Review: RHEL 9 delivers better security, management


RHEL 9.0, the latest major release of Red Hat Enterprise Linux, delivers tighter security, as well as improved installation, distribution, and management for enterprise server and cloud environments.

The operating system, code named Plow, is a significant upgrade over RHEL 8.0 and makes it easier for application developers to test and deploy containers.

Available in server and desktop versions, RHEL remains one of the top Linux distributions for running enterprise workloads because of its stability, dependability, and robustness.

It is free for software-development purposes, but instances require registration with the Red Hat Subscription Management (RHSM) service. Red Hat, owned by IBM, provides 24X7 subscription-based customer support as well as professional integration services. With the money Red Hat receives from subscriptions, it supports other open source efforts, including those that provide upstream features that eventually end up in RHEL itself.

How can RHEL 9 fit into my environment?

RHEL 9 can be run on a variety of physical hardware, as a virtual machine on hypervisors, in containers, or as instances in Infrastructure as a Service (IaaS) public cloud services. It supports legacy x86 hardware as well as 64-bit x86_64-v2, aarch64, and ARMv8.0-A hardware architectures. RHEL 9 supports IBM Power 9, Power 10, and Z-series (z14) hardware platforms.

RHEL also supports a variety of data-storage file systems, including the common Ext4 file system, GFS2 and XFS. Legacy support for Ext2, Ext3, and vfat (FAT32) still exists.

RHEL scales to large amounts of persistent and transient storage, and RHEL 9 increases the maximum amount of memory to 48 TB for x86_64 architectures.

Installing RHEL 9

The first step is downloading the operating system and following some straightforward steps.

When installing RHEL 9, users are prompted for “Software Selection” options, and we chose Server with GUI. There are others such as Minimal Install, Server, Workstation, Custom Operating System, and Virtualization Host.

At this point, additional software can be chosen based on the environment and install functions like DNS Name Server, File and Storage Server, Debugging Tools, GNOME, and Guest Agents, if running a hypervisor. These allow tailoring the type of install based on the role of the server. Next, users can select add-ons for additional environment software to install automatically.

RHEL 9 comes with Linux Kernel 5.14.0-70. The latest Linux kernel is 5.19, but Red Hat prioritizes stability and supportability over bleeding-edge features of the latest versions.

Server with GUI or any of the desktop variants of RHEL 9 come with the GNOME 40 desktop environment. (The latest GNOME version is 42.)  For a graphical interface, RHEL 9 uses the Wayland 1.19 graphics-display server protocol with NVIDIA drivers. Wayland is the C library communications protocol that specifies how data will be sent to the display server and clients.  The latest Wayland release is 1.21 with RHEL again opting for stability and general availability.

The RHEL 9 desktop environment, like most Linux distributions, can run the LibreOffice 7.1.8.1 set of desktop productivity applications.  The latest LibreOffice version is 7.3.

[Image: RHEL 9 login screen. Credit: Scott Hogg]

RHEL upgrades

Application development

RHEL is a solid operating system for application developers who plan to move working code into production. RHEL 9 comes with GNU Compiler Collection (GCC) 11.2.1 with LLVM, glibc 2.34, and binutils 2.35.  Link Time Optimization (LTO) is now enabled by default to help make executables smaller and more efficient.

RHEL 9 comes with Python 3.9 installed by default and supports modern programming languages like Rust and Go. RHEL 9 also comes with updated programming languages including Node.js, Ruby 3.0.3, Perl 5.32, and PHP 8.0.

Red Hat offers the OpenShift Container Platform as its primary product for running Linux containers in a Kubernetes management environment. OpenShift runs on RHEL, and RHEL 9 has available Universal Base Image (UBI) images to support building containerized applications. RHEL 9 also has automatic container updates and rollbacks, and the Podman tool can help notify DevOps teams if containers are failing and automatically rollback to known-good configurations.

Package management

Linux software-package management systems have been evolving in recent years. The yum (Yellow-Dog Updater Modified) software update utility is being deprecated, but the command itself is still supported. The transition to dnf (Dandified Yum) has occurred, and the yum command is just a symbolic link to dnf3. 

RHEL 9 comes with Red Hat Package Manager (RPM) 4.16, and the rpm command can still be used to install files with the .rpm file extension. Flatpak (formerly xdg-app) is another method of packaging and distributing software to Linux systems. Flatpak defines permissions and resource access that apps require.

RHEL 9 also supports the Red Hat Software Collections (RHSCL) for releasing semi-annual stable updates of critical application software. RHSCL provides updates to software-development tools, web services, database software, and other key software for application environments.

Security

Integrity Measurement Architecture (IMA) can detect files that have been maliciously modified and assess the integrity of the Linux kernel. To validate the authenticity and integrity of the OS distribution, RHEL 9 supports IMA along with Extended Verification Module (EVM) to protect file-extended attributes. RHEL 9 Malware Detection, provided with Red Hat Insights, can perform a security assessment by using YARA pattern-matching software to show evidence of malware.

RHEL 9 also provides greater control over root-user password authentication using SSH. It is possible to disable root-user login with basic passwords to help improve server security. Updated classes, permissions, and features of SELinux are part of RHEL 9 to leverage Linux Kernel security capabilities.
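The root-login control described above can be checked from the sshd configuration text itself. The following is an added example, not code from the original review or from Red Hat: it applies sshd's first-value-wins rule to PermitRootLogin and flags Match-block overrides. The sample configuration, the function names, and the 192.0.2.0/24 address are constructed for illustration, and the code assumes the text is passed in the order sshd reads it (Include directives are not followed).

```python
import re

DEFAULT = "prohibit-password"   # OpenSSH default when the keyword is never set
PASSWORD_OK = {"yes"}           # only "yes" lets root authenticate by password

# Constructed sample: root login enabled early, a later "fix" that sshd
# ignores because the first value obtained wins, and a Match override.
SAMPLE = """\
# constructed sshd_config for illustration
PermitRootLogin yes
permitrootlogin = no
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""

def directives(text):
    """Yield (lineno, keyword, first_argument, match_condition)."""
    cond = None                                   # None = global section
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single "=".
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        key, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            cond = rest                           # block runs to next Match/EOF
            continue
        args = rest.split()
        yield n, key, (args[0].strip('"').lower() if args else ""), cond

def audit_root_login(text):
    """Report the effective PermitRootLogin, ignored lines and overrides."""
    effective, ignored, overrides = None, [], {}
    for n, key, arg, cond in directives(text):
        if key != "permitrootlogin":
            continue
        if cond is not None:
            overrides.setdefault(cond, (arg, n))  # first value per Match block
        elif effective is None:
            effective = (arg, n)                  # first global value wins
        else:
            ignored.append((arg, n))              # later global lines: no effect
    value, line = effective or (DEFAULT, None)
    risky = [c for c, (v, _) in overrides.items() if v in PASSWORD_OK]
    return {"global": value, "line": line, "ignored": ignored,
            "match_overrides": overrides,
            "root_password_login": value in PASSWORD_OK or bool(risky)}

if __name__ == "__main__":
    print(audit_root_login(SAMPLE))
```

On a live host, the output of `sshd -T` shows the configuration sshd actually resolved and is the authoritative cross-check for this kind of static review.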

RHEL 9 also uses OpenSSL 3.0.1, which improves the cryptographic libraries and processes to improve confidentiality and integrity of web communications.

Red Hat systems are often used in environments that require heightened levels of security and must meet certain security compliance requirements. Governments often require Security Technical Implementation Guide (STIG) configuration standards along with validation using Security Content Automation Protocol (SCAP).  RHEL 9 supports OpenSCAP 1.3.6 and can use the SCAP Security Guide (SSG) and the RHEL 9 Open Vulnerability Assessment Language (OVAL) signatures to check for compliance.

Management and operations

Red Hat Insights is a management and operations service that reviews RHEL systems for compliance, vulnerabilities, patching, configuration advice, and optimization. Red Hat Insights Image Builder allows creation of custom RHEL images for simplified deployment to environments including cloud infrastructure.

Red Hat offers Image Builder as-a-Service to customize and standardize a preferred RHEL 9 image and run it in an IaaS cloud service provider. Image Builder can create blueprints to customize the bootable ISO installer image. The new version of Image Builder supports creation of separate logical filesystems.  This helps when meeting security-compliance requirements that call for specific directories and file systems to use dedicated partitions for STIGs.

Web-based monitoring and administration tool Cockpit comes with RHEL 9, making management and operations easier for those new to Red Hat system management.

Red Hat emphasizes uptime and supportability while keeping systems patched. RHEL 9 supports kernel live patch management that allows patching a running Linux kernel without rebooting or restarting processes.

Red Hat systems often run in cloud environments.  RHEL 9 includes Resource Optimization for cloud deployments to help size the system appropriately for its workload and to balance performance and costs.

Getting started with RHEL 9

The first step toward using RHEL 9 is installing it in a test environment to get to know how it works. The  60-day demo subscription can get you started.  It is important to thoroughly test RHEL 9 before lifting and shifting workloads onto new RHEL 9 systems; upgrading in-place is discouraged.

Next, perform an asset inventory of all the RHEL systems in the environment. It’s okay to admit that there are some old RHEL 6 and 7 systems in the environment in desperate need of upgrades. Some organizations may even have a few RHEL 5 and CentOS 4 systems lurking about their data centers.  Those older servers are ideal candidates for RHEL 9 upgrades.

Red Hat contributes to many open-source software projects, and CentOS Linux is their upstream source for RHEL. Check out CentOS Stream 9 (released December 3, 2021) to experience what features may be coming to RHEL 9.1.

If you want to check out the latest Linux features for free, the Fedora Project (now Fedora 36) may be something to download and install. Fedora is intended to have the most leading-edge features and provide a vision for the future progression of the RHEL OS. Red Hat is the primary contributor to the Fedora Project, but it also has worldwide community contributors.

Fedora Workstation 36 (released May 10, 2022) comes with the latest GNOME 42 desktop along with many other new features and software. Fedora 37 will be released in December 2022, an aggressive release schedule that promotes innovation and rapid evolution of new features.

Red Hat release and support schedule

Red Hat provides long-term support for customers who run production applications for many years and require the stability. It also publishes its release schedule and the support life cycle of the operating systems. The schedule had been for a new release every five years, but with RHEL 9 it has returned to a three-year cadence. Dot releases occur annually, so RHEL 9.1 should be out around May 2023.

Support for major RHEL releases spans 10 years: five years of full support followed by five years of maintenance. For example, RHEL 6 was released May of 2011 and is now in the Extended Life-cycle Support (ELS) phase (for customers who purchase that Add-on subscription).

RHEL 9 won’t enter the ELS phase until May 2032.  It’s hard to plan that far in advance, but Red Hat has a long tradition of honoring commitments to customers.  Here is a diagram of the lifespan of RHEL 9 from the RHEL support matrix.

[Image: RHEL 9 support schedule. Credit: Scott Hogg]

Based on the transparency of the release schedule and Red Hat’s history of meeting it, we can expect RHEL 10 to be out sometime in May 2025.


Copyright © 2022 IDG Communications, Inc.


