Red Hat Enterprise Linux 9.3 9.3 Release Notes

Red Hat Enterprise Linux 9.3

9.3 Release Notes

Release Notes for Red Hat Enterprise Linux 9.3

Last Updated: 2024-09-11

Red Hat Enterprise Linux 9.3 9.3 Release Notes

Release Notes for Red Hat Enterprise Linux 9.3

Legal Notice

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons

Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is

available at

http://creativecommons.org/licenses/by-sa/3.0/

. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must

provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,

Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift,

Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States

and other countries.

Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.

Java ® is a registered trademark of Oracle and/or its affiliates.

XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States

and/or other countries.

MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and

other countries.

Node.js ® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the

official Joyent Node.js open source or commercial project.

The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks

or trademarks/service marks of the OpenStack Foundation, in the United States and other

countries and are used with the OpenStack Foundation's permission. We are not affiliated with,

endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Abstract

The Release Notes provide high-level coverage of the improvements and additions that have been

implemented in Red Hat Enterprise Linux 9.3 and document known problems in this release, as well

as notable bug fixes, Technology Previews, deprecated functionality, and other details. For

information about installing Red Hat Enterprise Linux, see Installation.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Table of Contents

PROVIDING FEEDBACK ON RED HAT DOCUMENTATION

CHAPTER 1. OVERVIEW

1.1. MAJOR CHANGES IN RHEL 9.3

Installer and image creation

1.1.1. Bootloader

RHEL for Edge

Security

Dynamic programming languages, web and database servers

Compilers and development tools

Updated system toolchain

Updated performance tools and debuggers

Updated performance monitoring tools

Updated compiler toolsets

Java implementations in RHEL 9

1.2. IN-PLACE UPGRADE

In-place upgrade from RHEL 8 to RHEL 9

In-place upgrade from RHEL 7 to RHEL 9

1.3. RED HAT CUSTOMER PORTAL LABS

1.4. ADDITIONAL RESOURCES

CHAPTER 2. ARCHITECTURES

CHAPTER 3. DISTRIBUTION OF CONTENT IN RHEL 9

3.1. INSTALLATION

3.2. REPOSITORIES

3.3. APPLICATION STREAMS

3.4. PACKAGE MANAGEMENT WITH YUM/DNF

CHAPTER 4. NEW FEATURES

4.1. INSTALLER AND IMAGE CREATION

4.2. SECURITY

4.3. RHEL FOR EDGE

4.4. SOFTWARE MANAGEMENT

4.5. SHELLS AND COMMAND-LINE TOOLS

4.6. INFRASTRUCTURE SERVICES

4.7. NETWORKING

4.8. KERNEL

4.9. BOOT LOADER

4.10. FILE SYSTEMS AND STORAGE

4.11. HIGH AVAILABILITY AND CLUSTERS

4.12. DYNAMIC PROGRAMMING LANGUAGES, WEB AND DATABASE SERVERS

4.13. COMPILERS AND DEVELOPMENT TOOLS

4.14. IDENTITY MANAGEMENT

4.15. GRAPHICS INFRASTRUCTURES

4.16. THE WEB CONSOLE

4.17. RED HAT ENTERPRISE LINUX SYSTEM ROLES

4.18. VIRTUALIZATION

4.19. RHEL IN CLOUD ENVIRONMENTS

4.20. SUPPORTABILITY

4.21. CONTAINERS

Table of Contents

CHAPTER 5. IMPORTANT CHANGES TO EXTERNAL KERNEL PARAMETERS

New kernel parameters

Updated kernel parameters

Removed kernel parameters

CHAPTER 6. DEVICE DRIVERS

6.1. NEW DRIVERS

Network drivers

Graphics drivers and miscellaneous drivers

6.2. UPDATED DRIVERS

Network driver updates

Storage driver updates

CHAPTER 7. AVAILABLE BPF FEATURES

CHAPTER 8. BUG FIXES

8.1. INSTALLER AND IMAGE CREATION

8.2. SECURITY

8.3. SUBSCRIPTION MANAGEMENT

8.4. SOFTWARE MANAGEMENT

8.5. SHELLS AND COMMAND-LINE TOOLS

8.6. NETWORKING

8.7. KERNEL

8.8. BOOT LOADER

8.9. FILE SYSTEMS AND STORAGE

8.10. HIGH AVAILABILITY AND CLUSTERS

8.11. COMPILERS AND DEVELOPMENT TOOLS

8.12. IDENTITY MANAGEMENT

8.13. THE WEB CONSOLE

8.14. RED HAT ENTERPRISE LINUX SYSTEM ROLES

8.15. VIRTUALIZATION

CHAPTER 9. TECHNOLOGY PREVIEWS

9.1. INSTALLER AND IMAGE CREATION

9.2. SECURITY

9.3. SHELLS AND COMMAND-LINE TOOLS

9.4. INFRASTRUCTURE SERVICES

9.5. NETWORKING

9.6. KERNEL

9.7. FILE SYSTEMS AND STORAGE

9.8. COMPILERS AND DEVELOPMENT TOOLS

9.9. IDENTITY MANAGEMENT

9.10. DESKTOP

9.11. VIRTUALIZATION

9.12. RHEL IN CLOUD ENVIRONMENTS

9.13. CONTAINERS

CHAPTER 10. DEPRECATED FUNCTIONALITY

10.1. INSTALLER AND IMAGE CREATION

10.2. SECURITY

10.3. SUBSCRIPTION MANAGEMENT

10.4. SHELLS AND COMMAND-LINE TOOLS

10.5. NETWORKING

10.6. KERNEL

110

116

118

119

121

122

125

129

131

132

133

135

136

137

139

140

141

143

144

146

147

Red Hat Enterprise Linux 9.3 9.3 Release Notes

10.7. FILE SYSTEMS AND STORAGE

10.8. DYNAMIC PROGRAMMING LANGUAGES, WEB AND DATABASE SERVERS

10.9. COMPILERS AND DEVELOPMENT TOOLS

10.10. IDENTITY MANAGEMENT

10.11. DESKTOP

10.12. GRAPHICS INFRASTRUCTURES

10.13. RED HAT ENTERPRISE LINUX SYSTEM ROLES

10.14. VIRTUALIZATION

10.15. CONTAINERS

10.16. DEPRECATED PACKAGES

CHAPTER 11. KNOWN ISSUES

11.1. INSTALLER AND IMAGE CREATION

11.2. SECURITY

11.3. RHEL FOR EDGE

11.4. SOFTWARE MANAGEMENT

11.5. SHELLS AND COMMAND-LINE TOOLS

11.6. INFRASTRUCTURE SERVICES

11.7. NETWORKING

11.8. KERNEL

11.9. FILE SYSTEMS AND STORAGE

11.10. DYNAMIC PROGRAMMING LANGUAGES, WEB AND DATABASE SERVERS

11.11. IDENTITY MANAGEMENT

11.12. DESKTOP

11.13. GRAPHICS INFRASTRUCTURES

11.14. RED HAT ENTERPRISE LINUX SYSTEM ROLES

11.15. VIRTUALIZATION

11.16. RHEL IN CLOUD ENVIRONMENTS

11.17. SUPPORTABILITY

11.18. CONTAINERS

APPENDIX A. LIST OF TICKETS BY COMPONENT

APPENDIX B. REVISION HISTORY

148

149

150

151

152

153

155

170

174

178

179

181

183

187

189

190

194

195

196

201

203

205

214

Table of Contents

Red Hat Enterprise Linux 9.3 9.3 Release Notes

PROVIDING FEEDBACK ON RED HAT DOCUMENTATION

We appreciate your feedback on our documentation. Let us know how we can improve it.

Submitting feedback through Jira (account required)

1. Log in to the Jira website.

2. Click Create in the top navigation bar

3. Enter a descriptive title in the Summary field.

4. Enter your suggestion for improvement in the Description field. Include links to the relevant

parts of the documentation.

5. Click Create at the bottom of the dialogue.

PROVIDING FEEDBACK ON RED HAT DOCUMENTATION

CHAPTER 1. OVERVIEW

1.1. MAJOR CHANGES IN RHEL 9.3

Installer and image creation

Key highlights for image builder:

Enhancement to the AWS EC2 AMD or Intel 64-bit architecture AMI image to support UEFI

boot, in addition to the legacy BIOS boot.

For more information, see New features - Installer and image creation .

1.1.1. Bootloader

New default behavior of grub2-mkconfig with BLS

With this release, the grub2-mkconfig command no longer overwrites the kernel command line in Boot

Loader Specification (BLS) snippets with GRUB_CMDLINE_LINUX by default. Each kernel in the boot

loader menu takes its kernel command line from its BLS snippet. This new default behavior is caused by

the GRUB_ENABLE_BLSCFG=true option.

For details, see New features in Bootloader.

RHEL for Edge

Key highlights for RHEL for Edge:

Support added to the following image types:

minimal-raw

edge-vsphere

edge-ami

New FIDO Device Onboarding Servers container images available

rhel9/fdo-manufacturing-server

rhel9/fdo-owner-onboarding-server

rhel9/fdo-rendezvous-server

rhel9/fdo-serviceinfo-api-server

For more information, see New features - RHEL for Edge .

Security

Key security-related highlights:

Keylime was rebased to version 7.3.0.

The keylime RHEL System Role is available. With this role, you can more easily configure the

Keylime verifier and Keylime registrar.

OpenSSH was migrated further from the less secure SHA-1 message digest for cryptographic

purposes, and instead applies the more secure SHA-2 in additional scenarios.

Red Hat Enterprise Linux 9.3 9.3 Release Notes

The pcsc-lite-ccid USB Chip/Smart Card Interface Device(CCID)) and Integrated Circuit Card

Device (ICCD) driver was rebased to version 1.5.2.

RHEL 9.3 introduces further improvements to support the Extended Master Secret (EMS)

extension (RFC 7627) required by the FIPS-140-3 standard for all TLS 1.2 connections.

SEtools, the collection of graphical tools, command-line tools, and libraries for SELinux policy

analysis, was rebased to version 4.4.3.

OpenSCAP was rebased to version 1.3.8.

SCAP Security Guide was rebased to version 0.1.69, most notably:

ANSSI profiles were updated to version 2.0.

Three new SCAP profiles were added for RHEL 9 aligned with the CCN-STIC-610A22

Guide.

See New features - Security for more information.

Dynamic programming languages, web and database servers

Later versions of the following Application Streams are now available:

Redis 7

Node.js 20

In addition, the Apache HTTP Server has been updated to version 2.4.57.

See New features - Dynamic programming languages, web and database servers for more information.

Compilers and development tools

Updated system toolchain

The following system toolchain component has been updated in RHEL 9.3:

GCC 11.4.1

Updated performance tools and debuggers

The following performance tools and debuggers have been updated in RHEL 9.3:

Valgrind 3.21

SystemTap 4.9

elfutils 0.189

Updated performance monitoring tools

The following performance monitoring tools have been updated in RHEL 9.3:

PCP 6.0.5

Grafana 9.2.10

Updated compiler toolsets

The following compiler toolsets have been updated in RHEL 9.3:

GCC Toolset 13 (new)

CHAPTER 1. OVERVIEW

LLVM Toolset 16.0.6

Rust Toolset 1.71.1

Go Toolset 1.20.10

For detailed changes, see New features - Compilers and development tools .

Java implementations in RHEL 9

The RHEL 9 AppStream repository includes:

The java-21-openjdk packages, which provide the OpenJDK 21 Java Runtime Environment and

the OpenJDK 21 Java Software Development Kit. An OpenJDK 21.0.1 security release is also

available to install. It is recommended that you install the OpenJDK 21.0.1 update to acquire the

latest security fixes.

The java-17-openjdk packages, which provide the OpenJDK 17 Java Runtime Environment and

the OpenJDK 17 Java Software Development Kit.

The java-11-openjdk packages, which provide the OpenJDK 11 Java Runtime Environment and

the OpenJDK 11 Java Software Development Kit.

The java-1.8.0-openjdk packages, which provide the OpenJDK 8 Java Runtime Environment

and the OpenJDK 8 Java Software Development Kit.

The Red Hat build of OpenJDK packages share a single set of binaries between its portable Linux

releases and RHEL 9.3 and later releases. With this update, there is a change in the process of rebuilding

the OpenJDK packages on RHEL from the source RPM. For more information about the new rebuilding

process, see the README.md file which is available in the SRPM package of the Red Hat build of

OpenJDK and is also installed by the java-*-openjdk-headless packages under the /usr/share/doc tree.

For more information, see OpenJDK documentation.

1.2. IN-PLACE UPGRADE

In-place upgrade from RHEL 8 to RHEL 9

The supported in-place upgrade paths currently are:

From RHEL 8.6 to RHEL 9.0, RHEL 8.8 to RHEL 9.2, and RHEL 8.9 to RHEL 9.3 on the following

architectures:

64-bit Intel

64-bit AMD

64-bit ARM

IBM POWER 9 (little endian)

IBM Z architectures, excluding z13

From RHEL 8.6 to RHEL 9.0 and RHEL 8.8 to RHEL 9.2 on systems with SAP HANA

For more information, see Supported in-place upgrade paths for Red Hat Enterprise Linux .

For instructions on performing an in-place upgrade, see Upgrading from RHEL 8 to RHEL 9 .

If you are upgrading to RHEL 9.2 with SAP HANA, ensure that the system is certified for SAP before the

Red Hat Enterprise Linux 9.3 9.3 Release Notes

If you are upgrading to RHEL 9.2 with SAP HANA, ensure that the system is certified for SAP before the

upgrade. For instructions on performing an in-place upgrade on systems with SAP environments, see

How to in-place upgrade SAP environments from RHEL 8 to RHEL 9 .

Notable enhancements include:

Requirements on disk space have been significantly reduced on systems with XFS filesystems

formatted with ftype=0.

Disk images created during the upgrade process for upgrade purposes now have dynamic sizes.

The LEAPP_OVL_SIZE environment variable is not needed anymore.

Issues with the calculation of the required free space on existing disk partitions have been fixed.

The missing free disk space is now correctly detected before the required reboot of the system,

and the report correctly displays file systems that do not have enough free space to proceed

the upgrade RPM transaction.

Third-party drivers can now be managed during the in-place upgrade process using custom

leapp actors.

An overview of the pre-upgrade and upgrade reports is now printed in the terminal.

Upgrades of RHEL Real Time and RHEL Real Time for Network Functions Virtualization (NFV) in

Red Hat OpenStack Platform are now supported.

In-place upgrade from RHEL 7 to RHEL 9

It is not possible to perform an in-place upgrade directly from RHEL 7 to RHEL 9. However, you can

perform an in-place upgrade from RHEL 7 to RHEL 8 and then perform a second in-place upgrade to

RHEL 9. For more information, see Upgrading from RHEL 7 to RHEL 8 .

1.3. RED HAT CUSTOMER PORTAL LABS

Red Hat Customer Portal Labs is a set of tools in a section of the Customer Portal available at

https://access.redhat.com/labs/. The applications in Red Hat Customer Portal Labs can help you

improve performance, quickly troubleshoot issues, identify security problems, and quickly deploy and

configure complex applications. Some of the most popular applications are:

Registration Assistant

Kickstart Generator

Red Hat Product Certificates

Red Hat CVE Checker

Kernel Oops Analyzer

Red Hat Code Browser

VNC Configurator

Red Hat OpenShift Container Platform Update Graph

Red Hat Satellite Upgrade Helper

JVM Options Configuration Tool

CHAPTER 1. OVERVIEW

Load Balancer Configuration Tool

Red Hat OpenShift Data Foundation Supportability and Interoperability Checker

Ansible Automation Platform Upgrade Assistant

Ceph Placement Groups (PGs) per Pool Calculator

1.4. ADDITIONAL RESOURCES

Capabilities and limits of Red Hat Enterprise Linux 9 as compared to other versions of the system are

available in the Knowledgebase article Red Hat Enterprise Linux technology capabilities and limits .

Information regarding the Red Hat Enterprise Linux life cycle is provided in the Red Hat Enterprise

Linux Life Cycle document.

The Package manifest document provides a package listing for RHEL 9, including licenses and

application compatibility levels.

Application compatibility levels are explained in the Red Hat Enterprise Linux 9: Application

Compatibility Guide document.

Major differences between RHEL 8 and RHEL 9, including removed functionality, are documented in

Considerations in adopting RHEL 9 .

Instructions on how to perform an in-place upgrade from RHEL 8 to RHEL 9 are provided by the

document Upgrading from RHEL 8 to RHEL 9 .

The Red Hat Insights service, which enables you to proactively identify, examine, and resolve known

technical issues, is available with all RHEL subscriptions. For instructions on how to install the Red Hat

Insights client and register your system to the service, see the Red Hat Insights Get Started page.

NOTE

Public release notes include links to access the original tracking tickets, but private

release notes are not viewable so do not include links.

[1]

Public release notes include links to access the original tracking tickets, but private release notes are not

viewable so do not include links.

Red Hat Enterprise Linux 9.3 9.3 Release Notes

CHAPTER 2. ARCHITECTURES

Red Hat Enterprise Linux 9.3 is distributed with the kernel version 5.14.0-362.8.1, which provides support

for the following architectures at the minimum required version (stated in parentheses):

AMD and Intel 64-bit architectures (x86-64-v2)

The 64-bit ARM architecture (ARMv8.0-A)

IBM Power Systems, Little Endian (POWER9)

64-bit IBM Z (z14)

Make sure you purchase the appropriate subscription for each architecture. For more information, see

Get Started with Red Hat Enterprise Linux - additional architectures .

CHAPTER 2. ARCHITECTURES

CHAPTER 3. DISTRIBUTION OF CONTENT IN RHEL 9

3.1. INSTALLATION

Red Hat Enterprise Linux 9 is installed using ISO images. Two types of ISO image are available for the

AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures:

Installation ISO: A full installation image that contains the BaseOS and AppStream repositories

and allows you to complete the installation without additional repositories. On the Product

Downloads page, the Installation ISO is referred to as Binary DVD.

NOTE

The Installation ISO image is in multiple GB size, and as a result, it might not fit on

optical media formats. A USB key or USB hard drive is recommended when using

the Installation ISO image to create bootable installation media. You can also use

the Image Builder tool to create customized RHEL images. For more information

about Image Builder, see the Composing a customized RHEL system image

document.

Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This

option requires access to the BaseOS and AppStream repositories to install software packages.

The repositories are part of the Installation ISO image. You can also register to Red Hat CDN or

Satellite during the installation to use the latest BaseOS and AppStream content from Red Hat

CDN or Satellite.

See the Performing a standard RHEL 9 installation document for instructions on downloading ISO

images, creating installation media, and completing a RHEL installation. For automated Kickstart

installations and other advanced topics, see the Performing an advanced RHEL 9 installation document.

3.2. REPOSITORIES

Red Hat Enterprise Linux 9 is distributed through two main repositories:

BaseOS

AppStream

Both repositories are required for a basic RHEL installation, and are available with all RHEL

subscriptions.

Content in the BaseOS repository is intended to provide the core set of the underlying operating

system functionality that provides the foundation for all installations. This content is available in the

RPM format and is subject to support terms similar to those in previous releases of RHEL. For more

information, see the Scope of Coverage Details document.

Content in the AppStream repository includes additional user-space applications, runtime languages,

and databases in support of the varied workloads and use cases.

In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It provides

additional packages for use by developers. Packages included in the CodeReady Linux Builder

repository are unsupported.

For more information about RHEL 9 repositories and the packages they provide, see the Package

Red Hat Enterprise Linux 9.3 9.3 Release Notes

For more information about RHEL 9 repositories and the packages they provide, see the Package

manifest.

3.3. APPLICATION STREAMS

Multiple versions of user-space components are delivered as Application Streams and updated more

frequently than the core operating system packages. This provides greater flexibility to customize RHEL

without impacting the underlying stability of the platform or specific deployments.

Application Streams are available in the familiar RPM format, as an extension to the RPM format called

modules, as Software Collections, or as Flatpaks.

Each Application Stream component has a given life cycle, either the same as RHEL 9 or shorter. For

RHEL life cycle information, see Red Hat Enterprise Linux Life Cycle .

RHEL 9 improves the Application Streams experience by providing initial Application Stream versions

that can be installed as RPM packages using the traditional dnf install command.

NOTE

Certain initial Application Streams in the RPM format have a shorter life cycle than Red

Hat Enterprise Linux 9.

Some additional Application Stream versions will be distributed as modules with a shorter life cycle in

future minor RHEL 9 releases. Modules are collections of packages representing a logical unit: an

application, a language stack, a database, or a set of tools. These packages are built, tested, and

released together.

Always determine what version of an Application Stream you want to install and make sure to review the

Red Hat Enterprise Linux Application Stream Lifecycle first.

Content that needs rapid updating, such as alternate compilers and container tools, is available in rolling

streams that will not provide alternative versions in parallel. Rolling streams may be packaged as RPMs

or modules.

For information about Application Streams available in RHEL 9 and their application compatibility level,

see the Package manifest. Application compatibility levels are explained in the Red Hat Enterprise Linux

9: Application Compatibility Guide document.

3.4. PACKAGE MANAGEMENT WITH YUM/DNF

In Red Hat Enterprise Linux 9, software installation is ensured by DNF. Red Hat continues to support the

usage of the yum term for consistency with previous major versions of RHEL. If you type dnf instead of

yum, the command works as expected because both are aliases for compatibility.

Although RHEL 8 and RHEL 9 are based on DNF, they are compatible with YUM used in RHEL 7.

For more information, see Managing software with the DNF tool.

CHAPTER 3. DISTRIBUTION OF CONTENT IN RHEL 9

CHAPTER 4. NEW FEATURES

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.3.

4.1. INSTALLER AND IMAGE CREATION

Support to both legacy and UEFI boot for AWS EC2 images

Previously, RHEL image builder created EC2 AMD or Intel 64-bit architecture AMIs images with support

only for the legacy boot type. As a consequence, it was not possible to take advantage of certain AWS

features requiring UEFI boot, such as secure boot. This enhancement extends the AWS EC2 AMD or

Intel 64-bit architecture AMI image to support UEFI boot, in addition to the legacy BIOS boot. As a

result, it is now possible to take advantage of AWS features which require booting the image with UEFI.

Jira:RHELDOCS-16339

[1]

New boot option inst.wait_for_disks= to add wait time for loading a Kickstart file or the

kernel drivers

Sometimes, it may take a few seconds to load a Kickstart file or the kernel drivers from the device with

the OEMDRV label during the boot process. To adjust the wait time, you can now use the new boot

option, inst.wait_for_disks=. Using this option, you can specify how many seconds to wait before the

installation. The default time is set to 5 seconds, however, you can use 0 seconds to minimize the delay.

For more information about this option, see Storage boot options.

Bugzilla:2171811

Ability to select required kernel while installing RHEL on ARM using GUI and TUI

Previously, you could install RHEL on ARM with kernel-64k page size only by using the Kickstart method.

With this update, you can now install RHEL on ARM using the GUI or the TUI and selecting the required

kernel version. The option to select the required kernel is available on the Software Selection screen

under Kernel Options.

Bugzilla:2164819

[1]

Support for VMware VSphere (OVA)

This update adds support to build VMware VSphere OVA files by using RHEL image builder. The Open

Virtual Appliance (OVA) file is a virtual appliance used by the VMware VSphere virtualization application.

The OVA file contains files used to describe a virtual machine, such as an OVF descriptor file, one or

more virtual machine disk image files (VMDK), optional manifest (MF) and certificate files. By using the

VMware VSphere (.ova), you can more easily deploy the image to VMware vSphere by using the vSphere

GUI client. You can further customize the resulting VM before you boot the image.

Jira:RHELDOCS-16877

[1]

New network Kickstart options to control DNS handling

You can now control DNS handling using the network Kickstart command with the following new

options. Use these new options with the --device option.

The --ipv4-dns-search and --ipv6-dns-search options allow you to set DNS search domains

manually. These options mirror their NetworkManager properties, for example:

network --device ens3 --ipv4-dns-search domain1.example.com,domain2.example.com

Red Hat Enterprise Linux 9.3 9.3 Release Notes

The --ipv4-ignore-auto-dns and --ipv6-ignore-auto-dns options allow you to ignore DNS

settings from DHCP. They do not require any arguments.

Bugzilla:2065754

[1]

Minimal RHEL installation now installs only the s390utils-core package

In RHEL 8.4 and later, the s390utils-base package is split into an s390utils-core package and an

auxiliary s390utils-base package. As a result, setting the RHEL installation to minimal-environment

installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you

want to use the s390utils-base package with a minimal RHEL installation, you must manually install the

package after completing the RHEL installation or explicitly install s390utils-base using a Kickstart file.

Bugzilla:1932480

[1]

4.2. SECURITY

Keylime rebased to version 7.3.0

The Keylime packages have been updated to upstream version 7.3.0. This version provides various

enhancements and bug fixes. Most notably, the allow and exclude lists are combined into the Keylime

runtime policy. You can combine the two lists by using the convert_runtime_policy.py script.

In addition, the update fixes two vulnerabilities with the moderate impact rating: CVE-2023-38200 and

CVE-2023-38201.

Jira:RHEL-476

[1]

Ports for Keylime have stricter rules in SELinux policy

Ports used by Keylime are now labeled as keylime_port_t in the Keylime SELinux policy. The policy now

allows TCP connections for ports with this label. This is because the previous Keylime SELinux policy

allowed connecting to all undefined ports and also most of the ports used by Keylime were in the

undefined group. As a result, this update increases the granularity of the Keylime SELinux policy, and

port security can be more strict and better targeted.

Jira:RHEL-595

[1]

Audit now supports FANOTIFY record fields

This update of the audit packages introduces support for FANOTIFY Audit record fields. The Audit

subsystem now logs additional information in the AUDIT_FANOTIFY record, notably:

fan_type to specify the type of a FANOTIFY event

fan_info to specify additional context information

sub_trust and obj_trust to indicate trust levels for a subject and an object involved in an event

As a result, you can better understand why the Audit system denied access in certain cases. This can

help you write policies for tools such as the fapolicyd framework.

Jira:RHELPLAN-161087

[1]

fapolicyd now provides rule numbers for troubleshooting

With this enhancement, new kernel and Audit components allow the fapolicyd service to send the

CHAPTER 4. NEW FEATURES

With this enhancement, new kernel and Audit components allow the fapolicyd service to send the

number of the rule that causes a denial to the fanotify API. As a result, you can troubleshoot problems

related to fapolicyd more precisely.

Jira:RHEL-624

crypto-policies now provides the NO-ENFORCE-EMS subpolicy for TLS 1.2 connections in

FIPS mode

The system-wide cryptographic policies now contain the NO-ENFORCE-EMS subpolicy. After applying

the new subpolicy, the system no longer requires the Extended Master Secret (EMS) extension (RFC

7627) for all TLS 1.2 connections negotiated in FIPS mode. This allows the system to connect to legacy

systems without support for EMS or TLS 1.3. Note that this violates the requirements of the FIPS-140-3

standard. You can apply the subpolicy by entering the update-crypto-policies --set FIPS:NO-

ENFORCE-EMS command.

Bugzilla:2216257

[1]

GnuTLS requires EMS with TLS 1.2 in FIPS mode

To comply with the FIPS-140-3 standard, GnuTLS servers and clients require the Extended Master

Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections negotiated in FIPS mode. If your

scenario requires preserving compatibility with older servers and clients that do not support EMS and

you cannot use TLS 1.3, you can apply the NO-ENFORCE-EMS system-wide cryptographic subpolicy:

# update-crypto-policies --set FIPS:NO-ENFORCE-EMS

WARNING

If you allow TLS 1.2 connections without EMS, your system no longer meets the

FIPS-140-3 requirements.

Bugzilla:2157953

NSS now enforce EMS in FIPS mode

The Network Security Services (NSS) libraries now contain the TLS-REQUIRE-EMS policy to require

the Extended Master Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections as mandated by

the FIPS 140-3 standard. NSS use the new policy when the system-wide cryptographic policies are set to

FIPS.

If your scenario requires interoperating with legacy systems without support for EMS or TLS 1.3, you can

apply the NO-ENFORCE-EMS system-wide cryptographic subpolicy. Such a change violates the FIPS-

140-3 requirements.

Bugzilla:2157950

OpenSSL now supports disabling EMS in FIPS mode

You can now configure the OpenSSL cryptographic libraries to allow for TLS 1.2 connections without the

Extended Master Secret (EMS) extension (RFC 7627) in FIPS mode by editing the

/etc/pki/tls/fips_local.cnf file. In a text editor of your choice, add the following section to the



Red Hat Enterprise Linux 9.3 9.3 Release Notes

configuration file:

[fips_sect]

tls1-prf-ems-check = 0

activate = 1

Then, locate the SSL configuration section in the /etc/pki/tls/openssl.cnf file. The default SSL

configuration section is crypto_policy. At the end of the SSL configuration section, add the following

line:

Options=RHNoEnforceEMSinFIPS

The previous configuration changes allow the system in FIPS mode to connect to legacy systems

without support for EMS or TLS 1.3.

WARNING

You can stop enforcing EMS for TLS 1.2 in FIPS mode by entering the update-

crypto-policies --set FIPS:NO-ENFORCE-EMS command. In both cases, such a

configuration change violates the requirements of the FIPS-140-3 standard.

Bugzilla:2216256

[1]

OpenSSH further enforces SHA-2

As part of the effort to migrate further from the less secure SHA-1 message digest for cryptographic

purposes, the following changes were made in OpenSSH:

Added a check on sshd startup whether using SHA-1 is configured on the system. If it is not

available, OpenSSH does not try to use SHA-1 for operations. This eliminates loading DSS keys

when they are present and also enforces advertising rsa-sha2 combinations when they are

available.

On SSH private key conversion, OpenSSH explicitly uses SHA-2 for testing RSA keys.

When SHA-1 signatures are unavailable on the server side, sshd uses SHA-2 to confirm host key

proof. This might be incompatible with clients on RHEL 8 and earlier versions.

When the SHA-1 algorithm is unavailable on the client side, OpenSSH uses SHA-2.

On the client side, OpenSSH permits SHA-2-based key proofs from the server when SHA-1 was

used in key proof request or when the hash algorithm is not specified (assuming default). This is

aligned with the already present exception for RSA certificates, and allows connecting by using

modern algorithms when supported.

Bugzilla:2070163

OpenSSL now contains protections against Bleichenbacher-like attacks

This release of the OpenSSL TLS toolkit introduces API-level protections against Bleichenbacher-like

attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now returns a randomly



CHAPTER 4. NEW FEATURES

generated deterministic message instead of an error if it detects an error when checking padding during

a PKCS #1 v1.5 decryption. The change provides general protection against vulnerabilities such as CVE-

2020-25659 and CVE-2020-25657.

You can disable this protection by calling the EVP_PKEY_CTX_ctrl_str(ctx,

"rsa_pkcs1_implicit_rejection". "0") function on the RSA decryption context, but this makes your

system more vulnerable.

Bugzilla:2153471

OpenSSL now supports Brainpool curves configurable through the Groups option

This update of the OpenSSL TLS toolkit introduces support for Brainpool curves in Elliptic Curve

Cryptography (ECC). Additionally, you can control the curves with the system-wide cryptographic

policies through the Groups configuration option.

The following Brainpool curves are enabled in OpenSSL ECC:

brainpoolP256r1

brainpoolP256t1

brainpoolP320r1

brainpoolP320t1

brainpoolP384r1

brainpoolP384t1

brainpoolP512r1

brainpoolP512t1

Bugzilla:2188180

crypto-policies now supports OpenSSL ECC Brainpool curves

With this update of the system-wide cryptographic policies, you can now control the following Brainpool

Elliptic Curve Cryptography (ECC) curves in OpenSSL by using the group option:

BRAINPOOL-P256R1

BRAINPOOL-P384R1

BRAINPOOL-P512R1.

For example, you can enable all supported Brainpool elliptic curves in OpenSSL by creating a subpolicy

that contains the following line:

group = BRAINPOOL-*+

Bugzilla:2193324

[1]

crypto-policies now use the same group order as OpenSSL by default

In this release, the system-wide cryptographic policies (crypto-policies) control the group order in the

OpenSSL Groups configuration option. To preserve the performance in OpenSSL, crypto-policies use

Red Hat Enterprise Linux 9.3 9.3 Release Notes

the default group order that matches the order of the OpenSSL built-in preferences. As a result, the

RHEL cryptographic back ends that support crypto-policies for controlling the group order, such as

GnuTLS, now use the same order as OpenSSL.

Jira:RHEL-591

[1]

crypto-policies permitted_enctypes no longer break replications in FIPS mode

Before this update, an IdM server running on RHEL 8 sent an AES-256-HMAC-SHA-1-encrypted service

ticket that an IdM replica running RHEL 9 in FIPS mode. Consequently, the default permitted_enctypes

krb5 configuration broke a replication between the RHEL 8 IdM server and the RHEL 9 IdM replica in

FIPS mode.

This update of the system-wide cryptographic policies reorders the permitted_enctypes krb5

configuration option values to allow prioritization of more interoperable encryption types by default. As a

result, the permitted_enctypes configuration no longer break replications between a RHEL 8 IdM

servers and a RHEL 9 IdM replica in FIPS mode.

NOTE

If you use Kerberos, verify the order of the values of permitted_enctypes in the

/etc/crypto-policies/back-ends/krb5.config file. If your scenario requires a different

order, apply a custom cryptographic subpolicy.

Bugzilla:2225222

pcsc-lite-ccid rebased to 1.5.2

The pcsc-lite-ccid package has been updated to version 1.5.2. This version provides various bug fixes

and enhancements, most notably:

Support for new readers

Fix for Alcor Micro AU9560

Bugzilla:2209457

opensc rebased to 0.23

The opensc packages have been updated to version 0.23. This version provides various bug fixes and

enhancements, most notably:

Added support for encryption and decryption using symmetric keys

Added support for signing data with a length of more than 512 bytes

Disabled old card driver support by default

Removed support for old drivers MioCOS and JCOP

Jira:RHEL-280

[1]

setools rebased to 4.4.3

The setools packages have been updated to version 4.4.3. This version provides various bug fixes and

enhancements, most notably:

CHAPTER 4. NEW FEATURES

Fixed compilation with Cython 3.0.0

Improved man pages

Removed unused options in sediff, sesearch, and apol

Added the -r option to seinfoflow command to get flows analysis into the source type

Rules with no permissions are automatically rejected as an invalid policy

Bugzilla:2231801, Bugzilla:2184140

Additional services confined in the SELinux policy

This update adds additional rules to the SELinux policy that confine the following systemd services:

qat

systemd-pstore

boothd

fdo-manufacturing-server

fdo-rendezvous-server

fdo-client-linuxapp

fdo-owner-onboarding-server

As a result, these services do not run with the unconfined_service_t SELinux label anymore, and run

successfully in SELinux enforcing mode.

Bugzilla:2080443

[1]

, Bugzilla:2026795, Bugzilla:2181565, Bugzilla:2128833

OpenSCAP rebased to 1.3.8

The OpenSCAP packages have been rebased to upstream version 1.3.8. This version provides various

bug fixes and enhancements, most notably:

Fixed systemd probes to not ignore some systemd units

Added offline capabilities to the shadow OVAL probe

Added offline capabilities to the sysctl OVAL probe

Added auristorfs to the list of network filesystems

Created a workaround for issues with tailoring files produced by the autotailor utility

Bugzilla:2217442

SCAP Security Guide rebased to version 0.1.69

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.69. This version

provides various enhancements and bug fixes. Most notably, it introduces three new SCAP profiles for

RHEL 9 aligned with the CCN-STIC-610A22 Guide issued by the National Cryptologic Center of Spain

in October 2022:

Red Hat Enterprise Linux 9.3 9.3 Release Notes

Profile name Profile ID Policy version

CCN Red Hat Enterprise Linux 9 -

Advanced

xccdf_org.ssgproject.conten

t_profile_ccn_advanced

2022-10

CCN Red Hat Enterprise Linux 9 -

Basic

xccdf_org.ssgproject.conten

t_profile_ccn_basic

2022-10

CCN Red Hat Enterprise Linux 9 -

Intermediate

xccdf_org.ssgproject.conten

t_profile_ccn_intermediate

2022-10

Bugzilla:2221697

ANSSI-BP-028 security profiles updated to version 2.0

The following French National Agency for the Security of Information Systems (ANSSI) BP-028 in the

SCAP Security Guide were updated to be aligned with version 2.0:

ANSSI-BP-028 Minimal Level

ANSSI-BP-028 Intermediary Level

ANSSI-BP-028 Enhanced Level

ANSSI-BP-028 High Level

Bugzilla:2155790

python3-greenlet-devel is now available in CRB

The python3-greenlet-devel package is now available in the CodeReady Linux Builder (CRB) repository,

which you must explicitly enable. See the How to enable and make use of content within CodeReady

Linux Builder Knowledgebase article for more information. Note that packages included in the CRB

repository are unsupported.

Bugzilla:2149497

SSG rule to check the group used by the pam_wheel.so module is simplified

The CIS Benchmark requires restricting the su command in favor of the sudo command. SCAP Security

Guide (SSG) fulfills this requirement with the pam_wheel.so module, which restricts the su command

to a specific group. This update improves the rule that checks whether this group exists and has no

members. As a result, the rule is more efficient and simplifies the interpretation of the assessment

report.

Jira:RHEL-1905

4.3. RHEL FOR EDGE

New FIDO Device Onboarding Servers container images are available

The following FIDO Device Onboarding Servers container images for onboarding IoT and edge

computing devices are now available in the Red Hat Container Catalog :

rhel9/fdo-manufacturing-server container image

CHAPTER 4. NEW FEATURES

rhel9/fdo-owner-onboarding-server container image

rhel9/fdo-rendezvous-server container image

rhel9/fdo-serviceinfo-api-server container image

Jira:RHELPLAN-163133

[1]

The minimal-raw image type now supports 64-bit ARM architectures

With this enhancement, you can create a minimal-raw image type with support for 64-bit ARM

architecture, and AMD and Intel 64-bit architectures. The minimal-raw image is pre-packaged,

bootable, minimal RPM image, compressed in the xz format. To boot the image, you must decompress

it and copy to any bootable device, such as an SD card. To decompress the image, run the following

command:

$ xz -d <_uuid-minimal-raw.img_.xz>

Jira:RHELPLAN-163665

[1]

The Commit ID is now supported as a value for the --parent argument of composer-cli CLI

You can now use the image Commit ID as a value for the --parent argument of the composer-cli

command line. To get the image Commit ID, download and extract the RHEL for Edge Commit image.

You can find the ref name and the commit ID in the extracted .tar file.

Jira:RHELDOCS-16386

[1]

Support to build RHEL for Edge .ami images

With this enhancement, you have support to build .ami images for RHEL for Edge by using on-premise

RHEL image builder. During the initial boot, you can customize the blueprint with Ignition to inject the

credentials into the image. You can upload the .ami image to AWS and boot an EC2 instance in AWS.

Jira:RHELDOCS-16708

[1]

Support to build .vmdk images for RHEL for Edge

With this enhancement, you have support to build a .vmdk image for RHEL for Edge by using on-

premise RHEL image builder. You can customize the blueprint with Ignition to inject the credentials into

the image during the initial boot. You can load the image on vSphere and boot the image in a VM

vSphere. The image is compatible with ESXi 7.0 U2, ESXi 8.0, and later. The VM is compatible with

versions 19 and 20.

Jira:RHELDOCS-16709

[1]

You can now log in to an Edge system as the initial user without setting a password

Previously, logging in as the initial user created during the FDO onboarding process did not work

because the system asked for a password that was not set with the useradd command. With this

enhancement, the password is now set to optional, and you can log in even if you did not previously set a

password by using the useradd command. Note that you can log in with an SSH key without entering a

password, and if it fails, you will be prompted to enter a password.

Jira:RHELDOCS-17101

[1]

Red Hat Enterprise Linux 9.3 9.3 Release Notes

4.4. SOFTWARE MANAGEMENT

New DNF Automatic reboot option for an automatic reboot after an upgrade

With this enhancement, you can use the DNF Automatic reboot option to set your system to

automatically reboot to apply the changes after an upgrade.

The reboot option supports the following settings:

never does not reboot the system. This is the current behavior.

when-changed triggers a reboot after any upgrade.

when-needed triggers a reboot only when rebooting is required to apply changes, for example,

when systemd or the kernel is upgraded.

You can use the reboot_command option to customize the command used to reboot. The default

reboot command is shutdown -r.

Bugzilla:2124793

The new --poweroff option allows you to shut down the system after installing updates

With this enhancement, the new --poweroff option has been added to the reboot command of the dnf

system-upgrade plugin. You can use this option to shut down the system after installing updates

instead of rebooting.

Bugzilla:2157844

New dnf leaves and show-leaves plug-ins are now available for the DNF API

With this enhancement, the following new DNF plug-ins are available that list packages installed on your

system that are not required as dependencies of other installed packages:

dnf leaves lists all packages.

show-leaves lists newly installed packages and packages that became unrequired as

dependencies of other installed packages after a transaction.

Bugzilla:2134638

4.5. SHELLS AND COMMAND-LINE TOOLS

The NetBackup services are now enabled for backup restoration

When using the NetBackup (NBU) backup method, ReaR now includes the unit files for the NetBackup

services version 10.1.1 in the rescue image and starts them when the rescue system boots. As a result, you

can restore the system backup by using the NBU backup method during the recovery process and

complete the restore successfully.

Bugzilla:2188593

opencryptoki rebased to 3.21.0

The opencryptoki package has been rebased to version 3.21.0, which provides many enhancements and

bug fixes. Most notably, opencryptoki now supports the following features:

Concurrent hardware security module (HSM) master key changes

CHAPTER 4. NEW FEATURES

The protected-key option to transform a chosen key into a protected key

Additional key types, such as DH, DSA, and generic secret key types

EP11 host library version 4

AES-XTS key type

IBM-specific Kyber key type and mechanism

Additional IBM-specific Dilithium key round 2 and 3 variants

Additionally, pkcsslotd slot manager no longer runs as root and opencryptoki offers further hardening.

With this update, you can also use the following set of new commands:

p11sak set-key-attr

To modify keys

p11sak copy-key

To copy keys

p11sak import-key

To import keys

p11sak export-key

To export keys

Bugzilla:2160061

[1]

Updated systemd-udevd assigns consistent network device names to InfiniBand interfaces

Introduced in RHEL 9, the new version of the systemd package contains the updated systemd-udevd

device manager. The device manager changes the default names of InfiniBand interfaces to consistent

names selected by systemd-udevd.

You can define custom naming rules for naming InfiniBand interfaces by following the Renaming IPoIB

devices using systemd link file procedure.

For more details of the naming scheme, see the systemd.net-naming-scheme(7) man page.

Bugzilla:2136937

4.6. INFRASTRUCTURE SERVICES

Postfix now supports SRV lookups

With this enhancement, you can now use the Postfix DNS service records resolution (SRV) to

automatically configure mail clients and balance load of servers. Additionally, you can prevent mail

delivery disruptions caused by temporary DNS issues or misconfigured SRV records by using the

following SRV-related options in your Postfix configuration:

use_srv_lookup

You can enable discovery for the specified service by using DNS SRV records.

allow_srv_lookup_fallback

You can use a cascading approach to locating a service.

ignore_srv_lookup_error

Red Hat Enterprise Linux 9.3 9.3 Release Notes

You can ensure that the service discovery remains functional even if SRV records are not available or

encounter errors.

Bugzilla:2134789

Generic LF-to-CRLF driver is available in cups-filters

With this enhancement, you can now use the Generic LF-to-CRLF driver, which converts LF characters

to CR+LF characters for printers accepting files with CR+LF characters. The carriage return (CR) and

line feed (LF) are control characters that mark the end of lines. As a result, by using this driver, you can

send an LF character terminated file from your application to a printer accepting only CR+LF characters.

The Generic LF-to-CRLF driver is a renamed version of the text-only driver from RHEL 7. The new

name reflects its actual functionality.

Bugzilla:2229784

4.7. NETWORKING

RHEL on ARM now fully supports wifi adapters in RHEL 9.3

With this enhancement, you can now enable access to wifi adapters for several cards for the arm64

platforms.

For details on configuring wifi connections, see Managing wifi connections.

Bugzilla:2208365

[1]

NetworkManager now supports the no-aaaa option in resolv.conf

NetworkManager now supports adding the no-aaaa DNS option in the resolv.conf file. By using the no-

aaaa value in the DNS option setting, you can disable IPv6 DNS resolution.

Bugzilla:2176137

nmstate now supports mixing static DNS search along with dynamic DNS name servers

The nmstate framework now supports both static Domain Name System (DNS) search domains and

dynamic DNS name servers, which nmstate obtained from Dynamic Host Configuration Protocol

(DHCP) or the autoconf mechanism. Previously, static DNS search domains could not co-exist with

dynamic DNS name servers because the dynamic configurations were discarded by nmstate. This often

led to unnecessary complexity and limitations in network setup and management. This enhancement

aims to bring more flexibility in managing DNS configurations. As a result, nmstate attempts to find a

network interface to store the DNS configuration in the following order:

1. The preferred interface, which currently holds the DNS configuration and is still valid for DNS

2. An automatic interface

3. An IP enabled interface

Note that this enhancement does not remove the DNS name servers learned from DHCP.

The following is an example YAML file to apply this feature:

---

dns-resolver:

config:

CHAPTER 4. NEW FEATURES

search:

- example.com

- example.org

interfaces:

- name: eth1

type: ethernet

state: up

ipv4:

enabled: true

dhcp: true

ipv6:

enabled: true

dhcp: true

autoconf: true

Bugzilla:2179916

nmstate now supports the bridge.vlan-default-pvid NetworkManager configuration option

With this update, you can use the nmstate framework to configure the bridge.vlan-default-pvid

NetworkManager configuration option. By using this option, you can set the default port VLAN identifier

(PVID) for untagged traffic on a bridge interface that supports VLANs, when you use Linux bridge VLAN

filtering. To achieve this result, use the following YAML configuration:

interfaces:

- name: linux-br0

type: linux-bridge

state: up

bridge:

options:

vlan-default-pvid: 5

port:

- name: eth1

stp-hairpin-mode: false

stp-path-cost: 100

stp-priority: 32

vlan:

mode: access

tag: 100

Note that the default value of bridge.vlan-default-pvid is 1. When set to 0 with VLAN filtering enabled,

the untagged traffic is dropped.

Bugzilla:2180795

The NetworkManager service restarts immediately after the dbus service is restarted

Previously, after restarting dbus for some reason, NetworkManager stopped. This behavior was not

optimal and caused a loss of connectivity. Therefore, this enhancement updates NetworkManager to

become more robust and to make it restart automatically upon a dbus restart.

Bugzilla:2161915

The nm-cloud-setup utility now supports IMDSv2 configuration

Users can configure an AWS Red Hat Enterprise Linux EC2 instance with Instance Metadata Service

Version 2 (IMDSv2) with the nm-cloud-setup utility. To comply with improved security that restricts

Red Hat Enterprise Linux 9.3 9.3 Release Notes

unauthorized access to EC2 metadata and new features, integration between AWS and Red Hat services

is necessary to provide advanced features. This enhancement enables the nm-cloud-setup utility to

fetch and save the IMDSv2 tokens, verify an EC2 environment, and retrieve information about available

interfaces and IP configuration by using the secured IMDSv2 tokens.

Bugzilla:2151986

NetworkManager notifies when using the deprecated ifcfg format

Connection profiles in ifcfg format are deprecated in RHEL 9 (see NetworkManager connection profiles

in ifcfg format are deprecated ). With this update, NetworkManager notifies users about the deprecation

of this format:

NetworkManager logs the following warning to the systemd journal if it processes a connection

profile in ifcfg format in the /etc/sysconfig/network-scripts/ directory:

Warning: the ifcfg-rh plugin is deprecated, please migrate connections to the keyfile format

using "nmcli connection migrate"

The nmcli utility reports the following error if you try to modify a property that is not supported

in ifcfg format:

Error: Failed to modify connection '<name>': failed to update connection: The ifcfg-rh plugin

doesn't support setting '<property>'. If you are modifying an existing connection profile saved

in ifcfg-rh format, please migrate the connection to keyfile using 'nmcli connection migrate

<connection_uuid>' or via the Update2() D-Bus API and try again.

As a result of these enhancements, NetworkManager now notifies users if they still use or modify

connection profiles in the deprecated ifcfg format.

For further details about migrating profiles from ifcfg to keyfile format, see Migrating NetworkManager

profiles from ifcfg to keyfile format.

Bugzilla:2190375

NetworkManager now supports the lacp_active option in the bonding configuration

By using NetworkManager, the lacp_active option in bonding configuration provides fine-grained

control over Link Aggregation Control Protocol Data Units (LACPDU) frames. The lacp_active option

also adjusts the behavior of LACPDU frames and controls periodic transmission of these frames in the

bonding setup. To customize network configurations, you can enable or disable periodic transmission of

LACPDU frames by setting lacp_active to ON or OFF.

Bugzilla:2069001

NetworkManager now supports configuration of the ns_ip6_target option for bond interfaces

This enhancement allows setting the arp_interval option by specifying a maximum of 16 IPv6 addresses

as monitoring peers in NetworkManager for configuration of the ns_i6_target option for bond

interfaces. Previously, it was not possible to specify IPv6 monitoring peers in NetworkManager. With

this update, you can configure the ns_ip6_target option in the bond.options parameter by using the

nmcli utility. NetworkManager applies this setting to the bond interface by enabling the specification of

a maximum of 16 IPv6 addresses. This enhancement equally applies to IPv4 and IPv6 settings.

Bugzilla:2069004

NetworkManager now supports both static and DHCP IP configuration on the same network

CHAPTER 4. NEW FEATURES

NetworkManager now supports both static and DHCP IP configuration on the same network

interface

By using the nmstate utility, you can now assign a static IP address with dhcp: true or autoconf: true

value on the DHCP or Ad-Hoc Network Autoconfiguration (autoconf) enabled interface.

With this enhancement, nmstate supports two properties of IP addresses:

valid_lft means valid lifetime in seconds

preferred_lft means preferred lifetime in seconds

Default value of both parameters is forever which means static.

With above properties, nmstate can ignore DHCP/autoconf based IP addresses to avoid converting

dynamic IP addresses to static IP after applying the queried state back. If your scenario requires having

disabled DHCP/autoconf settings with dynamic IP addresses, nmstate converts those dynamic IP to

static IP addresses.

Bugzilla:2177733

nmstate supports MAC address identifiable network interface

The nmstate utility supports network configuration directly to a network interface with a MAC address

instead of an interface name.

This enhancement introduces two properties to the base interface:

identifier : identifies name or mac-address on a network. The default value is name.

profile-name : string

When the identifier variable is set to the mac-address value, nmstate uses the interface.mac-address

over interface.name to choose a network interface for a specific network state. When storing the

network configuration, if the interface.profile-name variable is not assigned, nmstate prefers

interface.profile-name over interface.name. If you check the current network state, the

interface.profile-name remains hidden if it is equal to interface.name.

Bugzilla:2183214

NetworkManager supports defining after how many failed ARP checks the bonding driver

marks a port as down

This enhancement adds the arp_missed_max option to bond connection profiles in NetworkManager. If

you use the Address Resolution Protocol (ARP) monitor to check if ports of a bond are up, you can now

set arp_missed_max to define after how many failed checks the bonding driver marks the port as

down.

Bugzilla:2148684

NetworkManager supports specifying link-related properties

This enhancement adds the following network link properties to NetworkManager connection profiles:

link.tx-queue-length - The size of the transmit (TX) queue length in number of packets.

link.gro-max-size - The maximum size in bytes of a Generic Receive Offload (GRO) packet the

device accepts.

Red Hat Enterprise Linux 9.3 9.3 Release Notes

link.gso-max-segments - The maximum number of segments of a Generic Segmentation

Offload (GSO) packet the device accepts.

link.gso-max-size - The maximum size in bytes of a GSO packet.

Previously, you could configure these kernel settings only by using ip commands or by using such

commands in NetworkManager dispatcher scripts. With this enhancement, you can now configure these

settings directly in connection profiles.

Note that NetworkManager supports these properties only in connection profiles in keyfile format and

not in the deprecated ifcfg format.

Bugzilla:2158328

The nmstate API support available for dhcp-send-hostname and dhcp-custom-hostname

DHCP options

With this enhancement, the nmstate utility supports configuration of the following two DHCP options in

the connection file:

dhcp-send-hostname: true or false value. If a DHCP request needs the hostname or fully

qualified domain name (FQDN) option, the hostname from that option is set. The default is

true.

dhcp-custom-hostname: <string>. Use this option to configure the hostname or FQDN option

in a DHCP request, value type is string.

For DHCPv4 network protocols

If the hostname is FQDN, see the Fully Qualified Domain Name (FQDN), option (81) in RFC

4702.

If the hostname is not FQDN, see the Host Name, option (12) in RFC 2132.

For DHCPv6 network protocols

Supports custom string, empty domain name, overrides the hostname for a DHCP request. See

the Fully Qualified Domain Name (FQDN), option (29) in RFC 4704.

Bugzilla:2187622

NetworkManager rebased to version 1.44.0

The NetworkManager packages have been upgraded to upstream version 1.44.0, which provides several

enhancements and bug fixes over the previous version:

Link-related properties have been added to NetworkManager .

The arp_missed_max, lacp_active, and ns_ip6_target properties have been added to bond

connection profiles.

You can now set a DHCPv6 prefix delegation hint in the ipv6.dhcp-pd-hint connection

property.

Enabling the new rename parameter in the [keyfile] section of the

/etc/NetworkManager/NetworkManager.conf file causes NetworkManager to rename a

connection profile in /etc/NetworkManager/system-connections/ if you change a profile name

CHAPTER 4. NEW FEATURES

(connection.id). If external applications or scripts rely on the file names, do not enable this

parameter.

When you set a hostname that contains a non-public top-level domain (TLD), NetworkManager

now uses this TLD as DNS search domain instead of the full hostname.

NetworkManager now applies DNS options from the [global-dns] section in the

/etc/NetworkManager/NetworkManager.conf file.

To avoid race conditions with other depending services, NetworkManager now acquires the D-

Bus name only after populating the D-Bus tree. Note that this can add a delay when

NetworkManager starts.

NetworkManager now adds a version-id argument to Update2() D-Bus calls to prevent

concurrent profile modifications.F

NetworkManager no longer uses tentative IPv6 addresses to resolve the system hostname from

DNS.

To prevent unexpected behaviors in case of multi-connect profiles, NetworkManager now

tracks the number of auto-connect retries left for each device and connection instead of only

per connection.

NetworkManager sets VLAN filtering options by using the kernel’s netlink interface instead of

the sysfs file system.

The nm-cloud-setup utility now supports Instance Metadata Service Version 2 (IDMSv2) on

Amazon EC2.

Users can now enable and disable wifi and Wireless Wide Area Networks (WWANs) in the nmtui

application.

Bond, bridge, and team connections now use the ignore-carrier=no setting in the [main]

section of the /etc/NetworkManager/NetworkManager.conf file.

Bugzilla:2180966

SCTP rebased to the latest version of the kernel networking tree for RHEL 9

Notable changes in the Stream Control Transmission Protocol (SCTP) networking subsystem include:

Virtual routing and forwarding (VRF) support to segment and isolate SCTP traffic within

complex network environments.

New stream schedulers (fair capacity, and weighted fair queueing) to ensure efficient and

equal resource allocation in the network.

Bugzilla:2189292

MPTCP rebased to the latest version of the kernel networking tree for RHEL 9

Notable changes in the Multipath TCP (MPTCP) protocol extension include:

Support for TCP fastopen (TFO) extension, including the client-side support. This feature

offers latency, efficiency, and performance improvements for your network.

Support multiple mixed IPv4/IPv6 subflows to allow for greater flexibility and adaptability in

networks where both IP versions are used.

Red Hat Enterprise Linux 9.3 9.3 Release Notes

Bugzilla:2193330

[1]

The xdp-tools package rebased to version 1.4.0

The xdp-tools package has been upgraded to version 1.4.0, which provides multiple bug fixes and

enhancements. Notable changes include:

The xdp-bench utility gained support for multi-buffer eXpress Data Path (XDP) and for

benchmarking the xdp_load_bytes() helper in the kernel. This feature enables conducting

network benchmarking tests with large maximum transmission units (MTUs).

The locking of the command line utilities of xdp-tools was improved to prevent stale locks if the

utility did not exit cleanly.

The libxdp library contains a new xsk_umem__create_with_fd() API that accepts an extra file

descriptor of an already open AF_XDP socket. You can use this function as a substitute for the

regular xsk_umem__create() function when a process does not have CAP_NET_RAW

privileges.

Bugzilla:2218500

iproute rebased to version 6.2.0

The iproute packages have been upgraded to upstream version 6.2.0, which provides several

enhancements and bug fixes over the previous version. The most notable changes are:

The new ip stats command manages and shows interface statistics. By default, the ip stats

show command displays statistics for all network devices, including bridges and bonds. You can

filter the output by using the dev and group options. For further details, see the ip-stats(8)

man page.

The ss utility now provides the -T (--threads) option to display thread information, which

extends the -p (--processes) option. For further details, see the ss(8) man page.

You can use the new bridge fdb flush command to remove specific forwarding database (fdb)

entries which match a supplied option. For further details, see the bridge(8) man page.

Jira:RHEL-428

[1]

The kernel supports activating bond ports in a specific order

With this enhancement, the kernel’s netlink interface supports setting a priority on each port if you

configure a bond in active-backup, balance-tlb or balance-alb mode. The priority value uses a 32-bit

Integer, and a higher value means a higher priority. As a result, you can now activate the bond ports in a

specific order.

To use this feature, you can configure the priority by setting the bond-port.prio property when you

create or modify a NetworkManager port connection profile.

Bugzilla:2092194

[1]

firewalld now avoids unnecessary firewall rule flushes

With the release of the RHBA-2023:7748, advisory the firewalld service was upgraded in a sense that it

will not remove all the existing rules from the iptables configuration if both following conditions are met:

firewalld is using the nftables backend.

CHAPTER 4. NEW FEATURES

There are no firewall rules created with the --direct option.

This change aims at reducing unnecessary operations (firewall rules flushes) and improves integration

with other software.

Jira:RHEL-14694

[1]

Introduction of new nmstate attributes for the VLAN interface

With this update of the nmstate framework, the following VLAN attributes were introduced:

registration-protocol: VLAN Registration Protocol. The valid values are gvrp (GARP VLAN

Registration Protocol), mvrp (Multiple VLAN Registration Protocol), and none.

reorder-headers: reordering of output packet headers. The valid values are true and false.

loose-binding: loose binding of the interface to the operating state of its primary device. The

valid values are true and false.

Your YAML configuration file can look similar to the following example:

---

interfaces:

- name: eth1.101

type: vlan

state: up

vlan:

base-iface: eth1

id: 101

registration-protocol: mvrp

loose-binding: true

reorder-headers: true

Jira:RHEL-19142

[1]

4.8. KERNEL

Kernel version in RHEL 9.3

Red Hat Enterprise Linux 9.3 is distributed with the kernel version 5.14.0-362.8.1.

Bugzilla:2232554

Support added for NVIDIA Grace CPUs

Red Hat Enterprise Linux 9.3 adds support for the NVIDIA Grace ARM 64-bit CPU.

Jira:RHELDOCS-17055

[1]

The RHEL kernel now supports AutoIBRS

Automatic Indirect Branch Restricted Speculation (AutoIBRS) is a feature provided by the AMD EPYC

9004 Genoa family of processors and later CPU versions. AutoIBRS is the default mitigation for the

Spectre v2 CPU vulnerability, which boosts performance and improves scalability.

Bugzilla:1898184

[1]

Red Hat Enterprise Linux 9.3 9.3 Release Notes

perf rebased to version 6.2

The perf performance analysis tool has been rebased to version 6.2. Apart from numerous minor bug

fixes and updates, the perf list command now displays Performance Monitor Unit (PMU) events that

contain human-friendly names and descriptions. In addition, this update adds support for the following

processors:

Intel 13th generation of Core processors (Intel Raptor Lake-S)

Intel 14th generation of processors (Intel Meteor Lake)

Intel 5th generation Xeon server processors (Intel Emerald Rapids)

Bugzilla:2177180

[1]

The Intel® QAT kernel driver rebased to upstream version 6.2

The Intel® Quick Assist Technology (QAT) has been rebased to upstream version 6.2. The Intel® QAT

includes accelerators optimized for symmetric and asymmetric cryptography, compression

performance, and other CPU intensive tasks.

The rebase includes many bug fixes and enhancements. The most notable enhancement is the support

available for following hardware accelerator devices for QAT GEN4:

Intel Quick Assist Technology 401xx devices

Intel Quick Assist Technology 402xx devices

Bugzilla:2144528

[1]

vTPM functionality is available for Linux containers

This enhancement introduces virtual Trusted Platform Module (vTPM) for Linux containers and other

virtual environments. vTPM is a virtualized version of TPM that provides a dedicated TPM instance to

use for a secure running environment. With vTPM proxy drivers, programs interact with an emulated

TPM the same way as they interact with physical TPMs.

As a result, each virtual machine can now have a dedicated vTPM instance that is isolated and

encrypted.

Bugzilla:2210263

[1]

crash rebased to version 8.0.3

crash is an interactive utility to analyze a running system and a core dump file created by kdump in case

of a kernel crash. The crash utility has been rebased to version 8.0.3 that includes many bug fixes and

enhancements. The most notable enhancement is the added IPv6 support.

For network interfaces that support IPv6, crash prints IPv6 addresses with the net or net -s command.

The net command displays the list of network devices, names, and the IP address.

The net -s command displays the following information:

The open network socket and sock addresses

The family and the type of sockets and sock addresses

CHAPTER 4. NEW FEATURES

The source and destination address and ports for INET and INET6 families

Bugzilla:2170283

LVM thin-provisioned storage volumes supported as the vmcore dump target

The kdump mechanism now supports thin-provisioned logical volumes as the vmcore target. To

configure LVM thin provisioning, complete the following steps:

1. Create an LVM volume group.

vgcreate vg00 /dev/sdb

2. Create an LVM thin pool of 10 MB available space.

lvcreate -L 10M -T vg00/thinpool

3. Create an LVM thin volume with 300 MB of the file system space.

lvcreate -V 300M -T vg00/thinpool -n thinvol

mkfs.ext4 /dev/vg00/thinvol

4. Configure the LVM thin pool threshold to automatically extend the space.

cat /etc/lvm/lvm.conf

activation {

thin_pool_autoextend_threshold = 70

thin_pool_autoextend_percent = 20

monitoring = 1

}

5. Enable the LVM thin pool monitoring service for the first kernel.

systemctl enable lvm2-monitor.service

systemctl start lvm2-monitor.service

6. Append the following lines to the kdump.conf file to set the LVM thin volume as the kdump

target.

ext4 /dev/vg00/thinvol

path /

7. Start the kdump service.

kdumpctl restart

8. Verify the configuration by triggering a kernel panic and check if the vmcore is saved to

/dev/vg00/thinvol.

As a result, with this enhancement, the kdump mechanism now extends capability to save the vmcore

dump files on thin-provisioned storage volumes.

Bugzilla:2083475

Red Hat Enterprise Linux 9.3 9.3 Release Notes

makedumpfile rebased to upstream version 1.7.3

The makedumpfile tool, which makes the crash dump file small by compressing pages or excluding

memory pages that are not required, has been rebased to upstream version 1.7.3. The rebase includes

many bug fixes and enhancements.

The most notable change is the added 5-level paging mode for standalone dump (sadump) mechanism

on AMD and Intel 64-bit architecture. The 5-level paging mode extends the processor’s linear address

width to allow applications access larger amounts of memory. 5-level paging extends the size of virtual

addresses from 48 to 57 bits and the physical addresses from 46 to 52 bits.

Bugzilla:2173815

Red Hat Enterprise Linux supports ARM’s SystemReady ES and IR tier

Red Hat Enterprise Linux now supports ARM’s SystemReady ES and IR, while previously only the SR tier

was supported. In RHEL 9.3, the NVIDIA Orin, NXP i.MX 8M, and NXP i.MX 8M Mini modules have been

enabled and are candidates for the RHEL hardware certification. Hardware partners are able to submit

certifications by enrolling in the Red Hat hardware certification journey. Customers can use the

supported hardware listed in the catalog for an improved experience in production.

Bugzilla:2195986

[1]

RHEL on ARM now supports Bluetooth

With this enhancement, you can configure a bluetooth device by using the bluetoothctl tool on the

command-line interface.

Bugzilla:2187856

[1]

RHEL on ARM now fully supports USB-attached cameras in RHEL 9.3

This enhancement enables the CONFIG_MEDIA_SUPPORT kernel configuration for RHEL on AMD and

Intel 64-bit architectures platforms. With that, you can now use USB cameras on AMD and Intel 64-bit

architectures systems.

Bugzilla:2192722

[1]

bpf rebased to version 6.3

The Berkeley Packet Filter (BPF) facility has been rebased to Linux kernel version 6.3. Notable changes

and enhancements include:

BPF trampoline is now available on the 64-bit IBM Z architecture.

A new map type - BPF_MAP_TYPE_USER_RINGBUF - and related helpers have been defined

for the communication between the user space and kernel over a BPF-specific ring buffer.

BPF now provides new complex data structures: linked list and rbtree.

BPF trampoline that traces programs now supports struct arguments.

BPF now provides a way to export XDP features supported by a NIC.

Hardware metadata are now exposed to XDP programs by using the BPF kernel functions

(kfuncs) with initial support for RX hash and timestamp metadata.

BPF now provides a helper that sets source and destination NAT addresses and ports in new

CHAPTER 4. NEW FEATURES

BPF now provides a helper that sets source and destination NAT addresses and ports in new

conntrack module entries in BPF programs.

BPF can now write directly to the nf_conn:mark connection mark of the netfilter packet

filtering framework.

Bugzilla:2178930

[1]

4.9. BOOT LOADER

New default behavior of grub2-mkconfig with BLS

In the Boot Loader Specification (BLS) framework, GRUB generates the boot menu dynamically from

BLS snippets at boot, and it is not predefined in the grub.cfg file.

Previously, the grub2-mkconfig command generated a new grub.cfg file and always overwrote the

command-line arguments in all BLS snippets with the value of the GRUB_CMDLINE_LINUX variable

found in the /etc/default/grub file.

With this release, the grub2-mkconfig command no longer overwrites the kernel command line in BLS

snippets with GRUB_CMDLINE_LINUX by default. Each kernel in the boot loader menu takes its kernel

command line from its BLS snippet. This new default behavior is caused by the

GRUB_ENABLE_BLSCFG=true option.

To regenerate grub.cfg so that kernels ignore BLS snippets and take their command line from

GRUB_CMDLINE_LINUX instead, set the GRUB_ENABLE_BLSCFG=false option.

To update the kernel command line in BLS snippets according to GRUB_CMDLINE_LINUX, add the --

update-bls-cmdline option:

# grub2-mkconfig -o /path/to/grub.cfg --update-bls-cmdline

Also note that you can make changes to BLS snippets for individual kernels using grubby:

# grubby --update-kernel /path/to/kernel --args "new args"

Jira:RHELDOCS-16752

[1]

4.10. FILE SYSTEMS AND STORAGE

NFS server now implements courteous server code for nfsd

This update introduces the implementation of courteous server code for nfsd in the RHEL kernel NFS

server. With this new feature, the NFS server avoids revoking leases for clients that have lost contact

with the server for an extended period, provided that there is no conflicting access while the client is out

of contact.

