Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 7. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 8.5 that have a significant impact on users.
7.1. Installer and image creation
RHEL installation no longer aborts when Insights client fails to register system
Previously, the RHEL installation failed with an error at the end if the Red Hat Insights client failed to register the system during the installation. With this update, the system completes the installation even if the insights client fails. The user is notified about the error during installation so the error can be handled later independently.
Anaconda allows data encryption for automatically created disk layout in the custom partitioning screen
Previously, requesting encrypted disk layout when the disk layout was automatically created in the custom partitioning screen was not possible. With this update, Anaconda provides an option on the custom partitioning screen to encrypt the automatically created disk layout.
Installation program does not attempt automatic partitioning when partitioning scheme is not specified in the Kickstart file
When using a Kickstart file to perform an automated installation, the installation program does not attempt to perform automatic partitioning when you do not specify any partitioning scheme in the Kickstart file. The installation process is interrupted and allows the user to configure the partitioning.
(BZ#1954408)
RHEL-Edge container image now uses nginx
and serves on port 8080
Previously, the edge-container
image type was unable to run in non-root mode. As a result, Red Hat OpenShift 4 was unable to use the edge-container
image type. With this enhancement, the container now uses nginx
HTTP server to serve the commit and a configuration file that allows the server to run as a non-root user inside the container, enabling its use on Red Hat OpenShift 4. The internal web server now uses the port 8080
instead of 80
.
7.2. Shells and command-line tools
opal-prd
rebased to version 6.7.1
opal-prd
has been upgraded to version 6.7.1. Notable bug fixes and enhancements include:
-
Fixed
xscom
error logging issues caused due toxscom OPAL
call. -
Fixed possible deadlock with the
DEBUG
build. -
Fallback to
full_reboot
iffast-reboot
fails incore/platform
. -
Fixed
next_ungarded_primary
incore/cpu
. - Improved rate limit timer requests and the timer state in Self-Boot Engine (SBE).
(BZ#1921665)
libservicelog
rebased to version 1.1.19
libservicelog
has been upgraded to version 1.1.19. Notable bug fixes and enhancements include:
- Fixed output alignment issue.
-
Fixed
segfault
onservicelog_open()
failure.
(BZ#1844430)
ipmitool sol activate
command no longer crashes
Previously, after upgrading from RHEL 7 to RHEL 8 the ipmitool sol activate
command would crash while trying to access the remote console on an IBM DataPower appliance.
With this update, the bug has been fixed and one can use ipmitool
to access the remote console again.
Relax-and-Recover (ReaR) package now depends on the bootlist executable
Previously, ReaR could produce a rescue image without the bootlist executable on the IBM Power Systems, Little Endian architecture. Consequently, if the powerpc-utils-core
package is not installed, the rescue image did not contain the bootlist executable.
With this update, the ReaR package now depends on the bootlist executable. The dependency ensures that the bootlist executable is present. ReaR does not create a rescue image if the bootlist executable is missing. This avoids creating an invalid rescue image.
rsync with an unprivileged remote user can now be used in ReaR
Previously, when rsync was used to back up and restore the system data (BACKUP=RSYNC)
, the parameters to rsync were incorrectly quoted, and the --fake-super
parameter was not passed to the remote rsync process. Consequently, the file metadata was not correctly saved and restored.
With this update following bugs have been fixed:
- ReaR uses the correct parameters for rsync.
Improved rsync code for error detection during backup and restore:
- If there is a rsync error detected during the backup, ReaR aborts with an error message.
- If there is a rsync error detected during the restore, ReaR displays a warning message.
In the /etc/rear/local.conf
file set BACKUP_INTEGRITY_CHECK=1
to turn the warning into an error message.
Loss of backup data on network shares when using ReaR does not occur anymore
Previously, when a network file system like NFS was used to store the ReaR backups, in case of an error ReaR removed the directory where the NFS was mounted. Consequently, this caused backup data loss.
With this update, ReaR now uses a new method to unmount network shares. This new method does not remove the content of the mounted filesystem when it is removes the mount point. The loss of backup data on network shares when using ReaR is now fixed.
ReaR can now be used to back up and recover machines that use ESP
Previously, ReaR did not create Extensible Firmware Interface (EFI) entries when software RAID (MDRAID) is used for the EFI System Partition on machines with Unified Extensible Firmware Interface (UEFI) firmware. When a system with UEFI firmware and EFI System Partition on software RAID were recovered using ReaR; the recovered system was unbootable and required manual intervention to fix the boot EFI variables.
With this update, the support for creating boot EFI entries for software RAID devices is added to ReaR. ReaR can now be used to back up and recover machines that use EFI System Partition (ESP) on software RAID, without manual post-recovery intervention.
/etc/slp.spi file added to openslp package
Previously, the /etc/slp.spi
file was missing in the openslp
package. Consequently, the /usr/bin/slptool
command did not generate output. With this update, /etc/slp.spi
has been added to openslp
.
BM Power Systems, Little Endian architecture machines with multipath can now be safely recovered using ReaR
Previously, the /sys
file system was not mounted in the chroot when ReaR was recovering the system. The ofpathname
executable on the IBM Power Systems, Little Endian architecture failed when installing the boot loader. Consequently, the error remained undetected and the recovered system was unbootable.
With this update, ReaR now mounts the /sys
file system in the recovery chroot. ReaR ensures that ofpathname
is present in the rescue system on Power Systems, Little Endian architecture machines.
The which
utility no longer aborts with a syntax error message when used with an alias
Previously, when you tried to use the which
command with an alias, for example, A=B which ls
, the which
utility aborted with the syntax error message bash: syntax error near unexpected token `('
.
This bug has been fixed, and which
correctly displays the full path of the command without an error message.
(BZ#1940468)
7.3. Infrastructure services
Permissions of the /var/lib/chrony
have changed
Previously, enterprise security scanners would flag the /var/lib/chrony
directory for having world-readable and executable permissions. With this update, the permissions of the /var/lib/chrony
directory have changed to limit access only to the root and chrony users.
7.4. Security
GnuTLS
no longer rejects SHA-1-signed CAs if they are explicitly trusted
Previously, the GnuTLS
library checked signature hash strength of all certificate authorities (CA) even if the CA was explicitly trusted. As a consequence, chains containing CAs signed with the SHA-1 algorithm were rejected with the error message certificate’s signature hash strength is unacceptable
. With this update, GnuTLS
excludes trusted CAs from the signature hash strength checks and therefore no longer rejects certificate chains containing CAs even if they are signed using weak algorithms.
Hardware optimization enabled in FIPS mode
Previously, the Federal Information Processing Standard (FIPS 140-2) did not allow using hardware optimization. Therefore, the operation was disabled in the libgcrypt
package when in the FIPS mode. This update enables hardware optimization in FIPS mode, and as a result, all cryptographic operations are performed faster.
leftikeport
and rightikeport
options work correctly
Previously, Libreswan ignored the leftikeport
and rightikeport
options in any host-to-host Libreswan connections. As a consequence, Libreswam used the default ports regardless of any non-default options settings. With this update, the issue is now fixed and you can use leftikeport
and rightikeport
connection options over the default options.
SELinux policy did not allow GDM to set the GRUB boot_success
flag
Previously, SELinux policy did not allow the GNOME Display Manager (GDM) to set the GRUB boot_success
flag during the power-off and reboot operations. Consequently, the GRUB menu appeared on the next boot. With this update, the SELinux policy introduces a new xdm_exec_bootloader
boolean that allows the GDM to set the GRUB boot_success
flag, and which is enabled by default. As a result, the GRUB boot menu is shown on the first boot and the flicker-free boot support feature works correctly.
selinux-policy
now supports IPsec-based VPNs using TCP encapsulation
Since RHEL 8.4, the libreswan
packages have supported IPsec-based VPNs using TCP encapsulation, but the selinux-policy
package did not reflect this update. As a consequence, when Libreswan was configured to use TCP, the ipsec
service failed to bind to the given TCP port. With this update to the selinux-policy
package, the ipsec
service can bind and connect to the commonly used TCP port 4500
, and therefore you can use TCP encapsulation in IPsec-based VPNs.
