Language:
Format:

Chapter 4. New features

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.1.

4.1. Installer and image creation

Automatic FCP SCSI LUN scanning support in installer

The installer can now use the automatic LUN scanning when attaching FCP SCSI LUNs on IBM Z systems. Automatic LUN scanning is available for FCP devices operating in NPIV mode, if it is not disabled through the zfcp.allow_lun_scan kernel module parameter. It is enabled by default. It provides access to all SCSI devices found in the storage area network attached to the FCP device with the specified device bus ID. It is not necessary to specify WWPN and FCP LUNs anymore and it is sufficient to provide just the FCP device bus ID.

(BZ#1937031)

Image builder on-premise now supports the /boot partition customization

Image builder on-premise version now supports building images with custom /boot mount point partition size. You can specify the size of the /boot mount point partition in the blueprint customization, to increase the size of the /boot partition in case the default boot partition size is too small. For example:

[[customizations.filesystem]]
mountpoint = "/boot"
size = "20 GiB"

(JIRA:RHELPLAN-130379)

Added the --allow-ssh kickstart option to enable password-based SSH root logins

During the graphical installation, you have an option to enable password-based SSH root logins. This functionality was not available in kickstart installations. With this update, an option --allow-ssh has been added to the rootpw kickstart command. This option enables the root user to login to the system using SSH with a password.

(BZ#2083269)

Boot loader menu hidden by default

The GRUB boot loader is now configured to hide the boot menu by default. This results in a smoother boot experience. The boot menu is hidden in all of the following cases:

When you restart the system from the desktop environment or the login screen.
During the first system boot after the installation.
When the greenboot package is installed and enabled.

If the previous system boot failed, GRUB always displays the boot menu during the next boot.

To access the boot menu manually, use either of the following options:

Repeatedly press Esc during boot.
Repeatedly press F8 during boot.
Hold Shift during boot.

To disable this feature and configure the boot loader menu to display by default, use the following command:

# grub2-editenv - unset menu_auto_hide

(BZ#2059414)

Minimal RHEL installation now installs only the s390utils-core package

In RHEL 8.4 and later, the s390utils-base package is split into an s390utils-core package and an auxiliary s390utils-base package. As a result, setting the RHEL installation to minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you want to use the s390utils-base package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base using a kickstart file.

(BZ#1932480)

Image builder on-premise now supports uploading images to GCP

With this enhancement, you can use image builder CLI to build a gce image, providing credentials for the user or service account that you want to use to upload the images. As a result, image builder creates the image and then uploads the gce image directly to the GCP environment that you specified.

(BZ#2049492)

Image builder on-premise CLI supports pushing a container image directly to a registry

With this enhancement, you can push RHEL for Edge container images directly to a container registry after it has been built, using the image builder CLI. To build the container image:

Set up an upload provider and optionally, add credentials.
Build the container image, passing the container registry and the repository to composer-cli as arguments.
After the image is ready, it is available in the container registry you set up.

(JIRA:RHELPLAN-130376)

Image builder on-premise users now customize their blueprints during the image creation process

With this update, the Edit Blueprint page was removed to unify the user experience in the image builder service and in the image builder app in cockpit-composer. Users can now create their blueprints and add their customization, such as adding packages, and create users, during the image creation process. The versioning of blueprints has also been removed so that blueprints only have one version: the current one. Users have access to older blueprint versions through their already created images.

(JIRA:RHELPLAN-122735)

4.2. RHEL for Edge

RHEL for Edge now supports the fdo-admin cli utility

With this update, you can configure the FDO services directly across all deployment scenarios by using the CLI.

Run the following commands to generate the certificates and keys for the services :

Note

This example takes into consideration that you already installed the fdo-admin-cli RPM package. If you used the source code and compiled it, the correct path is ./target/debug/fdo-admin-tool or ./target/debug/fdo-admin-tool, depending on your build options.

$ mkdir keys
$ for i in "diun" "manufacturer" "device_ca" "owner"; do fdo-admin-tool generate-key-and-cert $i; done
$ ls keys
device_ca_cert.pem  device_ca_key.der  diun_cert.pem  diun_key.der  manufacturer_cert.pem  manufacturer_key.der  owner_cert.pem  owner_key.der

As a result, after you install and start the service, it runs with the default settings.

(JIRA:RHELPLAN-122776)

4.3. Subscription management

The subscription-manager utility displays the current status of actions

The subscription-manager utility now displays with progress information while it is processing the current operation. This is helpful when subscription-manager takes more than usual time to complete its operations related to server communication, for example, registration.

To revert to the previous behavior, enter:

 # subscription-manager config --rhsm.progress_messages=0

(BZ#2092014)

4.4. Software management

The modulesync command is now available to replace certain workflows in RHEL 9

In RHEL 9, modular packages cannot be installed without modular metadata. Previously, you could use the dnf command to download packages, and then use the createrepo_c command to redistribute those packages.

This enhancement introduces the modulesync command to ensure the presence of modular metadata, which ensures package installability. This command downloads RPM packages from modules and creates a repository with modular metadata in a working directory.

(BZ#2066646)

4.5. Shells and command-line tools

Cronie adds support for a randomized time within a selected range

The Cronie utility now supports the ~ (random within range) operator for cronjob execution. As a result, you can start a cronjob on a randomized time within the selected range.

(BZ#2090691)

ReaR adds new variables for executing commands before and after recovery

With this enhancement, ReaR introduces two new variables for easier automation of commands to be executed before and after recovery:

PRE_RECOVERY_COMMANDS accepts an array of commands. These commands will be executed before recovery starts.
POST_RECOVERY_COMMANDS accepts an array of commands. These commands will be executed after recovery finishes.

These variables are an alternative to PRE_RECOVERY_SCRIPT and POST_RECOVERY_SCRIPT with the following differences:

The earlier PRE_RECOVERY_SCRIPT and POST_RECOVERY_SCRIPT variables accept a single shell command. To pass multiple commands to these variables, you must separate the commands by semicolons.
The new PRE_RECOVERY_COMMANDS and POST_RECOVERY_COMMANDS variables accept arrays of commands, and each element of the array is executed as a separate command.

As a result, providing multiple commands to be executed in the rescue system before and after recovery is now easier and less error-prone.

For more information, see the default.conf file.

(BZ#2111059)

A new package: xmlstarlet

XMLStarlet is a set of command-line utilities for parsing, transforming, querying, validating, and editing XML files. The new xmlstarlet package provides a simple set of shell commands that you can use in a similar way as you use UNIX commands for plain text files such as grep, sed, awk, diff, patch, join, and other.

(BZ#2069689)

opencryptoki rebased to version 3.18.0

The opencryptoki package, which is an implementation of the Public-Key Cryptography Standard (PKCS) #11, has been updated to version 3.18.0. Notable improvements include:

Default to Federal Information Processing Standards (FIPS) compliant token data format (tokversion = 3.12).
Added support for restricting usage of mechanisms and keys with a global policy.
Added support for statistics counting of mechanism usage.
The ICA/EP11 tokens now support libica library version 4.
The p11sak tool enables setting different attributes for public and private keys.
The C_GetMechanismList does not return CKR_BUFFER_TOO_SMALL in the EP11 token.

openCryptoki supports two different token data formats:

the earlier data format, which uses non-FIPS-approved algorithms (such as DES and SHA1)
the new data format, which uses FIPS-approved algorithms only.

The earlier data format no longer works because the FIPS provider allows the use of only FIPS-approved algorithms.

Important

To make openCryptoki work on RHEL 9, migrate the tokens to use the new data format before enabling FIPS mode on the system. This is necessary because the earlier data format is still the default in openCryptoki 3.17. Existing openCryptoki installations that use the earlier token data format will no longer function when the system is changed to FIPS-enabled.

You can migrate the tokens to the new data format by using the pkcstok_migrate utility, which is provided with openCryptoki. Note that pkcstok_migrate uses non-FIPS-approved algorithms during the migration. Therefore, use this tool before enabling FIPS mode on the system. For additional information, see Migrating to FIPS compliance - pkcstok_migrate utility.

(BZ#2044179)

powerpc-utils rebased to version 1.3.10

The powerpc-utils package, which provides various utilities for a PowerPC platform, has been updated to version 1.3.10. Notable improvements include:

Added the capability to parsing the Power architecture platform reference (PAPR) information for energy and frequency in the ppc64_cpu tool.
Improved the lparstat utility to display enhanced error messages, when the lparstat -E command fails on max config systems. The lparstat command reports logical partition-related information.
Fixed reported online memory in legacy format in the lparstat command.
Added support for the acc command for changing the quality of service credits (QoS) dynamically for the NX GZIP accelerator.
Added improvements to format specifiers in printf() and sprintf() calls.
The hcnmgr utility, which provides the HMC tools to hybrid virtual network, includes following enhancements:
- Added the wicked feature to the Hybrid Network Virtualization HNV FEATURE list. The hcnmgr utility supports wicked hybrid network virtualization (HNV) to use the wicked functions for bonding.
- hcnmgr maintains an hcnid state for later cleanup.
- hcnmgr excludes NetworkManager (NM) nmcli code.
- The NM HNV primary slave setting was fixed.
- hcnmgr supports the virtual Network Interface Controller (vNIC) as a backup device.
Fixed the invalid hexadecimal numbering system message in bootlist.
The -l flag included in kpartx utility as -p delimiter value in the bootlist command.
Fixes added to sslot utility to prevent memory leak when listing IO slots.
Added the DRC type description strings for the latest peripheral component interconnect express (PCIe) slot types in the lsslot utility.
Fixed the invalid config address to RTAS in errinjct tool.
Added support for non-volatile memory over fabrics (NVMf) devices in the ofpathname utility. The utility provides a mechanism for converting a logical device name to an open firmware device path and the other way round.
Added fixes to the non-volatile memory (NVMe) support in asymmetric namespace access (ANA) mode in the ofpathname utility.
Installed smt.state file as a configuration file.

(BZ#1920964)

The Redfish modules are now part of the redhat.rhel_mgmt Ansible collection

The redhat.rhel_mgmt Ansible collection now includes the following modules:

redfish_info
redfish_command
redfish_config

With that, users can benefit from the management automation, by using the Redfish modules to retrieve server health status, get information about hardware and firmware inventory, perform power management, change BIOS settings, configure Out-Of-Band (OOB) controllers, configure hardware RAID, and perform firmware updates.

(BZ#2112434)

libvpd rebased to version 2.2.9

The libvpd package, which contains classes for accessing the Vital Product Data (VPD), has been updated to version 2.2.9. Notable improvements include:

Fixed database locking
Updated libtool utility version information

(BZ#2051288)

lsvpd rebased to version 1.7.14

The lsvpd package, which provides commands for constituting a hardware inventory system, has been updated to version 1.7.14. With this update, the lsvpd utility prevents corruption of the database file when you run the vpdupdate command.

