Red Hat Enterprise Linux 9.4 Release Notes
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is
available at
http://creativecommons.org/licenses/by-sa/3.0/
. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must
provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift,
Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States
and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States
and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and
other countries.
Node.js ® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the
official Joyent Node.js open source or commercial project.
The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks
or trademarks/service marks of the OpenStack Foundation, in the United States and other
countries and are used with the OpenStack Foundation's permission. We are not affiliated with,
endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
Abstract
The Release Notes provide high-level coverage of the improvements and additions that have been
implemented in Red Hat Enterprise Linux 9.4 and document known problems in this release, as well
as notable bug fixes, Technology Previews, deprecated functionality, and other details. For
information about installing Red Hat Enterprise Linux, see Installation.
Table of Contents

PROVIDING FEEDBACK ON RED HAT DOCUMENTATION

CHAPTER 1. OVERVIEW
  1.1. MAJOR CHANGES IN RHEL 9.4
    Installer and image creation
    RHEL for Edge
    Security
    Dynamic programming languages, web and database servers
    Compilers and development tools
      Updated performance tools and debuggers
      Updated performance monitoring tools
      Updated compiler toolsets
    Identity Management
    Virtualization
    Containers
  1.2. IN-PLACE UPGRADE
    In-place upgrade from RHEL 8 to RHEL 9
    In-place upgrade from RHEL 7 to RHEL 9
  1.3. RED HAT CUSTOMER PORTAL LABS
  1.4. ADDITIONAL RESOURCES

CHAPTER 2. ARCHITECTURES

CHAPTER 3. DISTRIBUTION OF CONTENT IN RHEL 9
  3.1. INSTALLATION
  3.2. REPOSITORIES
  3.3. APPLICATION STREAMS
  3.4. PACKAGE MANAGEMENT WITH YUM/DNF

CHAPTER 4. NEW FEATURES
  4.1. INSTALLER AND IMAGE CREATION
  4.2. SECURITY
  4.3. RHEL FOR EDGE
  4.4. SHELLS AND COMMAND-LINE TOOLS
  4.5. INFRASTRUCTURE SERVICES
  4.6. NETWORKING
  4.7. KERNEL
  4.8. BOOT LOADER
  4.9. FILE SYSTEMS AND STORAGE
  4.10. HIGH AVAILABILITY AND CLUSTERS
  4.11. DYNAMIC PROGRAMMING LANGUAGES, WEB AND DATABASE SERVERS
  4.12. COMPILERS AND DEVELOPMENT TOOLS
  4.13. IDENTITY MANAGEMENT
  4.14. THE WEB CONSOLE
  4.15. RED HAT ENTERPRISE LINUX SYSTEM ROLES
  4.16. VIRTUALIZATION
  4.17. RHEL IN CLOUD ENVIRONMENTS
  4.18. CONTAINERS

CHAPTER 5. IMPORTANT CHANGES TO EXTERNAL KERNEL PARAMETERS
  New kernel parameters
  Updated kernel parameters

CHAPTER 6. DEVICE DRIVERS
  6.1. NEW DRIVERS
  6.2. UPDATED DRIVERS

CHAPTER 7. AVAILABLE BPF FEATURES

CHAPTER 8. BUG FIXES
  8.1. INSTALLER AND IMAGE CREATION
  8.2. SECURITY
  8.3. SUBSCRIPTION MANAGEMENT
  8.4. SOFTWARE MANAGEMENT
  8.5. SHELLS AND COMMAND-LINE TOOLS
  8.6. NETWORKING
  8.7. KERNEL
  8.8. FILE SYSTEMS AND STORAGE
  8.9. HIGH AVAILABILITY AND CLUSTERS
  8.10. DYNAMIC PROGRAMMING LANGUAGES, WEB AND DATABASE SERVERS
  8.11. COMPILERS AND DEVELOPMENT TOOLS
  8.12. IDENTITY MANAGEMENT
  8.13. THE WEB CONSOLE
  8.14. RED HAT ENTERPRISE LINUX SYSTEM ROLES
  8.15. VIRTUALIZATION

CHAPTER 9. TECHNOLOGY PREVIEWS
  9.1. INSTALLER AND IMAGE CREATION
  9.2. SECURITY
  9.3. RHEL FOR EDGE
  9.4. SHELLS AND COMMAND-LINE TOOLS
  9.5. INFRASTRUCTURE SERVICES
  9.6. NETWORKING
  9.7. KERNEL
  9.8. FILE SYSTEMS AND STORAGE
  9.9. COMPILERS AND DEVELOPMENT TOOLS
  9.10. IDENTITY MANAGEMENT
  9.11. DESKTOP
  9.12. THE WEB CONSOLE
  9.13. VIRTUALIZATION
  9.14. RHEL IN CLOUD ENVIRONMENTS
  9.15. CONTAINERS

CHAPTER 10. DEPRECATED FUNCTIONALITIES
  10.1. INSTALLER AND IMAGE CREATION
  10.2. SECURITY
  10.3. SUBSCRIPTION MANAGEMENT
  10.4. SHELLS AND COMMAND-LINE TOOLS
  10.5. INFRASTRUCTURE SERVICES
  10.6. NETWORKING
  10.7. KERNEL
  10.8. FILE SYSTEMS AND STORAGE
  10.9. DYNAMIC PROGRAMMING LANGUAGES, WEB AND DATABASE SERVERS

CHAPTER 11. KNOWN ISSUES
  11.1. INSTALLER AND IMAGE CREATION
  11.2. SECURITY
  11.3. RHEL FOR EDGE
  11.4. SOFTWARE MANAGEMENT
  11.5. SHELLS AND COMMAND-LINE TOOLS
  11.6. INFRASTRUCTURE SERVICES
  11.7. NETWORKING
  11.8. KERNEL
  11.9. FILE SYSTEMS AND STORAGE
  11.10. DYNAMIC PROGRAMMING LANGUAGES, WEB AND DATABASE SERVERS
  11.11. IDENTITY MANAGEMENT
  11.12. DESKTOP
  11.13. GRAPHICS INFRASTRUCTURES
  11.14. THE WEB CONSOLE
  11.15. RED HAT ENTERPRISE LINUX SYSTEM ROLES
  11.16. VIRTUALIZATION
  11.17. RHEL IN CLOUD ENVIRONMENTS
  11.18. SUPPORTABILITY
  11.19. CONTAINERS

APPENDIX A. LIST OF TICKETS BY COMPONENT

APPENDIX B. REVISION HISTORY
PROVIDING FEEDBACK ON RED HAT DOCUMENTATION
4. Enter your suggestion for improvement in the Description field. Include links to the relevant
parts of the documentation.
CHAPTER 1. OVERVIEW
1.1. MAJOR CHANGES IN RHEL 9.4
Installer and image creation
From RHEL 9.4 onwards, you can specify arbitrary custom mount points, except for specific paths that are reserved for the operating system.
You can choose between different partitioning modes, such as auto-lvm, lvm, and raw.
You can customize tailoring options for a profile and add them to your blueprint customizations by using the selected and unselected options to add and remove rules.
For more information, see New features - Installer and image creation.
RHEL for Edge
You can now create FIPS-compliant RHEL for Edge images.
With this Technology Preview, you can now use the FDO onboarding process by storing and querying Owner Vouchers from SQLite or PostgreSQL databases.
Security
The SELinux userspace release 3.6 introduces deny rules for further customizing SELinux policies.
The Keylime server components, the verifier and registrar, are available as containers.
The Rsyslog log processing system introduces customizable TLS/SSL encryption settings and
additional options that relate to capability dropping.
The OpenSSL TLS toolkit adds a drop-in directory for provider-specific configuration files.
The libkcapi library 1.4.0, which provides user-space access to the Linux kernel cryptographic API, introduces new tools and options. Notably, with the new -T option, you can specify target file names in hash-sum calculations.
The stunnel TLS/SSL tunneling service 5.71 changes the behavior of OpenSSL 1.1 and later versions in FIPS mode. Besides this change, version 5.71 provides many new features, such as support for modern PostgreSQL clients.
Dynamic programming languages, web and database servers
Python 3.12
Ruby 3.3
PHP 8.2
nginx 1.24
MariaDB 10.11
PostgreSQL 16
See New features - Dynamic programming languages, web and database servers for more information.
Compilers and development tools
Updated performance tools and debuggers
Valgrind 3.22
SystemTap 5.0
elfutils 0.190
Updated performance monitoring tools
PCP 6.2.0
Updated compiler toolsets
GCC Toolset 13
Go Toolset 1.21.7
For detailed changes, see New features - Compilers and development tools.
Identity Management
Key highlights for Identity Management:
You can enable and configure passwordless authentication in SSSD to use a biometric device
that is compatible with the FIDO2 specification, for example a YubiKey.
Virtualization
RHEL 9.4 introduces full support for KVM virtual machines on the 64-bit ARM architecture.
In addition, external snapshots for virtual machines are now fully supported and have become the default mechanism for a number of snapshot operations.
For more information about virtualization features introduced in this release, see New features -
Virtualization.
Containers
The podman farm build command for creating multi-architecture container images is available
as a Technology Preview.
Podman v4.9 RESTful API now displays data of progress when you pull or push an image to the
registry.
The Container Network Interface (CNI) network stack is deprecated and will be removed in a
future release.
1.2. IN-PLACE UPGRADE
In-place upgrade from RHEL 8 to RHEL 9
The supported in-place upgrade paths currently are:
From RHEL 8.8 to RHEL 9.2, and from RHEL 8.10 to RHEL 9.4, on the following architectures:
64-bit Intel
64-bit AMD
64-bit ARM
From RHEL 8.8 to RHEL 9.2, and from RHEL 8.10 to RHEL 9.4, on systems with SAP HANA
For instructions on performing an in-place upgrade, see Upgrading from RHEL 8 to RHEL 9.
For instructions on performing an in-place upgrade on systems with SAP environments, see How to in-place upgrade SAP environments from RHEL 8 to RHEL 9.
For information regarding how Red Hat supports the in-place upgrade process, see the In-place upgrade Support Policy.
New logic has been implemented to determine the expected states of the systemd services after the upgrade.
Locally stored DNF repositories can now be used for the in-place upgrade.
Issues with performing the in-place upgrade with custom DNF repositories accessed by using
HTTPS have been fixed.
If the /etc/pki/tls/openssl.cnf configuration file has been modified, the file is replaced with the target release's default OpenSSL configuration file during the upgrade to prevent issues after the upgrade. Local changes to this file are therefore not carried over: back them up before upgrading and reapply what you still need afterwards. See the pre-upgrade report for more information.
1.3. RED HAT CUSTOMER PORTAL LABS
Registration Assistant
Kickstart Generator
VNC Configurator
1.4. ADDITIONAL RESOURCES
Information regarding the Red Hat Enterprise Linux life cycle is provided in the Red Hat Enterprise Linux Life Cycle document.
The Package manifest document provides a package listing for RHEL 9, including licenses and
application compatibility levels.
Application compatibility levels are explained in the Red Hat Enterprise Linux 9: Application
Compatibility Guide document.
Major differences between RHEL 8 and RHEL 9, including removed functionality, are documented in
Considerations in adopting RHEL 9 .
Instructions on how to perform an in-place upgrade from RHEL 8 to RHEL 9 are provided by the
document Upgrading from RHEL 8 to RHEL 9 .
The Red Hat Insights service, which enables you to proactively identify, examine, and resolve known
technical issues, is available with all RHEL subscriptions. For instructions on how to install the Red Hat
Insights client and register your system to the service, see the Red Hat Insights Get Started page.
NOTE
Public release notes include links to access the original tracking tickets, but private tracking tickets are not viewable, so they do not include links.
CHAPTER 2. ARCHITECTURES
Red Hat Enterprise Linux 9.4 is distributed with the kernel version 5.14.0-427.13.1, which provides
support for the following architectures at the minimum required version (stated in parentheses):
Make sure you purchase the appropriate subscription for each architecture. For more information, see
Get Started with Red Hat Enterprise Linux - additional architectures .
CHAPTER 3. DISTRIBUTION OF CONTENT IN RHEL 9
3.1. INSTALLATION
Red Hat Enterprise Linux 9 is installed using ISO images. Two types of ISO image are available for the
AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures:
Installation ISO: A full installation image that contains the BaseOS and AppStream repositories
and allows you to complete the installation without additional repositories. On the Product
Downloads page, the Installation ISO is referred to as Binary DVD.
NOTE
The Installation ISO image is several gigabytes in size, and as a result, it might not fit on
optical media. A USB key or USB hard drive is recommended when using
the Installation ISO image to create bootable installation media. You can also use
the Image Builder tool to create customized RHEL images. For more information
about Image Builder, see the Composing a customized RHEL system image
document.
Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This
option requires access to the BaseOS and AppStream repositories to install software packages.
The repositories are part of the Installation ISO image. You can also register to Red Hat CDN or
Satellite during the installation to use the latest BaseOS and AppStream content from Red Hat
CDN or Satellite.
See the Performing a standard RHEL 9 installation document for instructions on downloading ISO
images, creating installation media, and completing a RHEL installation. For automated Kickstart
installations and other advanced topics, see the Performing an advanced RHEL 9 installation document.
3.2. REPOSITORIES
Red Hat Enterprise Linux 9 is distributed through two main repositories:
BaseOS
AppStream
Both repositories are required for a basic RHEL installation, and are available with all RHEL
subscriptions.
Content in the BaseOS repository is intended to provide the core set of the underlying operating
system functionality that provides the foundation for all installations. This content is available in the
RPM format and is subject to support terms similar to those in previous releases of RHEL. For more
information, see the Scope of Coverage Details document.
Content in the AppStream repository includes additional user-space applications, runtime languages,
and databases in support of the varied workloads and use cases.
In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It provides
additional packages for use by developers. Packages included in the CodeReady Linux Builder
repository are unsupported.
For more information about RHEL 9 repositories and the packages they provide, see the Package manifest.
3.3. APPLICATION STREAMS
Application Streams are available in the familiar RPM format, as an extension to the RPM format called modules, as Software Collections, or as Flatpaks.
Each Application Stream component has a given life cycle, either the same as RHEL 9 or shorter. For
RHEL life cycle information, see Red Hat Enterprise Linux Life Cycle .
RHEL 9 improves the Application Streams experience by providing initial Application Stream versions
that can be installed as RPM packages using the traditional dnf install command.
NOTE
Certain initial Application Streams in the RPM format have a shorter life cycle than Red
Hat Enterprise Linux 9.
Some additional Application Stream versions will be distributed as modules with a shorter life cycle in
future minor RHEL 9 releases. Modules are collections of packages representing a logical unit: an
application, a language stack, a database, or a set of tools. These packages are built, tested, and
released together.
Always determine what version of an Application Stream you want to install and make sure to review the
Red Hat Enterprise Linux Application Stream Lifecycle first.
Content that needs rapid updating, such as alternate compilers and container tools, is available in Rolling
Streams that will not provide alternative versions in parallel. Rolling Streams might be packaged as
RPMs or modules.
For information about Application Streams available in RHEL 9 and their application compatibility level,
see the Package manifest. Application compatibility levels are explained in the Red Hat Enterprise Linux
9: Application Compatibility Guide document.
3.4. PACKAGE MANAGEMENT WITH YUM/DNF
Although RHEL 8 and RHEL 9 are based on DNF, they are compatible with YUM used in RHEL 7.
For more information, see Managing software with the DNF tool.
CHAPTER 4. NEW FEATURES
4.1. INSTALLER AND IMAGE CREATION
With the default org.ssgproject.content rule namespace, you can omit the prefix for rules under this namespace. For example, org.ssgproject.content_grub2_password and grub2_password are functionally equivalent.
When you build an image from that blueprint, it creates a tailoring file with a new tailoring profile ID and
saves it to the image as /usr/share/xml/osbuild-oscap-tailoring/tailoring.xml. The new profile ID will
have _osbuild_tailoring appended as a suffix to the base profile. For example, if you use the cis base
profile, xccdf_org.ssgproject.content_profile_cis_osbuild_tailoring.
Jira:RHELDOCS-17792[1]
Bugzilla:1932480[1]
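As an added example (not from the release notes), here is a blueprint fragment that uses the tailoring options described above. The blueprint name, the data stream path, the cis base profile, and the two rule IDs grub2_password and rpm_verify_permissions are illustrative assumptions; verify the rule IDs against the scap-security-guide content installed on the build host.

```toml
# Added example blueprint, not from the release notes. Assumed values: the
# blueprint name, the data stream path, the "cis" base profile and the two
# rule IDs. Check rule IDs against the installed SSG content.
name = "rhel94-cis-tailored"
description = "RHEL 9.4 image hardened with a tailored CIS profile"
version = "0.0.1"

[customizations.openscap]
datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"
profile_id = "xccdf_org.ssgproject.content_profile_cis"

[customizations.openscap.tailoring]
# Short rule IDs under the default org.ssgproject.content namespace.
# selected: force the GRUB 2 password rule on (a no-op if the base profile
# already selects it). unselected: drop the RPM permission-verification rule,
# which a customized image may legitimately fail.
selected = ["grub2_password"]
unselected = ["rpm_verify_permissions"]
```

When you build an image from this blueprint, image builder writes the tailoring file to /usr/share/xml/osbuild-oscap-tailoring/tailoring.xml inside the image under the profile ID xccdf_org.ssgproject.content_profile_cis_osbuild_tailoring. To confirm that the selected and unselected rules actually took effect, evaluate the booted image against its own tailoring file: oscap xccdf eval --tailoring-file /usr/share/xml/osbuild-oscap-tailoring/tailoring.xml --profile xccdf_org.ssgproject.content_profile_cis_osbuild_tailoring /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml (the data stream path on the evaluated system is assumed to match the blueprint). The grub2_password rule should appear in the report and rpm_verify_permissions should not.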
4.2. SECURITY
Keylime verifier and registrar containers available
You can now configure the Keylime server components, the verifier and registrar, as containers. When configured to run inside a container, the Keylime registrar monitors the tenant systems from the container without any Keylime binaries on the host. The container deployment provides better isolation, modularity, and reproducibility of the Keylime components.
Jira:RHELDOCS-16721[1]
libkcapi now provides an option for specifying target file names in hash-sum calculations
This update of the libkcapi (Linux kernel cryptographic API) packages introduces the new option -T for
specifying target file names in hash-sum calculations. The value of this option overrides file names
specified in processed HMAC files. You can use this option only with the -c option, for example:
Jira:RHEL-15298[1]
ANY
Allows both encrypt-then-mac and encrypt-and-mac MACs.
DISABLE_ETM
Disallows encrypt-then-mac MACs.
DISABLE_NON_ETM
Disallows MACs that do not use encrypt-then-mac.
Note that ciphers that use implicit MACs are always allowed because they use authenticated encryption.
Jira:RHEL-15925
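The three values above belong to the system-wide cryptographic policies option that controls Encrypt-then-MAC (EtM) for SSH. The following is an added example, not from the release notes or from the crypto-policies project: a POSIX shell snippet that writes a custom subpolicy module selecting one of these values and then checks the generated OpenSSH back-end file for remaining EtM MACs. The option name etm@SSH, the module name NO-ETM, and the sample MACs lines are assumptions; confirm the option name in the crypto-policies(7) man page on your system.

```shell
#!/bin/sh
# Added example, not from the RHEL release notes or the crypto-policies project.
# ASSUMPTIONS: the option is spelled "etm@SSH" (check crypto-policies(7));
# the module name NO-ETM is arbitrary; the MACs lines used for testing are
# constructed samples, not copied from a real system.

# Accept only the three values documented for the option.
valid_etm_value() {
    case "$1" in
        ANY|DISABLE_ETM|DISABLE_NON_ETM) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a subpolicy module that sets the SSH EtM option.
# Usage: write_etm_module DISABLE_ETM /etc/crypto-policies/policies/modules/NO-ETM.pmod
write_etm_module() {
    etm_value=$1
    etm_path=$2
    if ! valid_etm_value "$etm_value"; then
        echo "write_etm_module: invalid value '$etm_value'" >&2
        return 1
    fi
    printf 'etm@SSH = %s\n' "$etm_value" > "$etm_path"
}

# Activate the module on top of the DEFAULT policy (as root; not run here):
#   update-crypto-policies --set DEFAULT:NO-ETM
# then restart sshd, which includes /etc/crypto-policies/back-ends/openssh.config.

# Return 0 if the MACs line of an OpenSSH crypto-policies back-end file still
# offers an Encrypt-then-MAC algorithm (any *-etm@openssh.com entry), 1 otherwise.
# Usage: etm_macs_listed /etc/crypto-policies/back-ends/openssh.config
etm_macs_listed() {
    grep -iE '^MACs[[:space:]]' "$1" | grep -q -- '-etm@openssh\.com'
}
```

After applying DISABLE_ETM, etm_macs_listed /etc/crypto-policies/back-ends/openssh.config should return non-zero; if it still returns 0, the policy was not regenerated or a later subpolicy re-enabled EtM. Remember that the ciphers using authenticated encryption are unaffected by this option, as the note above states, so the MACs line is the only place to look.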
Jira:RHEL-24462[1]
The SELinux policy now confines the following services:
nvme-stas
rust-afterburn
rust-coreos-installer
bootc
As a result, these services do not run with the unconfined_service_t SELinux label anymore, and run
successfully in SELinux enforcing mode.
Jira:RHEL-12591 [1]
Jira:RHEL-21452
Jira:RHEL-1548
Jira:RHEL-23474[1]
Jira:RHEL-18219
Jira:RHEL-17193
Added the getpolicyload binary that prints the number of policy reloads performed on the
current system.
Jira:RHEL-16233
The gnutls_hkdf_expand function now accepts only output lengths less than or equal to 255 times the hash digest size, to comply with RFC 5869, Section 2.3.
The length limit for TLS PSK usernames has been increased to 65535 characters.
GnuTLS now checks the contents of the Change Cipher Spec message to be equal to 1 when
the TLS version is older than 1.3.
GnuTLS now supports EdDSA key generation on PKCS #11 tokens, which previously did not
work.
Jira:RHEL-14891[1]
The nettle library package has been rebased to 3.9.1. This version provides various bug fixes,
optimizations and enhancements, most notably:
Improved performance of the SHA-256 hash function on 64-bit IBM Z, AMD and Intel 64-bit
architectures
Improved performance of the Poly1305 hash function on IBM Power Systems, Little Endian,
AMD and Intel 64-bit architectures
Jira:RHEL-14890 [1]
The p11-kit packages have been updated to upstream version 0.25.3. The packages contain the p11-kit
tool for managing PKCS #11 modules, the trust tool for operating on the trust policy store, and the p11-
kit library. Notable enhancements include the following:
Added utility commands to list and manage objects of a token (list-tokens, list-
mechanisms, list-objects, import-object, export-object, delete-object, and generate-
keypair)
Jira:RHEL-14834[1]
The libkcapi library, which provides access to the Linux kernel crypto API, has been rebased to upstream
version 1.4.0. The update includes various enhancements and bug fixes, most notably:
Jira:RHEL-5367[1]
Jira:RHEL-5222
Jira:RHEL-2469[1]
The stunnel TLS/SSL tunneling service has been rebased to upstream version 5.71.
You can use the protocolHeader service-level option to insert custom connect protocol
negotiation headers.
You can use the protocolHost option to control the client SMTP protocol negotiation
HELO/EHLO value.
You can now configure session resumption by using the service-level sessionResume option.
Added support to request client certificates in server mode with CApath (previously, only
CAfile was supported).
In client mode, OCSP stapling is requested and verified when verifyChain is set.
Inconclusive OCSP verification breaks TLS negotiation. You can disable this by setting OCSPrequire = no, but note that this makes the client fail open: the connection proceeds even when the certificate's revocation status cannot be established.
Jira:RHEL-2468[1]
libcapng.default
Determines Rsyslog's action when it encounters an error while dropping capabilities. The default value is on, which causes Rsyslog to exit if a libcapng-related error occurs, so a failed privilege drop cannot silently leave the daemon running with its full capability set.
libcapng.enable
Determines whether Rsyslog drops capabilities during startup. If this option is disabled,
libcapng.default has no impact.
Jira:RHEL-943[1]
The Linux Audit system has been updated to version 3.1.2, which provides bug fixes, enhancements, and
performance improvements over the previously released version 3.0.7. Notable enhancements include:
You can use the new keyword this-hour in the start and end options of the ausearch and
aureport tools.
Support for the io_uring asynchronous I/O API has been added.
User-friendly keywords for signals have been added to the auditctl program.
The Python binding has been changed to prevent setting Audit rules from the Python API. This change was made due to a bug in the Simplified Wrapper and Interface Generator (SWIG).
Jira:RHEL-14896[1]
Jira:RHEL-937, Jira:RHEL-943
The PCI DSS profile is aligned with the PCI DSS policy version 4.0.
STIG profiles are aligned with the latest DISA STIG policies.
For additional information, see the SCAP Security Guide release notes .
Jira:RHEL-21425
You can enable FIPS mode for the following RHEL for Edge image types:
edge-installer
edge-simplified-installer
edge-raw-image
edge-ami
edge-vsphere
IMPORTANT
You can enable FIPS mode only during the image provisioning process. You cannot
change to FIPS mode after the non-FIPS image build starts.
Jira:RHELDOCS-17263[1]
Added support for the AES-XTS key type by using the CPACF protected keys.
Added support for importing and exporting the Edwards and Montgomery keys.
For security reasons, the two key halves of an AES-XTS key must not be identical. This update adds checks to the key generation and import process to enforce this.
Jira:RHEL-11412 [1]
The synce4l package has been updated to version 1.0.0. This update adds support for the kernel Digital Phase Locked Loop (DPLL) interface.
Jira:RHEL-10089[1]
The chrony suite has been updated to version 4.5. Notable changes include:
Added support for the AES-GCM-SIV cipher to shorten Network Time Security (NTS) cookies
to improve reliability of NTS over the internet, where some providers block or limit the rate of
longer Network Time Protocol (NTP) messages.
Added periodic refresh of the IP addresses of NTP sources specified by hostname. The default interval is two weeks, and you can disable the refresh by adding the refresh 0 directive to the chrony.conf file.
Added the hwtstimeout directive to configure timeout for late hardware transmit timestamps.
Added experimental support for corrections provided by Precision Time Protocol (PTP)
transparent clocks to reach accuracy of PTP with hardware timestamping.
Fixed reloading of modified sources specified by IP address from the sourcedir directories.
Jira:RHEL-6522
The linuxptp package has been updated to version 4.2. Notable changes include:
Added support for notifications on clock updates and changes in the Precision Time Protocol
(PTP) parent dataset, for example, clock class.
Added support for PTP Power Profile, namely IEEE C37.238-2011 and IEEE C37.238-2017.
Jira:RHEL-2026
4.6. NETWORKING
The nft utility can now reset nftables rule-contained states
With this enhancement, you can use the nft reset command to reset nftables rule-contained states. For
example, use this feature to reset counter and quota statement values.
Jira:RHEL-5980[1]
Jira:RHEL-9308[1]
NetworkManager now supports configuring the switchdev mode for advanced hardware
offload
With this enhancement, you can configure the following new properties in NetworkManager connection
profiles:
sriov.eswitch-mode
sriov.eswitch-inline-mode
sriov.eswitch-encap-mode
With these properties, you can configure the eSwitch of smart network interface controllers (Smart
NICs). For example, use the sriov.eswitch-mode setting to change the mode from legacy SR-IOV to
switchdev to use advanced hardware offload features.
Jira:RHEL-1441
Jira:RHEL-1471[1]
1. Create a YAML file, for example, new.yml with the configuration that you want to apply.
2. Create a revert configuration file that contains the differences between intended settings in
new.yml and the current state:
4. If you want now to switch back to the previous state, apply revert.yml.
Alternatively, you can use the NetworkState::generate_revert(current) call if you use the Nmstate API
to create a revert configuration.
Jira:RHEL-1434
Jira:RHEL-1605
With this update, you can set the priority of bond ports in the nmstate framework by using the priority
property in the ports-config section of the configuration file. An example YAML file can look as follows:
---
interfaces:
- name: bond99
  type: bond
  state: up
  link-aggregation:
    mode: active-backup
    ports-config:
    - name: eth2
      priority: 15
When an active port within the bonded interface is down, the RHEL kernel elects the next active port
that has the highest numerical value in the priority property from the pool of all backup ports.
The priority property is relevant for the following modes of the bond interface:
active-backup
balance-tlb
balance-alb
Jira:RHEL-1438[1]
Jira:RHEL-16470
With this update, you can configure the following VLAN properties in the nmstate framework:
registration-protocol: VLAN Registration Protocol. The valid values are gvrp (GARP VLAN Registration Protocol), mvrp (Multiple VLAN Registration Protocol), and none.
reorder-headers: reordering of output packet headers. The valid values are true and false.
loose-binding: loose binding of the interface to the operating state of its primary device. The valid values are true and false.
Your YAML configuration file can look similar to the following example:
---
interfaces:
- name: eth1.101
  type: vlan
  state: up
  vlan:
    base-iface: eth1
    id: 101
    registration-protocol: mvrp
    loose-binding: true
    reorder-headers: true
Jira:RHEL-19142
If the client-identifier option is not set in NetworkManager, then the actual value depends on the type
of DHCP clients in use, such as NetworkManager internal DHCP client or dhclient. Generally, DHCP
clients send a client-identifier. Therefore, in almost all cases, you do not need to set the none option. As
a result, this option is only useful in case of some unusual DHCP server configurations that require
clients to not send a client-identifier.
Jira:RHEL-1469
With this update, users of the nmstate framework can configure MACsec interfaces to protect their communication on Layer 2 of the Open Systems Interconnection (OSI) model. As a result, services on that link do not need their own Layer 7 encryption, and you avoid associated challenges such as managing large numbers of certificates for each endpoint. Note that MACsec secures an Ethernet link hop by hop: traffic forwarded beyond that link, for example across a router, is not protected by it.
Jira:RHEL-1420
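As an added example (not from the release notes or the nmstate project), an nmstate YAML declaration for a MACsec interface on top of eth1. The interface name macsec0, the IP address, and the keys under the macsec section follow the nmstate MACsec schema as I understand it and are assumptions to check against the nmstatectl documentation on your system; the mka-cak and mka-ckn values are constructed placeholders, not real keys.

```yaml
# Added example, not from the release notes or nmstate. Interface names, the
# address and the keys under "macsec" are assumptions to verify against the
# nmstate MACsec schema; mka-cak/mka-ckn are constructed placeholders.
# Generate real values with: openssl rand -hex 16 (CAK), openssl rand -hex 32 (CKN).
---
interfaces:
- name: macsec0
  type: macsec
  state: up
  macsec:
    encrypt: true            # confidentiality as well as integrity
    base-iface: eth1
    mka-cak: 0123456789abcdef0123456789abcdef
    mka-ckn: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    port: 0
    validation: strict       # drop frames that fail integrity validation
    send-sci: true
  ipv4:
    enabled: true
    address:
    - ip: 192.0.2.10
      prefix-length: 24
```

Apply it with nmstatectl apply macsec.yml. The CAK is a pre-shared secret that every peer on the link must hold, so treat the YAML file like a key file: keep it readable only by root, share the CAK with the peer out of band rather than over the link it is meant to protect, and delete the file once the profile is applied, because nmstate stores the configuration in a NetworkManager profile anyway.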
netfilter update
The kernel package has been upgraded to version 5.14.0-405 in RHEL 9. As a result, the rebase also
provided multiple enhancements and bug fixes in the netfilter component of the RHEL kernel. The most
notable change includes:
The nftables subsystem is able to match various inner header fields of the tunnel packets. This
enables more granular and effective control over network traffic, especially in environments
where tunneling protocols are used.
Jira:RHEL-16630[1]
The firewalld service does not remove all existing rules from the iptables configuration if both following
conditions are met:
This change aims at reducing unnecessary operations (firewall rules flushes) and improves integration
with other software.
Jira:RHEL-427 [1]
Jira:RHEL-21223 [1]
Jira:RHEL-1425
Jira:RHEL-5736[1]
Notable features:
The ip6tables opt-in column is now aligned even when empty, which helps when piping output to jc --iptables
Numeric protocol numbers are printed with --numeric for a more stable output
Notable fixes:
The ebtables among match no longer breaks when it is used in multiple rules restored through ebtables-restore
The program no longer crashes when renaming a chain, which depended on the number of chains already present
Stricter checking of "chain lines" in iptables-restore input detects invalid chain names
Jira:RHEL-14147
The nftables utility has been upgraded to version 1.0.9, which provides multiple bug fixes and
enhancements. Notable changes include:
A new last statement records the time at which it last saw a packet
Jira:RHEL-14191
The firewalld package has been upgraded to version 1.3, which provides multiple bug fixes and
enhancements. Notable changes include:
New reset-to-defaults CLI option: This option resets configuration of the firewalld service to
defaults. This allows users to erase firewalld configuration and start over with the default
settings.
Enable the --add-masquerade CLI option for policies with ingress-zone=ZONE, where ZONE
has interfaces assigned with the --add-interface CLI option. This removes a restriction and
enables usage of interfaces (instead of sources) in common scenarios.
Jira:RHEL-14485
4.7. KERNEL
Kernel version in RHEL 9.4
Red Hat Enterprise Linux 9.4 is distributed with the kernel version 5.14.0-427.13.1.
rteval now supports adding and removing arbitrary CPUs from the default measurement
CPU list
With the rteval utility, you can add (using the + sign) or subtract (using the - sign) CPUs from the default
measurement CPU list when using the --measurement-cpulist parameter, instead of having to specify
an entire new list. Additionally, --measurement-run-on-isolcpus is introduced for adding the set of all
isolated CPUs to the default measurement CPU list. This option covers the most common use case of a
real-time application running on isolated CPUs. Other use cases require a more generic feature. For
example, some real-time applications use one isolated CPU for housekeeping, which must therefore be
excluded from the default measurement CPU list. As a result, you can now not only add but also remove
arbitrary CPUs from the default measurement CPU list in a flexible way. Removing takes precedence
over adding. This rule applies both to CPUs specified with the + and - signs and to those defined with
--measurement-run-on-isolcpus.
Jira:RHEL-9912 [1]
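The precedence rule above (removals win over additions, whatever their origin) is easy to get wrong when several edits and the isolated-CPU set are combined. The following is an added example, not rteval's own code, that models the rule in Python. The command-line grammar it parses is an assumption made for illustration: a comma-separated list of CPUs or ranges in which an item prefixed with + starts a run of additions, an item prefixed with - starts a run of removals, and an unprefixed first item means the list replaces the default outright; --measurement-run-on-isolcpus is modelled by passing the isolated CPU set as an argument.

```python
"""Model of how +/- edits to rteval's --measurement-cpulist change the
default measurement CPU list. Added example, not rteval's own code; the
command-line grammar below is assumed for illustration."""

from typing import Iterable, Optional, Set


def expand_cpulist(spec: str) -> Set[int]:
    """Expand a kernel-style CPU list such as '0,2-4,7' into a set of ints."""
    cpus: Set[int] = set()
    for item in spec.split(','):
        item = item.strip()
        if not item:
            continue
        if '-' in item:
            lo, hi = (int(x) for x in item.split('-', 1))
            if lo > hi:
                raise ValueError(f'bad CPU range {item!r}')
            cpus.update(range(lo, hi + 1))
        else:
            cpus.add(int(item))
    return cpus


def apply_measurement_cpulist(default_cpus: Iterable[int], spec: str,
                              isolcpus: Iterable[int] = (),
                              run_on_isolcpus: bool = False) -> Set[int]:
    """Return the effective measurement CPU set.

    spec uses the assumed grammar: '+4,5' adds CPUs 4 and 5, '-2' removes
    CPU 2, '+4-6,-5' adds 4..6 and then removes 5, and '1-2' (no sign)
    replaces the default list. isolcpus is only merged in when
    run_on_isolcpus is True, mirroring --measurement-run-on-isolcpus.
    """
    added: Set[int] = set()
    removed: Set[int] = set()
    replacement: Optional[Set[int]] = None
    mode: Optional[str] = None  # None until the first item; then 'abs', '+' or '-'
    for item in spec.split(','):
        item = item.strip()
        if not item:
            continue
        if item[0] in '+-':
            if mode == 'abs':
                raise ValueError('cannot mix an absolute CPU list with +/- edits')
            mode, item = item[0], item[1:]
        elif mode is None:
            mode = 'abs'
        cpus = expand_cpulist(item)
        if mode == '+':
            added |= cpus
        elif mode == '-':
            removed |= cpus
        else:
            replacement = (replacement if replacement is not None else set()) | cpus
    base = replacement if replacement is not None else set(default_cpus)
    if run_on_isolcpus:
        added |= set(isolcpus)
    # Removal takes precedence over addition, whichever way a CPU was added,
    # including CPUs that came in through the isolated set.
    return (base | added) - removed


if __name__ == '__main__':
    # Housekeeping CPU 4 is isolated but must not be measured.
    print(sorted(apply_measurement_cpulist(range(4), '-4',
                                           isolcpus={4, 5, 6},
                                           run_on_isolcpus=True)))
```

The last call shows the housekeeping case from the text: CPUs 4 to 6 are isolated and pulled in by the isolcpus flag, but the explicit -4 still wins, so only 5 and 6 join the default list.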
The rtla utility has been upgraded to the latest upstream version, which provides multiple bug fixes and
enhancements. Notable changes include:
Added the -C option to specify additional control groups for rtla threads to run in, apart from
the main rtla thread.
Added the --house-keeping option to place rtla threads on a housekeeping CPU and to put
measurement threads on different CPUs.
Added support to the timerlat tracer so that you can run timerlat hist and timerlat top threads
in user space.
Jira:RHEL-10079[1]
With this release, the cyclicdeadline utility supports generating a histogram of latencies. You can use
this feature to get more insight into the frequency of latency spikes of different sizes, rather than
getting just one worst-case number.
Jira:RHEL-9910[1]
The RHEL kernel provides the SGX version 1 and 2 functionality. Version 1 enables platforms using the
Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic
Memory Management (EDMM). Notable features include:
Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave.
In this release, SGX moves from Technology Preview to a fully supported feature.
Bugzilla:2041883[1]
In this release, IDXD moves from a Technology Preview to a fully supported feature.
Jira:RHEL-10097[1]
The eBPF facility has been rebased to Linux kernel version 6.6
Notable changes and enhancements include:
New dynamic pointers (dynptrs) of the skb and xdp type, which enable for more ergonomic
and less brittle iteration through data and variable-sized accesses in BPF programs.
A new BPF netfilter program type and minimal support to hook BPF programs to netfilter
hooks, such as prerouting or forward.
New reference-counted local kptrs useful for adding a node to both the BPF list and
rbtree.
At load time, BPF programs can detect whether a particular kfunc exists or not.
Several new kfuncs for working with dynptrs, cgroups, sockets, and cpumasks.
New BPF links for attaching multiple uprobes and usdt probes, which is significantly faster and
saves extra file descriptors (FDs).
The BPF map element count is enabled for all program types.
The memory usage reporting for all BPF map types is more precise.
Jira:RHEL-10691[1]
Jira:RHEL-16325 [1]
This release adds DEP/NX support in the GRUB and shim boot loaders. This can prevent certain
vulnerabilities during the pre-boot stage, such as a malicious EFI driver that might start certain attacks
without the DEP/NX protection.
Jira:RHEL-10288[1]
Jira:RHEL-12898
Jira:RHEL-8357
Previously, the multipathd command would only monitor Fabric Performance Impact Notification Link
Integrity (FPIN-Li) events on SCSI devices. multipathd could listen for Link Integrity events sent by
a Fibre Channel fabric and use them to mark paths as marginal. This feature was only supported for
multipath devices on top of SCSI devices, and multipathd was unable to mark Non-volatile Memory
Express (NVMe) device paths as marginal, which limited the use of this feature.
With this update, multipathd supports detecting FPIN-Li events for both SCSI and NVMe devices. As a
result, while other paths are available, multipath no longer uses paths without a good fabric
connection. This helps to avoid I/O delays in such situations.
Jira:RHEL-6678
This enhancement adds the max_retries option to the defaults section of the multipath.conf file. By
default, this option is unset and the SCSI layer's default value of 5 retries is used. The valid values for
this option are from 0 to 5. When this option is set, it overrides the default value of the max_retries sysfs
attribute for SCSI devices. This attribute controls the number of times the SCSI layer retries I/O
commands before returning failure when it encounters certain error types.
If users encounter an issue where multipath's path checkers return success but I/O to a device is
hanging, they can set this option to decrease the time before the I/O is retried down another path.
Jira:RHEL-1729[1]
Previously, to resize a multipath device, you had to manually run the multipathd resize map <name>
command. With this update, the auto_resize option is now added to the defaults section of the
multipath.conf file. This option controls when the multipathd command can automatically resize a
multipath device. The following are the different values for auto_resize:
By default, auto_resize is set to never. In this case, multipathd works without any change.
If auto_resize is set to grow_only, multipathd automatically resizes the multipath device when
the device’s paths have grown in size.
As a result, when this option is enabled, you no longer need to manually resize your multipath devices.
Jira:RHEL-986[1]
for SCSI. A change in the multipath.conf is required for a RHEL host to use this feature and send only
I/O to ANA optimized paths when available. Without this change, device mapper was sending I/O to
both ANA optimized and ANA non-optimized paths.
NOTE
This change is only for NVMeoFC. FCP multipath.conf content already had this setting
for supporting ALUA previously.
Jira:RHEL-1830
The stratis-cli package has been upgraded to version 3.6.0. Notable bug fixes and enhancements
include:
The stratis-cli command-line interface supports an additional option to set the file system size
limit on creation. The set-size-limit and unset-size-limit are two new file system commands,
which set or unset the file system size limit after a file system has been created.
stratis-cli now incorporates password verification when it is used to set a key in the kernel
keyring by using a manual entry.
stratis-cli now supports specifying a pool either by name or by UUID when stopping a pool.
stratis-cli also gets updates with various internal improvements, and now requires at least
Python 3.9 in its package configuration.
Jira:RHEL-2265[1]
The boom package has been upgraded to version 3.6.0. Notable enhancements include:
Support for multi-volume snapshot boot syntax supported by the systemd command.
The new --mount and --no-fstab options are added to specify additional volumes to mount at
the boot entry.
Jira:RHEL-16813
Jira:RHEL-1492 [1]
The pcs command-line interface now allows you to specify values for Pacemaker time properties
according to the ISO 8601 duration specification standard.
Jira:RHEL-7672
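As an added example, not pcs or Pacemaker code, the following Python converts between ISO 8601 durations of the kind mentioned above and plain seconds, so that a value such as PT1M30S can be sanity-checked before it is handed to a cluster property. It assumes the common P[nW][nD][T[nH][nM][nS]] subset; the year and month designators are rejected on purpose because their length depends on the calendar, and whether Pacemaker accepts them is not something this page states.

```python
"""Convert ISO 8601 durations to seconds and back. Added example, not pcs
or Pacemaker code; only the P[nW][nD][T[nH][nM][nS]] subset is assumed."""

import re

# Each designator is optional, but the order is fixed by the standard.
_DURATION_RE = re.compile(
    r'^P'
    r'(?:(?P<weeks>\d+(?:\.\d+)?)W)?'
    r'(?:(?P<days>\d+(?:\.\d+)?)D)?'
    r'(?:T'
    r'(?:(?P<hours>\d+(?:\.\d+)?)H)?'
    r'(?:(?P<minutes>\d+(?:\.\d+)?)M)?'
    r'(?:(?P<seconds>\d+(?:\.\d+)?)S)?'
    r')?$'
)

_UNIT_SECONDS = {
    'weeks': 7 * 86400,
    'days': 86400,
    'hours': 3600,
    'minutes': 60,
    'seconds': 1,
}


def iso8601_duration_to_seconds(text: str) -> float:
    """Parse 'PT1M30S' -> 90.0; raise ValueError for anything outside the subset."""
    text = text.strip()
    match = _DURATION_RE.match(text)
    # 'P', 'PT' and 'P1DT' match the regex but carry no (complete) value.
    if not match or not any(match.groupdict().values()) or text.endswith('T'):
        raise ValueError(f'unsupported ISO 8601 duration: {text!r}')
    return sum(float(value) * _UNIT_SECONDS[name]
               for name, value in match.groupdict().items() if value)


def seconds_to_iso8601(seconds: float) -> str:
    """Render seconds as a normalized duration, e.g. 93600 -> 'P1DT2H'."""
    if seconds < 0:
        raise ValueError('duration must not be negative')
    whole = int(seconds)
    frac = seconds - whole
    days, rem = divmod(whole, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    secs = secs + frac
    out = 'P'
    if days:
        out += f'{days}D'
    time_part = ''
    if hours:
        time_part += f'{hours}H'
    if minutes:
        time_part += f'{minutes}M'
    # Always emit a seconds field for a zero duration so the result is valid.
    if secs or not (days or hours or minutes):
        time_part += f'{secs:g}S'
    if time_part:
        out += 'T' + time_part
    return out


if __name__ == '__main__':
    for value in ('PT1M30S', 'P1DT2H', 'P2W'):
        print(value, '=', iso8601_duration_to_seconds(value), 'seconds')
```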
Displaying cluster status that shows the age of the cluster status and when the cluster state is
being reloaded
Jira:RHEL-7582, Jira:RHEL-7739
Jira:RHEL-7724
Python introduces a new type statement and new type parameter syntax for generic classes and
functions.
Formatted string literals (f-strings) have been formalized in the grammar and can now be
integrated into the parser directly.
You can now use the buffer protocol from Python code.
To improve security, the built-in hashlib implementations of the SHA1, SHA3, SHA2-384,
SHA2-512, and MD5 cryptographic algorithms have been replaced with formally verified code
from the HACL* project. The built-in implementations remain available as fallback if OpenSSL
does not provide them.
Dictionary, list, and set comprehensions in CPython are now inlined. This significantly increases
the speed of a comprehension execution.
Python 3.12 and packages built for it can be installed in parallel with Python 3.9 and Python 3.11 on the
same system.
$ python3.12
$ python3.12 -m pip --help
For information about the length of support of Python 3.12, see Red Hat Enterprise Linux Application
Streams Life Cycle.
Jira:RHEL-14941
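The hashlib note above says the HACL* code is only a fallback when OpenSSL does not provide an algorithm, which is worth checking on a given interpreter. The following added example, not CPython's or Red Hat's code, reports which backend serves each of the listed algorithms and confirms its digest against a published test vector. It relies on a CPython implementation detail that is an assumption here: OpenSSL-backed hash objects are instances of a class from the _hashlib module, while the built-in fallbacks come from modules such as _md5, _sha1, _sha2 or _sha3.

```python
"""Report the backend behind each hashlib algorithm and check it against a
known-answer vector. Added example, not CPython's or Red Hat's code; the
module-name test is an assumed CPython implementation detail."""

import hashlib

# Published test vectors for the message b"abc" (RFC 1321 for MD5,
# FIPS 180 for SHA-1 and SHA-256).
KNOWN_ABC = {
    'md5': '900150983cd24fb0d6963f7d28e17f72',
    'sha1': 'a9993e364706816aba3e25717850c26c9cd0d89d',
    'sha256': 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad',
}


def hash_backend(name: str) -> str:
    """Return 'openssl' if the object comes from _hashlib, else 'builtin'."""
    # usedforsecurity=False: these are test vectors, not security use, so the
    # call also works on a FIPS-configured host where MD5 is otherwise blocked.
    obj = hashlib.new(name, usedforsecurity=False)
    return 'openssl' if type(obj).__module__ == '_hashlib' else 'builtin'


def verify_vector(name: str) -> bool:
    """True when the digest of b'abc' matches the published value."""
    digest = hashlib.new(name, b'abc', usedforsecurity=False).hexdigest()
    return digest == KNOWN_ABC[name]


def report() -> dict:
    """Map each algorithm to (backend, vector_ok)."""
    return {name: (hash_backend(name), verify_vector(name)) for name in KNOWN_ABC}


if __name__ == '__main__':
    for name, (backend, ok) in report().items():
        print(f'{name:7} backend={backend:8} vector_ok={ok}')
```

On a RHEL system with the OpenSSL-linked build, every row is expected to show the openssl backend; a builtin row is not a defect, but it tells you the HACL* fallback is in use for that algorithm.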
export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true
However, individual calls to the affected functions can still enable stricter behavior.
You can achieve the same result by creating the /etc/python/email.cfg configuration file with the
following content:
[email_addr_parsing]
PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing
stricter parsing of email addresses in Python.
Jira:RHELDOCS-17369[1]
You can use the new Prism parser instead of Ripper. Prism is a portable, error tolerant, and
maintainable recursive descent parser for the Ruby language.
YJIT, the Ruby just-in-time (JIT) compiler implementation, is no longer experimental and it
provides major performance improvements.
The Regexp matching algorithm has been improved to reduce the impact of potential Regular
Expression Denial of Service (ReDoS) vulnerabilities.
The new experimental RJIT (a pure-Ruby JIT) compiler replaces MJIT. Use YJIT in production.
You must now use the Lrama LALR parser generator instead of Bison.
The Racc gem has been promoted from a default gem to a bundled gem.
If you want to upgrade from an earlier ruby module stream, see Switching to a later stream .
For information about the length of support of Ruby 3.3, see Red Hat Enterprise Linux Application
Streams Life Cycle.
Jira:RHEL-17089[1]
Readonly classes
Constraints in traits
If you want to upgrade from the php:8.1 stream, see Switching to a later stream .
For details regarding PHP usage on RHEL 9, see Using the PHP scripting language.
For information about the length of support for the php module streams, see the Red Hat Enterprise
Linux Application Streams Life Cycle.
Jira:RHEL-14699[1]
The name() method of the perl-DateTime-TimeZone module now returns the time zone name
The perl-DateTime-TimeZone module has been updated to version 2.62, which changed the value that
is returned by the name() method from the time zone alias to the main time zone name.
For more information and an example, see the Knowledgebase article Change in the perl-DateTime-
TimeZone API related to time zone name and alias.
Jira:RHEL-35685
Encryption keys are now automatically rotated for TLS session tickets when using shared
memory in the ssl_session_cache directive.
Memory usage has been optimized in configurations with Secure Sockets Layer (SSL) proxy.
You can now disable looking up IPv4 addresses while resolving by using the ipv4=off parameter
of the resolver directive.
nginx now supports the $proxy_protocol_tlv_* variables, which store the values of the Type-
Length-Value (TLV) fields that appear in the PROXY v2 TLV protocol.
Other changes:
Header lines are now represented as linked lists in the internal API.
nginx now concatenates identically named header strings passed to the FastCGI, SCGI, and
uwsgi back ends in the $r->header_in() method of the ngx_http_perl_module, and during
lookups of the $http_..., $sent_http_..., $sent_trailer_..., $upstream_http_..., and
$upstream_trailer_... variables.
nginx now displays a warning if protocol parameters of a listening socket are redefined.
nginx now closes connections with lingering if pipelining was used by the client.
The logging level of various SSL errors has been lowered, for example, from Critical to
Informational.
For information about the length of support for the nginx module streams, see the Red Hat Enterprise
Linux Application Streams Life Cycle.
Jira:RHEL-14713[1]
Support for the Secure Socket Layer (SSL) protocol version 3; the MariaDB server now requires
correctly configured SSL to start.
Support for the natural sort order through the natural_sort_key() function.
systemd socket activation files available in the /usr/share/ directory. Note that they are not a
part of the default configuration in RHEL as opposed to upstream.
For MariaDB and MySQL clients, the connection property specified on the command line (for
example, --port=3306), now forces the protocol type of communication between the client and
the server, such as tcp, socket, pipe, or memory.
For more information about changes in MariaDB 10.11, see Notable differences between MariaDB 10.5
and MariaDB 10.11.
If you want to upgrade from MariaDB 10.5, see Upgrading from MariaDB 10.5 to MariaDB 10.11 .
For information about the length of support for the mariadb module streams, see Red Hat Enterprise
Linux Application Streams Life Cycle.
Jira:RHEL-3638
The libpq library now supports connection-level load balancing. You can use the new
load_balance_hosts option for more efficient load balancing.
You can now create custom configuration files and include them in the pg_hba.conf and
pg_ident.conf files.
PostgreSQL now supports regular expression matching on database and role entries in the
pg_hba.conf file.
PostgreSQL is no longer distributed with the postmaster binary. Users who start the
postgresql server by using the provided systemd unit file (the systemctl start postgres
command) are not affected by this change. If you previously started the postgresql server
directly through the postmaster binary, you must now use the postgres binary instead.
PostgreSQL no longer provides documentation in PDF format within the package. Use the
online documentation instead.
If you want to upgrade from an earlier postgresql stream within RHEL 9, follow the procedure described
in Switching to a later stream and then migrate your PostgreSQL data as described in Migrating to a
RHEL 9 version of PostgreSQL.
For information about the length of support for the postgresql module streams, see the Red Hat
Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-3635
You can now use the new --source option with the git check-attr command to read the
.gitattributes file from the provided tree-ish object instead of the current working directory.
Git can now pass information from the WWW-Authenticate response-type header to credential
helpers.
In case of an empty commit, the git format-patch command now writes an output file
containing a header of the commit instead of creating an empty file.
You can now use the git blame --contents=<file> <revision> -- <path> command to find the
origins of lines starting at <file> contents through the history that leads to <revision>.
The git log --format command now accepts the %(decorate) placeholder for further
customization to extend the capabilities provided by the --decorate option.
Jira:RHEL-17100[1]
The git lfs push command can now read references and object IDs from standard input.
Git LFS now supports the WWW-Authenticate response-type header as a credential helper.
Jira:RHEL-17101[1]
Clang changes:
Improved code generation for the std::move function and similar in unoptimized builds.
For more information, see the LLVM and Clang upstream release notes.
Jira:RHEL-9283
Jira:RHEL-12963
Jira:RHEL-11871 [1]
Jira:RHEL-9346
The elfutils package has been updated to version 0.190. Notable improvements include:
The eu-readelf utility now supports a new -Ds, --use-dynamic --symbol option to show
symbols through the dynamic segment without using ELF sections.
A new eu-scrlines utility compiles a list of source files associated with a specified DWARF or
ELF file.
A debuginfod server schema has changed for a 60% compression in file name representation
(this requires reindexing).
Jira:RHEL-12489
The systemtap package has been updated to version 5.0. Notable enhancements include:
Jira:RHEL-12488
The GCC compiler has been updated to version 13.2.1, which provides many bug fixes and
enhancements that are available in upstream GCC.
binutils now support AMD CPUs based on the znver5 core through the -march=znver5
compiler switch.
The annobin plugin for GCC now defaults to using a more compressed format for the notes
that it stores in object files, resulting in smaller object files and faster link times, especially in
large, complex programs.
The following tools and versions are provided by GCC Toolset 13:
Tool Version
GCC 13.2.1
GDB 12.1
binutils 2.40
dwz 0.14
annobin 12.32
To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools:
For more information, see GCC Toolset 13 and Using GCC Toolset .
Jira:RHEL-23798[1]
Compiling with GCC and the -fstack-protector flag no longer fails to guard dynamic stack
allocations on 64-bit ARM
Previously, on the 64-bit ARM architecture, the system GCC compiler with the -fstack-protector flag
failed to detect a buffer overflow in functions containing a C99 variable-length array or an alloca()-
allocated object. Consequently, an attacker could overwrite saved registers on the stack. With this
update, the buffer overflow detection on 64-bit ARM has been fixed. As a result, applications compiled
with the system GCC are more secure.
Jira:RHEL-17638[1]
GCC Toolset 13: Compiling with GCC and the -fstack-protector flag no longer fails to guard
dynamic stack allocations on 64-bit ARM
Previously, on the 64-bit ARM architecture, the GCC compiler with the -fstack-protector flag failed to
detect a buffer overflow in functions containing a C99 variable-length array or an alloca()-allocated
object. Consequently, an attacker could overwrite saved registers on the stack. With this update, the
buffer overflow detection on 64-bit ARM has been fixed. As a result, applications compiled with GCC are
more secure.
Jira:RHEL-16998
The pcp package has been updated to version 6.2.0. Notable improvements include:
New tools:
pmlogredact
pcp-buddyinfo
pcp-meminfo
pcp-netstat
pcp-slabinfo
pcp-zoneinfo
Jira:RHEL-2317 [1]
Jira:RHEL-7505
With this enhancement, you can access performance monitoring hardware using papi events presets on
the following processor microarchitectures:
AMD Zen 4
Jira:RHEL-13046[1]
Jira:RHEL-17567
The cmake package has been updated to version 3.26. Notable improvements include:
cmake can now query the /etc/os-release file for operating system identification information.
Added support for Perl 5 in the Simplified Wrapper and Interface Generator (SWIG) tool.
Jira:RHEL-7393
The valgrind package has been updated to version 3.22. Notable improvements include:
valgrind memcheck now checks that the values given to the C functions memalign,
posix_memalign, and aligned_alloc, and the C++17 aligned new operator are valid alignment
values.
valgrind memcheck now supports mismatch detection for C++14 sized and C++17 aligned new
and delete operators.
Added support for lazy reading of DWARF debugging information, resulting in faster startup
when debuginfo packages are installed.
Jira:RHEL-12490
Added support for suppressing harmless change reports related to flexible array data members.
Improved support for suppressing harmless change reports about enum types.
Jira:RHEL-12491
Jira:RHELDOCS-17841[1]
The ansible-freeipa ipauser and ipagroup modules now support a new renamed state
With this update, you can use the renamed state in the ansible-freeipa ipauser module to change the user
name of an existing IdM user. You can also use this state in the ansible-freeipa ipagroup module to change
the group name of an existing IdM group.
Jira:RHEL-4962
Identity Management users can now use external identity providers to authenticate to IdM
With this enhancement, you can now associate Identity Management (IdM) users with external identity
providers (IdPs) that support the OAuth 2 device authorization flow. Examples of such IdPs include
Red Hat build of Keycloak, Microsoft Entra ID (formerly Azure Active Directory), GitHub, and Google.
If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable an IdM user to
authenticate at the external IdP. After performing authentication and authorization at the external IdP,
the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with
the SSSD version available in RHEL 9.1 or later.
Jira:RHELPLAN-169666[1]
The ipa package has been updated from version 4.10 to 4.11. Notable changes include:
The installation of an IdM replica now occurs against a chosen server, not only for Kerberos
authentication but also for all IPA API and CA requests.
The ansible-freeipa package has been rebased from version 1.11 to 1.12.1.
The ipa-healthcheck package has been rebased from version 0.12 to 0.16.
Jira:RHEL-11652
Jira:SSSD-6216
IdM now supports the idoverrideuser, idoverridegroup and idview Ansible modules
With this update, the ansible-freeipa package now contains the following modules:
idoverrideuser
Allows you to override user attributes for users stored in the Identity Management (IdM) LDAP
server, for example, the user login name, home directory, certificate, or SSH keys.
idoverridegroup
Allows you to override attributes for groups stored in the IdM LDAP server, for example, the name of
the group, its GID, or description.
idview
Allows you to organize user and group ID overrides and apply them to specific IdM hosts.
In the future, you will be able to use these modules to enable AD users to use smart cards to log in to
IdM.
Jira:RHEL-16934
The idp Ansible module allows associating IdM users with external IdPs
With this update, you can use the idp ansible-freeipa module to associate Identity Management (IdM)
users with external identity providers (IdP) that support the OAuth 2 device authorization flow. If an IdP
reference and an associated IdP user ID exist in IdM, you can use them to enable IdP authentication for
an IdM user.
After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos
ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in
RHEL 8.7 or later.
Jira:RHEL-16939
getcert add-ca returns a new return code if a certificate is already present or tracked
With this update, the getcert command returns a specific return code, 2, if you try to add or track a
certificate that is already present or tracked. Previously, the command returned return code 1 on any
error condition.
Jira:RHEL-22302
Jira:RHEL-19134
To enforce OTP usage for all LDAP clients, administrators can use the following command:
To change back to the previous OTP behavior for all LDAP clients, use the following command:
Jira:RHEL-23377[1]
Jira:RHEL-19130
The 389-ds-base package has been updated to version 2.4.5. Notable bug fixes and enhancements over
version 2.3.4 include:
https://www.port389.org/docs/389ds/releases/release-2-3-5.html
https://www.port389.org/docs/389ds/releases/release-2-3-6.html
https://www.port389.org/docs/389ds/releases/release-2-3-7.html
https://www.port389.org/docs/389ds/releases/release-2-4-0.html
https://www.port389.org/docs/389ds/releases/release-2-4-1.html
https://www.port389.org/docs/389ds/releases/release-2-4-2.html
https://www.port389.org/docs/389ds/releases/release-2-4-3.html
https://www.port389.org/docs/389ds/releases/release-2-4-4.html
https://www.port389.org/docs/389ds/releases/release-2-4-5.html
Jira:RHEL-15907
Transparent Huge Pages are now disabled by default for the ns-slapd process
When large database caches are used, Transparent Huge Pages (THP) can have a negative effect on
Directory Server performance under heavy load, for example, a high memory footprint, high CPU usage
and latency spikes. With this enhancement, a new THP_DISABLE=1 configuration option was added to
the /usr/lib/systemd/system/dirsrv@.service.d/custom.conf drop-in configuration file for the dirsrv
systemd unit to disable THP for the ns-slapd process.
In addition, the Directory Server health check tool now detects the THP settings. If you enabled THP
system-wide and for the Directory Server instance, the health check tool informs you about the enabled
THP and prints recommendations on how to disable it.
Jira:RHEL-5142
The new lastLoginHistSize configuration attribute is now available for the Account Policy
plug-in
Previously, when a user did a successful bind, only the time of the last login was available. With this
update, you can use the new lastLoginHistSize configuration attribute to manage a history of
successful logins. By default, the last five successful logins are saved.
Note that for the lastLoginHistSize attribute to collect statistics of successful logins, you must enable
the alwaysRecordLogin attribute for the Account Policy plug-in.
Jira:RHEL-5133[1]
The new notes=M message in the access log to identify MFA binds
With this update, when you configure the two-factor authentication for user accounts by using a pre-
bind authentication plug-in, such as MFA plug-in, the Directory Server log files record the following
messages during BIND operations:
Note that for the access and security logs to record such messages, the pre-bind authentication plug-in
must set the flag by using the SLAPI API if a bind was part of this plug-in.
Jira:RHELDOCS-17838[1]
Note that for performance reasons, you must index the member, manager, parentOrganization, and
memberof attributes if the client application performs searches against these attributes by using the
inchainMatch matching rule.
Directory Server uses the In Chain plug-in that is enabled by default to implement the inchainMatch
matching rule. However, because inchainMatch is expensive to compute, an access control instruction
(ACI) limits the matching rule usage.
For more details, refer to Using inchainMatch matching rule to find the ancestry of an LDAP entry .
Jira:RHELDOCS-17256[1]
If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the
following message to the error log file:
Jira:RHEL-5130
The samba packages have been upgraded to upstream version 4.19.4, which provides bug fixes and
enhancements over the previous version. The most notable changes are:
Command-line options in the smbget utility have been renamed and removed for a consistent
user experience. However, this can break existing scripts or jobs that use the utility. See the
smbget --help command and smbget(1) man page for further details about the new options.
If the winbind debug traceid option is enabled, the winbind service now logs, additionally, the
following fields:
Samba no longer uses its own cryptography implementations and, instead, now fully uses
cryptographic functionality provided by the GnuTLS library.
Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11
and will be removed in a future release.
Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start,
Samba automatically updates its tdb database files. Red Hat does not support downgrading tdb
database files.
After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.
Jira:RHEL-16476
Users can use existing tools and scripts even if the IdM API is enhanced to enable multiple versions of
API commands. These enhancements do not change the behavior of a command in an incompatible way.
This has the following benefits:
Administrators can use previous or later versions of IdM on the server than on the managing
client.
Developers can use a specific version of an IdM call, even if the IdM version changes on the
server.
Communication with the server is possible regardless of whether one side uses, for example, a newer
version that introduces new options for a feature.
NOTE
While IdM API provides a JSON-RPC interface, this type of access is not supported. Red Hat
recommends accessing the API with Python instead. Using Python automates important parts such
as the metadata retrieval from the server, which allows listing all available commands.
Bugzilla:1513934
Jira:RHELDOCS-17060[1]
The Storage section of the web console is now redesigned. The new design improved visibility across all
views. The overview page now presents all storage objects in a comprehensive table, which makes it
easier to perform operations directly. You can click any row to view detailed information and any
supplementary actions. Additionally, you can now resize partitions from the Storage section.
Jira:RHELDOCS-17056[1]
At a specified interval (optional configuration); by default, the AD provider updates the DNS
record every 24 hours.
You can change these and other settings using the new variables in ad_integration. For example, you
can set ad_dyndns_refresh_interval to 172800 to change the DNS record refresh interval to 48 hours.
For more details regarding the role variables, see the resources in the /usr/share/doc/rhel-system-roles/ad_integration/ directory.
Jira:RHELDOCS-17372 [1]
The Storage RHEL system roles now support shared LVM device management
The RHEL system roles now support the creation and management of shared logical volumes and
volume groups.
Jira:RHEL-1535
Jira:RHEL-16342
CHAPTER 4. NEW FEATURES
Using the rhc_insights.remediation parameter has no impact on RHEL 7 systems as the Insights
Remediation feature is currently not available on RHEL 7.
Jira:RHEL-16976
Jira:RHEL-16542
Jira:RHEL-16552
The Nmstate API and the network RHEL system role now support new route types
With this enhancement, you can use the following route types with the Nmstate API and the network
RHEL system role:
blackhole
prohibit
unreachable
Jira:RHEL-19579[1]
The ad_integration RHEL system role now supports custom SSSD domain configuration
settings
Previously, when using the ad_integration RHEL system role, it was not possible to add custom settings
to the domain configuration section in the sssd.conf file using the role. With this enhancement, the
ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD
settings.
Jira:RHEL-17668
The ad_integration RHEL system role now supports custom SSSD settings
Previously, when using the ad_integration RHEL system role, it was not possible to add custom settings
to the [sssd] section in the sssd.conf file using the role. With this enhancement, the ad_integration
role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings.
Jira:RHEL-21133
Jira:RHEL-16964
Jira:RHEL-16541
Jira:RHEL-15932
The logging role supports general queue and general action parameters in output modules
Previously, it was not possible to configure general queue parameters and general action parameters
with the logging role. With this update, the logging RHEL system role supports configuration of general
queue parameters and general action parameters in output modules.
Jira:RHEL-15439
For more information about this system role, see Installing and configuring PostgreSQL by using the
postgresql RHEL system role.
Jira:RHEL-18962
Similarly, existing file systems can be removed using the same approach by ensuring that the safe mode
is disabled.
Jira:RHEL-16212
Enablement of the repositories containing resilient storage packages, such as dlm or gfs2. A
Resilient Storage subscription is needed to access the repository.
Configuration of fencing levels, allowing a cluster to use multiple devices to fence nodes.
For information about the parameters you configure to implement these features, see Configuring a
high-availability cluster by using the ha_cluster RHEL system role.
In the journald RHEL system role, the journald_forward_to_syslog variable controls whether the
received messages should be forwarded to the traditional syslog daemon or not. The default value of
this variable is false. With this enhancement, you can now configure the ForwardToSyslog flag by
setting journald_forward_to_syslog to true in the inventory. As a result, when using remote logging
systems such as Splunk, the logs are available in the /var/log files.
Jira:RHEL-21117
Jira:RHEL-16974
Jira:RHEL-19091
Jira:RHEL-5972
Previously, even though the rsyslog_max_message_size parameter was not supported, the logging
RHEL system role was using rsyslog_max_message_size instead of using the
logging_max_message_size parameter. This enhancement ensures that
logging_max_message_size is used and not rsyslog_max_message_size to set the maximum size
for the log messages.
Jira:RHEL-15037
Previously, in the logging RHEL system role, when the ratelimit_interval variable was not set, the role
would use the ratelimit_burst variable to set the rsyslog ratelimit.burst setting. But it had no effect
because it is also required to set ratelimit_interval.
With this enhancement, if ratelimit_interval is not set, the role does not set ratelimit.burst. If you want
to set ratelimit.burst, you must set both ratelimit_interval and ratelimit_burst variables.
Jira:RHEL-19046
With this release, the selinux RHEL system role prints an error message when you specify a non-existent
module in the selinux_modules.path variable.
Jira:RHEL-19043
With this update, the selinux RHEL system role supports configuring SELinux ports, file contexts, and
boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios
before you enable SELinux to permissive or enforcing mode on a system.
Jira:RHEL-15870
The metrics RHEL system role now supports configuring PMIE webhooks
With this update, you can automatically configure the global webhook_endpoint PMIE variable using
the metrics_webhook_endpoint variable for the metrics RHEL system role. This enables you to
provide a custom URL for your environment that receives messages about important performance
events, and is typically used with external tools such as Event-Driven Ansible.
Jira:RHEL-13760
Jira:RHEL-16336
4.16. VIRTUALIZATION
Virtualization is now supported on ARM 64
This update introduces support for creating KVM virtual machines on systems that use ARM 64 (also
known as AArch64) CPUs. Note, however, that certain virtualization features and functionalities that are
available on AMD64 and Intel 64 systems might work differently or be unsupported on ARM 64.
For details, see How virtualization on ARM 64 differs from AMD 64 and Intel 64.
Jira:RHEL-14097
VM snapshots that are fully supported. External snapshots work more reliably both in the command-line
interface and in the RHEL web console. This also applies to snapshots of running VMs, known as live
snapshots.
Note, however, that some commands and utilities might still create internal snapshots. To verify that
your snapshot is fully supported, ensure that it is configured as external. For example:
Jira:RHEL-7528
It is recommended to use this feature on high-speed networks (20 Gbps and higher).
Jira:RHELDOCS-16970[1]
Jira:RHEL-13004[1], Jira:RHEL-7100
By assigning a cryptographic coprocessor as a mediated device to a Secure Execution VM, you can now
use hardware encryption without compromising the security of the VM.
Jira:RHEL-11597 [1]
Jira:RHEL-7568
Add an SSH public key during virtual machine (VM) creation. This public key will be stored in the
~/.ssh/authorized_keys file of the designated non-root user on the newly created VM, which
provides you with immediate SSH access to the specified user account.
Select a pre-formatted block device type when creating a new storage pool. This is a more
robust alternative to a physical disk device type, as it prevents unintentional reformatting of a
raw disk device.
This update also changes some default behavior in the Virtual Machines page:
In the Add disk dialog, the Always attach option is now set by default.
The Create snapshot action now uses an external snapshot instead of an internal snapshot,
which is deprecated in RHEL 9. External snapshots are more reliable and also work for raw
images, not just for qcow2 images. You can also select a memory snapshot file location if you
want to retain the memory state of the running VM.
Jira:RHELDOCS-17000 [1]
With this update, RHEL 9 introduces support for the virtio-mem feature on AMD64 and Intel 64
systems. With virtio-mem, you can dynamically add or remove host memory in virtual machines (VMs).
For more information on virtio-mem, see Adding and removing virtual machine memory by using virtio-mem.
Jira:RHELDOCS-17053[1]
You can now replace SPICE with VNC in the web console
With this update, you can use the web console to replace the SPICE remote display protocol with the
VNC protocol in an existing virtual machine (VM).
Because the support for the SPICE protocol has been removed in RHEL 9, VMs that use the SPICE
protocol fail to start on a RHEL 9 host. For example, RHEL 8 VMs use SPICE by default, so you must
switch from SPICE to VNC for a successful migration to RHEL 9.
Jira:RHEL-17434
Jira:RHEL-7416
Jira:RHEL-7478
protocol to connect to Instance Metadata Service (IMDS). As a result, you can configure RHEL
instances with cloud-init on EC2 with a dual-stack IPv4 and IPv6 connection. In addition, you can launch
EC2 instances of RHEL with cloud-init in an IPv6-only subnet.
Jira:RHEL-7278
Jira:RHEL-7311[1]
4.18. CONTAINERS
Podman now supports containers.conf modules
You can use Podman modules to load a predetermined set of configurations. Podman modules are
containers.conf files in the TOML format.
You can load the modules on-demand with the podman --module <your_module_name> command to
override the system and user configuration files. Working with modules involves the following facts:
You can specify modules multiple times by using the --module option.
If <your_module_name> is the absolute path, the configuration file will be loaded directly.
The relative paths are resolved relative to the three module directories mentioned previously.
Jira:RHELPLAN-167829[1]
You can now use Podman to load the modules on-demand by using the podman --module
<your_module_name> command and to override the system and user configuration files.
A new podman farm command with the create, set, remove, and update subcommands has been
added. With these commands, you can farm out builds to machines running podman for different
architectures.
A new podman-compose command has been added, which runs Compose workloads by using
an external compose provider such as Docker Compose.
The podman build command now supports the --layer-label and --cw options.
The podman generate systemd command is deprecated. Use Quadlet to run containers and
pods under systemd.
The podman build command now supports Containerfiles with the HereDoc syntax.
The podman kube play command now supports a new --publish-all option. Use this option to
expose all containerPorts on the host.
For more information about notable changes, see upstream release notes.
Jira:RHELPLAN-167796[1]
Jira:RHELPLAN-167823[1]
Jira:RHELDOCS-16241[1]
If you have explicitly configured the database backend by using the database_backend option in the
containers.conf file, then Podman will continue to use the specified backend.
Jira:RHELPLAN-168180[1]
Jira:RHELDOCS-16955[1]
You can use the multi-line HereDoc instructions (Here Document notation) in the Containerfile file to
simplify this file and reduce the number of image layers caused by performing multiple RUN directives.
For example, the original Containerfile can contain the following RUN directives:
Instead of multiple RUN directives, you can use the HereDoc notation:
RUN <<EOF
dnf -y update
dnf -y install golang
dnf -y install java
EOF
Jira:RHELPLAN-168185[1]
Jira:RHELPLAN-167396[1]
CHAPTER 5. IMPORTANT CHANGES TO EXTERNAL KERNEL PARAMETERS
accept_memory=
[MM]
Values:
lazy (default)
By default, unaccepted memory is accepted lazily to avoid prolonged boot times. The lazy option
adds some runtime overhead until all memory is eventually accepted. In most cases, the overhead is
negligible.
eager
For some workloads or for debugging purposes, you can use accept_memory=eager to accept all
memory at once during boot.
arm64.nomops
[ARM64]
cgroup_favordynmods=
[KNL]
Values:
true
false
early_page_ext
[KNL]
Enforces page_ext initialization to earlier stages to cover more early boot allocations.
Note that, as a side effect, some optimizations might be disabled to achieve that: for example, parallelized
memory initialization is disabled. Therefore, the boot process might take longer, especially on systems
with a lot of memory.
fw_devlink.sync_state=
[KNL]
When all devices that could probe have finished probing, this parameter controls what to do with devices
that have not yet received their sync_state() calls.
Values:
strict (default)
Continue waiting on consumers to probe successfully.
timeout
Give up waiting on consumers and call sync_state() on any devices that have not yet received their
sync_state() calls after deferred_probe_timeout has expired or by late_initcall() if
CONFIG_MODULES is false.
ia32_emulation=
[X86-64]
Values:
true
Allows loading 32-bit programs and executing 32-bit syscalls, essentially overriding
IA32_EMULATION_DEFAULT_DISABLED at boot time.
false
Unconditionally disables IA32 emulation.
kunit.enable=
[KUNIT]
mtrr=debug
[X86]
rcupdate.rcu_cpu_stall_cputime=
[KNL]
Provide statistics on the CPU time and count of interrupts and tasks during the sampling period. For
multiple continuous RCU stalls, all sampling periods begin at half of the first RCU stall timeout.
rcupdate.rcu_exp_stall_task_details=
[KNL]
Print stack dumps of any tasks blocking the current expedited RCU grace period during an expedited
RCU CPU stall warning.
spec_rstack_overflow=
[X86]
Values:
off
Disable mitigation
microcode
Enable only microcode mitigation.
safe-ret (default)
Enable software-only safe RET mitigation.
ibpb
Enable mitigation by issuing IBPB on kernel entry.
ibpb-vmexit
Issue IBPB only on VMEXIT. This mitigation is specific to cloud environments.
workqueue.unbound_cpus=
[KNL,SMP]
amd_iommu=
[HW, X86-64]
Values:
fullflush
Deprecated, equivalent to iommu.strict=1.
off
Do not initialize any AMD IOMMU found in the system.
force_isolation
Force device isolation for all devices. The IOMMU driver is not allowed anymore to lift isolation
requirements as needed. This option does not override iommu=pt.
force_enable
Force enable the IOMMU on platforms known to be buggy with IOMMU enabled. Use this option with
care.
New: pgtbl_v1 (default)
Use version 1 page table for DMA-API.
New: pgtbl_v2
nosmt
[KNL, PPC, S390]
nosmt=force
Force disable SMT. Cannot be undone using the sysfs control file.
page_reporting.page_reporting_order=
[KNL]
Value: integer.
tsc=
Disable clocksource stability checks for TSC.
Values:
[x86] reliable
Mark the tsc clocksource as reliable. This disables clocksource verification at runtime, and the stability
checks done at bootup. Used to enable high-resolution timer mode on older hardware, and in
virtualized environments.
[x86] noirqtime
Do not use TSC to do irq accounting. Used to disable IRQ_TIME_ACCOUNTING at run time on any
platforms where RDTSC is slow and this accounting might add overhead.
[x86] unstable
Mark the TSC clocksource as unstable. This marks the TSC unconditionally unstable at bootup and
avoids any further wobbles once the TSC watchdog notices.
[x86] nowatchdog
Disable clocksource watchdog. Used in situations with strict latency requirements, where
interruptions from clocksource watchdog are not acceptable.
[x86] recalibrate
Force recalibration against a HW timer (HPET or PM timer) on systems whose TSC frequency was
obtained from HW or FW using either an MSR or CPUID(0x15). Warn if the difference is more than
500 ppm.
New: [x86] watchdog
Use TSC as the watchdog clocksource with which to check other HW timers (HPET or PM timer), but
only on systems where TSC has been deemed trustworthy.
An earlier tsc=nowatchdog suppresses this. A later tsc=nowatchdog overrides this. A console
message flags any such suppression or overriding.
usbcore.authorized_default=
[USB]
Values:
New: -1 (default)
Authorized (same as 1).
0
Not authorized.
1
Authorized.
2
Authorized if the device connects to an internal port.
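The following is an added example for this chapter, not code from the release notes or from Red Hat: a small validator that checks a kernel command line against the value sets documented above for accept_memory, cgroup_favordynmods, fw_devlink.sync_state, ia32_emulation, spec_rstack_overflow, amd_iommu, nosmt, tsc and usbcore.authorized_default, and applies the ordering rule stated for tsc=watchdog (an earlier tsc=nowatchdog suppresses it, a later one overrides it). Reading /proc/cmdline for a live check and the list of settings it flags as weakening a mitigation or a runtime check are the example's own choices.

```python
"""Validate a kernel command line against the option value sets documented
above.  Added example for this page; not Red Hat's code.  It knows only the
options and values listed in this chapter, so anything else passes through
unchecked."""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Documented value sets, copied from the parameter descriptions above.
DOCUMENTED: dict[str, set[str]] = {
    "accept_memory": {"lazy", "eager"},
    "cgroup_favordynmods": {"true", "false"},
    "fw_devlink.sync_state": {"strict", "timeout"},
    "ia32_emulation": {"true", "false"},
    "spec_rstack_overflow": {"off", "microcode", "safe-ret", "ibpb", "ibpb-vmexit"},
    "amd_iommu": {"fullflush", "off", "force_isolation", "force_enable",
                  "pgtbl_v1", "pgtbl_v2"},
    "usbcore.authorized_default": {"-1", "0", "1", "2"},
    "tsc": {"reliable", "noirqtime", "unstable", "nowatchdog", "recalibrate",
            "watchdog"},
    "nosmt": {"force"},          # bare "nosmt" (no value) is also valid
}

# Settings a defender would want called out: the example's own selection,
# with the reason taken from the descriptions in this chapter.
RISKY: dict[tuple[str, str], str] = {
    ("spec_rstack_overflow", "off"): "spec_rstack_overflow mitigation disabled",
    ("ia32_emulation", "true"): "32-bit syscalls enabled (IA32 emulation)",
    ("amd_iommu", "off"): "no AMD IOMMU is initialized",
    ("amd_iommu", "fullflush"): "deprecated; equivalent to iommu.strict=1",
    ("tsc", "reliable"): "runtime clocksource verification disabled",
    ("tsc", "nowatchdog"): "clocksource watchdog disabled",
}


@dataclass
class Report:
    errors: list[str] = field(default_factory=list)    # undocumented values
    warnings: list[str] = field(default_factory=list)  # risky or overridden
    tsc_watchdog: bool | None = None  # effective tsc watchdog state; None = not set


def validate_cmdline(cmdline: str) -> Report:
    """Check every key=value token; unknown keys are left alone."""
    rep = Report()
    saw_nowatchdog = False
    for tok in shlex.split(cmdline):
        key, sep, value = tok.partition("=")
        if key == "nosmt" and not sep:        # plain "nosmt" needs no value
            continue
        if key not in DOCUMENTED:
            continue
        for val in value.split(","):
            if val not in DOCUMENTED[key]:
                rep.errors.append(f"{tok}: not a documented value for {key} "
                                  f"(expected one of {sorted(DOCUMENTED[key])})")
                continue
            if (key, val) in RISKY:
                rep.warnings.append(f"{key}={val}: {RISKY[key, val]}")
            if key == "tsc":
                # Ordering rule from the tsc=watchdog description: an earlier
                # nowatchdog suppresses watchdog, a later one overrides it.
                if val == "nowatchdog":
                    if rep.tsc_watchdog:
                        rep.warnings.append("tsc=nowatchdog overrides an earlier tsc=watchdog")
                    saw_nowatchdog = True
                    rep.tsc_watchdog = False
                elif val == "watchdog":
                    if saw_nowatchdog:
                        rep.warnings.append("tsc=watchdog suppressed by an earlier tsc=nowatchdog")
                    else:
                        rep.tsc_watchdog = True
    return rep


def validate_running_kernel(path: str = "/proc/cmdline") -> Report:
    """Check the booted kernel; the path is the usual procfs location."""
    with open(path, encoding="utf-8") as fh:
        return validate_cmdline(fh.read())


if __name__ == "__main__":
    # Constructed sample command line, not captured from a real system.
    sample = ("BOOT_IMAGE=(hd0,gpt2)/vmlinuz ro quiet spec_rstack_overflow=off "
              "tsc=nowatchdog tsc=watchdog usbcore.authorized_default=2 ia32_emulation=maybe")
    report = validate_cmdline(sample)
    for line in report.errors:
        print("ERROR:", line)
    for line in report.warnings:
        print("WARN: ", line)
    print("effective tsc watchdog:", report.tsc_watchdog)
```

A typo such as ia32_emulation=maybe is reported as an error, while documented but mitigation-weakening settings such as spec_rstack_overflow=off come back as warnings; the two lists are kept separate so a configuration check can fail the build on the first and only report the second.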
sysfs.deprecated
io_uring_group
Values:
1
A process must either be privileged (CAP_SYS_ADMIN) or be in the io_uring_group group to
create an io_uring instance.
-1 (default)
Only processes with the CAP_SYS_ADMIN capability can create io_uring instances.
numa_balancing_promote_rate_limit_MBps
Too high promotion or demotion throughput between different memory types might hurt application
latency. You can use this parameter to rate-limit the promotion throughput. The per-node maximum
promotion throughput in MB/s is limited to be no more than the set value.
A rule of thumb is to set this to less than 1/10 of the PMEM node write bandwidth.
io_uring_disabled
Prevents all processes from creating new io_uring instances. Enabling this shrinks the attack surface of
the kernel.
Values:
New: 0
All processes can create io_uring instances as normal.
New: 1
io_uring creation is disabled for unprivileged processes not in the io_uring_group group.
io_uring_setup() fails with -EPERM. Existing io_uring instances can still be used.
See the documentation for io_uring_group for more information.
New: 2 (default)
io_uring creation is disabled for all processes. io_uring_setup() always fails with -EPERM. Existing
io_uring instances can still be used.
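The following is an added example for the io_uring_group and io_uring_disabled descriptions above, not code from the release notes or from Red Hat. It parses the two sysctls as printed by sysctl(8) and evaluates, for a process with given group membership and CAP_SYS_ADMIN status, whether the documented policy lets it create an io_uring instance. The sample sysctl output is constructed, and the defaults used for missing keys are the ones stated above (io_uring_disabled 2, io_uring_group -1).

```python
"""Evaluate the io_uring creation policy set by the kernel.io_uring_disabled and
kernel.io_uring_group sysctls described above.  Added example for this page,
not Red Hat's code.  Values and defaults are the ones documented above."""
from __future__ import annotations

import re
from typing import Iterable

NO_GROUP = -1          # io_uring_group default: no helper group configured
DEFAULTS = {"kernel.io_uring_disabled": 2, "kernel.io_uring_group": NO_GROUP}

_LINE = re.compile(r"^\s*(kernel\.io_uring_(?:disabled|group))\s*=\s*(-?\d+)\s*$")


def parse_sysctl(text: str) -> dict[str, int]:
    """Parse 'key = value' lines as printed by sysctl(8); other lines are ignored."""
    values = dict(DEFAULTS)
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def io_uring_allowed(disabled: int, group: int, has_cap_sys_admin: bool,
                     gids: Iterable[int]) -> bool:
    """True if a process with these attributes may call io_uring_setup()."""
    if disabled == 2:                       # disabled for everyone, even root
        return False
    if disabled == 0:                       # no restriction
        return True
    if disabled == 1:                       # privileged or helper-group members
        if has_cap_sys_admin:
            return True
        return group != NO_GROUP and group in set(gids)
    raise ValueError(f"unexpected kernel.io_uring_disabled value {disabled}")


def describe_policy(values: dict[str, int]) -> str:
    """One-line summary of who can create io_uring instances."""
    disabled = values["kernel.io_uring_disabled"]
    group = values["kernel.io_uring_group"]
    if disabled == 2:
        return "io_uring_setup() fails with -EPERM for all processes"
    if disabled == 0:
        return "any process can create io_uring instances"
    if group == NO_GROUP:
        return "only CAP_SYS_ADMIN processes can create io_uring instances"
    return f"CAP_SYS_ADMIN processes and members of gid {group} can create io_uring instances"


# Constructed sample of `sysctl kernel.io_uring_disabled kernel.io_uring_group`
# output; not captured from a real host.
SAMPLE_SYSCTL = """\
kernel.io_uring_disabled = 1
kernel.io_uring_group = 1001
"""

if __name__ == "__main__":
    policy = parse_sysctl(SAMPLE_SYSCTL)
    print(describe_policy(policy))
    for gids in ([1000], [1000, 1001]):
        ok = io_uring_allowed(policy["kernel.io_uring_disabled"],
                              policy["kernel.io_uring_group"], False, gids)
        print(f"unprivileged process with gids {gids}: {'allowed' if ok else 'denied'}")
```

On a live host, feed the output of `sysctl kernel.io_uring_disabled kernel.io_uring_group` to parse_sysctl and os.getgroups() to io_uring_allowed to see what the current process can do; the default of 2 is the most restrictive setting, so any host where the summary is not the -EPERM line has had the policy relaxed deliberately.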
CHAPTER 6. DEVICE DRIVERS
IAA Compression Accelerator Crypto Driver: iaa_crypto (AMD and Intel 64-bit architectures)
CAN bus driver for Bosch M_CAN controller on PCI bus: m_can_pci (IBM Power Systems, AMD and Intel 64-bit architectures)
CAN bus driver for Bosch M_CAN controller: m_can (IBM Power Systems, AMD and Intel 64-bit architectures)
CAN driver for 8 devices USB2CAN interfaces: usb_8dev (IBM Power Systems, AMD and Intel 64-bit architectures)
CAN driver for EMS Dr. Thomas Wuensche CAN/USB interfaces: ems_usb (IBM Power Systems, AMD and Intel 64-bit architectures)
CAN driver for Kvaser CAN/USB devices: kvaser_usb (IBM Power Systems, AMD and Intel 64-bit architectures)
CAN driver for PEAK-System USB adapters: peak_usb (IBM Power Systems, AMD and Intel 64-bit architectures)
Intel® Infrastructure Data Path Function Linux Driver: idpf (64-bit ARM architecture, IBM Power Systems, AMD and Intel 64-bit architectures)
Marvell Octeon EndPoint NIC Driver: octeon_ep (64-bit ARM architecture, IBM Power Systems, AMD and Intel 64-bit architectures)
Microchip MCP251xFD Family CAN controller driver: mcp251xfd (AMD and Intel 64-bit architectures)
NXP imx8 DWMAC Specific Glue layer: dwmac-imx (64-bit ARM architecture)
Realtek 802.11ax wireless 8852C driver: rtw89_8852c (64-bit ARM architecture, AMD and Intel 64-bit architectures)
Realtek 802.11ax wireless 8852CE driver: rtw89_8852ce (64-bit ARM architecture, AMD and Intel 64-bit architectures)
serial line CAN interface: slcan (IBM Power Systems, AMD and Intel 64-bit architectures)
Socket-CAN driver for PEAK PCAN PCIe/M.2 FD family cards: peak_pciefd (IBM Power Systems, AMD and Intel 64-bit architectures)
AMD HSMP Platform Interface Driver - 2.0: amd_hsmp (AMD and Intel 64-bit architectures)
AMD Platform Management Framework Driver: amd-pmf (AMD and Intel 64-bit architectures)
Intel Uncore Frequency Common Module: intel-uncore-frequency-common (AMD and Intel 64-bit architectures)
Intel Uncore Frequency Limits Driver: intel-uncore-frequency (AMD and Intel 64-bit architectures)
Intel WMI Thunderbolt force power driver: intel-wmi-thunderbolt (AMD and Intel 64-bit architectures)
SDHCI platform driver for Synopsys DWC MSHC: sdhci-of-dwcmshc (64-bit ARM architecture)
Provide Trusted Security Module attestation reports via configfs: tsm (AMD and Intel 64-bit architectures)
Driver for Microchip Smart Family Controller: smartpqi 2.1.24-046 (64-bit ARM architecture, IBM Power Systems, AMD and Intel 64-bit architectures)
Emulex LightPulse Fibre Channel SCSI driver: lpfc 0:14.2.0.16 (64-bit ARM architecture, IBM Power Systems, AMD and Intel 64-bit architectures)
CHAPTER 7. AVAILABLE BPF FEATURES
This chapter contains automatically generated output of the bpftool feature command.
Option Value
CONFIG_BPF y
CONFIG_BPF_SYSCALL y
CONFIG_HAVE_EBPF_JIT y
CONFIG_BPF_JIT y
CONFIG_BPF_JIT_ALWAYS_ON y
CONFIG_DEBUG_INFO_BTF y
CONFIG_DEBUG_INFO_BTF_MODULES y
CONFIG_CGROUPS y
CONFIG_CGROUP_BPF y
CONFIG_CGROUP_NET_CLASSID y
CONFIG_SOCK_CGROUP_DATA y
CONFIG_BPF_EVENTS y
CONFIG_KPROBE_EVENTS y
CONFIG_UPROBE_EVENTS y
CONFIG_TRACING y
CONFIG_FTRACE_SYSCALLS y
CONFIG_FUNCTION_ERROR_INJECTION y
CONFIG_BPF_KPROBE_OVERRIDE n
CONFIG_NET y
CONFIG_XDP_SOCKETS y
CONFIG_LWTUNNEL_BPF y
CONFIG_NET_ACT_BPF m
CONFIG_NET_CLS_BPF m
CONFIG_NET_CLS_ACT y
CONFIG_NET_SCH_INGRESS m
CONFIG_XFRM y
CONFIG_IP_ROUTE_CLASSID y
CONFIG_IPV6_SEG6_BPF y
CONFIG_BPF_LIRC_MODE2 n
CONFIG_BPF_STREAM_PARSER y
CONFIG_NETFILTER_XT_MATCH_BPF m
CONFIG_BPFILTER n
CONFIG_BPFILTER_UMH n
CONFIG_TEST_BPF m
CONFIG_HZ 1000
tracing
struct_ops
ext
lsm
hash yes
array yes
prog_array yes
perf_event_array yes
percpu_hash yes
percpu_array yes
stack_trace yes
cgroup_array yes
lru_hash yes
lru_percpu_hash yes
lpm_trie yes
array_of_maps yes
hash_of_maps yes
devmap yes
sockmap yes
cpumap yes
xskmap yes
sockhash yes
cgroup_storage yes
reuseport_sockarray yes
percpu_cgroup_storage yes
queue yes
stack yes
sk_storage yes
devmap_hash yes
struct_ops yes
ringbuf yes
inode_storage yes
task_storage yes
bloom_filter yes
user_ringbuf yes
cgrp_storage yes
CHAPTER 8. BUG FIXES
Jira:RHEL-11384[1]
The list of valid time zones was previously taken from pytz.common_timezones in the pytz Python
library. This update changes the validation settings for the timezone Kickstart command to use
pytz.all_timezones, which is a superset of the common_timezones list, and allows significantly more
time zones to be specified. This change ensures that old Kickstart files made for Red Hat Enterprise
Linux 6 still specify valid time zones.
Note: This change only applies to the timezone Kickstart command. The time zone selection in the
graphical and text-based interactive interfaces remains unchanged. Existing Kickstart files for Red Hat
Enterprise Linux 9 that had valid time zone selections do not require any updates.
Jira:RHEL-13150[1]
The installer now correctly creates a bond device with multiple ports and a BOOTIF option
Previously, the installation program created incorrect connection profiles when the installation was
booted with a bond network device with multiple ports along with the BOOTIF boot option.
Consequently, the device used by the BOOTIF option was not added to the bond device even though it was
configured as one of its ports.
With this update, the installation program now correctly creates profiles in initramfs when the BOOTIF
boot option is used. As a result, all the specified ports are now added to the bond device on the installed
system.
Jira:RHEL-4766
Anaconda replaces the misleading error message when failing to boot an installation image
Previously, when the installation program failed to boot the installation image, for example due to
missing source of stage2 specified in inst.stage2 or inst.repo, Anaconda displayed the following
misleading error message:
With this update, Anaconda issues a proper warning message to minimize the confusion.
Jira:RHEL-5638
Jira:RHEL-7999
8.2. SECURITY
Libreswan accepts IPv6 SAN extensions
Previously, the IPsec connection failed when setting up certificate-based authentication with a certificate
that contained a subjectAltName (SAN) extension with an IPv6 address. With this update, the pluto
daemon has been modified to accept an IPv6 SAN as well as an IPv4 one. As a result, the IPsec connection is now
correctly established with the IPv6 address embedded in the certificate as an ID.
Jira:RHEL-12278
Rules for managing virtual routing with ip vrf are added to the SELinux policy
You can use the ip vrf command to manage virtual routing of other network services. Previously,
selinux-policy did not contain rules to support this usage. With this update, SELinux policy rules allow
explicit transitions from the ip domain to the httpd, sshd, and named domains. These transitions apply
when the ip command uses the setexeccon library call.
Jira:RHEL-14246[1]
SELinux policy denies SSH login for unconfined users when unconfined_login is set to off
Previously, the SELinux policy was missing a rule denying unconfined users login via SSH when the
unconfined_login boolean was set to off. As a consequence, with unconfined_login set to off, users
could still log in through sshd to an unconfined domain. This update adds a rule to the SELinux policy, and
as a result, users cannot log in via sshd as unconfined when unconfined_login is off.
Jira:RHEL-1551
Jira:RHEL-11174
Jira:RHEL-10087
Previously, SELinux did not assign a private type for the /var/run/tmpfiles.d/static-nodes.conf file.
As a consequence, the kmod utility might fail to work in the SELinux multi-level security (MLS) policy.
This update adds the kmod_var_run_t label for /var/run/tmpfiles.d/static-nodes.conf to the SELinux
policy, and as a result, kmod runs successfully in the SELinux MLS policy.
Jira:RHEL-1553
Previously, the SELinux policy did not assign a private type for the /usr/libexec/selinux/selinux-autorelabel
utility. As a consequence, selinux-autorelabel.service might fail to work in the SELinux
multi-level security (MLS) policy. This update adds the semanage_exec_t label to
/usr/libexec/selinux/selinux-autorelabel, and as a result, selinux-autorelabel.service runs
successfully in the SELinux MLS policy.
Jira:RHEL-14289
Previously, the SELinux policy did not contain the /bin = /usr/bin file context equivalency rule. As a
consequence, the restorecond daemon did not work correctly. This update adds the missing rule to the
policy, and as a result, restorecond works correctly in SELinux enforcing mode.
IMPORTANT
This change overrides any local policy modules which use file context specification for a pattern in
/bin.
Jira:RHEL-5032
Jira:RHEL-15432
Jira:RHEL-19051[1]
Previously, the omprog module of Rsyslog could not execute certain external programs, especially
programs that contain privileged commands. As a consequence, the use of scripts that involve
privileged commands through omprog was restricted. With this update, the SELinux policy was
adjusted. Place your scripts into the /usr/libexec/rsyslog directory to ensure compatibility with the
adjusted SELinux policy. As a result, Rsyslog now can execute scripts, including those with privileged
commands, through the omprog module.
Jira:RHEL-5196
Jira:RHEL-25263[1]
Jira:RHEL-4079 [1]
Starting with RHEL 9.1, subscription-manager displays progress information while processing any
operation. Previously, for some languages, typically non-Latin, progress messages did not clean up after
the operation finished. With this update, all the messages are cleaned up properly when the operation
finishes.
If you have disabled the progress messages before, you can re-enable them by entering the following
command:
Bugzilla:2136694[1]
Jira:RHEL-14224
Previously, if the librepo functions were called from an Insights client before logging in as root, the
/run/user/0 directory could be created with a wrong SELinux context type. This prevented systemd
from cleaning the directory after you logged out from root.
With this update, the librepo package now sets a default creation type according to default file system
labeling rules defined in a SELinux policy. As a result, systemd now correctly manages the /run/user/0
directory created by librepo.
Jira:RHEL-11240
Previously, if the libdnf functions were called from an Insights client before logging in as root, the
/run/user/0 directory could be created with a wrong SELinux context type. This prevented systemd
from cleaning the directory after you logged out from root.
With this update, the libdnf package now sets a default creation type according to default file system
labeling rules defined in a SELinux policy. As a result, systemd now correctly manages the /run/user/0
directory created by libdnf.
Jira:RHEL-11238
The dnf needs-restarting --reboothint command now recommends a reboot to update the
CPU microcode
To fully update the CPU microcode, you must reboot a system. Previously, when you installed the
microcode_ctl package, which contains the updated CPU microcode, the dnf needs-restarting --reboothint
command did not recommend the reboot. With this update, the issue has been fixed, and dnf
needs-restarting --reboothint now recommends a reboot to update the CPU microcode.
Jira:RHEL-4600
NOTE
To preserve the position of the cursor, not all processes are displayed. You can scroll up
through the results to display the remaining processes.
Jira:RHEL-16278
ReaR now determines the presence of a BIOS boot loader when both BIOS and UEFI boot
loaders are installed
Previously, in a hybrid boot loader setup (UEFI and BIOS), when UEFI was used to boot, Relax-and-Recover
(ReaR) restored only the UEFI boot loader and not the BIOS boot loader. This would result in a
system that had a GUID Partition Table (GPT) and a BIOS Boot Partition, but not a BIOS boot loader. In
this situation, ReaR failed to create the rescue image: the attempt to produce a backup or a rescue
image by using the rear mkbackup or rear mkrescue command would fail with the following error
message:
ERROR: Cannot autodetect what is used as boot loader, see default.conf about 'BOOTLOADER'.
With this update, ReaR determines the presence of both UEFI and BIOS boot loaders, restores them,
and does not fail when it does not encounter the BIOS boot loader on the system with the BIOS Boot
Partition in GPT. As a result, systems with the hybrid UEFI and BIOS boot loader setup can be backed
up and recovered multiple times.
Jira:RHEL-16864[1]
ReaR no longer uses the logbsize, sunit and swidth mount options during recovery
Previously, when restoring an XFS file system with parameters different from the original ones by
using the MKFS_XFS_OPTIONS configuration setting, Relax-and-Recover (ReaR) mounted this file
system with mount options applicable to the original file system, but not to the restored file system. As
a consequence, the disk layout recreation would fail with the following error message when ReaR ran the
mount command:
wrong fs type, bad option, bad superblock on and missing codepage or helper program, or other
error.
With this update, ReaR avoids using the logbsize, sunit and swidth mount options when mounting
recreated XFS file systems. As a result, when you use the MKFS_XFS_OPTIONS configuration setting,
the disk layout recreation succeeds.
Jira:RHEL-10478[1]
ReaR recovery no longer fails on systems with a small thin pool metadata size
Previously, ReaR did not save the size of the pool metadata volume when saving a layout of an LVM
volume group with a thin pool. During recovery, ReaR recreated the pool with the default size even if the
system used a non-default pool metadata size.
As a consequence, when the original pool metadata size was smaller than the default size and no free
space was available in the volume group, the layout recreation during system recovery failed with a
message in the log similar to these examples:
Insufficient free space: 230210 extents needed, but only 230026 available
or
Volume group "vg" has insufficient free space (16219 extents): 16226 required.
With this update, the recovered system has a metadata volume with the same size as the original
system. As a result, the recovery of a system with a small thin pool metadata size and no extra free space
in the volume group finishes successfully.
Jira:RHEL-6984
ReaR now preserves logs from the bprestore command of NetBackup in the rescue system
and the recovered system
Previously, when using the NetBackup integration (BACKUP=NBU), ReaR added the log from the
bprestore command during recovery to a directory that was deleted on exit. Additionally, ReaR did not
save further logs produced by the command under the /usr/openv/netbackup/logs/bprestore/
directory on the recovered system.
As a consequence, if the bprestore command failed during recovery, the logs were deleted unless the
rear recover command was run with the -d or -D option. Moreover, even if the recovery finished
successfully, the logs under /usr/openv/netbackup/logs/bprestore/ directory were lost after a reboot
and could not be examined.
With this update, ReaR keeps the log from the bprestore command in the /var/lib/rear/restore
directory in the rescue system where it persists after the rear recover command has finished until the
rescue system is rebooted. If the system is recovered, all logs from
/usr/openv/netbackup/logs/bprestore/ are copied to the /var/log/rear/recover/restore directory
together with the log from /var/lib/rear/restore in case further examination is required.
Jira:RHEL-17393
ReaR no longer fails during recovery if the TMPDIR variable is set in the configuration file
Previously, the ReaR default configuration file /usr/share/rear/conf/default.conf contained the
following instructions:
The instructions mentioned above did not work correctly because the TMPDIR variable had the same value in the rescue environment, which was not correct if the directory specified in the TMPDIR variable did not exist in the rescue image.
As a consequence, when the rescue image was booted, setting and exporting TMPDIR in the /etc/rear/local.conf file led to the following error:
or to the following error, followed by an abort later when running rear recover:
With this update, ReaR clears the TMPDIR variable in the rescue environment. ReaR also detects when
the variable has been set in /etc/rear/local.conf, and prints a warning if the variable is set. The comment
in /usr/share/rear/conf/default.conf has been changed to instruct to set and export TMPDIR in the
environment before executing rear instead of setting it in /etc/rear/local.conf.
If the command export TMPDIR=… is used in /etc/rear/local.conf, ReaR now prints the following
warning:
Warning: Setting TMPDIR in a configuration file is deprecated. To specify a working area directory
prefix, export TMPDIR before executing 'rear'
Setting TMPDIR in a configuration file such as /etc/rear/local.conf is now deprecated and the
functionality will be removed in a future release. It is recommended to remove such settings from
/etc/rear/local.conf, and to set and export TMPDIR in the environment before calling ReaR instead.
Jira:RHEL-24847
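The following pre-flight check is an added example and not part of ReaR or of these release notes. It finds TMPDIR assignments in a ReaR configuration file (the pattern the warning above is about) and builds the environment for a rear invocation with TMPDIR exported beforehand, refusing a directory that does not exist, which is the condition that broke recovery. The sample local.conf content and the paths in it are constructed.

```python
"""Pre-flight check for the deprecated TMPDIR-in-config pattern.

Added example; not ReaR's own code. Given the text of a ReaR configuration
file it returns the TMPDIR assignments ReaR now warns about, so that they can
be moved into the environment of the rear invocation instead. The sample
configuration below and its paths are constructed for illustration.
"""
import os
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Matches "TMPDIR=value" or "export TMPDIR=value" at the start of a line.
_ASSIGN = re.compile(r'^\s*(?:export\s+)?TMPDIR=(.*)$')


def tmpdir_assignments(config_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, value) for every TMPDIR assignment in config_text.

    Commented-out lines are ignored and quoting is resolved the way a shell
    would, since ReaR sources its configuration files as shell scripts.
    """
    found = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith('#'):
            continue
        match = _ASSIGN.match(line)
        if not match:
            continue
        # shlex honours quotes and drops a trailing "# comment".
        tokens = shlex.split(match.group(1), comments=True)
        found.append((lineno, tokens[0] if tokens else ''))
    return found


def rear_environment(tmpdir: Optional[str],
                     base_env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Build the environment for invoking rear with TMPDIR exported up front.

    This is what the updated default.conf asks for. A directory that does not
    exist is refused: a TMPDIR that is missing in the rescue system is exactly
    the failure the fix addresses.
    """
    env = dict(os.environ if base_env is None else base_env)
    if tmpdir is None:
        env.pop('TMPDIR', None)
        return env
    if not os.path.isdir(tmpdir):
        raise FileNotFoundError(f'TMPDIR {tmpdir!r} does not exist')
    env['TMPDIR'] = tmpdir
    return env


# Constructed sample of a local.conf that still carries the deprecated setting.
SAMPLE_LOCAL_CONF = """\
BACKUP=NETFS
# export TMPDIR=/old/value   (commented out, must be ignored)
export TMPDIR="/var/tmp/rear"   # deprecated: move this to the environment
OUTPUT=ISO
"""

if __name__ == '__main__':
    for lineno, value in tmpdir_assignments(SAMPLE_LOCAL_CONF):
        print(f'local.conf:{lineno}: TMPDIR={value} is set in the configuration file; '
              f'export it before running rear instead')
    # Recommended invocation (not executed here):
    # subprocess.run(['rear', '-v', 'mkrescue'], env=rear_environment('/var/tmp/rear'))
```

Run it against the real file with `tmpdir_assignments(open('/etc/rear/local.conf').read())`; an empty list means the configuration is already clean, and any hit should be removed in favour of exporting TMPDIR in the calling shell.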
8.6. NETWORKING
wwan_hwsim is now in the kernel-modules-internal package
The wwan_hwsim kernel module provides a framework for simulating and testing various networking
scenarios that use wireless wide area network (WWAN) devices. Previously, wwan_hwsim was a part of
the kernel-modules-extra package. However, with this release, it is moved to the kernel-modules-
internal package, which contains other similarly-oriented utilities. Note that the WWAN feature for PCI
modem is still a Technology Preview.
Jira:RHEL-24618[1]
Cannot display features, because xdp-loader was compiled against an old version of libbpf without
support for querying features.
The utility is now compiled against the correct libbpf version. As a result, the command now works as
expected.
Jira:RHEL-3382
As a result, when you update the firmware version of the ConnectX-5 adapter to 16.35.3006 or later, the
error message will not appear.
Jira:RHEL-9897[1]
8.7. KERNEL
crash was rebased to version 8.0.4
The crash utility was upgraded to version 8.0.4, which provides multiple bug fixes. Notable repairs
include:
Fixed a segmentation fault that occurred when the non-panicking CPUs failed to stop during a kernel panic.
A critical error incorrectly did not cause a kernel panic when the panic_on_oops kernel parameter was disabled.
The crash utility did not properly resolve the hashed freelist pointers for kernels compiled with the CONFIG_SLAB_FREELIST_HARDENED=y configuration option.
Support for the change in the kernel module memory layout terminology that replaced module_layout with module_memory. Without this change, crash cannot start a session and exits with an error message such as this:
Jira:RHEL-9009
Previously, if you ran the tuna utility without any subcommand, it launched the GUI. This behavior was desirable if you had a display, but on a machine without a display tuna did not exit gracefully. With this update, tuna detects whether a display is available and launches the GUI only if it is.
Jira:RHEL-8859[1]
With this update, the AMD TPM bug fix has been revised. As a result, RHEL now detects the Intel TPM
chips correctly.
Jira:RHEL-18985 [1]
RHEL previously failed to recognize NVMe disks when VMD was enabled
Previously, when you reset or reattached a driver, the Volume Management Device (VMD) domain did not soft-reset. Consequently, the hardware could not properly detect and enumerate its devices. With this update, the operating system with VMD enabled correctly recognizes NVMe disks, in particular when resetting a server or working with a VM.
Bugzilla:2128610[1]
Previously, the multipathd command did not disable the queue_if_no_path parameter before removing a device. The removal could hang only if there was outstanding queued I/O to the multipath device itself, and not to its partition devices. Consequently, multipathd hung and could no longer maintain the multipath devices. With this update, multipathd disables queuing before executing a remove command such as multipath -F, multipath -f <device>, multipathd remove maps, or multipathd remove map <device>. As a result, multipathd now successfully removes devices that have outstanding queued I/O.
Jira:RHEL-4998[1]
Jira:RHEL-23572 [1]
The multipath device was configured with the queue_if_no_paths parameter set to several
retries.
A path device was removed from the multipath device that had no working paths and was no
longer queuing I/O.
With this update, the issue has been fixed. As a result, multipath devices no longer restart queuing I/O if queuing is disabled and a path is removed while there are no usable paths.
Jira:RHEL-17234[1]
Jira:RHEL-21545[1]
The kernel no longer crashes when namespaces are added and removed
Previously, when NVMe namespaces were rapidly added and removed, a namespace could disappear between successive commands used to probe it. In a specific case, a storage array did not return an invalid namespace error but instead returned a buffer filled with zeros. Consequently, the kernel crashed with a divide-by-zero error. With this update, the kernel validates the data returned in responses to the Identify Namespace commands it issues to the storage. As a result, the kernel no longer crashes.
Jira:RHEL-14751 [1]
The newly allocated sections of the data device are now properly aligned
Previously, when a Stratis pool was expanded, new regions of the pool could be allocated, but the newly allocated regions were not correctly aligned with the previously allocated regions.
Consequently, it could cause a performance degradation along with a nonzero entry in the Stratis thin
pool’s alignment_offset file in sysfs. With this update, when the pool expands, the newly allocated
region of the data device is properly aligned with the previously allocated region. As a result, there is no
degradation in performance and no nonzero entry in the Stratis thin pool’s alignment_offset file in
sysfs.
Jira:RHEL-16736
System boots correctly when adding a NVMe-FC device as a mount point in /etc/fstab
Previously, due to a known issue in the nvme-cli nvmf-autoconnect systemd services, systems failed
to boot while adding the Non-volatile Memory Express over Fibre Channel (NVMe-FC) devices as a
mount point in the /etc/fstab file. Consequently, the system entered into an emergency mode. With this
update, a system boots without any issue when mounting an NVMe-FC device.
Jira:RHEL-8171[1]
With the fix in the udisks2-2.9.4-9.el9 firmware authentication, this issue is now resolved and LUNs are
visible during the installation and initial boot.
Bugzilla:2213769[1]
Jira:RHEL-7746
Issues with moving and banning clone and bundle resources now corrected
This bug fix addresses two limitations of moving bundled and clone resources:
When a user tried to move a bundled resource out of its bundle or ban it from running in its
bundle, pcs created a constraint but the constraint had no effect. This caused the move to fail
with an error message. With this fix, pcs disallows moving and banning bundled resources from
their bundles and prints an error message noting that bundled resources cannot be moved out
of their bundles.
When a user tried to move a bundle or clone resource, pcs exited with an error message noting
that bundle or clone resources cannot be moved. This fix relaxes validation of move commands.
It is now possible to move clone and bundle resources. When moving clone resources, you must
specify a destination node if more than one instance of a clone is running. Only one-replica
bundles can be moved.
Jira:RHEL-7744
Output of pcs status command no longer shows warning for expired constraints
Previously, when moving a cluster resource created a temporary location constraint, the pcs status
command displayed a warning even after the constraint expired. With this fix, the pcs status command
filters out expired constraints and they no longer generate a warning message in the command output.
Jira:RHEL-7669
Disabling the auto_tie_breaker quorum option no longer allowed when SBD fencing requires
it
Previously, pcs allowed a user to disable the auto_tie_breaker quorum option even when a cluster
configuration required this option for SBD fencing to work correctly. With this fix, pcs generates an error
message when a user attempts to disable auto_tie_breaker on a system where SBD fencing requires
that the auto_tie_breaker option be enabled.
Jira:RHEL-7730
With this update, you can specify the repository root path by using the new DavBasePath directive in the httpd.conf file. For example:
<LocationMatch "^/repos/">
DAV svn
DavBasePath /repos
SVNParentPath /var/www/svn
</LocationMatch>
As a result, httpd handles requests correctly if a DAV repository location is configured by using a regular
expression match.
Jira:RHEL-6600
Previously, the ldconfig utility terminated unexpectedly with a segmentation fault when processing
incomplete shared objects left in the /usr/lib64 directory after an interrupted system upgrade. With this
update, ldconfig ignores temporary files written during system upgrades. As a result, ldconfig no
longer crashes after an interrupted system upgrade.
Jira:RHEL-14383
glibc now uses the number of configured processors for malloc arena tuning
Previously, glibc used the per-thread CPU affinity mask for tuning the maximum arena count for
malloc. As a consequence, restricting the thread affinity mask to a small subset of CPUs in the system
could lead to performance degradation.
glibc has been changed to use the configured number of CPUs for determining the maximum arena
count. As a result, applications use a larger number of arenas, even when running with a restricted per-
thread CPU affinity mask, and the performance degradation no longer occurs.
Jira:RHEL-17157[1]
Improved glibc compatibility with applications using dlclose on shared objects involved in a
dependency cycle
Previously, when unloading a shared object in a dependency cycle using the dlclose function in glibc,
that object’s ELF destructor might not have been called before all other objects were unloaded. As a
consequence of this late ELF destructor execution, applications experienced crashes and other errors
due to the initial shared object’s dependencies already being deinitialized.
With this update, glibc has been fixed to first call the ELF destructor of the immediate object being
unloaded before any other ELF destructors are executed. As a result, compatibility with applications
using dlclose on shared objects involved in a dependency cycle is improved and crashes no longer
occur.
Jira:RHEL-2491 [1]
Previously, make did not check if an executable it was trying to run was actually an executable.
Consequently, if the path included a directory with the same name as the executable, make tried to run
the directory instead. With this update, make now does additional checks when searching for an
executable. As a result, make no longer tries to run directories.
Jira:RHEL-22829
Jira:RHEL-19862[1]
The glibc getaddrinfo function now correctly reads nscd cache information
Previously, a bug in the glibc getaddrinfo function caused it to occasionally return empty elements in the list of address information structures. With this update, the getaddrinfo function has been fixed to read and translate nscd cache data correctly and, as a result, returns correct address information.
Jira:RHEL-16643
Improved glibc compatibility with applications using dlclose on shared objects involved in a
dependency cycle
Previously, when unloading a shared object in a dependency cycle using the dlclose function in glibc,
that object’s ELF destructor might not have been called before all other objects were unloaded. As a
consequence of this late ELF destructor execution, applications experienced crashes and other errors
due to the initial shared object’s dependencies already being deinitialized.
With this update, glibc has been fixed to first call the ELF destructor of the immediate object being
unloaded before any other ELF destructors are executed. As a result, compatibility with applications
using dlclose on shared objects involved in a dependency cycle is improved and crashes no longer
occur.
Jira:RHEL-12362
Previously, the glibc Name Service Switch Caching Daemon (nscd) could fail to start due to inconsistent cache expiry information in the persistent cache file. With this update, nscd marks cache entries with inconsistent timing information for deletion and skips them. As a result, nscd no longer fails to start due to inconsistent cache expiry information.
Jira:RHEL-3397
Jira:RHEL-2123
Jira:SSSD-7015
IdM clients correctly retrieve information for trusted AD users when their names contain
mixed case characters
Previously, if you attempted a lookup or authentication of a trusted Active Directory (AD) user whose name contained mixed case characters and who was configured with overrides in IdM, an error was returned, preventing the user from accessing IdM resources.
With this update, the case-sensitive comparison has been replaced with a case-insensitive one. As a result, IdM clients can now look up users of an AD trusted domain even if their user names contain mixed case characters and they are configured with overrides in IdM.
Jira:SSSD-6096
SSSD correctly returns an error if no grace logins remain while changing a password
Previously, if a user’s LDAP password had expired, SSSD tried to change the password even after the
initial bind of the user failed as there were no more grace logins left. However, the error returned to the
user did not indicate the reason for the failure. With this update, the request to change the password is
aborted if the bind fails and SSSD returns an error message indicating there are no more grace logins
and the password must be changed by another means.
Jira:SSSD-6184
Jira:SSSD-6081
Jira:SSSD-6652
Jira:SSSD-6425
KDC now runs extra checks when general constrained delegation requests are processed
Previously, the forwardable flag in Kerberos tickets issued by KDCs running on Red Hat Enterprise Linux 8 was vulnerable, allowing unauthorized modification without detection. This vulnerability could lead to impersonation attacks, even by users without specific privileges. With this update, the KDC runs extra checks when it processes general constrained delegation requests, which ensures detection and rejection of unauthorized flag modifications and removes the vulnerability.
Jira:RHEL-9984[1]
Check on the forwardable flag is disabled in cases where SIDs are generated for the domain
Previously, the update providing a fix for CVE-2020-17049 relied on the Kerberos PAC to run certain
checks on the ticket forwardable flag when the KDC processes a general constrained delegation
request. However, the PAC is generated only on domains where the SIDs generation task was executed
in the past. While this task is automatically performed for all IdM domains created on Red Hat Enterprise
Linux (RHEL) 8.5 and newer, domains initialized on older versions require manual execution of this task.
In case the SIDs generation task was never executed manually for IdM domains initialized on RHEL 8.4
and older, the PAC will be missing on Kerberos tickets, resulting in rejection of all general constrained
delegation requests. This includes IdM’s HTTP API, which relies on general constrained delegation.
With this update, the check of the forwardable flag is disabled in cases where SIDs were not generated
for the domain. Services relying on general constrained delegation, including IdM HTTP API, continue
working. However, Red Hat recommends running the SIDs generation task on the domain as soon as
possible, especially if the domain has custom general constrained delegation rules configured. Until this
is done, the domain remains vulnerable to CVE-2020-17049.
Jira:RHEL-22313
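The following simplified model is an added example and is not code from the release notes, MIT Kerberos, or IdM. It shows, for both notes above, why a flag carried inside a ticket that is sealed under the target service's own key cannot be trusted in a general constrained delegation (S4U2Proxy) request, how a KDC-keyed signature over the ticket (the role the PAC checks play in the update) exposes a modified forwardable flag, and why the check has to be skipped, leaving the domain exposed, when no PAC exists because SIDs were never generated. HMAC-SHA256 stands in for Kerberos encryption and ASN.1 encoding, and the client and service names are constructed.

```python
"""Why a flag inside a ticket sealed under the service key cannot be trusted.

Added example, not code from the release notes, MIT Kerberos or IdM. A
simplified model of CVE-2020-17049: the evidence ticket in a general
constrained delegation (S4U2Proxy) request is protected under the target
service's key, so a service holding that key can set the forwardable flag
unnoticed; a KDC-keyed signature over the ticket (the PAC check the update
adds) makes the change detectable, and the check must be skipped when the
domain never generated SIDs and therefore produces no PAC. HMAC-SHA256 stands
in for encryption and ASN.1; the client and service names are constructed.
"""
import hashlib
import hmac
import os
from typing import Tuple

FORWARDABLE = 0x40000000  # TicketFlags forwardable bit (MIT krb5 TKT_FLG_FORWARDABLE)


def _mac(key: bytes, *fields: bytes) -> bytes:
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()


def _body(client: str, service: str, flags: int) -> Tuple[bytes, ...]:
    return client.encode(), service.encode(), flags.to_bytes(4, "big")


def issue_ticket(client: str, service: str, flags: int, service_key: bytes,
                 kdc_key: bytes, with_pac: bool = True) -> dict:
    """KDC issues a ticket for `client` to `service`.

    service_mac models the ticket being sealed under the service's key.
    pac_sig models the PAC ticket signature, a KDC-keyed MAC only the KDC can
    produce. Domains that never ran the SID generation task get no PAC.
    """
    body = _body(client, service, flags)
    return {
        "client": client,
        "service": service,
        "flags": flags,
        "service_mac": _mac(service_key, *body),
        "pac_sig": _mac(kdc_key, *body) if with_pac else None,
    }


def tamper_set_forwardable(ticket: dict, service_key: bytes) -> dict:
    """What a compromised service can do: it knows its own key, so it can set
    the forwardable flag and re-seal the ticket. It cannot recompute pac_sig
    because it does not hold the KDC key."""
    forged = dict(ticket)
    forged["flags"] = ticket["flags"] | FORWARDABLE
    forged["service_mac"] = _mac(
        service_key, *_body(forged["client"], forged["service"], forged["flags"]))
    return forged


def kdc_s4u2proxy(ticket: dict, service_key: bytes, kdc_key: bytes,
                  pac_check: str = "when_present") -> Tuple[bool, str]:
    """KDC handling of a constrained delegation request that presents `ticket`
    as evidence. Returns (accepted, reason).

    pac_check = "none":         legacy behaviour, trust the flag in the ticket
    pac_check = "required":     reject tickets that carry no PAC signature
    pac_check = "when_present": the behaviour the notes describe, verify the
                                PAC signature only if the domain produced one
    """
    body = _body(ticket["client"], ticket["service"], ticket["flags"])
    if not hmac.compare_digest(ticket["service_mac"], _mac(service_key, *body)):
        return False, "ticket is not sealed under the service key"
    if pac_check != "none":
        if ticket["pac_sig"] is None:
            if pac_check == "required":
                return False, "no PAC: SIDs were never generated for the domain"
        elif not hmac.compare_digest(ticket["pac_sig"], _mac(kdc_key, *body)):
            return False, "PAC signature mismatch: ticket flags were modified"
    if not ticket["flags"] & FORWARDABLE:
        return False, "evidence ticket is not forwardable"
    return True, "delegation allowed"


def demo() -> dict:
    """Legacy KDC vs fixed KDC against a forged flag, with and without a PAC."""
    kdc_key, svc_key = os.urandom(32), os.urandom(32)
    honest = issue_ticket("alice", "HTTP/web.example.test", 0, svc_key, kdc_key)
    forged = tamper_set_forwardable(honest, svc_key)
    no_pac = tamper_set_forwardable(
        issue_ticket("alice", "HTTP/web.example.test", 0, svc_key, kdc_key, with_pac=False),
        svc_key)
    return {
        "legacy_kdc_accepts_forged": kdc_s4u2proxy(forged, svc_key, kdc_key, "none")[0],
        "fixed_kdc_accepts_forged": kdc_s4u2proxy(forged, svc_key, kdc_key)[0],
        "fixed_kdc_accepts_forged_without_pac": kdc_s4u2proxy(no_pac, svc_key, kdc_key)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The last key of demo() is the residual risk the second note describes: with no PAC to verify, the fixed KDC falls back to trusting the flag, so a domain initialized on RHEL 8.4 or older stays exposed until the SID generation task has been run.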
Jira:RHEL-12143 [1]
Directory Server no longer fails after abandoning the paged result search
Previously, a race condition caused heap corruption and a Directory Server failure when a paged result search was abandoned. With this update, the race condition has been fixed, and the Directory Server failure no longer occurs.
Jira:RHEL-16830[1]
If the nsslapd-numlisteners attribute value is more than 2, Directory Server no longer fails
Previously, if the nsslapd-numlisteners attribute value was higher than 2, Directory Server sometimes
closed the listening file descriptor instead of the accepted file descriptor. As a consequence, a
segmentation fault occurred in Directory Server. With this update, Directory Server closes the correct
descriptor and continues listening on ports correctly.
Jira:RHEL-17175
The autobind operation no longer impacts operations performed on other connections
Previously, while an autobind operation was in progress, Directory Server stopped listening for new operations on any connection. With this update, the autobind operation does not impact operations performed on other connections.
Jira:RHEL-5111
The IdM client installer no longer specifies the TLS CA configuration in the ldap.conf file
Previously, the IdM client installer specified the TLS CA configuration in the ldap.conf file. With this
update, OpenLDAP uses the default truststore and the IdM client installer does not set up the TLS CA
configuration in the ldap.conf file.
Bugzilla:2094673
With this update, the problem has been fixed and the VNC console works correctly at most resolutions,
with the exception of ultra high resolutions, such as 3840 x 2160 px.
Note that a small offset between the recorded and displayed positions of the cursor might still be
present. However, this does not significantly impact the usability of the VNC console.
Bugzilla:2030836
Jira:RHEL-18026[1]
Previously, when the from: or to: settings were set to the 0.0.0.0/0 or ::/0 addresses in the routing rule,
the network RHEL system role failed to configure the routing rule and rejected the settings as invalid.
With this update, the network role allows 0.0.0.0/0 and ::/0 for from: and to: in routing rule validation. As
a result, the role successfully configures the routing rules without raising the validation errors.
Jira:RHEL-1683
Jira:RHEL-3540
The Kdump system role works correctly when the kexec_crash_size file is busy
The /sys/kernel/kexec_crash_size file provides the size of the memory region allocated for crash
kernel memory.
Previously, the Kdump system role failed when the /sys/kernel/kexec_crash_size file was busy. With
this update, the system role retries reading the file when it is available. As a result, the system role no
longer fails when the file is busy.
Jira:RHEL-3353
Previously, the selinux RHEL system role used the item loop variable. This might have resulted in the
following warning message when you called the selinux role from another role:
With this release, the selinux role uses __selinux_item as a loop variable. As a result, the warning that
the item variable is already in use is no longer displayed even if you call the selinux role from another
role.
Jira:RHEL-19040
The ha_cluster system role now correctly configures a firewall on a qnetd host
Previously, when a user configured a qnetd host and set the ha_cluster_manage_firewall variable to
true by using the ha_cluster system role, the role did not enable high-availability services in the firewall.
With this fix, the ha_cluster system role now correctly configures a firewall on a qnetd host.
Jira:RHEL-17875
The postgresql RHEL system role now installs the correct version of PostgreSQL
Previously, if you tried to run the postgresql RHEL system role with the postgresql_version: "15"
variable defined on a RHEL managed node, PostgreSQL version 13 was installed instead of version 15.
This bug has been fixed, and the postgresql role installs the version set in the variable.
Jira:RHEL-5274
Previously, when the keylime_server role playbook provided incorrect information, the role incorrectly
reported the start as successful. With this update, the role now correctly reports a failure when incorrect
information is provided, and the timeout when waiting for opened ports has been reduced from
approximately 300 seconds to approximately 30 seconds.
Jira:RHEL-15909
The podman RHEL system role now sets and cancels linger properly for rootless containers
Previously, the podman RHEL system role did not set and cancel linger properly for rootless containers.
Consequently, deploying secrets or containers for rootless users produced errors in some cases, and
failed to cancel linger when removing resources in some cases. With this update, the podman RHEL
system role ensures that linger is enabled for rootless users before doing any secret or container
resource management, and ensures that linger is canceled for rootless users when there are no more
secrets or container resources to be managed. As a result, the role correctly manages lingering for
rootless users.
Jira:RHEL-22228
Previously, the nbde_server RHEL system role assumed that the only file in the tangd socket override
directory was the override.conf file for a custom port. Consequently, the role deleted the directory if
there was no port customization without checking other files, and the system re-created the directory in
subsequent runs.
With this release, the role has been fixed so that it does not change the attributes of the port override file and does not delete the directory if it contains other files. As a result, the role works correctly if tangd socket override files are also managed outside of the role.
Jira:RHEL-25508
Jira:RHEL-21401
Jira:RHEL-22309
The rhc system role no longer fails on the registered systems when rhc_auth contains
activation keys
Previously, a failure occurred when you executed playbook files on the registered systems with the
activation key specified in the rhc_auth parameter. This issue has been resolved. It is now possible to
execute playbook files on the already registered systems, even when activation keys are provided in the
rhc_auth parameter.
Bugzilla:2186218
8.15. VIRTUALIZATION
RT VMs with a FIFO scheduler now boot correctly
Previously, after setting a real-time (RT) virtual machine (VM) to use the fifo setting for the vCPU
scheduler, the VM became unresponsive when you attempted to boot it. Instead, the VM displayed the
Guest has not initialized the display (yet) error. With this update, the error has been fixed, and setting
fifo for the vCPU scheduler works as expected in the described circumstances.
Jira:RHEL-2815[1]
A dump failure no longer blocks IBM Z VMs with Secure Execution from running
Previously, when a dump of an IBM Z virtual machine (VM) with Secure Execution failed, the VM
remained in a paused state and was blocked from running. For example, dumping a VM by using the
virsh dump command fails if there is not enough space on the disk.
The underlying code has been fixed and Secure Execution VMs resume operation successfully after a
dump failure.
Jira:RHEL-16695 [1]
The installation program shows the expected system disk to install RHEL on VM
Previously, when installing RHEL on a VM using virtio-scsi devices, it was possible that these devices did
not appear in the installation program because of a device-mapper-multipath bug. Consequently,
during installation, if some devices had a serial set and some did not, the multipath command was
claiming all the devices that had a serial. Due to this, the installation program was unable to find the
expected system disk to install RHEL in the VM.
With this update, multipath correctly sets the devices with no serial as having no World Wide Identifier
(WWID) and ignores them. On installation, multipath only claims devices that multipathd uses to bind a
multipath device, and the installation program shows the expected system disk to install RHEL in the
VM.
Bugzilla:1926147 [1]
This problem was caused by a limitation in the vTPM device. With this update, the problem has been
fixed and VMs with more than 250 queues and with vTPM enabled now work reliably.
Jira:RHEL-13335 [1]
Windows guests boot more reliably after a v2v conversion on hosts with AMD EPYC CPUs
After using the virt-v2v utility to convert a virtual machine (VM) that uses Windows 11 or a Windows
Server 2022 as the guest OS, the VM previously failed to boot. This occurred on hosts that use AMD
EPYC series CPUs. Now, the underlying code has been fixed and VMs boot as expected in the described
circumstances.
Bugzilla:2168082[1]
Before this update, the nodedev-dumpxml utility did not list attributes correctly for mediated devices
that were created using the nodedev-create command. This has been fixed, and nodedev-dumpxml
now displays the attributes of the affected mediated devices properly.
Bugzilla:2143158
Previously, restarting the virtqemud or libvirtd services prevented virtiofs storage devices from being
attached to virtual machines (VMs) on your host. This bug has been fixed, and you can now attach
virtiofs devices in the described scenario as expected.
Bugzilla:2078693
Previously, if no PCI slots were available, adding a Watchdog card to a running virtual machine (VM)
failed with the following error:
With this update, the problem has been fixed and adding a Watchdog card to a running VM now works as
expected.
Bugzilla:2173584
Previously, the virtio-gpu device was incompatible with blob memory resources on IBM Z systems. As a
consequence, if you configured a virtual machine (VM) with virtio-gpu on an IBM Z host to use blob
resources, the VM did not have any graphical output.
With this update, virtio devices have an optional blob attribute. Setting blob to on enables the use of
blob resources in the device. This prevents the described problem in virtio-gpu devices, and can also
accelerate the display path by reducing or eliminating copying of pixel data between the guest and host.
Note that blob resource support requires QEMU version 6.1 or later.
Jira:RHEL-7135
Reinstalling virtio-win drivers no longer causes DNS configuration to reset on the guest
In virtual machines (VMs) that use a Windows guest operating system, reinstalling or upgrading virtio-
win drivers for the network interface controller (NIC) previously caused DNS settings in the guest to
reset. As a consequence, your Windows guest in some cases lost network connectivity.
With this update, the described problem has been fixed. As a result, if you reinstall or upgrade from the
latest version of virtio-win, the problem no longer occurs. Note, however, that upgrading from a prior
version of virtio-win will not fix the problem, and DNS resets might still occur in your Windows guests.
Jira:RHEL-1860[1]
For information on Red Hat scope of support for Technology Preview features, see Technology Preview
Features Support Scope.
Jira:RHEL-10216 [1]
ostreecontainer
clearpart, zerombr
autopart
part
logvol, volgroup
lang
rootpw
sshkey
user
When you specify a group within the user command, the user account can be assigned only to a group that already exists in the container image. Kickstart commands not listed here can be used together with the ostreecontainer command, but they are not guaranteed to work as they do with package-based installations.
However, the following Kickstart commands are unsupported together with ostreecontainer:
%packages (any necessary packages must be already available in the container image)
url (if there is a need to fetch a stage2 image for installation, for example, PXE installations use
inst.stage2= on the kernel instead of providing a URL for stage2 inside the Kickstart file)
liveimg
vnc
authconfig and authselect (provide relevant configuration in the container image instead)
module
repo
zipl
zfcp
Installation of bootable OSTree native containers is not supported in interactive installations that use
partial Kickstart files.
Note: When customizing a mount point, you must define the mount point in the /mnt directory and
ensure that the mount point directory exists inside /var/mnt in the container image.
Jira:RHEL-2250[1]
Boot loader installation and configuration via bootupd / bootupctl in Anaconda is now
available as a Technology Preview
As the ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview, you
can use it to install the operating system from an OSTree commit encapsulated in an OCI image.
Anaconda automatically arranges a boot loader installation and configuration via the
bootupd/bootupctl tool contained within the container image, even without an explicit boot loader
configuration in Kickstart.
Jira:RHEL-17205 [1]
Jira:RHELDOCS-17468[1]
Jira:RHELDOCS-17733[1]
9.2. SECURITY
The updated gnutls packages can use kernel TLS (kTLS) for accelerating data transfer on encrypted
channels as a Technology Preview. To enable kTLS, add the tls.ko kernel module using the modprobe
command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the
system-wide cryptographic policies with the following content:
[global]
ktls = true
Note that the current version does not support updating traffic keys through TLS KeyUpdate
messages, which impacts the security of AES-GCM ciphersuites. See the RFC 7841 - TLS 1.3 document
for more information.
Bugzilla:2108532[1]
0
All processes can create io_uring instances as usual.
1
io_uring creation is disabled for unprivileged processes. The io_uring_setup system call fails with
-EPERM unless the calling process has the CAP_SYS_ADMIN capability. Existing io_uring instances
can still be used.
2
io_uring creation is disabled for all processes. The io_uring_setup always fails with -EPERM.
Existing io_uring instances can still be used. This is the default setting.
An updated version of the SELinux policy to enable the mmap system call on anonymous inodes is also
required to use this feature.
By using the io_uring command pass-through, an application can issue commands directly to the
underlying hardware, such as NVMe devices.
Jira:RHEL-11792[1]
Jira:RHELDOCS-17752[1]
Bugzilla:2047161[1]
Bugzilla:2113900
9.6. NETWORKING
WireGuard VPN is available as a Technology Preview
WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN
solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other
VPN solutions. Additionally, the small code base of WireGuard reduces the attack surface and therefore
improves security.
Bugzilla:1613522 [1]
Bugzilla:1570255[1]
Bugzilla:2020529
The PRP and HSR protocols are now available as a Technology Preview
This update adds the hsr kernel module that provides the following protocols:
The IEC 62439-3 standard defines these protocols, and you can use this feature to configure zero-loss
redundancy in Ethernet networks.
Bugzilla:2177256[1]
Jira:RHEL-24337
High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are network
protocols that provide seamless failover against the failure of any single network component. Both
protocols are transparent to the application layer: users do not experience any disruption in
communication or any loss of data, because the switch between the main path and the redundant path
happens very quickly and without the user noticing. You can now enable and configure HSR and PRP
interfaces by using the NetworkManager service through the nmcli utility and the D-Bus message
system.
Jira:RHEL-5852
Note that offloading the IPsec encapsulation process to a NIC also reduces the ability of the kernel to
monitor and filter such packets.
Bugzilla:2178699[1]
Intel IPC over Shared Memory (IOSM) - Intel XMM 7360 LTE Advanced
Bugzilla:2186375[1]
Bugzilla:2183538[1]
9.7. KERNEL
The Soft-iWARP driver is available as a Technology Preview
Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux.
Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This protocol suite is
fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA)
hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP
adapter or to another system with already installed Soft-iWARP.
Bugzilla:2023416[1]
The following kernel modules are available as Technology Preview for Marvell OCTEON TX2
Infrastructure Processor family:
rvu_nicpf
Marvell OcteonTX2 NIC Physical Function driver
rvu_nicvf
Marvell OcteonTX2 NIC Virtual Function driver
rvu_af
Marvell OcteonTX2 RVU Admin Function driver
Bugzilla:2040643 [1]
The python-drgn package brings an advanced debugging utility, which adds emphasis on
programmability. You can use its Python command-line interface to debug both the live kernels and the
kernel dumps. Additionally, python-drgn offers scripting capabilities for you to automate debugging
tasks and conduct intricate analysis of the Linux kernel.
Jira:RHEL-6973[1]
The iaa_crypto driver, which offloads compression and decompression operations from the CPU, has
been introduced in RHEL 9.4 as a Technology Preview. It supports compression and decompression
compatible with the DEFLATE compression standard described in RFC 1951. The iaa_crypto driver is
designed to work as a layer underneath higher-level compression devices such as zswap.
Jira:RHEL-20145[1]
Bugzilla:1995338[1]
Bugzilla:2021672[1]
The nvme-stas package, a Central Discovery Controller (CDC) client for Linux, is now available as a
Technology Preview. It handles Asynchronous Event Notifications (AEN), automated NVMe subsystem
connection control, error handling and reporting, and automatic (zeroconf) and manual configuration.
This package consists of two daemons, the Storage Appliance Finder (stafd) and the Storage Appliance
Connector (stacd).
Bugzilla:1893841 [1]
For more information, see the dhchap-secret and dhchap-ctrl-secret option descriptions in the nvme-
connect(1) man page.
Bugzilla:2027304[1]
RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview
features for the AMD and Intel 64-bit architectures.
jmc-core is a library providing core APIs for Java Development Kit (JDK) Mission Control, including
libraries for parsing and writing JDK Flight Recording files, and libraries for Java Virtual Machine (JVM)
discovery through Java Discovery Protocol (JDP).
Note that since RHEL 9.2, jmc-core and owasp-java-encoder are available in the CodeReady Linux
Builder (CRB) repository, which you must explicitly enable. See How to enable and make use of content
within CodeReady Linux Builder for more information.
Bugzilla:1980981
With this update, when comparing binaries, you can suppress warnings related to fake flexible arrays that
were converted to true flexible arrays by using the following suppression specification:
[suppress_type]
type_kind = struct
has_size_change = true
has_strict_flexible_array_data_member_conversion = true
Jira:RHEL-16629[1]
Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these
documents:
Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other
DNS servers. This might affect the availability of DNS zones that are not configured in accordance with
recommended naming practices.
Bugzilla:2084180
In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The
RHCS ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM
deployment, but it does not service requests until the administrator enables it. RHCS uses the
acmeIPAServerCert profile when issuing ACME certificates. The validity period of issued certificates is
90 days. Enabling or disabling the ACME service affects the entire IdM deployment.
IMPORTANT
It is recommended to enable ACME only in an IdM deployment where all servers are
running RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which
can cause problems in mixed-version deployments. For example, a CA server without
ACME can cause client connections to fail, because it uses a different DNS Subject
Alternative Name (SAN).
WARNING
Currently, RHCS does not remove expired certificates. Because ACME certificates
expire after 90 days, the expired certificates can accumulate and this can affect
performance.
To enable ACME across the whole IdM deployment, use the ipa-acme-manage enable
command:
# ipa-acme-manage enable
The ipa-acme-manage command was successful
To disable ACME across the whole IdM deployment, use the ipa-acme-manage disable
command:
# ipa-acme-manage disable
The ipa-acme-manage command was successful
To check whether the ACME service is installed and if it is enabled or disabled, use the ipa-
acme-manage status command:
# ipa-acme-manage status
ACME is enabled
The ipa-acme-manage command was successful
Bugzilla:2084181 [1]
9.11. DESKTOP
GNOME for the 64-bit ARM architecture available as a Technology Preview
The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.
You can now connect to the desktop session on a 64-bit ARM server using VNC. As a result, you can
manage the server using graphical applications.
Using Firefox, you can connect to the Cockpit service on the server.
Certain applications, such as LibreOffice, only provide a command-line interface, and their graphical
interface is disabled.
Jira:RHELPLAN-27394[1]
You can now connect to the desktop session on an IBM Z server using VNC. As a result, you can manage
the server using graphical applications.
Using Firefox, you can connect to the Cockpit service on the server.
Certain applications, such as LibreOffice, only provide a command-line interface, and their graphical
interface is disabled.
Jira:RHELPLAN-27737[1]
Jira:RHELDOCS-17520[1]
9.13. VIRTUALIZATION
Creating nested virtual machines
Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running
on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that
runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.
Jira:RHELDOCS-17040[1]
In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology
Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host
from modifying the VM’s CPU registers or reading any information from them.
Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome)
or later. Also note that RHEL 9 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES
security attestation.
Jira:RHELPLAN-65217 [1]
Bugzilla:1955275[1]
UKIs can be used in virtualized and cloud environments, especially in confidential VMs where strong
SecureBoot capabilities are required. The UKI is available as a kernel-uki-virt package in RHEL 9
repositories.
Currently, the RHEL UKI can only be used in a UEFI boot configuration.
Bugzilla:2142102[1]
Note that this feature is deprecated and was removed entirely with the RHEL 9.3 release.
Jira:RHELDOCS-17050 [1]
Jira:RHEL-7043[1]
This feature is currently available only on a Mellanox CX-7 networking device. The VF on the Mellanox
CX-7 networking device uses a new mlx5_vfio_pci driver, which adds functionality that is necessary for
the live migration, and libvirt binds the new driver to the VF automatically.
Jira:RHEL-13007[1]
Currently, the RHEL UKI can only be used in a UEFI boot configuration.
Jira:RHELPLAN-139800[1]
9.15. CONTAINERS
The podman-machine command is unsupported
The podman-machine command for managing virtual machines is available only as a Technology
Preview. Instead, run Podman directly from the command line.
Jira:RHELDOCS-16861 [1]
A farm is a group of machines that have a UNIX podman socket running in them. The nodes in the farm
can be machines of different architectures. The podman farm build command is faster than the
podman build --arch --platform command.
You can use podman farm build to perform the following actions:
Push the images to the registry specified by using the --tag option.
Jira:RHELPLAN-154436[1]
Jira:RHELDOCS-17803[1]
Jira:RHEL-18157 [1]
CHAPTER 10. DEPRECATED FUNCTIONALITIES
For the most recent list of deprecated functionality within a particular major release, see the latest
version of release documentation. For information about the length of support, see Red Hat Enterprise
Linux Life Cycle and Red Hat Enterprise Linux Application Streams Life Cycle .
A package can be deprecated and not recommended for further use. Under certain circumstances, a
package can be removed from the product. Product documentation then identifies more recent
packages that offer functionality similar or identical to, or more advanced than, that of the deprecated
package, and provides further recommendations.
For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see
Considerations in adopting RHEL 9 .
timezone --ntpservers
timezone --nontp
logging --level
%packages --excludeWeakdeps
%packages --instLangs
%anaconda
pwpolicy
nvdimm
Note that where only specific options are listed, the base command and its other options are still
available and not deprecated. Using the deprecated commands in Kickstart files prints a warning in the
logs. You can turn the deprecated command warnings into errors with the inst.ksstrict boot option.
Bugzilla:1899167[1]
User and Group customizations in the edge-commit and edge-container blueprints have been
deprecated
Specifying a user or group customization in the blueprints is deprecated for the edge-commit and
edge-container image types, because the user customization disappears when you upgrade the image
and do not specify the user in the blueprint again.
Note that specifying a user or group customization in blueprints that are used to deploy an existing
OSTree commit, such as edge-raw-image, edge-installer, and edge-simplified-installer image types
remains supported.
Bugzilla:2173928
Jira:RHELDOCS-16393[1]
The provider_hostip and provider_fedora_geoip values of the inst.geoloc boot option are
deprecated
The provider_hostip and provider_fedora_geoip values that specified the GeoIP API for the
inst.geoloc= boot option are deprecated. As a replacement, you can use the
geolocation_provider=URL option to set the required geolocation in the installation program
configuration file. You can still use the inst.geoloc=0 option to disable the geolocation.
Bugzilla:2127473
Capturing screenshots from the Anaconda GUI with a global hot key is deprecated
Previously, users could capture screenshots of the Anaconda GUI by using a global hot key. This meant
that users could extract the screenshots manually from the installation environment for any further
usage. This functionality has been deprecated.
Jira:RHELDOCS-17166[1]
Jira:RHELDOCS-17309[1]
Jira:RHELDOCS-17702
Unable to load an updated driver from the driver update disc in the installation
environment
A new version of a driver from the driver update disc might not load if the same driver from the
installation initial RAM disk has already been loaded. As a consequence, an updated version of the driver
cannot be applied to the installation environment.
As a workaround, use the modprobe.blacklist= kernel command line option together with the inst.dd
option. For example, to ensure that an updated version of the virtio_blk driver from a driver update disc
is loaded, use modprobe.blacklist=virtio_blk and then continue with the usual procedure to apply
drivers from the driver update disk. As a result, the system can load an updated version of the driver and
use it in the installation environment.
Jira:RHEL-4762
10.2. SECURITY
SHA-1 is deprecated for cryptographic purposes
The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9.
The digest produced by SHA-1 is not considered secure because of many documented successful
attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures
using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-
relevant use cases.
Among the exceptions, the HMAC-SHA1 message authentication code and Universally Unique
Identifier (UUID) values can still be created using SHA-1, because these use cases do not currently pose
security risks. SHA-1 can also be used in limited cases connected with important interoperability and
compatibility concerns, such as Kerberos and WPA-2. See the List of RHEL applications using
cryptography that is not compliant with FIPS 140-3 section in the RHEL 9 Security hardening document
for more details.
If your scenario requires the use of SHA-1 for verifying existing or third-party cryptographic signatures,
you can enable it by entering the following command:
Alternatively, you can switch the system-wide crypto policies to the LEGACY policy. Note that LEGACY
also enables many other algorithms that are not secure.
Jira:RHELPLAN-110763[1]
fapolicyd.rules is deprecated
The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the
/etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this
directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still
processed by the fapolicyd framework but only for ensuring backward compatibility.
Bugzilla:2054740
In the scp utility, SCP is replaced by the SSH File Transfer Protocol (SFTP) by default.
Jira:RHELPLAN-99136[1]
Bugzilla:2168665
Jira:RHELDOCS-17958[1]
As a part of the ongoing migration of deprecated OpenSSL engines to the Providers API, the pkcs11-
provider package replaces the openssl-pkcs11 package (engine_pkcs11). The openssl-pkcs11
package is now deprecated. The openssl-pkcs11 package might be removed in a future major release.
Jira:RHELDOCS-16716[1]
RHEL 8 and 9 OpenSSL certificate and signing containers are now deprecated
The OpenSSL portable certificate and signing containers available in the ubi8/openssl and
ubi9/openssl repositories in the Red Hat Ecosystem Catalog are now deprecated due to low demand.
Jira:RHELDOCS-17974 [1]
Bugzilla:1995600[1]
OpenSSL deprecates MD2, MD4, MDC2, Whirlpool, Blowfish, CAST, DES, IDEA, RC2, RC4,
RC5, SEED, and PBKDF1
The OpenSSL project has deprecated a set of cryptographic algorithms because they are insecure,
uncommonly used, or both. Red Hat also discourages the use of those algorithms, and RHEL 9 provides
them for migrating encrypted data to use new algorithms. Users must not depend on those algorithms
for the security of their systems.
The implementations of the following algorithms have been moved to the legacy provider in OpenSSL:
MD2, MD4, MDC2, Whirlpool, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1.
See the /etc/pki/tls/openssl.cnf configuration file for instructions on how to load the legacy provider
and enable support for the deprecated algorithms.
Bugzilla:1975836
Support for indicating FIPS mode through the /etc/system-fips file has been removed, and the file will
not be included in future versions of RHEL. To install RHEL in FIPS mode, add the fips=1 parameter to
the kernel command line during the system installation. You can check whether RHEL operates in FIPS
mode by using the fips-mode-setup --check command.
Jira:RHELPLAN-103232[1]
The libcrypt.so.1 library is now deprecated, and it might be removed in a future version of RHEL.
Bugzilla:2034569
To register your system, use other supported authorization methods, such as the paired options
--username / --password or --org / --activationkey with the subscription-manager register
command.
Bugzilla:2163716
In RHEL 9, Red Hat recommends using the tar, dd, or bacula backup utility, depending on the type of
usage; these provide full and safe backups on ext2, ext3, and ext4 file systems.
Note that the restore utility from the dump package remains available and supported in RHEL 9 and is
available as the restore package.
Bugzilla:1997366[1]
Jira:RHEL-6856
The %vmeff metric from the sysstat package has been deprecated
The %vmeff metric from the sysstat package to measure the page reclaim efficiency will no longer be
supported in a future major version of RHEL. The values of the %vmeff column returned by the sar -B
command are incorrect because sysstat does not parse all relevant /proc/vmstat values provided by
later kernel versions.
You can calculate the %vmeff value manually from the /proc/vmstat file. For details, see Why the sar(1)
tool reports %vmeff values beyond 100 % in RHEL 8 and RHEL 9?
Jira:RHELDOCS-17015[1]
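The following script is an added example, not code from the release notes, Red Hat, or the sysstat project. It computes %vmeff from two /proc/vmstat snapshots the way sar -B defines it (pages reclaimed over pages scanned, per interval) and also shows how mixing the two counter breakdowns that newer kernels expose produces values above 100 %. The counter names follow upstream kernel naming; which of them a given RHEL kernel exposes is an assumption, and missing counters are treated as zero.

```python
"""%vmeff (page reclaim efficiency) from /proc/vmstat, as sar -B reports it:
pages reclaimed (pgsteal) / pages scanned (pgscan) * 100 over an interval.
Only one breakdown of the counters may be used for both sides of the ratio."""
import time

# By-source breakdown of reclaim activity. Kernels since 5.9 also expose a
# by-page-type breakdown (pgscan_anon/pgscan_file, pgsteal_anon/pgsteal_file)
# that covers the same pages. Assumption: which of these counters a given RHEL
# kernel exposes (khugepaged ones are newer); missing counters count as zero.
STEAL_KEYS = ("pgsteal_kswapd", "pgsteal_direct", "pgsteal_khugepaged")
SCAN_KEYS = ("pgscan_kswapd", "pgscan_direct", "pgscan_khugepaged")


def parse_vmstat(text):
    """Parse /proc/vmstat content ("name value" per line) into {name: int}."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        try:
            stats[parts[0]] = int(parts[1])
        except ValueError:
            continue  # non-numeric value, ignore
    return stats


def _delta(before, after, keys):
    """Sum of per-counter increments over the interval, missing keys as zero."""
    return sum(after.get(k, 0) - before.get(k, 0) for k in keys)


def vmeff(before, after):
    """%vmeff for the interval, or None when nothing was scanned.

    Numerator and denominator both use the by-source breakdown, so no page
    is counted twice and the result cannot exceed 100 % through double counting.
    """
    scanned = _delta(before, after, SCAN_KEYS)
    if scanned <= 0:
        return None
    return 100.0 * _delta(before, after, STEAL_KEYS) / scanned


def vmeff_mixed(before, after):
    """The trap: every pgsteal_* counter (both breakdowns) over the by-source
    scan counters. On a kernel exposing both breakdowns each reclaimed page is
    counted twice, so the result exceeds 100 %."""
    steal_all = [k for k in after if k.startswith("pgsteal_")]
    scanned = _delta(before, after, SCAN_KEYS)
    if scanned <= 0:
        return None
    return 100.0 * _delta(before, after, steal_all) / scanned


def read_vmstat(path="/proc/vmstat"):
    """Read and parse a live snapshot."""
    with open(path, encoding="ascii") as fh:
        return parse_vmstat(fh.read())


def sample_vmeff(interval=1.0):
    """Two live snapshots `interval` seconds apart, like one sar -B interval."""
    before = read_vmstat()
    time.sleep(interval)
    return vmeff(before, read_vmstat())


# Constructed snapshots, not captured from a real system. In each one the two
# breakdowns agree (anon + file == kswapd + direct for scans and for steals),
# which is how the kernel accounts them; pgfault is an unrelated counter.
BEFORE = """\
pgscan_kswapd 1000
pgscan_direct 200
pgscan_anon 300
pgscan_file 900
pgsteal_kswapd 800
pgsteal_direct 150
pgsteal_anon 250
pgsteal_file 700
pgfault 5000
"""
AFTER = """\
pgscan_kswapd 5000
pgscan_direct 1200
pgscan_anon 1800
pgscan_file 4400
pgsteal_kswapd 4000
pgsteal_direct 900
pgsteal_anon 1600
pgsteal_file 3300
pgfault 9000
"""

if __name__ == "__main__":
    b, a = parse_vmstat(BEFORE), parse_vmstat(AFTER)
    print(f"%vmeff (by-source):        {vmeff(b, a):.2f}")   # 79.00
    print(f"%vmeff (mixed breakdowns): {vmeff_mixed(b, a):.2f}")  # 158.00
```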
To specify a custom directory for ReaR temporary files, export the variable in the shell environment
before executing ReaR. For example, execute the export TMPDIR=… statement and then execute the
rear command in the same shell session or script.
Jira:RHELDOCS-18049[1]
cgroups is a kernel subsystem used for process tracking, system resource allocation, and
partitioning. The systemd service manager supports booting in cgroups v1 mode and in cgroups v2
mode. In Red Hat Enterprise Linux 9, the default mode is v2. In Red Hat Enterprise Linux 10, systemd will
not support booting in cgroups v1 mode; only cgroups v2 mode will be available.
Jira:RHELDOCS-17545[1]
Jira:RHELDOCS-17135[1]
The sendmail , libotr, mod_security, and spamassassin packages are now deprecated
The following packages are deprecated in RHEL 9 and will not be distributed in later major versions of
RHEL:
sendmail - Red Hat recommends migrating to the postfix mail daemon, which is supported.
libotr
mod_security
spamassassin
Jira:RHEL-22385[1]
10.6. NETWORKING
Network teams are deprecated in RHEL 9
The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be
removed in the next major release. As a replacement, configure a bond instead of a network team.
Red Hat focuses its efforts on kernel-based bonding to avoid maintaining two features, bonds and
teams, that have similar functions. The bonding code has a high customer adoption, is robust, and has an
active community development. As a result, the bonding code receives enhancements and updates.
For details about how to migrate a team to a bond, see Migrating a network team configuration to
network bond.
Bugzilla:1935544[1]
Bugzilla:1894877[1]
Bugzilla:2089200
Jira:RHEL-17708
Jira:RHEL-17619[1]
Jira:RHEL-1015[1]
10.7. KERNEL
ATM encapsulation is deprecated in RHEL 9
Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, Ethernet)
or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Red Hat has not been providing
support for ATM NIC drivers since RHEL 7. Support for the ATM implementation is being dropped in
RHEL 9. These protocols are currently used only in chipsets that support the ADSL technology, which
are being phased out by manufacturers. Therefore, ATM encapsulation is deprecated in Red Hat
Enterprise Linux 9.
For more information, see PPP Over AAL5, Multiprotocol Encapsulation over ATM Adaptation Layer 5 ,
and Classical IP and ARP over ATM .
Bugzilla:2058153
Bugzilla:2113873[1]
Red Hat focuses its efforts on kernel-based bonding to avoid maintaining two features, bonds and
teams, that have similar functions. The bonding code has a high customer adoption, is robust, and has an
active community development. As a result, the bonding code receives enhancements and updates.
For details about how to migrate a team to a bond, see Migrating a network team configuration to
network bond.
Bugzilla:2013884 [1]
Bugzilla:2038183
Persistent Memory Development Kit ( pmdk) and support library have been deprecated in
RHEL 9
pmdk is a collection of libraries and tools for system administrators and application developers that
simplifies managing and accessing persistent memory devices. pmdk and its support library have been
deprecated in RHEL 9. This also includes the -debuginfo packages.
The following binary packages produced by pmdk, as well as the nvml source package, have been
deprecated:
libpmem
libpmem-devel
libpmem-debug
libpmem2
libpmem2-devel
libpmem2-debug
libpmemblk
libpmemblk-devel
libpmemblk-debug
libpmemlog
libpmemlog-devel
libpmemlog-debug
libpmemobj
libpmemobj-devel
libpmemobj-debug
libpmempool
libpmempool-devel
libpmempool-debug
pmempool
daxio
pmreorder
pmdk-convert
libpmemobj++
libpmemobj++-devel
libpmemobj++-doc
Jira:RHELDOCS-16432[1]
Jira:RHEL-30730[1]
Statistics and configuration values for dm-vdo targets will no longer be accessible through sysfs. These
values remain accessible through the dmsetup message stats, dmsetup status, and dmsetup table
commands.
Jira:RHEL-30525
RHEL 8 and RHEL 9 currently provide Berkeley DB (libdb) version 5.3.28, which is distributed under the
LGPLv2 license. The upstream Berkeley DB version 6 is available under the AGPLv3 license, which is
more restrictive.
The libdb package is deprecated as of RHEL 9 and might not be available in future major RHEL releases.
In addition, cryptographic algorithms have been removed from libdb in RHEL 9 and multiple libdb
dependencies have been removed from RHEL 9.
Users of libdb are advised to migrate to a different key-value database. For more information, see the
Knowledgebase article Available replacements for the deprecated Berkeley DB (libdb) in RHEL .
Bugzilla:2111072
Some PKCS1 v1.5 modes are now deprecated in Go’s FIPS mode
Some PKCS1 v1.5 modes are not approved in FIPS-140-3 for encryption and are disabled. They will no
longer work in Go’s FIPS mode.
Bugzilla:2092016[1]
Jira:RHELDOCS-17917[1]
OpenDNSSec supports exporting Digital Signatures and authentication records using the SHA-1
algorithm. The use of the SHA-1 algorithm is no longer supported. With the RHEL 9 release, SHA-1 in
OpenDNSSec is deprecated and it might be removed in a future minor release. Additionally,
OpenDNSSec support is limited to its integration with Red Hat Identity Management. OpenDNSSec is
not supported standalone.
Bugzilla:1979521
To retrieve user and group information from local files with SSSD:
a. Explicitly configure a local domain with the id_provider=files option in the sssd.conf
configuration file.
[domain/local]
id_provider=files
...
[sssd]
enable_files_domain = true
Jira:RHELPLAN-100639[1]
Jira:RHELPLAN-139805[1]
Jira:SSSD-6596
Jira:SSSD-6601
To improve the security, by default, SMB1 is disabled in the Samba server and client utilities.
Jira:RHELDOCS-16612[1]
10.12. DESKTOP
GTK 2 is now deprecated
The legacy GTK 2 toolkit and the following, related packages have been deprecated:
adwaita-gtk2-theme
gnome-common
gtk2
gtk2-immodules
hexchat
Several other packages currently depend on GTK 2. These have been modified so that, in a future major
RHEL release, they no longer depend on the deprecated packages.
If you maintain an application that uses GTK 2, Red Hat recommends that you port the application to
GTK 4.
Jira:RHELPLAN-131882 [1]
LibreOffice is deprecated
The LibreOffice RPM packages are now deprecated and will be removed in a future major RHEL release.
LibreOffice continues to be fully supported through the entire life cycle of RHEL 7, 8, and 9.
As a replacement for the RPM packages, Red Hat recommends that you install LibreOffice from either
of the following sources provided by The Document Foundation:
Jira:RHELDOCS-16300 [1]
The following Motif packages have been deprecated, including their development and debugging
variants:
motif
openmotif
openmotif21
openmotif22
Red Hat recommends using the GTK toolkit as a replacement. GTK is more maintainable and provides
new features compared to Motif.
Jira:RHELPLAN-98983[1]
Jira:RHEL-19092
The network system role displays a deprecation warning when configuring teams on RHEL 9
nodes
The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network RHEL
system role on a RHEL 8 control node to configure a network team on RHEL 9 nodes shows a warning
about the deprecation.
Bugzilla:1999770
10.15. VIRTUALIZATION
SecureBoot image verification using SHA1-based signatures is deprecated
Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF)
executables is deprecated. Instead, Red Hat recommends using signatures based on the SHA2
algorithm or later.
Bugzilla:1935497[1]
Bugzilla:1965079
Instead of qcow2-v2, Red Hat strongly recommends using qcow2-v3. To convert a qcow2-v2 image to a
later format version, use the qemu-img amend command.
Bugzilla:1951814
Jira:RHELPLAN-10304[1]
The monolithic libvirt daemon, libvirtd, has been deprecated in RHEL 9, and will be removed in a future
major release of RHEL. Note that you can still use libvirtd for managing virtualization on your
hypervisor, but Red Hat recommends switching to the newly introduced modular libvirt daemons. For
instructions and details, see the RHEL 9 Configuring and Managing Virtualization document.
Jira:RHELPLAN-113995[1]
For Intel: models before Intel Xeon 55xx and 75xx Processor families (also known as Nehalem)
To check whether your VM is using a deprecated CPU model, use the virsh dominfo utility, and look for
a line similar to the following in the Messages section:
Bugzilla:2060839
Jira:RHELPLAN-153267[1]
Since RHEL 9.3, the Intel vGPU feature has been removed entirely.
Bugzilla:2206599[1]
Jira:RHELDOCS-17989
Using Windows Server 2012 or Windows 8 as a guest operating system is not supported
Because Microsoft ended support for the following versions of Windows, Red Hat also removed support
for using these versions as a guest operating system in this update.
Windows 8
Windows 8.1
Jira:RHEL-11810
10.16. CONTAINERS
Running RHEL 9 containers on a RHEL 7 host is not supported
Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not guaranteed.
For more information, see Red Hat Enterprise Linux Container Compatibility Matrix .
Jira:RHELPLAN-100087[1]
Bugzilla:2069279[1]
Bugzilla:2106816
For more information, see Switching the network stack from CNI to Netavark .
Jira:RHELDOCS-16756[1]
Jira:RHELDOCS-17102 [1]
The support for pasta as a network name value is deprecated and will not be accepted in the next major
release of Podman, version 5.0. You can use the pasta network name value to create a unique network
mode within Podman by employing the podman run --network and podman create --network
commands.
Jira:RHELDOCS-17038[1]
Jira:RHELDOCS-17495[1]
Jira:RHELDOCS-17518[1]
The BoltDB database backend will be deprecated. The new SQLite database backend is
available.
The containers.conf file will be read-only. The system connections and farm information will be
stored in the podman.connections.json file, managed only by Podman. Podman continues to
support the old configuration options such as [engine.service_destinations] and the [farms]
section. You can still add connections or farms manually if needed. However, it is not possible to
delete a connection from the containers.conf file with the podman system connection rm
command.
The pasta network mode will be the default network mode for rootless containers. The
slirp4netns network mode will be deprecated.
Jira:RHELDOCS-17462[1]
Jira:RHELDOCS-18106[1]
This section lists packages that have been deprecated and will probably not be included in a future
major release of Red Hat Enterprise Linux.
For changes to packages between RHEL 8 and RHEL 9, see Changes to packages in the Considerations
in adopting RHEL 9 document.
IMPORTANT
The support status of deprecated packages remains unchanged within RHEL 9. For more
information about the length of support, see Red Hat Enterprise Linux Life Cycle and
Red Hat Enterprise Linux Application Streams Life Cycle.
aacraid
adwaita-gtk2-theme
af_key
anaconda-user-help
autocorr-af
autocorr-bg
autocorr-ca
autocorr-cs
autocorr-da
autocorr-de
autocorr-dsb
autocorr-el
autocorr-en
autocorr-es
autocorr-fa
autocorr-fi
autocorr-fr
autocorr-ga
autocorr-hr
autocorr-hsb
autocorr-hu
autocorr-is
autocorr-it
autocorr-ja
autocorr-ko
autocorr-lb
autocorr-lt
autocorr-mn
autocorr-nl
autocorr-pl
autocorr-pt
autocorr-ro
autocorr-ru
autocorr-sk
autocorr-sl
autocorr-sr
autocorr-sv
autocorr-tr
autocorr-vi
autocorr-vro
autocorr-zh
cheese
cheese-libs
clutter
clutter-gst3
clutter-gtk
cogl
daxio
dbus-glib
dbus-glib-devel
dhcp-client
dhcp-common
dhcp-relay
dhcp-server
enchant
enchant-devel
eog
evolution
evolution-bogofilter
evolution-devel
evolution-help
evolution-langpacks
evolution-mapi
evolution-mapi-langpacks
evolution-pst
evolution-spamassassin
festival
festival-data
festvox-slt-arctic-hts
flite
flite-devel
firewire-core
gedit
gedit-plugin-bookmarks
gedit-plugin-bracketcompletion
gedit-plugin-codecomment
gedit-plugin-colorpicker
gedit-plugin-colorschemer
gedit-plugin-commander
gedit-plugin-drawspaces
gedit-plugin-findinfiles
gedit-plugin-joinlines
gedit-plugin-multiedit
gedit-plugin-sessionsaver
gedit-plugin-smartspaces
gedit-plugin-synctex
gedit-plugin-terminal
gedit-plugin-textsize
gedit-plugin-translate
gedit-plugin-wordcompletion
gedit-plugins
gedit-plugins-data
ghostscript-x11
gnome-common
gnome-photos
gnome-photos-tests
gnome-screenshot
gnome-themes-extra
gtk2
gtk2-devel
gtk2-devel-docs
gtk2-immodule-xim
gtk2-immodules
highcontrast-icon-theme
inkscape
inkscape-docs
inkscape-view
iptables-devel
iptables-libs
iptables-nft
iptables-nft-services
iptables-utils
libdb
libgdata
libgdata-devel
libpmem
libpmem-debug
libpmem-devel
libpmem2
libpmem2-debug
libpmem2-devel
libpmemblk
libpmemblk-debug
libpmemblk-devel
libpmemlog
libpmemlog-debug
libpmemlog-devel
libpmemobj
libpmemobj-debug
libpmemobj-devel
libpmempool
libpmempool-debug
libpmempool-devel
libreoffice
libreoffice-base
libreoffice-calc
libreoffice-core
libreoffice-data
libreoffice-draw
libreoffice-emailmerge
libreoffice-filters
libreoffice-gdb-debug-support
libreoffice-graphicfilter
libreoffice-gtk3
libreoffice-help-ar
libreoffice-help-bg
libreoffice-help-bn
libreoffice-help-ca
libreoffice-help-cs
libreoffice-help-da
libreoffice-help-de
libreoffice-help-dz
libreoffice-help-el
libreoffice-help-en
libreoffice-help-eo
libreoffice-help-es
libreoffice-help-et
libreoffice-help-eu
libreoffice-help-fi
libreoffice-help-fr
libreoffice-help-gl
libreoffice-help-gu
libreoffice-help-he
libreoffice-help-hi
libreoffice-help-hr
libreoffice-help-hu
libreoffice-help-id
libreoffice-help-it
libreoffice-help-ja
libreoffice-help-ko
libreoffice-help-lt
libreoffice-help-lv
libreoffice-help-nb
libreoffice-help-nl
libreoffice-help-nn
libreoffice-help-pl
libreoffice-help-pt-BR
libreoffice-help-pt-PT
libreoffice-help-ro
libreoffice-help-ru
libreoffice-help-si
libreoffice-help-sk
libreoffice-help-sl
libreoffice-help-sv
libreoffice-help-ta
libreoffice-help-tr
libreoffice-help-uk
libreoffice-help-zh-Hans
libreoffice-help-zh-Hant
libreoffice-impress
libreoffice-langpack-af
libreoffice-langpack-ar
libreoffice-langpack-as
libreoffice-langpack-bg
libreoffice-langpack-bn
libreoffice-langpack-br
libreoffice-langpack-ca
libreoffice-langpack-cs
libreoffice-langpack-cy
libreoffice-langpack-da
libreoffice-langpack-de
libreoffice-langpack-dz
libreoffice-langpack-el
libreoffice-langpack-en
libreoffice-langpack-eo
libreoffice-langpack-es
libreoffice-langpack-et
libreoffice-langpack-eu
libreoffice-langpack-fa
libreoffice-langpack-fi
libreoffice-langpack-fr
libreoffice-langpack-fy
libreoffice-langpack-ga
libreoffice-langpack-gl
libreoffice-langpack-gu
libreoffice-langpack-he
libreoffice-langpack-hi
libreoffice-langpack-hr
libreoffice-langpack-hu
libreoffice-langpack-id
libreoffice-langpack-it
libreoffice-langpack-ja
libreoffice-langpack-kk
libreoffice-langpack-kn
libreoffice-langpack-ko
libreoffice-langpack-lt
libreoffice-langpack-lv
libreoffice-langpack-mai
libreoffice-langpack-ml
libreoffice-langpack-mr
libreoffice-langpack-nb
libreoffice-langpack-nl
libreoffice-langpack-nn
libreoffice-langpack-nr
libreoffice-langpack-nso
libreoffice-langpack-or
libreoffice-langpack-pa
libreoffice-langpack-pl
libreoffice-langpack-pt-BR
libreoffice-langpack-pt-PT
libreoffice-langpack-ro
libreoffice-langpack-ru
libreoffice-langpack-si
libreoffice-langpack-sk
libreoffice-langpack-sl
libreoffice-langpack-sr
libreoffice-langpack-ss
libreoffice-langpack-st
libreoffice-langpack-sv
libreoffice-langpack-ta
libreoffice-langpack-te
libreoffice-langpack-th
libreoffice-langpack-tn
libreoffice-langpack-tr
libreoffice-langpack-ts
libreoffice-langpack-uk
libreoffice-langpack-ve
libreoffice-langpack-xh
libreoffice-langpack-zh-Hans
libreoffice-langpack-zh-Hant
libreoffice-langpack-zu
libreoffice-math
libreoffice-ogltrans
libreoffice-opensymbol-fonts
libreoffice-pdfimport
libreoffice-pyuno
libreoffice-sdk
libreoffice-sdk-doc
libreoffice-ure
libreoffice-ure-common
libreoffice-wiki-publisher
libreoffice-writer
libreoffice-x11
libreoffice-xsltfilter
libreofficekit
libsoup
libsoup-devel
libuser
libuser-devel
libwpe
libwpe-devel
mcpp
mod_auth_mellon
motif
motif-devel
pmdk-convert
pmempool
python3-pytz
qla4xxx
qt5
qt5-assistant
qt5-designer
qt5-devel
qt5-doctools
qt5-linguist
qt5-qdbusviewer
qt5-qt3d
qt5-qt3d-devel
qt5-qt3d-doc
qt5-qt3d-examples
qt5-qtbase
qt5-qtbase-common
qt5-qtbase-devel
qt5-qtbase-doc
qt5-qtbase-examples
qt5-qtbase-gui
qt5-qtbase-mysql
qt5-qtbase-odbc
qt5-qtbase-postgresql
qt5-qtbase-private-devel
qt5-qtbase-static
qt5-qtconnectivity
qt5-qtconnectivity-devel
qt5-qtconnectivity-doc
qt5-qtconnectivity-examples
qt5-qtdeclarative
qt5-qtdeclarative-devel
qt5-qtdeclarative-doc
qt5-qtdeclarative-examples
qt5-qtdeclarative-static
qt5-qtdoc
qt5-qtgraphicaleffects
qt5-qtgraphicaleffects-doc
qt5-qtimageformats
qt5-qtimageformats-doc
qt5-qtlocation
qt5-qtlocation-devel
qt5-qtlocation-doc
qt5-qtlocation-examples
qt5-qtmultimedia
qt5-qtmultimedia-devel
qt5-qtmultimedia-doc
qt5-qtmultimedia-examples
qt5-qtquickcontrols
qt5-qtquickcontrols-doc
qt5-qtquickcontrols-examples
qt5-qtquickcontrols2
qt5-qtquickcontrols2-devel
qt5-qtquickcontrols2-doc
qt5-qtquickcontrols2-examples
qt5-qtscript
qt5-qtscript-devel
qt5-qtscript-doc
qt5-qtscript-examples
qt5-qtsensors
qt5-qtsensors-devel
qt5-qtsensors-doc
qt5-qtsensors-examples
qt5-qtserialbus
qt5-qtserialbus-devel
qt5-qtserialbus-doc
qt5-qtserialbus-examples
qt5-qtserialport
qt5-qtserialport-devel
qt5-qtserialport-doc
qt5-qtserialport-examples
qt5-qtsvg
qt5-qtsvg-devel
qt5-qtsvg-doc
qt5-qtsvg-examples
qt5-qttools
qt5-qttools-common
qt5-qttools-devel
qt5-qttools-doc
qt5-qttools-examples
qt5-qttools-libs-designer
qt5-qttools-libs-designercomponents
qt5-qttools-libs-help
qt5-qttools-static
qt5-qttranslations
qt5-qtwayland
qt5-qtwayland-devel
qt5-qtwayland-doc
qt5-qtwayland-examples
qt5-qtwebchannel
qt5-qtwebchannel-devel
qt5-qtwebchannel-doc
qt5-qtwebchannel-examples
qt5-qtwebsockets
qt5-qtwebsockets-devel
qt5-qtwebsockets-doc
qt5-qtwebsockets-examples
qt5-qtx11extras
qt5-qtx11extras-devel
qt5-qtx11extras-doc
qt5-qtxmlpatterns
qt5-qtxmlpatterns-devel
qt5-qtxmlpatterns-doc
qt5-qtxmlpatterns-examples
qt5-rpm-macros
qt5-srpm-macros
team
tigervnc
tigervnc-icons
tigervnc-license
tigervnc-selinux
tigervnc-server
tigervnc-server-minimal
tigervnc-server-module
webkit2gtk3
webkit2gtk3-devel
webkit2gtk3-jsc
webkit2gtk3-jsc-devel
wpebackend-fdo
wpebackend-fdo-devel
xorg-x11-server-Xorg
yp-tools
ypbind
ypserv
CHAPTER 11. KNOWN ISSUES
To work around this problem, verify that the BaseOS and AppStream repositories are available to the
installation program or use the authselect Kickstart command during installation.
Bugzilla:1640697[1]
The reboot --kexec and inst.kexec commands do not provide a predictable system state
Performing a RHEL installation with the reboot --kexec Kickstart command or the inst.kexec kernel
boot parameter does not provide the same predictable system state as a full reboot. As a consequence,
switching to the installed system without rebooting can produce unpredictable results.
Note that the kexec feature is deprecated and will be removed in a future release of Red Hat Enterprise
Linux.
Bugzilla:1697896[1]
To work around this problem, do not run Anaconda on the production system. Instead, run Anaconda in a
temporary virtual machine to keep the SELinux policy unchanged on the production system. Running
Anaconda as part of the system installation process, such as installing from boot.iso or dvd.iso, is not
affected by this issue.
Bugzilla:2050140
Local Media installation source is not detected when booting the installation from a USB
that is created using a third party tool
When booting the RHEL installation from a USB that is created using a third party tool, the installation
program fails to detect the Local Media installation source (only Red Hat CDN is detected).
This issue occurs because the default boot option inst.stage2= attempts to search for the iso9660 image
format. However, a third-party tool might create an ISO image with a different format.
To work around this problem, use one of the following options:
When booting the installation, press the Tab key to edit the kernel command line, and change
the boot option inst.stage2= to inst.repo=.
When using a third party tool such as Rufus to create a bootable USB device, first regenerate
the RHEL ISO image on a Linux system, and then use the third party tool to create a bootable
USB device.
For more information about the steps involved in performing any of the specified workarounds, see
Installation media is not auto-detected during the installation of RHEL 8.3.
Bugzilla:1877697[1]
To work around this problem, use the harddrive --partition=sdX --dir=/ command to install from a USB
CD-ROM drive. As a result, the installation does not fail.
Jira:RHEL-4707
To work around this problem, add the following %pre script to the Kickstart file to wipe the disk before
the installation starts.
Note: Before performing the workaround, back up the data on the disk. The wipefs -a command erases all
file system, RAID, and partition-table signatures from the disk, so the existing data is no longer accessible.
%pre
wipefs -a /dev/sda
%end
Jira:RHEL-4711
To work around this problem, ensure that you configure an administrator user account, or that the root
password is set and the root account is unlocked. As a result, users can perform administrative tasks on
the installed system.
Bugzilla:2047713
New XFS features prevent booting of PowerNV IBM POWER systems with firmware older
than version 5.10
PowerNV IBM POWER systems use a Linux kernel for firmware, and use Petitboot as a replacement for
GRUB. This results in the firmware kernel mounting /boot and Petitboot reading the GRUB config and
booting RHEL.
The RHEL 9 kernel introduces the bigtime=1 and inobtcount=1 features to the XFS file system, which
firmware kernels older than version 5.10 do not support.
To work around this problem, you can use another filesystem for /boot, for example ext4.
Bugzilla:1997832[1]
RHEL for Edge installer image fails to create mount points when installing an rpm-ostree
payload
When deploying rpm-ostree payloads, used for example in a RHEL for Edge installer image, the
installation program does not properly create some mount points for custom partitions. As a
consequence, the installation is aborted with the following error:
The command 'mount --bind /mnt/sysimage/data /mnt/sysroot/data' exited with the code 32.
To work around this problem, use one of the following options:
Use an automatic partitioning scheme and do not add any mount points manually.
Manually assign mount points only inside the /var directory, for example, /var/my-mount-point,
and the following standard directories: /, /boot, /var.
Jira:RHEL-4741
NetworkManager fails to start after the installation when connected to a network but
without DHCP or a static IP address configured
Starting with RHEL 9.0, Anaconda activates network devices automatically when there is no specific ip=
or Kickstart network configuration set. Anaconda creates a default persistent configuration file for each
Ethernet device. The connection profile has the ONBOOT and autoconnect values set to true. As a
consequence, during the start of the installed system, RHEL activates the network devices, and the
NetworkManager-wait-online service fails.
Delete all connections using the nmcli utility except one connection you want to use. For
example:
Replace <connection_name> with the name of the connection you want to delete.
Disable the auto connect network feature in Anaconda if no specific ip= or Kickstart network
configuration is set.
c. Click Configure.
d. On the General tab, clear the Connect automatically with priority checkbox.
e. Click Save.
Bugzilla:2115783[1]
Configure the network, for example using the nmcli tool, as a part of the %pre script.
Use the installation program boot options to configure the network for the %pre script.
As a result, it is possible to use the network for tasks in the %pre section and the Kickstart installation
process completes.
Bugzilla:2173992
Enabling the FIPS mode is not supported when building rpm-ostree images with RHEL image
builder
Currently, it is not possible to enable FIPS mode when building rpm-ostree images with RHEL image
builder.
Jira:RHEL-4655
Images built with the stig profile remediation fail to boot with a FIPS error
FIPS mode is not supported by RHEL image builder. When using RHEL image builder customized with
the xccdf_org.ssgproject.content_profile_stig profile remediation, the system fails to boot with the
following error:
Enabling the FIPS policy manually after the system image installation with the fips-mode-setup --
enable command does not work, because the /boot directory is on a different partition. The system boots
successfully if FIPS is disabled. Currently, there is no workaround available.
NOTE
You can manually enable FIPS after installing the image by using the fips-mode-setup --
enable command.
Jira:RHEL-4649
When you start the RHEL installation by using the inst.dd option on the kernel command line with a driver
disk, the console fails to echo user input. Consequently, the application appears not to respond to user
input, even though it still displays output, which is confusing for users. However, this behavior does not
affect the functionality: user input is registered after you press Enter.
As a workaround, ignore the missing echo of your input in the console and press Enter when you finish
typing.
Jira:RHEL-4737
Kickstart installation fails due to missing packages with systemd service files in %packages
section
If the Kickstart file uses the services --enabled=… directive to enable systemd services and packages
containing the specified service file are not included in the %packages section, the RHEL installation
process fails with the following error:
To work around this problem, include the package with the service file in Kickstart’s %packages section.
As a result, RHEL installation completes, enabling expected services during installation.
Jira:RHEL-9633[1]
Currently, you cannot build base disk images that come from private registries by using bootc-image-
builder. To work around this issue, pull the base image from the private registry into your local container
storage, then build the image with the following argument:
--local
Jira:RHEL-34054
11.2. SECURITY
OpenSSL does not detect if a PKCS #11 token supports the creation of raw RSA or RSA-
PSS signatures
The TLS 1.3 protocol requires support for RSA-PSS signatures. If a PKCS #11 token does not support raw
RSA or RSA-PSS signatures, server applications that use the OpenSSL library fail to work with an RSA
key if the key is held by the PKCS #11 token. As a result, TLS communication fails in the described
scenario.
To work around this problem, configure servers and clients to use TLS version 1.2 as the highest TLS
protocol version available.
Bugzilla:1681178[1]
OpenSSL incorrectly handles PKCS #11 tokens that do not support raw RSA or RSA-PSS
signatures
The OpenSSL library does not detect key-related capabilities of PKCS #11 tokens. Consequently,
establishing a TLS connection fails when a signature is created with a token that does not support raw
RSA or RSA-PSS signatures.
To work around the problem, add the following lines after the .include line at the end of the
crypto_policy section in the /etc/pki/tls/openssl.cnf file:
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
MaxProtocol = TLSv1.2
Bugzilla:1685470[1]
To work around this problem, do not copy files to a destination that is the same as the source location
using this syntax.
Bugzilla:2056884
The OSCAP Anaconda add-on does not fetch tailored profiles in the graphical installation
The OSCAP Anaconda add-on does not provide an option to select or deselect tailoring of security
profiles in the RHEL graphical installation. Starting from RHEL 8.8, the add-on does not take tailoring
into account by default when installing from archives or RPM packages. Consequently, the installation
displays the following error message instead of fetching an OSCAP tailored profile:
To work around this problem, you must specify paths in the %addon org_fedora_oscap section of your
Kickstart file, for example:
xccdf-path = /usr/share/xml/scap/sc_tailoring/ds-combined.xml
tailoring-path = /usr/share/xml/scap/sc_tailoring/tailoring-xccdf.xml
As a result, you can use the graphical installation for OSCAP tailored profiles only with the
corresponding Kickstart specifications.
Jira:RHEL-1824
# cd /usr/share/scap-security-guide/ansible
3. Run the relevant Ansible Playbook using environment variables that define the path to the
additional Ansible collections:
# ANSIBLE_COLLECTIONS_PATH=/usr/share/rhc-worker-playbook/ansible/collections/ansible_collections/ ansible-playbook -c local -i localhost, rhel9-playbook-cis_server_l1.yml
Replace cis_server_l1 with the ID of the profile against which you want to remediate the
system.
NOTE
Jira:RHEL-1800
client components (keylime_verifier and keylime_tenant) cannot connect to the Keylime agent. To
work around this problem, use just one certificate instead of multiple certificates.
Jira:RHELPLAN-157225[1]
Jira:RHEL-11867[1]
Jira:RHEL-1518[1]
Jira:RHEL-24345[1]
Jira:RHEL-520[1]
Default SELinux policy allows unconfined executables to make their stack executable
The default state of the selinuxuser_execstack boolean in the SELinux policy is on, which means that
unconfined executables can make their stack executable. Executables should not use this option, and it
might indicate poorly coded executables or a possible attack. However, due to compatibility with other
tools, packages, and third-party products, Red Hat cannot change the value of the boolean in the
default policy. If your scenario does not depend on such compatibility aspects, you can turn the boolean
off in your local policy by entering the command setsebool -P selinuxuser_execstack off.
Bugzilla:2064274
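Before turning selinuxuser_execstack off, it helps to know which binaries on the host actually request an executable stack, because those are the ones that will start failing. The following script is an added example, not code from these release notes or from Red Hat: it reads the PT_GNU_STACK program header directly (the same flag that readelf -lW reports as GNU_STACK with RWE) and lists matching files under a directory. The build_sample_elf helper and its constructed image exist only so the parser can be exercised offline; the default /usr/bin scan root is an assumption.

```python
"""List ELF executables that request an executable stack (PT_GNU_STACK with PF_X).

Added example for the selinuxuser_execstack note; not code from the RHEL
release notes. Binaries flagged here are the ones that would break once the
boolean is turned off, so review them before changing the policy.
"""
import os
import struct
import sys
from typing import Iterator, Optional

PT_GNU_STACK = 0x6474E551   # GNU ABI program header describing stack permissions
PF_X = 0x1                  # segment flag: executable
ELFCLASS32, ELFCLASS64 = 1, 2


def gnu_stack_executable(data: bytes) -> Optional[bool]:
    """True if the image asks for an executable stack, False if it asks for a
    non-executable one, None if the data is not ELF or carries no PT_GNU_STACK
    header (the kernel then applies its architecture default)."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"            # 1 = little-endian, 2 = big-endian
    if ei_class == ELFCLASS64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        phdr_fmt, flags_index = end + "IIQQQQQQ", 1   # p_type, p_flags, p_offset, ...
    elif ei_class == ELFCLASS32:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        phdr_fmt, flags_index = end + "IIIIIIII", 6   # ..., p_memsz, p_flags, p_align
    else:
        return None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(phdr_fmt) > len(data):
            break                                   # truncated or malformed headers
        fields = struct.unpack_from(phdr_fmt, data, off)
        if fields[0] == PT_GNU_STACK:
            return bool(fields[flags_index] & PF_X)
    return None


def scan_execstack(root: str) -> Iterator[str]:
    """Yield regular files under root whose PT_GNU_STACK header sets PF_X."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1 << 20)   # program headers sit near the start
            except OSError:
                continue
            if gnu_stack_executable(head):
                yield path


def build_sample_elf(executable_stack: bool) -> bytes:
    """Construct a minimal little-endian ELF64 image with one PT_GNU_STACK
    header (constructed test input, not a runnable binary)."""
    flags = 0x6 | (PF_X if executable_stack else 0)        # RW, optionally +E
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4], ehdr[5], ehdr[6] = ELFCLASS64, 1, 1           # 64-bit, LE, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, 2, 62, 1)           # ET_EXEC, EM_X86_64, version
    struct.pack_into("<Q", ehdr, 0x20, 64)                 # e_phoff: right after header
    struct.pack_into("<HHH", ehdr, 0x34, 64, 56, 1)        # e_ehsize, e_phentsize, e_phnum
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return bytes(ehdr) + phdr


if __name__ == "__main__":
    for path in scan_execstack(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(path)
```

The static header check is necessary but not sufficient: the boolean also governs processes that call mprotect() at run time to make their stack executable, which no file scan can see, so watch for execstack denials in the audit log after setting it off.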
When applied to SSH servers, each of these rules configures an option (ClientAliveCountMax and
ClientAliveInterval) that no longer behaves as previously. As a consequence, OpenSSH no longer
disconnects idle SSH users when it reaches the timeout configured by these rules. As a workaround,
these rules have been temporarily removed from the DISA STIG for RHEL 9 and DISA STIG with GUI for
RHEL 9 profiles until a solution is developed.
Bugzilla:2038978
To work around this problem, do not use GnuPG options that involve SHA-1. As a result, you will prevent
GnuPG from lowering the default system security by using the insecure SHA-1 signatures.
Bugzilla:2070722
rpm_verify_hashes
rpm_verify_permissions
rpm_verify_ownership
file_permissions_unauthorized_world_writable
no_files_unowned_by_user
dir_perms_world_writable_system_owned
file_permissions_unauthorized_suid
file_permissions_unauthorized_sgid
file_permissions_ungroupowned
dir_perms_world_writable_sticky_bits
For more details and more workarounds, see the related Knowledgebase article.
Bugzilla:2161499
Jira:RHELPLAN-44202[1]
Algorithm negotiations no longer support AES-128 ciphers, the secp256r1 elliptic curve, and the
FFDHE-2048 group.
Jira:RHEL-2735[1]
You can work around this problem by performing the following steps:
1. Create a new file named local_fdo_update.cil and enter the missing SELinux policy rules:
# semodule -i local_fdo_update.cil
As a result, FDO can connect to the PostgreSQL database, and the added rules also fix problems related
to SQLite permissions on /var/lib/fdo/, where the SQLite database files are expected to be located.
Jira:RHEL-28814
Jira:RHEL-45727
Jira:RHELDOCS-16574[1]
Bugzilla:2073510
Bugzilla:2056318
If you cannot use one of the recommended solutions, install the initscripts package.
Bugzilla:2018112[1]
To manage services, use the systemctl commands or install the chkconfig package manually.
For more information about systemd, see Introduction to systemd. For instructions on how to use the
systemctl utility, see Managing system services with systemctl.
Bugzilla:2053598[1]
Bugzilla:2082303
Setting the console keymap requires the libxkbcommon library on your minimal install
In RHEL 9, certain systemd library dependencies have been converted from dynamic linking to dynamic
loading, so that your system opens and uses the libraries at runtime when they are available. With this
change, functionality that depends on such libraries is not available unless you install the necessary
library. This also affects setting the keyboard layout on systems with a minimal install. As a result, the
localectl --no-convert set-x11-keymap gb command fails. To work around this problem, install the
libxkbcommon library.
Jira:RHEL-6105
The %vmeff metric from the sysstat package displays incorrect values
The sysstat package provides the %vmeff metric to measure the page reclaim efficiency. The values of
the %vmeff column returned by the sar -B command are incorrect because sysstat does not parse all
relevant /proc/vmstat values provided by later kernel versions. To work around this problem, you can
calculate the %vmeff value manually from the /proc/vmstat file. For details, see Why the sar(1) tool
reports %vmeff values beyond 100 % in RHEL 8 and RHEL 9?
Jira:RHEL-12009
register new services without limits set by the SLP implementation. By using UDP and spoofing the
source address, an attacker can request the service list, creating a denial of service on the spoofed
address.
To prevent external attackers from accessing the SLP service, disable SLP on all systems running on
untrusted networks, such as those directly connected to the internet. Alternatively, to work around this
problem, configure firewalls to block or filter traffic on UDP and TCP port 427.
Jira:RHEL-6995[1]
The ReaR rescue image on UEFI systems with Secure Boot enabled fails to boot with the
default settings
ReaR image creation by using the rear mkrescue or rear mkbackup command fails with the following
message:
grub2-mkstandalone may fail to make a bootable EFI image of GRUB2 (no /usr/*/grub*/x86_64-efi/moddep.lst file)
(...)
grub2-mkstandalone: error: /usr/lib/grub/x86_64-efi/modinfo.sh doesn't exist. Please specify --target or --directory.
The missing files are part of the grub2-efi-x64-modules package. If you install this package, the rescue
image is created successfully without any errors. When the UEFI Secure Boot is enabled, the rescue
image is not bootable because it uses a boot loader that is not signed.
To work around this problem, add the following variables to the /etc/rear/local.conf or
/etc/rear/site.conf ReaR configuration file:
UEFI_BOOTLOADER=/boot/efi/EFI/redhat/grubx64.efi
SECURE_BOOT_BOOTLOADER=/boot/efi/EFI/redhat/shimx64.efi
With the suggested workaround, the image can be produced successfully even on systems without the
grub2-efi-x64-modules package, and it is bootable on systems with Secure Boot enabled. In addition,
during the system recovery, the bootloader of the recovered system is set to the EFI shim bootloader.
For more information about UEFI, Secure Boot, and shim bootloader, see the UEFI: what happens
when booting the system Knowledge Base article.
Jira:RHELDOCS-18064[1]
Jira:RHEL-26275[1]
Jira:RHELDOCS-16427[1]
As a result, DNSSEC records signed with the SHA-1-based RSA/SHA1 (algorithm 5) and
RSASHA1-NSEC3-SHA1 (algorithm 7) signature algorithms fail to verify in Red Hat Enterprise Linux 9, and
the affected domain names lose their DNSSEC protection and become vulnerable.
To work around this problem, upgrade to a different signature algorithm, such as RSA/SHA-256 or
elliptic curve keys.
For more information and a list of top-level domains that are affected and vulnerable, see the DNSSEC
records signed with RSASHA1 fail to verify solution.
Bugzilla:2070495
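To find out which of your zones still need the algorithm rollover the workaround asks for, it is enough to look at the algorithm field of the DNSKEY and RRSIG records. The script below is an added example, not code from these release notes or from Red Hat: it parses records in the presentation format that dig prints (the dig invocation in the docstring is an assumption; the parser only needs the record lines) and reports owners that still use algorithm 5 or 7. The SAMPLE_RECORDS block is constructed test input with truncated key material.

```python
"""Flag DNSKEY and RRSIG records that still use SHA-1 based DNSSEC algorithms.

Added example for the DNSSEC SHA-1 note; not code from the RHEL release notes.
Input is the presentation format that dig prints, for instance the output of
`dig +dnssec DNSKEY example.com` (that command is an assumption; the parser
only needs the record lines, one record per line).
"""
import sys
from typing import Dict, List, Tuple

# IANA "DNS Security Algorithm Numbers": 5 and 7 are the SHA-1 based ones
# whose signatures the RHEL 9 crypto policy refuses to verify.
SHA1_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}


def parse_records(text: str) -> List[Tuple[str, str, int]]:
    """Return (owner, rrtype, algorithm) for every DNSKEY or RRSIG line.

    DNSKEY rdata: flags protocol algorithm public-key
    RRSIG  rdata: type-covered algorithm labels orig-ttl expiration inception keytag signer sig
    TTL and class may be absent; anything after ';' is a comment.
    """
    found = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        try:
            idx = next(i for i, f in enumerate(fields) if f in ("DNSKEY", "RRSIG"))
        except StopIteration:
            continue                                # not a record we care about
        rrtype, rdata = fields[idx], fields[idx + 1:]
        try:
            alg = int(rdata[2]) if rrtype == "DNSKEY" else int(rdata[1])
        except (IndexError, ValueError):
            continue                                # malformed or truncated line
        found.append((fields[0], rrtype, alg))
    return found


def sha1_signed(text: str) -> Dict[str, List[str]]:
    """Map each owner name that uses a SHA-1 algorithm to its offending records."""
    report: Dict[str, List[str]] = {}
    for owner, rrtype, alg in parse_records(text):
        if alg in SHA1_ALGORITHMS:
            report.setdefault(owner, []).append(
                f"{rrtype} alg {alg} ({SHA1_ALGORITHMS[alg]})")
    return report


# Constructed sample in dig's presentation format; keys and signatures are
# truncated stand-ins, not real cryptographic material.
SAMPLE_RECORDS = """\
; constructed sample, not a real query result
legacy.example.  3600 IN DNSKEY 257 3 5 AwEAAbKSK...
legacy.example.  3600 IN DNSKEY 256 3 5 AwEAAbZSK...
legacy.example.  3600 IN RRSIG  DNSKEY 5 2 3600 20240601000000 20240501000000 12345 legacy.example. c2ln...
modern.example.  3600 IN DNSKEY 257 3 13 oJMRESz5E...
modern.example.  3600 IN RRSIG  DNSKEY 13 2 3600 20240601000000 20240501000000 23456 modern.example. c2ln...
nsec3.example.   3600 IN DNSKEY 256 3 7 AwEAAcNSEC3...
"""

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RECORDS
    for owner, records in sha1_signed(data).items():
        print(owner, "->", "; ".join(records))
```

A zone that appears in the report needs a full key rollover to RSASHA256 (8) or one of the ECDSA or EdDSA algorithms, not just fresh signatures, because the DNSKEY algorithm itself is what the validator rejects.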
named fails to start if the same writable zone file is used in multiple zones
BIND does not allow the same writable zone file in multiple zones. Consequently, if a configuration
includes multiple zones which share a path to a file that can be modified by the named service, named
fails to start. To work around this problem, use the in-view clause to share one zone between multiple
views and make sure to use different paths for different zones. For example, include the view names in
the path.
Note that writable zone files are typically used in zones with allowed dynamic updates, secondary zones,
or zones maintained by DNSSEC.
Bugzilla:1984982
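The two remedies the note gives, an in-view clause that shares one zone between views, or a distinct file path per view, are both shown in the constructed FIXED_CONF below, next to a BROKEN_CONF that reproduces the failure. The checker is an added example, not BIND's code or code from these release notes: it understands only the subset of named.conf syntax it needs, and its notion of "writable" (secondary, stub and mirror zones, plus primaries with allow-update, update-policy, inline-signing or a dnssec-policy) is an assumption that covers the common cases the note lists.

```python
"""Detect zone files that more than one writable zone in named.conf would open.

Added example for the "named fails to start" note; not code from the RHEL
release notes or from BIND. Only the named.conf subset needed here is parsed
(view, zone, type, file, in-view, allow-update, update-policy, inline-signing,
dnssec-policy); the "writable" heuristic is an assumption for common setups.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
WRITTEN_BY_NAMED = {"secondary", "slave", "stub", "mirror"}   # named writes transfers here


def strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)


def parse_zones(text: str) -> List[dict]:
    """Return one dict per zone: name, view, type, file, in_view, writable."""
    zones: List[dict] = []
    stack: List[Tuple[str, Optional[dict]]] = []   # one entry per open '{'
    stmt: List[str] = []                           # tokens of the statement being read
    view: Optional[str] = None
    for tok in TOKEN_RE.findall(strip_comments(text)):
        if tok == "{":
            head = stmt[0] if stmt else ""
            if head == "view" and len(stmt) > 1:
                view = stmt[1].strip('"')
                stack.append(("view", None))
            elif head == "zone" and len(stmt) > 1:
                rec = {"name": stmt[1].strip('"'), "view": view, "type": None,
                       "file": None, "in_view": None, "writable": False}
                zones.append(rec)
                stack.append(("zone", rec))
            else:
                if stack and stack[-1][0] == "zone" and head in ("allow-update", "update-policy"):
                    stack[-1][1]["writable"] = True    # dynamic updates rewrite the file
                stack.append(("block", None))
            stmt = []
        elif tok == "}":
            if stack and stack.pop()[0] == "view":
                view = None
            stmt = []
        elif tok == ";":
            if stack and stack[-1][0] == "zone" and len(stmt) > 1:
                rec, key, val = stack[-1][1], stmt[0], stmt[1].strip('"')
                if key == "type":
                    rec["type"] = val
                    rec["writable"] |= val in WRITTEN_BY_NAMED
                elif key == "file":
                    rec["file"] = val
                elif key == "in-view":
                    rec["in_view"] = val
                elif key == "inline-signing" and val == "yes":
                    rec["writable"] = True             # signed copy written next to the file
                elif key == "dnssec-policy" and val != "none":
                    rec["writable"] = True             # automatic signing maintains the file
            stmt = []
        else:
            stmt.append(tok)
    return zones


def shared_writable_files(text: str) -> Dict[str, List[Tuple[Optional[str], str]]]:
    """Map each path opened writable by more than one zone to its [(view, zone), ...]."""
    by_file: Dict[str, List[Tuple[Optional[str], str]]] = {}
    for z in parse_zones(text):
        if z["file"] and z["writable"]:
            by_file.setdefault(z["file"], []).append((z["view"], z["name"]))
    return {path: owners for path, owners in by_file.items() if len(owners) > 1}


BROKEN_CONF = """\
// constructed example: one dynamic zone file opened by two views
view "internal" {
    zone "example.com" {
        type primary; file "/var/named/dynamic/example.com.db";
        allow-update { key "ddns-key"; };
    };
};
view "external" {
    zone "example.com" {
        type primary; file "/var/named/dynamic/example.com.db";
        allow-update { key "ddns-key"; };
    };
    zone "static.example" { type primary; file "/var/named/static.example.db"; };
};
"""

FIXED_CONF = """\
// constructed example: per-view path for the writable file, in-view for the copy
view "internal" {
    zone "example.com" {
        type primary; file "/var/named/dynamic/internal/example.com.db";
        allow-update { key "ddns-key"; };
    };
};
view "external" {
    zone "example.com" { in-view "internal"; };
};
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_CONF
    for path, owners in shared_writable_files(text).items():
        print(path, "is opened writable by", owners)
```

Run it against /etc/named.conf (after resolving any include statements yourself; the parser does not follow them) before restarting named, so a shared path is caught on your terms rather than as a failed service start.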
The libotr library and toolkit for off-the-record (OTR) messaging provides end-to-end encryption for
instant messaging conversations. However, the libotr library does not conform to the Federal
Information Processing Standards (FIPS) due to its use of the gcry_pk_sign() and gcry_pk_verify()
functions. As a result, you cannot use the libotr library in FIPS mode.
Bugzilla:2086562
11.7. NETWORKING
kTLS does not support offloading of TLS 1.3 to NICs
Kernel Transport Layer Security (kTLS) does not support offloading of TLS 1.3 to NICs. Consequently,
software encryption is used with TLS 1.3 even when the NICs support TLS offload. To work around this
problem, disable TLS 1.3 if offload is required. As a result, you can offload only TLS 1.2. When TLS 1.3 is in
use, there is lower performance, since TLS 1.3 cannot be offloaded.
Bugzilla:2000616[1]
Kernel Transport Layer Security (kTLS) protocol does not support updating the session key, which is
used by the symmetric cipher. Consequently, the user cannot update the key, which causes a connection
break. To work around this problem, disable kTLS. As a result, with the workaround, it is possible to
successfully update the session key.
Bugzilla:2013650[1]
11.8. KERNEL
Customer applications with dependencies on kernel page size might need updating when
moving from 4k to 64k page size kernel
RHEL is compatible with both 4k and 64k page size kernels. Customer applications with dependencies
on a 4k kernel page size might require updating when moving from 4k to 64k page size kernels. Known
instances of this include jemalloc and dependent applications.
The jemalloc memory allocator library is sensitive to the page size used in the system’s runtime
environment. The library can be built to be compatible with 4k and 64k page size kernels, for example,
when configured with --with-lg-page=16 or env JEMALLOC_SYS_WITH_LG_PAGE=16 (for
jemallocator Rust crate). Consequently, a mismatch can occur between the page size of the runtime
environment and the page size that was present when compiling binaries that depend on jemalloc. As a
result, using a jemalloc-based application triggers the following error:
Use the appropriate build configuration or environment options to create 4k and 64k page size
compatible binaries.
Build any user space packages that use jemalloc after booting into the final 64k kernel and
runtime environment.
For example, you can build the fd-find tool, which also uses jemalloc, with the cargo Rust package
manager. In the final 64k environment, trigger a new build of all dependencies to resolve the mismatch in
the page size by entering the cargo command:
Bugzilla:2167783[1]
Upgrading to the latest real-time kernel with dnf does not install multiple kernel versions in
parallel
Installing the latest real-time kernel with the dnf package manager requires resolving package
dependencies to retain the new and current kernel versions simultaneously. By default, dnf removes the
older kernel-rt package during the upgrade.
As a workaround, add the current kernel-rt package to the installonlypkgs option in the /etc/yum.conf
configuration file, for example, installonlypkgs=kernel-rt.
The installonlypkgs option appends kernel-rt to the default list used by dnf. Packages listed in the
installonlypkgs directive are never replaced during an upgrade, so multiple versions of them can be
installed simultaneously.
Note that having multiple kernels installed is a way to have a fallback option when working with a new
kernel version.
Bugzilla:2181571[1]
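Because the installonlypkgs line may already list other packages, a blind `echo installonlypkgs=kernel-rt >>` either duplicates the key or drops the existing entries. The function below is an added example, not code from these release notes or from dnf: it edits the [main] section of a dnf.conf-style file idempotently, preserving comments and unrelated settings, and appends kernel-rt to any existing installonlypkgs value. The path /etc/dnf/dnf.conf (which /etc/yum.conf links to on RHEL 9) is the assumed target; the SAMPLE_DNF_CONF is constructed test input.

```python
"""Add kernel-rt to dnf's installonlypkgs without clobbering existing entries.

Added example for the kernel-rt upgrade note; not code from the RHEL release
notes or from dnf. The edit is line based on purpose: configparser would drop
the comments an administrator left in the file.
"""
import sys


def ensure_installonly(conf_text: str, package: str = "kernel-rt") -> str:
    """Return conf_text with `package` present in the [main] installonlypkgs list.

    dnf appends the listed names to its built-in install-only set, so adding
    kernel-rt here does not remove kernel, kernel-core, ... from that set.
    Calling this twice returns the same text the second time.
    """
    lines = conf_text.splitlines()
    section = None
    main_header = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].strip()
            if section == "main":
                main_header = i
            continue
        if section != "main" or not s or s[0] in "#;":
            continue                                  # comment, blank, or other section
        key, sep, value = s.partition("=")
        if sep and key.strip() == "installonlypkgs":
            pkgs = value.replace(",", " ").split()    # dnf accepts comma or space separators
            if package in pkgs:
                return conf_text                      # already there: leave the file alone
            lines[i] = "installonlypkgs=" + " ".join(pkgs + [package])
            return "\n".join(lines) + "\n"
    if main_header is None:
        lines += ["[main]", "installonlypkgs=" + package]
    else:
        lines.insert(main_header + 1, "installonlypkgs=" + package)
    return "\n".join(lines) + "\n"


# Constructed sample resembling a default dnf.conf; not copied from any system.
SAMPLE_DNF_CONF = """\
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
"""

if __name__ == "__main__":
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/dnf/dnf.conf"
    with open(conf) as fh:
        before = fh.read()
    after = ensure_installonly(before)
    if after != before:
        with open(conf, "w") as fh:
            fh.write(after)
    print("kernel-rt is install-only in", conf)
```

Keep in mind that installonly_limit (3 by default) still caps how many versions of an install-only package dnf keeps, so older kernel-rt builds are pruned once that many are installed.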
The Delay Accounting functionality does not display the SWAPIN and IO% statistics columns
by default
The Delay Accounting functionality, unlike in earlier versions, is disabled by default. Consequently, the
iotop application does not show the SWAPIN and IO% statistics columns and displays the following
warning:
The Delay Accounting functionality, using the taskstats interface, provides the delay statistics for all
tasks or threads that belong to a thread group. Delays in task execution occur when they wait for a
kernel resource to become available, for example, a task waiting for a free CPU to run on. The statistics
help in setting a task’s CPU priority, I/O priority, and rss limit values appropriately.
As a workaround, you can enable the delayacct option either at run time or at boot.
Note that this command enables the feature system wide, but only for the tasks that you start
after running this command.
kernel.task_delayacct = 1
For more information, see How to set sysctl variables on Red Hat Enterprise Linux .
As a result, the iotop application displays the SWAPIN and IO% statistics columns.
Bugzilla:2132480[1]
Hardware certification of the real-time kernel on systems with large core-counts might
require passing the skew-tick=1 boot parameter
Large or moderate-sized systems with numerous sockets and large core-counts can experience latency
spikes due to lock contentions on xtime_lock, which is used in the timekeeping system. As a
consequence, latency spikes and delays in hardware certifications might occur on multiprocessing
systems. As a workaround, you can offset the timer tick per CPU to start at a different time by adding
the skew_tick=1 boot parameter.
3. Verify the new settings by displaying the kernel parameters you pass during boot.
cat /proc/cmdline
Note that enabling skew_tick=1 causes a significant increase in power consumption and, therefore, it
must be enabled only if you are running latency sensitive real-time workloads.
Jira:RHEL-9318[1]
The kdump mechanism fails to capture the vmcore file on LUKS-encrypted targets
When running kdump on systems with Linux Unified Key Setup (LUKS) encrypted partitions, systems
require a certain amount of available memory. When the available memory is less than the required
amount of memory, the systemd-cryptsetup service fails to mount the partition. Consequently, the
second kernel fails to capture the crash dump file on the LUKS-encrypted targets.
As a workaround, query the Recommended crashkernel value and gradually increase the memory size
to an appropriate value. The Recommended crashkernel value can serve as a reference for setting the
required memory size.
# kdumpctl estimate
# reboot
Jira:RHEL-11196[1]
The kdump service fails to build the initrd file on IBM Z systems
On 64-bit IBM Z systems, the kdump service fails to load the initial RAM disk (initrd) when znet-related
configuration information, such as s390-subchannels, resides in an inactive NetworkManager
connection profile. Consequently, the kdump mechanism fails with the following error:
Configure a network bond or bridge by re-using the connection profile that has the znet
configuration information:
Copy the znet configuration information from the inactive connection profile to the active
connection profile:
b. Update the active profile with configuration information from the inactive connection:
#!/bin/bash
# Copy the znet-specific fields from the inactive connection profile to the active one.
inactive_connection=enc600
active_connection=bridge-slave-enc600
for name in nettype subchannels options; do
    field=802-3-ethernet.s390-$name
    # Read the field value from the inactive profile ...
    val=$(nmcli --get-values "$field" connection show "$inactive_connection")
    # ... and write it into the active profile.
    nmcli connection modify "$active_connection" "$field" "$val"
done
# kdumpctl restart
Bugzilla:2064708
The iwl7260-firmware breaks Wi-Fi on Intel Wi-Fi 6 AX200, AX210, and Lenovo ThinkPad P1
Gen 4
After updating the iwl7260-firmware or iwl7260-wifi driver to the version provided by RHEL 9.1 and
later, the hardware gets into an incorrect internal state and reports its state incorrectly. Consequently,
Intel Wi-Fi 6 cards might not work and display the error message:
An unconfirmed workaround is to power off the system and back on again. Do not reboot.
Bugzilla:2129288[1]
The weak-modules script provided by the kmod package determines which modules are kABI-compatible
with installed kernels. However, while checking modules' kernel compatibility, weak-modules processes
modules' symbol dependencies from higher to lower release of the kernel for which they were built. As a
consequence, modules with inter-dependencies built against different kernel releases might be
interpreted as non-compatible, and therefore the weak-modules script fails to work in this scenario.
To work around the problem, build or put the extra modules against the latest stock kernel before you
install the new kernel.
Bugzilla:2103605[1]
Jira:RHEL-15404[1]
dkms provides an incorrect warning on program failure with correctly compiled drivers on
64-bit ARM CPUs
The Dynamic Kernel Module Support (dkms) utility does not recognize that the kernel headers for 64-
bit ARM CPUs work for both the kernels with 4 kB and 64 kB page sizes. As a result, when the kernel
update is performed and the kernel-64k-devel package is not installed, dkms provides an incorrect
warning on why the program failed on correctly compiled drivers. To work around this problem, install
the kernel-headers package, which contains header files for both types of ARM CPU architectures and
is not specific to dkms and its requirements.
Jira:RHEL-25967 [1]
By default, Native NVMe multipathing is enabled in RHEL 9. For more information, see Enabling
multipathing on NVMe devices.
Bugzilla:2033080[1]
As a result, complex virtual device stacks are correctly deactivated during shutdown and do not produce
error messages.
Bugzilla:2011699[1]
Disabling quota accounting is no longer possible for an XFS filesystem mounted with
quotas enabled
Starting with RHEL 9.2, it is no longer possible to disable quota accounting on an XFS filesystem which
has been mounted with quotas enabled.
To work around this issue, disable quota accounting by remounting the filesystem, with the quota option
removed.
Bugzilla:2160619[1]
Bugzilla:2185048
Jira:RHEL-8164[1]
Jira:RHEL-8466[1]
ARM-based systems fail to update with a 64k page size kernel when vdo is installed
While installing the vdo package, RHEL installs the kmod-kvdo package and a kernel with 4k page size
as dependencies. As a consequence, updates from RHEL 9.3 to 9.x fail because kmod-kvdo conflicts
with the 64k kernel. To work around this issue, remove the vdo package and its dependencies before
attempting to update.
Jira:RHEL-8354
When using a QLogic Corp. FastLinQ QL45000 Series 10/25/40/50GbE, FCOE Controller
automatically enables the lldpad daemon on systems running Red Hat Virtualization. As a consequence,
I/O operations are aborted with an error, for example, [qedf_eh_abort:xxxx]:1: Aborting
io_req=ff5d85a9dcf3xxxx.
To work around this problem, disable Link Layer Discovery Protocol (LLDP) and then enable it for
interfaces that can be set at the vdsm configuration level. For more information, see
https://access.redhat.com/solutions/6963195.
Jira:RHEL-8104[1]
Jira:RHEL-25730[1]
To prevent remote code execution and mitigate CVE-2024-32004, stricter ownership checks have
been introduced in Git for cloning local repositories. Since the update introduced in the RHSA-
2024:4083 advisory, Git treats local repositories with potentially unsafe ownership as dubious.
As a consequence, if you attempt to clone from a repository locally hosted through git-daemon and you
are not the owner of the repository, Git returns a security alert about dubious ownership and fails to
clone or fetch from the repository.
To work around this problem, explicitly mark the repository as safe by executing the following command:
Jira:RHELDOCS-18435[1]
Bugzilla:2157708
The --ssl-fips-mode option in MySQL and MariaDB does not change FIPS mode
The --ssl-fips-mode option in MySQL and MariaDB in RHEL works differently than in upstream.
In RHEL 9, if you use --ssl-fips-mode as an argument for the mysqld or mariadbd daemon, or if you use
ssl-fips-mode in the MySQL or MariaDB server configuration files, --ssl-fips-mode does not change
FIPS mode for these database servers.
Instead:
If you set --ssl-fips-mode to ON, the mysqld or mariadbd server daemon does not start.
If you set --ssl-fips-mode to OFF on a FIPS-enabled system, the mysqld or mariadbd server
daemons still run in FIPS mode.
This is expected because FIPS mode should be enabled or disabled for the whole RHEL system, not for
specific components.
Therefore, do not use the --ssl-fips-mode option in MySQL or MariaDB in RHEL. Instead, ensure FIPS
mode is enabled on the whole RHEL system:
Preferably, install RHEL with FIPS mode enabled. Enabling FIPS mode during the installation
ensures that the system generates all keys with FIPS-approved algorithms and continuous
monitoring tests in place. For information about installing RHEL in FIPS mode, see Installing the
system in FIPS mode.
Alternatively, you can switch FIPS mode for the entire RHEL system by following the procedure
in Switching the system to FIPS mode .
Bugzilla:1991500
Jira:RHEL-4902
The DEFAULT:SHA1 subpolicy has to be set on RHEL 9 clients for PKINIT to work against
AD KDCs
The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key
Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 algorithm.
However, the Active Directory (AD) Kerberos Distribution Center (KDC) still uses the SHA-1 digest
algorithm to sign CMS messages. As a result, RHEL 9 Kerberos clients fail to authenticate users by using
PKINIT against an AD KDC.
To work around the problem, enable support for the SHA-1 algorithm on your RHEL 9 systems with the
following command:
Bugzilla:2060798
The PKINIT authentication of a user fails if a RHEL 9 Kerberos agent communicates with a
non-RHEL-9 and non-AD Kerberos agent
If a RHEL 9 Kerberos agent, either a client or Kerberos Distribution Center (KDC), interacts with a non-
RHEL-9 Kerberos agent that is not an Active Directory (AD) agent, the PKINIT authentication of the
user fails. To work around the problem, perform one of the following actions:
Set the RHEL 9 agent’s crypto-policy to DEFAULT:SHA1 to allow the verification of SHA-1
signatures:
Update the non-RHEL-9 and non-AD agent to ensure it does not sign CMS data using the
SHA-1 algorithm. For this, update your Kerberos client or KDC packages to the versions that use
SHA-256 instead of SHA-1:
Note that for other operating systems, it is the krb5-1.20 release that ensures that the agent signs CMS
data with SHA-256 instead of SHA-1.
See also The DEFAULT:SHA1 subpolicy has to be set on RHEL 9 clients for PKINIT to work against AD
KDCs.
Jira:RHEL-4875
Since FIPS compliance is a process that involves both technical and organizational agreements, consult
your FIPS auditor before enabling the AD-SUPPORT subpolicy to allow technical measures to support
AES SHA-1 HMAC encryption types, and then install RHEL IdM:
Bugzilla:2057471
Heimdal client fails to authenticate a user using PKINIT against RHEL 9 KDC
By default, a Heimdal Kerberos client initiates the PKINIT authentication of an IdM user by using Modular
Exponential (MODP) Diffie-Hellman Group 2 for Internet Key Exchange (IKE). However, the MIT
Kerberos Distribution Center (KDC) on RHEL 9 only supports MODP Group 14 and 16.
To work around this problem, ensure that the Heimdal client uses MODP Group 14. Set the
pkinit_dh_min_bits parameter in the libdefaults section of the client configuration file to 1759:
[libdefaults]
pkinit_dh_min_bits = 1759
As a result, the Heimdal client completes the PKINIT pre-authentication against the RHEL MIT KDC.
Jira:RHEL-4889
IdM in FIPS mode does not support using the NTLMSSP protocol to establish a two-way
cross-forest trust
Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management
(IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support
Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the RC4
NTLM hash that the AD domain controller uses when attempting to authenticate.
Jira:RHEL-12154 [1]
To work around the problem, generate SIDs by running the following command as an IdM administrator
on another IdM replica in the topology:
Afterward, if users still cannot log in, examine the Directory Server error log. You might have to adjust ID
ranges to include user POSIX identities.
See the When upgrading to RHEL9, IDM users are not able to login anymore Knowledgebase solution for
more information.
Jira:RHELPLAN-157939[1]
Migrated IdM users might be unable to log in due to mismatching domain SIDs
If you have used the ipa migrate-ds script to migrate users from one IdM deployment to another, those
users might have problems using IdM services because their previously existing Security Identifiers
(SIDs) do not have the domain SID of the current IdM environment. For example, those users can
retrieve a Kerberos ticket with the kinit utility, but they cannot log in. To work around this problem, see
the following Knowledgebase article: Migrated IdM users unable to log in due to mismatching domain
SIDs.
Jira:RHELPLAN-109613[1]
MIT krb5 user fails to obtain an AD TGT because of incompatible encryption types
generating the user PAC
In MIT krb5 1.20 and later packages, a Privilege Attribute Certificate (PAC) is included in all Kerberos
tickets by default. The MIT Kerberos Distribution Center (KDC) selects the strongest encryption type
available to generate the KDC checksum in the PAC, which currently is the AES HMAC-SHA2
encryption types defined in RFC8009. However, Active Directory (AD) does not support this RFC.
Consequently, in an AD-MIT cross-realm setup, an MIT krb5 user fails to obtain an AD ticket-granting
ticket (TGT) because the cross-realm TGT generated by MIT KDC contains an incompatible KDC
checksum type in the PAC.
To work around the problem, set the disable_pac parameter to true for the MIT realm in the [realms]
section of the /var/kerberos/krb5kdc/kdc.conf configuration file. As a result, the MIT KDC generates
tickets without PAC, which means that AD skips the failing checksum verification and an MIT krb5 user
can obtain an AD TGT.
Bugzilla:2016312
Potential risk when using the default value for the ldap_id_use_start_tls option
Using ldap:// without TLS for identity lookups exposes an attack vector, in particular a man-in-the-middle
(MITM) attack that could allow an attacker to impersonate a user by altering, for example, the UID or GID
of an object returned in an LDAP search.
Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false.
Ensure that your setup operates in a trusted environment and decide whether it is safe to use unencrypted
communication for id_provider = ldap. Note that id_provider = ad and id_provider = ipa are not affected
because they use encrypted connections protected by SASL and GSSAPI.
If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls
option to true in the /etc/sssd/sssd.conf file. The default behavior is planned to change in a future
release of RHEL.
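As an added example that is not part of the release notes, the following shell script audits an sssd.conf-style file for domains that use id_provider = ldap over a plain ldap:// URI without ldap_id_use_start_tls = true. The configuration it checks is constructed, and the script assumes that an absent ldap_uri means SSSD discovers servers through DNS and connects with plain ldap://.

```shell
#!/bin/bash
# Added example, not part of the release notes: audit an sssd.conf-style file
# for [domain/...] sections that use id_provider = ldap over plain ldap://
# without ldap_id_use_start_tls = true. Domains with id_provider = ad or ipa
# are skipped because they use SASL/GSSAPI-protected connections.
# Assumptions: ldap_uri may be a comma-separated list; when it is absent, SSSD
# discovers servers via DNS SRV records and connects with ldap://, so an absent
# ldap_uri is treated as plaintext.

# Prints one line per unprotected domain; returns 1 if any were found, else 0.
audit_sssd_start_tls() {
    awk '
        function report(    state) {
            if (section !~ /^domain\//) return
            if (provider != "ldap") return
            if (uri != "" && uri !~ /(^|,)[ \t]*ldap:\/\//) return
            if (tls == "true") return
            state = (tls == "") ? "unset (defaults to false)" : tls
            printf "%s: ldap_id_use_start_tls is %s\n", section, state
            found = 1
        }
        # A new [section] header: evaluate the previous section, then reset.
        /^[ \t]*\[/ {
            report()
            section = $0
            gsub(/^[ \t]*\[/, "", section); gsub(/\][ \t]*$/, "", section)
            provider = ""; uri = ""; tls = ""
            next
        }
        # Skip comments and blank lines.
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        # key = value lines: keep only the three options the audit needs.
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "id_provider")                provider = tolower(val)
            else if (key == "ldap_uri")              uri = tolower(val)
            else if (key == "ldap_id_use_start_tls") tls = tolower(val)
        }
        END { report(); exit (found ? 1 : 0) }
    ' "$1"
}

# Writes a constructed sample configuration to the path given in $1.
write_sample_sssd_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = corp, lab, ipa.example.test

[domain/corp]
id_provider = ldap
ldap_uri = ldap://ldap1.corp.example.test, ldaps://ldap2.corp.example.test
# ldap_id_use_start_tls not set: SSSD defaults it to false

[domain/lab]
id_provider = ldap
ldap_uri = ldap://lab.example.test
ldap_id_use_start_tls = True

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa.example.test
EOF
}

# Demonstration: only [domain/corp] is reported.
tmp=$(mktemp) && write_sample_sssd_conf "$tmp"
audit_sssd_start_tls "$tmp" || echo "unprotected ldap domains found in $tmp"
rm -f "$tmp"
```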
Jira:RHELPLAN-155168[1]
Adding a RHEL 9 replica in FIPS mode to an IdM deployment in FIPS mode that was
initialized with RHEL 8.6 or earlier fails
The default RHEL 9 FIPS cryptographic policy aiming to comply with FIPS 140-3 does not allow the use
of the AES HMAC-SHA1 encryption types' key derivation function as defined by RFC3961, section 5.1.
This constraint is a blocker when adding a RHEL 9 Identity Management (IdM) replica in FIPS mode to a
RHEL 8 IdM environment in FIPS mode in which the first server was installed on a RHEL 8.6 system or
earlier. This is because there are no common encryption types between RHEL 9 and the previous RHEL
versions, which commonly use the AES HMAC-SHA1 encryption types but do not use the AES HMAC-
SHA2 encryption types.
You can view the encryption type of your IdM master key by entering the following command on the
server:
To work around the problem, enable the use of AES HMAC-SHA1 on the RHEL 9 replica:
WARNING
This workaround might violate FIPS compliance.
As a result, adding the RHEL 9 replica to the IdM deployment proceeds correctly.
Note that there is ongoing work to provide a procedure to generate missing AES HMAC-SHA2-
encrypted Kerberos keys on RHEL 7 and RHEL 8 servers. This will achieve FIPS 140-3 compliance on the
RHEL 9 replica. However, this process will not be fully automated, because the design of Kerberos key
cryptography makes it impossible to convert existing keys to different encryption types. The only way is
to ask users to renew their passwords.
Jira:RHEL-4888
search list.
Bugzilla:1608496[1]
Installing a RHEL 7 IdM client with a RHEL 9.2 and later IdM server in FIPS mode fails due
to EMS enforcement
The TLS Extended Master Secret (EMS) extension (RFC 7627) is now mandatory for TLS 1.2
connections on FIPS-enabled RHEL 9.2 and later systems. This is in accordance with FIPS 140-3
requirements. However, the openssl version available in RHEL 7.9 and lower does not support EMS. As a
consequence, installing a RHEL 7 Identity Management (IdM) client with a FIPS-enabled IdM server
running on RHEL 9.2 and later fails.
If upgrading the host to RHEL 8 before installing an IdM client on it is not an option, work around the
problem by removing the requirement for EMS usage on the RHEL 9 server by applying a NO-
ENFORCE-EMS subpolicy on top of the FIPS crypto policy:
Note that this removal goes against the FIPS 140-3 requirements. As a result, you can establish and
accept TLS 1.2 connections that do not use EMS, and the installation of a RHEL 7 IdM client succeeds.
Jira:RHEL-4955
The online backup and the online automembership rebuild tasks can acquire two locks
resulting in a deadlock
If the online backup and the online automembership rebuild tasks attempt to acquire the same two locks
in the opposite order, it can lead to an unrecoverable deadlock that requires you to stop and restart the
server. To work around this problem, do not launch the online backup and the online automembership
rebuild tasks in parallel.
Jira:RHELDOCS-18065[1]
11.12. DESKTOP
VNC is not running after upgrading to RHEL 9
After upgrading from RHEL 8 to RHEL 9, the VNC server fails to start, even if it was previously enabled.
To work around the problem, manually enable the vncserver service after the system upgrade:
As a result, VNC is now enabled and starts after every system boot as expected.
Bugzilla:2060308
To work around this problem, use one of the following solutions to create users:
Run the installation in VNC mode and resize the VNC window.
Jira:RHEL-11924[1]
As a consequence, you cannot use certain features of applications that use WebKitGTK to display web
pages, such as the following:
Jira:RHEL-4157
Additionally, Wayland is enabled but the desktop session uses X.org by default if the version of the
NVIDIA driver is lower than 510.
Jira:RHELPLAN-119001[1]
Jira:RHELPLAN-119852 [1]
Jira:RHELPLAN-121049 [1]
Currently, when you import a virtual machine (VM) in the RHEL web console on ARM64 architecture and
then you try to interact with it in the VNC console, the console does not react to your input.
Additionally, when you create a VM in the web console on ARM64 architecture, the VNC console does
not display the last lines of your input.
Jira:RHEL-31993 [1]
Bugzilla:2123859
Jira:RHEL-1172
Note that this limitation also impacts installing Microsoft SQL Server when you use the mssql RHEL
system role to install this service.
Jira:RHELDOCS-17719[1]
Jira:RHELDOCS-18329[1]
For RHEL 9 UEFI managed nodes the bootloader_password variable of the bootloader RHEL
system role does not work
Previously, the bootloader_password variable incorrectly placed the password information in the
/boot/efi/EFI/redhat/user.cfg file. The proper location was the /boot/grub2/user.cfg file. Consequently,
when you rebooted the managed node to modify any boot loader entry, GRUB2 did not prompt you for
a password. To work around this problem, you can manually move the user.cfg file from the incorrect
/boot/efi/EFI/redhat/ directory to the correct /boot/grub2/ directory to achieve the expected behavior.
Jira:RHEL-45705
11.16. VIRTUALIZATION
Installing a virtual machine over https or ssh in some cases fails
Currently, the virt-install utility fails when attempting to install a guest operating system (OS) from an
ISO source over an https or ssh connection, for example using virt-install --cdrom
https://example/path/to/image.iso. Instead of creating a virtual machine (VM), the described operation
ends unexpectedly with an internal error: process exited while connecting to monitor message.
Similarly, using the RHEL 9 web console to install a guest operating system fails and displays an
Unknown driver 'https' error if you use an https or ssh URL, or the Download OS function.
To work around this problem, install qemu-kvm-block-curl and qemu-kvm-block-ssh on the host to
enable https and ssh protocol support. Alternatively, use a different connection protocol or a different
installation source.
Bugzilla:2014229
When you pass through an NVIDIA GPU device to a RHEL virtual machine (VM)
Jira:RHELPLAN-117234[1]
The Milan VM CPU type is sometimes not available on AMD Milan systems
On certain AMD Milan systems, the Enhanced REP MOVSB (erms) and Fast Short REP MOVSB ( fsrm)
feature flags are disabled in the BIOS by default. Consequently, the Milan CPU type might not be
available on these systems. In addition, VM live migration between Milan hosts with different feature flag
settings might fail. To work around these problems, manually turn on erms and fsrm in the BIOS of your
host.
Bugzilla:2077767[1]
A hostdev interface with failover settings cannot be hot-plugged after being hot-
unplugged
After removing a hostdev network interface with failover configuration from a running virtual machine
(VM), the interface currently cannot be re-attached to the same running VM.
Jira:RHEL-7337
Currently, attempting to post-copy migrate a running virtual machine (VM) fails if the VM uses a device
with the virtual function (VF) failover capability enabled. To work around the problem, use the standard
migration type, rather than post-copy migration.
Jira:RHEL-7335
Host network cannot ping VMs with VFs during live migration
When live migrating a virtual machine (VM) with a configured virtual function (VF), such as a VM that
uses virtual SR-IOV software, the network of the VM is not visible to other devices and the VM cannot
be reached by commands such as ping. After the migration is finished, however, the problem no longer
occurs.
Jira:RHEL-7336
Bugzilla:2005173[1]
Jira:RHEL-11366
Windows Server 2016 VMs sometimes stop working after hot-plugging a vCPU
Currently, assigning a vCPU to a running virtual machine (VM) with a Windows Server 2016 guest
operating system might cause a variety of problems, such as the VM stopping unexpectedly, becoming
unresponsive, or rebooting.
Bugzilla:1915715
However, this error message does not impact the functionality of the VM and can be ignored. For
details, see the Red Hat Knowledgebase.
Bugzilla:2149989 [1]
Restarting the OVS service on a host might block network connectivity on its running VMs
When the Open vSwitch (OVS) service restarts or crashes on a host, virtual machines (VMs) that are
running on this host cannot recover the state of the networking device. As a consequence, VMs might be
completely unable to receive packets.
This problem only affects systems that use the packed virtqueue format in their virtio networking stack.
To work around this problem, use the packed=off parameter in the virtio networking device definition
to disable packed virtqueue. With packed virtqueue disabled, the state of the networking device can, in
some situations, be recovered from RAM.
Jira:RHEL-333
To work around this problem, wait at least 10 seconds before resuming the post-copy migration or
switch to another port for migration recovery.
Jira:RHEL-7096
sched: CPU #4's llc-sibling CPU #3 is not on the same node! [node: 1 != 0]. Ignoring dependency.
WARNING: CPU: 4 PID: 0 at arch/x86/kernel/smpboot.c:415 topology_sane.isra.0+0x6b/0x80
To work around this issue, do not use AMD EPYC CPUs for NUMA node configurations.
Bugzilla:2176010
NFS failure during VM migration causes migration failure and source VM coredump
Currently, if the NFS service or server is shut down during virtual machine (VM) migration, the source
VM’s QEMU is unable to reconnect to the NFS server when it starts running again. As a result, the
migration fails and a coredump is initiated on the source VM. Currently, there is no workaround available.
Bugzilla:2058982
Bugzilla:2073872
virsh blkiotune --weight command fails to set the correct cgroup I/O controller value
Currently, using the virsh blkiotune --weight command to set the VM weight does not work as
expected. The command fails to set the correct io.bfq.weight value in the cgroup I/O controller
interface file. There is no workaround at this time.
Bugzilla:1970830
Starting a VM with an NVIDIA A16 GPU sometimes causes the host GPU to stop working
Currently, if you start a VM that uses an NVIDIA A16 GPU passthrough device, the NVIDIA A16 GPU
physical device on the host system in some cases stops working.
To work around the problem, reboot the hypervisor and set the reset_method for the GPU device to
bus:
Jira:RHEL-7212[1]
Jira:RHEL-1609[1]
Windows 10 VMs with certain PCI devices might become unresponsive on boot
Currently, a virtual machine (VM) that uses a Windows 10 guest operating system might become
unresponsive during boot if a virtio-win-scsi PCI device with a local disk back end is attached to the
VM. To work around the problem, boot the VM with the multi_queue option enabled.
Jira:RHEL-1084[1]
The repair function of virtio-win-guest-tool for the virtio-win drivers does not work
Currently, when using the Repair button of virtio-win-guest-tool for a virtio-win driver, such as the
Virtio Balloon Driver, the button has no effect. As a consequence, the driver cannot be reinstalled after
being removed on the guest.
Jira:RHEL-1517[1]
Windows 11 VMs with a memory balloon device set might close unexpectedly during reboot
Currently, rebooting virtual machines (VMs) that use a Windows 11 guest operating system and a
memory balloon device in some cases fails with a DRIVER POWER STAT FAILURE blue-screen error.
Jira:RHEL-935[1]
error: Requested operation is not valid: QEMU reports migration is still running
Jira:RHEL-7115
The virtio balloon driver sometimes does not work on Windows 10 VMs
Under certain circumstances, the virtio-balloon driver does not work correctly on virtual machines (VMs)
that use a Windows 10 guest operating system. As a consequence, such VMs might not use their
assigned memory efficiently.
Jira:RHEL-12118
Jira:RHEL-1212[1]
Jira:RHEL-869
PROCESSOR_START_TIMEOUT
Jira:RHEL-1220
To work around this problem, update the virtio drivers by using Windows Device Manager.
Jira:RHEL-574[1]
Jira:RHEL-1138 [1]
The problem is caused by a missing cpuid flag and the vulnerability is in fact fully mitigated in VMs under
the following conditions:
You have the updated linux-firmware package on the host as described here: cve-2023-20569.
The host kernel has the mitigation enabled, which is the default behavior. If the mitigation is
enabled, Safe RET is displayed in the lscpu command output on the host.
Jira:RHEL-26152[1]
Virtual machines with a large amount of vCPUs and virtual disks might fail
Currently, assigning a large amount of vCPUs and virtual disks to a RHEL virtual machine (VM) might
cause the VM to fail to boot.
To work around this problem, use Small Computer System Interface (SCSI) virtual storage devices
instead of block devices if possible. For more details, see Creating SCSI-based storage pools with
vHBA devices by using the CLI.
If you need to use virtual block devices, you can also try to reduce the number of interrupt vectors by
starting the VM with a -global virtio-blk-pci.vectors=<number-of-vectors> QEMU option. Try to find a
sufficiently low number of interrupt vectors that allows the VM to boot successfully.
Jira:RHEL-32990[1]
Link status shows up on the VM even when the status of an e1000e or igb model interface is down
If you set the Ethernet link status of an e1000 or igb model network interface to down before booting
the VM, the network interface nevertheless keeps the up status after the VM boots, because when you
set the link status to down and then stop and restart the VM, it is automatically set back to up.
Consequently, the correct state of the network interface is not maintained. As a workaround, set the
network interface status to down inside the VM by using the command:
Alternatively, you can try to remove and add this network interface again while the VM is running.
Jira:RHEL-21867
Using NBD to migrate a VM storage over a TLS connection does not work correctly
Currently, when migrating a virtual machine (VM) and its storage device by using the Network Block
Device (NBD) protocol over a TLS connection, a data race in the TLS handshake might make the
migration appear to be successful. However, it causes the QEMU process on the destination VM to
become unresponsive to further interactions.
If you can trust your network, you can work around this problem by using plaintext rather than TLS
connections for the NBD protocol, which is used during the VM storage migration.
Jira:RHEL-33440
Jira:RHEL-10019[1]
Cloning or restoring RHEL 9 virtual machines that use LVM on Nutanix AHV causes non-
root partitions to disappear
When running a RHEL 9 guest operating system on a virtual machine (VM) hosted on the Nutanix AHV
hypervisor, restoring the VM from a snapshot or cloning the VM currently causes non-root partitions in
the VM to disappear if the guest is using Logical Volume Management (LVM). As a consequence, the
following problems occur:
After restoring the VM from a snapshot, the VM cannot boot, and instead enters emergency
mode.
To work around these problems, do the following in emergency mode of the VM:
3. Reboot the VM
Alternatively, to prevent the issue from occurring, do the following before cloning a VM or creating a VM
snapshot:
2. Reboot the VM
Bugzilla:2059545[1]
For details and workaround instructions, see the VMware Knowledge Base.
Bugzilla:2037657[1]
RHEL instances on Azure fail to boot if provisioned by cloud-init and configured with an
NFSv3 mount entry
Currently, booting a RHEL virtual machine (VM) on the Microsoft Azure cloud platform fails if the VM
was provisioned by the cloud-init tool and the guest operating system of the VM has an NFSv3 mount
entry in the /etc/fstab file.
Bugzilla:2081114[1]
Setting static IP in a RHEL virtual machine on a VMware host does not work
Currently, when using RHEL as a guest operating system of a virtual machine (VM) on a VMware host,
the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init utility
to set the VM’s network to static IP and then reboot the VM, the VM’s network will be changed to
DHCP.
Jira:RHEL-12122
Large VMs might fail to boot into the debug kernel when the kmemleak option is enabled
When attempting to boot a RHEL 9 virtual machine (VM) into the debug kernel, the booting might fail
with the following error if the machine kernel is using the kmemleak=on argument.
This problem affects mainly large VMs because they spend more time in the boot sequence.
To work around the problem, edit the /etc/fstab file on the machine and add extra timeout options to
the /boot and /boot/efi mount points. For example:
Jira:RHELDOCS-16979[1]
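As an added illustration (not text or configuration from the release notes), the following POSIX shell function applies the workaround described above to an fstab-style file: it appends per-mount timeouts to the /boot and /boot/efi entries and leaves every other line untouched. It assumes that systemd's x-systemd.device-timeout= and x-systemd.mount-timeout= options (documented in systemd.mount(5)) are the "extra timeout options" the note refers to; the 600-second default and any sample fstab contents you feed it are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the release notes. Appends systemd per-mount
# timeouts to the /boot and /boot/efi entries of an fstab-style file.
# Assumption: x-systemd.device-timeout= / x-systemd.mount-timeout= are the
# options the note means; 600 s is a constructed default.
#
# usage: add_boot_mount_timeouts FILE [SECONDS]
add_boot_mount_timeouts() {
    file=$1 secs=${2:-600}
    case $secs in ''|*[!0-9]*) echo "seconds must be an integer" >&2; return 1;; esac
    tmp=$(mktemp) || return 1
    awk -v secs="$secs" '
        # leave comments and blank lines exactly as they are
        /^[ \t]*#/ || NF == 0 { print; next }
        # fstab fields: device, mount point, type, options, dump, pass
        $2 == "/boot" || $2 == "/boot/efi" {
            opts = "x-systemd.device-timeout=" secs ",x-systemd.mount-timeout=" secs
            # idempotent: only add the options if they are not already present
            if (index($4, "x-systemd.device-timeout=") == 0) $4 = $4 "," opts
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file mode
    rm -f "$tmp"
}

# Print the options field (4th column) of the entry for a mount point,
# so the result of the edit can be checked.
# usage: fstab_options FILE MOUNTPOINT
fstab_options() {
    awk -v mp="$2" '!/^[ \t]*#/ && $2 == mp { print $4; exit }' "$1"
}
```

Run it against a copy of /etc/fstab first. The edited lines are rewritten with single spaces between fields, which fstab parsers accept, and re-running the function does not duplicate the options.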
11.18. SUPPORTABILITY
Timeout when running sos report on IBM Power Systems, Little Endian
When running the sos report command on IBM Power Systems, Little Endian with hundreds or
thousands of CPUs, the processor plugin reaches its default timeout of 300 seconds when collecting
huge content of the /sys/devices/system/cpu directory. As a workaround, increase the plugin’s timeout
accordingly:
For a permanent change, edit the [plugin_options] section of the /etc/sos/sos.conf file:
[plugin_options]
# Specify any plugin options and their values here. These options take the form
# plugin_name.option_name = value
#rpm.rpmva = off
processor.timeout = 1800
The example value is set to 1800. The particular timeout value highly depends on a specific system. To
set the plugin’s timeout appropriately, you can first estimate the time needed to collect the one plugin
with no timeout by running the following command:
Bugzilla:1869561[1]
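Added example (not part of the release notes or of the sos project): a POSIX shell function that makes the permanent change described above in an sos.conf-style file. It replaces an existing plugin timeout under [plugin_options], or adds the key (and the section, if it is missing) right before the next section header, and leaves comments and other settings untouched. The file path, plugin name and timeout value are supplied by the caller; any sample configuration used with it is constructed.

```shell
#!/bin/sh
# Added example, not sos's own tooling. Sets PLUGIN.timeout under
# [plugin_options] in an sos.conf-style INI file.
#
# usage: set_sos_plugin_timeout FILE PLUGIN SECONDS
set_sos_plugin_timeout() {
    file=$1 plugin=$2 secs=$3
    case $secs in ''|*[!0-9]*) echo "timeout must be an integer" >&2; return 1;; esac
    tmp=$(mktemp) || return 1
    awk -v key="$plugin.timeout" -v val="$secs" '
        # on every section header: if we are leaving [plugin_options] without
        # having seen the key, emit it before the header; then track the section
        /^\[/ { if (insec && !done) { print key " = " val; done = 1 }
                insec = ($0 == "[plugin_options]") }
        # an existing uncommented key inside the section is replaced
        insec && $0 ~ ("^" key "[ \t]*=") { print key " = " val; done = 1; next }
        { print }
        # end of file: append the key, and the section itself if it never appeared
        END { if (!done) { if (!insec) print "[plugin_options]"; print key " = " val } }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file mode
    rm -f "$tmp"
}

# Print the effective PLUGIN.timeout value from [plugin_options], if any.
# usage: get_sos_plugin_timeout FILE PLUGIN
get_sos_plugin_timeout() {
    awk -v key="$2.timeout" '
        /^\[/ { insec = ($0 == "[plugin_options]") }
        insec && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}
```

Because the key is only matched inside [plugin_options], a commented-out line such as "#rpm.rpmva = off" is preserved as documentation rather than being treated as a setting.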
11.19. CONTAINERS
Running systemd within an older container image does not work
Running systemd within an older container image, for example, centos:7, does not work:
# mkdir /sys/fs/cgroup/systemd
# mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd
# podman run --runtime /usr/bin/crun --annotation=run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup --rm -ti centos:7 /usr/lib/systemd/systemd
Jira:RHELPLAN-96940[1]
Include custom logic in the container image to expand the root filesystem, for example:
/usr/bin/growpart /dev/vda 4
unshare -m bin/sh -c 'mount -o remount,rw /sysroot && xfs_growfs /sysroot'
Include a custom logic to use the additional space for secondary filesystems, for example,
/var/lib/containers.
NOTE
Jira:RHEL-33208
APPENDIX A. LIST OF TICKETS BY COMPONENT
Component                        Tickets
audit                            Jira:RHEL-14896
bacula                           Jira:RHEL-6856
bcc                              Jira:RHEL-16325
bind                             Bugzilla:1984982
boom-boot                        Jira:RHEL-16813
bootc-image-builder-container    Jira:RHEL-34054
certmonger                       Jira:RHEL-22302
chrony                           Jira:RHEL-6522
clang                            Jira:RHEL-9346
cmake                            Jira:RHEL-7393
cockpit-appstream                Bugzilla:2030836
crash                            Jira:RHEL-9009
createrepo_c                     Bugzilla:2056318
cyrus-sasl                       Bugzilla:1995600
dnf                              Bugzilla:2073510
dnf-plugins-core                 Jira:RHEL-4600
edk2                             Bugzilla:1935497
elfutils                         Jira:RHEL-12489
gcc                              Jira:RHEL-17638
gcc-toolset-13-binutils          Jira:RHEL-23798
gcc-toolset-13-gcc               Jira:RHEL-16998
gimp                             Bugzilla:2047161
git                              Jira:RHEL-17100
git-lfs                          Jira:RHEL-17101
gnupg2                           Bugzilla:2070722
grafana                          Jira:RHEL-7505
grub2                            Jira:RHEL-10288
gtk3                             Jira:RHEL-11924
httpd                            Jira:RHEL-6600
iptables                         Jira:RHEL-14147
jmc-core                         Bugzilla:1980981
kdump-anaconda-addon             Jira:RHEL-11196
kernel-rt                        Bugzilla:2181571
kmod                             Bugzilla:2103605
kmod-kvdo                        Jira:RHEL-8354
libabigail                       Jira:RHEL-16629
libdnf                           Jira:RHEL-11238
libotr                           Bugzilla:2086562
librepo                          Jira:RHEL-11240
libreswan                        Jira:RHEL-12278
librhsm                          Jira:RHEL-14224
libsepol                         Jira:RHEL-16233
libxcrypt                        Bugzilla:2034569
libzip                           Jira:RHEL-17567
linuxptp                         Jira:RHEL-2026
llvm-toolset                     Jira:RHEL-9283
make                             Jira:RHEL-22829
mariadb                          Jira:RHEL-3638
maven                            Jira:RHEL-13046
mysql                            Bugzilla:1991500
nettle                           Jira:RHEL-14890
nfs-utils                        Bugzilla:2081114
nginx                            Jira:RHEL-14713
nvme-cli                         Jira:RHEL-1492
nvme-stas                        Bugzilla:1893841
open-vm-tools                    Bugzilla:2037657
opencryptoki                     Jira:RHEL-11412
opensc                           Jira:RHEL-4079
openscap                         Bugzilla:2161499
openslp                          Jira:RHEL-6995
osbuild                          Jira:RHEL-4655
p11-kit                          Jira:RHEL-14834
papi                             Jira:RHEL-9333
pause-container                  Bugzilla:2106816
pcp                              Jira:RHEL-2317
php                              Jira:RHEL-14699
pki-core                         Bugzilla:2084181
postgresql                       Jira:RHEL-3635
procps-ng                        Jira:RHEL-16278
python3.11-lxml                  Bugzilla:2157708
realtime-tests                   Jira:RHEL-9910
restore                          Bugzilla:1997366
rhel-bootc-container             Jira:RHEL-33208
rteval                           Jira:RHEL-9912
rust                             Jira:RHEL-12963
s390utils                        Bugzilla:1932480
samba                            Jira:RHEL-16476
sos                              Bugzilla:1869561
sssd_kcm                         Jira:SSSD-7015
stratis-cli                      Jira:RHEL-2265
stunnel                          Jira:RHEL-2468
synce4l                          Jira:RHEL-10089
systemtap                        Jira:RHEL-12488
tigervnc                         Bugzilla:2060308
tuna                             Jira:RHEL-8859
tuned                            Bugzilla:2113900
udisks2                          Bugzilla:2213769
unbound                          Bugzilla:2070495
vdo                              Jira:RHEL-30525
virt-v2v                         Bugzilla:2168082
webkit2gtk3                      Jira:RHEL-4157
xdp-tools                        Jira:RHEL-3382
APPENDIX B. REVISION HISTORY
0.1-3
Thu Jul 25 2024, Gabriela Fialová ([email protected])
0.1-2
Thu Jul 18 2024, Gabriela Fialová ([email protected])
0.1-1
Thu Jul 11 2024, Lenka Špačková ([email protected])
0.1-0
Mon Jul 08 2024, Lenka Špačková ([email protected])
0.0-9
Thu Jun 27 2024, Gabriela Fialová ([email protected])
0.0-8
Tue Jun 25 2024, Lenka Špačková ([email protected])
0.0-7
Wed Jun 12 2024, Brian Angelica ([email protected])
0.0-6
Wed May 29 2024, Gabriela Fialová ([email protected])
0.0-5
Tue May 28 2024, Lenka Špačková ([email protected])
0.0-4
Thu May 23 2024, Gabriela Fialová ([email protected])
0.0-3
Tue May 21 2024, Lenka Špačková ([email protected])
0.0-2
Thu May 16 2024, Gabriela Fialová ([email protected])
0.0-1
Wed May 01 2024, Gabriela Fialová ([email protected])
0.0-0
Wed March 27 2024, Gabriela Fialová ([email protected])
Release of the Red Hat Enterprise Linux 9.4 Beta Release Notes.