Automatic FCP SCSI LUN scanning support in installer

The installer can now use the automatic LUN scanning when attaching FCP SCSI LUNs on IBM Z systems. Automatic LUN scanning is available for FCP devices operating in NPIV mode, if it is not disabled through the zfcp.allow_lun_scan kernel module parameter. It is enabled by default. It provides access to all SCSI devices found in the storage area network attached to the FCP device with the specified device bus ID. It is not necessary to specify WWPN and FCP LUNs anymore and it is sufficient to provide just the FCP device bus ID.

Image builder on-premise now supports the /boot partition customization

Image builder on-premise version now supports building images with custom /boot mount point partition size. You can specify the size of the /boot mount point partition in the blueprint customization, to increase the size of the /boot partition in case the default boot partition size is too small. For example:

Added the --allow-ssh kickstart option to enable password-based SSH root logins

During the graphical installation, you have an option to enable password-based SSH root logins. This functionality was not available in kickstart installations. With this update, an option --allow-ssh has been added to the rootpw kickstart command. This option enables the root user to login to the system using SSH with a password.

Boot loader menu hidden by default

The GRUB boot loader is now configured to hide the boot menu by default. This results in a smoother boot experience. The boot menu is hidden in all of the following cases:

Minimal RHEL installation now installs only the s390utils-core package

In RHEL 8.4 and later, the s390utils-base package is split into an s390utils-core package and an auxiliary s390utils-base package. As a result, setting the RHEL installation to minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you want to use the s390utils-base package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base using a kickstart file.

Image builder on-premise now supports uploading images to GCP

With this enhancement, you can use image builder CLI to build a gce image, providing credentials for the user or service account that you want to use to upload the images. As a result, image builder creates the image and then uploads the gce image directly to the GCP environment that you specified.

Image builder on-premise CLI supports pushing a container image directly to a registry

With this enhancement, you can push RHEL for Edge container images directly to a container registry after it has been built, using the image builder CLI. To build the container image:

Image builder on-premise users now customize their blueprints during the image creation process

With this update, the Edit Blueprint page was removed to unify the user experience in the image builder service and in the image builder app in cockpit-composer. Users can now create their blueprints and add their customization, such as adding packages, and create users, during the image creation process. The versioning of blueprints has also been removed so that blueprints only have one version: the current one. Users have access to older blueprint versions through their already created images.

RHEL for Edge now supports the fdo-admin cli utility

With this update, you can configure the FDO services directly across all deployment scenarios by using the CLI.

The subscription-manager utility displays the current status of actions

The subscription-manager utility now displays with progress information while it is processing the current operation. This is helpful when subscription-manager takes more than usual time to complete its operations related to server communication, for example, registration.

The modulesync command is now available to replace certain workflows in RHEL 9

In RHEL 9, modular packages cannot be installed without modular metadata. Previously, you could use the dnf command to download packages, and then use the createrepo_c command to redistribute those packages.

Cronie adds support for a randomized time within a selected range

The Cronie utility now supports the ~ (random within range) operator for cronjob execution. As a result, you can start a cronjob on a randomized time within the selected range.

ReaR adds new variables for executing commands before and after recovery

With this enhancement, ReaR introduces two new variables for easier automation of commands to be executed before and after recovery:

A new package: xmlstarlet

XMLStarlet is a set of command-line utilities for parsing, transforming, querying, validating, and editing XML files. The new xmlstarlet package provides a simple set of shell commands that you can use in a similar way as you use UNIX commands for plain text files such as grep, sed, awk, diff, patch, join, and other.

opencryptoki rebased to version 3.18.0

The opencryptoki package, which is an implementation of the Public-Key Cryptography Standard (PKCS) #11, has been updated to version 3.18.0. Notable improvements include:

powerpc-utils rebased to version 1.3.10

The powerpc-utils package, which provides various utilities for a PowerPC platform, has been updated to version 1.3.10. Notable improvements include:

The Redfish modules are now part of the redhat.rhel_mgmt Ansible collection

The redhat.rhel_mgmt Ansible collection now includes the following modules:

libvpd rebased to version 2.2.9

The libvpd package, which contains classes for accessing the Vital Product Data (VPD), has been updated to version 2.2.9. Notable improvements include:

lsvpd rebased to version 1.7.14

The lsvpd package, which provides commands for constituting a hardware inventory system, has been updated to version 1.7.14. With this update, the lsvpd utility prevents corruption of the database file when you run the vpdupdate command.

ppc64-diag rebased to version 2.7.8

The ppc64-diag package for platform diagnostics has been updated to version 2.7.8. Notable improvements include:

sysctl introduces identic syntax for arguments as systemd-sysctl

The sysctl utility from the procps-ng package, which you can use to modify kernel parameters at runtime, now uses the same syntax for arguments as the systemd-sysctl utility. With this update, sysctl now parses configuration files that contain hyphens (-) or globs (*) on configuration lines. For more information about the systemd-sysctl syntax, see the sysctl.d(5) man page.

Updated systemd-udevd assigns consistent network device names to InfiniBand interfaces

Introduced in RHEL 9, the new version of the systemd package contains the updated systemd-udevd device manager. The device manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd.

chrony now uses DHCPv6 NTP servers

The NetworkManager dispatcher script for chrony updates the Network time protocol (NTP) sources passed from Dynamic Host Configuration Protocol (DHCP) options. Since RHEL 9.1, the script uses NTP servers provided by DHCPv6 in addition to DHCPv4. The DHCP option 56 specifies the usage of DHCPv6, the DHCP option 42 is DHCPv4-specific.

chrony rebased to version 4.2

The chrony suite has been updated to version 4.2. Notable enhancements over version 4.1 include:

unbound rebased to version 1.16.2

The unbound component has been updated to version 1.16.2. unbound is a validating, recursive, and caching DNS resolver. Notable improvements include:

The password encryption function is now available in whois

The whois package now provides the /usr/bin/mkpasswd binary, which you can use to encrypt a password with the crypt C library interface.

frr rebased to version 8.2.2

The frr package for managing dynamic routing stack has been updated to version 8.2.2. Notable changes and enhancements over version 8.0 include:

TuneD real-time profiles now auto determine initial CPU isolation setup

TuneD is a service for monitoring your system and optimizing the performance profile. You can also isolate central processing units (CPUs) using the tuned-profiles-realtime package to give application threads the most execution time possible.

New packages: keylime

RHEL 9.1 introduces Keylime, a tool for attestation of remote systems, which uses the trusted platform module (TPM) technology. With Keylime, you can verify and continuously monitor the integrity of remote systems. You can also specify encrypted payloads that Keylime delivers to the monitored machines, and define automated actions that trigger whenever a system fails the integrity test.

New option in OpenSSH supports setting the minimum RSA key length

Accidentally using short RSA keys makes the system more vulnerable to attacks. With this update, you can set minimum RSA key lengths for OpenSSH servers and clients. To define the minimum RSA key length, use the new RequiredRSASize option in the /etc/ssh/sshd_config file for OpenSSH servers, and in the /etc/ssh/ssh_config file for OpenSSH clients.

crypto-policies enforce 2048-bit RSA key length minimum for OpenSSH by default

Using short RSA keys makes the system more vulnerable to attacks. Because OpenSSH now supports limiting minimum RSA key length, the system-wide cryptographic policies enforce the 2048-bit minimum key length for RSA by default.

New option in OpenSSL supports SHA-1 for signatures

OpenSSL 3.0.0 in RHEL 9 does not support SHA-1 for signature creation and verification by default (SHA-1 key derivation functions (KDF) and hash-based message authentication codes (HMAC) are still supported). However, to support backwards compatibility with RHEL 8 systems that still use SHA-1 for signatures, a new configuration option rh-allow-sha1-signatures is introduced to RHEL 9. This option, if enabled in the alg_section of openssl.cnf, permits the creation and verification of SHA-1 signatures.

crypto-policies now support sntrup761x25519-sha512@openssh.com

This update of the system-wide cryptographic policies adds support for the sntrup761x25519-sha512@openssh.com key exchange (KEX) method. The post-quantum sntrup761 algorithm is already available in the OpenSSH suite, and this method provides better security against attacks from quantum computers. To enable sntrup761x25519-sha512@openssh.com, create and apply a subpolicy, for example:

NSS no longer support RSA keys shorter than 1023 bits

The update of the Network Security Services (NSS) libraries changes the minimum key size for all RSA operations from 128 to 1023 bits. This means that NSS no longer perform the following functions:

SELinux policy confines additional services

The selinux-policy packages have been updated, and therefore the following services are now confined by SELinux:

SELinux supports the self keyword in type transitions

SELinux tooling now supports type transition rules with the self keyword in the policy sources. Support for type transitions with the self keyword prepares the SELinux policy for labeling of anonymous inodes.

SELinux user-space packages updated

SELinux user-space packages libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, and mcstrans were updated to the latest upstream release 3.4. The most notable changes are:

SELinux automatic relabeling is now parallel by default

Because the newly introduced parallel relabeling option significantly reduces the time required for the SELinux relabeling process on multi-core systems, the automatic relabeling script now contains the -T 0 option in the fixfiles command line. The -T 0 option ensures that the setfiles program uses the maximum of available processor cores for relabeling by default.

SCAP Security Guide rebased to 0.1.63

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.63. This version provides various enhancements and bug fixes, most notably:

Added a maximum size option for Rsyslog error files

Using the new action.errorfile.maxsize option, you can specify a maximum number of bytes of the error file for the Rsyslog log processing system. When the error file reaches the specified size, Rsyslog cannot write any additional errors or other data in it. This prevents the error file from filling up the file system and making the host unusable.

clevis-luks-askpass is now enabled by default

The /lib/systemd/system-preset/90-default.preset file now contains the enable clevis-luks-askpass.path configuration option and the installation of the clevis-systemd sub-package ensures that the clevis-luks-askpass.path unit file is enabled. This enables the Clevis encryption client to unlock also LUKS-encrypted volumes that mount late in the boot process. Before this update, the administrator must use the systemctl enable clevis-luks-askpass.path command to enable Clevis to unlock such volumes.

fapolicyd rebased to 1.1.3

The fapolicyd packages have been upgraded to version 1.1.3. Notable improvements and bug fixes include:

The act_ctinfo kernel module has been added

This enhancement adds the act_ctinfo kernel module to RHEL. Using the ctinfo action of the tc utility, administrators can copy the conntrack mark or the value of the differentiated services code point (DSCP) of network packets into the socket buffer’s mark metadata field. As a result, you can use conditions based on the conntrack mark or the DSCP value to filter traffic. For further details, see the tc-ctinfo(8) man page.

cloud-init updates network configuration at every boot on Microsoft Azure

Microsoft Azure does not change the instance ID when an administrator updates the network interface configuration while a VM is offline. With this enhancement, the cloud-init service always updates the network configuration when the VM boots to ensure that RHEL on Microsoft Azure uses the latest network settings.

The PTP driver now supports virtual clocks and time stamping

With this enhancement, the Precision Time Protocol (PTP) driver can create virtual PTP Hardware Clocks (PHCs) on top of a free-running PHC by writing to /sys/class/ptp/ptp*/n_vclocks. As a result, users can run multiple domain synchronization with hardware time stamps on one interface.

firewalld was rebased to version 1.1.1

The firewalld packages have been upgraded to version 1.1.1. This version provides multiple bug fixes and enhancements over the previous version:

NetworkManager now supports advmss, rto_min, and quickack route attributes

With this enhancement, administrators can configure the ipv4.routes setting with the following attributes:

Support for the 802.ad vlan-protocol option in nmstate

The nmstate API now supports creating the linux-bridge interfaces using the 802.ad vlan-protocol option. This feature enables the configuration of Service-Tag VLANs. The following example illustrates usage of this functionality in a yaml configuration file.

The firewalld service can forward NAT packets originating from the local host to a different host and port

You can forward packets sent from the localhost that runs the firewalld service to a different destination port and IP address. The functionality is useful, for example, to forward ports on the loopback device to a container or a virtual machine. Prior to this change, firewalld could only forward ports when it received a packet that originated from another host. For more details and an illustrative configuration, see Using DNAT to forward HTTPS traffic to a different host.

NetworkManager now supports migration from ifcfg-rh to key file

Users can migrate their existing connection profile files from the ifcfg-rh format to the key file format. This way, all connection profiles will be in one location and in the preferred format. The key file format has the following advantages:

More DHCP and IPv6 auto-configuration attributes have been added to the nmstate API

This enhancement adds support for the following attributes to the nmstate API:

NetworkManager now clearly indicates that WEP support is not available in RHEL 9

The wpa_supplicant packages in RHEL 9.0 and later no longer contain the deprecated and insecure Wired Equivalent Privacy (WEP) security algorithm. This enhancement updates NetworkManager to reflect these changes. For example, the nmcli device wifi list command now returns WEP access points at the end of the list in gray color, and connecting to a WEP-protected network returns a meaningful error message.