(BZ#2051289)

ppc64-diag rebased to version 2.7.8

The ppc64-diag package for platform diagnostics has been updated to version 2.7.8. Notable improvements include:

Updated build dependency to use libvpd utility version 2.2.9 or higher
Fixed extract_opal_dump error message on unsupported platform
Fixed build warning with GCC-8.5 and GCC-11 compilers

(BZ#2051286)

sysctl introduces identic syntax for arguments as systemd-sysctl

The sysctl utility from the procps-ng package, which you can use to modify kernel parameters at runtime, now uses the same syntax for arguments as the systemd-sysctl utility. With this update, sysctl now parses configuration files that contain hyphens (-) or globs (*) on configuration lines. For more information about the systemd-sysctl syntax, see the sysctl.d(5) man page.

(BZ#2052536)

Updated systemd-udevd assigns consistent network device names to InfiniBand interfaces

Introduced in RHEL 9, the new version of the systemd package contains the updated systemd-udevd device manager. The device manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd.

You can define custom naming rules for naming InfiniBand interfaces by following the Renaming IPoIB devices procedure.

For more details of the naming scheme, see the systemd.net-naming-scheme(7) man page.

(BZ#2136937)

4.6. Infrastructure services

chrony now uses DHCPv6 NTP servers

The NetworkManager dispatcher script for chrony updates the Network time protocol (NTP) sources passed from Dynamic Host Configuration Protocol (DHCP) options. Since RHEL 9.1, the script uses NTP servers provided by DHCPv6 in addition to DHCPv4. The DHCP option 56 specifies the usage of DHCPv6, the DHCP option 42 is DHCPv4-specific.

(BZ#2047415)

chrony rebased to version 4.2

The chrony suite has been updated to version 4.2. Notable enhancements over version 4.1 include:

The server interleaved mode has been improved to be more reliable and supports multiple clients behind a single address translator (Network Address Translation - NAT).
Experimental support for the Network Time Protocol Version 4 (NTPv4) extension field has been added to improve time synchronization stability and precision of estimated errors. You can enable this field, which extends the capabilities of the protocol NTPv4, by using the extfield F323 option.
Experimental support for NTP forwarding over the Precision Time Protocol (PTP) has been added to enable full hardware timestamping on Network Interface Cards (NIC) that have timestamping limited to PTP packets. You can enable NTP over PTP by using the ptpport 319 directive.

(BZ#2051441)

unbound rebased to version 1.16.2

The unbound component has been updated to version 1.16.2. unbound is a validating, recursive, and caching DNS resolver. Notable improvements include:

With the ZONEMD Zone Verification with RFC 8976 support, recipients can now verify the zone contents for data integrity and origin authenticity.
With unbound, you can now configure persistent TCP connections.
The SVCB and HTTPS types and handling according to the Service binding and parameter specification through the DNS draft-ietf-dnsop-svcb-https document were added.
unbound takes the default TLS ciphers from crypto policies.
You can use a Special-Use Domain home.arpa. according to the RFC8375. This domain is designated for non-unique use in residential home networks.
unbound now supports selective enabling of tcp-upstream queries for stub or forward zones.
The default of aggressive-nsec option is now yes.
The ratelimit logic was updated.
You can use a new rpz-signal-nxdomain-ra option for unsetting the RA flag when a query is blocked by an Unbound response policy zone (RPZ) nxdomain reply.
With the basic support for Extended DNS Errors (EDE) according to the RFC8914, you can benefit from additional error information.

(BZ#2087120)

The password encryption function is now available in whois

The whois package now provides the /usr/bin/mkpasswd binary, which you can use to encrypt a password with the crypt C library interface.

(BZ#2054043)

frr rebased to version 8.2.2

The frr package for managing dynamic routing stack has been updated to version 8.2.2. Notable changes and enhancements over version 8.0 include:

Added Ethernet VPN (EVPN) route type-5 gateway IP Overlay Index.
Added Autonomous system border router (ASBR) summarization in the Open-shortest-path-first (OSPFv3) protocol.
Improved usage of stub and not-so-stubby-areas (NSSA) in OSPFv3.
Added the graceful restart capability in OSPFv2 and OSPFv3.
The link bandwidth in the border gateway protocol (BGP) is now encoded according to the IEEE 754 standard. To use the previous encoding method, run the neighbor PEER disable-link-bw-encoding-ieee command in the existing configuration.
Added the long-lived graceful restart capability in BGP.
Implemented the extended administrative shutdown communication rfc9003, and the extended optional parameters length rfc9072 in BGP.

(BZ#2069563)

TuneD real-time profiles now auto determine initial CPU isolation setup

TuneD is a service for monitoring your system and optimizing the performance profile. You can also isolate central processing units (CPUs) using the tuned-profiles-realtime package to give application threads the most execution time possible.

Previously, the real-time profiles for systems running the real-time kernel did not load if you did not specify the list of CPUs to isolate in the isolated_cores parameter.

With this enhancement, TuneD introduces the calc_isolated_cores built-in function that automatically calculates housekeeping and isolated cores lists, and applies the calculation to the isolated_cores parameter. With the automatic preset, one core from each socket is reserved for housekeeping, and you can start using the real-time profile without any additional steps. If you want to change the preset, customize the isolated_cores parameter by specifying the list of CPUs to isolate.

(BZ#2093847)

4.7. Security

New packages: keylime

RHEL 9.1 introduces Keylime, a tool for attestation of remote systems, which uses the trusted platform module (TPM) technology. With Keylime, you can verify and continuously monitor the integrity of remote systems. You can also specify encrypted payloads that Keylime delivers to the monitored machines, and define automated actions that trigger whenever a system fails the integrity test.

See Ensuring system integrity with Keylime in the RHEL 9 Security hardening document for more information.

(JIRA:RHELPLAN-92522)

New option in OpenSSH supports setting the minimum RSA key length

Accidentally using short RSA keys makes the system more vulnerable to attacks. With this update, you can set minimum RSA key lengths for OpenSSH servers and clients. To define the minimum RSA key length, use the new RequiredRSASize option in the /etc/ssh/sshd_config file for OpenSSH servers, and in the /etc/ssh/ssh_config file for OpenSSH clients.

(BZ#2066882)

crypto-policies enforce 2048-bit RSA key length minimum for OpenSSH by default

Using short RSA keys makes the system more vulnerable to attacks. Because OpenSSH now supports limiting minimum RSA key length, the system-wide cryptographic policies enforce the 2048-bit minimum key length for RSA by default.

If you encounter OpenSSH failing connections with an Invalid key length error message, start using longer RSA keys.

Alternatively, you can relax the restriction by using a custom subpolicy at the expense of security. For example, if the update-crypto-policies --show command reports that the current policy is DEFAULT:

Define a custom subpolicy by inserting the min_rsa_size@openssh = 1024 parameter into the /etc/crypto-policies/policies/modules/RSA-OPENSSH-1024.pmod file.
Apply the custom subpolicy using the update-crypto-policies --set DEFAULT:RSA-OPENSSH-1024 command.

(BZ#2102774)

New option in OpenSSL supports SHA-1 for signatures

OpenSSL 3.0.0 in RHEL 9 does not support SHA-1 for signature creation and verification by default (SHA-1 key derivation functions (KDF) and hash-based message authentication codes (HMAC) are still supported). However, to support backwards compatibility with RHEL 8 systems that still use SHA-1 for signatures, a new configuration option rh-allow-sha1-signatures is introduced to RHEL 9. This option, if enabled in the alg_section of openssl.cnf, permits the creation and verification of SHA-1 signatures.

This option is automatically enabled if the LEGACY system-wide cryptographic policy (not legacy provider) is set.

Note that this also affects the installation of RPM packages with SHA-1 signatures, which may require switching to the LEGACY system-wide cryptographic policy.

(BZ#2060510, BZ#2055796)

crypto-policies now support sntrup761x25519-sha512@openssh.com

This update of the system-wide cryptographic policies adds support for the sntrup761x25519-sha512@openssh.com key exchange (KEX) method. The post-quantum sntrup761 algorithm is already available in the OpenSSH suite, and this method provides better security against attacks from quantum computers. To enable sntrup761x25519-sha512@openssh.com, create and apply a subpolicy, for example:

# echo 'key_exchange = +SNTRUP' > /etc/crypto-policies/policies/modules/SNTRUP.pmod
# update-crypto-policies --set DEFAULT:SNTRUP

For more information, see the Customizing system-wide cryptographic policies with subpolicies section in the RHEL 9 Security hardening document.

(BZ#2070604)

NSS no longer support RSA keys shorter than 1023 bits

The update of the Network Security Services (NSS) libraries changes the minimum key size for all RSA operations from 128 to 1023 bits. This means that NSS no longer perform the following functions:

Generate RSA keys shorter than 1023 bits.
Sign or verify RSA signatures with RSA keys shorter than 1023 bits.
Encrypt or decrypt values with RSA key shorter than 1023 bits.

(BZ#2091905)

SELinux policy confines additional services

The selinux-policy packages have been updated, and therefore the following services are now confined by SELinux:

ksm
nm-priv-helper
rhcd
stalld
systemd-network-generator
targetclid
wg-quick

(BZ#1965013, BZ#1964862, BZ#2020169, BZ#2021131, BZ#2042614, BZ#2053639, BZ#2111069)

SELinux supports the self keyword in type transitions

SELinux tooling now supports type transition rules with the self keyword in the policy sources. Support for type transitions with the self keyword prepares the SELinux policy for labeling of anonymous inodes.

(BZ#2069718)

SELinux user-space packages updated

SELinux user-space packages libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, and mcstrans were updated to the latest upstream release 3.4. The most notable changes are:

Added support for parallel relabeling through the -T option in the setfiles, restorecon, and fixfiles tools.
- You can either specify the number of process threads in this option or use -T 0 for using the maximum of available processor cores. This reduces the time required for relabeling significantly.
Added the new --checksum option, which prints SHA-256 hashes of modules.
Added new policy utilities in the libsepol-utils package.

(BZ#2079276)

SELinux automatic relabeling is now parallel by default

Because the newly introduced parallel relabeling option significantly reduces the time required for the SELinux relabeling process on multi-core systems, the automatic relabeling script now contains the -T 0 option in the fixfiles command line. The -T 0 option ensures that the setfiles program uses the maximum of available processor cores for relabeling by default.

To use only one process thread for relabeling as in the previous version of RHEL, override this setting by entering either the fixfiles -T 1 onboot command instead of just fixfiles onboot or the echo "-T 1" > /.autorelabel command instead of touch /.autorelabel.

(BZ#2115242)

SCAP Security Guide rebased to 0.1.63

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.63. This version provides various enhancements and bug fixes, most notably:

New compliance rules for sysctl, grub2, pam_pwquality, and build time kernel configuration were added.
Rules hardening the PAM stack now use authselect as the configuration tool. Note: With this change, the rules hardening the PAM stack are not applied if the PAM stack was edited by other means.

(BZ#2070563)

Added a maximum size option for Rsyslog error files

Using the new action.errorfile.maxsize option, you can specify a maximum number of bytes of the error file for the Rsyslog log processing system. When the error file reaches the specified size, Rsyslog cannot write any additional errors or other data in it. This prevents the error file from filling up the file system and making the host unusable.

