Chapter 5. New features

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.2.

5.1. Installer and image creation

Ability to register your system, attach RHEL subscriptions, and install from the Red Hat CDN

In RHEL 8.2, you can register your system, attach RHEL subscriptions, and install from the Red Hat Content Delivery Network (CDN) before package installation. Interactive GUI installations, as well as automated Kickstart installations, support this feature. Benefits include:

  • The use of the smaller Boot ISO image file removes the need to download the larger Binary DVD ISO image file.
  • The CDN uses the latest packages that result in a fully subscribed and up-to-date system immediately after installation. There is no requirement to install package updates after installation.
  • Registration is performed before package installation, resulting in a shorter and more streamlined installation process.
  • Integrated support for Red Hat Insights is available.


Ability to register your system to Red Hat Insights during installation

In RHEL 8.2, you can register your system to Red Hat Insights during installation. Interactive GUI installations, as well as automated Kickstart installations, support this feature.

Benefits include:

  • Easier to identify, prioritize, and resolve issues before business operations are affected.
  • Proactively identify and remediate threats to security, performance, availability, and stability with predictive analytics.
  • Avoid problems and unplanned downtime in your environment.


Image Builder now offers cloud-init support for creating Azure images

With this enhancement, cloud-init support is available for Azure images created by Image Builder. As a result, the creation of on-premise images with fast-provisioning and the ability to add custom data is available to customers.


5.2. Software management

User-Agent header string now includes information read from the /etc/os-release file

With this enhancement, the User-Agent header string, which is normally included with the HTTP requests made by DNF, has been extended with information read from the /etc/os-release file.

To obtain more information, see user_agent in the dnf.conf(5) man page.


All dnf-automatic.timer timer units now use the real-time clock by default

Previously, the dnf-automatic.timer timer units used the monotonic clock, which resulted in unpredictable activation time after the system boot. With this update, the timer units run between 6 a.m. and 7 a.m. If the system is off during that time, the timer units are activated within one hour after the system boot.


The createrepo_c utility now skips packages whose metadata contains the disallowed control characters

To ensure a valid XML, the package metadata must not contain any control characters, with the exception of:

  • the horizontal tab
  • the newline character
  • the carriage return character

With this update, the createrepo_c utility does not include packages with metadata containing disallowed control characters in a newly created repository, and returns the following error message:

C_CREATEREPOLIB: Critical: Cannot dump XML for PACKAGE_NAME (PACKAGE_SUM): Forbidden control chars found (ASCII values <32 except 9, 10 and 13)
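A pre-publication check for the rule above, as an added example (not createrepo_c's own code): it locates the forbidden characters in each metadata field and shows why they matter, since an XML serializer writes them out unchanged while a parser then rejects the result. The field names and both sample packages are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Code points below 32 that the rule permits: tab, newline, carriage return.
ALLOWED = {9, 10, 13}

# Constructed sample metadata (hypothetical packages, not real ones).
CLEAN_PKG = {
    "name": "demo-tools",
    "summary": "Line one\n\tindented line\r\n",
    "changelog": ["- initial build"],
}
BAD_PKG = {
    "name": "demo-term",
    "summary": "Adds \x1b[31mcolour\x1b[0m output",   # ANSI escape sequences
    "changelog": ["- fix", "- bell\x07 in entry"],    # BEL character
}


def forbidden_control_chars(value):
    """Return [(offset, code point)] for each disallowed control character."""
    return [(i, ord(ch)) for i, ch in enumerate(value)
            if ord(ch) < 32 and ord(ch) not in ALLOWED]


def flatten(metadata):
    """Yield (label, text) pairs, expanding list-valued fields such as changelogs."""
    for field, value in metadata.items():
        if isinstance(value, list):
            for i, item in enumerate(value):
                yield f"{field}[{i}]", item
        else:
            yield field, value


def audit_package(metadata):
    """Map each offending field label to its list of (offset, code point) hits."""
    findings = {}
    for label, text in flatten(metadata):
        hits = forbidden_control_chars(text)
        if hits:
            findings[label] = hits
    return findings


def round_trips_as_xml(metadata):
    """Serialize the metadata and parse it back; False means the XML is invalid.

    ElementTree escapes only &, < and > on output, so control characters reach
    the serialized document and are first caught by the parser on the way in.
    """
    pkg = ET.Element("package")
    for label, text in flatten(metadata):
        ET.SubElement(pkg, label.split("[")[0]).text = text
    blob = ET.tostring(pkg, encoding="unicode")
    try:
        ET.fromstring(blob)
    except ET.ParseError:
        return False
    return True


if __name__ == "__main__":
    for pkg in (CLEAN_PKG, BAD_PKG):
        print(pkg["name"], audit_package(pkg), round_trips_as_xml(pkg))
```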


5.3. Shells and command-line tools

opencv rebased to version 3.4.6

The opencv packages have been upgraded to upstream version 3.4.6. Notable changes include:

  • The objdetect module now supports a QR code detection algorithm.
  • Multiple new methods, such as MatSize::dims or VideoCapture::getBackendName.
  • Multiple new functions, such as drawFrameAxes or getVersionMajor.
  • Various performance improvements, including improvements of the GaussianBlur function, v_load_deinterleave and v_store_interleave intrinsics when using SSSE3 instructions.


5.4. Infrastructure services

graphviz-python3 is now distributed in the CRB repository

This update adds the graphviz-python3 package to RHEL 8. The package provides bindings required for usage of the Graphviz graph visualization software from Python.

Note that the graphviz-python3 package is distributed in the unsupported CodeReady Linux Builder repository (CRB).


tuned rebased to version 2.13.0

The tuned packages have been upgraded to upstream version 2.13.0. Notable enhancements include:

  • Architecture-dependent tuning framework has been added.
  • Support for multiple include directives has been added.
  • Tuning in the sap-hana, latency-performance, and realtime profiles has been updated.


powertop rebased to version 2.11

The powertop package has been upgraded to version 2.11, which provides the following notable change:

  • Support for the EHL, TGL, ICL/ICX platforms


BIND now supports GeoIP2 instead of GeoLite Legacy GeoIP

The GeoLite Legacy GeoIP library is no longer supported in BIND. With this update, GeoLite Legacy GeoIP has been replaced with GeoIP2, which is provided in the libmaxminddb data format.

Note that the new format may require some configuration changes, and the format also does not support the following legacy GeoIP access control list (ACL) settings:

  • geoip netspeed
  • geoip org
  • ISO 3166 Alpha-3 country codes


stale-answer now provides old cached records in case of DDoS attack

Previously, a Distributed Denial of Service (DDoS) attack caused the authoritative servers to fail with the SERVFAIL error. With this update, the stale-answer functionality provides the expired records until a fresh response is obtained.

To enable or disable the serve-stale feature, use either of these:

  • Configuration file
  • Remote control channel (rndc)


BIND rebased to version 9.11.13

The bind packages have been upgraded to version 9.11.13. Notable changes include:

  • The tcp-highwater statistics variable has been added. This variable shows maximum concurrent TCP clients recorded during a run.
  • The SipHash-2-4-based DNS Cookies (RFC 7873) algorithm has been added.
  • Glue addresses for root priming queries are returned regardless of how the minimal-responses configuration option is set.
  • The named-checkconf command now ensures the validity of the DNS64 network prefixes.
  • Automatic rollover per RFC 5011 no longer fails when the trusted-keys and managed-keys statements are both configured for the same name. Instead, a warning message is logged.
  • Internationalized Domain Name (IDN) processing in the dig and nslookup utilities is now disabled by default when they are not run on a terminal (for example, in a script). IDN processing in dig can be switched on by using the +idnin and +idnout options.


5.5. Security

RHEL 8 now contains the DISA STIG profile

Security Technical Implementation Guides (STIG) are a set of baseline recommendations published by the Defense Information Systems Agency (DISA) to harden the security of information systems and software that might otherwise be vulnerable. This release includes the profile and Kickstart file for this security policy. With this enhancement, users can check systems for compliance, remediate systems to be compliant, and install systems compliant with DISA STIG for Red Hat Enterprise Linux 8.


crypto-policies can now be customized

With this update, you can adjust certain algorithms or protocols of any policy level or set a new complete policy file as the current system-wide cryptographic policy. This enables administrators to customize the system-wide cryptographic policy as required by different scenarios.

RPM packages should store policies provided by them in the /usr/share/crypto-policies/policies directory. The /etc/crypto-policies/policies directory contains local custom policies.

For more information, see the Custom Policies section in the update-crypto-policies(8) man page and the Crypto Policy Definition Format section in the update-crypto-policies(8) man page.


SCAP Security Guide now supports ACSC Essential Eight

The scap-security-guide packages now provide the Australian Cyber Security Centre (ACSC) Essential Eight compliance profile and a corresponding Kickstart file. With this enhancement, users can install a system that conforms with this security baseline. Furthermore, you can use the OpenSCAP suite for checking security compliance and remediation using this specification of minimum security controls defined by ACSC.


oscap-podman for security and compliance scanning of containers is now available

This update of the openscap packages introduces a new utility for security and compliance scanning of containers. The oscap-podman tool provides an equivalent of the oscap-docker utility that serves for scanning containers and container images in RHEL 7.


setroubleshoot can now analyze and react to execmem access denials

This update introduces a new setroubleshoot plugin. The plugin can analyze execmem access denials (AVCs) and provide relevant advice. As a result, setroubleshoot can now suggest a possibility to switch a boolean if it allows access, or report the issue when no boolean can allow access.


New packages: setools-gui and setools-console-analyses

The setools-gui package, which has been part of RHEL 7, is now being introduced to RHEL 8. Graphical tools help inspect relations and data flows especially in multi-level systems with highly specialized SELinux policies. With the apol graphical tool from the setools-gui package, you can inspect and analyze aspects of an SELinux policy. Tools from the setools-console-analyses package enable you to analyze domain transitions and SELinux policy information flows.


Confined users in SELinux can now manage user session services

Previously, confined users were not able to manage user session services. As a result, they could not execute systemctl --user or busctl --user commands or work in the RHEL web console. With this update, confined users can manage user sessions.


The lvmdbusd service is now confined by SELinux

The lvmdbusd service provides a D-Bus API to the logical volume manager (LVM). Previously, the lvmdbusd daemon could not transition to the lvm_t context even though the SELinux policy for lvm_t was defined. As a consequence, the lvmdbusd daemon was executed in the unconfined_service_t domain and SELinux labeled lvmdbusd as unconfined. With this update, the lvmdbusd executable file has the lvm_exec_t context defined and lvmdbusd can now be used correctly with SELinux in enforcing mode.


semanage now supports listing and modifying SCTP and DCCP ports

Previously, semanage port allowed listing and modifying of only TCP and UDP ports. This update adds SCTP and DCCP protocol support to semanage port. As a result, administrators can now check if two machines can communicate via SCTP and fully enable SCTP features to successfully deploy SCTP-based applications.


semanage export now shows customizations related to permissive domains

With this update, the semanage utility, which is part of the policycoreutils package for SELinux, is able to display customizations related to permissive domains. System administrators can now transfer permissive local modifications between machines using the semanage export command.


udica can add new allow rules generated from SELinux denials to existing container policy

When a container that is running under a policy generated by the udica utility triggers an SELinux denial, udica is now able to update the policy. The new parameter -a or --append-rules can be used to append rules from an AVC file.


New SELinux types enable services to run confined

This update introduces new SELinux types that enable the following services to run as confined services in SELinux enforcing mode instead of running in the unconfined_service_t domain:

  • lldpd now runs as lldpad_t
  • rrdcached now runs as rrdcached_t
  • stratisd now runs as stratisd_t
  • timedatex now runs as timedatex_t

(BZ#1726246, BZ#1726255, BZ#1726259, BZ#1730204)

Clevis is able to list policies in place for a given LUKS device

With this update, the clevis luks list command lists PBD policies in place for a given LUKS device. This makes it easier to find information on Clevis pins in use and pin configuration, for example, Tang server addresses, details on tpm2 policies, and SSS thresholds.


Clevis provides new commands for reporting key status and rebinding expired keys

The clevis luks report command now provides a simple way to report whether keys for a particular binding require rotation. Regular key rotations in a Tang server improve the security of Network-Bound Disk Encryption (NBDE) deployments, and therefore the client should provide detection of expired keys. If the key is expired, Clevis suggests using the clevis luks regen command which rebinds the expired key slot with a current key. This significantly simplifies the process of key rotation.

(BZ#1564559, BZ#1564566)

Clevis can now extract the passphrase used for binding a particular slot in a LUKS device

With this update to the Clevis policy-based decryption framework, you can now extract the passphrase used for binding a particular slot in a LUKS device. Previously, if the LUKS installation passphrase was erased, Clevis could not perform LUKS administrative tasks, such as re-encryption, enabling a new key slot with a user passphrase, and re-binding Clevis when the administrator needs to change the sss threshold. This update introduces the clevis luks pass command that shows the passphrase used for binding a particular slot.


Clevis now provides improved support for decrypting multiple LUKS devices on boot

The clevis packages have been updated to provide better support for decrypting multiple LUKS-encrypted devices on boot. Prior to this improvement, the administrator had to perform complicated changes to the system configuration to enable the proper decryption of multiple devices by Clevis on boot. With this release, you can set up the decryption by using the clevis luks bind command and updating the initramfs through the dracut -fv --regenerate-all command.

For more details, see the Configuring automated unlocking of encrypted volumes using policy-based decryption section.


openssl-pkcs11 rebased to 0.4.10

The openssl-pkcs11 package has been upgraded to upstream version 0.4.10, which provides many bug fixes and enhancements over the previous version. The openssl-pkcs11 package provides access to PKCS #11 modules through the engine interface. The major changes introduced by the new version are:

  • If a public key object corresponding to the private key is not available when loading an ECDSA private key, the engine loads the public key from a matching certificate, if present.
  • You can use generic PKCS #11 URI (for example pkcs11:type=public) because the openssl-pkcs11 engine searches all tokens that match a given PKCS #11 URI.
  • The system attempts to log in with a PIN only if a single device matches the URI search. This prevents authentication failures due to providing the PIN to all matching tokens.
  • When accessing a device, the openssl-pkcs11 engine now marks the RSA methods structure with the RSA_FLAG_FIPS_METHOD flag. In FIPS mode, OpenSSL requires the flag to be set in the RSA methods structure. Note that the engine cannot detect whether a device is FIPS-certified.


rsyslog rebased to 8.1911.0

The rsyslog utility has been upgraded to upstream version 8.1911.0, which provides a number of bug fixes and enhancements over the previous version. The following list includes notable enhancements:

  • The new omhttp module allows you to send messages over the HTTP REST interface.
  • The file input module is enhanced to improve stability, error reporting, and truncation detection.
  • The new action.resumeIntervalMax parameter, which can be used with any action, allows capping retry interval growth at a specified value.
  • The new StreamDriver.PermitExpiredCerts option for TLS permits connections even if a certificate has expired.
  • You can now suspend and resume output based on configured external file content. This is useful in cases where the other end always accepts messages and silently drops them when it is not able to process them all.
  • Error reporting for the file output module is improved and now contains real file names and more information on causes of errors.
  • Disk queues now run multi-threaded, which improves performance.
  • You can set stricter TLS operation modes: checking of the extendedKeyUsage certificate field and stricter checking of the CN/SAN certificate fields.


rsyslog now provides the omhttp plugin for communication through an HTTP REST interface

With this update of the rsyslog packages, you can use the new omhttp plugin for producing an output compatible with services using a Representational State Transfer (REST) API, such as the Ceph storage platform, Amazon Simple Storage Service (Amazon S3), and Grafana Loki. This new HTTP output module provides a configurable REST path and message format, support for several batching formats, compression, and TLS encryption.

For more details, see the /usr/share/doc/rsyslog/html/configuration/modules/omhttp.html file installed on your system with the rsyslog-doc package.


omelasticsearch in rsyslog now supports rebindinterval

This update of the rsyslog packages introduces support for setting the time of periodical reconnection in the omelasticsearch module. You can improve performance when sending records to a cluster of Elasticsearch nodes by setting this parameter according to your scenario. The value of the rebindinterval parameter indicates the number of operations submitted to a node after which rsyslog closes the connection and establishes a new one. The default value -1 means that rsyslog does not re-establish the connection.


rsyslog mmkubernetes now provides metadata cache expiration

With this update of the rsyslog packages, you can use two new parameters for the mmkubernetes module for setting metadata cache expiration. This ensures that deleted Kubernetes objects are removed from the mmkubernetes static cache. The value of the cacheentryttl parameter indicates the maximum age of cache entries in seconds. The cacheexpireinterval parameter has the following values:

  • -1 for disabling cache-expiration checks
  • 0 for enabling cache-expiration checks
  • greater than 0 for regular cache-expiration checks in seconds


audit rebased to version 3.0-0.14

The audit packages have been upgraded to upstream version 3.0-0.14, which provides many bug fixes and enhancements over the previous version, most notably:

  • Added an option to interpret fields in the syslog plugin
  • Divided the 30-ospp-v42.rules file into more granular files
  • Moved example rules to the /usr/share/audit/sample-rules/ directory
  • Fixed Audit KRB5 transport mode for remote logging


Audit now contains many improvements from the kernel v5.5-rc1

This addition to the Linux kernel contains the majority of enhancements, bug fixes, and cleanups related to the Audit subsystem and introduced between the version 4.18 and 5.5-rc1. The following list highlights important changes:

  • Wider use of the exe field for filtering
  • Support for v3 namespaced capabilities
  • Improvements for filtering on remote file systems
  • Fix of the gid filter rule
  • Fixes of a use-after-free memory corruption and memory leaks
  • Improvements of event-record association
  • Cleanups of the fanotify interface, Audit configuration options, and the syscall interface
  • Fix of the Extended Verification Module (EVM) return value
  • Fixes and cleanups of several record formats
  • Simplifications and fixes of Virtual File System (VFS) auditing


fapolicyd rebased to 0.9.1-2

The fapolicyd packages that provide RHEL application whitelisting have been upgraded to upstream version 0.9.1-2. Notable bug fixes and enhancements include:

  • Process identification is fixed.
  • The subject part and the object part are now positioned strictly in the rule. Both parts are separated by a colon, and they contain the required permission (execute, open, any).
  • The subject and object attributes are consolidated.
  • The new rule format is the following:


    For example:

    allow perm=open exe=/usr/bin/rpm : all


sudo rebased to 1.8.29-3.el8

The sudo packages have been upgraded to upstream version 1.8.29-3, which provides a number of bug fixes and enhancements over the previous version. The major changes introduced by the new version are:

  • sudo now writes Pluggable Authentication Module (PAM) messages to the user’s terminal, if available, instead of the standard output or standard error output. This prevents possible confusion of PAM output and command output sent to files and pipes.
  • The notBefore and notAfter options from LDAP and SSSD now work and display correctly with the sudo -l command.
  • The cvtsudoers command now rejects non-LDAP Data Interchange Format (LDIF) input when converting from LDIF to sudoers and JSON formats.
  • With the new log_allowed and log_denied settings for sudoers, you can disable logging and auditing of allowed and denied commands.
  • You can now use sudo with the -g option to specify a group that matches any of the target user’s groups even if no groups are present in the runas_spec specification. Previously, you could only do so if the group matched the target user’s primary group.
  • Fixed a bug that prevented sudo from matching the host name to the value of ipa_hostname from sssd.conf, if specified.
  • A vulnerability that allowed a sudo user to run a command as root when the Runas specification disallowed root access with the ALL keyword is now fixed (CVE-2019-14287).
  • The use of unknown user and group IDs for permissive sudoers entries, for example using the ALL keyword, is now disabled. You can enable it with the allow_unknown_runas_id setting (CVE-2019-19232).
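An audit for the two sudoers settings named in the CVE entries above, written as an added example (not Red Hat's or the sudo project's code): it flags Runas lists that combine the ALL keyword with a negated root entry, and Defaults lines that turn allow_unknown_runas_id back on. The sample sudoers text is constructed, and the scanner assumes plain user specifications: it joins continuation lines but does not expand aliases or follow include directives.

```python
import re

# Constructed sample sudoers content (hypothetical users and hosts).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults    log_allowed
alice   ALL = (ALL, !root) /usr/bin/vi
bob     ALL = (ALL : ALL) ALL
carol   web01 = (ALL, \\
                 !#0 : wheel) NOPASSWD: /usr/bin/systemctl
dave    ALL = (operator) /usr/bin/less
Defaults allow_unknown_runas_id
"""

RUNAS_MSG = "Runas list uses ALL with negated root"
UNKNOWN_ID_MSG = "allow_unknown_runas_id enabled"
RUNAS_RE = re.compile(r"\(([^)]*)\)")


def strip_comment(line):
    """Drop '#' comments; '#<digits>' is a numeric ID in sudoers, so keep it."""
    return re.sub(r"(^|\s)#(?![0-9]).*$", "", line)


def logical_lines(text):
    """Join backslash-continued lines and yield (first line number, text)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line = strip_comment(buf + raw).strip()
        if line:
            yield start, line
        buf, start = "", None


def runas_denies_root_with_all(runas):
    """True when the Runas user list holds ALL together with !root or !#0."""
    users = runas.split(":", 1)[0]   # before ':' is the user list, after it the groups
    entries = [e.replace(" ", "") for e in users.split(",") if e.strip()]
    return "ALL" in entries and any(e in ("!root", "!#0") for e in entries)


def audit_sudoers(text):
    """Return [(line number, message)] for entries that deserve review."""
    findings = []
    for no, line in logical_lines(text):
        if line.startswith("Defaults"):
            # A leading '!' negates the flag, so only the bare name counts.
            if re.search(r"(?<![!\w])allow_unknown_runas_id\b", line):
                findings.append((no, UNKNOWN_ID_MSG))
            continue
        for runas in RUNAS_RE.findall(line):
            if runas_denies_root_with_all(runas):
                findings.append((no, RUNAS_MSG))
    return findings


if __name__ == "__main__":
    for no, message in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {no}: {message}")
```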


The pam_namespace module now allows specifying additional mount options for tmpfs

The nosuid, noexec, and nodev mount options can now be used in the /etc/security/namespace.conf configuration file to respectively disable setuid bit effect, disable running executables, and to prevent files from being interpreted as character or block devices on the mounted tmpfs filesystem.

Additional mount options are specified in the tmpfs(5) man page.


pam_faillock can now read settings from faillock.conf configuration file

The pam_faillock module, a part of pluggable authentication modules (PAM), can now read settings from the configuration file located at /etc/security/faillock.conf. This makes it easier to set up an account lockout on authentication failures, provide user profiles for this functionality, and handle different PAM configurations by simply editing the faillock.conf file.


5.6. Networking

User-space applications can now retrieve the netns id selected by the kernel

User-space applications can request the kernel to select a new netns ID and assign it to a network name space. With this enhancement, users can specify the NLM_F_ECHO flag when sending an RTM_NETNSID netlink message to the kernel. The kernel then sends the netlink message back to the user. This message includes the netns ID set to the value the kernel selected. As a result, user-space applications now have a reliable option to identify the netlink ID the kernel selected.


firewalld rebased to version 0.8

The firewalld packages have been updated to version 0.8. Notable changes include:

  • This version of firewalld includes all bug fixes since version 0.7.0.
  • firewalld now uses the libnftables JSON interface to the nftables subsystem. This improves performance and reliability of rule application.
  • In service definitions, the new helper element replaces module.
  • This version allows custom helpers to use standard helper modules.


ndptool can now specify a destination address in IPv6 header

With this update, the ndptool utility can send a Neighbor Solicitation (NS) or a Neighbor Advertisement (NA) message to a specific destination by specifying the address in the IPv6 header. As a result, a message can be sent to addresses other than just the link-local address.


nftables now supports multi-dimensional IP set types

With this enhancement, the nftables packet-filtering framework supports set types with concatenations and intervals. As a result, administrators no longer require workarounds to create multi-dimensional IP set types.


nftables rebased to version 0.9.3

The nftables packages have been upgraded to upstream version 0.9.3, which provides a number of bug fixes and enhancements over the previous version:

  • A JSON API has been added to the libnftables library. This library provides a high-level interface to manage nftables rule sets from third-party applications. To use the new API in Python, install the python3-nftables package.
  • Statements support IP prefixes and ranges, such as and
  • Support for operating system fingerprints has been added to mark packets based on the guessed operating system. For further details, see the osf expression section in the nft(8) man page.
  • Transparent proxy support has been added to redirect packets to a local socket without changing the packet header in any way. For details, see the tproxy statement section in the nft(8) man page.
  • The security mark support has been added.
  • The support for dynamic sets updates has been improved to set updates from the packet path.
  • The support for transport header port matching has been added.

For further information about notable changes, read the upstream release notes before updating:


Rules for the firewalld service can now use connection tracking helpers for services running on a non-standard port

User-defined helpers in the firewalld service can now use standard kernel helper modules. This enables administrators to create firewalld rules to use connection tracking helpers for services running on a non-standard port.


The whois package is now available

With this enhancement, the whois package is now available in RHEL 8.2.0. As a result, retrieving information about a specific domain name or IP address is now possible.


eBPF for tc is now fully supported

The Traffic Control (tc) kernel subsystem and the tc tool can attach extended Berkeley Packet Filtering (eBPF) programs as packet classifiers and actions for both ingress and egress queueing disciplines. This enables programmable packet processing inside the kernel network data path. eBPF for tc, previously available as a technology preview, is now fully supported in RHEL 8.2.


5.7. Kernel

Kernel version in RHEL 8.2

Red Hat Enterprise Linux 8.2 is distributed with the kernel version 4.18.0-193.

See also Important Changes to External Kernel Parameters and Device Drivers.


Extended Berkeley Packet Filter for RHEL 8.2

The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code. The eBPF bytecode first loads to the kernel, followed by its verification, code translation to the native machine code with just-in-time compilation, and then the virtual machine executes the code.

Red Hat ships numerous components that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported. In RHEL 8.2, the following eBPF components are supported:

  • The BPF Compiler Collection (BCC) tools package, which is a userspace collection of dynamic kernel tracing utilities that use the eBPF virtual machine for creating efficient kernel tracing and manipulation programs. The BCC provides tools for I/O analysis, networking, and monitoring of Linux operating systems using eBPF.
  • The BCC library which allows the development of tools similar to those provided in the BCC tools package.
  • The eBPF for Traffic Control (tc) feature, which enables programmable packet processing inside the kernel network data path.

All other eBPF components are available as Technology Preview, unless a specific component is indicated as supported.

The following notable eBPF components are currently available as Technology Preview:

  • The bpftrace tracing language
  • The eXpress Data Path (XDP) feature

For more information regarding the Technology Preview components, see Technology Previews.


Control Group v2 is now fully supported in RHEL 8

The Control Group v2 mechanism is a unified hierarchy control group. Control Group v2 organizes processes hierarchically and distributes system resources along the hierarchy in a controlled and configurable manner.

Unlike the previous version, Control Group v2 has only a single hierarchy. This single hierarchy enables the Linux kernel to:

  • Categorize processes based on the role of their owner.
  • Eliminate issues with conflicting policies of multiple hierarchies.

Control Group v2 supports numerous controllers. Some of the examples are:

  • CPU controller regulates the distribution of CPU cycles. This controller implements:

    • Weight and absolute bandwidth limit models for normal scheduling policy.
    • Absolute bandwidth allocation model for real-time scheduling policy.
  • Cpuset controller confines processor and/or memory placement of processes to only those of the mentioned resources that are specified in the cpuset interface files.
  • Memory controller regulates the memory distribution. Currently, the following types of memory usages are tracked:

    • Userland memory - page cache and anonymous memory.
    • Kernel data structures such as dentries and inodes.
    • TCP socket buffers.
  • I/O controller regulates the distribution of I/O resources.
  • Writeback controller interacts with both Memory and I/O controllers and is Control Group v2 specific.

The information above was based on Control Group v2 upstream documentation. You can refer to the same link to obtain more information about particular Control Group v2 controllers.

Be warned that not all features mentioned in the upstream document are implemented yet in RHEL 8.


Randomizing free lists: Improved performance and utilization of direct-mapped memory-side-cache

With this enhancement, you can enable the page allocator to randomize free lists and improve the average utilization of a direct-mapped memory-side-cache. The kernel command-line option page_alloc.shuffle enables the page allocator to randomize the free lists and sets the boolean flag to True. The sysfs file, which is located at /sys/module/page_alloc/parameters/shuffle, reads the flag status and shuffles the free lists, such that the Dynamic Random Access Memory (DRAM) is cached, and the latency band between the DRAM and persistent memory is reduced. As a result, persistent memory with a higher capacity and lower bandwidth is available on general purpose server platforms.


The TPM userspace tool has been updated to the last version

The tpm2-tools userspace tool has been updated to version 3.2.1. This update provides several bug fixes, in particular relating to Platform Configuration Register code and manual page cleanups.


The C620-series PCH chipset now supports the Intel Trace Hub feature

This update adds hardware support for Intel Trace Hub (TH) in C620-series Platform Controller Hub (PCH), also known as Lewisburg PCH. Users with C620-series PCH can now use Intel TH.


The perf tool now supports per die events aggregation for CLX-AP and CPX processors

With this update, the perf tool now provides support for per-die event counts aggregation for some Intel CPUs with multiple dies. To enable this mode, add the --per-die option in addition to the -a option for Xeon Cascade Lake-AP (CLX-AP) and Cooper Lake (CPX) system processors. As a result, this update detects any imbalance between the dies. The perf stat command captures the event counts and displays the output as:

# perf stat -e cycles --per-die -a -- sleep 1
 Performance counter stats for 'system wide':
S0-D0           8         21,029,877      cycles
S0-D1           8         19,192,372      cycles


The threshold of crashkernel=auto is decreased on IBM Z

The lower threshold of the crashkernel=auto kernel command-line parameter is now decreased from 4G to 1G on IBM Z systems. This implementation allows the IBM Z to align with the threshold of the AMD64 and Intel 64 systems to share the same reservation policy on the lower threshold of crashkernel=auto. As a result, the crash kernel is able to automatically reserve memory for kdump on systems with less than 4GB RAM.


The numactl manual entry clarifies the memory usage output

With this release of RHEL 8, the manual page for numactl explicitly mentions that the memory usage information reflects only the resident pages on the system. The reason for this addition is to eliminate potential confusion for users about whether the memory usage information relates to resident pages or virtual memory.


The kexec-tools document is now updated to include Kdump FCoE target support

In this release, the /usr/share/doc/kexec-tools/supported-kdump-targets.txt file has been updated to include Kdump Fibre Channel over Ethernet (FCoE) target support. As a result, users can now better understand the status and details of the kdump crash dumping mechanism on an FCoE target.


Firmware-assisted dump now supports PowerNV

The firmware-assisted dump (fadump) mechanism is now supported on the PowerNV platform. The feature is supported with the IBM POWER9 FW941 firmware version and later. At the time of system failure, fadump, along with the vmcore file, also exports the opalcore file. The opalcore file contains information about the state of OpenPOWER Abstraction Layer (OPAL) memory at the time of breakdown. The opalcore file is helpful in debugging crashes of OPAL-based systems.


kernel-rt source tree now matches the latest RHEL 8 tree

The kernel-rt sources have been updated to use the latest RHEL kernel source tree. The realtime patch set has also been updated to the latest upstream v5.2.21-rt13 version. Both of these updates provide a number of bug fixes and enhancements.


rngd is now able to run with non-root privileges

The random number generator daemon (rngd) checks whether data supplied by the source of randomness is sufficiently random and then stores the data in the kernel’s random-number entropy pool. With this update, rngd is able to run with non-root user privileges to enhance system security.


Virtual Persistent Memory now supported for RHEL 8.2 and later on POWER 9

When running a RHEL 8.2 or later host with a PowerVM hypervisor on IBM POWER9 hardware, the host can now use the Virtual Persistent Memory (vPMEM) feature. With vPMEM, data persists across application and partition restarts until the physical server is turned off. As a result, restarting workloads that use vPMEM is significantly faster.

The following requirements must be met for your system to be able to use vPMEM:

  • Hardware Management Console (HMC) V9R1 M940 or later
  • Firmware level FW940 or later
  • E980 system firmware FW940 or later
  • L922 system firmware FW940 or later
  • PowerVM level V3.1.1

Note that several known issues currently occur in RHEL 8 with vPMEM. For details, see the following Knowledgebase articles:


5.8. File systems and storage

LVM now supports the dm-writecache caching method

LVM cache volumes now provide the dm-writecache caching method in addition to the existing dm-cache method.

dm-cache: This method speeds up access to frequently used data by caching it on the faster volume. The method caches both read and write operations.
dm-writecache: This method caches only write operations. The faster volume, usually an SSD or a persistent memory (PMEM) disk, stores the write operations first and then migrates them to the slower disk in the background.

To configure the caching method, use the --type cache or --type writecache option with the lvconvert utility.

For more information, see Enabling caching to improve logical volume performance.


VDO async policy is now ACID compliant

With this release, the VDO async write mode is now compliant with Atomicity, Consistency, Isolation, Durability (ACID). If the system unexpectedly halts while VDO is writing data in async mode, the recovered data is now always consistent.

Due to the ACID compliance, the performance of async is now lower compared to the previous release. To restore the original performance, you can change the write mode on your VDO volume to async-unsafe mode, which is not ACID compliant.

For more information, see Selecting a VDO write mode.


You can now import VDO volumes

The vdo utility now enables you to import existing VDO volumes that are currently not registered on your system. To import a VDO volume, use the vdo import command.

Additionally, you can modify the Universally Unique Identifier (UUID) of a VDO volume using the vdo import command.


New per-op error counter is now available in the output of the mountstats and nfsiostat

A minor supportability feature is available for the NFS client systems: the output of the mountstats and nfsiostat commands in nfs-utils now has a per-op error count. This enhancement allows these tools to display per-op error counts and percentages that can assist in narrowing down problems on specific NFS mount points on an NFS client machine. Note that these new statistics depend on kernel changes that are inside the Red Hat Enterprise Linux 8.2 kernel.


Writeback IOs with cgroup awareness is now available in XFS

With this release, XFS supports writeback IOs with cgroup awareness. In general, cgroup writeback requires explicit support from the underlying file system. Until now, writeback IOs on XFS were attributed to the root cgroup only.


The FUSE file systems now implement copy_file_range()

The copy_file_range() system call provides a way for file systems to implement an efficient data copy mechanism. With this update, GlusterFS, which uses the Filesystem in Userspace (FUSE) framework, takes advantage of this mechanism. Since the read/write functionality of FUSE file systems involves multiple copies of data, using copy_file_range() can significantly improve performance.


Support for per-op statistics is now available for the mountstats and nfsiostat commands

A support feature is now available for the NFS client systems: the /proc/self/mountstats file has the per-op error counter. With this update, in each per-op statistics row, the ninth number indicates the number of the operations that have been completed with a status value less than zero. This status value indicates an error. For more information, see the updates to the mountstats and nfsiostat programs in nfs-utils that display these new error counts.


New mount stats lease_time and lease_expired are available in /proc/self/mountstats file

A support feature is available for NFSv4.x client systems. The /proc/self/mountstats file has the lease_time and the lease_expired fields at the end of the line starting with nfsv4:. The lease_time field indicates the number of seconds in the NFSv4 lease time. The lease_expired field indicates the number of seconds since the lease has expired, or 0 if the lease has not expired.
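The two mountstats additions described above can be read together with a short parser. The following is an added example, not code from nfs-utils or from Red Hat: the function names, the 1% threshold, and the sample text are constructed for illustration, and the only field positions it relies on are the first number of a per-op row (the operation count) and the ninth (the error count).

```python
import os

# Constructed sample in the layout of /proc/self/mountstats (all values are made up).
SAMPLE = """\
device nfs.example.com:/export/data mounted on /mnt/data with fstype nfs4 statvers=1.1
    opts:   rw,vers=4.2,proto=tcp,sec=sys
    nfsv4:  bm0=0x0,bm1=0x0,acl=0x0,lease_time=90,lease_expired=0
    per-op statistics
            READ: 1200 1200 0 240000 9830400 15 480 510 0
          ACCESS: 500 500 0 110000 60000 4 150 160 25

device nfs.example.com:/export/home mounted on /mnt/home with fstype nfs4 statvers=1.1
    opts:   rw,vers=4.2,proto=tcp,sec=sys
    nfsv4:  bm0=0x0,bm1=0x0,acl=0x0,lease_time=90,lease_expired=37
    per-op statistics
          LOOKUP: 200 200 0 44000 52000 2 60 65 1
"""


def parse_mountstats(text):
    """Return one dict per mount: mount point, lease fields, per-op (count, errors)."""
    mounts, current, in_per_op = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        words = line.split()
        if len(words) >= 5 and words[0] == "device" and words[2:4] == ["mounted", "on"]:
            current = {"mountpoint": words[4], "lease": {}, "ops": {}}
            mounts.append(current)
            in_per_op = False
        elif current is None or not line:
            continue
        elif line.startswith("nfsv4:"):
            # lease_time and lease_expired sit at the end of the nfsv4: line.
            for item in line.split(":", 1)[1].split(","):
                key, _, value = item.strip().partition("=")
                if key in ("lease_time", "lease_expired") and value.isdigit():
                    current["lease"][key] = int(value)
        elif line.startswith("per-op statistics"):
            in_per_op = True
        elif in_per_op and ":" in line:
            name, _, rest = line.partition(":")
            nums = rest.split()
            if not nums or not all(n.isdigit() for n in nums):
                continue
            # Kernels without the new counter emit fewer than nine numbers per row.
            errors = int(nums[8]) if len(nums) >= 9 else None
            current["ops"][name.strip()] = (int(nums[0]), errors)
    return mounts


def flag_problems(mounts, max_error_pct=1.0):
    """List expired leases and operations whose error share reaches the threshold."""
    findings = []
    for m in mounts:
        expired = m["lease"].get("lease_expired", 0)
        if expired > 0:
            findings.append((m["mountpoint"], "lease",
                             f"NFSv4 lease expired {expired} s ago"))
        for op, (count, errors) in sorted(m["ops"].items()):
            if not count or not errors:
                continue  # no operations, no errors, or no error column at all
            pct = 100.0 * errors / count
            if pct >= max_error_pct:
                findings.append((m["mountpoint"], op,
                                 f"{errors} of {count} operations failed ({pct:.1f}%)"))
    return findings


if __name__ == "__main__":
    path = "/proc/self/mountstats"
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for mountpoint, what, detail in flag_problems(parse_mountstats(text)):
        print(f"{mountpoint}: {what}: {detail}")
```
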


5.9. High availability and clusters

New command options to disable a resource only if this would not affect other resources

It is sometimes necessary to disable resources only if this would not have an effect on other resources. Ensuring that this would be the case can be impossible to do by hand when complex resource relations are set up. To address this need, the pcs resource disable command now supports the following options:

  • pcs resource disable --simulate: show effects of disabling specified resource(s) while not changing the cluster configuration
  • pcs resource disable --safe: disable specified resource(s) only if no other resources would be affected in any way, such as being migrated from one node to another
  • pcs resource disable --safe --no-strict: disable specified resource(s) only if no other resources would be stopped or demoted

In addition, the pcs resource safe-disable command has been introduced as an alias for pcs resource disable --safe.


New command to show relations between resources

The new pcs resource relations command allows you to display the relations between cluster resources in a tree structure.


New command to display the status of both a primary site and recovery site cluster

If you have configured a cluster to use as a recovery site, you can now configure that cluster as a recovery site cluster with the pcs dr command. You can then use the pcs dr command to display the status of both your primary site cluster and your recovery site cluster from a single node.


Expired resource constraints are now hidden by default when listing constraints

Listing resource constraints no longer displays expired constraints by default. To include expired constraints, use the --all option of the pcs constraint command. This will list expired constraints, noting the constraints and their associated rules as (expired) in the display.


Pacemaker support for configuring resources to remain stopped on clean node shutdown

When a cluster node shuts down, Pacemaker’s default response is to stop all resources running on that node and recover them elsewhere. Some users prefer to have high availability only for failures, and to treat clean shutdowns as scheduled outages. To address this, Pacemaker now supports the shutdown-lock and shutdown-lock-limit cluster properties to specify that resources active on a node when it shuts down should remain stopped until the node next rejoins. Users can now use clean shutdowns as scheduled outages without any manual intervention. For information on configuring resources to remain stopped on a clean node shutdown, see Configuring resources to remain stopped on clean node shutdown.


Support for running the cluster environment in a single node

A cluster with only one member configured is now able to start and run resources in a cluster environment. This allows a user to configure a separate disaster recovery site for a multi-node cluster that uses a single node for backup. Note that a cluster with only one node is not in itself fault tolerant.


5.10. Dynamic programming languages, web and database servers

A new module: python38

RHEL 8.2 introduces Python 3.8, provided by the new module python38 and the ubi8/python-38 container image.

Notable enhancements compared to Python 3.6 include:

  • New Python modules, for example, contextvars, dataclasses, or importlib.resources
  • New language features, such as assignment expressions (the so-called walrus operator, :=) or positional-only parameters
  • Improved developer experience with the breakpoint() built-in function, the = format string specification, and compatibility between debug and non-debug builds of Python and extension modules
  • Performance improvements
  • Improved support for optional static type hints
  • An addition of the = specifier to formatted string literals (f-strings) for easier debugging
  • Updated versions of packages, such as pip, requests, or Cython

Python 3.8 and packages built for it can be installed in parallel with Python 3.6 on the same system.

Note that the python38 module does not include the same binary bindings to system tools (RPM, DNF, SELinux, and others) that are provided for the python36 module.

To install packages from the python38 module, use, for example:

# yum install python38
# yum install python38-Cython

The python38:3.8 module stream will be enabled automatically.

To run the interpreter, use, for example:

$ python3.8
$ python3.8 -m cython --help

See Using Python for more information.

Note that Red Hat will continue to provide support for Python 3.6 until the end of life of RHEL 8. Python 3.8 will have a shorter life cycle; see RHEL 8 Application Streams Life Cycle.


Changes in mod_wsgi installation

Previously, when the user tried to install the mod_wsgi module using the yum install mod_wsgi command, the python3-mod_wsgi package was always installed. RHEL 8.2 introduces Python 3.8 as an addition to Python 3.6. With this update, you need to specify which version of mod_wsgi you want to install, otherwise an error message is returned.

To install the Python 3.6 version of mod_wsgi:

# yum install python3-mod_wsgi

To install the Python 3.8 version of mod_wsgi:

# yum install python38-mod_wsgi

Note that the python3-mod_wsgi and python38-mod_wsgi packages conflict with each other, and only one mod_wsgi module can be installed on a system due to a limitation of the Apache HTTP Server.

This change introduced a known dependency issue, described in BZ#1829692.


Support for hardware-accelerated deflate in zlib on IBM Z

This update adds support for a hardware-accelerated deflate algorithm to the zlib library on IBM Z mainframes. As a result, performance of compression and decompression on IBM Z vector machines has been improved.


Performance improved when decompressing gzip on IBM Power Systems, little endian

This update adds optimization for the 32-bit Cyclic Redundancy Check (CRC32) to the zlib library on IBM Power Systems, little endian. As a result, performance of decompressing gzip files has been improved.


A new module stream: maven:3.6

RHEL 8.2 introduces a new module stream, maven:3.6. This version of the Maven software project management and comprehension tool provides numerous bug fixes and various enhancements over the maven:3.5 stream distributed with RHEL 8.0.

To install the maven:3.6 stream, use:

# yum module install maven:3.6

If you want to upgrade from the maven:3.5 stream, see Switching to a later stream.


mod_md now supports the ACMEv2 protocol

The mod_md module has been updated to version 2.0.8. This update adds a number of features, notably support for version 2 of the Automatic Certificate Management Environment (ACME) certificate issuance and management protocol, which is the Internet Engineering Task Force (IETF) standard (RFC 8555). The original ACMEv1 protocol remains supported but is deprecated by popular service providers.


New extensions for PHP 7.3

The php:7.3 module stream has been updated to provide two new PHP extensions: rrd and Xdebug.

The rrd extension provides bindings to the RRDtool C library. RRDtool is a high performance data logging and graphing system for time series data.

The Xdebug extension is included to assist you with debugging and development. Note that the extension is provided only for development purposes and should not be used in production environments.

For information about installing and using PHP in RHEL 8, see Using the PHP scripting language.

(BZ#1769857, BZ#1764738)

New packages: perl-LDAP and perl-Convert-ASN1

This update adds the perl-LDAP and perl-Convert-ASN1 packages to RHEL 8. The perl-LDAP package provides an LDAP client for the Perl language. perl-LDAP requires the perl-Convert-ASN1 package, which encodes and decodes Abstract Syntax Notation One (ASN.1) data structures using Basic Encoding Rules (BER) and Distinguished Encoding Rules (DER).

(BZ#1663063, BZ#1746898)

sscg now supports generating private key files protected by a password

The sscg utility is now able to generate private key files protected by a password. This adds another level of protection for private keys, and it is required by some services, such as FreeRADIUS.


5.11. Compilers and development tools

grafana rebased to version 6.3.6

The grafana package has been upgraded to version 6.3.6, which provides multiple bug fixes and enhancements. Notable changes include:

  • Database: Rewrites system statistics query for better performance.
  • Explore:

    • Fixes query field layout in split view for the Safari browsers.
    • Adds Live option for the supported data sources, adds the orgId to URL for sharing purposes.
    • Adds support for the new loki start and end parameters for labels endpoint.
    • Adds support for toggling raw query mode in the Explore, allow switching between metrics and logs.
    • Displays log lines context, does not parse log levels if provided by field or label.
    • Supports new LogQL filtering syntax.
    • Uses new TimePicker from Grafana/UI.
    • Handles newlines in the LogRow Highlighter.
    • Fixes browsing back to the dashboard panel.
    • Fixes filter by series level in logs graph.
    • Fixes issues when loading and graph/table are collapsed.
    • Fixes the selection/copy of log lines.
  • Dashboard: Fixes dashboards init failed loading error for dashboards with panel links that had missing properties, and fixes timezone dashboard setting while exporting to the comma-separated values (CSV) Data links.
  • Editor: Fixes issue where only entire lines were being copied.
  • LDAP: Integration of the multi ldap and ldap authentication components.
  • Profile/UserAdmin: Fixes user agent parser crashing the grafana-server on 32-bit builds.
  • Prometheus:

    • Prevents panel editor crash while switching to the Prometheus data source, changes brace-insertion behaviour to be less annoying.
    • Fixes queries with the label_replace and removes the $1 match when loading the query editor.
    • Consistently allows multi-line queries in the editor, taking timezone into account for the step alignment.
    • Uses the overridden panel range for $__range instead of the dashboard range.
    • Adds time range filter to series labels query, escapes | literals in the interpolated PromQL variables.
    • Fixes while adding labels for metrics which contain colons in the Explore.
  • Auth: Allows expiration of the API keys, returns device, os and browser while listing user auth tokens in HTTP API, supports list and revoke of user auth tokens in UI.
  • DataLinks: Correctly applies scoped variables to the data links, follows timezone while displaying datapoint timestamp in the graph context menu, uses datapoint timestamp correctly when interpolating the variables, fixes the incorrect interpolation of the ${__series_name}.
  • Graph: Fixes legend issue clicking on series line icon and issue with horizontal scrollbar being visible on windows, adds new fill gradient option.
  • Graphite: Avoids the glob of single-value array variables, fixes issues with alias function being moved last, fixes issue with the seriesByTag & function with variable parameter, uses POST for /metrics/find requests.
  • TimeSeries: Assumes values are all numbers.
  • Gauge/BarGauge: Fixes issue with lost thresholds and an issue loading Gauge with the avg stat.
  • PanelLinks: Fixes crash issue with Gauge & Bar Gauge panels with panel links (drill down links), fixes render issue while there is no panel description.
  • OAuth: Fixes the missing saved state OAuth login failure due to SameSite cookie policy, fixes for wrong user token updated on the OAuth refresh in DS proxy.
  • Auth Proxy: Includes additional headers as a part of the cache key.
  • cli: Fix for recognizing when in dev mode, fixes the issue of encrypt-datasource-passwords failing with the sql error.
  • Permissions: Shows plugins in the navigation for non admin users but hides plugin configuration.
  • TimePicker: Increases max height of quick range dropdown and fixes style issue for custom range popover.
  • Loki: Displays live tailed logs in correct order in the Explore.
  • Timerange: Fixes a bug where custom time ranges were not following the Universal Time Coordinated (UTC).
  • remote_cache: Fixes the redis connstr parsing.
  • Alerting: Adds tags to alert rules, attempts to send email notifications to all the given email addresses, improves alert rule testing, and supports configuring the content field for the Discord alert notifier.
  • Alertmanager: Replaces illegal characters with underscore in the label names.
  • AzureMonitor: Changes clashing built-in Grafana variables or macro names for the Azure Logs.
  • CloudWatch: Made region visible for Amazon Web Services (AWS) Cloudwatch Expressions, adds the AWS DocDB metrics.
  • GraphPanel: Does not sort series when legend table and sort column is not visible.
  • InfluxDB: Supports visualizing logs in the Explore.
  • MySQL/Postgres/MSSQL: Adds parsing for day, weeks, and year intervals in macros, adds support for periodically reloading client certs.
  • Plugins: Replaces the dataFormats list with the skipDataQuery flag in the plugin.json file.
  • Refresh picker: Handles empty intervals.
  • Singlestat: Adds y min/max configuration to the singlestat sparklines.
  • Templating: Correctly displays the __text in the multi-value variable after page reloads, supports selecting all the filtered values of a multi-value variable.
  • Frontend: Fixes Json tree component not working issue.
  • InfluxDB: Fixes issues with single quotes not escaped in the label value filters.
  • Config: Fixes the connectionstring option for the remote_cache in the defaults.ini file.
  • Elasticsearch: Fixes the empty query (via template variable) should be sent as wildcard, fixes the default max concurrent shard requests, supports visualizing logs in the Explore.
  • TablePanel: Fixes the annotations display.
  • Grafana-CLI: Fixes receiving flags via command line, wrapper for the grafana-cli within the RPM/DEB packages and config/homepath are now global flags.
  • HTTPServer: Fixes the X-XSS-Protection header formatting, options for returning new headers X-Content-Type-Options, X-XSS-Protection and Strict-Transport-Security, fixes the Strict-Transport-Security header, serves Grafana with a custom URL path prefix.


pcp rebased to version 5.0.2

The pcp package has been upgraded to version 5.0.2, which provides multiple bug fixes and enhancements. Notable changes include:

  • The pcp-webapp-* packages are now replaced by the grafana-pcp package and pmproxy.
  • The pcp-collectl tool is now replaced by the pmrep configurations.
  • New and improved performance metric domain agents (PMDAs):

    • pmdamssql: New PMDA for Microsoft SQL Server implementation.
    • pmdanetcheck: New PMDA to perform network checks.
    • pmdaopenmetrics: Renames prometheus agent to openmetrics.
    • pmdanfsclient: Adds the per-op and per-mount rpc error metrics.
    • pmdalmsensors: Improvements in the name parsing and error handling.
    • pmdaperfevent: Supports hv_24x7 nest events on the multi-node system.
    • pmdalinux:

      • Correctly handles sparse or discontinuous numa nodes.
      • Uses cpu instname and not the instid for per-cpu numa stats.
      • Adds active and total slabs to slabinfo v2 parsing.
      • Fixes several unix socket and icmp6 metrics, hugepage metric value calculations, and a segfault in interrupts code with large CPU counts.
      • Fetches more network metrics in the --container namespace.
    • pmdabcc: Fixes the tracepoints module for the bcc 0.10.0 and higher versions.
    • pmdabpftrace: New PMDA for metrics from the bpftrace scripts.
    • pmdaproc:

      • Fixes memory leak in the pidlist refresh.
      • Avoids excessive stat calls in cgroups_scan.
      • Retains cgroup paths and only un-escape instance names.
    • pmdaroot: Improves handling of cached or inactive cgroup behaviour and refreshes the container indom on cgroup fs change as well.
  • Fixes to collector (server) tools:

    • pmproxy: Openmetrics support via the /metrics endpoint, consolidates the pmseries/grafana REST API, and adds new async PMWEBAPI(3) REST API implementation.
    • selinux: Numerous pcp policy updates.
    • python pmdas: Enables authentication support, new set_comm_flags method to set the communication flags.
    • python api: Exports the pmdaGetContext() and adds debugging wrapper.
    • perl api: Ensures context set up for PMDA store as with python wrapper.
    • systemd: Adds 120s timeout in all the services and fixes failure to start the pmlogger service.
  • Fixes to analysis (client) tools:

    • pmchart: Fixes chart auto-scaling under fetch error conditions.
    • pmrep: Fixes the wait.formula for collectl-dm-sD and collectl-sD.
    • pmseries: Provides support for the delta keyword and better timestamps.
    • pcp-atop: Fixes the write mode (-w) to handle the proc vs hotproc metrics.
    • pcp-atopsar: Fixes the mishandling of a few command line arguments.
    • pcp-dstat: Fixes misaligned headers in CSV output and handling of the --bits command line option.
    • libpcp: Fixes the cockpit-pcp segv with local context and multi-archive replay error handling for the corrupted archive(s).


grafana-pcp is now available in RHEL 8.2

The grafana-pcp package provides new grafana data sources and application plugins connecting PCP with grafana. With the grafana-pcp package, you can analyze historical PCP metrics and real-time PCP metrics using the pmseries query language and pmwebapi live services respectively. For more information, see Performance Co-Pilot Grafana Plugin.


Updated GCC Toolset 9

GCC Toolset 9 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

Notable changes introduced with RHEL 8.2 include:

  • The GCC compiler has been updated to version 9.2.1, which provides many bug fixes and enhancements that are available in upstream GCC.
  • The GCC Toolset 9 components are now available in the two container images:

    • rhel8/gcc-toolset-9-toolchain, which includes the GCC compiler, the GDB debugger, and the make automation tool.
    • rhel8/gcc-toolset-9-perftools, which includes the performance monitoring tools, such as SystemTap and Valgrind.

      To pull a container image, run the following command as root:

      # podman pull <image_name>

The following tools and versions are provided by GCC Toolset 9:


To install GCC Toolset 9, run the following command as root:

# yum install gcc-toolset-9

To run a tool from GCC Toolset 9:

$ scl enable gcc-toolset-9 tool

To run a shell session where tool versions from GCC Toolset 9 take precedence over system versions of these tools:

$ scl enable gcc-toolset-9 bash

For more information, see Using GCC Toolset.


GCC Toolset 9 now supports NVIDIA PTX target offloading

The GCC compiler in GCC Toolset 9 now supports OpenMP target offloading for NVIDIA PTX.


The updated GCC compiler is now available for RHEL 8.2

The system GCC compiler, version 8.3.1, has been updated to include numerous bug fixes and enhancements available in the upstream GCC.

The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and Fortran programming languages.

For usage information, see Developing C and C++ applications in RHEL 8.


A new tunable for changing the maximum fastbin size in glibc

The malloc function uses a series of fastbins that hold reusable memory chunks up to a specific size. The default maximum chunk size is 80 bytes on 32-bit systems and 160 bytes on 64-bit systems. This enhancement introduces a new glibc.malloc.mxfast tunable to glibc that enables you to change the maximum fastbin size.


Vectorized math library is now enabled for GNU Fortran in GCC Toolset 9

With this enhancement, GNU Fortran from GCC Toolset can now use routines from the vectorized math library libmvec. Previously, the Fortran compiler in GCC Toolset needed a Fortran header file before it could use routines from libmvec provided by the GNU C Library glibc.


The glibc.malloc.tcache tunable has been enhanced

The glibc.malloc.tcache_count tunable lets you set the maximum number of memory chunks of each size that can be stored in the per-thread cache (tcache). With this update, the upper limit of the glibc.malloc.tcache_count tunable has been increased from 127 to 65535.


The glibc dynamic loader is enhanced to provide a non-inheriting library preloading mechanism

With this enhancement, the loader can now be invoked to load a user program with a --preload option followed by a colon-separated list of libraries to preload. This feature allows users to invoke their programs directly through the loader with a non-inheriting library preload list.

Previously, users had to use the LD_PRELOAD environment variable, which was inherited by all child processes through their environment.


GDB now supports the ARCH(13) extension on the IBM Z architecture

With this enhancement, the GNU Debugger (GDB) now supports the new instructions implemented by the ARCH(13) extension on the IBM Z architecture.


elfutils rebased to version 0.178

The elfutils package has been upgraded to version 0.178, which provides multiple bug fixes and enhancements. Notable changes include:

  • elfclassify: a new tool to analyze ELF objects.
  • debuginfod: a new server, client tool, and library to index and automatically fetch ELF, DWARF, and source from files and RPM archives through HTTP.
  • libebl is now directly compiled into
  • eu-readelf has multiple new flags for notes, section numbering, and symbol tables.
  • libdw has improved multithreading support.
  • libdw supports additional GNU DWARF extensions.


SystemTap rebased to version 4.2

The SystemTap instrumentation tool has been updated to version 4.2. Notable enhancements include:

  • Backtraces can now include source file names and line numbers.
  • Numerous Berkeley Packet Filter (BPF) back-end extensions are now available, for example, for looping, timing, and other processes.
  • A new service for managing SystemTap scripts is available. This service sends metrics to a Prometheus-compatible monitoring system.
  • SystemTap has inherited functionality of a new HTTP file server for elfutils called debuginfod. This server automatically sends debugging resources to SystemTap.


Enhancements to IBM Z series performance counters

IBM Z series type 0x8561, 0x8562, and 0x3907 (z14 ZR1) machines are now recognized by libpfm. Performance events for monitoring elliptic-curve cryptography (ECC) operations on IBM Z series are now available. This allows monitoring of additional subsystems on IBM Z series machines.


Rust Toolset rebased to version 1.41

Rust Toolset has been updated to version 1.41. Notable changes include:

  • Implementing new traits is now easier because the orphan rule is less strict.
  • You can now attach the #[non_exhaustive] attribute to a struct, an enum, or enum variants.
  • Using Box<T> in the Foreign Function Interface (FFI) has more guarantees now. Box<T> will have the same Application Binary Interface (ABI) as a T* pointer in the FFI.
  • Rust is supposed to detect memory-safety bugs at compile time, but the previous borrow checker had limitations and allowed undefined behaviour and memory unsafety. The new non-lexical lifetimes (NLL) borrow checker can report memory unsafety problems as hard errors. It now applies to the Rust 2015 and Rust 2018 editions. Previously, in Rust 2015 the NLL borrow checker only raised warnings about such problems.

To install the rust-toolset module, run the following command as root:

# yum module install rust-toolset

For usage information, see Using Rust Toolset.


LLVM Toolset rebased to version 9.0.1

LLVM Toolset has been upgraded to version 9.0.1. With this update, the asm goto statements are now supported. This change makes it possible to compile the Linux kernel on the AMD64 and Intel 64 architectures.

To install the llvm-toolset module, run the following command as root:

# yum module install llvm-toolset

For more information, see Using LLVM Toolset.


Go Toolset rebased to version 1.13

Go Toolset has been upgraded to version 1.13. Notable enhancements include:

  • Go can now use a FIPS-certified cryptographic module when the RHEL system is booted in the FIPS mode. Users can enable this mode manually using the GOLANG_FIPS=1 environment variable.
  • The Delve debugger, version 1.3.2, is now available for Go. It is a source-level debugger for the Go (golang) programming language.

To install the go-toolset module, run the following command as root:

# yum module install go-toolset

To install the Delve debugger, run the following command as root:

# yum install delve

To debug a helloworld.go program using Delve, run the following command:

$ dlv debug helloworld.go

For more information on Go Toolset, see Using Go Toolset.

For more information on Delve, see the upstream Delve documentation.


OpenJDK now also supports secp256k1

Previously, Open Java Development Kit (OpenJDK) could use only curves from the NSS library. Consequently, OpenJDK provided only the secp256r1, secp384r1, and secp521r1 curves for elliptic curve cryptography (ECC). With this update, OpenJDK uses the internal ECC implementation and also supports the secp256k1 curve.

(BZ#1746875, BZ#1746879)

5.12. Identity Management

IdM now supports new Ansible management modules

This update introduces several ansible-freeipa modules for automating common Identity Management (IdM) tasks using Ansible playbooks:

  • The ipauser module automates adding and removing users.
  • The ipagroup module automates adding and removing users and user groups to and from user groups.
  • The ipahost module automates adding and removing hosts.
  • The ipahostgroup module automates adding and removing hosts and host groups to and from host groups.
  • The ipasudorule module automates the management of sudo commands and sudo rules.
  • The ipapwpolicy module automates the configuration of password policies in IdM.
  • The ipahbacrule module automates the management of host-based access control in IdM.

Note that you can combine two or more ipauser calls into one with the users variable or, alternatively, use a JSON file containing the users. Similarly, you can combine two or more ipahost calls into one with the hosts variable or, alternatively, use a JSON file containing the hosts. The ipahost module can also ensure the presence or absence of several IPv4 and IPv6 addresses for a host.


IdM Healthcheck now supports screening DNS records

This update introduces a standalone manual test of DNS records on an Identity Management (IdM) server.

The test uses the Healthcheck tool and performs a DNS query using the local resolver configured in the /etc/resolv.conf file. The test ensures that the expected DNS records required for autodiscovery are resolvable.


Direct integration of RHEL into AD using SSSD now supports FIPS

With this enhancement, the System Services Security Daemon (SSSD) now integrates with Active Directory (AD) deployments whose authentication mechanisms use encryption types that were approved by the Federal Information Processing Standard (FIPS). The enhancement enables you to directly integrate RHEL systems into AD in environments that must meet the FIPS criteria.


The SMB1 protocol has been disabled in the Samba server and client utilities by default

In Samba 4.11, the default values of the server min protocol and client min protocol parameters have been changed from NT1 to SMB2_02 because the server message block version 1 (SMB1) protocol is deprecated. If you have not set these parameters in the /etc/samba/smb.conf file:

  • Clients that only support SMB1 are no longer able to connect to the Samba server.
  • Samba client utilities, such as smbclient, and the libsmbclient library fail to connect to servers that only support SMB1.

Red Hat recommends not using the SMB1 protocol. However, if your environment requires SMB1, you can manually re-enable the protocol.

To re-enable SMB1 on a Samba server:

  • Add the following setting to the /etc/samba/smb.conf file:
server min protocol = NT1
  • Restart the smb service:
# systemctl restart smb

To re-enable SMB1 for Samba client utilities and the libsmbclient library:

  • Add the following setting to the /etc/samba/smb.conf file:
client min protocol = NT1
  • Restart the smb service:
# systemctl restart smb

Note that the SMB1 protocol will be removed in a future Samba release.
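
The following check is an added example, not part of the Red Hat release notes: it reports whether a smb.conf file lowers server min protocol or client min protocol back to SMB1. The smb1_audit function name and the sample file are constructed for illustration, and the parser is a simplified reading of the [global] section; CORE, COREPLUS, LANMAN1, and LANMAN2 are the other pre-SMB2 values these parameters accept.

```bash
# smb1_audit FILE
# Reads the [global] section of a smb.conf-style file and prints
#   server <min protocol> <verdict>
#   client <min protocol> <verdict>
# where the verdict is SMB1 if the minimum dialect still admits SMB1 (NT1) or
# an older dialect, and ok otherwise. Unset parameters take the SMB2_02 default.
# Simplification (assumption): include directives and line continuations are
# not followed.
smb1_audit() {
    awk '
    function verdict(v) {
        return (v ~ /^(CORE|COREPLUS|LANMAN1|LANMAN2|NT1)$/) ? "SMB1" : "ok"
    }
    BEGIN { srv = "SMB2_02"; cli = "SMB2_02" }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    /^$/ || /^[#;]/ { next }
    /^\[.*\]$/ { section = tolower(substr($0, 2, length($0) - 2)); next }
    section != "global" { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        # Samba ignores case and whitespace in parameter names.
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = toupper(substr($0, eq + 1))
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "serverminprotocol") srv = val
        if (key == "clientminprotocol") cli = val
    }
    END {
        print "server", srv, verdict(srv)
        print "client", cli, verdict(cli)
    }' "$1"
}

# Constructed sample: the server re-enables SMB1, the client line is commented
# out, and the setting under [share] is outside [global] and is not counted.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
    workgroup = EXAMPLE
    Server Min Protocol = nt1
    ; client min protocol = NT1
[share]
    server min protocol = CORE
EOF
smb1_audit "$sample"
rm -f "$sample"
```

On a live system, testparm shows the values Samba actually loads, including any included files.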


samba rebased to version 4.11.2

The samba packages have been upgraded to upstream version 4.11.2, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:

  • By default, the server message block version 1 (SMB1) protocol is now disabled in the Samba server, client utilities, and the libsmbclient library. However, you can still set the server min protocol and client min protocol parameters manually to NT1 to re-enable SMB1. Red Hat does not recommend re-enabling the SMB1 protocol.
  • The lanman auth and encrypt passwords parameters are deprecated. These parameters enable insecure authentication and are only available in the deprecated SMB1 protocol.
  • The -o parameter has been removed from the onode clustered trivial database (CTDB) utility.
  • Samba now uses the GnuTLS library for encryption. As a result, if the FIPS mode in RHEL is enabled, Samba is compliant with the FIPS standard.
  • The ctdbd service now logs when it uses more than 90% of a CPU thread.
  • The deprecated Python 2 support has been removed.

Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.

For further information about notable changes, read the upstream release notes before updating:


Directory Server rebased to version

The 389-ds-base packages have been upgraded to upstream version, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:


Certain legacy scripts have been replaced in Directory Server

This enhancement provides replacements for the unsupported dbverify,,,, and legacy scripts in Directory Server. These scripts have been replaced with the following commands:

  • dbverify: dsctl instance_name dbverify
  • dsconf schema validate-syntax
  • dsconf replication dump-changelog
  • dsconf plugin posix-winsync fixup
  • dsconf replication monitor

For a list of all legacy scripts and their replacements, see Command-line utilities replaced in Red Hat Directory Server 11.


Setting up IdM as a hidden replica is now fully supported

Identity Management (IdM) in RHEL 8.2 fully supports setting up IdM servers as hidden replicas. A hidden replica is an IdM server that has all services running and available. However, it is not advertised to other clients or masters because no SRV records exist for the services in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas.

Hidden replicas are primarily designed for dedicated services that can otherwise disrupt clients. For example, a full backup of IdM requires shutting down all IdM services on the master or replica. Since no clients use a hidden replica, administrators can temporarily shut down the services on this host without affecting any clients. Other use cases include high-load operations on the IdM API or the LDAP server, such as a mass import or extensive queries.

To install a new hidden replica, use the ipa-replica-install --hidden-replica command. To change the state of an existing replica, use the ipa server-state command.

For further details, see Installing an IdM hidden replica.


Kerberos ticket policy now supports authentication indicators

Authentication indicators are attached to Kerberos tickets based on which pre-authentication mechanism has been used to acquire the ticket:

  • otp for two-factor authentication (password + OTP)
  • radius for RADIUS authentication
  • pkinit for PKINIT, smart card or certificate authentication
  • hardened for hardened passwords (SPAKE or FAST)

The Kerberos Distribution Center (KDC) can enforce policies, such as service access control, maximum ticket lifetime, and maximum renewable age, on service ticket requests based on the authentication indicators.

With this enhancement, administrators can achieve finer control over service ticket issuance by requiring specific authentication indicators from a user’s tickets.


The krb5 package is now FIPS-compliant

With this enhancement, non-compliant cryptography is prohibited. As a result, administrators can use Kerberos in FIPS-regulated environments.


Directory Server sets the sslVersionMin parameter based on the system-wide crypto policy

By default, Directory Server now sets the value of the sslVersionMin parameter based on the system-wide crypto policy. If you set the crypto policy profile in the /etc/crypto-policies/config file to:

  • DEFAULT, FUTURE, or FIPS, Directory Server sets sslVersionMin to TLS1.2
  • LEGACY, Directory Server sets sslVersionMin to TLS1.0

Alternatively, you can manually set sslVersionMin to a higher value than the one defined in the crypto policy:

# dsconf -D "cn=Directory Manager" ldap://server.example.com security set --tls-protocol-min TLS1.3


5.13. Desktop

Wayland is now enabled on dual-GPU systems

Previously, the GNOME environment defaulted to the X11 session on laptops and other systems that have two graphical processing units (GPUs). With this release, GNOME now defaults to the Wayland session on dual-GPU systems, which is the same behavior as on single-GPU systems.


5.14. Graphics infrastructures

Support for new graphics cards

The following graphics cards are now supported:

  • Intel HD Graphics 610, 620, and 630, which are found with the Intel Comet Lake H and U processors
  • Intel Ice Lake UHD Graphics 910 and Iris Plus Graphics 930, 940, and 950.

    You no longer need to set the alpha_support kernel option to enable support for Intel Ice Lake graphics.

  • The AMD Navi 10 family, which includes the following models:

    • Radeon RX 5600
    • Radeon RX 5600 XT
    • Radeon RX 5700
    • Radeon RX 5700 XT
    • Radeon Pro W5700
  • The Nvidia Turing TU116 family, which includes the following models.

    Note that the nouveau graphics driver does not yet support 3D acceleration with the Nvidia Turing TU116 family.

    • GeForce GTX 1650 Super
    • GeForce GTX 1660
    • GeForce GTX 1660 Super
    • GeForce GTX 1660 Ti
    • GeForce GTX 1660 Ti Max-Q

Additionally, the following graphics drivers have been updated:

  • The Matrox mgag200 driver
  • The Aspeed ast driver
  • The Intel i915 driver


5.15. The web console

Administrators can now use client certificates to authenticate to the RHEL 8 web console

With this web console enhancement, a system administrator can use client certificates to access a RHEL 8 system locally or remotely using a browser with certificate authentication built in. No additional client software is required. These certificates are commonly provided by a smart card or YubiKey, or can be imported into the browser.

When logging in with a certificate, the user cannot currently perform administrative actions in the web console. But the user can perform them on the Terminal page with the sudo command after authenticating with a password.


Option to log in to the web console with a TLS client certificate

With this update, it is possible to configure the web console to log in with a TLS client certificate that is provided by a browser or a device such as a smart card or a YubiKey.


Changes to web console login

RHEL web console has been updated with the following changes:

  • The web console will automatically log you out of your current session after 15 minutes of inactivity. You can configure the timeout in minutes in the /etc/cockpit/cockpit.conf file.
  • Similarly to SSH, the web console can now optionally show the content of banner files on the login screen. Users need to configure the functionality in the /etc/cockpit/cockpit.conf file.

See the cockpit.conf(5) manual page for more information.


The RHEL web console has been redesigned to use the PatternFly 4 user interface design system

The new design provides better accessibility and matches the design of OpenShift 4. Updates include:

  • The Overview page has been completely redesigned. For example, information is grouped into easier-to-understand panels, health information is more prominent, resource graphs have been moved to their own page, and the hardware information page is now easier to find.
  • Users can use the new Search field in the Navigation menu to easily find specific pages that are based on keywords.

For more information about PatternFly, see the PatternFly project page.


Virtual Machines page updates

The web console’s Virtual Machines page got several storage improvements:

  • Storage volume creation now works for all libvirt-supported types.
  • Storage pools can be created on LVM or iSCSI.

Additionally, the Virtual Machines page now supports the creation and removal of virtual network interfaces.

(BZ#1676506, BZ#1672753)

Web console Storage page updates

Usability testing showed that the default mount point concept on the RHEL web console Storage page was hard to grasp, and led to a lot of confusion. With this update, the web console no longer offers a Default choice when mounting a file system. Creating a new file system now always requires a specified mount point.

Additionally, the web console now hides the distinction between the configuration (/etc/fstab) and the run-time state (/proc/mounts). Changes made in the web console always apply to both the configuration and the run-time state. When the configuration and the run-time state differ from each other, the web console shows a warning and enables users to easily bring them back in sync.


5.16. Virtualization

Attempting to create a RHEL virtual machine from an install tree now returns a more helpful error message

RHEL 7 and RHEL 8 virtual machines created using the virt-install utility with the --location option in some cases fail to boot. This update adds a virt-install error message that provides instructions on how to work around this problem.


Intel Xeon Platinum 9200 series processors supported on KVM guests

Support for Intel Xeon Platinum 9200 series processors (previously known as Cascade Lake) has now been added to the KVM hypervisor and kernel code, and to the libvirt API. This enables KVM virtual machines to use Intel Xeon Platinum 9200 series processors.


EDK2 rebased to version stable201908

The EDK2 package has been upgraded to version stable201908, which provides multiple enhancements. Notably:

  • EDK2 now includes support for OpenSSL-1.1.1.
  • To comply with the upstream project’s licensing requirements, the EDK2 package license has been changed from BSD and OpenSSL and MIT to BSD-2-Clause-Patent and OpenSSL and MIT.


Creating nested virtual machines

With this update, nested virtualization is fully supported for KVM virtual machines (VMs) running on an Intel 64 host with RHEL 8. With this feature, a RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its own VMs.

Note that on AMD64 systems, nested KVM virtualization remains a Technology Preview.


5.17. Containers

The default registries search list in /etc/containers/registries.conf has been updated

The default list in /etc/containers/registries.conf has been updated to only include trusted registries that provide container images curated, patched, and maintained by Red Hat and its partners.

Red Hat recommends always using fully qualified image names including:

  • The registry server (full DNS name)
  • Namespace
  • Image name
  • Tag (for example

When using short names, there is always an inherent risk of spoofing. For example, a user wants to pull an image named foobar from a registry and expects it to come from If is not first in the search list, an attacker could place a different foobar image at a registry earlier in the search list. The user would accidentally pull and run the attacker image and code rather than the intended content. Red Hat recommends only adding registries which are trusted, that is, registries which do not allow unknown or anonymous users to create accounts with arbitrary names. This prevents an image from being spoofed, squatted or otherwise made insecure.
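
A lint for the recommendation above, as an added example that is not part of the Red Hat release notes: it flags image references that rely on the registry search list instead of naming the registry, namespace, image, and tag. The function names, the registry.example.com host, and the sample file are constructed for illustration; accepting an @sha256 digest in place of a tag is an assumption of this sketch.

```bash
# image_ref_check REF
# Prints "fully qualified" and returns 0 when REF names a registry (a DNS name
# containing a dot), a namespace, an image name, and a tag or digest.
# Otherwise prints the reason and returns 1.
image_ref_check() {
    ref=$1
    case $ref in
        */*) ;;
        *) echo "short name: no registry given"; return 1 ;;
    esac
    registry=${ref%%/*}
    rest=${ref#*/}
    host=${registry%%:*}                 # drop an optional :port
    case $host in
        *.*) ;;
        *) echo "short name: '$registry' is not a full DNS name"; return 1 ;;
    esac
    case $rest in
        */*) ;;
        *) echo "missing namespace"; return 1 ;;
    esac
    case ${rest##*/} in
        *@sha256:*|*:?*) ;;
        *) echo "missing tag"; return 1 ;;
    esac
    echo "fully qualified"
}

# audit_refs FILE
# Checks the image named on every FROM line and every "podman pull" line.
# Simplification: a FROM that refers to an earlier build stage is also flagged.
audit_refs() {
    awk 'toupper($1) == "FROM" {
             for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print NR, $i; break }
         }
         $1 == "podman" && $2 == "pull" { print NR, $NF }' "$1" |
    while read -r lineno ref; do
        [ "$ref" = "scratch" ] && continue
        if ! msg=$(image_ref_check "$ref"); then
            echo "line $lineno: $ref: $msg"
        fi
    done
}

# Constructed sample input.
sample=$(mktemp)
cat > "$sample" <<'EOF'
FROM registry.example.com/team/base:8.2 AS build
FROM foobar
podman pull registry.example.com/team/foobar
podman pull registry.example.com/team/foobar:1.0
EOF
audit_refs "$sample"
rm -f "$sample"
```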


Podman no longer depends on oci-systemd-hook

Podman does not need or depend on the oci-systemd-hook package which has been removed from the container-tools:rhel8 and container-tools:2.0 module streams.