Chapter 4. New features

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.3.

4.1. Installer and image creation

Support to both legacy and UEFI boot for AWS EC2 images

Previously, RHEL image builder created EC2 AMD or Intel 64-bit architecture AMIs images with support only for the legacy boot type. As a consequence, it was not possible to take advantage of certain AWS features requiring UEFI boot, such as secure boot. This enhancement extends the AWS EC2 AMD or Intel 64-bit architecture AMI image to support UEFI boot, in addition to the legacy BIOS boot. As a result, it is now possible to take advantage of AWS features which require booting the image with UEFI.


New boot option inst.wait_for_disks= to add wait time for loading a kickstart file or the kernel drivers

Sometimes, it may take a few seconds to load a kickstart file or the kernel drivers from the device with the OEMDRV label during the boot process. To adjust the wait time, you can now use the new boot option, inst.wait_for_disks=. Using this option, you can specify how many seconds to wait before the installation. The default time is set to 5 seconds, however, you can use 0 seconds to minimize the delay. For more information about this option, see Storage boot options.


Ability to select desired Kernel while installing RHEL on ARM using GUI and TUI

Previously, you could install RHEL on ARM with Kernel-64k page size only by using the Kickstart method. With this update, you can now install RHEL on ARM using the GUI or the TUI and selecting the desired Kernel version. The option to select the desired kernel is available on the Software Selection screen under Kernel Options.


Support for VMware VSphere (OVA)

This update adds support to build VMware VSphere OVA files by using RHEL image builder. The Open Virtual Appliance (OVA) file is a virtual appliance used by the VMware VSphere virtualization application. The OVA file contains files used to describe a virtual machine, such as an OVF descriptor file, one or more virtual machine disk image files (VMDK), optional manifest (MF) and certificate files. By using the VMware VSphere (.ova), you can more easily deploy the image to VMware vSphere by using the vSphere GUI client. You can further customize the resulting VM before you boot the image.


New network kickstart options to control DNS handling

You can now control DNS handling using the network kickstart command with the following new options. Use these new options with the --device option.

  • The --ipv4-dns-search and --ipv6-dns-search options allow you to set DNS search domains manually. These options mirror their respective NetworkManager properties, for example:

    network --device ens3 --ipv4-dns-search,
  • The --ipv4-ignore-auto-dns and --ipv6-ignore-auto-dns options allow you to ignore DNS settings from DHCP. They do not require any arguments.


Minimal RHEL installation now installs only the s390utils-core package

In RHEL 8.4 and later, the s390utils-base package is split into an s390utils-core package and an auxiliary s390utils-base package. As a result, setting the RHEL installation to minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you want to use the s390utils-base package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base using a kickstart file.


4.2. Security

Keylime rebased to version 7.3.0

The Keylime packages have been updated to upstream version 7.3.0. This version provides various enhancements and bug fixes. Most notably, the allow and exclude lists are combined into the Keylime runtime policy. You can combine the two lists by using the script.

In addition, the update fixes two vulnerabilities with the moderate impact rating: CVE-2023-38200 and CVE-2023-38201.


Ports for Keylime have stricter rules in SELinux policy

Ports used by Keylime are now labeled as keylime_port_t in the Keylime SELinux policy. The policy now allows TCP connections for ports with this label. This is because the previous Keylime SELinux policy allowed connecting to all undefined ports and also most of the ports used by Keylime were in the undefined group. As a result, this update increases the granularity of the Keylime SELinux policy, and port security can be more strict and better targeted.


Audit now supports FANOTIFY record fields

This update of the audit packages introduces support for FANOTIFY Audit record fields. The Audit subsystem now logs additional information in the AUDIT_FANOTIFY record, notably:

  • fan_type to specify the type of a FANOTIFY event
  • fan_info to specify additional context information
  • sub_trust and obj_trust to indicate trust levels for a subject and an object involved in an event

As a result, you can better understand why the Audit system denied access in certain cases. This can help you write policies for tools such as the fapolicyd framework.


fapolicyd now provides rule numbers for troubleshooting

With this enhancement, new kernel and Audit components allow the fapolicyd service to send the number of the rule that causes a denial to the fanotify API. As a result, you can troubleshoot problems related to fapolicyd more precisely.


crypto-policies now provides the NO-ENFORCE-EMS subpolicy for TLS 1.2 connections in FIPS mode

The system-wide cryptographic policies now contain the NO-ENFORCE-EMS subpolicy. After applying the new subpolicy, the system no longer requires the Extended Master Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections negotiated in FIPS mode. This allows the system to connect with legacy systems without support for EMS or TLS 1.3. Note that this violates the requirements of the FIPS-140-3 standard. You can apply the subpolicy by entering the update-crypto-policies --set FIPS:NO-ENFORCE-EMS command.


GnuTLS requires EMS with TLS 1.2 in FIPS mode

To comply with the FIPS-140-3 standard, GnuTLS servers and clients require the Extended Master Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections negotiated in FIPS mode. If your scenario requires preserving compatibility with older servers and clients that do not support EMS and you cannot use TLS 1.3, you can apply the NO-ENFORCE-EMS system-wide cryptographic subpolicy:

# update-crypto-policies --set FIPS:NO-ENFORCE-EMS

If you allow TLS 1.2 connections without EMS, your system no longer meets the FIPS-140-3 requirements.


NSS now enforce EMS in FIPS mode

The Network Security Services (NSS) libraries now contain the TLS-REQUIRE-EMS policy to require the Extended Master Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections as mandated by the FIPS 140-3 standard. NSS use the new policy when the system-wide cryptographic policies are set to FIPS.

If your scenario requires interoperating with legacy systems without support for EMS or TLS 1.3, you can apply the NO-ENFORCE-EMS system-wide cryptographic subpolicy. Such a change violates the FIPS-140-3 requirements.


OpenSSL now supports disabling EMS in FIPS mode

You can now configure the OpenSSL cryptographic libraries to allow for TLS 1.2 connections without the Extended Master Secret (EMS) extension (RFC 7627) in FIPS mode by editing the /etc/pki/tls/fips_local.cnf file. In a text editor of your choice, add the following section to the configuration file:

tls1-prf-ems-check = 0
activate = 1

Then, locate the SSL configuration section in the /etc/pki/tls/openssl.cnf file. The default SSL configuration section is crypto_policy. At the end of the SSL configuration section, add the following line:


The previous configuration changes allow the system in FIPS mode to connect with legacy systems without support for EMS or TLS 1.3.


You can stop enforcing EMS for TLS 1.2 in FIPS mode by entering the update-crypto-policies --set FIPS:NO-ENFORCE-EMS command. In both cases, such a configuration change violates the requirements of the FIPS-140-3 standard.


OpenSSH further enforces SHA-2

As part of the effort to migrate further from the less secure SHA-1 message digest for cryptographic purposes, the following changes were made in OpenSSH:

  • Added a check on sshd startup whether using SHA-1 is configured on the system. If it is not available, OpenSSH does not try to use SHA-1 for operations. This eliminates loading DSS keys when they are present and also enforces advertising rsa-sha2 combinations when they are available.
  • On SSH private key conversion, OpenSSH explicitly uses SHA-2 for testing RSA keys.
  • When SHA-1 signatures are unavailable on the server side, sshd uses SHA-2 to confirm host key proof. This might be incompatible with clients on RHEL 8 and earlier versions.
  • When the SHA-1 algorithm is unavailable on the client side, OpenSSH uses SHA-2.
  • On the client side, OpenSSH permits SHA-2-based key proofs from the server when SHA-1 was used in key proof request or when the hash algorithm is not specified (assuming default). This is aligned with the already present exception for RSA certificates, and allows connecting by using modern algorithms when supported.


OpenSSL now contains protections against Bleichenbacher-like attacks

This release of the OpenSSL TLS toolkit introduces API-level protections against Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now returns a randomly generated deterministic message instead of an error if it detects an error when checking padding during a PKCS #1 v1.5 decryption. The change provides general protection against vulnerabilities such as CVE-2020-25659 and CVE-2020-25657.

You can disable this protection by calling the EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0") function on the RSA decryption context, but this makes your system more vulnerable.


OpenSSL now supports Brainpool curves configurable through the Groups option

This update of the OpenSSL TLS toolkit introduces support for Brainpool curves in Elliptic Curve Cryptography (ECC). Additionally, you can control the curves with the system-wide cryptographic policies through the Groups configuration option.

The following Brainpool curves are enabled in OpenSSL ECC:

  • brainpoolP256r1
  • brainpoolP256t1
  • brainpoolP320r1
  • brainpoolP320t1
  • brainpoolP384r1
  • brainpoolP384t1
  • brainpoolP512r1
  • brainpoolP512t1


crypto-policies now supports OpenSSL ECC Brainpool curves

With this update of the system-wide cryptographic policies, you can now control the following Brainpool Elliptic Curve Cryptography (ECC) curves in OpenSSL by using the group option:


For example, you can enable all supported Brainpool elliptic curves in OpenSSL by creating a subpolicy that contains the following line:

group = BRAINPOOL-*+


crypto-policies now use the same group order as OpenSSL by default

In this release, the system-wide cryptographic policies (crypto-policies) control the group order in the OpenSSL Groups configuration option. To preserve the performance in OpenSSL, crypto-policies use the default group order that matches the order of the OpenSSL built-in preferences. As a result, the RHEL cryptographic back ends that support crypto-policies for controlling the group order, such as GnuTLS, now use the same order as OpenSSL.


crypto-policies permitted_enctypes no longer break replications in FIPS mode

Before this update, an IdM server running on RHEL 8 sent an AES-256-HMAC-SHA-1-encrypted service ticket that an IdM replica running RHEL 9 in FIPS mode. Consequently, the default permitted_enctypes krb5 configuration broke a replication between the RHEL 8 IdM server and the RHEL 9 IdM replica in FIPS mode.

This update of the system-wide cryptographic policies reorders the permitted_enctypes krb5 configuration option values to allow prioritization of more interoperable encryption types by default. As a result, the permitted_enctypes configuration no longer break replications between a RHEL 8 IdM servers and a RHEL 9 IdM replica in FIPS mode.


If you use Kerberos, verify the order of the values of permitted_enctypes in the /etc/crypto-policies/back-ends/krb5.config file. If your scenario requires a different order, apply a custom cryptographic subpolicy.


pcsc-lite-ccid rebased to 1.5.2

The pcsc-lite-ccid package has been updated to version 1.5.2. This version provides various bug fixes and enhancements, most notably:

  • Support for new readers
  • Fix for Alcor Micro AU9560


opensc rebased to 0.23

The opensc packages have been updated to version 0.23. This version provides various bug fixes and enhancements, most notably:

  • Added support for encryption and decryption using symmetric keys
  • Added support for signing data with a length of more than 512 bytes
  • Disabled old card driver support by default
  • Removed support for old drivers MioCOS and JCOP


setools rebased to 4.4.3

The setools packages have been updated to version 4.4.3. This version provides various bug fixes and enhancements, most notably:

  • Fixed compilation with Cython 3.0.0
  • Improved man pages
  • Removed unused options in sediff, sesearch, and apol
  • Added the -r option to seinfoflow command to get flows analysis into the source type
  • Rules with no permissions are automatically rejected as an invalid policy

Bugzilla:2231801, Bugzilla:2184140

Additional services confined in the SELinux policy

This update adds additional rules to the SELinux policy that confine the following systemd services:

  • qat
  • systemd-pstore
  • boothd
  • fdo-manufacturing-server
  • fdo-rendezvous-server
  • fdo-client-linuxapp
  • fdo-owner-onboarding-server

As a result, these services do not run with the unconfined_service_t SELinux label anymore, and run successfully in SELinux enforcing mode.

Bugzilla:2080443[1], Bugzilla:2026795, Bugzilla:2128833, Bugzilla:2181565

New SELinux boolean to allow QEMU Guest Agent executing confined commands

Previously, commands that were supposed to execute in a confined context through the QEMU Guest Agent daemon program, such as mount, failed with an Access Vector Cache (AVC) denial. To be able to execute these commands, the guest-agent must run in the unconfined_t domain.

Therefore, this update adds the SELinux policy boolean virt_qemu_ga_run_unconfined that allows guest-agent to transition to the unconfined domain. In addition, the necessary rules for transitions for the qemu-ga daemon have been added to the SELinux policy boolean.

As a result, you can now execute confined commands through the QEMU Guest Agent without AVC denials by enabling the virt_qemu_ga_run_unconfined boolean.


OpenSCAP rebased to 1.3.8

The OpenSCAP packages have been rebased to upstream version 1.3.8. This version provides various bug fixes and enhancements, most notably:

  • Fixed systemd probes to not ignore some systemd units
  • Added offline capabilities to the shadow OVAL probe
  • Added offline capabilities to the sysctl OVAL probe
  • Added auristorfs to the list of network filesystems
  • Created a workaround for issues with tailoring files produced by the autotailor utility


SCAP Security Guide rebased to version 0.1.69

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.69. This version provides various enhancements and bug fixes. Most notably, it introduces three new SCAP profiles for RHEL 9 aligned with the CCN-STIC-610A22 Guide issued by the National Cryptologic Center of Spain in October 2022:

Profile nameProfile IDPolicy version

CCN Red Hat Enterprise Linux 9 - Advanced



CCN Red Hat Enterprise Linux 9 - Basic



CCN Red Hat Enterprise Linux 9 - Intermediate




ANSSI-BP-028 security profiles updated to version 2.0

The following French National Agency for the Security of Information Systems (ANSSI) BP-028 in the SCAP Security Guide were updated to be aligned with version 2.0:

  • ANSSI-BP-028 Minimal Level
  • ANSSI-BP-028 Intermediary Level
  • ANSSI-BP-028 Enhanced Level
  • ANSSI-BP-028 High Level


python3-greenlet-devel is now available in CRB

The python3-greenlet-devel package is now available in the CodeReady Linux Builder (CRB) repository, which you must explicitly enable. See the How to enable and make use of content within CodeReady Linux Builder Knowledgebase article for more information. Note that packages included in the CRB repository are unsupported.


