Support to add customized files for SCAP security profile to a blueprint

With this enhancement, you can now add customized tailoring options for a profile to the osbuild-composer blueprint customizations by using the following options:

Minimal RHEL installation now installs only the s390utils-core package

In RHEL 8.4 and later, the s390utils-base package is split into an s390utils-core package and an auxiliary s390utils-base package. As a result, setting the RHEL installation to minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you want to use the s390utils-base package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base using a Kickstart file.

Keylime verifier and registrar containers available

You can now configure Keylime server components, the verifier and registrar, as containers. When configured to run inside a container, the Keylime registrar monitors the tenant systems from the container without any binaries on the host. The container deployment provides better isolation, modularity, and reproducibility of Keylime components.

libkcapi now provides an option for specifying target file names in hash-sum calculations

This update of the libkcapi (Linux kernel cryptographic API) packages introduces the new option -T for specifying target file names in hash-sum calculations. The value of this option overrides file names specified in processed HMAC files. You can use this option only with the -c option, for example:

Finer control over MACs in SSH with crypto-policies

You can now set additional options for message authentication codes (MACs) for the SSH protocol in the system-wide cryptographic policies (crypto-policies). With this update, the crypto-policies option ssh_etm has been converted into a tri-state etm@SSH option. The previous ssh_etm option has been deprecated.

The semanage fcontext command no longer reorders local modifications

The semanage fcontext -l -C command lists local file context modifications stored in the file_contexts.local file. The restorecon utility processes the entries in the file_contexts.local from the most recent entry to the oldest. Previously, semanage fcontext -l -C listed the entries in an incorrect order. This mismatch between processing order and listing order caused problems when managing SELinux rules. With this update, semanage fcontext -l -C displays the rules in the correct and expected order, from the oldest to the newest.

Additional services confined in the SELinux policy

This update adds additional rules to the SELinux policy that confine the following systemd services:

New SELinux policy module for the SAP HANA service

This update adds additional rules to the SELinux policy for the SAP HANA service. As a result, the service now runs successfully in SELinux enforcing mode in the sap_unconfined_t domain.

The glusterd SELinux module moved to a separate glusterfs-selinux package

With this update, the glusterd SELinux module is maintained in the separate glusterfs-selinux package. The module is therefore no longer part of the selinux-policy package. For any actions that concern the glusterd module, install and use the glusterfs-selinux package.

The fips.so library for OpenSSL provided as a separate package

OpenSSL uses the fips.so shared library as a FIPS provider. With this update, the latest version of fips.so submitted to the National Institute of Standards and Technology (NIST) for certification is in a separate package to ensure that future versions of OpenSSL use certified code or code undergoing certification.

The chronyd-restricted service is confined by the SELinux policy

This update adds additional rules to the SELinux policy that confine the new chronyd-restricted service. As a result, the service now runs successfully in SELinux.

OpenSSL adds a drop-in directory for provider configuration

The OpenSSL TLS toolkit supports provider APIs for installation and configuration of modules that provide cryptographic algorithms. With this update, you can place provider-specific configuration in separate .conf files in the /etc/pki/tls/openssl.d directory without modifying the main OpenSSL configuration file.

SELinux user-space components rebased to 3.6

The SELinux user-space components libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, and mcstrans library package have been rebased to 3.6. This version provides various bug fixes, optimizations and enhancements, most notably:

GnuTLS rebased to 3.8.3

The GnuTLS package has been rebased to upstream version 3.8.3 This version provides various bug fixes and enhancements, most notably:

nettle rebased to 3.9.1

The nettle library package has been rebased to 3.9.1. This version provides various bug fixes, optimizations and enhancements, most notably:

p11-kit rebased to 0.25.3

The p11-kit packages have been updated to upstream version 0.25.3. The packages contain the p11-kit tool for managing PKCS #11 modules, the trust tool for operating on the trust policy store, and the p11-kit library. Notable enhancements include the following:

libkcapi rebased to 1.4.0

The libkcapi library, which provides access to the Linux kernel crypto API, has been rebased to upstream version 1.4.0. The update includes various enhancements and bug fixes, most notably:

User and group creation in OpenSSH uses the sysusers.d format

Previously, OpenSSH used static useradd scripts. With this update, OpenSSH uses the sysusers.d format to declare system users, which makes it possible to introspect system users.

OpenSSH limits artificial delays in authentication

OpenSSH’s response after login failure is artificially delayed to prevent user enumeration attacks. This update introduces an upper limit on such delays when remote authentication takes too long, for example in privilege access management (PAM) processing.

stunnel rebased to 5.71

The stunnel TLS/SSL tunneling service has been rebased to upstream version 5.71.

New options for dropping capabilities in Rsyslog

You can now configure Rsyslog’s behavior when dropping capabilities by using the following global options:

audit rebased to 3.1.2

The Linux Audit system has been updated to version 3.1.2, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.0.7. Notable enhancements include:

Rsyslog rebased to 8.2310

The Rsyslog log processing system has been rebased to upstream version 8.2310. This update introduces significant enhancements and bug fixes. Most notable enhancements include:

SCAP Security Guide rebased to 0.1.72

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.72. This version provides bug fixes and various enhancements, most notably:

Support for building FIPS enabled RHEL for Edge images

This enhancement adds support for building FIPS enabled RHEL for Edge images for the following images types:

openCryptoki rebased to version 3.22.0

The opencryptoki package has been updated to version 3.22.0. Notable changes include:

synce4l rebased to version 1.0.0

The synce4l protocol has been updated to version 1.0.0. This update adds support for kernel Digital Phase Locked Loop (DPLL) interface.

chrony rebased to version 4.5

The chrony suite has been updated to version 4.5. Notable changes include:

linuxptp rebased to version 4.2

The linuxptp protocol has been updated to version 4.2. Notable changes include:

The nft utility can now reset nftables rule-contained states

With this enhancement, you can use the nft reset command to reset nftables rule-contained states. For example, use this feature to reset counter and quota statement values.

Marvell Octeon PCIe Endpoint Network Interface Controller driver is available

This enhancement has added the octeon_ep driver. You can use it for networking of Marvell’s Octeon PCIe Endpoint network interface cards. The host drivers act as PCI Express (PCIe) endpoint network interface (NIC) to support Marvell OCTEON TX2 CN106XX, a 24 N2 cores Infrastructure Processor Family. By using OCTEON TX2 driver as a PCIe NIC, you can use OCTEON TX2 as a PCIe endpoint in various products: security firewalls, 5G Open Radio Access Network (ORAN) and Virtual RAN (VRAN) applications and data processing offloading applications.

NetworkManager now supports configuring the switchdev mode for advanced hardware offload

With this enhancement, you can configure the following new properties in NetworkManager connection profiles:

NetworkManager supports changing ethtool channel settings

A network interface can have multiple interrupt request (IRQs) and associated packet queues called channels. With this enhancement, NetworkManager connection profiles can specify the number of channels to assign to an interface through connection properties ethtool.channels-rx,ethtool.channels-tx,ethtool.channels-other, and ethtool.channels-combined.

Nmstate can now create a YAML file to revert settings

With this enhancement, Nmstate can create a "revert configuration file" that contains the differences between the current network settings and a YAML file with the new configuration that you want to apply. If the settings do not work as expected after you applied the YAML file, you can use the revert configuration file to restore the previous settings:

Nmstate API configures VPN connection based on IPsec configuration

The Libreswan utility is an implementation of IPsec for configuring VPNs. With this update, by using nmstatectl, you can configure IPsec-based authentication types along with configuration modes (tunnel and transport) and network layouts (host-to-subnet, host-to-host, subnet-to-subnet).

nmstate now supports the priority bond property

With this update, you can set the priority of bond ports in the nmstate framework by using the priority property in the ports-config section of the configuration file. An example YAML file can look as follows:

NetworkManager wifi connections support a new MAC address-based privacy option

With this enhancement, you can configure NetworkManager to associate a random-generated MAC address with the Service Set Identifier (SSID) of a wifi network. This enables you to permanently use a random but consistent MAC address for a wifi network even if you delete a connection profile and recreate it. To use this new feature, set the 802-11-wireless.cloned-mac-address property of a wifi connection profile to stable-ssid.

Introduction of new nmstate attributes for the VLAN interface

With this update of the nmstate framework, the following VLAN attributes were introduced:

ipv4.dhcp-client-id set to none prevents sending a client-identifier

If the client-identifier option is not set in NetworkManager, then the actual value depends on the type of DHCP clients in use, such as NetworkManager internal DHCP client or dhclient. Generally, DHCP clients send a client-identifier. Therefore, in almost all cases, you do not need to set the none option. As a result, this option is only useful in case of some unusual DHCP server configurations that require clients to not send a client-identifier.

nmstate now supports creating MACsec interfaces

With this update, the users of the nmstate framework can configure MACsec interfaces to protect their communication on Layer 2 of the Open Systems Interconnection (OSI) model. As a result, there is no need to encrypt individual services later on Layer 7. Also, the feature eliminates associated challenges such as managing large amounts of certificates for each endpoint.

netfilter update

The kernel package has been upgraded to version 5.14.0-405 in RHEL 9. As a result, the rebase also provided multiple enhancements and bug fixes in the netfilter component of the RHEL kernel. The most notable change includes:

firewalld now avoids unnecessary firewall rule flushes

The firewalld service does not remove all existing rules from the iptables configuration if both following conditions are met:

The ss utility adds visibility improvement to TCP bound-inactive sockets

The iproute2 suite provides a collection of utilities to control TCP/IP networking traffic. TCP bound-inactive sockets are attached to an IP address and a port number but neither connected nor listening on TCP ports. The socket services (ss) utility adds support for the kernel to dump TCP bound-inactive sockets. You can view those sockets with the following command options:

The Nmstate API now supports SR-IOV VLAN 802.1ad tagging

With this enhancement, you can now use the Nmstate API to enable hardware-accelerated Single-Root I/O Virtualization (SR-IOV) Virtual Local Area Network (VLAN) 802.1ad tagging on cards whose firmware supports this feature.

The TCP Illinois congestion algorithm kernel module is re-enabled

TCP Illinois is a variant of the TCP protocol. Customers like Internet Service Providers (ISP) experience sub-optimal performance without TCP Illinois algorithm and network traffic does not scale well even when using Bandwidth and Round-trip propagation time (BBR) algorithm that results into high latency. As a result, TCP Illinois algorithm can produce slightly higher average throughput, fairer network resources allocation, and compatibility.

The iptables utility rebased to version 1.8.10

The iptables utility defines rules for packet filtering to manage firewall. This utility has been rebased. Notable changes include:

nftables rebased to version 1.0.9

The nftables utility has been upgraded to version 1.0.9, which provides multiple bug fixes and enhancements. Notable changes include:

firewalld rebased to version 1.3

The firewalld package has been upgraded to version 1.3, which provides multiple bug fixes and enhancements. Notable changes include:

Kernel version in RHEL 9.4

Red Hat Enterprise Linux 9.4 is distributed with the kernel version 5.14.0-427.13.1.

rteval now supports adding and removing arbitrary CPUs from the default measurement CPU list

With the rteval utility, you can add (using the + sign) or subtract (using the - sign) CPUs to the default measurement CPU list when using the --measurement-cpulist parameter, instead of having to specify an entire new list. Additionally, --measurement-run-on-isolcpus is introduced for adding the set of all isolated CPUs to the default measurement CPU list. This option covers the most common use case of a real-time application running on isolated CPUs. Other use cases require a more generic feature. For example, some real-time applications used one isolated CPU for housekeeping, requiring it to be excluded from the default measurement CPU list. As a result, you can now not only add, but also remove arbitrary CPUs from the default measurement CPU list in a flexible way. Removing takes precedence over adding. This rule applies to both, CPUs specified with +/- signs and to those defined with --measurement-run-on-isolcpus.

rtla rebased to version 6.6 of the upstream kernel source code

The rtla utility has been upgraded to the latest upstream version, which provides multiple bug fixes and enhancements. Notable changes include:

cyclicdeadline now supports generating a histogram of latencies

With this release, the cyclicdeadline utility supports generating a histogram of latencies. You can use this feature to get more insight into the frequency of latency spikes of different sizes, rather than getting just one worst-case number.

