Red Hat Enterprise Linux 9.1 distribution release

Red Hat has published the release of the Red Hat Enterprise Linux 9.1 distribution. Ready-made installation images are available to registered users of the Red Hat Customer Portal (CentOS Stream 9 ISO images can also be used to evaluate the functionality). The release is built for the x86_64, s390x (IBM System z), ppc64le and AArch64 (ARM64) architectures. The sources of the Red Hat Enterprise Linux 9 RPM packages are located in the CentOS Git repository.

The RHEL 9 branch is developed in a more open process and uses the CentOS Stream 9 package base as its foundation. CentOS Stream is positioned as the upstream project for RHEL, allowing third parties to follow the preparation of RHEL packages, propose changes and influence decisions. In accordance with the 10-year support cycle for the distribution, RHEL 9 will be maintained until 2032.

Key changes:

  • Updated server and system packages: firewalld 1.1.1, chrony 4.2, unbound 1.16.2, frr 8.2.2, Apache httpd 2.4.53, opencryptoki 3.18.0, powerpc-utils 1.3.10, libvpd 2.2.9, lsvpd 1.7.14, ppc64-diag 2.7.7, PCP 5.3.7, Grafana 7.5.13, samba 4.16.1.
  • New versions of compilers and developer tools are included: GCC 11.2.1, GCC Toolset 12, LLVM Toolset 14.0.6, binutils 2.35.2, PHP 8.1, Ruby 3.1, Node.js 18, Rust Toolset 1.62, Go Toolset 1.18.2, Maven 3.8, java-17-openjdk (java-11-openjdk and java-1.8.0-openjdk also continue to ship), .NET 7.0, GDB 10.2, Valgrind 3.19, SystemTap 4.7, Dyninst 12.1.0, elfutils 0.187.
  • The eBPF (extended Berkeley Packet Filter) subsystem carries over the improvements made in the Linux 5.15 and 5.16 kernels. For example, BPF programs gained the ability to create and handle timer events, to get and set socket options from setsockopt hooks, to call kernel module functions, a Bloom-filter BPF map type (a probabilistic data structure), and the ability to attach tags to function parameters.
  • The set of patches for real-time systems used in the kernel-rt kernel has been updated to the state corresponding to the 5.15-rt kernel.
  • The implementation of the MPTCP (MultiPath TCP) protocol, which lets a single TCP connection deliver packets simultaneously over several routes through different network interfaces, has been updated with changes carried over from the Linux 5.19 kernel (for example, support for falling back from MPTCP to plain TCP and an API for managing MPTCP streams from user space).
  • On systems with 64-bit ARM, AMD and Intel processors, the kernel's preemption model can be changed at runtime by writing the mode name to the file "/sys/kernel/debug/sched/preempt", or at boot time via the "preempt=" kernel parameter (the none, voluntary and full modes are supported).
  • GRUB bootloader settings have been changed to hide the default boot menu, showing the menu if a previous boot failed. To display the menu during boot, you can hold down the Shift key or periodically press the Esc or F8 keys. To disable hiding, you can use the "grub2-editenv - unset menu_auto_hide" command.
  • Support for creating virtual hardware clocks (PHC, PTP Hardware Clocks) has been added to the PTP (Precision Time Protocol) driver.
  • Added the modulesync command, which downloads RPM packages from modules and creates a repository in the working directory with the metadata needed to install module packages.
  • tuned, a service that monitors system state and applies tuning profiles to maximise performance for the current load, can now use the tuned-profiles-realtime package to isolate CPU cores and give application threads all the resources of those cores.
  • NetworkManager can translate connection profiles from the ifcfg settings format (/etc/sysconfig/network-scripts/ifcfg-*) to the keyfile format. The "nmcli connection migrate" command can be used to migrate profiles.
  • The SELinux toolkit has been updated to release 3.4, which speeds up relabeling by parallelizing operations, adds the "-m" ("--checksum") option to the semodule utility for obtaining SHA256 hashes of modules, and switches mcstrans to the PCRE2 library. New utilities for working with access policies have been added: sepol_check_access, sepol_compute_av, sepol_compute_member, sepol_compute_relabel, sepol_validate_transition. SELinux policies have been added to confine the ksm, nm-priv-helper, rhcd, stalld, systemd-network-generator, targetclid and wg-quick services.
  • Provided the ability to use the Clevis client (clevis-luks-systemd) to automatically unlock disk partitions encrypted with LUKS and mounted at a later stage of boot, without the need to use the "systemctl enable clevis-luks-askpass.path" command.
  • The image builder toolkit has been extended: it now supports uploading images to GCP (Google Cloud Platform), pushing an image directly to a container registry, adjusting the size of the /boot partition, and customizing parameters (Blueprint) during image generation (for example, adding packages and creating users).
  • The keylime package has been added for remote attestation (authentication and continuous integrity monitoring) of external systems using the TPM (Trusted Platform Module), for example to verify the authenticity of Edge and IoT devices located in an uncontrolled location where unauthorized physical access is possible.
  • The RHEL for Edge edition provides the ability to use the fdo-admin utility to configure FDO (FIDO Device Onboard) services and create certificates and keys for them.
  • SSSD (System Security Services Daemon) added support for caching SID requests (for example, GID/UID lookups) in RAM, which speeds up copying large numbers of files through the Samba server. Integration with Windows Server 2022 is supported.
  • In OpenSSH, the minimum RSA key size is set to 2048 bits by default, and the NSS libraries no longer support RSA keys smaller than 1023 bits. The RequiredRSASize parameter has been added to OpenSSH so that your own restrictions can be configured. Support has been added for the sntrup761x25519-sha512@openssh.com key exchange method, which is designed to resist attacks by quantum computers.
  • The ReaR toolkit (Relax-and-Recover) adds the ability to execute arbitrary commands before and after recovery.
  • The driver for the Intel E800 Ethernet adapters supports the iWARP and RoCE protocols.
  • A new httpd-core package has been added, into which the core Apache httpd components have been moved: enough to run an HTTP server with a minimum of dependencies. Additional modules such as mod_systemd and mod_brotli remain in the httpd package, along with the documentation.
  • A new xmlstarlet package has been added, with utilities for parsing, transforming, validating, extracting data from, and editing XML files, similar in spirit to grep, sed, awk, diff, patch and join, but operating on XML rather than plain text.
  • The capabilities of the system roles have been expanded. For example, the network role gained support for configuring routing rules and for using the nmstate API; the logging role gained filtering by regular expressions (startmsg.regex, endmsg.regex); the storage role gained support for thin-provisioned volumes; the sshd role can now manage /etc/ssh/sshd_config; the metrics role can export Postfix performance statistics; and the firewall role can replace the previous configuration and add, update or remove services depending on their state.
  • The container tooling has been updated, including the Podman, Buildah, Skopeo, crun and runc packages. GitLab Runner is now supported in containers using the Podman runtime. The netavark utility and the Aardvark DNS server are provided for configuring container networking.
  • Added support for the ap-check command in mdevctl to configure pass-through of crypto accelerators to virtual machines.
  • Added a Technology Preview ability to authenticate users using external providers (IdP, identity provider) that support the OAuth 2.0 protocol extension "Device Authorization Grant" to provide OAuth access tokens to devices without using a browser.
  • For the Wayland-based GNOME session, builds of Firefox using Wayland are provided. X11-based builds executed in the Wayland environment using the XWayland component are moved to a separate firefox-x11 package.
  • The Wayland-based session is enabled by default for systems with Matrox GPUs (Wayland was previously not used with Matrox GPUs due to limitations and performance issues that have now been resolved).
  • Implemented support for the GPUs integrated in 12th generation Intel Core processors, including Intel Core i3 12100T - i9 12900KS, Intel Pentium Gold G7400 and G7400T, Intel Celeron G6900 and G6900T, Intel Core i5-12450HX - i9-12950HX and Intel Core i3-1220P - i7-1280P. Added support for AMD Radeon RX 6[345]00 and AMD Ryzen 5/7/9 6[689]00 GPUs.
  • To control the mitigation for vulnerabilities in the MMIO (Memory Mapped Input/Output) mechanism, the kernel boot parameter "mmio_stale_data" has been implemented. It accepts the values "full" (clear CPU buffers when switching to user space or a VM), "full,nosmt" (as "full", plus SMT/Hyper-Threading is disabled) and "off" (mitigation disabled).
  • To control the mitigation for the Retbleed vulnerability, the "retbleed" kernel boot parameter has been implemented, through which the mitigation can be disabled ("off") or the blocking method selected (auto, nosmt, ibpb, unret).
  • The acpi_sleep kernel boot parameter supports new options to control sleep: s3_bios, s3_mode, s3_beep, s4_hwsig, s4_nohwsig, old_ordering, nonvs, sci_force_enable, and nobl.
  • Added a large portion of new drivers for network devices, storage systems and graphics chips.
  • Experimental (Technology Preview) support continues for KTLS (kernel-level TLS implementation), the WireGuard VPN, Intel SGX (Software Guard Extensions), Intel IDXD (Data Streaming Accelerator), DAX (Direct Access) for ext4 and XFS, AMD SEV and SEV-ES in the KVM hypervisor, the systemd-resolved service, the Stratis storage manager, Sigstore for verifying container digital signatures, the GIMP 2.99.8 graphical editor package, MPTCP (Multipath TCP) configuration via NetworkManager, an ACME (Automated Certificate Management Environment) server, virtio-mem, and the KVM hypervisor on ARM64.
  • The GTK 2 toolkit and the related packages adwaita-gtk2-theme, gnome-common, gtk2, gtk2-immodules and hexchat have been deprecated. X.org Server has been declared deprecated (RHEL 9 defaults to a Wayland-based GNOME session) and is planned to be removed in the next major RHEL branch, while the ability to run X11 applications from a Wayland session via the XWayland DDX server will be retained.
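
The RSA key-size floor mentioned above (2048 bits by default, adjustable with RequiredRSASize in sshd_config) is enforced by sshd when a client presents a key; an administrator will also want to find weak keys already sitting in authorized_keys files. The following script is an added example, not code from the release or from the OpenSSH project: it decodes the ssh-rsa wire format (type string, exponent mpint, modulus mpint) and reports keys whose modulus is shorter than the policy. The sample keys it audits are constructed in the script from an arbitrary odd modulus, so they are syntactically valid but are not real keys.

```python
"""Audit authorized_keys-style lines for RSA keys below a minimum modulus size.

Added example: the same size check that OpenSSH applies under RequiredRSASize,
performed offline over a file so weak keys can be found before sshd rejects them.
"""
import base64
import binascii
import struct

MIN_RSA_BITS = 2048  # OpenSSH default floor; raise it with "RequiredRSASize 3072" in sshd_config


def _string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the top bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def _read_string(blob: bytes, offset: int):
    """Read one wire-format string starting at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_modulus_bits(key_line: str) -> int:
    """Return the RSA modulus size in bits for a public-key line, or 0 if it is not a usable ssh-rsa key."""
    parts = key_line.split()
    if "ssh-rsa" not in parts:
        return 0  # ed25519, ecdsa, or a line with no recognisable key type
    idx = parts.index("ssh-rsa")  # options such as from="..." may precede the type
    if idx + 1 >= len(parts):
        return 0
    try:
        blob = base64.b64decode(parts[idx + 1], validate=True)
        key_type, off = _read_string(blob, 0)
        if key_type != b"ssh-rsa":
            return 0
        _exponent, off = _read_string(blob, off)
        modulus, _ = _read_string(blob, off)
    except (binascii.Error, struct.error):
        return 0  # malformed blob: not a key we can measure
    # int.from_bytes ignores the mpint's sign-padding byte, so bit_length() is the modulus size
    return int.from_bytes(modulus, "big").bit_length()


def audit(lines, min_bits=MIN_RSA_BITS):
    """Return [(line_number, bits)] for every RSA key weaker than min_bits."""
    weak = []
    for number, line in enumerate(lines, start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bits = rsa_modulus_bits(line)
        if bits and bits < min_bits:
            weak.append((number, bits))
    return weak


def make_sample_rsa_line(bits: int, comment: str) -> str:
    """Build a syntactically valid ssh-rsa line around a CONSTRUCTED modulus.

    The modulus is just an odd number with its top bit set at the requested size;
    it is not the product of two primes and cannot be used as a real key.
    """
    n = (1 << (bits - 1)) | 0x10001  # constructed placeholder, not derived from any key
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed sample authorized_keys content (comments are placeholders, not real hosts).
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample file",
    make_sample_rsa_line(1024, "legacy@build-host"),
    make_sample_rsa_line(2048, "ci@runner"),
    make_sample_rsa_line(3072, "admin@laptop"),
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey0000000000000000000 ops@bastion",
]

if __name__ == "__main__":
    for number, bits in audit(SAMPLE_AUTHORIZED_KEYS, MIN_RSA_BITS):
        print(f"line {number}: RSA {bits}-bit key is below the {MIN_RSA_BITS}-bit floor")
```

Run it against a real file with `audit(open(path).read().splitlines(), 3072)` to match a stricter `RequiredRSASize 3072` policy. The check only measures the modulus; it does not validate that the blob is a well-formed RSA key beyond the three wire-format fields it reads.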

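The "mmio_stale_data" and "retbleed" boot parameters described above only take effect if they are actually on the kernel command line with a documented value, and the kernel reports its final verdict under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example, not code from the release: it parses a command line for those two parameters, flags unknown values and explicit "off" settings, and reads the sysfs status (through an injectable reader so the same logic can run over data captured from another host). The command line and sysfs contents it checks are constructed samples modelled on the real file formats.

```python
"""Audit the mmio_stale_data and retbleed boot parameters and the kernel's sysfs verdict.

Added example. Allowed values are the ones listed in the RHEL 9.1 notes above;
the sample data at the bottom is constructed, not captured from a real host.
"""
from pathlib import Path

ALLOWED = {
    "mmio_stale_data": {"full", "full,nosmt", "off"},
    "retbleed": {"off", "auto", "nosmt", "ibpb", "unret"},
}
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def parse_cmdline(cmdline: str) -> dict:
    """Return {parameter: value} for the mitigation parameters present on a kernel command line."""
    found = {}
    for token in cmdline.split():
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        if key in ALLOWED:
            found[key] = value  # last occurrence wins, as the kernel does
    return found


def review_cmdline(cmdline: str) -> list:
    """Findings for a command line: undocumented values and mitigations explicitly disabled."""
    findings = []
    for key, value in parse_cmdline(cmdline).items():
        if value not in ALLOWED[key]:
            findings.append(f"{key}={value}: not a documented value, expected one of {sorted(ALLOWED[key])}")
        elif value == "off":
            findings.append(f"{key}=off: mitigation explicitly disabled on the command line")
    return findings


def _read_sysfs(name: str) -> str:
    return (VULN_DIR / name).read_text()


def sysfs_status(read=_read_sysfs) -> dict:
    """Kernel-reported status per issue; 'read' is injectable for off-box analysis of captured files."""
    status = {}
    for name in ALLOWED:
        try:
            status[name] = read(name).strip()
        except (OSError, KeyError):
            status[name] = "not reported by this kernel"
    return status


def vulnerable(status: dict) -> list:
    """Issues the kernel itself still reports as 'Vulnerable', regardless of what the command line says."""
    return [name for name, line in status.items() if line.startswith("Vulnerable")]


# Constructed sample data (not from a real host): retbleed disabled on the command line,
# MMIO mitigation enabled with SMT off, and sysfs lines in the kernel's reporting format.
SAMPLE_CMDLINE = (
    "BOOT_IMAGE=(hd0,gpt2)/vmlinuz-placeholder root=/dev/mapper/rhel-root ro "
    "retbleed=off mmio_stale_data=full,nosmt"
)
SAMPLE_SYSFS = {
    "mmio_stale_data": "Mitigation: Clear CPU buffers; SMT disabled\n",
    "retbleed": "Vulnerable\n",
}

if __name__ == "__main__":
    for finding in review_cmdline(SAMPLE_CMDLINE):
        print(finding)
    for name in vulnerable(sysfs_status(read=lambda n: SAMPLE_SYSFS[n])):
        print(f"{name}: kernel reports Vulnerable")
```

On a live RHEL 9.1 host, call `review_cmdline(Path("/proc/cmdline").read_text())` and `sysfs_status()` with the default reader; the sysfs verdict is the authoritative one, since it also reflects microcode and CPU support that a boot parameter alone cannot guarantee.
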
Source: opennet.ru