Menu Close
Settings Close

Language and Page Formatting Options

Chapter 9. Technology Previews

This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 9.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

9.1. Shells and command-line tools

ReaR available on the 64-bit IBM Z architecture as a Technology Preview

Basic Relax and Recover (ReaR) functionality is now available on the 64-bit IBM Z architecture as a Technology Preview. You can create a ReaR rescue image on IBM Z only in the z/VM environment. Backing up and recovering logical partitions (LPARs) has not been tested.

The only output method currently available is Initial Program Load (IPL). IPL produces a kernel and an initial ramdisk (initrd) that can be used with the zIPL bootloader.


Currently, the rescue process reformats all the DASDs (Direct Attached Storage Devices) connected to the system. Do not attempt a system recovery if there is any valuable data present on the system storage devices. This also includes the device prepared with the zIPL bootloader, ReaR kernel, and initrd that were used to boot into the rescue environment. Ensure to keep a copy.

For more information, see Using a ReaR rescue image on the 64-bit IBM Z architecture.


GIMP available as a Technology Preview in RHEL 9

GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. The gimp package version 2.99.8 is a pre-release version with a set of improvements, but a limited set of features and no guarantee for stability. As soon as the official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release version.

In RHEL 9, you can install gimp easily as an RPM package.


9.2. Security

gnutls now uses KTLS as a Technology Preview

The updated gnutls packages can use Kernel TLS (KTLS) for accelerating data transfer on encrypted channels as a Technology Preview. To enable KTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:

ktls = true

Note that the current version does not support updating traffic keys through TLS KeyUpdate messages, which impacts the security of AES-GCM ciphersuites. See the RFC 7841 - TLS 1.3 document for more information.


9.3. Networking

WireGuard VPN is available as a Technology Preview

WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.

For further details, see Setting up a WireGuard VPN.


Configuring Multipath TCP using NetworkManager is available as a Technology Preview

With this update, the NetworkManager utility provides you with the Multipath TCP (MPTCP) functionality. You can use nmcli commands to control MPTCP and make its settings persistent.

For more information, see Understanding Multipath TCP: High availability for endpoints and the networking highway of the future and RFC 8684: TCP Extensions for Multipath Operation with Multiple Addresses.


KTLS available as a Technology Preview

RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.


The systemd-resolved service is available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

Note that systemd-resolved is an unsupported Technology Preview.


9.4. Kernel

The Intel data streaming accelerator driver for kernel is available as a Technology Preview

The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a Technology Preview. It is an Intel CPU integrated accelerator and includes the shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).


SGX available as a Technology Preview

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. The version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology.


The Soft-iWARP driver is available as a Technology Preview

Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This protocol suite is fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.


9.5. File systems and storage

DAX is now available for ext4 and XFS as a Technology Preview

In RHEL 9, the DAX file system is available as a Technology Preview. DAX provides means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a DAX compatible file system must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.


Stratis is available as a Technology Preview

Stratis is a local storage manager. It provides managed file systems on top of pools of storage with additional features to the user:

  • Manage snapshots and thin provisioning
  • Automatically grow file system sizes as needed
  • Maintain file systems

To administer Stratis storage, use the stratis utility, which communicates with the stratisd background service.

Stratis is provided as a Technology Preview.

For more information, see the Stratis documentation: Setting up Stratis file systems.


NVMe-oF Discovery Service features available as a Technology Preview

The NVMe-oF Discovery Service features, defined in the Technical Proposals (TP) 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the website.


nvme-stas package available as a Technology Preview

The nvme-stas package, which is a Central Discovery Controller (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, and Automatic (zeroconf) and Manual configuration.

This package consists of two daemons, Storage Appliance Finder (stafd) and Storage Appliance Connector (stacd).


9.6. Dynamic programming languages, web and database servers

A new nodejs:18 module stream available as a Technology Preview

A new module stream, nodejs:18, is now available as a Technology Preview. A future update will provide a Long Term Support (LTS) version of Node.js 18, which will be fully supported.

Node.js 18 included in RHEL 9.1 provides numerous new features together with bug and security fixes over Node.js 16.

Notable changes include:

  • The V8 engine has been upgraded to version 10.2.
  • The npm package manager has been upgraded to version 8.19.2.
  • Node.js now provides a new experimental fetch API.
  • Node.js now provides a new experimental node:test module, which facilitates the creation of tests that report results in the Test Anything Protocol (TAP) format.

To install the nodejs:18 module stream, use:

# dnf module install nodejs:18


9.7. Compilers and development tools

jmc-core and owasp-java-encoder available as a Technology Preview

RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features.

jmc-core is a library providing core APIs for Java Development Kit (JDK) Mission Control, including libraries for parsing and writing JDK Flight Recording files, as well as libraries for Java Virtual Machine (JVM) discovery through Java Discovery Protocol (JDP).

The owasp-java-encoder package provides a collection of high-performance low-overhead contextual encoders for Java.