SELinux policy now prevents staff_u
users from switching to unconfined_r
Previously, when the secure_mode
boolean was enabled, staff_u
users could incorrectly switch to the unconfined_r
role. As a consequence, staff_u
users could perform privileged operations affecting the security of the system. With this fix, SELinux policy prevents staff_u
users from switching to the unconfined_r
role using the newrole
command. As a result, unprivileged users cannot run privileged operations.
OSCAP Anaconda Addon
now handles customized profiles
Previously, the OSCAP Anaconda Addon
plugin did not correctly handle security profiles with customizations in separate files. Consequently, the customized profiles were not available in the RHEL graphical installation even when you specified them in the corresponding Kickstart section. The handling has been fixed, and you can use customized SCAP profiles in the RHEL graphical installation.
(BZ#1691305)
OpenSCAP no longer fails during evaluation of the STIG profile and other SCAP content
Previously, initialization of the cryptography library in OpenSCAP was not performed properly in OpenSCAP, specifically in the filehash58
probe. As a consequence, a segmentation fault occurred while evaluating SCAP content containing the filehash58_test
Open Vulnerability Assessment Language (OVAL) test. This affected in particular the evaluation of the STIG profile for Red Hat Enterprise Linux 8. The evaluation failed unexpectedly and results were not generated. The process of initializing libraries has been fixed in the new version of the openscap
package. As a result, OpenSCAP no longer fails during the evaluation of the STIG profile for RHEL 8 and other SCAP content that contains the filehash58_test
OVAL test.
Ansible updates banner files only when needed
Previously, the playbook used for banner remediation always removed the file and recreated it. As a consequence, the banner file inodes were always modified regardless of need. With this update, the Ansible remediation playbook has been improved to use the copy
module, which first compares existing content with the intended content and only updates the file when needed. As a result, banner files are only updated when the existing content differs from the intended content.
USB devices now work correctly with the DISA STIG profile
Previously, the DISA STIG profile enabled the USBGuard
service but did not configure any initially connected USB devices. Consequently, the USBGuard
service blocked any device that was not specifically allowed. This made some USB devices, such as smart cards, unreachable. With this update, the initial USBGuard configuration is generated when applying the DISA STIG profile and allows the use of any connected USB device. As a result, USB devices are not blocked and work correctly.
OSCAP Anaconda Addon
now installs all selected packages in text mode
Previously, the OSCAP Anaconda Addon
plugin did not evaluate rules that required certain partition layout or package installations and removals before the installation started when running in text mode. Consequently, when a security policy profile was specified using Kickstart and the installation was running in text mode, any additional packages required by a selected security profile were not installed. OSCAP Anaconda Addon
now performs the required checks before the installation starts regardless of whether the installation is graphical or text-based, and all selected packages are installed also in text mode.
rpm_verify_permissions
removed from the CIS profile
The rpm_verify_permissions
rule, which compares file permissions to package default permissions, has been removed from the Center for Internet Security (CIS) Red Hat Enterprise Linux 8 Benchmark. With this update, the CIS profile is aligned with the CIS RHEL 8 benchmark, and as a result, this rule no longer affects users who harden their systems according to CIS.
7.5. Kernel
A revert of upstream patch allows some systemd
services and user-space workloads to run as expected
The backported upstream change to the mknod()
system call caused the open()
system call to be more privileged with respect to device nodes than mknod()
. Consequently, multiple user-space workloads and some systemd
services in containers became unresponsive. With this update, the incorrect behavior has been reverted and no crashes occur any more.
