Chapter 4. New features

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.7.

4.1. Installer and image creation

Automatic FCP SCSI LUN scanning support in installer

The installer can now use the automatic LUN scanning when attaching FCP SCSI LUNs on IBM Z systems. Automatic LUN scanning is available for FCP devices operating in NPIV mode, if it is not disabled through the zfcp.allow_lun_scan kernel module parameter. It is enabled by default. It provides access to all SCSI devices found in the storage area network attached to the FCP device with the specified device bus ID. It is not necessary to specify WWPN and FCP LUNs anymore and it is sufficient to provide just the FCP device bus ID.


Image builder on-premise now supports the /boot partition customization

Image builder on-premise version now supports building images with custom /boot mount point partition size. You can specify the size of the /boot mount point partition in the blueprint customization, to increase the size of the /boot partition in case the default boot partition size is too small. For example:

mountpoint = "/boot"
size = "20 GiB"


Image builder on-premise now supports uploading images to GCP

With this enhancement, you can use image builder CLI to build a gce image, providing credentials for the user or service account that you want to use to upload the images. As a result, image builder creates the image and then uploads the gce image directly to the GCP environment that you specified.


Image builder on-premise CLI supports pushing a container image directly to a registry

With this enhancement, you can push RHEL for Edge container images directly to a container registry after it has been built, using the image builder CLI. To build the container image:

  1. Set up an upload provider and optionally, add credentials.
  2. Build the container image, passing the container registry and the repository to composer-cli as arguments.

    After the image is ready, it is available in the container registry you set up.


Image builder on-premise users now customize their blueprints during the image creation process

With this update, the Edit Blueprint page was removed to unify the user experience in the image builder service and in the image builder app in cockpit-composer. Users can now create their blueprints and add their customization, such as adding packages, and create users, during the image creation process. The versioning of blueprints has also been removed so that blueprints only have one version: the current one. Users have access to older blueprint versions through their already created images.


4.2. Shells and command-line tools

Cronie adds support for a randomized time within a selected range

The Cronie utility now supports the ~ (random within range) operator for cronjob execution. As a result, you can start a cronjob on a randomized time within the selected range.


A new package: xmlstarlet

XMLStarlet is a set of command-line utilities for parsing, transforming, querying, validating, and editing XML files. The new xmlstarlet package offers a simple set of shell commands that you can use in a similar way as you use UNIX commands for plain text files like grep, sed, awk, diff, patch, join and other.


ReaR adds new variables for executing commands before and after recovery

With this enhancement, ReaR introduces two new variables for easier automation of commands to be executed before and after recovery:

  • PRE_RECOVERY_COMMANDS accepts an array of commands. These commands will be executed before recovery starts.
  • POST_RECOVERY_COMMANDS accepts an array of commands. These commands will be executed after recovery finishes.

These variables are an alternative to PRE_RECOVERY_SCRIPT and POST_RECOVERY_SCRIPT with the following differences:

  • The earlier PRE_RECOVERY_SCRIPT and POST_RECOVERY_SCRIPT variables accept a single shell command. To pass multiple commands to these variables, you must separate the commands by semicolons.
  • The new PRE_RECOVERY_COMMANDS and POST_RECOVERY_COMMANDS variables accept arrays of commands, and each element of the array is executed as a separate command.

As a result, providing multiple commands to be executed in the rescue system before and after recovery is now easier and less error-prone.

For more information, see the default.conf file.


libva rebased to version 2.13.0

The libva library for video acceleration API has been updated to version 2.13.0. Notable improvements and new features include:

  • Two new FourCC video coding formats: X2R10G10B10 and X2B10G10R10 for capturing, processing, and displaying video in the 10-bit RGB format (excluding Alpha).
  • The VAAPI driver mapping for iris and crocus DRI drivers.
  • The vaSyncBuffer function for output buffers synchronization.
  • The vaCopy interface to copy surface and buffer.
  • The LibVA Protected Content API for digital rights management (DRM) protected video.
  • The 3DLUT Filter in Video Processing, which maps input colors to new output values.


powerpc-utils rebased to version 1.3.10

The powerpc-utils package, which provides various utilities for a PowerPC platform, has been updated to version 1.3.10. Notable improvements include:

  • Added the capability to parsing the Power architecture platform reference (PAPR) information for energy and frequency in the ppc64_cpu tool.
  • Improved the lparstat utility to display enhanced error messages, when the lparstat -E command fails on max config systems. The lparstat command reports logical partition-related information.
  • Fixed reported online memory in legacy format in the lparstat command.
  • Added support for the acc command for changing the quality of service credits (QoS) dynamically for the NX GZIP accelerator.
  • Added improvements to format specifiers in printf() and sprintf() calls.
  • The hcnmgr utility, which provides the HMC tools to hybrid virtual network, includes following enhancements:

    • Added the wicked feature to the Hybrid Network Virtualization HNV FEATURE list. The hcnmgr utility supports wicked hybrid network virtualization (HNV) to use the wicked functions for bonding.
    • hcnmgr maintains an hcnid state for later cleanup.
    • hcnmgr excludes NetworkManager (NM) nmcli code.
    • The NM HNV primary slave setting was fixed.
    • hcnmgr supports the virtual Network Interface Controller (vNIC) as a backup device.
  • Fixed the invalid hexadecimal numbering system message in bootlist.
  • The -l flag included in kpartx utility as -p delimiter value in the bootlist command.
  • Fixes added to sslot utility to prevent memory leak when listing IO slots.
  • Added the DRC type description strings for the latest peripheral component interconnect express (PCIe) slot types in the lsslot utility.
  • Fixed the invalid config address to RTAS in errinjct tool.
  • Added support for non-volatile memory over fabrics (NVMf) devices in the ofpathname utility. The utility provides a mechanism for converting a logical device name to an open firmware device path and the other way round.
  • Added fixes to the non-volatile memory (NVMe) support in asymmetric namespace access (ANA) mode in the ofpathname utility.
  • Installed smt.state file as a configuration file.


opencryptoki rebased to version 3.18.0

The opencryptoki package, which is an implementation of the Public-Key Cryptography Standard (PKCS) #11, has been updated to version 3.18.0. Notable improvements include:

  • Default to Federal Information Processing Standards (FIPS) compliant token data format (tokversion = 3.12).
  • Added support for restricting usage of mechanisms and keys with a global policy.
  • Added support for statistics counting of mechanism usage.
  • The ICA/EP11 tokens now support libica library version 4.
  • The p11sak tool enables setting different attributes for public and private keys.
  • The C_GetMechanismList does not return CKR_BUFFER_TOO_SMALL in the EP11 token.

openCryptoki supports two different token data formats:

  • the earlier data format, which uses non-FIPS-approved algorithms (such as DES and SHA1)
  • the new data format, which uses FIPS-approved algorithms only.

The earlier data format no longer works because the FIPS provider allows the use of only FIPS-approved algorithms.


To make openCryptoki work on RHEL 8, migrate the tokens to use the new data format before enabling FIPS mode on the system. This is necessary because the earlier data format is still the default in openCryptoki 3.17. Existing openCryptoki installations that use the earlier token data format will no longer function when the system is changed to FIPS-enabled.

You can migrate the tokens to the new data format by using the pkcstok_migrate utility, which is provided with openCryptoki. Note that pkcstok_migrate uses non-FIPS-approved algorithms during the migration. Therefore, use this tool before enabling FIPS mode on the system. For additional information, see Migrating to FIPS compliance - pkcstok_migrate utility.


The Redfish modules are now part of the redhat.rhel_mgmt Ansible collection

The redhat.rhel_mgmt Ansible collection now includes the following modules:

  • redfish_info
  • redfish_command
  • redfish_config

With that, users can benefit from the management automation, by using the Redfish modules to retrieve server health status, get information about hardware and firmware inventory, perform power management, change BIOS settings, configure Out-Of-Band (OOB) controllers, configure hardware RAID, and perform firmware updates.


sysctl now matches the systemd directory order

The configuration directory order of the sysctl utility is now synchronized with the systemd-sysctl directory order. The configuration directory examines and changes kernel parameters at runtime. The configuration files in /etc/sysctl.d directory have higher priority than configuration files in /run/sysctl.d, and no more disruptions to the precedence of files between sysctl and systemd happen.