Bugzilla:2180124

DAX mount option and reflink are now compatible

With this update, reflinked files are now generally compatible with DAX mode. The file system DAX

mount option -o dax=always is compatible with reflink-enabled file systems. Files that were reflinked

can be set to DAX mode using inode flags. For more information see the xfs(5) man page.

Red Hat Enterprise Linux 9.3 9.3 Release Notes

Bugzilla:2192730

[1]

New encryption types for the RPCSEC GSS Kerberos V5

The RPCSEC GSS Kerberos V5 mechanism now supports encryption types defined in RFC 6803

(Camellia Encryption for Kerberos 5) and RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos

5).

The following encryption types have been added:

camellia128-cts-cmac

camellia256-cts-cmac

aes128-cts-hmac-sha256-128

aes256-cts-hmac-sha384-192

This allows NFS clients and NFS servers to use stronger encryption types when negotiating GSS

contexts.

Bugzilla:2178741

fuse3 now allows invalidating a directory entry without triggering umount

With this update, a new mechanism has been added to fuse3 package, that allows invalidating a

directory entry without automatically triggering the umount of any mounts that exists on the entry.

Bugzilla:2188182

Stratis storage manager is now available

Stratis is a local storage manager. It provides managed file systems on top of pools of storage with

additional features to the user:

Manage snapshots and thin provisioning

Automatically grow file system sizes as needed

Maintain file systems

Pool Level Encryption

TMP2 and NBDE Support

To administer Stratis storage, use the stratis utility, which communicates with the stratisd background

service.

For more information, see the Stratis documentation: Setting up Stratis file systems.

Bugzilla:2041558

Improvements to GFS2 file system configuration and operation

The following updates have been implemented for GFS2 file systems:

The mkfs.gfs2 command now supports the new -U option, which makes it possible to specify

the file system UUID for the file system you create. If you omit this option, the file system’s

UUID is generated randomly.

CHAPTER 4. NEW FEATURES

The gfs2_jadd command creates journals at a much faster speed than in previous releases.

The GFS2 man pages have been improved.

Bugzilla:2170017

dmpd rebased to version 1.0.2

The dmpd package has been upgraded to version 1.0.2. Notable changes include:

Rewriting the tools in the Rust language for memory safety and for using multiple threads to

boost performance.

Improving the thin_check and cache_check tools to save the time of LVM pool activation

along with the system startup. The required execution time for these tools is now improved by

more than ten times as compared to the previous version.

Updating thin_dump and thin_restore tools to avoid losing sharing of the metadata btrees for

snapshots. Now the restored metadata does not require more space.

Adding new thin_metadata_pack and thin_metadata_unpack tools to compress thin

metadata, typically to a tenth of the size. This is better than the generic compressors. With this

tool, it is easier to pass damaged metadata around for inspection.

Bugzilla:2175198

New per-device counter is added for SCSI devices

A new per-device counter, iotmo_cnt, is now added for the I/O timeouts in the SCSI updates. In

addition to the iorequest_cnt count of I/O requests, the iodone_cnt I/O completions, and the

ioerr_cnt I/O errors, the number of request timeouts can be seen. For example:

/sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/iorequest_cnt

/sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/iodone_cnt

/sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/iotmo_cnt

/sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/ioerr_cnt

Bugzilla:2171093

[1]

mpathcleanup flushes the multipath devices in device-mapper-multipath

The mpathcleanup tool works on SCSI-based multipath devices and removes the multipath device

along with the SCSI path devices. Some users need to remove multipath devices and their path devices

regularly. Previously, there was no tool available to remove multipath devices and a user-defined script

was required for this operation.

With this new tool, users can now easily remove multipath devices and their underlying storage, and

there is no need to create any script for this operation.

Jira:RHEL-782

[1]

nvme-cli rebased to version 2.4

The nvme-cli package has been upgraded to version 2.4, which provides multiple bug fixes and

enhancements. Notable changes include:

Supports TLS over TCP.

Red Hat Enterprise Linux 9.3 9.3 Release Notes

Fixes incorrect ordering of the systemd auto-connect services to mount file systems using the

/etc/fstab file.

Fixes printing of the u32 values.

Validates storage tag size correctly.

Supports the nvme effects-log command for fabrics controllers.

Bugzilla:2159929

[1]

4.11. HIGH AVAILABILITY AND CLUSTERS

Support for failover of LVM volume groups with missing physical volumes

The LVM-activate resource agent now supports two new options that allow volume group failover if the

volume group is missing physical volumes:

The majoritypvs option allows the system ID to be changed on a volume group when a volume

group is missing physical volumes, provided that a majority of physical volumes are present.

The degraded_activation option allows RAID logical volumes in a volume group to be activated

when legs are missing, provided that sufficient devices are available for RAID to provide all the

data in the logical volume.

Bugzilla:2174911

[1]

IPaddr2 and IPsrcaddr cluster resource agents now support policy-based routing

The IPaddr2 and IPsrcaddr cluster resource agents now support policy-based routing,which enables

you to configure complex routing scenarios. Policy-based routing requires that you configure the

resource agent’s table parameter.

Bugzilla:2142518

The Filesystem resource agent now supports the EFS file system type

The ocf:heartbeat:Filesystem cluster resource agent now supports the Amazon Elastic File System

(EFS). You can now specify fstype=efs when configuring a Filesystem resource.

Bugzilla:2142002

New pcs parsing requires meta keyword when specifying clone meta attributes

To ensure consistency in the pcs command format, configuring clone meta attributes with the pcs

resource clone, pcs resource promotable, and pcs resource create commands without specifying

the meta keyword is now deprecated.

Previously, the meta keyword was ignored in the pcs resource clone and pcs resource promotable

commands. In the pcs resource create command, however, the meta attributes specified after the

meta keyword when it followed the clone keyword were assigned to the resource rather than to the

clone. With this updated parsing algorithm, meta attributes specified after the meta keyword when it

follows the clone keyword are assigned to the clone. To maintain compatibility with existing scripts

which rely on the older format, you must specify the --future command option to enable this new

argument processing when creating a cloned resource with the pcs resource create command.

The following command now creates a resource with the meta attribute mv=v1 and a clone with the

CHAPTER 4. NEW FEATURES

The following command now creates a resource with the meta attribute mv=v1 and a clone with the

meta attribute mv=v2:

pcs resource create dummy1 ocf:pacemaker:Dummy meta m1=v1 clone meta m2=v2 --future

Bugzilla:2168155

Displaying the pcs commands for re-creating configured resource constraints

You can now display the pcs constraint commands that can be used to re-create configured resource

constraints on a different system by using the pcs constraint command with the new --output-

format=cmd option. The default output format is plain text, as in previous releases, which you can

specify with the --output-format=text option. The plain text format has been changed slightly to make it

consistent with the output format of other pcs commands.

Bugzilla:2163953

Rebase Pacemaker packages to version: 2.1.6

The Pacemaker packages have been upgraded to upstream version 2.1.6, which provides several

enhancements and bug fixes over the previous version.

The following features have been added:

Previously, when a Pacemaker Remote connection was lost, Pacemaker would always purge its

transient node attributes. This was unnecessary if the connection was quickly recoverable and

the remote daemon had not restarted in the meantime. Pacemaker Remote nodes now

preserve transient node attributes after a brief, recoverable connection outage.

The alert_snmp.sh.sample alert agent, which is the sample alert agent provided with

Pacemaker, now supports the SNMPv3 protocol and SNMPv2. With this update, you can copy

the alert_snmp.sh.sample agent without modification to use SNMPv3 with Pacemaker alerts.

Pacemaker alerts and alert recipients now support an enabled meta option. Setting this option

to false for an alert disables the alert. Setting this option to true for an alert and false for a

particular recipient disables the alert for that recipient. The default value for this option is true.

You can use this option to temporarily disable an alert for any reason, such as planned

maintenance.

The following bugs have been fixed:

Pacemaker Designated Controller elections no longer finalized until all pending actions are

complete and no action results are lost.

The fence_scsi agent is now able to auto-detect shared lvmlockd devices when the devices

attribute is not set.

Resource stickiness now properly compares against colocation scores.

The crm_resource command now allows banning or moving a bundle with only a single active

replica.

Previously, promotable clone instances were assigned in numerical order, with promoted

instances first. As a result, if a promoted clone instance needed to start, an unpromoted

instance in some cases restarted unexpectedly, because the instance numbers changed. With

this fix, roles are considered when assigning instance numbers to nodes and as a result no

unnecessary restarts occur.

Red Hat Enterprise Linux 9.3 9.3 Release Notes

Bugzilla:2189301

Enhancements to the pcs property command

The pcs property command now supports the following enhancements:

The pcs property config --output-format= option

Specify --output-format=cmd to display the pcs property set command created from the

current cluster properties configuration. You can use this command to re-create configured

cluster properties on a different system.

Specify --output-format=json to display the configured cluster properties in JSON format.

Specify output-format=text to display the configured cluster properties in plain text format,

which is the default value for this option.

The pcs property defaults command, which replaces the deprecated pcs property --defaults

option

The pcs property describe command, which describes the meaning of cluster properties

Bugzilla:2163914

4.12. DYNAMIC PROGRAMMING LANGUAGES, WEB AND DATABASE

SERVERS

A new environment variable in Python to control parsing of email addresses

To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email

addresses was introduced in Python 3.

The update in RHSA-2024:2024 introduces a new

PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING environment variable. When you set this

variable to true, the previous, less strict parsing behavior is the default for the entire system:

export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true

However, individual calls to the affected functions can still enable stricter behavior.

You can achieve the same result by creating the /etc/python/email.cfg configuration file with the

following content:

[email_addr_parsing]

PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true

For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing

stricter parsing of email addresses in Python.

Jira:RHELDOCS-17369

[1]

A new nodejs:20 module stream is fully supported

A new module stream, nodejs:20, previously available as a Technology Preview, is fully supported with

the release of the RHEA-2023:7252 advisory. The nodejs:20 module stream now provides Node.js

20.9, which is a Long Term Support (LTS) version.

CHAPTER 4. NEW FEATURES

Node.js 20 included in RHEL 9.3 provides numerous new features, bug fixes, security fixes, and

performance improvements over Node.js 18 available since RHEL 9.1.

Notable changes include:

The V8 JavaScript engine has been upgraded to version 11.3.

The npm package manager has been upgraded to version 9.8.0.

Node.js introduces a new experimental Permission Model.

Node.js introduces a new experimental Single Executable Application (SEA) feature.

Node.js provides improvements to the Experimental ECMAScript modules (ESM) loader.

The native test runner, introduced as an experimental node:test module in Node.js 18, is now

considered stable.

Node.js provides various performance improvements.

To install the nodejs:20 module stream, use:

# dnf module install nodejs:20

If you want to upgrade from the nodejs:18 stream, see Switching to a later stream .

For information about the length of support for the nodejs Application Streams, see Red Hat Enterprise

Linux Application Streams Life Cycle.

Bugzilla:2186717

A new filter argument to the Python tarfile extraction functions

To mitigate CVE-2007-4559, Python adds a filter argument to the tarfile extraction functions. The

argument allows turning tar features off for increased safety (including blocking the CVE-2007-4559

directory traversal attack). If a filter is not specified, the 'data' filter, which is the safest but most limited,

is used by default in RHEL. In addition, Python emits a warning when your application has been affected.

For more information, including instructions to hide the warning, see the Knowledgebase article

Mitigation of directory traversal attack in the Python tarfile library (CVE-2007-4559) .

Jira:RHELDOCS-16405

[1]

The HTTP::Tiny Perl module now verifies TLS certificates by default

The default value for the verify_SSL option in the HTTP::Tiny Perl module has been changed from 0 to

1 to verify TLS certificates when using HTTPS. This change fixes CVE-2023-31486 for HTTP::Tiny and

CVE-2023-31484 for the CPAN Perl module.

To make support for TLS verification available, this update adds the following dependencies to the perl-

HTTP-Tiny package:

perl-IO-Socket-SSL

perl-Mozilla-CA

perl-Net-SSLeay

Red Hat Enterprise Linux 9.3 9.3 Release Notes

Bugzilla:2228412

[1]

httpd rebased to version 2.4.57

The Apache HTTP Server has been updated to version 2.4.57, which provides bug fixes, enhancements,

and security fixes over version 2.4.53 available since RHEL 9.1.

Notable enhancements include:

The rotatelogs utility provided with httpd introduces a new -T option to truncate all rotated

logfiles except the initial log file.

The LDAPConnectionPoolTTL directive of the mod_ldap module now accepts negative values

to enable reuse of connections of any age. Previously, a negative value was handled as an error.

Workers from the mod_proxy_hcheck module now correctly time out according to the worker

timeout settings.

The hcmethod parameter of the mod_proxy_hcheck module now provides new GET11,

HEAD11, and OPTIONS11 methods for HTTP/1.1 requests.

Bugzilla:2184403

A new mod_authnz_fcgi module in httpd

The Apache HTTP Server now includes the mod_authnz_fcgi module, which enables FastCGI

authorizer applications to authenticate users and authorize access to resources.

The mod_authnz_fcgi module is not loaded by default. To load this module, uncomment the following

line in the /etc/httpd/conf.modules.d/00-optional.conf file:

LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so

Bugzilla:2173295

[1]

A new ssl_pass_phrase_dialog directive in nginx:1.22

With this update to the nginx:1.22 module stream, you can use the new ssl_pass_phrase_dialog

directive to configure an external program that is called at nginx start for each encrypted private key.

To use the new directive, add one of the following lines to the /etc/nginx/nginx.conf file:

To call an external program for each encrypted private key file, enter:

ssl_pass_phrase_dialog exec:<path_to_program>;

nginx calls this program with the following two arguments:

The server name specified in the server_name setting.

One of the following algorithms: RSA, DSA, EC, DH, or UNK if a cryptographic algorithm

cannot be recognized.

If you want to manually enter a passphrase for each encrypted private key file, enter:

ssl_pass_phrase_dialog builtin;

CHAPTER 4. NEW FEATURES

This is the default behavior if ssl_pass_phrase_dialog is not configured.

Note that the nginx service fails to start if you use this method but have at least one private key

protected by a passphrase. In this case, use one of the other methods.

If you want systemd to prompt for the passphrase for each encrypted private key when you

start the nginx service by using the systemctl utility, enter:

ssl_pass_phrase_dialog exec:/usr/libexec/nginx-ssl-pass-dialog;

Note that the ssl_pass_phrase_dialog directive in nginx is similar to the SSLPassPhraseDialog

directive in the Apache HTTP Server.

Bugzilla:2170808

A new rhel9/squid container image

The rhel9/squid container image is now available in the Red Hat Container Registry. Squid is a high-

performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects.

Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven

process. Squid keeps metadata and especially hot objects cached in RAM, caches DNS lookups,

supports non-blocking DNS lookups, and implements negative caching of failed requests.

To pull the new container image, run:

# podman pull registry.redhat.io/rhel9/squid

Bugzilla:2178953

A new module stream: redis:7

Redis 7, an advanced key-value store, is now available as a new module stream, redis:7.

Notable changes over Redis 6 include:

Server-side scripting in the Redis Functions API

Fine-grained access control list (ACL) support

Shared publish/subscribe (pub/sub) support for clusters

Various new commands and command arguments

Redis 7 introduces several backward incompatible changes, for example:

Redis 7 now stores append-only files (AOF) as multiple files in a folder

Redis 7 uses a new version format for Redis Database (RDB) files that is incompatible with

earlier versions

For a complete list of features and incompatible changes, see the upstream release notes.

To install the redis:7 module stream, use:

# dnf module install redis:7

For information about the length of support for the redis Application Streams, see Red Hat Enterprise

Red Hat Enterprise Linux 9.3 9.3 Release Notes

For information about the length of support for the redis Application Streams, see Red Hat Enterprise

Linux Application Streams Life Cycle.

Bugzilla:2129826

4.13. COMPILERS AND DEVELOPMENT TOOLS

A new glibc option to influence optimized routine usage on IBM Z

On the IBM Z architecture, the glibc library selects function implementations based on the hardware

capabilities, such as hwcaps and stfle bits. With this update, you can direct the choice made by the

library by setting the glibc.cpu.hwcaps tunable.

Bugzilla:2169978

[1]

Improved string and memory routine performance on Intel® Xeon® v5-based hardware in

glibc

Previously, the default amount of cache used by glibc for string and memory routines resulted in lower

than expected performance on Intel® Xeon® v5-based systems. With this update, the amount of cache

to use has been tuned to improve performance.

Bugzilla:2213907

The system GCC compiler updated to version 11.4.1

The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and

Fortran programming languages.

The system GCC compiler has been updated to version 11.4.1, which includes numerous bug fixes and

enhancements available in the upstream GCC.

For usage information, see Developing C and C++ applications in RHEL 9 .

Bugzilla:2193180

GCC now supports preserving register arguments

With this update, you can now store argument register content to the stack and generate proper Call

Frame Information (CFI) to allow the unwinder to locate it without negatively impacting performance.

Bugzilla:2168204

[1]

A new -mdaz-ftz option in GCC on the 64-bit Intel architecture

The system version of GNU Compiler Collection (GCC) on the 64-bit Intel architecture now supports

the -mdaz-ftz option to enable flush-to-zero (FTZ) and denormals-are-zero (DAZ) flags in the MXCSR

Control and Status Register.

Bugzilla:2208908

New GCC Toolset 13

GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as

an Application Stream in the form of a Software Collection in the AppStream repository.

The GCC compiler has been updated to version 13.1.1, which provides many bug fixes and enhancements

that are available in upstream GCC.

CHAPTER 4. NEW FEATURES

The following tools and versions are provided by GCC Toolset 13:

Tool Version

GCC 13.1.1

GDB 12.1

binutils 2.40

dwz 0.14

annobin 12.20

To install GCC Toolset 13, run the following command as root:

# dnf install gcc-toolset-13

To run a tool from GCC Toolset 13:

$ scl enable gcc-toolset-13 tool

To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools:

$ scl enable gcc-toolset-13 bash

For more information, see GCC Toolset 13 and Using GCC Toolset.

Bugzilla:2171919

[1]

, Bugzilla:2171930

GCC Toolset 13: GCC rebased to version 13.1.1

In GCC Toolset 13, the GNU Compiler Collection (GCC) has been updated to version 13.1.1. Notable

changes include:

General improvements

OpenMP:

OpenMP 5.0: Fortran now supports some non-rectangular loop nests. Such support was

added for C/C++ in GCC 11.

Many OpenMP 5.1 features have been added.

Initial support for OpenMP 5.2 features has been added.

A new debug info compression option value, -gz=zstd, is now available.

The -Ofast, -ffast-math, and -funsafe-math-optimizations options no longer add startup code

to alter the floating-point environment when producing a shared object with the -shared

option.

GCC can now emit its diagnostics using Static Analysis Results Interchange Format (SARIF), a

Red Hat Enterprise Linux 9.3 9.3 Release Notes

GCC can now emit its diagnostics using Static Analysis Results Interchange Format (SARIF), a

JSON-based format suited for capturing the results of static analysis tools (such as GCC’s -

fanalyzer). You can also use SARIF to capture other GCC warnings and errors in a machine-

readable format.

Link-time optimization improvements have been implemented.

New languages and language-specific improvements

C family:

A new -Wxor-used-as-pow option warns about uses of the exclusive or ( ^) operator where the

user might have meant exponentiation.

Three new function attributes have been added for documenting int arguments that are file

descriptors:

attribute((fd_arg(N)))

attribute((fd_arg_read(N)))

attribute((fd_arg_write(N)))

These attributes are also used by -fanalyzer to detect misuses of file descriptors.

A new statement attribute, attribute((assume(EXPR)));, has been added for C++23 portable

assumptions. The attribute is supported also in C or earlier C++.

GCC can now control when to treat the trailing array of a structure as a flexible array member

for the purpose of accessing the elements of such an array. By default, all trailing arrays in

aggregates are treated as flexible array members. Use the new command-line option -fstrict-

flex-arrays to control what array members are treated as flexible arrays.

Several C23 features have been implemented:

Introduced the nullptr constant.

Enumerations enhanced to specify underlying types.

Requirements for variadic parameter lists have been relaxed.

Introduced the auto feature to enable type inference for object definitions.

Introduced the constexpr specifier for object definitions.

Introduced storage-class specifiers for compound literals.

Introduced the typeof object (previously supported as an extension) and the

typeof_unqual object.

Added new keywords: alignas, alignof, bool, false, static_assert, thread_local, and true.

Added the [[noreturn]] attribute to specify that a function does not return execution to its

caller.

Added support for empty initializer braces.

CHAPTER 4. NEW FEATURES

Added support for STDC_VERSION_*_H header version macros.

Removed the ATOMIC_VAR_INIT macro.

Added the unreachable macro for the <stddef.h> header.

Removed trigraphs.

Removed unprototyped functions.

Added printf and scanf format checking through the -Wformat option for the %wN and

%wfN format length modifiers.

Added support for identifier syntax of Unicode Standard Annex (UAX) 31.

Existing features adopted in C23 have been adjusted to follow C23 requirements and are

not diagnosed using the -std=c2x -Wpedantic option.

A new -Wenum-int-mismatch option warns about mismatches between an enumerated type

and an integer type.

C++:

Implemented excess precision support through the -fexcess-precision option. It is enabled by

default in strict standard modes such as -std=c++17, where it defaults to -fexcess-

precision=standard. In GNU standard modes such as -std=gnu++20, it defaults to -fexcess-

precision=fast, which restores previous behavior.

The -fexcess-precision option affects the following architectures:

Intel 32- and 64-bit using x87 math, in some cases on Motorola 68000, where float and

double expressions are evaluated in long double precision.

64-bit IBM Z systems where float expressions are evaluated in double precision.

Several architectures that support the std::float16_t or std::bfloat16_t types, where these

types are evaluated in float precision.

Improved experimental support for C++23, including::

Added support for labels at the end of compound statements.

Added a type trait to detect reference binding to a temporary.

Reintroduced support for volatile compound operations.

Added support for the #warning directive.

Added support for delimited escape sequences.

Added support for named universal character escapes.

Added a compatibility and portability fix for the char8_t type.

Added static operator() function objects.

Simplified implicit moves.

Rewriting equality in expressions is now less of a breaking change.

Red Hat Enterprise Linux 9.3 9.3 Release Notes

Removed non-encodable wide character literals and wide multicharacter literals.

Relaxed some constexpr function restrictions.

Extended floating-point types and standard names.

Implemented portable assumptions.

Added support for UTF-8 as a portable source file encoding standard.