(BZ#1902543)
Improved performance regression in memory accounting operations
Previously, a slab memory controller was increasing the frequency of memory accounting operations per slab. Consequently, a performance regression occurred due to an increased number of memory accounting operations. To fix the problem, the memory accounting operations have been streamlined to use as much caching and as little atomic operations as possible. As a result, a slight performance regression still remains. However, the user experience is much better.
(BZ#1959772)
Hard lockups and system panic no longer occur when issuing multiple SysRg-T magic keys
Issuing multiple SysRg-T magic key sequences to a system caused an interrupt to be disabled for an extended period of time, depending on the serial console speed, and on the volume of information being printed out. This prolonged disabled-interrupt time often resulted in a hard lockup followed by a system panic. This update brings the SysRg-T key sequence to substantially reduce the period when interrupt is disabled. As a result, no hard lockups or system panic occur in the described scenario.
(BZ#1954363)
Certain BCC utilities do not display the "macro redefined" warning anymore
Macro redefinitions in some compiler-specific kernel headers caused some BPF Compiler Collection (BCC) utilities to display the following zero-impact warning:
warning: '__no_sanitize_address' macro redefined [-Wmacro-redefined]
With this update, the problem has been fixed by removing the macro redefinitions. As a result, the relevant BCC utilities no longer display the warning in this scenario.
(BZ#1907271)
kdump
no longer fails to dump vmcore on SSH or NFS targets
Previously, when configuring a network interface card (NIC) port to a static IP address and setting kdump
to dump vmcore
on SSH or NFS dump targets, the kdump
service started with the following error message:
ipcalc: command not found
Consequently, a kdump
on SSH or NFS dump targets eventually failed.
This update fixes the problem and the kexec-tools
utility no longer depends on the ipcalc
tool for IP address and netmask calculation. As a result, the kdump
works as expected when you use SSH or NFS dump targets.
(BZ#1931266)
Certain networking kernel drivers now properly display their version
The behavior for module versioning of many networking kernel drivers changed in RHEL 8.4. Consequently, those drivers did not display their version. Alternatively, after executing the ethtool -i
command, the drivers displayed the kernel version instead of the driver version. This update fixes the bug by providing the kernel module strings. As a result, users can determine versions of the affected kernel drivers.
(BZ#1944639)
The hwloc
commands now return correct data on single CPU Power9 and Power10 logical partitions
With the hwloc
utility of version 2.2.0, any single-node Non-Uniform Memory Access (NUMA) system that ran a Power9 or Power10 CPU was considered to be "disallowed". Consequently, all hwloc
commands did not work, because NODE0 (socket 0, CPU 0) was offline and the hwloc
source code expected NODE0 to be online. The following error message was displayed:
Topology does not contain any NUMA node, aborting!
With this update, hwloc
has been fixed so that its source code checks to see if NODE0 is online before querying it. If NODE0 is not online, the code proceeds to the next online NODE.
As a result, the hwloc
command does not return any errors in the described scenario.
7.6. File systems and storage
Records obtained from getaddrinfo()
now include a default TTL
Previously, API did not convey time-to-live (TTL) information, which left TTL unset for address records obtained through getaddrinfo()
, even if they were obtained from the DNS. As a consequence, the key.dns_resolver
upcall program did not set an expiry time on dns_resolver
records, unless the records included a component obtained directly from the DNS, such as an SRV or AFSDB record. With this update, records from getaddrinfo()
now include a default TTL of 10 minutes to prevent an unset expiry time.
