Chapter 5. New features

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.3.

5.1. Installer and image creation

Anaconda rebased to version 33.16

With this release, Anaconda has been rebased to version 33.16. This version provides the following notable enhancements over the previous version.

  • The Installation Program now displays static IPv6 addresses on multiple lines and no longer resizes the windows.
  • The Installation Program now displays supported NVDIMM device sector sizes.
  • Host name is now configured correctly on an installed system having IPv6 static configuration.
  • You can now use non-ASCII characters in the disk encryption passphrase.
  • The Installation Program displays a proper recommendation to create a new file system on /boot, /tmp, and all /var and /usr mount points except /usr/local and /var/www.
  • The Installation Program now correctly checks the keyboard layout and does not change the status of the Keyboard Layout screen when the keyboard keys (ALT+SHIFT) are used to switch between different layouts and languages.
  • Rescue mode no longer fails on systems with existing RAID1 partitions.
  • Changing of the LUKS version of the container is now available in the Manual Partitioning screen.
  • The Installation Program successfully finishes the installation without the btrfs-progs package.
  • The Installation Program now uses the default LUKS2 version for an encrypted container.
  • The Installation Program no longer crashes when a Kickstart file places physical volumes (PVs) of a Logical volume group (VG) on an ignoredisk list.
  • Introduces a new mount path /mnt/sysroot for system root. This path is used to mount / of the target system. Usually, the physical root and the system root are the same, so /mnt/sysroot is attached to the same file system as /mnt/sysimage. The only exceptions are rpm-ostree systems, where the system root changes based on the deployment. Then, /mnt/sysroot is attached to a subdirectory of /mnt/sysimage. It is recommended to use /mnt/sysroot for chroot.

(BZ#1691319, BZ#1679893, BZ#1684045, BZ#1688478, BZ#1700450, BZ#1720145, BZ#1723888, BZ#1754977, BZ#1755996, BZ#1784360, BZ#1796310, BZ#1871680)

GUI changes in RHEL Installation Program

The RHEL Installation Program now includes the following user settings on the Installation Summary window:

  • Root password
  • User creation

With this change, you can now configure a root password and create a user account before you begin the installation. Previously, you configured a root password and created a user account after you began the installation process.

A root password is used to log in to the administrator (also known as superuser or root) account which is used for system administration tasks. The user name is used to log in from a command line; if you install a graphical environment, then your graphical login manager uses the full name. For more details, see Performing a standard RHEL installation document.

(JIRA:RHELPLAN-40469)

Image Builder backend osbuild-composer replaces lorax-composer

The osbuild-composer backend replaces lorax-composer. The new service provides REST APIs for image building. As a result, users can benefit from a more reliable backend and more predictable output images.

(BZ#1836211)

Image Builder osbuild-composer supports a set of image types

With the osbuild-composer backend replacement, the following image types are supported in osbuild-composer at this time:

  • TAR Archive (.tar)
  • QEMU QCOW2 (.qcow2)
  • VMware Virtual Machine Disk (.vmdk)
  • Amazon Machine Image (.ami)
  • Azure Disk Image (.vhd)
  • OpenStack Image (.qcow2)

The following outputs are not supported at this time:

  • ext4-filesystem
  • partitioned-disk
  • Alibaba Cloud
  • Google GCE

(JIRA:RHELPLAN-42617)

Image Builder now supports push to clouds through GUI

With this enhancement, when creating images, users can choose the option of pushing them to the Azure and AWS clouds through the Image Builder GUI. As a result, users can benefit from easier uploads and instantiation.

(JIRA:RHELPLAN-30878)

5.2. RHEL for Edge

Introducing RHEL for Edge images

With this release, you can now create customized RHEL images for Edge servers.

You can use Image Builder to create RHEL for Edge images, and then use RHEL installer to deploy them on AMD and Intel 64-bit systems. Image Builder generates a RHEL for Edge image as rhel-edge-commit in a .tar file.

A RHEL for Edge image is an rpm-ostree image that includes system packages for remotely installing RHEL on Edge servers.

The system packages include:

  • Base OS package
  • Podman as the container engine

You can customize the image to configure the OS content according to your requirements, and deploy it on physical and virtual machines.

With a RHEL for Edge image, you can achieve the following:

  • Atomic upgrades, where the state of each update is known and no changes are seen until you reboot the device.
  • Custom health checks using Greenboot and intelligent rollbacks for resiliency in case of failed upgrades.
  • Container-focused workflows, where you can separate core OS updates from the application updates, and test and deploy different versions of applications.
  • Optimized OTA payloads for low-bandwidth environments.
  • Custom health checks using Greenboot to ensure resiliency.

For more information about composing, installing, and managing RHEL for Edge images, see Composing, Installing, and Managing RHEL for Edge images.

(JIRA:RHELPLAN-56676)

5.3. Software management

The default value for the best dnf configuration option has been changed from True to False

With this update, the built-in default of the best dnf configuration option has changed from True to False, but the option is set to True in the default configuration file to retain the original dnf behavior. As a result, for users of the default configuration file the behavior remains unchanged.

If you provide your own configuration files, make sure that the best=True option is present to retain the original behavior.

(BZ#1832869)

New --norepopath option for the dnf reposync command is now available

Previously, the reposync command created a subdirectory under the --download-path directory for each downloaded repository by default. With this update, the --norepopath option has been introduced, and with it reposync does not create the subdirectory. As a result, the repository is downloaded directly into the directory specified by --download-path. This option is also present in YUM v3.

(BZ#1842285)

Ability to enable and disable the libdnf plugins

Previously, subscription checking was hardcoded into the RHEL version of the libdnf plug-ins. With this update, the microdnf utility can enable and disable the libdnf plug-ins, and subscription checking can now be disabled the same way as in DNF. To disable subscription checking, use the --disableplugin=subscription-manager option. To disable all plug-ins, use the --noplugins option.

(BZ#1781126)

5.4. Shells and command-line tools

ReaR updates

RHEL 8.3 introduces a number of updates to the Relax-and-Recover (ReaR) utility. Notable changes include:

  • Support for the third-party Rubrik Cloud Data Management (CDM) as external backup software has been added. To use it, set the BACKUP option in the configuration file to CDM.
  • Creation of a rescue image with a file larger than 4 GB on the IBM POWER little-endian architecture has been enabled.
  • Disk layout created by ReaR no longer includes entries for Rancher 2 Longhorn iSCSI devices and file systems.

(BZ#1743303)

smartmontools rebased to version 7.1

The smartmontools package has been upgraded to version 7.1, which provides multiple bug fixes and enhancements. Notable changes include:

  • HDD, SSD and USB additions to the drive database.
  • New options -j and --json to enable JSON output mode.
  • Workaround for the incomplete Log subpages response from some SAS SSDs.
  • Improved handling of READ CAPACITY command.
  • Various improvements for the decoding of the log pages.

(BZ#1671154)

opencryptoki rebased to version 3.14.0

The opencryptoki packages have been upgraded to version 3.14.0, which provides multiple bug fixes and enhancements. Notable changes include:

  • EP11 cryptographic service enhancements:

    • Dilithium support
    • Edwards-curve digital signature algorithm (EdDSA) support
    • Support of Rivest–Shamir–Adleman optimal asymmetric encryption padding (RSA-OAEP) with non-SHA1 hash and mask generation function (MGF)
  • Enhanced process and thread locking
  • Enhanced btree and object locking
  • Support for new IBM Z hardware z15
  • Support of multiple token instances for trusted platform module (TPM), IBM cryptographic architecture (ICA) and integrated cryptographic service facility (ICSF)
  • Added a new tool p11sak, which lists the token keys in an openCryptoki token repository
  • Added a utility to migrate a token repository to FIPS compliant encryption
  • Fixed pkcsep11_migrate tool
  • Minor fixes of the ICSF software

(BZ#1780293)

gpgme rebased to version 1.13.1

The gpgme packages have been upgraded to upstream version 1.13.1. Notable changes include:

  • New context flags no-symkey-cache (has an effect when used with GnuPG 2.2.7 or later), request-origin (has an effect when used with GnuPG 2.2.6 or later), auto-key-locate, and trust-model have been introduced.
  • New tool gpgme-json as native messaging server for web browsers has been added. As of now, the public key encryption and decryption is supported.
  • New encryption API to support direct key specification including hidden recipients option and taking keys from a file has been introduced. This also allows the use of a subkey.

(BZ#1829822)

5.5. Infrastructure services

powertop rebased to version 2.12

The powertop packages have been upgraded to version 2.12. Notable changes over the previously available version 2.11 include:

  • Use of Device Interface Power Management (DIPM) for SATA link PM.
  • Support for Intel Comet Lake mobile and desktop systems, the Skylake server, and the Atom-based Tremont architecture (Jasper Lake).

(BZ#1783110)

tuned rebased to version 2.14.0

The tuned packages have been upgraded to upstream version 2.14.0. Notable enhancements include:

  • The optimize-serial-console profile has been introduced.
  • Support for a post loaded profile has been added.
  • The irqbalance plugin for handling irqbalance settings has been added.
  • Architecture specific tuning for Marvell ThunderX and AMD based platforms has been added.
  • Scheduler plugin has been extended to support cgroups-v1 for CPU affinity setting.

(BZ#1792264)

tcpdump rebased to version 4.9.3

The tcpdump utility has been updated to version 4.9.3 to fix Common Vulnerabilities and Exposures (CVEs).

(BZ#1804063)

libpcap rebased to version 1.9.1

The libpcap packages have been updated to version 1.9.1 to fix Common Vulnerabilities and Exposures (CVEs).

(BZ#1806422)

iperf3 now supports sctp option on the client side

With this enhancement, the user can use Stream Control Transmission Protocol (SCTP) instead of Transmission Control Protocol (TCP) on the client side of testing network throughput.

The following options for iperf3 are now available on the client side of testing:

  • --sctp
  • --xbind
  • --nstreams

To obtain more information, see Client Specific Options in the iperf3 man page.

(BZ#1665142)

iperf3 now supports SSL

With this enhancement, the user can use RSA authentication between the client and the server to restrict the connections to the server only to legitimate clients.

The following options for iperf3 are now available on the server side:

  • --rsa-private-key-path
  • --authorized-users-path

The following options for iperf3 are now available on the client side of communication:

  • --username
  • --rsa-public-key-path
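As an added example, not part of the iperf3 project or of these release notes, the following Python code builds and checks entries for the file that the server reads through --authorized-users-path. It assumes the file format documented in the iperf3 man page: one username,hash pair per line, where the hash is the hex SHA-256 of the string "{username}password" (the braces are part of the hashed input), and lines starting with # are comments; check this against the man page of your iperf3 version before relying on it. The credentials in the block are constructed sample values.

```python
"""Build and verify entries for the iperf3 --authorized-users-path file.

Added example; not part of iperf3 or of these release notes. The file
format is assumed to be the one from the iperf3 man page:
    username,<hex sha256 of "{username}password">
one entry per line, with '#' starting a comment line.
"""
import hashlib
import hmac
from typing import Dict


def password_hash(username: str, password: str) -> str:
    """SHA-256 over "{username}password"; the braces are literally part of
    the hashed string, which is the detail most often got wrong."""
    salted = "{%s}%s" % (username, password)
    return hashlib.sha256(salted.encode("utf-8")).hexdigest()


def authorized_users_entry(username: str, password: str) -> str:
    """One line for the authorized-users file."""
    if not username or "," in username:
        raise ValueError("username must be non-empty and contain no comma")
    return "%s,%s" % (username, password_hash(username, password))


def parse_authorized_users(text: str) -> Dict[str, str]:
    """Parse file contents into {username: hash}; blank and '#' lines are skipped."""
    users: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, digest = line.partition(",")
        if not sep or len(digest.strip()) != 64:
            raise ValueError("line %d: expected 'user,sha256hex'" % lineno)
        users[name.strip()] = digest.strip().lower()
    return users


def verify_credential(users: Dict[str, str], username: str, password: str) -> bool:
    """Mirror the server-side check: constant-time comparison of the stored
    hash against the hash of the presented credentials."""
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, password_hash(username, password))


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    sample = "\n".join([
        "# iperf3 authorized users (constructed sample)",
        authorized_users_entry("alice", "s3cret-value"),
        authorized_users_entry("bob", "another-one"),
    ])
    print(sample)
    table = parse_authorized_users(sample)
    print("alice, correct password:", verify_credential(table, "alice", "s3cret-value"))
    print("alice, wrong password:  ", verify_credential(table, "alice", "wrong"))
```

The generated file is handed to the server together with the RSA private key (iperf3 -s --rsa-private-key-path KEY --authorized-users-path FILE), and the client presents the matching username and the server's public key (iperf3 -c HOST --username alice --rsa-public-key-path PUBKEY) and is prompted for the password; the file holds only hashes, so protect the private key, not the users file, as the secret.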

(BZ#1700497)

bind rebased to 9.11.20

The bind package has been upgraded to version 9.11.20, which provides multiple bug fixes and enhancements. Notable changes include:

  • Increased reliability on systems with many CPU cores by fixing several race conditions.
  • Detailed error reporting: dig and other tools can now print the Extended DNS Error (EDE) option, if it is present.
  • Message IDs in inbound DNS Zone Transfer Protocol (AXFR) transfers are checked and logged when they are inconsistent.

(BZ#1818785)

A new optimize-serial-console TuneD profile to reduce I/O to serial consoles by lowering the printk value

With this update, a new optimize-serial-console TuneD profile is available. In some scenarios, kernel drivers can send large amounts of I/O operations to the serial console. Such behavior can cause temporary unresponsiveness while the I/O is written to the serial console. The optimize-serial-console profile reduces this I/O by lowering the printk value from the default of 7 4 1 7 to 4 4 1 7. Users with a serial console who wish to make this change can apply the profile, for example together with the throughput-performance profile, as follows:

# tuned-adm profile throughput-performance optimize-serial-console

As a result, users will have a lower printk value that persists across a reboot, which reduces the likelihood of system hangs.

This TuneD profile reduces the amount of I/O written to the serial console by removing debugging information. If you need to collect this debugging information, you should ensure this profile is not enabled and that your printk value is set to 7 4 1 7. To check the value of printk run:

# cat /proc/sys/kernel/printk

(BZ#1840689)

New TuneD profiles added for the AMD-based platforms

In RHEL 8.3, the throughput-performance TuneD profile was updated to include tuning for AMD-based platforms. There is no need to change any parameter manually; the tuning is applied automatically on AMD systems. On AMD EPYC Naples and Rome systems, the following parameters of the default throughput-performance profile are altered:

sched_migration_cost_ns=5000000 and kernel.numa_balancing=0

With this enhancement, the system performance is improved by ~5%.

(BZ#1746957)

memcached rebased to version 1.5.22

The memcached packages have been upgraded to version 1.5.22. Notable changes over the previous version include:

  • TLS has been enabled.
  • The -o inline_ascii_response option has been removed.
  • The -Y [authfile] option has been added along with authentication mode for the ASCII protocol.
  • memcached can now recover its cache between restarts.
  • New experimental meta commands have been added.
  • Various performance improvements.

(BZ#1809536)

5.6. Security

Cyrus SASL now supports channel bindings with the SASL/GSSAPI and SASL/GSS-SPNEGO plug-ins

This update adds support for channel bindings with the SASL/GSSAPI and SASL/GSS-SPNEGO plug-ins. As a result, when used in the openldap libraries, this feature enables Cyrus SASL to maintain compatibility with and access to Microsoft Active Directory and Microsoft Windows systems which are introducing mandatory channel binding for LDAP connections.

(BZ#1817054)

Libreswan rebased to 3.32

With this update, Libreswan has been rebased to upstream version 3.32, which includes several new features and bug fixes. Notable features include:

  • Libreswan no longer requires separate FIPS 140-2 certification.
  • Libreswan now implements the cryptographic recommendations of RFC 8247, and changes the preference from SHA-1 and RSA-PKCS v1.5 to SHA-2 and RSA-PSS.
  • Libreswan supports XFRMi virtual ipsecXX interfaces that simplify writing firewall rules.
  • Recovery of crashed and rebooted nodes in a full-mesh encryption network is improved.

(BZ#1820206)

The libssh library has been rebased to version 0.9.4

The libssh library, which implements the SSH protocol, has been upgraded to version 0.9.4.

This update includes bug fixes and enhancements, including:

  • Added support for Ed25519 keys in PEM files.
  • Added support for diffie-hellman-group14-sha256 key exchange algorithm.
  • Added support for localuser in Match keyword in the libssh client configuration file.
  • Match criteria keyword arguments are now case-sensitive (note that keywords are case-insensitive, but keyword arguments are case-sensitive).
  • Fixed CVE-2019-14889 and CVE-2020-1730.
  • Added support for recursively creating missing directories found in the path string provided for the known hosts file.
  • Added support for OpenSSH keys in PEM files with comments and leading white spaces.
  • Removed the OpenSSH server configuration inclusion from the libssh server configuration.

(BZ#1804797)

gnutls rebased to 3.6.14

The gnutls packages have been rebased to upstream version 3.6.14. This version provides many bug fixes and enhancements, most notably:

  • gnutls now rejects certificates with Time fields that contain invalid characters or formatting.
  • gnutls now checks trusted CA certificates for minimum key sizes.
  • When displaying an encrypted private key, the certtool utility no longer includes its plain text description.
  • Servers using gnutls now advertise OCSP-stapling support.
  • Clients using gnutls now send OCSP staples only on request.
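The first item above, rejecting Time fields with invalid characters or formatting, is the kind of check a certificate validator has to get exactly right. The following Python parser is an added example and not gnutls code; it accepts only the RFC 5280 forms (UTCTime as YYMMDDHHMMSSZ with the 50/49 year pivot, GeneralizedTime as YYYYMMDDHHMMSSZ, seconds and the trailing Z mandatory, no fractional seconds), rejects non-ASCII digits and trailing characters, and range-checks the calendar fields. The sample values in the test are constructed.

```python
"""Strict parser for X.509 certificate Time fields (UTCTime and
GeneralizedTime), rejecting bad characters and layout as a validator must.

Added example; not gnutls code. Accepted forms (RFC 5280, section 4.1.2.5):
  UTCTime          YYMMDDHHMMSSZ   (years 50-99 -> 19xx, 00-49 -> 20xx)
  GeneralizedTime  YYYYMMDDHHMMSSZ (no fractional seconds)
Both must carry seconds and end in 'Z'.
"""
import datetime
import re

# re.ASCII keeps \d to 0-9; without it, \d also matches other Unicode digits
# (fullwidth or Arabic-Indic digits would otherwise pass the pattern).
_UTC_RE = re.compile(r"(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z", re.ASCII)
_GEN_RE = re.compile(r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z", re.ASCII)


class InvalidTimeError(ValueError):
    """The Time field does not follow the RFC 5280 encoding rules."""


def parse_x509_time(value: str, kind: str) -> datetime.datetime:
    """Parse a UTCTime ('utc') or GeneralizedTime ('generalized') string."""
    if kind == "utc":
        # fullmatch, not match/search: a '$' anchor would tolerate a trailing newline.
        m = _UTC_RE.fullmatch(value)
        if m is None:
            raise InvalidTimeError("malformed UTCTime: %r" % value)
        yy = int(m.group(1))
        year = 1900 + yy if yy >= 50 else 2000 + yy
    elif kind == "generalized":
        m = _GEN_RE.fullmatch(value)
        if m is None:
            raise InvalidTimeError("malformed GeneralizedTime: %r" % value)
        year = int(m.group(1))
    else:
        raise ValueError("kind must be 'utc' or 'generalized'")
    month, day, hour, minute, second = (int(g) for g in m.groups()[1:])
    try:
        return datetime.datetime(year, month, day, hour, minute, second,
                                 tzinfo=datetime.timezone.utc)
    except ValueError as exc:  # month 13, day 32, second 60, ...
        raise InvalidTimeError("out-of-range field in %r: %s" % (value, exc)) from exc


def is_valid_x509_time(value: str, kind: str) -> bool:
    """Boolean form of the check, for use in validation pipelines."""
    try:
        parse_x509_time(value, kind)
        return True
    except InvalidTimeError:
        return False


if __name__ == "__main__":
    # Constructed sample values: the first two are well formed, the rest are not.
    for value, kind in [("200101000000Z", "utc"), ("20500101120000Z", "generalized"),
                        ("200101000000+0000", "utc"), ("20200101000000.5Z", "generalized"),
                        ("201301000000Z", "utc"), ("200101000000Z\n", "utc")]:
        print("%-22r %-11s valid=%s" % (value, kind, is_valid_x509_time(value, kind)))
```

Accepting a looser grammar here (optional seconds, local-time offsets, a lenient \d) is how validators end up agreeing on different expiry times for the same certificate, so the parser is deliberately all-or-nothing.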

(BZ#1789392)

gnutls FIPS DH checks now conform with NIST SP 800-56A rev. 3

This update of the gnutls packages provides checks required by NIST Special Publication 800-56A Revision 3, sections 5.7.1.1 and 5.7.1.2, step 2. The change is necessary for future FIPS 140-2 certifications. As a result, gnutls now accepts only 2048-bit or larger parameters from RFC 7919 and RFC 3526 during the Diffie-Hellman key exchange when operating in FIPS mode.

(BZ#1849079)

gnutls now performs validations according to NIST SP 800-56A rev 3

This update of the gnutls packages adds checks required by NIST Special Publication 800-56A Revision 3, sections 5.6.2.2.2 and 5.6.2.1.3, step 2. The addition prepares gnutls for future FIPS 140-2 certifications. As a result, gnutls performs additional validation steps for generated and received public keys during the Diffie-Hellman key exchange when operating in FIPS mode.
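The two gnutls entries above (the group restriction and the public-key validation) are modelled in the following Python code. This is an added example, not gnutls code: it uses a constructed 23-element toy group so the arithmetic can be followed by hand, takes the set of approved primes from the caller instead of embedding the RFC 7919 and RFC 3526 moduli, and implements the FFC full public-key validation routine that the cited SP 800-56A sections invoke (2 <= y <= p-2 and y^q mod p = 1) together with the shared-secret check Z != 1.

```python
"""Toy model of the Diffie-Hellman checks gnutls applies in FIPS mode.

Added example; not gnutls code. Two checks are modelled:
  * group gate: only caller-supplied well-known groups whose modulus is
    2048 bits or longer are accepted (RFC 7919 / RFC 3526 in gnutls);
  * FFC full public-key validation (SP 800-56A rev. 3, section 5.6.2.3.1):
    2 <= y <= p-2 and y^q mod p == 1, applied to generated and received
    public keys, plus the shared-secret check Z != 1 (section 5.7.1.1).
"""
import secrets
from typing import Set, Tuple

# Constructed toy safe-prime group: p = 2q + 1 and g generates the order-q
# subgroup. Far too small for real use; only here to make the checks visible.
TOY_P, TOY_Q, TOY_G = 23, 11, 2


class DHValidationError(ValueError):
    """A parameter or public key failed a FIPS-mode check."""


def fips_group_acceptable(p: int, approved_primes: Set[int], min_bits: int = 2048) -> bool:
    """Reject custom parameters and any approved group shorter than min_bits."""
    return p in approved_primes and p.bit_length() >= min_bits


def validate_ffc_public_key(y: int, p: int, q: int) -> bool:
    """FFC full public-key validation: range check, then subgroup membership."""
    if not 2 <= y <= p - 2:
        return False              # excludes 0, 1 and p-1 (the order-2 element)
    return pow(y, q, p) == 1      # y lies in the order-q subgroup


def generate_keypair(p: int, q: int, g: int) -> Tuple[int, int]:
    """Private x in [1, q-1]; the generated public key is validated as well."""
    x = secrets.randbelow(q - 1) + 1
    y = pow(g, x, p)
    if not validate_ffc_public_key(y, p, q):
        raise DHValidationError("generated public key failed validation")
    return x, y


def shared_secret(x: int, peer_y: int, p: int, q: int) -> int:
    """Validate the received key, compute Z, and reject a degenerate Z == 1."""
    if not validate_ffc_public_key(peer_y, p, q):
        raise DHValidationError("peer public key failed validation")
    z = pow(peer_y, x, p)
    if z == 1:
        raise DHValidationError("shared secret is 1")
    return z


if __name__ == "__main__":
    print("toy group passes the FIPS group gate:", fips_group_acceptable(TOY_P, {TOY_P}))
    xa, ya = generate_keypair(TOY_P, TOY_Q, TOY_G)
    xb, yb = generate_keypair(TOY_P, TOY_Q, TOY_G)
    print("both sides agree on Z:",
          shared_secret(xa, yb, TOY_P, TOY_Q) == shared_secret(xb, ya, TOY_P, TOY_Q))
    for bad in (0, 1, TOY_P - 1, 5):  # 5 is a quadratic non-residue mod 23
        print("y =", bad, "valid:", validate_ffc_public_key(bad, TOY_P, TOY_Q))
```

The subgroup test is what stops a peer from sending a small-order element such as p-1 and learning a bit of the private key from the resulting Z; the bit-length gate refuses groups that would pass the arithmetic but not the certification requirement.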

(BZ#1855803)

update-crypto-policies and fips-mode-setup moved into crypto-policies-scripts

The update-crypto-policies and fips-mode-setup scripts, which were previously included in the crypto-policies package, are now moved into a separate RPM subpackage crypto-policies-scripts. The package is automatically installed through the Recommends dependency on regular installations. This enables the ubi8/ubi-minimal image to avoid the inclusion of the Python language interpreter and thus reduces the image size.

(BZ#1832743)

OpenSC rebased to version 0.20.0

The opensc package has been rebased to version 0.20.0 which addresses multiple bugs and security issues. Notable changes include:

  • With this update, CVE-2019-6502, CVE-2019-15946, CVE-2019-15945, CVE-2019-19480, CVE-2019-19481 and CVE-2019-19479 security issues are fixed.
  • The OpenSC module now supports the C_WrapKey and C_UnwrapKey functions.
  • You can now use the facility to detect insertion and removal of card readers as expected.
  • The pkcs11-tool utility now supports the CKA_ALLOWED_MECHANISMS attribute.
  • This update allows default detection of the OsEID cards.
  • The OpenPGP Card v3 now supports Elliptic Curve Cryptography (ECC).
  • The PKCS#11 URI now truncates the reader name with an ellipsis.

(BZ#1810660)

stunnel rebased to version 5.56

With this update, the stunnel encryption wrapper has been rebased to upstream version 5.56, which includes several new features and bug fixes. Notable features include:

  • New ticketKeySecret and ticketMacSecret options that control confidentiality and integrity protection of the issued session tickets. These options enable you to resume sessions on other nodes in a cluster.
  • New curves option to control the list of elliptic curves in OpenSSL 1.1.0 and later.
  • New ciphersuites option to control the list of permitted TLS 1.3 ciphersuites.
  • Added sslVersion, sslVersionMin and sslVersionMax for OpenSSL 1.1.0 and later.

(BZ#1808365)

libkcapi rebased to version 1.2.0

The libkcapi package has been rebased to upstream version 1.2.0, which includes minor changes.

(BZ#1683123)

setools rebased to 4.3.0

The setools package, which is a collection of tools designed to facilitate SELinux policy analysis, has been upgraded to version 4.3.0.

This update includes bug fixes and enhancements, including:

  • Revised sediff method for Type Enforcement (TE) rules, which significantly reduces memory and runtime issues.
  • Added infiniband context support to seinfo, sediff, and apol.
  • Added apol configuration for the location of the Qt assistant tool used to display online documentation.
  • Fixed sediff issues with:

    • Properties header displaying when not requested.
    • Name comparison of type_transition files.
  • Fixed the information flow direction of the socket sendto permission in the permission map.
  • Added methods to the TypeAttribute class to make it a complete Python collection.
  • Genfscon now looks up classes, rather than using fixed values which were dropped from libsepol.

The setools package requires the following packages:

  • setools-console
  • setools-console-analyses
  • setools-gui

(BZ#1820079)

Individual CephFS files and directories can now have SELinux labels

The Ceph File System (CephFS) has recently enabled storing SELinux labels in the extended attributes of files. Previously, all files in a CephFS volume were labeled with a single common label system_u:object_r:cephfs_t:s0. With this enhancement, you can change the labels for individual files, and SELinux defines the labels of newly created files based on transition rules. Note that previously unlabeled files still have the system_u:object_r:cephfs_t:s0 label until explicitly changed.

(BZ#1823764)

OpenSCAP rebased to version 1.3.3

The openscap packages have been upgraded to upstream version 1.3.3, which provides many bug fixes and enhancements over the previous version, most notably:

  • Added the autotailor script that enables you to generate tailoring files using a command-line interface (CLI).
  • Added the timezone part to the Extensible Configuration Checklist Description Format (XCCDF) TestResult start and end time stamps
  • Added the yamlfilecontent independent probe as a draft implementation.
  • Introduced the urn:xccdf:fix:script:kubernetes fix type in XCCDF.
  • Added ability to generate the machineconfig fix.
  • The oscap-podman tool can now detect ambiguous scan targets.
  • The rpmverifyfile probe can now verify files from the /bin directory.
  • Fixed crashes when complicated regexes are executed in the textfilecontent58 probe.
  • Evaluation characteristics of the XCCDF report are now consistent with OVAL entities from the system_info probe.
  • Fixed file-path pattern matching in offline mode in the textfilecontent58 probe.
  • Fixed infinite recursion in the systemdunitdependency probe.

(BZ#1829761)

SCAP Security Guide now provides a profile aligned with the CIS RHEL 8 Benchmark v1.0.0

With this update, the scap-security-guide packages provide a profile aligned with the CIS Red Hat Enterprise Linux 8 Benchmark v1.0.0. The profile enables you to harden the configuration of the system using the guidelines by the Center for Internet Security (CIS). As a result, you can configure and automate compliance of your RHEL 8 systems with CIS by using the CIS Ansible Playbook and the CIS SCAP profile.

Note that the rpm_verify_permissions rule in the CIS profile does not work correctly.

(BZ#1760734)

scap-security-guide now provides a profile that implements HIPAA

This update of the scap-security-guide packages adds the Health Insurance Portability and Accountability Act (HIPAA) profile to the RHEL 8 security compliance content. This profile implements recommendations outlined on the HIPAA Privacy Rule website.

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.

(BZ#1832760)

scap-security-guide rebased to 0.1.50

The scap-security-guide packages, which contain the latest set of security policies for Linux systems, have been upgraded to version 0.1.50.

This update includes bug fixes and enhancements, most notably:

  • Ansible content has been improved: numerous rules contain Ansible remediations for the first time and other rules have been updated to address bug fixes.
  • Fixes and improvements to the scap-security-guide content for scanning RHEL7 systems, including:

    • The scap-security-guide packages now provide a profile aligned with the CIS RHEL 7 Benchmark v2.2.0. Note that the rpm_verify_permissions rule in the CIS profile does not work correctly; see the rpm_verify_permissions fails in the CIS profile known issue.
    • The SCAP Security Guide profiles now correctly disable and mask services that should not be started.
    • The audit_rules_privileged_commands rule in the scap-security-guide packages now works correctly for privileged commands.
    • Remediation of the dconf_gnome_login_banner_text rule in the scap-security-guide packages no longer incorrectly fails.

(BZ#1815007)

SCAP Workbench can now generate results-based remediations from tailored profiles

With this update, you can now generate result-based remediation roles from tailored profiles using the SCAP Workbench tool.

(BZ#1640715)

New Ansible role provides automated deployments of Clevis clients

This update of the rhel-system-roles package introduces the nbde_client RHEL system role. This Ansible role enables you to deploy multiple Clevis clients in an automated way.

(BZ#1716040)

New Ansible role can now set up a Tang server

With this enhancement, you can deploy and manage a Tang server as part of an automated disk encryption solution with the new nbde_server system role. The nbde_server Ansible role, which is included in the rhel-system-roles package, supports the following features:

  • Rotating Tang keys
  • Deploying and backing up Tang keys

For more information, see Rotating Tang server keys.

(BZ#1716039)

clevis rebased to version 13

The clevis packages have been rebased to version 13, which provides multiple bug fixes and enhancements. Notable changes include:

  • clevis luks unlock can be used on a device with a key file in non-interactive mode.
  • clevis encrypt tpm2 parses the pcr_ids field if the input is given as a JSON array.
  • The clevis-luks-unbind(1) man page no longer refers only to LUKS v1.
  • clevis luks bind does not write to an inactive slot anymore, if the password given is incorrect.
  • clevis luks bind now works while the system uses a non-English locale.
  • Added support for tpm2-tools 4.x.

(BZ#1818780)

clevis luks edit enables you to edit a specific pin configuration

This update of the clevis packages introduces the new clevis luks edit subcommand that enables you to edit a specific pin configuration. For example, you can now change the URL address of a Tang server and the pcr_ids parameter in a TPM2 configuration. You can also add and remove new sss pins and change the threshold of an sss pin.

(BZ#1436735)

clevis luks bind -y now allows automated binding

With this enhancement, Clevis supports automated binding with the -y parameter. You can now use the -y option with the clevis luks bind command, which automatically answers subsequent prompts with yes. For example, when using a Tang pin, you are no longer required to manually trust Tang keys.
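The sss pin configuration mentioned under clevis luks edit above, and the -y binding described here, are put together in the following Python code. This is an added example, not part of the clevis project or these release notes: it assembles the JSON that clevis luks bind takes for an sss pin (a threshold "t" and a "pins" object holding a list of tang entries and a tpm2 entry, each Tang server and the tpm2 entry contributing one share), emits pcr_ids as a JSON array (which clevis 13 parses, per the rebase note above), and returns the argv for a non-interactive bind. The Tang URLs and the device path are constructed placeholders.

```python
"""Compose a Clevis sss pin configuration and the matching non-interactive
clevis luks bind command line.

Added example; not clevis code. Layout follows the clevis man pages:
  {"t": THRESHOLD, "pins": {"tang": [{"url": ...}, ...], "tpm2": {"pcr_ids": [...]}}}
Each Tang entry and the tpm2 entry is one share; "t" shares must succeed to unlock.
"""
import json
from typing import List, Optional, Sequence, Union

PcrIds = Union[str, Sequence[int], None]


def normalize_pcr_ids(pcr_ids: PcrIds) -> Optional[List[int]]:
    """Accept "7", "0,7" or [0, 7] and return the JSON-array form."""
    if pcr_ids is None:
        return None
    if isinstance(pcr_ids, str):
        ids = [int(p) for p in pcr_ids.split(",") if p.strip()]
    else:
        ids = [int(p) for p in pcr_ids]
    if any(i < 0 or i > 23 for i in ids):
        raise ValueError("TPM2 PCR indexes are 0..23")
    return sorted(set(ids))


def sss_config(tang_urls: Sequence[str], pcr_ids: PcrIds = None, threshold: int = 1) -> dict:
    """Build the sss pin configuration; validates that the threshold is reachable."""
    pins = {}
    if tang_urls:
        pins["tang"] = [{"url": url} for url in tang_urls]
    ids = normalize_pcr_ids(pcr_ids)
    if ids is not None:
        pins["tpm2"] = {"pcr_ids": ids}
    share_count = len(tang_urls) + (1 if ids is not None else 0)
    if share_count == 0:
        raise ValueError("at least one pin is required")
    if not 1 <= threshold <= share_count:
        raise ValueError("threshold must be between 1 and %d" % share_count)
    return {"t": threshold, "pins": pins}


def bind_command(device: str, config: dict, assume_yes: bool = True) -> List[str]:
    """argv for clevis luks bind; -y answers the prompts (e.g. trusting Tang keys)."""
    argv = ["clevis", "luks", "bind"]
    if assume_yes:
        argv.append("-y")
    argv += ["-d", device, "sss", json.dumps(config, separators=(",", ":"))]
    return argv


if __name__ == "__main__":
    # Constructed placeholders: two Tang servers plus the TPM, any two of three shares unlock.
    cfg = sss_config(["http://tang1.example.test", "http://tang2.example.test"],
                     pcr_ids="0,7", threshold=2)
    print(json.dumps(cfg, indent=2))
    print(" ".join(bind_command("/dev/PLACEHOLDER", cfg)))
```

A threshold of 2 over two Tang servers and the TPM means one Tang server can be offline and the disk still unlocks, while a disk removed from the machine (no TPM share) needs both Tang servers reachable; with -y the same configuration can be applied unattended, so the Tang keys being trusted should be verified out of band beforehand rather than at the prompt.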

(BZ#1819767)

fapolicyd rebased to version 1.0

The fapolicyd packages have been rebased to version 1.0, which provides multiple bug fixes and enhancements. Notable changes include:

  • The multiple thread synchronization problem has been resolved.
  • Enhanced performance with reduced database size and loading time.
  • A new trust option for the fapolicyd package in the fapolicyd.conf file has been added to customize trust back end. You can add all trusted files, binaries, and scripts to the new /etc/fapolicyd/fapolicyd.trust file.
  • You can manage the fapolicyd.trust file using the CLI.
  • You can clean or dump the database using the CLI.
  • The fapolicyd package overrides the magic database for better decoding of scripts. The CLI prints the MIME type of the file, similar to the file command, according to the override.
  • The /etc/fapolicyd/fapolicyd.rules file supports a group of values as attribute values.
  • The fapolicyd daemon has a syslog_format option for setting the format of the audit/syslog events.

(BZ#1817413)

fapolicyd now provides its own SELinux policy in fapolicyd-selinux

With this enhancement, the fapolicyd framework now provides its own SELinux security policy. The daemon is confined under the fapolicyd_t domain and the policy is installed through the fapolicyd-selinux subpackage.

(BZ#1714529)

USBGuard rebased to version 0.7.8

The usbguard packages have been rebased to version 0.7.8 which provides multiple bug fixes and enhancements. Notable changes include:

  • The HidePII=true|false parameter in the /etc/usbguard/usbguard-daemon.conf file can now hide personally identifiable information from audit entries.
  • The AuthorizedDefault=keep|none|all|internal parameter in the /etc/usbguard/usbguard-daemon.conf file can predefine authorization state of controller devices.
  • With the new with-connect-type rule attribute, users can now distinguish the connection type of the device.
  • Users can now append temporary rules with the -t option. Temporary rules remain in memory only until the daemon restarts.
  • usbguard list-rules can now filter rules according to certain properties.
  • usbguard generate-policy can now generate a policy for specific devices.
  • The usbguard allow|block|reject command can now handle rule strings, and a target is applied on each device that matches the specified rule string.
  • New subpackages usbguard-notifier and usbguard-selinux are included.

(BZ#1738590)

USBGuard provides many improvements for corporate desktop users

This addition to the USBGuard project contains enhancements and bug fixes to improve the usability for corporate desktop users. Important changes include:

  • To keep the /etc/usbguard/rules.conf rule file clean, users can define multiple configuration files inside the RuleFolder=/etc/usbguard/rules.d/ directory. By default, the RuleFolder is specified in the /etc/usbguard-daemon.conf file.
  • The usbguard-notifier tool now provides GUI notifications. The tool notifies the user whenever a device is plugged in or unplugged and whether the device is allowed, blocked, or rejected by any user.
  • You can now include comments in the configuration files, because the usbguard-daemon no longer parses lines starting with #.

(BZ#1667395)

USBGuard now provides its own SELinux policy in usbguard-selinux

With this enhancement, the USBGuard framework now provides its own SELinux security policy. The daemon is confined under the usbguard_t domain and the policy is installed through the usbguard-selinux subpackage.

(BZ#1683567)

libcap now supports ambient capabilities

With this update, users are able to grant ambient capabilities at login, which removes the need for root access for appropriately configured processes.

(BZ#1487388)

The libseccomp library has been rebased to version 2.4.3

The libseccomp library, which provides an interface to the seccomp system call filtering mechanism, has been upgraded to version 2.4.3.

This update provides numerous bug fixes and enhancements. Notable changes include:

  • Updated the syscall table for Linux v5.4-rc4.
  • No longer defining __NR_x values for system calls that do not exist.
  • __SNR_x is now used internally.
  • Added define for __SNR_ppoll.
  • Fixed a multiplexing issue with s390/s390x shm* system calls.
  • Removed the static flag from the libseccomp tools compilation.
  • Added support for io-uring related system calls.
  • Fixed the Python module naming issue introduced in the v2.4.0 release; the module is named seccomp as it was previously.
  • Fixed a potential memory leak identified by clang in the scmp_bpf_sim tool.

(BZ#1770693)

omamqp1 module is now supported

With this update, rsyslog can send log messages to a destination on an AMQP 1.0 message bus. OpenStack already uses the AMQP 1.0 protocol as a communication standard, and log messages can now be delivered as AMQP messages. This update introduces the rsyslog-omamqp1 subpackage, which provides the omamqp1 output module that sends log messages to the destination on the bus.

(BZ#1713427)

OpenSCAP compresses remote content

With this update, OpenSCAP uses gzip compression for transferring remote content. The most common type of remote content is text-based CVE feeds, which grow over time and typically have to be downloaded for every scan. The gzip compression reduces the bandwidth to 10% of that needed for uncompressed content, which lowers bandwidth requirements across the entire chain between the scanned system and the server that hosts the remote content.

(BZ#1855708)

SCAP Security Guide now provides a profile aligned with NIST-800-171

With this update, the scap-security-guide packages provide a profile aligned with the NIST-800-171 standard. The profile enables you to harden the system configuration in accordance with security requirements for protection of Controlled Unclassified Information (CUI) in non-federal information systems. As a result, you can more easily configure systems to be aligned with the NIST-800-171 standard.

(BZ#1762962)

5.7. Networking

The IPv4 and IPv6 connection tracking modules have been merged into the nf_conntrack module

This enhancement merges the nf_conntrack_ipv4 and nf_conntrack_ipv6 Netfilter connection tracking modules into the nf_conntrack kernel module. Due to this change, blacklisting the address-family-specific modules no longer works in RHEL 8.3; to disable connection tracking support for both the IPv4 and IPv6 protocols, blacklist only the nf_conntrack module.

(BZ#1822085)

firewalld rebased to version 0.8.2

The firewalld packages have been upgraded to upstream version 0.8.2, which provides a number of bug fixes over the previous version. For details, see the firewalld 0.8.2 Release Notes.

(BZ#1809636)

NetworkManager rebased to version 1.26.0

The NetworkManager packages have been upgraded to upstream version 1.26.0, which provides a number of enhancements and bug fixes over the previous version:

  • NetworkManager resets the auto-negotiation, speed, and duplex settings to their original values when deactivating a device.
  • Wi-Fi profiles now connect automatically even if all previous activation attempts failed. This means that an initial failure to auto-connect to the network no longer blocks automatic connection. A side effect is that existing Wi-Fi profiles that were previously blocked now connect automatically.
  • The nm-settings-nmcli(5) and nm-settings-dbus(5) man pages have been added.
  • Support for a number of bridge parameters has been added.
  • Support for virtual routing and forwarding (VRF) interfaces has been added. For further details, see Permanently reusing the same IP address on different interfaces.
  • Support for Opportunistic Wireless Encryption mode (OWE) for Wi-Fi networks has been added.
  • NetworkManager now supports 31-bit prefixes on IPv4 point-to-point links according to RFC 3021.
  • The nmcli utility now supports removing settings using the nmcli connection modify <connection_name> remove <setting> command.
  • NetworkManager no longer creates and activates slave devices if a master device is missing.

For further information about notable changes, read the upstream release notes.

(BZ#1814746)

XDP is conditionally supported

Red Hat supports the eXpress Data Path (XDP) feature only if all of the following conditions apply:

  • You load the XDP program on an AMD or Intel 64-bit architecture
  • You use the libxdp library to load the program into the kernel
  • The XDP program uses one of the following return codes: XDP_ABORTED, XDP_DROP, or XDP_PASS
  • The XDP program does not use the XDP hardware offloading

For details about unsupported XDP features, see Overview of XDP features that are available as Technology Preview.

(BZ#1889736)

xdp-tools is fully supported

The xdp-tools package, which contains userspace support utilities for the kernel eXpress Data Path (XDP) feature, is now supported on the AMD and Intel 64-bit architectures. This includes the libxdp library, the xdp-loader utility for loading XDP programs, the xdp-filter example program for packet filtering, and the xdpdump utility for capturing packets from a network interface with XDP enabled.

(BZ#1820670)

The dracut utility by default now uses NetworkManager in initial RAM disk

Previously, the dracut utility used a shell script to manage networking in the initial RAM disk, initrd. In certain cases, this caused problems. For example, NetworkManager sent another DHCP request even though the script in the RAM disk had already requested an IP address, which could result in a timeout.

With this update, dracut uses NetworkManager in the initial RAM disk by default, which prevents these issues. To switch back to the previous implementation and recreate the RAM disk images, use the following commands:

# echo 'add_dracutmodules+=" network-legacy "' > /etc/dracut.conf.d/enable-network-legacy.conf

# dracut -vf --regenerate-all

(BZ#1626348)

5.8. Kernel

Kernel version in RHEL 8.3

Red Hat Enterprise Linux 8.3 is distributed with the kernel version 4.18.0-240.

(BZ#1839151)

Extended Berkeley Packet Filter for RHEL 8.3

The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in a restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code.

The eBPF bytecode is first loaded into the kernel, then verified, then translated to native machine code by the just-in-time compiler, and finally executed by the virtual machine.

Red Hat ships numerous components that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported. In RHEL 8.3, the following eBPF components are supported:

  • The BPF Compiler Collection (BCC) tools package, which provides tools for I/O analysis, networking, and monitoring of Linux operating systems using eBPF.
  • The BCC library, which allows the development of tools similar to those provided in the BCC tools package.
  • The eBPF for Traffic Control (tc) feature, which enables programmable packet processing inside the kernel network data path.
  • The eXpress Data Path (XDP) feature, which provides access to received packets before the kernel networking stack processes them, is supported under specific conditions. For more details, refer to the Networking section of the Release Notes.
  • The libbpf package, which is crucial for bpf-related applications like bpftrace and bpf/xdp development. For more details, refer to the dedicated release note libbpf fully supported.
  • The xdp-tools package, which contains userspace support utilities for the XDP feature, is now supported on the AMD and Intel 64-bit architectures. For more details, refer to the Networking section of the Release Notes.

Note that all other eBPF components are available as Technology Preview, unless a specific component is indicated as supported.

The following notable eBPF components are currently available as Technology Preview:

  • The bpftrace tracing language
  • The AF_XDP socket for connecting the eXpress Data Path (XDP) path to user space

For more information regarding the Technology Preview components, see Technology Previews.

(BZ#1780124)

Cornelis Networks Omni-Path Architecture (OPA) Host Software

Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 8.3. OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

For instructions on installing Omni-Path Architecture, see the Intel® Omni-Path Fabric Software Release Notes file.

(BZ#1893174)

TSX is now disabled by default

Starting with RHEL 8.3, the kernel has the Intel® Transactional Synchronization Extensions (TSX) technology disabled by default to improve OS security. The change applies to those CPUs that support disabling TSX, including the 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake with Intel® C620 Series Chipsets).

For users whose applications do not use TSX, the change removes the default performance penalty of the TSX Asynchronous Abort (TAA) mitigations on the 2nd Generation Intel® Xeon® Scalable Processors.

The change also aligns the RHEL kernel behavior with upstream, where TSX has been disabled by default since Linux 5.4.

To enable TSX, add the tsx=on parameter to the kernel command line.

(BZ#1828642)

RHEL 8.3 now supports the page owner tracking feature

With this update, you can use the page owner tracking feature to observe the kernel memory utilization at the page allocation level.

To enable the page tracker, execute the following steps:

# grubby --args="page_owner=on" --update-kernel=0
# reboot

As a result, the page owner tracker will track the kernel memory consumption, which helps to debug kernel memory leaks and detect the drivers that use a lot of memory.

(BZ#1825414)

EDAC for AMD EPYC™ 7003 Series Processors is now supported

This enhancement provides Error Detection And Correction (EDAC) device support for AMD EPYC™ 7003 Series Processors. Previously, corrected (CEs) and uncorrected (UEs) memory errors were not reported on systems based on AMD EPYC™ 7003 Series Processors. With this update, such errors will now be reported using EDAC.

(BZ#1735611)

Flamegraph is now supported with perf tool

With this update, the perf command line tool supports flamegraphs to create a graphical representation of the system’s performance. The perf data is grouped together into samples with similar stack backtraces. As a result, this data is converted into a visual representation to allow easier identification of computationally intensive areas of code. To generate a flamegraph using the perf tool, execute the following commands:

$ perf script record flamegraph -F 99 -g -- stress --cpu 1 --vm-bytes 128M --timeout 10s
stress: info: [4461] dispatching hogs: 1 cpu, 0 io, 0 vm, 0 hdd
stress: info: [4461] successful run completed in 10s
[ perf record: Woken up 1 times to write data ]
[ perf record: Captured and wrote 0.060 MB perf.data (970 samples) ]
$ perf script report flamegraph
dumping data to flamegraph.html

Note: To generate flamegraphs, install the js-d3-flame-graph rpm.

(BZ#1281843)

/dev/random and /dev/urandom are now conditionally powered by the Kernel Crypto API DRBG

In FIPS mode, the /dev/random and /dev/urandom pseudorandom number generators are powered by the Kernel Crypto API Deterministic Random Bit Generator (DRBG). Applications in FIPS mode use these devices as a FIPS-compliant noise source, so the devices must use FIPS-approved algorithms. To achieve this goal, the necessary hooks have been added to the /dev/random driver. As a result, the hooks are enabled in FIPS mode and cause /dev/random and /dev/urandom to connect to the Kernel Crypto API DRBG.

(BZ#1785660)

libbpf fully supported

The libbpf package, crucial for bpf-related applications like bpftrace and bpf/xdp development, is now fully supported.

It is a mirror of the bpf-next/tools/lib/bpf directory of the bpf-next Linux tree, plus its supporting header files. The version of the package reflects the version of the Application Binary Interface (ABI).

(BZ#1759154)

lshw utility now provides additional CPU information

With this enhancement, the List Hardware utility (lshw) displays more CPU information. The CPU version field now provides the family, model and stepping details of the system processors in numeric format as version: <family>.<model>.<stepping>.

(BZ#1794049)

kernel-rt source tree has been updated to the RHEL 8.3 tree

The kernel-rt sources have been updated to use the latest Red Hat Enterprise Linux kernel source tree. The real-time patch set has also been updated to the latest upstream version, v5.6.14-rt7. Both of these updates provide a number of bug fixes and enhancements.

(BZ#1818138, BZ#1818142)

tpm2-tools rebased to version 4.1.1

The tpm2-tools package has been upgraded to version 4.1.1, which provides a number of command additions, updates, and removals. For more details, see the Updates to tpm2-tools package in RHEL8.3 solution.

(BZ#1789682)

The Mellanox ConnectX-6 Dx network adapter is now fully supported

This enhancement adds the PCI IDs of the Mellanox ConnectX-6 Dx network adapter to the mlx5_core driver. On hosts that use this adapter, RHEL loads the mlx5_core driver automatically. This feature, previously available as a Technology Preview, is now fully supported in RHEL 8.3.

(BZ#1782831)

mlxsw driver rebased to version 5.7

The mlxsw driver has been upgraded to upstream version 5.7 and includes the following new features:

  • The shared buffer occupancy feature, which provides buffer occupancy data.
  • The packet drop feature, which enables monitoring of layer 2, layer 3, tunnel, and access control list drops.
  • Packet trap policers support.
  • Default port priority configuration support using a Link Layer Discovery Protocol (LLDP) agent.
  • Enhanced Transmission Selection (ETS) and Token Bucket Filter (TBF) queuing discipline offloading support.
  • RED queuing discipline nodrop mode is enabled to prevent early packet drops.
  • The skbedit priority traffic-class SKB editing action, which enables changing packet metadata and complements the pedit TOS offloading.

(BZ#1821646)

5.9. File systems and storage

LVM can now manage VDO volumes

LVM now supports the Virtual Data Optimizer (VDO) segment type. As a result, you can now use LVM utilities to create and manage VDO volumes as native LVM logical volumes.

VDO provides inline block-level deduplication, compression, and thin provisioning features.

For more information, see Deduplicating and compressing logical volumes on RHEL.

(BZ#1598199)

The SCSI stack now works better with high-performance adapters

The performance of the SCSI stack has been improved. As a result, next-generation, high performance host bus adapters (HBAs) are now capable of higher IOPS (I/Os per second) on RHEL.

(BZ#1761928)

The megaraid_sas driver has been updated to the latest version

The megaraid_sas driver has been updated to version 07.713.01.00-rc1. This update provides several bug fixes and enhancements relating to improving performance, better stability of supported MegaRAID adapters, and a richer feature set.

(BZ#1791041)

Stratis now lists the pool name on error

When you attempt to create a Stratis pool on a block device that is already in use by an existing Stratis pool, the stratis utility now reports the name of the existing pool. Previously, the utility listed only the UUID label of the pool.

(BZ#1734496)

FPIN ELS frame notification support

The lpfc Fibre Channel (FC) driver now supports Fabric Performance Impact Notifications (FPINs) regarding link integrity, which help identify link-level issues and allow the switch to choose a more reliable path.

(BZ#1796565)

New commands to debug LVM on-disk metadata

The pvck utility, which is available from the lvm2 package, now provides low-level commands to debug or rescue LVM on-disk metadata on physical volumes:

  • To extract metadata, use the pvck --dump command.
  • To repair metadata, use the pvck --repair command.

For more information, see the pvck(8) man page.

(BZ#1541165)

LVM RAID supports DM integrity to prevent data loss due to corrupted data on a device

It is now possible to add Device Mapper (DM) integrity to an LVM RAID configuration to prevent data loss. The integrity layer detects data corruption on a device and alerts the RAID layer to fix the corrupted data across the LVM RAID.

While RAID prevents data loss due to device failure, adding integrity to an LVM RAID array prevents data loss due to corrupted data on a device. You can add the integrity layer when you create a new LVM RAID, or you can add it to an LVM RAID that already exists.

(JIRA:RHELPLAN-39320)

Resilient Storage (GFS2) supported on AWS, Azure, and Aliyun public clouds

Resilient Storage (GFS2) is now supported on three major public clouds, Amazon (AWS), Microsoft (Azure), and Alibaba (Aliyun), with the introduction of shared block device support on those platforms. As a result, GFS2 is now a true hybrid-cloud cluster file system that you can use both on premises and in the public cloud. For information on configuring shared block storage on Microsoft Azure and on AWS, see Deploying Red Hat Enterprise Linux 8 on public cloud platforms. For information on configuring shared block storage on Alibaba Cloud, see Configuring Shared Block Storage for a Red Hat High Availability Cluster on Alibaba Cloud.

(BZ#1900019)

Userspace now supports the latest nfsdcld daemon

Userspace now supports the latest nfsdcld daemon, which is the only namespace-aware client tracking method. This enhancement ensures client open or lock recovery from the containerized knfsd daemon without any data corruption.

(BZ#1817756)

nconnect now supports multiple concurrent connections

With this enhancement, you can use the nconnect functionality to create multiple concurrent connections to an NFS server, which provides an additional way to balance load. Enable the nconnect functionality with the nconnect=X NFS mount option, where X is the number of concurrent connections to use. The current limit is 16.

(BZ#1683394, BZ#1761352)

nfsdcld daemon for client information tracking is now supported

With this enhancement, the nfsdcld daemon is now the default method for tracking per-client information on stable storage. As a result, NFSv4 servers running in containers allow clients to reclaim their opens and locks after a server restart.

(BZ#1817752)

5.10. High availability and clusters

pacemaker rebased to version 2.0.4

The Pacemaker cluster resource manager has been upgraded to upstream version 2.0.4, which provides a number of bug fixes.

(BZ#1828488)

New priority-fencing-delay cluster property

Pacemaker now supports the new priority-fencing-delay cluster property, which allows you to configure a two-node cluster so that in a split-brain situation the node with the fewest resources running is the node that gets fenced.

The priority-fencing-delay property can be set to a time duration. The default value for this property is 0 (disabled). If this property is set to a non-zero value, and the priority meta-attribute is configured for at least one resource, then in a split-brain situation the node with the highest combined priority of all resources running on it will be more likely to survive.

For example, if you set pcs resource defaults priority=1 and pcs property set priority-fencing-delay=15s and no other priorities are set, then the node running the most resources will be more likely to survive because the other node will wait 15 seconds before initiating fencing. If a particular resource is more important than the rest, you can give it a higher priority.

The node running the master role of a promotable clone will get an extra 1 point if a priority has been configured for that clone.

Any delay set with priority-fencing-delay will be added to any delay from the pcmk_delay_base and pcmk_delay_max fence device properties. This behavior allows some delay when both nodes have equal priority, or both nodes need to be fenced for some reason other than node loss (for example, on-fail=fencing is set for a resource monitor operation). If used in combination, it is recommended that you set the priority-fencing-delay property to a value that is significantly greater than the maximum delay from pcmk_delay_base and pcmk_delay_max, to be sure the prioritized node is preferred (twice the value would be completely safe).
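The decision rule described above, as an added model written for this page (not Pacemaker's own code): it computes each node's combined resource priority, applies the extra point for the master role of a promotable clone, adds the fence-device delays, and checks the sizing advice for priority-fencing-delay. Resource names, node names and durations are constructed sample values.

```python
"""Model of the priority-fencing-delay rule from the RHEL 8.3 release note.

Added illustration, not Pacemaker's own code. It reproduces the rule as
described: the node with the lower combined priority of running resources
waits priority-fencing-delay before fencing its peer, the master role of a
promotable clone earns one extra point, and pcmk_delay_base/pcmk_delay_max
are added on top in every case.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Resource:
    """A running cluster resource (sample data constructed for this example)."""
    name: str
    node: str                        # node the resource currently runs on
    priority: Optional[int] = None   # 'priority' meta-attribute; None = not configured
    promotable: bool = False         # is this a promotable clone?
    master_on: Optional[str] = None  # node holding the master role, if promotable


def parse_duration(value: str) -> float:
    """Parse a duration such as '15s', '2min', '500ms' or '15' into seconds.

    Only these suffixes are handled here; a bare number means seconds.
    """
    text = value.strip().lower()
    for suffix, factor in (("ms", 0.001), ("min", 60.0), ("s", 1.0)):
        if text.endswith(suffix):
            return float(text[: -len(suffix)]) * factor
    return float(text)


def node_priority(resources: List[Resource], node: str) -> int:
    """Combined priority of all resources running on `node`.

    A promotable clone whose master role runs on this node earns one extra
    point, but only when a priority has been configured for that clone.
    """
    total = 0
    for res in resources:
        if res.node != node or res.priority is None:
            continue
        total += res.priority
        if res.promotable and res.master_on == node:
            total += 1
    return total


def fencing_delays(resources: List[Resource], nodes: List[str],
                   priority_fencing_delay: float,
                   pcmk_delay_base: float = 0.0,
                   pcmk_delay_max: float = 0.0) -> Dict[str, float]:
    """Worst-case delay, per node, before that node fences its peer.

    The lower-priority node waits priority_fencing_delay; with equal scores,
    with the property at 0 (disabled), or with no priority configured on any
    resource, neither node waits it. The fence-device delays are always added,
    counting pcmk_delay_max in full as the worst case.
    """
    if len(nodes) != 2:
        raise ValueError("priority-fencing-delay is meant for two-node clusters")
    configured = any(r.priority is not None for r in resources)
    scores = {n: node_priority(resources, n) for n in nodes}
    device_delay = pcmk_delay_base + pcmk_delay_max
    delays: Dict[str, float] = {}
    for me, peer in (nodes, nodes[::-1]):
        extra = 0.0
        if priority_fencing_delay > 0 and configured and scores[me] < scores[peer]:
            extra = priority_fencing_delay
        delays[me] = device_delay + extra
    return delays


def delay_is_safe(priority_fencing_delay: float, pcmk_delay_base: float = 0.0,
                  pcmk_delay_max: float = 0.0) -> bool:
    """Sizing advice from the note: priority-fencing-delay should be at least
    twice the maximum fence-device delay (pcmk_delay_base + pcmk_delay_max)."""
    return priority_fencing_delay >= 2 * (pcmk_delay_base + pcmk_delay_max)


# Constructed sample cluster matching the note's scenario: `pcs resource
# defaults priority=1` gives every resource priority 1, and node1 runs more.
SAMPLE_RESOURCES = [
    Resource("vip", "node1", priority=1),
    Resource("webserver", "node1", priority=1),
    Resource("database", "node1", priority=1, promotable=True, master_on="node1"),
    Resource("backup-job", "node2", priority=1),
]
SAMPLE_NODES = ["node1", "node2"]


def main() -> None:
    pfd = parse_duration("15s")
    base, rnd = parse_duration("2s"), parse_duration("5s")
    for node in SAMPLE_NODES:
        print(f"{node}: combined priority {node_priority(SAMPLE_RESOURCES, node)}")
    for node, delay in fencing_delays(SAMPLE_RESOURCES, SAMPLE_NODES, pfd, base, rnd).items():
        print(f"{node} waits up to {delay:.0f}s before fencing its peer")
    print("priority-fencing-delay sizing is safe:", delay_is_safe(pfd, base, rnd))


if __name__ == "__main__":
    main()
```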

(BZ#1784601)

New commands for managing multiple sets of resource and operation defaults

It is now possible to create, list, change and delete multiple sets of resource and operation defaults. When you create a set of default values, you can specify a rule that contains resource and op expressions. This allows you, for example, to configure a default resource value for all resources of a particular type. Commands that list existing default values now include multiple sets of defaults in their output.

  • The pcs resource [op] defaults set create command creates a new set of default values. When specifying rules with this command, only resource and op expressions, including and, or and parentheses, are allowed.
  • The pcs resource [op] defaults set delete | remove command removes sets of default values.
  • The pcs resource [op] defaults set update command changes the default values in a set.

(BZ#1817547)

Support for tagging cluster resources

It is now possible to tag cluster resources in a Pacemaker cluster with the pcs tag command. This feature allows you to administer a specified set of resources with a single command. You can also use the pcs tag command to remove or modify a resource tag, and to display the tag configuration.

The pcs resource enable, pcs resource disable, pcs resource manage, and pcs resource unmanage commands accept tag IDs as arguments.

(BZ#1684676)

Pacemaker now supports recovery by demoting a promoted resource rather than fully stopping it

It is now possible to configure a promotable resource in a Pacemaker cluster so that when a promote or monitor action fails for that resource, or the partition in which the resource is running loses quorum, the resource will be demoted but will not be fully stopped.

This feature can be useful when you would prefer that the resource continue to be available in the unpromoted mode. For example, if a database master’s partition loses quorum, you might prefer that the database resource lose the Master role, but stay alive in read-only mode so applications that only need to read can continue to work despite the lost quorum. This feature can also be useful when a successful demote is both sufficient for recovery and much faster than a full restart.

To support this feature:

  • The on-fail operation meta-attribute now accepts a demote value when used with promote actions, as in the following example:

    pcs resource op add my-rsc promote on-fail="demote"
  • The on-fail operation meta-attribute now accepts a demote value when used with monitor actions with both interval set to a nonzero value and role set to Master, as in the following example:

    pcs resource op add my-rsc monitor interval="10s" on-fail="demote" role="Master"
  • The no-quorum-policy cluster property now accepts a demote value. When set, if a cluster partition loses quorum, any promoted resources will be demoted but left running and all other resources will be stopped.

Specifying a demote meta-attribute for an operation does not affect how promotion of a resource is determined. If the affected node still has the highest promotion score, it will be selected to be promoted again.

(BZ#1837747, BZ#1843079)

New SBD_SYNC_RESOURCE_STARTUP SBD configuration parameter to improve synchronization with Pacemaker

To better control synchronization between SBD and Pacemaker, the /etc/sysconfig/sbd file now supports the SBD_SYNC_RESOURCE_STARTUP parameter. When Pacemaker and SBD packages from RHEL 8.3 or later are installed and SBD is configured with SBD_SYNC_RESOURCE_STARTUP=true, SBD contacts the Pacemaker daemon for information about the daemon’s state.

In this configuration, the Pacemaker daemon will wait until it has been contacted by SBD, both before starting its subdaemons and before final exit. As a result, Pacemaker will not run resources if SBD cannot actively communicate with it, and Pacemaker will not exit until it has reported a graceful shutdown to SBD. This prevents the unlikely situation that might occur during a graceful shutdown when SBD fails to detect the brief moment when no resources are running before Pacemaker finally disconnects, which would trigger an unneeded reboot. Detecting a graceful shutdown using a defined handshake works in maintenance mode as well. The previous method of detecting a graceful shutdown on the basis of no running resources left had to be disabled in maintenance mode since running resources would not be touched on shutdown.

In addition, enabling this feature avoids the risk of a split-brain situation in a cluster when SBD and Pacemaker both start successfully but SBD is unable to contact Pacemaker. This could happen, for example, due to SELinux policies. In this situation, Pacemaker would assume that SBD is functioning when it is not. With this new feature enabled, Pacemaker will not complete startup until SBD has contacted it. Another advantage of this new feature is that when it is enabled, SBD contacts Pacemaker repeatedly, using a heartbeat, and is able to panic the node if Pacemaker stops responding at any time.

Note

If you have edited your /etc/sysconfig/sbd file or configured SBD through PCS, then an RPM upgrade will not pull in the new SBD_SYNC_RESOURCE_STARTUP parameter. In these cases, to implement this feature you must manually add it from the /etc/sysconfig/sbd.rpmnew file or follow the procedure described in the Configuration via environment section of the sbd(8) man page.

(BZ#1718324, BZ#1743726)

5.11. Dynamic programming languages, web and database servers

A new module stream: ruby:2.7

RHEL 8.3 introduces Ruby 2.7.1 in a new ruby:2.7 module stream. This version provides a number of performance improvements, bug and security fixes, and new features over Ruby 2.6 distributed with RHEL 8.1.

Notable enhancements include:

  • A new Compaction Garbage Collector (GC) has been introduced. This GC can defragment a fragmented memory space.
  • Ruby yet Another Compiler-Compiler (Racc) now provides a command-line interface for the one-token Look-Ahead Left-to-Right – LALR(1) – parser generator.
  • Interactive Ruby Shell (irb), the bundled Read–Eval–Print Loop (REPL) environment, now supports multi-line editing.
  • Pattern matching, frequently used in functional programming languages, has been introduced as an experimental feature.
  • Numbered parameters as default block parameters have been introduced as an experimental feature.

The following performance improvements have been implemented:

  • Fiber cache strategy has been changed to accelerate fiber creation.
  • Performance of the CGI.escapeHTML method has been improved.
  • Performance of the Monitor class and MonitorMixin module has been improved.

In addition, automatic conversion of keyword arguments and positional arguments has been deprecated. In Ruby 3.0, positional arguments and keyword arguments will be separated. For more information, see the upstream documentation.

To suppress warnings against experimental features, use the -W:no-experimental command-line option. To disable a deprecation warning, use the -W:no-deprecated command-line option or add Warning[:deprecated] = false to your code.

To install the ruby:2.7 module stream, use:

# yum module install ruby:2.7

If you want to upgrade from the ruby:2.6 stream, see Switching to a later stream.

(BZ#1817135)

A new module stream: nodejs:14

A new module stream, nodejs:14, is now available. Node.js 14, included in RHEL 8.3, provides numerous new features and bug and security fixes over Node.js 12 distributed in RHEL 8.1.

Notable changes include:

  • The V8 engine has been upgraded to version 8.3.
  • A new experimental WebAssembly System Interface (WASI) has been implemented.
  • A new experimental Async Local Storage API has been introduced.
  • The diagnostic report feature is now stable.
  • The streams APIs have been hardened.
  • Experimental modules warnings have been removed.

With the release of the RHEA-2020:5101 advisory, RHEL 8 provides Node.js 14.15.0, which is the most recent Long Term Support (LTS) version with improved stability.

To install the nodejs:14 module stream, use:

# yum module install nodejs:14

If you want to upgrade from the nodejs:12 stream, see Switching to a later stream.

(BZ#1815402, BZ#1891809)

git rebased to version 2.27

The git packages have been upgraded to upstream version 2.27. Notable changes over the previously available version 2.18 include:

  • The git checkout command has been split into two separate commands:

    • git switch for managing branches
    • git restore for managing changes within the directory tree
  • The behavior of the git rebase command is now based on the merge workflow by default rather than the previous patch+apply workflow. To preserve the previous behavior, set the rebase.backend configuration variable to apply.
  • The git difftool command can now be used also outside a repository.
  • Four new configuration variables, {author,committer}.{name,email}, have been introduced to override user.{name,email} in more specific cases.
  • Several new options have been added that enable users to configure SSL for communication with proxies.
  • Handling of commits with log messages in non-UTF-8 character encoding has been improved in the git fast-export and git fast-import utilities.
  • The lfs extension has been added as a new git-lfs package. Git Large File Storage (LFS) replaces large files with text pointers inside Git and stores the file contents on a remote server.

(BZ#1825114, BZ#1783391)

Changes in Python

RHEL 8.3 introduces the following changes to the python38:3.8 module stream:

  • The Python interpreter has been updated to version 3.8.3, which provides several bug fixes.
  • The python38-pip package has been updated to version 19.3.1, and pip now supports installing manylinux2014 wheels.

Performance of the Python 3.6 interpreter, provided by the python3 packages, has been significantly improved.

The ubi8/python-27, ubi8/python-36, and ubi8/python-38 container images now support installing the pipenv utility from a custom package index or a PyPI mirror if provided by the customer. Previously, pipenv could only be downloaded from the upstream PyPI repository, and if the upstream repository was unavailable, the installation failed.

(BZ#1847416, BZ#1724996, BZ#1827623, BZ#1841001)

A new module stream: php:7.4

RHEL 8.3 introduces PHP 7.4, which provides a number of bug fixes and enhancements over version 7.3.

This release introduces a new experimental extension, Foreign Function Interface (FFI), which enables you to call native functions, access native variables, and create and access data structures defined in C libraries. The FFI extension is available in the php-ffi package.

The following extensions have been removed:

  • The wddx extension, removed from the php-xml package.
  • The recode extension, removed from the php-recode package.

To install the php:7.4 module stream, use:

# yum module install php:7.4

If you want to upgrade from the php:7.3 stream, see Switching to a later stream.

For details regarding PHP usage on RHEL 8, see Using the PHP scripting language.

(BZ#1797661)

A new module stream: nginx:1.18

The nginx 1.18 web and proxy server, which provides a number of bug fixes, security fixes, new features and enhancements over version 1.16, is now available. Notable changes include:

  • HTTP request rate and connection limiting have been enhanced. The limit_rate and limit_rate_after directives now support variables, and the new $limit_req_status and $limit_conn_status variables expose the outcome of each limit check (for example PASSED, DELAYED, REJECTED). In addition, the new limit_req_dry_run and limit_conn_dry_run directives add a dry-run mode in which excess requests are counted and logged but not delayed or rejected, so limits can be tuned before they are enforced.
  • A new auth_delay directive has been added, which delays the processing of unauthorized requests (those answered with a 401 status code) so that failed authentication attempts cannot be distinguished by response time, which also slows down password guessing.
  • The following directives now support variables: grpc_pass, proxy_upload_rate, and proxy_download_rate.
  • Additional PROXY protocol variables have been added, namely $proxy_protocol_server_addr and $proxy_protocol_server_port.
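The following configuration fragment is an added example for this release note; it is not taken from the RHEL documentation or from the nginx project. It puts the new features together: per-client request and connection limits run in dry-run mode so that excesses are logged but not enforced, the new $limit_req_status and $limit_conn_status variables are written to the access log, a variable is used with limit_rate, and auth_delay slows down failed HTTP basic authentication. The zone names, host name, certificate and htpasswd paths, user names and upstream address are assumptions chosen for the example. Place the fragment in a file under /etc/nginx/conf.d/, which the default nginx.conf includes in the http context, and check it with nginx -t before reloading.

```nginx
# Added example (not from the RHEL notes or the nginx project). Zone names, host
# name, certificate/htpasswd paths, user names and the upstream address are
# assumptions. Save as /etc/nginx/conf.d/api.conf (included in the http context).

# Per-client request rate (10 r/s) and concurrent-connection limits, keyed on the
# client address, each tracked in a 10 MB shared memory zone.
limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

# limit_rate accepts variables since this release: choose a download bandwidth
# per HTTP basic auth user. $remote_user is taken from the Authorization header;
# auth_basic still verifies the password before any response body is sent.
map $remote_user $download_rate {
    default  100k;
    alice    1m;
}

# Record the outcome of the limit checks. $limit_req_status is one of PASSED,
# DELAYED, REJECTED, DELAYED_DRY_RUN or REJECTED_DRY_RUN; $limit_conn_status is
# PASSED, REJECTED or REJECTED_DRY_RUN.
log_format ratelimit '$remote_addr "$request" $status '
                     'req=$limit_req_status conn=$limit_conn_status '
                     'rate=$download_rate';

server {
    listen 443 ssl;
    server_name api.example.com;
    ssl_certificate     /etc/pki/tls/certs/api.example.com.crt;
    ssl_certificate_key /etc/pki/tls/private/api.example.com.key;

    access_log /var/log/nginx/ratelimit.log ratelimit;

    location /api/ {
        limit_req  zone=req_per_ip burst=20 nodelay;
        limit_conn conn_per_ip 20;

        # Dry-run mode: excess requests and connections are still counted in the
        # zones and appear in the log as *_DRY_RUN, but nothing is delayed or
        # rejected. Tune rate and burst against real traffic, then set these to off.
        limit_req_dry_run  on;
        limit_conn_dry_run on;

        proxy_pass http://127.0.0.1:8080;
    }

    location /downloads/ {
        auth_basic           "Downloads";
        auth_basic_user_file /etc/nginx/htpasswd;

        # Hold every 401 response for one second so that a wrong password cannot
        # be told apart from an unknown user by timing, and guessing is slowed down.
        auth_delay 1s;

        limit_rate $download_rate;
        root /srv/www;
    }
}
```

Once the ratelimit log shows only PASSED for legitimate clients and *_DRY_RUN only for traffic you actually want to throttle, switch the two dry-run directives to off (or remove them) to start enforcing the limits.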

To install the nginx:1.18 stream, use:

# yum module install nginx:1.18

If you want to upgrade from the nginx:1.16 stream, see Switching to a later stream.

(BZ#1826632)

A new module stream: perl:5.30

RHEL 8.3 introduces Perl 5.30, which provides a number of bug fixes and enhancements over the previously released Perl 5.26. The new version also deprecates or removes certain language features. Notable changes with significant impact include:

  • The Math::BigInt::CalcEmu, arybase, and B::Debug modules have been removed
  • File descriptors are now opened with the close-on-exec flag set, which prevents them from leaking into programs started with exec
  • Opening the same symbol as a file and as a directory handle is no longer allowed
  • Subroutine attributes now must precede subroutine signatures
  • The :locked and :uniq attributes have been removed
  • Comma-less variable lists in formats are no longer allowed
  • A bare << here-document operator is no longer allowed
  • Certain formerly deprecated uses of an unescaped left brace ({) character in regular expression patterns are no longer permitted
  • Using an inherited AUTOLOAD() subroutine for non-method functions is no longer allowed
  • The sort pragma no longer allows specifying a sort algorithm
  • The B::OP::terse() subroutine has been replaced by the B::Concise::b_terse() subroutine
  • The File::Glob::glob() function has been replaced by the File::Glob::bsd_glob() function
  • The dump() function now must be invoked fully qualified as CORE::dump()
  • The yada-yada operator (...) is now a statement; it can no longer be used as an expression
  • Assigning a non-zero value to the $[ variable now returns a fatal error
  • The $* and $# variables are no longer allowed
  • Declaring variables using the my() function in a false condition branch is no longer allowed
  • Using the sysread() and syswrite() functions on the :utf8 handles now returns a fatal error
  • The pack() function no longer returns malformed UTF-8 format
  • Unicode code points with a value greater than IV_MAX are no longer allowed
  • Unicode 12.1 is now supported

To upgrade from an earlier perl module stream, see Switching to a later stream.

Perl 5.30 is also available as an s2i-enabled ubi8/perl-530 container image.

(BZ#1713592, BZ#1732828)

A new module stream: perl-libwww-perl:6.34

RHEL 8.3 introduces a new perl-libwww-perl:6.34 module stream, which provides the perl-libwww-perl package for all versions of Perl available in RHEL 8. The non-modular perl-libwww-perl package, available since RHEL 8.0, works only with the perl:5.26 stream and has been obsoleted by the new default perl-libwww-perl:6.34 stream.

(BZ#1781177)

A new module stream: perl-IO-Socket-SSL:2.066

A new perl-IO-Socket-SSL:2.066 module stream is now available. This module provides the perl-IO-Socket-SSL and perl-Net-SSLeay packages and it is compatible with all Perl streams available in RHEL 8.

(BZ#1824222)

The squid:4 module stream rebased to version 4.11

The Squid proxy server, provided by the squid:4 module stream, has been upgraded from version 4.4 to version 4.11. This release provides multiple bug and security fixes, and various enhancements, such as new configuration options.

(BZ#1829467)

Changes in the httpd:2.4 module stream

RHEL 8.3 introduces the following notable changes to the Apache HTTP Server, available through the httpd:2.4 module stream:

  • The mod_http2 module rebased to version 1.15.7
  • Configuration changes in the H2Upgrade and H2Push directives
  • A new H2Padding configuration directive to control padding of the HTTP/2 payload frames
  • Numerous bug fixes

(BZ#1814236)

Support for logging to journald from the CustomLog directive in httpd

It is now possible to output access (transfer) logs to journald from the Apache HTTP Server by using a new option for the CustomLog directive.

The supported syntax is as follows:

CustomLog journald:priority format|nickname

where priority is any priority string up to debug as used in the LogLevel directive.

For example, to log to journald using the combined log format, use:

CustomLog journald:info combined

Note that when using this option, the server performance might be lower than when logging directly to flat files.

(BZ#1209162)

5.12. Compilers and development tools

New GCC Toolset 10

GCC Toolset 10 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

The GCC compiler has been updated to version 10.2.1, which provides many bug fixes and enhancements that are available in upstream GCC.

The following tools and versions are provided by GCC Toolset 10:

Tool        Version

GCC         10.2.1
GDB         9.2
Valgrind    3.16.0
SystemTap   4.3
Dyninst     10.1.0
binutils    2.35
elfutils    0.180
dwz         0.12
make        4.2.1
strace      5.7
ltrace      0.7.91
annobin     9.29

To install GCC Toolset 10, run the following command as root:

# yum install gcc-toolset-10

To run a tool from GCC Toolset 10:

$ scl enable gcc-toolset-10 tool

To run a shell session where tool versions from GCC Toolset 10 override system versions of these tools:

$ scl enable gcc-toolset-10 bash

For more information, see Using GCC Toolset.

The GCC Toolset 10 components are available in two container images:

  • rhel8/gcc-toolset-10-toolchain, which includes the GCC compiler, the GDB debugger, and the make automation tool.
  • rhel8/gcc-toolset-10-perftools, which includes the performance monitoring tools, such as SystemTap and Valgrind.

To pull a container image, run the following command as root:

# podman pull registry.redhat.io/<image_name>

Note that only the GCC Toolset 10 container images are now supported. Container images of earlier GCC Toolset versions are deprecated.

For details regarding the container images, see Using the GCC Toolset container images.

(BZ#1842656)

Rust Toolset rebased to version 1.45.2

Rust Toolset has been updated to version 1.45.2. Notable changes include:

  • The subcommand cargo tree for viewing dependencies is now included in cargo.
  • Casting from floating point values to integers now produces a saturating (clamped) cast. Previously, if the truncated floating point value was out of range for the target integer type, the result was undefined behaviour, and non-finite values (infinities and NaN) led to undefined behaviour as well. With this enhancement, finite out-of-range values are clamped to the minimum or maximum of the target integer type, positive and negative infinity are clamped to the maximum and minimum respectively, and Not-a-Number (NaN) values become zero.
  • Function-like procedural macros in expressions, patterns, and statements are now extended and stabilized.
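The following is an added example, not code from Rust Toolset or from these release notes. It shows the saturating float-to-integer cast that Rust 1.45 made the defined behaviour, next to an explicit checked conversion for callers that must reject out-of-range input (for example, a length or offset parsed from untrusted data) instead of silently clamping it. The function names are the example's own.

```rust
// Added example, not code from Rust Toolset or the release notes: it shows the
// saturating float-to-int `as` cast that Rust 1.45 made the defined behaviour, next
// to an explicit checked conversion for callers that want to reject out-of-range
// input instead of clamping it. Function names are the example's own.

/// Saturating cast: since Rust 1.45 `as` truncates toward zero and then clamps.
/// Finite values beyond the range clamp to i32::MIN / i32::MAX, +inf and -inf clamp
/// to i32::MAX / i32::MIN, and NaN becomes 0. Before 1.45 this was undefined behaviour.
pub fn saturating_f64_to_i32(x: f64) -> i32 {
    x as i32
}

/// Checked cast: returns None for NaN and for values whose truncated integer part
/// does not fit in i32, so a clamped value cannot silently flow into size arithmetic.
pub fn checked_f64_to_i32(x: f64) -> Option<i32> {
    if x.is_nan() {
        return None;
    }
    let t = x.trunc();
    // i32::MIN and i32::MAX are exactly representable as f64, so these bounds are exact.
    if t < i32::MIN as f64 || t > i32::MAX as f64 {
        return None;
    }
    Some(t as i32)
}

fn main() {
    // Constructed inputs covering the in-range, out-of-range and non-finite cases.
    let inputs = [3.99, -3.99, 1e12, -1e12, f64::INFINITY, f64::NEG_INFINITY, f64::NAN];
    for &x in &inputs {
        println!(
            "{:>16} -> as i32: {:>11}  checked: {:?}",
            x,
            saturating_f64_to_i32(x),
            checked_f64_to_i32(x)
        );
    }
}
```

Use the saturating cast where clamping is the intended result (for example, when converting a computed ratio to a bounded counter) and the checked variant wherever an out-of-range or NaN input is a sign of bad data that should fail loudly.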

For detailed instructions regarding usage, see Using Rust Toolset.

(BZ#1820593)

LLVM Toolset rebased to version 10.0.1

LLVM Toolset has been upgraded to version 10.0.1. With this update, the clang-libs packages no longer include the individual clang component libraries, so applications can no longer link against them. To link applications against the clang libraries, use the single libclang-cpp.so shared library instead.

For more information, see Using LLVM Toolset.

(BZ#1820587)

Go Toolset rebased to version 1.14.7

Go Toolset has been upgraded to version 1.14.7. Notable changes include:

  • The Go module system is now fully supported.
  • SSL version 3.0 (SSLv3) is no longer supported by the crypto/tls package.

Notable Delve debugger enhancements include:

  • The new command examinemem (or x) for examining raw memory
  • The new command display for printing values of an expression during each stop of the program
  • The new --tty flag for supplying a Teletypewriter (TTY) for the debugged program
  • The new coredump support for Arm64
  • The new ability to print goroutine labels
  • The release of the Debug Adapter Protocol (DAP) server
  • The improved output from dlv trace and trace REPL (read-eval-print-loop) commands

For more information on Go Toolset, see Using Go Toolset.

For more information on Delve, see the upstream Delve documentation.

(BZ#1820596)

SystemTap rebased to version 4.3

The SystemTap instrumentation tool has been updated to version 4.3, which provides multiple bug fixes and enhancements. Notable changes include:

  • Userspace probes can be targeted by hexadecimal buildid from readelf -n. This alternative to a path name enables matching binaries to be probed under any name, and thus allows a single script to target a range of different versions. This feature works well in conjunction with the elfutils debuginfod server.
  • Script functions can use probe $context variables to access variables in the probed location, which allows the SystemTap scripts to use common logic to work with a variety of probes.
  • The stapbpf program has been improved with try-catch statements and error probes, which enable proper error tolerance in scripts running on the BPF backend.

For further information about notable changes, read the upstream release notes before updating.

(BZ#1804319)

Valgrind rebased to version 3.16.0

The Valgrind executable code analysis tool has been updated to version 3.16.0, which provides a number of bug fixes and enhancements over the previous version:

  • It is now possible to dynamically change the value of many command-line options while your program is running under Valgrind: through vgdb, through a gdb connected to the Valgrind gdbserver, or through program client requests. To get a list of dynamically changeable options, run the valgrind --help-dyn-options command.
  • For the Cachegrind (cg_annotate) and Callgrind (callgrind_annotate) tools the --auto and --show-percs options now default to yes.
  • The Memcheck tool produces fewer false positive errors on optimized code. In particular, Memcheck now better handles the case when the compiler transformed an A && B check into B && A, where B could be undefined and A was false. Memcheck also better handles integer equality checks and non-equality checks on partially defined values.
  • The experimental Stack and Global Array Checking tool (exp-sgcheck) has been removed. An alternative for detecting stack and global array overruns is using the AddressSanitizer (ASAN) facility of GCC, which requires you to rebuild your code with the -fsanitize=address option.

(BZ#1804324)

elfutils rebased to version 0.180

The elfutils package has been updated to version 0.180, which provides multiple bug fixes and enhancements. Notable changes include:

  • Better support for debug information in code built with GCC LTO (link time optimization). The eu-readelf utility and the libdw library can now read and handle .gnu.debuglto_ sections and correctly resolve file names for functions that are defined across CUs (compile units).
  • The eu-nm utility now explicitly identifies weak objects as V and common symbols as C.
  • The debuginfod server can now index .deb archives and has a generic extension to add other package archive formats using the -Z EXT[=CMD] option. For example -Z '.tar.zst=zstdcat' indicates that archives ending with the .tar.zst extension should be unpacked using the zstdcat utility.
  • The debuginfod client library provides several new helper functions, such as debuginfod_set_user_data, debuginfod_get_user_data, debuginfod_get_url, and debuginfod_add_http_header. It now also supports file:// URLs.

(BZ#1804321)

GDB now supports process record and replay on IBM z15

With this enhancement, the GNU Debugger (GDB) now supports process record and replay with most of the new instructions of the IBM z15 processor (previously known as arch13). Note that the following instructions are currently not supported: SORTL (sort lists), DFLTCC (deflate conversion call), KDSA (compute digital signature authentication).

(BZ#1659535)

Marvell ThunderX2 performance monitoring events have been updated in papi

With this enhancement, a number of performance events specific to ThunderX2, including uncore events, have been updated. As a result, developers can better investigate system performance on Marvell ThunderX2 systems.

(BZ#1726070)

The glibc math library is now optimized for IBM Z

With this enhancement, the libm math functions were optimized to improve performance on IBM Z machines. Notable changes include:

  • improved rounding mode handling to avoid superfluous floating point control register sets and extracts
  • exploitation of conversion between z196 integer and float

(BZ#1780204)

An additional libffi-specific temporary directory is available now

Previously, on hardened systems, the system-wide temporary directories might not have had permissions suitable for the libffi library, which needs a location where it can both write and execute the trampoline code it generates for closures.

With this enhancement, system administrators can set the LIBFFI_TMPDIR environment variable to point to a libffi-specific temporary directory that is mounted without the noexec option and labeled with an SELinux context that permits both writing and executing. Because such a directory is a writable and executable location, keep its permissions restricted to the processes that need it.

(BZ#1723951)

Improved performance of strstr() and strcasestr()

With this update, the performance of the strstr() and strcasestr() functions has been improved across several supported architectures. As a result, users now benefit from significantly better performance of all applications using string and memory manipulation routines.

(BZ#1821531)

glibc now handles loading of a truncated locale archive correctly

If the archive of system locales has been previously truncated, either due to a power outage during upgrade or a disk failure, a process could terminate unexpectedly when loading the archive. This enhancement adds additional consistency checks to the loading of the locale archive. As a result, processes are now able to detect archive truncation and fall back to either non-archive installed locales or the default POSIX locale.

(BZ#1784525)

GDB now supports debuginfod

With this enhancement, the GNU Debugger (GDB) can now download debug information on demand from centralized debuginfod servers by using the elfutils debuginfod client library. GDB queries the servers listed in the DEBUGINFOD_URLS environment variable; point it only at servers you trust, because the downloaded debug information and source files are used as they are received.

(BZ#1838777)

pcp rebased to version 5.1.1-3

The pcp package has been upgraded to version 5.1.1-3. Notable changes include:

  • Updated service units and improved systemd integration and reliability for all the PCP services. Improved archive log rotation and more timely compression. Archive discovery bug fixes in the pmproxy protocol.
  • Improved pcp-atop, pcp-dstat, pmrep, and related monitor tools along with metric labels reporting in the pmrep and export tools.
  • Improved bpftrace, OpenMetrics, MMV, the Linux kernel agent, and other collection agents. New metric collectors for the Open vSwitch and RabbitMQ servers.
  • New host discovery pmfind systemd service, which replaces the standalone pmmgr daemon.

(BZ#1792971)

grafana rebased to version 6.7.3

The grafana package has been upgraded to version 6.7.3. Notable changes include:

  • Generic OAuth role mapping support
  • A new logs panel
  • Multi-line text display in the table panel
  • New currency and energy units

(BZ#1807323)

grafana-pcp rebased to version 2.0.2

The grafana-pcp package has been upgraded to version 2.0.2. Notable changes include:

  • Supports the multidimensional eBPF maps to be graphed in the flamegraph.
  • Removes an auto-completion cache in the query editor, so that the PCP metrics can appear dynamically.

(BZ#1807099)

A new rhel8/pcp container image

The rhel8/pcp container image is now available in the Red Hat Container Registry. The image contains the Performance Co-Pilot (PCP) toolkit, which includes the preinstalled pcp-zeroconf package and the OpenMetrics PMDA.

(BZ#1497296)

A new rhel8/grafana container image

The rhel8/grafana container image is now available in the Red Hat Container Registry. Grafana is an open source metrics dashboard and graph editor for the Graphite, Elasticsearch, OpenTSDB, Prometheus, InfluxDB, and PCP monitoring tools.

(BZ#1823834)

5.13. Identity Management

IdM backup utility now checks for required replica roles

The ipa-backup utility now checks if all of the services used in the IdM cluster, such as a Certificate Authority (CA), Domain Name System (DNS), and Key Recovery Agent (KRA) are installed on the replica where you are running the backup. If the replica does not have all these services installed, the ipa-backup utility exits with a warning, because backups taken on that host would not be sufficient for a full cluster restoration.

For example, if your IdM deployment uses an integrated Certificate Authority (CA), a backup run on a non-CA replica will not capture CA data. Red Hat recommends verifying that the replica where you perform an ipa-backup has all of the IdM services used in the cluster installed.

For more information, see Preparing for data loss with IdM backups.

(BZ#1810154)

New password expiration notification tool

Expiring Password Notification (EPN), provided by the ipa-client-epn package, is a standalone tool you can use to build a list of Identity Management (IdM) users whose passwords are expiring soon.

IdM administrators can use EPN to:

  • Display a list of affected users in JSON format, which is calculated at runtime
  • Calculate how many emails will be sent for a given day or date range
  • Send password expiration email notifications to users

Red Hat recommends launching EPN once a day from an IdM client or replica with the included ipa-epn.timer systemd timer.

(BZ#913799)

JSS now provides a FIPS-compliant SSLContext

Previously, Tomcat obtained its SSLEngine from the SSLContext class of the Java Secure Socket Extension (JSSE). The default SunJSSE provider is not compliant with the Federal Information Processing Standard (FIPS), therefore PKI now provides a FIPS-compliant SSLContext implementation through JSS.

(BZ#1821851)

Checking the overall health of your public key infrastructure is now available

With this update, the public key infrastructure (PKI) Healthcheck tool reports the health of the PKI subsystem to the Identity Management (IdM) Healthcheck tool, which was introduced in RHEL 8.1. Executing the IdM Healthcheck invokes the PKI Healthcheck, which collects and returns the health report of the PKI subsystem.

The pki-healthcheck tool is available on any deployed RHEL IdM server or replica. All the checks provided by pki-healthcheck are also integrated into the ipa-healthcheck tool. ipa-healthcheck can be installed separately from the idm:DL1 module stream.

Note that pki-healthcheck can also work in a standalone Red Hat Certificate System (RHCS) infrastructure.

(BZ#1770322)

Support for RSA PSS

With this enhancement, PKI now supports the RSA PSS (Probabilistic Signature Scheme) signing algorithm.

To enable this feature, set the following line in the pkispawn configuration file for a given subsystem:

pki_use_pss_rsa_signing_algorithm=True

As a result, all existing default signing algorithms for this subsystem (specified in its CS.cfg configuration file) use the corresponding PSS version. For example, SHA256withRSA becomes SHA256withRSA/PSS.

(BZ#1824948)

Directory Server exports the private key and certificate to a private name space when the service starts

Directory Server uses OpenLDAP libraries for outgoing connections, such as replication agreements. Because these libraries cannot access the network security services (NSS) database directly, Directory Server extracts the private key and certificates from the NSS database on instances with TLS encryption support so that the OpenLDAP libraries can establish encrypted connections. Previously, Directory Server extracted the private key and certificates to the directory set in the nsslapd-certdir parameter in the cn=config entry (default: /etc/dirsrv/slapd-<instance_name>/) and stored them there as Server-Cert-Key.pem and Server-Cert.pem. With this enhancement, Directory Server extracts the private key and certificate to a private namespace that systemd mounts on the /tmp/ directory of the service. As a result, the extracted private key is visible only inside the Directory Server process's own mount namespace and is no longer left in the instance configuration directory, which increases security.

(BZ#1638875)

Directory Server can now turn an instance to read-only mode if the disk monitoring threshold is reached

This update adds the nsslapd-disk-monitoring-readonly-on-threshold parameter to the cn=config entry. If you enable this setting, Directory Server switches all databases to read-only if disk monitoring is enabled and the free disk space is lower than the value you configured in nsslapd-disk-monitoring-threshold. With nsslapd-disk-monitoring-readonly-on-threshold set to on, the databases cannot be modified until Directory Server successfully shuts down the instance. This can prevent data corruption.

(BZ#1728943)

samba rebased to version 4.12.3

The samba packages have been upgraded to upstream version 4.12.3, which provides a number of bug fixes and enhancements over the previous version:

  • Built-in cryptography functions have been replaced with GnuTLS functions. This improves the server message block version 3 (SMB3) performance and copy speed significantly.
  • The minimum runtime support is now Python 3.5.
  • The write cache size parameter has been removed because the previous write cache concept could reduce the performance on memory-constrained systems.
  • Support for authenticating connections using Kerberos tickets with DES encryption types has been removed.
  • The vfs_netatalk virtual file system (VFS) module has been removed.
  • The ldap ssl ads parameter is marked as deprecated and will be removed in a future Samba version. For information about how to alternatively encrypt LDAP traffic and further details, see the samba: removal of "ldap ssl ads" smb.conf option solution.
  • By default, Samba on RHEL 8.3 no longer supports the deprecated RC4 cipher suite. If you run Samba as a domain member in an AD that still requires RC4 for Kerberos authentication, use the update-crypto-policies --set DEFAULT:AD-SUPPORT command to enable support for the RC4 encryption type.

Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.

For further information about notable changes, read the upstream release notes before updating.

(BZ#1817557)

cockpit-session-recording rebased to version 4

The cockpit-session-recording module has been rebased to version 4. This version provides the following notable changes over the previous version:

  • Updated parent id in the metainfo file.
  • Updated package manifest.
  • Fixed rpmmacro to resolve correct path on CentOS7.
  • Handled byte-array encoded journal data.
  • Moved code out of deprecated React lifecycle functions.

(BZ#1826516)

krb5 rebased to version 1.18.2

The krb5 packages have been upgraded to upstream version 1.18.2. Notable fixes and enhancements include:

  • Single- and triple-DES encryption types have been removed.
  • Draft 9 PKINIT has been removed as it is not needed for any of the supported versions of Active Directory.
  • NegoEx mechanism plug-ins are now supported.
  • Hostname canonicalization fallback is now supported (dns_canonicalize_hostname = fallback).

(BZ#1802334)

IdM now supports new Ansible management modules

This update introduces several ansible-freeipa modules for automating common Identity Management (IdM) tasks using Ansible playbooks:

  • The config module allows setting global configuration parameters within IdM.
  • The dnsconfig module allows modifying global DNS configuration.
  • The dnsforwardzone module allows adding and removing DNS forwarders from IdM.
  • The dnsrecord module allows the management of DNS records. In contrast to the upstream ipa_dnsrecord, it allows multiple record management in one execution, and it supports more record types.
  • The dnszone module allows configuring zones in the DNS server.
  • The service module allows ensuring the presence and absence of services.
  • The vault module allows ensuring the presence and absence of vaults and of the members of vaults.

Note that the ipagroup and ipahostgroup modules have been extended to include user and host group membership managers, respectively. A group membership manager is a user or a group that can add members to a group or remove members from a group. For more information, see the Variables sections of the respective /usr/share/doc/ansible-freeipa/README-* files.

(JIRA:RHELPLAN-49954)

IdM now supports a new Ansible system role for certificate management

Identity Management (IdM) supports a new Ansible system role for automating certificate management tasks. The new role includes the following benefits:

  • The role helps automate the issuance and renewal of certificates.
  • The role can be configured to have the ipa certificate authority issue your certificates. In this way, you can use your existing IdM infrastructure to manage the certificate trust chain.
  • The role allows you to specify the commands to be executed before and after a certificate is issued, for example the stopping and starting of services.

(JIRA:RHELPLAN-50002)

Identity Management now supports FIPS

With this enhancement, you can now use encryption types that are approved by the Federal Information Processing Standard (FIPS) with the authentication mechanisms in Identity Management (IdM). Note that a cross-forest trust between IdM and Active Directory is not FIPS compliant.

Customers who require FIPS but do not require an AD trust can now install IdM in FIPS mode.

(JIRA:RHELPLAN-43531)

OpenDNSSEC in idm:DL1 rebased to version 2.1

The OpenDNSSEC component of the idm:DL1 module stream has been upgraded to the 2.1 version series, which is the current long term upstream support version. OpenDNSSEC is an open source project driving the adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security. OpenDNSSEC 2.1 provides a number of bug fixes and enhancements over the previous version. For more information, read the upstream release notes: https://www.opendnssec.org/archive/releases/

(JIRA:RHELPLAN-48838)

IdM now supports the deprecated RC4 cipher suite with a new system-wide cryptographic subpolicy

This update introduces the new AD-SUPPORT cryptographic subpolicy that enables the Rivest Cipher 4 (RC4) cipher suite in Identity Management (IdM).

As an administrator in the context of IdM-Active Directory (AD) cross-forest trusts, you can activate the new AD-SUPPORT subpolicy when AD is not configured to use Advanced Encryption Standard (AES). More specifically, Red Hat recommends enabling the new subpolicy if one of the following conditions applies:

  • The user or service accounts in AD have RC4 encryption keys and lack AES encryption keys.
  • The trust links between individual Active Directory domains have RC4 encryption keys and lack AES encryption keys.

To enable the AD-SUPPORT subpolicy in addition to the DEFAULT cryptographic policy, enter:

 # update-crypto-policies --set DEFAULT:AD-SUPPORT

Alternatively, to upgrade trusts between AD domains in an AD forest so that they support strong AES encryption types, see the following Microsoft article: AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain.

(BZ#1851139)

Adjusting to new Microsoft LDAP channel binding and LDAP signing requirements

With recent Microsoft updates, Active Directory (AD) flags the clients that do not use the default Windows settings for LDAP channel binding and LDAP signing. As a consequence, RHEL systems that use the System Security Services Daemon (SSSD) for direct or indirect integration with AD might trigger error Event IDs in AD upon successful Simple Authentication and Security Layer (SASL) operations that use the Generic Security Services Application Program Interface (GSSAPI).

To prevent these notifications, configure client applications to use the Simple and Protected GSSAPI Negotiation Mechanism (GSS-SPNEGO) SASL mechanism instead of GSSAPI. To configure SSSD, set the ldap_sasl_mech option to GSS-SPNEGO.

Additionally, if channel binding is enforced on the AD side, configure any systems that use SASL with SSL/TLS in the following way:

  1. Install the latest versions of the cyrus-sasl, openldap and krb5-libs packages that are shipped with RHEL 8.3 and later.
  2. In the /etc/openldap/ldap.conf file, specify the correct channel binding type by setting the SASL_CBINDING option to tls-endpoint.

For more information, see Impact of Microsoft Security Advisory ADV190023 | LDAP Channel Binding and LDAP Signing on RHEL and AD integration.
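As an added example that is not part of the release notes or of the SSSD and OpenLDAP projects, the following two configuration fragments show the settings described above in place. The domain name, domain controller and CA certificate path are assumptions. The first fragment belongs in /etc/sssd/sssd.conf (mode 0600, owned by root), the second in /etc/openldap/ldap.conf; both files use # for comments.

```ini
# --- /etc/sssd/sssd.conf (added example; domain and server names are assumptions) ---
[sssd]
domains = ad.example.com
services = nss, pam

[domain/ad.example.com]
id_provider = ad
access_provider = ad
ad_domain = ad.example.com
# Negotiate GSS-SPNEGO instead of plain GSSAPI so that the domain controller sees
# the LDAP signing and sealing it expects and stops flagging this client.
ldap_sasl_mech = GSS-SPNEGO

# --- /etc/openldap/ldap.conf (added example) ---
# For SASL binds over TLS (ldaps:// or StartTLS) to a domain controller that
# enforces LDAP channel binding: send the tls-server-end-point binding so the bind
# is accepted. Requires the cyrus-sasl, openldap and krb5-libs from RHEL 8.3 or later.
URI ldaps://dc1.ad.example.com
BASE dc=ad,dc=example,dc=com
TLS_CACERT /etc/pki/tls/certs/ad-ca.pem
SASL_CBINDING tls-endpoint
```

After restarting SSSD, a test bind from the same host (kinit as a domain user, then ldapsearch -H ldaps://dc1.ad.example.com -Y GSS-SPNEGO -b dc=ad,dc=example,dc=com) should succeed even with channel binding set to enforced on the domain controller.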

(BZ#1873567)

SSSD, adcli, and realmd now support the deprecated RC4 cipher suite with a new system-wide cryptographic subpolicy

This update introduces the new AD-SUPPORT cryptographic subpolicy that enables the Rivest Cipher 4 (RC4) cipher suite for the following utilities:

  • the System Security Services Daemon (SSSD)
  • adcli
  • realmd

As an administrator, you can activate the new AD-SUPPORT subpolicy when Active Directory (AD) is not configured to use Advanced Encryption Standard (AES) in the following scenarios:

  • SSSD is used on a RHEL system connected directly to AD.
  • adcli is used to join an AD domain or to update host attributes, for example the host key.
  • realmd is used to join an AD domain.

Red Hat recommends enabling the new subpolicy if one of the following conditions applies:

  • The user or service accounts in AD have RC4 encryption keys and lack AES encryption keys.
  • The trust links between individual Active Directory domains have RC4 encryption keys and lack AES encryption keys.

To enable the AD-SUPPORT subpolicy in addition to the DEFAULT cryptographic policy, enter:

 # update-crypto-policies --set DEFAULT:AD-SUPPORT

(BZ#1866695)

authselect has a new minimal profile

The authselect utility has a new minimal profile. You can use this profile to serve only local users and groups directly from system files instead of using other authentication providers. Therefore, you can safely remove the SSSD, winbind, and fprintd packages and can use this profile on systems that require minimal installation to save disk and memory space.

(BZ#1654018)

SSSD now updates Samba’s secrets.tdb file when rotating a password

A new ad_update_samba_machine_account_password option in the sssd.conf file is now available in RHEL. You can use it to set SSSD to automatically update the Samba secrets.tdb file when rotating a machine’s domain password while using Samba.

However, if SELinux is in enforcing mode, SSSD fails to update the secrets.tdb file. Consequently, Samba does not have access to the new password. To work around this problem, set SELinux to permissive mode.

(BZ#1793727)

SSSD now enforces AD GPOs by default

The default setting for the SSSD option ad_gpo_access_control is now enforcing. In RHEL 8, SSSD enforces access control rules based on Active Directory Group Policy Objects (GPOs) by default.

Red Hat recommends ensuring GPOs are configured correctly in Active Directory before upgrading from RHEL 7 to RHEL 8. If you do not want to enforce GPOs, change the value of the ad_gpo_access_control option in the /etc/sssd/sssd.conf file to permissive.

(JIRA:RHELPLAN-51289)

5.14. Desktop

Single-application session is now available

You can now start GNOME in a single-application session, also known as kiosk mode. In this session, GNOME displays only a full-screen window of an application that you have configured.

To enable the single-application session:

  1. Install the gnome-session-kiosk-session package:

    # yum install gnome-session-kiosk-session
  2. Create and edit the $HOME/.local/bin/redhat-kiosk file of the user that will open the single-application session.

    In the file, enter the executable name of the application that you want to launch.

    For example, to launch the Text Editor application:

    #!/bin/sh
    
    gedit &
  3. Make the file executable:

    $ chmod +x $HOME/.local/bin/redhat-kiosk
  4. At the GNOME login screen, select the Kiosk session from the cogwheel button menu and log in as the single-application user.
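The script below is an added example, not part of the release notes or of the gnome-session-kiosk-session package. It performs steps 2 and 3 of the procedure for a given home directory with a few checks a practitioner would want: the requested application must resolve to an executable on PATH, an existing launcher is never silently overwritten, and the resulting file is executable but writable only by its owner. The function name and the argument layout are constructed for the example; the launcher path $HOME/.local/bin/redhat-kiosk is the one the procedure uses.

```shell
#!/bin/sh
# Added example (not from the RHEL release notes): write the per-user kiosk
# launcher created in steps 2 and 3 above, with sanity checks.
# Usage: create_kiosk_launcher /home/kiosk gedit
# Prints the launcher path on success; returns 1 on any failure.

create_kiosk_launcher() {
    home=$1
    app=$2
    bindir="$home/.local/bin"
    launcher="$bindir/redhat-kiosk"

    # Only launch something that resolves to an executable on PATH.
    if ! command -v "$app" >/dev/null 2>&1; then
        echo "not an executable on PATH: $app" >&2
        return 1
    fi

    # Do not clobber a launcher that is already in place.
    if [ -e "$launcher" ]; then
        echo "launcher already exists: $launcher" >&2
        return 1
    fi

    mkdir -p "$bindir" || return 1

    # Same content as the example in step 2: a shell script that starts the
    # application in the background.
    printf '#!/bin/sh\n\n%s &\n' "$app" > "$launcher" || return 1

    # Step 3 uses chmod +x; 0755 gives the same result on a freshly created
    # file and guarantees the file is not group- or world-writable, since the
    # session runs whatever this file contains as the kiosk user.
    chmod 0755 "$launcher" || return 1

    printf '%s\n' "$launcher"
}
```

Run it as the kiosk user (or as root followed by chown to that user) before selecting the Kiosk session at the login screen.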

(BZ#1739556)

tigervnc has been rebased to version 1.10.1

The tigervnc suite has been rebased to version 1.10.1. The update contains a number of fixes and improvements. Most notably:

  • tigervnc now only supports starting of the virtual network computing (VNC) server using the systemd service manager.
  • The clipboard now supports full Unicode in the native viewer, WinVNC and Xvnc/libvnc.so.
  • The native client will now respect the system trust store when verifying server certificates.
  • The Java web server has been removed.
  • x0vncserver can now be configured to only allow local connections.
  • x0vncserver has received fixes for when only part of the display is shared.
  • Polling is now default in WinVNC.
  • Compatibility with VMware’s VNC server has been improved.
  • Compatibility with some input methods on macOS has been improved.
  • Automatic "repair" of JPEG artefacts has been improved.

(BZ#1806992)

5.15. Graphics infrastructures

Support for new graphics cards

The following graphics cards are now fully supported:

  • The AMD Navi 14 family, which includes the following models:

    • Radeon RX 5300
    • Radeon RX 5300 XT
    • Radeon RX 5500
    • Radeon RX 5500 XT
  • The AMD Renoir APU family, which includes the following models:

    • Ryzen 3 4300U
    • Ryzen 5 4500U, 4600U, and 4600H
    • Ryzen 7 4700U, 4800U, and 4800H
  • The AMD Dali APU family, which includes the following models:

    • Athlon Silver 3050U
    • Athlon Gold 3150U
    • Ryzen 3 3250U

Additionally, the following graphics drivers have been updated:

  • The Matrox mgag200 driver

(JIRA:RHELPLAN-55009)

Hardware acceleration with Nvidia Volta and Turing

The nouveau graphics driver now supports hardware acceleration with the Nvidia Volta and Turing GPU families. As a result, the desktop and applications that use 3D graphics now render efficiently on the GPU. Additionally, this frees the CPU for other tasks and improves the overall system responsiveness.

(JIRA:RHELPLAN-57564)

Reduced display tearing on XWayland

The XWayland display back end now enables the XPresent extension. Using XPresent, applications can efficiently update their window content, which reduces display tearing.

This feature significantly improves the user interface rendering of full-screen OpenGL applications, such as 3D editors.

(JIRA:RHELPLAN-57567)

5.16. The web console

Setting privileges from within the web console session

With this update the web console provides an option to switch between administrative access and limited access from inside of a user session. You can switch between the modes by clicking the Administrative access or Limited access indicator in your web console session.

(JIRA:RHELPLAN-42395)

Improvements to logs searching

With this update, the web console introduces a search box that supports several new ways to search the logs. The search box supports regular-expression matching in log messages, filtering by service, and searching for entries with specific log fields.

(BZ#1710731)

Overview page shows more detailed Insights reports

With this update, when a machine is connected to Red Hat Insights, the Health card on the Overview page in the web console shows more detailed information about the number of hits and their priority.

(JIRA:RHELPLAN-42396)

5.17. Red Hat Enterprise Linux System Roles

Terminal log role added to RHEL System Roles

With this enhancement, a new Terminal log (TLOG) role has been added to the RHEL System Roles shipped with the rhel-system-roles package. Users can now use the tlog role to set up and configure session recording using Ansible.

Currently, the tlog role supports the following tasks:

  • Configure tlog to log recording data to the systemd journal
  • Enable session recording for explicit users and groups, via SSSD

(BZ#1822158)

RHEL Logging System Role is now available for Ansible

With the Logging System Role, you can deploy various logging configurations consistently on local and remote hosts. You can configure a RHEL host as a server to collect logs from many client systems.

(BZ#1677739)

rhel-system-roles-sap fully supported

The rhel-system-roles-sap package, previously available as a Technology Preview, is now fully supported. It provides Red Hat Enterprise Linux (RHEL) System Roles for SAP, which can be used to automate the configuration of a RHEL system to run SAP workloads. These roles greatly reduce the time to configure a system to run SAP workloads by automatically applying the optimal settings that are based on best practices outlined in relevant SAP Notes. Access is limited to RHEL for SAP Solutions offerings. Please contact Red Hat Customer Support if you need assistance with your subscription.

The following new roles in the rhel-system-roles-sap package are fully supported:

  • sap-preconfigure
  • sap-netweaver-preconfigure
  • sap-hana-preconfigure

For more information, see Red Hat Enterprise Linux System Roles for SAP.

(BZ#1660832)

The metrics RHEL System Role is now available for Ansible

With the metrics RHEL System Role, you can configure, for local and remote hosts:

  • performance analysis services via the pcp application
  • visualisation of this data using a grafana server
  • querying of this data using the redis data source without having to manually configure these services separately.

(BZ#1890499)

rhel-system-roles-sap upgraded

The rhel-system-roles-sap packages have been upgraded to upstream version 2.0.0, which provides multiple bug fixes and enhancements. Notable changes include:

  • Improve hostname configuration and checking
  • Improve uuidd status detection and handling
  • Add support for the --check (-c) option
  • Increase nofile limits from 32800 to 65536
  • Add the nfs-utils file to sap_preconfigure_packages*
  • Disable firewalld. With this change we disable firewalld only when it is installed.
  • Add minimum required versions of the setup package for RHEL 8.0 and RHEL 8.1.
  • Improve the tmpfiles.d/sap.conf file handling
  • Support single step execution or checking of SAP notes
  • Add the required compat-sap-c++ packages
  • Improve minimum package installation handling
  • Detect if a reboot is required after applying the RHEL System Roles
  • Support setting any SELinux state. Default state is "disabled"
  • No longer fail if there is more than one line with identical IP addresses
  • No longer modify /etc/hosts if there is more than one line containing sap_ip
  • Support for HANA on RHEL 7.7
  • Support for adding a repository for the IBM service and productivity tools for Power, required for SAP HANA on the ppc64le platform

(BZ#1844190)

5.18. Virtualization

Migrating a virtual machine to a host with incompatible TSC setting now fails faster

Previously, migrating a virtual machine to a host with incompatible Time Stamp Counter (TSC) setting failed late in the process. With this update, attempting such a migration generates an error before the migration process starts.

(JIRA:RHELPLAN-45950)

Virtualization support for 2nd generation AMD EPYC processors

With this update, virtualization on RHEL 8 adds support for the 2nd generation AMD EPYC processors, also known as EPYC Rome. As a result, virtual machines hosted on RHEL 8 can now use the EPYC-Rome CPU model and utilise new features that the processors provide.

(JIRA:RHELPLAN-45959)

New command: virsh iothreadset

This update introduces the virsh iothreadset command, which can be used to configure dynamic IOThread polling. This makes it possible to set up virtual machines with lower latencies for I/O-intensive workloads at the expense of greater CPU consumption for the IOThread. For specific options, see the virsh man page.

(JIRA:RHELPLAN-45958)

UMIP is now supported by KVM on 10th generation Intel Core processors

With this update, the User-mode Instruction Prevention (UMIP) feature is now supported by KVM for hosts running on 10th generation Intel Core processors, also known as Ice Lake Servers. The UMIP feature issues a general protection exception if certain instructions, such as sgdt, sidt, sldt, smsw, and str, are executed when the Current Privilege Level (CPL) is greater than 0. As a result, UMIP ensures system security by preventing unauthorized applications from accessing certain system-wide settings which can be used to initiate privilege escalation attacks.

(JIRA:RHELPLAN-45957)

The libvirt library now supports Memory Bandwidth Allocation

libvirt now supports Memory Bandwidth Allocation (MBA). With MBA, you can allocate parts of host memory bandwidth in vCPU threads by using the <memorytune> element in the <cputune> section.

MBA is an extension of the existing Cache QoS Enforcement (CQE) feature found in the Intel Xeon v4 processors, also known as Broadwell server. For tasks that are associated with the CPU affinity, the mechanism used by MBA is the same as in CQE.

(JIRA:RHELPLAN-45956)

RHEL 6 virtual machines now support the Q35 machine type

Virtual machines (VMs) hosted on RHEL 8 that use RHEL 6 as their guest OS can now use Q35, a more modern PCI Express-based machine type. This provides a variety of improvements in features and performance of virtual devices, and ensures that a wider range of modern devices are compatible with RHEL 6 VMs.

(JIRA:RHELPLAN-45952)

QEMU logs now include time stamps for spice-server events

This update adds time stamps to spice-server event logs. Therefore, all logged QEMU events now have a time stamp. As a result, users can more easily troubleshoot their virtual machines using logs saved in the /var/log/libvirt/qemu/ directory.

(JIRA:RHELPLAN-45945)

The bochs-display device is now supported

RHEL 8.3 and later introduce the Bochs display device, which is more secure than the currently used stdvga device. Note that all virtual machines (VMs) compatible with bochs-display will use it by default. This mainly includes VMs that use the UEFI interface.

(JIRA:RHELPLAN-45939)

Optimized MDS protection for virtual machines

With this update, a RHEL 8 host can inform its virtual machines (VMs) whether they are vulnerable to Microarchitectural Data Sampling (MDS). VMs that are not vulnerable do not use measures against MDS, which improves their performance.

(JIRA:RHELPLAN-45937)

Creating QCOW2 disk images on RBD now supported

With this update, it is possible to create QCOW2 disk images on RADOS Block Device (RBD) storage. As a result, virtual machines can use RBD servers for their storage back ends with QCOW2 images.

Note, however, that the write performance of QCOW2 disk images on RBD storage is currently lower than intended.

(JIRA:RHELPLAN-45936)

Maximum supported VFIO devices increased to 64

With this update, you can attach up to 64 PCI devices that use VFIO to a single virtual machine on a RHEL 8 host. This is up from 32 in RHEL 8.2 and prior.

(JIRA:RHELPLAN-45930)

discard and write-zeroes commands are now supported in QEMU/KVM

With this update, the discard and write-zeroes commands for virtio-blk are now supported in QEMU/KVM. As a result, virtual machines can use the virtio-blk device to discard unused sectors of an SSD, fill sectors with zeroes when they are emptied, or both. This can be used to increase SSD performance or to ensure that a drive is securely erased.

(JIRA:RHELPLAN-45926)

RHEL 8 now supports IBM POWER 9 XIVE

This update introduces support for the External Interrupt Virtualization Engine (XIVE) feature of IBM POWER9 to RHEL 8. As a result, virtual machines (VMs) running on a RHEL 8 hypervisor on an IBM POWER 9 system can use XIVE, which improves the performance of I/O-intensive VMs.

(JIRA:RHELPLAN-45922)

Control Group v2 support for virtual machines

With this update, the libvirt suite supports control groups v2. As a result, virtual machines hosted on RHEL 8 can take advantage of resource control capabilities of control group v2.

(JIRA:RHELPLAN-45920)

Paravirtualized IPIs are now supported for Windows virtual machines

With this update, the hv_ipi flag has been added to the supported hypervisor enlightenments for Windows virtual machines (VMs). This allows inter-processor interrupts (IPIs) to be sent via a hypercall. As a result, IPIs can be performed faster on VMs running a Windows OS.

(JIRA:RHELPLAN-45918)

Migrating virtual machines with enabled disk cache is now possible

This update makes the RHEL 8 KVM hypervisor compatible with disk cache live migration. As a result, it is now possible to live-migrate virtual machines with disk cache enabled.

(JIRA:RHELPLAN-45916)

macvtap interfaces can now be used by virtual machines in non-privileged sessions

It is now possible for virtual machines (VMs) to use a macvtap interface previously created by a privileged process. Notably, this enables VMs started by the non-privileged user session of libvirtd to use a macvtap interface.

To do so, first create a macvtap interface in a privileged environment and set it to be owned by the user who will be running libvirtd in a non-privileged session. You can do this using a management application such as the web console, or using command-line utilities as root, for example:

# ip link add link en2 name mymacvtap0 address 52:54:00:11:11:11 type macvtap mode bridge
# chown myuser /dev/tap$(cat /sys/class/net/mymacvtap0/ifindex)
# ip link set mymacvtap0 up

Afterwards, modify the <target> sub-element of the VM’s <interface> configuration to reference the newly created macvtap interface:

  <interface type='ethernet'>
    <model type='virtio'/>
    <mac address='52:54:00:11:11:11'/>
    <target dev='mymacvtap0' managed='no'/>
  </interface>

With this configuration, if libvirtd is run as the user myuser, the VM will use the existing macvtap interface when started.

(JIRA:RHELPLAN-45915)

Virtual machines can now use features of 10th generation Intel Core processors

The Icelake-Server and Icelake-Client CPU model names are now available for virtual machines (VMs). On hosts with 10th generation Intel Core processors, using Icelake-Server or Icelake-Client as the CPU type in the XML configuration of a VM exposes the new features of these CPUs to the VM.

(JIRA:RHELPLAN-45911)

QEMU now supports LUKS encryption

With this update, it is possible to create virtual disks using Linux Unified Key Setup (LUKS) encryption. You can encrypt the disks when creating the storage volume by including the <encryption> field in the virtual machine’s (VM) XML configuration. You can also make the LUKS encrypted virtual disk completely transparent to the VM by including the <encryption> field in the disk’s domain definition in the XML configuration file.

(JIRA:RHELPLAN-45910)

Improved logs for nbdkit

The nbdkit service logging has been modified to be less verbose. As a result, nbdkit logs only potentially important messages, and the logs created during virt-v2v conversions are shorter and easier to parse.

(JIRA:RHELPLAN-45909)

Improved consistency for virtual machines SELinux security labels and permissions

With this update, the libvirt service can record SELinux security labels and permissions associated with files, and restore the labels after modifying the files. As a result, for example, using libguestfs utilities to modify a virtual machine (VM) disk image owned by a specific user no longer changes the image owner to root.

Note that this feature does not work on file systems that do not support extended file attributes, such as NFS.

(JIRA:RHELPLAN-45908)

QEMU now uses the gcrypt library for XTS ciphers

With this update, the QEMU emulator has been changed to use the XTS cipher mode implementation provided by the gcrypt library. This improves the I/O performance of virtual machines whose host storage uses QEMU’s native luks encryption driver.

(JIRA:RHELPLAN-45904)

Windows Virtio drivers can now be updated using Windows Updates

With this update, a new standard SMBIOS string is initiated by default when QEMU starts. The parameters provided in the SMBIOS fields make it possible to generate IDs for the virtual hardware running on the virtual machine (VM). As a result, Windows Update can identify the virtual hardware and the RHEL hypervisor machine type, and update the Virtio drivers on VMs running Windows 10+, Windows Server 2016, and Windows Server 2019+.

(JIRA:RHELPLAN-45901)

New command: virsh guestinfo

The virsh guestinfo command has been introduced to RHEL 8.3. This makes it possible to report the following types of information about a virtual machine (VM):

  • Guest OS and file system information
  • Active users
  • The time zone used

Before running virsh guestinfo, ensure that the qemu-guest-agent package is installed. In addition, the guest_agent channel must be enabled in the VM’s XML configuration, for example as follows:

<channel type='unix'>
   <target type='virtio' name='org.qemu.guest_agent.0'/>
</channel>

(JIRA:RHELPLAN-45900)

VNNI for BFLOAT16 inputs are now supported by KVM

With this update, Vector Neural Network Instructions (VNNI) supporting BFLOAT16 inputs, also known as AVX512_BF16 instructions, are now supported by KVM for hosts running on the 3rd Gen Intel Xeon Scalable processors, also known as Cooper Lake. As a result, guest software can now use the AVX512_BF16 instructions inside virtual machines once the feature is enabled in the virtual CPU configuration.

(JIRA:RHELPLAN-45899)

New command: virsh pool-capabilities

RHEL 8.3 introduces the virsh pool-capabilities command option. This command displays information that can be used for creating storage pools, as well as storage volumes within each pool, on your host. This includes:

  • Storage pool types
  • Storage pool source formats
  • Target storage volume format types

(JIRA:RHELPLAN-45884)

Support for CPUID.1F in virtual machines with Intel Xeon Platinum 9200 series processors

With this update, virtual machines hosted on RHEL 8 can be configured with a virtual CPU topology of multiple dies, using the Extended Topology Enumeration leaf feature (CPUID.1F). This feature is supported by Intel Xeon Platinum 9200 series processors, previously known as Cascade Lake. As a result, it is now possible on hosts that use Intel Xeon Platinum 9200 series processors to create a vCPU topology that mirrors the physical CPU topology of the host.

(JIRA:RHELPLAN-37573, JIRA:RHELPLAN-45934)

Virtual machines can now use features of 3rd Generation Intel Xeon Scalable Processors

The Cooperlake CPU model name is now available for virtual machines (VMs). Using Cooperlake as the CPU type in the XML configuration of a VM exposes the new features of the 3rd Generation Intel Xeon Scalable Processors to the VM, provided that the host uses this CPU.

(JIRA:RHELPLAN-37570)

Intel Optane persistent memory now supported by KVM

With this update, virtual machines hosted on RHEL 8 can benefit from the Intel Optane persistent memory technology, previously known as Intel Crystal Ridge. Intel Optane persistent memory storage devices provide data center-class persistent memory technology, which can significantly increase transaction throughput.

(JIRA:RHELPLAN-14068)

Virtual machines can now use Intel Processor Trace

With this update, virtual machines (VMs) hosted on RHEL 8 are able to use the Intel Processor Trace (PT) feature. When your host uses a CPU that supports Intel PT, you can use specialized Intel software to collect a variety of metrics about the performance of your VM’s CPU. Note that this also requires enabling the intel-pt feature in the XML configuration of the VM.

(JIRA:RHELPLAN-7788)

DASD devices can now be assigned to virtual machines on IBM Z

Direct-access storage devices (DASDs) provide a number of specific storage features. Using the vfio-ccw feature, you can assign DASDs as mediated devices to your virtual machines (VMs) on IBM Z hosts. This makes it possible, for example, for the VM to access a z/OS dataset, or to share the assigned DASDs with a z/OS machine.

(JIRA:RHELPLAN-40234)

IBM Secure Execution supported for IBM Z

When using IBM Z hardware to run your RHEL 8 host, you can improve the security of your virtual machines (VMs) by configuring IBM Secure Execution for the VMs. IBM Secure Execution, also known as Protected Virtualization, prevents the host system from accessing a VM’s state and memory contents.

As a result, even if the host is compromised, it cannot be used as a vector for attacking the guest operating system. In addition, Secure Execution can be used to prevent untrusted hosts from obtaining sensitive information from the VM.

(JIRA:RHELPLAN-14754)

5.19. RHEL in cloud environments

cloud-utils-growpart rebased to 0.31

The cloud-utils-growpart package has been upgraded to version 0.31, which provides multiple bug fixes and enhancements. Notable changes include:

  • A bug that prevented GPT disks from being grown past 2TB has been fixed.
  • The growpart operation no longer fails when the start sector and size are the same.
  • Resizing a partition using the sgdisk utility previously in some cases failed. This problem has now been fixed.

(BZ#1846246)

5.20. Containers

skopeo container image is now available

The registry.redhat.io/rhel8/skopeo container image is a containerized implementation of the skopeo package. The skopeo tool is a command-line utility that performs various operations on container images and image repositories. This container image allows you to inspect container images in a registry, to remove a container image from a registry, and to copy container images from one unauthenticated container registry to another. To pull the registry.redhat.io/rhel8/skopeo container image, you need an active Red Hat Enterprise Linux subscription.

(BZ#1627900)

buildah container image is now available

The registry.redhat.io/rhel8/buildah container image is a containerized implementation of the buildah package. The buildah tool facilitates building OCI container images. This container image allows you to build container images without the need to install the buildah package on your system. The use-case does not cover running this image in rootless mode as a non-root user. To pull the registry.redhat.io/rhel8/buildah container image, you need an active Red Hat Enterprise Linux subscription.

(BZ#1627898)

Podman v2.0 RESTful API is now available

The new REST based Podman 2.0 API replaces the old remote API based on the varlink library. The new API works in both a rootful and a rootless environment and provides a docker compatibility layer.

(JIRA:RHELPLAN-37517)

Installing Podman does not require container-selinux

With this enhancement, the installation of the container-selinux package is now optional during the container build. As a result, Podman has fewer dependencies on other packages.

(BZ#1806044)

5.21. New drivers

Network drivers

  • CAN driver for Kvaser CAN/USB devices (kvaser_usb.ko.xz)
  • Driver for Theobroma Systems UCAN devices (ucan.ko.xz)
  • Pensando Ethernet NIC Driver (ionic.ko.xz)

Graphics drivers and miscellaneous drivers

  • Generic Remote Processor Framework (remoteproc.ko.xz)
  • Package Level C-state Idle Injection for Intel® CPUs (intel_powerclamp.ko.xz)
  • X86 PKG TEMP Thermal Driver (x86_pkg_temp_thermal.ko.xz)
  • INT3402 Thermal driver (int3402_thermal.ko.xz)
  • ACPI INT3403 thermal driver (int3403_thermal.ko.xz)
  • Intel® acpi thermal rel misc dev driver (acpi_thermal_rel.ko.xz)
  • INT3400 Thermal driver (int3400_thermal.ko.xz)
  • Intel® INT340x common thermal zone handler (int340x_thermal_zone.ko.xz)
  • Processor Thermal Reporting Device Driver (processor_thermal_device.ko.xz)
  • Intel® PCH Thermal driver (intel_pch_thermal.ko.xz)
  • DRM gem ttm helpers (drm_ttm_helper.ko.xz)
  • Device node registration for cec drivers (cec.ko.xz)
  • Fairchild FUSB302 Type-C Chip Driver (fusb302.ko.xz)
  • VHOST IOTLB (vhost_iotlb.ko.xz)
  • vDPA-based vhost backend for virtio (vhost_vdpa.ko.xz)
  • VMware virtual PTP clock driver (ptp_vmw.ko.xz)
  • Intel® LPSS PCI driver (intel-lpss-pci.ko.xz)
  • Intel® LPSS core driver (intel-lpss.ko.xz)
  • Intel® LPSS ACPI driver (intel-lpss-acpi.ko.xz)
  • Mellanox watchdog driver (mlx_wdt.ko.xz)
  • Mellanox FAN driver (mlxreg-fan.ko.xz)
  • Mellanox regmap I/O access driver (mlxreg-io.ko.xz)
  • Intel® speed select interface pci mailbox driver (isst_if_mbox_pci.ko.xz)
  • Intel® speed select interface mailbox driver (isst_if_mbox_msr.ko.xz)
  • Intel® speed select interface mmio driver (isst_if_mmio.ko.xz)
  • Mellanox LED regmap driver (leds-mlxreg.ko.xz)
  • vDPA Device Simulator (vdpa_sim.ko.xz)
  • Intel® Tiger Lake PCH pinctrl/GPIO driver (pinctrl-tigerlake.ko.xz)
  • PXA2xx SSP SPI Controller (spi-pxa2xx-platform.ko.xz)
  • CE4100/LPSS PCI-SPI glue code for PXA’s driver (spi-pxa2xx-pci.ko.xz)
  • Hyper-V PCI Interface (pci-hyperv-intf.ko.xz)
  • vDPA bus driver for virtio devices (virtio_vdpa.ko.xz)

5.22. Updated drivers

Network driver updates

  • VMware vmxnet3 virtual NIC driver (vmxnet3.ko.xz) has been updated to version 1.5.0.0-k.
  • Realtek RTL8152/RTL8153 Based USB Ethernet Adapters (r8152.ko.xz) has been updated to version 1.09.10.
  • Broadcom BCM573xx network driver (bnxt_en.ko.xz) has been updated to version 1.10.1.
  • The Netronome Flow Processor (NFP) driver (nfp.ko.xz) has been updated to version 4.18.0-240.el8.x86_64.
  • Intel® Ethernet Switch Host Interface Driver (fm10k.ko.xz) has been updated to version 0.27.1-k.
  • Intel® Ethernet Connection E800 Series Linux Driver (ice.ko.xz) has been updated to version 0.8.2-k.

Storage driver updates

  • Emulex LightPulse Fibre Channel SCSI driver (lpfc.ko.xz) has been updated to version 0:12.8.0.1.
  • QLogic FCoE Driver (bnx2fc.ko.xz) has been updated to version 2.12.13.
  • LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas.ko.xz) has been updated to version 34.100.00.00.
  • Driver for HP Smart Array Controller version (hpsa.ko.xz) has been updated to version 3.4.20-170-RH5.
  • QLogic Fibre Channel HBA Driver (qla2xxx.ko.xz) has been updated to version 10.01.00.25.08.3-k.
  • Broadcom MegaRAID SAS Driver (megaraid_sas.ko.xz) has been updated to version 07.714.04.00-rh1.

Graphics and miscellaneous driver updates

  • Standalone drm driver for the VMware SVGA device (vmwgfx.ko.xz) has been updated to version 2.17.0.0.
  • Crypto Co-processor for Chelsio Terminator cards (chcr.ko.xz) has been updated to version 1.0.0.0-ko.