Support to both legacy and UEFI boot for AWS EC2 images

Previously, RHEL image builder created EC2 AMD or Intel 64-bit architecture AMIs images with support only for the legacy boot type. As a consequence, it was not possible to take advantage of certain AWS features requiring UEFI boot, such as secure boot. This enhancement extends the AWS EC2 AMD or Intel 64-bit architecture AMI image to support UEFI boot, in addition to the legacy BIOS boot. As a result, it is now possible to take advantage of AWS features which require booting the image with UEFI.

New boot option inst.wait_for_disks= to add wait time for loading a Kickstart file or the kernel drivers

Sometimes, it may take a few seconds to load a Kickstart file or the kernel drivers from the device with the OEMDRV label during the boot process. To adjust the wait time, you can now use the new boot option, inst.wait_for_disks=. Using this option, you can specify how many seconds to wait before the installation. The default time is set to 5 seconds, however, you can use 0 seconds to minimize the delay. For more information about this option, see Storage boot options.

Ability to select required kernel while installing RHEL on ARM using GUI and TUI

Previously, you could install RHEL on ARM with kernel-64k page size only by using the Kickstart method. With this update, you can now install RHEL on ARM using the GUI or the TUI and selecting the required kernel version. The option to select the required kernel is available on the Software Selection screen under Kernel Options.

Support for VMware VSphere (OVA)

This update adds support to build VMware VSphere OVA files by using RHEL image builder. The Open Virtual Appliance (OVA) file is a virtual appliance used by the VMware VSphere virtualization application. The OVA file contains files used to describe a virtual machine, such as an OVF descriptor file, one or more virtual machine disk image files (VMDK), optional manifest (MF) and certificate files. By using the VMware VSphere (.ova), you can more easily deploy the image to VMware vSphere by using the vSphere GUI client. You can further customize the resulting VM before you boot the image.

New network Kickstart options to control DNS handling

You can now control DNS handling using the network Kickstart command with the following new options. Use these new options with the --device option.

Minimal RHEL installation now installs only the s390utils-core package

In RHEL 8.4 and later, the s390utils-base package is split into an s390utils-core package and an auxiliary s390utils-base package. As a result, setting the RHEL installation to minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you want to use the s390utils-base package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base using a Kickstart file.

Keylime rebased to version 7.3.0

The Keylime packages have been updated to upstream version 7.3.0. This version provides various enhancements and bug fixes. Most notably, the allow and exclude lists are combined into the Keylime runtime policy. You can combine the two lists by using the convert_runtime_policy.py script.

Ports for Keylime have stricter rules in SELinux policy

Ports used by Keylime are now labeled as keylime_port_t in the Keylime SELinux policy. The policy now allows TCP connections for ports with this label. This is because the previous Keylime SELinux policy allowed connecting to all undefined ports and also most of the ports used by Keylime were in the undefined group. As a result, this update increases the granularity of the Keylime SELinux policy, and port security can be more strict and better targeted.

Audit now supports FANOTIFY record fields

This update of the audit packages introduces support for FANOTIFY Audit record fields. The Audit subsystem now logs additional information in the AUDIT_FANOTIFY record, notably:

fapolicyd now provides rule numbers for troubleshooting

With this enhancement, new kernel and Audit components allow the fapolicyd service to send the number of the rule that causes a denial to the fanotify API. As a result, you can troubleshoot problems related to fapolicyd more precisely.

crypto-policies now provides the NO-ENFORCE-EMS subpolicy for TLS 1.2 connections in FIPS mode

The system-wide cryptographic policies now contain the NO-ENFORCE-EMS subpolicy. After applying the new subpolicy, the system no longer requires the Extended Master Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections negotiated in FIPS mode. This allows the system to connect to legacy systems without support for EMS or TLS 1.3. Note that this violates the requirements of the FIPS-140-3 standard. You can apply the subpolicy by entering the update-crypto-policies --set FIPS:NO-ENFORCE-EMS command.

GnuTLS requires EMS with TLS 1.2 in FIPS mode

To comply with the FIPS-140-3 standard, GnuTLS servers and clients require the Extended Master Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections negotiated in FIPS mode. If your scenario requires preserving compatibility with older servers and clients that do not support EMS and you cannot use TLS 1.3, you can apply the NO-ENFORCE-EMS system-wide cryptographic subpolicy:

NSS now enforce EMS in FIPS mode

The Network Security Services (NSS) libraries now contain the TLS-REQUIRE-EMS policy to require the Extended Master Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections as mandated by the FIPS 140-3 standard. NSS use the new policy when the system-wide cryptographic policies are set to FIPS.

OpenSSL now supports disabling EMS in FIPS mode

You can now configure the OpenSSL cryptographic libraries to allow for TLS 1.2 connections without the Extended Master Secret (EMS) extension (RFC 7627) in FIPS mode by editing the /etc/pki/tls/fips_local.cnf file. In a text editor of your choice, add the following section to the configuration file:

OpenSSH further enforces SHA-2

As part of the effort to migrate further from the less secure SHA-1 message digest for cryptographic purposes, the following changes were made in OpenSSH:

OpenSSL now contains protections against Bleichenbacher-like attacks

This release of the OpenSSL TLS toolkit introduces API-level protections against Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now returns a randomly generated deterministic message instead of an error if it detects an error when checking padding during a PKCS #1 v1.5 decryption. The change provides general protection against vulnerabilities such as CVE-2020-25659 and CVE-2020-25657.

OpenSSL now supports Brainpool curves configurable through the Groups option

This update of the OpenSSL TLS toolkit introduces support for Brainpool curves in Elliptic Curve Cryptography (ECC). Additionally, you can control the curves with the system-wide cryptographic policies through the Groups configuration option.

crypto-policies now supports OpenSSL ECC Brainpool curves

With this update of the system-wide cryptographic policies, you can now control the following Brainpool Elliptic Curve Cryptography (ECC) curves in OpenSSL by using the group option:

crypto-policies now use the same group order as OpenSSL by default

In this release, the system-wide cryptographic policies (crypto-policies) control the group order in the OpenSSL Groups configuration option. To preserve the performance in OpenSSL, crypto-policies use the default group order that matches the order of the OpenSSL built-in preferences. As a result, the RHEL cryptographic back ends that support crypto-policies for controlling the group order, such as GnuTLS, now use the same order as OpenSSL.

crypto-policies permitted_enctypes no longer break replications in FIPS mode

Before this update, an IdM server running on RHEL 8 sent an AES-256-HMAC-SHA-1-encrypted service ticket that an IdM replica running RHEL 9 in FIPS mode. Consequently, the default permitted_enctypes krb5 configuration broke a replication between the RHEL 8 IdM server and the RHEL 9 IdM replica in FIPS mode.

pcsc-lite-ccid rebased to 1.5.2

The pcsc-lite-ccid package has been updated to version 1.5.2. This version provides various bug fixes and enhancements, most notably:

opensc rebased to 0.23

The opensc packages have been updated to version 0.23. This version provides various bug fixes and enhancements, most notably:

setools rebased to 4.4.3

The setools packages have been updated to version 4.4.3. This version provides various bug fixes and enhancements, most notably:

Additional services confined in the SELinux policy

This update adds additional rules to the SELinux policy that confine the following systemd services:

New SELinux boolean to allow QEMU Guest Agent executing confined commands

Previously, commands that were supposed to execute in a confined context through the QEMU Guest Agent daemon program, such as mount, failed with an Access Vector Cache (AVC) denial. To be able to execute these commands, the guest-agent must run in the unconfined_t domain.

OpenSCAP rebased to 1.3.8

The OpenSCAP packages have been rebased to upstream version 1.3.8. This version provides various bug fixes and enhancements, most notably:

SCAP Security Guide rebased to version 0.1.69

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.69. This version provides various enhancements and bug fixes. Most notably, it introduces three new SCAP profiles for RHEL 9 aligned with the CCN-STIC-610A22 Guide issued by the National Cryptologic Center of Spain in October 2022:

ANSSI-BP-028 security profiles updated to version 2.0

The following French National Agency for the Security of Information Systems (ANSSI) BP-028 in the SCAP Security Guide were updated to be aligned with version 2.0:

python3-greenlet-devel is now available in CRB

The python3-greenlet-devel package is now available in the CodeReady Linux Builder (CRB) repository, which you must explicitly enable. See the How to enable and make use of content within CodeReady Linux Builder Knowledgebase article for more information. Note that packages included in the CRB repository are unsupported.

SSG rule to check the group used by the pam_wheel.so module is simplified

The CIS Benchmark requires restricting the su command in favor of the sudo command. SCAP Security Guide (SSG) fulfills this requirement with the pam_wheel.so module, which restricts the su command to a specific group. This update improves the rule that checks whether this group exists and has no members. As a result, the rule is more efficient and simplifies the interpretation of the assessment report.

New FIDO Device Onboarding Servers container images are available

The following FIDO Device Onboarding Servers container images for onboarding IoT and edge computing devices are now available in the Red Hat Container Catalog:

The minimal-raw image type now supports 64-bit ARM architectures

With this enhancement, you can create a minimal-raw image type with support for 64-bit ARM architecture, and AMD and Intel 64-bit architectures. The minimal-raw image is pre-packaged, bootable, minimal RPM image, compressed in the xz format. To boot the image, you must decompress it and copy to any bootable device, such as an SD card. To decompress the image, run the following command:

The Commit ID is now supported as a value for the --parent argument of composer-cli CLI

You can now use the image Commit ID as a value for the --parent argument of the composer-cli command line. To get the image Commit ID, download and extract the RHEL for Edge Commit image. You can find the ref name and the commit ID in the extracted .tar file.

Support to build RHEL for Edge .ami images

With this enhancement, you have support to build .ami images for RHEL for Edge by using on-premise RHEL image builder. During the initial boot, you can customize the blueprint with Ignition to inject the credentials into the image. You can upload the .ami image to AWS and boot an EC2 instance in AWS.

Support to build .vmdk images for RHEL for Edge

With this enhancement, you have support to build a .vmdk image for RHEL for Edge by using on-premise RHEL image builder. You can customize the blueprint with Ignition to inject the credentials into the image during the initial boot. You can load the image on vSphere and boot the image in a VM vSphere. The image is compatible with ESXi 7.0 U2, ESXi 8.0, and later. The VM is compatible with versions 19 and 20.

You can now log in to an Edge system as the initial user without setting a password

Previously, logging in as the initial user created during the FDO onboarding process did not work because the system asked for a password that was not set with the useradd command. With this enhancement, the password is now set to optional, and you can log in even if you did not previously set a password by using the useradd command. Note that you can log in with an SSH key without entering a password, and if it fails, you will be prompted to enter a password.

New DNF Automatic reboot option for an automatic reboot after an upgrade

With this enhancement, you can use the DNF Automatic reboot option to set your system to automatically reboot to apply the changes after an upgrade.

The new --poweroff option allows you to shut down the system after installing updates

With this enhancement, the new --poweroff option has been added to the reboot command of the dnf system-upgrade plugin. You can use this option to shut down the system after installing updates instead of rebooting.

New dnf leaves and show-leaves plug-ins are now available for the DNF API

With this enhancement, the following new DNF plug-ins are available that list packages installed on your system that are not required as dependencies of other installed packages:

The NetBackup services are now enabled for backup restoration

When using the NetBackup (NBU) backup method, ReaR now includes the unit files for the NetBackup services version 10.1.1 in the rescue image and starts them when the rescue system boots. As a result, you can restore the system backup by using the NBU backup method during the recovery process and complete the restore successfully.

opencryptoki rebased to 3.21.0

The opencryptoki package has been rebased to version 3.21.0, which provides many enhancements and bug fixes. Most notably, opencryptoki now supports the following features:

Updated systemd-udevd assigns consistent network device names to InfiniBand interfaces

Introduced in RHEL 9, the new version of the systemd package contains the updated systemd-udevd device manager. The device manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd.