(BZ#2064318)

clevis-luks-askpass is now enabled by default

The /lib/systemd/system-preset/90-default.preset file now contains the enable clevis-luks-askpass.path configuration option and the installation of the clevis-systemd sub-package ensures that the clevis-luks-askpass.path unit file is enabled. This enables the Clevis encryption client to unlock also LUKS-encrypted volumes that mount late in the boot process. Before this update, the administrator must use the systemctl enable clevis-luks-askpass.path command to enable Clevis to unlock such volumes.

(BZ#2107078)

fapolicyd rebased to 1.1.3

The fapolicyd packages have been upgraded to version 1.1.3. Notable improvements and bug fixes include:

Rules can now contain the new subject PPID attribute, which matches the parent PID (process ID) of a subject.
The OpenSSL library replaced the Libgcrypt library as a cryptographic engine for hash computations.
The fagenrules --load command now works correctly.

(BZ#2100041)

4.8. Networking

The act_ctinfo kernel module has been added

This enhancement adds the act_ctinfo kernel module to RHEL. Using the ctinfo action of the tc utility, administrators can copy the conntrack mark or the value of the differentiated services code point (DSCP) of network packets into the socket buffer’s mark metadata field. As a result, you can use conditions based on the conntrack mark or the DSCP value to filter traffic. For further details, see the tc-ctinfo(8) man page.

(BZ#2027894)

cloud-init updates network configuration at every boot on Microsoft Azure

Microsoft Azure does not change the instance ID when an administrator updates the network interface configuration while a VM is offline. With this enhancement, the cloud-init service always updates the network configuration when the VM boots to ensure that RHEL on Microsoft Azure uses the latest network settings.

As a consequence, if you manually configure settings on interfaces, such as an additional search domain, cloud-init may override them when you reboot the VM. For further details and a workaround, see the cloud-init-22.1-5 updates network config on every boot solution.

(BZ#2144898)

The PTP driver now supports virtual clocks and time stamping

With this enhancement, the Precision Time Protocol (PTP) driver can create virtual PTP Hardware Clocks (PHCs) on top of a free-running PHC by writing to /sys/class/ptp/ptp*/n_vclocks. As a result, users can run multiple domain synchronization with hardware time stamps on one interface.

(BZ#2066451)

firewalld was rebased to version 1.1.1

The firewalld packages have been upgraded to version 1.1.1. This version provides multiple bug fixes and enhancements over the previous version:

New features:

Rich rules support NetFilter-log (NFLOG) target for user-space logging. Note that there is not any NFLOG capable logging daemon in RHEL. However, you can use the tcpdump -i nflog command to collect the logs you need.
Support for port forwarding in policies with ingress-zones=HOST and egress-zones={ANY, source based zone}.

Other notable changes include:

Support for the afp, http3, jellyfin, netbios-ns, ws-discovery, and ws-discovery-client services
Tab-completion and sub-options in Z Shell for the policy option

(BZ#2040689)

NetworkManager now supports advmss, rto_min, and quickack route attributes

With this enhancement, administrators can configure the ipv4.routes setting with the following attributes:

rto_min (TIME) - configure the minimum TCP re-transmission timeout in milliseconds when communicating with the route destination
quickack (BOOL) - a per-route setting to enable or disable TCP quick ACKs
advmss (NUMBER) - advertise maximum segment size (MSS) to the route destination when establishing TCP connections. If unspecified, Linux uses a default value calculated from the maximum transmission unit (MTU) of the first hop device

Benefit of implementing the new functionality of ipv4.routes with the mentioned attributes is that there is no need to run the dispatcher script.

Note that once you activate a connection with the mentioned route attributes, such changes are set in the kernel.

(BZ#2068525)

Support for the 802.ad vlan-protocol option in nmstate

The nmstate API now supports creating the linux-bridge interfaces using the 802.ad vlan-protocol option. This feature enables the configuration of Service-Tag VLANs. The following example illustrates usage of this functionality in a yaml configuration file.

---
interfaces:
  - name: br0
    type: linux-bridge
    state: up
    bridge:
      options:
        vlan-protocol: 802.1ad
      port:
        - name: eth1
          vlan:
            mode: trunk
            trunk-tags:
            - id: 500

(BZ#2084474)

The firewalld service can forward NAT packets originating from the local host to a different host and port

You can forward packets sent from the localhost that runs the firewalld service to a different destination port and IP address. The functionality is useful, for example, to forward ports on the loopback device to a container or a virtual machine. Prior to this change, firewalld could only forward ports when it received a packet that originated from another host. For more details and an illustrative configuration, see Using DNAT to forward HTTPS traffic to a different host.

(BZ#2039542)

NetworkManager now supports migration from ifcfg-rh to key file

Users can migrate their existing connection profile files from the ifcfg-rh format to the key file format. This way, all connection profiles will be in one location and in the preferred format. The key file format has the following advantages:

Closely resembles the way how NetworkManager expresses network configuration
Guarantees compatibility with future RHEL releases
Is easier to read
Supports all connection profiles

To migrate the connections, run:

# nmcli connection migrate

Note that the ifcfg-rh files will work correctly during the RHEL 9 lifetime. However, migrating the configuration to the key file format guarantees compatibility beyond RHEL 9.

For more details, see the nmcli(1), nm-settings-keyfile(5), and nm-settings-ifcfg-rh(5) manual pages.

(BZ#2059608)

More DHCP and IPv6 auto-configuration attributes have been added to the nmstate API

This enhancement adds support for the following attributes to the nmstate API:

dhcp-client-id for DHCPv4 connections as described in RFC 2132 and 4361.
dhcp-duid for DHCPv6 connections as described in RFC 8415.
addr-gen-mode for IPv6 auto-configuration. You can set this attribute to:
- eui64 as described in RFC 4862
- stable-privacy as described in RFC 7217

(BZ#2082043)

NetworkManager now clearly indicates that WEP support is not available in RHEL 9

The wpa_supplicant packages in RHEL 9.0 and later no longer contain the deprecated and insecure Wired Equivalent Privacy (WEP) security algorithm. This enhancement updates NetworkManager to reflect these changes. For example, the nmcli device wifi list command now returns WEP access points at the end of the list in gray color, and connecting to a WEP-protected network returns a meaningful error message.

For secure encryption, use only wifi networks with Wi-Fi Protected Access 2 (WPA2) and WPA3 authentication.

(BZ#2030997)

The MPTCP code has been updated

The MultiPath TCP (MPTCP) code in the kernel has been updated and upstream Linux 5.19. This update provides a number of bug fixes and enhancements over the previous version:

The FASTCLOSE option has been added to close MPTCP connections without a full three-way handshake.
The MP_FAIL option has been added to enable fallback to TCP even after the initial handshake.
The monitoring capabilities have been improved by adding additional Management Information Base (MIB) counters.
Monitor support for MPTCP listener sockets has been added. Use the ss utility to monitor the sockets.

(BZ#2079368)

4.9. Kernel

Kernel version in RHEL 9.1

Red Hat Enterprise Linux 9.1 is distributed with the kernel version 5.14.0-162.

(BZ#2125549)

Memory consumption of the list_lru has been optimized

The internal kernel data structure, list_lru, tracks the "Least Recently Used" status of kernel inodes and directory entries for files. Previously, the number of list_lru allocated structures was directly proportional to the number of mount points and the number of present memory cgroups. Both these numbers increased with the number of running containers leading to memory consumption of O(n^2) where n is the number of running containers. This update optimizes the memory consumption of list_lru in the system to O(n). As a result, sufficient memory is now available for the user applications, especially on the systems with a large number of running containers.

(BZ#2013413)

BPF rebased to Linux kernel version 5.16

The Berkeley Packet Filter (BPF) facility has been rebased to Linux kernel version 5.16 with multiple bug fixes and enhancements. The most notable changes include:

Streamlined internal BPF program sections handling and bpf_program__set_attach_target() API in the libbpf userspace library.
The bpf_program__set_attach_target() API sets the BTF based attach targets for BPF based programs.
Added support for the BTF_KIND_TAG kind, which allows you to tag declarations.
Added support for the bpf_get_branch_snapshot() helper, which enables the tracing program to capture the last branch records (LBR) from the hardware.
Added the legacy kprobe events support in the libbpf userspace library that enables kprobe tracepoint events creation through the legacy interface.
Added the capability to access hardware timestamps through BPF specific structures with the __sk_buff helper function.
Added support for a batched interface for RX buffer allocation in AF_XDP buffer pool, with driver support for i40e and ice.
Added the legacy uprobe support in libbpf userspace library to complement recently merged legacy kprobe.
Added the bpf_trace_vprintk() as variadic printk helper.
Added the libbpf opt-in for stricter BPF program section name handling as part of libbpf 1.0 effort.
Added the libbpf support to locate specialized maps, such as perf RB and internally delete BTF type identifiers while creating them.
Added the bloomfilter BPF map type to test if an element exists in a set.
Added support for kernel module function calls from BPF.
Added support for typeless and weak ksym in light skeleton.
Added support for the BTF_KIND_DECL_TAG kind.

For more information on the full list of BPF features available in the running kernel, use the bpftool feature command.

(BZ#2069045)

BTF data is now located in the kernel module

BPF Type Format (BTF) is the metadata format that encodes the debug information related to BPF program and map. Previously, the BTF data for kernel modules was stored in the kernel-debuginfo package. As a consequence, it was necessary to install the corresponding kernel-debuginfo package in order to use BTF for kernel modules. With this update, the BTF data is now located directly in the kernel module. As a result, you do not need to install any additional packages for BTF to work.

(BZ#2097188)

The kernel-rt source tree has been updated to RHEL 9.1 tree

The kernel-rt sources have been updated to use the latest Red Hat Enterprise Linux kernel source tree. The real-time patch set has also been updated to the latest upstream version, v5.15-rt. These updates provide a number of bug fixes and enhancements.

(BZ#2061574)

Dynamic preemptive scheduling enabled on ARM and AMD and Intel 64-bit architectures

RHEL 9 provides the dynamic scheduling feature on the ARM and AMD and Intel 64-bit architectures. This enhancement enables changing the preemption mode of the kernel at boot or runtime instead of the compile time. The /sys/kernel/debug/sched/preempt file contains the current setting and allows runtime modification.

Using the DYNAMIC_PREEMPT option, you can set the preempt= variable at boot time to either none, voluntary or full with voluntary preemption being the default. Using dynamic preemptive handling, you can override the default preemption model to improve scheduling latency.

(BZ#2065226)

stalld rebased to version 1.17

The stalld program, which provides the stall daemon, is a mechanism to prevent the starvation state of operating system threads in a Linux system. This version monitors the threads for the starvation state. Starvation occurs when a thread is on a CPU run queue for longer than the starvation threshold.

This stalld version includes many improvements and bug fixes over the previous version. The notable change includes the capability to detect runnable dying tasks.

