A new and improved way to create blueprints and images in the image builder web console

With this enhancement, you have access to a unified version of the image builder tool and a significant improvement in your user experience.

Ability to create customized files and directories in the /etc directory

With this enhancement, two new blueprint customizations are available. The [[customizations.files]] and the [[customizations.directories]] blueprint customizations enable you to create customized files and directories in the /etc directory of your image. Currently, you can use these customization only in the /etc directory.

Ability to specify user in a blueprint for simplified-installer images

Previously, when creating a blueprint for a simplified-installer image, you could not specify a user in the blueprint customization, because the customization was not used and was discarded. With this update, when you create an image from the blueprint, this blueprint creates a user under the /usr/lib/passwd directory and a password under the /usr/etc/shadow directory during installation time. You can log in to the device with the username and the password you created for the blueprint. Note that after you access the system, you need to create users, for example, using the useradd command.

Support for 64-bit ARM for .vhd images built with image builder

Previously, Microsoft Azure .vhd images created with the image builder tool were not supported on 64-bit ARM architectures. This update adds support for 64-bit ARM Microsoft Azure .vhd images and now you can build your .vhd images using image builder and upload them to the Microsoft Azure cloud.

Minimal RHEL installation now installs only the s390utils-core package

In RHEL 8.4 and later, the s390utils-base package is split into an s390utils-core package and an auxiliary s390utils-base package. As a result, setting the RHEL installation to minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you want to use the s390utils-base package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base using a kickstart file.

Ignition support in RHEL for Edge Simplified images

With this enhancement, you can add an Ignition file to the Simplified Installer images by customizing your blueprint. Both GUI and CLI have support for the Ignition customization. RHEL for Edge uses the Ignition provisioning utility to inject the user configuration into the images at an early stage of the boot process. On the first boot, Ignition reads its configuration either from a remote URL or a file embedded in the Simplified Installer image and applies that configuration into the image.

Simplified Installer images can now be composed without the FDO customization section in the blueprint

Previously, to build a RHEL for Edge Simplified Installer image, you had to add details to the FIDO device onboarding (FDO) customization section. Otherwise, the image build would fail. With this update, the FDO customization in blueprints is now optional, and you can build RHEL for Edge Simplified Installer image with no errors.

Red Hat build of MicroShift enablement for RHEL for Edge images

With this enhancement, you can enable Red Hat build of MicroShift services in a RHEL for Edge system. By using the [[customizations.firewalld.zones]] blueprint customization, you can add support for firewalld sources in the blueprint customization. For that, specify a name for the zone and a list of sources in that specific zone. Sources can be of the form source[/mask]|MAC|ipset:ipset.

New dnf offline-upgrade command for offline updates on RHEL

With this enhancement, you can apply offline updates to RHEL by using the new dnf offline-upgrade command from the DNF system-upgrade plug-in.

Applying advisory security filters to dnf offline-upgrade is now supported

With this enhancement, the new functionality for advisories filtering has been added. As a result, you can now download packages and their dependencies only from the specified advisory by using the dnf offline-upgrade command with advisory security filters (--advisory, --security, --bugfix, and other filters).

The unload_plugins function is now available for the DNF API

With this enhancement, a new unload_plugins function has been added to the DNF API to allow plug-ins unloading.

New --nocompression option for rpm2archive

With this enhancement, the --nocompression option has been added to the rpm2archive utility. You can use this option to avoid compression when directly unpacking an RPM package.

ReaR is now fully supported also on the 64-bit IBM Z architecture

Basic Relax and Recover (ReaR) functionality, previously available on the 64-bit IBM Z architecture as a Technology Preview, is fully supported with the rear package version 2.6-17.el9 or later. You can create a ReaR rescue image on the IBM Z architecture in the z/VM environment only. Backing up and recovering logical partitions (LPARs) is not supported at the moment. ReaR supports saving and restoring disk layout only on Extended Count Key Data (ECKD) direct access storage devices (DASDs). Fixed Block Access (FBA) DASDs and SCSI disks attached through Fibre Channel Protocol (FCP) are not supported for this purpose. The only output method currently available is Initial Program Load (IPL), which produces a kernel and an initial ramdisk (initrd) compatible with the zIPL bootloader.

systemd rebased to version 252

The systemd package has been upgraded to version 252. Notable changes include:

Updated systemd-udevd assigns consistent network device names to InfiniBand interfaces

Introduced in RHEL 9, the new version of the systemd package contains the updated systemd-udevd device manager. The device manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd.

chrony rebased to version 4.3

The chrony suite has been updated to version 4.3. Notable enhancements over version 4.2 include:

frr rebased to version 8.3.1

The frr package for managing dynamic routing stack has been updated to version 8.3.1. Notable changes over version 8.2.2 include:

vsftpd rebased to version 3.0.5

The Very Secure FTP Daemon (vsftpd) provides a secure method of transferring files between hosts. The vsftpd package has been updated to version 3.0.5. Notable changes and enhancements include the following SSL modernizations:

The frr package now contains targeted SELinux policy

Due to the fast development of the frr package for managing dynamic routing stack, new features and access vector cache (AVC) issues arose frequently. With this enhancement, the SELinux rules are now packaged together with FRR to address any issues faster. SELinux adds an additional level of protection to the package by enforcing mandatory access control policies.

powertop rebased to version 2.15

The powertop package for improving the energy efficiency has been updated to version 2.15. Notable changes and enhancements include:

The systemd-sysusers utility is available in the chrony, dhcp, radvd, and squid packages

The systemd-sysusers utility creates system users and groups during package installation and removes them during a removal of the package. With this enhancement, the following packages contain the systemd-sysusers utility in their scriptlets:

New synce4l package for frequency synchronization is now available

SyncE (Synchronous Ethernet) is a hardware feature that enables PTP clocks to achieve precise synchronization of frequency at the physical layer. SyncE is supported in certain network interface cards (NICs) and network switches.

tuned rebased to version 2.20.0

The TuneD utility for optimizing the performance of applications and workloads has been updated to version 2.20.0. Notable changes and enhancements over version 2.19.0 include:

Libreswan rebased to 4.9

The libreswan packages have been upgraded to version 4.9. Notable changes over the previous version include:

OpenSSL rebased to 3.0.7

The OpenSSL packages have been rebased to version 3.0.7, which contains various bug fixes and enhancements. Most notably, the default provider now includes the RIPEMD160 hash function.

libssh now supports smart cards

You can now use smart cards through Public-Key Cryptography Standard (PKCS) #11 Uniform Resource Identifier (URI). As a result, you can use smart cards with the libssh SSH library and with applications that use libssh.

libssh rebased to 0.10.4

The libssh library, which implements the SSH protocol for secure remote access and file transfer between machines, has been updated to version 0.10.4.

SELinux user-space packages updated to 3.5

The SELinux user-space packages libselinux, libsepol, libsemanage, checkpolicy, mcstrans, and policycoreutils, which includes the sepolicy utility, have been updated to version 3.5. Notable enhancements and bug fixes include:

OpenSCAP rebased to 1.3.7

The OpenSCAP packages have been rebased to upstream version 1.3.7. This version provides various bug fixes and enhancements, most notably:

SCAP Security Guide rebased to 0.1.66

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.66. This version provides various enhancements and bug fixes, most notably:

New SCAP rule for idle session termination

New SCAP rule logind_session_timeout has been added to the scap-security-guide package in ANSSI-BP-028 profiles for Enhanced and High levels. This rule uses a new feature of the systemd service manager and terminates idle user sessions after a certain time. This rule provides automatic configuration of a robust idle session termination mechanism which is required by multiple security policies. As a result, OpenSCAP can automatically check the security requirement related to terminating idle user sessions and, if necessary, remediate it.

scap-security-guide rules for Rsyslog log files are compatible with RainerScript logs

Rules in scap-security-guide for checking and remediating ownership, group ownership, and permissions of Rsyslog log files are now also compatible with the RainerScript syntax. Modern systems already use the RainerScript syntax in Rsyslog configuration files and the respective rules were not able to recognize this syntax. As a result, scap-security-guide rules can now check and remediate ownership, group ownership, and permissions of Rsyslog log files in both available syntaxes.

Keylime rebased to 6.5.2

The keylime packages have been rebased to upstream version - keylime-6.5.2-5.el9. This version contains various enhancements and bug fixes, most notably the following:

Clevis accepts external tokens

With the new -e option introduced to the Clevis automated encryption tool, you can provide an external token ID to avoid entering your password during cryptsetup. This feature makes the configuration process more automated and convenient, and is useful particularly for packages such as stratis that use Clevis.

Rsyslog TLS-encrypted logging now supports multiple CA files

With the new NetstreamDriverCaExtraFiles directive, you can specify a list of additional certificate authority (CA) files for TLS-encrypted remote logging. Note that the new directive is available only for the ossl (OpenSSL) Rsyslog network stream driver.

Rsyslog privileges are limited

The privileges of the Rsyslog log processing system are now limited to only the privileges explicitly required by Rsyslog. This minimizes security exposure in case of a potential error in input resources, for example, a networking plugin. As a result, Rsyslog has the same functionality but does not have unnecessary privileges.

SELinux policy allows Rsyslog to drop privileges at start

Because the privileges of the Rsyslog log processing system are now more limited to minimize security exposure (RHBZ#2127404), the SELinux policy has been updated to allow the rsyslog service to drop privileges at start.

Tang now uses systemd-sysusers

The Tang network presence server now adds system users and groups through the systemd-sysusers service instead of shell scripts containing useradd commands. This simplifies checking of the system user list, and you can also override definitions of system users by providing sysuser.d files with higher priority.

opencryptoki rebased to 3.19.0

The opencryptoki package has been rebased to version 3.19.0, which provides many enhancements and bug fixes. Most notably, opencryptoki now supports the following features:

SELinux now confines mptcpd and udftools

With this update of the selinux-policy packages, SELinux confines the following services:

fapolicyd now provides filtering of the RPM database

With the new configuration file /etc/fapolicyd/rpm-filter.conf, you can customize the list of RPM-database files that the fapolicyd software framework stores in the trust database. This way, you can block certain applications installed by RPM or allow an application denied by the default configuration filter.

GnuTLS can add and remove padding during decryption and encryption

The implementation of certain protocols requires PKCS#7 padding during decryption and encryption. The gnutls_cipher_encrypt3 and gnutls_cipher_decrypt3 block cipher functions have been added to GnuTLS to transparently handle padding. As a result, you can now use these functions in combination with the GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add or remove padding if the length of the original plaintext is not a multiple of the block size.

NSS no longer support RSA keys shorter than 1023 bits

The update of the Network Security Services (NSS) libraries changes the minimum key size for all RSA operations from 128 to 1023 bits. This means that NSS no longer perform the following functions:

The Extended Master Secret TLS Extension is now enforced on FIPS-enabled systems

With the release of the RHSA-2023:3722 advisory, the TLS Extended Master Secret (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with FIPS-140-3 requirements. TLS 1.3 is not affected.

NetworkManager rebased to version 1.42.2

The NetworkManager packages have been upgraded to upstream version 1.42.2, which provides a number of enhancements and bug fixes over the previous version:

Introduction of the weight property in ECMP routing with NetworkManager

With this update, RHEL 9 supports a new property weight when defining IPv4 Equal-Cost Multi-Path (ECMP) routes. You can configure multipath routing using NetworkManager to load-balance and stabilize network traffic. This allows for multiple paths to be used for data transmission between two nodes, which improves the network efficiency and provides redundancy in the event of a link failure. Conditions for using the weight property include:

NetworkManager update brings improved flexibility for DNS configuration across multiple networks

With this update, you can use the existing [global-dns] section in the /etc/Networkmanager/NetworkManager.conf file to configure DNS options without specifying the nameserver value in the [global-dns-domain-*] section. This enables you to configure DNS options in the /etc/resolv.conf file while still relying on the DNS servers provided by the network connection for actual DNS resolution. As a result, the feature makes it easier and more flexible to manage your DNS settings when connecting to different networks with different DNS servers. Especially when you use the /etc/resolv.conf file to configure DNS options.

NetworkManager now supports a new vlan.protocol property

With this update, the vlan interface type now accepts a new protocol property. The property type is string. The accepted values are either 802.1Q (default), or 802.1ad. The new property specifies which VLAN protocol controls the tag identifier for encapsulation.

NetworkManager now allows VLAN configuration over unmanaged interface

With this enhancement, you can use an unmanaged networking interface as a base interface when configuring virtual LAN (VLAN) with NetworkManager. As a result, the VLAN base interface remains intact unless changed explicitly through the nmcli device set enp1s0 managed true command or other API of NetworkManager.

Configuring Multipath TCP using NetworkManager is now fully supported

With this update, the NetworkManager utility provides you with the Multipath TCP (MPTCP) functionality. You can use nmcli commands to control MPTCP and make its settings persistent.

