Red Hat Enterprise Linux 9 (RHEL 9) was released on 17 May 2022. As an enterprise operating system with ten years of support until 2032, this article highlights some of the changes and new features that are available along with links to the official documents, press releases and relevent blog posts.
Press and forum links
- The Register: At last, Red Hat Enterprise Linux 9.0 slips out
- ZDNet: Red Hat Enterprise Linux 9: Security baked in
- VentureBeat: Red Hat’s Paul Cormier on RHEL 9, the edge and open source innovation
- Container Journal: Red Hat Adds Automated Container Rollback Capability in RHEL 9
- It’s FOSS News: Red Hat Enterprise Linux 9 Announced as the Next-Gen Backbone of Enterprise IT
- Azure Blog: Manage Red Hat workloads seamlessly on Azure – RHEL 9 will be available on Azure from May 24.
- Phoronix: RHEL9 Reaching GA Shortly, RHIVOS Woos GM For Software-Defined Vehicles
- Phoronix: Red Hat Enterprise Linux 9.0 Performing Well, Great Benefit To Newer Intel Xeon & AMD EPYC Servers (7 June 2022)
- LWN.net: Red Hat Enterprise Linux 9 released
- Red Hat Blog – Hot Off the Presses: Red Hat Enterprise Linux 9
- Red Hat Developer – What’s new in Red Hat Enterprise Linux 9
- Press Release: Red Hat Defines a New Epicenter for Innovation with Red Hat Enterprise Linux 9
- Release Notes for Red Hat Enterprise Linux 9.0
- Considerations in adopting RHEL 9
- Package listing for Red Hat Enterprise Linux 9
- Instructions for an in-place upgrade from Red Hat Enterprise Linux 8 to Red Hat Enterprise Linux 9
- Installing RHEL 9 using the graphical user interface
- Performing an advanced RHEL installation – Installing RHEL using Kickstart
- Boot options for RHEL Installer Installing and configuring RHEL with boot options
- Customizing Anaconda – Changing the installer appearance and creating custom add-ons on Red Hat Enterprise Linux 9
- Security hardening – Securing Red Hat Enterprise Linux 9
- Deploying Red Hat Enterprise Linux 9 on public cloud platforms
- Red Hat Training Blog – Upskill on RHEL 9 Training and exam updates for RHEL 9.
RHEL 9 Facts
Let’s have a look at some facts RHEL 9 and see how it compares to RHEL 8, released three years earlier:
- The release has a codename of ‘Plow‘ (following on from Oopta which was the name for RHEL 8)
- The kernel is based on 5.14.0 (versus 4.18.0 in RHEL 8)
- glibc is at version 2.34 (versus 2.28 in RHEL 8)
- systemd is at version 249 (versus 239 in RHEL 8)
- python is at version 3.9 (versus 3.6 in RHEL 8)
- bash is at version 5.1.8 (versus 4.4 in RHEL 8)
- dnf is at version 4.10 (versus 4.7 in RHEL 8.6 / 4.0 in RHEL 8.0)
- rpm is at version 4.16 (versus 4.14 in RHEL 8)
- sudo is at version 1.9.5 (versus 1.8 in RHEL 8)
- The release is based on Fedora 34 – list of changes in Fedora 34
What’s new in RHEL 9
On 1 June 2022, the The Red Hat Enterprise Linux YouTube Channel hosted an hour long overview of what’s new in RHEL 9.
This post is not endorsed or affiliated with Red Hat – the information provided is based on experience, documentation and publicly available information. Feel free to leave feedback at the end of this page if anything needs correction.
For an up to date roadmap discussion on RHEL please contact your Red Hat Account rep.
The easiest way to get the RHEL 9 is to sign up for the no-cost developer program. Once done you can download a QCOW image, Boot ISO or Binary DVD from the Red Hat portal by clicking on the Downloads link in the top bar, and first selecting Red Hat Enterprise Linux 9.
Alternatively, you can follow this link: No-cost RHEL for developers subscription
Let’s take a look at some of the more significant changes that enterprises may need to take into account when deploying RHEL 9.
