Changes in Fedora 41 For System Administrators
Installation release notes
Release notes for matters related to the installation of Fedora 41 - the Anaconda installer, kickstart, etc., can be found in the upstream Release Notes on Readthedocs.
Self-encrypting drives support in the installer
Starting with Fedora 41, the Anaconda installer has built-in support for self-encrypting hard drives - that is, native hardware encryption on TCG OPAL2 compliant drives.
For more information, see the upstream Cryptsetup release notes.
DNF 5
The default package manager in Fedora 41 is DNF 5. This is a large upgrade that brings many enhancements, notably:
- Reduced footprint: The dnf5 package is a fully-featured package manager that doesn't require Python dependencies. It also reduces the number of software management tools in Fedora by replacing both the dnf and microdnf packages. The installation size of the dnf5 stack in an empty container is approximately 60% smaller than the dnf installation. Additionally, in previous Fedora releases, dnf, microdnf, and PackageKit used their own caches, leading to significant metadata redundancy. With dnf5 and dnf5daemon, which share metadata, this redundancy will be eliminated.
- Faster query processing: The processing of package metadata is now significantly faster. Executing commands such as repoquery to list packages available in repositories is now twice as fast compared to dnf. Similarly, operations like listing dependencies or parsing numerous command-line arguments are notably expedited, potentially saving users seconds to tens of seconds in waiting time for the results.
- Lowered maintenance costs: Many functional duplicates in dnf were eliminated during the development of the new dnf5 package manager. This was partly because the integration of the original PackageKit and dnf libraries into the original libdnf library was never completed. Plugins are now included in the same package as the core functionality.
- Consolidated and streamlined API: The API for managing packages, working with repositories, and solving package dependencies is now consolidated into a single component, providing a unified solution. The original dnf API underwent a review process, during which unused workflows and obsolete methods were removed, while improving usability for users.
- Enhanced command-line outputs: Transaction tables now offer more detailed information, verbose scriptlet outputs are redirected and organized by package name into log files, individual commands come with their own man pages, bash completion has been enhanced, and numerous other improvements have been made.
- Unified user experience: Users now get a unified experience across servers, workstations, and containers, because `dnf5` is the only package manager deployed there. The existing `dnf`, `yum` and `microdnf` commands are linked to `dnf5`, and compatibility aliases will be provided to ease migration. Configuration files are now shared among `dnf5` components. API users will encounter a unified code style and naming conventions. Interfaces for various scripting languages are now provided from a single source through SWIG bindings (previously CPython and SWIG).
For information about this release, see the upstream DNF5 documentation, particularly the list of changes between DNF and DNF5. Developers should also check the DBus API bindings for dnfdaemon.
RPM 4.20
RPM in Fedora 41 has been updated to version 4.20, which provides a number of improvements, such as:
- Hands-free packaging
- Declarative build system
- Dynamic spec generation extended
- File trigger scriptlet arguments
- Support for spec local dependency generators
- Support for sysusers 'm' directive
- Guaranteed per-build directory
- Public plugin API
- Increased install scriptlet isolation
See the upstream release notes for details.
DNF and bootc in Image Mode Fedora variants
Starting with Fedora 41, the Fedora Atomic Desktops, Fedora CoreOS and Fedora IoT will ship bootc and DNF5 as part of the image. You can now use dnf commands as part of container builds that use these Fedora variants as the base image. While rpm-ostree is still available, you can now use bootc to manage your image mode deployments and updates.
When running dnf on a booted image mode system, DNF will give a better error message pointing to the tools available on your booted system to accomplish your task. This is the start of a process to enable DNF with rpm-ostree features and to re-focus on bootc for managing image mode deployments.
SPDX Migration
RPM packages use SPDX identifiers as a standard for licenses. 90% of the packages have been migrated to SPDX identifiers. The remaining packages are estimated to be migrated to SPDX in Fedora 42. A list of all licenses allowed (and used) in Fedora Linux can be found on the Fedora Legal page. Out of that 90%, nine percent of the packages have a temporary LicenseRef-Callaway-* license that conforms to SPDX, but still needs to be assigned the correct license ID from the SPDX organization.
Remove ifcfg support in NetworkManager
NetworkManager removes support for connection profiles stored in ifcfg format. The format is deprecated upstream, and the native keyfile format is a valid and better replacement. The following packages are being dropped: NetworkManager-initscripts-ifcfg-rh, NetworkManager-dispatcher-routing-rules and NetworkManager-initscripts-updown.
Running SSSD with reduced privileges
To support general system hardening (running software with the least privileges possible), the SSSD service is now configured to run under the sssd or root user using the systemd service configuration files. This service user now defaults to sssd and, irrespective of which service user is configured, root or sssd, all root capabilities are dropped with the exception of a few privileged helper processes.
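One way to check the result on a running system, as an added example that is not part of the Fedora release notes or of SSSD itself: the script reads /proc/<pid>/status, decodes the CapEff mask, and lists processes whose name starts with sssd that still hold effective capabilities. The sample status records (UID 990 and the capability masks) are constructed, and matching on the sssd name prefix is an assumption.

```python
import glob

# Capability names by bit position, as defined in linux/capability.h.
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
             "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
             "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
             "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
             "lease audit_write audit_control setfcap mac_override mac_admin syslog "
             "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore").split()

def decode_caps(mask):
    """Turn a CapEff bitmask into a list of capability names."""
    return [f"cap_{CAP_NAMES[b]}" if b < len(CAP_NAMES) else f"cap_bit_{b}"
            for b in range(mask.bit_length()) if (mask >> b) & 1]

def parse_status(text):
    """Extract name, effective UID and effective capabilities from a status file."""
    f = dict((k, v.strip()) for k, v in
             (line.split(":", 1) for line in text.splitlines() if ":" in line))
    return {"name": f["Name"], "euid": int(f["Uid"].split()[1]),
            "caps": decode_caps(int(f["CapEff"], 16))}

def audit(status_texts, prefix="sssd"):
    """Return SSSD processes that still hold any effective capability."""
    procs = [parse_status(t) for t in status_texts]
    return [p for p in procs if p["name"].startswith(prefix) and p["caps"]]

def live_status_texts():
    """Read the status files of all running processes (Linux only)."""
    texts = []
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                texts.append(fh.read())
        except OSError:  # process exited while we were scanning
            pass
    return texts

# Constructed sample data: UID 990 and the capability masks are made up.
SAMPLE = [
    "Name:\tsssd_be\nUid:\t990\t990\t990\t990\nCapEff:\t0000000000000000\n",
    "Name:\tsssd_nss\nUid:\t0\t0\t0\t0\nCapEff:\t00000000000000c0\n",
    "Name:\tsshd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n",
]

if __name__ == "__main__":
    for p in audit(live_status_texts() or SAMPLE):
        print(f"{p['name']}: euid={p['euid']} caps={','.join(p['caps'])}")
```

Any process it lists is a candidate for review against the SSSD unit files and the documented privileged helpers.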
Removal of the sss_ssh_knownhostsproxy tool
The sss_ssh_knownhostsproxy tool was deprecated in the previous release and has now been removed. It is replaced by the sss_ssh_knownhosts tool. See man sss_ssh_knownhosts(1) to learn how to use it.
Consistent device naming in Fedora Cloud
Previously, the Fedora Cloud edition set the net.ifnames=0 kernel command-line parameter during the kickstart process. This disabled consistent naming for networking devices and ensured that Ethernet devices kept their traditional names such as eth0, eth1, and so on. With this update, net.ifnames=0 has been removed from the Fedora Cloud kickstart file to ensure consistency in network device naming and to align with the other Fedora editions.
Remove network-scripts
With this update, the long-deprecated package network-scripts will be removed. The package provided the legacy utilities ifup and ifdown, as well as the network.service. Network scripts heavily depend on the Dynamic Host Configuration Protocol (DHCP) client, and without active development, there is no chance of updating them to use an alternative client.
Packages that depend to some extent on network-scripts:
Note that this change also affects all users with local custom network-scripts that require functionality from the network-scripts package.
Access to all versions of Kubernetes and its related components
Starting with Fedora 41, all supported versions of Kubernetes, CRI-O and CRI-Tools will be available concurrently. As an example, Fedora 41 has the following Kubernetes RPMs at release:
- kubernetes1.29
- kubernetes1.30
- kubernetes1.31
This is a significant change from the past Fedora releases, which only had a single version of Kubernetes available in Fedora repositories. CRI-O and CRI-Tools RPMs also share this change with versions available to complement Kubernetes. For more information, see this Fedora Quick Doc.
TuneD is the default power profile management daemon
TuneD replaced power-profiles-daemon as the default power profile management daemon for the following Fedora workstation spins:
- KDE Plasma
- GNOME
Server users can customize the desktop-exposed power profiles by editing the /etc/tuned/ppd.conf file from the command line. Workstation users can set the power profile through the GUI control center.
The tuned-ppd package provides a drop-in replacement for power-profiles-daemon, which allows it to be used with the current desktops.
Applications that already use power-profiles-daemon can access TuneD without modifying their code.
Netavark uses nftables by default
Netavark is a container networking tool used by Podman. Netavark manages interfaces and firewall rules, and with this Fedora update it will use nftables by default to create firewall rules for containers.
Unprivileged updates for Fedora Atomic Desktops
On Atomic Desktops, the policy controlling access to the rpm-ostree daemon has been updated to:
- Enable users to update the system without having elevated privileges or typing a password. Note that this change only applies to system updates and repository meta updates; not to other operations.
- Reduce access to the most privileged operations (such as changing the kernel arguments, or rebasing to another image) of rpm-ostree for administrators to avoid mistakes. Only the following operations will remain password-less to match the behavior of the package mode Fedora with the dnf command:
  - install and uninstall packages
  - upgrade the image
  - rollback the image
  - cancel transactions
  - cleanup deployment
ComposeFS enabled by default for Fedora CoreOS and IoT editions
On Fedora CoreOS and Fedora IoT systems, the root mount of the system (/) is now mounted using composefs, which makes it a truly read-only filesystem, increasing system integrity and robustness. This is the first step toward full runtime verification of filesystem integrity.
Enable bootupd on Fedora Silverblue and Kinoite editions
On Atomic Desktops, the bootloader is now automatically updated using bootupd. New systems are now installed with a static GRUB configuration which relies only on the Boot Loader Specification configuration files and is not regenerated for each update.
Multiple versioned Kubernetes packages
The upstream Kubernetes project maintains 3 concurrent versions with a new release every 4 months. Previously, Fedora provided only one of these versions at a time, matched with a specific release. Starting with Fedora 41, all currently supported Kubernetes versions are provided, using separate packages named after each major version. Using the kubernetes-client rpm as an example, instead of kubernetes-client-1.29.2-1.fc41, Fedora now offers kubernetes1.29-client-1.29.2-1.fc41, kubernetes1.28-client-1.28.5-1.fc41, and kubernetes1.27-client-1.27.8-1.fc41.
Upgrading to Fedora 41 on a machine with Fedora 40 or Fedora 39 requires a manual step by the user to select the appropriate versioned Kubernetes package.
For more information, see the Fedora Quick Docs.
dm-vdo and vdo-8.3
Fedora 41 is the first Fedora release that provides the dm-vdo (virtual data optimizer) device mapper target, along with the vdo user tools package.
The `dm-vdo` target provides inline deduplication, compression, and thin provisioning. These features can be added to the storage stack and are compatible with any file system. A `dm-vdo` target can be backed by up to 256 TB of storage and can present a logical size of up to 4 PB. Development of this target began in 2009. It was first released in 2013 and has been used in production environments ever since. It was open-sourced in 2017 and merged into the upstream Linux kernel in 2024.
To support dm-vdo targets, the vdo user tool package provides the following tools:
- vdoformat, which is required to create and format vdo volumes.
- vdostats, which displays useful configuration and statistics information for vdo volumes.
- vdoforcerebuild, which is used in bringing a vdo out of read-only mode following an unrecoverable error.
Additional diagnostic tools are also included in the vdo package. However, they are rarely needed for normal operation.
Although not required, it is strongly recommended that lvm2 be used to manage vdo volumes. See the lvm2 documentation for more information.
If you have a vdo volume created with the kvdo module, be sure to refer to the kvdo documentation for important considerations prior to attempting to upgrade to a dm-vdo target.
Stratis 3.7: stratisd 3.7.3 and stratis-cli 3.7.0
This update includes releases of stratisd 3.7.3 and stratis-cli 3.7.0. It includes one significant enhancement, several minor enhancements, and a number of small improvements.
Most significantly, Stratis 3.7.3 extends its functionality to allow a user to revert a snapshot, i.e., to overwrite a Stratis filesystem with a previously taken snapshot of that filesystem. The process of reverting requires two steps. First, a snapshot must be scheduled for revert. Second, the revert itself can only take place when a pool is started. This can be done while stratisd is running, by stopping and then restarting the pool. A revert may also be triggered by a reboot of the system stratisd is running on. Restarting stratisd will also cause a scheduled revert to occur, so long as the pool containing the filesystem to be reverted has already been stopped. To support this functionality, stratis-cli includes two new filesystem subcommands, schedule-revert and cancel-revert.
Some additional functionality has been added to support the revert feature. First, a filesystem's origin field is now included among its D-Bus properties and updated as appropriate. stratis-cli displays an origin value in its newly introduced filesystem detail view. stratisd also supports a new filesystem D-Bus method which returns the filesystem metadata. The filesystem debug commands in stratis-cli now include a get-metadata option which will display the filesystem metadata for a given pool or filesystem. Equivalent functionality has been introduced for the pool metadata as well.
stratisd also includes a considerable number of dependency version bumps, minor fixes and additional testing, while stratis-cli includes improvements to its command-line parsing implementation.
Please consult the stratisd and stratis-cli changelogs for additional information about the release.
Fedora repoquery tool
Fedora 41 provides a new tool for querying repositories, fedora-repoquery, a small command-line tool for doing repoqueries of Fedora, EPEL, eln, and CentOS Stream package repositories. It wraps dnf repoquery, keeping cached repo data under separate repo names for faster cached querying.
See the upstream readme for usage examples, or use fedora-repoquery --help after installing.
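OpenSSL no longer trusts SHA-1 signatures by default
OpenSSL in Fedora 41 no longer trusts SHA-1 signatures by default and blocks their creation. This change was made because chosen-prefix collision attacks against SHA-1 are becoming increasingly feasible. It brings Fedora's security defaults closer to what is considered secure in modern cryptography.
You can revert to the previous default behavior system-wide with update-crypto-policies --set FEDORA40, or per process with runcp FEDORA40 command args, using the crypto-policies-extra tool available from Copr. These legacy policies will remain maintained for the next several Fedora releases. However, using them is generally not recommended.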
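Reproducible package builds
Fedora package builds are now more deterministic, bringing the distribution closer to the goal of fully reproducible builds for all packages.
For more information, see Fedora's reproducible builds documentation.
Libvirt virtual network NFTables
libvirt virtual networks have been changed to prefer the `nftables` firewall backend over `iptables`.
This change may cause some compatibility issues; see the change page for details and workarounds.
Redis has been replaced by Valkey
Because Redis changed its license to RSALv2/SSPL, making it incompatible with free and open source principles, Fedora 41 has replaced Redis with Valkey. Valkey is a drop-in replacement for Redis that retains the original BSD license.
When upgrading to Fedora Linux 41, systems with redis installed will be switched to valkey through the valkey-compat package. Because the valkey-compat package provides configuration and data migration for most common configurations, this change should be largely transparent to users. The systemd units for valkey will provide aliases for redis to ease migration.
OpenSSL engine support is deprecated
Support for OpenSSL engines is deprecated in Fedora 41. Engines are not FIPS compatible, and the corresponding API has been deprecated since OpenSSL 3.0. Users who currently use OpenSSL engines should switch to providers.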