SGX is now fully supported

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification.

The Intel data streaming accelerator driver is now fully supported

The Intel data streaming accelerator driver (IDXD) is a kernel driver that provides an Intel CPU integrated accelerator. It includes a shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).

The eBPF facility has been rebased to Linux kernel version 6.6

Notable changes and enhancements include:

The libbpf-tools package is now available on IBM Z

The libbpf-tools package, which provides command line tools for the BPF Compiler Collection (BCC), is now available on the IBM Z architecture. As a result, you can now use commands from libbpf-tools on IBM Z.

DEP/NX support in the pre-boot stage

The memory protection feature known as Data Execution Prevention (DEP), No Execute (NX), or Execute Disable (XD), blocks the execution of code that is marked as non-executable. DEP/NX has been available in RHEL at the operating system level.

Setting a filesystem size limit is now supported

With this update, users can now set a filesystem size limit when creating or modifying a filesystem. The stratisd service enables dynamic filesystem growth, but excessive expansion of an XFS filesystem can cause significant performance issues. The addition of this feature addresses potential performance issues that might occur when growing XFS filesystems beyond a certain threshold. By setting a filesystem size limit, users can prevent such issues and ensure optimal performance. Additionally, this feature enables better pool monitoring and maintenance by allowing users to impose an upper limit on a filesystem’s size, ensuring efficient resource allocation.

Converting a standard LV to a thin LV by using lvconvert is now possible

By specifying a standard logical volume (LV) as a thin pool data, you can now convert a standard LV to a thin LV by using the lvconvert command. With this update, you can convert existing LVs to use the thin provisioning facility.

multipathd now supports detecting FPIN-Li events for NVMe devices

Previously, the multipathd command would only monitor Integrity Fabric Performance Impact Notification (PFIN-Li) events on SCSI devices. multipathd could listen for Link Integrity events sent by a Fibre Channel fabric and use it to mark paths as marginal. This feature was only supported for multipath devices on top of SCSI devices, and multipathd was unable to mark Non-volatile Memory Express (NVMe) device paths as marginal by limiting the use of this feature.

max_retries option is now added to the defaults section of multipath.conf

This enhancement adds the max_retries option to the defaults section of the multipath.conf file. By default this option is unset, and uses the SCSI layer’s default value of 5 retries. The valid values for this option is from 0 to 5. When this option is set, it overrides the default value of the max_retries sysfs attribute for SCSI devices. This attribute controls the number of times the SCSI layer retries I/O commands before returning failure when it encounters certain error types.

auto_resize option is now added to the defaults section of multipath.conf

Previously, to resize a multipath device, you had to manually execute the multipathd resize map <name> command. With this update, the auto_resize option is now added to the defaults section of the multipath.conf file. This option controls when the multipathd command can automatically resize a multipath device. The following are the different values for auto_resize:

Changes to Arcus NVMeoFC multipath.conf settings are now included in kernel

Device-mapper-multipath now has a built-in configuration for the HPE Alletra 9000 NVMeFC array. Arcus added support for ANA (Asymmetric Namespace Access) for NVMeoFC. This is similar to ALUA for SCSI. A change in the multipath.conf is required for a RHEL host to use this feature and send only I/O to ANA optimized paths when available. Without this change, device mapper was sending I/O to both ANA optimized and ANA non-optimized paths.

stratis-cli rebased to version 3.6.0

The stratis-cli package has been upgraded to version 3.6.0. Notable bug fixes and enhancements include:

boom rebased to version 1.6.0

The boom package has been upgraded to version 3.6.0. Notable enhancements include:

NVMe-FC Boot from SAN is now fully supported

The Non-volatile Memory Express (NVMe) over Fibre Channel (NVMe/FC) Boot, which was introduced in Red Hat Enterprise Linux 9.2 as a Technology Preview, is now fully supported. Some NVMe/FC host bus adapters support a NVMe/FC boot capability. For more information on programming a Host Bus Adapter (HBA) to enable NVMe/FC boot capability, see the NVMe/FC host bus adapter manufacturer’s documentation.

pcs support for ISO 8601 duration specification for time properties

The pcs command-line interface now allows you to specify values for Pacemaker time properties according to the ISO 8601 duration specification standard.

Support for new pscd Web UI features

The pscd Web UI now supports the following features:

TLS cipher list now defaults to system-wide crypto policy

Previously, the pcsd TLS cipher list was set to DEFAULT:!RC4:!3DES:@STRENGTH by default. With this update, the cipher list is defined by the system-wide crypto policy by default. The TLS ciphers accepted by the pcsd daemon might change with this upgrade, depending on the currently set crypto policy. For more information about the crypto policies framework, see the crypto-policies(7) man page.

Python 3.12 available in RHEL 9

RHEL 9.4 introduces Python 3.12, provided by the new package python3.12 and a suite of packages built for it, as well as the ubi9/python-312 container image.

A new environment variable in Python to control parsing of email addresses

To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.

A new module stream: ruby:3.3

RHEL 9.4 introduces Ruby 3.3.0 in a new ruby:3.3 module stream. This version provides a number of performance improvements, bug and security fixes, and new features over Ruby 3.1 distributed with RHEL 9.1.

A new module stream: php:8.2

RHEL 9.4 adds PHP 8.2 as a new php:8.2 module stream.

A new module stream: nginx:1.24

The nginx 1.24 web and proxy server is now available as the nginx:1.24 module stream. This update provides a number of bug fixes, security fixes, new features, and enhancements over the previously released version 1.22.

A new module stream: mariadb:10.11

MariaDB 10.11 is now available as a new module stream, mariadb:10.11. Notable enhancements over the previously available version 10.5 include:

A new module stream: postgresql:16

RHEL 9.4 introduces PostgreSQL 16 as the postgresql:16 module stream. PostgreSQL 16 provides a number of new features and enhancements over version 15.

Git rebased to version 2.43.0

The Git version control system has been updated to version 2.43.0, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.39.

Git LFS rebased to version 3.4.1

The Git Large File Storage (LFS) extension has been updated to version 3.4.1, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.2.0.

LLVM Toolset rebased to version 17.0.6

LLVM Toolset has been updated to version 17.0.6.

Rust Toolset rebased to version 1.75.0

Rust Toolset has been updated to version 1.75.0.

Go Toolset rebased to version 1.21.0

Go Toolset has been updated to version 1.21.0.

Clang resource directory moved

The Clang resource directory, where Clang stores its internal headers and libraries, has been moved from /usr/lib64/clang/17 to /usr/lib/clang/17.

elfutils rebased to version 0.190

The elfutils package has been updated to version 0.190. Notable improvements include:

systemtap rebased to version 5.0

The systemtap package has been updated to version 5.0. Notable enhancements include:

Updated GCC Toolset 13

GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

Compiling with GCC and the -fstack-protector flag no longer fails to guard dynamic stack allocations on 64-bit ARM

Previously, on the 64-bit ARM architecture, the system GCC compiler with the -fstack-protector flag failed to detect a buffer overflow in functions containing a C99 variable-length array or an alloca()-allocated object. Consequently, an attacker could overwrite saved registers on the stack. With this update, the buffer overflow detection on 64-bit ARM has been fixed. As a result, applications compiled with the system GCC are more secure.

GCC Toolset 13: Compiling with GCC and the -fstack-protector flag no longer fails to guard dynamic stack allocations on 64-bit ARM

Previously, on the 64-bit ARM architecture, the GCC compiler with the -fstack-protector flag failed to detect a buffer overflow in functions containing a C99 variable-length array or an alloca()-allocated object. Consequently, an attacker could overwrite saved registers on the stack. With this update, the buffer overflow detection on 64-bit ARM has been fixed. As a result, applications compiled with GCC are more secure.

pcp updated to version 6.2.0

The pcp package has been updated to version 6.2.0. Notable improvements include:

A new grafana-selinux package

Previously, the default installation of grafana-server ran as an unconfined_service_t SELinux type. This update adds the new grafana-selinux package, which contains an SELinux policy for grafana-server and which is installed by default with grafana-server. As a result, grafana-server now runs as grafana_t SELinux type.

papi supports new processor microarchitectures

With this enhancement, you can access performance monitoring hardware using papi events presets on the following processor microarchitectures:

New package: maven-openjdk21

The maven:3.8 module stream now includes the maven-openjdk21 subpackage, which provides the Maven JDK binding for OpenJDK 21 and configures Maven to use the system OpenJDK 21.

New package: libzip-tools

RHEL 9.4 introduces the libzip-tools package, which provides utilities such such as zipcmp, zipmerge, and ziptool.

cmake rebased to version 3.26

The cmake package has been updated to version 3.26. Notable improvements include:

A new passwordless authentication method is available in SSSD

With this update, you can enable and configure passwordless authentication in SSSD to use a biometric device that is compatible with the FIDO2 specification, for example a YubiKey. You must register the FIDO2 token in advance and store this registration information in the user account in RHEL IdM, Active Directory, or an LDAP store. RHEL implements FIDO2 compatibility with the libfido2 library, which currently only supports USB-based tokens.

The ansible-freeipa ipauser and ipagroup modules now support a new renamed state

With this update, you can use the renamed state in ansible-freeipa ipauser module to change the user name of an existing IdM user. You can also use this state in ansible-freeipa ipagroup module to change the group name of an existing IdM group.

Identity Management users can now use external identity providers to authenticate to IdM

With this enhancement, you can now associate Identity Management (IdM) users with external identity providers (IdPs) that support the OAuth 2 device authorization flow. Examples of such IdPs include Red Hat build of Keycloak, Azure Entra ID, Github, Google, and Facebook.

ipa rebased to version 4.11

The ipa package has been updated from version 4.10 to 4.11. Notable changes include:

Deleting expired KCM Kerberos tickets

Previously, if you attempted to add a new credential to the Kerberos Credential Manager (KCM) and you had already reached the storage space limit, the new credential was rejected. The user storage space is limited by the max_uid_ccaches configuration option that has a default value of 64. With this update, if you have already reached the storage space limit, your oldest expired credential is removed and the new credential is added to the KCM. If there are no expired credentials, the operation fails and an error is returned. To prevent this issue, you can free some space by removing credentials using the kdestroy command.

IdM now supports the idoverrideuser, idoverridegroup and idview Ansible modules

With this update, the ansible-freeipa package now contains the following modules:

The idp Ansible module allows associating IdM users with external IdPs

With this update, you can use the idp ansible-freeipa module to associate Identity Management (IdM) users with external identity providers (IdP) that support the OAuth 2 device authorization flow. If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable IdP authentication for an IdM user. 

getcert add-ca returns a new return code if a certificate is already present or tracked

With this update, the getcert command returns a specific return code, 2, if you try to add or track a certificate that is already present or tracked. Previously, the command returned return code 1 on any error condition.

The delegation of DNS zone management is now enabled in ansible-freeipa

You can now use the dnszone ansible-freeipa module to delegate DNS zone management. Use the permission or managedby variable of the dnszone module to configure a per-zone access delegation permission.

Enforcing OTP usage for all LDAP clients

With the release of the RHBA-2024:2558 advisory, in RHEL IdM, you can now set the default behavior for LDAP server authentication of user accounts with two-factor (OTP) authentication configured. If OTP is enforced, LDAP clients cannot authenticate against an LDAP server using single factor authentication (a password) for users that have associated OTP tokens. This method is already enforced through the Kerberos backend by using a special LDAP control with OID 2.16.840.1.113730.3.8.10.7 without any data.

The runasuser_group parameter is now available in ansible-freeipa ipasudorule

With this update, you can set Groups of RunAs Users for a sudo rule by using the ansible-freeipa ipasudorule module. The option is already available in the Identity Management (IdM) command-line interface and the IdM Web UI.

