5.3 Release Notes
Red Hat Enterprise Linux 5
Release Notes for all architectures.
Abstract
This document details the Release Notes for Red Hat Enterprise Linux 5.3.
1. Release Notes Updates
This section contains information about Red Hat Enterprise Linux 5.3 that did not make it into the Release Notes included in the distribution.
1.1. Feature Updates
- audit Update
- The audit packages contain user-space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel.These updated packages upgrade the auditd daemon and its utilities to the newer upstream version 1.7.7, which provides the following enhancements over the previous version:
- the auditctl program, which is used to control the behavior of the audit subsystem, now supports multiple keys in the audit rules.
- a new utility, ausyscall, which is used to cross-reference syscall name and number information, is now provided in these updated packages.
- the aureport program has been enhanced to provide reports about keys it sees in audit events.
- event log parsing for the ausearch and aureport programs has been improved.
- a sample STIG rules file, named "stig.rules", is newly provided in these updated packages. This file contains the auditctl rules which are loaded whenever the audit daemon is started by init scripts.
In addition to the listed enhancements, these updated audit packages also include a new feature to allow a server to aggregate the logs of remote systems. The following instructions can be followed to enable this feature:- The audispd-plugins package should be installed on all clients (but need not be installed on the server), and the parameters for "remote_server" and "port" should be set in the /etc/audisp/audisp-remote.conf configuration file.
- On the server, which aggregates the logs, the "tcp_listen_port" parameter in the /etc/audit/auditd.conf file must be set to the same port number as the clients.
- Because the auditd daemon is protected by SELinux, semanage (the SELinux policy management tool) must also have the same port listed in its database. If the server and client machines had all been configured to use port 1000, for example, then running this command would accomplish this:
semanage port -a -t audit_port_t -p tcp 1000
- The final step in configuring remote log aggregation is to edit the /etc/hosts.allow configuration file to inform tcp_wrappers which machines or subnets the auditd daemon should allow connections from.
- wpa_supplicant re-base
- wpa_supplicant has been re-based to the latest upstream stable version 0.5.10 and include backported fixes for a number of issues that may affect users of wireless drivers that depend on the kernel's mac80211 wireless stack. Specific fixes and enhancements include:
- Support for a D-Bus control interface has been added. D-Bus is a popular lightweight Inter-Process Communication mechanism, and the addition of this control interface to wpa_supplicant allows applications (like NetworkManager) to more reliably control the supplicant.
- Cisco Aironet 340/350 wireless cards were not able to successfully connect to 802.1x-enabled wireless networks, often used in security sensitive organizations. During the connection process at the 4-Way WPA handshake stage, sending encryption keys to the driver would clear the wireless card firmware's authentication state. With this update, the supplicant uses an alternate method of supplying encryption keys to the kernel driver, allowing authentication state to be preserved in the Aironet firmware and 802.1x connections to succeed.
- Kernel drivers utilizing the new mac80211 wireless stack were sometimes unable to connect to wireless networks, either failing to find the requested network, or prematurely ending communication with the wireless access point during the connection process. Some drivers were prone to reporting multiple disconnection events during the association process, confusing the supplicant and causing long timeouts. The supplicant also did not sufficiently instruct the driver to disconnect when switching access points. This update fixes these issues and, in conjunction with kernel driver updates, allow more wireless hardware to successfully connect to wireless networks.
- NetworkManager re-base
- NetworkManager has been updated to version 0.7.0. This update provides the following fixes and enhancements:
- NetworkManager would not display a LEAP password, even when the user selected the "show password" option. This has been fixed through a rebase to NetworkManager 0.7.
- During the beta phase, a version of NetworkManager was unable to automatically start network interfaces for which "ONBOOT=no" was present in the ifcfg file. NetworkManager now ignores this value unless "NM_RESPECT_ONBOOT=yes" is also present.
- a NetworkManager plug-in was named for its upstream repository. This could cause end-users to mistake the plug-in for an un-supported addition to Red Hat Enterprise Linux. This plug-in has been renamed to "ifcfg-rh".
- with this update, support has been added to NetworkManager for wired 802.1x authentication. However, after creating an 802.1x-enabled wired connection in the NetworkManager connection editor, it may be necessary to log out, then log back in before the connection can be used from the NetworkManager applet menu.
- NetworkManager attempted to set a hostname, but only after X had already done so. The user could not then open new windows because the authority files had been set by X with a different hostname. NetworkManager no longer sets hostnames.
- an update for NetworkManager that was available in the beta phase would change the run level enablement of the package during installation, and thus prevent NetworkManager from starting. NetworkManager no longer changes run level enablements during installation.
- on a system with more than one network adapter, network keys saved by the user while connecting with one adapter would not be available when the user attempted to connect with the other adapter. NetworkManager can now retrieve and use network keys saved for a different adapter on the same network.
