RHEL 9 GA Announcement
Update: 18 May 2022. Hot Off the Presses: Red Hat Enterprise Linux 9 has been announced on the Red Hat Blog and the documentation in the Red Hat portal has been updated. I’ve performed a fresh install and it looks really nice!
Update: 17 May 2022. Red Hat Enterprise Linux 9 is now available in the Red Hat portal.
Update: 10 May 2022. At Red Hat Summit on Tuesday 10 May, Red Hat formally unveiled RHEL 9:
- Red Hat Press Release: Red Hat Defines a New Epicenter for Innovation with Red Hat Enterprise Linux 9
RHEL 9 is expected to be available for download from the Red Hat portal next week (week commencing 16 May 2022) and on the Azure from 24 May. This post will be updated with links to the official documentation as the product is released.
Press and forum links
- The Register: At last, Red Hat Enterprise Linux 9.0 slips out
- ZDNet: Red Hat Enterprise Linux 9: Security baked in
- VentureBeat: Red Hat’s Paul Cormier on RHEL 9, the edge and open source innovation
- Container Journal: Red Hat Adds Automated Container Rollback Capability in RHEL 9
- It’s FOSS News: Red Hat Enterprise Linux 9 Announced as the Next-Gen Backbone of Enterprise IT
- Azure Blog: Manage Red Hat workloads seamlessly on Azure – RHEL 9 will be available on Azure from May 24.
- Phoronix: RHEL9 Reaching GA Shortly, RHIVOS Woos GM For Software-Defined Vehicles
- LWN.net: Red Hat Enterprise Linux 9 released
- Red Hat Blog – Hot Off the Presses: Red Hat Enterprise Linux 9
- Red Hat Developer – What’s new in Red Hat Enterprise Linux 9
- Press Release: Red Hat Defines a New Epicenter for Innovation with Red Hat Enterprise Linux 9
- Release Notes for Red Hat Enterprise Linux 9.0
- Considerations in adopting RHEL 9
- Package listing for Red Hat Enterprise Linux 9
- Instructions for an in-place upgrade from Red Hat Enterprise Linux 8 to Red Hat Enterprise Linux 9
- Installing RHEL 9 using the graphical user interface
- Performing an advanced RHEL installation – Installing RHEL using Kickstart
- Boot options for RHEL Installer Installing and configuring RHEL with boot options
- Customizing Anaconda – Changing the installer appearance and creating custom add-ons on Red Hat Enterprise Linux 9
- Security hardening – Securing Red Hat Enterprise Linux 9
- Deploying Red Hat Enterprise Linux 9 on public cloud platforms
RHEL 9 Beta
Red Hat announced the beta release of Red Hat Enterprise Linux 9 in the blog post What’s new in Red Hat Enterprise Linux 9 Beta on 3 November 2021.
Let’s have a look at some facts about the beta:
- The release has a codename of ‘Plow‘ (following on from Oopta which was the name for RHEL 8)
- The kernel is based on 5.14.0 (versus 4.18.0 in RHEL8)
- glibc is at version 2.34
- systemd is at version 249
- python is at version 3.9
- bash is at version 5.1.8
- dnf is at version 4.10
- rpm is at version 4.16
- sudo is at version 1.9.5
- The release is based on Fedora 34 – list of changes in Fedora 34
Official Documentation – Beta
- Release Notes for Red Hat Enterprise Linux 9.0 Beta
- Considerations in adopting RHEL 9 – An overview of changes in Red Hat Enterprise Linux 9 since Red Hat Enterprise Linux 8
- Red Hat Developers – Red Hat Enterprise Linux 9 is now available
Press and forum links – Beta
- The Register: CentOS Stream^W^W Red Hat Enterprise Linux 9 emerges in beta form
- Phoronix: Red Hat Enterprise Linux 9.0 Beta Released
- ZDNet: The first fruits of CentOS Stream: Red Hat Enterprise Linux 9 Beta
- Network World: Red Hat Enterprise Linux 9 drops in beta version
- Silicon Angle: Red Hat focuses on simplified automation and container development in RHEL 9 Beta release
- 9 to 5 Linux: Red Hat Enterprise Linux 9 Enters Beta with Exciting New Features and Many Improvements
- Cloud7 News: Red Hat Enterprise Linux Beta 9 with kernel version 5.14 is now available
- Linux Stoney: Red Hat Enterprise Linux 9 beta testing has begun
What to expect
On 23 February 2022, the The Red Hat Enterprise Linux YouTube Channel hosted an hour long overview of what to expect in RHEL 9.0.
