Red Hat Enterprise Linux 9 (RHEL 9) was released on 17 May 2022. It is an enterprise operating system with ten years of support until 2032. This article highlights some of the changes and new features that are available, along with links to the official documents, press releases and relevant blog posts.
A smooth install of @RHEL 9 and registration with the No-cost Red Hat Enterprise Linux Individual Developer Subscription from @rhdevelopers should see this being updated for 10 years until 2032! A great developer experience – thank you @RedHat! pic.twitter.com/ujzmo7bmCR
— Unix Sys Admin (@UnixSysAdmin) May 18, 2022
It’s worth mentioning that since this article was originally written, there have been some updates, so if you are deploying on a new server, you’ll probably want to deploy the latest release.
- RHEL 9.4 is now available as of 30 April 2024
- RHEL 9.3 is now available as of 8 November 2023
- RHEL 9.2 is now available as of 10 May 2023
- RHEL 9.1 is now available as of 15 November 2022
Press and forum links
- The Register: At last, Red Hat Enterprise Linux 9.0 slips out
- ZDNet: Red Hat Enterprise Linux 9: Security baked in
- VentureBeat: Red Hat’s Paul Cormier on RHEL 9, the edge and open source innovation
- Container Journal: Red Hat Adds Automated Container Rollback Capability in RHEL 9
- It’s FOSS News: Red Hat Enterprise Linux 9 Announced as the Next-Gen Backbone of Enterprise IT
- Azure Blog: Manage Red Hat workloads seamlessly on Azure – RHEL 9 will be available on Azure from May 24.
- Phoronix: RHEL9 Reaching GA Shortly, RHIVOS Woos GM For Software-Defined Vehicles
- Phoronix: Red Hat Enterprise Linux 9.0 Performing Well, Great Benefit To Newer Intel Xeon & AMD EPYC Servers (7 June 2022)
- LWN.net: Red Hat Enterprise Linux 9 released
Official Documentation
- Red Hat Blog – Hot Off the Presses: Red Hat Enterprise Linux 9
- Red Hat Developer – What’s new in Red Hat Enterprise Linux 9
- Press Release: Red Hat Defines a New Epicenter for Innovation with Red Hat Enterprise Linux 9
- Release Notes for Red Hat Enterprise Linux 9.0
- Considerations in adopting RHEL 9
- Package listing for Red Hat Enterprise Linux 9
- Instructions for an in-place upgrade from Red Hat Enterprise Linux 8 to Red Hat Enterprise Linux 9
- Installing RHEL 9 using the graphical user interface
- Performing an advanced RHEL installation – Installing RHEL using Kickstart
- Boot options for RHEL Installer – Installing and configuring RHEL with boot options
- Customizing Anaconda – Changing the installer appearance and creating custom add-ons on Red Hat Enterprise Linux 9
- Security hardening – Securing Red Hat Enterprise Linux 9
- Deploying Red Hat Enterprise Linux 9 on public cloud platforms
- Red Hat Training Blog – Upskill on RHEL 9 Training and exam updates for RHEL 9.
RHEL 9 Facts
Let’s have a look at some facts about RHEL 9 and see how it compares to RHEL 8, released three years earlier:
- The release has a codename of ‘Plow’ (following on from Ootpa, which was the name for RHEL 8)
- The kernel is based on 5.14.0 (versus 4.18.0 in RHEL 8)
- glibc is at version 2.34 (versus 2.28 in RHEL 8)
- systemd is at version 249 (versus 239 in RHEL 8)
- python is at version 3.9 (versus 3.6 in RHEL 8)
- bash is at version 5.1.8 (versus 4.4 in RHEL 8)
- dnf is at version 4.10 (versus 4.7 in RHEL 8.6 / 4.0 in RHEL 8.0)
- rpm is at version 4.16 (versus 4.14 in RHEL 8)
- sudo is at version 1.9.5 (versus 1.8 in RHEL 8)
- The release is based on Fedora 34 – list of changes in Fedora 34
What’s new in RHEL 9
On 1 June 2022, the Red Hat Enterprise Linux YouTube Channel hosted an hour-long overview of what’s new in RHEL 9.
Note
This post is not endorsed or affiliated with Red Hat – the information provided is based on experience, documentation and publicly available information. Feel free to leave feedback at the end of this page if anything needs correction.
For an up to date roadmap discussion on RHEL please contact your Red Hat Account rep.
Getting Started
The easiest way to get RHEL 9 is to sign up for the no-cost developer program. Once done you can download a QCOW image, Boot ISO or Binary DVD from the Red Hat portal by clicking on the Downloads link in the top bar, and first selecting Red Hat Enterprise Linux 9.
Alternatively, you can follow this link: No-cost RHEL for developers subscription
Significant Changes
Let’s take a look at some of the more significant changes that enterprises may need to take into account when deploying RHEL 9.
SSH root logins
By default logging in as root with a password over SSH is disabled. This is a good security measure and helps prevent brute-force attacks. Best practice is to create an admin user with sudo privileges at install time and use that. If root login via SSH is required, an SSH key-pair could be used. If you need to revert to the previous behavior and allow root password, this can be enabled as follows (from this link) via a kickstart snippet:
%post
echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/01-permitrootlogin.conf
%end
Or simply via some automation:
echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/01-permitrootlogin.conf
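sshd keeps the first value it reads for a keyword, so the 01- prefix on that drop-in decides whether it wins over later files. The following added example (not from the original article) reports which drop-in sets PermitRootLogin first; it assumes the drop-in directory is included at the top of sshd_config and does not evaluate Match blocks, and the file 50-hardening.conf is a constructed name.

```shell
#!/bin/sh
# Added example: find the PermitRootLogin value that wins among sshd drop-ins.
# Assumptions: drop-ins are read in lexical order, the first value found for
# a keyword wins, and reading of a file stops at its first Match line.

# effective_permit_root_login DIR
# Prints "value<TAB>file" for the winning setting, or "unset" if none is found.
effective_permit_root_login() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        hit=$(awk '
            /^[[:space:]]*(#|$)/ { next }                   # comments, blanks
            { sub(/[[:space:]]*=[[:space:]]*/, " ") }       # "Key=value" form
            tolower($1) == "match" { exit }                 # conditional part
            tolower($1) == "permitrootlogin" { print tolower($2); exit }
        ' "$f")
        if [ -n "$hit" ]; then
            printf '%s\t%s\n' "$hit" "$f"
            return 0
        fi
    done
    echo unset
}

# root_password_login_allowed DIR
# Succeeds only when the winning value is "yes" (root may log in with a password).
root_password_login_allowed() {
    [ "$(effective_permit_root_login "$1" | cut -f1)" = "yes" ]
}

# Demo on constructed files: the later hardening file does not override 01-.
demo_dir=$(mktemp -d)
printf 'PermitRootLogin yes\n' > "$demo_dir/01-permitrootlogin.conf"
printf 'PermitRootLogin prohibit-password\n' > "$demo_dir/50-hardening.conf"
effective_permit_root_login "$demo_dir"
rm -rf "$demo_dir"
```

On a live host, `sshd -T | grep -i permitrootlogin` prints the value that sshd itself resolves.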
OpenSSH SCP deprecation
One of the most important security changes for OpenSSH in Red Hat Enterprise Linux (RHEL) 9 is the deprecation of the SCP protocol. These are the changes that we have implemented:
https://www.redhat.com/en/blog/openssh-scp-deprecation-rhel-9-what-you-need-know
* The scp command line tool uses the SFTP protocol for file transfers by default.
* Usage of the SCP protocol can be restored using the newly added -O option.
* Usage of the SCP protocol can be completely disabled on the system. If the file /etc/ssh/disable_scp exists, any attempt to use the SCP protocol will fail.
Satellite registration and subscription manager
The rhsm command can be used within a kickstart file to register the server to the Red Hat Content Delivery Network (CDN) or a Red Hat Satellite server. To see the list of options that can be used with rhsm, see Performing an advanced RHEL installation. Most organisations will probably want to use a combination like this:
rhsm --organization=XXX --activation-key=XXX --connect-to-insights --proxy=proxy.example.com:8080 --server-hostname=satellite.example.com
Subscription manager is updated so that you can now set the addons, role, service level and so on in one command.
[root@rhel9 ~]# subscription-manager --help | grep Deprecated
addons Deprecated, see 'syspurpose'
role Deprecated, see 'syspurpose'
service-level Deprecated, see 'syspurpose'
usage Deprecated, see 'syspurpose'
[root@rhel9 ~]# subscription-manager syspurpose --help
Syspurpose submodules:
addons Show or modify the system purpose addons setting
role Show or modify the system purpose role setting
service-level Show or modify the system purpose service-level setting
usage Show or modify the system purpose usage setting
So with the combination of rhsm and an activation key, or using the subscription-manager command in a kickstart file, there are a couple of options for registering your server with the correct subscription entitlements.
Network Scripts
The old network-scripts package has been removed (it was deprecated in RHEL 8), which means you’ll not find anything in the /etc/sysconfig/network-scripts directory:
[root@rhel9 ~]# cd /etc/sysconfig/network-scripts/
[root@rhel9 network-scripts]# ls -altr
total 0
drwxr-xr-x. 2 root root 6 Dec 16 08:04 .
drwxr-xr-x. 3 root root 236 Jan 13 09:29 ..
This is probably the biggest change for admins if they’ve been relying on the legacy scripts to date.
The nmcli command can be used to modify the network configuration. Network configuration will be written to files in the /etc/NetworkManager/system-connections/ directory:
[root@rhel9 system-connections]# ls -l /etc/NetworkManager/system-connections/
total 4
-rw-------. 1 root root 264 Feb 26 15:57 'Ethernet connection 1.nmconnection'
[root@rhel9 system-connections]# cat /etc/NetworkManager/system-connections/Ethernet\ connection\ 1.nmconnection
[connection]
id=Ethernet connection 1
uuid=XXX-XXX-XXX-XXX-XXX
type=ethernet
interface-name=eth0
permissions=
[ethernet]
mac-address-blacklist=
[ipv4]
dns-search=
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
[proxy]
Red Hat posted the following notes about this change on 13 July 2022:
2038 Support
It’s very likely that servers built in 2022 will still be around in 2038 (even if they are unsupported). As such, ext4 filesystems can now be created which support timestamps beyond the year 2038 – see Year 2038 problem.
Ansible
The upstream releases of Ansible have now moved to ansible-core. This includes a smaller set of Ansible modules than would have been found in Ansible Engine. In RHEL 7 through to RHEL 8.5, Red Hat shipped Red Hat Ansible Engine through a yum repository such as ansible-2.9-for-rhel-8-x86_64-rpms. RHEL 9 (and 8.6) moved to ansible-core delivered as an application stream repository. On RHEL 8.6 you’ll likely need to migrate from ansible-engine to ansible-core because Ansible Engine 2.9 will be end of life on 18 November 2022 (see Red Hat Ansible Automation Platform Life Cycle). On RHEL 9, ansible-core 2.12 is provided:
[root@rhel9 ~]# dnf info ansible-core
Updating Subscription Management repositories.
Last metadata expiration check: 0:24:39 ago on Fri 15 Jul 2022 14:52:57 BST.
Available Packages
Name : ansible-core
Version : 2.12.2
Release : 1.el9
Architecture : x86_64
Size : 2.4 M
Source : ansible-core-2.12.2-1.el9.src.rpm
Repository : rhel-9-for-x86_64-appstream-rpms
Summary : SSH-based configuration management, deployment, and task execution system
URL : http://ansible.com
License : GPLv3+
Description : Ansible is a radically simple model-driven configuration management,
: multi-node deployment, and remote task execution system. Ansible works
: over SSH and does not require any software or daemons to be installed
: on remote nodes. Extension modules can be written in any language and
: are transferred to managed machines automatically.
As the ansible.posix.firewalld module is not part of ansible-core, being able to administer firewall configuration would not be possible out of the box. However, a firewall system role can help with this:
[root@p1 ~]# dnf info rhel-system-roles
Updating Subscription Management repositories.
Last metadata expiration check: 0:26:51 ago on Fri 15 Jul 2022 14:52:57 BST.
Available Packages
Name : rhel-system-roles
Version : 1.16.2
Release : 1.el9_0.2
Architecture : noarch
Size : 1.8 M
Source : rhel-system-roles-1.16.2-1.el9_0.2.src.rpm
Repository : rhel-9-for-x86_64-appstream-rpms
Summary : Set of interfaces for unified system management
URL : https://github.com/linux-system-roles
License : GPLv3+ and MIT and BSD and Python
Description : Collection of Ansible roles and modules that provide a stable and
: consistent configuration interface for managing multiple versions
: of Red Hat Enterprise Linux.
[root@p1 ~]# ls -l /usr/share/doc/rhel-system-roles/collection/roles/firewall/README.md
-rw-r--r--. 1 root root 8596 Apr 24 22:38 /usr/share/doc/rhel-system-roles/collection/roles/firewall/README.md
Update 20 April 2022, Red Hat have now released an official blog on this topic: Red Hat Blog: Updates to using Ansible in RHEL 8.6 and 9.0
Single user mode
There is an updated process to enter single user mode in RHEL 9 (although according to How to change a forgotten or lost root password this seems to be possible in RHEL 7 and RHEL 8 too, so maybe it was just new to me!). At the boot prompt, use the following:
rw init=/bin/bash
This is typically needed if you forget the root password. Once in single user mode you can use the following to reset the password and reboot the server:
passwd
touch /.autorelabel
exec /sbin/init
The official documentation ‘Configuring basic system settings’ Chapter 23. Changing and resetting the root password uses the rd.break approach for resetting the password, so for production environments you may wish to follow that process.
sudo enhancements
sudo has been upgraded to 1.9.5 compared to 1.8.29 in RHEL 8. sudo is widely used to allow fine-grained administrative access to users. There are some notable new features in 1.9.5 which are worth a look:
- Intercepting subcommands
- Logging subcommands
- Collecting logs centrally using sudo_logsrvd
- Relays
- JSON-formatted logging
These are all described in detail in 5 new sudo features sysadmins need to know in 2022. One of the most useful will be intercepting subcommands. Say you need to give broad sudo privileges to a user to run pretty much anything they need (for example, because they are unable to tell you exactly what commands they need to run as root), then you can give them the ability to run all commands except a specific set such as systemctl, firewall-cmd, setenforce, dnf, /usr/bin/bash, etc. The rationale here is they can perform many activities, but you don’t want the user to change running services, change the firewall setting, disable SELinux or install packages. As an example:
unixsysadmin ALL = (ALL) ALL, !/usr/bin/systemctl, !/usr/bin/firewall-cmd, !/usr/sbin/setenforce, !/usr/bin/dnf, !/usr/bin/bash, !/usr/bin/sh, !/usr/bin/csh
Of course, a cunning user with the above sudo rules might use the cp command to copy the binary they require and then call it. They might try something like this:
sudo cp /usr/bin/bash /usr/bin/mash
sudo /usr/bin/mash
Presumably you would then restrict access to commands like ‘cp’ and ‘mv’, but it may quickly become a race to prevent other ways to bypass the copy feature and add them to the interception list. (Example: sudo find bash | cpio -pvmud newbash2 might copy the shell binary to a place they can then execute it). However, when used with other features such as the enhanced logging and a SIEM platform you can hopefully pick up when this activity is attempted.
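The log-side check mentioned above can be sketched as follows. This is an added example, not part of the original article: it flags sudo log lines where a denied binary appears as an argument to another command, then flags any later run of a path that appeared alongside it. It assumes sudo's default syslog line layout and a denied list mirroring the sudoers rule above; the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example: hunt for copy-and-rename bypasses of a sudoers deny list.
# Assumptions: default sudo syslog layout; DENIED mirrors the sudoers example;
# the log lines in sample_log are constructed.

DENIED="systemctl firewall-cmd setenforce dnf bash sh csh"

sample_log() {
    cat <<'EOF'
Jul 15 15:01:02 rhel9 sudo[2211]: unixsysadmin : TTY=pts/0 ; PWD=/home/unixsysadmin ; USER=root ; COMMAND=/usr/bin/cat /etc/hosts
Jul 15 15:02:10 rhel9 sudo[2215]: unixsysadmin : command not allowed ; TTY=pts/0 ; PWD=/home/unixsysadmin ; USER=root ; COMMAND=/usr/bin/bash
Jul 15 15:03:44 rhel9 sudo[2220]: unixsysadmin : TTY=pts/0 ; PWD=/home/unixsysadmin ; USER=root ; COMMAND=/usr/bin/cp /usr/bin/bash /usr/bin/mash
Jul 15 15:03:51 rhel9 sudo[2224]: unixsysadmin : TTY=pts/0 ; PWD=/home/unixsysadmin ; USER=root ; COMMAND=/usr/bin/mash
Jul 15 15:05:09 rhel9 sudo[2230]: unixsysadmin : TTY=pts/0 ; PWD=/usr/bin ; USER=root ; COMMAND=/usr/bin/find bash
EOF
}

# flag_suspicious_sudo < logfile
# Prints "kind<TAB>user<TAB>command" where kind is:
#   touches-denied  a denied binary is named as an argument to another command
#   runs-tainted    the command is a path that appeared next to a denied binary
flag_suspicious_sudo() {
    awk -v denied="$DENIED" '
        BEGIN { n = split(denied, d, " "); for (i = 1; i <= n; i++) deny[d[i]] = 1 }
        function base(p,   k, parts) { k = split(p, parts, "/"); return parts[k] }
        / sudo(\[[0-9]+\])?: / && /COMMAND=/ && !/command not allowed/ {
            user = $0
            sub(/^.* sudo(\[[0-9]+\])?: +/, "", user); sub(/ .*/, "", user)
            cmd = $0
            sub(/^.*COMMAND=/, "", cmd)
            m = split(cmd, argv, " ")
            if (argv[1] in tainted) {
                printf "runs-tainted\t%s\t%s\n", user, cmd
                next
            }
            hit = 0
            for (i = 2; i <= m; i++) if (base(argv[i]) in deny) hit = 1
            if (!hit) next
            # Remember the other absolute paths on the line (copy destinations).
            for (i = 2; i <= m; i++)
                if (!(base(argv[i]) in deny) && argv[i] ~ /^\//) tainted[argv[i]] = 1
            printf "touches-denied\t%s\t%s\n", user, cmd
        }
    '
}

sample_log | flag_suspicious_sudo
```

A hit is a lead for review rather than a verdict: a harmless command such as `sudo ls -l /usr/bin/bash` would also be reported.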
mailx has been replaced by s-nail
mailx has been around for a very long time but is no longer being maintained upstream. mailx can be a really handy tool in the sysadmin toolbox for sending emails in scripts. 9 mail/mailx command examples to send emails from command line on Linux has some examples of where mailx can be useful. The replacement utility in RHEL 9 is s-nail.
Red Hat Satellite support
Red Hat Satellite 6.11 (released 5 July 2022) supports RHEL 9 clients as per the following:
The following thread details an issue one user had with the RHEL 9 Beta and Red Hat Satellite 6.10.
- Reddit: Anyone have any luck kickstarting RHEL 9?
- Foreman Community: Issues kickstarting RHEL9
- Pulp Issue 2365: Issues kickstarting RHEL 9 beta
- Red Hat Bugzilla – 2042730 Issues downloading RHEL 9 Beta packages from repo
DNF/YUM
In RHEL 8, the yum command is a symlink to dnf:
[root@rhel8 ~]# ls -l /usr/bin/yum
lrwxrwxrwx. 1 root root 5 Sep 13 11:41 /usr/bin/yum -> dnf-3
In RHEL 9, there is no surprise, the same symlink exists:
[root@rhel9 ~]# ls -l /usr/bin/yum
lrwxrwxrwx. 1 root root 5 Dec 7 08:35 /usr/bin/yum -> dnf-3
Many experienced sysadmins who are managing a range of RHEL environments (RHEL 6 ELS, RHEL 7, RHEL 8 and now RHEL 9) can use ‘yum’ across all of them and the behaviour should generally be the same.
Flatpak
Flatpak is a popular way of running applications in containers and is typically used for desktop applications. RHEL 8 ships with 1.8.5 of flatpak, but RHEL 9 updates this to 1.10. Here’s one method to get started using the ‘community’ flatpak repo at flathub.org to install their version of Firefox:
[root@rhel9 ~]# dnf install -y flatpak
[root@rhel9 ~]# flatpak remote-add flathub https://flathub.org/repo/flathub.flatpakrepo
[root@rhel9 ~]# flatpak search firefox
Name Description Application ID Version Branch Remotes
Firefox Fast, Private & Safe Web Browser org.mozilla.firefox 97.0.1 stable flathub
Mojave-GTK Mojave-Style Theme for GTK Flatpak Applications …tk.Gtk3theme.Mojave-light 0.1 3.22 flathub
Firestorm… Client for accessing 3D virtual worlds …ormviewer.FirestormViewer 6.3.9.58205 stable flathub
Joplin A free, open source note taking and to-do application, which can handle… net.cozic.joplin_desktop 2.7.13 stable flathub
LibreWolf LibreWolf Web Browser …itlab.librewolf-community 97.0.1-1 stable flathub
[root@rhel9 ~]# flatpak install flathub org.mozilla.firefox
Looking for matches…
Required runtime for org.mozilla.firefox/x86_64/stable (runtime/org.freedesktop.Platform/x86_64/21.08) found in remote flathub
Do you want to install it? [Y/n]:
However, I discovered there is an official RHEL flatpak repository as described in Introducing the Red Hat Flatpak runtime for desktop containers. To set this up, run:
[root@rhel9 ~]# flatpak remote-add rhel https://flatpaks.redhat.io/rhel.flatpakrepo
To get a list of packages available in the repositories, run:
[root@rhel9 ~]# flatpak remote-ls
With both flathub and rhel flatpak repos configured, we see that there are a handful of packages available in the RHEL repository:
[root@rhel9 ~]# flatpak remote-ls | grep -i rhel
GNU Image Manipulation Program org.gimp.GIMP stable x86_64 rhel
Inkscape org.inkscape.Inkscape stable x86_64 rhel
LibreOffice org.libreoffice.LibreOffice stable x86_64 rhel
Firefox org.mozilla.Firefox stable x86_64 rhel
Thunderbird org.mozilla.Thunderbird 91.5.0 stable x86_64 rhel
Red Hat Platform com.redhat.Platform 8 el8 x86_64 rhel
Red Hat SDK com.redhat.Sdk 8 el8 x86_64 rhel
SHA-1 Deprecation
RHEL has moved forward earlier than Fedora, and SHA-1 signed packages are now blocked by default. For more information see the official blog post Enhancing RHEL Security: Understanding SHA-1 deprecation on RHEL 9.
Connecting to a RHEL 6 server (RHEL 6 is currently in Extended Lifecycle Support) from a RHEL 9 server may well fail with an error such as:
ssh_dispatch_run_fatal: Connection to w.x.y.z port 22: error in libcrypto
To work around the issue, follow the official recommendation as detailed in SSH from RHEL 9 to RHEL 6 systems does not work. See also The Register: Dealing with legacy issues around Red Hat crypto versions? Here’s a fix and SSH from RHEL 9 to RHEL 5 or RHEL 6.
Disable SELinux
Disabling SELinux should be discouraged as it reduces the security posture of your server. However, should you need to do this, it’s no longer enough to change the setting in /etc/sysconfig/selinux. This is because the system will now start with SELinux enabled but no policy set. The recommended way is now to add the following kernel option:
selinux=0
Grub Menu Hidden
If the previous boot of RHEL was successful and there are no other operating systems configured, the grub menu will be hidden by default.
This behaviour may not be desired if, for example, you often want to change the boot parameters or wish to use Grub to boot into another operating system. To change this behaviour, use the grub2-editenv command:
grub2-editenv list # List the current grub settings
grub2-editenv - unset menu_auto_hide # Disable the auto-hide
tuned
tuned is a dynamic adaptive system tuning daemon that tunes system settings dynamically depending on usage. It was installed as part of the default server installation in RHEL 7 and RHEL 8 but now needs to be manually added in RHEL 9.
Link: Reddit: RHEL 9.0 Tuned not in core package group
teamd
teamd is now deprecated with bonding being the preferred method for binding multiple interfaces together.
iptables
As with RHEL 8, nftables is the default backend for firewall-cmd. With RHEL 9, iptables is now deprecated.
redhat-support-tool
redhat-support-tool is a useful utility for uploading diagnostic log files directly to the Red Hat customer support portal and attaching them to your case. Unfortunately, this is no longer available in RHEL 9.
Note: redhat-support-tool and redhat-support-lib-python have been deprecated in RHEL 8 and will not be shipped in RHEL 9 onwards
https://access.redhat.com/articles/445443
To programmatically upload and manage attachments in RHEL 9, please see the official Red Hat Support Tool (RHST) Deprecation Guide
abrt
abrtd is a daemon that watches for application crashes. When a crash occurs, it collects the problem data (core file, application’s command line etc.) and takes action according to the type of application that crashed and according to the configuration in the abrt.conf config file. Unfortunately, abrtd is not available in RHEL 9 – see https://access.redhat.com/solutions/6765051
Desktop Backgrounds
The RHEL 9 Beta did not come with any Red Hat branded backgrounds by default. However, RHEL 9 GA sees a pleasant dark wallpaper with the number 9 and Red Hat logo in the background.
Here are some links to the discussions around the RHEL 9 background in the beta.
- Reddit: How To Get RHEL Branded Desktop Backgrounds In the RHEL 9 Beta?
- Jaiden Archer Star Git Repo – RHEL 9 Wallpaper Concepts
Third Party Compatibility
EPEL 9
EPEL 9 (Extra Packages for Enterprise Linux) is now available.
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
For additional information, see EPEL – Fedora Project Wiki
Cobbler
There is a Cobbler Pull Request 2894 to add support for RHEL 9 in cobbler.
Downstream rebuilds
AlmaLinux
On May 26 2022, less than 10 days after RHEL 9 was released, AlmaLinux announced that their rebuild was now available: AlmaLinux 9 Blog: AlmaLinux 9 Now Available.
Rocky Linux 9
On 14 July 2022, Rocky Linux announced that Rocky Linux 9.0 is now available.
Page History
Update: 19 May 2022: Add link to RHEL 9.2 availability
Update: 20 December 2022: Add link to RHEL 9.1 availability, how to disable the grub hidden menu
Update: 21 August 2022: Add link about RHEL 9 to RHEL 5/6 SSH issues
Update: 17 July 2022: Add link to Red Hat documentation about RHEL 9 networking, Satellite 6.11 support for RHEL 9
Update: 15 July 2022: Add link to performance notes in Phoronix post, move Beta details to own beta page.
Update: 5 June 2022: Added notes about tuned, redhat-support-tool and abrt.
Update: 18 May 2022. Hot Off the Presses: Red Hat Enterprise Linux 9 has been announced on the Red Hat Blog and the documentation in the Red Hat portal has been updated. I’ve performed a fresh install and it looks really nice!
Update: 17 May 2022. Red Hat Enterprise Linux 9 is now available in the Red Hat portal.
Exciting times – looks like #RHEL 9 is now available for download in the @RedHatSupport portal! Time to get installing! 🙂 #sysadmin pic.twitter.com/2z0A414tmF
— Unix Sys Admin (@UnixSysAdmin) May 17, 2022
Update: 10 May 2022. At Red Hat Summit on Tuesday 10 May, Red Hat formally unveiled RHEL 9.
RHEL 9 is expected to be available for download from the Red Hat portal next week (week commencing 16 May 2022) and on the Azure from 24 May. This post will be updated with links to the official documentation as the product is released.