Chapter 10. Known issues

Unable to build ISOs from a signed container

Trying to build an ISO disk image from a GPG or a simple signed container results in an error, similar to the following:

Hostname resolution fails with encrypted DNS and custom CA in boot options

While using the inst.repo= or inst.stage2= boot options in the kernel command line along with a remote installation URL, an encrypted DNS, and a custom CA certificate in the kickstart file, the installer attempts to download the install.img stage2 image before processing the kickstart file. Consequently, the hostname resolution fails, leading to display of some errors before successfully fetching the stage2 image. Workaround: Define the installation source in the kickstart file instead of the kernel command line.

Installer becomes unresponsive during final RPM installation stage

An installer may become unresponsive during the RPM installation process at the final stage. Before the issue occurs, you may see the repeated Configuring rootfiles.noarch messages. Workaround: Restart the installation process.

Disabled keyboard layout switching by using shortcut during installation

To prevent confusion caused by a broken keyboard shortcut to change keyboard layout, this feature has been disabled in Anaconda. You cannot change keyboard layouts by using shortcuts during installation. Workaround: Use the keyboard layout icon on the top bar to switch layouts.

Bonding device with LACP takes longer to become operational, causing subscription failures

When configuring a bonding device with LACP by using both kernel command-line boot options and a Kickstart file, the connection is created during the initramfs stage but reactivated in Anaconda. As a consequence, it causes a temporary disruption that leads to system subscription failure via the rhsm Kickstart command.

The services Kickstart command fails to disable the firewalld service

A bug in Anaconda prevents the services --disabled=firewalld command from disabling the firewalld service in Kickstart. Workaround: Use the firewall --disabled command instead. As a result, the firewalld service is disabled properly.

Installation program fails if /boot partition is not created when using ostreecontainer

When using the ostreecontainer Kickstart command to install a bootable container, the installation fails if the /boot partition is not created. This issue occurs because the installation program requires a dedicated /boot partition to proceed with the container deployment.

Kickstart installation fails with an unknown disk error when 'ignoredisk' command precedes 'iscsi' command

Installing RHEL by using the kickstart method fails if the ignoredisk command is placed before the iscsi command. This issue occurs because the iscsi command attaches the specified iSCSI device during command parsing, while the ignoredisk command resolves device specifications simultaneously. If the ignoredisk command references an iSCSI device name before it is attached by the iscsi command, the installation fails with an "unknown disk" error.

The USB CD-ROM drive is not available as an installation source in Anaconda

Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda cannot find and use this source disk.

Driver disk menu fails to display user inputs on the console

When you start RHEL installation using the inst.dd option on the kernel command line with a driver disk, the console fails to display the user input. Consequently, it appears that the application does not respond to the user input and stops responding, but displays the output which is confusing for users. However, this behavior does not affect the functionality, and user input gets registered after pressing Enter.

Anaconda may not work correctly on s390x and ppc64le architectures

Image mode for RHEL supports pp64le and s390x architectures besides the already supported x86_64 and ARM architectures. However, Anaconda may not function correctly on s390x and ppc64le architectures.

Anaconda installer appears as unresponsive in the rescue mode

When booting into a rescue mode and selecting the Continue or Skip to shell options, you might experience an issue where the Anaconda installer appears to be frozen. Despite the lack of visible response, the installer is still functional and reacting to your inputs; however, the prompt does not display on the screen, leading to confusion.

SELinux policy rules for four libvirt services temporarily changed into permissive mode

Previously, the SELinux policy was changed to reflect the replacement of the legacy monolithic libvirtd daemon with a new set of modular daemons. Because this change requires testing of a lot of scenarios, the following services have been temporarily changed into SELinux permissive mode:

Cryptographic tokens do not work in FIPS mode with pkcs11-provider

When the system runs in FIPS mode, the pkcs11-provider OpenSSL provider does not work correctly and the OpenSSL TLS toolkit falls back to the default provider. Consequently, OpenSSL fails to load PKCS #11 keys, and cryptographic tokens do not work in this scenario.

pass:uname command produces an unknown output

The uname command displays unknown output with flags pass:--hardware-platform and pass:--processor. In the previous RHEL versions, pass:uname -i and pass:uname -p were aliases for pass:uname -m and are not portable even across GNU/Linux distributions.