4.3. Infrastructure services

chrony rebased to version 4.2

The chrony suite has been updated to version 4.2. Notable enhancements over version 4.1 include:

  • The server interleaved mode has been improved to be more reliable and support multiple clients behind a single address translator (Network Address Translation - NAT).
  • Experimental support for the Network Time Protocol Version 4 (NTPv4) extension field has been added to improve time synchronization stability and precision of estimated errors. You can enable this field, which extends the capabilities of the protocol NTPv4, by using the extfield F323 option.
  • Experimental support for NTP forwarding over the Precision Time Protocol (PTP) has been added to enable full hardware timestamping on Network Interface Cards (NIC) that have timestamping limited to PTP packets. You can enable NTP over PTP by using the ptpport 319 directive.


unbound rebased to version 1.16.2

The unbound component has been updated to version 1.16.2. unbound is a validating, recursive, and caching DNS resolver. Notable improvements include:

  • With the ZONEMD Zone Verification with RFC 8976 support, recipients can now verify the zone contents for data integrity and origin authenticity.
  • With unbound, you can now configure persistent TCP connections.
  • The SVCB and HTTPS types and handling according to the Service binding and parameter specification via the DNS draft-ietf-dnsop-svcb-https document were added.
  • unbound takes the default TLS ciphers from crypto policies.
  • You can use a Special-Use Domain according to the RFC8375. This domain is designated for non-unique use in residential home networks.
  • unbound now supports selective enabling of tcp-upstream queries for stub or forward zones.
  • The default of aggressive-nsec option is now yes.
  • The ratelimit logic was updated.
  • You can use a new rpz-signal-nxdomain-ra option for unsetting the RA flag when a query is blocked by an Unbound response policy zone (RPZ) nxdomain reply.
  • With the basic support for Extended DNS Errors (EDE) according to the RFC8914, you can benefit from additional error information.


4.4. Security

NSS no longer support RSA keys shorter than 1023 bits

The update of the Network Security Services (NSS) libraries changes the minimum key size for all RSA operations from 128 to 1023 bits. This means that NSS no longer perform the following functions:

  • Generate RSA keys shorter than 1023 bits.
  • Sign or verify RSA signatures with RSA keys shorter than 1023 bits.
  • Encrypt or decrypt values with RSA key shorter than 1023 bits.


SCAP Security Guide rebased to 0.1.63

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.63. This version provides various enhancements and bug fixes, most notably:

  • New compliance rules for sysctl, grub2, pam_pwquality, and build time kernel configuration were added.
  • Rules hardening the PAM stack now use authselect as the configuration tool. Note: With this change the rules hardening the PAM stack will not be applied if the PAM stack was edited by other means.


SSG CIS profiles aligned to the CIS RHEL 8 benchmark 2.0.0

The SCAP Security Guide (SSG) now contains changes that align the Center for Internet Security (CIS) profiles with CIS Red Hat Enterprise Linux 8 Benchmark version 2.0.0. This version of the benchmark adds new requirements, removed requirements that are no longer relevant, and reordered some existing requirements. The update impacts the references in the relevant rules and the accuracy of the respective profiles.


The RHEL 8 STIG profile is now better aligned with the DISA STIG content

The DISA STIG for Red Hat Enterprise Linux 8 profile (xccdf_org.ssgproject.content_profile_stig) available in the scap-security-guide (SSG) package can be used to evaluate systems according to the Security Technical Implementation Guides (STIG) by the Defense Information Systems Agency (DISA). You can remediate your systems by using the content in SSG, but you might need to evaluate them using DISA STIG automated content. With this update, the DISA STIG RHEL 8 profile is better aligned with DISA’s content. This leads to fewer findings against DISA content after SSG remediation.

Note that the evaluations of the following rules still diverge:

  • SV-230264r627750_rule - CCE-80790-9 (ensure_gpgcheck_globally_activated)
  • SV-230349r833388_rule - CCE-82266-8 (configure_bashrc_exec_tmux)
  • SV-230311r833305_rule - CCE-82215-5 (sysctl_kernel_core_pattern)
  • SV-230546r833361_rule - CCE-80953-3 (sysctl_kernel_yama_ptrace_scope)
  • SV-230287r743951_rule - CCE-82424-3 (file_permissions_sshd_private_key)
  • SV-230364r627750_rule - CCE-82472-2 (accounts_password_set_min_life_existing)
  • SV-230343r743981_rule - CCE-86107-0 (account_passwords_pam_faillock_audit)


SSG rules for mount options no longer fail incorrectly if the /tmp and /var/tmp partitions do not exist

Previously, the SCAP Security Guide (SSG) rules for mount options of /tmp and /var/tmp partitions were incorrectly reporting the fail result if such partitions did not exist on the system.

This enhancement makes those rules not applicable instead of failing. Now, the rules fail only when the partition exists and the system does not have correct mount options.

If these mount options are essential for a particular policy, a rule that prescribes the existence of such partitions should be present in the profile, and that one rule should fail.


STIG security profile updated to version V1R7

The DISA STIG for Red Hat Enterprise Linux 8 profile in the SCAP Security Guide has been updated to align with the latest version V1R7.

The profile is more stable and better aligns with the RHEL 8 STIG (Security Technical Implementation Guide) manual benchmark provided by the Defense Information Systems Agency (DISA). This iteration brings updates to align the sysctl content to the new STIG.

You should use only the current version of this profile because older versions are no longer valid.


Automatic remediation might render the system non-functional. Run the remediation in a test environment first.


clevis-luks-askpass is now enabled by default

The /lib/systemd/system-preset/90-default.preset file now contains the enable clevis-luks-askpass.path configuration option and the installation of the clevis-systemd sub-package ensures that the clevis-luks-askpass.path unit file is enabled. This enables the Clevis encryption client to unlock also LUKS-encrypted volumes that mount late in the boot process. Before this update, the administrator must use the systemctl enable clevis-luks-askpass.path command to enable Clevis to unlock such volumes.


Added a maximum size option for Rsyslog error files

Using the new action.errorfile.maxsize option, you can specify a maximum number of bytes of the error file for the Rsyslog log processing system. When the error file reaches the specified size, Rsyslog cannot write any additional errors or other data in it. This prevents the error file from filling up the file system and making the host unusable.


fapolicyd rebased to 1.1.3

The fapolicyd packages have been upgraded to version 1.1.3. Notable improvements and bug fixes include:

  • Rules can now contain the new subject PPID attribute, which matches the parent PID (process ID) of a subject.
  • The OpenSSL library replaced the Libgcrypt library as a cryptographic engine for hash computations.
  • The fagenrules --load command now works correctly.


4.5. Networking

The save speed of large iptables rule sets has been improved

This enhancement optimizes the iptables-save utility to reduce the overhead when saving large rule sets. The utility has been improved when reading entries from the /etc/protocols file, and it no longer searches for extension shared object files in cases where this is not necessary. As a result, the run time of iptables-save has been significantly improved when you save large rule sets in environments with high storage access delays.


NetworkManager rebased to version 1.40

The NetworkManager packages have been upgraded to upstream version 1.40, which provides a number of enhancements and bug fixes over the previous version:

  • The device state files in the /run/NetworkManager/devices/ directory now have new sections, [dhcp4] and [dhcp6], which contain the DHCP options of the current lease.
  • NetworkManager supports setting an IPv6 Maximum Transmission Unit (MTU) in the ipv6.mtu property of connections.
  • NetworkManager uses the nm.debug kernel command line option to enable debug logging.
  • Carrier detection has been improved.
  • NetworkManager now restarts the DHCP client for a connection if the MAC address changes on a device.
  • Wifi hotspots now use a stable random channel number unless you select a specific channel.
  • NetworkManager now disables the Wi-Fi Protected Access 3 (WPA3) transition mode if you set the wifi.key-mgmt property to wpa-psk and the network interface does not support Protected Management Frames (PMF). The transition mode caused problems in certain setups in this scenario. To explicitly enable the WPA3 transitioning mode, set wifi.key-mgmt to sae.
  • NetworkManager now shortens an excessively long hostname received from a DHCP server to the first dot or to 64 characters.

