8.1 Release Notes

Modules can now be disabled during Kickstart installation

With this enhancement, users can now disable a module to prevent the installation of packages from the module. To disable a module during Kickstart installation, use the command:

Support for the repo.git section to blueprints is now available

A new repo.git blueprint section allows users to include extra files in their image build. The files must be hosted in git repository that is accessible from the lorax-composer build server.

Image Builder now supports image creation for more cloud providers

With this update, the Image Builder expanded the number of Cloud Providers that the Image Builder can create an image for. As a result, now you can create RHEL images that can be deployed also on Google Cloud and Alibaba Cloud as well as run the custom instances on these platforms.

dnf-utils has been renamed to yum-utils

With this update, the dnf-utils package, that is a part of the YUM stack, has been renamed to yum-utils. For compatibility reasons, the package can still be installed using the dnf-utils name, and will automatically replace the original package when upgrading your system.

subscription-manager now reports the role, usage and add-ons values

With this update, the subscription-manager can now display the Role, Usage and Add-ons values for each subscription available in the current organization, which is registered to either the Customer Portal or to the Satellite.

tuned rebased to version 2.12

The tuned packages have been upgraded to upstream version 2.12, which provides a number of bug fixes and enhancements over the previous version, notably:

chrony rebased to version 3.5

The chrony packages have been upgraded to upstream version 3.5, which provides a number of bug fixes and enhancements over the previous version, notably:

New FRRouting routing protocol stack is available

With this update, Quagga has been replaced by Free Range Routing (FRRouting, or FRR), which is a new routing protocol stack. FRR is provided by the frr package available in the AppStream repository.

GNU enscript now supports ISO-8859-15 encoding

With this update, support for ISO-8859-15 encoding has been added into the GNU enscript program.

Improved accuracy of measuring system clock offset in phc2sys

The phc2sys program from the linuxptp packages now supports a more accurate method for measuring the offset of the system clock.

ptp4l now supports team interfaces in active-backup mode

With this update, support for team interfaces in active-backup mode has been added into the PTP Boundary/Ordinary Clock (ptp4l).

The PTP time synchronization on macvlan interfaces is now supported

This update adds support for hardware timestamping on macvlan interfaces into the Linux kernel. As a result, macvlan interfaces can now use the Precision Time Protocol (PTP) for time synchronization.

New package: fapolicyd

The fapolicyd software framework introduces a form of application whitelisting and blacklisting based on a user-defined policy. The application whitelisting feature provides one of the most efficient ways to prevent running untrusted and possibly malicious applications on the system.

New package: udica

The new udica package provides a tool for generation SELinux policies for containers. With udica, you can create a tailored security policy for better control of how a container accesses host system resources, such as storage, devices, and network. This enables you to harden your container deployments against security violations and it also simplifies achieving and maintaining regulatory compliance.

SELinux user-space tools updated to version 2.9

The libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, and mcstrans SELinux user-space tools have been upgraded to the latest upstream release 2.9, which provides many bug fixes and enhancements over the previous version.

SETools updated to version 4.2.2

The SETools collection of tools and libraries has been upgraded to the latest upstream release 4.2.2, which provides the following changes:

selinux-policy rebased to 3.14.3

The selinux-policy package has been upgraded to upstream version 3.14.3, which provides a number of bug fixes and enhancements to the allow rules over the previous version.

A new SELinux type: boltd_t

A new SELinux type, boltd_t, confines boltd, a system daemon for managing Thunderbolt 3 devices. As a result, boltd now runs as a confined service in SELinux enforcing mode.

A new SELinux policy class: bpf

A new SELinux policy class, bpf, has been introduced. The bpf class enables users to control the Berkeley Packet Filter (BPF) flow through SElinux, and allows inspection and simple manipulation of Extended Berkeley Packet Filter (eBPF) programs and maps controlled by SELinux.

OpenSCAP rebased to version 1.3.1

The openscap packages have been upgraded to upstream version 1.3.1, which provides many bug fixes and enhancements over the previous version, most notably:

OpenSCAP now supports SCAP 1.3

The OpenSCAP suite now supports data streams conforming to the latest version of the SCAP standard - SCAP 1.3. You can now use SCAP 1.3 data streams, such as those contained in the scap-security-guide package, in the same way as SCAP 1.2 data streams without any additional usability restrictions.

scap-security-guide rebased to version 0.1.46

The scap-security-guide packages have been upgraded to upstream version 0.1.46, which provides many bug fixes and enhancements over the previous version, most notably: * SCAP content conforms to the latest version of SCAP standard, SCAP 1.3 * SCAP content supports UBI images

OpenSSH rebased to 8.0p1

The openssh packages have been upgraded to upstream version 8.0p1, which provides many bug fixes and enhancements over the previous version, most notably:

libssh now complies with the system-wide crypto-policies

The libssh client and server now automatically load the /etc/libssh/libssh_client.config file and the /etc/libssh/libssh_server.config, respectively. This configuration file includes the options set by the system-wide crypto-policies component for the libssh back end and the options set in the /etc/ssh/ssh_config or /etc/ssh/sshd_config OpenSSH configuration file. With automatic loading of the configuration file, libssh now use the system-wide cryptographic settings set by crypto-policies. This change simplifies control over the set of used cryptographic algorithms by applications.

An option for rsyslog to preserve case of FROMHOST is available

This update to the rsyslog service introduces the option to manage letter case preservation of the FROMHOST property for the imudp and imtcp modules. Setting the preservecase value to on means the FROMHOST property is handled in a case sensitive manner. To avoid breaking existing configurations, the default values of preservecase are on for imtcp and off for imudp.

PMTU discovery and route redirection is now supported with VXLAN and GENEVE tunnels

The kernel in Red Hat Enterprise Linux (RHEL) 8.0 did not handle Internet Control Message Protocol (ICMP) and ICMPv6 messages for Virtual Extensible LAN (VXLAN) and Generic Network Virtualization Encapsulation (GENEVE) tunnels. As a consequence, Path MTU (PMTU) discovery and route redirection was not supported with VXLAN and GENEVE tunnels in RHEL releases prior to 8.1. With this update, the kernel handles ICMP "Destination Unreachable" and "Redirect Message", as well as ICMPv6 "Packet Too Big" and "Destination Unreachable" error messages by adjusting the PMTU and modifying forwarding information. As a result, RHEL 8.1 supports PMTU discovery and route redirection with VXLAN and GENEVE tunnels.

Notable changes in XDP and networking eBPF features in kernel

The XDP and the networking eBPF features in the kernel package have been upgraded to upstream version 5.0, which provides a number of bug fixes and enhancements over the previous version:

The new PTP_SYS_OFFSET_EXTENDED control for ioctl() improves the accuracy of measured system-PHC ofsets

This enhancement adds the PTP_SYS_OFFSET_EXTENDED control for more accurate measurements of the system precision time protocol (PTP) hardware clock (PHC) offset to the ioctl() function. The PTP_SYS_OFFSET control which, for example, the chrony service uses to measure the offset between a PHC and the system clock is not accurate enough. With the new PTP_SYS_OFFSET_EXTENDED control, drivers can isolate the reading of the lowest bits. This improves the accuracy of the measured offset. Network drivers typically read multiple PCI registers, and the driver does not read the lowest bits of the PHC time stamp between two readings of the system clock.

ipset rebased to version 7.1

The ipset packages have been upgraded to upstream version 7.1, which provides a number of bug fixes and enhancements over the previous version:

Kernel version in RHEL 8.1

Red Hat Enterprise Linux 8.1 is distributed with the kernel version 4.18.0-147.

Live patching for the kernel is now available

Live patching for the kernel, kpatch, provides a mechanism to patch the running kernel without rebooting or restarting any processes. Live kernel patches will be provided for selected minor release streams of RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important CVEs.

Extended Berkeley Packet Filter in RHEL 8

Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions. The virtual machine executes special assembly-like code. The code is then loaded to the kernel and translated to the native machine code with just-in-time compilation. There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported.

Red Hat Enterprise Linux 8 now supports early kdump

The early kdump feature allows the crash kernel and initramfs to load early enough to capture the vmcore information even for early crashes.

RHEL 8 now supports ipcmni_extend

A new kernel command line parameter ipcmni_extend has been added to Red Hat Enterprise Linux 8. The parameter extends a number of unique System V Inter-process Communication (IPC) identifiers from the current maximum of 32 KB (15 bits) up to 16 MB (24 bits). As a result, users whose applications produce a lot of shared memory segments are able to create a stronger IPC identifier without exceeding the 32 KB limit.

The persistent memory initialization code supports parallel initialization

The persistent memory initialization code enables parallel initialization on systems with multiple nodes of persistent memory. The parallel initialization greatly reduces the overall memory initialization time on systems with large amounts of persistent memory. As a result, these systems can now boot much faster.

TPM userspace tool has been updated to the last version

The tpm2-tools userspace tool has been updated to version 2.0. With this update, tpm2-tools is able to fix many defects.

The rngd daemon is now able to run with non-root privileges

The random number generator daemon (rngd) checks whether data supplied by the source of randomness is sufficiently random and then stores the data in the kernel’s random-number entropy pool. With this update, rngd is able to run with non-root user privileges to enhance system security.

Full support for the ibmvnic driver

With the introduction of Red Hat Enterprise Linux 8.0, the IBM Virtual Network Interface Controller (vNIC) driver for IBM POWER architectures, ibmvnic, was available as a Technology Preview. vNIC is a PowerVM virtual networking technology that delivers enterprise capabilities and simplifies network management. It is a high-performance, efficient technology that when combined with SR-IOV NIC provides bandwidth control Quality of Service (QoS) capabilities at the virtual NIC level. vNIC significantly reduces virtualization overhead, resulting in lower latencies and fewer server resources, including CPU and memory, required for network virtualization.

Intel ® Omni-Path Architecture (OPA) Host Software

Intel Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 8.1. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

UBSan has been enabled in the debug kernel in RHEL 8

The Undefined Behavior Sanitizer (UBSan) utility exposes undefined behavior flaws in C code languages at runtime. This utility has now been enabled in the debug kernel because the compiler behavior was, in some cases, different than developers' expectations. Especially, in the case of compiler optimization, where subtle, obscure bugs would appear. As a result, running the debug kernel with UBSan enabled allows the system to easily detect such bugs.

