Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 8. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 8.9 that have a significant impact on users.
8.1. Installer and image creation
The --noverifyssl
option for liveimg
no longer checks the server’s certificate for images downloaded using HTTPS
Previously, the installer ignored the --noverifyssl
option from the liveimg
kickstart command. Consequently, if the server’s certificate could not be validated for images downloaded using the HTTPS protocol, the installation process failed. With this update, this issue has been fixed, and the --noverifyssl
option of the liveimg
kickstart command works as expected.
8.2. Security
Booting from an NFS filesystem now works with SELinux set to enforcing mode
Previously, when using NFS as the root filesystem, SELinux labels were not forwarded from the server, causing boot failures when SELinux was set to enforcing mode.
With this fix, SELinux has been fixed to correctly flag NFS mounts created before the initial SELinux policy load as supporting security labels. As a result, the NFS mount now forwards SELinux labels between the server and the client and the boot can succeed with SELinux set to enforcing mode.
Bugzilla:1753646[1]
The automatic screen lock now works correctly even when a USB smart-card reader is removed
Before RHEL 8.9, the opensc
packages incorrectly handled removing USB smart-card readers. Consequently, the system remained unlocked even if the GNOME Display Manager (GDM) was configured to lock the screen when a smart card was removed. Furthermore, after reconnecting the USB reader, the screen also did not lock after removing the smart card. In this release, the code for handling removals of USB smart-card readers has been fixed. As a result, the screen is correctly locked even when a smart card or a USB smart-card reader is removed.
The SCAP enable_fips_mode
rule now checks only fips=1
on 64-bit IBM Z architecture
Previously, the SCAP Security Guide rule enable_fips_mode
did check the contents of the /boot/grub2/grubenv
file. Consequently, the 64-bit IBM Z architecture did not use /boot/grub2/grubenv
file for FIPS mode. With this update, the OVAL rule enable_fips_mode
now test if argument fips=1
for Linux kernel is present in /boot/loader/entries/.*.conf
file on 64-bit IBM Z architecture.
SCAP journald
rules no longer remediate to invalid configuration
Previously, the SCAP Security Guide rules journald_compress
, journald_forward_to_syslog
, and journald_storage
contained a bug in the remediation script which added extra quotes to the respective options within the /etc/systemd/journald.conf
configuration file. Consequently, the journald
service failed to parse the configuration options and ignored them. Therefore, the configuration options were not effective and OpenSCAP reported false pass results. With this update, the rules and remediations scripts have been fixed to not add the extra quotes. The rule now create a valid configuration for journald
.
Images can now be configured with security profiles
SCAP Security Guide rules that configure mount point options have been reworked, and you can now use them also for hardening images when building an operating system image in image builder. As a result, you can now build images with partition configuration aligned with a specific security profile.
Removed strict requirements from SSG rules related to AIDE configuration
Previously, the SCAP Security Guide (SSG) rule aide_build_database
required the existence of both /var/lib/aide/aide.db.new.gz
and /var/lib/aide/aide.db.gz
files to pass. Because the AIDE
utility does not require the /var/lib/aide/aide.db.new.gz
file, this update removed the corresponding requirement from the aide_build_database
rule. As a result, the rule requires only the /var/lib/aide/aide.db.gz
file to pass.
In addition, the SCAP Security Guide rule aide_periodic_cron_checking
is now less strict on entries in /etc/cron.daily
and /etc/cron.weekly
files. You can now schedule the aide --check
command with additional wrappers while staying compliant with the rule.
SCAP rules related to pam_faillock
have correct descriptions
Previously, the SCAP Security Guide rules related to the pam_faillock
contained descriptions that were misaligned with some profile values. Consequently, the descriptions were not correct. With this update, the rules descriptions are now using XCCDF variables.
This change affects the following rules:
-
accounts_passwords_pam_faillock_deny
-
accounts_passwords_pam_faillock_interval
-
accounts_passwords_pam_faillock_dir
-
accounts_passwords_pam_faillock_unlock_time
The file_permissions_efi_user_cfg
SCAP rule no longer fails when /boot/efi
is mounted
Previously, the default permissions of UEFI files were not accepted. Therefore, it was not possible to change the permissions with the chmod
command when the /boot/efi
partition used a virtual file allocation table (VFAT) file system. Consequently, the file_permissions_efi_user_cfg
rule failed. This update changes the default permissions from 0600
to 0700
. Because the 0700
permission is also accepted by CIS, the assessment and remediation are now better aligned with CIS profiles.