When stalld detects a starving thread, the program changes the scheduling class of the thread to the SCHED_DEADLINE policy, which gives the thread a small slice of time for the specified CPU to run the thread. When the timeslice is used, the thread returns to its original scheduling policy and stalld continues to monitor the thread states.

(BZ#2107275)

The tpm2-tools package has been rebased to tpm2-tools-5.2-1 version

The tpm2-tools package has been rebased to version tpm2-tools-5.2-1. This upgrade provides many significant enhancements and bug fixes. Most notable changes include:

Adds support for public-key output at primary object creation using the tpm2_createprimary and tpm2_create tools.
Adds support for the tpm2_print tool to print public-key output formats. tpm2_print decodes a Trusted Platform Module (TPM) data structure and prints enclosed elements.
Adds support to the tpm2_eventlog tool for reading logs larger than 64 KB.
Adds the tpm2_sessionconfig tool to support displaying and configuring session attributes.

For more information on notable changes, see the /usr/share/doc/tpm2-tools/Changelog.md file.

(BZ#2090748)

Intel E800 devices now support iWARP and RoCE protocols

With this enhancement, you can now use the enable_iwarp and enable_roce devlink parameters to turn on and off iWARP or RoCE protocol support. With this mandatory feature, you can configure the device with one of the protocols. The Intel E800 devices do not support both protocols simultaneously on the same port.

To enable or disable the iWARP protocol for a specific E800 device, first obtain the PCI location of the card:

$ lspci | awk '/E810/ {print $1}'
44:00.0
44:00.1
$

Then enable, or disable, the protocol. You can use use pci/0000:44:00.0 for the first port, and pci/0000:44:00.1 for second port of the card as argument to the devlink command

$ devlink dev param set pci/0000:44:00.0 name enable_iwarp value true cmode runtime
$ devlink dev param set pci/0000:44:00.0 name enable_iwarp value false cmode runtime

To enable or disable the RoCE protocol for a specific E800 device, obtain the PCI location of the card as shown above. Then use one of the following commands:

$ devlink dev param set pci/0000:44:00.0 name enable_roce value true cmode runtime
$ devlink dev param set pci/0000:44:00.0 name enable_roce value false cmode runtime

(BZ#2096127)

4.10. Boot loader

GRUB is signed by new keys

Due to security reasons, GRUB is now signed by new keys. As a consequence, you need to update the RHEL firmware to version FW1010.30 (or later) or FW1020 to be able to boot the little-endian variant of IBM Power Systems with the Secure Boot feature enabled.

(BZ#2074761)

Configurable disk access retries when booting a VM on IBM POWER

You can now configure how many times the GRUB boot loader retries accessing a remote disk when a logical partition (lpar) virtual machine (VM) boots on the IBM POWER architecture. Lowering the number of retries can prevent a slow boot in certain situations.

Previously, GRUB retried accessing disks 20 times when disk access failed at boot. This caused problems if you performed a Live Partition Mobility (LPM) migration on an lpar system that connected to slow Storage Area Network (SAN) disks. As a consequence, the boot might have taken very long on the system until the 20 retries finished.

With this update, you can now configure and decrease the number of disk access retries using the ofdisk_retries GRUB option. For details, see Configure disk access retries when booting a VM on IBM POWER.

As a result, the lpar boot is no longer slow after LPM on POWER, and the lpar system boots without the failed disks.

(BZ#2070725)

4.11. File systems and storage

Stratis now enables setting the file system size upon creation

You can now set the required size when creating a file system. Previously, the automatic default size was 1 TiB. With this enhancement, users can set an arbitrary filesystem size. The lower limit must not go below 512 MiB.

(BZ#1990905)

Improved overprovision management of Stratis pools

With the improvements to the management of thin provisioning, you can now have improved warnings, precise allocation of space for the pool metadata, improved predictability, overall safety, and reliability of thin pool management. A new distinct mode disables overprovisioning. With this enhancement, the user can disable overprovisioning to ensure that a pool contains enough space to support all its file systems, even if these are completely full.

(BZ#2040352)

Stratis now provides improved individual pool management

You can now stop and start stopped individual Stratis pools. Previously, stratisd attempted to start all available pools for all devices it detected. This enhancement provides more flexible management of individual pools within Stratis, better debugging and recovery capabilities. The system no longer requires a reboot to perform recovery and maintenance operations for a single pool.

(BZ#2039960)

Enabled protocol specific configuration of multipath device paths

Previously due to different optimal configurations for the different protocols, it was impossible to set the configuration correctly without setting an option for each individual protocol. With this enhancement, users can now configure multipath device paths based on their path transport protocol. Use the protocol subsection of the overrides section in the /etc/multipath.conf file to correctly configure multipath device paths, based on their protocol.

(BZ#2084365)

New libnvme feature library

Previously, the NVMe storage command line interface utility (nvme-cli) included all of the helper functions and definitions. This enhancement brings a new libnvme library to RHEL 9.1. The library includes:

Type definitions for NVMe specification structures
Enumerations and bit fields
Helper functions to construct, dispatch, and decode commands and payloads
Utilities to connect, scan, and manage NVMe devices

With this update, users do not need to duplicate the code and multiple projects and packages, such as nvme-stas, and can rely on this common library.

(BZ#2099619)

A new library libnvme is now available

With this update, nvme-cli is divided in two different projects: * nvme-cli now only contains the code specific to the nvme tool * libnvme library now contains all type definitions for NVMe specification structures, enumerations, bit fields, helper functions to construct, dispatch, decode commands and payloads, and utilities to connect, scan, and manage NVMe devices.

(BZ#2090121)

4.12. High availability and clusters

Support for High Availability on Red Hat OpenStack platform

You can now configure a high availability cluster on the Red Hat OpenStack platform. In support of this feature, Red Hat provides the following new cluster agents:

fence_openstack: fencing agent for HA clusters on OpenStack
openstack-info: resource agent to configure the openstack-info cloned resource, which is required for an HA cluster on OpenStack
openstack-virtual-ip: resource agent to configure a virtual IP address resource
openstack-floating-ip: resource agent to configure a floating IP address resource
openstack-cinder-volume: resource agent to configure a block storage resource

(BZ#2121838)

pcs supports updating multipath SCSI devices without requiring a system restart

You can now update multipath SCSI devices with the pcs stonith update-scsi-devices command. This command updates SCSI devices without causing a restart of other cluster resources running on the same node.

(BZ#2024522)

Support for cluster UUID

During cluster setup, the pcs command now generates a UUID for every cluster. Since a cluster name is not a unique cluster identifier, you can use the cluster UUID to identify clusters with the same name when you administer multiple clusters.

You can display the current cluster UUID with the pcs cluster config [show] command. You can add a UUID to an existing cluster or regenerate a UUID if it already exists by using the pcs cluster config uuid generate command.

(BZ#2054671)

New pcs resource config command option to display the pcs commands that re-create configured resources

The pcs resource config command now accepts the --output-format=cmd option. Specifying this option displays the pcs commands you can use to re-create configured resources on a different system.

(BZ#2058251)

New pcs stonith config command option to display the pcs commands that re-create configured fence devices

The pcs stonith config command now accepts the --output-format=cmd option. Specifying this option displays the pcs commands you can use to re-create configured fence devices on a different system.

(BZ#2058252)

Pacemaker rebased to version 2.1.4

The Pacemaker packages have been upgraded to the upstream version of Pacemaker 2.1.4. Notable changes include:

The multiple-active resource parameter now accepts a value of stop_unexpected, The multiple-active resource parameter determines recovery behavior when a resource is active on more than one node when it should not be. By default, this situation requires a full restart of the resource, even if the resource is running successfully where it should be. A value of stop_unexpected for this parameter specifies that only unexpected instances of a multiply-active resource are stopped. It is the user’s responsibility to verify that the service and its resource agent can function with extra active instances without requiring a full restart.
Pacemaker now supports the allow-unhealthy-node resource meta-attribute. When this meta-attribute is set to true, the resource is not forced off a node due to degraded node health. When health resources have this attribute set, the cluster can automatically detect if the node’s health recovers and move resources back to it.
Users can now specify Access Control Lists (ACLS) for a system group using the pcs acl group command. Pacemaker previously allowed ACLs to be specified for individual users, but it is sometimes simpler and would conform better with local policies to specify ACLs for a system group, and to have them apply to all users in that group. This command was present in earlier releases but had no effect.

(BZ#2072108)

Samba no longer automatically installed with cluster packages

As of this release, installing the packages for the RHEL High Availability Add-On no longer installs the Samba packages automatically. This also allows you to remove the Samba packages without automatically removing the HA packages as well. If your cluster uses Samba resources you must now manually install them.

(BZ#1826455)

4.13. Dynamic programming languages, web and database servers

The nodejs:18 module stream is now fully supported

The nodejs:18 module stream, previously available as a Technology Preview, is fully supported with the release of the RHSA-2022:8832 advisory. The nodejs:18 module stream now provides Node.js 18.12, which is a Long Term Support (LTS) version.

Node.js 18 included in RHEL 9.1 provides numerous new features together with bug and security fixes over Node.js 16.

Notable changes include:

The V8 engine has been upgraded to version 10.2.
The npm package manager has been upgraded to version 8.19.2.
Node.js now provides a new experimental fetch API.
Node.js now provides a new experimental node:test module, which facilitates the creation of tests that report results in the Test Anything Protocol (TAP) format.
Node.js now prefers IPv6 addresses over IPv4.

To install the nodejs:18 module stream, use:

# dnf module install nodejs:18

(BZ#2083072)

A new module stream: php:8.1

RHEL 9.1 adds PHP 8.1 as a new php:8.1 module stream.

With PHP 8.1, you can:

Define a custom type that is limited to one of a discrete number of possible values using the Enumerations (Enums) feature
Declare a property with the readonly modifier to prevent modification of the property after initialization
Use fibers, full-stack, interruptible functions

To install the php:8.1 module stream, use:

# dnf module install php:8.1

For details regarding PHP usage on RHEL 9, see Using the PHP scripting language.

(BZ#2070040)

A new module stream: ruby:3.1

RHEL 9.1 introduces Ruby 3.1.2 in a new ruby:3.1 module stream. This version provides a number of performance improvements, bug and security fixes, and new features over Ruby 3.0 distributed with RHEL 9.0.

Notable enhancements include:

The Interactive Ruby (IRB) utility now provides an autocomplete feature and a documentation dialog
A new debug gem, which replaces lib/debug.rb, provides improved performance, and supports remote debugging and multi-process/multi-thread debugging
The error_highlight gem now provides a fine-grained error location in the backtrace
Values in the hash literal data types and keyword arguments can now be omitted
The pin operator (^) now accepts an expression in pattern matching
Parentheses can now be omitted in one-line pattern matching
YJIT, a new experimental in-process Just-in-Time (JIT) compiler, is now available on the AMD and Intel 64-bit architectures
The TypeProf For IDE utility has been introduced, which is an experimental static type analysis tool for Ruby code in IDEs

The following performance improvements have been implemented in Method Based Just-in-Time Compiler (MJIT):

For workloads like Rails, the default maximum JIT cache value has increased from 100 to 10000
Code compiled using JIT is no longer canceled when a TracePoint for class events is enabled

Other notable changes include:

The tracer.rb file has been removed
Since version 4.0, the Psych YAML parser uses the safe_load method by default

To install the ruby:3.1 module stream, use:

# dnf module install ruby:3.1

(BZ#2063773)

httpd rebased to version 2.4.53

The Apache HTTP Server has been updated to version 2.4.53, which provides bug fixes, enhancements, and security fixes over version 2.4.51 distributed with RHEL 9.0.