Postfix now supports SRV lookups

With this enhancement, you can now use the Postfix DNS service records resolution (SRV) to automatically configure mail clients and balance load of servers. Additionally, you can prevent mail delivery disruptions caused by temporary DNS issues or misconfigured SRV records by using the following SRV-related options in your Postfix configuration:

Generic LF-to-CRLF driver is available in cups-filters

With this enhancement, you can now use the Generic LF-to-CRLF driver, which converts LF characters to CR+LF characters for printers accepting files with CR+LF characters. The carriage return (CR) and line feed (LF) are control characters that mark the end of lines. As a result, by using this driver, you can send an LF character terminated file from your application to a printer accepting only CR+LF characters. The Generic LF-to-CRLF driver is a renamed version of the text-only driver from RHEL 7. The new name reflects its actual functionality.

RHEL on ARM now fully supports wifi adapters in RHEL 9.3

With this enhancement, you can now enable access to wifi adapters for several cards for the arm64 platforms.

NetworkManager now supports the no-aaaa option in resolv.conf

NetworkManager now supports adding the no-aaaa DNS option in the resolv.conf file. By using the no-aaaa value in the DNS option setting, you can disable IPv6 DNS resolution.

nmstate now supports mixing static DNS search along with dynamic DNS name servers

The nmstate framework now supports both static Domain Name System (DNS) search domains and dynamic DNS name servers, which nmstate obtained from Dynamic Host Configuration Protocol (DHCP) or the autoconf mechanism. Previously, static DNS search domains could not co-exist with dynamic DNS name servers because the dynamic configurations were discarded by nmstate. This often led to unnecessary complexity and limitations in network setup and management. This enhancement aims to bring more flexibility in managing DNS configurations. As a result, nmstate attempts to find a network interface to store the DNS configuration in the following order:

nmstate now supports the bridge.vlan-default-pvid NetworkManager configuration option

With this update, you can use the nmstate framework to configure the bridge.vlan-default-pvid NetworkManager configuration option. By using this option, you can set the default port VLAN identifier (PVID) for untagged traffic on a bridge interface that supports VLANs, when you use Linux bridge VLAN filtering. To achieve this result, use the following YAML configuration:

The NetworkManager service restarts immediately after the dbus service is restarted

Previously, after restarting dbus for some reason, NetworkManager stopped. This behavior was not optimal and caused a loss of connectivity. Therefore, this enhancement updates NetworkManager to become more robust and to make it restart automatically upon a dbus restart.

The nm-cloud-setup utility now supports IMDSv2 configuration

Users can configure an AWS Red Hat Enterprise Linux EC2 instance with Instance Metadata Service Version 2 (IMDSv2) with the nm-cloud-setup utility. To comply with improved security that restricts unauthorized access to EC2 metadata and new features, integration between AWS and Red Hat services is necessary to provide advanced features. This enhancement enables the nm-cloud-setup utility to fetch and save the IMDSv2 tokens, verify an EC2 environment, and retrieve information about available interfaces and IP configuration by using the secured IMDSv2 tokens.

NetworkManager notifies when using the deprecated ifcfg format

Connection profiles in ifcfg format are deprecated in RHEL 9 (see NetworkManager connection profiles in ifcfg format are deprecated). With this update, NetworkManager notifies users about the deprecation of this format:

NetworkManager now supports the lacp_active option in the bonding configuration

By using NetworkManager, the lacp_active option in bonding configuration provides fine-grained control over Link Aggregation Control Protocol Data Units (LACPDU) frames. The lacp_active option also adjusts the behavior of LACPDU frames and controls periodic transmission of these frames in the bonding setup. To customize network configurations, you can enable or disable periodic transmission of LACPDU frames by setting lacp_active to ON or OFF.

NetworkManager now supports configuration of the ns_ip6_target option for bond interfaces

This enhancement allows setting the arp_interval option by specifying a maximum of 16 IPv6 addresses as monitoring peers in NetworkManager for configuration of the ns_i6_target option for bond interfaces. Previously, it was not possible to specify IPv6 monitoring peers in NetworkManager. With this update, you can configure the ns_ip6_target option in the bond.options parameter by using the nmcli utility. NetworkManager applies this setting to the bond interface by enabling the specification of a maximum of 16 IPv6 addresses. This enhancement equally applies to IPv4 and IPv6 settings.

NetworkManager now supports both static and DHCP IP configuration on the same network interface

By using the nmstate utility, you can now assign a static IP address with dhcp: true or autoconf: true value on the DHCP or Ad-Hoc Network Autoconfiguration (autoconf) enabled interface.

nmstate supports MAC address identifiable network interface

The nmstate utility supports network configuration directly to a network interface with a MAC address instead of an interface name.

NetworkManager supports defining after how many failed ARP checks the bonding driver marks a port as down

This enhancement adds the arp_missed_max option to bond connection profiles in NetworkManager. If you use the Address Resolution Protocol (ARP) monitor to check if ports of a bond are up, you can now set arp_missed_max to define after how many failed checks the bonding driver marks the port as down.

NetworkManager supports specifying link-related properties

This enhancement adds the following network link properties to NetworkManager connection profiles:

The nmstate API support available for dhcp-send-hostname and dhcp-custom-hostname DHCP options

With this enhancement, the nmstate utility supports configuration of the following two DHCP options in the connection file:

NetworkManager rebased to version 1.44.0

The NetworkManager packages have been upgraded to upstream version 1.44.0, which provides several enhancements and bug fixes over the previous version:

SCTP rebased to the latest version of the kernel networking tree for RHEL 9

Notable changes in the Stream Control Transmission Protocol (SCTP) networking subsystem include:

MPTCP rebased to the latest version of the kernel networking tree for RHEL 9

Notable changes in the Multipath TCP (MPTCP) protocol extension include:

The xdp-tools package rebased to version 1.4.0

The xdp-tools package has been upgraded to version 1.4.0, which provides multiple bug fixes and enhancements. Notable changes include:

iproute rebased to version 6.2.0

The iproute packages have been upgraded to upstream version 6.2.0, which provides several enhancements and bug fixes over the previous version. The most notable changes are:

The kernel supports activating bond ports in a specific order

With this enhancement, the kernel’s netlink interface supports setting a priority on each port if you configure a bond in active-backup, balance-tlb or balance-alb mode. The priority value uses a 32-bit Integer, and a higher value means a higher priority. As a result, you can now activate the bond ports in a specific order.

firewalld now avoids unnecessary firewall rule flushes

With the release of the RHBA-2023:7748, advisory the firewalld service was upgraded in a sense that it will not remove all the existing rules from the iptables configuration if both following conditions are met:

Introduction of new nmstate attributes for the VLAN interface

With this update of the nmstate framework, the following VLAN attributes were introduced:

Kernel version in RHEL 9.3

Red Hat Enterprise Linux 9.3 is distributed with the kernel version 5.14.0-362.8.1.

Support added for NVIDIA Grace CPUs

Red Hat Enterprise Linux 9.3 adds support for the NVIDIA Grace ARM 64-bit CPU.

The RHEL kernel now supports AutoIBRS

Automatic Indirect Branch Restricted Speculation (AutoIBRS) is a feature provided by the AMD EPYC 9004 Genoa family of processors and later CPU versions. AutoIBRS is the default mitigation for the Spectre v2 CPU vulnerability, which boosts performance and improves scalability.

perf rebased to version 6.2

The perf performance analysis tool has been rebased to version 6.2. Apart from numerous minor bug fixes and updates, the perf list command now displays Performance Monitor Unit (PMU) events that contain human-friendly names and descriptions. In addition, this update adds support for the following processors:

The Intel® QAT kernel driver rebased to upstream version 6.2

The Intel® Quick Assist Technology (QAT) has been rebased to upstream version 6.2. The Intel® QAT includes accelerators optimized for symmetric and asymmetric cryptography, compression performance, and other CPU intensive tasks.

vTPM functionality is available for Linux containers

This enhancement introduces virtual Trusted Platform Module (vTPM) for Linux containers and other virtual environments. vTPM is a virtualized version of TPM that provides a dedicated TPM instance to use for a secure running environment. With vTPM proxy drivers, programs interact with an emulated TPM the same way as they interact with physical TPMs.

crash rebased to version 8.0.3

crash is an interactive utility to analyze a running system and a core dump file created by kdump in case of a kernel crash. The crash utility has been rebased to version 8.0.3 that includes many bug fixes and enhancements. The most notable enhancement is the added IPv6 support.

LVM thin-provisioned storage volumes supported as the vmcore dump target

The kdump mechanism now supports thin-provisioned logical volumes as the vmcore target. To configure LVM thin provisioning, complete the following steps:

makedumpfile rebased to upstream version 1.7.3

The makedumpfile tool, which makes the crash dump file small by compressing pages or excluding memory pages that are not required, has been rebased to upstream version 1.7.3. The rebase includes many bug fixes and enhancements.

Red Hat Enterprise Linux supports ARM’s SystemReady ES and IR tier

Red Hat Enterprise Linux now supports ARM’s SystemReady ES and IR, while previously only the SR tier was supported. In RHEL 9.3, the NVIDIA Orin, NXP i.MX 8M, and NXP i.MX 8M Mini modules have been enabled and are candidates for the RHEL hardware certification. Hardware partners are able to submit certifications by enrolling in the Red Hat hardware certification journey. Customers can use the supported hardware listed in the catalog for an improved experience in production.

RHEL on ARM now supports Bluetooth

With this enhancement, you can configure a bluetooth device by using the bluetoothctl tool on the command-line interface.

RHEL on ARM now fully supports USB-attached cameras in RHEL 9.3

This enhancement enables the CONFIG_MEDIA_SUPPORT kernel configuration for RHEL on AMD and Intel 64-bit architectures platforms. With that, you can now use USB cameras on AMD and Intel 64-bit architectures systems.

bpf rebased to version 6.3

The Berkeley Packet Filter (BPF) facility has been rebased to Linux kernel version 6.3. Notable changes and enhancements include:

Change in the default behavior of grub2-mkconfig

Previously, entering the grub2-mkconfig -o /path/to/grub.cfg command generated a new grub.cfg file that contained all the changes that had been made to the /etc/default/grub file. Consequently, the command overwrote the command-line arguments in all BLS snippets with the GRUB_CMDLINE_LINUX variable located in the /etc/default/grub file.

NFS server now implements courteous server code for nfsd

This update introduces the implementation of courteous server code for nfsd in the RHEL kernel NFS server. With this new feature, the NFS server avoids revoking leases for clients that have lost contact with the server for an extended period, provided that there is no conflicting access while the client is out of contact.

DAX mount option and reflink are now compatible

With this update, reflinked files are now generally compatible with DAX mode. The file system DAX mount option -o dax=always is compatible with reflink-enabled file systems. Files that were reflinked can be set to DAX mode using inode flags. For more information see the xfs(5) man page.

New encryption types for the RPCSEC GSS Kerberos V5

The RPCSEC GSS Kerberos V5 mechanism now supports encryption types defined in RFC 6803 (Camellia Encryption for Kerberos 5) and RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos 5).

fuse3 now allows invalidating a directory entry without triggering umount

With this update, a new mechanism has been added to fuse3 package, that allows invalidating a directory entry without automatically triggering the umount of any mounts that exists on the entry.

Stratis storage manager is now available

Stratis is a local storage manager. It provides managed file systems on top of pools of storage with additional features to the user:

Improvements to GFS2 file system configuration and operation

The following updates have been implemented for GFS2 file systems:

dmpd rebased to version 1.0.2

The dmpd package has been upgraded to version 1.0.2. Notable changes include:

New per-device counter is added for SCSI devices

A new per-device counter, iotmo_cnt, is now added for the I/O timeouts in the SCSI updates. In addition to the iorequest_cnt count of I/O requests, the iodone_cnt I/O completions, and the ioerr_cnt I/O errors, the number of request timeouts can be seen. For example:

mpathcleanup flushes the multipath devices in device-mapper-multipath

The mpathcleanup tool works on SCSI-based multipath devices and removes the multipath device along with the SCSI path devices. Some users need to remove multipath devices and their path devices regularly. Previously, there was no tool available to remove multipath devices and a user-defined script was required for this operation.

nvme-cli rebased to version 2.4

The nvme-cli package has been upgraded to version 2.4, which provides multiple bug fixes and enhancements. Notable changes include:

Support for failover of LVM volume groups with missing physical volumes

The LVM-activate resource agent now supports two new options that allow volume group failover if the volume group is missing physical volumes:

IPaddr2 and IPsrcaddr cluster resource agents now support policy-based routing

The IPaddr2 and IPsrcaddr cluster resource agents now support policy-based routing,which enables you to configure complex routing scenarios. Policy-based routing requires that you configure the resource agent’s table parameter.

The Filesystem resource agent now supports the EFS file system type

The ocf:heartbeat:Filesystem cluster resource agent now supports the Amazon Elastic File System (EFS). You can now specify fstype=efs when configuring a Filesystem resource.

New pcs parsing requires meta keyword when specifying clone meta attributes

To ensure consistency in the pcs command format, configuring clone meta attributes with the pcs resource clone, pcs resource promotable, and pcs resource create commands without specifying the meta keyword is now deprecated.

Displaying the pcs commands for re-creating configured resource constraints

You can now display the pcs constraint commands that can be used to re-create configured resource constraints on a different system by using the pcs constraint command with the new --output-format=cmd option. The default output format is plain text, as in previous releases, which you can specify with the --output-format=text option. The plain text format has been changed slightly to make it consistent with the output format of other pcs commands.

Rebase Pacemaker packages to version: 2.1.6

The Pacemaker packages have been upgraded to upstream version 2.1.6, which provides several enhancements and bug fixes over the previous version.

Enhancements to the pcs property command

The pcs property command now supports the following enhancements:

A new environment variable in Python to control parsing of email addresses

To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.

A new nodejs:20 module stream is fully supported

A new module stream, nodejs:20, previously available as a Technology Preview, is fully supported with the release of the RHEA-2023:7252 advisory. The nodejs:20 module stream now provides Node.js 20.9, which is a Long Term Support (LTS) version.

A new filter argument to the Python tarfile extraction functions

To mitigate CVE-2007-4559, Python adds a filter argument to the tarfile extraction functions. The argument allows turning tar features off for increased safety (including blocking the CVE-2007-4559 directory traversal attack). If a filter is not specified, the 'data' filter, which is the safest but most limited, is used by default in RHEL. In addition, Python emits a warning when your application has been affected.

The HTTP::Tiny Perl module now verifies TLS certificates by default

The default value for the verify_SSL option in the HTTP::Tiny Perl module has been changed from 0 to 1 to verify TLS certificates when using HTTPS. This change fixes CVE-2023-31486 for HTTP::Tiny and CVE-2023-31484 for the CPAN Perl module.

httpd rebased to version 2.4.57

The Apache HTTP Server has been updated to version 2.4.57, which provides bug fixes, enhancements, and security fixes over version 2.4.53 available since RHEL 9.1.

A new mod_authnz_fcgi module in httpd

The Apache HTTP Server now includes the mod_authnz_fcgi module, which enables FastCGI authorizer applications to authenticate users and authorize access to resources.

A new ssl_pass_phrase_dialog directive in nginx:1.22

With this update to the nginx:1.22 module stream, you can use the new ssl_pass_phrase_dialog directive to configure an external program that is called at nginx start for each encrypted private key.

A new rhel9/squid container image

The rhel9/squid container image is now available in the Red Hat Container Registry. Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps metadata and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.

A new module stream: redis:7

Redis 7, an advanced key-value store, is now available as a new module stream, redis:7.

A new glibc option to influence optimized routine usage on IBM Z

On the IBM Z architecture, the glibc library selects function implementations based on the hardware capabilities, such as hwcaps and stfle bits. With this update, you can direct the choice made by the library by setting the glibc.cpu.hwcaps tunable.

Improved string and memory routine performance on Intel® Xeon® v5-based hardware in glibc

Previously, the default amount of cache used by glibc for string and memory routines resulted in lower than expected performance on Intel® Xeon® v5-based systems. With this update, the amount of cache to use has been tuned to improve performance.

The system GCC compiler updated to version 11.4.1

The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and Fortran programming languages.

GCC now supports preserving register arguments

With this update, you can now store argument register content to the stack and generate proper Call Frame Information (CFI) to allow the unwinder to locate it without negatively impacting performance.

A new -mdaz-ftz option in GCC on the 64-bit Intel architecture

The system version of GNU Compiler Collection (GCC) on the 64-bit Intel architecture now supports the -mdaz-ftz option to enable flush-to-zero (FTZ) and denormals-are-zero (DAZ) flags in the MXCSR Control and Status Register.

New GCC Toolset 13

GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

GCC Toolset 13: GCC rebased to version 13.1.1

In GCC Toolset 13, the GNU Compiler Collection (GCC) has been updated to version 13.1.1. Notable changes include:

GCC Toolset 13: annobin rebased to version 12.20

GCC Toolset 13 provides the annobin package version 12.20. Notable enhancements include:

GCC Toolset 13: GDB rebased to version 12.1

GCC Toolset 13 provides GDB version 12.1.

GCC Toolset 13: bintuils rebased to version 2.40

GCC Toolset 13 provides the binutils package version 2.40. Notable enhancements include:

libabigail rebased to version 2.3

The libabigail package has been updated to version 2.3. Notable improvements include:

The find-debuginfo script in debugedit now supports the -q (--quiet) flag

With this update, you can use the find-debuginfo script’s -q (--quiet) flag in the debugedit utility to silence non-error output from the script.

Valgrind rebased to version 3.21.0

Valgrind has been updated to version 3.21.0. Notable enhancements include:

systemtap rebased to version 4.9

The systemtap package has been upgraded to version 4.9. Notable changes include:

elfutils rebased to version 0.189

The elfutils package has been updated to version 0.189. Notable improvements and bug fixes include:

libpfm rebased to version 4.13

The libpfm package has been updated to version 4.13. With this update, libpfm can access performance monitoring hardware native events for the following processor microarchitectures:

papi supports new processor microarchitectures

With this enhancement, you can access performance monitoring hardware using papi events presets on the following processor microarchitectures:

papi now supports fast performance event count read operations for 64-bit ARM processors

Previously on 64-bit ARM processors, all performance event counter read operations required the use of a resource-intensive system call. papi has been updated for 64-bit ARM to let processes monitoring themselves with the performance counters use a faster user-space read of the performance event counters. Setting the /proc/sys/kernel/perf_user_access parameter to 1 reduces the average number of clock cycles for papi to read 2 counters from 724 cycles to 29 cycles.

LLVM Toolset rebased to version 16.0.6

LLVM Toolset has been updated to version 16.0.6.

Rust Toolset rebased to version 1.71.1

Rust Toolset has been updated to version 1.71.1. Notable changes include:

The Rust profiler_builtins runtime component is now available

With this enhancement, the Rust profile_builtins runtime component is now available. This runtime component enables the following compiler options:

Go Toolset rebased to version 1.20.10

Go Toolset has been updated to version 1.20.10.

pcp rebased to version 6.0.5

The pcp package has been updated to version 6.0.5. Notable changes include:

PCP’s pmie utility now supports generating webhook events

The Performance Metrics Inference Engine (pmie) utility from Performance Co-Pilot (PCP) now supports generating webhook events. With this update, configured pmie rules generate events in a format consumable by Event-Driven Ansible (EDA). As a result, EDA can respond to PCP rules.

grafana rebased to version 9.2.10

The grafana package has been updated to version 9.2.10. Notable changes include:

Grafana no longer enables weak cryptographic ciphers

With this update, Grafana no longer enables ciphers that are considered weak for encrypting secure communication. The affected ciphers are:

.NET 8.0 is available

Red Hat Enterprise Linux 9.3 is distributed with .NET version 8.0. Notable improvements include:

samba rebased to version 4.18.6

The samba packages have been upgraded to upstream version 4.18.6, which provides bug fixes and enhancements over the previous version. The most notable changes:

The ipaclient role now allows configuring user subID ranges on the IdM level

With this update, the ipaclient ansible-freeipa role provides the ipaclient_subid option, using which you can configure subID ranges on the Identity Management (IdM) level. Without the new option set explicitly to true, the ipaclient role keeps the default behavior and installs the client without subID ranges configured for IdM users.

Multiple IdM groups and services can now be managed in a single Ansible task

With this enhancement in ansible-freeipa, you can add, modify, and delete multiple Identity Management (IdM) user groups and services by using a single Ansible task. For that, use the groups and services options of the ipagroup and ipaservice modules.

ansible-freeipa ipaserver role now supports Random Serial Numbers

With this update, you can use the ipaserver_random_serial_numbers=true option with the ansible-freeipa ipaserver role. This way, you can generate fully random serial numbers for certificates and requests in PKI when installing an Identity Management (IdM) server using Ansible. With RSNv3, you can avoid range management in large IdM installations and prevent common collisions when reinstalling IdM.

ipa rebased to version 4.10.2

The ipa package has been upgraded to version 4.10.2. Notable changes include:

The ipaserver_remove_on_server and ipaserver_ignore_topology_disconnect options are now available in the ipaserver role

If removing a replica from an Identity Management (IdM) topology by using the remove_server_from_domain option of the ipaserver ansible-freeipa role leads to a disconnected topology, you must now specify which part of the domain you want to preserve. Specifically, you must do the following:

IdM now supports the min_lifetime parameter

With this enhancement, the min_lifetime parameter has been added to the /etc/gssproxy/*.conf file. The min_lifetime parameter triggers the renewal of a service ticket in case its remaining lifetime is lower than this value.

You can now manage IdM certificates using the ipacert Ansible module

You can now use the ansible-freeipa ipacert module to request or retrieve SSL certificates for Identity Management (IdM) users, hosts and services. The users, hosts and services can then use these certificates to authenticate to IdM. You can also revoke the certificates, and restore certificates that have been put on hold.

The optional_pac_tkt_chksum option helps preserve interoperability between different versions of krb5

You can now use the optional_pac_tkt_chksum option to preserve the interoperability between RHEL Kerberos Distribution Center (KDC) servers running different versions of the krb5 package. Specifically, you can change their behavior regarding Privilege Attribute Certificate (PAC) ticket signature verification. If you set the optional_pac_tkt_chksum string attribute to true for the Kerberos principal expected to sign a ticket, then the KDC does not reject service for user (S4U) requests containing a ticket that lacks the PAC ticket signature. The principal to sign the ticket is the ticket-granting service (TGS) one or a cross-realm TGS one, depending on the realm of the ticket’s target service.

IdM now supports resource-based constrained delegation

With this update, IdM now supports resource-based constrained delegation (RBCD). RBCD allows a granular control of delegation on a resource level and access can be set by the owner of the service to which credentials are delegated.

RHEL 9.3 provides 389-ds-base 2.3.4

RHEL 9.3 is distributed with the 389-ds-base package version 2.3.4. Notable bug fixes and enhancements over version 2.3.4 include:

Directory Server can now close a client connection if a bind operation fails

Previously, when a bind operation failed, some applications that ignore the bind return code could load Director Server with further requests.

Automembership plug-in improvements. It no longer cleans up groups by default

Previously, the automember rebuild task went through all the automember rules and removed all the memberships, then the task rebuilt the memberships from scratch. Thus, the rebuild task was expensive, especially if other be_txn plugins are enabled.

New passwordAdminSkipInfoUpdate: on/off configuration option is now available

You can add a new passwordAdminSkipInfoUpdate: on/off setting under the cn=config entry to provide a fine grained control over password updates performed by password administrators. When you enable this setting, password updates do not update certain attributes, for example, passwordHistory,passwordExpirationTime,passwordRetryCount, pwdReset, and passwordExpWarned.

New slapi_memberof() plug-in function is now available for Directory Server plug-ins and client applications

The new slapi_memberof() function retrieves distinguished names (DNs) of groups to which the given entry belongs directly or indirectly. Previously, MemberOf, Referential Integrity, and ACL plug-ins implemented their own mechanism to retrieve such groups. With this update, you can use the slapi_memberof() function that introduces a unified mechanism to return group DNs.

Directory Server now replaces the virtual attribute nsRole with an indexed attribute for managed and filtered roles

Previously, LDAP searches that contained the virtual attribute nsRole in the filter were time consuming because that attribute cannot be indexed. With this update, when you perform the ldapsearch with virtual attribute nsRole in the filter, Directory Server replaces the nsRole attribute the following way:

New nsslapd-numlisteners configuration option is now available

The nsslapd-numlisteners attribute specifies the number of listener threads Directory Server can use to monitor established connections. You can improve the response times when the server experiences a large number of client connection by increasing the attribute value.

IdM supports the option to control the encryption type used to sign the PAC

By default, the Kerberos Key Distribution Center (KDC) generates an AES HMAC-SHA2 signature for the Privilege Attribute Certificate (PAC). However, this encryption type is not supported by Active Directory (AD). As a result, AD cross-realm constrained delegation requests are not processed correctly.

Identity Management API is now fully supported

The Identity Management (IdM) API was available as a Technology Preview in RHEL 9.2 and as of RHEL 9.3, it is fully supported.

Intel Arc A-Series graphics is now fully supported

The Intel Arc A-Series graphics (Alchemist or DG2) feature, previously available as a Technology Preview, is now fully supported. Intel Arc A-Series graphics is a GPU that enables hardware acceleration, mostly used in PC gaming.

Podman health check action is now available

You can select one of the following Podman health check actions when creating a new container:

Stratis is now available in the RHEL web console

With this update, the Red Hat Enterprise Linux web console provides the ability to manage Stratis storage.

New RHEL System Role for managing systemd units

The rhel-system-role package now contains the systemd RHEL System Role. You can use this role to deploy unit files and manage systemd units on multiple systems. You can automate systemd functionality by providing systemd unit files and templates, and by specifying the state of those units, such as started, stopped, masked and other.

New option in the ssh role to disable configuration backups

You can now prevent old configuration files from being backed up before they are overwritten by setting the new ssh_backup option to false. Previously, backup configuration files were created automatically, which might be unnecessary. The default value of the ssh_backup option is true, which preserves the original behavior.

keylime_server RHEL System Role

With the new keylime_server RHEL System Role, you can use Ansible Playbooks to configure the verifier and registrar Keylime components on RHEL 9 systems. Keylime is a remote machine attestation tool that uses the trusted platform module (TPM) technology.

Support for new ha_cluster System Role features

The ha_cluster System Role now supports the following features:

storage system role supports configuring the stripe size for RAID LVM volumes

With this update, you can now specify a custom stripe size when creating RAID LVM devices. For better performance, use the custom stripe size for SAP HANA. The recommended stripe size for RAID LVM volumes is 64 KB.

The network RHEL system role supports the auto-dns option to control automatic DNS record updates

This enhancement provides support for defined name servers and search domains. You can now use only the name servers and search domains specified in dns and dns_search properties while disabling automatically configured name servers and search domains such as dns record from DHCP. With this enhancement, you can disable automatically auto dns record by changing the auto-dns settings.

The network RHEL system role supports the no-aaaa DNS option

You can now use the no-aaaa option to configure DNS settings on managed nodes. Previously, there was no option to suppress AAAA queries generated by the stub resolver, including AAAA lookups triggered by NSS-based interfaces such as getaddrinfo; only DNS lookups were affected. With this enhancement, you can now suppress AAAA queries generated by the stub resolver.

The ad_integration RHEL System Role can now rejoin an AD domain

With this update, you can now use the ad_integration RHEL System Role to rejoin an Active Directory (AD) domain. To do this, set the ad_integration_force_rejoin variable to true. If the realm_list output shows that host is already in an AD domain, it will leave the existing domain before rejoining it.

The certificate RHEL System Role now allows changing certificate file mode when using certmonger

Previously, certificates created by the certificate RHEL System Role with the certmonger provider used a default file mode. However, in some use-cases you might require a more restrictive mode. With this update, you can now set a different certificate and a key file mode using the mode parameter.

The postgresql RHEL System Role is now available

The new postgresql RHEL System Role installs, configures, manages, and starts the PostgreSQL server. The role also optimizes the database server settings to improve performance.

podman RHEL System Role now supports Quadlets, health checks, and secrets

Starting with Podman 4.6, you can use the podman_quadlet_specs variable in the podman RHEL System Role. You can define a Quadlet by specifying a unit file, or in the inventory by a name, a type of unit, and a specification. Types of a unit can be the following: container, kube, network, and volume. Note that Quadlets work only with root containers on RHEL 8. Quadlets work with rootless containers on RHEL 9.

Improved performance of the selinux System Role with restorecon -T 0

The selinux System Role now uses the -T 0 option with the restorecon command in all applicable cases. This improves the performance of tasks that restore default SELinux security contexts on files.

The rhc System Role now supports setting a proxy server type

The newly introduced attribute scheme under the rhc_proxy parameter enables you to configure the proxy server type by using the rhc system role. You can set two values: http, the default and https.

firewall RHEL System Role supports variables related to ipsets

With this update of the firewall RHEL System Role, you can define, modify, and delete ipsets. Also, you can add and remove those ipsets from firewall zones. Alternatively, you can use those ipsets when defining firewall rich rules.

RHEL System Roles now have new volume options for mount point customization

With this update, you can now specify mount_user, mount_group, and mount_permissions parameters for your mount directory.

The firewall RHEL System Role has an option to disable conflicting services, and it no longer fails if firewalld is masked

Previously, the firewall System Role failed when the firewalld service was masked on the role run or in the presence of conflicting services. This update brings two notable enhancements:

Resetting the firewall RHEL System Role configuration now requires minimal downtime

Previously, when you reset the firewall role configuration by using the previous: replaced variable, the firewalld service restarted. Restarting adds downtime and prolongs the period of an open connection in which firewalld does not block traffic from active connections. With this enhancement, the firewalld service completes the configuration reset by reloading instead of restarting. Reloading minimizes the downtime and reduces the opportunity to bypass firewall rules. As a result, using the previous: replaced variable to reset the firewall role configuration now requires minimal downtime.

sevctl is now fully compatible with AMD EPYC Rome and Milan

With this update, the sevctl utility correctly recognizes the latest AMD EPYC cores, including the AMD EPYC Rome and AMD EPYC Milan series. As a result, you can use sevctl to configure the features of AMD Secure Encrypted Virtualization (SEV) that are available on these CPUs.

virtio-vga and virtio-gpu devices now support blob resources

It is now possible for virtio-vga and virtio-gpu devices to use blob memory resources, which improves their performance in certain scenarios. To attach a blob resource to a virtio graphics device, add a blob="on" option to the corresponding <video> section in the virtual machine’s XML configuration. For example:

Virtualization support for 4th Generation Intel Xeon Scalable processors

With this update, virtualization on RHEL 9 adds support for the 4th Generation Intel Xeon Scalable processors, formerly known as Sapphire Rapids. As a result, virtual machines hosted on RHEL 9 can now use the SapphireRapids CPU model and utilise new features that the processors provide.

Improved memory reclaiming for Secure Execution on IBM Z

When using a virtual machine (VM) with IBM Secure Execution on IBM Z, you can now set up enhanced memory reclaiming for the VM. If the VM is using 32 GiB or more RAM, this setting improves the performance of rebooting or stopping the VM.

New virtualization features in the RHEL web console

With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:

cloud-init supports NetworkManager keyfiles

With this update, the cloud-init utility can use a NetworkManager (NM) keyfile to configure the network of the created cloud instance.

cloud-init now uses VMware datasources by default on ESXi

When creating RHEL virtual machines (VMs) on a host that uses the VMware ESXi hypervisor, such as the VMware vSphere cloud platform. This improves the performance and stability of creating an ESXi instance of RHEL by using cloud-init. Note, however, that ESXi is still compatible with Open Virtualization Format (OVF) datasources, and you can use an OVF datasource if a VMware one is not available.

sos rebased to version 4.6

The sos utility, for collecting configuration, diagnostic, and troubleshooting data, has been rebased to version 4.6. This update provides the following enhancements:

Podman supports pulling and pushing images compressed with zstd

You can pull and push images compressed with the zstd format. The zstd compression is more efficient and faster than gzip. It can reduce the amount of network traffic and storage involved in pulling and pushing the image.

Quadlet in Podman is now available

Beginning with Podman v4.6, you can use Quadlet to automatically generate a systemd service file from a container description. The Quadlets might be easier to use than the podman generate systemd command because the description focuses on the relevant container details and without the technical complexity of running containers under systemd.

The Container Tools packages have been updated

The updated Container Tools RPM meta-package, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. This update applies a series of bug fixes and enhancements over the previous version.

Podman now supports a Podmansh login shell

Beginning with Podman v4.6, you can use the Podmansh login shell to manage user access and control. Configure your settings to use the /usr/bin/podmansh command as a login shell instead of a standard shell command, for example, /usr/bin/bash. When a user logs into a system setup, the podmansh command runs the user’s session into a Podman container named podmansh. Containers into which users log in are defined using the Quadlet files, which are created in the /etc/containers/systemd/users/ directory. In these files, set the ContainerName field in the [Container] section to podmansh. The systemd automatically starts podmansh when the user session starts and continues running until all user sessions exit.

Clients for sigstore signatures with Fulcio and Rekor are now available

With Fulcio and Rekor servers, you can now create signatures by using short-term certificates based on an OpenID Connect (OIDC) server authentication, instead of manually managing a private key. Clients for sigstore signatures with Fulcio and Rekor, previously available as a Technology Preview, are now fully supported. This added functionality is the client side support only, and does not include either the Fulcio or Rekor servers.

The pasta networking mode is now available

Starting with Podman v4.4.1, you can use the pasta network mode. It is a high-performance replacement of the default network mode slirp4netns and supports IPv6 forwarding. To select the pasta network mode, install the passt package to use the podman run command with the --network=pasta option. With Podman v4.6, you can set default rootless network mode in the /etc/containers/containers.conf configuration file by using the default_rootless_network_cmd field under the [network] section.

UBI 9 Micro Container Image no longer contains zoneinfo installed by tzdata

With this update, the time zone information provided by the tzdata package is no longer included in UBI 9 Micro container images, consequently reducing the image size. The UBI 9 Minimal and UBI 9 Micro containers are UTC-only, and users should reinstall the tzdata package to get the full zoneinfo, if needed.

The installation program now correctly processes the --proxy option of the url Kickstart command

Previously, the installation program did not correctly process the --proxy option of the url Kickstart command. As a consequence, you could not use the specified proxy to fetch the installation image. With this update, the issue is fixed and the --proxy option now works as expected.

The --noverifyssl option for liveimg no longer checks the server’s certificate for images downloaded using HTTPS

Previously, the installation program ignored the --noverifyssl option from the liveimg Kickstart command. Consequently, if the server’s certificate could not be validated for images downloaded using the HTTPS protocol, the installation process failed. With this update, this issue has been fixed, and the --noverifyssl option of the liveimg Kickstart command works correctly.

Anaconda now validates LUKS passphrases for the FIPS requirements

Previously, Anaconda did not check whether the length of LUKS passphrases satisfied the FIPS requirements, even though the underlying tools performed this check. As a consequence, installing in FIPS mode with a passphrase shorter than 8 characters caused the installer to stop prematurely.

The new version of xfsprogs no longer shrinks the size of /boot

Previously, the xfsprogs package with the 5.19 version in the RHEL 9.3 caused the size of /boot to shrink. As a consequence, it caused a difference in the available space on the /boot partition, if compared to the RHEL 9.2 version. This fix increases the /boot partition to 600 MiB for all images, instead of 500 MiB, and the /boot partition is no longer affected by space issues.

OpenSSL commands cms and smime can encrypt files in FIPS mode

Previously, the default configuration of the cms and smime OpenSSL commands used legacy encryption algorithms, such as 3DES or PKCS #1 v1.5. These algorithms are disabled in FIPS mode. As a result, encrypting files by using the smime command with the default settings did not work on systems in FIPS mode. This update introduces the following changes:

SELinux allows mail replication in Dovecot

You can configure the Dovecot high-performance mail delivery agent for high availability with two-way replication set, but the SELinux policy previously did not contain rules for the dovecot-deliver utility to communicate over a pipe in the runtime filesystem. As a consequence, mail replication in Dovecot did not work. With this update, permissions have been added to the SELinux policy, and as a result, mail replication in Dovecot works.

Booting from an NFS filesystem now works with SELinux set to enforcing mode

Previously, when using NFS as the root filesystem, SELinux labels were not forwarded from the server, causing boot failures when SELinux was set to enforcing mode.

rabbitmq no longer fails with IPv6

Previously, when you deployed rabbitmq server with IPv6 enabled, the inet_gethost command tried to access the /proc/sys/net/ipv6/conf/all/disable_ipv6 file. Consequently, the system denied access to /proc/sys/net/ipv6/conf/all/disable_ipv6. With this update, system can now read /proc/sys/net/ipv6/conf/all/disable_ipv6, and rabbitmq now works with IPv6.

Registration to Insights through cloud-init is no longer blocked by SELinux

Previously, the SELinux policy did not contain a rule that allows the cloud-init script to run the insights-client service. Consequently, an attempt to run the insights-client --register command by the cloud-init script failed. With this update, the missing rule has been added to the policy, and you can register to Insights through cloud-init with SELinux in enforcing mode.

Users in the staff_r SELinux role can now run scap_workbench probes

Previously, the selinux-policy packages did not contain rules for users in the staff_r SELinux role required to run the scap-workbench utility. Consequently, scap-workbench probes failed when run by user in the staff_r SELinux role. With this update, the missing rules have been added to selinux-policy, and SELinux users can now run scap_workbench probes.

Permissions for insights-client added to the SELinux policy

The insights-client service requires permissions that were not in the previous versions of the selinux-policy. As a consequence, some components of insights-client did not work correctly and reported access vector cache (AVC) error messages. This update adds new permissions to the SELinux policy. As a result, insights-client runs correctly without reporting AVC errors.

Keylime allowlist generation script updated

The Keylime script create_allowlist.sh generates an allowlist for the Keylime policy. In RHEL 9.3, it was replaced with the create_runtime_policy.sh script, which failed when trying to convert the allowlist to the JSON runtime policy.

Keylime no longer requires a specific file for tls_dir = default

Previously, when the tls_dir variable was set to default in Keylime verifier or registrar configuration, Keylime rejected custom certificate authority (CA) certificates that had a different file name than cacert.crt. With this update, the problem no longer occurs, and you can use custom CA certificate files even with the tls_dir = default setting.

Environment variables can override Keylime agent options with underscores

Previously, when a Keylime agent configuration option name contained an underscore (_), overriding this option through environment variables did not work. With this update, the override through environment variables works correctly even when an option name contains an underscore.

Keylime registrar correctly identifies IPv6 addresses

Previously, the Keylime registrar did not correctly recognize IPv6 addresses, and therefore failed to bind its listening port. With this update, the registrar properly identifies IPv6 addresses and, consequently, binds to its port correctly.

Keylime agent correctly handles IPv6 addresses

Previously, when registering a Keylime agent by using an IPv6 address not enclosed in brackets, [ ], the keylime_tenant utility failed with an error. With this update, keylime_tenant handles IPv6 addresses correctly even when they are not enclosed in brackets.

Keylime no longer fails measured boot attestation due to new events in QEMU VMs

An update of the edk2-ovmf package introduced a new type of events in the measured boot log for virtual systems operated by QEMU. These events caused failures in Keylime measured boot attestation. With this update, Keylime handles these events correctly.

Keylime webhook notifier correctly closes TLS sessions

Previously, the keylime webhook notifier did not correctly close TLS sessions. This caused warnings being reported on the listener side. This update fixed this issue, and the webhook notifier now correctly closes TLS sessions.

gpg-agent now works as an SSH agent in FIPS mode

Previously, the gpg-agent tool created MD5 fingerprints when adding keys to the ssh-agent program even though FIPS mode disabled the MD5 digest. As a consequence, the ssh-add utility failed to add the keys to the authentication agent.

tangd-keygen now handles non-default umask correctly

Previously, the tangd-keygen script did not change file permissions for generated key files. Consequently, on systems with a default user file-creation mode mask (umask) that prevents reading keys to other users, the tang-show-keys command returned the error message Internal Error 500 instead of displaying the keys. With this update, tangd-keygen sets file permissions for generated key files, and therefore the script now works correctly on systems with non-default umask.

fapolicyd service no longer runs programs that are removed from the trusted database

Previously, the fapolicyd service incorrectly handled a program as trusted even after it was removed from the trusted database. As a result, entering the fapolicyd-cli --update command had no effect, and the program could be executed even after being removed. With this update, the fapolicyd-cli --update command correctly updates the trusted programs database, and removed programs can no longer be executed.

fapolicyd no longer causes the system to hang after mount and umount

Previously, when the mount or umount actions were run twice followed by the fapolicyd-cli --update command, the fapolicyd service might enter an endless loop. As a result, the system stopped responding. With this update, the service runs the fapolicyd-cli --update command correctly, and the service handles any number of mount or umount actions.

Keylime now accepts concatenated PEM certificates

Previously, when Keylime received a certificate chain as multiple certificates in the PEM format concatenated in a single file, the keylime-agent-rust Keylime component produced a TLS handshake failure. As a consequence, the client components (keylime_verifier and keylime_tenant) could not connect to the Keylime agent. With this update, keylime-agent-rust correctly handles multiple certificates including intermediary CA certificates. As a result, you can now use concatenated PEM certificates with Keylime.

Rsyslog can start even without capabilities

When Rsyslog is executed as a normal user or in a containerized environment, the rsyslog process has no capabilities. Consequently, Rsyslog in this scenario could not drop capabilities and exited at startup. With this update, the process no longer attempts to drop capabilities if it has no capabilities. As a result, Rsyslog can start even when it has no capabilities.

io_uring now works without SELinux denials

Previously, the io_uring kernel interface missed the map permission in the SELinux policy. Consequently, the mmap system call failed and the io_uring interface did not work properly. With this update, the map permissions have been allowed in SELinux policy and the interface now works without SELinux denials.

oscap-anaconda-addon can now harden Network Servers for CIS

Previously, installing RHEL Network Servers with a CIS security profile (cis, cis_server_l1, cis_workstation_l1, or cis_workstation_l2) was not possible with the Network Servers package group selected. This problem is fixed by excluding the tftp package in oscap-anaconda-addon-2.0.0-17.el9 provided with RHEL 9.3. As a consequence, you can install CIS-hardened RHEL Network Servers with the Network Servers package group.

Rules checking home directories apply only to local users

Multiple compliance profiles provided by the scap-security-guide package contain the following rules that check the correct configuration of user home directories:

Password age rules apply only to local users

Some compliance profiles, for example CIS and DISA STIG, contain the following rules checking password age and password expiration of user account passwords:

Red Hat CVE feeds have been updated

The version 1 of Red Hat Common Vulnerabilities and Exposures (CVE) feeds at https://access.redhat.com/security/data/oval/ has been discontinued and replaced by the version 2 of the CVE feeds located at https://access.redhat.com/security/data/oval/v2/.

Rules related to journald configuration no longer add extra quotes

Previously, the SCAP Security Guide rules journald_compress, journald_forward_to_syslog, and journald_storage previously contained a bug in the remediation script which caused adding extra quotes to the configuration options in the /etc/systemd/journald.conf configuration file. Consequently, the journald system service failed to parse the configuration options and ignored them. Therefore, the configuration options were not effective. This caused false pass results in OpenSCAP scans. With this update, the rules and remediations scripts no longer add the extra quotes. As a result, these rules now produce a valid configuration for journald.

Files under /var/lib/fdo now get the correct SElinux label

Previously, there was a security issue that allowed the FDO process to access the entire host. With this update, by using the service-info-api server with SElinux, you can add any file to send to the device under the /var/lib/fdo directory, and, as a consequence, the files under /var/lib/fdo will now get the correct SElinux label.

subscription-manager no longer retains nonessential text in the terminal

Starting with RHEL 9.1, subscription-manager displays progress information while processing any operation. Previously, for some languages, typically non-Latin, progress messages did not clean up after the operation finished. With this update, all the messages are cleaned up properly when the operation finishes.

The dnf needs-restarting -s command now correctly displays the list of systemd services

Previously, when you used the needs-restarting command with the -s or --services option, an error occurred when a non-systemd or malfunctioning process was detected. With this update, the dnf needs-restarting -s command ignores such processes and displays a warning instead with the list of affected systemd services.

The dnf-automatic command now correctly reports the exit status of transactions

Previously, the dnf-automatic command returned a successful exit code of a transaction even if some actions during this transaction were not successfully completed. This could cause a security risk on machines that use dnf-automatic for automatic deployment of errata. With this update, the issue has been fixed and dnf-automatic now reports every problem with packages during the transaction.

Installing packages with IMA signatures on file systems without extended file attributes no longer fails

Previously, RPM tried to apply IMA signatures to files even if they did not support these signatures. As a consequence, package installation failed. With this update, RPM skips applying IMA signatures. As a result, package installation no longer fails.

The rsyslog logging service now starts at boot of the rescue system

Previously, the rsyslog service for message logging did not automatically start in the rescue system. The /dev/log socket kept receiving messages during the recovery process with no service listening at this socket. Consequently, the /dev/log socket was filled with messages and caused the recovery process to be stuck. For example, the grub2-mkconfig command to regenerate the GRUB configuration produces a high amount of log messages depending on the number of mounted file systems. If you used ReaR to recover systems with many mounted file systems, numerous log messages would fill the /dev/log socket, and the recovery process froze.

The which command no longer fails for a long path

Previously, when you executed the which command in a directory with a path longer than 256 characters, the command failed with the Can’t get current working directory error message. With this fix, the which command now uses the PATH_MAX value for the path length limit. As a result, the command no longer fails.

ReaR now supports UEFI Secure Boot with OUTPUT=USB

Previously, the OUTPUT=USB ReaR output method, which stores the rescue image on a bootable disk drive, did not respect the SECURE_BOOT_BOOTLOADER setting. Consequently, on systems with UEFI Secure Boot enabled, the disk with the rescue image would not boot because the boot loader was not signed.

System recovered by ReaR no longer fails to mount all VG logical volumes

The /etc/lvm/devices/system.devices file represents the Logical Volume Manager (LVM) system devices and controls device visibility and usability to LVM. By default, the system.devices feature is enabled in RHEL 9 and when active, it replaces the LVM device filter.

Intel Corporation I350 Gigabit Fiber Network Connection now provides a link after kernel update

Previously, hardware configurations with Small Formfactor Pluggable (SFP) transceiver modules without External Thermal Sensor (ETS) caused the igb driver to erroneously initialize the Inter-Integrated Circuit (I2C) to read ETS. As a consequence, connections did not obtain links. With this bug fix, the igb driver only initializes I2C when SFP with ETS is available. As a result, connections obtain links.

The nm-cloud-setup service no longer removes manually-configured secondary IP addresses from interfaces

Based on the information received from the cloud environment, the nm-cloud-setup service configured network interfaces. While you had the option to disable nm-cloud-setup for manual interface configuration, certain scenarios led to conflicts. In some cases, other services on the host would independently configure interfaces, including the addition of secondary IP addresses. nm-cloud-setup incorrectly removed these secondary IP addresses when triggered again by the systemd timer unit. This update for the NetworkManager package fixes the problem. You only need to wait for the systemd timer unit to trigger nm-cloud-setup. If you do not want to wait for the timer, you can enable nm-cloud-setup manually with the following command:

RHEL previously failed to recognize NVMe disks when VMD was enabled

When you reset or reattached a driver, the Volume Management Device (VMD) domain previously did not soft-reset. Consequently, the hardware could not properly detect and enumerate its devices. With this update, the operating system with VMD enabled now correctly recognizes NVMe disks, especially when resetting a server or working with a VM machine.

GRUB now correctly handles non-debug kernel variants

Previously, in systems with multiple kernel RPMs installed, entering the dnf install kernel-$VERSION or dnf update commands set the last-installed kernel as the default kernel. This occurred, for example, in systems with the standard kernel and real-time kernel on AMD and Intel 64-bit architectures, or kernel (4k) and kernel-64k on 64-bit ARM architecture. As a consequence, the system could boot into the unneeded kernel on future reboots. With this update, GRUB uses the DEFAULTKERNEL variable in the /etc/sysconfig/kernel configuration file, and the default kernel remains the proper variant and latest version.

The lpfc driver is in a valid state during the D_ID port swap

Previously, the SAN Boot host, after issuing the NetApp giveback operation, resulted in LVM hung task warnings and stalled I/O. This problem occurred even when alternate paths were available in a DM-Multipath environment due to the fiber channel D_ID port swap. As a consequence of the race condition, the D_ID port swap resulted in an inconsistent state in the lpfc driver, which prevented I/O from being issued.

multipathd adds the persistent reservation registration key to all paths

Previously, when the multipathd daemon started and it recognized a registration key for the persistent reservations on one path of an existing multipath device, not all paths of that device had the registration key. As a consequence, if new paths appeared to a multipath device with persistent reservations while multipathd was stopped, persistent reservations were not set up on those. This allowed IO processing on the paths, even if they were supposed to be forbidden by the reservation key.

LUNs are now visible during the operating system installation

Previously, the system was not using the authentication information from firmware sources, specifically in cases involving iSCSI hardware offload with CHAP (Challenge-Handshake Authentication Protocol) authentication stored in the iSCSI iBFT (Boot Firmware Table). As a consequence, the iSCSI login failed during installation.

System boots correctly when adding a NVMe-FC device as a mount point in /etc/fstab

Previously, due to a known issue in the nvme-cli nvmf-autoconnect systemd services, systems failed to boot while adding the Non-volatile Memory Express over Fibre Channel (NVMe-FC) devices as a mount point in the /etc/fstab file. Consequently, the system entered into an emergency mode. With this update, a system boots without any issue when mounting an NVMe-FC device.

The pcs config checkpoint diff command now works correctly for all configuration sections

As of the RHEL 9.0 release, the pcs config checkpoint diff command had stopped showing the differences for the following configuration sections: Fencing Levels, Ordering Constraints, Colocation Constraints, Ticket Constraints, Resources Defaults, and Operations Defaults. As of the RHEL 9.1 release, the pcs config checkpoint diff command had stopped showing the differences for the Resources and Stonith devices configuration sections. This is because as the code responsible for displaying each of the different configuration sections switched to a new mechanism for loading CIB files, the loaded content was cached. The second file used for the difference comparison was not loaded and the cached content of the first file was used instead. As a result, the diff command yielded no output. With this fix, the CIB file content is no longer cached and the pcs config checkpoint diff command shows differences for all configuration sections.

pcsd Web UI now displays cluster status when fence levels are configured

Previously, the pcsd Web UI did not display cluster status when fence levels were configured. With this fix, you can now view the cluster status and change the cluster settings with the Web UI when fence levels are configured.

A fence watchdog configured as a second fencing device now fences a node when the first device times out

Previously, when a watchdog fencing device was configured as the second device in a fencing topology, the watchdog timeout would not be considered when calculating the timeout for the fencing operation. As a result, if the first device timed out the fencing operation would time out even though the watchdog would fence the node. With this fix, the watchdog timeout is included in the fencing operation timeout and the fencing operation succeeds if the first device times out.

Location constraints with rules no longer displayed when listing is grouped by nodes

Location constraints with rules cannot have a node assigned. Previously, when you grouped the listing by nodes, location constraints with rules were displayed under an empty node. With this fix, the location constraints with rules are no longer displayed and a warning is given indicating that constraints with rules are not displayed.

pcs command to update multipath SCSI devices now works correctly

Due to changes in the Pacemaker CIB file, the pcs stonith update-scsi-devices command stopped working as designed, causing an unwanted restart of some cluster resources. With this fix, this command works correctly and updates SCSI devices without requiring a restart of other cluster resources running on the same node.

Memory footprint of pcsd-ruby daemon now reduced when pscd Web UI is open

Previously, when the pcsd Web UI was open, memory usage of the pcsd-ruby daemon increased steadily over the course of several hours. With this fix, the web server that runs in the pcsd-ruby daemon now periodically performs a graceful restart. This frees the allocated memory and reduces the memory footprint.

The azure-events-az resource agent no longer produces an error with Pacemaker 2.1 and later

The azure-events-az resource agent executes the crm_simulate -Ls command and parses the output. With Pacemaker 2.1 and later, the output of the crm_simulate command no longer contains the text Transition Summary:, which resulted in an error. With this fix, the agent no longer yields an error when this text is missing.

The mysql resource agent now works correctly with promotable clone resources

Previously, the mysql resource agent moved cloned resources that were operating in a Promoted role between nodes, due to promotion scores changing between promoted and non-promoted values. With this fix, a node in a Promoted role remains in a Promoted role.

The fence_scsi agent is now able to auto-detect shared lvmlockd devices

Previously, the fence_scsi agent did not auto-detect shared lvmlockd devices. With this update, fence_scsi is able to auto-detect lvmlockd devices when the devices attribute is not set.

The glibc system() function now restores the previous signal mask unconditionally

Previously, if the glibc system() function was called concurrently from multiple threads, the signal mask for the SIGCHLD signal might not be restored correctly. As a consequence, the SIGCHLD signal remained blocked after the return from the glibc system() function on some threads.

eu-addr2line -C now correctly recognizes other arguments

Previously, when you used the -C argument in eu-addr2line command from elfutils, the following single character argument disappeared. Consequently, the eu-addr2line -Ci command behaved the same way as eu-addr2line -C while eu-addr2line -iC worked as expected. This bug has been fixed, and eu-addr2line -Ci now recognizes both arguments.

eu-addr2line -i now correctly handles code compiled with GCC link-time optimization

Previously, the dwarf_getscopes function from the libdw library included in elfutils was unable to find an abstract origin definition of a function that was compiled with GCC link-time optimization. Consequently, when you used the -i argument in the eu-addr2line command, eu-addr2line was unable to show inline functions for code compiled with gcc -flto. With this update, the libdw dwarf_getscopes function looks in the correct compile unit for the inlined scope, and eu-addr2line -i works as expected.

Programs using papi no longer stop when shutting down

Previously, papi initialized threads before papi initialized some components. Because of this, entries for certain components describing the number of elements in arrays were not set to correct values and zero-sized memory allocations were attempted. As a consequence, later accesses and frees of those zero-sized memory allocations caused the programs to stop.

The OpenJDK XML signature provider is now functional in FIPS mode

Previously, the OpenJDK XML signature provider was unable to operate in FIPS mode. As a result of enhancements to FIPS mode support the OpenJDK XML signature provider is now enabled in FIPS mode.

Paged searches from a regular user now do not impact performance

Previously, when Directory Server was under the search load, paged searches from a regular user could impact the server performance because a lock conflicted with the thread that polls for network events. In addition, if a network issue occurred while sending the page search, the whole server was unresponsive until the nsslapd-iotimeout parameter expired. With this update, the lock was split into several parts to avoid the contention with the network events. As a result, no performance impact during paged searches from a regular user.

Schema replication now works correctly in Directory Server

Previously, when Directory Server replicated a schema to a new server, it added all the schema to the 99user.ldif file on the remote replica. It seemed it was all custom schema because X-ORIGIN keyword was set to user defined for all definitions. As a result, it could cause issues with the web console and possibly for customers who monitor the schema and expect the X-ORIGIN keyword to have specific values. With this update, schema replication works as expected.

Referral mode is now working correctly in Directory Server

Previously, CLI set nsslapd-referral configuration attribute to the backend and not to the mapping tree. As a result, referral mode did not work. With this update, the nsslapd-referral attribute is set correctly and the referral mode works as expected.

The LMDB import now works faster

Previously, to build the entryrdn index, LMDB import worker threads waited for other worker threads to ensure that the parent entry was processed. This generated lock contention that drastically slowed import. With this update, the LDIF import over LMDB database was redesigned and the provider thread stores the data about the entry RDN and its parents in a temporary database that the worker thread uses to build the entryrdn index. As a result, worker threads synchronization is no longer needed and the average import rate is better.

The dirsrv service now starts correctly after reboot

Previously, dirsrv service could fail to start after reboot because dirsrv service did not explicitly wait for systemd-tmpfiles-setup.service to finish. This led to a race condition. With this update, dirsrv service waits for the systemd-tmpfiles-setup.service to finish and no longer fail to start after reboot.

Changing a security parameter now works correctly

Previously, when you changed a security parameter by using the dsconf instance_name security set command, the operation failed with the error:

SSSD now uses sAMAccountName when evaluating GPO-based access control

Previously, if ldap_user_name was set to a value other than sAMAccountName on an AD client, GPO-based access control failed. With this update, SSSD now always uses sAMAccountName when evaluating GPO-based access control. Even if ldap_user_name is set to a value different from sAMAccountName on an AD client, GPO-based access control now works correctly.

SSSD now handles duplicate attributes in the user_attributes option when retrieving users

Previously, if sssd.conf contained duplicate attributes in the user_attributes option, SSSD did not handle these duplicates correctly. As a consequence, users with those attributes could not be retrieved. With this update, SSSD now handles duplicates correctly. As a result, users with duplicate attributes can now be retrieved.

The dynamic Kerberos PAC ticket signature enforcement mechanism now fixes cross-version incompatibility in IdM

Previously, if your Identity Management (IdM) deployment featured servers running on both RHEL 9 and RHEL 8, the incompatibility caused by the upstream implementation of the Privilege Attribute Certificate (PAC) ticket signature support caused certain operations to fail. With this update, the implementation of the dynamic ticket signature enforcement mechanism feature in RHEL 9 fixes this cross-version incompatibility. For this feature to actually take effect, you must:

SHA-1 signature verification can now be allowed in FIPS mode

Previously, it was not possible to allow the use of SHA-1 signature verification when Identity Management (IdM) was in FIPS mode. This is because IdM uses the FIPS-140-3 standard, which does not allow SHA-1 signatures. This situation caused problems with Active Directory (AD) interoperability, because AD only complies with the older FIPS-140-2 standard and therefore requires SHA-1 signatures.

Deleting the IdM admin user is now no longer permitted

Previously, nothing prevented you from deleting the Identity Management (IdM) admin user if you were a member of the admins group. The absence of the admin user causes the trust between IdM and Active Directory (AD) to stop functioning correctly. With this update, you can no longer delete the admin user. As a result, the IdM-AD trust works correctly.

ipa-kdb no longer causes krb5kdc to fail

Previously, the ipa-kdb driver did not differentiate between the absence of a server host object and a connection failure. Consequently, the krb5kdc server sometimes stopped unexpectedly because of a NULL LDAP context produced by a connection issue with the LDAP server.

The IdM client installer no longer specifies the TLS CA configuration in the ldap.conf file

Previously, the IdM client installer specified the TLS CA configuration in the ldap.conf file. With this update, OpenLDAP uses the default truststore and the IdM client installer does not set up the TLS CA configuration in the ldap.conf file.

IdM clients correctly retrieve information for trusted AD users when their names contain mixed case characters

Previously, if you attempted a user lookup or authentication of a user, and that trusted Active Directory (AD) user contained mixed case characters in their names and they were configured with overrides in IdM, an error was returned preventing users from accessing IdM resources.

The web console NBDE binding steps now work also on volume groups with a root file system

In RHEL 9.2, due to a bug in the code for determining whether or not the user was adding a Tang key to the root file system, the binding process in the web console crashed when there was no file system on the LUKS container at all. Because the web console displayed the error message TypeError: Qe(…​) is undefined after you had clicked the Trust key button in the Verify key dialog, you had to perform all the required steps in the command-line interface in the described scenario.

VNC console now works at most resolutions

Previously, when using the Virtual Network Computing (VNC) console under certain display resolutions, a mouse offset problem was present or only a part of the interface was visible. Consequently, using the VNC console was not possible.

The storage role can now resize the mounted file systems without unmounting

Previously, the storage role was unable to resize mounted devices, even if the file system supported online resizing. As a consequence, the storage role unmounted all file systems before resizing, which failed for file systems that were in use, for example, while resizing the / directory of the running system.

The podman_registries_conf variable now configures unqualified-search-registries field correctly

Previously, after configuring the podman_registries_conf variable, the podman RHEL System Role failed. Consequently, unqualified-search-registries = ["registry.access.redhat.com"] setting was not generated in the /etc/containers/registries.conf.d/50-systemroles.conf file. With this update, this problem has been fixed.

The kdump role adds authorized_keys idempotently

Previously, the task to add authorized_key added an extra newline character every time. Consequently the role was not acting idempotent. With this fix, adding a new authorized_key works correctly and adds only a single key value idempotently.

The kdump system role does not fail if kdump_authorized_keys is missing

Previously, the kdump system role failed to add SSH authorized keys if the user defined in the kdump_ssh_user variable did not have access to the .ssh directory in the home directory or an empty .ssh/authorized_keys file. With this fix, the kdump system role now correctly adds authorized keys to the SSH configuration. As a result, the key based authentication works reliably in the described scenario.

Failure to remove data from member disks before creation no longer persists

Previously, when creating RAID volumes, the system did not effectively eliminate existing data from member disks before forming the RAID volume. With this update, RAID volumes remove any per-existing data from member disks as needed.

Running the firewall RHEL System Role in check mode with non-existent services no longer fails

Previously, running the firewall role in check mode with non-existent services would fail. This fix implements better compliance with Ansible best practices for check mode. As a result, non-existent services being enabled or disabled no longer fails the role in check mode. Instead, a warning prompts you to confirm that the service is defined in a previous playbook.

The firewall RHEL System Role on RHEL 7 no longer attempts to install non-existent Python packages

Previously, when the firewall role on RHEL 7 was called from another role, and that role was using python3, the firewall role attempted to install the python3-firewall library for that version of Python. However, that library is not available in RHEL 7. Consequently, the python3-firewall library was not found, and you received the following error message:

kdump RHEL System Role updates

The kdump RHEL System Role has been updated to a newer version, which brings the following notable enhancements:

Insights tags created by using the rhc role are now applied correctly

Previously, when you created Insights tags by using the rhc role, tags were not stored in the correct file. Consequently, tags were not sent to Insights and as a result they were not applied to the systems in the Insights inventory.

raid_chunk_size parameter no longer returns an error message

Previously, raid_chunk_size attribute was not allowed for RAID pools and volumes. With this update, you can now configure the raid_chunk_size attribute for RAID pools and volumes without encountering any restrictions.

The certificate RHEL System Role now checks for the certificate key size when determining whether to perform a new certificate request

Previously, the certificate RHEL System Role did not check the key size of a certificate when evaluating whether to request a new certificate. As a consequence, the role sometimes did not issue new certificate requests in cases where it should. With this update, certificate now checks the key_size parameter to determine if a new certificate request should be performed.

The kdump role adds multiple keys to authorized_keys idempotently

Previously, adding multiple SSH keys to the authorized_keys file at the same time replaced the key value of one host by another. This update fixes the problem by using the lineinfile module to manage the authorized_keys file. lineinfile iterates the tasks in sequence, checking for an existing key and writing the new key in one atomic operation on a single host at one time. As a result, adding SSH keys on multiple hosts works correctly, and does not replace the key value from another host.

The kdump role successfully updates .ssh/authorized_keys for kdump_ssh_server authentication

Previously, the .ssh directory was not accessible by the kdump role to securely authenticate users to log into kdump_ssh_server. As a consequence, the kdump role did not update the .ssh/authorized_keys file and the SSH mechanism to verify the kdump_ssh_server failed. This update fixes the problem. As a result the kdump_ssh_user authentication on kdump_ssh_server works reliably.

Enabling kdump for system role requires using the failure_action configuration parameter on RHEL 9 and later versions

Previously, using the default option during kdump configuration was not successful and printed the following warning in logs:

The previous: replaced parameter of the firewall System Role now overrides the previous configuration without deleting it

Previously, if you added the previous: replaced parameter to the variable list, the firewall System Role removed all existing user-defined settings and reset firewalld to the default settings. This fix uses the fallback configuration in firewalld, which was introduced in the EL7 release, to retain the previous configuration. As a result, when you use the previous: replaced parameter in the variable list, the firewall.conf configuration file is not deleted on reset, but the file and comments in the file are retained.

The firewall RHEL System Role correctly reports changes when using previous: replaced in check mode

Previously, the firewall role was not checking whether any files would be changed when using the previous: replaced parameter in check mode. As a consequence, the role gave an error about undefined variables. This fix adds new check variables to the check mode to assess whether any files would be changed by the previous: replaced parameter. The check for the firewalld.conf file assesses the rpm database to determine whether the file has been changed from the version shipped in the package. As a result, the firewall role now correctly reports changes when using the previous: replaced parameter.

The firewall RHEL System Role correctly reports changes when assigning zones to Network Manager interfaces

Previously, the Network Manager interface assignment reported changes when no changes were present. With this fix, the try_set_zone_of_interface module in the file library/firewall_lib.py returns a second value, which denotes whether the interface’s zone was changed. As a result, the module now correctly reports changes when assigning zones to interfaces handled by Network Manager.

The rhc system role no longer fails on the registered systems when rhc_auth contains activation keys

Previously, a failure occurred when you executed playbook files on the registered systems with the activation key specified in the rhc_auth parameter. This issue has been resolved. It is now possible to execute playbook files on the already registered systems, even when activation keys are provided in the rhc_auth parameter.

The NVIDIA graphics device continues working after VM shutdown

Previously, in the RHEL kernel, device power transition delays were more closely aligned to those required by the PCIe specification. As a consequence, some NVIDIA GPUs could become unresponsive when used for device assignment after a shutdown of the attached VM. This update extends the device power transition delay for NVIDIA audio device functions. As a result, NVIDIA GPUs continue to work correctly in this scenario.

Failover virtio NICs are now correctly assigned an IP address on Windows virtual machines

Previously, when starting a Windows virtual machine (VM) with only a failover virtio NIC, the VM failed to assign an IP address to the NIC. Consequently, the NIC was unable to set up a network connection. This problem has been fixed and VM NICs now set up network connections as expected in the described scenario.

The installer shows the expected system disk to install RHEL on VM

Previously, when installing RHEL on a VM using virtio-scsi devices, it was possible that these devices did not appear in the installer because of a device-mapper-multipath bug. Consequently, during installation, if some devices had a serial set and some did not, the multipath command was claiming all the devices that had a serial. Due to this, the installer was unable to find the expected system disk to install RHEL in the VM.

Broadcom network adapters now work correctly on Windows VMs after a live migration

Previously, network adapters from the Broadcom family of devices, such as Broadcom, Qlogic, or Marvell, could not be hot-unplugged during live migration of Windows virtual machines (VMs). As a consequence, the adapters worked incorrectly after the migration was complete. This problem affected only adapters that were attached to Windows VMs using Single-root I/O virtualization (SR-IOV). With this update, the underlying code has been fixed and the problem no longer occurs.

nodedev-dumpxml lists attributes correctly for certain mediated devices

Before this update, the nodedev-dumpxml utility did not list attributes correctly for mediated devices that were created using the nodedev-create command. This has been fixed, and nodedev-dumpxml now displays the attributes of the affected mediated devices properly.

virtiofs devices could not be attached after restarting virtqemud or libvirtd

Previously, restarting the virtqemud or libvirtd services prevented virtiofs storage devices from being attached to virtual machines (VMs) on your host. This bug has been fixed, and you can now attach virtiofs devices in the described scenario as expected.

Hot plugging a Watchdog card to a virtual machine no longer fails

Previously, if no PCI slots were available, adding a Watchdog card to a running virtual machine (VM) failed with the following error:

blob resources do not work correctly for virtio-gpu on IBM Z

The virtio-gpu device is currently not compatible with blob memory resources on IBM Z systems. As a consequence, if you configure a virtual machine (VM) with virtio-gpu on an IBM Z host to use blob resources, the VM does not have any graphical output.