The MPTCP code has been updated

The MultiPath TCP (MPTCP) code in the kernel has been updated and upstream Linux 5.19. This update provides a number of bug fixes and enhancements over the previous version:

Kernel version in RHEL 9.1

Red Hat Enterprise Linux 9.1 is distributed with the kernel version 5.14.0-162.

Memory consumption of the list_lru has been optimized

The internal kernel data structure, list_lru, tracks the "Least Recently Used" status of kernel inodes and directory entries for files. Previously, the number of list_lru allocated structures was directly proportional to the number of mount points and the number of present memory cgroups. Both these numbers increased with the number of running containers leading to memory consumption of O(n^2) where n is the number of running containers. This update optimizes the memory consumption of list_lru in the system to O(n). As a result, sufficient memory is now available for the user applications, especially on the systems with a large number of running containers.

BPF rebased to Linux kernel version 5.16

The Berkeley Packet Filter (BPF) facility has been rebased to Linux kernel version 5.16 with multiple bug fixes and enhancements. The most notable changes include:

BTF data is now located in the kernel module

BPF Type Format (BTF) is the metadata format that encodes the debug information related to BPF program and map. Previously, the BTF data for kernel modules was stored in the kernel-debuginfo package. As a consequence, it was necessary to install the corresponding kernel-debuginfo package in order to use BTF for kernel modules. With this update, the BTF data is now located directly in the kernel module. As a result, you do not need to install any additional packages for BTF to work.

The kernel-rt source tree has been updated to RHEL 9.1 tree

The kernel-rt sources have been updated to use the latest Red Hat Enterprise Linux kernel source tree. The real-time patch set has also been updated to the latest upstream version, v5.15-rt. These updates provide a number of bug fixes and enhancements.

Dynamic preemptive scheduling enabled on ARM and AMD and Intel 64-bit architectures

RHEL 9 provides the dynamic scheduling feature on the ARM and AMD and Intel 64-bit architectures. This enhancement enables changing the preemption mode of the kernel at boot or runtime instead of the compile time. The /sys/kernel/debug/sched/preempt file contains the current setting and allows runtime modification.

stalld rebased to version 1.17

The stalld program, which provides the stall daemon, is a mechanism to prevent the starvation state of operating system threads in a Linux system. This version monitors the threads for the starvation state. Starvation occurs when a thread is on a CPU run queue for longer than the starvation threshold.

The tpm2-tools package has been rebased to tpm2-tools-5.2-1 version

The tpm2-tools package has been rebased to version tpm2-tools-5.2-1. This upgrade provides many significant enhancements and bug fixes. Most notable changes include:

Intel E800 devices now support iWARP and RoCE protocols

With this enhancement, you can now use the enable_iwarp and enable_roce devlink parameters to turn on and off iWARP or RoCE protocol support. With this mandatory feature, you can configure the device with one of the protocols. The Intel E800 devices do not support both protocols simultaneously on the same port.

GRUB is signed by new keys

Due to security reasons, GRUB is now signed by new keys. As a consequence, you need to update the RHEL firmware to version FW1010.30 (or later) or FW1020 to be able to boot the little-endian variant of IBM Power Systems with the Secure Boot feature enabled.

Configurable disk access retries when booting a VM on IBM POWER

You can now configure how many times the GRUB boot loader retries accessing a remote disk when a logical partition (lpar) virtual machine (VM) boots on the IBM POWER architecture. Lowering the number of retries can prevent a slow boot in certain situations.

Stratis now enables setting the file system size upon creation

You can now set the required size when creating a file system. Previously, the automatic default size was 1 TiB. With this enhancement, users can set an arbitrary filesystem size. The lower limit must not go below 512 MiB.

Improved overprovision management of Stratis pools

With the improvements to the management of thin provisioning, you can now have improved warnings, precise allocation of space for the pool metadata, improved predictability, overall safety, and reliability of thin pool management. A new distinct mode disables overprovisioning. With this enhancement, the user can disable overprovisioning to ensure that a pool contains enough space to support all its file systems, even if these are completely full.

Stratis now provides improved individual pool management

You can now stop and start stopped individual Stratis pools. Previously, stratisd attempted to start all available pools for all devices it detected. This enhancement provides more flexible management of individual pools within Stratis, better debugging and recovery capabilities. The system no longer requires a reboot to perform recovery and maintenance operations for a single pool.

Enabled protocol specific configuration of multipath device paths

Previously due to different optimal configurations for the different protocols, it was impossible to set the configuration correctly without setting an option for each individual protocol. With this enhancement, users can now configure multipath device paths based on their path transport protocol. Use the protocol subsection of the overrides section in the /etc/multipath.conf file to correctly configure multipath device paths, based on their protocol.

New libnvme feature library

Previously, the NVMe storage command line interface utility (nvme-cli) included all of the helper functions and definitions. This enhancement brings a new libnvme library to RHEL 9.1. The library includes:

A new library libnvme is now available

With this update, nvme-cli is divided in two different projects: * nvme-cli now only contains the code specific to the nvme tool * libnvme library now contains all type definitions for NVMe specification structures, enumerations, bit fields, helper functions to construct, dispatch, decode commands and payloads, and utilities to connect, scan, and manage NVMe devices.

Support for High Availability on Red Hat OpenStack platform

You can now configure a high availability cluster on the Red Hat OpenStack platform. In support of this feature, Red Hat provides the following new cluster agents:

pcs supports updating multipath SCSI devices without requiring a system restart

You can now update multipath SCSI devices with the pcs stonith update-scsi-devices command. This command updates SCSI devices without causing a restart of other cluster resources running on the same node.

Support for cluster UUID

During cluster setup, the pcs command now generates a UUID for every cluster. Since a cluster name is not a unique cluster identifier, you can use the cluster UUID to identify clusters with the same name when you administer multiple clusters.

New pcs resource config command option to display the pcs commands that re-create configured resources

The pcs resource config command now accepts the --output-format=cmd option. Specifying this option displays the pcs commands you can use to re-create configured resources on a different system.

New pcs stonith config command option to display the pcs commands that re-create configured fence devices

The pcs stonith config command now accepts the --output-format=cmd option. Specifying this option displays the pcs commands you can use to re-create configured fence devices on a different system.

Pacemaker rebased to version 2.1.4

The Pacemaker packages have been upgraded to the upstream version of Pacemaker 2.1.4. Notable changes include:

Samba no longer automatically installed with cluster packages

As of this release, installing the packages for the RHEL High Availability Add-On no longer installs the Samba packages automatically. This also allows you to remove the Samba packages without automatically removing the HA packages as well. If your cluster uses Samba resources you must now manually install them.

The nodejs:18 module stream is now fully supported

The nodejs:18 module stream, previously available as a Technology Preview, is fully supported with the release of the RHSA-2022:8832 advisory. The nodejs:18 module stream now provides Node.js 18.12, which is a Long Term Support (LTS) version.

A new module stream: php:8.1

RHEL 9.1 adds PHP 8.1 as a new php:8.1 module stream.

A new module stream: ruby:3.1

RHEL 9.1 introduces Ruby 3.1.2 in a new ruby:3.1 module stream. This version provides a number of performance improvements, bug and security fixes, and new features over Ruby 3.0 distributed with RHEL 9.0.

httpd rebased to version 2.4.53

The Apache HTTP Server has been updated to version 2.4.53, which provides bug fixes, enhancements, and security fixes over version 2.4.51 distributed with RHEL 9.0.

A new default for the LimitRequestBody directive in httpd configuration

To fix CVE-2022-29404, the default value for the LimitRequestBody directive in the Apache HTTP Server has been changed from 0 (unlimited) to 1 GiB.

New package: httpd-core

Starting with RHEL 9.1, the httpd binary file with all essential files has been moved to the new httpd-core package to limit the Apache HTTP Server’s dependencies in scenarios where only the basic httpd functionality is needed, for example, in containers.

pcre2 rebased to version 10.40

The pcre2 package, which provides the Perl Compatible Regular Expressions library v2, has been updated to version 10.40.

The updated GCC compiler is now available for RHEL 9.1

The system GCC compiler, version 11.2.1, has been updated to include numerous bug fixes and enhancements available in the upstream GCC.

New GCC Toolset 12

GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

GCC Toolset 12: Annobin rebased to version 10.76

In GCC Toolset 12, the Annobin package has been updated to version 10.76.

GCC Toolset 12: binutils rebased to version 2.38

In GCC Toolset 12, the binutils package has been updated to version 2.38.

GCC 12 and later supports _FORTIFY_SOURCE level 3

With this enhancement, users can build applications with -D_FORTIFY_SOURCE=3 in the compiler command line when building with GCC version 12 or later. _FORTIFY_SOURCE level 3 improves coverage of source code fortification, thus improving security for applications built with -D_FORTIFY_SOURCE=3 in the compiler command line. This is supported in GCC versions 12 and later and all Clang in RHEL 9 with the __builtin_dynamic_object_size builtin.

DNS stub resolver option now supports no-aaaa option

With this enhancement, glibc now recognizes the no-aaaa stub resolver option in /etc/resolv.conf and the RES_OPTIONS environment variable. When this option is active, no AAAA queries will be sent over the network. System administrators can disable AAAA DNS lookups for diagnostic purposes, such as ruling out that the superfluous lookups on IPv4-only networks do not contribute to DNS issues.

Added support for IBM Z Series z16

The support is now available for the s390 instruction set with the IBM z16 platform. IBM z16 provides two additional hardware capabilities in glibc that are HWCAP_S390_VXRS_PDE2 and HWCAP_S390_NNPA. As a result, applications can now use these capabilities to deliver optimized libraries and functions.

Applications can use the restartable sequence features through the new glibc interfaces

To accelerate the sched_getcpu function (especially on aarch64), it is necessary to use the restartable sequences (rseq) kernel feature by default in glibc. To allow applications to continuously use the shared rseq area, glibc now provides the __rseq_offset, __rseq_size and __rseq_flags symbols which were first added in glibc 2.35 upstream version. With this enhancement, the performance of the sched_getcpu function is increased and applications can now use the restartable sequence features through the new glibc interfaces.

GCC Toolset 12: GDB rebased to version 11.2

In GCC Toolset 12, the GDB package has been updated to version 11.2.

GDB supports Power 10 PLT instructions

GDB now supports Power 10 PLT instructions. With this update, users are able to step into shared library functions and inspect stack backtraces using GDB version 10.2-10 and later.

The dyninst packaged rebased to version 12.1

The dyninst package has been rebased to version 12.1. Notable bug fixes and enhancements include:

A new fileset /etc/profile.d/debuginfod.*

Added new fileset for activating organizational debuginfod services. To get a system-wide debuginfod client activation you must add the URL to /etc/debuginfod/FOO.urls file.

Rust Toolset rebased to version 1.62.1

Rust Toolset has been updated to version 1.62.1. Notable changes include:

LLVM Toolset rebased to version 14.0.6

LLVM Toolset has been rebased to version 14.0.6. Notable changes include:

Go Toolset rebased to version 1.18.2

Go Toolset has been rebased to version 1.18.2.

A new module stream: maven:3.8

RHEL 9.1 introduces Maven 3.8 as a new module stream.

.NET version 7.0 is available

Red Hat Enterprise Linux 9.1 is distributed with .NET version 7.0. Notable improvements include:

SSSD now supports memory caching for SID requests

With this enhancement, SSSD now supports memory caching for SID requests, which are GID and UID lookups by SID and vice versa. Memory caching results in improved performance, for example, when copying large amounts of files to or from a Samba server.

The ipaservicedelegationtarget and ipaservicedelegationrule Ansible modules are now available

You can now use the ipaservicedelegationtarget and ipaservicedelegationrule ansible-freeipa modules to, for example, configure a web console client to allow an Identity Management (IdM) user that has authenticated with a smart card to do the following:

SSSD support for anonymous PKINIT for FAST

With this enhancement, SSSD now supports anonymous PKINIT for Flexible Authentication via Secure Tunneling (FAST), also called Kerberos armoring in Active Directory. Until now, to use FAST, a Kerberos keytab was needed to request the required credentials. You can now use anonymous PKINIT to create this credential cache to establish the FAST session.

IdM now supports Random Serial Numbers

With this update, Identity Management (IdM) now includes dogtagpki 11.2.0, which allows you to use Random Serial Numbers version 3 (RSNv3). You can enable RSNv3 by using the --random-serial-numbers option when running ipa-server-install or ipa-ca-install. With RSNv3 enabled, IdM generates fully random serial numbers for certificates and requests in PKI without range management. Using RSNv3, you can avoid range management in large IdM installations and prevent common collisions when reinstalling IdM.