The fadump infrastructure now supports re-registering in RHEL 8

The support has been added for re-registering (unregistering and registering) of the firmware-assisted dump (fadump) infrastructure after any memory hot add/remove operation to update the crash memory ranges. The feature aims to prevent the system from potential racing issues during unregistering and registering fadump from userspace during udev events.

The determine_maximum_mpps.sh script has been introduced in RHEL for Real Time 8

The determine_maximum_mpps.sh script has been introduced to help use the queuelat test program. The script executes queuelat to determine the maximum packets per second a machine can handle.

kernel-rt source tree now matches the latest RHEL 8 tree

The kernel-rt sources have been upgraded to be based on the latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and enhancements over the previous version.

The ssdd test has been added to RHEL for Real Time 8

The ssdd test has been added to enable stress testing of the tracing subsystem. The test runs multiple tracing threads to verify locking is correct within the tracing system.

Memory Mode for Optane DC Persistent Memory technology is fully supported

Intel Optane DC Persistent Memory storage devices provide data center-class persistent memory technology, which can significantly increase transaction throughput.

IBM Z now supports system boot signature verification

Secure Boot allows the system firmware to check the authenticity of cryptographic keys that were used to sign the kernel space code. As a result,the feature improves security since only code from trusted vendors can be executed.

Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)

DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.

Optane DC memory systems now supports EDAC reports

Previously, EDAC was not reporting memory corrected/uncorrected events if the memory address was within a NVDIMM module. With this update, EDAC can properly report the events with the correct memory module information.

The VDO Ansible module has been moved to Ansible packages

Previously, the VDO Ansible module was provided by the vdo RPM package. Starting with this release, the module is provided by the ansible package instead.

Aero adapters are now fully supported

The following Aero adapters, previously available as a Technology Preview, are now fully supported:

LUKS2 now supports online re-encryption

The Linux Unified Key Setup version 2 (LUKS2) format now supports re-encrypting encrypted devices while the devices are in use. For example, you do not have to unmount the file system on the device to perform the following tasks:

New features of ext4 available in RHEL 8

In RHEL8, following are the new fully supported features of ext4:

NVMe over RDMA now supports an Infiniband in the target mode for IBM Coral systems

In RHEL 8.1, NVMe over RDMA now supports an Infiniband in the target mode for IBM Coral systems, with a single NVMe PCIe add in card as the target.

Pacemaker now defaults the concurrent-fencing cluster property to true

If multiple cluster nodes need to be fenced at the same time, and they use different configured fence devices, Pacemaker will now execute the fencing simultaneously, rather than serialized as before. This can result in greatly sped up recovery in a large cluster when multiple nodes must be fenced.

Extending a shared logical volume no longer requires a refresh on every cluster node

With this release, extending a shared logical volume no longer requires a refresh on every cluster node after running the lvextend command on one cluster node. For the full procedure to extend the size of a GFS2 file system, see Growing a GFS2 file system.

Maximum size of a supported RHEL HA cluster increased from 16 to 32 nodes

With this release, Red Hat supports cluster deployments of up to 32 full cluster nodes.

Commands for adding, changing, and removing corosync links have been added to pcs

The Kronosnet (knet) protocol now allows you to add and remove knet links in running clusters. To support this feature, the pcs command now provides commands to add, change, and remove knet links and to change a upd/udpu link in an existing cluster. For information on adding and modifying links in an existing cluster, see Adding and modifying links in an existing cluster. (BZ#1667058)

A new module stream: php:7.3

RHEL 8.1 introduces PHP 7.3, which provides a number of new features and enhancements. Notable changes include:

A new module stream: ruby:2.6

A new module stream, ruby:2.6, is now available. Ruby 2.6.3, included in RHEL 8.1, provides numerous new features, enhancements, bug and security fixes, and performance improvements over version 2.5 distributed in RHEL 8.0.

A new module stream: nodejs:12

RHEL 8.1 introduces Node.js 12, which provides a number of new features and enhancements over version 10. Notable changes include:

Judy-devel available in CRB

The Judy-devel package is now available as a part of the mariadb-devel:10.3 module in the CodeReady Linux Builder repository (CRB). As a result, developers are now able to build applications with the Judy library.

FIPS compliance in Python 3

This update adds support for OpenSSL FIPS mode to Python 3. Namely:

FIPS compliance changes in python3-wheel

This update of the python3-wheel package removes a built-in implementation for signing and verifying data that is not compliant with FIPS.

A new module stream: nginx:1.16

The nginx 1.16 web and proxy server, which provides a number of new features and enhancements over version 1.14, is now available. For example:

perl-IO-Socket-SSL rebased to version 2.066

The perl-IO-Socket-SSL package has been upgraded to version 2.066, which provides a number of bug fixes and enhancements over the previous version, for example:

perl-Net-SSLeay rebased to version 1.88

The perl-Net-SSLeay package has been upgraded to version 1.88, which provides multiple bug fixes and enhancements. Notable changes include:

GCC Toolset 9 available

Red Hat Enterprise Linux 8.1 introduces GCC Toolset 9, an Application Stream containing more up-to-date versions of development tools.

Upgraded compiler toolsets

The following compiler toolsets, distributed as Application Streams, have been upgraded with RHEL 8.1:

SystemTap rebased to version 4.1

The SystemTap instrumentation tool has been updated to upstream version 4.1. Notable improvements include:

General availability of the DHAT tool

Red Hat Enterprise Linux 8.1 introduces the general availability of the DHAT tool. It is based on the valgrind tool version 3.15.0.

elfutils rebased to version 0.176

The elfutils packages have been updated to upstream version 0.176. This version brings various bug fixes, and resolves the following vulnerabilities:

Additional memory allocation checks in glibc

Application memory corruption is a leading cause of application and security defects. Early detection of such corruption, balanced against the cost of detection, can provide significant benefits to application developers.

GDB can access more POWER8 registers

With this update, the GNU debugger (GDB) and its remote stub gdbserver can access the following additional registers and register sets of the POWER8 processor line of IBM:

binutils disassembler can handle NFP binary files

The disassembler tool from the binutils package has been extended to handle binary files for the Netronome Flow Processor (NFP) hardware series. This functionality is required to enable further features in the bpftool Berkeley Packet Filter (BPF) code compiler.

Partially writable GOT sections are now supported on the IBM Z architecture

The IBM Z binaries using the "lazy binding" feature of the loader can now be hardened by generating partially writable Global offset table (GOT) sections. These binaries require a read-write GOT, but not all entries to be writable. This update provides protection for the entries from potential attacks.

binutils now supports Arch13 processors of IBM Z

This update adds support for the extensions related to the Arch13 processors into the binutils packages on IBM Z architecture. As a result, it is now possible to build kernels that can use features available in arch13-enabled CPUs on IBM Z.

Dyninst rebased to version 10.1.0

The Dyninst instrumentation library has been updated to upstream version 10.1.0. Notable changes include:

Date formatting updates for the Japanese Reiwa era

The GNU C Library now provides correct Japanese era name formatting for the Reiwa era starting on May 1st, 2019. The time handling API data has been updated, including the data used by the strftime and strptime functions. All APIs will correctly print the Reiwa era including when strftime is used along with one of the era conversion specifiers such as %EC, %EY, or %Ey.

Performance Co-Pilot rebased to version 4.3.2

In RHEL 8.1, the Performance Co-Pilot (PCP) tool has been updated to upstream version 4.3.2. Notable improvements include:

IdM now supports Ansible roles and modules for installation and management

This update introduces the ansible-freeipa package, which provides Ansible roles and modules for Identity Management (IdM) deployment and management. You can use Ansible roles to install and uninstall IdM servers, replicas, and clients. You can use Ansible modules to manage IdM groups, topology, and users. There are also example playbooks available.

New tool to test the overall fitness of IdM deployment: Healthcheck

This update introduces the Healthcheck tool in Identity Management (IdM). The tool provides tests verifying that the current IdM server is configured and running correctly.

IdM now supports renewing expired system certificates when the server is offline

With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new ipa-cert-fix command replaces the workaround to manually set the date back to proceed with the renewal process. As a result, the downtime and support costs reduce in the mentioned scenario.

Identity Management supports trust with Windows Server 2019

When using Identity Management, you can now establish a supported forest trust to Active Directory forests that run by Windows Server 2019. The supported forest and domain functional levels are unchanged and supported up to level Windows Server 2016.

samba rebased to version 4.10.4

The samba packages have been upgraded to upstream version 4.10.4, which provides a number of bug fixes and enhancements over the previous version:

Updated system-wide certificate store location for OpenLDAP

The default location for trusted CAs for OpenLDAP has been updated to use the system-wide certificate store (/etc/pki/ca-trust/source) instead of /etc/openldap/certs. This change has been made to simplify the setting up of CA trust.

New ipa-crl-generation commands have been introduced to simplify managing IdM CRL master

This update introduces the ipa-crl-generation status/enable/disable commands. These commands, run by the root user, simplify work with the Certificate Revocation List (CRL) in IdM. Previously, moving the CRL generation master from one IdM CA server to another was a lengthy, manual and error-prone procedure.

OpenID Connect support in keycloak-httpd-client-install

The keycloak-httpd-client-install identity provider previously supported only the SAML (Security Assertion Markup Language) authentication with the mod_auth_mellon authentication module. This rebase introduces the mod_auth_openidc authentication module support, which allows you to configure also the OpenID Connect authentication.

Setting up IdM as a hidden replica is now available as a Technology Preview

This enhancement enables administrators to set up an Identity Management (IdM) replica as a hidden replica. A hidden replica is an IdM server that has all services running and available. However, it is not advertised to other clients or masters because no SRV records exist for the services in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas.

SSSD now enforces AD GPOs by default

The default setting for the SSSD option ad_gpo_access_control is now enforcing. In RHEL 8, SSSD enforces access control rules based on Active Directory Group Policy Objects (GPOs) by default.

Modified workspace switcher in GNOME Classic

Workspace switcher in the GNOME Classic environment has been modified. The switcher is now located in the right part of the bottom bar, and it is designed as a horizontal strip of thumbnails. Switching between workspaces is possible by clicking on the required thumbnail. Alternatively, you can also use the combination of Ctrl+Alt+down/up arrow keys to switch between workspaces. The content of the active workspace is shown in the left part of the bottom bar in form of the window list.

DRM rebased to Linux kernel version 5.1

The Direct Rendering Manager (DRM) kernel graphics subsystem has been rebased to upstream Linux kernel version 5.1, which provides a number of bug fixes and enhancements over the previous version. Most notably:

Support for AMD Picasso graphic cards

This update introduces the amdgpu graphics driver. As a result AMD Picasso graphics cards are now fully supported on RHEL 8.

Enabling and disabling SMT

Simultaneous Multi-Threading (SMT) configuration is now available in RHEL 8. Disabling SMT in the web console allows you to mitigate a class of CPU security vulnerabilities such as:

Adding a search box in the Services page

The Services page now has a search box for filtering services by:

Adding support for firewall zones

The firewall settings on the Networking page now supports:

Adding improvements to Virtual Machines configuration

With this update, the RHEL 8 web console includes a lot of improvements in the Virtual Machines page. You can now:

A new storage role added to RHEL system roles

The storage role has been added to RHEL system roles provided by the rhel-system-roles package. The storage role can be used to manage local storage using Ansible.

WALinuxAgent rebased to version 2.2.38

The WALinuxAgent package has been upgraded to upstream version 2.2.38, which provides a number of bug fixes and enhancements over the previous version.

Windows automatically finds the needed virtio-win drivers

Windows can now automatically find the virtio-win drivers it needs from the driver ISO without requiring the user to select the folder in which they are located.

KVM supports 5-level paging

With Red Hat Enterprise Linux 8, KVM virtualization supports the 5-level paging feature. On selected host CPUs, this significantly increases the physical and virtual address space that the host and guest systems can use.

Smart card sharing is now supported on Windows guests with ActivClient drivers

This update adds support for smart card sharing in virtual machines (VMs) that use a Windows guest OS and ActivClient drivers. This enables smart card authentication for user logins using emulated or shared smart cards on these VMs.

New options have been added for virt-xml

The virt-xml utility can now use the following command-line options:

IBM z14 GA2 CPUs supported by KVM

With this update, KVM supports the IBM z14 GA2 CPU model. This makes it possible to create virtual machines on IBM z14 GA2 hosts that use RHEL 8 as the host OS with an IBM z14 GA2 CPU in the guest.

Nvidia NVLink2 is now compatible with virtual machines on IBM POWER9

Nvidia VGPUs that support the NVLink2 feature can now be assigned to virtual machines (VMs) running in a RHEL 8 host on an IBM POWER9 system. This makes it possible for these VMs to use the full performance potential of NVLink2.

Using the version or inst.version kernel boot parameters no longer stops the installation program

Previously, booting the installation program from the kernel command line using the version or inst.version boot parameters printed the version, for example anaconda 30.25.6, and stopped the installation program.

The xorg-x11-drv-fbdev, xorg-x11-drv-vesa, and xorg-x11-drv-vmware video drivers are now installed by default

Previously, workstations with specific models of NVIDIA graphics cards and workstations with specific AMD accelerated processing units did not display the graphical login window after a RHEL 8.0 Server installation. This issue also impacted virtual machines relying on EFI for graphics support, such as Hyper-V. With this update, the xorg-x11-drv-fbdev, xorg-x11-drv-vesa, and xorg-x11-drv-vmware video drivers are installed by default and the graphical login window is displayed after a RHEL 8.0 and later Server installation.

Rescue mode no longer fails without displaying an error message

Previously, running rescue mode on a system with no Linux partitions resulted in the installation program failing with an exception. With this update, the installation program displays the error message “You don’t have any Linux partitions” when a system with no Linux partitions is detected.

The installation program now sets the lvm_metadata_backup Blivet flag for image installations

Previously, the installation program failed to set the lvm_metadata_backup Blivet flag for image installations. As a consequence, LVM backup files were located in the /etc/lvm/ subdirectory after an image installation. With this update, the installation program sets the lvm_metadata_backup Blivet flag, and as a result, there are no LVM backup files located in the /etc/lvm/ subdirectory after an image installation.

The RHEL 8 installation program now handles strings from RPM

Previously, when the python3-rpm library returned a string, the installation program failed with an exception. With this update, the installation program can now handle strings from RPM.

The inst.repo kernel boot parameter now works for a repository on a hard drive that has a non-root path

Previously, the RHEL 8 installation process could not proceed without manual intervention if the inst.repo=hd:<device>:<path> kernel boot parameter was pointing to a repository (not an ISO image) on a hard drive, and a non-root (/) path was used. With this update, the installation program can now propagate any <path> for a repository located on a hard drive, ensuring the installation proceeds as normal.

The --changesok option now allows the installation program to change the root password

Previously, using the --changesok option when installing Red Hat Enterprise Linux 8 from a Kickstart file did not allow the installation program to change the root password. With this update, the --changesok option is successfully passed by Kickstart, and as a result, users specifying the pwpolicy root –changesok option in their Kickstart file can now change the root password using the GUI, even if the password has already been set by Kickstart.

Image Building no longer fails when using lorax-composer API

Previously, when using lorax-composer API from a subscribed RHEL system, the image building process always failed. Anaconda could not access the repositories, because the subscription certificates from the host are not passed through. To fix the issue update lorax-composer, pykickstart, and Anaconda packages. That will allow to pass supported CDN certificates.

systemd in debug mode no longer produces unnecessary log messages

When using the systemd system and service manager in debug mode, systemd previously produced unnecessary and harmless log messages that started with:

fapolicyd no longer prevents RHEL updates

When an update replaces the binary of a running application, the kernel modifies the application binary path in memory by appending the " (deleted)" suffix. Previously, the fapolicyd file access policy daemon treated such applications as untrusted, and prevented them from opening and executing any other files. As a consequence, the system was sometimes unable to boot after applying updates.

SELinux no longer prevents Tomcat from sending emails

Prior to this update, the SELinux policy did not allow the tomcat_t and pki_tomcat_t domains to connect to SMTP ports. Consequently, SELinux denied applications on the Tomcat server from sending emails. With this update of the selinux-policy packages, the policy allows processes from the Tomcat domains access SMTP ports, and SELinux no longer prevents applications on Tomcat from sending emails.

lockdev now runs correctly with SELinux

Previously, the lockdev tool could not transition into the lockdev_t context even though the SELinux policy for lockdev_t was defined. As a consequence, lockdev was allowed to run in the ‘unconfined_t’ domain when used by the root user. This introduced vulnerabilities into the system. With this update, the transition into lockdev_t has been defined, and lockdev can now be used correctly with SELinux in enforcing mode.

iotop now runs correctly with SELinux

Previously, the iotop tool could not transition into the iotop_t context even though the SELinux policy for iotop_t was defined. As a consequence, iotop was allowed to run in the ‘unconfined_t’ domain when used by the root user. This introduced vulnerabilities into the system. With this update, the transition into iotop_t has been defined, and iotop can now be used correctly with SELinux in enforcing mode.

SELinux now properly handles NFS ‘crossmnt’

The NFS protocol with the crossmnt option automatically creates internal mounts when a process accesses a subdirectory already used as a mount point on the server. Previously, this caused SELinux to check whether the process accessing an NFS mounted directory had a mount permission, which caused AVC denials. In the current version, SELinux permission checking skips these internal mounts. As a result, accessing an NFS directory that is mounted on the server side does not require mount permission.

An SELinux policy reload no longer causes false ENOMEM errors

Reloading the SELinux policy previously caused the internal security context lookup table to become unresponsive. Consequently, when the kernel encountered a new security context during a policy reload, the operation failed with a false "Out of memory" (ENOMEM) error. With this update, the internal Security Identifier (SID) lookup table has been redesigned and no longer freezes. As a result, the kernel no longer returns misleading ENOMEM errors during an SELinux policy reload.

Unconfined domains can now use smc_socket

Previously, the SELinux policy did not have the allow rules for the smc_socket class. Consequently, SELinux blocked an access to smc_socket for the unconfined domains. With this update, the allow rules have been added to the SELinux policy. As a result, the unconfined domains can use smc_socket.

Kerberos cleanup procedures are now compatible with GSSAPIDelegateCredentials and default cache from krb5.conf

Previously, when the default_ccache_name option was configured in the krb5.conf file, the kerberos credentials were not cleaned up with the GSSAPIDelegateCredentials and GSSAPICleanupCredentials options set. This bug is now fixed by updating the source code to clean up credential caches in the described use cases. After the configuration, the credential cache gets cleaned up on exit if the user configures it.

OpenSSH now correctly handles PKCS #11 URIs for keys with mismatching labels

Previously, specifying PKCS #11 URIs with the object part (key label) could prevent OpenSSH from finding related objects in PKCS #11. With this update, the label is ignored if the matching objects are not found, and keys are matched only by their IDs. As a result, OpenSSH is now able to use keys on smart cards referenced using full PKCS #11 URIs.

SSH connections with VMware-hosted systems now work properly

The previous version of the OpenSSH suite introduced a change of the default IP Quality of Service (IPQoS) flags in SSH packets, which was not correctly handled by the VMware virtualization platform. Consequently, it was not possible to establish an SSH connection with systems on VMware. The problem has been fixed in VMWare Workstation 15, and SSH connections with VMware-hosted systems now work correctly.

curve25519-sha256 is now supported by default in OpenSSH

Previously, the curve25519-sha256 SSH key exchange algorithm was missing in the system-wide crypto policies configurations for the OpenSSH client and server even though it was compliant with the default policy level. As a consequence, if a client or a server used curve25519-sha256 and this algorithm was not supported by the host, the connection might fail. This update of the crypto-policies package fixes the bug, and SSH connections no longer fail in the described scenario.

Ansible playbooks for OSPP and PCI-DSS profiles no longer exit after encountering a failure

Previously, Ansible remediations for the Security Content Automation Protocol (OSPP) and the Payment Card Industry Data Security Standard (PCI-DSS) profiles failed due to incorrect ordering and other errors in the remediations. This update fixes the ordering and errors in generated Ansible remediation playbooks, and Ansible remediations now work correctly.

Audit transport=KRB5 now works properly

Prior to this update, Audit KRB5 transport mode did not work correctly. Consequently, Audit remote logging using the Kerberos peer authentication did not work. With this update, the problem has been fixed, and Audit remote logging now works properly in the described scenario.

The kernel now supports destination MAC addresses in bitmap:ipmac, hash:ipmac, and hash:mac IP set types

Previously, the kernel implementation of the bitmap:ipmac, hash:ipmac, and hash:mac IP set types only allowed matching on the source MAC address, while destination MAC addresses could be specified, but were not matched against set entries. As a consequence, administrators could create iptables rules that used a destination MAC address in one of these IP set types, but packets matching the given specification were not actually classified. With this update, the kernel compares the destination MAC address and returns a match if the specified classification corresponds to the destination MAC address of a packet. As a result, rules that match packets against the destination MAC address now work correctly.

The gnome-control-center application now supports editing advanced IPsec settings

Previously, the gnome-control-center application only displayed the advanced options of IPsec VPN connections. Consequently, users could not change these settings. With this update, the fields in the advanced settings are now editable, and users can save the changes.

The TRACE target in the iptables-extensions(8) man page has been updated

Previously, the description of the TRACE target in the iptables-extensions(8) man page referred only to the compat variant, but Red Hat Enterprise Linux 8 uses the nf_tables variant. As a consequence, the man page did not reference the xtables-monitor command-line utility to display TRACE events. The man page has been updated and, as a result, now mentions xtables-monitor.

Error logging in the ipset service has been improved

Previously, the ipset service did not report configuration errors with a meaningful severity in the systemd logs. The severity level for invalid configuration entries was only informational, and the service did not report errors for an unusable configuration. As a consequence, it was difficult for administrators to identify and troubleshoot issues in the ipset service’s configuration. With this update, ipset reports configuration issues as warnings in systemd logs and, if the service fails to start, it logs an entry with the error severity including further details. As a result, it is now easier to troubleshoot issues in the configuration of the ipset service.

The ipset service now ignores invalid configuration entries during startup

The ipset service stores configurations as sets in separate files. Previously, when the service started, it restored the configuration from all sets in a single operation, without filtering invalid entries that can be inserted by manually editing a set. As a consequence, if a single configuration entry was invalid, the service did not restore further unrelated sets. The problem has been fixed. As a result, the ipset service detects and removes invalid configuration entries during the restore operation, and ignores invalid configuration entries.

The ipset list command reports consistent memory for hash set types

When you add entries to a hash set type, the ipset utility must resize the in-memory representation to for new entries by allocating an additional memory block. Previously, ipset set the total per-set allocated size to only the size of the new block instead of adding the value to the current in-memory size. As a consequence, the ip list command reported an inconsistent memory size. With this update, ipset correctly calculates the in-memory size. As a result, the ipset list command now displays the correct in-memory size of the set, and the output matches the actual allocated memory for hash set types.

The kernel now correctly updates PMTU when receiving ICMPv6 Packet Too Big message

In certain situations, such as for link-local addresses, more than one route can match a source address. Previously, the kernel did not check the input interface when receiving Internet Control Message Protocol Version 6 (ICMPv6) packets. Therefore, the route lookup could return a destination that did not match the input interface. Consequently, when receiving an ICMPv6 Packet Too Big message, the kernel could update the Path Maximum Transmission Unit (PMTU) for a different input interface. With this update, the kernel checks the input interface during the route lookup. As a result, the kernel now updates the correct destination based on the source address and PMTU works as expected in the described scenario.

The /etc/hosts.allow and /etc/hosts.deny files no longer contain outdated references to removed tcp_wrappers

Previously, the /etc/hosts.allow and /etc/hosts.deny files contained outdated information about the tcp_wrappers package. The files are removed in RHEL 8 as they are no longer needed for tcp_wrappers which is removed.

tpm2-abrmd-selinux now has a proper dependency on selinux-policy-targeted

Previously, the tpm2-abrmd-selinux package had a dependency on the selinux-policy-base package instead of the selinux-policy-targeted package. Consequently, if a system had selinux-policy-minimum installed instead of selinux-policy-targeted, installation of the tpm2-abrmd-selinux package failed. This update fixes the bug and tpm2-abrmd-selinux can be installed correctly in the described scenario.

All /sys/kernel/debug files can be accessed

Previously, the return value for "Operation not permitted" (EPERM) error remained set until the end of the function regardless of the error. Consequently, any attempts to access certain /sys/kernel/debug (debugfs) files failed with an unwarranted EPERM error. This update moves the EPERM return value to the following block. As a result, debugfs files can be accessed without problems in the described scenario.

NICs are no longer affected by a bug in the qede driver for the 41000 and 45000 FastLinQ series

Previously, firmware upgrade and debug data collection operations failed due to a bug in the qede driver for the 41000 and 45000 FastLinQ series. It made the NIC unusable. The reboot (PCI reset) of the host made the NIC operational again.

The generic EDAC GHES driver now detects which DIMM reported an error

Previously, the EDAC GHES driver was not able to detect which DIMM reported an error. Consequently, the following error message appeared:

podman is able to checkpoint containers in RHEL 8

Previously, the version of the Checkpoint and Restore In Userspace (CRIU) package was outdated. Consequently, CRIU did not support container checkpoint and restore functionality, and the podman utility failed to checkpoint containers. When running the podman container checkpoint command, the following error message was displayed:

early-kdump and standard kdump no longer fail if the add_dracutmodules+=earlykdump option is used in dracut.conf

Previously, an inconsistency occurred between the kernel version being installed for early-kdump and the kernel version initramfs was generated for. As a consequence, booting failed when early-kdump was enabled. In addition, if early-kdump detected that it was being included in a standard kdump initramfs image, it forced an exit. Therefore the standard kdump service also failed when trying to rebuild kdump initramfs if early-kdump was added as a default dracut module. As a consequence, early-kdump and standard kdump both failed. With this update, early-kdump uses the consistent kernel name during the installation, only the version differs from the running kernel. Also, the standard kdump service will forcibly drop early-kdump to avoid image generation failure. As a result, early-kdump and standard kdump no longer fail in the described scenario.

The first kernel with SME enabled now succeeds in dumping the vmcore

Previously, the encrypted memory in the first kernel with the active Secure Memory Encryption (SME) feature caused a failure of the kdump mechanism. Consequently, the first kernel was not able to dump the contents (vmcore) of its memory. With this update, the ioremap_encrypted() function has been added to remap the encrypted memory and modify the related code. As a result, the encrypted first kernel’s memory is now properly accessed, and the vmcore can be dumped and parsed by the crash tools in the described scenario.

The first kernel with SEV enabled now succeeds in dumping the vmcore

Previously, the encrypted memory in the first kernel with the active Secure Encrypted Virtualization (SEV) feature caused a failure of the kdump mechanism. Consequently, the first kernel was not able to dump the contents (vmcore) of its memory. With this update, the ioremap_encrypted() function has been added to remap the encrypted memory and modify the related code. As a result, the first kernel’s encrypted memory is now properly accessed, and the vmcore can be dumped and parsed by the crash tools in the described scenario.

Kernel now reserves more space for SWIOTLB

Previously, when Secure Encrypted Virtualization (SEV) or Secure Memory Encryption (SME) features was enabled in the kernel, the Software Input Output Translation Lookaside Buffer (SWIOTLB) technology had to be enabled as well and consumed a significant amount of memory. Consequently, the capture kernel failed to boot or got an out-of-memory error. This update fixes the bug by reserving extra crashkernel memory for SWIOTLB while SEV/SME is active. As a result, the capture kernel has more memory reserved for SWIOTLB and the bug no longer appears in the described scenario.

C-state transitions can now be disabled during hwlatdetect runs

To achieve real-time performance, the hwlatdetect utility needs to be able to disable power saving in the CPU during test runs. This update allows hwlatdetect to turn off C-state transitions for the duration of the test run and hwlatdetect is now able to detect hardware latencies more accurately.

The openmpi package can be installed now

Previously, a rebase on opensm package changed its soname mechanism. As a consequence, the openmpi package could not be installed due to unresolved dependencies. This update fixes the problem. As a result, the openmpi package can be installed now without any issue.

The RHEL 8 installation program now uses the entry ID to set the default boot entry

Previously, the RHEL 8 installation program used the index of the first boot entry as the default, instead of using the entry ID. As a consequence, adding a new boot entry became the default, as it was sorted first and set to the first index. With this update, the installation program uses the entry ID to set the default boot entry, and as a result, the default entry is not changed, even if boot entries are added and sorted before the default.

The system now boots successfully when SME is enabled with smartpqi

Previously, the system failed to boot on certain AMD machines when the Secure Memory Encryption (SME) feature was enabled and the root disk was using the smartpqi driver.

FCoE LUNs do not disappear after being created on the bnx2fc cards

Previously, after creating a FCoE LUN on the bnx2fc cards, the FCoE LUNs were not attached correctly. As a consequence, FCoE LUNs disappeared after being created on the bnx2fc cards on RHEL 8.0. With this update, FCoE LUNs are attached correctly. As a result, it is now possible to discover the FCoE LUNs after they are created on the bnx2fc cards.

VDO volumes no longer lose deduplication advice after moving to a different-endian platform

Previously, the Universal Deduplication Service (UDS) index lost all deduplication advice after moving the VDO volume to a platform that used a different endian. As a consequence, VDO was unable to deduplicate newly written data against the data that was stored before you moved the volume, leading to lower space savings.

kdump service works on large IBM POWER systems

Previously, RHEL8 kdump kernel did not start. As a consequence, the kdump initrd file on large IBM POWER systems was not created. With this update, squashfs-tools-4.3-19.el8 component is added. This update adds a limit (128) to the number of CPUs which the squashfs-tools-4.3-19.el8 component can use from the available pool (instead of using all the available CPUs). This fixes the running out of resources error. As a result, kdump service now works on large IBM POWER systems.