Notable changes in the mod_proxy and mod_proxy_connect modules include:

mod_proxy: The length limit of the name of the controller has been increased
mod_proxy: You can now selectively configure timeouts for backend and frontend
mod_proxy: You can now disable TCP connections redirection by setting the SetEnv proxy-nohalfclose parameter
mod_proxy and mod_proxy_connect: It is forbidden to change a status code after sending it to a client

In addition, a new ldap function has been added to the expression API, which can help prevent the LDAP injection vulnerability.

(BZ#2079939)

A new default for the LimitRequestBody directive in httpd configuration

To fix CVE-2022-29404, the default value for the LimitRequestBody directive in the Apache HTTP Server has been changed from 0 (unlimited) to 1 GiB.

On systems where the value of LimitRequestBody is not explicitly specified in an httpd configuration file, updating the httpd package sets LimitRequestBody to the default value of 1 GiB. As a consequence, if the total size of the HTTP request body exceeds this 1 GiB default limit, httpd returns the 413 Request Entity Too Large error code.

If the new default allowed size of an HTTP request message body is insufficient for your use case, update your httpd configuration files within the respective context (server, per-directory, per-file, or per-location) and set your preferred limit in bytes. For example, to set a new 2 GiB limit, use:

LimitRequestBody 2147483648

Systems already configured to use any explicit value for the LimitRequestBody directive are unaffected by this change.

(BZ#2128016)

New package: httpd-core

Starting with RHEL 9.1, the httpd binary file with all essential files has been moved to the new httpd-core package to limit the Apache HTTP Server’s dependencies in scenarios where only the basic httpd functionality is needed, for example, in containers.

The httpd package now provides systemd-related files, including mod_systemd, mod_brotli, and documentation.

With this change, the httpd package no longer provides the httpd Module Magic Number (MMN) value. Instead, the httpd-core package now provides the httpd-mmn value. As a consequence, fetching httpd-mmn from the httpd package is no longer possible.

To obtain the httpd-mmn value of the installed httpd binary, you can use the apxs binary, which is a part of the httpd-devel package. To obtain the httpd-mmn value, use the following command:

# apxs -q HTTPD_MMN
20120211

(BZ#2065677)

pcre2 rebased to version 10.40

The pcre2 package, which provides the Perl Compatible Regular Expressions library v2, has been updated to version 10.40.

With this update, the use of the \K escape sequence in lookaround assertions is forbidden, in accordance with the respective change in Perl 5.32. If you rely on the previous behavior, you can use the PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK option. Note that when this option is set, \K is accepted only inside positive assertions but is ignored in negative assertions.

(BZ#2086494)

4.14. Compilers and development tools

The updated GCC compiler is now available for RHEL 9.1

The system GCC compiler, version 11.2.1, has been updated to include numerous bug fixes and enhancements available in the upstream GCC.

The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and Fortran programming languages.

For usage information, see Developing C and C++ applications in RHEL 9.

(BZ#2063255)

New GCC Toolset 12

GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

The GCC compiler has been updated to version 12.1.1, which provides many bug fixes and enhancements that are available in upstream GCC.

The following tools and versions are provided by GCC Toolset 12:

Tool	Version
GCC	12.1.1
GDB	11.2
binutils	2.35
dwz	0.14
annobin	10.76

To install GCC Toolset 12, run the following command as root:

# dnf install gcc-toolset-12

To run a tool from GCC Toolset 12:

$ scl enable gcc-toolset-12 tool

To run a shell session where tool versions from GCC Toolset 12 override system versions of these tools:

$ scl enable gcc-toolset-12 bash

For more information, see GCC Toolset 12.

(BZ#2077465)

GCC Toolset 12: Annobin rebased to version 10.76

In GCC Toolset 12, the Annobin package has been updated to version 10.76.

Notable bug fixes and enhancements include:

A new command line option for annocheck tells it to avoid using the debuginfod service, if it is unable to find debug information in another way. Using debuginfod provides annocheck with more information, but it can also cause significant slow downs in annocheck’s performance if the debuginfod server is unavailable.
The Annobin sources can now be built using meson and ninja rather than configure and make if desired.
Annocheck now supports binaries built by the Rust 1.18 compiler.

Additionally, the following known issue has been reported in the GCC Toolset 12 version of Annobin:

Under some circumstances it is possible for a compilation to fail with an error message that looks similar to the following:

cc1: fatal error: inaccessible plugin file
opt/rh/gcc-toolset-12/root/usr/lib/gcc/architecture-linux-gnu/12/plugin/gcc-annobin.so
expanded from short plugin name gcc-annobin: No such file or directory

To work around the problem, create a symbolic link in the plugin directory from annobin.so to gcc-annobin.so:

# cd /opt/rh/gcc-toolset-12/root/usr/lib/gcc/architecture-linux-gnu/12/plugin
# ln -s annobin.so gcc-annobin.so

Where architecture is replaced with the architecture being used:

aarch64
i686
ppc64le
s390x
x86_64

(BZ#2077438)

GCC Toolset 12: binutils rebased to version 2.38

In GCC Toolset 12, the binutils package has been updated to version 2.38.

Notable bug fixes and enhancements include:

All tools in the binutils package now support options to display or warn about the presence of multibyte characters.
The readelf and objdump tools now automatically follow any links to separate debuginfo files by default. This behavior can be disabled by using the --debug-dump=no-follow-links option for readelf or the --dwarf=no-follow-links option for objdump.

(BZ#2077445)

GCC 12 and later supports _FORTIFY_SOURCE level 3

With this enhancement, users can build applications with -D_FORTIFY_SOURCE=3 in the compiler command line when building with GCC version 12 or later. _FORTIFY_SOURCE level 3 improves coverage of source code fortification, thus improving security for applications built with -D_FORTIFY_SOURCE=3 in the compiler command line. This is supported in GCC versions 12 and later and all Clang in RHEL 9 with the __builtin_dynamic_object_size builtin.

(BZ#2033683)

DNS stub resolver option now supports no-aaaa option

With this enhancement, glibc now recognizes the no-aaaa stub resolver option in /etc/resolv.conf and the RES_OPTIONS environment variable. When this option is active, no AAAA queries will be sent over the network. System administrators can disable AAAA DNS lookups for diagnostic purposes, such as ruling out that the superfluous lookups on IPv4-only networks do not contribute to DNS issues.

(BZ#2096191)

Added support for IBM Z Series z16

The support is now available for the s390 instruction set with the IBM z16 platform. IBM z16 provides two additional hardware capabilities in glibc that are HWCAP_S390_VXRS_PDE2 and HWCAP_S390_NNPA. As a result, applications can now use these capabilities to deliver optimized libraries and functions.

(BZ#2077838)

Applications can use the restartable sequence features through the new glibc interfaces

To accelerate the sched_getcpu function (especially on aarch64), it is necessary to use the restartable sequences (rseq) kernel feature by default in glibc. To allow applications to continuously use the shared rseq area, glibc now provides the __rseq_offset, __rseq_size and __rseq_flags symbols which were first added in glibc 2.35 upstream version. With this enhancement, the performance of the sched_getcpu function is increased and applications can now use the restartable sequence features through the new glibc interfaces.

(BZ#2085529)

GCC Toolset 12: GDB rebased to version 11.2

In GCC Toolset 12, the GDB package has been updated to version 11.2.

Notable bug fixes and enhancements include:

New support for the 64-bit ARM architecture Memory Tagging Extension (MTE). See new commands with the memory-tag prefix.
--qualified option for -break-insert and -dprintf-insert. This option looks for an exact match of the user’s event location instead of searching in all scopes.
For example, break --qualified foo will look for a symbol named foo in the global scope. Without --qualified, GDB will search all scopes for a symbol with that name.
--force-condition: Any supplied condition is defined even if it is currently invalid.
-break-condition --force: Likewise for the MI command.
-file-list-exec-source-files accepts optional REGEXP to limit output.
.gdbinit search path includes the config directory. The order is:
1. $XDG_CONFIG_HOME/gdb/gdbinit
2. $HOME/.config/gdb/gdbinit
3. $HOME/.gdbinit
Support for ~/.config/gdb/gdbearlyinit or ~/.gdbearlyinit.
-eix and -eiex early initialization file options.

Terminal user interface (TUI):

Support for mouse actions inside terminal user interface (TUI) windows.
Key combinations that do not act on the focused window are now passed to GDB.

New commands:

show print memory-tag-violations
set print memory-tag-violations
memory-tag show-logical-tag
memory-tag with-logical-tag
memory-tag show-allocation-tag
memory-tag check
show startup-quietly and set startup-quietly: A way to specify -q or -quiet in GDB scripts. Only valid in early initialization files.
show print type hex and set print type hex: Tells GDB to print sizes or offsets for structure members in hexadecimal instead of decimal.
show python ignore-environment and set python ignore-environment: If enabled, GDB’s Python interpreter ignores Python environment variables, much like passing -E to the Python executable. Only valid in early initialization files.
show python dont-write-bytecode and set python dont-write-bytecode: If off, these commands suppress GDB’s Python interpreter from writing bytecode compiled objects of imported modules, much like passing -B to the Python executable. Only valid in early initialization files.

Changed commands:

break LOCATION if CONDITION: If CONDITION is invalid, GDB refuses to set a breakpoint. The -force-condition option overrides this.
CONDITION -force N COND: Same as the previous command.
inferior [ID]: When ID is omitted, this command prints information about the current inferior. Otherwise, unchanged.
ptype[/FLAGS] TYPE | EXPRESSION: Use the /x flag to use hexadecimal notation when printing sizes and offsets of struct members. Use the /d flag to do the same but using decimal.
info sources: Output has been restructured.

Python API:

Inferior objects contain a read-only connection_num attribute.
New gdb.Frame.level() method.
New gdb.PendingFrame.level() method.
gdb.BreakpoiontEvent emitted instead of gdb.Stop.

(BZ#2077494)

GDB supports Power 10 PLT instructions

GDB now supports Power 10 PLT instructions. With this update, users are able to step into shared library functions and inspect stack backtraces using GDB version 10.2-10 and later.

