5.1. New features

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.

5.1.1. The web console

Note: The web console’s Subscriptions page is now provided by the new subscription-manager-cockpit package.

A firewall interface has been added to the web console

The Networking page in the RHEL 8 web console now includes a Firewall section. In this section, users can enable or disable the firewall, as well as add, remove, and modify firewall rules. (BZ#1647110)

The web console is now available by default

Packages for the RHEL 8 web console, also known as Cockpit, are now part of the Red Hat Enterprise Linux default repositories and can therefore be installed immediately on a registered RHEL 8 system. In addition, on a non-minimal installation of RHEL 8, the web console is installed automatically and the firewall ports required by the console are opened automatically. A system message has also been added prior to login that provides information about how to enable or access the web console. (JIRA:RHELPLAN-10355)

Better IdM integration for the web console

If your system is enrolled in an Identity Management (IdM) domain, the RHEL 8 web console now uses the domain’s centrally managed IdM resources by default. This includes the following benefits:

The IdM domain’s administrators can use the web console to manage the local machine.

The console’s web server automatically switches to a certificate issued by the IdM certificate authority (CA) and accepted by browsers.

Users with a Kerberos ticket in the IdM domain do not need to provide login credentials to access the web console.

SSH hosts known to the IdM domain are accessible to the web console without manually adding an SSH connection.

Note that for IdM integration with the web console to work properly, the user first needs to run the ipa-advise utility with the enable-admins-sudo option on the IdM master system. (JIRA:RHELPLAN-3010)

The web console is now compatible with mobile browsers

With this update, the web console menus and pages can be navigated on mobile browser variants. This makes it possible to manage systems using the RHEL 8 web console from a mobile device. (JIRA:RHELPLAN-10352)

The web console front page now displays missing updates and subscriptions

If a system managed by the RHEL 8 web console has outdated packages or a lapsed subscription, a warning is now displayed on the web console front page of the system. (JIRA:RHELPLAN-10353)

The web console now supports PBD enrollment

With this update, you can use the RHEL 8 web console interface to apply Policy-Based Decryption (PBD) rules to disks on managed systems. This uses the Clevis decryption client to facilitate a variety of security management functions in the web console, such as automatic unlocking of LUKS-encrypted disk partitions. (JIRA:RHELPLAN-10354)

Virtual Machines can now be managed using the web console

The Virtual Machines page can now be added to the RHEL 8 web console interface, which enables the user to create and manage libvirt-based virtual machines. (JIRA:RHELPLAN-2896)

5.1.2. Installer and image creation

Installing RHEL from a DVD using SE and HMC is now fully supported on IBM Z

The installation of Red Hat Enterprise Linux 8 on IBM Z hardware from a DVD using the Support Element (SE) and Hardware Management Console (HMC) is now fully supported. This addition simplifies the installation process on IBM Z with SE and HMC. When booting from a binary DVD, the installer prompts the user to enter additional kernel parameters. To set the DVD as an installation source, append inst.repo=hmc to the kernel parameters. The installer then enables SE and HMC file access, fetches the images for stage2 from the DVD, and provides access to the packages on the DVD for software selection. The new feature eliminates the requirement of an external network setup and expands the installation options. (BZ#1500792)

Installer now supports the LUKS2 disk encryption format

The Red Hat Enterprise Linux 8 installer now uses the LUKS2 format by default, but you can select a LUKS version from Anaconda’s Custom Partitioning window or by using the new options in Kickstart’s autopart, logvol, part, and raid commands. LUKS2 provides many improvements and features; for example, it extends the capabilities of the on-disk format and provides flexible ways of storing metadata. (BZ#1547908)

Anaconda supports System Purpose in RHEL 8

Previously, Anaconda did not provide system purpose information to Subscription Manager. In Red Hat Enterprise Linux 8.0, you can set the intended purpose of the system during installation by using Anaconda’s System Purpose window or Kickstart’s syspurpose command. When the installation completes, Subscription Manager uses the system purpose information when subscribing the system. (BZ#1612060)

Pykickstart supports System Purpose in RHEL 8

Previously, it was not possible for the pykickstart library to provide system purpose information to Subscription Manager. In Red Hat Enterprise Linux 8.0, pykickstart parses the new syspurpose command and records the intended purpose of the system during automated and partially automated installation. The information is then passed to Anaconda, saved on the newly installed system, and made available to Subscription Manager when subscribing the system. (BZ#1612061)

Anaconda supports a new kernel boot parameter in RHEL 8

Previously, you could only specify a base repository from the kernel boot parameters. In Red Hat Enterprise Linux 8, a new kernel parameter, inst.addrepo=<name>,<url>, allows you to specify an additional repository during installation. This parameter has two mandatory values: the name of the repository and the URL that points to the repository. For more information, see https://anaconda-installer.readthedocs.io/en/latest/boot-options.html#inst-addrepo (BZ#1595415)

Anaconda supports a unified ISO in RHEL 8

In Red Hat Enterprise Linux 8.0, a unified ISO automatically loads the BaseOS and AppStream installation source repositories. This feature works for the first base repository that is loaded during installation, for example, if you boot the installation with no repository configured and select the unified ISO as the base repository in the GUI, or if you boot the installation using the inst.repo= option pointing to the unified ISO. As a result, the AppStream repository is enabled under the Additional Repositories section of the Installation Source GUI window. You cannot remove the AppStream repository or change its settings, but you can disable it in Installation Source. This feature does not work if you boot the installation using a different base repository and then change it to the unified ISO. If you do that, the base repository is replaced, but the AppStream repository is not replaced and still points to the original file. (BZ#1610806)

Anaconda can install modular packages in Kickstart scripts

The Anaconda installer has been extended to handle all features related to application streams: modules, streams, and profiles. Kickstart scripts can now enable module and stream combinations, install module profiles, and install modular packages. For more information, see Performing an advanced RHEL installation. (JIRA:RHELPLAN-1943)

The nosmt boot option is now available in the RHEL 8 installation options

The nosmt boot option is available in the installation options that are passed to a newly installed RHEL 8 system. (BZ#1677411)

RHEL 8 supports installing from a repository on a local hard drive

Previously, installing RHEL from a hard drive required an ISO image as the installation source. However, the RHEL 8 ISO image might be too large for some file systems; for example, the FAT32 file system cannot store files larger than 4 GiB. In RHEL 8, you can enable installation from a repository on a local hard drive. You only need to specify the directory instead of the ISO image. For example:

inst.repo=hd:<device>:<path to the repository>

(BZ#1502323)

Custom system image creation with Image Builder is available in RHEL 8

The Image Builder tool enables users to create customized RHEL images. Image Builder is available in AppStream in the lorax-composer package. With Image Builder, users can create custom system images which include additional packages. Image Builder functionality can be accessed through:

a graphical user interface in the web console

a command line interface in the composer-cli tool

Image Builder output formats include, among others:

live ISO disk image

qcow2 file for direct use with a virtual machine or OpenStack

file system image file

cloud images for Azure, VMware, and AWS

To learn more about Image Builder, see the documentation title Composing a customized RHEL system image. (JIRA:RHELPLAN-7291, BZ#1628645, BZ#1628646, BZ#1628647, BZ#1628648)

5.1.3. Kernel

Kernel version in RHEL 8.0

Red Hat Enterprise Linux 8.0 is distributed with the kernel version 4.18.0-80. (BZ#1797671)

ARM 52-bit physical addressing is now available

With this update, support for 52-bit physical addressing (PA) for the 64-bit ARM architecture is available. This provides a larger address space than the previous 48-bit PA. (BZ#1643522)

The IOMMU code supports 5-level page tables in RHEL 8

The I/O memory management unit (IOMMU) code in the Linux kernel has been updated to support 5-level page tables in Red Hat Enterprise Linux 8. (BZ#1485546)

Support for 5-level paging

The new p4d_t software page table type has been added to the Linux kernel in order to support 5-level paging in Red Hat Enterprise Linux 8. (BZ#1485532)

Memory management supports 5-level page tables

With Red Hat Enterprise Linux 7, the existing memory bus had 48/46 bits of virtual/physical memory addressing capacity, and the Linux kernel implemented 4 levels of page tables to translate these virtual addresses to physical addresses. The physical bus addressing lines put the upper limit of physical memory capacity at 64 TB. These limits have been extended to 57/52 bits of virtual/physical memory addressing, with 128 PiB of virtual address space and 4 PB of physical memory capacity. With the extended address range, the memory management in Red Hat Enterprise Linux 8 adds support for a 5-level page table implementation to be able to handle the expanded address range. (BZ#1485525)

kernel-signing-ca.cer is moved to kernel-core in RHEL 8

In all versions of Red Hat Enterprise Linux 7, the kernel-signing-ca.cer public key was located in the kernel-doc package. However, in Red Hat Enterprise Linux 8, kernel-signing-ca.cer has been relocated to the kernel-core package for every architecture. (BZ#1638465)

Spectre V2 mitigation default changed from IBRS to Retpolines

The default mitigation for the Spectre V2 vulnerability (CVE-2017-5715) for systems with the 6th Generation Intel Core Processors and its close derivatives [1] has changed from Indirect Branch Restricted Speculation (IBRS) to Retpolines in Red Hat Enterprise Linux 8. Red Hat has implemented this change as a result of Intel’s recommendations to align with the defaults used in the Linux community and to restore lost performance. However, note that using Retpolines in some cases may not fully mitigate Spectre V2. Intel’s Retpoline document [2] describes any cases of exposure. This document also states that the risk of an attack is low. For use cases where complete Spectre V2 mitigation is desired, a user can select IBRS through the kernel boot line by adding the spectre_v2=ibrs flag. If one or more kernel modules were not built with Retpoline support, the /sys/devices/system/cpu/vulnerabilities/spectre_v2 file will indicate vulnerability and the /var/log/messages file will identify the offending modules. See How to determine which modules are responsible for spectre_v2 returning "Vulnerable: Retpoline with unsafe module(s)"? for further information.

[1] "6th generation Intel Core Processors and its close derivatives" are what Intel’s Retpolines document refers to as "Skylake-generation".

[2] Retpoline: A Branch Target Injection Mitigation - White Paper

(BZ#1651806)

Intel® Omni-Path Architecture (OPA) Host Software

Intel Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 8. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high-performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment. For instructions on installing Intel Omni-Path Architecture documentation, see: https://www.intel.com/content/dam/support/us/en/documents/network-and-i-o/fabric-products/Intel_OP_Software_RHEL_8_RN_K51383.pdf (BZ#1683712)

NUMA supports more nodes in RHEL 8

With this update, the Non-Uniform Memory Access (NUMA) node count has been increased from 4 NUMA nodes to 8 NUMA nodes in Red Hat Enterprise Linux 8 on systems with the 64-bit ARM architecture. (BZ#1550498)

IOMMU passthrough is now enabled by default in RHEL 8

Input/Output Memory Management Unit (IOMMU) passthrough has been enabled by default. This provides improved performance for AMD systems because Direct Memory Access (DMA) remapping is disabled for the host. This update brings consistency with Intel systems, where DMA remapping is also disabled by default. Users may disable this behavior (and enable DMA remapping) by specifying either the iommu.passthrough=off or the iommu=nopt parameter on the kernel command line, including the hypervisor. (BZ#1658391)

RHEL 8 kernel now supports 5-level page tables

The Red Hat Enterprise Linux kernel now fully supports future Intel processors with up to 5 levels of page tables. This enables the processors to support up to 4 PB of physical memory and 128 PB of virtual address space. Applications that utilize large amounts of memory can now use as much memory as the system provides, without the constraints of 4-level page tables. (BZ#1623590)

RHEL 8 kernel supports enhanced IBRS for future Intel CPUs

The Red Hat Enterprise Linux kernel now supports the use of the enhanced Indirect Branch Restricted Speculation (IBRS) capability to mitigate the Spectre V2 vulnerability. When enabled, IBRS will perform better than Retpolines (the default) at mitigating Spectre V2 and will not interfere with Intel Control-flow Enforcement Technology. As a result, the performance penalty of enabling the mitigation for Spectre V2 will be smaller on future Intel CPUs. (BZ#1614144)

bpftool for inspection and manipulation of eBPF-based programs and maps added

The bpftool utility, which serves for inspection and simple manipulation of programs and maps based on extended Berkeley Packet Filtering (eBPF), has been added to the Linux kernel. bpftool is a part of the kernel source tree and is provided by the bpftool package, which is included as a sub-package of the kernel package. (BZ#1559607)

The kernel-rt sources have been updated

The kernel-rt sources have been updated to use the latest RHEL kernel source tree. The latest kernel source tree is now using the upstream v4.18 realtime patch set, which provides a number of bug fixes and enhancements over the previous version. (BZ#1592977)
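As an added shell example that is not part of the release notes: a check for the Spectre V2 state described in the Retpolines note above. It reads the sysfs file named in that note and extracts the module names that the kernel logged to /var/log/messages; the exact warning text ("<module>: loading module not compiled with retpoline compiler.") is taken from the upstream kernel source and is an assumption, since the note does not quote it.

```sh
#!/bin/sh
# Added example (not from the RHEL 8 release notes): report the Spectre V2
# mitigation state and name the modules built without retpoline support.
# Assumption: the kernel warning format below is the upstream kernel's
# "<module>: loading module not compiled with retpoline compiler." message.

# Print the state from the sysfs file (argument 1, default: the real path) and
# return 0 when mitigated, 1 when the kernel reports "Vulnerable...", 2 when the
# file cannot be read (older kernel or no sysfs).
spectre_v2_state() {
    state_file=${1:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}
    [ -r "$state_file" ] || { echo "no spectre_v2 status file" >&2; return 2; }
    state=$(cat "$state_file")
    echo "$state"
    case $state in
        Vulnerable*) return 1 ;;
        *) return 0 ;;
    esac
}

# List, one per line and without duplicates, the modules the kernel flagged as
# not compiled with a retpoline-aware compiler. Works on /var/log/messages
# (default) or on saved "journalctl -k" output, which uses the same "kernel: "
# prefix.
unsafe_retpoline_modules() {
    log_file=${1:-/var/log/messages}
    sed -n 's/.*kernel: \([A-Za-z0-9_]*\): loading module not compiled with retpoline compiler.*/\1/p' \
        "$log_file" | sort -u
}

# Combined report: arguments are the state file and the log file (both optional).
# Exit status is non-zero while the system is still reported as exposed.
spectre_v2_report() {
    rc=0
    state=$(spectre_v2_state "$1") || rc=$?
    echo "spectre_v2: $state"
    if [ "$rc" -eq 1 ]; then
        echo "modules loaded without retpoline support:"
        unsafe_retpoline_modules "$2" | sed 's/^/  /'
        echo "rebuild or remove these modules, or boot with spectre_v2=ibrs for full mitigation"
    fi
    return "$rc"
}
```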

5.1.4. Software management

YUM performance improvement and support for modular content

On Red Hat Enterprise Linux 8, installing software is ensured by the new version of the YUM tool, which is based on the DNF technology (YUM v4). YUM v4 has the following advantages over the previous YUM v3 used on RHEL 7:

Increased performance

Support for modular content

Well-designed stable API for integration with tooling

For detailed information about differences between the new YUM v4 tool and the previous version YUM v3 from RHEL 7, see Changes in DNF CLI compared to YUM.

YUM v4 is compatible with YUM v3 when used from the command line and when editing or creating configuration files. For installing software, you can use the yum command and its particular options in the same way as on RHEL 7. Selected yum plug-ins and utilities have been ported to the new DNF back end and can be installed under the same names as in RHEL 7. They also provide compatibility symlinks, so the binaries, configuration files, and directories can be found in the usual locations.

Note that the legacy Python API provided by YUM v3 is no longer available. Users are advised to migrate their plug-ins and scripts to the new API provided by YUM v4 (DNF Python API), which is stable and fully supported. The DNF Python API is available at DNF API Reference. The Libdnf and Hawkey APIs (both C and Python) are unstable and will likely change during the Red Hat Enterprise Linux 8 life cycle.

For more details on changes to YUM packages and tools availability, see Considerations in adopting RHEL 8.

Some of the YUM v3 features may behave differently in YUM v4. If any such change negatively impacts your workflows, please open a case with Red Hat Support, as described in How do I open and manage a support case on the Customer Portal? (BZ#1581198)

Notable RPM features in RHEL 8

Red Hat Enterprise Linux 8 is distributed with RPM 4.14. This version introduces many enhancements over RPM 4.11, which is available in RHEL 7. The most notable features include:

The debuginfo packages can be installed in parallel

Support for weak dependencies

Support for rich or boolean dependencies

Support for packaging files above 4 GB in size

Support for file triggers

Also, the most notable changes include:

Stricter spec-parser

Simplified signature checking output in non-verbose mode

Additions and deprecations in macros

(BZ#1581990)

RPM now validates the entire package contents before starting an installation

On Red Hat Enterprise Linux 7, the RPM utility verified the payload contents of individual files while unpacking. However, this is insufficient for multiple reasons:

If the payload is damaged, it is only noticed after executing script actions, which are irreversible.

If the payload is damaged, the upgrade of a package aborts after replacing some files of the previous version, which breaks a working installation.

The hashes on individual files are performed on uncompressed data, which makes RPM vulnerable to decompressor vulnerabilities.

On Red Hat Enterprise Linux 8, the entire package is validated prior to the installation in a separate step, using the best available hash. Packages built on Red Hat Enterprise Linux 8 use a new SHA-256 hash on the compressed payload. On signed packages, the payload hash is additionally protected by the signature, and thus cannot be altered without breaking the signature and the other hashes on the package header. Older packages use the MD5 hash of the header and payload unless it is disabled by configuration.

The %_pkgverify_level macro can be used to additionally enable enforcing signature verification before installation or to disable the payload verification completely. In addition, the %_pkgverify_flags macro can be used to limit which hashes and signatures are allowed. For example, it is possible to disable the use of the weak MD5 hash at the cost of compatibility with older packages. (JIRA:RHELPLAN-10596)

5.1.5. Infrastructure services

Notable changes in the recommended Tuned profile in RHEL 8

With this update, the recommended Tuned profile (reported by the tuned-adm recommend command) is selected based on the following rules; the first rule that matches takes effect:

If the syspurpose role (reported by the syspurpose show command) contains atomic, and at the same time:
  if Tuned is running on bare metal, the atomic-host profile is selected
  if Tuned is running in a virtual machine, the atomic-guest profile is selected

If Tuned is running in a virtual machine, the virtual-guest profile is selected

If the syspurpose role contains desktop or workstation and the chassis type (reported by dmidecode) is Notebook, Laptop, or Portable, then the balanced profile is selected

If none of the above rules matches, the throughput-performance profile is selected

(BZ#1565598)

Files produced by named can be written in the working directory

Previously, the named daemon stored some data in the working directory, which has been read-only in Red Hat Enterprise Linux. With this update, the paths of selected files have been changed to subdirectories where writing is allowed. Now, the default directory Unix and SELinux permissions allow writing into the directory. Files distributed inside the directory are still read-only to named. (BZ#1588592)

Geolite Databases have been replaced by Geolite2 Databases

The Geolite Databases that were present in Red Hat Enterprise Linux 7 have been replaced by Geolite2 Databases in Red Hat Enterprise Linux 8. The Geolite Databases were provided by the GeoIP package. This package, together with the legacy database, is no longer supported upstream. The Geolite2 Databases are provided by multiple packages. The libmaxminddb package includes the library and the mmdblookup command line tool, which enables manual searching of addresses. The geoipupdate binary from the legacy GeoIP package is now provided by the geoipupdate package and is capable of downloading both the legacy databases and the new Geolite2 databases. (JIRA:RHELPLAN-6746)

CUPS logs are handled by journald

In RHEL 8, the CUPS logs are no longer stored in specific files within the /var/log/cups directory, which was used in RHEL 7. In RHEL 8, all types of CUPS logs are centrally logged in the systemd journald daemon together with logs from other programs. To access the CUPS logs, use the journalctl -u cups command. For more information, see Working with CUPS logs. (JIRA:RHELPLAN-12764)

Notable BIND features in RHEL 8

RHEL 8 includes BIND (Berkeley Internet Name Domain) in version 9.11.
This version of the DNS server introduces multiple new features and feature changes compared to version 9.10.

New features:

A new method of provisioning secondary servers called Catalog Zones has been added.

Domain Name System Cookies are now sent by the named service and the dig utility.

The Response Rate Limiting feature can now help with mitigation of DNS amplification attacks.

Performance of response-policy zone (RPZ) has been improved.

A new zone file format called map has been added. Zone data stored in this format can be mapped directly into memory, which enables zones to load significantly faster.

A new tool called delv (domain entity lookup and validation) has been added, with dig-like semantics for looking up DNS data and performing internal DNS Security Extensions (DNSSEC) validation.

A new mdig command is now available. This command is a version of the dig command that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting for the response before sending the next query.

A new prefetch option, which improves the recursive resolver performance, has been added.

A new in-view zone option, which allows zone data to be shared between views, has been added. When this option is used, multiple views can serve the same zones authoritatively without storing multiple copies in memory.

A new max-zone-ttl option, which enforces maximum TTLs for zones, has been added. When a zone containing a higher TTL is loaded, the load fails. Dynamic DNS (DDNS) updates with higher TTLs are accepted but the TTL is truncated.

New quotas have been added to limit queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks.

The nslookup utility now looks up both IPv6 and IPv4 addresses by default.

The named service now checks whether other name server processes are running before starting up.

When loading a signed zone, named now checks whether a Resource Record Signature’s (RRSIG) inception time is in the future, and if so, it regenerates the RRSIG immediately.

Zone transfers now use smaller message sizes to improve message compression, which reduces network usage.

Feature changes:

The version 3 XML schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is provided by the HTTP interface. The legacy version 2 XML schema is no longer supported.

The named service now listens on both IPv6 and IPv4 interfaces by default.

The named service no longer supports GeoIP. Access control lists (ACLs) defined by the presumed location of the query sender are unavailable.

(JIRA:RHELPLAN-1820)
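The Tuned profile selection rules listed at the start of this section, as an added shell example that is not part of the release notes or of Tuned itself. tuned_recommend takes the role, virtualization state and chassis type as arguments so the rule precedence can be checked offline; tuned_recommend_live gathers them from a running RHEL 8 system with syspurpose show, systemd-detect-virt and dmidecode (using systemd-detect-virt for the bare-metal/VM decision is an assumption; the note names only syspurpose and dmidecode).

```sh
#!/bin/sh
# Added example (not from the RHEL 8 release notes or from Tuned): the
# first-match rule chain that tuned-adm recommend applies in RHEL 8.
# Arguments: syspurpose role string, "vm" or "baremetal", dmidecode chassis type.
tuned_recommend() {
    role=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # match "atomic"/"desktop" case-insensitively
    virt=$2
    chassis=$3

    # Rule 1: an atomic role wins regardless of chassis; the platform decides host/guest.
    case $role in
        *atomic*)
            [ "$virt" = vm ] && echo atomic-guest || echo atomic-host
            return 0 ;;
    esac

    # Rule 2: any other role inside a virtual machine, even a desktop role on a laptop VM.
    if [ "$virt" = vm ]; then
        echo virtual-guest
        return 0
    fi

    # Rule 3: desktop/workstation role on portable hardware (chassis values as reported by dmidecode).
    case $role in
        *desktop*|*workstation*)
            case $chassis in
                Notebook|Laptop|Portable)
                    echo balanced
                    return 0 ;;
            esac ;;
    esac

    # Rule 4: everything else, including bare-metal servers and desktops on tower chassis.
    echo throughput-performance
}

# Gather the three inputs from the running system (assumption: systemd-detect-virt
# is used for the VM check; dmidecode needs root) and apply the same rules.
tuned_recommend_live() {
    role=$(syspurpose show 2>/dev/null | sed -n 's/.*"role": *"\([^"]*\)".*/\1/p')
    if systemd-detect-virt --vm --quiet 2>/dev/null; then virt=vm; else virt=baremetal; fi
    chassis=$(dmidecode -s chassis-type 2>/dev/null) || chassis=
    tuned_recommend "$role" "$virt" "$chassis"
}
```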

5.1.7. Dynamic programming languages, web and database servers

Python 3 is the default Python implementation in RHEL 8

Red Hat Enterprise Linux 8 is distributed with Python 3.6. The package might not be installed by default. To install Python 3.6, use the yum install python3 command.

Python 2.7 is available in the python2 package. However, Python 2 will have a shorter life cycle, and its aim is to facilitate a smoother transition to Python 3 for customers.

Neither the default python package nor the unversioned /usr/bin/python executable is distributed with RHEL 8. Customers are advised to use python3 or python2 directly. Alternatively, administrators can configure the unversioned python command using the alternatives command. For details, see Using Python in Red Hat Enterprise Linux 8. (BZ#1580387)

Python scripts must specify major version in hashbangs at RPM build time

In RHEL 8, executable Python scripts are expected to use hashbangs (shebangs) that explicitly specify at least the major Python version.

The /usr/lib/rpm/redhat/brp-mangle-shebangs buildroot policy (BRP) script is run automatically when building any RPM package. This script attempts to correct hashbangs in all executable files. When the script encounters ambiguous Python hashbangs that do not specify the major version of Python, it generates errors and the RPM build fails. Examples of such ambiguous hashbangs include:

#! /usr/bin/python

#! /usr/bin/env python

To modify hashbangs in the Python scripts causing these build errors at RPM build time, use the pathfix.py script from the platform-python-devel package:

pathfix.py -pn -i %{__python3} PATH ...

Multiple PATHs can be specified. If a PATH is a directory, pathfix.py recursively scans for any Python scripts matching the pattern ^[a-zA-Z0-9_]+\.py$, not only those with an ambiguous hashbang. Add the command for running pathfix.py to the %prep section or at the end of the %install section. For more information, see Handling hashbangs in Python scripts. (BZ#1583620)

Notable changes in PHP

Red Hat Enterprise Linux 8 is distributed with PHP 7.2. This version introduces the following major changes over PHP 5.4, which is available in RHEL 7:

PHP uses FastCGI Process Manager (FPM) by default (safe for use with a threaded httpd)

The php_value and php_flag variables should no longer be used in the httpd configuration files; they should be set in the pool configuration instead: /etc/php-fpm.d/*.conf

PHP script errors and warnings are logged to the /var/log/php-fpm/www-error.log file instead of /var/log/httpd/error.log

When changing the PHP max_execution_time configuration variable, the httpd ProxyTimeout setting should be increased to match

The user running PHP scripts is now configured in the FPM pool configuration (the /etc/php-fpm.d/www.conf file; the apache user is the default)

The php-fpm service needs to be restarted after a configuration change or after a new extension is installed

The zip extension has been moved from the php-common package to a separate package, php-pecl-zip

The following extensions have been removed:

aspell

mysql (note that the mysqli and pdo_mysql extensions are still available, provided by the php-mysqlnd package)

memcache

(BZ#1580430, BZ#1691688)

Notable changes in Ruby

RHEL 8 provides Ruby 2.5, which introduces numerous new features and enhancements over Ruby 2.0.0 available in RHEL 7. Notable changes include:

Incremental garbage collector has been added.

The Refinements syntax has been added.

Symbols are now garbage collected.

The $SAFE=2 and $SAFE=3 safe levels are now obsolete.

The Fixnum and Bignum classes have been unified into the Integer class.

Performance has been improved by optimizing the Hash class, improving access to instance variables, and making the Mutex class smaller and faster.

Certain old APIs have been deprecated.

Bundled libraries, such as RubyGems, Rake, RDoc, Psych, Minitest, and test-unit, have been updated.

Other libraries, such as mathn, DL, ext/tk, and XMLRPC, which were previously distributed with Ruby, are deprecated or no longer included.

The SemVer versioning scheme is now used for Ruby versioning.

(BZ#1648843)

Notable changes in Perl

Perl 5.26, distributed with RHEL 8, introduces the following changes over the version available in RHEL 7:

Unicode 9.0 is now supported.

New op-entry, loading-file, and loaded-file SystemTap probes are provided.

A copy-on-write mechanism is used when assigning scalars, which improves performance.

The IO::Socket::IP module for handling IPv4 and IPv6 sockets transparently has been added.

The Config::Perl::V module for accessing perl -V data in a structured way has been added.

A new perl-App-cpanminus package has been added, which contains the cpanm utility for getting, extracting, building, and installing modules from the Comprehensive Perl Archive Network (CPAN) repository.

The current directory . has been removed from the @INC module search path for security reasons.

The do statement now returns a deprecation warning when it fails to load a file because of the behavioral change described above.

The do subroutine(LIST) call is no longer supported and results in a syntax error.

Hashes are now randomized by default. The order in which keys and values are returned from a hash changes on each perl run. To disable the randomization, set the PERL_PERTURB_KEYS environment variable to 0.

Unescaped literal { characters in regular expression patterns are no longer permitted.

Lexical scope support for the $_ variable has been removed.

Using the defined operator on an array or a hash results in a fatal error.

Importing functions from the UNIVERSAL module results in a fatal error.

The find2perl, s2p, a2p, c2ph, and pstruct tools have been removed.

The ${^ENCODING} facility has been removed. The encoding pragma's default mode is no longer supported. To write source code in an encoding other than UTF-8, use the encoding pragma's Filter option.

The perl packaging is now aligned with upstream. The perl package now also installs the core modules, while the /usr/bin/perl interpreter is provided by the perl-interpreter package. In previous releases, the perl package included just a minimal interpreter, whereas the perl-core package included both the interpreter and the core modules.

The IO::Socket::SSL Perl module no longer loads a certificate authority certificate from the ./certs/my-ca.pem file or the ./ca directory, a server private key from the ./certs/server-key.pem file, a server certificate from the ./certs/server-cert.pem file, a client private key from the ./certs/client-key.pem file, or a client certificate from the ./certs/client-cert.pem file. Specify the paths to the files explicitly instead.

(BZ#1511131)

Node.js new in RHEL
Node.js, a software development platform for building fast and scalable network applications in the JavaScript programming language, is provided for the first time in RHEL. It was previously available only as a Software Collection. RHEL 8 provides Node.js 10. (BZ#1622118)

Notable changes in SWIG
RHEL 8 includes the Simplified Wrapper and Interface Generator (SWIG) version 3.0, which provides numerous new features, enhancements, and bug fixes over the version 2.0 distributed in RHEL 7. Most notably, support for the C++11 standard has been implemented. SWIG now also supports Go 1.6, PHP 7, Octave 4.2, and Python 3.5. (BZ#1660051)

Notable changes in Apache httpd
RHEL 8 is distributed with the Apache HTTP Server 2.4.37. This version introduces the following changes over httpd available in RHEL 7:

HTTP/2 support is now provided by the mod_http2 package, which is a part of the httpd module.

package, which is a part of the module. Automated TLS certificate provisioning and renewal using the Automatic Certificate Management Environment (ACME) protocol is now supported with the mod_md package (for use with certificate providers such as Let’s Encrypt )

package (for use with certificate providers such as ) The Apache HTTP Server now supports loading TLS certificates and private keys from hardware security tokens directly from PKCS#11 modules. As a result, a mod_ssl configuration can now use PKCS#11 URLs to identify the TLS private key, and, optionally, the TLS certificate in the SSLCertificateKeyFile and SSLCertificateFile directives.

modules. As a result, a configuration can now use URLs to identify the TLS private key, and, optionally, the TLS certificate in the and directives. The multi-processing module (MPM) configured by default with the Apache HTTP Server has changed from a multi-process, forked model (known as prefork ) to a high-performance multi-threaded model, event . Any third-party modules that are not thread-safe need to be replaced or removed. To change the configured MPM, edit the /etc/httpd/conf.modules.d/00-mpm.conf file. See the httpd.conf(5) man page for more information. For more information about changes in httpd and its usage, see Setting up the Apache HTTP web server. (BZ#1632754, BZ#1527084, BZ#1581178) The nginx web server new in RHEL RHEL 8 introduces nginx 1.14 , a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. nginx was previously available only as a Software Collection. The nginx web server now supports loading TLS private keys from hardware security tokens directly from PKCS#11 modules. As a result, an nginx configuration can use PKCS#11 URLs to identify the TLS private key in the ssl_certificate_key directive. (BZ#1545526) Database servers in RHEL 8 RHEL 8 provides the following database servers: MySQL 8.0 , a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon, mysqld , and many client programs.

MariaDB 10.3, a multi-user, multi-threaded SQL database server. For all practical purposes, MariaDB is binary-compatible with MySQL.

PostgreSQL 10 and PostgreSQL 9.6, an advanced object-relational database management system (DBMS).

Redis 5, an advanced key-value store. It is often referred to as a data structure server because keys can contain strings, hashes, lists, sets, and sorted sets. Redis is provided for the first time in RHEL.

Note that the NoSQL MongoDB database server is not included in RHEL 8.0 because it uses the Server Side Public License (SSPL). (BZ#1647908)

Notable changes in MySQL 8.0
RHEL 8 is distributed with MySQL 8.0, which provides, for example, the following enhancements:

MySQL now incorporates a transactional data dictionary, which stores information about database objects.

MySQL now supports roles, which are collections of privileges.

The default character set has been changed from latin1 to utf8mb4.

Support for common table expressions, both nonrecursive and recursive, has been added.

MySQL now supports window functions, which perform a calculation for each row from a query, using related rows.

InnoDB now supports the NOWAIT and SKIP LOCKED options with locking read statements.

GIS-related functions have been improved.

JSON functionality has been enhanced.

The new mariadb-connector-c packages provide a common client library for MySQL and MariaDB. This library is usable with any version of the MySQL and MariaDB database servers. As a result, the user is able to connect one build of an application to any of the MySQL and MariaDB servers distributed with RHEL 8.

In addition, the MySQL 8.0 server distributed with RHEL 8 is configured to use mysql_native_password as the default authentication plug-in because client tools and libraries in RHEL 8 are incompatible with the caching_sha2_password method, which is used by default in the upstream MySQL 8.0 version. To change the default authentication plug-in to caching_sha2_password, edit the /etc/my.cnf.d/mysql-default-authentication-plugin.cnf file as follows:

[mysqld]
default_authentication_plugin=caching_sha2_password

(BZ#1649891, BZ#1519450, BZ#1631400)

Notable changes in MariaDB 10.3
MariaDB 10.3 provides numerous new features over the version 5.5 distributed in RHEL 7, such as:

Common table expressions

System-versioned tables

FOR loops

Invisible columns

Sequences

Instant ADD COLUMN for InnoDB

Storage-engine independent column compression

Parallel replication

Multi-source replication

In addition, the new mariadb-connector-c packages provide a common client library for MySQL and MariaDB. This library is usable with any version of the MySQL and MariaDB database servers. As a result, the user is able to connect one build of an application to any of the MySQL and MariaDB servers distributed with RHEL 8.

Other notable changes include:

MariaDB Galera Cluster, a synchronous multi-master cluster, is now a standard part of MariaDB.

InnoDB is used as the default storage engine instead of XtraDB.

The mariadb-bench subpackage has been removed.

The default allowed level of plug-in maturity has been changed to one level less than the server maturity. As a result, plug-ins with a lower maturity level that were previously working will no longer load.

See also Using MariaDB on Red Hat Enterprise Linux 8. (BZ#1637034, BZ#1519450, BZ#1688374)

Notable changes in PostgreSQL
RHEL 8.0 provides two versions of the PostgreSQL database server, distributed in two streams of the postgresql module: PostgreSQL 10 (the default stream) and PostgreSQL 9.6. RHEL 7 includes PostgreSQL version 9.2.

Notable changes in PostgreSQL 9.6 are, for example:

Parallel execution of the sequential operations: scan, join, and aggregate

Enhancements to synchronous replication

Improved full-text search enabling users to search for phrases

The postgres_fdw data federation driver now supports remote join, sort, UPDATE, and DELETE operations

Substantial performance improvements, especially regarding scalability on multi-CPU-socket servers

Major enhancements in PostgreSQL 10 include:

Logical replication using the publish and subscribe keywords

Stronger password authentication based on the SCRAM-SHA-256 mechanism

Declarative table partitioning

Improved query parallelism

Significant general performance improvements

Improved monitoring and control

See also Using PostgreSQL on Red Hat Enterprise Linux 8. (BZ#1660041)

Notable changes in Squid
RHEL 8.0 is distributed with Squid 4.4, a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. This release provides numerous new features, enhancements, and bug fixes over the version 3.5 available in RHEL 7. Notable changes include:

Configurable helper queue size

Changes to helper concurrency channels

Changes to the helper binary

Secure Internet Content Adaptation Protocol (ICAP)

Improved support for Symmetric Multi Processing (SMP)

Improved process management

Removed support for SSL

Removed Edge Side Includes (ESI) custom parser

Multiple configuration changes

(BZ#1656871)

Varnish Cache new in RHEL
Varnish Cache, a high-performance HTTP reverse proxy, is provided for the first time in RHEL. It was previously available only as a Software Collection. Varnish Cache stores files or fragments of files in memory that are used to reduce the response time and network bandwidth consumption on future equivalent requests. RHEL 8.0 is distributed with Varnish Cache 6.0. (BZ#1633338)
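The SCRAM-SHA-256 mechanism listed above for PostgreSQL 10 is worth seeing end to end, because it changes what a stolen password store is worth: the server keeps only keys derived from the password, and each proof is bound to fresh nonces. The following is an added example, not code from the release notes or from PostgreSQL; it builds the verifier in the form PostgreSQL stores it and runs the four-message exchange for a correct and a wrong password. The salt, nonces, password and the empty SCRAM user name are constructed sample values.

```python
import base64
import hashlib
import hmac

ITERATIONS = 4096  # PostgreSQL 10 default iteration count for SCRAM-SHA-256


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def derive_keys(password: str, salt: bytes, iterations: int = ITERATIONS) -> dict:
    """SCRAM key derivation (RFC 5802 section 3). PostgreSQL runs SASLprep on
    the password first; for the ASCII passwords used here that is a no-op."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"client_key": client_key,                    # never leaves the client
            "stored_key": _h(client_key),                # kept by the server
            "server_key": _hmac(salted, b"Server Key")}  # kept by the server


def pg_verifier(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Verifier as PostgreSQL stores it in pg_authid.rolpassword. Only StoredKey
    and ServerKey are kept, so a leaked verifier cannot be replayed as a login."""
    k = derive_keys(password, salt, iterations)
    return (f"SCRAM-SHA-256${iterations}:{_b64(salt)}$"
            f"{_b64(k['stored_key'])}:{_b64(k['server_key'])}")


def parse_pg_verifier(verifier: str) -> tuple:
    """Inverse of pg_verifier: (iterations, salt, stored_key, server_key)."""
    mech, rest = verifier.split("$", 1)
    if mech != "SCRAM-SHA-256":
        raise ValueError(f"unsupported verifier type {mech!r}")
    params, keys = rest.split("$", 1)
    iterations, salt = params.split(":", 1)
    stored_key, server_key = keys.split(":", 1)
    return (int(iterations), base64.b64decode(salt),
            base64.b64decode(stored_key), base64.b64decode(server_key))


def scram_exchange(verifier: str, password: str, client_nonce: str,
                   server_nonce: str) -> dict:
    """Run the four SCRAM messages between a client that knows `password` and
    a server that holds only `verifier`; return the messages and verdicts."""
    iterations, salt, stored_key, server_key = parse_pg_verifier(verifier)

    # 1. client-first-message. "n,," is the GS2 header (no channel binding);
    #    PostgreSQL sends an empty user name because the role name already
    #    travelled in the startup packet.
    client_first_bare = f"n=,r={client_nonce}"
    client_first = "n,," + client_first_bare

    # 2. server-first-message: combined nonce, salt and iteration count.
    nonce = client_nonce + server_nonce
    server_first = f"r={nonce},s={_b64(salt)},i={iterations}"

    # 3. client-final-message. "biws" is base64("n,,"). The proof is an HMAC
    #    over AuthMessage, which contains both nonces, so a captured proof is
    #    useless against a later handshake with a fresh server nonce.
    client_final_bare = f"c=biws,r={nonce}"
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()
    ck = derive_keys(password, salt, iterations)
    client_proof = _xor(ck["client_key"], _hmac(ck["stored_key"], auth_message))
    client_final = f"{client_final_bare},p={_b64(client_proof)}"

    # 4. server side: undo the XOR to recover ClientKey and check that it
    #    hashes to the StoredKey on file (constant-time compare).
    recovered_client_key = _xor(client_proof, _hmac(stored_key, auth_message))
    client_ok = hmac.compare_digest(_h(recovered_client_key), stored_key)
    server_sig = _hmac(server_key, auth_message)
    server_final = f"v={_b64(server_sig)}" if client_ok else "e=invalid-proof"

    # The client checks the server signature, which only a holder of ServerKey
    # can produce, so the server is authenticated as well.
    server_ok = client_ok and hmac.compare_digest(
        _hmac(ck["server_key"], auth_message), server_sig)

    return {"client_first": client_first, "server_first": server_first,
            "client_final": client_final, "server_final": server_final,
            "client_ok": client_ok, "server_ok": server_ok}


if __name__ == "__main__":
    # Constructed sample values; PostgreSQL picks the salt and nonces randomly.
    verifier = pg_verifier("correct horse", bytes(range(16)))
    print(verifier)
    for attempt in ("correct horse", "wrong horse"):
        print(attempt, scram_exchange(verifier, attempt, "cnonce-1", "snonce-1")["client_ok"])
```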

5.1.8. Desktop

GNOME Shell, version 3.28 in RHEL 8
GNOME Shell, version 3.28 is available in Red Hat Enterprise Linux (RHEL) 8. Notable enhancements include:

New GNOME Boxes features

New on-screen keyboard

Extended devices support, most significantly integration for the Thunderbolt 3 interface

Improvements for GNOME Software, dconf-editor and GNOME Terminal

(BZ#1649404)

Wayland is the default display server
With Red Hat Enterprise Linux 8, the GNOME session and the GNOME Display Manager (GDM) use Wayland as their default display server instead of the X.org server, which was used with the previous major version of RHEL. Wayland provides multiple advantages and improvements over X.org. Most notably:

Stronger security model

Improved multi-monitor handling

Improved user interface (UI) scaling

The desktop can control window handling directly.

Note that the following features are currently unavailable or do not work as expected:

Multi-GPU setups are not supported under Wayland.

The NVIDIA binary driver does not work under Wayland.

The xrandr utility does not work under Wayland due to its different approach to handling resolutions, rotations, and layout. Note that other X.org utilities for manipulating the screen do not work under Wayland, either.

Screen recording, remote desktop, and accessibility do not always work correctly under Wayland.

No clipboard manager is available.

Wayland ignores keyboard grabs issued by X11 applications, such as virtual machine viewers.

Wayland inside guest virtual machines (VMs) has stability and performance problems, so it is recommended to use the X11 session for virtual environments.

If you upgrade to RHEL 8 from a RHEL 7 system where you used the X.org GNOME session, your system continues to use X.org. The system also automatically falls back to X.org when the following graphics drivers are in use:

The NVIDIA binary driver

The cirrus driver

The mga driver

The aspeed driver

You can disable the use of Wayland manually:

To disable Wayland in GDM, set the WaylandEnable=false option in the /etc/gdm/custom.conf file.

To disable Wayland in the GNOME session, select the legacy X11 option by using the cogwheel menu on the login screen after entering your login name.

For more details on Wayland, see https://wayland.freedesktop.org/. (BZ#1589678)

Locating RPM packages that are in repositories not enabled by default
Additional repositories for the desktop are not enabled by default. The disablement is indicated by the enabled=0 line in the corresponding .repo file. If you attempt to install a package from such a repository using PackageKit, PackageKit shows an error message announcing that the application is not available. To make the package available, replace the enabled=0 line in the respective .repo file with enabled=1. (JIRA:RHELPLAN-2878)

GNOME Software for package management
The gnome-packagekit package that provided a collection of tools for package management in the graphical environment on Red Hat Enterprise Linux 7 is no longer available. On Red Hat Enterprise Linux 8, similar functionality is provided by the GNOME Software utility, which enables you to install and update applications and gnome-shell extensions. GNOME Software is distributed in the gnome-software package. (JIRA:RHELPLAN-3001)

Fractional scaling available for GNOME Shell on Wayland
On a GNOME Shell on Wayland session, the fractional scaling feature is available. The feature makes it possible to scale the GUI by fractions, which improves the appearance of the scaled GUI on certain displays. Note that the feature is currently considered experimental and is, therefore, disabled by default. To enable fractional scaling, run the following command:

# gsettings set org.gnome.mutter experimental-features "['scale-monitor-framebuffer']"

(BZ#1668883)

5.1.9. Hardware enablement

Firmware updates using fwupd are available
RHEL 8 supports firmware updates, such as UEFI capsule, Device Firmware Upgrade (DFU), and others, using the fwupd daemon. The daemon allows session software to update device firmware on a local machine automatically. To view and apply updates, you can use:

A GUI software manager, such as GNOME Software

The fwupdmgr command-line tool

The metadata files are automatically downloaded from the Linux Vendor Firmware Service (LVFS) secure portal and submitted to fwupd over D-Bus. The updates that need to be applied are downloaded, and user notifications and update details are displayed. The user must explicitly agree to the firmware update action before the update is performed.

Note that access to LVFS is disabled by default. To enable access to LVFS, either click the slider in the sources dialog in GNOME Software, or run the fwupdmgr enable-remote lvfs command. If you use fwupdmgr to get the updates list, you will be asked if you want to enable LVFS. With access to LVFS, you will get firmware updates directly from the hardware vendor. Note that such updates have not been verified by Red Hat QA. (BZ#1504934)

Memory Mode for Optane DC Persistent Memory technology is fully supported
Intel Optane DC Persistent Memory storage devices provide data center-class persistent memory technology, which can significantly increase transaction throughput. To use the Memory Mode technology, your system does not require any special drivers or specific certification. Memory Mode is transparent to the operating system. (BZ#1718422)

5.1.10. Identity Management

New password syntax checks in Directory Server
This enhancement adds new password syntax checks to Directory Server. Administrators can now, for example, enable dictionary checks and allow or deny the use of character sequences and palindromes. As a result, if enabled, the password policy syntax check in Directory Server enforces more secure passwords. (BZ#1334254)

Directory Server now provides improved internal operations logging support
Several operations in Directory Server, initiated by the server and clients, cause additional operations in the background. Previously, the server only logged the Internal connection keyword for internal operations, and the operation ID was always set to -1. With this enhancement, Directory Server logs the real connection and operation ID. You can now trace the internal operation to the server or client operation that caused it. (BZ#1358706)

The tomcatjss library supports OCSP checking using the responder from the AIA extension
With this enhancement, the tomcatjss library supports Online Certificate Status Protocol (OCSP) checking using the responder from the Authority Information Access (AIA) extension of a certificate. As a result, administrators of Red Hat Certificate System can now configure OCSP checking that uses the URL from the AIA extension. (BZ#1636564)

The pki subsystem-cert-find and pki subsystem-cert-show commands now show the serial number of certificates
With this enhancement, the pki subsystem-cert-find and pki subsystem-cert-show commands in Certificate System show the serial number of certificates in their output. The serial number is an important piece of information and is often required by multiple other commands. As a result, identifying the serial number of a certificate is now easier. (BZ#1566360)

The pki user and pki group commands have been deprecated in Certificate System
With this update, the new pki <subsystem>-user and pki <subsystem>-group commands replace the pki user and pki group commands in Certificate System. The replaced commands still work, but they display a message that the command is deprecated and refer to the new commands. (BZ#1394069)

Certificate System now supports offline renewal of system certificates
With this enhancement, administrators can use the offline renewal feature to renew system certificates configured in Certificate System. When a system certificate expires, Certificate System fails to start. As a result of the enhancement, administrators no longer need workarounds to replace an expired system certificate. (BZ#1669257)

Certificate System can now create CSRs with SKI extension for external CA signing
With this enhancement, Certificate System supports creating a certificate signing request (CSR) with the Subject Key Identifier (SKI) extension for external certificate authority (CA) signing. Certain CAs require this extension, either with a particular value or derived from the CA public key. As a result, administrators can now use the pki_req_ski parameter in the configuration file passed to the pkispawn utility to create a CSR with the SKI extension. (BZ#1656856)

SSSD no longer uses the fallback_homedir value from the [nss] section as fallback for AD domains
Prior to RHEL 7.7, the SSSD fallback_homedir parameter in an Active Directory (AD) provider had no default value. If fallback_homedir was not set, SSSD instead used the value of the same parameter from the [nss] section in the /etc/sssd/sssd.conf file. To increase security, SSSD in RHEL 7.7 introduced a default value for fallback_homedir. As a consequence, SSSD no longer falls back to the value set in the [nss] section. If you want to use a different value than the default for the fallback_homedir parameter in an AD domain, you must manually set it in the domain's section. (BZ#1652719)

SSSD now allows you to select one of multiple Smartcard authentication devices
By default, the System Security Services Daemon (SSSD) tries to detect a device for Smartcard authentication automatically. If there are multiple devices connected, SSSD selects the first one it detects. Consequently, you cannot select a particular device, which sometimes leads to failures. With this update, you can configure a new p11_uri option for the [pam] section of the sssd.conf configuration file. This option enables you to define which device is used for Smartcard authentication. For example, to select a reader with the slot id 2 detected by the OpenSC PKCS#11 module, add:

p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2

to the [pam] section of sssd.conf. For details, see the sssd.conf man page. (BZ#1620123)

Local users are cached by SSSD and served through the nss_sss module
In RHEL 8, the System Security Services Daemon (SSSD) serves users and groups from the /etc/passwd and /etc/groups files by default. The sss nsswitch module precedes files in the /etc/nsswitch.conf file. The advantage of serving local users through SSSD is that the nss_sss module has a fast memory-mapped cache that speeds up Name Service Switch (NSS) lookups compared to accessing the disk and opening the files on each NSS request. Previously, the Name service cache daemon (nscd) helped accelerate the process of accessing the disk. However, using nscd in parallel with SSSD is cumbersome, as both SSSD and nscd use their own independent caching. Consequently, using nscd in setups where SSSD is also serving users from a remote domain, for example LDAP or Active Directory, can cause unpredictable behavior. With this update, the resolution of local users and groups is faster in RHEL 8.

Note that the root user is never handled by SSSD, therefore root resolution cannot be impacted by a potential bug in SSSD. Note also that if SSSD is not running, the nss_sss module handles the situation gracefully by falling back to nss_files to avoid problems. You do not have to configure SSSD in any way; the files domain is added automatically. (JIRA:RHELPLAN-10439)

KCM replaces KEYRING as the default credential cache storage
In RHEL 8, the default credential cache storage is the Kerberos Credential Manager (KCM), which is backed by the sssd-kcm daemon. KCM overcomes the limitations of the previously used KEYRING, such as being difficult to use in containerized environments because it is not namespaced, and being difficult to view and manage quotas for. With this update, RHEL 8 contains a credential cache that is better suited for containerized environments and that provides a basis for building more features in future releases. (JIRA:RHELPLAN-10440)

Active Directory users can now administer Identity Management
With this update, RHEL 8 allows adding a user ID override for an Active Directory (AD) user as a member of an Identity Management (IdM) group. An ID override is a record describing what the properties of a specific AD user or group should look like within a specific ID view, in this case the Default Trust View. As a consequence of the update, the IdM LDAP server is able to apply access control rules for the IdM group to the AD user. AD users are now able to use the self-service features of the IdM UI, for example to upload their SSH keys or change their personal data. An AD administrator is able to fully administer IdM without having two different accounts and passwords. Note that currently, selected features in IdM may still be unavailable to AD users. (JIRA:RHELPLAN-10442)

sssctl prints an HBAC rules report for an IdM domain
With this update, the sssctl utility of the System Security Services Daemon (SSSD) can print an access control report for an Identity Management (IdM) domain. This feature meets the need of certain environments to see, for regulatory reasons, a list of users and groups that can access a specific client machine. Running sssctl access-report domain_name on an IdM client prints the parsed subset of host-based access control (HBAC) rules in the IdM domain that apply to the client machine. Note that no providers other than IdM support this feature. (JIRA:RHELPLAN-10443)

Identity Management packages are available as a module
In RHEL 8, the packages necessary for installing an Identity Management (IdM) server and client are shipped as a module. The client stream is the default stream of the idm module, and you can download the packages necessary for installing the client without enabling the stream. The IdM server module stream is called the DL1 stream. The stream contains multiple profiles corresponding to different types of IdM servers: server, dns, adtrust, client, and default. To download the packages in a specific profile of the DL1 stream:

Enable the stream.

Switch to the RPMs delivered through the stream.

Run the yum module install idm:DL1/profile_name command.

To switch to a new module stream once you have already enabled a specific stream and downloaded packages from it:

Remove all the relevant installed content and disable the current module stream.

Enable the new module stream.

(JIRA:RHELPLAN-10438)

Session recording solution for RHEL 8 added
A session recording solution has been added to Red Hat Enterprise Linux 8 (RHEL 8). A new tlog package and its associated web console session player enable recording and playback of user terminal sessions. The recording can be configured per user or user group via the System Security Services Daemon (SSSD) service. All terminal input and output is captured and stored in a text-based format in the system journal. Recording of input is disabled by default for security reasons, so that raw passwords and other sensitive information are not intercepted. The solution can be used for auditing of user sessions on security-sensitive systems. In the event of a security breach, the recorded sessions can be reviewed as a part of a forensic analysis. System administrators are now able to configure the session recording locally and view the result from the RHEL 8 web console interface or from the command line using the tlog-play utility. (JIRA:RHELPLAN-1473)

authselect simplifies the configuration of user authentication
This update introduces the authselect utility, which simplifies the configuration of user authentication on RHEL 8 hosts and replaces the authconfig utility. authselect comes with a safer approach to PAM stack management that makes PAM configuration changes simpler for system administrators. authselect can be used to configure authentication methods such as passwords, certificates, smart cards, and fingerprint. Note that authselect does not configure services required to join remote domains. This task is performed by specialized tools, such as realmd or ipa-client-install. (JIRA:RHELPLAN-10445)
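The p11_uri value in the SSSD Smartcard entry above, and the PKCS#11 URLs that the mod_ssl SSLCertificateKeyFile and nginx ssl_certificate_key directives accept in the web server section earlier on this page, are all PKCS#11 URIs (RFC 7512). The parser below is an added example, not code from the release notes, SSSD, httpd or nginx; it assumes that the bare form without the pkcs11: scheme, as in the sssd.conf example, means the same as the scheme-prefixed form, and the sample URIs are constructed.

```python
from urllib.parse import unquote_to_bytes

# Attribute names defined by RFC 7512. Path attributes select a token/object;
# query attributes tell the consumer how to reach the module or get the PIN.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


class Pkcs11UriError(ValueError):
    """Raised for a malformed URI so that a bad config value fails loudly."""


def _parse_attrs(section: str, sep: str, allowed: set) -> dict:
    attrs = {}
    if not section:
        return attrs
    for item in section.split(sep):
        name, eq, raw = item.partition("=")
        if not eq:
            raise Pkcs11UriError(f"attribute without '=': {item!r}")
        if name not in allowed:
            raise Pkcs11UriError(f"unknown attribute {name!r}")
        if name in attrs:
            raise Pkcs11UriError(f"duplicate attribute {name!r}")
        value = unquote_to_bytes(raw)  # undo %XX escapes such as %20 or %01
        # "id" is the binary CKA_ID; every other value is UTF-8 text.
        attrs[name] = value if name == "id" else value.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri: str) -> dict:
    """Split a PKCS#11 URI into {"path": {...}, "query": {...}}.

    Assumption (not from RFC 7512): a value with no "pkcs11:" scheme, as in the
    sssd.conf p11_uri example, is treated the same as the scheme-prefixed form.
    """
    if uri.startswith("pkcs11:"):
        uri = uri[len("pkcs11:"):]
    path_part, _, query_part = uri.partition("?")
    path = _parse_attrs(path_part, ";", PATH_ATTRS)
    query = _parse_attrs(query_part, "&", QUERY_ATTRS)
    if "type" in path and path["type"] not in OBJECT_TYPES:
        raise Pkcs11UriError(f"unknown object type {path['type']!r}")
    if "slot-id" in path and not path["slot-id"].isdigit():
        raise Pkcs11UriError("slot-id must be a decimal integer")
    return {"path": path, "query": query}


def review_uri(uri: str) -> list:
    """Findings a config reviewer cares about for a URI taken from sssd.conf,
    httpd or nginx configuration."""
    parsed = parse_pkcs11_uri(uri)
    findings = []
    if "pin-value" in parsed["query"]:
        # The PIN then sits in a config file and in the process listing of any
        # program that receives the URI as an argument.
        findings.append("pin-value embeds the PIN in the URI; prefer pin-source")
    if not parsed["path"]:
        # With nothing to match on, a consumer may pick an arbitrary token.
        findings.append("no path attributes; URI does not select a token or object")
    return findings


if __name__ == "__main__":
    # Constructed sample URIs.
    for sample in ("library-description=OpenSC%20smartcard%20framework;slot-id=2",
                   "pkcs11:token=webserver;id=%01;type=private?pin-value=1234"):
        print(parse_pkcs11_uri(sample), review_uri(sample))
```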

5.1.12. File systems and storage Support for Data Integrity Field/Data Integrity Extension (DIF/DIX) DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL. DIF/DIX is not supported on the following configurations: It is not supported for use on the boot device.

It is not supported on virtualized guests.

Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled. DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent. For further information on the DIF/DIX feature, see What is DIF/DIX. (BZ#1649493) XFS now supports shared copy-on-write data extents The XFS file system supports shared copy-on-write data extent functionality. This feature enables two or more files to share a common set of data blocks. When either of the files sharing common blocks changes, XFS breaks the link to common blocks and creates a new file. This is similar to the copy-on-write (COW) functionality found in other file systems. Shared copy-on-write data extents are: Fast Creating shared copies does not utilize disk I/O. Space-efficient Shared blocks do not consume additional disk space. Transparent Files sharing common blocks act like regular files. Userspace utilities can use shared copy-on-write data extents for: Efficient file cloning, such as with the cp --reflink command

command Per-file snapshots This functionality is also used by kernel subsystems such as Overlayfs and NFS for more efficient operation. Shared copy-on-write data extents are now enabled by default when creating an XFS file system, starting with the xfsprogs package version 4.17.0-2.el8 . Note that Direct Access (DAX) devices currently do not support XFS with shared copy-on-write data extents. To create an XFS file system without this feature, use the following command: # mkfs.xfs -m reflink=0 block-device Red Hat Enterprise Linux 7 can mount XFS file systems with shared copy-on-write data extents only in the read-only mode. (BZ#1494028) Maximum XFS file system size is 1024 TiB The maximum supported size of an XFS file system has been increased from 500 TiB to 1024 TiB. File systems larger than 500 TiB require that: the metadata CRC feature and the free inode btree feature are both enabled in the file system format, and

the allocation group size is at least 512 GiB. In RHEL 8, the mkfs.xfs utility creates file systems that meet these requirements by default. Growing a smaller file system that does not meet these requirements to a new size greater than 500 TiB is not supported. (BZ#1563617) ext4 file system now supports metadata checksum With this update, ext4 metadata is protected by checksums . This enables the file system to recognize the corrupt metadata, which avoids damage and increases the file system resilience. (BZ#1695584) VDO now supports all architectures Virtual Data Optimizer (VDO) is now available on all of the architectures supported by RHEL 8. For the list of supported architectures, see Chapter 2, Architectures. (BZ#1534087) The BOOM boot manager simplifies the process of creating boot entries BOOM is a boot manager for Linux systems that use boot loaders supporting the BootLoader Specification for boot entry configuration. It enables flexible boot configuration and simplifies the creation of new or modified boot entries: for example, to boot snapshot images of the system created using LVM. BOOM does not modify the existing boot loader configuration, and only inserts additional entries. The existing configuration is maintained, and any distribution integration, such as kernel installation and update scripts, continue to function as before. BOOM has a simplified command-line interface (CLI) and API that ease the task of creating boot entries. (BZ#1649582) LUKS2 is now the default format for encrypting volumes In RHEL 8, the LUKS version 2 (LUKS2) format replaces the legacy LUKS (LUKS1) format. The dm-crypt subsystem and the cryptsetup tool now uses LUKS2 as the default format for encrypted volumes. LUKS2 provides encrypted volumes with metadata redundancy and auto-recovery in case of a partial metadata corruption event. Due to the internal flexible layout, LUKS2 is also an enabler of future features. 
It supports auto-unlocking through the generic kernel-keyring token built into libcryptsetup, which allows users to unlock LUKS2 volumes using a passphrase stored in the kernel-keyring retention service. Other notable enhancements include:

- The protected key setup using the wrapped key cipher scheme.
- Easier integration with Policy-Based Decryption (Clevis).
- Up to 32 key slots - LUKS1 provides only 8 key slots.

For more details, see the cryptsetup(8) and cryptsetup-reencrypt(8) man pages. (BZ#1564540)

NVMe/FC is fully supported on Broadcom Emulex and Marvell Qlogic Fibre Channel adapters

The NVMe over Fibre Channel (NVMe/FC) transport type is now fully supported in Initiator mode when used with Broadcom Emulex and Marvell Qlogic Fibre Channel 32Gbit adapters that feature NVMe support. NVMe over Fibre Channel is an additional fabric transport type for the Nonvolatile Memory Express (NVMe) protocol, in addition to the Remote Direct Memory Access (RDMA) protocol that was previously introduced in Red Hat Enterprise Linux.

Enabling NVMe/FC:

- To enable NVMe/FC in the lpfc driver, edit the /etc/modprobe.d/lpfc.conf file and add the following option:

  lpfc_enable_fc4_type=3

- To enable NVMe/FC in the qla2xxx driver, edit the /etc/modprobe.d/qla2xxx.conf file and add the following option:

  qla2xxx.ql2xnvmeenable=1

Additional restrictions:

- Multipath is not supported with NVMe/FC.
- NVMe clustering is not supported with NVMe/FC.
- kdump is not supported with NVMe/FC.
- Booting from Storage Area Network (SAN) NVMe/FC is not supported.

(BZ#1649497)

New scan_lvs configuration setting

A new lvm.conf configuration file setting, scan_lvs, has been added and set to 0 by default. The new default behavior stops LVM from looking for PVs that may exist on top of LVs; that is, it will not scan active LVs for more PVs. The default setting also prevents LVM from creating PVs on top of LVs. Layering PVs on top of LVs can occur by way of VM images placed on top of LVs, in which case it is not safe for the host to access the PVs. Avoiding this unsafe access is the primary reason for the new default behavior. Also, in environments with many active LVs, the amount of device scanning done by LVM can be significantly decreased. The previous behavior can be restored by changing this setting to 1. (BZ#1676598)

New overrides section of the DM Multipath configuration file

The /etc/multipath.conf file now includes an overrides section that allows you to set a configuration value for all of your devices. These attributes are used by DM Multipath for all devices unless they are overwritten by the attributes specified in the multipaths section of the /etc/multipath.conf file for paths that contain the device. This functionality replaces the all_devs parameter of the devices section of the configuration file, which is no longer supported. (BZ#1643294)

Installing and booting from NVDIMM devices is now supported

Prior to this update, Nonvolatile Dual Inline Memory Module (NVDIMM) devices in any mode were ignored by the installer. With this update, kernel improvements to support NVDIMM devices provide improved system performance capabilities and enhanced file system access for write-intensive applications like database or analytic workloads, as well as reduced CPU overhead.
This update introduces support for:

- The use of NVDIMM devices for installation using the nvdimm Kickstart command and the GUI, making it possible to install and boot from NVDIMM devices in sector mode and reconfigure NVDIMM devices into sector mode during installation.
- The extension of Kickstart scripts for Anaconda with commands for handling NVDIMM devices.
- The ability of the grub2, efibootmgr, and efivar system components to handle and boot from NVDIMM devices.

(BZ#1499442)

The detection of marginal paths in DM Multipath has been improved

The multipathd service now supports improved detection of marginal paths. This helps multipath devices avoid paths that are likely to fail repeatedly, and improves performance. Marginal paths are paths with persistent but intermittent I/O errors. The following options in the /etc/multipath.conf file control marginal path behavior:

- marginal_path_double_failed_time,
- marginal_path_err_sample_time,
- marginal_path_err_rate_threshold, and
- marginal_path_err_recheck_gap_time.

DM Multipath disables a path and tests it with repeated I/O for the configured sample time if:

- the listed multipath.conf options are set,
- a path fails twice in the configured time, and
- other paths are available.

If the path has more than the configured error rate during this testing, DM Multipath ignores it for the configured gap time, and then retests it to see whether it is working well enough to be reinstated. For more information, see the multipath.conf man page. (BZ#1643550)

Multiqueue scheduling on block devices

Block devices now use multiqueue scheduling in Red Hat Enterprise Linux 8. This enables the block layer performance to scale well with fast solid-state drives (SSDs) and multi-core systems. The traditional schedulers, which were available in RHEL 7 and earlier versions, have been removed. RHEL 8 supports only multiqueue schedulers. (BZ#1647612)
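The marginal path logic described above, as an added example rather than multipathd's own code: a small Python state machine driven by constructed I/O events, with the four multipath.conf options as parameters. Time in seconds, a fixed "other paths available" status, and comparing the error rate as errors per 1000 I/Os are assumptions of this example.

```python
"""Added example, not code from the release notes or from multipath-tools: a
small model of the marginal path logic described above, driven by constructed
I/O events. Assumptions: time is in seconds, a path's "other paths available"
status is fixed for the run, and the error rate is compared as errors per
1000 I/Os (how multipath.conf expresses marginal_path_err_rate_threshold)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACTIVE, TESTING, IGNORED = "active", "testing", "ignored"


@dataclass
class MarginalConfig:
    """The four multipath.conf options named in the text (constructed values)."""
    double_failed_time: float = 10.0     # two failures within this window -> test it
    err_sample_time: float = 60.0        # how long the disabled path is probed
    err_rate_threshold: float = 20.0     # errors per 1000 probe I/Os (assumption)
    err_recheck_gap_time: float = 300.0  # how long a marginal path is ignored


class MarginalPath:
    """One path moving through active -> testing -> ignored -> testing -> active."""

    def __init__(self, cfg: MarginalConfig, other_paths_available: bool = True):
        self.cfg = cfg
        self.other_paths_available = other_paths_available
        self.state = ACTIVE
        self.last_failure: Optional[float] = None
        self.sample_start = 0.0
        self.sample_ios = 0
        self.sample_errs = 0
        self.ignored_since = 0.0

    def _start_test(self, now: float) -> None:
        # The path is taken out of service and probed with repeated I/O.
        self.state = TESTING
        self.sample_start = now
        self.sample_ios = self.sample_errs = 0

    def io_failed(self, now: float) -> str:
        """A normal I/O on an active path failed; returns the new state."""
        if self.state == ACTIVE:
            # "a path fails twice in the configured time, and other paths are available"
            if (self.last_failure is not None
                    and now - self.last_failure <= self.cfg.double_failed_time
                    and self.other_paths_available):
                self._start_test(now)
            self.last_failure = now
        return self.state

    def test_io(self, now: float, ok: bool) -> str:
        """Result of one probe I/O while the path is out of service; returns the state."""
        if self.state == IGNORED and now - self.ignored_since >= self.cfg.err_recheck_gap_time:
            self._start_test(now)  # gap time elapsed: retest the path
        if self.state != TESTING:
            return self.state      # probes during the gap time are not counted
        self.sample_ios += 1
        if not ok:
            self.sample_errs += 1
        if now - self.sample_start >= self.cfg.err_sample_time:
            rate = 1000.0 * self.sample_errs / self.sample_ios
            if rate > self.cfg.err_rate_threshold:
                self.state, self.ignored_since = IGNORED, now   # still marginal
            else:
                self.state, self.last_failure = ACTIVE, None    # reinstated
        return self.state


def run_scenario() -> List[Tuple[float, str]]:
    """Constructed timeline: a flapping path is quarantined, then reinstated once clean."""
    path = MarginalPath(MarginalConfig())
    transitions: List[Tuple[float, str]] = []

    def note(t: float, state: str) -> None:
        if not transitions or transitions[-1][1] != state:
            transitions.append((t, state))

    note(0.0, path.io_failed(0.0))   # first failure: the path stays active
    note(5.0, path.io_failed(5.0))   # second failure within 10 s: testing begins
    # Probe once per second through the 60 s sample window; every 10th probe fails,
    # which is 100 errors per 1000 I/Os, well over the threshold of 20.
    for t in range(6, 66):
        note(float(t), path.test_io(float(t), ok=(t % 10 != 0)))
    note(100.0, path.test_io(100.0, ok=True))   # inside the 300 s gap: still ignored
    # Once the gap has elapsed the path is retested; this time every probe succeeds.
    for t in range(366, 427):
        note(float(t), path.test_io(float(t), ok=True))
    return transitions


if __name__ == "__main__":
    for t, state in run_scenario():
        print(f"t={t:6.1f}s  {state}")
```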

5.1.13. High availability and clusters

New pcs commands to list available watchdog devices and test watchdog devices

In order to configure SBD with Pacemaker, a functioning watchdog device is required. This release supports the pcs stonith sbd watchdog list command to list available watchdog devices on the local node, and the pcs stonith sbd watchdog test command to test a watchdog device. For information on the sbd command line tool, see the sbd(8) man page. (BZ#1578891)

The pcs command now supports filtering resource failures by an operation and its interval

Pacemaker now tracks resource failures per resource operation, in addition to per resource name and node. The pcs resource failcount show command now allows filtering failures by resource, node, operation, and interval. It provides an option to display failures aggregated per resource and node, or detailed per resource, node, operation, and interval. Additionally, the pcs resource cleanup command now allows filtering failures by resource, node, operation, and interval. (BZ#1591308)

Timestamps enabled in corosync log

The corosync log did not previously contain timestamps, which made it difficult to relate it to logs from other nodes and daemons. With this release, timestamps are present in the corosync log. (BZ#1615420)

New formats for pcs cluster setup, pcs cluster node add and pcs cluster node remove commands

In Red Hat Enterprise Linux 8, pcs fully supports Corosync 3, knet, and node names. Node names are now required and replace node addresses in the role of node identifier. Node addresses are now optional.

- In the pcs host auth command, node addresses default to node names.
- In the pcs cluster setup and pcs cluster node add commands, node addresses default to the node addresses specified in the pcs host auth command.

With these changes, the formats for the commands to set up a cluster, add a node to a cluster, and remove a node from a cluster have changed. For information on these new command formats, see the help display for the pcs cluster setup, pcs cluster node add and pcs cluster node remove commands. (BZ#1158816)

New pcs commands

Red Hat Enterprise Linux 8 introduces the following new commands.

- RHEL 8 introduces a new command, pcs cluster node add-guest | remove-guest, which replaces the pcs cluster remote-node add | remove command in RHEL 7.
- RHEL 8 introduces a new command, pcs quorum unblock, which replaces the pcs cluster quorum unblock command in RHEL 7.
- The pcs resource failcount reset command has been removed as it duplicates the functionality of the pcs resource cleanup command.
- RHEL 8 introduces new commands which replace the pcs resource [show] command in RHEL 7:
  - The pcs resource [status] command in RHEL 8 replaces the pcs resource [show] command in RHEL 7.
  - The pcs resource config command in RHEL 8 replaces the pcs resource [show] --full command in RHEL 7.
  - The pcs resource config resource id command in RHEL 8 replaces the pcs resource show resource id command in RHEL 7.
- RHEL 8 introduces new commands which replace the pcs stonith [show] command in RHEL 7:
  - The pcs stonith [status] command in RHEL 8 replaces the pcs stonith [show] command in RHEL 7.
  - The pcs stonith config command in RHEL 8 replaces the pcs stonith [show] --full command in RHEL 7.
  - The pcs stonith config resource id command in RHEL 8 replaces the pcs stonith show resource id command in RHEL 7.

(BZ#1654280)

Pacemaker 2.0.0 in RHEL 8

The pacemaker packages have been upgraded to the upstream version of Pacemaker 2.0.0, which provides a number of bug fixes and enhancements over the previous version:

- The Pacemaker detail log is now /var/log/pacemaker/pacemaker.log by default (not directly in /var/log or combined with the corosync log under /var/log/cluster).

- The Pacemaker daemon processes have been renamed to make reading the logs more intuitive. For example, pengine has been renamed to pacemaker-schedulerd.
- Support for the deprecated default-resource-stickiness and is-managed-default cluster properties has been dropped. The resource-stickiness and is-managed properties should be set in resource defaults instead. Existing configurations (though not newly created ones) with the deprecated syntax will automatically be updated to use the supported syntax.

For a more complete list of changes, see Pacemaker 2.0 upgrade in Red Hat Enterprise Linux 8. It is recommended that users who are upgrading an existing cluster using Red Hat Enterprise Linux 7 or earlier run pcs cluster cib-upgrade on any cluster node before and after upgrading RHEL on all cluster nodes. (BZ#1543494)

Master resources renamed to promotable clone resources

Red Hat Enterprise Linux (RHEL) 8 supports Pacemaker 2.0, in which a master/slave resource is no longer a separate type of resource but a standard clone resource with a promotable meta-attribute set to true. The following changes have been implemented in support of this update:

- It is no longer possible to create master resources with the pcs command. Instead, it is possible to create promotable clone resources. Related keywords and commands have been changed from master to promotable.
- All existing master resources are displayed as promotable clone resources.
- When managing a RHEL7 cluster in the Web UI, master resources are still called master, as RHEL7 clusters do not support promotable clones.

(BZ#1542288)

New commands for authenticating nodes in a cluster

Red Hat Enterprise Linux (RHEL) 8 incorporates the following changes to the commands used to authenticate nodes in a cluster.

- The new command for authentication is pcs host auth. This command allows users to specify host names, addresses and pcsd ports.
- The pcs cluster auth command authenticates only the nodes in a local cluster and does not accept a node list.
- It is now possible to specify an address for each node. pcs/pcsd will then communicate with each node using the specified address. These addresses can be different from the ones corosync uses internally.
- The pcs pcsd clear-auth command has been replaced by the pcs pcsd deauth and pcs host deauth commands. The new commands allow users to deauthenticate a single host as well as all hosts.
- Previously, node authentication was bidirectional, and running the pcs cluster auth command caused all specified nodes to be authenticated against each other. The pcs host auth command, however, causes only the local host to be authenticated against the specified nodes. This allows better control of which node is authenticated against which other nodes when running this command. On cluster setup itself, and also when adding a node, pcs automatically synchronizes tokens on the cluster, so all nodes in the cluster are still automatically authenticated as before and the cluster nodes can communicate with each other.

Note that these changes are not backward compatible. Nodes that were authenticated on a RHEL 7 system will need to be authenticated again. (BZ#1549535)

The pcs commands now support display, cleanup, and synchronization of fencing history

Pacemaker’s fence daemon tracks a history of all fence actions taken (pending, successful, and failed). With this release, the pcs commands allow users to access the fencing history in the following ways:

- The pcs status command shows failed and pending fencing actions

command shows failed and pending fencing actions The pcs status --full command shows the entire fencing history

command shows the entire fencing history The pcs stonith history command provides options to display and clean up fencing history

command provides options to display and clean up fencing history Although fencing history is synchronized automatically, the pcs stonith history command now supports an update option that allows a user to manually synchronize fencing history should that be necessary (BZ#1620190, BZ#1615891)

5.1.14. Networking

nftables replaces iptables as the default network packet filtering framework

The nftables framework provides packet classification facilities and it is the designated successor to the iptables, ip6tables, arptables, and ebtables tools. It offers numerous improvements in convenience, features, and performance over previous packet-filtering tools, most notably:

- lookup tables instead of linear processing
- a single framework for both the IPv4 and IPv6 protocols
- rules all applied atomically instead of fetching, updating, and storing a complete ruleset
- support for debugging and tracing in the ruleset (nftrace) and monitoring trace events (in the nft tool)
- more consistent and compact syntax, no protocol-specific extensions
- a Netlink API for third-party applications

Similarly to iptables, nftables uses tables for storing chains. The chains contain individual rules for performing actions. The nft tool replaces all tools from the previous packet-filtering frameworks. The libnftables library can be used for low-level interaction with the nftables Netlink API over the libmnl library.

The iptables, ip6tables, ebtables and arptables tools are replaced by nftables-based drop-in replacements with the same name. While external behavior is identical to their legacy counterparts, internally they use nftables with legacy netfilter kernel modules through a compatibility interface where required. The effect of the modules on the nftables ruleset can be observed using the nft list ruleset command. Since these tools add tables, chains, and rules to the nftables ruleset, be aware that nftables rule-set operations, such as the nft flush ruleset command, might affect rule sets installed using the formerly separate legacy commands.

To quickly identify which variant of the tool is present, version information has been updated to include the back-end name. In RHEL 8, the nftables-based iptables tool prints the following version string:

$ iptables --version
iptables v1.8.0 (nf_tables)

For comparison, the following version information is printed if the legacy iptables tool is present:

$ iptables --version
iptables v1.8.0 (legacy)

(BZ#1644030)

Notable TCP features in RHEL 8

Red Hat Enterprise Linux 8 is distributed with TCP networking stack version 4.18, which provides higher performance, better scalability, and more stability. Performance is boosted especially for busy TCP servers with a high ingress connection rate. Additionally, two new TCP congestion algorithms, BBR and NV, are available, offering lower latency and better throughput than cubic in most scenarios.
(BZ#1562998)

firewalld uses nftables by default

With this update, the nftables filtering subsystem is the default firewall backend for the firewalld daemon. To change the backend, use the FirewallBackend option in the /etc/firewalld/firewalld.conf file. This change introduces the following differences in behavior when using nftables:

- iptables rule executions always occur before firewalld rules
- DROP in iptables means a packet is never seen by firewalld
- ACCEPT in iptables means a packet is still subject to firewalld rules
- firewalld direct rules are still implemented through iptables while other firewalld features use nftables
- direct rule execution occurs before firewalld generic acceptance of established connections

(BZ#1509026)

Notable change in wpa_supplicant in RHEL 8

In Red Hat Enterprise Linux (RHEL) 8, the wpa_supplicant package is built with CONFIG_DEBUG_SYSLOG enabled. This allows reading the wpa_supplicant log using the journalctl utility instead of checking the contents of the /var/log/wpa_supplicant.log file. (BZ#1582538)

NetworkManager now supports SR-IOV virtual functions

In Red Hat Enterprise Linux 8.0, NetworkManager allows configuring the number of virtual functions (VF) for interfaces that support single-root I/O virtualization (SR-IOV). Additionally, NetworkManager allows configuring some attributes of the VFs, such as the MAC address, VLAN, the spoof checking setting and allowed bitrates. Note that all properties related to SR-IOV are available in the sriov connection setting. For more details, see the nm-settings(5) man page. (BZ#1555013)

IPVLAN virtual network drivers are now supported

In Red Hat Enterprise Linux 8.0, the kernel includes support for IPVLAN virtual network drivers. With this update, IPVLAN virtual Network Interface Cards (NICs) enable network connectivity for multiple containers while exposing a single MAC address to the local network. This allows a single host to have many containers, overcoming the possible limitation on the number of MAC addresses supported by the peer networking equipment. (BZ#1261167)

NetworkManager supports a wildcard interface name match for connections

Previously, it was possible to restrict a connection to a given interface using only an exact match on the interface name. With this update, connections have a new match.interface-name property which supports wildcards.
This update enables users to choose the interface for a connection in a more flexible way using a wildcard pattern. (BZ#1555012)

Improvements in the networking stack 4.18

Red Hat Enterprise Linux 8.0 includes the networking stack upgraded to upstream version 4.18, which provides several bug fixes and enhancements. Notable changes include:

- Introduced new offload features, such as UDP_GSO, and, for some device drivers, GRO_HW.
- Significantly improved scalability for the User Datagram Protocol (UDP).
- Improved the generic busy polling code.
- Improved scalability for the IPv6 protocol.
- Improved scalability for the routing code.
- Added a new default transmit queue scheduling algorithm, fq_codel, which improves transmission delay.
- Improved scalability for some transmit queue scheduling algorithms. For example, pfifo_fast is now lockless.
- Improved scalability of the IP reassembly unit by removing the garbage collection kernel thread; IP fragments now expire only on timeout. As a result, CPU usage under DoS is much lower, and the maximum sustainable fragment drop rate is limited by the amount of memory configured for the IP reassembly unit.

(BZ#1562987)

New tools to convert iptables to nftables

This update adds the iptables-translate and ip6tables-translate tools to convert the existing iptables or ip6tables rules into the equivalent ones for nftables. Note that some extensions lack translation support. If such an extension exists, the tool prints the untranslated rule prefixed with the # sign. For example:

% iptables-translate -A INPUT -j CHECKSUM --checksum-fill
nft # -A INPUT -j CHECKSUM --checksum-fill

Additionally, users can use the iptables-restore-translate and ip6tables-restore-translate tools to translate a dump of rules. Note that before that, users can use the iptables-save or ip6tables-save commands to print a dump of current rules. For example:

% sudo iptables-save >/tmp/iptables.dump
% iptables-restore-translate -f /tmp/iptables.dump
# Translated by iptables-restore-translate v1.8.0 on Wed Oct 17 17:00:13 2018
add table ip nat
...

(BZ#1564596)

New features added to VPN using NetworkManager

In Red Hat Enterprise Linux 8.0, NetworkManager provides the following new features to VPN:

- Support for the Internet Key Exchange version 2 (IKEv2) protocol.

- Added some more Libreswan options, such as the rightid, leftcert, narrowing, rekey, and fragmentation options. For more details on the supported options, see the nm-settings-libreswan man page.
- Updated the default ciphers. This means that when the user does not specify the ciphers, the NetworkManager-libreswan plugin allows the Libreswan application to choose the system default cipher. The only exception is when the user selects an IKEv1 aggressive mode configuration. In this case, the ike = aes256-sha1;modp1536 and esp = aes256-sha1 values are passed to Libreswan.

(BZ#1557035)

A new data chunk type, I-DATA, added to SCTP

This update adds a new data chunk type, I-DATA, and stream schedulers to the Stream Control Transmission Protocol (SCTP). Previously, SCTP sent user messages in the same order as they were sent by a user. Consequently, a large SCTP user message blocked all other messages in any stream until completely sent. When using I-DATA chunks, the Transmission Sequence Number (TSN) field is not overloaded. As a result, SCTP can now schedule the streams in different ways, and I-DATA allows user message interleaving (RFC 8260). Note that both peers must support the I-DATA chunk type. (BZ#1273139)

NetworkManager supports configuring ethtool offload features

With this enhancement, NetworkManager supports configuring ethtool offload features, and users no longer need to use init scripts or a NetworkManager dispatcher script. As a result, users can now configure the offload feature as a part of the connection profile using one of the following methods:

- By using the nmcli utility
- By editing key files in the /etc/NetworkManager/system-connections/ directory
- By editing the /etc/sysconfig/network-scripts/ifcfg-* files

Note that this feature is currently not supported in graphical interfaces and in the nmtui utility. (BZ#1335409)

TCP BBR support in RHEL 8

A new TCP congestion control algorithm, Bottleneck Bandwidth and Round-trip time (BBR), is now supported in Red Hat Enterprise Linux (RHEL) 8. BBR attempts to determine the bandwidth of the bottleneck link and the Round-trip time (RTT). Most congestion algorithms are based on packet loss (including CUBIC, the default Linux TCP congestion control algorithm), which have problems on high-throughput links. BBR does not react to loss events directly; it adjusts the TCP pacing rate to match the available bandwidth. Users of TCP BBR should switch to the fq queueing setting on all the involved interfaces. Note that users should explicitly use fq and not fq_codel. For more details, see the tc-fq man page. (BZ#1515987)

lksctp-tools, version 1.0.18 in RHEL 8

The lksctp-tools package, version 3.28 is available in Red Hat Enterprise Linux (RHEL) 8. Notable enhancements and bug fixes include:

- Integration with Travis CI and Coverity Scan

- Support for the sctp_peeloff_flags function
- Indication of which kernel features are available
- Fixes on Coverity Scan issues

(BZ#1568622)

Blacklisting SCTP module by default in RHEL 8

To increase security, a set of kernel modules have been moved to the kernel-modules-extra package. These are not installed by default. As a consequence, non-root users cannot load these components as they are blacklisted by default. To use one of these kernel modules, the system administrator must install kernel-modules-extra and explicitly remove the module blacklist. As a result, non-root users will be able to load the software component automatically. (BZ#1642795)

Notable changes in driverctl 0.101

Red Hat Enterprise Linux 8.0 is distributed with driverctl 0.101. This version includes the following bug fixes:

- The shellcheck warnings have been fixed.
- The bash-completion is installed as driverctl instead of driverctl-bash-completion.sh.
- The load_override function for non-PCI buses has been fixed.
- The driverctl service loads all overrides before it reaches the basic.target systemd target.

(BZ#1648411)

Added rich rules priorities to firewalld

The priority option has been added to rich rules. This allows users to define the desired priority order during rule execution and provides more advanced control over rich rules. (BZ#1648497)

NVMe over RDMA is supported in RHEL 8

In Red Hat Enterprise Linux (RHEL) 8, Nonvolatile Memory Express (NVMe) over Remote Direct Memory Access (RDMA) supports Infiniband, RoCEv2, and iWARP only in initiator mode. Note that Multipath is supported in failover mode only. Additional restrictions:

- Kdump is not supported with NVMe/RDMA.
- Booting from an NVMe device over RDMA is not supported.

(BZ#1680177)

The nf_tables back end does not support debugging using dmesg

Red Hat Enterprise Linux 8.0 uses the nf_tables back end for firewalls, which does not support debugging the firewall using the output of the dmesg utility. To debug firewall rules, use the xtables-monitor -t or nft monitor trace commands to decode rule evaluation events. (BZ#1645744)

Red Hat Enterprise Linux supports VRF

The kernel in RHEL 8.0 supports virtual routing and forwarding (VRF). VRF devices, combined with rules set using the ip utility, enable administrators to create VRF domains in the Linux network stack. These domains isolate the traffic on layer 3 and, therefore, the administrator can create different routing tables and reuse the same IP addresses within different VRF domains on one host. (BZ#1440031)

iproute, version 4.18 in RHEL 8

The iproute package is distributed in version 4.18 in Red Hat Enterprise Linux (RHEL) 8. The most notable change is that interface aliases written as ethX:Y, such as eth0:1, are no longer supported. To work around this problem, users should remove the alias suffix, which is the colon and the following number, before entering ip link show. (BZ#1589317)

5.1.15. Security

SWID tag of the RHEL 8.0 release

To enable identification of RHEL 8.0 installations using the ISO/IEC 19770-2:2015 mechanism, software identification (SWID) tags are installed in the files /usr/lib/swidtag/redhat.com/com.redhat.RHEL-8-<architecture>.swidtag and /usr/lib/swidtag/redhat.com/com.redhat.RHEL-8.0-<architecture>.swidtag. The parent directory of these tags can also be found by following the /etc/swid/swidtags.d/redhat.com symbolic link. The XML signature of the SWID tag files can be verified using the xmlsec1 verify command, for example:

xmlsec1 verify --trusted-pem /etc/pki/swid/CA/redhat.com/redhatcodesignca.cert /usr/share/redhat.com/com.redhat.RHEL-8-x86_64.swidtag

The certificate of the code signing certification authority can also be obtained from the Product Signing Keys page on the Customer Portal. (BZ#1636338)

System-wide cryptographic policies are applied by default

Crypto-policies is a component in Red Hat Enterprise Linux 8 which configures the core cryptographic subsystems, covering the TLS, IPsec, DNSSEC, Kerberos, and SSH protocols. It provides a small set of policies, which the administrator can select using the update-crypto-policies command. The DEFAULT system-wide cryptographic policy offers secure settings for current threat models. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. RSA keys and Diffie-Hellman parameters are accepted if larger than 2047 bits. See the Consistent security by crypto policies in Red Hat Enterprise Linux 8 article on the Red Hat Blog and the update-crypto-policies(8) man page for more information. (BZ#1591620)

OpenSSH rebased to version 7.8p1

The openssh packages have been upgraded to upstream version 7.8p1. Notable changes include:

- Removed support for the SSH version 1 protocol.
- Removed support for the hmac-ripemd160 message authentication code.
- Removed support for RC4 (arcfour) ciphers.
- Removed support for Blowfish ciphers.
- Removed support for CAST ciphers.
- Changed the default value of the UseDNS option to no.
- Disabled DSA public key algorithms by default.
- Changed the minimal modulus size for Diffie-Hellman parameters to 2048 bits.
- Changed semantics of the ExposeAuthInfo configuration option.
- The UsePrivilegeSeparation=sandbox option is now mandatory and cannot be disabled.
- Set the minimal accepted RSA key size to 1024 bits.

(BZ#1622511)

The automatic OpenSSH server keys generation is now handled by sshd-keygen@.service

OpenSSH creates RSA, ECDSA, and ED25519 server host keys automatically if they are missing. To configure the host key creation in RHEL 8, use the sshd-keygen@.service instantiated service. For example, to disable the automatic creation of the RSA key type:

# systemctl mask sshd-keygen@rsa.service

See the /etc/sysconfig/sshd file for more information. (BZ#1228088)

ECDSA keys are supported for SSH authentication

This release of the OpenSSH suite introduces support for ECDSA keys stored on PKCS #11 smart cards. As a result, users can now use both RSA and ECDSA keys for SSH authentication. (BZ#1645038)

libssh implements SSH as a core cryptographic component

This change introduces libssh as a core cryptographic component in Red Hat Enterprise Linux 8. The libssh library implements the Secure Shell (SSH) protocol. Note that the client side of libssh follows the configuration set for OpenSSH through system-wide crypto policies, but the configuration of the server side cannot be changed through system-wide crypto policies. (BZ#1485241)

TLS 1.3 support in cryptographic libraries

This update enables Transport Layer Security (TLS) 1.3 by default in all major back-end crypto libraries. This enables low latency across the operating system communications layer and enhances privacy and security for applications by taking advantage of new algorithms, such as RSA-PSS or X25519. (BZ#1516728)

NSS now uses SQL by default

The Network Security Services (NSS) libraries now use the SQL file format for the trust database by default. The DBM file format, which was used as the default database format in previous releases, does not support concurrent access to the same database by multiple processes and has been deprecated upstream.
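Returning to the OpenSSH 7.8p1 rebase listed above: the following Python script is an added example (not part of the release notes or of OpenSSH) that audits an sshd_config for settings the rebase removed or now enforces, so an administrator can clean a RHEL 7 era configuration before the upgrade. The sample configuration is constructed, and the concrete algorithm identifiers for the RC4, Blowfish, CAST and ripemd160 families are this example's assumptions.

```python
"""Added example, not code from the release notes or from OpenSSH: a pre-upgrade
check of an sshd_config for settings that the OpenSSH 7.8p1 rebase described
above removed or now enforces. Only the changes listed in the text are checked.
Assumptions: the sample configuration is constructed, and the algorithm names
are the OpenSSH identifiers for the cipher and MAC families the text names."""
import re
from typing import Dict, List, Tuple

# Algorithm families the text says 7.8p1 no longer supports, by config keyword.
REMOVED_ALGOS: Dict[str, Tuple[str, ...]] = {
    "ciphers": ("arcfour", "arcfour128", "arcfour256",  # RC4
                "blowfish-cbc",                          # Blowfish
                "cast128-cbc"),                          # CAST
    "macs": ("hmac-ripemd160", "hmac-ripemd160@openssh.com",
             "hmac-ripemd160-etm@openssh.com"),
}
# DSA is disabled by default in 7.8p1: flag any key-type list that enables it.
DSA_KEYWORDS = ("hostkeyalgorithms", "pubkeyacceptedkeytypes",
                "hostbasedacceptedkeytypes")

_DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)")  # 'Key value' or 'Key=value'


def parse_sshd_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, lowercased keyword, argument) for each directive."""
    directives = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if m:
            directives.append((lineno, m.group(1).lower(), m.group(2).strip()))
    return directives


def _algo_list(arg: str) -> List[str]:
    """Algorithms a list enables: '+a,b' appends, '-a,b' removes (so enables nothing)."""
    if arg.startswith("-"):
        return []
    return [a.strip().lower() for a in arg.lstrip("+").split(",") if a.strip()]


def audit_sshd_config(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for directives 7.8p1 rejects or overrides."""
    findings: List[Tuple[int, str]] = []
    for lineno, key, arg in parse_sshd_config(text):
        if key == "protocol" and "1" in [v.strip() for v in arg.split(",")]:
            findings.append((lineno, "SSH protocol version 1 support was removed"))
        elif key in REMOVED_ALGOS:
            removed = [a for a in _algo_list(arg) if a in REMOVED_ALGOS[key]]
            if removed:
                findings.append((lineno, f"{key} lists removed algorithms: "
                                         + ", ".join(removed)))
        elif key in DSA_KEYWORDS and "ssh-dss" in _algo_list(arg):
            findings.append((lineno, f"{key} enables ssh-dss, which is disabled by default"))
        elif key == "useprivilegeseparation" and arg.lower() == "no":
            findings.append((lineno, "UsePrivilegeSeparation cannot be disabled; "
                                     "sandbox mode is mandatory"))
    return findings


# Constructed sample: a RHEL 7 era sshd_config carrying several legacy settings.
SAMPLE_SSHD_CONFIG = """\
# legacy settings kept for an old appliance
Protocol 2,1
Ciphers aes256-ctr,arcfour256,blowfish-cbc
MACs hmac-sha2-256,hmac-ripemd160
HostKeyAlgorithms +ssh-dss
UsePrivilegeSeparation no
UseDNS yes
KexAlgorithms -diffie-hellman-group1-sha1
"""

if __name__ == "__main__":
    for lineno, finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"line {lineno}: {finding}")
```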
As a result, applications that use the NSS trust database to store keys, certificates, and revocation information now create databases in the SQL format by default. Attempts to create databases in the legacy DBM format fail. The existing DBM databases are opened in read-only mode, and they are automatically converted to the SQL format. Note that NSS support the SQL file format since Red Hat Enterprise Linux 6. (BZ#1489094) PKCS #11 support for smart cards and HSMs is now consistent across the system With this update, using smart cards and Hardware Security Modules (HSM) with PKCS #11 cryptographic token interface becomes consistent. This means that the user and the administrator can use the same syntax for all related tools in the system. Notable enhancements include: Support for the PKCS #11 Uniform Resource Identifier (URI) scheme that ensures a simplified enablement of tokens on RHEL servers both for administrators and application writers.

A system-wide registration method for smart cards and HSMs using the pkcs11.conf file.

Consistent support for HSMs and smart cards in NSS, GnuTLS, and OpenSSL (through the openssl-pkcs11 engine) applications.

The Apache HTTP server (httpd) now seamlessly supports HSMs.

For more information, see the pkcs11.conf(5) man page. (BZ#1516741)

Firefox now works with system-wide registered PKCS #11 drivers
The Firefox web browser automatically loads the p11-kit-proxy module, and every smart card that is registered system-wide in p11-kit through the pkcs11.conf file is automatically detected. For TLS client authentication, no additional setup is required: keys from a smart card are automatically used when a server requests them. (BZ#1595638)

RSA-PSS is now supported in OpenSC
This update adds support for the RSA-PSS cryptographic signature scheme to the OpenSC smart card driver. The new scheme enables a secure cryptographic algorithm required for TLS 1.3 support in the client software. (BZ#1595626)

Notable changes in Libreswan in RHEL 8
The libreswan packages have been upgraded to upstream version 3.27, which provides many bug fixes and enhancements over the previous versions. Most notable changes include:

Support for RSA-PSS (RFC 7427) through authby=rsa-sha2, ECDSA (RFC 7427) through authby=ecdsa-sha2, CURVE
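The PKCS #11 URI scheme that the smart card and HSM section above describes is specified in RFC 7512: a pkcs11: prefix, semicolon-separated path attributes naming the token and object, and optional ampersand-separated query attributes such as pin-source. The following is an added example, not code from Red Hat, p11-kit, or the release notes: a parser for that syntax plus a matcher that selects, from a token inventory, the objects a URI refers to. The token labels, serials, object names and CKA_ID values in SAMPLE_TOKENS are constructed sample data, not real hardware.

```python
"""Parse and match PKCS #11 URIs (RFC 7512), the scheme RHEL 8 uses
system-wide for naming tokens and the keys stored on them.

Added example; not code from Red Hat, p11-kit or the release notes.
The token inventory at the bottom is constructed sample data.
"""
from urllib.parse import unquote, unquote_to_bytes

# Attribute names defined by RFC 7512, split by where they may appear.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-version", "library-description", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}

# Attributes that describe the token/slot versus an object stored on it.
TOKEN_SCOPE = {"token", "manufacturer", "serial", "model",
               "slot-manufacturer", "slot-description", "slot-id"}
OBJECT_SCOPE = {"object", "type", "id"}


class Pkcs11UriError(ValueError):
    """Raised for a malformed or unsupported PKCS #11 URI."""


def _parse_attrs(segment, sep, allowed):
    """Split 'name=value<sep>name=value' and percent-decode each value."""
    attrs = {}
    if not segment:
        return attrs
    for part in segment.split(sep):
        name, eq, value = part.partition("=")
        if not eq:
            raise Pkcs11UriError(f"attribute without '=': {part!r}")
        if name not in allowed:
            # Deliberately strict: RFC 7512 also permits vendor-specific
            # attribute names, which this example rejects.
            raise Pkcs11UriError(f"unknown attribute {name!r}")
        if name in attrs:
            # RFC 7512 allows each attribute at most once.
            raise Pkcs11UriError(f"duplicate attribute {name!r}")
        # CKA_ID is raw bytes; every other attribute is UTF-8 text.
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs


def parse_pkcs11_uri(uri):
    """Return the URI's attributes as a dict ('id' maps to bytes)."""
    if not uri.startswith("pkcs11:"):
        raise Pkcs11UriError("URI must start with 'pkcs11:'")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = _parse_attrs(path, ";", PATH_ATTRS)
    attrs.update(_parse_attrs(query, "&", QUERY_ATTRS))
    if "type" in attrs and attrs["type"] not in OBJECT_TYPES:
        raise Pkcs11UriError(f"unknown object type {attrs['type']!r}")
    if "slot-id" in attrs and not attrs["slot-id"].isdigit():
        raise Pkcs11UriError("slot-id must be a decimal number")
    return attrs


def _scope_matches(attrs, record, scope):
    """Every URI attribute in this scope must equal the record's value;
    attributes the URI does not name match anything (RFC 7512 section 2.3)."""
    return all(record.get(name) == attrs[name]
               for name in scope if name in attrs)


def find_objects(uri, tokens):
    """List (token label, object label, type) for the objects a URI selects."""
    attrs = parse_pkcs11_uri(uri)
    hits = []
    for tok in tokens:
        if not _scope_matches(attrs, tok, TOKEN_SCOPE):
            continue
        for obj in tok["objects"]:
            if _scope_matches(attrs, obj, OBJECT_SCOPE):
                hits.append((tok["token"], obj["object"], obj["type"]))
    return hits


# Constructed inventory standing in for what a PKCS #11 module would report.
SAMPLE_TOKENS = [
    {"token": "Example Smart Card", "manufacturer": "Example Corp",
     "serial": "0001", "slot-id": "0",
     "objects": [{"object": "Signing Key", "type": "private", "id": b"\x01"},
                 {"object": "Signing Key", "type": "cert", "id": b"\x01"}]},
    {"token": "Software HSM", "manufacturer": "Example Corp",
     "serial": "9999", "slot-id": "1",
     "objects": [{"object": "TLS Server Key", "type": "private",
                  "id": b"\xab\xcd"}]},
]

if __name__ == "__main__":
    uri = "pkcs11:token=Example%20Smart%20Card;object=Signing%20Key;type=private"
    print(find_objects(uri, SAMPLE_TOKENS))
```

Two properties of the scheme are worth noticing in the matcher: a bare "pkcs11:" URI names no attributes and therefore matches every object on every token, so a URI meant to pin down one key should carry enough token-scope attributes (serial, or token plus manufacturer) that a second card in another slot cannot satisfy it. Also, the pin-value query attribute embeds the PIN in the URI itself, where it ends up in configuration files and process listings; pin-source, which points at a file or PIN-entry helper, keeps the secret out of the identifier.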
