From knowledge-patch
Provides AlmaLinux 9.4 through 10.2 compatibility, deprecation, and lifecycle details, covering installation, packages, security, and upgrades.
How this skill is triggered — by the user, by Claude, or both
Slash command
/knowledge-patch:almalinux-knowledge-patchThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Baseline: AlmaLinux 9.3. Covered range: versioned changes from 9.4 through
Baseline: AlmaLinux 9.3. Covered range: versioned changes from 9.4 through
10.2, including 9.8-10.2-ga, plus lifecycle, ELevate, and project-security
updates captured through 2026-07-11.
| Reference | Topics |
|---|---|
| platform-installation.md | Kernels, architectures, x86-64-v2, i686, media, Btrfs, Secure Boot, legacy hardware, lifecycle |
| packages-toolchains.md | Application streams, compilers, debugging tools, package omissions and replacements |
| security-cryptography.md | Crypto policies, OpenSSL, RPMv6, OpenPGPv6, SELinux, Keylime, identity |
| operations-virtualization.md | Networking, logging, containers, IBM POWER KVM, SPICE, kernel behavior |
| system-upgrades.md | Beta conversion, ELevate paths, Leapp contracts, third-party repository transitions |
| security-advisories.md | 2026 kernel, container-escape, local-root, and nginx advisories |
The standard AlmaLinux 10 x86_64 build uses the x86-64-v3 CPU baseline.
Use AlmaLinux's x86_64_v2 build for older CPUs, but account for the fact
that RHEL 10 third-party packages target v3. A v2 system is safest with the
default OS package set or packages rebuilt for v2 (10.0).
AlmaLinux 10.0 removed i686 packages. AlmaLinux 10.2 restores i686
userspace for legacy applications, CI, and containers
(9.8-10.2-ga), but it does not add an i686 installer or 32-bit kernel.
The packages live on vault.almalinux.org, official containers use
linux/386, and the stream is maintained through 2035 (10.2).
Notable packages absent from AlmaLinux include:
9.5: insights-client, kmod-redhat-*, kpatch*,
openssl-fips-provider, rhc, Subscription Manager add-ons,
virt-who, virtio-win, and Windows SPICE packages.9.6: command-line-assistant.10.0: redhat-cloud-client-configuration,
redhat-flatpak-data, redhat-support-lib-python, and
redhat-support-tool.AlmaLinux supplies its own backgrounds, index, logos, release, and related
branding packages (9.7). See the package reference for exact names.
dwz (9.7). System Annobin remains separately versioned.release-catalog).10.1). Do not
assume an upgraded or older installation has the same repository state.Stable ELevate supports AlmaLinux 9.8 to 10.2
(elevate-upgrades). The x86_64_v2 AlmaLinux 9 to AlmaLinux 10 and
Kitten 10 paths use dedicated leapp-data-*x86_64_v2 packages and were
released to NG.
Before chaining CentOS 7 to EL8 to EL9, remove every ELevate-related EL7
package after reaching EL8. Stale leapp-data-* can conflict with
leapp-upgrade-* under /etc/leapp/repos.d/system_upgrade and create
malformed semicolon-suffixed symlinks.
Keep these rules in mind:
--target selects only a published, supported destination minor; an
unreleased target may disappear until it ships.x86_64 architectures can use the standard quickstart with current
map files.BE1229CF for EL8/EL9 and F748182B
for EL10.net.naming-scheme is enabled by default.--enable-experimental-feature explicitly enables experimental Leapp
features, including simplified LiveMode.Use system-upgrades.md for the exact Leapp/data versions, repository mappings, transition actions, and 9.4 or 10.0 beta-to-stable commands.
Media follow AlmaLinux-10.0-$arch-{boot,minimal,dvd}.iso. Only boot media
needs a network source. If discovery fails, use a mirror's
10.0/BaseOS/$arch/kickstart/ path (10.0).
Verify with the AlmaLinux 10 signing key:
wget https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-10
gpg --import RPM-GPG-KEY-AlmaLinux-10
gpg --verify CHECKSUM
sha256sum AlmaLinux-10.0-$(uname -m)-boot.iso
The key fingerprint is
EE6D B7B9 8F5B F5ED D9DA 0DE5 DEE5 C11C C2A1 E572.
10.1).9.8).be2net devices need kernel
5.14.0-427.18.1.el9_4 or later.| Release | Behavior |
|---|---|
| AlmaLinux 9.5 | System crypto-policy algorithm selection extends to Java; OpenSSL 3.2.2 adds TLS certificate compression and TLS 1.3 Brainpool curves. |
| AlmaLinux 9.7 | Select the PQ subpolicy to enable post-quantum algorithms; OpenSSL 3.5 adds ML-KEM, ML-DSA, SLH-DSA, and default hybrid ML-KEM TLS groups. |
| AlmaLinux 10.0 | Crypto policies, OpenSSL, and OpenSSH 9.9 support post-quantum algorithms; OpenSSL adds FIPS-compliant PKCS #12 and pkcs11-provider. |
| AlmaLinux 10.1 | Post-quantum algorithms are on by default in every system crypto policy; RPMv6 supports multiple signatures and Sequoia handles post-quantum RPM and OpenPGPv6 signatures. |
Other high-value security changes:
9.4).9.4); SELinux 3.8 can emit CIL
from audit2allow and supports the sandbox on Wayland (10.0).keylime-policy consolidates policy management (10.0).sudo system role for fleet configuration.9.8-10.2-ga).10.0).10.0).systemd and ps CPU during task cleanup (9.8).Use the package and operations references for complete version matrices.
Advisory status here is from project-news on 2026-07-11. Re-check current
repositories before acting.
| Issue | Exposure | Snapshot status |
|---|---|---|
| GhostLock, CVE-2026-43499 | Local root and container escape; every supported release | Patched kernels in testing |
| Januscape, CVE-2026-53359 | KVM/x86 guest-to-host root escape; every release | Patched kernels in testing |
| Bad Epoll, CVE-2026-46242 | Local root on AlmaLinux 9 and 10 | Patched kernels in testing |
| IPv6 fragmentation flaw | Container-to-host root on AlmaLinux 10 and Kitten 10 | AlmaLinux 10 fix in testing; Kitten fix scheduled |
| CIFSwitch, CVE-2026-46243 | Local root through cifs.spnego under specific namespace/package conditions | Fixed kernels in production; update and reboot |
| CVE-2026-46333 | Read root-owned files through __ptrace_may_access() | Patched kernels in testing; mitigation available |
| NGINX Rift, CVE-2026-42945 | Unauthenticated rewrite-module heap overflow | Fixed packages in production for all supported releases and streams |
Copy Fail, Dirty Frag, and Fragnesia are additional local-root risks for multi-tenant systems, build farms, CI, and untrusted shells. Read security-advisories.md for CVEs, affected contexts, mitigations, and captured package state.
npx claudepluginhub nevaberry/nevaberry-plugins --plugin knowledge-patchProvides RHEL 10.2 reference knowledge covering breaking changes, installation, security, networking, storage, virtualization, containers, and system services. Use to avoid compatibility issues in RHEL administration.
Hardens Linux endpoints using CIS Benchmark recommendations for Ubuntu, RHEL, and CentOS. Useful for deploying new servers, remediating audit findings, or establishing security baselines.
Hardens infrastructure across Docker, Kubernetes/ECS, OS, TLS, secrets, and build pipelines with CIS benchmarks, image scanning, and actionable hardening plans.