Added support for static operator[] subscripts.

New warnings:

-Wself-move warns when a value is moved to itself with std::move.

-Wdangling-reference warns when a reference is bound to a temporary whose lifetime has

ended.

The -Wpessimizing-move and -Wredundant-move warnings have been extended to warn

in more contexts.

The new -nostdlib++ option enables linking with g++ without implicitly linking in the C++

standard library.

Changes in the libstdc++ runtime library

Improved experimental support for C++20, including:

Added the <format> header and the std::format function.

Added support in the <chrono> header for the std::chrono::utc_clock clock, other clocks,

time zones, and the std::format function.

Improved experimental support for C++23, including:

Additions to the <ranges> header: views::zip, views::zip_transform, views::adjacent,

views::adjacent_transform, views::pairwise, views::slide, views::chunk,

views::chunk_by, views::repeat, views::chunk_by, views::cartesian_product,

views::as_rvalue, views::enumerate, views::as_const.

Additions to the <algorithm> header: ranges::contains, ranges::contains_subrange,

ranges::iota, ranges::find_last, ranges::find_last_if, ranges::find_last_if_not,

ranges::fold_left, ranges::fold_left_first, ranges::fold_right, ranges::fold_right_last,

ranges::fold_left_with_iter, ranges::fold_left_first_with_iter.

Support for monadic operations for the std::expected class template.

Added constexpr modifiers to the std::bitset, std::to_chars and std::from_chars

functions.

Added library support for extended floating-point types.

Added support for the <experimental/scope> header from version 3 of the Library

Fundamentals Technical Specification (TS).

Added support for the <experimental/synchronized_value> header from version 2 of the

Concurrency TS.

CHAPTER 4. NEW FEATURES

Added support for many previously unavailable features in freestanding mode. For example:

The std::tuple class template is now available for freestanding compilation.

The libstdc++ library adds components to the freestanding subset, such as std::array and

std::string_view.

The libstdc++ library now respects the -ffreestanding compiler option, so it is no longer

necessary to build a separate freestanding installation of the libstdc++ library. Compiling

with -ffreestanding will restrict the available features to the freestanding subset, even if

the libstdc++ library was built as a full, hosted implementation.

New targets and target-specific Improvements

The 64-bit ARM architecture:

Added support for the armv9.1-a, armv9.2-a, and armv9.3-a arguments for the -march=

option.

The 32- and 64-bit AMD and Intel architectures:

For both C and C++, the __bf16 type is supported on systems with Streaming SIMD Extensions

2 and above enabled.

The real __bf16 type is now used for AVX512BF16 instruction intrinsics. Previously, __bfloat16,

a typedef of short, was used. Adjust your AVX512BF16 related source code when upgrading

GCC 12 to GCC 13.

Added new Instruction Set Architecture (ISA) extensions to support the following Intel

instructions:

AVX-IFMA whose instruction intrinsics are available through the -mavxifma compiler

switch.

AVX-VNNI-INT8 whose instruction intrinsics are available through the -mavxvnniint8

compiler switch.

AVX-NE-CONVERT whose instruction intrinsics are available through the -mavxneconvert

compiler switch.

CMPccXADD whose instruction intrinsics are available through the -mcmpccxadd compiler

switch.

AMX-FP16 whose instruction intrinsics are available through the -mamx-fp16 compiler

switch.

PREFETCHI whose instruction intrinsics are available through the -mprefetchi compiler

switch.

RAO-INT whose instruction intrinsics are available through the -mraoint compiler switch.

AMX-COMPLEX whose instruction intrinsics are available through the -mamx-complex

compiler switch.

GCC now supports AMD CPUs based on the znver4 core through the -march=znver4 compiler

switch. The switch makes GCC consider using 512-bit vectors when auto-vectorizing.

Improvements to the static analyzer

Red Hat Enterprise Linux 9.3 9.3 Release Notes

The static analyzer has gained 20 new warnings:

-Wanalyzer-allocation-size

-Wanalyzer-deref-before-check

-Wanalyzer-exposure-through-uninit-copy

-Wanalyzer-imprecise-fp-arithmetic

-Wanalyzer-infinite-recursion

-Wanalyzer-jump-through-null

-Wanalyzer-out-of-bounds

-Wanalyzer-putenv-of-auto-var

-Wanalyzer-tainted-assertion

Seven new warnings relating to misuse of file descriptors:

-Wanalyzer-fd-access-mode-mismatch

-Wanalyzer-fd-double-close

-Wanalyzer-fd-leak

-Wanalyzer-fd-phase-mismatch (for example, calling accept on a socket before calling

listen on it)

-Wanalyzer-fd-type-mismatch (for example, using a stream socket operation on a

datagram socket)

-Wanalyzer-fd-use-after-close

-Wanalyzer-fd-use-without-check

Also implemented special-casing handling of the behavior of the open, close, creat,

dup, dup2, dup3, pipe, pipe2, read, and write functions.

Four new warnings for misuses of the <stdarg.h> header:

-Wanalyzer-va-list-leak warns about missing a va_end macro after a va_start or

va_copy macro.

-Wanalyzer-va-list-use-after-va-end warns about a va_arg or va_copy macro used on

a va_list object type that has had the va_end macro called on it.

-Wanalyzer-va-arg-type-mismatch type-checks va_arg macro usage in

interprocedural execution paths against the types of the parameters that were actually

passed to the variadic call.

-Wanalyzer-va-list-exhausted warns if a va_arg macro is used too many times on a

va_list object type in interprocedural execution paths.

Numerous other improvements.

CHAPTER 4. NEW FEATURES

Backwards incompatible changes

For C++, construction of global iostream objects such as std::cout, std::cin is now done inside the

standard library, instead of in every source file that includes the <iostream> header. This change

improves the startup performance of C++ programs, but it means that code compiled with GCC 13.1 will

crash if the correct version of libstdc++.so is not used at runtime. See the documentation about using

the correct libstdc++.so at runtime. Future GCC releases will mitigate the problem so that the program

cannot be run at all with an earlier incompatible libstdc++.so.

Bugzilla:2172093

[1]

GCC Toolset 13: annobin rebased to version 12.20

GCC Toolset 13 provides the annobin package version 12.20. Notable enhancements include:

Added support for moving annobin notes into a separate debug info file. This results in

reduced executable binary size.

Added support for a new smaller note format reduces the size of the separate debuginfo files

and the time taken to create these files.

Bugzilla:2171923

[1]

GCC Toolset 13: GDB rebased to version 12.1

GCC Toolset 13 provides GDB version 12.1.

Notable bug fixes and enhancements include:

GDB now styles source code and disassembler by default. If styling interferes with automation

or scripting of GDB, you can disable it by using the maint set gnu-source-highlight enabled

off and maint set style disassembler enabled off commands.

GDB now displays backtraces whenever it encounters an internal error. If this affects scripts or

automation, you can use the maint set backtrace-on-fatal-signal off command to disable this

feature.

C/C++ improvements:

GDB now treats functions or types involving C++ templates similarly to function overloads. You

can omit parameter lists to set breakpoints on families of template functions, including types or

functions composed of multiple template types. Tab completion has gained similar

improvements.

Terminal user interface (TUI):

tui layout

tui focus

tui refresh

tui window height

These are the new names for the old layout, focus, refresh, and winheight TUI commands. The

old names still exist as aliases to these new commands.

tui window width

winwidth

Red Hat Enterprise Linux 9.3 9.3 Release Notes

Use the new tui window width command, or the winwidth alias, to adjust the width of a TUI

window when windows are laid out in horizontal mode.

info win

This command now includes information about the width of the TUI windows in its output.

Machine Interface (MI) changes:

The default version of the MI interpreter is now 4 (-i=mi4).

The -add-inferior command with no flag now inherits the connection of the current inferior. This

restores the behavior of GDB before version 10.

The -add-inferior command now accepts a --no-connection flag that causes the new inferior to

start without a connection.

The script field in breakpoint output (which is syntactically incorrect in MI 3 and earlier) has

become a list in MI 4. This affects the following commands and events:

-break-insert

-break-info

=breakpoint-created

=breakpoint-modified

Use the -fix-breakpoint-script-output command to enable the new behavior with earlier MI

versions.

New commands:

maint set internal-error backtrace [on|off]

maint show internal-error backtrace

maint set internal-warning backtrace [on|off]

maint show internal-warning backtrace

GDB can now print a backtrace of itself when it encounters internal error or internal warning.

This is enabled by default for internal errors and disabled by default for internal warnings.

exit

You can exit GDB using the new exit command in addition to the existing quit command.

maint set gnu-source-highlight enabled [on|off]

maint show gnu-source-highlight enabled

Enables or disables the GNU Source Highlight library for adding styling to source code. When

disabled, the library is not used even if it is available. When the GNU Source Highlight library is

not used the Python Pygments library is used instead.

set suppress-cli-notifications [on|off]

show suppress-cli-notifications

Controls if printing the notifications is suppressed for CLI or not. CLI notifications occur when

you change the selected context (such as the current inferior, thread, or frame), or when the

program being debugged stops (for example: because of hitting a breakpoint, completing

source-stepping, or an interrupt).

CHAPTER 4. NEW FEATURES

set style disassembler enabled [on|off]

show style disassembler enabled

When enabled, the command applies styling to disassembler output if GDB is compiled with

Python support and the Python Pygments package is available.

Changed commands:

set logging [on|off]

Deprecated and replaced by the set logging enabled [on|off] command.

Printing of floating-point values with base-modifying formats such as /x has been changed to

display the underlying bytes of the value in the required base.

clone-inferior

The clone-inferior command now ensures that the TTY, CMD, and ARGs settings are copied

from the original inferior to the new one. All modifications to the environment variables done

using the set environment or unset environment commands are also copied to the new

inferior.

Python API:

The new gdb.add_history() function takes a gdb.Value object and adds the value it represents

to GDB’s history list. The function returns an integer, which is the index of the new item in the

history list.

The new gdb.history_count() function returns the number of values in GDB’s value history.

The new gdb.events.gdb_exiting event is called with a gdb.GdbExitingEvent object that has

the read-only attribute exit_code containing the value of the GDB exit code. This event is

triggered before GDB’s exit before GDB starts to clean up its internal state.

The new gdb.architecture_names() function returns a list containing all of the possible

Architecture.name() values. Each entry is a string.

The new gdb.Architecture.integer_type() function returns an integer type given a size and a

signed-ness.

The new gdb.TargetConnection object type represents a connection (as displayed by the info

connections command). A sub-class, gdb.RemoteTargetConnection, represents remote and

extended-remote connections.

The gdb.Inferior type now has a connection property that is an instance of the

gdb.TargetConnection object, the connection used by this inferior. This can be None if the

inferior has no connection.

The new gdb.events.connection_removed event registry emits a gdb.ConnectionEvent

event when a connection is removed from GDB. This event has a connection property, a

gdb.TargetConnection object for the connection being removed.

The new gdb.connections() function returns a list of all currently active connections.

The new gdb.RemoteTargetConnection.send_packet(PACKET) method is equivalent to the

existing maint packet CLI command. You can use it to send a specified packet to the remote

target.

Red Hat Enterprise Linux 9.3 9.3 Release Notes

The new gdb.host_charset() function returns the name of the current host character set as a

string.

The new gdb.set_parameter(NAME, VALUE) function sets the GDB parameter NAME to

VALUE.

The new gdb.with_parameter(NAME, VALUE) function returns a context manager that

temporarily sets the GDB parameter NAME to VALUE and then resets it when the context is

exited.

The gdb.Value.format_string method now takes a styling argument, which is a boolean. When

true, the returned string can include escape sequences to apply styling. The styling is present

only if styling is turned on in GDB (see help set styling). When false, which is the default if the

styling argument is not given, no styling is applied to the returned string.

The new read-only attribute gdb.InferiorThread.details is either a string containing additional

target-specific thread-state information, or None if there is no such additional information.

The new read-only attribute gdb.Type.is_scalar is True for scalar types, and False for all other

types.

The new read-only attribute gdb.Type.is_signed should only be read when Type.is_scalar is

True, and will be True for signed types and False for all other types. Attempting to read this

attribute for non-scalar types will raise a ValueError.

You can now add GDB and MI commands implemented in Python.

For more information see the upstream release notes:

What has changed in GDB?

Bugzilla:2172096

[1]

GCC Toolset 13: bintuils rebased to version 2.40

GCC Toolset 13 provides the binutils package version 2.40. Notable enhancements include:

Linkers:

The new -w (--no-warnings) command-line option for the linker suppresses the generation of

any warning or error messages. This is useful in case you need to create a known non-working

binary.

The ELF linker now generates a warning message if:

The stack is made executable

It creates a memory resident segment with all three of the Read, Write and eXecute

permissions set

It creates a thread local data segment with the eXecute permission set.

You can disable these warnings by using the --no-warn-exec-stack or --no-warn-rwx-

segments options.

The linker can now insert arbitrary JSON-format metadata into binaries that it creates.

Other tools:

CHAPTER 4. NEW FEATURES

A new the objdump tool’s --private option to display fields in the file header and section

headers for Portable Executable (PE) format files.

A new --strip-section-headers command-line option for the objcopy and strip utilities to

remove the ELF section header from ELF files.

A new --show-all-symbols command-line option for the objdump utility to display all symbols

that match a given address when disassembling, as opposed to the default function of displaying

only the first symbol that matches an address.

A new -W (--no-weak) option to the nm utility to make it ignore weak symbols.

The objdump utility now supports syntax highlighting of disassembler output for some

architectures. Use the --disassembler-color=MODE command-line option, with MODE being

one of the following:

off

color - This option is supported by all terminal emulators.

extended-color - This option uses 8-bit colors not supported by all terminal emulators.

Bugzilla:2171926

[1]

libabigail rebased to version 2.3

The libabigail package has been updated to version 2.3. Notable improvements include:

The BTF debuginfo format is now supported.

Improved support for Ada range types.

A new [allow_type] directive in suppression specifications is now supported.

Added various new properties for the [supress_type] suppression specification.

The ABIXML file format has been updated to version 2.2.

The SONAME of the library has been changed to reflect its own ABI change.

The libabigail package is available in the CodeReady Linux Builder (CRB) repository. Note that

packages included in the CodeReady Linux Builder repository are unsupported.

Bugzilla:2186931

The find-debuginfo script in debugedit now supports the -q (--quiet) flag

With this update, you can use the find-debuginfo script’s -q (--quiet) flag in the debugedit utility to

silence non-error output from the script.

Bugzilla:2177302

Valgrind rebased to version 3.21.0

Valgrind has been updated to version 3.21.0. Notable enhancements include:

A new abexit value for the --vgdb-stop-at=event1,event2,… option notifies the gdbserver

utility when your program exits abnormally, such as with a nonzero exit code.

Red Hat Enterprise Linux 9.3 9.3 Release Notes

A new --enable-debuginfod=[yes|no] option instructs Valgrind to use the debuginfod servers

listed in the DEBUGINFOD_URLS environment variable to fetch any missing DWARF

debuginfo information for the program running under Valgrind. The default value for this option

is yes.

NOTE

The DEBUGINFOD_URLS environment variable is not set by default.

Valgrind now provides GDB Python commands. These GDB front end commands provide a

better integration in the GDB command-line interface. Benefits of this are, for example, GDB

auto-completion, and command-specific help, searching for a command or command help that

matches a regular expression. For relevant monitoring commands, GDB evaluates arguments to

simplify usage of monitor commands.

The vgdb utility now supports the extended remote protocol when invoked with the --multi

option. The GDB run command is supported in this mode and, as a result, you can run GDB and

Valgrind from a single terminal.

You can use the --realloc-zero-bytes-frees=[yes|no] option to change the behavior of the

realloc() function with a size of zero for tools that intercept the malloc() call.

The memcheck tool now performs checks for the use of the realloc() function with a size of

zero. Use the new --show-realloc-size-zero=[yes|no] switch to disable this feature.

You can use the new --history-backtrace-size=value option for the helgrind tool to configure

the number of entries to record in the stack traces of earlier accesses.

The --cache-sim=[yes|no] cachegrind option now defaults to no and, as a result, only

instruction cache read events are gathered by default.

The source code for the cg_annotate, cg_diff, and cg_merge cachegrind utilities has been

rewritten and, as a result, the utilities have more flexible command line option handling. For

example, they now support the --show-percs and --no-show-percs options and the existing --

show-percs=yes and --show-percs=no options.

The cg_annotate cachegrind utility now supports diffing (using the --diff, --mod-filename,

and --mod-funcname options) and merging (by passing multiple data files). In addition,

cg_annotate now provides more information at the file and function level.

A new user-request for the DHAT tool allows you to override the 1024 byte limit on access

count histograms for blocks of memory.

The following new architecture-specific instruction sets are now supported:

64-bit ARM:

v8.2 scalar and vector Floating-point Absolute Difference (FABD), Floating-point Absolute

Compare Greater than or Equal (FACGE), Floating-point Absolute Compare Greater Than

(FACGT), and Floating-point Add (FADD) instructions.

v8.2 Floating-point (FP) compare and conditional compare instructions.

Zero variants of v8.2 Floating-point (FP) compare instructions.

64-bit IBM Z:

CHAPTER 4. NEW FEATURES

Support for the miscellaneous-instruction-extensions facility 3 and the vector-

enhancements facility 2. This enables programs compiled with the -march=arch13 or -

march=z15 options to be executed under Valgrind.

IBM Power:

ISA 3.1 support is now complete.

ISA 3.0 now supports the deliver a random number (darn) instruction.

ISA 3.0 now supports the System Call Vectored (scv) instruction.

ISA 3.0 now supports the copy, paste, and cpabort instructions.

Bugzilla:2124346

systemtap rebased to version 4.9

The systemtap package has been upgraded to version 4.9. Notable changes include:

A new Language-Server-Protocol (LSP) backend for easier interactive drafting of systemtap

scripts on LSP-capable editors.

Access to a Python/Jupyter interactive notebook front end.

Improved handling of DWARF 5 bit fields.

Bugzilla:2186934

elfutils rebased to version 0.189

The elfutils package has been updated to version 0.189. Notable improvements and bug fixes include:

libelf

The elf_compress tool now supports the ELFCOMPRESS_ZSTD ELF compression type.

libdwfl

The dwfl_module_return_value_location function now returns 0 (no return type) for DWARF

Information Entries (DIEs) that point to a DW_TAG_unspecified_type type tag.

eu-elfcompress

The -t and --type= options now support the Zstandard ( zstd) compression format via the zstd

argument.

Bugzilla:2182061

libpfm rebased to version 4.13

The libpfm package has been updated to version 4.13. With this update, libpfm can access performance

monitoring hardware native events for the following processor microarchitectures:

AMD Zen 2

AMD Zen 3

AMD Zen 4

ARM Neoverse N1

Red Hat Enterprise Linux 9.3 9.3 Release Notes

ARM Neoverse N2

ARM Neoverse V1

ARM Neoverse V2

IBM z16

4th Generation Intel® Xeon® Scalable Processors

Bugzilla:2185652, Bugzilla:2047720, Bugzilla:2111940, Bugzilla:2111924, Bugzilla:2111930, Bugzilla:2111933,

Bugzilla:2111957, Bugzilla:2111946

papi supports new processor microarchitectures

With this enhancement, you can access performance monitoring hardware using papi events presets on

the following processor microarchitectures:

AMD Zen 2

AMD Zen 3

ARM Neoverse N1

ARM Neoverse N2

ARM Neoverse V1

ARM Neoverse V2

Bugzilla:2111923

[1]

, Bugzilla:2111947, Bugzilla:2111942

papi now supports fast performance event count read operations for 64-bit ARM

processors

Previously on 64-bit ARM processors, all performance event counter read operations required the use

of a resource-intensive system call. papi has been updated for 64-bit ARM to let processes monitoring

themselves with the performance counters use a faster user-space read of the performance event

counters. Setting the /proc/sys/kernel/perf_user_access parameter to 1 reduces the average number

of clock cycles for papi to read 2 counters from 724 cycles to 29 cycles.

Bugzilla:2186927

[1]

LLVM Toolset rebased to version 16.0.6

LLVM Toolset has been updated to version 16.0.6.

Notable enhancements include:

Improvements to optimization

Support for new CPU extensions

Improved support for new C++ versions.

Notable backwards incompatible changes include:

Clang’s default C++ standard is now gnu++17 instead of gnu++14.

CHAPTER 4. NEW FEATURES

The -Wimplicit-function-declaration, -Wimplicit-int and -Wincompatible-function-pointer-

types options now default to error for C code. This might affect the behavior of configure

scripts.

By default, Clang 16 uses the libstdc++ library version 13 and binutils 2.40 provided by GCC Toolset 13.

For more information, see the LLVM release notes and Clang release notes.

Bugzilla:2178796

Rust Toolset rebased to version 1.71.1

Rust Toolset has been updated to version 1.71.1. Notable changes include:

A new implementation of multiple producer, single consumer (mpsc) channels to improve

performance

A new Cargo sparse index protocol for more efficient use of the crates.io registry

New OnceCell and OnceLock types for one-time value initialization

A new C-unwind ABI string to enable usage of forced unwinding across Foreign Function

Interface (FFI) boundaries

For more details, see the series of upstream release announcements:

Announcing Rust 1.67.0

Announcing Rust 1.68.0

Announcing Rust 1.69.0

Announcing Rust 1.70.0

Announcing Rust 1.71.0

Bugzilla:2191743

The Rust profiler_builtins runtime component is now available

With this enhancement, the Rust profile_builtins runtime component is now available. This runtime

component enables the following compiler options:

-C instrument-coverage

Enables coverage profiling

-C profile-generate

Enables profile-guided optimization

Bugzilla:2227082

[1]

Go Toolset rebased to version 1.20.10

Go Toolset has been updated to version 1.20.10.

Notable enhancements include:

New functions added in the unsafe package to handle slices and strings without depending on

Red Hat Enterprise Linux 9.3 9.3 Release Notes

New functions added in the unsafe package to handle slices and strings without depending on

the internal representation.

Comparable types can now satisfy comparable constraints.

A new crypto/ecdh package.

The go build and go test commands no longer accept the -i flag.

The go generate and go test commands now accept the -skip pattern option.

The go build, go install, and other build-related commands now support the -pgo and -cover

flags.

The go command now disables cgo by default on systems without a C toolchain.

The go version -m command now supports reading more Go binaries types.

The go command now disables cgo by default on systems without a C toolchain.

Added support for collecting code coverage profiles from applications and integration tests

instead of collecting them only from unit tests.