SSG remediations are now aligned with configure_openssl_cryptopolicy
Previously, the SCAP Security Guide (SSG) remediation added the =
character to the opensslcnf.config
file. This syntax dit not match the description of the configure_openssl_cryptopolicy
rule. Consequently, compliance checks might fail after remediations that inserted .include =
instead of .include
to opensslcnf.config
. With this release, the remediation scripts are aligned with the rule description, and SSG remediations that use configure_openssl_cryptopolicy
no longer fail due to additional =
.
The postfix_prevent_unrestricted_relay
rule now accepts white spaces around the =
sign
Previously, the OVAL check of the SCAP rule xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
was too strict and it did not account for postconf
configuration assignment statements which contained white spaces around the =
sign. As a consequence, the final report reported this rule as failing even for configurations that technically met the rule’s requirements. With this update, the rule was modified so that the check accepts statements with white spaces around the =
sign. As a result, the final report rule now marks this rule as passing for correct configuration statements.
SCAP rules now correctly evaluate whether the /var/log
and /var/log/audit
partitions exist
Previously, some SCAP rules relevant to the /var/log
and /var/log/audit
partitions were evaluated and remediated even when the appropriate disk partition did not exist. This affected the following rules:
-
mount_option_var_log_audit_nodev
-
mount_option_var_log_audit_noexec
-
mount_option_var_log_audit_nosuid
-
mount_option_var_log_nodev
-
mount_option_var_log_noexec
-
mount_option_var_log_nosuid
As a consequence, these rules were evaluated and incorrectly reported as failing in the final report even when the directories /var/log
or /var/log/audit
were not mount points for individual partitions. This update adds an applicability check to determine whether /var/log
or /var/log/audit
are mount points for individual partitions. As a consequence, the rules are not evaluated in configurations when the directories are not mount points for individual partitions and the rules are marked as notapplicable
in the final report.
The SCAP rule accounts_passwords_pam_faillock_interval
now covers new STIG IDs
Previously, the SCAP Security Guide rule accounts_passwords_pam_faillock_interval
did not cover RHEL-08-020012 and RHEL-08-020013. Consequently, the rule accounts_passwords_pam_faillock_interval
checked for faillock
configuration in all of these three files: /etc/pam.d/password-auth
, /etc/pam.d/system-auth
, and /etc/security/faillock.conf
. With this update, the rule now covers STIG IDs RHEL-08-020012 and RHEL-08-020013.
Red Hat CVE feeds have been updated
The version 1 of Red Hat Common Vulnerabilities and Exposures (CVE) feeds at https://access.redhat.com/security/data/oval/ has been sunset and replaced by version 2 of the CVE feeds located at https://access.redhat.com/security/data/oval/v2/.
Consequently, the links in SCAP source data streams provided by the scap-security-guide
package have been updated to link to the new version of the Red Hat CVE feeds.
The wget
utility no longer fails TLS handshake when accessing restricted resources
Previously, when ticket-based session resumption was enabled in TLS, the wget
utility expected a TLS session to be resumed even when the server requested the client to re-authenticate to access restricted resources. This behavior caused wget
to fail the second TLS handshake. With this update, wget
properly initiates a new handshake and the access to restricted resources no longer fails.
Settings from pam_cap
are correctly applied on SELinux-enabled systems
Previously, the SELinux policy did not contain rules for using the pam_cap
module. As a consequence, granting login capabilities controlled by pam_cap
to users in the /etc/security/capability.conf
configuration file did not work when the users logged in by using ssh
or the console. This update adds a new rule to the policy. As a result, granting capabilities in /etc/security/capability.conf
now works, and user capabilities configured with pam_cap
are taken into account when logging in.
The systemd-fsck-root
service is now correctly labeled on SELinux-enabled systems
Previously, the /run/fsck
directory was created by the systemd-fsck-root
service or the fsck
command but the SELinux policy did not contain rules for proper labeling of the directory. As a consequence, the systemd-fsck-root
service did not work correctly. With this update, the correct label and file transition for /run/fsck
were added to the policy. As a result, the systemd-fsck-root
service works without reporting errors.
Bugzilla:2184348[1]
SELinux policy now allows bidirectional communication on D-Bus
Previously, the SELinux policy contained rules to allow only one-way communication between two domains on the D-Bus message bus system. However, such communication must be allowed in both directions. This occurred also when the Pacemaker high-availability cluster resource manager executed the hostnamectl
or timedatectl
commands. As a consequence, these commands executed by Pacemaker timed out without receiving a response on D-Bus because SELinux blocked it. This update to the SELinux policy allows bidirectional communication on D-Bus. As a result, commands that require bidirectional communication on D-Bus executed by Pacemaker finish successfully.
tangd-keygen
now handles non-default umask
correctly
Previously, the tangd-keygen
script did not change file permissions for generated key files. Consequently, on systems with a default user file-creation mode mask (umask
) that prevents reading keys to other users, the tang-show-keys
command returned the error message Internal Error 500
instead of displaying the keys. With this update, tangd-keygen
sets file permissions for generated key files, and therefore the script now works correctly on systems with non-default umask
.
Clevis now handles SHA-256 thumbprints
Before this update, the Clevis client did not recognize SHA-256 thumbprints specified through the thp
configuration option. Consequently, clients did not bind to Tang servers that used SHA-256 thumbprints, and every corresponding clevis encrypt tang
command reported an error. With this update, Clevis recognizes thumbprints using SHA-256 and handles them correctly. As a result, Clevis clients can bind not only to Tang servers using SHA-1 but also SHA-256 thumbprints.
Rsyslog can start even without capabilities
When Rsyslog is executed as a normal user or in a containerized environment, the rsyslog
process has no capabilities. Consequently, Rsyslog in this scenario could not drop capabilities and exited at startup. With this update, the process no longer attempts to drop capabilities if it has no capabilities. As a result, Rsyslog can start even when it has no capabilities.
Jira:RHELPLAN-160541[1]
fapolicyd
service no longer runs programs that are removed from the trusted database
Previously, the fapolicyd
service incorrectly handled a program as trusted even after it was removed from the trusted database. As a result, entering the fapolicyd-cli --update
command had no effect, and the program could be executed even after being removed. With this update, the fapolicyd-cli --update
command correctly updates the trusted programs database, and removed programs can no longer be executed.
fapolicyd
service now creates RPM database files with correct ownership
Previously, the fapolicyd
service created and owned RPM database files in the /var/lib/rpm/
directory. As a result, other programs were unable to access the files, which resulted in availability control errors. With this update, fapolicyd
creates the files with correct ownership, and the errors no longer occur.
8.3. Software management
The yum needs-restarting -s
command now correctly displays the list of systemd services
Previously, when you used the needs-restarting
command with the -s
or --services
option, an error occurred when a non-systemd or malfunctioning process was detected. With this update, the yum needs-restarting -s
command ignores such processes and displays a warning instead with the list of affected systemd services.
The dnf-automatic
command now correctly reports the exit status of transactions
Previously, the dnf-automatic
command returned a successful exit code of a transaction even if some actions during this transaction were not successfully completed. This could cause a security risk on machines that use dnf-automatic
for automatic deployment of errata. With this update, the issue has been fixed, and dnf-automatic
now reports every problem with packages during the transaction.
YUM now handles proxy=_none_
correctly
You can use the YUM proxy=_none_
configuration option to prohibit changing proxy settings. Previously, if you set proxy=_none_
in the main configuration file, YUM detected an error. This update fixes the bug, and YUM now handles proxy=_none_
correctly.
The RHEL 8 YUM proxy=_none_
configuration is compatible with the YUM configuration in RHEL 7.
The needs-restarting
plug-in now correctly requires the system restart when a file owned by dbus
is updated by zlib
Previously, when you ran the YUM needs-restarting
plug-in, it did not prompt to restart the system when a file owned by the dbus
package was updated by the dependent zlib
package. With this update, the issue has been fixed, and the needs-restarting
plug-in now displays a message that you must restart dbus
when zlib
is updated.
8.4. Shells and command-line tools
The which
command no longer fails for a long path
Previously, when you executed the which
command in a directory with a path longer than 256 characters, the command failed with the Can’t get current working directory
error message. With this fix, the which
command now uses the PATH_MAX
value for the path length limit. As a result, the command no longer fails.