IdM now supports a limit on the number of LDAP binds allowed after a user password has expired

With this enhancement, you can set the number of LDAP binds allowed when the password of an Identity Management (IdM) user has expired:

New ipasmartcard_server and ipasmartcard_client roles

With this update, the ansible-freeipa package provides Ansible roles to configure Identity Management (IdM) servers and clients for smart card authentication. The ipasmartcard_server and ipasmartcard_client roles replace the ipa-advise scripts to automate and simplify the integration. The same inventory and naming scheme are used as in the other ansible-freeipa roles.

IdM now supports configuring an AD Trust with Windows Server 2022

With this enhancement, you can establish a cross-forest trust between Identity Management (IdM) domains and Active Directory forests that use Domain Controllers running Windows Server 2022.

The ipa-dnskeysyncd and ipa-ods-exporter debug messages are no longer logged to /var/log/messages by default

Previously, ipa-dnskeysyncd, the service that is responsible for the LDAP-to-OpenDNSSEC synchronization, and ipa-ods-exporter, the Identity Management (IdM) OpenDNSSEC exporter service, logged all debug messages to /var/log/messages by default. As a consequence, log files grew substantially. With this enhancement, you can configure the log level by setting debug=True in the /etc/ipa/dns.conf file. For more information, refer to default.conf(5), the man page for the IdM configuration file.

samba rebased to version 4.16.1

The samba packages have been upgraded to upstream version 4.16.1, which provides bug fixes and enhancements over the previous version:

SSSD now supports direct integration with Windows Server 2022

With this enhancement, you can use SSSD to directly integrate your RHEL system with Active Directory forests that use Domain Controllers running Windows Server 2022.

Improved SSSD multi-threaded performance

Previously, SSSD serialized parallel requests from multi-threaded applications, such as Red Hat Directory Server and Identity Management. This update fixes all SSSD client libraries, such as nss and pam, so they do not serialize requests, therefore allowing requests from multiple threads to be executed in parallel for better performance. To enable the previous behavior of serialization, set the environment variable SSS_LOCKFREE to NO.

Directory Server now supports canceling the Auto Membership plug-in task.

Previously, the Auto Membership plug-in task could generate high CPU usage on the server if Directory Server has complex configuration (large groups, complex rules and interaction with other plugins). With this enhancement, you can cancel the Auto Membership plug-in task. As a result, performance issues no longer occur.

Directory Server now supports recursive delete operations when using ldapdelete

With this enhancement, Directory Server now supports the Tree Delete Control [1.2.840.113556.1.4.805] OpenLDAP control. As a result, you can use the ldapdelete utility to recursively delete subentries of a parent entry.

You can now set basic replication options during the Directory Server installation

With this enhancement, you can configure basic replication options like authentication credentials and changelog trimming during an instance installation using an .inf file.

Directory Server now supports instance creation by a non-root user

Previously, non-root users were not able to create Directory Server instances. With this enhancement, a non-root user can use the dscreate ds-root subcommand to configure an environment where dscreate,dsctl,dsconf commands are used as usual to create and administer Directory Server instances.

pki packages renamed to idm-pki

The following pki packages are now renamed to idm-pki to better distinguish between IDM packages and Red Hat Certificate System ones:

Wayland is now enabled with Matrox GPUs

The desktop session now enables the Wayland back end with Matrox GPUs.

12th generation Intel Core GPUs are now supported

This release adds support for several integrated GPUs for the 12th Gen Intel Core CPUs. This includes Intel UHD Graphics and Intel Xe integrated GPUs found with the following CPU models:

Support for new AMD GPUs

This release adds support for several AMD Radeon RX 6000 Series GPUs and integrated graphics of the AMD Ryzen 6000 Series CPUs.

Update progress page in the web console now supports an automatic restart option

The update progress page now has a Reboot after completion switch. This reboots the system automatically after installing the updates.

The network RHEL System Role supports network configuration using the nmstate API

With this update, the network RHEL System Role supports network configuration through the nmstate API. Users can now directly apply the configuration of the required network state to a network interface instead of creating connection profiles. The feature also allows partial configuration of a network. As a result, the following benefits exist:

Users can create connections with IPoIB capability using the network RHEL System Role

The infiniband connection type of the network RHEL System Role now supports the Internet Protocol over Infiniband (IPoIB) capability. To enable this feature, define a value to the p_key option of infiniband. Note that if you specify p_key, the interface_name option of the network_connections variable must be left unset. The previous implementation of the network RHEL System Role did not properly validate the p_key value and the interface_name option for the infiniband connection type. Therefore, the IPoIB functionality never worked before. For more information, see a README file in the /usr/share/doc/rhel-system-roles/network/ directory.

HA Cluster RHEL System Role now supports SBD fencing and configuration of Corosync settings

The HA Cluster System Role now supports the following features:

The network RHEL role now configures network settings for routing rules

Previously, you could route the packet based on the destination address field in the packet, but you could not define the source routing and other policy routing rules. With this enhancement, network RHEL role supports routing rules so that the users have control over the packet transmission or route selection.

The new previous:replaced configuration enables firewall system role to reset the firewall settings to default

System administrators who manage different sets of machines, where each machine has different pre-existing firewall settings, can now use the previous: replaced configuration in the firewall role to ensure that all machines have the same firewall configuration settings. The previous: replaced configuration can erase all the existing firewall settings and replace them with consistent settings.

New option in the postfix RHEL System Role for overwriting previous configuration

If you manage a group of systems which have inconsistent postfix configurations, you may want to make the configuration consistent on all of them. With this enhancement, you can specify the previous: replaced option within the postfix_conf dictionary to remove any existing configuration and apply the desired configuration on top of a clean postfix installation. As a result, you can erase any existing postfix configuration and ensure consistency on all the systems being managed.

Enhanced microsoft.sql.server RHEL system role

The following new variables are now available for the microsoft.sql.server RHEL system role:

The logging RHEL System Role supports options startmsg.regex and endmsg.regex in files inputs

With this enhancement, you can now filter log messages coming from files by using regular expressions. Options startmsg_regex and endmsg_regex are now included in the files’ input. The startmsg_regex represents the regular expression that matches the start part of a message, and the endmsg_regex represents the regular expression that matches the last part of a message. As a result, you can now filter messages based upon properties such as date-time, priority, and severity.

The sshd RHEL System Role verifies the include directive for the drop-in directory

The sshd RHEL System Role on RHEL 9 manages only a file in the drop-in directory, but previously did not verify that the directory is included from the main sshd_config file. With this update, the role verifies that sshd_config contains the include directive for the drop-in directory. As a result, the role more reliably applies the provided configuration.

The sshd RHEL System Role can be managed through /etc/ssh/sshd_config

The sshd RHEL System Role applied to a RHEL 9 managed node places the SSHD configuration in a drop-in directory (/etc/ssh/sshd_config.d/00-ansible_system_role.conf by default). Previously, any changes to the /etc/ssh/sshd_config file overwrote the default values in 00-ansible_system_role.conf. With this update, you can manage SSHD by using /etc/ssh/sshd_config instead of 00-ansible_system_role.conf while preserving the system default values in 00-ansible_system_role.conf.

The metrics role consistently uses "Ansible_managed" comment in its managed configuration files

With this update, the metrics role inserts the "Ansible managed" comment to the configuration files, using the Ansible standard ansible_managed variable. The comment indicates that the configuration files should not be directly edited because the metrics role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.

The storage RHEL System Role now supports managing the pool members

The storage RHEL System Role can now add or remove disks from existing LVM pools without removing the pool first. To increase the pool capacity, the storage RHEL system role can add new disks to the pool and free currently allocated disks in the pool for another use.

Support for thinly provisioned volumes is now available in the storage RHEL System Role

The storage RHEL System Role can now create and manage thinly provisioned LVM logical volumes (LVs). Thin provisioned LVs are allocated as they are written, allowing better flexibility when creating volumes as physical storage provided for thin provisioned LVs can be increased later as the need arises. LVM thin provisioning also allows creating more efficient snapshots because the data blocks common to a thin LV and any of its snapshots are shared.

Better support for cached volumes is available in the storage RHEL System Role

The storage RHEL System Role can now attach cache to existing LVM logical volumes. LVM cache can be used to improve performance of slower logical volumes by temporarily storing subsets of an LV’s data on a smaller, faster device, for example an SSD. This enhances the previously added support for creating cached volumes by allowing adding (attaching) a cache to an existing, previously uncached volume.

The logging RHEL System Role now supports template, severity and facility options

The logging RHEL System Role now features new useful severity and facility options to the files inputs as well as a new template option to the files and forwards outputs. Use the template option to specify the traditional time format by using the parameter traditional, the syslog protocol 23 format by using the parameter syslog, and the modern style format by using the parameter modern. As a result, you can now use the logging role to filter by the severity and facility as well as to specify the output format by template.

RHEL System Roles now available also in playbooks with fact gathering disabled

Ansible fact gathering might be disabled in your environment for performance or other reasons. Previously, it was not possible to use RHEL System Roles in such configurations. With this update, the system detects the ANSIBLE_GATHERING=explicit parameter in your configuration and gather_facts: false parameter in your playbooks, and use the setup: module to gather only the facts required by the given role, if not available from the fact cache.

The storage role now has less verbosity by default

The storage role output is now less verbose by default. With this update, users can increase the verbosity of storage role output to only produce debugging output if they are using Ansible verbosity level 1 or above.

The firewall RHEL System Role does not require the state parameter when configuring masquerade or icmp_block_inversion

When configuring custom firewall zones, variables masquerade and icmp_block_inversion are boolean settings. A value of true implies state: present and a value of false implies state: absent. Therefore, the state parameter is not required when configuring masquerade or icmp_block_inversion.

You can now add, update, or remove services using absent and present states in the firewall RHEL System Role

With this enhancement, you can use the present state to add ports, modules, protocols, services, and destination addresses, or use the absent state to remove them. Note that to use the absent and present states in the firewall RHEL System Role, set the permanent option to true. With the permanent option set to true, the state settings apply until changed, and remain unaffected by role reloads.

The firewall system role can add or remove an interface to the zone using PCI device ID

Using the PCI device ID, the firewall system role can now assign or remove a network interface to or from a zone. Previously, if only the PCI device ID was known instead of the interface name, users had to first identify the corresponding interface name to use the firewall system role. With this update, the firewall system role can now use the PCI device ID to manage a network interface in a zone.

The firewall RHEL System Role can provide Ansible facts

With this enhancement, you can now gather the firewall RHEL System Role’s Ansible facts from all of your systems by including the firewall: variable in the playbook with no arguments. To gather a more detailed version of the Ansible facts, use the detailed: true argument, for example:

Added setting of seuser and selevel to the selinux RHEL System Role

Sometimes, it is necessary to set seuser and selevel parameters when setting SELinux context file system mappings. With this update, you can use the seuser and selevel optional arguments in selinux_fcontext to specify SELinux user and level in the SELinux context file system mappings.

New cockpit System Role variable for setting a custom listening port

The cockpit System Role introduces the cockpit_port variable that allows you to set a custom listening port other than the default 9090 port. Note that if you decide to set a custom listening port, you will also need to adjust your SELinux policy to allow the web console to listen on that port.

The metrics role can export postfix performance data

You can now use the new metrics_from_postfix boolean variable in the metrics role for recording and detailed performance analysis. With this enhancement, setting the variable enables the pmdapostfix metrics agent on the system, making statistics about postfix available.

The postfix role consistently uses "Ansible_managed" comment in its managed configuration files

The postfix role generates the /etc/postfix/main.cf configuration file. With this update, the postfix role inserts the "Ansible managed" comment to the configuration files, using the Ansible standard ansible_managed variable. The comment indicates that the configuration files should not be directly edited because the postfix role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.

The nbde-client RHEL System Role supports static IP addresses

In previous versions of RHEL, restarting a system with a static IP address and configured with the nbde_client RHEL System Role changed the system’s IP address. With this update, systems with static IP addresses are supported by the nbde_client role, and their IP addresses do not change after a reboot.

RHEL web console now features RHEL as an option for the Download an OS VM workflow

With this enhancement, the RHEL web console now supports the installation of RHEL virtual machines (VMs) using the default Download an OS workflow. As a result, you can download and install the RHEL OS as a VM directly within the web console.

Improved KVM architectural compliance

With this update, the architectural compliance of the KVM hypervisor has now been enhanced and made stricter. As a result, the hypervisor is now better prepared to address future changes to Linux-based and other operating systems.

ap-check is now available in RHEL 9

The mdevctl tool now provides a new ap-check support utility. You can use mdevctl to persistently configure cryptographic adapters and domains that are allowed for pass-through usage into virtual machines as well as the matrix and vfio-ap devices. With mdevctl, you do not have to reconfigure these adapters, domains, and devices after every IPL. In addition, mdevctl prevents the distributor from inventing other ways to reconfigure them.

open-vm-tools rebased to 12.0.5

The open-vm-tools packages have been upgraded to version 12.0.5, which introduces a number of bug fixes and new features. Most notably, support has been added for the Salt Minion tool to be managed through guest OS variables.

