Chapter 7. Technology Previews
This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.3.
For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.
xt_u32 Netfilter module
xt_u32 Netfilter module is now available in the
kernel-modules-extra rpm. This module helps in packet forwarding based on the data that is inaccessible to other protocol-based packet filters and thus eases manual migration to
xt_u32 Netfilter module is not supported by Red Hat.
nmstate available as a Technology Preview
Nmstate is a network API for hosts. The
nmstate packages, available as a Technology Preview, provide a library and the
nmstatectl command-line utility to manage host network settings in a declarative manner. The networking state is described by a pre-defined schema. Reporting of the current state and changes to the desired state both conform to the schema.
For further details, see the
/usr/share/doc/nmstate/README.md file and the examples in the
AF_XDP available as a Technology Preview
Address Family eXpress Data Path (
AF_XDP) socket is designed for high-performance packet processing. It accompanies
XDP and grants efficient redirection of programmatically selected packets to user space applications for further processing.
XDP available as a Technology Preview
The eXpress Data Path (XDP) feature, which is available as a Technology Preview, provides a means to attach extended Berkeley Packet Filter (eBPF) programs for high-performance packet processing at an early point in the kernel ingress data path, allowing efficient programmable packet analysis, filtering, and manipulation.
KTLS available as a Technology Preview
In Red Hat Enterprise Linux 8, Kernel Transport Layer Security (KTLS) is provided as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also provides the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that support this functionality.
XDP features that are available as Technology Preview
Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported Technology Preview:
Loading XDP programs on architectures other than AMD and Intel 64-bit. Note that the
libxdplibrary is not available for architectures other than AMD and Intel 64-bit.
The XDP hardware offloading. Before using this feature, see Unloading XDP programs on Netronome network cards that use the
act_mpls module available as a Technology Preview
act_mpls module is now available in the
kernel-modules-extra rpm as a Technology Preview. The module allows the application of Multiprotocol Label Switching (MPLS) actions with Traffic Control (TC) filters, for example, push and pop MPLS label stack entries with TC filters. The module also allows the Label, Traffic Class, Bottom of Stack, and Time to Live fields to be set independently.
Multipath TCP is now available as a Technology Preview
Multipath TCP (MPTCP), an extension to TCP, is now available as a Technology Preview. MPTCP improves resource usage within the network and resilience to network failure. For example, with Multipath TCP on the RHEL server, smartphones with MPTCP v1 enabled can connect to an application running on the server and switch between Wi-Fi and cellular networks without interrupting the connection to the server.
Note that either the applications running on the server must natively support MPTCP or administrators must load an
eBPF program into the kernel to dynamically change
For further details see, Getting started with Multipath TCP.
(JIRA:RHELPLAN-41549, BZ#1798631, BZ#1808012, JIRA:RHELPLAN-45934, JIRA:RHELPLAN-24437, BZ#1667516, BZ#1667225)
kexec fast reboot feature is available as Technology Preview
kexec fast reboot feature continues to be available as a Technology Preview.
kexec fast reboot significantly speeds the boot process by allowing the kernel to boot directly into the second kernel without passing through the Basic Input/Output System (BIOS) first. To use this feature:
- Reboot the operating system.
eBPF available as a Technology Preview
Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions.
The virtual machine includes a new system call
bpf(), which supports creating various types of maps, and also allows to load programs in a special assembly-like code. The code is then loaded to the kernel and translated to the native machine code with just-in-time compilation. Note that the
bpf() syscall can be successfully used only by a user with the
CAP_SYS_ADMIN capability, such as the root user. See the
bpf(2) man page for more information.
The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet reception) to receive and process data.
There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported. All components are available as a Technology Preview, unless a specific component is indicated as supported.
The following notable eBPF components are currently available as a Technology Preview:
bpftrace, a high-level tracing language that utilizes the eBPF virtual machine.
AF_XDP, a socket for connecting the eXpress Data Path (XDP) path to user space for applications that prioritize packet processing performance.
igc driver available as a Technology Preview for RHEL 8
igc Intel 2.5G Ethernet Linux wired LAN driver is now available on all architectures for RHEL 8 as a Technology Preview. The
ethtool utility also supports
igc wired LANs.