This post is not endorsed or affiliated with Red Hat – the information provided is based on experience, documentation and publicly available information. Feel free to leave feedback at the end of this page if anything needs correction.
For an up to date roadmap discussion on RHEL please contact your Red Hat Account rep.
The easiest way to get the RHEL 9 Beta is to sign up for the no-cost developer program. Once done you can download a QCOW image, Boot ISO or Binary DVD from the Red Hat portal by clicking on the Downloads link in the top bar, and first selecting Red Hat Enterprise Linux 8. On the following page change the ‘product variant’ to ‘Red Hat Enterprise Linux for x86_64 Beta’ and the page should refresh with ‘9.0 Beta (latest)’.
Alternatively, you can follow this link: No-cost RHEL for developers subscription
Be aware that as of 16 January 2022, Red Hat had published three dated sets of ISOs. One with a modification date of 30 October 2021, one with a modification date of 8 December 2021 (labelled Update 1) and another with a modification date of 11 January 2022 (labelled Update 2). You will most likely want the most up to date version. (Note: that the link on the developers website wasn’t updated for update 1 or 2 when I visited on 13 January)
Revisiting the Red Hat Enterprise Linux for x86_64 Beta 9 in the middle of February 2022 we saw that Update 3 has been released, in March 2022 we have Update 4 and April 2022 we have Update 5 – here’s a quick table to sumarise:
|Red Hat Enterprise Linux 9.0 Beta Binary DVD||2021-10-30|
|Red Hat Enterprise Linux 9.0 Beta Update 1 Binary DVD||2021-12-08|
|Red Hat Enterprise Linux 9.0 Beta Update 2 Binary DVD||2022-01-11|
|Red Hat Enterprise Linux 9.0 Beta Update 3 Binary DVD||2022-02-01|
|Red Hat Enterprise Linux 9.0 Beta Update 4 Binary DVD||2022-03-01|
|Red Hat Enterprise Linux 9.0 Beta Update 5 Binary DVD||2022-04-05|
One nice surprise is that if you installed an earlier release (I installed update 1) and registered it with Red Hat, you will be able to receive the updates. There’s no need to re-install.
Note that these updates are just package updates rather than formal ‘errata’ with Security, Bugfix and Enhancement classifications.
Let’s take a look at some of the more significant changes that enterprises may need to take into account when deploying RHEL 9.
SSH root logins
By default logging in as root with a password over SSH is disabled. This is a good security measure and helps prevent brute-force attacks. Best practice is to create an admin user with sudo privileges at install time and use that. If root login via SSH is required, an SSH key-pair could be used. If you need to revert to the previous behavior and allow root password, this can be enabled as follows (from this link):
%post echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/01-permitrootlogin.conf %end
OpenSSH SCP deprecation
One of the most important security changes for OpenSSH in Red Hat Enterprise Linux (RHEL) 9 is the deprecation of the SCP protocol. These are the changes that we have implemented:https://www.redhat.com/en/blog/openssh-scp-deprecation-rhel-9-what-you-need-know
* The scp command line tool uses the SFTP protocol for file transfers by default.
* Usage of the SCP protocol can be restored using the newly added -O option.
* Usage of the SCP protocol can be completely disabled on the system. If the file /etc/ssh/disable_scp exists, any attempt to use the SCP protocol will fail.
Satellite registration and subscription manager
rhsm command can be used within a kickstart file to register the server to the Red Hat Content Delivery Network (CDN) or a Red Hat Satellite server. To see the list of options that can be used with
rhsm see Performing an advanced RHEL installation. Most organisations will probably want to use a combination like this:
rhsm --organization=XXX --activation-key=XXX --connect-to-insights --proxy=proxy.example.com:8080 --server-hostname=satellite.example.com
Subscription manager is updated so that you can now set the addons, role, service level and so on in one command.
