Chapter 8. Known Issues
This chapter documents known problems in Red Hat Enterprise Linux 7.
8.1. Authentication and Interoperability
Potential risk when using the default value for ldap_id_use_start_tls option
Using ldap:// without TLS for identity lookups exposes the system to attack, in particular a man-in-the-middle (MITM) attack, which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.
Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are not affected as they use encrypted connections protected by SASL and GSSAPI.
If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the /etc/sssd/sssd.conf file. The default behavior is planned to be changed in a future release of RHEL.
(JIRA:RHELPLAN-155168)
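The following check is an added example, not part of the original release notes: it parses sssd.conf text and lists the id_provider = ldap domains whose identity lookups are not protected by ldap_id_use_start_tls. The sample configuration, the domain names and the function name are constructed for illustration.

```python
import configparser

# Constructed sample configuration (not taken from the release notes).
SAMPLE_SSSD_CONF = """
[sssd]
domains = corp_ldap, corp_ldaps, corp_tls, corp_ad

[domain/corp_ldap]
id_provider = ldap
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com

[domain/corp_ldaps]
id_provider = ldap
ldap_uri = ldaps://ldap1.example.com

[domain/corp_tls]
id_provider = ldap
ldap_uri = ldap://ldap1.example.com
ldap_id_use_start_tls = True

[domain/corp_ad]
id_provider = ad
"""

def domains_with_cleartext_id_lookups(conf_text):
    """Return names of id_provider = ldap domains that can send lookups unencrypted."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.read_string(conf_text)
    flagged = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        dom = parser[section]
        if dom.get("id_provider", "").strip().lower() != "ldap":
            continue  # ad and ipa use connections protected by SASL and GSSAPI
        start_tls = dom.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        uris = [u.strip().lower() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        # No ldap_uri means service discovery; without StartTLS treat it as unprotected.
        cleartext = not uris or any(u.startswith("ldap://") for u in uris)
        if cleartext and not start_tls:
            flagged.append(section[len("domain/"):])
    return flagged

if __name__ == "__main__":
    for name in domains_with_cleartext_id_lookups(SAMPLE_SSSD_CONF):
        print("domain %s: set ldap_id_use_start_tls = true" % name)
```

To check a live system, pass the contents of /etc/sssd/sssd.conf to the function, and include any snippets under /etc/sssd/conf.d/ if your setup uses them.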
8.2. Compiler and Tools
GCC thread sanitizer included in RHEL no longer works
Due to incompatible changes in kernel memory mapping, the thread sanitizer included with the GNU C Compiler (GCC) version in RHEL no longer works. Additionally, the thread sanitizer cannot be adapted to the incompatible memory layout. As a result, it is no longer possible to use the GCC thread sanitizer included with RHEL.
As a workaround, use the version of GCC included in Red Hat Developer Toolset to build code which uses the thread sanitizer.
(BZ#1569484)
8.3. Desktop
The radeon driver fails to reset hardware correctly in the kexec context
When booting a kernel from the currently running kernel, such as when performing the kdump process, the radeon kernel driver currently does not properly reset hardware. Instead, radeon terminates unexpectedly, which causes the rest of the kdump service to fail.
To work around this bug, blacklist radeon in kdump by adding the following line to the /etc/kdump.conf file:
dracut_args --omit-drivers "radeon"
Afterwards, restart the machine and kdump.
Note that in this scenario, no graphics will be available during kdump, but kdump will complete successfully.
(BZ#1509444)
8.4. File Systems
System boot might fail due to persistent memory file systems
Systems with a large amount of persistent memory take a long time to boot. If the /etc/fstab file configures persistent memory file systems, the system might time out waiting for the devices to become available. The boot process then fails and presents the user with an emergency prompt.
To work around the problem, increase the DefaultTimeoutStartSec value in the /etc/systemd/system.conf file. Use a sufficiently large value, such as 1200s. As a result, the system boot no longer times out.
(BZ#1666535, BZ#1634341)
8.5. Installation and Booting
RHEL 7.7 and later installations add spectre_v2=retpoline to Intel Cascade Lake systems
RHEL 7.7 and later installations add the spectre_v2=retpoline kernel parameter to Intel Cascade Lake systems, and as a consequence, system performance is affected. To work around this problem and ensure the best performance, complete the following steps.
Remove the kernel boot parameter on Intel Cascade Lake systems:
# grubby --remove-args="spectre_v2=retpoline" --update-kernel=DEFAULT
Reboot the system:
# reboot
iSCSI installation failing with Emulex OneConnect card
After connecting an Emulex OneConnect card and configuring it for iSCSI boot, when you start the RHEL installation, the Anaconda installer returns an exception and the installation terminates unexpectedly.
To work around this problem, add the rd.iscsi.firmware parameter to the boot command line post installation and you will be able to successfully boot into RHEL. However, note that the boot process with this workaround takes a little longer.
(BZ#1632274)
8.6. Kernel
The system boot sometimes fails on large systems
During the boot process, the udev device manager sometimes generates too many rules on large systems. For example, the problem has manifested on a system with 32 TB of memory and 192 CPUs. As a consequence, the boot process becomes unresponsive or times out and switches to the emergency shell.
To work around the problem, increase the udev.children-max value:
- Add the udev.children-max=1000 option to the kernel command line in the /etc/default/grub file. You can experiment with different values of udev.children-max to see which value results in the fastest boot on your system.
- Limit the udev.children-max value for the kdump kernel:
  - Add the udev.children-max option to the KDUMP_COMMANDLINE_REMOVE line in the /etc/sysconfig/kdump file. If you do not specify the kdump option, the system might enter emergency mode after a kdump or fadump capture on IBM POWER systems.
  - Restart the kdump service:
    # systemctl restart kdump
As a result, the system boots successfully.
(BZ#1722855)
The mirror segment type causes system deadlock in stacked configurations
The usage of the mirror segment type and putting any logical volumes on top of it causes system deadlock in stacked configurations. To work around this problem, Red Hat recommends using RAID 1 logical volumes with segment type raid1.
To convert mirror devices to raid1, see Converting a Mirrored LVM Device to a RAID1 Device.
(BZ#1772107)
The zlib compression format may slow down a vmcore capture
The kdump configuration file uses the lzo compression format (makedumpfile -l) by default. Modification of the configuration file to use the zlib compression format (makedumpfile -c) is likely to bring a better compression factor at the expense of slowing down the vmcore capture process. As a consequence, it may take kdump approximately 4 times longer to capture a vmcore when zlib is used as compared to lzo. As a result, Red Hat recommends that you use the default lzo for cases where speed is the main driving factor. However, if the target machine is low on available space, zlib is a better option.
(BZ#1737111)
Intel network device that uses the ice driver does not pass traffic when using bridge-over-VLAN topology
Ethernet devices do not transmit Internet Control Message Protocol (ICMP) echo request and reply traffic if all of the following conditions are met:
- The Ethernet device uses the ice Intel driver.
- The Ethernet device is a member of a bridge.
- The bridge uses VLAN tagging according to the 802.1Q protocol.
As a consequence, the Network Interface Controller (NIC) does not pass traffic for the described network topology. There is no workaround available for this problem.
(BZ#1787295)
8.7. Networking
Verification of signatures using the MD5 hash algorithm is disabled in Red Hat Enterprise Linux 7
It is impossible to connect to any Wi-Fi Protected Access (WPA) Enterprise Access Point (AP) that requires MD5 signed certificates. To work around this problem, copy the wpa_supplicant.service file from the /usr/lib/systemd/system/ directory to the /etc/systemd/system/ directory and add the following line to the Service section of the file:
Environment=OPENSSL_ENABLE_MD5_VERIFY=1
Then run the systemctl daemon-reload command as root to reload the service file.
Note that MD5 certificates are highly insecure and Red Hat does not recommend using them.
(BZ#1062656)
bind-utils DNS lookup utilities support fewer search domains than glibc
The dig, host, and nslookup DNS lookup utilities from the bind-utils package support only up to 8 search domains, while the glibc resolver in the system supports any number of search domains. As a consequence, the DNS lookup utilities may get different results than applications when the search clause in the /etc/resolv.conf file contains more than 8 domains.
To work around this problem, use one of the following:
- Full names ending with a dot, or
- Fewer than nine domains in the resolv.conf search clause.
Note that it is not recommended to use more than three domains.
8.8. Security
Auditd server does not start on remote logging servers using KRB5 peer authentication
The SELinux policy does not contain the auditd_tmp_t file type for the temporary directories and files created by processes running under the auditd_t SELinux type. This prevents starting the auditd service on a server when KRB5 peer authentication is used for remote logging.
To work around this problem, either set the auditd_t domain to permissive mode or build a custom SELinux policy that allows processes running under the auditd_t type to create and modify files and directories in the /var/tmp directory. As a result, an auditd server using KRB5 peer authentication for remote logging can be started only after applying the described workaround.
Audit executable watches on symlinks do not work
File monitoring provided by the -w option cannot directly track a path. It has to resolve the path to a device and an inode to make a comparison with the executed program. A watch monitoring an executable symlink monitors the device and an inode of the symlink itself instead of the program executed in memory, which is found from the resolution of the symlink. Even if the watch resolves the symlink to get the resulting executable program, the rule triggers on any multi-call binary called from a different symlink. This results in flooding logs with false positives. Consequently, Audit executable watches on symlinks do not work.
To work around the problem, set up a watch for the resolved path of the program executable, and filter the resulting log messages using the last component listed in the comm= or proctitle= fields.
(BZ#1421794)
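The filtering step of this workaround, as an added example that is not part of the original release notes: it groups audit records by event ID and keeps the events where the watched executable ran under one particular name. The log records, the /usr/sbin/lvm multi-call binary with its lvs and lvremove symlinks, the lvm-exec key and the function names are constructed assumptions.

```python
import os
import re

def _hex(*argv):
    # The kernel hex-encodes proctitle when it contains NUL-separated arguments.
    return "\0".join(argv).encode().hex().upper()

# Constructed records, as a watch on the resolved path (for example
# "-w /usr/sbin/lvm -p x -k lvm-exec") would log them for each calling symlink.
SAMPLE_LOG = "\n".join([
    'type=SYSCALL msg=audit(1585000000.101:201): syscall=59 pid=1301 comm="lvs" exe="/usr/sbin/lvm" key="lvm-exec"',
    'type=PROCTITLE msg=audit(1585000000.101:201): proctitle="lvs"',
    'type=SYSCALL msg=audit(1585000002.440:202): syscall=59 pid=1302 comm="lvremove" exe="/usr/sbin/lvm" key="lvm-exec"',
    'type=PROCTITLE msg=audit(1585000002.440:202): proctitle=' + _hex("/usr/sbin/lvremove", "-f", "vg01/data"),
    'type=SYSCALL msg=audit(1585000005.007:203): syscall=59 pid=1303 comm="lvremove" exe="/usr/sbin/lvm" key="lvm-exec"',
])

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """Audit string fields are either double-quoted or hex-encoded."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def invoked_name(fields):
    """Last path component of argv[0] from proctitle=, else of comm= (15-char limit)."""
    raw = fields.get("proctitle") or fields.get("comm", "")
    return os.path.basename(decode(raw).split("\0")[0])

def events_run_as(log_text, exe_path, wanted):
    """IDs of events where exe_path was executed under the name `wanted`."""
    events = {}
    for line in log_text.splitlines():
        match = EVENT_ID.search(line)
        if match:  # records sharing an ID belong to one event
            events.setdefault(match.group(1), {}).update(FIELD.findall(line))
    return [eid for eid, f in events.items()
            if decode(f.get("exe", "")) == exe_path and invoked_name(f) == wanted]

if __name__ == "__main__":
    print(events_run_as(SAMPLE_LOG, "/usr/sbin/lvm", "lvremove"))
```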
8.9. Servers and Services
Upgrade to RHEL 7.8 fails when mariadb-test or postgresql-docs are installed on Workstation
The mariadb-test and postgresql-docs packages have been moved to the Workstation Optional repository. Consequently, if these packages are installed, it is impossible to update a system with a Workstation variant to RHEL 7.8. To work around this problem, uninstall mariadb-test and postgresql-docs prior to upgrading to RHEL 7.8.
(BZ#1749776)
FreeRADIUS silently truncates Tunnel-Passwords longer than 249 characters
If a Tunnel-Password is longer than 249 characters, the FreeRADIUS service silently truncates it. This may lead to unexpected password incompatibilities with other systems.
To work around the problem, choose a password that is 249 characters or fewer.
8.10. Storage
The system sometimes becomes unresponsive in low-memory situations with external MD metadata
The system might periodically become unresponsive if all of the following conditions occur:
- The Multiple Devices (MD) storage subsystem is configured to use external metadata arrays.
- The system reaches a low-memory situation.
- The MD user space performs an allocation that writes data back to the same device that MD is allocating for.
To work around the problem, ensure that the system has enough free memory. As a result, the system does not become unresponsive when MD performs the allocation.
(BZ#1703180)
8.11. Virtualization
Live migration of virtual machines between hosts with different physical address sizes does not work in some cases
Live migration of a virtual machine (VM) that uses a hot-plugged CPU currently fails in some cases if the hosts have different physical address sizes. To work around this problem, do not live migrate between such hosts while using a CPU hot-plug. Alternatively, do not hot-plug a CPU to a VM that has been migrated to a host with a different physical address size.
(BZ#1607311)
virt-clone always shows a 100% progress bar when --nonsparse is used
Currently, when the virt-clone utility is used with the --nonsparse option, the progress bar displayed in the CLI always shows 100% completion of the process. As a consequence, the user cannot see the actual progress of cloning the virtual machine.
(BZ#1746771)
RHEL 7 virtual machines sometimes cannot boot on and migrate to Witherspoon hosts
RHEL 7 virtual machines (VMs) that use the pseries-rhel7.6.0-sxxm machine type in some cases fail to boot on Power9 S922LC for HPC hosts (also known as Witherspoon) that use the DD2.3 CPU.
Attempting to boot such a VM instead generates the following error message:
qemu-kvm: Requested safe indirect branch capability level not supported by kvm
In addition, migrating VMs that use the pseries-rhel7.6.0-sxxm machine type to Witherspoon hosts from other hosts fails.
kdump does not support setting nr_cpus to 2 or higher in Hyper-V virtual machines
When using RHEL 7.8 as a guest operating system on a Microsoft Hyper-V hypervisor, the kdump kernel in some cases becomes unresponsive when the nr_cpus parameter is set to 2 or higher. To prevent this problem from occurring, do not change the default nr_cpus=1 parameter in the /etc/sysconfig/kdump file of the guest.