8.0 Release Notes

A firewall interface has been added to the web console

The Networking page in the RHEL 8 web console now includes a Firewall section. In this section, users can enable or disable the firewall, as well as add, remove, and modify firewall rules. (BZ#1647110)

Installing RHEL from a DVD using SE and HMC is now fully supported on IBM Z

The installation of Red Hat Enterprise Linux 8 on IBM Z hardware from a DVD using the Support Element (SE) and Hardware Management Console (HMC) is now fully supported. This addition simplifies the installation process on IBM Z with SE and HMC . When booting from a binary DVD, the installer prompts the user to enter additional kernel parameters. To set the DVD as an installation source, append inst.repo=hmc to the kernel parameters. The installer then enables SE and HMC file access, fetches the images for stage2 from the DVD, and provides access to the packages on the DVD for software selection. The new feature eliminates the requirement of an external network setup and expands the installation options. (BZ#1500792)

Kernel version in RHEL 8.0

Red Hat Enterprise Linux 8.0 is distributed with the kernel version 4.18.0-80. (BZ#1797671)

YUM performance improvement and support for modular content

On Red Hat Enterprise Linux 8, installing software is ensured by the new version of the YUM tool, which is based on the DNF technology ( YUM v4 ). YUM v4 has the following advantages over the previous YUM v3 used on RHEL 7: Increased performance Support for modular content Well-designed stable API for integration with tooling For detailed information about differences between the new YUM v4 tool and the previous version YUM v3 from RHEL 7, see Changes in DNF CLI compared to YUM . YUM v4 is compatible with YUM v3 when using from the command line, editing or creating configuration files. For installing software, you can use the yum command and its particular options in the same way as on RHEL 7. Selected yum plug-ins and utilities have been ported to the new DNF back end, and can be installed under the same names as in RHEL 7. They also provide compatibility symlinks, so the binaries, configuration files and directories can be found in usual locations. Note that the legacy Python API provided by YUM v3 is no longer available. Users are advised to migrate their plug-ins and scripts to the new API provided by YUM v4 (DNF Python API), which is stable and fully supported. The DNF Python API is available at DNF API Reference . The Libdnf and Hawkey APIs (both C and Python) are unstable, and will likely change during Red Hat Enterprise Linux 8 life cycle. For more details on changes of YUM packages and tools availability, see Considerations in adopting RHEL 8 . Some of the YUM v3 features may behave differently in YUM v4 . If any such change negatively impacts your workflows, please open a case with Red Hat Support, as described in How do I open and manage a support case on the Customer Portal? (BZ#1581198)

Notable changes in the recommended Tuned profile in RHEL 8

With this update, the recommended Tuned profile (reported by the tuned-adm recommend command) is now selected based on the following rules - the first rule that matches takes effect: If the syspurpose role (reported by the syspurpose show command) contains atomic , and at the same time: if Tuned is running on bare metal, the atomic-host profile is selected if Tuned is running in a virtual machine, the atomic-guest profile is selected If Tuned is running in a virtual machine, the virtual-guest profile is selected If the syspurpose role contains desktop or workstation and the chassis type (reported by dmidecode ) is Notebook , Laptop , or Portable , then the balanced profile is selected If none of the above rules matches, the throughput-performance profile is selected (BZ#1565598)

The nobody user replaces nfsnobody

In Red Hat Enterprise Linux 7, there was: the nobody user and group pair with the ID of 99, and the nfsnobody user and group pair with the ID of 65534, which is the default kernel overflow ID, too. Both of these have been merged into the nobody user and group pair, which uses the 65534 ID in Red Hat Enterprise Linux 8. New installations no longer create the nfsnobody pair. This change reduces the confusion about files that are owned by nobody but have nothing to do with NFS. (BZ#1591969)

Python 3 is the default Python implementation in RHEL 8

Red Hat Enterprise Linux 8 is distributed with Python 3.6 . The package might not be installed by default. To install Python 3.6 , use the yum install python3 command. Python 2.7 is available in the python2 package. However, Python 2 will have a shorter life cycle and its aim is to facilitate a smoother transition to Python 3 for customers. Neither the default python package nor the unversioned /usr/bin/python executable is distributed with RHEL 8. Customers are advised to use python3 or python2 directly. Alternatively, administrators can configure the unversioned python command using the alternatives command. For more information, see Introduction to Python . (BZ#1580387)

pathfix.py -pn -i %{__python3} PATH ...