SSG rule to check the group used by the module is simplified

The CIS Benchmark requires restricting the su command in favor of the sudo command. SCAP Security Guide (SSG) fulfills this requirement with the module, which restricts the su command to a specific group. This update improves the rule that checks whether this group exists and has no members. As a result, the rule is more efficient and simplifies the interpretation of the assessment report.


4.3. RHEL for Edge

New FIDO Device Onboarding Servers container images are available

The following FIDO Device Onboarding Servers container images for onboarding IoT and edge computing devices are now available in the Red Hat Container Catalog:

  • rhel9/fdo-manufacturing-server container image
  • rhel9/fdo-owner-onboarding-server container image
  • rhel9/fdo-rendezvous-server container image
  • rhel9/fdo-serviceinfo-api-server container image


The minimal-raw image type now supports 64-bit ARM architectures

With this enhancement, you can create a minimal-raw image type with support for 64-bit ARM architecture, and AMD and Intel 64-bit architectures. The minimal-raw image is pre-packaged, bootable, minimal RPM image, compressed in the xz format. To boot the image, you must decompress it and copy to any bootable device, such as an SD card. To decompress the image, run the following command:

$ xz -d <_uuid-minimal-raw.img_.xz>


The Commit ID is now supported as a value for the --parent argument of composer-cli CLI

You can now use the image Commit ID as a value for the --parent argument of the composer-cli command line. To get the image Commit ID, download and extract the RHEL for Edge Commit image. You can find the ref name and the commit ID in the extracted .tar file.


Support to build RHEL for Edge .ami images

With this enhancement, you have support to build .ami images for RHEL for Edge by using on-prem RHEL image builder. During the initial boot, you can customize the blueprint with Ignition to inject the credentials into the image. You can upload the .ami image to AWS and boot an EC2 instance in AWS.


Support to build .vmdk images for RHEL for Edge

With this enhancement, you have support to build a .vmdk image for RHEL for Edge by using on-prem RHEL image builder. You can customize the blueprint with Ignition to inject the credentials into the image during the initial boot. You can load the image on vSphere and boot the image in a VM vSphere. The image is compatible with ESXi 7.0 U2, ESXi 8.0, and later. The VM is compatible with versions 19 and 20.


You can now log in to an Edge system as the initial user without setting a password

Previously, logging in as the initial user created during the FDO onboarding process did not work because the system asked for a password that was not set with the useradd command. With this enhancement, the password is now set to optional, and you can log in even if you did not previously set a password by using the useradd command. Note that you can log in with an SSH key without entering a password, and if it fails, you will be prompted to enter a password.


4.4. Software management

New DNF Automatic reboot option for an automatic reboot after an upgrade

With this enhancement, you can use the DNF Automatic reboot option to set your system to automatically reboot to apply the changes after an upgrade.

The reboot option supports the following settings:

  • never does not reboot the system. This is the current behavior.
  • when-changed triggers a reboot after any upgrade.
  • when-needed triggers a reboot only when rebooting is required to apply changes, for example, when systemd or the kernel is upgraded.

You can use the reboot_command option to customize the command used to reboot. The default reboot command is shutdown -r.


The new --poweroff option allows you to shut down the system after installing updates

With this enhancement, the new --poweroff option has been added to the reboot command of the dnf system-upgrade plugin. You can use this option to shut down the system after installing updates instead of rebooting.


New dnf leaves and show-leaves plug-ins are now available for the DNF API

leave packages are packages installed on your system that are not required as dependencies of other installed packages.

With this enhancement, the following new DNF plug-ins are available:

  • dnf leaves lists all leave packages.
  • show-leaves lists newly installed leave packages and packages that became leave after a transaction.


4.5. Shells and command-line tools

The NetBackup services are now enabled for backup restoration

When using the NetBackup (NBU) backup method, ReaR now includes the unit files for the NetBackup services version 10.1.1 in the rescue image and starts them when the rescue system boots. As a result, you can restore the system backup by using the NBU backup method during the recovery process and complete the restore successfully.


opencryptoki rebased to 3.21.0

The opencryptoki package has been rebased to version 3.21.0, which provides many enhancements and bug fixes. Most notably, opencryptoki now supports the following features:

  • Concurrent hardware security module (HSM) master key changes
  • The protected-key option to transform a chosen key into a protected key
  • Additional key types, such as DH, DSA, and generic secret key types
  • EP11 host library version 4
  • AES-XTS key type
  • IBM-specific Kyber key type and mechanism
  • Additional IBM-specific Dilithium key round 2 and 3 variants

Additionally, pkcsslotd slot manager no longer runs as root and opencryptoki offers further hardening. With this update, you can also use the following set of new commands:

p11sak set-key-attr
To modify keys
p11sak copy-key
To copy keys
p11sak import-key
To import keys
p11sak export-key
To export keys


Updated systemd-udevd assigns consistent network device names to InfiniBand interfaces

Introduced in RHEL 9, the new version of the systemd package contains the updated systemd-udevd device manager. The device manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd.

You can define custom naming rules for naming InfiniBand interfaces by following the Renaming IPoIB devices using systemd link file procedure.

For more details of the naming scheme, see the man page.


4.6. Infrastructure services

Postfix now supports SRV lookups

With this enhancement, you can now use the Postfix DNS service records resolution (SRV) to automatically configure mail clients and balance load of servers. Additionally, you can prevent mail delivery disruptions caused by temporary DNS issues or misconfigured SRV records by using the following SRV-related options in your Postfix configuration:

You can enable discovery for the specified service by using DNS SRV records.
You can use a cascading approach to locating a service.
You can ensure that the service discovery remains functional even if SRV records are not available or encounter errors.


Generic LF-to-CRLF driver is available in cups-filters

With this enhancement, you can now use the Generic LF-to-CRLF driver, which converts LF characters to CR+LF characters for printers accepting files with CR+LF characters. The carriage return (CR) and line feed (LF) are control characters that mark the end of lines. As a result, by using this driver, you can send an LF character terminated file from your application to a printer accepting only CR+LF characters. The Generic LF-to-CRLF driver is a renamed version of the text-only driver from RHEL 7. The new name reflects its actual functionality.


4.7. Networking

RHEL on ARM now fully supports wifi adapters in RHEL 9.3

With this enhancement, you can now enable access to wifi adapters for several cards for the arm64 platforms.

For details on configuring wifi connections, see Managing wifi connections.


NetworkManager now supports the no-aaaa option in resolv.conf

NetworkManager now supports adding the no-aaaa DNS option in the resolv.conf file. By using the no-aaaa value in the DNS option setting, you can disable IPv6 DNS resolution.


nmstate now supports mixing static DNS search along with dynamic DNS name servers

The nmstate framework now supports both static Domain Name System (DNS) search domains and dynamic DNS nameservers, which nmstate obtained from Dynamic Host Configuration Protocol (DHCP) or the autoconf mechanism. Previously, static DNS search domains could not co-exist with dynamic DNS nameservers because the dynamic configurations were discarded by nmstate. This often led to unnecessary complexity and limitations in network setup and management. This enhancement aims to bring more flexibility in managing DNS configurations. As a result, nmstate attempts to find a network interface to store the DNS configuration in the following order:

  1. The preferred interface, which currently holds the DNS configuration and is still valid for DNS
  2. An automatic interface
  3. An IP enabled interface

Note that this enhancement does not remove the DNS nameservers learned from DHCP.

The following is an example YAML file to apply this feature:

  - name: eth1
    type: ethernet
    state: up
      enabled: true
      dhcp: true
      enabled: true
      dhcp: true
      autoconf: true


nmstate now supports the bridge.vlan-default-pvid NetworkManager configuration option

With this update, you can use the nmstate framework to configure the bridge.vlan-default-pvid NetworkManager configuration option. By using this option, you can set the default port VLAN identifier (PVID) for untagged traffic on a bridge interface that supports VLANs, when you use Linux bridge VLAN filtering. To achieve this result, use the following YAML configuration:

  - name: linux-br0
    type: linux-bridge
    state: up
        vlan-default-pvid: 5
        - name: eth1
          stp-hairpin-mode: false
          stp-path-cost: 100
          stp-priority: 32
            mode: access
            tag: 100

Note that the default value of bridge.vlan-default-pvid is 1. When set to 0 with VLAN filtering enabled, the untagged traffic is dropped.


The NetworkManager service restarts immediately after the dbus service is restarted

Previously, after restarting dbus for some reason, NetworkManager stopped. This behavior was not optimal and caused a loss of connectivity. Therefore, this enhancement updates NetworkManager to become more robust and to make it restart automatically upon a dbus restart.


The nm-cloud-setup utility now supports IMDSv2 configuration

Users can configure an AWS Red Hat Enterprise Linux EC2 instance with Instance Metadata Service Version 2 (IMDSv2) with the nm-cloud-setup utility. To comply with improved security that restricts unauthorized access to EC2 metadata and new features, integration between AWS and Red Hat services is necessary to provide advanced features. This enhancement enables the nm-cloud-setup utility to fetch and save the IMDSv2 tokens, verify an EC2 environment, and retrieve information about available interfaces and IP configuration by using the secured IMDSv2 tokens.


NetworkManager notifies when using the deprecated ifcfg format

Connection profiles in ifcfg format are deprecated in RHEL 9 (see NetworkManager connection profiles in ifcfg format are deprecated). With this update, NetworkManager notifies users about the deprecation of this format:

  • NetworkManager logs the following warning to the systemd journal if it processes a connection profile in ifcfg format in the /etc/sysconfig/network-scripts/ directory:

    Warning: the ifcfg-rh plugin is deprecated, please migrate connections to the keyfile format using "nmcli connection migrate"
  • The nmcli utility reports the following error if you try to modify a property that is not supported in ifcfg format:

    Error: Failed to modify connection '<name>': failed to update connection: The ifcfg-rh plugin doesn't support setting '<property>'. If you are modifying an existing connection profile saved in ifcfg-rh format, please migrate the connection to keyfile using 'nmcli connection migrate <connection_uuid>' or via the Update2() D-Bus API and try again.

As a result of these enhancements, NetworkManager now notifies users if they still use or modify connection profiles in the deprecated ifcfg format.

For further details about migrating profiles from ifcfg to keyfile format, see Migrating NetworkManager profiles from ifcfg to keyfile format.


NetworkManager now supports the lacp_active option in the bonding configuration

By using NetworkManager, the lacp_active option in bonding configuration provides fine-grained control over Link Aggregation Control Protocol Data Units (LACPDU) frames. The lacp_active option also adjusts the behavior of LACPDU frames and controls periodic transmission of these frames in the bonding setup. To customize network configurations, you can enable or disable periodic transmission of LACPDU frames by setting lacp_active to ON or OFF, respectively.


NetworkManager now supports configuration of the ns_ip6_target option for bond interfaces

This enhancement allows setting the arp_interval option by specifying a maximum of 16 IPv6 addresses as monitoring peers in NetworkManager for configuration of the ns_i6_target option for bond interfaces. Previously, it was not possible to specify IPv6 monitoring peers in NetworkManager. With this update, you can configure the ns_ip6_target option in the bond.options parameter by using the nmcli utility. NetworkManager applies this setting to the bond interface by enabling the specification of a maximum of 16 IPv6 addresses. This enhancement equally applies to IPv4 and IPv6 settings.


NetworkManager now supports both static and DHCP IP configuration on the same network interface

By using the nmstate utility, you can now assign a static IP address with dhcp: true and/or autoconf: true value on the DHCP or Ad-Hoc Network Autoconfiguration (autoconf) enabled interface.

With this enhancement, nmstate supports two properties of IP addresses:

  • valid_lft means valid lifetime in seconds
  • preferred_lft means preferred lifetime in seconds

Default value of both parameters is forever which means static.

With above properties, nmstate can ignore DHCP/autoconf based IP addresses to avoid converting dynamic IP addresses to static IP after applying the queried state back. If your scenario requires having disabled DHCP/autoconf settings with dynamic IP addresses, nmstate converts those dynamic IP to static IP addresses.


nmstate supports MAC address identifiable network interface

The nmstate utility supports network configuration directly to a network interface with a MAC address instead of an interface name.

This enhancement introduces two properties to the base interface:

  • identifier : identifies name or mac-address on a network. The default value is name.
  • profile-name : string

When the identifier variable is set to the mac-address value, nmstate uses the interface.mac-address over to choose a network interface for a specific network state. When storing the network configuration, if the interface.profile-name variable is not assigned, nmstate prefers interface.profile-name over If you check the current network state, the interface.profile-name remains hidden if it is equal to


NetworkManager supports defining after how many failed ARP checks the bonding driver marks a port as down

This enhancement adds the arp_missed_max option to bond connection profiles in NetworkManager. If you use the Address Resolution Protocol (ARP) monitor to check if ports of a bond are up, you can now set arp_missed_max to define after how many failed checks the bonding driver marks the port as down.


NetworkManager supports specifying link-related properties

This enhancement adds the following network link properties to NetworkManager connection profiles:

  • link.tx-queue-length - The size of the transmit (TX) queue length in number of packets.
  • link.gro-max-size - The maximum size in bytes of a Generic Receive Offload (GRO) packet the device accepts.
  • link.gso-max-segments - The maximum number of segments of a Generic Segmentation Offload (GSO) packet the device accepts.
  • link.gso-max-size - The maximum size in bytes of a GSO packet.

Previously, you could configure these kernel settings only by using ip commands or by using such commands in NetworkManager dispatcher scripts. With this enhancement, you can now configure these settings directly in connection profiles.

Note that NetworkManager supports these properties only in connection profiles in keyfile format and not in the deprecated ifcfg format.


