7.7 Release Notes

SSSD now fully supports sudo rules stored in AD

The System Security Services Daemon (SSSD) now fully supports sudo rules stored in Active Directory (AD). This feature was first introduced in Red Hat Enterprise Linux 7.0 as a Technology Preview. Note that the administrator must update the AD schema to support sudo rules.

SSSD no longer uses the fallback_homedir value from the [nss] section as fallback for AD domains

Prior to RHEL 7.7, the SSSD fallback_homedir parameter in an Active Directory (AD) provider had no default value. If fallback_homedir was not set, SSSD used instead the value from the same parameter from the [nss] section in the /etc/sssd/sssd.conf file. To increase security, SSSD in RHEL 7.7 introduced a default value for fallback_homedir. As a consequence, SSSD no longer falls back to the value set in the [nss] section. If you want to use a different value than the default for the fallback_homedir parameter in an AD domain, you must manually set it in the domain’s section.

Directory Server rebased to version 1.3.9.1

The 389-ds-base packages have been upgraded to upstream version 1.3.9.1, which provides a number of bug fixes and enhancements over the previous version.

The Directory Server Auto Membership plug-in can now be additionally invoked by modify operations

This update enhances the Auto Membership plug-in in Directory Server to work with modify operations. Previously, the plug-in was only invoked by ADD operations. When an administrator changed a user entry, and that change impacted what Auto Membership groups the user belonged to, the user was not removed from the old group and only added to the new group. With the enhancement provided by this update, users can now configure that Directory Server removes the user from the old group in the mentioned scenario.

The replicaLastUpdateStatusJSON status attribute has been added to replication agreements in Directory Server

This update introduces the replicaLastUpdateStatusJSON status attribute to the cn=<replication_agreement_name>,cn=replica,cn=<suffix_DN>,cn=mapping tree,cn=config entry. The status displayed in the replicaLastUpdateStatus attribute was vague and unclear. The new attribute provides a clear status message and result code and can be parsed by other applications that support the JSON format.

IdM now provides a utility to promote a CA to a CRL generation master

With this enhancement, administrators can promote an existing Identity Management (IdM) certificate authority (CA) to a certificate revocation list (CRL) generation master or remove this feature from a CA. Previously, multiple manual steps were required to configure an IdM CA as CRL generation master, and the procedure was error-prone. As a result, administrators can now use the ipa-crlgen-manage enable and ipa-crlgen-manage disable commands to enable and disable CRL generation on an IdM CA.

A command to detect and remove orphaned automember rules has been added to IdM

Automember rules in Identity Management (IdM) can refer to a hostgroup or a group that has been deleted. Previously, the ipa automember-rebuild command failed unexpectedly and it was difficult to diagnose the reason of the failure. This enhancement adds ipa automember-find-orphans to IdM to IdM to identify and remove such orphaned automember rules.

IdM now supports IP addresses in the SAN extension of certificates

In certain situations, administrators need to issue certificates with an IP address in the Subject Alternative Name (SAN) extension. This update adds this feature. As a result, administrators can set an IP address in the SAN extension if the address is managed in the IdM DNS service and associated with the subject host or service principal.

IdM now supports renewing expired system certificates when the server is offline

With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new ipa-cert-fix command replaces the workaround to manually set the date back to proceed with the renewal process. As a result, the downtime and support costs reduce in the mentioned scenario.

pki-core rebased to version 10.5.16

The pki-core packages have been upgraded to upstream version 10.5.16, which provides a number of bug fixes and enhancements over the previous version.

Certificate System can now create CSRs with SKI extension for external CA signing

With this enhancement, Certificate System supports creating a certificate signing request (CSR) with the Subject Key Identifier (SKI) extension for external certificate authority (CA) signing. Certain CAs require this extension either with a particular value or derived from the CA public key. As a result, administrators can now use the pki_req_ski parameter in the configuration file passed to the pkispawn utility to create a CSR with SKI extension.

Uninstalling Certificate System no longer removes all log files

Previously, Certificate System removed all corresponding logs when you uninstalled subsystems. With this update, by default, the pkidestroy utility no longer removes the logs. To remove the logs when you uninstall a subsystem, pass the new --remove-logs parameter to pkidestroy. Additionally, this update adds the --force parameter to pkidestroy. Previously, an incomplete installation left some files and directories, which prevented a complete uninstallation of a Certificate System instance. Pass --force to pkidestroy to completely remove a subsystem and all corresponding files of an instance.

The pkispawn utility now supports using keys created in the NSS database during CA, KRA, and OCSP installations

Previously, during a Certificate System installation, the pkispawn utility only supported creating new keys and importing existing keys for system certificates. With this enhancement, pkispawn now supports using keys the administrator generates directly in the NSS database during certificate authority (CA), key recovery authority (KRA), and online certificate status protocol (OCSP) installations.

Certificate System now preserves the logs of previous installations when reinstalling the service

Previously, the pkispawn utility reported a name collision error when installing a Certificate System subsystem on a server with an existing Certificate System log directory structure. With this enhancement, Certificate System reuses the existing log directory structure to preserve logs of previous installations.

Certificate System now supports additional strong ciphers by default

With this update, the following additional ciphers, which are compliant with the Federal Information Processing Standard (FIPS), are enabled by default in Certificate System:

The samba packages have been to version 4.9.1

The samba packages have been upgraded to upstream version 4.9.1, which provides a number of bug fixes and enhancements over the previous version. The most notable changes include:

Maximum size of a supported RHEL HA cluster increased from 16 to 32 nodes

With this release, Red Hat supports cluster deployments of up to 32 full cluster nodes.

Improved status display of fencing actions

The output of the pcs status command now shows failed and pending fence actions.

New packages: python3

New python3 packages are available in RHEL 7, which provide the Python 3.6 interpreter, as well as the pip and setuptools utilities. Previously, Python 3 versions were available only as a part of Red Hat Software Collections.

New packages: compat-sap-c++-8

The compat-sap-c++-8 packages contain the libstdc++ library named compat-sap-c++-8.so, which is a runtime compatibility library needed for SAP applications. The compat-sap-c++-8 packages are based on GCC 8.

The elfutils packages have been rebased to version 0.176

The elfutils packages have been upgraded to upstream version 0.176. Notable changes include:

gcc-libraries rebased to version 8.3.1

The gcc-libraries packages have been updated to the upstream version 8.3.1 which brings a number of bug fixes.

Geolite2 Databases are now available

This update introduces Geolite2 Databases as an addition to the legacy Geolite Databases, provided by the GeoIP package.

Date formatting updates for the Japanese Reiwa era

The GNU C Library now provides correct Japanese era name formatting for the Reiwa era starting on May 1st, 2019. The time handling API data has been updated, including the data used by the strftime and strptime functions. All APIs will correctly print the Reiwa era including when strftime is used along with one of the era conversion specifiers such as %EC, %EY, or %Ey.

SystemTap rebased to version 4.0

The SystemTap instrumentation tool has been upgraded to upstream version 4.0. Notable improvements include:

Valgrind rebased to version 3.14

The Valgrind packages have been upgraded to upstream version 3.14, which provides a number of bug fixes and enhancements over the previous version:

Performance Co-Pilot rebased to version 4.3.2

The Performance Co-Pilot (PCP) has been updated to upstream version 4.3.2. Notable improvements include:

ptp4l now supports team interfaces in active-backup mode

With this update, support for team interfaces in active-backup mode has been added into the PTP Boundary/Ordinary Clock (ptp4l).

linuxptp rebased to version 2.0

The linuxptp packages have been upgraded to upstream version 2.0, which provides a number of bug fixes and enhancements over the previous version.

The DateTime::TimeZone Perl module is now aware of recent time zone updates

The Olson time zone database has been updated to version 2018i. Previously, applications written in the Perl language that use the DateTime::TimeZone module mishandled time zones that changed their specifications since version 2017b due to the outdated database.

The trace-cmd packages have been updated to version 2.7

The updated packages provide the latest bug fixes and upstream features. As a result, the Red Hat Enterprise Linux users can now use an up-to-date trace-cmd command.

vim rebased to version 7.4.629

The vim packages have been upgraded to upstream version 7.4.629, which is in RHEL 6. This version provides a number of bug fixes and enhancements over the previous version.

cups-filters updated

The cups-filters packages, distributed in version 1.0.35, have been updated to provide the following enhancements:

Mutter now allows for mass-deployable homogenized display configuration

The Mutter window manager now makes it possible to deploy pre-set display configurations for all users on a system. As a result, Mutter no longer requires that the configuration for each user is copied to its own configuration directory, but it can use a system wide configuration file instead. This feature makes Mutter suitable for mass deployment of homogenized display configuration.

Improved quota reports

The quota tool in non-verbose mode now distinguishes between a file system with no limits and a file system with limits but with no used resources. Previously, none was printed for both use cases, which was confusing.

The graphical installation program now detects if SMT is enabled

Previously, the RHEL 7 graphical installation program did not detect if Simultaneous Multithreading (SMT) was enabled on a system. With this update, the installation program now detects if SMT is enabled on a system. If it is enabled, a warning message is displayed in the Status bar, which is located at the bottom of the Installation Summary window.

New --g-libs option for the find-debuginfo.sh script

This update introduces the new --g-libs option for the find-debuginfo.sh script. This new option is an alternative to previous -g option, which instructed the script to remove only debugging symbols from both binary and library files. The new --g-libs option works the same way as -g, but only for library files. The binary files are stripped completely.

The Image Builder rebased to version 19.7.33 and fully supported

The Image Builder, provided by the lorax-composer package in the RHEL 7 Extras Channel, has been upgraded to version 19.7.33.

Kernel version in RHEL 7.7

Red Hat Enterprise Linux 7.7 is distributed with the kernel version 3.10.0-1062.

Live patching for the kernel is now available

Live patching for the kernel, kpatch, provides a mechanism to patch a running kernel without rebooting or restarting any processes. Live kernel patches will be provided for selected minor release streams of RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important CVEs.

The IMA and EVM features are now supported on all architectures

The Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) are now fully supported on all available architectures. In RHEL 7.6, they were supported only on the AMD64 and Intel 64 architecture.