For further information about notable changes, read the upstream release notes.


cloud-init updates network configuration at every boot on Microsoft Azure

Microsoft Azure does not change the instance ID when an administrator updates the network interface configuration while a VM is offline. With this enhancement, the cloud-init service always updates the network configuration when the VM boots to ensure that RHEL on Microsoft Azure uses the latest network settings.

As a consequence, if you manually configure settings on interfaces, such as an additional search domain, cloud-init may override them when you reboot the VM. For further details and a workaround, see the cloud-init-22.1-5 updates network config on every boot solution.


NetworkManger now stores DHCP lease information in the /run/NetworkManager/devices/ directory

NetworkManager now stores lease information from the DHCP server in the /run/NetworkManager/devices/ directory. Previously, the file-based API was not available and this information was only visible in the output of the nmcli -f all devices show DEVICE command. With this enhancement, other utilities and scripts can access DHCP options without calling nmcli.


4.6. Kernel

Kernel version in RHEL 8.7

Red Hat Enterprise Linux 8.7 is distributed with the kernel version 4.18.0-425.


The default mitigation of SSBD and STIBP has been changed

The default mitigation of the spec_store_bypass_disable (SSBD) and spectre_v2_user (STIBP) boot parameters has been changed from the seccomp mode to prctl. With this update, performance of containers and applications under the control of seccomp improves.


The vmcore dump file generates correctly on the debug kernel variant

With this update, the kdump mechanism now uses the same version of the non-debug kernel as the capture kernel when the current kernel is debug variant. By using a non-debug kernel as the capture kernel, kdump consumes less memory than the debug variant. As a result, kdump generates the vmcore file correctly and captures the memory contents of the crashed kernel.


Intel E800 devices now support iWARP and RoCE protocols

With this enhancement, you can now use the enable_iwarp and enable_roce devlink parameters to turn on and off iWARP or RoCE protocol support. With this mandatory feature, you can configure the device with one of the protocols. The Intel E800 devices do not support both protocols simultaneously on the same port.

To enable or disable the iWARP protocol for a specific E800 device, first obtain the PCI location of the card:

$ lspci | awk '/E810/ {print $1}'

Then enable, or disable, the protocol. You can use use pci/0000:44:00.0 for the first port, and pci/0000:44:00.1 for second port of the card as argument to the devlink command

$ devlink dev param set pci/0000:44:00.0 name enable_iwarp value true cmode runtime
$ devlink dev param set pci/0000:44:00.0 name enable_iwarp value false cmode runtime

To enable or disable the RoCE protocol for a specific E800 device, obtain the PCI location of the card as shown above. Then use one of the following commands:

$ devlink dev param set pci/0000:44:00.0 name enable_roce value true cmode runtime
$ devlink dev param set pci/0000:44:00.0 name enable_roce value false cmode runtime


4.7. Boot loader

GRUB is signed by new keys

Due to security reasons, GRUB is now signed with new keys. As a consequence, if you are using RHEL on the little-endian variant of IBM POWER with the Secure Boot feature enabled, you must update the firmware to version FW1010.30 (or later) or FW1020 to be able to boot.


Configurable disk access retries when booting a VM on IBM POWER

You can now configure how many times the GRUB boot loader retries accessing a remote disk when a logical partition (lpar) virtual machine (VM) boots on the IBM POWER architecture. Lowering the number of retries can prevent a slow boot in certain situations.

Previously, GRUB retried accessing disks 20 times when disk access failed at boot. This caused problems if you performed a Live Partition Mobility (LPM) migration on an lpar system that connected to slow Storage Area Network (SAN) disks. As a consequence, the boot might have taken very long on the system until the 20 retries finished.

With this update, you can now configure and decrease the number of disk access retries using the ofdisk_retries GRUB option. For details, see Configure disk access retries when booting a VM on IBM POWER.

As a result, the lpar boot is no longer slow after LPM on POWER, and the lpar system boots without the failed disks.


4.8. File systems and storage

nfsrahead has been added to RHEL 8

With the introduction of the nfsrahead tool, you can use it to modify the readahead value for NFS mounts, and thus affect the NFS read performance.


rpcctl command now displays SunRPC connection information

With this update, you can use the rpcctl command to display the information collected in the SunRPC sysfs files about the system’s SunRPC objects. You can show, remove, and set objects in the SunRPC network layer through the sysfs file system.


multipath.conf can now include protocol-specific configuration overrides in DM Multipath

You can access paths of multipath devices through various protocols. Because various protocols can have various optimal configurations, it was previously not possible to set the optimal configuration for all protocols in the Device Mapper Multipath feature without a per-protocol option. With this enhancement, you can include protocol-specific configuration overrides in the multipath.conf file. As a result, you can now configure multipath device paths on a per-protocol basis, allowing for the correct configuration of multipath devices accessible through multiple protocols.


multipathd now supports detecting FPIN-Li events

When you add a new value fpin for the marginal_pathgroups config option, you enable multipathd to monitor the Link Integrity Fabric Performance Impact Notification (PFIN-Li) events and move paths with link integrity issues to a marginal pathgroup. With the fpin value set, multipathd overrides its existing marginal path detection methods and relies on the Fibre Channel fabric to identify link integrity issues.

With this enhancement, the multipathd method becomes more robust in detecting marginal paths on Fibre Channel fabrics that can issue PFIN-Li events.


4.9. High availability and clusters

pcs command-line supports updating multipath SCSI devices without requiring a system restart

You can now update multipath SCSI devices with the pcs stonith update-scsi-devices command. This command updates SCSI devices without causing a restart of other cluster resources running on the same node.


Support for cluster UUID

During cluster setup, the pcs command now generates a UUID for every cluster. Since a cluster name is not a unique cluster identifier, you can use the cluster UUID to identify clusters with the same name when you administer multiple clusters.

You can display the current cluster UUID with the pcs cluster config [show] command. You can add a UUID to an existing cluster or regenerate a UUID if it already exists by using the pcs cluster config uuid generate command.


The multiple-active resource parameter now accepts a value of stop_unexpected

The multiple-active resource parameter determines recovery behavior when a resource is active on more than one node when it should not be. By default, this situation requires a full restart of the resource, even if the resource is running successfully where it should be. With this update, the multiple-active resource parameter accepts a value of stop_unexpected, which allows you to specify that only unexpected instances of a multiply-active resource are stopped. It is the user’s responsibility to verify that the service and its resource agent can function with extra active instances without requiring a full restart.


New allow-unhealthy-node Pacemaker resource meta-attribute

Pacemaker now supports the allow-unhealthy-node resource meta-attribute. When this meta-attribute is set to true, the resource is not forced off a node due to degraded node health. When health resources have this attribute set, the cluster can automatically detect if the node’s health recovers and move resources back to it.


Support for High Availability on Red Hat OpenStack platform

You can now configure a high availability cluster on the Red Hat OpenStack platform. In support of this feature, Red Hat provides the following new cluster agents:

  • fence_openstack: fencing agent for HA clusters on OpenStack
  • openstack-info: resource agent to configure the openstack-info cloned resource, which is required for an HA cluster on OpenStack
  • openstack-virtual-ip: resource agent to configure a virtual IP address resource
  • openstack-floating-ip: resource agent to configure a floating IP address resource
  • openstack-cinder-volume: resource agent to configure a block storage resource


Pacemaker now supports specifying Access Control Lists (ACLs) for system groups

Pacemaker previously allowed ACLs to be specified for individual users, but it is sometimes simpler and would comform better with local policies to specify ACLs for a system group, and to have them apply to all users in that group. The pcs acl group command was present in earlier releases but had no effect. Now, users can now specify ACLs for a system group using this command.


New pcs stonith config command option to display the pcs commands that re-create configured fence devices

The pcs stonith config command now accepts the --output-format=cmd option. Specifying this option displays the pcs commands you can use to re-create configured fence devices on a different system.


New pcs resource config command option to display the pcs commands that re-create configured resources

The pcs resource config command now accepts the --output-format=cmd option. Specifying this option displays the pcs commands you can use to re-create configured resources on a different system.


4.10. Dynamic programming languages, web and database servers

The nodejs:18 module stream is now fully supported

The nodejs:18 module stream, previously available as a Technology Preview, is fully supported with the release of the RHSA-2022:8833 advisory. The nodejs:18 module stream now provides Node.js 18.12, which is a Long Term Support (LTS) version.