SSH root logins
By default logging in as root with a password over SSH is disabled. This is a good security measure and helps prevent brute-force attacks. Best practice is to create an admin user with sudo privileges at install time and use that. If root login via SSH is required, an SSH key-pair could be used. If you need to revert to the previous behavior and allow root password, this can be enabled as follows (from this link):
%post echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/01-permitrootlogin.conf %end
OpenSSH SCP deprecation
One of the most important security changes for OpenSSH in Red Hat Enterprise Linux (RHEL) 9 is the deprecation of the SCP protocol. These are the changes that we have implemented:https://www.redhat.com/en/blog/openssh-scp-deprecation-rhel-9-what-you-need-know
* The scp command line tool uses the SFTP protocol for file transfers by default.
* Usage of the SCP protocol can be restored using the newly added -O option.
* Usage of the SCP protocol can be completely disabled on the system. If the file /etc/ssh/disable_scp exists, any attempt to use the SCP protocol will fail.
Satellite registration and subscription manager
rhsm command can be used within a kickstart file to register the server to the Red Hat Content Delivery Network (CDN) or a Red Hat Satellite server. To see the list of options that can be used with
rhsm see Performing an advanced RHEL installation. Most organisations will probably want to use a combination like this:
rhsm --organization=XXX --activation-key=XXX --connect-to-insights --proxy=proxy.example.com:8080 --server-hostname=satellite.example.com
Subscription manager is updated so that you can now set the addons, role, service level and so on in one command.
[root@rhel9 ~]# subscription-manager --help | grep Deprecated addons Deprecated, see 'syspurpose' role Deprecated, see 'syspurpose' service-level Deprecated, see 'syspurpose' usage Deprecated, see 'syspurpose' [root@rhel9 ~]# subscription-manager syspurpose --help Syspurpose submodules: addons Show or modify the system purpose addons setting role Show or modify the system purpose role setting service-level Show or modify the system purpose service-level setting usage Show or modify the system purpose usage setting
So with the combination of rhsm and an activation key or using the subscription-manager command in a kickstart file, there are a couple of options to registering your server with the correct subscription entitlements.
network-scripts package has been removed (it was deprecated in the RHEL 8) which means you’ll not find anything in the
[root@rhel9 ~]# cd /etc/sysconfig/network-scripts/ [root@rhel9 network-scripts]# ls -altr total 0 drwxr-xr-x. 2 root root 6 Dec 16 08:04 . drwxr-xr-x. 3 root root 236 Jan 13 09:29 ..
This is probably the biggest change for admins if they’ve been relying on the legacy scripts to date.
nmcli command can be used to modify the network configuration. Network configuration will be written to files in the
[root@rhel9 system-connections]# ls -l /etc/NetworkManager/system-connections/ total 4 -rw-------. 1 root root 264 Feb 26 15:57 'Ethernet connection 1.nmconnection' [root@rhel9 system-connections]# cat /etc/NetworkManager/system-connections/Ethernet\ connection\ 1.nmconnection [connection] id=Ethernet connection 1 uuid=XXX-XXX-XXX-XXX-XXX type=ethernet interface-name=eth0 permissions= [ethernet] mac-address-blacklist= [ipv4] dns-search= method=auto [ipv6] addr-gen-mode=stable-privacy dns-search= method=auto [proxy]
Red Hat posted the following notes about this change on 13 July 2022:
It’s very likely that servers built in 2022 will still be around in 2038 (even if they are unsupported). As such, ext4 filesystems can now be created which support timestamps beyond the year 2038 – see Year 2038 problem.
The upstream releases of Ansible have now moved ansible-core. This includes smaller set of Ansible modules that would have been found in Ansible Engine. In RHEL 7 through to RHEL 8.5, Red Hat shipped Red Hat Ansible Engine through a yum repository such as ansible-2.9-for-rhel-8-x86_64-rpms. RHEL 9 (and 8.6) moved to ansible-core delivered as an application stream repository. On RHEL 8.6 you’ll likely need to migrate from ansible-engine to ansible-core because Ansible Engine 2.9 will be end of life 18 November 2022 (see Red Hat Ansible Automation Platform Life Cycle). On the RHEL 9, ansible-core 2.12 is provided:
[root@rhel9 ~]# dnf info ansible-core Updating Subscription Management repositories. Last metadata expiration check: 0:24:39 ago on Fri 15 Jul 2022 14:52:57 BST. Available Packages Name : ansible-core Version : 2.12.2 Release : 1.el9 Architecture : x86_64 Size : 2.4 M Source : ansible-core-2.12.2-1.el9.src.rpm Repository : rhel-9-for-x86_64-appstream-rpms Summary : SSH-based configuration management, deployment, and task execution system URL : http://ansible.com License : GPLv3+ Description : Ansible is a radically simple model-driven configuration management, : multi-node deployment, and remote task execution system. Ansible works : over SSH and does not require any software or daemons to be installed : on remote nodes. Extension modules can be written in any language and : are transferred to managed machines automatically. Updating Subscription Management repositories. Last metadata expiration check: 0:55:12 ago on Sat Feb 26 16:00:17 2022. Available Packages Name : ansible-core Version : 2.12.2
As the ansible.posix.firewalld module is not part of ansible-core, being able to administer firewall configuration would not be possible out of the box. However, a firewall system role can help with this:
[root@p1 ~]# dnf info rhel-system-roles Updating Subscription Management repositories. Last metadata expiration check: 0:26:51 ago on Fri 15 Jul 2022 14:52:57 BST. Available Packages Name : rhel-system-roles Version : 1.16.2 Release : 1.el9_0.2 Architecture : noarch Size : 1.8 M Source : rhel-system-roles-1.16.2-1.el9_0.2.src.rpm Repository : rhel-9-for-x86_64-appstream-rpms Summary : Set of interfaces for unified system management URL : https://github.com/linux-system-roles License : GPLv3+ and MIT and BSD and Python Description : Collection of Ansible roles and modules that provide a stable and : consistent configuration interface for managing multiple versions : of Red Hat Enterprise Linux. [root@p1 ~]# ls -l /usr/share/doc/rhel-system-roles/collection/roles/firewall/README.md -rw-r--r--. 1 root root 8596 Apr 24 22:38 /usr/share/doc/rhel-system-roles/collection/roles/firewall/README.md
Update 20 April 2022, Red Hat have now released an official blog on this topic: Red Hat Blog: Updates to using Ansible in RHEL 8.6 and 9.0
Single user mode
There is an updated process to enter single user mode in RHEL 9 (although according to How to change a forgotten or lost root password this seems to be possible in RHEL 7 and RHEL 8 too, so maybe it was just new to me!). At the boot prompt, use the following:
This is typically needed if you forget the root password. Once in single user mode you can use the following to reset the password and reboot the server:
passwd touch /.autorelabel exec /sbin/init
The official documentation ‘Configuring basic system settings’ Chapter 23. Changing and resetting the root password uses the
rd.break approach for resetting the password so for production environments you may wish to follow that process.
sudo has been upgraded to 1.9.5 compared to 1.8.29 in RHEL 8. sudo is widely used to allow fine-grained administrative access to users. There are some noteable new features in 1.9.5 which are worth a look:
- Intercepting subcommands
- Logging subcommands
- Collecting logs centrally using sudo_logsrvd
- JSON-formatted logging
unixsysadmin ALL = (ALL) ALL, !/usr/bin/systemctl, !/usr/bin/firewall-cmd, !/usr/sbin/setenforce, !/usr/bin/dnf, !/usr/bin/bash, !/usr/bin/sh, !/usr/bin/csh
Of course, a cunning user with the above sudo rules you might use the
cp command to copy the binary they require and then call it. They might try something like this:
sudo cp /usr/bin/bash /usr/bin/mash sudo /usr/bin/mash
Presumably you would then restrict access to commands like ‘cp’ and ‘mv’, but it may quickly become a race to prevent other ways to bypass the copy feature and add them to the interception list. (Example:
sudo find bash | cpio -pvmud newbash2 might copy the shell binary to a place they can then execute it). However, when used with other features such as the enhanced logging and a SIEM platform you can hopefully pick up when this activity is attempted.
mailx had been replaced by s-nail
mailx has been around for a very long time but is no longer being maintained upstream. mailx can be a really handy tool in the sysadmin toolbox for sending emails in scripts. 9 mail/mailx command examples to send emails from command line on Linux has some examples of where mailx can be useful. The replacement utility in RHEL 9 is
These are all described in detail in 5 new sudo features sysadmins need to know in 2022. One of the most useful will be intercepting subcommands. Say you need to give broad sudo privileges to a user to run pretty much anything they need (for example, because they are unable to tell you exactly what commands they need to run as root), then you can give them the ability to run all commands except a specific set such as
/usr/bin/bash, etc. The rationale here is they can perform many activities, but you don’t want the user to change running services, change the firewall setting, disable SELinux or install packages. As an example:
Red Hat Satellite support
Red Hat Satellite 6.11 (released 5 July 2022) supports RHEL 9 clients as per the following:
The following thread details an issue one user had with the RHEL 9 Beta and Red Hat Satellite 6.10.
