Chapter 9. Known issues
This part describes known issues in Red Hat Enterprise Linux 9.5.
9.1. Installer and image creation
The auth
and authconfig
Kickstart commands require the AppStream repository
The authselect-compat
package is required by the auth
and authconfig
Kickstart commands during installation. Without this package, the installation fails if auth
or authconfig
are used. However, by design, the authselect-compat
package is only available in the AppStream repository.
To work around this problem, verify that the BaseOS and AppStream repositories are available to the installation program or use the authselect
Kickstart command during installation.
Bugzilla:1640697[1]
The reboot --kexec
and inst.kexec
commands do not provide a predictable system state
Performing a RHEL installation with the reboot --kexec
Kickstart command or the inst.kexec
kernel boot parameters do not provide the same predictable system state as a full reboot. As a consequence, switching to the installed system without rebooting can produce unpredictable results.
Note that the kexec
feature is deprecated and will be removed in a future release of Red Hat Enterprise Linux.
Bugzilla:1697896[1]
Unexpected SELinux policies on systems where Anaconda is running as an application
When Anaconda is running as an application on an already installed system (for example to perform another installation to an image file using the –image
anaconda option), the system is not prohibited to modify the SELinux types and attributes during installation. As a consequence, certain elements of SELinux policy might change on the system where Anaconda is running.
To work around this problem, do not run Anaconda on the production system. Instead, run Anaconda in a temporary virtual machine to keep the SELinux policy unchanged on a production system. Running anaconda as part of the system installation process such as installing from boot.iso
or dvd.iso
is not affected by this issue.
Local Media
installation source is not detected when booting the installation from a USB that is created using a third party tool
When booting the RHEL installation from a USB that is created using a third party tool, the installer fails to detect the Local Media
installation source (only Red Hat CDN is detected).
This issue occurs because the default boot option int.stage2=
attempts to search for iso9660
image format. However, a third party tool might create an ISO image with a different format.
As a workaround, use either of the following solution:
-
When booting the installation, click the
Tab
key to edit the kernel command line, and change the boot optioninst.stage2=
toinst.repo=
. - To create a bootable USB device on Windows, use Fedora Media Writer.
- When using a third party tool such as Rufus to create a bootable USB device, first regenerate the RHEL ISO image on a Linux system, and then use the third party tool to create a bootable USB device.
For more information on the steps involved in performing any of the specified workaround, see, Installation media is not auto-detected during the installation of RHEL 8.3.
Bugzilla:1877697[1]
The USB CD-ROM drive is not available as an installation source in Anaconda
Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use=
command is specified. In this case, Anaconda cannot find and use this source disk.
To work around this problem, use the harddrive --partition=sdX --dir=/
command to install from USB CD-ROM drive. As a result, the installation does not fail.
Hard drive partitioned installations with iso9660 filesystem fails
You cannot install RHEL on systems where the hard drive is partitioned with the iso9660
filesystem. This is due to the updated installation code that is set to ignore any hard disk containing a iso9660
file system partition. This happens even when RHEL is installed without using a DVD.
To work around this problem, add the following script in the Kickstart file to format the disc before the installation starts.
Note: Before performing the workaround, backup the data available on the disk. The wipefs
command formats all the existing data from the disk.
%pre
wipefs -a /dev/sda
%end
As a result, installations work as expected without any errors.
Anaconda fails to verify existence of an administrator user account
While installing RHEL using a graphical user interface, Anaconda fails to verify if the administrator account has been created. As a consequence, users might install a system without any administrator user account.
To work around this problem, ensure you configure an administrator user account or the root password is set and the root account is unlocked. As a result, users can perform administrative tasks on the installed system.
New XFS features prevent booting of PowerNV IBM POWER systems with firmware older than version 5.10
PowerNV IBM POWER systems use a Linux kernel for firmware, and use Petitboot as a replacement for GRUB. This results in the firmware kernel mounting /boot
and Petitboot reading the GRUB config and booting RHEL.
The RHEL 9 kernel introduces bigtime=1
and inobtcount=1
features to the XFS filesystem, which kernels with firmware older than version 5.10 do not understand.
To work around this problem, you can use another filesystem for /boot
, for example ext4.
Bugzilla:1997832[1]
RHEL for Edge installer image fails to create mount points when installing an rpm-ostree payload
When deploying rpm-ostree
payloads, used for example in a RHEL for Edge installer image, the installer does not properly create some mount points for custom partitions. As a consequence, the installation is aborted with the following error:
The command 'mount --bind /mnt/sysimage/data /mnt/sysroot/data' exited with the code 32.
To work around this issue:
- Use an automatic partitioning scheme and do not add any mount points manually.
-
Manually assign mount points only inside
/var
directory. For example,/var/my-mount-point
), and the following standard directories:/
,/boot
,/var
.
As a result, the installation process finishes successfully.
NetworkManager fails to start after the installation when connected to a network but without DHCP or a static IP address configured
Starting with RHEL 9.0, Anaconda activates network devices automatically when there is no specific ip=
or Kickstart network configuration set. Anaconda creates a default persistent configuration file for each Ethernet device. The connection profile has the ONBOOT
and autoconnect
value set to true
. As a consequence, during the start of the installed system, RHEL activates the network devices, and the networkManager-wait-online
service fails.
As a workaround, do one of the following:
Delete all connections using the
nmcli
utility except one connection you want to use. For example:List all connection profiles:
# nmcli connection show
Delete the connection profiles that you do not require:
# nmcli connection delete <connection_name>
Replace <connection_name> with the name of the connection you want to delete.
Disable the auto connect network feature in Anaconda if no specific
ip=
or Kickstart network configuration is set.- In the Anaconda GUI, navigate to Network & Host Name.
- Select a network device to disable.
- Click Configure.
- On the General tab, clear the Connect automatically with priority checkbox.
- Click Save.
Bugzilla:2115783[1]
Kickstart installations fail to configure the network connection
Anaconda performs the Kickstart network configuration only through the NetworkManager API. Anaconda processes the network configuration after the %pre
Kickstart section. As a consequence, some tasks from the Kickstart %pre
section are blocked. For example, downloading packages from the %pre
section fails due to unavailability of the network configuration.
To work around this problem:
-
Configure the network, for example using the
nmcli
tool, as a part of the%pre
script. -
Use the installer boot options to configure the network for the
%pre
script.
As a result, it is possible to use the network for tasks in the %pre
section and the Kickstart installation process completes.
Images built with the stig
profile remediation fails to boot with FIPS error
FIPS mode is not supported by RHEL image builder. When using RHEL image builder customized with the xccdf_org.ssgproject.content_profile_stig
profile remediation, the system fails to boot with the following error:
Warning: /boot//.vmlinuz-<kernel version>.x86_64.hmac does not exist FATAL: FIPS integrity test failed Refusing to continue
Enabling the FIPS policy manually after the system image installation with the fips-mode-setup --enable
command does not work, because the /boot
directory is on a different partition. System boots successfully if FIPS is disabled. Currently, there is no workaround available.
You can manually enable FIPS after installing the image by using the fips-mode-setup --enable
command.
Driver disk menu fails to display user inputs on the console
When you start RHEL installation using the inst.dd
option on the kernel command line with a driver disk, the console fails to display the user input. Consequently, it appears that the application does not respond to the user input and stops responding, but displays the output which is confusing for users. However, this behavior does not affect the functionality, and user input gets registered after pressing Enter
.
As a workaround, to see the expected results, ignore the absence of user inputs in the console and press Enter
when you finish adding inputs.
Kickstart installation fails due to missing packages with systemd
service files in %packages
section
If the Kickstart file uses the services --enabled=…
directive to enable systemd
services and packages containing the specified service file are not included in the %packages
section, the RHEL installation process fails with the following error:
Error enabling service <name_of_the_service>
To work around this problem, include the respective package with the service file in Kickstart’s %packages
section. As a result, RHEL installation completes, enabling expected services during installation.
Jira:RHEL-9633[1]
Unable to build ISOs from a signed container
Trying to build an ISO disk image from a GPG or a simple signed container results in an error, similar to the following:
manifest - failed Failed Error: cannot run osbuild: running osbuild failed: exit status 1 2024/04/23 10:56:48 error: cannot run osbuild: running osbuild failed: exit status 1
This happens because the system fails to get the image source signatures. To work around this issue, you can either remove the signature from the container image or build a derived container image. For example, to remove the signature, you can run the following command:
$ sudo skopeo copy --remove-signatures containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4 containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4 $ sudo podman run \ --rm \ -it \ --privileged \ --pull=newer \ --security-opt label=type:unconfined_t \ -v /var/lib/containers/storage:/var/lib/containers/storage \ -v ~/images/iso:/output \ quay.io/centos-bootc/bootc-image-builder \ --type iso --local \ registry.redhat.io/rhel9-beta/rhel-bootc:9.4
To build a derived container image, and avoid adding a simple GPG signatures to it, see the Signing container images product documentation.
bootc-image-builder
does not support building images from private registries
Currently, you cannot build base disk images which come from private registries by using bootc-image-builder
. To work around this issue, copy the private registry into your localhost, then build the image with the following arguments:
-
--local
-
localhost/<image name>:tag
as the image
For example, to build your image:
sudo podman run \ --rm \ -it \ --privileged \ --pull=newer \ --security-opt label=type:unconfined_t \ -v ./config.toml:/config.toml \ -v ./output:/output \ -v /var/lib/containers/storage:/var/lib/containers/storage \ registry.redhat.io/rhel9/bootc-image-builder:latest --type qcow2 \ --local \ quay.io/<namespace>/<image>:<tag>
Jira:RHELDOCS-18720[1]
SELinux autorelabel in the Rescue Mode may cause reboot loop
Accessing a file system in the rescue
mode triggers SELinux to autorelabel the file system on the next boot, which continues until SELinux runs in the permissive
mode. Consequently, the system might go into an infinite loop of reboots after exiting the rescue
mode as it cannot delete the /.autorelabel
file.
As a work around, switch to the permissive
mode by adding enforcing=0
to the kernel command line on the next boot. The system displays a warning message as a preventive measure that informs about the possibility of this issue when accessing the file system in the rescue
mode.
9.2. Security
OpenSSL does not detect if a PKCS #11 token supports the creation of raw RSA or RSA-PSS signatures
The TLS 1.3 protocol requires support for RSA-PSS signatures. If a PKCS #11 token does not support raw RSA or RSA-PSS signatures, server applications that use the OpenSSL library fail to work with an RSA key if the key is held by the PKCS #11 token. As a result, TLS communication fails in the described scenario.
To work around this problem, configure servers and clients to use TLS version 1.2 as the highest TLS protocol version available.
Bugzilla:1681178[1]
OpenSSL
incorrectly handles PKCS #11 tokens that does not support raw RSA or RSA-PSS signatures
The OpenSSL
library does not detect key-related capabilities of PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created with a token that does not support raw RSA or RSA-PSS signatures.
To work around the problem, add the following lines after the .include
line at the end of the crypto_policy
section in the /etc/pki/tls/openssl.cnf
file:
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384 MaxProtocol = TLSv1.2
As a result, a TLS connection can be established in the described scenario.
Bugzilla:1685470[1]
With a specific syntax, scp
empties files copied to themselves
The scp
utility changed from the Secure copy protocol (SCP) to the more secure SSH file transfer protocol (SFTP). Consequently, copying a file from a location to the same location erases the file content. The problem affects the following syntax:
scp localhost:/myfile localhost:/myfile
To work around this problem, do not copy files to a destination that is the same as the source location using this syntax.
The problem has been fixed for the following syntaxes:
-
scp /myfile localhost:/myfile
-
scp localhost:~/myfile ~/myfile
The OSCAP Anaconda add-on does not fetch tailored profiles in the graphical installation
The OSCAP Anaconda add-on does not provide an option to select or deselect tailoring of security profiles in the RHEL graphical installation. Starting from RHEL 8.8, the add-on does not take tailoring into account by default when installing from archives or RPM packages. Consequently, the installation displays the following error message instead of fetching an OSCAP tailored profile:
There was an unexpected problem with the supplied content.
To work around this problem, you must specify paths in the %addon org_fedora_oscap
section of your Kickstart file, for example:
xccdf-path = /usr/share/xml/scap/sc_tailoring/ds-combined.xml tailoring-path = /usr/share/xml/scap/sc_tailoring/tailoring-xccdf.xml
As a result, you can use the graphical installation for OSCAP tailored profiles only with the corresponding Kickstart specifications.
Ansible remediations require additional collections
With the replacement of Ansible Engine by the ansible-core
package, the list of Ansible modules provided with the RHEL subscription is reduced. As a consequence, running remediations that use Ansible content included within the scap-security-guide
package requires collections from the rhc-worker-playbook
package.
For an Ansible remediation, perform the following steps:
Install the required packages:
# dnf install -y ansible-core scap-security-guide rhc-worker-playbook
Navigate to the
/usr/share/scap-security-guide/ansible
directory:# cd /usr/share/scap-security-guide/ansible
Run the relevant Ansible playbook using environment variables that define the path to the additional Ansible collections:
# ANSIBLE_COLLECTIONS_PATH=/usr/share/rhc-worker-playbook/ansible/collections/ansible_collections/ ansible-playbook -c local -i localhost, rhel9-playbook-cis_server_l1.yml
Replace
cis_server_l1
with the ID of the profile against which you want to remediate the system.
As a result, the Ansible content is processed correctly.
Support of the collections provided in rhc-worker-playbook
is limited to enabling the Ansible content sourced in scap-security-guide
.
Keylime does not accept concatenated PEM certificates
When Keylime receives a certificate chain as multiple certificates in the PEM format concatenated in a single file, the keylime-agent-rust
Keylime component does not correctly use all the provided certificates during signature verification, resulting in a TLS handshake failure. As a consequence, the client components (keylime_verifier
and keylime_tenant
) cannot connect to the Keylime agent. To work around this problem, use just one certificate instead of multiple certificates.
Jira:RHELPLAN-157225[1]
Keylime refuses runtime policies whose digests start with a backslash
The current script for generating runtime policies, create_runtime_policy.sh
, uses SHA checksum functions, for example, sha256sum
, to compute the file digest. However, when the input file name contains a backslash or \n
, the checksum function adds a backslash before the digest in its output. In such cases, the generated policy file is malformed. When provided with the malformed policy file, the Keylime tenant produces the following or similar error message: me.tenant - ERROR - Response code 400: Runtime policy is malformatted
. To work around the problem, remove the backslash from the malformed policy file manually by entering the following command: sed -i 's/^\\//g' <malformed_file_name>
.
Jira:RHEL-11867[1]
Keylime agent rejects requests from the verifier after update
When the API version number of the Keylime agent (keylime-agent-rust
) has been updated, the agent rejects requests that use a different version. As a consequence, if a Keylime agent is added to a verifier and then updated, the verifier tries to contact the agent using the old API version. The agent rejects this request and fails the attestation. To work around this problem, update the verifier (keylime-verifier
) before updating the agent (keylime-agent-rust
). As a result, when the agents are updated, the verifier detects the API change and updates its stored data accordingly.
Jira:RHEL-1518[1]
Missing files in trustdb
cause denials for fapolicyd
When fapolicyd
is installed with the Ansible DISA STIG profile, a race condition causes the trustdb
database to be out of sync with the rpmdb
database. As a consequence, missing files in trustdb
cause denials on the system. To work around this problem, restart fapolicyd
or run the Ansible DISA STIG profile again.
Jira:RHEL-24345[1]
The fapolicyd
utility incorrectly allows executing changed files
Correctly, the IMA hash of a file should update after any change to the file, and fapolicyd
should prevent execution of the changed file. However, this does not happen due to differences in IMA policy setup and in file hashing by the evctml
utility. As a result, the IMA hash is not updated in the extended attribute of a changed file. Consequently, fapolicyd
incorrectly allows the execution of the changed file.
Jira:RHEL-520[1]
OpenSSL no longer creates X.509 v1 certificates
With the OpenSSL TLS toolkit 3.2.1 introduced in RHEL 9.5, you can no longer create certificates in the X.509 version 1 format using the openssl
CA tool. The X.509 v1 format does not meet current web requirements.
OpenSSH no longer logs timeout before authentication
OpenSSH does not record a timeout before authentication for $IP port $PORT
to the log. This might be important because the Fail2Ban intrusion prevention daemon and similar systems use these log records in its mdre-ddos
regular expression and no longer ban the IPs of clients that attempt this type of attack. There is currently no known workaround for this problem.
Default SELinux policy allows unconfined executables to make their stack executable
The default state of the selinuxuser_execstack
boolean in the SELinux policy is on, which means that unconfined executables can make their stack executable. Executables should not use this option, and it might indicate poorly coded executables or a possible attack. However, due to compatibility with other tools, packages, and third-party products, Red Hat cannot change the value of the boolean in the default policy. If your scenario does not depend on such compatibility aspects, you can turn the boolean off in your local policy by entering the command setsebool -P selinuxuser_execstack off
.
SSH timeout rules in STIG profiles configure incorrect options
An update of OpenSSH affected the rules in the following Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) profiles:
-
DISA STIG for RHEL 9 (
xccdf_org.ssgproject.content_profile_stig
) -
DISA STIG with GUI for RHEL 9 (
xccdf_org.ssgproject.content_profile_stig_gui
)
In each of these profiles, the following two rules are affected:
Title: Set SSH Client Alive Count Max to zero CCE Identifier: CCE-90271-8 Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0 Title: Set SSH Idle Timeout Interval CCE Identifier: CCE-90811-1 Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
When applied to SSH servers, each of these rules configures an option (ClientAliveCountMax
and ClientAliveInterval
) that no longer behaves as previously. As a consequence, OpenSSH no longer disconnects idle SSH users when it reaches the timeout configured by these rules. As a workaround, these rules have been temporarily removed from the DISA STIG for RHEL 9 and DISA STIG with GUI for RHEL 9 profiles until a solution is developed.
GnuPG incorrectly allows using SHA-1 signatures even if disallowed by crypto-policies
The GNU Privacy Guard (GnuPG) cryptographic software can create and verify signatures that use the SHA-1 algorithm regardless of the settings defined by the system-wide cryptographic policies. Consequently, you can use SHA-1 for cryptographic purposes in the DEFAULT
cryptographic policy, which is not consistent with the system-wide deprecation of this insecure algorithm for signatures.
To work around this problem, do not use GnuPG options that involve SHA-1. As a result, you will prevent GnuPG from lowering the default system security by using the insecure SHA-1 signatures.
OpenSCAP memory-consumption problems
On systems with limited memory, the OpenSCAP scanner might stop prematurely or it might not generate the results files. To work around this problem, you can customize the scanning profile to deselect rules that involve recursion over the entire /
file system:
-
rpm_verify_hashes
-
rpm_verify_permissions
-
rpm_verify_ownership
-
file_permissions_unauthorized_world_writable
-
no_files_unowned_by_user
-
dir_perms_world_writable_system_owned
-
file_permissions_unauthorized_suid
-
file_permissions_unauthorized_sgid
-
file_permissions_ungroupowned
-
dir_perms_world_writable_sticky_bits
For more details and more workarounds, see the related Knowledgebase article.
Remediating service-related rules during kickstart installations might fail
During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service enable
or disable
state remediation is not needed. Consequently, OpenSCAP might set the services on the installed system to a non-compliant state. As a workaround, you can scan and remediate the system after the kickstart installation. This will fix the service-related issues.
Jira:RHELPLAN-44202[1]
Interoperability of FIPS:OSPP
hosts impacted due to CNSA 1.0
The OSPP
subpolicy has been aligned with Commercial National Security Algorithm (CNSA) 1.0. This affects the interoperability of hosts that use the FIPS:OSPP
policy-subpolicy combination, with the following major aspects:
- Minimum RSA key size is mandated at 3072 bits.
- Algorithm negotiations no longer support AES-128 ciphers, the secp256r1 elliptic curve, and the FFDHE-2048 group.
Jira:RHEL-2735[1]
Missing rules in the SELinux policy block permissions to SQL databases
Missing permission rules from the SELinux policy block connections to SQL databases. Consequently, the FIDO Device Onboard (FDO) services fdo-manufacturing-server.service
, fdo-owner-onboarding-server.service
, and fdo-rendezvous-server.service
cannot connect with FDO databases, such as PostgreSQL and SQLite. Therefore, the system cannot start the FDO by using the supported databases for credentials and other parameters, such as storing ownership vouchers.
You can work around this problem by performing the following steps:
Create a new file named
local_fdo_update.cil
and enter the missing SELinux policy rules:(allow fdo_t etc_t (file (write))) (allow fdo_t fdo_conf_t (file (append create rename setattr unlink write ))) (allow fdo_t fdo_var_lib_t (dir (add_name remove_name write ))) (allow fdo_t fdo_var_lib_t (file (create setattr unlink write ))) (allow fdo_t krb5_keytab_t (dir (search))) (allow fdo_t postgresql_port_t (tcp_socket (name_connect))) (allow fdo_t sssd_t (unix_stream_socket (connectto))) (allow fdo_t sssd_var_run_t (sock_file (write)))
Install the policy module package:
# semodule -i local_fdo_update.cil
As a consequence, FDO can connect with the PostgreSQL database and also fix problems related to SQLite permissions over /var/lib/fdo/
, where the SQLite database files are expected to be located.
9.3. Software management
The Installation process sometimes becomes unresponsive
When you install RHEL, the installation process sometimes becomes unresponsive. The /tmp/packaging.log
file displays the following message at the end:
10:20:56,416 DDEBUG dnf: RPM transaction over.
To work around this problem, restart the installation process.
Running createrepo_c
on local repositories generates duplicate repodata
files
When you run the createrepo_c
command on local repositories, it generates duplicate copies of repodata
files, one of the copies is compressed and one is not. There is no workaround available, however, you can safely ignore the duplicate files. The createrepo_c
command generates duplicate copies because of requirements and differences in other tools relying on repositories created by using createrepo_c
.
9.4. Shells and command-line tools
The chkconfig
package is not installed by default in RHEL 9
The chkconfig
package, which updates and queries runlevel information for system services, is not installed by default in RHEL 9.
To manage services, use the systemctl
commands or install the chkconfig
package manually.
For more information about systemd
, see Introduction to systemd. For instructions on how to use the systemctl
utility, see Managing system services with systemctl.
Bugzilla:2053598[1]
Setting the console keymap
requires the libxkbcommon
library on your minimal install
In RHEL 9, certain systemd
library dependencies have been converted from dynamic linking to dynamic loading, so that your system opens and uses the libraries at runtime when they are available. With this change, a functionality that depends on such libraries is not available unless you install the necessary library. This also affects setting the keyboard layout on systems with a minimal install. As a result, the localectl --no-convert set-x11-keymap gb
command fails.
To work around this problem, install the libxkbcommon
library:
# dnf install libxkbcommon
The %vmeff
metric from the sysstat
package displays incorrect values
The sysstat
package provides the %vmeff
metric to measure the page reclaim efficiency. The values of the %vmeff
column returned by the sar -B
command are incorrect because sysstat
does not parse all relevant /proc/vmstat
values provided by later kernel versions. To work around this problem, you can calculate the %vmeff
value manually from the /proc/vmstat
file. For details, see Why the sar(1)
tool reports %vmeff
values beyond 100 % in RHEL 8 and RHEL 9?
The Service Location Protocol (SLP) is vulnerable to an attack through UDP
The OpenSLP provides a dynamic configuration mechanism for applications in local area networks, such as printers and file servers. However, SLP is vulnerable to a reflective denial of service amplification attack through UDP on systems connected to the internet. SLP allows an unauthenticated attacker to register new services without limits set by the SLP implementation. By using UDP and spoofing the source address, an attacker can request the service list, creating a Denial of Service on the spoofed address.
To prevent external attackers from accessing the SLP service, disable SLP on all systems running on untrusted networks, such as those directly connected to the internet. Alternatively, to work around this problem, configure firewalls to block or filter traffic on UDP and TCP port 427.
Jira:RHEL-6995[1]
The ReaR rescue image on UEFI
systems with Secure Boot enabled fails to boot with the default settings
ReaR image creation by using the rear mkrescue
or rear mkbackup
command fails with the following message:
grub2-mkstandalone may fail to make a bootable EFI image of GRUB2 (no /usr/*/grub*/x86_64-efi/moddep.lst file) (...) grub2-mkstandalone: error: /usr/lib/grub/x86_64-efi/modinfo.sh doesn't exist. Please specify --target or --directory.
The missing files are part of the grub2-efi-x64-modules
package. If you install this package, the rescue image is created successfully without any errors. When the UEFI
Secure Boot is enabled, the rescue image is not bootable because it uses a boot loader that is not signed.
To work around this problem, add the following variables to the /etc/rear/local.conf
or /etc/rear/site.conf
ReaR configuration file):
UEFI_BOOTLOADER=/boot/efi/EFI/redhat/grubx64.efi SECURE_BOOT_BOOTLOADER=/boot/efi/EFI/redhat/shimx64.efi
With the suggested workaround, the image can be produced successfully even on systems without the grub2-efi-x64-modules
package, and it is bootable on systems with Secure Boot enabled. In addition, during the system recovery, the bootloader of the recovered system is set to the EFI
shim bootloader.
For more information about UEFI
, Secure Boot
, and shim bootloader
, see the UEFI: what happens when booting the system Knowledge Base article.
Jira:RHELDOCS-18064[1]
The %util
column produced by sar
and iostat
utilities is invalid
When you collect system usage statistics by using the sar
or iostat
utilities, the %util
column produced by sar
or iostat
might contain invalid data.
Jira:RHEL-26275[1]
The lsb-release
binary is not available in RHEL 9
The information in /etc/os-release
was previously available by calling the lsb-release
binary. This binary was included in the redhat-lsb package
, which was removed in RHEL 9. Now, you can display information about the operating system, such as the distribution, version, code name, and associated metadata, by reading the /etc/os-release
file. This file is provided by Red Hat and any changes to it will be overwritten with each update of the redhat-release
package. The format of the file is KEY=VALUE
, and you can safely source the data for a shell script.
Jira:RHELDOCS-16427[1]
9.5. Infrastructure services
Both bind
and unbound
disable validation of SHA-1-based signatures
The bind
and unbound
components disable validation support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 (algorithm number 7) signatures, and the SHA-1 usage for signatures is restricted in the DEFAULT system-wide cryptographic policy.
As a result, certain DNSSEC records signed with the SHA-1, RSA/SHA1, and RSASHA1-NSEC3-SHA1 digest algorithms fail to verify in Red Hat Enterprise Linux 9 and the affected domain names become vulnerable.
To work around this problem, upgrade to a different signature algorithm, such as RSA/SHA-256 or elliptic curve keys.
For more information and a list of top-level domains that are affected and vulnerable, see the DNSSEC records signed with RSASHA1 fail to verify solution.
named
fails to start if the same writable zone file is used in multiple zones
BIND does not allow the same writable zone file in multiple zones. Consequently, if a configuration includes multiple zones which share a path to a file that can be modified by the named
service, named
fails to start. To work around this problem, use the in-view
clause to share one zone between multiple views and make sure to use different paths for different zones. For example, include the view names in the path.
Note that writable zone files are typically used in zones with allowed dynamic updates, secondary zones, or zones maintained by DNSSEC.
libotr
is not compliant with FIPS
The libotr
library and toolkit for off-the-record (OTR) messaging provides end-to-end encryption for instant messaging conversations. However, the libotr
library does not conform to the Federal Information Processing Standards (FIPS) due to its use of the gcry_pk_sign()
and gcry_pk_verify()
functions. As a result, you cannot use the libotr
library in FIPS mode.
9.6. Networking
Bluetooth device does not work properly after resuming from the suspend mode
When your system suspends or resumes, the RTL8852BE
wifi card does not function properly. Consequently, you will notice either audio interruptions during the resume process or audio does not work properly after resuming from the suspend mode. As a workaround, you need to update RHEL wifi driver.
Jira:RHEL-24414[1]
kTLS does not support offloading of TLS 1.3 to NICs
Kernel Transport Layer Security (kTLS) does not support offloading of TLS 1.3 to NICs. Consequently, software encryption is used with TLS 1.3 even when the NICs support TLS offload. To work around this problem, disable TLS 1.3 if offload is required. As a result, you can offload only TLS 1.2. When TLS 1.3 is in use, there is lower performance, since TLS 1.3 cannot be offloaded.
Bugzilla:2000616[1]
Failure to update the session key causes the connection to break
Kernel Transport Layer Security (kTLS) protocol does not support updating the session key, which is used by the symmetric cipher. Consequently, the user cannot update the key, which causes a connection break. To work around this problem, disable kTLS. As a result, with the workaround, it is possible to successfully update the session key.
Bugzilla:2013650[1]
Renaming network interfaces using ifcfg
files fails
On RHEL 9, the initscripts
package is not installed by default. Consequently, renaming network interfaces using ifcfg
files fails. To solve this problem, Red Hat recommends that you use udev
rules or link files to rename interfaces. For further details, see Consistent network interface device naming and the systemd.link(5)
man page.
If you cannot use one of the recommended solutions, install the initscripts
package.
Bugzilla:2018112[1]
The initscripts
package is not installed by default
By default, the initscripts
package is not installed. As a consequence, the ifup
and ifdown
utilities are not available. As an alternative, use the nmcli connection up
and nmcli connection down
commands to enable and disable connections. If the suggested alternative does not work for you, report the problem and install the NetworkManager-initscripts-updown
package, which provides a NetworkManager solution for the ifup
and ifdown
utilities.
The iwl7260-firmware
breaks Wi-Fi on Intel Wi-Fi 6 AX200, AX210, and Lenovo ThinkPad P1 Gen 4
After updating the iwl7260-firmware
or iwl7260-wifi
driver to the version provided by RHEL 9.1 and later, the hardware gets into an incorrect internal state. reports its state incorrectly. Consequently, Intel Wifi 6 cards may not work and display the error message:
kernel: iwlwifi 0000:09:00.0: Failed to start RT ucode: -110 kernel: iwlwifi 0000:09:00.0: WRT: Collecting data: ini trigger 13 fired (delay=0ms) kernel: iwlwifi 0000:09:00.0: Failed to run INIT ucode: -110
An unconfirmed workaround is to power off the system and back on again. Do not reboot.
Bugzilla:2129288[1]
DPLL stability during PF resets
The Digital Phase-Locked Loop (DPLL) system experienced several issues, including uninitialized mutex usage and incorrect handling of pin phase adjustments, particularly during Physical Function (PF) resets. These issues led to unstable management of DPLL and pin configurations, causing inconsistent data states and connection mismanagement.
To resolve this, mutexes were properly initialized, and mechanisms for updating pin phase adjustments, DPLL data, and connection states during PF resets were corrected. As a result, the DPLL system now performs reliably during resets, with accurate phase adjustments and consistent connection states, improving the overall stability of clock synchronization.
Jira:RHEL-36283[1]
9.7. Kernel
Customer applications with dependencies on kernel page size might need updating when moving from 4k to 64k page size kernel
RHEL is compatible with both 4k and 64k page size kernels. Customer applications with dependencies on a 4k kernel page size might require updating when moving from 4k to 64k page size kernels. Known instances of this include jemalloc
and dependent applications.
The jemalloc
memory allocator library is sensitive to the page size used in the system’s runtime environment. The library can be built to be compatible with 4k and 64k page size kernels, for example, when configured with --with-lg-page=16
or env JEMALLOC_SYS_WITH_LG_PAGE=16
(for jemallocator
Rust crate). Consequently, a mismatch can occur between the page size of the runtime environment and the page size that was present when compiling binaries that depend on jemalloc
. As a result, using a jemalloc
-based application triggers the following error:
<jemalloc>: Unsupported system page size
To avoid this problem, use one of the following approaches:
- Use the appropriate build configuration or environment options to create 4k and 64k page size compatible binaries.
-
Build any user space packages that use
jemalloc
after booting into the final 64k kernel and runtime environment.
For example, you can build the fd-find
tool, which also uses jemalloc
, with the cargo
Rust package manager. In the final 64k environment, trigger a new build of all dependencies to resolve the mismatch in the page size by entering the cargo
command:
# cargo install fd-find --force
Bugzilla:2167783[1]
Upgrading to the latest real-time kernel with dnf
does not install multiple kernel versions in parallel
Installing the latest real-time kernel with the dnf
package manager requires resolving package dependencies to retain the new and current kernel versions simultaneously. By default, dnf
removes the older kernel-rt
package during the upgrade.
As a workaround, add the current kernel-rt
package to the installonlypkgs
option in the /etc/yum.conf
configuration file, for example, installonlypkgs=kernel-rt
.
The installonlypkgs
option appends kernel-rt
to the default list used by dnf
. Packages listed in installonlypkgs
directive are not removed automatically and therefore support multiple kernel versions to install simultaneously.
Note that having multiple kernels installed is a way to have a fallback option when working with a new kernel version.
Bugzilla:2181571[1]
The Delay Accounting
functionality does not display the SWAPIN
and IO%
statistics columns by default
The Delayed Accounting
functionality, unlike early versions, is disabled by default. Consequently, the iotop
application does not show the SWAPIN
and IO%
statistics columns and displays the following warning:
CONFIG_TASK_DELAY_ACCT not enabled in kernel, cannot determine SWAPIN and IO%
The Delay Accounting
functionality, using the taskstats
interface, provides the delay statistics for all tasks or threads that belong to a thread group. Delays in task execution occur when they wait for a kernel resource to become available, for example, a task waiting for a free CPU to run on. The statistics help in setting a task’s CPU priority, I/O priority, and rss
limit values appropriately.
As a workaround, you can enable the delayacct
boot option either at run time or boot.
To enable
delayacct
at run time, enter:echo 1 > /proc/sys/kernel/task_delayacct
Note that this command enables the feature system wide, but only for the tasks that you start after running this command.
To enable
delayacct
permanently at boot, use one of the following procedures:Edit the
/etc/sysctl.conf
file to override the default parameters:Add the following entry to the
/etc/sysctl.conf
file:kernel.task_delayacct = 1
For more information, see How to set sysctl variables on Red Hat Enterprise Linux.
- Reboot the system for changes to take effect.
Add the
delayacct
option to the kernel command line.For more information, see Configuring kernel command-line parameters.
As a result, the iotop
application displays the SWAPIN
and IO%
statistics columns.
Bugzilla:2132480[1]
Hardware certification of the real-time kernel on systems with large core-counts might require passing the skew-tick=1
boot parameter
Large or moderate sized systems with numerous sockets and large core-counts can experience latency spikes due to lock contentions on xtime_lock
, which is used in the timekeeping system. As a consequence, latency spikes and delays in hardware certifications might occur on multiprocessing systems. As a workaround, you can offset the timer tick per CPU to start at a different time by adding the skew_tick=1
boot parameter.
To avoid lock conflicts, enable skew_tick=1
:
Enable the
skew_tick=1
parameter withgrubby
.# grubby --update-kernel=ALL --args="skew_tick=1"
- Reboot for changes to take effect.
Verify the new settings by displaying the kernel parameters you pass during boot.
cat /proc/cmdline
Note that enabling skew_tick=1
causes a significant increase in power consumption and, therefore, it must be enabled only if you are running latency sensitive real-time workloads.
Jira:RHEL-9318[1]
The kdump
mechanism fails to capture the vmcore
file on LUKS-encrypted targets
When running kdump
on systems with Linux Unified Key Setup (LUKS) encrypted partitions, systems require a certain amount of available memory. When the available memory is less than the required amount of memory, the systemd-cryptsetup
service fails to mount the partition. Consequently, the second kernel fails to capture the crash dump file on the LUKS-encrypted targets.
As a workaround, query the Recommended crashkernel value
and gradually increase the memory size to an appropriate value. The Recommended crashkernel value
can serve as reference to set the required memory size.
Print the estimate crash kernel value.
# kdumpctl estimate
Configure the amount of required memory by increasing the
crashkernel
value.# grubby --args=crashkernel=652M --update-kernel=ALL
Reboot the system for changes to take effect.
# reboot
As a result, kdump
works correctly on systems with LUKS-encrypted partitions.
Jira:RHEL-11196[1]
The kdump
service fails to build the initrd
file on IBM Z systems
On the 64-bit IBM Z systems, the kdump
service fails to load the initial RAM disk (initrd
) when znet
related configuration information such as s390-subchannels
reside in an inactive NetworkManager
connection profile. Consequently, the kdump
mechanism fails with the following error:
dracut: Failed to set up znet kdump: mkdumprd: failed to make kdump initrd
As a workaround, use one of the following solutions:
Configure a network bond or bridge by re-using the connection profile that has the
znet
configuration information:$ nmcli connection modify enc600 master bond0 slave-type bond
Copy the
znet
configuration information from the inactive connection profile to the active connection profile:Run the
nmcli
command to query theNetworkManager
connection profiles:# nmcli connection show NAME UUID TYPE Device bridge-br0 ed391a43-bdea-4170-b8a2 bridge br0 bridge-slave-enc600 caf7f770-1e55-4126-a2f4 ethernet enc600 enc600 bc293b8d-ef1e-45f6-bad1 ethernet --
Update the active profile with configuration information from the inactive connection:
#!/bin/bash inactive_connection=enc600 active_connection=bridge-slave-enc600 for name in nettype subchannels options; do field=802-3-ethernet.s390-$name val=$(nmcli --get-values "$field"connection show "$inactive_connection") nmcli connection modify "$active_connection" "$field" $val" done
Restart the
kdump
service for changes to take effect:# kdumpctl restart
weak-modules
from kmod
fails to work with module inter-dependencies
The weak-modules
script provided by the kmod
package determines which modules are kABI-compatible with installed kernels. However, while checking modules' kernel compatibility, weak-modules
processes modules symbol dependencies from higher to lower release of the kernel for which they were built. As a consequence, modules with inter-dependencies built against different kernel releases might be interpreted as non-compatible, and therefore the weak-modules
script fails to work in this scenario.
To work around the problem, build or put the extra modules against the latest stock kernel before you install the new kernel.
Bugzilla:2103605[1]
The Intel® i40e
adapter permanently fails on IBM Power10
When the i40e
adapter encounters an I/O error on IBM Power10 systems, the Enhanced I/O Error Handling (EEH) kernel services trigger the network driver’s reset and recovery. However, EEH repeatedly reports I/O errors until the i40e
driver reaches the predefined maximum of EEH freezes. As a consequence, EEH causes the device to fail permanently.
Jira:RHEL-15404[1]
dkms
provides an incorrect warning on program failure with correctly compiled drivers on 64-bit ARM CPUs
The Dynamic Kernel Module Support (dkms
) utility does not recognize that the kernel headers for 64-bit ARM CPUs work for both the kernels with 4 kilobytes and 64 kilobytes page sizes. As a result, when the kernel update is performed and the kernel-64k-devel
package is not installed, dkms
provides an incorrect warning on why the program failed on correctly compiled drivers. To work around this problem, install the kernel-headers
package, which contains header files for both types of ARM CPU architectures and is not specific to dkms
and its requirements.
Jira:RHEL-25967[1]
9.8. File systems and storage
Device Mapper Multipath is not supported with NVMe/TCP
Using Device Mapper Multipath with the nvme-tcp
driver can result in the Call Trace warnings and system instability. To work around this problem, NVMe/TCP users must enable native NVMe multipathing and not use the device-mapper-multipath
tools with NVMe.
By default, Native NVMe multipathing is enabled in RHEL 9. For more information, see Enabling multipathing on NVMe devices.
Bugzilla:2033080[1]
The blk-availability
systemd service deactivates complex device stacks
In systemd
, the default block deactivation code does not always handle complex stacks of virtual block devices correctly. In some configurations, virtual devices might not be removed during the shutdown, which causes error messages to be logged. To work around this problem, deactivate complex block device stacks by executing the following command:
# systemctl enable --now blk-availability.service
As a result, complex virtual device stacks are correctly deactivated during shutdown and do not produce error messages.
Bugzilla:2011699[1]
Disabling quota accounting is no longer possible for an XFS filesystem mounted with quotas enabled
Starting with RHEL 9.2, it is no longer possible to disable quota accounting on an XFS filesystem which has been mounted with quotas enabled.
To work around this issue, disable quota accounting by remounting the filesystem, with the quota option removed.
Bugzilla:2160619[1]
udev rule change for NVMe devices
There is a udev rule change for NVMe devices that adds OPTIONS="string_escape=replace"
parameter. This leads to a disk by-id naming change for some vendors, if the serial number of your device has leading whitespace.
NVMe/FC devices cannot be reliably used in a Kickstart file
NVMe/FC devices can be unavailable during parsing or execution of pre-scripts of the Kickstart file, which can cause the Kickstart installation to fail. To work around this issue, update the boot argument to inst.wait_for_disks=30
. This option causes a delay of 30 seconds, and should provide enough time for the NVMe/FC device to connect. With this workaround along with the NVMe/FC devices connecting in time, the Kickstart installation proceeds without issues.
Jira:RHEL-8164[1]
Kernel panic while using the qedi
driver
While using the qedi
iSCSI driver, the kernel panics after OS boots. To work around this issue, disable the kfence
runtime memory error detector feature by adding kfence.sample_interval=0
to the kernel boot command line.
Jira:RHEL-8466[1]
ARM-based systems fail to update with a 64k page size kernel when vdo
is installed
While installing the vdo
package, RHEL installs the kmod-kvdo
package and a kernel with 4k
page size as dependencies. As a consequence, updates from RHEL 9.3 to 9.x fail because kmod-kvdo
conflicts with the 64k kernel. To work around this issue, remove the vdo
package and its dependencies prior to attempting to update.
lldpad
is auto enabled even for qedf
adapters
When using a QLogic Corp. FastLinQ QL45000 Series 10/25/40/50GbE, FCOE Controller automatically enables the lldpad
daemon on systems running RHV. As a consequence, I/O operations are aborted with an error, for example, [qedf_eh_abort:xxxx]:1: Aborting io_req=ff5d85a9dcf3xxxx
.
To work around this problem, disableLink Layer Discovery Protocol (LLDP) and then enable it for interfaces that can be set on the vdsm
configuration level. For more information, https://access.redhat.com/solutions/6963195.
Jira:RHEL-8104[1]
System fails to boot when iommu
is enabled
By enabling the Input-Output Memory Management Unit (IOMMU) on AMD platforms when the BNX2I adapter is in use, a system fails to boot with the Direct Memory Access Remapping (DMAR) timeout errors. To work around this problem, disable the IOMMU before booting by using the kernel command-line option, iommu=off
. As a result, the system boots without any errors.
Jira:RHEL-25730[1]
RHEL installer does not automatically discover or use iSCSI devices as boot devices on aarch64
The absence of the iscsi_ibft
kernel module in RHEL installers running on aarch64 prevents automatic discovery of iSCSI devices defined in firmware. These devices are not automatically visible in the installer nor selectable as boot devices when added manually by using the GUI. As a workaround, add the "inst.nonibftiscsiboot" parameter to the kernel command line when booting the installer and then manually attach iSCSI devices through the GUI. As a result, the installer can recognize the attached iSCSI devices as bootable and installation completes as expected.
For more information, see KCS solution.
Jira:RHEL-56135[1]
9.9. High availability and clusters
Removing duplicate route entries for IPv6 addresses in an IPsrcaddr
resource
In Red Hat Enterprise Linux 9.4 and earlier, when you specified an IPv6 address for an IPsrcaddr
resource, the IPsrcaddr
resource agent created a duplicate route with a different metric when the metric was used for the subnet. For example, this happened when NetworkManager created another IP address on the IPv6 subnet. In this situation, the IPsrcaddr
resource failed to start because there was more than one match for the IP address. As of Red Hat Enterprise Linux 9.5, the IPsrcaddr
resource agent specifies the metric of an existing route when it is available and a second route is not created. If, however, you created an IPaddr2
IPv6 resource that uses an IPv6 address before this upgrade, you must reboot your system to remove the duplicate route entry.
Jira:RHEL-32265[1]
9.10. Dynamic programming languages, web and database servers
python3.11-lxml
does not provide the lxml.isoschematron
submodule
The python3.11-lxml
package is distributed without the lxml.isoschematron
submodule because it is not under an open source license. The submodule implements ISO Schematron support. As an alternative, pre-ISO-Schematron validation is available in the lxml.etree.Schematron
class. The remaining content of the python3.11-lxml
package is unaffected.
The --ssl-fips-mode
option in MySQL
and MariaDB
does not change FIPS mode
The --ssl-fips-mode
option in MySQL
and MariaDB
in RHEL works differently than in upstream.
In RHEL 9, if you use --ssl-fips-mode
as an argument for the mysqld
or mariadbd
daemon, or if you use ssl-fips-mode
in the MySQL
or MariaDB
server configuration files, --ssl-fips-mode
does not change FIPS mode for these database servers.
Instead:
-
If you set
--ssl-fips-mode
toON
, themysqld
ormariadbd
server daemon does not start. -
If you set
--ssl-fips-mode
toOFF
on a FIPS-enabled system, themysqld
ormariadbd
server daemons still run in FIPS mode.
This is expected because FIPS mode should be enabled or disabled for the whole RHEL system, not for specific components.
Therefore, do not use the --ssl-fips-mode
option in MySQL
or MariaDB
in RHEL. Instead, ensure FIPS mode is enabled on the whole RHEL system:
- Preferably, install RHEL with FIPS mode enabled. Enabling FIPS mode during the installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. For information about installing RHEL in FIPS mode, see Installing the system in FIPS mode.
- Alternatively, you can switch FIPS mode for the entire RHEL system by following the procedure in Switching the system to FIPS mode.
Git
fails to clone or fetch from repositories with potentially unsafe ownership
To prevent remote code execution and mitigate CVE-2024-32004, stricter ownership checks have been introduced in Git
for cloning local repositories. With this update, Git
treats local repositories with potentially unsafe ownership as dubious.
As a consequence, if you attempt to clone from a repository locally hosted through git-daemon
and you are not the owner of the repository, Git
returns a security alert about dubious ownership and fails to clone or fetch from the repository.
To work around this problem, explicitly mark the repository as safe by executing the following command:
git config --global --add safe.directory /path/to/repository
Jira:RHELDOCS-18435[1]
9.11. Identity Management
The DEFAULT:SHA1 subpolicy has to be set on RHEL 9 clients for PKINIT to work against AD KDCs
The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 algorithm.
However, the Active Directory (AD) Kerberos Distribution Center (KDC) still uses the SHA-1 digest algorithm to sign CMS messages. As a result, RHEL 9 Kerberos clients fail to authenticate users by using PKINIT against an AD KDC.
To work around the problem, enable support for the SHA-1 algorithm on your RHEL 9 systems with the following command:
# update-crypto-policies --set DEFAULT:SHA1
The PKINIT authentication of a user fails if a RHEL 9 Kerberos agent communicates with a non-RHEL-9, non-AD Kerberos agent
If a RHEL 9 Kerberos agent, either a client or Kerberos Distribution Center (KDC), interacts with a non-RHEL-9 Kerberos agent that is not an Active Directory (AD) agent, the PKINIT authentication of the user fails. To work around the problem, perform one of the following actions:
Set the RHEL 9 agent’s crypto-policy to
DEFAULT:SHA1
to allow the verification of SHA-1 signatures:# update-crypto-policies --set DEFAULT:SHA1
Update the non-RHEL-9 and non-AD agent to ensure it does not sign CMS data using the SHA-1 algorithm. For this, update your Kerberos client or KDC packages to the versions that use SHA-256 instead of SHA-1:
- CentOS 9 Stream: krb5-1.19.1-15
- RHEL 8.7: krb5-1.18.2-17
- RHEL 7.9: krb5-1.15.1-53
- Fedora Rawhide/36: krb5-1.19.2-7
- Fedora 35/34: krb5-1.19.2-3
As a result, the PKINIT authentication of the user works correctly.
Note that for other operating systems, it is the krb5-1.20 release that ensures that the agent signs CMS data with SHA-256 instead of SHA-1.
See also The DEFAULT:SHA1 subpolicy has to be set on RHEL 9 clients for PKINIT to work against AD KDCs.
FIPS support for AD trust requires the AD-SUPPORT crypto subpolicy
Active Directory (AD) uses AES SHA-1 HMAC encryption types, which are not allowed in FIPS mode on RHEL 9 by default. If you want to use RHEL 9 IdM hosts with an AD trust, enable support for AES SHA-1 HMAC encryption types before installing IdM software.
Since FIPS compliance is a process that involves both technical and organizational agreements, consult your FIPS auditor before enabling the AD-SUPPORT
subpolicy to allow technical measures to support AES SHA-1 HMAC encryption types, and then install RHEL IdM:
# update-crypto-policies --set FIPS:AD-SUPPORT
Heimdal client fails to authenticate a user using PKINIT against RHEL 9 KDC
By default, a Heimdal Kerberos client initiates the PKINIT authentication of an IdM user by using Modular Exponential (MODP) Diffie-Hellman Group 2 for Internet Key Exchange (IKE). However, the MIT Kerberos Distribution Center (KDC) on RHEL 9 only supports MODP Group 14 and 16.
Consequently, the pre-autentication request fails with the krb5_get_init_creds: PREAUTH_FAILED
error on the Heimdal client and Key parameters not accepted
on the RHEL MIT KDC.
To work around this problem, ensure that the Heimdal client uses MODP Group 14. Set the pkinit_dh_min_bits
parameter in the libdefaults
section of the client configuration file to 1759:
[libdefaults] pkinit_dh_min_bits = 1759
As a result, the Heimdal client completes the PKINIT pre-authentication against the RHEL MIT KDC.
IdM in FIPS mode does not support using the NTLMSSP protocol to establish a two-way cross-forest trust
Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the RC4 NTLM hash that the AD domain controller uses when attempting to authenticate.
Jira:RHEL-12154[1]
Migrated IdM users might be unable to log in due to mismatching domain SIDs
If you have used the ipa migrate-ds
script to migrate users from one IdM deployment to another, those users might have problems using IdM services because their previously existing Security Identifiers (SIDs) do not have the domain SID of the current IdM environment. For example, those users can retrieve a Kerberos ticket with the kinit
utility, but they cannot log in. To work around this problem, see the following Knowledgebase article: Migrated IdM users unable to log in due to mismatching domain SIDs.
Jira:RHELPLAN-109613[1]
Adding a RHEL 9 replica in FIPS mode to an IdM deployment in FIPS mode that was initialized with RHEL 8.6 or earlier fails
The default RHEL 9 FIPS cryptographic policy aiming to comply with FIPS 140-3 does not allow the use of the AES HMAC-SHA1 encryption types' key derivation function as defined by RFC3961, section 5.1.
This constraint is a blocker when adding a RHEL 9 Identity Management (IdM) replica in FIPS mode to a RHEL 8 IdM environment in FIPS mode in which the first server was installed on a RHEL 8.6 system or earlier. This is because there are no common encryption types between RHEL 9 and the previous RHEL versions, which commonly use the AES HMAC-SHA1 encryption types but do not use the AES HMAC-SHA2 encryption types.
You can view the encryption type of your IdM master key by entering the following command on the server:
# kadmin.local getprinc K/M | grep -E '^Key:'
For more information, see the AD Domain Users unable to login in to the FIPS-compliant environment KCS solution.
Installing a RHEL 7 IdM client with a RHEL 9.2 and later IdM server in FIPS mode fails due to EMS enforcement
The TLS Extended Master Secret
(EMS) extension (RFC 7627) is now mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9.2 and later systems. This is in accordance with FIPS-140-3 requirements. However, the openssl
version available in RHEL 7.9 and lower does not support EMS. In consequence, installing a RHEL 7 Identity Management (IdM) client with a FIPS-enabled IdM server running on RHEL 9.2 and later fails.
If upgrading the host to RHEL 8 before installing an IdM client on it is not an option, work around the problem by removing the requirement for EMS usage on the RHEL 9 server by applying a NO-ENFORCE-EMS subpolicy on top of the FIPS crypto policy:
# update-crypto-policies --set FIPS:NO-ENFORCE-EMS
Note that this removal goes against the FIPS 140-3 requirements. As a result, you can establish and accept TLS 1.2 connections that do not use EMS, and the installation of a RHEL 7 IdM client succeeds.
The online backup and the online automembership rebuild tasks can acquire two locks resulting in a deadlock
If the online backup and the online automembership rebuild tasks attempt to acquire the same two locks in the opposite order, it can lead to an unrecoverable deadlock that requires you to stop and restart the server. To work around this problem, do not launch the online backup and the online automembership rebuild tasks in parallel.
Jira:RHELDOCS-18065[1]
dsconf config replace
cannot handle multivalued attributes
Currently, the dsconf config replace
command cannot set several values to a multivalued attribute, such as nsslapd-haproxy-trusted-ip
.
To work around this issue, use the ldapmodify
utility. For example, if you want to set several trusted IP addresses, run the following command:
# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x << EOF dn: cn=config changetype: modify add: nsslapd-haproxy-trusted-ip nsslapd-haproxy-trusted-ip: 192.168.0.1 nsslapd-haproxy-trusted-ip: 192.168.0.2 nsslapd-haproxy-trusted-ip: 192.168.0.3 EOF
9.12. SSSD
Potential risk when using the default value for ldap_id_use_start_tls
option
When using ldap://
without TLS for identity lookups, it can pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.
Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls
, defaults to false
. Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted communication for id_provider = ldap
. Note id_provider = ad
and id_provider = ipa
are not affected as they use encrypted connections protected by SASL and GSSAPI.
If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls
option to true
in the /etc/sssd/sssd.conf
file. The default behavior is planned to be changed in a future release of RHEL.
Jira:RHELPLAN-155168[1]
SSSD registers the DNS names properly
Previously, if the DNS was set up incorrectly, SSSD always failed the first attempt to register the DNS name. To work around the problem, this update provides a new parameter dns_resolver_use_search_list
. Set dns_resolver_use_search_list = false
to avoid using the DNS search list.
Bugzilla:1608496[1]
9.13. Desktop
VNC is not running after upgrading to RHEL 9
After upgrading from RHEL 8 to RHEL 9, the VNC server fails to start, even if it was previously enabled.
To work around the problem, manually enable the vncserver
service after the system upgrade:
# systemctl enable --now vncserver@:port-number
As a result, VNC is now enabled and starts after every system boot as expected.
User Creation screen is unresponsive
When installing RHEL using a graphical user interface, the User Creation screen is unresponsive. As a consequence, creating users during installation is more difficult.
To work around this problem, use one of the following solutions to create users:
- Run the installation in VNC mode and resize the VNC window.
- Create users after completing the installation process.
Jira:RHEL-11924[1]
WebKitGTK fails to display web pages on IBM Z
The WebKitGTK web browser engine fails when trying to display web pages on the IBM Z architecture. The web page remains blank and the WebKitGTK process ends unexpectedly.
As a consequence, you cannot use certain features of applications that use WebKitGTK to display web pages, such as the following:
- The Evolution mail client
- The GNOME Online Accounts settings
- The GNOME Help application
9.14. Graphics infrastructures
NVIDIA drivers might revert to X.org
Under certain conditions, the proprietary NVIDIA drivers disable the Wayland display protocol and revert to the X.org display server:
- If the version of the NVIDIA driver is lower than 470.
- If the system is a laptop that uses hybrid graphics.
- If you have not enabled the required NVIDIA driver options.
Additionally, Wayland is enabled but the desktop session uses X.org by default if the version of the NVIDIA driver is lower than 510.
Jira:RHELPLAN-119001[1]
Night Light is not available on Wayland with NVIDIA
When the proprietary NVIDIA drivers are enabled on your system, the Night Light feature of GNOME is not available in Wayland sessions. The NVIDIA drivers do not currently support Night Light.
Jira:RHELPLAN-119852[1]
X.org configuration utilities do not work under Wayland
X.org utilities for manipulating the screen do not work in the Wayland session. Notably, the xrandr
utility does not work under Wayland due to its different approach to handling, resolutions, rotations, and layout.
Jira:RHELPLAN-121049[1]
9.15. The web console
VNC console in the RHEL web console does not work correctly on ARM64
Currently, when you import a virtual machine (VM) in the RHEL web console on ARM64 architecture and then you try to interact with it in the VNC console, the console does not react to your input.
Additionally, when you create a VM in the web console on ARM64 architecture, the VNC console does not display the last lines of your input.
Jira:RHEL-31993[1]
9.16. Red Hat Enterprise Linux System Roles
If firewalld.service
is masked, using the firewall
RHEL System Role fails
If firewalld.service
is masked on a RHEL system, the firewall
RHEL System Role fails. To work around this problem, unmask the firewalld.service
:
systemctl unmask firewalld.service
Unable to register systems with environment names
The rhc
system role fails to register the system when specifying environment names in rhc_environment
. As a workaround, use environment IDs instead of environment names while registering.
Running Microsoft SQL Server 2022 in high-availability mode as an SELinux-confined application does not work
Microsoft SQL Server 2022 on RHEL 9.4 and later supports running as an SELinux-confined application. However, due to a limitation in Microsoft SQL Server, running the service as an SELinux-confined application does not work in high-availability mode. To work around this problem, you can run Microsoft SQL Server as an unconfined application if you require the service to be high available.
Note that this limitation also impacts installing Microsoft SQL Server when you use the mssql
RHEL System Role to install this service.
Jira:RHELDOCS-17719[1]
The mssql
RHEL System Role cannot configure Microsoft SQL Server with AD integration
The Microsoft SQL Server service does not provide the adutil
tool that the service requires for the integration with Active Directory (AD). Consequently, you cannot use the mssql
RHEL System Role to configure this scenario on a RHEL 9 managed node. No workaround is available, and you can use the RHEL System Role only to configure Microsoft SQL Server without AD integration on RHEL 9.
Jira:RHELDOCS-17720[1]
9.17. Virtualization
Installing a virtual machine over https or ssh in some cases fails
Currently, the virt-install
utility fails when attempting to install a guest operating system (OS) from an ISO source over a https or ssh connection - for example using virt-install --cdrom https://example/path/to/image.iso
. Instead of creating a virtual machine (VM), the described operation ends unexpectedly with an internal error: process exited while connecting to monitor
message.
Similarly, using the RHEL 9 web console to install a guest operating system fails and displays an Unknown driver 'https'
error if you use an https or ssh URL, or the Download OS
function.
To work around this problem, install qemu-kvm-block-curl
and qemu-kvm-block-ssh
on the host to enable https and ssh protocol support. Alternatively, use a different connection protocol or a different installation source.
Using NVIDIA drivers in virtual machines disables Wayland
Currently, NVIDIA drivers are not compatible with the Wayland graphical session. As a consequence, RHEL guest operating systems that use NVIDIA drivers automatically disable Wayland and load an Xorg session instead. This primarily occurs in the following scenarios:
- When you pass through an NVIDIA GPU device to a RHEL virtual machine (VM)
- When you assign an NVIDIA vGPU mediated device to a RHEL VM
There is currently no workaround for this issue.
Jira:RHELPLAN-117234[1]
The Milan
VM CPU type is sometimes not available on AMD Milan systems
On certain AMD Milan systems, the Enhanced REP MOVSB (erms
) and Fast Short REP MOVSB (fsrm
) feature flags are disabled in the BIOS by default. Consequently, the Milan
CPU type might not be available on these systems. In addition, VM live migration between Milan hosts with different feature flag settings might fail. To work around these problems, manually turn on erms
and fsrm
in the BIOS of your host.
Bugzilla:2077767[1]
A hostdev
interface with failover settings cannot be hot-plugged after being hot-unplugged
After removing a hostdev
network interface with failover configuration from a running virtual machine (VM), the interface currently cannot be re-attached to the same running VM. There is currently no workaround for this issue.
Live post-copy migration of VMs with failover VFs fails
Currently, attempting to post-copy migrate a running virtual machine (VM) fails if the VM uses a device with the virtual function (VF) failover capability enabled. To work around the problem, use the standard migration type, rather than post-copy migration.
Host network cannot ping VMs with VFs during live migration
When live migrating a virtual machine (VM) with a configured virtual function (VF), such as a VMs that uses virtual SR-IOV software, the network of the VM is not visible to other devices and the VM cannot be reached by commands such as ping
. After the migration is finished, however, the problem no longer occurs.
Disabling AVX causes VMs to become unbootable
On a host machine that uses a CPU with Advanced Vector Extensions (AVX) support, attempting to boot a VM with AVX explicitly disabled currently fails, and instead triggers a kernel panic in the VM. There is currently no workaround for this issue.
Bugzilla:2005173[1]
Windows VM fails to get IP address after network interface reset
Sometimes, Windows virtual machines fail to get an IP address after an automatic network interface reset. As a consequence, the VM fails to connect to the network. To work around this problem, disable and re-enable the network adapter driver in the Windows Device Manager.
Windows Server 2016 VMs sometimes stops working after hot-plugging a vCPU
Currently, assigning a vCPU to a running virtual machine (VM) with a Windows Server 2016 guest operating system might cause a variety of problems, such as the VM terminating unexpectedly, becoming unresponsive, or rebooting. There is currently no workaround for this issue.
Redundant error messages on VMs with NVIDIA passthrough devices
When using an Intel host machine with a RHEL 9.2 and later operating system, virtual machines (VMs) with a passed through NVDIA GPU device frequently log the following error message:
Spurious APIC interrupt (vector 0xFF) on CPU#2, should never happen.
However, this error message does not impact the functionality of the VM and can be ignored. For details, see the Red Hat KnoweldgeBase.
Bugzilla:2149989[1]
Restarting the OVS service on a host might block network connectivity on its running VMs
When the Open vSwitch (OVS) service restarts or crashes on a host, virtual machines (VMs) that are running on this host cannot recover the state of the networking device. As a consequence, VMs might be completely unable to receive packets.
This problem only affects systems that use the packed virtqueue format in their virtio
networking stack.
To work around this problem, use the packed=off
parameter in the virtio
networking device definition to disable packed virtqueue. With packed virtqueue disabled, the state of the networking device can, in some situations, be recovered from RAM.
Recovering an interrupted post-copy VM migration might fail
If a post-copy migration of a virtual machine (VM) is interrupted and then immediately resumed on the same incoming port, the migration might fail with the following error: Address already in use
To work around this problem, wait at least 10 seconds before resuming the post-copy migration or switch to another port for migration recovery.
NUMA node mapping not working correctly on AMD EPYC CPUs
QEMU does not handle NUMA node mapping on AMD EPYC CPUs correctly. As a result, the performance of virtual machines (VMs) with these CPUs might be negatively impacted if using a NUMA node configuration. In addition, the VMs display a warning similar to the following during boot.
sched: CPU #4's llc-sibling CPU #3 is not on the same node! [node: 1 != 0]. Ignoring dependency. WARNING: CPU: 4 PID: 0 at arch/x86/kernel/smpboot.c:415 topology_sane.isra.0+0x6b/0x80
To work around this issue, do not use AMD EPYC CPUs for NUMA node configurations.
NFS failure during VM migration causes migration failure and source VM coredump
Currently, if the NFS service or server is shut down during virtual machine (VM) migration, the source VM’s QEMU is unable to reconnect to the NFS server when it starts running again. As a result, the migration fails and a coredump is initiated on the source VM. Currently, there is no workaround available.
PCIe ATS devices do not work on Windows VMs
When you configure a PCIe Address Translation Services (ATS) device in the XML configuration of virtual machine (VM) with a Windows guest operating system, the guest does not enable the ATS device after booting the VM. This is because Windows currently does not support ATS on virtio
devices.
For more information, see the Red Hat KnowledgeBase.
virsh blkiotune --weight
command fails to set the correct cgroup I/O controller value
Currently, using the virsh blkiotune --weight
command to set the VM weight does not work as expected. The command fails to set the correct io.bfq.weight
value in the cgroup I/O controller interface file. There is no workaround at this time.
Starting a VM with an NVIDIA A16 GPU sometimes causes the host GPU to stop working
Currently, if you start a VM that uses an NVIDIA A16 GPU passthrough device, the NVIDIA A16 GPU physical device on the host system in some cases stops working.
To work around the problem, reboot the hypervisor and set the reset_method
for the GPU device to bus
:
# echo bus > /sys/bus/pci/devices/<DEVICE-PCI-ADDRESS>/reset_method # cat /sys/bus/pci/devices/<DEVICE-PCI-ADDRESS>/reset_method bus
For details, see the Red Hat Knowledgebase.
Jira:RHEL-7212[1]
Windows VMs might become unresponsive due to storage errors
On virtual machines (VMs) that use Windows guest operating systems, the system in some cases becomes unresponsive when under high I/O load. When this happens, the system logs a viostor Reset to device, \Device\RaidPort3, was issued
error. There is currently no workaround for this issue.
Jira:RHEL-1609[1]
Windows 10 VMs with certain PCI devices might become unresponsive on boot
Currently, a virtual machine (VM) that uses a Windows 10 guest operating system might become unresponsive during boot if a virtio-win-scsi
PCI device with a local disk back end is attached to the VM. To work around the problem, boot the VM with the multi_queue
option enabled.
Jira:RHEL-1084[1]
Windows 11 VMs with a memory balloon device set might close unexpectedly during reboot
Currently, rebooting virtual machines (VMs) that use a Windows 11 guest operating system and a memory balloon device in some cases fails with a DRIVER POWER STAT FAILURE
blue-screen error. There is currently no workaround for this issue.
Jira:RHEL-935[1]
The virtio balloon driver sometimes does not work on Windows 10 VMs
Under certain circumstances, the virtio-balloon driver does not work correctly on virtual machines (VMs) that use a Windows 10 guest operating system. As a consequence, such VMs might not use their assigned memory efficiently. There is currently no workaround for this issue.
The virtio file system has suboptimal performance in Windows VMs
Currently, when a virtio file system (virtiofs) is configured on a virtual machine (VM) that uses a Windows guest operating system, the performance of virtiofs in the VM is significantly worse than in VMs that use Linux guests. There is currently no workaround for this issue.
Jira:RHEL-1212[1]
Hot-unplugging a storage device on Windows VMs might fail
On virtual machines (VMs) that use a Windows guest operating system, removing a storage device when the VM is running (also known as a device hot-unplug) in some cases fails. As a consequence, the storage device remains attached to the VM and the disk manager service might become unresponsive. There is currently no workaround for this issue.
Hot plugging CPUs to a Windows VM might cause a system failure
When hot plugging the maximum number of CPUs to a Windows virtual machine (VM) with huge pages enabled, the guest operating system might crash with the following Stop error:
PROCESSOR_START_TIMEOUT
There is currently no workaround for this issue.
Updating virtio
drivers on Windows VMs might fail
When updating the KVM paravirtualized (virtio
) drivers on a Windows virtual machine (VM), the update might cause the mouse to stop working and the newly installed drivers might not be signed. This problem occurs when updating the virtio
drivers by installing from the virtio-win-guest-tools
package, which is a part of the virtio-win.iso
file.
To work around this problem, update the virtio
drivers by using Windows Device Manager.
Jira:RHEL-574[1]
TX queue size cannot be changed in VMs that use vhost-kernel
Currently, you cannot set up TX queue size on KVM virtual machines (VMs) that use vhost-kernel
as a back end for the virtio
network driver. As a consequence, you can use only the default value of 256 for the TX queue, which might prevent you from optimizing your VM network throughput. There is currently no workaround for this issue.
Jira:RHEL-1138[1]
VMs incorrectly report the vulnerable
status for spec_rstack_overflow
parameter on the AMD EPYC model
When you boot a host, it does not detect any vulnerabilities in the spec_rstack_overflow
parameter. After querying the parameter for logs, it displays the message:
# cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Safe RET
After booting a VM on the same host, the VM detects a vulnerability in the spec_rstack_overflow
parameter. And when you query the parameter for logs, it displays the message:
# cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Vulnerable: Safe RET, no microcode
However, this is a false warning message, and you can ignore the status of the /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
file inside the VM.
Jira:RHEL-17614[1]
Virtual machines incorrectly report an AMD SRSO vulnerability
RHEL 9.4 virtual machines (VMs) running on a RHEL 9 host with the AMD Zen 3 and 4 CPU architecture incorrectly report a vulnerability to a Speculative Return Stack Overflow (SRSO) attack:
# lscpu | grep rstack
Vulnerability Spec rstack overflow: Vulnerable: Safe RET, no microcode
The problem is caused by a missing cpuid
flag and the vulnerability is in fact fully mitigated in VMs under the following conditions:
-
You have the updated
linux-firmware
package on the host as described here: cve-2023-20569. -
The host kernel has the mitigation enabled, which is the default behavior. If the mitigation is enabled,
Safe RET
is displayed in thelscpu
command output on the host.
Jira:RHEL-26152[1]
Link status shows up
on VM, even when status is down
of e1000e
or igb
model interface
Before booting the VM, set the status of Ethernet link down
for the e1000
or igb
model network interface. Despite this, after the VM boots, the network interface keeps the up
status, because when you set the status of Ethernet link down
and then stop and re-start the VM, it is automatically set back to up
. Consequently, the correct state of network interface is not maintained. As a workaround, set the network interface status to down
inside the VM by using command:
# ip link set dev eth0 down
Alternatively, you can try to remove and add this network interface again while the VM is running.
SeaBIOS cannot boot from a disk with 4096 bytes sector size
When using SeaBIOS to boot a virtual machine (VM) from a disk that uses logical or physical sector size of 4096 bytes, the boot disk is not displayed as available, and booting the VM fails. To boot a VM from such a disk, use UEFI instead of SeaBIOS.
Kdump fails on virtual machines with AMD SEV-SNP
Currently, kdump fails on RHEL 9 virtual machines (VMs) that use the AMD Secure Encrypted Virtualization (SEV) with the Secure Nested Paging (SNP) feature. There is currently no workaround for this issue.
Jira:RHEL-10019[1]
Enabling Hyper-V enlightenments in some cases does not improve CPU optimization
On virtual machines (VM) that use a Windows guest operating system, enabling Hyper-V enlightenments in some cases does not result in the expected improvement in the CPU usage of the VM. There is currently no workaround for this issue.
Jira:RHEL-17331[1]
9.18. RHEL in cloud environments
Cloning or restoring RHEL 9 virtual machines that use LVM on Nutanix AHV causes non-root partitions to disappear
When running a RHEL 9 guest operating system on a virtual machine (VM) hosted on the Nutanix AHV hypervisor, restoring the VM from a snapshot or cloning the VM currently causes non-root partitions in the VM to disappear if the guest is using Logical Volume Management (LVM). As a consequence, the following problems occur:
- After restoring the VM from a snapshot, the VM cannot boot, and instead enters emergency mode.
- A VM created by cloning cannot boot, and instead enters emergency mode.
To work around these problems, do the following in emergency mode of the VM:
-
Remove the LVM system devices file:
rm /etc/lvm/devices/system.devices
-
Re-create LVM device settings:
vgimportdevices -a
- Reboot the VM
This makes it possible for the cloned or restored VM to boot up correctly.
Alternatively, to prevent the issue from occurring, do the following before cloning a VM or creating a VM snapshot:
-
Uncomment the
use_devicesfile = 0
line in the/etc/lvm/lvm.conf
file - Reboot the VM
Bugzilla:2059545[1]
Customizing RHEL 9 guests on ESXi sometimes causes networking problems
Currently, customizing a RHEL 9 guest operating system in the VMware ESXi hypervisor does not work correctly with NetworkManager key files. As a consequence, if the guest is using such a key file, it will have incorrect network settings, such as the IP address or the gateway.
For details and workaround instructions, see the VMware Knowledge Base.
Bugzilla:2037657[1]
RHEL instances on Azure fail to boot if provisioned by cloud-init
and configured with an NFSv3 mount entry
Currently, booting a RHEL virtual machine (VM) on the Microsoft Azure cloud platform fails if the VM was provisioned by the cloud-init
tool and the guest operating system of the VM has an NFSv3 mount entry in the /etc/fstab
file. There is currently no workaround for this issue.
Bugzilla:2081114[1]
Setting static IP in a RHEL virtual machine on a VMware host does not work
Currently, when using RHEL as a guest operating system of a virtual machine (VM) on a VMware host, the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init
utility to set the VM’s network to static IP and then reboot the VM, the VM’s network will be changed to DHCP.
To work around this issue, see the VMware Knowledge Base.
Large VMs might fail to boot into the debug kernel when the kmemleak
option is enabled
When attempting to boot a RHEL 9 virtual machine (VM) into the debug kernel, the booting might fail with the following error if the machine kernel is using the kmemleak=on
argument.
Cannot open access to console, the root account is locked. See sulogin(8) man page for more details. Press Enter to continue.
This problem affects mainly large VMs because they spend more time in the boot sequence.
To work around the problem, edit the /etc/fstab
file on the machine and add extra timeout options to the /boot
and /boot/efi
mount points. For example:
UUID=e43ead51-b364-419e-92fc-b1f363f19e49 /boot xfs defaults,x-systemd.device-timeout=600,x-systemd.mount-timeout=600 0 0 UUID=7B77-95E7 /boot/efi vfat defaults,uid=0,gid=0,umask=077,shortname=winnt,x-systemd.device-timeout=600,x-systemd.mount-timeout=600 0 2
Jira:RHELDOCS-16979[1]
9.19. Supportability
Timeout when running sos report
on IBM Power Systems, Little Endian
When running the sos report
command on IBM Power Systems, Little Endian with hundreds or thousands of CPUs, the processor plugin reaches its default timeout of 300 seconds when collecting huge content of the /sys/devices/system/cpu
directory. As a workaround, increase the plugin’s timeout accordingly:
- For one-time setting, run:
# sos report -k processor.timeout=1800
-
For a permanent change, edit the
[plugin_options]
section of the/etc/sos/sos.conf
file:
[plugin_options] # Specify any plugin options and their values here. These options take the form # plugin_name.option_name = value #rpm.rpmva = off processor.timeout = 1800
The example value is set to 1800. The particular timeout value highly depends on a specific system. To set the plugin’s timeout appropriately, you can first estimate the time needed to collect the one plugin with no timeout by running the following command:
# time sos report -o processor -k processor.timeout=0 --batch --build
Bugzilla:1869561[1]
9.20. Containers
Podman and bootc do not share the same registry login process
Podman and bootc
use different registry login processes when pulling images. As a consequence, if you login to an image by using Podman, logging to a registry for bootc
will not work on that image. When you install an image mode for RHEL system, and login to registry.redhat.io by using the following command:
# podman login registry.redhat.io <username_password>
And then you attempt to switch to the registry.redhat.io/rhel9/rhel-bootc
image with the following command:
# bootc switch registry.redhat.io/rhel9/rhel-bootc:9.4
You should be able to see the following message:
Queued for next boot: registry.redhat.io/rhel9/rhel-bootc:9.4
However, an error appears:
ERROR Switching: Pulling: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication
To work around this issue, follow the steps Configuring container pull secrets to use authenticated registries with bootc
.
Jira:RHELDOCS-18471[1]
Running systemd within an older container image does not work
Running systemd within an older container image, for example, centos:7
, does not work:
$ podman run --rm -ti centos:7 /usr/lib/systemd/systemd Storing signatures Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted [!!!!!!] Failed to mount API filesystems, freezing.
To work around this problem, use the following commands:
# mkdir /sys/fs/cgroup/systemd # mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd # podman run --runtime /usr/bin/crun --annotation=run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup --rm -ti centos:7 /usr/lib/systemd/systemd
Jira:RHELPLAN-96940[1]
Root filesystem are not expanded by default
When you use a base container image, that does not include cloud-init
to create an AMI or QCOW2 container image by using bootc-image-builder
, the root filesystem size is not expanded dynamically on boot to the full size of the provisioned virtual disk.
To work around this issue, apply one of the following available options:
-
Include
cloud-init
in the image. - Include custom logic in the container image to expand the root filesystem, for example:
/usr/bin/growpart /dev/vda 4 unshare -m bin/sh -c 'mount -o remount,rw /sysroot && xfs_growfs /sysroot'
-
Include a custom logic to use the additional space for secondary filesystems, for example,
/var/lib/containers
.
By default, the physical root storage is mounted at the /sysroot
partition.