Spectre V2 mitigation default changed from IBRS to Retpoline in new installations of RHEL 7.7

The default mitigation for the Spectre V2 vulnerability (CVE-2017-5715) for systems with the 6th Generation Intel Core Processors and its close derivatives [1] has changed from Indirect Branch Restricted Speculation (IBRS) to Retpoline in new installations of RHEL 7.7. Red Hat has implemented this change as a result of Intel’s recommendations to align with the defaults used in the Linux community and to restore lost performance. However, note that using Retpoline in some cases may not fully mitigate Spectre V2. Intel’s Retpoline document [2] describes any cases of exposure. This document also states that the risk of an attack is low.

PMTU discovery and route redirection is now supported with VXLAN and GENEVE tunnels

Previously, the kernel in Red Hat Enterprise Linux (RHEL) did not handle Internet Control Message Protocol (ICMP) and ICMPv6 messages for Virtual Extensible LAN (VXLAN) and Generic Network Virtualization Encapsulation (GENEVE) tunnels. As a consequence, Path MTU (PMTU) discovery and route redirection was not supported with VXLAN and GENEVE tunnels. With this update, the kernel handles ICMP "Destination Unreachable" and "Redirect Message", as well as ICMPv6 "Packet Too Big" and "Destination Unreachable" error messages by adjusting the PMTU and modifying forwarding information. As a result, PMTU discovery and route redirection are now supported with VXLAN and GENEVE tunnels.

A new kernel command-line option to disable hardware transactional memory on IBM POWER

RHEL 7.7 introduces the ppc_tm=off kernel command-line option. When the user passes ppc_tm=off at boot time, the kernel disables hardware transactional memory on IBM POWER systems and makes it unavailable to applications. Previously, the RHEL 7 kernel unconditionally made the hardware transactional memory feature on IBM POWER systems available to applications whenever it was supported by hardware and firmware.

Intel® Omni-Path Architecture (OPA) Host Software

Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.7. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

IBPB cannot be directly disabled

With this RHEL kernel source code update, it is not possible to directly disable the Indirect Branch Prediction Barrier (IBPB) control mechanism. Red Hat does not anticipate any performance issues from this setting.

kernel-rt source tree now matches the latest RHEL 7 tree

The kernel-rt sources have been upgraded to be based on the latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and enhancements over the previous version.

The RHEL 7 kernel-rt timer wheel has been updated to a non-cascading timer wheel

The current timer wheel has been switched to a non-cascading wheel which improves the timer subsystem and reduces the overheads on many operations. With the backport of the non-cascading timer wheel, kernel-rt is very close to the upstream kernel in enabling the backport of future improvements.

rpz-drop now prevents BIND for repetitive resolving of unreachable domain

The Berkeley Internet Name Domain (BIND) version distributed with RHEL 7.7 introduces the rpz-drop policy, which enables to mitigate DNS amplification attacks. Previously, if an attacker generated a lot of queries for an irresolvable domain, BIND was constantly trying to resolve such queries, which caused considerable load on CPU. With rpz-drop, BIND does not process the queries when the target domain is unreachable. This behavior significantly saves CPU capacity.

bind rebased to version 9.11

The bind packages have been upgraded to upstream version 9.11, which provides a number of bug fixes and enhancements over the previous version:

ipset rebased to version 7.1

The ipset packages have been upgraded to upstream version 7.1, which provides a number of bug fixes and enhancements over the previous version:

NetworkManager now supports VLAN filtering on bridge interfaces

With this enhancement, administrators can configure virtual LAN (VLAN) filtering on bridge interfaces in the corresponding NetworkManager connection profiles. This enables administrators to define VLANs directly on bridge ports.

NetworkManager now supports configuring policy routing rules

Previously, users must set up policy routing rules outside of NetworkManager, for example by using the dispatcher script provided by the NetworkManager-dispatcher-routing-rules package. With this update, users can now configure rules as part of a connection profile. As a result, NetworkManager adds the rules when the profile is activated and removes the rules when the profile is deactivated.

NSS now supports keys restricted to RSASSA-PSS

The Network Security Services (NSS) library now supports keys restricted to Rivest–Shamir–Adleman Signature Scheme with Appendix – Probabilistic Signature Scheme (RSASSA-PSS). The legacy signature scheme, Public Key Cryptography Standard #1 (PKCS#1) v1.5, permits the keys to be reused for encrypting data or keys. This makes those keys vulnerable to signature forging attacks published by Bleichenbacher. Restricting the keys to the RSASSA-PSS algorithm makes them resilient to attacks that utilize decryption.

NSS now accepts signatures with the NULL object only when correctly included in PKCS#1 v1.5 DigestInfo

The first specification of PKCS#1 v1.5-compatible signatures used text that could be interpreted in two different ways. The encoding of parameters that are encrypted by the signer could include an encoding of a NULL ASN.1 object or omit it. Later revisions of the standard made the requirement to include the NULL object encoding explicit.

OpenSC supports HID Crescendo 144K smart cards

With this enhancement, OpenSC supports HID Crescendo 144K smart cards. These tokens are not fully compatible with the Common Access Card (CAC) specification. The token also use some more advanced parts of the specification than CAC tokens issued by the government. The OpenSC driver has been enhanced to manage these tokens and special cases of the CAC specification to support HID Crescendo 144K smart cards.

AES-GCM ciphers are enabled in OpenSSH in FIPS mode

Previously, AES-GCM ciphers were allowed in FIPS mode only in TLS. In the current version, we clarified with NIST that these ciphers can be allowed and certified in OpenSSH, as well.

SCAP Security Guide supports Universal Base Image

SCAP Security Guide security policies have been enhanced to support Universal Base Image (UBI) containers and UBI images, including ubi-minimal images. This enables configuration compliance scanning of UBI containers and images using the atomic scan command. UBI containers and images can be scanned against any profile shipped in SCAP Security Guide. Only the rules that are relevant to secure configuration of UBI are evaluated, which prevents false positives and produces relevant results. The rules that are not applicable to UBI images and containers are skipped automatically.

scap-security-guide rebased to version 0.1.43

The scap-security-guide packages have been upgraded to upstream version 0.1.43, which provides a number of bug fixes and enhancements over the previous version, most notably:

tangd_port_t allows changes of the default port for Tang

This update introduces the tangd_port_t SELinux type that allows the tangd service run as confined with SELinux enforcing mode. That change helps to simplify configuring a Tang server to listen on a user-defined port and it also preserves the security level provided by SELinux in enforcing mode.

A new SELinux type: boltd_t

A new SELinux type, boltd_t, confines boltd, a system daemon for managing Thunderbolt 3 devices. As a result, boltd now runs as a confined service in SELinux enforcing mode.

A new SELinux policy class: bpf

A new SELinux policy class, bpf, has been introduced. The bpf class enables users to control the Berkeley Packet Filter (BPF) flow through SElinux, and allows inspection and simple manipulation of Extended Berkeley Packet Filter (eBPF) programs and maps controlled by SELinux.

shadow-utils rebased to version 4.6

The shadow-utils packages have been upgraded to upstream version 4.6, which provides a number of bug fixes and enhancements over the previous version, most notably the newuidmap and newgidmap commands for manipulating the UID and GID namespace mapping.

chrony rebased to version 3.4

The chrony packages have been upgraded to upstream version 3.4, which provides a number of bug fixes and enhancements over the previous version, notably:

GNU enscript now supports ISO-8859-15 encoding

With this update, support for ISO-8859-15 encoding has been added into the GNU enscript program.

ghostscript rebased to version 9.25

The ghostscript packages have been upgraded to upstream version 9.25, which provides a number of bug fixes and enhancements over the previous version.

libssh2 package rebased to version 1.8.0

This update rebases the libssh2 package to version 1.8.0.

ReaR updates

ReaR has been updated to a later version. Notable bug fixes and enhancements over the previous version include:

tuned rebased to version 2.11

The tuned packages have been upgraded to upstream version 2.11, which provides a number of bug fixes and enhancements over the previous version, notably:

New packages: xorriso

Xorriso is a program for creating and manipulating ISO 9660 images, and for writing CD-ROMs or DVD-ROMs. The program includes the xorrisofs command, which is a recommended replacement for the genisoimage utility. The xorrisofs command has a compatible interface with genisoimage, and provides multiple enhancements over genisoimage. For example, with xorrisofs, maximum file size is no longer limited to 4 GB. Xorriso is suitable for backups, and it is used by Relax-and-Recover (ReaR), a recovery and system migration utility.

Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)

DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.

New scan_lvs configuration setting

A new lvm.conf configuration file setting, scan_lvs, has been added and set to 0 by default. The new default behavior stops LVM from looking for PVs that may exist on top of LVs; that is, it will not scan active LVs for more PVs. The default setting also prevents LVM from creating PVs on top of LVs.

The web console rebased to version 195

The web console, provided by the cockpit packages, has been upgraded to version 195, which provides a number of new features and bug fixes.

virt-v2v can now convert SUSE Linux VMs

You can now use the virt-v2v utility to convert virtual machines (VMs) that use SUSE Linux Enterprise Server (SLES) and SUSE Linux Enterprise Desktop (SLED) guest operating systems (OSs) from non-KVM hypervisors to KVM.

virt-v2v can now use vmx configuration files to convert VMware guests

The virt-v2v utility now includes the vmx input mode, which enables the user to convert a guest virtual machine from a VMware vmx configuration file. Note that to do this, you also need access to the corresponding VMware storage, for example by mounting the storage using NFS. It is also possible to access the storage using SSH, by adding the -it ssh parameter.

virt-v2v converts VMWare guests faster and more reliably

The virt-v2v utility can now use the VMWare Virtual Disk Development Kit (VDDK) to convert a VMWare guest virtual machine to a KVM guest. This enables virt-v2v to connect directly to the VMWare ESXi hypervisor, which improves the speed and reliability of the conversion.

virt-v2v can convert UEFI guests for RHV

Using the virt-v2v utility, it is now possible to convert virtual machines that use the UEFI firmware to run in Red Hat Virtualization (RHV).

virt-v2v removes VMware Tools more reliably

This update makes it more likely that the virt-v2v utility automatically attempts to remove VMware Tools software from a VMware virtual machine that virt-v2v is converting to KVM. Notably, virt-v2v now attempts to remove VMWare Tools in the following scenarios:

Directory Server flushes the entry cache after a back end transaction plug-in failed

Previously, if a back end transaction plug-in failed, Directory Server rolled-back the operation, but did not revert the changes in the entry cache. As a consequence, the entry cache contained incorrect entries. With this update, Directory Server flushes the entry cache after a back end transaction plug-in failed. As a result, clients retrieve the correct data when querying the database in the mentioned situation.

