7.8 Release Notes

Smart-card sharing is now supported on Windows guests with ActivClient drivers

This update adds support for smart-card sharing in virtual machines (VMs) that use a Windows guest OS and ActivClient drivers. This enables smart-card authentication for user logins using emulated or shared smart cards on these VMs.

The ipa-client-automount utility now supports setting an NFS domain that differs from the IdM domain

This enhancement adds the --idmap-domain option to the ipa-client-automount utility. Previously, ipa-client-automount assumed that the NFS domain is the same as the Identity Management (IdM) domain, but this is not always the case. As a result, you can now specify an NFS domain that is different from the IdM domain.

samba rebased to version 4.10.4

The samba packages have been upgraded to upstream version 4.10.4, which provides a number of bug fixes and enhancements over the previous version:

Default value of Pacemaker concurrent-fencing cluster property now set to true

Pacemaker now defaults the concurrent-fencing cluster property to true. If multiple nodes need to be fenced at the same time and they use different configured fence devices, Pacemaker will execute the fencing simultaneously rather than serialized as before. This can greatly speed up recovery in a large cluster when multiple nodes must be fenced.

Pacemaker support for configuring resources to remain stopped on clean node shutdown

When a cluster node shuts down, Pacemaker’s default response is to stop all resources running on that node and recover them elsewhere. Some users prefer to have high availability only for failures, and to treat clean shutdowns as scheduled outages. To address this, Pacemaker now supports the shutdown-lock and shutdown-lock-limit cluster properties to specify that resources active on a node when it shuts down should remain stopped until the node next rejoins. Users can now use clean shutdowns as scheduled outages without any manual intervention. For information on configuring resources to remain stopped on a clean node shutdown, see Configuring Resources to Remain Stopped on Clean Node Shutdown.

Optimized implementation of SHA-2 operations on IBM PowerPC systems

This update adds an assembly code implementation of SHA-2 operations on IBM PowerPC systems, which significantly improves performance.

OpenJDK now supports also secp256k1

Previously, Open Java Development Kit (OpenJDK) could use only curves from the NSS library. Consequently, OpenJDK provided only the secp256r1, secp384r1, and secp521r1 curves for elliptic curve cryptography (ECC). With this update, OpenJDK uses the internal ECC implementation and supports also the secp256k1 curve.

Modified workspace switcher in GNOME Classic

Workspace switcher in the GNOME Classic environment has been modified. The switcher is now located in the right part of the bottom bar, and it is designed as a horizontal strip of thumbnails.

GNOME now warns against a root graphical login

With this update, GNOME now displays a warning notification if you log into a graphical session as the root user.

Aero adapters are now fully supported

The following Aero adapters, previously available as a Technology Preview, are now fully supported:

RHEL 7.8 now supports blueprint customizations

With this enhancement, RHEL 7.8 now supports a set of image customizations within blueprints when using the CLI. To make use of these customizations, you must configure them in the blueprint and import (push) to Image Builder. As a result, you are able to add specifications for your system.

Kernel version in RHEL 7.8

Red Hat Enterprise Linux 7.8 is distributed with the kernel version 3.10.0-1127.

FUSE file system can be used inside of a user namespace

RHEL 7 now enables users to mount the Filesystem in Userspace (FUSE) based filesystems inside of the user namespace. As a result, users are able to use the fuse-overlayfs command inside of rootless containers that were created with Buildah or Podman utilities.

ipcmin_extend increases the number of unique System V IPC identifiers

A new kernel command line parameter ipcmin_extend increases the number of unique System V Interprocess Communication (IPC) identifiers from 32,768 to 16,777,216. As a result, users with applications that exceed 32,768 of unique System V IPC identifiers can add ipcmin_extend to port the relevant applications to RHEL without a major redesign.

Intel® Omni-Path Architecture (OPA) Host Software

Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.8. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

kernel-rt source tree now matches the latest RHEL 7 tree

The kernel-rt sources have been upgraded to the latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and enhancements over the previous version.

A new storage role added to RHEL System Roles

The storage role has been added to RHEL System Roles provided by the rhel-system-roles package, which is available in the RHEL 7 Extras repository.

SCAP Security Guide now provides OSPP 4.2.1 and NCP Profiles

The OSPP (Protection Profile for General Purpose Operating Systems) profile has been updated, and it now conforms to OSPP 4.2.1 baseline. The profile with the ospp42 ID has been merged to the OSPP profile. Administrators should switch systems using the ospp42 profile to ospp because ospp42 is no longer a valid ID.

SCAP Security Guide now supports ACSC Essential Eight

The scap-security-guide packages now provides the Australian Cyber Security Centre (ACSC) Essential Eight compliance profile and a corresponding Kickstart file. With this enhancement, users can install a system that conforms with this security baseline. Furthermore, you can use the OpenSCAP suite for checking security compliance and remediation using this specification of minimum security controls defined by ACSC.

SCAP Security Guide now correctly disables services

With this update, the SCAP Security Guide (SSG) profiles correctly disable and mask services that should not be started. This guarantees that disabled services are not inadvertently started as a dependency of another service. Before this change, the SSG profiles such as the U.S. Government Commercial Cloud Services (C2S) profile only disabled the service. As a result, services disabled by an SSG profile cannot be started unless you unmask them first.

