Chapter 7. Bug fixes

The network --defroute option now works correctly in the %include script

Previously, the network --defroute option got ignored when used in the %include script during the kickstart installation. As a consequence, the device was set as the default route.

Users can now specify user accounts in the RHEL for Edge Installer blueprint

Previously, performing an update on your blueprint without a user account defined in the RHEL for Edge Commit for the upgrade, such as adding a rpm package, would cause users to be locked out of their system, after the upgrade was applied. It caused users to have redefine user accounts when upgrading an existing system. This issue has been fixed to allow users to specify user accounts in the RHEL for Edge Installer blueprint, that creates a user on the system at installation time, rather than having the user as part of the ostree commit.

osbuild no longer fails to build an ISO image bigger than 4GB

Image Builder users can create a customized image by adding additional packages. If the total size of the packages and their dependencies exceeded 4GB size, users of RHEL 8.5 and earlier releases would see the following error:

Running createrepo_c --update on a modular repository now preserves modular metadata in it

Previously, when running the createrepo_c --update command on an already existing modular repository without the original source of modular metadata present, the default policy was to remove all additional metadata including modular metadata from this repository, which, consequently, broke it. To preserve metadata, it required running the createrepo_c --update command with the additional --keep-all-metadata option.

Errors during the installation of the info subpackage do not happen anymore

Previously the fix-info-dir script expected the existence of a /dev/null file. With a new version of the texinfo package for software documentation, the installation of the info subpackage does not fail on systems that do not contain the /dev/null special file. Now the fix-info-dir script does not expect the existence of the /dev/null file, and avoids the possibility of an infinite loop.

ReaR backs up a system with an unused LVM physical volume correctly

Previously, ReaR produced an incorrect disk layout when an unused LVM physical volume (PV) was present on the system. As a result, ReaR commands that need to produce the disk layout, such as the mkrescue, mkbackup, mkbackuponly, savelayout commands, aborted with the error message:

ReaR does not incorrectly exclude multipath devices from the backup

Previously, ReaR was incorrectly excluding certain multipath devices whose names contained the names of multipath devices that should have been excluded from the backup.

Remote users are no longer repetitively prompted to access smart cards

Previously, the polkit policy for the pcscd daemon incorrectly requested user interaction. As a consequence, non-local and non-privileged users could not access smart cards and encountered large numbers of prompts. With this update, the pcsc-lite package policy no longer includes the interactive prompts. As a result, remote card users are no longer repeatedly asked for privilege escalation.

64-bit IBM Z systems no longer become unbootable when installing in FIPS mode

Previously, the fips-mode-setup command with the --no-bootcfg option did not execute the zipl tool. Because fips-mode-setup regenerates the initial RAM disk (initrd), and the resulting system needs an update of zipl internal state to boot, this put 64-bit IBM Z systems into an unbootable state after installing in FIPS mode. With this update, fips-mode-setup now executes zipl on 64-bit IBM Z systems even if invoked with --no-bootcfg, and as a result, the newly installed system boots successfully.

crypto-policies can disable ChaCha20 in OpenSSL

Previously, the crypto-policies component used a wrong keyword to disable the ChaCha20 cipher in OpenSSL. As a consequence, use of ChaCha20 in TLS 1.2 in OpenSSL could not be disabled through crypto-policies. With this update, crypto-policies use the -CHACHA20 keyword instead of the -CHACHA20-POLY1305 keyword. As a result, you can now use crypto-policies to disable the use of the ChaCha20 cipher in OpenSSL for both TLS 1.2 and TLS 1.3.

systemd can now execute files from /home/user/bin

Previously, systemd services could not execute files from the /home/user/bin/ directory because the SELinux policy did not include the policy rules that allow such access. Consequently, the systemd services failed and eventually logged the Access Vector Cache (AVC) denial Audit messages. This update adds the missing SELinux rules that allow access, and systemd services can now correctly execute commands from /home/user/bin/.

STIG-specific default banner text removed from other profiles

Previously, banner text from the STIG profile was used as default by other profiles that did not have a default text defined, such as CIS. As a consequence, systems using these profiles were configured with the specific text required by DISA. With this update, a generic default text was created and a standard CIS banner aligned with the guidelines was defined. As a result, profiles based on guidelines which explicitly require a text banner are now aligned with the requirements and set the correct text.

ANSSI Enhanced Profile correctly selects the "Ensure SELinux State is Enforcing" rule

Previously, the ANSSI Enhanced profile (anssi_bp28_enhanced) did not select the "Ensure SELinux State is Enforcing" (selinux_state) rule. This update modified the rule selection and now the ANSSI Enhanced Profile selects the "Ensure SELinux State is Enforcing" rule.

Descriptions for restorecon and seunshare SSG rules fixed

Previously, descriptions for rules "Record Any Attempts to Run restorecon" (CCE-80699-2) and "Record Any Attempts to Run seunshare" (CCE-80933-5) were incorrect. With this update, the descriptions of these rules are aligned with the automated OVAL check. As a result, applying the fix recommended in the description now correctly fixes these rules.

The CIS profile no longer automatically disables IPv6

Previously, the CIS profile for RHEL 8 provided inappropriate automated remediation for recommendation “3.6 Disable IPv6”, which disabled IPv6 by configuring /etc/modprobe.d/ipv6.conf to prevent the IPv6 module from loading. This could have undesired effects on the dependent features and services. In RHEL 8 CIS Benchmark v1.0.1, the recommendation 3.6 must be implemented manually, and therefore the RHEL8 CIS profiles do not apply any remediation for this configuration item. As a result, the CIS profile is aligned with the benchmark and does not disable IPv6 automatically. To disable IPv6 manually by configuring GRUB2 or sysctl settings as recommended by CIS, see How do I disable or enable the IPv6 protocol in Red Hat Enterprise Linux?.

CIS profile no longer blocks the SSH service

Previously, the xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key rule by default set the permissions to 640 on SSH private keys. As a consequence, the SSH daemon did not start. This update removes the file_permissions_sshd_private_key rule from the CIS profile and as a result, the SSH service works correctly.

Files in /usr/share/audit/sample-rules are now accepted by SCAP rules

Previously, according to the description of SCAP rules xccdf_org.ssgproject.content_rule_audit_ospp_general and xccdf_org.ssgproject.content_rule_audit_immutable_login_uids, users were able to make systems compliant by copying appropriate files from the /usr/share/audit/sample-rules directory. However, OVAL checks of these rules failed, and the system was consequently marked as non-compliant after the scan. With this update, the OVAL checks now accept the files from /usr/share/audit/sample-rules, and the SCAP rules pass successfully.

ANSSI Kickstart now reserves enough disk space

Previously, GUI installation required more disk space than ANSSI Kickstart reserved in the /usr partition. As a consequence, RHEL 8.6 GUI installations failed, with an error message stating that At least 429 MB more space needed on the /usr filesystem. This update increases the disk space for the /usr partition, and RHEL 8.6 installations using the ANSSI Kickstarts provided in the scap-security-guide now completes successfully.

Remediations of GRUB2 arguments are now persistent

Previously, the remediations for GRUB2 rules that set kernel arguments were using incorrect procedures and the configuration changes were not persistent across kernel upgrades. As a consequence, the remediations had to be reapplied with every kernel upgrade. With this update, remediations use the grubby tool that configures GRUB2 in a persistent way.

scap-workbench no longer hangs when scanning remote systems from RHEL 8 hosts

Previously, sending content files to the scanned system would hang and the scap-workbench utility could not complete the scan. This was due to a bug in the kernel which blocked executed Qt subprocesses. As a consequence, scanning of remote systems using the scap-workbench command from RHEL 8 hosts did not work. With this update, the underlying kernel bug is fixed, and therefore remote scans no longer hang on copying files to a remote system and successfully finish.

usbguard-notifier no longer logs too many error messages to the Journal

Previously, the usbguard-notifier service did not have inter-process communication (IPC) permissions for connecting to the usbguard-daemon IPC interface. Consequently, usbguard-notifier failed to connect to the interface, and it wrote a corresponding error message to the Journal. Because usbguard-notifier started with the --wait option, which ensured that usbguard-notifier attempted to connect to the IPC interface each second after a connection failure, by default, the log contained an excessive amount of these messages soon.

Ambient capabilities are now applied correctly to non-root users

As a safety measure, changing a UID (User Identifier) from root to non-root nullifies permitted, effective, and ambient sets of capabilities.

The usbguard-selinux package is no longer dependent on usbguard

Previously, the usbguard-selinux package was dependent on the usbguard package. This, in combination with other dependencies of these packages, led to file conflicts when installing usbguard. As a consequence, this prevented the installation of usbguard on certain systems. With this version, usbguard-selinux no longer depends on usbguard, and as a result, yum can install usbguard correctly.

audisp-remote now correctly detects the availability of the remote locations

Previously, the audisp-remote plugin did not detect that remote services became unavailable. As a consequence, the audisp-remote process would enter a state with high CPU usage. With this update, audisp-remote can properly detect remote services becoming unavailable. As a result, the process no longer enters a high-CPU-usage state.

Clevis no longer stops on certain configurations before automated unlocking

Previously, the Clevis utility, which performs automated unlocking of LUKS-encrypted volumes, stopped on certain system configurations. Consequently, encrypted volumes were not unlocked automatically, and the administrator had to provide a passphrase manually. In some cases, Clevis restarted after the administrator pressed Enter and unlocked the encrypted volumes. With this update, the utility has been fixed to not stop on these configurations, and the process of automated unlocking now works properly.

NetworkManager now uses a static IPv4 IP address as primary

The main purpose of primary and secondary addresses is to enable source address selection for connections that are not yet bound to an IP address. For these connections, the kernel automatically chooses an address. In a NetworkManager connection profile, you can configure a static IPv4 address and DHCP at the same time for one connection. Previously, if you configured a connection with DHCP and a static IPv4 address from the same range as the one provided by the DHCP server, NetworkManager incorrectly assigned the IP address that it received from the DHCP server as primary and the static IP address as secondary.

The dmidecode --type 17 command now successfully decodes DDR5 memory information

Previously, the dmidecode command failed to decode the DDR5 memory information. Consequently, dmidecode --type 17 returned the <OUT OF SPEC> message. The latest update of the package (dmidecode-3.3-3.el8) has fixed this problem. As a result, dmidecode --type 17 now successfully decodes DDR5 memory information.

kdump no longer fails on KVM virtual machines that use the default amount of memory

Previously, kdump failed on some kernel-based virtual machines (KVM) that uses the default amount of memory. Consequently, the crash kernel failed to capture the crash dump file with following error:

Tunnel offloading now works as expected and supports the available hardware

Previously, the driver was not setting certain feature flags. Hence, tunnel offloading was not working as expected. In this update, the driver sets the required flags to enable tunnel offloading and works as expected.

Fixed the kernel warning while setting the rx ring buffer to max

Previously, an internal function expecting clean input was called with a reused and already initialized structure. It caused the kernel to give the warning message: “missing unregister, handled but fix driver”. This update fixes the bug, reinitializing the structure before trying to register it again.

xfsrestore command works correctly while restoring a backup

Previously, while restoring a backup created using the xfsdump command, xfsrestore created an orphanage directory. As a consequence, a few files were moved into the created orphanage directory with the following messages:

The multipathd.socket unit file no longer disables multipathd after too many startup attempts

Previously, the starting conditions for multipathd in the multipath.service unit file differed from the triggering conditions in multipathd.socket. Consequently, the unit file repeatedly tried to start multipathd and failed. This resulted in disabling multipathd after too many failed attempts. With this fix, the starting conditions for multipathd.socket and multipathd.service have been set to the same values. As a result, the multipathd.socket unit file no longer attempts to start multipathd where the starting conditions for multipathd.service are not met.

Protection uevents no longer cause reload failure of multipath devices

Previously, when a read-only path device was rescanned, the kernel sent out two write protection uevents - one with the device set to read/write, and the following with the device set to read-only. Consequently, upon detection of the read/write uevent on a path device, multipathd tried to reload the multipath device, which caused a reload error message. With this update, multipathd now checks that all the paths are set to read/write before reloading a device read/write. As a result, multipathd no longer tries to reload read/write whenever a read-only device is rescanned.

The -j flag now works when used in a Makefile

Previously, when you added the -j flag to MAKEFLAGS inside the Makefile, the targets were built sequentially instead of in parallel. This bug has been fixed, and now the targets are built at the same time when you use the -j flag in the Makefile.

Statically linked applications no longer crash

Previously, the initialization code of the dynamic loader, which is linked into statically linked binaries, did not initialize a link map variable correctly. Consequently, statically linked applications crashed if LD_LIBRABY__PATH contained a dynamic token string. With this update statically linked applications no longer crash.

pthread_once() in glibc has been fixed to correctly support C++ exceptions

Previously, the pthread_once() implementation could result in a hang when using libstdc++ library functions. For example libstdc++'s std::call_once() called a function that threw an exception which would result in a hang. With this update, pthread_once() is fixed and no longer hangs when an exception is thrown.

Certmonger can now automatically renew SCEP certificates with AD when challengePassword is required for enrollment

Previously, requests for renewal of SCEP certificates sent by certmonger to an Active Directory (AD) Network Device Enrollment Service (NDES) server included the challengePassword used to originally obtain the certificate. However, AD treats challengePassword as a one-time password (OTP). As a consequence, the renewal request was rejected.

FreeRADIUS proxy server no longer stops working when a second FreeRADIUS server is unavailable

When a FreeRADIUS server is configured as a proxy server it forwards request messages to another FreeRADIUS server. Previously, if the connection between these two servers was interrupted, the FreeRADIUS proxy server stopped working. With this fix, the FreeRADIUS proxy server is now able to reestablish a connection when the other server becomes available.

Authenticating to Directory Server in FIPS mode with PBKDF2-hashed passwords now works as expected

When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the PK11_ExtractKeyValue() function is not available. As a consequence, users with a password-based key derivation function 2 (PBKDF2) hashed password could not authenticate to the server when FIPS mode was enabled. With this update, Directory Server now uses the PK11_Decrypt() function to get the password hash data. As a result, authenticating to Directory Server in FIPS mode now works for users with PBKDF2-hashed passwords.

Socket activation of SSSD succeeds when the SSSD cache is mounted in tmpfs as the SSSD user

Previously, socket activation of SSSD would fail if the SSSD cache was mounted in a tmpfs temporary file system because the /var/lib/sss/db/config.ldb SSSD configuration file was not owned by the sssd user. With this fix, SSSD creates the config.ldb file as the sssd user and socket activation succeeds. If you have mounted the /var/lib/sssd/db/ SSSD cache directory in tpmfs, you must remount it as the sssd user so SSSD can create the config.ldb file in that location.

Matrox GPU with a VGA display now works as expected

Prior to this release, your display showed no graphical output if you used the following system configuration:

A playbook using the Metrics role completes successfully on multiple runs even if the Grafana admin password is changed

Previously, changes to the Grafana admin user password after running the Metrics role with the metrics_graph_service: yes boolean caused failure on subsequent runs of the Metrics role. This led to failures of playbooks using the Metrics role, and the affected systems were only partially set up for performance analysis. Now, the Metrics role uses the Grafana deployment API when it is available and no longer requires knowledge of username or password to perform the necessary configuration actions. As a result, a playbook using the Metrics role completes successfully on multiple runs even if the administrator changes the Grafana admin password.

The SSHD system role uses the correct template file

In RHEL 8.5, the SSHD system role used a wrong template file. As a consequence, the generated sshd_config file did not contain the # Ansible managed comment. The missing comment did not affect any functionality on the system. With this update, the system role uses the correct template file and sshd_config contains the correct # Ansible managed comment.

The Networking system role no longer fails to set a DNS search domain if IPv6 is disabled

Previously, the nm_connection_verify() function of the libnm library did not ignore the DNS search domain if the IPv6 protocol was disabled. As a consequence, when you used the Networking RHEL system role and set dns_search together with ipv6_disabled: true, the system role failed with the following error:

The nm provider in the Networking system role now correctly manages bridges

Previously, if you used the initscripts provider, the Networking system role created an ifcfg file which configured NetworkManager to mark bridge interfaces as unmanaged. Also, NetworkManager failed to detect followup initscript actions. For example, the down and absent actions of initscript provider will not change the NetworkManager’s understanding on unmanaged state of this interface if not reloading the connection after the down and absent actions. With this fix, the Networking system role uses the NM.Client.reload_connections_async() function to reload NetworkManager on managed hosts with NetworkManager 1.18. As a result, NetworkManager manages the bridge interface when switching the provider from initscript to nm.

The SSH server role now detects FIPS mode and handles tasks correctly in FIPS mode

Previously, when managing RHEL8 and older systems in FIPS mode, one of the default hostkeys was not allowed to be created. As a consequence, the SSH server role operation failed to generate the not allowed key type when invoked. With this fix, the SSH server role detects FIPS mode and adjusts default hostkey list accordingly. As a result, the SSH server role can now manage systems in FIPS mode with default hostkeys configuration.

The Logging system role no longer calls tasks multiple times

Previously, the Logging role was calling tasks multiple times that should have been called only once. As a consequence, the extra task calls slowed down the execution of the role. With this fix, the Logging role was changed to call the tasks only once, improving the Logging role performance.

RHEL system roles now handle multi-line ansible_managed comments in generated files

Previously, some of the RHEL system roles were using # {{ ansible_managed }} to generate some of the files. As a consequence, if a customer had a custom multi-line ansible_managed setting, the files would be generated incorrectly. With this fix, all of the system roles use the equivalent of {{ ansible_managed | comment }} when generating files so that the ansible_managed string is always properly commented, including multi-line ansible_managed values. Consequently, generated files have the correct multi-line ansible_managed value.

The Logging role no longer misses quotes for the immark module interval value

Previously, the "interval" field value for the immark module was not properly quoted, because the immark module was not properly configured. This fix ensures that the "interval" value is properly quoted. Now, the immark module works as expected.

The group option no longer keeps certificates inaccessible to the group

Previously, when setting the group for a certificate, the mode was not set to allow group read permission. As a consequence, group members were unable to read certificates issued by the Certificate role. With this fix, the group setting now ensures that the file mode includes group read permission. As a result, the certificates issued by the Certificate role for groups are accessible by the group members.

The /etc/tuned/kernel_settings/tuned.conf file has a proper ansible_managed header

Previously, the Kernel settings RHEL system role had a hard-coded value for the ansible_managed header in the /etc/tuned/kernel_settings/tuned.conf file. Consequently, users could not provide their custom ansible_managed header. In this update, the problem has been fixed so that kernel_settings updates the header of /etc/tuned/kernel_settings/tuned.conf with user’s ansible_managed setting. As a result, /etc/tuned/kernel_settings/tuned.conf has a proper ansible_managed header.

The logging_purge_confs option no longer fails to delete unnecessary configuration files

Previously, the logging_purge_confs variable was prepared to delete unnecessary logging configuration files, but failed to clean them up. Consequently, even though the logging_purge_confs variable was set to true, unnecessary configuration files were not cleaned up, but left in the configuration directory. This issue is now fixed and the logging_purge_confs variable has been redefined to work as follows.

Fixed a typo to support active-backup for the correct bonding mode

Previously, there was a typo,active_backup, in supporting the InfiniBand port while specifying active-backup bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing bonding mode to active-backup. The connection now successfully supports the InfiniBand bonding port.

Configuration by the Metrics role now follows symbolic links correctly

When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the Metrics role overwrote the symbolic link instead of following it and configuring mssql.conf. Consequently, running the Metrics role changed the symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The issue is now fixed and the follow: yes option to follow the symbolic link has been added to the Metrics role. As a result, the Metrics role preserves the symbolic links and correctly configures the main configuration file.

The Kernel settings system role now correctly installs python3-configobj

Previously, the Kernel settings role returned an error that the python3-configobj package could not be found. The role failed to find the package because it did not install python3-configobj on managed hosts. With this update, the role now installs python3-configobj on managed hosts and works correctly.

The Kdump system role does not ignore hosts anymore

Previously, the Kdump role ignored managed nodes that do not have memory reserved for crash kernel, and consequently completed with the “Success” status even when not configuring the system correctly. The role has been redesigned to fail in cases where managed nodes do not have memory reserved for crash kernel, and to prompt the user to set the kdump_reboot_ok variable to true to correctly configure kdump on managed nodes. As a result, the Kdump role now does not ignore hosts, and either completes successfully with the correct configuration, or fails with an error message describing what users need to do to fix the issue.

The Firewall system role now reloads the firewall immediately when target changes

Previously, the Firewall system role was not reloading the firewall when the target parameter has been changed. With this fix, the Firewall role reloads the firewall when the target changes, and as a result, the target change is immediate and available for subsequent operations.

Default pcsd permissions for HA Cluster system role now allow access for group haclient

Previously, when a user ran the HA Cluster system role with the default pcsd permissions that were set with the ha_cluster_pcs_permission_list variable, only members of the group hacluster had access to the cluster. With this fix, the default pcsd permissions allow the group haclient to manage the cluster and all members of haclient can now access and manage the cluster.

strict NUMA binding policy no longer allows for moving runtime memory

Previously, when the strict NUMA binding policy was enabled in a VM (<memory mode='strict'/>), attempting to move runtime memory from that VM to another NUMA node in some cases partly or completely failed. To avoid this problem, the strict policy now completely prohibits moving runtime memory.

multifd migration now works reliably

Previously, attempting to migrate a virtual machine (VM) using the multifd feature of QEMU caused the migration to fail and the VM to terminate unexpectedly. The underlying code has been fixed, and multifd migration now works as expected.

VM migration and snapshots no longer failing due to virtio-balloon

Previously, attempting to migrate a virtual machine (VMs) with a more recent guest operating system (such as RHEL 9) failed if the VM was using the virtio-balloon device. Similarly, creating a snapshot of such a VM failed. This update fixes a bug in the page poison feature of virtio-balloon, which prevents the described problem from occurring.

Hot unplugging an IBMVFC device on PowerVM now works as expected

Previously, when using a virtual machine (VM) with a RHEL 8 guest operating system on the PowerVM hypervisor, attempting to remove an IBM Power Virtual Fibre Channel (IBMVFC) device from the running VM failed. Instead, it displayed an outstanding translation error. The underlying code has been fixed and live hot unplugs of IBMVFC device now work correctly on PowerVM.

Rootless containers created in RHEL 8.5 and earlier using fuse-overlayfs now recognize removed files

Previously, in RHEL 8.4 and earlier, rootless images and containers were created or stored using the fuse-overlayfs file system. Using such images and containers in RHEL 8.5 and later introduced problems for unprivileged users using the overlayfs implementation provided by the kernel and who had removed files or directories from a container or from an image in RHEL 8.4. This problem did not apply to containers created by the root account.