389-ds-base rebased to version 2.4.5

The 389-ds-base package has been updated to version 2.4.5. Notable bug fixes and enhancements over version 2.3.4 include:

Transparent Huge Pages are now disabled by default for the ns-slapd process

When large database caches are used, Transparent Huge Pages (THP) can have a negative effect on Directory Server performance under heavy load, for example, high memory footprint, high CPU usage and latency spikes. With this enhancement, a new THP_DISABLE=1 configuration option was added to the /usr/lib/systemd/system/dirsrv@.service.d/custom.conf drop-in configuration file for the dirsrv systemd unit to disable THP for the ns-slapd process.

The new lastLoginHistSize configuration attribute is now available for the Account Policy plug-in

Previously, when a user did a successful bind, only the time of the last login was available. With this update, you can use the new lastLoginHistSize configuration attribute to manage a history of successful logins. By default, the last five successful logins are saved.

The new notes=M message in the access log to identify MFA binds

With this update, when you configure the two-factor authentication for user accounts by using a pre-bind authentication plug-in, such as MFA plug-in, the Directory Server log files record the following messages during BIND operations:

The new inchainMatch matching rule is now available

With this update, a client application can use the new inchainMatch matching rule to search for the ancestry of an LDAP entry. The member, manager, parentOrganization, and memberof attributes can be used with the inchainMatch matching rule and the following searches can be performed:

The HAProxy protocol is now supported for the 389-ds-base package

Previously, Directory Server did not differentiate incoming connections between proxy and non-proxy clients. With this update, you can use the new nsslapd-haproxy-trusted-ip multi-valued configuration attribute to configure the list of trusted proxy servers. When nsslapd-haproxy-trusted-ip is configured under the cn=config entry, Directory Server uses the HAProxy protocol to receive client IP addresses via an additional TCP header so that access control instructions (ACIs) can be correctly evaluated and client traffic can be logged.

samba rebased to version 4.19.4

The samba packages have been upgraded to upstream version 4.19.4, which provides bug fixes and enhancements over the previous version. The most notable changes are:

Identity Management API is now fully supported

The Identity Management (IdM) API was available as a Technology Preview in RHEL 9.2. Since RHEL 9.3, it has been fully supported.

RHEL web console can now generate Ansible and shell scripts

In the web console, you can now easily access and copy automation scripts on the kdump configuration page. You can then use the generated script to implement a specific kdump configuration on multiple systems.

Simplified managing storage and resizing partitions on Storage

The Storage section of the web console is now redesigned. The new design improved visibility across all views. The overview page now presents all storage objects in a comprehensive table, which makes it easier to perform operations directly. You can click any row to view detailed information and any supplementary actions. Additionally, you can now resize partitions from the Storage section.

The ad_integration RHEL System Role now supports configuring dynamic DNS update options

With this update, the ad_integration RHEL System Role supports configuring options for dynamic DNS updates using SSSD when integrated with Active Directory (AD). By default, SSSD will attempt to automatically refresh the DNS record:

The Storage RHEL System Roles now support shared LVM device management

The RHEL System Roles now support the creation and management of shared logical volumes and volume groups.

Microsoft SQL Server 2022 available on RHEL 9

The mssql-server system role is now available on RHEL 9. The role adds two variables:

The rhc system role now supports RHEL 7 systems

You can now manage RHEL 7 systems by using the rhc system role. Register the RHEL 7 system to Red Hat Subscription Management (RHSM) and Insights and start managing your system using the rhc system role.

New RHEL System Role for configuring fapolicyd

With the new fapolicyd RHEL System Role, you can use Ansible playbooks to manage and configure the fapolicyd framework. The fapolicyd software framework controls the execution of applications based on a user-defined policy.

The RHEL System Roles now support LVM snapshot management

With this enhancement, you can use the new snapshot RHEL System Role to create, configure, and manage LVM snapshots.

The Nmstate API and the network RHEL System role now support new route types

With this enhancement, you can use the following route types with the Nmstate API and the network RHEL System Role:

The ad_integration RHEL System Role now supports custom SSSD domain configuration settings

Previously, when using the ad_integration RHEL System Role, it was not possible to add custom settings to the domain configuration section in the sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings.

The ad_integration RHEL System Role now supports custom SSSD settings

Previously, when using the ad_integration RHEL System Role, it was not possible to add custom settings to the [sssd] section in the sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings.

New rhc_insights.display_name option in the rhc role to set display names

You can now configure or update the display name of the system registered to Red Hat Insights by using the new rhc_insights.display_name parameter. The parameter allows you to name the system based on your preference to easily manage systems in the Insights Inventory. If your system is already connected with Red Hat Insights, use the parameter to update the existing display name. If the display name is not set explicitly on registration, it is set to the hostname by default. It is not possible to automatically revert the display name to the hostname, but it can be set so manually.

New RHEL System Role for configuring fapolicyd

With the new fapolicyd RHEL System Role, you can use Ansible playbooks to manage and configure the fapolicyd framework. The fapolicyd software framework controls the execution of applications based on a user-defined policy.

New logging_preserve_fqdn variable for the logging RHEL System Role

Previously, it was not possible to configure a fully qualified domain name (FQDN) using the logging system role. This update adds the optional logging_preserve_fqdn variable, which you can use to set the preserveFQDN configuration option in rsyslog to use the full FQDN instead of a short name in syslog entries.

The logging role supports general queue and general action parameters in output modules

Previously, it was not possible to configure general queue parameters and general action parameters with the logging role. With this update, the logging RHEL System Role supports configuration of general queue parameters and general action parameters in output modules.

The postgresql RHEL System Role now supports PostgreSQL 16

The postgresql RHEL System Role, which installs, configures, manages, and starts the PostgreSQL server, now supports PostgreSQL 16.

Support for creation of volumes without creating a file system

With this enhancement, you can now create a new volume without creating a file system by specifying the fs_type=unformatted option.

Support for new ha_cluster System Role features

The ha_cluster System Role now supports the following features:

ForwardToSyslog flag is now supported in the journald system role

In the journald RHEL System Role, the journald_forward_to_syslog variable controls whether the received messages should be forwarded to the traditional syslog daemon or not. The default value of this variable is false. With this enhancement, you can now configure the ForwardToSyslog flag by setting journald_forward_to_syslog to true in the inventory. As a result, when using remote logging systems such as Splunk, the logs are available in the /var/log files.

New rhc_insights.ansible_host option in the rhc role to set Ansible hostnames

You can now configure or update the Ansible hostname for the systems registered to Red Hat Insights by using the new rhc_insights.ansible_host parameter. When set, the parameter changes the ansible_host configuration in the /etc/insights-client/insights-client.conf file to your selected Ansible hostname. If your system is already connected with Red Hat Insights, this parameter will update the existing Ansible hostname.

New mssql_ha_prep_for_pacemaker variable

Previously, the microsoft.sql.server RHEL System Role did not have a variable to control whether to configure SQL Server for Pacemaker. This update adds the mssql_ha_prep_for_pacemaker. Set the variable to false if you do not want to configure your system for Pacemaker and you want to use another HA solution.

The sshd role now configures certificate-based SSH authentications

With the sshd RHEL System Role, you can now configure and manage multiple SSH servers to authenticate by using SSH certificates. This makes SSH authentications more secure because certificates are signed by a trusted CA and provide fine-grained access control, expiration dates, and centralized management.

Use the logging_max_message_size parameter instead of rsyslog_max_message_size in the logging system role

Previously, even though the rsyslog_max_message_size parameter was not supported, the logging RHEL System Role was using rsyslog_max_message_size instead of using the logging_max_message_size parameter. This enhancement ensures that logging_max_message_size is used and not rsyslog_max_message_size to set the maximum size for the log messages.

ratelimit_burst variable is only used if ratelimit_interval is set in logging system role

Previously, in the logging RHEL System Role, when the ratelimit_interval variable was not set, the role would use the ratelimit_burst variable to set the rsyslog ratelimit.burst setting. But it had no effect because it is also required to set ratelimit_interval.

selinux role now prints a message when specifying a non-existent module

With this release, the selinux RHEL System Role prints an error message when you specify a non-existent module in the selinux_modules.path variable.

selinux role now supports configuring SELinux in disabled mode

With this update, the selinux RHEL System Role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.

The metrics RHEL System Role now supports configuring PMIE webhooks

With this update, you can automatically configure the`global webhook_endpoint` PMIE variable using the metrics_webhook_endpoint variable for the metrics RHEL System Role. This enables you to provide a custom URL for your environment that receives messages about important performance events, and is typically used with external tools such as Event-Driven Ansible.

The bootloader RHEL System Role

This update introduces the bootloader RHEL System Role. You can use this feature for stable and consistent configuration of bootloaders and kernels on your RHEL systems. For more details regarding requirements, role variables, and example playbooks, see the README resources in the /usr/share/doc/rhel-system-roles/bootloader/ directory.

Virtualization is now supported on ARM 64

This update introduces support for creating KVM virtual machines on systems that use ARM 64 (also known as AArch64) CPUs. Note, however, that certain virtualization features and functionalities that are available on AMD64 and Intel 64 systems might work differently or be unsupported on ARM 64.

External snapshots for virtual machines

This update introduces the external snapshot mechanism for virtual machines (VMs), which replaces the previously deprecated internal snapshot mechanism. As a result, you can create, delete, and revert to VM snapshots that are fully supported. External snapshots work more reliably both in the command-line interface and in the RHEL web console. This also applies to snapshots of running VMs, known as live snapshots. 

RHEL now supports Multi-FD migration of virtual machines

With this update, multiple file descriptors (multi-FD) migration of virtual machines is now supported. Multi-FD migration uses multiple parallel connections to migrate a virtual machine, which can speed up the process by utilizing all the available network bandwidth.

VM migration now supports post-copy preemption

Post-copy live migrations of virtual machines (VM) now use the postcopy-preempt feature, which improves the performance and stability of these migrations.

Secure Execution VMs on IBM Z now support cryptographic coprocessors

With this update, you can now assign cryptographic coprocessors as mediated devices to a virtual machine (VM) with IBM Secure Execution on IBM Z.

4th Generation AMD EPYC processors supported on KVM guests

Support for 4th Generation AMD EPYC processors (also known as AMD Genoa) has now been added to the KVM hypervisor and kernel code, and to the libvirt API. This enables KVM virtual machines to use 4th Generation AMD EPYC processors.

New virtualization features in the RHEL web console

With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:

virtio-mem is now supported on AMD64 and Intel 64 systems

With this update, RHEL 9 introduces support for the virtio-mem feature on AMD64 and Intel 64 systems. With virtio-mem, you can dynamically add or remove host memory in virtual machines (VMs).

You can now replace SPICE with VNC in the web console

With this update, you can use the web console to replace the SPICE remote display protocol with the VNC protocol in an existing virtual machine (VM).

Improved I/O performance for virtio-blk disk devices

With this update, you can configure a separate IOThread for each virtqueue in a virtio-blk disk device. This configuration improves performance for virtual machines with multiple CPUs during intensive I/O workloads.

VNC viewer correctly initializes a VM display after live migration of ramfb

This update enhances the ramfb framebuffer device, which you can configure as a primary display for a virtual machine (VM). Previously, ramfb was unable to migrate, which resulted in VMs that use ramfb showing a blank screen after live migration. Now, ramfb is compatible with live migration. As a result, you see the VM desktop display when the migration completes.

RHEL instances on EC2 now support IPv6 IMDS connections

With this update, RHEL 8 and 9 instances on Amazon Elastic Cloud Compute (EC2) can use the IPv6 protocol to connect to Instance Metadata Service (IMDS). As a result, you can configure RHEL instances with cloud-init on EC2 with a dual-stack IPv4 and IPv6 connection. In addition, you can launch EC2 instances of RHEL with cloud-init in IPv6-only subnet.

New cloud-init clean option for deleting generated configuration files

The cloud-init clean --configs option has been added for the cloud-init utility. You can use this option to delete unnecessary configuration files generated by cloud-init on your instance. For example, to delete cloud-init configuration files that define network setup, use the following command:

Podman now supports containers.conf modules

You can use Podman modules to load a predetermined set of configurations. Podman modules are containers.conf files in the TOML format.

