Red Hat Enterprise Linux 10 — Release Summary & Best Practices
Release Summary
Red Hat Enterprise Linux 10 (RHEL 10) was released in May 2025, built on the upstream CentOS Stream 10 and using the Linux kernel 6.11 series. It represents a major generational shift — a deliberate narrowing of scope, a stronger push toward immutable infrastructure, and a tighter integration with the broader Red Hat hybrid cloud portfolio including OpenShift and Ansible Automation Platform.
Key Highlights
| Area | What Changed |
|---|---|
| Kernel | 6.11 LTS — improved io_uring, eBPF, hardware offload |
| Python | Python 3.12 default; Python 3.6/3.8 removed entirely |
| Security | SHA-1 disabled by default across the board; FIPS 140-3 compliant |
| Networking | nftables fully replaces iptables; ifcfg format removed |
| Storage | XFS default; ext4 still supported but deprioritized |
| Init | systemd 256 |
| Containers | Podman 5.x default; Docker not included or supported |
| Web Console | Cockpit enhanced with fleet management capabilities |
| Subscription | Simple Content Access (SCA) default — no per-system entitlement needed |
| Support Lifecycle | Full support to 2030; Maintenance to 2032; ELS to 2035 |
What Was Removed
- 32-bit x86 support — completely dropped
- ifcfg network scripts — replaced entirely by NetworkManager keyfiles
- Cockpit-machines VGA console — replaced by noVNC
- SHA-1 — disabled in all cryptographic policies
- Python 2 — no longer available in any supported form
- rsyslog — journald + systemd-journald is the logging path forward
Installation Best Practices
- Use Kickstart for automated, repeatable installs — define your partitioning, packages, users, and post-install scripts in version-controlled .ks files
- Enable Simple Content Access at subscription time — eliminates per-host entitlement tracking overhead
- Set the crypto policy at install time: update-crypto-policies --set FIPS for regulated environments
- Use LVM for all non-root partitions to allow online resizing
- Separate /var, /tmp, /home, and /boot onto distinct logical volumes — prevents runaway writes from filling the root filesystem
- Disable kdump on non-critical VMs to reclaim reserved memory (typically 128–256 MB)
Security Best Practices
Crypto & TLS
- Run update-crypto-policies --set DEFAULT or FIPS depending on compliance posture — never LEGACY
- SHA-1 is disabled by default in RHEL 10 — do not re-enable it
- Use openssl ciphers -v 'DEFAULT' to verify the active cipher list after policy application
- Prefer TLS 1.3 for all new service configurations
SSH Hardening
# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowGroups ssh-users
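To check a host against the directives above, here is an added example (not from the original page) that audits an sshd_config file for drift from that baseline and names each directive that differs. The configuration it audits is a constructed sample; on a live host point it at /etc/ssh/sshd_config or, better, at the output of sshd -T, which resolves Include files and Match blocks and prints the effective settings in lowercase.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit an sshd_config file
# against the hardening baseline above and report every directive that
# drifts from it. Works on /etc/ssh/sshd_config or on `sshd -T` output.

# Baseline: one "Directive value" pair per line (the settings listed above).
SSHD_BASELINE='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowGroups ssh-users'

# Effective value of one directive: sshd uses the first occurrence, keywords
# are case-insensitive, comments and blank lines are ignored.
sshd_effective_value() {
  local file="$1" key="$2"
  awk -v key="$key" '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$file"
}

# Print "Directive expected actual" for each deviation ("<unset>" when the
# directive is absent and sshd would fall back to its compiled-in default).
# Returns 1 if anything deviates, 0 if the file matches the baseline.
audit_sshd_config() {
  local file="$1" rc=0 key want have
  while read -r key want; do
    [ -n "$key" ] || continue
    have=$(sshd_effective_value "$file" "$key")
    if [ "$have" != "$want" ]; then
      printf '%s %s %s\n' "$key" "$want" "${have:-<unset>}"
      rc=1
    fi
  done <<EOF
$SSHD_BASELINE
EOF
  return "$rc"
}

# Constructed sample config: root login is only partially restricted,
# MaxAuthTries is too high, and AllowGroups is missing entirely.
make_sample_sshd_config() {
  local f
  f=$(mktemp)
  cat >"$f" <<'EOF'
# constructed sample, not a real host's /etc/ssh/sshd_config
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
X11Forwarding no
MaxAuthTries 6
ClientAliveInterval 300
ClientAliveCountMax 2
EOF
  printf '%s\n' "$f"
}

# Stand-alone demo; on a real host use: audit_sshd_config <(sshd -T)
sample=$(make_sample_sshd_config)
audit_sshd_config "$sample" || echo "sshd_config deviates from baseline"
rm -f "$sample"
```

Run sshd -t after changing the file and before restarting the service; a typo in sshd_config that prevents sshd from starting is the usual way a hardening change locks administrators out. Note also that AllowGroups ssh-users only works if the group exists and your own account is in it.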
SELinux
- Never disable SELinux — run in enforcing mode at all times
- Use audit2allow and semanage to build custom policies rather than switching to permissive
- Verify with: getenforce (should return Enforcing)
- Label custom directories: semanage fcontext -a -t httpd_sys_content_t "/data/web(/.*)?"
Firewall (nftables via firewalld)
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --remove-service=cockpit # if not needed
firewall-cmd --reload
firewall-cmd --list-all
- Do not mix nft commands directly with firewalld — manage through firewalld only
- iptables commands are now shims — transition any legacy scripts to nftables syntax
User & Privilege Management
- Use sudo with minimal privilege — avoid broad ALL=(ALL) ALL grants
- Leverage SSSD for centralized identity (AD or LDAP)
- Enable PAM faillock: authconfig --enablefaillock or configure /etc/security/faillock.conf
- Set password policies via /etc/security/pwquality.conf
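The "avoid broad ALL=(ALL) ALL grants" advice is easy to check mechanically. Below is an added example (not from the original page) that lists every sudoers rule granting the unrestricted command set, and contrasts it with the least-privilege style of rule that scopes a role to the commands it actually needs. The sudoers content it scans is a constructed sample; on a host run it over /etc/sudoers and each file in /etc/sudoers.d.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): list sudoers rules that hand
# out the unrestricted command set "ALL=(ALL) ALL" / "ALL=(ALL:ALL) ALL",
# with or without tags such as NOPASSWD:. The sample file is constructed.

# Print offending rules from a sudoers-format file. Comments and blank
# lines are skipped; root's own stock rule is excluded because it grants
# nothing root does not already have. Rules whose host field is not ALL
# are out of scope for this check.
find_broad_sudo_grants() {
  grep -Ev '^[[:space:]]*#' "$1" \
    | grep -Ev '^[[:space:]]*$' \
    | grep -Ev '^root[[:space:]]' \
    | grep -E '^[^[:space:]]+[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]*([A-Za-z_]+:[[:space:]]*)*ALL[[:space:]]*$'
}

# Constructed sample mixing broad grants with least-privilege alternatives.
make_sample_sudoers() {
  local f
  f=$(mktemp)
  cat >"$f" <<'EOF'
# constructed sample, not a real /etc/sudoers
Defaults    requiretty
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL)       ALL
%ops        ALL=(ALL) NOPASSWD: ALL
# least privilege: grant only the commands the role actually needs
Cmnd_Alias  PATCHING = /usr/bin/dnf check-update, /usr/bin/dnf update --security -y
%patchers   ALL=(root) PATCHING
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp
EOF
  printf '%s\n' "$f"
}

# Stand-alone demo; on a host: for f in /etc/sudoers /etc/sudoers.d/*; do find_broad_sudo_grants "$f"; done
sample=$(make_sample_sudoers)
echo "Broad sudo grants:"
find_broad_sudo_grants "$sample" || echo "(none)"
rm -f "$sample"
```

The %wheel and %ops rules are the ones to replace; the PATCHING alias and the deploy rule show the shape of the replacement. Validate any edited file with visudo -cf FILE before it is installed, since a syntax error in sudoers disables sudo entirely.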
Networking Best Practices
RHEL 10 uses NetworkManager keyfiles exclusively — ifcfg scripts are gone.
# Create a new static connection
nmcli connection add type ethernet con-name eth0-static ifname eth0 \
ipv4.method manual ipv4.addresses 10.10.100.50/24 \
ipv4.gateway 10.10.100.1 ipv4.dns 10.10.100.10
# Apply
nmcli connection up eth0-static
# Verify
nmcli device show eth0
- Configure DNS search domains explicitly — do not rely on DHCP for DNS in production
- Use nmstate (nmstatectl) for declarative network configuration in automated deployments
- Disable IPv6 only if explicitly required — prefer dual-stack and use firewalld to control IPv6 traffic
- Set MTU explicitly for 10GbE+ interfaces: nmcli connection modify eth0 802-3-ethernet.mtu 9000
Storage Best Practices
- XFS is the recommended filesystem for all data volumes — better parallelism and online growth support
- Use xfs_repair for filesystem checks — fsck.xfs is a no-op
- Enable LVM thin provisioning for environments with variable storage growth
- Schedule fstrim via systemd timer for SSD/NVMe volumes: systemctl enable --now fstrim.timer
- Monitor filesystem usage: df -hT and set up alerts at 80% / 90% thresholds
- For NFS mounts, use nfs4 with Kerberos (sec=krb5) in regulated environments
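The 80% / 90% alerting the list recommends is a few lines of shell around df. Here is an added example (not from the original page) that classifies each filesystem from df -PT output as OK, WARN or CRIT and returns a monitoring-plugin style exit status, so it can sit behind cron, a systemd timer or a monitoring agent. The df output it processes is a constructed sample for a host whose separate /var and /var/log volumes are filling up; on a live host feed it df -PT instead.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): turn `df -PT` output into
# OK / WARN / CRIT lines at the 80% and 90% thresholds recommended above,
# with a monitoring-style exit status. The df output below is constructed.

WARN_PCT=80
CRIT_PCT=90

# Read `df -PT` output on stdin (-P guarantees one line per filesystem;
# columns: fs type blocks used avail capacity mountpoint) and print
# "LEVEL mountpoint use%" for each real filesystem.
classify_usage() {
  awk -v warn="$WARN_PCT" -v crit="$CRIT_PCT" '
    NR == 1 { next }                                     # header line
    $2 ~ /^(tmpfs|devtmpfs|overlay|squashfs)$/ { next }  # RAM/pseudo filesystems
    {
      use = $6; sub(/%$/, "", use); use += 0
      level = (use >= crit) ? "CRIT" : (use >= warn) ? "WARN" : "OK"
      printf "%s %s %d%%\n", level, $7, use
    }'
}

# Exit status in the monitoring-plugin convention: 2 CRIT, 1 WARN, 0 OK.
usage_exit_code() {
  if   printf '%s\n' "$1" | grep -q '^CRIT '; then return 2
  elif printf '%s\n' "$1" | grep -q '^WARN '; then return 1
  fi
  return 0
}

# Constructed `df -PT` output: /var is past the warning line, /var/log past critical.
sample_df_output() {
  cat <<'EOF'
Filesystem               Type  1024-blocks     Used Available Capacity Mounted on
/dev/mapper/rhel-root    xfs      52403200 21474836  30928364      41% /
/dev/mapper/rhel-var     xfs      20961280 17825792   3135488      86% /var
/dev/mapper/rhel-var_log xfs      10475520  9855488    620032      95% /var/log
/dev/mapper/rhel-home    xfs      52403200  5242880  47160320      10% /home
tmpfs                    tmpfs     4096000        0   4096000       0% /dev/shm
EOF
}

# Stand-alone demo; on a live host replace sample_df_output with `df -PT`.
report=$(sample_df_output | classify_usage)
printf '%s\n' "$report"
status=0; usage_exit_code "$report" || status=$?
echo "exit status: $status"
```

Because the page's layout puts /var, /tmp, /home and /boot on their own logical volumes, a full /var/log shows up here as its own CRIT line while / stays OK, which is exactly the isolation that layout is meant to buy. Mount points containing spaces would break the column parsing; such mounts are rare on servers but worth knowing about.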
System Management Best Practices
Patching
# Check available updates
dnf check-update
# Apply all updates
dnf update -y
# Apply security updates only
dnf update --security -y
# View update history
dnf history list
- Subscribe to RHSA advisories via Red Hat Customer Portal or email
- Test patches on a non-production system before applying to production
- Use Ansible (RHEL System Roles) to orchestrate patching at scale
- Enable DNF Automatic for security-only automatic updates on lower-criticality systems
Logging
- journald is the primary log collector in RHEL 10
- Forward to a central SIEM: configure /etc/systemd/journald.conf or use rsyslog as a forwarding layer to your Splunk/Elastic/etc.
- Set journal size limits to prevent /var/log/journal from filling disk:
# /etc/systemd/journald.conf
[Journal]
SystemMaxUse=2G
SystemKeepFree=500M
Performance
- Use tuned profiles appropriate to workload:
  - throughput-performance for database/batch workloads
  - latency-performance for interactive/real-time workloads
  - virtual-guest when running as a VM (default in most cases)
tuned-adm recommend
tuned-adm profile virtual-guest
Container Best Practices (Podman 5.x)
RHEL 10 is fully container-native — Docker is not supported.
# Run rootless container
podman run -d --name myapp -p 8080:8080 myimage:latest
# Generate systemd service from container
podman generate systemd --new --name myapp > ~/.config/systemd/user/myapp.service
systemctl --user enable --now myapp
# Use Quadlets (preferred in RHEL 10) for declarative container management
# Place .container files in /etc/containers/systemd/
- Use rootless Podman wherever possible — no daemon, no root requirement
- Use Quadlets (.container, .volume, .network files) for declarative, systemd-managed containers
- Store container images in a private registry — do not pull from Docker Hub in production without scanning
- Use Podman secrets or external vaults (HashiCorp Vault) for credentials — never embed in container definitions
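The section recommends Quadlets and Podman secrets but shows neither, so here is an added example (not from the original page or from the Podman project) that renders a rootless .container unit for the myapp / myimage:latest / port 8080 service from the podman run line above. The secret name myapp-db-password and the environment variable APP_SECRET are assumed placeholders; the Quadlet keys used (Image, PublishPort, Secret, ReadOnly, NoNewPrivileges, DropCapability, AutoUpdate) are standard Quadlet options.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): render a Quadlet .container
# unit for the rootless "myapp" service, with its credential supplied by a
# Podman secret rather than embedded in the unit. The secret name
# myapp-db-password and the variable APP_SECRET are assumed placeholders.

# Print a .container unit. Args: name image host:container-port secret-name
render_quadlet() {
  local name="$1" image="$2" port="$3" secret="$4"
  cat <<EOF
[Unit]
Description=$name (Quadlet-managed container)
After=network-online.target
Wants=network-online.target

[Container]
ContainerName=$name
Image=$image
PublishPort=$port
# credential is injected as env var APP_SECRET from the named Podman secret
Secret=$secret,type=env,target=APP_SECRET
# reduce what the container can do
ReadOnly=true
NoNewPrivileges=true
DropCapability=ALL
# mark the container for podman-auto-update (needs podman-auto-update.timer)
AutoUpdate=registry

[Service]
Restart=always
TimeoutStartSec=300

[Install]
WantedBy=default.target
EOF
}

# Write the unit into a Quadlet directory and print its path.
# Rootless units live in ~/.config/containers/systemd, rootful ones in
# /etc/containers/systemd (the directory named in the page's block above).
# Args: dir name image host:container-port secret-name
install_quadlet() {
  local dir="$1" path="$1/$2.container"
  mkdir -p "$dir"
  render_quadlet "$2" "$3" "$4" "$5" >"$path"
  printf '%s\n' "$path"
}

# Stand-alone demo: render to stdout. To deploy rootless:
#   printf '%s' "$DB_PASSWORD" | podman secret create myapp-db-password -
#   install_quadlet ~/.config/containers/systemd myapp myimage:latest 8080:8080 myapp-db-password
#   systemctl --user daemon-reload && systemctl --user start myapp.service
render_quadlet myapp myimage:latest 8080:8080 myapp-db-password
```

After daemon-reload the generated myapp.service appears like any other unit, so systemctl --user status myapp and journalctl --user -u myapp work without podman-specific tooling. ReadOnly=true suits images that write only to mounted volumes; an application that writes into its own filesystem will need a Volume= or an explicit writable mount instead of having the option removed.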
Automation Integration
RHEL 10 is designed to be managed at scale via Ansible. Red Hat provides RHEL System Roles for standardized configuration:
# Install system roles
dnf install rhel-system-roles
# Available roles include:
# - rhel_system_roles.timesync (NTP)
# - rhel_system_roles.selinux (SELinux policy)
# - rhel_system_roles.network (NetworkManager)
# - rhel_system_roles.storage (LVM, filesystems)
# - rhel_system_roles.firewall (firewalld)
# - rhel_system_roles.certificate (cert management)
- Use Image Builder (composer-cli) to create custom RHEL 10 images for consistent deployments
- Manage subscriptions at scale with Red Hat Satellite or Ansible + subscription-manager
- Use Insights (cloud.redhat.com) for drift detection, vulnerability advisories, and remediation playbooks
RHEL 10 support lifecycle: Full Support until 2030 · Maintenance until 2032 · Extended Life until 2035