Bugzilla:2185259

[1]

pcp rebased to version 6.0.5

The pcp package has been updated to version 6.0.5. Notable changes include:

Collector tool features

pmdaproc:

Added support for per-cgroup IRQ PSI metrics in recent kernels

Added a new proc.smaps.pss_dirty metric

pmdasmart: Added NVME disk information and power state metrics

pmdalinux:

Added support for system wide IRQ PSI metrics in recent kernels

Added NUMA external memory fragmentation metric

Added new networking (TCP, ICMP) metrics

pmdaoverhead: A new PMDA to measure overhead for groups of processes

pmdahacluster: Updated to handle Pacemaker 2.1.5 crm_mon output changes

Monitoring tool features

pmieconf:

Added support for webhook actions (Event Driven Ansible)

Added a new pmie rule that checks file descriptor limits

CHAPTER 4. NEW FEATURES

pcp2json: Extended pcp2json with an option to send HTTP POSTs

pcp-atop: Added cgroup, NUMA memory, and NUMA CPU support

pcp-htop: Added support for a new open file descriptors Meter

pcp-ps: Added capability to show multiple archive samples

Bugzilla:2175602

PCP’s pmie utility now supports generating webhook events

The Performance Metrics Inference Engine (pmie) utility from Performance Co-Pilot (PCP) now

supports generating webhook events. With this update, configured pmie rules generate events in a

format consumable by Event-Driven Ansible (EDA). As a result, EDA can respond to PCP rules.

To enable this feature, configure all local pmie rules to send to a webhook at a given endpoint (URL):

# pmieconf modify global webhook_endpoint https://localhost:443/<endpoint>

# pmieconf modify global webhook_action yes

Bugzilla:2185803

grafana rebased to version 9.2.10

The grafana package has been updated to version 9.2.10. Notable changes include:

The heatmap panel is now used throughout Grafana.

Geomaps can now measure both distance and area.

The Alertmanager is now based on Prometheus Alertmanager version 0.24.

Grafana Alerting rules now return an Error state by default on execution error or timeout.

Expressions can now be used on public dashboards.

The join transformation now supports inner joins.

Public dashboards now allow sharing Grafana dashboards.

A new Prometheus streaming parser is now available as an opt-in feature.

For more information, see the upstream release notes:

What’s new in Grafana v9.1

What’s new in Grafana v9.2

Bugzilla:2193018

Grafana no longer enables weak cryptographic ciphers

With this update, Grafana no longer enables ciphers that are considered weak for encrypting secure

communication. The affected ciphers are:

AES128-GCM-SHA256

Red Hat Enterprise Linux 9.3 9.3 Release Notes

AES128-SHA

AECDHE-RSA-AES128-SHA

AES256-GCM-SHA384

AES256-SHA

ECDHE-RSA-AES256-SHA

Bugzilla:2190025

[1]

.NET 8.0 is available

Red Hat Enterprise Linux 9.3 is distributed with .NET version 8.0. Notable improvements include:

Added support for the C#12 and F#8 language versions.

Added support for building container images using the .NET Software Development Kit directly.

Many performance improvements to the garbage collector (GC), Just-In-Time (JIT) compiler,

and the base libraries.

Jira:RHELPLAN-164399

[1]

4.14. IDENTITY MANAGEMENT

samba rebased to version 4.18.6

The samba packages have been upgraded to upstream version 4.18.6, which provides bug fixes and

enhancements over the previous version. The most notable changes:

Security improvements in previous releases impacted the performance of the Server Message

Block (SMB) server for high metadata workloads. This update improves the performance in this

scenario.

The new wbinfo --change-secret-at=<domain_controller> command enforces the change of

the trust account password on the specified domain controller.

By default, Samba stores access control lists (ACLs) in the security.NTACL extended attribute

of files. You can now customize the attribute name with the acl_xattr:<security_acl_name>

setting in the /etc/samba/smb.conf file. Note that a custom extended attribute name is not a

protected location as security.NTACL. Consequently, users with local access to the server can

be able to modify the custom attribute’s content and compromise the ACL.

Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11

and will be removed in a future release.

Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start,

Samba automatically updates its tdb database files. Red Hat does not support downgrading tdb

database files.

After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.

Bugzilla:2190415

The ipaclient role now allows configuring user subID ranges on the IdM level

CHAPTER 4. NEW FEATURES

With this update, the ipaclient ansible-freeipa role provides the ipaclient_subid option, using which

you can configure subID ranges on the Identity Management (IdM) level. Without the new option set

explicitly to true, the ipaclient role keeps the default behavior and installs the client without subID

ranges configured for IdM users.

Previously, the role configured the sssd authselect profile that in turn customized the

/etc/nsswitch.conf file. The subID database did not use IdM and relied only on the local files of

/etc/subuid and /etc/subgid.

Bugzilla:2175767

Multiple IdM groups and services can now be managed in a single Ansible task

With this enhancement in ansible-freeipa, you can add, modify, and delete multiple Identity

Management (IdM) user groups and services by using a single Ansible task. For that, use the groups and

services options of the ipagroup and ipaservice modules.

Using the groups option available in ipagroup, you can specify multiple group variables that only apply

to a particular group. This group is defined by the name variable, which is the only mandatory variable

for the groups option.

Similarly, using the services option available in ipaservice, you can specify multiple service variables

that only apply to a particular service. This service is defined by the name variable, which is the only

mandatory variable for the services option.

Jira:RHELDOCS-16474

[1]

ansible-freeipa ipaserver role now supports Random Serial Numbers

With this update, you can use the ipaserver_random_serial_numbers=true option with the ansible-

freeipa ipaserver role. This way, you can generate fully random serial numbers for certificates and

requests in PKI when installing an Identity Management (IdM) server using Ansible. With RSNv3, you can

avoid range management in large IdM installations and prevent common collisions when reinstalling IdM.

IMPORTANT

RSNv3 is supported only for new IdM installations. If enabled, it is required to use RSNv3

on all PKI services.

Jira:RHELDOCS-16462

[1]

ipa rebased to version 4.10.2

The ipa package has been upgraded to version 4.10.2. Notable changes include:

Searching and listing certificates in the IdM CLI and Web UI now offer better performance.

For more information, see the upstream FreeIPA release notes.

Bugzilla:2196426

The ipaserver_remove_on_server and ipaserver_ignore_topology_disconnect options are now

available in the ipaserver role

If removing a replica from an Identity Management (IdM) topology by using the

remove_server_from_domain option of the ipaserver ansible-freeipa role leads to a disconnected

topology, you must now specify which part of the domain you want to preserve. Specifically, you must do

Red Hat Enterprise Linux 9.3 9.3 Release Notes

the following:

Specify the ipaserver_remove_on_server value to identify which part of the topology you

want to preserve.

Set ipaserver_ignore_topology_disconnect to True.

Note that if removing a replica from IdM by using the remove_server_from_domain option preserves a

connected topology, neither of these options is required.

Bugzilla:2127903

IdM now supports the min_lifetime parameter

With this enhancement, the min_lifetime parameter has been added to the /etc/gssproxy/*.conf file.

The min_lifetime parameter triggers the renewal of a service ticket in case its remaining lifetime is lower

than this value.

By default its value is 15 seconds. For network volume clients such as NFS, to reduce the risk of losing

access in case the KDC is momentarily unavailable, set this value to 60 seconds.

Bugzilla:2181465

You can now manage IdM certificates using the ipacert Ansible module

You can now use the ansible-freeipa ipacert module to request or retrieve SSL certificates for Identity

Management (IdM) users, hosts and services. The users, hosts and services can then use these

certificates to authenticate to IdM. You can also revoke the certificates, and restore certificates that

have been put on hold.

Bugzilla:2127907

The optional_pac_tkt_chksum option helps preserve interoperability between different

versions of krb5

You can now use the optional_pac_tkt_chksum option to preserve the interoperability between RHEL

Kerberos Distribution Center (KDC) servers running different versions of the krb5 package. Specifically,

you can change their behavior regarding Privilege Attribute Certificate (PAC) ticket signature

verification. If you set the optional_pac_tkt_chksum string attribute to true for the Kerberos principal

expected to sign a ticket, then the KDC does not reject service for user (S4U) requests containing a

ticket that lacks the PAC ticket signature. The principal to sign the ticket is the ticket-granting service

(TGS) one or a cross-realm TGS one, depending on the realm of the ticket’s target service.

Since the krb5-1.20 release, MIT Kerberos KDCs have required the presence of ticket signatures in

PACs based on the encrypted part of Kerberos tickets so that they could process S4U requests

successfully. Previously, this was a problem in gradual upgrade scenarios where certain KDCs used krb5-

1.19 or older, while others used krb5-1.20 or newer. KDCs using the newer versions of krb5 for S4U

requests rejected service tickets that were provided by KDCs using the older versions of krb5 if a service

used them for S4U requests.

For more information about how this feature is used in Identity Management (IdM), see this pull request.

Bugzilla:2178298

IdM now supports resource-based constrained delegation

With this update, IdM now supports resource-based constrained delegation (RBCD). RBCD allows a

CHAPTER 4. NEW FEATURES

With this update, IdM now supports resource-based constrained delegation (RBCD). RBCD allows a

granular control of delegation on a resource level and access can be set by the owner of the service to

which credentials are delegated.

RBCD can be useful, for example, in an integration between IdM and Active Directory (AD), because AD

enforces the use of RBCD when both target and proxy services belong to different forests.

IMPORTANT

Currently, only services in the IdM domain can be configured with RBCD rules. If the

target service is part of an AD domain, the permission can only be granted on the AD side.

As AD domain controllers cannot resolve IdM service information to create the rule, this is

not currently supported.

For more information on delegation scenarios, see the FreeIPA design page.

Bugzilla:2165880

RHEL 9.3 provides 389-ds-base 2.3.4

RHEL 9.3 is distributed with the 389-ds-base package version 2.3.4. Notable bug fixes and

enhancements over version 2.3.4 include:

https://www.port389.org/docs/389ds/releases/release-2-2-8.html

https://www.port389.org/docs/389ds/releases/release-2-2-9.html

https://www.port389.org/docs/389ds/releases/release-2-3-0.html

https://www.port389.org/docs/389ds/releases/release-2-3-1.html

https://www.port389.org/docs/389ds/releases/release-2-3-2.html

https://www.port389.org/docs/389ds/releases/release-2-3-3.html

https://www.port389.org/docs/389ds/releases/release-2-3-4.html

Bugzilla:2188627

Directory Server can now close a client connection if a bind operation fails

Previously, when a bind operation failed, some applications that ignore the bind return code could load

Director Server with further requests.

With the new nsslapd-close-on-failed-bind configuration attribute under the cn=config entry, the

server can close a client connection when the bind operation fails. As a result, the server load can be

reduced.

Bugzilla:1987471

Automembership plug-in improvements. It no longer cleans up groups by default

Previously, the automember rebuild task went through all the automember rules and removed all the

memberships, then the task rebuilt the memberships from scratch. Thus, the rebuild task was expensive,

especially if other be_txn plugins are enabled.

With this update, the Automembership plug-in has the following improvements:

Red Hat Enterprise Linux 9.3 9.3 Release Notes

Only one rebuilt task is allowed at a time.

The Automembership plug-in now does not clean up previous members by default. Use the new

CLI option --cleanup to intentionally clean up memberships before rebuilding from scratch:

# dsconf slapd-instance_name plugins automember fixup -f objectclass=posixaccount -s sub

--cleanup "ou=people,dc=example,dc=com"

Improved logging to show fixup progress.

Bugzilla:2149025

New passwordAdminSkipInfoUpdate: on/off configuration option is now available

You can add a new passwordAdminSkipInfoUpdate: on/off setting under the cn=config entry to

provide a fine grained control over password updates performed by password administrators. When you

enable this setting, password updates do not update certain attributes, for example,

passwordHistory,passwordExpirationTime,passwordRetryCount, pwdReset, and

passwordExpWarned.

Bugzilla:2166332

New slapi_memberof() plug-in function is now available for Directory Server plug-ins and

client applications

The new slapi_memberof() function retrieves distinguished names (DNs) of groups to which the given

entry belongs directly or indirectly. Previously, MemberOf, Referential Integrity, and ACL plug-ins

implemented their own mechanism to retrieve such groups. With this update, you can use the

slapi_memberof() function that introduces a unified mechanism to return group DNs.

Bugzilla:2189946

Directory Server now replaces the virtual attribute nsRole with an indexed attribute for

managed and filtered roles

Previously, LDAP searches that contained the virtual attribute nsRole in the filter were time consuming

because that attribute cannot be indexed. With this update, when you perform the ldapsearch with

virtual attribute nsRole in the filter, Directory Server replaces the nsRole attribute the following way:

For managed roles, the nsRole attribute is replaced with the nsRoleDN attribute.

For filtered roles, the nsRole attribute is replaced with the nsRoleFilter attribute.

As a result, response time for search with the nsRole attribute improves because the search becomes

indexed.

Note that this update does not apply to nested roles.

Bugzilla:2189954

New nsslapd-numlisteners configuration option is now available

The nsslapd-numlisteners attribute specifies the number of listener threads Directory Server can use

to monitor established connections. You can improve the response times when the server experiences a

large number of client connection by increasing the attribute value.

Bugzilla:1975930

CHAPTER 4. NEW FEATURES

IdM supports the option to control the encryption type used to sign the PAC

By default, the Kerberos Key Distribution Center (KDC) generates an AES HMAC-SHA2 signature for

the Privilege Attribute Certificate (PAC). However, this encryption type is not supported by Active

Directory (AD). As a result, AD cross-realm constrained delegation requests are not processed correctly.

With this enhancement, you can now control the encryption type used to sign the PAC by setting the

pac_privsvr_entype attribute on the TGS principal, krbtgt/[realm]@[realm], to the required encryption

type for the target realm. In IdM, this string attribute is automatically configured when an AD trust exists.

WARNING: This update is about standalone MIT realms. Do not change the Kerberos Distribution

Center (KDC) configuration in RHEL Identity Management.

For example, for an MIT realm and an AD realm, to ensure cross-realm ticket-granting tickets (TGT) use

AD-compatible encryption types, an administrator must configure the cross-realm TGS principal as

shown below on the MIT side. This results in cross-realm TGTs using the AES 256 HMAC-SHA1

encryption type and constrained delegation requests being processed correctly.

kadmin.local <<EOF

setstr krbtgt/AD@IPA pac_privsvr_enctype aes256-cts-hmac-sha1-96

setstr krbtgt/IPA@AD pac_privsvr_enctype aes256-cts-hmac-sha1-96

EOF

Bugzilla:2060421

Identity Management API is now fully supported

The Identity Management (IdM) API was available as a Technology Preview in RHEL 9.2 and as of RHEL

9.3, it is fully supported.

Users can use existing tools and scripts even if the IdM API is enhanced to enable multiple versions of

API commands. These enhancements do not change the behavior of a command in an incompatible way.

This has the following benefits:

Administrators can use previous or later versions of IdM on the server than on the managing

client.

Developers can use a specific version of an IdM call, even if the IdM version changes on the

server.

The communication with the server is possible, regardless if one side uses, for example, a newer version

that introduces new options for a feature.

NOTE

While IdM API provides a JSON-RPC interface, this type of access is not supported. Red Hat

recommends accessing the API with Python instead. Using Python automates important parts such

as the metadata retrieval from the server, which allows listing all available commands.

Bugzilla:1513934

4.15. GRAPHICS INFRASTRUCTURES

Intel Arc A-Series graphics is now fully supported

The Intel Arc A-Series graphics (Alchemist or DG2) feature, previously available as a Technology

Red Hat Enterprise Linux 9.3 9.3 Release Notes

The Intel Arc A-Series graphics (Alchemist or DG2) feature, previously available as a Technology

Preview, is now fully supported. Intel Arc A-Series graphics is a GPU that enables hardware acceleration,

mostly used in PC gaming.

Bugzilla:2101598

[1]

4.16. THE WEB CONSOLE

Podman health check action is now available

You can select one of the following Podman health check actions when creating a new container:

No action (default): Take no action.

Restart: Restart the container.

Stop: Stop the container.

Force stop: Force stops the container, it does not wait for the container to exit.

Jira:RHELDOCS-16247

[1]

Stratis is now available in the RHEL web console

With this update, the Red Hat Enterprise Linux web console provides the ability to manage Stratis

storage.

To learn more about Stratis, see Setting up Stratis file systems using the web console .

Jira:RHELPLAN-122345

[1]

4.17. RED HAT ENTERPRISE LINUX SYSTEM ROLES

New RHEL system role for managing systemd units

The rhel-system-role package now contains the systemd RHEL system role. You can use this role to

deploy unit files and manage systemd units on multiple systems. You can automate systemd

functionality by providing systemd unit files and templates, and by specifying the state of those units,

such as started, stopped, masked and other.

Bugzilla:2224384

New option in the ssh role to disable configuration backups

You can now prevent old configuration files from being backed up before they are overwritten by

setting the new ssh_backup option to false. Previously, backup configuration files were created

automatically, which might be unnecessary. The default value of the ssh_backup option is true, which

preserves the original behavior.

Bugzilla:2216753

keylime_server RHEL system role

With the new keylime_server RHEL system role, you can use Ansible Playbooks to configure the verifier

and registrar Keylime components on RHEL 9 systems. Keylime is a remote machine attestation tool

that uses the trusted platform module (TPM) technology.

CHAPTER 4. NEW FEATURES

Bugzilla:2224385

Support for new ha_cluster system role features

The ha_cluster system role now supports the following features:

Configuration of resource and resource operation defaults, including multiple sets of defaults

with rules.

Loading and blocking of SBD watchdog kernel modules. This makes installed hardware

watchdogs available to the cluster.

Assignment of distinct passwords to the cluster hosts and the quorum device. This allows you to

configure a deployment where the same quorum hosts are joined to multiple, separate clusters,

and the passwords of the hacluster user on these clusters are different.

For information about the parameters you configure to implement these features, see Configuring a

high-availability cluster by using the ha_cluster RHEL system role.

Bugzilla:2185065, Bugzilla:2185067, Bugzilla:2216481

storage system role supports configuring the stripe size for RAID LVM volumes

With this update, you can now specify a custom stripe size when creating RAID LVM devices. For better

performance, use the custom stripe size for SAP HANA. The recommended stripe size for RAID LVM

volumes is 64 KB.

Bugzilla:2181656

The network RHEL system role supports the auto-dns option to control automatic DNS

record updates

This enhancement provides support for defined name servers and search domains. You can now use

only the name servers and search domains specified in dns and dns_search properties while disabling

automatically configured name servers and search domains such as dns record from DHCP. With this

enhancement, you can disable automatically auto dns record by changing the auto-dns settings.

Bugzilla:2211194

The network RHEL system role supports the no-aaaa DNS option

You can now use the no-aaaa option to configure DNS settings on managed nodes. Previously, there

was no option to suppress AAAA queries generated by the stub resolver, including AAAA lookups

triggered by NSS-based interfaces such as getaddrinfo; only DNS lookups were affected. With this

enhancement, you can now suppress AAAA queries generated by the stub resolver.

Bugzilla:2218592

The ad_integration RHEL system role can now rejoin an AD domain

With this update, you can now use the ad_integration RHEL system role to rejoin an Active Directory

(AD) domain. To do this, set the ad_integration_force_rejoin variable to true. If the realm_list output

shows that host is already in an AD domain, it will leave the existing domain before rejoining it.

Bugzilla:2211723

The certificate RHEL system role now allows changing certificate file mode when using

certmonger

Red Hat Enterprise Linux 9.3 9.3 Release Notes

Previously, certificates created by the certificate RHEL system role with the certmonger provider used

a default file mode. However, in some use-cases you might require a more restrictive mode. With this

update, you can now set a different certificate and a key file mode using the mode parameter.

Bugzilla:2218204

The postgresql RHEL system role is now available

The new postgresql RHEL system role installs, configures, manages, and starts the PostgreSQL server.

The role also optimizes the database server settings to improve performance.

The role supports the currently released and supported versions of PostgreSQL on RHEL 8 and RHEL 9

managed nodes.

For more information, see Installing and configuring PostgreSQL by using the postgresql RHEL system

role.

Bugzilla:2151373

podman RHEL system role now supports Quadlets, health checks, and secrets

Starting with Podman 4.6, you can use the podman_quadlet_specs variable in the podman RHEL

system role. You can define a Quadlet by specifying a unit file, or in the inventory by a name, a type of

unit, and a specification. Types of a unit can be the following: container, kube, network, and volume.

Note that Quadlets work only with root containers on RHEL 8. Quadlets work with rootless containers on

RHEL 9.

The health checks are supported only for Quadlet Container types. In the [Container] section, specify

the HealthCmd field to define the health check command and HealthOnFailure field to define the

action when a container is unhealthy. Possible options are none, kill, restart, and stop.

You can use the podman_secrets variable to manage secrets. For details, see upstream

documentation.

Jira:RHELPLAN-154441

[1]

Improved performance of the selinux system role with restorecon -T 0

The selinux system role now uses the -T 0 option with the restorecon command in all applicable cases.

This improves the performance of tasks that restore default SELinux security contexts on files.

Bugzilla:2179460

The rhc system role now supports setting a proxy server type

The newly introduced attribute scheme under the rhc_proxy parameter enables you to configure the

proxy server type by using the rhc system role. You can set two values: http, the default and https.

Bugzilla:2211748

firewall RHEL system role supports variables related to ipsets

With this update of the firewall RHEL system role, you can define, modify, and delete ipsets. Also, you

can add and remove those ipsets from firewall zones. Alternatively, you can use those ipsets when

defining firewall rich rules.

You can manage ipsets with the firewall RHEL system role using the following variables:

CHAPTER 4. NEW FEATURES

ipset

ipset_type

ipset_entries

short

description

state: present or state: absent

permanent: true

The following are some notable benefits of this enhancement:

You can reduce the complexity of the rich rules that define rules for many IP addresses.

You can add or remove IP addresses from sets as needed without modifying multiple rules.

For more details, see resources in the /usr/share/doc/rhel-system-roles/firewall/ directory.

Bugzilla:2229802

RHEL system roles now have new volume options for mount point customization

With this update, you can now specify mount_user, mount_group, and mount_permissions

parameters for your mount directory.

Bugzilla:2181657

The firewall RHEL system role has an option to disable conflicting services, and it no longer

fails if firewalld is masked

Previously, the firewall system role failed when the firewalld service was masked on the role run or in

the presence of conflicting services. This update brings two notable enhancements:

The linux-system-roles.firewall role always attempts to install, unmask, and enable the firewalld

service on role run. You can now add a new variable firewall_disable_conflicting_services to your

playbook to disable known conflicting services, for example, iptables.service, nftables.service, and

ufw.service. The firewall_disable_conflicting_services variable is set to false by default. To disable

conflicting services, set the variable to true.