(BZ#1870017)

The dyninst packaged rebased to version 12.1

The dyninst package has been rebased to version 12.1. Notable bug fixes and enhancements include:

Initial support for glibc-2.35 multiple namespaces
Concurrency fixes for DWARF parallel parsing
Better support for the CUDA and CDNA2 GPU binaries
Better support for IBM POWER Systems (little endian) register access
Better support for PIE binaries
Corrected parsing for catch blocks
Corrected access to 64-bit Arm (aarch64) floating point registers

(BZ#2057675)

A new fileset /etc/profile.d/debuginfod.*

Added new fileset for activating organizational debuginfod services. To get a system-wide debuginfod client activation you must add the URL to /etc/debuginfod/FOO.urls file.

(BZ#2088774)

Rust Toolset rebased to version 1.62.1

Rust Toolset has been updated to version 1.62.1. Notable changes include:

Destructuring assignment allows patterns to assign to existing variables in the left-hand side of an assignment. For example, a tuple assignment can swap to variables: (a, b) = (b, a);
Inline assembly is now supported on 64-bit x86 and 64-bit ARM using the core::arch::asm! macro. See more details in the "Inline assembly" chapter of the reference, /usr/share/doc/rust/html/reference/inline-assembly.html (online at https://doc.rust-lang.org/reference/inline-assembly.html).
Enums can now derive the Default trait with an explicitly annotated #[default] variant.
Mutex, CondVar, and RwLock now use a custom futex-based implementation rather than pthreads, with new optimizations made possible by Rust language guarantees.
Rust now supports custom exit codes from main, including user-defined types that implement the newly-stabilized Termination trait.
Cargo supports more control over dependency features. The dep: prefix can refer to an optional dependency without exposing that as a feature, and a ? only enables a dependency feature if that dependency is enabled elsewhere, like package-name?/feature-name.
Cargo has a new cargo add subcommand for adding dependencies to Cargo.toml.
For more details, please see the series of upstream release announcements:

(BZ#2075337)

LLVM Toolset rebased to version 14.0.6

LLVM Toolset has been rebased to version 14.0.6. Notable changes include:

On 64-bit x86, support for AVX512-FP16 instructions has been added.
Support for the Armv9-A, Armv9.1-A and Armv9.2-A architectures has been added.
On PowerPC, added the __ibm128 type to represent IBM double-double format, also available as __attribute__((mode(IF))).

clang changes:

if consteval for C++2b is now implemented.
On 64-bit x86, support for AVX512-FP16 instructions has been added.
Completed support of OpenCL C 3.0 and C++ for OpenCL 2021 at experimental state.
The -E -P preprocessor output now always omits blank lines, matching GCC behavior. Previously, up to 8 consecutive blank lines could appear in the output.
Support -Wdeclaration-after-statement with C99 and later standards, and not just C89, matching GCC’s behavior. A notable use case is supporting style guides that forbid mixing declarations and code, but want to move to newer C standards.

For more information, see the LLVM Toolset and Clang upstream release notes.

(BZ#2061041)

Go Toolset rebased to version 1.18.2

Go Toolset has been rebased to version 1.18.2.

Notable changes include:

The introduction of generics while maintaining backwards compatibility with earlier versions of Go.
A new fuzzing library.
New debug/buildinfo and net/netip packages.
The go get tool no longer builds or installs packages. Now, it only handles dependencies in go.mod.
If the main module’s go.mod file specifies go 1.17 or higher, the go mod download command used without any additional arguments only downloads source code for the explicitly required modules in the main module’s go.mod file. To also download source code for transitive dependencies, use the go mod download all command.
The go mod vendor subcommand now supports a -o option to set the output directory.
The go mod tidy command now retains additional checksums in the go.sum file for modules whose source code is required to verify that only one module in the build list provides each imported package. This change is not conditioned on the Go version in the main module’s go.mod file.

(BZ#2075169)

A new module stream: maven:3.8

RHEL 9.1 introduces Maven 3.8 as a new module stream.

To install the maven:3.8 module stream, use:

# dnf module install maven:3.8

(BZ#2083112)

.NET version 7.0 is available

Red Hat Enterprise Linux 9.1 is distributed with .NET version 7.0. Notable improvements include:

Support for IBM Power (ppc64le)

For more information, see Release Notes for .NET 7.0 RPM packages and Release Notes for .NET 7.0 containers.

(BZ#2112027)

4.15. Identity Management

SSSD now supports memory caching for SID requests

With this enhancement, SSSD now supports memory caching for SID requests, which are GID and UID lookups by SID and vice versa. Memory caching results in improved performance, for example, when copying large amounts of files to or from a Samba server.

(JIRA:RHELPLAN-123369)

The ipaservicedelegationtarget and ipaservicedelegationrule Ansible modules are now available

You can now use the ipaservicedelegationtarget and ipaservicedelegationrule ansible-freeipa modules to, for example, configure a web console client to allow an Identity Management (IdM) user that has authenticated with a smart card to do the following:

Use sudo on the RHEL host on which the web console service is running without being asked to authenticate again.
Access a remote host using SSH and access services on the host without being asked to authenticate again.

The ipaservicedelegationtarget and ipaservicedelegationrule modules utilize the Kerberos S4U2proxy feature, also known as constrained delegation. IdM traditionally uses this feature to allow the web server framework to obtain an LDAP service ticket on the user’s behalf. The IdM-AD trust system uses the feature to obtain a cifs principal.

(JIRA:RHELPLAN-117109)

SSSD support for anonymous PKINIT for FAST

With this enhancement, SSSD now supports anonymous PKINIT for Flexible Authentication via Secure Tunneling (FAST), also called Kerberos armoring in Active Directory. Until now, to use FAST, a Kerberos keytab was needed to request the required credentials. You can now use anonymous PKINIT to create this credential cache to establish the FAST session.

To enable anonymous PKINIT, perform the following steps:

Set krb5_fast_use_anonymous_pkinit to true in the [domain] section of the sssd.conf file.
Restart SSSD.
In an IdM environment, you can verify that anonymous PKINIT was used to establish the FAST session by logging in as the IdM user. A cache file with the FAST ticket is created and the Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS indicates that anonymous PKINIT was used:
```
klist /var/lib/sss/db/fast_ccache_IPA.VM
Ticket cache: FILE:/var/lib/sss/db/fast_ccache_IPA.VM
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Valid starting Expires Service principal
03/10/2022 10:33:45 03/10/2022 10:43:45 krbtgt/IPA.VM@IPA.VM
```

(JIRA:RHELPLAN-123368)

IdM now supports Random Serial Numbers

With this update, Identity Management (IdM) now includes dogtagpki 11.2.0, which allows you to use Random Serial Numbers version 3 (RSNv3). You can enable RSNv3 by using the --random-serial-numbers option when running ipa-server-install or ipa-ca-install. With RSNv3 enabled, IdM generates fully random serial numbers for certificates and requests in PKI without range management. Using RSNv3, you can avoid range management in large IdM installations and prevent common collisions when reinstalling IdM.

Important

RSNv3 is supported only for new IdM installations. If enabled, it is required to use RSNv3 on all PKI services.

(BZ#747959)

IdM now supports a limit on the number of LDAP binds allowed after a user password has expired

With this enhancement, you can set the number of LDAP binds allowed when the password of an Identity Management (IdM) user has expired:

-1: IdM grants the user unlimited LDAP binds before the user must reset the password. This is the default value, which matches the previous behavior.
0: This value disables all LDAP binds once a password is expired. In effect, the users must reset their password immediately.
1-MAXINT: The value entered allows exactly that many binds post-expiration.

The value can be set in the global password policy and in group policies.

Note that the count is stored per server.

In order for a user to reset their own password they need to bind with their current, expired password. If the user has exhausted all post-expiration binds, then the password must be administratively reset.

(BZ#2091988)

New ipasmartcard_server and ipasmartcard_client roles

With this update, the ansible-freeipa package provides Ansible roles to configure Identity Management (IdM) servers and clients for smart card authentication. The ipasmartcard_server and ipasmartcard_client roles replace the ipa-advise scripts to automate and simplify the integration. The same inventory and naming scheme are used as in the other ansible-freeipa roles.

(BZ#2076567)

IdM now supports configuring an AD Trust with Windows Server 2022

With this enhancement, you can establish a cross-forest trust between Identity Management (IdM) domains and Active Directory forests that use Domain Controllers running Windows Server 2022.

(BZ#2122716)

The ipa-dnskeysyncd and ipa-ods-exporter debug messages are no longer logged to /var/log/messages by default

Previously, ipa-dnskeysyncd, the service that is responsible for the LDAP-to-OpenDNSSEC synchronization, and ipa-ods-exporter, the Identity Management (IdM) OpenDNSSEC exporter service, logged all debug messages to /var/log/messages by default. As a consequence, log files grew substantially. With this enhancement, you can configure the log level by setting debug=True in the /etc/ipa/dns.conf file. For more information, refer to default.conf(5), the man page for the IdM configuration file.

(BZ#2083218)

samba rebased to version 4.16.1

The samba packages have been upgraded to upstream version 4.16.1, which provides bug fixes and enhancements over the previous version:

By default, the smbd process automatically starts the new samba-dcerpcd process on demand to serve Distributed Computing Environment / Remote Procedure Calls (DCERPC). Note that Samba 4.16 and later always requires samba-dcerpcd to use DCERPC. If you disable the rpc start on demand helpers setting in the [global] section in the /etc/samba/smb.conf file, you must create a systemd service unit to run samba-dcerpcd in standalone mode.
The Cluster Trivial Database (CTDB) recovery master role has been renamed to leader. As a result, the following ctdb sub-commands have been renamed:
- recmaster to leader
- setrecmasterrole to setleaderrole
The CTDB recovery lock configuration has been renamed to cluster lock.
CTDB now uses leader broadcasts and an associated timeout to determine if an election is required.

Note that the server message block version 1 (SMB1) protocol is deprecated since Samba 4.11 and will be removed in a future release.

Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Note that Red Hat does not support downgrading tdb database files.

After updating Samba, verify the /etc/samba/smb.conf file using the testparm utility.

For further information about notable changes, read the upstream release notes before updating.

(BZ#2077487)

SSSD now supports direct integration with Windows Server 2022

With this enhancement, you can use SSSD to directly integrate your RHEL system with Active Directory forests that use Domain Controllers running Windows Server 2022.

(BZ#2070793)

Improved SSSD multi-threaded performance

Previously, SSSD serialized parallel requests from multi-threaded applications, such as Red Hat Directory Server and Identity Management. This update fixes all SSSD client libraries, such as nss and pam, so they do not serialize requests, therefore allowing requests from multiple threads to be executed in parallel for better performance. To enable the previous behavior of serialization, set the environment variable SSS_LOCKFREE to NO.

(BZ#1978119)

Directory Server now supports canceling the Auto Membership plug-in task.

Previously, the Auto Membership plug-in task could generate high CPU usage on the server if Directory Server has complex configuration (large groups, complex rules and interaction with other plugins). With this enhancement, you can cancel the Auto Membership plug-in task. As a result, performance issues no longer occur.

(BZ#2052527)

Directory Server now supports recursive delete operations when using ldapdelete

With this enhancement, Directory Server now supports the Tree Delete Control [1.2.840.113556.1.4.805] OpenLDAP control. As a result, you can use the ldapdelete utility to recursively delete subentries of a parent entry.

