Chapter 8. Deprecated functionality
This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8.
Deprecated functionality continues to be supported until the end of life of Red Hat Enterprise Linux 8. Deprecated functionality will likely not be supported in future major releases of this product and is not recommended for new deployments. For the most recent list of deprecated functionality within a particular major release, refer to the latest version of release documentation.
Deprecated hardware components are not recommended for new deployments on the current or future major releases. Hardware driver updates are limited to security and critical fixes only. Red Hat recommends replacing this hardware as soon as reasonably feasible.
A package can be deprecated and not recommended for further use. Under certain circumstances, a package can be removed from a product. Product documentation then identifies more recent packages that offer functionality similar, identical, or more advanced to the one deprecated, and provides further recommendations.
For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations in adopting RHEL 8 .
8.1. Installer and image creation
Several Kickstart commands and options have been deprecated
Using the following commands and options in RHEL 8 Kickstart files will print a warning in the logs.
Where only specific options are listed, the base command and its other options are still available and not deprecated.
For more details and related changes in Kickstart, see the Kickstart changes section of the Considerations in adopting RHEL 8 document.
--interactive option of the
ignoredisk Kickstart command has been deprecated
--interactive option in future releases of Red Hat Enterprise Linux will result in a fatal installation error. It is recommended that you modify your Kickstart file to remove the option.
lorax-composer back end for Image Builder is deprecated in RHEL 8
The previous back end
lorax-composer for Image Builder is considered deprecated. It will only receive select fixes for the rest of the Red Hat Enterprise Linux 8 life cycle and will be omitted from future major releases. Red Hat recommends that you uninstall
lorax-composer the and install
osbuild-composer back end instead.
See Composing a customized RHEL system image for more details.
8.2. Software management
rpmbuild --sign is deprecated
With this update, the
rpmbuild --sign command has become deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in an error. It is recommended that you use the
rpmsign command instead.
NSS SEED ciphers are deprecated
The Mozilla Network Security Services (
NSS) library will not support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends enabling support for other cipher suites.
Note that SEED ciphers are already disabled by default in RHEL.
TLS 1.0 and TLS 1.1 are deprecated
The TLS 1.0 and TLS 1.1 protocols are disabled in the
DEFAULT system-wide cryptographic policy level. If your scenario, for example, a video conferencing application in the Firefox web browser, requires using the deprecated protocols, switch the system-wide cryptographic policy to the
# update-crypto-policies --set LEGACY
For more information, see the Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal and the
update-crypto-policies(8) man page.
DSA is deprecated in RHEL 8
The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note that
OpenSSH clients do not accept DSA host keys even in the
LEGACY system-wide cryptographic policy level.
Client Hello has been deprecated in
The Transport Layer Security (
TLS) protocol version 1.2 and earlier allow to start a negotiation with a
Client Hello message formatted in a way that is backward compatible with the Secure Sockets Layer (
SSL) protocol version 2. Support for this feature in the Network Security Services (
NSS) library has been deprecated and it is disabled by default.
Applications that require support for this feature need to use the new
SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this feature may be removed completely in future releases of Red Hat Enterprise Linux 8.
TPM 1.2 is deprecated
The Trusted Platform Module (TPM) secure cryptoprocessor standard version was updated to version 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major release.
Network scripts are deprecated in RHEL 8
Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by default. The basic installation provides a new version of the
ifdown scripts which call the NetworkManager service through the nmcli tool. In Red Hat Enterprise Linux 8, to run the
ifup and the
ifdown scripts, NetworkManager must be running.
Note that custom commands in
ifdown-local scripts are not executed.
If any of these scripts are required, the installation of the deprecated network scripts in the system is still possible with the following command:
~]# yum install network-scripts
ifdown scripts link to the installed legacy network scripts.
Calling the legacy network scripts shows a warning about their deprecation.
Installing RHEL for Real Time 8 using diskless boot is now deprecated
Diskless booting allows multiple systems to share a root file system via the network. While convenient, diskless boot is prone to introducing network latency in realtime workloads. With a future minor update of RHEL for Real Time 8, the diskless booting feature will no longer be supported.
qla3xxx driver is deprecated
qla3xxx driver has been deprecated in RHEL 8. The driver will likely not be supported in future major releases of this product, and thus it is not recommended for new deployments.
dlci drivers are deprecated
dlci drivers have been deprecated in RHEL 8. The drivers will likely not be supported in future major releases of this product, and thus they are not recommended for new deployments.
8.6. File systems and storage
elevator kernel command line parameter is deprecated
elevator kernel command line parameter was used in earlier RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated.
The upstream Linux kernel has removed support for the
elevator parameter, but it is still available in RHEL 8 for compatibility reasons.
Note that the kernel selects a default disk scheduler based on the type of device. This is typically the optimal setting. If you require a different scheduler, Red Hat recommends that you use
udev rules or the Tuned service to configure it. Match the selected devices and switch the scheduler only for those devices.
For more information, see Setting the disk scheduler.
mirror is deprecated
mirror segment type is now deprecated. Support for
mirror will be removed in a future major release of RHEL.
Red Hat recommends that you use LVM RAID 1 devices with a segment type of
raid1 instead of
raid1 segment type is the default RAID configuration type and replaces
mirror as the recommended solution.
mirror devices to
raid1, see Converting a mirrored LVM device to a RAID1 device.
mirror has several known issues. For details, see known issues in file systems and storage.
peripety is deprecated
peripety package is deprecated since RHEL 8.3.
