Chapter 4. New features

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.8.

4.1. Installer and image creation

A new and improved way to create blueprints and images in the image builder web console

With this enhancement, you have access to a unified version of the image builder tool and a significant improvement in your user experience.

Notable enhancements in the image builder dashboard GUI include:

  • You can now customize your blueprints with all the customizations previously supported only in the CLI, such as kernel, file system, firewall, locale, and other customizations.
  • You can import blueprints by either uploading or dragging the blueprint in the .JSON or .TOML format and create images from the imported blueprint.
  • You can also export or save your blueprints in the .JSON or .TOML format.
  • Access to a blueprint list that you can sort, filter, and is case-sensitive.
  • With the image builder dashboard, you can now access your blueprints, images, and sources by navigating through the following tabs:

    • Blueprint - Under the Blueprint tab, you can now import, export, or delete your blueprints.
    • Images - Under the Images tab, you can:

      • Download images.
      • Download image logs.
      • Delete images.
    • Sources - Under the Sources tab, you can:

      • Download images.
      • Download image logs.
      • Create sources for images.
      • Delete images.


Support for 64-bit ARM for .vhd images built with image builder

Previously, Microsoft Azure .vhd images created with the image builder tool were not supported on 64-bit ARM architectures. This update adds support for 64-bit ARM Microsoft Azure .vhd images and now you can build your .vhd images using image builder and upload them to the Microsoft Azure cloud.


4.2. RHEL for Edge

Ability to specify user in a blueprint for simplified-installer images

Previously, when creating a blueprint for a simplified-installer image, you could not specify a user in the blueprint customization, because the customization was not used and was discarded. With this update, when you create an image from the blueprint, this blueprint creates a user under the /usr/lib/passwd directory and a password under the /usr/etc/shadow directory during installation time. You can log in to the device with the username and the password you created for the blueprint. Note that after you access the system, you need to create users, for example, using the useradd command.


Red Hat build of MicroShift enablement for RHEL for Edge images

With this enhancement, you can enable Red Hat build of MicroShift services in a RHEL for Edge system. By using the [[customizations.firewalld.zones]] blueprint customization, you can add support for firewalld sources in the blueprint customization. For that, specify a name for the zone and a list of sources in that specific zone. Sources can be of the form source[/mask]|MAC|ipset:ipset.

The following is a blueprint example on how to configure and customize support for Red Hat build of MicroShift services in a RHEL for Edge system.

name = "microshift"
version = "*"
enabled = ["microshift"]
name = "trusted"
sources = ["", ""]

The Red Hat build of MicroShift installation requirements, such as firewall policies, MicroShift RPM, systemd service, enable you to create a deployment ready for production to achieve workload portability to a minimum field deployed edge device and by default LVM device mapper enablement.


4.3. Software management

New yum offline-upgrade command for offline updates on RHEL

With this enhancement, you can apply offline updates to RHEL by using the new yum offline-upgrade command from the YUM system-upgrade plug-in.


The yum system-upgrade command included in the system-upgrade plug-in is not supported on RHEL.


Applying advisory security filters to yum offline-upgrade is now supported

With this enhancement, the new functionality for advisories filtering has been added. As a result, you can now download packages and their dependencies only from the specified advisory by using the yum offline-upgrade command with advisory security filters (--advisory, --security, --bugfix, and other filters).


The unload_plugins function is now available for the YUM API

With this enhancement, a new unload_plugins function has been added to the YUM API to allow plug-ins unloading.


Note that you must first run the init_plugins function, and then run the unload_plugins function.


New --nocompression option for rpm2archive

With this enhancement, the --nocompression option has been added to the rpm2archive utility. You can use this option to avoid compression when directly unpacking an RPM package.


4.4. Shells and command-line tools

ReaR is now fully supported also on the 64-bit IBM Z architecture

Basic Relax and Recover (ReaR) functionality, previously available on the 64-bit IBM Z architecture as a Technology Preview, is fully supported with the rear package version 2.6-9.el8 or later. You can create a ReaR rescue image on the IBM Z architecture in the z/VM environment only. Backing up and recovering logical partitions (LPARs) is not supported at the moment. ReaR supports saving and restoring disk layout only on Extended Count Key Data (ECKD) direct access storage devices (DASDs). Fixed Block Access (FBA) DASDs and SCSI disks attached through Fibre Channel Protocol (FCP) are not supported for this purpose. The only output method currently available is Initial Program Load (IPL), which produces a kernel and an initial ramdisk (initrd) compatible with the zIPL bootloader.

For more information see Using a ReaR rescue image on the 64-bit IBM Z architecture.

Bugzilla:2130206, Bugzilla:1868421

4.5. Infrastructure services

New synce4l package for frequency synchronization is now available

SyncE (Synchronous Ethernet) is a hardware feature that enables PTP clocks to achieve precise synchronization of frequency at the physical layer. SyncE is supported in certain network interface cards (NICs) and network switches.

With this enhancement, the new synce4l package is now available, which provides support for SyncE. As a result, Telco Radio Access Network (RAN) applications can now achieve more efficient communication due to more accurate time synchronization.


powertop rebased to version 2.15

The powertop package for improving the energy efficiency has been updated to version 2.15. Notable changes and enhancements include:

  • Several Valgrind errors and possible buffer overrun have been fixed to improve the powertop tool stability.
  • Improved compatibility with Ryzen processors and Kaby Lake platforms.
  • Enabled Lake Field, Alder Lake N, and Raptor Lake platforms support.
  • Enabled Ice Lake NNPI and Meteor Lake mobile and desktop support.


tuned rebased to version 2.20.0

The TuneD utility for optimizing the performance of applications and workloads has been updated to version 2.20.0. Notable changes and enhancements over version 2.19.0 include:

  • An extension of API enables you to move devices between plug-in instances at runtime.
  • The plugin_cpu module, which provides fine-tuning of CPU-related performance settings, introduces the following enhancements:

    • The pm_qos_resume_latency_us feature enables you to limit the maximum time allowed for each CPU to transition from an idle state to an active state.
    • TuneD adds support for the intel_pstate scaling driver, which provides scaling algorithms to tune the systems’ power management based on different usage scenarios.
  • The socket API to control TuneD through a Unix domain socket is now available as a Technology Preview. See Socket API for TuneD available as a Technology Preview for more information.

Bugzilla:2133814, Bugzilla:2113925, Bugzilla:2118786, Bugzilla:2095829, Bugzilla:2113900

4.6. Security

FIPS mode now has more secure settings that target FIPS 140-3

The FIPS mode settings in the kernel have been adjusted to conform to the Federal Information Processing Standard (FIPS) 140-3. This change introduces stricter settings to many cryptographic algorithms, functions, and cipher suites. Most notably:

  • The Triple Data Encryption Standard (3DES), Elliptic-curve Diffie-Hellman (ECDH), and Finite-Field Diffie-Hellman (FFDH) algorithms are now disabled. This change affects Bluetooth, DH-related operations in the kernel keyring, and Intel QuickAssist Technology (QAT) cryptographic accelerators.
  • The hash-based message authentication code (HMAC) key now cannot be shorter than 112 bits. The minimum key length is set to 2048 bits for Rivest-Shamir-Adleman (RSA) algorithms.
  • Drivers that used the xts_check_key() function have been updated to use the xts_verify_key() function instead.
  • The following Deterministic Random Bit Generator (DRBG) hash functions are now disabled: SHA-224, SHA-384, SHA512-224, SHA512-256, SHA3-224, and SHA3-384.

Even though the RHEL 8.6 (and newer) kernel in FIPS mode is designed to be compliant with FIPS 140-3, it is not yet certified by the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP). The latest certified kernel module is the updated RHEL 8.5 kernel after the RHSA-2021:4356 advisory update. That certification applies to the FIPS 140-2 standard. You cannot choose whether a cryptographic module conforms to FIPS 140-2 or 140-3. For more information, see the Compliance Activities and Government Standards: FIPS 140-2 and FIPS 140-3 Knowledgebase article.