[root@rhel9 ~]# subscription-manager --help | grep Deprecated addons Deprecated, see 'syspurpose' role Deprecated, see 'syspurpose' service-level Deprecated, see 'syspurpose' usage Deprecated, see 'syspurpose' [root@rhel9 ~]# subscription-manager syspurpose --help Syspurpose submodules: addons Show or modify the system purpose addons setting role Show or modify the system purpose role setting service-level Show or modify the system purpose service-level setting usage Show or modify the system purpose usage setting
So with the combination of rhsm and an activation key or using the subscription-manager command in a kickstart file, there are a couple of options to registering your server with the correct subscription entitlements.
network-scripts package has been removed (it was deprecated in the RHEL 8) which means you’ll not find anything in the
[root@rhel9 ~]# cd /etc/sysconfig/network-scripts/ [root@rhel9 network-scripts]# ls -altr total 0 drwxr-xr-x. 2 root root 6 Dec 16 08:04 . drwxr-xr-x. 3 root root 236 Jan 13 09:29 ..
This is probably the biggest change for admins if they’ve been relying on the legacy scripts to date.
nmcli command can be used to modify the network configuration. Network configuration will be written to files in the
[root@rhel9 system-connections]# ls -l /etc/NetworkManager/system-connections/ total 4 -rw-------. 1 root root 264 Feb 26 15:57 'Ethernet connection 1.nmconnection' [root@rhel9 system-connections]# cat /etc/NetworkManager/system-connections/Ethernet\ connection\ 1.nmconnection [connection] id=Ethernet connection 1 uuid=XXX-XXX-XXX-XXX-XXX type=ethernet interface-name=eth0 permissions= [ethernet] mac-address-blacklist= [ipv4] dns-search= method=auto [ipv6] addr-gen-mode=stable-privacy dns-search= method=auto [proxy]
It’s very likely that servers built in 2022 will still be around in 2038 (even if they are unsupported). As such, ext4 filesystems can now be created which support timestamps beyond the year 2038 – see Year 2038 problem.
The upstream releases of Ansible have now moved ansible-core. This includes smaller set of Ansible modules that would have been found in Ansible Engine. In RHEL 7 through to RHEL 8.5, Red Hat shipped Red Hat Ansible Engine through a yum repository such as ansible-2.9-for-rhel-8-x86_64-rpms. RHEL 9 Beta (and 8.6) will move to ansible-core delivered as an application stream repository. On RHEL 8.6 you’ll likely need to migrate from ansible-engine to ansible-core because Ansible Engine 2.9 will be end of life 18 November 2022 (see Red Hat Ansible Automation Platform Life Cycle). On the RHEL 9 Beta, ansible-core 2.12 is provided:
[root@rhel9 ~]# dnf info ansible-core Updating Subscription Management repositories. Last metadata expiration check: 0:55:12 ago on Sat Feb 26 16:00:17 2022. Available Packages Name : ansible-core Version : 2.12.1
As the ansible.posix.firewalld module is not part of ansible-core, being able to administer firewall configuration would not be possible out of the box. However, a firewall system role can help with this:
[root@rhel9 ~]# dnf info rhel-system-roles Failed to set locale, defaulting to C.UTF-8 Updating Subscription Management repositories. Last metadata expiration check: 0:00:30 ago on Sat Feb 26 17:00:00 2022. Available Packages Name : rhel-system-roles Version : 1.11.0 Release : 1.el9 Architecture : noarch Size : 1.7 M Source : rhel-system-roles-1.11.0-1.el9.src.rpm Repository : rhel-9-for-x86_64-appstream-beta-rpms [root@rhel9 ~]# ls -l /usr/share/doc/rhel-system-roles/collection/roles/firewall/README.md -rw-r--r--. 1 root root 7236 Dec 9 14:41 /usr/share/doc/rhel-system-roles/collection/roles/firewall/README.md
Update 20 April 2022, Red Hat have now released an official blog on this topic: Red Hat Blog: Updates to using Ansible in RHEL 8.6 and 9.0
Single user mode
There is an updated process to enter single user mode in RHEL 9 (although according to How to change a forgotten or lost root password this seems to be possible in RHEL 7 and RHEL 8 too, so maybe it was just new to me!). At the boot prompt, use the following:
This is typically needed if you forget the root password. Once in single user mode you can use the following to reset the password and reboot the server:
passwd touch /.autorelabel exec /sbin/init
The official documentation ‘Configuring basic system settings’ Chapter 23. Changing and resetting the root password uses the
rd.break approach for resetting the password so for production environments you may wish to follow that process.