The Peripety storage event notification daemon parses system storage logs into structured storage events. It helps you investigate storage issues.
NFSv3 over UDP has been disabled
The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. This change affects only NFS version 3 because version 4 requires the Transmission Control Protocol (TCP).
NFS over UDP is no longer supported in RHEL 8.
8.7. Identity Management
openssh-ldap has been deprecated
openssh-ldap subpackage has been deprecated in Red Hat Enterprise Linux 8 and will be removed in RHEL 9. As the
openssh-ldap subpackage is not maintained upstream, Red Hat recommends using SSSD and the
sss_ssh_authorizedkeys helper, which integrate better with other IdM solutions and are more secure.
By default, the SSSD
ipa providers read the
sshPublicKey LDAP attribute of the user object, if available. Note that you cannot use the default SSSD configuration for the
ad provider or IdM trusted domains to retrieve SSH public keys from Active Directory (AD), since AD does not have a default LDAP attribute to store a public key.
To allow the
sss_ssh_authorizedkeys helper to get the key from SSSD, enable the
ssh responder by adding
ssh to the
services option in the
sssd.conf file. See the
sssd.conf(5) man page for details.
sshd to use
sss_ssh_authorizedkeys, add the
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys and
AuthorizedKeysCommandUser nobody options to the
/etc/ssh/sshd_config file as described by the
sss_ssh_authorizedkeys(1) man page.
DES and 3DES encryption types have been removed
Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) and triple-DES (3DES) encryption types have been removed from RHEL 8.
If you have configured services or users to only use DES or 3DES encryption, you might experience service interruptions such as:
- Kerberos authentication errors
unknown enctypeencryption errors
Kerberos Distribution Centers (KDCs) with DES-encrypted Database Master Keys (
K/M) fail to start
Perform the following actions to prepare for the upgrade:
Check if your KDC uses DES or 3DES encryption with the
krb5checkopen source Python scripts. See krb5check on GitHub.
- If you are using DES or 3DES encryption with any Kerberos principals, re-key them with a supported encryption type, such as Advanced Encryption Standard (AES). For instructions on re-keying, see Retiring DES from MIT Kerberos Documentation.
Test independence from DES and 3DES by temporarily setting the following Kerberos options before upgrading:
/var/kerberos/krb5kdc/kdc.confon the KDC, set
supported_enctypesand do not include
For every host, in
/etc/krb5.confand any files in
false. It is false by default.
For every host, in
/etc/krb5.confand any files in
default_tkt_enctypesand do not include
- If you do not experience any service interruptions with the test Kerberos settings from the previous step, remove them and upgrade. You do not need those settings after upgrading to the latest Kerberos packages.
libgnome-keyring library has been deprecated
libgnome-keyring library has been deprecated in favor of the
libsecret library, as
libgnome-keyring is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. The new
libsecret library is the replacement that follows the necessary security standards.
8.9. Graphics infrastructures
AGP graphics cards are no longer supported
Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement.
8.10. The web console
The web console no longer supports incomplete translations
The RHEL web console no longer provides translations for languages that have translations available for less than 50 % of the Console’s translatable strings. If the browser requests translation to such a language, the user interface will be in English instead.
8.11. Red Hat Enterprise Linux System Roles
geoipupdate package has been deprecated
geoipupdate package requires a third-party subscription and it also downloads proprietary content. Therefore, the
geoipupdate package has been deprecated, and will be removed in the next major RHEL version.
virt-manager has been deprecated
The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL 8 web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager may not be yet available the RHEL 8 web console.
(JIRA:RHELPLAN-10304, BZ#1798631, BZ#1808012, JIRA:RHELPLAN-45934, JIRA:RHELPLAN-24437, BZ#1667516, BZ#1667225)
Virtual machine snapshots are not properly supported in RHEL 8
The current mechanism of creating virtual machine (VM) snapshots has been deprecated, as it is not working reliably. As a consequence, it is recommended not to use VM snapshots in RHEL 8.
Note that a new VM snapshot mechanism is under development and will be fully implemented in a future minor release of RHEL 8.
The Cirrus VGA virtual GPU type has been deprecated
With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga, virtio-vga, or qxl devices instead of Cirrus VGA.
SPICE has been deprecated
In RHEL 8.3, the SPICE remote display protocol has been deprecated. Note that SPICE will remain supported in RHEL 8, but Red Hat recommends using alternate solutions for remote display streaming:
- For remote console access, use the VNC protocol.
- For advanced remote display functions, use third party tools such as RDP, HP RGS, or Mechdyne TGX.
Podman varlink-based REST API V1 has been deprecated
The Podman varlink-based REST API V1 has been deprecated upstream in favor of the new Podman REST API V2. This functionality will be removed in a later release of Red Hat Enterprise Linux 8.
(JIRA:RHELPLAN-60226, BZ#1798631, BZ#1808012, JIRA:RHELPLAN-45934, JIRA:RHELPLAN-24437, BZ#1667516, BZ#1667225)
8.14. Deprecated packages
The following packages have been deprecated and will probably not be included in a future major release of Red Hat Enterprise Linux: