Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.0 Beta.
4.1. Installer and image creation
Smart card authentication for sudo and SSH from the web console
Previously, it was not possible to use smart card authentication to obtain sudo privileges or use SSH in the web console. With this update, Identity Management users can use a smart card to gain sudo privileges or to connect to a different host with SSH.
It is only possible to use one smart card to authenticate and gain sudo privileges. Using a separate smart card for sudo is not supported.
Anaconda supports the rhsm command for machine provisioning via Kickstart installations for satellite
Previously, machine provisioning was dependent on a custom %post script for Kickstart installation on Red Hat Satellite. This %post script imports the custom satellite self-signed certificate, registers the machine, attaches a subscription and installs packages residing in repositories.
With RHEL 9, satellite support has been added via the rhsm command for machine provisioning. You can now use the rhsm command for all provisioning tasks such as registering the system, attaching RHEL subscriptions, and installing from a satellite instance using the rhsm kickstart command.
Licensing, system, and user setting configuration screens have been disabled post standard installation
Previously, RHEL users were configuring Licensing, System (Subscription manager), and User Settings prior to gnome-initial-setup and login screens. With this update, the initial setup screens have been disabled by default to improve user experience.
If you must run the initial setup for user creation or license display, install the following packages based on the requirements.
- Install the initial setup packages:
# yum install initial-setup initial-setup-gui
- Enable initial setup for the next reboot of the system:
# systemctl enable initial-setup
- Reboot the system to view initial setup.
For kickstart installations, add initial-setup-gui to the packages section and enable the initial-setup service.
firstboot --enable
%packages
@^graphical-server-environment
initial-setup-gui
%end
Anaconda activates network automatically for interactive installations
Previously, when performing an interactive installation without having the network activated by kickstart or boot options, users had to activate the network manually in the network spoke. With this update, Anaconda activates the network automatically, without requiring users to visit the network spoke and activate it manually.
This update does not change the installation experience for kickstart installations and installations using the ip= boot option.
Image Builder now supports filesystem configuration
With this enhancement, you can specify custom filesystem configuration in your blueprints and you can create images with the desired disk layout. As a result, by having non-default layouts, you can benefit from security benchmarks, consistency with existing setups, performance, and protection against out-of-disk errors.
To customize the filesystem configuration in your blueprint, set the following customization:
[[customizations.filesystem]]
mountpoint = "MOUNTPOINT"
size = MINIMUM-PARTITION-SIZE
Image Builder now supports cross-version image building
With this enhancement, you can use Image Builder to create images of multiple RHEL minor releases that are different from the host, such as RHEL 8.4 and RHEL 8.5. As a result, you can avoid maintaining multiple Image Builder instances.
Image Builder now supports creating bootable installer images
With this enhancement, you can use Image Builder to create bootable ISO images that consist of a tarball file, which contains a root file system. As a result, you can use the bootable ISO image to install the tarball file system to a bare metal system.
4.2. RHEL for Edge
rpm-ostree rebased to version v2021.5
The rpm-ostree package has been upgraded to version v2021.5, which provides multiple bug fixes and enhancements. Notable changes include:
- Kernel arguments can now be updated in an idempotent way, by using the new
- The Count Me feature from DNF is now fully disabled by default in all repo queries and will only be triggered by the corresponding rpm-ostree-countme.service units. See countme.
- The post-processing logic can now process the user.ima IMA extended attribute. When an xattr extended attribute is found, the system automatically translates it to security.ima in the final
- The treefile file has a new repo-packages field. You can use it to pin a set of packages to a specific repository.
OSTree rebased to version v2021.2
The OSTree package has been upgraded to version v2021.2, which provides multiple bug fixes and enhancements. Notable changes include:
- New APIs for writing files, used in the new ostree-rs-ext project, to improve imports from tarballs.
- The rofiles-fuse command now handles xattrs extended attributes. Note: rofiles-fuse is considered deprecated, see #2281.
- Improvements to the introspection API and testing.
4.3. Subscription management
Merged system purpose commands under
Previously, there were two different commands to set system purpose attributes; subscription-manager. To unify all the system purpose attributes under one module, all the usage commands from subscription-manager have been moved to the new submodule. subscription-manager commands outside the new submodule are deprecated. The separate package (python3-syspurpose) that provides the syspurpose command line tool has been removed in RHEL 9.
This update provides a consistent way to view, set, and update all system purpose attributes using a single subscription-manager command; it replaces all the existing system purpose commands with equivalent versions available as a new subcommand. For example, subscription-manager role --set SystemRole becomes subscription-manager syspurpose role --set SystemRole, and so on.
For complete information about the new commands, options, and other attributes, see the SYSPURPOSE OPTIONS section in the subscription-manager man page.
4.4. Software management
New RPM plugin notifies fapolicyd about changes during RPM transactions
This update of the rpm packages introduces a new RPM plugin that integrates the fapolicyd framework with the RPM database. The plugin notifies fapolicyd about installed and changed files during an RPM transaction. As a result, fapolicyd now supports integrity checking.
Note that the RPM plugin replaces the YUM plugin because its functionality is not limited to YUM transactions but also covers changes made directly by RPM.
libmodulemd rebased to version 2.13.0
The libmodulemd packages have been rebased to version 2.13.0, which provides the following notable changes over the previous version:
- Added support for delisting demodularized packages from a module.
- Added support for validating modulemd-packager-v3 documents with a new --type option of the
- Fortified parsing integers.
RPM rebased to version 4.16
The RPM packages have been rebased to version 4.16, which provides the following notable changes:
- New SPEC features, most notably:
  - Fast macro-based dependency generators
  - %generate_buildrequires section that allows for generating dynamic build dependencies
  - Meta (unordered) dependencies
  - Native version comparison in expressions
  - Caret version operator, opposite of tilde
  - Optional automatic patch and source numbering
  - %autopatch now accepts patch ranges
- The rpm database is now based on the sqlite library. Read-only support for Berkeley DB databases has been retained for migration and query purposes.
- rpm-plugin-audit plug-in for issuing audit log events on transactions, previously built into RPM itself
- Increased parallelism in package builds
- Enforced UTF-8 validation of header data at build-time
rpm now supports the EdDSA public key algorithm
With this enhancement, the rpm command supports signing keys using the EdDSA public key algorithm. As a result, signing keys generated using EdDSA can now be used for signing and verifying packages.
Note that although signing keys using EdDSA are now supported, RSA continues to be the default public key algorithm in GnuPG.
4.5. Shells and command-line tools
powerpc-utils rebased to version 1.3.9
The powerpc-utils package has been upgraded to version 1.3.9. Notable bug fixes and enhancements include:
- Increased the log size to 1 MB in
- HCIND array size at the boot time.
- autoconnect-slaves on HNV connections in
- Improved the HNV bond list connections in
- hcn-init.service starts with the NetworkManager.
- Fixed OF to logical FC lookup for multipath in
- Fixed OF to logical lookup with partitions in
- Fixed bootlist for multipath devices with greater than 5 paths.
- Added missing substring extraction of devpart in l2of_vd() of
- Fixed the remove by
- Moved the definition of
- -x option to enhance the security in partstat.
- nroff warnings and errors in
- Implemented NUMA-based LMB removal in
- nmcli to check bonding interface status in
- nmcli to clean the bond interface at the boot time when HNV does not exist.
ppc64-diag rebased to version 2.7.7
The ppc64-diag package has been upgraded to version 2.7.7. Notable bug fixes and enhancements include:
- Improved unit test cases.
- Added the UUID property in
- rtas_errd service does not run in the Linux containers.
- The obsolete logging options are no longer available in the
4.6. Infrastructure services
The s-nail mail processing system has replaced the mailx utility. The s-nail utility is compatible with mailx and adds numerous new features. The mailx package is no longer maintained in the upstream.
mod_security_crs rebased to version 3.3
mod_security_crs has been upgraded to version 3.3. Notable bug fixes and enhancements include:
- Blocked backup files ending with .swp to restricted extensions.
- Added Common Attack Pattern Enumeration and Classification (CAPEC) tags for attack classification.
- Added support to detect
- Improved variable to lowercase (modsec3 behavior fix)
- Added support to detect Unix RCE bypass techniques via uninitialized variables, string concatenations, and globbing patterns.
- Removed outdated rule tags; attack-type are still included in the
- The format of tx.allowed_request_content_type has been changed to be in line with the other variables. If the variable is overridden, see the example in the crs-setup.conf file for the new separator.
chrony rebased to version 4.1
chrony has been updated to version 4.1. Notable bug fixes and enhancements include:
- Added support for Network Time Security (NTS) authentication.
- By default, authenticated Network Time Protocol (NTP) sources are trusted over non-authenticated NTP sources. Add the authselectmode ignore argument to the chrony.conf file to restore the original behavior.
- Support for authentication with RMD320 is no longer available.
- Support for long non-standard MACs in NTPv4 packets is no longer available. If you are using non-MD5/SHA1 keys, you need to configure
OpenSSL now includes providers
The OpenSSL toolkit in version 3.0.0-0.beta2, which is included in RHEL 9 Beta, added the concept of providers. Providers are collections of algorithms, and you can choose different providers for different applications. OpenSSL currently includes the following providers:
By default, if the openssl.cnf configuration file does not contain a specific provider, OpenSSL loads and activates the default provider, which includes commonly used algorithms such as RSA, DSA, DH, CAMELLIA, SHA-1, and SHA-2.
When the FIPS flag is set in the kernel, OpenSSL automatically loads the FIPS provider and uses only FIPS-approved algorithms. As a result, you do not have to manually switch OpenSSL to FIPS mode.
To change to a different provider on the system level, edit the openssl.cnf configuration file. For example, if your scenario requires using the legacy provider, uncomment the corresponding section.
WARNING: Explicitly activating a provider overrides the implicit activation of the default provider and may make the system remotely inaccessible, for example by the OpenSSH suite.
For information on the algorithms included in each provider, see the relevant man pages. For example, the OSSL_PROVIDER-legacy(7) man page for the
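An openssl.cnf fragment that activates the legacy provider as the section above describes while keeping the default provider explicitly active, which is what avoids the pitfall in the warning (added example, not the file Red Hat ships; section names follow the OpenSSL 3.0 config(5) layout):

```ini
# Added example openssl.cnf fragment (not Red Hat's shipped file): an
# application still needs a legacy-provider algorithm such as MD4 or RC4,
# so the legacy provider is activated in addition to the default one.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
# As soon as any provider is activated explicitly, the default provider is
# no longer activated implicitly. Leaving this line out is exactly how the
# RSA, SHA-2 and AES algorithms that sshd relies on disappear.
activate = 1

[legacy_sect]
activate = 1
```

Confirm the result with `openssl list -providers`, which must show both default and legacy as active.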
crypto-policies are now more secure
With this update, the system-wide cryptographic policies have been adjusted to provide up-to-date secure defaults:
- Disabled TLS 1.0, TLS 1.1, DTLS 1.0, RC4, Camellia, DSA, 3DES, and FFDHE-1024 in all policies.
- Increased minimum RSA key size and minimum Diffie-Hellman parameter size in LEGACY.
- Disabled TLS and SSH algorithms using SHA-1, with an exception of SHA-1 usage in Hash-based Message Authentication Codes (HMACs). SHA-1 is also allowed for DNSSEC in the DEFAULT and LEGACY policy levels.
If your scenario requires enabling some of the disabled algorithms and ciphers, use policy modifiers or customize the policy.
RHEL System Roles now support VPN management
Previously, it was difficult to set up secure and properly configured IPsec tunneling and virtual private networking (VPN) solutions on Linux. With this enhancement, you can use the VPN RHEL System Role to set up and configure VPN tunnels for host-to-host and mesh connections more easily across large numbers of hosts. As a result, you have a consistent and stable configuration interface for VPN and IPsec tunneling configuration within the RHEL System Roles project.
The VPN System Role does not work correctly with the ansible-core 2.11 package that is provided in RHEL 9.0 Beta. For more information, see Some RHEL System Roles do not work with the ansible-core 2.11 package.
OpenSSL provided in version 3.0.0-0.beta2
RHEL 9 Beta provides openssl packages in upstream version 3.0.0-0.beta2, which includes many improvements and bug fixes over the previous version. The most notable changes include:
- Added the new Provider concept. Providers are collections of algorithms, and you can choose different providers for different applications.
- Introduced the new versioning scheme in the following format: <major>.<minor>.<patch>.
- Added support for the Certificate Management Protocol (CMP, RFC 4210), the Certificate Request Message Format (CRMF), and HTTP transfer (RFC 6712).
- Introduced an HTTP(S) client that supports GET and POST, redirection, plain and ASN.1-encoded contents, proxies, and timeouts.
- Added new Key Derivation Function API (EVP_KDF) and Message Authentication Code API (EVP_MAC).
- Added support for Linux Kernel TLS (KTLS) through compiling with the
- Added CAdES-BES signature verification support.
- Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
- Added support for new algorithms, for example:
  - KDF algorithms "SINGLE STEP" and "SSH".
  - MAC Algorithms "GMAC" and "KMAC".
  - KEM Algorithm "RSASVE".
  - Cipher Algorithm "AES-SIV".
- Added AuthEnvelopedData content type structure (RFC 5083) using AES_GCM.
- The default algorithms for PKCS #12 creation with the PKCS12_create() function changed to more modern PBKDF2 and AES-based algorithms.
- Added a new generic trace API.
GnuTLS provided in version 3.7.2
In RHEL 9 Beta, the gnutls packages are provided in upstream version 3.7.2. This provides many improvements and bug fixes over previous versions, most notably:
- Fixed timing of the early data (zero round trip data, 0-RTT) exchange.
- The certutil tool no longer inherits the CRL (Certificate Revocation List) distribution point from the certificate authority (CA) when signing a certificate signing request (CSR).
OpenSSH distributed in 8.6p1
RHEL 9 Beta includes OpenSSH in version 8.6p1. This version provides many enhancements and bug fixes over OpenSSH version 8.0p1, which is distributed in RHEL 8.5, most notably:
- The LogVerbose configuration directive that allows forcing maximum debug logging by file/function/line pattern lists.
- Client address-based rate-limiting with the new PerSourceNetBlockSize directives. This provides finer control than the global
- The HostbasedAcceptedAlgorithms keyword now filters based on the signature algorithm instead of filtering by key type.
- sshd_config keyword in the sshd daemon that allows including additional configuration files by using
- Support for Universal 2nd Factor (U2F) hardware authenticators specified by the FIDO Alliance. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH, FIDO devices are supported by new public key types ed25519-sk and by the corresponding certificate types.
- Support for FIDO keys that require a PIN for each use. You can generate these keys by using ssh-keygen with the new verify-required option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation.
- The authorized_keys file now supports a new verify-required option. This option requires FIDO signatures to assert token verification of the user’s presence before making the signature. The FIDO protocol supports multiple methods for user verification; OpenSSH currently supports only PIN verification.
- Added support for verifying FIDO
webauthn is a standard for using FIDO keys in web browsers. These signatures are in a slightly different format from plain FIDO signatures and therefore require explicit support.
- Clarified semantics of the ClientAliveCountMax=0 keyword. Now, it entirely disables connection killing instead of the previous behavior of instantly killing the connection after the first liveness test regardless of its success.
- Fixed an exploitable integer overflow bug in the private key parsing code for the XMSS key type. This key type is still experimental and support for it is not compiled by default. No user-facing autoconf option exists in portable OpenSSH to enable it.
- Added protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed. This release encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large “prekey” consisting of random data (currently 16 KB).
OpenSSL random bit generator now supports CPACF
This release of the openssl packages introduces support for the CP Assist for Cryptographic Functions (CPACF) in the OpenSSL NIST SP800-90A-compliant AES-based deterministic random bit generator (DRBG).
cyrus-sasl now uses GDBM instead of Berkeley DB
The cyrus-sasl package is now built without the libdb dependency, and the sasldb plugin uses the GDBM database format instead of Berkeley DB. To migrate your existing Simple Authentication and Security Layer (SASL) databases stored in the old Berkeley DB format, use the cyrusbdb2current tool with the following syntax:
cyrusbdb2current <sasldb_path> <new_path>
openssl-spkac can now create SPKAC files signed with SHA-1 and SHA-256
The openssl-spkac utility can now create Netscape signed public key and challenge (SPKAC) files signed with hashes other than MD5. You can now also create and verify SPKAC files signed with SHA-1 and SHA-256 hashes.
SELinux policy in RHEL 9 is up-to-date with the current kernel
The SELinux policy includes new permissions, classes, and capabilities that are also part of the kernel. Therefore, SELinux can utilize the full potential provided by the kernel. Specifically, SELinux has better granularity for granting permissions, which has subsequent security benefits. This also enables running systems with the MLS SELinux policy because the MLS policy would prevent some systems from starting if the system contained permissions unknown to the policy.
Notable changes in
RHEL 9 Beta includes the scap-security-guide packages in version 0.1.57. This version introduces the following major changes over the version available in RHEL 8:
- *-xccdf.xml SCAP component files have been removed to avoid data duplication and to reduce the package size.
- Removed the Legacy SCAP 1.2 source data streams.
- Removed the Bash Profile Remediation scripts to encourage safer practices. The preferred way to remediate a hardening profile is to use the oscap xccdf eval --remediate command that executes only the needed remediations.
- Includes only RHEL 9 content. If you need to scan systems with different versions of RHEL, use the packages that are provided for the scanned systems.
OSCAP Anaconda Add-on now supports a new add-on name
With this enhancement, you can use the new com_redhat_oscap add-on name as opposed to the legacy org_fedora_oscap add-on name in the Kickstart file for the OSCAP Anaconda Add-on plugin. For example, the Kickstart section can be structured as follows:
%addon com_redhat_oscap
content-type = scap-security-guide
%end
OSCAP Anaconda Add-on is currently compatible with the legacy add-on name, but support for the legacy add-on name will be removed in a future major RHEL version.
sudo supports Python plugins
With the sudo program version 1.9, which is included in RHEL 9 Beta, you can write sudo plugins in Python. This makes it easier to enhance sudo to more precisely suit specific scenarios.
For additional information, see the sudo_plugin_python(8) man page.
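As an added example (not Red Hat's or the sudo project's own code), an approval plugin written against the sudo 1.9 Python API: it vetoes interactive root shells for users outside an allow-list, the kind of guardrail such a plugin can add on top of the sudoers policy. The sudo.conf line, the file path and the AllowedUsers option name are assumptions; the stand-in sudo module exists only so the logic can be tested outside sudo.

```python
"""Approval plugin for the sudo 1.9 Python plugin API (added example).

An approval plugin runs after the policy plugin has already accepted the
command and can only veto it, so it is a safe place for an extra guardrail.
This one refuses shells (and su) that would run as uid 0 unless the invoking
user is on an allow-list passed as a plugin option, and logs each decision.

Hypothetical /etc/sudo.conf line that would load it:
  Plugin python_approval python_plugin.so \
      ModulePath=/etc/sudo/root_shell_guard.py ClassName=RootShellGuard \
      AllowedUsers=alice,bob
"""
import os

try:
    import sudo  # provided by python_plugin.so only while running under sudo
except ImportError:  # constructed stand-in so the logic is testable offline
    import types

    class _PluginReject(Exception):
        """Mirrors sudo.PluginReject: raising it rejects the command."""

    sudo = types.SimpleNamespace(
        Plugin=object,
        PluginReject=_PluginReject,
        # values mirror the SUDO_RC_* constants from sudo_plugin.h
        RC=types.SimpleNamespace(ACCEPT=1, REJECT=0, ERROR=-1),
        log_info=lambda *args: None,
        log_error=lambda *args: None,
    )

# Basenames of the "command=" entry that mean an interactive root shell.
# Note that "bash -c cmd" run as root is treated the same way on purpose.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "tcsh", "csh", "su"}


def parse_info(items):
    """sudo hands command_info, user_info and plugin_options to the plugin
    as tuples of 'key=value' strings; turn them into a dict."""
    info = {}
    for item in items:
        key, sep, value = item.partition("=")
        info[key] = value if sep else ""
    return info


def is_root_shell(command_info, run_argv):
    """True when the command sudo is about to run is a shell (or su)
    executing as uid 0, i.e. what sudo -i, sudo -s or sudo su produce."""
    info = parse_info(command_info)
    if info.get("runas_uid", "") != "0":
        return False
    command = info.get("command", "")
    if not command and run_argv:
        # login shells are started with argv[0] such as "-bash"
        command = run_argv[0].lstrip("-")
    return os.path.basename(command) in SHELL_NAMES


class RootShellGuard(sudo.Plugin):
    """Approval plugin: veto root shells for users not on the allow-list."""

    def __init__(self, plugin_options=(), user_info=(), **kwargs):
        opts = parse_info(plugin_options)
        self.allowed = {u for u in opts.get("AllowedUsers", "").split(",") if u}
        self.user = parse_info(user_info).get("user", "<unknown>")

    def check(self, command_info, run_argv, run_envp):
        """Called once per command: return sudo.RC.ACCEPT, or raise
        sudo.PluginReject with the message shown to the user."""
        if is_root_shell(command_info, run_argv) and self.user not in self.allowed:
            msg = "root shell via sudo is not permitted for %s" % self.user
            sudo.log_error(msg)
            raise sudo.PluginReject(msg)
        sudo.log_info("approved '%s' for %s" % (" ".join(run_argv), self.user))
        return sudo.RC.ACCEPT
```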
logrotate included in a separate
The logrotate config was separated from the main rsyslog package into the new rsyslog-logrotate package. This is useful in certain minimal environments, for example where log rotation is not needed, to prevent installing unnecessary dependencies.
Clevis now supports
With this enhancement, the Clevis framework supports the SHA-256 algorithm as the default hash for JSON Web Key (JWK) thumbprints as recommended by RFC 7638. Because the older thumbprints (SHA-1) are still supported, you can still decrypt previously encrypted data.
diag modules are now available in the kernel
The diag modules are now included with the kernel image. With this update, the diag modules no longer need to be dynamically loaded when the ss command is used. This allows better debugging of networking issues regardless of the customer policy on kernel modules. Modules included in the kernel:
- CONFIG_INET_DIAG
- CONFIG_INET_RAW_DIAG
- CONFIG_INET_TCP_DIAG
- CONFIG_INET_UDP_DIAG
- CONFIG_INET_MPTCP_DIAG
- CONFIG_NETLINK_DIAG
- CONFIG_PACKET_DIAG
- CONFIG_UNIX_DIAG
Making Nmstate more inclusive
Red Hat is committed to using conscious language. See details about this initiative in Making open source more inclusive. Therefore, the slave term in the nmstate API has been replaced by the term
NetworkManager allows changing the queue_id of a bond port
NetworkManager ports in a bond now support the queue_id parameter. Assuming eth1 is a port of a bond interface, you can enable queue_id for a bond port with:
# nmcli connection modify eth1 bond-port.queue-id 1
# nmcli connection up eth1
Any network interface that needs to use this option should configure it with multiple calls until proper priorities are set for all interfaces. For more information, see the /usr/share/docs/kernel-doc-<version>/Documentation/networking/bonding.rst file that is provided by the
RHEL 9 Beta kernels signed with trusted SecureBoot certificates
Previously, RHEL Beta releases required users to enroll a separate Beta public key using the Machine Owner Key (MOK) facility. Starting with RHEL 9 Beta, kernels are signed with trusted SecureBoot certificates, hence users no longer need to enroll a separate Beta public key to use the beta versions on systems having UEFI Secure Boot enabled.
cgroup-v2 enabled by default in RHEL 9
The control groups version 2 (cgroup-v2) feature implements a single hierarchy model that simplifies the management of control groups. Also, it ensures that a process can only be a member of a single control group at a time. Deep integration with systemd improves the end-user experience when configuring resource control on a RHEL system.
Development of new features is mostly done for cgroup-v2, which has some features that are missing in cgroup-v1. cgroup-v1 contains some legacy features that are missing in cgroup-v2. Also, the control interfaces are different. Therefore, third party software with direct dependency on cgroup-v1 may not run properly in the
cgroup-v1, you need to add the following parameters to the kernel command-line:
cgroup-v2 are fully enabled in the kernel. There is no default control group version from the kernel point of view; the version is decided by systemd at mount time during startup.
Kernel changes potentially affecting third party kernel modules
Linux distributions with a kernel version prior to 5.9 supported exporting GPL functions as non-GPL functions. As a result, users could link proprietary functions to GPL kernel functions through the shim mechanism. With this release, the RHEL kernel incorporates upstream changes that enhance the ability of RHEL to enforce GPL by rebuffing
Partners and independent software vendors (ISVs) should test their kernel modules with an early version of RHEL 9 to ensure their compliance with GPL.
The 64-bit ARM architecture has a 4 KB page size in RHEL 9
Red Hat has selected a 4 KB page size of physical memory for the 64-bit ARM architecture in Red Hat Enterprise Linux 9. This size pairs well with the workloads and memory amounts present on the majority of ARM-based systems. To employ large page sizes efficiently, use the huge pages option to address a greater amount of memory or workloads with large data sets.
For more information about huge pages, see Monitoring and Managing System Status and Performance.
perf-top now can sort by a certain column
With this update to the perf-top system profiling tool, you can sort samples by an arbitrary event column. Previously, the events were sorted by the first column in case multiple events in a group were sampled. To sort the samples, use the --group-sort-idx command-line option and press a number key to sort the table by the matching data column. Note that column numbering starts from
Checkpoint/Restore In Userspace (CRIU) is a Linux utility that allows checkpointing and restoring of processes. The jigawatts package contains a Java library, which aims to improve the usability of CRIU mechanisms from Java applications.
trace-cmd reset command has new behavior
The trace-cmd reset command disabled several settings of the ftrace framework that were enabled by default, most notably the tracing_max_latency configurations. The new behavior of trace-cmd reset is to reset these configurations to their default values.
crashkernel.default file for kdump memory allocation
A new implementation of the crashkernel.default file is now available on the RHEL 9 version of
The crashkernel.default file is shipped with each kernel and it contains the default crash kernel value for the corresponding kernel build. The default value is used by kdump to control the default crash kernel memory value of each kernel. The value forms a good reference for kdump memory reservation. Using this value as the base to estimate the required memory, you can configure the desired
As a result, this improves the memory allocation for kdump when a system has less than 4 GB available memory.
Note that the crashkernel=auto option in the boot command line is no longer supported on RHEL 9 and later releases.
For more information, see the
The kernel-rt source tree has been updated to RHEL 9.0 tree
The kernel-rt sources have been updated to use the latest Red Hat Enterprise Linux kernel source tree. The real-time patch set has also been updated to the latest upstream version, v5.14-rt15. These updates provide a number of bug fixes and enhancements.
Core scheduling is supported in RHEL 9
With the core scheduling functionality users can prevent tasks that should not trust each other from sharing the same CPU core. Likewise, users can define groups of tasks that can share a CPU core.
These groups can be specified:
- To improve security by mitigating some cross-Symmetric Multithreading (SMT) attacks
- To isolate tasks that need a whole core. For example for tasks in real-time environments, or for tasks that rely on specific processor features such as Single Instruction, Multiple Data (SIMD) processing
For more information, see Core Scheduling.
Support for CPU hotplug in the
With this update, PMU counters correctly react to the hot-plugging of a CPU. As a result, if a hv_gpci event counter is running on a CPU that gets disabled, the counting redirects to another CPU.
Metrics for POWERPC hv_24x7 nest events are now available
Metrics for POWERPC hv_24x7 nest events are now available for perf. By aggregating multiple events, these metrics provide a better understanding of the values obtained from perf counters and how effectively the CPU is able to process the workload.
The IRDMA driver has been introduced in RHEL 9
The IRDMA driver enables RDMA functionality on RDMA-capable Intel® network devices. Devices supported by this driver are:
- Intel® Ethernet Controller E810
- Intel® Ethernet Network Adapter X722
RHEL 9 delivers updated Intel® Ethernet Protocol Driver for RDMA (IRDMA) for the X722 Internet Wide-area RDMA Protocol (iWARP) device. RHEL 9 also introduces a new E810 device that supports iWARP and RDMA over Converged Ethernet (RoCEv2). The IRDMA module replaces the legacy i40iw module for X722 and extends the Application Binary Interface (ABI) defined for i40iw. The change is backward compatible with legacy X722 RDMA-Core provider (libi40iw).
- The X722 device supports only iWARP and a more limited set of configuration parameters.
The E810 device supports the following set of RDMA and congestion management features:
- iWARP and RoCEv2 RDMA transports
- Priority Flow Control (PFC)
- Explicit Congestion Notification (ECN)
4.10. High availability and clusters
resource-stickiness resource meta-attribute now defaults to 1 instead of 0 for newly-created clusters
Previously, the resource-stickiness resource meta-attribute had a default value of 0 for newly-created clusters. This meta-attribute now defaults to 1.
With a stickiness of 0, a cluster may move resources as needed to balance resources across nodes. This may result in resources moving when unrelated resources start or stop. With a positive stickiness, resources have a preference to stay where they are, and move only if other circumstances outweigh the stickiness. This may result in newly-added nodes not getting any resources assigned to them without administrator intervention. Both approaches have potentially unexpected behavior, but most users prefer having some stickiness. The default value for this meta-attribute has been changed to 1 to reflect this preference.
Only newly-created clusters are affected by this change, so the behavior does not change for existing clusters. Users who prefer the old behavior for their cluster can delete the resource-stickiness entry from resource defaults.
New LVM volume group flag to control autoactivation
LVM volume groups now support a setautoactivation flag which controls whether logical volumes that you create from a volume group will be automatically activated on startup. When creating a volume group that will be managed by Pacemaker in a cluster, set this flag to n with the vgcreate --setautoactivation n command for the volume group to prevent possible data corruption. If you have an existing volume group used in a Pacemaker cluster, set the flag with vgchange --setautoactivation n.
New pcs resource status display commands
The pcs resource status and the pcs stonith status commands now support the following options:
- You can display the status of resources configured on a specific node with the pcs resource status node=node_id command and the pcs stonith status node=node_id command. You can use these commands to display the status of resources on both cluster and remote nodes.
- You can display the status of a single resource with the pcs resource status resource_id and the pcs stonith status resource_id commands.
- You can display the status of all resources with a specified tag with the pcs resource status tag_id and the pcs stonith status tag_id commands.
New reduced output display option for the pcs resource safe-disable command
The pcs resource safe-disable and pcs resource disable --safe commands print a lengthy simulation result after an error report. You can now specify the --brief option for those commands to print errors only. The error report now always contains the resource IDs of affected resources.
pcs command to update SCSI fencing device without causing restart of all other resources
Updating a SCSI fencing device with the pcs stonith update command causes a restart of all resources running on the same node where the stonith resource was running. The new pcs stonith update-scsi-devices command allows you to update SCSI devices without causing a restart of other cluster resources.
Ability to configure watchdog-only SBD for fencing on subset of cluster nodes
Previously, to use a watchdog-only SBD configuration, all nodes in the cluster had to use SBD. That prevented using SBD in a cluster where some nodes support it but other nodes (often remote nodes) required some other form of fencing. Users can now configure a watchdog-only SBD setup using the new fence_watchdog agent, which allows cluster configurations where only some nodes use watchdog-only SBD for fencing and other nodes use other fencing types. A cluster may only have a single such device, and it must be named
Local mode version of pcs cluster setup command is now fully supported
By default, the pcs cluster setup command automatically synchronizes all configuration files to the cluster nodes. The pcs cluster setup command now fully supports the --corosync-conf option. Specifying this option switches the command to local mode. In this mode, the pcs command-line interface creates a corosync.conf file and saves it to a specified file on the local node only, without communicating with any other node. This allows you to create a corosync.conf file in a script and handle that file by means of the script.
Automatic removal of location constraint following resource move
When you execute the pcs resource move command, this adds a constraint to the resource to prevent it from running on the node on which it is currently running. By default, the location constraint that the command creates is automatically removed once the resource has been moved. This does not necessarily move the resources back to the original node; where the resources can run at that point depends on how you have configured your resources initially. If you would like to move a resource and leave the resulting constraint in place, use the pcs resource move-with-constraint command.
pcs now accepts Unpromoted as role names
The pcs command-line interface now accepts Unpromoted anywhere roles are specified in Pacemaker configuration. These role names are the functional equivalent of the Slave Pacemaker roles in previous RHEL releases, and these are the role names that are visible in configuration displays and help pages.
4.11. Dynamic programming languages, web and database servers
Python in RHEL 9
Python 3.9 is the default Python implementation in RHEL 9. Python 3.9 is distributed in a non-modular
python3 RPM package in the BaseOS repository and usually installed by default. Python 3.9 will be supported for the whole life cycle of RHEL 9.
Additional versions of Python 3 will be distributed as RPM packages with a shorter life cycle through the AppStream repository and will be installable in parallel.
The python command (/usr/bin/python), as well as other Python-related commands such as pip, are available in the unversioned form and point to the default Python 3.9 version.
Python 2 is not distributed with RHEL 9.
For more information about Python in RHEL 9, see Introduction to Python.
Node.js 16 available in RHEL 9
RHEL 9 provides version 16 of Node.js. Notable changes in Node.js 16 over Node.js 14 include:
- The V8 engine has been upgraded to version 9.2.
- The npm package manager has been upgraded to version 7.20.3.
- The Timers Promises API provides an alternative set of timer functions that return
- Node.js now provides a new experimental
- Node.js is now compatible with
Node.js 16 is the initial version of this Application Stream, which you can install easily as an RPM package. Additional Node.js versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
RHEL 9 provides Ruby 3.0
RHEL 9 is distributed with Ruby 3.0.2, which provides a number of performance improvements, bug and security fixes, and new features over
Notable enhancements include:
Concurrency and parallelism features:
- Ractor, an Actor-model abstraction that provides thread-safe parallel execution, is provided as an experimental feature.
- Fiber Scheduler has been introduced as an experimental feature. Fiber Scheduler intercepts blocking operations, which enables light-weight concurrency without changing existing code.
Static analysis features:
- The RBS language has been introduced, which describes the structure of
- The rbs gem has been added to parse type definitions written in
- The TypeProf utility has been introduced, which is a type analysis tool for
Pattern matching with the case/in expression is no longer experimental.
- One-line pattern matching, which is an experimental feature, has been redesigned.
- Find pattern has been added as an experimental feature.
The following performance improvements have been implemented:
- Pasting long code to the Interactive Ruby Shell (IRB) is now significantly faster.
- The measure command has been added to IRB for time measurement.
Other notable changes include:
- Keyword arguments are now separated from other arguments.
The default directory for user-installed gems is now
$HOME/.gem/directory is already present.
Ruby 3.0 is the initial version of this Application Stream, which you can install easily as an RPM package. Additional Ruby versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
RHEL 9 introduces Perl 5.32
RHEL 9 includes Perl 5.32, which provides a number of bug fixes and enhancements over version 5.30 available in RHEL 8.
Notable enhancements include:
- Perl now supports Unicode version 13.0.
- The qr quote-like operator has been enhanced.
- The wctomb functions now work on shift state locales and are thread-safe on C99 and above compilers when executed on a platform that has locale thread-safety; the length parameters are now optional.
- The new experimental isa infix operator tests whether a given object is an instance of a given class or a class derived from it.
- Alpha assertions are no longer experimental.
- Script runs are no longer experimental.
- Feature checks are now faster.
- Perl can now dump compiled patterns before optimization.
Perl 5.32 is the initial version of this Application Stream, which you can install easily as an RPM package. Additional Perl versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
RHEL 9 introduces PHP 8.0
RHEL 9 is distributed with PHP 8.0, which provides a number of bug fixes and enhancements over version 7.4 available in RHEL 8.
Notable enhancements include:
- New named arguments are order-independent and self-documented, and enable you to specify only required parameters.
- New attributes enable you to use structured metadata with PHP’s native syntax.
- New union types enable you to use native union type declarations that are validated at runtime instead of PHPDoc annotations for a combination of types.
- Internal functions now more consistently raise an Error exception instead of warnings if parameter validation fails.
- The Just-In-Time compilation has improved the performance.
- The Xdebug debugging and productivity extension for PHP has been updated to version 3. This version introduces major changes in functionality and configuration compared to
PHP 8.0 is the initial version of this Application Stream, which you can install easily as an RPM package. Additional PHP versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
For more information, see Using the PHP scripting language.
RHEL 9 provides Git 2.31 and Git LFS 2.13
RHEL 9 is distributed with Git 2.31, which provides a number of enhancements and performance improvements over version 2.27 available in RHEL 8. Notable changes include:
- The git status command now reports the status of sparse checkout.
- You can now use the --add-file option with the git archive command to include untracked files in a snapshot from a tree-ish identifier.
- You can use the clone.defaultremotename configuration variable to customize a nickname of the source remote repository.
- You can configure the maximum length of output file names created by the git format-patch command. Previously, the length limit was 64 bytes.
- Support for the deprecated PCRE1 library has been removed.
Git Large File Storage (LFS) extension version 2.13 is now available. Enhancements over version 2.11 distributed in RHEL 8 include:
- Git LFS now supports SHA-256 repositories.
- Git LFS now supports the
- The --worktree option is available for the git lfs install and git lfs uninstall commands.
- The --above parameter is available for the git lfs migrate import command.
Subversion 1.14 in RHEL 9
RHEL 9 is distributed with Subversion 1.14.
Subversion 1.14 is the initial version of this Application Stream, which you can install easily as an RPM package. Additional
Subversion versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
Notable changes in the Apache HTTP Server
RHEL 9.0 Beta provides version 2.4.48 of the Apache HTTP Server. Notable changes over version 2.4.37 distributed with RHEL 8 include:
- Apache HTTP Server Control Interface (apachectl):
  - The systemctl pager is now disabled for
  - The apachectl command now fails instead of giving a warning if you pass additional arguments.
  - The apachectl graceful-stop command now returns immediately.
  - The apachectl configtest command now executes the httpd -t command without changing the SELinux context.
  - The apachectl(8) man page in RHEL now fully documents differences from upstream
- Apache eXtenSion tool (apxs):
  - The /usr/bin/apxs command no longer uses or exposes compiler optimisation flags as applied when building the httpd package. You can now use the /usr/lib64/httpd/build/vendor-apxs command to apply the same compiler flags as used to build httpd. To use the vendor-apxs command, you must install the
- The mod_lua module is now provided in a separate package.
- Configuration syntax changes:
  - In the deprecated Allow directive provided by the mod_access_compat module, a comment (the # character) now triggers a syntax error instead of being silently ignored.
  - In the deprecated
- Kernel thread IDs are now used directly in error log messages, making them both accurate and more concise.
- Many minor enhancements and bug fixes.
- A number of new interfaces are available to module authors.
There are no backwards-incompatible changes to the httpd module API since RHEL 8.
Apache HTTP Server 2.4 is the initial version of this Application Stream, which you can install easily as an RPM package.
For more information, see Setting up the Apache HTTP web server.
(JIRA:RHELPLAN-68364, BZ#1931976, JIRA:RHELPLAN-80725)
nginx 1.20 available in RHEL 9
RHEL 9 includes the nginx 1.20 web and proxy server. This release provides a number of bug fixes, security fixes, new features and enhancements over version 1.18.
- nginx now supports client SSL certificate validation with the Online Certificate Status Protocol (OCSP), controlled by the ssl_ocsp directive. Note that with this enabled, nginx contacts the OCSP responder named in the client certificate during the handshake, so the responder must be reachable from the server.
- nginx now supports cache clearing based on the minimum amount of free space. This support is implemented as the min_free parameter of the
- The ngx_stream_set_module module has been added, which enables you to set a value for a variable.
- Multiple new directives are now available, such as
- The proxy_cookie_flags directive now supports variables.
- Improved support for HTTP/2:
  - The ngx_http_v2 module now includes the
  - Handling connections in HTTP/2 has been aligned with HTTP/1.x. From nginx 1.20, use the keepalive_requests directives instead of the removed
nginx 1.20 is the initial version of this Application Stream, which you can install easily as an RPM package. Additional nginx versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
For more information, see Setting up and configuring NGINX.
Varnish Cache 6.5 in RHEL 9
RHEL 9 includes
Varnish Cache 6.5, a high-performance HTTP reverse proxy. This release provides a number of bug fixes and enhancements over version 6.0 available in RHEL 8.
Varnish Cache 6 is the initial version of this Application Stream, which you can install easily as an RPM package.
RHEL 9 introduces Squid 5
RHEL 9 is distributed with Squid 5.1, a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. This release provides a number of bug fixes, security fixes, new features, and enhancements over version 4 available in RHEL 8.
- Squid improves responsiveness by using the Happy Eyeballs (HE) algorithm.
- Squid now uses a received IP address as soon as request forwarding requires it instead of waiting for all of the potential forwarding destinations to be fully resolved.
- New directives are now available:
- The dns_v4_first directive has been removed.
- Squid now uses the CDN-Loop header as a source for loop detection in Content Delivery Networks (CDN).
- Squid introduces peering support for SSL bumping.
- A new Internet Content Adaptation Protocol (ICAP) trailers feature is available, which enables ICAP agents to reliably send message metadata after the message body.
- Changes to configuration options:
  - The mark_client_packet configuration option has replaced
  - The shared_transient_entries_limit configuration option has replaced
Squid 5 is the initial version of this Application Stream, which you can install easily as an RPM package.
For more information, see Configuring the Squid caching proxy server.
MariaDB 10.5 in RHEL 9
RHEL 9 provides MariaDB 10.5.
MariaDB 10.5 is the initial version of this Application Stream, which you can install easily as an RPM package. Additional
MariaDB versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
For more information, see Using MariaDB.
RHEL 9 includes MySQL 8.0
RHEL 9 is distributed with MySQL 8.0.
MySQL 8.0 is the initial version of this Application Stream, which you can install easily as an RPM package.
RHEL 9 provides PostgreSQL 13
PostgreSQL 13 is available with RHEL 9.
PostgreSQL 13 is the initial version of this Application Stream, which you can install easily as an RPM package. Additional
PostgreSQL versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
For more information, see Using PostgreSQL.
Redis 6.2 in RHEL 9
RHEL 9 is distributed with
Redis 6.2, which provides a number of bug and security fixes and enhancements over version 6.0 available in RHEL 8.
Redis server configuration files are now located in a dedicated directory, for example /etc/redis/sentinel.conf. In the RHEL 8 version, the location of these files was
Redis 6 is the initial version of this Application Stream, which you can install easily as an RPM package. Additional
Redis versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
4.12. Compilers and development tools
GCC 11.2 is available
RHEL 9 Beta is distributed with GCC version 11.2. Notable bug fixes and enhancements include:
- GCC now defaults to the DWARF Version 5 debugging format.
- Column numbers shown in diagnostics represent real column numbers by default and respect multicolumn characters.
- The straight-line code vectorizer considers the whole function when vectorizing.
- A series of conditional expressions that compare the same variable can be transformed into a switch statement if each of them contains a comparison expression.
Interprocedural optimization improvements:
- A new IPA-modref pass, controlled by the -fipa-modref option, tracks side effects of function calls and improves the precision of points-to analysis.
- The identical code folding pass, controlled by the -fipa-icf option, was significantly improved to increase the number of unified functions and reduce compile-time memory use.
Link-time optimization improvements:
- Memory allocation during linking was improved to reduce peak memory use.
- Using a new GCC_EXTRA_DIAGNOSTIC_OUTPUT environment variable in IDEs, you can request machine-readable "fix-it hints" without adjusting build flags.
- C and C++ compilers support non-rectangular loop nests in OpenMP constructs and the allocator routines of the OpenMP 5.0 specification.
- The no_stack_protector attribute marks functions that should not be instrumented with stack protection (
- The malloc attribute can be used to identify allocator and deallocator API pairs.
- The new -Wsizeof-array-div, enabled by the -Wall option, warns about divisions of two sizeof operators when the first one is applied to an array and the divisor does not equal the size of the array element.
- -Wstringop-overread, enabled by default, warns about calls to string functions that try to read past the end of the arrays passed to them as arguments.
- -Wfree-nonheap-object detects more instances of calls to deallocation functions with pointers not returned from a dynamic memory allocation function.
- -Wmaybe-uninitialized diagnoses the passing of pointers and references to uninitialized memory to functions that take
- -Wuninitialized detects reads from uninitialized dynamically allocated memory.
Several new features from the upcoming C2X revision of the ISO C standard are supported with the -std=gnu2x options. For example:
- standard attribute is supported.
- The __has_c_attribute preprocessor operator is supported.
- Labels may appear before declarations and at the end of a compound statement.
The default mode is changed to
- The C++ library libstdc++ now has improved C++17 support.
Several new C++20 features are implemented. Note that C++20 support is experimental.
For more information about the features, see C++20 Language Features.
- The C++ front end has experimental support for some of the upcoming C++23 draft features.
- -Wctad-maybe-unsupported, disabled by default, warns about performing class template argument deduction on a type with no deduction guides.
- -Wrange-loop-construct, enabled by -Wall, warns when a range-based for loop is creating unnecessary and resource-inefficient copies.
- -Wmismatched-new-delete, enabled by -Wall, warns about calls to operator delete with pointers returned from mismatched forms of operator new or from other mismatched allocation functions.
- -Wvexing-parse, enabled by default, warns about the most vexing parse rule: the cases when a declaration looks like a variable definition, but the C++ language requires it to be interpreted as a function declaration.
The 64-bit ARM architecture
The Armv8-R architecture is supported through the
- GCC can autovectorize operations performing addition, subtraction, multiplication, and the accumulate and subtract variants on complex numbers.
AMD and Intel 64-bit architectures
- The following Intel CPUs are supported: Sapphire Rapids, Alder Lake, and Rocket Lake.
- New ISA extension support for Intel AVX-VNNI is added. The -mavxvnni compiler switch controls the AVX-VNNI intrinsics.
AMD CPUs based on the znver3 core are supported with the new
Three microarchitecture levels defined in the x86-64 psABI supplement are supported with the new
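The following is an added example, not code from the release notes or from GCC: it shows two of the bug classes that the new GCC 11 diagnostics listed above (-Wsizeof-array-div and -Wstringop-overread) are meant to catch, each next to the correct form. The struct, array and function names are illustrative.

```c
/* Added example (not from the RHEL notes or from GCC).
 * Build with:  gcc -Wall -O2 -c gcc11_warnings.c
 * With GCC 11 the bad_* functions produce -Wsizeof-array-div and
 * -Wstringop-overread diagnostics; the good_* functions compile silently. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size table; any element wider than the divisor shows the bug. */
struct acl_entry { unsigned uid; unsigned perms; };
static struct acl_entry acl[4];

/* BUG: the divisor is sizeof(unsigned), not the element size.
 * GCC 11 -Wall reports -Wsizeof-array-div. The count comes out as 8, not 4,
 * and any loop bounded by it reads four entries past the end of acl. */
size_t bad_count(void)
{
    return sizeof(acl) / sizeof(unsigned);
}

/* Correct: divide by the size of an element of that same array. */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

size_t good_count(void)
{
    return ARRAY_LEN(acl);
}

/* A 4-byte tag with no terminating NUL, as found in binary headers. */
static const char tag[4] = { 'R', 'H', 'E', 'L' };

/* BUG: strlen() keeps reading until it finds a NUL somewhere past tag[3].
 * GCC 11 reports -Wstringop-overread ("argument missing terminating nul").
 * It is never called here: at run time this is undefined behaviour. */
size_t bad_tag_len(void)
{
    return strlen(tag);
}

/* Correct: bound the scan by the array size (a portable strnlen). */
size_t good_tag_len(void)
{
    size_t n = 0;
    while (n < sizeof(tag) && tag[n] != '\0')
        n++;
    return n;
}

int main(void)
{
    printf("bad_count=%zu good_count=%zu tag_len=%zu\n",
           bad_count(), good_count(), good_tag_len());
    return 0;
}
```

bad_count() is the form that survives code review because it looks like the idiom; the new warning is worth turning into an error (-Werror=sizeof-array-div) in builds that handle untrusted input, since an element count that is too large becomes an out-of-bounds read or write the first time the loop runs to the end.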
GCC defaults to IBM z14
RHEL 9 Beta is distributed with GCC 11.2 that defaults to the IBM z14 processor.
GCC defaults to IBM POWER9
RHEL 9 Beta is distributed with GCC 11.2 that defaults to the IBM POWER9 processor.
Link time optimization in GCC
Link time optimization (LTO) enables the compiler to perform various optimizations across all translation units of your program by using its intermediate representation at link time. For more information, see Link time optimization.
Updated performance tools and debuggers
The following performance tools and debuggers are available with RHEL 9.0 Beta:
- GDB 10.2
- Valgrind 3.17.0
- SystemTap 4.5
- Dyninst 11.0.0
- elfutils 0.185
DAWR functionality improved in GDB on IBM POWER10
RHEL 9 Beta is distributed with GDB 10.2 that provides improved DAWR functionality. New hardware watchpoint capabilities are enabled for GDB on the IBM POWER10 processors. For example, a new set of DAWR/DAWRX registers has been added.
GDB supports new prefixed instructions on IBM POWER10
GDB 10.2 fully supports the Power ISA 3.1 prefixed instructions on POWER10, which include eight-byte prefixed instructions. In RHEL 8.4, GDB only supported four-byte instructions.
Notable changes in LLVM Toolset 12.0.1
RHEL 9 Beta is distributed with LLVM Toolset 12.0.1. Notable changes include:
- The new compiler flag -march=x86-64-v has been added.
- The compiler flag
- The clang compiler is now the default on Linux AArch64/PowerPC.
- The clang compiler now supports the C++20 likelihood attributes [[likely]] and [[unlikely]].
- The new function attribute tune-cpu has been added. It allows microarchitectural optimizations to be applied independently from the target-cpu attribute or TargetMachine CPU.
- The new sanitizer -fsanitize=unsigned-shift-base has been added to the integer sanitizer -fsanitize=integer to improve security.
- Code generation on PowerPC targets has been optimized.
- The WebAssembly backend is now enabled in LLVM. With this enhancement, you can generate WebAssembly binaries with LLVM and Clang.
For more information, see Using LLVM Toolset.
Notable changes in CMake 3.20.2
RHEL 9 Beta is distributed with CMake 3.20.2. To use CMake on a project that requires version 3.20.2 or less, use the command
Notable changes include:
- C++23 compiler modes can now be specified by using the target properties OBJCXX_STANDARD, or by using the cxx_std_23 meta-feature of the compile features function.
- CUDA language support now allows the NVIDIA CUDA compiler to be a symbolic link.
- The Intel oneAPI NextGen LLVM compilers are now supported with the IntelLLVM compiler ID.
- CMake now facilitates cross compiling for Android by merging with the Android NDK’s toolchain file.
- When running cmake(1) to generate a project build system, unknown command-line arguments starting with a hyphen are now rejected.
For further information on new features and deprecated functionalities, see the CMake Release Notes.
Notable changes in Rust Toolset 1.54.0
RHEL 9 Beta is distributed with Rust Toolset 1.54.0. Notable changes include:
- The Rust standard library is now available for the wasm32-unknown-unknown target. With this enhancement, you can generate WebAssembly binaries, including newly stabilized intrinsics.
- It is now possible to use constant-value parameters to define generics. With this change, you can write functions completely generic over the values of any integer, boolean, or character type, and arrays generic over their element type as well as their length. Moreover, it is now possible to iterate items from an array by value using the new standard library’s array type API
- Rust now includes the IntoIterator implementation for arrays. With this enhancement, you can use the IntoIterator trait to iterate over arrays by value and pass arrays to methods. However, array.into_iter() still iterates values by reference until the 2021 edition of Rust.
- The syntax for or patterns now allows nesting anywhere in the pattern. For example:
- Unicode identifiers can now contain all valid identifier characters as defined in the Unicode Standard Annex #31.
- Methods and trait implementations have been stabilized.
For more information, see Using Rust Toolset.
Notable changes in Go Toolset 1.16.6
RHEL 9 Beta is distributed with Go Toolset 1.16.6. Notable changes include:
- The GO111MODULE environment variable is now set to on by default. To revert this setting, change
- The Go linker now uses fewer resources and improves code robustness and maintainability. The change applies to all supported CPU architectures and operating systems.
- With the new embed package you can access embedded files while compiling.
- All functions of the io/ioutil package have been moved to the os packages. While you can still use io/ioutil, the os packages provide better definitions.
- The Delve debugger has been rebased to 1.6.0 so that it supports Go Toolset 1.16.6.
For more information, see Using Go Toolset.
Go FIPS mode is supported with OpenSSL 3
You can now use the OpenSSL 3 library when in Go FIPS mode.
Active Directory authentication for accessing SQL Server metrics in PCP
With this update, a system administrator can configure pmdamssql(1) to connect securely to the SQL Server metrics using Active Directory (AD) authentication.
Accessing remote hosts through a central pmproxy for the Vector data source in
In some environments, the network policy does not allow connections from the dashboard viewer’s browser to the monitored hosts directly. This update makes it possible to customize the hostspec in order to connect to a central pmproxy, which forwards the requests to the individual hosts.
pcp rebased to 5.3.1
The Performance Co-Pilot (PCP) package has been rebased to version 5.3.1. This release includes bug fixes, enhancements, and new features. The most notable changes include:
- Scalability improvements, which now support a large number of hosts to have performance metrics centrally logged (pmlogger farms) and automatically monitored with performance rules (
- Supports the new pcp-ss tool for historical socket statistics.
- Improvements to the
- Added extensions to the over-the-wire PCP protocol, which now support higher resolution timestamps.
grafana-pcp rebased to version 3.1.0
The grafana-pcp package has been rebased to version 3.1.0. The rebase provides the following notable changes over the previous version:
- Updated Performance Co-Pilot Vector Checklist dashboards to show the new time series panel, display units in graphs, and update help texts.
- Added hostspec variables to the Performance Co-Pilot Vector Host Overview and Performance Co-Pilot Checklist dashboards.
- Updated all dashboards to show
- Updated all dashboards as read only.
- Added compatibility with Grafana 8.
grafana rebased to version 7.5.9
The grafana package has been rebased to version 7.5.9. This rebase provides the following notable changes over the previous version:
- Supports the beta version of the new time series panel visualization.
- Supports the beta version of the new Pie chart panel visualization.
- Added alert support for Grafana Loki, a log aggregation tool.
- Added support for multiple new query transformations.
python-jsonpointer rebased to version 2.0
The python-jsonpointer module has been updated to version 2.0.
Notable changes include:
- The Python versions 2.6 and 3.3 are deprecated.
- The python-jsonpointer module now automatically checks pointers for invalid escape sequences.
- You can now write pointers as arguments in the command line.
- Pointers can no longer be submitted in URL-encoded format.
pcp-ss PCP utility is now available
The pcp-ss PCP utility reports socket statistics collected by the pmdasockets(1) PMDA. The command is compatible with many of the ss command line options and reporting formats. It also offers the advantages of local or remote monitoring in live mode and historical replay from a previously recorded PCP archive.
Java implementations in RHEL 9
The RHEL 9 AppStream repository includes:
- java-17-openjdk packages, which provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.
- java-11-openjdk packages, which provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.
- java-1.8.0-openjdk packages, which provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.
For more information, see OpenJDK documentation.
Java tools in RHEL 9
The RHEL 9 AppStream repository includes the following Java tools:
Maven 3.6.3, a software project management and comprehension tool.
Ant 1.10.9, a Java library and command-line tool for compiling, assembling, testing, and running Java applications.
Maven 3.6 and
Ant 1.10 are the initial versions of these Application Streams, which you can install easily as RPM packages.
SWIG 4.0 available in the CRB repository
The Simplified Wrapper and Interface Generator (SWIG) version 4.0 is available in the CodeReady Linux Builder (CRB) repository. In RHEL 9, you can install
SWIG easily as an RPM package.
Note that packages included in the CodeReady Linux Builder repository are unsupported.
4.13. Identity Management
Improved the SSSD debug logging by adding a unique identifier tag for each request
As SSSD processes requests asynchronously, it is not easy to follow log entries for individual requests in the backend logs, as messages from different requests are added to the same log file. To improve the readability of debug logs, a unique request identifier is now added to log messages in the form of RID#<integer>. This allows you to isolate logs pertaining to an individual request, and you can track requests from start to finish across log files from multiple SSSD components.
For example, the following sample output from an SSSD log file shows the unique identifiers RID#3 and RID#4 for two different requests:
(2021-07-26 18:26:37): [be[testidm.com]] [dp_req_destructor] (0x0400): RID#3 Number of active DP request: 0
(2021-07-26 18:26:37): [be[testidm.com]] [dp_req_reply_std] (0x1000): RID#3 DP Request AccountDomain #3: Returning [Internal Error]: 3,1432158301,GetAccountDomain() not supported
(2021-07-26 18:26:37): [be[testidm.com]] [dp_attach_req] (0x0400): RID#4 DP Request Account #4: REQ_TRACE: New request. sssd.nss CID #1 Flags [0x0001].
(2021-07-26 18:26:37): [be[testidm.com]] [dp_attach_req] (0x0400): RID#4 Number of active DP request: 1
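The following is an added example, not part of SSSD or of the release notes: a small filter that isolates one request's lines by its RID#<n> tag, run over the sample log shown above (embedded here as a constant so it works offline). The function names are the example's own. It takes care that RID#3 does not also match a line tagged RID#30, and that the "CID #1" token in the same line is not mistaken for a request ID.

```c
/* Added example (not SSSD code): select SSSD log lines by request id. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The sample backend log from the release notes, embedded for offline use. */
static const char *SAMPLE_LOG =
"(2021-07-26 18:26:37): [be[testidm.com]] [dp_req_destructor] (0x0400): RID#3 Number of active DP request: 0\n"
"(2021-07-26 18:26:37): [be[testidm.com]] [dp_req_reply_std] (0x1000): RID#3 DP Request AccountDomain #3: Returning [Internal Error]: 3,1432158301,GetAccountDomain() not supported\n"
"(2021-07-26 18:26:37): [be[testidm.com]] [dp_attach_req] (0x0400): RID#4 DP Request Account #4: REQ_TRACE: New request. sssd.nss CID #1 Flags [0x0001].\n"
"(2021-07-26 18:26:37): [be[testidm.com]] [dp_attach_req] (0x0400): RID#4 Number of active DP request: 1\n";

/* Return the request id tagged on one log line (len bytes, no newline), or -1
 * if the line carries no RID# tag. The tag must be "RID#" immediately followed
 * by digits; strtol stops at the first non-digit, so "RID#30" yields 30 and
 * never matches a search for 3. */
long line_rid(const char *line, size_t len)
{
    for (size_t i = 0; i + 4 < len; i++) {
        if (memcmp(line + i, "RID#", 4) == 0 && isdigit((unsigned char)line[i + 4]))
            return strtol(line + i + 4, NULL, 10);
    }
    return -1;
}

/* Walk a multi-line log and count the lines tagged with request `rid`.
 * If `out` is non-NULL, the matching lines are also copied there, newline
 * separated and NUL-terminated, as long as they fit in out_size bytes. */
int filter_rid(const char *log, long rid, char *out, size_t out_size)
{
    int matched = 0;
    size_t used = 0;
    const char *p = log;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (line_rid(p, len) == rid) {
            matched++;
            if (out && used + len + 1 < out_size) {
                memcpy(out + used, p, len);
                used += len;
                out[used++] = '\n';
            }
        }
        p = nl ? nl + 1 : p + len;
    }
    if (out && out_size)
        out[used] = '\0';
    return matched;
}

int main(void)
{
    static char buf[4096];
    int n = filter_rid(SAMPLE_LOG, 3, buf, sizeof buf);
    printf("%d line(s) for RID#3:\n%s", n, buf);
    return 0;
}
```

In practice you would feed it the concatenation of the backend log and the responder logs (for example sssd_nss.log), since the RID survives across SSSD components; the exact-tag matching is what keeps the per-request view from picking up unrelated requests once IDs grow past one digit.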
ansible-freeipa is now available in the AppStream repository with all dependencies
Previously in RHEL 8, before installing the ansible-freeipa package, you first had to enable the Ansible repository and install the ansible package. In RHEL 9, you can install ansible-freeipa without any preliminary steps. Installing ansible-freeipa automatically installs ansible-core as a dependency. Both packages are available in the AppStream repository.
ansible-freeipa in RHEL 9 contains all the modules that it contained in RHEL 8.
IdM now supports the automember and server Ansible modules
With this update, the ansible-freeipa package contains the following modules:
- ipaautomember module: you can add, remove, and modify automember rules and conditions. As a result, future IdM users and hosts that meet the conditions will be assigned to IdM groups automatically.
- ipaserver module: you can ensure various parameters of the presence or absence of a server in the IdM topology. You can also ensure that a replica is hidden or visible.
Support for managing subID ranges is available in IdM
With this update, you can manage ID subranges for users in Identity Management. You can use the
ipa CLI tool or IdM WebUI interface to assign automatically configured subID ranges to a user, which might be useful in a containerized environment.
Automatic private groups for AD users support centralized configuring
You can now centrally define how compatible versions of SSSD on IdM clients manage private groups for users from trusted Active Directory domains. With this enhancement, you can now explicitly set the value for SSSD’s auto_private_groups option for an ID range that handles AD users.
If the auto_private_groups option is not explicitly set, it uses a default value:
- For an ipa-ad-trust-posix ID range, the default value is false. SSSD always uses the gidNumber of the AD entry. A group with the gidNumber must exist in AD.
- For an ipa-ad-trust ID range, the default value is true. SSSD maps the uidNumber from the entry SID, the gidNumber is always set to the same value, and a private group is always mapped.
You can also set auto_private_groups to a third setting: hybrid. With this setting, SSSD maps a private group if the user entry has a GID equal to the UID but there is no group with this GID. If the UID and GID are different, a group with this GID number must exist.
This feature is useful for administrators that want to stop maintaining separate group objects for the user private groups, but also want to retain the existing user private groups.
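The following is an added example, not SSSD code and not from the release notes: the three auto_private_groups settings and the two per-range defaults described above, written as a decision function over a user's uidNumber, gidNumber and whether a group object with that GID exists. The enum and function names are the example's own, and the case where the UID equals the GID and such a group does exist is read here as "use the existing group", which is what retaining existing user private groups implies.

```c
/* Added example (not SSSD code): primary-group resolution for AD users under
 * the false / true / hybrid settings of auto_private_groups. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum apg_mode { APG_FALSE, APG_TRUE, APG_HYBRID, APG_UNSET };

enum apg_result {
    APG_MAP_PRIVATE,   /* a private group with GID == UID is synthesised */
    APG_USE_EXISTING,  /* the entry's gidNumber is used; that group exists */
    APG_NO_GROUP       /* the entry's gidNumber has no group: lookup fails */
};

/* Effective mode for an ID range: the explicit setting if there is one,
 * otherwise the defaults given above for the two trust range types.
 * Returns APG_UNSET for a range type this example does not know. */
enum apg_mode apg_effective_mode(const char *range_type, enum apg_mode configured)
{
    if (configured != APG_UNSET)
        return configured;
    if (strcmp(range_type, "ipa-ad-trust-posix") == 0)
        return APG_FALSE;           /* gidNumber is taken from the AD entry */
    if (strcmp(range_type, "ipa-ad-trust") == 0)
        return APG_TRUE;            /* gidNumber is always mapped to the UID */
    return APG_UNSET;
}

/* Decide what SSSD does for one user. group_exists says whether a group with
 * gidNumber `gid` exists (in AD, or mapped from a SID); it is the caller's
 * lookup result and is constructed in the tests below. */
enum apg_result resolve_primary_group(enum apg_mode mode, unsigned uid,
                                      unsigned gid, bool group_exists)
{
    switch (mode) {
    case APG_TRUE:
        /* gidNumber is forced to uidNumber; a private group is always mapped. */
        return APG_MAP_PRIVATE;
    case APG_FALSE:
        /* The entry's gidNumber is always used and the group must exist. */
        return group_exists ? APG_USE_EXISTING : APG_NO_GROUP;
    case APG_HYBRID:
        /* Private group only when GID == UID and no group with that GID exists.
         * Otherwise the GID must resolve to a real group. */
        if (uid == gid && !group_exists)
            return APG_MAP_PRIVATE;
        return group_exists ? APG_USE_EXISTING : APG_NO_GROUP;
    default:
        return APG_NO_GROUP;
    }
}

int main(void)
{
    /* Constructed inputs: a user whose gidNumber equals its uidNumber but
     * has no matching group object, under each mode. */
    const char *names[] = { "map private group", "use existing group", "no group: error" };
    for (enum apg_mode m = APG_FALSE; m <= APG_HYBRID; m++)
        printf("mode %d: %s\n", m, names[resolve_primary_group(m, 10000, 10000, false)]);
    return 0;
}
```

The hybrid row is the one that matters operationally: a user whose gidNumber was set to the UID by an old migration keeps resolving after the redundant group object is deleted, while a user with a distinct gidNumber that points at a missing group still fails loudly instead of silently getting a synthesised group.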
Customizable logging settings for BIND
With this enhancement, you can now configure logging settings for the BIND DNS server component of an Identity Management server in the /etc/named/ipa-logging-ext.conf configuration file.
Autodiscovery of IdM servers when retrieving an IdM keytab
With this enhancement, you no longer need to specify an IdM server host name when retrieving a Kerberos keytab with the ipa-getkeytab command. If you do not specify a server host name, DNS discovery is used to find an IdM server. If no servers are found, the command falls back to the host value specified in the /etc/ipa/default.conf configuration file.
The support for managing subID ranges is available in the shadow-utils
Previously, shadow-utils configured the subID ranges automatically from the /etc/subuid and /etc/subgid files. With this update, the configuration of subID ranges is available in the /etc/nsswitch.conf file by setting a value in the subid field. For more information, see man subuid and man subgid. Also, with this update, an SSSD implementation of the shadow-utils plugin is available, which provides the subID ranges from the IPA server. To use this functionality, add the subid: sss value to the /etc/nsswitch.conf file. This solution might be useful in a containerized environment to facilitate rootless containers.
Note that if the /etc/nsswitch.conf file is configured by the authselect tool, you must follow the procedures described in the authselect documentation. Otherwise, you can modify the /etc/nsswitch.conf file manually.
SSSD now logs backtraces by default
With this enhancement, SSSD now stores detailed debug logs in an in-memory buffer and appends them to log files when a failure occurs. By default, the following error levels trigger a backtrace:
- Level 0: fatal failures
- Level 1: critical failures
- Level 2: serious failures
You can modify this behavior for each SSSD process by setting the debug_level option in the corresponding section of the sssd.conf configuration file:
- If you set the debugging level to 0, only level 0 events trigger a backtrace.
- If you set the debugging level to 1, levels 0 and 1 trigger a backtrace.
- If you set the debugging level to 2 or higher, events at level 0 through 2 trigger a backtrace.
You can disable this feature per SSSD process by setting the debug_backtrace_enabled option to false in the corresponding section of the sssd.conf configuration file:
[sssd]
debug_backtrace_enabled = true
debug_level=0
...
[nss]
debug_backtrace_enabled = false
...
[domain/idm.example.com]
debug_backtrace_enabled = true
debug_level=2
...
...
GNOME updated to version 40
The GNOME environment is now updated from GNOME 3.28 to GNOME 40 with many new features.
GNOME 40 includes a new and improved Activities Overview design. This gives the overview a more coherent look, and provides an improved experience for navigating the system and launching applications. Workspaces are now arranged horizontally, and the window overview and application grid are accessed vertically.
Other improvements to GNOME include:
- The performance and resource usage of GNOME has been significantly improved.
- The visual style, including the user interface, the icons, and the desktop, has been refreshed.
- GNOME applications no longer use the application menu, which was available from the top panel. The functionality is now located in a primary menu within the application window.
- The Settings application has been redesigned.
- Screen sharing and remote desktop sessions have been improved.
If you use the proprietary NVIDIA drivers, you can now launch applications using the discrete GPU:
- Open the overview.
- Right-click the application icon in the dash.
- Select the Launch on Discrete GPU item in the menu.
- The Power Off / Log Out menu now includes the Suspend option and a new Restart option, which can reboot the system to the boot loader menu when you hold Alt.
- Flatpak applications now update automatically.
- You can now group application icons in the overview together into folders using drag and drop.
- The Terminal application now supports right-to-left and bi-directional text.
- The Pointer Location accessibility feature now works in the Wayland session. When the feature is enabled, pressing Ctrl highlights the pointer location on the screen.
- GNOME shell extensions are now managed by the Extensions application, rather than Software. The Extensions application handles updating extensions, configuring extension preferences, and removing or disabling extensions.
- The notifications popover now includes a Do Not Disturb button. When the button is enabled, notifications do not appear on the screen.
- System dialogs that require a password now have an option to reveal the password text by clicking the eye (👁) icon.
- The Software application now automatically detects metered networks, such as mobile data networks. When the current network is metered, Software pauses updates in order to reduce data usage.
- Each connected display can now use a different refresh rate in the Wayland session.
Fractional display scaling is available as an experimental option. It includes several preconfigured fractional ratios.
To enable the experimental fractional scaling, add the scale-monitor-framebuffer value to the list of enabled experimental features:
$ dconf write \
    /org/gnome/mutter/experimental-features \
    "['scale-monitor-framebuffer']"
As a result, fractional scaling options are accessible on the Display panel in Settings.
For more details on the changes in GNOME, see versions 3.30 to 40.0 in Release Notes.
PipeWire is now the default audio service
The PipeWire service now manages all audio output and input. PipeWire replaces the PulseAudio service in general use cases and the JACK service in professional use cases. The system now redirects audio from applications that use PulseAudio, JACK, or the ALSA framework into PipeWire.
Benefits of PipeWire over the previous solutions include:
- A unified solution for consumer and professional users
- A flexible, modular architecture
- High performance and low latency, similar to the JACK service
- Isolation between audio clients for better security
You no longer have to configure the JACK service for applications that use it. All JACK applications now work in the default RHEL configuration.
Power profiles are available in GNOME
You can now switch between several power profiles in the Power panel of Settings in the GNOME environment. The power profiles optimize various system settings for the selected goal.
The following power profiles are available:
- Performance: Optimizes for high system performance and reduces battery life. This profile is only available on certain selected system configurations.
- Balanced: Provides standard system performance and power consumption. This is the default profile.
- Power Saver: Increases battery life and reduces system performance. This profile activates automatically on low battery.
Your power profile configuration persists across system reboots.
The power profiles functionality is available from the power-profiles-daemon package, which is installed by default.
Boot loader menu hidden by default
The GRUB boot loader is now configured to hide the boot menu by default if RHEL is the only installed operating system and if the previous boot succeeded. This results in a smoother boot experience on such systems.
To access the boot menu, use one of the following options:
- Repeatedly press Esc after booting the system.
- Repeatedly press F8 after booting the system.
- Hold Shift during boot.
To disable this function and configure the boot loader menu to display by default, use the following command:
# grub2-editenv - unset menu_auto_hide
Boot loader configuration files are unified across CPU architectures
Configuration files for the GRUB boot loader are now stored in the /boot/grub2/ directory on all supported CPU architectures. The /boot/efi/EFI/redhat/grub.cfg file, which GRUB previously used on UEFI systems, is now a symbolic link to the /boot/grub2/grub.cfg file.
This change simplifies the layout of the GRUB configuration file, improves user experience, and provides the following notable benefits:
- You can boot the same installation with either EFI or legacy BIOS.
- You can use the same documentation and commands for all architectures.
- GRUB configuration tools are more robust, because they no longer rely on symbolic links and they do not have to handle platform-specific cases.
- The usage of the GRUB configuration files is aligned with images generated by CoreOS Assembler (COSA) and OSBuild.
- The usage of the GRUB configuration files is aligned with other Linux distributions.
Langpacks replace comps language groups
Support for various languages is now available from langpacks packages. You can customize the level of language support that you want to install using the following package names, where code is the short ISO code for the language, such as es for Spanish:
- langpacks-core-code: Provides basic language support, including:
  - The default font
  - The default input method if the language requires it
- langpacks-core-font-code: Provides only the default font for the language.
- langpacks-code: Provides complete language support, including the following in addition to the basic language support:
  - Spell checker dictionaries
  - Additional fonts
In previous RHEL releases, language support was available from comps language groups. To enable support for a language, you previously installed the code-support package. The langpacks-code packages now replace the comps language groups.
Lightweight, single-application environment
For graphical use cases that only present a single application, a lightweight user interface (UI) is now available.
You can start GNOME in a single-application session, also known as kiosk mode. In this session, GNOME displays only a full-screen window of an application that you have configured.
The single-application session is significantly less resource intensive than the standard GNOME session.
For more information, see Restricting the session to a single application.
4.15. Red Hat Enterprise Linux System Roles
The Storage RHEL System Role now supports LVM VDO volumes
With this enhancement, you can use the Storage System Role to manage Logical Volume Manager (LVM) Virtual Data Optimizer (VDO) volumes. LVM manages the VDO volumes, and with this feature it is now possible to compress and deduplicate data on LVM volumes. As a result, VDO helps to optimize the usage of the storage volumes.
Support for volume sizes expressed as a percentage is available in the Storage System Role
This enhancement adds support to the Storage RHEL System Role to express LVM volume sizes as a percentage of the pool's total size. You can specify the size of LVM volumes as a percentage of the pool/VG size, for example 50%, in addition to the human-readable size of the file system, for example 10g or 50 GiB.
Support for configuring multiple elasticsearch hosts in one elasticsearch output dictionary
Previously, the server_host parameter took a string value for a single host. This enhancement aligns it with the underlying rsyslog omelasticsearch specification, so it now also takes a list of strings to support multiple hosts. As a result, users can configure multiple elasticsearch hosts in one elasticsearch output dictionary.
The SSHD RHEL System Role now supports non-exclusive configuration snippets
With this feature, you can configure SSHD through different roles and playbooks without rewriting the previous configurations by using namespaces. Namespaces are similar to a drop-in directory, and define non-exclusive configuration snippets for SSHD. As a result, you can use the SSHD RHEL System Role from a different role, if you need to configure only a small part of the configuration and not the entire configuration file.
Network Time Security (NTS) option added to the timesync RHEL System Role
The NTS option was added to the Timesync RHEL System Role to enable NTS on client servers. NTS is a new security mechanism specified for Network Time Protocol (NTP). NTS can secure synchronization of NTP clients without client-specific configuration and can scale to large numbers of clients. The NTS option is supported only with the chrony NTP provider in version 4.0 and later.
QEMU uses Clang
The QEMU emulator is now built using the Clang compiler. This enables the RHEL 9 KVM hypervisor to use a number of advanced security and debugging features, and makes future feature development more efficient.
SafeStack for virtual machines
In RHEL 9 on AMD64 and Intel 64 hardware (x86_64), the QEMU emulator can use SafeStack, an enhanced compiler-based stack protection feature. SafeStack reduces the ability of an attacker to exploit a stack-based buffer overflow to change return pointers in the stack and create Return-Oriented Programming (ROP) attacks. As a result, virtual machines hosted on RHEL 9 are significantly more secure against ROP-based vulnerabilities.
4.17. RHEL in cloud environments
WALinuxAgent rebased to 126.96.36.199
The Windows Azure Linux Agent (WALinuxAgent) has been upgraded to upstream version 188.8.131.52, which introduces a number of bug fixes and enhancements. Most notably:
- Support for the RequiredFeatures and GoalStateAggregateStatus APIs has been added.
- Fallback locations for extension manifests have been added.
- Missing calls to str.format() have been added when creating exceptions.
RHEL on Azure now supports MANA
RHEL 9 virtual machines running on Microsoft Azure can now use the Microsoft Azure Network Adapter (MANA).
Podman now supports secure short names
Short-name aliases for images can now be configured in the registries.conf file in the [aliases] table. The short-names modes are:
- Enforcing: If no matching alias is found during the image pull, Podman prompts the user to choose one of the unqualified-search registries. If the selected image is pulled successfully, Podman automatically records a new short-name alias in the $HOME/.cache/containers/short-name-aliases.conf file (rootless user) and in the /var/cache/containers/short-name-aliases.conf file (root user). If the user cannot be prompted (for example, stdin or stdout are not a TTY), Podman fails. Note that the short-name-aliases.conf file has precedence over the registries.conf file if both specify the same alias.
- Permissive: Similar to enforcing mode, but Podman does not fail if the user cannot be prompted. Instead, Podman searches in all unqualified-search registries in the given order. Note that no alias is recorded.
For example:
unqualified-search-registries=["registry.fedoraproject.org", "quay.io"]
[aliases]
"fedora"="registry.fedoraproject.org/fedora"
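The two short-name modes above, modelled as an added example (not Podman's own code): the alias tables, the unqualified-search registries and the pull_ok callback are constructed stand-ins for registries.conf, short-name-aliases.conf and a real image pull.

```python
"""Model of Podman's short-name modes from the release note.

Added illustration, not Podman's own code: the alias tables and the
unqualified-search registries are constructed in memory instead of being
read from registries.conf or short-name-aliases.conf, and pull_ok stands in
for an actual image pull.
"""
from dataclasses import dataclass, field


class ShortNameError(Exception):
    """Raised when an unqualified image name cannot be resolved."""


@dataclass
class ShortNameConfig:
    registries_aliases: dict                             # [aliases] table of registries.conf
    cached_aliases: dict = field(default_factory=dict)   # short-name-aliases.conf
    unqualified_search_registries: tuple = ("registry.fedoraproject.org", "quay.io")


def split_name(image):
    """Return (name, tag) for 'name' or 'name:tag'; the tag defaults to latest."""
    name, _, tag = image.partition(":")
    return name, tag or "latest"


def resolve_short_name(image, config, mode, interactive, pull_ok, choice=0):
    """Return the fully qualified reference for an unqualified image name.

    mode: "enforcing" or "permissive"; interactive: stdin and stdout are a TTY;
    pull_ok(reference) -> bool models the pull; choice is the index into
    unqualified-search-registries that a prompted user would pick.
    """
    name, tag = split_name(image)
    # short-name-aliases.conf has precedence over registries.conf for the same alias.
    alias = config.cached_aliases.get(name) or config.registries_aliases.get(name)
    if alias is not None:
        return f"{alias}:{tag}"
    if mode not in ("enforcing", "permissive"):
        raise ValueError(f"unknown short-name mode {mode!r}")
    if interactive:
        # Prompted pull: on success the chosen registry is recorded as a new alias.
        registry = config.unqualified_search_registries[choice]
        candidate = f"{registry}/{name}:{tag}"
        if not pull_ok(candidate):
            raise ShortNameError(f"pull of {candidate} failed")
        config.cached_aliases[name] = f"{registry}/{name}"
        return candidate
    if mode == "enforcing":
        raise ShortNameError(f"cannot prompt for {image!r}: stdin or stdout is not a TTY")
    # Permissive without a TTY: try every search registry in order; no alias is recorded.
    for registry in config.unqualified_search_registries:
        candidate = f"{registry}/{name}:{tag}"
        if pull_ok(candidate):
            return candidate
    raise ShortNameError(f"{image!r} not found in any unqualified-search registry")
```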
containers-common package is now available
The containers-common package has been added to the container-tools:latest module. The containers-common package contains common configuration files and documentation for the container tools ecosystem, such as Podman, Buildah and Skopeo.
Changes in the container-tools module
The container-tools module contains the Podman, Buildah, Skopeo, and runc tools. The rolling stream, represented by the container-tools:rhel8 stream in RHEL 8, is named container-tools:latest in RHEL 9. Similarly to RHEL 8, stable versions of container tools are going to be available in numbered streams (for example, 3.0).
For more information about the Container Tools Application Stream, see Container Tools AppStream - Content Availability.
Updating container images with new packages
For instance, to update the registry.access.redhat.com/rhel9-beta container image with the latest packages, use the following commands:
$ podman run -it registry.access.redhat.com/rhel9-beta
$ yum update -y && rm -rf /var/cache/yum
To install a particular package, use the following command:
$ yum install <package>
For more information, see Adding software to a running UBI container.
Note that for RHEL 9 Beta, updating or installing new packages in the image requires that you are running on an entitled host. You can use the Red Hat Enterprise Linux Developer Subscription for Individuals to gain access to entitled repositories at no cost.
For more information, see No-cost Red Hat Enterprise Linux Individual Developer Subscription: FAQs.
podman-py package is now available
The podman-py package has been added to the container-tools:3.0 stable module stream and the container-tools:latest module. The podman-py package is a library of bindings to use the RESTful API of Podman.
Control groups version 2 is now available
The previous version of control groups, cgroups version 1 (cgroups v1), caused performance problems with a variety of applications. The latest release of control groups, cgroups version 2 (cgroups v2), enables system administrators to limit resources for any application without causing performance problems.
This new version of control groups, cgroups v2, can be enabled in RHEL 8 and is enabled by default in RHEL 9.