Red Hat Unveils Red Hat Enterprise Linux 10: Key Features and Changes

On May 20, 2025, Red Hat announced the release of Red Hat Enterprise Linux 10. The previous major release, Red Hat Enterprise Linux 9, launched in May 2022.

Installation images for RHEL 10 are provided exclusively to registered users of the Red Hat Customer Portal. Alternatively, the public ISO images of CentOS Stream 10 and free RHEL for developers can be used for evaluation. This release supports various architectures, including x86_64, s390x (IBM System z), ppc64le (POWER9), AArch64 (ARM64), and RISC-V (in preview).

RHEL 10 is built on the package base of CentOS Stream 10, which serves as the upstream source for RHEL. This allows third-party contributors to oversee the preparation of packages, suggest modifications, and influence decision-making processes. Under the 13-year support cycle, RHEL 10 will be maintained until 2035, with an additional three years of extended paid support. Updates for RHEL 9 will continue until the end of May 2032, while RHEL 8 will be supported until 2029.

According to OpenNET, RHEL 10 packages are not available in the public git.centos.org repository and are only provided to customers through a restricted section of the website, governed by a user agreement (EULA) that prohibits redistribution. This prevents the use of these packages for creating derivative distributions. The source code for RHEL remains accessible in the CentOS Stream repository, although it is not fully synchronized with RHEL, and package versions may differ. Rocky Linux, Oracle, and SUSE reproduce RPM package sources from RHEL releases under the OpenELA project.

Key changes and enhancements in RHEL 10 include:

— The removal of X.org Server and associated components. The default graphics stack is now based on the Wayland protocol, with the ability to run X11 applications in a Wayland session facilitated by the XWayland DDX server (the package "xorg-x11-server-Xwayland" is retained).

— The desktop environment has been upgraded to GNOME 47. A new overview mode has been added to the classic GNOME session for viewing open windows, which was previously only available in the standard GNOME session. Libraries for Qt have been updated to version 6.7, with Qt5 packages removed (only Qt 6 is supported).

— RPM packages for Firefox, GIMP, LibreOffice, Inkscape, and Thunderbird are no longer included. Firefox and Thunderbird can now be automatically downloaded and installed using Flatpak from the external repository flatpaks.redhat.io.

— PulseAudio sound server has been replaced by PipeWire.

— Developer package versions have been updated: GCC 14.2, LLVM 19.1.7, Python 3.12, Ruby 3.3, OpenJDK 21, Rust 1.84.1, Go 1.23, Node.js 22, Perl 5.40, PHP 8.3, Git 2.45, Subversion 1.14, SystemTap 5.1, Valgrind 3.23.0.

— Server package updates include: OpenSSH 9.9, nginx 1.26, Apache HTTPD 2.4.62, Varnish Cache 7.4, Squid 6.10, MariaDB 10.11, MySQL 8.4, PostgreSQL 16, PCP 6.3.0, Grafana 10.2.6, libreswan 4.15, Pacemaker 2.1.8, and 389-ds-base 3.0.4.

— System packages have been updated to: Linux kernel 6.12, glibc 2.39, binutils 2.41, NSS 3.101, gnutls 3.8.9, polkit 125, DNF 4.20, and RPM 4.19.

— New packages have been introduced, including tuned-ppd (replacing power-profiles-daemon), libcpuid, and dnsconfd (a background process for DNS caching). Because the Redis database moved to a proprietary license, its fork Valkey is offered instead. Kea DHCP has replaced ISC DHCP, and the zlib-ng-compat package has replaced zlib.

— In DNF, the default metadata download for package file lists has been disabled. Although this data is rarely used, it is large and can slow down operations. The rpm-sequoia library is employed for working with PGP in DNF and RPM.

— Experimental support for the Composefs filesystem has been added. It is implemented on top of OverlayFS and EROFS and is optimized for efficient storage of content shared across multiple mounted disk images.

— The KVM hypervisor now offers experimental (Technology Preview) support for AMD SEV, SEV-SNP, and SEV-ES technologies.

— New users created through the Anaconda installer interface are granted administrator privileges by default (a specific setting is available to disable this behavior). The installer also features a new interface for timezone selection, and the RDP protocol is now used for remote access to the installer instead of VNC.

— Support for quantum-resistant encryption algorithms has been introduced. These algorithms are available in OpenSSL, OpenSSH, and system cryptographic policies (crypto-policies). OpenSSL now supports generating certificate and key files in PKCS #12 format compliant with FIPS requirements. The pkcs11-provider, rather than the openssl-pkcs11 engine, is used to leverage hardware keys in applications like Apache HTTPD, libssh, bind, and others utilizing OpenSSL. File permissions for SSH host keys have changed from 0640 to 0600 (accessible only by the owner). GnuTLS now supports certificate compression methods using zlib, brotli, and zstd.

— In addition to GnuPG, the Sequoia command-line toolkit (the sq and sqv tools) is included; it implements the OpenPGP (RFC 4880) standard in Rust.

— By default, predictable naming for network interfaces is enabled (net.ifnames=1). NetworkManager now includes Duplicate Address Detection (DAD) for IPv4 to prevent the assignment of the same IP address on different systems within the local network.

— The use of a separate /boot partition has been discontinued in disk images (such as system images for AWS and KVM).

— User-space SELinux tools (libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, mcstrans) have been updated to version 3.8, which introduces the "audit2allow -C" option for output in Common Intermediate Language (CIL). Support for the Wayland protocol has been added to the sandbox utility.

— The Keylime component now supports device identification via IDevID (Initial Device Identity) and IAK (Initial Attestation Key), with TLS 1.3 protocol enabled by default.

— A new file manager (package cockpit-files) has been introduced in the web console for managing files and directories.

— In the CUPS print server, mDNS and broadcast modes have been disabled by default due to recently discovered remote exploitation vulnerabilities.

— Optimizations have been made to glibc functions memcpy and memmove for AMD Zen 3 and Zen 4 processors.

— A significant number of new drivers have been added, including drivers for Intel's built-in QuickAssist Technology (QAT) accelerator, which speeds up the computations needed for compression and encryption.

— Packages such as TigerVNC, Totem, power-profiles-daemon, gedit, gtkmm, WebKitGTK, Evolution, Festival, Eye of GNOME, Cheese, and Tweaks have been removed.

— The following packages are no longer supplied: sendmail (users are advised to switch to postfix), redis, dhcp, dhcp-client, mod_security (moved to EPEL), spamassassin (moved to EPEL), xsane, and runc.

— Packages like squashfs and wget, along with the utmp and utmpx interfaces in glibc, have been declared deprecated.

Experimental builds for the RISC-V architecture (HiFive P550) have also been introduced.
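
The SSH host key permission change noted above (0640 to 0600) can be checked with a short audit; the following is an added example, not code from Red Hat or the article. The function names `audit_host_keys` and `demo` are hypothetical, and the sample key files are constructed placeholders so the check runs without touching /etc/ssh.

```python
import os
import stat
import tempfile
from pathlib import Path

EXPECTED_MODE = 0o600  # RHEL 10 default per the article; the earlier default was 0640


def audit_host_keys(ssh_dir="/etc/ssh"):
    """Return (file name, mode, excess bits) for each private host key whose
    permission bits go beyond 0600. Public keys (*.pub) are not matched."""
    findings = []
    for path in sorted(Path(ssh_dir).glob("ssh_host_*_key")):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks and directories
        mode = stat.S_IMODE(st.st_mode)
        excess = mode & ~EXPECTED_MODE  # bits granted beyond owner read/write
        if excess:
            findings.append((path.name, f"{mode:04o}", f"{excess:04o}"))
    return findings


def demo():
    """Audit a constructed directory of dummy key files (not real keys)."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "ssh_host_rsa_key": 0o640,      # old default: group-readable
            "ssh_host_ed25519_key": 0o600,  # new default: owner only
            "ssh_host_ecdsa_key": 0o644,    # world-readable, also flagged
            "ssh_host_rsa_key.pub": 0o644,  # public key, outside the glob
        }
        for name, mode in samples.items():
            p = Path(d, name)
            p.write_text("constructed placeholder, not a real key\n")
            os.chmod(p, mode)
        return audit_host_keys(d)


if __name__ == "__main__":
    for name, mode, excess in demo():
        print(f"{name}: mode {mode}, excess bits {excess}")
```

On a real host, call `audit_host_keys()` with its default directory as a user able to stat the files in /etc/ssh; an empty list means every private host key is already at 0600 or stricter.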