Node.js 18 included in RHEL 8.7 provides numerous new features together with bug and security fixes over Node.js 16 available since RHEL 8.5.

Notable changes include:

  • The V8 engine has been upgraded to version 10.2.
  • The npm package manager has been upgraded to version 8.18.0.
  • Node.js now provides a new experimental fetch API.
  • Node.js now provides a new experimental node:test module, which facilitates the creation of tests that report results in the Test Anything Protocol (TAP) format.
  • Node.js now prefers IPv6 addresses over IPv4.

To install the nodejs:18 module stream, use:

# yum module install nodejs:18

If you want to upgrade from the nodejs:16 stream, see Switching to a later stream.


nodejs:18 rebased to version 18.14 with npm rebased to version 9

Node.js 18.14, released in RHSA-2023:1583, includes a SemVer major upgrade of npm from version 8 to version 9. This update was necessary due to maintenance reasons and may require you to adjust your npm configuration.

Notably, auth-related settings that are not scoped to a specific registry are no longer supported. This change was made for security reasons. If you used unscoped authentication configurations, the supplied token was sent to every registry listed in the .npmrc file.

If you use unscoped authentication tokens, generate and supply registry-scoped tokens in your .npmrc file.

If you have configuration lines using _auth, such as // in your .npmrc files, replace them with //${NPM_TOKEN} and supply the scoped token that you generated.

For a complete list of changes, see the upstream changelog.


A new module stream: ruby:3.1

RHEL 8.7 introduces Ruby 3.1.2 in a new ruby:3.1 module stream. This version provides a number of performance improvements, bug and security fixes, and new features over Ruby 3.0 distributed with RHEL 8.5.

Notable enhancements include:

  • The Interactive Ruby (IRB) utility now provides an autocomplete feature and a documentation dialog
  • A new debug gem, which replaces lib/debug.rb, provides improved performance, and supports remote debugging and multi-process/multi-thread debugging
  • The error_highlight gem now provides a fine-grained error location in the backtrace
  • Values in the hash literal data types and keyword arguments can now be omitted
  • The pin operator (^) now accepts an expression in pattern matching
  • Parentheses can now be omitted in one-line pattern matching
  • YJIT, a new experimental in-process Just-in-Time (JIT) compiler, is now available on the AMD and Intel 64-bit architectures
  • The TypeProf For IDE utility has been introduced, which is an experimental static type analysis tool for Ruby code in IDEs

The following performance improvements have been implemented in Method Based Just-in-Time Compiler (MJIT):

  • For workloads like Rails, the default maximum JIT cache value has increased from 100 to 10000
  • Code compiled using JIT is no longer canceled when a TracePoint for class events is enabled

Other notable changes include:

  • The tracer.rb file has been removed
  • Since version 4.0, the Psych YAML parser uses the safe_load method by default

To install the ruby:3.1 module stream, use:

# yum module install ruby:3.1

If you want to upgrade from an earlier ruby module stream, see Switching to a later stream.


A new module stream: mercurial:6.2

RHEL 8.7 adds Mercurial 6.2 as a new module stream. This version provides a number of bug fixes, enhancements, and performance improvements over Mercurial 4.8 available since RHEL 8.0.

Notable changes include:

  • Mercurial 6.2 supports Python 3.6 or later
  • Mercurial no longer supports Python 2
  • The hg purge and hg clean commands now provide a new -i option, which enables you to delete ignored files instead of untracked files
  • The hg diff and hg extdiff commands now support the --from <revision> and --to <revision> arguments
  • A new internal merge utility, internal:mergediff, is now available
  • The Zstandard (ZSTD) compression is now used by default for new repositories when available
  • A new way of specifying required extensions is now available that prevents Mercurial from starting if the required extensions are not found

In addition, a new mercurial-chg utility is available, which provides a C wrapper for the hg command. When you use the chg command, a Mercurial command server background process is created, a C program connects to that background process and executes Mercurial commands. As a result, the performance is significantly increased.

To install the mercurial:6.2 module stream, use:

# yum module install mercurial:6.2

If you want to upgrade from the mercurial:4.8 stream, see Switching to a later stream.


mariadb-java-client rebased to version 2.7.1

The mariadb-java-client package, which provides a MariaDB connector for applications developed in Java, has been updated to version 2.7.1.

This update introduces the following changes in services:

  • Client authentication plug-ins are now defined as services. As a result, you can easily add new client authentication plug-ins. The driver includes the caching_sha2_password and sha256_password plug-ins for compatibility with MySQL.
  • Credential plug-ins are now permitted to provide credential information. The driver includes three default plug-ins: AWS IAM, Environment, and Property.
  • The SSL factory service now enables you to use custom SSL implementation. For example, you can create a new HostnameVerifier implementation.

Other notable changes include:

  • The enabledSslProtocolSuites option now includes TLSv1.2 by default.


redis rebased to version 6.2.7

Redis 6, which is an advanced key-value store provided the redis:6 module stream, has been updated to version 6.2.7. This update provides bug fixes, security fixes, and improvements over version 6.0 available since RHEL 8.4.


A new default for the LimitRequestBody directive in httpd configuration

To fix CVE-2022-29404, the default value for the LimitRequestBody directive in the Apache HTTP Server has been changed from 0 (unlimited) to 1 GiB.

On systems where the value of LimitRequestBody is not explicitly specified in an httpd configuration file, updating the httpd package sets LimitRequestBody to the default value of 1 GiB. As a consequence, if the total size of the HTTP request body exceeds this 1 GiB default limit, httpd returns the 413 Request Entity Too Large error code.

If the new default allowed size of an HTTP request message body is insufficient for your use case, update your httpd configuration files within the respective context (server, per-directory, per-file, or per-location) and set your preferred limit in bytes. For example, to set a new 2 GiB limit, use:

LimitRequestBody 2147483648

Systems already configured to use any explicit value for the LimitRequestBody directive are unaffected by this change.


4.11. Compilers and development tools

New GCC Toolset 12

GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

The GCC compiler has been updated to version 12.1.1, which provides many bug fixes and enhancements that are available in upstream GCC.

The following tools and versions are provided by GCC Toolset 12:












To install GCC Toolset 12, run the following command as root:

# yum install gcc-toolset-12

To run a tool from GCC Toolset 12:

$ scl enable gcc-toolset-12 tool

To run a shell session where tool versions from GCC Toolset 12 override system versions of these tools:

$ scl enable gcc-toolset-12 bash

For more information, see Using GCC Toolset.


GCC Toolset 12: Annobin rebased to version 10.76

In GCC Toolset 12, the Annobin package has been updated to version 10.76.

Notable bug fixes and enhancements include:

  • A new command line option for annocheck tells it to avoid using the debuginfod service, if it is unable to find debug information in another way. Using debuginfod provides annocheck with more information, but it can also cause significant slow downs in annocheck’s performance if the debuginfod server is unavailable.
  • The Annobin sources can now be built using meson and ninja rather than configure and make if desired.
  • Annocheck now supports binaries built by the Rust 1.18 compiler.

Additionally, the following known issue has been reported in the GCC Toolset 12 version of Annobin:

Under some circumstances it is possible for a compilation to fail with an error message that looks similar to the following:

cc1: fatal error: inaccessible plugin file
expanded from short plugin name gcc-annobin: No such file or directory

To work around the problem, create a symbolic link in the plugin directory from to

# cd /opt/rh/gcc-toolset-12/root/usr/lib/gcc/architecture-linux-gnu/12/plugin
# ln -s

Where architecture is replaced with the architecture being used:

  • aarch64
  • i686
  • ppc64le
  • s390x
  • x86_64


GCC Toolset 12: binutils rebased to version 2.38

In GCC Toolset 12, the binutils package has been updated to version 2.38.

Notable bug fixes and enhancements include:

  • All tools in the binutils package now support options to display or warn about the presence of multibyte characters.
  • The readelf and objdump tools now automatically follow any links to separate debuginfo files by default. This behavior can be disabled by using the --debug-dump=no-follow-links option for readelf or the --dwarf=no-follow-links option for objdump.


GCC 12 and later supports _FORTIFY_SOURCE level 3

With this enhancement, users can build applications with -D_FORTIFY_SOURCE=3 in the compiler command line when building with GCC version 12 or later. _FORTIFY_SOURCE level 3 improves coverage of source code fortification, thus improving security for applications built with -D_FORTIFY_SOURCE=3 in the compiler command line. This is supported in GCC versions 12 and later and Clang versions 9.0 and later with the __builtin_dynamic_object_size builtin.