The Container Tools packages have been updated

The updated Container Tools RPM meta-package, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. Notable bug fixes and enhancements over the previous version include:

The Podman v4.9 RESTful API now displays data of progress

With this enhancement, the Podman v4.9 RESTful API now displays data of progress when you pull or push an image to the registry.

Toolbx is now available

With Toolbx, you can install the development and debugging tools, editors, and Software Development Kits (SDKs) into the Toolbx fully mutable container without affecting the base operating system. The Toolbx container is based on the registry.access.redhat.com/ubi9.4/toolbox:latest image.

SQLite is now fully supported as a default database backend for Podman

With Podman v4.9, the SQLite database backend for Podman, previously available as Technology Preview, is now fully supported. The SQLite database provides better stability, performance, and consistency when working with container metadata. The SQLite database backend is the default backend for new installations of RHEL 9.4. If you upgrade from a previous RHEL version, the default backend is BoltDB.

Administrators can set up isolation for firewall rules by using nftables

You can use Netavark, a Podman container networking stack, on systems without iptables installed. Previously, when using the container networking interface (CNI) networking, the predecessor to Netavark, there was no way to set up container networking on systems without iptables installed. With this enhancement, the Netavark network stack works on systems with only nftables installed and improves isolation of automatically generated firewall rules.

Containerfile now supports multi-line instructions

You can use the multi-line HereDoc instructions (Here Document notation) in the Containerfile file to simplify this file and reduce the number of image layers caused by performing multiple RUN directives.

The gvisor-tap-vsock package is now available

The gvisor-tap-vsock package is an alternative to the libslirp user-mode networking library and VPNKit tools and services. It is written in Go and based on the network stack of gVisor. Compared to libslirp, the gvisor-tap-vsock librarysupports a configurable DNS server and dynamic port forwarding. You can use the gvisor-tap-vsock networking library for podman-machine virtual machines. The podman machine command for managing virtual machines is currently unsupported on Red Hat Enterprise Linux.

Anaconda displays WWID identifiers for multipath storage devices on the Installation Destination screen

Previously, Anaconda did not display any details, for example, device number, WWPN, or LUN for the multipath storage devices. As a consequence, it was difficult to select the correct installation destination from the Installation Destination > Add a disk screen. With this update, Anaconda now displays WWID identifiers for multipath storage devices. As a result, you can now easily identify and select the desired installation destination on the advanced storage device screen.

Installer now accepts additional time zone definitions in Kickstart files

Anaconda switched to a different, more restrictive method of validating time zone selections. This caused some time zone definitions, such as Japan, to be no longer valid despite being accepted in previous versions. Legacy Kickstart files with these definitions had to be updated. Otherwise, they would default to the Americas/New_York time zone.

The installer now correctly creates bond device with multiple ports and a BOOTIF option

Previously, the installer created incorrect connection profiles when the installation was booted with a bond network device with multiple ports along with the BOOTIF boot option. Consequently, the device used by the BOOTIF option was not added to the bond device though it was configured as one of its ports.

Anaconda replaces the misleading error message when failing to boot an installation image

Previously, when the installation program failed to boot the installation image, for example due to missing source of stage2 specified in inst.stage2 or inst.repo, Anaconda displayed the following misleading error message:

The new version of xfsprogs no longer shrinks the size of /boot

Previously, the xfsprogs package with the 5.19 version in the RHEL 9.3 caused the size of /boot to shrink. As a consequence, it caused a difference in the available space on the /boot partition, if compared to the RHEL 9.2 version. This fix increases the /boot partition to 600 MiB for all images, instead of 500 MiB, and the /boot partition is no longer affected by space issues.

Libreswan accepts IPv6 SAN extensions

Previously, IPsec connection failed when setting up certificate-based authentication with a certificate that contained a subjectAltName (SAN) extension with an IPv6 address. With this update, the pluto daemon has been modified to accept IPv6 SAN as well as IPv4. As a result, IPsec connection is now correctly established with IPv6 address embedded in the certificate as an ID.

Rules for managing virtual routing with ip vrf are added to the SELinux policy

You can use the ip vrf command to manage virtual routing of other network services. Previously, selinux-policy did not contain rules to support this usage. With this update, SELinux policy rules allow explicit transitions from the ip domain to the httpd, sshd, and named domains. These transitions apply when the ip command uses the setexeccon library call.

SELinux policy denies SSH login for unconfined users when unconfined_login is set to off

Previously, the SELinux policy was missing a rule to deny unconfined users to log in via SSH when the unconfined_login boolean was set to off. As a consequence, with unconfined_login set to off, users still could log in with SSHD to an unconfined domain. This update adds a rule to the SELinux policy, and as a result, users cannot log in via sshd as unconfined when unconfined_login is off.

SELinux policy allows rsyslogd to execute confined commands

Previously, the SELinux policy was missing a rule to allow the rsyslogd daemon to execute SELinux-confined commands, such as systemctl. As a consequence, commands executed as an argument of the omprog directive failed. This update adds rules to the SELinux policy so that executables in the /usr/libexec/rsyslog directory that are run as an argument of omprog are in the syslogd_unconfined_script_t unconfined domain. As a result, commands executed as an argument of omprog finish successfully.

SELinux policy allows rsyslogd to execute confined commands

Previously, the SELinux policy was missing a rule to allow the rsyslogd daemon to execute SELinux-confined commands, such as systemctl. As a consequence, commands executed as an argument of the omprog directive failed. This update adds rules to the SELinux policy so that executables in the /usr/libexec/rsyslog directory that are run as an argument of omprog are in the syslogd_unconfined_script_t unconfined domain. As a result, commands executed as an argument of omprog finish successfully.

kmod runs in the SELinux MLS policy

Previously, the SELinux did not assign a private type for the /var/run/tmpfiles.d/static-nodes.conf file. As a consequence, the kmod utility may fail to work in the SELinux multi-level security (MLS) policy. This update adds the kmod_var_run_t label for /var/run/tmpfiles.d/static-nodes.conf to the SELinux policy, and as a result, kmod runs successfully in the SELinux MLS policy.

selinux-autorelabel runs in SELinux MLS policy

Previously, the SELinux policy did not assign a private type for the /usr/libexec/selinux/selinux-autorelabel utility. As a consequence, selinux-autorelabel.service might fail to work in the SELinux multi-level security (MLS) policy. This update adds the semanage_exec_t label to /usr/libexec/selinux/selinux-autorelabel, and as a result, selinux-autorelabel.service runs successfully in the SELinux MLS policy.

/bin = /usr/bin file context equivalency rule added to SELinux policy

Previously, the SELinux policy did not contain the /bin = /usr/bin file context equivalency rule. As a consequence, the restorecond daemon did not work correctly. This update adds the missing rule to the policy, and as a consequence, restorecond works correctly in SELinux enforcing mode.

SELinux policy contains rules for additional services and applications

This version of the selinux-policy package contains additional rules. Most notably, users in the sysadm_r role can execute the following commands:

SELinux policy adds permissions for QAT firmware

Previously, when updating the Intel QuickAssist Technology (QAT) with the Intel VT-d kernel option enabled, missing SELinux permissions caused denials. This update adds additional permissions for the qat service. As a result, QAT can be updated correctly.

Rsyslog can execute privileged commands through omprog

Previously, the omprog module of Rsyslog could not execute certain external programs, especially programs that contain privileged commands. As a consequence, the use of scripts that involve privileged commands through omprog was restricted. With this update, the SELinux policy was adjusted. Place your scripts into the /usr/libexec/rsyslog directory to ensure compatibility with the adjusted SELinux policy. As a result, Rsyslog now can execute scripts, including those with privileged commands, through the omprog module.

The semanage fcontext command no longer reorders local modifications

The semanage fcontext -l -C command lists local file context modifications stored in the file_contexts.local file. The restorecon utility processes the entries in the file_contexts.local from the most recent entry to the oldest. Previously, semanage fcontext -l -C listed the entries in an incorrect order. This mismatch between processing order and listing order caused problems when managing SELinux rules. With this update, semanage fcontext -l -C displays the rules in the correct and expected order, from the oldest to the newest.

CardOS 5.3 cards with offsets no longer cause problems in OpenSC

Previously, file caching did not work correctly for some CardOS 5.3 cards that stored certificates on different offsets of a single PKCS #15 file. This occurred because file caching ignored the offset part of the file, which caused repetitive overriding of the cache and reading invalid data from file cache. The problem was identified and fixed upstream, and after this update, CardOS 5.3 cards work correctly with the file cache.

subscription-manager no longer retains nonessential text in the terminal

Starting with RHEL 9.1, subscription-manager displays progress information while processing any operation. Previously, for some languages, typically non-Latin, progress messages did not clean up after the operation finished. With this update, all the messages are cleaned up properly when the operation finishes.

The librhsm library now returns the correct /etc/rhsm-host prefix if librhsm is run in a container

The librhsm library rewrites path prefixes to CA certificates from the /etc/rhsm to /etc/rhsm-host path if librhsm is run in a container. Previously, librhsm returned the wrong /etc/rhsm-host-host prefix because of a string manipulation mistake. With this update, the issue has been fixed, and the librhsm library now returns the correct /etc/rhsm-host prefix.

systemd now correctly manages the /run/user/0 directory created by librepo

Previously, if the librepo functions were called from an Insights client before logging in root, the /run/user/0 directory could be created with a wrong SELinux context type. This prevented systemd from cleaning the directory after you logged out from root.

systemd now correctly manages the /run/user/0 directory created by libdnf

Previously, if the libdnf functions were called from an Insights client before logging in root, the /run/user/0 directory could be created with a wrong SELinux context type. This prevented systemd from cleaning the directory after you logged out from root.

The dnf needs-restarting --reboothint command now recommends a reboot to update the CPU microcode

To fully update the CPU microcode, you must reboot a system. Previously, when you installed the microcode_ctl package, which contains the updated CPU microcode, the dnf needs-restarting --reboothint command did not recommend the reboot. With this update, the issue has been fixed, and dnf needs-restarting --reboothint now recommends a reboot to update the CPU microcode.

The top -u command now displays at least one process when you sort the processes by memory

Previously, when you executed the top command with the -u <user> parameter, where the user was different from the one running the command, all processes disappeared when the M key was pressed to sort the processes by memory. With this update, the top command displays at least one process when you sort the processes by memory.

ReaR now determines the presence of a BIOS bootloader when both BIOS and UEFI bootloaders are installed

Previously, in a hybrid bootloader setup (UEFI and BIOS), when UEFI was used to boot, Relax-and-Recover (ReaR) restored only the UEFI bootloader and not the BIOS bootloader. This would result in a system that had a GUID Partition Table (GPT), a BIOS Boot Partition, but not a BIOS bootloader. In this situation, ReaR failed to create the rescue image, the attempt to produce a backup or a rescue image by using the rear mkbackup or rear mkrescue command would fail with the following error message:

ReaR no longer uses the logbsize, sunit and swidth mount options during recovery

Previously, when restoring an XFS file system with the parameters different from the original ones by using the MKFS_XFS_OPTIONS configuration setting, Relax-and-Recover (ReaR) mounted this file system with mount options applicable for the original file system, but not for the restored file system. As a consequence, the disk layout recreation would fail with the following error message when ReaR ran the mount command :

ReaR recovery no longer fails on systems with a small thin pool metadata size

Previously, ReaR did not save the size of the pool metadata volume when saving a layout of an LVM volume group with a thin pool. During recovery, ReaR recreated the pool with the default size even if the system used a non-default pool metadata size.

ReaR now preserves logs from the bprestore command of NetBackup in the rescue system and the recovered system

Previously, when using the NetBackup integration (BACKUP=NBU), ReaR added the log from the bprestore command during recovery to a directory that was deleted on exit. Additionally, ReaR did not save further logs produced by the command under the /usr/openv/netbackup/logs/bprestore/ directory on the recovered system.