- Reddit: Anyone have any luck kickstarting RHEL 9?
- Foreman Community: Issues kickstarting RHEL9
- Pulp Issue 2365: Issues kickstarting RHEL 9 beta
- Red Hat Bugzilla – 2042730 Issues downloading RHEL 9 Beta packages from repo
In RHEL 8, the ‘yum’ command is a symlink to dnf:
[root@rhel8 ~]# ls -l /usr/bin/yum lrwxrwxrwx. 1 root root 5 Sep 13 11:41 /usr/bin/yum -> dnf-3
In RHEL 9, there is no surprise, the same symlink exists:
[root@rhel9 ~]# ls -l /usr/bin/yum lrwxrwxrwx. 1 root root 5 Dec 7 08:35 /usr/bin/yum -> dnf-3
Many experienced sysadmins who are managing a range of RHEL environments (RHEL 6 ELS, RHEL 7, RHEL 8 and now RHEL 9) can use ‘yum’ across all of them and the behaviour should generally be the same.
Flatpak is a popular way running applications in containers and typically used for desktop applications. RHEL 8 ships with 1.8.5 of flatpak, but RHEL 9 updates this to 1.10. Here’s one method to get started using the ‘community’ flatpak repo at flathub.org to install their version of Firefox:
[root@rhel9 ~]# dnf install -y flatpak [root@rhel9 ~]# flatpak remote-add flathub https://flathub.org/repo/flathub.flatpakrepo [root@rhel9 ~]# flatpak search firefox Name Description Application ID Version Branch Remotes Firefox Fast, Private & Safe Web Browser org.mozilla.firefox 97.0.1 stable flathub Mojave-GTK Mojave-Style Theme for GTK Flatpak Applications ?tk.Gtk3theme.Mojave-light 0.1 3.22 flathub Firestorm? Client for accessing 3D virtual worlds ?ormviewer.FirestormViewer 22.214.171.124205 stable flathub Joplin A free, open source note taking and to-do application, which can handle? net.cozic.joplin_desktop 2.7.13 stable flathub LibreWolf LibreWolf Web Browser ?itlab.librewolf-community 97.0.1-1 stable flathub [root@rhel9 ~]# flatpak install flathub org.mozilla.firefox Looking for matches? Required runtime for org.mozilla.firefox/x86_64/stable (runtime/org.freedesktop.Platform/x86_64/21.08) found in remote flathub Do you want to install it? [Y/n]:
However, I discovered there is an official RHEL flatpak repository as described in Introducing the Red Hat Flatpak runtime for desktop containers. To set this up, run:
[root@rhel9 ~]# flatpak remote-add rhel https://flatpaks.redhat.io/rhel.flatpakrepo
To get a list of packages available in the repositories, run:
[root@rhel9 ~]# flatpak remote-ls
With both flathub and rhel flatpak repos configured, we see that there are a handful of packages available in the RHEL repository:
[root@rhel9 ~]# flatpak remote-ls | grep -i rhel GNU Image Manipulation Program org.gimp.GIMP stable x86_64 rhel Inkscape org.inkscape.Inkscape stable x86_64 rhel LibreOffice org.libreoffice.LibreOffice stable x86_64 rhel Firefox org.mozilla.Firefox stable x86_64 rhel Thunderbird org.mozilla.Thunderbird 91.5.0 stable x86_64 rhel Red Hat Platform com.redhat.Platform 8 el8 x86_64 rhel Red Hat SDK com.redhat.Sdk 8 el8 x86_64 rhel
RHEL has been moved forward earlier than Fedora, and SHA-1 signed packages is now blocked by default. For more information see the official blog post Enhancing RHEL Security: Understanding SHA-1 deprecation on RHEL 9.