Bugzilla:2107595, Bugzilla:2158893, Bugzilla:2175234, Bugzilla:2166715, Bugzilla:2129392, Bugzilla:2152133

Libreswan rebased to 4.9

The libreswan packages have been upgraded to version 4.9. Notable changes over the previous version include:

  • Added support for {left,right}pubkey= to the addconn and whack utilities
  • Added key derivation function (KDF) self-tests
  • Updated list of allowed system calls for the seccomp filter
  • Show host’s authentication key (showhostkey):

    • Added support for Elliptic Curve Digital Signature Algorithm (ECDSA) pubkeys
    • Added the --pem option to print Privacy-Enhanced Mail (PEM)-encoded public key
  • The Internet Key Exchange Protocol Version 2 (IKEv2):

    • Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) support
    • EAP-only authentication support
    • Labeled IPsec improvements
  • The pluto Internet Key Exchange (IKE) daemon:

    • Support for maxbytes and maxpacket counters
    • Changed default value of replay-window from 32 to 128
    • Changed the default value of esn= to either and preferred value to yes
    • Disabled esn when replay-window= is set to 0
    • Dropped obsolete debug options such as crypto-low


SELinux now confines udftools

With this update of the selinux-policy packages, SELinux confines the udftools service.


New SELinux policy for systemd-socket-proxyd

Because the systemd-socket-proxyd service requires particular resources usage, a new policy with the required rules was added to the selinux-policy packages. As a result, the service runs in its SELinux domain.


OpenSCAP rebased to 1.3.7

The OpenSCAP packages have been rebased to upstream version 1.3.7. This version provides various bug fixes and enhancements, most notably:

  • Fixed error when processing OVAL filters (rhbz#2126882)
  • OpenSCAP no longer emits invalid empty xmlfilecontent items if XPath does not match (rhbz#2139060)
  • Prevented Failed to check available memory errors (rhbz#2111040)


scap-security-guide rules for Rsyslog log files are compatible with RainerScript

Rules in scap-security-guide for checking and remediating ownership, group ownership, and permissions of Rsyslog log files are now also compatible with log files defined by using the RainerScript syntax. Modern systems already use the RainerScript syntax in Rsyslog configuration files and the respective rules were not able to recognize this syntax. As a result, scap-security-guide rules can now check and remediate ownership, group ownership, and permissions of Rsyslog log files in both available syntaxes.


STIG security profile updated to version V1R9

The DISA STIG for Red Hat Enterprise Linux 8 profile in the SCAP Security Guide has been updated to align with the latest version V1R9. This release also includes changes published in V1R8.

Use only the current version of this profile because previous versions are no longer valid.

The following STIG IDs have been updated:

  • V1R9

    • RHEL-08-010359 - Selected rule aide_build_database
    • RHEL-08-010510 - Removed rule sshd_disable_compresssion
    • RHEL-08-020040 - New rule to configure tmux keybinding
    • RHEL-08-020041 - New rule to configure starting tmux instead of exec tmux
  • V1R8

    • Multiple STIG IDs - The sshd and sysctl rules can identify and remove duplicate or conflicting configurations.
    • RHEL-08-010200 - SSHD ClientAliveCountMax is configured with value 1.
    • RHEL-08-020352 - Check and remediations now ignore .bash_history.
    • RHEL-08-040137 - Check updated to examine both /etc/fapolicyd/fapolicyd.rules and /etc/fapolicyd/complied.rules.

Automatic remediation might make the system non-functional. Run the remediation in a test environment first.


RHEL 8 STIG profiles are better aligned with the benchmark

Four existing rules that satisfy RHEL 8 STIG requirements were part of the data stream but were previously not included in the STIG profiles (stig and stig_gui). With this update, the following rules are now included in the profiles:

  • accounts_passwords_pam_faillock_dir
  • accounts_passwords_pam_faillock_silent
  • account_password_selinux_faillock_dir
  • fapolicy_default_deny

As a result, the RHEL 8 STIG profiles have a higher coverage.


SCAP Security Guide rebased to 0.1.66

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.66. This version provides various enhancements and bug fixes, most notably:

  • Updated RHEL 8 STIG profiles
  • Deprecated rule account_passwords_pam_faillock_audit in favor of accounts_passwords_pam_faillock_audit


OpenSSL driver can now use certificate chains in Rsyslog

The NetstreamDriverCaExtraFiles directive allows configuring multiple additional certificate authority (CA) files. With this update, you can specify multiple CA files and the OpenSSL library can validate them, which is necessary for SSL certificate chains. As a result, you can use certificate chains in Rsyslog with the OpenSSL driver.


opencryptoki rebased to 3.19.0

The opencryptoki package has been rebased to version 3.19.0, which provides many enhancements and bug fixes. Most notably, opencryptoki now supports the following features:

  • IBM-specific Dilithium keys
  • Dual-function cryptographic functions
  • Cancelling active session-based operations by using the new C_SessionCancel function, as described in the PKCS #11 Cryptographic Token Interface Base Specification v3.0
  • Schnorr signatures through the CKM_IBM_ECDSA_OTHER mechanism
  • Bitcoin key derivation through the CKM_IBM_BTC_DERIVE mechanism
  • EP11 tokens in IBM z16 systems


New SCAP rule for idle session termination

New SCAP rule logind_session_timeout has been added to the scap-security-guide package in ANSSI-BP-028 profiles for Enhanced and High levels. This rule uses a new feature of the systemd service manager and terminates idle user sessions after a certain time. This rule provides automatic configuration of a robust idle session termination mechanism which is required by multiple security policies. As a result, OpenSCAP can automatically check the security requirement related to terminating idle user sessions and, if necessary, remediate it.


fapolicyd now provides filtering of the RPM database

With the new configuration file /etc/fapolicyd/rpm-filter.conf, you can customize the list of RPM-database files that the fapolicyd software framework stores in the trust database. This way, you can block certain applications installed by RPM or allow an application denied by the default configuration filter.


4.7. Networking

The default MPTCP subflow limit is 2

A subflow is a single TCP connection that is part of a Multipath TCP (MPTCP) connection. A subflow limit in MPTCP refers to the maximum number of additional connections that can be created between two MPTCP endpoints. You can use the limit to restrict the number of additional parallel subflows that can be created between the endpoints, to avoid overloading the network and the endpoints. For example the value of 0 allows only the initial subflow.

With this enhancement, the default MPTCP subflow limit has been increased from 0 to 2. This enables you by default to create multiple additional subflows. If you need a different value, you can create a Systemd oneshot unit. The unit should execute the ip mptcp limits set subflows <YOUR_VALUE> command after your network ( is operational during every boot process.


The kernel now logs the listening address in SYN flood messages

This enhancement adds the listening IP address to SYN flood messages:

Possible SYN flooding on port <ip_address>:<port>.

As a result, if many processes are bound to the same port on different IP addresses, administrators can now clearly identify the affected socket.


The nm-initrd-generator profiles now have lower priority than autoconnect profiles

The nm-initrd-generator early boot NetworkManager configuration generator utility generates and configures connection profiles by using the NetworkManager instance running in the boot loader’s initialized initrd RAM disk. The nm-initrd-generator utility generated profiles now have a lower autoconnect priority than the default connection autoconnect priority. This enables generated network profiles in initrd to coexist with user configuration in default root account.


After switching from initrd root account to default root, the same profile stays activated and no new autoconnect happens.


nispor rebased to version 1.2.10

The nispor packages have been upgraded to upstream version 1.2.10, which provides a number of enhancements and bug fixes over the previous version:

  • Added support for NetStateFilter to use the kernel filter on network routes and interfaces.
  • Single Root Input and Output Virtualization (SR-IOV) interfaces can query SR-IOV Virtual Function (SR-IOV VF) information per (VF).
  • Newly supported bonding options: lacp_active, arp_missed_max, and ns_ip6_target.