The ds-replcheck utility no longer incorrectly reports non-matching tombstone entries on replicas

Previously, if an administrator ran the ds-replcheck utility on different Directory Server replicas with tombstones present, ds-replcheck reported that one of the replicas was missing the tombstone entries. It is expected that tombstone entries do not match on each replica. With this update, ds-replcheck no longer searches for tombstone entries. As a result, the utility does not report missing tombstone entries as a problem.

Directory Server no longer crashes when shutting down the service while a cleanAllRUV task is running

Previously, stopping the Directory Server service while a cleanAllRUV task was running freed resources the task was using. As a consequence, the service terminated unexpectedly. With this update, Directory Server increments a reference counter that enables the task to complete before the service shutdown process proceeds. As a result, the server no longer crashes in the mentioned scenario.

Directory Server now correctly rejects the current password if passwordInHistory is set to 0

Previously, administrators could not set the passwordInHistory attribute in Directory Server to 0. As a consequence, Users could reset their password to the same password as they currently use. With this update, users can now set passwordInHistory to 0 and, as a result, to check the current password.

Directory Server no longer truncates nsSSL3Ciphers values longer than 1023 characters

Previously, Directory Server used a fixed buffer size to store the preferred TLS ciphers set in the nsSSL3Ciphers parameter in the cn=encryption,cn=config entry. As a consequence, if the value was longer than 1024 characters, the server truncated the value and used only ciphers specified in the first 1023 characters. With this fix, Directory Server no longer uses a fixed buffer size to store the value. As a result, the setting works as expected.

Directory Server no longer uses the CoS attribute with a higher priority than the real attribute

Previously, Directory Server used the operational-default Class of Service (CoS) attribute with a higher priority than the real attribute. As a consequence, the server overwrote the attribute set in a local password with the CoS policy defined in a subtree. This update fixes the problem. As a result, CoS-defined password policies work as expected.

Directory Server now updates the pwdLastSet field of a user on password changes

Previously, if password synchronization was enabled and a user changed a password in Directory Server, the server did not set the pwdLastSet attribute. As a consequence, Active Directory (AD) still forced the user to update the password. Directory Server now updates pwdLastSet in the mentioned scenario. As a result. AD does not force the user to change the password again.

Searches with scope one no longer return incomplete results in Directory Server

Previously, when a user performed a search with a scope set to one, the search operation did not return all expected entries. With this update, Directory Server correctly creates the entry candidates list for one level searches. As a result, the server returns the expected entries.

Directory Server no longer ignores IPv6 addresses in an ACI if both IPv6 and IPv4 addresses are used

Administrators can specify both IPv4 and IPv6 addresses in Access Control Instructions (ACI) to allow or deny access. Previously, if an ACI contained both IPv4 and IPv6 addresses, Directory Server ignored the IPv6 address. As a consequence, the ACI did not work as expected. This update fixes the parsing of the ip keyword in ACIs. As a result, IP-based ACIs work as expected in the mentioned scenario.

Replicating modrdn operations to read-only Directory Server now succeeds

The conflict entry management in Directory Server requires to add tracking entries for modrdn operations. Previously, adding these entries failed on read-only consumers and, as a consequence, modrdn operations could not be replicated to such instances. This update fixes the problem. As a result, replicating modrdn operations to read-only consumers succeeds.

The time after which Directory Server deletes tasks has been changed

Previously, Directory Server deleted task entries 2 minutes after a task finished. As a consequence, applications that were monitoring the task could miss the task result. This update changes the time after which the server deletes tasks. By default, all completed tasks are now deleted after 1 hour, except import and export tasks, which are deleted 24 hours after completion.

Directory Server did not return the shadowWarning attribute if passwordWarning was set lower than 86400

Previously, Directory Server did not return the shadowWarning attribute in searches if the passwordWarning attribute in the cn=config entry was set to a value lower than 86400 seconds (1 day). This update fixes the problem. As a result, the server returns the value of the shadowWarning attribute in the mentioned scenario.

krb5 memory caches are now thread-safe

Previously, the memory caches of the Kerberos V5 login program (krb5) were not completely thread-safe. As a consequence, multi-threaded access terminated unexpectedly in some cases. With this update, the memory caches are cleaned up to be more thread-safe. As a result, no more crashes occur.

krb5 configurations prohibited by FIPS 140-2 can now work again

Previously, Red Hat Enterprise Linux 7.6 build of the Kerberos V5 (krb5) system increased compliance with FIPS 140-2. As a consequence, certain previously permitted configurations that were prohibited by FIPS 140-2 stopped working. With this update, the changes have been reverted, because krb5 only requires to work in FIPS mode, not be FIPS-compliant. As a result, configurations prohibited by FIPS 140-2 can now work again.

Certificate System starts even if the value in the numSubordinates attribute exceeds the number of profile entries

The LDAP numSubordinates operational attribute defines the expected number of profile entries. Previously, Certificate System did not start until all profiles and lightweight Certificate Authorities (CA) were loaded. As a consequence, if the value in the attribute exceeds the number of profile entries the start process did not complete. With this update, a watchdog timer forces the start process to proceed after a short delay in the mentioned scenario and Certificate System logs the unexpected condition. As a result, the Certificate System starts completes even when numSubordinates in the profiles or lightweight CA subtrees exceeds the number of entries in the search result.

TLS_RSA_* ciphers are now disabled by default in Certificate System

Previously, by default, TLS_RSA_* ciphers were enabled in Certificate System. However, in environments with certain hardware security modules (HSM) in Federal Information Processing Standard (FIPS) mode, these ciphers are not supported. As a consequence, the SSL handshake failed and the connection was not established. This update disables TLS_RSA_* ciphers by default. As a result, connections work with those HSMs in FIPS mode.

The Certificate System REST API no longer stores clear text passwords in log files

Previously, the Certificate System REST API did not filter out plain password values. As a consequence, passwords were visible in clear text in log files. With this update, the server replaces password attribute values with "(sensitive)". As a result, clear text passwords are no longer visible in logs.

Client authentication can now be disabled in Certificate System

A previous version of Certificate System added a feature to enforce TLS client authentication when authenticating through CMCAuth. However, certain older applications do not support TLS client authentication and failed to connect to Certificate System. This update adds the bypassClientAuth configuration parameter to the /var/lib/pki/pki-instance_name/ca/conf/CS.cfg file. As a result, administrators can now set this parameter to true to disable client authentication if not supported by certain applications.

Certificate System CA installations succeed when using a PKCS #12 file

Previously, the default value of the pki_ca_signing_cert_path parameter was set to a predefined path. Due to a recent change in the way the pkispawn utility validates the parameter when an administrator used a PKCS #12 file to install a certificate authority (CA), the installation failed with an Invalid certificate path: pki_ca_signing_cert_path=/etc/pki/pki-tomcat/external_ca.cert error. This update fixes the problem by removing the default value of pki_ca_signing_cert_path. As a result, the CA installation succeeds in the mentioned scenario.

The pki utility correctly asks for a password

Previously, if the user did not provide a password using command-line options, the pki utility did not prompt for a password. As a consequence, pki incorrectly reported Error: Missing user password and the operation failed. The pki utility has been fixed to prompt for a password under the described circumstances.

Certificate System automatically shuts down if signed audit logs cannot be stored due to a full file system

Previously, if audit signing was enabled and the file system on which Certificate System stored the signed audit logs was full, Certificate System continued operating but did not log further operations. To prevent missing signed audit logs, Certificate System now shuts down automatically in the mentioned scenario.

SSSD uses the AD LDAP server to retrieve POSIX attributes for initgroup lookups

The SSSD service uses the Active Directory (AD) global catalog (GC) for initgroup lookups, but the POSIX attributes, such as the user home directory or shell, are not replicated to the GC set by default. Consequently, when SSSD requests the POSIX attributes during SSSD lookups, SSSD incorrectly considers the attributes to be removed from the server, because they are not present in the GC, and removes them from the SSSD cache as well. With this update, initgroup lookups now switch between LDAP and GC connection as appropriate, because the AD LDAP server contains the POSIX attributes even without schema modification. As a result, POSIX attributes, such as shell or home directory, are no longer overwritten or missing.

Changing the shell with ypchsh no longer results in an overwritten password when NIS uses passwd.adjunct

Previously, when the NIS server was set up to support the passwd.adjunct map and the user changed the shell on a NIS client by using the ypchsh command, the yppasswdd daemon overwrote the user’s password hash inside passwd.adjunct with the ##username string. Consequently, the affected user was unable to log in due to a corrupted password hash. This bug has been fixed, and yppasswdd no longer overwrites the user’s password hash while updating the user’s shell information. As a result, the user can successfully log in the new shell after running ypchsh.

The SystemTap Dyninst backend works without the dyninst-devel package

The stap --dyninst command uses the SystemTap Dyninst backend. Previously, this backend did not work when the dyninst-devel package was not installed. As a consequence, SystemTap terminated unexpectedly, and users had to manually install dyninst-devel and run the ldconfig tool as a workaround. This bug has been fixed and the SystemTap Dyninst backend now works without the dyninst-devel package.

GDB breakpoint default source file works for symbolic links

Previously, the GDB debugger could not locate the symbol table information for the default source file, if the file was a symbolic link. As a consequence, users could not set breakpoints by omitting the source file name and using the default, such as break 63. This bug has been fixed and users can now use default source files with breakpoints for files behind symbolic links.