Disabling SELinux should be discouraged as it reduces the security posture of your server. However, should you need to do this, it’s not longer enough to change the setting in
/etc/sysconfig/selinux This is because the system will now start with SELinux enabled but no policy set. The recommended way is now to add the following kernel options:
Grub Menu Hidden
If the previous boot of RHEL was successful and there are no other operating systems configured, the grub menu will be hidden by default.
tuned is a dynamic adaptive system tuning daemon that tunes system settings dynamically
depending on usage. It was installed as part of the default server installation in RHEL 7 and RHEL 8 but now needs to be manually added in RHEL 9.
Link: Reddit: RHEL 9.0 Tuned not in core package group
teamd is now deprecated with bonding being the preferred method for binding multiple interfaces together.
As with RHEL 8, nftables is the default backend for firewall-cmd. With RHEL 9, iptables is now deprecated.
redhat-support-tool is a useful utility for uploading diagnostic log files directly to the Red Hat customer support portal and attaching it to your case. Unfortunately, this is no longer available in RHEL 9.
Note: redhat-support-tool and redhat-support-lib-python have been deprecated in RHEL 8 and will not be shipped in RHEL 9 onwardshttps://access.redhat.com/articles/445443
abrtd is a daemon that watches for application crashes. When a crash occurs, it collects
the problem data (core file, application’s command line etc.) and takes action according to
the type of application that crashed and according to the configuration in the abrt.conf
config file. Unfortunately, abrtd is not available in RHEL 9 – see https://access.redhat.com/solutions/6765051
The RHEL 9 Beta did not come with any Red Hat branded backgrounds by default. However, RHEL 9 GA sees a pleasant dark wallpaper with the number 9 and Red Hat logo in the background.
Here were some links to the discussions around the RHEL 9 background in the beta.
- Reddit: How To Get RHEL Branded Desktop Backgrounds In the RHEL 9 Beta?
- Jaiden Archer Star Git Repo – RHEL 9 Wallpaper Concepts
Third Party Compatibility
EPEL 9 (Extra Packages for Enterprise Linux) is now available.
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
For additional information, see EPEL – Fedora Project Wiki
On May 26 2022, less that 10 days after RHEL 9 was released, AlmaLinux announced that AlmaLinux 9 Blog: AlmaLinux 9 Now Available.
I couldn’t find anything formal about an Almalinux 9 Beta as of April 2022, On 19 April 2022, AlmaLinux have announced that AlmaLinux 9 Beta is now available. Links:
- AlmaLinux 9 Blog – AlmaLinux 9 Beta – Now Available
- AlmaLinux Wiki – AlmaLinux 9.0 Beta Release Notes
Rocky Linux 9
On 14 July 2022, Rocky Linux have announced that Rocky Linux 9.0 is now available.
We have begun initializing the foundation (release and core packages) needed to start on Rocky Linux 9. We have begun importing the RHEL 9 beta sources as well as CentOS Stream 9 sources. In the coming days, we plan on bootstrapping the necessary components for 9. We look forward to sharing more about this with you very soon.https://rockylinux.org/news/community-update-december-2021/
Update: 17 July 2022: Add link to Red Hat documentation about RHEL 9 networking, Satellite 6.11 support for RHEL 9
Update: 15 July 2022: Add link to performance notes in Phoronix post, move Beta details to own beta page.
Update: 5 June 2022: Added notes about tuned, redhat-support-tool and abrt.
Update: 18 May 2022. Hot Off the Presses: Red Hat Enterprise Linux 9 has been announced on the Red Hat Blog and the documentation in the Red Hat portal has been updated. I’ve performed a fresh install and it looks really nice!
Update: 17 May 2022. Red Hat Enterprise Linux 9 is now available in the Red Hat portal.
Update: 10 May 2022. At Red Hat Summit on Tuesday 10 May, Red Hat formally unveiled RHEL 9.
- Red Hat Press Release: Red Hat Defines a New Epicenter for Innovation with Red Hat Enterprise Linux 9
RHEL 9 is expected to be available for download from the Red Hat portal next week (week commencing 16 May 2022) and on the Azure from 24 May. This post will be updated with links to the official documentation as the product is released.