Selected VMs on IBM Z can now boot with kernel command lines longer than 896 bytes

Previously, booting a virtual machine (VM) on a RHEL 9 IBM Z host always failed if the kernel command line of the VM was longer than 896 bytes. With this update, the QEMU emulator can handle kernel command lines longer than 896 bytes. As a result, you can now use QEMU direct kernel boot for VMs with very long kernel command lines, if the VM kernel supports it. Specifically, to use a command line longer than 896 bytes, the VM must use Linux kernel version 5.16-rc1 or later.

The Secure Execution feature on IBM Z now supports remote attestation

The Secure Execution feature on the IBM Z architecture now supports remote attestation. The pvattest utility can create a remote attestation request to verify the integrity of a guest that has Secure Execution enabled.

VM memory preallocation using multiple threads

You can now define multiple CPU threads for virtual machine (VM) memory allocation in the domain XML configuration, for example as follows:

RHEL 9 guests now support SEV-SNP

On virtual machines (VMs) that use RHEL 9 as a guest operating system, you can now use AMD Secure Encrypted Virtualization (SEV) with the Secure Nested Paging (SNP) feature. Among other benefits, SNP enhances SEV by improving its memory integrity protection, which helps prevent hypervisor-based attacks such as data replay or memory re-mapping. Note that for SEV-SNP to work on a RHEL 9 VM, the host running the VM must support SEV-SNP as well.

New SSH module for cloud-init

With this update, an SSH module has been added to the cloud-init utility, which automatically generates host keys during instance creation.

The Container Tools packages have been updated

The Container Tools packages which contain the Podman, Buildah, Skopeo, crun, and runc tools are now available. This update provides a list of bug fixes and enhancements over the previous version.

GitLab Runner is now available on RHEL using Podman

Beginning with GitLab Runner 15.1, you can use Podman as the container runtime in the GitLab Runner Docker Executor. For more details, see GitLab’s Release Note.

Podman now supports the --health-on-failure option

The podman run and podman create commands now support the --health-on-failure option to determine the actions to be performed when the status of a container becomes unhealthy.

Netavark network stack is now available

The Netavark stack is a network configuration tool for containers. In RHEL 9, the Netavark stack is fully supported and enabled by default.

New package: catatonit in the CRB repository

A new catatonit package is now available in the CodeReady Linux Builder (CRB) repository. The catatonit package is used as a minimal init program for containers and can be included within the application container image. Note that packages included in the CodeReady Linux Builder repository are unsupported.

The installer no longer installs earlier versions of packages

Previously, the installer did not correctly load the DNF configuration file during the installation process. As a consequence, the installer sometimes installed earlier versions of select packages in the RPM transaction.

Anaconda installation is successful even if changing the network configuration in stage2

Previously, when using the rd.live.ram boot argument, Anaconda did not unmount an NFS mount point that is used in initramfs to fetch the installation image into memory. As a consequence, the installation process could become unresponsive or fail with a timeout error if the network configuration was changed in stage2.

virt-who now connects to ESX servers correctly when in FIPS mode

Previously, when using the virt-who utility on a RHEL 9 system in FIPS mode, virt-who could not connect to ESX servers. As a consequence, virt-who did not report any ESX servers, even if configured for them, and logged the following error message:

DNF now correctly rolls back a transaction containing an item with the Reason Change Action type

Previously, running the dnf history rollback command on a transaction containing an item with the Reason Change Action type failed. With this update, the issue has been fixed, and dnf history rollback now works as expected.

The vi command in ReaR no longer results in an infinite loop

Previously, the ReaR rescue system did not contain the vi executable, only the /bin/vi script. As a consequence, the /bin/vi script caused an infinite loop when invoked. With this update, the ReaR rescue system contains the actual vi executable /usr/libexec/vi, and running the vi command no longer leads to an endless loop.

ReaR with the PXE output method no longer fails to store the output files in the rsync OUTPUT_URL location

Previously, the handling of the OUTPUT_URL variable with the OUTPUT=PXE and BACKUP=RSYNC options was removed. As a consequence, when using an rsync location for OUTPUT_URL, ReaR failed to copy the initrd and kernel files to this location, although it uploaded them to the location specified by BACKUP_URL. With this update, the behavior from RHEL 8.4 and earlier releases is restored. ReaR creates the required files at the designated OUTPUT_URL destination using rsync.

ReaR no longer fails to display an error message if it does not update the UUID in /etc/fstab

Previously, ReaR did not display an error message during recovery when it failed to update the universally unique identifier (UUID) in /etc/fstab to match the UUID of the newly created partition in case the UUIDs were different. This could have happened if the rescue image was out of sync with the backup. With this update, an error message occurs during recovery if the restored basic system files do not match the recreated system.

ReaR now supports restoring a system using NetBackup version 9

Previously, restoring a system using the NetBackup (NBU) method with NetBackup version 9 or later failed due to missing libraries and other files. With this update, the NBU_LD_LIBRARY_PATH variable contains the required library paths and the rescue system now incorporates the required files, and ReaR can use the NetBackup method.

ReaR no longer displays a false error message about missing symlink targets

Previously, ReaR displayed incorrect error messages about missing symlink targets for the build and source symlinks under /usr/lib/modules/ when creating the rescue image. This situation was harmless, and you could safely ignore the error message. With this update, ReaR does not report a false error message about missing symlink targets in this situation.

The cmx operation with no parameter no longer crashes the CIM Client

The cmx operation calls a method and returns XML, a parameter specifies the name of the called method. Previously, the command line sblim-wbemcli Common Information Model (CIM) Client crashed when running the cmx operation without an additional parameter. With this update, the cmx operation requires the parameter that defines the name of the called method. Invoking the cmx operation without this parameter results in an error message, and the CIM Client no longer crashes.

free command uses a new calculation method for used memory

Previously, the calculation of used memory in the free utility subtracted free space, cache space and buffer space from the total memory. Consequently, a discrepancy occurred when you compared the value of used memory with outcome of another tool because the free utility did not calculate shared memory. With this update, the free command uses a new calculation method that provides clear state of free memory and considers the unreclaimable cache. Used memory is now any memory that is not available, and includes also tmpfs objects that are in the virtual memory.

Unbound no longer validates SHA-1-based RSA signatures

Previously, OpenSSL did not validate SHA-1-based RSA signatures in the DEFAULT system-wide cryptographic policy. As a consequence, when Unbound tried to validate such signatures, the error from OpenSSL caused the resolution to fail. With this update, Unbound disables validation support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 (algorithm number 7) signatures, which resolves the query. Note that this makes the result insecure under all system-wide cryptographic policies.

OpenSSH key generation uses FIPS-compatible interfaces

The OpenSSL cryptographic library, which is used by OpenSSH, provides two interfaces: legacy and modern. Previously, OpenSSH used the legacy interface for key generation, which did not comply with Federal Information Processing Standards (FIPS) requirements. With this update, the ssh-keygen utility uses the FIPS-compliant API instead of the low-level FIPS-incompatible API. As a result, OpenSSH key generation is FIPS-compliant.

Cryptography not approved by FIPS no longer works in OpenSSL in FIPS mode

Previously, cryptography that was not FIPS-approved worked in the OpenSSL toolkit regardless of system settings. Consequently, you could use cryptographic algorithms and ciphers that should be disabled when the system is running in FIPS mode, for example:

Specifying arbitrary curves removed from OpenSSL

Previously, the checks of explicit curve parameters safety were incomplete. As a consequence, arbitrary elliptic curves with sufficiently large p values worked in RHEL. With this update, the checks now verify that the explicit curve parameters match one of the well-known supported curves. As a result, the option to specify arbitrary curves through the use of explicit curve parameters has been removed from OpenSSL. Parameter files, private keys, public keys, and certificates that specify arbitrary explicit curves no longer work in OpenSSL. Using explicit curve parameters to specify one of the well known and supported curves such as P-224, P-256, P-384, P-521, and secp256k1 remains supported in non-FIPS mode.

OpenSSL req uses AES-256-CBC for private keys encryption

Previously, the OpenSSL req tool encrypted private key files by using the 3DES algorithm. Because the 3DES algorithm is insecure and disallowed in the current FIPS 140 standard for cryptographic modules, req now generates private key files encrypted using the AES-256-CBC algorithm instead. The overall PKCS#8 file format remains unchanged.

OpenSSL no longer fails to connect when FFDHE is used

Previously, TLS connections that use the finite-field-based Diffie-Hellman ephemeral (FFDHE) key exchange mechanism sometimes failed when processing FFDHE key shares from a client. This was caused by overly restrictive checks in OpenSSL. As a consequence, the OpenSSL server aborted the connection with an internal_error alert. With this update, OpenSSL accepts smaller but still compliant client key shares. As a result, connections between OpenSSL and other implementations no longer randomly abort when using FFDHE key exchanges.

OpenSSL-based applications now work correctly with the Turkish locale

Because the OpenSSL library uses case-insensitive string comparison functions, OpenSSL-based applications did not work correctly with the Turkish locale, and omitted checks caused applications using this locale to crash. This update provides a patch to use the Portable Operating System Interface (POSIX) locale for case-insensitive string comparison. As a result, OpenSSL-based applications such as curl work correctly with the Turkish locale.

Permissions for insights-client added to the SELinux policy

The new insights-client service requires permissions which were not in the previous selinux-policy versions. As a consequence, some components of insights-client did not work correctly and reported access vector cache (AVC) error messages. This update adds new permissions to the SELinux policy. As a result, insights-client runs correctly without reporting AVC errors.

SELinux staff_u users no longer can incorrectly switch to unconfined_r

Previously, when the secure_mode boolean was enabled, staff_u users could switch to the unconfined_r role, which was not expected behavior. As a consequence, staff_u users could perform privileged operations affecting the security of the system. With this update, the SELinux policy has been fixed, and staff_u users no longer can incorrectly switch to unconfined_r.

OpenSCAP no longer produces incorrect errors when checking available memory

Previously, when evaluating some XCCDF rules, OpenSCAP incorrectly showed the error message Failed to check available memory and produced invalid scan results. For example, this occurred for rules accounts_user_dot_no_world_writable_programs, accounts_user_dot_group_ownership and accounts_users_home_files_permissions. With this update, the bug in error handling is fixed and the error message appears only for real failures.

fagenrules --load now works correctly

Previously, the fapolicyd service did not correctly handle the signal hang up (SIGHUP). Consequently, fapolicyd terminated after receiving SIGHUP, and the fagenrules --load command did not work correctly. This update contains a fix for the problem. As a result, fagenrules --load now works correctly, and rule updates no longer require manual restarts of fapolicyd.

An instance now retains the primary IP address even after starting the nm-cloud-setup service in Alibaba Cloud

Previously, after launching an instance in the Alibaba Cloud, the nm-cloud-setup service configured the incorrect IP address as the primary IP address in case of multiple IPv4 addresses. Consequently, this affected the selection of the IPv4 source address for outgoing connections. With this update, after configuring secondary IP addresses manually, the NetworkManager package fetches the primary IP address from primary-ip-address metadata and configures both primary and secondary IP addresses correctly.

The NetworkManager utility enforces correct ordering of manually added IPv6 addresses

In general, the ordering of IPv6 addresses affects the priority for source address selection. For example when you make an outgoing TCP connection. Previously, the relative priority of IPv6 addresses added through the manual, dhcpv6, and autoconf6 methods was not correct. This update fixes the problem and the ordering priority now reflects this logic: manual > dhcpv6 > autoconf6. Also, the order of addresses under the ipv6.addresses setting was reversed so that the address added first has the highest priority.

Network socket tagging works again

Certain legacy cgroup v1 controllers that have no cgroup v2 equivalent, such as net_prio or net_cls, previously interfered with the cgroup v2 socket tagging when they were mounted together with other cgroup v2 controllers in a mixed cgroup v1/v2 environment. As a consequence, a mixed cgroup v1/v2 environment using either the net_prio or net_cls v1 controller disabled proper network socket tagging with cgroup v2. This update eliminates this limitation, which makes it possible to use a mixed cgroup v1/v2 environment network socket tagging.

The kexec-tools package now supports the default crashkernel memory reservation values

The kexec-tools package now maintains the default crashkernel memory reservation values. The kdump service uses the default value to reserve the crash kernel memory for each kernel. This implementation also improves memory allocation for kdump when a system has less than 4 GB of available memory.

Systems can successfully run dynamic LPAR operations

Previously, users could not run dynamic logical partition (DLPAR) operations from the Hardware Management Console (HMC) if either of these conditions were met:

No kernel warnings after setting the ring buffer value from rx to max

The kernel was producing a warning message Missing unregister, handled but fix driver when an internal function expecting a clean input was called with a reused, already initialized structure. With this update, the problem has been fixed by reinitializing the structure before registering it again.

grubby now passes arguments to future kernels

When installing a newer version of the kernel, the grubby tool did not pass the kernel command-line arguments from the previous kernel version. As a consequence, the GRUB boot loader ignored user settings. With this fix, the user settings now persist after installing the new kernel version.