The nmstate API support available for dhcp-send-hostname and dhcp-custom-hostname DHCP options

With this enhancement, the nmstate utility supports configuration of the following two DHCP options in the connection file:

  • dhcp-send-hostname: true or false value. If a DHCP request needs the hostname or fully qualified domain name (FQDN) option, the hostname from that option is set. The default is true.
  • dhcp-custom-hostname: <string>. Use this option to configure the hostname or FQDN option in a DHCP request, value type is string.

    For DHCPv4 network protocols
  • If the hostname is FQDN, see the Fully Qualified Domain Name (FQDN), option (81) in RFC 4702.
  • If the hostname is not FQDN, see the Host Name, option (12) in RFC 2132.

    For DHCPv6 network protocols

    Supports custom string, empty domain name, overrides the hostname for a DHCP request. See the Fully Qualified Domain Name (FQDN), option (29) in RFC 4704.


NetworkManager rebased to version 1.44.0

The NetworkManager packages have been upgraded to upstream version 1.44.0, which provides a number of enhancements and bug fixes over the previous version:

  • Link-related properties have been added to NetworkManager.
  • The arp_missed_max, lacp_active, and ns_ip6_target properties have been added to bond connection profiles.
  • You can now set a DHCPv6 prefix delegation hint in the ipv6.dhcp-pd-hint connection property.
  • Enabling the new rename parameter in the [keyfile] section of the /etc/NetworkManager/NetworkManager.conf file causes NetworkManager to rename a connection profile in /etc/NetworkManager/system-connections/ if you change a profile name ( If external applications or scripts rely on the file names, do not enable this parameter.
  • When you set a hostname that contains a non-public top-level domain (TLD), NetworkManager now uses this TLD as DNS search domain instead of the full hostname.
  • NetworkManager now applies DNS options from the [global-dns] section in the /etc/NetworkManager/NetworkManager.conf file.
  • To avoid race conditions with other depending services, NetworkManager now acquires the D-Bus name only after populating the D-Bus tree. Note that this can add a delay when NetworkManager starts.
  • NetworkManager now adds a version-id argument to Update2() D-Bus calls to prevent concurrent profile modifications.
  • NetworkManager no longer uses tentative IPv6 addresses to resolve the system hostname from DNS.
  • To prevent unexpected behaviors in case of multi-connect profiles, NetworkManager now tracks the number of auto-connect retries left for each device and connection instead of only per connection.
  • NetworkManager sets VLAN filtering options by using the kernel’s netlink interface instead of the sysfs file system.
  • The nm-cloud-setup utility now supports Instance Metadata Service Version 2 (IDMSv2) on Amazon EC2.
  • Users can now enable and disable wifi and Wireless Wide Area Networks (WWANs) in the nmtui application.
  • Bond, bridge, and team connections now use the ignore-carrier=no setting in the [main] section of the /etc/NetworkManager/NetworkManager.conf file.


SCTP rebased to the latest version of the kernel networking tree for RHEL 9

Notable changes in the Stream Control Transmission Protocol (SCTP) networking subsystem include:

  • Virtual routing and forwarding (VRF) support to segment and isolate SCTP traffic within complex network environments.
  • New stream schedulers (fair capacity, and weighted fair queueing) to ensure efficient and equal resource allocation in the network.


MPTCP rebased to the latest version of the kernel networking tree for RHEL 9

Notable changes in the Multipath TCP (MPTCP) protocol extension include:

  • Support for TCP fastopen (TFO) extension, including the client-side support. This feature offers latency, efficiency, and performance improvements for your network.
  • Support multiple mixed IPv4/IPv6 subflows to allow for greater flexibility and adaptability in networks where both IP versions are used.


The xdp-tools package rebased to version 1.4.0

The xdp-tools package has been upgraded to version 1.4.0, which provides multiple bug fixes and enhancements. Notable changes include:

  • The xdp-bench utility gained support for multi-buffer eXpress Data Path (XDP) and for benchmarking the xdp_load_bytes() helper in the kernel. This feature enables conducting network benchmarking tests with large maximum transmission units (MTUs).
  • The locking of the command line utilities of xdp-tools was improved to prevent stale locks if the utility did not exit cleanly.
  • The libxdp library contains a new xsk_umem__create_with_fd() API that accepts an extra file descriptor of an already open AF_XDP socket. You can use this function as a substitute for the regular xsk_umem__create() function when a process does not have CAP_NET_RAW privileges.


iproute rebased to version 6.2.0

The iproute packages have been upgraded to upstream version 6.2.0, which provides a number of enhancements and bug fixes over the previous version. The most notable changes are:

  • The new ip stats command manages and shows interface statistics. By default, the ip stats show command displays statistics for all network devices, including bridges and bonds. You can filter the output by using the dev and group options. For further details, see the ip-stats(8) man page.
  • The ss utility now provides the -T (--threads) option to display thread information, which extends the -p (--processes) option. For further details, see the ss(8) man page.
  • You can use the new bridge fdb flush command to remove specific forwarding database (fdb) entries which match a supplied option. For further details, see the bridge(8) man page.


The kernel supports activating bond ports in a specific order

With this enhancement, the kernel’s netlink interface supports setting a priority on each port if you configure a bond in active-backup, balance-tlb or balance-alb mode. The priority value uses a 32-bit Integer, and a higher value means a higher priority. As a result, you can now activate the bond ports in a specific order.

To use this feature, you can configure the priority by setting the bond-port.prio property when you create or modify a NetworkManager port connection profile.


4.8. Kernel

Kernel version in RHEL 9.3

Red Hat Enterprise Linux 9.3 is distributed with the kernel version 5.14.0-362.8.1.


Support added for NVIDIA Grace CPUs

Red Hat Enterprise Linux 9.3 adds support for the NVIDIA Grace ARM 64-bit CPU.


The RHEL kernel now supports AutoIBRS

Automatic Indirect Branch Restricted Speculation (AutoIBRS) is a feature provided by the AMD EPYC 9004 Genoa family of processors and later CPU versions. AutoIBRS is the default mitigation for the Spectre v2 CPU vulnerability, which boosts performance and improves scalability.


perf rebased to version 6.2

The perf performance analysis tool has been rebased to version 6.2. Apart from numerous minor bug fixes and updates, the perf list command now displays Performance Monitor Unit (PMU) events that contain human-friendly names and descriptions. In addition, this update adds support for the following processors:

  • Intel 13th generation of Core processors (Intel Raptor Lake-S)
  • Intel 14th generation of processors (Intel Meteor Lake)
  • Intel 5th generation Xeon server processors (Intel Emerald Rapids)


The Intel® QAT kernel driver rebased to upstream version 6.2

The Intel® Quick Assist Technology (QAT) has been rebased to upstream version 6.2. The Intel® QAT includes accelerators optimized for symmetric and asymmetric cryptography, compression performance, and other CPU intensive tasks.

The rebase includes many bug fixes and enhancements. The most notable enhancement is the support available for following hardware accelerator devices for QAT GEN4:

  • Intel Quick Assist Technology 401xx devices
  • Intel Quick Assist Technology 402xx devices


vTPM functionality is available for Linux containers

This enhancement introduces virtual Trusted Platform Module (vTPM) for Linux containers and other virtual environments. vTPM is a virtualized version of TPM that provides a dedicated TPM instance to use for a secure running environment. With vTPM proxy drivers, programs interact with an emulated TPM the same way as they interact with physical TPMs.

As a result, each virtual machine can now have a dedicated vTPM instance that is isolated and encrypted.


crash rebased to version 8.0.3

crash is an interactive utility to analyze a running system and a core dump file created by kdump in the event of a kernel crash. The crash utility has been rebased to version 8.0.3 that includes many bug fixes and enhancements. The most notable enhancement is the added IPv6 support.

For network interfaces that support IPv6, crash prints IPv6 addresses with the net or net -s command.

  • The net command displays the list of network devices, names, and the IP address.
  • The net -s command displays the following information:

    • The open network socket and sock addresses
    • The family and the type of sockets and sock addresses
    • The source and destination address and ports for INET and INET6 families


LVM thin provisioned storage volumes supported as the vmcore dump target

The kdump mechanism now supports thin provisioned logical volumes as the vmcore target. To configure LVM thin provisioning, complete following steps:

  1. Create a LVM volume group.

    vgcreate vg00 /dev/sdb
  2. Create a LVM thin pool of 10 MB available space.

    lvcreate -L 10M -T vg00/thinpool
  3. Create a LVM thin volume with 300 MB of the file system space.

    lvcreate -V 300M -T vg00/thinpool -n thinvol
    mkfs.ext4 /dev/vg00/thinvol
  4. Configure the LVM thin pool threshold to automatically extend the space.

    cat /etc/lvm/lvm.conf
    activation {
    	thin_pool_autoextend_threshold = 70
    	thin_pool_autoextend_percent = 20
    	monitoring = 1
  5. Enable the LVM thin pool monitoring service for the first kernel.

    systemctl enable lvm2-monitor.service
    systemctl start lvm2-monitor.service
  6. Append the following lines to the kdump.conf file to set the LVM thin volume as the kdump target.

    ext4 /dev/vg00/thinvol
    path /
  7. Start the kdump service.

    kdumpctl restart
  8. Verify the configuration by triggering a kernel panic and check if the vmcore is saved to /dev/vg00/thinvol.

As a result, with this enhancement, the kdump mechanism now extends capability to save the vmcore dump files on thin provisioned storage volumes.


makedumpfile rebased to upstream version 1.7.3

The makedumpfile tool, which makes the crash dump file small by compressing pages or excluding memory pages that are not required, has been rebased to upstream version 1.7.3. The rebase includes many bug fixes and enhancements.

The most notable change is the added 5-level paging mode for standalone dump (sadump) mechanism on AMD and Intel 64-bit architecture. The 5-level paging mode extends the processor’s linear address width to allow applications access larger amounts of memory. 5-level paging extends the size of virtual addresses from 48 to 57 bits and the physical addresses from 46 to 52 bits.


Red Hat Enterprise Linux supports ARM’s SystemReady ES and IR tier

Red Hat Enterprise Linux now supports ARM’s SystemReady ES and IR, while previously only the SR tier was supported. In RHEL 9.3, the NVIDIA Orin, NXP i.MX 8M, and NXP i.MX 8M Mini modules have been enabled and are candidates for the RHEL hardware certification. Hardware partners are able to submit certifications by enrolling in the Red Hat hardware certification journey. Customers can use the supported hardware listed in the catalog for an improved experience in production.


RHEL on ARM now supports Bluetooth

With this enhancement, you can configure a bluetooth device by using the bluetoothctl tool on the command-line interface.


RHEL on ARM now fully supports USB-attached cameras in RHEL 9.3

This enhancement enables the CONFIG_MEDIA_SUPPORT kernel configuration for RHEL on AMD and Intel 64-bit architectures platforms. With that, you can now use USB cameras on AMD and Intel 64-bit architectures systems.


bpf rebased to version 6.3

The Berkeley Packet Filter (BPF) facility has been rebased to Linux kernel version 6.3. Notable changes and enhancements include:

  • BPF trampoline is now available on the 64-bit IBM Z architecture.
  • A new map type - BPF_MAP_TYPE_USER_RINGBUF - and related helpers have been defined for the communication between the user space and kernel over a BPF-specific ring buffer.
  • BPF now provides new complex data structures: linked list and rbtree.
  • BPF trampoline that traces programs now supports struct arguments.
  • BPF now provides a way to export XDP features supported by a NIC.
  • Hardware metadata are now exposed to XDP programs by using the BPF Kernel Functions (kfuncs) with initial support for RX hash and timestamp metadata.
  • BPF now provides a helper that sets source and destination NAT addresses and ports in new conntrack module entries in BPF programs.
  • BPF can now write directly to the nf_conn:mark connection mark of the netfilter packet filtering framework.


4.9. Boot loader

Change in the default behavior of grub2-mkconfig

Previously, entering the grub2-mkconfig -o /path/to/grub.cfg command generated a new grub.cfg file that contained all the changes that had been made to the /etc/default/grub file. Consequently, the command overwrote the command-line arguments in all BLS snippets with the GRUB_CMDLINE_LINUX variable located in the /etc/default/grub file.

With this update, the behavior of GRUB variables has changed as follows:

  • If you set the GRUB_ENABLE_BLSCFG= parameter to true, running the grub2-mkconfig -o /path/to/grub.cfg command makes all the changes to the grub.cfg file that you had made in the /etc/default/grub file except from the kernel command line. In such a case, BLS snippets do not get updated.
  • If you set the GRUB_ENABLE_BLSCFG= parameter to false, BLS snippets do not get updated, but the changes are still made to the grub.cfg file.

In case you want to update the kernel command line, enter:

# grub2-mkconfig -o /path/to/grub.cfg --update-bls-cmdline

Also note that you can make changes to BLS snippets for individual kernels using grubby:

# grubby --update-kernel /path/to/kernel --args "new args"


4.10. File systems and storage

NFS server now implements courteous server code for nfsd

This update introduces the implementation of courteous server code for nfsd in the RHEL kernel NFS server. With this new feature, the NFS server avoids revoking leases for clients that have lost contact with the server for an extended period, as long as there is no conflicting access while the client is out of contact.


DAX mount option and reflink are now compatible

With this update, reflinked files are now generally compatible with DAX mode. The file system DAX mount option -o dax=always is compatible with reflink-enabled file systems. Files that were reflinked can be set to DAX mode using inode flags. For more information see the xfs(5) man page.


New encryption types for the RPCSEC GSS Kerberos V5

The RPCSEC GSS Kerberos V5 mechanism now supports encryption types defined in RFC 6803 (Camellia Encryption for Kerberos 5) and RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos 5).