The NetworkManager utility now supports activating connections on the loopback interface

Administrators can manage the loopback interface to:

The balance-slb bonding mode is now supported

The new balance-slb bonding mode Source load balancing requires no switch configuration. The balance-slb divides traffic on the source ethernet address using xmit_hash_policy=vlan+srcmac, and NetworkManager adds necessary nftables rules for traffic filtering. As a result, you can now create bond profiles with the balance-slb option enabled by using NetworkManager.

firewalld rebased to version 1.2

The firewalld package has been upgraded to version 1.2, which provides multiple enhancements. Notable changes include:

The firewalld now supports the startup failsafe mechanism

With this enhancement, firewalld will fall back to failsafe defaults in case of a startup failure. This feature protects the host in case of invalid configurations or other startup issues. As a result, even if the user configuration is invalid, hosts running firewalld are now startup failsafe.

conntrack-tools rebased to version 1.4.7

The conntrack-tools package has been upgraded to version 1.4.7, which provides multiple bug fixes and enhancements. Notable changes include:

The nmstate API now supports IPv6 link-local addresses as DNS servers

With this enhancement, you can use the nmstate API to set IPv6 link-local addresses as DNS servers. Use the <link-local_address>%<interface> format, for example:

The nmstate API now supports MPTCP flags

This update enhances the nmstate API with support for MultiPath TCP (MPTCP) flags. As a result, you can use nmstate to set MPTCP address flags on interfaces with static or dynamic IP addresses.

The min-mtu and max-mtu properties added to MTU on all interfaces

Previously, an exception message was not clear enough to understand the supported MTU ranges. This update introduces the min-mtu and max-mtu properties to all interfaces. As a result, nmstate will indicate the supported MTU range when the desired MTU is out of range.

NetworkManager now allows VLAN configuration over unmanaged interface

With this enhancement, you can use an unmanaged networking interface as a base interface when configuring virtual LAN (VLAN) with NetworkManager. As a result, the VLAN base interface remains intact unless changed explicitly through the nmcli device set enp1s0 managed true command or other API of NetworkManager.

The balance-slb bonding mode is now supported

The new balance-slb bonding mode Source load balancing requires no switch configuration. The balance-slb divides traffic on the source Ethernet address using xmit_hash_policy=vlan+srcmac, and NetworkManager adds necessary nftables rules for traffic filtering. As a result, you can now create bond profiles with the balance-slb option enabled by using NetworkManager.

A new weight property in Nmstate

This update introduces the weight property in the Nmstate API and tooling suite. You can use weight to specify the relative weight of each path in the Equal Cost Multi-Path routes (ECMP) group. The weight is a number between 1 and 256. As a result, weight property in Nmstate provides greater flexibility and control over traffic distribution in an ECMP group.

xdp-tools rebased to version 1.3.1

The xdp-tools packages have been upgraded to upstream version 1.3.1, which provides a number of enhancements and bug fixes over the previous version:

iproute rebased to version 6.1.0

The iproute package has been upgraded to version 6.1.0, which provides multiple bug fixes and enhancements. Notable changes include:

The kernel now logs the listening address in SYN flood messages

This enhancement adds the listening IP address to SYN flood messages:

Kernel version in RHEL 9.2

Red Hat Enterprise Linux 9.2 is distributed with the kernel version 5.14.0-284.11.1.

The 64k page size kernel is now available

In addition to the RHEL 9 for ARM kernel which supports 4k pages, Red Hat now offers an optional kernel package that supports 64k pages: kernel-64k.

virtiofs support for kexec-tools enabled

This enhancement adds the virtiofs feature for kexec-tools by introducing the new option, virtiofs myfs, where myfs is a variable tag name to set in the qemu command line, for example, -device vhost-user-fs-pci,tag=myfs

The kexec-tools package now adds improvements on remote kdump targets

With this enhancement, the kexec-tools package adds significant bug fixes and enhancements. The most notable changes include:

BPF rebased to version 6.0

The Berkeley Packet Filter (BPF) facility has been rebased to Linux kernel version 6.0 with multiple enhancements. This update enables all the BPF features that depend on the BPF Type Format (BTF) for kernel modules. Such features include the usage of BPF trampolines for tracing, the availability of the Compile Once - Run Everywhere (CO-RE) mechanism, and several networking-related features. Furthermore, the kernel modules now contain debugging information, which means that you no longer need to install debuginfo packages to inspect the running modules.

The rtla meta-tool adds the osnoise and timerlat tracers for improved tracing capabilities

The Real-Time Linux Analysis (rtla) is a meta-tool that includes a set of commands that analyze the real-time properties of Linux. rtla leverages kernel tracing capabilities to provide precise information about the properties and root causes of unexpected system results. rtla currently adds support for osnoise and timerlat tracer commands:

The argparse module of Tuna now supports configuring CPU sockets

With this enhancement, you can specify a specific CPU socket when you have multiple CPU sockets. You can view the help usage by using the -h on a subcommand, for example, tuna show_threads -h.

The output format for cgroups and irqs in Tuna is improved to provide better readability

With this enhancement, the tuna show_threads command output for the cgroup utility is now structured based on the terminal size. You can also configure additional spacing to the cgroups output by adding the new -z or --spaced option to the show_threads command.

A new command line interface has been added to the tuna tool in real-time

This enhancement adds a new command line interface to the tuna tool, which is based on the argparse parsing module. With this update, you can now perform the following tasks:

The rteval command output now includes the program loads and measurement threads information

The rteval command now displays a report summary with the number of program loads, measurement threads, and the corresponding CPU that ran these threads. This information helps to evaluate the performance of a real-time kernel under load on specific hardware platforms.

The -W and --bucket-width options has been added to the oslat program to measure latency

With this enhancement, you can specify a latency range for a single bucket at nanoseconds accuracy. Widths that are not multiples of 1000 nanoseconds indicate nanosecond precision. By using the new options, -W or --bucket-width, you can modify the latency interval between buckets to measure latency within sub-microseconds delay time.

The NVMe/FC transport protocol enabled as the kdump storage target

The kdump mechanism now provides the support for Nonvolatile Memory Express (NVMe) over Fibre Channel (NVMe/FC) protocol as the dump target. With this update, you can configure kdump to save kernel crash dump files on NVMe/FC storage targets.

The crash-utility tool has been rebased to version 8.0.2

The crash-utility, which analyzes an active system state or after a kernel crash, has been rebased to version 8.0.2. The notable change includes adding support for multiqueue(blk-mq) devices. By using the dev -d or dev -D command, you can display the disk I/O statistics for multiqueue(blk-mq) devices.

openssl-ibmca rebased to version 2.3.1

The dynamic OpenSSL engine and provider for IBMCA on 64-bit IBM Z architecture have been rebased to upstream version 2.3.1. Users of RHEL 9 are recommended to use the OpenSSL provider to ensure compatibility with future updates of OpenSSL. The engine functionality has been deprecated in OpenSSL version 3.

Secure Execution guest dump encryption with customer keys

This new feature allows hypervisor-initiated dumps for Secure Execution guests to collect kernel crash information from KVM in scenarios in which the kdump utility does not work. Note that hypervisor-initiated dumps for Secure Execution is designed for the IBM Z Series z16 and LinuxONE Emperor 4 hardware.

The TSN protocol for real-time has been enabled on the ADL-S platform

With this enhancement, the IEEE Time Sensitive Networking (TSN) specification enables time synchronization and deterministic processing of real-time workloads over the network on Intel Alder Lake S (ADL-S) platform. It supports the following network devices:

The Intel ice driver rebased to version 6.0.0

The Intel ice driver has been upgraded to upstream version 6.0.0, which provides a number of enhancements and bug fixes over previous versions. The notable enhancements include:

Option to write data for gnss module is now available

This update provides the option of writing data to the gnss receiver. Previously, gnss was not fully configurable. With this enhancement, all gnss functions are now available.

Hosting Secure Boot certificates for IBM zSystems

Starting with IBM z16 A02/AGZ and LinuxONE Rockhopper 4 LA2/AGL, you can manage certificates used to validate Linux kernels when starting the system with Secure Boot enabled on the Hardware Management Console (HMC). Notably:

nvme-cli rebased to version 2.2.1

The nvme-cli packages have been upgraded to version 2.2.1, which provide multiple bug fixes and enhancements. Notable changes include:

libnvme rebased to version 1.2

The libnvme packages have been upgraded to version 1.2, which provide multiple bug fixes and enhancements. The most notable change is a dropped dependency of the libuuid library.

Stratis enforces consistent block size in pools

Stratis now enforces a consistent block size in pools to address potential edge case problems that can occur when mixed block size devices exist within a pool. With this enhancement, users can no longer create a pool or add new devices that have a different block size from the existing devices in the pool. As a result, there is a reduced risk of pool failure.

Support for existing disk growth within the Stratis pool

Previously, when a user added new disks to the RAID array, the size of the RAID array would generally increase. However, in all cases, Stratis ignored the increase in size and continued to use only the space that was available on the RAID array when it was first added to the pool. As a result, Stratis was unable to identify the new device, and users could not increase the size of the pool.

Improved functionality of the lvreduce command

With this enhancement, when the logical volume (LV) is active, the lvreduce command checks if reducing the LV size would damage any file system present on it. If a file system on the LV requires reduction, and the lvreduce resizefs option has not been enabled, then the LV will not be reduced.

Direct I/O alignment information for statx was added

This update introduces a new mask value, "STATX_DIOALIGN", to the statx(2) call. When this value is set in the stx_mask field, it requests stx_dio_mem_align and stx_dio_offset_align values, which indicate the required alignment (in bytes) for user memory buffers and file offsets and I/O segment lengths for direct I/O (O_DIRECT) on this file, respectively. If direct I/O is not supported on the file, both values will be 0. This interface is now implemented for block devices as well as for files on the xfs and ext4 filesystems in RHEL9.

NFSv4.1 session trunking discovery

With this update, the client can use multiple connections to the same server and session, resulting in faster data transfer. When an NFS client mounts a multi-homed NFS server with different IP addresses, only one connection is used by default, ignoring the rest. To improve performance, this update adds support for the trunkdiscovery and max_connect mount options, which enable the client to test each connection and associate multiple connections with the same NFSv4.1+ server and session.

NFS IO sizes can now be set as a multiples of PAGE_SIZE for TCP and RDMA

This update allows users to set NFS IO sizes as a multiples of PAGE_SIZE for TCP and RDMA connections. This offers greater flexibility in optimizing NFS performance for some architectures.

nfsrahead has been added to RHEL 9

With the introduction of the nfsrahead tool, you can use it to modify the readahead value for NFS mounts, and thus affect the NFS read performance.

New enable-authfile Booth configuration option

When you create a Booth configuration to use the Booth ticket manager in a cluster configuration, the pcs booth setup command now enables the new enable-authfile Booth configuration option by default. You can enable this option on an existing cluster with the pcs booth enable-authfile command. Additionally, the pcs status and pcs booth status commands now display warnings when they detect a possible enable-authfile misconfiguration.

pcs can now run the validate-all action of resource and stonith agents

When creating or updating a resource or a STONITH device, you can now specify the --agent-validation option. With this option, pcs uses an agent’s validate-all action, when it is available, in addition to the validation done by pcs based on the agent’s metadata.

Python 3.11 available in RHEL 9

RHEL 9.2 introduces Python 3.11, provided by the new package python3.11 and a suite of packages built for it, as well as the ubi9/python-311 container image.

nodejs:18 rebased to version 18.14 with npm rebased to version 9

The updated Node.js 18.14 includes a SemVer major upgrade of npm from version 8 to version 9. This update was necessary due to maintenance reasons and may require you to adjust your npm configuration.

git rebased to version 2.39.1

The Git version control system has been updated to version 2.39.1, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.31.

git-lfs rebased to version 3.2.0

The Git Large File Storage (LFS) extension has been updated to version 3.2.0, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.13.

A new module stream: nginx:1.22

The nginx 1.22 web and proxy server is now available as the nginx:1.22 module stream. This update provides a number of bug fixes, security fixes, new features, and enhancements over the previously released version 1.20.

mod_security rebased to version 2.9.6

The mod_security module for the Apache HTTP Server has been updated to version 2.9.6, which provides new features, bug fixes, and security fixes over the previously available version 2.9.3.

New packages: tomcat

RHEL 9.2 introduces the Apache Tomcat server version 9. Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0.

A new module stream: postgresql:15

RHEL 9.2 introduces PostgreSQL 15 as the postgresql:15 module stream. PostgreSQL 15 provides a number of new features and enhancements over version 13. Notable changes include:

openblas rebased to version 0.3.21

The OpenBLAS library has been updated to version 0.3.21. This update includes performance optimalization patches for the IBM POWER10 platform.

A new module stream: swig:4.1

RHEL 9.2 introduces the Simplified Wrapper and Interface Generator (SWIG) version 4.1 as the swig:4.1 module stream available in the CodeReady Linux Builder (CRB) repository. Note that packages included in the CodeReady Linux Builder repository are unsupported.

New package: jmc in the CRB repository

RHEL 9.2 introduces the JDK Mission Control (JMC) profiler for HotSpot JVMs version 8.2.0, available as the jmc package in the CodeReady Linux Builder (CRB) repository for the AMD and Intel 64-bit architectures.

