Chapter 6. RHEL 8.1.0 release
6.1. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.1.
6.1.1. Installer and image creation
Modules can now be disabled during Kickstart installation
With this enhancement, users can now disable a module to prevent the installation of packages from the module. To disable a module during Kickstart installation, use the command:
module --name=foo --stream=bar --disable
(BZ#1655523)
Support for the repo.git section in blueprints is now available
A new repo.git blueprint section allows users to include extra files in their image build. The files must be hosted in a git repository that is accessible from the lorax-composer build server.
Image Builder now supports image creation for more cloud providers
With this update, Image Builder can create images for more cloud providers. As a result, you can now create RHEL images that can be deployed on Google Cloud and Alibaba Cloud, and run custom instances on these platforms.
6.1.2. Software management
dnf-utils has been renamed to yum-utils
With this update, the dnf-utils package, which is a part of the YUM stack, has been renamed to yum-utils. For compatibility reasons, the package can still be installed using the dnf-utils name, and it automatically replaces the original package when upgrading your system.
(BZ#1722093)
6.1.3. Subscription management
subscription-manager now reports the role, usage and add-ons values
With this update, subscription-manager can display the Role, Usage and Add-ons values for each subscription available in the current organization, which is registered to either the Customer Portal or to Satellite.
To show the available subscriptions with the addition of Role, Usage and Add-ons values for those subscriptions use:
# subscription-manager list --available
To show the consumed subscriptions including the additional Role, Usage and Add-ons values use:
# subscription-manager list --consumed
(BZ#1665167)
6.1.4. Infrastructure services
tuned rebased to version 2.12
The tuned packages have been upgraded to upstream version 2.12, which provides a number of bug fixes and enhancements over the previous version, notably:
- Handling of devices that have been removed and reattached has been fixed.
- Support for negation of CPU lists has been added.
- Performance of runtime kernel parameter configuration has been improved by switching from the sysctl tool to a new implementation specific to Tuned.
chrony rebased to version 3.5
The chrony packages have been upgraded to upstream version 3.5, which provides a number of bug fixes and enhancements over the previous version, notably:
- Support for more accurate synchronization of the system clock with hardware timestamping in the RHEL 8.1 kernel has been added.
- Hardware timestamping has received significant improvements.
- The range of available polling intervals has been extended.
- The filter option has been added to NTP sources.
New FRRouting routing protocol stack is available
With this update, Quagga has been replaced by Free Range Routing (FRRouting, or FRR), a new routing protocol stack. FRR is provided by the frr package available in the AppStream repository.
FRR provides TCP/IP-based routing services with support for multiple IPv4 and IPv6 routing protocols, such as BGP, IS-IS, OSPF, PIM, and RIP.
With FRR installed, the system can act as a dedicated router that exchanges routing information with other routers in either an internal or an external network.
(BZ#1657029)
GNU enscript now supports ISO-8859-15 encoding
With this update, support for ISO-8859-15 encoding has been added into the GNU enscript program.
Improved accuracy of measuring system clock offset in phc2sys
The phc2sys program from the linuxptp packages now supports a more accurate method for measuring the offset of the system clock.
(BZ#1677217)
ptp4l now supports team interfaces in active-backup mode
With this update, support for team interfaces in active-backup mode has been added into the PTP Boundary/Ordinary Clock (ptp4l).
(BZ#1685467)
PTP time synchronization on macvlan interfaces is now supported
This update adds support for hardware timestamping on macvlan interfaces to the Linux kernel. As a result, macvlan interfaces can now use the Precision Time Protocol (PTP) for time synchronization.
(BZ#1664359)
6.1.5. Security
New package: fapolicyd
The fapolicyd software framework introduces a form of application whitelisting and blacklisting based on a user-defined policy. Application whitelisting is one of the most efficient ways to prevent untrusted and possibly malicious applications from running on the system.
The fapolicyd framework provides the following components:
- fapolicyd service
- fapolicyd command-line utilities
- yum plugin
- rule language
Administrators can define allow and deny execution rules, both with the possibility of auditing, based on a path, hash, MIME type, or trust for any application.
Note that every fapolicyd setup affects overall system performance. The performance hit varies depending on the use case. Application whitelisting slows down the open() and exec() system calls, and therefore primarily affects applications that perform these system calls frequently.
See the fapolicyd(8), fapolicyd.rules(5), and fapolicyd.conf(5) man pages for more information.
(BZ#1673323)
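What the rule language looks like in practice, as an added example that is not the policy shipped in the fapolicyd package: an execute whitelist that keys on a directory, a content hash and a MIME type, with auditing on the deny paths. The placeholder hash and the /var/tmp exception are assumptions for illustration; confirm the attribute names against fapolicyd.rules(5) for the installed version, and trial a new policy with permissive = 1 in fapolicyd.conf before enforcing it, because the first matching rule decides and a misplaced allow or deny is hard to spot once enforced.

```text
# Illustrative fapolicyd.rules fragment (added example, not the policy shipped with RHEL).
# Format: decision perm=<execute|open|any> <subject> : <object>
# Rules are matched in order; the first match decides, so the catch-all rules go last.

# Refuse the dynamic loader as a trampoline ("/lib64/ld-linux-x86-64.so.2 ./dropped-binary").
deny_audit perm=any pattern=ld_so : all

# Let root run its own tooling from /var/tmp (package builds, ad hoc scripts).
allow perm=any uid=0 : dir=/var/tmp/

# Everything installed in the packaged system tree may be executed or mapped.
allow perm=any all : dir=/usr/

# One unpackaged vendor binary is allowed by content hash instead of path, so a
# replaced or patched file stops matching. The digest below is a placeholder;
# put the output of `sha256sum` for the real file here.
allow perm=execute all : sha256hash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Shared objects from anywhere else (LD_PRELOAD of /tmp/evil.so, plugins dropped
# into a home directory) are blocked and audited.
deny_audit perm=open all : ftype=application/x-sharedlib

# Ordinary data files must stay readable; only execution is whitelisted here.
allow perm=open all : all
deny_audit perm=execute all : all
```

The deny_audit decisions are what make the policy observable: every blocked execve or library load lands in the audit log with the path and the subject, which is the signal to alert on during the permissive trial and afterwards.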
New package: udica
The new udica package provides a tool for generating SELinux policies for containers. With udica, you can create a tailored security policy for better control of how a container accesses host system resources, such as storage, devices, and network. This enables you to harden your container deployments against security violations, and it also simplifies achieving and maintaining regulatory compliance.
See the Creating SELinux policies for containers section in the RHEL 8 Using SELinux title for more information.
(BZ#1673643)
SELinux user-space tools updated to version 2.9
The libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, and mcstrans SELinux user-space tools have been upgraded to the latest upstream release 2.9, which provides many bug fixes and enhancements over the previous version.
(BZ#1672638, BZ#1672642, BZ#1672637, BZ#1672640, BZ#1672635, BZ#1672641)
SETools updated to version 4.2.2
The SETools collection of tools and libraries has been upgraded to the latest upstream release 4.2.2, which provides the following changes:
- Removed source policy references from man pages, as loading source policies is no longer supported
- Fixed a performance regression in alias loading
selinux-policy rebased to 3.14.3
The selinux-policy package has been upgraded to upstream version 3.14.3, which provides a number of bug fixes and enhancements to the allow rules over the previous version.
A new SELinux type: boltd_t
A new SELinux type, boltd_t, confines boltd, a system daemon for managing Thunderbolt 3 devices. As a result, boltd now runs as a confined service in SELinux enforcing mode.
(BZ#1684103)
A new SELinux policy class: bpf
A new SELinux policy class, bpf, has been introduced. The bpf class enables users to control the Berkeley Packet Filter (BPF) flow through SELinux, and allows inspection and simple manipulation of Extended Berkeley Packet Filter (eBPF) programs and maps controlled by SELinux.
(BZ#1673056)
OpenSCAP rebased to version 1.3.1
The openscap packages have been upgraded to upstream version 1.3.1, which provides many bug fixes and enhancements over the previous version, most notably:
- Support for SCAP 1.3 source data streams: evaluating, XML schemas, and validation
- Tailoring files are included in ARF result files
- OVAL details are always shown in HTML reports; users do not have to provide the --oval-results option
- HTML reports display OVAL test details also for OVAL tests included from other OVAL definitions using the OVAL extend_definition element
- OVAL test IDs are shown in HTML reports
- Rule IDs are shown in HTML guides
OpenSCAP now supports SCAP 1.3
The OpenSCAP suite now supports data streams conforming to the latest version of the SCAP standard, SCAP 1.3. You can now use SCAP 1.3 data streams, such as those contained in the scap-security-guide package, in the same way as SCAP 1.2 data streams without any additional usability restrictions.
scap-security-guide rebased to version 0.1.46
The scap-security-guide packages have been upgraded to upstream version 0.1.46, which provides many bug fixes and enhancements over the previous version, most notably:
- SCAP content conforms to the latest version of the SCAP standard, SCAP 1.3
- SCAP content supports UBI images
OpenSSH rebased to 8.0p1
The openssh packages have been upgraded to upstream version 8.0p1, which provides many bug fixes and enhancements over the previous version, most notably:
- Increased the default RSA key size to 3072 bits for the ssh-keygen tool
- Removed support for the ShowPatchLevel configuration option
- Applied numerous GSSAPI key exchange code fixes, such as the fix of Kerberos cleanup procedures
- Removed the fallback to the sshd_net_t SELinux context
- Added support for Match final blocks
- Fixed minor issues in the ssh-copy-id command
- Fixed Common Vulnerabilities and Exposures (CVE) related to the scp utility (CVE-2019-6111, CVE-2018-20685, CVE-2019-6109)
Note that this release introduces a minor incompatibility in scp as the mitigation for CVE-2019-6111: the scp client now checks that the file names a server sends back match the names that were requested, and rejects anything else. If your scripts depend on the remote shell expanding the path during an scp download, so that the server legitimately returns names that differ from the request, you can use the -T switch to turn off this check, but only when connecting to trusted servers, because a malicious server can then again write arbitrary file names into the destination directory.
libssh now complies with the system-wide crypto-policies
The libssh client and server now automatically load the /etc/libssh/libssh_client.config and /etc/libssh/libssh_server.config files, respectively. These configuration files include the options set by the system-wide crypto-policies component for the libssh back end and the options set in the /etc/ssh/ssh_config or /etc/ssh/sshd_config OpenSSH configuration file. With automatic loading of the configuration file, libssh now uses the system-wide cryptographic settings set by crypto-policies. This change simplifies control over the set of cryptographic algorithms used by applications.
(BZ#1610883, BZ#1610884)
An option for rsyslog to preserve the case of FROMHOST is available
This update to the rsyslog service introduces an option to manage letter-case preservation of the FROMHOST property for the imudp and imtcp modules. Setting the preservecase value to on means the FROMHOST property is handled in a case-sensitive manner. To avoid breaking existing configurations, the default value of preservecase is on for imtcp and off for imudp.
(BZ#1614181)
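The preservecase setting in a working listener configuration, as an added example that is not part of the release notes or of the rsyslog project's documentation. The file path, the port and the per-host log layout are assumptions; the module parameter names and defaults are the ones this note describes.

```text
# Illustrative /etc/rsyslog.d/remote.conf (added example, not from the release notes).

# imudp defaults to preservecase="off": FROMHOST is lower-cased, so the same
# host arriving as "WebFrontend01" and "webfrontend01" lands in one file.
module(load="imudp" preservecase="off")
input(type="imudp" port="514")

# imtcp defaults to preservecase="on": the name is kept as the sender sent it.
# Set it explicitly so the behaviour does not depend on the module default.
module(load="imtcp" preservecase="on")
input(type="imtcp" port="514")

# Split remote messages into one file per sending host. With preservecase="on"
# on a listener, "WebFrontend01" and "webfrontend01" become two files, and any
# rule that compares $fromhost to a fixed string must match the exact case.
template(name="PerHost" type="string"
         string="/var/log/remote/%fromhost%/messages")
if $inputname == "imudp" or $inputname == "imtcp" then {
    action(type="omfile" dynaFile="PerHost")
    stop
}
```

Remember that FROMHOST for syslog over UDP is whatever reverse DNS returns for an unauthenticated sender, so a file name derived from it can be steered by a spoofed source address; %fromhost-ip% is the safer key for per-host files, and the case setting only matters once you compare or route on the name.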
6.1.6. Networking
PMTU discovery and route redirection is now supported with VXLAN and GENEVE tunnels
The kernel in Red Hat Enterprise Linux (RHEL) 8.0 did not handle Internet Control Message Protocol (ICMP) and ICMPv6 messages for Virtual Extensible LAN (VXLAN) and Generic Network Virtualization Encapsulation (GENEVE) tunnels. As a consequence, Path MTU (PMTU) discovery and route redirection was not supported with VXLAN and GENEVE tunnels in RHEL releases prior to 8.1. With this update, the kernel handles ICMP "Destination Unreachable" and "Redirect Message", as well as ICMPv6 "Packet Too Big" and "Destination Unreachable" error messages by adjusting the PMTU and modifying forwarding information. As a result, RHEL 8.1 supports PMTU discovery and route redirection with VXLAN and GENEVE tunnels.
(BZ#1652222)
Notable changes in XDP and networking eBPF features in kernel
The XDP and networking eBPF features in the kernel package have been upgraded to upstream version 5.0, which provides a number of bug fixes and enhancements over the previous version:
- eBPF programs can now better interact with the TCP/IP stack, perform flow dissection, have a wider range of bpf helpers available, and have access to new map types.
- XDP metadata is now available to AF_XDP sockets.
(BZ#1687459)
The new PTP_SYS_OFFSET_EXTENDED control for ioctl() improves the accuracy of measured system-PHC offsets
This enhancement adds the PTP_SYS_OFFSET_EXTENDED control to the ioctl() function for more accurate measurements of the offset between the system clock and a precision time protocol (PTP) hardware clock (PHC). The existing PTP_SYS_OFFSET control, which, for example, the chrony service uses to measure the offset between a PHC and the system clock, is not accurate enough: network drivers typically read multiple PCI registers to obtain a PHC time stamp, so the two readings of the system clock that bracket the PHC reading also bracket those extra register accesses. With the new PTP_SYS_OFFSET_EXTENDED control, drivers can isolate the reading of the lowest bits of the PHC time stamp so that only that reading falls between the two system clock readings, which improves the accuracy of the measured offset.
(BZ#1677215)
ipset rebased to version 7.1
The ipset packages have been upgraded to upstream version 7.1, which provides a number of bug fixes and enhancements over the previous version:
- The ipset protocol version 7 introduces the IPSET_CMD_GET_BYNAME and IPSET_CMD_GET_BYINDEX operations. Additionally, the user space component can now detect the exact compatibility level that the kernel component supports.
- A significant number of bugs have been fixed, such as memory leaks and use-after-free bugs.
(BZ#1649090)
6.1.7. Kernel
Kernel version in RHEL 8.1
Red Hat Enterprise Linux 8.1 is distributed with the kernel version 4.18.0-147.
(BZ#1797671)
Live patching for the kernel is now available
Live patching for the kernel, kpatch, provides a mechanism to patch the running kernel without rebooting or restarting any processes. Live kernel patches will be provided for selected minor release streams of RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important CVEs.
To subscribe to the kpatch stream for the RHEL 8.1 version of the kernel, install the kpatch-patch-4_18_0-147 package provided by the RHEA-2019:3695 advisory.
For more information, see Applying patches with kernel live patching in Managing, monitoring and updating the kernel.
(BZ#1763780)
Extended Berkeley Packet Filter in RHEL 8
Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in kernel space inside a restricted sandbox with access to a limited set of functions. The virtual machine executes special assembly-like code. The code is loaded into the kernel and translated to native machine code with just-in-time compilation. There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported.
In RHEL 8.1, the BPF Compiler Collection (BCC) tools package is fully supported on the AMD and Intel 64-bit architectures. The BCC tools package is a collection of dynamic kernel tracing utilities that use the eBPF virtual machine.
The following eBPF components are currently available as a Technology Preview:
- The BCC tools package on the following architectures: the 64-bit ARM architecture, IBM Power Systems, Little Endian, and IBM Z
- The BCC library on all architectures
- The bpftrace tracing language
- The eXpress Data Path (XDP) feature
For details regarding the Technology Preview components, see Section 6.5.2, “Kernel”.
(BZ#1780124)
Red Hat Enterprise Linux 8 now supports early kdump
The early kdump feature allows the crash kernel and initramfs to load early enough to capture vmcore information even for early crashes.
For more details about early kdump, see the /usr/share/doc/kexec-tools/early-kdump-howto.txt file.
(BZ#1520209)
RHEL 8 now supports ipcmni_extend
A new kernel command line parameter, ipcmni_extend, has been added to Red Hat Enterprise Linux 8. The parameter extends the number of unique System V Inter-process Communication (IPC) identifiers from the current maximum of 32K (15 bits) up to 16M (24 bits). As a result, users whose applications produce a lot of shared memory segments are able to create more IPC identifiers without exceeding the 32K limit.
Note that in some cases using ipcmni_extend results in a small performance overhead, and it should be used only if the applications need more than 32K unique IPC identifiers.
(BZ#1710480)
The persistent memory initialization code supports parallel initialization
The persistent memory initialization code enables parallel initialization on systems with multiple nodes of persistent memory. The parallel initialization greatly reduces the overall memory initialization time on systems with large amounts of persistent memory. As a result, these systems can now boot much faster.
(BZ#1634343)
TPM userspace tool has been updated to the latest version
The tpm2-tools userspace tool has been updated to version 2.0. This update fixes many defects.
The rngd daemon is now able to run with non-root privileges
The random number generator daemon (rngd) checks whether data supplied by the source of randomness is sufficiently random and then stores the data in the kernel's random-number entropy pool. With this update, rngd is able to run with non-root user privileges to enhance system security.
Full support for the ibmvnic driver
With the introduction of Red Hat Enterprise Linux 8.0, the IBM Virtual Network Interface Controller (vNIC) driver for IBM POWER architectures, ibmvnic, was available as a Technology Preview. vNIC is a PowerVM virtual networking technology that delivers enterprise capabilities and simplifies network management. It is a high-performance, efficient technology that, when combined with SR-IOV NICs, provides bandwidth control Quality of Service (QoS) capabilities at the virtual NIC level. vNIC significantly reduces virtualization overhead, resulting in lower latencies and fewer server resources, including CPU and memory, required for network virtualization.
Starting with Red Hat Enterprise Linux 8.1, the ibmvnic device driver is fully supported on IBM POWER9 systems.
(BZ#1665717)
Intel ® Omni-Path Architecture (OPA) Host Software
Intel Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 8.1. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.
UBSan has been enabled in the debug kernel in RHEL 8
The Undefined Behavior Sanitizer (UBSan) utility exposes undefined-behavior flaws in C code at runtime. This utility has now been enabled in the debug kernel because the compiler behavior was, in some cases, different from developers' expectations, especially under compiler optimization, where subtle, obscure bugs would appear. As a result, running the debug kernel with UBSan enabled allows the system to detect such bugs easily.
(BZ#1571628)
The fadump infrastructure now supports re-registering in RHEL 8
Support has been added for re-registering (unregistering and registering) the firmware-assisted dump (fadump) infrastructure after any memory hot add/remove operation to update the crash memory ranges. The feature aims to prevent potential race conditions when unregistering and registering fadump from user space during udev events.
(BZ#1710288)
The determine_maximum_mpps.sh script has been introduced in RHEL for Real Time 8
The determine_maximum_mpps.sh script has been introduced to help use the queuelat test program. The script executes queuelat to determine the maximum packets per second a machine can handle.
kernel-rt source tree now matches the latest RHEL 8 tree
The kernel-rt sources have been upgraded to be based on the latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and enhancements over the previous version.
The ssdd test has been added to RHEL for Real Time 8
The ssdd test has been added to enable stress testing of the tracing subsystem. The test runs multiple tracing threads to verify that locking is correct within the tracing system.
6.1.8. Hardware enablement
Memory Mode for Optane DC Persistent Memory technology is fully supported
Intel Optane DC Persistent Memory storage devices provide data center-class persistent memory technology, which can significantly increase transaction throughput.
To use the Memory Mode technology, your system does not require any special drivers or specific certification. Memory Mode is transparent to the operating system.
IBM Z now supports system boot signature verification
Secure Boot allows the system firmware to check the authenticity of the cryptographic keys that were used to sign the kernel space code. As a result, the feature improves security, since only code from trusted vendors can be executed.
Note that IBM z15 is required to use Secure Boot.
(BZ#1659399)
6.1.9. File systems and storage
Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)
DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.
DIF/DIX is not supported on the following configurations:
- It is not supported for use on the boot device.
- It is not supported on virtualized guests.
- Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled.
DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent.
For further information on the DIF/DIX feature, see What is DIF/DIX.
(BZ#1649493)
Optane DC memory systems now support EDAC reports
Previously, EDAC was not reporting memory corrected/uncorrected events if the memory address was within a NVDIMM module. With this update, EDAC can properly report the events with the correct memory module information.
(BZ#1571534)
The VDO Ansible module has been moved to Ansible packages
Previously, the VDO Ansible module was provided by the vdo RPM package. Starting with this release, the module is provided by the ansible package instead.
The original location of the VDO Ansible module file was:
/usr/share/doc/vdo/examples/ansible/vdo.py
The new location of the file is:
/usr/lib/python3.6/site-packages/ansible/modules/system/vdo.py
The vdo package continues to distribute Ansible playbooks.
For more information on Ansible, see http://docs.ansible.com/.
Aero adapters are now fully supported
The following Aero adapters, previously available as a Technology Preview, are now fully supported:
- PCI ID 0x1000:0x00e2 and 0x1000:0x00e6, controlled by the mpt3sas driver
- PCI ID 0x1000:0x10e5 and 0x1000:0x10e6, controlled by the megaraid_sas driver
(BZ#1663281)
LUKS2 now supports online re-encryption
The Linux Unified Key Setup version 2 (LUKS2) format now supports re-encrypting encrypted devices while the devices are in use. For example, you do not have to unmount the file system on the device to perform the following tasks:
- Change the volume key
- Change the encryption algorithm
When encrypting a non-encrypted device, you must still unmount the file system, but the encryption is now significantly faster. You can remount the file system after a short initialization of the encryption.
Additionally, the LUKS2 re-encryption is now more resilient. You can select between several options that prioritize performance or data protection during the re-encryption process.
To perform LUKS2 re-encryption, use the cryptsetup reencrypt subcommand. Red Hat no longer recommends using the cryptsetup-reencrypt utility for the LUKS2 format.
Note that the LUKS1 format does not support online re-encryption, and the cryptsetup reencrypt subcommand is not compatible with LUKS1. To encrypt or re-encrypt a LUKS1 device, use the cryptsetup-reencrypt utility.
For more information on disk encryption, see Encrypting block devices using LUKS.
New features of ext4 available in RHEL 8
In RHEL 8, the following are the new fully supported features of ext4:
Non-default features:
- project
- quota
- mmp
Non-default mount options:
- bsddf|minixdf
- grpid|bsdgroups and nogrpid|sysvgroups
- resgid=n and resuid=n
- errors={continue|remount-ro|panic}
- commit=nrsec
- max_batch_time=usec
- min_batch_time=usec
- grpquota|noquota|quota|usrquota
- prjquota
- dax
- lazytime|nolazytime
- discard|nodiscard
- init_itable|noinit_itable
- jqfmt={vfsold|vfsv0|vfsv1}
- usrjquota=aquota.user|grpjquota=aquota.group
For more information on features and mount options, see the ext4 man page. Other ext4 features, mount options, or combinations of them may not be fully supported by Red Hat. If your workload requires a feature or mount option that is not fully supported in the Red Hat release, contact Red Hat support to evaluate it for inclusion in the supported list.
(BZ#1741531)
NVMe over RDMA now supports InfiniBand in target mode for IBM Coral systems
In RHEL 8.1, NVMe over RDMA now supports InfiniBand in target mode for IBM Coral systems, with a single NVMe PCIe add-in card as the target.
6.1.10. High availability and clusters
Pacemaker now defaults the concurrent-fencing cluster property to true
If multiple cluster nodes need to be fenced at the same time and they use different configured fence devices, Pacemaker now executes the fencing simultaneously, rather than serialized as before. This can greatly speed up recovery in a large cluster when multiple nodes must be fenced.
Extending a shared logical volume no longer requires a refresh on every cluster node
With this release, extending a shared logical volume no longer requires a refresh on every cluster node after running the lvextend command on one cluster node. For the full procedure to extend the size of a GFS2 file system, see Growing a GFS2 file system.
(BZ#1649086)
Maximum size of a supported RHEL HA cluster increased from 16 to 32 nodes
With this release, Red Hat supports cluster deployments of up to 32 full cluster nodes.
(BZ#1693491)
Commands for adding, changing, and removing corosync links have been added to pcs
The Kronosnet (knet) protocol now allows you to add and remove knet links in running clusters. To support this feature, the pcs command now provides commands to add, change, and remove knet links and to change a udp/udpu link in an existing cluster. For information on adding and modifying links in an existing cluster, see Adding and modifying links in an existing cluster. (BZ#1667058)
6.1.11. Dynamic programming languages, web and database servers
A new module stream: php:7.3
RHEL 8.1 introduces PHP 7.3, which provides a number of new features and enhancements. Notable changes include:
- Enhanced and more flexible heredoc and nowdoc syntaxes
- The PCRE extension upgraded to PCRE2
- Improved multibyte string handling
- Support for LDAP controls
- Improved FastCGI Process Manager (FPM) logging
- Several deprecations and backward incompatible changes
For more information, see Migrating from PHP 7.2.x to PHP 7.3.x.
Note that the RHEL 8 version of PHP 7.3 does not support the Argon2 password hashing algorithm; password_hash() with PASSWORD_DEFAULT continues to use bcrypt.
To install the php:7.3 stream, use:
# yum module install php:7.3
If you want to upgrade from the php:7.2 stream, see Switching to a later stream.
A new module stream: ruby:2.6
A new module stream, ruby:2.6, is now available. Ruby 2.6.3, included in RHEL 8.1, provides numerous new features, enhancements, bug and security fixes, and performance improvements over version 2.5 distributed in RHEL 8.0.
Notable enhancements include:
- Constant names are now allowed to begin with a non-ASCII capital letter.
- Support for an endless range has been added.
- A new Binding#source_location method has been provided.
- $SAFE is now a process global state and it can be set back to 0.
The following performance improvements have been implemented:
- The Proc#call and block.call processes have been optimized.
- A new garbage collector managed heap, Transient heap (theap), has been introduced.
- Native implementations of coroutines for individual architectures have been introduced.
In addition, Ruby 2.5, provided by the ruby:2.5 stream, has been upgraded to version 2.5.5, which provides a number of bug and security fixes.
To install the ruby:2.6 stream, use:
# yum module install ruby:2.6
If you want to upgrade from the ruby:2.5 stream, see Switching to a later stream.
(BZ#1672575)
A new module stream: nodejs:12
RHEL 8.1 introduces Node.js 12, which provides a number of new features and enhancements over version 10. Notable changes include:
- The V8 engine upgraded to version 7.4
- A new default HTTP parser, llhttp (no longer experimental)
- Integrated capability of heap dump generation
- Support for ECMAScript 2015 (ES6) modules
- Improved support for native modules
- Worker threads no longer require a flag
- A new experimental diagnostic report feature
- Improved performance
To install the nodejs:12 stream, use:
# yum module install nodejs:12
If you want to upgrade from the nodejs:10 stream, see Switching to a later stream.
(BZ#1685191)
Judy-devel available in CRB
The Judy-devel package is now available as a part of the mariadb-devel:10.3 module in the CodeReady Linux Builder repository (CRB). As a result, developers are now able to build applications with the Judy library.
To install the Judy-devel package, enable the mariadb-devel:10.3 module first:
# yum module enable mariadb-devel:10.3
# yum install Judy-devel
(BZ#1657053)
FIPS compliance in Python 3
This update adds support for OpenSSL FIPS mode to Python 3. Namely:
- In FIPS mode, the blake2, sha3, and shake hashes use the OpenSSL wrappers and do not offer extended functionality (such as keys, tree hashing, or custom digest size).
- In FIPS mode, the hmac.HMAC class can be instantiated only with an OpenSSL wrapper or a string with an OpenSSL hash name as the digestmod argument. The argument must be specified (instead of defaulting to the md5 algorithm).
Note that hash functions support the usedforsecurity argument, which allows using insecure hashes in OpenSSL FIPS mode. The user is responsible for ensuring compliance with any relevant standards.
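The two rules above (an explicit digestmod for HMAC, usedforsecurity for digests that protect nothing) in working code, as an added example that is not part of the release notes or of the Python project's documentation. It assumes nothing about the running interpreter's FIPS state: the key and message are constructed test vectors, and the fallback in content_fingerprint() covers interpreters that predate the usedforsecurity keyword (RHEL's patched 3.6 and upstream 3.9+ accept it).

```python
"""Added example (not from the RHEL release notes): hashlib and hmac calling
conventions that keep working when Python 3 runs under OpenSSL FIPS mode.

Assumptions (not from the page): SAMPLE_KEY/SAMPLE_MSG are constructed test
vectors; nothing here talks to a FIPS-enabled OpenSSL, the code only shows the
argument discipline the FIPS changes require."""
import hashlib
import hmac

# Constructed sample data (the common "key" / quick-brown-fox HMAC vector).
SAMPLE_KEY = b"key"
SAMPLE_MSG = b"The quick brown fox jumps over the lazy dog"


def mac_tag(key: bytes, msg: bytes, algorithm: str = "sha256") -> str:
    """Return a hex HMAC tag with the digest named explicitly.

    FIPS-mode hmac.HMAC refuses the historical md5 default, and upstream
    Python 3.8+ makes digestmod mandatory in every mode, so always pass it.
    """
    return hmac.new(key, msg, digestmod=algorithm).hexdigest()


def mac_verify(key: bytes, msg: bytes, tag_hex: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison of a received tag against a fresh one."""
    expected = mac_tag(key, msg, algorithm)
    return hmac.compare_digest(expected, tag_hex)


def content_fingerprint(data: bytes) -> str:
    """MD5 used purely as a non-security content identifier (cache key, dedup).

    usedforsecurity=False tells a FIPS-mode OpenSSL that this digest protects
    nothing, which is the only reason it is permitted there. The keyword exists
    in RHEL's patched Python 3.6 and upstream 3.9+; elsewhere the constructor
    raises TypeError for the unknown keyword, so fall back to the plain call.
    """
    try:
        h = hashlib.md5(data, usedforsecurity=False)
    except TypeError:
        h = hashlib.md5(data)
    return h.hexdigest()


def legacy_mac_without_digestmod(key: bytes, msg: bytes) -> str:
    """Show what the old implicit-md5 call does on the running interpreter.

    Returns the exception class name when the call is rejected (FIPS mode, or
    Python >= 3.8 where digestmod is required), otherwise the md5 tag that an
    old interpreter silently produced.
    """
    try:
        return hmac.new(key, msg).hexdigest()  # no digestmod: historically md5
    except (TypeError, ValueError) as exc:
        return type(exc).__name__
```

mac_verify() uses hmac.compare_digest() so a wrong tag is rejected without leaking timing; content_fingerprint() is the one place MD5 is still acceptable, and only because the call labels it as non-security.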
FIPS compliance changes in python3-wheel
This update of the python3-wheel package removes a built-in implementation for signing and verifying data that is not compliant with FIPS.
(BZ#1731526)
A new module stream: nginx:1.16
The nginx 1.16 web and proxy server, which provides a number of new features and enhancements over version 1.14, is now available. For example:
- Numerous updates related to SSL (loading of SSL certificates and secret keys from variables, variable support in the ssl_certificate and ssl_certificate_key directives, a new ssl_early_data directive)
- New keepalive-related directives
- A new random directive for distributed load balancing
- New parameters and improvements to existing directives (port ranges for the listen directive, a new delay parameter for the limit_req directive, which enables two-stage rate limiting)
- A new $upstream_bytes_sent variable
- Improvements to User Datagram Protocol (UDP) proxying
Other notable changes include:
- In the nginx:1.16 stream, the nginx package does not require the nginx-all-modules package, therefore nginx modules must be installed explicitly. When you install nginx as a module, the nginx-all-modules package is installed as a part of the common profile, which is the default profile.
- The ssl directive has been deprecated; use the ssl parameter for the listen directive instead.
- nginx now detects missing SSL certificates during configuration testing.
- When using a host name in the listen directive, nginx now creates listening sockets for all addresses that the host name resolves to.
To install the nginx:1.16 stream, use:
# yum module install nginx:1.16
If you want to upgrade from the nginx:1.14 stream, see Switching to a later stream.
(BZ#1690292)
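As an added example that is not part of the release notes or of nginx itself, the following small audit script scans an nginx configuration for the 1.16 changes listed above (the deprecated ssl directive, a TLS server block missing its certificate files, and limit_req without the new delay parameter); the two embedded configurations and their file paths are constructed for illustration.

```python
"""Added example: line-oriented audit of an nginx configuration for the
nginx:1.16 changes (deprecated 'ssl on', missing certificate files in TLS
server blocks, limit_req without the two-stage 'delay=' parameter).
Not part of nginx or of the release notes; the sample configs are constructed."""
import re
from typing import List

SSL_ON_RE = re.compile(r"ssl\s+on\s*;")
SERVER_OPEN_RE = re.compile(r"server\s*\{")
LISTEN_RE = re.compile(r"listen\s+(.*?);")
LIMIT_REQ_RE = re.compile(r"limit_req\s+(.*?);")


def audit_nginx_config(text: str) -> List[str]:
    """Return one finding per issue, prefixed with its 1-based line number.

    The scanner expects one directive per line and counts braces so that it
    knows which server block a directive belongs to.
    """
    findings: List[str] = []
    depth = 0
    in_server = False
    server_depth = server_start = 0
    tls = has_cert = has_key = False

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # comments carry no directives
        s = line.strip()

        if not in_server and SERVER_OPEN_RE.match(s):
            in_server, server_depth, server_start = True, depth + 1, lineno
            tls = has_cert = has_key = False
        elif in_server:
            if SSL_ON_RE.match(s):
                tls = True  # the block still serves TLS, so certificates are required
                findings.append(f"line {lineno}: 'ssl on' is deprecated in nginx 1.16; "
                                "use the 'ssl' parameter of 'listen' instead")
            m = LISTEN_RE.match(s)
            if m and "ssl" in m.group(1).split():
                tls = True
            if s.startswith("ssl_certificate_key"):
                has_key = True
            elif s.startswith("ssl_certificate"):
                has_cert = True
            m = LIMIT_REQ_RE.match(s)
            if m:
                params = m.group(1).split()
                bursting = any(p.startswith("burst=") for p in params)
                staged = any(p.startswith("delay=") or p == "nodelay" for p in params)
                if bursting and not staged:
                    findings.append(f"line {lineno}: limit_req uses burst= without delay=; "
                                    "nginx 1.16 supports two-stage rate limiting via delay=")

        depth += line.count("{") - line.count("}")
        if in_server and depth < server_depth:
            in_server = False
            if tls and not (has_cert and has_key):
                findings.append(f"line {server_start}: TLS server block lacks ssl_certificate "
                                "and/or ssl_certificate_key; nginx 1.16 reports this at 'nginx -t'")
    return findings


# Constructed sample: a 1.14-era configuration with the patterns the notes call out.
LEGACY_CONF = """\
http {
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    server {
        listen 443;
        ssl on;
        server_name legacy.example.test;
        ssl_certificate     /etc/pki/tls/certs/legacy.crt;
        ssl_certificate_key /etc/pki/tls/private/legacy.key;
    }
    server {
        listen 443 ssl;
        server_name api.example.test;
        ssl_certificate /etc/pki/tls/certs/api.crt;
        location /api/ {
            limit_req zone=api burst=20;
        }
    }
}
"""

# The same configuration rewritten for nginx 1.16 (constructed sample).
UPDATED_CONF = """\
http {
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    server {
        listen 443 ssl;
        server_name api.example.test;
        ssl_certificate     /etc/pki/tls/certs/api.crt;
        ssl_certificate_key /etc/pki/tls/private/api.key;
        location /api/ {
            limit_req zone=api burst=20 delay=10;
        }
    }
}
"""

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("updated", UPDATED_CONF)):
        print(f"{name}: {audit_nginx_config(conf) or ['no findings']}")
```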
perl-IO-Socket-SSL rebased to version 2.066
The perl-IO-Socket-SSL package has been upgraded to version 2.066, which provides a number of bug fixes and enhancements over the previous version, for example:
- Improved support for TLS 1.3, notably a session reuse and an automatic post-handshake authentication on the client side
- Added support for multiple curves, automatic setting of curves, partial trust chains, and support for RSA and ECDSA certificates on the same domain
(BZ#1632600)
perl-Net-SSLeay rebased to version 1.88
The perl-Net-SSLeay package has been upgraded to version 1.88, which provides multiple bug fixes and enhancements. Notable changes include:
- Improved compatibility with OpenSSL 1.1.1, such as manipulating a stack of certificates and X509 stores, and selecting elliptic curves and groups
- Improved compatibility with TLS 1.3, for example, a session reuse and a post-handshake authentication
- Fixed memory leak in the cb_data_advanced_put() subroutine.
(BZ#1632597)
6.1.12. Compilers and development tools
GCC Toolset 9 available
Red Hat Enterprise Linux 8.1 introduces GCC Toolset 9, an Application Stream containing more up-to-date versions of development tools.
The following tools and versions are provided by GCC Toolset 9:
Tool | Version |
---|---|
GCC | 9.1.1 |
GDB | 8.3 |
Valgrind | 3.15.0 |
SystemTap | 4.1 |
Dyninst | 10.1.0 |
binutils | 2.32 |
elfutils | 0.176 |
dwz | 0.12 |
make | 4.2.1 |
strace | 5.1 |
ltrace | 0.7.91 |
annobin | 8.79 |
GCC Toolset 9 is available as an Application Stream in the form of a Software Collection in the AppStream repository. GCC Toolset is a set of tools similar to Red Hat Developer Toolset for RHEL 7.
To install GCC Toolset 9:
# yum install gcc-toolset-9
To run a tool from GCC Toolset 9:
$ scl enable gcc-toolset-9 tool
To run a shell session where tool versions from GCC Toolset 9 take precedence over system versions of these tools:
$ scl enable gcc-toolset-9 bash
For detailed instructions regarding usage, see Using GCC Toolset.
(BZ#1685482)
Upgraded compiler toolsets
The following compiler toolsets, distributed as Application Streams, have been upgraded with RHEL 8.1:
- Clang and LLVM Toolset, which provides the LLVM compiler infrastructure framework, the Clang compiler for the C and C++ languages, the LLDB debugger, and related tools for code analysis, to version 8.0.1
- Rust Toolset, which provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries, to version 1.37
- Go Toolset, which provides the Go (golang) programming language tools and libraries, to version 1.12.8.
(BZ#1731502, BZ#1691975, BZ#1680091, BZ#1677819, BZ#1681643)
SystemTap rebased to version 4.1
The SystemTap instrumentation tool has been updated to upstream version 4.1. Notable improvements include:
- The eBPF runtime backend can handle more features of the scripting language such as string variables and rich formatted printing.
- Performance of the translator has been significantly improved.
- More types of data in optimized C code can now be extracted with DWARF4 debuginfo constructs.
General availability of the DHAT tool
Red Hat Enterprise Linux 8.1 introduces the general availability of the DHAT tool. It is based on the valgrind tool version 3.15.0.
Changes and improvements in valgrind tool functionality include:
- Use --tool=dhat instead of --tool=exp-dhat.
- The --show-top-n and --sort-by options have been removed because the dhat tool now prints the minimal data after the program ends.
- A new viewer, dh_view.html, which is a JavaScript program, contains the profile results. A short message explains how to view the results after the run has ended.
- The documentation for the viewer is located at /usr/libexec/valgrind/dh_view.html.
- The documentation for the DHAT tool is located at /usr/share/doc/valgrind/html/dh-manual.html.
- Support for the RDRAND and F16C instruction set extensions on amd64 (x86_64) has been added.
- In cachegrind, the cg_annotate command has a new option, --show-percs, which prints percentages next to all event counts.
- In callgrind, the callgrind_annotate command has a new option, --show-percs, which prints percentages next to all event counts.
- In massif, the default value for --read-inline-info is now yes.
- In memcheck, the --xtree-leak=yes option, which outputs leak results in xtree format, automatically activates the --show-leak-kinds=all option.
- The new --show-error-list=no|yes option displays the list of detected errors and the used suppressions at the end of the run. Previously, the user could specify the -v option for the valgrind command, which shows a lot of information that might be confusing. The -s option is equivalent to --show-error-list=yes.
(BZ#1683715)
elfutils rebased to version 0.176
The elfutils packages have been updated to upstream version 0.176. This version brings various bug fixes, and resolves the following vulnerabilities:
Notable improvements include:
- The libdw library has been extended with the dwelf_elf_begin() function, which is a variant of elf_begin() that handles compressed files.
- A new --reloc-debug-sections-only option has been added to the eu-strip tool to resolve all trivial relocations between debug sections in place without any other stripping. This functionality is relevant only for ET_REL files in certain circumstances.
(BZ#1683705)
Additional memory allocation checks in glibc
Application memory corruption is a leading cause of application and security defects. Early detection of such corruption, balanced against the cost of detection, can provide significant benefits to application developers.
To improve detection, six additional memory corruption checks have been added to the malloc metadata in the GNU C Library (glibc), which is the core C library in RHEL. These additional checks have been added at a very low cost to runtime performance.
(BZ#1651283)
GDB can access more POWER8 registers
With this update, the GNU debugger (GDB) and its remote stub gdbserver can access the following additional registers and register sets of the POWER8 processor line of IBM:
- PPR
- DSCR
- TAR
- EBB/PMU
- HTM
(BZ#1187581)
binutils disassembler can handle NFP binary files
The disassembler tool from the binutils package has been extended to handle binary files for the Netronome Flow Processor (NFP) hardware series. This functionality is required to enable further features in the bpftool Berkeley Packet Filter (BPF) code compiler.
(BZ#1644391)
Partially writable GOT sections are now supported on the IBM Z architecture
IBM Z binaries using the "lazy binding" feature of the loader can now be hardened by generating partially writable Global Offset Table (GOT) sections. These binaries require a read-write GOT, but not all of its entries need to be writable. This update protects the remaining entries from potential attacks.
(BZ#1525406)
binutils now supports Arch13 processors of IBM Z
This update adds support for the extensions related to the Arch13 processors into the binutils packages on the IBM Z architecture. As a result, it is now possible to build kernels that can use features available in arch13-enabled CPUs on IBM Z.
(BZ#1659437)
Dyninst rebased to version 10.1.0
The Dyninst instrumentation library has been updated to upstream version 10.1.0. Notable changes include:
- Dyninst supports the Linux PowerPC Little Endian (ppcle) and 64-bit ARM (aarch64) architectures.
- Start-up time has been improved by using parallel code analysis.
(BZ#1648441)
Date formatting updates for the Japanese Reiwa era
The GNU C Library now provides correct Japanese era name formatting for the Reiwa era starting on May 1st, 2019. The time handling API data has been updated, including the data used by the strftime and strptime functions. All APIs will correctly print the Reiwa era, including when strftime is used along with one of the era conversion specifiers such as %EC, %EY, or %Ey.
(BZ#1577438)
Performance Co-Pilot rebased to version 4.3.2
In RHEL 8.1, the Performance Co-Pilot (PCP) tool has been updated to upstream version 4.3.2. Notable improvements include:
- New metrics have been added: Linux kernel entropy, pressure stall information, Nvidia GPU statistics, and more.
- Tools such as pcp-dstat, pcp-atop, the perfevent PMDA, and others have been updated to report the new metrics.
- The pmseries and pmproxy utilities for a performant PCP integration with Grafana have been updated.
This release is backward compatible for libraries, over-the-wire protocol and on-disk PCP archive format.
6.1.13. Identity Management
IdM now supports Ansible roles and modules for installation and management
This update introduces the ansible-freeipa package, which provides Ansible roles and modules for Identity Management (IdM) deployment and management. You can use Ansible roles to install and uninstall IdM servers, replicas, and clients. You can use Ansible modules to manage IdM groups, topology, and users. There are also example playbooks available.
This update simplifies the installation and configuration of IdM-based solutions.
(JIRA:RHELPLAN-2542)
New tool to test the overall fitness of IdM deployment: Healthcheck
This update introduces the Healthcheck tool in Identity Management (IdM). The tool provides tests verifying that the current IdM server is configured and running correctly.
The major areas currently covered are:
- Certificate configuration and expiration dates
- Replication errors
- Replication topology
- AD Trust configuration
- Service status
- File permissions of important configuration files
- Filesystem space
The Healthcheck tool is available in the command-line interface (CLI).
(JIRA:RHELPLAN-13066)
IdM now supports renewing expired system certificates when the server is offline
With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new ipa-cert-fix command replaces the workaround of manually setting the date back to proceed with the renewal process. As a result, downtime and support costs are reduced in this scenario.
(JIRA:RHELPLAN-13074)
Identity Management supports trust with Windows Server 2019
When using Identity Management, you can now establish a supported forest trust to Active Directory forests that run on Windows Server 2019. The supported forest and domain functional levels are unchanged and are supported up to the Windows Server 2016 level.
(JIRA:RHELPLAN-15036)
samba rebased to version 4.10.4
The samba packages have been upgraded to upstream version 4.10.4, which provides a number of bug fixes and enhancements over the previous version:
- Samba 4.10 fully supports Python 3. Note that future Samba versions will not have any runtime support for Python 2.
- The JavaScript Object Notation (JSON) logging feature now logs the Windows event ID and logon type for authentication messages.
- The new vfs_glusterfs_fuse file system in user space (FUSE) module improves the performance when Samba accesses a GlusterFS volume. To enable this module, add glusterfs_fuse to the vfs_objects parameter of the share in the /etc/samba/smb.conf file. Note that vfs_glusterfs_fuse does not replace the existing vfs_glusterfs module.
- The server message block (SMB) client Python bindings are now deprecated and will be removed in a future Samba release. This only affects users who use the Samba Python bindings to write their own utilities.
Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
For further information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.10.0.html
(BZ#1638001)
Updated system-wide certificate store location for OpenLDAP
The default location for trusted CAs for OpenLDAP has been updated to use the system-wide certificate store (/etc/pki/ca-trust/source) instead of /etc/openldap/certs. This change has been made to simplify the setting up of CA trust.
No additional setup is required to set up CA trust, unless you have service-specific requirements. For example, if you require an LDAP server's certificate to be trusted only for LDAP client connections, you must set up the CA certificates as you did previously.
(JIRA:RHELPLAN-7109)
New ipa-crl-generation commands have been introduced to simplify managing the IdM CRL master
This update introduces the ipa-crl-generation status/enable/disable commands. These commands, run by the root user, simplify work with the Certificate Revocation List (CRL) in IdM. Previously, moving the CRL generation master from one IdM CA server to another was a lengthy, manual and error-prone procedure.
The ipa-crl-generation status command checks if the current host is the CRL generation master. The ipa-crl-generation enable command makes the current host the CRL generation master in IdM if the current host is an IdM CA server. The ipa-crl-generation disable command stops CRL generation on the current host.
Additionally, the ipa-server-install --uninstall command now includes a safeguard checking whether the host is the CRL generation master. This way, IdM ensures that the system administrator does not remove the CRL generation master from the topology.
(JIRA:RHELPLAN-13068)
OpenID Connect support in keycloak-httpd-client-install
The keycloak-httpd-client-install identity provider previously supported only SAML (Security Assertion Markup Language) authentication with the mod_auth_mellon authentication module. This rebase introduces support for the mod_auth_openidc authentication module, which allows you to also configure OpenID Connect authentication.
The keycloak-httpd-client-install identity provider allows an Apache instance to be configured as an OpenID Connect client by configuring mod_auth_openidc.
(BZ#1553890)
Setting up IdM as a hidden replica is now available as a Technology Preview
This enhancement enables administrators to set up an Identity Management (IdM) replica as a hidden replica. A hidden replica is an IdM server that has all services running and available. However, it is not advertised to other clients or masters because no SRV records exist for the services in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas.
Hidden replicas are primarily designed for dedicated services that can otherwise disrupt clients. For example, a full backup of IdM requires shutting down all IdM services on the master or replica. Since no clients use a hidden replica, administrators can temporarily shut down the services on this host without affecting any clients. Other use cases include high-load operations on the IdM API or the LDAP server, such as a mass import or extensive queries.
To install a new hidden replica, use the ipa-replica-install --hidden-replica command. To change the state of an existing replica, use the ipa server-state command.
SSSD now enforces AD GPOs by default
The default setting for the SSSD option ad_gpo_access_control is now enforcing. In RHEL 8, SSSD enforces access control rules based on Active Directory Group Policy Objects (GPOs) by default.
Red Hat recommends ensuring GPOs are configured correctly in Active Directory before upgrading from RHEL 7 to RHEL 8. If you do not want to enforce GPOs, change the value of the ad_gpo_access_control option in the /etc/sssd/sssd.conf file to permissive.
(JIRA:RHELPLAN-51289)
6.1.14. Desktop
Modified workspace switcher in GNOME Classic
The workspace switcher in the GNOME Classic environment has been modified. The switcher is now located in the right part of the bottom bar, and it is designed as a horizontal strip of thumbnails. Switching between workspaces is possible by clicking on the required thumbnail. Alternatively, you can also use the combination of Ctrl+Alt+down/up arrow keys to switch between workspaces. The content of the active workspace is shown in the left part of the bottom bar in the form of the window list.
When you press the Super key within a particular workspace, you can see the window picker, which includes all windows that are open in this workspace. However, the window picker no longer displays the following elements that were available in the previous release of RHEL:
- dock (vertical bar on the left side of the screen)
- workspace switcher (vertical bar on the right side of the screen)
- search entry
For particular tasks that were previously achieved with the help of these elements, adopt the following approaches:
- To launch applications, instead of using the dock, you can:
  - Use the Applications menu on the top bar
  - Press the Alt+F2 keys to make the Enter a Command screen appear, and write the name of the executable into this screen.
- To switch between workspaces, instead of using the vertical workspace switcher, use the horizontal workspace switcher in the right bottom bar.
- If you require the search entry or the vertical workspace switcher, use the GNOME Standard environment instead of GNOME Classic.
6.1.15. Graphics infrastructures
DRM rebased to Linux kernel version 5.1
The Direct Rendering Manager (DRM) kernel graphics subsystem has been rebased to upstream Linux kernel version 5.1, which provides a number of bug fixes and enhancements over the previous version. Most notably:
- The mgag200 driver has been updated. The driver continues providing support for HPE Proliant Gen10 Systems, which use Matrox G200 eH3 GPUs. The updated driver also supports current and new Dell EMC PowerEdge Servers.
- The nouveau driver has been updated to provide hardware enablement to current and future Lenovo platforms that use NVIDIA GPUs.
- The i915 display driver has been updated for continued support of current and new Intel GPUs.
- Bug fixes for Aspeed AST BMC display chips have been added.
- Support for AMD Raven 2 set of Accelerated Processing Units (APUs) has been added.
- Support for AMD Picasso APUs has been added.
- Support for AMD Vega GPUs has been added.
- Support for Intel Amber Lake-Y and Intel Comet Lake-U GPUs has been added.
(BZ#1685552)
Support for AMD Picasso graphic cards
This update introduces the amdgpu graphics driver. As a result, AMD Picasso graphics cards are now fully supported on RHEL 8.
(BZ#1685427)
6.1.16. The web console
Enabling and disabling SMT
Simultaneous Multi-Threading (SMT) configuration is now available in RHEL 8. Disabling SMT in the web console allows you to mitigate a class of CPU security vulnerabilities such as:
Adding a search box in the Services page
The Services page now has a search box for filtering services by:
- Name
- Description
- State
In addition, service states have been merged into one list. The switcher buttons at the top of the page have also been changed to tabs to improve user experience of the Services page.
Adding support for firewall zones
The firewall settings on the Networking page now support:
- Adding and removing zones
- Adding or removing services to arbitrary zones
- Configuring custom ports in addition to firewalld services
Adding improvements to Virtual Machines configuration
With this update, the RHEL 8 web console includes a lot of improvements in the Virtual Machines page. You can now:
- Manage various types of storage pools
- Configure VM autostart
- Import existing qcow images
- Install VMs through PXE boot
- Change memory allocation
- Pause/resume VMs
- Configure cache characteristics (directsync, writeback)
- Change the boot order
6.1.17. Red Hat Enterprise Linux system roles
A new storage role added to RHEL system roles
The storage role has been added to the RHEL system roles provided by the rhel-system-roles package. The storage role can be used to manage local storage using Ansible.
Currently, the storage role supports the following types of tasks:
- Managing file systems on whole disks
- Managing LVM volume groups
- Managing logical volumes and their file systems
For more information, see Managing file systems and Configuring and managing logical volumes.
(BZ#1691966)
6.1.18. Virtualization
WALinuxAgent rebased to version 2.2.38
The WALinuxAgent package has been upgraded to upstream version 2.2.38, which provides a number of bug fixes and enhancements over the previous version.
In addition, WALinuxAgent is no longer compatible with Python 2 or with applications dependent on Python 2. As a result, applications and extensions written in Python 2 will need to be converted to Python 3 to establish compatibility with WALinuxAgent.
Windows automatically finds the needed virtio-win drivers
Windows can now automatically find the virtio-win drivers it needs from the driver ISO without requiring the user to select the folder in which they are located.
KVM supports 5-level paging
With Red Hat Enterprise Linux 8, KVM virtualization supports the 5-level paging feature. On selected host CPUs, this significantly increases the physical and virtual address space that the host and guest systems can use.
(BZ#1526548)
Smart card sharing is now supported on Windows guests with ActivClient drivers
This update adds support for smart card sharing in virtual machines (VMs) that use a Windows guest OS and ActivClient drivers. This enables smart card authentication for user logins using emulated or shared smart cards on these VMs.
(BZ#1615840)
New options have been added for virt-xml
The virt-xml utility can now use the following command-line options:
- --no-define - Changes done to the virtual machine (VM) by the virt-xml command are not saved into persistent configuration.
- --start - Starts the VM after performing the requested changes.
Using these two options together allows users to change the configuration of a VM and start the VM with the new configuration without making the changes persistent. For example, the following command changes the boot order of the testguest VM to network for the next boot, and initiates the boot:
virt-xml testguest --start --no-define --edit --boot network
(JIRA:RHELPLAN-13960)
IBM z14 GA2 CPUs supported by KVM
With this update, KVM supports the IBM z14 GA2 CPU model. This makes it possible to create virtual machines on IBM z14 GA2 hosts that use RHEL 8 as the host OS with an IBM z14 GA2 CPU in the guest.
(JIRA:RHELPLAN-13649)
Nvidia NVLink2 is now compatible with virtual machines on IBM POWER9
Nvidia VGPUs that support the NVLink2 feature can now be assigned to virtual machines (VMs) running in a RHEL 8 host on an IBM POWER9 system. This makes it possible for these VMs to use the full performance potential of NVLink2.
(JIRA:RHELPLAN-12811)
6.2. New Drivers
Network Drivers
- Serial Line Internet Protocol support (slip.ko.xz)
- Platform CAN bus driver for Bosch C_CAN controller (c_can_platform.ko.xz)
- virtual CAN interface (vcan.ko.xz)
- Softing DPRAM CAN driver (softing.ko.xz)
- serial line CAN interface (slcan.ko.xz)
- CAN driver for EMS Dr. Thomas Wuensche CAN/USB interfaces (ems_usb.ko.xz)
- CAN driver for esd CAN-USB/2 and CAN-USB/Micro interfaces (esd_usb2.ko.xz)
- Socket-CAN driver for SJA1000 on the platform bus (sja1000_platform.ko.xz)
- Socket-CAN driver for PLX90xx PCI-bridge cards with the SJA1000 chips (plx_pci.ko.xz)
- Socket-CAN driver for EMS CPC-PCI/PCIe/104P CAN cards (ems_pci.ko.xz)
- Socket-CAN driver for KVASER PCAN PCI cards (kvaser_pci.ko.xz)
- Intel® 2.5G Ethernet Linux Driver (igc.ko.xz)
- Realtek 802.11ac wireless PCI driver (rtwpci.ko.xz)
- Realtek 802.11ac wireless core module (rtw88.ko.xz)
- MediaTek MT76 devices support (mt76.ko.xz)
- MediaTek MT76x0U (USB) support (mt76x0u.ko.xz)
- MediaTek MT76x2U (USB) support (mt76x2u.ko.xz)
Graphics Drivers and Miscellaneous Drivers
- Virtual Kernel Mode Setting (vkms.ko.xz)
- Intel GTT (Graphics Translation Table) routines (intel-gtt.ko.xz)
- Xen frontend/backend page directory based shared buffer handling (xen-front-pgdir-shbuf.ko.xz)
- LED trigger for audio mute control (ledtrig-audio.ko.xz)
- Host Wireless Adapter Radio Control Driver (hwa-rc.ko.xz)
- Network Block Device (nbd.ko.xz)
- Pericom PI3USB30532 Type-C mux driver (pi3usb30532.ko.xz)
- Fairchild FUSB302 Type-C Chip Driver (fusb302.ko.xz)
- TI TPS6598x USB Power Delivery Controller Driver (tps6598x.ko.xz)
- Intel PCH Thermal driver (intel_pch_thermal.ko.xz)
- PCIe AER software error injector (aer_inject.ko.xz)
- Simple stub driver for PCI SR-IOV PF device (pci-pf-stub.ko.xz)
- mISDN Digital Audio Processing support (mISDN_dsp.ko.xz)
- ISDN layer 1 for Cologne Chip HFC-4S/8S chips (hfc4s8s_l1.ko.xz)
- ISDN4Linux: Call diversion support (dss1_divert.ko.xz)
- CAPI4Linux: Userspace /dev/capi20 interface (capi.ko.xz)
- USB Driver for Gigaset 307x (bas_gigaset.ko.xz)
- ISDN4Linux: Driver for HYSDN cards (hysdn.ko.xz)
- mISDN driver for Winbond w6692 based cards (w6692.ko.xz)
- mISDN driver for CCD’s hfc-pci based cards (hfcpci.ko.xz)
- mISDN driver for hfc-4s/hfc-8s/hfc-e1 based cards (hfcmulti.ko.xz)
- mISDN driver for NETJet (netjet.ko.xz)
- mISDN driver for AVM FRITZ!CARD PCI ISDN cards (avmfritz.ko.xz)
Storage Drivers
- NVMe over Fabrics TCP host (nvme-tcp.ko.xz)
- NVMe over Fabrics TCP target (nvmet-tcp.ko.xz)
- device-mapper writecache target (dm-writecache.ko.xz)
6.3. Updated Drivers
Network Driver Updates
- QLogic FastLinQ 4xxxx Ethernet Driver (qede.ko.xz) has been updated to version 8.37.0.20.
- QLogic FastLinQ 4xxxx Core Module (qed.ko.xz) has been updated to version 8.37.0.20.
- Broadcom BCM573xx network driver (bnxt_en.ko.xz) has been updated to version 1.10.0.
- QLogic BCM57710/57711/57711E/57712/57712_MF/57800/57800_MF/57810/57810_MF/57840/57840_MF Driver (bnx2x.ko.xz) has been updated to version 1.713.36-0.
- Intel® Gigabit Ethernet Network Driver (igb.ko.xz) has been updated to version 5.6.0-k.
- Intel® 10 Gigabit Virtual Function Network Driver (ixgbevf.ko.xz) has been updated to version 4.1.0-k-rh8.1.0.
- Intel® 10 Gigabit PCI Express Network Driver (ixgbe.ko.xz) has been updated to version 5.1.0-k-rh8.1.0.
- Intel® Ethernet Switch Host Interface Driver (fm10k.ko.xz) has been updated to version 0.26.1-k.
- Intel® Ethernet Connection E800 Series Linux Driver (ice.ko.xz) has been updated to version 0.7.4-k.
- Intel® Ethernet Connection XL710 Network Driver (i40e.ko.xz) has been updated to version 2.8.20-k.
- The Netronome Flow Processor (NFP) driver (nfp.ko.xz) has been updated to version 4.18.0-147.el8.x86_64.
- Elastic Network Adapter (ENA) (ena.ko.xz) has been updated to version 2.0.3K.
Graphics and Miscellaneous Driver Updates
- Standalone drm driver for the VMware SVGA device (vmwgfx.ko.xz) has been updated to version 2.15.0.0.
- hpe watchdog driver (hpwdt.ko.xz) has been updated to version 2.0.2.
Storage Driver Updates
- Driver for HP Smart Array Controller version 3.4.20-170-RH3 (hpsa.ko.xz) has been updated to version 3.4.20-170-RH3.
- LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas.ko.xz) has been updated to version 28.100.00.00.
- Emulex LightPulse Fibre Channel SCSI driver 12.2.0.3 (lpfc.ko.xz) has been updated to version 0:12.2.0.3.
- QLogic QEDF 25/40/50/100Gb FCoE Driver (qedf.ko.xz) has been updated to version 8.37.25.20.
- Cisco FCoE HBA Driver (fnic.ko.xz) has been updated to version 1.6.0.47.
- QLogic Fibre Channel HBA Driver (qla2xxx.ko.xz) has been updated to version 10.01.00.15.08.1-k1.
- Driver for Microsemi Smart Family Controller version 1.2.6-015 (smartpqi.ko.xz) has been updated to version 1.2.6-015.
- QLogic FastLinQ 4xxxx iSCSI Module (qedi.ko.xz) has been updated to version 8.33.0.21.
- Broadcom MegaRAID SAS Driver (megaraid_sas.ko.xz) has been updated to version 07.707.51.00-rc1.
6.4. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 8.1 that have a significant impact on users.
6.4.1. Installer and image creation
Using the version or inst.version kernel boot parameters no longer stops the installation program
Previously, booting the installation program from the kernel command line using the version or inst.version boot parameters printed the version, for example anaconda 30.25.6, and stopped the installation program.
With this update, the version and inst.version parameters are ignored when the installation program is booted from the kernel command line, and as a result, the installation program is not stopped.
(BZ#1637472)
The xorg-x11-drv-fbdev, xorg-x11-drv-vesa, and xorg-x11-drv-vmware video drivers are now installed by default
Previously, workstations with specific models of NVIDIA graphics cards and workstations with specific AMD accelerated processing units did not display the graphical login window after a RHEL 8.0 Server installation. This issue also impacted virtual machines relying on EFI for graphics support, such as Hyper-V. With this update, the xorg-x11-drv-fbdev, xorg-x11-drv-vesa, and xorg-x11-drv-vmware video drivers are installed by default and the graphical login window is displayed after a RHEL 8.0 and later Server installation.
(BZ#1687489)
Rescue mode no longer fails without displaying an error message
Previously, running rescue mode on a system with no Linux partitions resulted in the installation program failing with an exception. With this update, the installation program displays the error message “You don’t have any Linux partitions” when a system with no Linux partitions is detected.
(BZ#1628653)
The installation program now sets the lvm_metadata_backup Blivet flag for image installations
Previously, the installation program failed to set the lvm_metadata_backup Blivet flag for image installations. As a consequence, LVM backup files were located in the /etc/lvm/ subdirectory after an image installation. With this update, the installation program sets the lvm_metadata_backup Blivet flag, and as a result, there are no LVM backup files located in the /etc/lvm/ subdirectory after an image installation.
(BZ#1673901)
The RHEL 8 installation program now handles strings from RPM
Previously, when the python3-rpm library returned a string, the installation program failed with an exception. With this update, the installation program can now handle strings from RPM.
The inst.repo kernel boot parameter now works for a repository on a hard drive that has a non-root path
Previously, the RHEL 8 installation process could not proceed without manual intervention if the inst.repo=hd:<device>:<path> kernel boot parameter was pointing to a repository (not an ISO image) on a hard drive, and a non-root (/) path was used. With this update, the installation program can now propagate any <path> for a repository located on a hard drive, ensuring the installation proceeds as normal.
The --changesok option now allows the installation program to change the root password
Previously, using the --changesok option when installing Red Hat Enterprise Linux 8 from a Kickstart file did not allow the installation program to change the root password. With this update, the --changesok option is successfully passed by Kickstart, and as a result, users specifying the pwpolicy root --changesok option in their Kickstart file can now change the root password using the GUI, even if the password has already been set by Kickstart.
(BZ#1584145)
Image Building no longer fails when using the lorax-composer API
Previously, when using the lorax-composer API from a subscribed RHEL system, the image building process always failed. Anaconda could not access the repositories, because the subscription certificates from the host were not passed through. To fix the issue, update the lorax-composer, pykickstart, and anaconda packages, which allows the supported CDN certificates to be passed through.
6.4.2. Shells and command-line tools
systemd in debug mode no longer produces unnecessary log messages
When using the systemd system and service manager in debug mode, systemd previously produced unnecessary and harmless log messages that started with:
"Failed to add rule for system call ..."
With this update, systemd
has been fixed to no longer produce these unnecessary debug messages.
6.4.3. Security
fapolicyd no longer prevents RHEL updates
When an update replaces the binary of a running application, the kernel modifies the application binary path in memory by appending the " (deleted)" suffix. Previously, the fapolicyd file access policy daemon treated such applications as untrusted, and prevented them from opening and executing any other files. As a consequence, the system was sometimes unable to boot after applying updates.
With the release of the RHBA-2020:5241 advisory, fapolicyd ignores the suffix in the binary path so the binary can match the trust database. As a result, fapolicyd enforces the rules correctly and the update process can finish.
(BZ#1897092)
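The following is an added example, not fapolicyd's own code, that models the matching problem described above: the executable path reported for a running process carries the " (deleted)" suffix after its file on disk is replaced, so a lookup keyed on the raw path never hits the trust database. The trust database format (path, size, SHA-256, one entry per line) mirrors the fapolicyd.trust layout, but the entries and file contents here are constructed, and the process's size and digest are assumed to be read from the still-mapped original file.

```python
"""Added example: trust-database lookup with and without stripping the
kernel's " (deleted)" suffix from a running binary's path."""
import hashlib

DELETED_SUFFIX = " (deleted)"

# Constructed file contents; the trust entries below are derived from them.
CONSTRUCTED_FILES = {
    "/usr/bin/example-daemon": b"#!/bin/sh\necho running\n",
}


def build_trust_db(files):
    """Return {path: (size, sha256)} in the spirit of fapolicyd.trust entries."""
    return {
        path: (len(data), hashlib.sha256(data).hexdigest())
        for path, data in files.items()
    }


def exe_path_from_proc(raw_link):
    """Normalize the target of /proc/<pid>/exe.

    Once the binary on disk is replaced by an update, the kernel reports the
    mapped executable as "<path> (deleted)".  The fixed daemon ignores that
    suffix; the old behaviour used the raw path and so never matched.
    """
    if raw_link.endswith(DELETED_SUFFIX):
        return raw_link[: -len(DELETED_SUFFIX)]
    return raw_link


def is_trusted(trust_db, raw_link, size, digest, strip_suffix=True):
    """Return True if the running executable matches a trust entry."""
    path = exe_path_from_proc(raw_link) if strip_suffix else raw_link
    entry = trust_db.get(path)
    if entry is None:
        return False
    return entry == (size, digest)


def demo():
    """Compare old and fixed behaviour for a binary replaced mid-update."""
    trust_db = build_trust_db(CONSTRUCTED_FILES)
    data = CONSTRUCTED_FILES["/usr/bin/example-daemon"]
    size, digest = len(data), hashlib.sha256(data).hexdigest()
    raw = "/usr/bin/example-daemon (deleted)"  # what readlink shows mid-update
    return {
        "old_behaviour": is_trusted(trust_db, raw, size, digest, strip_suffix=False),
        "fixed_behaviour": is_trusted(trust_db, raw, size, digest),
    }


if __name__ == "__main__":
    print(demo())
```

The only difference between the two outcomes is the path normalization step; size and digest checks are unchanged, which is why the fix does not weaken the trust decision.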
SELinux no longer prevents Tomcat from sending emails
Prior to this update, the SELinux policy did not allow the tomcat_t and pki_tomcat_t domains to connect to SMTP ports. Consequently, SELinux denied applications on the Tomcat server from sending emails. With this update of the selinux-policy packages, the policy allows processes from the Tomcat domains to access SMTP ports, and SELinux no longer prevents applications on Tomcat from sending emails.
(BZ#1687798)
lockdev now runs correctly with SELinux
Previously, the lockdev tool could not transition into the lockdev_t context even though the SELinux policy for lockdev_t was defined. As a consequence, lockdev was allowed to run in the ‘unconfined_t’ domain when used by the root user. This introduced vulnerabilities into the system. With this update, the transition into lockdev_t has been defined, and lockdev can now be used correctly with SELinux in enforcing mode.
(BZ#1673269)
iotop now runs correctly with SELinux
Previously, the iotop tool could not transition into the iotop_t context even though the SELinux policy for iotop_t was defined. As a consequence, iotop was allowed to run in the ‘unconfined_t’ domain when used by the root user. This introduced vulnerabilities into the system. With this update, the transition into iotop_t has been defined, and iotop can now be used correctly with SELinux in enforcing mode.
(BZ#1671241)
SELinux now properly handles NFS ‘crossmnt’
The NFS protocol with the crossmnt option automatically creates internal mounts when a process accesses a subdirectory already used as a mount point on the server. Previously, this caused SELinux to check whether the process accessing an NFS mounted directory had a mount permission, which caused AVC denials. In the current version, SELinux permission checking skips these internal mounts. As a result, accessing an NFS directory that is mounted on the server side does not require mount permission.
(BZ#1647723)
An SELinux policy reload no longer causes false ENOMEM errors
Reloading the SELinux policy previously caused the internal security context lookup table to become unresponsive. Consequently, when the kernel encountered a new security context during a policy reload, the operation failed with a false "Out of memory" (ENOMEM) error. With this update, the internal Security Identifier (SID) lookup table has been redesigned and no longer freezes. As a result, the kernel no longer returns misleading ENOMEM errors during an SELinux policy reload.
(BZ#1656787)
Unconfined domains can now use smc_socket
Previously, the SELinux policy did not have the allow rules for the smc_socket class. Consequently, SELinux blocked access to smc_socket for the unconfined domains. With this update, the allow rules have been added to the SELinux policy. As a result, the unconfined domains can use smc_socket.
(BZ#1683642)
Kerberos cleanup procedures are now compatible with GSSAPIDelegateCredentials and the default cache from krb5.conf
Previously, when the default_ccache_name option was configured in the krb5.conf file, the Kerberos credentials were not cleaned up with the GSSAPIDelegateCredentials and GSSAPICleanupCredentials options set. This bug is now fixed by updating the source code to clean up credential caches in the described use cases. After the configuration, the credential cache gets cleaned up on exit if the user configures it.
OpenSSH now correctly handles PKCS #11 URIs for keys with mismatching labels
Previously, specifying PKCS #11 URIs with the object part (key label) could prevent OpenSSH from finding related objects in PKCS #11. With this update, the label is ignored if the matching objects are not found, and keys are matched only by their IDs. As a result, OpenSSH is now able to use keys on smart cards referenced using full PKCS #11 URIs.
(BZ#1671262)
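As an added example (not OpenSSH's code), the following parses the path attributes of a PKCS #11 URI (RFC 7512 syntax) and selects a token object the way the fix describes: a label and id that both match win, and when the object= label matches nothing the label is ignored and the key is selected by id alone. The token object list is constructed, and the `ignore_unmatched_label` switch is a hypothetical name used here only to show the old and the fixed behaviour side by side.

```python
"""Added example: PKCS #11 URI parsing and object selection with an
id-only fallback when the label in the URI does not match."""
from urllib.parse import unquote_to_bytes


def parse_pkcs11_uri(uri):
    """Return the path attributes of a pkcs11: URI as {name: bytes}.

    Only the path component (before any '?') is parsed; query attributes
    such as pin-value are not needed for object selection.  Values are
    percent-decoded to bytes because 'id' is binary (e.g. id=%01).
    """
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path = rest.split("?", 1)[0]
    attrs = {}
    for item in path.split(";"):
        if not item:
            continue
        name, eq, value = item.partition("=")
        if not eq:
            raise ValueError("malformed path attribute: %r" % item)
        attrs[name] = unquote_to_bytes(value)
    return attrs


def find_key(objects, uri, ignore_unmatched_label=True):
    """Pick a token object for the URI.

    objects: list of dicts with 'label' (str) and 'id' (bytes).
    Old behaviour (ignore_unmatched_label=False): a non-matching object=
    label meant no key was found.  Fixed behaviour: the label is dropped
    when nothing matches it and the key is selected by id alone.
    """
    attrs = parse_pkcs11_uri(uri)
    want_label = attrs.get("object")
    want_id = attrs.get("id")
    if want_id is None and want_label is None:
        raise ValueError("URI names neither an object label nor an id")

    def matches(obj, use_label):
        if want_id is not None and obj["id"] != want_id:
            return False
        if use_label and want_label is not None:
            if obj["label"].encode("utf-8") != want_label:
                return False
        return True

    for obj in objects:
        if matches(obj, use_label=True):
            return obj
    if ignore_unmatched_label and want_id is not None:
        for obj in objects:
            if matches(obj, use_label=False):
                return obj
    return None


# Constructed token contents, as a smart card might list them.
CONSTRUCTED_TOKEN = [
    {"label": "PIV AUTH key", "id": b"\x01", "type": "private"},
    {"label": "Digital Signature key", "id": b"\x02", "type": "private"},
]


if __name__ == "__main__":
    uri = "pkcs11:object=my%20ssh%20key;id=%02;type=private"
    print(find_key(CONSTRUCTED_TOKEN, uri, ignore_unmatched_label=False))
    print(find_key(CONSTRUCTED_TOKEN, uri))
```

Note that the fallback only applies when the URI carries an id; a URI that names only a label still fails closed when that label is absent from the token.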
SSH connections with VMware-hosted systems now work properly
The previous version of the OpenSSH suite introduced a change of the default IP Quality of Service (IPQoS) flags in SSH packets, which was not correctly handled by the VMware virtualization platform. Consequently, it was not possible to establish an SSH connection with systems on VMware. The problem has been fixed in VMWare Workstation 15, and SSH connections with VMware-hosted systems now work correctly.
(BZ#1651763)
curve25519-sha256 is now supported by default in OpenSSH
Previously, the curve25519-sha256 SSH key exchange algorithm was missing in the system-wide crypto policies configurations for the OpenSSH client and server even though it was compliant with the default policy level. As a consequence, if a client or a server used curve25519-sha256 and this algorithm was not supported by the host, the connection might fail. This update of the crypto-policies package fixes the bug, and SSH connections no longer fail in the described scenario.
Ansible playbooks for OSPP and PCI-DSS profiles no longer exit after encountering a failure
Previously, Ansible remediations for the Security Content Automation Protocol (OSPP) and the Payment Card Industry Data Security Standard (PCI-DSS) profiles failed due to incorrect ordering and other errors in the remediations. This update fixes the ordering and errors in generated Ansible remediation playbooks, and Ansible remediations now work correctly.
Audit transport=KRB5 now works properly
Prior to this update, Audit KRB5 transport mode did not work correctly. Consequently, Audit remote logging using the Kerberos peer authentication did not work. With this update, the problem has been fixed, and Audit remote logging now works properly in the described scenario.
6.4.4. Networking
The kernel now supports destination MAC addresses in bitmap:ipmac, hash:ipmac, and hash:mac IP set types
Previously, the kernel implementation of the bitmap:ipmac, hash:ipmac, and hash:mac IP set types only allowed matching on the source MAC address, while destination MAC addresses could be specified, but were not matched against set entries. As a consequence, administrators could create iptables rules that used a destination MAC address in one of these IP set types, but packets matching the given specification were not actually classified. With this update, the kernel compares the destination MAC address and returns a match if the specified classification corresponds to the destination MAC address of a packet. As a result, rules that match packets against the destination MAC address now work correctly.
(BZ#1649087)
The gnome-control-center application now supports editing advanced IPsec settings
Previously, the gnome-control-center application only displayed the advanced options of IPsec VPN connections. Consequently, users could not change these settings. With this update, the fields in the advanced settings are now editable, and users can save the changes.
The TRACE target in the iptables-extensions(8) man page has been updated
Previously, the description of the TRACE target in the iptables-extensions(8) man page referred only to the compat variant, but Red Hat Enterprise Linux 8 uses the nf_tables variant. As a consequence, the man page did not reference the xtables-monitor command-line utility to display TRACE events. The man page has been updated and, as a result, now mentions xtables-monitor.
Error logging in the ipset service has been improved
Previously, the ipset service did not report configuration errors with a meaningful severity in the systemd logs. The severity level for invalid configuration entries was only informational, and the service did not report errors for an unusable configuration. As a consequence, it was difficult for administrators to identify and troubleshoot issues in the ipset service’s configuration. With this update, ipset reports configuration issues as warnings in systemd logs and, if the service fails to start, it logs an entry with the error severity including further details. As a result, it is now easier to troubleshoot issues in the configuration of the ipset service.
The ipset service now ignores invalid configuration entries during startup
The ipset service stores configurations as sets in separate files. Previously, when the service started, it restored the configuration from all sets in a single operation, without filtering invalid entries that can be inserted by manually editing a set. As a consequence, if a single configuration entry was invalid, the service did not restore further unrelated sets. The problem has been fixed. As a result, the ipset service detects invalid configuration entries during the restore operation, ignores them, and restores the remaining sets.
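The two ipset service notes above (warning-level reporting of bad entries, and continuing the restore past them) are illustrated by this added example; it is not the ipset service's own code. It reads set files in the `create NAME TYPE ...` / `add NAME ENTRY` form that `ipset save` produces, validates each `add` line against the set's type, reports problems at warning severity, and raises an error-level entry only when no usable set remains. The set contents, the small list of supported set types, and the validation rules are constructed for the example.

```python
"""Added example: restore ipset save-format lines, skipping and reporting
invalid entries instead of abandoning the whole restore."""
import ipaddress
import logging
import re

log = logging.getLogger("ipset-restore")
logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")

# Subset of set types handled by this example (constructed, not exhaustive).
KNOWN_TYPES = {"hash:ip", "bitmap:ip", "hash:net", "hash:mac",
               "hash:ipmac", "bitmap:ipmac"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def _valid_entry(set_type, entry):
    """Return True if 'entry' is syntactically valid for 'set_type'."""
    try:
        if set_type in ("hash:ip", "bitmap:ip"):
            ipaddress.ip_address(entry)
        elif set_type == "hash:net":
            ipaddress.ip_network(entry, strict=False)
        elif set_type == "hash:mac":
            return bool(MAC_RE.match(entry))
        elif set_type in ("hash:ipmac", "bitmap:ipmac"):
            ip, sep, mac = entry.partition(",")
            ipaddress.ip_address(ip)
            return bool(sep) and bool(MAC_RE.match(mac))
        else:
            return False
        return True
    except ValueError:
        return False


def restore(lines):
    """Return (restore_lines, problems).

    restore_lines: the lines that would be passed on to `ipset restore`.
    problems: list of (severity, message) as the service would log them.
    """
    sets, keep, problems = {}, [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "create" and len(parts) >= 3:
            name, set_type = parts[1], parts[2]
            if set_type not in KNOWN_TYPES:
                problems.append(("warning", f"line {lineno}: unknown set type {set_type}"))
                continue
            sets[name] = set_type
            keep.append(line)
        elif parts[0] == "add" and len(parts) == 3:
            name, entry = parts[1], parts[2]
            if name not in sets:
                problems.append(("warning", f"line {lineno}: entry for undefined set {name}"))
            elif not _valid_entry(sets[name], entry):
                problems.append(("warning", f"line {lineno}: invalid {sets[name]} entry {entry!r}"))
            else:
                keep.append(line)
        else:
            problems.append(("warning", f"line {lineno}: unrecognized line {line!r}"))
    if not sets:
        problems.append(("error", "no usable set definitions; service cannot start"))
    for severity, message in problems:
        log.log(logging.ERROR if severity == "error" else logging.WARNING, message)
    return keep, problems


# Constructed set file with two hand-edited bad entries and a stray line.
CONSTRUCTED_SET_FILE = [
    "create blocked_macs hash:mac",
    "add blocked_macs 00:11:22:33:44:55",
    "add blocked_macs not-a-mac",
    "create allowed_nets hash:net family inet",
    "add allowed_nets 192.0.2.0/24",
    "add allowed_nets 198.51.100.300/24",
    "add missing_set 10.0.0.1",
]

if __name__ == "__main__":
    kept, _ = restore(CONSTRUCTED_SET_FILE)
    print("\n".join(kept))
```

Three entries are reported as warnings and the four good lines still go through, so one bad edit no longer takes the unrelated set down with it; an input with no usable `create` line is the only case escalated to error severity.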
The ipset list command reports consistent memory for hash set types
When you add entries to a hash set type, the ipset utility must resize the in-memory representation to make room for the new entries by allocating an additional memory block. Previously, ipset set the total per-set allocated size to only the size of the new block instead of adding the value to the current in-memory size. As a consequence, the ipset list command reported an inconsistent memory size. With this update, ipset correctly calculates the in-memory size. As a result, the ipset list command now displays the correct in-memory size of the set, and the output matches the actual allocated memory for hash set types.
(BZ#1714111)
The kernel now correctly updates PMTU when receiving an ICMPv6 Packet Too Big message
In certain situations, such as for link-local addresses, more than one route can match a source address. Previously, the kernel did not check the input interface when receiving Internet Control Message Protocol Version 6 (ICMPv6) packets. Therefore, the route lookup could return a destination that did not match the input interface. Consequently, when receiving an ICMPv6 Packet Too Big message, the kernel could update the Path Maximum Transmission Unit (PMTU) for a different input interface. With this update, the kernel checks the input interface during the route lookup. As a result, the kernel now updates the correct destination based on the source address and PMTU works as expected in the described scenario.
(BZ#1721961)
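The ambiguity described above can be seen in a small simulation, added here as an example rather than taken from the kernel: the same link-local prefix is reachable on two interfaces, so a lookup keyed on the address alone returns whichever route comes first, and the PMTU is lowered on the wrong interface. The routing table is constructed, and the `check_iif` switch is a hypothetical name used only to contrast the old and the fixed lookup.

```python
"""Added example: route lookup with and without the input-interface check
when handling an ICMPv6 Packet Too Big message."""
import ipaddress


class Route:
    def __init__(self, prefix, iface, pmtu=1500):
        self.prefix = ipaddress.ip_network(prefix)
        self.iface = iface
        self.pmtu = pmtu  # per-route path MTU, starts at the link MTU

    def __repr__(self):
        return f"Route({self.prefix}, {self.iface}, pmtu={self.pmtu})"


def make_routes():
    """Constructed table: one link-local prefix present on two interfaces."""
    return [
        Route("fe80::/64", "eth0"),
        Route("fe80::/64", "eth1"),
        Route("2001:db8::/32", "eth1"),
    ]


def lookup(routes, addr, iif=None):
    """Longest-prefix match for addr; if iif is given, only routes on that
    interface are candidates (the check the fix adds)."""
    addr = ipaddress.ip_address(addr)
    best = None
    for route in routes:
        if addr not in route.prefix:
            continue
        if iif is not None and route.iface != iif:
            continue
        if best is None or route.prefix.prefixlen > best.prefix.prefixlen:
            best = route
    return best


def handle_packet_too_big(routes, src, iif, mtu, check_iif=True):
    """Apply a Packet Too Big message received on 'iif' from 'src'.

    Returns the interface whose route had its PMTU updated, or None.
    With check_iif=False the lookup ignores the arrival interface, which is
    the old behaviour and the source of the misattributed PMTU update.
    """
    route = lookup(routes, src, iif if check_iif else None)
    if route is None:
        return None
    if mtu < route.pmtu:
        route.pmtu = mtu
    return route.iface


if __name__ == "__main__":
    for check in (False, True):
        table = make_routes()
        updated = handle_packet_too_big(table, "fe80::1", "eth1", 1280, check_iif=check)
        print(f"check_iif={check}: PMTU changed on {updated}: {table}")
```

With the check disabled the message that arrived on eth1 lowers the PMTU of the eth0 route; with the check, only the eth1 route changes.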
The /etc/hosts.allow and /etc/hosts.deny files no longer contain outdated references to the removed tcp_wrappers package
Previously, the /etc/hosts.allow and /etc/hosts.deny files contained outdated information about the tcp_wrappers package. The files have been removed in RHEL 8, as they are no longer needed: the tcp_wrappers package itself has been removed.
6.4.5. Kernel
tpm2-abrmd-selinux now has a proper dependency on selinux-policy-targeted
Previously, the tpm2-abrmd-selinux package had a dependency on the selinux-policy-base package instead of the selinux-policy-targeted package. Consequently, if a system had selinux-policy-minimum installed instead of selinux-policy-targeted, installation of the tpm2-abrmd-selinux package failed. This update fixes the bug and tpm2-abrmd-selinux can be installed correctly in the described scenario.
(BZ#1642000)
All /sys/kernel/debug files can be accessed
Previously, the return value for the "Operation not permitted" (EPERM) error remained set until the end of the function regardless of the error. Consequently, any attempts to access certain /sys/kernel/debug (debugfs) files failed with an unwarranted EPERM error. This update moves the EPERM return value to the following block. As a result, debugfs files can be accessed without problems in the described scenario.
(BZ#1686755)
NICs are no longer affected by a bug in the qede driver for the 41000 and 45000 FastLinQ series
Previously, firmware upgrade and debug data collection operations failed due to a bug in the qede driver for the 41000 and 45000 FastLinQ series. It made the NIC unusable. A reboot (PCI reset) of the host made the NIC operational again.
This issue could occur in the following scenarios:
- during the upgrade of the NIC firmware using the inbox driver
- during the collection of debug data by running the ethtool -d ethx command
- while running an sosreport command that included ethtool -d ethx
- during the initiation of automatic debug data collection by the inbox driver, such as on an I/O timeout, a Mail Box Command time-out, or a Hardware Attention
To fix this issue, Red Hat released an erratum via a Red Hat Bug Advisory (RHBA). Before the release of the RHBA, it was recommended to create a case at https://access.redhat.com/support to request a supported fix.
(BZ#1697310)
The generic EDAC GHES driver now detects which DIMM reported an error
Previously, the EDAC GHES driver was not able to detect which DIMM reported an error. Consequently, the following error message appeared:
DIMM location: not present. DMI handle: 0x<ADDRESS>
The driver has now been updated to scan the DMI (SMBIOS) tables to detect the specific DIMM that matches the Desktop Management Interface (DMI) handle 0x<ADDRESS>. As a result, EDAC GHES correctly detects which specific DIMM reported a hardware error.
(BZ#1721386)
podman is able to checkpoint containers in RHEL 8
Previously, the version of the Checkpoint and Restore In Userspace (CRIU) package was outdated. Consequently, CRIU did not support container checkpoint and restore functionality, and the podman utility failed to checkpoint containers. When running the podman container checkpoint command, the following error message was displayed:
'checkpointing a container requires at least CRIU 31100'
This update fixes the problem by upgrading the version of the CRIU package. As a result, podman now supports container checkpoint and restore functionality.
(BZ#1689746)
early-kdump and standard kdump no longer fail if the add_dracutmodules+=earlykdump option is used in dracut.conf
Previously, an inconsistency occurred between the kernel version being installed for early-kdump and the kernel version initramfs was generated for. As a consequence, booting failed when early-kdump was enabled. In addition, if early-kdump detected that it was being included in a standard kdump initramfs image, it forced an exit. Therefore the standard kdump service also failed when trying to rebuild the kdump initramfs if early-kdump was added as a default dracut module. As a consequence, early-kdump and standard kdump both failed. With this update, early-kdump uses the consistent kernel name during the installation; only the version differs from the running kernel. Also, the standard kdump service now forcibly drops early-kdump to avoid image generation failure. As a result, early-kdump and standard kdump no longer fail in the described scenario.
(BZ#1662911)
The first kernel with SME enabled now succeeds in dumping the vmcore
Previously, the encrypted memory in the first kernel with the active Secure Memory Encryption (SME) feature caused a failure of the kdump mechanism. Consequently, the first kernel was not able to dump the contents (vmcore) of its memory. With this update, the ioremap_encrypted() function has been added to remap the encrypted memory and modify the related code. As a result, the encrypted first kernel’s memory is now properly accessed, and the vmcore can be dumped and parsed by the crash tools in the described scenario.
(BZ#1564427)
The first kernel with SEV enabled now succeeds in dumping the vmcore
Previously, the encrypted memory in the first kernel with the active Secure Encrypted Virtualization (SEV) feature caused a failure of the kdump mechanism. Consequently, the first kernel was not able to dump the contents (vmcore) of its memory. With this update, the ioremap_encrypted() function has been added to remap the encrypted memory and modify the related code. As a result, the first kernel’s encrypted memory is now properly accessed, and the vmcore can be dumped and parsed by the crash tools in the described scenario.
(BZ#1646810)
Kernel now reserves more space for SWIOTLB
Previously, when the Secure Encrypted Virtualization (SEV) or Secure Memory Encryption (SME) features were enabled in the kernel, the Software Input Output Translation Lookaside Buffer (SWIOTLB) technology had to be enabled as well and consumed a significant amount of memory. Consequently, the capture kernel failed to boot or got an out-of-memory error. This update fixes the bug by reserving extra crashkernel memory for SWIOTLB while SEV/SME is active. As a result, the capture kernel has more memory reserved for SWIOTLB and the bug no longer appears in the described scenario.
(BZ#1728519)
C-state transitions can now be disabled during hwlatdetect runs
To achieve real-time performance, the hwlatdetect utility needs to be able to disable power saving in the CPU during test runs. This update allows hwlatdetect to turn off C-state transitions for the duration of the test run, and hwlatdetect is now able to detect hardware latencies more accurately.
6.4.6. Hardware enablement
The openmpi package can now be installed
Previously, a rebase of the opensm package changed its soname mechanism. As a consequence, the openmpi package could not be installed due to unresolved dependencies. This update fixes the problem. As a result, the openmpi package can now be installed without any issue.
(BZ#1717289)
6.4.7. File systems and storage
The RHEL 8 installation program now uses the entry ID to set the default boot entry
Previously, the RHEL 8 installation program used the index of the first boot entry as the default, instead of using the entry ID. As a consequence, adding a new boot entry became the default, as it was sorted first and set to the first index. With this update, the installation program uses the entry ID to set the default boot entry, and as a result, the default entry is not changed, even if boot entries are added and sorted before the default.
The system now boots successfully when SME is enabled with smartpqi
Previously, the system failed to boot on certain AMD machines when the Secure Memory Encryption (SME) feature was enabled and the root disk was using the smartpqi driver.
When the boot failed, the system displayed a message similar to the following in the boot log:
smartpqi 0000:23:00.0: failed to allocate PQI error buffer
This problem was caused by the smartpqi driver, which was falling back to the Software Input Output Translation Lookaside Buffer (SWIOTLB) because the coherent Direct Memory Access (DMA) mask was not set.
With this update, the coherent DMA mask is now correctly set. As a result, the system now boots successfully when SME is enabled on machines that use the smartpqi driver for the root disk.
(BZ#1712272)
FCoE LUNs do not disappear after being created on the bnx2fc cards
Previously, after creating a FCoE LUN on the bnx2fc cards, the FCoE LUNs were not attached correctly. As a consequence, FCoE LUNs disappeared after being created on the bnx2fc cards on RHEL 8.0. With this update, FCoE LUNs are attached correctly. As a result, it is now possible to discover the FCoE LUNs after they are created on the bnx2fc cards.
(BZ#1685894)
VDO volumes no longer lose deduplication advice after moving to a different-endian platform
Previously, the Universal Deduplication Service (UDS) index lost all deduplication advice after moving the VDO volume to a platform that used a different endian. As a consequence, VDO was unable to deduplicate newly written data against the data that was stored before you moved the volume, leading to lower space savings.
With this update, you can now move VDO volumes between platforms that use different endians without losing deduplication advice.
kdump service works on large IBM POWER systems
Previously, the RHEL 8 kdump kernel did not start. As a consequence, the kdump initrd file on large IBM POWER systems was not created. With this update, the squashfs-tools-4.3-19.el8 component is added. This update adds a limit (128) to the number of CPUs which the squashfs-tools-4.3-19.el8 component can use from the available pool (instead of using all the available CPUs). This fixes the running-out-of-resources error. As a result, the kdump service now works on large IBM POWER systems.
(BZ#1716278)
Verbosity debug options now added to nfs.conf
Previously, the /etc/nfs.conf file and the nfs.conf(5) man page did not include the following options:
- verbosity
- rpc-verbosity
As a consequence, users were unaware of the availability of these debug flags. With this update, these flags are now included in the [gssd] section of the /etc/nfs.conf file and are also documented in the nfs.conf(8) man page.
(BZ#1668026)
6.4.8. Dynamic programming languages, web and database servers
Socket::inet_aton() can now be used from multiple threads safely
Previously, the Socket::inet_aton() function, used for resolving a domain name from multiple Perl threads, called the unsafe gethostbyname() glibc function. Consequently, an incorrect IPv4 address was occasionally returned, or the Perl interpreter terminated unexpectedly. With this update, the Socket::inet_aton() implementation has been changed to use the thread-safe getaddrinfo() glibc function instead of gethostbyname(). As a result, the inet_aton() function from the Perl Socket module can be used from multiple threads safely.
6.4.9. Compilers and development tools
gettext returns untranslated text even when out of memory
Previously, the gettext() function for text localization returned the NULL value instead of text when out of memory, resulting in applications lacking text output or labels. The bug has been fixed, and gettext() now returns untranslated text when out of memory, as expected.
The locale command now warns about LOCPATH being set whenever it encounters an error during execution
Previously, the locale command did not provide any diagnostics for the LOCPATH environment variable when it encountered errors due to an invalid LOCPATH. The locale command is now set to warn that LOCPATH has been set any time it encounters an error during execution. As a result, locale now reports LOCPATH along with any underlying errors that it encounters.
gdb can now read and correctly represent z registers in core files on aarch64 SVE
Previously, the gdb component failed to read z registers from core files with the aarch64 scalable vector extension (SVE) architecture. With this update, the gdb component is now able to read z registers from core files. As a result, the info register command successfully shows the z register contents.
(BZ#1669953)
GCC rebased to version 8.3.1
The GNU Compiler Collection (GCC) has been updated to upstream version 8.3.1. This version brings a large number of miscellaneous bug fixes.
6.4.10. Identity Management
FreeRADIUS now resolves hostnames pointing to IPv6 addresses
In previous RHEL 8 versions of FreeRADIUS, the ipaddr utility only supported IPv4 addresses. Consequently, for the radiusd daemon to resolve IPv6 addresses, a manual update of the configuration was required after an upgrade of the system from RHEL 7 to RHEL 8. This update fixes the underlying code, and ipaddr in FreeRADIUS now uses IPv6 addresses, too.
The Nuxwdog service no longer fails to start the PKI server in HSM environments
Previously, due to bugs, the keyutils package was not installed as a dependency of the pki-core package. Additionally, the Nuxwdog watchdog service failed to start the public key infrastructure (PKI) server in environments that use a hardware security module (HSM). These problems have been fixed. As a result, the required keyutils package is now installed automatically as a dependency, and Nuxwdog starts the PKI server as expected in environments with an HSM.
The IdM server now works correctly in the FIPS mode
Previously, the SSL connector for the Tomcat server was incompletely implemented. As a consequence, the Identity Management (IdM) server with an installed certificate server did not work on machines with the FIPS mode enabled. This bug has been fixed by adding JSSTrustManager and JSSKeyManager. As a result, the IdM server works correctly in the described scenario.
Note that there are several bugs that prevent the IdM server from running in the FIPS mode in RHEL 8. This update fixes just one of them.
The KCM credential cache is now suitable for a large number of credentials in a single credential cache
Previously, if the Kerberos Credential Manager (KCM) contained a large number of credentials, Kerberos operations, such as kinit, failed due to a limitation of the size of entries in the database and the number of these entries.
This update introduces the following new configuration options to the kcm section of the sssd.conf file:
- max_ccaches (integer)
- max_uid_ccaches (integer)
- max_ccache_size (integer)
As a result, KCM can now handle a large number of credentials in a single ccache.
For further information on the configuration options, see the sssd-kcm man page.
(BZ#1448094)
Samba no longer denies access when using the sss ID mapping plug-in
Previously, when you ran Samba on the domain member with this configuration and added a configuration that used the sss ID mapping back end to the /etc/samba/smb.conf file to share directories, changes in the ID mapping back end caused errors. Consequently, Samba denied access to files in certain cases, even if the user or group existed and it was known by SSSD. The problem has been fixed. As a result, Samba no longer denies access when using the sss plug-in.
Default SSSD time-out values no longer conflict with each other
Previously, there was a conflict between the default time-out values. The default values for the following options have been changed to improve the failover capability:
- dns_resolver_op_timeout - set to 2s (previously 6s)
- dns_resolver_timeout - set to 4s (previously 6s)
- ldap_opt_timeout - set to 8s (previously 6s)
Also, a new dns_resolver_server_timeout option, with a default value of 1000 ms, has been added, which specifies the time-out duration for SSSD to switch from one DNS server to another.
(BZ#1382750)
6.4.11. Desktop
systemctl isolate multi-user.target now displays the console prompt
When running the systemctl isolate multi-user.target command from GNOME Terminal in a GNOME Desktop session, only a cursor was displayed, and not the console prompt. This update fixes gdm, and the console prompt is now displayed as expected in the described situation.
6.4.12. Graphics infrastructures
The 'i915' display driver now supports display configurations up to 3×4K.
Previously, it was not possible to have display configurations larger than 2×4K when using the 'i915' display driver in an Xorg session. With this update, the 'i915' driver now supports display configurations up to 3×4K.
(BZ#1664969)
Linux guests no longer display an error when initializing the GPU driver
Previously, Linux guests returned a warning when initializing the GPU driver. This happened because Intel Graphics Virtualization Technology -g (GVT-g) only simulates the DisplayPort (DP) interface for the guest and leaves the ‘EDP_PSR_IMR’ and ‘EDP_PSR_IIR’ registers as default memory-mapped I/O (MMIO) read/write registers. To resolve this issue, handlers have been added to these registers and the warning is no longer returned.
(BZ#1643980)
6.4.13. The web console
It is possible to log in to the RHEL web console with the session_recording shell
Previously, it was not possible for users of the tlog shell (which enables session recording) to log in to the RHEL web console. This update fixes the bug. The previous workaround of adding the tlog-rec-session shell to /etc/shells/ should be reverted after installing this update.
(BZ#1631905)
6.4.14. Virtualization
Hot-plugging PCI devices to a pcie-to-pci bridge controller works correctly
Previously, if a guest virtual machine configuration contained a pcie-to-pci-bridge controller that had no endpoint devices attached to it at the time the guest was started, hot-plugging new devices to that controller was not possible. This update improves how hot-plugging legacy PCI devices on a PCIe system is handled, which prevents the problem from occurring.
Enabling nested virtualization no longer blocks live migration
Previously, the nested virtualization feature was incompatible with live migration. As a consequence, enabling nested virtualization on a RHEL 8 host prevented migrating any virtual machines (VMs) from the host, as well as saving VM state snapshots to disk. This update fixes the described problem, and the impacted VMs are now possible to migrate.
6.4.15. Supportability
redhat-support-tool now creates an sosreport archive
Previously, the redhat-support-tool utility was unable to create an sosreport archive. The workaround was running the sosreport command separately and then entering the redhat-support-tool addattachment -c command to upload the archive. Users can also use the web UI on the Customer Portal, which creates the customer case and uploads the sosreport archive.
In addition, command options such as findkerneldebugs, btextract, analyze, or diagnose do not work as expected and will be fixed in a future release.
6.5. Technology Previews
This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.1.
For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.
6.5.1. Networking
TIPC has full support
The Transparent Inter Process Communication (TIPC) protocol is specially designed for efficient communication within clusters of loosely paired nodes. It works as a kernel module and provides a tipc tool in the iproute2 package to allow designers to create applications that can communicate quickly and reliably with other applications regardless of their location within the cluster. This feature is now fully supported in RHEL 8.
(BZ#1581898)
eBPF for tc available as a Technology Preview
As a Technology Preview, the Traffic Control (tc) kernel subsystem and the tc tool can attach extended Berkeley Packet Filtering (eBPF) programs as packet classifiers and actions for both ingress and egress queueing disciplines. This enables programmable packet processing inside the kernel network data path.
nmstate available as a Technology Preview
Nmstate is a network API for hosts. The nmstate packages, available as a Technology Preview, provide a library and the nmstatectl command-line utility to manage host network settings in a declarative manner. The networking state is described by a pre-defined schema. Reporting of the current state and changes to the desired state both conform to the schema.
For further details, see the /usr/share/doc/nmstate/README.md file and the examples in the /usr/share/doc/nmstate/examples directory.
(BZ#1674456)
AF_XDP available as a Technology Preview
The Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It accompanies XDP and grants efficient redirection of programmatically selected packets to user space applications for further processing.
(BZ#1633143)
XDP available as a Technology Preview
The eXpress Data Path (XDP) feature, which is available as a Technology Preview, provides a means to attach extended Berkeley Packet Filter (eBPF) programs for high-performance packet processing at an early point in the kernel ingress data path, allowing efficient programmable packet analysis, filtering, and manipulation.
(BZ#1503672)
KTLS available as a Technology Preview
In Red Hat Enterprise Linux 8, Kernel Transport Layer Security (KTLS) is provided as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also provides the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that support this functionality.
(BZ#1570255)
The systemd-resolved service is now available as a Technology Preview
The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, and a Link-Local Multicast Name Resolution (LLMNR) and Multicast DNS resolver and responder.
Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview.
(BZ#1906489)
6.5.2. Kernel
Control Group v2 available as a Technology Preview in RHEL 8
Control Group v2 mechanism is a unified hierarchy control group. Control Group v2 organizes processes hierarchically and distributes system resources along the hierarchy in a controlled and configurable manner.
Unlike the previous version, Control Group v2 has only a single hierarchy. This single hierarchy enables the Linux kernel to:
- Categorize processes based on the role of their owner.
- Eliminate issues with conflicting policies of multiple hierarchies.
Control Group v2 supports numerous controllers:
- CPU controller regulates the distribution of CPU cycles. This controller implements:
  - Weight and absolute bandwidth limit models for normal scheduling policy.
  - Absolute bandwidth allocation model for real time scheduling policy.
- Memory controller regulates the memory distribution. Currently, the following types of memory usages are tracked:
  - Userland memory - page cache and anonymous memory.
  - Kernel data structures such as dentries and inodes.
  - TCP socket buffers.
- I/O controller regulates the distribution of I/O resources.
- Writeback controller interacts with both Memory and I/O controllers and is Control Group v2 specific.
The information above is based on https://www.kernel.org/doc/Documentation/cgroup-v2.txt. Refer to the same document for more information about particular Control Group v2 controllers.
kexec fast reboot as a Technology Preview
The kexec fast reboot feature continues to be available as a Technology Preview. Rebooting is now significantly faster thanks to kexec fast reboot. To use this feature, load the kexec kernel manually, and then reboot the operating system.
eBPF available as a Technology Preview
Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions.
The virtual machine includes a new system call, bpf(), which supports creating various types of maps, and also allows loading programs in a special assembly-like code. The code is then loaded to the kernel and translated to native machine code with just-in-time compilation. Note that the bpf() syscall can be successfully used only by a user with the CAP_SYS_ADMIN capability, such as the root user. See the bpf(2) man page for more information.
The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet reception) to receive and process data.
There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported. All components are available as a Technology Preview, unless a specific component is indicated as supported.
The following notable eBPF components are currently available as a Technology Preview:
- The BPF Compiler Collection (BCC) tools package, a collection of dynamic kernel tracing utilities that use the eBPF virtual machine. The BCC tools package is available as a Technology Preview on the following architectures: the 64-bit ARM architecture, IBM Power Systems, Little Endian, and IBM Z. Note that it is fully supported on the AMD and Intel 64-bit architectures.
- bpftrace, a high-level tracing language that utilizes the eBPF virtual machine.
- The eXpress Data Path (XDP) feature, a networking technology that enables fast packet processing in the kernel using the eBPF virtual machine.
(BZ#1559616)
Soft-RoCE available as a Technology Preview
Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol which implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which supports two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL 8.
(BZ#1605216)
6.5.3. Hardware enablement
The igc driver available as a Technology Preview for RHEL 8
The igc Intel 2.5G Ethernet Linux wired LAN driver is now available on all architectures for RHEL 8 as a Technology Preview. The ethtool utility also supports igc wired LANs.
(BZ#1495358)
6.5.4. File systems and storage
NVMe/TCP is available as a Technology Preview
Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) and its corresponding nvme-tcp.ko and nvmet-tcp.ko kernel modules have been added as a Technology Preview.
The use of NVMe/TCP as either a storage client or a target is manageable with tools provided by the nvme-cli and nvmetcli packages.
NVMe/TCP provides a storage transport option along with the existing NVMe over Fabrics (NVMe-oF) transports, which include Remote Direct Memory Access (RDMA) and Fibre Channel (NVMe/FC).
(BZ#1696451)
File system DAX is now available for ext4 and XFS as a Technology Preview
In Red Hat Enterprise Linux 8.1, file system DAX is available as a Technology Preview. DAX provides a means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that supports DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.
(BZ#1627455)
OverlayFS
OverlayFS is a type of union file system. It enables you to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media.
OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs warnings when this technology is activated.
Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions:
- OverlayFS is supported for use only as a container engine graph driver or other specialized use cases, such as squashed kdump initramfs. Its use is supported primarily for container COW content, not for persistent storage. You must place any persistent storage on non-OverlayFS volumes. You can use only the default container engine configuration: one level of overlay, one lowerdir, and both lower and upper levels are on the same file system.
- Only XFS is currently supported for use as a lower layer file system.
Additionally, the following rules and limitations apply to using OverlayFS:
- The OverlayFS kernel ABI and user-space behavior are not considered stable, and might change in future updates.
- OverlayFS provides a restricted set of the POSIX standards. Test your application thoroughly before deploying it with OverlayFS. The following cases are not POSIX-compliant:
  - Lower files opened with O_RDONLY do not receive st_atime updates when the files are read.
  - Lower files opened with O_RDONLY, then mapped with MAP_SHARED are inconsistent with subsequent modification.
  Fully compliant st_ino or d_ino values are not enabled by default on RHEL 8, but you can enable full POSIX compliance for them with a module option or mount option. To get consistent inode numbering, use the xino=on mount option. You can also use the redirect_dir=on and index=on options to improve POSIX compliance. These two options make the format of the upper layer incompatible with an overlay without these options. That is, you might get unexpected results or errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the overlay without these options.
- To determine whether an existing XFS file system is eligible for use as an overlay, use the following command and see if the ftype=1 option is enabled:
  # xfs_info /mount-point | grep ftype
- SELinux security labels are enabled by default in all supported container engines with OverlayFS.
- Several known issues are associated with OverlayFS in this release. For details, see Non-standard behavior in the Linux kernel documentation.
For more information about OverlayFS, see the Linux kernel documentation.
(BZ#1690207)
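The two checks described above, the ftype=1 requirement on the lower XFS file system and the xino, redirect_dir and index mount options, as an added Python example that is not part of the release note or of any Red Hat tool; the xfs_info output and the /proc/mounts lines are constructed samples, and the option check only reports which of the three options is not set.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `xfs_info /mount-point` output (not captured from a real host).
SAMPLE_XFS_INFO_FTYPE1 = """\
meta-data=/dev/mapper/rhel-root  isize=512    agcount=4, agsize=3276800 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=1, sparse=1, rmapbt=0
         =                       reflink=1
data     =                       bsize=4096   blocks=13107200, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
log      =internal log           bsize=4096   blocks=6400, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
"""
# The same sample for a file system created without ftype (ineligible as a lower layer).
SAMPLE_XFS_INFO_FTYPE0 = SAMPLE_XFS_INFO_FTYPE1.replace("ftype=1", "ftype=0")

# Constructed /proc/mounts lines: a plain XFS root and one overlay mounted with xino=on only.
SAMPLE_MOUNTS = """\
/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
overlay /var/lib/containers/storage/overlay/1a2b/merged overlay rw,context="system_u:object_r:container_file_t:s0",relatime,lowerdir=/var/lib/containers/storage/overlay/l/ABCDEF,upperdir=/var/lib/containers/storage/overlay/1a2b/diff,workdir=/var/lib/containers/storage/overlay/1a2b/work,xino=on 0 0
"""

# Mount options the release note names for better POSIX compliance.
POSIX_OPTIONS = ("xino", "redirect_dir", "index")


def xfs_ftype_enabled(xfs_info_output: str) -> bool:
    """True when the 'naming' line of xfs_info reports ftype=1."""
    match = re.search(r"^naming\s*=.*\bftype=(\d)", xfs_info_output, re.MULTILINE)
    return match is not None and match.group(1) == "1"


@dataclass
class OverlayMount:
    mountpoint: str
    options: Dict[str, str] = field(default_factory=dict)


def parse_overlay_mount(mounts_line: str) -> Optional[OverlayMount]:
    """Parse one /proc/mounts line; return None unless the fstype is 'overlay'."""
    fields = mounts_line.split()
    if len(fields) < 4 or fields[2] != "overlay":
        return None
    options: Dict[str, str] = {}
    for option in fields[3].split(","):
        key, _, value = option.partition("=")
        options[key] = value  # bare flags such as 'rw' get an empty value
    return OverlayMount(mountpoint=fields[1], options=options)


def missing_posix_options(mount: OverlayMount) -> List[str]:
    """Options from the release note that are absent or not set to 'on'."""
    return [opt for opt in POSIX_OPTIONS if mount.options.get(opt) != "on"]


def overlay_report(xfs_info_output: str, mounts_text: str) -> List[str]:
    """Combine both checks into human-readable findings."""
    findings: List[str] = []
    if not xfs_ftype_enabled(xfs_info_output):
        findings.append("lower XFS file system lacks ftype=1; not eligible as an overlay lower layer")
    for line in mounts_text.splitlines():
        mount = parse_overlay_mount(line)
        if mount is None:
            continue
        missing = missing_posix_options(mount)
        if missing:
            findings.append(f"{mount.mountpoint}: POSIX-compliance options not enabled: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in overlay_report(SAMPLE_XFS_INFO_FTYPE0, SAMPLE_MOUNTS):
        print(finding)
```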
Stratis is now available as a Technology Preview
Stratis is a new local storage manager. It provides managed file systems on top of pools of storage with additional features to the user.
Stratis enables you to more easily perform storage tasks such as:
- Manage snapshots and thin provisioning
- Automatically grow file system sizes as needed
- Maintain file systems
To administer Stratis storage, use the stratis utility, which communicates with the stratisd background service.
Stratis is provided as a Technology Preview.
For more information, see the Stratis documentation: Setting up Stratis file systems.
(JIRA:RHELPLAN-1212)
A Samba server, available to IdM and AD users logged into IdM hosts, can now be set up on an IdM domain member as a Technology Preview
With this update, you can now set up a Samba server on an Identity Management (IdM) domain member. The new ipa-client-samba utility provided by the same-named package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For example, the utility creates the /etc/samba/smb.conf with the ID mapping configuration for the sss ID mapping back end. As a result, administrators can now set up Samba on an IdM domain member.
Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows hosts cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not support resolving IdM groups using the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) protocols. As a consequence, AD users can only access the Samba shares and printers from IdM clients.
For details, see Setting up Samba on an IdM domain member.
(JIRA:RHELPLAN-13195)
6.5.5. High availability and clusters
Pacemaker podman bundles available as a Technology Preview
Pacemaker container bundles now run on the podman container platform, with the container bundle feature being available as a Technology Preview. There is one exception to this feature being Technology Preview: Red Hat fully supports the use of Pacemaker bundles for Red Hat Openstack.
(BZ#1619620)
Heuristics in corosync-qdevice available as a Technology Preview
Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which partition should be quorate.
New fence-agents-heuristics-ping fence agent
As a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.
If the heuristics agent is configured on the same fencing level as the fence agent that does the actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the agent that does the fencing. If the heuristics agent gives a negative result for the off action, it is already clear that the fencing level is not going to succeed, causing Pacemaker fencing to skip the step of issuing the off action on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent the agent that does the actual fencing from fencing a node under certain conditions.
A user might want to use this agent, especially in a two-node cluster, when it would not make sense for a node to fence the peer if it can know beforehand that it would not be able to take over the services properly. For example, it might not make sense for a node to take over services if it has problems reaching the networking uplink, making the services unreachable to clients, a situation that a ping to a router might detect.
(BZ#1775847)
6.5.6. Identity Management
Identity Management JSON-RPC API available as Technology Preview
An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as Technology Preview.
In Red Hat Enterprise Linux 7.3, the IdM API was enhanced to enable multiple versions of API commands. Previously, enhancements could change the behavior of a command in an incompatible way. Users are now able to continue using existing tools and scripts even if the IdM API changes. This enables:
- Administrators to use previous or later versions of IdM on the server than on the managing client.
- Developers to use a specific version of an IdM call, even if the IdM version changes on the server.
In all cases, communication with the server is possible regardless of whether one side uses, for example, a newer version that introduces new options for a feature.
For details on using the API, see Using the Identity Management API to Communicate with the IdM Server (TECHNOLOGY PREVIEW).
DNSSEC available as Technology Preview in IdM
Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.
Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:
- DNSSEC Operational Practices, Version 2: http://tools.ietf.org/html/rfc6781#section-2
- Secure Domain Name System (DNS) Deployment Guide: http://dx.doi.org/10.6028/NIST.SP.800-81-2
- DNSSEC Key Rollover Timing Considerations: http://tools.ietf.org/html/rfc7583
Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.
6.5.7. Graphics infrastructures
VNC remote console available as a Technology Preview for the 64-bit ARM architecture
On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available as a Technology Preview. Note that the rest of the graphics stack is currently unverified for the 64-bit ARM architecture.
(BZ#1698565)
6.5.8. Red Hat Enterprise Linux system roles
The postfix role of RHEL system roles available as a Technology Preview
Red Hat Enterprise Linux system roles provide a configuration interface for Red Hat Enterprise Linux subsystems, which makes system configuration easier through the inclusion of Ansible Roles. This interface enables managing system configurations across multiple versions of Red Hat Enterprise Linux, as well as adopting new major releases.
The rhel-system-roles packages are distributed through the AppStream repository.
The postfix role is available as a Technology Preview.
The following roles are fully supported:
- kdump
- network
- selinux
- storage
- timesync
For more information, see the Knowledgebase article about RHEL system roles.
(BZ#1812552)
rhel-system-roles-sap available as a Technology Preview
The rhel-system-roles-sap package provides Red Hat Enterprise Linux (RHEL) system roles for SAP, which can be used to automate the configuration of a RHEL system to run SAP workloads. These roles greatly reduce the time to configure a system to run SAP workloads by automatically applying the optimal settings that are based on best practices outlined in relevant SAP Notes. Access is limited to RHEL for SAP Solutions offerings. Please contact Red Hat Customer Support if you need assistance with your subscription.
The following new roles in the rhel-system-roles-sap package are available as a Technology Preview:
- sap-preconfigure
- sap-netweaver-preconfigure
- sap-hana-preconfigure
For more information, see Red Hat Enterprise Linux system roles for SAP.
Note: RHEL 8.1 for SAP Solutions is scheduled to be validated for use with SAP HANA on Intel 64 architecture and IBM POWER9. Other SAP applications and database products, for example, SAP NetWeaver and SAP ASE, can use RHEL 8.1 features. Please consult SAP Notes 2369910 and 2235581 for the latest information about validated releases and SAP support.
(BZ#1660832)
rhel-system-roles-sap rebased to version 1.1.1
With the RHBA-2019:4258 advisory, the rhel-system-roles-sap package has been updated to provide multiple bug fixes. Notably:
- SAP system roles work on hosts with non-English locales
- kernel.pid_max is set by the sysctl module
- nproc is set to unlimited for HANA (see SAP note 2772999 step 9)
- hard process limit is set before soft process limit
- code that sets process limits now works identically to role sap-preconfigure
- handlers/main.yml only works for non-uefi systems and is silently ignored on uefi systems
- removed unused dependency on rhel-system-roles
- removed libssh2 from the sap_hana_preconfigure_packages
- added further checks to avoid failures when certain CPU settings are not supported
- converted all true and false to lowercase
- updated minimum package handling
- host name and domain name set correctly
- many minor fixes
The rhel-system-roles-sap package is available as a Technology Preview.
(BZ#1766622)
6.5.9. Virtualization
Select Intel network adapters now support SR-IOV in RHEL guests on Hyper-V
As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions are met:
- SR-IOV support is enabled for the network interface controller (NIC)
- SR-IOV support is enabled for the virtual NIC
- SR-IOV support is enabled for the virtual switch
- The virtual function (VF) from the NIC is attached to the virtual machine.
The feature is currently supported with Microsoft Windows Server 2019 and 2016.
(BZ#1348508)
KVM virtualization is usable in RHEL 8 Hyper-V virtual machines
As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a Hyper-V host.
Note that currently, this feature only works on Intel systems. In addition, nested virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the following Microsoft documentation:
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization
(BZ#1519039)
AMD SEV for KVM virtual machines
As a Technology Preview, RHEL 8 introduces the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts VM memory so that the host cannot access data on the VM. This increases the security of the VM if the host is successfully infected by malware.
Note that the number of VMs that can use this feature at a time on a single host is determined by the host hardware. Current AMD EPYC processors support up to 15 running VMs using SEV.
Also note that for VMs with SEV configured to be able to boot, you must also configure the VM with a hard memory limit. To do so, add the following to the VM’s XML configuration:
<memtune>
  <hard_limit unit='KiB'>N</hard_limit>
</memtune>
The recommended value for N is equal to or greater than the guest RAM + 256 MiB. For example, if the guest is assigned 2 GiB RAM, N should be 2359296 or greater.
(BZ#1501618, BZ#1501607, JIRA:RHELPLAN-7677)
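A preflight check for the hard_limit requirement above, as an added Python example that is not part of the release note or of libvirt; the domain XML fragments are constructed, and the unit table follows the unit attribute values libvirt accepts on memory elements (KiB when the attribute is absent).

```python
import xml.etree.ElementTree as ET
from typing import Dict

# libvirt memory units (the 'unit' attribute) expressed in bytes.
_UNIT_BYTES = {
    "b": 1, "bytes": 1,
    "kb": 1000, "k": 1024, "kib": 1024,
    "mb": 1000 ** 2, "m": 1024 ** 2, "mib": 1024 ** 2,
    "gb": 1000 ** 3, "g": 1024 ** 3, "gib": 1024 ** 3,
    "tb": 1000 ** 4, "t": 1024 ** 4, "tib": 1024 ** 4,
}
SEV_HEADROOM_KIB = 256 * 1024  # the 256 MiB headroom from the release note


def to_kib(value: str, unit: str = "KiB") -> int:
    """Convert a libvirt memory value with its unit attribute to KiB."""
    return int(value.strip()) * _UNIT_BYTES[unit.strip().lower()] // 1024


def required_hard_limit_kib(guest_ram_kib: int) -> int:
    """Minimum hard_limit for an SEV guest: guest RAM plus 256 MiB."""
    return guest_ram_kib + SEV_HEADROOM_KIB


def memtune_snippet(guest_ram_kib: int) -> str:
    """Render the <memtune> element the release note tells you to add."""
    return (
        "<memtune>\n"
        f"  <hard_limit unit='KiB'>{required_hard_limit_kib(guest_ram_kib)}</hard_limit>\n"
        "</memtune>"
    )


def sev_hard_limit_check(domain_xml: str) -> Dict[str, object]:
    """Compare the configured hard_limit of a libvirt domain XML with the SEV minimum."""
    root = ET.fromstring(domain_xml)
    memory = root.find("memory")
    if memory is None or memory.text is None:
        raise ValueError("domain XML has no <memory> element")
    guest_ram_kib = to_kib(memory.text, memory.get("unit", "KiB"))
    required = required_hard_limit_kib(guest_ram_kib)
    hard_limit = root.find("memtune/hard_limit")
    configured = None
    if hard_limit is not None and hard_limit.text is not None:
        configured = to_kib(hard_limit.text, hard_limit.get("unit", "KiB"))
    return {
        "guest_ram_kib": guest_ram_kib,
        "required_kib": required,
        "configured_kib": configured,
        "ok": configured is not None and configured >= required,
    }


# Constructed domain XML fragments (minimal, not from a real host): 2 GiB of guest RAM,
# once without memtune and once with the value the release note gives for that size.
SAMPLE_DOMAIN_NO_LIMIT = """\
<domain type='kvm'>
  <name>sev-guest</name>
  <memory unit='GiB'>2</memory>
  <currentMemory unit='GiB'>2</currentMemory>
</domain>
"""
SAMPLE_DOMAIN_WITH_LIMIT = SAMPLE_DOMAIN_NO_LIMIT.replace(
    "</currentMemory>", "</currentMemory>\n" + memtune_snippet(2 * 1024 * 1024)
)

if __name__ == "__main__":
    print(sev_hard_limit_check(SAMPLE_DOMAIN_NO_LIMIT))
    print(memtune_snippet(2 * 1024 * 1024))
```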
Intel vGPU
As a Technology Preview, it is now possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.
Note that only selected Intel GPUs are compatible with the vGPU feature. In addition, assigning a physical GPU to VMs makes it impossible for the host to use the GPU, and may prevent graphical display output on the host from working.
(BZ#1528684)
Nested virtualization now available on IBM POWER 9
As a Technology Preview, it is now possible to use the nested virtualization features on RHEL 8 host machines running on IBM POWER 9 systems. Nested virtualization enables KVM virtual machines (VMs) to act as hypervisors, which allows for running VMs inside VMs.
Note that nested virtualization also remains a Technology Preview on AMD64 and Intel 64 systems.
Also note that for nested virtualization to work on IBM POWER 9, the host, the guest, and the nested guests currently all need to run one of the following operating systems:
- RHEL 8
- RHEL 7 for POWER 9
(BZ#1505999, BZ#1518937)
Creating nested virtual machines
As a Technology Preview, nested virtualization is available for KVM virtual machines (VMs) in RHEL 8. With this feature, a VM that runs on a physical host can act as a hypervisor, and host its own VMs.
Note that nested virtualization is only available on AMD64 and Intel 64 architectures, and the nested host must be a RHEL 7 or RHEL 8 VM.
(JIRA:RHELPLAN-14047)
6.5.10. Containers
The podman-machine command is unsupported
The podman-machine command for managing virtual machines is available only as a Technology Preview. Instead, run Podman directly from the command line.
(JIRA:RHELDOCS-16861)
6.6. Deprecated functionality
This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8.1.
Deprecated devices are fully supported, which means that they are tested and maintained, and their support status remains unchanged within Red Hat Enterprise Linux 8. However, these devices will likely not be supported in the next major version release, and are not recommended for new deployments on the current or future major versions of RHEL.
For the most recent list of deprecated functionality within a particular major release, see the latest version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life Cycle and Red Hat Enterprise Linux Application Streams Life Cycle.
A package can be deprecated and not recommended for further use. Under certain circumstances, a package can be removed from the product. Product documentation then identifies more recent packages that offer functionality similar, identical, or more advanced to the one deprecated, and provides further recommendations.
For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations in adopting RHEL 8.
For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations in adopting RHEL 9.
6.6.1. Installer and image creation
Several Kickstart commands and options have been deprecated
Using the following commands and options in RHEL 8 Kickstart files will print a warning in the logs.
- auth or authconfig
- device
- deviceprobe
- dmraid
- install
- lilo
- lilocheck
- mouse
- multipath
- bootloader --upgrade
- ignoredisk --interactive
- partition --active
- reboot --kexec
Where only specific options are listed, the base command and its other options are still available and not deprecated.
For more details and related changes in Kickstart, see the Kickstart changes section of the Considerations in adopting RHEL 8 document.
(BZ#1642765)
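A scan of a Kickstart file for the deprecated commands and options listed above, as an added Python example that is not part of the release note or of pykickstart; the sample Kickstart file is constructed, and the inclusion of part as the alias of partition comes from Kickstart syntax, not from the list.

```python
import shlex
from typing import Dict, List, Set, Tuple

# Commands deprecated in RHEL 8 Kickstart files (from the release note).
DEPRECATED_COMMANDS: Set[str] = {
    "auth", "authconfig", "device", "deviceprobe", "dmraid",
    "install", "lilo", "lilocheck", "mouse", "multipath",
}
# Commands that stay supported but have a deprecated option.
# 'part' is Kickstart's alias of 'partition' and is added here for that reason.
DEPRECATED_OPTIONS: Dict[str, Set[str]] = {
    "bootloader": {"--upgrade"},
    "ignoredisk": {"--interactive"},
    "partition": {"--active"},
    "part": {"--active"},
    "reboot": {"--kexec"},
}
# Directives starting with '%' that do not open a section.
_NON_SECTION_DIRECTIVES = {"%include", "%ksappend"}


def find_deprecated(kickstart_text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) for every deprecated command or option.

    Only the command section is scanned: package lists and %pre/%post scripts
    are skipped, because a word such as 'dmraid' there is a package name or a
    shell command rather than a Kickstart command.
    """
    findings: List[Tuple[int, str]] = []
    in_section = False
    for lineno, raw in enumerate(kickstart_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            directive = line.split()[0]
            if directive == "%end":
                in_section = False
            elif directive not in _NON_SECTION_DIRECTIVES:
                in_section = True
            continue
        if in_section:
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes: leave that to pykickstart's own validation
        if not tokens:
            continue
        command = tokens[0]
        if command in DEPRECATED_COMMANDS:
            findings.append((lineno, f"deprecated command '{command}'"))
        for option in sorted(DEPRECATED_OPTIONS.get(command, ())):
            if any(tok == option or tok.startswith(option + "=") for tok in tokens[1:]):
                findings.append((lineno, f"deprecated option '{option}' of '{command}'"))
    return findings


# Constructed sample Kickstart file (not a real deployment file).
SAMPLE_KICKSTART = """\
# constructed sample
install
url --url=http://mirror.example.com/rhel8/BaseOS
auth --enableshadow --passalgo=sha512
ignoredisk --only-use=sda
bootloader --location=mbr --upgrade
partition /boot --fstype=xfs --size=1024 --active
reboot --kexec
%packages
@^minimal-environment
dmraid
%end
%post
authconfig --update
%end
"""

if __name__ == "__main__":
    for lineno, message in find_deprecated(SAMPLE_KICKSTART):
        print(f"line {lineno}: {message}")
```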
The --interactive option of the ignoredisk Kickstart command has been deprecated
Using the --interactive option in future releases of Red Hat Enterprise Linux will result in a fatal installation error. It is recommended that you modify your Kickstart file to remove the option.
(BZ#1637872)
6.6.2. Software management
The rpmbuild --sign command has been deprecated
With this update, the rpmbuild --sign command has become deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in an error. It is recommended that you use the rpmsign command instead.
6.6.3. Security
TLS 1.0 and TLS 1.1 are deprecated
The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level. If your scenario, for example, a video conferencing application in the Firefox web browser, requires using the deprecated protocols, switch the system-wide cryptographic policy to the LEGACY level:
# update-crypto-policies --set LEGACY
For more information, see the Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal and the update-crypto-policies(8) man page.
DSA is deprecated in RHEL 8
The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level.
(BZ#1646541)
SSL2 Client Hello has been deprecated in NSS
The Transport Layer Security (TLS) protocol version 1.2 and earlier allow a negotiation to be started with a Client Hello message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network Security Services (NSS) library has been deprecated and it is disabled by default.
Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this feature may be removed completely in future releases of Red Hat Enterprise Linux 8.
(BZ#1645153)
TPM 1.2 is deprecated
The Trusted Platform Module (TPM) secure cryptoprocessor standard version was updated to version 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major release.
(BZ#1657927)
6.6.4. Networking
Network scripts are deprecated in RHEL 8
Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by default. The basic installation provides a new version of the ifup and ifdown scripts which call the NetworkManager service through the nmcli tool. In Red Hat Enterprise Linux 8, to run the ifup and ifdown scripts, NetworkManager must be running.
Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local scripts are not executed.
If any of these scripts are required, the installation of the deprecated network scripts in the system is still possible with the following command:
~]# yum install network-scripts
The ifup and ifdown scripts link to the installed legacy network scripts.
Calling the legacy network scripts shows a warning about their deprecation.
(BZ#1647725)
6.6.5. Kernel
Diskless boot has been deprecated
Diskless booting allows multiple systems to share a root filesystem via the network. While convenient, it is prone to introducing network latency in realtime workloads. With a future minor update of RHEL for Real Time 8, the diskless booting will no longer be supported.
The rdma_rxe Soft-RoCE driver is deprecated
Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is available as an unsupported Technology Preview. However, due to stability issues, this feature has been deprecated and will be removed in RHEL 9.
(BZ#1878207)
6.6.6. Hardware enablement
The qla3xxx driver is deprecated
The qla3xxx driver has been deprecated in RHEL 8. The driver will likely not be supported in future major releases of this product, and thus it is not recommended for new deployments.
(BZ#1658840)
The dl2k, dnet, ethoc, and dlci drivers are deprecated
The dl2k, dnet, ethoc, and dlci drivers have been deprecated in RHEL 8. The drivers will likely not be supported in future major releases of this product, and thus they are not recommended for new deployments.
(BZ#1660627)
6.6.7. File systems and storage
The elevator kernel command line parameter is deprecated
The elevator kernel command line parameter was used in earlier RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated.
The upstream Linux kernel has removed support for the elevator parameter, but it is still available in RHEL 8 for compatibility reasons.
Note that the kernel selects a default disk scheduler based on the type of device. This is typically the optimal setting. If you require a different scheduler, Red Hat recommends that you use udev rules or the Tuned service to configure it. Match the selected devices and switch the scheduler only for those devices.
For more information, see Setting the disk scheduler.
(BZ#1665295)
NFSv3 over UDP has been disabled
The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. This change affects only NFS version 3 because version 4 requires the Transmission Control Protocol (TCP).
NFS over UDP is no longer supported in RHEL 8.
(BZ#1592011)
6.6.8. Desktop
The libgnome-keyring library has been deprecated
The libgnome-keyring library has been deprecated in favor of the libsecret library, as libgnome-keyring is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. The new libsecret library is the replacement that follows the necessary security standards.
(BZ#1607766)
6.6.9. Graphics infrastructures
AGP graphics cards are no longer supported
Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat Enterprise Linux 8. Graphics cards with a PCI Express bus are the recommended replacement.
(BZ#1569610)
6.6.10. The web console
The web console no longer supports incomplete translations
The RHEL web console no longer provides translations for languages that have translations available for less than 50 % of the Console’s translatable strings. If the browser requests translation to such a language, the user interface will be in English instead.
6.6.11. Virtualization
virt-manager has been deprecated
The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL 8 web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager may not yet be available in the RHEL 8 web console.
(JIRA:RHELPLAN-10304)
Virtual machine snapshots are not properly supported in RHEL 8
The current mechanism of creating virtual machine (VM) snapshots has been deprecated, as it is not working reliably. As a consequence, it is recommended not to use VM snapshots in RHEL 8.
Note that a new VM snapshot mechanism is under development and will be fully implemented in a future minor release of RHEL 8.
The Cirrus VGA virtual GPU type has been deprecated
With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga, virtio-vga, or qxl devices instead of Cirrus VGA.
(BZ#1651994)
6.6.12. Deprecated packages
The following packages have been deprecated and will probably not be included in a future major release of Red Hat Enterprise Linux:
- 389-ds-base-legacy-tools
- authd
- custodia
- hostname
- libidn
- net-tools
- network-scripts
- nss-pam-ldapd
- sendmail
- yp-tools
- ypbind
- ypserv
6.7. Known issues
This part describes known issues in Red Hat Enterprise Linux 8.
6.7.1. Installer and image creation
The auth and authconfig Kickstart commands require the AppStream repository
The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.
To work around this problem, verify that the BaseOS and AppStream repositories are available to the installer, or use the authselect Kickstart command during installation.
(BZ#1640697)
The reboot --kexec and inst.kexec commands do not provide a predictable system state
Performing a RHEL installation with the reboot --kexec Kickstart command or the inst.kexec kernel boot parameter does not provide the same predictable system state as a full reboot. As a consequence, switching to the installed system without rebooting can produce unpredictable results.
Note that the kexec feature is deprecated and will be removed in a future release of Red Hat Enterprise Linux.
(BZ#1697896)
Anaconda does not check the minimal resource requirements before installation
Anaconda starts the installation on systems that have less than the minimal required resources and does not display a warning about the resources required to complete the installation successfully. As a result, the installation can fail, and the error output does not provide clear messages for debugging and recovery. To work around this problem, make sure that the system has the minimal resources required for installation: 2GB memory on PPC64(LE) and 1GB on x86_64. As a result, it should be possible to perform a successful installation.
(BZ#1696609)
Installation fails when using the reboot --kexec command
The RHEL 8 installation fails when using a Kickstart file that contains the reboot --kexec command. To avoid the problem, use the reboot command instead of reboot --kexec in your Kickstart file.
Support secure boot for s390x in the installer
RHEL 8.1 provides support for preparing boot disks for use in IBM Z environments that enforce the use of secure boot. The capabilities of the server and Hypervisor used during installation determine if the resulting on-disk format contains secure boot support or not. There is no way to influence the on-disk format during installation.
Consequently, if you install RHEL 8.1 in an environment that supports secure boot, the system is unable to boot when moved to an environment lacking secure boot support, as is done in some fail-over scenarios.
To work around this problem, you need to configure the zipl tool that controls the on-disk boot format. zipl can be configured to write the previous on-disk format even if the environment in which it is run supports secure boot. Perform the following manual steps as root user once the installation of RHEL 8.1 is completed:
- Edit the configuration file /etc/zipl.conf and add a line containing "secure=0" to the section labelled "defaultboot". Example contents of the `zipl.conf` file after the change:
[defaultboot]
defaultauto
prompt=1
timeout=5
target=/boot
secure=0
- Run the zipl tool without parameters.
After performing these steps, the on-disk format of the RHEL 8.1 boot disk will no longer contain secure boot support. As a result, the installation can be booted in environments that lack secure boot support.
(BZ#1659400)
RHEL 8 initial setup cannot be performed via SSH
Currently, the RHEL 8 initial setup interface does not display when logged in to the system using SSH. As a consequence, it is impossible to perform the initial setup on a RHEL 8 machine managed via SSH. To work around this problem, perform the initial setup in the main system console (ttyS0) and, afterwards, log in using SSH.
(BZ#1676439)
The default value for the secure= boot option is not set to auto
Currently, the default value for the secure= boot option is not set to auto. As a consequence, the secure boot feature is not available because the current default is disabled. To work around this problem, manually set secure=auto in the [defaultboot] section of the /etc/zipl.conf file. As a result, the secure boot feature is made available. For more information, see the zipl.conf man page.
(BZ#1750326)
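A small shell helper that applies either of the two zipl.conf workarounds above (secure=0 to drop the secure boot on-disk format, secure=auto to enable it), added here as an example and not part of the Red Hat release notes. It assumes an INI-style zipl.conf with one option per line and a section header written exactly as [defaultboot]; the file it operates on in the demo is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the Red Hat release notes: set the secure= option in the
# [defaultboot] section of a zipl.conf file. Covers both workarounds described above:
# secure=0 drops the secure boot on-disk format, secure=auto enables it again.
# Assumptions (not from the page): INI-style file, one option per line, section header
# written exactly as "[defaultboot]". Run zipl without parameters afterwards, as the
# steps above say, for the change to reach the boot disk.

# Usage: zipl_set_secure FILE VALUE   (VALUE is 0, 1 or auto; FILE is rewritten in place)
zipl_set_secure() {
    file=$1
    value=$2
    case "$value" in
        0|1|auto) ;;
        *) echo "zipl_set_secure: unsupported value '$value'" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    awk -v val="$value" '
        /^\[/ {
            # leaving [defaultboot] without having seen secure=: add it before the next header
            if (in_db && !done) { print "secure=" val; done = 1 }
            in_db = ($0 == "[defaultboot]")
        }
        # inside [defaultboot]: replace the first secure= line, drop any duplicates
        in_db && /^[[:space:]]*secure=/ {
            if (!done) { print "secure=" val; done = 1 }
            next
        }
        { print }
        END { if (in_db && !done) print "secure=" val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: zipl_get_secure FILE   -> prints the secure= value from [defaultboot], or "unset"
zipl_get_secure() {
    awk '
        /^\[/ { in_db = ($0 == "[defaultboot]") }
        in_db && /^[[:space:]]*secure=/ { sub(/^[[:space:]]*secure=/, ""); print; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Demo on a constructed zipl.conf (sample data, not a real system file). The [other]
# section carries its own secure= line to show that only [defaultboot] is touched.
demo_zipl() {
    f=$(mktemp)
    printf '%s\n' '[defaultboot]' 'defaultauto' 'prompt=1' 'timeout=5' 'target=/boot' \
                  '[other]' 'secure=1' > "$f"
    zipl_set_secure "$f" 0
    echo "after secure=0:    $(zipl_get_secure "$f")"
    zipl_set_secure "$f" auto
    echo "after secure=auto: $(zipl_get_secure "$f")"
    cat "$f"
    rm -f "$f"
}
demo_zipl
```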
Copying the content of the Binary DVD.iso file to a partition omits the .treeinfo and .discinfo files
During local installation, while copying the content of the RHEL 8 Binary DVD.iso image file to a partition, the * in the cp <path>/* <mounted partition>/dir command fails to copy the .treeinfo and .discinfo files. These files are required for a successful installation. As a result, the BaseOS and AppStream repositories are not loaded, and a debug-related log message in the anaconda.log file is the only record of the problem.
To work around the problem, copy the missing .treeinfo and .discinfo files to the partition.
(BZ#1687747)
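The install-tree check a practitioner would want after the copy, added here as an example and not taken from the release notes. The directory layout it builds (BaseOS, AppStream and media.repo next to .treeinfo and .discinfo) is constructed sample data, and the function names copy_install_tree and check_install_tree are this example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat release notes: copy an install tree so that the
# dot files survive, and check for the two files the installer needs.
# The directory layout used in the demo is constructed sample data.

# Usage: check_install_tree DIR -> returns 0 if .treeinfo and .discinfo are present
check_install_tree() {
    missing=0
    for f in .treeinfo .discinfo; do
        if [ ! -f "$1/$f" ]; then
            echo "missing: $1/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# Usage: copy_install_tree SRC DEST -> copies SRC into DEST including dot files, then checks
copy_install_tree() {
    mkdir -p "$2" || return 1
    # "SRC/." names the directory itself, so cp -a copies every entry it contains.
    # "SRC/*" is expanded by the shell, and a plain * does not match names that
    # start with a dot, which is why .treeinfo and .discinfo go missing.
    cp -a "$1/." "$2/" || return 1
    check_install_tree "$2"
}

# Demo on a constructed tree that imitates the DVD layout (BaseOS, AppStream, media.repo).
demo_copy() {
    work=$(mktemp -d)
    mkdir -p "$work/iso/BaseOS" "$work/iso/AppStream" "$work/glob"
    : > "$work/iso/.treeinfo"; : > "$work/iso/.discinfo"; : > "$work/iso/media.repo"
    cp -a "$work"/iso/* "$work/glob/"          # the command from the report
    check_install_tree "$work/glob" || echo "glob copy is incomplete, as described above"
    copy_install_tree "$work/iso" "$work/full" && echo "full copy verified"
    rm -rf "$work"
}
demo_copy
```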
Self-signed HTTPS server cannot be used in Kickstart installation
Currently, the installer fails to install from a self-signed HTTPS server when the installation source is specified in the Kickstart file and the --noverifyssl option is used:
url --url=https://SERVER/PATH --noverifyssl
To work around this problem, append the inst.noverifyssl parameter to the kernel command line when starting the Kickstart installation.
For example:
inst.ks=<URL> inst.noverifyssl
(BZ#1745064)
6.7.2. Software management
yum repolist ends on first unavailable repository with skip_if_unavailable=false
The repository configuration option skip_if_unavailable is by default set as follows:
skip_if_unavailable=false
This setting forces the yum repolist command to end on the first unavailable repository with an error and exit status 1. Consequently, yum repolist does not continue listing available repositories.
Note that it is possible to override this setting in each repository’s *.repo file.
However, if you want to keep the default settings, you can work around the problem by using yum repolist with the following option:
--setopt=*.skip_if_unavailable=True
(BZ#1697472)
6.7.3. Subscription management
syspurpose addons have no effect on the subscription-manager attach --auto output
In Red Hat Enterprise Linux 8, four attributes of the syspurpose command-line tool have been added: role, usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect the output of running the subscription-manager attach --auto command. Users who attempt to set values to the addons argument will not observe any effect on the subscriptions that are auto-attached.
(BZ#1687900)
6.7.4. Shells and command-line tools
Applications using the Wayland protocol cannot be forwarded to remote display servers
In Red Hat Enterprise Linux 8.1, most applications use the Wayland protocol by default instead of the X11 protocol. As a consequence, the ssh server cannot forward the applications that use the Wayland protocol but is able to forward the applications that use the X11 protocol to a remote display server.
To work around this problem, set the environment variable GDK_BACKEND=x11 before starting the applications. As a result, the application can be forwarded to remote display servers.
systemd-resolved.service fails to start on boot
The systemd-resolved service occasionally fails to start on boot. If this happens, restart the service manually after the boot finishes by using the following command:
# systemctl start systemd-resolved
However, the failure of systemd-resolved on boot does not impact any other services.
(BZ#1640802)
6.7.5. Infrastructure services
Support for DNSSEC in dnsmasq
The dnsmasq package introduces Domain Name System Security Extensions (DNSSEC) support for verifying hostname information received from root servers.
Note that DNSSEC validation in dnsmasq is not compliant with FIPS 140-2. Do not enable DNSSEC in dnsmasq on Federal Information Processing Standard (FIPS) systems, and use the compliant validating resolver as a forwarder on the localhost.
(BZ#1549507)
6.7.6. Security
redhat-support-tool does not work with the FUTURE crypto policy
Because a cryptographic key used by a certificate on the Customer Portal API does not meet the requirements of the FUTURE system-wide cryptographic policy, the redhat-support-tool utility does not work with this policy level at the moment. To work around this problem, use the DEFAULT crypto policy while connecting to the Customer Portal API.
SELINUX=disabled in /etc/selinux/config does not work properly
Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config file results in a process in which the kernel boots with SELinux enabled and switches to disabled mode later in the boot process. This might cause memory leaks and race conditions and consequently also kernel panics. To work around this problem, if your scenario really requires SELinux to be completely disabled, disable it by adding the selinux=0 parameter to the kernel command line, as described in the Changing SELinux modes at boot time section of the Using SELinux title.
(JIRA:RHELPLAN-34199)
libselinux-python is available only through its module
The libselinux-python package contains only Python 2 bindings for developing SELinux applications and it is used for backward compatibility. For this reason, libselinux-python is no longer available in the default RHEL 8 repositories through the dnf install libselinux-python command.
To work around this problem, enable both the libselinux-python and python27 modules, and install the libselinux-python package and its dependencies with the following commands:
# dnf module enable libselinux-python
# dnf install libselinux-python
Alternatively, install libselinux-python using its install profile with a single command:
# dnf module install libselinux-python:2.8/common
As a result, you can install libselinux-python using the respective module.
(BZ#1666328)
udica processes UBI 8 containers only when started with --env container=podman
The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. This prevents the udica tool from analyzing a container JavaScript Object Notation (JSON) file.
To work around this problem, start a UBI 8 container using a podman command with the --env container=podman parameter. As a result, udica can generate an SELinux policy for a UBI 8 container only when you use the described workaround.
Removing the rpm-plugin-selinux package leads to removing all selinux-policy packages from the system
Removing the rpm-plugin-selinux package disables SELinux on the machine. It also removes all selinux-policy packages from the system. Repeated installation of the rpm-plugin-selinux package then installs the selinux-policy-minimum SELinux policy, even if the selinux-policy-targeted policy was previously present on the system. However, the repeated installation does not update the SELinux configuration file to account for the change in policy. As a consequence, SELinux is disabled even upon reinstallation of the rpm-plugin-selinux package.
To work around this problem:
- Enter the umount /sys/fs/selinux/ command.
- Manually install the missing selinux-policy-targeted package.
- Edit the /etc/selinux/config file so that the policy is equal to SELINUX=enforcing.
- Enter the load_policy -i command.
As a result, SELinux is enabled and running the same policy as before.
(BZ#1641631)
SELinux prevents systemd-journal-gatewayd from calling newfstatat() on shared memory files created by corosync
The SELinux policy does not contain a rule that allows the systemd-journal-gatewayd daemon to access files created by the corosync service. As a consequence, SELinux prevents systemd-journal-gatewayd from calling the newfstatat() function on shared memory files created by corosync.
To work around this problem, create a local policy module with an allow rule which enables the described scenario. See the audit2allow(1) man page for more information on generating SELinux policy allow and dontaudit rules. As a result of the previous workaround, systemd-journal-gatewayd can call the function on shared memory files created by corosync with SELinux in enforcing mode.
(BZ#1746398)
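To see what the allow rule for this scenario looks like before loading it, the following added example (not from the release notes and not audit2allow itself) turns AVC denial lines into a minimal type-enforcement module in the same shape audit2allow -M produces. The audit lines, the module name local_gatewayd_corosync and the type names systemd_journal_gatewayd_t and corosync_tmpfs_t are constructed for the example; take the real ones from ausearch -m AVC on the affected system.

```shell
#!/bin/sh
# Added example, not part of the Red Hat release notes: build a minimal SELinux
# type-enforcement (.te) module from AVC denial lines, in the shape audit2allow -M
# produces, so the rule can be reviewed before it is compiled and loaded.
# All type names, paths and audit lines below are constructed for this example.

# Usage: avc_to_te LOGFILE MODULE_NAME  -> prints the .te source on stdout
avc_to_te() {
    awk -v mod="$2" '
        # Add permission perm to the space-separated set stored in arr[key] (no duplicates).
        function addperm(arr, key, perm) {
            if (index(" " arr[key] " ", " " perm " ") == 0)
                arr[key] = (arr[key] == "" ? perm : arr[key] " " perm)
        }
        /avc: +denied/ {
            # the permissions are the words between "{" and "}"
            perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      { src = substr($i, 10) }
                else if ($i ~ /^tcontext=/) { tgt = substr($i, 10) }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (src == "" || tgt == "" || cls == "") next
            # a context is user:role:type[:range]; only the type field matters for the rule
            split(src, s, ":"); split(tgt, t, ":")
            key = s[3] SUBSEP t[3] SUBSEP cls
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) { addperm(rule, key, p[j]); addperm(classperm, cls, p[j]) }
            types[s[3]] = 1; types[t[3]] = 1
        }
        END {
            print "module " mod " 1.0;"
            print "require {"
            for (ty in types) print "\ttype " ty ";"
            for (c in classperm) print "\tclass " c " { " classperm[c] " };"
            print "}"
            for (k in rule) { split(k, f, SUBSEP); print "allow " f[1] " " f[2] ":" f[3] " { " rule[k] " };" }
        }
    ' "$1"
}

# Usage: sample_avc_log FILE -> writes constructed audit lines (not from a real system).
# The SYSCALL line shows that non-AVC records are ignored; the two AVC records are
# merged into one allow rule for the same source type, target type and class.
sample_avc_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1571000000.100:300): arch=c000003e syscall=262 success=no exit=-13 comm="systemd-journal-g"
type=AVC msg=audit(1571000000.100:300): avc:  denied  { getattr } for  pid=1201 comm="systemd-journal-g" path="/dev/shm/qb-example-corosync" dev="tmpfs" ino=4242 scontext=system_u:system_r:systemd_journal_gatewayd_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1571000000.250:301): avc:  denied  { read } for  pid=1201 comm="systemd-journal-g" path="/dev/shm/qb-example-corosync" dev="tmpfs" ino=4242 scontext=system_u:system_r:systemd_journal_gatewayd_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=0
EOF
}

demo_avc() {
    log=$(mktemp)
    sample_avc_log "$log"
    avc_to_te "$log" local_gatewayd_corosync
    rm -f "$log"
}
demo_avc
```

Review the generated allow line for scope before building and loading it (checkmodule -M -m, semodule_package, semodule -i): it should name only the type pair, class and permissions that the denials actually reported.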
Negative effects of the default logging setup on performance
The default logging environment setup might consume 4 GB of memory or even more, and adjustments of rate-limit values are complex when systemd-journald is running with rsyslog.
See the Negative effects of the RHEL default logging setup on performance and their mitigations Knowledgebase article for more information.
(JIRA:RHELPLAN-10431)
Parameter not known errors in the rsyslog output with config.enabled
In the rsyslog output, an unexpected bug occurs in configuration processing when the config.enabled directive is used. As a consequence, parameter not known errors are displayed while using the config.enabled directive, except in include() statements.
To work around this problem, set config.enabled=on or use include() statements.
(BZ#1659383)
Certain rsyslog priority strings do not work correctly
Support for the GnuTLS priority string for imtcp that allows fine-grained control over encryption is not complete. Consequently, the following priority strings do not work properly in rsyslog:
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
To work around this problem, use only correctly working priority strings:
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
As a result, current configurations must be limited to the strings that work correctly.
Connections to servers with SHA-1 signatures do not work with GnuTLS
SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS connection to peers that offer such certificates. This behavior is inconsistent with other system cryptographic libraries. To work around this problem, upgrade the server to use certificates signed with a SHA-256 or stronger hash, or switch to the LEGACY policy.
(BZ#1628553)
TLS 1.3 does not work in NSS in FIPS mode
TLS 1.3 is not supported on systems working in FIPS mode. As a result, connections that require TLS 1.3 for interoperability do not function on a system working in FIPS mode.
To enable the connections, disable the system’s FIPS mode or enable support for TLS 1.2 in the peer.
OpenSSL incorrectly handles PKCS #11 tokens that do not support raw RSA or RSA-PSS signatures
The OpenSSL library does not detect key-related capabilities of PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created with a token that does not support raw RSA or RSA-PSS signatures.
To work around the problem, add the following lines after the .include line at the end of the crypto_policy section in the /etc/pki/tls/openssl.cnf file:
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
MaxProtocol = TLSv1.2
As a result, a TLS connection can be established in the described scenario.
The OpenSSL TLS library does not detect if the PKCS#11 token supports creation of raw RSA or RSA-PSS signatures
The TLS 1.3 protocol requires support for RSA-PSS signatures. If the PKCS#11 token does not support raw RSA or RSA-PSS signatures, server applications that use the OpenSSL TLS library fail to work with an RSA key held by the PKCS#11 token. As a result, TLS communication fails.
To work around this problem, configure the server or client to use TLS 1.2 as the highest TLS protocol version available.
OpenSSL generates a malformed status_request extension in the CertificateRequest message in TLS 1.3
OpenSSL servers send a malformed status_request extension in the CertificateRequest message if support for the status_request extension and client certificate-based authentication are both enabled. In such a case, OpenSSL does not interoperate with implementations compliant with the RFC 8446 protocol. As a result, clients that properly verify extensions in the CertificateRequest message abort connections with the OpenSSL server. To work around this problem, disable support for the TLS 1.3 protocol on either side of the connection or disable support for status_request on the OpenSSL server. This prevents the server from sending malformed messages.
ssh-keyscan cannot retrieve RSA keys of servers in FIPS mode
The SHA-1 algorithm is disabled for RSA signatures in FIPS mode, which prevents the ssh-keyscan utility from retrieving RSA keys of servers operating in that mode.
To work around this problem, use ECDSA keys instead, or retrieve the keys locally from the /etc/ssh/ssh_host_rsa_key.pub file on the server.
scap-security-guide PCI-DSS remediation of Audit rules does not work properly
The scap-security-guide package contains a combination of remediation and a check that can result in one of the following scenarios:
- incorrect remediation of Audit rules
- scan evaluation containing false positives where passed rules are marked as failed
Consequently, during the RHEL 8.1 installation process, scanning of the installed system reports some Audit rules as either failed or errored.
To work around this problem, follow the instructions in the RHEL-8.1 workaround for remediating and scanning with the scap-security-guide PCI-DSS profile Knowledgebase article.
Certain sets of interdependent rules in SSG can fail
Remediation of SCAP Security Guide (SSG) rules in a benchmark can fail due to undefined ordering of rules and their dependencies. If two or more rules need to be executed in a particular order, for example, when one rule installs a component and another rule configures the same component, they can run in the wrong order and remediation reports an error. To work around this problem, run the remediation twice, and the second run fixes the dependent rules.
A utility for security and compliance scanning of containers is not available
In Red Hat Enterprise Linux 7, the oscap-docker utility can be used for scanning of Docker containers based on Atomic technologies. In Red Hat Enterprise Linux 8, the Docker- and Atomic-related OpenSCAP commands are not available.
To work around this problem, see the Using OpenSCAP for scanning containers in RHEL 8 article on the Customer Portal. As a result, you can use only an unsupported and limited way for security and compliance scanning of containers in RHEL 8 at the moment.
(BZ#1642373)
OpenSCAP does not provide offline scanning of virtual machines and containers
Refactoring of the OpenSCAP codebase caused certain RPM probes to fail to scan VM and container file systems in offline mode. For that reason, the following tools were removed from the openscap-utils package: oscap-vm and oscap-chroot. Also, the openscap-containers package was completely removed.
(BZ#1618489)
OpenSCAP rpmverifypackage does not work correctly
The chdir and chroot system calls are called twice by the rpmverifypackage probe. Consequently, an error occurs when the probe is utilized during an OpenSCAP scan with custom Open Vulnerability and Assessment Language (OVAL) content.
To work around this problem, do not use the rpmverifypackage_test OVAL test in your content, or use only the content from the scap-security-guide package where rpmverifypackage_test is not used.
(BZ#1646197)
SCAP Workbench fails to generate results-based remediations from tailored profiles
The following error occurs when trying to generate results-based remediation roles from a customized profile using the SCAP Workbench tool:
Error generating remediation role .../remediation.sh: Exit code of oscap was 1: [output truncated]
To work around this problem, use the oscap command with the --tailoring-file option.
(BZ#1640715)
OSCAP Anaconda Addon does not install all packages in text mode
The OSCAP Anaconda Addon plugin cannot modify the list of packages selected for installation by the system installer if the installation is running in text mode. Consequently, when a security policy profile is specified using Kickstart and the installation is running in text mode, any additional packages required by the security policy are not installed during installation.
To work around this problem, either run the installation in graphical mode or specify all packages that are required by the security policy profile in the %packages section in your Kickstart file.
As a result, packages that are required by the security policy profile are not installed during RHEL installation without one of the described workarounds, and the installed system is not compliant with the given security policy profile.
OSCAP Anaconda Addon does not correctly handle customized profiles
The OSCAP Anaconda Addon plugin does not properly handle security profiles with customizations in separate files. Consequently, the customized profile is not available in the RHEL graphical installation even when you properly specify it in the corresponding Kickstart section.
To work around this problem, follow the instructions in the Creating a single SCAP data stream from an original DS and a tailoring file Knowledgebase article. As a result of this workaround, you can use a customized SCAP profile in the RHEL graphical installation.
(BZ#1691305)
6.7.7. Networking
The formatting of the verbose output of arptables now matches the format of the utility on RHEL 7
In RHEL 8, the iptables-arptables package provides an nftables-based replacement of the arptables utility. Previously, the verbose output of arptables separated counter values only with a comma, while arptables on RHEL 7 separated the described output with both a space and a comma. As a consequence, if you used scripts created on RHEL 7 that parsed the output of the arptables -v -L command, you had to adjust these scripts. This incompatibility has been fixed. As a result, arptables on RHEL 8.1 now also separates counter values with both a space and a comma.
(BZ#1676968)
nftables does not support multi-dimensional IP set types
The nftables packet-filtering framework does not support set types with concatenations and intervals. Consequently, you cannot use multi-dimensional IP set types, such as hash:net,port, with nftables.
To work around this problem, use the iptables framework with the ipset tool if you require multi-dimensional IP set types.
(BZ#1593711)
IPsec network traffic fails during IPsec offloading when GRO is disabled
IPsec offloading is not expected to work when Generic Receive Offload (GRO) is disabled on the device. If IPsec offloading is configured on a network interface and GRO is disabled on that device, IPsec network traffic fails.
To work around this problem, keep GRO enabled on the device.
(BZ#1649647)
6.7.8. Kernel
The i40iw module does not load automatically on boot
Due to many i40e NICs not supporting iWarp and the i40iw module not fully supporting suspend/resume, this module is not automatically loaded by default to ensure suspend/resume works properly. To work around this problem, manually edit the /lib/udev/rules.d/90-rdma-hw-modules.rules file to enable automated loading of i40iw.
Also note that if there is another RDMA device installed with a i40e device on the same machine, the non-i40e RDMA device triggers the rdma service, which loads all enabled RDMA stack modules, including the i40iw module.
(BZ#1623712)
Network interface is renamed to kdump-<interface-name> when fadump is used
When firmware-assisted dump (fadump) is utilized to capture a vmcore and store it to a remote machine using the SSH or NFS protocol, the network interface is renamed to kdump-<interface-name> if <interface-name> is generic, for example eth# or net#. This problem occurs because the vmcore capture scripts in the initial RAM disk (initrd) add the kdump- prefix to the network interface name to secure persistent naming. The same initrd is used also for a regular boot, so the interface name is changed for the production kernel too.
(BZ#1745507)
Systems with a large amount of persistent memory experience delays during the boot process
Systems with a large amount of persistent memory take a long time to boot because the initialization of the memory is serialized. Consequently, if there are persistent memory file systems listed in the /etc/fstab file, the system might time out while waiting for devices to become available. To work around this problem, configure the DefaultTimeoutStartSec option in the /etc/systemd/system.conf file to a sufficiently large value.
(BZ#1666538)
KSM sometimes ignores NUMA memory policies
When the kernel shared memory (KSM) feature is enabled with the merge_across_nodes=1 parameter, KSM ignores memory policies set by the mbind() function, and may merge pages from some memory areas to Non-Uniform Memory Access (NUMA) nodes that do not match the policies.
To work around this problem, disable KSM or set the merge_across_nodes parameter to 0 if using NUMA memory binding with QEMU. As a result, NUMA memory policies configured for the KVM VM will work as expected.
(BZ#1153521)
The system enters the emergency mode at boot-time when fadump is enabled
The system enters the emergency mode when fadump (kdump) or the dracut squash module is enabled in the initramfs scheme because the systemd manager fails to fetch the mount information and configure the LV partition to mount. To work around this problem, add the kernel command line parameter rd.lvm.lv=<VG>/<LV> to discover and mount the failed LV partition appropriately. As a result, the system will boot successfully in the described scenario.
(BZ#1750278)
Using irqpoll in the kdump kernel command line causes a vmcore generation failure
Due to an existing underlying problem with the nvme driver on the 64-bit ARM architectures running on the Amazon Web Services (AWS) cloud platforms, the vmcore generation fails if the irqpoll kdump command line argument is provided to the first kernel. Consequently, no vmcore is dumped in the /var/crash/ directory after a kernel crash. To work around this problem:
- Add irqpoll to the KDUMP_COMMANDLINE_REMOVE key in the /etc/sysconfig/kdump file.
- Restart the kdump service by running the systemctl restart kdump command.
As a result, the first kernel correctly boots and the vmcore is expected to be captured upon the kernel crash.
(BZ#1654962)
Debug kernel fails to boot in crash capture environment in RHEL 8
Due to memory-demanding nature of the debug kernel, a problem occurs when the debug kernel is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to boot as the capture kernel, and a stack trace is generated instead. To work around this problem, increase the crash kernel memory accordingly. As a result, the debug kernel successfully boots in the crash capture environment.
(BZ#1659609)
softirq changes can cause the localhost interface to drop UDP packets when under heavy load
Changes in the Linux kernel’s software interrupt (softirq) handling are done to reduce denial of service (DoS) effects. Consequently, this leads to situations where the localhost interface drops User Datagram Protocol (UDP) packets under heavy load.
To work around this problem, increase the size of the network device backlog buffer to value 6000:
echo 6000 > /proc/sys/net/core/netdev_max_backlog
In Red Hat tests, this value was sufficient to prevent packet loss. More heavily loaded systems might require larger backlog values. Increased backlogs have the effect of potentially increasing latency on the localhost interface.
The result is to increase the buffer and allow more packets to be waiting for processing, which reduces the chances of dropping localhost packets.
(BZ#1779337)
6.7.9. Hardware enablement
The HP NMI watchdog in some cases does not generate a crash dump
The hpwdt driver for the HP NMI watchdog is sometimes not able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI was instead consumed by the perfmon driver. As a consequence, hpwdt in some cases cannot call a panic to generate a crash dump.
(BZ#1602962)
Installing RHEL 8.1 on a test system configured with a QL41000 card results in a kernel panic
While installing RHEL 8.1 on a test system configured with a QL41000 card, the system is unable to handle a kernel NULL pointer dereference at 000000000000003c. As a consequence, a kernel panic occurs. There is no workaround available for this issue.
(BZ#1743456)
The cxgb4 driver causes crash in the kdump kernel
The kdump kernel crashes while trying to save information in the vmcore file. Consequently, the cxgb4 driver prevents the kdump kernel from saving a core for later analysis. To work around this problem, add the "novmcoredd" parameter to the kdump kernel command line to allow saving core files.
(BZ#1708456)
6.7.10. File systems and storage
Certain SCSI drivers might sometimes use an excessive amount of memory
Certain SCSI drivers use a larger amount of memory than in RHEL 7. In certain cases, such as vPort creation on a Fibre Channel host bus adapter (HBA), the memory usage might be excessive, depending upon the system configuration.
The increased memory usage is caused by memory preallocation in the block layer. Both the multiqueue block device scheduling (BLK-MQ) and the multiqueue SCSI stack (SCSI-MQ) preallocate memory for each I/O request in RHEL 8, leading to the increased memory usage.
(BZ#1698297)
VDO cannot suspend until UDS has finished rebuilding
When a Virtual Data Optimizer (VDO) volume starts after an unclean system shutdown, it rebuilds the Universal Deduplication Service (UDS) index. If you try to suspend the VDO volume using the dmsetup suspend command while the UDS index is rebuilding, the suspend command might become unresponsive. The command finishes only after the rebuild is done.
The unresponsiveness is noticeable only with VDO volumes that have a large UDS index, which causes the rebuild to take a longer time.
An NFS 4.0 patch can result in reduced performance under an open-heavy workload
Previously, a bug was fixed that, in some cases, could cause an NFS open operation to overlook the fact that a file had been removed or renamed on the server. However, the fix may cause slower performance with workloads that require many open operations. To work around this problem, it might help to use NFS version 4.1 or higher, which have been improved to grant delegations to clients in more cases, allowing clients to perform open operations locally, quickly, and safely.
(BZ#1748451)
6.7.11. Dynamic programming languages, web and database servers
nginx cannot load server certificates from hardware security tokens
The nginx web server supports loading TLS private keys from hardware security tokens directly from PKCS#11 modules. However, it is currently impossible to load server certificates from hardware security tokens through the PKCS#11 URI. To work around this problem, store server certificates on the file system.
php-fpm causes SELinux AVC denials when php-opcache is installed with PHP 7.2
When the php-opcache package is installed, the FastCGI Process Manager (php-fpm) causes SELinux AVC denials. To work around this problem, change the default configuration in the /etc/php.d/10-opcache.ini file to the following:
opcache.huge_code_pages=0
Note that this problem affects only the php:7.2 stream, not the php:7.3 one.
6.7.12. Compilers and development tools
The ltrace tool does not report function calls
Because of improvements to binary hardening applied to all RHEL components, the ltrace tool can no longer detect function calls in binary files coming from RHEL components. As a consequence, ltrace output is empty because it does not report any detected calls when used on such binary files. There is no workaround currently available.
As a note, ltrace can correctly report calls in custom binary files built without the respective hardening flags.
(BZ#1618748)
6.7.13. Identity Management
AD users with expired accounts can be allowed to log in when using GSSAPI authentication
The accountExpires attribute that SSSD uses to see whether an account has expired is not replicated to the global catalog by default. As a result, users with expired accounts can log in when using GSSAPI authentication. To work around this problem, the global catalog support can be disabled by specifying ad_enable_gc=False in the sssd.conf file. With this setting, users with expired accounts will be denied access when using GSSAPI authentication.
Note that SSSD connects to each LDAP server individually in this scenario, which can increase the connection count.
(BZ#1081046)
Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System
Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.
Changing /etc/nsswitch.conf requires a manual system reboot
Any change to the /etc/nsswitch.conf file, for example running the authselect select profile_id command, requires a system reboot so that all relevant processes use the updated version of the /etc/nsswitch.conf file. If a system reboot is not possible, restart the service that joins your system to Active Directory, which is the System Security Services Daemon (SSSD) or winbind.
No information about required DNS records displayed when enabling support for AD trust in IdM
When enabling support for Active Directory (AD) trust in a Red Hat Enterprise Linux Identity Management (IdM) installation with external DNS management, no information about the required DNS records is displayed. Forest trust to AD is not successful until the required DNS records are added. To work around this problem, run the 'ipa dns-update-system-records --dry-run' command to obtain a list of all DNS records required by IdM. Once the external DNS for the IdM domain defines the required DNS records, establishing forest trust to AD is possible.
SSSD returns incorrect LDAP group membership for local users
If the System Security Services Daemon (SSSD) serves users from the local files, the files provider does not include group memberships from other domains. As a consequence, if a local user is a member of an LDAP group, the id local_user command does not return the user's LDAP group membership. To work around the problem, either revert the order of the databases where the system is looking up the group membership of users in the /etc/nsswitch.conf file, replacing sss files with files sss, or disable the implicit files domain by adding
enable_files_domain=False
to the [sssd] section in the /etc/sssd/sssd.conf file.
As a result, id local_user returns correct LDAP group membership for local users.
Default PAM settings for systemd-user have changed in RHEL 8, which may influence SSSD behavior
The Pluggable Authentication Modules (PAM) stack has changed in Red Hat Enterprise Linux 8. For example, the systemd user session now starts a PAM conversation using the systemd-user PAM service. This service now recursively includes the system-auth PAM service, which may include the pam_sss.so interface. This means that the SSSD access control is always called.
Be aware of the change when designing access control rules for RHEL 8 systems. For example, you can add the systemd-user service to the allowed services list.
Please note that for some access control mechanisms, such as IPA HBAC or AD GPOs, the systemd-user service has been added to the allowed services list by default and you do not need to take any action.
SSSD does not correctly handle multiple certificate matching rules with the same priority
If a given certificate matches multiple certificate matching rules with the same priority, the System Security Services Daemon (SSSD) uses only one of the rules. As a workaround, use a single certificate matching rule whose LDAP filter consists of the filters of the individual rules concatenated with the | (or) operator. For examples of certificate matching rules, see the sss-certmap(5) man page.
(BZ#1447945)
Private groups fail to be created with auto_private_group = hybrid when multiple domains are defined
Private groups fail to be created with the option auto_private_group = hybrid when multiple domains are defined and the hybrid option is used by any domain other than the first one. If an implicit files domain is defined along with an AD or LDAP domain in the sssd.conf file and is not marked as MPG_HYBRID, then SSSD fails to create a private group for a user who has uid=gid and the group with this gid does not exist in AD or LDAP.
The sssd_nss responder checks for the value of the auto_private_groups option in the first domain only. As a consequence, in setups where multiple domains are configured, which includes the default setup on RHEL 8, the option auto_private_group has no effect.
To work around this problem, set enable_files_domain = false in the sssd section of sssd.conf. As a result, if the enable_files_domain option is set to false, then sssd does not add a domain with id_provider=files at the start of the list of active domains, and therefore this bug does not occur.
(BZ#1754871)
python-ply is not FIPS compatible
The YACC module of the python-ply package uses the MD5 hashing algorithm to generate the fingerprint of a YACC signature. However, FIPS mode blocks the use of MD5, which is only allowed in non-security contexts. As a consequence, python-ply is not FIPS compatible. On a system in FIPS mode, all calls to ply.yacc.yacc() fail with the error message:
"UnboundLocalError: local variable 'sig' referenced before assignment"
The problem affects python-pycparser and some use cases of python-cffi. To work around this problem, modify line 2966 of the file /usr/lib/python3.6/site-packages/ply/yacc.py, replacing sig = md5() with sig = md5(usedforsecurity=False). As a result, python-ply can be used in FIPS mode.
6.7.14. Desktop
Limitations of the Wayland session
With Red Hat Enterprise Linux 8, the GNOME environment and the GNOME Display Manager (GDM) use Wayland as the default session type instead of the X11 session, which was used with the previous major version of RHEL.
The following features are currently unavailable or do not work as expected under Wayland:
- Multi-GPU setups are not supported under Wayland.
- X11 configuration utilities, such as xrandr, do not work under Wayland due to its different approach to handling resolutions, rotations, and layout. You can configure the display features using GNOME Settings.
- Screen recording and remote desktop require applications to support the portal API on Wayland. Certain legacy applications do not support the portal API.
- Pointer accessibility is not available on Wayland.
- No clipboard manager is available.
- GNOME Shell on Wayland ignores keyboard grabs issued by most legacy X11 applications. You can enable an X11 application to issue keyboard grabs using the /org/gnome/mutter/wayland/xwayland-grab-access-rules GSettings key. By default, GNOME Shell on Wayland enables the following applications to issue keyboard grabs:
  - GNOME Boxes
  - Vinagre
  - Xephyr
  - virt-manager, virt-viewer, and remote-viewer
  - vncviewer
- Wayland inside guest virtual machines (VMs) has stability and performance problems. RHEL automatically falls back to the X11 session when running in a VM.
If you upgrade to RHEL 8 from a RHEL 7 system where you used the X11 GNOME session, your system continues to use X11. The system also automatically falls back to X11 when the following graphics drivers are in use:
- The proprietary NVIDIA driver
- The cirrus driver
- The mga driver
- The aspeed driver
You can disable the use of Wayland manually:
- To disable Wayland in GDM, set the WaylandEnable=false option in the /etc/gdm/custom.conf file.
- To disable Wayland in the GNOME session, select the legacy X11 option by using the cogwheel menu on the login screen after entering your login name.
For more details on Wayland, see https://wayland.freedesktop.org/.
Drag-and-drop does not work between desktop and applications
Due to a bug in the gnome-shell-extensions package, the drag-and-drop functionality does not currently work between desktop and applications. Support for this feature will be added back in a future release.
Disabling flatpak repositories from Software Repositories is not possible
Currently, it is not possible to disable or remove flatpak repositories in the Software Repositories tool in the GNOME Software utility.
Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V Server 2016 hosts
When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a Microsoft Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the GRUB boot menu. In addition, the following error is logged in the Hyper-V event log:
The guest operating system reported that it failed with the following error code: 0x1E
This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, use Hyper-V Server 2019 as the host.
(BZ#1583445)
GNOME Shell on Wayland performs slowly when using a software renderer
When using a software renderer, GNOME Shell as a Wayland compositor (GNOME Shell on Wayland) does not use a cacheable framebuffer for rendering the screen. Consequently, GNOME Shell on Wayland is slow. To work around the problem, go to the GNOME Display Manager (GDM) login screen and switch to a session that uses the X11 protocol instead. As a result, the Xorg display server, which uses cacheable memory, is used, and GNOME Shell on Xorg in the described situation performs faster compared to GNOME Shell on Wayland.
(BZ#1737553)
System crash may result in fadump configuration loss
This issue is observed on systems where firmware-assisted dump (fadump) is enabled, and the boot partition is located on a journaling file system such as XFS. A system crash might cause the boot loader to load an older initrd that does not have the dump capturing support enabled. Consequently, after recovery, the system does not capture the vmcore file, which results in fadump configuration loss.
To work around this problem:
- If /boot is a separate partition, perform the following:
  - Restart the kdump service.
  - Run the following commands as the root user, or using a user account with CAP_SYS_ADMIN rights:
    # fsfreeze -f /boot
    # fsfreeze -u /boot
- If /boot is not a separate partition, reboot the system.
(BZ#1723501)
Potential risk when using the default value for the ldap_id_use_start_tls option
Using ldap:// without TLS for identity lookups poses a risk of a man-in-the-middle (MITM) attack, which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.
Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. Ensure that your setup operates in a trusted environment and decide whether it is safe to use unencrypted communication for id_provider = ldap. Note that id_provider = ad and id_provider = ipa are not affected, because they use encrypted connections protected by SASL and GSSAPI.
If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the /etc/sssd/sssd.conf file. The default behavior is planned to be changed in a future release of RHEL.
(JIRA:RHELPLAN-155168)
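An added audit script (not SSSD's own code) that checks an sssd.conf for the two conditions described in this section and in the private-groups entry above: an id_provider = ldap domain that uses plain ldap:// without ldap_id_use_start_tls = true, and auto_private_groups = hybrid in a domain that is not the first active one while the implicit files domain is still enabled. The two sample configurations are constructed, and an unset ldap_uri is assumed to mean plain ldap://.

```python
"""Audit sssd.conf for plain ldap:// lookups without StartTLS and for a
hybrid auto_private_groups setting that SSSD ignores. Added example, not
SSSD's own code; both sample configurations below are constructed."""
import configparser

# Constructed: IPA domain (exempt), then an LDAP domain hitting both issues.
WEAK_CONF = """\
[sssd]
services = nss, pam
domains = corp.example.com, ldap.example.com

[domain/corp.example.com]
id_provider = ipa
ipa_server = ipa.corp.example.com

[domain/ldap.example.com]
id_provider = ldap
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com
auto_private_groups = hybrid
"""
# Constructed: StartTLS enforced, files domain disabled, hybrid domain first.
FIXED_CONF = WEAK_CONF.replace(
    "domains = corp.example.com, ldap.example.com",
    "domains = ldap.example.com, corp.example.com\nenable_files_domain = false",
).replace(
    "auto_private_groups = hybrid",
    "auto_private_groups = hybrid\nldap_id_use_start_tls = true",
)


def is_true(value, default):
    """SSSD-style boolean (true/yes/1); None means the option is unset."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "yes", "1")


def audit_sssd_conf(text):
    """Return a sorted list of (domain, issue) pairs found in the config."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")
              if d.strip()]
    # Unless enable_files_domain = false, SSSD prepends an implicit files
    # domain, so every listed domain is then "not the first one".
    files_first = is_true(cp.get("sssd", "enable_files_domain", fallback=None), True)
    active = (["<implicit files domain>"] if files_first else []) + listed
    findings = []
    for name in listed:
        sect = f"domain/{name}"
        if not cp.has_section(sect):
            continue
        if cp.get(sect, "id_provider", fallback="").strip().lower() == "ldap":
            # id_provider = ad / ipa use SASL/GSSAPI-protected connections.
            # Assumption: unset ldap_uri (DNS SRV discovery) means plain ldap://.
            uris = [u.strip() for u in cp.get(sect, "ldap_uri", fallback="ldap://").split(",")]
            tls = is_true(cp.get(sect, "ldap_id_use_start_tls", fallback=None), False)
            if any(u.startswith("ldap://") for u in uris) and not tls:
                findings.append((name, "plain ldap:// without ldap_id_use_start_tls = true"))
        hybrid = cp.get(sect, "auto_private_groups", fallback="").strip().lower() == "hybrid"
        if hybrid and active.index(name) > 0:
            findings.append((name, "auto_private_groups = hybrid ignored: not the first active domain"))
    return sorted(findings)
```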
6.7.15. Graphics infrastructures
radeon fails to reset hardware correctly
The radeon kernel driver currently does not reset hardware in the kexec context correctly. Instead, radeon falls over, which causes the rest of the kdump service to fail.
To work around this problem, blacklist radeon in kdump by adding the following line to the /etc/kdump.conf file:
dracut_args --omit-drivers "radeon" force_rebuild 1
Restart the machine and kdump. After starting kdump, the force_rebuild 1 line may be removed from the configuration file.
Note that in this scenario, no graphics will be available during kdump, but kdump will work successfully.
(BZ#1694705)
6.7.16. The web console
Unprivileged users can access the Subscriptions page
If a non-administrator navigates to the Subscriptions page of the web console, the web console displays a generic error message “Cockpit had an unexpected internal error”.
To work around this problem, sign in to the web console with a privileged user and make sure to check the Reuse my password for privileged tasks checkbox.
6.7.17. Virtualization
Using cloud-init to provision virtual machines on Microsoft Azure fails
Currently, it is not possible to use the cloud-init utility to provision a RHEL 8 virtual machine (VM) on the Microsoft Azure platform. To work around this problem, use one of the following methods:
- Use the WALinuxAgent package instead of cloud-init to provision VMs on Microsoft Azure.
- Add the following setting to the [main] section in the /etc/NetworkManager/NetworkManager.conf file:
  [main]
  dhcp=dhclient
(BZ#1641190)
RHEL 8 virtual machines on RHEL 7 hosts in some cases cannot be viewed in higher resolution than 1920x1200
Currently, when using a RHEL 8 virtual machine (VM) running on a RHEL 7 host system, certain methods of displaying the graphical output of the VM, such as running the application in kiosk mode, cannot use a greater resolution than 1920x1200. As a consequence, displaying VMs using those methods only works in resolutions up to 1920x1200, even if the host hardware supports higher resolutions.
(BZ#1635295)
Low GUI display performance in RHEL 8 virtual machines on a Windows Server 2019 host
When using RHEL 8 as a guest operating system in graphical mode on a Windows Server 2019 host, the GUI display performance is low, and connecting to a console output of the guest currently takes significantly longer than expected.
This is a known issue on Windows 2019 hosts and is pending a fix by Microsoft. To work around this problem, connect to the guest using SSH or use Windows Server 2016 as the host.
(BZ#1706541)
Installing RHEL virtual machines sometimes fails
Under certain circumstances, RHEL 7 and RHEL 8 virtual machines created using the virt-install utility fail to boot if the --location option is used.
To work around this problem, use the --extra-args option instead and specify an installation tree reachable by the network, for example:
--extra-args="inst.repo=https://some/url/tree/path"
This ensures that the RHEL installer finds the installation files correctly.
(BZ#1677019)
Displaying multiple monitors of virtual machines that use Wayland is not possible with QXL
Using the remote-viewer utility to display more than one monitor of a virtual machine (VM) that is using the Wayland display server causes the VM to become unresponsive and the Waiting for display status message to be displayed indefinitely.
To work around this problem, use virtio-gpu instead of qxl as the GPU device for VMs that use Wayland.
(BZ#1642887)
virsh iface-* commands do not work consistently
Currently, virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, frequently fail due to configuration dependencies. Therefore, it is recommended not to use virsh iface-* commands for configuring and managing host network connections. Instead, use the NetworkManager program and its related management applications.
(BZ#1664592)
Customizing an ESXi VM using cloud-init and rebooting the VM causes IP setting loss and makes booting the VM very slow
Currently, if the cloud-init service is used to modify a virtual machine (VM) that runs on the VMware ESXi hypervisor to use a static IP and the VM is then cloned, the new cloned VM in some cases takes a very long time to reboot. This is caused by cloud-init rewriting the VM's static IP to DHCP and then searching for an available datasource.
To work around this problem, you can uninstall cloud-init after the VM is booted for the first time. As a result, the subsequent reboots will not be slowed down.
(BZ#1666961, BZ#1706482)
RHEL 8 virtual machines sometimes cannot boot on Witherspoon hosts
RHEL 8 virtual machines (VMs) that use the pseries-rhel7.6.0-sxxm machine type in some cases fail to boot on Power9 S922LC for HPC hosts (also known as Witherspoon) that use the DD2.2 or DD2.3 CPU.
Attempting to boot such a VM instead generates the following error message:
qemu-kvm: Requested safe indirect branch capability level not supported by kvm
To work around this problem, configure the virtual machine's XML configuration as follows:
<domain type='qemu' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <qemu:commandline>
    <qemu:arg value='-machine'/>
    <qemu:arg value='cap-ibs=workaround'/>
  </qemu:commandline>
  <!-- rest of the domain definition unchanged -->
</domain>
IBM POWER virtual machines do not work correctly with zero memory NUMA nodes
Currently, when an IBM POWER virtual machine (VM) running on a RHEL 8 host is configured with a NUMA node that uses zero memory (memory='0'), the VM cannot boot. Therefore, Red Hat strongly recommends not using IBM POWER VMs with zero-memory NUMA nodes on RHEL 8.
(BZ#1651474)
Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 fails
Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 becomes unresponsive with a "Migration status: active" status.
To work around this problem, disable Transparent Huge Pages (THP) on the RHEL 7-ALT host, which enables the migration to complete successfully.
(BZ#1741436)
SMT CPU topology is not detected by VMs when using host passthrough mode on AMD EPYC
When a virtual machine (VM) boots with the CPU host passthrough mode on an AMD EPYC host, the TOPOEXT CPU feature flag is not present. Consequently, the VM is not able to detect a virtual CPU topology with multiple threads per core. To work around this problem, boot the VM with the EPYC CPU model instead of host passthrough.
Virtual machines sometimes fail to start when using many virtio-blk disks
Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number of interrupt vectors available in the platform. If this occurs, the VM's guest OS fails to boot, and displays a dracut-initqueue[392]: Warning: Could not boot error.