ReaR now supports UEFI Secure Boot with OUTPUT=USB
Previously, the OUTPUT=USB
ReaR output method, which stores the rescue image on a bootable disk drive, did not respect the SECURE_BOOT_BOOTLOADER
setting. Consequently, on systems with UEFI Secure Boot enabled, the disk with the rescue image would not boot because the bootloader was not signed.
With this fix, the OUTPUT=USB
ReaR output method now uses the bootloader that you specify in the SECURE_BOOT_BOOTLOADER
setting when creating the rescue disk. To use the signed UEFI shim bootloader, change the following setting in the /etc/rear/local.conf
file:
SECURE_BOOT_BOOTLOADER=/boot/efi/EFI/redhat/shimx64.efi
As a result, the rescue disk is bootable when UEFI Secure Boot is enabled. It is safe to set the variable to this value on all systems with UEFI, even when Secure Boot is not enabled. It is even recommended for consistency. For details about the UEFI boot procedure and the shim bootloader, see UEFI: what happens when booting the system.
ipmievd
now recognizes SEL response correctly when a SEL request times out
The ipmievd
service sends System Event Log (SEL) requests through the /dev/ipmi0
device. Previously, due to a missing ID check of the returned IPMI message, a timed-out request led to incorrect processing of the next request. For example, if the Baseboard Management Controller (BMC) was reset, the SEL request from the ipmievd
service timed out due to no SEL response. Consequently, ipmievd
did not work correctly due to a non-corresponding SEL response. As a result, you did not get the correct hardware state, and a large amount of wrong hardware information was output to /var/log/messages
. With this fix, ipmitool
and ipmievd
now check the ID of the returned IPMI message against the ID of the request and skip non-corresponding SEL requests. ipmevd
no longer logs incorrect hardware information.
Bugzilla:2224567[1]
8.5. Networking
Intel Corporation I350 Gigabit Fiber Network Connection now provides a link after kernel update
Previously, hardware configurations with Small Formfactor Pluggable (SFP) transceiver modules without External Thermal Sensor (ETS) caused the igb
driver to erroneously initialize the Inter-Integrated Circuit (I2C) to read ETS. As a consequence, connections did not obtain links. With this bug fix, the igb
driver only initializes I2C when SFP with ETS is available. As a result, connections obtain links.
Bugzilla:2130727[1]
8.6. Boot loader
grubby
now passes arguments to a new kernel correctly
When you add a new kernel using the grubby
tool and do not specify any arguments, or leave the arguments blank, grubby
will not pass any arguments to the new kernel and root
will not be set. Using the --args
and --copy-default
options ensures new arguments are appended to the default arguments.
8.7. File systems and storage
multipathd
adds the persistent reservation registration key to all paths
Previously, when the multipathd
daemon started and it recognized a registration key for the persistent reservations on one path of an existing multipath device, not all paths of that device had the registration key. As a consequence, if new paths appeared to a multipath device with persistent reservations while multipathd
was stopped, persistent reservations were not set up on those. This allowed IO processing on the paths, even if they were supposed to be forbidden by the reservation key.
With this fix, if multipathd
finds a persistent reservation registration key on any device path, it adds the key to all active paths. As a result, multipath devices now have persistent reservations set up correctly on all the paths, even if path devices first appear while multipathd
is not running.
LUNs are now visible during the OS installation
Previously, the system was not using the authentication information from firmware sources, specifically in cases involving iSCSI hardware offload with CHAP (Challenge-Handshake Authentication Protocol) authentication stored in the iSCSI iBFT (Boot Firmware Table). As a consequence, the iSCSI login failed during installation.
With the fix in the udisks2-2.9.4-9.el9
firmware authentication, this issue is now resolved and LUNs are visible during the installation and initial boot.
Bugzilla:2213193[1]
8.8. High availability and clusters
Pacemaker Designated Controller elections no longer finalized until all pending actions are complete
When a cluster elects a new Designated Controller (DC), all nodes send their current history to the new DC, which saves it to the CIB. As a consequence, if actions were already in progress when a new DC is elected, and the actions finish after the nodes send their current history to the new DC, the actions' results could be lost. With this fix, DC elections are not finalized until all pending actions are complete and no action results are lost.