- previously, NetworkManager would not always prompt the user for a new network key if the protocol or key of a wireless network changed. Although NetworkManager would wait for a new key, it would not always open a dialog box and allow the user to provide one. NetworkManager will now open a dialog box when needed.
- several bug fixes and enhancements for NetworkManager were available upstream. NetworkManager has been rebased to version 0.7 to incorporate these improvements, including mobile broadband functionality, Phase2 WPA support, and static IP functionality.
- NetworkManager would would cause a segmentation fault when resuming a session. This was caused by the HAL dropping privileges before connecting to D-Bus, meaning that the HAL could not send signals to NetworkManager. NetworkManager now explicitly permits signals from the HAL.
- sometimes, X would freeze if the NetworkManager menu and a keyring manager window were open at the same time. This updated package includes a patch from upstream that prevents this behavior.
- if NetworkManager requires a network key from the user, it will open a pop-up window. However, the applet previously could not steal focus from metacity and would remain in the background. The window was therefore not obvious to the user. The applet now opens in the foreground, alerting the user to take action.
- when resuming, NetworkManager could sometimes re-establish a wireless connection, but not a route. A fix for this problem from upstream has been included in this update.
- NetworkManager did not previously support Cisco Airo Wi-Fi cards, as these devices did not respond to NetworkManager's attempts to detect them. NetworkManager can now detect and use these cards.
- the NetworkManager applet would wake up and redraw its icon once per second, even when NetworkManager was not active. Now, the applet will not wake up unless NetworkManager is running.
- NetworkManager 0.7 connects faster than libnotify can provide a notification bubble. When this happens, the bubble will appear at the top left corner of the screen, rather than under the taskbar. NetworkManager notification bubbles are now delayed for a few seconds, allowing libnotify to react.
- dbus-glib re-base
- The dbus-glib integration library has been re-based to version 0.73.8 This update provides support to updated versions of NetworkManager and also implements the following bugfix and enhancements
- cleanup of the DBusGProxy objects treated pending remote method calls incorrectly and may have resulted in freeing invalid memory. Consequently, processes using DBusGProxy objects may have crashed when the DBusGProxy object was freed. With this update dbus-glib correctly handles the destruction of DBusGProxy objects, resolving this issue.
- two new function calls,
dbus_g_proxy_call_with_timeout
anddbus_g_proxy_begin_call_with_timeout
, have been added to dbus-glib providing the ability to specify a timeout when making a request to a remote service. - dbus-binding-tool now ignores namespaced Extensible Markup Language (XML) nodes when processing introspection definition files.
- sudo Re-base
- sudo has been re-based to upstream version 1.6.9. This version of sudo now supports LDAP, and allows sub-tree searching instead of just base searching (i.e. tree-level only) for sudo rights. This allows administrators to categorize sudo rights in a tree, making user privileges easier to manage.
Note
theenv_reset
sudoers option from newer sudo will reset the PATH environment variable. This is different from the behaviour in sudo-1.9.8. To keep the old behaviour simply add PATH variable into env_keep insudoers
file. - LVM-based Cluster mirroring
- With this update, the ability to create LVM mirrors in a cluster environment (i.e. while using CLVM) is now available in Red Hat Enterprise Linux It provides for simultaneous access from multiple cluster machines, like when using a cluster-aware file system. This solution is compatible with existing single-machine mirrors. When switching a mirrored logical volume between single-machine and cluster-aware, no resynchronization is necessary.
1.2. Resolved Issues
system-config-network
requires the fonts provided withxorg-x11-fonts-Type1
in order to display. However, this fonts package was not previously set as a dependency forsystem-config-network
and it was therefore possible (for example, in the case of a minimal installation) forsystem-config-network
to be present on a system and yet unable to function because these fonts were missing. This update setsxorg-x11-fonts-Type1
as a dependency forsystem-config-network
to ensure that these fonts will be available and thatsystem-config-network
will display correctly.- In Red Hat Enterprise Linux 5.2, a 64-bit version of httpd was included in addition to the existing 32-bit httpd in the PowerPC architecture. If a user installed both versions, an httpd conflict would occur, preventing httpd from functioning properly.To resolve this issue, the 64-bit version of httpd has been removed from this release. Any systems with the previous 64-bit version of httpd installed should remove the package before upgrade.