NetworkManager rebased to version 1.40.16

The NetworkManager packages have been upgraded to upstream version 1.40.16, which provides a number of bug fixes over the previous version:

  • The nm-cloud-setup utility preserves externally added addresses.
  • A race condition was fixed that prevented the automatic activation of MACsec connections at boot.
  • NetworkManager now correctly calculates expiration times for items configured from IPv6 neighbor discovery messages.
  • NetworkManager now automatically updates the /etc/resolv.conf file when the configuration changes.
  • NetworkManager no longer sets non-existent interfaces as primary when activating a bond.
  • Setting a primary interface in a bond now always works, even if the interface does not exist when you active the bond.
  • The NetworkManager --print-config command no longer prints duplicate entries.
  • The ifcfg-rh plug-in can now read InfiniBand P-Key connection profiles without an explicit interface name.
  • The nmcli utility can now remove a bond port connection profile from a bond.
  • A race condition was fixed that could occur during the activation of veth profiles if the peer already existed.
  • NetworkManager now rejects DHCPv6 leases if all addresses fail IPv6 duplicate address detection (DAD).
  • NetworkManager now waits until interfaces are connected before trying to resolve the system hostname on these interfaces from DNS.
  • Profiles created by the nm-initrd-generator utility now have a lower-than-default priority.

For further information about notable changes, read the upstream release notes.


4.8. Kernel

Kernel version in RHEL 8.8

Red Hat Enterprise Linux 8.8 is distributed with the kernel version 4.18.0-477.10.


Secure Execution guest dump encryption with customer keys

This new feature allows Secure Execution guests to use hypervisor-initiated dumps to collect kernel crash information from KVM when the kdump utility does not work. Note that hypervisor-initiated dumps for Secure Execution are designed for the IBM Z Series z16 and LinuxONE Emperor 4 hardware.


The sfc driver has split into sfc and sfc_siena

Following the changes in the upstream driver, the sfc NIC driver is now split into 2 different drivers: sfc and sfc_siena. sfc_siena supports the deprecated Siena family devices.

Note that custom configurations of the kernel module parameters and udev rules applied to sfc do not affect sfc_siena as they are now independent drivers. To customize both drivers, replicate the configuration options for sfc_siena.


The stmmac driver is now fully supported

Red Hat now fully supports the stmmac driver for Intel® Elkhart Lake systems on a chip (SoCs).


The rtla meta-tool adds the osnoise and timerlat tracers for improved tracer capabilities

The Real-Time Linux Analysis (rtla) is a meta-tool that includes a set of commands that analyze the real-time properties of Linux. rtla leverages kernel tracing capabilities to provide accurate information about the properties and root causes of unexpected system results. rtla currently adds support for osnoise and timerlat tracer commands. The osnoise tracer reports a kernel thread per CPU. The timerlat tracer periodically prints the timer latency at the timer IRQ handler and the thread handler.

Note that to use the timerlat feature of rtla, you must disable admission control by using the sysctl -w kernel.sched_rt_runtime_us=-1 script.


The output format for cgroups and irqs has been improved to provide better readability

With this enhancement, the tuna show_threads command output for the cgroup utility is now structured based on the terminal size. You can also configure additional spacing to the cgroups output by adding the new -z or --spaced option to the show_threads command. As a result, you can now view the cgroups output in an improved readable format that is adaptable to your terminal size.


The rteval command output now includes the program loads and measurement threads information

The rteval command now displays a report summary with the number of program loads, measurement threads, and the corresponding CPU that ran these threads. This information helps to evaluate the performance of a real-time kernel under load on specific hardware platforms.

The rteval report is written to an XML file along with the boot log for the system and saved to the rteval-<date>-N-tar.bz2 compressed file. The date specifies the report generation date and N is the counter for the Nth run.

To generate an rteval report, enter the following command:

# rteval --summarize rteval-<date>-N.tar.bz2


The -W and --bucket-width options have been added to the oslat program to measure latency

With this enhancement, you can specify a latency range for a single bucket at nanosecond accuracy. Widths that are not multiples of 1000 nanoseconds indicate nanosecond precision. By using the new options, -W or --bucket-width, you can modify the latency interval between buckets to measure latency within sub-microseconds delay time.

For example to set a latency bucket width of 100 nanoseconds for 32 buckets over a duration of 10 seconds to run on CPU range of 1-4 and omit zero bucket size, run the following command:

# oslat -b 32 -D 10s -W 100 -z -c 1-4

Note that before using the option, you must determine what level of precision is significant in relation to the error measurement.


The Ethernet Port Configuration Tool (EPCT) utility support enabled in E810 with Intel ice driver

With this enhancement, the devlink port split command now supports the Intel ice driver. The Ethernet Port Configuration Tool (EPCT) is a command line utility that allows you to change the link type of a device. The devlink utility, which displays device information and resources of devices, is dependent on EPCT. As a result of this enhancement, the ice driver implements support for EPCT, which enables you to list and view the configurable devices using Intel ice drivers.


The Intel ice driver rebased to version 6.0.0

The Intel ice driver has been upgraded to upstream version 6.0.0, which provides a number of enhancements and bug fixes over previous versions. The notable enhancements include:

  • Point-to-Point Protocol over Ethernet (PPPoE) protocol hardware offload
  • Inter-Integrated Circuit (I2C) protocol write command
  • VLAN Tag Protocol Identifier (TPID) filters in the Ethernet switch device driver model (switchdev)
  • Double VLAN tagging in switchdev


Hosting Secure Boot certificates for IBM zSystems

Starting with IBM z16 A02/AGZ and LinuxONE Rockhopper 4 LA2/AGL, you can manage certificates used to validate Linux kernels when starting the system with Secure Boot enabled on the Hardware Management Console (HMC). Notably:

  • You can load certificates in a system certificate store using the HMC in DPM and classic mode from an FTP server that can be accessed by the HMC. It is also possible to load certificates from a USB device attached to the HMC.
  • You can associate certificates stored in the certificate store with an LPAR partition. Multiple certificates can be associated with a partition and a certificate can be associated with multiple partitions.
  • You can de-associate certificates in the certificate store from a partition by using HMC interfaces.
  • You can remove certificates from the certificate store.
  • You can associate up to 20 certificates with a partition.

The built-in firmware certificates are still available. In particular, as soon as you use the user-managed certificate store, the built-in certificates will no longer be available.

Certificate files loaded into the certificate store must meet the following requirements:

  • They have the PEM- or DER-encoded X.509v3 format and one of the following filename extensions: .pem, .cer, .crt, or .der.
  • They are not expired.
  • The key usage attribute must be Digital Signature.
  • The extended key usage attribute must contain Code Signing.

A firmware interface allows a Linux kernel running in a logical partition to load the certificates associated with this partition. Linux on IBM Z stores these certificates in the .platform keyring, allowing the Linux kernel to verify kexec kernels and third party kernel modules to be verified using certificates associated with that partition.

It is the responsibility of the operator to only upload verified certificates and to remove certificates that have been revoked.


The Red Hat Secure Boot CA 3 certificate that you need to load into the HMC is available at Product Signing Keys.


4.9. High availability and clusters

New enable-authfile Booth configuration option

When you create a Booth configuration to use the Booth ticket manager in a cluster configuration, the pcs booth setup command now enables the new enable-authfile Booth configuration option by default. You can enable this option on an existing cluster with the pcs booth enable-authfile command. Additionally, the pcs status and pcs booth status commands now display warnings when they detect a possible enable-authfile misconfiguration.


pcs can now run the validate-all action of resource and stonith agents

When creating or updating a resource or a STONITH device, you can now specify the --agent-validation option. With this option, pcs uses an agent’s validate-all action, when it is available, in addition to the validation done by pcs based on the agent’s metadata.

Bugzilla:1816852, Bugzilla:2159455

4.10. Dynamic programming languages, web and database servers

Python 3.11 available in RHEL 8

RHEL 8.8 introduces Python 3.11, provided by the new package python3.11 and a suite of packages built for it, as well as the ubi8/python-311 container image.

Notable enhancements compared to the previously released Python 3.9 include:

  • Significantly improved performance.
  • Structural Pattern Matching using the new match keyword (similar to switch in other languages).
  • Improved error messages, for example, indicating unclosed parentheses or brackets.
  • Exact line numbers for debugging and other use cases.
  • Support for defining context managers across multiple lines by enclosing the definitions in parentheses.
  • Various new features related to type hints and the typing module, such as the new X | Y type union operator, variadic generics, and the new Self type.
  • Precise error locations in tracebacks pointing to the expression that caused the error.
  • A new tomllib standard library module which supports parsing TOML.
  • An ability to raise and handle multiple unrelated exceptions simultaneously using Exception Groups and the new except* syntax.