[mysqld]
default_authentication_plugin=caching_sha2_password

GNOME Shell, version 3.28 in RHEL 8

GNOME Shell, version 3.28 is available in Red Hat Enterprise Linux (RHEL) 8. Notable enhancements include: New GNOME Boxes features New on-screen keyboard Extended devices support, most significantly integration for the Thunderbolt 3 interface Improvements for GNOME Software, dconf-editor and GNOME Terminal (BZ#1649404)

# gsettings set org.gnome.mutter experimental-features "['scale-monitor-framebuffer']"

Firmware updates using fwupd are available

RHEL 8 supports firmware updates, such as UEFI capsule, Device Firmware Upgrade (DFU), and others, using the fwupd daemon. The daemon allows session software to update device firmware on a local machine automatically. To view and apply updates, you can use: A GUI software manager, such as GNOME Software The fwupdmgr command-line tool The metadata files are automatically downloaded from the Linux Vendor Firmware Service (LVFS) secure portal, and submitted into fwupd over D-Bus. The updates that need to be applied are downloaded displaying user notifications and update details. The user must explicitly agree with the firmware update action before the update is performed. Note that the access to LVFS is disabled by default. To enable the access to LVFS, either click the slider in the sources dialog in GNOME Software, or run the fwupdmgr enable-remote lvfs command. If you use fwupdmgr to get the updates list, you will be asked if you want to enable LVFS. With access to LVFS, you will get firmware updates directly from the hardware vendor. Note that such updates have not been verified by Red Hat QA. (BZ#1504934)

New password syntax checks in Directory Server

This enhancement adds new password syntax checks to Directory Server. Administrators can now, for example, enable dictionary checks, allow or deny using character sequences and palindromes. As a result, if enabled, the password policy syntax check in Directory Server enforces more secure passwords. (BZ#1334254)

p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2

Boost updated to version 1.66

The Boost C++ library has been updated to upstream version 1.66. The version of Boost included in Red Hat Enterprise Linux 7 is 1.53. For details, see the upstream changelogs: https://www.boost.org/users/history/ This update introduces the following changes breaking compatibility with previous versions: The bs_set_hook() function, the splay_set_hook() function from splay containers, and the bool splay = true extra parameter in the splaytree_algorithms() function in the Intrusive library have been removed. Comments or string concatenation in JSON files are no longer supported by the parser in the Property Tree library. Some distributions and special functions from the Math library have been fixed to behave as documented and raise an overflow_error instead of returning the maximum finite value. Some headers from the Math library have been moved into the directory libs/math/include_private . Behavior of the basic_regex<>::mark_count() and basic_regex<>::subexpression(n) functions from the Regex library has been changed to match their documentation. Use of variadic templates in the Variant library may break metaprogramming functions. The boost::python::numeric API has been removed. Users can use boost::python::numpy instead. Arithmetic operations on pointers to non-object types are no longer provided in the Atomic library. (BZ#1494495)

Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)

DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL. DIF/DIX is not supported on the following configurations: It is not supported for use on the boot device. It is not supported on virtualized guests. Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled. DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent. For further information on the DIF/DIX feature, see What is DIF/DIX . (BZ#1649493)

# mkfs.xfs -m reflink=0 block-device

lpfc_enable_fc4_type=3

qla2xxx.ql2xnvmeenable=1

New pcs commands to list available watchdog devices and test watchdog devices

In order to configure SBD with Pacemaker, a functioning watchdog device is required. This release supports the pcs stonith sbd watchdog list command to list available watchdog devices on the local node, and the pcs stonith sbd watchdog test command to test a watchdog device. For information on the sbd command line tool, see the sbd (8) man page. (BZ#1578891)