Nginx does not support PKCS #11 and TPM

The OpenSSL engines API was deprecated in RHEL 9 and removed from Nginx in RHEL 10. The corresponding functionality using the current OpenSSL providers API is not yet available. As a consequence, the Nginx HTTP server does not work with hardware security modules (HSMs) through PKCS #11 and Trusted Platform Module (TPM) devices.

Using the incorrect Perl database driver for MariaDB and MySQL can lead to unexpected results

The MariaDB database is a fork of MySQL. Over time, these services developed independently and are no longer fully compatible. These differences also affect the Perl database drivers. Consequently, if you use the DBD::mysql driver in a Perl application to connect to a MariaDB database, or the DBD::MariaDB driver to connect to a MySQL database, operations can lead to unexpected results. For example, the driver can return incorrect data from read operations. To avoid such problems, use the Perl driver in your application that matches the database service.

VMware vCenter cannot correctly remove a SATA disk from a running RHEL VM

When using the VMWare vCenter interface to remove a SATA disk from a running RHEL 10 guest on the VMware ESXi hypervisor, the disk currently does not get removed fully. It stops being functional and disappears from the guest in the vCenter inteface, but the SCSI interface still detects the disk as attached in the guest. 

The wpa_supplicant service no longer relies on the OpenSSL Engine API

In RHEL 10, engines are not compatible according to Federal Information Processing Standards (FIPS) therefore the corresponding OpenSSL Engine API has been removed. Consequently, the dependent wpa_supplicant service cannot load X509 certificates and keys that are stored in PKCS11 URI format. As a result, any EAP-TLS authentication method and variants using PKCS11 will not be able to connect to the relevant network anymore.

The kernel can panic if you reduce the number of SR-IOV VFs at runtime

If all of the following conditions apply, the Linux kernel can panic:

crashkernel boot parameter does not load in rhel-guest-image

Presently, RHEL cloud image built by osbuild misses the crashkernel kernel parameter. As a result, kdump.service fails to start.

The kdump service fails during boot

After the installation of registry.redhat.io/rhel9/rhel-bootc container image to a physical system, the kdump.service fails.

Reverse Mapping B+Tree (rmapbt) performance impact

By default, the XFS file system enables the rmapbt feature, which has potential performance regressions in write-heavy workloads with small block sizes. Evaluate performance-sensitive applications carefully, particularly those that heavily rely on writing small data blocks.

Inconsistent NVMe device names after reboot

A new kernel feature that enables asynchronous NVMe namespace scans is introduced in RHEL 10, to accelerate NVMe disk detection. As a consequence of the asynchronous scans, the /dev/nvmeXnY device files might point to different namespaces after each reboot. This can lead to inconsistent device names. At this time, there is no known workaround for this issue.

ACL roles should not reference location constraints with two rules

In Red Hat Enterprise Linux 10, more than one top-level rule in a location constraint is not supported. When upgrading from RHEL 9 to RHEL 10, verify that any ACL roles you have configured do not reference a location constraint with two rules and are still valid.

The new version of TBB is incompatible

RHEL 10 includes the Threading Building Blocks (TBB) library version 2021.11.0, which is incompatible with the versions distributed with previous releases of RHEL. You must rebuild applications that use TBB to make them run on RHEL 10.

IdM in FIPS mode does not support using the NTLMSSP protocol to establish a two-way cross-forest trust

Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the RC4 NTLM hash that the AD domain controller uses when attempting to authenticate.

Installing a RHEL 7 IdM client with a RHEL 10 IdM server in FIPS mode fails due to EMS enforcement

The TLS Extended Master Secret (EMS) extension (RFC 7627) is now mandatory for TLS 1.2 connections on FIPS-enabled RHEL 10 systems. This is in accordance with FIPS-140-3 requirements. However, the openssl version available in RHEL 7.9 and lower does not support EMS. In consequence, installing a RHEL 7 Identity Management (IdM) client with a FIPS-enabled IdM server running on RHEL 10 fails.

DNSSEC not working correctly in RHEL IdM

The DNS Security Extensions (DNSSEC) do not function correctly in Identity Management (IdM) in RHEL 10.0 because of multiple unresolved issues stemming from the replacement of the openssl-pkcs11 OpenSSL engine with the pkcs11-provider OpenSSL provider.

Automatic host keytab renewal via adcli run by SSSD is failing

In direct SSSD-AD integration, SSSD checks daily if the machine account password is older than the configured age in days and, if needed, tries to renew it. The configured age is set by the ad_maximum_machine_account_password_age value, with a default of 30 days. A value of 0 disables the renewal attempt.

dsctl healthcheck can report a wrong database type

If you created an instance with the Lightning Memory-Mapped Database Manager (LMDB) database type, running the dsctl healthcheck command can result in one of the following error messages, because Directory Server checks a wrong configuration parameter:

An error message is displayed during migration from BDB to LMDB

When you run the dsctl dblib bdb2mdb command to migrate from Berkeley Database (BDB) to Lightning Memory-Mapped Database Manager (LMDB) and you have not enabled the replication, the following error message is displayed in the output:

ldapmodify does not delete a single specific value from any attribute in cn=config

Currently, when you try to delete a value from any attribute in cn=config, the value remains in the attribute and the server may require a restart to fully remove it.

SSSD retrieves incomplete list of members if the group size exceeds 1500 members

During the integration of SSSD with Active Directory, SSSD retrieves incomplete group member lists when the group size exceeds 1500 members. This issue occurs because Active Directory’s MaxValRange policy, which restricts the number of members retrievable in a single query, is set to 1500 by default.

Standard mouse cursor is offset in VMs when using Mutter

When you use a standard mouse within a virtual machine (VM) configuration in the Mutter compositing window manager, you might notice an offset between the physical mouse cursor and the actual pointer within the virtual environment. The actual pointer might not even be visible in the virtual environment.

Standard mouse cursor is offset in VMs when using Mutter

When you use a standard mouse within a virtual machine (VM) configuration in the Mutter compositing window manager, you might notice an offset between the physical mouse cursor and the actual pointer within the virtual environment. The actual pointer might not even be visible in the virtual environment.

VNC console in the RHEL web console does not work correctly on ARM64

Currently, when you import a virtual machine (VM) in the RHEL web console on ARM64 architecture and then you try to interact with it in the VNC console, the console does not react to your input.

ansible-core does not install sshpass as a dependency

The ansible-core package does not install the sshpass package as a dependency. Consequently, you can not use Ansible to manage systems over SSH with an SSH password.

Installing the VirtIO-Win bundle cannot be canceled

Currently, if you start the installation of virtio-win drivers from the VirtIO-Win installer bundle in a Windows guest operating system, clicking the Cancel button during the installation does not correctly abort it. The installer wizard interface displays a "Setup Failed" screen, but the drivers are installed and the IP address of the guest is reset.

Secure Execution VMs cannot boot with file-backed memory backing

If you configure a virtual machines (VMs) with enabled Secure Execution to use file-backed memory backing, the VM currently fails to boot, and instead displays a Protected boot has failed error.

VMs sending discard I/O requests might pause when discard_granularity is not configured

The host kernel fails misaligned discard I/O requests and QEMU uses the werror= policy parameter to respond to such failures. When werror is set to stop: werror=stop,  a failed discard request causes the virtual machine (VM) to pause. This is usually undesirable because there is no way to correct this situation and resume the VM again.

The --migrate-disks-detect-zeroes option might not work for VM migration

Currently, when migrating virtual machines (VMs) on RHEL 10, the --migrate-disks-detect-zeroes option might not work and the migration might proceed without zeroed block detection on the specified disk. This problem is caused by a bug in QEMU where mirroring jobs had been relying on punching holes, which results in a sparse destination file.

A virtual machine with a large amount of bootable data disks might fail to start

If you attempt to start a virtual machine (VM) with a large amount of bootable data disks, the VM might fail to boot with this error: Something has gone seriously wrong: import_mok_state() failed: Volume Full

Too many open files in a virtiofs shared directory can crash the vrtiofsd process

When accessing a virtiofs shared directory with a large amount of open files from a virtual machine (VM), the operation might fail with the following error: Too many open files and the virtiofsd process might crash.

VMs with large memory cannot boot on SEV-SNP host with AMD Genoa CPUs

Currently, virtual machines (VMs) cannot boot on hosts that use a 4th Generation AMD EPYC processor (also known as Genoa) and have the AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) feature enabled. Instead of booting, a kernel panic occurs in the VM.

The virtio balloon driver sometimes does not work on Windows 10 and Windows 11 VMs

Under certain circumstances, the virtio-balloon driver does not work correctly on virtual machines (VMs) that use a Windows 10 or Windows 11 guest operating system. As a consequence, such VMs might not use their assigned memory efficiently.

Windows 11 VMs with a memory balloon device set might close unexpectedly during reboot

Currently, rebooting virtual machines (VMs) that use a Windows 11 guest operating system and a memory balloon device in some cases fails with a DRIVER POWER STAT FAILURE blue-screen error.

Windows VM with VBS and IOMMU device fails to boot

When you boot a Windows VM with Virtualization Based Security (VBS) enabled and an Input-Output Memory Management Unit (IOMMU) device by using the qemu-kvm utility, the booting sequence only shows the boot screen, resulting in an incomplete booting process.

Windows VM running on Sapphire Rapids CPU with hypervisor launch type set to auto might fail to boot when restarted

If you set the hypervisor launch type to auto in a Windows virtual machine (VM) running on a Sapphire Rapids CPU, the VM might fail to boot when it is restarted. For example, you can set the hypervisor launch type to auto by using the bcdedit /set hypervisorlaunchtype Auto command.

Hot-plugging vCPUs and memory to Windows guests with VBS does not work

Currently, Windows Virtualization-based Security (VBS) is not compatible with hot-plugging CPU and memory resources. As a consequence, attempting to attach memory or vCPUs to a running Windows virtual machine (VM) with VBS enabled only adds the resources to the VM after the guest system is restarted. 

RDMA devices currently do not work on vSphere

When using a RHEL 10 instance on the VMware vSphere platform, the vmw_pvrdma module currently does not install properly. As a consequence, VMware paravirtual remote direct memory access (PVRDMA) devices do not work on the affected instances.

The leapp upgrade fails when upgrading from RHEL 9.6 to RHEL 10.0 for the cloud-init network configuration

If you deploy RHEL 9.6 with the cloud-init default configuration and with sysconfig as the default network configuration directory, the sysconfig configuration files do not support the ifcfg legacy format for RHEL 10.0. Consequently, the leapp upgrade fails when upgrading from RHEL 9.6 to RHEL 10.0 for the legacy network configuration files, such as ifcfg-<enp1s0>.

Upgrading a RHEL 9.6 guest on VMware ESXi to RHEL 10.0 causes cloud-init to rewrite the network configuration

After a upgrading a RHEL guest on the VMware ESXi hypervisor from RHEL 9.6 to RHEL 10.0, the cloud-init tool currently cannot detect the VMware data source and cannot restore its configuration from the cache. As a consequence, cloud-init reverts to the None data source, and rewrites the network configuration of the guest.

Nested VM with KVM virtualization and OVMF fails to boot on Azure or Hyper-V when using AMD EPYC processor

A nested VM with Open Virtual Machine Firmware (OVMF) fails to boot when run on a RHEL VM with KVM virtualization enabled in the Azure cloud or Hyper-V using the AMD EPYC processor. The VM fails to boot up with following log message:

BIOS or UEFI supported Hyper-V Windows Server 2016 VM fails to boot if a host uses the AMD EPYC CPU processor

With the Hyper-V enabled setting, Hyper-V Windows Server 2016 VM fails to boot on the AMD EPYC CPU host.

Podman and bootc do not share the same registry login process

Podman and bootc use different registry login processes when pulling images. As a consequence, if you login to an image by using Podman, logging to a registry for bootc will not work on that image. When you install an image mode for RHEL system, and login to registry.redhat.io by using the following command:

cloud-init growpart skips with composefs is enabled

When composefs is enabled, if you generate an image from the generic base image, then the rootfs will note grow the filesystem, prompting an error similar to:

FIPS bootc image creation fails on FIPS enabled host

Building a disk image on a host by using Podman with enabled the FIPS mode fails with the exit code 3 because of the update-crypto-policies package:

Insufficient disk space can cause deployment failure

Deploying a bootc container image on a package mode system without enough free disk space can result in installation errors and prevent the system from booting. Ensure adequate disk space is available for the image to install and adjust the provision logical volume before deployment.

RHEL images on Azure marked as LVM require default layout resizing

When using system-reinstall-bootc or bootc install on Azure, RHEL images marked as LVM will require resizing the default layout.

Configuration file changes are not applied immediately

When making changes in the etc/xdg/command-line-assistant/config.toml configuration file, it takes around 30 to 60 seconds for the command line assistant daemon to recognize the changes, instead of applying the changes immediately. The command line assistant is also missing the reload functionality.