Python 3.11 and packages built for it can be installed in parallel with Python 3.9, Python 3.8, and Python 3.6 on the same system.

Note that, unlike the previous versions, Python 3.11 is distributed as standard RPM packages instead of a module.

To install packages from the python3.11 stack, use, for example:

# yum install python3.11
# yum install python3.11-pip

To run the interpreter, use, for example:

$ python3.11
$ python3.11 -m pip --help

See Installing and using Python for more information.

Note that Red Hat will continue to provide support for Python 3.6 until the end of life of RHEL 8. Similarly to Python 3.9, Python 3.11 will have a shorter life cycle; see Red Hat Enterprise Linux Application Streams Life Cycle.


nodejs:18 rebased to version 18.14 with npm rebased to version 9

Node.js 18.14, released in RHSA-2023:1583, includes a SemVer major upgrade of npm from version 8 to version 9. This update was necessary due to maintenance reasons and may require you to adjust your npm configuration.

Notably, auth-related settings that are not scoped to a specific registry are no longer supported. This change was made for security reasons. If you used unscoped authentication configurations, the supplied token was sent to every registry listed in the .npmrc file.

If you use unscoped authentication tokens, generate and supply registry-scoped tokens in your .npmrc file.

If you have configuration lines using _auth, such as // in your .npmrc files, replace them with //${NPM_TOKEN} and supply the scoped token that you generated.

For a complete list of changes, see the upstream changelog.


git rebased to version 2.39.1

The Git version control system has been updated to version 2.39.1, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.31.

Notable enhancements include:

  • The git log command now supports a format placeholder for the git describe output: git log --format=%(describe)
  • The git commit command now supports the --fixup<commit> option which enables you to fix the content of the commit without changing the log message. With this update, you can also use:

    • The --fixup=amend:<commit> option to change both the message and the content.
    • The --fixup=reword:<commit> option to update only the commit message.
  • You can use the new --reject-shallow option with the git clone command to disable cloning from a shallow repository.
  • The git branch command now supports the --recurse-submodules option.
  • You can now use the git merge-tree command to:

    • Test if two branches can merge.
    • Compute a tree that would result in the merge commit if the branches were merged.
  • You can use the new safe.bareRepository configuration variable to filter out bare repositories.


git-lfs rebased to version 3.2.0

The Git Large File Storage (LFS) extension has been updated to version 3.2.0, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.13.

Notable changes include:

  • Git LFS introduces a pure SSH-based transport protocol.
  • Git LFS now provides a merge driver.
  • The git lfs fsck utility now additionally checks that pointers are canonical and that expected LFS files have the correct format.
  • Support for the NT LAN Manager (NTLM) authentication protocol has been removed. Use Kerberos or Basic authentication instead.


A new module stream: nginx:1.22

The nginx 1.22 web and proxy server is now available as the nginx:1.22 module stream. This update provides a number of bug fixes, security fixes, new features, and enhancements over the previously released version 1.20.

New features:

  • nginx now supports:

    • OpenSSL 3.0 and the SSL_sendfile() function when using OpenSSL 3.0.
    • The PCRE2 library.
    • POP3 and IMAP pipelining in the mail proxy module.
  • nginx now passes the Auth-SSL-Protocol and Auth-SSL-Cipher header lines to the mail proxy authentication server.

Enhanced directives:

  • Multiple new directives are now available, such as ssl_conf_command and ssl_reject_handshake.
  • The proxy_cookie_flags directive now supports variables.
  • nginx now supports variables in the following directives: proxy_ssl_certificate, proxy_ssl_certificate_key, grpc_ssl_certificate, grpc_ssl_certificate_key, uwsgi_ssl_certificate, and uwsgi_ssl_certificate_key.
  • The listen directive in the stream module now supports a new fastopen parameter, which enables TCP Fast Open mode for listening sockets.
  • A new max_errors directive has been added to the mail proxy module.

Other changes:

  • nginx now always returns an error if:

    • The CONNECT method is used.
    • Both Content-Length and Transfer-Encoding headers are specified in the request.
    • The request header name contains spaces or control characters.
    • The Host request header line contains spaces or control characters.
  • nginx now blocks all HTTP/1.0 requests that include the Transfer-Encoding header.
  • nginx now establishes HTTP/2 connections using the Application Layer Protocol Negotiation (ALPN) and no longer supports the Next Protocol Negotiation (NPN) protocol.

To install the nginx:1.22 stream, use:

# yum module install nginx:1.22

If you want to upgrade from the nginx:1.20 stream, see Switching to a later stream.

For more information, see Setting up and configuring NGINX.

For information about the length of support for the nginx module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.


mod_security rebased to version 2.9.6

The mod_security module for the Apache HTTP Server has been updated to version 2.9.6, which provides new features, bug fixes, and security fixes over the previously available version 2.9.2.

Notable enhancements include:

  • Adjusted parser activation rules in the modsecurity.conf-recommended file.
  • Enhancements to the way mod_security parses HTTP multipart requests.
  • Added a new MULTIPART_PART_HEADERS collection.
  • Added microsec timestamp resolution to the formatted log timestamp.
  • Added missing Geo Countries.


New packages: tomcat

RHEL 8.8 introduces the Apache Tomcat server version 9. Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0.


A new module stream: postgresql:15

RHEL 8.8 introduces PostgreSQL 15, which provides a number of new features and enhancements over version 13. Notable changes include:

  • You can now access PostgreSQL JSON data by using subscripts. Example query:

    SELECT ('{ "postgres": { "release": 15 }}'::jsonb)['postgres']['release'];
  • PostgreSQL now supports multirange data types and extends the range_agg function to aggregate multirange data types.
  • PostgreSQL improves monitoring and observability:

    • You can now track progress of the COPY commands and Write-ahead-log (WAL) activity.
    • PostgreSQL now provides statistics on replication slots.
    • By enabling the compute_query_id parameter, you can now uniquely track a query through several PostgreSQL features, including pg_stat_activity or EXPLAIN VERBOSE.
  • PostgreSQL improves support for query parallelism by the following:

    • Improved performance of parallel sequential scans.
    • The ability of SQL Procedural Language (PL/pgSQL) to execute parallel queries when using the RETURN QUERY command.
    • Enabled parallelism in the REFRESH MATERIALIZED VIEW command.
  • PostgreSQL now includes the SQL standard MERGE command. You can use MERGE to write conditional SQL statements that can include the INSERT, UPDATE, and DELETE actions in a single statement.
  • PostgreSQL provides the following new functions for using regular expressions to inspect strings: regexp_count(), regexp_instr(), regexp_like(), and regexp_substr().
  • PostgreSQL adds the security_invoker parameter, which you can use to query data with the permissions of the view caller, not the view creator. This helps you ensure that view callers have the correct permissions for working with the underlying data.
  • PostgreSQL improves performance, namely in its archiving and backup facilities.
  • PostgreSQL adds support for the LZ4 and Zstandard (zstd) lossless compression algorithms.
  • PostgreSQL improves its in-memory and on-disk sorting algorithms.
  • The updated postgresql.service systemd unit file now ensures that the postgresql service is started after the network is up.

The following changes are backwards incompatible:

  • The default permissions of the public schema have been modified. Newly created users need to grant permission explicitly by using the GRANT ALL ON SCHEMA public TO myuser; command. For example:

    postgres=# CREATE USER mydbuser;
    postgres=# GRANT ALL ON SCHEMA public TO mydbuser;
    postgres=# \c postgres mydbuser
    postgres=$ CREATE TABLE mytable (id int);
  • The libpq PQsendQuery() function is no longer supported in pipeline mode. Modify affected applications to use the PQsendQueryParams() function instead.

See also Using PostgreSQL.

To install the postgresql:15 stream, use:

# yum module install postgresql:15

If you want to upgrade from an earlier postgresql stream within RHEL 8, follow the procedure described in Switching to a later stream and then migrate your PostgreSQL data as described in Migrating to a RHEL 8 version of PostgreSQL.

For information about the length of support for the postgresql module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.


4.11. Compilers and development tools

A new module stream: swig:4.1

RHEL 8.8 introduces the Simplified Wrapper and Interface Generator (SWIG) version 4.1, available as a new module stream, swig:4.1.

