
Chapter 8. Bug fixes


This part describes bugs fixed in Red Hat Enterprise Linux 8.9 that have a significant impact on users.

8.1. Installer and image creation

The --noverifyssl option for liveimg no longer checks the server’s certificate for images downloaded using HTTPS

Previously, the installer ignored the --noverifyssl option from the liveimg kickstart command. Consequently, if the server’s certificate could not be validated for images downloaded using the HTTPS protocol, the installation process failed. With this update, this issue has been fixed, and the --noverifyssl option of the liveimg kickstart command works as expected.

Bugzilla:1886985

8.2. Security

Booting from an NFS filesystem now works with SELinux set to enforcing mode

Previously, when using NFS as the root filesystem, SELinux labels were not forwarded from the server, causing boot failures when SELinux was set to enforcing mode.

With this fix, SELinux correctly flags NFS mounts created before the initial SELinux policy load as supporting security labels. As a result, the NFS mount now forwards SELinux labels between the server and the client, and the boot can succeed with SELinux set to enforcing mode.

Bugzilla:1753646[1]

The automatic screen lock now works correctly even when a USB smart-card reader is removed

Before RHEL 8.9, the opensc packages incorrectly handled removing USB smart-card readers. Consequently, the system remained unlocked even if the GNOME Display Manager (GDM) was configured to lock the screen when a smart card was removed. Furthermore, after reconnecting the USB reader, the screen also did not lock after removing the smart card. In this release, the code for handling removals of USB smart-card readers has been fixed. As a result, the screen is correctly locked even when a smart card or a USB smart-card reader is removed.

Bugzilla:2097048

The SCAP enable_fips_mode rule now checks only fips=1 on 64-bit IBM Z architecture

Previously, the SCAP Security Guide rule enable_fips_mode checked the contents of the /boot/grub2/grubenv file, but the 64-bit IBM Z architecture does not use the /boot/grub2/grubenv file for FIPS mode. With this update, the OVAL rule enable_fips_mode tests whether the fips=1 Linux kernel argument is present in the /boot/loader/entries/.*.conf files on the 64-bit IBM Z architecture.

Bugzilla:2129100
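An added Python check, not code from the SCAP Security Guide, that reads the options line of BLS entries (constructed samples stand in for /boot/loader/entries/*.conf) and reports whether a standalone fips=1 argument is present. The handling of an options line that is only the $kernelopts placeholder is my assumption about entries that take their arguments from grubenv.

```python
import re

# Constructed sample BLS entries in the shape of /boot/loader/entries/*.conf;
# the kernel version strings and paths are invented for this example.
ENTRY_WITH_FIPS = """\
title Red Hat Enterprise Linux (4.18.0-example.s390x) 8.9
version 4.18.0-example.s390x
linux /boot/vmlinuz-4.18.0-example.s390x
initrd /boot/initramfs-4.18.0-example.s390x.img
options root=/dev/mapper/rhel-root ro crashkernel=auto fips=1 rd.lvm.lv=rhel/root
"""

# Same entry, but with an argument that merely starts with "fips=1".
ENTRY_WITHOUT_FIPS = ENTRY_WITH_FIPS.replace(" fips=1 ", " fips=10 ")

# Assumption: an entry whose options line is only "$kernelopts" takes its
# arguments from elsewhere (grubenv on non-Z systems), so the file alone
# cannot answer the question.
ENTRY_DELEGATING = "title example\nversion example\nlinux /boot/vmlinuz-example\noptions $kernelopts\n"


def bls_kernel_options(entry_text):
    """Return the kernel command-line tokens from the entry's 'options' line.

    BLS entries are 'key value' lines separated by whitespace; the options value
    is the rest of the line and is split on whitespace like the kernel does.
    """
    for raw in entry_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if parts[0] == "options" and len(parts) == 2:
            return parts[1].split()
    return []


def fips_status(entry_text):
    """'pass' only for a standalone fips=1 token (fips=10 or nofips=1 do not count)."""
    tokens = bls_kernel_options(entry_text)
    if any(tok.startswith("$") for tok in tokens):
        return "indeterminate"
    return "pass" if "fips=1" in tokens else "fail"


def evaluate_enable_fips_mode(entries):
    """entries maps file name -> content. The rule passes only if every entry passes."""
    results = {name: fips_status(text) for name, text in entries.items()}
    overall = "pass" if results and all(r == "pass" for r in results.values()) else "fail"
    return overall, results
```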

SCAP journald rules no longer remediate to invalid configuration

Previously, the SCAP Security Guide rules journald_compress, journald_forward_to_syslog, and journald_storage contained a bug in the remediation script which added extra quotes to the respective options within the /etc/systemd/journald.conf configuration file. Consequently, the journald service failed to parse the configuration options and ignored them. Therefore, the configuration options were not effective and OpenSCAP reported false pass results. With this update, the rules and remediation scripts have been fixed to not add the extra quotes. The rules now create a valid configuration for journald.

Bugzilla:2169857

Images can now be configured with security profiles

SCAP Security Guide rules that configure mount point options have been reworked, and you can now also use them for hardening images when building an operating system image in image builder. As a result, you can now build images with partition configuration aligned with a specific security profile.

Bugzilla:2130185

Removed strict requirements from SSG rules related to AIDE configuration

Previously, the SCAP Security Guide (SSG) rule aide_build_database required the existence of both /var/lib/aide/aide.db.new.gz and /var/lib/aide/aide.db.gz files to pass. Because the AIDE utility does not require the /var/lib/aide/aide.db.new.gz file, this update removed the corresponding requirement from the aide_build_database rule. As a result, the rule requires only the /var/lib/aide/aide.db.gz file to pass.

In addition, the SCAP Security Guide rule aide_periodic_cron_checking is now less strict on entries in /etc/cron.daily and /etc/cron.weekly files. You can now schedule the aide --check command with additional wrappers while staying compliant with the rule.

Bugzilla:2175684

SCAP rules related to pam_faillock have correct descriptions

Previously, the SCAP Security Guide rules related to pam_faillock contained descriptions that were misaligned with some profile values. Consequently, the descriptions were not correct. With this update, the rule descriptions use XCCDF variables.

This change affects the following rules:

  • accounts_passwords_pam_faillock_deny
  • accounts_passwords_pam_faillock_interval
  • accounts_passwords_pam_faillock_dir
  • accounts_passwords_pam_faillock_unlock_time

Bugzilla:2175882

The file_permissions_efi_user_cfg SCAP rule no longer fails when /boot/efi is mounted

Previously, the default permissions of UEFI files were not accepted by the rule, and it was not possible to change the permissions with the chmod command when the /boot/efi partition used a virtual file allocation table (VFAT) file system. Consequently, the file_permissions_efi_user_cfg rule failed. This update changes the default permissions from 0600 to 0700. Because the 0700 permission is also accepted by CIS, the assessment and remediation are now better aligned with CIS profiles.

Bugzilla:2184487

SSG remediations are now aligned with configure_openssl_cryptopolicy

Previously, the SCAP Security Guide (SSG) remediation added the = character to the opensslcnf.config file. This syntax did not match the description of the configure_openssl_cryptopolicy rule. Consequently, compliance checks might fail after remediations that inserted .include = instead of .include into opensslcnf.config. With this release, the remediation scripts are aligned with the rule description, and SSG remediations that use configure_openssl_cryptopolicy no longer fail due to the additional =.

Bugzilla:2192893

The postfix_prevent_unrestricted_relay rule now accepts white spaces around the = sign

Previously, the OVAL check of the SCAP rule xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay was too strict and did not account for postconf configuration assignment statements that contained white spaces around the = sign. As a consequence, the final report marked this rule as failing even for configurations that technically met the rule’s requirements. With this update, the rule was modified so that the check accepts statements with white spaces around the = sign. As a result, the final report now marks this rule as passing for correct configuration statements.

Bugzilla:2170530
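Both the journald remediation entry above and this postfix entry come down to how a compliance check reads key=value lines, so here is one added Python example (not SCAP Security Guide code) with a whitespace-tolerant parser, a detector for the quoted values the old journald remediation wrote, a quote-free setter, and a relay check that accepts any spacing around =. The constructed configuration fragments are mine, and the expected value permit_mynetworks,reject for smtpd_client_restrictions is my assumption about what the rule looks for.

```python
import re

# Constructed configuration fragments for this example; not from a real system.
JOURNALD_CONF_BROKEN = """\
[Journal]
Storage="persistent"
Compress="yes"
ForwardToSyslog=yes
"""

POSTFIX_MAIN_CF = """\
# constructed /etc/postfix/main.cf excerpt
smtpd_client_restrictions   =   permit_mynetworks, reject
mynetworks=127.0.0.0/8
"""

# key = value with any amount of whitespace around '=' (the value may be empty)
ASSIGNMENT = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$")


def parse_assignments(text):
    """Return {key: value} for assignment lines, tolerating whitespace around '='.

    Blank lines, comments and INI section headers such as [Journal] are skipped.
    """
    found = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;[":
            continue
        match = ASSIGNMENT.match(line)
        if match:
            found[match.group(1)] = match.group(2)
    return found


def quoted_values(text):
    """Keys whose value is wrapped in matching quotes.

    This is the shape the old journald remediation wrote: journald failed to
    parse such values and ignored the option while OpenSCAP still reported pass.
    """
    return sorted(key for key, value in parse_assignments(text).items()
                  if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'")


def set_option(text, key, value):
    """Write key=value without quotes, replacing an existing line or appending one."""
    pattern = re.compile(rf"^\s*{re.escape(key)}\s*=.*$", re.MULTILINE)
    new_line = f"{key}={value}"
    if pattern.search(text):
        return pattern.sub(lambda _m: new_line, text, count=1)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"


def postfix_restricts_relay(main_cf_text):
    """Check smtpd_client_restrictions regardless of spacing around '='.

    Assumption: the rule expects the restriction list to end with 'reject',
    as in the value permit_mynetworks,reject.
    """
    value = parse_assignments(main_cf_text).get("smtpd_client_restrictions", "")
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    return bool(tokens) and tokens[-1] == "reject"
```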

SCAP rules now correctly evaluate whether the /var/log and /var/log/audit partitions exist

Previously, some SCAP rules relevant to the /var/log and /var/log/audit partitions were evaluated and remediated even when the appropriate disk partition did not exist. This affected the following rules:

  • mount_option_var_log_audit_nodev
  • mount_option_var_log_audit_noexec
  • mount_option_var_log_audit_nosuid
  • mount_option_var_log_nodev
  • mount_option_var_log_noexec
  • mount_option_var_log_nosuid

As a consequence, these rules were evaluated and incorrectly reported as failing in the final report even when the directories /var/log or /var/log/audit were not mount points for individual partitions. This update adds an applicability check to determine whether /var/log or /var/log/audit are mount points for individual partitions. As a result, the rules are not evaluated in configurations where the directories are not mount points for individual partitions, and the rules are marked as notapplicable in the final report.

Bugzilla:2176008
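An added Python example, not code from the SCAP Security Guide, of the applicability check described above: it parses constructed /proc/self/mounts-style lines, decides whether /var/log and /var/log/audit are mount points of their own, and only then evaluates the six mount-option rules; the applicability_check flag reproduces the old behaviour for comparison.

```python
import re

# Constructed /proc/self/mounts-style lines; device names are invented.
MOUNTS_SEPARATE_PARTITIONS = """\
/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64 0 0
/dev/mapper/rhel-var_log /var/log xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rhel-audit /var/log/audit xfs rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""

MOUNTS_SINGLE_ROOT = """\
/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""

# The six rules from the entry above: rule name -> (mount point, required option)
RULES = {
    "mount_option_var_log_audit_nodev": ("/var/log/audit", "nodev"),
    "mount_option_var_log_audit_noexec": ("/var/log/audit", "noexec"),
    "mount_option_var_log_audit_nosuid": ("/var/log/audit", "nosuid"),
    "mount_option_var_log_nodev": ("/var/log", "nodev"),
    "mount_option_var_log_noexec": ("/var/log", "noexec"),
    "mount_option_var_log_nosuid": ("/var/log", "nosuid"),
}


def parse_mounts(text):
    """Return {mount_point: set(options)} from mounts/fstab-style lines.

    Mount points containing spaces appear as octal escapes (for example \\040)
    in /proc/mounts, so those are decoded.
    """
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        point = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[1])
        mounts[point] = set(fields[3].split(","))
    return mounts


def evaluate_rule(rule_name, mounts_text, applicability_check=True):
    """Return 'pass', 'fail' or 'notapplicable' for one rule.

    With applicability_check=False the function behaves like the old rules:
    a directory that is not its own mount point is reported as a failure.
    """
    path, option = RULES[rule_name]
    mounts = parse_mounts(mounts_text)
    if path not in mounts:
        return "notapplicable" if applicability_check else "fail"
    return "pass" if option in mounts[path] else "fail"


def evaluate_all(mounts_text, applicability_check=True):
    return {name: evaluate_rule(name, mounts_text, applicability_check) for name in RULES}
```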

The SCAP rule accounts_passwords_pam_faillock_interval now covers new STIG IDs

Previously, the SCAP Security Guide rule accounts_passwords_pam_faillock_interval did not cover RHEL-08-020012 and RHEL-08-020013. Consequently, the rule accounts_passwords_pam_faillock_interval checked for faillock configuration in all of these three files: /etc/pam.d/password-auth, /etc/pam.d/system-auth, and /etc/security/faillock.conf. With this update, the rule now covers STIG IDs RHEL-08-020012 and RHEL-08-020013.

Bugzilla:2209073

Red Hat CVE feeds have been updated

Version 1 of the Red Hat Common Vulnerabilities and Exposures (CVE) feeds at https://access.redhat.com/security/data/oval/ has been sunset and replaced by version 2 of the CVE feeds located at https://access.redhat.com/security/data/oval/v2/.

Consequently, the links in SCAP source data streams provided by the scap-security-guide package have been updated to link to the new version of the Red Hat CVE feeds.

Bugzilla:2222583

The wget utility no longer fails TLS handshake when accessing restricted resources

Previously, when ticket-based session resumption was enabled in TLS, the wget utility expected a TLS session to be resumed even when the server requested the client to re-authenticate to access restricted resources. This behavior caused wget to fail the second TLS handshake. With this update, wget properly initiates a new handshake and the access to restricted resources no longer fails.

Bugzilla:2089817

Settings from pam_cap are correctly applied on SELinux-enabled systems

Previously, the SELinux policy did not contain rules for using the pam_cap module. As a consequence, granting login capabilities controlled by pam_cap to users in the /etc/security/capability.conf configuration file did not work when the users logged in by using ssh or the console. This update adds a new rule to the policy. As a result, granting capabilities in /etc/security/capability.conf now works, and user capabilities configured with pam_cap are taken into account when logging in.

Bugzilla:2172541

The systemd-fsck-root service is now correctly labeled on SELinux-enabled systems

Previously, the /run/fsck directory was created by the systemd-fsck-root service or the fsck command but the SELinux policy did not contain rules for proper labeling of the directory. As a consequence, the systemd-fsck-root service did not work correctly. With this update, the correct label and file transition for /run/fsck were added to the policy. As a result, the systemd-fsck-root service works without reporting errors.

Bugzilla:2184348[1]

SELinux policy now allows bidirectional communication on D-Bus

Previously, the SELinux policy contained rules to allow only one-way communication between two domains on the D-Bus message bus system. However, such communication must be allowed in both directions. This also occurred when the Pacemaker high-availability cluster resource manager executed the hostnamectl or timedatectl commands. As a consequence, these commands executed by Pacemaker timed out without receiving a response on D-Bus because SELinux blocked it. This update to the SELinux policy allows bidirectional communication on D-Bus. As a result, commands that require bidirectional communication on D-Bus executed by Pacemaker finish successfully.

Bugzilla:2196524

tangd-keygen now handles non-default umask correctly

Previously, the tangd-keygen script did not change file permissions for generated key files. Consequently, on systems with a default user file-creation mode mask (umask) that prevents other users from reading the keys, the tang-show-keys command returned the error message Internal Error 500 instead of displaying the keys. With this update, tangd-keygen sets file permissions for generated key files, and therefore the script now works correctly on systems with a non-default umask.

Bugzilla:2188743

Clevis now handles SHA-256 thumbprints

Before this update, the Clevis client did not recognize SHA-256 thumbprints specified through the thp configuration option. Consequently, clients did not bind to Tang servers that used SHA-256 thumbprints, and every corresponding clevis encrypt tang command reported an error. With this update, Clevis recognizes thumbprints using SHA-256 and handles them correctly. As a result, Clevis clients can bind not only to Tang servers using SHA-1 but also SHA-256 thumbprints.

Bugzilla:2209058
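To make the thumbprint mismatch above concrete, here is an added Python example (not Clevis or Tang code) that computes an RFC 7638 JWK thumbprint with SHA-1 and with SHA-256, as a Tang server key's thp value is derived, and accepts a pinned thp in either form. The EC key is a constructed placeholder, and trying both hashes is this example's approach, not a description of Clevis internals.

```python
import base64
import hashlib
import json

# Constructed Tang-style advertisement key: a JWK of the EC/P-521 kind Tang uses
# for ES512 signing keys. The coordinates are placeholders, not a real key.
SAMPLE_TANG_JWK = {
    "alg": "ES512",
    "kty": "EC",
    "crv": "P-521",
    "key_ops": ["verify"],
    "x": "placeholder_x_coordinate",
    "y": "placeholder_y_coordinate",
}

# RFC 7638: only the required public members of each key type are hashed,
# serialized with members in lexicographic order and no whitespace.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def b64url(raw):
    """Base64url without padding, the encoding used in JWKs and thumbprints."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk):
    """The exact byte string RFC 7638 hashes: required members only, sorted, compact."""
    subset = {name: jwk[name] for name in REQUIRED_MEMBERS[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")


def jwk_thumbprint(jwk, hash_name="sha256"):
    """Thumbprint with the given hash; 'sha1' gives the older Tang/Clevis form."""
    return b64url(hashlib.new(hash_name, canonical_jwk_json(jwk)).digest())


def thumbprint_matches(jwk, thp):
    """Accept a pinned thp made with either SHA-1 or SHA-256.

    Both are tried because the client cannot tell from the value alone which
    hash the operator used when copying it from tang-show-keys.
    """
    return any(jwk_thumbprint(jwk, name) == thp for name in ("sha1", "sha256"))
```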

Rsyslog can start even without capabilities

When Rsyslog is executed as a normal user or in a containerized environment, the rsyslog process has no capabilities. Consequently, Rsyslog in this scenario could not drop capabilities and exited at startup. With this update, the process no longer attempts to drop capabilities if it has no capabilities. As a result, Rsyslog can start even when it has no capabilities.

Jira:RHELPLAN-160541[1]

fapolicyd service no longer runs programs that are removed from the trusted database

Previously, the fapolicyd service incorrectly handled a program as trusted even after it was removed from the trusted database. As a result, entering the fapolicyd-cli --update command had no effect, and the program could be executed even after being removed. With this update, the fapolicyd-cli --update command correctly updates the trusted programs database, and removed programs can no longer be executed.

Jira:RHEL-630

fapolicyd service now creates RPM database files with correct ownership

Previously, the fapolicyd service created and owned RPM database files in the /var/lib/rpm/ directory. As a result, other programs were unable to access the files, which resulted in availability control errors. With this update, fapolicyd creates the files with correct ownership, and the errors no longer occur.

Jira:RHEL-829

8.3. Software management

The yum needs-restarting -s command now correctly displays the list of systemd services

Previously, when you used the needs-restarting command with the -s or --services option, an error occurred when a non-systemd or malfunctioning process was detected. With this update, the yum needs-restarting -s command ignores such processes and displays a warning instead with the list of affected systemd services.

Bugzilla:2122587

The dnf-automatic command now correctly reports the exit status of transactions

Previously, the dnf-automatic command returned a successful exit code of a transaction even if some actions during this transaction were not successfully completed. This could cause a security risk on machines that use dnf-automatic for automatic deployment of errata. With this update, the issue has been fixed, and dnf-automatic now reports every problem with packages during the transaction.

Bugzilla:2170093

YUM now handles proxy=_none_ correctly

You can use the YUM proxy=_none_ configuration option to prohibit changing proxy settings. Previously, if you set proxy=_none_ in the main configuration file, YUM detected an error. This update fixes the bug, and YUM now handles proxy=_none_ correctly.

Note

The RHEL 8 YUM proxy=_none_ configuration is compatible with the YUM configuration in RHEL 7.

Bugzilla:2155713

The needs-restarting plug-in now correctly requires the system restart when a file owned by dbus is updated by zlib

Previously, when you ran the YUM needs-restarting plug-in, it did not prompt to restart the system when a file owned by the dbus package was updated by the dependent zlib package. With this update, the issue has been fixed, and the needs-restarting plug-in now displays a message that you must restart dbus when zlib is updated.

Bugzilla:2092033

8.4. Shells and command-line tools

The which command no longer fails for a long path

Previously, when you executed the which command in a directory with a path longer than 256 characters, the command failed with the Can’t get current working directory error message. With this fix, the which command now uses the PATH_MAX value for the path length limit. As a result, the command no longer fails.

Bugzilla:2140566

ReaR now supports UEFI Secure Boot with OUTPUT=USB

Previously, the OUTPUT=USB ReaR output method, which stores the rescue image on a bootable disk drive, did not respect the SECURE_BOOT_BOOTLOADER setting. Consequently, on systems with UEFI Secure Boot enabled, the disk with the rescue image would not boot because the bootloader was not signed.

With this fix, the OUTPUT=USB ReaR output method now uses the bootloader that you specify in the SECURE_BOOT_BOOTLOADER setting when creating the rescue disk. To use the signed UEFI shim bootloader, change the following setting in the /etc/rear/local.conf file:

SECURE_BOOT_BOOTLOADER=/boot/efi/EFI/redhat/shimx64.efi

As a result, the rescue disk is bootable when UEFI Secure Boot is enabled. It is safe to set the variable to this value on all systems with UEFI, even when Secure Boot is not enabled. It is even recommended for consistency. For details about the UEFI boot procedure and the shim bootloader, see UEFI: what happens when booting the system.

Bugzilla:2233526

ipmievd now recognizes SEL response correctly when a SEL request times out

The ipmievd service sends System Event Log (SEL) requests through the /dev/ipmi0 device. Previously, due to a missing ID check of the returned IPMI message, a timed-out request led to incorrect processing of the next request. For example, if the Baseboard Management Controller (BMC) was reset, the SEL request from the ipmievd service timed out due to no SEL response. Consequently, ipmievd did not work correctly due to a non-corresponding SEL response. As a result, you did not get the correct hardware state, and a large amount of wrong hardware information was output to /var/log/messages. With this fix, ipmitool and ipmievd now check the ID of the returned IPMI message against the ID of the request and skip non-corresponding SEL requests. ipmievd no longer logs incorrect hardware information.

Bugzilla:2224567[1]

8.5. Networking

Intel Corporation I350 Gigabit Fiber Network Connection now provides a link after kernel update

Previously, hardware configurations with Small Form-factor Pluggable (SFP) transceiver modules without an External Thermal Sensor (ETS) caused the igb driver to erroneously initialize the Inter-Integrated Circuit (I2C) bus to read the ETS. As a consequence, connections did not obtain links. With this bug fix, the igb driver only initializes I2C when an SFP with ETS is available. As a result, connections obtain links.

Bugzilla:2130727[1]

8.6. Boot loader

grubby now passes arguments to a new kernel correctly

When you add a new kernel using the grubby tool and do not specify any arguments, or leave the arguments blank, grubby will not pass any arguments to the new kernel and root will not be set. Using the --args and --copy-default options ensures new arguments are appended to the default arguments.

Bugzilla:1900829

8.7. File systems and storage

multipathd adds the persistent reservation registration key to all paths

Previously, when the multipathd daemon started and it recognized a registration key for the persistent reservations on one path of an existing multipath device, not all paths of that device had the registration key. As a consequence, if new paths appeared to a multipath device with persistent reservations while multipathd was stopped, persistent reservations were not set up on those. This allowed IO processing on the paths, even if they were supposed to be forbidden by the reservation key.

With this fix, if multipathd finds a persistent reservation registration key on any device path, it adds the key to all active paths. As a result, multipath devices now have persistent reservations set up correctly on all the paths, even if path devices first appear while multipathd is not running.

Bugzilla:2164871

LUNs are now visible during the OS installation

Previously, the system was not using the authentication information from firmware sources, specifically in cases involving iSCSI hardware offload with CHAP (Challenge-Handshake Authentication Protocol) authentication stored in the iSCSI iBFT (Boot Firmware Table). As a consequence, the iSCSI login failed during installation.

With the firmware authentication fix in udisks2-2.9.4-9.el9, this issue is now resolved, and LUNs are visible during the installation and initial boot.

Bugzilla:2213193[1]

8.8. High availability and clusters

Pacemaker Designated Controller elections are no longer finalized until all pending actions are complete

When a cluster elects a new Designated Controller (DC), all nodes send their current history to the new DC, which saves it to the CIB. As a consequence, if actions were already in progress when a new DC is elected, and the actions finish after the nodes send their current history to the new DC, the actions' results could be lost. With this fix, DC elections are not finalized until all pending actions are complete and no action results are lost.

Bugzilla:2010084

The fence_scsi agent is now able to auto-detect shared lvmlockd devices

Previously, the fence_scsi agent did not auto-detect shared lvmlockd devices. With this update, fence_scsi is able to auto-detect lvmlockd devices when the devices attribute is not set.

Bugzilla:2187329

Resource stickiness now properly compares against colocation scores

Chained resource colocations are resources colocated with the resource that is colocated with the resource being assigned. Previously, if the original colocation had a finite negative score, and the chained colocation was mandatory, the original resource being assigned could be banned from its node even if resource-stickiness was set to INFINITY. With this fix, chained colocations are now taken into account proportionally and stickiness properly compares against colocation scores.

Bugzilla:1632951[1]

The crm_resource command now allows banning or moving a bundle with only a single active replica

Previously, when the crm_resource command checked where a bundle with a single replica was active, the command counted both the node where the container was active and the guest node that was created for the container itself. As a result, the crm_resource command would not ban or move a bundle with a single active replica. With this fix, the crm_resource command now only counts nodes where a bundle’s containers are active when determining the number of active replicas.

Bugzilla:1578820

The mysql resource agent now works correctly with promotable clone resources

Previously, the mysql resource agent moved cloned resources that were operating in a Master role between nodes, due to promotion scores changing between promoted and non-promoted values. With this fix, a promoted node stays promoted.

Bugzilla:2039692

Unpromoted clone instances no longer restart unnecessarily

Previously, promotable clone instances were assigned in numerical order, with promoted instances first. As a result, if a promoted clone instance needed to start, an unpromoted instance in some cases restarted unexpectedly, because the instance numbers changed. With this fix, roles are considered when assigning instance numbers to nodes and as a result no unnecessary restarts occur.

Bugzilla:1931023

A fence watchdog configured as a second fencing device now fences a node when the first device times out

Previously, when a watchdog fencing device was configured as the second device in a fencing topology, the watchdog timeout was not considered when calculating the timeout for the fencing operation. As a result, if the first device timed out, the fencing operation would time out even though the watchdog would fence the node. With this fix, the watchdog timeout is included in the fencing operation timeout, and the fencing operation succeeds if the first device times out.

Bugzilla:2168633

Location constraints with rules are no longer displayed when listing is grouped by nodes

Location constraints with rules cannot have a node assigned. Previously, when you grouped the listing by nodes, location constraints with rules were displayed under an empty node. With this fix, the location constraints with rules are no longer displayed and a warning is given indicating that constraints with rules are not displayed.

Bugzilla:2166294

pcs command to update multipath SCSI devices now works correctly

Due to changes in the Pacemaker CIB file, the pcs stonith update-scsi-devices command stopped working as designed, causing an unwanted restart of some cluster resources. With this fix, this command works correctly and updates SCSI devices without requiring a restart of other cluster resources running on the same node.

Bugzilla:2179010

Memory footprint of pcsd-ruby daemon now reduced when pcsd Web UI is open

Previously, when the pcsd Web UI was open, memory usage of the pcsd-ruby daemon increased steadily over the course of several hours. With this fix, the web server that runs in the pcsd-ruby daemon now periodically performs a graceful restart. This frees the allocated memory and reduces the memory footprint.

Bugzilla:2189958[1]

The azure-events-az resource agent no longer produces an error with Pacemaker 2.1 and later

The azure-events-az resource agent executes the crm_simulate -Ls command and parses the output. With Pacemaker 2.1 and later, the output of the crm_simulate command no longer contains the text Transition Summary:, which resulted in an error. With this fix, the agent no longer yields an error when this text is missing.

Bugzilla:2181019

8.9. Compilers and development tools

systemtap scripts using guru mode now compile more quickly

The systemtap guru mode liveness analysis uses the dyninst library to parse binaries. Newer kernels enable mitigation code with CONFIG_RETPOLINE=y, replacing traditional RET instructions with jumps to a thunk. As a consequence, binary analysis took a much longer time because the liveness analysis needed to examine all the additional control flow graph edges introduced by the jumps to the thunk.

With this update, systemtap disables liveness analysis when the kernel code is using thunks and, as a result, systemtap scripts using guru mode compile more quickly.

Bugzilla:2126805

eu-addr2line -C now correctly recognizes other arguments

Previously, when you used the -C argument in the eu-addr2line command from elfutils, the following single-character argument disappeared. Consequently, the eu-addr2line -Ci command behaved the same way as eu-addr2line -C, while eu-addr2line -iC worked as expected. This bug has been fixed, and eu-addr2line -Ci now recognizes both arguments.

Bugzilla:2236183

eu-addr2line -i now correctly handles code compiled with GCC link-time optimization

Previously, the dwarf_getscopes function from the libdw library included in elfutils was unable to find an abstract origin definition of a function that was compiled with GCC link-time optimization. Consequently, when you used the -i argument in the eu-addr2line command, eu-addr2line was unable to show inline functions for code compiled with gcc -flto. With this update, the libdw dwarf_getscopes function looks in the correct compile unit for the inlined scope, and eu-addr2line -i works as expected.

Bugzilla:2162495

8.10. Identity Management

SSSD now uses sAMAccountName when evaluating GPO-based access control

Previously, if ldap_user_name was set to a value other than sAMAccountName on an AD client, GPO-based access control failed. With this update, SSSD now always uses sAMAccountName when evaluating GPO-based access control. Even if ldap_user_name is set to a value different from sAMAccountName on an AD client, GPO-based access control now works correctly.

Jira:SSSD-6107

SSSD now handles duplicate attributes in the user_attributes option when retrieving users

Previously, if sssd.conf contained duplicate attributes in the user_attributes option, SSSD did not handle these duplicates correctly. As a consequence, users with those attributes could not be retrieved. With this update, SSSD now handles duplicates correctly. As a result, users with duplicate attributes can now be retrieved.

Jira:SSSD-6177

Changing a security parameter now works correctly

Previously, when you changed a security parameter by using the dsconf instance_name security set command, the operation failed with the error:

Name 'log' is not defined

With this update, the security parameter change works as expected.

Bugzilla:2166284

Directory Server now calculates the dtablesize based on the maximum number of open descriptors

Previously, an administrator could set the connection table size manually by using the nsslapd-conntablesize configuration parameter. Consequently, when the connection table size was set too low, it limited the number of connections the server was able to support. With this update, Directory Server calculates the size of the connection table dynamically, effectively resolving the issue of a too small connection table. In addition, you no longer need to change the connection table size manually.

Bugzilla:2210491

The dsctl healthcheck command now uses the password storage scheme PBKDF2-SHA512 by default

Previously, the dsctl healthcheck command used SSHA512 password storage scheme by default. Consequently, the command reported a warning because it did not detect the new password storage scheme PBKDF2-SHA512. With this update, the dsctl healthcheck command now uses PBKDF2-SHA512 password storage scheme by default and no warnings occur.

Bugzilla:2220890

Paged searches from a regular user no longer impact performance

Previously, when Directory Server was under search load, paged searches from a regular user could impact the server performance because a lock conflicted with the thread that polls for network events. In addition, if a network issue occurred while sending the paged search, the whole server was unresponsive until the nsslapd-iotimeout parameter expired. With this update, the lock was split into several parts to avoid contention with the network events. As a result, paged searches from a regular user no longer impact performance.

Bugzilla:2224505

You can now enable and disable ciphers in Directory Server as expected

Previously, when you tried to enable or disable specific ciphers in addition to default ciphers by using the web console, the server enabled or disabled only the specific ciphers and logged an error similar to the following:

Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,+cipher_name>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)

Currently, the network security services (NSS) do not support handling default ciphers and specific ciphers at the same time. As a result, Directory Server can enable or disable either specific ciphers or default ciphers. With this update, when you set the default ciphers, the web console now prompts that Allow Specific Ciphers and Deny Specific Ciphers fields will be cleared.

Bugzilla:1817505

Deleting the IdM admin user is now no longer permitted

Previously, nothing prevented you from deleting the Identity Management (IdM) admin user if you were a member of the admins group. The absence of the admin user causes the trust between IdM and Active Directory (AD) to stop functioning correctly. With this update, you can no longer delete the admin user. As a result, the IdM-AD trust works correctly.

Bugzilla:1821181

IdM clients correctly retrieve information for trusted AD users when their names contain mixed case characters

Previously, if you attempted a lookup or authentication of a trusted Active Directory (AD) user whose name contained mixed-case characters and who was configured with overrides in IdM, an error was returned that prevented the user from accessing IdM resources.

With the release of RHBA-2023:4525, the case-sensitive comparison is replaced with a case-insensitive comparison that ignores the case of a character. As a result, IdM clients can now look up users of an AD trusted domain, even if their usernames contain mixed-case characters and they are configured with overrides in IdM.

Jira:SSSD-6096

8.11. Graphics infrastructures

The installer no longer freezes on servers with ASPEED 2600

Previously, the graphical RHEL 8.8 installer became unresponsive with a black screen when you started the installer on a server with the ASPEED 2600 On System Management Chipset. Consequently, you could not install RHEL 8.8 on the server.

With this release, the problem has been fixed. As a result, the installation now proceeds as expected with ASPEED 2600.

Bugzilla:2189645[1]

8.12. The web console

The web console NBDE binding steps now work also on volume groups with a root file system

In RHEL 8.8, due to a bug in the code for determining whether or not the user was adding a Tang key to the root file system, the binding process in the web console crashed when there was no file system on the LUKS container at all. Because the web console displayed the error message TypeError: Qe(…) is undefined after you had clicked the Trust key button in the Verify key dialog, you had to perform all the required steps in the command-line interface in the described scenario.

With this update, the web console correctly handles additions of Tang keys to root file systems. As a result, the web console finishes all binding steps required for the automated unlocking of LUKS-encrypted volumes using Network-Bound Disk Encryption (NBDE) in various scenarios.

Bugzilla:2212350

VNC console now works at most resolutions

Previously, when using the Virtual Network Computing (VNC) console under certain display resolutions, a mouse offset problem was present or only a part of the interface was visible. Consequently, using the VNC console was not possible.

With this update, the problem has been fixed and the VNC console works correctly at most resolutions, with the exception of ultra high resolutions, such as 3840x2160.

Note that a small offset between the recorded and displayed positions of the cursor might still be present. However, this does not significantly impact the usability of the VNC console.

Bugzilla:2030836

8.13. Red Hat Enterprise Linux system roles

The storage role can now resize the mounted file systems without unmounting

Previously, the storage role was unable to resize mounted devices, even if the file system supported online resizing. As a consequence, the storage role unmounted all file systems prior to resizing, which failed for file systems that were in use, for example, while resizing the / directory of the running system.

With this update, the storage role now supports resizing mounted file systems that support online resizing such as XFS and Ext4. As a result, the mounted file systems can now be resized without unmounting them.

Bugzilla:2168738

The certificate RHEL system role now checks for the certificate key size when determining whether to perform a new certificate request

Previously, the certificate RHEL system role did not check the key size of a certificate when evaluating whether to request a new certificate. As a consequence, the role sometimes did not issue new certificate requests in cases where it should. With this update, the certificate role now checks the key_size parameter to determine whether a new certificate request should be performed.

Bugzilla:2186057

Insights tags created by using the rhc role are now applied correctly

Previously, when you created Insights tags by using the rhc role, tags were not stored in the correct file. Consequently, tags were not sent to Insights and as a result they were not applied to the systems in the Insights inventory.

With this fix, tags are stored correctly and applied to the systems present in the Insights inventory.

Bugzilla:2209441

The firewall RHEL system role on RHEL 7 no longer attempts to install non-existent Python packages

Previously, when the firewall role on RHEL 7 was called from another role, and that role was using python3, the firewall role attempted to install the python3-firewall library for that version of Python. However, that library is not available in RHEL 7. Consequently, the python3-firewall library was not found, and you received the following error message:

No package matching 'python3-firewall' found available, installed or updated

With this update, the firewall role does not attempt to install the python-firewall or python3-firewall library. As a result, the firewall role does not fail on RHEL 7 when python3 is installed on the managed node.

Bugzilla:2216521

Failure to remove data from member disks before creation no longer persists

Previously, when creating RAID volumes, the system did not effectively remove existing data from member disks before forming the RAID volume. With this update, RAID volumes remove any pre-existing data from member disks as needed.

Bugzilla:2224094

The podman_registries_conf variable now configures unqualified-search-registries field correctly

Previously, after configuring the podman_registries_conf variable, the podman RHEL system role failed. Consequently, the unqualified-search-registries = ["registry.access.redhat.com"] setting was not generated in the /etc/containers/registries.conf.d/50-systemroles.conf file. With this update, this problem has been fixed.

Bugzilla:2226077

The raid_chunk_size parameter no longer returns an error message

Previously, the raid_chunk_size attribute was not allowed for RAID pools and volumes. With this update, you can configure the raid_chunk_size attribute for RAID pools and volumes without encountering any restrictions.

Bugzilla:2193057

Running the firewall RHEL system role in check mode with non-existent services no longer fails

Previously, running the firewall role in check mode with non-existent services would fail. This fix implements better compliance with Ansible best practices for check mode. As a result, non-existent services being enabled or disabled no longer fails the role in check mode. Instead, a warning prompts you to confirm that the service is defined in a previous playbook.

Bugzilla:2222433

The kdump role adds authorized_keys idempotently

Previously, the task to add authorized_key added an extra newline character every time it ran. Consequently, the role was not idempotent. With this fix, adding a new authorized_key works correctly and adds only a single key value idempotently.

Bugzilla:2232391

The kdump system role does not fail if authorized_keys are missing

Previously, the kdump system role failed to add SSH authorized keys if the user defined in the kdump_ssh_user variable did not have access to the .ssh directory in the home directory or an empty .ssh/authorized_keys file. With this fix, the kdump system role now correctly adds authorized keys to the SSH configuration. As a result, the key based authentication works reliably in the described scenario.

Bugzilla:2232392

The firewall RHEL system role correctly reports changes when using previous: replaced in check mode

Previously, the firewall role was not checking whether any files would be changed when using the previous: replaced parameter in check mode. As a consequence, the role gave an error about undefined variables. This fix adds new check variables to the check mode to assess whether any files would be changed by the previous: replaced parameter. The check for the firewalld.conf file assesses the rpm database to determine whether the file has been changed from the version shipped in the package. As a result, the firewall role now correctly reports changes when using the previous: replaced parameter.

Jira:RHEL-899[1]

Enabling kdump for system role requires using the failure_action configuration parameter on RHEL 9 and later versions

Previously, using the default option during kdump configuration was not successful and printed the following warning in logs:

kdump: warning: option 'default' was renamed 'failure_action' and will be removed in the future.
please update /etc/kdump.conf to use option 'failure_action' instead.

Consequently, the role did not enable kdump successfully if the default option was used. This update fixes the problem, and you can configure kernel dump parameters on multiple systems by using the failure_action parameter. As a result, enabling kdump works successfully in the described scenario.

Jira:RHEL-907[1]
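The warning quoted above is the symptom to look for: a kdump.conf that still uses the old default keyword. As an added example (not part of the kdump system role), the following helper scans kdump.conf text, reports every line that still uses the deprecated option, and returns a rewritten configuration that uses failure_action instead. The sample configuration is constructed for the example; only the first token of a line is treated as the option keyword, so values such as a path that happens to contain the word default are left alone.

```python
"""Detect and migrate the deprecated 'default' option in kdump.conf.

Added example, not the kdump system role's code. The kdump warning on
this page says 'default' was renamed to 'failure_action'; this helper
finds the old spelling and rewrites it, leaving comments, blank lines
and every other option untouched.
"""
from typing import List, Tuple

# Constructed sample of a kdump.conf that still uses the old option name.
SAMPLE_KDUMP_CONF = """\
# kdump configuration (constructed sample)
path /var/crash
core_collector makedumpfile -l --message-level 1 -d 31
default reboot
"""


def migrate_kdump_conf(text: str) -> Tuple[str, List[Tuple[int, str]]]:
    """Return (new_text, findings).

    findings lists (line_number, original_line) for each line that used the
    deprecated 'default' keyword. The keyword is matched only as the first
    token of a non-comment line, so 'path /var/crash/default' is not touched.
    """
    out: List[str] = []
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            out.append(line)          # keep comments and blank lines as-is
            continue
        parts = stripped.split(None, 1)
        if parts[0] == "default":
            findings.append((lineno, line))
            indent = line[: len(line) - len(stripped)]
            value = parts[1] if len(parts) > 1 else ""
            line = f"{indent}failure_action {value}".rstrip()
        out.append(line)
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, findings


def uses_deprecated_default(text: str) -> bool:
    """True when the configuration would trigger the 'default' warning."""
    return bool(migrate_kdump_conf(text)[1])


if __name__ == "__main__":
    migrated, found = migrate_kdump_conf(SAMPLE_KDUMP_CONF)
    for lineno, original in found:
        print(f"line {lineno}: '{original}' -> use failure_action")
    print(migrated)
```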

The firewall RHEL system role correctly reports changes when assigning zones to Network Manager interfaces

Previously, the Network Manager interface assignment reported changes when no changes were present. With this fix, the try_set_zone_of_interface module in the file library/firewall_lib.py returns a second value, which denotes whether the interface’s zone was changed. As a result, the module now correctly reports changes when assigning zones to interfaces handled by Network Manager.

Jira:RHEL-918[1]

The kdump role successfully updates .ssh/authorized_keys for kdump_ssh_server authentication

Previously, the .ssh directory was not accessible by the kdump role to securely authenticate users to log into kdump_ssh_server. As a consequence, the kdump role did not update the .ssh/authorized_keys file and the SSH mechanism to verify the kdump_ssh_server failed. This update fixes the problem. As a result the kdump_ssh_user authentication on kdump_ssh_server works reliably.

Jira:RHEL-1398[1]

The previous: replaced parameter of the firewall system role now overrides the previous configuration without deleting it

Previously, if you added the previous: replaced parameter to the variable list, the firewall system role removed all existing user-defined settings and reset firewalld to the default settings. This fix uses the fallback configuration in firewalld, which was introduced in the EL7 release, to retain the previous configuration. As a result, when you use the previous: replaced parameter in the variable list, the firewall.conf configuration file is not deleted on reset, but the file and comments in the file are retained.

Jira:RHEL-1496[1]

The kdump role adds multiple keys to authorized_keys idempotently

Previously, adding multiple SSH keys to the authorized_keys file at the same time replaced the key value of one host by another. This update fixes the problem by using the lineinfile module to manage the authorized_keys file. lineinfile iterates the tasks in sequence, checking for an existing key and writing the new key in one atomic operation on a single host at one time. As a result, adding SSH keys on multiple hosts works correctly, and does not replace the key value from another host.

Note: Use the serial: 1 keyword at the play level to control the number of hosts executing at one time.

Jira:RHEL-1500[1]
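Two items on this page describe defects in how authorized_keys was updated: an extra newline appended on every run (so the role was not idempotent), and one host's key replacing another's when several keys were added. The following is an added example, not the kdump system role's code or its lineinfile task: a helper that identifies a key by its type and base64 material (ignoring the trailing comment), replaces an existing entry for the same material in place, appends a new key exactly once, and always returns content ending in a single newline. The key strings are constructed placeholders, not real key material.

```python
"""Idempotent authorized_keys updates.

Added example, not the kdump system role's code. Matching on the key
type and base64 blob rather than the whole line means a key whose
comment changed is updated in place instead of being duplicated, and
keys from other hosts are never overwritten.
"""
from typing import List, Tuple


def _key_identity(entry: str) -> Tuple[str, str]:
    """Return (key_type, base64_blob) for an authorized_keys line.

    Lines with an options prefix (e.g. 'command="..." ssh-ed25519 AAAA...')
    are handled by scanning for the first token that looks like a key type.
    """
    tokens = entry.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
            return tok, tokens[i + 1]
    return "", entry.strip()


def add_authorized_key(existing: str, new_key: str) -> str:
    """Return the authorized_keys content with new_key present exactly once."""
    new_key = new_key.strip()
    if not new_key:
        return existing
    lines: List[str] = existing.splitlines()
    target = _key_identity(new_key)
    replaced = False
    for i, line in enumerate(lines):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                    # blank lines and comments are not keys
        if _key_identity(line) == target:
            lines[i] = new_key          # same key material: update in place
            replaced = True
    if not replaced:
        lines.append(new_key)
    # Drop trailing empty lines so repeated runs never accumulate newlines.
    while lines and not lines[-1].strip():
        lines.pop()
    return "\n".join(lines) + "\n"


def add_authorized_keys(existing: str, keys: List[str]) -> str:
    """Add several hosts' keys in sequence; earlier keys are never overwritten."""
    for key in keys:
        existing = add_authorized_key(existing, key)
    return existing


# Constructed sample keys (placeholder material, not real keys).
KEY_HOST_A = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHostAKeyMaterial root@host-a"
KEY_HOST_B = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHostBKeyMaterial root@host-b"

if __name__ == "__main__":
    content = add_authorized_keys("", [KEY_HOST_A, KEY_HOST_B])
    # A second run with the same keys must leave the file unchanged.
    assert add_authorized_keys(content, [KEY_HOST_A, KEY_HOST_B]) == content
    print(content, end="")
```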

8.14. Virtualization

Hot plugging a Watchdog card to a virtual machine no longer fails

Previously, if no PCI slots were available, adding a Watchdog card to a running virtual machine (VM) failed with the following error:

Failed to configure watchdog
ERROR Error attempting device hotplug: internal error: No more available PCI slots

With this update, the problem has been fixed and adding a Watchdog card to a running VM now works as expected.

Bugzilla:2173584


© 2024 Red Hat, Inc.