ReaR no longer fails during recovery if the TMPDIR variable is set in the configuration file

Previously, the ReaR default configuration file /usr/share/rear/conf/default.conf contained the following instructions:

wwan_hwsim is now in the kernel-modules-internal package

The wwan_hwsim kernel module provides a framework for simulating and testing various networking scenarios that use wireless wide area network (WWAN) devices. Previously, wwan_hwsim was a part of the kernel-modules-extra package. However, with this release, it is moved to the kernel-modules-internal package, which contains other similarly-oriented utilities. Note that the WWAN feature for PCI modem is still a Technology Preview.

The xdp-loader features command now works as expected

The xdp-loader utility was compiled against the previous version of libbpf. As a consequence, xdp-loader features failed with an error:

Mellanox ConnectX-5 adapter works in the DMFS mode

Previously, while using the Ethernet switch device driver model (switchdev) mode, the mlx5 driver failed if configured in the device managed flow steering (DMFS) mode on the ConnectX-5 adapter. Consequently, the following error message appeared:

crash was rebased to version 8.0.4

The crash utility was upgraded to version 8.0.4, which provides multiple bugfixes. Notable repairs include:

tuna launches GUI when needed

Previously, if you ran the tuna utility without any subcommand, it would launch the GUI. This behavior was desirable if you had a display. In the opposite case, tuna on a machine without a display would not exit gracefully. With this update, tuna detects whether you have a display, and the GUI is launched or not launched accordingly.

Intel TPM chips are now detected correctly

Previously, a side effect in a bug fix to AMD Trusted Platform Module (TPM) chips also affected Intel TPM chips. As a consequence, RHEL failed to detect certain Intel TPM chips.

RHEL previously failed to recognize NVMe disks when VMD was enabled

When you reset or reattached a driver, the Volume Management Device (VMD) domain previously did not soft-reset. Consequently, the hardware could not properly detect and enumerate its devices. With this update, the operating system with VMD enabled now correctly recognizes NVMe disks, especially when resetting a server or working with a VM machine.

multipathd now successfully removes devices that have outstanding queued I/O

Previously, the multipathd command did not disable the queue_if_no_path parameter before removing a device. This was possible only if there was an outstanding queued I/O to the multipath device itself, and not to the partition devices. Consequently, multipathd would hang, and could no longer maintain the multipath devices. With this update, the multipathd now disables queuing before executing the remove command such as multipath -F, multipath -f <device>, multipathd remove maps, or multipathd remove map <device>. As a result, multipathd now successfully removes devices that have outstanding queued I/O.

The no_read_workqueue, no_write_workqueue, and try_verify_in_taskle options of the dm-crypt and dm-verity devices are temporarily disabled

Previously, the dm-crypt devices created by using either the no_read_workqueue or no_write_workqueue option and dm-verity devices created by using the try_verify_in_tasklet option caused memory corruption. Consequently, random kernel memory was corrupted, which caused various system problems. With this update, these options are temporarily disabled. Note that this fix can cause dm-verity and dm-crypt to perform slower on some workloads.

Multipathd now checks if a device is incorrectly queuing I/O

Previously, a multipath device restarted queuing I/O, even though it was configured to fail, under the following conditions:

Removing duplicate entry from nvmf_log_connect_error

Previously, due to a duplicate commit merge error, a log message was repeated in the nvmf_log_connect_error kernel function. Consequently, when the kernel was unable to connect to a fabric-attached Non-volatile Memory Express (NVMe) device, the Connect command failed message appeared twice. With this update, the duplicate log message is now removed from the kernel, resulting in only a single log message available for each error.

The kernel no longer crashes when namespaces are added and removed

Previously, when NVMe namespaces were rapidly added and removed, a namespace disappeared between successive commands used to probe the namespace. In a specific case, a storage array did not return an invalid namespace error but instead returned a buffer filled with zero. Consequently, the kernel crashed due to the divide-by-zero error. With this update, the kernel now validates data from responses to both the Identify Namespace data structure issued to the storage. As a result, the kernel no longer crashes.

The newly allocated sections of the data device are now properly aligned

Previously, when a Stratis pool was expanded, it was possible to allocate the new regions of the pool. But the newly allocated regions were not correctly aligned with the previously allocated regions. Consequently, it could cause a performance degradation along with a non-zero entry in the Stratis thin pool’s alignment_offset file in sysfs. With this update, when the pool expands, the newly allocated region of the data device is properly aligned with the previously allocated region. As a result, there is no degradation in performance and no non-zero entry in the Stratis thin pool’s alignment_offset file in sysfs.

System boots correctly when adding a NVMe-FC device as a mount point in /etc/fstab

Previously, due to a known issue in the nvme-cli nvmf-autoconnect systemd services, systems failed to boot while adding the Non-volatile Memory Express over Fibre Channel (NVMe-FC) devices as a mount point in the /etc/fstab file. Consequently, the system entered into an emergency mode. With this update, a system boots without any issue when mounting an NVMe-FC device.

LUNs are now visible during the operating system installation

Previously, the system was not using the authentication information from firmware sources, specifically in cases involving iSCSI hardware offload with CHAP (Challenge-Handshake Authentication Protocol) authentication stored in the iSCSI iBFT (Boot Firmware Table). As a consequence, the iSCSI login failed during installation.

Configuring the tls and keep_active_partition_tie_breaker quorum device options without specifying --force

Previously, when configuring a quorum device, a user could not configure the tls and keep_active_partition_tie_breaker options for a quorum device model net without specifying the --force option. With this update, configuring these options no longer requires you to specify --force.

Issues with moving and banning clone and bundle resources now corrected

This bug fix addresses two limitations of moving bundled and clone resources:

Output of pcs status command no longer shows warning for expired constraints

Previously, when moving a cluster resource created a temporary location constraint, the pcs status command displayed a warning even after the constraint expired. With this fix, the pcs status command filters out expired constraints and they no longer generate a warning message in the command output.

Disabling the auto_tie_breaker quorum option no longer allowed when SBD fencing requires it

Previously, pcs allowed a user to disable the auto_tie_breaker quorum option even when a cluster configuration required this option for SBD fencing to work correctly. With this fix, pcs generates an error message when a user attempts to disable auto_tie_breaker on a system where SBD fencing requires that the auto_tie_breaker option be enabled.

httpd works correctly if a DAV repository location is configured by using a regular expression match

Previously, if a Distributed Authoring and Versioning (DAV) repository was configured in the Apache HTTP Server by using a regular expression match (such as LocationMatch), the mod_dav httpd module was unable to determine the root of the repository from the path name. As a consequence, httpd did not handle requests from third-party providers (for example, Subversion’s mod_dav_svn module).

ldconfig no longer crashes after an interrupted system upgrade

Previously, the ldconfig utility terminated unexpectedly with a segmentation fault when processing incomplete shared objects left in the /usr/lib64 directory after an interrupted system upgrade. With this update, ldconfig ignores temporary files written during system upgrades. As a result, ldconfig no longer crashes after an interrupted system upgrade.

glibc now uses the number of configured processors for malloc arena tuning

Previously, glibc used the per-thread CPU affinity mask for tuning the maximum arena count for malloc. As a consequence, restricting the thread affinity mask to a small subset of CPUs in the system could lead to performance degradation.

Improved glibc compatibility with applications using dlclose on shared objects involved in a dependency cycle

Previously, when unloading a shared object in a dependency cycle using the dlclose function in glibc, that object’s ELF destructor might not have been called before all other objects were unloaded. As a consequence of this late ELF destructor execution, applications experienced crashes and other errors due to the initial shared object’s dependencies already being deinitialized.

make no longer tries to run directories

Previously, make did not check if an executable it was trying to run was actually an executable. Consequently, if the path included a directory with the same name as the executable, make tried to run the directory instead. With this update, make now does additional checks when searching for an executable. As a result, make no longer tries to run directories.

Improved glibc wide-character write performance

Previously, the wide stdio stream implementation in glibc did not treat the default buffer size as large enough for wide-character write operations and used a 16-byte fallback buffer instead, negatively impacting performance. With this update, buffer management is fixed and the entire write buffer is used. As a result, glibc wide-character write performance is improved.

The glibc getaddrinfo function now correctly reads ncsd cache information

Previously, a bug in the glibc getaddrinfo function would cause it to occasionally return empty elements in the list address information structure. With this update, the getaddrinfo function has been fixed to read and translate ncsd cache data correctly and, as a result, returns correct address information.

Improved glibc compatibility with applications using dlclose on shared objects involved in a dependency cycle

Previously, when unloading a shared object in a dependency cycle using the dlclose function in glibc, that object’s ELF destructor might not have been called before all other objects were unloaded. As a consequence of this late ELF destructor execution, applications experienced crashes and other errors due to the initial shared object’s dependencies already being deinitialized.

ncsd no longer fails to start due to inconsistent cache expiry information

Previously, the glibc Name Service Switch Caching Daemon (nscd) could fail to start due to inconsistent cache expiry information in the persistent cache file. With this update, ncsd now marks cache entries with inconsistent timing information for deletion and skips them. As a result, ncsd no longer fails to start due to inconsistent cache expiry information.

Consistently fast glibc thread-local storage performance

Previously, the glibc dynamic linker did not adjust certain thread-local storage (TLS) metadata after shared objects with TLS were loaded by using the dlopen() function, which consequently caused slow TLS access. With this update, the dynamic linker now updates TLS metadata for TLS changes caused by dlopen() calls. As a result, TLS access is consistently fast.

Allocated memory now released when an operation is completed

Previously, memory allocated by the KCM for each operation was not being released until the connection was closed. As a result, for client applications that opened a connection and ran many operations on the same connection, it led to a noticeable memory increase because the allocated memory was not released until the connection closed. With this update, the memory allocated for an operation is now released as soon as the operation is completed.

IdM clients correctly retrieve information for trusted AD users when their names contain mixed case characters

Previously, if you attempted a user lookup or authentication of a user, and that trusted Active Directory (AD) user contained mixed case characters in their names and they were configured with overrides in IdM, an error was returned preventing users from accessing IdM resources.

SSSD correctly returns an error if no grace logins remain while changing a password

Previously, if a user’s LDAP password had expired, SSSD tried to change the password even after the initial bind of the user failed as there were no more grace logins left. However, the error returned to the user did not indicate the reason for the failure. With this update, the request to change the password is aborted if the bind fails and SSSD returns an error message indicating there are no more grace logins and the password must be changed by another means.

Removing systems from a domain using the realm leave command

Previously, if multiple names were set for the ad_server option in the sssd.conf file, running the realm leave command resulted in parsing errors and the system was not removed from the domain. With this update, the ad_server option is properly evaluated and the correct domain controller name is used and the system is correctly removed from the domain.

KCM logs to the correct sssd.kcm.log file

Previously, logrotate correctly rotated the Kerberos Credential Manager (KCM) log files but KCM incorrectly wrote the logs to the old log file, sssd_kcm.log.1. If KCM was restarted, it used the correct log file. With this update, after logrotate is invoked, log files are rotated and KCM correctly logs to the sssd_kcm.log file.

The realm leave --remove command no longer asks for credentials

Previously, the realm utility did not correctly check if a valid Kerberos ticket was available when running the realm leave operation. As a result, users were asked to enter a password even though a valid Kerberos ticket was available. With this update, realm now correctly verifies if there is a valid Kerberos ticket and no longer requests the user to enter a password when running the realm leave --remove command.

KDC now runs extra checks when general constrained delegation requests is processed

Previously, the forwardable flag in Kerberos tickets issued by KDCs running on Red Hat Enterprise Linux 8 was vulnerable, allowing unauthorized modification without detection. This vulnerability could lead to impersonation attacks, even from/by users without specific privileges. With this update, KDC runs extra checks when it processes general constrained delegation requests, ensuring detection and rejection of unauthorized flag modifications, thus removing the vulnerability.

Check on the forwardable flag is disabled in cases where SIDs are generated for the domain

Previously, the update providing a fix for CVE-2020-17049 relied on the Kerberos PAC to run certain checks on the ticket forwardable flag when the KDC processes a general constrained delegation request. However, the PAC is generated only on domains where the SIDs generation task was executed in the past. While this task is automatically performed for all IdM domains created on Red Hat Enterprise Linux (RHEL) 8.5 and newer, domains initialized on older versions require manual execution of this task.