7.3. File systems and storage
NVMe/TCP is available as a Technology Preview
Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) and its corresponding
nvmet-tcp.ko kernel modules have been added as a Technology Preview.
The use of NVMe/TCP as either a storage client or a target is manageable with tools provided by the
The NVMe/TCP target Technology Preview is included only for testing purposes and is not currently planned for full support.
File system DAX is now available for ext4 and XFS as a Technology Preview
In Red Hat Enterprise Linux 8, file system DAX is available as a Technology Preview. DAX provides a means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that supports DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the
dax mount option. Then, an
mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.
OverlayFS is a type of union file system. It enables you to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media.
OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs warnings when this technology is activated.
Full support is available for OverlayFS when used with supported container engines (
buildah) under the following restrictions:
- OverlayFS is supported for use only as a container engine graph driver. Its use is supported only for container COW content, not for persistent storage. You must place any persistent storage on non-OverlayFS volumes. You can use only the default container engine configuration: one level of overlay, one lowerdir, and both lower and upper levels are on the same file system.
- Only XFS is currently supported for use as a lower layer file system.
Additionally, the following rules and limitations apply to using OverlayFS:
- The OverlayFS kernel ABI and user-space behavior are not considered stable, and might change in future updates.
OverlayFS provides a restricted set of the POSIX standards. Test your application thoroughly before deploying it with OverlayFS. The following cases are not POSIX-compliant:
Lower files opened with
O_RDONLYdo not receive
st_atimeupdates when the files are read.
Lower files opened with
O_RDONLY, then mapped with
MAP_SHAREDare inconsistent with subsequent modification.
d_inovalues are not enabled by default on RHEL 8, but you can enable full POSIX compliance for them with a module option or mount option.
To get consistent inode numbering, use the
You can also use the
index=onoptions to improve POSIX compliance. These two options make the format of the upper layer incompatible with an overlay without these options. That is, you might get unexpected results or errors if you create an overlay with
index=on, unmount the overlay, then mount the overlay without these options.
- Lower files opened with
To determine whether an existing XFS file system is eligible for use as an overlay, use the following command and see if the
ftype=1option is enabled:
# xfs_info /mount-point | grep ftype
- SELinux security labels are enabled by default in all supported container engines with OverlayFS.
- Several known issues are associated with OverlayFS in this release. For details, see Non-standard behavior in the Linux kernel documentation: https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt.
For more information about OverlayFS, see the Linux kernel documentation: https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt.
Stratis is now available as a Technology Preview
Stratis is a new local storage manager. It provides managed file systems on top of pools of storage with additional features to the user.
Stratis enables you to more easily perform storage tasks such as:
- Manage snapshots and thin provisioning
- Automatically grow file system sizes as needed
- Maintain file systems
To administer Stratis storage, use the
stratis utility, which communicates with the
stratisd background service.
Stratis is provided as a Technology Preview.
For more information, see the Stratis documentation: Managing layered local storage with Stratis.
RHEL 8.3 updates Stratis to version 2.1.0. For more information, see Stratis 2.1.0 Release Notes.
(JIRA:RHELPLAN-1212, BZ#1798631, BZ#1808012, JIRA:RHELPLAN-45934, JIRA:RHELPLAN-24437, BZ#1667516, BZ#1667225)
IdM now supports setting up a Samba server on an IdM domain member as a Technology Preview
With this update, you can now set up a Samba server on an Identity Management (IdM) domain member. The new
ipa-client-samba utility provided by the same-named package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For example, the utility creates the
/etc/samba/smb.conf with the ID mapping configuration for the
sss ID mapping back end. As a result, administrators can now set up Samba on an IdM domain member.
Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows hosts cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not support resolving IdM groups using the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) protocols. As a consequence, AD users can only access the Samba shares and printers from IdM clients.
For details, see Setting up Samba on an IdM domain member.