(BZ#1661674)
7.7. High availability and clusters
The ocf:heartbeat:pgsql
resource agent and some third-party agents no longer fail to stop during a shutdown process
In the RHEL 8.4 GA release, Pacemaker’s crm_mon
command-line tool was modified to display a "shutting down" message rather than the usual cluster information when Pacemaker starts to shut down. As a consequence, shutdown progress, such as the stopping of resources, could not be monitored. In this situation, resource agents that parse crm_mon
output in their stop operation (such as the ocf:heartbeat:pgsql
agent distributed with the resource-agents package, or some custom or third-party agents) could fail to stop, leading to cluster problems. This bug has been fixed, and the described problem no longer occurs.
7.8. Dynamic programming languages, web and database servers
pyodbc
works again with MariaDB 10.3
The pyodbc
module did not work with the MariaDB 10.3
server included in the RHEL 8.4 release. The root cause in the mariadb-connector-odbc
package has been fixed, and pyodbc
now works with MariaDB 10.3
as expected.
Note that earlier versions of the MariaDB 10.3
server and the MariaDB 10.5
server were not affected by this problem.
7.9. Compilers and development tools
GCC Toolset 11: GCC 11 now defaults to DWARF 4
While upstream GCC 11 defaults to using the DWARF 5 debugging format, GCC of GCC Toolset 11 defaults to DWARF 4 to stay compatible with RHEL 8 components, for example, rpmbuild
.
(BZ#1974402)
The tunables framework now parses GLIBC_TUNABLES
correctly
Previously, the tunables framework did not parse the GLIBC_TUNABLES
environment variable correctly for non-setuid children of setuid programs. As a consequence, in some cases all tunables remained in non-setuid children of setuid programs. With this update, tunables in the GLIBC_TUNABLES
environment variable are correctly parsed. As a result, only a restricted subset of identified tunables are now inherited by non-setuid children of setuid programs.
(BZ#1934155)
The semctl
system call wrapper in glibc
now treats SEM_STAT_ANY
like SEM_STAT
Previously, the semctl
system call wrapper in glibc
did not treat the kernel argument SEM_STAT_ANY
like SEM_STAT
. As a result, glibc
did not pass the address of the result object struct semid_ds
to the kernel, so that the kernel failed to update it. With this update, glibc
now treats SEM_STAT_ANY
like SEM_STAT
, and as a result, applications can obtain struct semid_ds
data using SEM_STAT_ANY
.
Glibc
now includes definitions for IPPROTO_ETHERNET
, IPPROTO_MPTCP
, and INADDR_ALLSNOOPERS_GROUP
Previously, the Glibc
system library headers (/usr/include/netinet/in.h
) did not include definitions of IPPROTO_ETHERNET
, IPPROTO_MPTCP
, and INADDR_ALLSNOOPERS_GROUP
. As a consequence, applications needing these definitions failed to compile. With this update, the system library headers now include the new network constant definitions for IPPROTO_ETHERNET
, IPPROTO_MPTCP
, and INADDR_ALLSNOOPERS_GROUP
resulting in correctly compiling applications.
gcc
rebased to version 8.5
The GNU Compiler Collection (GCC) has been rebased to upstream version 8.5, which provides a number of bug fixes over the previous version.
Incorrect file decryption using OpenSSL aes-cbc
mode
The OpenSSL EVP aes-cbc
mode did not decrypt files correctly, because it expects to handle padding while the Go CryptoBlocks interface expects full blocks. This issue has been fixed by disabling padding before executing EVP operations in OpenSSL.
7.10. Identity Management
FreeRADIUS no longer incorrectly generating default certificates when the bootstrap script is run
A bootstrap script runs each time FreeRADIUS is started. Previously, this script generated new testing certificates in the /etc/raddb/certs
directory and as a result, the FreeRADIUS server sometimes failed to start as these testing certificates were invalid. For example, the certificates might have expired. With this update, the bootstrap script checks the /etc/raddb/certs
directory and if it contains any testing or customer certificates, the script is not run and the FreeRADIUS server should start correctly.
Note that the testing certificates are only for testing purposes during the configuration of FreeRADIUS and should not be used in a real environment. The bootstrap script should be deleted once the users' certificates are used.
FreeRADIUS no longer fails to create a core dump file
Previously, FreeRADIUS did not create a core dump file when allow_core_dumps
was set to yes
. Consequently, no core dump files were created if any process failed. With this update, when you set allow_core_dumps
to yes
, FreeRADIUS now creates a core dump file if any process fails.
SSSD correctly evaluates the default setting for the Kerberos keytab name in /etc/krb5.conf
Previously, if you defined a non-standard location for your krb5.keytab
file, SSSD did not use this location and used the default /etc/krb5.keytab
location instead. As a result, when you tried to log into the system, the login failed as the /etc/krb5.keytab
contained no entries.
With this update, SSSD now evaluates the default_keytab_name
variable in the /etc/krb5.conf
and uses the location specified by this variable. SSSD only uses the default /etc/krb5.keytab
location if the default_keytab_name
variable is not set.
(BZ#1737489)
Running sudo commands no longer exports the KRB5CCNAME environment variable
Previously, after running sudo
commands, the environment variable KRB5CCNAME
pointed to the Kerberos credential cache of the original user, which might not be accessible to the target user. As a result Kerberos related operations might fail as this cache is not accessible. With this update, running sudo
commands no longer sets the KRB5CCNAME
environment variable and the target user can use their default Kerberos credential cache.
(BZ#1879869)
Kerberos now only requests permitted encryption types
Previously, RHEL did not apply permitted encryption types specified in the permitted_enctypes
parameter in the /etc/krb5.conf
file if the default_tgs_enctypes
or default_tkt_enctypes
parameters were not set. Consequently, Kerberos clients were able to request deprecated cipher suites, such as RC4, which might cause other processes to fail. With this update, RHEL applies the encryption types set in permitted_enctypes
to the default encryption types as well, and processes can only request permitted encryption types.
If you use Red Hat Identity Management (IdM) and want to set up a trust with Active Directory (AD), note that the RC4 cipher suite, which is deprecated in RHEL 8, is the default encryption type for users, services, and trusts between AD domains in an AD forest. You can use one of the following options:
- (Preferred): Enable strong AES encryption types in AD. For details, see the AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain Microsoft article.
-
Use the
update-crypto-policies --set DEFAULT:AD-SUPPORT
command on RHEL hosts that should be members of an AD domain to enable the deprecated RC4 encryption type for backwards compatibility with AD.
The replication session update speed is now enhanced
Previously, when the changelog contained larger updates, the replication session started from the beginning of the changelog. This slowed the session down. The using of a small buffer to store the update from a changelog during the replication session caused this. With this update, the replication session checks that the buffer is large enough to store the update at the starting point. The replication session starts sending updates immediately.
The database indexes created by plug-ins are now enabled
Previously, when a server plug-in created its own database indexes, you had to enable those indexes manually. With this update, the indexes are enabled immediately after creation by default.
7.11. Red Hat Enterprise Linux system roles
Role tasks no longer change when running the same output
Previously, several of the role tasks would report as CHANGED
when running the same input once again, even if there were no changes. Consequently, the role was not acting idempotent. To fix the issue, perform the following actions:
-
Check if configuration variables change before applying them. You can use the option
--check
for this verification. -
Do not add a
Last Modified: $date
header to the configuration file.
As a result, the role tasks are idempotent.
relayhost
parameter no longer incorrectly defined in the Postfix documentation
Previously, the relayhost
parameter of the Postfix RHEL system role was defined as relay_host
in the doc /usr/share/doc/rhel-system-roles/postfix/README.md
documentation provided by rhel-system-roles
. This update fixes the issue and the relayhost
parameter is now correctly defined in the Postfix
documentation.