The fence_scsi
agent is now able to auto-detect shared lvmlockd
devices
Previously, the fence_scsi
agent did not auto-detect shared lvmlockd
devices. With this update, fence_scsi
is able to auto-detect lvmlockd
devices when the devices
attribute is not set.
Resource stickiness now properly compares against colocation scores
Chained resource colocations are resources colocated with the resource that is colocated with the resource being assigned. Previously, if the original colocation had a finite negative score, and the chained colocation was mandatory, the original resource being assigned could be banned from its node even if resource-stickiness was set to INFINITY
. With this fix, chained colocations are now taken into account proportionally and stickiness properly compares against colocation scores.
Bugzilla:1632951[1]
The crm_resource
command now allows banning or moving a bundle with only a single active replica
Previously, when the crm_resource
command checked where a bundle with a single replica was active, the command counted both the node where the container was active and the guest node that was created for the container itself. As a result, the crm_resource
command would not ban or move a bundle with a single active replica. With this fix, the crm_resource
command now only counts nodes where a bundle’s containers are active when determining the number of active replicas.
The mysql
resource agent now works correctly with promotable clone resources
Previously, the mysql
resource agent moved cloned resources that were operating in a Master role between nodes, due to promotion scores changing between promoted and non-promoted values. With this fix, a promoted node stays promoted.
Unpromoted clone instances no longer restart unnecessarily
Previously, promotable clone instances were assigned in numerical order, with promoted instances first. As a result, if a promoted clone instance needed to start, an unpromoted instance in some cases restarted unexpectedly, because the instance numbers changed. With this fix, roles are considered when assigning instance numbers to nodes and as a result no unnecessary restarts occur.
A fence watchdog configured as a second fencing device now fences a node when the first device times out
Previously, when a watchdog fencing device was configured as the second device in a fencing topology, the watchdog timeout would not be considered when calculating the timeout for the fencing operation. As a result, if the first device timed out the fencing operation would time out even though the watchdog would fence the node. With this fix, the watchdog timeout is included in the fencing operation timeout and the fencing operation succeeds if the first device times out.
Location constraints with rules no longer displayed when listing is grouped by nodes
Location constraints with rules cannot have a node assigned. Previously, when you grouped the listing by nodes, location constraints with rules were displayed under an empty node. With this fix, the location constraints with rules are no longer displayed and a warning is given indicating that constraints with rules are not displayed.
pcs
command to update multipath SCSI devices now works correctly
Due to changes in the Pacemaker CIB file, the pcs stonith update-scsi-devices
command stopped working as designed, causing an unwanted restart of some cluster resources. With this fix, this command works correctly and updates SCSI devices without requiring a restart of other cluster resources running on the same node.
Memory footprint of pcsd-ruby
daemon now reduced when pscd
Web UI is open
Previously, when the pcsd
Web UI was open, memory usage of the pcsd-ruby
daemon increased steadily over the course of several hours. With this fix, the web server that runs in the pcsd-ruby
daemon now periodically performs a graceful restart. This frees the allocated memory and reduces the memory footprint.
Bugzilla:2189958[1]
The azure-events-az
resource agent no longer produces an error with Pacemaker 2.1 and later
The azure-events-az
resource agent executes the crm_simulate -Ls
command and parses the output. With Pacemaker 2.1 and later, the output of the crm_simulate
command no longer contains the text Transition Summary:
, which resulted in an error. With this fix, the agent no longer yields an error when this text is missing.
8.9. Compilers and development tools
systemtap
scripts using guru mode now compile more quickly
The systemtap
guru mode liveness analysis uses the dyninst
library to parse binaries. Newer kernels enable mitigation code with CONFIG_RETPOLINE=y
, replacing traditional RET instructions, with jumps to a thunk. As a consequence, binary analysis took a much longer time due to the liveness analysis needing to examine all additional edges of the control flow graph introduced by the jumps to the thunk.
With this update, systemtap
disables liveness analysis when the kernel code is using thunks and, as a result, systemtap
scripts using guru mode compile more quickly.
eu-addr2line -C
now correctly recognizes other arguments
Previously, when you used the -C
argument in eu-addr2line
command from elfutils
, the following single character argument disappeared. Consequently, the eu-addr2line -Ci
command behaved the same way as eu-addr2line -C
while eu-addr2line -iC
worked as expected. This bug has been fixed, and eu-addr2line -Ci
now recognizes both arguments.
eu-addr2line -i
now correctly handles code compiled with GCC link-time optimization
Previously, the dwarf_getscopes
function from the libdw
library included in elfutils
was unable to find an abstract origin definition of a function that was compiled with GCC link-time optimization. Consequently, when you used the -i
argument in the eu-addr2line
command, eu-addr2line
was unable to show inline functions for code compiled with gcc -flto
. With this update, the libdw dwarf_getscopes
function looks in the correct compile unit for the inlined scope, and eu-addr2line -i
works as expected.
8.10. Identity Management
SSSD now uses sAMAccountName
when evaluating GPO-based access control
Previously, if ldap_user_name
was set to a value other than sAMAccountName
on an AD client, GPO-based access control failed. With this update, SSSD now always uses sAMAccountName
when evaluating GPO-based access control. Even if ldap_user_name
is set to a value different from sAMAccountName
on an AD client, GPO-based access control now works correctly.
SSSD now handles duplicate attributes in the user_attributes
option when retrieving users
Previously, if sssd.conf
contained duplicate attributes in the user_attributes
option, SSSD did not handle these duplicates correctly. As a consequence, users with those attributes could not be retrieved. With this update, SSSD now handles duplicates correctly. As a result, users with duplicate attributes can now be retrieved.
Changing a security parameter now works correctly
Previously, when you changed a security parameter by using the dsconf instance_name security set
command, the operation failed with the error:
Name 'log' is not defined
With this update, the security parameter change works as expected.
Directory Server now calculates the dtablesize
based on the maximum number of opened descriptors
Previously, an administrator could set the connection table size manually by using the nsslapd-conntablesize
configuration parameter. Consequently, when the connection table size was set too low, it affected the number of connections the server was able to support. With this update, Directory Server now calculates the size of the connection table dynamically effectively resolving the issue with too small connection table size. In addition, you no longer need to manually change the connection table size.
The dsctl healthcheck
command now uses the password storage scheme PBKDF2-SHA512
by default
Previously, the dsctl healthcheck
command used SSHA512
password storage scheme by default. Consequently, the command reported a warning because it did not detect the new password storage scheme PBKDF2-SHA512
. With this update, the dsctl healthcheck
command now uses PBKDF2-SHA512
password storage scheme by default and no warnings occur.
Paged searches from a regular user now do not impact performance
Previously, when Directory Server was under the search load, paged searches from a regular user could impact the server performance because a lock conflicted with the thread that polls for network events. In addition, if a network issue occurred while sending the page search, the whole server was unresponsive until the nsslapd-iotimeout
parameter expired. With this update, the lock was split into several parts to avoid the contention with the network events. As a result, no performance impact during paged searches from a regular user.
You can now enable and disable ciphers in Directory Server as expected
Previously, when you tried to enable or disable specific ciphers in addition to default ciphers by using the web console, the server enabled or disabled only the specific ciphers and logged an error similar to the following:
Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,+cipher_name>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)
Currently, the network security services (NSS) do not support handling default ciphers and specific ciphers at the same time. As a result, Directory Server can enable or disable either specific ciphers or default ciphers. With this update, when you set the default ciphers, the web console now prompts that Allow Specific Ciphers and Deny Specific Ciphers fields will be cleared.
Deleting the IdM admin
user is now no longer permitted
Previously, nothing prevented you from deleting the Identity Management (IdM) admin
user if you were a member of the admins
group. The absence of the admin
user causes the trust between IdM and Active Directory (AD) to stop functioning correctly. With this update, you can no longer delete the admin
user. As a result, the IdM-AD trust works correctly.
IdM clients correctly retrieve information for trusted AD users when their names contain mixed case characters
Previously, if you attempted a user lookup or authentication of a user, and that trusted Active Directory (AD) user contained mixed case characters in their names and they were configured with overrides in IdM, an error was returned preventing users from accessing IdM resources.
With the release of RHBA-2023:4525, a case-sensitive comparison is replaced with a case-insensitive comparison that ignores the case of a character. As a result, IdM clients can now lookup users of an AD trusted domain, even if their usernames contain mixed case characters and they are configured with overrides in IdM.