(BZ#2057063)

You can now set basic replication options during the Directory Server installation

With this enhancement, you can configure basic replication options like authentication credentials and changelog trimming during an instance installation using an .inf file.

(BZ#2057066)

Directory Server now supports instance creation by a non-root user

Previously, non-root users were not able to create Directory Server instances. With this enhancement, a non-root user can use the dscreate ds-root subcommand to configure an environment where dscreate,dsctl,dsconf commands are used as usual to create and administer Directory Server instances.

(BZ#1872451)

pki packages renamed to idm-pki

The following pki packages are now renamed to idm-pki to better distinguish between IDM packages and Red Hat Certificate System ones:

idm-pki-tools
idm-pki-acme
idm-pki-base
idm-pki-java
idm-pki-ca
idm-pki-kra
idm-pki-server
python3-idm-pki

(BZ#2139877)

4.16. Graphics infrastructures

Wayland is now enabled with Matrox GPUs

The desktop session now enables the Wayland back end with Matrox GPUs.

In previous releases, Wayland was disabled with Matrox GPUs due to performance and other limitations. These problems have now been fixed.

You can still switch the desktop session from Wayland back to Xorg. For more information, see Overview of GNOME environments.

(BZ#2097308)

12th generation Intel Core GPUs are now supported

This release adds support for several integrated GPUs for the 12th Gen Intel Core CPUs. This includes Intel UHD Graphics and Intel Xe integrated GPUs found with the following CPU models:

Intel Core i3 12100T through Intel Core i9 12900KS
Intel Pentium Gold G7400 and G7400T
Intel Celeron G6900 and G6900T
Intel Core i5-12450HX through Intel Core i9-12950HX
Intel Core i3-1220P through Intel Core i7-1280P

(JIRA:RHELPLAN-135601)

Support for new AMD GPUs

This release adds support for several AMD Radeon RX 6000 Series GPUs and integrated graphics of the AMD Ryzen 6000 Series CPUs.

The following AMD Radeon RX 6000 Series GPU models are now supported:

AMD Radeon RX 6400
AMD Radeon RX 6500 XT
AMD Radeon RX 6300M
AMD Radeon RX 6500M

AMD Ryzen 6000 Series includes integrated GPUs found with the following CPU models:

AMD Ryzen 5 6600U
AMD Ryzen 5 6600H
AMD Ryzen 5 6600HS
AMD Ryzen 7 6800U
AMD Ryzen 7 6800H
AMD Ryzen 7 6800HS
AMD Ryzen 9 6900HS
AMD Ryzen 9 6900HX
AMD Ryzen 9 6980HS
AMD Ryzen 9 6980HX

(JIRA:RHELPLAN-135602)

4.17. The web console

Update progress page in the web console now supports an automatic restart option

The update progress page now has a Reboot after completion switch. This reboots the system automatically after installing the updates.

(BZ#2056786)

4.18. Red Hat Enterprise Linux System Roles

The network RHEL System Role supports network configuration using the nmstate API

With this update, the network RHEL System Role supports network configuration through the nmstate API. Users can now directly apply the configuration of the required network state to a network interface instead of creating connection profiles. The feature also allows partial configuration of a network. As a result, the following benefits exist:

decreased network configuration complexity
reliable way to apply the network state changes
no need to track the entire network configuration

(BZ#2072385)

Users can create connections with IPoIB capability using the network RHEL System Role

The infiniband connection type of the network RHEL System Role now supports the Internet Protocol over Infiniband (IPoIB) capability. To enable this feature, define a value to the p_key option of infiniband. Note that if you specify p_key, the interface_name option of the network_connections variable must be left unset. The previous implementation of the network RHEL System Role did not properly validate the p_key value and the interface_name option for the infiniband connection type. Therefore, the IPoIB functionality never worked before. For more information, see a README file in the /usr/share/doc/rhel-system-roles/network/ directory.

(BZ#2086965)

HA Cluster RHEL System Role now supports SBD fencing and configuration of Corosync settings

The HA Cluster System Role now supports the following features:

SBD fencing: Fencing is a crucial part of HA cluster configuration. SBD provides a means for nodes to reliably self-terminate when fencing is required. SBD fencing can be particularly useful in environments where traditional fencing mechanisms are not possible. It is now possible to configure SBD fencing with the HA Cluster System Role.
Corosync settings: The HA Cluster System role now supports the configuration of Corosync settings, such as transport, compression, encryption, links, totem, and quorum. These settings are required to match cluster configuration with customers' needs and environment when the default settings are not suitable.

(BZ#2065337, BZ#2070452, BZ#2079626, BZ#2098212, BZ#2120709, BZ#2120712)

The network RHEL role now configures network settings for routing rules

Previously, you could route the packet based on the destination address field in the packet, but you could not define the source routing and other policy routing rules. With this enhancement, network RHEL role supports routing rules so that the users have control over the packet transmission or route selection.

(BZ#2079622)

The new previous:replaced configuration enables firewall system role to reset the firewall settings to default

System administrators who manage different sets of machines, where each machine has different pre-existing firewall settings, can now use the previous: replaced configuration in the firewall role to ensure that all machines have the same firewall configuration settings. The previous: replaced configuration can erase all the existing firewall settings and replace them with consistent settings.

(BZ#2043010)

New option in the postfix RHEL System Role for overwriting previous configuration

If you manage a group of systems which have inconsistent postfix configurations, you may want to make the configuration consistent on all of them. With this enhancement, you can specify the previous: replaced option within the postfix_conf dictionary to remove any existing configuration and apply the desired configuration on top of a clean postfix installation. As a result, you can erase any existing postfix configuration and ensure consistency on all the systems being managed.

(BZ#2065383)

Enhanced microsoft.sql.server RHEL system role

The following new variables are now available for the microsoft.sql.server RHEL system role:

Variables with the mssql_ha_ prefix to control configuring a high availability cluster.
The mssql_tls_remote_src variable to search for mssql_tls_cert and mssql_tls_private_key values on managed nodes. If you keep the default false setting, the role searches for these files on the control node.
The mssql_manage_firewall variable to manage firewall ports automatically. If this variable is set to false, you must enable firewall ports manually.
The mssql_pre_input_sql_file and mssql_post_input_sql_file variables to control whether you want to run the SQL scripts before the role execution or after it. These new variables replace the former mssql_input_sql_file variable, which did not allow you to influence the time of SQL script execution.

(BZ#2066337)

The logging RHEL System Role supports options startmsg.regex and endmsg.regex in files inputs

With this enhancement, you can now filter log messages coming from files by using regular expressions. Options startmsg_regex and endmsg_regex are now included in the files’ input. The startmsg_regex represents the regular expression that matches the start part of a message, and the endmsg_regex represents the regular expression that matches the last part of a message. As a result, you can now filter messages based upon properties such as date-time, priority, and severity.

(BZ#2112145)

The sshd RHEL System Role verifies the include directive for the drop-in directory

The sshd RHEL System Role on RHEL 9 manages only a file in the drop-in directory, but previously did not verify that the directory is included from the main sshd_config file. With this update, the role verifies that sshd_config contains the include directive for the drop-in directory. As a result, the role more reliably applies the provided configuration.

(BZ#2052081)

The sshd RHEL System Role can be managed through /etc/ssh/sshd_config

The sshd RHEL System Role applied to a RHEL 9 managed node places the SSHD configuration in a drop-in directory (/etc/ssh/sshd_config.d/00-ansible_system_role.conf by default). Previously, any changes to the /etc/ssh/sshd_config file overwrote the default values in 00-ansible_system_role.conf. With this update, you can manage SSHD by using /etc/ssh/sshd_config instead of 00-ansible_system_role.conf while preserving the system default values in 00-ansible_system_role.conf.

(BZ#2052086)

The metrics role consistently uses "Ansible_managed" comment in its managed configuration files

With this update, the metrics role inserts the "Ansible managed" comment to the configuration files, using the Ansible standard ansible_managed variable. The comment indicates that the configuration files should not be directly edited because the metrics role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.

(BZ#2065392)

The storage RHEL System Role now supports managing the pool members

The storage RHEL System Role can now add or remove disks from existing LVM pools without removing the pool first. To increase the pool capacity, the storage RHEL system role can add new disks to the pool and free currently allocated disks in the pool for another use.

(BZ#2072742)

Support for thinly provisioned volumes is now available in the storage RHEL System Role

The storage RHEL System Role can now create and manage thinly provisioned LVM logical volumes (LVs). Thin provisioned LVs are allocated as they are written, allowing better flexibility when creating volumes as physical storage provided for thin provisioned LVs can be increased later as the need arises. LVM thin provisioning also allows creating more efficient snapshots because the data blocks common to a thin LV and any of its snapshots are shared.

(BZ#2072745)

Better support for cached volumes is available in the storage RHEL System Role

The storage RHEL System Role can now attach cache to existing LVM logical volumes. LVM cache can be used to improve performance of slower logical volumes by temporarily storing subsets of an LV’s data on a smaller, faster device, for example an SSD. This enhances the previously added support for creating cached volumes by allowing adding (attaching) a cache to an existing, previously uncached volume.

(BZ#2072746)

The logging RHEL System Role now supports template, severity and facility options

The logging RHEL System Role now features new useful severity and facility options to the files inputs as well as a new template option to the files and forwards outputs. Use the template option to specify the traditional time format by using the parameter traditional, the syslog protocol 23 format by using the parameter syslog, and the modern style format by using the parameter modern. As a result, you can now use the logging role to filter by the severity and facility as well as to specify the output format by template.

(BZ#2075119)

RHEL System Roles now available also in playbooks with fact gathering disabled

Ansible fact gathering might be disabled in your environment for performance or other reasons. Previously, it was not possible to use RHEL System Roles in such configurations. With this update, the system detects the ANSIBLE_GATHERING=explicit parameter in your configuration and gather_facts: false parameter in your playbooks, and use the setup: module to gather only the facts required by the given role, if not available from the fact cache.

Note

If you have disabled Ansible fact gathering due to performance, you can enable Ansible fact caching instead, which does not cause a performance hit of retrieving them from source.

(BZ#2078989)

The storage role now has less verbosity by default

The storage role output is now less verbose by default. With this update, users can increase the verbosity of storage role output to only produce debugging output if they are using Ansible verbosity level 1 or above.

(BZ#2079627)

The firewall RHEL System Role does not require the state parameter when configuring masquerade or icmp_block_inversion

When configuring custom firewall zones, variables masquerade and icmp_block_inversion are boolean settings. A value of true implies state: present and a value of false implies state: absent. Therefore, the state parameter is not required when configuring masquerade or icmp_block_inversion.

(BZ#2093423)

You can now add, update, or remove services using absent and present states in the firewall RHEL System Role

With this enhancement, you can use the present state to add ports, modules, protocols, services, and destination addresses, or use the absent state to remove them. Note that to use the absent and present states in the firewall RHEL System Role, set the permanent option to true. With the permanent option set to true, the state settings apply until changed, and remain unaffected by role reloads.

