Chapter 1. Overview

1.1. Major changes in RHEL 9.0

Security

The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases.

Among the exceptions, the HMAC-SHA1 message authentication code and the Universal Unique Identifier (UUID) values can still be created using SHA-1 because these use cases do not currently pose security risks. SHA-1 can also be used in limited cases connected with important interoperability and compatibility concerns, such as Kerberos and WPA-2. See the List of RHEL applications using cryptography that is not compliant with FIPS 140-3 section for more details.

For solutions of compatibility problems with systems that still require SHA-1, see the following KCS articles:

OpenSSL is now provided in version 3.0.1, which adds a provider concept, a new versioning scheme, an improved HTTP(S) client, support for new protocols, formats, and algorithms, and many other improvements.

The system-wide cryptographic policies have been adjusted to provide up-to-date secure defaults.

OpenSSH is distributed in version 8.7p1, which provides many enhancements, bug fixes, and security improvements as compared to version 8.0p1, which is distributed in RHEL 8.5.

The SFTP protocol replaces the previously used SCP/RCP protocol in OpenSSH. SFTP offers more predictable filename handling and does not require expansion of glob(3) patterns by the shell on the remote side.

SELinux performance has been substantially improved, including time to load SELinux policy into the kernel, memory overhead, and other parameters. For additional information, see the Improving the performance and space efficiency of SELinux blog post.

RHEL 9 provides the fapolicyd framework in the upstream version 1.1. Among other improvements, you can now use the new rules.d/ and trust.d/ directories, the fagenrules script, and new options for the fapolicyd-cli command.

The SCAP Security Guide (SSG) packages are provided in version 0.1.60, which introduces delta tailoring, updated security profiles, and other improvements.

See Section 4.7, “Security” for more information.

The use of SHA-1 for signatures is restricted in the DEFAULT crypto policy. Except for HMAC, SHA-1 is no longer allowed in TLS, DTLS, SSH, IKEv2, DNSSEC, and Kerberos protocols.

If your scenario requires the use of SHA-1 for verifying existing or third-party cryptographic signatures, you can enable it by entering the following command:

# update-crypto-policies --set DEFAULT:SHA1

Alternatively, you can switch the system-wide crypto policies to the LEGACY policy. Note that LEGACY also enables many other algorithms that are not secure.

Cyrus SASL now uses GDBM instead of Berkeley DB, and the Network Security Services (NSS) libraries no longer support the DBM file format for the trust database.

Support for disabling SELinux through the SELINUX=disabled option in the /etc/selinux/config file has been removed from the kernel. When you disable SELinux only through /etc/selinux/config, the system starts with SELinux enabled but with no policy loaded. If your scenario requires disabling SELinux, add the selinux=0 parameter to your kernel command line.

See the Security section in the Considerations in adopting RHEL 9 document for more information about security-related major differences between RHEL 9 and RHEL 8.

Networking

You can use the new MultiPath TCP daemon (mptcpd) to configure MultiPath TCP (MPTCP) endpoints without using the iproute2 utility. To make MPTCP subflows and endpoints persistent, use a NetworkManager dispatcher script.

By default, NetworkManager now uses the key files to store new connection profiles. Note that the ifcfg format is still supported.

For more information about the features introduced in this release and changes in the existing functionality, see New features - Networking.

The WireGuard VPN technology is now available as an unsupported Technology Preview. For details, see Technology Previews - Networking.

The teamd service and the libteam library are deprecated. As a replacement, configure a bond instead of a network team.

The iptables-nft and ipset are deprecated. These packages include utilities, such as iptables, ip6tables, ebtables and arptables. Use the nftables framework to configure firewall rules.

For more information about deprecated functionality, see Deprecated functionality - Networking.

The network-scripts package has been removed. Use NetworkManager to configure network connections. For more information about functionality that is no longer part of RHEL, see the Networking section in the Considerations in adopting RHEL 9 document.

Dynamic programming languages, web and database servers

RHEL 9.0 provides the following dynamic programming languages:

  • Node.js 16
  • Perl 5.32
  • PHP 8.0
  • Python 3.9
  • Ruby 3.0

RHEL 9.0 includes the following version control systems:

  • Git 2.31
  • Subversion 1.14

The following web servers are distributed with RHEL 9.0:

  • Apache HTTP Server 2.4.51
  • nginx 1.20

The following proxy caching servers are available:

  • Varnish Cache 6.6
  • Squid 5.2

RHEL 9.0 offers the following database servers:

  • MariaDB 10.5
  • MySQL 8.0
  • PostgreSQL 13
  • Redis 6.2

See Section 4.13, “Dynamic programming languages, web and database servers” for more information.

Compilers and development tools

System toolchain

The following system toolchain components are available with RHEL 9.0:

  • GCC 11.2.1
  • glibc 2.34
  • binutils 2.35.2

RHEL 9 system toolchain components include support for POWER10.