Jira:SSSD-6096
8.11. Graphics infrastructures
The installer no longer freezes on servers with ASPEED 2600
Previously, the graphical RHEL 8.8 installer became unresponsive with a black screen when you started the installer on a server with the ASPEED 2600 On System Management Chipset. Consequently, you could not install RHEL 8.8 on the server.
With this release, the problem has been fixed. As a result, the installation now proceeds as expected with ASPEED 2600.
Bugzilla:2189645[1]
8.12. The web console
The web console NBDE binding steps now work also on volume groups with a root file system
In RHEL 8.8, due to a bug in the code for determining whether or not the user was adding a Tang key to the root file system, the binding process in the web console crashed when there was no file system on the LUKS container at all. Because the web console displayed the error message TypeError: Qe(…) is undefined
after you had clicked the Trust key
button in the Verify key
dialog, you had to perform all the required steps in the command-line interface in the described scenario.
With this update, the web console correctly handles additions of Tang keys to root file systems. As a result, the web console finishes all binding steps required for the automated unlocking of LUKS-encrypted volumes using Network-Bound Disk Encryption (NBDE) in various scenarios.
VNC console now works at most resolutions
Previously, when using the Virtual Network Computing (VNC) console under certain display resolutions, a mouse offset problem was present or only a part of the interface was visible. Consequently, using the VNC console was not possible.
With this update, the problem has been fixed and the VNC console works correctly at most resolutions, with the exception of ultra high resolutions, such as 3840x2160.
Note that a small offset between the recorded and displayed positions of the cursor might still be present. However, this does not significantly impact the usability of the VNC console.
8.13. Red Hat Enterprise Linux system roles
The storage
role can now resize the mounted file systems without unmounting
Previously, the storage
role was unable to resize mounted devices, even if the file system supported online resizing. As a consequence, the storage
role unmounted all file systems prior to resizing, which failed for file systems that were in use, for example, while resizing the /
directory of the running system.
With this update, the storage
role now supports resizing mounted file systems that support online resizing such as XFS and Ext4. As a result, the mounted file systems can now be resized without unmounting them.
The certificate
RHEL system role now checks for the certificate key size when determining whether to perform a new certificate request
Previously, the certificate
RHEL system role did not check the key size of a certificate when evaluating whether to request a new certificate. As a consequence, the role sometimes did not issue new certificate requests in cases where it should. With this update, certificate
now checks the key_size
parameter to determine if a new certificate request should be performed.
Insights tags created by using the rhc
role are now applied correctly
Previously, when you created Insights tags by using the rhc
role, tags were not stored in the correct file. Consequently, tags were not sent to Insights and as a result they were not applied to the systems in the Insights inventory.
With this fix, tags are stored correctly and applied to the systems present in the Insights inventory.
The firewall
RHEL system role on RHEL 7 no longer attempts to install non-existent Python packages
Previously, when the firewall
role on RHEL 7 was called from another role, and that role was using python3
, the firewall
role attempted to install the python3-firewall
library for that version of Python. However, that library is not available in RHEL 7. Consequently, the python3-firewall
library was not found, and you received the following error message:
No package matching 'python3-firewall' found available, installed or updated
With this update, the firewall
role does not attempt to install the python-firewall
or python3-firewall
library. As a result, the firewall
role does not fail on RHEL 7 when python3
is installed on the managed node.
Failure to remove data from member disks before creation no longer persists
Previously, when creating RAID volumes, the system did not effectively eliminate existing data from member disks before forming the RAID volume. With this update, RAID volumes remove any per-existing data from member disks as needed.
The podman_registries_conf
variable now configures unqualified-search-registries
field correctly
Previously, after configuring the podman_registries_conf
variable, the podman
RHEL system role failed. Consequently, unqualified-search-registries = ["registry.access.redhat.com"]
setting was not generated in the /etc/containers/registries.conf.d/50-systemroles.conf
file. With this update, this problem has been fixed.
raid_chunk_size
parameter no longer returns an error message
Previously, raid_chunk_size
attribute was not allowed for RAID pools and volumes. With this update, you can now configure the raid_chunk_size
attribute for RAID pools and volumes without encountering any restrictions.
Running the firewall
RHEL system role in check mode with non-existent services no longer fails
Previously, running the firewall
role in check mode with non-existent services would fail. This fix implements better compliance with Ansible best practices for check mode. As a result, non-existent services being enabled or disabled no longer fails the role in check mode. Instead, a warning prompts you to confirm that the service is defined in a previous playbook.