Compared to SWIG 4.0 released in RHEL 8.4, SWIG 4.1:

  • Adds support for Node.js versions 12 to 18 and removes support for Node.js versions earlier than 6.
  • Adds support for PHP 8.
  • Handles PHP wrapping entirely through PHP C API and no longer generates a .php wrapper by default.
  • Supports only Perl 5.8.0 and later versions.
  • Adds support for Python versions 3.9 to 3.11.
  • Supports only Python 3.3 and later Python 3 versions, and Python 2.7.
  • Provides fixes for various memory leaks in Python-generated code.
  • Improves support for the C99, C++11, C++14, and C++17 standards and starts implementing the C++20 standard.
  • Adds support for the C++ std::unique_ptr pointer class.
  • Includes several minor improvements in C++ template handling.
  • Fixes C++ declaration usage in various cases.

To install the swig:4.1 module stream, use:

# yum module install swig:4.1

If you want to upgrade from an earlier swig module stream, see Switching to a later stream.

For information about the length of support for the swig module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.


A new module stream: jaxb:4

RHEL 8.8 introduces Jakarta XML Binding (JAXB) 4 as the new jaxb:4 module stream. JAXB is a framework that enables developers to map Java classes to and from XML representations.

To install the jaxb:4 module stream, use:

# yum module install jaxb:4


Updated GCC Toolset 12

GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

Notable changes introduced in RHEL 8.8 include:

  • The GCC compiler has been updated to version 12.2.1, which provides many bug fixes and enhancements that are available in upstream GCC.
  • annobin has been updated to version 11.08.

The following tools and versions are provided by GCC Toolset 12:












To install GCC Toolset 12, run the following command as root:

# yum install gcc-toolset-12

To run a tool from GCC Toolset 12:

$ scl enable gcc-toolset-12 tool

To run a shell session where tool versions from GCC Toolset 12 override system versions of these tools:

$ scl enable gcc-toolset-12 bash

For more information, see GCC Toolset 12.


Security improvements added for glibc

The SafeLinking feature has been added to glibc. As a result, it improves protection for the malloc family of functions against certain single-linked list corruption including the allocator’s thread-local cache.


Improved glibc dynamic loader algorithm

The glibc dynamic loader’s O(n3) algorithm for processing shared objects could result in slower application startup and shutdown times when shared object dependencies are deeply nested. With this update, the dynamic loader’s algorithm has been improved to use a depth-first search (DFS). As a result, application startup and shutdown times are greatly improved in cases where shared object dependencies are deeply nested.

You can select the dynamic loader’s O(n3) algorithm by using the glibc runtime tunable glibc.rtld.dynamic_sort. The default value of the tunable is 2, representing the new DFS algorithm. To select the previous O(n3) algorithm for compatibility, set the tunable to 1:

# GLIBC_TUNABLES=glibc.rtld.dynamic_sort=1


LLVM Toolset rebased to version 15.0.7

LLVM Toolset has been updated to version 15.0.7. Notable changes include:

  • The -Wimplicit-function-declaration and -Wimplicit-int warnings are enabled by default in C99 and newer. These warnings will become errors by default in Clang 16 and beyond.


Rust Toolset rebased to version 1.66.1

Rust Toolset has been updated to version 1.66.1. Notable changes include:

  • The thread::scope API creates a lexical scope in which local variables can be safely borrowed by newly spawned threads, and those threads are all guaranteed to exit before the scope ends.
  • The hint::black_box API adds a barrier to compiler optimization, which is useful for preserving behavior in benchmarks that might otherwise be optimized away.
  • The .await keyword now makes conversions with the IntoFuture trait, similar to the relationship between for and IntoIterator.
  • Generic associated types (GATs) allow traits to include type aliases with generic parameters, enabling new abstractions over both types and lifetimes.
  • A new let-else statement allows binding local variables with conditional pattern matching, executing a divergent else block when the pattern does not match.
  • Labeled blocks allow break statements to jump to the end of the block, optionally including an expression value.
  • rust-analyzer is a new implementation of the Language Server Protocol, enabling Rust support in many editors. This replaces the former rls package, but you might need to adjust your editor configuration to migrate to rust-analyzer .
  • Cargo has a new cargo remove subcommand for removing dependencies from Cargo.toml.


Go Toolset rebased to version 1.19.4

Go Toolset has been updated to version 1.19.4. Notable changes include:

  • Security fixes to the following packages:

    • crypto/tls
    • mime/multipart
    • net/http
    • path/filepath
  • Bug fixes to:

    • The go command
    • The linker
    • The runtime
    • The crypto/x509 package
    • The net/http package
    • The time package


The tzdata package now includes the /usr/share/zoneinfo/leap-seconds.list file

Previously, the tzdata package only shipped the /usr/share/zoneinfo/leapseconds file. Some applications rely on the alternate format provided by the /usr/share/zoneinfo/leap-seconds.list file and, as a consequence, would experience errors.

With this update, the tzdata package now includes both files, supporting applications that rely on either format.


4.12. Identity Management

SSSD support for converting home directories to lowercase

With this enhancement, you can now configure SSSD to convert user home directories to lowercase. This helps to integrate better with the case-sensitive nature of the RHEL environment. The override_homedir option in the [nss] section of the /etc/sssd/sssd.conf file now recognizes the %h template value. If you use %h as part of the override_homedir definition, SSSD replaces %h with the user’s home directory in lowercase.


The ipapwpolicy ansible-freeipa module now supports new password policy options

With this update, the ipapwpolicy module included in the ansible-freeipa package supports additional libpwquality library options:

Specifies the maximum number of the same character in sequence.
Specifies the maximum length of monotonic character sequences (abcd).
Checks if the password is a dictionary word.
Checks if the password contains the username.

If any of the new password policy options are set, the minimum length of passwords is 6 characters. The new password policy settings are applied only to new passwords.

In a mixed environment with RHEL 7 and RHEL 8 servers, the new password policy settings are enforced only on servers running on RHEL 8.4 and later. If a user is logged in to an IdM client and the IdM client is communicating with an IdM server running on RHEL 8.3 or earlier, then the new password policy requirements set by the system administrator do not apply. To ensure consistent behavior, upgrade all servers to RHEL 8.4 and later.


IdM now supports the ipanetgroup Ansible management module

As an Identity Management (IdM) system administrator, you can integrate IdM with NIS domains and netgroups. Using the ipanetgroup ansible-freeipa module, you can achieve the following:

  • You can ensure that an existing IdM netgroup contains specific IdM users, groups, hosts and host groups and nested IdM netgroups.
  • You can ensure that specific IdM users, groups, hosts and host groups and nested IdM netgroups are absent from an existing IdM netgroup.
  • You can ensure that a specific netgroup is present or absent in IdM.


New ipaclient_configure_dns_resolver and ipaclient_dns_servers Ansible ipaclient role variables specifying the client’s DNS resolver  

Previously, when using the ansible-freeipa ipaclient role to install an Identity Management (IdM) client, it was not possible to specify the DNS resolver during the installation process. You had to configure the DNS resolver before the installation.   

With this enhancement, you can specify the DNS resolver when using the ipaclient role to install an IdM client with the ipaclient_configure_dns_resolver and ipaclient_dns_servers variables. Consequently, the ipaclient role modifies the resolv.conf file and the NetworkManager and systemd-resolved utilities to configure the DNS resolver on the client in a similar way that the ansible-freeipa ipaserver role does on the IdM server. As a result, configuring DNS when using the ipaclient role to install an IdM client is now more efficient.


Using the ipa-client-install command-line installer to install an IdM client still requires configuring the DNS resolver before the installation.


Using the ipaclient role to install an IdM client with an OTP requires no prior modification of the Ansible controller

Previously, the kinit command on the Ansible controller was a prerequisite for obtaining a one-time-password (OTP) for Identity Management (IdM) client deployment. The need to obtain the OTP on the controller was a problem for Red Hat Ansible Automation Platform (AAP), where the krb5-workstation package was not installed by default.

With this update, the request for the administrator’s TGT is now delegated to the first specified or discovered IdM server. As a result, you can now use an OTP to authorize the installation of an IdM client with no additional modification of the Ansible controller. This simplifies using the ipaclient role with AAP.