The following encryption types have been added:

  • camellia128-cts-cmac
  • camellia256-cts-cmac
  • aes128-cts-hmac-sha256-128
  • aes256-cts-hmac-sha384-192

This allows NFS clients and NFS servers to use stronger encryption types when negotiating GSS contexts.


fuse3 now allows invalidating a directory entry without triggering umount

With this update, a new mechanism has been added to fuse3 package, that allows invalidating a directory entry without automatically triggering the umount of any mounts that exists on the entry.


Stratis storage manager is now available

Stratis is a local storage manager. It provides managed file systems on top of pools of storage with additional features to the user:

  • Manage snapshots and thin provisioning
  • Automatically grow file system sizes as needed
  • Maintain file systems
  • Pool Level Encryption
  • TMP2 and NBDE Support

To administer Stratis storage, use the stratis utility, which communicates with the stratisd background service.

For more information, see the Stratis documentation: Setting up Stratis file systems.


Improvements to GFS2 file system configuration and operation

The following updates have been implemented for GFS2 file systems:

  • The mkfs.gfs2 command now supports the new -U option, which makes it possible to specify the file system UUID for the file system you create. If you omit this option, the file system’s UUID is generated randomly.
  • The gfs2_jadd command creates journals at a much faster speed than in previous releases.
  • The GFS2 man pages have been improved.


dmpd rebased to version 1.0.2

The dmpd package has been upgraded to version 1.0.2. Notable changes include:

  • Rewriting the tools in the Rust language for memory safety and for using multiple threads to boost performance.
  • Improving the thin_check and cache_check tools to save the time of LVM pool activation along with the system startup. The required execution time for these tools is now improved by more than ten times as compared to the previous version.
  • Updating thin_dump and thin_restore tools to avoid losing sharing of the metadata btrees for snapshots. Now the restored metadata does not require more space.
  • Adding new thin_metadata_pack and thin_metadata_unpack tools to compress thin metadata, typically to a tenth of the size. This is better than the generic compressors. With this tool, it is easier to pass damaged metadata around for inspection.


New per-device counter is added for SCSI devices

A new per-device counter, iotmo_cnt, is now added for the I/O timeouts in the SCSI updates. In addition to the iorequest_cnt count of I/O requests, the iodone_cnt I/O completions, and the ioerr_cnt I/O errors, the number of request timeouts can be seen. For example:



mpathcleanup flushes the multipath devices in device-mapper-multipath

The mpathcleanup tool works on SCSI-based multipath devices and removes the multipath device along with the SCSI path devices. Some users need to remove multipath devices and their path devices regularly. Previously, there was no tool available to remove multipath devices and a user-defined script was required for this operation.

With this new tool, users can now easily remove multipath devices and their underlying storage, and there is no need to create any script for this operation.


nvme-cli rebased to version 2.4

The nvme-cli package has been upgraded to version 2.4, which provides multiple bug fixes and enhancements. Notable changes include:

  • Supports TLS over TCP.
  • Fixes incorrect ordering of the systemd auto-connect services to mount file systems using the /etc/fstab file.
  • Fixes printing of the u32 values.
  • Validates storage tag size correctly.
  • Supports the nvme effects-log command for fabrics controllers.


4.11. High availability and clusters

Support for failover of LVM volume groups with missing physical volumes

The LVM-activate resource agent now supports two new options that allow volume group failover if the volume group is missing physical volumes:

  • The majoritypvs option allows the system ID to be changed on a volume group when a volume group is missing physical volumes, as long as a majority of physical volumes are present.
  • The degraded_activation option allows RAID logical volumes in a volume group to be activated when legs are missing, as long as sufficient devices are available for RAID to provide all the data in the logical volume.


IPaddr2 and IPsrcaddr cluster resource agents now support policy-based routing

The IPaddr2 and IPsrcaddr cluster resource agents now support policy-based routing,which enables you to configure complex routing scenarios. Policy-based routing requires that you configure the resource agent’s table parameter.


The Filesystem resource agent now supports the EFS file system type

The ocf:heartbeat:Filesystem cluster resource agent now supports the Amazon Elastic File System (EFS). You can now specify fstype=efs when configuring a Filesystem resource.


New pcs parsing requires meta keyword when specifying clone meta attributes

To ensure consistency in the pcs command format, configuring clone meta attributes with the pcs resource clone, pcs resource promotable, and pcs resource create commands without specifying the meta keyword is now deprecated.

Previously, the meta keyword was ignored in the pcs resource clone and pcs resource promotable commands. In the pcs resource create command, however, the meta attributes specified after the meta keyword when it followed the clone keyword were assigned to the resource rather than to the clone. With this updated parsing algorithm, meta attributes specified after the meta keyword when it follows the clone keyword are assigned to the clone. To maintain compatibility with existing scripts which rely on the older format, you must specify the --future command option to enable this new argument processing when creating a cloned resource with the pcs resource create command.

The following command now creates a resource with the meta attribute mv=v1 and a clone with the meta attribute mv=v2:

pcs resource create dummy1 ocf:pacemaker:Dummy meta m1=v1 clone meta m2=v2 --future


Displaying the pcs commands for re-creating configured resource constraints

You can now display the pcs constraint commands that can be used to re-create configured resource constraints on a different system by using the pcs constraint command with the new --output-format=cmd option. The default output format is plain text, as in previous releases, which you can specify with the --output-format=text option. The plain text format has been changed slightly to make it consistent with the output format of other pcs commands.


Rebase Pacemaker packages to version: 2.1.6

The Pacemaker packages have been upgraded to upstream version 2.1.6, which provides a number of enhancements and bug fixes over the previous version.

The following features have been added:

  • Previously, when a Pacemaker Remote connection was lost, Pacemaker would always purge its transient node attributes. This was unnecessary if the connection was quickly recoverable and the remote daemon had not restarted in the meantime. Pacemaker Remote nodes now preserve transient node attributes after a brief, recoverable connection outage.
  • The alert agent, which is the sample alert agent provided with Pacemaker, now supports the SNMPv3 protocol as well as SNMPv2. With this update, you can copy the agent without modification to use SNMPv3 with Pacemaker alerts.
  • Pacemaker alerts and alert recipients now support an enabled meta option. Setting this option to false for an alert disables the alert. Setting this option to true for an alert and false for a particular recipient disables the alert for that recipient. The default value for this option is true. You can use this option to temporarily disable an alert for any reason, such as planned maintenance.

The following bugs have been fixed:

  • Pacemaker Designated Controller elections no longer finalized until all pending actions are complete and no action results are lost.
  • The fence_scsi agent is now able to auto-detect shared lvmlockd devices when the devices attribute is not set.
  • Resource stickiness now properly compares against colocation scores.
  • The crm_resource command now allows banning or moving a bundle with only a single active replica.
  • Previously, promotable clone instances were assigned in numerical order, with promoted instances first. As a result, if a promoted clone instance needed to start, an unpromoted instance in some cases restarted unexpectedly, because the instance numbers changed. With this fix, roles are considered when assigning instance numbers to nodes and as a result no unnecessary restarts occur.


Enhancements to the pcs property command

The pcs property command now supports the following enhancements:

  • The pcs property config --output-format= option

    • Specify --output-format=cmd to display the pcs property set command created from the current cluster properties configuration. You can use this command to re-create configured cluster properties on a different system.
    • Specify --output-format=json to display the configured cluster properties in JSON format.
    • Specify output-format=text to display the configured cluster properties in plain text format, which is the default value for this option.
  • The pcs property defaults command, which replaces the deprecated pcs property --defaults option
  • The pcs property describe command, which describes the meaning of cluster properties


4.12. Dynamic programming languages, web and database servers

A new nodejs:20 module stream is fully supported

A new module stream, nodejs:20, previously available as a Technology Preview, is fully supported with the release of the RHEA-2023:7252 advisory. The nodejs:20 module stream now provides Node.js 20.9, which is a Long Term Support (LTS) version.

Node.js 20 included in RHEL 9.3 provides numerous new features, bug fixes, security fixes, and performance improvements over Node.js 18 available since RHEL 9.1.

Notable changes include:

  • The V8 JavaScript engine has been upgraded to version 11.3.
  • The npm package manager has been upgraded to version 9.8.0.
  • Node.js introduces a new experimental Permission Model.
  • Node.js introduces a new experimental Single Executable Application (SEA) feature.
  • Node.js provides improvements to the Experimental ECMAScript modules (ESM) loader.
  • The native test runner, introduced as an experimental node:test module in Node.js 18, is now considered stable.
  • Node.js provides various performance improvements.

To install the nodejs:20 module stream, use:

# dnf module install nodejs:20

If you want to upgrade from the nodejs:18 stream, see Switching to a later stream.

For information about the length of support for the nodejs Application Streams, see Red Hat Enterprise Linux Application Streams Life Cycle.


A new filter argument to the Python tarfile extraction functions

To mitigate CVE-2007-4559, Python adds a filter argument to the tarfile extraction functions. The argument allows turning tar features off for increased safety (including blocking the CVE-2007-4559 directory traversal attack). If a filter is not specified, the 'data' filter, which is the safest but most limited, is used by default in RHEL. In addition, Python emits a warning when your application has been affected.

For more information, including instructions to hide the warning, see the Knowledgebase article Mitigation of directory traversal attack in the Python tarfile library (CVE-2007-4559).


The HTTP::Tiny Perl module now verifies TLS certificates by default

The default value for the verify_SSL option in the HTTP::Tiny Perl module has been changed from 0 to 1 to verify TLS certificates when using HTTPS. This change fixes CVE-2023-31486 for HTTP::Tiny and CVE-2023-31484 for the CPAN Perl module.

To make support for TLS verification available, this update adds the following dependencies to the perl-HTTP-Tiny package:

  • perl-IO-Socket-SSL
  • perl-Mozilla-CA
  • perl-Net-SSLeay


httpd rebased to version 2.4.57

The Apache HTTP Server has been updated to version 2.4.57, which provides bug fixes, enhancements, and security fixes over version 2.4.53 available since RHEL 9.1.

Notable enhancements include:

  • The rotatelogs utility provided with httpd introduces a new -T option to truncate all rotated logfiles except the initial logfile.
  • The mod_ssl module no longer tests existence of certificate and key files when dumping the httpd configuration.
  • The LDAPConnectionPoolTTL directive of the mod_ldap module now accepts negative values to enable reuse of connections of any age. Previously, a negative value was handled as an error.
  • Workers from the mod_proxy_hcheck module now correctly time out according to the worker timeout settings.
  • The hcmethod parameter of the mod_proxy_hcheck module now provides new GET11, HEAD11, and OPTIONS11 methods for HTTP/1.1 requests.


A new mod_authnz_fcgi module in httpd

The Apache HTTP Server now includes the mod_authnz_fcgi module, which enables FastCGI authorizer applications to authenticate users and authorize access to resources.

The mod_authnz_fcgi module is not loaded by default. To load this module, uncomment the following line in the /etc/httpd/conf.modules.d/00-optional.conf file:

LoadModule authnz_fcgi_module modules/


A new ssl_pass_phrase_dialog directive in nginx:1.22

With this update to the nginx:1.22 module stream, you can use the new ssl_pass_phrase_dialog directive to configure an external program that is called at nginx start for each encrypted private key.

To use the new directive, add one of the following lines to the /etc/nginx/nginx.conf file:

  • To call an external program for each encrypted private key file, enter:

    ssl_pass_phrase_dialog exec:<path_to_program>;

    nginx calls this program with the following two arguments:

    • The server name specified in the server_name setting.
    • One of the following algorithms: RSA, DSA, EC, DH, or UNK if a cryptographic algorithm cannot be recognized.
  • If you want to manually enter a passphrase for each encrypted private key file, enter:

    ssl_pass_phrase_dialog builtin;

    This is the default behavior if ssl_pass_phrase_dialog is not configured.

    Note that the nginx service fails to start if you use this method but have at least one private key protected by a passphrase. In this case, use one of the other methods.

  • If you want systemd to prompt for the passphrase for each encrypted private key when you start the nginx service by using the systemctl utility, enter:

    ssl_pass_phrase_dialog exec:/usr/libexec/nginx-ssl-pass-dialog;

Note that the ssl_pass_phrase_dialog directive in nginx is similar to the SSLPassPhraseDialog directive in the Apache HTTP Server.


A new rhel9/squid container image

The rhel9/squid container image is now available in the Red Hat Container Registry. Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps metadata and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.

To pull the new container image, run:

# podman pull


A new module stream: redis:7

Redis 7, an advanced key-value store, is now available as a new module stream, redis:7.

Notable changes over Redis 6 include:

  • Server-side scripting in the Redis Functions API
  • Fine-grained access control list (ACL) support
  • Shared publish/subscribe (pub/sub) support for clusters
  • Various new commands and command arguments

Redis 7 introduces several backward incompatible changes, for example:

  • Redis 7 now stores append-only files (AOF) as multiple files in a folder
  • Redis 7 uses a new version format for Redis Database (RDB) files that is incompatible with earlier versions

For a complete list of features and incompatible changes, see the upstream release notes.

To install the redis:7 module stream, use:

# dnf module install redis:7

For information about the length of support for the redis Application Streams, see Red Hat Enterprise Linux Application Streams Life Cycle.


4.13. Compilers and development tools

A new glibc option to influence optimized routine usage on IBM Z

On the IBM Z architecture, the glibc library selects function implementations based on the hardware capabilities, such as hwcaps and stfle bits. With this update, you can direct the choice made by the library by setting the glibc.cpu.hwcaps tunable.


Improved string and memory routine performance on Intel® Xeon® v5-based hardware in glibc

Previously, the default amount of cache used by glibc for string and memory routines resulted in lower than expected performance on Intel® Xeon® v5-based systems. With this update, the amount of cache to use has been tuned to improve performance.


The system GCC compiler updated to version 11.4.1

The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and Fortran programming languages.

The system GCC compiler has been updated to version 11.4.1, which includes numerous bug fixes and enhancements available in the upstream GCC.

For usage information, see Developing C and C++ applications in RHEL 9.