sudo has been upgraded to 1.9.5 compared to 1.8.29 in RHEL 8. sudo is widely used to allow fine-grained administrative access to users. There are some noteable new features in 1.9.5 which are worth a look:
- Intercepting subcommands
- Logging subcommands
- Collecting logs centrally using sudo_logsrvd
- JSON-formatted logging
These are all described in detail in 5 new sudo features sysadmins need to know in 2022. One of the most useful will be intercepting subcommands. Say you need to give broad sudo privileges to a user to run pretty much anything they need (for example, because they are unable to tell you exactly what commands they need to run as root), then you can give them the ability to run all commands except a specific set such as
/usr/bin/bash, etc. The rationale here is they can perform many activities, but you don’t want the user to change running services, change the firewall setting, disable SELinux or install packages. As an example:
unixsysadmin ALL = (ALL) ALL, !/usr/bin/systemctl, !/usr/bin/firewall-cmd, !/usr/sbin/setenforce, !/usr/bin/dnf, !/usr/bin/bash, !/usr/bin/sh, !/usr/bin/csh
Of course, a cunning user with the above sudo rules you might use the
cp command to copy the binary they require and then call it. They might try something like this:
sudo cp /usr/bin/bash /usr/bin/mash sudo /usr/bin/mash
Presumably you would then restrict access to commands like ‘cp’ and ‘mv’, but it may quickly become a race to prevent other ways to bypass the copy feature and add them to the interception list. (Example:
sudo find bash | cpio -pvmud newbash2 might copy the shell binary to a place they can then execute it). However, when used with other features such as the enhanced logging and a SIEM platform you can hopefully pick up when this activity is attempted.
mailx had been replaced by s-nail
mailx has been around for a very long time but is no longer being maintained upstream. mailx can be a really handy tool in the sysadmin toolbox for sending emails in scripts. 9 mail/mailx command examples to send emails from command line on Linux has some examples of where mailx can be useful. The replacement utility in RHEL 9 is
Red Hat Satellite support
The following thread details an issue one user has with the RHEL 9 Beta and Red Hat Satellite 6.10.
- Reddit: Anyone have any luck kickstarting RHEL 9?
- Foreman Community: Issues kickstarting RHEL9
- Pulp Issue 2365: Issues kickstarting RHEL 9 beta
- Red Hat Bugzilla – 2042730 Issues downloading RHEL 9 Beta packages from repo
In RHEL 8, the ‘yum’ command is a symlink to dnf:
[root@rhel8 ~]# ls -l /usr/bin/yum lrwxrwxrwx. 1 root root 5 Sep 13 11:41 /usr/bin/yum -> dnf-3
In RHEL 9, there is no surprise, the same symlink exists:
[root@rhel9 ~]# ls -l /usr/bin/yum lrwxrwxrwx. 1 root root 5 Dec 7 08:35 /usr/bin/yum -> dnf-3
Many experienced sysadmins who are managing a range of RHEL environments (RHEL 6 ELS, RHEL 7, RHEL 8 and now RHEL 9) can use ‘yum’ across all of them and the behaviour should generally be the same.
