Chapter 7. Bug fixes

RHEL installation no longer aborts when Insights client fails to register system

Previously, the RHEL installation failed with an error at the end if the Red Hat Insights client failed to register the system during the installation. With this update, the system completes the installation even if the insights client fails. The user is notified about the error during installation so the error can be handled later independently.

Anaconda allows data encryption for automatically created disk layout in the custom partitioning screen

Previously, requesting encrypted disk layout when the disk layout was automatically created in the custom partitioning screen was not possible. With this update, Anaconda provides an option on the custom partitioning screen to encrypt the automatically created disk layout.

Installation program does not attempt automatic partitioning when partitioning scheme is not specified in the Kickstart file

When using a Kickstart file to perform an automated installation, the installation program does not attempt to perform automatic partitioning when you do not specify any partitioning scheme in the Kickstart file. The installation process is interrupted and allows the user to configure the partitioning.

RHEL-Edge container image now uses nginx and serves on port 8080

Previously, the edge-container image type was unable to run in non-root mode. As a result, Red Hat OpenShift 4 was unable to use the edge-container image type. With this enhancement, the container now uses nginx HTTP server to serve the commit and a configuration file that allows the server to run as a non-root user inside the container, enabling its use on Red Hat OpenShift 4. The internal web server now uses the port 8080 instead of 80.

opal-prd rebased to version 6.7.1

opal-prd has been upgraded to version 6.7.1. Notable bug fixes and enhancements include:

libservicelog rebased to version 1.1.19

libservicelog has been upgraded to version 1.1.19. Notable bug fixes and enhancements include:

ipmitool sol activate command no longer crashes

Previously, after upgrading from RHEL 7 to RHEL 8 the ipmitool sol activate command would crash while trying to access the remote console on an IBM DataPower appliance.

Relax-and-Recover (ReaR) package now depends on the bootlist executable

Previously, ReaR could produce a rescue image without the bootlist executable on the IBM Power Systems, Little Endian architecture. Consequently, if the powerpc-utils-core package is not installed, the rescue image did not contain the bootlist executable.

rsync with an unprivileged remote user can now be used in ReaR

Previously, when rsync was used to back up and restore the system data (BACKUP=RSYNC), the parameters to rsync were incorrectly quoted, and the --fake-super parameter was not passed to the remote rsync process. Consequently, the file metadata was not correctly saved and restored.

Loss of backup data on network shares when using ReaR does not occur anymore

Previously, when a network file system like NFS was used to store the ReaR backups, in case of an error ReaR removed the directory where the NFS was mounted. Consequently, this caused backup data loss.

ReaR can now be used to back up and recover machines that use ESP

Previously, ReaR did not create Extensible Firmware Interface (EFI) entries when software RAID (MDRAID) is used for the EFI System Partition on machines with Unified Extensible Firmware Interface (UEFI) firmware. When a system with UEFI firmware and EFI System Partition on software RAID were recovered using ReaR; the recovered system was unbootable and required manual intervention to fix the boot EFI variables.

/etc/slp.spi file added to openslp package

Previously, the /etc/slp.spi file was missing in the openslp package. Consequently, the /usr/bin/slptool command did not generate output. With this update, /etc/slp.spi has been added to openslp.

BM Power Systems, Little Endian architecture machines with multipath can now be safely recovered using ReaR

Previously, the /sys file system was not mounted in the chroot when ReaR was recovering the system. The ofpathname executable on the IBM Power Systems, Little Endian architecture failed when installing the boot loader. Consequently, the error remained undetected and the recovered system was unbootable.

The which utility no longer aborts with a syntax error message when used with an alias

Previously, when you tried to use the which command with an alias, for example, A=B which ls, the which utility aborted with the syntax error message bash: syntax error near unexpected token `('.

Permissions of the /var/lib/chrony have changed

Previously, enterprise security scanners would flag the /var/lib/chrony directory for having world-readable and executable permissions. With this update, the permissions of the /var/lib/chrony directory have changed to limit access only to the root and chrony users.

GnuTLS no longer rejects SHA-1-signed CAs if they are explicitly trusted

Previously, the GnuTLS library checked signature hash strength of all certificate authorities (CA) even if the CA was explicitly trusted. As a consequence, chains containing CAs signed with the SHA-1 algorithm were rejected with the error message certificate’s signature hash strength is unacceptable. With this update, GnuTLS excludes trusted CAs from the signature hash strength checks and therefore no longer rejects certificate chains containing CAs even if they are signed using weak algorithms.

Hardware optimization enabled in FIPS mode

Previously, the Federal Information Processing Standard (FIPS 140-2) did not allow using hardware optimization. Therefore, the operation was disabled in the libgcrypt package when in the FIPS mode. This update enables hardware optimization in FIPS mode, and as a result, all cryptographic operations are performed faster.

leftikeport and rightikeport options work correctly

Previously, Libreswan ignored the leftikeport and rightikeport options in any host-to-host Libreswan connections. As a consequence, Libreswam used the default ports regardless of any non-default options settings. With this update, the issue is now fixed and you can use leftikeport and rightikeport connection options over the default options.

SELinux policy did not allow GDM to set the GRUB boot_success flag

Previously, SELinux policy did not allow the GNOME Display Manager (GDM) to set the GRUB boot_success flag during the power-off and reboot operations. Consequently, the GRUB menu appeared on the next boot. With this update, the SELinux policy introduces a new xdm_exec_bootloader boolean that allows the GDM to set the GRUB boot_success flag, and which is enabled by default. As a result, the GRUB boot menu is shown on the first boot and the flicker-free boot support feature works correctly.

selinux-policy now supports IPsec-based VPNs using TCP encapsulation

Since RHEL 8.4, the libreswan packages have supported IPsec-based VPNs using TCP encapsulation, but the selinux-policy package did not reflect this update. As a consequence, when Libreswan was configured to use TCP, the ipsec service failed to bind to the given TCP port. With this update to the selinux-policy package, the ipsec service can bind and connect to the commonly used TCP port 4500, and therefore you can use TCP encapsulation in IPsec-based VPNs.

SELinux policy now prevents staff_u users from switching to unconfined_r

Previously, when the secure_mode boolean was enabled, staff_u users could incorrectly switch to the unconfined_r role. As a consequence, staff_u users could perform privileged operations affecting the security of the system. With this fix, SELinux policy prevents staff_u users from switching to the unconfined_r role using the newrole command. As a result, unprivileged users cannot run privileged operations.

OSCAP Anaconda Addon now handles customized profiles

Previously, the OSCAP Anaconda Addon plugin did not correctly handle security profiles with customizations in separate files. Consequently, the customized profiles were not available in the RHEL graphical installation even when you specified them in the corresponding Kickstart section. The handling has been fixed, and you can use customized SCAP profiles in the RHEL graphical installation.

OpenSCAP no longer fails during evaluation of the STIG profile and other SCAP content

Previously, initialization of the cryptography library in OpenSCAP was not performed properly in OpenSCAP, specifically in the filehash58 probe. As a consequence, a segmentation fault occurred while evaluating SCAP content containing the filehash58_test Open Vulnerability Assessment Language (OVAL) test. This affected in particular the evaluation of the STIG profile for Red Hat Enterprise Linux 8. The evaluation failed unexpectedly and results were not generated. The process of initializing libraries has been fixed in the new version of the openscap package. As a result, OpenSCAP no longer fails during the evaluation of the STIG profile for RHEL 8 and other SCAP content that contains the filehash58_test OVAL test.

Ansible updates banner files only when needed

Previously, the playbook used for banner remediation always removed the file and recreated it. As a consequence, the banner file inodes were always modified regardless of need. With this update, the Ansible remediation playbook has been improved to use the copy module, which first compares existing content with the intended content and only updates the file when needed. As a result, banner files are only updated when the existing content differs from the intended content.

USB devices now work correctly with the DISA STIG profile

Previously, the DISA STIG profile enabled the USBGuard service but did not configure any initially connected USB devices. Consequently, the USBGuard service blocked any device that was not specifically allowed. This made some USB devices, such as smart cards, unreachable. With this update, the initial USBGuard configuration is generated when applying the DISA STIG profile and allows the use of any connected USB device. As a result, USB devices are not blocked and work correctly.

OSCAP Anaconda Addon now installs all selected packages in text mode

Previously, the OSCAP Anaconda Addon plugin did not evaluate rules that required certain partition layout or package installations and removals before the installation started when running in text mode. Consequently, when a security policy profile was specified using Kickstart and the installation was running in text mode, any additional packages required by a selected security profile were not installed. OSCAP Anaconda Addon now performs the required checks before the installation starts regardless of whether the installation is graphical or text-based, and all selected packages are installed also in text mode.

rpm_verify_permissions removed from the CIS profile

The rpm_verify_permissions rule, which compares file permissions to package default permissions, has been removed from the Center for Internet Security (CIS) Red Hat Enterprise Linux 8 Benchmark. With this update, the CIS profile is aligned with the CIS RHEL 8 benchmark, and as a result, this rule no longer affects users who harden their systems according to CIS.

A revert of upstream patch allows some systemd services and user-space workloads to run as expected

The backported upstream change to the mknod() system call caused the open() system call to be more privileged with respect to device nodes than mknod(). Consequently, multiple user-space workloads and some systemd services in containers became unresponsive. With this update, the incorrect behavior has been reverted and no crashes occur any more.

Improved performance regression in memory accounting operations

Previously, a slab memory controller was increasing the frequency of memory accounting operations per slab. Consequently, a performance regression occurred due to an increased number of memory accounting operations. To fix the problem, the memory accounting operations have been streamlined to use as much caching and as little atomic operations as possible. As a result, a slight performance regression still remains. However, the user experience is much better.

Hard lockups and system panic no longer occur when issuing multiple SysRg-T magic keys

Issuing multiple SysRg-T magic key sequences to a system caused an interrupt to be disabled for an extended period of time, depending on the serial console speed, and on the volume of information being printed out. This prolonged disabled-interrupt time often resulted in a hard lockup followed by a system panic. This update brings the SysRg-T key sequence to substantially reduce the period when interrupt is disabled. As a result, no hard lockups or system panic occur in the described scenario.

Certain BCC utilities do not display the "macro redefined" warning anymore

Macro redefinitions in some compiler-specific kernel headers caused some BPF Compiler Collection (BCC) utilities to display the following zero-impact warning:

kdump no longer fails to dump vmcore on SSH or NFS targets

Previously, when configuring a network interface card (NIC) port to a static IP address and setting kdump to dump vmcore on SSH or NFS dump targets, the kdump service started with the following error message:

Certain networking kernel drivers now properly display their version

The behavior for module versioning of many networking kernel drivers changed in RHEL 8.4. Consequently, those drivers did not display their version. Alternatively, after executing the ethtool -i command, the drivers displayed the kernel version instead of the driver version. This update fixes the bug by providing the kernel module strings. As a result, users can determine versions of the affected kernel drivers.

The hwloc commands now return correct data on single CPU Power9 and Power10 logical partitions

With the hwloc utility of version 2.2.0, any single-node Non-Uniform Memory Access (NUMA) system that ran a Power9 or Power10 CPU was considered to be "disallowed". Consequently, all hwloc commands did not work, because NODE0 (socket 0, CPU 0) was offline and the hwloc source code expected NODE0 to be online. The following error message was displayed:

Records obtained from getaddrinfo() now include a default TTL

Previously, API did not convey time-to-live (TTL) information, which left TTL unset for address records obtained through getaddrinfo(), even if they were obtained from the DNS. As a consequence, the key.dns_resolver upcall program did not set an expiry time on dns_resolver records, unless the records included a component obtained directly from the DNS, such as an SRV or AFSDB record. With this update, records from getaddrinfo() now include a default TTL of 10 minutes to prevent an unset expiry time.

The ocf:heartbeat:pgsql resource agent and some third-party agents no longer fail to stop during a shutdown process

In the RHEL 8.4 GA release, Pacemaker’s crm_mon command-line tool was modified to display a "shutting down" message rather than the usual cluster information when Pacemaker starts to shut down. As a consequence, shutdown progress, such as the stopping of resources, could not be monitored. In this situation, resource agents that parse crm_mon output in their stop operation (such as the ocf:heartbeat:pgsql agent distributed with the resource-agents package, or some custom or third-party agents) could fail to stop, leading to cluster problems. This bug has been fixed, and the described problem no longer occurs.

pyodbc works again with MariaDB 10.3

The pyodbc module did not work with the MariaDB 10.3 server included in the RHEL 8.4 release. The root cause in the mariadb-connector-odbc package has been fixed, and pyodbc now works with MariaDB 10.3 as expected.

GCC Toolset 11: GCC 11 now defaults to DWARF 4

While upstream GCC 11 defaults to using the DWARF 5 debugging format, GCC of GCC Toolset 11 defaults to DWARF 4 to stay compatible with RHEL 8 components, for example, rpmbuild.

The tunables framework now parses GLIBC_TUNABLES correctly

Previously, the tunables framework did not parse the GLIBC_TUNABLES environment variable correctly for non-setuid children of setuid programs. As a consequence, in some cases all tunables remained in non-setuid children of setuid programs. With this update, tunables in the GLIBC_TUNABLES environment variable are correctly parsed. As a result, only a restricted subset of identified tunables are now inherited by non-setuid children of setuid programs.

The semctl system call wrapper in glibc now treats SEM_STAT_ANY like SEM_STAT

Previously, the semctl system call wrapper in glibc did not treat the kernel argument SEM_STAT_ANY like SEM_STAT. As a result, glibc did not pass the address of the result object struct semid_ds to the kernel, so that the kernel failed to update it. With this update, glibc now treats SEM_STAT_ANY like SEM_STAT, and as a result, applications can obtain struct semid_ds data using SEM_STAT_ANY.

Glibc now includes definitions for IPPROTO_ETHERNET, IPPROTO_MPTCP, and INADDR_ALLSNOOPERS_GROUP

Previously, the Glibc system library headers (/usr/include/netinet/in.h) did not include definitions of IPPROTO_ETHERNET, IPPROTO_MPTCP, and INADDR_ALLSNOOPERS_GROUP. As a consequence, applications needing these definitions failed to compile. With this update, the system library headers now include the new network constant definitions for IPPROTO_ETHERNET, IPPROTO_MPTCP, and INADDR_ALLSNOOPERS_GROUP resulting in correctly compiling applications.

gcc rebased to version 8.5

The GNU Compiler Collection (GCC) has been rebased to upstream version 8.5, which provides a number of bug fixes over the previous version.

Incorrect file decryption using OpenSSL aes-cbc mode

The OpenSSL EVP aes-cbc mode did not decrypt files correctly, because it expects to handle padding while the Go CryptoBlocks interface expects full blocks. This issue has been fixed by disabling padding before executing EVP operations in OpenSSL.

FreeRADIUS no longer incorrectly generating default certificates when the bootstrap script is run

A bootstrap script runs each time FreeRADIUS is started. Previously, this script generated new testing certificates in the /etc/raddb/certs directory and as a result, the FreeRADIUS server sometimes failed to start as these testing certificates were invalid. For example, the certificates might have expired. With this update, the bootstrap script checks the /etc/raddb/certs directory and if it contains any testing or customer certificates, the script is not run and the FreeRADIUS server should start correctly.

FreeRADIUS no longer fails to create a core dump file

Previously, FreeRADIUS did not create a core dump file when allow_core_dumps was set to yes. Consequently, no core dump files were created if any process failed. With this update, when you set allow_core_dumps to yes, FreeRADIUS now creates a core dump file if any process fails.

SSSD correctly evaluates the default setting for the Kerberos keytab name in /etc/krb5.conf

Previously, if you defined a non-standard location for your krb5.keytab file, SSSD did not use this location and used the default /etc/krb5.keytab location instead. As a result, when you tried to log into the system, the login failed as the /etc/krb5.keytab contained no entries.

Running sudo commands no longer exports the KRB5CCNAME environment variable

Previously, after running sudo commands, the environment variable KRB5CCNAME pointed to the Kerberos credential cache of the original user, which might not be accessible to the target user. As a result Kerberos related operations might fail as this cache is not accessible. With this update, running sudo commands no longer sets the KRB5CCNAME environment variable and the target user can use their default Kerberos credential cache.

Kerberos now only requests permitted encryption types

Previously, RHEL did not apply permitted encryption types specified in the permitted_enctypes parameter in the /etc/krb5.conf file if the default_tgs_enctypes or default_tkt_enctypes parameters were not set. Consequently, Kerberos clients were able to request deprecated cipher suites, such as RC4, which might cause other processes to fail. With this update, RHEL applies the encryption types set in permitted_enctypes to the default encryption types as well, and processes can only request permitted encryption types.

The replication session update speed is now enhanced

Previously, when the changelog contained larger updates, the replication session started from the beginning of the changelog. This slowed the session down. The using of a small buffer to store the update from a changelog during the replication session caused this. With this update, the replication session checks that the buffer is large enough to store the update at the starting point. The replication session starts sending updates immediately.

The database indexes created by plug-ins are now enabled

Previously, when a server plug-in created its own database indexes, you had to enable those indexes manually. With this update, the indexes are enabled immediately after creation by default.

Role tasks no longer change when running the same output

Previously, several of the role tasks would report as CHANGED when running the same input once again, even if there were no changes. Consequently, the role was not acting idempotent. To fix the issue, perform the following actions:

relayhost parameter no longer incorrectly defined in the Postfix documentation

Previously, the relayhost parameter of the Postfix RHEL system role was defined as relay_host in the doc /usr/share/doc/rhel-system-roles/postfix/README.md documentation provided by rhel-system-roles. This update fixes the issue and the relayhost parameter is now correctly defined in the Postfix documentation.

Postfix RHEL system role README.md no longer missing variables under the "Role Variables" section

Previously, the Postfix RHEL system role variables, such as postfix_check, postfix_backup, postfix_backup_multiple were not available under the "Role Variables" section. Consequently, users were not able to consult the Postfix role documentation. This update adds role variable documentation to the Postfix README section. The role variables are documented and available for users in the doc/usr/share/doc/rhel-system-roles/postfix/README.md documentation provided by rhel-system-roles.

Postfix role README no longer uses plain role name

Previously, the examples provided in the /usr/share/ansible/roles/rhel-system-roles.postfix/README.md used the plain version of the role name, postfix, instead of using rhel-system-roles.postfix. Consequently, users would consult the documentation and incorrectly use the plain role name instead of Full Qualified Role Name (FQRN). This update fixes the issue, and the documentation contains examples with the FQRN, rhel-system-roles.postfix, enabling users to correctly write playbooks.

The output log of timesync only reports harmful errors

Previously, the timesync RHEL system role used the ignore_errors directive with separate checking for task failure in many tasks. Consequently, the output log of the successful role run was full of harmless errors. The users were safe to ignore those errors, but still they were distressing to see. In this update, the relevant tasks have been rewritten not to use ignore_errors. As a result, the output log is now clean, and only role-stopping errors are reported.

The requirements.txt file no longer missing in the Ansible collection

Previously, the requirements.txt file, responsible for specifying the python dependencies, was missing in the Ansible collection. This fix adds the missing file with the correct dependencies at the /usr/share/ansible/collections/ansible_collections/redhat/rhel_system_roles/requirements.tx path.

Traceback no longer observed when set type: partition for storage_pools

Previously, when setting the variable type as partition for storage_pools in a playbook, running this playbook would fail and indicate traceback. This update fixes the issue and the Traceback error no longer appears.

SElinux role no longer perform unnecessary reloads

Previously, the SElinux role would not check if changes were actually applied before reloading the SElinux policy. As a consequence, the SElinux policy was being reloaded unnecessarily, which had an impact on the system resources. With this fix, the SElinux role now uses ansible handlers and conditionals to ensure that the policy is only reloaded if there is a change. As a result, the SElinux role runs much faster.

sshd role no longer fails to start with the installed sshd_config file on the RHEL6 host.

Previously, when a managed node was running RHEL6, the version of OpenSSH did not support "Match all" in the Match criteria, which was added by the install task. As a consequence, sshd failed to start with the installed sshd_config file on the RHEL6 host. This update fixes the issue by replacing "Match all" with "Match address *" for the RHEL6 sshd_config configuration file, as the criteria is supported in the version of OpenSSH. As a result, the sshd RHEL system role successfully starts with the installed sshd_config file on the RHEL6 host.

The SSHD role name in README.md examples no longer incorrect

Previously, in the sshd README.md file, the examples reference calling the role with the willshersystems.sshd name. This update fixes the issue, and now the example references correctly refers to the role as "rhel_system_roles.sshd".

The key/certs source files are no longer copied when tls is false

Previously, in the logging RHEL system role elasticsearch output, if the key/certs source files path on the control host were configured in the playbook, they would be copied to the managed hosts, even if tls was set to false. Consequently, if the key/cert file paths were configured and tls was set to false, the command would fail, because the copy source files did not exist. This update fixes the issue, and copying the key/certs is executed only when the tls param is set to true.

Task to enable logging for targeted hosts in the metric role now works

Previously, a bug in the metric RHEL system role prevented referring to targeted hosts in the enabling the performance metric logging task. Consequently, the control file for performance metric logging was not generated. This update fixes the issue, and now the targeted hosts are correctly referred to. As a result, the control file is successfully created, enabling the performance metric logging execution.

sshd_hostkey_group and sshd_hostkey_mode variables now configurable in the playbook

Previously, the sshd_hostkey_group and sshd_hostkey_mode variables were unintentionally defined in both defaults and vars files. Consequently, users were unable to configure those variables in the playbook. With this fix, the sshd_hostkey_group is renamed to __sshd_hostkey_group and sshd_hostkey_mode to __sshd_hostkey_mode for defining the constant value in the vars files. In the default file, sshd_hostkey_group is set to __sshd_hostkey_group and sshd_hostkey_mode to __sshd_hostkey_mode. As a result, users can now configure the sshd_hostkey_group and sshd_hostkey_mode variables in the playbook.

RHEL system roles internal links in README.md are no longer broken

Previously, the internal links available in the README.md files were broken. Consequently, if a user clicked a specific section documentation link, it would not redirect users to the specific README.md section. This update fixes the issue and now the internal links point users to the correct section.

nm-cloud-setup utility now sets the correct default route on Microsoft Azure

Previously, on Microsoft Azure, the nm-cloud-setup utility failed to detect the correct gateway of the cloud environment. As a consequence, the utility set an incorrect default route, and connectivity failed. This update fixes the problem. As a result, nm-cloud-setup utility now sets the correct default route on Microsoft Azure.

SSH keys are now generated correctly on EC2 instances created from a backup AMI

Previously, when creating a new Amazon EC2 instance of RHEL 8 from a backup Amazon Machine Image (AMI), cloud-init deleted existing SSH keys on the VM but did not create new ones. Consequently, the VM in some cases could not connect to the host.

RHEL 8 running on AWS ARM64 instances can now reach the specified network speed

When using RHEL 8 as a guest operating system in a virtual machine (VM) that runs on an Amazon Web Services (AWS) ARM64 instance, the VM previously had lower than expected network performance when the iommu.strict=1 kernel parameter was used or when no iommu.strict parameter was defined.

Core dumping RHEL 8 virtual machines to a remote machine on Azure now works more reliably

Previously, using the kdump utility to save the core dump file of a RHEL 8 virtual machine (VM) on a Microsoft Azure hypervisor to a remote machine did not work correctly when the VM was using a NIC with enabled accelerated networking. As a consequence, the dump file was saved after approximately 200 seconds, instead of immediately. In addition, the following error message was logged on the console before the dump file is saved.

Hibernating RHEL 8 guests now works correctly when FIPS mode is enabled

Previously, it was not possible to hibernate a virtual machine (VM) that was using RHEL 8 as its guest operating system if the VM was using FIPS mode. The underlying code has been fixed and the affected VMs can now hibernate correctly.

UBI 9-Beta containers can run on RHEL 7 and 8 hosts

Previously, the UBI 9-Beta container images had an incorrect seccomp profile set in the containers-common package. As a consequence, containers were not able to deal with certain system calls causing a failure. With this update, the problem has been fixed.