6.8 Release Notes
Red Hat Enterprise Linux 6.8
Release Notes for Red Hat Enterprise Linux 6.8
Edition 8
Abstract
The Release Notes provide high-level coverage of the improvements and additions that have been implemented in Red Hat Enterprise Linux 6.8 and document known problems in this release. For information about notable bug fixes, Technology Previews, deprecated functionality, and other details, refer to the Technical Notes.
Preface
Red Hat Enterprise Linux minor releases are an aggregation of individual enhancement, security, and bug fix errata. The Red Hat Enterprise Linux 6.8 Release Notes document describes the major changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications for this minor release, as well as known problems. The Technical Notes document provides a list of notable bug fixes, all currently available Technology Previews, deprecated functionality, and other information.
Capabilities and limits of Red Hat Enterprise Linux 6 as compared to other versions of the system are available in the Red Hat Knowledgebase article available at https://access.redhat.com/articles/rhel-limits.
For information regarding the Red Hat Enterprise Linux life cycle, refer to https://access.redhat.com/support/policy/updates/errata/.
Chapter 1. Overview
Red Hat Enterprise Linux 6.8 is the last feature update in this major release, allowing enterprise customers access to upstream innovation on the secure, stable, and reliable Red Hat Enterprise Linux 6 platform. This section highlights the most notable enhancements.
Security
- libreswan, an implementation of one of the most widely supported and standardized VPN protocols, replaces openswan as the Red Hat Enterprise Linux 6 VPN endpoint solution, giving Red Hat Enterprise Linux 6 customers access to recent advances in VPN security.
For more information about new security features, refer to Chapter 13, Security.
Authentication and Interoperability
- Enhancements to Red Hat Identity Management include increased client-side performance as well as simplified client management through the addition of new capabilities to the System Security Services Daemon (SSSD). For example, cached authentication lookup on the client reduces the unnecessary exchange of user credentials with Active Directory servers. Also, support for adcli simplifies the management of Red Hat Enterprise Linux 6 systems interoperating with an Active Directory domain. In addition, SSSD now supports user authentication using smart cards, for both system login and related functions, such as sudo.
For details about new Identity Management and SSSD enhancements, as well as other features related to authentication and interoperability, refer to Chapter 3, Authentication and Interoperability.
System and Subscription Management
- Relax-and-Recover (ReAR) is a new system archiving utility that enables administrators to create local backups in ISO format that can be centrally archived and replicated remotely for simplified disaster recovery operations.
- An enhanced yum utility simplifies the process of locating required packages to add and enable new platform features.
For details about subscription-management related features, see Chapter 16, System and Subscription Management.
Storage
- Red Hat Enterprise Linux 6.8 provides increased visibility into storage usage and performance through dmstats, a program that displays and manages I/O statistics for user-defined regions of devices using the device-mapper driver.
For other storage features, see Chapter 15, Storage.
File Systems
- The Scalable File System Add-on for Red Hat Enterprise Linux 6 now supports XFS file-system sizes up to 300 TB.
For detailed changes in file systems, refer to Chapter 8, File Systems.
Deploy Anywhere
- An updated Red Hat Enterprise Linux 6.8 platform image enables customers to migrate their traditional workloads into container-based applications. The image is available in the Red Hat Container Registry and is suitable for deployment on Red Hat Enterprise Linux 7 or Red Hat Enterprise Linux Atomic Host.
Red Hat Insights
Since Red Hat Enterprise Linux 6.7, the Red Hat Insights service is available. Red Hat Insights is a proactive service designed to enable you to identify, examine, and resolve known technical issues before they affect your deployment. Insights leverages the combined knowledge of Red Hat Support Engineers, documented solutions, and resolved issues to deliver relevant, actionable information to system administrators.
The service is hosted and delivered through the customer portal at https://access.redhat.com/insights/ or through Red Hat Satellite. To register your systems, follow the Getting Started Guide for Insights. For further information, data security and limits, refer to https://access.redhat.com/insights/splash/.
Red Hat Customer Portal Labs
Red Hat Customer Portal Labs is a set of tools in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify security problems, and quickly deploy and configure complex applications. Some of the most popular applications are, for example:
Part I. New Features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 6.8.
Chapter 2. General Updates
Cross channel package dependency improvements
The yum utility has been enhanced to prompt the end user to search disabled package repositories on the system when a package dependency error occurs. This change will allow users to quickly resolve dependency errors by first checking all known channels for the missing package dependency.
To enable this functionality, execute yum update yum subscription-manager prior to upgrading your machine to Red Hat Enterprise Linux 6.8.
See the System and Subscription Management chapter for further details on the implementation of this feature. (BZ#1197245)
Packages moved to the Optional Channel
The following packages have been moved to the Optional channel:
- gnome-devel-docs
- libstdc++-docs
- xorg-x11-docs
Note that if any of these packages have previously been installed, using the yum update command for updating these packages can lead to problems causing the update to fail. Enable the Optional channel before updating the mentioned installed packages or uninstall them before updating your system.
For detailed instructions on how to subscribe your system to the Optional channel, see the relevant Knowledgebase articles on Red Hat Customer Portal: https://access.redhat.com/solutions/392003 for Red Hat Subscription Management or https://access.redhat.com/solutions/70019 if your system is registered with RHN Classic. (BZ#1300789)
Chapter 3. Authentication and Interoperability
SSSD smart card support
SSSD now supports smart cards for local authentication. With this feature, the user can use a smart card to log on to the system using a text-based or graphical console, as well as local services such as the sudo service. The user places the smart card into the reader and provides the user name and the smart card PIN at the login prompt. If the certificate on the smart card is verified, the user is successfully authenticated.
Note that SSSD currently does not enable the user to acquire a Kerberos ticket using a smart card. To obtain a Kerberos ticket, the user is still required to authenticate using the kinit utility.
To enable smart card support in Red Hat Enterprise Linux 6, you must allow SSSD to prompt for password, one-time password (OTP), or the smart card PIN by modifying the auth lines of the /etc/pam.d/password-auth and /etc/pam.d/system-auth PAM configuration files. For detailed information, see the Identity Management Guide: http://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#idm-smart-cards (BZ#1270027)
Cache authentication in SSSD
Authentication against cache without a reconnection attempt is now available in SSSD even in online mode. Authenticating directly against the network server repeatedly can cause excessive application latency, which can make the login process overly time-consuming. (BZ#1237142)
The ou=sudoers,$DC part of the IdM server compatibility plug-in tree can now be disabled for better performance
The Identity Management (IdM) client is now able to look up sudo rules in the cn=sudorules,cn=sudo,$DC part of the IdM server's LDAP tree instead of the ou=sudoers,$DC compatibility tree generated by the slapi-nis Directory Server plug-in.
In environments where the compatibility tree is not required for other operations, such as for legacy client support, users can now disable the ou=sudoers,$DC part of the tree. This allows better performance because generating the compatibility tree using slapi-nis is resource-intensive, especially in environments with a large number of authentication operations. (BZ#1244957)
SSSD enables UID and GID mapping on individual clients
It is now possible to map users to a different UID and GID on specific Red Hat Enterprise Linux clients through client-side configuration by using the sss_override utility provided by SSSD. This client-side override possibility can resolve problems caused by UID and GID duplication or ease transition from a legacy system that previously used different ID mapping.
Note that the overrides are stored in the SSSD cache; removing the cache therefore also removes the overrides. See the sss_override(8) man page for more details about this feature. (BZ#1269422)
Caching for initgroups operations
The SSSD fast memory cache now supports the initgroups operations, which enhances the speed of initgroups processing and improves the performance of some applications, such as GlusterFS and slapi-nis. (BZ#1269421)
New packages: adcli
This update adds the adcli packages to Red Hat Enterprise Linux 6. The adcli utility allows users to manage host, user, and group objects in Active Directory (AD) from a Red Hat Enterprise Linux 6 client. The main use of the utility is joining a host to an AD domain and renewing the credentials of the host.
The adcli utility is site-aware and does not require additional configuration to join an AD domain. On clients that run the SSSD service, adcli can renew the host credentials on a regular basis. (BZ#1279725)
SSSD is now able to automatically renew the host credentials of Linux clients joined to AD
Certain Windows utilities can remove hosts from Active Directory (AD) after their password has not been updated for a long time. This is because these utilities consider such clients inactive.
With this feature, the host password of Linux clients joined to AD is regularly updated, which indicates the client is still actively used. As a result, Red Hat Enterprise Linux clients joined to AD are not removed in the described situation. (BZ#1290761)
SSSD can now automatically adjust ID ranges for AD clients in environments with large RIDs
The automatic ID mapping mechanism included in the SSSD service is now able to merge ID range domains. Previously, if the relative ID (RID) of the Active Directory (AD) domain was larger than 200,000, which is the default size of the ID range assigned by SSSD, the administrator was required to manually adjust the ID range assigned by SSSD to correspond with the RID.
With this enhancement, for AD clients with ID mapping enabled, SSSD automatically adjusts the ID ranges in the described situation. As a result, the administrator is no longer required to adjust the ID range manually, and the default SSSD ID mapping mechanism works even in large AD environments. (BZ#1268902)
SSSD now supports GPOs from different domain controllers
The System Security Services Daemon (SSSD) service has been updated to support group policy objects (GPOs) from different domain controllers. (BZ#1221365)
Support for SSLv2 has been disabled
SSLv2 is insecure and should not be used in current deployments, and thus has been disabled without a way to override. All modern browsers and frameworks cannot negotiate SSLv2 connections in default configuration and many cannot be configured to perform SSLv2 negotiation. A recent OpenSSL vulnerability (CVE-2015-3197) shows that keeping this code is a liability. In addition, upstream has already removed support for SSLv2 (MZBZ#1228555). (BZ#1304812)
OpenLDAP now supports TLSv1.2
The TLS layer of OpenLDAP has been enhanced to support the cipher string value TLSv1.2 along with new ciphers from the TLSv1.2 suite. Additionally, the new cipher strings AESGCM, SHA256, and SHA384 have been added. With this update, the cipher string DEFAULT selects a subset of the Network Security Services (NSS) defaults in order to be up to date with current security development. Note that the cipher string DEFAULT currently excludes AESGCM ciphers, in order not to break the Security Strength Factor (SSF) functionality. (BZ#1300701)
nss now supports ECDSA certificates
By default, the NSS library did not enable TLS cipher suites that use Elliptic Curve Cryptography (ECC). Applications that did not change the NSS default configuration were unable to connect to servers that mandated support for ECC key exchange, such as ECDHE. In particular, connecting to servers that use certificates with ECDSA keys failed.
This update changes the default configuration to enable TLS cipher suites that allow using ECC by default. As a result, applications using NSS defaults for communication over TLS can now connect to servers that use certificates with ECDSA keys. (BZ#1059682)
New SSSD default values for group names
The System Security Services Daemon (SSSD) now uses new default group names that are compatible with Windows and third-party solutions. This affects installations that have the id_provider configuration option set to ad in the /etc/sssd/sssd.conf file.
If the environment requires a different value for the group name attribute than the new default value of sAMAccountName, a manual configuration change is required. For example, this might be required in situations when providing groups with the same name as users. To revert to the old behaviour, set cn as the attribute value:
1. Set ldap_group_name = cn in the /etc/sssd/sssd.conf file.
2. Run the following commands to clear the SSSD cache:
# service sssd stop
# find /var/lib/sss/ ! -type d | xargs rm -f
# service sssd start
(BZ#1342458)
Chapter 4. Clustering
New Pacemaker features
The Red Hat Enterprise Linux 6.8 release supports the following Pacemaker features:
- You can now use the pcs resource relocate run command to move a resource to its preferred node, as determined by current cluster status, constraints, location of resources and other settings.
- When configuring fencing for redundant power supplies, you now are only required to define each device once and to specify that both devices are required to fence the node.
- The new resource-discovery location constraint option allows you to indicate whether Pacemaker should perform resource discovery on a node for a specified resource.
- Resources will now start as soon as their state has been confirmed on all nodes and all dependencies have been satisfied, rather than waiting for the state of all resources to be confirmed. This allows for faster startup of some services, and more even startup load.
- Clone resources support a new clone-min metadata option, specifying that a certain number of instances must be running before any dependent resources can run. This is particularly useful for services behind a virtual IP and haproxy, as is often done with OpenStack.
These features are documented in Configuring the Red Hat High Availability Add-On with Pacemaker, available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Configuring_the_Red_Hat_High_Availability_Add-On_with_Pacemaker/index.html. (BZ#1290458)
Graceful migration of resources when the pacemaker_remote service is stopped on an active Pacemaker Remote node
If the pacemaker_remote service is stopped on an active Pacemaker Remote node, the cluster will gracefully migrate resources off the node before stopping the node. Previously, Pacemaker Remote nodes were fenced when the service was stopped (including by commands such as yum update), unless the node was first explicitly taken out of the cluster. Software upgrades and other routine maintenance procedures are now much easier to perform on Pacemaker Remote nodes.
Note: All nodes in the cluster must be upgraded to a version supporting this feature before it can be used on any node. (BZ#1297564)
Support for SBD fencing with Pacemaker
The SBD (Storage-Based Death) daemon integrates with Pacemaker, a watchdog device, and, optionally, shared storage to arrange for nodes to reliably self-terminate when fencing is required. SBD can be particularly useful in environments where traditional fencing mechanisms are not possible. For information on using SBD with Pacemaker, see https://access.redhat.com/articles/2212861. (BZ#1313246)
The glocktop tool has been added to gfs2-utils
The gfs2-utils package now includes the glocktop tool, which can be used to troubleshoot locking-related performance problems that concern the Global File System 2 (GFS2). (BZ#1202817)
pcs now supports exporting a cluster configuration to a list of pcs commands
With this update, the pcs config export command can be used to export a cluster configuration to a list of pcs commands. Also, the pcs config import-cman command, which converts a CMAN cluster configuration to a Pacemaker cluster configuration, can now output a list of pcs commands that can be used to create the Pacemaker cluster configuration file. As a result, the user can determine what commands can be used to set up a cluster based on its configuration files. (BZ#1264795)
Fence agent for APC now supports firmware 6.x
The fence agent for APC now supports firmware 6.x. (BZ#1259254)
Chapter 5. Compiler and Tools
dmidecode now supports SMBIOS 3.0.0
This update adds SMBIOS 3.0.0 support to the dmidecode utility. Now, dmidecode can work with 64-bit structures according to SMBIOS 3.0.0 specification. (BZ#1232558)
mcelog now supports additional Intel processors
The mcelog utility now supports 6th generation Intel Core processors, Intel Xeon processor E3 v5, and current Intel Pentium and Intel Celeron-branded processors. These new processors report with cpuid 0x4E and 0x5E.
Additionally, mcelog now also recognizes cpuids for current Intel Atom processors (0x26, 0x27, 0x35, 0x36, 0x37, 0x4a, 0x4c, 0x4d, 0x5a, and 0x5d) and Intel Xeon processor E5 v4, E7 v4, and Intel Xeon D (0x56 and 0x4f). (BZ#1255561)
python-linux-procfs rebased to version 0.4.9
The python-linux-procfs packages have been upgraded to upstream version 0.4.9, which provides a number of bug fixes and enhancements over the previous version.
Notable fixes include:
- The package now contains API documentation installed in the /usr/share/docs/python-linux-procfs directory.
- Handling of space separated fields in /proc/PID/flags has been improved which removes parsing errors previously encountered by python-linux-procfs. (BZ#1255725)
trace-cmd rebased to version 2.2.4
The trace-cmd packages have been upgraded to upstream version 2.2.4, which provides a number of bug fixes and enhancements over the previous version.
Notable changes include:
- A new option -P is available for the trace-cmd list command. Use this option to list loaded plug-in files by path.
- The trace-cmd report command has a new option, -t, which can be used to print full time stamps in reports. (BZ#1218670)
tcsh now supports $anyerror and $tcsh_posix_status
The tcsh command-language interpreter now supports the use of the $anyerror and $tcsh_posix_status variables, which define the tcsh behavior in case of an error of any pipelined command. This update brings the tcsh functionality closer to the Red Hat Enterprise Linux 7 tcsh version. Note that these two variables have opposite logical meanings. For more information, see the tcsh(1) manual page. (BZ#1256653)
OpenJDK 8 now supports ECC
With this update, OpenJDK 8 supports Elliptic Curve Cryptography (ECC) and the associated ciphers for TLS connections. ECC is in most cases preferable to older cryptographic solutions for making secure network connections.
Additionally, the java-1.8.0 package priority has been expanded to 7 digits. (BZ#1208307)
RC4 is now disabled by default in OpenJDK 6 and OpenJDK 7
Earlier OpenJDK packages allowed the RC4 cryptographic algorithm to be used when making secure connections using Transport Layer Security (TLS). This algorithm is no longer secure, and so has been disabled in this release. To retain its use, it is necessary to revert to the earlier jdk.tls.disabledAlgorithms setting of SSLv3, DH keySize < 768. This can be done permanently in the <java.home>/jre/lib/security/java.security file or by adding the following line:
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
to a new text file and passing the location of that file to Java on the command line using the argument -Djava.security.properties=<path to file>. (BZ#1217131)
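A check for the setting described above, as an added example that is not part of the release notes: it reads one or more security property files and reports whether RC4 is still among the disabled TLS algorithms, so that a reverted setting is noticed. The function names and the sample file contents, including a master value that lists RC4, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the release notes): check whether RC4 remains
# disabled for TLS in OpenJDK security property files.

# Print the effective jdk.tls.disabledAlgorithms value from the given files.
# Files are read in order and the last definition wins, which models a
# -Djava.security.properties=<file> override layered on java.security.
effective_disabled_algorithms() {
    awk '
    {
        if (pending == "") {
            probe = $0
            sub(/^[ \t]+/, "", probe)
            if (probe ~ /^[#!]/) next      # comment lines are never continued
        }
        line = pending $0
        pending = ""
        if (line ~ /\\$/) {                # trailing backslash: join next line
            sub(/\\$/, "", line)
            pending = line
            next
        }
        sub(/^[ \t]+/, "", line)
        if (line ~ /^jdk\.tls\.disabledAlgorithms[ \t]*[=:]/) {
            sub(/^jdk\.tls\.disabledAlgorithms[ \t]*[=:][ \t]*/, "", line)
            value = line
        }
    }
    END { print value }
    ' "$@"
}

# Return 0 when the exact token RC4 is in the effective list, 1 otherwise.
rc4_disabled() {
    effective_disabled_algorithms "$@" |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qx 'RC4'
}

# Print a one-line verdict for a master file plus optional override files.
audit_java_security() {
    if rc4_disabled "$@"; then
        echo "OK: RC4 disabled ($(effective_disabled_algorithms "$@"))"
    else
        echo "WARN: RC4 permitted ($(effective_disabled_algorithms "$@"))"
    fi
}

# Constructed sample files. On a real system, pass
# <java.home>/jre/lib/security/java.security and any file that is handed to
# Java with -Djava.security.properties.
workdir=$(mktemp -d)
printf '%s\n' '# constructed master file' \
    'jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768' \
    > "$workdir/java.security"
printf '%s\n' 'jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768' \
    > "$workdir/override.properties"

audit_java_security "$workdir/java.security"
audit_java_security "$workdir/java.security" "$workdir/override.properties"
rm -rf "$workdir"
```

The second call reports a warning because the override file carries the earlier value quoted in the note, which no longer lists RC4.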
rhino rebased to version 1.7R4
Rhino, an open-source implementation of JavaScript written in Java, has been rebased to version 1.7R4. This update fixes a JSON-related bug in the java-1.7.0-openjdk package, which uses rhino as a build dependency. Additionally, the previously missing manual page, README and LICENSE files have been added. (BZ#1244351)
pcp rebased to version 3.10.9
Several enhancements have been made to Performance Co-Pilot (PCP). Note that the majority of Performance Metric Domain Agents (PMDA) have been split into their own subrpms. This allows for more streamlined PCP installations.
Additions include new kernel metrics such as Intel NVME device support, IPv6 metrics, and container mappings to LXC containers, several new PMDAs (MIC, json, dm, slurm, pipe), and several new tools, including pcp-verify(1), pcp-shping(1), pcp-atopsar(1), and pmrep(1). An export to Zabbix tool has also been added via zbxpcp(3). The pcp-atop tool has received a full rewrite, including a new NFS feature set. PCP's Performance Metrics Web Daemon (pmwebd) has received improvements, such as opening directories-as-archives for graphite, as well as adding support for the PCP pmStore(3) protocols. sar2pcp(1) has also been updated to include support for sysstat 11.0.1 commands. (BZ#1248272)
openmpi rebased to version 1.10.2
The openmpi packages have been upgraded to upstream version 1.10.2, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:
- The new name of the binary package is openmpi-1.10. Its environment module name on the x86_64 architecture is openmpi-1.10-x86_64.
- To preserve compatibility with Red Hat Enterprise Linux 6.7, openmpi-1.8 is still available. Its package name is openmpi-1.8 and it keeps the environment module name (openmpi-x86_64 on the x86_64 architecture) it had in Red Hat Enterprise Linux 6.7. (BZ#1130442)
Changes in Open MPI distribution
Open MPI is an open source Message Passing Interface implementation. The compat-openmpi package, which provides earlier versions of Open MPI for backward compatibility with previous minor releases of Red Hat Enterprise Linux 6, has been split into several subpackages based on the Open MPI version.
The names of the subpackages (and their respective environment module names on the x86_64 architecture) are:
- openmpi-1.4 (openmpi-1.4-x86_64)
- openmpi-1.4-psm (openmpi-1.4-psm-x86_64)
- openmpi-1.5.3 (compat-openmpi-x86_64, aliased as openmpi-1.5.3-x86_64)
- openmpi-1.5.3-psm (compat-openmpi-psm-x86_64, aliased as openmpi-1.5.3-psm-x86_64)
- openmpi-1.5.4 (openmpi-1.5.4-x86_64)
- openmpi-1.8 (openmpi-x86_64, aliased as openmpi-1.8-x86_64)
The yum install openmpi command in Red Hat Enterprise Linux 6.8 installs the openmpi-1.8 package for maximum compatibility with Red Hat Enterprise Linux 6.7. A later version of Open MPI is available in the openmpi-1.10 package. (BZ#1158864)
Omping is now fully supported
Open Multicast Ping (Omping) is a tool to test the IP multicast functionality, primarily in the local network. This utility allows users to test IP multicast functionality and assists in diagnosing whether a problem is in the network configuration or there is a bug. In Red Hat Enterprise Linux 6, Omping was previously provided as a Technology Preview and it is now fully supported. (BZ#657370)
elfutils rebased to version 0.164
The eu-addr2line utility introduces the following improvements:
- Input addresses are now always interpreted as hexadecimal numbers, never as octal or decimal numbers.
- A new option, -a, --addresses, to print address before each entry.
- A new option, -C, --demangle, to show demangled symbols.
- A new option, --pretty-print, to print all information on one line.
The eu-strip utility is now able to:
- Handle ELF files with merged strtab and shstrtab tables.
- Handle missing SHF_INFO_LINK section flags.
The libdw library introduces improvements in the following functions:
- dwfl_standard_find_debuginfo now searches any subdirectory of the binary path under the debuginfo root when the separate debug file could not be found by build ID.
- dwfl_linux_proc_attach can now be called before any Dwfl_Modules have been reported.
- dwarf_peel_type now also handles DW_TAG_atomic_type.
Various new preliminary DWARF5 constants are now recognized, namely DW_TAG_atomic_type, DW_LANG_Fortran03, DW_LANG_Fortran08, DW_LANG_Haskell. Additionally, a new header file, elfutils/known-dwarf.h, is now installed by the devel package. (BZ#1254647)
glibc now supports BIG5-HKSCS-2008
Previously, glibc supported an earlier version of the Hong Kong Supplementary Character Set, BIG5-HKSCS-2004. The BIG5-HKSCS character set map has been updated to the HKSCS-2008 revision of the standard. This allows Red Hat Enterprise Linux customers to write applications processing text that is encoded with this version of the standard. (BZ#1211748)
Human-readable installed-rpms
The format of the installed-rpms sosreport list has been simplified to allow for optimal human readability. (BZ#1267677)
OProfile now supports 6th Generation Intel Core processors
With this update, OProfile recognizes the 6th Generation Intel Core processors, and it now provides non-architected performance events for the 6th Generation Intel Core processors instead of defaulting to the small subset of architected performance events. (BZ#1254764)
OProfile updated to recognize the Intel Xeon Processor D-1500 product family
With this update, support for Intel Xeon Processor D-1500 product family has been added to OProfile, and the processor-specific events for this product family are now available.
Note that some events, such as LLC_REFS and LLC_MISSES, may not count correctly. Check http://www.intel.com/content/www/us/en/processors/xeon/xeon-d-1500-specification-update.html for a complete list of performance events affected. (BZ#1231399)
SystemTap rebased to version 2.9
The SystemTap instrumentation system has been rebased to version 2.9. Major improvements in this update include more complete manual pages, more portable and usable netfilter probes, better support for kernel backtraces without debuginfo, better debuginfo-related diagnostics, reduced translator memory usage, and better performance of generated code. (BZ#1254648)
powerpc-utils rebased to version 1.3.0
The powerpc-utils packages have been upgraded to upstream version 1.3.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#1252706)
ipmitool rebased to version 1.8.15
The ipmitool packages have been upgraded to upstream version 1.8.15, which provides a number of bug fixes and enhancements over the previous version. The notable changes include support for the 13G Dell PowerEdge systems, support for host names longer than 64 bytes, and improved IPv6 support. (BZ#1253416)
memtest86+ rebased to version 5.01
The memtest86+ package has been upgraded to upstream version 5.01, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:
- Support for up to 2 TB of RAM on AMD64 and Intel 64 CPUs
- Support for new Intel and AMD CPUs, for example Intel Haswell
- Experimental SMT support up to 32 cores
For detailed changes, see http://www.memtest.org/#change (BZ#1009083)
New package: java-1.8.0-ibm
This update adds IBM Java 8 to Red Hat Enterprise Linux 6. The java-1.8.0-ibm package is available in the Supplementary channel. (BZ#1148503)
New option for arpwatch: -p
This update introduces option -p for the arpwatch command of the arpwatch network monitoring tool. This option disables promiscuous mode. (BZ#1006479)
Chapter 6. Desktop
LibreOffice rebased to version 4.3.7.2
The libreoffice packages have been upgraded to upstream version 4.3.7.2, which provides a number of bug fixes and enhancements over the previous version, including:
- The possibility to print comments in page margin has been added.
- Support for nested comments has been added.
- OpenXML interoperability has been improved.
- Accessibility support has been enhanced.
- The color picker has been improved.
- The start center has been improved.
- Initial HiDPI support has been added.
- The limitation on number of characters in a paragraph has been raised considerably.
For a complete list of bug fixes and enhancements provided by this upgrade, refer to https://wiki.documentfoundation.org/ReleaseNotes/4.3. (BZ#1258467)
mesa now supports additional Intel 3D graphics
The mesa package now supports integrated 3D graphics on 6th generation Intel Core processors, Intel Xeon processor E3 v5, and current Intel Pentium and Intel Celeron-branded processors. (BZ#1135362)
New Vinagre features
This update provides a number of features to Vinagre. Namely:
- The ability to connect through RDP protocol to remote Windows machines has been added.
- If requested, credentials can be stored in a keyring for RDP connections.
- Minimize button has been added to the fullscreen toolbar so that users do not need to leave fullscreen mode to minimize the whole window.
In addition, the /apps/vinagre/plugins/active-plugins GConf key is now ignored as it could cause RDP not to be loaded. (BZ#1215093)
vmwgfx now supports 3D operations under VMware Workstation 10
The vmwgfx driver has been updated to version 4.4, which enables vmwgfx support for 3D operations under VMware Workstation 10. With this upgrade, the vmwgfx driver now allows virtualized Red Hat Enterprise Linux 6 systems to work as intended on Windows workstations. (BZ#1164447)
x3270 rebased to version 3.3.15
The latest update of x3270 in Red Hat Enterprise Linux 6.8 adds support for oversize, dynamic screen resolutions, that is screen adjustment on window resizing, to the IBM 3270 terminal emulator for the X Window System. Viewing larger screen sizes thus works properly and larger files or outputs on the mainframe appear as expected. (BZ#1171849)
icedtea-web rebased to version 1.6.2
The icedtea-web packages have been upgraded to upstream version 1.6.2, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:
- The IcedTea-Web documentation and man pages have been significantly expanded.
- IcedTea-Web now supports bash completion.
- The Custom Policies and Run in Sandbox features have been enhanced.
- An -html switch has been implemented for the Java Web Start (JavaWS) framework, which can serve as a replacement of the AppletViewer program.
- It is now possible to use IcedTea-Web to create desktop and menu launchers for applets and JavaWS applications. (BZ#1275523)
Chapter 7. Directory Server in Red Hat Enterprise Linux
About Directory Server for Red Hat Enterprise Linux
This section describes changes in the main server component for Red Hat Directory Server - the 389-ds-base package, which includes the LDAP server itself and command line utilities and scripts for its administration. This package is part of the Red Hat Enterprise Linux base subscription channel and therefore available on all Red Hat Enterprise Linux Server systems due to Red Hat Identity Management components which depend on it.
Additional Red Hat Directory Server components, such as the Directory Server Console, are available in the rhel-x86_64-server-6-rhdirserv-9 additional subscription channel. A subscription to this channel is also required to obtain support for Red Hat Directory Server. Changes to the additional components in this channel are not described in this document.
Red Hat Directory Server version 9 is available for Red Hat Enterprise Linux 6. See https://access.redhat.com/products/red-hat-directory-server/get-started-v9 for information about getting started with Directory Server 9, and https://access.redhat.com/documentation/en/red-hat-directory-server/?version=9 for full documentation. (BZ#1333801)
Improved performance when deleting large quantities of multi-valued attributes
The API used to delete entries with large amounts of multi-valued attributes has been replaced with a significantly faster one, causing a large performance improvement in such situations. (BZ#1236148)
Chapter 8. File Systems
XFS runtime statistics are available per file system in the /sys/fs/ directory
The existing XFS global statistics directory has been moved from the /proc/fs/xfs/ directory to the /sys/fs/xfs/ directory while maintaining compatibility with earlier versions with a symbolic link in /proc/fs/xfs/stat. New subdirectories will be created and maintained for statistics per file system in /sys/fs/xfs/, for example /sys/fs/xfs/sdb7/stats and /sys/fs/xfs/sdb8/stats. Previously, XFS runtime statistics were available only per server. Now, XFS runtime statistics are available per device. (BZ#1205640)
XFS supported file-system size has been increased
Previously, the supported file-system size for XFS was 100 TB. With this update, the supported file-system size for XFS has been increased to 300 TB. (BZ#1273090)
The use_hostname_for_mounts autofs option is now available
A new autofs option to override the use of an IP address when mounting to a host name with multiple associated addresses has been implemented. If strict Round Robin DNS is needed, the use_hostname_for_mounts option enables bypassing the usual availability and proximity check, and the host name is used in mount requests regardless of whether the requests have multiple IP addresses. (BZ#1248798)
Chapter 9. Hardware Enablement
Support for Sealevel model 2803 ROHS converters from USB to serial media
This update introduces support for Sealevel model 2803 ROHS converters from USB to serial media by including their IDs in the kernel. (BZ#1104343)
Backporting of the rtlwifi driver family
The rtlwifi driver family from upstream Linux kernel has been backported to support new Realtek wireless devices such as RTL8188CE, which are used on some variants of Lenovo laptops. (BZ#1263386)
Support for NCT6775 and compatible chips
This update introduces the NCT6775 kernel hwmon driver. This driver enables monitoring of the sensors associated with voltage, temperature, fan speed, and such, on hardware that includes a chip from Nuvoton's Super I/O series. (BZ#1260117)
Ethernet functionality added to mlx5_core
This enhancement update adds Ethernet functionality to the mlx5_core networking driver. The mlx5_core driver acts as a library of common functions, for example, initializing the device after reset required by certain adapter cards. This driver also implements the Ethernet interfaces for some adapter cards. Unlike mlx4_en/core, mlx5 drivers do not require the mlx5_en module as the Ethernet functionalities are built-in in the mlx5_core module. (BZ#1246031)
Support for O2Micro sdhci card reader model 8520
This update introduces support for the O2Micro sdhci card reader model 8520, which is used on newer Lenovo laptops. (BZ#1089109)
Support for solarflare devices and features
This update introduces a driver update that provides support for additional solarflare devices and features. (BZ#1123046)
Wacom Cintiq 27QHD Device Support
With this release, the Wacom Cintiq 27QHD is now supported in Red Hat Enterprise Linux 6. (BZ#1243328)
Wacom Intuos PT Tablet Device Support
With this release, several Wacom Intuos PT Tablets are now supported in Red Hat Enterprise Linux 6.8. The newly supported devices are:
- PTH-650 Intuos5 touch (M)
- CTH-480 Intuos Pen & Touch (S)
- PTH-651 Intuos pro (M) (BZ#1252898)
Support for the Realtek 5229 card reader
This update introduces support for the Realtek 5229 card reader. (BZ#806173)
Support for the AMD GX-212JC processor
This update introduces support for the AMD GX-212JC processor. (BZ#1176662)
ppc64-diag rebased to version 2.7.0
The ppc64-diag packages have been upgraded to upstream version 2.7.0, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:
- Several security-related issues have been fixed, such as memory leaks, buffer overflows, and replacing the popen() function with execv() calls
- Diagnostics support for the 5887 disk drive enclosure has been added
- PCI Host Bridge (PHB) hot-plugging support has been added for PowerKVM guests (BZ#1252717)
librtas rebased to version 1.4.0
The librtas packages, which provide an IBM utility for the 64-bit PowerPC architecture support, have been updated to version 1.4.0 to provide various bug fixes and enhancements. With this update, the libofdt library has been decommissioned from the librtas package. (BZ#1252716)
lsvpd rebased to version 1.7.6
The lsvpd packages, which provide an IBM utility for the 64-bit PowerPC architecture support, have been updated to version 1.7.6 to provide various bug fixes, enhancements, and security fixes, such as buffer overflow and memory allocation validation. Additionally, the lsmcode utility adds support for OpenPower system. (BZ#1148150)
servicelog rebased to version 1.1.13
The servicelog packages, which provide an IBM utility for the 64-bit PowerPC architecture support, have been updated to version 1.1.13 to provide various bug fixes and enhancements. (BZ#1148139)
iprutils rebased to version 2.4.10.1
The iprutils packages, which provide an IBM utility for the 64-bit PowerPC architecture support, have been updated to version 2.4.10.1 to provide various bug fixes and enhancements.
It is recommended to use the latest version of iprutils. If a system already has iprutils-2.4.9-2.el6 installed, run the following command to remove it:
rpm -e --noscripts iprutils
(BZ#1252715)
Chapter 10. Installation and Booting
Using an HTTPS source for kickstart files is now supported
With this update, it is now possible to specify HTTPS sources for kickstart files. (BZ#1259880)
Increased debug logging for NetworkManager
The default log level of the NetworkManager utility has been increased to make debugging the installation process easier. (BZ#831777)
Automatic network device configuration using 802.1q VLAN tags from the iBFT
The installer configures network devices automatically, based on the iSCSI Boot Firmware Table (iBFT). Before this update, if 802.1q VLAN tagging was required for a device, the installer was not able to apply this information to the installed system. Now, if the 802.1q VLAN ID of a device is specified in the iBFT, the installer will use this information to automatically configure the device on the installed system. (BZ#831002)
Chapter 11. Kernel
The /proc/pid/cmdline file length is now unlimited
The /proc/pid/cmdline file length limit for the ps command was previously hard-coded in the kernel to 4096 characters. This update makes sure the length of /proc/pid/cmdline is unlimited, which is especially useful for listing processes with long command line arguments. (BZ#1100069)
Support for LSO and LRO
This update adds support for Large Send Offload (LSO) and Large Receive Offload (LRO) to the PowerVM virtual Ethernet driver (ibmveth). The enhancement allows you to enable LRO on the Shared Ethernet Adapter (SEA) in a mixed AIX and Linux Central Electronics Complex (CEC), allowing better networking performance and better interoperability with AIX in a shared ethernet adapter environment. (BZ#1233272)
ipr rebased to version 2.6.3
The ipr driver has been upgraded to upstream version 2.6.3, which provides a number of enhancements and bug fixes over the previous version. Namely, the update enables new SAS VRAID adapters on IBM Power Systems and includes recent performance improvements. As a result, the update improves disk performance and supports recent adapters on IBM Power Systems. (BZ#1252713)
ixgbe rebased to version 4.2.1
The ixgbe NIC driver has been upgraded to upstream version 4.2.1, which provides a number of bug fixes and enhancements over the previous version. Notably:
- Null pointer crashes related to VLAN support have been fixed.
- Two more devices from the Intel X550 Ethernet controller family are now supported: IDs 15AC and 15AD have been added.
- Several PHY-related problems have been addressed: link disruptions and link flapping.
- Added PHY-related support for Intel X550.
- Performance has been improved. (BZ#1249244)
L2 cache information is gathered using the CPUID instruction
With this update, Level 2 (L2) processor cache information such as the base cache or the number of cache leaves is gathered using the CPUID instruction. (BZ#987679)
bnx2 rebased to version 2.2.6
The bnx2 NIC driver has been upgraded to upstream version 2.2.6, which provides a number of bug fixes and enhancements over the previous version. Notably:
- Bandwidth allocation for some MF modes has been fixed.
- Toggling of rxvlan can now be disabled.
- A chip initialization bug has been fixed.
- Inconsistent use of page sizes has been fixed. (BZ#1252124)
e100 rebased to version 3.5.24-k2-NAPI
The e100 NIC driver has been upgraded to upstream version 3.5.24-k2-NAPI, which provides a number of bug fixes over the previous version. Notably, the update adds error checking around DMA mapping to avoid resource leaks and fixes a possible NULL pointer dereference during initialization. (BZ#1150338)
e1000e rebased to version 3.2.6-k
The e1000e driver has been upgraded to upstream version 3.2.6-k, which provides a number of bug fixes over the previous version. Notably, the new version prevents possible data corruption and enables both ULP and EEE in Sx mode. (BZ#1249241)
MLDv1 and MLDv2 snooping added to bridge
With this update, the bridge module adds support to IPv6 multicast by snooping for MLDv1 and MLDv2. Now, IPv6 multicast messages are sent only to ports with subscribed multicast receivers. (BZ#587714)
perf has been updated
To support a greater range of hardware and incorporate numerous bug fixes, perf has been updated. Notable enhancements include:
- Added support for additional model numbers of 5th Generation Intel Core i7 processors.
- Added support for Intel Xeon v5 mobile and desktop processors.
- Enabled support for the uncore subsystem for Intel Xeon v3 and v4 processors.
- Enabled support for the uncore subsystem for Intel Xeon Processor D-1500. (BZ#1216217)
EDAC support for Intel Xeon v4
The kernel has been updated to incorporate new code that adds EDAC (Error Detection and Correction) support for the Xeon v4 memory controllers from Intel. (BZ#1245372)
Crash dump performance enhancements
The time taken to complete a crash dump on systems with large quantities of memory has been reduced in kexec-tools and makedumpfile by making use of mmap() to remove empty and unneeded pages. (BZ#1097904)
Interval Tree Support for Intel Xeon v3 and v4 core processors with Gen graphics
To enable access to the GPU functionality of some Intel processors without recompiling a custom kernel, Interval Tree support has been added. (BZ#1251197)
CPU microcode update for Intel processors
The kernel has been updated to contain the latest microcode definitions for all Intel processors. This is the latest update from Intel at the time of publishing and is designated version 20151106. (BZ#1244968)
Minimal support for secondary endpoints with nf_conntrack_proto_sctp
Basic multihoming support has been added to Stream Control Transmission Protocol (SCTP), allowing traffic between secondary endpoints to pass through where it would previously be classified as invalid and blocked by most common firewall configurations. (BZ#1267612)
The sch_qfq scheduler now supports QFQ+
The sch_qfq scheduler now supports the Quick Fair Queuing Plus (QFQ+) algorithm, which improves the scheduler's efficiency and accuracy. At the same time, a number of bug fixes have been applied to further improve the behavior of sch_qfq under various conditions. (BZ#1152235)
Tracking and capturing I/O statistics for the tape driver is available
It is now possible to track and capture I/O performance statistics, and measure tape device performance. The user can use the statistics exposed in the /sys/class/scsi_tape/ tree with custom tools. (BZ#875277)
mpt2sas and mpt3sas merged
The source code of the mpt2sas and mpt3sas drivers has been merged. Unlike in upstream, Red Hat Enterprise Linux 6 continues to maintain two binary drivers for compatibility reasons. (BZ#717090)
Firmware-assisted Crash Dumping
Red Hat Enterprise Linux 6.8 introduces support for firmware-assisted dump (fadump), which provides an alternative dumping mechanism to kdump. Fadump is supported only on PowerPC architecture. The goal of fadump is to enable the dump of a crashed system from a fully-reset system, and to minimize the total elapsed time until the system is back in production use. Fadump is integrated with the kdump infrastructure present in the user space to seamlessly switch between the kdump and fadump mechanisms. (BZ#1254923)
Setting an SELinux context label for a block device
To be able to label device nodes, most commonly disks, as used by certain applications, this update provides the possibility to apply SELinux labels on device nodes created by udev. The system administrator can set a new option to give a label to a newly created device node as follows:
SECLABEL{selinux}="label"
(BZ#1015300)
New packages: libevdev
The libevdev packages have been added to Red Hat Enterprise Linux 6.8. These packages contain a library to wrap kernel evdev devices and provide a proper API to interact with these devices. (BZ#1250806)
lpfc driver update
With the latest update, LPE31000, LPE32000 HBAs, and all HBA variants of this architecture now detect and enable both Broadcom-ECD certified SFP and QSFP optics. For firmware rev 11.0.204.0 and later, unqualified optics are disabled, the network link shows link down state, and an error message is logged to the log file.
The lpfc driver in Red Hat Enterprise Linux 6.8 displays the following message and the network link does not come up:
3176 Misconfigured Physical Port - Port Name [wwpn] Unknown event status [status]
The users are recommended to use only Broadcom-ECD certified SFP and QSFP optics. If any of the 3176 messages are seen in the logs and the link does not come up, contact Broadcom-ECD technical support. (BZ#1295468)
Chapter 12. Networking
NetworkManager-openswan now supports libreswan
In Red Hat Enterprise Linux 6.8, the openswan IPsec implementation is considered obsolete and replaced by the libreswan implementation. The NetworkManager-openswan package now supports both openswan and libreswan in order to facilitate migration. (BZ#1267394)
New package: chrony
A new package, chrony, has been added to Red Hat Enterprise Linux 6. chrony is a versatile implementation of the Network Time Protocol (NTP), which can usually synchronize the system clock with a better accuracy than the ntpd daemon from the ntp package. It can be also used with the timemaster service from the linuxptp package to synchronize the clock to Precision Time Protocol (PTP) domains with sub-microsecond accuracy if hardware timestamping is available, and provide a fallback to other PTP domains or NTP sources. (BZ#1274811)
New packages: ldns
The ldns packages contain a library with the aim to simplify DNS programming in C. All low-level DNS/DNSSEC operations are supported. A higher level API has been defined which allows a programmer to, for instance, create or sign packets. (BZ#1284961)
wpa_supplicant can now send logs into the syslog
Previously, wpa_supplicant could only save log messages into the /var/log/wpa_supplicant.log file. This update adds the capability to save log messages into the system log, allowing you to use additional features provided by syslog such as remote logging.
To activate this feature, add the new -s option into OTHER_ARGS in the /etc/sysconfig/wpa_supplicant configuration file. (BZ#822128)
Enhancements in system-config-network
The Network Configuration tool (the system-config-network package) has received multiple user interface improvements in this release. Notable enhancements include additional fields for the PEERDNS and ONBOOT settings and an added Delete button in the list of interfaces. (BZ#1214729)
New packages: unbound
Unbound is a validating, recursive, and caching DNS resolver. It is designed as a set of modular components that also support DNS Security Extensions (DNSSEC). (BZ#1284964)
nm-connection-editor now allows a higher range of VLAN ids
The VLAN id is no longer limited to the range 0-100 in nm-connection-editor. The new allowed range is between 0 and 4095. (BZ#1258218)
NetworkManager supports locking Wi-Fi network connections to a specific radio frequency band
NetworkManager now allows you to specify a certain frequency band for a Wi-Fi connection. To lock a connection to a certain band, use the new BAND= option in the connection configuration file in the /etc/sysconfig/network-scripts/ directory. Values for this option are based on the IEEE 802.11 protocol specifications; to specify the 2.4 GHz band, use BAND=bg, and to specify the 5 GHz band, use BAND=a. (BZ#1254070)
NetworkManager now supports iBFT
A plug-in for iSCSI Boot Firmware Table (iBFT) configuration has been added to NetworkManager. This plug-in ensures that initial network configuration for hosts booting from iSCSI in a VLAN is correct. (BZ#1198325)
Chapter 13. Security
TLS 1.2 support added to basic system components
With these updates, basic system tools, such as yum, stunnel, vsftpd, Git, or Postfix have been modified to support the 1.2 version of the TLS protocol. This is to ensure that the tools are not vulnerable to security exploits that exist for older versions of the protocol. (BZ#1253743)
NSS now enables the TLS version 1.2 protocol by default
In order to satisfy current best security practices, the Transport Layer Security (TLS) 1.2 protocol has been enabled by default in NSS. This means that it is no longer necessary to explicitly enable it in applications that use NSS library defaults.
If both sides of TLS connection enable TLS 1.2, this protocol version is now used automatically. (BZ#1272504)
pycurl now provides options to require TLSv1.1 or 1.2
With this update, pycurl has been enhanced to support options that make it possible to require the use of the 1.1 or 1.2 versions of the TLS protocol, which improves the security of communication. (BZ#1260406)
PHP cURL module now supports TLS 1.1 and TLS 1.2
Support for the TLS protocol version 1.1 and 1.2, which was previously made available in the curl library, has been added to the PHP cURL extension. (BZ#1255920)
openswan deprecated in favor of libreswan
The openswan packages have been deprecated, and libreswan packages have been introduced as a direct replacement for openswan. libreswan is a more stable and secure VPN solution for Red Hat Enterprise Linux 6. libreswan is already available as the VPN endpoint solution for Red Hat Enterprise Linux 7. openswan will be replaced by libreswan during system upgrade. See https://access.redhat.com/articles/2089191 for instructions on how to migrate from openswan to libreswan.
Note that the openswan packages remain available in the repository. To install openswan instead of libreswan, use the -x option of yum to exclude libreswan: yum install openswan -x libreswan. (BZ#1266222)
SELinux support added for GlusterFS
With this update, the SELinux mandatory access control is provided for the glusterd (GlusterFS Management Service) and glusterfsd (NFS server) processes as a part of Red Hat Gluster Storage. (BZ#1241112)
shadow-utils rebased to version 4.1.5.1
The shadow-utils package, which provides utilities for managing user and group accounts, has been rebased to version 4.1.5.1. This is the same as the version of shadow-utils in Red Hat Enterprise Linux 7. Enhancements include improved auditing, which was corrected to provide a better record of system-administrator actions on the user-account database. The main new feature added to this package is the support for operation in chroot environments using the --root option of the respective tools. (BZ#1257643)
audit rebased to version 2.4.5
The audit package, which provides the user-space utilities for storing and searching the audit records generated by the audit subsystem in the Linux kernel, has been rebased to version 2.4.5. This update includes enhanced event interpretation facilities that provide more system-call names and arguments to make the understanding of events easier.
This update also has an important behavior change in the way that auditd records events to disk. If you are using either data or sync modes for the flush setting in auditd.conf, you will see a performance decrease in auditd's ability to log events. This is because it was previously not properly informing the kernel that full synchronous writes should be used. This was corrected, which has improved the reliability of the operation, but this has come at the expense of performance. If the performance drop is not tolerable, the flush setting should be changed to incremental and the freq setting will control how often auditd instructs the kernel to synchronize all records to disk. A freq setting of 100 should give good performance while making sure that new records are flushed to disk periodically. (BZ#1257650)
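As an added example (not part of the release notes or of the audit package), the following shell functions read an auditd.conf file and report which of the flush modes described above it selects, so that hosts affected by the synchronous-write change can be found. The function names, the verdict strings, the constructed sample file, and the choice to let the last assignment of a key win are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: classify the flush/freq settings of an auditd.conf file.
# Function names and verdict strings are hypothetical, not part of audit.

# get_setting FILE KEY
# Prints the value of KEY (lower-cased, whitespace removed), or nothing.
# Assumption: if KEY is assigned more than once, the last assignment is used.
get_setting() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }                  # skip comment lines
        NF >= 2 {
            k = tolower($1); gsub(/[ \t]/, "", k)
            v = tolower($2); gsub(/[ \t]/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# classify_flush FILE
# Prints one verdict:
#   synchronous              flush is data or sync: the modes that now do
#                            full synchronous writes and log more slowly
#   incremental-every-N      flush is incremental and freq is the number N
#   incremental-freq-missing flush is incremental but freq is absent or
#                            not a number
#   flush-not-set            no flush line in the file
#   other-VALUE              any other flush value, reported as found
classify_flush() {
    cf_flush=$(get_setting "$1" flush)
    cf_freq=$(get_setting "$1" freq)
    case "$cf_flush" in
        data|sync)
            echo "synchronous" ;;
        incremental)
            case "$cf_freq" in
                ''|*[!0-9]*) echo "incremental-freq-missing" ;;
                *)           echo "incremental-every-$cf_freq" ;;
            esac ;;
        '')
            echo "flush-not-set" ;;
        *)
            echo "other-$cf_flush" ;;
    esac
}

# Constructed sample input (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed auditd.conf excerpt
log_file = /var/log/audit/audit.log
flush = SYNC
freq = 20
EOF
echo "sample verdict: $(classify_flush "$sample")"
rm -f "$sample"
```

On a real system, pass the path of the auditd.conf file in use; a verdict of synchronous marks a host where the trade-off between reliability and logging performance described above applies.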
LWP now supports host name and certificate verification
Certificate and host-name verification, which is disabled by default, has been implemented in the World Wide Web library for Perl (LWP, also called libwww-perl). This allows users of the LWP::UserAgent Perl module to verify the identity of HTTPS servers. To enable the verification, make sure that the IO::Socket::SSL Perl module is installed and that either the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable is set to 1 or the application is modified to set the ssl_opts option correctly. See the LWP::UserAgent POD for more details. (BZ#745800)
Perl Net::SSLeay now supports elliptic curve parameters
Support for elliptic-curve parameters has been added to the Perl Net::SSLeay module, which contains bindings to the OpenSSL library. Namely, the EC_KEY_new_by_curve_name(), EC_KEY_free*(), SSL_CTX_set_tmp_ecdh(), and OBJ_txt2nid() subroutines have been ported from upstream. This is required for the support of the Elliptic Curve Diffie–Hellman Exchange (ECDHE) key exchange in the IO::Socket::SSL Perl module. (BZ#1044401)
Perl IO::Socket::SSL now supports ECDHE
Support for Elliptic Curve Diffie–Hellman Exchange (ECDHE) has been added to the IO::Socket::SSL Perl module. The new SSL_ecdh_curve option can be used for specifying a suitable curve by the Object Identifier (OID) or Name Identifier (NID). As a result, it is now possible to override the default elliptic curve parameters when implementing a TLS client using IO::Socket::SSL. (BZ#1078084)
openscap rebased to version 1.2.8
OpenSCAP, a set of libraries providing a path for the integration of SCAP standards, has been rebased to 1.2.8, the latest upstream version. Notable enhancements include support for the OVAL-5.11 and OVAL-5.11.1 language versions, the introduction of a verbose mode, which helps to understand the details of running scans, two new commands, oscap-ssh and oscap-vm, for scanning over SSH and scanning of inactive virtual systems respectively, native support for bz2 archives, and a modern interface for HTML reports and guides. (BZ#1259037)
scap-workbench rebased to version 1.1.1
The scap-workbench package has been rebased to version 1.1.1, which provides a new SCAP Security Guide integration dialog. It can help the administrator choose a product that needs to be scanned instead of choosing content files. The new version also offers a number of performance and user-experience improvements, including improved rule searching in the tailoring window and the possibility to fetch remote resources in SCAP content using the GUI. (BZ#1269551)
scap-security-guide rebased to version 0.1.28
The scap-security-guide package has been rebased to the latest upstream version (0.1.28), which offers a number of important fixes and enhancements. These include several improved or completely new profiles for both Red Hat Enterprise Linux 6 and 7, added automated checks and remediation scripts for many rules, human readable OVAL IDs that are consistent between releases, or HTML-formatted guides accompanying each profile. (BZ#1267509)
Support for SSLv3 and RC4 disabled in luci
The use of the insecure SSLv3 protocol and RC4 algorithm has been disabled in luci, the web-based high availability administration application. By default, only TLSv1.0 and higher protocol versions are allowed, and the digest algorithm used for self-managed certificates has been updated to SHA256. It is possible to re-enable SSLv3 (by uncommenting the allow_insecure options in relevant sections of the /etc/sysconfig/luci configuration file), but that is only for unlikely and unpredictable cases and should be used with extreme caution.
This update also adds the possibility to adjust the most important SSL/TLS properties (in addition to the mentioned allow_insecure): the path to the certificate pair and the cipher list. These settings can be used either globally, or independently for both secure channels (HTTPS web UI access and connection with ricci instances). (BZ#1156167)
Chapter 14. Servers and Services
mod_nss now supports server-side SNI
This update adds server-side Server Name Indication (SNI) support to the mod_nss package. (BZ#1295490)
Non-root user support in httpd mod_rewrite
The mod_rewrite module provided with the Apache HTTP Server now supports running external mapping programs as a non-root user. This reduces security risk from using mod_rewrite mapping because a non-privileged process can be used. (BZ#1035230)
tomcat6 now supports disableURLRewriting
This update adds the disableURLRewriting attribute to the Tomcat 6 servlet container. The attribute makes it possible to disable support for using URL rewriting to track session IDs for specific contexts. (BZ#1221877)
Logging capabilities of the tftp server have been enhanced
As a result of improved logging, the Trivial File Transfer Protocol (TFTP) server can now track successes and failures. For example, a log event is now created when a client successfully finishes downloading a file, or the file not found message is provided in case of a failure. (BZ#917817)
Squid can log IP addresses and ports of remote hosts
In previous versions, the Squid caching and forwarding web proxy had the ability to log the URL, which included the host name. However, Squid could not log the IP address of the destination server. This update enables Squid to log IP addresses and ports of remote hosts, which is especially useful when dealing with hosts that have multiple IP addresses. (BZ#848124)
New ignore-client-uids option
When a client machine can boot different operating systems (OS), each OS can send a different DHCP client identifier (UID) and consequently obtain a different IP address from the server. Now, the user can configure a server to treat such a machine as a single entity regardless of the OS it runs at the moment with a new ignore-client-uids option.
This option causes the server to not record a client's UID in its lease. To configure ignore-client-uids, add the following line to the /etc/dhcp/dhcpd.conf file:
ignore-client-uids true;
With this configuration, client UIDs are not recorded. If this statement is not present or has a value of false or off, then client UIDs will be recorded. (BZ#1196768)
A Tuned profile optimized for Oracle database servers has been included
A new oracle Tuned profile, which is specifically optimized for the Oracle databases load, is now available. The new profile is delivered in the tuned-profiles-oracle subpackage, so that other related profiles can be added in the future. The oracle profile is based on the enterprise-storage profile, but modifies kernel parameters based on Oracle database requirements and turns transparent huge pages off. (BZ#1196294)
New package: squid34
A new package squid34 version 3.4.14 has been released. This package cannot be installed together with the squid package. squid34 improves stability and fixes multiple bugs originally reported against squid.
The most important new features in squid34 include:
- Helper protocol extensions
- SSL Server Certificate Validator
- Store-ID
- TPROXY Support for OpenBSD 5.1 and later, and FreeBSD 9 and later
- Transaction Annotations
- Multicast DNS (BZ#1265328)
The BIND server now supports CAA records
Certification Authority Authorization (CAA) support has been added to the Berkeley Internet Name Domain (BIND) server. Now, users can restrict Certification Authorities by specifying the DNS record. (BZ#1252611)
The LocalAddress and LocalPort keywords are now supported for Match conditions in sshd_config
Systems connected to several physical networks might require different access policies. With this update, you can enforce different policies for different local addresses or ports directly in sshd_config, without the need to run several services with different configuration files. (BZ#1211673)
Support for disabling selected GSSAPI key exchange algorithms
After CVE-2015-4000 (Logjam) was discovered, the gss-group1-sha1 algorithm is not considered secure anymore. Previously, there was no possibility to disable this single key exchange method. With this update, the administrator can disable this or other selected algorithms used by GSSAPI key exchange in sshd_config. (BZ#1253060)
New authorized_keys_command option in pam_ssh_agent_auth
Managing sudo rules across multiple systems might require listing SSH keys from LDAP, which was previously not possible. With this update, you can set up pam_ssh_agent_auth to get the authorized keys from LDAP or a different service easily. The feature has been backported from the upstream version. (BZ#1299555)
Chapter 15. Storage
The multipath utility can now save data between prioritizer calls
This feature has been implemented in the asymmetric logical unit access (ALUA) prioritizer, and reduces the number of commands sent to the target array. As a result, target arrays are no longer overloaded with commands if there is a large number of paths. (BZ#1081395)
Asynchronous checkers can use the multipath checker_timeout option
Asynchronous checkers now use the checker_timeout option in the multipath.conf file to determine when to stop waiting for a response from the array and fail the non-responsive path. This behavior for asynchronous checkers can be configured in the same way as for synchronous checkers. (BZ#1153704)
nfsidmap -d option added
The nfsidmap -d option has been added to display the system's effective NFSv4 domain name on stdout. (BZ#948680)
Configurable connection timeout for mounted CIFS shares
Idling CIFS clients send an echo call every 60 seconds. The echo interval is hard-coded, and is used to calculate the timeout value for an unreachable server. This timeout value is usually set to (2 * echo interval) + 17 seconds. With this feature, users can change the echo interval setting, which enables them to change the timeout interval for unresponsive servers. To change the echo interval, use the echo_interval=n mount option, where n is the echo interval in seconds. (BZ#1234960)
Support for device-mapper statistics facility (dmstats)
The Red Hat Enterprise Linux 6.8 release supports a device-mapper statistics facility, the dmstats program. The dmstats program displays and manages I/O statistics for user-defined regions of devices that use the device-mapper driver. The dmstats program provides a similar functionality to the iostats program, but at levels of finer granularity than a whole device. For information on the dmstats program, see the dmstats(8) man page. (BZ#1267664)
Support for raw format mode in multipathd formatted output commands
The multipathd formatted output commands now offer a raw format mode that removes the headers and additional padding between fields. Support for additional format wildcards has been added as well. Raw format mode makes it easier to collect and parse information about multipath devices, particularly for use in scripting. For information on raw format mode, see the DM Multipath Guide. (BZ#1145442)
Chapter 16. System and Subscription Management
New search-disabled-repos plug-in for yum
The search-disabled-repos plug-in for yum has been added to the subscription-manager packages. This plug-in allows users to successfully complete yum operations that fail due to the source repository being dependent on a disabled repository. When search-disabled-repos is installed in the described scenario, yum displays instructions to temporarily enable repositories that are currently disabled and to search for missing dependencies.
If you choose to follow the instructions and turn off the default notify_only behavior in the /etc/yum/pluginconf.d/search-disabled-repos.conf file, future yum operations will prompt you to temporarily or permanently enable all the disabled repositories needed to fulfill the yum transaction. (BZ#1268376)
Easier troubleshooting with yum
The yum utility is now able to identify certain frequently occurring errors and provides a link to a relevant Red Hat Knowledgebase article. This helps users identify typical problems and address their cause. (BZ#1248686)
New package: rear
Relax-and-Recover (rear) is a recovery and system migration utility. Written in bash, it allows you to use tools already present on your system to continuously create recovery images which can be saved locally or on a remote server, and to use these images to easily restore the system in case of software or hardware failure. The tool also supports integration with various external tools such as backup solutions (Symantec NetBackup, duplicity, IBM TSM, etc.) and monitoring systems (Nagios, Opsview).
The rear utility is available in base channels for all variants of Red Hat Enterprise Linux 6.8 on all architectures.
The utility produces a bootable image and restores from backup using this image. It also allows restoring to different hardware and can therefore be used as a migration utility as well. (BZ#981637)
iostat now supports separate statistics for r_await and w_await
The iostat tool now supports separate statistics for r_await (average time for read requests issued to the device to be served) and w_await (average time for write requests issued to the device to be served) in the Device Utilization Report. Use the -x option to obtain a report which includes this information. (BZ#1185057)
TLS 1.1 and 1.2 are now enabled by default in libcurl
Previously, versions 1.1 and 1.2 of the TLS protocol were disabled by default in libcurl. Users were required to explicitly enable these TLS versions in utilities based on libcurl in order to allow these utilities to securely communicate with servers that do not accept SSL 3.0 and TLS 1.0 connections. With this update, TLS 1.1 and TLS 1.2 are no longer disabled by default in libcurl. You can, however, explicitly disable them using the libcurl API. (BZ#1289205)
libcurl can now connect to SCP and SFTP servers through an HTTP proxy
Implementations of the SCP and SFTP protocols in libcurl have been enhanced and now support tunneling through HTTP proxies. (BZ#1258566)
abrt can now exclude specific programs from being dumped
Previously, ignoring crashes of blacklisted programs in abrt did not prevent it from creating their core dumps - the dumps were still written to disk and then deleted. This approach allowed abrt to notify system administrators of a crash while not using disk space to store unneeded crash dumps. However, creating these dumps only to delete them later was unnecessarily wasting system resources. This update introduces a new configuration option IgnoredPaths in the /etc/abrt/plugins/CCpp.conf configuration file, which allows you to specify a comma-separated list of file system path globs which will not be dumped at all. (BZ#1208713)
User and group whitelisting added to abrt
Previously, abrt allowed all users to generate and collect core dumps, which could potentially enable any user to maliciously generate a large number of core dumps and waste system resources. This update adds a whitelisting functionality to abrt, and you can now only allow specific users or groups to generate core dumps. Use the new AllowedUsers = user1, user2, ... and AllowedGroups = group1, group2, ... options in the /etc/abrt/plugins/CCpp.conf configuration file to restrict core dump generation and collection to these users or groups, or leave these options empty to configure abrt to process core dumps for all users and groups. (BZ#1256705)
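The whitelist rule described above can be checked against a CCpp.conf before it is rolled out. The following shell function is an added example, not code from abrt or from these release notes: it models the rule as the note states it (both lists empty means all users; otherwise the crash owner must be listed in AllowedUsers or belong to a group in AllowedGroups). The function names, the group arguments and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example: evaluate the AllowedUsers / AllowedGroups whitelist from a
# CCpp.conf for one account. This models the rule as the release note words
# it; it is not abrt's own code.
#
# Usage: abrt_dump_allowed CONF USER [GROUP...]
# Prints "allowed" or "denied" for a crash owned by USER, who is a member of
# the listed GROUPs (assumption: the caller supplies the group membership).
abrt_dump_allowed() {
    conf=$1; user=$2; shift 2
    groups=$*
    awk -v user="$user" -v groups="$groups" '
        # Split "a, b ,c" into set[] keyed by trimmed name; return the count.
        function load(list, set,    n, i, parts, name, count) {
            n = split(list, parts, ",")
            for (i = 1; i <= n; i++) {
                name = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                if (name != "") { set[name] = 1; count++ }
            }
            return count + 0
        }
        /^[ \t]*#/ { next }                       # skip comment lines
        /^[ \t]*AllowedUsers[ \t]*=/  { sub(/^[^=]*=/, ""); users = $0 }
        /^[ \t]*AllowedGroups[ \t]*=/ { sub(/^[^=]*=/, ""); grps = $0 }
        END {
            nu = load(users, U); ng = load(grps, G)
            verdict = "denied"
            if (nu + ng == 0) {
                verdict = "allowed"               # both lists empty: everyone
            } else if (user in U) {
                verdict = "allowed"
            } else {
                n = split(groups, mine, " ")
                for (i = 1; i <= n; i++)
                    if (mine[i] in G) verdict = "allowed"
            }
            print verdict
        }' "$conf"
}

# Constructed sample: a CCpp.conf excerpt and three hypothetical accounts.
abrt_dump_allowed_demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        '# constructed CCpp.conf excerpt' \
        'AllowedUsers = root, appsvc' \
        'AllowedGroups = wheel' \
        > "$tmp"
    abrt_dump_allowed "$tmp" appsvc appsvc      # listed user
    abrt_dump_allowed "$tmp" dave users wheel   # member of a listed group
    abrt_dump_allowed "$tmp" mallory users      # neither
    rm -f "$tmp"
}
```

A configuration where every account comes back as allowed has both options empty, which is the unrestricted behavior the entry describes.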
libvpd rebased to version 2.2.5
The libvpd packages have been upgraded to upstream version 2.2.5, which provides a number of bug fixes and enhancements over the previous version. Notably, this version includes:
- Improved error handling
- Security improvements such as fixing a potential buffer overflow and memory allocation validation (BZ#1148140)
libservicelog rebased to version 1.1.15
The libservicelog packages have been upgraded to upstream version 1.1.15, which provides a number of bug fixes and enhancements over the previous version. (BZ#1148141)
sysctl configuration files can now contain longer lines
Previously, sysctl configuration files could only contain lines up to 255 characters long. With this update, the maximum acceptable line length has been increased to 4095 characters. (BZ#1201024)
ps can now display thread cgroups
This update introduces a new format specifier thcgr, which can be used to display the cgroup of each listed thread. (BZ#1284076)
reporter-upload now allows configuring optional SSH keys
The reporter-upload tool, which is used by abrt to submit collected problem data, now allows you to use optional SSH key files. You can specify a key file using one of the following ways:
- The SSHPublicKey and SSHPrivateKey options in the /etc/libreport/plugins/upload.conf configuration file.
- Using -b and -r command line options for the public and private key, respectively.
- Setting the Upload_SSHPublicKey and Upload_SSHPrivateKey environment variables, respectively.
If none of these options or variables are used, reporter-upload will attempt to use the default SSH key from the user's ~/.ssh/ directory. (BZ#1261120)
Chapter 17. Virtualization
Support for Hyper-V storage with 4096-byte sectors
Red Hat Enterprise Linux guests running on the Microsoft Hyper-V hypervisor are now able to properly handle 4096-byte sectors for Hyper-V storage when such sector size is reported by the host. This can significantly improve the I/O performance of Red Hat Enterprise Linux guests running on the described type of storage. (BZ#1217570)
Red Hat Enterprise Linux guests now support reporting kernel crashes on Hyper-V
Red Hat Enterprise Linux guests running on the Microsoft Hyper-V hypervisor are now able to report kernel crashes to the Hyper-V host. If such a crash occurs, the kernel panic notification data is captured in the Windows Event Viewer as an 18590 event. The event contains the relative instruction pointer (RIP) and 4 basic CPU registers. (BZ#1229904)
Hyper-V guests now support TRIM
Red Hat Enterprise Linux virtual machines on Hyper-V now support performing the TRIM operation on Hyper-V virtual hard disk (VHDX) files. This prevents VHDX files on these machines from growing to excessive sizes. As a result, it is now possible to use thin-provisioned VHDX storage. (BZ#1247699)
Hyper-V guests now support Windows 10 protocol
This update introduces support for Windows 10 and Windows Server 2016 host protocols when Red Hat Enterprise Linux is running as a guest on Microsoft Hyper-V. (BZ#1267592)
Setting the account password is now possible for any guest user
The guest-set-user-password command has been introduced for the QEMU guest agent. This allows setting the account password for any guest user, including the root, when using QEMU and KVM. (BZ#1174181)
virtio-win support for Windows 10
The virtio-win package now includes drivers for Windows 10, which allows users of virtio-win to create Windows 10 guests. (BZ#1275050)
Red Hat Enterprise Linux 6 Hyper-V Generation 2 guests fully supported
With Red Hat Enterprise 6.8, it is fully supported for Red Hat Enterprise Linux 6 to be hosted as Generation 2 virtual machines on the 2012 R2 and later versions of the Microsoft Hyper-V Server host. In addition to the functions supported in the previous generation, Generation 2 provides new functions on a virtual machine, such as boot from a SCSI virtual hard disk, or UEFI firmware support. (BZ#1056676)
New package: WALinuxAgent
The Microsoft Azure Linux Agent (WALA) version 2.0.16 has been included in the Extras channel. This agent supports the provisioning and running of Linux Virtual Machines in the Windows Azure cloud and should be installed on Linux images that are built to run in the Windows Azure environment. (BZ#1215872)
virt-who rebased to version 0.16-7
- virt-who queries of the Hyper-V hypervisor have been extended to include the capacity (socket counts so that the subscription applied to the hypervisor can be evaluated), name, and type to be displayed in the SMS inventory to make it easier for the user to identify the system.
- The virt-who interval, VIRTWHO_INTERVAL=, has been extended to 1 minute to prevent failures in communication with Subscription-Manager.
- virt-who now supports connecting Red Hat Enterprise Virtualization Manager (RHEV-M) and the Hyper-V hypervisor through proxy.
- virt-who now allows filtering for hosts that are sent by virt-who to Red Hat Subscription-Manager.
- virt-who is able to report which virtual guests of virtual machines are active on all known hypervisors. (BZ#1258765)
Chapter 18. Red Hat Software Collections
Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures. Red Hat Developer Toolset is included as a separate Software Collection.
Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Since Red Hat Software Collections 2.3, the Eclipse development platform is provided as a separate Software Collection.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can choose which package version they want to run at any time.
Important
Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.
Part II. Known Issues
This part documents known problems in Red Hat Enterprise Linux 6.8.
Chapter 19. General Updates
resource-agents-sap-hana shipped in an incorrect channel
The resource-agents-sap-hana package has been available as part of the High Availability Add-On in Red Hat Enterprise Linux 6.7 and 6.8. However, asynchronous updates for this package were made available through the Red Hat Enterprise Linux for SAP HANA repository. Consequently, package updates on systems that do not enable both the Red Hat Enterprise Linux High Availability Add-On and Red Hat Enterprise Linux for SAP HANA repositories can fail. To avoid this problem, enable both the RHEL for SAP HANA and Red Hat Enterprise Linux High Availability channels in Red Hat Subscription Manager, Red Hat Network, or Red Hat Network Satellite prior to updating any applicable systems. If you do not have access to SAP HANA content, remove the resource-agents-sap-hana package by running the rpm -e command. (BZ#1334776)
Incorrect information about the expected default settings of services in Red Hat Enterprise Linux 7
The module of Preupgrade Assistant that handles initscripts provides incorrect information about the expected default settings of the services in Red Hat Enterprise Linux 7 according to the /usr/lib/systemd/system-preset/90-default.preset file in Red Hat Enterprise Linux 7 and according to the current settings of the Red Hat Enterprise Linux 6 system. In addition, the module does not check the default settings of the system but only the settings for the runlevel used during the processing of the check script, which might not be the default runlevel of the system. As a consequence, initscripts are not handled in the anticipated way and the new system needs more manual action than expected. However, the user is informed about the settings that will be chosen for relevant services, despite the presumable default settings. (BZ#1366671)
The default value of first_valid_uid in Dovecot has changed in Red Hat Enterprise Linux 7
Since Red Hat Enterprise Linux 7.3, the default value of the first_valid_uid configuration option of Dovecot has changed from 500 in Red Hat Enterprise Linux 6 to 1000 in Red Hat Enterprise Linux 7. Consequently, if a Red Hat Enterprise Linux 6 installation does not have first_valid_uid explicitly defined, the Dovecot configuration will not allow users with UID less than 1000 to log in after the update to Red Hat Enterprise Linux 7.
To avoid breaking the configuration, redefine first_valid_uid to 500 after the upgrade in the /etc/dovecot/conf.d/10-mail.conf file. Note that only installations where first_valid_uid is not explicitly defined are affected by this problem. (BZ#1388967)
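To find out before the upgrade whether an installation is affected, the check below (an added example, not part of the original release notes) looks for an explicit first_valid_uid setting and, if there is none, lists the local accounts with UIDs from 500 to 999. The function names and the sample files are constructed for illustration; it assumes the configuration lives in dovecot.conf and conf.d/*.conf and that mail users are local passwd accounts.

```shell
#!/bin/sh
# Added example: pre-upgrade audit for the first_valid_uid default change.
#
# Usage: dovecot_uid_audit [DOVECOT_DIR] [PASSWD_FILE]
# Prints "explicit" when first_valid_uid is set in the configuration (the
# installation is not affected). Otherwise prints one "name:uid" line for
# every account that the RHEL 6 default (500) accepts and the RHEL 7
# default (1000) rejects.
dovecot_uid_audit() {
    conf_dir=${1:-/etc/dovecot}
    passwd_file=${2:-/etc/passwd}

    # Only an uncommented assignment counts; "#first_valid_uid = 500" is the
    # commented-out default and leaves the installation affected.
    if grep -Eqs '^[[:space:]]*first_valid_uid[[:space:]]*=' \
            "$conf_dir/dovecot.conf" "$conf_dir"/conf.d/*.conf; then
        echo "explicit"
        return 0
    fi

    # No explicit value: accounts with 500 <= UID < 1000 lose access.
    awk -F: '$3 >= 500 && $3 < 1000 { print $1 ":" $3 }' "$passwd_file"
}

# Constructed sample data: a configuration with the option commented out and
# a passwd file with accounts on both sides of the new threshold.
dovecot_uid_audit_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/dovecot/conf.d"
    printf '%s\n' \
        'mail_location = maildir:~/Maildir' \
        '#first_valid_uid = 500' \
        > "$tmp/dovecot/conf.d/10-mail.conf"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:500:500::/home/alice:/bin/bash' \
        'bob:x:712:712::/home/bob:/sbin/nologin' \
        'carol:x:1000:1000::/home/carol:/bin/bash' \
        > "$tmp/passwd"
    dovecot_uid_audit "$tmp/dovecot" "$tmp/passwd"
    rm -rf "$tmp"
}
```

Any account the audit prints needs first_valid_uid = 500 set explicitly, as described above, to keep working after the upgrade.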
Chapter 20. Authentication and Interoperability
Do not use SELinux in enforcing mode when sharing the root directory
Samba requires a shared directory to be labeled samba_share_t when SELinux is in enforcing mode. However, when sharing the whole root directory of the system by using the path = / configuration in the /etc/samba/smb.conf file, labeling the root directory as samba_share_t causes critical system malfunctions.
Red Hat strongly discourages users from labeling the root directory with the samba_share_t label. Therefore, do not use SELinux in enforcing mode when sharing the root directory using Samba. (BZ#1320172)
SSSD does not support the LDAP externalUser attribute
The System Security Services Daemon (SSSD) service is missing support for the externalUser LDAP attribute of the Identity Management (IdM) schema. In consequence, the assignment of sudo rules to local accounts, such as by using the /etc/passwd file, fails. The problem affects only accounts outside of the IdM domains and Active Directory (AD) trusted domains.
To work around this problem, set the LDAP sudo search base as follows in the [domain] section of the /etc/sssd/sssd.conf file:
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
This enables SSSD to resolve users defined in externalUser. (BZ#1321884)
SSSD incorrectly creates local overrides in an AD environment
The sss_override tool creates case-insensitive distinguished names (DN) when the id_provider option is set to ad in the /etc/sssd/sssd.conf file. However, the DNs in the SSSD cache are stored case-sensitive. As a consequence, local overrides are not created for users from the Active Directory (AD) subdomain or for users with mixed-case account names. (BZ#1327272)
sssd_be does not terminate forked child processes
When the id_provider option is set to ad in the /etc/sssd/sssd.conf file, a helper process inside sssd_be processes sometimes fails. In consequence, the process is spawning new sssd_be instances, which consume additional memory. To work around this problem, install the adcli package and restart the sssd daemon. (BZ#1336453)
SSSD fails to manage sudo rules from the IdM LDAP tree
The System Security Services Daemon (SSSD) currently uses the IdM LDAP tree by default. As a consequence, it is not possible to assign sudo rules to non-POSIX groups. To work around this problem, modify the /etc/sssd/sssd.conf file to set your domain to use the compat tree again:
[domain/EXAMPLE]
...
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
As a result, SSSD will load sudo rules from the compat tree and you will be able to assign rules to non-POSIX groups.
Note that Red Hat recommends configuring groups referenced in sudo rules as POSIX groups.
The HP keyboard KUS1206 does not handle smart cards correctly and can become unresponsive
When using the HP keyboard KUS1206 with a built-in smart card reader, you might experience the following problems:
- The keyboard detects smart cards inconsistently.
- When the user logs in to the system with a password and the smart card is not inserted, the following message appears continuously in the /var/log/messages file: pcscd: commands.c:957:CmdGetSlotStatus Card absent or mute
- The keyboard sometimes becomes unresponsive.
Chapter 21. Compiler and Tools
LVM2 detection on FCoE storage and mounting of file systems specified in /etc/fstab on FCoE storage can fail
The fcoe init scripts cannot determine what devices can be assigned through the FCoE storage fabric, and therefore whether the startup process needs to wait for device discovery. Consequently, logical volume (LVM2) detection on FCoE attached storage and mounting of file systems specified in /etc/fstab on FCoE storage can fail during system startup due to an incomplete FCoE device discovery.
To work around this problem, use /dev/disk/by-path/fc-* symbolic links as the specified block special device in /etc/fstab along with the _netdev mount option. The fcoe init script waits longer for the specified devices to attach.
Sometimes, Fibre Channel by-path symbolic links are not a suitable option, such as when using LVM2 or mounting by labels. You can, starting with version 1.0.28 of the fcoe-utils packages, use the MINIMUM_WAIT option in the /etc/fcoe/config file in such cases.
The default value of MINIMUM_WAIT is 0. Set the value to the number of seconds you want the fcoe init script to delay allowing device discovery to complete. Using MINIMUM_WAIT adds time to the system boot process, but could be necessary to allow block devices to be present before LVM2 and file system mounting scripts are run. (BZ#980961)
Chapter 22. Desktop
Using Radeon or Nouveau can cause incorrectly rendered graphics
A bug in the Xorg server can, under rare circumstances, cause graphics to be rendered incorrectly if using the Radeon or Nouveau graphics device driver. For example, the Thunderbird message pane can be displayed incorrectly.
For Nouveau, as a workaround, add the WrappedFB option to the xorg.conf file as follows:
Section "Device"
    Identifier "nouveau-device"
    Driver "nouveau"
    Option "WrappedFB" "true"
EndSection
This workaround avoids the faulty logic in the X server, and the Thunderbird message pane will be displayed correctly. (BZ#1076595)
Chapter 23. Installation and Booting
BFS installation fails on VV when automatic LVM partitioning is selected
When attempting installation using Boot From SAN (BFS) with an HP StoreServ 3PAR Storage Volume (VV), the installation fails during disk partitioning and LVM volume group activation with the message:
Volume group "VolGroup" has insufficient free space.
The failure is seen across all StoreServ volume types (Std VV, TPVV, TDVV). To work around this problem, if using LVM, select the Custom Partition Layout option and reduce the swap and /home partition size by 1-2 GB. If not using LVM, select the Standard Partition option. (BZ#1190264)
Using the --nocore option in the %packages section of a kickstart file may result in a broken system
If the --nocore option is used in the %packages section of a kickstart file, core system packages and libraries will not be installed, which may result in the system being unable to perform essential tasks such as user creation, and may render the system unusable. To avoid this problem, do not use --nocore. (BZ#1191897)
The zipl boot loader requires target information in each section
When calling the zipl tool manually from a command line using a section name as a parameter, the tool was previously using the target defined in the default section of the /etc/zipl.conf file. In the current version of zipl, the default section's target is not being used automatically, resulting in an error.
To work around the problem, manually edit the /etc/zipl.conf configuration file and copy the line starting with target= from the default section to every section. (BZ#1203627)
The installer displays the number of multipath devices and number of multipath devices selected incorrectly
Multipath devices are configured properly, but the installer displays the number of devices and number of selected devices incorrectly. There is no known workaround at this point. (BZ#914637)
The installer displays the amount of disk space within multipath devices incorrectly
Multipath devices are configured properly, but the installer displays disk space and number of devices incorrectly. There is no known workaround at this point. (BZ#1014425)
Chapter 24. Kernel
e1000e cards might not get an IPv4 address
Some e1000e network interface cards (NICs) might fail to get an IPv4 address assigned after the system is rebooted. To work around this problem, add the following line to the /etc/sysconfig/network-scripts/ifcfg-<interface> file:
LINKDELAY=10
(BZ#822725)
System freeze when loading Intel Skylake integrated graphics cards
On systems with Intel Skylake integrated graphics cards present, the system can freeze during the initial boot process when it starts to load the video driver. This known issue is caused by a race condition in version 2.6.32 of the kernel firmware loader.
As a workaround, if using the installer CD, try installing with the basic video driver. Otherwise, add the nomodeset parameter to the kernel command line, which instructs the kernel not to load the Intel Skylake integrated graphics driver and to use BIOS modes instead. (BZ#1309875)
ecb fails when dracut is not upgraded
When upgrading only the kernel rpm from Red Hat Enterprise Linux 6.7 to version 6.8, it is necessary to also upgrade the dracut package to the latest version, that is dracut-004-409.el6.rpm, to enable the ecb module to work.
The ecb kernel module is needed by the drbg kernel module when using the AES implementation on non-x86 architectures. Otherwise, the drbg AES implementation fails with a warning message while other drbg modules still work. (BZ#1315832)
kernel panic in xfrm6 stack
During an overload and when Ethernet Flow Control is disabled, if IPSec policy is configured for the IPv6 protocol, sending UDP datagrams over the IPv6 protocol can lead to a kernel panic.
So far, there is no workaround or fix available. (BZ#1327680)
Intel Xeon v5 causes GPU to hang
On GT3 and GT4 architectures, Intel Xeon v5 integrated graphics can experience problems with GPU lock-up, leading to GPU hang.
As a workaround, add the i915.enable_rc6=0 option to the kernel command line to disable the RC6 power saving state on Intel Xeon v5. (BZ#1323945)
Chapter 25. Networking
The keyingtries libreswan option set to 0 is mistakenly interpreted as 1
The default value of keyingtries is 0, which means 'retry forever'. Due to this bug, if a temporary problem occurs during an active negotiation, the connection will not be attempted more than once.
To work around this problem, set the keyingtries option to a sufficiently large number. (BZ#1289498)
Chapter 26. Storage
Change in behavior of lvchange --zero n
When the lvchange --zero n command is run against an active thin pool, the change will not take effect until the next time the pool is deactivated. In previous releases it took effect immediately, and this behavior will be reinstated in a future release. (BZ#1328245)
Chapter 27. System and Subscription Management
Some Italian text is missing from subscription-manager
Due to some missing translations in the subscription-manager tool, when using subscription-manager in Italian, some messages will appear in English. (BZ#1318404)
ReaR supports only grub during system recovery
ReaR supports only the grub boot loader. Consequently, ReaR cannot automatically recover a system with a different boot loader. Notably, yaboot is not yet supported by ReaR on PowerPC machines. To work around this problem, edit the boot loader manually. (BZ#1313874)
ReaR works only on the eth0 interface
ReaR produces a rescue system that does not support mounting an NFS server using an interface other than eth0. Consequently, the backup files cannot be downloaded and the system cannot be restored. To work around this problem, ensure that the used interface is eth0 by restarting dhclient. (BZ#1313417)
ReaR fails to create an ISO on IBM System z
ReaR is unable to create an ISO image on IBM System z systems. To work around this problem, use a different type of rescue system than ISO. (BZ#1309597)
ReaR creates two ISO images instead of one
In ReaR, the OUTPUT_URL directive enables specifying location for the ISO image containing the rescue system. Currently, with this directive set, ReaR creates two copies of the ISO image: one in the specified directory and one in the /var/lib/rear/output/ default directory. This requires additional space for the image. This is especially important if a full-system backup is included into the ISO image (using the BACKUP=NETFS and BACKUP_URL=iso:///backup/ configuration).
To work around this behavior, delete the extra ISO image once ReaR has finished working or, to avoid having a period of time with double storage consumption, create the image in the default directory and then move it to the desired location manually.
There is a request for enhancement to change this behavior and make ReaR create only one copy of the ISO image. (BZ#1320551)
Chapter 28. Virtualization
Limited CPU support for Windows 10 and Windows Server 2016 guests
On a Red Hat Enterprise 6 host, Windows 10 and Windows Server 2016 guests can only be created when using the following CPU models:
- the Intel Xeon E series
- the Intel Xeon E7 family
- Intel Xeon v2, v3, and v4
- Opteron G2, G3, G4, G5, and G6
For these CPU models, also make sure to set the CPU model of the guest to match the CPU model detected by running the virsh capabilities command on the host. Using the application default or hypervisor default prevents the guests from booting properly.
To be able to use Windows 10 guests on Legacy Intel Core 2 processors (also known as Penryn) or Intel Xeon 55xx and 75xx processor families (also known as Nehalem), add the following flag to the Domain XML file, with either Penryn or Nehalem as MODELNAME:
<cpu mode='custom' match='exact'>
  <model>MODELNAME</model>
  <feature name='erms' policy='require'/>
</cpu>
Other CPU models are not supported, and both Windows 10 guests and Windows Server 2016 guests created on them are likely to become unresponsive during the boot process. (BZ#1252134)
Resizing VHDX files can take a very long time
When an ext3 file system is being used in the guest, resizing very large Microsoft Hyper-V virtual hard disk (VHDX) devices in some cases causes the VHDX file to grow to an excessive size, and thus takes significantly longer than intended. To work around this problem, use ext4 or xfs file systems, or set the following custom parameters when creating VHDX files:
- VHDX BlockSize = 1MB
- flex_bg=4096
These ensure that VHDX files require the expected amount of disk space, which in turn makes file system operations much faster. (BZ#1024137)
Multifunction does not work correctly when hot-plugging virtual PCI devices
Hot-plugging a new function on a virtual PCI device that has the multifunction option enabled does not correctly trigger PCI device initialization. As a consequence, the guest does not recognize the hot-plugged function, and thus cannot use it. To work around this problem, initiate a rescan of the PCI Host Bridge in the guest, for example with the following command:
# echo 1 > /sys/bus/pci/devices/0000\:00\:00.0/rescan
In the above example, replace 0000\:00\:00.0 with the correct bus:device:function combination of the device you wish to rescan.
This forces the guest device drivers to configure newly hot-plugged devices for use, and thus makes the function available. (BZ#1208430)
Soft-rebooted Windows guests cannot detect some of their bootable devices
Under certain circumstances, soft-rebooting a Windows guest (for example by using the Ctrl+Alt+Del keys) causes the guest not to detect some of its bootable devices. To work around this problem, perform a hard reboot of the guest - for example by the Shutdown button in the virt-manager interface, or by the system_reset command in the QEMU monitor console. (BZ#1129549)
Using qemu-img to modify an image that is in use can corrupt the image
Opening a QEMU disk image from multiple processes at the same time, for example by attempting to take a snapshot of a QEMU image while the guest is running, in some cases corrupts the image. To avoid this problem, never use the qemu-img utility to modify images in use by a running virtual machine or any other process. In addition, be aware that querying an image that is being modified by another process may trigger an inconsistent state error. This update also adds an admonition about the mentioned problem to the qemu-img(1) man page. (BZ#1297424)
virtio-win VFD files do not contain Windows 10 drivers
Due to limitations on the floppy device file size, the virtual floppy disk (VFD) files in the virtio-win packages do not contain a Windows 10 folder. If you need to install Windows 10 drivers from a VFD, use the Windows 8 or Windows 8.1 drivers instead. Alternatively, the Windows 10 drivers can be installed from the ISO file in the /usr/share/virtio-win/ directory. (BZ#1315940)
Booting virtual machines with the fsgsbase and smep flags on older host CPUs fails
The fsgsbase and smep CPU flags are not properly emulated on certain older CPU models, such as the early Intel Xeon E processors. As a consequence, using fsgsbase and smep when booting a Windows guest virtual machine on a host with one of the described CPUs causes the boot to fail. Similarly, using smep when booting a Red Hat Enterprise Linux guest virtual machine on a host with one of the described CPUs causes the boot to fail. To work around this problem, do not use fsgsbase and smep if the CPU does not support them. (BZ#1371765)
Appendix A. Component Versions
This appendix is a list of components and their versions in the Red Hat Enterprise Linux 6.8 release.
Component | Version
---|---
Kernel | 2.6.32-642
QLogic qla2xxx driver | 8.07.00.26.06.8-k
QLogic ql2xxx firmware | ql2100-firmware-1.19.38-3.1, ql2200-firmware-2.02.08-3.1, ql23xx-firmware-3.03.27-3.1, ql2400-firmware-7.03.00-1, ql2500-firmware-7.03.00-1
Emulex lpfc driver | 0:11.0.0.4
iSCSI initiator utils | iscsi-initiator-utils-6.2.0.873-21
DM-Multipath | device-mapper-multipath-0.4.9-93
LVM | lvm2-2.02.143-7
Appendix B. Revision History
Revision | Date
---|---
0.2-8 | Thu Apr 27 2017
0.2-7 | Tue Mar 21 2017
0.2-6 | Mon Mar 13 2017
0.2-5 | Fri Dec 16 2016
0.2-4 | Thu Oct 27 2016
0.2-3 | Wed Oct 25 2016
0.2-1 | Wed Sep 07 2016
0.2-0 | Mon Aug 29 2016
0.1-9 | Mon Aug 01 2016
0.1-8 | Fri Jul 01 2016
0.1-6 | Wed Jun 08 2016
0.1-4 | Fri Jun 03 2016
0.1-3 | Fri May 27 2016
0.1-2 | Mon May 16 2016
0.1-1 | Thu May 12 2016
0.1-0 | Tue May 10 2016
0.0-5 | Tue Mar 15 2016
Legal Notice
Copyright © 2016-2017 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.