Postfix
RHEL system role README.md no longer missing variables under the "Role Variables" section
Previously, the Postfix
RHEL system role variables, such as postfix_check
, postfix_backup
, postfix_backup_multiple
were not available under the "Role Variables" section. Consequently, users were not able to consult the Postfix role documentation. This update adds role variable documentation to the Postfix
README section. The role variables are documented and available for users in the doc/usr/share/doc/rhel-system-roles/postfix/README.md
documentation provided by rhel-system-roles
.
Postfix
role README no longer uses plain role name
Previously, the examples provided in the /usr/share/ansible/roles/rhel-system-roles.postfix/README.md
used the plain version of the role name, postfix
, instead of using rhel-system-roles.postfix
. Consequently, users would consult the documentation and incorrectly use the plain role name instead of Full Qualified Role Name (FQRN). This update fixes the issue, and the documentation contains examples with the FQRN, rhel-system-roles.postfix
, enabling users to correctly write playbooks.
The output log of timesync
only reports harmful errors
Previously, the timesync
RHEL system role used the ignore_errors
directive with separate checking for task failure in many tasks. Consequently, the output log of the successful role run was full of harmless errors. The users were safe to ignore those errors, but still they were distressing to see. In this update, the relevant tasks have been rewritten not to use ignore_errors
. As a result, the output log is now clean, and only role-stopping errors are reported.
The requirements.txt
file no longer missing in the Ansible collection
Previously, the requirements.txt
file, responsible for specifying the python dependencies, was missing in the Ansible collection. This fix adds the missing file with the correct dependencies at the /usr/share/ansible/collections/ansible_collections/redhat/rhel_system_roles/requirements.tx
path.
Traceback
no longer observed when set type: partition
for storage_pools
Previously, when setting the variable type
as partition
for storage_pools
in a playbook, running this playbook would fail and indicate traceback
. This update fixes the issue and the Traceback
error no longer appears.
SElinux
role no longer perform unnecessary reloads
Previously, the SElinux
role would not check if changes were actually applied before reloading the SElinux
policy. As a consequence, the SElinux
policy was being reloaded unnecessarily, which had an impact on the system resources. With this fix, the SElinux
role now uses ansible handlers and conditionals to ensure that the policy is only reloaded if there is a change. As a result, the SElinux
role runs much faster.
sshd
role no longer fails to start with the installed sshd_config
file on the RHEL6 host.
Previously, when a managed node was running RHEL6, the version of OpenSSH did not support "Match all" in the Match criteria, which was added by the install task. As a consequence, sshd
failed to start with the installed sshd_config
file on the RHEL6 host. This update fixes the issue by replacing "Match all" with "Match address *" for the RHEL6 sshd_config
configuration file, as the criteria is supported in the version of OpenSSH. As a result, the sshd
RHEL system role successfully starts with the installed sshd_config
file on the RHEL6 host.
The SSHD role name in README.md
examples no longer incorrect
Previously, in the sshd README.md
file, the examples reference calling the role with the willshersystems.sshd
name. This update fixes the issue, and now the example references correctly refers to the role as "rhel_system_roles.sshd".
The key/certs
source files are no longer copied when tls
is false
Previously, in the logging
RHEL system role elasticsearch output, if the key/certs
source files path on the control host were configured in the playbook, they would be copied to the managed hosts, even if tls
was set to false
. Consequently, if the key/cert
file paths were configured and tls
was set to false
, the command would fail, because the copy source files did not exist. This update fixes the issue, and copying the key/certs
is executed only when the tls
param is set to true
.