1.3. Driver Updates
- the SCSI device handler infrastructure (
scsi_dh
) has been updated, providing added support for LSI RDAC SCSI based storage devices. - the tg3 driver for Broadcom Tigon3 ethernet devices has been updated to version 3.93. This applies several upstream changes for new hardware. However, the 5785 hardware is not fully supported. This device may be detected by the driver, but lack of PHY support may cause these chips to not function correctly and may require the user disable any on-board 5785 cards in the system BIOS.
scsi-target-utils
now features iSCSI Extensions for RDMA (iSER), which is based on the Linux Target (tgt) framework. iSER is included in this release as a Technology Preview, and provides capabilities for both single and multiple portals on different subnets. Note, however, that there are known bugs with using multiple portals on the same subnet.To set up an iSER target component, install thescsi-target-utils
andlibibverbs-devel
packages. The corresponding library package for your system's Infiniband hardware is also required. For example, in HCAs that use thecxgb3
driver thelibcxgb3
package is needed, and for HCAs using themthca
driver thelibmthca
package is need.- The MPT Fusion driver has been updated to version 3.04.06, providing the following bugfixes and enhancements:
- Previously, the MPT Fusion driver always allocated I/O resources, even if they were not required, which may have caused issues in low resource environments. With this update, the driver now uses the pci_enable_device_mem and pci_enable_device functions to differentiate the resource allocations.
- Previously, the kernel would panic when the mptsas and mptcl modules were loaded in parallel. With this update, this issue has been resolved.
- Previously, system power state changes (such as hibernation and standby) were not functioning correctly with 106XE controllers. With this update, the driver has been modified to free and allocate resources in power management entry points.
1.4. Virtualization
- A bug in the IDE/ATA driver stack that could prevent a system using
kernel-xen
from booting into thekdump
environment is now fixed. In previous releases, this occurred if the system encountered a kernel panic while an IDE device was performing I/O and the IDE device was being controlled by a device driver other thanlibata
. - A softlockup may have occurred when creating a guest with a large amount of memory. Consequently, a call trace of the error was displayed on both the dom0 and the other guest. In this update, this issue has been resolved.
- On systems with large amounts of memory (ie 256GB or more), setting up the dom0 could exhaust the hypervisor memory heap. To work around this, the xenheap and dom0_size command line arguments had to be set to valid values for the system. In this update, the hypervisor has been updated to automatically set these values to a default of 32GB, which resolves this issue.
- Due to technical problems with passing TX checksum offload information between paravirtual domains, the use of TX checksum offload in conjunction with NAT for traffic originating from another domain is not supported. TX checksum offload can be used together with NAT as long as the NAT rule is applied in the domain where the traffic originates.Note that this also applies to fully virtualised domains using paravirtual network drivers. Fully virtualised domains using fully virtualised drivers are not affected as they do not support TX checksum offload at all.
1.5. Known Issues
- Previous versions of the 5.3 Release Notes stated that the CD-ROM/DVD-ROM unit on Dell PowerEdge R905 servers does not work with Red Hat Enterprise Linux 5. This note was included by error, and does not apply to Red Hat Enterprise Linux 5.3.
- kdump now serializes drive creation registration with the rest of the kdump process. Consequently, kdump may hang waiting for IDE drives to be initialized. In these cases, it is recommended that IDE disks not be used with kdump.
- Improvements have been made to the 'nv' driver, enhancing suspend and resume support on some systems equipped with nVidia GeForce 8000 and 9000 series devices. Due to technical limitations, this will not enable suspend/resume on all hardware.
- pirut sorts some package lists using the textual representation of a package, which is inconsistent with the textual representation method used in yum. As such, some package lists (e.g. list) in pirut may not display names in alphabetical order.
- The Hypervisor outputs messages regarding attempts by any guest to write to an MSR. Such messages contain the statement
Domain attempted WRMSR
. These messages can be safely ignored; furthermore, they are rate limited and should pose no performance risk. - When upgrading from Red Hat Enterprise Linux 4 Workstation to 5 Server, OpenOffice will no longer work correctly with SELinux. This is because the Red Hat Enterprise Linux version of OpenOffice is built using an incorrect library. As a result, SELinux will prevent OpenOffice from accessing any shared libraries, causing OpenOffice to fail.To work around this, update the SELinux context to allow OpenOffice to access shared libraries. To do so, run the following commands:
semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?'
semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?'
restorecon -Rv /usr/lib/ooo-1.19
restorecon -Rv /usr/lib64/ooo-1.19
Alternatively, you can also upgrade your OpenOffice to a correct version compatible with SELinux in Red Hat Enterprise Linux 5. You can do this by subscribing to the "Productivity App" child channel in Red Hat Network and running the following command:yum install openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter,math,pyuno,writer,xsltfilter}
- If jumbo frames are enabled on your system, a kernel panic will occur if you attempt to unload the
bnx2
module. - Red Hat advises that you avoid removing a block device from a guest while the device is in use. Doing so causes Xend to lose domain information for the guest.