GCC now supports preserving register arguments

With this update, you can now store argument register content to the stack and generate proper Call Frame Information (CFI) to allow the unwinder to locate it without negatively impacting performance.


A new -mdaz-ftz option in GCC on the 64-bit Intel architecture

The system version of GNU Compiler Collection (GCC) on the 64-bit Intel architecture now supports the -mdaz-ftz option to enable flush-to-zero (FTZ) and denormals-are-zero (DAZ) flags in the MXCSR Control and Status Register.


New GCC Toolset 13

GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

The GCC compiler has been updated to version 13.1.1, which provides many bug fixes and enhancements that are available in upstream GCC.

The following tools and versions are provided by GCC Toolset 13:












To install GCC Toolset 13, run the following command as root:

# dnf install gcc-toolset-13

To run a tool from GCC Toolset 13:

$ scl enable gcc-toolset-13 tool

To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools:

$ scl enable gcc-toolset-13 bash

For more information, see GCC Toolset 13 and Using GCC Toolset.

Bugzilla:2171919[1], Bugzilla:2171930

GCC Toolset 13: GCC rebased to version 13.1.1

In GCC Toolset 13, the GNU Compiler Collection (GCC) has been updated to version 13.1.1. Notable changes include:

General improvements

  • OpenMP:

    • OpenMP 5.0: Fortran now supports some non-rectangular loop nests. Such support was added for C/C++ in GCC 11.
    • Many OpenMP 5.1 features have been added.
    • Initial support for OpenMP 5.2 features has been added.
  • A new debug info compression option value, -gz=zstd, is now available.
  • The -Ofast, -ffast-math, and -funsafe-math-optimizations options no longer add startup code to alter the floating-point environment when producing a shared object with the -shared option.
  • GCC can now emit its diagnostics using Static Analysis Results Interchange Format (SARIF), a JSON-based format suited for capturing the results of static analysis tools (like GCC’s -fanalyzer). You can also use SARIF to capture other GCC warnings and errors in a machine-readable format.
  • Link-time optimization improvements have been implemented.

New languages and language-specific improvements

C family:

  • A new -Wxor-used-as-pow option warns about uses of the exclusive or (^) operator where the user might have meant exponentiation.
  • Three new function attributes have been added for documenting int arguments that are file descriptors:

    • attribute((fd_arg(N)))
    • attribute((fd_arg_read(N)))
    • attribute((fd_arg_write(N)))

    These attributes are also used by -fanalyzer to detect misuses of file descriptors.

  • A new statement attribute, attribute((assume(EXPR)));, has been added for C++23 portable assumptions. The attribute is supported also in C or earlier C++.
  • GCC can now control when to treat the trailing array of a structure as a flexible array member for the purpose of accessing the elements of such an array. By default, all trailing arrays in aggregates are treated as flexible array members. Use the new command-line option -fstrict-flex-arrays to control what array members are treated as flexible arrays.


  • Several C23 features have been implemented:

    • Introduced the nullptr constant.
    • Enumerations enhanced to specify underlying types.
    • Requirements for variadic parameter lists have been relaxed.
    • Introduced the auto feature to enable type inference for object definitions.
    • Introduced the constexpr specifier for object definitions.
    • Introduced storage-class specifiers for compound literals.
    • Introduced the typeof object (previously supported as an extension) and the typeof_unqual object.
    • Added new keywords: alignas, alignof, bool, false, static_assert, thread_local, and true.
    • Added the [[noreturn]] attribute to specify that a function does not return execution to its caller.
    • Added support for empty initializer braces.
    • Added support for STDC_VERSION_*_H header version macros.
    • Removed the ATOMIC_VAR_INIT macro.
    • Added the unreachable macro for the <stddef.h> header.
    • Removed trigraphs.
    • Removed unprototyped functions.
    • Added printf and scanf format checking through the -Wformat option for the %wN and %wfN format length modifiers.
    • Added support for identifier syntax of Unicode Standard Annex (UAX) 31.
    • Existing features adopted in C23 have been adjusted to follow C23 requirements and are not diagnosed using the -std=c2x -Wpedantic option.
  • A new -Wenum-int-mismatch option warns about mismatches between an enumerated type and an integer type.


  • Implemented excess precision support through the -fexcess-precision option. It is enabled by default in strict standard modes like -std=c++17, where it defaults to -fexcess-precision=standard. In GNU standard modes like -std=gnu++20, it defaults to -fexcess-precision=fast, which restores previous behavior.

    The -fexcess-precision option affects the following architectures:

    • Intel 32- and 64-bit using x87 math, in some cases on Motorola 68000, where float and double expressions are evaluated in long double precision.
    • 64-bit IBM Z systems where float expressions are evaluated in double precision.
    • Several architectures that support the std::float16_t or std::bfloat16_t types, where these types are evaluated in float precision.
  • Improved experimental support for C++23, including::

    • Added support for labels at the end of compound statements.
    • Added a type trait to detect reference binding to a temporary.
    • Reintroduced support for volatile compound operations.
    • Added support for the #warning directive.
    • Added support for delimited escape sequences.
    • Added support for named universal character escapes.
    • Added a compatibility and portability fix for the char8_t type.
    • Added static operator() function objects.
    • Simplified implicit moves.
    • Rewriting equality in expressions is now less of a breaking change.
    • Removed non-encodable wide character literals and wide multicharacter literals.
    • Relaxed some constexpr function restrictions.
    • Extended floating-point types and standard names.
    • Implemented portable assumptions.
    • Added support for UTF-8 as a portable source file encoding standard.
    • Added support for static operator[] subscripts.
  • New warnings:

    • -Wself-move warns when a value is moved to itself with std::move.
    • -Wdangling-reference warns when a reference is bound to a temporary whose lifetime has ended.
    • The -Wpessimizing-move and -Wredundant-move warnings have been extended to warn in more contexts.
  • The new -nostdlib++ option enables linking with g++ without implicitly linking in the C++ standard library.

Changes in the libstdc++ runtime library

  • Improved experimental support for C++20, including:

    • Added the <format> header and the std::format function.
    • Added support in the <chrono> header for the std::chrono::utc_clock clock, other clocks, time zones, and the std::format function.
  • Improved experimental support for C++23, including:

    • Additions to the <ranges> header: views::zip, views::zip_transform, views::adjacent, views::adjacent_transform, views::pairwise, views::slide, views::chunk, views::chunk_by, views::repeat, views::chunk_by, views::cartesian_product, views::as_rvalue, views::enumerate, views::as_const.
    • Additions to the <algorithm> header: ranges::contains, ranges::contains_subrange, ranges::iota, ranges::find_last, ranges::find_last_if, ranges::find_last_if_not, ranges::fold_left, ranges::fold_left_first, ranges::fold_right, ranges::fold_right_last, ranges::fold_left_with_iter, ranges::fold_left_first_with_iter.
    • Support for monadic operations for the std::expected class template.
    • Added constexpr modifiers to the std::bitset, std::to_chars and std::from_chars functions.
    • Added library support for extended floating-point types.
  • Added support for the <experimental/scope> header from version 3 of the Library Fundamentals Technical Specification (TS).
  • Added support for the <experimental/synchronized_value> header from version 2 of the Concurrency TS.
  • Added support for many previously unavailable features in freestanding mode. For example:

    • The std::tuple class template is now available for freestanding compilation.
    • The libstdc++ library adds components to the freestanding subset, such as std::array and std::string_view.
    • The libstdc++ library now respects the -ffreestanding compiler option, so it is no longer necessary to build a separate freestanding installation of the libstdc++ library. Compiling with -ffreestanding will restrict the available features to the freestanding subset, even if the libstdc++ library was built as a full, hosted implementation.

New targets and target-specific Improvements

The 64-bit ARM architecture:

  • Added support for the armv9.1-a, armv9.2-a, and armv9.3-a arguments for the -march= option.

The 32- and 64-bit AMD and Intel architectures:

  • For both C and C++, the __bf16 type is supported on systems with Streaming SIMD Extensions 2 and above enabled.
  • The real __bf16 type is now used for AVX512BF16 instruction intrinsics. Previously, __bfloat16, a typedef of short, was used. Adjust your AVX512BF16 related source code when upgrading GCC 12 to GCC 13.
  • Added new Instruction Set Architecture (ISA) extensions to support the following Intel instructions:

    • AVX-IFMA whose instruction intrinsics are available through the -mavxifma compiler switch.
    • AVX-VNNI-INT8 whose instruction intrinsics are available through the -mavxvnniint8 compiler switch.
    • AVX-NE-CONVERT whose instruction intrinsics are available through the -mavxneconvert compiler switch.
    • CMPccXADD whose instruction intrinsics are available through the -mcmpccxadd compiler switch.
    • AMX-FP16 whose instruction intrinsics are available through the -mamx-fp16 compiler switch.
    • PREFETCHI whose instruction intrinsics are available through the -mprefetchi compiler switch.
    • RAO-INT whose instruction intrinsics are available through the -mraoint compiler switch.
    • AMX-COMPLEX whose instruction intrinsics are available through the -mamx-complex compiler switch.
  • GCC now supports AMD CPUs based on the znver4 core through the -march=znver4 compiler switch. The switch makes GCC consider using 512-bit vectors when auto-vectorizing.

Improvements to the static analyzer

  • The static analyzer has gained 20 new warnings:

    • -Wanalyzer-allocation-size
    • -Wanalyzer-deref-before-check
    • -Wanalyzer-exposure-through-uninit-copy
    • -Wanalyzer-imprecise-fp-arithmetic
    • -Wanalyzer-infinite-recursion
    • -Wanalyzer-jump-through-null
    • -Wanalyzer-out-of-bounds
    • -Wanalyzer-putenv-of-auto-var
    • -Wanalyzer-tainted-assertion
    • Seven new warnings relating to misuse of file descriptors:

      • -Wanalyzer-fd-access-mode-mismatch
      • -Wanalyzer-fd-double-close
      • -Wanalyzer-fd-leak
      • -Wanalyzer-fd-phase-mismatch (for example, calling accept on a socket before calling listen on it)
      • -Wanalyzer-fd-type-mismatch (for example, using a stream socket operation on a datagram socket)
      • -Wanalyzer-fd-use-after-close
      • -Wanalyzer-fd-use-without-check

        • Also implemented special-casing handling of the behavior of the open, close, creat, dup, dup2, dup3, pipe, pipe2, read, and write functions.
    • Four new warnings for misuses of the <stdarg.h> header:

      • -Wanalyzer-va-list-leak warns about missing a va_end macro after a va_start or va_copy macro.
      • -Wanalyzer-va-list-use-after-va-end warns about a va_arg or va_copy macro used on a va_list object type that has had the va_end macro called on it.
      • -Wanalyzer-va-arg-type-mismatch type-checks va_arg macro usage in interprocedural execution paths against the types of the parameters that were actually passed to the variadic call.
      • -Wanalyzer-va-list-exhausted warns if a va_arg macro is used too many times on a va_list object type in interprocedural execution paths.
  • Numerous other improvements.

Backwards incompatible changes

For C++, construction of global iostream objects such as std::cout, std::cin is now done inside the standard library, instead of in every source file that includes the <iostream> header. This change improves the startup performance of C++ programs, but it means that code compiled with GCC 13.1 will crash if the correct version of is not used at runtime. See the documentation about using the correct at runtime. Future GCC releases will mitigate the problem so that the program cannot be run at all with an earlier incompatible


GCC Toolset 13: annobin rebased to version 12.20

GCC Toolset 13 provides the annobin package version 12.20. Notable enhancements include:

  • Added support for moving annobin notes into a separate debug info file. This results in reduced executable binary size.
  • Added support for a new smaller note format reduces the size of the separate debuginfo files and the time taken to create these files.


GCC Toolset 13: GDB rebased to version 12.1

GCC Toolset 13 provides GDB version 12.1.

Notable bug fixes and enhancements include:

  • GDB now styles source code and disassembler by default. If styling interferes with automation or scripting of GDB, you can disable it by using the maint set gnu-source-highlight enabled off and maint set style disassembler enabled off commands.
  • GDB now displays backtraces whenever it encounters an internal error. If this affects scripts or automation, you can use the maint set backtrace-on-fatal-signal off command to disable this feature.

C/C++ improvements:

  • GDB now treats functions or types involving C++ templates similarly to function overloads. You can omit parameter lists to set breakpoints on families of template functions, including types or functions composed of multiple template types. Tab completion has gained similar improvements.

Terminal user interface (TUI):

  • tui layout

    tui focus

    tui refresh

    tui window height
    These are the new names for the old layout, focus, refresh, and winheight TUI commands respectively. The old names still exist as aliases to these new commands.

  • tui window width


    Use the new tui window width command, or the winwidth alias, to adjust the width of a TUI window when windows are laid out in horizontal mode.

  • info win

    This command now includes information about the width of the TUI windows in its output.

Machine Interface (MI) changes:

  • The default version of the MI interpreter is now 4 (-i=mi4).
  • The -add-inferior command with no flag now inherits the connection of the current inferior. This restores the behavior of GDB prior to version 10.
  • The -add-inferior command now accepts a --no-connection flag that causes the new inferior to start without a connection.
  • The script field in breakpoint output (which is syntactically incorrect in MI 3 and earlier) has become a list in MI 4. This affects the following commands and events:

    • -break-insert
    • -break-info
    • =breakpoint-created
    • =breakpoint-modified

      Use the -fix-breakpoint-script-output command to enable the new behavior with earlier MI versions.

New commands:

  • maint set internal-error backtrace [on|off]

    maint show internal-error backtrace

    maint set internal-warning backtrace [on|off]

    maint show internal-warning backtrace

    GDB can now print a backtrace of itself when it encounters internal error or internal warning. This is enabled by default for internal errors and disabled by default for internal warnings.

  • exit

    You can exit GDB using the new exit command in addition to the existing quit command.

