Red Hat’s work on Red Hat Enterprise Linux continues: a new version, 9.4, was recently published. The release is characterized by a relatively open development process and uses the CentOS Stream 9 package base as its foundation. This is a “long-running” distribution, and support for it will continue until 2032.
What’s new?
The major changes in the distribution include:
- Support for Intel SGX (Software Guard Extensions) technology for creating isolated enclaves. Currently, SGX 1 and 2 are supported. The FLC (Flexible Launch Control) and EDMM (Enclave Dynamic Memory Management) mechanisms are available for them, allowing you to change access rights to individual enclave memory pages, as well as to dynamically change memory pages and expand the enclave.
- GRUB and the shim layer can now use the memory protection mechanisms DEP (Data Execution Prevention), NX (No Execute) and XD (Execute Disable). These prohibit the execution of instructions in certain areas of memory at the stage before the system boots.
- The distribution now includes new versions of compilers and tools for developers: GCC Toolset 13, LLVM Toolset 17.0.6, Rust Toolset 1.75.1 and Go Toolset 1.21.7.
- Separate packages (Application Streams) have appeared with new versions of Python 3.12, Ruby 3.3, PHP 8.2, nginx 1.24, MariaDB 10.11, PostgreSQL 16.
- Updated versions of Git 2.43.0, Git LFS 3.4.1, Valgrind 3.22, SystemTap 5.0, elfutils 0.190, cmake 3.26. New packages maven-openjdk21 and libzip-tools have been added.
- Security-related packages have been updated: GnuTLS 3.8.3, nettle 3.9.1, p11-kit 0.25.3, libkcapi 1.4.0, stunnel 5.71, audit 3.1.2, SSG (SCAP Security Guide) 0.1.72, openCryptoki 3.22.0, ipa 4.11.
- Updated server and system packages: chrony 4.5, linuxptp 4.2, Rsyslog 8.2310, iptables 1.8.10, nftables 1.0.9, firewalld 1.3, stratis-cli 3.6.0, boom 1.6.0, 389-ds-base 2.4.5, samba 4.19.4, Podman 4.9.
- SELinux (libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, mcstrans) has been updated to version 3.6. It’s worth noting that CIL now supports “deny” rules and the “notself” and “other” keywords. A getpolicyload executable has also been added to display the number of reloads of SELinux rules.
- The Rsyslog logging system now allows changing the encryption settings for TLS/SSL and has additional options for dropping privileges.
- OpenSSL can now read files with TLS settings from a separate directory, /etc/pki/tls/openssl.d. This allows you to override the parameters of additional crypto modules without modifying the main OpenSSL configuration file.
- In addition, an experimental “podman build farm” command has appeared to create container images for several architectures at once. Podman now supports an SQLite-based backend and provides the ability to use containers.conf modules to selectively load settings.
- IdM (Identity Management) provides the ability to enable mandatory two-factor authentication for LDAP clients using one-time passwords (OTP). The IdM API, which was previously presented as experimental, has been stabilized. 389 Directory Server has added support for the HAProxy protocol, which makes it possible to correctly determine the IP addresses of clients connecting through a proxy.
- The IDXD (Data Streaming Accelerator) driver has been upgraded to stable. It is needed to enable the data transfer accelerators built into Intel CPUs. Previously, this feature was experimental, but now it has become part of the main functionality. Other features remain experimental; they are listed below.
- The implementation of the synce4l protocol has been updated to version 1.0.0. It provides support for SyncE (Synchronous Ethernet) frequency synchronization technology, which is supported in some network cards and network switches and increases the efficiency of data exchange in RAN (Radio Access Network) applications through more accurate time synchronization. Support for the kernel-provided DPLL (Digital Phase Locked Loop) interface has been added.
- An important point: nftables has added the ability to check the fields of the inner headers of packets transmitted through tunnels. The nft utility has gained the “nft reset” command, which resets nftables rule states such as packet counters and quota values.
- NetworkManager now has the ability to modify the number of channels (packet queues associated with interrupt handlers) for network interfaces and configure the SwitchDev mode.
- The kernel module implementing the TCP Illinois congestion control algorithm has been returned. On average, it allows for increased throughput and a more equitable distribution of resources.
- The capabilities of utilities such as rteval, rtla and cyclicdeadline have also been greatly expanded. rteval now accepts “+” and “-” prefixes to add CPU cores to, and remove them from, the list of monitored cores (measurement-cpulist). The rtla utility has been updated to match the Linux 6.6 kernel, and an “rtla -C” option has been added to attach additional cgroups to threads. The cyclicdeadline utility can now visualize delays in the form of a histogram.
- It is extremely important that hardware support has been expanded. Drivers have been added to support Intel QuickAssist Technology, Intel TPMI, Intel Uncore Frequency, AMD HSMP, AMD XCP, AMD Platform Management and Mellanox PMC. The octeon_ep driver for Marvell Octeon PCIe Endpoint Network Interface Controllers has also been added.
- The following continue to be supported experimentally:
○ VPN WireGuard
○ kTLS (kernel-level TLS)
○ asynchronous input/output interface io_uring
○ DAX (Direct Access) for ext4 and XFS
○ AMD SEV and SEV-ES in KVM hypervisor
○ systemd-resolved service
○ Sigstore mechanism for verifying containers using digital signatures
○ PRP (Parallel Redundancy Protocol) and HSR (High-availability Seamless Redundancy) protocols
○ hardware acceleration of IPsec by moving packet encapsulation operations to the network card side
○ protocol for managing ACME certificates used in Let’s Encrypt
○ SRv6 (Segment Routing over IPv6)
○ package with graphic editor GIMP 2.99.8
○ MPTCP (Multipath TCP) settings via NetworkManager
○ DNSSEC in IdM
○ virtio-mem
○ Socket API for TuneD
○ Soft-iWARP (Internet Wide-area RDMA Protocol)
○ GNOME for ARM64 and IBM Z
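An added example, not part of the original article or of Red Hat's tooling, relating to the /etc/pki/tls/openssl.d item above: because settings can now live outside the main OpenSSL configuration file, this Python script lists every file the configuration pulls in and reports which ones load a provider module or are writable by group or others. It assumes the main file references the directory with OpenSSL's `.include` directive; the sample tree and the module name `example.so` are constructed.

```python
import os, re, stat, tempfile

INCLUDE = re.compile(r"^\s*\.include\s*=?\s*(\S+)")

def config_files(main_cnf):
    """Main file plus what its .include lines pull in (config(5): *.cnf/*.conf only)."""
    files = [main_cnf]
    with open(main_cnf) as fh:
        for line in fh:
            target = (INCLUDE.findall(line) or [""])[0]
            if os.path.isdir(target):
                paths = (os.path.join(target, n) for n in os.listdir(target))
                files += sorted(p for p in paths
                                if p.endswith((".cnf", ".conf")) and os.path.isfile(p))
            elif os.path.isfile(target):
                files.append(target)
    return files

def audit(main_cnf):
    """Return (file, finding) pairs a reviewer should look at."""
    findings = []
    for path in config_files(main_cnf):
        if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group or others"))
        with open(path) as fh:
            for raw in fh:
                key, _, val = raw.split("#", 1)[0].partition("=")
                if key.strip() == "module":  # provider shared object to be loaded
                    findings.append((path, "loads module " + val.strip()))
    return findings

def demo():
    """Constructed sample tree; paths and the module name are made up."""
    root = tempfile.mkdtemp()
    dropin = os.path.join(root, "openssl.d")
    os.mkdir(dropin)
    main = os.path.join(root, "openssl.cnf")
    samples = {
        main: "[provider_sect]\ndefault = default_sect\n.include %s\n" % dropin,
        os.path.join(dropin, "example.conf"):
            "example = example_sect\n[example_sect]\nmodule = /usr/lib64/ossl-modules/example.so\n",
        os.path.join(dropin, "notes.txt"): "module = ignored.so\n",  # wrong suffix, never read
    }
    for path, text in samples.items():
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o664 if path.endswith("example.conf") else 0o644)
    return audit(main)

if __name__ == "__main__": print(*demo(), sep="\n")
```

On a real system, call `audit("/etc/pki/tls/openssl.cnf")` and compare the result against the packages expected to ship drop-in files.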
Installation images are available to registered Red Hat Customer Portal users (you can also use CentOS Stream 9 ISO images and the free RHEL builds for developers). The release is designed for the x86_64, s390x (IBM System z), ppc64le and Aarch64 (ARM64) architectures.
If you have already tried this distribution, tell us how you like it. Have old problems gone away, and have new ones appeared?