DNS stub resolver option now supports no-aaaa option

With this enhancement, glibc now recognizes the no-aaaa stub resolver option in /etc/resolv.conf and the RES_OPTIONS environment variable. When this option is active, no AAAA queries will be sent over the network. System administrators can disable AAAA DNS lookups for diagnostic purposes, such as ruling out that the superfluous lookups on IPv4-only networks do not contribute to DNS issues.


Added support for IBM Z Series z16 in glibc

The support is now available for the s390 instruction set with the IBM z16 platform in glibc. IBM z16 provides two additional hardware capabilities that are HWCAP_S390_VXRS_PDE2 and HWCAP_S390_NNPA. As a result, applications can now use these capabilities to deliver optimized libraries and functions.


New make-latest package

This enhancement introduces the make-latest package which includes the latest version of the make utility. Previously, we provided the latest make version through GCC Toolset. Now, you can separately install the make-latest package and run the latest version with scl enable make43 /bin/bash (in case the make43 version is the latest).


GCC Toolset 12: GDB rebased to version 11.2

In GCC Toolset 12, the GDB package has been updated to version 11.2.

Notable bug fixes and enhancements include:

  • New support for Aarch64 MTE. See new commands with the memory-tag prefix.
  • --qualified option for -break-insert and -dprintf-insert. This option looks for an exact match of the user’s event location instead of searching in all scopes.

    For example, break --qualified foo will look for a symbol named foo in the global scope. Without --qualified, GDB will search all scopes for a symbol with that name.

  • --force-condition: Any supplied condition is defined even if it is currently invalid.
  • -break-condition --force: Likewise for the MI command.
  • -file-list-exec-source-files accepts optional REGEXP to limit output.
  • .gdbinit search path includes the config directory. The order is:

    1. $XDG_CONFIG_HOME/gdb/gdbinit
    2. $HOME/.config/gdb/gdbinit
    3. $HOME/.gdbinit
  • Support for ~/.config/gdb/gdbearlyinit or ~/.gdbearlyinit.
  • -eix and -eiex early initialization file options.

Terminal user interface (TUI):

  • Support for mouse actions inside terminal user interface (TUI) windows.
  • Key combinations that do not act on the focused window are now passed to GDB.

New commands:

  • show print memory-tag-violations
  • set print memory-tag-violations
  • memory-tag show-logical-tag
  • memory-tag with-logical-tag
  • memory-tag show-allocation-tag
  • memory-tag check
  • show startup-quietly and set startup-quietly: A way to specify -q or -quiet in GDB scripts. Only valid in early initialization files.
  • show print type hex and set print type hex: Tells GDB to print sizes or offsets for structure members in hexadecimal instead of decimal.
  • show python ignore-environment and set python ignore-environment: If enabled, GDB’s Python interpreter ignores Python environment variables, much like passing -E to the Python executable. Only valid in early initialization files.
  • show python dont-write-bytecode and set python dont-write-bytecode: If off, these commands suppress GDB’s Python interpreter from writing bytecode compiled objects of imported modules, much like passing -B to the Python executable. Only valid in early initialization files.

Changed commands:

  • break LOCATION if CONDITION: If CONDITION is invalid, GDB refuses to set a breakpoint. The -force-condition option overrides this.
  • CONDITION -force N COND: Same as the previous command.
  • inferior [ID]: When ID is omitted, this command prints information about the current inferior. Otherwise, unchanged.
  • ptype[/FLAGS] TYPE | EXPRESSION: Use the /x flag to use hexadecimal notation when printing sizes and offsets of struct members. Use the /d flag to do the same but using decimal.
  • info sources: Output has been restructured.

Python API:

  • Inferior objects contain a read-only connection_num attribute.
  • New gdb.Frame.level() method.
  • New gdb.PendingFrame.level() method.
  • gdb.BreakpoiontEvent emitted instead of gdb.Stop.


libpfm now supports AMD Zen 2 and Zen 3 processors

With this enhancement, users now can access the AMD Zen 2 and Zen 3 performance monitoring hardware using libpfm.


papi now supports AMD Zen 2 and Zen 3 processors

With this enhancement, users now can access the AMD Zen 2 and Zen 3 performance monitoring hardware using papi.


Improved hardware identification for ARM processors

With this enhancement, the papi_avail utility now correctly reports the vendor string and code information for various ARM vendors. This utility allows the PAPI_get_hardware_info() function to identify processors manufactured by companies other than ARM limited to the aarch64 architecture. As a result, developers can tune the code for the required architecture.


Updated Fujitsu A64FX event mappings

The PAPI library has been updated for Fujitsu A64FX processors. Users can now use additional presets in the output of papi_avail that can be used to analyze program performance.

These include the IDL event presets:

Branch unit idle
Integer unit idle
Floating point unit idle
Load store unit idle


The dyninst packaged rebased to version 12.1

The dyninst package has been rebased to version 12.1. Notable bug fixes and enhancements include:

  • Initial support for glibc-2.35 multiple namespaces.
  • Concurrency fixes for DWARF parallel parsing.
  • Better support for the CUDA and CDNA2 GPU binaries.
  • Better support for IBM POWER Systems (little endian) register access.
  • Better support for PIE binaries.
  • Corrected parsing for catch blocks.
  • Corrected access to 64-bit ARM (aarch64) floating point registers.


The systemtap package rebased to version 4.7

The systemtap package has been rebased to version 4.7. Notable bug fixes and enhancements include:

  • A new --sign-module option to manually sign modules with a MOK key, for use on SecureBoot systems.
  • A new stap-profile-annotate tool to produce system-wide profiles of annotated source code.
  • A new general Python tapset for probing function entry and return.
  • Extended $foo$ processing for kernel-space probes for strings that may be in user-space.
  • Extended the regular-expression language for non-capturing groups.
  • Added tapset support for several recently added kernel system calls.


Rust Toolset rebased to version 1.62.1

Rust Toolset has been updated to version 1.62.1. Notable changes include:

  • Destructuring assignment allows patterns to assign to existing variables in the left-hand side of an assignment. For example, a tuple assignment can swap to variables: (a, b) = (b, a);
  • Inline assembly is now supported on 64-bit x86 and 64-bit ARM using the core::arch::asm! macro. See more details in the Inline assembly chapter of the reference, /usr/share/doc/rust/html/reference/inline-assembly.html (online at
  • Enums can now derive the Default trait with an explicitly annotated #[default] variant.
  • Mutex, CondVar, and RwLock now use a custom futex-based implementation rather than pthreads, with new optimizations made possible by Rust language guarantees.
  • Rust now supports custom exit codes from main, including user-defined types that implement the newly-stabilized Termination trait.
  • Cargo supports more control over dependency features. The dep: prefix can refer to an optional dependency without exposing that as a feature, and a ? only enables a dependency feature if that dependency is enabled elsewhere, like package-name?/feature-name.
  • Cargo has a new cargo add subcommand for adding dependencies to Cargo.toml.
  • For more details, please see the series of upstream release announcements:


LLVM Toolset rebased to version 14.0.6

LLVM Toolset has been rebased to version 14.0.6. Notable changes include:

  • On 64-bit x86, support for AVX512-FP16 instructions has been added.
  • Support for the Armv9-A, Armv9.1-A and Armv9.2-A architectures has been added.
  • On PowerPC, added the __ibm128 type to represent IBM double-double format, also available as __attribute__((mode(IF))).

clang changes:

  • if consteval for C++2b is now implemented.
  • On 64-bit x86, support for AVX512-FP16 instructions has been added.
  • Completed support of OpenCL C 3.0 and C++ for OpenCL 2021 at experimental state.
  • The -E -P preprocessor output now always omits blank lines, matching GCC behavior. Previously, up to 8 consecutive blank lines could appear in the output.
  • Support -Wdeclaration-after-statement with C99 and later standards, and not just C89, matching GCC’s behavior. A notable use case is supporting style guides that forbid mixing declarations and code, but want to move to newer C standards.

For more information, see the LLVM Toolset and Clang upstream release notes.


Go Toolset rebased to version 1.18.2

Go Toolset has been rebased to version 1.18.2.

