Chapter 6. Bug fixes

The Kickstart installations now applies the dhcpclass option correctly

The application of the kickstart configuration is moved from NetworkManager to Anaconda by using the NetworkManager API. Previously, Anaconda handled only commands specified in the %pre section. During installation, this change had caused omission of the dhcpclass option in the kickstart network command, which led to incorrect application of network configuration. With this update, the handling of the dhcpclass option in Anaconda by using the NetworkManager API has been corrected. As a result, the dhcpclass option defined in kickstart configurations is now properly applied during the installation process.

Improved installer stability during virtual network devices configuration

Previously, the installer could crash when creating a VLAN network device over an existing virtual network device (for example, Team or Bond) in the GUI. This occurred when the underlying device’s state changed during the configuration update to the user interface for the new device state.

Stale network link configuration files no longer cause rendering your OS unbootable

Previously, the RHEL installer created stale /etc/systemd/network/ link configuration files during the installation. The outdated configuration files interfere with the intended network settings. This leads to an unbootable system if the boot is from NVMe over TCP. With this fix, users no longer need to manually remove, /etc/systemd/network/10-anaconda-ifname-nbft*.link files and regenerate the initramfs by running the dracut -f command.

Non-constant time code paths removed from OpenSSL EC signatures

Previously, OpenSSL used non-constant time code paths for Elliptic Curve Digital Signature Algorithm (ECDSA) signatures. This could have exposed the signature operations to attacks similar to the Minerva attack and potentially reveal the private key. This update removes non-constant time code paths in OpenSSL EC signatures, and as a result, this vulnerability is no longer present.

SELinux policy correctly labels npm

Previously, the npm service executable was labeled with the generic lib_t SELinux type. As a consequence, npm could not be executed. In this update, the npm executable has been explicitly labeled in the SELinux policy with the bin_t type. As a result, the npm service starts successfully and runs in the unconfined_service_t domain.

SELinux policy adds rules for sysadm_r users to define input/output log directory through sudo

Previously, the SELinux policy did not contain rules to allow confined administrators to run any command to specify the input/output log directory by using sudo when the iolog_dir option was defined in the sudo configuration. As a consequence, confined administrators in the sysadm_r role could not execute commands by using sudo with the iolog_dir option. This update adds a rule to the SELinux policy, and as a result, sysadm_r users can execute commands by using sudo with iolog_dir.

Audit rules for /proc are now correctly loaded during the boot

Before this update, the system failed to load Audit watch rules for the /proc directory during the boot phase. Consequently, the administrator had to load the rules manually later, and the rules were not applied during the boot. The bug has been fixed, and the system now loads the Audit rules related to /proc during the boot phase.

Audit in the immutable mode no longer prevents auditd from starting

Previously, if the Audit system was set to the immutable mode by adding the -e 2 rule, the augenrules command exited with a return code of 1 instead of 0 when restarting the auditd service or running the augenrules --load command. Consequently, the system interprets the return code of 1 as an error, and this prevents it from starting auditd at boot. With this update, augenrules exits with a zero return code when Audit is set to the immutable mode, and the system can correctly start auditd in this scenario.

IPsec ondemand connections no longer fail to establish

Previously, when an IPsec connection with the ondemand option was set up by using the TCP protocol, the connection failed to establish. With this update, the new Libreswan package makes sure that the initial IKE negotiation completes over TCP. As a result, Libreswan successfully establishes the connection even in TCP mode of IKE negotiation.

update-ca-trust extract no longer fails to extract certificates with long names

When extracting certificates from the trust store, the trust tool internally derives the file name from the certificates’ object label. For long enough labels, the resulting path might previously have exceeded the system’s maximum file name length. As a consequence, the trust tool failed to create a file with a name that exceeded the maximum file name length of a system. With this update, the derived name is always truncated to within 255 characters. As a result, file creation does not fail when the object label of a certificate is too long.

subscription-manager no longer retains nonessential text in the terminal

Starting with RHEL 9.1, subscription-manager displays progress information while processing any operation. Previously, for some languages, typically non-Latin, progress messages did not clean up after the operation finished. With this update, all the messages are cleaned up properly when the operation finishes.