SCAP Security Guide rebased to version 0.1.46

The SCAP Security Guide (SSG) packages have been upgraded to version 0.1.46, which provides enhancements and bug fixes over the previous version, most notably:

SCAP Security Guide now supports scanning RHEL 8 systems from RHEL 7

The scap-security-guide package now contains SCAP content and Ansible playbooks for RHEL 8. This enables you to scan RHEL 8 systems and containers from a RHEL 7 environment.

selinux-policy now allows tomcat processes to connect to redis database

This update of selinux-policy packages introduces rules that allow the tomcat_t domain to connect to ports labeled redis_port_t when the tomcat_can_network_connect_db SELinux boolean is enabled. You can now use this boolean to allow tomcat_t to access several databases, which was not previously supported for redis processes.

sysadm_u users can now log in to graphical sessions

Previously, Linux users mapped to the sysadm_u SELinux user were unable to log in to graphical sessions. The SELinux policy has been updated to allow these users to use graphical sessions while conforming to DISA STIG requirements. If the xdm_sysadm_login Boolean is enabled, the sysadm_u user can now successfully log in to X Window System session from the GNOME Display Manager.

An option for rsyslog to preserve case of FROMHOST for imudp and imtcp is available

This update to the rsyslog service introduces the option to manage letter-case preservation of the FROMHOST property for the imudp and imtcp modules. Setting the preservecase value to on means the FROMHOST property is handled in a case sensitive manner. To avoid breaking existing configurations, the default values of preservecase are on for imtcp and off for imudp.

Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)

DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.

NVMe/FC is now fully supported in Qlogic HBAs

The NVMe over Fibre Channel (NVMe/FC) transport type is now fully supported in Qlogic Fibre Channel (FC) host bus adapters (HBAs), which use the qla2xxx driver.

Directory Server rebased to version 1.3.10

The 389-ds-base packages have been upgraded to upstream version 1.3.10, which provides a number of bug fixes over the previous version.

Directory Server now correctly logs the search base if the server rejects a search operation

Previously, when Directory Server rejected a search operation because of a protocol error, the server logged base="(null)" instead of the actual search base. With this update, Directory Server passes the correct internal variable to the log operation. As a result, the server correctly logs the search base in the mentioned scenario.

Directory Server improved the logging of the etime value

Previously, if an operation started and completed at the border of a second and the operation took less than one second, Directory Server logged an incorrectly calculated etime value. As a consequence, the logged value was too big. This updates fixes the problem. As a result, the calculated etime value is now closer to the start and end time stamp.

Directory Server now logs the correct etime value in the access log

Previously, Directory Server incorrectly formatted the etime field in the /var/log/dirsrv/slapd-<instance_name>/access log file. As a consequence, the time value in nanoseconds was 10 times lower than the actual value. This update fixes the problem. As a result, Directory Server now logs the correct nanosecond value in the etime field.

The severity of a Directory Server log message has been changed

Previously, Directory Server incorrectly logged Event <event_name> should not occur in state <state_name>; going to sleep messages as error. This update changes the severity of this message to warning.

Directory Server is RFC 4511-compliant when searching for the 1.1 and other attributes in one request

To retrieve only a list of matching distinguished names (DN), LDAP users can search for the 1.1 special attribute. According to RFC 4511, if an LDAP client searches for the 1.1. special attribute in combination with other attributes in one search request, the server must ignore the 1.1 special attribute.

Directory Server returns password policy controls in the correct order

Previously, if the password of a user expired, Directory Server returned password policy controls in a different order depending on whether grace logins were exhausted or not. Consequently, this sometimes caused problems in LDAP clients compliant with the RFC 4511 standard. This update fixes the problem, and as a result, Directory Server returns password policy controls in the correct order.

Directory Server now also applies limits for maximum concurrent cleanAllRUV tasks received from extended operations

Directory Server supports up to 64 concurrent cleanAllRUV tasks. Previously, Directory Server applied this limit only to manually created tasks and not to tasks the server received from extended operations. As a consequence, more than 64 concurrent cleanAllRUV tasks could run at the same time and slow down the server. This update adds a counter to track the number of clean tasks and abort threads. As a result, only up to 64 concurrent cleanAllRUV tasks can run at the same time.

Importing large LDIF files to Directory Server databases with many nested-subtrees is now significantly faster

Previously, if the Directory Server database contained many nested sub-trees, importing a large LDIF file using the ldif2db and ldif2db.pl utilities was slow. With this update, Directory Server adds the ancestorid index after all entries. As a result, importing LDIF files to a database with many nested sub-trees is now significantly faster.

Directory Server now processes new operations only after a previous SASL bind fully initialized the connection

During a bind using the Simple Authentication and Security Layer (SASL) framework, Directory Server initializes a set of callback functions. Previously, if Directory Server received an additional operation on the same connection during a SASL bind, this operation could access and use the callback functions even if they were not fully initialized. Consequently, the Directory Server instance terminated unexpectedly. With this update, the server prevents operations from accessing and using the callback structure until the previous SASL bind is successfully initialized. As a result, Directory Server no longer crashes in this situation.

The cl-dump.pl and cl-dump utilities now remove temporary files after exporting the change log

Previously, the cl-dump.pl and cl-dump utilities in Directory Server created temporary LDIF files in the /var/lib/dirsrv/slapd-<instance_name>/changelogdb/ directory. After the change log was exported, the utilities renamed the temporary files to *.done. As a consequence, if the temporary files were large, this could result in low free disk space. With this update, by default, cl-dump.pl and cl-dump now delete the temporary files at the end of the export. Additionally, the -l option has been added to both utilities to manually preserve the temporary files. As a result, cl-dump.pl and cl-dump free the disk space after exporting the change log or user can optionally enforce the old behavior by using the -l option.

IdM configures the Apache NSS module to use only TLS 1.2 when installing or updating an IdM server or replica

Previously, when an administrator installed an Identity Management (IdM) server or replica, the installer enabled the TLS 1.0, TLS 1.1, and TLS 1.2 protocols in the Apache web server’s network security service (NSS) module. This update provides the following changes:

IdM now correctly updates the certificate record in the cn=CAcert,cn=ipa,cn=etc,<base_DN> entry

Previously, after renewing the Identity Management (IdM) certificate authority (CA) certificate or modifying the CA certificate chain, IdM did not update the certificate record stored in the cn=CAcert,cn=ipa,cn=etc,<base_DN> entry. As a consequence, installations of IdM clients on RHEL 6 failed. With this update, IdM now updates the certificate record in cn=CAcert,cn=ipa,cn=etc,<base_DN>. As a result, installing IdM on RHEL 6 now succeeds after the administrator renews the CA certificate or updates the certificate chain on the IdM CA.

The ipa-replica-install utility now verifies that the server specified in --server provides all required roles

The ipa-replica-install utility provides a --server option to specify the Identity Management (IdM) server which the installer should use for the enrollment. Previously, ipa-replica-install did not verify that the supplied server provided the certificate authority (CA) and key recovery authority (KRA) roles. As a consequence, the installer replicated domain data from the specified server and CA data from a different server that provided the CA and KRA roles. With this update, ipa-replica-install verifies that the specified server provides all required roles. As a result, if the administrator uses the --server option, ipa-replica-install only replicates data from the specified server.

ipa sudorule-add-option no longer shows a false error when options are added to an existing sudo rule

Previously, when a sudo rule already contained hosts, hostgroups, users, or usergroups, the ipa sudorule-add-option command incorrectly processed the sudo rule content. Consequently, the ipa sudorule-add-option command used with the sudooption argument returned an error despite completing successfully. This bug has been fixed, and ipa sudorule-add-option now displays an accurate output in the described scenario.

IdM no longer drops all custom attributes when moving an account from preserved to stage

Previously, IdM processed only some of the attributes defined in a preserved account. Consequently, when moving an account from preserved to stage, all the custom attributes were lost. With this update, IdM processes all the attributes defined in a preserved account and the described problem no longer occurs.

Sub-CA key replication no longer fails

Previously, a change to the credential cache (ccache) behaviour in the Kerberos library caused lightweight Certificate Authority (CA) key replication to fail. This update adapts the IdM lightweight CA key replication client code to the changed ccache behaviour. As a result, the lightweight CA key replication now works correctly.

Certificate System now records audit events if the system acts as a client to other subsystems or to the LDAP server

Previously, Certificate System did not contain audit events if the system acted as a client to other subsystems or to the LDAP server. As a consequence, the server did not record any events in this situation. This update adds the CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE, CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS, and CLIENT_ACCESS_SESSION_TERMINATED events to Certificate System. As a result, Certificate System records these events when acting as a client.

The python-kdcproxy library no longer drops large Kerberos replies

Previously, if an Active Directory Kerberos Distribution Center (KDC) split large Kerberos replies into multiple TCP packets, the python-kdcproxy library dropped these packages. This update fixes the problem. As a result, python-kdcproxy processes large Kerberos replies correctly.

Socket::inet_aton() can now be used from multiple threads safely

Previously, the Socket::inet_aton() function, used for resolving a domain name from multiple Perl threads, called the unsafe gethostbyname() glibc function. Consequently, an incorrect IPv4 address was occasionally returned, or the Perl interpreter terminated unexpectedly. With this update, the Socket::inet_aton() implementation has been changed to use the thread-safe getaddrinfo() glibc function instead of gethostbyname(). As a result, the inet_aton() function from Perl Socket module can be used from multiple threads safely.

sosreport now generates HTML reports faster

Previously, when the sosreport utility collected tens of thousands of files, generation of HTML report was very slow. This update provides changes to the text report code, improving the report structure and formatting. Additionally, support for reports in the JSON file format has been added. As a result, HTML reports are now generated without delay.

32- and 64-bit fwupd packages can now be used together when installing or upgrading the system

Previously, the /usr/lib/systemd/system/fwupd.service file in the fwupd packages was different for 32- and 64-bit architectures. Consequently, it was impossible to install both 32- and 64-bit fwupd packages or to upgrade a Red Hat Enterprise Linux 7.5 system with both 32- and 64-bit fwupd packages to a later version. This update fixes fwupd so that the /usr/lib/systemd/system/fwupd.service file is same for both 32- and 64-bit architectures. As a result, installing both 32- and 64-bit fwupd packages, or upgrading a Red Hat Enterprise Linux 7.5 system with both 32- and 64-bit fwupd packages to a later version is now possible.

A memory leak in libteam has been fixed

Previously, the libteam library used an incorrect JSON API when a user queried the status of a network team. As a consequence, the teamdctl <team_device> state command leaked memory. With this update, the library uses the correct API, and querying the status of a team no longer leaks memory.

The installation program correctly sets the connection type for Kickstart network team devices

Previously, the installation program used the TYPE="Team" parameter instead of the DEVICETYPE="Team" parameter to specify the connection type in the ifcfg file that is created for Kickstart network team devices. As a consequence, any network team devices using network service were not activated during the boot process. With this update, the installation program uses the DEVICETYPE parameter to specify the connection type in the ifcfg file. As a result, Kickstart network team devices are activated during the boot process even if the system is using network service for network configuration, for example, the NetworkManager service is disabled.

The installation program correctly handles an exception when GTK is not installed

Previously, the installation program failed to handle an exception when the GTK GUI toolkit was not installed in the environment. As a consequence, the exception was not communicated to the user. With this update, the installation program correctly handles an exception when the GTK GUI toolkit is not installed, and the user is also notified of the exception.

The IBM Z systems no longer become unresponsive when using certain BCC tools

Previously, due to a bug in the kernel, running dcsnoop, runqlen, and slabratetop utilities from the bcc-tools package caused the IBM Z systems to become unresponsive. This update fixes the problem and IBM Z systems no longer hang in the described scenario.

Virtual machines no longer enable unnecessary CPU vulnerability mitigation

Previously, the MDS_NO CPU flags, which indicate that the CPU was not vulnerable to the Microarchitectural Data Sampling (MDS) vulnerability, were not exposed to guest operating systems when the virtual machine was using CPU host-passthrough. As a consequence, the guest operating system in some cases automatically enabled CPU vulnerability mitigation features that were not necessary for the host. This update ensures that the MDS_NO flag is properly visible to the guest operating system when using CPU host-passthrough, which prevents the described problem from occurring.

Disabling logging in the nf-logger framework has been fixed

Previously, when an admin used the sysctl or echo commands to turn off an assigned netfilter logger, a NUL-character was not added to the end of the NONE string. Consequently, the strcmp() function failed with a No such file or directory error. This update fixes the problem. As a result, commands, such as sysctl net.netfilter.nf_log.2=NONE work as expected and turn off logging.

Resuming from hibernation now works on the megaraid_sas driver

Previously, when the megaraid_sas driver resumed from hibernation, the Message Signaled Interrupts (MSIx) allocation did not work correctly. As a consequence, resuming from hibernation failed, and restarting the system was required. This bug has been fixed, and resuming from hibernation now works as expected.

Kdump no longer fails in the second kernel

Previously, the kdump initramfs image could fail in the second kernel after a disk migration or installation of a new machine with a disk image. This update adds the kdumpctl rebuild command for rebuilding the kdump initramfs image. As a result, users can now rebuild initramfs to ensure that kdump does not fail in the second kernel.

The latency for isolated CPU’s is now reduced by avoiding spurious ktimersoftd activation

Previously, for a KVM-RT configured system, per-CPU ktimersoftd kernel threads ran once every second even in absence of a timer. Consequently, an increased latency occurred on the isolated CPU’s. This update adds an optimization into the real-time kernel that does not wake the ktimersoftd on every tick. As a result, ktimersoftd is not raised on isolated CPU’s, which prevents the interference and reduces the latency.

The tc filter show command now displays filters correctly when the handle is 0xffffffff

Previously, a bug in the TC flower code caused an undesired integer overflow. As a consequence, dumping a flower rule that used 0xffffffff as a handle could result in an infinite loop. This update prevents the integer overflow on 64-bit architectures. As a result, tc filter show no longer loops in this scenario, and filters are now shown correctly.

The kernel no longer crashes when attempting to apply an invalid TC rule

Previously, while attempting to replace a traffic control (TC) rule with a rule having an invalid goto chain parameter, a kernel crash occurred. With this update, the kernel avoids a NULL dereference in the described scenario. As a result, the kernel no longer crashes, and an error message is logged instead.

The kernel now correctly updates PMTU when receiving ICMPv6 Packet Too Big message

In certain situations, such as for link-local addresses, more than one route can match a source address. Previously, the kernel did not check the input interface when receiving Internet Control Message Protocol Version 6 (ICMPv6) packets. Therefore, the route lookup could return a destination that did not match the input interface. Consequently, when receiving an ICMPv6 Packet Too Big message, the kernel could update the Path Maximum Transmission Unit (PMTU) for a different input interface. With this update, the kernel checks the input interface during the route lookup. As a result, the kernel now updates the correct destination based on the source address and PMTU works as expected in the described scenario.

MACsec no longer drops valid frames

Previously, if the cryptographic context for AES-GCM was not completely initialized, decryption of incoming frames failed. Consequently, MACsec dropped valid incoming frames, and increased the InPktsNotValid counter. With this update, the initialization of the cryptographic context has been fixed. Now, decryption with AES-GCM succeeds, and MACsec no longer drops valid frames.

The kernel no longer crashes when goto chain is used as a secondary TC control action

Previously, when the act gact and act police traffic control (TC) rules used an invalid goto chain parameter as a secondary control action, the kernel terminated unexpectedly. With this update, the kernel avoids using goto chain with a NULL dereference and no longer crashes in the described scenario. Instead, the kernel returns an -EINVAL error message.

Kernel no longer allows adding duplicate rules with NLM_F_EXCL set

Previously, the kernel never checked the rule content when a new policy routing rule was added. Consequently, the kernel could have added two rules that were exactly the same. This complicated the rule set which could cause problems when NetworkManager tried to cache the rules. With this update, the NLM_F_EXCL flag has been added to the kernel. Now, when a rule is added and the flag is set, the kernel checks the rule content, and returns an EEXIST error if the rule already exists. As a result, kernel no longer adds duplicate rules.

The ipset list command reports consistent memory for hash set types

When you add entries to a hash set type, the ipset utility must resize the in-memory representation to for new entries by allocating an additional memory block. Previously, ipset set the total per-set allocated size to only the size of the new block instead of adding the value to the current in-memory size. As a consequence, the ip list command reported an inconsistent memory size. With this update, ipset correctly calculates the in-memory size. As a result, the ipset list command now displays the correct in-memory size of the set, and the output matches the actual allocated memory for hash set types.

firewalld no longer attempts to create IPv6 rules if the IPv6 protocol is disabled

Previously, if the IPv6 protocol was disabled, the firewalld service incorrectly attempted to create rules using the ip6tables utility, even though ip6tables should not be usable. As a consequence, when firewalld initialized the firewall, the service logged error messages. This update fixes the problem, and firewalld now only initializes IPv4 rules if IPv6 is disabled.

The --remove-rules option of firewall-cmd now removes only direct rules that match the specified criteria

Previously, the --remove-rules option of the firewall-cmd command did not check the rules to remove. As a consequence, the command removed all direct rules instead of a subset rule. This update fixes the problem. As a result, firewall-cmd now removes only direct rules that match the specified criteria.

Deleting a firewalld rich rule with forward-ports works now as expected

Previously, the firewalld service incorrectly handled the deletion of rules with the forward-ports setting. As a consequence, deleting a rich rule with forward-ports from the runtime configuration failed. This update fixes the problem. As a result, deleting a rich rule with forward-ports works as expected.

Packets no longer drift to other zones and cause unexpected behavior

Previously, when setting up rules in one zone, the firewalld daemon allowed the packets to be affected by multiple zones. This behavior violated the firewalld zone concept, in which packets may only be part of a single zone. This update fixes the bug and firewalld now prevents packets from being affected by multiple zones.

Accessibility of OpenSCAP HTML reports has been improved

Previously, an Accessible Rich Internet Applications (ARIA) parameter was incorrectly defined in OpenSCAP HTML reports. As a consequence, rule details in the reports were not accessible to users of screenreading software. With this update, the template for report generation has been changed. As a result, users with screen readers can now navigate through rule details and interact with links and buttons.

SELinux policy now allows sysadm_u users to use semanage with sudo

Previously, SELinux policy was missing rules to allow users with the sysadm_u label to use the semanage command with the sudo command. As a consequence, sysadm_u users could not configure SELinux on the system. This update adds the missing rules, and SELinux users labeled as sysadm_u can now change SELinux configurations.

Manual initialization of MariaDB using mysql_install_db no longer fails

Prior to this update, the mysql_install_db script for initializing the MariaDB database called the resolveip binary from the /usr/libexec/ directory, while the binary was located in /usr/bin/. Consequently, manual initialization of the database using mysql_install_db failed. This update fixes mysql_install_db to correctly locate resolveip. As a result, manual initialization of MariaDB using mysql_install_db no longer fails.

ReaR updates

RHEL 7.8 introduces a number of updates to the Relax-and-Recover (ReaR) utility.

Concurrent SG_IO requests in /dev/sg no longer cause data corruption

Previously, the /dev/sg device driver was missing synchronization of kernel data. Concurrent requests on the same file descriptor accessed the same data at the same time in the driver.

When an image is split off from an active/active cluster mirror, the resulting logical volume is now properly activated

Previously, when you split off an image from an active/active cluster mirror, the resulting new logical volume appeared active but it had no active component. With this fix, the new logical volume is properly activated.

The systemd-importd VM and container image import and export service

Latest systemd version now contains the systemd-importd daemon that was not enabled in the earlier build, which caused the machinectl pull-* commands to fail. Note that the systemd-importd daemon is offered as a Technology Preview and should not be considered stable.

Containerized Identity Management server available as Technology Preview

The rhel7/ipa-server container image is available as a Technology Preview feature. Note that the rhel7/sssd container image is now fully supported.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Identity Management JSON-RPC API available as a Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as Technology Preview.

Setting up IdM as a hidden replica is now available as a Technology Preview

This enhancement enables administrators to set up an Identity Management (IdM) replica as a hidden replica. A hidden replica is an IdM server that has all services running and available. However, it is not advertised to other clients or masters because no SRV records exist for the services in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas.

Use of AD and LDAP sudo providers

The Active Directory (AD) provider is a back end used to connect to an AD server. Starting with RHEL 7.2, using the AD sudo provider together with the LDAP provider is available as a Technology Preview. To enable the AD sudo provider, add the sudo_provider=ad setting in the [domain] section of the sssd.conf file.

The Custodia secrets service provider is available as a Technology Preview

As a Technology Preview, you can use Custodia, a secrets service provider. Custodia stores or serves as a proxy for secrets, such as keys or passwords.

Heuristics in corosync-qdevice available as a Technology Preview

Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which partition should be quorate.

New fence-agents-heuristics-ping fence agent

As a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.

The pcs tool now manages bundle resources in Pacemaker

As a Technology Preview starting with Red Hat Enterprise Linux 7.4, Pacemaker supports a special syntax for launching a Docker container with any infrastructure it requires: the bundle. After you have created a Pacemaker bundle, you can create a Pacemaker resource that the bundle encapsulates. For information on Pacemaker support for containers, see High Availability Add-On Reference.

New LVM and LVM lock manager resource agents

As a Technology Preview, Red Hat Enterprise Linux 7.6 introduces two new resource agents: lvmlockd and LVM-activate.

Wayland available as a Technology Preview

The Wayland display server protocol is available in Red Hat Enterprise Linux as a Technology Preview with the dependent packages required to enable Wayland support in GNOME, which supports fractional scaling. Wayland uses the libinput library as its input driver.

Fractional Scaling available as a Technology Preview

Starting with Red Hat Enterprise Linux 7.5, GNOME provides, as a Technology Preview, fractional scaling to address problems with monitors whose DPI lies in the middle between lo (scale 1) and hi (scale 2).

File system DAX is now available for ext4 and XFS as a Technology Preview

Starting with Red Hat Enterprise Linux 7.3, Direct Access (DAX) provides, as a Technology Preview, a means for an application to directly map persistent memory into its address space.

pNFS block layout is now available

As a Technology Preview, Red Hat Enterprise Linux clients can now mount pNFS shares with the block layout feature.

OverlayFS

OverlayFS is a type of union file system. It allows the user to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media. See the Linux kernel documentation for additional information.

Btrfs file system

The B-Tree file system, Btrfs, is available as a Technology Preview in Red Hat Enterprise Linux 7.

LSI Syncro CS HA-DAS adapters

Red Hat Enterprise Linux 7.1 included code in the megaraid_sas driver to enable LSI Syncro CS high-availability direct-attached storage (HA-DAS) adapters. While the megaraid_sas driver is fully supported for previously enabled adapters, the use of this driver for Syncro CS is available as a Technology Preview. Support for this adapter is provided directly by LSI, your system integrator, or system vendor. Users deploying Syncro CS on Red Hat Enterprise Linux 7.2 and later are encouraged to provide feedback to Red Hat and LSI.

tss2 enables TPM 2.0 for IBM Power LE

The tss2 package adds IBM implementation of a Trusted Computing Group Software Stack (TSS) 2.0 as a Technology Preview for the IBM Power LE architecture. This package enables users to interact with TPM 2.0 devices.

The ibmvnic device driver available as a Technology Preview

Since Red Hat Enterprise Linux 7.3, the IBM Virtual Network Interface Controller (vNIC) driver for IBM POWER architectures, ibmvnic, has been available as a Technology Preview. vNIC is a PowerVM virtual networking technology that delivers enterprise capabilities and simplifies network management. It is a high-performance, efficient technology that when combined with SR-IOV NIC provides bandwidth control Quality of Service (QoS) capabilities at the virtual NIC level. vNIC significantly reduces virtualization overhead, resulting in lower latencies and fewer server resources, including CPU and memory, required for network virtualization.

The igc driver available as a Technology Preview

The Intel® 2.5G Ethernet Linux Driver (igc.ko.xz) is available as a Technology Preview.

The ice driver available as a Technology Preview

The Intel® Ethernet Connection E800 Series Linux Driver (ice.ko.xz) is available as a Technology Preview.

eBPF system call for tracing

Red Hat Enterprise Linux 7.6 introduced the Extended Berkeley Packet Filter tool (eBPF) as a Technology Preview. This tool is enabled only for the tracing subsystem. For details, see the related Red Hat Knowledgebase article.

Heterogeneous memory management included as a Technology Preview

Red Hat Enterprise Linux 7 introduced the heterogeneous memory management (HMM) feature as a Technology Preview. This feature has been added to the kernel as a helper layer for devices that want to mirror a process address space into their own memory management unit (MMU). Thus a non-CPU device processor is able to read system memory using the unified system address space. To enable this feature, add experimental_hmm=enable to the kernel command line.

kexec as a Technology Preview

The kexec system call has been provided as a Technology Preview. This system call enables loading and booting into another kernel from the currently running kernel, thus performing the function of the boot loader from within the kernel. Hardware initialization, which is normally done during a standard system boot, is not performed during a kexec boot, which significantly reduces the time required for a reboot.

kexec fast reboot as a Technology Preview

The kexec fast reboot feature, which was introduced in Red Hat Enterprise Linux 7.5, continues to be available as a Technology Preview. kexec fast reboot makes the reboot significantly faster. To use this feature, you must load the kexec kernel manually, and then reboot the operating system.

perf cqm has been replaced by resctrl

The Intel Cache Allocation Technology (CAT) was introduced in Red Hat Enterprise Linux 7.4 as a Technology Preview. However, the perf cqm tool did not work correctly due to an incompatibility between perf infrastructure and Cache Quality of Service Monitoring (CQM) hardware support. Consequently, multiple problems occurred when using perf cqm.

TC HW offloading available as a Technology Preview

Starting with Red Hat Enterprise Linux 7.6, Traffic Control (TC) Hardware offloading has been provided as a Technology Preview.

AMD xgbe network driver available as a Technology Preview

Starting with Red Hat Enterprise Linux 7.6, the AMD xgbe network driver has been provided as a Technology Preview.

Secure Memory Encryption is available only as a Technology Preview

Currently, Secure Memory Encryption (SME) is incompatible with kdump functionality, as the kdump kernel lacks the memory key to decrypt SME-encrypted memory. Red Hat found that with SME enabled, servers under testing might fail to perform some functions and therefore the feature is unfit for use in production. Consequently, SME is changing the support level from Supported to Technology Preview. Customers are encouraged to report any issues found while testing in pre-production to Red Hat or their system vendor.

criu available as a Technology Preview

Red Hat Enterprise Linux 7.2 introduced the criu tool as a Technology Preview. This tool implements Checkpoint/Restore in User-space (CRIU), which can be used to freeze a running application and store it as a collection of files. Later, the application can be restored from its frozen state.

The mlx5_core driver supports the Mellanox ConnectX-6 Dx network adapter as a Technology Preview

This enhancement adds the PCI IDs of the Mellanox ConnectX-6 Dx network adapter to the mlx5_core driver. On hosts that use this adapter, RHEL loads the mlx5_core driver automatically. Note that Red Hat provides this feature as an unsupported Technology Preview.

Cisco usNIC driver

Cisco Unified Communication Manager (UCM) servers have an optional feature to provide a Cisco proprietary User Space Network Interface Controller (usNIC), which allows performing Remote Direct Memory Access (RDMA)-like operations for user-space applications. The libusnic_verbs driver, which is available as a Technology Preview, makes it possible to use usNIC devices via standard InfiniBand RDMA programming based on the Verbs API.

Cisco VIC kernel driver

The Cisco VIC Infiniband kernel driver, which is available as a Technology Preview, allows the use of Remote Directory Memory Access (RDMA)-like semantics on proprietary Cisco architectures.

Trusted Network Connect

Trusted Network Connect, available as a Technology Preview, is used with existing network access control (NAC) solutions, such as TLS, 802.1X, or IPsec to integrate endpoint posture assessment; that is, collecting an endpoint’s system information (such as operating system configuration settings, installed packages, and others, termed as integrity measurements). Trusted Network Connect is used to verify these measurements against network access policies before allowing the endpoint to access the network.

SR-IOV functionality in the qlcnic driver

Support for Single-Root I/O virtualization (SR-IOV) has been added to the qlcnic driver as a Technology Preview. Support for this functionality will be provided directly by QLogic, and customers are encouraged to provide feedback to QLogic and Red Hat. Other functionality in the qlcnic driver remains fully supported.

The flower classifier with off-loading support

flower is a Traffic Control (TC) classifier intended to allow users to configure matching on well-known packet fields for various protocols. It is intended to make it easier to configure rules over the u32 classifier for complex filtering and classification tasks. flower also supports the ability to off-load classification and action rules to underlying hardware if the hardware supports it. The flower TC classifier is now provided as a Technology Preview.

The postfix role of RHEL System Roles available as a Technology Preview

Red Hat Enterprise Linux System Roles provides a configuration interface for Red Hat Enterprise Linux subsystems, which makes system configuration easier through the inclusion of Ansible Roles. This interface enables managing system configurations across multiple versions of Red Hat Enterprise Linux, as well as adopting new major releases.

rhel-system-roles-sap available as a Technology Preview

The rhel-system-roles-sap package provides Red Hat Enterprise Linux (RHEL) System Roles for SAP, which can be used to automate the configuration of a RHEL system to run SAP workloads. These roles greatly reduce the time to configure a system to run SAP workloads by automatically applying the optimal settings that are based on best practices outlined in relevant SAP Notes. Access is limited to RHEL for SAP Solutions offerings. Please contact Red Hat Customer Support if you need assistance with your subscription.

SECCOMP can be now enabled in libreswan

As a Technology Preview, the seccomp=enabled|tolerant|disabled option has been added to the ipsec.conf configuration file, which makes it possible to use the Secure Computing mode (SECCOMP). This improves the syscall security by whitelisting all the system calls that Libreswan is allowed to execute. For more information, see the ipsec.conf(5) man page.

pk12util can now import certificates with RSA-PSS keys

The pk12util tool now provides importing a certificate signed with the RSA-PSS algorithm as a Technology Preview.

Support for certificates signed with RSA-PSS in certutil has been improved

Support for certificates signed with the RSA-PSS algorithm in the certutil tool has been improved. Notable enhancements and fixes include:

NSS is now able to verify RSA-PSS signatures on certificates

Since the RHEL 7.5 version of the nss package, the Network Security Services (NSS) libraries provide verifying RSA-PSS signatures on certificates as a Technology Preview. Prior to this update, clients using NSS as the SSL backend were not able to establish a TLS connection to a server that offered only certificates signed with the RSA-PSS algorithm.

USBGuard enables blocking USB devices while the screen is locked as a Technology Preview

With the USBGuard framework, you can influence how an already running usbguard-daemon instance handles newly inserted USB devices by setting the value of the InsertedDevicePolicy runtime parameter. This functionality is provided as a Technology Preview, and the default choice is to apply the policy rules to figure out whether to authorize the device or not.

Multi-queue I/O scheduling for SCSI

Red Hat Enterprise Linux 7 includes a new multiple-queue I/O scheduling mechanism for block devices known as blk-mq. The scsi-mq package allows the Small Computer System Interface (SCSI) subsystem to make use of this new queuing mechanism. This functionality is provided as a Technology Preview and is not enabled by default. To enable it, add scsi_mod.use_blk_mq=Y to the kernel command line.

Targetd plug-in from the libStorageMgmt API

Since Red Hat Enterprise Linux 7.1, storage array management with libStorageMgmt, a storage array independent API, has been fully supported. The provided API is stable, consistent, and allows developers to programmatically manage different storage arrays and utilize the hardware-accelerated features provided. System administrators can also use libStorageMgmt to manually configure storage and to automate storage management tasks with the included command-line interface.

SCSI-MQ as a Technology Preview in the qla2xxx and lpfc drivers

The qla2xxx driver updated in Red Hat Enterprise Linux 7.4 can enable the use of SCSI-MQ (multiqueue) with the ql2xmqsupport=1 module parameter. The default value is 0 (disabled).

YUM 4 available as Technology Preview

YUM version 4, a next generation of the YUM package manager, is available as a Technology Preview in the Red Hat Enterprise Linux 7 Extras repository.

USB 3.0 support for KVM guests

USB 3.0 host adapter (xHCI) emulation for KVM guests remains a Technology Preview in Red Hat Enterprise Linux 7.

Select Intel network adapters now support SR-IOV in RHEL guests on Hyper-V

As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters supported by the ixgbevf and i40evf drivers. This feature is enabled when the following conditions are met:

No-IOMMU mode for VFIO drivers

As a Technology Preview, this update adds No-IOMMU mode for virtual function I/O (VFIO) drivers. The No-IOMMU mode provides the user with full user-space I/O (UIO) access to a direct memory access (DMA)-capable device without a I/O memory management unit (IOMMU). Note that in addition to not being supported, using this mode is not secure due to the lack of I/O management provided by IOMMU.

Azure M416v2 as a host for RHEL 7 guests

As a Technology Preview, the Azure M416v2 instance type can now be used as a host for virtual machines that use RHEL 7.6 and later as the guest operating systems.

virt-v2v can convert Debian and Ubuntu guests

As a Technology Preview, the virt-v2v utility can now convert Debian and Ubuntu guest virtual machines. Note that the following problems currently occur when performing this conversion:

GPU-based mediated devices now support the VNC console

As a Technology Preview, the Virtual Network Computing (VNC) console is now available for use with GPU-based mediated devices, such as the NVIDIA vGPU technology. As a result, it is now possible to use these mediated devices for real-time rendering of a virtual machine’s graphical output.

Open Virtual Machine Firmware

The Open Virtual Machine Firmware (OVMF) is available as a Technology Preview in Red Hat Enterprise Linux 7. OVMF is a UEFI secure boot environment for AMD64 and Intel 64 guests. However, OVMF is not bootable with virtualization components available in RHEL 7. Note that OVMF is fully supported in RHEL 8.

Potential risk when using the default value for ldap_id_use_start_tls option

When using ldap:// without TLS for identity lookups, it can pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.

GCC thread sanitizer included in RHEL no longer works

Due to incompatible changes in kernel memory mapping, the thread sanitizer included with the GNU C Compiler (GCC) compiler version in RHEL no longer works. Additionally, the thread sanitizer cannot be adapted to the incompatible memory layout. As a result, it is no longer possible to use the GCC thread sanitizer included with RHEL.

The radeon driver fails to reset hardware correctly in the kexec context

When booting a kernel from the currently running kernel, such as when performing the kdump process, the radeon kernel driver currently does not properly reset hardware. Instead, radeon terminates unexpectedly, which causes the rest of the kdump service to fail.

System boot might fail due to persistent memory file systems

Systems with a large amount of persistent memory take a long time to boot. If the /etc/fstab file configures persistent memory file systems, the system might time out waiting for the devices to become available. The boot process then fails and presents the user with an emergency prompt.

RHEL 7.7 and later installations add spectre_v2=retpoline to Intel Cascade Lake systems 

RHEL 7.7 and later installations add the spectre_v2=retpoline kernel parameter to Intel Cascade Lake systems, and as a consequence, system performance is affected. To work around this problem and ensure the best performance, complete the following steps.

iSCSI installation failing with Emulex OneConnect card

After connecting an Emulex OneConnect card and configuring it for iSCSI boot, when you start the RHEL installation, the Anaconda installer returns an exception and the installation terminates unexpectedly.

The system boot sometimes fails on large systems

During the boot process, the udev device manager sometimes generates too many rules on large systems. For example, the problem has manifested on a system with 32 TB of memory and 192 CPUs. As a consequence, the boot process becomes unresponsive or times out and switches to the emergency shell.

The mirror segment type causes system deadlock in stacked configurations

The usage of the mirror segment type and putting any logical volumes on top of it causes system deadlock in stacked configurations. To work around this problem, Red Hat recommends using RAID 1 logical volumes with segment type raid1.

The zlib compression format may slow down a vmcore capture

The kdump configuration file uses the lzo compression format (makedumpfile -l) by default. Modification of the configuration file to use the zlib compression format (makedumpfile -c) is likely to bring a better compression factor at the expense of slowing down the vmcore capture process. As a consequence, it may take kdump approximately 4 times longer to capture a vmcore when zlib is used as compared to lzo. As a result, Red Hat recommends that you use the default lzo for cases where speed is the main driving factor. However, if the target machine is low on available space, zlib is a better option.

Intel network device that uses the ice driver does not pass traffic when using bridge-over-VLAN topology

Ethernet devices do not transmit Internet Control Message Protocol (ICMP) echo request and reply traffic if all of the following conditions meet:

Verification of signatures using the MD5 hash algorithm is disabled in Red Hat Enterprise Linux 7

It is impossible to connect to any Wi-Fi Protected Access (WPA) Enterprise Access Point (AP) that requires MD5 signed certificates. To work around this problem, copy the wpa_supplicant.service file from the /usr/lib/systemd/system/ directory to the /etc/systemd/system/ directory and add the following line to the Service section of the file:

bind-utils DNS lookup utilities support fewer search domains than glibc

The dig, host, and nslookup DNS lookup utilities from the bind-utils package support only up to 8 search domains, while the glibc resolver in the system supports any number of search domains. As a consequence, the DNS lookup utilities may get different results than applications when a search in the /etc/resolv.conf file contains more than 8 domains.

Auditd server does not start on remote logging servers using KRB5 peer authentication

The SELinux policy does not contain the auditd_tmp_t file type for the temporary directories and files created by processes running under auditd_t SELinux type. This prevents starting the auditd service on a server when KRB5 peer authentication is used for remote logging.

Audit executable watches on symlinks do not work

File monitoring provided by the -w option cannot directly track a path. It has to resolve the path to a device and an inode to make a comparison with the executed program. A watch monitoring an executable symlink monitors the device and an inode of the symlink itself instead of the program executed in memory, which is found from the resolution of the symlink. Even if the watch resolves the symlink to get the resulting executable program, the rule triggers on any multi-call binary called from a different symlink. This results in flooding logs with false positives. Consequently, Audit executable watches on symlinks do not work.

Upgrade to RHEL 7.8 fails when mariadb-test or postgresql-docs are installed on Workstation

The mariadb-test and postgresql-docs packages have been moved to the Workstation Optional repository. Consequently, if these packages are installed, it is impossible to update a system with a Workstation variant to RHEL 7.8. To work around this problem, uninstall mariadb-test and postgresql-docs prior to upgrading to RHEL 7.8.

FreeRADIUS silently truncates Tunnel-Passwords longer than 249 characters

If a Tunnel-Password is longer than 249 characters, the FreeRADIUS service silently truncates it. This may lead to unexpected password incompatibilities with other systems.

The system sometimes becomes unresponsive in low-memory situations with external MD metadata

The system might periodically become unresponsive if all of the following conditions occur:

Live migration of virtual machines between hosts with different physical address sizes does not work in some cases

Live migration of a virtual machine (VM) that uses a hot-plugged CPU currently fails in some cases if the hosts have different physical address sizes. To work around this problem, do not live migrate between such hosts while using a CPU hot-plug. Alternatively, do not hot-plug a CPU to a VM that has been migrated to a host with a different physical address size.

virt-clone always shows a 100% progress bar when --nonsparse is used

Currently, when the virt-clone utility is used with the --nonparse option, the progress bar displayed in the CLI always shows 100% completion of the process. As a consequence, the user cannot see the actual progress of cloning the virtual machine.

RHEL 7 virtual machines sometimes cannot boot on and migrate to Witherspoon hosts

RHEL 7 virtual machines (VMs) that use the pseries-rhel7.6.0-sxxm machine type in some cases fail to boot on Power9 S922LC for HPC hosts (also known as Witherspoon) that use the DD2.3 CPU.

kdump does not support setting nr_cpus to 2 or higher in Hyper-V virtual machines

When using RHEL 7.8 as a guest operating system on a Microsoft Hyper-V hypervisor, the kdump kernel in some cases becomes unresponsive when the nr_cpus parameter is set to 2 or higher. To avoid this problem from occurring, do not change the default nr_cpus=1 parameter in the /etc/sysconfig/kdump file of the guest.