Task to enable logging for targeted hosts in the metric
role now works
Previously, a bug in the metric
RHEL system role prevented referring to targeted hosts in the enabling the performance metric logging
task. Consequently, the control file for performance metric logging was not generated. This update fixes the issue, and now the targeted hosts are correctly referred to. As a result, the control file is successfully created, enabling the performance metric logging execution.
sshd_hostkey_group
and sshd_hostkey_mode
variables now configurable in the playbook
Previously, the sshd_hostkey_group
and sshd_hostkey_mode
variables were unintentionally defined in both defaults
and vars
files. Consequently, users were unable to configure those variables in the playbook. With this fix, the sshd_hostkey_group
is renamed to __sshd_hostkey_group
and sshd_hostkey_mode
to __sshd_hostkey_mode
for defining the constant value in the vars
files. In the default
file, sshd_hostkey_group
is set to __sshd_hostkey_group
and sshd_hostkey_mode
to __sshd_hostkey_mode
. As a result, users can now configure the sshd_hostkey_group
and sshd_hostkey_mode
variables in the playbook.
RHEL system roles internal links in README.md
are no longer broken
Previously, the internal links available in the README.md
files were broken. Consequently, if a user clicked a specific section documentation link, it would not redirect users to the specific README.md
section. This update fixes the issue and now the internal links point users to the correct section.
7.12. RHEL in cloud environments
nm-cloud-setup
utility now sets the correct default route on Microsoft Azure
Previously, on Microsoft Azure, the nm-cloud-setup
utility failed to detect the correct gateway of the cloud environment. As a consequence, the utility set an incorrect default route, and connectivity failed. This update fixes the problem. As a result, nm-cloud-setup
utility now sets the correct default route on Microsoft Azure.
SSH keys are now generated correctly on EC2 instances created from a backup AMI
Previously, when creating a new Amazon EC2 instance of RHEL 8 from a backup Amazon Machine Image (AMI), cloud-init
deleted existing SSH keys on the VM but did not create new ones. Consequently, the VM in some cases could not connect to the host.
This problem has been fixed for newly created RHEL 8.5 VMs. For VMs that were upgraded from RHEL 8.4 or earlier, you must work around the issue manually.
To do so, edit the cloud.cfg
file and changing the ssh_genkeytypes: ~
line to ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']
. This makes it possible for SSH keys to be deleted and generated correctly when provisioning a RHEL 8 VM in the described circumstances.
RHEL 8 running on AWS ARM64 instances can now reach the specified network speed
When using RHEL 8 as a guest operating system in a virtual machine (VM) that runs on an Amazon Web Services (AWS) ARM64 instance, the VM previously had lower than expected network performance when the iommu.strict=1
kernel parameter was used or when no iommu.strict
parameter was defined.
This problem no longer occurs in RHEL 8.5 Amazon Machine Images (AMIs) provided by Red Hat. In other types of images, you can work around the issue by changing the parameter to iommu.strict=0
. This includes:
- RHEL 8.4 and earlier images
-
RHEL 8.5 images upgraded from an earlier version using
yum update
- RHEL 8.5 images not provided by Red Hat
(BZ#1836058)
Core dumping RHEL 8 virtual machines to a remote machine on Azure now works more reliably
Previously, using the kdump
utility to save the core dump file of a RHEL 8 virtual machine (VM) on a Microsoft Azure hypervisor to a remote machine did not work correctly when the VM was using a NIC with enabled accelerated networking. As a consequence, the dump file was saved after approximately 200 seconds, instead of immediately. In addition, the following error message was logged on the console before the dump file is saved.
device (eth0): linklocal6: DAD failed for an EUI-64 address
With this update, the underlying code has been fixed, and in the described circumstances, dump files are now saved immediately.
(BZ#1854037)
Hibernating RHEL 8 guests now works correctly when FIPS mode is enabled
Previously, it was not possible to hibernate a virtual machine (VM) that was using RHEL 8 as its guest operating system if the VM was using FIPS mode. The underlying code has been fixed and the affected VMs can now hibernate correctly.
(BZ#1934033, BZ#1944636)
7.13. Containers
UBI 9-Beta containers can run on RHEL 7 and 8 hosts
Previously, the UBI 9-Beta container images had an incorrect seccomp profile set in the containers-common
package. As a consequence, containers were not able to deal with certain system calls causing a failure. With this update, the problem has been fixed.