NVMe over Fibre Channel devices are now available in RHEL installation program as a Technology Preview

You can now add NVMe over Fibre Channel devices to your RHEL installation as a Technology Preview. In RHEL installation program, you can select these devices under the NVMe Fabrics Devices section while adding disks on the Installation Destination screen.

gnutls now uses kTLS as a Technology Preview

The updated gnutls packages can use kernel TLS (kTLS) for accelerating data transfer on encrypted channels as a Technology Preview. To enable kTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:

GIMP available as a Technology Preview in RHEL 9

GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. The gimp package version 2.99.8 is a pre-release version with a set of improvements, but a limited set of features and no guarantee for stability. As soon as the official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release version.

Socket API for TuneD available as a Technology Preview

The socket API for controlling TuneD through a UNIX domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file.

WireGuard VPN is available as a Technology Preview

WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.

kTLS available as a Technology Preview

RHEL provides kernel Transport Layer Security (KTLS) as a Technology Preview. kTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. kTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.

The systemd-resolved service is available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

The PRP and HSR protocols are now available as a Technology Preview

This update adds the hsr kernel module that provides the following protocols:

Offloading IPsec encapsulation to a NIC is now available as a Technology Preview

This update adds the IPsec packet offloading capabilities to the kernel. Previously, it was possible to only offload the encryption to a network interface controller (NIC). With this enhancement, the kernel can now offload the entire IPsec encapsulation process to a NIC to reduce the workload.

Network drivers for modems in RHEL are available as Technology Preview

Device manufacturers support Federal Communications Commission (FCC) locking as the default setting. FCC provides a lock to bind WWAN drivers to a specific system where WWAN drivers provide a channel to communicate with modems. Based on the modem PCI ID, manufacturers integrate unlocking tools on Red Hat Enterprise Linux for ModemManager. However, a modem remains unusable if not unlocked previously even if the WWAN driver is compatible and functional. Red Hat Enterprise Linux provides the drivers for the following modems with limited functionality as a Technology Preview:

Segment Routing over IPv6 (SRv6) is available as a Technology Preview

The RHEL kernel provides Segment Routing over IPv6 (SRv6) as a Technology Preview. You can use this functionality to optimize traffic flows in edge computing or to improve network programmability in data centers. However, the most significant use case is the end-to-end (E2E) network slicing in 5G deployment scenarios. In that area, the SRv6 protocol provides you with the programmable custom network slices and resource reservations to address network requirements for specific applications or services. At the same time, the solution can be deployed on a single-purpose appliance, and it satisfies the need for a smaller computational footprint.

kTLS rebased to version 6.3

The kernel Transport Layer Security (KTLS) functionality is a Technology Preview. With this RHEL release, kTLS has been rebased to the 6.3 upstream version, and notable changes include:

The kdump mechanism with a unified kernel image is available as a Technology Preview

The kdump mechanism with a kernel image contained in a unified kernel image (UKI) is available as a Technology Preview. UKI is a single executable, combining the initramfs, vmlinuz,and the kernel command line in a single file. The UKI key benefit being extending the cryptographic signature for SecureBoot to all components at once.

SGX available as a Technology Preview

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:

The Intel data streaming accelerator driver for kernel is available as a Technology Preview

The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a Technology Preview. It is an Intel CPU integrated accelerator and includes the shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).

The Soft-iWARP driver is available as a Technology Preview

Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This protocol suite is fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.

SGX available as a Technology Preview

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:

rvu_af, rvu_nicpf, and rvu_nicvf available as Technology Preview

The following kernel modules are available as Technology Preview for Marvell OCTEON TX2 Infrastructure Processor family:

DAX is now available for ext4 and XFS as a Technology Preview

In RHEL 9, the DAX file system is available as a Technology Preview. DAX provides means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a DAX compatible file system must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.

NVMe-oF Discovery Service features available as a Technology Preview

The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/specifications/ website.

nvme-stas package available as a Technology Preview

The nvme-stas package, which is a Central Discovery Controller (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, and Automatic (zeroconf) and Manual configuration.

NVMe TP 8006 in-band authentication available as a Technology Preview

Implementing Non-Volatile Memory Express (NVMe) TP 8006, which is an in-band authentication for NVMe over Fabrics (NVMe-oF) is now available as an unsupported Technology Preview. The NVMe Technical Proposal 8006 defines the DH-HMAC-CHAP in-band authentication protocol for NVMe-oF, which is provided with this enhancement.

The io_uring interface is available as a Technology Preview

io_uring is a new and effective asynchronous I/O interface, which is now available as a Technology Preview. By default, this feature is disabled. You can enable this interface by setting the kernel.io_uring_disabled sysctl variable to any one of the following values:

jmc-core and owasp-java-encoder available as a Technology Preview

RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features for the AMD and Intel 64-bit architectures.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as a Technology Preview.

sssd-idp sub-package available as a Technology Preview

The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which are client-side components that perform OAuth2 authentication against Identity Management (IdM) servers. This feature is available only with IdM servers on RHEL 9.1 and later.

SSSD internal krb5 idp plugin available as a Technology Preview

The SSSD krb5 idp plugin allows you to authenticate against an external identity provider (IdP) using the OAuth2 protocol. This feature is available only with IdM servers on RHEL 9.1 and later.

RHEL IdM allows delegating user authentication to external identity providers as a Technology Preview

In RHEL IdM, you can now associate users with external identity providers (IdP) that support the OAuth 2 device authorization flow. When these users authenticate with the SSSD version available in RHEL 9.1 or later, they receive RHEL IdM single sign-on capabilities with Kerberos tickets after performing authentication and authorization at the external IdP.

ACME available as a Technology Preview

The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.

GNOME for the IBM Z architecture available as a Technology Preview

The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.

AMD SEV and SEV-ES for KVM virtual machines

As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

Virtualization is now available on ARM 64

As a Technology Preview, it is now possible to create KVM virtual machines on systems using ARM 64 CPUs.

virtio-mem is now available on AMD64, Intel 64, and ARM 64

As a Technology Preview, RHEL 9 introduces the virtio-mem feature on AMD64, Intel 64, and ARM 64 systems. Using virtio-mem makes it possible to dynamically add or remove host memory in virtual machines (VMs).

Intel TDX in RHEL guests

As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL 9.2 and later guest operating systems. If the host system supports TDX, you can deploy hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that TDX currently does not work with kdump, and enabling TDX will cause kdump to fail on the VM.

A unified kernel image of RHEL is now available as a Technology Preview

As a Technology Preview, you can now obtain the RHEL kernel as a unified kernel image (UKI) for virtual machines (VMs). A unified kernel image combines the kernel, initramfs, and kernel command line into a single signed binary file.

Intel vGPU available as a Technology Preview

As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.

RHEL is now available on Azure confidential VMs as a Technology Preview

With the updated RHEL kernel, you can now create and run RHEL confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview. The newly added unified kernel image (UKI) now enables booting encrypted confidential VM images on Azure. The UKI is available as a kernel-uki-virt package in RHEL 9 repositories.

SQLite database backend for Podman is available as a Technology Preview

Beginning with Podman v4.6, the SQLite database backend for Podman is available as a Technology Preview. To set the database backend to SQLite, add the database_backend = "sqlite" option in the /etc/containers/containers.conf configuration file. Run the podman system reset command to reset storage back to the initial state before you switch to the SQLite database backend. Note that you have to re-create all containers and pods. The SQLite database guarantees good stability and consistency. Other databases in the containers stack will be moved to SQLite as well. The BoltDB remains the default database backend.

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

Deprecated Kickstart commands

The following Kickstart commands have been deprecated:

User and Group customizations in the edge-commit and edge-container blueprints have been deprecated

Specifying a user or group customization in the blueprints is deprecated for the edge-commit and edge-container image types, because the user customization disappears when you upgrade the image and do not specify the user in the blueprint again.

The initial-setup package now has been deprecated

The initial-setup package has been deprecated in Red Hat Enterprise Linux 9.3 and will be removed in the next major RHEL release. As a replacement, use gnome-initial-setup for the graphical user interface.

The provider_hostip and provider_fedora_geoip values of the inst.geoloc boot option are deprecated

The provider_hostip and provider_fedora_geoip values that specified the GeoIP API for the inst.geoloc= boot option are deprecated. As a replacement, you can use the geolocation_provider=URL option to set the required geolocation in the installation program configuration file. You can still use the inst.geoloc=0 option to disable the geolocation.

SHA-1 is deprecated for cryptographic purposes

The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases.

fapolicyd.rules is deprecated

The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility.

SCP is deprecated in RHEL 9

The secure copy protocol (SCP) is deprecated because it has known security vulnerabilities. The SCP API remains available for the RHEL 9 lifecycle but using it reduces system security.

OpenSSL requires padding for RSA encryption in FIPS mode

OpenSSL no longer supports RSA encryption without padding in FIPS mode. RSA encryption without padding is uncommon and is rarely used. Note that key encapsulation with RSA (RSASVE) does not use padding but is still supported.

NTLM and Krb4 are deprecated in Cyrus SASL

The NTLM and Kerberos 4 authentication protocols have been deprecated and might be removed in a future major version of RHEL. These protocols are no longer considered secure and have already been removed from upstream implementations.

Digest-MD5 in SASL is deprecated

The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) framework is deprecated, and it might be removed from the cyrus-sasl packages in a future major release.

OpenSSL deprecates MD2, MD4, MDC2, Whirlpool, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1

The OpenSSL project has deprecated a set of cryptographic algorithms because they are insecure, uncommonly used, or both. Red Hat also discourages the use of those algorithms, and RHEL 9 provides them for migrating encrypted data to use new algorithms. Users must not depend on those algorithms for the security of their systems.

/etc/system-fips is now deprecated

Support for indicating FIPS mode through the /etc/system-fips file has been removed, and the file will not be included in future versions of RHEL. To install RHEL in FIPS mode, add the fips=1 parameter to the kernel command line during the system installation. You can check whether RHEL operates in FIPS mode by using the fips-mode-setup --check command.

libcrypt.so.1 is now deprecated

The libcrypt.so.1 library is now deprecated, and it might be removed in a future version of RHEL.

The --token option of the subscription-manager command is deprecated

The --token=<TOKEN> option of the subscription-manager register command is an authentication method that helps register your system to Red Hat. This option depends on capabilities offered by the entitlement server. The default entitlement server, subscription.rhsm.redhat.com, is planning to turn off this capability. As a consequence, attempting to use subscription-manager register --token=<TOKEN> might fail with the following error message:

The dump utility from the dump package has been deprecated

The dump utility used for backup of file systems has been deprecated and will not be available in RHEL 9.

The SQLite database backend in Bacula has been deprecated

The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the SQLite backend in new deployments.

Network teams are deprecated in RHEL 9

The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.

NetworkManager connection profiles in ifcfg format are deprecated

In RHEL 9.0 and later, connection profiles in ifcfg format are deprecated. The next major RHEL release will remove the support for this format. However, in RHEL 9, NetworkManager still processes and updates existing profiles in this format if you modify them.

The iptables back end in firewalld is deprecated

In RHEL 9, the iptables framework is deprecated. As a consequence, the iptables backend and the direct interface in firewalld are also deprecated. Instead of the direct interface you can use the native features in firewalld to configure the required rules.

The PF_KEYv2 kernel API is deprecated

Applications can configure the kernel’s IPsec implementation by using the PV_KEYv2 and the newer netlink API. PV_KEYv2 is not actively maintained upstream and misses important security features, such as modern ciphers, offload, and extended sequence number support. As a result, starting with RHEL 9.3, the PV_KEYv2 API is deprecated and will be removed in the next major RHEL release. If you use this kernel API in your application, migrate it to use the modern netlink API as an alternative.