SSSD now supports changing LDAP user passwords with the shadow password policy

With this enhancement, if you set ldap_pwd_policy to shadow in the /etc/sssd/sssd.conf file, LDAP users can now change their password stored in LDAP. Previously, password changes were rejected if ldap_pwd_policy was set to shadow as it was not clear if the corresponding shadow LDAP attributes were being updated.

Additionally, if the LDAP server cannot update the shadow attributes automatically, set the ldap_chpass_update_last_change option to True in the /etc/sssd/sssd.conf file to indicate to SSSD to update the attribute.


Configure pam_pwhistory using a configuration file

With this update, you can configure the pam_pwhistory module in the /etc/security/pwhistory.conf configuration file. The pam_pwhistory module saves the last password for each user in order to manage password change history. Support has also been added in authselect which allows you to add the pam_pwhistory module to the PAM stack.

Bugzilla:2068461, Bugzilla:2063379

getcert add-scep-ca now checks if user-provided SCEP CA certificates are in a valid PEM format

To add a SCEP CA to certmonger using the getcert add-scep-ca command, the provided certificate must be in a valid PEM format. Previously, the command did not check the user-provided certificate and did not return an error in case of an incorrect format. With this update, getcert add-scep-ca now checks the user-provided certificate and returns an error if the certificate is not in the valid PEM format.


IdM now supports new Active Directory certificate mapping templates

Active Directory (AD) domain administrators can manually map certificates to a user in AD using the altSecurityIdentities attribute. There are six supported values for this attribute, though three mappings are now considered insecure. As part of May 10,2022 security update, once this update is installed on a domain controller, all devices are in compatibility mode. If a certificate is weakly mapped to a user, authentication occurs as expected but a warning message is logged identifying the certificates that are not compatible with full enforcement mode. As of November 14, 2023 or later, all devices will be updated to full enforcement mode and if a certificate fails the strong mapping criteria, authentication will be denied.

IdM now supports the new mapping templates, making it easier for an AD administrator to use the new rules and not maintain both. IdM now supports the following new mapping templates :

  • Serial Number: LDAPU1:(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<SR>{serial_number!hex_ur})
  • Subject Key Id: LDAPU1:(altSecurityIdentities=X509:<SKI>{subject_key_id!hex_u})
  • User SID: LDAPU1:(objectsid={sid})

If you do not want to reissue certificates with the new SID extension, you can create a manual mapping by adding the appropriate mapping string to a user’s altSecurityIdentities attribute in AD.


samba rebased to version 4.17.5

The samba packages have been upgraded to upstream version 4.17.5, which provides bug fixes and enhancements over the previous version. The most notable changes:

  • Security improvements in previous releases impacted the performance of the Server Message Block (SMB) server for high meta data workloads. This update improves he performance in this scenario.
  • The --json option was added to the smbstatus utility to display detailed status information in JSON format.
  • The samba.smb.conf and samba.samba3.smb.conf modules have been added to the smbconf Python API. You can use them in Python programs to read and, optionally, write the Samba configuration natively.

Note that the server message block version 1 (SMB1) protocol is deprecated since Samba 4.11 and will be removed in a future release.

Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Red Hat does not support downgrading tdb database files.

After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.

For further information about notable changes, read the upstream release notes before updating.


ipa-client-install now supports authentication with PKINIT

Previously, the ipa-client-install supported only password based authentication. This update provides support to ipa-client-install for authentication with PKINIT.

For example:

ipa-client-install --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem --pkinit-anchor=FILE:/path/to/cacerts.pem

To use the PKINIT authentication, you must establish trust between IdM and the CA chain of the PKINIT certificate. For more information see the ipa-cacert-manage(1) man page. Also, the certificate identity mapping rules must map the PKINIT certificate of the host to a principal that has permission to add or modify a host record. For more information see the ipa certmaprule-add man page.


New nsslapd-auditlog-display-attrs configuration parameter for the Directory Server audit log

Previously, it was difficult to determine who changed an entry if the distinguished name (DN) of the entry did not contain clear identifying information. With the new nsslapd-auditlog-display-attrs parameter, you can set additional attributes that Directory Server displays in the audit log to provide more details about the modified entry.

For example, if you set the nsslapd-auditlog-display-attrs parameter to cn, the audit log displays the entry cn attribute in the output:

time: 20221014125914
dn: uid=73747737483,ou=people,dc=example,dc=com
result: 0
*#cn: John Smith*
changetype: modify
replace: displayName
displayName: jsmith
replace: modifiersname
modifiersname: cn=dm
replace: modifytimestamp
modifytimestamp: 20221014165914Z

Note that if you want the audit log to include all attributes of a modified entry, you can use an asterisk (*) as the parameter value.


Directory server now supports ECDSA private keys for TLS

Previously, you could not use cryptographic algorithms that are stronger than RSA to secure Directory Server connections. With this enhancement, Directory Server now supports both ECDSA and RSA keys.


New pamModuleIsThreadSafe configuration option is now available

When a PAM module is thread-safe, you can improve the PAM authentication throughput and response time of that specific module, by setting the new pamModuleIsThreadSafe configuration option to yes:

`pamModuleIsThreadSafe: yes`

This configuration applies on the PAM module configuration entry (child of cn=PAM Pass Through Auth,cn=plugins,cn=config).

Use pamModuleIsThreadSafe option in the dse.ldif configuration file or the ldapmodify command. Note that the ldapmodify command requires you to restart the server.


4.13. Desktop

The inkscape1 package replaces inkscape

With this release, the new, non-modular inkscape1 package replaces the legacy, modular inkscape package. This also upgrades the Inkscape application from version 0.92 to version 1.0.

Inkscape 1.0 no longer depends on the Python 2 runtime and instead uses Python 3.

For the complete list of changes in Inkscape 1.0, see the upstream release notes:


Kiosk mode supports an on-screen keyboard

You can now use the GNOME on-screen keyboard (OSK) in the kiosk mode session.

To enable the OSK, select the Kiosk (with on-screen keyboard) option from the gear menu at the login screen.

Note that kiosk mode in RHEL 8 is based on the X11 protocol, which causes certain known issues with the OSK. Notably, you cannot type accented characters, such as é or ü, on the OSK. See BZ#1916470 for details.


Support for NTLMv2 in libsoup and Evolution

The libsoup library can now authenticate with the Microsoft Exchange Server using the NT LAN Manager version 2 (NTLMv2) protocol. Previously, libsoup supported only the NTLMv1 protocol, which might be disabled in certain configurations due to security issues.

As a result, Evolution and other applications that internally use libsoup can also authenticate with the Microsoft Exchange Server using NTLMv2.


Custom right-click menu on the desktop

You can now customize the menu that opens when you right-click the desktop background. You can create custom entries in the menu that run arbitrary commands.

To customize the menu, see Customizing the right-click menu on the desktop.


Disable swipe to switch workspaces

Previously, swiping up or down with three fingers always switched the workspace on a touch screen. With this release, you can disable the workspace switching.

For details, see Disabling swipe to switch workspaces.


4.14. The web console

The web console now performs additional steps for binding LUKS-encrypted root volumes to NBDE

With this update, the RHEL web console performs additional steps required for binding LUKS-encrypted root volumes to Network-Bound Disk Encryption (NBDE) deployments. After you select an encrypted root file system and a Tang server, you can skip adding the rd.neednet=1 parameter to the kernel command line, installing the clevis-dracut package, and regenerating an initial ramdisk (initrd). For non-root file systems, the web console now enables the and clevis-luks-akspass.path systemd units, installs the clevis-systemd package, and adds the _netdev parameter to the fstab and crypttab configuration files. As a result, you can now use the graphical interface for all Clevis-client configuration steps when creating NBDE deployments for automated unlocking of LUKS-encrypted root volumes.


Certain cryptographic subpolicies are now available in the web console

This update of the RHEL web console extends the options in the Change crypto policy dialog. Besides the four system-wide cryptographic policies, you can also apply the following subpolicies through the graphical interface now:

  • DEFAULT:SHA1 is the DEFAULT policy with the SHA-1 algorithm enabled.
  • LEGACY:AD-SUPPORT is the LEGACY policy with less secure settings that improve interoperability for Active Directory services.
  • FIPS:OSPP is the FIPS policy with further restrictions inspired by the Common Criteria for Information Technology Security Evaluation standard.