Bugzilla:2222761

Resetting the firewall RHEL system role configuration now requires minimal downtime

Previously, when you reset the firewall role configuration by using the previous: replaced variable, the

firewalld service restarted. Restarting adds downtime and prolongs the period of an open connection in

which firewalld does not block traffic from active connections. With this enhancement, the firewalld

service completes the configuration reset by reloading instead of restarting. Reloading minimizes the

downtime and reduces the opportunity to bypass firewall rules. As a result, using the previous: replaced

variable to reset the firewall role configuration now requires minimal downtime.

Bugzilla:2223764

4.18. VIRTUALIZATION

Red Hat Enterprise Linux 9.3 9.3 Release Notes

sevctl is now fully compatible with AMD EPYC Rome and Milan

With this update, the sevctl utility correctly recognizes the latest AMD EPYC cores, including the AMD

EPYC Rome and AMD EPYC Milan series. As a result, you can use sevctl to configure the features of

AMD Secure Encrypted Virtualization (SEV) that are available on these CPUs.

Note, however, that advanced SEV functions, such as SEV-ES and SEV-SNP are only provided as

Technology Previews in RHEL 9, and therefore unsupported.

Bugzilla:2104857

[1]

virtio-vga and virtio-gpu devices now support blob resources

It is now possible for virtio-vga and virtio-gpu devices to use blob memory resources, which improves

their performance in certain scenarios. To attach a blob resource to a virtio graphics device, add a

blob="on" option to the corresponding <video> section in the virtual machine’s XML configuration. For

example:

<video>

</video>

Note, however, that this feature currently does not work on IBM Z hosts.

Bugzilla:2032406

Virtualization support for 4th Generation Intel Xeon Scalable processors

With this update, virtualization on RHEL 9 adds support for the 4th Generation Intel Xeon Scalable

processors, formerly known as Sapphire Rapids. As a result, virtual machines hosted on RHEL 9 can now

use the SapphireRapids CPU model and utilise new features that the processors provide.

Bugzilla:1880531

[1]

Improved memory reclaiming for Secure Execution on IBM Z

When using a virtual machine (VM) with IBM Secure Execution on IBM Z, you can now set up enhanced

memory reclaiming for the VM. If the VM is using 32 GiB or more RAM, this setting improves the

performance of rebooting or stopping the VM.

To set up enhanced memory reclaiming in a VM, add the <async-teardown enabled='yes'/> line to the

<features></features> section in its XML configuration.

Bugzilla:2168499

[1]

New virtualization features in the RHEL web console

With this update, the RHEL web console includes new features in the Virtual Machines page. You can

now:

Select the Create and edit button for a virtual machine (VM) based on a cloud image, which

allows you to edit all of the VM properties before the VM is installed.

Create a raw storage volume during virtual machine creation.

Set up a virtual socket (vsock) to enable communication between the host and the VM over a

socket.

CHAPTER 4. NEW FEATURES

Note that a virtual socket requires vsock-aware software, such as socat, to enable the

communication.

Jira:RHELDOCS-16487

[1]

4.19. RHEL IN CLOUD ENVIRONMENTS

cloud-init supports NetworkManager keyfiles

With this update, the cloud-init utility can use a NetworkManager (NM) keyfile to configure the network

of the created cloud instance.

Note that by default, cloud-init still uses the sysconfig method for network setup. To configure cloud-

init to use a NM keyfile instead, edit the /etc/cloud/cloud.cfg and set network-manager as the primary

network renderer:

# cat /etc/cloud/cloud.cfg

network:

renderers: ['network-manager', 'eni', 'netplan', 'sysconfig', 'networkd']

Bugzilla:2118235

[1]

cloud-init now uses VMware datasources by default on ESXi

When creating RHEL virtual machines (VMs) on a host that uses the VMware ESXi hypervisor, such as

the VMware vSphere cloud platform. This improves the performance and stability of creating an ESXi

instance of RHEL by using cloud-init. Note, however, that ESXi is still compatible with Open

Virtualization Format (OVF) datasources, and you can use an OVF datasource if a VMware one is not

available.

Bugzilla:2172341

[1]

4.20. SUPPORTABILITY

sos rebased to version 4.6

The sos utility, for collecting configuration, diagnostic, and troubleshooting data, has been rebased to

version 4.6. This update provides the following enhancements:

sos reports now include the contents of both /boot/grub2/custom.cfg and

/boot/grub2/user.cfg files that might contain critical information for troubleshooting boot

issues. (BZ#2213951)

The sos plugin for OVN-Kubernetes collects additional logs for the interconnect environment.

With this update, sos also collects logs from the ovnkube-controller container when both

ovnkube-node and ovnkube-controller containers are merged into one.

In addition, notable bug fixes include:

sos now correctly gathers cgroup data in the OpenShift Container Platform 4 environment

(BZ#2186361).

While collecting sos reports with the sudo plugin enabled, sos now removes the bindpw option

properly. (BZ#2143272)

Red Hat Enterprise Linux 9.3 9.3 Release Notes

The subscription_manager plugin no longer collects proxy usernames and passwords from the

/var/lib/rhsm/ path. (BZ#2177282)

The virsh plugin no longer collects the SPICE remote-display passwords in virt-manager logs,

which prevents sos from disclosing passwords in its reports. (BZ#2184062)

sos now masks usernames and passwords previously displayed in the

/var/lib/iscsi/nodes/<IQN>/<PortalIP>/default file.

IMPORTANT

The generated archive might contain data considered sensitive. Thus, you should

always review the content before passing it to any third party.

(BZ#2187859)

sos completes the tailed log collection even when the size of the log file is exceeded and when

a plugin times out. (BZ#2203141)

When entering the sos collect command on a Pacemaker cluster node, sos collects an sos

report from the same cluster node. (BZ#2186460)

When collecting data from a host in the OpenShift Container Platform 4 environment, sos now

uses the sysroot path, which ensures that only the correct data are assembled. (BZ#2075720)

The sos report --clean command obfuscates all MAC addresses as intended. (BZ#2207562)

Disabling the hpssm plugin no longer raises exceptions. (BZ#2216608)

The sos clean command follows permissions of sanitized files. (BZ#2218279)

For details on each release of sos, see upstream release notes.

Jira:RHELPLAN-156196

[1]

4.21. CONTAINERS

Podman supports pulling and pushing images compressed with zstd

You can pull and push images compressed with the zstd format. The zstd compression is more efficient

and faster than gzip. It can reduce the amount of network traffic and storage involved in pulling and

pushing the image.

Jira:RHELPLAN-154314

[1]

Quadlet in Podman is now available

Beginning with Podman v4.6, you can use Quadlet to automatically generate a systemd service file from

a container description. The Quadlets might be easier to use than the podman generate systemd

command because the description focuses on the relevant container details and without the technical

complexity of running containers under systemd.

For more details, see the Quadlet upstream documentation and the Make systemd better for Podman

with Quadlet article.

Jira:RHELPLAN-154432

[1]

CHAPTER 4. NEW FEATURES

The Container Tools packages have been updated

The updated Container Tools RPM meta-package, which contain the Podman, Buildah, Skopeo, crun,

and runc tools, are now available. This update applies a series of bug fixes and enhancements over the

previous version.

Notable changes in Podman v4.6 include:

The podman kube play command now supports the --configmap=<path> option to provide

Kubernetes YAML file with environment variables used within the containers of the pod.

The podman kube play command now supports multiple Kubernetes YAML files for the --

configmap option.

The podman kube play command now supports containerPort names and port numbers within

liveness probes.

The podman kube play command now adds the ctrName as an alias to the pod network.

The podman kube play and podman kube generate commands now support SELinux filetype

labels and ulimit annotations.

A new command, podman secret exists, has been added, which verifies if a secret with the

given name exists.

The podman create, podman run, podman pod create, and podman pod clone commands

now support a new option, --shm-size-systemd, which allows limiting tmpfs sizes for systemd-

specific mounts.

The podman create and podman run commands now support a new option, --security-opt

label=nested, which allows SELinux labeling within a confined container.

Podman now supports auto updates for containers running inside a pod.

Podman can now use an SQLite database as a backend for increased stability. The default

remains the BoltDB database. You can select the database by setting the database_backend

field in the containers.conf file.

Podman now supports Quadlets to automatically generate a systemd service file from the

container description. The description focuses on the relevant container details and hides the

technical complexity of running containers under systemd.

For further information about notable changes, see upstream release notes.

Jira:RHELPLAN-154438

[1]

Podman now supports a Podmansh login shell

Beginning with Podman v4.6, you can use the Podmansh login shell to manage user access and control.

Configure your settings to use the /usr/bin/podmansh command as a login shell instead of a standard

shell command, for example, /usr/bin/bash. When a user logs into a system setup, the podmansh

command runs the user’s session into a Podman container named podmansh. Containers into which

users log in are defined using the Quadlet files, which are created in the

/etc/containers/systemd/users/ directory. In these files, set the ContainerName field in the

[Container] section to podmansh. The systemd automatically starts podmansh when the user session

starts and continues running until all user sessions exit.

For more information, see Podman v4.6.0 Introduces Podmansh: A Revolutionary Login Shell .

Red Hat Enterprise Linux 9.3 9.3 Release Notes

Jira:RHELPLAN-163003

[1]

Clients for sigstore signatures with Fulcio and Rekor are now available

With Fulcio and Rekor servers, you can now create signatures by using short-term certificates based on

an OpenID Connect (OIDC) server authentication, instead of manually managing a private key. Clients

for sigstore signatures with Fulcio and Rekor, previously available as a Technology Preview, are now fully

supported. This added functionality is the client side support only, and does not include either the Fulcio

or Rekor servers.

Add the fulcio section in the policy.json file. To sign container images, use the podman push --sign-

by-sigstore=file.yml or skopeo copy --sign-by-sigstore=file.yml commands, where file.yml is the

sigstore signing parameter file.

To verify signatures, add the fulcio section and the rekorPublicKeyPath or rekorPublicKeyData fields

in the policy.json file. For more information, see containers-policy.json man page.

Jira:RHELPLAN-160660

[1]

The pasta networking mode is now available

Starting with Podman v4.4.1, you can use the pasta network mode. It is a high-performance

replacement of the default network mode slirp4netns and supports IPv6 forwarding. To select the

pasta network mode, install the passt package to use the podman run command with the --

network=pasta option. With Podman v4.6, you can set default rootless network mode in the

/etc/containers/containers.conf configuration file by using the default_rootless_network_cmd field

under the [network] section.

Jira:RHELDOCS-16240

[1]

UBI 9 Micro Container Image no longer contains zoneinfo installed by tzdata

With this update, the time zone information provided by the tzdata package is no longer included in UBI

9 Micro container images, consequently reducing the image size. The UBI 9 Minimal and UBI 9 Micro

containers are UTC-only, and users should reinstall the tzdata package to get the full zoneinfo, if

needed.

Bugzilla:2223028

CHAPTER 4. NEW FEATURES

CHAPTER 5. IMPORTANT CHANGES TO EXTERNAL KERNEL

PARAMETERS

This chapter provides system administrators with a summary of significant changes in the kernel

distributed with Red Hat Enterprise Linux 9.3. These changes could include, for example, added or

updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options,

or any noticeable behavior changes.

New kernel parameters

amd_pstate=[X86]

With this kernel parameter, you can scale the performance of the AMD CPU. Available values include:

disable - Do not enable amd_pstate as the default scaling driver for the supported

processors.

passive - Use amd_pstate with passive mode as a scaling driver. In this mode autonomous

selection is disabled. Driver requests a required performance level and platform tries to

match the same performance level if it is satisfied by guaranteed performance level.

active - Use amd_pstate_epp driver instance as the scaling driver, driver provides a hint to

the hardware if software wants to bias toward performance (0x0) or energy efficiency (0xff)

to the CPPC firmware. Then CPPC power algorithm will calculate the runtime workload and

adjust the realtime cores frequency.

guided - Activate guided autonomous mode. Driver requests minimum and maximum

performance level and the platform autonomously selects a performance level in this range

and appropriate to the current workload.

arm64.nosve=[ARM64]

With this kernel parameter, you can unconditionally disable Scalable Vector Extension support.

arm64.nosme=[ARM64]

With this kernel parameter, you can unconditionally disable Scalable Matrix Extension support.

gather_data_sampling=[X86,INTEL]

With this kernel parameter, you can control the Gather Data Sampling (GDS) mitigation.

GDS is a hardware vulnerability that allows unprivileged speculative access to data that was

previously stored in vector registers.

This issue is mitigated by default in updated microcode. The mitigation might have a performance

impact but can be disabled. On systems without the microcode mitigation disabling AVX serves as a

mitigation. Available values include:

force - Disable AVX to mitigate systems without microcode mitigation. No effect if the

microcode mitigation is present. Known to cause crashes in userspace with buggy AVX

enumeration.

off - Disable GDS mitigation.

nospectre_bhb=[ARM64]

With this kernel parameter, you can disable all mitigations for Spectre-BHB (branch history injection)

vulnerability. System might allow data leaks with this option.

trace_clock=[FTRACE]

With this kernel parameter, you can set the clock used for tracing events at boot up. Available values

Red Hat Enterprise Linux 9.3 9.3 Release Notes

With this kernel parameter, you can set the clock used for tracing events at boot up. Available values

include:

local - Use the per CPU timestamp counter.

global - Event timestamps are synchronize across CPUs. Might be slower than the local

clock, but better for some race conditions.

counter - Simple counting of events (1, 2, ..) note, some counts might be skipped due to the

infrastructure grabbing the clock more than once per event.

uptime - Use jiffies as the timestamp.

perf - Use the same clock that perf uses.

mono - Use the ktime_get_mono_fast_ns() function for timestamps.

mono_raw - Use the ktime_get_raw_fast_ns() function for timestamps.

boot - Use the ktime_get_boot_fast_ns() function for timestamps.

Architectures might add more clocks, see Documentation/trace/ftrace.rst for more details.

Updated kernel parameters

cgroup.memory=[KNL]

With this kernel parameter, you can pass options to the cgroup memory controller.

This parameter takes the format of: <string>

Available values include:

nosocket - Disable socket memory accounting.

nokmem - Disable kernel memory accounting.

[NEW] nobpf - Disable BPF memory accounting.

hugetlb_free_vmemmap=[KNL]

This kernel parameter enables the feature of freeing unused vmemmap pages associated with each

hugetlb page on boot. For this parameter to work, the

CONFIG_HUGETLB_PAGE_OPTIMIZE_VMEMMAP configuration option must be enabled.

This parameter takes the format of: { on | off (default) }

Available values include:

on - enables this feature

off - disables this feature

NOTE

The vmemmap pages might be allocated from the added memory block itself

when the memory_hotplug.memmap_on_memory module parameter is

enabled. Those vmemmap pages cannot be optimized even if this feature is

enabled. Other vmemmap pages not allocated from the added memory block

itself are not affected.

CHAPTER 5. IMPORTANT CHANGES TO EXTERNAL KERNEL PARAMETERS

intel_pstate=[X86]

You can use this kernel parameter for CPU performance scaling. Available values include:

disable - Do not enable intel_pstate as the default scaling driver for the supported

processors.

[NEW] active - Use intel_pstate driver to bypass the scaling governors layer of cpufreq and

provides it own algorithms for p-state selection. There are two P-state selection algorithms

provided by intel_pstate in the active mode: powersave and performance. The way they

both operate depends on whether or not the hardware managed P-states (HWP) feature has

been enabled in the processor and possibly on the processor model.

passive - Use intel_pstate as a scaling driver, but configure it to work with generic cpufreq

governors (instead of enabling its internal governor). This mode cannot be used along with

the hardware-managed P-states (HWP) feature.

force - Enable intel_pstate on systems that prohibit it by default in favor of acpi-cpufreq.

Forcing the intel_pstate driver instead of acpi-cpufreq might disable platform features,

such as thermal controls and power capping, that rely on ACPI P-States information being

indicated to OSPM and therefore should be used with caution. This option does not work

with processors that are not supported by the intel_pstate driver or on platforms that use

pcc-cpufreq instead of acpi-cpufreq.

no_hwp - Do not enable hardware P state control (HWP) if available.

hwp_only - Only load intel_pstate on systems that support hardware P state control (HWP)

if available.

support_acpi_ppc - Enforce ACPI _PPC performance limits. If the Fixed ACPI Description

Table specifies preferred power management profile as "Enterprise Server" or "Performance

Server", then this feature is turned on by default.

per_cpu_perf_limits - Allow per-logical-CPU P-State performance control limits using the

cpufreq sysfs interface.

kvm-arm.mode=[KVM,ARM]

With this kernel parameter, you can select one of KVM/arm64’s modes of operation. Available values

include:

none - Forcefully disable KVM.

nvhe - Standard nVHE-based mode, without support for protected guests.

protected - nVHE-based mode with support for guests whose state is kept private from the

host. Setting mode to protected disables kexec and hibernation for the host.

[NEW] nested - VHE-based mode with support for nested virtualization. Requires at least

ARMv8.3 hardware. The nested option is experimental and should be used with extreme

caution.

Defaults to VHE/nVHE based on hardware support.

libata.force=[LIBATA]

With this kernel parameter, you can force configurations.

The format is a comma-separated list of "[ID:]VAL" where ID is PORT[.DEVICE]. PORT and DEVICE

Red Hat Enterprise Linux 9.3 9.3 Release Notes

The format is a comma-separated list of "[ID:]VAL" where ID is PORT[.DEVICE]. PORT and DEVICE

are decimal numbers matching port, link or device. Basically, it matches the ATA ID string printed on

console by libata.

If the whole ID part is omitted, the last PORT and DEVICE values are used.

If ID has not been specified yet, the configuration applies to all ports, links and devices.

If only the DEVICE value is omitted, the parameter applies to the port and all links and

devices behind it. DEVICE number of 0 either selects the first device or the first fan-out link

behind PMP device. It does not select the host link. DEVICE number of 15 selects the host link

and device attached to it.

The VAL specifies the configuration to force. As long as there is no ambiguity, shortcut

notation is allowed. For example, both 1.5 and 1.5G would work for 1.5Gbps.

With the libata.force= parameter, you can force the following configurations:

Cable type: 40c, 80c, short40c, unk, ign or sata. Any ID with matching PORT is used.

SATA link speed limit: 1.5Gbps or 3.0Gbps.

Transfer mode: pio[0-7], mwdma[0-4] and udma[0-7]. udma[/][16,25,33,44,66,100,133]

notation is also allowed.

nohrst, nosrst, norst: suppress hard, soft and both resets.

rstonce: only attempt one reset during hot-unplug link recovery.

[NEW] [no]dbdelay: Enable or disable the extra 200ms delay before debouncing a link PHY

and device presence detection.

[no]ncq: Turn on or off NCQ.

[no]ncqtrim: Enable or disable queued DSM TRIM.

[NEW] [no]ncqati: Enable or disable NCQ trim on ATI chipset.

[NEW] [no]trim: Enable or disable (unqueued) TRIM.

[NEW] trim_zero: Indicate that TRIM command zeroes data.

[NEW] max_trim_128m: Set 128M maximum trim size limit.

[NEW] [no]dma: Turn on or off DMA transfers.

atapi_dmadir: Enable ATAPI DMADIR bridge support.

atapi_mod16_dma: Enable the use of ATAPI DMA for commands that are not a multiple of

16 bytes.

[no]dmalog: Enable or disable the use of the READ LOG DMA EXT command to access logs.

[no]iddevlog: Enable or disable access to the identify device data log.

[no]logdir: Enable or disable access to the general purpose log directory.

[NEW] max_sec_128: Set transfer size limit to 128 sectors.

CHAPTER 5. IMPORTANT CHANGES TO EXTERNAL KERNEL PARAMETERS

[NEW] max_sec_1024: Set or clear transfer size limit to 1024 sectors.

[NEW] max_sec_lba48: Set or clear transfer size limit to 65535 sectors.

[NEW] [no]lpm: Enable or disable link power management.

[NEW] [no]setxfer: Indicate if transfer speed mode setting should be skipped.

[NEW] [no]fua: Disable or enable FUA (Force Unit Access) support for devices supporting

this feature.

dump_id: Dump IDENTIFY data.

disable: Disable this device.

NOTE

If there are multiple matching configurations changing the same attribute, the

last one is used.

mitigations=[X86,PPC,S390,ARM64]

With this kernel parameter, you can control optional mitigations for CPU vulnerabilities. This is a set

of curated, arch-independent options, each of which is an aggregation of existing arch-specific

options. Available values include:

off - disable all optional CPU mitigations. This improves system performance, but it can also

expose users to several CPU vulnerabilities. The off value is equivalent to:

if nokaslr then kpti=0 [ARM64]

gather_data_sampling=off [X86]

kvm.nx_huge_pages=off [X86]

l1tf=off [X86]

mds=off [X86]

mmio_stale_data=off [X86]

no_entry_flush [PPC]

no_uaccess_flush [PPC]

nobp=0 [S390]

nopti [X86,PPC]

nospectre_bhb [ARM64]

nospectre_v1 [X86,PPC]

nospectre_v2 [X86,PPC,S390,ARM64]

retbleed=off [X86]

Red Hat Enterprise Linux 9.3 9.3 Release Notes

spec_store_bypass_disable=off [X86,PPC]

spectre_v2_user=off [X86]

srbds=off [X86,INTEL]

ssbd=force-off [ARM64]

tsx_async_abort=off [X86]

Exceptions: This does not have any effect on kvm.nx_huge_pages when

kvm.nx_huge_pages=force.

auto (default) - Mitigate all CPU vulnerabilities, but leave SMT enabled, even if it is

vulnerable. This is for users who do not want to be surprised by SMT getting disabled across

kernel upgrades, or who have other ways of avoiding SMT-based attacks.

auto,nosmt - Mitigate all CPU vulnerabilities, disabling SMT if needed. This is for users who

always want to be fully mitigated, even if it means losing SMT. The auto,nosmt options are

equivalent to:

l1tf=flush,nosmt [X86]

mds=full,nosmt [X86]

tsx_async_abort=full,nosmt [X86]

mmio_stale_data=full,nosmt [X86]

retbleed=auto,nosmt [X86]

nomodeset

With this kernel parameter, you can disable kernel modesetting. Most systems' firmware sets up a

display mode and provides framebuffer memory for output. With nomodeset, DRM and fbdev

drivers will not load if they could possibly displace the preinitialized output. Only the system

framebuffer will be available for use. The drivers will not perform display-mode changes or

accelerated rendering.

This parameter is especially useful as error fallback, or for testing and debugging.

rdt=[HW,X86,RDT]

With this kernel parameter, you can turn on or off individual RDT features. The list includes: cmt,

mbmtotal, mbmlocal, l3cat, l3cdp, l2cat, l2cdp, mba, smba, bmec.