Performance tools and debuggers

The following performance tools and debuggers are available with RHEL 9.0:

  • GDB 10.2
  • Valgrind 3.18.1
  • SystemTap 4.6
  • Dyninst 11.0.0
  • elfutils 0.186
Performance monitoring tools

The following performance monitoring tools are available with RHEL 9.0:

  • PCP 5.3.5
  • Grafana 7.5.11
Compiler toolsets

The following compiler toolsets are available with RHEL 9.0:

  • LLVM Toolset 13.0.1
  • Rust Toolset 1.58.1
  • Go Toolset 1.17.7

For detailed changes, see Section 4.14, “Compilers and development tools”.

Java implementations in RHEL 9

The RHEL 9 AppStream repository includes:

  • The java-17-openjdk packages, which provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.
  • The java-11-openjdk packages, which provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.
  • The java-1.8.0-openjdk packages, which provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

For more information, see OpenJDK documentation.

Java tools

The following Java tools are available with RHEL 9.0:

  • Maven 3.6
  • Ant 1.10

See Section 4.14, “Compilers and development tools” for more information.

Desktop

The GNOME environment has been updated from GNOME 3.28 to GNOME 40 with many new features.

The X.org display server is deprecated, and will be removed in a future major RHEL release. The default desktop session is now the Wayland session in most cases.

When using the NVIDIA drivers, the desktop session now selects the Wayland display protocol by default, if the driver configuration supports Wayland. In previous RHEL releases, the NVIDIA drivers always disabled Wayland.

The PipeWire service now manages all audio output and input. PipeWire replaces the PulseAudio service in general use cases and the JACK service in professional use cases.

See Section 4.16, “Desktop” for more information.

Virtualization

In RHEL 9, the libvirt library uses modular daemons that handle individual virtualization driver sets on your host. This makes it possible to fine-grain a variety of tasks that involve virtualization drivers, such as resource load optimization and monitoring.

The QEMU emulator is now built using the Clang compiler. This enables the RHEL 9 KVM hypervisor to use a number of advanced security and debugging features. One of these features is SafeStack, which makes virtual machines (VMs) hosted on RHEL 9 significantly more secure against attacks based on Return-Oriented Programming (ROP).

In addition, Virtual Trusted Platform Module (vTPM) is now fully supported. Using vTPM, you can add a TPM virtual crypto-processor to a VM, which can then be used for generating, storing, and managing cryptographic keys.

Finally, the virtiofs feature has been implemented, which you can use to more efficiently share files between a RHEL 9 host and its VMs.

For more information about virtualization features introduced in this release, see Section 4.20, “Virtualization”.

1.2. In-place upgrade

In-place upgrade from RHEL 8 to RHEL 9

  • From RHEL 8.6 to RHEL 9.0 on the following architectures:

    • 64-bit Intel
    • 64-bit AMD
    • 64-bit ARM
    • IBM POWER 9 (little endian)
    • IBM Z architectures, excluding z13
  • From RHEL 8.6 to RHEL 9.0 on systems with SAP HANA

For more information, see Supported in-place upgrade paths for Red Hat Enterprise Linux.

For instructions on performing an in-place upgrade, see Upgrading from RHEL 8 to RHEL 9.

For instructions on performing an in-place upgrade on systems with SAP environments, see How to in-place upgrade SAP environments from RHEL 8 to RHEL 9.

In-place upgrade from RHEL 7 to RHEL 9

It is not possible to perform an in-place upgrade directly from RHEL 7 to RHEL 9. However, you can perform an in-place upgrade from RHEL 7 to RHEL 8 and then perform a second in-place upgrade to RHEL 9. For more information, see Upgrading from RHEL 7 to RHEL 8.

1.3. Red Hat Customer Portal Labs

Red Hat Customer Portal Labs is a set of tools in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify security problems, and quickly deploy and configure complex applications. Some of the most popular applications are:

1.4. Additional resources

Capabilities and limits of Red Hat Enterprise Linux 9 as compared to other versions of the system are available in the Knowledgebase article Red Hat Enterprise Linux technology capabilities and limits.

Information regarding the Red Hat Enterprise Linux life cycle is provided in the Red Hat Enterprise Linux Life Cycle document.

The Package manifest document provides a package listing for RHEL 9, including licenses and application compatibility levels.

Application compatibility levels are explained in the Red Hat Enterprise Linux 9: Application Compatibility Guide document.

Major differences between RHEL 8 and RHEL 9, including removed functionality, are documented in Considerations in adopting RHEL 9.

Instructions on how to perform an in-place upgrade from RHEL 8 to RHEL 9 are provided by the document Upgrading from RHEL 8 to RHEL 9.

The Red Hat Insights service, which enables you to proactively identify, examine, and resolve known technical issues, is available with all RHEL subscriptions. For instructions on how to install the Red Hat Insights client and register your system to the service, see the Red Hat Insights Get Started page.