  • maint set gnu-source-highlight enabled [on|off]

    maint show gnu-source-highlight enabled
    Enables or disables the GNU Source Highlight library for adding styling to source code. When disabled, the library is not used even if it is available. When the GNU Source Highlight library is not used the Python Pygments library is used instead.

  • set suppress-cli-notifications [on|off]

    show suppress-cli-notifications

    Controls if printing the notifications is suppressed for CLI or not. CLI notifications occur when you change the selected context (such as the current inferior, thread, or frame), or when the program being debugged stops (for example: because of hitting a breakpoint, completing source-stepping, or an interrupt).

  • set style disassembler enabled [on|off]

    show style disassembler enabled

    When enabled, the command applies styling to disassembler output if GDB is compiled with Python support and the Python Pygments package is available.

Changed commands:

  • set logging [on|off]

    Deprecated and replaced by the set logging enabled [on|off] command.

  • print

    Printing of floating-point values with base-modifying formats like /x has been changed to display the underlying bytes of the value in the desired base.

  • clone-inferior

    The clone-inferior command now ensures that the TTY, CMD, and ARGs settings are copied from the original inferior to the new one. All modifications to the environment variables done using the set environment or unset environment commands are also copied to the new inferior.

Python API:

  • The new gdb.add_history() function takes a gdb.Value object and adds the value it represents to GDB’s history list. The function returns an integer, which is the index of the new item in the history list.
  • The new gdb.history_count() function returns the number of values in GDB’s value history.
  • The new event is called with a gdb.GdbExitingEvent object that has the read-only attribute exit_code containing the value of the GDB exit code. This event is triggered prior to GDB’s exit before GDB starts to clean up its internal state.
  • The new gdb.architecture_names() function returns a list containing all of the possible values. Each entry is a string.
  • The new gdb.Architecture.integer_type() function returns an integer type given a size and a signed-ness.
  • The new gdb.TargetConnection object type represents a connection (as displayed by the info connections command). A sub-class, gdb.RemoteTargetConnection, represents remote and extended-remote connections.
  • The gdb.Inferior type now has a connection property that is an instance of the gdb.TargetConnection object, the connection used by this inferior. This can be None if the inferior has no connection.
  • The new event registry emits a gdb.ConnectionEvent event when a connection is removed from GDB. This event has a connection property, a gdb.TargetConnection object for the connection being removed.
  • The new gdb.connections() function returns a list of all currently active connections.
  • The new gdb.RemoteTargetConnection.send_packet(PACKET) method is equivalent to the existing maint packet CLI command. You can use it to send a specified packet to the remote target.
  • The new gdb.host_charset() function returns the name of the current host character set as a string.
  • The new gdb.set_parameter(NAME, VALUE) function sets the GDB parameter NAME to VALUE.
  • The new gdb.with_parameter(NAME, VALUE) function returns a context manager that temporarily sets the GDB parameter NAME to VALUE and then resets it when the context is exited.
  • The gdb.Value.format_string method now takes a styling argument, which is a boolean. When true, the returned string can include escape sequences to apply styling. The styling is present only if styling is turned on in GDB (see help set styling). When false, which is the default if the styling argument is not given, no styling is applied to the returned string.
  • The new read-only attribute gdb.InferiorThread.details is either a string containing additional target-specific thread-state information, or None if there is no such additional information.
  • The new read-only attribute gdb.Type.is_scalar is True for scalar types, and False for all other types.
  • The new read-only attribute gdb.Type.is_signed should only be read when Type.is_scalar is True, and will be True for signed types and False for all other types. Attempting to read this attribute for non-scalar types will raise a ValueError.
  • You can now add GDB and MI commands implemented in Python.

For more information see the upstream release notes:

What has changed in GDB?


GCC Toolset 13: bintuils rebased to version 2.40

GCC Toolset 13 provides the binutils package version 2.40. Notable enhancements include:


  • The new -w (--no-warnings) command-line option for the linker suppresses the generation of any warning or error messages. This is useful in case you need to create a known non-working binary.
  • The ELF linker now generates a warning message if:

    • The stack is made executable
    • It creates a memory resident segment with all three of the Read, Write and eXecute permissions set
    • It creates a thread local data segment with the eXecute permission set.

      You can disable these warnings by using the --no-warn-exec-stack or --no-warn-rwx-segments options.

  • The linker can now insert arbitrary JSON-format metadata into binaries that it creates.

Other tools:

  • A new the objdump tool’s --private option to display fields in the file header and section headers for Portable Executable (PE) format files.
  • A new --strip-section-headers command-line option for the objcopy and strip utilities to remove the ELF section header from ELF files.
  • A new --show-all-symbols command-line option for the objdump utility to display all symbols that match a given address when disassembling, as opposed to the default function of displaying only the first symbol that matches an address.
  • A new -W (--no-weak) option to the nm utility to make it ignore weak symbols.
  • The objdump utility now supports syntax highlighting of disassembler output for some architectures. Use the --disassembler-color=MODE command-line option, with MODE being one of the following:

    • off
    • color - This option is supported by all terminal emulators.
    • extended-color - This option uses 8-bit colors not supported by all terminal emulators.


libabigail rebased to version 2.3

The libabigail package has been updated to version 2.3. Notable improvements include:

  • The BTF debuginfo format is now supported.
  • Improved support for Ada range types.
  • A new [allow_type] directive in suppression specifications is now supported.
  • Added various new properties for the [supress_type] suppression specification.
  • The ABIXML file format has been updated to version 2.2.
  • The SONAME of the library has been changed to reflect its own ABI change.

The libabigail package is available in the CodeReady Linux Builder (CRB) repository. Note that packages included in the CodeReady Linux Builder repository are unsupported.


The find-debuginfo script in debugedit now supports the -q (--quiet) flag

With this update, you can use the find-debuginfo script’s -q (--quiet) flag in the debugedit utility to silence non-error output from the script.


Valgrind rebased to version 3.21.0

Valgrind has been updated to version 3.21.0. Notable enhancements include:

  • A new abexit value for the --vgdb-stop-at=event1,event2,…​ option notifies the gdbserver utility when your program exits abnormally, such as with a non-zero exit code.
  • A new --enable-debuginfod=[yes|no] option instructs Valgrind to use the debuginfod servers listed in the DEBUGINFOD_URLS environment variable to fetch any missing DWARF debuginfo information for the program running under Valgrind. The default value for this option is yes.


    The DEBUGINFOD_URLS environment variable is not set by default.

  • Valgrind now provides GDB Python commands. These GDB front end commands provide a better integration in the GDB command-line interface. Benefits of this are, for example, GDB auto-completion, and command-specific help, searching for a command or command help that matches a regular expression. For relevant monitoring commands, GDB evaluates arguments to simplify usage of monitor commands.
  • The vgdb utility now supports the extended remote protocol when invoked with the --multi option. The GDB run command is supported in this mode and, as a result, you can run GDB and Valgrind from a single terminal.
  • You can use the --realloc-zero-bytes-frees=[yes|no] option to change the behavior of the realloc() function with a size of zero for tools that intercept the malloc() call.
  • The memcheck tool now performs checks for the use of the realloc() function with a size of zero. Use the new --show-realloc-size-zero=[yes|no] switch to disable this feature.
  • You can use the new --history-backtrace-size=value option for the helgrind tool to configure the number of entries to record in the stack traces of earlier accesses.
  • The --cache-sim=[yes|no] cachegrind option now defaults to no and, as a result, only instruction cache read events are gathered by default.
  • The source code for the cg_annotate, cg_diff, and cg_merge cachegrind utilities has been rewritten and, as a result, the utilities have more flexible command line option handling. For example, they now support the --show-percs and --no-show-percs options as well as the existing --show-percs=yes and --show-percs=no options.
  • The cg_annotate cachegrind utility now supports diffing (using the --diff, --mod-filename, and --mod-funcname options) and merging (by passing multiple data files). In addition, cg_annotate now provides more information at the file and function level.
  • A new user-request for the DHAT tool allows you to override the 1024 byte limit on access count histograms for blocks of memory.

The following new architecture-specific instruction sets are now supported:

  • 64-bit ARM:

    • v8.2 scalar and vector Floating-point Absolute Difference (FABD), Floating-point Absolute Compare Greater than or Equal (FACGE), Floating-point Absolute Compare Greater Than (FACGT), and Floating-point Add (FADD) instructions.
    • v8.2 Floating-point (FP) compare and conditional compare instructions.
    • Zero variants of v8.2 Floating-point (FP) compare instructions.
  • 64-bit IBM Z:

    • Support for the miscellaneous-instruction-extensions facility 3 and the vector-enhancements facility 2. This enables programs compiled with the -march=arch13 or -march=z15 options to be executed under Valgrind.
  • IBM Power:

    • ISA 3.1 support is now complete.
    • ISA 3.0 now supports the deliver a random number (darn) instruction.
    • ISA 3.0 now supports the System Call Vectored (scv) instruction.
    • ISA 3.0 now supports the copy, paste, and cpabort instructions.


systemtap rebased to version 4.9

The systemtap package has been upgraded to version 4.9. Notable changes include:

  • A new Language-Server-Protocol (LSP) backend for easier interactive drafting of systemtap scripts on LSP-capable editors.
  • Access to a Python/Jupyter interactive notebook frontend.
  • Improved handling of DWARF 5 bitfields.


elfutils rebased to version 0.189

The elfutils package has been updated to version 0.189. Notable improvements and bug fixes include:

The elf_compress tool now supports the ELFCOMPRESS_ZSTD ELF compression type.
The dwfl_module_return_value_location function now returns 0 (no return type) for DWARF Information Entries (DIEs) that point to a DW_TAG_unspecified_type type tag.
The -t and --type= options now support the Zstandard (zstd) compression format via the zstd argument.


libpfm rebased to version 4.13

The libpfm package has been updated to version 4.13. With this update, libpfm can access performance monitoring hardware native events for the following processor microarchitectures:

  • AMD Zen 2
  • AMD Zen 3
  • AMD Zen 4
  • ARM Neoverse N1
  • ARM Neoverse N2
  • ARM Neoverse V1
  • ARM Neoverse V2
  • IBM z16
  • 4th Generation Intel® Xeon® Scalable Processors

Bugzilla:2185652, Bugzilla:2111924, Bugzilla:2111946, Bugzilla:2111957, Bugzilla:2047720, Bugzilla:2111940, Bugzilla:2111933, Bugzilla:2111930

papi supports new processor microarchitectures

With this enhancement, you can access performance monitoring hardware using papi events presets on the following processor microarchitectures:

  • AMD Zen 2
  • AMD Zen 3
  • ARM Neoverse N1
  • ARM Neoverse N2
  • ARM Neoverse V1
  • ARM Neoverse V2

Bugzilla:2111923[1], Bugzilla:2111947, Bugzilla:2111942

papi now supports fast performance event count read operations for 64-bit ARM processors

Previously on 64-bit ARM processors, all performance event counter read operations required the use of a resource-intensive system call. papi has been updated for 64-bit ARM to let processes monitoring themselves with the performance counters use a faster user-space read of the performance event counters. Setting the /proc/sys/kernel/perf_user_access parameter to 1 reduces the average number of clock cycles for papi to read 2 counters from 724 cycles to 29 cycles.


LLVM Toolset rebased to version 16.0.6

LLVM Toolset has been updated to version 16.0.6.

Notable enhancements include:

  • Improvements to optimization
  • Support for new CPU extensions
  • Improved support for new C++ versions.

Notable backwards incompatible changes include:

  • Clang’s default C++ standard is now gnu++17 instead of gnu++14.
  • The -Wimplicit-function-declaration, -Wimplicit-int and -Wincompatible-function-pointer-types options now default to error for C code. This might affect the behavior of configure scripts.

By default, Clang 16 uses the libstdc++ library version 13 and binutils 2.40 provided by GCC Toolset 13.

For more information, see the LLVM release notes and Clang release notes.


Rust Toolset rebased to version 1.71.1

Rust Toolset has been updated to version 1.71.1. Notable changes include:

  • A new implementation of multiple producer, single consumer (mpsc) channels to improve performance
  • A new Cargo sparse index protocol for more efficient use of the registry
  • New OnceCell and OnceLock types for one-time value initialization
  • A new C-unwind ABI string to enable usage of forced unwinding across Foreign Function Interface (FFI) boundaries

For more details, see the series of upstream release announcements:


The Rust profiler_builtins runtime component is now available

With this enhancement, the Rust profile_builtins runtime component is now available. This runtime component enables the following compiler options:

-C instrument-coverage
Enables coverage profiling
-C profile-generate
Enables profile-guided optimization


Go Toolset rebased to version 1.20.10

Go Toolset has been updated to version 1.20.10.

Notable enhancements include:

  • New functions added in the unsafe package to handle slices and strings without depending on the internal representation.
  • Comparable types can now satisfy comparable constraints.
  • A new crypto/ecdh package.
  • The go build and go test commands no longer accept the -i flag.
  • The go generate and go test commands now accept the -skip pattern option.
  • The go build, go install, and other build-related commands now support the -pgo and -cover flags.
  • The go command now disables cgo by default on systems without a C toolchain.
  • The go version -m command now supports reading more Go binaries types.
  • The go command now disables cgo by default on systems without a C toolchain.
  • Added support for collecting code coverage profiles from applications and integration tests instead of collecting them only from unit tests.


pcp rebased to version 6.0.5

The pcp package has been updated to version 6.0.5. Notable changes include:

Collector tool features

  • pmdaproc:

    • Added support for per-cgroup IRQ PSI metrics in recent kernels
    • Added a new proc.smaps.pss_dirty metric
  • pmdasmart: Added NVME disk information and power state metrics
  • pmdalinux:

    • Added support for system wide IRQ PSI metrics in recent kernels
    • Added NUMA external memory fragmentation metric
    • Added new networking (TCP, ICMP) metrics
  • pmdaoverhead: A new PMDA to measure overhead for groups of processes
  • pmdahacluster: Updated to handle Pacemaker 2.1.5 crm_mon output changes

Monitoring tool features

  • pmieconf:

    • Added support for webhook actions (Event Driven Ansible)
    • Added a new pmie rule that checks file descriptor limits
  • pcp2json: Extended pcp2json with an option to send HTTP POSTs
  • pcp-atop: Added cgroup, NUMA memory, and NUMA CPU support
  • pcp-htop: Added support for a new open file descriptors Meter
  • pcp-ps: Added capability to show multiple archive samples


PCP’s pmie utility now supports generating webhook events

The Performance Metrics Inference Engine (pmie) utility from Performance Co-Pilot (PCP) now supports generating webhook events. With this update, configured pmie rules generate events in a format consumable by Event-Driven Ansible (EDA). As a result, EDA can respond to PCP rules.