9.8. Identity Management

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:

Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.


Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as a Technology Preview.

Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements could change the behavior of a command in an incompatible way. Users are now able to continue using existing tools and scripts even if the IdM API changes. This enables:

  • Administrators to use previous or later versions of IdM on the server than on the managing client.
  • Developers can use a specific version of an IdM call, even if the IdM version changes on the server.

In all cases, the communication with the server is possible, regardless if one side uses, for example, a newer version that introduces new options for a feature.

For details on using the API, see Using the Identity Management API to Communicate with the IdM Server (TECHNOLOGY PREVIEW).


RHEL IdM allows delegating user authentication to external identity providers as a Technology Preview

In RHEL IdM, you can now associate users with external identity providers (IdP) that support the OAuth 2 device authorization flow. When these users authenticate with the SSSD version available in RHEL 9.1, they receive RHEL IdM single sign-on capabilities with Kerberos tickets after performing authentication and authorization at the external IdP.

Notable features include:

  • Adding, modifying, and deleting references to external IdPs with ipa idp-* commands
  • Enabling IdP authentication for users with the ipa user-mod --user-auth-type=idp command

For additional information, see Using external identity providers to authenticate to IdM.


sssd-idp sub-package available as a Technology Preview

The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which are client-side components that perform OAuth2 authentication against Identity Management (IdM) servers. This feature is available only with IdM servers on RHEL 8.7 and higher, and RHEL 9.1 and higher.


SSSD internal krb5 idp plugin available as a Technology Preview

The SSSD krb5 idp plugin allows you to authenticate against an external identity provider (IdP) using the OAuth2 protocol. This feature is available only with IdM servers on RHEL 8.7 and higher, and RHEL 9.1 and higher.


ACME implementation in RHCS available as Technology Preview

Server certificate issuance through an Automated Certificate Management Environment (ACME) responder is available for Red Hat Certificate System (RHCS). The ACME responder supports the ACME v2 protocol (RFC 8555).

Previously, users had to use the Certificate Authority (CA)'s proprietary certificate signing request (CSR) submission routines. The routines sometimes required certificate authority (CA) agents to manually review the requests and issue the certificates.

The RHCS ACME responder now provides a standard mechanism for automatic server certificate issuance and life cycle management without involving CA agents. The feature allows the RHCS CA to integrate with existing certificate issuance infrastructure to target public CAs for deployment and internal CAs for development.

Note that this Technology Preview only includes an ACME server implementation. No ACME client is shipped as part of this release. Additionally, this ACME preview does not retain issuance data or handle user registration.

Be aware that future RHEL updates can potentially break ACME installations.

For more information, see the IETF definition of ACME and Installing ACME Responder on GitHub.


9.9. The web console

Stratis available as a Technology Preview in the RHEL web console

With this update, the Red Hat Enterprise Linux web console provides the ability to manage Stratis storage as a Technology Preview.

To learn more about Stratis, see What is Stratis.


9.10. Virtualization

RHEL VMs can now be deployed to VMware ESXi instances running on ARM64 processors

As a Technology Preview, it is now possible to deploy RHEL virtual machines to VMware ESXi hypervisor instances running on 64-bit ARM-based processors.


AMD SEV and SEV-ES for KVM virtual machines

As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host from modifying the VM’s CPU registers or reading any information from them.

Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. Also note that RHEL 9 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security attestation.


Virtualization is now available on ARM 64

As a Technology Preview, it is now possible to create KVM virtual machines on systems using ARM 64 CPUs.


virtio-mem is now available on AMD64, Intel 64, and ARM 64

As a Technology Preview, RHEL 9 introduces the virtio-mem feature on AMD64, Intel 64, and ARM 64 systems. Using virtio-mem makes it possible to dynamically add or remove host memory in virtual machines (VMs).

To use virtio-mem, define virtio-mem memory devices in the XML configuration of a VM and use the virsh update-memory-device command to request memory device size changes while the VM is running. To see the current memory size exposed by such memory devices to a running VM, view the XML configuration of the VM.

(BZ#2014487, BZ#2044162, BZ#2044172)

9.11. RHEL in cloud environments

RHEL confidential VMs are now available on Azure as a Technology Preview

With the updated RHEL kernel, you can now create and run confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview. However, it is not yet possible to encrypt RHEL confidential VM images during boot on Azure.


9.12. Containers

The capability for multiple trusted GPG keys for signing images is available as a Technology Preview

The /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted keys. Because of this, the container images signed with GA and Beta GPG keys are now accepted in the default configuration.

For example:

"": [
            "type": "signedBy",
            "keyType": "GPGKeys",
            "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]


The sigstore signatures are now available as a Technology Preview

Beginning with Podman 4.2, you can use the sigstore format of container image signatures. The sigstore signatures are stored in the container registry together with the container image without the need to have a separate signature server to store image signatures.