For example, to turn on cmt and turn off mba use:

rdt=cmt,!mba

rodata=[KNL]

With this kernel parameter, you can disable read-only kernel mappings. Available options include:

on - Mark read-only kernel memory as read-only (default).

off - Leave read-only kernel memory writable for debugging.

[NEW] full - Mark read-only kernel memory and aliases as read-only [arm64].

CHAPTER 5. IMPORTANT CHANGES TO EXTERNAL KERNEL PARAMETERS

Removed kernel parameters

nobats=[PPC]

With this kernel parameter, you can forbid the use of BATs for mapping kernel lowmem on "Classic"

PPC cores.

noltlbs=[PPC]

With this kernel parameter, you can forbid the use of huge page and tlb entries for kernel lowmem

mapping on PPC40x and PPC8xx.

swapaccount=[0|1]=[KNL]

With this kernel parameter, you can enable or disable accounting of swap in memory resource

controller. For more information, see Documentation/admin-guide/cgroup-v1/memory.rst.

Red Hat Enterprise Linux 9.3 9.3 Release Notes

CHAPTER 6. DEVICE DRIVERS

6.1. NEW DRIVERS

Network drivers

MediaTek MT7601U (USB) support (mt7601u), adds support for MT7601U-based wireless USB

dongles (only in 64-bit ARM architecture)

MediaTek MT76x0E (PCIe) support (mt76x0e), adds support for MT7610/MT7630-based

wireless PCIe devices (only in 64-bit ARM architecture)

MediaTek MT76x0U (USB) support (mt76x0u), adds support for MT7610U-based wireless USB

2.0 dongles (only in 64-bit ARM architecture)

MediaTek MT76x2E (PCIe) support (mt76x2e), adds support for MT7612/MT7602/MT7662-

based wireless PCIe devices (only in 64-bit ARM architecture)

MediaTek MT76x2U (USB) support (mt76x2u), adds support for MT7612U-based wireless USB

3.0 dongles (only in 64-bit ARM architecture)

MediaTek MT7921E (PCIe) support (mt7921e), adds support for MT7921E 802.11ax 2x2:2SS

wireless devices (only in 64-bit ARM architecture)

Atheros driver 802.11n HTC based wireless devices (ath9k_htc) (only in 64-bit ARM

architecture)

Broadcom 802.11n wireless LAN driver (brcmsmac) (only in 64-bit ARM architecture)

Broadcom 802.11n wireless LAN driver utilities (brcmutil) (only in 64-bit ARM architecture)

Broadcom 802.11 wireless LAN fullmac driver (brcmfmac) (only in 64-bit ARM architecture)

Core module for Qualcomm Atheros 802.11ac wireless LAN cards (ath10k_core) (only in 64-bit

ARM architecture)

Core module for Qualcomm Atheros 802.11ax wireless LAN cards (ath11k) (only in 64-bit ARM

architecture)

Device simulator for WWAN framework (wwan_hwsim)

Driver support for Qualcomm Atheros 802.11ac WLAN PCIe/AHB devices (ath10k_pci) (only in

64-bit ARM architecture)

Driver support for Qualcomm Technologies 802.11ax WLAN PCIe devices (ath11k_pci) (only in

64-bit ARM architecture)

Intel® Wireless Wi-Fi driver for Linux (iwlwifi) (only in 64-bit ARM architecture)

Intel® Wireless Wi-Fi Link AGN driver for Linux (iwldvm)- (only in 64-bit ARM architecture)

IOSM Driver (iosm)

Marvell WiFi-Ex Driver version 1.0 (mwifiex) (only in 64-bit ARM architecture)

Marvell WiFi-Ex PCI-Express Driver version 1.0 (mwifiex_pcie) (only in 64-bit ARM

CHAPTER 6. DEVICE DRIVERS

Marvell WiFi-Ex PCI-Express Driver version 1.0 (mwifiex_pcie) (only in 64-bit ARM

architecture)

Marvell WiFi-Ex SDIO Driver version 1.0 (mwifiex_sdio) (only in 64-bit ARM architecture)

Marvell WiFi-Ex USB Driver version 1.0 (mwifiex_usb) (only in 64-bit ARM architecture)

MediaTek PCIe 5G WWAN modem T7xx driver (mtk_t7xx)

Network/MBIM over MHI (mhi_wwan_mbim) (only in 64-bit ARM architecture, IBM Power

Systems, Little Endian, and AMD and Intel 64-bit architectures)

PCI basic driver for rtlwifi (rtl_pci) (only in 64-bit ARM architecture)

Ralink RT2800 library version 2.3.0 (rt2800lib) (only in 64-bit ARM architecture)

Ralink RT2800 PCI & PCMCIA Wireless LAN driver version 2.3.0 (rt2800pci) (only in 64-bit

ARM architecture)

Ralink RT2800 USB Wireless LAN driver version 2.3.0 (rt2800usb) (only in 64-bit ARM

architecture)

Realtek 802.11ac wireless 8821c driver (rtw88_8821c) (only in 64-bit ARM architecture)

Realtek 802.11ac wireless 8821ce driver (rtw88_8821ce) (only in 64-bit ARM architecture)

Realtek 802.11ac wireless 8822b driver (rtw88_8822b) (only in 64-bit ARM architecture)

Realtek 802.11ac wireless 8822be driver (rtw88_8822be) (only in 64-bit ARM architecture)

Realtek 802.11ac wireless 8822c driver (rtw88_8822c) - (only in 64-bit ARM architecture)

Realtek 802.11ac wireless 8822ce driver (rtw88_8822ce) (only in 64-bit ARM architecture)

Realtek 802.11ac wireless core module (rtw88_core) (only in 64-bit ARM architecture)

Realtek 802.11ac wireless PCI driver (rtw88_pci) (only in 64-bit ARM architecture)

Realtek 802.11ax wireless 8852A driver (rtw89_8852a) (only in 64-bit ARM architecture)

Realtek 802.11ax wireless 8852AE driver (rtw89_8852ae) (only in 64-bit ARM architecture)

Realtek 802.11ax wireless 8852B driver (rtw89_8852b) (only in 64-bit ARM architecture and

AMD and Intel 64-bit architectures)

Realtek 802.11ax wireless 8852BE driver (rtw89_8852be) (only in 64-bit ARM architecture and

AMD and Intel 64-bit architectures)

Realtek 802.11ax wireless core module (rtw89_core) (only in 64-bit ARM architecture)

Realtek 802.11ax wireless PCI driver (rtw89_pci) (only in 64-bit ARM architecture)

Realtek 802.11n PCI wireless core (btcoexist) (only in 64-bit ARM architecture)

Realtek 802.11n PCI wireless core (rtlwifi) (only in 64-bit ARM architecture)

Realtek 802.11n wireless 8723d driver (rtw88_8723d) (only in 64-bit ARM architecture)

Red Hat Enterprise Linux 9.3 9.3 Release Notes

Realtek 802.11n wireless 8723de driver (rtw88_8723de) (only in 64-bit ARM architecture)

Realtek 8188E 802.11n PCI wireless (rtl8188ee) (only in 64-bit ARM architecture)

Realtek 8192C/8188C 802.11n PCI wireless (rtl8192c-common) (only in 64-bit ARM

architecture)

Realtek 8192C/8188C 802.11n PCI wireless (rtl8192ce) (only in 64-bit ARM architecture)

Realtek 8192C/8188C 802.11n USB wireless (rtl8192cu) (only in 64-bit ARM architecture)

Realtek 8192DE 802.11n Dual Mac PCI wireless (rtl8192de) (only in 64-bit ARM architecture)

Realtek 8192EE 802.11n PCI wireless (rtl8192ee) (only in 64-bit ARM architecture)

Realtek 8192S/8191S 802.11n PCI wireless (rtl8192se) (only in 64-bit ARM architecture)

Realtek 8723BE 802.11n PCI wireless (rtl8723be) (only in 64-bit ARM architecture)

Realtek 8723E 802.11n PCI wireless (rtl8723ae) (only in 64-bit ARM architecture)

Realtek 8821ae 802.11ac PCI wireless (rtl8821ae) (only in 64-bit ARM architecture)

Realtek RTL8723AE/RTL8723BE 802.11n PCI wireless common routines (rtl8723-common)

(only in 64-bit ARM architecture)

rt2800 MMIO library version 2.3.0 (rt2800mmio) (only in 64-bit ARM architecture)

rt2x00 library version 2.3.0 (rt2x00lib) (only in 64-bit ARM architecture)

rt2x00 mmio library version 2.3.0 ( rt2x00mmio) (only in 64-bit ARM architecture)

rt2x00 pci library version 2.3.0 ( rt2x00pci) (only in 64-bit ARM architecture)

rt2x00 usb library version 2.3.0 (rt2x00usb) (only in 64-bit ARM architecture)

RTL8XXXu USB mac80211 Wireless LAN Driver (rtl8xxxu) (only in 64-bit ARM architecture)

Shared library for Atheros wireless 802.11n LAN cards (ath9k_common) (only in 64-bit ARM

architecture)

Shared library for Atheros wireless LAN cards (ath) (only in 64-bit ARM architecture)

Support for Atheros 802.11n wireless LAN cards (ath9k_hw) (only in 64-bit ARM architecture)

Support for Atheros 802.11n wireless LAN cards (ath9k) (only in 64-bit ARM architecture)

The new Intel® wireless AGN driver for Linux (iwlmvm) (only in 64-bit ARM architecture)

Thunderbolt/USB4 network driver (thunderbolt_net)

USB basic driver for rtlwifi (rtl_usb) (only in 64-bit ARM architecture)

Graphics drivers and miscellaneous drivers

Atheros AR30xx firmware driver 1.0 (ath3k) (only in 64-bit ARM architecture)

BlueFRITZ! USB driver version 1.2 (bfusb) (only in 64-bit ARM architecture)

CHAPTER 6. DEVICE DRIVERS

Bluetooth HCI UART driver version 2.3 (hci_uart) (only in 64-bit ARM architecture)

Bluetooth support for Broadcom devices version 0.1 (btbcm) (only in 64-bit ARM architecture)

Bluetooth support for Intel devices version 0.1 (btintel) (only in 64-bit ARM architecture)

Bluetooth support for MediaTek devices version 0.1 (btmtk) (only in 64-bit ARM architecture)

Bluetooth support for Realtek devices version 0.1 (btrtl) (only in 64-bit ARM architecture)

Bluetooth virtual HCI driver version 1.5 (hci_vhci) (only in 64-bit ARM architecture)

Broadcom Blutonium firmware driver version 1.2 (bcm203x) (only in 64-bit ARM architecture)

Digianswer Bluetooth USB driver version 0.11 ( bpa10x) (only in 64-bit ARM architecture)

Generic Bluetooth SDIO driver version 0.1 (btsdio) (only in 64-bit ARM architecture)

Generic Bluetooth USB driver version 0.8 (btusb) (only in 64-bit ARM architecture)

Marvell Bluetooth driver version 1.0 (btmrvl) (only in 64-bit ARM architecture)

Marvell BT-over-SDIO driver version 1.0 (btmrvl_sdio) (only in 64-bit ARM architecture)

Linux device driver of the BMC IPMI SSIF interface (ssif_bmc) (only in 64-bit ARM

architecture)

vTPM Driver version 0.1 (tpm_vtpm_proxy)

AMD P-state driver Test module (amd-pstate-ut) (only in AMD and Intel 64-bit architectures)

Compute Express Link (CXL) ACPI driver (cxl_acpi) (only in 64-bit ARM architecture and AMD

and Intel 64-bit architectures)

Compute Express Link (CXL) core driver (cxl_core)

Compute Express Link (CXL) port driver (cxl_port)

NVIDIA Tegra GPC DMA Controller driver (tegra186-gpc-dma) (only in 64-bit ARM

architecture)

DRM Buddy Allocator (drm_buddy) (only in 64-bit IBM Z architecture)

DRM display adapter helper (drm_display_helper) (only in 64-bit IBM Z architecture)

HID driver for EVision devices (hid-evision) (only in 64-bit ARM architecture, IBM Power

Systems, Little Endian, and AMD and Intel 64-bit architectures)

Texas Instruments INA3221 HWMon Driver (ina3221) (only in 64-bit ARM architecture)

I3C core (i3c) (only in 64-bit ARM architecture)

Silvaco dual-role I3C master driver (svc-i3c-master) (only in 64-bit ARM architecture)

Microsoft Azure Network Adapter IB driver (mana_ib) (only in AMD and Intel 64-bit

architectures)

Soft RDMA transport (rdma_rxe)

Red Hat Enterprise Linux 9.3 9.3 Release Notes

i.MX8MP interconnect driver - Generic interconnect drivers for i.MX SOCs (imx8mp-

interconnect) (only in 64-bit ARM architecture)

Linux USB Video Class (uvc) (only in 64-bit ARM architecture, IBM Power Systems, Little

Endian, and AMD and Intel 64-bit architectures)

Common memory handling routines for videobuf2 (videobuf2-memops) (only in 64-bit ARM

architecture)

Device node registration for cec drivers (cec) (only in 64-bit IBM Z architecture)

Device node registration for media drivers (mc) (only in 64-bit ARM architecture)

Driver helper framework for Video for Linux 2 (videobuf2-v4l2) (only in 64-bit ARM

architecture)

Media buffer core framework (videobuf2-common) (only in 64-bit ARM architecture)

USB Video Class driver version 1.1.1 (uvcvideo) (only in 64-bit ARM architecture)

V4L2 DV Timings Helper Functions (v4l2-dv-timings) (only in 64-bit ARM architecture)

Video4Linux2 core driver (videodev) (only in 64-bit ARM architecture)

vmalloc memory handling routines for videobuf2 (videobuf2-vmalloc) (only in 64-bit ARM

architecture)

Framework for SPI NOR (spi-nor) (only in 64-bit ARM architecture)

Marvell CN10K DRAM Subsystem(DSS) PMU (marvell_cn10k_ddr_pmu) (only in 64-bit ARM

architecture)

Marvell CN10K LLC-TAD Perf driver (marvell_cn10k_tad_pmu) (only in 64-bit ARM

architecture)

Intel Meteor Lake PCH pinctrl/GPIO driver (pinctrl-meteorlake) (only in AMD and Intel 64-bit

architectures)

Intel In Field Scan (IFS) device (intel_ifs) (only in AMD and Intel 64-bit architectures)

NVIDIA WMI EC Backlight driver (nvidia-wmi-ec-backlight) (only in AMD and Intel 64-bit

architectures)

QMI encoder/decoder helper (qmi_helpers) (only in 64-bit ARM architecture)

AMD SoundWire driver (soundwire-amd) (only in AMD and Intel 64-bit architectures)

NVIDIA Tegra114 SPI Controller Driver (spi-tegra114) (only in 64-bit ARM architecture)

STMicroelectronics STUSB160x Type-C controller driver (stusb160x) (only in 64-bit ARM

architecture)

MLX5 VFIO PCI - User Level meta-driver for MLX5 device family (mlx5-vfio-pci)

6.2. UPDATED DRIVERS

Network driver updates

CHAPTER 6. DEVICE DRIVERS

Realtek RTL8152/RTL8153 Based USB Ethernet Adapters (r8152) has been updated to version

v1.12.13 (only in 64-bit ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel

64-bit architectures).

Storage driver updates

Broadcom MegaRAID SAS Driver (megaraid_sas) has been updated to version 07.725.01.00-

rc1 (only in 64-bit ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-

bit architectures).

Driver for Microchip Smart Family Controller (smartpqi) has been updated to version 2.1.22-

040 (only in 64-bit ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-

bit architectures).

Emulex LightPulse Fibre Channel SCSI driver (lpfc) has been updated to version 0:14.2.0.12

(only in 64-bit ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit

architectures).

MPI3 Storage Controller Device Driver (mpi3mr) has been updated to version 8.4.1.0.0.

Red Hat Enterprise Linux 9.3 9.3 Release Notes

CHAPTER 7. AVAILABLE BPF FEATURES

This chapter provides the complete list of Berkeley Packet Filter (BPF) features available in the kernel

of this minor version of Red Hat Enterprise Linux 9. The tables include the lists of:

System configuration and other options

Available program types and supported helpers

Available map types

This chapter contains automatically generated output of the bpftool feature command.

Table 7.1. System configuration and other options

Option Value

unprivileged_bpf_disabled 2 (bpf() syscall restricted to privileged users, admin can change)

JIT compiler 1 (enabled)

JIT compiler hardening 1 (enabled for unprivileged users)

JIT compiler kallsyms exports 1 (enabled for root)

Memory limit for JIT for unprivileged

users

528482304

CONFIG_BPF y

CONFIG_BPF_SYSCALL y

CONFIG_HAVE_EBPF_JIT y

CONFIG_BPF_JIT y

CONFIG_BPF_JIT_ALWAYS_ON y

CONFIG_DEBUG_INFO_BTF y

CONFIG_DEBUG_INFO_BTF_MODULES y

CONFIG_CGROUPS y

CONFIG_CGROUP_BPF y

CONFIG_CGROUP_NET_CLASSID y

CONFIG_SOCK_CGROUP_DATA y

CHAPTER 7. AVAILABLE BPF FEATURES

CONFIG_BPF_EVENTS y

CONFIG_KPROBE_EVENTS y

CONFIG_UPROBE_EVENTS y

CONFIG_TRACING y

CONFIG_FTRACE_SYSCALLS y

CONFIG_FUNCTION_ERROR_INJECTIO

CONFIG_BPF_KPROBE_OVERRIDE n

CONFIG_NET y

CONFIG_XDP_SOCKETS y

CONFIG_LWTUNNEL_BPF y

CONFIG_NET_ACT_BPF m

CONFIG_NET_CLS_BPF m

CONFIG_NET_CLS_ACT y

CONFIG_NET_SCH_INGRESS m

CONFIG_XFRM y

CONFIG_IP_ROUTE_CLASSID y

CONFIG_IPV6_SEG6_BPF y

CONFIG_BPF_LIRC_MODE2 n

CONFIG_BPF_STREAM_PARSER y

CONFIG_NETFILTER_XT_MATCH_BPF m

CONFIG_BPFILTER n

CONFIG_BPFILTER_UMH n

Option Value

Red Hat Enterprise Linux 9.3 9.3 Release Notes

CONFIG_TEST_BPF m

CONFIG_HZ 1000

bpf() syscall available

Large program size limit available

Bounded loop support available

ISA extension v2 available

ISA extension v3 available

Option Value

Table 7.2. Available program types and supported helpers

Program type Available helpers

socket_filter bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem,

bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call,

bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task,

bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid,

bpf_skb_load_bytes_relative, bpf_map_push_elem, bpf_map_pop_elem,

bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_strtol, bpf_strtoul,

bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str,

bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output,

bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query,

bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock,

bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf,

bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf,

bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init,

bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs,

bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg,

bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem,

bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, bpf_ringbuf_discard_dynptr,

bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, bpf_ktime_get_tai_ns,

bpf_user_ringbuf_drain, bpf_cgrp_storage_get, bpf_cgrp_storage_delete

CHAPTER 7. AVAILABLE BPF FEATURES

kprobe bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read,

bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call,

bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm,

bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, bpf_get_current_task,

bpf_current_task_under_cgroup, bpf_get_numa_node_id, bpf_probe_read_str,

bpf_perf_event_read_value, bpf_get_stack, bpf_get_current_cgroup_id,

bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock,

bpf_spin_unlock, bpf_strtol, bpf_strtoul, bpf_send_signal, bpf_probe_read_user,

bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str,

bpf_send_signal_thread, bpf_jiffies64, bpf_get_ns_current_pid_tgid,

bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output,

bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query,

bpf_get_task_stack, bpf_copy_from_user, bpf_snprintf_btf, bpf_per_cpu_ptr,

bpf_this_cpu_ptr, bpf_task_storage_get, bpf_task_storage_delete,

bpf_get_current_task_btf, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init,

bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_get_func_ip,

bpf_get_attach_cookie, bpf_task_pt_regs, bpf_get_branch_snapshot, bpf_find_vma,

bpf_loop, bpf_strncmp, bpf_copy_from_user_task, bpf_kptr_xchg,

bpf_map_lookup_percpu_elem, bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr,

bpf_ringbuf_submit_dynptr, bpf_ringbuf_discard_dynptr, bpf_dynptr_read,

bpf_dynptr_write, bpf_dynptr_data, bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain,

bpf_cgrp_storage_get, bpf_cgrp_storage_delete

Program type Available helpers

Red Hat Enterprise Linux 9.3 9.3 Release Notes

sched_cls bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem,

bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id,

bpf_skb_store_bytes, bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call,

bpf_clone_redirect, bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop,

bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, bpf_get_route_realm,

bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_get_tunnel_opt,

bpf_skb_set_tunnel_opt, bpf_skb_change_proto, bpf_skb_change_type,

bpf_skb_under_cgroup, bpf_get_hash_recalc, bpf_get_current_task,

bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, bpf_set_hash_invalid,

bpf_get_numa_node_id, bpf_skb_change_head, bpf_get_socket_cookie,

bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, bpf_skb_get_xfrm_state,

bpf_skb_load_bytes_relative, bpf_fib_lookup, bpf_skb_cgroup_id,

bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, bpf_sk_lookup_udp, bpf_sk_release,

bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock,

bpf_spin_unlock, bpf_sk_fullsock, bpf_tcp_sock, bpf_skb_ecn_set_ce,

bpf_get_listener_sock, bpf_skc_lookup_tcp, bpf_tcp_check_syncookie, bpf_strtol,

bpf_strtoul, bpf_sk_storage_get, bpf_sk_storage_delete, bpf_tcp_gen_syncookie,

bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str,

bpf_probe_read_kernel_str, bpf_jiffies64, bpf_sk_assign, bpf_ktime_get_boot_ns,

bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard,

bpf_ringbuf_query, bpf_csum_level, bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock,

bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock,

bpf_snprintf_btf, bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr,

bpf_this_cpu_ptr, bpf_redirect_peer, bpf_get_current_task_btf,

bpf_ktime_get_coarse_ns, bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf,

bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel,

bpf_task_pt_regs, bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_skb_set_tstamp,

bpf_kptr_xchg, bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock,

bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr,

bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data,

bpf_tcp_raw_gen_syncookie_ipv4, bpf_tcp_raw_gen_syncookie_ipv6,

bpf_tcp_raw_check_syncookie_ipv4, bpf_tcp_raw_check_syncookie_ipv6,

bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get,

bpf_cgrp_storage_delete

Program type Available helpers

CHAPTER 7. AVAILABLE BPF FEATURES

sched_act bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem,