Chapter 8. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 9.2 that have a significant impact on users.
8.1. Installer and image creation
The installer now displays correct total disk space in Custom partitioning with multipath or DDF RAID devices
Previously, when Custom partitioning was selected in Installer on a system with a multipath or DDF RAID device, the total disk space was not reported correctly and member disk devices were listed as available for partitioning.
With this update, Custom partitioning in the installer reports the correct value for total disk space and only allows using the DDF RAID or multipath device as a whole.
The installer now adds configuration options correctly into the yum repo files
Previously, the installer did not add configuration options correctly into yum repo files while including and excluding packages from additional installation repositories. With this update, yum repo files are created correctly. As a result, using the --excludepkgs= or --includepkgs= options in the repo kickstart command now excludes or includes the specified packages during installation as expected.
Using the filename DHCP option no longer blocks downloading the kickstart file for installation
Previously, when building a path for getting the kickstart file from an NFS server, the installer did not consider the filename DHCP option. As a consequence, the installer did not download the kickstart file and was blocking the installation process. With this update, the installer uses the filename DHCP option to construct the path to the kickstart file correctly. As a result, the kickstart file is downloaded properly, and the installation process starts correctly.
The installer now creates a new GPT disk layout while custom partitioning
Previously, the installer did not change the disk layout to GPT when inst.gpt was specified on the kernel command line, and the user removed all partitions from a disk with the MBR disk layout on the custom partitioning spoke. As a consequence, the MBR disk layout remained on the disk.
With this update, the installer creates a new GPT disk layout on the disk if inst.gpt is specified on the kernel command line, and all partitions are removed from a disk on the custom partitioning spoke.
Bugzilla:2127100
Installer now lists all PPC PreP Boot or BIOS Boot partitions during custom partitioning
Previously, when adding multiple PPC PreP Boot or BIOS Boot partitions during custom partitioning, the Custom Partitioning screen displayed only one partition of a related type. As a consequence, the Custom Partitioning screen did not reflect the real state of the intended partitioning layout, making the partitioning process difficult and non-transparent.
With this update, the Custom Partitioning screen correctly displays all PPC PreP Boot or BIOS Boot partitions in the partitions list. As a result, users can now better understand and manage the intended partitioning layout.
Anaconda now validates LUKS passphrases for the FIPS requirements
Previously, Anaconda did not check if the length of LUKS passphrases satisfies the FIPS requirements, while the underlying tools performed this check. As a consequence, installing in FIPS mode with a passphrase shorter than 8 characters caused the installer to terminate prematurely.
With this update, the installer has been improved to validate and enforce the minimum length for the passphrase. As a result, the installer informs you if the LUKS passphrase is too short for use in FIPS mode and prevents the unexpected termination.
8.2. Subscription management
Subscription manager no longer denies registration and fetching of Red Hat content
Previously, subscription-manager operated in container mode when run under OpenShift Container Platform (OCP) because of improved container detection logic in RHEL 9. As a consequence, the system was unable to use the provided subscription credentials and therefore could not fetch Red Hat content.
This update fixed the container detection logic so that subscription-manager running under OCP does not detect the system (that is, the running pod) as a container. As a result, you can now use the provided subscription credentials or even register using your own credentials to fetch Red Hat content from an OpenShift container.
subscription-manager no longer retains nonessential text in the terminal
Starting with RHEL 9.1, subscription-manager displays progress information while processing any operation. Previously, for some languages, typically non-Latin, progress messages did not clean up after the operation finished. With this update, all the messages are cleaned up properly when the operation finishes.
If you have disabled the progress messages before, you can re-enable them by entering the following command:
# subscription-manager config --rhsm.progress_messages=1
Bugzilla:2136694
8.3. Software management
RPM no longer hangs during a transaction involving the fapolicyd service restart
Previously, if you tried to update a package that caused the fapolicyd service to be restarted, for example, systemd, the RPM transaction stopped responding because the fapolicyd plug-in failed to communicate with the fapolicyd daemon.
With this update, the fapolicyd plug-in now correctly communicates with the fapolicyd daemon. As a result, RPM no longer hangs during a transaction which involves the fapolicyd service restart.
Reverting a DNF upgrade transaction is now possible for a package group or environment
Previously, the dnf history rollback command failed when attempting to revert an upgrade transaction for a package group or an environment.
With this update, the issue has been fixed, and you can now revert the DNF upgrade transaction for a package group or environment.
Security DNF upgrade is now possible for packages that change their architecture through the upgrade
Patch for BZ#2108969 introduced with RHBA-2022:8295 caused a regression where DNF upgrade using security filters skipped packages that changed their architecture from or to noarch through the upgrade. Consequently, the missing security upgrades for these packages could leave the system in a vulnerable state.
With this update, the issue has been fixed, and security DNF upgrade no longer skips packages that change architecture from or to noarch.
Bugzilla:2124480
Qt message QM files with 3-letter names are now packaged when an RPM package is being built or rebuilt
Previously, the find-lang.sh script could not find Qt message QM files (.qm) with names consisting of 3 characters. Consequently, these files were not added to an RPM package.
With this update, the issue has been fixed, and the 3-letter Qt message QM files can now be packaged when building or rebuilding an RPM.
8.4. Shells and command-line tools
ReaR handles excluded DASDs on the IBM Z architecture correctly
Previously, on the IBM Z architecture, ReaR reformatted all connected Direct Access Storage Devices (DASD) during the recovery process, including DASDs that users had excluded from the saved layout and whose content they did not intend to restore. As a consequence, if you excluded some DASDs from the saved layout, their data were lost during system recovery. With this update, ReaR no longer formats excluded DASDs during system recovery, including the device from which the ReaR rescue system was booted (using the zIPL bootloader). You are also prompted to confirm the DASD formatting script before ReaR reformats DASDs. This ensures that the data on excluded DASDs survive a system recovery.
ReaR no longer fails to restore non-LVM XFS filesystems
Previously, when you used ReaR to restore a non-LVM XFS file system with certain settings and disk mapping, ReaR created the file system with the default settings instead of the specified settings. For example, if you had a file system with the sunit and swidth parameters set to non-zero values and you restored the file system using ReaR with disk mapping, the file system would be created with default sunit and swidth parameters, ignoring the specified values. As a consequence, ReaR failed during mounting the file system with specific XFS options. With this update, ReaR correctly restores the file system with the specified settings.
wsmancli handles HTTP 401 Unauthorized statuses correctly
The wsmancli utility for managing systems using the Web Services Management protocol now handles authentication to better conform to RFC 2616.
Previously, when connecting to a service that requires authentication, the wsmancli command returned the error message Authentication failed, please retry immediately after receiving an HTTP 401 Unauthorized response, for example, because of incomplete credentials. To proceed, wsmancli prompted you to provide both the username and the password, even in situations where you had already provided a part of your credentials.
With this update, wsmancli requires only credentials that were not previously provided. As a result, the first authentication attempt does not display any error message. An error message is displayed only after you provide the complete credentials and authentication fails.
8.5. Security
USBGuard saves rules even if RuleFile is not defined
Previously, if the RuleFolder configuration directive in USBGuard was set but RuleFile was not, the rule set could not be changed. With this update, you can now change the rule set even if RuleFolder is set but RuleFile is not. As a result, you can modify the permanent policy in USBGuard to permanently save newly added rules.
python-sqlalchemy rebased to 1.4.45
The python-sqlalchemy package has been rebased to version 1.4.45, which provides many bug fixes over version 1.4.37. Most notably, this version contains a fix for a critical memory bug in the cache key generation.
crypto-policies now disable NSEC3DSA for BIND
Previously, the system-wide cryptographic policies did not control the NSEC3DSA algorithm in the BIND configuration. Consequently, NSEC3DSA, which does not meet current security requirements, was not disabled on DNS servers. With this update, all cryptographic policies disable NSEC3DSA in the BIND configuration by default.
OpenSSL in SECLEVEL=3 now works with PSK cipher suites
Previously, pre-shared key (PSK) cipher suites were not recognized as performing perfect forward secrecy (PFS) key exchange methods. As a consequence, the ECDHE-PSK and DHE-PSK cipher suites did not work with OpenSSL configured to SECLEVEL=3, for example, when the system-wide cryptographic policy was set to FUTURE. The new version of the openssl package fixes this problem.
Clevis now correctly skips commented-out devices in crypttab
Previously, Clevis tried to unlock commented-out devices in the crypttab file, causing the clevis-luks-askpass service to run even if the device was not valid. This caused unnecessary service runs and made it difficult to troubleshoot.
With this fix, Clevis ignores commented-out devices. Now, if an invalid device is commented out, Clevis does not attempt to unlock it, and clevis-luks-askpass finishes appropriately. This makes it easier to troubleshoot and reduces unnecessary service runs.
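To show what "ignoring commented-out devices" means in practice, the following added example (not Red Hat's or Clevis's code) parses a constructed /etc/crypttab the way crypttab(5) defines it: a line whose first non-blank character is # is a comment and must be skipped entirely, and entries with no key file are the ones that would prompt for a passphrase at boot. The sample file and the helper names are assumptions made for this example.

```python
from typing import Dict, List

# Constructed sample /etc/crypttab for the example; not taken from any real system.
# The third and fourth lines are commented out and must never be unlocked.
SAMPLE_CRYPTTAB = """\
# <name>   <device>                                   <keyfile>           <options>
luks-root  UUID=11111111-2222-3333-4444-555555555555  none                luks,discard
# luks-old UUID=99999999-8888-7777-6666-555555555555  none                luks
   # luks-data  /dev/sdb2   none   luks,_netdev
luks-data  /dev/sdb2                                  /etc/keys/data.key  luks
"""


def parse_crypttab(text: str) -> List[Dict[str, object]]:
    """Return the active crypttab entries (comments and blank lines skipped).

    crypttab(5) has no inline comments: the whole line is a comment when its
    first non-blank character is '#'. Fields are <name> <device> [<keyfile>] [<options>].
    """
    entries: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out or empty: not a device to unlock
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"crypttab line {lineno}: need at least <name> <device>")
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append(
            {"name": fields[0], "device": fields[1], "keyfile": keyfile,
             "options": options, "line": lineno}
        )
    return entries


def askpass_candidates(entries: List[Dict[str, object]]) -> List[str]:
    """Names of entries that have no key file and therefore prompt for a passphrase.

    In crypttab a key file of 'none' or '-' means "ask for the password"; those are
    the entries an askpass-style helper such as clevis-luks-askpass would respond to.
    """
    return [str(e["name"]) for e in entries if e["keyfile"] in ("none", "-")]


if __name__ == "__main__":
    active = parse_crypttab(SAMPLE_CRYPTTAB)
    print("active entries:", [e["name"] for e in active])
    print("would prompt for a passphrase:", askpass_candidates(active))
```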
Clevis no longer requests too much entropy from pwmake
Previously, the pwmake password generation utility displayed unwanted warnings when Clevis used pwmake to create passwords for storing data in LUKS metadata, which caused Clevis to use lower entropy. With this update, Clevis is limited to 256 entropy bits provided to pwmake, which eliminates an unwanted warning and uses the correct amount of entropy.
USBGuard no longer causes a confusing warning
Previously, a race condition could happen in USBGuard when a parent process finished sooner than the first child process. As a consequence, systemd reported that a process was present with a wrongly identified parent PID (PPID). With this update, a parent process waits for the first child process to finish in working mode. As a result, systemd no longer reports such warnings.
OOM killer no longer terminates usbguard prematurely
Previously, the usbguard.service file did not contain a definition of the OOMScoreAdjust option for the systemd service. Consequently, when the system was low on resources, the usbguard-daemon process could be terminated before other unprivileged processes. With this update, the usbguard.service file now includes the OOMScoreAdjust setting, which prevents the Out-of-Memory (OOM) killer from terminating the usbguard-daemon process prematurely.
logrotate no longer incorrectly signals Rsyslog in log rotation
Previously, the argument order was incorrectly set in the logrotate script, which caused a syntax error. This resulted in logrotate not correctly signaling Rsyslog during log rotation.
With this update, the order of the arguments in logrotate is fixed and logrotate signals Rsyslog correctly after log rotation even when the POSIXLY_CORRECT environment variable is set.
imklog no longer calls free() on missing objects
Previously, the imklog module called the free() function on an already freed object. Consequently, imklog could cause a segmentation fault. With this update, the object is no longer freed twice.
fagenrules --load now works correctly
Previously, the fapolicyd service did not correctly handle the hangup signal (SIGHUP). Consequently, fapolicyd terminated after receiving SIGHUP, and the fagenrules --load command did not work correctly. This update contains a fix for the problem. As a result, fagenrules --load now works correctly, and rule updates no longer require manual restarts of fapolicyd.
Scans and remediations of SCAP Audit rules now correctly ignore the Audit key
Previously, Audit watch rules that were defined without an Audit key (-k or -F key) encountered the following problems:
- The rules were marked as non-compliant even if other parts of the rule were correct.
- Bash remediation fixed the path and permissions of the watch rule, but it did not add the Audit key correctly.
- Remediation sometimes did not fix the missing key, returning an error instead of a fixed value.
This affected the following rules:
- audit_rules_login_events
- audit_rules_login_events_faillock
- audit_rules_login_events_lastlog
- audit_rules_login_events_tallylog
- audit_rules_usergroup_modification
- audit_rules_usergroup_modification_group
- audit_rules_usergroup_modification_gshadow
- audit_rules_usergroup_modification_opasswd
- audit_rules_usergroup_modification_passwd
- audit_rules_usergroup_modification_shadow
- audit_rules_time_watch_localtime
- audit_rules_mac_modification
- audit_rules_networkconfig_modification
- audit_rules_sysadmin_actions
- audit_rules_session_events
- audit_rules_sudoers
- audit_rules_sudoers_d
With this update, the Audit key has been removed from checks and from Bash and Ansible remediations. As a result, inconsistencies caused by the key field during checking and remediating no longer occur, and auditors can choose these keys arbitrarily to make searching Audit logs easier.
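The following added example (written for this page, not the SCAP Security Guide's own check code) shows the difference the key handling makes: it parses auditctl watch rules of the form -w <path> -p <perms> -k <key> (or -F key=<key>) and compares a configured rule against the expected one either ignoring the key, as the fixed checks do, or requiring it, as the old checks did. The sample rules file, the helper names and the assumption that a configured rule may watch a superset of the expected permissions are constructed for this example.

```python
import shlex
from typing import Dict, List, Optional, Set


def parse_watch_rule(rule: str) -> Dict[str, object]:
    """Parse one auditctl watch rule, for example '-w /etc/passwd -p wa -k identity'.

    Understands -w <path>, -p <perms>, -k <key> and -F key=<key>. Any other
    token is rejected so that syscall (-a/-S) rules are not silently misread.
    """
    tokens = shlex.split(rule)
    path: Optional[str] = None
    perms: Set[str] = set()
    key: Optional[str] = None
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"missing value after {flag!r} in {rule!r}")
        value = tokens[i + 1]
        if flag == "-w":
            path = value
        elif flag == "-p":
            perms = set(value)            # e.g. "wa" -> {"w", "a"}
        elif flag == "-k":
            key = value
        elif flag == "-F" and value.startswith("key="):
            key = value[len("key="):]     # alternative spelling of the key
        else:
            raise ValueError(f"unsupported token {flag!r} in {rule!r}")
        i += 2
    if path is None:
        raise ValueError(f"not a watch rule (no -w): {rule!r}")
    return {"path": path, "perms": perms, "key": key}


def rule_compliant(expected: str, actual: str, ignore_key: bool = True) -> bool:
    """Decide whether the configured rule 'actual' satisfies 'expected'.

    The path must match and 'actual' must watch at least the expected permissions
    (an assumption made for this example). With ignore_key=True, mirroring the
    fixed behaviour, the -k/-F key= field is not compared, so auditors may pick any
    key. ignore_key=False reproduces the old behaviour, in which a different or
    missing key made an otherwise correct rule non-compliant.
    """
    exp = parse_watch_rule(expected)
    act = parse_watch_rule(actual)
    if exp["path"] != act["path"] or not exp["perms"] <= act["perms"]:
        return False
    return ignore_key or exp["key"] == act["key"]


def find_watch_rules(rules_text: str, path: str) -> List[str]:
    """Return the watch rules for 'path' from audit.rules-style text, skipping comments."""
    found = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("-w"):
            continue
        if parse_watch_rule(line)["path"] == path:
            found.append(line)
    return found


# Constructed sample rules file for the example (not from any real system).
SAMPLE_RULES = """\
# lastlog watch, keyed the way the local auditors prefer
-w /var/log/lastlog -p wa -k session-logins
-w /etc/sudoers -p wa -F key=actions
-w /etc/group -p r
"""


def check_sample() -> Dict[str, bool]:
    """Evaluate three expected rules against SAMPLE_RULES with the key ignored."""
    expected = {
        "/var/log/lastlog": "-w /var/log/lastlog -p wa -k logins",
        "/etc/sudoers": "-w /etc/sudoers -p wa -k actions",
        "/etc/group": "-w /etc/group -p wa -k audit_rules_usergroup_modification",
    }
    return {
        path: any(rule_compliant(rule, found) for found in find_watch_rules(SAMPLE_RULES, path))
        for path, rule in expected.items()
    }


if __name__ == "__main__":
    # lastlog and sudoers pass despite different keys; /etc/group fails on permissions.
    print(check_sample())
```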
Keylime no longer fails attestation of systems that access multiple IMA-measured files
Previously, if a system that runs the Keylime agent accessed multiple files measured by the Integrity Measurement Architecture (IMA) in quick succession, the Keylime verifier incorrectly processed the IMA log additions. As a consequence, the running hash did not match the correct Platform Configuration Register (PCR) state, and the system failed attestation. This update fixes the problem and systems that quickly access multiple measured files no longer fail attestation.
Keylime policy generation script no longer causes a segmentation fault and core dump
The create_mb_refstate script generates policies for measured boot attestation in Keylime. Previously, create_mb_refstate incorrectly calculated the data length in the DevicePath field. As a consequence, the script tried to access invalid memory using the incorrectly calculated length, which resulted in a segmentation fault and core dump.
This update, which has been published in the advisory RHBA-2023:0309, prevents the segmentation fault when processing the measured boot event log. As a result, you can generate a measured boot policy.
TPM certificates no longer cause Keylime registrar to crash
Previously, some certificates in the Keylime TPM certificate store were malformed x509 certificates and caused the Keylime registrar to crash. This update fixes the problem, and the Keylime registrar no longer crashes due to malformed certificates.
8.6. Networking
NetworkManager now preserves IP addresses during reapply before acquiring a new DHCP lease
Previously, after changing the connection settings and then using the nmcli device reapply command, NetworkManager did not preserve the DHCP lease. Consequently, the IP address got removed temporarily. With this fix, NetworkManager preserves the DHCP lease and uses it until the lease expires or the client requests a new one. As a result, when the nmcli device reapply command restarts the DHCP client, it does not temporarily remove the IP address.
The firewalld service now triggers the ipset deprecation warning only when using direct rules
Previously, the firewalld service used the deprecated ipset kernel module when it was not necessary. Consequently, RHEL logged the module's deprecation warning, which could be misleading because the ipset feature of firewalld is not deprecated. With this update, firewalld only uses the deprecated ipset module and logs the warning if the user explicitly uses ipsets with the --direct option.
The HNV interface now displays the options after reboot
Previously, the nmcli utility created a Hybrid Network Virtualization (HNV) bond by using the NetworkManager API. Consequently, after a reboot, the HNV bond lost the primary port setting. With this fix, nmcli now uses hcnmgr to set bonding options for the primary port. The hcnmgr utility supports migration of live partitions with Single Root Input/Output Virtualization (SR-IOV) for hybrid networks. As a result, the HNV bond interface displays the active slave/primary_reselect option after reboot.
Bugzilla:2125152
8.7. Kernel
FADump enabled with Secure Boot works correctly
Previously, when Firmware Assisted Dump (FADump) was enabled in the Secure Boot environment and any of the booting components exceeded the allocated memory region, system reboots caused a GRUB Out of Memory (OOM) state. This update provides a fix in kexec-tools so that Secure Boot and FADump work together correctly.
Bugzilla:2139000
8.8. Boot loader
grubby now passes arguments to a new kernel correctly
When you add a new kernel using the grubby tool and do not specify any arguments, or leave the arguments blank, grubby will not pass any arguments to the new kernel and root will not be set. Using the --args and --copy-default options ensures new arguments are appended to the default arguments.
RHEL installation now succeeds even when PReP is not 4 or 8 MiB in size
Previously, the RHEL installer could not install the boot loader if the PowerPC Reference Platform (PReP) partition was of a different size than 4 MiB or 8 MiB on a disk that used 4 kiB sectors. As a consequence, you could not install RHEL on the disk.
With this release, the problem has been fixed. As a result, the installer can now install RHEL on the disk as expected.
Bugzilla:2026579
8.9. File systems and storage
The installer now creates LUKSv2 devices with a sector size of 512 bytes
Previously, the RHEL installer created LUKSv2 devices with 4096-byte sectors if the disk had 4096-byte physical sectors. With this update, the installer now creates LUKSv2 devices with a sector size of 512 bytes to offer better disk compatibility with different physical sector sizes used together in one LVM volume group, even when the LVM physical volumes are encrypted.
supported_speeds sysfs attribute reports correct speed values
Previously, because of an incorrect definition in the qla2xxx driver, the supported_speeds sysfs attribute for the HBA reported 20 Gb/s speed instead of the expected 64 Gb/s speed. Consequently, if the HBA supported 64 Gb/s link speed, the supported_speeds sysfs value was incorrect, which affected the reported speed value.
With this update, the supported_speeds sysfs attribute for HBA reports the correct speed values, which are 16 Gb/s, 32 Gb/s, and 64 Gb/s. You can view the speed values by executing the cat /sys/class/fc_host/host*/supported_speeds command.
Bugzilla:2069758
The lpfc driver is in a valid state during the D_ID port swap
Previously, the SAN Boot host, after issuing the NetApp giveback operation, resulted in LVM hung task warnings and stalled I/O. This problem occurred even when alternate paths were available in a DM-Multipath environment due to the fiber channel D_ID port swap. As a consequence of the race condition, the D_ID port swap resulted in an inconsistent state in the lpfc driver, which prevented I/O from being issued.
With this fix, the lpfc driver now ensures a valid state when the D_ID port swap occurs. As a result, a fiber channel D_ID port swap does not cause hung I/O.
Bugzilla:2173947
8.10. High availability and clusters
pcs no longer allows you to modify cluster properties that should not be changed
Previously, the pcs command line interface allowed you to modify cluster properties that should not be changed or for which change does not take effect. With this fix, pcs no longer allows you to modify these cluster properties: cluster-infrastructure, cluster-name, dc-version, have-watchdog, and last-lrm-refresh.
pcs now displays cluster properties that are not explicitly configured
Previously, a pcs command to display the value of a specific cluster property did not list values that are not explicitly configured in the CIB. With this fix, if a cluster property is not set, pcs displays the default value for the property.
Cluster resources that call crm_mon now stop cleanly at shutdown
Previously, the crm_mon utility returned a nonzero exit status while Pacemaker was in the process of shutting down. Resource agents that called crm_mon in their monitor action, such as ocf:heartbeat:pgsql, could incorrectly return a failure at cluster shutdown. With this fix, crm_mon returns success even if the cluster is in the process of shutting down. Resources that call crm_mon now stop cleanly at cluster shutdown.
OCF resource agent metadata actions can now call crm_node without causing unexpected fencing
As of RHEL 8.5, OCF resource agent metadata actions blocked the controller and crm_node queries performed controller requests. As a result, if an agent's metadata action called crm_node, it blocked the controller for 30 seconds until the action timed out. This could cause other actions to fail and the node to be fenced.
With this fix, the controller now performs metadata actions asynchronously. An OCF resource agent metadata action can now call crm_node without issue.
Pacemaker now rechecks resource assignments immediately when resource order changes
As of RHEL 8.7, Pacemaker did not recheck resource assignments when the order of resources in the CIB changed with no changes to the resource definition. If configuration reordering would cause resources to move, that would not take place until the next natural transition, up to the value of the cluster-recheck-interval property. This could cause issues if resource stickiness is not configured for a resource.
With this change, Pacemaker rechecks resource assignments when the order of the resources in the CIB changes, as it did for earlier Pacemaker releases. The cluster now responds immediately to these changes, if needed.
Enabling a single resource and monitoring operation no longer enables monitoring operations for all resources in a resource group
Previously, after unmanaging all resources and monitoring operations in a resource group, managing one of the resources in that group along with its monitoring operation re-enabled the monitoring operations for all resources in the resource group. This could trigger unexpected cluster behavior.
With this fix, managing a resource and re-enabling its monitoring operation re-enables the monitoring operation for that resource only and not for the other resources in a resource group.
8.11. Compilers and development tools
DNS lookup can now succeed even when some CNAME records are invalid
Previously, the glibc DNS stub resolver treated CNAME records with owner names that are not host names as DNS packet errors. Consequently, the DNS query failed because of the DNS packet errors. With this update, the glibc stub resolver now skips invalid CNAME records and the corresponding alias information is not extracted. Therefore, DNS lookups can now succeed even if the server response includes a CNAME chain that contains a domain name that is not a host name.
golang now supports 4096 bit keys in x509 FIPS mode
Previously, golang did not support 4096 bit keys in x509 FIPS mode. Consequently, when the user used 4096 bit keys, the program crashed. With this update, golang now supports 4096 bit keys in x509 FIPS mode.
You can install SciPy using pip on all architectures
Previously, the openblas-devel package did not contain a pkg-config file for the OpenBLAS library. As a consequence, in certain scenarios, it was impossible to determine the compiler and linker flags using the pkgconf utility while compiling with OpenBLAS. For example, this caused a failure of the pip install scipy command on the 64-bit IBM Z and IBM Power Systems, Little Endian architectures.
This update adds the openblas.pc file to the openblas-devel package on all supported architectures. As a result, you can install the SciPy library using the pip package installer.
Note that in RHEL 9, it is recommended to build your applications against the flexiblas-devel package and link your projects to the FlexiBLAS wrapper library.
Bugzilla:2115737
The tzset function in glibc now sets the daylight variable to a non-zero value if there is any DST rule in the TZ data
Previously, the tzset function in glibc would set the daylight variable to 0 if the last DST transition in the time zone data file did not result in a clock change due to a simultaneous change in the standard time offset. Consequently, when applications used the daylight variable to check if DST was ever active, they did not get the right result and performed incorrect actions based on this information. To fix this, the tzset function now sets the daylight variable to a non-zero value if there is any DST rule in the time zone data, regardless of offset. As a result, applications now observe the presence of DST rules regardless of offset changes.
OpenJDK RSAPSSSignature implementation now validates RSA keys before using them
Previously, the RSAPSSSignature implementation in OpenJDK did not fully check if given RSA keys could be used by the SunRSASign provider before attempting to use them, which would result in errors when using custom security providers. The bug is now fixed and, as a result, the RSAPSSSignature implementation now validates RSA keys and allows other providers to handle these keys when it cannot.
The OpenJDK XML signature provider is now functional in FIPS mode
Previously, the OpenJDK XML signature provider was unable to operate in FIPS mode. As a result of enhancements to FIPS mode support, the OpenJDK XML signature provider is now enabled in FIPS mode.
OpenJDK in FIPS mode no longer experiences unexpected errors with certain PKCS#11 tokens
Previously, some PKCS#11 tokens were not fully initialized before use by OpenJDK in FIPS mode resulting in unexpected errors. With this upgrade, these errors are now expected and handled by the FIPS support code.
8.12. Identity Management
Authentication to external IdPs that require a client secret is now possible
Previously, SSSD did not properly pass client secrets to external identity providers (IdPs). Consequently, authentication failed against external IdPs that you previously configured with the ipa idp-add --secret command to require a client secret. With this update, SSSD passes the client secret to the IdP and users can authenticate.
Jira:RHELPLAN-148303
IdM now supports setting hostmasks for sudo rules using Ansible
Previously, the ipa sudorule-add-host command allowed setting a hostmask to be used by the sudo rule, but this option was not present in the ansible-freeipa package. With this update, you can now use the ansible-freeipa hostmask variable to define a list of hostmasks to which a particular sudo rule, defined in Identity Management (IdM), applies.
As a result, you can now automate setting host masks for IdM sudo rules with Ansible.
The dscreate utility now works correctly when it uses a custom path with the db_dir parameter
Previously, an instance that used custom directory paths failed to start because the custom directories had a wrong SELinux label. As a consequence, SELinux denied access to these directories and the instance was not created. With this release, the dscreate utility sets correct SELinux labels for the custom instance directories.
A password change for the Directory Server replication manager account now works correctly
Previously, after a password change, Directory Server did not properly update the password cache for the replication agreement. As a consequence, when you changed the password for the replication manager account, the replication failed. With this update, Directory Server updates the cache properly and, as a result, the replication works as expected.
The IdM client installer no longer specifies the TLS CA configuration in the ldap.conf file
Previously, the IdM client installer specified the TLS CA configuration in the ldap.conf file. With this update, OpenLDAP uses the default trust store and the IdM client installer does not set up the TLS CA configuration in the ldap.conf file.
IdM clients correctly retrieve information for trusted AD users when their names contain mixed case characters
Previously, if you attempted a user lookup or authentication of a trusted Active Directory (AD) user whose name contained mixed case characters and who was configured with overrides in IdM, an error was returned, preventing users from accessing IdM resources.
With the release of RHBA-2023:4359, the case-sensitive comparison is replaced with a case-insensitive comparison that ignores the case of a character. As a result, IdM clients can now look up users of an AD trusted domain, even if their usernames contain mixed case characters and they are configured with overrides in IdM.
Jira:SSSD-6096
8.13. Graphics infrastructures
Matrox G200e now shows output on a VGA display
Previously, your display might have shown no graphical output if you used the following system configuration:
- The Matrox G200e GPU
- A display connected over the VGA controller
As a consequence, you could not use or install RHEL on this configuration.
With this release, the problem has been fixed. As a result, RHEL boots and shows graphical output as expected.
Bugzilla:1960467
8.14. The web console
The web console NBDE binding steps now work also on volume groups with a root file system
In RHEL 9.2.0, due to a bug in the code for determining whether or not the user was adding a Tang key to the root file system, the binding process in the web console crashed when there was no file system on the LUKS container at all. Because the web console displayed the error message TypeError: Qe(…) is undefined after you had clicked the Trust key button in the Verify key dialog, you had to perform all the required steps in the command-line interface in the described scenario.
With the release of the RHBA-2023:4346 advisory, the web console correctly handles additions of Tang keys to root file systems. As a result, the web console finishes all binding steps required for the automated unlocking of LUKS-encrypted volumes using Network-Bound Disk Encryption (NBDE) in various scenarios.
8.15. Red Hat Enterprise Linux system roles
The nbde_client system role now correctly handles different names of clevis-luks-askpass
The nbde_client system role has been updated to handle systems on which the clevis-luks-askpass systemd unit has a different name. The role now correctly works with different names of clevis-luks-askpass on managed nodes, which is required to also unlock LUKS-encrypted volumes that are mounted late in the boot process.
The ha_cluster system role logs no longer display unencrypted passwords and secrets
The ha_cluster system role accepts parameters that can be passwords or other secrets. Previously, some of the tasks logged their inputs and outputs. As a result, the role logs could contain unencrypted passwords and other secrets.
With this update, the tasks have been changed to use the Ansible no_log: true directive, and the task output is no longer displayed in the role logs. The ha_cluster system role logs no longer contain passwords and other secrets. While this update protects sensitive information, the role logs now provide less information that you can use when debugging your configuration.
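The following playbook is an added illustration of the no_log: true directive described above; it is not a task from the ha_cluster system role itself. The variable name cluster_password and its value are constructed for the example and are not a real secret.

```yaml
# Added example: how no_log changes what reaches the play output and log files.
# Run with: ansible-playbook no_log_demo.yml
- name: Show how no_log hides task inputs and outputs
  hosts: localhost
  gather_facts: false
  vars:
    cluster_password: "CONSTRUCTED-EXAMPLE-ONLY"   # placeholder, not a real secret
  tasks:
    # Weak: the rendered argument, and therefore the secret, appears in the
    # play output, in -v output, and in any log file configured with log_path.
    - name: Task that leaks the secret into the log
      ansible.builtin.debug:
        msg: "hacluster password is {{ cluster_password }}"

    # Corrected: with no_log: true, Ansible replaces the task's arguments and
    # result with a notice that output was hidden. A failure still fails the
    # play; only the details (including error text) are suppressed.
    - name: Same task with no_log
      ansible.builtin.debug:
        msg: "hacluster password is {{ cluster_password }}"
      no_log: true
```

Two caveats a practitioner should keep in mind: no_log applies per task, so a later task that prints the same variable will still expose it, and because error details are suppressed as well, temporarily removing no_log is the usual way to debug a failing task before restoring it.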
Clusters configured with the ha_cluster system role to use SBD and not start on boot now work correctly
Previously, if a user configured a cluster using the ha_cluster system role to use SBD and not start on boot, then the SBD service was disabled and SBD did not start. With this fix, the SBD service is always enabled if a cluster is set to use SBD, whether or not the cluster is configured to start on boot.
Enabling the implicit files provider to fix the cockpit-session-recording SSSD configuration
A disabled SSSD implicit files provider caused the cockpit-session-recording modules to create an invalid System Security Services Daemon (SSSD) configuration. This update unconditionally enables the files provider, and as a result, the SSSD configuration created by cockpit-session-recording now works as expected.
The nbde_client_clevis role no longer reports a traceback to users
Previously, the nbde_client_clevis role sometimes failed with an exception, causing a traceback and reporting sensitive data, such as the encryption_password field, back to the user. With this update, the role no longer reports sensitive data, only the appropriate error messages.
Bugzilla:2162782
Setting the stonith-watchdog-timeout property with the ha_cluster system role now works in a stopped cluster
Previously, when you set the stonith-watchdog-timeout property with the ha_cluster system role in a stopped cluster, the property reverted to its previous value and the role failed. With this fix, configuring the stonith-watchdog-timeout property by using the ha_cluster system role works properly.
Network traffic is now directed through the intended network interface when using initscripts with the networking RHEL system role
Previously, when using the initscripts provider, the routing configuration for network connections did not specify the output device that the traffic should go through. Consequently, the kernel could use a different output device than the user intended. Now, if the network interface name is specified in the playbook for the connection, it is used as the output device in the route configuration file. This aligns the behavior with NetworkManager, which configures the output device in routes when activating profiles on devices. As a result, users can ensure that the traffic is directed through the intended network interface.
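The following playbook is an added example of the scenario described above, not a playbook from the release notes or from the networking role's own documentation. It assumes the rhel-system-roles.network role is installed on the control node; the host name, interface name, and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed documentation values.

```yaml
# Added example: a static route on a connection managed with the initscripts
# provider. Because interface_name is set, the fix described above uses it as
# the output device of the route instead of leaving the choice to the kernel.
- name: Route bound to an explicit output device with the initscripts provider
  hosts: managed-node.example.com        # assumed inventory host name
  become: true
  vars:
    network_provider: initscripts
    network_connections:
      - name: eth0
        type: ethernet
        interface_name: eth0             # becomes the route's output device
        state: up
        ip:
          dhcp4: false
          address:
            - 192.0.2.10/24              # constructed address
          route:
            - network: 198.51.100.0      # constructed destination network
              prefix: 24
              gateway: 192.0.2.1
              metric: 100
  roles:
    - rhel-system-roles.network
```

After the play runs, the route file that the initscripts provider writes for eth0 should carry the destination, gateway, and the device eth0, and "ip route show" on the managed node should list the route with "dev eth0". If a route appears with a different device, the connection is missing interface_name, which is the condition the fix depends on.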
The selinux role now manages policy modules idempotently
Previously, the selinux role copied an existing module to the managed node every time, reporting a change even when the module was already present. With this update, the selinux role checks whether the module has been installed on the managed node, and does not attempt to copy and install the module if it is already installed.
The rhc system role no longer fails on registered systems when rhc_auth contains activation keys
Previously, a failure occurred when you executed playbook files on registered systems with an activation key specified in the rhc_auth parameter. This issue has been resolved. It is now possible to execute playbook files on already registered systems, even when activation keys are provided in the rhc_auth parameter.
8.16. Virtualization
System time on nested VMs now works reliably
Previously, system time on nested virtual machines (VMs) in some cases desynchronised from the Level 0 and level 1 hosts. This also sometimes caused the nested VM to become unresponsive or terminate unexpectedly.
With this update, the time handling code in the KVM host kernel code has been fixed, which prevents the described errors from occurring.
Bugzilla:2140899
VMs on IBM Z no longer fail to start when using memfd memory backing
Previously, on IBM Z hosts, virtual machines (VMs) failed to boot if they were configured to use the memfd type of hugepage memory backing, for example as follows:
<memoryBacking> <hugepages/> <source type='memfd'/> </memoryBacking>
With this update, the underlying cause has been fixed, and the affected VMs now start correctly.
VNC can now reliably connect to UEFI VMs after migration
Previously, if you enabled or disabled a message queue while migrating a virtual machine (VM), the Virtual Network Computing (VNC) client failed to connect to the VM after the migration was complete.
This problem affected only UEFI-based VMs that used the Open Virtual Machine Firmware (OVMF).
The problem has been fixed, and the VNC client now reliably connects to UEFI VMs after the migration is complete.
Jira:RHELPLAN-135600
The installer shows the expected system disk to install RHEL on a VM
Previously, when installing RHEL on a VM using virtio-scsi devices, it was possible that these devices did not appear in the installer because of a device-mapper-multipath bug. Consequently, during installation, if some devices had a serial set and some did not, the multipath command claimed all the devices that had a serial. Due to this, the installer was unable to find the expected system disk to install RHEL in the VM.
With this update, multipath correctly sets the devices with no serial as having no World Wide Identifier (WWID) and ignores them. On installation, multipath only claims devices that multipathd uses to bind a multipath device, and the installer shows the expected system disk to install RHEL in the VM.
Bugzilla:1926147