nftables replaces iptables as the default network packet filtering framework

The nftables framework provides packet classification facilities and it is the designated successor to the iptables , ip6tables , arptables , and ebtables tools. It offers numerous improvements in convenience, features, and performance over previous packet-filtering tools, most notably: lookup tables instead of linear processing a single framework for both the IPv4 and IPv6 protocols rules all applied atomically instead of fetching, updating, and storing a complete ruleset support for debugging and tracing in the ruleset ( nftrace ) and monitoring trace events (in the nft tool) more consistent and compact syntax, no protocol-specific extensions a Netlink API for third-party applications Similarly to iptables , nftables use tables for storing chains. The chains contain individual rules for performing actions. The nft tool replaces all tools from the previous packet-filtering frameworks. The libnftables library can be used for low-level interaction with nftables Netlink API over the libmnl library. The iptables , ip6tables , ebtables and arptables tools are replaced by nftables-based drop-in replacements with the same name. While external behavior is identical to their legacy counterparts, internally they use nftables with legacy netfilter kernel modules through a compatibility interface where required. Effect of the modules on the nftables ruleset can be observed using the nft list ruleset command. Since these tools add tables, chains, and rules to the nftables ruleset, be aware that nftables rule-set operations, such as the nft flush ruleset command, might affect rule sets installed using the formerly separate legacy commands. To quickly identify which variant of the tool is present, version information has been updated to include the back-end name. In RHEL 8, the nftables-based iptables tool prints the following version string:

$ iptables --version
iptables v1.8.0 (nf_tables)

For comparison, the following version information is printed if legacy iptables tool is present:

$ iptables --version
iptables v1.8.0 (legacy)

(BZ#1644030)

| % iptables-translate -A INPUT -j CHECKSUM --checksum-fill
| nft # -A INPUT -j CHECKSUM --checksum-fill

| % sudo iptables-save >/tmp/iptables.dump
| % iptables-restore-translate -f /tmp/iptables.dump
| # Translated by iptables-restore-translate v1.8.0 on Wed Oct 17 17:00:13 2018
| add table ip nat
| ...

SWID tag of the RHEL 8.0 release

To enable identification of RHEL 8.0 installations using the ISO/IEC 19770-2:2015 mechanism, software identification (SWID) tags are installed in files /usr/lib/swidtag/redhat.com/com.redhat.RHEL-8-<architecture>.swidtag and /usr/lib/swidtag/redhat.com/com.redhat.RHEL-8.0-<architecture>.swidtag . The parent directory of these tags can also be found by following the /etc/swid/swidtags.d/redhat.com symbolic link. The XML signature of the SWID tag files can be verified using the xmlsec1 verify command, for example:

xmlsec1 verify --trusted-pem /etc/pki/swid/CA/redhat.com/redhatcodesignca.cert /usr/share/redhat.com/com.redhat.RHEL-8-x86_64.swidtag

The certificate of the code signing certification authority can also be obtained from the Product Signing Keys page on the Customer Portal. (BZ#1636338)

# systemctl mask [email protected]

# semanage boolean -l

   allow source_domain  target_type:process2 { nnp_transition nosuid_transition };

   allow init_t fprintd_t:process2 { nnp_transition nosuid_transition };

qemu-kvm 2.12 in RHEL 8

Red Hat Enterprise Linux 8 is distributed with qemu-kvm 2.12. This version fixes multiple bugs and adds a number of enhancements over the version 1.5.3, available in Red Hat Enterprise Linux 7. Notably, the following features have been introduced: Q35 guest machine type UEFI guest boot NUMA tuning and pinning in the guest vCPU hot plug and hot unplug guest I/O threading Note that some of the features available in qemu-kvm 2.12 are not supported on Red Hat Enterprise Linux 8. For detailed information, see "Feature support and limitations in RHEL 8 virtualization" on the Red Hat Customer Portal. (BZ#1559240)

sosreport can report eBPF-based programs and maps

The sosreport tool has been enhanced to report any loaded extended Berkeley Packet Filtering (eBPF) programs and maps in Red Hat Enterprise Linux 8. (BZ#1559836)

PackageKit can now operate on rpm packages

With this update, the support for operating on rpm packages has been added into PackageKit . (BZ#1559414)

QEMU does not handle 8-byte ggtt entries correctly

QEMU occasionally splits an 8-byte ggtt entry write to two consecutive 4-byte writes. Each of these partial writes can trigger a separate host ggtt write. Sometimes the two ggtt writes are combined incorrectly. Consequently, translation to a machine address fails, and an error log occurs. (BZ#1598776)

The Enterprise Security Client uses the opensc library for token detection

Red Hat Enterprise Linux 8.0 only supports the opensc library for smart cards. With this update, the Enterprise Security Client (ESC) use opensc for token detection instead of the removed coolkey library. As a result, applications correctly detect supported tokens. (BZ#1538645)