Verbosity debug options now added to nfs.conf

Previously, the /etc/nfs.conf file and the nfs.conf(5) man page did not include the following options:

Socket::inet_aton() can now be used from multiple threads safely

Previously, the Socket::inet_aton() function, used for resolving a domain name from multiple Perl threads, called the unsafe gethostbyname() glibc function. Consequently, an incorrect IPv4 address was occasionally returned, or the Perl interpreter terminated unexpectedly. With this update, the Socket::inet_aton() implementation has been changed to use the thread-safe getaddrinfo() glibc function instead of gethostbyname(). As a result, the inet_aton() function from Perl Socket module can be used from multiple threads safely.

gettext returns untranslated text even when out of memory

Previously, the gettext() function for text localization returned the NULL value instead of text when out of memory, resulting in applications lacking text output or labels. The bug has been fixed and now, gettext() - returns untranslated text when out of memory as expected.

The locale command now warns about LOCPATH being set whenever it encounters an error during execution

Previously, the locale command did not provide any diagnostics for the LOCPATH environment variable when it encountered errors due to an invalid LOCPATH. The locale command is now set to warn that LOCPATH has been set any time it encounters an error during execution. As a result, locale now reports LOCPATH along with any underlying errors that it encounters.

gdb now can read and correctly represent z registers in core files on aarch64 SVE

Previously, the gdb component failed to read z registers from core files with aarch64 scalable vector extension (SVE) architecture. With this update, the gdb component is now able to read z registers from core files. As a result, the info register command successfully shows the z register contents.

GCC rebased to version 8.3.1

The GNU Compiler Collection (GCC) has been updated to upstream version 8.3.1. This version brings a large number of miscellaneous bug fixes.

FreeRADIUS now resolves hostnames pointing to IPv6 addresses

In previous RHEL 8 versions of FreeRADIUS, the ipaddr utility only supported IPv4 addresses. Consequently, for the radiusd daemon to resolve IPv6 addresses, a manual update of the configuration was required after an upgrade of the system from RHEL 7 to RHEL 8. This update fixes the underlying code, and ipaddr in FreeRADIUS now uses IPv6 addresses, too.

The Nuxwdog service no longer fails to start the PKI server in HSM environments

Previously, due to bugs, the keyutils package was not installed as a dependency of the pki-core package. Additionally, the Nuxwdog watchdog service failed to start the public key infrastructure (PKI) server in environments that use a hardware security module (HSM). These problems have been fixed. As a result, the required keyutils package is now installed automatically as a dependency, and Nuxwdog starts the PKI server as expected in environments with HSM.

The IdM server now works correctly in the FIPS mode

Previously, the SSL connector for Tomcat server was incompletely implemented. As a consequence, the Identity Management (IdM) server with an installed certificate server did not work on machines with the FIPS mode enabled. This bug has been fixed by adding JSSTrustManager and JSSKeyManager. As a result, the IdM server works correctly in the described scenario.

The KCM credential cache is now suitable for a large number of credentials in a single credential cache

Previously, if the Kerberos Credential Manager (KCM) contained a large number of credentials, Kerberos operations, such as kinit, failed due to a limitation of the size of entries in the database and the number of these entries.

Samba no longer denies access when using the sss ID mapping plug-in

Previously, when you ran Samba on the domain member with this configuration and added a configuration that used the sss ID mapping back end to the /etc/samba/smb.conf file to share directories, changes in the ID mapping back end caused errors. Consequently, Samba denied access to files in certain cases, even if the user or group existed and it was known by SSSD. The problem has been fixed. As a result, Samba no longer denies access when using the sss plug-in.

Default SSSD time-out values no longer conflict with each other

Previously, there was a conflict between the default time-out values. The default values for the following options have been changed to improve the failover capability:

systemctl isolate multi-user.target now displays the console prompt

When running the systemctl isolate multi-user.target command from GNOME Terminal in a GNOME Desktop session, only a cursor was displayed, and not the console prompt. This update fixes gdm, and the console prompt is now displayed as expected in the described situation.

The 'i915' display driver now supports display configurations up to 3×4K.

Previously, it was not possible to have display configurations larger than 2×4K when using the 'i915' display driver in an Xorg session. With this update, the 'i915' driver now supports display configurations up to 3×4K.

Linux guests no longer display an error when initializing the GPU driver

Previously, Linux guests returned a warning when initializing the GPU driver. This happened because Intel Graphics Virtualization Technology –g (GVT -g) only simulates the DisplayPort (DP) interface for guest and leaves the ‘EDP_PSR_IMR’ and ‘EDP_PSR_IIR’ registers as default memory-mapped I/O (MMIO) read/write registers. To resolve this issue, handlers have been added to these registers and the warning is no longer returned.

It is possible to login to RHEL web console with session_recording shell

Previously, it was not possible for users of the tlog shell (which enables session recording) to log in to the RHEL web console. This update fixes the bug. The previous workaround of adding the tlog-rec-session shell to /etc/shells/ should be reverted after installing this update.

Hot-plugging PCI devices to a pcie-to-pci bridge controller works correctly

Previously, if a guest virtual machine configuration contained a pcie-to-pci-bridge controller that had no endpoint devices attached to it at the time the guest was started, hot-plugging new devices to that controller was not possible. This update improves how hot-plugging legacy PCI devices on a PCIe system is handled, which prevents the problem from occurring.

Enabling nested virtualization no longer blocks live migration

Previously, the nested virtualization feature was incompatible with live migration. As a consequence, enabling nested virtualization on a RHEL 8 host prevented migrating any virtual machines (VMs) from the host, as well as saving VM state snapshots to disk. This update fixes the described problem, and the impacted VMs are now possible to migrate.

redhat-support-tool now creates an sosreport archive

Previously, the redhat-support-tool utility was unable to create an sosreport archive. The workaround was running the sosreport command separately and then entering the redhat-support-tool addattachment -c command to upload the archive. Users can also use the web UI on Customer Portal which creates the customer case and uploads the sosreport archive.

TIPC has full support

The Transparent Inter Process Communication (TIPC) is a protocol specially designed for efficient communication within clusters of loosely paired nodes. It works as a kernel module and provides a tipc tool in iproute2 package to allow designers to create applications that can communicate quickly and reliably with other applications regardless of their location within the cluster. This feature is now fully supported in RHEL 8.

eBPF for tc available as a Technology Preview

As a Technology Preview, the Traffic Control (tc) kernel subsystem and the tc tool can attach extended Berkeley Packet Filtering (eBPF) programs as packet classifiers and actions for both ingress and egress queueing disciplines. This enables programmable packet processing inside the kernel network data path.

nmstate available as a Technology Preview

Nmstate is a network API for hosts. The nmstate packages, available as a Technology Preview, provide a library and the nmstatectl command-line utility to manage host network settings in a declarative manner. The networking state is described by a pre-defined schema. Reporting of the current state and changes to the desired state both conform to the schema.

AF_XDP available as a Technology Preview

Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It accompanies XDP and grants efficient redirection of programmatically selected packets to user space applications for further processing.

XDP available as a Technology Preview

The eXpress Data Path (XDP) feature, which is available as a Technology Preview, provides a means to attach extended Berkeley Packet Filter (eBPF) programs for high-performance packet processing at an early point in the kernel ingress data path, allowing efficient programmable packet analysis, filtering, and manipulation.

KTLS available as a Technology Preview

In Red Hat Enterprise Linux 8, Kernel Transport Layer Security (KTLS) is provided as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also provides the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that support this functionality.

The systemd-resolved service is now available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, an Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

Control Group v2 available as a Technology Preview in RHEL 8

Control Group v2 mechanism is a unified hierarchy control group. Control Group v2 organizes processes hierarchically and distributes system resources along the hierarchy in a controlled and configurable manner.

kexec fast reboot as a Technology Preview

The kexec fast reboot feature, continues to be available as a Technology Preview. Rebooting is now significantly faster thanks to kexec fast reboot. To use this feature, load the kexec kernel manually, and then reboot the operating system.

eBPF available as a Technology Preview

Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions.

Soft-RoCE available as a Technology Preview

Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol which implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which supports two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL 8.

The igc driver available as a Technology Preview for RHEL 8

The igc Intel 2.5G Ethernet Linux wired LAN driver is now available on all architectures for RHEL 8 as a Technology Preview. The ethtool utility also supports igc wired LANs.

NVMe/TCP is available as a Technology Preview

Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) and its corresponding nvme-tcp.ko and nvmet-tcp.ko kernel modules have been added as a Technology Preview.

File system DAX is now available for ext4 and XFS as a Technology Preview

In Red Hat Enterprise Linux 8.1, file system DAX is available as a Technology Preview. DAX provides a means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that supports DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.

OverlayFS

OverlayFS is a type of union file system. It enables you to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media.

Stratis is now available as a Technology Preview

Stratis is a new local storage manager. It provides managed file systems on top of pools of storage with additional features to the user.

A Samba server, available to IdM and AD users logged into IdM hosts, can now be set up on an IdM domain member as a Technology Preview

With this update, you can now set up a Samba server on an Identity Management (IdM) domain member. The new ipa-client-samba utility provided by the same-named package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For example, the utility creates the /etc/samba/smb.conf with the ID mapping configuration for the sss ID mapping back end. As a result, administrators can now set up Samba on an IdM domain member.

Pacemaker podman bundles available as a Technology Preview

Pacemaker container bundles now run on the podman container platform, with the container bundle feature being available as a Technology Preview. There is one exception to this feature being Technology Preview: Red Hat fully supports the use of Pacemaker bundles for Red Hat Openstack.

Heuristics in corosync-qdevice available as a Technology Preview

Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which partition should be quorate.

New fence-agents-heuristics-ping fence agent

As a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as Technology Preview.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

VNC remote console available as a Technology Preview for the 64-bit ARM architecture

On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available as a Technology Preview. Note that the rest of the graphics stack is currently unverified for the 64-bit ARM architecture.

The postfix role of RHEL system roles available as a Technology Preview

Red Hat Enterprise Linux system roles provides a configuration interface for Red Hat Enterprise Linux subsystems, which makes system configuration easier through the inclusion of Ansible Roles. This interface enables managing system configurations across multiple versions of Red Hat Enterprise Linux, as well as adopting new major releases.

rhel-system-roles-sap available as a Technology Preview

The rhel-system-roles-sap package provides Red Hat Enterprise Linux (RHEL) system roles for SAP, which can be used to automate the configuration of a RHEL system to run SAP workloads. These roles greatly reduce the time to configure a system to run SAP workloads by automatically applying the optimal settings that are based on best practices outlined in relevant SAP Notes. Access is limited to RHEL for SAP Solutions offerings. Please contact Red Hat Customer Support if you need assistance with your subscription.

rhel-system-roles-sap rebased to version 1.1.1

With the RHBA-2019:4258 advisory, the rhel-system-roles-sap package has been updated to provide multiple bug fixes. Notably:

Select Intel network adapters now support SR-IOV in RHEL guests on Hyper-V

As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions are met:

KVM virtualization is usable in RHEL 8 Hyper-V virtual machines

As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a Hyper-V host.

AMD SEV for KVM virtual machines

As a Technology Preview, RHEL 8 introduces the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts VM memory so that the host cannot access data on the VM. This increases the security of the VM if the host is successfully infected by malware.

Intel vGPU

As a Technology Preview, it is now possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.

Nested virtualization now available on IBM POWER 9

As a Technology Preview, it is now possible to use the nested virtualization features on RHEL 8 host machines running on IBM POWER 9 systems. Nested virtualization enables KVM virtual machines (VMs) to act as hypervisors, which allows for running VMs inside VMs.

Creating nested virtual machines

As a Technology Preview, nested virtualization is available for KVM virtual machines (VMs) in RHEL 8. With this feature, a VM that runs on a physical host can act as a hypervisor, and host its own VMs.

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

Several Kickstart commands and options have been deprecated

Using the following commands and options in RHEL 8 Kickstart files will print a warning in the logs.

The --interactive option of the ignoredisk Kickstart command has been deprecated

Using the --interactive option in future releases of Red Hat Enterprise Linux will result in a fatal installation error. It is recommended that you modify your Kickstart file to remove the option.

The rpmbuild --sign command has been deprecated

With this update, the rpmbuild --sign command has become deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in an error. It is recommended that you use the rpmsign command instead.

TLS 1.0 and TLS 1.1 are deprecated

The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level. If your scenario, for example, a video conferencing application in the Firefox web browser, requires using the deprecated protocols, switch the system-wide cryptographic policy to the LEGACY level:

DSA is deprecated in RHEL 8

The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level.

SSL2 Client Hello has been deprecated in NSS

The Transport Layer Security (TLS) protocol version 1.2 and earlier allow to start a negotiation with a Client Hello message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network Security Services (NSS) library has been deprecated and it is disabled by default.

TPM 1.2 is deprecated

The Trusted Platform Module (TPM) secure cryptoprocessor standard version was updated to version 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major release.

Network scripts are deprecated in RHEL 8

Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by default. The basic installation provides a new version of the ifup and ifdown scripts which call the NetworkManager service through the nmcli tool. In Red Hat Enterprise Linux 8, to run the ifup and the ifdown scripts, NetworkManager must be running.

Diskless boot has been deprecated

Diskless booting allows multiple systems to share a root filesystem via the network. While convenient, it is prone to introducing network latency in realtime workloads. With a future minor update of RHEL for Real Time 8, the diskless booting will no longer be supported.

The rdma_rxe Soft-RoCE driver is deprecated

Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is available as an unsupported Technology Preview. However, due to stability issues, this feature has been deprecated and will be removed in RHEL 9.

The qla3xxx driver is deprecated

The qla3xxx driver has been deprecated in RHEL 8. The driver will likely not be supported in future major releases of this product, and thus it is not recommended for new deployments.

The dl2k, dnet, ethoc, and dlci drivers are deprecated

The dl2k, dnet, ethoc, and dlci drivers have been deprecated in RHEL 8. The drivers will likely not be supported in future major releases of this product, and thus they are not recommended for new deployments.

The elevator kernel command line parameter is deprecated

The elevator kernel command line parameter was used in earlier RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated.

NFSv3 over UDP has been disabled

The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. This change affects only NFS version 3 because version 4 requires the Transmission Control Protocol (TCP).

The libgnome-keyring library has been deprecated

The libgnome-keyring library has been deprecated in favor of the libsecret library, as libgnome-keyring is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. The new libsecret library is the replacement that follows the necessary security standards.

AGP graphics cards are no longer supported

Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement.

The web console no longer supports incomplete translations

The RHEL web console no longer provides translations for languages that have translations available for less than 50 % of the Console’s translatable strings. If the browser requests translation to such a language, the user interface will be in English instead.

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL 8 web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager may not be yet available the RHEL 8 web console.

Virtual machine snapshots are not properly supported in RHEL 8

The current mechanism of creating virtual machine (VM) snapshots has been deprecated, as it is not working reliably. As a consequence, it is recommended not to use VM snapshots in RHEL 8.

The Cirrus VGA virtual GPU type has been deprecated

With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga, virtio-vga, or qxl devices instead of Cirrus VGA.

The auth and authconfig Kickstart commands require the AppStream repository

The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.

The reboot --kexec and inst.kexec commands do not provide a predictable system state

Performing a RHEL installation with the reboot --kexec Kickstart command or the inst.kexec kernel boot parameters do not provide the same predictable system state as a full reboot. As a consequence, switching to the installed system without rebooting can produce unpredictable results.

Anaconda installation includes low limits of minimal resources setting requirements

Anaconda initiates the installation on systems with minimal resource settings required available and do not provide previous message warning about the required resources for performing the installation successfully. As a result, the installation can fail and the output errors do not provide clear messages for possible debug and recovery. To work around this problem, make sure that the system has the minimal resources settings required for installation: 2GB memory on PPC64(LE) and 1GB on x86_64. As a result, it should be possible to perform a successful installation.

Installation fails when using the reboot --kexec command

The RHEL 8 installation fails when using a Kickstart file that contains the reboot --kexec command. To avoid the problem, use the reboot command instead of reboot --kexec in your Kickstart file.

Support secure boot for s390x in the installer

RHEL 8.1 provides support for preparing boot disks for use in IBM Z environments that enforce the use of secure boot. The capabilities of the server and Hypervisor used during installation determine if the resulting on-disk format contains secure boot support or not. There is no way to influence the on-disk format during installation.

RHEL 8 initial setup cannot be performed via SSH

Currently, the RHEL 8 initial setup interface does not display when logged in to the system using SSH. As a consequence, it is impossible to perform the initial setup on a RHEL 8 machine managed via SSH. To work around this problem, perform the initial setup in the main system console (ttyS0) and, afterwards, log in using SSH.

The default value for the secure= boot option is not set to auto

Currently, the default value for the secure= boot option is not set to auto. As a consequence, the secure boot feature is not available because the current default is disabled. To work around this problem, manually set secure=auto in the [defaultboot] section of the /etc/zipl.conf file. As a result, the secure boot feature is made available. For more information, see the zipl.conf man page.

Copying the content of the Binary DVD.iso file to a partition omits the .treeinfo and .discinfo files

During local installation, while copying the content of the RHEL 8 Binary DVD.iso image file to a partition, the * in the cp <path>/\* <mounted partition>/dir command fails to copy the .treeinfo and .discinfo files. These files are required for a successful installation. As a result, the BaseOS and AppStream repositories are not loaded, and a debug-related log message in the anaconda.log file is the only record of the problem.

Self-signed HTTPS server cannot be used in Kickstart installation

Currently, the installer fails to install from a self-signed https server when the installation source is specified in the kickstart file and the --noverifyssl option is used:

yum repolist ends on first unavailable repository with skip_if_unavailable=false

The repository configuration option skip_if_unavailable is by default set as follows:

syspurpose addons have no effect on the subscription-manager attach --auto output.

In Red Hat Enterprise Linux 8, four attributes of the syspurpose command-line tool have been added: role,usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect the output of running the subscription-manager attach --auto command. Users who attempt to set values to the addons argument will not observe any effect on the subscriptions that are auto-attached.

Applications using Wayland protocol cannot be forwarded to remote display servers

In Red Hat Enterprise Linux 8.1, most applications use the Wayland protocol by default instead of the X11 protocol. As a consequence, the ssh server cannot forward the applications that use the Wayland protocol but is able to forward the applications that use the X11 protocol to a remote display server.

systemd-resolved.service fails to start on boot

The systemd-resolved service occasionally fails to start on boot. If this happens, restart the service manually after the boot finishes by using the following command:

Support for DNSSEC in dnsmasq

The dnsmasq package introduces Domain Name System Security Extensions (DNSSEC) support for verifying hostname information received from root servers.

redhat-support-tool does not work with the FUTURE crypto policy

Because a cryptographic key used by a certificate on the Customer Portal API does not meet the requirements by the FUTURE system-wide cryptographic policy, the redhat-support-tool utility does not work with this policy level at the moment. To work around this problem, use the DEFAULT crypto policy while connecting to the Customer Portal API.

SELINUX=disabled in /etc/selinux/config does not work properly

Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots with SELinux enabled and switches to disabled mode later in the boot process. This might cause memory leaks and race conditions and consequently also kernel panics. To work around this problem, disable SELinux by adding the selinux=0 parameter to the kernel command line as described in the Changing SELinux modes at boot time section of the Using SELinux title if your scenario really requires to completely disable SELinux.

libselinux-python is available only through its module

The libselinux-python package contains only Python 2 bindings for developing SELinux applications and it is used for backward compatibility. For this reason, libselinux-python is no longer available in the default RHEL 8 repositories through the dnf install libselinux-python command.

udica processes UBI 8 containers only when started with --env container=podman

The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. This prevents the udica tool from analyzing a container JavaScript Object Notation (JSON) file.

Removing the rpm-plugin-selinux package leads to removing all selinux-policy packages from the system

Removing the rpm-plugin-selinux package disables SELinux on the machine. It also removes all selinux-policy packages from the system. Repeated installation of the rpm-plugin-selinux package then installs the selinux-policy-minimum SELinux policy, even if the selinux-policy-targeted policy was previously present on the system. However, the repeated installation does not update the SELinux configuration file to account for the change in policy. As a consequence, SELinux is disabled even upon reinstallation of the rpm-plugin-selinux package.

SELinux prevents systemd-journal-gatewayd to call newfstatat() on shared memory files created by corosync

SELinux policy does not contain a rule that allows the systemd-journal-gatewayd daemon to access files created by the corosync service. As a consequence, SELinux denies systemd-journal-gatewayd to call the newfstatat() function on shared memory files created by corosync.

Negative effects of the default logging setup on performance

The default logging environment setup might consume 4 GB of memory or even more and adjustments of rate-limit values are complex when systemd-journald is running with rsyslog.

Parameter not known errors in the rsyslog output with config.enabled

In the rsyslog output, an unexpected bug occurs in configuration processing errors using the config.enabled directive. As a consequence, parameter not known errors are displayed while using the config.enabled directive except for the include() statements.

Certain rsyslog priority strings do not work correctly

Support for the GnuTLS priority string for imtcp that allows fine-grained control over encryption is not complete. Consequently, the following priority strings do not work properly in rsyslog:

Connections to servers with SHA-1 signatures do not work with GnuTLS

SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS connection to peers that offer such certificates. This behavior is inconsistent with other system cryptographic libraries. To work around this problem, upgrade the server to use certificates signed with SHA-256 or stronger hash, or switch to the LEGACY policy.

TLS 1.3 does not work in NSS in FIPS mode

TLS 1.3 is not supported on systems working in FIPS mode. As a result, connections that require TLS 1.3 for interoperability do not function on a system working in FIPS mode.

OpenSSL incorrectly handles PKCS #11 tokens that does not support raw RSA or RSA-PSS signatures

The OpenSSL library does not detect key-related capabilities of PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created with a token that does not support raw RSA or RSA-PSS signatures.

The OpenSSL TLS library does not detect if the PKCS#11 token supports creation of raw RSA or RSA-PSS signatures

The TLS-1.3 protocol requires the support for RSA-PSS signature. If the PKCS#11 token does not support raw RSA or RSA-PSS signatures, the server applications which use OpenSSL TLS library will fail to work with the RSA key if it is held by the PKCS#11 token. As a result, TLS communication will fail.

OpenSSL generates a malformed status_request extension in the CertificateRequest message in TLS 1.3

OpenSSL servers send a malformed status_request extension in the CertificateRequest message if support for the status_request extension and client certificate-based authentication are enabled. In such case, OpenSSL does not interoperate with implementations compliant with the RFC 8446 protocol. As a result, clients that properly verify extensions in the ‘CertificateRequest’ message abort connections with the OpenSSL server. To work around this problem, disable support for the TLS 1.3 protocol on either side of the connection or disable support for status_request on the OpenSSL server. This will prevent the server from sending malformed messages.

ssh-keyscan cannot retrieve RSA keys of servers in FIPS mode

The SHA-1 algorithm is disabled for RSA signatures in FIPS mode, which prevents the ssh-keyscan utility from retrieving RSA keys of servers operating in that mode.

scap-security-guide PCI-DSS remediation of Audit rules does not work properly

The scap-security-guide package contains a combination of remediation and a check that can result in one of the following scenarios:

Certain sets of interdependent rules in SSG can fail

Remediation of SCAP Security Guide (SSG) rules in a benchmark can fail due to undefined ordering of rules and their dependencies. If two or more rules need to be executed in a particular order, for example, when one rule installs a component and another rule configures the same component, they can run in the wrong order and remediation reports an error. To work around this problem, run the remediation twice, and the second run fixes the dependent rules.

A utility for security and compliance scanning of containers is not available

In Red Hat Enterprise Linux 7, the oscap-docker utility can be used for scanning of Docker containers based on Atomic technologies. In Red Hat Enterprise Linux 8, the Docker- and Atomic-related OpenSCAP commands are not available.

OpenSCAP does not provide offline scanning of virtual machines and containers

Refactoring of OpenSCAP codebase caused certain RPM probes to fail to scan VM and containers file systems in offline mode. For that reason, the following tools were removed from the openscap-utils package: oscap-vm and oscap-chroot. Also, the openscap-containers package was completely removed.

OpenSCAP rpmverifypackage does not work correctly

The chdir and chroot system calls are called twice by the rpmverifypackage probe. Consequently, an error occurs when the probe is utilized during an OpenSCAP scan with custom Open Vulnerability and Assessment Language (OVAL) content.

SCAP Workbench fails to generate results-based remediations from tailored profiles

The following error occurs when trying to generate results-based remediation roles from a customized profile using the SCAP Workbench tool:

OSCAP Anaconda Addon does not install all packages in text mode

The OSCAP Anaconda Addon plugin cannot modify the list of packages selected for installation by the system installer if the installation is running in text mode. Consequently, when a security policy profile is specified using Kickstart and the installation is running in text mode, any additional packages required by the security policy are not installed during installation.

OSCAP Anaconda Addon does not correctly handle customized profiles

The OSCAP Anaconda Addon plugin does not properly handle security profiles with customizations in separate files. Consequently, the customized profile is not available in the RHEL graphical installation even when you properly specify it in the corresponding Kickstart section.

The formatting of the verbose output of arptables now matches the format of the utility on RHEL 7

In RHEL 8, the iptables-arptables package provides an nftables-based replacement of the arptables utility. Previously, the verbose output of arptables separated counter values only with a comma, while arptables on RHEL 7 separated the described output with both a space and a comma. As a consequence, if you used scripts created on RHEL 7 that parsed the output of the arptables -v -L command, you had to adjust these scripts. This incompatibility has been fixed. As a result, arptables on RHEL 8.1 now also separates counter values with both a space and a comma.

nftables does not support multi-dimensional IP set types

The nftables packet-filtering framework does not support set types with concatenations and intervals. Consequently, you cannot use multi-dimensional IP set types, such as hash:net,port, with nftables.

IPsec network traffic fails during IPsec offloading when GRO is disabled

IPsec offloading is not expected to work when Generic Receive Offload (GRO) is disabled on the device. If IPsec offloading is configured on a network interface and GRO is disabled on that device, IPsec network traffic fails.

The i40iw module does not load automatically on boot

Due to many i40e NICs not supporting iWarp and the i40iw module not fully supporting suspend/resume, this module is not automatically loaded by default to ensure suspend/resume works properly. To work around this problem, manually edit the /lib/udev/rules.d/90-rdma-hw-modules.rules file to enable automated load of i40iw.

Network interface is renamed to kdump-<interface-name> when fadump is used

When firmware-assisted dump (fadump) is utilized to capture a vmcore and store it to a remote machine using SSH or NFS protocol, the network interface is renamed to kdump-<interface-name> if <interface-name> is generic, for example, *eth#, or net#. This problem occurs because the vmcore capture scripts in the initial RAM disk (initrd) add the kdump- prefix to the network interface name to secure persistent naming. The same initrd is used also for a regular boot, so the interface name is changed for the production kernel too.

Systems with a large amount of persistent memory experience delays during the boot process

Systems with a large amount of persistent memory take a long time to boot because the initialization of the memory is serialized. Consequently, if there are persistent memory file systems listed in the /etc/fstab file, the system might timeout while waiting for devices to become available. To work around this problem, configure the DefaultTimeoutStartSec option in the /etc/systemd/system.conf file to a sufficiently large value.

KSM sometimes ignores NUMA memory policies

When the kernel shared memory (KSM) feature is enabled with the merge_across_nodes=1 parameter, KSM ignores memory policies set by the mbind() function, and may merge pages from some memory areas to Non-Uniform Memory Access (NUMA) nodes that do not match the policies.

The system enters the emergency mode at boot-time when fadump is enabled

The system enters the emergency mode when fadump (kdump) or dracut squash module is enabled in the initramfs scheme because systemd manager fails to fetch the mount information and configure the LV partition to mount. To work around this problem, add the following kernel command line parameter rd.lvm.lv=<VG>/<LV> to discover and mount the failed LV partition appropriately. As a result, the system will boot successfully in the described scenario.

Using irqpoll in the kdump kernel command line causes a vmcore generation failure

Due to an existing underlying problem with the nvme driver on the 64-bit ARM architectures running on the Amazon Web Services (AWS) cloud platforms, the vmcore generation fails if the irqpoll kdump command line argument is provided to the first kernel. Consequently, no vmcore is dumped in the /var/crash/ directory after a kernel crash. To work around this problem:

Debug kernel fails to boot in crash capture environment in RHEL 8

Due to memory-demanding nature of the debug kernel, a problem occurs when the debug kernel is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to boot as the capture kernel, and a stack trace is generated instead. To work around this problem, increase the crash kernel memory accordingly. As a result, the debug kernel successfully boots in the crash capture environment.

softirq changes can cause the localhost interface to drop UDP packets when under heavy load

Changes in the Linux kernel’s software interrupt (softirq) handling are done to reduce denial of service (DOS) effects. Consequently, this leads to situations where the localhost interface drops User Datagram Protocol (UDP) packets under heavy load.

The HP NMI watchdog in some cases does not generate a crash dump

The hpwdt driver for the HP NMI watchdog is sometimes not able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI was instead consumed by the perfmon driver. As a consequence, hpwdt in some cases cannot call a panic to generate a crash dump.

Installing RHEL 8.1 on a test system configured with a QL41000 card results in a kernel panic

While installing RHEL 8.1 on a test system configured with a QL41000 card, the system is unable to handle the kernel NULL pointer dereference at 000000000000003c card. As a consequence, it results in a kernel panic error. There is no work around available for this issue.

The cxgb4 driver causes crash in the kdump kernel

The kdump kernel crashes while trying to save information in the vmcore file. Consequently, the cxgb4 driver prevents the kdump kernel from saving a core for later analysis. To work around this problem, add the "novmcoredd" parameter to the kdump kernel command line to allow saving core files.

Certain SCSI drivers might sometimes use an excessive amount of memory

Certain SCSI drivers use a larger amount of memory than in RHEL 7. In certain cases, such as vPort creation on a Fibre Channel host bus adapter (HBA), the memory usage might be excessive, depending upon the system configuration.

VDO cannot suspend until UDS has finished rebuilding

When a Virtual Data Optimizer (VDO) volume starts after an unclean system shutdown, it rebuilds the Universal Deduplication Service (UDS) index. If you try to suspend the VDO volume using the dmsetup suspend command while the UDS index is rebuilding, the suspend command might become unresponsive. The command finishes only after the rebuild is done.

An NFS 4.0 patch can result in reduced performance under an open-heavy workload

Previously, a bug was fixed that, in some cases, could cause an NFS open operation to overlook the fact that a file had been removed or renamed on the server. However, the fix may cause slower performance with workloads that require many open operations. To work around this problem, it might help to use NFS version 4.1 or higher, which have been improved to grant delegations to clients in more cases, allowing clients to perform open operations locally, quickly, and safely.

nginx cannot load server certificates from hardware security tokens

The nginx web server supports loading TLS private keys from hardware security tokens directly from PKCS#11 modules. However, it is currently impossible to load server certificates from hardware security tokens through the PKCS#11 URI. To work around this problem, store server certificates on the file system

php-fpm causes SELinux AVC denials when php-opcache is installed with PHP 7.2

When the php-opcache package is installed, the FastCGI Process Manager (php-fpm) causes SELinux AVC denials. To work around this problem, change the default configuration in the /etc/php.d/10-opcache.ini file to the following:

The ltrace tool does not report function calls

Because of improvements to binary hardening applied to all RHEL components, the ltrace tool can no longer detect function calls in binary files coming from RHEL components. As a consequence, ltrace output is empty because it does not report any detected calls when used on such binary files. There is no workaround currently available.

AD users with expired accounts can be allowed to log in when using GSSAPI authentication

The accountExpires attribute that SSSD uses to see whether an account has expired is not replicated to the global catalog by default. As a result, users with expired accounts can log in when using GSSAPI authentication. To work around this problem, the global catalog support can be disabled by specifying ad_enable_gc=False in the sssd.conf file. With this setting, users with expired accounts will be denied access when using GSSAPI authentication.

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System

Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.

Changing /etc/nsswitch.conf requires a manual system reboot

Any change to the /etc/nsswitch.conf file, for example running the authselect select profile_id command, requires a system reboot so that all relevant processes use the updated version of the /etc/nsswitch.conf file. If a system reboot is not possible, restart the service that joins your system to Active Directory, which is the System Security Services Daemon (SSSD) or winbind.

No information about required DNS records displayed when enabling support for AD trust in IdM

When enabling support for Active Directory (AD) trust in Red Hat Enterprise Linux Identity Management (IdM) installation with external DNS management, no information about required DNS records is displayed. Forest trust to AD is not successful until the required DNS records are added. To work around this problem, run the 'ipa dns-update-system-records --dry-run' command to obtain a list of all DNS records required by IdM. When external DNS for IdM domain defines the required DNS records, establishing forest trust to AD is possible.

SSSD returns incorrect LDAP group membership for local users

If the System Security Services Daemon (SSSD) serves users from the local files, the files provider does not include group memberships from other domains. As a consequence, if a local user is a member of an LDAP group, the id local_user command does not return the user’s LDAP group membership. To work around the problem, either revert the order of the databases where the system is looking up the group membership of users in the /etc/nsswitch.conf file, replacing sss files with files sss, or disable the implicit files domain by adding

Default PAM settings for systemd-user have changed in RHEL 8 which may influence SSSD behavior

The Pluggable authentication modules (PAM) stack has changed in Red Hat Enterprise Linux 8. For example, the systemd user session now starts a PAM conversation using the systemd-user PAM service. This service now recursively includes the system-auth PAM service, which may include the pam_sss.so interface. This means that the SSSD access control is always called.

SSSD does not correctly handle multiple certificate matching rules with the same priority

If a given certificate matches multiple certificate matching rules with the same priority, the System Security Services Daemon (SSSD) uses only one of the rules. As a workaround, use a single certificate matching rule whose LDAP filter consists of the filters of the individual rules concatenated with the | (or) operator. For examples of certificate matching rules, see the sss-certamp(5) man page.

Private groups fail to be created with auto_private_group = hybrid when multiple domains are defined

Private groups fail to be created with the option auto_private_group = hybrid when multiple domains are defined and the hybrid option is used by any domain other than the first one. If an implicit files domain is defined along with an AD or LDAP domain in the sssd.conf`file and is not marked as `MPG_HYBRID, then SSSD fails to create a private group for a user who has uid=gid and the group with this gid does not exist in AD or LDAP.

python-ply is not FIPS compatible

The YACC module of the python-ply package uses the MD5 hashing algorithm to generate the fingerprint of a YACC signature. However, FIPS mode blocks the use of MD5, which is only allowed in non-security contexts. As a consequence, python-ply is not FIPS compatible. On a system in FIPS mode, all calls to ply.yacc.yacc() fail with the error message:

SSSD retrieves incomplete list of members if the group size exceeds 1500 members

During the integration of SSSD with Active Directory, SSSD retrieves incomplete group member lists when the group size exceeds 1500 members. This issue occurs because Active Directory’s MaxValRange policy, which restricts the number of members retrievable in a single query, is set to 1500 by default.

Limitations of the Wayland session

With Red Hat Enterprise Linux 8, the GNOME environment and the GNOME Display Manager (GDM) use Wayland as the default session type instead of the X11 session, which was used with the previous major version of RHEL.

Drag-and-drop does not work between desktop and applications

Due to a bug in the gnome-shell-extensions package, the drag-and-drop functionality does not currently work between desktop and applications. Support for this feature will be added back in a future release.

Disabling flatpak repositories from Software Repositories is not possible

Currently, it is not possible to disable or remove flatpak repositories in the Software Repositories tool in the GNOME Software utility.

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V Server 2016 hosts

When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a Microsoft Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the GRUB boot menu. In addition, the following error is logged in the Hyper-V event log:

GNOME Shell on Wayland performs slowly when using a software renderer

When using a software renderer, GNOME Shell as a Wayland compositor (GNOME Shell on Wayland) does not use a cacheable framebuffer for rendering the screen. Consequently, GNOME Shell on Wayland is slow. To workaround the problem, go to the GNOME Display Manager (GDM) login screen and switch to a session that uses the X11 protocol instead. As a result, the Xorg display server, which uses cacheable memory, is used, and GNOME Shell on Xorg in the described situation performs faster compared to GNOME Shell on Wayland.

System crash may result in fadump configuration loss

This issue is observed on systems where firmware-assisted dump (fadump) is enabled, and the boot partition is located on a journaling file system such as XFS. A system crash might cause the boot loader to load an older initrd that does not have the dump capturing support enabled. Consequently, after recovery, the system does not capture the vmcore file, which results in fadump configuration loss.

Potential risk when using the default value for ldap_id_use_start_tls option

When using ldap:// without TLS for identity lookups, it can pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.

radeon fails to reset hardware correctly

The radeon kernel driver currently does not reset hardware in the kexec context correctly. Instead, radeon falls over, which causes the rest of the kdump service to fail.

Unprivileged users can access the Subscriptions page

If a non-administrator navigates to the Subscriptions page of the web console, the web console displays a generic error message “Cockpit had an unexpected internal error”.

Using cloud-init to provision virtual machines on Microsoft Azure fails

Currently, it is not possible to use the cloud-init utility to provision a RHEL 8 virtual machine (VM) on the Microsoft Azure platform. To work around this problem, use one of the following methods:

RHEL 8 virtual machines on RHEL 7 hosts in some cases cannot be viewed in higher resolution than 1920x1200

Currently, when using a RHEL 8 virtual machine (VM) running on a RHEL 7 host system, certain methods of displaying the the graphical output of the VM, such as running the application in kiosk mode, cannot use greater resolution than 1920x1200. As a consequence, displaying VMs using those methods only works in resolutions up to 1920x1200, even if the host hardware supports higher resolutions.

Low GUI display performance in RHEL 8 virtual machines on a Windows Server 2019 host

When using RHEL 8 as a guest operating system in graphical mode on a Windows Server 2019 host, the GUI display performance is low, and connecting to a console output of the guest currently takes significantly longer than expected.

Installing RHEL virtual machines sometimes fails

Under certain circumstances, RHEL 7 and RHEL 8 virtual machines created using the virt-install utility fail to boot if the --location option is used.

Displaying multiple monitors of virtual machines that use Wayland is not possible with QXL

Using the remote-viewer utility to display more than one monitor of a virtual machine (VM) that is using the Wayland display server causes the VM to become unresponsive and the Waiting for display status message to be displayed indefinitely.

virsh iface-\* commands do not work consistently

Currently, virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, frequently fail due to configuration dependencies. Therefore, it is recommended not to use virsh iface-\* commands for configuring and managing host network connections. Instead, use the NetworkManager program and its related management applications.

Customizing an ESXi VM using cloud-init and rebooting the VM causes IP setting loss and makes booting the VM very slow

Currently, if the cloud-init service is used to modify a virtual machine (VM) that runs on the VMware ESXi hypervisor to use static IP and the VM is then cloned, the new cloned VM in some cases takes a very long time to reboot. This is caused cloud-init rewriting the VM’s static IP to DHCP and then searching for an available datasource.

RHEL 8 virtual machines sometimes cannot boot on Witherspoon hosts

RHEL 8 virtual machines (VMs) that use the pseries-rhel7.6.0-sxxm machine type in some cases fail to boot on Power9 S922LC for HPC hosts (also known as Witherspoon) that use the DD2.2 or DD2.3 CPU.

IBM POWER virtual machines do not work correctly with zero memory NUMA nodes

Currently, when an IBM POWER virtual machine (VM) running on a RHEL 8 host is configured with a NUMA node that uses zero memory (memory='0'), the VM cannot boot. Therefore, Red Hat strongly recommends not using IBM POWER VMs with zero-memory NUMA nodes on RHEL 8.

Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 fails

Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 becomes unresponsive with a "Migration status: active" status.

SMT CPU topology is not detected by VMs when using host passthrough mode on AMD EPYC

When a virtual machine (VM) boots with the CPU host passthrough mode on an AMD EPYC host, the TOPOEXT CPU feature flag is not present. Consequently, the VM is not able to detect a virtual CPU topology with multiple threads per core. To work around this problem, boot the VM with the EPYC CPU model instead of host passthrough.

Virtual machines sometimes fail to start when using many virtio-blk disks

Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number of interrupt vectors available in the platform. If this occurs, the VM’s guest OS fails to boot, and displays a dracut-initqueue[392]: Warning: Could not boot error.