---
name: rhel-knowledge-patch
description: "RHEL changes since training cutoff (latest: 10.1) — Valkey replaces Redis, Podman v5 with pasta networking, post-quantum crypto, ISC Kea DHCP, stricter TLS/FIPS policies. Load before working with RHEL."
license: MIT
version: "10.1"
metadata:
  author: Nevaberry
---

# RHEL 10+ Knowledge Patch

Claude's baseline knowledge covers RHEL through 9.3. This skill provides changes from RHEL 10.0 (2025-06-10) onwards.

## Breaking Changes Quick Reference

| What Changed | Old (RHEL 9) | New (RHEL 10+) |
|--------------|-------------|----------------|
| Redis | `redis` package | Removed — use `valkey` 7.2 |
| Sendmail | `sendmail` package | Removed — use `postfix` |
| DHCP server | `dhcp`/`dhclient` | Removed — use `dhcpcd` or ISC Kea |
| Network teaming | `teamd`/`libteam` | Removed — use bonding |
| FIPS setup | `fips-mode-setup` | Removed — enable at install with `fips=1` kernel arg |
| FIPS check | `/etc/system-fips` | Removed — read `/proc/sys/crypto/fips_enabled` |
| TLS crypto policy | RSA key exchange allowed | RSA key exchange rejected in DEFAULT policy |
| SHA-1 in TLS | Allowed in LEGACY | Disallowed even in LEGACY policy |
| OpenSSL Engines | ENGINE API available | Removed — use providers (e.g. `pkcs11-provider`) |
| CA trust bundle | `/etc/pki/tls/certs/ca-bundle.crt` | `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` |
| Installer remote | VNC (`inst.vnc`) | RDP (`inst.rdp`, `inst.rdp.password`) |
| Default user privs | Non-admin | Admin by default |
| GFS2 | Supported | Removed |
| Container cgroups | v1 default | v2 default |
| Rootless networking | `slirp4netns` | `pasta` |

## Software Versions (RHEL 10.0)

Python 3.12, Ruby 3.3, Node.js 22, Perl 5.40, PHP 8.3, GCC 14.2, glibc 2.39, LLVM 19.1.7, Rust 1.84.1, Go 1.23, MariaDB 10.11, MySQL 8.4, PostgreSQL 16, Valkey 7.2, Apache 2.4.62, nginx 1.26, Git 2.45, OpenSSH 9.9, GnuTLS 3.8.9.

**RHEL 10.1 adds**: GCC Toolset 15, Python 3.13 (alternate AppStream).

## Podman v5 Changes

Podman v5 is the default in RHEL 10. Key differences from v4:

- `pasta` is the default rootless network backend (not `slirp4netns`)
- cgroups v2 only (v1 no longer default)
- `podman farm build` fully supported for multi-arch images
- Quadlets support pods (`.pod` files)
- `podman update` changes are persistent (SQLite and BoltDB backends)
- `containers.conf` is read-only for connections/farms — use `podman.connections.json`
- `--compat-volumes` option for builds (VOLUME instruction handling)
- `zstd:chunked` compression for push/pull
- sigstore signatures replace GPG for image verification

See [references/podman-v5.md](references/podman-v5.md) for Quadlet keys and CLI option details.

## Security and Crypto Policy

RHEL 10 makes significant crypto policy changes:

- **DEFAULT policy** rejects TLS ciphers with RSA key exchange (use LEGACY to re-enable)
- **LEGACY policy** disallows SHA-1 signatures in TLS
- DSA and SEED algorithms removed from NSS
- RSA PKCS#1 v1.5 encryption deprecated in GnuTLS
- Post-quantum algorithms (PQ) available as Technology Preview via crypto-policies
- Sequoia PGP tools `sq` and `sqv` complement GnuPG
- OpenSSL ENGINE API removed — migrate to `pkcs11-provider`
- Heartbeat and SRP removed from TLS

See [references/security-changes.md](references/security-changes.md) for details.

## OpenSSH 9.9

- Ed25519 keys generated by default (except FIPS mode — defaults to RSA)
- `ChannelTimeout` keyword in `sshd_config` for inactive channel closure
- `EnableEscapeCommandline` option in `ssh_config`
- Agent key restriction and forwarding controls

## Removed Infrastructure

```bash
# These packages no longer exist in RHEL 10:
# sendmail → postfix
# redis → valkey
# dhcp/dhclient → dhcpcd or ISC Kea
# teamd/libteam → use bonding
# fips-mode-setup → fips=1 kernel arg at install
# scap-workbench → oscap CLI
# oscap-anaconda-addon → RHEL image builder OpenSCAP integration
```

See [references/removed-features.md](references/removed-features.md) for the full list.

## Installer Changes

- RDP replaces VNC: `inst.rdp`, `inst.rdp.password`, `inst.rdp.username`
- Wayland compositor replaces Xorg in installer (`inst.xdriver` removed)
- No separate `/boot` partition on disk images
- New users get admin privileges by default
- Kickstart: `--teamslaves`/`--teamconfig` removed (use `--bondslaves`/`--bondopts`)
- Kickstart: `auth`/`authconfig` removed (use `authselect`)
- Kickstart: `timezone --ntpservers` removed (use `timesource --ntp-server`)
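
An added example (not part of the original skill and not Red Hat tooling): a POSIX shell lint that flags the kickstart directives listed above as removed. It goes slightly beyond the installer list by also catching the FIPS and CA-bundle items from the quick-reference table when they appear in `%post`. The function names, the rule format and the sample kickstart are assumptions constructed for illustration.

```shell
# Added example, not Red Hat tooling. Rules are "ERE => fix", taken from this page.
ks_rules() {
  cat <<'EOF'
^[[:space:]]*(auth|authconfig)([[:space:]]|$) => use authselect
--team(slaves|config) => use --bondslaves / --bondopts
^[[:space:]]*timezone[[:space:]].*--ntpservers => use timesource --ntp-server
inst\.vnc => use inst.rdp and inst.rdp.password
inst\.xdriver => removed, installer runs on Wayland
fips-mode-setup => boot the installer with fips=1
/etc/system-fips => read /proc/sys/crypto/fips_enabled
/etc/pki/tls/certs/ca-bundle\.crt => use /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
EOF
}

# ks_lint FILE (hypothetical helper): print "LINE:text  [fix]" per finding.
# Returns 0 if clean, 1 if flagged, 2 if FILE is unreadable (never "clean" by accident).
ks_lint() {
  [ -r "$1" ] || { echo "ks_lint: cannot read $1" >&2; return 2; }
  ks_out=$(
    ks_rules | while IFS= read -r rule; do
      pat=${rule%%' => '*}
      fix=${rule#*' => '}
      # -e stops "--team..." being parsed as an option; second grep drops comment lines.
      grep -nE -e "$pat" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' |
        while IFS= read -r hit; do printf '%s  [%s]\n' "$hit" "$fix"; done
    done | sort -t: -k1,1n
  )
  [ -n "$ks_out" ] || return 0
  printf '%s\n' "$ks_out"
  return 1
}

# Constructed sample input: a RHEL 9-era kickstart fragment, not from a real host.
ks_sample() {
  cat <<'EOF'
#network --device=team0 --teamslaves="eth0"
authconfig --enableshadow --passalgo=sha512
network --device=team0 --teamslaves="eth0,eth1" --teamconfig='{"runner":{"name":"activebackup"}}'
timezone Europe/Helsinki --ntpservers=ntp.example.test
authselect select sssd
%post
fips-mode-setup --check
curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://repo.example.test/
%end
EOF
}

if [ "$#" -gt 0 ]; then ks_lint "$1"; fi
```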