Notable changes include:

  • The introduction of generics while maintaining backwards compatibility with earlier versions of Go.
  • A new fuzzing library.
  • New debug/buildinfo and net/netip packages.
  • The go get tool no longer builds or installs packages. Now, it only handles dependencies in go.mod.
  • If the main module’s go.mod file specifies go 1.17 or higher, the go mod download command used without any additional arguments only downloads source code for the explicitly required modules in the main module’s go.mod file. To also download source code for transitive dependencies, use the go mod download all command.
  • The go mod vendor subcommand now supports a -o option to set the output directory.
  • The go mod tidy command now retains additional checksums in the go.sum file for modules whose source code is required to verify that only one module in the build list provides each imported package. This change is not conditioned on the Go version in the main module’s go.mod file.


The LLVM gold plugin is now available on the IBM Z architecture

With this enhancement, users can create LTO builds with clang and ld.bfd on the IBM Z (s390x) architecture. The s390x architecture now supports linking with ld.bfd and LTO.


A new module stream: maven:3.8

RHEL 8.7 introduces Maven 3.8 as a new module stream.

To install the maven:3.8 module stream, use:

# yum module install maven:3.8

If you want to upgrade from the maven:3.6 stream, see Switching to a later stream.

(BZ#2083114, BZ#2064785, BZ#2088473)

.NET version 7.0 is available

Red Hat Enterprise Linux 8.7 is distributed with .NET version 7.0. Notable improvements include:

  • Support for IBM Power (ppc64le)

For more information, see Release Notes for .NET 7.0 RPM packages and Release Notes for .NET 7.0 containers.


4.12. Identity Management

SSSD now supports memory caching for SID requests

With this enhancement, SSSD now supports memory caching for SID requests, which are GID and UID lookups by SID and vice versa. Memory caching results in improved performance, for example, when copying large amounts of files to or from a Samba server.


IdM now supports configuring an AD Trust with Windows Server 2022

With this enhancement, you can establish a cross-forest trust between Identity Management (IdM) domains and Active Directory forests that use Domain Controllers running Windows Server 2022.


IdM now supports a limit on the number of LDAP binds allowed after a user password has expired

With this enhancement, you can set the number of LDAP binds allowed when the password of an Identity Management (IdM) user has expired:

IdM grants the user unlimited LDAP binds before the user must reset the password. This is the default value, which matches the previous behavior.
This value disables all LDAP binds once a password is expired. In effect, the users must reset their password immediately.
The value entered allows exactly that many binds post-expiration.

The value can be set in the global password policy and in group policies.

Note that the count is stored per server.

In order for a user to reset their own password they need to bind with their current, expired password. If the user has exhausted all post-expiration binds, then the password must be administratively reset.


IdM now indicates whether a given name is a user or a group in a trusted AD domain during a name search

With this update, new getorigbyusername() and getorigbygroupname() calls are added to libsss_nss_idmap, a utility library for SID-based lookups. This addition makes user and group lookup more robust when Identity Management (IdM) is in a trust with an Active Directory (AD) domain. When performing a user or group lookup, IdM can now display whether the given name belongs to a user or a group in the trusted domain.


New ipasmartcard_server and ipasmartcard_client roles

With this update, the ansible-freeipa package provides Ansible roles to configure Identity Management (IdM) servers and clients for smart card authentication. The ipasmartcard_server and ipasmartcard_client roles replace the ipa-advise scripts to automate and simplify the integration. The same inventory and naming scheme are used as in the other ansible-freeipa roles.


samba rebased to version 4.16.1

The samba packages have been upgraded to upstream version 4.16.1, which provides bug fixes and enhancements over the previous version:

  • By default, the smbd process automatically starts the new samba-dcerpcd process on demand to serve Distributed Computing Environment / Remote Procedure Calls (DCERPC). Note that Samba 4.16 and later always requires samba-dcerpcd to use DCERPC. If you disable the rpc start on demand helpers setting in the [global] section in the /etc/samba/smb.conf file, you must create a systemd service unit to run samba-dcerpcd in standalone mode.
  • The Cluster Trivial Database (CTDB) recovery master role has been renamed to leader. As a result, the following ctdb sub-commands have been renamed:

    • recmaster to leader
    • setrecmasterrole to setleaderrole
  • The CTDB recovery lock configuration has been renamed to cluster lock.
  • CTDB now uses leader broadcasts and an associated timeout to determine if an election is required.

Note that the server message block version 1 (SMB1) protocol is deprecated since Samba 4.11 and will be removed in a future release.

Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Note that Red Hat does not support downgrading tdb database files.

After updating Samba, verify the /etc/samba/smb.conf file using the testparm utility.

For further information about notable changes, read the upstream release notes before updating.


SSSD now supports direct integration with Windows Server 2022

With this enhancement, you can use SSSD to directly integrate your RHEL system with Active Directory forests that use Domain Controllers running Windows Server 2022.


Directory Server now supports canceling the Auto Membership plug-in task.

Previously, the Auto Membership plug-in task could generate high CPU usage on the server if Directory Server has complex configuration (large groups, complex rules and interaction with other plugins). With this enhancement, you can cancel the Auto Membership plug-in task. As a result, performance issues no longer occur.


Directory Server now supports recursive delete operations when using ldapdelete

With this enhancement, Directory Server now supports the Tree Delete Control [1.2.840.113556.1.4.805] OpenLDAP control. As a result, you can use the ldapdelete utility to recursively delete subentries of a parent entry.


You can now set basic replication options during the Directory Server installation

With this enhancement, you can configure basic replication options like authentication credentials and changelog trimming during an instance installation using an .inf file.


Replication changelog trimming is now enabled by default in Directory Server

Previously, Directory Server was not configured to automatically trim the replication changelog file by default. Consequently, the changelog file could become very large. With this update, Directory Server is configured by default to trim changelog entries that are older than seven days, preventing excessive growth of the changelog file.


pki packages renamed to idm-pki

The following pki packages are now renamed to idm-pki to better distinguish between IDM packages and Red Hat Certificate System ones:

  • idm-pki-symkey
  • idm-pki-tools
  • idm-pki-symkey-debuginfo
  • idm-pki-tools-debuginfo
  • idm-pki-acme
  • idm-pki-base
  • idm-pki-base-java
  • idm-pki-ca
  • idm-pki-kra
  • idm-pki-server
  • python3-idm-pki

pki-core stays unchanged (this also includes pki-core-debuginfo and pki-core-debugsource).


4.13. Graphics infrastructures

Vulkan packages are available on 64-bit IBM POWER

Packages that provide support for the Vulkan 3D graphics API are now available on the little-endian 64-bit IBM POWER architecture (ppc64le):

  • vulkan-headers
  • vulkan-loader
  • vulkan-loader-devel
  • vulkan-tools

With these packages, you can run software that uses a Vulkan rendering engine.

Previously, these packages were only available on the AMD64 and Intel 64 architecture.


Support for new AMD GPUs

This release adds support for several AMD Radeon RX 6000 Series GPUs and integrated graphics of the AMD Ryzen 6000 Series CPUs.

The following AMD Radeon RX 6000 Series GPU models are now supported:

  • AMD Radeon RX 6400
  • AMD Radeon RX 6500 XT
  • AMD Radeon RX 6300M
  • AMD Radeon RX 6500M

AMD Ryzen 6000 Series includes integrated GPUs found with the following CPU models:

  • AMD Ryzen 5 6600U
  • AMD Ryzen 5 6600H
  • AMD Ryzen 5 6600HS
  • AMD Ryzen 7 6800U
  • AMD Ryzen 7 6800H
  • AMD Ryzen 7 6800HS
  • AMD Ryzen 9 6900HS
  • AMD Ryzen 9 6900HX
  • AMD Ryzen 9 6980HS
  • AMD Ryzen 9 6980HX


The force_probe option is no longer required with 12th Gen Intel Core GPUs

Prior to this release, you had to set the i915.alpha_support=1 or i915.force_probe=* kernel option to enable support for the 12th Gen Intel Core GPUs, formerly known as Alder Lake-S and Alder Lake-P.

With this release, you no longer have to set the option, and full support for these GPUs is enabled by default.


