Chapter 8. Known Issues

Potential risk when using the default value for ldap_id_use_start_tls option

When using ldap:// without TLS for identity lookups, it can pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.

GCC thread sanitizer included in RHEL no longer works

Due to incompatible changes in kernel memory mapping, the thread sanitizer included with the GNU C Compiler (GCC) compiler version in RHEL no longer works. Additionally, the thread sanitizer cannot be adapted to the incompatible memory layout. As a result, it is no longer possible to use the GCC thread sanitizer included with RHEL.

The radeon driver fails to reset hardware correctly in the kexec context

When booting a kernel from the currently running kernel, such as when performing the kdump process, the radeon kernel driver currently does not properly reset hardware. Instead, radeon terminates unexpectedly, which causes the rest of the kdump service to fail.

System boot might fail due to persistent memory file systems

Systems with a large amount of persistent memory take a long time to boot. If the /etc/fstab file configures persistent memory file systems, the system might time out waiting for the devices to become available. The boot process then fails and presents the user with an emergency prompt.

RHEL 7.7 and later installations add spectre_v2=retpoline to Intel Cascade Lake systems 

RHEL 7.7 and later installations add the spectre_v2=retpoline kernel parameter to Intel Cascade Lake systems, and as a consequence, system performance is affected. To work around this problem and ensure the best performance, complete the following steps.

iSCSI installation failing with Emulex OneConnect card

After connecting an Emulex OneConnect card and configuring it for iSCSI boot, when you start the RHEL installation, the Anaconda installer returns an exception and the installation terminates unexpectedly.

The system boot sometimes fails on large systems

During the boot process, the udev device manager sometimes generates too many rules on large systems. For example, the problem has manifested on a system with 32 TB of memory and 192 CPUs. As a consequence, the boot process becomes unresponsive or times out and switches to the emergency shell.

The mirror segment type causes system deadlock in stacked configurations

The usage of the mirror segment type and putting any logical volumes on top of it causes system deadlock in stacked configurations. To work around this problem, Red Hat recommends using RAID 1 logical volumes with segment type raid1.

The zlib compression format may slow down a vmcore capture

The kdump configuration file uses the lzo compression format (makedumpfile -l) by default. Modification of the configuration file to use the zlib compression format (makedumpfile -c) is likely to bring a better compression factor at the expense of slowing down the vmcore capture process. As a consequence, it may take kdump approximately 4 times longer to capture a vmcore when zlib is used as compared to lzo. As a result, Red Hat recommends that you use the default lzo for cases where speed is the main driving factor. However, if the target machine is low on available space, zlib is a better option.

Intel network device that uses the ice driver does not pass traffic when using bridge-over-VLAN topology

Ethernet devices do not transmit Internet Control Message Protocol (ICMP) echo request and reply traffic if all of the following conditions meet:

Verification of signatures using the MD5 hash algorithm is disabled in Red Hat Enterprise Linux 7

It is impossible to connect to any Wi-Fi Protected Access (WPA) Enterprise Access Point (AP) that requires MD5 signed certificates. To work around this problem, copy the wpa_supplicant.service file from the /usr/lib/systemd/system/ directory to the /etc/systemd/system/ directory and add the following line to the Service section of the file:

bind-utils DNS lookup utilities support fewer search domains than glibc

The dig, host, and nslookup DNS lookup utilities from the bind-utils package support only up to 8 search domains, while the glibc resolver in the system supports any number of search domains. As a consequence, the DNS lookup utilities may get different results than applications when a search in the /etc/resolv.conf file contains more than 8 domains.

Auditd server does not start on remote logging servers using KRB5 peer authentication

The SELinux policy does not contain the auditd_tmp_t file type for the temporary directories and files created by processes running under auditd_t SELinux type. This prevents starting the auditd service on a server when KRB5 peer authentication is used for remote logging.

Audit executable watches on symlinks do not work

File monitoring provided by the -w option cannot directly track a path. It has to resolve the path to a device and an inode to make a comparison with the executed program. A watch monitoring an executable symlink monitors the device and an inode of the symlink itself instead of the program executed in memory, which is found from the resolution of the symlink. Even if the watch resolves the symlink to get the resulting executable program, the rule triggers on any multi-call binary called from a different symlink. This results in flooding logs with false positives. Consequently, Audit executable watches on symlinks do not work.

Upgrade to RHEL 7.8 fails when mariadb-test or postgresql-docs are installed on Workstation

The mariadb-test and postgresql-docs packages have been moved to the Workstation Optional repository. Consequently, if these packages are installed, it is impossible to update a system with a Workstation variant to RHEL 7.8. To work around this problem, uninstall mariadb-test and postgresql-docs prior to upgrading to RHEL 7.8.

FreeRADIUS silently truncates Tunnel-Passwords longer than 249 characters

If a Tunnel-Password is longer than 249 characters, the FreeRADIUS service silently truncates it. This may lead to unexpected password incompatibilities with other systems.

The system sometimes becomes unresponsive in low-memory situations with external MD metadata

The system might periodically become unresponsive if all of the following conditions occur:

Live migration of virtual machines between hosts with different physical address sizes does not work in some cases

Live migration of a virtual machine (VM) that uses a hot-plugged CPU currently fails in some cases if the hosts have different physical address sizes. To work around this problem, do not live migrate between such hosts while using a CPU hot-plug. Alternatively, do not hot-plug a CPU to a VM that has been migrated to a host with a different physical address size.

virt-clone always shows a 100% progress bar when --nonsparse is used

Currently, when the virt-clone utility is used with the --nonparse option, the progress bar displayed in the CLI always shows 100% completion of the process. As a consequence, the user cannot see the actual progress of cloning the virtual machine.

RHEL 7 virtual machines sometimes cannot boot on and migrate to Witherspoon hosts

RHEL 7 virtual machines (VMs) that use the pseries-rhel7.6.0-sxxm machine type in some cases fail to boot on Power9 S922LC for HPC hosts (also known as Witherspoon) that use the DD2.3 CPU.

kdump does not support setting nr_cpus to 2 or higher in Hyper-V virtual machines

When using RHEL 7.8 as a guest operating system on a Microsoft Hyper-V hypervisor, the kdump kernel in some cases becomes unresponsive when the nr_cpus parameter is set to 2 or higher. To avoid this problem from occurring, do not change the default nr_cpus=1 parameter in the /etc/sysconfig/kdump file of the guest.