Flatpak is a popular way running applications in containers and typically used for desktop applications. RHEL 8 ships with 1.8.5 of flatpak, but RHEL 9 updates this to 1.10. Here’s one method to get started using the ‘community’ flatpak repo at flathub.org to install their version of Firefox:
[root@rhel9 ~]# dnf install -y flatpak [root@rhel9 ~]# flatpak remote-add flathub https://flathub.org/repo/flathub.flatpakrepo [root@rhel9 ~]# flatpak search firefox Name Description Application ID Version Branch Remotes Firefox Fast, Private & Safe Web Browser org.mozilla.firefox 97.0.1 stable flathub Mojave-GTK Mojave-Style Theme for GTK Flatpak Applications ?tk.Gtk3theme.Mojave-light 0.1 3.22 flathub Firestorm? Client for accessing 3D virtual worlds ?ormviewer.FirestormViewer 184.108.40.206205 stable flathub Joplin A free, open source note taking and to-do application, which can handle? net.cozic.joplin_desktop 2.7.13 stable flathub LibreWolf LibreWolf Web Browser ?itlab.librewolf-community 97.0.1-1 stable flathub [root@rhel9 ~]# flatpak install flathub org.mozilla.firefox Looking for matches? Required runtime for org.mozilla.firefox/x86_64/stable (runtime/org.freedesktop.Platform/x86_64/21.08) found in remote flathub Do you want to install it? [Y/n]:
However, I discovered there is an official RHEL flatpak repository as described in Introducing the Red Hat Flatpak runtime for desktop containers. To set this up, run:
[root@rhel9 ~]# flatpak remote-add rhel https://flatpaks.redhat.io/rhel.flatpakrepo
To get a list of packages available in the repositories, run:
[root@rhel9 ~]# flatpak remote-ls
With both flathub and rhel flatpak repos configured, we see that there are a handful of packages available in the RHEL repository:
[root@rhel9 ~]# flatpak remote-ls | grep -i rhel GNU Image Manipulation Program org.gimp.GIMP stable x86_64 rhel Inkscape org.inkscape.Inkscape stable x86_64 rhel LibreOffice org.libreoffice.LibreOffice stable x86_64 rhel Firefox org.mozilla.Firefox stable x86_64 rhel Thunderbird org.mozilla.Thunderbird 91.5.0 stable x86_64 rhel Red Hat Platform com.redhat.Platform 8 el8 x86_64 rhel Red Hat SDK com.redhat.Sdk 8 el8 x86_64 rhel
Disabling SELinux should be discouraged as it reduces the security posture of your server. However, should you need to do this, it’s not longer enough to change the setting in
/etc/sysconfig/selinux This is because the system will now start with SELinux enabled but no policy set. The recommended way is now to add the following kernel options:
Grub Menu Hidden
If the previous boot of RHEL was successful and there are no other operating systems configured, the grub menu will be hidden by default.
teamd is now deprecated with bonding being the preferred method for binding multiple interfaces together.
As with RHEL 8, nftables is the default backend for firewall-cmd. With RHEL 9, iptables is now deprecated.
The RHEL 9 Beta does not come with any Red Hat branded backgrounds by default. However, there are plans to include them as detailed in these links:
- Reddit: How To Get RHEL Branded Desktop Backgrounds In the RHEL 9 Beta?
- Jaiden Archer Star Git Repo – RHEL 9 Wallpaper Concepts
Third Party Compatibility
EPEL 9 (Extra Packages for Enterprise Linux) is now available.
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
For additional information, see EPEL – Fedora Project Wiki
I couldn’t find anything formal about an Almalinux 9 Beta as of April 2022, On 19 April 2022, AlmaLinux have announced that AlmaLinux 9 Beta is now available. Links:
- AlmaLinux 9 Blog – AlmaLinux 9 Beta – Now Available
- AlmaLinux Wiki – AlmaLinux 9.0 Beta Release Notes
Rocky Linux 9
We have begun initializing the foundation (release and core packages) needed to start on Rocky Linux 9. We have begun importing the RHEL 9 beta sources as well as CentOS Stream 9 sources. In the coming days, we plan on bootstrapping the necessary components for 9. We look forward to sharing more about this with you very soon.https://rockylinux.org/news/community-update-december-2021/