4.14. The web console

RHEL web console now features RHEL as an option for the Download an OS VM workflow

With this enhancement, the RHEL web console now supports the installation of RHEL virtual machines (VMs) using the default Download an OS workflow. As a result, you can download and install the RHEL OS as a VM directly within the web console.


A new button in RHEL web console for installing kernel patches separately

With this update, the RHEL web console provides the Install kpatch updates button. You can use it to install only kernel patches without the necessity to install other updates and reboot your system.


The diagnostics reports page now offers new functionalities

In the updated web console diagnostics report (sos report) page you now can:

  • label the report
  • encrypt the report with a passphrase
  • conceal private data within the report

Additionally, you can see a list of previously generated reports and download or delete them.


Crypto policies setup from the web console UI

With this update, you can change different cryptographic policy levels directly from the RHEL web console user interface (UI). You can access your cryptographic policy configuration options from the Configuration field in the Overview page of your UI.

Note that you must have the administrative access active to be able to change the settings.


Update progress page in the web console now supports an automatic restart option

The update progress page now has a Reboot after completion switch. This reboots the system automatically after installing the updates.


4.15. Red Hat Enterprise Linux System Roles

The ha_cluster RHEL System Role now supports SBD fencing and configuration of Corosync settings

The ha_cluster System Role now supports the following features:

SBD fencing
Fencing is a crucial part of HA cluster configuration. SBD provides a means for nodes to reliably self-terminate when fencing is required. SBD fencing can be particularly useful in environments where traditional fencing mechanisms are not possible. It is now possible to configure SBD fencing with the ha_cluster System Role.
Corosync settings
The ha_cluster System role now supports the configuration of Corosync settings, such as transport, compression, encryption, links, totem, and quorum. These settings are required to match cluster configuration with customers' needs and environment when the default settings are not suitable.

(BZ#2065339, BZ#2066868)

Users can create connections with IPoIB capability using the network RHEL System Role

The infiniband connection type of the network RHEL System Role now supports the Internet Protocol over Infiniband (IPoIB) capability. To enable this feature, define a value to the p_key option of infiniband. Note that if you specify p_key, the interface_name option of the network_connections variable must be left unset. The previous implementation of the network RHEL System Role did not properly validate the p_key value and the interface_name option for the infiniband connection type. Therefore, the IPoIB functionality never worked before. For more information, see a README file in the /usr/share/doc/rhel-system-roles/network/ directory.


The network RHEL System Role now configures network settings for routing rules

Previously, you could route the packet based on the destination address field in the packet, but you could not define the source routing and other policy routing rules. With this enhancement, network RHEL System Role supports routing rules so that the users have control over the packet transmission or route selection.


The Networking System Role now uses the Ansible managed comment in its managed configuration files

When using the initscripts provider, the Networking System Role now generates commented ifcfg files in the /etc/sysconfig/network-scripts directory. The Networking role inserts the Ansible managed comment using the Ansible standard ansible_managed variable. The comment declares that an ifcfg file is managed by Ansible, and indicates that the ifcfg file should not be edited directly as the Networking role will overwrite the file. The Ansible managed comment is added when the provider is initscripts. When using the Networking role with the nm (NetworkManager) provider, the ifcfg file is managed by NetworkManager and not by the Networking role.


The new previous:replaced configuration enables firewall System Role to reset the firewall settings to default

System administrators who manage different sets of machines, where each machine has different pre-existing firewall settings, can now use the previous: replaced configuration in the firewall role to ensure that all machines have the same firewall configuration settings. The previous: replaced configuration can erase all the existing firewall settings and replace them with consistent settings.


Enhanced Microsoft SQL Server RHEL System Role

The following new variables are now available for the microsoft.sql.server RHEL System Role:

  • Variables with the mssql_ha_ prefix to control configuring a high availability cluster.
  • The mssql_tls_remote_src variable to search for mssql_tls_cert and mssql_tls_private_key values on managed nodes. If you keep the default false setting, the role searches for these files on the control node.
  • The mssql_manage_firewall variable to manage firewall ports automatically. If this variable is set to false, you must enable firewall ports manually.
  • The mssql_pre_input_sql_file and mssql_post_input_sql_file variables to control whether you want to run the SQL scripts before the role execution or after it. These new variables replace the former mssql_input_sql_file variable, which did not allow you to influence the time of SQL script execution.

(BZ#2066338, BZ#2120713, BZ#2039990, BZ#2120714)

The logging RHEL System Role supports options startmsg.regex and endmsg.regex in files inputs

With this enhancement, you can now filter log messages coming from files by using regular expressions. Options startmsg_regex and endmsg_regex are now included in the files’ input. The startmsg_regex represents the regular expression that matches the start part of a message, and the endmsg_regex represents the regular expression that matches the last part of a message. As a result, you can now filter messages based upon properties such as date-time, priority, and severity.


Support for thinly provisioned volumes is available in the storage RHEL System Role

The storage RHEL System Role can now create and manage thinly provisioned LVM logical volumes. Thin provisioned LVs are allocated as they are written, allowing better flexibility when creating volumes as physical storage provided for thin provisioned LVs can be increased later as the need arises. LVM thin provisioning also allows creating more efficient snapshots because the data blocks common to a thin LV and any of its snapshots are shared.


The logging RHEL System Role now supports template, severity and facility options

The logging RHEL System Role now features new useful severity and facility options to the files inputs as well as a new template option to the files and forwards outputs. Use the template option to specify the traditional time format by using the parameter traditional, the syslog protocol 23 format by using the parameter syslog, and the modern style format by using the parameter modern. As a result, you can now use the logging role to filter by the severity and facility as well as to specify the output format by template.


RHEL System Roles now available also in playbooks with fact gathering disabled

Ansible fact gathering might be disabled in your environment for performance or other reasons. Previously, it was not possible to use RHEL System Roles in such configurations. With this update, the system detects the ANSIBLE_GATHERING=explicit parameter in your configuration and gather_facts: false parameter in your playbooks, and use the setup: module to gather only the facts required by the given role, if not available from the fact cache.


If you have disabled Ansible fact gathering due to performance, you can enable Ansible fact caching instead, which does not cause a performance hit of retrieving them from source.


The sshd RHEL System Role verifies the include directive for the drop-in directory

The sshd RHEL System Role on RHEL 9 manages only a file in the drop-in directory, but previously did not verify that the directory is included from the main sshd_config file. With this update, the role verifies that sshd_config contains the include directive for the drop-in directory. As a result, the role more reliably applies the provided configuration.


The sshd RHEL System Role can be managed through /etc/ssh/sshd_config

The sshd RHEL System Role applied to a RHEL 9 managed node places the SSHD configuration in a drop-in directory (/etc/ssh/sshd_config.d/00-ansible_system_role.conf by default). Previously, any changes to the /etc/ssh/sshd_config file overwrote the default values in 00-ansible_system_role.conf. With this update, you can manage SSHD by using /etc/ssh/sshd_config instead of 00-ansible_system_role.conf while preserving the system default values in 00-ansible_system_role.conf.


The firewall RHEL System Role does not require the state parameter when configuring masquerade or icmp_block_inversion

When configuring custom firewall zones, variables masquerade and icmp_block_inversion are boolean settings. A value of true implies state: present and a value of false implies state: absent. Therefore, the state parameter is not required when configuring masquerade or icmp_block_inversion.


The metrics role can export postfix performance data

You can now use the new metrics_from_postfix boolean variable in the metrics role for recording and detailed performance analysis. With this enhancement, setting the variable enables the pmdapostfix metrics agent on the system, making statistics about postfix available.


The storage System Role now has less verbosity by default

The storage role output is now less verbose by default. With this update, users can increase the verbosity of the storage role output to only produce debugging output if they are using Ansible verbosity level 1 or above.


The metrics System Role now generates files with the proper ansible_managed comment in the header

Previously, the metrics role did not add an ansible_managed header comment to files generated by the role. With this fix, the metrics role adds the ansible_managed header comment to files it generates, and as a result, users can easily identify files generated by the metrics role.


The postfix System Role now generates files with the proper ansible_managed comment in the header

Previously, the postfix role did not add an ansible_managed header comment to files generated by the role. With this fix, the postfix role adds the ansible_managed header comment to files it generates, and as a result, users can easily identify files generated by the postfix role.


