Rocky Linux 10: Complete Installation Guide, New Features, and Upgrade Path from Rocky 9
Table of Contents
- What Is Rocky Linux 10
- Key Changes From Rocky Linux 9
- System Requirements
- Installing Rocky Linux 10
- Essential Post-Installation Configuration
- Package Management Changes in DNF5
- Security Changes and New Defaults
- Upgrade Path from Rocky Linux 9
- Container and Virtualization Updates
- Deprecated Features and Migration Requirements
- Conclusion
Rocky Linux 10 is the next major release of the community-driven RHEL-compatible distribution, tracking Red Hat Enterprise Linux 10, which introduces the most significant changes to the RHEL ecosystem in a decade. For system administrators running Rocky Linux 8 or 9 in production, understanding what Rocky 10 brings, and what the upgrade path looks like, is essential planning now, not later.
What Is Rocky Linux 10
Rocky Linux is the community-maintained, 1:1 binary-compatible rebuild of Red Hat Enterprise Linux, created after CentOS Linux was discontinued. Rocky Linux 10 tracks RHEL 10, which itself is built on a Linux 6.12 LTS kernel base with substantial toolchain and runtime updates. The distribution is governed by the Rocky Enterprise Software Foundation (RESF) and is fully free to use, modify, and redistribute.
Rocky Linux 10 is a significant release because RHEL 10 breaks compatibility with some legacy configurations, drops several older packages, and introduces new security defaults that will affect everyone migrating from the RHEL 8/9 ecosystem. Understanding these changes before they affect your production fleet is the purpose of this guide.
Key Changes From Rocky Linux 9
Kernel and Core Upgrades
Rocky Linux 10 ships with a Linux 6.12 LTS kernel, a major jump from the 5.14-based kernel in RHEL 9. The newer kernel brings full support for sched_ext (pluggable CPU schedulers), io_uring maturity, improved eBPF tooling, and significantly better ARM64 server support. Systems running specialized hardware (newer NVMe controllers, modern network adapters, and ARM-based servers) will see improved driver coverage without needing additional kernel modules.
Toolchain Updates
- GCC 14 replaces GCC 11 as the default system compiler
- Python 3.12 becomes the default Python version (Python 3.9 is available as a module stream)
- OpenSSL 3.3 replaces OpenSSL 3.0, with TLS 1.0 and 1.1 disabled at the library level
- glibc 2.39 with improved security hardening and FORTIFY_SOURCE enhancements
- systemd 256 with credentials support and improved service sandboxing
DNF5 Replaces DNF4
The package manager transitions from DNF4 to DNF5, which is a complete rewrite in C++ for improved performance and API stability. DNF5 is backwards-compatible with most DNF4 commands but has behavioral differences that affect scripting.
System Requirements
| Component | Minimum | Recommended |
|---|---|---|
| Architecture | x86_64, aarch64, ppc64le, s390x | x86_64 with AVX2 support |
| CPU | 1 GHz, 64-bit | 2+ GHz multi-core |
| RAM | 2 GB (server minimal) | 4 GB+ (server with GUI: 8 GB) |
| Disk | 20 GB | 50+ GB for production |
| Network | Not required for offline install | Recommended for subscription content |
Note that x86 32-bit (i686) is no longer supported. If you are running 32-bit binaries in your applications, you will need to maintain compatibility libraries or containerize those workloads.
Installing Rocky Linux 10
Download and Verify the ISO
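# Download Rocky Linux 10 (example - use official mirrors at rockylinux.org)
# Verify the SHA256 checksum after download
sha256sum Rocky-10.0-x86_64-dvd.iso
# Compare against the CHECKSUM file from the download mirror
# GPG verification
# Confirm this key ID against the release keys published on rockylinux.org before trusting it
gpg --keyserver keyserver.ubuntu.com --recv-keys 702D426D350D275D
# gpg --verify takes the detached signature first, then the file it signs.
# The signature covers the CHECKSUM file, not the ISO itself.
# CHECKSUM.sig is an assumed file name; use the signature file your mirror publishes.
gpg --verify CHECKSUM.sig CHECKSUM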
Anaconda Installer Changes
The Anaconda installer in Rocky Linux 10 uses a redesigned interface with significant navigation changes. Key points for automated installations:
# Kickstart file sample for Rocky Linux 10 minimal server
# /root/ks.cfg
#version=RHEL10
text
reboot
url --url="http://mirror.example.com/rocky/10/BaseOS/x86_64/os/"
keyboard --vckeymap=us --xlayouts='us'
lang en_US.UTF-8
timezone America/New_York --utc
# Network - using new NetworkManager keyfile format
network --bootproto=static --device=eth0 --ip=192.168.1.100 --netmask=255.255.255.0 --gateway=192.168.1.1 --nameserver=8.8.8.8 --activate
# Disk layout
clearpart --all --initlabel
autopart --type=lvm --fstype=xfs
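# Security
selinux --enforcing
firewall --enabled --service=ssh
# Add rootpw/user/sshkey directives for your admin account here;
# without them the installer stops and waits for input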
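# Packages
%packages
@^minimal-environment
vim-enhanced
bash-completion
wget
curl
dnf-utils
# cockpit is not part of the minimal environment; it is needed for the %post step
cockpit
%end
# Post-install
%post
dnf update -y
# %post runs in a chroot without a running systemd, so enable the unit without --now
systemctl enable cockpit.socket
%end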
Boot the Installer
# Create bootable USB on Linux
dd if=Rocky-10.0-x86_64-dvd.iso of=/dev/sdX bs=4M status=progress oflag=sync
# Or use the more reliable approach with Ventoy
# 1. Install Ventoy on USB
# 2. Copy ISO to the USB drive
# 3. Boot and select from menu
Essential Post-Installation Configuration
Enable the EPEL Repository
# Install EPEL for Rocky Linux 10
dnf install -y epel-release
# Verify
dnf repolist
System Update and Key Packages
# Full system update
dnf update -y
# Essential tools
dnf install -y \
vim-enhanced \
bash-completion \
wget curl \
net-tools \
bind-utils \
tar gzip bzip2 \
lsof \
strace \
tcpdump \
chrony \
audit
# Enable time synchronization
systemctl enable --now chronyd
timedatectl set-ntp true
Configure SELinux (Do Not Disable It)
# Check SELinux status
getenforce
sestatus
# View recent denials
ausearch -m avc -ts recent | audit2why
# Generate a policy module for a specific process (do this, not setenforce 0)
ausearch -m avc -ts recent -c nginx | audit2allow -M nginx-policy
# Review the generated nginx-policy.te before loading it, so you only allow the access you intend
semodule -i nginx-policy.pp
Package Management Changes in DNF5
What Changed
DNF5 is a performance-focused rewrite. The most important behavioral changes:
| DNF4 (Rocky 9) | DNF5 (Rocky 10) | Notes |
|---|---|---|
| dnf install package | dnf install package | Same |
| dnf remove package | dnf remove package | Same |
| dnf module list | dnf module list | Same |
| dnf history undo last | dnf history undo | Slightly different |
| dnf --enablerepo=epel install pkg | dnf install --repo=epel pkg | Flag changed |
# New DNF5-specific commands
dnf repomanager --list # Enhanced repo management
dnf config-manager --setopt=... # Direct config editing
Module Streams in Rocky 10
# List available module streams
dnf module list
# Enable a specific stream (e.g., Node.js 22 instead of default 20)
dnf module enable nodejs:22
dnf install nodejs
# Switch streams
dnf module reset nodejs
dnf module enable nodejs:20
dnf distro-sync
Security Changes and New Defaults
Cryptographic Policy Changes
Rocky Linux 10 enforces a stricter system-wide cryptographic policy. TLS 1.0 and 1.1 are disabled by default. SHA-1 signatures are rejected. RSA keys under 2048 bits are rejected. This will break legacy integrations with old software.
# Check current crypto policy
update-crypto-policies --show
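# List available policies (the policy definitions shipped on the system)
ls /usr/share/crypto-policies/policies/
# If you have legacy systems requiring TLS 1.1 (not recommended)
# This applies system-wide; return to the default with --set DEFAULT once the legacy peer is retired
update-crypto-policies --set LEGACY
# Check what a policy enables (--show only prints the name of the active policy)
cat /usr/share/crypto-policies/policies/LEGACY.pol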
SSH Changes
# RSA key authentication still works but RSA-SHA1 signatures are rejected
# Ensure your clients use RSA-SHA2-256 or RSA-SHA2-512
# In /etc/ssh/sshd_config, these are the new defaults:
# PubkeyAcceptedAlgorithms = rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,...
# HostKeyAlgorithms - excludes ssh-rsa (SHA-1 based)
# Regenerate weak SSH host keys if migrating
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
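Before migrating, it helps to know which existing SSH user keys fall under the 2048-bit RSA minimum described above. The following Python audit is an added example, not part of the original article or of any Rocky Linux tooling; the function names and the sample key lines are constructed for illustration, and it checks key size only, not the signature algorithm a client negotiates.

```python
import base64

MIN_RSA_BITS = 2048  # minimum RSA key size stated in the article

def read_field(blob, offset):  # one 4-byte length-prefixed field of the key blob
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if offset + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def rsa_bits(b64_blob):
    """Return the modulus size in bits of a base64-encoded ssh-rsa key blob."""
    blob = base64.b64decode(b64_blob, validate=True)
    key_type, off = read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob is not ssh-rsa")
    _exponent, off = read_field(blob, off)
    modulus, _ = read_field(blob, off)
    return int.from_bytes(modulus, "big").bit_length()

def audit_authorized_keys(text):
    """Return (line_no, reason) for each ssh-rsa entry below the minimum size."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if "ssh-rsa" not in fields or fields[0].startswith("#"):
            continue  # blank line, comment, or a non-RSA key type
        try:  # options such as from="..." may precede the key type
            bits = rsa_bits(fields[fields.index("ssh-rsa") + 1])
        except (IndexError, ValueError) as exc:
            findings.append((line_no, "unparseable ssh-rsa entry: %s" % exc))
            continue
        if bits < MIN_RSA_BITS:
            findings.append((line_no, "RSA-%d is below %d bits" % (bits, MIN_RSA_BITS)))
    return findings

def constructed_rsa_line(bits, comment):  # sample data: dummy modulus, not a real key
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    parts = [b"ssh-rsa", (65537).to_bytes(3, "big"), modulus]
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

SAMPLE = "\n".join([  # constructed entries for illustration
    'from="192.0.2.5" ' + constructed_rsa_line(1024, "backup@old-host"),
    constructed_rsa_line(4096, "admin@bastion"),
    "ssh-rsa not-base64!! broken@entry",
])

if __name__ == "__main__":
    print("\n".join("line %d: %s" % f for f in audit_authorized_keys(SAMPLE)))
```

Feed it the contents of each user's authorized_keys file on the Rocky 9 host and replace the flagged keys before cutting over.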
Firewalld and nftables
iptables is fully removed in Rocky Linux 10. All firewall management goes through firewalld, which uses nftables as its backend. Any scripts using iptables or ip6tables directly must be migrated.
# Check firewall status
firewall-cmd --state
firewall-cmd --list-all
# Add a service
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
# Add a specific port
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --reload
# View nftables rules directly (what firewalld generates)
nft list ruleset
Upgrade Path from Rocky Linux 9
Rocky Linux does not support direct in-place upgrades from major version to major version using the standard dnf upgrade. The supported methods are:
Method 1: Leapp Upgrade (Recommended for Production)
# Install the Leapp upgrade tool on Rocky Linux 9
dnf install leapp-upgrade
# Run the pre-upgrade assessment (no changes made yet)
leapp preupgrade --target 10.0
# Review the report
cat /var/log/leapp/leapp-report.txt
# Address any inhibitors in the report, then run the upgrade
leapp upgrade --target 10.0
# System will reboot into the upgrade environment and complete automatically
Method 2: Fresh Install with Data Migration
For complex systems or when Leapp reports too many inhibitors, a fresh installation with application data migration is often cleaner. Export your configurations and data, perform a fresh Rocky Linux 10 install, and restore. This approach takes more planning but avoids subtle compatibility issues.
Pre-Upgrade Checklist
- Ensure backup of all critical data is current and tested
- Document installed packages: rpm -qa > packages-before-upgrade.txt
- Export systemd service configurations
- Note custom kernel parameters in /etc/sysctl.conf
- Test your application against RHEL 10 UBI container before upgrading production
- Check that third-party software vendors support RHEL 10
Container and Virtualization Updates
Podman 5 as Default
Rocky Linux 10 ships Podman 5 as the default container runtime. Docker is not included in any official repository. The Podman CLI is compatible with Docker commands in most cases.
# Pull and run a container
podman run --rm -it ubuntu:24.04 bash
# Manage with systemd (rootless)
podman generate systemd --name my-container --files --new
systemctl --user enable container-my-container.service
# Compose-style deployments
dnf install podman-compose
podman-compose up -d
Deprecated Features and Migration Requirements
Key Removals in Rocky Linux 10
- iptables: Removed entirely, use firewalld/nftables
- Python 2: Not available in any form, migrate all Python 2 code
- XFS V4 format: Only V5 is supported; existing V4 filesystems require reformatting
- NFS v2: Only NFS v3 and v4 are supported
- LUKS1: New encrypted volumes use LUKS2 by default; existing LUKS1 volumes still work but cannot be converted to LUKS2 in-place
- 32-bit (i686) kernel: x86_64 only; 32-bit userspace libraries remain available
- authconfig: Replaced by authselect; update any provisioning scripts
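To find the provisioning and firewall scripts that still call tools from this list (the firewalld section above makes the same point for iptables and ip6tables), a scanner along these lines can be run over a scripts directory. It is an added example, not code from the article or from Rocky Linux; the function names, the regular expression and the sample script are constructed, and it covers only the command-line tools named in the list.

```python
import os
import re

REMOVED = {  # removed tool -> replacement, both taken from the removals list above
    "iptables": "firewalld/nftables",
    "ip6tables": "firewalld/nftables",
    "authconfig": "authselect",
    "python2": "Python 3",
}
# Match the tool as a command word, with an optional path prefix (/usr/sbin/iptables)
# or suffix (iptables-save, python2.7); "--iptables=false" and "myiptables" do not match.
PATTERN = re.compile(r"(?<![\w.-])(?:/[\w./-]*/)?(%s)(?!\w)" % "|".join(REMOVED))

def scan_text(text):
    """Return (line_no, tool, replacement) for each use of a removed tool."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        is_shebang = line_no == 1 and stripped.startswith("#!")
        if stripped.startswith("#") and not is_shebang:
            continue  # commented-out commands do not block the migration
        for match in PATTERN.finditer(stripped):
            hits.append((line_no, match.group(1), REMOVED[match.group(1)]))
    return hits

def scan_tree(root):  # scan every readable text file under root -> {path: hits}
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as handle:
                    hits = scan_text(handle.read())
            except (OSError, UnicodeDecodeError):
                continue  # unreadable or binary file
            if hits:
                report[path] = hits
    return report

SAMPLE_SCRIPT = """#!/bin/bash
# iptables -F    (disabled long ago)
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables-save > /root/v6.rules
authconfig --enableldap --update
firewall-cmd --permanent --add-service=ssh
"""  # constructed provisioning script, not from the article

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_SCRIPT):
        print("line %d: %s -> use %s" % hit)
```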
Conclusion
Rocky Linux 10 is a major version with real breaking changes that demand careful planning. The toolchain is significantly modernized, security defaults are stricter, and some familiar tools have been removed or replaced. The reward for this migration work is a platform supported through 2032 with a Linux 6.12 LTS kernel, full eBPF capabilities, and the latest development toolchains. Start your evaluation now by testing your applications against the RHEL 10 UBI container images, then plan your Leapp-based upgrade or fresh installation strategy well before Rocky 9 approaches its end-of-life window.
About Ramesh Sundararamaiah
Red Hat Certified Architect
Expert in Linux system administration, DevOps automation, and cloud infrastructure. Specializing in Red Hat Enterprise Linux, CentOS, Ubuntu, Docker, Ansible, and enterprise IT solutions.