OpenJDK service attributes now available in FIPS mode

Previously, cryptographic services and algorithms available for OpenJDK in FIPS mode were too strictly filtered and resulted in unavailable service attributes. With this enhancement, these service attributes are now available in FIPS mode.

Performance Co-Pilot rebased to version 6.0

Performance Co-Pilot (PCP) has been updated to version 6.0. Notable improvements include:

grafana rebased to version 9.0.9

The grafana package has been rebased to version 9.0.9. Notable changes include:

grafana-pcp rebased to version 5.1.1

The grafana-pcp package has been rebased to version 5.1.1. Notable changes include:

Updated GCC Toolset 12

GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

The updated GCC compiler is now available for RHEL 9.2

The system GCC compiler, version 11.3.1, has been updated to include numerous bug fixes and enhancements available in the upstream GCC.

LLVM Toolset rebased to version 15.0.7

LLVM Toolset has been updated to version 15.0.7. Notable changes include:

Rust Toolset rebased to version 1.66.1

Rust Toolset has been updated to version 1.66.1. Notable changes include:

Go Toolset rebased to version 1.19.6

Go Toolset has been updated to version 1.19.6. Notable changes include:

The tzdata package now includes the /usr/share/zoneinfo/leap-seconds.list file

Previously, the tzdata package only shipped the /usr/share/zoneinfo/leapseconds file. Some applications rely on the alternate format provided by the /usr/share/zoneinfo/leap-seconds.list file and, as a consequence, would experience errors.

SSSD support for converting home directories to lowercase

With this enhancement, you can now configure SSSD to convert user home directories to lowercase. This helps to integrate better with the case-sensitive nature of the RHEL environment. The override_homedir option in the [nss] section of the /etc/sssd/sssd.conf file now recognizes the %h template value. If you use %h as part of the override_homedir definition, SSSD replaces %h with the user’s home directory in lowercase.

SSSD now supports changing LDAP user passwords with the shadow password policy

With this enhancement, if you set ldap_pwd_policy to shadow in the /etc/sssd/sssd.conf file, LDAP users can now change their password stored in LDAP. Previously, password changes were rejected if ldap_pwd_policy was set to shadow as it was not clear if the corresponding shadow LDAP attributes were being updated.

IdM now supports the min_lifetime parameter

With this enhancement, the min_lifetime parameter has been added to the /etc/gssproxy/*.conf file. The min_lifetime parameter triggers the renewal of a service ticket in case its remaining lifetime is lower than this value.

The ipapwpolicy ansible-freeipa module now supports new password policy options

With this update, the ipapwpolicy module included in the ansible-freeipa package supports additional libpwquality library options:

IdM now supports the ipanetgroup Ansible management module

As an Identity Management (IdM) system administrator, you can integrate IdM with NIS domains and netgroups. Using the ipanetgroup ansible-freeipa module, you can achieve the following:

New ipaclient_configure_dns_resolver and ipaclient_dns_servers Ansible ipaclient role variables specifying the client’s DNS resolver  

Previously, when using the ansible-freeipa ipaclient role to install an Identity Management (IdM) client, it was not possible to specify the DNS resolver during the installation process. You had to configure the DNS resolver before the installation.   

Using the ipaclient role to install an IdM client with an OTP requires no prior modification of the Ansible controller

Previously, the kinit command on the Ansible controller was a prerequisite for obtaining a one-time-password (OTP) for Identity Management (IdM) client deployment. The need to obtain the OTP on the controller was a problem for Red Hat Ansible Automation Platform (AAP), where the krb5-workstation package was not installed by default.

IdM now enforces the presence of the MS-PAC structure in Kerberos tickets

Starting with RHEL 9.2, to increase security, Identity Management (IdM) and MIT Kerberos now enforce the presence of the Privilege Attribute Certificate (MS-PAC) structure in the Kerberos tickets issued by the RHEL IdM Kerberos Distribution Center (KDC).

New realm configuration template for KDC enabling FIPS 140-3-compliant key encryption

This update provides a new, EXAMPLE.COM, example realm configuration in the /var/kerberos/krb5kdc/kdc.conf file. It brings two changes:

Configure pam_pwhistory using a configuration file

With this update, you can configure the pam_pwhistory module in the /etc/security/pwhistory.conf configuration file. The pam_pwhistory module saves the last password for each user in order to manage password change history. Support has also been added in authselect which allows you to add the pam_pwhistory module to the PAM stack.

IdM now supports new Active Directory certificate mapping templates

Active Directory (AD) domain administrators can manually map certificates to a user in AD using the altSecurityIdentities attribute. There are six supported values for this attribute, though three mappings are now considered insecure. As part of May 10,2022 security update, once this update is installed on a domain controller, all devices are in compatibility mode. If a certificate is weakly mapped to a user, authentication occurs as expected but a warning message is logged identifying the certificates that are not compatible with full enforcement mode. As of November 14, 2023 or later, all devices will be updated to full enforcement mode and if a certificate fails the strong mapping criteria, authentication will be denied.

samba rebased to version 4.17.5

The samba packages have been upgraded to upstream version 4.17.5, which provides bug fixes and enhancements over the previous version. The most notable changes:

ipa-client-install now supports authentication with PKINIT

Previously, the ipa-client-install supported only password based authentication. This update provides support to ipa-client-install for authentication with PKINIT.

Red Hat IdM and Certificate System now support the EST protocol

Enrollment over Secure Transport (EST) is a new Certificate System subsystem feature that is specified in RFC 7030 and it is used to provision certificates from a Certificate Authority (CA). EST implements the server side of the operation, such as /getcacerts, /simpleenroll, and /simplereenroll.

Automatic purging of expired certificates

This update adds an automatic mechanism to purge expired certificates and request records from the database. You can enable this feature based on certain policies, such as search size limit, search time limit, and retention time.

Enhance negative cache usage

This update improves the SSSD performance for lookups by Security Identifier (SID). It now stores non-existing SIDs in the negative cache for individual domains and requests the domain that the SID belongs to.

ACME now supports automatically removing expired certificates

Previously, the Automated Certificate Management Environment (ACME) service in Identity Management (IdM) did not remove expired certificates from the certificate authority (CA). Because ACME issues short-lived, 90-day certificates, expired certificates accumulated in the CA, which affected performance.

Directory server now supports ECDSA private keys for TLS

Previously, you could not use cryptographic algorithms that are stronger than RSA to secure Directory Server connections. With this enhancement, Directory Server now supports both ECDSA and RSA keys.

Directory Server now supports extended logging of search operations

Previously, records in the access log did not show why some search operations had a very big etime value. With this release, you can enable logging of statistics such as a number of index lookups (database read operations) and overall duration of index lookups per each search operation. These statistical records can help to analyze why the etime value can be so resource expensive.

The NUNC_STANS error logging level was replaced by the new 1048576 logging level

Previously, you could not easily debug password policy issues. With the new 1048576 logging level for the error log, you can now check the following password policy information:

Directory Server introduces the security log

To properly track issues over time, Directory Server now has a specialized log that maintains security data. The security log does not rotate quickly and consumes less disk resources in comparison to the access log that has all the information, but requires expensive parsing to get the security data.

Directory Server now can compress archived log files

Previously, archived log files were not compressed. With this release, you can enable access, error, audit, audit fail log, security log files compression to save disk space. Note that only security log file compression is enabled by default.

New nsslapd-auditlog-display-attrs configuration parameter for the Directory Server audit log

Previously, it was difficult to determine who changed an entry if the distinguished name (DN) of the entry did not contain clear identifying information. With the new nsslapd-auditlog-display-attrs parameter, you can set additional attributes that Directory Server displays in the audit log to provide more details about the modified entry.

New pamModuleIsThreadSafe configuration option is now available

When a PAM module is thread-safe, you can improve the PAM authentication throughput and response time of that specific module, by setting the new pamModuleIsThreadSafe configuration option to yes:

Directory Server can now import a certificate bundle

Previously, when you tried to add a certificate bundle by using the dsconf or dsctl utility, the procedure failed with an error, and the certificate bundle was not imported. Such behavior was caused by the certutil utility that could import only one certificate at a time. With this update, Directory Server works around the issue with the certutil, and a certificate bundle is added successfully.

Default behavior change: Directory Server now returns a DN in exactly the same spelling as it was added to the database

With the new nsslapd-return-original-entrydn parameter under the cn=config entry, you can manage how Directory Server returns the distinguished name (DN) of entries during search operations.

Disable swipe to switch workspaces

Previously, swiping up or down with three fingers always switched the workspace on a touch screen. With this release, you can disable the workspace switching.

Wayland is now enabled on Aspeed GPUs

Previously, the Aspeed GPU driver did not perform well enough to run a Wayland session. To work around that problem, the Wayland session was disabled for Aspeed GPUs.

Custom right-click menu on the desktop

You can now customize the menu that opens when you right-click the desktop background. You can create custom entries in the menu that run arbitrary commands.

Certain cryptographic subpolicies are now available in the web console

This update of the RHEL web console extends the options in the Change crypto policy dialog. Besides the four system-wide cryptographic policies, you can also apply the following subpolicies through the graphical interface now:

The web console now performs additional steps for binding LUKS-encrypted root volumes to NBDE

With this update, the RHEL web console performs additional steps required for binding LUKS-encrypted root volumes to Network-Bound Disk Encryption (NBDE) deployments. After you select an encrypted root file system and a Tang server, you can skip adding the rd.neednet=1 parameter to the kernel command line, installing the clevis-dracut package, and regenerating an initial ramdisk (initrd). For non-root file systems, the web console now enables the remote-cryptsetup.target and clevis-luks-akspass.path systemd units, installs the clevis-systemd package, and adds the _netdev parameter to the fstab and crypttab configuration files. As a result, you can now use the graphical interface for all Clevis-client configuration steps when creating NBDE deployments for automated unlocking of LUKS-encrypted root volumes.

Routing rule is able to look up a route table by its name

With this update, the rhel-system-roles.network RHEL System Role supports looking up a route table by its name when you define a routing rule. This feature provides quick navigation for complex network configurations where you need to have different routing rules for different network segments.

The network System Role supports setting a DNS priority value

This enhancement adds the dns_priority parameter to the RHEL network System Role. You can set this parameter to a value from -2147483648 to 2147483647. The default value is 0. Lower values have a higher priority. Note that negative values cause the System Role to exclude other configurations with a greater numeric priority value. Consequently, in presence of at least one negative priority value, the System Role uses only DNS servers from connection profiles with the lowest priority value.

New IPsec customization parameters for the vpn RHEL System Role

Because certain network devices require IPsec customization to work correctly, the following parameters have been added to the vpn RHEL System Role:

The selinux RHEL System Role now supports the local parameter

This update of the selinux RHEL System Role introduces support for the local parameter. By using this parameter, you can remove only your local policy modifications and preserve the built-in SELinux policy.

The ha_cluster System Role now supports automated execution of the firewall, selinux, and certificate System Roles

The ha_cluster RHEL System Role now supports the following features:

The postfix RHEL System Role can now use the firewall and selinux RHEL System Roles to manage port access

With this enhancement, you can automate managing port access by using the new role variables postfix_manage_firewall and postfix_manage_selinux:

The vpn RHEL System Role can now use the firewall and selinux roles to manage port access

With this enhancement, you can automate managing port access in the vpn RHEL System Role through the firewall and selinux roles. If you set the new role variables vpn_manage_firewall and vpn_manage_selinux to true, the roles manage port access.

The logging RHEL System Role now supports port access and generation of the certificates

With this enhancement, you can use the logging role to manage ports access and generate certificates with new role variables. If you set the new role variables logging_manage_firewall and logging_manage_selinux to true, the roles manage port access. The new role variable for generating certificates is logging_certificates. The type and usage are the same as the certificate role certificate_requests. You can now automate these operations directly by using the logging role.

The metrics RHEL System Role now can use the firewall role and the selinux role to manage port access

With this enhancement, you can control access to ports. If you set the new role variables metrics_manage_firewall and metrics_manage_firewall to true, the roles manage port access. You can now automate and perform these operations directly by using the metrics role.

The nbde_server RHEL System Role now can use the firewall and selinux roles to manage port access

With this enhancement, you can use the firewall and selinux roles to manage ports access. If you set the new role variables nbde_server_manage_firewall and nbde_server_manage_selinux to true, the roles manage port access. You can now automate these operations directly by using the nbde_server role.

The initscripts network provider supports route metric configuration of the default gateway

With this update, you can use the initscripts network provider in the rhel-system-roles.network RHEL System Role to configure the route metric of the default gateway.

The cockpit RHEL System Role integration with the firewall, selinux, and certificate roles

This enhancement enables you to integrate the cockpit role with the firewall role and the selinux role to manage port access and the certificate role to generate certificates.

New RHEL System Role for direct integration with Active Directory

The new rhel-system-roles.ad_integration RHEL System Role was added to the rhel-system-roles package. As a result, administrators can now automate direct integration of a RHEL system with an Active Directory domain.

New Ansible Role for Red Hat Insights and subscription management

The rhel-system-roles package now includes the remote host configuration (rhc) system role. This role enables administrators to easily register RHEL systems to Red Hat Subscription Management (RHSM) and Satellite servers. By default, when you register a system by using the rhc system role, the system connects to Red Hat Insights. With the new rhc system role, administrators can now automate the following tasks on the managed nodes:

Added support for the cloned MAC address

Cloned MAC address is the MAC address of the device WAN port which is the same as the MAC address of the machine. With this update, users can specify the bonding or bridge interface with the MAC address or the strategy such as random or preserve to get the default MAC address for the bonding or bridge interface.

Microsoft SQL Server Ansible role supports asynchronous high availability replicas

Previously, Microsoft SQL Server Ansible role supported only primary, synchronous, and witness high availability replicas. Now, you can set the mssql_ha_replica_type variable to asynchronous to configure it with asynchronous replica type for a new or existing replica.

Microsoft SQL Server Ansible role supports the read-scale cluster type

Previously, Microsoft SQL Ansible role supported only the external cluster type. Now, you can configure the role with a new variable mssql_ha_ag_cluster_type. The default value is external, use it to configure the cluster with Pacemaker. To configure the cluster without Pacemaker, use the value none for that variable.

Microsoft SQL Server Ansible role can generate TLS certificates

Previously, you needed to generate a TLS certificate and a private key on the nodes manually before configuring the Microsoft SQL Ansible role. With this update, the Microsoft SQL Server Ansible role can use the redhat.rhel_system_roles.certificate role for that purpose. Now, you can set the mssql_tls_certificates variable in the format of the certificate_requests variable of the certificate role to generate a TLS certificate and a private key on the node.

Microsoft SQL Server Ansible role supports configuring SQL Server version 2022

Previously, Microsoft SQL Ansible role supported only configuring SQL Server version 2017 and version 2019. This update provides you with the support for SQL Server version 2022 for Microsoft SQL Ansible role. Now, you can set mssql_version value to 2022 for configuring a new SQL Server 2022 or upgrading SQL Server from version 2019 to version 2022. Note that upgrade of an SQL Server from version 2017 to version 2022 is unavailable.

Microsoft SQL Server Ansible role supports configuration of the Active Directory authentication

With this update, the Microsoft SQL Ansible role supports configuration of the Active Directory authentication for an SQL Server. Now, you can configure the Active Directory authentication by setting variables with the mssql_ad_ prefix.

The journald RHEL System Role is now available

The journald service collects and stores log data in a centralized database. With this enhancement, you can use the journald System Role variables to automate the configuration of the systemd journal, and configure persistent logging by using the Red Hat Ansible Automation Platform.

The ha_cluster System Role now supports quorum device configuration

A quorum device acts as a third-party arbitration device for a cluster. A quorum device is recommended for clusters with an even number of nodes. With two-node clusters, the use of a quorum device can better determine which node survives in a split-brain situation. You can now configure a quorum device with the ha_cluster System Role, both qdevice for a cluster and qnetd for an arbitration node.

Hardware cryptographic devices can now be automatically hot-plugged

Previously, it was only possible to define cryptographic devices for passthrough if they were present on the host before the mediated device was started. Now, you can define a mediated device matrix that lists all the cryptographic devices that you want to pass through to your virtual machine (VM). As a result, the specified cryptographic devices are automatically passed through to the running VM if they become available later. Also, if the devices become unavailable, they are removed from the VM, but the guest operating system keeps running normally.

Improved performance for PCI passthrough devices on IBM Z

With this update, the PCI passthrough implementation on IBM Z hardware has been enhanced through multiple improvements to I/O handling. As a result, PCI devices passed through to KVM virtual machines (VMs) on IBM Z hosts now have significantly better performance.

New package: passt

This update adds the passt package, which makes it possible to use the passt user-mode networking back end for virtual machines.

zPCI device assignment

It is now possible to attach zPCI devices as pass-through devices to virtual machines (VMs) hosted on RHEL running on IBM Z hardware. For example, thís enables the use of NVMe flash drives in VMs.

The sos utility is moving to a 4-week update cadence

Instead of releasing sos updates with RHEL minor releases, the sos utility release cadence is changing from 6 months to 4 weeks. You can find details about the updates for the sos package in the RPM changelog every 4 weeks or you can read a summary of sos updates in the RHEL Release Notes every 6 months.

The sos clean command now obfuscates IPv6 addresses

Previously, the sos clean command did not obfuscate IPv6 addresses, leaving some customer-sensitive data in the collected sos report. With this update, sos clean detects and obfuscates IPv6 addresses as expected.

New podman RHEL System Role is now available

Beginning with Podman 4.2, you can use the podman System Role to manage Podman configuration, containers, and systemd services that run Podman containers.

Podman now supports events for auditing

Beginning with Podman v4.4, you can gather all relevant information about a container directly from a single event and journald entry. To enable Podman auditing, modify the container.conf configuration file and add the events_container_create_inspect_data=true option to the [engine] section. The data is in JSON format, the same as from the podman container inspect command. For more information, see How to use new container events and auditing features in Podman 4.4.

The container-tools meta-package has been updated

The container-tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun and runc tools are now available. This update applies a series of bug fixes and enhancements over the previous version.

Aardvark and Netavark now support custom DNS server selection

The Aardvark and Netavark network stack now support custom DNS server selection for containers instead of the default DNS servers on the host. You have two options for specifying the custom DNS server:

Skopeo now supports generating sigstore key pairs

You can use the skopeo generate-sigstore-key command to generate a sigstore public/private key pair. For more information, see skopeo-generate-sigstore-key man page.

Toolbox is now available

With the toolbox utility, you can use the containerized command-line environment without installing troubleshooting tools directly on your system. Toolbox is built on top of Podman and other standard container technologies from OCI. For more information, see toolbx.

Container images now have a two-digit tag

In RHEL 9.0 and RHEL 9.1, container images had a three-digit tag. Starting from RHEL 9.2, container images now have a two-digit tag.

The capability for multiple trusted GPG keys for signing images is available

The /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted keys. Because of this, the container images signed with Red Hat’s General Availability and Beta GPG keys are now accepted in the default configuration.

Podman now supports the pre-execution hooks

The root-owned plugin scripts located in the /usr/libexec/podman/pre-exec-hooks and /etc/containers/pre-exec-hooks directories define a fine-control over container operations, especially blocking unauthorized actions.

The sigstore signatures are now available

Beginning with Podman 4.2, you can use the sigstore format of container image signatures. The sigstore signatures are stored in the container registry together with the container image without the need to have a separate signature server to store image signatures.

Toolbox can create RHEL 9 containers

Previously, the Toolbox utility only supported RHEL UBI 8 images. With this release, Toolbox now also supports RHEL UBI 9. As a result, you can create a Toolbox container based on RHEL 8 or 9.

New package: passt

This update adds the passt package, which makes it possible to use the pasta rootless networking back end for containers.

The installer now displays correct total disk space in Custom partitioning with multipath or DDF RAID devices

Previously, when Custom partitioning was selected in Installer on a system with a multipath or DDF RAID device, the total disk space was not reported correctly and member disk devices were listed as available for partitioning.

The installer now adds configuration options correctly into the yum repo files

Previously, the installer did not add configuration options correctly into yum repo files while including and excluding packages from additional installation repositories. With this update, yum repo files are created correctly. As a result, using the --excludepkgs= or --includepkgs= options in the repo kickstart command now excludes or includes the specified packages during installation as expected.

Using the filename DHCP option no longer blocks downloading the kickstart file for installation

Previously, when building a path for getting the kickstart file from an NFS server, the installer did not consider the filename DHCP option. As a consequence, the installer did not download the kickstart file and was blocking the installation process. With this update, the filename DHCP option correctly constructs a path to the kickstart file. As a result, the kickstart file is downloaded properly, and the installation process starts correctly.

The installer now creates a new GPT disk layout while custom partitioning

Previously, the installer did not change the disk layout to GPT when inst.gpt was specified on the kernel command line, and the user removed all partitions from a disk with the MBR disk layout on the custom partitioning spoke. As a consequence, the MBR disk layout remained on the disk.

Installer now lists all PPC PreP Boot or BIOS Boot partitions during custom partitioning

Previously, when adding multiple PPC PreP Boot or BIOS Boot partitions during custom partitioning, the Custom Partitioning screen displayed only one partition of a related type. As a consequence, the Custom Partitioning screen did not reflect the real state of the intended partitioning layout, making the partitioning process difficult and non-transparent.

Anaconda now validates LUKS passphrases for the FIPS requirements

Previously, Anaconda did not check if the length of LUKS passphrases satisfies the FIPS requirements, while the underlying tools performed this check. As a consequence, installing in FIPS mode with a passphrase shorter than 8 characters caused the installer to terminate prematurely.

Subscription manager no longer denies registration and fetching of Red Hat content

Previously, subscription-manager operated in container mode when run under OpenShift Container Platform (OCP) because of improved container detection logic in RHEL 9. As a consequence, the system was unable to use the provided subscription credentials and therefore not fetching Red Hat content.

subscription-manager no longer retains nonessential text in the terminal

Starting with RHEL 9.1, subscription-manager displays progress information while processing any operation. Previously, for some languages, typically non-Latin, progress messages did not clean up after the operation finished. With this update, all the messages are cleaned up properly when the operation finishes.

RPM no longer hangs during a transaction involving the fapolicyd service restart

Previously, if you tried to update a package that caused the fapolicyd service to be restarted, for example, systemd, the RPM transaction stopped responding because the fapolicyd plug-in failed to communicate with the fapolicyd daemon.

Reverting a DNF upgrade transaction is now possible for a package group or environment

Previously, the dnf history rollback command failed when attempting to revert an upgrade transaction for a package group or an environment.

Security DNF upgrade is now possible for packages that change their architecture through the upgrade

Patch for BZ#2108969 introduced with RHBA-2022:8295 caused a regression where DNF upgrade using security filters skipped packages that changed their architecture from or to noarch through the upgrade. Consequently, the missing security upgrades for these packages could leave the system in a vulnerable state.

Qt message QM files with 3-letter names are now packaged when an RPM package is being built or rebuilt

Previously, the find-lang.sh script could not find Qt message QM files (.qm) with names consisting of 3 characters. Consequently, these files were not added to an RPM package.

ReaR handles excluded DASDs on the IBM Z architecture correctly

Previously on the IBM Z architecture, ReaR reformatted all connected Direct Access Storage Devices (DASD) during the recovery process, including those DASDs that users excluded from the saved layout and did not intend to restore their content. As a consequence, if you excluded some DASDs from the saved layout, their data were lost during system recovery. With this update, ReaR no longer formats excluded DASDs during system recovery, including the device from which the ReaR rescue system was booted (using the zIPL bootloader). You are also prompted to confirm the DASD formatting script before ReaR reformats DASDs. This ensures that the data on excluded DASDs survive a system recovery.

ReaR no longer fails to restore non-LVM XFS filesystems

Previously, when you used ReaR to restore a non-LVM XFS filesystems with certain settings and disk mapping, ReaR created the file system with the default settings instead of the specified settings. For example, if you had a file system with the sunit and swidth parameters set to non-zero values and you restored the file system using ReaR with disk mapping, the file system would be created with default sunit and swidth parameters ignoring the specified values. As a consequence, ReaR failed during mounting the filesystem with specific XFS options. With this update, ReaR correctly restores the file system with the specified settings.

wsmancli handles HTTP 401 Unauthorized statuses correctly

The wsmancli utility for managing systems using Web Services Management protocol now handles authentication to better conform to RFC 2616.

USBGuard saves rules even if RuleFile is not defined

Previously, if the RuleFolder configuration directive in USBGuard was set but RuleFile was not, the rule set could not be changed. With this update, you can now change the rule set even if RuleFolder is set but RuleFile is not. As a result, you can modify the permanent policy in USBGuard to permanently save newly added rules.

python-sqlalchemy rebased to 1.4.45

The python-sqlalchemy package has been rebased to version 1.4.45, which provides many bug fixes over version 1.4.37. Most notably, this version contains a fix for a critical memory bug in the cache key generation.

crypto-policies now disable NSEC3DSA for BIND

Previously, the system-wide cryptographic policies did not control the NSEC3DSA algorithm in the BIND configuration. Consequently, NSEC3DSA, which does not meet current security requirements, was not disabled on DNS servers. With this update, all cryptographic policies disable NSEC3DSA in the BIND configuration by default.

OpenSSL in SECLEVEL=3 now works with PSK cipher suites

Previously, pre-shared key (PSK) cipher suites were not recognized as performing perfect forward secrecy (PFS) key exchange methods. As a consequence, the ECDHE-PSK and DHE-PSK cipher suites did not work with OpenSSL configured to SECLEVEL=3, for example, when the system-wide cryptographic policy was set to FUTURE. The new version of the openssl package fixes this problem.

Clevis now correctly skips commented-out devices in crypttab

Previously, Clevis tried to unlock commented-out devices in the crypttab file, causing the clevis-luks-askpass service to run even if the device was not valid. This caused unnecessary service runs and made it difficult to troubleshoot.

Clevis no longer requests too much entropy from pwmake

Previously, the pwmake password generation utility displayed unwanted warnings when Clevis used pwmake to create passwords for storing data in LUKS metadata, which caused Clevis to use lower entropy. With this update, Clevis is limited to 256 entropy bits provided to pwmake, which eliminates an unwanted warning and uses the correct amount of entropy.

USBGuard no longer causes a confusing warning

Previously, a race condition could happen in USBGuard when a parent process finished sooner than the first child process. As a consequence, systemd reported that a process was present with a wrongly identified parent PID (PPID). With this update, a parent process waits for the first child process to finish in working mode. As a result, systemd no longer reports such warnings.

OOM killer no longer terminates usbguard prematurely

Previously, the usbguard.service file did not contain a definition of the OOMScoreAdjust option for the systemd service. Consequently, when the system was low on resources, the usbguard-daemon process could be terminated before other unprivileged processes. With this update, usbguard.service file now includes OOMScoreAdjust setting, which prevents the Out-of-Memory (OOM) killer terminate the usbguard-daemon process prematurely.

logrotate no longer incorrectly signals Rsyslog in log rotation

Previously, the argument order was incorrectly set in the logrotate script, which caused a syntax error. This resulted in logrotate not correctly signaling Rsyslog during log rotation.

imklog no longer calls free() on missing objects

Previously, the imklog module called a free() function on an already freed object. Consequently, imklog could cause a segmentation fault. With this update, the object is no longer freed twice.

fagenrules --load now works correctly

Previously, the fapolicyd service did not correctly handle the signal hang up (SIGHUP). Consequently, fapolicyd terminated after receiving SIGHUP, and the fagenrules --load command did not work correctly. This update contains a fix for the problem. As a result, fagenrules --load now works correctly, and rule updates no longer require manual restarts of fapolicyd.

Scans and remediations correctly ignore SCAP Audit rules Audit key

Previously, Audit watch rules that were defined without an Audit key (-k or -F key) encountered the following problems:

Keylime no longer fails attestation of systems that access multiple IMA-measured files

Previously, if a system that runs the Keylime agent accessed multiple files measured by the Integrity Measurement Architecture (IMA) in quick succession, the Keylime verifier incorrectly processed the IMA log additions. As a consequence, the running hash did not match the correct Platform Configuration Register (PCR) state, and the system failed attestation. This update fixes the problem and systems that quickly access multiple measured files no longer fail attestation.

Keylime policy generation script no longer causes a segmentation fault and core dump

The create_mb_refstate script generates policies for measured boot attestation in Keylime. Previously, create_mb_refstate incorrectly calculated the data length in the DevicePath field. As a consequence, the script tried to access invalid memory using the incorrectly calculated length, which resulted in a segmentation fault and core dump.

TPM certificates no longer cause Keylime registrar to crash

Previously, some certificates in the Keylime TPM certificate store were malformed x509 certificates and caused the Keylime registrar to crash. This update fixes the problem, and Keylime registrar no longer crashes due to malformed ceritficates.

NetworkManager now preserves IP addresses during reapply before acquiring a new DHCP lease

Previously, after changing the connection settings and then using nmcli device reapply command, NetworkManager did not preserve the DHCP lease. Consequently, the IP address got removed temporarily. With this fix, NetworkManager preserves the DHCP lease and uses it until the lease expires or the client requests a new one. As a result, when the nmcli device reapply command restarts DHCP client, it does not temporarily remove the IP address.

The firewalld service now triggers the ipset deprecation warning only when using direct rules

Previously, the firewalld service used the deprecated ipset kernel module when it was not necessary. Consequently, RHEL logged the module’s deprecation warning which could be misleading because the ipset feature of firewalld is not deprecated. With this update, firewalld only uses the deprecated ipset module and logs the warning if the user explicitly uses ipsets with the --direct option.

The HNV interface now displays the options after reboot

Previously, the nmcli utility created a Hybrid Network Virtualization (HNV) bond by using NetworkManager API. Consequently, after a reboot, the HNV bond lost the primary port setting. With this fix, nmcli now uses hcnmgr to set bonding options for the primary port. The hcnmgr utility supports migration of live partitions with Single Root Input/Output Virtualization (SR-IOV) for hybrid networks. As a result, the HNV bond interface displays the active slave/primary_reselect option after reboot.

FADump enabled with Secure Boot works correctly

Previously, when Firmware Assisted Dump (FADump) was enabled in the Secure Boot environment and any of the booting components exceeded the allocated memory region, system reboots caused a GRUB Out of Memory (OOM) state. This update provides a fix in kexec-tools so that Secure Boot and FADump work together correctly.

grubby now passes arguments to a new kernel correctly

When you add a new kernel using the grubby tool and do not specify any arguments, or leave the arguments blank, grubby will not pass any arguments to the new kernel and root will not be set. Using the --args and --copy-default options ensures new arguments are appended to the default arguments.

Installer creating LUKSv2 devices with sector size of 512 bytes

Previously, the RHEL installer created LUKSv2 devices with 4096 bytes sectors if the disk had 4096 bytes physical sectors. With this update, installer now creates LUKSv2 devices with sector size of 512 bytes to offer better disk compatibility with different physical sector sizes used together in one LVM volume group even when the LVM physical volumes are encrypted.

supported_speeds sysfs attribute reports correct speed values

Previously, because of an incorrect definition in the qla2xxx driver, the supported_speeds sysfs attribute for the HBA reported 20 Gb/s speed instead of the expected 64 Gb/s speed. Consequently, if the HBA supported 64 Gb/s link speed, the supported_speeds sysfs value was incorrect, which affected the reported speed value.

The lpfc driver is in a valid state during the D_ID port swap

Previously, the SAN Boot host, after issuing the NetApp giveback operation, resulted in LVM hung task warnings and stalled I/O. This problem occurred even when alternate paths were available in a DM-Multipath environment due to the fiber channel D_ID port swap. As a consequence of the race condition, the D_ID port swap resulted in an inconsistent state in the lpfc driver, which prevented I/O from being issued.

pcs no longer allows you to modify cluster properties that should not be changed

Previously, the pcs command line interface allowed you to modify cluster properties that should not be changed or for which change does not take effect. With this fix, pcs no longer allows you to modify these cluster properties: cluster-infrastructure, cluster-name, dc-version, have-watchdog, and last-lrm-refresh.

pcs now displays cluster properties that are not explicitly configured

Previously, a pcs command to display the value of a specific cluster property did not list values that are not explicitly configured in the CIB. With this fix, if a cluster property is not set pcs displays the default value for the property.

Cluster resources that call crm_mon now stop cleanly at shutdown

Previously, the crm_mon utility returned a nonzero exit status while Pacemaker was in the process of shutting down. Resource agents that called crm_mon in their monitor action, such as ocf:heartbeat:pqsql, could incorrectly return a failure at cluster shutdown. With this fix, crm_mon returns success even if the cluster is in the process of shutting down. Resources that call crm_mon now stop cleanly at cluster shutdown.

OCF resource agent metadata actions can now call crm_node without causing unexpected fencing

As of RHEL 8.5, OCF resource agent metadata actions blocked the controller and crm_node queries performed controller requests. As a result, if an agent’s metadata action called crm_node, it blocked the controller for 30 seconds until the action timed out. This could cause other actions to fail and the node to be fenced.

Pacemaker now rechecks resource assignments immediately when resource order changes

As of RHEL 8.7, Pacemaker did not recheck resource assignments when the order of resources in the CIB changed with no changes to the resource definition. If configuration reordering would cause resources to move, that would not take place until the next natural transition, up to the value of cluster-recheck-interval-property. This could cause issues if resource stickiness is not configured for a resource.

Enabling a single resource and monitoring operation no longer enables monitoring operations for all resources in a resource group

Previously, after unmanaging all resources and monitoring operations in a resource group, managing one of the resources in that group along with its monitoring operation re-enabled the monitoring operations for all resources in the resource group. This could trigger unexpected cluster behavior.

DNS lookup can now succeed even when some CNAME records are invalid

Previously, the glibc DNS stub resolver treated CNAME records with owner names that are not host names as DNS packet errors. Consequently, the DNS query failed because of the DNS packet errors. With this update, the glibc stub resolver now skips invalid CNAME records and the corresponding alias information is not extracted. Therefore, DNS lookups can now succeed even if the server response includes a CNAME chain that contains a domain name that is not a host name.

golang now supports 4096 bit keys in x509 FIPS mode

Previously, golang did not support the 4096 bit keys in x509 FIPS mode. Consequently, when the user used 4096 bit keys the program crashed. With this update, golang now supports 4096 bit keys in x509 FIPS mode.

You can install SciPy using pip on all architectures

Previously, the openblas-devel package did not contain a pkg-config file for the OpenBLAS library. As a consequence, in certain scenarios, it was impossible to determine the compiler and linker flags using the pkgconf utility while compiling with OpenBLAS. For example, this caused a failure of the pip install scipy command on the 64-bit IBM Z and IBM Power Systems, Little Endian architectures.

The tzset function in glibc now sets the daylight variable to a non-zero value if there is any DST rule in the TZ data

Previously, the tzset function in glibc would set the daylight variable to 0 if the last DST transition in the time zone data file did not result in a clock change due to a simultaneous change in the standard time offset. Consequently, when applications use the daylight variable to check if DST was ever active, they do not get the right result and perform incorrect actions based on this information. To fix this, the tzset function now sets the daylight variable to a non-zero value if there is any DST rule in the time zone data, regardless of offset. As a result, applications now observe the presence of DST rules regardless of offset changes.

OpenJDK RSAPSSSignature implementation now validates RSA keys before using them

Previously, the RSAPSSSignature implementation in OpenJDK did not fully check if given RSA keys could be used by the SunRSASign provider before attempting to use them, which would result in errors when using custom security providers. The bug is now fixed and, as a result, the RSAPSSSignature implementation now validates RSA keys and allows other providers to handle these keys when it cannot.

The OpenJDK XML signature provider is now functional in FIPS mode

Previously, the OpenJDK XML signature provider was unable to operate in FIPS mode. As a result of enhancements to FIPS mode support the OpenJDK XML signature provider is now enabled in FIPS mode.

OpenJDK in FIPS mode no longer experiences unexpected errors with certain PKCS#11 tokens

Previously, some PKCS#11 tokens were not fully initialized before use by OpenJDK in FIPS mode resulting in unexpected errors. With this upgrade, these errors are now expected and handled by the FIPS support code.

Authentication to external IdPs that require a client secret is now possible

Previously, SSSD did not properly pass client secrets to external identity providers (IdPs). Consequently, authentication failed against external IdPs that you previously configured with the ipa idp-add --secret command to require a client secret. With this update, SSSD passes the client secret to the IdP and users can authenticate.

IdM now supports setting hostmasks for sudo rules using Ansible

Previously, the ipa sudorule-add-host command allowed setting a hostmask to be used by the sudo rule, but this option was not present in the ansible-freeipa package. With this update, you can now use the ansible-freeipa hostmask variable to define a list of hostmasks to which a particular sudo rule, defined in Identity Management (IdM), applies.

The dscreate utility now works correctly when it uses a custom path with the db_dir parameter

Previously, an instance that used custom directory paths failed to start because the custom directories had a wrong SELinux label. As a consequence, SELinux denied access to these directories and the instance was not created. With this release, dscreate utility sets correct SELinux labels for the custom instance directories.

A password change for the Directory Server replication manager account now works correctly

Previously, after a password change, Directory Server did not properly update the password cache for the replication agreement. As a consequence, when you changed the password for the replication manager account, the replication failed. With this update, Directory Server updates the cache properly and, as a result, the replication works as expected.

The IdM client installer no longer specifies the TLS CA configuration in the ldap.conf file

Previously, the IdM client installer specified the TLS CA configuration in the ldap.conf file. With this update, OpenLDAP uses the default trust store and the IdM client installer does not set up the TLS CA configuration in the ldap.conf file.

The web console NBDE binding steps now work also on volume groups with a root file system

In RHEL 9.2.0, due to a bug in the code for determining whether or not the user was adding a Tang key to the root file system, the binding process in the web console crashed when there was no file system on the LUKS container at all. Because the web console displayed the error message TypeError: Qe(…​) is undefined after you had clicked the Trust key button in the Verify key dialog, you had to perform all the required steps in the command-line interface in the described scenario.

The nbde_client System Role now correctly handles different names of clevis-luks-askpass

The nbde_client System Role has been updated to handle the systems on which the clevis-luks-askpass systemd unit has a different name. The role now correctly works with different names of clevis-luks-askpass on managed nodes, which requires unlocking also LUKS-encrypted volumes that mount late in the boot process.

The ha_cluster System Role logs no longer display unencrypted passwords and secrets

The ha_cluster System Role accepts parameters that can be passwords or other secrets. Previously, some of the tasks would log their inputs and outputs. As a result, the role logs could contain unencrypted passwords and other secrets.

Clusters configured with ha_cluster System Role to use SBD and not start on boot now work correctly

Previously, if a user configured a cluster using the ha_cluster System Role to use SBD and not start on boot, then the SBD service was disabled and SBD did not start. With this fix, the SBD service is always enabled if a cluster is set to use SBD whether or not the cluster is configured to start on boot.

Enabling implicit files provider to fix cockpit-session-recording SSSD configuration

A disabled SSSD implicit files provider caused the cockpit-session-recording modules to create an invalid System Security Services Daemon (SSSD) configuration. This update unconditionally enables the files provider and as a result, the SSSD configuration created by cockpit-session-recording now works as expected.

The nbde_client_clevis role no longer reports traceback to users

Previously, the nbde_client_clevis role sometimes failed in exception, causing a traceback and reporting sensitive data, such as the encryption_password field, back to the user. With this update, the role no longer reports sensitive data, only the appropriate error messages.

Setting stonith-watchdog-timeout property with the ha_cluster System Role now works in a stopped cluster

Previously, when you set the stonith-watchdog-timeout property with the ha_cluster System Role in a stopped cluster, the property reverted to its previous value and the role failed. With this fix, configuring the stonith-watchdog-timeout property by using the ha_cluster System Role works properly.

Network traffic is now directed through the intended network interface when using initscripts with the networking RHEL System Role

Previously, when using the initscripts provider, the routing configuration for network connections did not specify the output device that the traffic should go through. Consequently, the kernel could use a different output device than the user intended. Now, if the network interface name is specified in the playbook for the connection, it is used as the output device in the route configuration file. This aligns the behavior with NetworkManager, which configures the output device in routes when activating profiles on devices. As a result, the users can ensure that the traffic is directed through the intended network interface.

The selinux role now now manages policy modules idempotently

Previously, the selinux role copied an existing module to the managed node every time, reporting a change even when the module was already present. With this update, the selinux role checks if the module has been installed on the managed node, and does not attempt to copy and install the module if it is already installed.

The rhc system role no longer fails on the registered systems when rhc_auth contains activation keys

Previously, a failure occurred when you executed playbook files on the registered systems with the activation key specified in the rhc_auth parameter. This issue has been resolved. It is now possible to execute playbook files on the already registered systems, even when activation keys are provided in the rhc_auth parameter.

System time on nested VMs now works reliably

Previously, system time on nested virtual machines (VMs) in some cases desynchronised from the Level 0 and level 1 hosts. This also sometimes caused the nested VM to become unresponsive or terminate unexpectedly.

VMs on IBM Z no longer fail to start when using memfd memory backing

Previously, on IBM Z hosts, virtual machines (VMs) failed to boot if they were configured to use the memfd type of hugepage memory backing, for example as follows:

VNC can now reliably connect to UEFI VMs after migration

Previously, if you enabled or disabled a message queue while migrating a virtual machine (VM), the Virtual Network Computing (VNC) client failed to connect to the VM after the migration was complete.

The installer shows the expected system disk to install RHEL on VM

Previously, when installing RHEL on a VM using virtio-scsi devices, it was possible that these devices did not appear in the installer because of a device-mapper-multipath bug. Consequently, during installation, if some devices had a serial set and some did not, the multipath command was claiming all the devices that had a serial. Due to this, the installer was unable to find the expected system disk to install RHEL in the VM.

NVMe over Fibre Channel devices are now available in RHEL installer as a Technology Preview

You can now add NVMe over Fibre Channel devices to your RHEL installation as a Technology Preview. In RHEL Installer, you can select these devices under the NVMe Fabrics Devices section while adding disks on the Installation Destination screen.

GIMP available as a Technology Preview in RHEL 9

GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. The gimp package version 2.99.8 is a pre-release version with a set of improvements, but a limited set of features and no guarantee for stability. As soon as the official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release version.

Socket API for TuneD available as a Technology Preview

The socket API for controlling TuneD through Unix domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file.

gnutls now uses KTLS as a Technology Preview

The updated gnutls packages can use Kernel TLS (KTLS) for accelerating data transfer on encrypted channels as a Technology Preview. To enable KTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:

WireGuard VPN is available as a Technology Preview

WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.

KTLS available as a Technology Preview

RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.

The systemd-resolved service is available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

SGX available as a Technology Preview

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. The version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology.

The Intel data streaming accelerator driver for kernel is available as a Technology Preview

The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a Technology Preview. It is an Intel CPU integrated accelerator and includes the shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).

The Soft-iWARP driver is available as a Technology Preview

Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This protocol suite is fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.

SGX available as a Technology Preview

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:

rvu_af, rvu_nicpf, and rvu_nicvf available as Technology Preview

The following kernel modules are available as Technology Preview for Marvell OCTEON TX2 Infrastructure Processor family:

DAX is now available for ext4 and XFS as a Technology Preview

In RHEL 9, the DAX file system is available as a Technology Preview. DAX provides means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a DAX compatible file system must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.

Stratis is available as a Technology Preview

Stratis is a local storage manager. It provides managed file systems on top of pools of storage with additional features to the user:

NVMe-oF Discovery Service features available as a Technology Preview

The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/specifications/ website.

nvme-stas package available as a Technology Preview

The nvme-stas package, which is a Central Discovery Controller (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, and Automatic (zeroconf) and Manual configuration.

NVMe TP 8006 in-band authentication available as a Technology Preview

Implementing Non-Volatile Memory Express (NVMe) TP 8006, which is an in-band authentication for NVMe over Fabrics (NVMe-oF) is now available as an unsupported Technology Preview. The NVMe Technical Proposal 8006 defines the DH-HMAC-CHAP in-band authentication protocol for NVMe-oF, which is provided with this enhancement.

jmc-core and owasp-java-encoder available as a Technology Preview

RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features for the AMD and Intel 64-bit architectures.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as a Technology Preview.

sssd-idp sub-package available as a Technology Preview

The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which are client-side components that perform OAuth2 authentication against Identity Management (IdM) servers. This feature is available only with IdM servers on RHEL 9.1 and later.

SSSD internal krb5 idp plugin available as a Technology Preview

The SSSD krb5 idp plugin allows you to authenticate against an external identity provider (IdP) using the OAuth2 protocol. This feature is available only with IdM servers on RHEL 9.1 and later.

RHEL IdM allows delegating user authentication to external identity providers as a Technology Preview

In RHEL IdM, you can now associate users with external identity providers (IdP) that support the OAuth 2 device authorization flow. When these users authenticate with the SSSD version available in RHEL 9.1 or later, they receive RHEL IdM single sign-on capabilities with Kerberos tickets after performing authentication and authorization at the external IdP.

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.

GNOME for the IBM Z architecture available as a Technology Preview

The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.

Intel Arc A-Series graphics available as a Technology Preview

Intel Arc A-Series graphics, also known as Alchemist or DG2, are now available as a Technology Preview.

Stratis available as a Technology Preview in the RHEL web console

With this update, the Red Hat Enterprise Linux web console provides the ability to manage Stratis storage as a Technology Preview.

Intel SGX available for VMs as a Technology Preview

As a Technology Preview, the Intel Software Guard Extensions (SGX) can now be configured for virtual machines (VMs) hosted on RHEL 9. SGX helps protect data integrity and confidentiality for specific processes on Intel hardware. After you set up SGX on your host, the feature is passed on to its VMs, so that the guest operating systems (OSs) can use it.

AMD SEV and SEV-ES for KVM virtual machines

As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

Virtualization is now available on ARM 64

As a Technology Preview, it is now possible to create KVM virtual machines on systems using ARM 64 CPUs.

virtio-mem is now available on AMD64, Intel 64, and ARM 64

As a Technology Preview, RHEL 9 introduces the virtio-mem feature on AMD64, Intel 64, and ARM 64 systems. Using virtio-mem makes it possible to dynamically add or remove host memory in virtual machines (VMs).

Intel TDX in RHEL guests

As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL 9.2 guest operating systems. If the host system supports TDX, you can deploy hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that TDX currently does not work with kdump, and enabling TDX will cause kdump to fail on the VM.

A unified kernel image of RHEL is now available as a Technology Preview

As a Technology Preview, you can now obtain the RHEL kernel as a unified kernel image (UKI) for virtual machines (VMs). A unified kernel image combines the kernel, initramfs, and kernel command line into a single signed binary file.

RHEL is now available on Azure confidential VMs as a Technology Preview

With the updated RHEL kernel, you can now create and run RHEL confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview. The newly added unified kernel image (UKI) now enables booting encrypted confidential VM images on Azure. The UKI is available as a kernel-uki-virt package in RHEL 9 repositories.

Quadlet in Podman is now available as a Technology Preview

Beginning with Podman v4.4, you can use Quadlet to automatically generate a systemd service file from the container description as a Technology Preview. The container description is in the systemd unit file format. The description focuses on the relevant container details and hides the technical complexity of running containers under systemd. The Quadlets are easier to write and maintain than the systemd unit files.

Clients for sigstore signatures with Fulcio and Rekor are now available as a Technology Preview

With Fulcio and Rekor servers, you can now create signatures by using short-term certificates based on an OpenID Connect (OIDC) server authentication, instead of manually managing a private key. Clients for sigstore signatures with Fulcio and Rekor are now available as a Technology Preview. This added functionality is the client side support only, and does not include either the Fulcio or Rekor servers.

Deprecated Kickstart commands

The following Kickstart commands have been deprecated:

User and Group customizations in the edge-commit and edge-container blueprints have been deprecated

Specifying a user or group customization in the blueprints is deprecated for the edge-commit and edge-container image types, because the user customization disappears when you upgrade the image and do not specify the user in the blueprint again. Therefore, you should specify the users and groups directly in the blueprints for edge image types which are used to deploy an existing OSTree commit, such as edge-raw-image, edge-installer, and edge-simplified-installer.

The --token option of the subscription-manager command is deprecated

The --token=<TOKEN> option of the subscription-manager register command is an authentication method that helps register your system to Red Hat. This option depends on capabilities offered by the entitlement server. The default entitlement server, subscription.rhsm.redhat.com, is planning to turn off this capability. As a consequence, attempting to use subscription-manager register --token=<TOKEN> might fail with the following error message:

The dump utility from the dump package has been deprecated

The dump utility used for backup of file systems has been deprecated and will not be available in RHEL 9.

The SQLite database backend in Bacula has been deprecated

The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the SQLite backend in new deployments.

SHA-1 is deprecated for cryptographic purposes

The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases.

fapolicyd.rules is deprecated

The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility.

SCP is deprecated in RHEL 9

The secure copy protocol (SCP) is deprecated because it has known security vulnerabilities. The SCP API remains available for the RHEL 9 lifecycle but using it reduces system security.

Digest-MD5 in SASL is deprecated

The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) framework is deprecated, and it might be removed from the cyrus-sasl packages in a future major release.

OpenSSL deprecates MD2, MD4, MDC2, Whirlpool, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1

The OpenSSL project has deprecated a set of cryptographic algorithms because they are insecure, uncommonly used, or both. Red Hat also discourages the use of those algorithms, and RHEL 9 provides them for migrating encrypted data to use new algorithms. Users must not depend on those algorithms for the security of their systems.

/etc/system-fips is now deprecated

Support for indicating FIPS mode through the /etc/system-fips file has been removed, and the file will not be included in future versions of RHEL. To install RHEL in FIPS mode, add the fips=1 parameter to the kernel command line during the system installation. You can check whether RHEL operates in FIPS mode by using the fips-mode-setup --check command.

libcrypt.so.1 is now deprecated

The libcrypt.so.1 library is now deprecated, and it might be removed in a future version of RHEL.

OpenSSL requires padding for RSA encryption in FIPS mode

OpenSSL no longer supports RSA encryption without padding in FIPS mode. RSA encryption without padding is uncommon and is rarely used. Note that key encapsulation with RSA (RSASVE) does not use padding but is still supported.

Network teams are deprecated in RHEL 9

The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.

NetworkManager connection profiles in ifcfg format are deprecated

In RHEL 9.0 and later, connection profiles in ifcfg format are deprecated. The next major RHEL release will remove the support for this format. However, in RHEL 9, NetworkManager still processes and updates existing profiles in this format if you modify them.

The iptables back end in firewalld is deprecated

In RHEL 9, the iptables framework is deprecated. As a consequence, the iptables backend and the direct interface in firewalld are also deprecated. Instead of the direct interface you can use the native features in firewalld to configure the required rules.

ATM encapsulation is deprecated in RHEL 9

Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, Ethernet) or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Red Hat has not been providing support for ATM NIC drivers since RHEL 7. The support for ATM implementation is being dropped in RHEL 9. These protocols are currently used only in chipsets, which support the ADSL technology and are being phased out by manufacturers. Therefore, ATM encapsulation is deprecated in Red Hat Enterprise Linux 9.

The kexec_load system call for kexec-tools has been deprecated

The kexec_load system call, which loads the second kernel, will not be supported in future RHEL releases. The kexec_file_load system call replaces kexec_load and is now the default system call on all architectures.

Network teams are deprecated in RHEL 9

The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.

lvm2-activation-generator and its generated services removed in RHEL 9.0

The lvm2-activation-generator program and its generated services lvm2-activation, lvm2-activation-early, and lvm2-activation-net are removed in RHEL 9.0. The lvm.conf event_activation setting, used to activate the services, is no longer functional. The only method for auto activating volume groups is event based activation.

libdb has been deprecated

RHEL 8 and RHEL 9 currently provide Berkeley DB (libdb) version 5.3.28, which is distributed under the LGPLv2 license. The upstream Berkeley DB version 6 is available under the AGPLv3 license, which is more restrictive.

Smaller size of keys than 2048 are deprecated by openssl 3.0

Key sizes smaller than 2048 bits are deprecated by openssl 3.0 and no longer work in Go’s FIPS mode.

Some PKCS1 v1.5 modes are now deprecated

Some PKCS1 v1.5 modes are not approved in FIPS-140-3 for encryption and are disabled. They will no longer work in Go’s FIPS mode.

SHA-1 in OpenDNSSec is now deprecated

OpenDNSSec supports exporting Digital Signatures and authentication records using the SHA-1 algorithm. The use of the SHA-1 algorithm is no longer supported. With the RHEL 9 release, SHA-1 in OpenDNSSec is deprecated and it might be removed in a future minor release. Additionally, OpenDNSSec support is limited to its integration with Red Hat Identity Management. OpenDNSSec is not supported standalone.

The SSSD implicit files provider domain is disabled by default

The SSSD implicit files provider domain, which retrieves user information from local files such as /etc/shadow and group information from /etc/groups, is now disabled by default.

-h and -p options were deprecated in OpenLDAP client utilities.

The upstream OpenLDAP project has deprecated the -h and -p options in its utilities, and recommends using the -H option instead to specify the LDAP URI. As a consequence, RHEL 9 has deprecated these two options in all OpenLDAP client utilities. The -h and -p options will be removed from RHEL products in future releases.

The SSSD files provider has been deprecated

The SSSD files provider has been deprecated in Red Hat Enterprise Linux (RHEL) 9. The files provider might be removed from a future release of RHEL.

The nsslapd-idlistscanlimit parameter is deprecated and its default value has been changed

With the new filter reordering optimization, the nsslapd-idlistscanlimit attribute impact on search performance is more harmful than helpful. As a result, the attribute is deprecated. Additionally, the default value has been changed to 2147483646 (unlimited).

The SMB1 protocol is deprecated in Samba

Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release.

GTK 2 is now deprecated

The legacy GTK 2 toolkit and the following, related packages have been deprecated:

LibreOffice is deprecated

The LibreOffice RPM packages are now deprecated and will be removed in a future major RHEL release. LibreOffice continues to be fully supported through the entire life cycle of RHEL 7, 8, and 9.

Motif has been deprecated

The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif community is inactive.

The network System Role displays a deprecation warning when configuring teams on RHEL 9 nodes

The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network RHEL System Role on a RHEL 8 control node to configure a network team on RHEL 9 nodes, shows a warning about the deprecation.

SecureBoot image verification using SHA1-based signatures is deprecated

Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) executables has become deprecated. Instead, Red Hat recommends using signatures based on the SHA2 algorithm, or later.

Limited support for virtual machine snapshots

Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, which negatively impacts the hypervisor performance for certain workloads.

The virtual floppy driver has become deprecated

The isa-fdc driver, which controls virtual floppy disk devices, is now deprecated, and will become unsupported in a future release of RHEL. Therefore, to ensure forward compatibility with migrated virtual machines (VMs), Red Hat discourages using floppy disk devices in VMs hosted on RHEL 9.

qcow2-v2 image format is deprecated

With RHEL 9, the qcow2-v2 format for virtual disk images has become deprecated, and will become unsupported in a future major release of RHEL. In addition, the RHEL 9 Image Builder cannot create disk images in the qcow2-v2 format.

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager may not be yet available in the RHEL web console.

libvirtd has become deprecated

The monolithic libvirt daemon, libvirtd, has been deprecated in RHEL 9, and will be removed in a future major release of RHEL. Note that you can still use libvirtd for managing virtualization on your hypervisor, but Red Hat recommends switching to the newly introduced modular libvirt daemons. For instructions and details, see the RHEL 9 Configuring and Managing Virtualization document.

Legacy CPU models are now deprecated

A significant number of CPU models have become deprecated and will become unsupported for use in virtual machines (VMs) in a future major release of RHEL. The deprecated models are as follows:

RDMA-based live migration is deprecated

With this update, migrating running virtual machines using Remote Direct Memory Access (RDMA) has become deprecated. As a result, it is still possible to use the rdma:// migration URI to request migration over RDMA, but this feature will become unsupported in a future major release of RHEL.

Running RHEL 9 containers on a RHEL 7 host is not supported

Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not guaranteed.

SHA1 hash algorithm within Podman has been deprecated

The SHA1 algorithm used to generate the filename of the rootless network namespace is no longer supported in Podman. Therefore, rootless containers started before updating to Podman 4.1.1 or later have to be restarted if they are joined to a network (and not just using slirp4netns) to ensure they can connect to containers started after the upgrade.

rhel9/pause has been deprecated

The rhel9/pause container image has been deprecated.

The CNI network stack has been deprecated

The Container Network Interface (CNI) network stack has been deprecated. Previously, containers connected to the single Container Network Interface (CNI) plugin only via DNS. Podman v.4.0 introduced a new Netavark network stack. You can use the Netavark network stack with Podman and other Open Container Initiative (OCI) container management applications. The Netavark network stack for Podman is also compatible with advanced Docker functionalities. Containers in multiple networks can access containers on any of those networks.

The auth and authconfig Kickstart commands require the AppStream repository

The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.

The reboot --kexec and inst.kexec commands do not provide a predictable system state

Performing a RHEL installation with the reboot --kexec Kickstart command or the inst.kexec kernel boot parameters do not provide the same predictable system state as a full reboot. As a consequence, switching to the installed system without rebooting can produce unpredictable results.

Unexpected SELinux policies on systems where Anaconda is running as an application

When Anaconda is running as an application on an already installed system (for example to perform another installation to an image file using the –image anaconda option), the system is not prohibited to modify the SELinux types and attributes during installation. As a consequence, certain elements of SELinux policy might change on the system where Anaconda is running. To work around this problem, do not run Anaconda on the production system and execute it in a temporary virtual machine. So that the SELinux policy on a production system is not modified. Running anaconda as part of the system installation process such as installing from boot.iso or dvd.iso is not affected by this issue.

Local Media installation source is not detected when booting the installation from a USB that is created using a third party tool

When booting the RHEL installation from a USB that is created using a third party tool, the installer fails to detect the Local Media installation source (only Red Hat CDN is detected).

The USB CD-ROM drive is not available as an installation source in Anaconda

Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda cannot find and use this source disk.

Driver disk menu fails to display user inputs on the console

When you start RHEL installation using the inst.dd option on the Kernel command line with a driver disk, the console fails to display the user input. Consequently, it appears that the application does not respond to the user input and freezes, but displays the output which is confusing for users. However, this behavior does not affect the functionality, and user input gets registered after pressing Enter.

Hard drive partitioned installations with iso9660 filesystem fails

You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that is set to ignore any hard disk containing a iso9660 file system partition. This happens even when RHEL is installed without using a DVD.

Anaconda fails to verify existence of an administrator user account

While installing RHEL using a graphical user interface, Anaconda fails to verify if the administrator account has been created. As a consequence, users might install a system without any administrator user account.

New XFS features prevent booting of PowerNV IBM POWER systems with firmware older than version 5.10

PowerNV IBM POWER systems use a Linux kernel for firmware, and use Petitboot as a replacement for GRUB. This results in the firmware kernel mounting /boot and Petitboot reading the GRUB config and booting RHEL.

RHEL for Edge installer image fails to create mount points when installing an rpm-ostree payload

When deploying rpm-ostree payloads, used for example in a RHEL for Edge installer image, the installer does not properly create some mount points for custom partitions. As a consequence, the installation is aborted with the following error:

NetworkManager fails to start after the installation when connected to a network but without DHCP or a static IP address configured

Starting with RHEL 9.0, Anaconda activates network devices automatically when there is no specific ip= or kickstart network configuration set. Anaconda creates a default persistent configuration file for each Ethernet device. The connection profile has the ONBOOT and autoconnect value set to true. As a consequence, during the start of the installed system, RHEL activates the network devices, and the networkManager-wait-online service fails.

Unable to load an updated driver from the driver update disc in the installation environment

A new version of a driver from the driver update disc might not load if the same driver from the installation initial ramdisk has already been loaded. As a consequence, an updated version of the driver cannot be applied to the installation environment.

Kickstart installations fail to configure the network connection

Anaconda performs the kickstart network configuration only through the NetworkManager API. Anaconda processes the network configuration after the %pre kickstart section. As a consequence, some tasks from the kickstart %pre section are blocked. For example, downloading packages from the %pre section fails due to unavailability of the network configuration.

The Installation process sometimes becomes unresponsive

When you install RHEL, the installation process sometimes becomes unresponsive. The /tmp/packaging.log file displays the following message at the end:

Renaming network interfaces using ifcfg files fails

On RHEL 9, the initscripts package is not installed by default. Consequently, renaming network interfaces using ifcfg files fails. To solve this problem, Red Hat recommends that you use udev rules or link files to rename interfaces. For further details, see Consistent network interface device naming and the systemd.link(5) man page.

The chkconfig package is not installed by default in RHEL 9

The chkconfig package, which updates and queries runlevel information for system services, is not installed by default in RHEL 9.

The Service Location Protocol (SLP) is vulnerable to an attack through UDP

The OpenSLP provides a dynamic configuration mechanism for applications in local area networks, such as printers and file servers. However, SLP is vulnerable to a reflective denial of service amplification attack through UDP on systems connected to the internet. SLP allows an unauthenticated attacker to register new services without limits set by the SLP implementation. By using UDP and spoofing the source address, an attacker can request the service list, creating a Denial of Service on the spoofed address.

Both bind and unbound disable validation of SHA-1-based signatures

The bind and unbound components disable validation support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 (algorithm number 7) signatures, and the SHA-1 usage for signatures is restricted in the DEFAULT system-wide cryptographic policy.

named fails to start if the same writable zone file is used in multiple zones

BIND does not allow the same writable zone file in multiple zones. Consequently, if a configuration includes multiple zones which share a path to a file that can be modified by the named service, named fails to start. To work around this problem, use the in-view clause to share one zone between multiple views and make sure to use different paths for different zones. For example, include the view names in the path.

libotr is not compliant with FIPS

The libotr library and toolkit for off-the-record (OTR) messaging provides end-to-end encryption for instant messaging conversations. However, the libotr library does not conform to the Federal Information Processing Standards (FIPS) due to its use of the gcry_pk_sign() and gcry_pk_verify() functions. As a result, you cannot use the libotr library in FIPS mode.

Setting the console keymap requires the libxkbcommon library on your minimal install

In RHEL 9, certain systemd library dependencies have been converted from dynamic linking to dynamic loading, so that your system opens and uses the libraries at runtime when they are available. With this change, a functionality that depends on such libraries is not available unless you install the necessary library. This also affects setting the keyboard layout on systems with a minimal install. As a result, the localectl --no-convert set-x11-keymap gb command fails.

The %vmeff metric from the sysstat package displays incorrect values

The sysstat package provides the %vmeff metric to measure the page reclaim efficiency. The values of the %vmeff column returned by the sar -B command are incorrect because sysstat does not parse all relevant /proc/vmstat values provided by later kernel versions. To work around this problem, you can calculate the %vmeff value manually from the /proc/vmstat file. For details, see Why the sar(1) tool reports %vmeff values beyond 100 % in RHEL 8 and RHEL 9?

tangd-keygen does not handle non-default umask correctly

The tangd-keygen script does not change file permissions for generated key files. Consequently, on systems with a default user file-creation mode mask (umask) that prevents reading keys to other users, the tang-show-keys command returns the error message Internal Error 500 instead of displaying the keys.

OpenSSL does not detect if a PKCS #11 token supports the creation of raw RSA or RSA-PSS signatures

The TLS 1.3 protocol requires support for RSA-PSS signatures. If a PKCS #11 token does not support raw RSA or RSA-PSS signatures, server applications that use the OpenSSL library fail to work with an RSA key if the key is held by the PKCS #11 token. As a result, TLS communication fails in the described scenario.