New option in the postfix RHEL System Role for overwriting previous configuration

If you manage a group of systems which have inconsistent postfix configurations, you may want to make the configuration consistent on all of them. With this enhancement, you can specify the previous: replaced option within the postfix_conf dictionary to remove any existing configuration and apply the desired configuration on top of a clean postfix installation. As a result, you can erase any existing postfix configuration and ensure consistency on all the systems being managed.


You can now add, update, or remove services using absent and present states in the firewall RHEL System Role

With this enhancement, you can use the present state to add ports, modules, protocols, services, and destination addresses, or use the absent state to remove them. Note that to use the absent and present states in the firewall RHEL System Role, set the permanent option to true. With the permanent option set to true, the state settings apply until changed, and remain unaffected by role reloads.


The firewall system role can add or remove an interface to the zone using PCI device ID

Using the PCI device ID, the firewall system role can now assign or remove a network interface to or from a zone. Previously, if only the PCI device ID was known instead of the interface name, users had to first identify the corresponding interface name to use the firewall system role. With this update, the firewall system role can now use the PCI device ID to manage a network interface in a zone.


The network RHEL System Role supports network configuration using the nmstate API

With this update, the network RHEL System Role supports network configuration through the nmstate API. Users can now directly apply the configuration of the required network state to a network interface instead of creating connection profiles. The feature also allows partial configuration of a network. As a result, the following benefits exist:

  • decreased network configuration complexity
  • reliable way to apply the network state changes
  • no need to track the entire network configuration


New cockpit System Role variable for setting a custom listening port

The cockpit System Role introduces the cockpit_port variable that allows you to set a custom listening port other than the default 9090 port. Note that if you decide to set a custom listening port, you will also need to adjust your SELinux policy to allow the web console to listen on that port.


The firewall RHEL System Role can provide Ansible facts

With this enhancement, you can now gather the firewall RHEL System Role’s Ansible facts from all of your systems by including the firewall: variable in the playbook with no arguments. To gather a more detailed version of the Ansible facts, use the detailed: true argument, for example:

    detailed: true


Added setting of seuser and selevel to the selinux RHEL System Role

Sometimes, it is necessary to set seuser and selevel parameters when setting SELinux context file system mappings. With this update, you can use the seuser and selevel optional arguments in selinux_fcontext to specify SELinux user and level in the SELinux context file system mappings.


4.16. Virtualization

ap-check is now available in RHEL 8

The mdevctl tool now provides a new ap-check support utility. You can use mdevctl to persistently configure cryptographic adapters and domains that are allowed for pass-through usage into virtual machines as well as the matrix and vfio-ap devices. With mdevctl, you do not have to reconfigure these adapters, domains, and devices after every IPL. In addition, mdevctl prevents the distributor from inventing other ways to reconfigure them.

When invoking mdevctl commands for vfio-ap devices, the new ap-check support utility is invoked as part of the mdevctl command to perform additional validity checks against vfio-ap device configurations.

In addition, the chzdev tool now provides the ability to manage the system-wide Adjunct Processor (AP) mask settings, which determine what AP resources are available for vfio-ap devices. When used, chzdev makes it possible to persist these settings by generating an associated udev rule. Using lszdev, you can can now also query the system-wide AP mask settings.


Selected VMs on IBM Z can now boot with kernel command lines longer than 896 bytes

Previously, booting a virtual machine (VM) on a RHEL 8 IBM Z host always failed if the kernel command line of the VM was longer than 896 bytes. With this update, the QEMU emulator can handle kernel command lines longer than 896 bytes. As a result, you can now use QEMU direct kernel boot for VMs with very long kernel command lines, if the VM kernel supports it. Specifically, to use a command line longer than 896 bytes, the VM must use Linux kernel version 5.16-rc1 or later.


VM memory preallocation using multiple threads

You can now define multiple CPU threads for virtual machine (VM) memory allocation in the domain XML configuration, for example as follows:

  <allocation threads='8'/>

This ensures that more than one thread is used for allocating memory pages when starting a VM. As a result, VMs with multiple allocation threads configured start significantly faster, especially if the VMs has large amounts of RAM assigned and backed by hugepages.


ESXi hypervisor and SEV-ES is now fully supported

You can now enable the AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) to secure RHEL virtual machines (VMs) on VMware’s ESXi hypervisor, versions 7.0.2 and later. This feature was previously introduced in RHEL 8.4 as a Technology Preview. It is now fully supported.


Secure Execution on IBM Z now supports remote attestation

The Secure Execution feature on the IBM Z architecture now supports remote attestation. The pvattest utility can create a remote attestation request to verify the integrity of a virtual machine (VM) that has Secure Execution enabled.

Additionally, the Guest Interruption State Area (GISA) mechanism has now been enabled for Secure Execution VMs, which allows interrupts to be delivered directly into the VM by completely bypassing the host operating system.

(JIRA:RHELPLAN-98420, BZ#1984905, BZ#2043870)

4.17. RHEL in cloud environments

RHEL virtual machines are now supported on the Ampere Altra architecture

With this update, running a RHEL operating system is now supported on Azure Virtual Machines with processors based on the Ampere® Altra® architecture.


open-vm-tools rebased to 12.0.5

The open-vm-tools packages have been upgraded to version 12.0.5, which introduces a number of bug fixes and new features. Most notably, support has been added for the Salt Minion tool to be managed through guest OS variables.


New SSH module for cloud-init

With this update, an SSH module has been added to the cloud-init utility, which automatically generates host keys during instance creation.

Note that with this change, the default cloud-init configuration has been updated. Therefore, if you had a local modification, make sure the /etc/cloud/cloud.cfg contains "ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']" line.

Otherwise, cloud-init creates an image which fails to start the sshd service. If this occurs, do the following to work around the problem:

  1. Make sure the /etc/cloud/cloud.cfg file contains the following line:

    ssh_genkeytypes:  ['rsa', 'ecdsa', 'ed25519']
  2. Check whether /etc/ssh/ssh_host_* files exist in the instance.
  3. If the /etc/ssh/ssh_host_* files do not exist, use the following command to generate host keys:

    cloud-init single --name cc_ssh
  4. Restart the sshd service:

    systemctl restart sshd


4.18. Containers

The Container Tools packages have been updated

The Container Tools packages which contain the Podman, Buildah, Skopeo, crun, and runc tools are now available. This update provides a list of bug fixes and enhancements over the previous version.

Notable changes include:

  • The podman pod create command now supports setting the CPU and memory limits. You can set a limit for all containers in the pod, while individual containers within the pod can have their own limits.
  • The podman pod clone command creates a copy of an existing pod.
  • The podman play kube command now supports the security context settings using the BlockDevice and CharDevice volumes.
  • Pods created by the podman play kube can now be managed by systemd unit files using a podman-kube@<service>.service (for example systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service).
  • The podman push and podman push manifest commands now support the sigstore signatures.
  • The Podman networks can now be isolated by using the podman network --opt isolate command.

Podman has been upgraded to version 4.2, for further information about notable changes, see the upstream release notes.


GitLab Runner is now available on RHEL using Podman

Beginning with GitLab Runner 15.1, you can use Podman as the container runtime in the GitLab Runner Docker Executor. For more details, see GitLab’s Release Note.


Podman now supports the --health-on-failure option

The podman run and podman create commands now support the --health-on-failure option to determine the actions to be performed when the status of a container becomes unhealthy.

The --health-on-failure option supports four actions:

  • none: Take no action, this is the default action.
  • kill: Kill the container.
  • restart: Restart the container.
  • stop: Stop the container.

Do not combine the restart action with the --restart option. When running inside of a systemd unit, consider using the kill or stop action instead to make use of systemd’s restart policy.


Netavark network stack is now available

The new network stack available starting with Podman 4.0 consists of two tools, the Netavark network setup tool and the Aardvark DNS server. In RHEL 8, the Netavark stack, previously available as a Technology Preview, is now fully supported.

This network stack has the following capabilities:

  • Configuration of container networks using the JSON configuration file
  • Creating, managing, and removing network interfaces, including bridge and MACVLAN interfaces
  • Configuring firewall settings, such as network address translation (NAT) and port mapping rules
  • IPv4 and IPv6
  • Improved capability for containers in multiple networks
  • Container DNS resolution using the aardvark-dns project

You have to use the same version of Netavark stack and the Aardvark authoritative DNS server.