Red Hat has released the Red Hat Enterprise Linux 9 distribution. Ready-made installation images will soon be available for download to registered users of the Red Hat Customer Portal (CentOS Stream 9 ISO images can also be used). The release is built for the x86_64, s390x (IBM System z), ppc64le and AArch64 (ARM64) architectures. The sources of the Red Hat Enterprise Linux 9 rpm packages are located in the CentOS Git repository. In accordance with the 10-year support cycle, the RHEL 9 branch will be maintained until 2032. Updates for RHEL 7 will continue to be released until June 30, 2024, and for RHEL 8 until May 31, 2029.
The Red Hat Enterprise Linux 9 distribution is notable for its move to a more open development process. Unlike previous branches, it is based on CentOS Stream 9. CentOS Stream is positioned as the upstream project for RHEL, enabling third-party participants to follow the preparation of packages for RHEL, propose their changes and influence decisions. Previously, a snapshot of one of the Fedora releases was used as the basis for a new RHEL branch, which was then finalized and stabilized behind closed doors, with no way to follow the progress of development or the decisions being made. Now the CentOS Stream branch is formed from the Fedora snapshot with community participation; the preparatory work is carried out there and it becomes the basis for the next major RHEL branch.
Key changes:
- Updated system environment and build tools. GCC 11 is used to build packages. The standard C library has been updated to glibc 2.34. The Linux kernel package is based on release 5.14. The RPM package manager has been updated to version 4.16 with support for integrity control via fapolicyd.
- The migration of the distribution to Python 3 has been completed. The default branch is Python 3.9 . Python 2 has been discontinued.
- The desktop is based on GNOME 40 (RHEL 8 shipped GNOME 3.28) and the GTK 4 library. In GNOME 40, virtual desktops in the Activities Overview have been switched to a landscape orientation and are displayed as a continuous chain scrolling from left to right. Each desktop shown in the overview provides a visual representation of its windows, which are dynamically panned and zoomed as the user interacts. The overview provides a seamless transition between the list of applications and the virtual desktops.
- GNOME has a power-profiles-daemon handler that provides the ability to switch on the fly between power save mode, power balance mode, and maximum performance mode.
- All audio streams have been moved to the PipeWire media server, which is now the default instead of PulseAudio and JACK. Using PipeWire provides professional audio processing capabilities in the regular desktop edition, removes fragmentation and unifies the audio infrastructure for different applications.
- By default, the GRUB boot menu is hidden if RHEL is the only distribution installed on the system and the last boot was successful. To display the menu during boot, hold down the Shift key or press Esc or F8 several times. Among the other bootloader changes, the GRUB configuration files for all architectures are now placed in the same /boot/grub2/ directory (the /boot/efi/EFI/redhat/grub.cfg file is now a symbolic link to /boot/grub2/grub.cfg), i.e. the same installed system can be booted using either EFI or BIOS.
- Components for support of various languages are placed in langpacks packages, allowing you to vary the level of installed language support. For example, the langpacks-core-font package offers only fonts, langpacks-core provides the glibc locale, base font, and input method, and langpacks provides translations, additional fonts, and spelling dictionaries.
- Updated security components. The distribution includes the new OpenSSL 3.0 branch. By default, more modern and secure cryptographic algorithms are enabled: for example, the use of SHA-1 in TLS, DTLS, SSH, IKEv2 and Kerberos is disabled, and TLS 1.0, TLS 1.1, DTLS 1.0, RC4, Camellia, DSA, 3DES and FFDHE-1024 are disabled. The OpenSSH package has been updated to version 8.6p1. Cyrus SASL has moved to a GDBM backend instead of Berkeley DB. The NSS (Network Security Services) libraries no longer support the DBM (Berkeley DB) format. GnuTLS has been updated to version 3.7.2.
- Significantly improved SELinux performance and reduced memory consumption. Removed support for setting “SELINUX=disabled” to disable SELinux in /etc/selinux/config (the specified setting now only disables policy loading, and actually disabling SELinux functionality now requires passing “selinux=0” to the kernel).
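The distinction above (a config-file "disabled" no longer switches SELinux off; only the kernel parameter does) is easy to misjudge in an audit. The following POSIX shell script is an added example, not code from the page or from Red Hat, that classifies the effective SELinux state from the two inputs involved. It assumes the RHEL 9 semantics described in the bullet above and takes the file paths as parameters so it can be run against /etc/selinux/config and /proc/cmdline on a live host or against constructed copies.

```shell
# Added example: work out what SELinux is really doing on a RHEL 9 host.
# Assumes the semantics described above: SELINUX=disabled in the config only
# skips policy loading, while "selinux=0" on the kernel command line is what
# actually disables the LSM. Paths are parameters; nothing here is hard-coded.

# selinux_config_mode CONFIG_FILE
#   prints the SELINUX= value from the config (last one wins); if the key is
#   absent, prints "enforcing", which is what an unset value falls back to
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-enforcing}"
}

# kernel_selinux_disabled CMDLINE_FILE
#   succeeds (exit 0) only if "selinux=0" appears as a whole token
kernel_selinux_disabled() {
    grep -Eq '(^|[[:space:]])selinux=0([[:space:]]|$)' "$1"
}

# effective_selinux_state CONFIG_FILE CMDLINE_FILE -> prints one of:
#   kernel-disabled    the LSM was disabled at boot (selinux=0)
#   policy-not-loaded  config says "disabled", but the LSM is still active
#                      with no policy loaded (the RHEL 9 behaviour)
#   permissive         policy loaded, denials logged but not enforced
#   enforcing          policy loaded and enforced
effective_selinux_state() {
    if kernel_selinux_disabled "$2"; then
        printf 'kernel-disabled\n'
        return 0
    fi
    case "$(selinux_config_mode "$1")" in
        disabled)   printf 'policy-not-loaded\n' ;;
        permissive) printf 'permissive\n' ;;
        *)          printf 'enforcing\n' ;;
    esac
}

# Demo on constructed inputs (not the host's real files): run with --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$tmp/config"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro\n' > "$tmp/cmdline"
    effective_selinux_state "$tmp/config" "$tmp/cmdline"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro selinux=0\n' > "$tmp/cmdline"
    effective_selinux_state "$tmp/config" "$tmp/cmdline"
    rm -rf "$tmp"
fi
```

On a real host, `effective_selinux_state /etc/selinux/config /proc/cmdline` gives the answer; a result of `policy-not-loaded` means the machine is neither protected nor truly disabled, which is exactly the case a configuration review should flag.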
- Added experimental support for the WireGuard VPN.
- By default, SSH login as root is disabled.
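Whether that default survives on a given host depends on how sshd resolves the option: sshd keeps the first value it reads for a keyword, so a directive in an included drop-in file read before the main body wins over a later one. The POSIX shell script below is an added example, not code from the page or from the OpenSSH project, that reports the effective PermitRootLogin value with that first-match rule. It assumes that the caller passes the files in the order sshd reads them (on RHEL 9 that means the /etc/ssh/sshd_config.d/*.conf drop-ins pulled in by the Include at the top of /etc/ssh/sshd_config, then the main file itself) and takes paths as parameters so it can run against constructed files.

```shell
# Added example: determine the effective PermitRootLogin value.
# sshd uses the FIRST value it reads for an option, so FILE... must be given
# in the order sshd reads them (assumption: drop-ins from
# /etc/ssh/sshd_config.d/*.conf first, then /etc/ssh/sshd_config).

# sshd_first_value OPTION FILE...
#   prints the first value of OPTION found while scanning the files in order
#   (keyword/value separated by whitespace or "=", case-insensitive keyword);
#   returns 1 and prints nothing if the option is never set
sshd_first_value() {
    opt=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        val=$(awk -v o="$opt" '
            { sub(/^[[:space:]]+/, ""); sub(/=/, " ") }   # normalise "Key=Value"
            /^#/ || NF == 0 { next }                     # skip comments, blanks
            tolower($1) == tolower(o) { print $2; exit } # first match wins
        ' "$f")
        if [ -n "$val" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done
    return 1
}

# root_login_state FILE... -> one of:
#   disabled  PermitRootLogin no
#   enabled   PermitRootLogin yes
#   limited   prohibit-password / without-password / forced-commands-only
#   default   option unset (upstream OpenSSH then behaves as prohibit-password)
#   unknown   any other value
root_login_state() {
    v=$(sshd_first_value PermitRootLogin "$@") || { printf 'default\n'; return 0; }
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        no)  printf 'disabled\n' ;;
        yes) printf 'enabled\n' ;;
        prohibit-password|without-password|forced-commands-only) printf 'limited\n' ;;
        *)   printf 'unknown\n' ;;
    esac
}
```

Typical use on a host: `root_login_state /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config`. A result of `enabled` when the main file says `no` tells you a drop-in reached sshd first; `sshd -T | grep -i permitrootlogin` is the authoritative cross-check since it prints sshd's own resolved configuration.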
- The iptables-nft packet filter management tools (the iptables, ip6tables, ebtables and arptables utilities) and ipset have been deprecated; nftables should be used to manage the firewall.
- A new mptcpd daemon is included for configuring MPTCP (MultiPath TCP), an extension of the TCP protocol for organizing the operation of a TCP connection with the delivery of packets simultaneously along several routes through different network interfaces bound to different IP addresses. Using mptcpd makes it possible to configure MPTCP without using the iproute2 utility.
- The network-scripts package has been removed; NetworkManager should be used to configure network connections. Support for the ifcfg settings format has been retained, but NetworkManager now defaults to the keyfile format.
- New versions of compilers and developer tools included: GCC 11.2, LLVM/Clang 12.0.1, Rust 1.54, Go 1.16.6, Node.js 16, OpenJDK 17, Perl 5.32, PHP 8.0, Python 3.9, Ruby 3.0, Git 2.31, Subversion 1.14, binutils 2.35, CMake 3.20.2, Maven 3.6, Ant 1.10.
- Updated server packages: Apache HTTP Server 2.4.48, nginx 1.20, Varnish Cache 6.5, Squid 5.1.
- Updated DBMS: MariaDB 10.5, MySQL 8.0, PostgreSQL 13, Redis 6.2.
- By default, Clang is used to build the QEMU emulator, which allowed some additional protection mechanisms to be applied in the KVM hypervisor, such as SafeStack to protect against Return-Oriented Programming (ROP) exploitation methods.
- In SSSD (System Security Services Daemon), logging has been made more detailed: for example, task completion times are now attached to events and the authentication flow is reflected in the log. A search tool has been added for analyzing configuration and performance issues.
- Support for IMA (Integrity Measurement Architecture) has been expanded to check the integrity of operating system components using digital signatures and hashes.
- By default, a single unified cgroup hierarchy (cgroup v2) is enabled. Cgroups v2 can be used, for example, to limit memory, CPU, and I/O consumption. The key difference between cgroups v2 and v1 is the use of a common cgroups hierarchy for all resource types, instead of separate hierarchies for CPU allocation, memory management, and I/O. Separate hierarchies led to difficulties in organizing interaction between handlers and to additional costs of kernel resources when applying rules for a process mentioned in different hierarchies.
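The "single hierarchy versus one mount per controller" difference is visible directly in the mount table, which makes it a cheap thing to check before deploying container runtimes or resource-limit policies written for one model. The POSIX shell script below is an added example, not code from the page or from Red Hat, that classifies a host's cgroup layout from a /proc/mounts-style file (source, mount point, fstype, options per line). The path is a parameter so it can be run against /proc/mounts on a live system or against constructed copies.

```shell
# Added example: classify the cgroup layout from a /proc/mounts-style file.
# Format assumed per line: "<source> <mountpoint> <fstype> <options> 0 0".
# cgroup v1 appears as one "cgroup" mount per controller hierarchy;
# cgroup v2 appears as a single "cgroup2" mount (on RHEL 9, at /sys/fs/cgroup).

# cgroup_v1_count FILE -> number of legacy per-controller cgroup mounts
cgroup_v1_count() {
    awk '$3 == "cgroup" { n++ } END { print n + 0 }' "$1"
}

# cgroup_v2_count FILE -> number of unified cgroup2 mounts (0 or 1 normally)
cgroup_v2_count() {
    awk '$3 == "cgroup2" { n++ } END { print n + 0 }' "$1"
}

# cgroup_v1_controllers FILE -> the controllers that have their own v1
#   hierarchy, one per line, taken from the mount option list
cgroup_v1_controllers() {
    awk '$3 == "cgroup" {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            # everything that is not a generic mount flag is a controller name
            if (opt[i] !~ /^(rw|ro|nosuid|nodev|noexec|relatime|noatime)$/) print opt[i]
    }' "$1"
}

# cgroup_mode FILE -> unified | hybrid | legacy | none
cgroup_mode() {
    v1=$(cgroup_v1_count "$1")
    v2=$(cgroup_v2_count "$1")
    if   [ "$v2" -gt 0 ] && [ "$v1" -eq 0 ]; then printf 'unified\n'
    elif [ "$v2" -gt 0 ];                     then printf 'hybrid\n'
    elif [ "$v1" -gt 0 ];                     then printf 'legacy\n'
    else                                           printf 'none\n'
    fi
}
```

`cgroup_mode /proc/mounts` on a default RHEL 9 install is expected to print `unified`; on a host booted with `systemd.unified_cgroup_hierarchy=0`, `cgroup_v1_controllers` lists the separate cpu, memory, blkio and other hierarchies that the paragraph above describes as the source of the v1 coordination overhead.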
- Added support for precise time synchronization based on the NTS (Network Time Security) protocol, which uses elements of a public key infrastructure (PKI) and allows TLS and AEAD (Authenticated Encryption with Associated Data) to be used for cryptographic protection of client-server exchanges over NTP (Network Time Protocol). The chrony NTP server has been updated to version 4.1.
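NTS protects a time source only when that source is actually configured with the `nts` option in chrony.conf; a single unauthenticated fallback source still leaves a time-shifting path open. The POSIX shell script below is an added example, not code from the page or from the chrony project, that lists the `server`, `pool` and `peer` sources in a chrony configuration that lack the `nts` option. It assumes chrony 4.x source syntax (`server <host> [options...]`, with `nts` as one of the options) and takes the config path as a parameter so it can run on /etc/chrony.conf or on a constructed file; the host names in the test are constructed.

```shell
# Added example: find chrony time sources that are not protected by NTS.
# Assumes chrony 4.x syntax: "server|pool|peer <address> [option ...]" where
# "nts" among the options enables Network Time Security for that source.

# nts_unprotected_sources CHRONY_CONF -> addresses of sources lacking "nts",
#   one per line (comments and blank lines are ignored)
nts_unprotected_sources() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "server" || $1 == "pool" || $1 == "peer" {
            has_nts = 0
            for (i = 3; i <= NF; i++) if ($i == "nts") has_nts = 1
            if (!has_nts) print $2
        }
    ' "$1"
}

# nts_source_count CHRONY_CONF -> number of sources that DO carry "nts"
nts_source_count() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "server" || $1 == "pool" || $1 == "peer" {
            for (i = 3; i <= NF; i++) if ($i == "nts") { n++; break }
        }
        END { print n + 0 }
    ' "$1"
}

# nts_audit CHRONY_CONF -> "ok" if every source uses NTS and at least one
#   source exists, "mixed" if some do and some do not, "none" otherwise
nts_audit() {
    unprot=$(nts_unprotected_sources "$1" | awk 'END { print NR }')
    prot=$(nts_source_count "$1")
    if   [ "$prot" -gt 0 ] && [ "$unprot" -eq 0 ]; then printf 'ok\n'
    elif [ "$prot" -gt 0 ];                         then printf 'mixed\n'
    else                                                 printf 'none\n'
    fi
}
```

After fixing the configuration, `chronyc -N authdata` on the host shows, per source, whether an NTS-KE session was established and which AEAD is in use; a source listed there without a key ID is one that is still unauthenticated.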
- Provided experimental (Technology Preview) support for KTLS (TLS implementation at the kernel level), Intel SGX (Software Guard Extensions), DAX (Direct Access) for ext4 and XFS, support for AMD SEV and SEV-ES in the KVM hypervisor.