(JIRA:RHELPLAN-13195, BZ#1798631, BZ#1808012, JIRA:RHELPLAN-45934, JIRA:RHELPLAN-24437, BZ#1667516, BZ#1667225)
7.4. High availability and clusters
Local mode version of
pcs cluster setup command available as a technology preview
By default, the
pcs cluster setup command automatically synchronizes all configuration files to the cluster nodes. In Red Hat Enterprise Linux 8.3, the
pcs cluster setup command provides the
--corosync-conf option as a technology preview. Specifying this option switches the command to
local mode. In this mode,
pcs creates a
corosync.conf file and saves it to a specified file on the local node only, without communicating with any other node. This allows you to create a
corosync.conf file in a script and handle that file by means of the script.
podman bundles available as a Technology Preview
Pacemaker container bundles now run on the
podman container platform, with the container bundle feature being available as a Technology Preview. There is one exception to this feature being Technology Preview: Red Hat fully supports the use of Pacemaker bundles for Red Hat Openstack.
corosync-qdevice available as a Technology Preview
Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to
corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to
corosync-qnetd where it is used in calculations to determine which partition should be quorate.
fence-agents-heuristics-ping fence agent
As a Technology Preview, Pacemaker now supports the
fence_heuristics_ping agent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.
If the heuristics agent is configured on the same fencing level as the fence agent that does the actual fencing but is configured before that agent in sequence, fencing issues an
off action on the heuristics agent before it attempts to do so on the agent that does the fencing. If the heuristics agent gives a negative result for the
off action it is already clear that the fencing level is not going to succeed, causing Pacemaker fencing to skip the step of issuing the
off action on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent the agent that does the actual fencing from fencing a node under certain conditions.
A user might want to use this agent, especially in a two-node cluster, when it would not make sense for a node to fence the peer if it can know beforehand that it would not be able to take over the services properly. For example, it might not make sense for a node to take over services if it has problems reaching the networking uplink, making the services unreachable to clients, a situation which a ping to a router might detect in that case.
7.5. Identity Management
Identity Management JSON-RPC API available as Technology Preview
An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as Technology Preview.
In Red Hat Enterprise Linux 7.3, the IdM API was enhanced to enable multiple versions of API commands. Previously, enhancements could change the behavior of a command in an incompatible way. Users are now able to continue using existing tools and scripts even if the IdM API changes. This enables:
- Administrators to use previous or later versions of IdM on the server than on the managing client.
- Developers to use a specific version of an IdM call, even if the IdM version changes on the server.
In all cases, the communication with the server is possible, regardless if one side uses, for example, a newer version that introduces new options for a feature.
For details on using the API, see Using the Identity Management API to Communicate with the IdM Server (TECHNOLOGY PREVIEW).
DNSSEC available as Technology Preview in IdM
Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.
Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:
Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.
GNOME Desktop on ARM is available as a Technology Preview
The GNOME Desktop is now available as a Technology Preview on the 64-bit ARM architecture. Users who require a graphical session to configure and manage their servers can now connect to a remote graphical session running GNOME Desktop using VNC.
GNOME for the 64-bit ARM architecture available as a Technology Preview
The GNOME desktop environment is now available for the 64-bit ARM architecture as a Technology Preview. This enables administrators to configure and manage servers from a graphical user interface (GUI) remotely, using the VNC session.
As a consequence, new administration applications are available on the 64-bit ARM architecture. For example: Disk Usage Analyzer (
baobab), Firewall Configuration (
firewall-config), Red Hat Subscription Manager (
subscription-manager), or the Firefox web browser. Using Firefox, administrators can connect to the local Cockpit daemon remotely.
(JIRA:RHELPLAN-27394, BZ#1798631, BZ#1808012, JIRA:RHELPLAN-45934, JIRA:RHELPLAN-24437, BZ#1667516, BZ#1667225)
GNOME desktop on IBM Z is available as a Technology Preview
The GNOME desktop, including the Firefox web browser, is now available as a Technology Preview on the IBM Z architecture. You can now connect to a remote graphical session running GNOME using VNC to configure and manage your IBM Z servers.
(JIRA:RHELPLAN-27737, BZ#1798631, BZ#1808012, JIRA:RHELPLAN-45934, JIRA:RHELPLAN-24437, BZ#1667516, BZ#1667225)
7.7. Graphics infrastructures
VNC remote console available as a Technology Preview for the 64-bit ARM architecture
On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available as a Technology Preview. Note that the rest of the graphics stack is currently unverified for the 64-bit ARM architecture.