The DNS stub resolver in glibc no longer rejects valid host names, such as hostname-.example.com

The DNS stub resolver in glibc rejected certain valid host names, such as hostname-.example.com, and accepted some invalid names. As a consequence, some host names on the Internet could not be resolved. To fix the problem, the DNS name validation functions, such as res hnok, have been adjusted to match user expectations and specifications more closely. As a result, host names of the form hostname-.example.com can now be resolved successfully if they exist in DNS.

iconv no longer hangs when converting from certain IBM character sets

Previously, the glibc converters for the IBM930, IBM933, IBM935, IBM937, and IBM393 character sets returned an error and failed to advance to the next input character when they encountered invalid redundant shift sequences. As a consequence, converting from these character sets using the iconv tool with the -c option to discard these characters made the tool unresponsive, because it could not progress beyond the first occurence of a redundant shift sequence. The converters have been modified to accept these sequences and continue correctly. As a result, the conversions mentioned above are now possible.

iconv can convert between the IBM273 and ISO-8859-1 character sets

Previously, the glibc implementation of the IBM273 character set was not equivalent to the ISO-8859-1 character set. It did not have a representation for the Unicode character MACRON, instead it used the corresponding byte to represent the OVERLINE Unicode character, which has the same visual representation as a MACRON. As a consequence, using the iconv tool provided by glibc to convert IBM273 text containing an OVERLINE character to ISO-8859-1 or ISO-8859-1 text containing a MACRON character to IBM273 resulted in an error during conversion. To fix this bug, the IBM273 character set was made equivalent to the ISO-8859-1 character set by replacing its OVERLINE representation with MACRON. As a result, both character sets now use the MACRON Unicode character, are equivalent, and conversion from one to the other does not lead to an error.

getifaddrs calls can no longer unexpectedly terminate applications

Previously, the network interface list produced by the getifaddrs function in the glibc library could lack interface names if the interfaces changed in the kernel at the same time. As a consequence, applications using getifaddrs could terminate unexpectedly in such situation. This has been fixed and getifaddrs now ensures the list is identical to kernel state. As a result, the unexpected termination mentioned above cannot happen.

Makefiles containing explicit targets before implicit work again

Previously, mixing implicit (pattern) and explicit targets in Makefiles was deprecated. After update to version 3.82, the make build tool returned errors for mixed targets. As a consequence, legacy Makefiles containing mixed targets could not be used. With this update, make can correctly parse situations where an explicit target is listed before an implicit target. As a result, certain legacy Makefiles can now be used again without modification. However, implicit targets before explicit targets still result in an error.

PCP now reports all process details on large systems

Previously, the Performance Co-Pilot (PCP) toolkit failed to report certain process details in some cases on very large systems. The code reading the process details files was changed so that it can read data of arbitrary length, instead of only the first 1024 bytes. As a result, the described PCP error can no longer happen.

strip no longer crashes with certain executable files

Previously, the strip tool contained untrue assumptions about executable file structure. As a consequence, attempting to strip certain executable files could unexpectedly terminate strip. The assumptions about structure have been changed such that this problem can no longer happen and strip works correctly.

Optimized CPU consumption by libdb

A previous update to the libdb database caused an excessive CPU consumption in the trickle thread. With this update, the CPU usage has been optimized.

passwd --stdin no longer limits the password length to 79 characters

When changing a password using the passwd command with the --stdin option, the length of the password was limited to 79 characters. Consequently, when you entered a password longer than 79 characters via standard input, only the first 79 characters were accepted, and no warning was shown. With this update, passwd has been fixed to align the accepted size of the password with size defined by Pluggable Authentication Module (PAM). As a result, the passwd --stdin command now accepts passwords longer than 79 characters, but not longer than PAM_MAX_RESP_SIZE - 1 characters. If that limit is exceeded, passwd reports an error to the standard error output, and exits with exit code 1.

fixfiles no longer incorrectly fails

Previously, the fixfiles script failed if the /etc/selinux/fixfiles_exclude_dirs file contained at least one entry and the /etc/selinux/targeted/contexts/files/file_contexts.local file was not present. With this update, the requirement for existence of /etc/selinux/targeted/contexts/files/file_contexts.local has been removed, and fixfiles now works correctly in the described scenario.

System no longer boots to a blank screen when Xinerama is enabled

When the Xinerama extension was enabled in /etc/X11/xorg.conf on a system using the nvidia or nouveau driver, the RANDR X extension got disabled. Consequently, login screen failed to start upon boot due to the RANDR X extension being disabled. This bug has been fixed and the login screen now starts properly even with Xinerama enabled.

Soft lock-ups fixed during boot in the kernel with i915

On a rare occasion when a GM45 system had an improper firmware configuration, an incorrect DisplayPort hot-plug signal could cause the i915 driver to be overloaded on boot. Consequently, certain GM45 systems experienced very slow boot times while the video driver attempted to work around the problem. In some cases, the kernel also reported soft lock-ups. This bug has been fixed and the lock-ups no longer occur in the described scenario.

X.org server no longer crashes during fast user switching

Previously, the X.Org X11 qxl video driver did not emulate the leaving virtual terminal event on shutdown. Consequently, the X.Org display server terminated unexpectedly during fast user switching, and the current user session was terminated when switching a user. With this update, qxl has been fixed, and the X.org server no longer crashes during fast user switching.

Non-root users can now access SMB shares mounted using the multiuser option

In Red Hat Enterprise Linux (RHEL) 7.5, a fix was added to handle NT LAN Manager (NTLM) authentication when no domain was specified. This change affected how the cifs.ko kernel module selected the domain name when using NTLM. As a consequence, when a server message block (SMB) share was mounted with the multiuser option, an incorrect domain name was selected and non-root users failed to access the mounted SMB share. This update reverts the fix. As a result, shares mounted with multiuser can now be accessed by non-root users in RHEL 7.7.

Setting disk quota limits over a network works again for users occupying more than 4 GB of space on the network file system

Previously, the setquota utility was unable to handle an occupied space greater than 4 GB when communicating with an NFS server due to an incorrect format of the used disk size. Consequently, when setting disk quota limits for a user exceeding 4 GB of used space on a NFS-mounted file system, setquota failed to perform the operation. This update corrects the conversion of the used disk size to an RPC protocol format, and the described problem no longer occurs.

NVDIMM commands are added to the Kickstart script file anaconda-ks.cfg after installation

The installer creates a Kickstart script equivalent to the configuration used for system installation. This script is stored in the /root/anaconda-ks.cfg file. Previously, when the graphical user interface was used to install RHEL, the nvdimm commands used for configuring Non-Volatile Dual In-line Memory (NVDIMM) devices were not added to this file. This bug has been fixed and the Kickstart file now contains the nvdimm commands as expected.

The graphical installation program no longer permits an invalid passphrase

Previously, when installing RHEL 7 using the graphical installation program, it was possible to leave the passphrase field in the Partitioning Disk Encryption Passphrase dialog box empty, click the Save Passphrase button, and finish your partitioning tasks. As a consequence, partitioning was misconfigured and you had to cancel the disk encryption process or enter a valid passphrase. With this update, the Save Passphrase button is available only when you enter a valid and non-empty passphrase.

Using the version or inst.version kernel boot parameters no longer stops the installation program

Previously, booting the installation program from the kernel command line using the version or inst.version boot parameters printed the version, for example anaconda 30.25.6, and stopped the installation program.

The RHEL 7.7 graphical installation now displays supported NVDIMM device sector sizes

Previously, when configuring NVDIMM devices using the graphical user interface (GUI), it was possible to enter an unsupported sector size. No warning message was displayed, and as a consequence, a reconfiguration error occurred. With this update, the sector size dialog box contains a drop-down list that displays only the supported sector sizes of 512 and 4096.

Cancelling a job initiated from cockpit-composer no longer fails

Image build process did not support cancelling an image build. As a consequence, cancelling a job initiated from cockpit-composer GUI using composer-cli compose cancel resulted in a hung compose API server, causing newly queued job builds to not start, and remain in waiting state. To fix the problem, a feature to cancel the Image build process was implemented. As a result, cancelling a job initiated from cockpit-composer no longer fails.

The rpm command now supports the --setcaps and --restore options

This update introduces the --setcaps and --restore options for the rpm command.

GRUB 2 regexp command is no longer missing

Previously, the module providing the regexp command for the Grand Unified Bootloader version 2 (GRUB2) was missing in the GRUB2 EFI binary. As a consequence, on UEFI systems with Secure Boot enabled, using regexp failed with the error: can’t find command `regexp` message. With this update, the module providing regexp is included in the GRUB2 EFI binary and works correctly in the described situation.

Netfilter now supports zero-length CIDR values in certain IP set types

Previously, the kernel rejected a zero-length Classless Inter-domain Routing (CIDR) network mask value in the first and the last parameter in hash:net,port,net and hash:net6,port,net6 IP set types. As a consequence, Netfilter could not match a port against all network destinations. With this update, zero-length CIDR values are allowed in the first and the last parameter of the mentioned IP set types. As a result, administrators can create firewall rules that match a port that is valid for all destinations.

AVC denials for NFS mounted directories mounted on the server side

NFS crossmnt mounts automatically create internal mounts when a process accesses a subdirectory that is used as a mount point on the server. Consequently, SELinux checks whether the process accessing an NFS mounted directory has a mount permission, which may cause Access Vector Cache (AVC) denials. In this update, SELinux permission checking is skipped for internal mounts of this type. As a result, mount permission is not needed when accessing an NFS directory that is mounted on the server side.

The intel_pstate driver loads on the Intel Skylake-X systems with HWP disabled

Previously, with the Intel Skylake-X systems, it was impossible to load the intel_pstate driver if Hardware P-States (HWP) were disabled. As a consequence, the kernel defaulted to loading the acpi_cpufreq driver. This update fixes the problem and intel_pstate now loads correctly in the described scenario.

Data corruption no longer occurs on RAID 10 reshape on top of VDO

Previously, RAID 10 reshape (with both LVM and "mdadm") on top of VDO corrupted data. With this fix, the data corruption no longer occurs. However, Stacking RAID 10 (or other RAID types) on top of VDO does not take advantage of the deduplication and compression capabilities of VDO and is not recommended.

write-behind in RAID1 no longer triggers a kernel panic

Previously, the write-behind mode in the Redundant Array of Independent Disks Mode 1 (RAID1) virtualization technology used the upper layer bio structures. The structures were freed immediately after the bio structures written to bottom layer disks came back. As a consequence, a kernel panic was triggered and the write-behind function could not be used. This update fixes the problem and write-behind can now be used without triggering a kernel panic in the described scenario.

The kernel now supports destination MAC addresses in bitmap:ipmac, hash:ipmac, and hash:mac IP set types

Previously, the kernel implementation of the bitmap:ipmac, hash:ipmac, and hash:mac IP set types only allowed matching on the source MAC address, while destination MAC addresses could be specified, but were not matched against set entries. As a consequence, administrators could create iptables rules that used a destination MAC address in one of these IP set types, but packets matching the given specification were not actually classified. With this update, the kernel compares the destination MAC address and returns a match if the specified classification corresponds to the destination MAC address of a packet. As a result, rules that match packets against the destination MAC address now work correctly.

The kdump kernel is now able to boot after a CPU hot add or hot remove operation

When running Red Hat Enterprise Linux 7 on the little-endian variant of IBM Power Systems with kdump enabled, the kdump crash kernel failed to boot if triggered by the kexec system call after a CPU hot add or hot remove operation. This update fixes the bug by utilizing the CPU online and offline events. As a result, kdump kernel manages to boot in the described scenario.

dnsmasq no longer uses ports lower than 1024 as a source port

Previously, the Domain Name System forwarder (dnsmasq) used for queries all ports below 1024. However, Berkeley Internet Name Domain (BIND) drops DNS queries incoming from some of the low ports. Consequently, the target port 464 was ignored by BIND. With this update, dnsmasq has been fixed to not use custom random port generator, but it now lets the operating system to assign random ports instead. As a result, dnsmasq no longer uses ports lower than 1024 as a source port, which prevents the described problem with BIND.

Dnsmasq with enabled cache no longer returns cached responses without DNSSEC records

Previously, dnsmasq service with enabled cache returned cached responses without DNSSEC records, even if query had DNSSEC OK bit set. As a consequence, returned replies could not pass DNSSEC validation by client under the dnsmasq. That causes clients under dnsmasq not able to use DNSSEC validation. To fix this, always forward requests with DNSSEC OK bit set and do not use cached values, unless DNSSEC validation is enabled locally. As a result, clients under dnsmasq can successfully validate all responses.

The ipset service can now load sets which depends on other sets

Τhe ipset service saves IP sets (lists of IP addresses) in separate files. In Red Hat Enterprise Linux (RHEL) 7.6, when starting the service, each set was loaded sequentially ignoring dependencies between them. As a consequence, the service failed to load IP sets with dependencies on other sets. With this update, the ipset service creates first all the sets included in the saved configuration, and then adds their entries. As a result, IP sets with dependencies on other sets can now be loaded.

Error logging in the ipset service has been improved

Previously, the ipset service did not report configuration errors with a meaningful severity in the systemd logs. The severity level for invalid configuration entries was only informational, and the service did not report errors for an unusable configuration. As a consequence, it was difficult for administrators to identify and troubleshoot issues in the ipset service’s configuration. With this update, ipset reports configuration issues as warnings in systemd logs and, if the service fails to start, it logs an entry with the error severity including further details. As a result, it is now easier to troubleshoot issues in the configuration of the ipset service.

The ipset service now ignores invalid configuration entries during startup

The ipset service stores configurations as sets in separate files. Previously, when the service started, it restored the configuration from all sets in a single operation, without filtering invalid entries that can be inserted by manually editing a set. As a consequence, if a single configuration entry was invalid, the service did not restore further unrelated sets. The problem has been fixed. As a result, the ipset service detects and removes invalid configuration entries during the restore operation, and ignores invalid configuration entries.

firewalld rebased to version 0.6.3

The firewalld packages have been upgraded to upstream version 0.6.3, which provides a number of bug fixes over the previous version:

An SELinux policy reload no longer causes false ENOMEM

Reloading SELinux policy previously caused the internal security context lookup table to become unresponsive. Consequently, when the kernel encountered a new security context during a policy reload, the operation failed with a false "Out of memory" (ENOMEM) error. With this update, the internal Security Identifier (SID) lookup table has been redesigned and no longer freezes. As a result, the kernel no longer returns misleading ENOMEM errors during an SELinux policy reload.

NSS now processes X.509 certificates for use with IPsec correctly

Previously, the NSS library did not properly process X.509 certificates for use with IPsec. As a consequence, if X.509 certificates had non-empty Extended Key Usage (EKU) attributes that did not contain serverAuth and clientAuth attributes, the Libreswan IPsec implementation incorrectly rejected validation of the certificates. With this update, the IPsec profiles in NSS have been fixed, and Libreswan can now accept the described certificates.

NSS no longer accepts RSA PKCS#1 v1.5 signatures made with an RSA-PSS key

RSA-PSS keys can be used for creating RSA-PSS signatures only and signatures made with those keys that use the PKCS#1 v1.5 algorithm violate the standard. Previously, the Network Security Services (NSS) libraries did not check the type of an RSA public key used by a server when validating signatures made using a corresponding private key. Consequently, NSS accepted RSA PKCS#1 v1.5 signatures as valid, even if they were made with an RSA-PSS key.

Accessing authorized keys no longer fails when switching users

Previously, group information cache in OpenSSH was not cleaned when changing the user for retrieving authorized keys using the AuthorizedKeysCommand* configuration options. Consequently, an attempt to access authorized keys failed for the new user due to incorrect group information. This bug has been fixed, and authorized keys can now be successfully accessed when the user is changed.

scap-security-guide now correctly skips rules that are not applicable to containers and container images

SCAP Security Guide content can be used to scan containers and container images now. Rules that are not applicable to containers and container images have been marked with a specific CPE identifier. As a result, the evaluation of these rules is skipped automatically, and the result not applicable is reported when scanning containers and container images.

Ansible playbooks from the SCAP Security Guide no longer fail due to common errors

Ansible tasks included in the SCAP Security Guide content were previously unable to handle certain common cases, such as missing configuration files, non-existent files, or uninstalled packages. As a consequence, when using an Ansible playbook from the SCAP Security Guide or generated by the oscap command, the ansible-playbook command terminated with every error. With this update, the Ansible tasks have been updated to handle common cases, and Ansible playbooks from the SCAP Security Guide can be successfully executed even if common errors are encountered during the playbook execution.

SCAP Security Guide now correctly checks the dconf configuration

Prior to this update, OVAL (Open Vulnerability and Assessment Language) checks used in the SCAP Security Guide project did not check the dconf binary database directly, but it checked only the respective key files. This could lead to false positives or negatives in scanning results. With this update, SCAP Security Guide adds one more check component, which ensures that the dconf binary database is up-to-date with regards to those key files. As a result, the complex check now checks the dconf configuration correctly.

SELinux now allow gssd_t processes to access kernel keyrings of other processes

Previously, an allow rule for the gssd_t type was missing in the SELinux policy. As a consequence, SELinux in enforcing mode occasionally prevented processes running as gssd_t from accessing kernel keyrings of other processes and could block for example sec=krb5 mounts. The rule has been added to the policy, and processes running as gssd_t are now able to access keyrings of other processes.

SELinux no longer blocks snapperd from managing all non-security directories

Prior to this update, an allow rule for the snapper daemon (snapperd) was missing in the SELinux policy. Consequently, snapper was not able to create a configuration file on a btrfs volume for a new snapshot with SELinux in enforcing mode. With this update, the missing rule has been added, and SELinux now allows snapperd to manage all non-security directories.

sudo I/O logging function now works also for SELinux-confined users

Prior to this update of the SELinux policy, rules that allow user domains to use generic pseudoterminal interfaces were missing. As a consequence, the I/O logging function of the sudo utility did not work for SELinux-confined users. The missing rules have been added to the policy, and the I/O logging function no longer fails in the described scenario.

sudo configured using LDAP now handles sudoRunAsGroup correctly

Previously, the sudo tool configured using LDAP did not correctly handle the case when the sudoRunAsGroup attribute was defined and the sudoRunAsUser attribute was not. As a consequence, the root user was used as the target user. With this update, the handling of sudoRunAsGroup has been fixed to match the behavior documented in the sudoers.ldap(5) man page, and sudo now works properly in the described scenario.

chronyd no longer fails to synchronize with NTP servers after reboot

Previously, when an interface was controlled by network scripts and NetworkManager was enabled at the same time, the chrony NetworkManager dispatcher script switched NTP sources to the offline state on boot. As a consequence, chronyd was prevented from synchronizing the system clock. With this update, the chrony dispatcher script ignores events that are not related to interfaces coming up or down. As a result, chronyd now synchronizes with NTP servers as expected under the described circumstances.

CUPS no longer denies access if SSSD running on the same server is configured with ignore_group_members = true

When System Security Services Daemon (SSSD) uses the ignore_group_members = true setting in the /etc/sssd/sssd.conf file, the getgrnam() function returns the group structure without group members of groups retrieved by SSSD. This is expected behavior. Previously, CUPS used only getgrnam() to verify if a user is a member of a group. As a consequence, if SSSD was configured with the mentioned setting on a CUPS server that used groups to allow access to the server for members of a group, CUPS denied access to users in these groups. With this update, CUPS now additionally uses the getgrouplist() function, which returns group members even if SSSD is configured with ignore_group_members = true. As a result, CUPS correctly determines access based on group memberships in the mentioned scenario.

Running dbus-daemon no longer fails to activate a system service

With the rebase of the D-Bus message bus daemon (dbus-daemon) to version 1.10.24, locations of several dbus tools were migrated. The dbus-send executable was moved from the /bin directory to the /usr/bin directory; the dbus-daemon-launch-helper executable was moved from the libdir directory to the libexecdir directory. Consequently, if a scriptlet in a package called the dbus-send command to send a message to D-Bus, and triggered a service activation, the activation could fail. With this update, the bug has been fixed by creating compatibility symlinks between the old and new locations of dbus-daemon-launch-helper. As a result, any running instance of dbus-daemon can now call the system bus and activate a system service.

Teaming in the rescue system works correctly again

Updates provided by the advisory RHBA-2019:0498 fixed several problems in ReaR, affecting complex network configurations. However, in case of teaming, this update introduced another problem. If the team had multiple member interfaces, the team device was not configured correctly in the rescue system. As a consequence, after applying an update provided by RHBA-2019:0498, a work around was needed to preserve the previous behavior. This update fixes the bug in ReaR, and teaming in the rescue system now works correctly.

Virtual machines now work correctly on RHEL 7 nodes in RHOSP 10

Previously, upgrading a Red Hat Enterprise Linux 7 (RHEL 7) node in Red Hat OpenStack Plaform 10 (RHOSP 10) to a later minor version sometimes caused virtual machines (VMs) hosted on that node to become unable to start. This update fixes how the tuned service configures parameters of the kvm-intel module, which prevents the described problem from occurring.

Handling of ksm and ksmtuned in Tuned has been fixed

Previously, Tuned sometimes failed to apply the cpu-partitioning profile if the ksm and ksmtuned services were enabled. With this update, handling of the ksm and ksmtuned services has been fixed. As a result, Tuned now applies the cpu-partitioning profile reliably.

Error messages in /var/log/tuned/tuned.log referring to non-existent sysctl settings no longer occur when a Tuned profile is loaded

Previously, the Tuned daemon treated non-existent sysctl settings as an error. For example net.bridge.bridge-nf-call-ip6tables, net.bridge.bridge-nf-call-iptables, or net.bridge.bridge-nf-call-arptables, which are unavailable on some systems, could trigger error in the /var/log/tuned/tuned.log file:

LVM no longer causes data corruption in the first 128kB of allocatable space of a physical volume

Previously, a bug in the I/O layer of LVM might have caused data corruption in rare cases. The bug could manifest only when the following conditions were true at the same time:

System boot is no longer delayed by ndctl

Previously, a udev rule installed by the ndctl package sometimes delayed the system boot process for several minutes on systems with Non-Volatile Dual In-line Memory Module (NVDIMM) devices. In such cases, systemd displayed a message similar to the following:

The systemd-importd VM and container image import and export service

Latest systemd version now contains the systemd-importd daemon that was not enabled in the earlier build, which caused the machinectl pull-* commands to fail. Note that the systemd-importd daemon is offered as a Technology Preview and should not be considered stable.

Containerized Identity Management server available as Technology Preview

The rhel7/ipa-server container image is available as a Technology Preview feature. Note that the rhel7/sssd container image is now fully supported.

Setting up IdM as a hidden replica is now available as a Technology Preview

This enhancement enables administrators to set up an Identity Management (IdM) replica as a hidden replica. A hidden replica is an IdM server that has all services running and available. However, it is not advertised to other clients or masters because no SRV records exist for the services in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as Technology Preview.

Use of AD and LDAP sudo providers

The Active Directory (AD) provider is a back end used to connect to an AD server. Starting with Red Hat Enterprise Linux 7.2, using the AD sudo provider together with the LDAP provider is available as a Technology Preview. To enable the AD sudo provider, add the sudo_provider=ad setting in the [domain] section of the sssd.conf file.

The Custodia secrets service provider is available as a Technology Preview

As a Technology Preview, you can use Custodia, a secrets service provider. Custodia stores or serves as a proxy for secrets, such as keys or passwords.

Heuristics in corosync-qdevice available as a Technology Preview

Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which partition should be quorate.

New fence-agents-heuristics-ping fence agent

As a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.

The pcs tool now manages bundle resources in Pacemaker

As a Technology Preview starting with Red Hat Enterprise Linux 7.4, Pacemaker supports a special syntax for launching a Docker container with any infrastructure it requires: the bundle. After you have created a Pacemaker bundle, you can create a Pacemaker resource that the bundle encapsulates. For information on Pacemaker support for containers, see High Availability Add-On Reference.

New LVM and LVM lock manager resource agents

As a Technology Preview, Red Hat Enterprise Linux 7.6 introduces two new resource agents: lvmlockd and LVM-activate.

Wayland available as a Technology Preview

The Wayland display server protocol is available in Red Hat Enterprise Linux as a Technology Preview with the dependent packages required to enable Wayland support in GNOME, which supports fractional scaling. Wayland uses the libinput library as its input driver.

Fractional Scaling available as a Technology Preview

Starting with Red Hat Enterprise Linux 7.5, GNOME provides, as a Technology Preview, fractional scaling to address problems with monitors whose DPI lies in the middle between lo (scale 1) and hi (scale 2).

File system DAX is now available for ext4 and XFS as a Technology Preview

Starting with Red Hat Enterprise Linux 7.3, Direct Access (DAX) provides, as a Technology Preview, a means for an application to directly map persistent memory into its address space.

pNFS block layout is now available

As a Technology Preview, Red Hat Enterprise Linux clients can now mount pNFS shares with the block layout feature.

OverlayFS

OverlayFS is a type of union file system. It allows the user to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media. See the Linux kernel documentation for additional information.

Btrfs file system

The B-Tree file system, Btrfs, is available as a Technology Preview in Red Hat Enterprise Linux 7.

LSI Syncro CS HA-DAS adapters

Red Hat Enterprise Linux 7.1 included code in the megaraid_sas driver to enable LSI Syncro CS high-availability direct-attached storage (HA-DAS) adapters. While the megaraid_sas driver is fully supported for previously enabled adapters, the use of this driver for Syncro CS is available as a Technology Preview. Support for this adapter is provided directly by LSI, your system integrator, or system vendor. Users deploying Syncro CS on Red Hat Enterprise Linux 7.2 and later are encouraged to provide feedback to Red Hat and LSI.

tss2 enables TPM 2.0 for IBM Power LE

The tss2 package adds IBM implementation of a Trusted Computing Group Software Stack (TSS) 2.0 as a Technology Preview for the IBM Power LE architecture. This package enables users to interact with TPM 2.0 devices.

The ibmvnic device driver available as a Technology Preview

Since Red Hat Enterprise Linux 7.3, the IBM Virtual Network Interface Controller (vNIC) driver for IBM POWER architectures, ibmvnic, has been available as a Technology Preview. vNIC is a PowerVM virtual networking technology that delivers enterprise capabilities and simplifies network management. It is a high-performance, efficient technology that when combined with SR-IOV NIC provides bandwidth control Quality of Service (QoS) capabilities at the virtual NIC level. vNIC significantly reduces virtualization overhead, resulting in lower latencies and fewer server resources, including CPU and memory, required for network virtualization.

Aero adapters available as a Technology Preview

The following Aero adapters are available as a Technology Preview:

The ice driver available as a Technology Preview

The Intel® Ethernet Connection E800 Series Linux Driver (ice.ko.xz) is available as a Technology Preview.

The igc driver available as a Technology Preview

The Intel® 2.5G Ethernet Linux Driver (igc.ko.xz) is available as a Technology Preview.

eBPF system call for tracing

Red Hat Enterprise Linux 7.6 introduces the Extended Berkeley Packet Filter tool (eBPF) as a Technology Preview. This tool is enabled only for the tracing subsystem. For details, see the related Red Hat Knowledgebase article.

Heterogeneous memory management included as a Technology Preview

Red Hat Enterprise Linux 7.3 introduced the heterogeneous memory management (HMM) feature as a Technology Preview. This feature has been added to the kernel as a helper layer for devices that want to mirror a process address space into their own memory management unit (MMU). Thus a non-CPU device processor is able to read system memory using the unified system address space. To enable this feature, add experimental_hmm=enable to the kernel command line.

kexec as a Technology Preview

The kexec system call has been provided as a Technology Preview. This system call enables loading and booting into another kernel from the currently running kernel, thus performing the function of the boot loader from within the kernel. Hardware initialization, which is normally done during a standard system boot, is not performed during a kexec boot, which significantly reduces the time required for a reboot.

kexec fast reboot as a Technology Preview

The kexec fast reboot feature, which was introduced in Red Hat Enterprise Linux 7.5, continues to be available as a Technology Preview. kexec fast reboot makes the reboot significantly faster. To use this feature, you must load the kexec kernel manually, and then reboot the operating system.

perf cqm has been replaced by resctrl

The Intel Cache Allocation Technology (CAT) was introduced in Red Hat Enterprise Linux 7.4 as a Technology Preview. However, the perf cqm tool did not work correctly due to an incompatibility between perf infrastructure and Cache Quality of Service Monitoring (CQM) hardware support. Consequently, multiple problems occurred when using perf cqm.

TC HW offloading available as a Technology Preview

Starting with Red Hat Enterprise Linux 7.6, Traffic Control (TC) Hardware offloading has been provided as a Technology Preview.

AMD xgbe network driver available as a Technology Preview

Starting with Red Hat Enterprise Linux 7.6, the AMD xgbe network driver has been provided as a Technology Preview.

Secure Memory Encryption is available only as a Technology Preview

Currently, Secure Memory Encryption (SME) is incompatible with kdump functionality, as the kdump kernel lacks the memory key to decrypt SME-encrypted memory. Red Hat found that with SME enabled, servers under testing might fail to perform some functions and therefore the feature is unfit for use in production. Consequently, SME is changing the support level from Supported to Technology Preview. Customers are encouraged to report any issues found while testing in pre-production to Red Hat or their system vendor.

criu rebased to version 3.5

Red Hat Enterprise Linux 7.2 introduced the criu tool as a Technology Preview. This tool implements Checkpoint/Restore in User-space (CRIU), which can be used to freeze a running application and store it as a collection of files. Later, the application can be restored from its frozen state.

The mlx5_core driver supports the Mellanox ConnectX-6 Dx network adapter as a Technology Preview

This enhancement adds the PCI IDs of the Mellanox ConnectX-6 Dx network adapter to the mlx5_core driver. On hosts that use this adapter, RHEL loads the mlx5_core driver automatically. Note that Red Hat provides this feature as an unsupported Technology Preview.

Cisco usNIC driver

Cisco Unified Communication Manager (UCM) servers have an optional feature to provide a Cisco proprietary User Space Network Interface Controller (usNIC), which allows performing Remote Direct Memory Access (RDMA)-like operations for user-space applications. The libusnic_verbs driver, which is available as a Technology Preview, makes it possible to use usNIC devices via standard InfiniBand RDMA programming based on the Verbs API.

Cisco VIC kernel driver

The Cisco VIC Infiniband kernel driver, which is available as a Technology Preview, allows the use of Remote Directory Memory Access (RDMA)-like semantics on proprietary Cisco architectures.

Trusted Network Connect

Trusted Network Connect, available as a Technology Preview, is used with existing network access control (NAC) solutions, such as TLS, 802.1X, or IPsec to integrate endpoint posture assessment; that is, collecting an endpoint’s system information (such as operating system configuration settings, installed packages, and others, termed as integrity measurements). Trusted Network Connect is used to verify these measurements against network access policies before allowing the endpoint to access the network.

SR-IOV functionality in the qlcnic driver

Support for Single-Root I/O virtualization (SR-IOV) has been added to the qlcnic driver as a Technology Preview. Support for this functionality will be provided directly by QLogic, and customers are encouraged to provide feedback to QLogic and Red Hat. Other functionality in the qlcnic driver remains fully supported.

The flower classifier with off-loading support

flower is a Traffic Control (TC) classifier intended to allow users to configure matching on well-known packet fields for various protocols. It is intended to make it easier to configure rules over the u32 classifier for complex filtering and classification tasks. flower also supports the ability to off-load classification and action rules to underlying hardware if the hardware supports it. The flower TC classifier is now provided as a Technology Preview.

The postfix role of RHEL System Roles available as a Technology Preview

Red Hat Enterprise Linux System Roles provides a configuration interface for Red Hat Enterprise Linux subsystems, which makes system configuration easier through the inclusion of Ansible Roles. This interface enables managing system configurations across multiple versions of Red Hat Enterprise Linux, as well as adopting new major releases.

rhel-system-roles-sap available as a Technology Preview

The rhel-system-roles-sap package provides Red Hat Enterprise Linux (RHEL) System Roles for SAP, which can be used to automate the configuration of a RHEL system to run SAP workloads. These roles greatly reduce the time to configure a system to run SAP workloads by automatically applying the optimal settings that are based on best practices outlined in relevant SAP Notes. Access is limited to RHEL for SAP Solutions offerings. Please contact Red Hat Customer Support if you need assistance with your subscription.

SECCOMP can be now enabled in libreswan

As a Technology Preview, the seccomp=enabled|tolerant|disabled option has been added to the ipsec.conf configuration file, which makes it possible to use the Secure Computing mode (SECCOMP). This improves the syscall security by whitelisting all the system calls that Libreswan is allowed to execute. For more information, see the ipsec.conf(5) man page.

pk12util can now import certificates signed with RSA-PSS

The pk12util tool now provides importing a certificate signed with the RSA-PSS algorithm as a Technology Preview.

Support for certificates signed with RSA-PSS in certutil has been improved

Support for certificates signed with the RSA-PSS algorithm in the certutil tool has been improved. Notable enhancements and fixes include:

NSS is now able to verify RSA-PSS signatures on certificates

Since the RHEL 7.5 version of the nss package, the Network Security Services (NSS) libraries provide verifying RSA-PSS signatures on certificates as a Technology Preview. Prior to this update, clients using NSS as the SSL backend were not able to establish a TLS connection to a server that offered only certificates signed with the RSA-PSS algorithm.

USBGuard enables blocking USB devices while the screen is locked as a Technology Preview

With the USBGuard framework, you can influence how an already running usbguard-daemon instance handles newly inserted USB devices by setting the value of the "InsertedDevicePolicy" runtime parameter. This functionality is provided as a Technology Preview, and the default choice is to apply the policy rules to figure out whether to authorize the device or not.

NVMe/FC available as a Technology Preview in Qlogic adapters using the qla2xxx driver

The NVMe over Fibre Channel (NVMe/FC) transport type is available as a Technology Preview in Qlogic adapters using the qla2xxx driver.

Multi-queue I/O scheduling for SCSI

Red Hat Enterprise Linux 7 includes a new multiple-queue I/O scheduling mechanism for block devices known as blk-mq. The scsi-mq package allows the Small Computer System Interface (SCSI) subsystem to make use of this new queuing mechanism. This functionality is provided as a Technology Preview and is not enabled by default. To enable it, add scsi_mod.use_blk_mq=Y to the kernel command line.

Targetd plug-in from the libStorageMgmt API

Since Red Hat Enterprise Linux 7.1, storage array management with libStorageMgmt, a storage array independent API, has been fully supported. The provided API is stable, consistent, and allows developers to programmatically manage different storage arrays and utilize the hardware-accelerated features provided. System administrators can also use libStorageMgmt to manually configure storage and to automate storage management tasks with the included command-line interface.

SCSI-MQ as a Technology Preview in the qla2xxx and lpfc drivers

The qla2xxx driver updated in Red Hat Enterprise Linux 7.4 can enable the use of SCSI-MQ (multiqueue) with the ql2xmqsupport=1 module parameter. The default value is 0 (disabled).

YUM 4 available as Technology Preview

YUM version 4, a next generation of the YUM package manager, is available as a Technology Preview in the Red Hat Enterprise Linux 7 Extras channel.

USB 3.0 support for KVM guests

USB 3.0 host adapter (xHCI) emulation for KVM guests remains a Technology Preview in Red Hat Enterprise Linux 7.

Select Intel network adapters now support SR-IOV in RHEL 7 guest OS on Hyper-V

As a Technology Preview, Red Hat Enterprise Linux 7 guest operating systems running on a Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters supported by the ixgbevf and i40evf drivers. This feature is enabled when the following conditions are met:

No-IOMMU mode for VFIO drivers

As a Technology Preview, this update adds No-IOMMU mode for virtual function I/O (VFIO) drivers. The No-IOMMU mode provides the user with full user-space I/O (UIO) access to a direct memory access (DMA)-capable device without a I/O memory management unit (IOMMU). Note that in addition to not being supported, using this mode is not secure due to the lack of I/O management provided by IOMMU.

Azure M416v2 as a host for RHEL 7 guests

As a Technology Preview, the Azure M416v2 instance type can now be used as a host for virtual machines that use RHEL 7.6 and later as the guest operating systems.

virt-v2v can convert Debian and Ubuntu guests

As a Technology Preview, the virt-v2v utility can now convert Debian and Ubuntu guest virtual machines. Note that the following problems currently occur when performing this conversion:

GPU-based mediated devices now support the VNC console

As a Technology Preview, the Virtual Network Computing (VNC) console is now available for use with GPU-based mediated devices, such as the NVIDIA vGPU technology. As a result, it is now possible to use these mediated devices for real-time rendering of a virtual machine’s graphical output.

Open Virtual Machine Firmware

The Open Virtual Machine Firmware (OVMF) is available as a Technology Preview in Red Hat Enterprise Linux 7. OVMF is a UEFI secure boot environment for AMD64 and Intel 64 guests. However, OVMF is not bootable with virtualization components available in RHEL 7. Note that OVMF is fully supported in RHEL 8.

Inconsistent warning message when applying an ID range change

In RHEL Identity Management (IdM), you can define multiple identity ranges (ID ranges) associated with a local IdM domain or a trusted Active Directory domain. The information about ID ranges is retrieved by the SSSD daemon on all enrolled systems.

Potential risk when using the default value for ldap_id_use_start_tls option

When using ldap:// without TLS for identity lookups, it can pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.

GCC thread sanitizer included in RHEL no longer works

Due to incompatible changes in kernel memory mapping, the thread sanitizer included with the GNU C Compiler (GCC) compiler version in RHEL no longer works. Additionally, the thread sanitizer cannot be adapted to the incompatible memory layout. As a result, it is no longer possible to use the GCC thread sanitizer included with RHEL.

Context variables in SystemTap not always accessible

The generation of debug information in the GCC compiler has some limitations. As a consequence, when analyzing the resulting executable files with the SystemTap tool, context variables listed in the form $foo are often inaccessible. To work around this limitation, add the -P option to the $HOME/.systemtap/rc file. This causes SystemTap to always select prologue-searching heuristics. As a result, some of the context variables can become accessible.

ksh with the KEYBD trap mishandles multibyte characters

The Korn Shell (KSH) is unable to correctly handle multibyte characters when the KEYBD trap is enabled. Consequently, when the user enters, for example, Japanese characters, ksh displays an incorrect string. To work around this problem, disable the KEYBD trap in the /etc/kshrc file by commenting out the following line:

Error while upgrading PCP from the RHEL 7.6 version

When you upgrade the pcp packages from the RHEL 7.6 to the RHEL 7.7 version, yum returns the following error message:

Gnome Documents cannot display some documents when installed without LibreOffice

Gnome Documents uses libraries provided by the LibreOffice suite for rendering certain types of documents, such as OpenDocument Text or Open Office XML formats. However, the required libreoffice-filters libraries are missing from the dependency list of the gnome-documents package. Therefore, if you install Gnome Documents on a system that does not have LibreOffice, these document types cannot be rendered.

GNOME Software cannot install packages from unsigned repositories

GNOME Software cannot install packages from repositories that have the following setting in the *.repo file:

Nautilus does not hide icons in the GNOME Classic Session

The GNOME Tweak Tool setting to show or hide icons in the GNOME session, where the icons are hidden by default, is ignored in the GNOME Classic Session. As a result, it is not possible to hide icons in the GNOME Classic Session even though the GNOME Tweak Tool displays this option.

RHEL 7.7 and later installations add spectre_v2=retpoline to Intel Cascade Lake systems

RHEL 7.7 and later installations add the spectre_v2=retpoline kernel parameter to Intel Cascade Lake systems, and as a consequence, system performance is affected. To work around this problem and ensure the best performance, complete the following steps.

RHEL 7 virtual machines sometimes fail to boot on ESXi 5.5

When running Red Hat Enterprise Linux 7 guests with 12 GB RAM or above on a VMware ESXi 5.5 hypervisor, certain components currently initialize with incorrect memory type range register (MTRR) values or incorrectly reconfigure MTRR values across boots. This sometimes causes the guest kernel to panic or the guest to become unresponsive during boot.

Certain NIC firmware can become unresponsive with bnx2x

Due to a bug in the unload sequence of the pre-boot drivers, the firmware of some internet adapters can become unresponsive after the bnx2x driver takes over the device. The bnx2x driver detects the problem and returns the message "storm stats were not updated for 3 times" in the kernel log. To work around this problem, apply the latest NIC firmware updates provided by your hardware vendor. As a result, unloading of the pre-boot firmware now works as expected and the firmware no longer hangs after bnx2x takes over the device.

The i40iw module does not load automatically on boot

Some i40e NICs do not support iWarp and the i40iw module does not fully support suspend and resume operations. Consequently, the i40iw module is not automatically loaded by default to ensure suspend and resume operations work properly. To work around this problem, edit the /lib/udev/rules.d/90-rdma-hw-modules.rules file to enable automated load of i40iw.

The non-interleaved persistent memory configurations cannot use storage

Previously, systems with persistent memory aligned to 64 MB boundaries, prevented creating of namespaces. As a consequence, the non-interleaved persistent memory configurations in some cases were not able to use storage. To work around this problem, use the interleaved mode for the persistent memory. As a result, most of the storage is available for use, however, with limited fault isolation.

System boot might fail due to persistent memory file systems

Systems with a large amount of persistent memory take a long time to boot. If the /etc/fstab file configures persistent memory file systems, the system might time out waiting for the devices to become available. The boot process then fails and presents the user with an emergency prompt.

radeon fails to reset hardware correctly

The radeon kernel driver currently does not reset hardware in the kexec context correctly. Instead, radeon terminates unexpectedly, which causes the rest of the kdump service to fail.

Certain eBPF tools can cause the system to become unresponsive on IBM Z

Due to a bug in the JIT compiler, running certain eBPF tools contained in the bcc-tools package on IBM Z might cause the system to become unresponsive. To work around this problem, avoid using the dcsnoop, runqlen, and slabratetop tools from bcc-tools on IBM Z until a fix is released.

Concurrent SG_IO requests in /dev/sg might cause data corruption

The /dev/sg device driver is missing synchronization of kernel data. Concurrent requests in the driver access the same data at the same time.

Incorrect order for inner and outer VLAN tags

The system receives the inner and outer VLAN tags in a swapped order when using QinQ (IEEE802.1Q in IEEE802.1Q standard) over representor devices when using the mlx5 driver. That happens because the rxvlan offloading switch is not effective on this path and it causes Open vSwitch (OVS) to push this error forward. There is no known workaround.

kdump fails to generate vmcore on Azure instances in RHEL 7

An underlying problem with the serial console implementation on Azure instances booted through the UEFI bootloader causes that the kdump kernel is unable to boot. Consequently, the vmcore of the crashed kernel cannot be captured in the /var/crash/ directory. To work around this problem:

The kdumpctl service fails to load crash kernel if KASLR is enabled

An inappropriate setting of the kptr_restrict kernel tunable causes that contents of the /proc/kcore file are generated as all zeros. As a consequence, the kdumpctl service is not able to access /proc/kcore and to load the crash kernel if Kernel Address Space Layout Randomization (KASLR) is enabled. To work around this problem, keep kptr_restrict set to 1. As a result, kdumpctl is able to load the crash kernel in the described scenario.

Kdump fails in the second kernel

The kdump initramfs archive is a critical component for capturing the crash dump. However, it is strictly generated for the machine it runs on and has no generality. If you did a disk migration or installed a new machine with a disk image, kdump might fail in the second kernel.

Verification of signatures using the MD5 hash algorithm is disabled in Red Hat Enterprise Linux 7

It is impossible to connect to any Wi-Fi Protected Access (WPA) Enterprise Access Point (AP) that requires MD5 signed certificates. To work around this problem, copy the wpa_supplicant.service file from the /usr/lib/systemd/system/ directory to the /etc/systemd/system/ directory and add the following line to the Service section of the file:

Booting from a network device fails when the network driver is restarted

Currently, if the boot device is mounted over the network when using iSCSI or Fibre Channel over Ethernet (FCoE), Red Hat Enterprise Linux (RHEL) fails to boot when the underlying network interface driver is restarted.

freeradius might fail when upgrading from RHEL 7.3

A new configuration property, correct_escapes, in the /etc/raddb/radiusd.conf file was introduced in the freeradius version distributed since RHEL 7.4. When an administrator sets correct_escapes to true, the new regular expression syntax for backslash escaping is expected. If correct_escapes is set to false, the old syntax is expected where backslashes are also escaped. For backward compatibility reasons, false is the default value.

RHEL 7 shows the status of an 802.3ad bond as "Churned" after a switch was unavailable for an extended period of time

Currently, when you configure an 802.3ad network bond and the switch is down for an extended period of time, Red Hat Enterprise Linux properly shows the status of the bond as "Churned", even after the connection returns to a working state. However, this is the intended behavior, as the "Churned" status aims to tell the administrator that a significant link outage occurred. To clear this status, restart the network bond or reboot the host.

Using client-identifier leads to IP address conflict

If the client-identifier option is used, certain network switches ignore the ciaddr field of a dynamic host configuration protocol (DHCP) request. Consequently, the same IP address is assigned to multiple clients, which leads to an IP address conflict. To work around the problem, include the following line in the dhclient.conf file:

Libreswan does not work properly with seccomp=enabled on all configurations

The set of allowed syscalls in the Libreswan SECCOMP support implementation is currently not complete. Consequently, when SECCOMP is enabled in the ipsec.conf file, the syscall filtering rejects even syscalls needed for the proper functioning of the pluto daemon; the daemon is killed, and the ipsec service is restarted.

PKCS#11 devices not supporting RSA-PSS cannot be used with TLS 1.3

The TLS protocol version 1.3 requires RSA-PSS signatures, which are not supported by all PKCS#11 devices, such as hardware security modules (HSM) or smart cards. Currently, server applications using NSS do not check the PKCS#11 module capabilities before negotiating TLS 1.3. As a consequence, attempts to authenticate using PKCS#11 devices that do not support RSA-PSS fail. To work around this problem, use TLS 1.2 instead.

TLS 1.3 does not work in NSS in FIPS mode

TLS 1.3 is not supported on systems working in FIPS mode. As a consequence, connections that require TLS 1.3 for interoperability do not function on a system working in FIPS mode.

OpenSCAP inadvertently accesses remote file systems

The OpenSCAP scanner cannot correctly detect whether the scanned file system is a mounted remote file system or a local file system, and the detection part contains also other bugs. Consequently, the scanner reads mounted remote file systems even if an evaluated rule applies to a local file-system only, and it might generate unwanted traffic on remote file systems.

Manual initialization of MariaDB using mysql_install_db fails

The mysql_install_db script for initializing the MariaDB database calls the resolveip binary from the /usr/libexec/ directory, while the binary is located in /usr/bin/. Consequently, manual initialization of the database using mysql_install_db fails.

mysql-connector-java does not work with MySQL 8.0

The mysql-connector-java database connector provided in RHEL 7 does not work with the MySQL 8.0 database server. To work around this problem, use the rh-mariadb103-mariadb-java-client database connector from Red Hat Software Collections.

Harmless error messages occur when the balanced Tuned profile is used

The balanced Tuned profile has been changed in the way that the cpufreq_conservative kernel module loads when this profile is applied. However, cpufreq_conservative is built-in in the kernel, and it is not available as a module. Consequently, when the balanced profile is used, the following error messages occasionally appear in /var/log/tuned/tuned.log file:

The php-mysqlnd database connector does not work with MySQL 8.0

The default character set has been changed to utf8mb4 in MySQL 8.0 but this character set is unsupported by the php-mysqlnd database connector. Consequently, php-mysqlnd fails to connect in the default configuration. To work around this problem, specify a known character set as a parameter of the MySQL server configuration. For example, modify the /etc/opt/rh/rh-mysql80/my.cnf.d/mysql-server.cnf file to read:

The system halts unexpectedly when using scsi-mq with software FCoE

The host system halts unexpectedly when it is configured to use both multiqueue scheduling (scsi-mq) and software Fibre Channel over Ethernet (FCoE) at the same time.

The system boot sometimes fails on large systems

During the boot process, the udev device manager sometimes generates too many rules on large systems. For example, the problem has manifested on a system with 32 TB of memory and 192 CPUs. As a consequence, the boot process becomes unresponsive or times out and switches to the emergency shell.

When an image is split off from an active/active cluster mirror, the resulting new logical volume has no active component

When you split off an image from an active/active cluster mirror, the resulting new logical appears active but it has no active component. To activate the newly split-off logical volume, deactivate the volume and then activate it with the following commands:

Virtual machines sometimes enable unnecessary CPU vulnerability mitigation

Currently, the MDS_NO CPU flags, which indicate that the CPU is not vulnerable to the Microarchitectural Data Sampling (MDS) vulnerability, are not exposed to guest operating systems. As a consequence, the guest operating system in some cases automatically enables CPU vulnerability mitigation features that are not necessary for the current host.

Modifying a RHEL 8 virtual image on a RHEL 7 host sometimes fails

On RHEL 7 hosts, using virtual image manipulation utilities such as guestfish, virt-sysprep, or virt-customize in some cases fails if the utility targets a virtual image that is using a RHEL 8 file system. This is because RHEL 7 is not fully compatible with certain file-system features in RHEL 8.

Slow connection to RHEL 7 guest console on a Windows Server 2019 host

When using RHEL 7 as a guest operating system in multi-user mode on a Windows Server 2019 host, connecting to a console output of the guest currently takes significantly longer than expected. To work around this problem, connect to the guest using SSH or use Windows Server 2016 as the host.

SMT works only on AMD EPYC CPU models

Currently, only the AMD EPYC CPU models support the simultaneous multithreading (SMT) feature. As a consequence, manually enabling the topoext feature when configuring a virtual machine (VM) with a different CPU model causes the VM not to detect the vCPU topology correctly, and the vCPU does not perform as configured. To work around this problem, do not enable topoext manually and do not use the threads vCPU option on AMD hosts unless the host is using the AMD EPYC model