The dnf autoremove command behavior is now consistent with the man page documentation and the command now considers the package installation reason

Previously, when you removed unnecessary packages by using the dnf autoremove command, installed packages marked as installonly were removed. However, the dnf(8) man page documentation contained information that installonly packages were excluded from the dnf autoremove operations.

The dnf-automatic systemd service no longer fails to apply security updates

Previously, when you used the dnf-automatic-install systemd service to only apply security fixes, the automatic upgrade of the samba-client-libs package failed. With this update, dnf-automatic applies security updates the same way as the DNF tool. As a result, the dnf-automatic service no longer fails to apply security updates.

dnf remove --duplicates no longer exits with non-zero exit code and error message

Previously, if you ran the dnf remove --duplicates command when no duplicate packages were present on the system, dnf exited with non-zero exit code and the No duplicated packages found for removal. error on standard error output (stderr). With this update, dnf now exits with 0 and does not write anything on stderr. Note that the same issue was also fixed for the dnf remove --oldinstallonly command when no older versions of installonly packages are installed.

dnf remove-n now removes only packages with the matching RPM names

Previously, if you had installed some package and another package that has the name of the former package in the RPM Provides directive, a first invocation of the dnf remove-n command removed the former package. A repeated invocation of the command removed the latter package.

dnf reinstall now respects a cost of the repositories when reinstalling a package

Previously, if you reinstalled a package available in multiple repositories, the package was not reinstalled from a repository with the lowest cost. With this update, the DNF tool supplies packages from all repositories to a dependency solver if the packages have the equal name-epoch-version-release-architecture identifier. As a result, the dnf reinstall command now respects the cost of the repositories.

dnf-system-upgrade now points to its documentation by using a secure HTTPS link

Previously, the dnf-system-upgrade service documentation used the insecure HTTP link to access its documentation. With this update, the URL now uses the secure HTTPS schema.

dnf history rollback now correctly executes during a repeated rollback of an RPM transaction that includes installation and upgrade of the same package

Previously, when you performed a repeated rollback on an RPM transaction that included installation and upgrade of the same package, the dnf history rollback command attempted to perform a bogus transaction. This transaction failed instead of doing nothing because the rollback to the latest transaction had nothing to roll back.

microdnf no longer fails to reinstall packages that conflict with an RPM symbol they provide

Previously, when you reinstalled a package with the microdnf package manager, the RPM transaction failed. With this update, libdnf creates an RPM transaction where the package being reinstalled provides an RPM symbol that the package also conflicts with. As a result, microdnf can now reinstall packages that conflict with an RPM symbol they provide.

Interpreting the Anaconda kickstart script no longer hangs when you install the system

Previously, when you installed the system with the Anaconda kickstart script, interpreting this script randomly hung. With this update, the libdnf memory management allows applying a query after increasing the number of available packages. As a result, system installation does not hang because the libdnf library does not throw an exception after enabling a repository.

DNF(8) now includes information about dnf makecache --timer not trying further mirrors if the first mirror fails

Previously, the information that the dnf makecache --timer command does not try further mirrors in a repository mirrorlist if the first mirror failed was not included in the DNF(8) man page. With this update, the documentation was updated to include this information.

The pkla-compact binary is executed when the polkit is called on the logind-session-monitor event

Previously, re-verification of the authorizations for polkit actions was triggered by any logind-session-monitor event for all users, for example, login, logout, session state change. Adittionally, each CheckAuthorization request executed the polkit-pkla-compat binary to check for legacy .pkla configuration files even if no such files are present on the system, which causes CPU usage to increase by the polkit daemon.

Improved dovecot stability for missing sieve scripts

Previously, dovecot did not properly track optional sieve scripts. As a result, if the hash group for the path of the missing script matched that of another script, the LDA process could crash during the email delivery.

