Зміни у Fedora 40 для системних адміністраторів

Installer changes

For a list of changes in Fedora’s Anaconda installer and related components such as Kickstart, see the upstream release notes.

Fedora IoT Bootable Container

There is now a bootable image available for Fedora IoT edition. This provides new means for users to consume Fedora IoT, which may better suit their environments and ecosystem, allowing wider adoption.

You can download the new image at the official Fedora IoT page. Also see the documentation.

389 Directory Server 3.0.0

Fedora 40 provides a new major release of 389 Directory Server, a significant upgrade from version 2.4.4 available in previous releases.

One major change is that, starting with this version, new instances are created using LMDB by default, instead of BerkeleyDB which was the default previously. See here for more information.

Switch pam_userdb from BerkeleyDB to GDBM

pam_userdb was built with support for BerkeleyDB, but this project is no longer maintained as open source, so it has been replaced by GDBM in Fedora 40. See the Fedora System Administrator’s Guide for information about how to convert.

Support for the enumeration feature has been removed for AD and IPA backends

The enumeration feature provides the ability to list all users or groups using getent passwd or getent group' without arguments. Support for the `enumeration feature has been removed for AD and FreeIPA providers.

sss_ssh_knownhostsproxy tool will be replaced in future releases

sss_ssh_knownhostsproxy tool has been deprecated and will be replaced by a new, more efficient tool. See upstream ticket for details.

Removing SSSD files provider

Previously deprecated SSSD "files provider" feature that allows handling of local users has been removed in Fedora 40. This does not affect default configuration where local users are handled by glibc module (libnss_files.so.2), which is most cases. In case of specific configuration that requires SSSD to handle local users (smart card authentication or session recording of local users), switch to proxy provider instead. If you fall into one of these use cases, see the upstream documentation for more details.

Authselect minimal profile replaced by local

The minimal profile for Authselect is now replaced by local. The new local profile is based on minimal but gains additional optional features, it is used to serve local users and groups without SSSD. This migration from minimal to local profile is performed automatically with a new installation or upgrade to Fedora 40 and users are not affected. However, users should adapt their scripts to the new local profile since the minimal profile is no longer available.

bogofilter to use SQLite

Bogofilter (bogofilter package) is a fast anti-spam filtering mechanism that uses Bayesian statistical analysis to classify emails as either spam or non-spam. It uses Berkeley DB (libdb package) as its database engine for storing word probabilities and other relevant data used in the filtering process.

With this release, Bogofilter switched its database engine from Berkeley DB to SQLite, because Fedora deprecated the libdb package.

Bogofilter supports only one database backend at a time, therefore the updated bogofilter package will be unable to process the libdb data. As a result, the new package provides a migration script. Alternatively, you can migrate your word lists manually with this command bogomigrate-berkeley ~/.bogofilter/wordlist.db.

Podman 5

The podman container engine has been upgraded to version 5, which provides multiple bug fixes and enhancements. Notable changes include:

  • Dropped support for cgroups version 1 (environments have to switch to cgroups version 2)

  • Deprecated Container Networking Interface (CNI) plugins (environments have to switch to the netavark network stack)

  • Deprecated BoltDB

  • Set passt as the default rootless network service instead of slirp4netns

  • Improved handling of the containers.conf file

  • Isolated podman bindings to ensure improved usability

For full extent of updates, see the upstream release notes.

ROCm 6

The ROCm stack for graphics processing unit (GPU) computation has been updated to version 6, which provides multiple bug fixes and enhancements. Notable changes include:

  • Improved performance in areas like lower precision math and attention layers

  • New hipSPARSELt library to accelerate AI workloads through the AMD sparse matrix core technique

  • Latest support for AI frameworks like PyTorch, TensorFlow, and JAX

  • New support for libraries such as DeepSpeed, ONNX-RT, and CuPy

For full extent of updates, see the upstream release notes.

Stratis 3.6

This upgrade includes new releases of stratisd 3.6.7 and stratis-cli 3.6.0.

These releases include a number of improvements, bug fixes, and housekeeping changes. The following is a brief summary of the changes.

stratisd 3.6.7 includes a fix to a bug introduced in stratisd 3.6.6 which caused the stratis-min pool start command to fail if the pool was encrypted and the password to unlock the pool was specified on the command-line. It also includes a fix to a bug introduced in stratisd 3.6.4 which prevented automatically unlocking a pool when mounting a filesystem specified in /etc/fstab.

stratisd 3.6.6 fixes a bug where it would be possible to misreport the PID of an already running instance of stratisd when attempting to start another instance. It also includes restrictions on the size of the string values in the Stratis pool-level metadata.

stratisd 3.6.5 includes a modification to its internal locking mechanism which allows a lock which does not conflict with a currently held lock to precede a lock that does. This change relaxes a fairness restriction that gave precedence to locks based solely on the order in which they had been placed on a wait queue.

stratisd 3.6.4 includes a fix for stratisd-min handling of the start command sent by stratis-min to unencrypted pools. It also captures and logs errors messages emitted by the thin_check or mkfs.xfs executables.

stratisd 3.6.3 explicitly sets the nrext64 option to 0 when invoking mkfs.xfs. A recent version of XFS changed the default for nrext64 to 1. Explicitly setting the value to 0 prevents stratisd from creating XFS filesystems that are unmountable on earlier kernels.

stratisd 3.6.2 includes a fix in the way thin devices are allocated in order to avoid misalignment of distinct sections of the thin data device. Such misalignments may result in a performance degradation.

stratisd 3.6.1 includes a fix to correct a problem where stratisd would fail to unlock a pool if the pool was encrypted using both Clevis and the kernel keyring methods but the key in the kernel keyring was unavailable.

stratisd 3.6.0 extends its functionality to allow a user to set a limit on the size of a filesystem and includes a number of additional enhancements.