4.15. Red Hat Enterprise Linux System Roles

New IPsec customization parameters for the vpn RHEL System Role

Because certain network devices require IPsec customization to work correctly, the following parameters have been added to the vpn RHEL System Role:


Do not change the following parameters without advanced knowledge. Most scenarios do not require their customization.

Furthermore, for security reasons, encrypt a value of the shared_key_content parameter by using Ansible Vault.

  • Tunnel parameters:

    • shared_key_content
    • ike
    • esp
    • ikelifetime
    • salifetime
    • retransmit_timeout
    • dpddelay
    • dpdtimeout
    • dpdaction
    • leftupdown
  • Per-host parameters:
  • leftid
  • rightid

As a result, you can use the vpn role to configure IPsec connectivity to a wide range of network devices.


The ha_cluster System Role now supports automated execution of the firewall, selinux, and certificate System Roles

The ha_cluster RHEL System Role now supports the following features:

Using the firewall and selinux System Roles to manage port access
To configure the ports of a cluster to run the firewalld and selinux services, you can set the new role variables ha_cluster_manage_firewall and ha_cluster_manage_selinux to true. This configures the cluster to use the firewall and selinux System Roles, automating and performing these operations within the ha_cluster System Role. If these variables are set to their default value of false, the roles are not performed. With this release, the firewall is no longer configured by default, because it is configured only when ha_cluster_manage_firewall is set to true.
Using the certificate System Role to create a pcsd private key and certificate pair
The ha_cluster System Role now supports the ha_cluster_pcsd_certificates role variable. Setting this variable passes on its value to the certificate_requests variable of the certificate System Role. This provides an alternative method for creating the private key and certificate pair for pcsd.


The ha_cluster System Role now supports quorum device configuration

A quorum device acts as a third-party arbitration device for a cluster. A quorum device is recommended for clusters with an even number of nodes. With two-node clusters, the use of a quorum device can better determine which node survives in a split-brain situation. You can now configure a quorum device with the ha_cluster System Role, both qdevice for a cluster and qnetd for an arbitration node.


The metrics System Role does not work with disabled fact gathering

Ansible fact gathering might be disabled in your environment for performance or other reasons. In such configurations, it is not currently possible to use the metrics System Role. To work around this problem, enable fact caching, or do not use the metrics System Role if it is not possible to use fact gathering.


The postfix RHEL System Role can now use the firewall and selinux RHEL System Roles to manage port access

With this enhancement, you can automate managing port access by using the new role variables postfix_manage_firewall and postfix_manage_selinux:

  • If they are set to true, each role is used to manage the port access.
  • If they are set to false, which is default, the roles do not engage.


The vpn RHEL System Role can now use the firewall and selinux roles to manage port access

With this enhancement, you can automate managing port access in the vpn RHEL System Role through the firewall and selinux roles. If you set the new role variables vpn_manage_firewall and vpn_manage_selinux to true, the roles manage port access.


The metrics RHEL System Role now can use the firewall role and the selinux role to manage port access

With this enhancement, you can control access to ports. If you set the new role variables metrics_manage_firewall and metrics_manage_firewall to true, the roles will manage port access. You can now automate and perform these operations directly by using the metrics role.


The nbde_server RHEL System Role now can use the firewall and selinux roles to manage port access

With this enhancement, you can use the firewall and selinux roles to manage ports access. If you set the new role variables nbde_server_manage_firewall and nbde_server_manage_selinux to true, the roles manage port access. You can now automate these operations directly by using the nbde_server role.


The initscripts network provider supports route metric configuration of the default gateway

With this update, you can use the initscripts network provider in the RHEL System Role to configure the route metric of the default gateway.

The reasons for such a configuration could be:

  • Distributing the traffic load across the different paths
  • Specifying primary routes and backup routes
  • Leveraging routing policies to send traffic to specific destinations through specific paths


The network System Role supports setting a DNS priority value

This enhancement adds the dns_priority parameter to the RHEL network System Role. You can set this parameter to a value from -2147483648 to 2147483647. The default value is 0. Lower values have a higher priority. Note that negative values cause the System Role to exclude other configurations with a greater numeric priority value. Consequently, in presence of at least one negative priority value, the System Role uses only DNS servers from connection profiles with the lowest priority value.

As a result, you can use the network System Role to define the order of DNS servers in different connection profiles.


Added support for the cloned MAC address

Cloned MAC address is the MAC address of the device WAN port which is the same as the MAC address of the machine. With this update, users can specify the bonding or bridge interface with the MAC address or the strategy such as random or preserve to get the default MAC address for the bonding or bridge interface.


The cockpit RHEL System Role integration with the firewall, selinux, and certificate roles

This enhancement enables you to integrate the cockpit role with the firewall role and the selinux role to manage port access and the certificate role to generate certificates.

To control the port access, use the new cockpit_manage_firewall and cockpit_manage_selinux variables. Both variables are set to false by default and are not executed. Set them to true to allow the firewall and selinux roles to manage the RHEL web console service port access. The operations will then be executed within the cockpit role.

Note that you are responsible for managing port access for firewall and SELinux.

To generate certificates, use the new cockpit_certificates variable. The variable is set to false by default and is not executed. You can use this variable the same way you would use the certificate_request variable in the certificate role. The cockpit role will then use the certificate role to manage the RHEL web console certificates.


The selinux RHEL System Role now supports the local parameter

This update of the selinux RHEL System Role introduces support for the local parameter. By using this parameter, you can remove only your local policy modifications and preserve the built-in SELinux policy.


New RHEL System Role for direct integration with Active Directory

The new rhel-system-roles.ad_integration RHEL System Role was added to the rhel-system-roles package. As a result, administrators can now automate direct integration of a RHEL system with an Active Directory domain.


New Ansible Role for Red Hat Insights and subscription management

The rhel-system-roles package now includes the remote host configuration (rhc) system role. This role enables administrators to easily register RHEL systems to Red Hat Subscription Management (RHSM) and Satellite servers. By default, when you register a system by using the rhc system role, the system connects to Red Hat Insights. With the new rhc system role, administrators can now automate the following tasks on the managed nodes:

  • Configure the connection to Red Hat Insights, including automatic update, remediations, and tags for the system.
  • Enable and disable repositories.
  • Configure the proxy to use for the connection.
  • Set the release of the system.

For more information about how to automate these tasks, see Using the RHC system role to register the system.


Microsoft SQL Server Ansible role supports asynchronous high availability replicas

Previously, Microsoft SQL Server Ansible role supported only primary, synchronous, and witness high availability replicas. Now, you can set the mssql_ha_replica_type variable to asynchronous to configure it with asynchronous replica type for a new or existing replica.


Microsoft SQL Server Ansible role supports the read-scale cluster type

Previously, Microsoft SQL Ansible role supported only the external cluster type. Now, you can configure the role with a new variable mssql_ha_ag_cluster_type. The default value is external, use it to configure the cluster with Pacemaker. To configure the cluster without Pacemaker, use the value none for that variable.


Microsoft SQL Server Ansible role can generate TLS certificates

Previously, you needed to generate a TLS certificate and a private key on the nodes manually before configuring the Microsoft SQL Ansible role. With this update, the Microsoft SQL Server Ansible role can use the redhat.rhel_system_roles.certificate role for that purpose. Now, you can set the mssql_tls_certificates variable in the format of the certificate_requests variable of the certificate role to generate a TLS certificate and a private key on the node.


Microsoft SQL Server Ansible role supports configuring SQL Server version 2022

Previously, Microsoft SQL Ansible role supported only configuring SQL Server version 2017 and version 2019. This update provides you with the support for SQL Server version 2022 for Microsoft SQL Ansible role. Now, you can set mssql_version value to 2022 for configuring a new SQL Server 2022 or upgrading SQL Server from version 2019 to version 2022. Note that upgrade of an SQL Server from version 2017 to version 2022 is unavailable.


