What’s New in RHEL 9

Red Hat Enterprise Linux 9

Red Hat Enterprise Linux 9 (RHEL 9) was released on 17 May 2022. It is an enterprise operating system with ten years of support until 2032. This article highlights some of the changes and new features that are available, along with links to the official documents, press releases and relevant blog posts.

It’s worth mentioning that RHEL 9.3 is now available as of 8 November 2023, as are RHEL 9.2 and 9.1, so if you are deploying on a new server you’ll probably want to deploy the latest release.

Official Documentation

RHEL 9 Facts

Let’s have a look at some facts about RHEL 9 and see how it compares to RHEL 8, released three years earlier:

  • The release has a codename of ‘Plow’ (following on from Ootpa, which was the name for RHEL 8)
  • The kernel is based on 5.14.0 (versus 4.18.0 in RHEL 8)
  • glibc is at version 2.34 (versus 2.28 in RHEL 8)
  • systemd is at version 249 (versus 239 in RHEL 8)
  • python is at version 3.9 (versus 3.6 in RHEL 8)
  • bash is at version 5.1.8 (versus 4.4 in RHEL 8)
  • dnf is at version 4.10 (versus 4.7 in RHEL 8.6 / 4.0 in RHEL 8.0)
  • rpm is at version 4.16 (versus 4.14 in RHEL 8)
  • sudo is at version 1.9.5 (versus 1.8 in RHEL 8)
  • The release is based on Fedora 34 (see the list of changes in Fedora 34)

RHEL 9 (Plow)

What’s new in RHEL 9

On 1 June 2022, the Red Hat Enterprise Linux YouTube Channel hosted an hour-long overview of what’s new in RHEL 9.

Note

This post is not endorsed or affiliated with Red Hat – the information provided is based on experience, documentation and publicly available information. Feel free to leave feedback at the end of this page if anything needs correction.
For an up to date roadmap discussion on RHEL please contact your Red Hat Account rep.

Getting Started

The easiest way to get RHEL 9 is to sign up for the no-cost developer program. Once done you can download a QCOW image, Boot ISO or Binary DVD from the Red Hat portal by clicking on the Downloads link in the top bar, and first selecting Red Hat Enterprise Linux 9.

Alternatively, you can follow this link: No-cost RHEL for developers subscription

Significant Changes

Let’s take a look at some of the more significant changes that enterprises may need to take into account when deploying RHEL 9.

SSH root logins

By default, logging in as root with a password over SSH is disabled. This is a good security measure and helps prevent brute-force attacks. Best practice is to create an admin user with sudo privileges at install time and use that. If root login via SSH is required, an SSH key-pair could be used. If you need to revert to the previous behavior and allow root password logins, this can be enabled as follows (from this link) via a kickstart snippet:

%post
echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/01-permitrootlogin.conf
%end

Or simply via some automation:

echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/01-permitrootlogin.conf
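
To audit which drop-in actually decides the setting, here is an added example (not from the original post or from Red Hat) that resolves PermitRootLogin the way sshd does, keeping the first value it reads. It assumes the main sshd_config includes /etc/ssh/sshd_config.d/*.conf before its own settings, and it treats everything after a Match line in a file as conditional; the function names and the 99-hardening.conf file are hypothetical.

```python
import glob
import os
import re

BUILTIN_DEFAULT = "prohibit-password"  # OpenSSH default when the keyword is unset


def first_global_value(text, keyword):
    """First value of `keyword` outside a Match block in one config file, or None."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=2)
        key = parts[0].lower()
        if key == "match":
            break  # simplification: the rest of this file is treated as conditional
        if key == keyword.lower() and len(parts) > 1:
            return parts[1].strip('"').lower()
    return None


def effective_permit_root_login(dropins, main_config=""):
    """dropins maps file name -> text for /etc/ssh/sshd_config.d/*.conf.

    Assumes the main sshd_config includes the drop-in directory before its own
    settings. sshd keeps the first value it reads, so the lowest-sorting file wins.
    """
    for name in sorted(dropins):
        value = first_global_value(dropins[name], "PermitRootLogin")
        if value is not None:
            return value, name
    value = first_global_value(main_config, "PermitRootLogin")
    if value is not None:
        return value, "sshd_config"
    return BUILTIN_DEFAULT, "built-in default"


def allows_root_password(value):
    """Only 'yes' lets root authenticate with a password."""
    return value == "yes"


def load_dropins(directory="/etc/ssh/sshd_config.d"):
    """Read the real drop-in files (typically needs root)."""
    result = {}
    for path in glob.glob(os.path.join(directory, "*.conf")):
        with open(path) as handle:
            result[os.path.basename(path)] = handle.read()
    return result


if __name__ == "__main__":
    # Constructed sample: the file from the snippet above plus a later hardening file.
    sample = {
        "01-permitrootlogin.conf": "PermitRootLogin yes\n",
        "99-hardening.conf": "# constructed sample\nPermitRootLogin no\n",
    }
    value, source = effective_permit_root_login(sample)
    print(f"PermitRootLogin={value} (from {source}); "
          f"root password login allowed: {allows_root_password(value)}")
```

On the sample, the 01- file wins over the later hardening file, so a leftover 01-permitrootlogin.conf keeps root password logins enabled until it is removed or changed.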

OpenSSH SCP deprecation

One of the most important security changes for OpenSSH in Red Hat Enterprise Linux (RHEL) 9 is the deprecation of the SCP protocol. These are the changes that we have implemented:
* The scp command line tool uses the SFTP protocol for file transfers by default.
* Usage of the SCP protocol can be restored using the newly added -O option.
* Usage of the SCP protocol can be completely disabled on the system. If the file /etc/ssh/disable_scp exists, any attempt to use the SCP protocol will fail.

https://www.redhat.com/en/blog/openssh-scp-deprecation-rhel-9-what-you-need-know

Satellite registration and subscription manager

The rhsm command can be used within a kickstart file to register the server to the Red Hat Content Delivery Network (CDN) or a Red Hat Satellite server. To see the list of options that can be used with rhsm see Performing an advanced RHEL installation. Most organisations will probably want to use a combination like this:

rhsm --organization=XXX --activation-key=XXX --connect-to-insights --proxy=proxy.example.com:8080 --server-hostname=satellite.example.com

Subscription manager is updated so that you can now set the addons, role, service level and so on in one command.

[root@rhel9 ~]# subscription-manager --help | grep Deprecated
  addons         Deprecated, see 'syspurpose'
  role           Deprecated, see 'syspurpose'
  service-level  Deprecated, see 'syspurpose'
  usage          Deprecated, see 'syspurpose'

[root@rhel9 ~]# subscription-manager syspurpose --help 
Syspurpose submodules:
  
    addons              Show or modify the system purpose addons setting
    role                Show or modify the system purpose role setting
    service-level       Show or modify the system purpose service-level setting
    usage               Show or modify the system purpose usage setting

So with the combination of rhsm and an activation key or using the subscription-manager command in a kickstart file, there are a couple of options for registering your server with the correct subscription entitlements.

Network Scripts

The old network-scripts package has been removed (it was deprecated in RHEL 8), which means you’ll not find anything in the /etc/sysconfig/network-scripts directory:

[root@rhel9 ~]# cd /etc/sysconfig/network-scripts/
[root@rhel9 network-scripts]# ls -altr
total 0
drwxr-xr-x. 2 root root   6 Dec 16 08:04 .
drwxr-xr-x. 3 root root 236 Jan 13 09:29 ..

This is probably the biggest change for admins if they’ve been relying on the legacy scripts to date.

The nmcli command can be used to modify the network configuration. Network configuration will be written to files in the /etc/NetworkManager/system-connections/ directory:

[root@rhel9 system-connections]# ls -l /etc/NetworkManager/system-connections/
total 4
-rw-------. 1 root root 264 Feb 26 15:57 'Ethernet connection 1.nmconnection'
[root@rhel9 system-connections]# cat /etc/NetworkManager/system-connections/Ethernet\ connection\ 1.nmconnection
[connection]
id=Ethernet connection 1
uuid=XXX-XXX-XXX-XXX-XXX
type=ethernet
interface-name=eth0
permissions=

[ethernet]
mac-address-blacklist=

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

[proxy]

Red Hat posted the following notes about this change on 13 July 2022:

2038 Support

It’s very likely that servers built in 2022 will still be around in 2038 (even if they are unsupported). As such, ext4 filesystems can now be created which support timestamps beyond the year 2038 – see Year 2038 problem.

Ansible

The upstream releases of Ansible have now moved to ansible-core. This includes a smaller set of the Ansible modules that would have been found in Ansible Engine. In RHEL 7 through to RHEL 8.5, Red Hat shipped Red Hat Ansible Engine through a yum repository such as ansible-2.9-for-rhel-8-x86_64-rpms. RHEL 9 (and 8.6) moved to ansible-core delivered as an application stream repository. On RHEL 8.6 you’ll likely need to migrate from ansible-engine to ansible-core because Ansible Engine 2.9 will be end of life 18 November 2022 (see Red Hat Ansible Automation Platform Life Cycle). On RHEL 9, ansible-core 2.12 is provided:

[root@rhel9 ~]# dnf info ansible-core
Updating Subscription Management repositories.
Last metadata expiration check: 0:24:39 ago on Fri 15 Jul 2022 14:52:57 BST.
Available Packages
Name         : ansible-core
Version      : 2.12.2
Release      : 1.el9
Architecture : x86_64
Size         : 2.4 M
Source       : ansible-core-2.12.2-1.el9.src.rpm
Repository   : rhel-9-for-x86_64-appstream-rpms
Summary      : SSH-based configuration management, deployment, and task execution system
URL          : http://ansible.com
License      : GPLv3+
Description  : Ansible is a radically simple model-driven configuration management,
             : multi-node deployment, and remote task execution system. Ansible works
             : over SSH and does not require any software or daemons to be installed
             : on remote nodes. Extension modules can be written in any language and
             : are transferred to managed machines automatically.

As the ansible.posix.firewalld module is not part of ansible-core, administering firewall configuration is not possible out of the box. However, a firewall system role can help with this:

[root@p1 ~]# dnf info rhel-system-roles
Updating Subscription Management repositories.
Last metadata expiration check: 0:26:51 ago on Fri 15 Jul 2022 14:52:57 BST.
Available Packages
Name         : rhel-system-roles
Version      : 1.16.2
Release      : 1.el9_0.2
Architecture : noarch
Size         : 1.8 M
Source       : rhel-system-roles-1.16.2-1.el9_0.2.src.rpm
Repository   : rhel-9-for-x86_64-appstream-rpms
Summary      : Set of interfaces for unified system management
URL          : https://github.com/linux-system-roles
License      : GPLv3+ and MIT and BSD and Python
Description  : Collection of Ansible roles and modules that provide a stable and
             : consistent configuration interface for managing multiple versions
             : of Red Hat Enterprise Linux.

[root@p1 ~]# ls -l /usr/share/doc/rhel-system-roles/collection/roles/firewall/README.md 
-rw-r--r--. 1 root root 8596 Apr 24 22:38 /usr/share/doc/rhel-system-roles/collection/roles/firewall/README.md

Update 20 April 2022, Red Hat have now released an official blog on this topic: Red Hat Blog: Updates to using Ansible in RHEL 8.6 and 9.0

Single user mode

There is an updated process to enter single user mode in RHEL 9 (although according to How to change a forgotten or lost root password this seems to be possible in RHEL 7 and RHEL 8 too, so maybe it was just new to me!). At the boot prompt, use the following:

rw init=/bin/bash

This is typically needed if you forget the root password. Once in single user mode you can use the following to reset the password and reboot the server:

passwd
touch /.autorelabel
exec /sbin/init

The official documentation ‘Configuring basic system settings’ Chapter 23. Changing and resetting the root password uses the rd.break approach for resetting the password so for production environments you may wish to follow that process.

sudo enhancements

sudo has been upgraded to 1.9.5 compared to 1.8.29 in RHEL 8. sudo is widely used to allow fine-grained administrative access to users. There are some notable new features in 1.9.5 which are worth a look:

  • Intercepting subcommands
  • Logging subcommands
  • Collecting logs centrally using sudo_logsrvd
  • Relays
  • JSON-formatted logging

These are all described in detail in 5 new sudo features sysadmins need to know in 2022. One of the most useful will be intercepting subcommands. Say you need to give broad sudo privileges to a user to run pretty much anything they need (for example, because they are unable to tell you exactly what commands they need to run as root), then you can give them the ability to run all commands except a specific set such as systemctl, firewall-cmd, setenforce, dnf, /usr/bin/bash, etc. The rationale here is they can perform many activities, but you don’t want the user to change running services, change the firewall setting, disable SELinux or install packages. As an example:

unixsysadmin ALL = (ALL) ALL, !/usr/bin/systemctl, !/usr/bin/firewall-cmd, !/usr/sbin/setenforce, !/usr/bin/dnf, !/usr/bin/bash, !/usr/bin/sh, !/usr/bin/csh

Of course, a cunning user with the above sudo rules might use the cp command to copy the binary they require and then call it. They might try something like this:

sudo cp /usr/bin/bash /usr/bin/mash
sudo /usr/bin/mash

Presumably you would then restrict access to commands like ‘cp’ and ‘mv’, but it may quickly become a race to prevent other ways to bypass the copy feature and add them to the interception list. (Example: sudo find bash | cpio -pvmud newbash2 might copy the shell binary to a place they can then execute it). However, when used with other features such as the enhanced logging and a SIEM platform you can hopefully pick up when this activity is attempted.
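
One way to act on the logging point above, as an added example that is not from the original post: a stateful check over sudo's JSON event records that flags rejected attempts on the deny-listed binaries, copy tools given one of them as an argument, and later execution of the copy. It assumes events arrive one JSON object per line with the accept/reject event key and the submituser, command, runargv and runcwd fields; the sample lines are constructed.

```python
import json
import os

# Binaries excluded by the sudoers rule shown above.
DENIED = {
    "/usr/bin/systemctl", "/usr/bin/firewall-cmd", "/usr/sbin/setenforce",
    "/usr/bin/dnf", "/usr/bin/bash", "/usr/bin/sh", "/usr/bin/csh",
}
COPY_TOOLS = {"cp", "mv", "ln", "install"}

# Constructed sample events, one JSON object per line (assumed normalised form).
SAMPLE_LOG = [
    '{"accept": {"submituser": "unixsysadmin", "runuser": "root", "command": "/usr/bin/ls", "runargv": ["ls", "/root"]}}',
    '{"reject": {"submituser": "unixsysadmin", "runuser": "root", "command": "/usr/bin/bash", "runargv": ["bash"]}}',
    '{"accept": {"submituser": "unixsysadmin", "runuser": "root", "command": "/usr/bin/cp", "runargv": ["cp", "/usr/bin/bash", "/usr/bin/mash"]}}',
    '{"accept": {"submituser": "unixsysadmin", "runuser": "root", "command": "/usr/bin/mash", "runargv": ["/usr/bin/mash"]}}',
]


def detect(lines):
    """Return (line_no, user, reason) for events that touch the deny list."""
    alerts = []
    copies = {}  # path of a copy -> the denied binary it came from
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            alerts.append((number, "?", "unparseable log line"))
            continue
        if not isinstance(record, dict):
            continue
        for kind, event in record.items():
            if not isinstance(event, dict):
                continue
            user = event.get("submituser", "?")
            command = os.path.normpath(event.get("command") or "")
            cwd = event.get("runcwd") or event.get("submitcwd") or "/"
            argv = [a for a in event.get("runargv") or [] if isinstance(a, str)]
            # Treat every non-option argument as a path relative to the working dir.
            paths = [os.path.normpath(os.path.join(cwd, a))
                     for a in argv[1:] if not a.startswith("-")]
            if kind == "reject" and command in DENIED:
                alerts.append((number, user, f"denied command attempted: {command}"))
            if kind != "accept":
                continue
            if command in copies:
                alerts.append((number, user,
                               f"ran {command}, a copy of {copies[command]}"))
            hits = [p for p in paths if p in DENIED or p in copies]
            if hits:
                tool = os.path.basename(command)
                alerts.append((number, user, f"{tool} given denied binary {hits[0]}"))
                if tool in COPY_TOOLS and len(paths) >= 2:
                    origin = copies.get(hits[0], hits[0])
                    dest = paths[-1]
                    # Destination may be a file or a directory; watch both forms.
                    copies[dest] = origin
                    copies[os.path.join(dest, os.path.basename(hits[0]))] = origin
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Path matching only sees what appears in runargv, so a piped copy like the cpio example leaves nothing to match and needs file-integrity or exec auditing alongside it.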

mailx has been replaced by s-nail

mailx has been around for a very long time but is no longer being maintained upstream. mailx can be a really handy tool in the sysadmin toolbox for sending emails in scripts. 9 mail/mailx command examples to send emails from command line on Linux has some examples of where mailx can be useful. The replacement utility in RHEL 9 is s-nail.

Red Hat Satellite support

Red Hat Satellite 6.11 (released 5 July 2022) supports RHEL 9 clients as per the following:

The following thread details an issue one user had with the RHEL 9 Beta and Red Hat Satellite 6.10.

DNF/YUM

In RHEL 8, the yum command is a symlink to dnf:

[root@rhel8 ~]# ls -l /usr/bin/yum
lrwxrwxrwx. 1 root root 5 Sep 13 11:41 /usr/bin/yum -> dnf-3

In RHEL 9 there is no surprise; the same symlink exists:

[root@rhel9 ~]# ls -l /usr/bin/yum
lrwxrwxrwx. 1 root root 5 Dec  7 08:35 /usr/bin/yum -> dnf-3

Many experienced sysadmins who are managing a range of RHEL environments (RHEL 6 ELS, RHEL 7, RHEL 8 and now RHEL 9) can use ‘yum’ across all of them and the behaviour should generally be the same.

Flatpak

Flatpak is a popular way of running applications in containers and is typically used for desktop applications. RHEL 8 ships with 1.8.5 of flatpak, but RHEL 9 updates this to 1.10. Here’s one method to get started using the ‘community’ flatpak repo at flathub.org to install their version of Firefox:

[root@rhel9 ~]# dnf install -y flatpak
[root@rhel9 ~]# flatpak remote-add flathub https://flathub.org/repo/flathub.flatpakrepo
[root@rhel9 ~]# flatpak search firefox
Name       Description                                                              Application ID             Version     Branch Remotes
Firefox    Fast, Private & Safe Web Browser                                         org.mozilla.firefox        97.0.1      stable flathub
Mojave-GTK Mojave-Style Theme for GTK Flatpak Applications                          …tk.Gtk3theme.Mojave-light 0.1         3.22   flathub
Firestorm… Client for accessing 3D virtual worlds                                   …ormviewer.FirestormViewer 6.3.9.58205 stable flathub
Joplin     A free, open source note taking and to-do application, which can handle… net.cozic.joplin_desktop   2.7.13      stable flathub
LibreWolf  LibreWolf Web Browser                                                    …itlab.librewolf-community 97.0.1-1    stable flathub
[root@rhel9 ~]# flatpak install flathub org.mozilla.firefox
Looking for matches…
Required runtime for org.mozilla.firefox/x86_64/stable (runtime/org.freedesktop.Platform/x86_64/21.08) found in remote flathub
Do you want to install it? [Y/n]:

However, I discovered there is an official RHEL flatpak repository as described in Introducing the Red Hat Flatpak runtime for desktop containers. To set this up, run:

[root@rhel9 ~]# flatpak remote-add rhel https://flatpaks.redhat.io/rhel.flatpakrepo

To get a list of packages available in the repositories, run:

[root@rhel9 ~]# flatpak remote-ls

With both flathub and rhel flatpak repos configured, we see that there are a handful of packages available in the RHEL repository:

[root@rhel9 ~]# flatpak remote-ls | grep -i rhel
GNU Image Manipulation Program	org.gimp.GIMP		stable	x86_64	rhel
Inkscape	org.inkscape.Inkscape		stable	x86_64	rhel
LibreOffice	org.libreoffice.LibreOffice		stable	x86_64	rhel
Firefox	org.mozilla.Firefox		stable	x86_64	rhel
Thunderbird	org.mozilla.Thunderbird	91.5.0	stable	x86_64	rhel
Red Hat Platform	com.redhat.Platform	8	el8	x86_64	rhel
Red Hat SDK	com.redhat.Sdk	8	el8	x86_64	rhel

SHA-1 Deprecation

RHEL has moved forward earlier than Fedora, and SHA-1 signed packages are now blocked by default. For more information see the official blog post Enhancing RHEL Security: Understanding SHA-1 deprecation on RHEL 9.

Connecting to a RHEL 6 server (RHEL 6 is currently in Extended Lifecycle Support) from a RHEL 9 server may well fail with an error such as:

ssh_dispatch_run_fatal: Connection to w.x.y.z port 22: error in libcrypto

To work around the issue, follow the official recommendation as detailed in SSH from RHEL 9 to RHEL 6 systems does not work. See also The Register: Dealing with legacy issues around Red Hat crypto versions? Here’s a fix and SSH from RHEL 9 to RHEL 5 or RHEL 6.

Disable SELinux

Disabling SELinux should be discouraged as it reduces the security posture of your server. However, should you need to do this, it’s no longer enough to change the setting in /etc/sysconfig/selinux. This is because the system will now start with SELinux enabled but no policy set. The recommended way is now to add the following kernel option:

selinux=0

Grub Menu Hidden

If the previous boot of RHEL was successful and there are no other operating systems configured, the grub menu will be hidden by default.

The behavior may not be desired if, for example, you often want to change the boot parameters or wish to use Grub to boot into another operating system. To change this behaviour, use the grub2-editenv command:

grub2-editenv list # List the current grub settings
grub2-editenv - unset menu_auto_hide # Disable the auto-hide

tuned

tuned is a dynamic adaptive system tuning daemon that tunes system settings dynamically depending on usage. It was installed as part of the default server installation in RHEL 7 and RHEL 8 but now needs to be manually added in RHEL 9.
Link: Reddit: RHEL 9.0 Tuned not in core package group

teamd

teamd is now deprecated with bonding being the preferred method for binding multiple interfaces together.

iptables

As with RHEL 8, nftables is the default backend for firewall-cmd. With RHEL 9, iptables is now deprecated.

redhat-support-tool

redhat-support-tool is a useful utility for uploading diagnostic log files directly to the Red Hat customer support portal and attaching them to your case. Unfortunately, this is no longer available in RHEL 9.

Note: redhat-support-tool and redhat-support-lib-python have been deprecated in RHEL 8 and will not be shipped in RHEL 9 onwards

https://access.redhat.com/articles/445443

To programmatically upload and manage attachments in RHEL 9, please see the official Red Hat Support Tool (RHST) Deprecation Guide

abrt

abrtd is a daemon that watches for application crashes. When a crash occurs, it collects the problem data (core file, application’s command line etc.) and takes action according to the type of application that crashed and according to the configuration in the abrt.conf config file. Unfortunately, abrtd is not available in RHEL 9 – see https://access.redhat.com/solutions/6765051

Desktop Backgrounds

The RHEL 9 Beta did not come with any Red Hat branded backgrounds by default. However, RHEL 9 GA sees a pleasant dark wallpaper with the number 9 and Red Hat logo in the background.

RHEL 9 Desktop

Here were some links to the discussions around the RHEL 9 background in the beta.

Third Party Compatibility

EPEL 9

EPEL 9 (Extra Packages for Enterprise Linux) is now available.

dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

For additional information, see EPEL – Fedora Project Wiki

Cobbler

There is a Cobbler Pull Request 2894 to add support for RHEL 9 in cobbler.

Downstream rebuilds

AlmaLinux

On May 26 2022, less than 10 days after RHEL 9 was released, AlmaLinux announced that their rebuild was now available: AlmaLinux 9 Blog: AlmaLinux 9 Now Available.

Rocky Linux 9

On 14 July 2022, Rocky Linux announced that Rocky Linux 9.0 is now available.

Page History

Update: 19 May 2022: Add link to RHEL 9.2 availability

Update: 20 December 2022: Add link to RHEL 9.1 availability, how to disable the grub hidden menu

Update: 21 August 2022: Add link about RHEL 9 to RHEL 5/6 SSH issues

Update: 17 July 2022: Add link to Red Hat documentation about RHEL 9 networking, Satellite 6.11 support for RHEL 9

Update: 15 July 2022: Add link to performance notes in Phoronix post, move Beta details to own beta page.

Update: 5 June 2022: Added notes about tuned, redhat-support-tool and abrt.

Update: 18 May 2022. Hot Off the Presses: Red Hat Enterprise Linux 9 has been announced on the Red Hat Blog and the documentation in the Red Hat portal has been updated. I’ve performed a fresh install and it looks really nice!

Update: 17 May 2022. Red Hat Enterprise Linux 9 is now available in the Red Hat portal.

Update: 10 May 2022. At Red Hat Summit on Tuesday 10 May, Red Hat formally unveiled RHEL 9.

RHEL 9 is expected to be available for download from the Red Hat portal next week (week commencing 16 May 2022) and on Azure from 24 May. This post will be updated with links to the official documentation as the product is released.

4 thoughts on “What’s New in RHEL 9”

  1. Excellent information above thank you.

    As someone who is new to RHEL I keenly and anxiously await the release of RHEL9 GA. I am not a techie so there is little point in me sampling these BETA’s

    I’m a little surprised it is taking so long for RHEL9 to go GA considering it is essentially CentOS Stream 9 which itself went through about 6 months of testing, and much of this is based on Fedora (34).

    Is there any information on how a decision is made to move RHEL from BETA to GA.

    Above you show 5 Beta Releases each roughly a month apart holidays permitting. I would be fascinated to see a summary of the Reported issues and fixes for each of the releases from the initial CentOS Stream Beta up to date.

    I would also be interested in any links to useful intro’s and howto’s to allow a newbie like me to get into the more technical aspects of setting up a server. I find official documentation tend to assume a significant background and familiarity with the product and be lacking in more basic details or information to allow us to get the most out of compatible hardware which may be less commonly used.

  2. I’m using the following set of instructions to install all the dependencies for Red Hat Linux 9 (or RHEL 9):
    ```
    ---------- Install PyVips ----------
    $ su root
    # dnf install python-requests
    # dnf install python-pip
    # dnf install python-wheel
    # subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms
    # exit

    $ pip install pyvips

    ---------- Install LibVips ----------
    $ su root

    # subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
    # dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
    # dnf upgrade
    # dnf install snapd
    # systemctl enable --now snapd.socket
    # ln -s /var/lib/snapd/snap /snap

    logout/reboot RHEL9

    $ su root
    # snap wait system seed.loaded
    # snap install libvips

    ---------- Run the wind.py app ----------
    Go to the app folder first, then

    $ python wind.py
    ```
    My Python app runs perfectly under Windows: https://github.com/nakigoe/sea/tree/main/graph_wind_create
    But under RHEL 9 (Red Hat Linux 9) an infamous error pops up: Cannot locate libvips.so.42