IdM Vault encryption and decryption no longer fails in FIPS mode

Previously, IdM Vault used OpenSSL RSA-PKCS1v15 as the default padding wrapping algorithm. However, none of the FIPS certified modules in RHEL supported PKCS#1 v1.5 as a FIPS approved algorithm, causing IdM Vault to fail in FIPS mode. With this update, IdM Vault supports the RSA-OAEP padding wrapping algorithm as a fallback. As a result, IdM Vault encryption and decryption now work correctly in FIPS mode.

Directory Server no longer fails after abandoning the paged result search

Previously, a race condition was a reason for heap corruption and Directory Server failure during abandoning paged result search. With this update, the race condition was fixed, and Directory Server failure no longer occurs.

If the nsslapd-numlisteners attribute value is more than 2, Directory Server no longer fails

Previously, if the nsslapd-numlisteners attribute value was higher than 2, Directory Server sometimes closed the listening file descriptor instead of the accepted file descriptor. As a consequence, a segmentation fault occurred in Directory Server. With this update, Directory Server closes the correct descriptor and continues listening on ports correctly.

The autobind operation now does not impacts operations performed on other connections

Previously, when the autobind operation was in progress, Directory Server stopped listening to new operations on any connection. With this update, the autobind operation does not impact the operations performed on the other connection.

The IdM client installer no longer specifies the TLS CA configuration in the ldap.conf file

Previously, the IdM client installer specified the TLS CA configuration in the ldap.conf file. With this update, OpenLDAP uses the default truststore and the IdM client installer does not set up the TLS CA configuration in the ldap.conf file.

VNC console now works at most resolutions

Previously, when using the Virtual Network Computing (VNC) console under certain display resolutions, a mouse offset problem was present or only a part of the interface was visible. Consequently, using the VNC console was not possible.

Cluster start no longer times out when the SBD delay-start value is high

Previously, when a user configured SBD fencing in a cluster by using the ha_cluster System Role and set the delay-start option to a value close to or higher than 90 seconds, the cluster start timed out. This is because the default systemd start timeout is 90 seconds, which the system reached before the SBD start delay value. With this fix, the ha_cluster System Role overrides the sbd.service start timeout in systemd so that it is higher than the value of delay-start. This allows the system to start successfully even with high values of the delay-start option.

network role validates routing rules with 0.0.0.0/0 or ::/0

Previously, when the from: or to: settings were set to the 0.0.0.0/0 or ::/0 addresses in the routing rule, the network RHEL System Role failed to configure the routing rule and rejected the settings as invalid. With this update, the network role allows 0.0.0.0/0 and ::/0 for from: and to: in routing rule validation. As a result, the role successfully configures the routing rules without raising the validation errors.

Running read-scale clusters and installing mssql-server-ha no longer requires certain variables

Previously, if you used the mssql RHEL System Role to configure a read-scale cluster without certain variables (mssql_ha_virtual_ip, mssql_ha_login, mssql_ha_login_password, and mssql_ha_cluster_run_role), the role failed with an error message “Variable not defined”. However, these variables are not necessary to run a read-scale cluster. The role also tried to install the mssql-server-ha, which is not required for a read-scale cluster. With this fix, the requirement for these variables was removed. As a result, running a read-scale cluster proceeds successfully without the error message.

The Kdump system role works correctly when the kexec_crash_size file is busy

The /sys/kernel/kexec_crash_size file provides the size of the memory region allocated for crash kernel memory.

selinux role no longer uses the item loop variable

Previously, the selinux RHEL System Role used the  item loop variable. This might have resulted in the following warning message when you called the selinux role from another role:

The ha_cluster system role now correctly configures a firewall on a qnetd host

Previously, when a user configured a qnetd host and set the ha_cluster_manage_firewall variable to true by using the ha_cluster system role, the role did not enable high-availability services in the firewall. With this fix, the ha_cluster system role now correctly configures a firewall on a qnetd host.

The postgresql RHEL System Role now installs the correct version of PostgreSQL

Previously, if you tried to run the postgresql RHEL System Role with the postgresql_version: "15" variable defined on a RHEL managed node, PostgreSQL version 13 was installed instead of version 15. This bug has been fixed, and the postgresql role installs the version set in the variable.

keylime_server role correctly reports registrar service status

Previously, when the keylime_server role playbook provided incorrect information, the role incorrectly reported the start as successful. With this update, the role now correctly reports a failure when incorrect information is provided, and the timeout when waiting for opened ports has been reduced from approximately 300 seconds to approximately 30 seconds.

The podman RHEL system role now sets and cancels linger properly for rootless containers

Previously, the podman RHEL System Role did not set and cancel linger properly for rootless containers. Consequently, deploying secrets or containers for rootless users produced errors in some cases, and failed to cancel linger when removing resources in some cases. With this update, the podman RHEL System Role ensures that linger is enabled for rootless users before doing any secret or container resource management, and ensures that linger is canceled for rootless users when there are no more secrets or container resources to be managed. As a result, the role correctly manages lingering for rootless users.

nbde_server role now works with socket overrides

Previously, the nbde_server RHEL System Role assumed that the only file in the tangd socket override directory was the override.conf file for a custom port. Consequently, the role deleted the directory if there was no port customization without checking other files, and the system re-created the directory in subsequent runs.

A volume quadlet service name no longer fails

Previously, starting the volume service name produced an error similar to the following one: "Could not find the requested service NAME.volume: host" With this update, the volume quadlet service name is changed to basename-volume.service. As a result, the volume service starts with no errors.

Ansible now preserves JSON strings for use in secrets

Previously, Ansible converted JSON strings to the corresponding JSON object if the value was used in a loop and strings similar to data: "{{ value }}" As a consequence, you cannot pass JSON strings as secrets and have the value preserved. This update casts the data value to a string when passing to the podman_secret module. As a result, JSON strings are preserved as-is for use in secrets.

The rhc system role no longer fails on the registered systems when rhc_auth contains activation keys

Previously, a failure occurred when you executed playbook files on the registered systems with the activation key specified in the rhc_auth parameter. This issue has been resolved. It is now possible to execute playbook files on the already registered systems, even when activation keys are provided in the rhc_auth parameter.

RT VMs with a FIFO scheduler now boots correctly

Previously, after setting a real-time (RT) virtual machine (VM) to use the fifo setting for the vCPU scheduler, the VM became unresponsive when you attempted to boot it. Instead, the VM displayed the Guest has not initialized the display (yet) error. With this update, the error has been fixed, and setting fifo for the vCPU scheduler works as expected in the described circumstances.

A dump failure no longer blocks IBM Z VMs with Secure Execution from running

Previously, when a dump of an IBM Z virtual machine (VM) with Secure Execution failed, the VM remained in a paused state and was blocked from running. For example, dumping a VM by using the virsh dump command fails if there is not enough space on the disk.

The installer shows the expected system disk to install RHEL on VM

Previously, when installing RHEL on a VM using virtio-scsi devices, it was possible that these devices did not appear in the installer because of a device-mapper-multipath bug. Consequently, during installation, if some devices had a serial set and some did not, the multipath command was claiming all the devices that had a serial. Due to this, the installer was unable to find the expected system disk to install RHEL in the VM.

Using a large number of queues no longer causes VMs to fail

Previously, virtual machines (VMs) might have failed when the virtual Trusted Platform Module (vTPM) device was enabled and the multi-queue virtio-net feature was configured to use more than 250 queues.

Windows guests boot more reliably after a v2v conversion on hosts with AMD EPYC CPUs

After using the virt-v2v utility to convert a virtual machine (VM) that uses Windows 11 or a Windows Server 2022 as the guest OS, the VM previously failed to boot. This occurred on hosts that use AMD EPYC series CPUs. Now, the underlying code has been fixed and VMs boot as expected in the described circumstances.

nodedev-dumpxml lists attributes correctly for certain mediated devices

Before this update, the nodedev-dumpxml utility did not list attributes correctly for mediated devices that were created using the nodedev-create command. This has been fixed, and nodedev-dumpxml now displays the attributes of the affected mediated devices properly.

virtiofs devices could not be attached after restarting virtqemud or libvirtd

Previously, restarting the virtqemud or libvirtd services prevented virtiofs storage devices from being attached to virtual machines (VMs) on your host. This bug has been fixed, and you can now attach virtiofs devices in the described scenario as expected.

Hot plugging a Watchdog card to a virtual machine no longer fails

Previously, if no PCI slots were available, adding a Watchdog card to a running virtual machine (VM) failed with the following error:

blob resources now work correctly for virtio-gpu on IBM Z

Previously, the virtio-gpu device was incompatible with blob memory resources on IBM Z systems. As a consequence, if you configured a virtual machine (VM) with virtio-gpu on an IBM Z host to use blob resources, the VM did not have any graphical output.

Reinstalling virtio-win drivers no longer causes DNS configuration to reset on the guest

In virtual machines (VMs) that use a Windows guest operating system, reinstalling or upgrading virtio-win drivers for the network interface card (NIC) previously caused DNS settings in the guest to reset. As a consequence, your Windows guest in some cases lost network connectivity.

NVMe over TCP for RHEL installation is now available as a Technology Preview

With this Technology Preview, you can now use NVMe over TCP volumes to install RHEL after configuring the firmware. While adding disks from the Installation Destination screen, you can select the NVMe namespaces under the NVMe Fabrics Devices section.

Installation of bootable OSTree native containers is now available as a Technology Preview

The ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview. You can use this command to install the operating system from an OSTree commit encapsulated in an OCI image. When performing Kickstart installations, the following commands are available together with ostreecontainer:

Boot loader installation and configuration via bootupd / bootupctl in Anaconda is now available as a Technology Preview

As the ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview, you can use it to install the operating system from an OSTree commit encapsulated in an OCI image. Anaconda automatically arranges a boot loader installation and configuration via the bootupd/bootupctl tool contained within the container image, even without an explicit boot loader configuration in Kickstart.

The bootc image builder tool is available as a Technology Preview

The bootc image builder tool, now available as a Technology Preview, works as a container to easily create and deploy compatible disk images from the bootc container inputs. After running your container image with bootc image builder, you can generate images for the architecture that you need. Then, you can deploy the resulting image on VMs, clouds, or servers. You can easily update the images with the bootc, instead of having to regenerate the content with bootc image builder every time a new update is required.

A new rhel9/bootc-image-builder container image is available as a Technology Preview

The rhel9/bootc-image-builder container image for image mode for RHEL includes a minimal version of image builder that converts bootable container images, for example rhel-bootc, to different disk image formats, such as QCOW2, AMI, VMDK, ISO, and others.

gnutls now uses kTLS as a Technology Preview

The updated gnutls packages can use kernel TLS (kTLS) for accelerating data transfer on encrypted channels as a Technology Preview. To enable kTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:

The io_uring interface is available as a Technology Preview

io_uring is a new and effective asynchronous I/O interface, which is now available as a Technology Preview. By default, this feature is disabled. You can enable this interface by setting the kernel.io_uring_disabled sysctl variable to any one of the following values:

FDO now provides storing and querying Owner Vouchers from a SQL backend as a Technology Preview

With this Technology Preview, FDO manufacturer-server, onboarding-server, and rendezvous-server are available for storing and querying Owner Vouchers from a SQL backend. As a result, you can select a SQL datastore in the FDO servers options, along with credentials and other parameters, to store the Owner Vouchers.

GIMP available as a Technology Preview in RHEL 9

GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. The gimp package version 2.99.8 is a pre-release version with a set of improvements, but a limited set of features and no guarantee for stability. As soon as the official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release version.

Socket API for TuneD available as a Technology Preview

The socket API for controlling TuneD through a UNIX domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file.

WireGuard VPN is available as a Technology Preview

WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.

kTLS available as a Technology Preview

RHEL provides kernel Transport Layer Security (KTLS) as a Technology Preview. kTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. kTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.