Microsoft SQL Server Ansible role supports configuration of the Active Directory authentication

With this update, the Microsoft SQL Ansible role supports configuration of the Active Directory authentication for an SQL Server. Now, you can configure the Active Directory authentication by setting variables with the mssql_ad_ prefix.


The logging RHEL System Role integration with the firewall, selinux, and certificate roles

This enhancement enables you to integrate the logging role with the firewall role and the selinux role to manage port access and the certificate role to generate certificates.

To control the port access, use the new logging_manage_firewall and logging_manage_selinux variables. Both variables are set to false by default and are not executed. Set them to true to execute the roles within the logging role.

Note that you are responsible for managing port access for firewall and SELinux.

To generate certificates, use the new logging_certificates variable. The variable is set to false by default and the certificate role is not executed. You can use this variable the same way you would use the certificate_request variable in the certificate role. The logging role will then use the certificate role to manage the certificates.


Routing rule is able to look up a route table by its name

With this update, the RHEL System Role supports looking up a route table by its name when you define a routing rule. This feature provides quick navigation for complex network configurations where you need to have different routing rules for different network segments.


Microsoft SQL Server Ansible role supports configuring SQL Server version 2022

Previously, Microsoft SQL Ansible role supported only configuring SQL Server version 2017 and version 2019. This update provides you with the support for SQL Server version 2022 for Microsoft SQL Ansible role. Now, you can set mssql_version value to 2022 for configuring a new SQL Server 2022 or upgrading SQL Server from version 2019 to version 2022. Note that upgrade of an SQL Server from version 2017 to version 2022 is unavailable.


The journald RHEL System Role is now available

The journald service collects and stores log data in a centralized database. With this enhancement, you can use the journald System Role variables to automate the configuration of the systemd journal, and configure persistent logging by using the Red Hat Ansible Automation Platform.


The sshd RHEL System Role can now use the firewall and selinux RHEL System Roles to manage port access

With this enhancement, you can automate managing port access by using the new role variables sshd_manage_firewall and sshd_manage_selinux. If they are set to true, each role is used to manage the port access. If they are set to false, which is default, the roles do not engage.


4.16. Virtualization

Hardware cryptographic devices can now be automatically hot-plugged

Previously, it was only possible to define cryptographic devices for passthrough if they were present on the host before the mediated device was started. Now, you can define a mediated device matrix that lists all the cryptographic devices that you want to pass through to your virtual machine (VM). As a result, the specified cryptographic devices are automatically passed through to the running VM if they become available later. Also, if the devices become unavailable, they are removed from the VM, but the guest operating system keeps running normally.


Improved performance for PCI passthrough devices on IBM Z

With this update, the PCI passthrough implementation on IBM Z hardware has been enhanced through multiple improvements to I/O handling. As a result, PCI devices passed through to KVM virtual machines (VMs) on IBM Z hosts now have significantly better performance.

In addition, ISM devices can now be assigned to VMs on IBM Z hosts.


RHEL 8 guests now support SEV-SNP

On virtual machines (VMs) that use RHEL 8 as a guest operating system, you can now use AMD Secure Encrypted Virtualization (SEV) with the Secure Nested Paging (SNP) feature. Among other benefits, SNP enhances SEV by improving its memory integrity protection, which helps prevent hypervisor-based attacks such as data replay or memory re-mapping. Note that for SEV-SNP to work on a RHEL 8 VM, the host running the VM must support SEV-SNP as well.


zPCI device assignment

It is now possible to attach zPCI devices as pass-through devices to virtual machines (VMs) hosted on RHEL running on IBM Z hardware. For example, thís enables the use of NVMe flash drives in VMs.


4.17. Supportability

The sos utility is moving to a 4-week update cadence

Instead of releasing sos updates with RHEL minor releases, the sos utility release cadence is changing from 6 months to 4 weeks. You can find details about the updates for the sos package in the RPM changelog every 4 weeks or you can read a summary of sos updates in the RHEL Release Notes every 6 months.


The sos clean command now obfuscates IPv6 addresses

Previously, the sos clean command did not obfuscate IPv6 addresses, leaving some customer-sensitive data in the collected sos report. With this update, sos clean detects and obfuscates IPv6 addresses as expected.


4.18. Containers

New podman RHEL System Role is now available

Beginning with Podman 4.2, you can use the podman System Role to manage Podman configuration, containers, and systemd services that run Podman containers.


Podman now supports events for auditing

Beginning with Podman v4.4, you can gather all relevant information about a container directly from a single event and journald entry. To enable Podman auditing, modify the container.conf configuration file and add the events_container_create_inspect_data=true option to the [engine] section. The data is in JSON format, the same as from the podman container inspect command. For more information, see How to use new container events and auditing features in Podman 4.4.


The Container Tools packages have been updated

The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. This update applies a series of bug fixes and enhancements over the previous version.

Notable changes in Podman v4.4 include:

  • Introduce Quadlet, a new systemd-generator that easily creates and maintains systemd services using Podman.
  • A new command, podman network update, has been added, which updates networks for containers and pods.
  • A new command, podman buildx version, has been added, which shows the buildah version.
  • Containers can now have startup healthchecks, allowing a command to be run to ensure the container is fully started before the regular healthcheck is activated.
  • Support a custom DNS server selection using the podman --dns command.
  • Creating and verifying sigstore signatures using Fulcio and Rekor is now available.
  • Improved compatibility with Docker (new options and aliases).
  • Improved Podman’s Kubernetes integration - the commands podman kube generate and podman kube play are now available and replace the podman generate kube and podman play kube commands. The podman generate kube and podman play kube commands are still available but it is recommended to use the new podman kube commands.
  • Systemd-managed pods created by the podman kube play command now integrate with sd-notify, using the io.containers.sdnotify annotation (or io.containers.sdnotify/$name for specific containers).
  • Systemd-managed pods created by podman kube play can now be auto-updated, using the annotation (or$name for specific containers).

Podman has been upgraded to version 4.4, for further information about notable changes, see upstream release notes.


Aardvark and Netavark now support custom DNS server selection

The Aardvark and Netavark network stack now support custom DNS server selection for containers instead of the default DNS servers on the host. You have two options for specifying the custom DNS server:

  • Add the dns_servers field in the containers.conf configuration file.
  • Use the new --dns Podman option to specify an IP address of the DNS server.

The --dns option overrides the values in the container.conf file.


Skopeo now supports generating sigstore key pairs

You can use the skopeo generate-sigstore-key command to generate a sigstore public/private key pair. For more information, see skopeo-generate-sigstore-key man page.


Toolbox is now available

With the toolbox utility, you can use the containerized command-line environment without installing troubleshooting tools directly on your system. Toolbox is built on top of Podman and other standard container technologies from OCI. For more information, see toolbx.


The capability for multiple trusted GPG keys for signing images is available

The /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted keys. Because of this, the container images signed with Red Hat’s General Availability and Beta GPG keys are now accepted in the default configuration.

For example:

"": [
            "type": "signedBy",
            "keyType": "GPGKeys",
            "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]


RHEL 8 Extended Update Support

The RHEL Container Tools are now supported in RHEL 8 Extended Update Support (EUS) releases. More information on Red Hat Enterprise Linux EUS is available in Container Tools AppStream - Content Availability, Red Hat Enterprise Linux (RHEL) Extended Update Support (EUS) Overview.


The sigstore signatures are now available

Beginning with Podman 4.2, you can use the sigstore format of container image signatures. The sigstore signatures are stored in the container registry together with the container image without the need to have a separate signature server to store image signatures.


Podman now supports the pre-execution hooks

The root-owned plugin scripts located in the /usr/libexec/podman/pre-exec-hooks and /etc/containers/pre-exec-hooks directories define a fine-control over container operations, especially blocking unauthorized actions.

The /etc/containers/podman_preexec_hooks.txt file must be created by an administrator and can be empty. If /etc/containers/podman_preexec_hooks.txt does not exist, the plugin scripts will not be executed. If all plugin scripts return zero value, then the podman command is executed, otherwise, the podman command exits with the inherited exit code.

Red Hat recommends using the following naming convention to execute the scripts in the correct order: DDD-plugin_name.lang, for example Note that the plugin scripts are valid at the time of creation. Containers created before plugin scripts are not affected.