RHEL 9 Resources

RHEL 9

RHEL 9 GA Announcement

Update: 18 May 2022. Hot Off the Presses: Red Hat Enterprise Linux 9 has been announced on the Red Hat Blog and the documentation in the Red Hat portal has been updated. I’ve performed a fresh install and it looks really nice!

Update: 17 May 2022. Red Hat Enterprise Linux 9 is now available in the Red Hat portal.

RHEL 9 is now available for download – 17 May 2022

Update: 10 May 2022. At Red Hat Summit on Tuesday 10 May, Red Hat formally unveiled RHEL 9:

RHEL 9 is expected to be available for download from the Red Hat portal next week (week commencing 16 May 2022) and on Azure from 24 May. This post will be updated with links to the official documentation as the product is released.

Press and forum links

Official Documentation

RHEL 9 Beta

Red Hat announced the beta release of Red Hat Enterprise Linux 9 in the blog post What’s new in Red Hat Enterprise Linux 9 Beta on 3 November 2021.

Let’s have a look at some facts about the beta:

  • The release has a codename of ‘Plow’ (following on from Ootpa, which was the name for RHEL 8)
  • The kernel is based on 5.14.0 (versus 4.18.0 in RHEL8)
  • glibc is at version 2.34
  • systemd is at version 249
  • python is at version 3.9
  • bash is at version 5.1.8
  • dnf is at version 4.10
  • rpm is at version 4.16
  • sudo is at version 1.9.5
  • The release is based on Fedora 34 (list of changes in Fedora 34)

Official Documentation – Beta

Press and forum links – Beta

What to expect

On 23 February 2022, the Red Hat Enterprise Linux YouTube Channel hosted an hour-long overview of what to expect in RHEL 9.0.

https://www.youtube.com/watch?v=YHeXhlAWqWc

Notes

This post is not endorsed or affiliated with Red Hat – the information provided is based on experience, documentation and publicly available information. Feel free to leave feedback at the end of this page if anything needs correction.
For an up to date roadmap discussion on RHEL please contact your Red Hat Account rep.

Getting Started

The easiest way to get the RHEL 9 Beta is to sign up for the no-cost developer program. Once done you can download a QCOW image, Boot ISO or Binary DVD from the Red Hat portal by clicking on the Downloads link in the top bar, and first selecting Red Hat Enterprise Linux 8. On the following page change the ‘product variant’ to ‘Red Hat Enterprise Linux for x86_64 Beta’ and the page should refresh with ‘9.0 Beta (latest)’.

Alternatively, you can follow this link: No-cost RHEL for developers subscription

Updates

Be aware that as of 16 January 2022, Red Hat had published three dated sets of ISOs: one with a modification date of 30 October 2021, one with a modification date of 8 December 2021 (labelled Update 1) and another with a modification date of 11 January 2022 (labelled Update 2). You will most likely want the most up to date version. (Note that the link on the developers website wasn’t updated for update 1 or 2 when I visited on 13 January.)

Revisiting the Red Hat Enterprise Linux for x86_64 Beta 9 in the middle of February 2022, we saw that Update 3 had been released; in March 2022 we have Update 4 and in April 2022 we have Update 5. Here’s a quick table to summarise:

| Label | Modified Date |
| --- | --- |
| Red Hat Enterprise Linux 9.0 Beta Binary DVD | 2021-10-30 |
| Red Hat Enterprise Linux 9.0 Beta Update 1 Binary DVD | 2021-12-08 |
| Red Hat Enterprise Linux 9.0 Beta Update 2 Binary DVD | 2022-01-11 |
| Red Hat Enterprise Linux 9.0 Beta Update 3 Binary DVD | 2022-02-01 |
| Red Hat Enterprise Linux 9.0 Beta Update 4 Binary DVD | 2022-03-01 |
| Red Hat Enterprise Linux 9.0 Beta Update 5 Binary DVD | 2022-04-05 |
RHEL 9 Beta Releases

One nice surprise is that if you installed an earlier release (I installed update 1) and registered it with Red Hat, you will be able to receive the updates. There’s no need to re-install.

RHEL 9 Updates

Note that these updates are just package updates rather than formal ‘errata’ with Security, Bugfix and Enhancement classifications.

Significant Changes

Let’s take a look at some of the more significant changes that enterprises may need to take into account when deploying RHEL 9.

SSH root logins

By default, logging in as root with a password over SSH is disabled. This is a good security measure and helps prevent brute-force attacks. Best practice is to create an admin user with sudo privileges at install time and use that. If root login via SSH is required, an SSH key-pair could be used. If you need to revert to the previous behavior and allow root password logins, this can be enabled in a kickstart file as follows (from this link):

%post
echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/01-permitrootlogin.conf
%end
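
The drop-in above only takes effect because of ordering: sshd keeps the first value it obtains for each keyword, so a file that sorts early in /etc/ssh/sshd_config.d/ wins over later files. The audit helper below is an added example, not code from the original post; it assumes the drop-ins are read in lexical order ahead of the rest of sshd_config, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: report which file decides the global PermitRootLogin value.
# Assumption: drop-ins in sshd_config.d are read in lexical order before the
# rest of sshd_config, and sshd keeps the first value it sees for a keyword.

effective_permit_root_login() {
    # $1 = drop-in directory, $2 = main sshd_config
    local dir="$1" main="$2" f hit
    for f in "$dir"/*.conf "$main"; do
        [ -f "$f" ] || continue
        # Keywords are case-insensitive and may use "keyword=value".
        # Comments are skipped, and parsing stops at the first Match block
        # because settings inside it are conditional, not global.
        hit=$(awk '
            /^[ \t]*#/ { next }
            { sub(/=/, " ") }
            tolower($1) == "match" { exit }
            tolower($1) == "permitrootlogin" { print tolower($2); exit }
        ' "$f")
        if [ -n "$hit" ]; then
            printf '%s %s\n' "$hit" "$f"
            return 0
        fi
    done
    # Nothing set anywhere: OpenSSH's built-in default applies.
    printf '%s %s\n' "prohibit-password" "(built-in default)"
}

root_password_login_allowed() {
    # Succeeds (exit 0) only when root may log in with a password.
    local value
    value=$(effective_permit_root_login "$1" "$2")
    [ "${value%% *}" = "yes" ]
}
```

On a live host, `sshd -T | grep -i permitrootlogin` (run as root) prints the value sshd itself resolved and is the authoritative check.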

OpenSSH SCP deprecation

One of the most important security changes for OpenSSH in Red Hat Enterprise Linux (RHEL) 9 is the deprecation of the SCP protocol. These are the changes that we have implemented:
* The scp command line tool uses the SFTP protocol for file transfers by default.
* Usage of the SCP protocol can be restored using the newly added -O option.
* Usage of the SCP protocol can be completely disabled on the system. If the file /etc/ssh/disable_scp exists, any attempt to use the SCP protocol will fail.

https://www.redhat.com/en/blog/openssh-scp-deprecation-rhel-9-what-you-need-know

Satellite registration and subscription manager

The rhsm command can be used within a kickstart file to register the server to the Red Hat Content Delivery Network (CDN) or a Red Hat Satellite server. To see the list of options that can be used with rhsm see Performing an advanced RHEL installation. Most organisations will probably want to use a combination like this:

rhsm --organization=XXX --activation-key=XXX --connect-to-insights --proxy=proxy.example.com:8080 --server-hostname=satellite.example.com

Subscription manager is updated so that you can now set the addons, role, service level and so on in one command.

[root@rhel9 ~]# subscription-manager --help | grep Deprecated
  addons         Deprecated, see 'syspurpose'
  role           Deprecated, see 'syspurpose'
  service-level  Deprecated, see 'syspurpose'
  usage          Deprecated, see 'syspurpose'

[root@rhel9 ~]# subscription-manager syspurpose --help 
Syspurpose submodules:
  
    addons              Show or modify the system purpose addons setting
    role                Show or modify the system purpose role setting
    service-level       Show or modify the system purpose service-level setting
    usage               Show or modify the system purpose usage setting

So with the combination of rhsm and an activation key, or using the subscription-manager command in a kickstart file, there are a couple of options for registering your server with the correct subscription entitlements.

Network Scripts

The old network-scripts package has been removed (it was deprecated in RHEL 8), which means you’ll not find anything in the /etc/sysconfig/network-scripts directory:

[root@rhel9 ~]# cd /etc/sysconfig/network-scripts/
[root@rhel9 network-scripts]# ls -altr
total 0
drwxr-xr-x. 2 root root   6 Dec 16 08:04 .
drwxr-xr-x. 3 root root 236 Jan 13 09:29 ..

This is probably the biggest change for admins if they’ve been relying on the legacy scripts to date.

The nmcli command can be used to modify the network configuration. Network configuration will be written to files in the /etc/NetworkManager/system-connections/ directory:

[root@rhel9 system-connections]# ls -l /etc/NetworkManager/system-connections/
total 4
-rw-------. 1 root root 264 Feb 26 15:57 'Ethernet connection 1.nmconnection'
[root@rhel9 system-connections]# cat /etc/NetworkManager/system-connections/Ethernet\ connection\ 1.nmconnection
[connection]
id=Ethernet connection 1
uuid=XXX-XXX-XXX-XXX-XXX
type=ethernet
interface-name=eth0
permissions=

[ethernet]
mac-address-blacklist=

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

[proxy]

2038 Support

It’s very likely that servers built in 2022 will still be around in 2038 (even if they are unsupported). As such, ext4 filesystems can now be created which support timestamps beyond the year 2038 – see Year 2038 problem.

Ansible

The upstream releases of Ansible have now moved to ansible-core. This includes a smaller set of Ansible modules than would have been found in Ansible Engine. In RHEL 7 through to RHEL 8.5, Red Hat shipped Red Hat Ansible Engine through a yum repository such as ansible-2.9-for-rhel-8-x86_64-rpms. RHEL 9 Beta (and 8.6) will move to ansible-core delivered as an application stream repository. On RHEL 8.6 you’ll likely need to migrate from ansible-engine to ansible-core because Ansible Engine 2.9 will be end of life on 18 November 2022 (see Red Hat Ansible Automation Platform Life Cycle). On the RHEL 9 Beta, ansible-core 2.12 is provided:

[root@rhel9 ~]# dnf info ansible-core
Updating Subscription Management repositories.
Last metadata expiration check: 0:55:12 ago on Sat Feb 26 16:00:17 2022.
Available Packages
Name         : ansible-core
Version      : 2.12.1

As the ansible.posix.firewalld module is not part of ansible-core, administering firewall configuration is not possible out of the box. However, a firewall system role can help with this:

[root@rhel9 ~]# dnf info rhel-system-roles
Failed to set locale, defaulting to C.UTF-8
Updating Subscription Management repositories.
Last metadata expiration check: 0:00:30 ago on Sat Feb 26 17:00:00 2022.
Available Packages
Name         : rhel-system-roles
Version      : 1.11.0
Release      : 1.el9
Architecture : noarch
Size         : 1.7 M
Source       : rhel-system-roles-1.11.0-1.el9.src.rpm
Repository   : rhel-9-for-x86_64-appstream-beta-rpms

[root@rhel9 ~]# ls -l /usr/share/doc/rhel-system-roles/collection/roles/firewall/README.md
-rw-r--r--. 1 root root 7236 Dec  9 14:41 /usr/share/doc/rhel-system-roles/collection/roles/firewall/README.md

Update 20 April 2022, Red Hat have now released an official blog on this topic: Red Hat Blog: Updates to using Ansible in RHEL 8.6 and 9.0

Single user mode

There is an updated process to enter single user mode in RHEL 9 (although according to How to change a forgotten or lost root password this seems to be possible in RHEL 7 and RHEL 8 too, so maybe it was just new to me!). At the boot prompt, use the following:

rw init=/bin/bash

This is typically needed if you forget the root password. Once in single user mode you can use the following to reset the password and reboot the server:

passwd
touch /.autorelabel
exec /sbin/init

The official documentation ‘Configuring basic system settings’ Chapter 23. Changing and resetting the root password uses the rd.break approach for resetting the password so for production environments you may wish to follow that process.

sudo enhancements

sudo has been upgraded to 1.9.5 compared to 1.8.29 in RHEL 8. sudo is widely used to allow fine-grained administrative access to users. There are some notable new features in 1.9.5 which are worth a look:

  • Intercepting subcommands
  • Logging subcommands
  • Collecting logs centrally using sudo_logsrvd
  • Relays
  • JSON-formatted logging

These are all described in detail in 5 new sudo features sysadmins need to know in 2022. One of the most useful will be intercepting subcommands. Say you need to give broad sudo privileges to a user to run pretty much anything they need (for example, because they are unable to tell you exactly what commands they need to run as root), then you can give them the ability to run all commands except a specific set such as systemctl, firewall-cmd, setenforce, dnf, /usr/bin/bash, etc. The rationale here is they can perform many activities, but you don’t want the user to change running services, change the firewall setting, disable SELinux or install packages. As an example:

unixsysadmin ALL = (ALL) ALL, !/usr/bin/systemctl, !/usr/bin/firewall-cmd, !/usr/sbin/setenforce, !/usr/bin/dnf, !/usr/bin/bash, !/usr/bin/sh, !/usr/bin/csh

Of course, a cunning user with the above sudo rules might use the cp command to copy the binary they require and then call it. They might try something like this:

sudo cp /usr/bin/bash /usr/bin/mash
sudo /usr/bin/mash

Presumably you would then restrict access to commands like ‘cp’ and ‘mv’, but it may quickly become a race to prevent other ways to bypass the copy feature and add them to the interception list. (Example: sudo find bash | cpio -pvmud newbash2 might copy the shell binary to a place they can then execute it). However, when used with other features such as the enhanced logging and a SIEM platform you can hopefully pick up when this activity is attempted.
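
A defender-side check for the copy-and-rename problem described above, added here as an example (not from the original post): it hashes the binaries that the sudoers rule denies by path and reports any other file in the searched directories with identical content. The function name and the input file format (one denied path per line) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: find renamed copies of binaries that a sudoers rule denies
# by path (e.g. !/usr/bin/bash). A path-based rule does not follow content,
# so identical content under another name is what we look for.

find_renamed_copies() {
    # $1 = file listing denied binaries, one absolute path per line
    # remaining args = directories to search
    local denied_list="$1"; shift
    local hashes path sum
    hashes=$(mktemp) || return 1

    # Build "sha256 realpath" lines for each denied binary, following
    # symlinks (a denied path may be a symlink to another denied binary).
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        sum=$(sha256sum < "$path") || continue
        printf '%s %s\n' "${sum%% *}" "$(readlink -f "$path")" >> "$hashes"
    done < "$denied_list"

    # Hash every regular file in the search directories and print those whose
    # content matches a denied binary but whose path is not itself denied.
    find "$@" -xdev -type f -exec sha256sum {} + 2>/dev/null |
    awk -v hashes="$hashes" '
        BEGIN {
            while ((getline line < hashes) > 0) {
                split(line, p, " ")
                denied_sum[p[1]] = 1
                denied_path[substr(line, length(p[1]) + 2)] = 1
            }
        }
        {
            file = substr($0, 67)      # 64 hex chars plus two separators
            if (($1 in denied_sum) && !(file in denied_path)) print file
        }
    ' | sort
    rm -f "$hashes"
}
```

Run it on a schedule against the directories users can write to or reach with sudo, and forward any hit to the SIEM alongside the sudo logs.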

mailx has been replaced by s-nail

mailx has been around for a very long time but is no longer being maintained upstream. mailx can be a really handy tool in the sysadmin toolbox for sending emails in scripts. 9 mail/mailx command examples to send emails from command line on Linux has some examples of where mailx can be useful. The replacement utility in RHEL 9 is s-nail.

Red Hat Satellite support

The following thread details an issue one user has with the RHEL 9 Beta and Red Hat Satellite 6.10.

DNF/YUM

In RHEL 8, the ‘yum’ command is a symlink to dnf:

[root@rhel8 ~]# ls -l /usr/bin/yum
lrwxrwxrwx. 1 root root 5 Sep 13 11:41 /usr/bin/yum -> dnf-3

In RHEL 9, unsurprisingly, the same symlink exists:

[root@rhel9 ~]# ls -l /usr/bin/yum
lrwxrwxrwx. 1 root root 5 Dec  7 08:35 /usr/bin/yum -> dnf-3

Many experienced sysadmins who are managing a range of RHEL environments (RHEL 6 ELS, RHEL 7, RHEL 8 and now RHEL 9) can use ‘yum’ across all of them and the behaviour should generally be the same.

Flatpak

Flatpak is a popular way of running applications in containers and is typically used for desktop applications. RHEL 8 ships with 1.8.5 of flatpak, but RHEL 9 updates this to 1.10. Here’s one method to get started using the ‘community’ flatpak repo at flathub.org to install their version of Firefox:

[root@rhel9 ~]# dnf install -y flatpak
[root@rhel9 ~]# flatpak remote-add flathub https://flathub.org/repo/flathub.flatpakrepo
[root@rhel9 ~]# flatpak search firefox
Name       Description                                                              Application ID             Version     Branch Remotes
Firefox    Fast, Private & Safe Web Browser                                         org.mozilla.firefox        97.0.1      stable flathub
Mojave-GTK Mojave-Style Theme for GTK Flatpak Applications                          …tk.Gtk3theme.Mojave-light 0.1         3.22   flathub
Firestorm… Client for accessing 3D virtual worlds                                   …ormviewer.FirestormViewer 6.3.9.58205 stable flathub
Joplin     A free, open source note taking and to-do application, which can handle… net.cozic.joplin_desktop   2.7.13      stable flathub
LibreWolf  LibreWolf Web Browser                                                    …itlab.librewolf-community 97.0.1-1    stable flathub
[root@rhel9 ~]# flatpak install flathub org.mozilla.firefox
Looking for matches…
Required runtime for org.mozilla.firefox/x86_64/stable (runtime/org.freedesktop.Platform/x86_64/21.08) found in remote flathub
Do you want to install it? [Y/n]:

However, I discovered there is an official RHEL flatpak repository as described in Introducing the Red Hat Flatpak runtime for desktop containers. To set this up, run:

[root@rhel9 ~]# flatpak remote-add rhel https://flatpaks.redhat.io/rhel.flatpakrepo

To get a list of packages available in the repositories, run:

[root@rhel9 ~]# flatpak remote-ls

With both flathub and rhel flatpak repos configured, we see that there are a handful of packages available in the RHEL repository:

[root@rhel9 ~]# flatpak remote-ls | grep -i rhel
GNU Image Manipulation Program	org.gimp.GIMP		stable	x86_64	rhel
Inkscape	org.inkscape.Inkscape		stable	x86_64	rhel
LibreOffice	org.libreoffice.LibreOffice		stable	x86_64	rhel
Firefox	org.mozilla.Firefox		stable	x86_64	rhel
Thunderbird	org.mozilla.Thunderbird	91.5.0	stable	x86_64	rhel
Red Hat Platform	com.redhat.Platform	8	el8	x86_64	rhel
Red Hat SDK	com.redhat.Sdk	8	el8	x86_64	rhel

Disable SELinux

Disabling SELinux should be discouraged as it reduces the security posture of your server. However, should you need to do this, it’s no longer enough to change the setting in /etc/sysconfig/selinux. This is because the system will now start with SELinux enabled but no policy set. The recommended way is now to add the following kernel option:

selinux=0

Grub Menu Hidden

If the previous boot of RHEL was successful and there are no other operating systems configured, the grub menu will be hidden by default.

teamd

teamd is now deprecated with bonding being the preferred method for binding multiple interfaces together.

iptables

As with RHEL 8, nftables is the default backend for firewall-cmd. With RHEL 9, iptables is now deprecated.

Desktop Backgrounds

The RHEL 9 Beta does not come with any Red Hat branded backgrounds by default. However, there are plans to include them as detailed in these links:

Third Party Compatibility

EPEL 9

EPEL 9 (Extra Packages for Enterprise Linux) is now available.

dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

For additional information, see EPEL – Fedora Project Wiki

Cobbler

There is a Cobbler Pull Request 2894 to add support for RHEL 9 in cobbler.

Downstream rebuilds

Almalinux

I couldn’t find anything formal about an AlmaLinux 9 Beta as of April 2022. On 19 April 2022, AlmaLinux have announced that AlmaLinux 9 Beta is now available. Links:

Rocky Linux 9

We have begun initializing the foundation (release and core packages) needed to start on Rocky Linux 9. We have begun importing the RHEL 9 beta sources as well as CentOS Stream 9 sources. In the coming days, we plan on bootstrapping the necessary components for 9. We look forward to sharing more about this with you very soon.

https://rockylinux.org/news/community-update-december-2021/

One thought on “RHEL 9 Resources”

  1. Excellent information above thank you.

    As someone who is new to RHEL I keenly and anxiously await the release of RHEL9 GA. I am not a techie so there is little point in me sampling these BETA’s

    I’m a little surprised it is taking so long for RHEL9 to go GA considering it is essentially CentOS Stream 9 which itself went through about 6 months of testing, and much of this is based on Fedora (34).

    Is there any information on how a decision is made to move RHEL from BETA to GA?

    Above you show 5 Beta Releases each roughly a month apart holidays permitting. I would be fascinated to see a summary of the Reported issues and fixes for each of the releases from the initial CentOS Stream Beta up to date.

    I would also be interested in any links to useful intro’s and howto’s to allow a newbie like me to get into the more technical aspects of setting up a server. I find official documentation tend to assume a significant background and familiarity with the product and be lacking in more basic details or information to allow us to get the most out of compatible hardware which may be less commonly used.