The systemd-resolved service is available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

The PRP and HSR protocols are now available as a Technology Preview

This update adds the hsr kernel module that provides the following protocols:

NetworkManager and the Nmstate API support MACsec hardware offload

You can use both NetworkManager and the Nmstate API to enable MACsec hardware offload if the hardware supports this feature. As a result, you can offload MACsec operations, such as encryption, from the CPU to the network interface card.

NetworkManager enables configuring HSR and PRP interfaces

High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are network protocols that provide seamless failover against failure of any single network component. Both protocols are transparent to the application layer, meaning that users do not experience any disruption in communication or any loss of data, because a switch between the main path and the redundant path happens very quickly and without awareness of the user. Now it is possible to enable and configure HSR and PRP interfaces using the NetworkManager service through the nmcli utility and the DBus message system.

Offloading IPsec encapsulation to a NIC is now available as a Technology Preview

This update adds the IPsec packet offloading capabilities to the kernel. Previously, it was possible to only offload the encryption to a network interface controller (NIC). With this enhancement, the kernel can now offload the entire IPsec encapsulation process to a NIC to reduce the workload.

Network drivers for modems in RHEL are available as Technology Preview

Device manufacturers support Federal Communications Commission (FCC) locking as the default setting. FCC provides a lock to bind WWAN drivers to a specific system where WWAN drivers provide a channel to communicate with modems. Based on the modem PCI ID, manufacturers integrate unlocking tools on Red Hat Enterprise Linux for ModemManager. However, a modem remains unusable if not unlocked previously even if the WWAN driver is compatible and functional. Red Hat Enterprise Linux provides the drivers for the following modems with limited functionality as a Technology Preview:

Segment Routing over IPv6 (SRv6) is available as a Technology Preview

The RHEL kernel provides Segment Routing over IPv6 (SRv6) as a Technology Preview. You can use this functionality to optimize traffic flows in edge computing or to improve network programmability in data centers. However, the most significant use case is the end-to-end (E2E) network slicing in 5G deployment scenarios. In that area, the SRv6 protocol provides you with the programmable custom network slices and resource reservations to address network requirements for specific applications or services. At the same time, the solution can be deployed on a single-purpose appliance, and it satisfies the need for a smaller computational footprint.

kTLS rebased to version 6.3

The kernel Transport Layer Security (KTLS) functionality is a Technology Preview. In RHEL 9.3, kTLS was rebased to the 6.3 upstream version, and notable changes include:

The Soft-iWARP driver is available as a Technology Preview

Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This protocol suite is fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.

rvu_af, rvu_nicpf, and rvu_nicvf available as Technology Preview

The following kernel modules are available as Technology Preview for Marvell OCTEON TX2 Infrastructure Processor family:

python-drgn available as a Technology Preview

The python-drgn package brings an advanced debugging utility, which adds emphasis on programmability. You can use its Python command-line interface to debug both the live kernels and the kernel dumps. Additionally, python-drgn offers scripting capabilities for you to automate debugging tasks and conduct intricate analysis of the Linux kernel.

The IAA crypto driver is now available as a Technology Preview

The Intel® In-Memory Analytics Accelerator (Intel® IAA) is a hardware accelerator that provides very high throughput compression and decompression combined with primitive analytic functions.

DAX is now available for ext4 and XFS as a Technology Preview

In RHEL 9, the DAX file system is available as a Technology Preview. DAX provides means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a DAX compatible file system must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.

NVMe-oF Discovery Service features available as a Technology Preview

The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/specifications/ website.

nvme-stas package available as a Technology Preview

The nvme-stas package, which is a Central Discovery Controller (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, and Automatic (zeroconf) and Manual configuration.

NVMe TP 8006 in-band authentication available as a Technology Preview

Implementing Non-Volatile Memory Express (NVMe) TP 8006, which is an in-band authentication for NVMe over Fabrics (NVMe-oF) is now available as an unsupported Technology Preview. The NVMe Technical Proposal 8006 defines the DH-HMAC-CHAP in-band authentication protocol for NVMe-oF, which is provided with this enhancement.

jmc-core and owasp-java-encoder available as a Technology Preview

RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features for the AMD and Intel 64-bit architectures.

libabigail: Flexible array conversion warning-suppression available as a Technology Preview

With this update, when comparing binaries, you can suppress warnings related to fake flexible arrays that were converted to true flexible arrays by using the following suppression specification:

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

ACME available as a Technology Preview

The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.

GNOME for the IBM Z architecture available as a Technology Preview

The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.

The RHEL web console can now manage WireGuard connections

Starting with RHEL 9.4, you can use the RHEL web console to create and manage WireGuard VPN connections. Note that, both the WireGuard technology and its web console integration are unsupported Technology Previews.

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.

AMD SEV and SEV-ES for KVM virtual machines

As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

Intel TDX in RHEL guests

As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL 9.2 and later guest operating systems. If the host system supports TDX, you can deploy hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that TDX currently does not work with kdump, and enabling TDX will cause kdump to fail on the VM.

A unified kernel image of RHEL is now available as a Technology Preview

As a Technology Preview, you can now obtain the RHEL kernel as a unified kernel image (UKI) for virtual machines (VMs). A unified kernel image combines the kernel, initramfs, and kernel command line into a single signed binary file.

Intel vGPU available as a Technology Preview

As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.

CPU clusters on ARM 64

As a Technology Preview, you can now create KVM virtual machines that use multiple ARM 64 CPU clusters in their CPU topology.

Live migrating a VM with a Mellanox virtual function is now available as a Technology Preview

As a Technology Preview, you can now live migrate a virtual machine (VM) with an attached virtual function (VF) of a Mellanox networking device.

RHEL is now available on Azure confidential VMs as a Technology Preview

With the updated RHEL kernel, you can now create and run RHEL confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview. The newly added unified kernel image (UKI) now enables booting encrypted confidential VM images on Azure. The UKI is available as a kernel-uki-virt package in RHEL 9 repositories.

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

Building multi-architecture images is available as a Technology Preview

The podman farm build command, which you can use to create multi-architecture container images, is available as a Technology Preview.

A new rhel9/rhel-bootc container image is available as a Technology Preview

The rhel9/rhel-bootc container image is now available in the Red Hat Container Registry as a Technology Preview. With the RHEL bootable container images, you can build, test, and deploy an operating system exactly as a container. The RHEL bootable container images differ from the existing application Universal Base Images (UBI) thanks to the following enhancements: RHEL bootable container images contain additional components necessary to boot, such as, kernel, initrd, bootloader, firmware, between others. There are no changes to existing container images. For more information, see Red Hat Ecosystem Catalog.

The composefs filesystem is now available as a Technology Preview

The composefs read-only filesystem is now available as a Technology Preview. This is generally intended only to be used by the bootc/ostree and podman projects at the current time. With composefs, you can use these projects to create and use read-only images, share file data between images, and validate images on runtime. As a result, you have a fully verified filesystem tree mounted, with opportunistic fine-grained sharing of identical files.

Deprecated Kickstart commands

The following Kickstart commands have been deprecated:

User and Group customizations in the edge-commit and edge-container blueprints have been deprecated

Specifying a user or group customization in the blueprints is deprecated for the edge-commit and edge-container image types, because the user customization disappears when you upgrade the image and do not specify the user in the blueprint again.

The initial-setup package now has been deprecated

The initial-setup package has been deprecated in Red Hat Enterprise Linux 9.3 and will be removed in the next major RHEL release. As a replacement, use gnome-initial-setup for the graphical user interface.

The provider_hostip and provider_fedora_geoip values of the inst.geoloc boot option are deprecated

The provider_hostip and provider_fedora_geoip values that specified the GeoIP API for the inst.geoloc= boot option are deprecated. As a replacement, you can use the geolocation_provider=URL option to set the required geolocation in the installation program configuration file. You can still use the inst.geoloc=0 option to disable the geolocation.

Capturing screenshots from the Anaconda GUI with a global hotkey is deprecated

Previously, users could capture screenshots of the Anaconda GUI by using a global hotkey. This meant that users could extract the screenshots manually from the installation environment for any further usage. This functionality has been deprecated.

Anaconda built-in help has been deprecated

The built-in documentation from spokes and hubs of all Anaconda user interfaces, which is available during Anaconda installation, has been deprecated. As a replacement, the Anaconda user interfaces will be self-descriptive and users can refer to the official RHEL documentation in the future major RHEL release.

Support for NVDIMM devices has been deprecated

Previously, the installation program allowed reconfiguring NVDIMM devices during installation. This support for NVDIMM devices during the Kickstart and GUI installation has been deprecated, and will be removed in the next major RHEL release. The NVDIMM devices in the sector mode will still be visible and usable in the installation program.

Unable to load an updated driver from the driver update disc in the installation environment

A new version of a driver from the driver update disc might not load if the same driver from the installation initial ramdisk has already been loaded. As a consequence, an updated version of the driver cannot be applied to the installation environment.

SHA-1 is deprecated for cryptographic purposes

The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases.

fapolicyd.rules is deprecated

The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility.

SCP is deprecated in RHEL 9

The secure copy protocol (SCP) is deprecated because it has known security vulnerabilities. The SCP API remains available for the RHEL 9 lifecycle but using it reduces system security.

OpenSSL requires padding for RSA encryption in FIPS mode

OpenSSL no longer supports RSA encryption without padding in FIPS mode. RSA encryption without padding is uncommon and is rarely used. Note that key encapsulation with RSA (RSASVE) does not use padding but is still supported.

OpenSSL deprecates the Engines API

The OpenSSL 3.0 TLS toolkit deprecated the Engines API. The Engines interface is superseded by the Providers API. The migration of applications and existing engines to Providers is underway. The deprecated Engines API may be removed in a future major release.

openssl-pkcs11 is now deprecated

As a part of the ongoing migration of deprecated OpenSSL engines to the Providers API, the pkcs11-provider package replaces the openssl-pkcs11 package (engine_pkcs11). The openssl-pkcs11 package is now deprecated. The openssl-pkcs11 package may be removed in a future major release.

RHEL 8 and 9 OpenSSL certificate and signing containers are now deprecated

The OpenSSL portable certificate and signing containers available in the ubi8/openssl and ubi9/openssl repositories in the Red Hat Ecosystem Catalog are now deprecated due to low demand.

Digest-MD5 in SASL is deprecated

The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) framework is deprecated, and it might be removed from the cyrus-sasl packages in a future major release.

OpenSSL deprecates MD2, MD4, MDC2, Whirlpool, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1

The OpenSSL project has deprecated a set of cryptographic algorithms because they are insecure, uncommonly used, or both. Red Hat also discourages the use of those algorithms, and RHEL 9 provides them for migrating encrypted data to use new algorithms. Users must not depend on those algorithms for the security of their systems.

/etc/system-fips is now deprecated

Support for indicating FIPS mode through the /etc/system-fips file has been removed, and the file will not be included in future versions of RHEL. To install RHEL in FIPS mode, add the fips=1 parameter to the kernel command line during the system installation. You can check whether RHEL operates in FIPS mode by using the fips-mode-setup --check command.

libcrypt.so.1 is now deprecated

The libcrypt.so.1 library is now deprecated, and it might be removed in a future version of RHEL.

The deprecated --token option of subscription-manager register will stop working at the end of November 2024

The deprecated --token=<TOKEN> option of the subscription-manager register command will no longer be a supported authentication method from the end of November 2024. The default entitlement server, subscription.rhsm.redhat.com, will no longer be allowing token-based authentication. As a consequence, if you use subscription-manager register --token=<TOKEN>, the registration will fail with the following error message:

The dump utility from the dump package has been deprecated

The dump utility used for backup of file systems has been deprecated and will not be available in RHEL 9.

The SQLite database backend in Bacula has been deprecated

The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the SQLite backend in new deployments.

The %vmeff metric from the sysstat package has been deprecated

The %vmeff metric from the sysstat package to measure the page reclaim efficiency will no longer be supported in a future major version of RHEL. The values of the %vmeff column returned by the sar -B command are incorrect because sysstat does not parse all relevant /proc/vmstat values provided by later kernel versions.