GCC no longer produces false positive warnings about out-of-bounds access

Previously, when compiling with the -O3 optimization level option, the GNU Compiler Collection (GCC) occasionally returned a false positive warning about an out-of-bounds access, even if the compiled code did not contain it. The optimization has been fixed and GCC no longer displays the false positive warning. (BZ#1246444)

Higher print levels no longer cause iscsiadm to terminate unexpectedly

Previously, the iscsiadm utility terminated unexpectedly when the user specified a print level higher than 0 with the --print or -P option. This problem has been fixed, and all print levels now work as expected. (BZ#1582099)

New /etc/sysconfig/pcsd option to reject client-initiated SSL/TLS renegotiation

When TLS renegotiation is enabled on the server, a client is allowed to send a renegotiation request, which initiates a new handshake. Computational requirements of a handshake are higher on a server than on a client. This makes the server vulnerable to DoS attacks. With this fix, the setting PCSD_SSL_OPTIONS in the /etc/sysconfig/pcsd configuration file accepts the OP_NO_RENEGOTIATION option to reject renegotiations. Note that the client can still open multiple connections to a server with a handshake performed in all of them. (BZ#1566430)

Weak TLS algorithms are no longer allowed for glib-networking

Previously, the glib-networking package was not compatible with RHEL 8 System-wide Crypto Policy. As a consequence, applications using the glib library for networking might allow Transport Layer Security (TLS) connections using weak algorithms than the administrator intended. With this update, the system-wide crypto policy is applied, and now applications using glib for networking allow only TLS connections that are acceptable according to the policy. (BZ#1640534)

SELinux policy now allows iscsiuio processes to connect to the discovery portal

Previously, SELinux policy was too restrictive for iscsiuio processes and these processes were not able to access /dev/uio* devices using the mmap system call. As a consequence, connection to the discovery portal failed. This update adds the missing rules to the SELinux policy and iscsiuio processes work as expected in the described scenario. (BZ#1626446)

dnf and yum can now access the repos regardless of subscription-manager values

Previously, the dnf or yum commands ignored the https:// prefix from a URL added by the subscription-manager service. The updated dnf or yum commands do not ignore invalid https:// URLs. As a consequence, dnf and yum failed to access the repos. To fix the problem, a new configuration variable, proxy_scheme has been added to the /etc/rhsm/rhsm.conf file and the value can be set to either http or https . If no value is specified, subscription-manager set http by default which is more commonly used. Note that if the proxy uses http , most users should not change anything in the configuration in /etc/rhsm/rhsm.conf . If the proxy uses https , users should update the value of proxy_scheme to https . Then, in both cases, users need to run the subscription-manager repos --list command or wait for the rhsmcertd daemon process to regenerate the /etc/yum.repos.d/redhat.repo properly. ( BZ#1654531 )

Mounting ephemeral disks on Azure now works more reliably

Previously, mounting an ephemeral disk on a virtual machine (VM) running on the Microsoft Azure platform failed if the VM was "stopped(deallocated)" and then started. This update ensures that reconnecting disks is handled correctly in the described circumstances, which prevents the problem from occurring. (BZ#1615599)

eBPF available as a Technology Preview

The extended Berkeley Packet Filtering (eBPF) feature is available as a Technology Preview for both networking and tracing. eBPF enables the user space to attach custom programs onto a variety of points (sockets, trace points, packet reception) to receive and process data. The feature includes a new system call bpf() , which supports creating various types of maps, and also to insert various types of programs into the kernel. Note that the bpf() syscall can be successfully used only by a user with the CAP_SYS_ADMIN capability, such as a root user. See the bpf (2) man page for more information. (BZ#1559616)

VNC remote console available as a Technology Preview for the 64-bit ARM architecture

On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available as a Technology Preview. Note that the rest of the graphics stack is currently unverified for the 64-bit ARM architecture. (BZ#1698565)

The cluster-aware MD RAID1 is available as a technology preview.