(BZ#2100292)

The firewall system role can add or remove an interface to the zone using PCI device ID

Using the PCI device ID, the firewall system role can now assign or remove a network interface to or from a zone. Previously, if only the PCI device ID was known instead of the interface name, users had to first identify the corresponding interface name to use the firewall system role. With this update, the firewall system role can now use the PCI device ID to manage a network interface in a zone.

(BZ#2100942)

The firewall RHEL System Role can provide Ansible facts

With this enhancement, you can now gather the firewall RHEL System Role’s Ansible facts from all of your systems by including the firewall: variable in the playbook with no arguments. To gather a more detailed version of the Ansible facts, use the detailed: true argument, for example:

vars:
  firewall:
    detailed: true

(BZ#2115154)

Added setting of seuser and selevel to the selinux RHEL System Role

Sometimes, it is necessary to set seuser and selevel parameters when setting SELinux context file system mappings. With this update, you can use the seuser and selevel optional arguments in selinux_fcontext to specify SELinux user and level in the SELinux context file system mappings.

(BZ#2115157)

New cockpit System Role variable for setting a custom listening port

The cockpit System Role introduces the cockpit_port variable that allows you to set a custom listening port other than the default 9090 port. Note that if you decide to set a custom listening port, you will also need to adjust your SELinux policy to allow the web console to listen on that port.

(BZ#2115152)

The metrics role can export postfix performance data

You can now use the new metrics_from_postfix boolean variable in the metrics role for recording and detailed performance analysis. With this enhancement, setting the variable enables the pmdapostfix metrics agent on the system, making statistics about postfix available.

(BZ#2051737)

The postfix role consistently uses "Ansible_managed" comment in its managed configuration files

The postfix role generates the /etc/postfix/main.cf configuration file. With this update, the postfix role inserts the "Ansible managed" comment to the configuration files, using the Ansible standard ansible_managed variable. The comment indicates that the configuration files should not be directly edited because the postfix role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.

(BZ#2065393)

The nbde-client RHEL System Role supports static IP addresses

In previous versions of RHEL, restarting a system with a static IP address and configured with the nbde_client RHEL System Role changed the system’s IP address. With this update, systems with static IP addresses are supported by the nbde_client role, and their IP addresses do not change after a reboot.

Note that by default, the nbde_client role uses DHCP when booting, and switches to the configured static IP after the system is booted.

(BZ#2070462)

4.19. Virtualization

RHEL web console now features RHEL as an option for the Download an OS VM workflow

With this enhancement, the RHEL web console now supports the installation of RHEL virtual machines (VMs) using the default Download an OS workflow. As a result, you can download and install the RHEL OS as a VM directly within the web console.

(JIRA:RHELPLAN-121982)

Improved KVM architectural compliance

With this update, the architectural compliance of the KVM hypervisor has now been enhanced and made stricter. As a result, the hypervisor is now better prepared to address future changes to Linux-based and other operating systems.

(JIRA:RHELPLAN-117713)

ap-check is now available in RHEL 9

The mdevctl tool now provides a new ap-check support utility. You can use mdevctl to persistently configure cryptographic adapters and domains that are allowed for pass-through usage into virtual machines as well as the matrix and vfio-ap devices. With mdevctl, you do not have to reconfigure these adapters, domains, and devices after every IPL. In addition, mdevctl prevents the distributor from inventing other ways to reconfigure them.

When invoking mdevctl commands for vfio-ap devices, the new ap-check support utility is invoked as part of the mdevctl command to perform additional validity checks against vfio-ap device configurations.

In addition, the chzdev tool now provides the ability to manage the system-wide Adjunct Processor (AP) mask settings, which determine what AP resources are available for vfio-ap devices. When used, chzdev makes it possible to persist these settings by generating an associated udev rule. Using lszdev, you can can now also query the system-wide AP mask settings.

(BZ#1870699)

open-vm-tools rebased to 12.0.5

The open-vm-tools packages have been upgraded to version 12.0.5, which introduces a number of bug fixes and new features. Most notably, support has been added for the Salt Minion tool to be managed through guest OS variables.

(BZ#2061193)

Selected VMs on IBM Z can now boot with kernel command lines longer than 896 bytes

Previously, booting a virtual machine (VM) on a RHEL 9 IBM Z host always failed if the kernel command line of the VM was longer than 896 bytes. With this update, the QEMU emulator can handle kernel command lines longer than 896 bytes. As a result, you can now use QEMU direct kernel boot for VMs with very long kernel command lines, if the VM kernel supports it. Specifically, to use a command line longer than 896 bytes, the VM must use Linux kernel version 5.16-rc1 or later.

(BZ#2044218)

The Secure Execution feature on IBM Z now supports remote attestation

The Secure Execution feature on the IBM Z architecture now supports remote attestation. The pvattest utility can create a remote attestation request to verify the integrity of a guest that has Secure Execution enabled.

Additionally, it is now possible to inject interrupts to guests with Secure Execution through the use of GISA.

(BZ#2001936, BZ#2044300)

VM memory preallocation using multiple threads

You can now define multiple CPU threads for virtual machine (VM) memory allocation in the domain XML configuration, for example as follows:

<memoryBacking>
  <allocation threads='8'/>
</memoryBacking>

This ensures that more than one thread is used for allocating memory pages when starting a VM. As a result, VMs with multiple allocation threads configured start significantly faster, especially if the VMs has large amounts of RAM assigned and backed by hugepages.

(BZ#2064194)

RHEL 9 guests now support SEV-SNP

On virtual machines (VMs) that use RHEL 9 as a guest operating system, you can now use AMD Secure Encrypted Virtualization (SEV) with the Secure Nested Paging (SNP) feature. Among other benefits, SNP enhances SEV by improving its memory integrity protection, which helps prevent hypervisor-based attacks such as data replay or memory re-mapping. Note that for SEV-SNP to work on a RHEL 9 VM, the host running the VM must support SEV-SNP as well.

(BZ#2169738)

4.20. RHEL in cloud environments

New SSH module for cloud-init

With this update, an SSH module has been added to the cloud-init utility, which automatically generates host keys during instance creation.

Note that with this change, the default cloud-init configuration has been updated. Therefore, if you had a local modification, make sure the /etc/cloud/cloud.cfg contains "ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']" line.

Otherwise, cloud-init creates an image which fails to start the sshd service. If this occurs, do the following to work around the problem:

Make sure the /etc/cloud/cloud.cfg file contains the following line:
```
ssh_genkeytypes:  ['rsa', 'ecdsa', 'ed25519']
```
Check whether /etc/ssh/ssh_host_* files exist in the instance.
If the /etc/ssh/ssh_host_* files do not exist, use the following command to generate host keys:
```
cloud-init single --name cc_ssh
```
Restart the sshd service:
```
systemctl restart sshd
```

(BZ#2115791)

4.21. Containers

The Container Tools packages have been updated

The Container Tools packages which contain the Podman, Buildah, Skopeo, crun, and runc tools are now available. This update provides a list of bug fixes and enhancements over the previous version.

Notable changes include:

The podman pod create command now supports setting the CPU and memory limits. You can set a limit for all containers in the pod, while individual containers within the pod can have their own limits.
The podman pod clone command creates a copy of an existing pod.
The podman play kube command now supports the security context settings using the BlockDevice and CharDevice volumes.
Pods created by the podman play kube can now be managed by systemd unit files using a podman-kube@<service>.service (for example systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service).
The podman push and podman push manifest commands now support the sigstore signatures.
The Podman networks can now be isolated by using the podman network --opt isolate command.

Podman has been upgraded to version 4.2, for further information about notable changes, see the upstream release notes.

(JIRA:RHELPLAN-118462)

GitLab Runner is now available on RHEL using Podman

Beginning with GitLab Runner 15.1, you can use Podman as the container runtime in the GitLab Runner Docker Executor. For more details, see GitLab’s Release Note.

(JIRA:RHELPLAN-101140)

Podman now supports the --health-on-failure option

The podman run and podman create commands now support the --health-on-failure option to determine the actions to be performed when the status of a container becomes unhealthy.

The --health-on-failure option supports four actions:

none: Take no action, this is the default action.
kill: Kill the container.
restart: Restart the container.
stop: Stop the container.

Note

Do not combine the restart action with the --restart option. When running inside of a systemd unit, consider using the kill or stop action instead to make use of systemd’s restart policy.

(BZ#2097708)

Netavark network stack is now available

The Netavark stack is a network configuration tool for containers. In RHEL 9, the Netavark stack is fully supported and enabled by default.

This network stack has the following capabilities:

Configuration of container networks using the JSON configuration file
Creating, managing, and removing network interfaces, including bridge and MACVLAN interfaces
Configuring firewall settings, such as network address translation (NAT) and port mapping rules
IPv4 and IPv6
Improved capability for containers in multiple networks
Container DNS resolution using the aardvark-dns project

Note

You have to use the same version of Netavark stack and the aardvark-dns authoritative DNS server.

(JIRA:RHELPLAN-132023)

New package: catatonit in the CRB repository

A new catatonit package is now available in the CodeReady Linux Builder (CRB) repository. The catatonit package is used as a minimal init program for containers and can be included within the application container image. Note that packages included in the CodeReady Linux Builder repository are unsupported.

Note that since RHEL 9.0, the podman-catonit package is available in the AppStream repository. The podman-catatonit package is used only by the Podman tool.

(BZ#2074193)

Select Your Language

Chapter 4. New features

4.1. Installer and image creation

4.2. RHEL for Edge

4.3. Subscription management

4.4. Software management

4.5. Shells and command-line tools

4.6. Infrastructure services

4.7. Security

4.8. Networking

4.9. Kernel

4.10. Boot loader

4.11. File systems and storage

4.12. High availability and clusters

4.13. Dynamic programming languages, web and database servers

4.14. Compilers and development tools

4.15. Identity Management

4.16. Graphics infrastructures

4.17. The web console

4.18. Red Hat Enterprise Linux System Roles

4.19. Virtualization

4.20. RHEL in cloud environments

4.21. Containers

Quick Links

Help

Site Info

Related Sites

About

Red Hat legal and privacy links

Red Hat legal and privacy links

Language and Page Formatting Options

Chapter 4. New features

4.1. Installer and image creation

4.2. RHEL for Edge

4.3. Subscription management

4.4. Software management

4.5. Shells and command-line tools

4.6. Infrastructure services

4.7. Security

4.8. Networking

4.9. Kernel

4.10. Boot loader

4.11. File systems and storage

4.12. High availability and clusters

4.13. Dynamic programming languages, web and database servers

4.14. Compilers and development tools

4.15. Identity Management

4.16. Graphics infrastructures

4.17. The web console

4.18. Red Hat Enterprise Linux System Roles

4.19. Virtualization

4.20. RHEL in cloud environments

4.21. Containers

Quick Links

Help

Site Info

Related Sites

Systems Status

About

Red Hat legal and privacy links

Red Hat legal and privacy links