The kdump
role adds authorized_keys
idempotently
Previously, the task to add authorized_key
added an extra newline character every time. Consequently the role was not acting idempotent. With this fix, adding a new authorized_key
works correctly and adds only a single key value idempotently.
The kdump
system role does not fail if authorized_keys
are missing
Previously, the kdump
system role failed to add SSH
authorized keys if the user defined in the kdump_ssh_user
variable did not have access to the .ssh
directory in the home
directory or an empty .ssh/authorized_keys
file. With this fix, the kdump
system role now correctly adds authorized keys to the SSH
configuration. As a result, the key based authentication works reliably in the described scenario.
The firewall
RHEL system role correctly reports changes when using previous: replaced
in check mode
Previously, the firewall
role was not checking whether any files would be changed when using the previous: replaced
parameter in check mode. As a consequence, the role gave an error about undefined variables. This fix adds new check variables to the check mode to assess whether any files would be changed by the previous: replaced
parameter. The check for the firewalld.conf
file assesses the rpm
database to determine whether the file has been changed from the version shipped in the package. As a result, the firewall
role now correctly reports changes when using the previous: replaced
parameter.
Jira:RHEL-899[1]
Enabling kdump
for system role requires using the failure_action
configuration parameter on RHEL 9 and later versions
Previously, using the default
option during kdump
configuration was not successful and printed the following warning in logs:
kdump: warning: option 'default' was renamed 'failure_action' and will be removed in the future. please update /etc/kdump.conf to use option 'failure_action' instead.
Consequently, the role did not enable kdump
successfully if default
option was used. This update fixes the problem and you can configure kernel dump parameters on multiple systems by using the failure_action
parameter. As a result, enabling kdump
works successfully in the described scenario.
Jira:RHEL-907[1]
The firewall
RHEL system role correctly reports changes when assigning zones to Network Manager interfaces
Previously, the Network Manager interface assignment reported changes when no changes were present. With this fix, the try_set_zone_of_interface
module in the file library/firewall_lib.py
returns a second value, which denotes whether the interface’s zone was changed. As a result, the module now correctly reports changes when assigning zones to interfaces handled by Network Manager.
Jira:RHEL-918[1]
The kdump
role successfully updates .ssh/authorized_keys
for kdump_ssh_server
authentication
Previously, the .ssh
directory was not accessible by the kdump
role to securely authenticate users to log into kdump_ssh_server
. As a consequence, the kdump
role did not update the .ssh/authorized_keys
file and the SSH mechanism to verify the kdump_ssh_server
failed. This update fixes the problem. As a result the kdump_ssh_user
authentication on kdump_ssh_server
works reliably.
Jira:RHEL-1398[1]
The previous: replaced
parameter of the firewall
system role now overrides the previous configuration without deleting it
Previously, if you added the previous: replaced
parameter to the variable list, the firewall
system role removed all existing user-defined settings and reset firewalld
to the default settings. This fix uses the fallback configuration in firewalld
, which was introduced in the EL7 release, to retain the previous configuration. As a result, when you use the previous: replaced
parameter in the variable list, the firewall.conf
configuration file is not deleted on reset, but the file and comments in the file are retained.
Jira:RHEL-1496[1]
The kdump
role adds multiple keys to authorized_keys
idempotently
Previously, adding multiple SSH keys to the authorized_keys
file at the same time replaced the key value of one host by another. This update fixes the problem by using the lineinfile
module to manage the authorized_keys
file. lineinfile
iterates the tasks in sequence, checking for an existing key and writing the new key in one atomic operation on a single host at one time. As a result, adding SSH keys on multiple hosts works correctly, and does not replace the key value from another host.
Note: Use the serial: 1
play serial keyword at play level to control the number of hosts executing at one time.
Jira:RHEL-1500[1]
8.14. Virtualization
Hot plugging a Watchdog card to a virtual machine no longer fails
Previously, if no PCI slots were available, adding a Watchdog card to a running virtual machine (VM) failed with the following error:
Failed to configure watchdog ERROR Error attempting device hotplug: internal error: No more available PCI slots
With this update, the problem has been fixed and adding a Watchdog card to a running VM now works as expected.