The stratis-cli 3.6.0 command-line interface has been extended with an additional option to set the filesystem size limit on creation and two new filesystem commands, set-size-limit and unset-size-limit, to set or unset the filesystem size limit after a filesystem has been created.

All releases include sundry internal improvements, conveniences, and minor bug fixes.

Please see the stratisd changelog and the stratis-cli changelog for further details.

Drop delta RPMs

Delta RPM (DRPM) is a feature, which reduces the time and data required to update packages by downloading only the differences (deltas) between the old and the new version of an RPM package. Based on your current version and the delta, your system then locally re-assembles a complete RPM package with a new version of software.

With this Fedora release, DRPMs will no longer be generated during the compose process. Also, the DRPM support in dnf and dnf5 will be disabled by default. Some of the most notable reasons for this change are as follows:

  • It is not possible to produce DRPMs for all packages, because of the way DRPMs are generated during the compose process. As a result, this can lead to upgrades that involve hundreds of packages, but only a small fraction of them (or none at all) have appropriate DRPMs available in the repository.

  • The re-construction of a new RPM version can fail. This causes an additional download of the complete RPM for the new version.

  • The presence of DRPMs in repositories inflate the size of the repository metadata. That metadata need to be downloaded by all users, whether the actual upgrade involves DRPMs or not.

This change aims to bring the following benefits:

  • Simplification of the compose process for "updates" and "updates-testing" repositories, because the generation of DRPMs is skipped.

  • Reduction in bandwidth use for repository metadata updates.

  • Reduction of storage requirements in Fedora infrastructure and on repository mirrors due to smaller metadata and dropped DRPMs.

  • More reliable upgrades for users.

Stop downloading filelists by default

Filelists are XML files that provide important metadata and information that facilitate RPM package installation, management, and maintenance.

With this Fedora release, the DNF behavior changed in a sense that the filelists will no longer be downloaded by default. The reason is, the metadata that filelists provide are unnecessary in the majority of use cases and they are large in size. This leads to a significant slowdown in the user experience.

This change aims to bring the following notable benefits:

  • Significant reduction in processing time and resource usage for RPM package building, installation, testing environment creation, and others

  • Decrease in costs of a Fedora mirror server operation

  • Reduction in RAM requirements of the DNF process, which addresses existing issues when you run the Fedora system on low-memory machines such as the Raspberry Pi’s

Note that you can still use DNF without filelists metadata when querying file provides located in /usr/bin, /usr/sbin or /etc directories.

wget2 as wget

The wget command in Fedora 40 uses Wget2.

GNU Wget2 is the successor to GNU Wget providing a modern implementation of wget backed by a new library: libwget2. The intent to switch from wget 1.x to wget2 is to switch to an implementation that is more actively developed and provides a richer interface for leveraging wget’s functionality.

Enable IPv4 address conflict detection by default in NetworkManager

IPv4 address conflict detection is now enabled by default in NetworkManager. In other words, RFC 5527 is now enabled by default with an interval of 200 ms.

Assign individual, stable MAC addresses for Wi-Fi connections

Fedora 40 adopts stable-ssid as the default mode for assigning individual, stable MAC addresses to Wi-Fi connections in NetworkManager, enhancing user privacy without compromising network stability.

The change adds a new file, /usr/lib/NetworkManager/conf.d/22-wifi-mac-addr.conf, which sets wifi.cloned-mac-address=stable-ssid as the default mode for MAC address selection in Wi-Fi connections within NetworkManager. The stable-ssid mode generates a different MAC address based on each SSID it uses to connect to a network, which is designed to enhance user privacy by making it more difficult for users to be tracked across networks by their hardware MAC address.

This new default value overrides the NetworkManager default of preserve and is applied to all existing and new Wi-Fi profiles in Fedora 40 and later that do not override the default, such as by cloning a specific MAC address in the NetworkManager GUI or independently setting wifi.cloned-mac-address.

With the adoption of stable-ssid as the default in Fedora 40, upgrading to Fedora 40 will apply this new MAC address generation by default, including on existing Wi-Fi profiles. This can result in potentially breaking changes to Wi-Fi connection behavior, particularly for users of networks with features or restrictions that rely on the device’s prior default MAC address.

Users who must maintain consistent MAC addresses for specific networks can address this by manually setting wifi.cloned-mac-address to permanent for specific profiles:

nmcli connection modify [$PROFILE] wifi.cloned-mac-address permanent

Replace [$PROFILE] with the NetworkManager profile name, which is typically the SSID. To list profiles by name, run nmcli connection.

To revert to previous behavior, override the new default by following one of these steps:

  • Create a custom configuration file in /etc/NetworkManager/conf.d/22-wifi-mac-addr.conf, which can be empty or contain specific configurations. This prevents Fedora from loading its default file in /usr/lib.

  • Create a higher priority .conf file, such as /etc/NetworkManager/conf.d/90-wifi-mac-addr.conf, which sets wifi.cloned-mac-address:

    [connection-90-wifi-mac-addr-conf]
    wifi.cloned-mac-address=permanent

For details on the order in which configuration files are loaded and their priority, refer to man NetworkManager.conf. For other available wifi.cloned-mac-address options, see the [NetworkManager documentation](https://networkmanager.dev/docs/api/1.46/settings-802-11-wireless.html).

PostgreSQL 16

Fedora 40 provides version 16 of PostgreSQL. For more information, see the upstream release notes.

Міграція SPDX

RPM packages use SPDX identifiers for licenses as a standard. 63 % of the packages and almost all packeges from ELN set have been migrated to SPDX identifiers. The remaining packages are estimated to be migrated to SPDX in Fedora 41.