rhel-knowledge-patch

RHEL 10+ Knowledge Patch

Claude's baseline knowledge covers RHEL through 9.3. This skill provides changes from RHEL 10.0 (2025-06-10) onwards.

Breaking Changes Quick Reference

What Changed	Old (RHEL 9)	New (RHEL 10+)
Redis	redis package	Removed — use valkey 7.2
Sendmail	sendmail package	Removed — use postfix
DHCP server	dhcp/dhclient	Removed — use dhcpcd or ISC Kea
Network teaming	teamd/libteam	Removed — use bonding
FIPS setup	fips-mode-setup	Removed — enable at install with fips=1 kernel arg
FIPS check	/etc/system-fips	Removed — read /proc/sys/crypto/fips_enabled
TLS crypto policy	RSA key exchange allowed	RSA key exchange rejected in DEFAULT policy
SHA-1 in TLS	Allowed in LEGACY	Disallowed even in LEGACY policy
OpenSSL Engines	ENGINE API available	Removed — use providers (e.g. pkcs11-provider)
CA trust bundle	/etc/pki/tls/certs/ca-bundle.crt	/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Installer remote	VNC (inst.vnc)	RDP (inst.rdp, inst.rdp.password)
Default user privs	Non-admin	Admin by default
GFS2	Supported	Removed
Container cgroups	v1 default	v2 default
Rootless networking	slirp4netns	pasta

Software Versions (RHEL 10.0)

Python 3.12, Ruby 3.3, Node.js 22, Perl 5.40, PHP 8.3, GCC 14.2, glibc 2.39, LLVM 19.1.7, Rust 1.84.1, Go 1.23, MariaDB 10.11, MySQL 8.4, PostgreSQL 16, Valkey 7.2, Apache 2.4.62, nginx 1.26, Git 2.45, OpenSSH 9.9, GnuTLS 3.8.9.

RHEL 10.1 adds: GCC Toolset 15, Python 3.13 (alternate AppStream).

Podman v5 Changes

Podman v5 is the default in RHEL 10. Key differences from v4:

• pasta is default rootless network (not slirp4netns)
• cgroups v2 only (v1 no longer default)
• podman farm build fully supported for multi-arch images
• Quadlets support pods (.pod files)
• podman update changes are persistent (SQLite and BoltDB backends)
• containers.conf is read-only for connections/farms — use podman.connections.json
• --compat-volumes option for builds (VOLUME instruction handling)
• zstd:chunked compression for push/pull
• sigstore signatures replace GPG for image verification

See references/podman-v5.md for Quadlet keys and CLI option details.

Security and Crypto Policy

RHEL 10 makes significant crypto policy changes:

• DEFAULT policy rejects TLS ciphers with RSA key exchange (use LEGACY to re-enable)
• LEGACY policy disallows SHA-1 signatures in TLS
• DSA and SEED algorithms removed from NSS
• RSA PKCS#1 v1.5 encryption deprecated in GnuTLS
• Post-quantum algorithms (PQ) available as Technology Preview via crypto-policies
• Sequoia PGP tools sq and sqv complement GnuPG
• OpenSSL ENGINE API removed — migrate to pkcs11-provider
• HeartBeat and SRP removed from TLS

See references/security-changes.md for details.

OpenSSH 9.9

• Ed25519 keys generated by default (except FIPS mode — defaults to RSA)
• ChannelTimeout keyword in sshd_config for inactive channel closure
• EnableEscapeCommandline option in ssh_config
• Agent key restriction and forwarding controls

Removed Infrastructure

# These packages no longer exist in RHEL 10:
# sendmail → postfix
# redis → valkey
# dhcp/dhclient → dhcpcd or ISC Kea
# teamd/libteam → use bonding
# fips-mode-setup → fips=1 kernel arg at install
# scap-workbench → oscap CLI
# oscap-anaconda-addon → RHEL image builder OpenSCAP integration

See references/removed-features.md for the full list.

Installer Changes

• RDP replaces VNC: inst.rdp, inst.rdp.password, inst.rdp.username
• Wayland compositor replaces Xorg in installer (inst.xdriver removed)
• No separate /boot partition on disk images
• New users get admin privileges by default
• Kickstart: --teamslaves/--teamconfig removed (use --bondslaves/--bondopts)
• Kickstart: auth/authconfig removed (use authselect)
• Kickstart: timezone --ntpservers removed (use timesource --ntp-server)