RAID1 cluster is not enabled by default in the kernel space. If you want to have a try with RAID1 cluster, you need to build the kernel with RAID1 cluster as a module first, use the following steps: Enter the make menuconfig command. Enter the make && make modules && make modules_install && make install command. Enter the reboot command. ( BZ#1654482 )

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated. Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents: DNSSEC Operational Practices, Version 2: http://tools.ietf.org/html/rfc6781#section-2 Secure Domain Name System (DNS) Deployment Guide: http://dx.doi.org/10.6028/NIST.SP.800-81-2 DNSSEC Key Rollover Timing Considerations: http://tools.ietf.org/html/rfc7583 Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices. ( BZ#1664718 )

Aero adapters available as a Technology Preview

The following Aero adapters are available as a Technology Preview: PCI ID 0x1000:0x00e2 and 0x1000:0x00e6, controlled by the mpt3sas driver PCI ID 0x1000:Ox10e5 and 0x1000:0x10e6, controlled by the megaraid_sas driver (BZ#1663281)

# xfs_info /mount-point | grep ftype

Pacemaker podman bundles available as a Technology Preview

Pacemaker container bundles now run on the podman container platform, with the container bundle feature being available as a Technology Preview. There is one exception to this feature being Technology Preview: Red Hat fully supports the use of Pacemaker bundles for Red Hat Openstack. (BZ#1619620)

XDP available as a Technology Preview

The eXpress Data Path (XDP) feature, which is available as a Technology Preview, provides a means to attach extended Berkeley Packet Filter (eBPF) programs for high-performance packet processing at an early point in the kernel ingress data path, allowing efficient programmable packet analysis, filtering, and manipulation. (BZ#1503672)

The postfix role of RHEL system roles available as a Technology Preview

Red Hat Enterprise Linux system roles provides a configuration interface for Red Hat Enterprise Linux subsystems, which makes system configuration easier through the inclusion of Ansible Roles. This interface enables managing system configurations across multiple versions of Red Hat Enterprise Linux, as well as adopting new major releases. The rhel-system-roles packages are distributed through the AppStream repository. The postfix role is available as a Technology Preview. The following roles are fully supported: kdump network selinux timesync For more information, see the Knowledgebase article about RHEL system roles . (BZ#1812552)

AMD SEV for KVM virtual machines

As a Technology Preview, RHEL 8 introduces the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts VM memory so that the host cannot access data on the VM. This increases the security of the VM if the host is successfully infected by malware. Note that the number of VMs that can use this feature at a time on a single host is determined by the host hardware. Current AMD EPYC processors support up to 15 running VMs using SEV. Also note that for VMs with SEV configured to be able to boot, you must also configure the VM with a hard memory limit. To do so, add the following to the VM’s XML configuration:

<memtune>
  <hard_limit unit='KiB'>N</hard_limit>
</memtune>

The recommended value for N is equal to or greater then the guest RAM + 256 MiB. For example, if the guest is assigned 2 GiB RAM, N should be 2359296 or greater. (BZ#1501618, BZ#1501607)

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line. (JIRA:RHELDOCS-16861)

The --interactive option of the ignoredisk Kickstart command has been deprecated

Using the --interactive option in future releases of Red Hat Enterprise Linux will result in a fatal installation error. It is recommended that you modify your Kickstart file to remove the option. (BZ#1637872)

NFSv3 over UDP has been disabled

The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. This change affects only NFS version 3 because version 4 requires the Transmission Control Protocol (TCP). NFS over UDP is no longer supported in RHEL 8. (BZ#1592011)

Network scripts are deprecated in RHEL 8

Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by default. The basic installation provides a new version of the ifup and ifdown scripts which call the NetworkManager service through the nmcli tool. In Red Hat Enterprise Linux 8, to run the ifup and the ifdown scripts, NetworkManager must be running. Note that custom commands in /sbin/ifup-local , ifdown-pre-local and ifdown-local scripts are not executed. If any of these scripts are required, the installation of the deprecated network scripts in the system is still possible with the following command:

~]# yum install network-scripts

The ifup and ifdown scripts link to the installed legacy network scripts. Calling the legacy network scripts shows a warning about their deprecation. (BZ#1647725)

The rdma_rxe Soft-RoCE driver is deprecated

Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is available as an unsupported Technology Preview. However, due to stability issues, this feature has been deprecated and will be removed in RHEL 9. (BZ#1878207)

DSA is deprecated in RHEL 8

The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level. (BZ#1646541)

# update-crypto-policies --set LEGACY

Virtual machine snapshots are not properly supported in RHEL 8

The current mechanism of creating virtual machine (VM) snapshots has been deprecated, as it is not working reliably. As a consequence, it is recommended not to use VM snapshots in RHEL 8. Note that a new VM snapshot mechanism is under development and will be fully implemented in a future minor release of RHEL 8. ( BZ#1686057 )