Chapter 8. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 9.1 that have a significant impact on users.
8.1. Installer and image creation
The installer no longer installs earlier versions of packages
Previously, the installer did not correctly load the DNF configuration file during the installation process. As a consequence, the installer sometimes installed earlier versions of select packages in the RPM transaction.
This bug has been fixed, and only the latest versions of packages are now installed from the installation repositories. In cases where it is impossible to install the latest versions of the packages, the installation fails as expected.
Anaconda installation is successful even if changing the network configuration in stage2
Previously, when using the rd.live.ram boot argument, Anaconda did not unmount an NFS mount point that is used in initramfs to fetch the installation image into memory. As a consequence, the installation process could become unresponsive or fail with a timeout error if the network configuration was changed in stage2.
To fix this problem, the NFS mount point used to fetch the installation image into memory is unmounted in initramfs before switchroot. As a result, the installation process is completed without any interruption.
(BZ#2082132)
8.2. Subscription management
virt-who now connects to ESX servers correctly when in FIPS mode
Previously, when using the virt-who utility on a RHEL 9 system in FIPS mode, virt-who could not connect to ESX servers. As a consequence, virt-who did not report any ESX servers, even if configured for them, and logged the following error message:
ValueError: [digital envelope routines] unsupported
With this update, virt-who has been fixed to handle FIPS mode correctly, and the described problem no longer occurs.
8.3. Software management
DNF now correctly rolls back a transaction containing an item with the Reason Change Action type
Previously, running the dnf history rollback command on a transaction containing an item with the Reason Change Action type failed. With this update, the issue has been fixed, and dnf history rollback now works as expected.
8.4. Shells and command-line tools
The vi command in ReaR no longer results in an infinite loop
Previously, the ReaR rescue system did not contain the vi executable, only the /bin/vi script. As a consequence, the /bin/vi script caused an infinite loop when invoked. With this update, the ReaR rescue system contains the actual vi executable /usr/libexec/vi, and running the vi command no longer leads to an endless loop.
ReaR with the PXE output method no longer fails to store the output files in the rsync OUTPUT_URL location
Previously, the handling of the OUTPUT_URL variable with the OUTPUT=PXE and BACKUP=RSYNC options was removed. As a consequence, when using an rsync location for OUTPUT_URL, ReaR failed to copy the initrd and kernel files to this location, although it uploaded them to the location specified by BACKUP_URL. With this update, the behavior from RHEL 8.4 and earlier releases is restored. ReaR creates the required files at the designated OUTPUT_URL destination using rsync.
ReaR no longer fails to display an error message if it does not update the UUID in /etc/fstab
Previously, ReaR did not display an error message during recovery when it failed to update the universally unique identifier (UUID) in /etc/fstab to match the UUID of the newly created partition in case the UUIDs were different. This could have happened if the rescue image was out of sync with the backup. With this update, an error message occurs during recovery if the restored basic system files do not match the recreated system.
ReaR now supports restoring a system using NetBackup version 9
Previously, restoring a system using the NetBackup (NBU) method with NetBackup version 9 or later failed due to missing libraries and other files. With this update, the NBU_LD_LIBRARY_PATH variable contains the required library paths, the rescue system now incorporates the required files, and ReaR can use the NetBackup method.
(BZ#2120736)
ReaR no longer displays a false error message about missing symlink targets
Previously, ReaR displayed incorrect error messages about missing symlink targets for the build and source symlinks under /usr/lib/modules/ when creating the rescue image. This situation was harmless, and you could safely ignore the error message. With this update, ReaR does not report a false error message about missing symlink targets in this situation.
The cmx operation with no parameter no longer crashes the CIM Client
The cmx operation calls a method and returns XML; a parameter specifies the name of the called method. Previously, the sblim-wbemcli command-line Common Information Model (CIM) Client crashed when running the cmx operation without an additional parameter. With this update, the cmx operation requires the parameter that defines the name of the called method. Invoking the cmx operation without this parameter results in an error message, and the CIM Client no longer crashes.
free command uses a new calculation method for used memory
Previously, the calculation of used memory in the free utility subtracted free space, cache space, and buffer space from the total memory. Consequently, a discrepancy occurred when you compared the value of used memory with the outcome of another tool, because the free utility did not account for shared memory. With this update, the free command uses a new calculation method that provides a clear state of free memory and considers the unreclaimable cache. Used memory is now any memory that is not available, and also includes tmpfs objects that are in the virtual memory.
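The following Python is an added illustration, not code from procps or from this page: it runs both calculations over a constructed /proc/meminfo excerpt. The formulas are my reading of the note (old: total minus free, buffers and cache, where cache is page cache plus reclaimable slab; new: everything the kernel does not report as MemAvailable), and the function names are my own.

```python
import re
from typing import Dict

# Constructed /proc/meminfo excerpt in kB (not captured from a real host).
# Shmem (tmpfs objects) is counted inside Cached, but the kernel's
# MemAvailable estimate does not treat those pages as reclaimable.
SAMPLE_MEMINFO = """\
MemTotal:        8000000 kB
MemFree:         1000000 kB
MemAvailable:    3000000 kB
Buffers:          200000 kB
Cached:          3000000 kB
Shmem:           1200000 kB
SReclaimable:     300000 kB
SUnreclaim:       100000 kB
"""

_LINE = re.compile(r"^(\w+(?:\(\w+\))?):\s+(\d+)(?:\s+kB)?$")


def parse_meminfo(text: str) -> Dict[str, int]:
    """Parse /proc/meminfo-style text into {field: value_in_kB}."""
    fields: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields


def used_legacy(m: Dict[str, int]) -> int:
    """Old method (assumed): total minus free, buffers and cache.

    'cache' is page cache plus reclaimable slab, so tmpfs pages that sit
    inside Cached are subtracted as if they were reclaimable and vanish
    from 'used'. That is the discrepancy the release note describes.
    """
    cache = m["Cached"] + m.get("SReclaimable", 0)
    return m["MemTotal"] - m["MemFree"] - m["Buffers"] - cache


def used_not_available(m: Dict[str, int]) -> int:
    """New method (assumed): anything not reported as available is used.

    Falls back to total minus free when MemAvailable is absent or larger
    than MemTotal (as seen inside containers that expose host-wide values).
    """
    total = m["MemTotal"]
    available = m.get("MemAvailable", m["MemFree"])
    if available > total:
        available = m["MemFree"]
    return total - available


def compare(text: str) -> Dict[str, int]:
    """Return both 'used' figures and how far they diverge, in kB."""
    m = parse_meminfo(text)
    legacy = used_legacy(m)
    new = used_not_available(m)
    return {
        "legacy_used_kb": legacy,
        "new_used_kb": new,
        "difference_kb": new - legacy,
        "shmem_kb": m.get("Shmem", 0),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_MEMINFO).items():
        print(f"{key:>16}: {value}")
```

With the constructed numbers the old formula reports 3.5 GB used while the new one reports 5 GB, and the 1.2 GB of tmpfs pages is the bulk of the gap.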
8.5. Infrastructure services
Unbound no longer validates SHA-1-based RSA signatures
Previously, OpenSSL did not validate SHA-1-based RSA signatures in the DEFAULT system-wide cryptographic policy. As a consequence, when Unbound tried to validate such signatures, the error from OpenSSL caused the resolution to fail. With this update, Unbound disables validation support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 (algorithm number 7) signatures, which resolves the query. Note that this makes the result insecure under all system-wide cryptographic policies.
8.6. Security
OpenSSH key generation uses FIPS-compatible interfaces
The OpenSSL cryptographic library, which is used by OpenSSH, provides two interfaces: legacy and modern. Previously, OpenSSH used the legacy interface for key generation, which did not comply with Federal Information Processing Standards (FIPS) requirements. With this update, the ssh-keygen utility uses the FIPS-compliant API instead of the low-level FIPS-incompatible API. As a result, OpenSSH key generation is FIPS-compliant.
Cryptography not approved by FIPS no longer works in OpenSSL in FIPS mode
Previously, cryptography that was not FIPS-approved worked in the OpenSSL toolkit regardless of system settings. Consequently, you could use cryptographic algorithms and ciphers that should be disabled when the system is running in FIPS mode, for example:
- TLS cipher suites using the RSA key exchange worked.
- RSA-based algorithms for public-key encryption and decryption worked despite using the PKCS #1 and SSLv23 paddings or using keys shorter than 2048 bits.
This update contains fixes ensuring that cryptography not approved by FIPS no longer works in OpenSSL in FIPS mode.
Specifying arbitrary curves removed from OpenSSL
Previously, the safety checks of explicit curve parameters were incomplete. As a consequence, arbitrary elliptic curves with sufficiently large p values worked in RHEL. With this update, the checks now verify that the explicit curve parameters match one of the well-known supported curves. As a result, the option to specify arbitrary curves through the use of explicit curve parameters has been removed from OpenSSL. Parameter files, private keys, public keys, and certificates that specify arbitrary explicit curves no longer work in OpenSSL. Using explicit curve parameters to specify one of the well-known and supported curves, such as P-224, P-256, P-384, P-521, and secp256k1, remains supported in non-FIPS mode.
(BZ#2066412)
OpenSSL req uses AES-256-CBC for private key encryption
Previously, the OpenSSL req tool encrypted private key files by using the 3DES algorithm. Because the 3DES algorithm is insecure and disallowed in the current FIPS 140 standard for cryptographic modules, req now generates private key files encrypted using the AES-256-CBC algorithm instead. The overall PKCS#8 file format remains unchanged.
OpenSSL no longer fails to connect when FFDHE is used
Previously, TLS connections that use the finite-field-based Diffie-Hellman ephemeral (FFDHE) key exchange mechanism sometimes failed when processing FFDHE key shares from a client. This was caused by overly restrictive checks in OpenSSL. As a consequence, the OpenSSL server aborted the connection with an internal_error alert. With this update, OpenSSL accepts smaller but still compliant client key shares. As a result, connections between OpenSSL and other implementations no longer randomly abort when using FFDHE key exchanges.
OpenSSL-based applications now work correctly with the Turkish locale
Because the OpenSSL library uses case-insensitive string comparison functions, OpenSSL-based applications did not work correctly with the Turkish locale, and omitted checks caused applications using this locale to crash. This update provides a patch to use the Portable Operating System Interface (POSIX) locale for case-insensitive string comparison. As a result, OpenSSL-based applications such as curl work correctly with the Turkish locale.
Permissions for insights-client added to the SELinux policy
The new insights-client service requires permissions that were not in the previous selinux-policy versions. As a consequence, some components of insights-client did not work correctly and reported access vector cache (AVC) error messages. This update adds new permissions to the SELinux policy. As a result, insights-client runs correctly without reporting AVC errors.
(BZ#2081425, BZ#2077377, BZ#2087765, BZ#2107363)
SELinux staff_u users can no longer incorrectly switch to unconfined_r
Previously, when the secure_mode boolean was enabled, staff_u users could switch to the unconfined_r role, which was not expected behavior. As a consequence, staff_u users could perform privileged operations affecting the security of the system. With this update, the SELinux policy has been fixed, and staff_u users can no longer incorrectly switch to unconfined_r.
OpenSCAP no longer produces incorrect errors when checking available memory
Previously, when evaluating some XCCDF rules, OpenSCAP incorrectly showed the error message Failed to check available memory and produced invalid scan results. For example, this occurred for the rules accounts_user_dot_no_world_writable_programs, accounts_user_dot_group_ownership, and accounts_users_home_files_permissions. With this update, the bug in error handling is fixed and the error message appears only for real failures.
fagenrules --load now works correctly
Previously, the fapolicyd service did not correctly handle the hangup signal (SIGHUP). Consequently, fapolicyd terminated after receiving SIGHUP, and the fagenrules --load command did not work correctly. This update contains a fix for the problem. As a result, fagenrules --load now works correctly, and rule updates no longer require manual restarts of fapolicyd.
8.7. Networking
An instance now retains the primary IP address even after starting the nm-cloud-setup service in Alibaba Cloud
Previously, after launching an instance in the Alibaba Cloud, the nm-cloud-setup service configured the incorrect IP address as the primary IP address in case of multiple IPv4 addresses. Consequently, this affected the selection of the IPv4 source address for outgoing connections. With this update, after configuring secondary IP addresses manually, the NetworkManager package fetches the primary IP address from the primary-ip-address metadata and configures both primary and secondary IP addresses correctly.
The NetworkManager utility enforces correct ordering of manually added IPv6 addresses
In general, the ordering of IPv6 addresses affects the priority for source address selection, for example, when you make an outgoing TCP connection. Previously, the relative priority of IPv6 addresses added through the manual, dhcpv6, and autoconf6 methods was not correct. This update fixes the problem, and the ordering priority now reflects this logic: manual > dhcpv6 > autoconf6. Also, the order of addresses under the ipv6.addresses setting was reversed so that the address added first has the highest priority.
8.8. Kernel
Network socket tagging works again
Certain legacy cgroup v1 controllers that have no cgroup v2 equivalent, such as net_prio or net_cls, previously interfered with cgroup v2 socket tagging when they were mounted together with other cgroup v2 controllers in a mixed cgroup v1/v2 environment. As a consequence, a mixed cgroup v1/v2 environment using either the net_prio or net_cls v1 controller disabled proper network socket tagging with cgroup v2. This update eliminates this limitation, which makes it possible to use network socket tagging in a mixed cgroup v1/v2 environment.
(BZ#2060150)
The kexec-tools package now supports the default crashkernel memory reservation values
The kexec-tools package now maintains the default crashkernel memory reservation values. The kdump service uses the default value to reserve the crash kernel memory for each kernel. This implementation also improves memory allocation for kdump when a system has less than 4 GB of available memory.
If the memory reserved by the default crashkernel value is not sufficient on your system, you can use the kdumpctl estimate command to get an estimated value without triggering a crash. The estimated crashkernel= value may not be accurate, but it can serve as a reference to set an appropriate crashkernel= value.
(BZ#1959203)
Systems can successfully run dynamic LPAR operations
Previously, users could not run dynamic logical partition (DLPAR) operations from the Hardware Management Console (HMC) if either of these conditions was met:
- The Secure Boot feature was enabled, which implicitly enables the kernel lockdown mechanism in integrity mode.
- The kernel lockdown mechanism was manually enabled in integrity or confidentiality mode.
In RHEL 9, kernel lockdown completely blocked Run Time Abstraction Services (RTAS) access to system memory accessible through the /dev/mem character device file. Several RTAS calls required write access to /dev/mem to function properly. Consequently, RTAS calls did not execute correctly and users would see the following error message:
HSCL2957 Either there is currently no RMC connection between the management console and the partition <LPAR name> or the partition does not support dynamic partitioning operations. Verify the network setup on the management console and the partition and ensure that any firewall authentication between the management console and the partition has occurred. Run the management console diagrmc command to identify problems that might be causing no RMC connection.
With this update, the problem has been fixed by providing a very narrow PowerPC-specific exception to lockdown. The exception permits RTAS to access the required /dev/mem areas. As a result, the problem no longer manifests in the described scenario.
(BZ#2046472)
No kernel warnings after setting the ring buffer value from rx to max
The kernel was producing the warning message Missing unregister, handled but fix driver when an internal function expecting clean input was called with a reused, already initialized structure. With this update, the problem has been fixed by reinitializing the structure before registering it again.
(BZ#2054379)
8.9. Boot loader
grubby now passes arguments to future kernels
When installing a newer version of the kernel, the grubby tool did not pass the kernel command-line arguments from the previous kernel version. As a consequence, the GRUB boot loader ignored user settings. With this fix, the user settings now persist after installing the new kernel version.
8.10. File systems and storage
Journal entries no longer stop the journal writes
Previously, in the VDO driver, during a device-mapper suspend operation and after resuming device operation, some journal blocks could still be marked as waiting for some metadata updates to be made before they could be reused, even though those updates had already been done. When enough journal entries were made for the journal to wrap around back to the same physical block, that block was not available. Journal writes would stop, waiting for the block to become available, which never happened. Consequently, when some operations on a VDO device included a suspend or resume cycle, the device was in a frozen state after some journal updates. The journal updates before this device state were unpredictable because they depended on previous allocation patterns within VDO and on the incoming write or discard patterns. With this update, after the suspend or resume cycle saves data to storage, the internal data structure state is reset and lockups no longer happen.
Adding a data device no longer triggers assertion failure
Previously, when adding additional devices to the cache, Stratis did not use the cache immediately after initialization. As a consequence, the stratisd service returned an assertion failure message whenever a user attempted to add additional data devices to a pool. With this fix, the cache is now used immediately after initialization and no assertion failures occur.
Resolved errors when adding new data devices to the encrypted pool
Previously, whenever the user initialized an encrypted pool with encrypted data devices, using a Clevis bind command on a tang server specified with the --trust-url option, stratisd did not include the thumbprint part of the Clevis tang configuration in the internal data structures. Consequently, a failure occurred when attempting to add new data devices to the pool. With this update, the internal data structures of stratisd now include the thumbprint part of the Clevis tang configuration.
Connecting to NVMe namespaces from Broadcom initiators on AMD EPYC systems no longer requires non-default IOMMU settings
By default, the RHEL kernel enables the IOMMU on AMD-based platforms. Previously, the lpfc driver did not use the scatter-gather list accessor macros. Consequently, certain servers with AMD processors encountered NVMe I/O problems, such as I/Os failing due to transfer length mismatches.
With this update, you do not need to put IOMMU into passthrough mode with a kernel command-line option in order to connect to NVMe namespaces from Broadcom initiators.
(BZ#2073541)
8.11. High availability and clusters
pcs now validates the value of stonith-watchdog-timeout
Previously, it was possible to set the stonith-watchdog-timeout property to a value that is incompatible with the SBD configuration. This could result in a fence loop, or could cause the cluster to consider a fencing action to be successful even if the action is not finished. With this fix, pcs validates the value of stonith-watchdog-timeout when you set it, to prevent incorrect configuration.
pcs now recognizes the mode option when creating a new Booth ticket
Previously, when a user specified a mode option when adding a new Booth ticket, pcs reported the error invalid booth ticket option 'mode'. With this fix, you can now specify the mode option when creating a Booth ticket.
pcs now distinguishes between resources and stonith resources
Previously, some pcs commands did not distinguish between resources and stonith resources. This allowed users to use pcs resource sub-commands for stonith resources, and to use pcs stonith sub-commands for resources that are not stonith resources. This could lead to user confusion or resource misconfiguration. With this update, pcs displays a warning when there is a resource type mismatch.
8.12. Compilers and development tools
glibc now restores errno after loading an NSS module
Previously, the Name Service Switch (NSS) implementation in glibc set errno incorrectly during database enumeration using functions such as getpwent() if the last NSS module did not provide any data. As a result, applications using these enumeration functions incorrectly observed errors and failed. glibc now restores errno after loading an NSS module and, as a result, applications using these functions no longer fail.
The auditing interface now saves and restores the x8 register and the full width of the NEON registers for AArch64
Previously, a bug in the implementation of the dynamic loader's audit interface caused the AArch64 saved register state to be incomplete compared to the procedure call standard. This bug has been fixed and the auditing interface now saves and restores the x8 register and the full width of the NEON registers for AArch64. Applications using the dynamic loader auditing interface can now inspect and influence the x8 register for AArch64. To use this new x8 register and have access to the full width of the NEON registers on AArch64, the audit modules must be recompiled to use the new version of the interface (LAV_CURRENT is 2).
POWER9-optimized strncpy function no longer gives incorrect results
Previously, the POWER9 strncpy function did not use the correct register as the source of the NUL bytes for padding. Consequently, the output buffer contained uninitialized register content instead of the NUL padding. With this update, the strncpy function has been fixed, and the end of the output buffer is now correctly padded with NUL bytes.
Valgrind override of the glibc memmem function installed on the IBM z15 architecture
Previously, a missing valgrind override of the glibc memmem function led to false positive warnings of:
Conditional jump or move depends on uninitialised value(s)
This update includes a valgrind override of the glibc memmem function and, as a result, there are no longer false positive warnings when using the memmem function in programs running under valgrind on the IBM z15 architecture.
8.13. Identity Management
The ipa user-del --preserve user_login output no longer indicates that the user was deleted
Previously, if you ran the ipa user-del --preserve user_login command to preserve a user account, the output incorrectly returned the message Deleted user “user_login”. With this update, the output now returns Preserved user “user_login”.
PKINIT user authentication now works correctly in the RHEL 9 Kerberos client - Heimdal KDC scenario
Previously, the PKINIT authentication of an IdM user on a RHEL 9 Kerberos client against the Heimdal Key Distribution Center (KDC) failed. This failure occurred because the Kerberos client did not support the supportedCMSTypes field required in the context of the deprecation of the SHA-1 algorithm in RHEL 9.
With this update, the RHEL 9 Kerberos client sends a list of signature algorithms, including sha512WithRSAEncryption and sha256WithRSAEncryption, as supportedCMSTypes during PKINIT to the Heimdal KDC. The Heimdal KDC uses sha512WithRSAEncryption and, as a result, PKINIT authentication works correctly.
Handling unreadable objects in an LDAP group’s member list
Before this update, SSSD inconsistently handled unreadable objects in an LDAP group's member list: in some situations unreadable objects caused an error, and in others they were ignored.
With this update, SSSD has a new option, ldap_ignore_unreadable_references, to control this behavior. If the ldap_ignore_unreadable_references option is set to false, unreadable objects cause an error; if it is set to true, unreadable objects are ignored. The default is false, and because of the original inconsistent behavior, some group lookups may fail after the update. In this case, set ldap_ignore_unreadable_references = True in the corresponding [domain/name of the domain] section in the /etc/sssd/sssd.conf file.
This allows unreadable objects to be handled in a consistent manner, and the behavior can be tuned using the new ldap_ignore_unreadable_references option.
8.14. Desktop
Subscription enrolling with Activation keys has been fixed
Previously, you could not enroll your Red Hat subscription in Settings using Activation keys. Settings displayed the following error after pressing :
Failed to register system; Failed to RegisterWithActivationKeys: Unknown arguments: dict_keys(['enable_content'])
With this update, the problem has been fixed, and you can now enroll your subscription using Activation keys as expected in Settings.
8.15. Graphics infrastructures
X.org now enables the X11 SECURITY extension
Previously, the X.org display server did not provide the X11 SECURITY extension. As a consequence, applications that used this extension terminated unexpectedly.
With this update, X.org enables the X11 SECURITY extension. As a result, applications that depend on the extension now work as expected.
(BZ#1894612)
Matrox GPU with a VGA display now works as expected
Prior to this release, your display showed no graphical output if you used the following system configuration:
- A GPU in the Matrox MGA G200 family
- A display connected over the VGA controller
- UEFI switched to legacy mode
As a consequence, you could not use or install RHEL on this configuration.
With this update, the mgag200 driver has been significantly rewritten, and as a result, the graphics output now works as expected.
(BZ#2100898)
8.16. The web console
Removing USB host devices using the web console now works as expected
Previously, when you attached a USB device to a virtual machine (VM), the device number and bus number of the USB device changed after they were passed to the VM. As a consequence, using the web console to remove such devices failed due to the incorrect correlation of the device and bus numbers. With this update, the issue has been fixed and you can remove the USB host devices using the web console.
(JIRA:RHELPLAN-109067)
Attaching multiple host devices using the web console now works as expected
Previously, when you selected multiple devices to attach to a virtual machine (VM) using the web console, only a single device was attached and the rest were ignored. With this update, the issue has been fixed and you can now simultaneously attach multiple host devices using the web console.
(JIRA:RHELPLAN-115603)
8.17. Red Hat Enterprise Linux system roles
The network RHEL role manages the ansible_managed parameter in the configuration files
Previously, the Ansible role was unable to provide the correct ansible_managed header for the configuration files managed by the network role. As a consequence, system administrators were uncertain about which files were managed by Ansible. With this fix, the role-managed files have a correct ansible_managed header, and system administrators can reliably tell which files are managed by Ansible.
Fixed a typo to support active-backup for the correct bonding mode
Previously, there was a typo, active_backup, in supporting the InfiniBand port while specifying the active-backup bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing the bonding mode to active-backup. The connection now successfully supports the InfiniBand bonding port.
The IPRouteUtils.get_route_tables_mapping() function now accepts any whitespace sequence
Previously, a parser for the iproute2 routing table database, such as /etc/iproute2/rt_tables, asserted that entries in the file were of the form 254 main and that only a single space character separated the numeric ID and the name. Consequently, the parser failed to cache all the mappings between route table names and table IDs, and therefore the user could not add a static route into a route table by specifying the route table name. With this update, the parser accepts any whitespace sequence between the table ID and the table name. As a result, the parser caches all the mappings between route table names and table IDs, and users can add a static route into a route table by specifying the route table name.
The forward_port parameter now accepts both the string and dict options
Previously, in the firewall RHEL system role, the forward_port parameter only accepted the string option. However, the role documentation claimed that both the string and dict options were supported. Consequently, users reading and following the documentation were getting an error. This bug has been fixed by making forward_port accept both options. As a result, users can safely follow the documentation to configure port forwarding.
Configuration by the metrics role now follows symbolic links correctly
When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the metrics role overwrote the symbolic link instead of following it and configuring mssql.conf. Consequently, running the metrics role changed the symbolic link to a regular file, and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a broken symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The issue is now fixed, and the follow: yes option to follow the symbolic link has been added to the metrics role. As a result, the metrics role preserves the symbolic links and correctly configures the main configuration file.
The kernel_settings configobj is available on managed hosts
Previously, the kernel_settings role did not install the python3-configobj package on managed hosts. As a consequence, the role returned an error stating that the configobj Python module could not be found. With this fix, the role ensures that the python3-configobj package is present on managed hosts, and the kernel_settings role works as expected.
The mount_options parameter for volumes is now valid for a volume
Previously, the mount_options parameter was accidentally removed from the list of valid parameters for a volume. Consequently, users were unable to set the mount_options parameter for volumes. With this bug fix, the mount_options parameter has been added back to the list of valid parameters, and the code has been refactored to catch the errors. As a result, the storage RHEL system role can set the mount_options parameter for volumes.
The storage RHEL system role now correctly supports striped and raid0 levels for LVM volumes
The storage RHEL system role previously incorrectly reported the RAID levels striped and raid0 as not supported for LVM volumes. This is now fixed, and the role can now correctly create LVM volumes of all RAID levels supported by LVM: raid0, raid1, raid4, raid5, raid6, raid10, striped, and mirror.
The metrics RHEL system role README and documentation now clearly specify the Redis and Grafana versions supported by the role on specific versions of RHEL
Previously, when trying to use the metrics role with unsupported versions of Redis and Grafana on unsupported platforms, the role failed. This update clarifies the documentation about which versions of Redis and Grafana are supported by the role on which versions of RHEL. As a result, you can avoid trying to use unsupported versions of Redis and Grafana on unsupported platforms.
Minimal RSA key bit length option in the ssh and sshd RHEL system roles
Accidentally using short RSA keys might make the system more vulnerable to attacks. With this update, you can set the minimal RSA key bit length for OpenSSH clients and servers by using the RequiredRSASize option in the ssh and sshd RHEL system roles.
The nbde_client RHEL system role now uses proper spacing when specifying extra Dracut command-line parameters
The Dracut framework requires proper spacing when specifying additional parameters, such as kernel command-line parameters. If the parameters are not specified with proper spacing, Dracut might not append the specified extra parameters to the kernel command line. With this update, the nbde_client RHEL system role uses proper spacing when creating add-on Dracut configuration files. As a result, the role correctly sets Dracut command-line parameters.
The tlog RHEL system role is now correctly overlaid by SSSD
Previously, the tlog RHEL system role relied on the System Security Services Daemon (SSSD) files provider and on the enabled authselect option with-files-domain to set up correct passwd entries in the nsswitch.conf file. In RHEL 9.0, SSSD did not implicitly enable the files provider by default, and consequently the tlog-rec-session shell overlay by SSSD did not work. With this fix, the tlog role updates nsswitch.conf to ensure that tlog-rec-session is correctly overlaid by SSSD.
The metrics RHEL system role automatically restarts the pmie and pmlogger services after an update to their configuration
Previously, the pmie and pmlogger services did not restart after their configuration was changed but waited for handler execution. This caused errors with other metrics services, which required the pmie and pmlogger configuration to match their runtime behavior. With this update, the role restarts pmie and pmlogger immediately after a configuration update, so their configuration matches the runtime behavior of dependent metrics services and they work correctly.
8.18. Virtualization
Network traffic performance in virtual machines is no longer reduced when under heavy load
Previously, RHEL virtual machines had, in some cases, decreased performance when handling high levels of network traffic. The underlying code has been fixed and network traffic performance now works as expected in the described circumstances.
8.19. RHEL in cloud environments
The SR-IOV functionality of a network adapter attached to a Hyper-V VM now works reliably
Previously, when attaching a network adapter with single-root I/O virtualization (SR-IOV) enabled to a RHEL 9 virtual machine (VM) running on the Microsoft Hyper-V hypervisor, the SR-IOV functionality in some cases did not work correctly. A bug in the Hyper-V specific memory-mapped I/O (MMIO) allocation code has been fixed, and the SR-IOV functionality now works as expected on Hyper-V VMs.
(BZ#2030922)
SR-IOV no longer performs suboptimally in ARM 64 RHEL 9 virtual machines on Azure
Previously, SR-IOV networking devices had significantly lower throughput and higher latency than expected in ARM 64 RHEL 9 virtual machines (VMs) running on the Microsoft Azure platform. The problem has been fixed, and the affected VMs now perform as expected.
(BZ#2068432)
8.20. Containers
podman system connection add and podman image scp no longer fail
Podman uses SHA-1 hashes for the RSA key exchange. Previously, regular SSH connections between machines using RSA keys worked, while the podman system connection add and podman image scp commands did not work with the same RSA keys, because SHA-1 hashes were not accepted for key exchange on RHEL 9. With this update, the problem has been fixed.
(JIRA:RHELPLAN-121180)
Container images signed with a Beta GPG key can now be pulled
Previously, when you pulled RHEL Beta container images, Podman failed with the error message: Error: Source image rejected: None of the signatures were accepted. The images failed to be pulled because current builds were configured not to trust the RHEL Beta GPG keys by default. With this update, the /etc/containers/policy.json file supports a new keyPaths field, which accepts a list of files containing the trusted keys. As a result, container images signed with GA and Beta GPG keys are now accepted in the default configuration.
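Because policy.json decides which signing keys a host trusts per registry, it is worth being able to audit it rather than reading it by eye: a signedBy requirement can carry a single keyPath or the newer keyPaths list, and a registry with only insecureAcceptAnything requirements accepts unsigned images. The following is an added example, not code from the release notes or from Podman: it loads a constructed policy.json and reports, per registry, which key files are trusted and which registries require no signature at all. The key file names are the ones RHEL ships under /etc/pki/rpm-gpg (assumed to be present on the host); the registry entries, including the internal registry, are constructed for the example.

```python
import json

# Added example: audit a containers policy.json for trusted GPG key files.
# The policy text is constructed for this example; key file paths are the
# ones RHEL ships under /etc/pki/rpm-gpg (assumed present on the host).
SAMPLE_POLICY_JSON = """
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPaths": [
            "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
            "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"
          ]
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.example.internal": [{"type": "insecureAcceptAnything"}]
    }
  }
}
"""

SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)

BETA_KEY = "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"

def trusted_key_paths(policy: dict, registry: str, transport: str = "docker"):
    """Return the GPG key files that a registry's signedBy requirements trust.

    Handles both the single keyPath form and the keyPaths list. A registry
    with no specific entry falls back to the "default" requirements, so a
    default of reject yields an empty list.
    """
    requirements = policy.get("transports", {}).get(transport, {}).get(registry)
    if requirements is None:
        requirements = policy.get("default", [])
    paths = []
    for req in requirements:
        if req.get("type") != "signedBy":
            continue
        if "keyPaths" in req:
            paths.extend(req["keyPaths"])
        elif "keyPath" in req:
            paths.append(req["keyPath"])
    return paths

def registries_not_requiring_signature(policy: dict, transport: str = "docker"):
    """List registries whose requirements all accept images without a signature."""
    weak = []
    for registry, reqs in policy.get("transports", {}).get(transport, {}).items():
        if all(req.get("type") == "insecureAcceptAnything" for req in reqs):
            weak.append(registry)
    return sorted(weak)

def accepts_beta_key(policy: dict, registry: str) -> bool:
    """True if images signed with the RHEL Beta key would be accepted from registry."""
    return BETA_KEY in trusted_key_paths(policy, registry)

if __name__ == "__main__":
    for reg in ("registry.access.redhat.com", "registry.redhat.io"):
        print(reg, "trusts:", trusted_key_paths(SAMPLE_POLICY, reg))
        print(reg, "accepts Beta-signed images:", accepts_beta_key(SAMPLE_POLICY, reg))
    print("registries requiring no signature:", registries_not_requiring_signature(SAMPLE_POLICY))
```

To audit a real host, replace SAMPLE_POLICY with json.load() of /etc/containers/policy.json; the interesting findings are registries that appear in registries_not_requiring_signature and any signedBy entry whose key file does not exist on disk.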
Podman no longer fails to pull a container with "x509: certificate signed by unknown authority"
Previously, if you had your own internal registry signed by your own CA certificate, you had to import the certificate onto your host machine. Otherwise, the following error occurred:
x509: certificate signed by unknown authority
With this update, the problem has been fixed.
DNF and YUM no longer fail because of non-matching repository IDs
Previously, DNF and YUM repository IDs did not match the format that DNF or YUM expected. For example, running the following commands produced an error:
# podman run -ti ubi8-ubi
# dnf debuginfo-install dnsmasq
...
This system is not registered with an entitlement server. You can use subscription-manager to register.
With this update, the problem has been fixed. The suffix --debug-rpms was added to all debug repository names (for example, ubi-8-appstream-debug-rpms), and the suffix -rpms was added to all UBI repository names (for example, ubi-8-appstream-rpms).
For more information, see Universal Base Images (UBI): Images, repositories, packages, and source code.