The print-config option in nvram command does not result in segmentation fault

Previously, when the nvram command was run with the print-config option, it resulted in segmentation fault. The segmentation fault occurred because the code tried to access memory beyond the limit of the data present in the varlen index. The varlen index is the length of the string provided by the user.

The nvram --nvram-size command does not result in segmentation fault

Previously, when the nvram-size command exceeded the default size value, a segmentation fault was encountered.

ReaR now interprets square brackets enclosing IPv6 addresses in URLs as expected

Previously, square brackets in OUTPUT_URL and BACKUP_URL were not interpreted correctly. Specifying an IPv6 address instead of a host name requires enclosing the address in square brackets, for example, [::1] for localhost. Since the brackets were not interpreted correctly, using an IPv6 address in a sshfs:// or nfs:// URL was not possible.

CPU usage rises negligibly when NetworkManager processes large regularly updated routing tables

Previously, when external routing daemons updated big IPv6 tables of more than thousands of routes, NetworkManager increased its CPU usage to almost 100%. This could slow down the overall system performance and network configuration. The problem has been fixed by updating the NetworkManager source code to ignore the changes to routes for routing protocols other than a small set of protocols. As a result, the CPU usage rises negligibly in the previously described circumstances.

The value for ipv6.ip6-privacy no longer changes between connection activations

Originally, when the global default value was not set for the ipv6.ip6-privacy parameter, its value reverted to the value from the /proc/sys/net/ipv6/conf/default/use_tempaddr file. A recent change to the NetworkManager source code caused it to incorrectly fall back to the value read from the /proc/sys/net/ipv6/conf/IFNAME/use_tempaddr file instead. As a consequence, IPv6 address generation changed, and the value for ipv6.ip6-privacy could change between connection activations. The problem has been fixed by reverting back to the original behavior. As a result, the value for ipv6.ip6-privacy does not change anymore between connection activations.

The xdp-loader features command now works as expected

The xdp-loader utility was compiled against the previous version of libbpf. As a consequence, xdp-loader features failed with an error:

Mellanox ConnectX-5 adapter works in the DMFS mode

Previously, while using the Ethernet switch device driver model (switchdev) mode, the mlx5 driver failed if configured in the device managed flow steering (DMFS) mode on the ConnectX-5 adapter. Consequently, the following error message appeared:

eBPF programs in Linux Falcon Sensor caused a kernel panic on load

Previously, eBPF programs used by the Linux Falcon Sensor in user-mode caused kernel panics. As a consequence, some of the kernels of RHEL v9.4 were affected when loading such programs.

RHEL previously failed to recognize NVMe disks when VMD was enabled

When you reset or reattached a driver, the Volume Management Device (VMD) domain previously did not soft-reset. Consequently, the hardware could not properly detect and enumerate its devices. With this update, the operating system with VMD enabled now correctly recognizes NVMe disks, especially when resetting a server or working with a VM machine.

multipathd now displays a message instead of being unresponsive

Previously, on executing the multipathd show maps topology command or any other command without any multipath devices, the command used to hang and timeout without any other response. With this update, the multipathd command now displays ok where there is no output to return without hanging and timing out.

multipath now correctly associates the paths with native multipathd NVMe devices

Previously, the multipath command displayed native multipathd NVMe devices with namespace 1, as the first defined namespace in their path, instead of displaying the correct path. With this fix, multipath now correctly matches the paths to the native multipathd NVMe devices while listing them. As a result, while using multipath to view native multipathd NVMe devices, you can see the correct paths, where the namespace ID of the path matches the namespace ID of NVMe devices.

Modification in flush_on_last_del parameter of multipathd resolves service hanging issue

Previously, multipathd could hang while trying to automatically remove an unused multipath device whose last path was deleted. In this case, the multipath device was set to queue IO when there were no usable paths

System boots correctly when adding a NVMe-FC device as a mount point in /etc/fstab

Previously, due to a known issue in the nvme-cli nvmf-autoconnect systemd services, systems failed to boot while adding the Non-volatile Memory Express over Fibre Channel (NVMe-FC) devices as a mount point in the /etc/fstab file. Consequently, the system entered into an emergency mode. With this update, a system boots without any issue when mounting an NVMe-FC device.

LUNs are now visible during the operating system installation

Previously, the system was not using the authentication information from firmware sources, specifically in cases involving iSCSI hardware offload with CHAP (Challenge-Handshake Authentication Protocol) authentication stored in the iSCSI iBFT (Boot Firmware Table). As a consequence, the iSCSI login failed during installation.

pcs output no longer wrapped when piped to the grep utility

Previously, when the pcs output was piped to another process, the output width always defaulted to 80 characters. This made it difficult to use the grep utility to look for specific lines in the output. With this change, pcs does not wrap its output when piped to grep.

pcsd processes now consistently stop correctly and promptly

Previously, the creation method for pcsd processes sometimes caused a deadlock during process termination. The processes were then terminated only after a systemd timeout. This fix changes the process creation method and there is no longer a deadlock when the processes are stopped. As a result, pcsd consistently stops correctly within a short time.

pcs validation of SBD options

Previously, when you enabled SBD with the pcs stonith sbd enable command and specified values for SBD options that are not valid, it resulted in SBD misconfiguration. The pcs command-line interface has been updated to validate the values for SBD options. When the values are not valid, pcs reports the error and does not create or update an SBD configuration.

Ability to remove Booth configuration from a Booth arbitrator node

Previously, running the pcs booth destroy command to remove Booth configuration from a Booth arbitrator node yielded an error. This happened because the command did not remove Booth configuration from nodes that are not part of the cluster. It is now possible to remove Booth configuration from Booth arbitrators.

pcs no longer validates fencing topology with fencing levels greater than 9

The Pacemaker cluster resource manager ignores fencing topology levels greater than 9. Configuring levels greater than 9 may lead to failed fencing. With this update, you can configure fencing levels with values of only 1 to 9 in the pcs command-line interface and fencing topology works correctly.

The CIB manager no longer increases in size indefinitely with each request from an asynchronous client

Previously, when the CIB manager received a request from an asynchronous client, it leaked a small amount of memory. This caused the CIB manager process gradually to grow in size. With this fix, the relevant memory is freed for asynchronous clients and the CIB manager process does not grow in size indefinitely.

The crm_node -i command now correctly parses a node ID

Previously, the crm_node -i and the equivalent crm_node --cluster-id commands would sometimes show a "Node is not known to cluster" message instead of the local node’s cluster ID as expected. With this fix, node IDs are properly parsed and the command works as intended.

GCC Toolset 13: GCC now compiles code correctly on IBM POWER9, Little Endian with vectorization enabled

Previously, when compiling code on IBM POWER9, Little Endian with vectorization enabled, the GCC compiler generated incorrect code. The Register Transfer Language (RTL) pattern in the expander has been fixed, and the code now compiles correctly.

glibc dynamic linker prevents reentrant malloc calls made by applications using TLS access from custom malloc implementations

Some applications provide a custom malloc dynamic memory allocation implementation that uses global-dynamic thread-local storage (TLS) instead of initial-exec TLS. Prior to this update, applications with bundled malloc calls that use global-dynamic TLS could experience reentrant calls into the application’s malloc subsystem. As a consequence, the application malloc call crashed due to stack exhaustion or unexpected state of internal data structures. With this update, the glibc dynamic linker detects TLS access from custom malloc implementations. If a TLS access during a malloc call is detected, further calls during TLS processing are skipped, and reentrant malloc calls are prevented.

TLS data is no longer overwritten by calls to dlopen() from an ELF constructor

Previously, the glibc dynamic linker did not track the initialization status of thread-local storage (TLS) correctly in certain cases where the dlopen() function was invoked from an ELF constructor. Consequently, TLS data was reverted to its original value after it had been modified by the application. With this update, the dynamic linker uses a separate flag to track TLS initialization for each shared object. As a result, TLS data is no longer unexpectedly overwritten by calls to the dlopen() function from an ELF constructor.