Intel Tiger Lake graphics available as a Technology Preview
Intel Tiger Lake UP3 and UP4 Xe graphics are now available as a Technology Preview.
To enable hardware acceleration with Intel Tiger Lake graphics, add the following option on the kernel command line:
In this option, replace pci-id with one of the following:
- The PCI ID of your Intel GPU
*character to enable the
i915driver with all alpha-quality hardware
7.8. Red Hat Enterprise Linux System Roles
postfix role of RHEL System Roles available as a Technology Preview
Red Hat Enterprise Linux System Roles provides a configuration interface for Red Hat Enterprise Linux subsystems, which makes system configuration easier through the inclusion of Ansible Roles. This interface enables managing system configurations across multiple versions of Red Hat Enterprise Linux, as well as adopting new major releases.
rhel-system-roles packages are distributed through the AppStream repository.
postfix role is available as a Technology Preview.
The following roles are fully supported:
For more information, see the Knowledgebase article about RHEL System Roles.
KVM virtualization is usable in RHEL 8 Hyper-V virtual machines
As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a Hyper-V host.
Note that currently, this feature only works on Intel systems. In addition, nested virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the following Microsoft documentation:
AMD SEV for KVM virtual machines
As a Technology Preview, RHEL 8 introduces the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts VM memory so that the host cannot access data on the VM. This increases the security of the VM if the host is successfully infected by malware.
Note that the number of VMs that can use this feature at a time on a single host is determined by the host hardware. Current AMD EPYC processors support up to 509 running VMs using SEV.
Also note that for VMs with SEV configured to be able to boot, you must also configure the VM with a hard memory limit. To do so, add the following to the VM’s XML configuration:
<memtune> <hard_limit unit='KiB'>N</hard_limit> </memtune>
The recommended value for N is equal to or greater then the guest RAM + 256 MiB. For example, if the guest is assigned 2 GiB RAM, N should be 2359296 or greater.
(BZ#1501618, BZ#1501607, JIRA:RHELPLAN-7677)
As a Technology Preview, it is now possible to divide a physical Intel GPU device into multiple virtual devices referred to as
mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.
Note that only selected Intel GPUs are compatible with the vGPU feature. In addition, assigning a physical GPU to VMs makes it impossible for the host to use the GPU, and may prevent graphical display output on the host from working.
Creating nested virtual machines
Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on AMD64 and IBM Z systems hosts with RHEL 8. With this feature, a RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its own VMs.
Note that in RHEL 8.2 and later, nested virtualization is fully supported for VMs running on an Intel 64 host.
(JIRA:RHELPLAN-14047, BZ#1798631, BZ#1808012, JIRA:RHELPLAN-45934, JIRA:RHELPLAN-24437, BZ#1667516, BZ#1667225)
Select Intel network adapters now support SR-IOV in RHEL guests on Hyper-V
As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters supported by the
iavf drivers. This feature is enabled when the following conditions are met:
- SR-IOV support is enabled for the network interface controller (NIC)
- SR-IOV support is enabled for the virtual NIC
- SR-IOV support is enabled for the virtual switch
- The virtual function (VF) from the NIC is attached to the virtual machine
The feature is currently supported with Microsoft Windows Server 2019 and 2016.
podman container image is available as a Technology Preview
registry.redhat.io/rhel8/podman container image is a containerized implementation of the
podman package. The
podman tool is used for managing containers and images, volumes mounted into those containers, and pods made from groups of containers. Podman is based on the
libpod library for container lifecycle management. The
libpod library provides APIs for managing containers, pods, container images, and volumes. This container image allows create, modify and run container images without the need to install the
podman package on your system. The use-case does not cover running this image in rootless mode as a non-root user. To pull the
registry.redhat.io/rhel8/podman container image, you need an active Red Hat Enterprise Linux subscription.
crun is available as a Technology Preview
crun OCI runtime has been added to the
container-rools:rhl8 module. The
crun provides an access to run with cgoupsV2. The
crun supports an annotation that allows the container to access the rootless users additional groups. This is useful for volume mounting in a directory that the user only have group access to, or the directory is setgid on it.