To enable this feature, configure all local pmie rules to send to a webhook at a given endpoint (URL):

# pmieconf modify global webhook_endpoint https://localhost:443/<endpoint>
# pmieconf modify global webhook_action yes


grafana rebased to version 9.2.10

The grafana package has been updated to version 9.2.10. Notable changes include:

  • The heatmap panel is now used throughout Grafana.
  • Geomaps can now measure both distance and area.
  • The Alertmanager is now based on Prometheus Alertmanager version 0.24.
  • Grafana Alerting rules now return an Error state by default on execution error or timeout.
  • Expressions can now be used on public dashboards.
  • The join transformation now supports inner joins.
  • Public dashboards now allow sharing Grafana dashboards.
  • A new Prometheus streaming parser is now available as an opt-in feature.

For more information, see the upstream release notes:


Grafana no longer enables weak cryptographic ciphers

With this update, Grafana no longer enables ciphers that are considered weak for encrypting secure communication. The affected ciphers are:

  • AES128-GCM-SHA256
  • AES128-SHA
  • AES256-GCM-SHA384
  • AES256-SHA


.NET 8.0 is available

Red Hat Enterprise Linux 9.3 is distributed with .NET version 8.0. Notable improvements include:

  • Added support for the C#12 and F#8 language versions.
  • Added support for building container images using the .NET Software Development Kit directly.
  • Many performance improvements to the garbage collector (GC), Just-In-Time (JIT) compiler, and the base libraries.


4.14. Identity Management

samba rebased to version 4.18.6

The samba packages have been upgraded to upstream version 4.18.6, which provides bug fixes and enhancements over the previous version. The most notable changes:

  • Security improvements in previous releases impacted the performance of the Server Message Block (SMB) server for high metadata workloads. This update improves the performance in this scenario.
  • The new wbinfo --change-secret-at=<domain_controller> command enforces the change of the trust account password on the specified domain controller.
  • By default, Samba stores access control lists (ACLs) in the security.NTACL extended attribute of files. You can now customize the attribute name with the acl_xattr:<security_acl_name> setting in the /etc/samba/smb.conf file. Note that a custom extended attribute name is not a protected location as security.NTACL. Consequently, users with local access to the server can be able to modify the custom attribute’s content and compromise the ACL.

Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.

Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Red Hat does not support downgrading tdb database files.

After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.


The ipaclient role now allows configuring user subID ranges on the IdM level

With this update, the ipaclient ansible-freeipa role provides the ipaclient_subid option, using which you can configure subID ranges on the Identity Management (IdM) level. Without the new option set explicitly to true, the ipaclient role keeps the default behavior and installs the client without subID ranges configured for IdM users.

Previously, the role configured the sssd authselect profile that in turn customized the /etc/nsswitch.conf file. The subID database did not use IdM and relied only on the local files of /etc/subuid and /etc/subgid.


Multiple IdM groups and services can now be managed in a single Ansible task

With this enhancement in ansible-freeipa, you can add, modify, and delete multiple Identity Management (IdM) user groups and services by using a single Ansible task. For that, use the groups and services options of the ipagroup and ipaservice modules, respectively.

Using the groups option available in ipagroup, you can specify multiple group variables that only apply to a particular group. This group is defined by the name variable, which is the only mandatory variable for the groups option.

Similarly, using the services option available in ipaservice, you can specify multiple service variables that only apply to a particular service. This service is defined by the name variable, which is the only mandatory variable for the services option.


ansible-freeipa ipaserver role now supports Random Serial Numbers

With this update, you can use the ipaserver_random_serial_numbers=true option with the ansible-freeipa ipaserver role. This way, you can generate fully random serial numbers for certificates and requests in PKI when installing an Identity Management (IdM) server using Ansible. With RSNv3, you can avoid range management in large IdM installations and prevent common collisions when reinstalling IdM.


RSNv3 is supported only for new IdM installations. If enabled, it is required to use RSNv3 on all PKI services.


ipa rebased to version 4.10.2

The ipa package has been upgraded to version 4.10.2. Notable changes include:

  • Searching and listing certificates in the IdM CLI and Web UI now offer better performance.

For more information, see the upstream FreeIPA release notes.


The ipaserver_remove_on_server and ipaserver_ignore_topology_disconnect options are now available in the ipaserver role

If removing a replica from an Identity Management (IdM) topology by using the remove_server_from_domain option of the ipaserver ansible-freeipa role leads to a disconnected topology, you must now specify which part of the domain you want to preserve. Specifically, you must do the following:

  • Specify the ipaserver_remove_on_server value to identify which part of the topology you want to preserve.
  • Set ipaserver_ignore_topology_disconnect to True.

Note that if removing a replica from IdM by using the remove_server_from_domain option preserves a connected topology, neither of these options is required.


IdM now supports the min_lifetime parameter

With this enhancement, the min_lifetime parameter has been added to the /etc/gssproxy/*.conf file. The min_lifetime parameter triggers the renewal of a service ticket in case its remaining lifetime is lower than this value.

By default its value is 15 seconds. For network volume clients such as NFS, to reduce the risk of losing access in case the KDC is momentarily unavailable, set this value to 60 seconds.


You can now manage IdM certificates using the ipacert Ansible module

You can now use the ansible-freeipa ipacert module to request or retrieve SSL certificates for Identity Management (IdM) users, hosts and services. The users, hosts and services can then use these certificates to authenticate to IdM. You can also revoke the certificates, as well as restore certificates that have been put on hold.


The optional_pac_tkt_chksum option helps preserve interoperability between different versions of krb5

You can now use the optional_pac_tkt_chksum option to preserve the interoperability between RHEL Kerberos Distribution Center (KDC) servers running different versions of the krb5 package. Specifically, you can change their behavior regarding Privilege Attribute Certificate (PAC) ticket signature verification. If you set the optional_pac_tkt_chksum string attribute to true for the Kerberos principal expected to sign a ticket, then the KDC does not reject service for user (S4U) requests containing a ticket that lacks the PAC ticket signature. The principal to sign the ticket is the ticket-granting service (TGS) one or a cross-realm TGS one, depending on the realm of the ticket’s target service.

Since the krb5-1.20 release, MIT Kerberos KDCs have required the presence of ticket signatures in PACs based on the encrypted part of Kerberos tickets so that it could process S4U requests successfully. Previously, this was a problem in gradual upgrade scenarios where certain KDCs used krb5-1.19 or older, while others used krb5-1.20 or newer. KDCs using the newer versions of krb5 for S4U requests rejected service tickets that were provided by KDCs using the older versions of krb5 if a service used them for S4U requests.

For more information about how this feature is used in Identity Management (IdM), see this pull request.


RHEL 9.3 provides 389-ds-base 2.3.4

RHEL 9.3 is distributed with the 389-ds-base package version 2.3.4. Notable bug fixes and enhancements over version 2.3.4 include:


Directory Server can now close a client connection if a bind operation fails

Previously, when a bind operation failed, some applications that ignore the bind return code could load Director Server with further requests.

With the new nsslapd-close-on-failed-bind configuration attribute under the cn=config entry, the server can close a client connection when the bind operation fails. As a result, the server load can be reduced.


Automembership plug-in improvements. It no longer cleans up groups by default

Previously, the automember rebuild task went through all the automember rules and removed all the memberships, then the task rebuilt the memberships from scratch. Thus, the rebuild task was expensive, especially if other be_txn plugins are enabled.

With this update, the Automembership plug-in has the following improvements:

  • Only one rebuilt task is allowed at a time.
  • The Automembership plug-in now does not clean up previous members by default. Use the new CLI option --cleanup to intentionally clean up memberships before rebuilding from scratch:

    # dsconf slapd-instance_name plugins automember fixup -f objectclass=posixaccount -s sub --cleanup "ou=people,dc=example,dc=com"
  • Improved logging to show fixup progress.


New passwordAdminSkipInfoUpdate: on/off configuration option is now available

You can add a new passwordAdminSkipInfoUpdate: on/off setting under the cn=config entry to provide a fine grained control over password updates performed by password administrators. When you enable this setting, password updates do not update certain attributes, for example, passwordHistory,passwordExpirationTime,passwordRetryCount, pwdReset, and passwordExpWarned.


New slapi_memberof() plug-in function is now available for Directory Server plug-ins and client applications

The new slapi_memberof() function retrieves distinguished names (DNs) of groups to which the given entry belongs directly or indirectly. Previously, MemberOf, Referential Integrity, and ACL plug-ins implemented their own mechanism to retrieve such groups. With this update, you can use the slapi_memberof() function that introduces a unified mechanism to return group DNs.


Directory Server now replaces the virtual attribute nsRole with an indexed attribute for managed and filtered roles

Previously, LDAP searches that contained the virtual attribute nsRole in the filter were time consuming because that attribute can not be indexed. With this update, when you perform the ldapsearch with virtual attribute nsRole in the filter, Directory Server replaces the nsRole attribute the following way:

  • For managed roles, the nsRole attribute is replaced with the nsRoleDN attribute.
  • For filtered roles, the nsRole attribute is replaced with the nsRoleFilter attribute.

As a result, response time for search with the nsRole attribute improves because the search becomes indexed.

Note that this update does not apply to nested roles.


New nsslapd-numlisteners configuration option is now available

The nsslapd-numlisteners attribute specifies the number of listener threads Directory Server can use to monitor established connections. You can improve the response times when the server experiences a large number of client connection by increasing the attribute value.


IdM supports the option to control the encryption type used to sign the PAC

By default, the Kerberos Key Distribution Center (KDC) generates an AES HMAC-SHA2 signature for the Privilege Attribute Certificate (PAC). However, this encryption type is not supported by Active Directory (AD). As a result, AD cross-realm constrained delegation requests are not processed correctly.

With this enhancement, you can now control the encryption type used to sign the PAC by setting the pac_privsvr_entype attribute on the TGS principal, krbtgt/[realm]@[realm], to the required encryption type for the target realm. In IdM, this string attribute is automatically configured when an AD trust exists.

WARNING: This update is about standalone MIT realms. Do not change the Kerberos Distribution Center (KDC) configuration in RHEL Identity Management.

For example, for an MIT realm and an AD realm, to ensure cross-realm ticket-granting tickets (TGT) use AD-compatible encryption types, an administrator must configure the cross-realm TGS principal as shown below on the MIT side. This results in cross-realm TGTs using the AES 256 HMAC-SHA1 encryption type and constrained delegation requests being processed correctly.

kadmin.local <<EOF
setstr krbtgt/AD@IPA pac_privsvr_enctype aes256-cts-hmac-sha1-96
setstr krbtgt/IPA@AD pac_privsvr_enctype aes256-cts-hmac-sha1-96


4.15. Graphics infrastructures

Intel Arc A-Series graphics is now fully supported

The Intel Arc A-Series graphics (Alchemist or DG2) feature, previously available as a Technology Preview, is now fully supported. Intel Arc A-Series graphics is a GPU that enables hardware acceleration, mostly used in PC gaming.


4.16. The web console

Podman healthcheck action is now available

You can select one of the following Podman healthcheck actions when creating a new container:

  • No action (default): Take no action.
  • Restart: Restart the container.
  • Stop: Stop the container.
  • Force stop: Force stops the container, it does not wait for the container to exit.


Stratis is now available in the RHEL web console

With this update, the Red Hat Enterprise Linux web console provides the ability to manage Stratis storage.

To learn more about Stratis, see Setting up Stratis file systems using the web console.


4.17. Red Hat Enterprise Linux System Roles

New RHEL System Role for managing systemd units

The rhel-system-role package now contains the systemd RHEL System Role. You can use this role to deploy unit files and manage systemd units on multiple systems. You can automate systemd functionality by providing systemd unit files and templates, and by specifying the state of those units, such as started, stopped, masked and other.


New option in the ssh role to disable configuration backups

You can now prevent old configuration files from being backed up before they are overwritten by setting the new ssh_backup option to false. Previously, backup configuration files were created automatically, which might be unnecessary. The default value of the ssh_backup option is true, which preserves the original behavior.


keylime_server RHEL System Role

With the new keylime_server RHEL System Role, you can use Ansible playbooks to configure the verifier and registrar Keylime components on RHEL 9 systems. Keylime is a remote machine attestation tool that uses the trusted platform module (TPM) technology.


Support for new ha_cluster System Role features

The ha_cluster System Role now supports the following features:

  • Configuration of resource and resource operation defaults, including multiple sets of defaults with rules.
  • Loading and blocking of SBD watchdog kernel modules. This makes installed hardware watchdogs available to the cluster.
  • Assignment of distinct passwords to the cluster hosts and the quorum device. This allows you to configure a deployment where the same quorum hosts are joined to multiple, separate clusters, and the passwords of the hacluster user on these clusters are different.

For information about the parameters you configure to implement these features, see Configuring a high-availability cluster by using the ha_cluster RHEL System Role.