Perftools no longer fail to process LTO debug information

Previously, the Binary File Descriptor (BFD) library from the binutils collection, which is used by performance tools to read debug information from binary files, was unable to handle debug information generated by the GCC compiler with the Link Time Optimization (LTO) enabled. As a consequence, perftools displayed error messages and failed to execute correctly when examining files that contained LTO debug information. The BFD library has been updated to handle debug information generated during compilation with LTO enabled, and the affected perftools successfully process such debug information.

The ipa-replica-manage command no longer resets the nsslapd-ignore-time-skew setting during forced replication

Previously, the ipa-replica-manage force-sync command reset the nsslapd-ignore-time-skew setting to off, regardless of the configured value. With this update, the nsslapd-ignore-time-skew setting is no longer overwritten during forced replication.

The ipa idrange-add command now warns that Directory Server must be restarted on all IdM servers

Previously, the ipa idrange-add command did not warn the administrator that they must restart the Directory Server (DS) service on all IdM servers after creating a new range. As a consequence, the administrator sometimes created a new user or group with a UID or GID belonging to the new range without restarting the DS service. The addition resulted in the new user or group not having an SID assigned. With this update, a warning that DS needs to be restarted on all IdM servers is added to the command output.

certmonger now correctly renews KDC certificates on hidden replicas

Previously, when the certificate was about to expire, certmonger failed to renew the KDC certificate on hidden replicas. This happened because the renewal process only considered non-hidden replicas as active KDCs. With this update, the hidden replicas are treated as active KDCs, and certmonger renews the KDC certificate successfully on these servers.

AD administrators can now deploy IdM replicas

Previously, during the installation of a RHEL Identity Management (IdM) replica, checking if the provided Kerberos principal had the required privilege did not extend to checking user ID overrides. Consequently, a replica connection check failed while trying to deploy a replica using the credentials of an AD administrator that had an ID override with the needed privilege.

Integration between shadow-utils and sss_cache for local user caching is disabled

In RHEL 9, the SSSD implicit files provider domain, which retrieves user information from local files such as /etc/shadow and group information from /etc/groups, was disabled by default. However, the integration in shadow-utils was not fully disabled, which resulted in calls to sss_cache when adding or deleting local users. The unnecessary cache updates caused performance issues for some users. With this update, the shadow-utils integration with sss_cache is fully disabled, and the performance issues caused by unnecessary cache updates no longer occur.

Directory Server no longer ignores nsslapd-idletimeout

Previously, if a connection was open by a non Directory Manager user, Directory Server could ignore the nsslapd-idletimeout value and did not close the connection after the specified amount of time. With this update, Directory Server closes connection as expected after reaching the configured idle time.

Search operations now return large groups faster

Previously, if searches of large static groups used a filter that contained equality matching components with the uniquemember attribute, for example, '(uniquemember=uid=foo,ou=people,<suffix>)', such searches were slow and CPU-intensive. With this update, during search filter evaluation, Directory Server uses an internal structure where the member distinguished names (DNs) are sorted, which makes searches of large groups faster and less CPU-intensive.

One-level scoped search no longer fails to return sub-suffixes

Previously, when you ran the ldapsearch command with the -s option set to one, the search result did not contain sub-suffixes of the entry specified in the -b option. With this update, the one-level scoped search successfully returns immediate children of the entry.

The Referential Integrity plug-in no longer leads to the server failure

Previously, when you used the Referential Integrity plug-in with the deferred check, the thread that processed the check could access the released data structure at shutdown leading to server failure. With this update, the plug-in no longer releases the data structure until the deferred checking thread stops and no failure occurs.

The dscreate ds-root command now accepts a relative path

Previously, when you tried to create an instance as a non-root user and provided a bin_dir argument value that contained a relative path, the relative path was written to the defaults.inf file causing the instance creation failure. With this update, when you provide a relative path as the bin_dir argument value, the instance is now created successfully.

Offline import of LDIF files now runs correctly

Previously, before an offline import the cache autotuning operation was not triggered. As a result, the import operation was slow when performed by the ldif2db script. With this update, Directory Server triggers the cache autotuning before the ldif2db operation increasing the import performance.

The dsconf schema matchingrules list command now displays the new inchainMatch matching rule

Previously, the dsconf utility did not display the supported inchainMatch matching rule in the list of matching rules because inchainMatch was registered without matching syntax. With this update, the syntax for the inchainMatch is defined, and when you run the dsconf schema matchingrules list command, the inchainMatch is displayed in the list.

The IdM client installer no longer specifies the TLS CA configuration in the ldap.conf file

Previously, the IdM client installer specified the TLS CA configuration in the ldap.conf file. With this update, OpenLDAP uses the default truststore and the IdM client installer does not set up the TLS CA configuration in the ldap.conf file.

cockpit-machines now correctly removes USB host devices

The cockpit-machines add-on did not correctly handle removals of USB host devices from running virtual machines. Consequently, when you clicked Remove in the RHEL web console, instead of successful removal, you saw the following error message:

Implementation of multiple sets of key-value pairs of node attributes is now consistent with other cluster configuration components

The ha_cluster RHEL system role supports only one set of key-value pairs for each configuration item. Previously, when you configured multiple sets of node attributes, the sets were merged into a single set. With this update, the role uses only the first set you define and ignores the other sets. This behavior is now consistent with how the role implements multiple sets of key-value pairs for other configuration components that use a key-value pair structure.

No property conflicts between the NetworkManager service and the NetworkManager plugin

Previously, the network RHEL system role did not request user consent to restart the NetworkManager service when updates were available to networking packages, particularly, due to wireless interface changes. Consequently, this led to potential conflicts between the NetworkManager service and the NetworkManager plugin. Alternatively, the NetworkManager plugin was failing to run correctly. The problem has been fixed by making the network RHEL system role ask user for their consent to restart the NetworkManager service. As a result, there are no property conflicts between the NetworkManager service and the NetworkManager plugin in the described scenario.

GRUB2 on RHEL 9 and RHEL 10 Beta UEFI managed nodes correctly prompts for a password

Previously, the bootloader RHEL system role incorrectly placed the password information in the /boot/efi/EFI/redhat/user.cfg file on managed nodes that ran RHEL 9 and RHEL 10 Beta with UEFI Secure Boot feature. The correct location was the /boot/grub2/user.cfg file. Consequently, when you rebooted the managed node to modify any boot loader entry, GRUB2 did not prompt you for a password. This update fixes the problem by setting the path for user.cfg to /boot/grub2/ in the source code. When you reboot the OS on a UEFI Secure Boot managed node to modify any boot loader entry, GRUB2 prompts you to input your password.

You cannot set the name parameter for the imuxsock input type

Previously, the logging RHEL system role incorrectly set a name parameter for the imuxsock input type. As a consequence, this input type did not support the name parameter and the rsyslog utility on the managed node printed this error …​parameter 'name' not known — typo in config file?…​. This update fixes the logging RHEL system role to ensure that the name parameter is not associated with the imuxsock input type.

Running the storage RHEL system role on a system with a pre-existing Stratis pool works as expected

Previously, the storage RHEL system role could not process the existing devices and device formats. This caused the role to fail on systems with a pre-existing Stratis pool, when checking if Stratis format conformed to the configuration specified by the playbook. Consequently, the playbook failed with an error, however the Stratis pool itself was not damaged or changed. This update makes the storage RHEL system role work correctly with Stratis devices and other formats without labelling support. As a result, running a playbook on a system with a pre-existing Stratis pool no longer fails.

Removing Quadlet-defined networks using podman works irrespective of a custom NetworkName directive

When removing networks, the podman RHEL system role was using the "systemd- + name of the Quadlet file" syntax for the network name. Consequently, if the Quadlet file had a different NetworkName directive in it, the removal would fail. With this update, the podman source code has been updated to use "the Quadlet file name + the NetworkName directive from that file" as a name of the network to remove. As a result, removal of networks defined by Quadlet files using the podman RHEL system role works both with and without a custom NetworkName directive in the Quadlet file.

The storage RHEL system role is idempotent again

The storage RHEL system role in some cases incorrectly calculated sizes of existing devices. Consequently, running the same playbook again without changes caused the role to attempt resizing the device that already had the correct size, instead of passing without errors. With this update, the size calculation was fixed. As a result, the role now correctly identifies that the device already has the size specified by the playbook and does not try to resize it.

The network units in the Quadlet unit files are now properly cleaned up

The podman RHEL system role was not correctly managing the network units defined under the [Network] section in the Quadlet unit files. Consequently, the network units were not stopped and disabled and subsequent runs would fail due to those units not being cleaned up properly. With this update, podman manages the [Network] units, including stopping and removing. As a result, the [Network] units in the Quadlet unit files are properly cleaned up.

The podman RHEL system role creates new secrets if necessary

The podman RHEL system role incorrectly did not check whether a secret with the same name already existed if you used the skip_existing: true option of the podman_secrets role variable. Consequently, the role did not create any new secret if using that option. This update fixes the podman RHEL system role to check for existing secrets if you use skip_existing: true. As a result, the role properly creates new secrets if they do not exist. Conversely, it does not create a secret of the same name if you use skip_existing: true.

The linger feature can be canceled for the correct users

When processing the instruction list of configuration items from kube files or Quadlet files, the podman RHEL system role was incorrectly using the user ID associated with the entire list. It did not use the user ID associated with the list item to compile the linger file name. Consequently, the linger file was not created and therefore the podman RHEL system role could not cancel the linger feature for the actual user if necessary. With this update, podman uses the correct username to construct the linger file name. As a result, the linger feature can be canceled for the correct users.

The podman RHEL system role can set the ownership of the host directory again

Previously, the podman RHEL system role was using the become keyword with the user when setting the ownership of the host directory. As a consequence, the role could not properly set the ownership. With this update, the podman RHEL system role does not use become with the ordinary user. Instead, it uses the root user. As a result, podman can set the ownership of the host directory.

The podman RHEL system role now correctly searches for subgid values

Subordinate group IDs (subgid) is a range of group ID values assigned to non-root users. By using these values, you can run processes with different group IDs inside a container compared to the host system. Previously, the podman RHEL system role was incorrectly searching in the subgid values using the group name instead of using the user name. Consequently, the difference between the user name and the group name made podman fail to look up the subgid values. This update fixes podman to correctly search for subgid values and the problem no longer appears in this scenario.

The sshd RHEL system role can configure the second sshd service correctly

Running the sshd RHEL system role to configure the second sshd service on your managed nodes caused an error if you did not specify the sshd_config_file role variable. Consequently, your playbook would fail and the sshd service would not be configured correctly. To fix the problem, deriving of the main configuration file has been improved. Also, the documentation resources in the /usr/share/doc/rhel-system-roles/sshd/ directory have been made clearer to avoid this problem. As a result, configuring the second sshd service as described in the above scenario works as expected.

The bootloader RHEL system role generates the missing /etc/default/grub configuration file if necessary

Previously, the bootloader RHEL system role expected the /etc/default/grub configuration file to be present. In some cases, for example on OSTtree systems, /etc/default/grub can be missing. As a consequence, the role failed unexpectedly. With this update, the role generates the missing file with default parameters if necessary.

The cockpit RHEL system role installs all cockpit-related packages that match a wildcard pattern

Previously, the dnf module used through the cockpit RHEL system role did not install all cockpit-related packages. As a consequence, some requested packages were not installed. With this update, the source code of the cockpit RHEL system role was changed to use the dnf module directly with an asterisk wildcard package name and a list of packages to exclude. As a result, the role correctly installs all requested packages that match the wildcard pattern.

The rhc system role no longer fails on the registered systems when rhc_auth contains activation keys

Previously, a failure occurred when you executed playbook files on the registered systems with the activation key specified in the rhc_auth parameter. This issue has been resolved. It is now possible to execute playbook files on the already registered systems, even when activation keys are provided in the rhc_auth parameter.

Virtual machines with a large amount of vCPUs and virtual disks no longer fail

Previously, assigning a large amount of vCPUs and virtual disks to a RHEL virtual machine (VM) might have caused the VM to fail to boot. With this update, the problem has been fixed and virtual machines work normally in these cases.

Using NBD to migrate a VM storage over a TLS connection works correctly

Previously, when migrating a virtual machine (VM) and its storage device by using the Network Block Device (NBD) protocol over a TLS connection, a data race in the TLS handshake might have made the migration appear to be successful. However, it could have caused the QEMU process on the destination VM to become unresponsive to further interactions.

The installer shows the expected system disk to install RHEL on VM

Previously, when installing RHEL on a VM using virtio-scsi devices, it was possible that these devices did not appear in the installer because of a device-mapper-multipath bug. Consequently, during installation, if some devices had a serial set and some did not, the multipath command was claiming all the devices that had a serial. Due to this, the installer was unable to find the expected system disk to install RHEL in the VM.

Windows guests boot more reliably after a v2v conversion on hosts with AMD EPYC CPUs

After using the virt-v2v utility to convert a virtual machine (VM) that uses Windows 11 or a Windows Server 2022 as the guest OS, the VM previously failed to boot. This occurred on hosts that use AMD EPYC series CPUs. Now, the underlying code has been fixed and VMs boot as expected in the described circumstances.

nodedev-dumpxml lists attributes correctly for certain mediated devices

Before this update, the nodedev-dumpxml utility did not list attributes correctly for mediated devices that were created using the nodedev-create command. This has been fixed, and nodedev-dumpxml now displays the attributes of the affected mediated devices properly.

virtiofs devices can now be attached after restarting virtqemud or libvirtd

Previously, restarting the virtqemud or libvirtd services prevented virtiofs storage devices from being attached to virtual machines (VMs) on your host. This bug has been fixed, and you can now attach virtiofs devices in the described scenario as expected.

blob resources now work correctly for virtio-gpu on IBM Z

Previously, the virtio-gpu device was incompatible with blob memory resources on IBM Z systems. As a consequence, if you configured a virtual machine (VM) with virtio-gpu on an IBM Z host to use blob resources, the VM did not have any graphical output.

Resuming a postcopy VM migration now works correctly.

Previously, when performing a postcopy migration of a virtual machine (VM), if a proxy network failure occured during the RECOVER phase of the migration, the VM became unresponsive and the migration could not be resumed. Instead, the recovery command displayed the following error:

Reinstalling virtio-win drivers no longer causes DNS configuration to reset on the guest

In virtual machines (VMs) that use a Windows guest operating system, reinstalling or upgrading virtio-win drivers for the network interface card (NIC) previously caused DNS settings in the guest to reset. As a consequence, your Windows guest in some cases lost network connectivity.

VNC viewer correctly initializes a VM display after live migration of ramfb

This update enhances the ramfb framebuffer device, which you can configure as a primary display for a virtual machine (VM). Previously, ramfb was unable to migrate, which resulted in VMs that use ramfb showing a blank screen after live migration. Now, ramfb is compatible with live migration. As a result, you see the VM desktop display when the migration completes.

The sos clean on an existing archive no longer fails

Previously, an existing archive could not be cleaned by running sos clean due to a regression in the sos code that incorrectly detected the root directory of a tarball and prevented it from cleaning data. As a consequence, sos clean running on an existing sosreport tarball does not clean anything within the tarball. This update adds an implementation of a proper detection of the root directory in the reordered tarball content. As a result, sos clean performs sensitive data obfuscation on an existing sosreport tarball correctly.

The sos stops collecting user’s .ssh configuration

Previously, the sos utility collected the .ssh configuration by default from a user. As a consequence, this action caused a broken system for users that are mounted by using automount utility. With this update, the sos utility no longer collects the .ssh configuration.

Netavark no longer fails resolving DNS TCP queries

Previously, when you ran a container in a Podman network, some domain names would not resolve even though they worked on the host system or in a container not using the Podman network. With this update, Netavark supports TCP DNS queries and the problem is fixed.