Journal entries no longer stop the journal writes

Previously, in the VDO driver during device-mapper suspend operation and after resuming device operation, some journal blocks could still be marked as waiting for some metadata updates to be made before they could be reused, even though those updates had already been done. When enough journal entries were made for the journal to wrap around back to the same physical block, it was not available. Journal writes would stop, waiting for the block to become available, which never happened. Consequently, when some operations on a VDO device included a suspend or resume cycle, the device was in a frozen state after some journal updates. The journal updates before this device state were unpredictable because it was depended on previous allocation patterns within VDO, and the incoming write or discard patterns. With this update, after the suspend or resume cycle saving data to storage, the internal data structure state is reset and lockups no longer happened.

Adding a data device no longer triggers assertion failure

Previously, when adding additional devices to the cache, Stratis did not use cache immediately after initialization. As a consequence, the stratisd service returned an assertion failure message whenever a user attempted to add additional data devices to a pool. With this fix, cache is now used immediately after initialization and no assertion failures occur.

Resolved errors when adding new data devices to the encrypted pool

Previously, whenever the user initialized an encrypted pool with encrypted data devices, using a Clevis bind command on a tang server, specified with the --trust-url option, stratisd did not include the thumbprint part of the Clevis tang configuration in the internal data structures. Consequently, a failure occurred when attempting to add new data devices to the pool. With this update, the internal data structures of stratisd now include the thumbprint part of the Clevis tang configuration.

Connecting to NVMe namespaces from Broadcom initiators on AMD EPYC systems no longer require non-default IOMMU settings

By default, the RHEL kernel enables the IOMMU on AMD-based platforms. Previously, the lpfc driver did not use the scatter-gather list accessor macros. Consequently, certain servers with AMD processors encountered NVMe I/O problems, such as I/Os failing due to transfer length mismatches.

pcs now validates the value of stonith-watchdog-timeout

Previously, it was possible to set the stonith-watchdog-timeout property to a value that is incompatible with SBD configuration. This could result in a fence loop, or could cause the cluster to consider a fencing action to be successful even if the action is not finished. With this fix, pcs validates the value of stonith-watchdog-property when you set it, to prevent incorrect configuration.

pcs now recognizes the mode option when creating a new Booth ticket

Previously, when a user specified a mode option when adding a new Booth ticket, pcs reported the error invalid booth ticket option 'mode'. With this fix, you can now specify the mode option when creating a Booth ticket.

pcs now distinguishes between resources and stonith resources

Previously, some pcs commands did not distinguish between resources and stonith resources. This allowed users to use pcs resource sub-commands for stonith resources, and to use pcs stonith sub-commands for resources that are not stonith resources. This could lead to user confusion or resource misconfiguration. With this update, pcs displays a warning when there is a resource type mismatch.

glibc now restores errno after loading an NSS module

Previously, the Name Service Switch (NSS) implementation in glibc set errno incorrectly during database enumeration using functions such as getpwent() if the last NSS module did not provide any data. As a result, applications using these enumeration functions incorrectly observed errors and failed. glibc now restores errno after loading an NSS module and, as a result, applications using these functions no longer fail.

The auditing interface now saves and restores the x8 register and the full width of the NEON registers for AArch64

Previously, a bug in the implementation of the dynamic loader’s audit interface caused the AArch64 saved register state to be incomplete compared to the procedure call standard. This bug has been fixed and the auditing interface now saves and restores the x8 register and the full width of the NEON registers for AArch64. Applications using the dynamic loader auditing interface can now inspect and influence the x8 register for AArch64. To use this new x8 register and have access to the full width of the NEON registers on AArch64, the audit modules must be recompiled to use the new version of the interface (LAV_CURRENT is 2).

POWER9-optimized strncpy function no longer gives incorrect results

Previously, the POWER9 strncpy function did not use the correct register as the source of the NUL bytes for padding. Consequently, the output buffer contained uninitialized register content instead of the NUL padding. With this update, the strncpy function has been fixed, and the end of the output buffer is now correctly padded with NUL bytes.

Valgrind override of glibc memmem function installed on IBMz15 architecture

Previously, a missing valgrind override of the glibc memmem function lead to false positive warnings of:

The ipa user-del --preserve user_login output no longer indicates that the user was deleted

Previously, if you ran the ipa user-del --preserve user_login command to preserve a user account, the output incorrectly returned the message Deleted user “user_login”. With this update, the output now returns Preserved user “user_login”.

PKINIT user authentication now works correctly in the RHEL 9 Kerberos client - Heimdal KDC scenario

Previously, the PKINIT authentication of an IdM user on a RHEL 9 Kerberos client against the Heimdal Kerberos Distribution Center (KDC) failed. This failure occurred because the Kerberos client did not support the supportedCMSTypes field required in the context of the deprecation of the SHA-1 algorithm in RHEL 9.

Handling unreadable objects in an LDAP group’s member list

Before this update, SSSD inconsistently handled the unreadable objects in an LDAP group’s member list and this resulted in unreadable objects causing an error or in certain situations unreadable objects were ignored.

Subscription enrolling with Activation keys has been fixed

Previously, you could not enroll your Red Hat subscription in Settings using Activation keys. Settings displayed the following error after pressing Register:

X.org now enables the X11 SECURITY extension

Previously, the X.org display server did not provide the X11 SECURITY extension. As a consequence, applications that used this extension terminated unexpectedly.

Matrox GPU with a VGA display now works as expected

Prior to this release, your display showed no graphical output if you used the following system configuration:

Removing USB host devices using the web console now works as expected

Previously, when you attached a USB device to a virtual machine (VM), the device number and bus number of the USB device changed after they were passed to the VM. As a consequence, using the web console to remove such devices failed due to the incorrect correlation of the device and bus numbers. With this update, the issue has been fixed and you can remove the USB host devices using the web console.

Attaching multiple host devices using the web console now works as expected

Previously, when you selected multiple devices to attach to a virtual machine (VM) using the web console, only a single device was attached and the rest were ignored. With this update, the issue has been fixed and you can now simultaneously attach multiple host devices using the web console.

The network RHEL role manages ansible_managed parameter in the configuration files

Previously, the Ansible role was unable to provide the correct ansible_managed header for the network role managed configuration files. As a consequence, system administrators were uncertain about which files were managed by Ansible. With this fix, the role managed files have a correct ansible_managed header, and system administrators can reliably tell about which files are managed Ansible.

Fixed a typo to support active-backup for the correct bonding mode

Previously, there was a typo,active_backup, in supporting the InfiniBand port while specifying active-backup bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing bonding mode to active-backup. The connection now successfully supports the InfiniBand bonding port.

The IPRouteUtils.get_route_tables_mapping() function now accepts any whitespace sequence

Previously, a parser for the iproute2 routing table database, such as /etc/iproute2/rt_tables, asserted that entries in the file were of the form 254 main and only a single space character separated the numeric id and the name. Consequently, the parser failed to cache all the mappings between the route table name and table id.Therefore the user could not add a static route into the route table by defining the route table name. With this update, the parser accepts any whitespace sequence in between the table ID and table name. As a result, as the parser caches all the mapping between the route table name and table ID, users can add a static route into the route table by defining the route table name.

The forward_port parameter now accepts both the string and dict option

Previously, in the firewall RHEL System role, the forward_port parameter only accepted the string option. However, the role documentation claimed that both string and dict options were supported. Consequently, the users reading and following the documentation were getting an error. This bug has been fixed by making forward_port accept both options. As a result, the users can safely follow the documentation to configure port forwarding.

Configuration by the metrics role now follows symbolic links correctly

When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the metrics role overwrote the symbolic link instead of following it and configuring mssql.conf. Consequently, running the metrics role changed the symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The issue is now fixed and the follow: yes option to follow the symbolic link has been added to the metrics role. As a result, the metrics role preserves the symbolic links and correctly configures the main configuration file.

The kernel_settings configobj is available on managed hosts

Previously, the kernel_settings role did not install the python3-configobj package on managed hosts. As a consequence, the role returned an error stating that the configobj Python module could not be found. With this fix, the role ensures that the python3-configobj package is present on managed hosts and the kernel_settings role works as expected.

The mount_options parameter for volumes is now valid for a volume

Previously, the parameter was accidentally removed from the list of valid parameters for a volume. Consequently, users were unable to set the mount_options parameter for volumes. With this bug fix, the mount_options parameter has been added back to the list of valid parameters and the code has been refactored to catch the errors. As a result, the storage RHEL system role can set the mount_options parameter for volumes.

The storage RHEL System Role now correctly supports striped and raid0 levels for LVM volumes

The storage RHEL System Role previously incorrectly reported RAID levels striped and raid0 as not supported for LVM volumes. This is now fixed and the role can now correctly create LVM volumes of all RAID levels supported by LVM: raid0, raid1, raid4, raid5, raid6, raid10, striped and mirror.

The metrics RHEL System Role README and documentation now clearly specifies supported Redis and Grafana versions on specific versions of RHEL by the role

Previously, when trying to use the metrics role with unsupported versions of Redis and Grafana on unsupported platforms, the role failed. This update clarifies the documentation about which versions of Redis and Grafana are supported on which versions of RHEL by the role. As a result, you can avoid trying to use unsupported versions of Redis and Grafana on unsupported platforms.

Minimal RSA key bit length option in the ssh and sshd RHEL System Roles

Accidentally using short RSA keys might make the system more vulnerable to attacks. With this update, you can set RSA key minimal bit lengths for OpenSSH clients and servers by using the RequiredRSASize option in the ssh and sshd RHEL System Roles.

The nbde_client RHEL System Role now uses proper spacing when specifying extra Dracut command line-parameters

The Dracut framework requires proper spacing when specifying additional parameters, such as kernel command-line parameters. If the parameters are not specified with proper spacing, Dracut might not append the specified extra parameters to the kernel command line. With this update, the nbde_client RHEL System Role uses proper spacing when creating add-on Dracut configuration files. As a result, the role correctly sets Dracut command-line parameters.

The tlog RHEL System Roles is now correctly overlaid by SSSD

Previously, the tlog RHEL System Role relied on the System Security Services Daemon (SSSD) files provider and on enabled authselect option with-files-domain to set up correct passwd entries in the nsswitch.conf file. In RHEL 9.0, SSSD did not implicitly enable the files provider by default, and consequently the tlog-rec-session shell overlay by SSSD did not work. With this fix, the tlog role now updates the nsswitch.conf to ensure tlog-rec-session is correctly overlaid by SSSD.

The metrics RHEL System Role automatically restarts pmie and pmlogger services after an update to their configuration

Previously, the pmie and pmlogger services did not restart after their configuration was changed and waited for handler execution. This caused errors with other metrics services, which required pmie and pmlogger configuration to match their runtime behavior. With this update, the role restarts pmie and pmlogger immediately after a configuration update, their configuration matches runtime behavior of dependent metrics services, and they work correctly.

Network traffic performance in virtual machines is no longer reduced when under heavy load

Previously, RHEL virtual machines had, in some cases, decreased performance when handling high levels of network traffic. The underlying code has been fixed and network traffic performance now works as expected in the described circumstances.

The SR-IOV functionality of a network adapter attached to a Hyper-V VM now works reliably

Previously, when attaching a network adapter with single-root I/O virtualization (SR-IOV) enabled to a RHEL 9 virtual machine (VM) running on Microsoft Hyper-V hypervisor, the SR-IOV functionality in some cases did not work correctly. A bug in the Hyper-V specific memory-mapped I/O (MMIO) allocation code has been fixed and the SR-IOV functionality now works as expected on Hyper-V VMs.

SR-IOV no longer performs suboptimally in ARM 64 RHEL 9 virtual machines on Azure

Previously, SR-IOV networking devices had significantly lower throughout and higher latency than expected in ARM 64 RHEL 9 virtual machines (VMs) running on a Microsoft Azure platform. The problem has been fixed, and the affected VMs now perform as expected.

podman system connection add and podman image scp no longer fail

Podman uses SHA-1 hashes for the RSA key exchange. Previously, the regular SSH connection among machines using RSA keys worked, while the podman system connection add and podman image scp commands did not work using the same RSA keys, because the SHA-1 hashes were not accepted for key exchange on RHEL 9. With the update, the problem has been fixed.

Container images signed with a Beta GPG key can now be pulled

Previously, when you pulled RHEL Beta container images, Podman failed with the error message: Error: Source image rejected: None of the signatures were accepted. The images failed to be pulled due to current builds being configured to not trust the RHEL Beta GPG keys by default. With this update, the /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted keys. Because of this, the container images signed with GA and Beta GPG keys are now accepted in the default configuration.

