Chapter 7. Deprecated functionality

Deprecated Kickstart commands

The following Kickstart commands have been deprecated: timezone --ntpservers timezone --nontp logging --level %packages --excludeWeakdeps %packages --instLangs %anaconda pwpolicy Note that where only specific options are listed, the base command and its other options are still available and not deprecated. Using the deprecated commands in Kickstart files prints a warning in the logs. You can turn the deprecated command warnings into errors with the inst.ksstrict boot option. (BZ#1899167)

Setting the TMPDIR variable in the ReaR configuration file is deprecated

Setting the TMPDIR environment variable in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file), by using a statement such as export TMPDIR=…​ , does not work and is deprecated. To specify a custom directory for ReaR temporary files, export the variable in the shell environment before executing ReaR. For example, execute the export TMPDIR=…​ statement and then execute the rear command in the same shell session or script. Jira:RHELDOCS-18049

SHA-1 is deprecated for cryptographic purposes

The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases. Among the exceptions, the HMAC-SHA1 message authentication code and the Universal Unique Identifier (UUID) values can still be created using SHA-1 because these use cases do not currently pose security risks. SHA-1 also can be used in limited cases connected with important interoperability and compatibility concerns, such as Kerberos and WPA-2. See the List of RHEL applications using cryptography that is not compliant with FIPS 140-3 section in the RHEL 9 Security hardening document for more details. If your scenario requires the use of SHA-1 for verifying existing or third-party cryptographic signatures, you can enable it by entering the following command:

# update-crypto-policies --set DEFAULT:SHA1

Alternatively, you can switch the system-wide crypto policies to the LEGACY policy. Note that LEGACY also enables many other algorithms that are not secure. (JIRA:RHELPLAN-110763)

ipset and iptables-nft have been deprecated

The ipset and iptables-nft packages have been deprecated in RHEL. The iptables-nft package contains different tools such as iptables , ip6tables , ebtables and arptables . These tools will no longer receive new features and using them for new deployments is not recommended. As a replacement, prefer using the nft command-line tool provided by the nftables package. Existing setups should migrate to nft if possible. When you load the iptables , ip6tables , ebtables , arptables , nft_compat , or ipset module, the module logs the following warning to the /var/log/messages file:

Warning: <module_name> - this driver is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes will be limited to critical issues. Please contact Red Hat Support for additional information.

For more information on migrating to nftables, see Migrating from iptables to nftables , as well as the iptables-translate(8) and ip6tables-translate(8) man pages. ( BZ#1945151 )

ATM encapsulation is deprecated in RHEL 9

Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, Ethernet) or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Red Hat has not been providing support for ATM NIC drivers since RHEL 7. The support for ATM implementation is being dropped in RHEL 9. These protocols are currently used only in chipsets, which support the ADSL technology and are being phased out by manufacturers. Therefore, ATM encapsulation is deprecated in Red Hat Enterprise Linux 9. For more information, see PPP Over AAL5 , Multiprotocol Encapsulation over ATM Adaptation Layer 5 , and Classical IP and ARP over ATM . ( BZ#2058153 )

lvm2-activation-generator and its generated services removed in RHEL 9.0

The lvm2-activation-generator program and its generated services lvm2-activation , lvm2-activation-early , and lvm2-activation-net are removed in RHEL 9.0. The lvm.conf event_activation setting, used to activate the services, is no longer functional. The only method for auto activating volume groups is event based activation. ( BZ#2038183 )

libdb has been deprecated

RHEL 8 and RHEL 9 currently provide Berkeley DB ( libdb ) version 5.3.28, which is distributed under the LGPLv2 license. The upstream Berkeley DB version 6 is available under the AGPLv3 license, which is more restrictive. The libdb package is deprecated as of RHEL 9 and might not be available in future major RHEL releases. In addition, cryptographic algorithms have been removed from libdb in RHEL 9 and multiple libdb dependencies have been removed from RHEL 9. Users of libdb are advised to migrate to a different key-value database. For more information, see the Knowledgebase article Available replacements for the deprecated Berkeley DB (libdb) in RHEL . (BZ#1927780, BZ#1974657 , JIRA:RHELPLAN-80695)

SHA-1 in OpenDNSSec is now deprecated

OpenDNSSec supports exporting Digital Signatures and authentication records using the SHA-1 algorithm. The use of the SHA-1 algorithm is no longer supported. With the RHEL 9 release, SHA-1 in OpenDNSSec is deprecated and it might be removed in a future minor release. Additionally, OpenDNSSec support is limited to its integration with Red Hat Identity Management. OpenDNSSec is not supported standalone. ( BZ#1979521 )

[domain/local]
id_provider=files
								Enable the files provider by setting enable_files_domain=true in the sssd.conf configuration file.
							
[sssd]
enable_files_domain = true

# authselect enable-feature with-files-provider

The SMB1 protocol is deprecated in Samba

Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release. To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. Jira:RHELDOCS-16612

X.org Server is now deprecated

The X.org display server is deprecated, and will be removed in a future major RHEL release. The default desktop session is now the Wayland session in most cases. The X11 protocol remains fully supported using the XWayland back end. As a result, applications that require X11 can run in the Wayland session. Red Hat is working on resolving the remaining problems and gaps in the Wayland session. For the outstanding problems in Wayland , see the Known issues section. You can switch your user session back to the X.org back end. For more information, see Selecting GNOME environment and display protocol . (JIRA:RHELPLAN-121048)

The networking system role displays a deprecation warning when configuring teams on RHEL 9 nodes

The network teaming capabilities have been deprecated in RHEL 9. As a result, using the networking RHEL system role on an RHEL 8 controller to configure a network team on RHEL 9 nodes, shows a warning about its deprecation. ( BZ#1999770 )

SecureBoot image verification using SHA1-based signatures is deprecated

Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) executables has become deprecated. Instead, Red Hat recommends using signatures based on the SHA2 algorithm, or later. (BZ#1935497)

Running RHEL 9 containers on a RHEL 7 host is not supported

Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not guaranteed. For more information, see Red Hat Enterprise Linux Container Compatibility Matrix . (JIRA:RHELPLAN-100087)