Bugzilla:2185065, Bugzilla:2185067, Bugzilla:2216481

storage system role supports configuring the stripe size for RAID LVM volumes

With this update, you can now specify a custom stripe size when creating RAID LVM devices. For better performance, use the custom stripe size for SAP HANA. The recommended stripe size for RAID LVM volumes is 64 KB.


The network RHEL system role supports the auto-dns option to control automatic DNS record updates

This enhancement provides support for defined name servers and search domains. You can now use only the name servers and search domains specified in dns and dns_search properties while disabling automatically configured name servers and search domains such as dns record from DHCP. With this enhancement, you can disable automatically auto dns record by changing the auto-dns settings.


The network RHEL system role supports the no-aaaa DNS option

You can now use the no-aaaa option to configure DNS settings on managed nodes. Previously, there was no option to suppress AAAA queries generated by the stub resolver, including AAAA lookups triggered by NSS-based interfaces such as getaddrinfo; only DNS lookups were affected. With this enhancement, you can now suppress AAAA queries generated by the stub resolver.


The ad_integration RHEL System Role can now rejoin an AD domain

With this update, you can now use the ad_integration RHEL System Role to rejoin an Active Directory (AD) domain. To do this, set the ad_integration_force_rejoin variable to true. If the realm_list output shows that host is already in an AD domain, it will leave the existing domain before rejoining it.


The certificate RHEL System Role now allows changing certificate file mode when using certmonger

Previously, certificates created by the certificate RHEL System Role with the certmonger provider used a default file mode. However, in some use-cases you may require a more restrictive mode. With this update, you can now set a different certificate and a key file mode using the mode parameter.


The postgresql RHEL System Role is now available

The new postgresql RHEL System Role installs, configures, manages, and starts the PostgreSQL server. The role also optimizes the database server settings to improve performance.

The role supports the currently released and supported versions of PostgreSQL on RHEL 8 and RHEL 9 managed nodes.

For more information, see Installing and configuring PostgreSQL by using the postgresql RHEL System Role.


podman RHEL System Role now supports Quadlets, healthchecks, and secrets

Starting with Podman 4.6, you can use the podman_quadlet_specs variable in the podman RHEL System Role. You can define a Quadlet by specifying a unit file, or in the inventory by a name, a type of unit, and a specification. Types of a unit can be the following: container, kube, network, and volume. Note that Quadlets work only with root containers on RHEL 8. Quadlets work with rootless containers on RHEL 9.

The healthchecks are supported only for Quadlet Container types. In the [Container] section, specify the HealthCmd field to define the healthcheck command and HealthOnFailure field to define the action when a container is unhealthy. Possible options are none, kill, restart, and stop.

You can use the podman_secrets variable to manage secrets. For details, see upstream documentation.


Improved performance of the selinux System Role with restorecon -T 0

The selinux System Role now uses the -T 0 option with the restorecon command in all applicable cases. This improves the performance of tasks that restore default SELinux security contexts on files.


The rhc System Role now supports setting a proxy server type

The newly introduced attribute scheme under the rhc_proxy parameter enables you to configure the proxy server type by using the rhc system role. You can set two values: http, the default and https.


firewall RHEL System Role supports variables related to ipsets

With this update of the firewall RHEL System Role, you can define, modify, and delete ipsets. Also, you can add and remove those ipsets from firewall zones. Alternatively, you can use those ipsets when defining firewall rich rules.

You can manage ipsets with the firewall RHEL System Role using the following variables:

  • ipset
  • ipset_type
  • ipset_entries
  • short
  • description
  • state: present or state: absent
  • permanent: true

The following are some notable benefits of this enhancement:

  • You can reduce the complexity of the rich rules that define rules for many IP addresses.
  • You can add or remove IP addresses from sets as needed without modifying multiple rules.

For more details, see resources in the /usr/share/doc/rhel-system-roles/firewall/ directory.


RHEL System Roles now have new volume options for mount point customization

With this update, you can now specify mount_user, mount_group, and mount_permissions parameters for your mount directory.


The firewall RHEL System Role has an option to disable conflicting services, and it no longer fails if firewalld is masked

Previously, the firewall System Role failed when the firewalld service was masked on the role run or in the presence of conflicting services. This update brings two notable enhancements:

The linux-system-roles.firewall role always attempts to install, unmask, and enable the firewalld service on role run. You can now add a new variable firewall_disable_conflicting_services to your playbook to disable known conflicting services, for example, iptables.service, nftables.service, and ufw.service. The firewall_disable_conflicting_services variable is set to false by default. To disable conflicting services, set the variable to true.


Resetting the firewall RHEL System Role configuration now requires minimal downtime

Previously, when you reset the firewall role configuration by using the previous: replaced variable, the firewalld service restarted. Restarting adds downtime and prolongs the period of an open connection in which firewalld does not block traffic from active connections. With this enhancement, the firewalld service completes the configuration reset by reloading instead of restarting. Reloading minimizes the downtime and reduces the opportunity to bypass firewall rules. As a result, using the previous: replaced variable to reset the firewall role configuration now requires minimal downtime.


4.18. Virtualization

sevctl is now fully compatible with AMD EPYC Rome and Milan

With this update, the sevctl utility correctly recognizes the latest AMD EPYC cores, including the AMD EPYC Rome and AMD EPYC Milan series. As a result, you can use sevctl to configure the respective features of AMD Secure Encrypted Virtualization (SEV) that are available on these CPUs.

Note, however, that advanced SEV functions, such as SEV-ES and SEV-SNP are only provided as Technology Previews in RHEL 9, and therefore unsupported.


virtio-vga and virtio-gpu devices now support blob resources

It is now possible for virtio-vga and virtio-gpu devices to use blob memory resources, which improves their performance in certain scenarios. To attach a blob resource to a virtio graphics device, add a blob="on" option to the corresponding <video> section in the virtual machine’s XML configuration. For example:

  <model type="virtio" heads="1" primary="yes" blob="on"/>
  <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0"/>

Note, however, that this feature currently does not work on IBM Z hosts.


Virtualization support for 4th Generation Intel Xeon Scalable processors

With this update, virtualization on RHEL 9 adds support for the 4th Generation Intel Xeon Scalable processors, formerly known as Sapphire Rapids. As a result, virtual machines hosted on RHEL 9 can now use the SapphireRapids CPU model and utilise new features that the processors provide.


Improved memory reclaiming for Secure Execution on IBM Z

When using a virtual machine (VM) with IBM Secure Execution on IBM Z, you can now set up enhanced memory reclaiming for the VM. If the VM is using 32 GiB or more RAM, this setting improves the performance of rebooting or stopping the VM.

To set up enhanced memory reclaiming in a VM, add the <async-teardown enabled='yes'/> line to the <features></features> section in its XML configuration.


New virtualization features in the RHEL web console

With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:

  • Select the Create and edit button for a virtual machine (VM) based on a cloud image, which allows you to edit all of the VM properties before the VM is installed.
  • Create a raw storage volume during virtual machine creation.
  • Set up a virtual socket (vsock) to enable communication between the host and the VM over a socket.

    Note that a virtual socket requires vsock-aware software, such as socat, to enable the communication.


4.19. RHEL in cloud environments

cloud-init supports NetworkManager keyfiles

With this update, the cloud-init utility can use a NetworkManager (NM) keyfile to configure the network of the created cloud instance.

Note that by default, cloud-init still uses the sysconfig method for network setup. To configure cloud-init to use a NM keyfile instead, edit the /etc/cloud/cloud.cfg and set network-manager as the primary network renderer:

# cat /etc/cloud/cloud.cfg

      renderers: ['network-manager', 'eni', 'netplan', 'sysconfig', 'networkd']


cloud-init now uses VMware datasources by default on ESXi

When creating RHEL virtual machines (VMs) on a host that uses the VMware ESXi hypervisor, such as the VMware vSphere cloud platform. This improves the performance and stability of creating an ESXi instance of RHEL by using cloud-init. Note, however, that ESXi is still compatible with Open Virtualization Format (OVF) datasources, and you can use an OVF datasource if a VMware one is not available.


4.20. Supportability

sos rebased to version 4.6

The sos utility, for collecting configuration, diagnostic, and troubleshooting data, has been rebased to version 4.6. This update provides the following enhancements:

  • sos reports now include the contents of both /boot/grub2/custom.cfg and /boot/grub2/user.cfg files that might contain critical information for troubleshooting boot issues. (BZ#2213951)
  • The sos plugin for OVN-Kubernetes collects additional logs for the interconnect environment. With this update, sos also collects logs from the ovnkube-controller container when both ovnkube-node and ovnkube-controller containers are merged into one.

In addition, notable bug fixes include:

  • sos now correctly gathers cgroup data in the OpenShift Container Platform 4 environment (BZ#2186361).
  • While collecting sos reports with the sudo plugin enabled, sos now removes the bindpw option properly. (BZ#2143272)
  • The subscription_manager plugin no longer collects proxy usernames and passwords from the /var/lib/rhsm/ path. (BZ#2177282)
  • The virsh plugin no longer collects the SPICE remote-display passwords in virt-manager logs, which prevents sos from disclosing passwords in its reports. (BZ#2184062)
  • The sos utility now masks all potential private information present in plain text in system files when generating the sos report. (BZ#2187859)
  • sos completes the tailed log collection even when the size of the log file is exceeded and when a plugin times out. (BZ#2203141)
  • When entering the sos collect command on a Pacemaker cluster node, sos collects an sos report from the same cluster node. (BZ#2186460)
  • When collecting data from a host in the OpenShift Container Platform 4 environment, sos now uses the sysroot path, which ensures that only the correct data are assembled. (BZ#2075720)
  • The sos report --clean command obfuscates all MAC addresses as intended. (BZ#2207562)
  • Disabling the hpssm plugin no longer raises exceptions. (BZ#2216608)
  • The sos clean command follows permissions of sanitized files. (BZ#2218279)

For details on each release of sos, see upstream release notes.


4.21. Containers

Podman supports pulling and pushing images compressed with zstd

You can pull and push images compressed with the zstd format. The zstd compression is more efficient and faster than gzip. It can reduce the amount of network traffic and storage involved in pulling and pushing the image.


Quadlet in Podman is now available

Beginning with Podman v4.6, you can use Quadlet to automatically generate a systemd service file from a container description. The Quadlets might be easier to use than the podman generate systemd command because the description focuses on the relevant container details and without the technical complexity of running containers under systemd.

For more details, see the Quadlet upstream documentation and the Make systemd better for Podman with Quadlet article.


The Container Tools packages have been updated

The updated Container Tools RPM meta-package, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. This update applies a series of bug fixes and enhancements over the previous version.

Notable changes in Podman v4.6 include:

  • The podman kube play command now supports the --configmap=<path> option to provide Kubernetes YAML file with environment variables used within the containers of the pod.
  • The podman kube play command now supports multiple Kubernetes YAML files for the --configmap option.
  • The podman kube play command now supports containerPort names and port numbers within liveness probes.
  • The podman kube play command now adds the ctrName as an alias to the pod network.
  • The podman kube play and podman kube generate commands now support SELinux filetype labels and ulimit annotations.
  • A new command, podman secret exists, has been added, which verifies if a secret with the given name exists.
  • The podman create, podman run, podman pod create, and podman pod clone commands now support a new option, --shm-size-systemd, which allows limiting tmpfs sizes for systemd-specific mounts.
  • The podman create and podman run commands now support a new option, --security-opt label=nested, which allows SELinux labeling within a confined container.
  • Podman now supports auto updates for containers running inside a pod.
  • Podman can now use an SQLite database as a backend for increased stability. The default remains the BoltDB database. You can select the database by setting the database_backend field in the containers.conf file.
  • Podman now supports Quadlets to automatically generate a systemd service file from the container description. The description focuses on the relevant container details and hides the technical complexity of running containers under systemd.

For further information about notable changes, see upstream release notes.


Podman now supports a Podmansh login shell

Beginning with Podman v4.6, you can use the Podmansh login shell to manage user access and control. Configure your settings to use the /usr/bin/podmansh command as a login shell instead of a standard shell command, for example, /usr/bin/bash. When a user logs into a system setup, the podmansh command runs the user’s session into a Podman container named podmansh. Containers into which users log in are defined using the Quadlet files, which are created in the /etc/containers/systemd/users/ directory. In these files, set the ContainerName field in the [Container] section to podmansh. The systemd automatically starts podmansh when the user session starts and continues running until all user sessions exit.

For more information, see Podman v4.6.0 Introduces Podmansh: A Revolutionary Login Shell.


Clients for sigstore signatures with Fulcio and Rekor are now available

With Fulcio and Rekor servers, you can now create signatures by using short-term certificates based on an OpenID Connect (OIDC) server authentication, instead of manually managing a private key. Clients for sigstore signatures with Fulcio and Rekor, previously available as a Technology Preview, are now fully supported. This added functionality is the client side support only, and does not include either the Fulcio or Rekor servers.

Add the fulcio section in the policy.json file. To sign container images, use the podman push --sign-by-sigstore=file.yml or skopeo copy --sign-by-sigstore=file.yml commands, where file.yml is the sigstore signing parameter file.

To verify signatures, add the fulcio section and the rekorPublicKeyPath or rekorPublicKeyData fields in the policy.json file. For more information, see containers-policy.json man page.


The pasta networking mode is now available

Starting with Podman v4.4.1, you can use the pasta network mode. It is a high-performance replacement of the default network mode slirp4netns and supports IPv6 forwarding. To select the pasta network mode, install the passt package to use the podman run command with the --network=pasta option. With Podman v4.6, you can set default rootless network mode in the /etc/containers/containers.conf configuration file by using the default_rootless_network_cmd field under the [network] section.


UBI 9 Micro Container Image no longer contains zoneinfo installed by tzdata

With this update, the timezone information provided by the tzdata package is no longer included in UBI 9 Micro container images, consequently reducing the image size. The UBI 9 Minimal and UBI 9 Micro containers are UTC-only, and users should reinstall the tzdata package to get the full zoneinfo, if needed.