4 Deprecated Features

This chapter lists features and functionalities that are deprecated in Oracle Linux 9. While these features might be included and operative in the release, support isn't guaranteed in future major releases. Thus, these features must not be used in new Oracle Linux 9 deployments.

Installation

The following installation related features and functionalities are deprecated in Oracle Linux 9.

Kickstart Commands

  • timezone --ntpservers

  • timezone --nontp

  • logging --level

  • %packages --excludeWeakdeps

  • %packages --instLangs

  • %anaconda

  • pwpolicy

Even though specific options are listed as deprecated, the base command and the other options remain available and operative. If you use a deprecated command in kickstart files, warnings are generated in the logs. To change deprecated command warnings to errors, set the inst.ksstrict boot option.
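The following check is an added example, not part of the Oracle documentation: it scans a kickstart file for the deprecated commands and options listed above so that they can be caught before an installation logs warnings. The function names, the sample file, and the line-based matching (an approximation of how the installer parses the file) are assumptions of the example.

```sh
#!/bin/sh
# Added example: report the kickstart syntax that the list above marks as
# deprecated. Reads a kickstart file on stdin, prints "line: what: text", and
# exits non-zero on any finding, so it can gate a build in the same spirit as
# inst.ksstrict turning warnings into errors.
ks_deprecated() {
    awk '
        /^[ \t]*#/ { next }    # comments cannot trigger a finding
        {
            hit = ""
            line = $0 " "      # trailing blank lets one pattern match at end of line
            if ($1 == "timezone" && line ~ /--(ntpservers|nontp)[ \t=]/)
                hit = "timezone NTP option"
            else if ($1 == "logging" && line ~ /--level[ \t=]/)
                hit = "logging --level"
            else if ($1 == "%packages" && line ~ /--(excludeWeakdeps|instLangs)[ \t=]/)
                hit = "%packages option"
            else if ($1 == "%anaconda")
                hit = "%anaconda section"
            else if ($1 == "pwpolicy")
                hit = "pwpolicy command"
            if (hit != "") { printf "%d: %s: %s\n", NR, hit, $0; n++ }
        }
        END { exit (n > 0) }'
}

# Constructed sample kickstart file (host names are placeholders).
ks_sample() {
    cat <<'EOF'
# constructed sample
lang en_US.UTF-8
timezone Europe/Berlin --ntpservers=ntp1.example.com
logging --host=loghost.example.com --level=debug
rootpw --lock
%packages --excludeWeakdeps
@core
%end
%anaconda
pwpolicy root --minlen=8
%end
EOF
}

if ks_sample | ks_deprecated; then
    echo "no deprecated kickstart syntax"
else
    echo "deprecated kickstart syntax found"
fi
```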

initial-setup Package

Instead of using this package, use the gnome-initial-setup package as a replacement.

Shell and Command Line

The following shell and command line related features and functionalities are deprecated in Oracle Linux 9.

dump Utility

The dump utility that's included in the dump package is deprecated.

As an alternative, you can use the tar or dd utilities to achieve similar functionality.

Note that the restore utility, originally included in the dump package, remains available in Oracle Linux 9 and can be installed by using the restore package.

Bacula Sqlite Backend Database

The use of a SQLite backend database for the Bacula backup utility is deprecated and might be removed in a future release of Oracle Linux 9. Bacula can use a MySQL backend database and you can migrate existing deployments to MySQL. Avoid using SQLite for new deployments of the Bacula backup utility.

Security

The following security related features and functionalities are deprecated in Oracle Linux 9.

SHA-1 Algorithm

The SHA-1 algorithm is deprecated in Oracle Linux 9. Digital signatures that use the SHA-1 hash algorithm are no longer considered secure and are therefore not allowed on Oracle Linux 9 systems by default. Oracle Linux 9 has been updated to avoid using SHA-1 in security-related use cases.

However, the HMAC-SHA1 message authentication code and the Universal Unique Identifier (UUID) values can still be created by using SHA-1.

In cases where you need SHA-1 to verify existing or third party cryptographic signatures, you can enable SHA-1 as follows:

sudo update-crypto-policies --set DEFAULT:SHA1

As an alternative, you can switch the systemwide crypto policies to the LEGACY policy. However, this policy also enables other algorithms that are not secure, and therefore risks making the system vulnerable.

SCP Protocol

In the scp utility, secure copy protocol (SCP) is replaced by the SSH File Transfer Protocol (SFTP) by default. Likewise, SCP is deprecated in the libssh library.

Oracle Linux 9 doesn't use SCP in the OpenSSH suite.

OpenSSL Cryptographic Algorithms

  • MD2

  • MD4

  • MDC2

  • Whirlpool

  • RIPEMD160

  • Blowfish

  • CAST

  • DES

  • IDEA

  • RC2

  • RC4

  • RC5

  • SEED

  • PBKDF1

The implementations of these algorithms have been moved to the legacy provider in OpenSSL.

For instructions on how to load the legacy provider and enable support for the deprecated algorithms, see the /etc/pki/tls/openssl.cnf configuration file.

Digest-MD5

The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) framework is deprecated. The mechanism might be removed from the cyrus-sasl packages in a future major release.

/etc/system-fips File

The /etc/system-fips file was used to indicate the FIPS mode in the system. This file is removed in Oracle Linux 9.

To install Oracle Linux 9 in FIPS mode, add the fips=1 parameter to the kernel command line during the system installation. To check whether Oracle Linux 9 is operating in FIPS mode, use the fips-mode-setup --check command.

libcrypt.so.1

The libcrypt.so.1 cryptographic library is deprecated and might be removed in a future Oracle Linux version.

fapolicyd.rules File

The /etc/fapolicyd/fapolicyd.rules file is deprecated. You can store policy rules for fapolicyd in the /etc/fapolicyd/rules.d/ directory. The fagenrules script merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file.

Rules in /etc/fapolicyd/fapolicyd.trust continue to be processed by fapolicyd for backward compatibility.

OpenSSL RSA Encryption Without Padding

RSA encryption without padding for OpenSSL in FIPS mode is no longer accepted. However, key encapsulation with RSA (RSASVE) which doesn't use padding continues to be supported for OpenSSL.

Networking

The following network related features and functionalities are deprecated in Oracle Linux 9.

Network Teams

The teamd service, the libteam library, and support for configuring network teams are deprecated in favor of network bonds. Use network bonds instead, which have functions similar to teams and which will receive enhancements and updates.

/etc/sysconfig/network-scripts File

Network configuration profiles used to be in ifcfg format and stored in the /etc/sysconfig/network-scripts directory. This format is deprecated. In Oracle Linux 9, new network configurations are stored in /etc/NetworkManager/system-connections in keyfile format. This format works with all the connection settings provided by NetworkManager.

However, information in the /etc/sysconfig/network-scripts directory remains operative, and modifications to existing profiles continue to update the older files.

iptables Framework

With the deprecation of the iptables framework, the iptables backend and the direct interface are also deprecated.

Therefore, the following packages are also deprecated:

  • iptables-devel

  • iptables-libs

  • iptables-nft

  • iptables-nft-services

  • iptables-utils

As an alternative to using direct interface, use the native features in firewalld to configure the required rules.

PF_KEYv2 Kernel API

The PF_KEYv2 API is used to configure the kernel IPsec implementation. However, this API isn't maintained upstream. Therefore, this API is deprecated. Instead, use the netlink API as a replacement.

Kernel

The following kernel related features and functionalities are deprecated in Oracle Linux 9.

crashkernel=auto Option

The crashkernel=auto option is deprecated and no longer supported on Oracle Linux 9, and is also unsupported for UEK R7. Some platforms, such as the Raspberry Pi, have maximum limits for crashkernel memory reservation, and these must be specified explicitly. This option will be removed in a future UEK release.

Asynchronous Transfer Mode

Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, Ethernet) or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Currently, these protocols are used only in chipsets that use ADSL technology, which are being phased out.

kexec_load in kexec_tools

The kexec_load system call for kexec-tools is deprecated.

The kexec_file_load system call replaces kexec_load and is the default system call.

File Systems and Storage

The following features and functionalities related to file systems and storage are deprecated in Oracle Linux 9.

lvm2-activation-generator

The lvm2-activation-generator program is deprecated, together with its generated services as follows:

  • lvm2-activation

  • lvm2-activation-early

  • lvm2-activation-net

The lvm.conf event_activation that used to activate these services no longer works. The only method that is used for automatic activation of volume groups is event based activation.

PMDK Library

The Persistent Memory Development Kit (pmdk) is a collection of libraries and tools for simplifying the management and access of persistent memory devices. This set of libraries is deprecated, including the -debuginfo packages.

The following list of pmdk-related binary packages, including the nvml source package, have been deprecated:

  • libpmem
  • libpmem-devel
  • libpmem-debug
  • libpmem2
  • libpmem2-devel
  • libpmem2-debug
  • libpmemblk
  • libpmemblk-devel
  • libpmemblk-debug
  • libpmemlog
  • libpmemlog-devel
  • libpmemlog-debug
  • libpmemobj
  • libpmemobj-devel
  • libpmemobj-debug
  • libpmempool
  • libpmempool-devel
  • libpmempool-debug
  • pmempool
  • daxio
  • pmreorder
  • pmdk-convert
  • libpmemobj++
  • libpmemobj++-devel
  • libpmemobj++-doc

Dynamic Programming Languages, Web and Database Servers

The following features and functionalities that are related to dynamic programming, web, and database servers are deprecated in Oracle Linux 9.

Berkeley DB (libdb)

Deprecation of the Berkeley DB (libdb) package includes the removal of cryptographic algorithms and dependencies. Users of libdb should migrate to a different key-value database.

Compilers and Development

The following compiler and development related features and functionalities are deprecated in Oracle Linux 9.

Keys Smaller Than 2048-bits in OpenSSL

OpenSSL 3.0 has deprecated keys smaller than 2048 bits. Keys smaller than 2048 bits might not work in FIPS mode.

Some PKCS1 v1.5 modes

Some PKCS1 v1.5 modes aren't approved in FIPS-140-3 for encryption and are disabled.

Identity Management and Authentication

The following identity management and authentication features and functionalities are deprecated in Oracle Linux 9.

SSSD Files Provider

The SSSD files provider, which retrieves user information from local files such as /etc/shadow and group information from /etc/group, is deprecated and disabled by default in Oracle Linux 9.

To retrieve user and group information from local files with SSSD:

  1. Configure SSSD. Choose one of the following options:

    1. Explicitly configure a local domain with the id_provider=files option in the sssd.conf configuration file.

      [domain/local]
      id_provider=files
      ...
    2. Enable the files provider by setting enable_files_domain=true in the sssd.conf configuration file.

      [sssd]
      enable_files_domain = true
  2. Configure the name services switch.

    sudo authselect enable-feature with-files-provider

Note that the files provider might be removed from a future release of Oracle Linux.

OpenLDAP Utility Options

The OpenLDAP project has deprecated the -h and -p options in its utilities, and recommends using the -H option instead to specify the LDAP URI. The -h and -p options will be removed from Oracle Linux products that use OpenLDAP in future releases.
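The following filter is an added example, not code from Oracle or the OpenLDAP project: it rewrites -h and -p on OpenLDAP client command lines in existing scripts to the -H URI form described above. It assumes plain LDAP (ldap://), arguments without quoted whitespace, and that -p without -h meant the local server; the function names and sample lines are made up for the example.

```sh
#!/bin/sh
# Added example: rewrite "-h host" / "-p port" on OpenLDAP client command lines
# to the "-H URI" form. Reads script lines on stdin, writes rewritten lines.
# Assumptions: no quoted whitespace in arguments, plain LDAP (ldap://).
ldap_to_uri() {
    awk '
    {
        tool = 0; host = ""; port = ""; pos = 0; n = 0
        for (i = 1; i <= NF; i++) {
            # Only OpenLDAP client tools; "-h" means something else elsewhere.
            if ($i ~ /^(.*\/)?ldap(search|modify|add|delete|whoami|passwd|compare|modrdn)$/)
                tool = 1
            if (tool && ($i == "-h" || $i == "-p") && i < NF) {
                if ($i == "-h") host = $(i + 1); else port = $(i + 1)
                if (!pos) pos = ++n         # reserve the slot where -H will go
                i++                         # skip the option value as well
                continue
            }
            out[++n] = $i
        }
        if (!pos) { print; next }           # nothing to rewrite: keep the line as is
        if (host == "") host = "localhost"  # assumption: -p alone meant the local server
        if (host ~ /:/) host = "[" host "]" # IPv6 literals need brackets in a URI
        out[pos] = "-H ldap://" host (port == "" ? "" : ":" port)
        indent = $0; sub(/[^ \t].*$/, "", indent)
        line = indent out[1]
        for (i = 2; i <= n; i++) line = line " " out[i]
        print line
    }'
}

# Constructed sample lines (hosts and file names are placeholders).
ldap_sample() {
    cat <<'EOF'
ldapsearch -x -h ldap.example.com -p 1389 -b dc=example,dc=com uid=alice
  ldapwhoami -x -h ldap.example.com
ldapmodify -p 1636 -f change.ldif
grep -h pattern notes.txt
EOF
}

ldap_sample | ldap_to_uri
```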

nsslapd-idlistscanlimit Parameter and Default Value

Because of optimizations to filter reordering, the nsslapd-idlistscanlimit parameter has a negative impact on search performance and is therefore deprecated. Further, the parameter's default value is changed to 2147483646.

SMB1 Protocol

Beginning with Samba 4.11, the Server Message Block version 1 (SMB1) protocol is deprecated because of its insecure features. By default, this protocol is disabled in both Samba server and client utilities.

Desktop

The following desktop related features and functionalities are deprecated in Oracle Linux 9.

X.org Server

In Oracle Linux 9, the X.org display server is deprecated and, consequently, so is the xorg-x11-server-Xorg package.

The default desktop session is the Wayland session. However, the X11 protocol continues to be supported by using the XWayland backend. Therefore, applications that require X11 can run in Wayland sessions.

GTK 2

The legacy GTK 2 toolkit and the following, related packages are deprecated:

  • adwaita-gtk2-theme
  • gnome-common
  • gtk2
  • gtk2-immodules
  • hexchat

If you maintain an application that uses GTK 2, port the application to GTK 4 as soon as possible.

Motif Toolkit

The Motif widget toolkit is deprecated, including the following packages:

  • motif
  • openmotif
  • openmotif21
  • openmotif22

Likewise, the motif-static package has been removed. In place of Motif, use the GTK toolkit.

LibreOffice and Inkscape

The LibreOffice RPM packages are now deprecated. However, LibreOffice itself continues to be supported.

As a replacement for the RPM packages, you can use the following sources to install LibreOffice:

Likewise, the Inkscape Flatpak image (inkscape-flatpak) is also deprecated. As a replacement, use the inkscape RPM package from https://inkscape.org/.

Virtualization

The following virtualization related features and functionalities are deprecated in Oracle Linux 9.

Signatures Using SHA-1

The use of SHA1-based signatures to perform SecureBoot image verification on UEFI (PE/COFF) executables is deprecated. Instead, use signatures that are based on SHA-2 or later.

Virtual Machine Manager

In place of the deprecated Virtual Machine Manager (virt-manager), use the web console, otherwise known as Cockpit.

Virtual Machine Snapshots

Support for creating snapshots of VMs is limited only to those that do not use UEFI firmware. However, the operation might cause the QEMU monitor to become blocked and affect hypervisor operations.

As an alternative, use external snapshots.

libvirtd Daemon

As a replacement for the deprecated libvirtd daemon, use the modular daemons in the libvirt library. For example, the virtqemud daemon handles QEMU drivers.

Virtual Floppy Driver

The isa-fdc driver controls virtual floppy disk devices. To ensure compatibility with migrated virtual machines (VMs), you should not use floppy disk devices in virtual machines that you subsequently host on Oracle Linux 9.

qcow2-v2 Format

For virtual disk images, use the qcow2-v3 format instead.

Legacy CPU Models

The following legacy CPU models are deprecated for use in VMs:

  • For Intel®: models prior to Intel® Xeon 55xx and 75xx Processor families (also known as Nehalem)
  • For AMD: models prior to AMD Opteron G4

To check whether a VM is using a deprecated CPU model, use the virsh dominfo command, and look for a line similar to the following in the Messages section:

tainted: use of deprecated configuration settings
deprecated configuration: CPU model 'i486'
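
The following check is an added example, not part of the Oracle documentation: it extracts the deprecated CPU model from virsh dominfo output so that the message shown above can be collected for every VM on a host. The function names and the sample report are constructed for the example; the virsh loop is only defined, not run.

```sh
#!/bin/sh
# Added example: pull the deprecated CPU model out of "virsh dominfo" output.
# Reads one or more dominfo reports on stdin, prints "domain<TAB>model" for
# each flagged VM, and exits non-zero when no VM is flagged.
vm_deprecated_cpu() {
    awk -v q="'" '
        $1 == "Name:" { name = $2 }
        /deprecated configuration: CPU model/ {
            split($0, part, q)      # part[2] is the text between the quotes
            printf "%s\t%s\n", name, part[2]
            found = 1
        }
        END { exit !found }'
}

# Run the check against every defined domain on a libvirt host.
# Assumption: domain names contain no whitespace.
audit_all_vms() {
    for dom in $(virsh list --all --name); do
        virsh dominfo "$dom"
    done | vm_deprecated_cpu
}

# Constructed dominfo output for two VMs (names and values are made up).
dominfo_sample() {
    cat <<'EOF'
Name:           legacy-vm
State:          shut off
CPU(s):         1
Messages:       tainted: use of deprecated configuration settings
                deprecated configuration: CPU model 'i486'

Name:           modern-vm
State:          running
CPU(s):         4
EOF
}

dominfo_sample | vm_deprecated_cpu
```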

RDMA-based Live Migration

In this release, RDMA-based live migration of virtual machines is deprecated. You can still use the rdma:// migration URI for migrating VMs over Remote Direct Memory Access. However, this method might no longer work in a future release.

Containers

The following features and functionalities that are related to containers are deprecated in Oracle Linux 9.

Oracle Linux 9 Containers on Oracle Linux 7 Hosts

Creating Oracle Linux 9 containers on an Oracle Linux 7 host is unsupported. Attempts to deploy this configuration might succeed, but success is not guaranteed.

SHA-1 Algorithm Within Podman

Support for using the SHA-1 algorithm to generate the filename of the rootless network namespace is removed in Podman. You should restart rootless containers that were configured by using Podman earlier than version 4.1.1. Restarting these containers rather than just using slirp4netns ensures that these containers can join the network and connect with containers that were created with upgraded Podman versions.

CNI Network Stack

The Container Network Interface (CNI) network stack is deprecated. You can use the Netavark network stack with Podman and other Open Container Initiative (OCI) container management applications. The Netavark network stack for Podman is also compatible with advanced Docker functionalities.

Deprecated Packages

The support status of deprecated packages remains unchanged within Oracle Linux 9. For more information about the length of support, see Oracle Linux: Product Life Cycle Information.

The following packages are deprecated in Oracle Linux 9 and might be removed in a future release of Oracle Linux:

  • daxio

  • iptables-devel

  • iptables-libs

  • iptables-nft

  • iptables-nft-services

  • iptables-utils

  • libdb

  • libpmem

  • libpmem-debug

  • libpmem-devel

  • libpmem2

  • libpmem2-debug

  • libpmem2-devel

  • libpmemblk

  • libpmemblk-debug

  • libpmemblk-devel

  • libpmemlog

  • libpmemlog-debug

  • libpmemlog-devel

  • libpmemobj

  • libpmemobj-debug

  • libpmemobj-devel

  • libpmempool

  • libpmempool-debug

  • libpmempool-devel

  • libuser

  • libuser-devel

  • mcpp

  • mod_auth_mellon

  • motif

  • motif-devel

  • pmdk-convert

  • pmempool

  • python3-pytz

  • xorg-x11-server-Xorg