Podman no longer fails to pull a container "X509: certificate signed by unknown authority"

Previously, if you had your own internal registry signed by our own CA certificate, then you had to import the certificate onto your host machine. Otherwise, an error occurs:

DNF and YUM no longer fail because of non-matching repository IDs

Previously, DNF and YUM repository IDs did not match the format that DNF or YUM expected. For example, if you ran the following example, the error occurred:

ReaR available on the 64-bit IBM Z architecture as a Technology Preview

Basic Relax and Recover (ReaR) functionality is now available on the 64-bit IBM Z architecture as a Technology Preview. You can create a ReaR rescue image on IBM Z only in the z/VM environment. Backing up and recovering logical partitions (LPARs) has not been tested.

GIMP available as a Technology Preview in RHEL 9

GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. The gimp package version 2.99.8 is a pre-release version with a set of improvements, but a limited set of features and no guarantee for stability. As soon as the official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release version.

gnutls now uses KTLS as a Technology Preview

The updated gnutls packages can use Kernel TLS (KTLS) for accelerating data transfer on encrypted channels as a Technology Preview. To enable KTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:

WireGuard VPN is available as a Technology Preview

WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.

Configuring Multipath TCP using NetworkManager is available as a Technology Preview

With this update, the NetworkManager utility provides you with the Multipath TCP (MPTCP) functionality. You can use nmcli commands to control MPTCP and make its settings persistent.

KTLS available as a Technology Preview

RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.

The systemd-resolved service is available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

The Intel data streaming accelerator driver for kernel is available as a Technology Preview

The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a Technology Preview. It is an Intel CPU integrated accelerator and includes the shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).

SGX available as a Technology Preview

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. The version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology.

The Soft-iWARP driver is available as a Technology Preview

Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This protocol suite is fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.

DAX is now available for ext4 and XFS as a Technology Preview

In RHEL 9, the DAX file system is available as a Technology Preview. DAX provides means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a DAX compatible file system must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.

Stratis is available as a Technology Preview

Stratis is a local storage manager. It provides managed file systems on top of pools of storage with additional features to the user:

NVMe-oF Discovery Service features available as a Technology Preview

The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/developers/nvme-specification/ website.

nvme-stas package available as a Technology Preview

The nvme-stas package, which is a Central Discovery Controller (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, and Automatic (zeroconf) and Manual configuration.

jmc-core and owasp-java-encoder available as a Technology Preview

RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as a Technology Preview.

RHEL IdM allows delegating user authentication to external identity providers as a Technology Preview

In RHEL IdM, you can now associate users with external identity providers (IdP) that support the OAuth 2 device authorization flow. When these users authenticate with the SSSD version available in RHEL 9.1, they receive RHEL IdM single sign-on capabilities with Kerberos tickets after performing authentication and authorization at the external IdP.

sssd-idp sub-package available as a Technology Preview

The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which are client-side components that perform OAuth2 authentication against Identity Management (IdM) servers. This feature is available only with IdM servers on RHEL 8.7 and higher, and RHEL 9.1 and higher.

SSSD internal krb5 idp plugin available as a Technology Preview

The SSSD krb5 idp plugin allows you to authenticate against an external identity provider (IdP) using the OAuth2 protocol. This feature is available only with IdM servers on RHEL 8.7 and higher, and RHEL 9.1 and higher.

ACME available as a Technology Preview

The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.

GNOME for the IBM Z architecture available as a Technology Preview

The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.

Stratis available as a Technology Preview in the RHEL web console

With this update, the Red Hat Enterprise Linux web console provides the ability to manage Stratis storage as a Technology Preview.

RHEL VMs can now be deployed to VMware ESXi instances running on ARM64 processors

As a Technology Preview, it is now possible to deploy RHEL virtual machines to VMware ESXi hypervisor instances running on 64-bit ARM-based processors.

AMD SEV and SEV-ES for KVM virtual machines

As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

Virtualization is now available on ARM 64

As a Technology Preview, it is now possible to create KVM virtual machines on systems using ARM 64 CPUs.

virtio-mem is now available on AMD64, Intel 64, and ARM 64

As a Technology Preview, RHEL 9 introduces the virtio-mem feature on AMD64, Intel 64, and ARM 64 systems. Using virtio-mem makes it possible to dynamically add or remove host memory in virtual machines (VMs).

Intel vGPU available as a Technology Preview

As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.

RHEL confidential VMs are now available on Azure as a Technology Preview

With the updated RHEL kernel, you can now create and run confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview. However, it is not yet possible to encrypt RHEL confidential VM images during boot on Azure.

The capability for multiple trusted GPG keys for signing images is available as a Technology Preview

The /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted keys. Because of this, the container images signed with GA and Beta GPG keys are now accepted in the default configuration.

The sigstore signatures are now available as a Technology Preview

Beginning with Podman 4.2, you can use the sigstore format of container image signatures. The sigstore signatures are stored in the container registry together with the container image without the need to have a separate signature server to store image signatures.

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

Deprecated Kickstart commands

The following Kickstart commands have been deprecated:

SHA-1 is deprecated for cryptographic purposes

The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases.

SCP is deprecated in RHEL 9

The secure copy protocol (SCP) is deprecated because it has known security vulnerabilities. The SCP API remains available for the RHEL 9 lifecycle but using it reduces system security.

Digest-MD5 in SASL is deprecated

The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) framework is deprecated, and it might be removed from the cyrus-sasl packages in a future major release.

OpenSSL deprecates MD2, MD4, MDC2, Whirlpool, RIPEMD160, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1

The OpenSSL project has deprecated a set of cryptographic algorithms because they are insecure, uncommonly used, or both. Red Hat also discourages the use of those algorithms, and RHEL 9 provides them for migrating encrypted data to use new algorithms. Users must not depend on those algorithms for the security of their systems.

/etc/system-fips is now deprecated

Support for indicating FIPS mode through the /etc/system-fips file has been removed, and the file will not be included in future versions of RHEL. To install RHEL in FIPS mode, add the fips=1 parameter to the kernel command line during the system installation. You can check whether RHEL operates in FIPS mode by using the fips-mode-setup --check command.

libcrypt.so.1 is now deprecated

The libcrypt.so.1 library is now deprecated, and it might be removed in a future version of RHEL.

fapolicyd.rules is deprecated

The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility.

Network teams are deprecated in RHEL 9

The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.

NetworkManager connection profiles in ifcfg format are deprecated

In RHEL 9.0 and later, connection profiles in ifcfg format are deprecated. The next major RHEL release will remove the support for this format. However, in RHEL 9, NetworkManager still processes and updates existing profiles in this format if you modify them.

The iptables back end in firewalld is deprecated

In RHEL 9, the iptables framework is deprecated. As a consequence, the iptables backend and the direct interface in firewalld are also deprecated. Instead of the direct interface you can use the native features in firewalld to configure the required rules.

ATM encapsulation is deprecated in RHEL 9

Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, Ethernet) or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Red Hat has not been providing support for ATM NIC drivers since RHEL 7. The support for ATM implementation is being dropped in RHEL 9. These protocols are currently used only in chipsets, which support the ADSL technology and are being phased out by manufacturers. Therefore, ATM encapsulation is deprecated in Red Hat Enterprise Linux 9.

lvm2-activation-generator and its generated services removed in RHEL 9.0

The lvm2-activation-generator program and its generated services lvm2-activation, lvm2-activation-early, and lvm2-activation-net are removed in RHEL 9.0. The lvm.conf event_activation setting, used to activate the services, is no longer functional. The only method for auto activating volume groups is event based activation.

libdb has been deprecated

RHEL 8 and RHEL 9 currently provide Berkeley DB (libdb) version 5.3.28, which is distributed under the LGPLv2 license. The upstream Berkeley DB version 6 is available under the AGPLv3 license, which is more restrictive.

Smaller size of keys than 2048 are deprecated by openssl 3.0

Key sizes smaller than 2048 bits are deprecated by openssl 3.0 and no longer work in Go’s FIPS mode.

Some PKCS1 v1.5 modes are now deprecated

Some PKCS1 v1.5 modes are not approved in FIPS-140-3 for encryption and are disabled. They will no longer work in Go’s FIPS mode.

SHA-1 in OpenDNSSec is now deprecated

OpenDNSSec supports exporting Digital Signatures and authentication records using the SHA-1 algorithm. The use of the SHA-1 algorithm is no longer supported. With the RHEL 9 release, SHA-1 in OpenDNSSec is deprecated and it might be removed in a future minor release. Additionally, OpenDNSSec support is limited to its integration with Red Hat Identity Management. OpenDNSSec is not supported standalone.

The SSSD implicit files provider domain is disabled by default

The SSSD implicit files provider domain, which retrieves user information from local files such as /etc/shadow and group information from /etc/groups, is now disabled by default.

-h and -p options were deprecated in OpenLDAP client utilities.

The upstream OpenLDAP project has deprecated the -h and -p options in its utilities, and recommends using the -H option instead to specify the LDAP URI. As a consequence, RHEL 9 has deprecated these two options in all OpenLDAP client utilities. The -h and -p options will be removed from RHEL products in future releases.

The SMB1 protocol is deprecated in Samba

Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release.

GTK 2 is now deprecated

The legacy GTK 2 toolkit and the following, related packages have been deprecated:

X.org Server is now deprecated

The X.org display server is deprecated, and will be removed in a future major RHEL release. The default desktop session is now the Wayland session in most cases.

Motif has been deprecated

The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif community is inactive.

The networking System Role displays a deprecation warning when configuring teams on RHEL 9 nodes

The network teaming capabilities have been deprecated in RHEL 9. As a result, using the networking RHEL System Role on an RHEL 8 controller to configure a network team on RHEL 9 nodes, shows a warning about its deprecation.

SecureBoot image verification using SHA1-based signatures is deprecated

Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) executables has become deprecated. Instead, Red Hat recommends using signatures based on the SHA2 algorithm, or later.

Limited support for virtual machine snapshots

Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, which negatively impacts the hypervisor performance for certain workloads.

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager may not be yet available in the RHEL web console.

libvirtd has become deprecated

The monolithic libvirt daemon, libvirtd, has been deprecated in RHEL 9, and will be removed in a future major release of RHEL. Note that you can still use libvirtd for managing virtualization on your hypervisor, but Red Hat recommends switching to the newly introduced modular libvirt daemons. For instructions and details, see the RHEL 9 Configuring and Managing Virtualization document.

The virtual floppy driver has become deprecated

The isa-fdc driver, which controls virtual floppy disk devices, is now deprecated, and will become unsupported in a future release of RHEL. Therefore, to ensure forward compatibility with migrated virtual machines (VMs), Red Hat discourages using floppy disk devices in VMs hosted on RHEL 9.

qcow2-v2 image format is deprecated

With RHEL 9, the qcow2-v2 format for virtual disk images has become deprecated, and will become unsupported in a future major release of RHEL. In addition, the RHEL 9 Image Builder cannot create disk images in the qcow2-v2 format.

Legacy CPU models are now deprecated

A significant number of CPU models have become deprecated and will become unsupported for use in virtual machines (VMs) in a future major release of RHEL. The deprecated models are as follows:

Running RHEL 9 containers on a RHEL 7 host is not supported

Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not guaranteed.

SHA1 hash algorithm within Podman has been deprecated

The SHA1 algorithm used to generate the filename of the rootless network namespace is no longer supported in Podman. Therefore, rootless containers started before updating to Podman 4.1.1 or later have to be restarted if they are joined to a network (and not just using slirp4netns) to ensure they can connect to containers started after the upgrade.

rhel9/pause has been deprecated

The rhel9/pause container image has been deprecated.

The reboot --kexec and inst.kexec commands do not provide a predictable system state

Performing a RHEL installation with the reboot --kexec Kickstart command or the inst.kexec kernel boot parameters do not provide the same predictable system state as a full reboot. As a consequence, switching to the installed system without rebooting can produce unpredictable results.

Local Media installation source is not detected when booting the installation from a USB that is created using a third party tool

When booting the RHEL installation from a USB that is created using a third party tool, the installer fails to detect the Local Media installation source (only Red Hat CDN is detected).

The auth and authconfig Kickstart commands require the AppStream repository

The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.

Driver disk menu fails to display user inputs on the console

When you start RHEL installation using the inst.dd option on the Kernel command line with a driver disk, the console fails to display the user input. Consequently, it appears that the application does not respond to the user input and freezes, but displays the output which is confusing for users. However, this behavior does not affect the functionality, and user input gets registered after pressing Enter.

Unexpected SELinux policies on systems where Anaconda is running as an application

When Anaconda is running as an application on an already installed system (for example to perform another installation to an image file using the –image anaconda option), the system is not prohibited to modify the SELinux types and attributes during installation. As a consequence, certain elements of SELinux policy might change on the system where Anaconda is running. To work around this problem, do not run Anaconda on the production system and execute it in a temporary virtual machine. So that the SELinux policy on a production system is not modified. Running anaconda as part of the system installation process such as installing from boot.iso or dvd.iso is not affected by this issue.

The USB CD-ROM drive is not available as an installation source in Anaconda

Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda cannot find and use this source disk.

Hard drive partitioned installations with iso9660 filesystem fails

You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that is set to ignore any hard disk containing a iso9660 file system partition. This happens even when RHEL is installed without using a DVD.

Anaconda fails to verify existence of an administrator user account

While installing RHEL using a graphical user interface, Anaconda fails to verify if the administrator account has been created. As a consequence, users might install a system without any administrator user account.

New XFS features prevent booting of PowerNV IBM POWER systems with firmware older than version 5.10

PowerNV IBM POWER systems use a Linux kernel for firmware, and use Petitboot as a replacement for GRUB. This results in the firmware kernel mounting /boot and Petitboot reading the GRUB config and booting RHEL.

Cannot install RHEL when PReP is not 4 or 8 MiB in size

The RHEL installer cannot install the boot loader if the PowerPC Reference Platform (PReP) partition is of a different size than 4 MiB or 8 MiB on a disk that uses 4 kiB sectors. As a consequence, you cannot install RHEL on the disk.

The installer displays an incorrect total disk space while custom partitioning with multipath devices

The installer does not filter out individual paths of multipath devices while custom partitioning. This causes the installer to display individual paths to multipath devices and users can select individual paths to multipath devices for the created partitions. As a consequence, an incorrect sum of the total disk space is displayed. It is computed by adding the size of each individual path to the total disk space.

Installation fails with NVMe over Fibre Channel devices

When installing RHEL, the installer shows and allows selecting Non-volatile Memory Express (NVMe) over Fibre Channel devices. Use of such devices during the installation process is not supported. As a result, the installation process might fail or the installed system might fail to boot correctly.

RHEL for Edge installer image fails to create mount points when installing an rpm-ostree payload

When deploying rpm-ostree payloads, used for example in a RHEL for Edge installer image, the installer does not properly create some mount points for custom partitions. As a consequence, the installation is aborted with the following error:

NetworkManager fails to start after the installation when connected to a network but without DHCP or a static IP address configured

Starting with RHEL 9.0, Anaconda activates network devices automatically when there is no specific ip= or kickstart network configuration set. Anaconda creates a default persistent configuration file for each Ethernet device. The connection profile has the ONBOOT and autoconnect value set to true. As a consequence, during the start of the installed system, RHEL activates the network devices, and the networkManager-wait-online service fails.

The subscription-manager utility retains nonessential text in the terminal after completing a command

Starting with RHEL 9.1, the subscription-manager utility displays progress information while processing an operation. For some languages (typically non-Latin), progress messages might not be cleared after the operation finishes. As a result, you might see parts of old progress messages in the terminal.

The Installation process sometimes becomes unresponsive

When you install RHEL, the installation process sometimes becomes unresponsive. The /tmp/packaging.log file displays the following message at the end:

A security DNF upgrade fails for packages that change their architecture through the upgrade

The patch for BZ#2108969, released with the RHBA-2022:8295 advisory, introduced the following regression: The DNF upgrade using security filters fails for packages that change their architecture from or to noarch through the upgrade. Consequently, it can leave the system in a vulnerable state.

Renaming network interfaces using ifcfg files fails

On RHEL 9, the initscripts package is not installed by default. Consequently, renaming network interfaces using ifcfg files fails. To solve this problem, Red Hat recommends that you use udev rules or link files to rename interfaces. For further details, see Consistent network interface device naming and the systemd.link(5) man page.

The chkconfig package is not installed by default in RHEL 9

The chkconfig package, which updates and queries runlevel information for system services, is not installed by default in RHEL 9.

Both bind and unbound disable validation of SHA-1-based signatures

The bind and unbound components disable validation support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 (algorithm number 7) signatures, and the SHA-1 usage for signatures is restricted in the DEFAULT system-wide cryptographic policy.

named fails to start if the same writable zone file is used in multiple zones

BIND does not allow the same writable zone file in multiple zones. Consequently, if a configuration includes multiple zones which share a path to a file that can be modified by the named service, named fails to start. To work around this problem, use the in-view clause to share one zone between multiple views and make sure to use different paths for different zones. For example, include the view names in the path.

Setting the console keymap requires the libxkbcommon library on your minimal install

In RHEL 9, certain systemd library dependencies have been converted from dynamic linking to dynamic loading, so that your system opens and uses the libraries at runtime when they are available. With this change, a functionality that depends on such libraries is not available unless you install the necessary library. This also affects setting the keyboard layout on systems with a minimal install. As a result, the localectl --no-convert set-x11-keymap gb command fails.

OpenSSL does not detect if a PKCS #11 token supports the creation of raw RSA or RSA-PSS signatures

The TLS 1.3 protocol requires support for RSA-PSS signatures. If a PKCS #11 token does not support raw RSA or RSA-PSS signatures, server applications that use the OpenSSL library fail to work with an RSA key if the key is held by the PKCS #11 token. As a result, TLS communication fails in the described scenario.

OpenSSL incorrectly handles PKCS #11 tokens that does not support raw RSA or RSA-PSS signatures

The OpenSSL library does not detect key-related capabilities of PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created with a token that does not support raw RSA or RSA-PSS signatures.

scp empties files copied to themselves when a specific syntax is used

The scp utility changed from the Secure copy protocol (SCP) to the more secure SSH file transfer protocol (SFTP). Consequently, copying a file from a location to the same location erases the file content. The problem affects the following syntax:

PSK ciphersuites do not work with the FUTURE crypto policy

Pre-shared key (PSK) ciphersuites are not recognized as performing perfect forward secrecy (PFS) key exchange methods. As a consequence, the ECDHE-PSK and DHE-PSK ciphersuites do not work with OpenSSL configured to SECLEVEL=3, for example with the FUTURE crypto policy. As a workaround, you can set a less restrictive crypto policy or set a lower security level (SECLEVEL) for applications that use PSK ciphersuites.

GnuPG incorrectly allows using SHA-1 signatures even if disallowed by crypto-policies

The GNU Privacy Guard (GnuPG) cryptographic software can create and verify signatures that use the SHA-1 algorithm regardless of the settings defined by the system-wide cryptographic policies. Consequently, you can use SHA-1 for cryptographic purposes in the DEFAULT cryptographic policy, which is not consistent with the system-wide deprecation of this insecure algorithm for signatures.

gpg-agent does not work as an SSH agent in FIPS mode

The gpg-agent tool creates MD5 fingerprints when adding keys to the ssh-agent program even though FIPS mode disables the MD5 digest. Consequently, the ssh-add utility fails to add the keys to the authentication agent.

Default SELinux policy allows unconfined executables to make their stack executable

The default state of the selinuxuser_execstack boolean in the SELinux policy is on, which means that unconfined executables can make their stack executable. Executables should not use this option, and it might indicate poorly coded executables or a possible attack. However, due to compatibility with other tools, packages, and third-party products, Red Hat cannot change the value of the boolean in the default policy. If your scenario does not depend on such compatibility aspects, you can turn the boolean off in your local policy by entering the command setsebool -P selinuxuser_execstack off.

Remediating service-related rules during kickstart installations might fail

During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service enable or disable state remediation is not needed. Consequently, OpenSCAP might set the services on the installed system to a non-compliant state. As a workaround, you can scan and remediate the system after the kickstart installation. This will fix the service-related issues.

Remediation of SCAP Audit rules fails incorrectly

Bash remediation of some SCAP rules related to Audit configuration does not add the Audit key when remediating. This applies to the following rules:

SSH timeout rules in STIG profiles configure incorrect options

An update of OpenSSH affected the rules in the following Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) profiles:

Keylime might fail attestation of systems that access multiple IMA-measured files

If a system that runs the Keylime agent accesses multiple files measured by the Integrity Measurement Architecture (IMA) in quick succession, the Keylime verifier might incorrectly process the IMA log additions. As a consequence, the running hash does not match the correct Platform Configuration Register (PCR) state, and the system fails attestation. There is currently no workaround.

Keylime measured boot policy generation script might cause a segmentation fault and core dump

The create_mb_refstate script, which generates policies for measure boot attestation in Keylime, might incorrectly calculate the data length in the DevicePath field instead of using the value of the LengthOfDevicePath field when handling the output of the tpm2_eventlog tool depending on the input provided. As a consequence, the script tries to access invalid memory using the incorrectly calculated length, which results in a segmentation fault and core dump. The main functionality of Keylime is not affected by this problem, but you might be unable to generate a measured boot policy.

Some TPM certificates cause Keylime registrar to crash

The require_ek_cert configuration option in tenant.conf, which should be enabled in production deployments, determines whether the Keylime tenant requires an endorsement key (EK) certificate from the Trusted Platform Module (TPM). When performing the initial identity quote with require_ek_cert enabled, Kelime attempts to verify whether the TPM device on the agent is genuine by comparing the EK certificate against the trusted certificates present in the Keylime TPM certificate store. However, some certificates in the store are malformed x509 certificates and cause the Keylime registrar to crash. There is currently no simple workaround to this problem, except for setting require_ek_cert to false, and defining a custom script in the ek_check_script option that will perform EK validation.

The nm-cloud-setup service removes manually-configured secondary IP addresses from interfaces

Based on the information received from the cloud environment, the nm-cloud-setup service configures network interfaces. Disable nm-cloud-setup to manually configure interfaces. However, in certain cases, other services on the host can configure interfaces as well. For example, these services could add secondary IP addresses. To avoid that nm-cloud-setup removes secondary IP addresses:

Failure to update the session key causes the connection to break

Kernel Transport Layer Security (kTLS) protocol does not support updating the session key, which is used by the symmetric cipher. Consequently, the user cannot update the key, which causes a connection break. To work around this problem, disable kTLS. As a result, with the workaround, it is possible to successfully update the session key.

The initscripts package is not installed by default

By default, the initscripts package is not installed. As a consequence, the ifup and ifdown utilities are not available. As an alternative, use the nmcli connection up and nmcli connection down commands to enable and disable connections. If the suggested alternative does not work for you, report the problem and install the NetworkManager-initscripts-updown package, which provides a NetworkManager solution for the ifup and ifdown utilities.

The mlx5 driver fails while using Mellanox ConnectX-5 adapter

In Ethernet switch device driver model (switchdev) mode, mlx5 driver fails when configured with device managed flow steering (DMFS) parameter and ConnectX-5 adapter supported hardware. As a consequence, you can see the following error message:

FADump enabled with Secure Boot might lead to GRUB Out of Memory (OOM)

In the Secure Boot environment, GRUB and PowerVM together allocate a 512 MB memory region, known as the Real Mode Area (RMA), for boot memory. The region is divided among the boot components and, if any component exceeds its allocation, out-of-memory failures occur.

weak-modules from kmod fails to work with module inter-dependencies

The weak-modules script provided by the kmod package determines which modules are kABI-compatible with installed kernels. However, while checking modules' kernel compatibility, weak-modules processes modules symbol dependencies from higher to lower release of the kernel for which they were built. As a consequence, modules with inter-dependencies built against different kernel releases might be interpreted as non-compatible, and therefore the weak-modules script fails to work in this scenario.

The kdump service fails to build the initrd file on IBM Z systems

On the 64-bit IBM Z systems, the kdump service fails to load the initial RAM disk (initrd) when znet related configuration information such as s390-subchannels reside in an inactive NetworkManager connection profile. Consequently, the kdump mechanism fails with the following error:

The kdump mechanism fails to capture the vmcore file on LUKS-encrypted targets

When running kdump on systems with Linux Unified Key Setup (LUKS) encrypted partitions, systems require a certain amount of available memory. When the available memory is less than the required amount of memory, the systemd-cryptsetup service fails to mount the partition. Consequently, the second kernel fails to capture the crash dump file (vmcore) on LUKS-encrypted targets.

Allocating crash kernel memory fails at boot time

On certain Ampere Altra systems, allocating the crash kernel memory for kdump usage fails during boot when the available memory is below 1 GB. Consequently, the kdumpctl command fails to start the kdump service.

The Delay Accounting functionality does not display the SWAPIN and IO% statistics columns by default

The Delayed Accounting functionality, unlike early versions, is disabled by default. Consequently, the iotop application does not show the SWAPIN and IO% statistics columns and displays the following warning:

kTLS does not support offloading of TLS 1.3 to NICs

Kernel Transport Layer Security (kTLS) does not support offloading of TLS 1.3 to NICs. Consequently, software encryption is used with TLS 1.3 even when the NICs support TLS offload. To work around this problem, disable TLS 1.3 if offload is required. As a result, you can offload only TLS 1.2. When TLS 1.3 is in use, there is lower performance, since TLS 1.3 cannot be offloaded.

The iwl7260-firmware breaks Wi-Fi on Intel Wi-Fi 6 AX200, AX210, and Lenovo ThinkPad P1 Gen 4

After updating the iwl7260-firmware or iwl7260-wifi driver to the version provided by RHEL 8.7 and/or RHEL 9.1 (and later), the hardware gets into an incorrect internal state. reports its state incorrectly. Consequently, Intel Wifi 6 cards may not work and display the error message:

dkms provides an incorrect warning on program failure with correctly compiled drivers on 64-bit ARM CPUs

The Dynamic Kernel Module Support (dkms) utility does not recognize that the kernel headers for 64-bit ARM CPUs work for both the kernels with 4 kilobytes and 64 kilobytes page sizes. As a result, when the kernel update is performed and the kernel-64k-devel package is not installed, dkms provides an incorrect warning on why the program failed on correctly compiled drivers. To work around this problem, install the kernel-headers package, which contains header files for both types of ARM CPU architectures and is not specific to dkms and its requirements.

The behavior of grubby diverges from its documentation

When you add a new kernel using the grubby tool and do not specify any arguments, grubby passes the default arguments to the new entry. This behavior occurs even without passing the --copy-default argument. Using --args and --copy-default options ensures those arguments are appended to the default arguments as stated in the grubby documentation.

RHEL instances on Azure fail to boot if provisioned by cloud-init and configured with an NFSv3 mount entry

Currently, booting a RHEL virtual machine (VM) on the Microsoft Azure cloud platform fails if the VM was provisioned by the cloud-init tool and the guest operating system of the VM has an NFSv3 mount entry in the /etc/fstab file.

Anaconda fails to login iSCSI server using the no authentication method after unsuccessful CHAP authentication attempt

When you add iSCSI discs using CHAP authentication and the login attempt fails due to incorrect credentials, a relogin attempt to the discs with the no authentication method fails. To workaround this problem, close the current session and login using the no authentication method.

Device Mapper Multipath is not supported with NVMe/TCP

Using Device Mapper Multipath with the nvme-tcp driver can result in the Call Trace warnings and system instability. To work around this problem, NVMe/TCP users must enable native NVMe multipathing and not use the device-mapper-multipath tools with NVMe.

The blk-availability systemd service deactivates complex device stacks

In systemd, the default block deactivation code does not always handle complex stacks of virtual block devices correctly. In some configurations, virtual devices might not be removed during the shutdown, which causes error messages to be logged. To work around this problem, deactivate complex block device stacks by executing the following command:

supported_speeds sysfs attribute reports incorrect speed values

Previously, due to an incorrect definition in the qla2xxx driver, the supported_speeds sysfs attribute for the HBA reported 20 Gb/s speed instead of the expected 64 Gb/s speed. Consequently, if the HBA supported 64 Gb/s link speed, the sysfs supported_speeds value was incorrect, which affected the reported speed value.

The --ssl-fips-mode option in MySQL and MariaDB does not change FIPS mode

The --ssl-fips-mode option in MySQL and MariaDB in RHEL works differently than in upstream.

Certain symbol-based probes do not work in SystemTap on the 64-bit ARM architecture

Kernel configuration disables certain functionality needed for SystemTap. Consequently, some symbol-based probes do not work on the 64-bit ARM architecture. As a result, affected SystemTap scripts may not run or may not collect hits on desired probe points.

MIT Kerberos does not support ECC certificates for PKINIT

MIT Kerberos does not implement the RFC5349 request for comments document, which describes the design of elliptic-curve cryptography (ECC) support in Public Key Cryptography for initial authentication (PKINIT). Consequently, the MIT krb5-pkinit package, used by RHEL, does not support ECC certificates. For more information, see Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT).

The DEFAULT:SHA1 sub-policy has to be set on RHEL 9 clients for PKINIT to work against AD KDCs

The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 algorithm.

The PKINIT authentication of a user fails if a RHEL 9 Kerberos agent communicates with a non-RHEL-9 and non-AD Kerberos agent

If a RHEL 9 Kerberos agent, either a client or Kerberos Distribution Center (KDC), interacts with a non-RHEL-9 Kerberos agent that is not an Active Directory (AD) agent, the PKINIT authentication of the user fails. To work around the problem, perform one of the following actions:

FIPS support for AD trust requires the AD-SUPPORT crypto sub-policy

Active Directory (AD) uses AES SHA-1 HMAC encryption types, which are not allowed in FIPS mode on RHEL 9 by default. If you want to use RHEL 9 IdM hosts with an AD trust, enable support for AES SHA-1 HMAC encryption types before installing IdM software.

Heimdal client fails to authenticate a user using PKINIT against RHEL 9 KDC

By default, a Heimdal Kerberos client initiates the PKINIT authentication of an IdM user by using Modular Exponential (MODP) Diffie-Hellman Group 2 for Internet Key Exchange (IKE). However, the MIT Kerberos Distribution Center (KDC) on RHEL 9 only supports MODP Group 14 and 16.

IdM in FIPS mode does not support using the NTLMSSP protocol to establish a two-way cross-forest trust

Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the RC4 NTLM hash that the AD domain controller uses when attempting to authenticate.

IdM to AD cross-realm TGS requests fail

The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD).

IdM Vault encryption and decryption fails in FIPS mode

The OpenSSL RSA-PKCS1v15 padding encryption is blocked if FIPS mode is enabled. Consequently, Identity Management (IdM) Vaults fail to work correctly as IdM is currently using the PKCS1v15 padding for wrapping the session key with the transport certificate.

Migrated IdM users might be unable to log in due to mismatching domain SIDs

If you have used the ipa migrate-ds script to migrate users from one IdM deployment to another, those users might have problems using IdM services because their previously existing Security Identifiers (SIDs) do not have the domain SID of the current IdM environment. For example, those users can retrieve a Kerberos ticket with the kinit utility, but they cannot log in. To work around this problem, see the following Knowledgebase article: Migrated IdM users unable to log in due to mismatching domain SIDs.

Directory Server terminates unexpectedly when started in referral mode

Due to a bug, global referral mode does not work in Directory Server. If you start the ns-slapd process with the refer option as the dirsrv user, Directory Server ignores the port settings and terminates unexpectedly. Trying to run the process as the root user changes SELinux labels and prevents the service from starting in future in normal mode. There are no workarounds available.

Configuring a referral for a suffix fails in Directory Server

If you set a back-end referral in Directory Server, setting the state of the backend using the dsconf <instance_name> backend suffix set --state referral command fails with the following error:

The dsconf utility has no option to create fix-up tasks for the entryUUID plug-in

The dsconf utility does not provide an option to create fix-up tasks for the entryUUID plug-in. As a result, administrators cannot not use dsconf to create a task to automatically add entryUUID attributes to existing entries. As a workaround, create a task manually:

Potential risk when using the default value for ldap_id_use_start_tls option

When using ldap:// without TLS for identity lookups, it can pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.

Firefox add-ons are disabled after upgrading to RHEL 9

If you upgrade from RHEL 8 to RHEL 9, all add-ons that you previously enabled in Firefox are disabled.

User Creation screen is unresponsive

When installing RHEL using a graphical user interface, the User Creation screen is unresponsive. As a consequence, creating users during installation is more difficult.

VNC is not running after upgrading to RHEL 9

After upgrading from RHEL 8 to RHEL 9, the VNC server fails to start, even if it was previously enabled.

Matrox G200e shows no output on a VGA display

Your display might show no graphical output if you use the following system configuration:

X.org configuration utilities do not work under Wayland

X.org utilities for manipulating the screen do not work in the Wayland session. Notably, the xrandr utility does not work under Wayland due to its different approach to handling, resolutions, rotations, and layout.

NVIDIA drivers might revert to X.org

Under certain conditions, the proprietary NVIDIA drivers disable the Wayland display protocol and revert to the X.org display server:

Night Light is not available on Wayland with NVIDIA

When the proprietary NVIDIA drivers are enabled on your system, the Night Light feature of GNOME is not available in Wayland sessions. The NVIDIA drivers do not currently support Night Light.

VNC console works incorrectly at certain resolutions

When using the Virtual Network Computing (VNC) console under certain display resolutions, you might experience a mouse offset issue or you might see only a part of the interface. Consequently, using the VNC console might not be possible. To work around this issue, you can try expanding the size of the VNC console or use the Desktop Viewer in the Console tab to launch the remote viewer instead.

Installing a virtual machine over https or ssh in some cases fails

Currently, the virt-install utility fails when attempting to install a guest operating system (OS) from an ISO source over a https or ssh connection - for example using virt-install --cdrom https://example/path/to/image.iso. Instead of creating a virtual machine (VM), the described operation terminates unexpectedly with an internal error: process exited while connecting to monitor message.

Using NVIDIA drivers in virtual machines disables Wayland

Currently, NVIDIA drivers are not compatible with the Wayland graphical session. As a consequence, RHEL guest operating systems that use NVIDIA drivers automatically disable Wayland and load an Xorg session instead. This primarily occurs in the following scenarios:

The Milan VM CPU type is sometimes not available on AMD Milan systems

On certain AMD Milan systems, the Enhanced REP MOVSB (erms) and Fast Short REP MOVSB (fsrm) feature flags are disabled in the BIOS by default. Consequently, the Milan CPU type might not be available on these systems. In addition, VM live migration between Milan hosts with different feature flag settings might fail. To work around these problems, manually turn on erms and fsrm in the BIOS of your host.

Disabling AVX causes VMs to become unbootable

On a host machine that uses a CPU with Advanced Vector Extensions (AVX) support, attempting to boot a VM with AVX explicitly disabled currently fails, and instead triggers a kernel panic in the VM.

VNC is unable to connect to UEFI VMs after migration

If you enable or disable a message queue while migrating a virtual machine (VM), the Virtual Network Computing (VNC) client will fail to connect to the VM after the migration is complete.

Failover virtio NICs are not assigned an IP address on Windows virtual machines

Currently, when starting a Windows virtual machine (VM) with only a failover virtio NIC, the VM fails to assign an IP address to the NIC. Consequently, the NIC is unable to set up a network connection. Currently, there is no workaround.

Windows VM fails to get IP address after network interface reset

Sometimes, Windows virtual machines fail to get an IP address after an automatic network interface reset. As a consequence, the VM fails to connect to the network. To work around this problem, disable and re-enable the network adapter driver in the Windows Device Manager.

Broadcom network adapters work incorrectly on Windows VMs after a live migration

Currently, network adapters from the Broadcom family of devices, such as Broadcom, Qlogic, or Marvell, cannot be hot-unplugged during live migration of Windows virtual machines (VMs). As a consequence, the adapters work incorrectly after the migration is complete.

A hostdev interface with failover settings cannot be hot-plugged after being hot-unplugged

After removing a hostdev network interface with failover configuration from a running virtual machine (VM), the interface currently cannot be re-attached to the same running VM.

Live post-copy migration of VMs with failover VFs fails

Currently, attempting to post-copy migrate a running virtual machine (VM) fails if the VM uses a device with the virtual function (VF) failover capability enabled. To work around the problem, use the standard migration type, rather than post-copy migration.

Host network cannot ping VMs with VFs during live migration

When live migrating a virtual machine (VM) with a configured virtual function (VF), such as a VMs that uses virtual SR-IOV software, the network of the VM is not visible to other devices and the VM cannot be reached by commands such as ping. After the migration is finished, however, the problem no longer occurs.

Using a large number of queues might cause Windows virtual machines to fail

Windows virtual machines (VMs) might fail when the virtual Trusted Platform Module (vTPM) device is enabled and the multi-queue virtio-net feature is configured to use more than 250 queues.

PCIe ATS devices do not work on Windows VMs

When you configure a PCIe Address Translation Services (ATS) device in the XML configuration of virtual machine (VM) with a Windows guest operating system, the guest does not enable the ATS device after booting the VM. This is because Windows currently does not support ATS on virtio devices.

Cloning or restoring RHEL 9 virtual machines that use LVM on Nutanix AHV causes non-root partitions to disappear

When running a RHEL 9 guest operating system on a virtual machine (VM) hosted on the Nutanix AHV hypervisor, restoring the VM from a snapshot or cloning the VM currently causes non-root partitions in the VM to disappear if the guest is using Logical Volume Management (LVM). As a consequence, the following problems occur:

Customizing RHEL 9 guests on ESXi sometimes causes networking problems

Currently, customizing a RHEL 9 guest operating system in the VMware ESXi hypervisor does not work correctly with NetworkManager key files. As a consequence, if the guest is using such a key file, it will have incorrect network settings, such as the IP address or the gateway.

Setting static IP in a RHEL virtual machine on a VMware host does not work

Currently, when using RHEL as a guest operating system of a virtual machine (VM) on a VMware host, the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init utility to set the VM’s network to static IP and then reboot the VM, the VM’s network will be changed to DHCP.

Timeout when running sos report on IBM Power Systems, Little Endian

When running the sos report command on IBM Power Systems, Little Endian with hundreds or thousands of CPUs, the processor plugin reaches its default timeout of 300 seconds when collecting huge content of the /sys/devices/system/cpu directory. As a workaround, increase the plugin’s timeout accordingly:

Running systemd within an older container image does not work

Running systemd within an older container image, for example, centos:7, does not work: