2 New Features and Changes

Unless indicated otherwise, the following new features, major enhancements, bug fixes, and other changes that are introduced in this release of Oracle Linux 9 apply to both the x86_64 and 64-bit Arm (aarch64) platforms.

Installation

The following features, enhancements, and changes related to installation are introduced in this Oracle Linux 9 release.

New Kickstart Options for DNS

Kickstart includes new options for the network command to set DNS configuration information for a device. The following new options are available:

  • --ipv4-dns-search and --ipv6-dns-search: can be used to configure DNS search domains as a comma-separated list.

  • --ipv4-ignore-auto-dns and --ipv6-ignore-auto-dns: can be used to disable automatic DNS configuration by DHCP.

Operating System and Software Management

The following features, enhancements, and changes related to the OS and software management are introduced in this Oracle Linux 9 release.

DNF-automatic reboot Option

Use DNF-automatic reboot option after performing an upgrade to automatically reboot the system and apply changes.

To set the required DNF-automatic reboot behavior, edit the [commands] section of /etc/dnf/automatic.conf to include a reboot entry, for example:
reboot = [never | when-changed | when-needed]

where:

  • never (default behavior) – The system is not rebooted following an upgrade.
  • when-changed – The system is automatically rebooted following any upgrade changes.
  • when-needed – The system is only automatically rebooted following upgrade changes to systemd or the kernel.

You can also include a reboot_command entry to customize the reboot behavior. For example, to skip the 5 minute delay following an upgrade, specify the shutdown -r command:

reboot_command = shutdown -r

DNF System-Upgrade Plugin reboot --poweroff Flag

Use the DNF system-upgrade plugin reboot --poweroff flag to shut down the system after installing updates, instead of rebooting.

CLI syntax usage:
dnf system-upgrade reboot --poweroff

DNF Plugins: leaves and show-leaves

The new DNF leaves and show-leaves plugins help you identify packages installed on the system that aren't dependencies of other packages. For example, use:
  • dnf leaves – To list the installed packages that aren't required by any other installed packages.
  • dnf show-leaves – To list newly installed leaf packages and packages that have become leaves after a transaction.

Infrastructure Services

The following features, enhancements, and changes related to infrastructure services are introduced in this Oracle Linux 9 release.

Postfix Can Handle SRV Lookups

Postfix can use DNS service (SRV) records to automatically configure mail clients and balance server load. Furthermore, Postfix can handle temporary DNS issues and provides configurable options for fault resilience in case of SRV record failures. You can configure SRV handling for Postfix by setting the following options in the Postfix server configuration:

  • use_srv_lookup=smtp

    Enables discovery of the specified service by using DNS SRV records.

  • allow_srv_lookup_fallback=yes

    Configures the service for SRV lookup fallback, so that Postfix falls back to using MX and IP address records in the case where an SRV entry lookup fails either because of misconfiguration or a missing entry, but continues to use SRV for the service.

  • ignore_srv_lookup_error=yes

    Configures the service to stop using SRV when a lookup fails, and to switch to using MX or IP address records instead.

CUPS: Generic LF-to-CRLF Print Driver

A Generic LF-to-CRLF print driver, lftocrlf, is available for configuration when using the Common UNIX Printing System (CUPS). This driver converts line endings that use a Line Feed (LF) control character to Carriage Return Line Feed (CRLF) line endings.

The lftocrlf print driver is a renamed version of the text-only driver available in Oracle Linux 7, so that the name describes its actual functionality.

Security

The following features, enhancements, and changes related to security are introduced in this Oracle Linux 9 release.

Keylime Updated to Version 7.3.0

Aside from security fixes, this updated version of Keylime includes the convert_runtime_policy.py script that lets you combine allow and exclude lists into the runtime policy.

Keylime SELinux Policy Improvements

The Keylime SELinux policy labels ports used by Keylime with the label keylime_port_t and allows TCP connections for ports with that label set. By labeling ports for Keylime, the SELinux policy is more specific and port security can be more targeted.

crypto-policies Includes the NO-ENFORCE-EMS Subpolicy for TLS 1.2 Connections in FIPS Mode

The NO-ENFORCE-EMS subpolicy is included in the system-wide cryptographic policies. When this subpolicy is enforced, the system no longer requires the Extended Master Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections negotiated in FIPS mode. The system can therefore connect with legacy systems that don't work with EMS or TLS 1.3. Note, however, that applying the subpolicy would result in noncompliance with the requirements of the FIPS-140-3 standard.

To apply the subpolicy, use the following command:

sudo update-crypto-policies --set FIPS:NO-ENFORCE-EMS

GnuTLS Requires EMS With TLS 1.2 in FIPS Mode

The FIPS-140-3 standard requires the Extended Master Secret (EMS) extension in GnuTLS servers and clients for all TLS 1.2 connections in FIPS mode.

If you need to preserve compatibility with older servers and clients that don't work with EMS on TLS 1.2 and, at the same time, you can't use TLS 1.3, apply the NO-ENFORCE-EMS subpolicy instead. Enter the following command:

sudo update-crypto-policies --set FIPS:NO-ENFORCE-EMS

WARNING:

Setting the subpolicy to accept TLS 1.2 connections without EMS renders the system noncompliant with FIPS-140-3 requirements.

NSS Enforce EMS in FIPS Mode

The Network Security Services (NSS) libraries contain the TLS-REQUIRE-EMS policy. This policy enforces the use of the Extended Master Secret (EMS) extension for all TLS 1.2 connections as required by the FIPS 140-3 standard. NSS enforces the TLS-REQUIRE-EMS policy when system-wide cryptographic policies are set to FIPS.

If you need to work with older servers and clients that don't enforce EMS and, at the same time, you can't use TLS 1.3, apply the NO-ENFORCE-EMS subpolicy instead. Enter the following command:

sudo update-crypto-policies --set FIPS:NO-ENFORCE-EMS

However, applying the subpolicy would violate the requirements of the FIPS-140-3 standard.

EMS in FIPS Mode Can Be Disabled in OpenSSL

You can configure the OpenSSL cryptographic libraries so you can use TLS 1.2 connections without the Extended Master Secret (EMS) extension in FIPS mode. Do the following:

  1. Edit the /etc/pki/tls/fips_local.cnf file by adding the following section:

    [fips_sect]
    tls1-prf-ems-check = 0
    activate = 1
  2. Open the /etc/pki/tls/openssl.cnf file and navigate to the SSL configuration section whose section heading is [crypto_policy].

    At the end of the section, add the following line:

    Options=RHNoEnforceEMSinFIPS

You can also stop enforcing EMS for TLS 1.2 in FIPS mode with the following command:

sudo update-crypto-policies --set FIPS:NO-ENFORCE-EMS

However, whether you use the previous steps or the single command, disabling EMS for TLS 1.2 in FIPS mode would violate the requirements of the FIPS-140-3 standard.
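The three sections above describe three independent ways of relaxing the EMS requirement (the NO-ENFORCE-EMS subpolicy, tls1-prf-ems-check = 0 in fips_local.cnf, and Options=RHNoEnforceEMSinFIPS in openssl.cnf). The following added example, which is not code from the release notes or from any of the projects they describe, audits all three so that a host reporting itself as FIPS-compliant can be checked for this deviation. The location of the active-policy state file and the sample file contents are assumptions; the samples are constructed.

```python
"""Audit whether EMS enforcement for TLS 1.2 in FIPS mode has been relaxed.

Added example (not from the Oracle Linux release notes). It inspects the
three places the notes describe: the active crypto-policy name, the
[fips_sect] section of OpenSSL's fips_local.cnf, and the [crypto_policy]
section of openssl.cnf. File paths are assumptions; sample contents are
constructed.
"""
from __future__ import annotations

import re
from pathlib import Path

# Assumed locations. The release notes give the last two; the state file is
# where update-crypto-policies records the active policy on RHEL-family systems.
POLICY_STATE = Path("/etc/crypto-policies/state/current")
FIPS_LOCAL_CNF = Path("/etc/pki/tls/fips_local.cnf")
OPENSSL_CNF = Path("/etc/pki/tls/openssl.cnf")


def parse_sections(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI-style parser for OpenSSL config fragments.

    configparser is not used because openssl.cnf carries directives such as
    '.include' and bare 'openssl_conf = ...' lines outside any section.
    """
    sections: dict[str, dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def ems_findings(policy: str, fips_local: str, openssl_cnf: str) -> list[str]:
    """Return a list of findings; an empty list means EMS is still enforced."""
    findings: list[str] = []
    policy = policy.strip()
    if not policy.startswith("FIPS"):
        findings.append(f"system-wide policy is {policy!r}, not FIPS")
    # Subpolicies follow the base policy, separated by ':' (e.g. FIPS:NO-ENFORCE-EMS).
    if "NO-ENFORCE-EMS" in policy.split(":")[1:]:
        findings.append("NO-ENFORCE-EMS subpolicy applied via update-crypto-policies")

    fips_sect = parse_sections(fips_local).get("fips_sect", {})
    if fips_sect.get("tls1-prf-ems-check") == "0":
        findings.append("fips_local.cnf [fips_sect] sets tls1-prf-ems-check = 0")

    crypto_policy = parse_sections(openssl_cnf).get("crypto_policy", {})
    options = {o.strip() for o in crypto_policy.get("Options", "").split(",")}
    if "RHNoEnforceEMSinFIPS" in options:
        findings.append("openssl.cnf [crypto_policy] sets Options=RHNoEnforceEMSinFIPS")
    return findings


def audit_system() -> list[str]:
    """Read the real files (a missing file counts as unmodified) and report."""
    def read(path: Path) -> str:
        return path.read_text() if path.exists() else ""
    return ems_findings(read(POLICY_STATE), read(FIPS_LOCAL_CNF), read(OPENSSL_CNF))


# Constructed samples: a host on which all three relaxations have been applied.
SAMPLE_POLICY = "FIPS:NO-ENFORCE-EMS\n"
SAMPLE_FIPS_LOCAL = """
[fips_sect]
tls1-prf-ems-check = 0
activate = 1
"""
SAMPLE_OPENSSL_CNF = """
openssl_conf = default_modules
.include /etc/crypto-policies/back-ends/opensslcnf.config
[ crypto_policy ]
.include = /etc/crypto-policies/back-ends/opensslcnf.config
Options = RHNoEnforceEMSinFIPS
"""

if __name__ == "__main__":
    for finding in ems_findings(SAMPLE_POLICY, SAMPLE_FIPS_LOCAL, SAMPLE_OPENSSL_CNF):
        print("FIPS 140-3 deviation:", finding)
```

Run audit_system() as root on a live host to check the real files; each reported finding corresponds to one of the three mechanisms described above.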

OpenSSH Enforces SHA-2

To discourage the use of the less secure SHA-1 algorithm, OpenSSH applies the following changes:

  • Checks at sshd startup whether SHA-1 is available. If it isn't, OpenSSH doesn't use SHA-1 for operations; thus, DSS keys, if present, aren't loaded, and advertising of the rsa-sha2 combinations, when available, is enforced.

  • On SSH private key conversion, OpenSSH explicitly uses SHA-2 for testing RSA keys.

  • The sshd daemon uses SHA-2 to confirm host key proof if SHA-1 signatures are unavailable on the server side. However, this configuration might be incompatible with clients that use Oracle Linux 8 and earlier versions.

  • The sshd daemon also uses SHA-2 if SHA-1 signatures are unavailable on the client side.

  • On the client side, OpenSSH accepts SHA-2-based key proofs from the server if SHA-1 is used in the key proof request or when the hash algorithm isn't specified and the default configuration is used. This behavior is aligned with the already present exception for RSA certificates, and lets connections be established by using modern algorithms.

OpenSSL Elliptic Curve Cryptography Works With Brainpool Curves

The following brainpool curves are enabled in OpenSSL Elliptic Curve Cryptography:

  • brainpoolP256r1

  • brainpoolP256t1

  • brainpoolP320r1

  • brainpoolP320t1

  • brainpoolP384r1

  • brainpoolP384t1

  • brainpoolP512r1

  • brainpoolP512t1

pcsc-lite-ccid Updated to 1.5.2

The updated pcsc-lite-ccid package provides various bug fixes and enhancements, such as the ability to work with new readers and a fix for the Alcor Micro AU9560 card reader.

opensc Package Updated to 0.23

The updated opensc package provides various bug fixes and enhancements such as the following:

  • Works with encryption and decryption using symmetric keys

  • Can be used to sign data with a length of more than 512 bytes

  • Automatically disables old card driver functionality

  • Removes functionality for the MioCOS and JCOP drivers

New SELinux Systemd Service Rules

New rules are added to the SELinux policy that confine the following systemd services:

  • qat

  • systemd-pstore

  • boothd

  • fdo-manufacturing-server

  • fdo-rendezvous-server

  • fdo-client-linuxapp

  • fdo-owner-onboarding-server

The listed services no longer run with the unconfined_service_t SELinux label, and run in SELinux enforcing mode.

OpenSCAP Updated to 1.3.8

The OpenSCAP packages are updated to version 1.3.8. Notable changes include:

  • Fixes to systemd probes to not ignore some systemd units.
  • Addition of offline capabilities to the shadow OVAL probe.
  • Addition of offline capabilities to the sysctl OVAL probe.
  • Addition of auristorfs to the list of network file systems.
  • Improved handling of tailoring files generated by autotailor.

SCAP Security Guide Updated to Version 0.1.69

Updates to the SCAP Security Guide include the following notable changes:

  • Password aging rules no longer ignore empty strings as passwords.
  • The remote OVAL content URL is updated to be more specific to Oracle Linux 9 to improve memory usage when scanning with --fetch-remote-resources.
  • Rules related to /var/log and /var/log/audit are now only applicable if those partitions exist.
  • Bash remediations are fixed to handle ISO9660 partitions in the fstab.

SCAP Security Guide Updated ANSSI-BP-028 Security Profiles to Version 2.0

The Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) BP-028 profiles in the SCAP security guide were updated to align with the version 2.0 guidelines described at https://cyber.gouv.fr/publications/recommandations-de-securite-relatives-un-systeme-gnulinux.

Expanded fanotify Information in Audit Logs

The Audit service includes information about fanotify events in appropriate audit record fields, as follows:

  • fan_type: Specifies the type of fanotify event.

  • fan_info: Specifies added context information.

  • sub_trust and obj_trust: Specify trust levels for a subject and an object in an event.

The fanotify information can clarify causes of access denials in certain cases, and thereby helps with creating policies for tools such as the fapolicyd framework.

Note:

This feature is available only in the RHCK kernel, not in the UEK7 kernel.

fapolicyd Includes Rule Numbers in Audit Output

Fapolicyd is updated along with kernel and Auditd components to include the rule number when outputting to the audit log, so that it's easier to troubleshoot policy-related issues.

Note:

This feature is available only in the RHCK kernel, not in the UEK7 kernel.
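The two sections above (fanotify fields in audit records, and fapolicyd rule numbers in the audit output) are what an administrator uses to turn denials into policy fixes. The following added example, which is not code from the release notes, fapolicyd or the audit project, parses constructed audit lines, correlates the FANOTIFY record with the SYSCALL and PATH records of the same event, and counts denials per rule. The record layout (space-separated key=value fields, rule number carried in fan_info in hexadecimal) is an assumption to verify against your own logs.

```python
"""Summarize fapolicyd access denials from audit FANOTIFY records.

Added example, not part of the Oracle Linux release notes or of fapolicyd.
It parses the fan_type, fan_info, sub_trust and obj_trust fields the notes
describe and groups denials by the fapolicyd rule number. The sample records
are constructed; the field layout (space-separated key=value pairs, rule
number carried in fan_info as hexadecimal) is an assumption.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# key=value, where value is either a quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: two denied (resp=2) decisions and one allowed (resp=1),
# plus the SYSCALL/PATH records an ausearch dump would place alongside them.
SAMPLE_AUDIT_LOG = """\
type=FANOTIFY msg=audit(1700000000.123:501): resp=2 fan_type=1 fan_info=A sub_trust=0 obj_trust=0
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=59 success=no exit=-1 comm="bash" exe="/usr/bin/bash" uid=1000
type=PATH msg=audit(1700000000.123:501): item=0 name="/tmp/build/tool" inode=4711
type=FANOTIFY msg=audit(1700000000.456:502): resp=1 fan_type=1 fan_info=3 sub_trust=1 obj_trust=1
type=FANOTIFY msg=audit(1700000000.789:503): resp=2 fan_type=1 fan_info=A sub_trust=1 obj_trust=0
type=PATH msg=audit(1700000000.789:503): item=0 name="/home/dev/downloads/run.sh" inode=4712
"""


def parse_record(line: str) -> dict[str, str]:
    """Turn one audit line into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = re.search(r"msg=audit\([\d.]+:(\d+)\)", line)
    if m:
        fields["event_id"] = m.group(1)   # serial shared by all records of one event
    return fields


def correlate_events(log_text: str) -> dict[str, dict[str, str]]:
    """Merge all records sharing an audit event id into one dict per event."""
    events: dict[str, dict[str, str]] = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "event_id" in rec:
            events[rec["event_id"]].update(rec)
    return events


def fanotify_denials(log_text: str) -> list[dict[str, str]]:
    """Return denied fanotify decisions with decoded rule number and trust levels."""
    denials = []
    for ev in correlate_events(log_text).values():
        # resp=2 is FAN_DENY; events without fan_type are not fanotify decisions
        if "fan_type" not in ev or ev.get("resp") != "2":
            continue
        denials.append({
            "event_id": ev["event_id"],
            "rule": str(int(ev["fan_info"], 16)),   # assumption: hex rule number
            "sub_trust": ev.get("sub_trust", "?"),
            "obj_trust": ev.get("obj_trust", "?"),
            "path": ev.get("name", "?"),
            "exe": ev.get("exe", "?"),
        })
    return denials


def denials_by_rule(log_text: str) -> Counter:
    """Count denials per fapolicyd rule: the starting point for policy tuning."""
    return Counter(d["rule"] for d in fanotify_denials(log_text))


if __name__ == "__main__":
    for d in fanotify_denials(SAMPLE_AUDIT_LOG):
        print(f"event {d['event_id']}: rule {d['rule']} denied {d['path']} "
              f"(sub_trust={d['sub_trust']} obj_trust={d['obj_trust']})")
    print(denials_by_rule(SAMPLE_AUDIT_LOG))
```

On a live system, feed it the output of ausearch for the FANOTIFY type; the rule numbers map back to the order of rules in the fapolicyd rules files.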

setools Updated to 4.4.3

The updated setools packages include the following features:

  • Fixed compilation with Cython 3.0.0

  • Improved manual pages

  • Removed unused options in sediff, sesearch, and apol

  • Added the -r option to the seinfoflow command to get flow analysis into the source type

  • Automatically rejects, as invalid, policy rules that have no permissions set

python3-greenlet-devel Package Available

The python3-greenlet-devel package, used for developing coroutines for in-process concurrent programming, is now available in the unsupported CodeReady Linux Builder repository. Previous versions of this package were available in the EPEL repository.

Networking

The following features, enhancements, and changes related to networking are introduced in this Oracle Linux 9 release.

iproute Packages Updated to Version 6.2.0

The iproute packages have been updated to version 6.2.0. This update provides various enhancements and bug fixes over the previous version. The most notable changes include:

  • New ip stats command to view and manage interface statistics. See the ip-stats(8) manual page for more information.

  • New --threads option used by the ss command to display thread information. See the ss(8) manual page for more information.

  • New bridge fdb flush command to flush forwarding database entries. See the bridge(8) manual page for more information.

NetworkManager Updated With Latest Upstream Version

The NetworkManager packages have been upgraded to upstream version 1.44.0. This update provides various enhancements and bug fixes over the previous version.

Notable changes include:

  • New configurable link properties in NetworkManager. For more details, see Network Manager Connection Profiles Include Configurable Link Properties

  • New configurable properties for ARP monitoring, LACP active ports, and IPv6 bonding targets. For more information see:

  • IPv6 Access Services: DHCPv6 Prefix Delegation. Ability to set a DHCPv6 prefix delegation hint in the ipv6.dhcp-pd-hint connection property.

  • New rename property available to rename a connection profile. NetworkManager offers a new rename property in the [keyfile] section of the /etc/NetworkManager/NetworkManager.conf file that enables you to change the connection profile name. When the rename property is enabled, NetworkManager renames the connection profile and saves it in the /etc/NetworkManager/system-connections/ directory.

    Note:

    Note that if external applications or scripts rely on the file names, don't enable the rename property in the [keyfile] section.

  • NetworkManager can use the TLD as the DNS search domain instead of the full hostname when the hostname is set to a nonpublic Top-Level Domain (TLD).
  • NetworkManager applies DNS options from the [global-dns] section in the /etc/NetworkManager/NetworkManager.conf file.

  • To prevent race conditions from occurring with other depending services, NetworkManager retrieves the D-Bus name only after populating the D-Bus tree. Note that with this new D-Bus processing behavior a delay could occur when starting NetworkManager.

  • NetworkManager includes a version-id argument to Update2() D-Bus calls to prevent concurrent profile modifications.

  • NetworkManager no longer uses tentative IPv6 addresses to resolve the system hostname from DNS.

  • To prevent unexpected connection issues with multiconnect profiles, NetworkManager tracks the remaining number of autoconnect retries for each device and connection, instead of tracking the retries only for a connection.

  • NetworkManager sets VLAN filtering options by using the kernel’s netlink interface instead of the sysfs file system.

  • A new option is available to enable or disable wifi and Wireless Wide Area Networks (WWANs) using the user interface tool, nmtui.

  • A new property is available (ignore-carrier=no) for bond, bridge, and team configurations in the [main] section of the /etc/NetworkManager/NetworkManager.conf file.

  • The issue that prevented NetworkManager from starting after restarting the dbus service is fixed. In this update, NetworkManager automatically starts upon a restart of the dbus service.

SCTP Updated With Latest Kernel Version of Networking Tree

Notable changes in the Stream Control Transmission Protocol (SCTP) networking subsystem include:

  • Virtual routing and forwarding (VRF) enables you to segment and isolate SCTP traffic within complex network environments.

  • New stream schedulers (fair capacity and weighted fair queueing) to ensure efficient and equal resource allocation within the network.

Network Manager Includes an Option to Suppress AAAA Queries

The no-aaaa option can be used to configure DNS settings to suppress AAAA queries. By using this option, IPv6 DNS resolution can be disabled by using the nmcli utility. After the NetworkManager service is restarted, the no-aaaa setting is added to the /etc/resolv.conf file.

Network Manager Notifies of Deprecated ifcfg Profile Formats

The ifcfg connection profile storage format is deprecated in NetworkManager. As of this update, NetworkManager warns users who still use the deprecated ifcfg profile format in the following manner:

  • Warning log entry is added to systemd journal. For example:
    Warning: the ifcfg-rh plugin is deprecated, migrate connections to the keyfile format using "nmcli connection migrate"
  • Error message is generated in nmcli utility reports. For example:
    Error: Failed to update connection '<name>': The ifcfg-rh plugin doesn't support setting '<property>'. If you're updating an existing connection profile saved in ifcfg-rh format, migrate the connection to keyfile using 'nmcli connection migrate <connection_uuid>' or the Update2() D-Bus API and try again.

Network Manager Includes New Active Bonding Mode for Sending LACPDU Frames

A new bonding option, lacp_active, is available for configuration. The option provides fine-grained control over Link Aggregation Control Protocol Data Unit (LACPDU) frames in bonding setups. When LACP is operating in active mode on either end of a link, both ports can send PDUs. By default, the lacp_active option is set to on. To disable LACP active mode, set the lacp_active option to off.

Network Manager Includes New ns_ip6_target Bonding Option

A new bonding option, ns_ip6_target, is available for configuration. With this update, you can set IPv6 targets and send IPv6 Neighbor Solicitation (NS) requests to monitor the health of the link to the targets. IPv6 NS monitoring takes effect when at least one IPv6 address is specified and the arp_interval option is set to a value greater than 0. The maximum number of configurable ns_ip6_target addresses is 16. The default is 0. Multiple targets must be separated by a comma.

You can use the NetworkManager nmcli utility to configure the arp_interval and ns_ip6_target bonding option parameters.
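The constraints stated above (comma-separated IPv6 addresses, at most 16 of them, effective only with arp_interval greater than 0) are easy to get wrong in a bond.options string, and a mistake silently leaves the link unmonitored. The following added example, which is not code from the release notes or from NetworkManager, validates the option set before building the nmcli command; that the bond.options property accepts this comma-separated key=value syntax is an assumption to check against the nmcli documentation on your system.

```python
"""Pre-flight check for bond NS monitoring options before applying them with nmcli.

Added example, not from the release notes or from NetworkManager. It encodes
the constraints the notes state for ns_ip6_target: a comma-separated list of
IPv6 addresses, at most 16 entries, only effective when arp_interval > 0.
The nmcli argv it builds (bond.options "key=value,...") is an assumption.
"""
from __future__ import annotations

import ipaddress

MAX_NS_IP6_TARGETS = 16   # limit stated in the release notes


def split_targets(ns_ip6_target: str) -> list[str]:
    """Normalize the comma-separated target list (tolerates spaces after commas)."""
    return [t.strip() for t in ns_ip6_target.split(",") if t.strip()]


def validate_ns_monitoring(arp_interval: int, ns_ip6_target: str) -> list[str]:
    """Return a list of problems; an empty list means the option set is sane."""
    problems: list[str] = []
    targets = split_targets(ns_ip6_target)
    if arp_interval <= 0:
        problems.append("arp_interval must be > 0 for NS monitoring to take effect")
    if not targets:
        problems.append("at least one IPv6 target is required")
    if len(targets) > MAX_NS_IP6_TARGETS:
        problems.append(f"{len(targets)} targets given, maximum is {MAX_NS_IP6_TARGETS}")
    for t in targets:
        try:
            addr = ipaddress.IPv6Address(t)
        except ipaddress.AddressValueError:
            problems.append(f"{t!r} is not a valid IPv6 address")
            continue
        # A target that can never answer a unicast NS is a misconfiguration.
        if addr.is_unspecified or addr.is_multicast:
            problems.append(f"{t} cannot be a monitoring target (unspecified/multicast)")
    if len(set(targets)) != len(targets):
        problems.append("duplicate targets listed")
    return problems


def build_bond_options(mode: str, arp_interval: int, ns_ip6_target: str) -> str:
    """Assemble a bond.options value, or raise ValueError if validation fails."""
    problems = validate_ns_monitoring(arp_interval, ns_ip6_target)
    if problems:
        raise ValueError("; ".join(problems))
    targets = ",".join(split_targets(ns_ip6_target))
    return f"mode={mode},arp_interval={arp_interval},ns_ip6_target={targets}"


def nmcli_add_bond(con_name: str, ifname: str, options: str) -> list[str]:
    """argv for an 'nmcli connection add' call (returned, not executed here)."""
    return ["nmcli", "connection", "add", "type", "bond", "con-name", con_name,
            "ifname", ifname, "bond.options", options]


if __name__ == "__main__":
    # Constructed example values (documentation prefix 2001:db8::/32).
    opts = build_bond_options("active-backup", 1000, "2001:db8::1, 2001:db8::2")
    print(" ".join(nmcli_add_bond("bond0", "bond0", opts)))
```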

Network Manager Can Handle Static and DHCP IP on Same Network Interface

You can use the nmstate utility to configure a static IP address by using the dhcp: true or autoconf: true properties on a DHCP or an Ad-Hoc Network Autoconfiguration (autoconf) enabled interface.

With this enhancement, nmstate provides the following IP properties for configuration:

  • valid_lft = valid lifetime, in seconds, of the IP address.

  • preferred_lft = preferred lifetime, in seconds, of the IP address.

By default, valid_lft and preferred_lft have the value forever.

When configured, nmstate can ignore the DHCP/autoconf based IP addresses to avoid converting dynamic IP addresses to static IP after applying the queried state back. Note that in cases where a network environment requires disabling DHCP/autoconf settings or dynamic IP addresses, nmstate converts those dynamic IP addresses to static IP addresses.

The following connection profile link properties in NetworkManager are available for configuration.

Network Manager Includes New arp_missed_max Property for Reporting Port as Down

A new arp_missed_max property is available to bond connection profiles in NetworkManager. When using the Address Resolution Protocol (ARP) monitor to check if ports of a bond are up, you can set the arp_missed_max option to define after how many failed checks the bonding driver marks the port as down.

Network Manager Includes New bond-port.prio Property to Activate Bond Ports in a Specific Order

The kernel’s netlink interface enables you to set priority values on ports for the following bonding configuration modes: active-backup, balance-tlb, or balance-alb. The new priority property (bond-port.prio) accepts 32-bit integer values. Increasing the value increases the priority order for activating the ports.

The bond-port.prio property is available for configuration in the NetworkManager port connection profile.

nmstate Can Directly Configure a MAC Address Identified Network Interface

You can use the nmstate utility to directly configure network interfaces identified by a Media Access Control (MAC) address instead of a user identified interface name.

With this update, the following properties are configurable for a base interface:

  • identifier = identifies name or mac-address on a network. The default value is name.

  • profile-name = string

Usage Notes:

  • nmstate uses the identifier property to identify a network interface to a specific network state. For example, if the value for identifier is set to mac-address, nmstate uses the interface.mac-address over the interface.name to identify the interface.
  • nmstate stores the network configuration based on the value of the interface.profile-name. If the profile-name isn't set, nmstate uses the interface.profile-name over the interface.name. When checking the network state, the interface.profile-name appears hidden if its value is equal to the interface.name.

nmstate API Includes dhcp-send-hostname And dhcp-custom-hostname

nmstate includes the following two new configurable DHCP properties:

  • dhcp-send-hostname = true | false (default = true)

    When a DHCP client sends a DHCP request with its hostname, the DHCP server adds the domain name specified to create an FQDN for the client.

  • dhcp-custom-hostname = hostname | Fully Qualified Domain Name (FQDN)

Usage Notes for DHCPv4:

  • If the hostname is set to an FQDN, see the Fully Qualified Domain Name (FQDN) option (81) in RFC 4702.
  • If the hostname isn't set to an FQDN, see the Host Name option (12) in RFC 2132.

nmstate Includes Option to Filter Untagged Traffic on Bridge VLAN Interfaces

Within the nmstate framework, as of Oracle Linux 9.3, you can configure NetworkManager to use the bridge.vlan-default-pvid option to filter untagged traffic on bridge VLAN interfaces.

Syntax Usage:

bridge.vlan-default-pvid: [n]

Assigns default Port VLAN ID (pvid) to incoming untagged frames.

where:
  • n = 1

    Default value

  • n = 0

    Untagged traffic is dropped when VLAN filtering is enabled (bridge.vlan-filtering: yes)

Example: Bridge VLAN Default PVID Assignment - Using YAML

interfaces:
  - name: linux-br0
    type: linux-bridge
    state: up
    bridge:
      options:
        vlan-default-pvid: [0-4094]
      port:
        - name: eth1
          stp-hairpin-mode: false
          stp-path-cost: 100
          stp-priority: 32
          vlan:
            mode: access
            tag: 100

nmstate Can Handle Static DNS Search With Dynamic DNS Name Server

nmstate can handle static DNS search domains coexisting with dynamic DNS nameservers. This enhancement offers greater flexibility in network setup and DNS management.

As of this update, nmstate finds a network interface and stores its DNS configuration per the following order:
  1. The preferred interface, which has a valid DNS configuration.
  2. An automatic interface.
  3. An IP enabled interface.

Note:

NetworkManager doesn't remove any DNS nameservers that might be provided by DHCP.

The following interface configuration example depicts the use of this new functionality:

dns-resolver:
  config:
    search:
      - example.com
      - example.org
interfaces:
  - name: eth1
    type: ethernet
    state: up
    ipv4:
      enabled: true
      dhcp: true
    ipv6:
      enabled: true
      dhcp: true
      autoconf: true

Kernel and System Libraries

The following notable features, enhancements, and changes apply to the Red Hat Compatible Kernel (RHCK) that's shipped with the current Oracle Linux 9 version.

Updated Crash Utility

Version 8.0.3 of the Crash utility addresses both bug fixes and enhancements. Crash is an interactive utility used to analyze the Linux system state while it's running, or after a kernel failure and the creation of a core kdump file. The most notable enhancement is the added IPv6 functionality. For example:

  • The Crash utility prints IPv6 addresses with the net or net -s command. net displays the list of network devices, names, and the IP address. net -s command displays the following information:
    • Open network socket and sock addresses

    • Sockets types and addresses

    • Source and destination addresses, and ports for INET and INET6 families

Updated Intel® QAT Kernel Driver

The Intel® Quick Assist Technology (QAT) kernel driver, as of version 6.2, includes both bug fixes and enhancements. The most notable enhancement is added functionality for the following QAT GEN4 hardware accelerator devices:

  • Intel Quick Assist Technology 401xx devices

  • Intel Quick Assist Technology 402xx devices

The updated driver is only available in RHCK.

perf Package Updated to Version 6.2

The perf performance analysis tool is updated to version 6.2 to include minor bug fixes and updates. As of this update, the perf list command displays human-friendly names and descriptions for Performance Monitor Unit (PMU) events.

RHCK Can Handle AutoIBRS Configurations on AMD Processors

RHCK can handle Automatic Indirect Branch Restricted Speculation (AutoIBRS) configurations on AMD processors. AutoIBRS is provided by the AMD EPYC 9004 Genoa family of processors and later CPU generations. AutoIBRS is the default Spectre v2 mitigation on these CPUs; it reduces exposure to the vulnerability while boosting performance and improving scalability.

Kdump Utility Can Handle LVM Thin Provisioned Logical Volumes as Targets

The kdump utility includes added functionality for configuring thin provisioned logical volumes as the vmcore target. The configuration of LVM thin provisioning includes these steps:

  1. Create a LVM volume group.

    vgcreate vg00 /dev/sdb
  2. Create a LVM thin pool of 10 MB available space.

    lvcreate -L 10M -T vg00/thinpool
  3. Create a LVM thin volume with 300 MB of the file system space.

    lvcreate -V 300M -T vg00/thinpool -n thinvol
    mkfs.ext4 /dev/vg00/thinvol
  4. Configure the LVM thin pool threshold to automatically extend the space.

    cat /etc/lvm/lvm.conf
    activation {
    	thin_pool_autoextend_threshold = 70
    	thin_pool_autoextend_percent = 20
    	monitoring = 1
    }
  5. Enable the LVM thin pool monitoring service for the first kernel.

    systemctl enable lvm2-monitor.service
    systemctl start lvm2-monitor.service
  6. Append the following lines to the kdump.conf file to set the LVM thin volume as the kdump target.

    ext4 /dev/vg00/thinvol
    path /
  7. Start the kdump service.

    kdumpctl restart
  8. Verify the configuration by triggering a kernel panic and checking whether the vmcore is saved to /dev/vg00/thinvol.

With this enhancement, the kdump utility can save the vmcore dump files on thin provisioned storage volumes.

makedumpfile Updated to Version 1.7.3

The makedumpfile utility is updated to version 1.7.3. This tool is used to reduce the size of dump files by compression and by excluding pages.

Notable changes include the addition of a 5-level paging mode for standalone dump on x86_64 architectures, to extend processor linear address width to give applications access to more memory.

File Systems and Storage

The following features, enhancements, and changes related to file systems and storage are introduced in this Oracle Linux 9 release.

nvme-cli Updated to Version 2.4

The nvme-cli package as of version 2.4 provides bug fixes and enhancements. Notable changes include:

  • Functionality for TLS over TCP configurations.

  • Functionality for nvme effects-log command for fabrics controllers.

  • Fixes for the incorrect ordering of systemd auto-connect services when mounting file systems by using the /etc/fstab configuration file.

  • Fixes for printing issues seen with u32 values.

  • Fixes for incorrect validation of the storage tag size.

New NFSv4 Courteous Server Functionality

New functionality is added for NFSv4 Courteous Server in RHCK. The NFSv4 Courteous Server enables clients to continue operation even after experiencing a transient network outage by enabling clients’ uncontested locks to remain valid on the server when the network outage lasts longer than the NFSv4 lease period. NFSv4 Courteous Server functionality was developed by Oracle for upstream Linux (v5.19) and is available in UEK7 Update 1 as part of our ongoing effort to improve NFS for Linux users. For more information see https://blogs.oracle.com/linux/post/nfsv4-courteous-server.

The DAX file system mount option -o dax=always is compatible with reflink-enabled XFS file systems. This compatible option is useful for users configuring persistent memory direct access targets. Note that this feature is available on RHCK but is under development in UEK.

New Per-Device Counter for SCSI Devices

A new SCSI device counter (iotmo_cnt) is available for I/O timeouts seen. For example:

/sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/iorequest_cnt
/sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/iodone_cnt
/sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/iotmo_cnt
/sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/ioerr_cnt
where:
  • iorequest_cnt = count of I/O requests
  • iodone_cnt = count of I/O completions
  • iotmo_cnt = count of I/O timeouts
  • ioerr_cnt = count of I/O errors
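A rising iotmo_cnt on one path while its neighbours stay flat is the early sign of a failing path or fabric problem. The following added example, which is not code from the release notes or from the kernel project, walks a sysfs tree for the four counters above, diffs two snapshots and reports devices whose timeout or error counts grew. The sysfs root is a parameter so the constructed tree built by demo() runs offline; that the kernel prints these counters in hexadecimal (0x...) is an assumption, and decimal values are accepted as well.

```python
"""Poll the per-device SCSI I/O counters and flag devices with new timeouts.

Added example, not from the release notes. It walks sysfs for the counters
iorequest_cnt, iodone_cnt, iotmo_cnt and ioerr_cnt, diffs two snapshots and
reports devices whose timeout or error count grew. The sysfs root is a
parameter so a constructed tree can stand in for /sys; the hexadecimal
'0x...' counter format is an assumption (decimal is accepted too).
"""
from __future__ import annotations

import glob
import os
import tempfile
from dataclasses import dataclass

COUNTERS = ("iorequest_cnt", "iodone_cnt", "iotmo_cnt", "ioerr_cnt")


@dataclass(frozen=True)
class ScsiCounters:
    iorequest_cnt: int
    iodone_cnt: int
    iotmo_cnt: int
    ioerr_cnt: int


def read_counter(path: str) -> int:
    """Parse a sysfs counter; int(x, 0) handles both '0x1a' and '26'."""
    with open(path) as fh:
        return int(fh.read().strip(), 0)


def snapshot(sysfs_root: str = "/sys") -> dict[str, ScsiCounters]:
    """Map each SCSI device (h:c:t:l) to its counters; skip devices missing a file."""
    result: dict[str, ScsiCounters] = {}
    pattern = os.path.join(sysfs_root, "devices", "**", "iotmo_cnt")
    for tmo_path in glob.glob(pattern, recursive=True):
        dev_dir = os.path.dirname(tmo_path)
        try:
            values = {c: read_counter(os.path.join(dev_dir, c)) for c in COUNTERS}
        except (OSError, ValueError):
            continue
        result[os.path.basename(dev_dir)] = ScsiCounters(**values)
    return result


def timeout_deltas(before: dict[str, ScsiCounters],
                   after: dict[str, ScsiCounters]) -> dict[str, dict[str, int]]:
    """Per device, how much iotmo_cnt and ioerr_cnt grew between two snapshots."""
    deltas: dict[str, dict[str, int]] = {}
    for dev, cur in after.items():
        prev = before.get(dev)
        if prev is None:          # device appeared between snapshots; no baseline
            continue
        grew = {
            "timeouts": cur.iotmo_cnt - prev.iotmo_cnt,
            "errors": cur.ioerr_cnt - prev.ioerr_cnt,
            "outstanding": cur.iorequest_cnt - cur.iodone_cnt,   # issued but not completed
        }
        if grew["timeouts"] > 0 or grew["errors"] > 0:
            deltas[dev] = grew
    return deltas


def write_fake_device(root: str, hctl: str, **counters: int) -> None:
    """Constructed sysfs stand-in used for offline demonstration and tests."""
    dev_dir = os.path.join(root, "devices", "pci0000:16", "host2",
                           f"target{hctl.rsplit(':', 1)[0]}", hctl)
    os.makedirs(dev_dir, exist_ok=True)
    for name in COUNTERS:
        with open(os.path.join(dev_dir, name), "w") as fh:
            fh.write(f"0x{counters.get(name, 0):x}\n")


def demo(root: str | None = None) -> dict[str, dict[str, int]]:
    """Two constructed snapshots: device 2:2:0:0 gains two timeouts, 2:3:0:0 stays clean."""
    root = root or tempfile.mkdtemp(prefix="scsi-sysfs-")
    write_fake_device(root, "2:2:0:0", iorequest_cnt=0x100, iodone_cnt=0x100)
    write_fake_device(root, "2:3:0:0", iorequest_cnt=0x80, iodone_cnt=0x80)
    first = snapshot(root)
    write_fake_device(root, "2:2:0:0", iorequest_cnt=0x140, iodone_cnt=0x13e, iotmo_cnt=0x2)
    write_fake_device(root, "2:3:0:0", iorequest_cnt=0x90, iodone_cnt=0x90)
    return timeout_deltas(first, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

On a live host, call snapshot() twice with the default /sys root a few minutes apart and pass both results to timeout_deltas().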

New mpathcleanup Tool to Manage Device Cleanup

A new mpathcleanup tool is available for use to help manage multipath device cleanup. This tool works on SCSI-based multipath devices and removes the multipath device along with the SCSI path devices. This enhancement is helpful for users that often need to remove multipath devices and their underlying storage path devices.

Updated dmpd Package

The dmpd package, as of version 1.0.2, includes the following changes:

  • Memory safety and performance improvements for the Rust-language tools

  • Updates for the thin_check and cache_check tools to save execution time for LVM pool activation and system startup.

  • Updates for thin_dump and thin_restore tools to handle metadata btrees sharing for snapshots.

  • Updates for thin_metadata_pack and thin_metadata_unpack tools to compress thin metadata (typically to a tenth of the size). These tools typically make it easier to submit damaged metadata for inspection.

High Availability and Clusters

The following features, enhancements, and changes related to high availability are introduced in this Oracle Linux 9 release.

Pacemaker Packages Updated

The Pacemaker packages as of version 2.1.6 include the following enhancements and bug fixes:

  • Pacemaker remote nodes updated to preserve transient node attributes after a brief, recoverable connection outage.
  • Sample alert agent (alert_snmp.sh.sample) updated to include SNMPv3 configurations. With this update, you can copy the Pacemaker alert_snmp.sh.sample agent without making modifications for SNMPv3.
  • New enabled meta option that enables you to temporarily disable a Pacemaker alert for any reason, such as planned maintenance.

    Setting this option to false for an alert disables the alert. Setting this option to true for an alert and false for a particular recipient disables the alert for that recipient. The default value for this option is true.

  • Election of a Designated Controller (DC), which centralizes cluster decision-making, is no longer considered complete until all pending actions and results are processed.

  • The Pacemaker fencing agent (fence_scsi) automatically detects shared lvmlockd devices when the devices parameter is undefined.

  • Resource stickiness updated to make comparisons against colocation constraint scores.

  • Updated crm_resource command that enables banning clones or moving bundle resources with a single active replica.

  • An unpromoted clone instance no longer gets moved when a cloned resource starts on a node with a higher promotable score. With this fix, no unnecessary restarts occur because roles are considered part of the process when assigning node instance numbers.

New Options for LVM Volume Group Failover

The LVM-activate resource agent includes the following configuration options for enabling a volume group failover when the volume group is missing physical volumes:

  • The majoritypvs option enables you to change the volume group system ID when the volume group is missing physical volumes.

  • The degraded_activation option enables RAID logical volumes in a volume group to be activated with missing legs.

New Policy-Based Routing Functionality for IPaddr2 And IPsrcaddr Resources

As of Oracle Linux 9.3, the IPaddr2 and IPsrcaddr cluster resource agents can handle policy-based routing. Policy-based routing enables you to configure complex routing scenarios. To use policy-based routing, you need to configure the resource agent's table parameter.

Updated pcs Parsing Requires Meta Keyword for Clone Meta Attributes

The pcs command format for the pcs resource clone, pcs resource promotable, and pcs resource create commands must specify a meta keyword when configuring clone meta attributes. For example, the following syntax creates a Pacemaker resource (pcs resource create) with the meta attribute m1=v1 and a clone meta attribute m2=v2:

pcs resource create dummy1 ocf:pacemaker:Dummy meta m1=v1 clone meta m2=v2 --future

To maintain compatibility with existing scripts that rely on the older command format, the new argument processing is only enabled when you specify the --future command option when creating a cloned resource with the pcs resource create command.

New Command to Display pcs Resource Constraints

You can use the pcs constraint command with the new --output-format=cmd option to display the pcs commands that re-create the configured resource constraints on a different system. The default output format is plain text, as in previous releases, which you can specify with the --output-format=text option. The plain text format has been changed slightly to make it consistent with the output format of other pcs commands.

pcs property Command Enhancements

The pcs property command includes the following updates:

  • The pcs property config --output-format= option

    • --output-format=cmd

      Use to display the pcs property set command created from the current cluster properties configuration. You can use this command to re-create configured cluster properties on a different system.

    • --output-format=json

      Use to display the configured cluster properties in JSON format.

    • --output-format=text

      Use to display the configured cluster properties in plain text format, which is the default value for this option.

  • The pcs property defaults command replaces the deprecated pcs property --defaults command option.

  • The pcs property describe command identifies the meaning of cluster properties.

Dynamic Programming Languages, Web and Database Servers

The following features, enhancements, and changes related to programming languages, web servers, and database servers are introduced in this Oracle Linux 9 release.

HTTP::Tiny Perl Module Updated to Perform TLS Verification By Default

The HTTP::Tiny Perl module is updated to perform TLS certificate verification by default when using HTTPS. The update adds the following dependencies to the perl-HTTP-Tiny package:

  • perl-IO-Socket-SSL

  • perl-Mozilla-CA

  • perl-Net-SSLeay

The verify_SSL option is changed from 0 to 1 when the package is installed.

httpd Updated to Version 2.4.57

This updated version of the Apache HTTP Server contains bug fixes, enhancements, and security fixes, such as the following:

  • The HTTP daemon's rotatelogs utility has a -T option which truncates rotated logfiles except the initial logfile.

  • In httpd configuration dumping operations, the mod_ssl module no longer tests existence of certificate and key files.

  • In the mod_ldap module, the LDAPConnectionPoolTTL directive accepts negative values. This feature enables reuse of connections of any age.

  • Workers from the mod_proxy_hcheck module work correctly based on worker timeout settings.

  • The mod_proxy_hcheck module's hcmethod parameter includes these new methods for HTTP/1.1 requests:

    • GET11

    • HEAD11

    • OPTIONS11

New Module in Apache HTTP Server

The httpd daemon includes the mod_authnz_fcgi module, enabling FastCGI authorizer applications to authenticate users and authorize access to resources.

The module must be manually configured to load, as follows:

  1. Create a configuration file in the /etc/httpd/conf.modules.d directory.

  2. Add the following line to the file:

    LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so

nginx:1.22 Updated With New Directive

The nginx:1.22 module stream includes the new ssl_pass_phrase_dialog directive. Use the directive to configure an external program that's called when nginx starts, once for each encrypted private key.

To use the new directive, add one of the following lines to the /etc/nginx/nginx.conf file:

  • ssl_pass_phrase_dialog exec:<path_to_program>;

    Add this line if you're using an external program. This program is called for each encrypted private key file with two arguments:

    • Server name

    • One of the following algorithms: RSA, DSA, EC, DH, or UNK if a cryptographic algorithm can't be recognized.

  • ssl_pass_phrase_dialog builtin;

    Add this line to manually enter a passphrase for each encrypted private key file. Entering a passphrase is the default behavior when ssl_pass_phrase_dialog isn't configured.

  • ssl_pass_phrase_dialog exec:/usr/libexec/nginx-ssl-pass-dialog;

    Add this line to use this helper script so you can enter a passphrase for each encrypted private key at the nginx service start when you use the systemctl command.

Note:

The ssl_pass_phrase_dialog directive in nginx is similar to the SSLPassPhraseDialog directive in the Apache HTTP Server.
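An added example, not code from the release notes or from the nginx project: a minimal exec: helper written against the two-argument interface described above (server name, then key algorithm). It assumes, since the page does not say so, that nginx reads the passphrase from the helper's standard output, as Apache's SSLPassPhraseDialog exec: does, and it assumes a hypothetical root-only store /etc/nginx/key-passphrases holding one "server_name algorithm passphrase" line per key.

```shell
#!/bin/sh
# Added example helper for "ssl_pass_phrase_dialog exec:/usr/local/sbin/nginx-key-pass;"
# (not from the Oracle Linux release notes or the nginx project).
# Assumption: nginx reads the passphrase from this program's stdout.
# Assumption: the store is a hypothetical root-only file, mode 0600, one
# "server_name algorithm passphrase" line per encrypted key.
PASS_FILE="${NGINX_KEY_PASS_FILE:-/etc/nginx/key-passphrases}"

# lookup_passphrase SERVER_NAME ALGORITHM
# Prints the matching passphrase and returns 0. Returns 1 for an algorithm
# nginx can't name (it passes RSA, DSA, EC, DH, or UNK), an odd server name,
# or a missing entry, so nginx fails to start instead of using an empty passphrase.
lookup_passphrase() {
    server="$1"
    algo="$2"
    case "$algo" in
        RSA|DSA|EC|DH) ;;
        *) echo "unsupported or unrecognised key algorithm: $algo" >&2; return 1 ;;
    esac
    # Only hostname characters; anything else is refused rather than matched.
    case "$server" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid server name" >&2; return 1 ;;
    esac
    # Exact match on the first two fields; the rest of the line is the passphrase.
    pass=$(awk -v s="$server" -v a="$algo" '
        $1 == s && $2 == a { sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, ""); print; found = 1; exit }
        END { exit found ? 0 : 1 }' "$PASS_FILE") || return 1
    printf '%s\n' "$pass"
}

# check_pass_file_mode FILE: refuse to serve passphrases from a file that
# other users can read (GNU stat, as on Oracle Linux).
check_pass_file_mode() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 must be mode 0600 or 0400, found $mode" >&2; return 1 ;;
    esac
}

main() {
    check_pass_file_mode "$PASS_FILE" || exit 1
    lookup_passphrase "$1" "$2" || exit 1
}

# nginx passes exactly two arguments; with any other count the functions
# are only defined (for example when this file is sourced).
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Point the directive at the installed helper path and keep the store readable by root only; a readable store or an unknown algorithm makes the helper exit non-zero so the failure is visible at service start.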

Redis 7 Module Stream Introduced

Redis 7 is now available as a new module stream called redis:7. Changes from Redis 6 include the following:

  • Server-side scripting in the Redis Functions API

  • Fine-grained access control lists (ACLs)

  • Shared publish/subscribe (pub/sub) functionality for clusters

  • New commands and command arguments

Some Redis 7 features are incompatible with earlier versions, such as the following:

  • Redis 7 now stores append-only files (AOF) as several files in a folder.

  • Redis 7 uses a new version format for Redis Database (RDB) files.

For a complete list of features and incompatible changes, see the upstream release notes.

To install the redis:7 module stream, issue the following command:

sudo dnf module install redis:7

For information about the length of support for the redis Application Streams, see Oracle Linux: Product Life Cycle Information.

Compilers and Development Tools

The following features, enhancements, and changes related to compilers and development tools are introduced in this Oracle Linux 9 release.

glibc Performance Enhancement for Intel Xeon V5 Hardware

The default amount of cache used by glibc for string and memory routines is tuned to improve performance on Intel Xeon v5 hardware.

System GCC Compiler Updated to Version 11.4.1

The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and Fortran programming languages. Its system GCC compiler is now updated to version 11.4.1.

GCC Preserves Register Arguments

GCC is updated to preserve register argument content and generate proper Call Frame Information (CFI) to make it easier for the unwinder to find this information without negatively impacting performance.

GCC Toolset 13

GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. The toolset is available as an Application Stream in the form of a Software Collection in the AppStream repository.

The following tools and versions are available in the GCC Toolset 13:

  • GCC 13.1.1
  • GDB 12.1
  • binutils 2.40
  • dwz 0.14
  • annobin 12.20

To install the toolset, type:

sudo dnf install gcc-toolset-13

To run a tool from GCC Toolset 13, type:

scl enable gcc-toolset-13 tool

To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools, type:

scl enable gcc-toolset-13 bash

binutils Updated to Version 2.40 in GCC Toolset 13

The GCC Toolset 13 includes version 2.40 of binutils which includes the following notable changes:

  • Added a -w (--no-warnings) option for the linker to disable warning messages.
  • Improved warning messages in the ELF linker for notifications around permissions changes.

  • Added a --private option in the objdump tool that shows the fields in the file header and section headers for Portable Executable (PE) format files.
  • Added a --show-all-symbols option for the objdump tool to show all symbols matching an address when disassembling.
  • Added a --strip-section-headers option for the objcopy and strip tools to remove the ELF section header from ELF files.
  • Added a -W (--no-weak) option to the nm tool to set it to ignore weak symbols.
  • Added syntax highlighting for disassembler output in the objdump tool.

libabigail Updated to Version 2.3

libabigail version 2.3 includes the following features:

  • Works with the BTF debuginfo format.

  • Improvements to Ada range types.

  • Availability of new [allow_type] directive in suppression specifications.

  • Addition of new properties for the [suppress_type] suppression specification.

  • Update of the ABIXML to version 2.2.

  • Change of the SONAME of the library to reflect its own ABI change.

New Flag Available in debugedit Utility

In the debugedit utility, the find-debuginfo script can be configured with the -q (--quiet) flag to silence non-error output from the script.

systemtap Updated to Version 4.9

This updated version includes the following changes:

  • A new Language-Server-Protocol (LSP) backend for easier interactive drafting of systemtap scripts on LSP-capable editors.

  • Access to a Python/Jupyter interactive notebook frontend.

  • Improved handling of DWARF 5 bitfields.

elfutils Updated to Version 0.189

Notable features include the following:

  • In libelf, the elf_compress tool accepts the ELFCOMPRESS_ZSTD ELF compression type.

  • In libdwfl, the dwfl_module_return_value_location function returns 0 (no return type) for DWARF Information Entries (DIEs) that point to a DW_TAG_unspecified_type type tag.

  • In eu-elfcompress, the -t and --type= options can handle the Zstandard (zstd) compression format through the zstd argument.

libpfm Updated to Version 4.13

This version provides access to performance monitoring hardware native events for a wider range of processor microarchitectures, including ARM Neoverse, AMD Zen 4, and 4th Generation Intel Xeon processors.

LLVM Toolset Updated to Version 16.0.6

In this version, some enhancements include the following:

  • Improved optimization

  • Addition of new CPU extensions

  • Improvements for new C++ versions.

This version also includes changes that are incompatible with earlier versions, such as the following:

  • Clang’s default C++ standard is gnu++17 instead of gnu++14.

  • The following options default to error for the C code and might affect the behavior of configure scripts:

    • -Wimplicit-function-declaration

    • -Wimplicit-int

    • -Wincompatible-function-pointer-types

By default, Clang 16 uses the libstdc++ library version 13 and binutils 2.40 provided by GCC Toolset 13.

Rust Toolset Updated to Version 1.71.1

The updated version includes the following features:

  • A new implementation of multiple producer, single consumer (mpsc) channels to improve performance

  • A new Cargo sparse index protocol for more efficient use of the crates.io registry

  • New OnceCell and OnceLock types for one-time value initialization

  • A new C-unwind ABI string to enable usage of forced unwinding across Foreign Function Interface (FFI) boundaries

Further, the following compiler options for Rust profiler_builtins runtime component are available:

  • -C instrument-coverage for coverage profiling

  • -C profile-generate for profile-guided optimization

pcp Updated to Version 6.0.5

The Performance Co-Pilot, pcp, package is updated to version 6.0.5 and includes many new collector and monitoring tool features.

The updated version has the following collector tool features:

  • pmdaproc:

    • Per-cgroup IRQ PSI metrics in recent kernels

    • New proc.smaps.pss_dirty metric

  • pmdasmart: More NVME disk information and power state metrics

  • pmdalinux:

    • System wide IRQ PSI metrics in recent kernels

    • More NUMA external memory fragmentation metrics

    • New networking (TCP, ICMP) metrics

  • pmdaoverhead: New PMDA to measure overhead for groups of processes

  • pmdahacluster: Updated to handle Pacemaker 2.1.5 crm_mon output changes

The updated version has the following monitoring tool features:

  • pmieconf:

    • Added webhook actions (Event Driven Ansible)

    • Added a new pmie rule that checks file descriptor limits

  • pcp2json: Extended pcp2json with an option to send HTTP POSTs

  • pcp-atop: Added cgroup, NUMA memory, and NUMA CPU

  • pcp-htop: Added a new open file descriptors Meter

  • pcp-ps: Added capability to show multiple archive samples

pmie Utility Generates Webhook Events

The Performance Metrics Inference Engine (pmie) utility from Performance Co-Pilot (PCP) is updated to generate webhook events. Configured pmie rules generate events in a format which Event-Driven Ansible (EDA) reads so that EDA can respond to the rules.

To enable this feature, configure all local pmie rules to send to a webhook at a specific endpoint or URL, for example:

sudo pmieconf modify global webhook_endpoint https://localhost:443/endpoint
sudo pmieconf modify global webhook_action yes

Availability of .NET 8.0

In this release, .NET is updated to version 8.0 which provides support for C#12 and F#8 programming languages and for building container images by directly using the .NET Software Development Kit. This version also includes performance improvements in the garbage collector (GC), Just-In-Time (JIT) compiler, and the base libraries.

Virtualization

The following features, enhancements, and changes related to virtualization are introduced in this Oracle Linux 9 release.

sevctl Works With AMD EPYC Rome and Milan

The sevctl tool recognizes the latest AMD EPYC cores, including the AMD EPYC Rome and AMD EPYC Milan series so that you can configure AMD Secure Encrypted Virtualization (SEV) features for these CPU models.

Containers

The following features, enhancements, and changes related to containers are introduced in this Oracle Linux 9 release.

Container Tools Packages Are Updated

The Podman, Buildah, Skopeo, crun, and runc packages in the container-tools module are updated for version 4.6.

Notable changes in Podman v4.6 include:

  • Updates to the podman kube play command, including:
    • a --configmap=<path> option to provide one or more Kubernetes YAML files with environment variables to be used within the containers of the pod;
    • the ability to use containerPort names and port numbers in liveness probes;
    • automatic addition of ctrName as an alias to the pod network;
    • handling of SELinux filetype labels and ulimit annotations.
  • The podman secret exists command is added to verify whether a secret with the specified name exists.
  • The --shm-size-systemd option is available in the podman create, podman run, podman pod create, and podman pod clone commands to limit the size of tmpfs for systemd mounts.
  • The --security-opt label=nested option can be specified to use SELinux labeling within a confined container when using the podman create command.
  • Podman can automatically update containers running inside a pod.
  • You can configure Podman to use a SQLite database as a backend database. The default database type is the BoltDB database. You can change the database type by setting the database_backend field in the containers.conf file. Changing the backend database requires that you reset Podman back to its initial state first. All existing containers and pods are lost and must be re-created after the backend database is changed. This feature is available as a technology preview.
  • Quadlets can be used to automatically generate a systemd service file from the container description. See Quadlet in Podman Available.

Quadlet in Podman Available

Quadlet is available in Podman 4.6. Quadlets can be used to automatically generate a systemd service file from the container description. The container description is in the systemd unit file format and simplifies the technical complexity of running containers under systemd. Quadlet formatted descriptions might be easier to write and maintain than systemd unit files.

Note that you can't run quadlets in rootless mode, unless you enable cgroups v2 by setting the systemd.unified_cgroup_hierarchy=1 option as a kernel command line argument at boot time. For example, run any of the following commands, before rebooting the system:

sudo grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="systemd.unified_cgroup_hierarchy=1"
sudo grubby --update-kernel=DEFAULT --args="systemd.unified_cgroup_hierarchy=1"
sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=1"

For more details, see the Quadlet upstream documentation.

Podman Includes podmansh Login Shell

The Podman login shell is available beginning with Podman v4.6. Configure the user settings to use /usr/bin/podmansh as the login shell. The command then runs the user's session in a Podman container named podmansh.

Quadlet files define which containers users can log into. The quadlets are typically stored as configuration files in /etc/containers/systemd/users/<uid>/podmansh.container, where <uid> is the user ID for each user. In these files, the ContainerName field in the [Container] section is set to podmansh. If a proxy is used, the proxy details can also be added into the [Service] section as follows:

[Service]
Environment="http_proxy=http://proxy.example.com:80"
Environment="https_proxy=http://proxy.example.com:80"

Systemd automatically starts the Podman shell when the user session starts and continues running until all user sessions exit.

Note that the podmansh user session is connected through SSH. Sometimes you might need to try to connect again if the previous connection fails.

For more information, see https://blog.podman.io/2023/08/podman-v4-6-introduces-podmansh-a-revolutionary-login-shell/.
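An added example, not from the release notes or the Podman project, that writes the per-user podmansh.container Quadlet described above, with the fields the page names (ContainerName=podmansh under [Container], optional proxy lines under [Service]) plus a least-privilege [Container] setup, and then checks that the file carries what podmansh relies on. QUADLET_ROOT is a hypothetical override of the /etc/containers/systemd/users directory so the script can be exercised without root; the image name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the release notes or the Podman project): generate and
# check the per-user podmansh Quadlet at
# $QUADLET_ROOT/<uid>/podmansh.container. QUADLET_ROOT is a hypothetical
# override; the real location is /etc/containers/systemd/users.
QUADLET_ROOT="${QUADLET_ROOT:-/etc/containers/systemd/users}"

# write_podmansh_quadlet UID IMAGE [PROXY_URL]
# Writes the Quadlet and prints its path. ContainerName=podmansh is the name
# podmansh attaches to; DropCapability/NoNewPrivileges keep the login shell
# container at least privilege. The [Service] proxy lines follow the page.
write_podmansh_quadlet() {
    uid="$1"; image="$2"; proxy="$3"
    case "$uid" in ''|*[!0-9]*) echo "uid must be numeric" >&2; return 1 ;; esac
    [ -n "$image" ] || { echo "image is required" >&2; return 1; }
    dir="$QUADLET_ROOT/$uid"
    mkdir -p "$dir" || return 1
    file="$dir/podmansh.container"
    {
        cat <<EOF
[Unit]
Description=podmansh login shell container for uid $uid

[Container]
Image=$image
ContainerName=podmansh
# Keep the container alive; podmansh runs the user's shell inside it.
Exec=sleep infinity
# Least privilege: a login shell container needs no capabilities or setuid paths.
DropCapability=all
NoNewPrivileges=true
EOF
        if [ -n "$proxy" ]; then
            cat <<EOF

[Service]
Environment="http_proxy=$proxy"
Environment="https_proxy=$proxy"
EOF
        fi
        cat <<EOF

[Install]
WantedBy=default.target
EOF
    } > "$file" || return 1
    chmod 644 "$file" || return 1
    printf '%s\n' "$file"
}

# check_podmansh_quadlet FILE: 0 only if [Container] has ContainerName=podmansh
# and a non-empty Image=, the two fields podmansh cannot work without.
check_podmansh_quadlet() {
    [ -r "$1" ] || return 1
    awk '
        /^\[/ { section = $0 }
        section == "[Container]" && $0 == "ContainerName=podmansh" { name = 1 }
        section == "[Container]" && /^Image=./ { image = 1 }
        END { exit (name && image) ? 0 : 1 }' "$1"
}
```

After writing the file as root under the real directory, the user's unit appears once the user's systemd instance reloads (for example at next login), and check_podmansh_quadlet is a quick sanity test before pointing a login shell at podmansh.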

Support

The following features, enhancements, and changes related to support are introduced in this Oracle Linux 9 release.

sos Utility Updated to Version 4.6

The Supportability and Serviceability (sos) utility for collecting configuration, diagnostic, and troubleshooting data is updated to Version 4.6 with enhancements such as the following:

  • Improvements to the reporting and logging methods that aid in troubleshooting.
  • Fixes in gathering of cgroup data and other information for generation of reports.
  • Fixes that improve security in the way usernames, passwords, and other sensitive data are handled when data is collected for reports.

For details on each release of sos, see upstream release notes.

Cloud Environment

The following changes and features apply to Oracle Linux used in cloud environments.

cloud-init Utility Works With NetworkManager Keyfiles

The cloud-init utility can work with NetworkManager keyfiles to configure the network of the created cloud instance.

Note:

By default, cloud-init uses the sysconfig method to configure the network. To set cloud-init to use a NetworkManager keyfile instead, edit the /etc/cloud/cloud.cfg file. On the network line, set network-manager as the primary network renderer, as shown:

network:
      renderers: ['network-manager', 'eni', 'netplan', 'sysconfig', 'networkd']