- Accessing the right-click menu of the NetworkManager GNOME applet may cause the GNOME dialog to appear. When this occurs, no XII applications can receive keyboard or mouse input.To recover from this, switch to a virtual terminal using Ctrl+Alt+F1. Log in as the affected user (or root) and run
killall -9 nm-applet
. Then, switch back to X11 using Ctrl+Alt+F7. Your system should be able to receive keyboard and mouse input, although Red Hat recommends that you logout and login again to allow the system to fully recover. - On Altix systems with an ATI FireMV graphics adapter, the GUI console may not display on one of the VGA connectors. To workaround this issue, switch to using the other VGA connector on the dongle.
- It has been determined that 1024 byte objects in kernel slab may be lost when a call to pipe() fails. The problem occurs because pipe() allocates pipe files, and then tries to get free file descriptors for them. If the process is out of file descriptors, pipe() fails, but it does not clean up properly. A fix for this problem is planned for a forthcoming 5.3 kernel update.To workaround this issue, ensure that the process calling do_pipe has adequate file descriptors allocated.This issue has been observed with multipathd in particular. To avoid the problem with multipathd, calculate the number of file descriptors (FDs) required using the formula: "FDs = Number of Paths + 32". If the result is greater than the default value of 1024, then the max_fds value in the defaults section of multipath.conf should be set to the previously calculated value. For example, if there are 255 LUNs with 8 paths each, the line to be added to the defaults section of multipath.conf would be:
max_fds 2072
- The
libcmpiutil-devel
package depends ontog-pegasus-devel
, which for the Red Hat Enterprise Linux Desktop product is only available from the Workstation option. Therefore, any attempt to install thelibcmpiutil-devel
package on a system that does not have a Subscription including the Workstation option or is not subscribed to the Workstation channel on the Red Hat Network, will fail with an unresolved dependency error. - It is possible in rare circumstances, for
makedumpfile
to produce erroneous results but not have them reported. This is due to the fact thatmakedumpfile
processes its output data through a pipeline consisting of several stages. Ifmakedumpfile
fails, the other stages will still succeed, effectively masking the failure. Should a vmcore appear corrupt, and makedumpfile is in use, it is recommended that the core be recorded without makedumpfile and a bug be reported. - An issue may be encountered when using system-config-cluster to configure a Postgres 8 resource agent, resulting in the postgresql service failing to start. To include a Postgres resource agent in your cluster, please check the man page for the agent, and edit the
cluster.conf
file in an editor, then update the cluster with the new configuration file using the appropriate cman_tool command. - Due to outstanding driver issues with hardware encryption acceleration, users of Intel WiFi Link 4965, 5100, 5150, 5300, and 5350 wireless cards are advised to disable hardware accelerated encryption using module parameters. Failure to do so may result in the inability to connect to Wired Equivalent Privacy (WEP) protected wireless networks after connecting to WiFi Protected Access (WPA) protected wireless networks.To do so, add the following options to
/etc/modprobe.conf
:alias wlan0 iwlagn options iwlagn swcrypto50=1 swcrypto=1
(where wlan0 is the default interface name of the first Intel WiFi Link device) - kdump now restarts when CPUs or DIMMs are hot-added to a system. If multiple items are added at the same time, several sequential restarts may be encountered. This behavior is intentional, as it minimizes the time-frame where a crash may occur while memory or processors are not being tracked by kdump.
1.6. Technology Previews
- Software based Fibre Channel over Ethernet (FCoE)
- The Fibre Channel over Ethernet (FCoE) driver (fcoe.ko), along with libfc, provides the ability to run FCoE over a standard Ethernet card. This capability is provided as a technical preview in Red Hat Enterprise Linux 5.3.To enable this feature, you must login by writing the network interface name to the
/sys/module/fcoe/parameters/create
file, for example:echo eth6 > /sys/module/fcoe/parameters/create
To logout, write the network interface name to the/sys/module/fcoe/parameters/destroy
file, for example:echo eth6 > /sys/module/fcoe/parameters/destroy
For further information on software based FCoE refer to: http://www.open-fcoe.org/openfc/wiki/index.php/FCoE_Initiator_Quickstart.Red Hat Enterprise Linux 5.3 provides full support for FCoE on three specialized hardware implementations. These are: Ciscofnic
driver, the Emulexlpfc
driver, and the Qlogicqla2xx
driver. - iSER Support
- iSER support, allowing for block storage transfer across a network, has been added to the
scsi-target-utils
package as a Technology Preview. In this release, single portal and multiple portals on different subnets are supported. There are known bugs when using multiple portals on the same subnet.To set up the iSER target component install the scsi-target-utils and libibverbs-devel RPM. The library package for the InfiniBand hardware that is being used is also required. For example: host channel adapters that use thecxgb3
driver thelibcxgb3
package is needed, and for host channel adapters using themthca
driver thelibmthca
package is needed.There is also a known issue relating to connection timeouts in some situations. Refer to Red Hat Bugzilla #470627 for more information on this issue.