Setting the TMPDIR variable in the ReaR configuration file is deprecated

Setting the TMPDIR environment variable in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file), by using a statement such as export TMPDIR=…​, is deprecated.

cgroupsv1 is now deprecated in RHEL 9

The cgroups is a kernel subsystem used for process tracking, system resource allocation and partitioning. Systemd service manager supports booting in the cgroups v1 mode as well as in cgroups v2 mode. In Red Hat Enterprise Linux 9, the default mode is v2. In Red Hat Enterprise Linux 10, systemd will not support booting in the cgroups v1 mode and only cgroups v2 mode will be available.

Client-side and server-side DHCP packages are deprecated

Internet Systems Consortium (ISC) has announced the end of maintenance for ISC DHCP as of the end of 2022. As a result, Red Hat has decided to deprecate the use of client-side and server-side DHCP packages in RHEL 9 and not to distribute them in later major versions of RHEL. Customers must prepare for the transition to available alternatives, such as dhcpcd and ISC Kea.

The sendmail, libotr, mod_security, and spamassassin packages are now deprecated

The following packages are deprecated in RHEL 9 and will not be distributed in later major versions of RHEL:

Network teams are deprecated in RHEL 9

The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.

NetworkManager connection profiles in ifcfg format are deprecated

In RHEL 9.0 and later, connection profiles in ifcfg format are deprecated. The next major RHEL release will remove the support for this format. However, in RHEL 9, NetworkManager still processes and updates existing profiles in this format if you modify them.

The iptables back end in firewalld is deprecated

In RHEL 9, the iptables framework is deprecated. As a consequence, the iptables backend and the direct interface in firewalld are also deprecated. Instead of the direct interface you can use the native features in firewalld to configure the required rules.

The firewalld lockdown feature is deprecated.

The lockdown feature in firewalld is deprecated because it cannot prevent processes that are running as root from adding themselves to the allow list. The lockdown feature may be removed in a future major RHEL release.

The connection.master, connection.slave-type, and connection.autoconnect-slaves properties are deprecated

Red Hat is committed to using conscious language. For details about this initiative, see Making open source more inclusive. Therefore, the connection.master, connection.slave-type, and connection.autoconnect-slaves properties were renamed. To ensure backward compatibility, aliases have been created that map the old property names to the new ones:

The PF_KEYv2 kernel API is deprecated

Applications can configure the kernel’s IPsec implementation by using the PV_KEYv2 and the newer netlink API. PV_KEYv2 is not actively maintained upstream and misses important security features, such as modern ciphers, offload, and extended sequence number support. As a result, starting with RHEL 9.3, the PV_KEYv2 API is deprecated and will be removed in the next major RHEL release. If you use this kernel API in your application, migrate it to use the modern netlink API as an alternative.

ATM encapsulation is deprecated in RHEL 9

Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, Ethernet) or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Red Hat has not been providing support for ATM NIC drivers since RHEL 7. The support for ATM implementation is being dropped in RHEL 9. These protocols are currently used only in chipsets, which support the ADSL technology and are being phased out by manufacturers. Therefore, ATM encapsulation is deprecated in Red Hat Enterprise Linux 9.

The kexec_load system call for kexec-tools has been deprecated

The kexec_load system call, which loads the second kernel, will not be supported in future RHEL releases. The kexec_file_load system call replaces kexec_load and is now the default system call on all architectures.

Network teams are deprecated in RHEL 9

The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.

lvm2-activation-generator and its generated services removed in RHEL 9.0

The lvm2-activation-generator program and its generated services lvm2-activation, lvm2-activation-early, and lvm2-activation-net are removed in RHEL 9.0. The lvm.conf event_activation setting, used to activate the services, is no longer functional. The only method for auto activating volume groups is event based activation.

Persistent Memory Development Kit (pmdk) and support library have been deprecated in RHEL 9

pmdk is a collection of libraries and tools for System Administrators and Application Developers to simplify managing and accessing persistent memory devices. pmdk and support library have been deprecated in RHEL 9. This also includes the -debuginfo packages.

The md-linear and md-faulty modules have been deprecated

The following MD RAID kernel modules have been deprecated, and will be removed in a future major RHEL release:

The VDO sysfs parameters have been deprecated

The Virtual Data Optimizer (VDO) sysfs parameters have been deprecated and will be removed in a future major RHEL release. Except for log_level, all module-level sysfs parameters for the kvdo module will be removed. For individual dm-vdo targets, all sysfs parameters specific to VDO will also be removed. There is no change for the parameters that are common to all DM targets. Configuration values for dm-vdo targets, which are currently set by updating the removed module-level parameters, can no longer be changed.

libdb has been deprecated

RHEL 8 and RHEL 9 currently provide Berkeley DB (libdb) version 5.3.28, which is distributed under the LGPLv2 license. The upstream Berkeley DB version 6 is available under the AGPLv3 license, which is more restrictive.

Smaller size of keys than 2048 are deprecated by openssl 3.0 in Go’s FIPS mode

Key sizes smaller than 2048 bits are deprecated by openssl 3.0 and no longer work in Go’s FIPS mode.

Some PKCS1 v1.5 modes are now deprecated in Go’s FIPS mode

Some PKCS1 v1.5 modes are not approved in FIPS-140-3 for encryption and are disabled. They will no longer work in Go’s FIPS mode.

32-bit packages are deprecated

Linking against 32-bit multilib packages is deprecated. The *.i686 packages will remain supported for the life cycle of Red Hat Enterprise Linux 9, but will be removed in the next major version of RHEL.

SHA-1 in OpenDNSSec is now deprecated

OpenDNSSec supports exporting Digital Signatures and authentication records using the SHA-1 algorithm. The use of the SHA-1 algorithm is no longer supported. With the RHEL 9 release, SHA-1 in OpenDNSSec is deprecated and it might be removed in a future minor release. Additionally, OpenDNSSec support is limited to its integration with Red Hat Identity Management. OpenDNSSec is not supported standalone.

The SSSD implicit files provider domain is disabled by default

The SSSD implicit files provider domain, which retrieves user information from local files such as /etc/shadow and group information from /etc/groups, is now disabled by default.

The SSSD files provider has been deprecated

The SSSD files provider has been deprecated in Red Hat Enterprise Linux (RHEL) 9. The files provider might be removed from a future release of RHEL.

The enumeration feature has been deprecated for AD and IdM

The enumeration feature enables you to list all users or groups by using getent passwd or getent group commands without arguments for Active Directory (AD), Identity Management (IdM), and LDAP providers. Support for the enumeration feature has been deprecated for AD and IdM in Red Hat Enterprise Linux (RHEL) 9. The enumeration feature will be removed for AD and IdM in RHEL 10.

The libsss_simpleifp subpackage has been deprecated

The libsss_simpleifp subpackage that provides the libsss_simpleifp.so library has been deprecated in Red Hat Enterprise Linux (RHEL) 9. The libsss_simpleifp subpackage might be removed from a future release of RHEL.

The SMB1 protocol is deprecated in Samba

Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release.

GTK 2 is now deprecated

The legacy GTK 2 toolkit and the following, related packages have been deprecated:

LibreOffice is deprecated

The LibreOffice RPM packages are now deprecated and will be removed in a future major RHEL release. LibreOffice continues to be fully supported through the entire life cycle of RHEL 7, 8, and 9.

Motif has been deprecated

The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif community is inactive.

The mssql_ha_cluster_run_role has been deprecated

The mssql_ha_cluster_run_role variable has been deprecated. Instead, use the mssql_manage_ha_cluster variable.

The network System Role displays a deprecation warning when configuring teams on RHEL 9 nodes

The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network RHEL System Role on a RHEL 8 control node to configure a network team on RHEL 9 nodes, shows a warning about the deprecation.

SecureBoot image verification using SHA1-based signatures is deprecated

Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) executables has become deprecated. Instead, Red Hat recommends using signatures based on the SHA2 algorithm, or later.

The virtual floppy driver has become deprecated

The isa-fdc driver, which controls virtual floppy disk devices, is now deprecated, and will become unsupported in a future release of RHEL. Therefore, to ensure forward compatibility with migrated virtual machines (VMs), Red Hat discourages using floppy disk devices in VMs hosted on RHEL 9.

qcow2-v2 image format is deprecated

With RHEL 9, the qcow2-v2 format for virtual disk images has become deprecated, and will become unsupported in a future major release of RHEL. In addition, the RHEL 9 Image Builder cannot create disk images in the qcow2-v2 format.

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager might not be yet available in the RHEL web console.

libvirtd has become deprecated

The monolithic libvirt daemon, libvirtd, has been deprecated in RHEL 9, and will be removed in a future major release of RHEL. Note that you can still use libvirtd for managing virtualization on your hypervisor, but Red Hat recommends switching to the newly introduced modular libvirt daemons. For instructions and details, see the RHEL 9 Configuring and Managing Virtualization document.

Legacy CPU models are now deprecated

A significant number of CPU models have become deprecated and will become unsupported for use in virtual machines (VMs) in a future major release of RHEL. The deprecated models are as follows:

RDMA-based live migration is deprecated

With this update, migrating running virtual machines using Remote Direct Memory Access (RDMA) has become deprecated. As a result, it is still possible to use the rdma:// migration URI to request migration over RDMA, but this feature will become unsupported in a future major release of RHEL.

The Intel vGPU feature has been removed

Previously, as a Technology Preview, it was possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices could then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs shared the performance of a single physical Intel GPU, however only selected Intel GPUs were compatible with this feature.

pmem device passthrough has become deprecated

With this update, the non-volatile memory library (nvml) packages have become deprecated, and will be removed in a future major version of RHEL. As a consequence, when the package removal occurs, it will no longer be possible to pass persistent memory (pmem) devices to the virtual machines (VMs). Note that emulated NVDIMM devices backed by volatile memory or files will still be available, but will not be possible to configure as persistent.

Using Windows Server 2012 or Windows 8 as a guest operating system is not supported

Because Microsoft ended support for the following versions of Windows, Red Hat also removed support for using these versions as a guest operating system in this update.

Running RHEL 9 containers on a RHEL 7 host is not supported

Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not guaranteed.

SHA1 hash algorithm within Podman has been deprecated

The SHA1 algorithm used to generate the filename of the rootless network namespace is no longer supported in Podman. Therefore, rootless containers started before updating to Podman 4.1.1 or later have to be restarted if they are joined to a network (and not just using slirp4netns) to ensure they can connect to containers started after the upgrade.

rhel9/pause has been deprecated

The rhel9/pause container image has been deprecated.

The CNI network stack has been deprecated

The Container Network Interface (CNI) network stack is deprecated and will be removed from Podman in a future minor release of RHEL. Previously, containers connected to the single Container Network Interface (CNI) plugin only via DNS. Podman v.4.0 introduced a new Netavark network stack. You can use the Netavark network stack with Podman and other Open Container Initiative (OCI) container management applications. The Netavark network stack for Podman is also compatible with advanced Docker functionalities. Containers in multiple networks can access containers on any of those networks.

The Inkscape and LibreOffice Flatpak images are deprecated

The rhel9/inkscape-flatpak and rhel9/libreoffice-flatpak Flatpak images, which are available as Technology Previews, have been deprecated.

pasta as a network name has been deprecated

The support for pasta as a network name value is deprecated and will not be accepted in the next major release of Podman, version 5.0. You can use the pasta network name value to create a unique network mode within Podman by employing the podman run --network and podman create --network commands.

The BoltDB database backend has been deprecated

The BoltDB database backend is deprecated as of RHEL 9.4. In a future version of RHEL, the BoltDB database backend will be removed and will no longer be available to Podman. For Podman, use the SQLite database backend, which is now the default as of RHEL 9.4.

The CNI network stack has been deprecated

The Container Network Interface (CNI) network stack is deprecated and will be removed in a future release. Use the Netavark network stack instead. For more information, see Switching the network stack from CNI to Netavark.

The Podman v5.0 upcoming deprecations

The following will be deprecated in the upcoming Podman v5.0, which will be released in RHEL 9.5 and RHEL 10.0 Beta:

The rhel9/openssl has been deprecated

The rhel9/openssl container image has been deprecated.