OpenSSL incorrectly handles PKCS #11 tokens that does not support raw RSA or RSA-PSS signatures

The OpenSSL library does not detect key-related capabilities of PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created with a token that does not support raw RSA or RSA-PSS signatures.

scp empties files copied to themselves when a specific syntax is used

The scp utility changed from the Secure copy protocol (SCP) to the more secure SSH file transfer protocol (SFTP). Consequently, copying a file from a location to the same location erases the file content. The problem affects the following syntax:

The OSCAP Anaconda add-on does not fetch tailored profiles in the graphical installation

The OSCAP Anaconda add-on does not provide an option to select or deselect tailoring of security profiles in the RHEL graphical installation. Starting from RHEL 8.8, the add-on does not take tailoring into account by default when installing from archives or RPM packages. Consequently, the installation displays the following error message instead of fetching an OSCAP tailored profile:

Ansible remediations require additional collections

With the replacement of Ansible Engine by the ansible-core package, the list of Ansible modules provided with the RHEL subscription is reduced. As a consequence, running remediations that use Ansible content included within the scap-security-guide package requires collections from the rhc-worker-playbook package.

oscap-anaconda-addon does not allow CIS hardening of systems with Network Servers package group

When installing RHEL Network Servers with a CIS security profile (cis, cis_server_l1, cis_workstation_l1, or cis_workstation_l2) on systems with the Network Servers package group selected, oscap-anaconda-addon sends the error message package tftp has been added to the list of excluded packages, but it can’t be removed from the current software selection without breaking the install. To proceed with the installation, navigate back to Software Selection and uncheck the Network Servers additional software to allow the installation and hardening to finish. Then, install the required packages.

Keylime does not accept concatenated PEM certificates

When Keylime receives a certificate chain as multiple certificates in the PEM format concatenated in a single file, the keylime-agent-rust Keylime component does not correctly use all the provided certificates during signature verification, resulting in a TLS handshake failure. As a consequence, the client components (keylime_verifier and keylime_tenant) cannot connect to the Keylime agent. To work around this problem, use just one certificate instead of multiple certificates.

Keylime requires a specific file for tls_dir = default

When the tls_dir variable is set to default in Keylime verifier or registrar configuration, Keylime checks for the presence of the cacert.crt file in the /var/lib/keylime/cv_ca directory. If the file is not present, the keylime_verifier or keylime_registrar service fails to start and records the following message in a log: Exception: It appears that the verifier has not yet created a CA and certificates, please run the verifier first. As a consequence, Keylime rejects custom certificate authority (CA) certificates that have a different file name even when they are placed in the /var/lib/keylime/ca_cv directory.

Default SELinux policy allows unconfined executables to make their stack executable

The default state of the selinuxuser_execstack boolean in the SELinux policy is on, which means that unconfined executables can make their stack executable. Executables should not use this option, and it might indicate poorly coded executables or a possible attack. However, due to compatibility with other tools, packages, and third-party products, Red Hat cannot change the value of the boolean in the default policy. If your scenario does not depend on such compatibility aspects, you can turn the boolean off in your local policy by entering the command setsebool -P selinuxuser_execstack off.

SSH timeout rules in STIG profiles configure incorrect options

An update of OpenSSH affected the rules in the following Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) profiles:

GnuPG incorrectly allows using SHA-1 signatures even if disallowed by crypto-policies

The GNU Privacy Guard (GnuPG) cryptographic software can create and verify signatures that use the SHA-1 algorithm regardless of the settings defined by the system-wide cryptographic policies. Consequently, you can use SHA-1 for cryptographic purposes in the DEFAULT cryptographic policy, which is not consistent with the system-wide deprecation of this insecure algorithm for signatures.

gpg-agent does not work as an SSH agent in FIPS mode

The gpg-agent tool creates MD5 fingerprints when adding keys to the ssh-agent program even though FIPS mode disables the MD5 digest. Consequently, the ssh-add utility fails to add the keys to the authentication agent.

OpenSCAP memory-consumption problems

On systems with limited memory, the OpenSCAP scanner might terminate prematurely or it might not generate the results files. To work around this problem, you can customize the scanning profile to deselect rules that involve recursion over the entire / file system:

The nm-cloud-setup service removes manually-configured secondary IP addresses from interfaces

Based on the information received from the cloud environment, the nm-cloud-setup service configures network interfaces. Disable nm-cloud-setup to manually configure interfaces. However, in certain cases, other services on the host can configure interfaces as well. For example, these services could add secondary IP addresses. To avoid that nm-cloud-setup removes secondary IP addresses:

Failure to update the session key causes the connection to break

Kernel Transport Layer Security (kTLS) protocol does not support updating the session key, which is used by the symmetric cipher. Consequently, the user cannot update the key, which causes a connection break. To work around this problem, disable kTLS. As a result, with the workaround, it is possible to successfully update the session key.

The initscripts package is not installed by default

By default, the initscripts package is not installed. As a consequence, the ifup and ifdown utilities are not available. As an alternative, use the nmcli connection up and nmcli connection down commands to enable and disable connections. If the suggested alternative does not work for you, report the problem and install the NetworkManager-initscripts-updown package, which provides a NetworkManager solution for the ifup and ifdown utilities.

The kdump mechanism in kernel causes OOM errors on the 64K kernel

The 64K kernel page size on the 64-bit ARM architecture uses more memory than the 4KB kernel. Consequently, kdump causes a kernel panic and memory allocation fails with out of memory (OOM) errors. As a work around, manually configure the crashkernel value to 640 MB. For example, set the crashkernel= parameter as crashkernel=2G- :640M.

Customer applications with dependencies on kernel page size may need updating when moving from 4k to 64k page size kernel

RHEL is compatible with both 4k and 64k page size kernels. Customer applications with dependencies on a 4k kernel page size may require updating when moving from 4k to 64k page size kernels. Known instances of this include jemalloc and dependent applications.

The kdump service fails to build the initrd file on IBM Z systems

On the 64-bit IBM Z systems, the kdump service fails to load the initial RAM disk (initrd) when znet related configuration information such as s390-subchannels reside in an inactive NetworkManager connection profile. Consequently, the kdump mechanism fails with the following error:

kTLS does not support offloading of TLS 1.3 to NICs

Kernel Transport Layer Security (kTLS) does not support offloading of TLS 1.3 to NICs. Consequently, software encryption is used with TLS 1.3 even when the NICs support TLS offload. To work around this problem, disable TLS 1.3 if offload is required. As a result, you can offload only TLS 1.2. When TLS 1.3 is in use, there is lower performance, since TLS 1.3 cannot be offloaded.

The Delay Accounting functionality does not display the SWAPIN and IO% statistics columns by default

The Delayed Accounting functionality, unlike early versions, is disabled by default. Consequently, the iotop application does not show the SWAPIN and IO% statistics columns and displays the following warning:

The kdump mechanism fails to capture the vmcore file on LUKS-encrypted targets

When running kdump on systems with Linux Unified Key Setup (LUKS) encrypted partitions, systems require a certain amount of available memory. When the available memory is less than the required amount of memory, the systemd-cryptsetup service fails to mount the partition. Consequently, the second kernel fails to capture the crash dump file (vmcore) on LUKS-encrypted targets.

Allocating crash kernel memory fails at boot time

On certain Ampere Altra systems, allocating the crash kernel memory for kdump usage fails during boot when the available memory is below 1 GB. Consequently, the kdumpctl command fails to start the kdump service.

RHEL fails to recognize NVMe disks when VMD is enabled

When you reset or reattach the driver, the Volume Management Device (VMD) domain currently does not soft-reset. Consequently, the hardware cannot properly detect and enumerate its devices. As a result, the operating system with VMD enabled does not recognize NVMe disks, especially when resetting a server or working with a VM machine.

The iwl7260-firmware breaks Wi-Fi on Intel Wi-Fi 6 AX200, AX210, and Lenovo ThinkPad P1 Gen 4

After updating the iwl7260-firmware or iwl7260-wifi driver to the version provided by RHEL 9.1 and later, the hardware gets into an incorrect internal state. reports its state incorrectly. Consequently, Intel Wifi 6 cards may not work and display the error message:

weak-modules from kmod fails to work with module inter-dependencies

The weak-modules script provided by the kmod package determines which modules are kABI-compatible with installed kernels. However, while checking modules' kernel compatibility, weak-modules processes modules symbol dependencies from higher to lower release of the kernel for which they were built. As a consequence, modules with inter-dependencies built against different kernel releases might be interpreted as non-compatible, and therefore the weak-modules script fails to work in this scenario.

The mlx5 driver fails while using the Mellanox ConnectX-5 adapter

In Ethernet switch device driver model (switchdev) mode, the mlx5 driver fails when configured with the device managed flow steering (DMFS) parameter and ConnectX-5 adapter supported hardware. As a consequence, you can see the following error message:

Hardware certification of the real-time kernel on systems with large core-counts might require passing the skew-tick=1 boot parameter to avoid lock contentions

Large or moderate sized systems with numerous sockets and large core-counts can experience latency spikes due to lock contentions on xtime_lock, which is used in the timekeeping system. As a consequence, latency spikes and delays in hardware certifications might occur on multiprocessing systems. As a workaround, you can offset the timer tick per CPU to start at a different time by adding the skew_tick=1 boot parameter.

Cannot install RHEL when PReP is not 4 or 8 MiB in size

The RHEL installer cannot install the boot loader if the PowerPC Reference Platform (PReP) partition is of a different size than 4 MiB or 8 MiB on a disk that uses 4 kiB sectors. As a consequence, you cannot install RHEL on the disk.

Anaconda fails to login iSCSI server using the no authentication method after unsuccessful CHAP authentication attempt

When you add iSCSI discs using CHAP authentication and the login attempt fails due to incorrect credentials, a relogin attempt to the discs with the no authentication method fails. To workaround this problem, close the current session and login using the no authentication method.

Device Mapper Multipath is not supported with NVMe/TCP

Using Device Mapper Multipath with the nvme-tcp driver can result in the Call Trace warnings and system instability. To work around this problem, NVMe/TCP users must enable native NVMe multipathing and not use the device-mapper-multipath tools with NVMe.

The blk-availability systemd service deactivates complex device stacks

In systemd, the default block deactivation code does not always handle complex stacks of virtual block devices correctly. In some configurations, virtual devices might not be removed during the shutdown, which causes error messages to be logged. To work around this problem, deactivate complex block device stacks by executing the following command:

Disabling quota accounting is no longer possible for an XFS filesystem mounted with quotas enabled

As of RHEL 9.2, it is no longer possible to disable quota accounting on an XFS filesystem which has been mounted with quotas enabled.

System fails to boot when adding an NVMe-FC device as a mount point in /etc/fstab

The Non-volatile Memory Express over Fibre Channel (NVMe-FC) devices mounted through the /etc/fstab file fails to mount at boot and the system enters into emergency mode. This is due to a known bug in the nvme-cli nvmf-autoconnect systemd services.

udev rule change for NVMe devices

There is a udev rule change for NVMe devices that adds OPTIONS="string_escape=replace" parameter. This leads to a disk by-id naming change for some vendors, if the serial number of your device has leading whitespace.

python3.11-lxml does not provide the lxml.isoschematron submodule

The python3.11-lxml package is distributed without the lxml.isoschematron submodule because it is not under an open source license. The submodule implements ISO Schematron support. As an alternative, pre-ISO-Schematron validation is available in the lxml.etree.Schematron class. The remaining content of the python3.11-lxml package is unaffected.

The --ssl-fips-mode option in MySQL and MariaDB does not change FIPS mode

The --ssl-fips-mode option in MySQL and MariaDB in RHEL works differently than in upstream.

Certain symbol-based probes do not work in SystemTap on the 64-bit ARM architecture

Kernel configuration disables certain functionality needed for SystemTap. Consequently, some symbol-based probes do not work on the 64-bit ARM architecture. As a result, affected SystemTap scripts may not run or may not collect hits on desired probe points.

GCC in GCC Toolset 12: CPU detection may fail on Intel Sapphire Rapids processors

CPU detection on Intel Sapphire Rapids processors relies on the existence of the AVX512_VP2INTERSECT feature. This feature has been removed from the GCC Toolset 12 version of GCC and, as a consequence, CPU detection may fail on Intel Sapphire Rapids processors.

Configuring a referral for a suffix fails in Directory Server

If you set a back-end referral in Directory Server, setting the state of the backend using the dsconf <instance_name> backend suffix set --state referral command fails with the following error:

The dsconf utility has no option to create fix-up tasks for the entryUUID plug-in

The dsconf utility does not provide an option to create fix-up tasks for the entryUUID plug-in. As a result, administrators cannot not use dsconf to create a task to automatically add entryUUID attributes to existing entries. As a workaround, create a task manually:

MIT Kerberos does not support ECC certificates for PKINIT

MIT Kerberos does not implement the RFC5349 request for comments document, which describes the design of elliptic-curve cryptography (ECC) support in Public Key Cryptography for initial authentication (PKINIT). Consequently, the MIT krb5-pkinit package, used by RHEL, does not support ECC certificates. For more information, see Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT).

The DEFAULT:SHA1 sub-policy has to be set on RHEL 9 clients for PKINIT to work against AD KDCs

The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 algorithm.

The PKINIT authentication of a user fails if a RHEL 9 Kerberos agent communicates with a non-RHEL-9 and non-AD Kerberos agent

If a RHEL 9 Kerberos agent, either a client or Kerberos Distribution Center (KDC), interacts with a non-RHEL-9 Kerberos agent that is not an Active Directory (AD) agent, the PKINIT authentication of the user fails. To work around the problem, perform one of the following actions: