Chapter 8. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 8.7 that have a significant impact on users.
8.1. Installer and image creation
The installer no longer installs earlier versions of packages
Previously, the installer did not correctly load the DNF configuration file during the installation process. As a consequence, the installer sometimes installed earlier versions of select packages in the RPM transaction.
This bug has been fixed, and only the latest versions of packages are now installed from the installation repositories. In cases where it is impossible to install the latest versions of the packages, the installation fails as expected.
Anaconda installation is successful even if changing the network configuration in stage2
Previously, when using the rd.live.ram boot argument, Anaconda did not unmount an NFS mount point that is used in initramfs to fetch the installation image into memory. As a consequence, the installation process could become unresponsive or fail with a timeout error if the network configuration was changed in stage2.
To fix this problem, the NFS mount point used to fetch the installation image into memory is unmounted in initramfs before switchroot. As a result, the installation process is completed without any interruption.
(BZ#1970726)
Installer asks for the passphrase missing in the Kickstart file for the encrypted devices during the installation
Previously, when running the installer in graphical mode, if the passphrase was not specified in the Kickstart file, the installer would not ask for entering the passphrase for encrypted devices. As a consequence, the partitioning specified in the Kickstart file was not applied during the installation.
This update adds a dialog window that appears during the installation and asks for the missing passphrase. As a result, the installer properly applies the partitioning scheme specified in the Kickstart file.
Images now build successfully for packages in blueprint that contain conditional dependencies
Previously, using the web console to customize a blueprint with packages that contained conditional dependencies, such as ipa-client, cockpit, and podman, caused the build to fail because of missing dependencies: the conditional dependency was not met when the packages were dep-solved. This issue is now fixed, and builds no longer fail when dep-solving conditional dependencies.
8.2. Software management
DNF now correctly rolls back a transaction containing an item with the Reason Change Action type
Previously, running the dnf history rollback command on a transaction containing an item with the Reason Change Action type failed. With this update, the issue has been fixed, and dnf history rollback now works as expected.
8.3. Shells and command-line tools
The cmx operation with no parameter no longer crashes the CIM Client
The cmx operation calls a method and returns XML; a parameter specifies the name of the called method. Previously, the command line sblim-wbemcli Common Information Model (CIM) Client crashed when running the cmx operation without an additional parameter. With this update, the cmx operation requires the parameter that defines the name of the called method. Invoking the cmx operation without this parameter results in an error message, and the CIM Client no longer crashes.
The cvSaveImage function in the opencv library no longer terminates the user application
Previously, the opencv library could not use the cvSaveImage function correctly. Consequently, the user application was terminated unexpectedly. With this update, the cvSaveImage function writes the image data on disk and no longer terminates the user application.
ReaR no longer fails to display an error message if it does not update the UUID in /etc/fstab
Previously, ReaR did not display an error message during recovery when it failed to update the universally unique identifier (UUID) in /etc/fstab to match the UUID of the newly created partition in case the UUIDs were different. This could have happened if the rescue image was out of sync with the backup. With this update, an error message is displayed during recovery if the restored basic system files do not match the recreated system.
ReaR with the PXE output method no longer fails to store the output files in the rsync OUTPUT_URL location
In RHEL 8.5, the handling of the OUTPUT_URL variable with the OUTPUT=PXE and BACKUP=RSYNC options was removed. As a consequence, when using an rsync location for OUTPUT_URL, ReaR failed to copy the initrd and kernel files to this location, although it uploaded them to the location specified by BACKUP_URL. With this update, the behavior from RHEL 8.4 and earlier releases is restored. ReaR creates the required files at the designated OUTPUT_URL destination using rsync.
ReaR now supports restoring a system using NetBackup version 9
Previously, restoring a system using the NetBackup (NBU) method with NetBackup version 9 or later failed due to missing libraries and other files. With this update, the NBU_LD_LIBRARY_PATH variable contains the required library paths and the rescue system now incorporates the required files, and ReaR can use the NetBackup method.
(BZ#2077404)
ReaR no longer displays a false error message about missing symlink targets
Previously, ReaR displayed incorrect error messages about missing symlink targets for the build and source symlinks under /usr/lib/modules/ when creating the rescue image. This situation was harmless, and you could safely ignore the error message. With this update, ReaR does not report a false error message about missing symlink targets in this situation.
Fallbacks of SR-IOV devices now complete successfully
Previously, Single Root I/O Virtualization (SR-IOV) devices did not fall back after device failover because the hcnmgr script used an incorrect active_slave attribute instead of a primary attribute. With this update, the hcnmgr script uses the correct attribute and fallbacks for SR-IOV devices complete successfully.
(BZ#2078514)
ppc64-diag rebased to version 2.7.8
The ppc64-diag package for platform diagnostics has been updated to version 2.7.8. Notable improvements and bug fixes include:
- Updated build dependency to use libvpd utility version 2.2.9 or higher
- Fixed extract_opal_dump error message on unsupported platform
- Fixed build warning with GCC-8.5 and GCC-11 compilers
(BZ#2051313)
lsvpd rebased to version 1.7.14
The lsvpd package, which provides commands for constituting a hardware inventory system, has been updated to version 1.7.14. With this update, the lsvpd utility prevents corruption of the database file when you run the vpdupdate command.
(BZ#2051316)
libvpd rebased to version 2.2.9
The libvpd package, which contains classes for accessing the Vital Product Data (VPD), has been updated to version 2.2.9. Notable improvements and bug fixes include:
- Fixed database locking
- Updated libtool utility version information
(BZ#2051319)
8.4. Infrastructure services
The printer test page layout in RHEL 8 has changed
Previously, the print test page was not printed if the destination document format was PDF. This update introduces a new test page layout to work with a broader set of printers. Note that the test page does not contain any information regarding the printer or the test page print job.
The frr binary files and scripts have a new location
Previously, the frr package for managing dynamic routing stack contained its binary files and scripts in the /usr/lib/frr directory, which caused certain issues when applying the new targeted SELinux policy. Consequently, SELinux logged denial messages in access vector cache (AVC) and prevented frr from starting properly.
With this update, /usr/libexec/frr is the new location of the frr binary files and scripts. As a result, SELinux applies rules for binaries and scripts in /usr/libexec/frr and for other frr libraries in /usr/lib64/frr separately, and no longer produces denial messages.
8.5. Security
OpenSCAP remediation sets correct permissions for /etc/tmux.conf
Previously, when remediating the SCAP rule configure_tmux_lock_after_time, the /etc/tmux.conf file was created with permissions respecting umask (600). This caused /etc/tmux.conf to be unreadable by regular users. If a regular user logged in, they received an error message and had to wait for several minutes before a timeout ran out and they were logged in. With this update, the remediation of rule configure_tmux_lock_after_time sets specific permissions of /etc/tmux.conf to 644. As a result, regular users no longer encounter the error message or login delay.
SCAP rule for Rsyslog correctly identifies .conf files
Previously, rule "Ensure System Log Files Have Correct Permissions" (xccdf_org.ssgproject.content_rule_rsyslog_files_permissions) did not expand glob expressions in Rsyslog include statements. As a consequence, the rule did not parse all relevant configuration files, and some log files did not have their permissions checked. With this update, the rule correctly expands the glob expressions to identify the .conf files it needs to parse. As a result, the rule now correctly processes the required .conf files to ensure that all configured log files have the correct permissions.
(BZ#2075384)
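The effect of not expanding include globs can be reproduced with a small checker. The following is an added example, not the SCAP Security Guide's own check: it builds a constructed configuration tree in a temporary directory and compares an audit that reads only the main file with one that follows include globs. The 0600 limit, the function names, and the sample file names are assumptions made for the illustration.

```python
import glob
import os
import re
import stat
import tempfile

# Legacy `$IncludeConfig <pattern>` and RainerScript `include(file="<pattern>")`.
INCLUDE_RE = re.compile(
    r'^\s*(?:\$IncludeConfig\s+(?P<legacy>\S+)'
    r'|include\s*\(\s*file\s*=\s*"(?P<rs>[^"]+)")', re.IGNORECASE)
# Selector/action lines that write to a file, e.g. "mail.*  -/var/log/maillog".
LOGFILE_RE = re.compile(r'^\s*[^#$\s]\S*\s+-?(?P<path>/\S+)\s*$')


def config_files(main_conf, root=""):
    """Return main_conf plus every file reached through include statements.

    Glob patterns in include statements are expanded; `root` is a sandbox
    prefix so the example can run against a constructed tree.
    """
    seen, queue = [], [main_conf]
    while queue:
        path = queue.pop(0)
        if path in seen or not os.path.isfile(root + path):
            continue
        seen.append(path)
        with open(root + path) as fh:
            for line in fh:
                m = INCLUDE_RE.match(line)
                if m:
                    pattern = m.group("legacy") or m.group("rs")
                    for hit in sorted(glob.glob(root + pattern)):
                        queue.append(hit[len(root):])
    return seen


def log_files(conf_paths, root=""):
    """Collect the log file paths named by action lines in the given configs."""
    found = []
    for path in conf_paths:
        with open(root + path) as fh:
            for line in fh:
                m = LOGFILE_RE.match(line)
                if m and m.group("path") not in found:
                    found.append(m.group("path"))
    return found


def too_permissive(paths, root="", max_mode=0o600):
    """Return the paths whose mode has bits outside max_mode (assumed limit)."""
    bad = []
    for p in paths:
        if os.path.exists(root + p):
            mode = stat.S_IMODE(os.stat(root + p).st_mode)
            if mode & ~max_mode:
                bad.append(p)
    return bad


def build_sample_tree(root):
    """Constructed sample: the world-readable log is configured in a drop-in."""
    os.makedirs(root + "/etc/rsyslog.d")
    os.makedirs(root + "/var/log")
    with open(root + "/etc/rsyslog.conf", "w") as fh:
        fh.write("$IncludeConfig /etc/rsyslog.d/*.conf\n"
                 "authpriv.*    /var/log/secure\n")
    with open(root + "/etc/rsyslog.d/10-app.conf", "w") as fh:
        fh.write("local3.*    -/var/log/app.log\n")
    for name, mode in (("secure", 0o600), ("app.log", 0o644)):
        open(root + "/var/log/" + name, "w").close()
        os.chmod(root + "/var/log/" + name, mode)


def audit(root, expand_globs=True):
    """List over-permissive log files, with or without following include globs."""
    if expand_globs:
        confs = config_files("/etc/rsyslog.conf", root)
    else:
        confs = ["/etc/rsyslog.conf"]
    return too_permissive(log_files(confs, root), root)


def run_sample():
    """Return (findings without glob expansion, findings with glob expansion)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root, expand_globs=False), audit(root, expand_globs=True)


if __name__ == "__main__":
    print(run_sample())
```

Without glob expansion the drop-in file is never parsed, so the world-readable log it configures goes unreported.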
Rules for chronyd do not require explicit chrony user configuration
RHEL runs chronyd under the chrony user by default. Previously, the check and remediation for the chronyd service configuration user were stricter than necessary. The overly strict check led to false positives and to excessive remediations. In this version, the check and remediations of the rule xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user are updated so that both the minimalistic correct configuration and legacy explicit correct configurations pass. As a result, the rule respects the default RHEL behavior and does not require explicit chrony user configuration.
Warning added to rsyslog_remote_loghost
The SCAP rule xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost ensures that the Rsyslog daemon is configured to send log messages to a remote log host. However, the rule does not configure TCP queues. As a consequence, the system hangs if TCP queues are not configured and the remote log host becomes unavailable. This update adds a warning message that explains how to configure TCP queues. If you encounter system hangs while using this rule, read the warning and configure the system properly.
Remediation of sudo_custom_logfile works for custom sudo log files
Previously, remediation of the SCAP Security Guide rule xccdf_org.ssgproject.content_sudo_custom_logfile did not work for custom sudo log files with a different path than /var/log/sudo.log. With this update, the rule is fixed so that it can properly remediate if the system has a custom sudo log file that does not match the expected path.
Remediation of firewalld_sshd_port_enabled now works correctly
Previously, Bash remediation of the SCAP rule xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled incorrectly handled lists of network interfaces. Additionally, configuration files had different names than required. This update has fixed the remediation. As a result, the remediation handles all network interfaces correctly, and configuration files have predictable names.
fagenrules --load now works correctly
Previously, the fapolicyd service did not correctly handle the hang-up signal (SIGHUP). Consequently, fapolicyd terminated after receiving the SIGHUP signal, and the fagenrules --load command did not work properly. This update contains a fix for the problem. As a result, fagenrules --load now works correctly, and rule updates no longer require manual restarts of fapolicyd.
8.6. Networking
The NetworkManager utility enforces correct ordering of IPv6 addresses from various sources
In general, the ordering of IPv6 addresses affects the priority for source address selection, for example, when you make an outgoing TCP connection. Previously, the relative priority of IPv6 addresses added through the manual, dhcpv6, and autoconf6 methods was not correct. With this update, the problem has been fixed and the ordering priority now reflects this logic: manual > dhcpv6 > autoconf6. However, the order of addresses under the ipv6.addresses setting did not change and the address added last still has the highest priority.
Asymmetric routing now works correctly
The previous minor version of RHEL 8 contained a change that caused connection tracking to fail in some cases. Consequently, asymmetric routing was not working correctly. This release reverts the change that was introduced in RHEL 8.6. As a result, the asymmetric routing works correctly.
(BZ#2062870)
8.7. Kernel
A new ability to deprecate CgroupV1 memory.swappiness allowing for consistent swap behavior
CgroupV1 includes the memory.swappiness per-cgroup swappiness value that controls the swap behavior of the given cgroup.
However, systemd processes run within cgroups and the sysctl swappiness value has minimal effect on swap heuristics. Such cgroups ignore the values in sysctl or tuned configurations and processes running on the system are assigned a default swappiness value of 60. As a consequence, in cases with high memory pressure and page reclamation, earlier or more aggressive swapping can occur compared to the assigned swappiness value.
This update introduces a new sysctl variable, /proc/sys/vm/force_cgroupv2_swappiness, with a default value of 0. When set to 1, the memory.swappiness value becomes deprecated and all per-cgroups swappiness values mirror the system-wide swappiness value in the /proc/sys/vm/swappiness file. As a result, the memory swapping behavior of cgroups is more consistent.
(BZ#2084242)
Anaconda no longer fails after entering a passphrase for encrypted devices
Previously, if kdump was disabled when preparing an installation, and the user selected encrypted disk partitioning, the Anaconda installer failed with a traceback after entering a passphrase for the encrypted device.
This update fixes the problem, and users no longer need to enable kdump to create encrypted disk partitioning.
The net_prio or net_cls controllers in v1 mode now work correctly
Previously, in cgroup-v2 environments, using either net_prio or net_cls controllers in v1 mode disabled the hierarchical tracking of socket data. As a consequence, the cgroup-v2 hierarchy for socket data tracking controllers was not active, and the dmesg command reported the following message:
cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
This update ensures cgroup-v2 is correctly active after the reboot.
(BZ#2046396)
8.8. Boot loader
grubby now passes arguments to future kernels
When installing a newer version of the kernel, the grubby tool did not pass the kernel command-line arguments from the previous kernel version. As a consequence, the GRUB boot loader ignored user settings. With this fix, the user settings now persist after installing the new kernel version.
8.9. High availability and clusters
pcs now recognizes the mode option when creating a new Booth ticket
Previously, when a user specified a mode option when adding a new Booth ticket, pcs reported the error invalid booth ticket option 'mode'. With this fix, you can now specify the mode option when creating a Booth ticket.
pcs now validates the value of stonith-watchdog-timeout
Previously, it was possible to set the stonith-watchdog-timeout property to a value that is incompatible with SBD configuration. This could result in a fence loop, or could cause the cluster to consider a fencing action to be successful even if the action is not finished. With this fix, pcs validates the value of stonith-watchdog-timeout when you set it, to prevent incorrect configuration.
8.10. Dynamic programming languages, web and database servers
MariaDB 10.5 now warns about dropping a non-existent table when the OQGraph plug-in is enabled
Previously, when the OQGraph storage engine plug-in was loaded to the MariaDB 10.5 server, MariaDB did not warn about dropping a non-existent table. In particular, when the user attempted to drop a non-existent table using the DROP TABLE or DROP TABLE IF EXISTS SQL commands, MariaDB neither returned an error message nor logged a warning. This bug has been fixed, and a warning is now shown in the described scenario.
8.11. Compilers and development tools
Applications no longer deadlock when invoking pthread_atfork or dlclose from fork handler callbacks
Previously, applications invoked pthread_atfork handler callbacks while glibc had acquired an internal lock. As a result, registering fork handlers or calling dlclose from a fork handler could deadlock applications.
A different synchronization mechanism is now used to protect internal data structures while fork handlers are running. As a result, applications no longer deadlock when invoking pthread_atfork or dlclose from fork handler callbacks.
Wildcard functions in Makefiles no longer return symbolic links when only directories are expected
Previously, the GLOB_ONLYDIR hint used by glob() misreported symbolic links as directories on certain XFS filesystems. When using glob(), make did not confirm that the hints were actually directories and, as a result, wildcard functions in Makefiles returned symbolic links when only directories were expected.
The bug has been fixed and wildcard functions in Makefiles no longer return symbolic links when only directories are expected.
popen() no longer causes multithreaded processes to crash
Previously, a defect in popen() caused applications to crash when using the interface from a multithreaded process. With this update, the bug has been fixed and multithreaded processes no longer crash when using popen().
The mapping for the 0xBC code point for some IBM character sets is now U+00AF MACRON
Previously, the IBM256, IBM277, IBM278, IBM280, IBM284, IBM297, and IBM424 character sets encoded the EBCDIC code point 0xBC as the Unicode character U+203E OVERLINE. As a result, when using the iconv program provided by glibc, converting text in those character sets containing the 0xBC code point failed for non-Unicode character sets such as ISO-8859-1 because they could not encode the U+203E OVERLINE character.
With this update, the bug has been fixed. As a result, input in the IBM277, IBM278, IBM280, IBM284, and IBM297 character sets can be converted to ISO-8859-1 in all cases. For the IBM256 and IBM424 character sets, conversion no longer fails if the input text contains the 0xBC code point and the respective output is U+00AF MACRON.
The tempnam function now uses getrandom to increase the randomness of generated file names
Previously, the tempnam function in Red Hat Enterprise Linux 8.4 and later used time-derived randomness for choosing paths. As a result, the tempnam function was not producing the full set of possible file names when invoked repeatedly in quick succession. This bug has been fixed by a new implementation that uses the getrandom function to increase the randomness of the generated file names. As a result, the tempnam function now generates more distinct file names.
POWER9-optimized strncpy function no longer gives incorrect results
Previously, the POWER9 strncpy function did not use the correct register as the source of the NUL bytes for padding. Consequently, the output buffer contained uninitialized register content instead of the NUL padding. With this update, the strncpy function has been fixed, and the end of the output buffer is now correctly padded with NUL bytes.
The en_US@ampm locale is now listed correctly by locale -a
Previously, there was a defect in the listing of en_US@ampm in the output of the locale -a command. Consequently, the setlocale API failed when trying to set this locale using its name/alias printed by locale -a. With this update, en_US@ampm is now listed correctly and calls to setlocale succeed for all locales printed by locale -a.
Unit masks for events are now all included in the papi_xml_event_info output
Previously, the testing of event unit mask information in papi_xml_event_info was incomplete. In some cases, unit masks for events were not included in the papi_xml_event_info output. This bug has been fixed and as a result, papi_xml_event_info now prints out all the unit masks for an event.
(BZ#2037426)
8.12. Identity Management
Debug messages no longer logged to /var/log/messages by default
Previously, the ipa-dnskeysyncd and ipa-ods-exporter daemons logged all debug messages to /var/log/messages by default, resulting in log files growing substantially. If required, you can now configure the debug log level by setting debug=True in the /etc/ipa/dns.conf file. For more information refer to the default.conf(5) man page.
Preserving user accounts
Previously, if you ran the ipa user-del --preserve user_login command to preserve a user account, the output incorrectly returned the message Deleted user “user_login”. This message incorrectly indicates that the user was deleted and not preserved as expected. With this update, the output now returns Preserved user “user_login”.
Transferring Kerberos databases greater than 4 GB
Previously, the kprop service and the kpropd command used a 32-bit value when storing the size of the Kerberos KDC database. As a result, the transfer of the Kerberos database dump file from the primary Kerberos server to a replica server failed if the database size exceeded 4 GB.
This update modifies Kerberos so that it can now transfer KDC databases greater than 4 GB.
(BZ#2026462)
Handling unreadable objects in an LDAP group’s member list
Before this update, SSSD handled unreadable objects in an LDAP group’s member list inconsistently: unreadable objects either caused an error or, in certain situations, were ignored.
With this update, SSSD has a new option, ldap_ignore_unreadable_references, to modify this behavior. If the ldap_ignore_unreadable_references option is set to false, unreadable objects cause an error, and if it is set to true, unreadable objects are ignored. The default is false and, because of the original inconsistent behavior, some group lookups may fail after the update. In this case, set ldap_ignore_unreadable_references = True in the corresponding [domain/name of the domain] section in the /etc/sssd/sssd.conf file.
This allows unreadable objects to be handled in a consistent manner and the behavior can be tuned using the new ldap_ignore_unreadable_references option.
(BZ#2069379)
8.13. Desktop
The Airplane Mode switch is always displayed
Previously, the Airplane Mode switch in the Wi-Fi section of the Settings application disappeared after you enabled airplane mode. With this update, the problem has been fixed, and the Settings application always displays the Airplane Mode switch, regardless of its state.
(BZ#2079139)
8.14. Graphics infrastructures
Hotkeys in Motif applications activate the correct item
Previously, menu hotkeys activated the wrong menu item in applications using the Motif toolkit. When a submenu was open and you pressed a hotkey associated with its item, the application activated an item in the parent menu instead.
With this update, the problem has been fixed, and hotkeys now activate the correct submenu items.
The desktop no longer fails to start with disabled IPv6 and DisallowTCP=false
Previously, the X11 desktop session failed to start after login under the following circumstances:
- IPv6 networking was disabled on your system.
- The DisallowTCP=false option was enabled in GDM configuration.
With this update, the problem has been fixed, and you can log into the X11 session as expected with the described configuration.
8.15. The web console
Removing USB host devices using the web console now works as expected
Previously, when you attached a USB device to a virtual machine (VM), the device number and bus number of the USB device changed after they were passed to the VM. As a consequence, using the web console to remove such devices failed due to the incorrect correlation of the device and bus numbers. With this update, the issue has been fixed and you can remove the USB host devices using the web console.
(JIRA:RHELPLAN-109067)
Attaching multiple host devices using the web console now works as expected
Previously, when you selected multiple devices to attach to a virtual machine (VM) using the web console, only a single device was attached and the rest were ignored. With this update, the issue has been fixed and you can now simultaneously attach multiple host devices using the web console.
(JIRA:RHELPLAN-115603)
8.16. Red Hat Enterprise Linux system roles
Fixed a typo to support active-backup for the correct bonding mode
Previously, there was a typo, active_backup, in supporting the InfiniBand port while specifying active-backup bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing bonding mode to active-backup. The connection now successfully supports the InfiniBand bonding port.
The IPRouteUtils.get_route_tables_mapping() function now accepts any whitespace sequence
Previously, a parser for the iproute2 routing table database, such as /etc/iproute2/rt_tables, asserted that entries in the file were of the form 254 main and only a single space character separated the numeric ID and the name. Consequently, the parser failed to cache all the mappings between the route table name and table ID. Therefore, the user could not add a static route into the route table by defining the route table name. With this update, the parser accepts any whitespace sequence in between the table ID and table name. As a result, the parser caches all the mappings between the route table name and table ID, and users can add a static route into the route table by defining the route table name.
Configuration by the metrics RHEL system role follows symbolic links correctly
When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the metrics role overwrote the symbolic link instead of following it and configuring mssql.conf. Consequently, running the metrics role changed the symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The problem is now fixed and the follow: yes option to follow the symbolic link has been added to the metrics role. As a result, the metrics role preserves the symbolic links and correctly configures the main configuration file.
The tlog RHEL system role is now correctly overlaid by SSSD
Previously, the tlog RHEL system role relied on the System Security Services Daemon (SSSD) files provider and on the enabled authselect option with-files-domain to set up correct passwd entries in the nsswitch.conf file. With this fix, the tlog role now updates the nsswitch.conf to ensure tlog-rec-session is correctly overlaid by SSSD.
The mount_options parameter for volumes is now valid for a volume
Previously, the parameter was accidentally removed from the list of valid parameters for a volume. Consequently, users were unable to set the mount_options parameter for volumes. With this bug fix, the mount_options parameter has been added back to the list of valid parameters and the code has been refactored to catch the errors. As a result, the storage RHEL system role can set the mount_options parameter for volumes.
The metrics RHEL system role README and documentation now clearly specifies supported Redis and Grafana versions on specific versions of RHEL by the role
Previously, when trying to use the metrics role with unsupported versions of Redis and Grafana on unsupported platforms, the role failed. This update clarifies the documentation about which versions of Redis and Grafana are supported on which versions of RHEL by the role. As a result, you can avoid trying to use unsupported versions of Redis and Grafana on unsupported platforms.
The kernel_settings RHEL system role now correctly installs python3-configobj
Previously, the kernel_settings role returned an error that the python3-configobj package could not be found. The role failed to find the package because it did not install python3-configobj on managed hosts. With this update, the role now installs python3-configobj on managed hosts and works correctly.
The storage RHEL system role now correctly supports striped and raid0 levels for LVM volumes
The storage RHEL system role previously incorrectly reported RAID levels striped and raid0 as not supported for LVM volumes. This is now fixed and the role can now correctly create LVM volumes of all RAID levels supported by LVM: raid0, raid1, raid4, raid5, raid6, raid10, striped and mirror.
The metrics RHEL system role automatically restarts pmie and pmlogger services after an update to their configuration
Previously, the pmie and pmlogger services did not restart after their configuration was changed and waited for handler execution. This caused errors with other metrics services, which required pmie and pmlogger configuration to match their runtime behavior. With this update, the role restarts pmie and pmlogger immediately after a configuration update, their configuration matches runtime behavior of dependent metrics services, and they work correctly.
The forward_port parameter now accepts both the string and dict option
Previously, in the firewall RHEL system role, the forward_port parameter only accepted the string option. However, the role documentation claimed that both string and dict options were supported. Consequently, the users reading and following the documentation were getting an error. This bug has been fixed by making forward_port accept both options. As a result, the users can safely follow the documentation to configure port forwarding.
The nbde_client system role now uses proper spacing when specifying extra Dracut command-line parameters
The Dracut framework requires proper spacing when specifying additional parameters, such as kernel command-line parameters. If the parameters are not specified with proper spacing, Dracut might not append the specified extra parameters to the kernel command line. With this update, the nbde_client system role uses proper spacing when creating add-on Dracut configuration files. As a result, the role correctly sets Dracut command-line parameters.
Minimal RSA key bit length option in the ssh and sshd RHEL system roles
Accidentally using short RSA keys might make the system more vulnerable to attacks. With this update, you can set RSA key minimal bit lengths for OpenSSH clients and servers by using the RSAMinSize option in the ssh and sshd RHEL system roles.
The NBDE Client system role supports static IP addresses
In previous versions of RHEL, restarting a system with a static IP address and configured with the Network Bound Disk Encryption (NBDE) Client system role would change the system’s IP address. With this change, systems with static IP addresses are supported by the NBDE Client system role, and their IP addresses do not change after a reboot.
Note that by default, the NBDE role uses DHCP when booting, and switches to the configured static IP when the system is booted.
8.17. Virtualization
Live pre-copy migration of VMs with failover VFs now works correctly
Previously, attempting to pre-copy migrate a running virtual machine (VM) failed if the VM used a device with the virtual function (VF) failover capability enabled. This update fixes the problem, and migrating VMs in the described scenario now works correctly.
(BZ#2054656)
8.18. RHEL in cloud environments
An instance now retains the primary IP address even after starting the nm-cloud-setup service in Alibaba Cloud
Previously, after launching an instance in the Alibaba Cloud, the nm-cloud-setup service configured the incorrect IP address as the primary IP address in case of multiple IPv4 addresses. Consequently, this affected the selection of the IPv4 source address for outgoing connections. With this update, after configuring secondary IP addresses manually, the NetworkManager package fetches the primary IP address from primary-ip-address metadata and configures both primary and secondary IP addresses correctly.
SR-IOV no longer performs suboptimally in ARM 64 RHEL 8 virtual machines on Azure
Previously, SR-IOV networking devices had significantly lower throughput and higher latency than expected in ARM 64 RHEL 8 virtual machines (VMs) running on a Microsoft Azure platform. The problem has been fixed, and the affected VMs now perform as expected.
(BZ#2068429)
Starting a RHEL 8 virtual machine on AWS using cloud-init no longer takes longer than expected
Previously, initializing an EC2 instance of RHEL 8 using the cloud-init service on Amazon Web Services (AWS) took an excessive amount of time. The Amazon Machine Images (AMIs) of RHEL 8 have been updated to include a fix for the problem, and initializing EC2 instances of RHEL 8 now works correctly.
However, you might still encounter slow initialization when customizing and uploading your own RHEL 8 image. To avoid this problem, remove the /etc/resolv.conf file from the image you are using for VM creation before uploading the image to AWS.
(BZ#1862930)
8.19. Containers
DNF and YUM no longer fail because of non-matching repository IDs
Previously, DNF and YUM repository IDs did not match the format that DNF or YUM expected. For example, if you ran the following example, the error occurred:
# podman run -ti ubi8-ubi
# dnf debuginfo-install dnsmasq
...
This system is not registered with an entitlement server. You can use subscription-manager to register.
With this update, the problem has been fixed. Suffix --debug-rpms was added to all debug repository names (for example ubi-8-appstream-debug-rpms), and also the suffix -rpms was added to all UBI repository names (for example ubi-8-appstream-rpms).
For more information, see Universal Base Images (UBI): Images, repositories, packages, and source code.
Container images signed with a Beta GPG key can now be pulled
Previously, when you pulled RHEL Beta container images, Podman failed with the error message: Error: Source image rejected: None of the signatures were accepted. The images failed to be pulled due to current builds being configured to not trust the RHEL Beta GPG keys by default. With this update, the /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted keys. Because of this, the container images signed with GA and Beta GPG keys are now accepted in the default configuration.
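Because keyPaths widens the set of keys a scope trusts, it is worth listing which registry scopes accept which key files. The following is an added example, not Red Hat's or Podman's code: it walks a constructed policy in the policy.json format and handles both the single keyPath form and the keyPaths list. The registry names and key file paths are placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample policy; registry names and key paths are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {
    "docker": {
      "registry.example.com": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPaths": ["/path/to/ga-key.gpg", "/path/to/beta-key.gpg"]}
      ],
      "legacy.example.com": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/path/to/ga-key.gpg"}
      ]
    }
  }
}
""")


def requirement_keys(req):
    """Key files named by one signedBy requirement.

    A requirement names its keys through keyPath (one file) or keyPaths
    (a list of files); an inline keyData value has no file to report.
    """
    keys = []
    if "keyPath" in req:
        keys.append(req["keyPath"])
    keys.extend(req.get("keyPaths", []))
    return keys


def _describe(requirements):
    """Reduce a requirement list to (type, key files) pairs."""
    described = []
    for req in requirements:
        keys = tuple(requirement_keys(req)) if req["type"] == "signedBy" else ()
        described.append((req["type"], keys))
    return described


def summarize(policy):
    """Map 'default' and each 'transport:scope' to its described requirements."""
    summary = {"default": _describe(policy.get("default", []))}
    for transport, scopes in policy.get("transports", {}).items():
        for scope, requirements in scopes.items():
            summary[f"{transport}:{scope}"] = _describe(requirements)
    return summary


def scopes_trusting(policy, key_file):
    """Scopes whose signedBy requirements list the given key file."""
    return sorted(scope for scope, reqs in summarize(policy).items()
                  if any(key_file in keys for _, keys in reqs))


def unsigned_scopes(policy):
    """Scopes that accept images without any signature check."""
    return sorted(scope for scope, reqs in summarize(policy).items()
                  if any(kind == "insecureAcceptAnything" for kind, _ in reqs))


if __name__ == "__main__":
    for scope, reqs in summarize(SAMPLE_POLICY).items():
        print(scope, reqs)
    print("beta key trusted by:",
          scopes_trusting(SAMPLE_POLICY, "/path/to/beta-key.gpg"))
    print("no signature required:", unsigned_scopes(SAMPLE_POLICY))
```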