Chapter 8. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 9.3 that have a significant impact on users.
8.1. Installer and image creation
The installation program now correctly processes the --proxy option of the url Kickstart command
Previously, the installation program did not correctly process the --proxy option of the url Kickstart command. As a consequence, you could not use the specified proxy to fetch the installation image. With this update, the issue is fixed and the --proxy option now works as expected.
The --noverifyssl option for liveimg no longer checks the server’s certificate for images downloaded using HTTPS
Previously, the installation program ignored the --noverifyssl option of the liveimg Kickstart command. Consequently, if the server’s certificate could not be validated for images downloaded using the HTTPS protocol, the installation process failed. With this update, this issue has been fixed, and the --noverifyssl option of the liveimg Kickstart command works correctly.
Anaconda now validates LUKS passphrases for the FIPS requirements
Previously, Anaconda did not check whether the length of LUKS passphrases satisfied the FIPS requirements, even though the underlying tools performed this check. As a consequence, installing in FIPS mode with a passphrase shorter than 8 characters caused the installer to stop prematurely.
With this update, the installation program validates and enforces the minimum passphrase length. As a result, the installation program informs you if the LUKS passphrase is too short for use in FIPS mode and prevents the unexpected stop.
The new version of xfsprogs no longer shrinks the size of /boot
Previously, the xfsprogs package version 5.19 in RHEL 9.3 caused the size of /boot to shrink. As a consequence, the available space on the /boot partition differed from that in RHEL 9.2. This fix increases the /boot partition to 600 MiB for all images, instead of 500 MiB, and the /boot partition is no longer affected by space issues.
8.2. Security
OpenSSL commands cms and smime can encrypt files in FIPS mode
Previously, the default configuration of the cms and smime OpenSSL commands used legacy encryption algorithms, such as 3DES or PKCS #1 v1.5. These algorithms are disabled in FIPS mode. As a result, encrypting files by using the smime command with the default settings did not work on systems in FIPS mode. This update introduces the following changes:
- In FIPS mode, OpenSSL APIs create CMS data by using OAEP with RSA keys by default.
- In FIPS mode, the cms OpenSSL command creates CMS files encrypted with aes-128-cbc and OAEP when provided with RSA keys.
The use of ECDSA keys is unaffected. In non-FIPS mode, OpenSSL APIs and the cms command continue to use PKCS #1 v1.5 padding and 3DES encryption by default.
As a consequence, you can use the cms and smime OpenSSL commands in FIPS mode to encrypt files.
SELinux allows mail replication in Dovecot
You can configure the Dovecot high-performance mail delivery agent for high availability with two-way replication, but the SELinux policy previously did not contain rules for the dovecot-deliver utility to communicate over a pipe in the runtime file system. As a consequence, mail replication in Dovecot did not work. With this update, permissions have been added to the SELinux policy, and as a result, mail replication in Dovecot works.
Bugzilla:2170495
Booting from an NFS filesystem now works with SELinux set to enforcing mode
Previously, when using NFS as the root filesystem, SELinux labels were not forwarded from the server, causing boot failures when SELinux was set to enforcing mode.
With this update, SELinux correctly flags NFS mounts created before the initial SELinux policy load as supporting security labels. As a result, the NFS mount now forwards SELinux labels between the server and the client, and the boot can succeed with SELinux set to enforcing mode.
Bugzilla:2218207
rabbitmq no longer fails with IPv6
Previously, when you deployed the rabbitmq server with IPv6 enabled, the inet_gethost command tried to access the /proc/sys/net/ipv6/conf/all/disable_ipv6 file. Consequently, the system denied access to /proc/sys/net/ipv6/conf/all/disable_ipv6. With this update, the system can now read /proc/sys/net/ipv6/conf/all/disable_ipv6, and rabbitmq now works with IPv6.
Registration to Insights through cloud-init is no longer blocked by SELinux
Previously, the SELinux policy did not contain a rule that allows the cloud-init script to run the insights-client service. Consequently, an attempt to run the insights-client --register command by the cloud-init script failed. With this update, the missing rule has been added to the policy, and you can register to Insights through cloud-init with SELinux in enforcing mode.
Users in the staff_r SELinux role can now run scap_workbench probes
Previously, the selinux-policy packages did not contain the rules required for users in the staff_r SELinux role to run the scap-workbench utility. Consequently, scap-workbench probes failed when run by a user in the staff_r SELinux role. With this update, the missing rules have been added to selinux-policy, and SELinux users can now run scap_workbench probes.
Permissions for insights-client added to the SELinux policy
The insights-client service requires permissions that were not in the previous versions of the selinux-policy. As a consequence, some components of insights-client did not work correctly and reported access vector cache (AVC) error messages. This update adds new permissions to the SELinux policy. As a result, insights-client runs correctly without reporting AVC errors.
Jira:RHELPLAN-163014, Bugzilla:2190178, Bugzilla:2224737, Bugzilla:2207894, Bugzilla:2214581
Keylime allowlist generation script updated
The Keylime script create_allowlist.sh generates an allowlist for the Keylime policy. In RHEL 9.3, it was replaced with the create_runtime_policy.sh script, which failed when trying to convert the allowlist to the JSON runtime policy.
With this update, the script was reverted to create_allowlist.sh. Now, you can combine the allowlist and excludelist into the JSON runtime policy by using the keylime_create_policy script.
Jira:RHEL-11866
Keylime no longer requires a specific file for tls_dir = default
Previously, when the tls_dir variable was set to default in the Keylime verifier or registrar configuration, Keylime rejected custom certificate authority (CA) certificates that had a different file name than cacert.crt. With this update, the problem no longer occurs, and you can use custom CA certificate files even with the tls_dir = default setting.
Jira:RHELPLAN-157337
Environment variables can override Keylime agent options with underscores
Previously, when a Keylime agent configuration option name contained an underscore (_), overriding this option through environment variables did not work. With this update, the override through environment variables works correctly even when an option name contains an underscore.
Jira:RHEL-395
Keylime registrar correctly identifies IPv6 addresses
Previously, the Keylime registrar did not correctly recognize IPv6 addresses, and therefore failed to bind its listening port. With this update, the registrar properly identifies IPv6 addresses and, consequently, binds to its port correctly.
Jira:RHEL-392
Keylime agent correctly handles IPv6 addresses
Previously, when registering a Keylime agent by using an IPv6 address not enclosed in square brackets ([ ]), the keylime_tenant utility failed with an error. With this update, keylime_tenant handles IPv6 addresses correctly even when they are not enclosed in brackets.
Jira:RHEL-393
Keylime no longer fails measured boot attestation due to new events in QEMU VMs
An update of the edk2-ovmf package introduced a new type of event in the measured boot log for virtual systems operated by QEMU. These events caused failures in Keylime measured boot attestation. With this update, Keylime handles these events correctly.
Jira:RHEL-947
Keylime webhook notifier correctly closes TLS sessions
Previously, the Keylime webhook notifier did not correctly close TLS sessions. This caused warnings to be reported on the listener side. This update fixes this issue, and the webhook notifier now correctly closes TLS sessions.
Jira:RHEL-1252
gpg-agent now works as an SSH agent in FIPS mode
Previously, the gpg-agent tool created MD5 fingerprints when adding keys to the ssh-agent program even though FIPS mode disabled the MD5 digest. As a consequence, the ssh-add utility failed to add the keys to the authentication agent.
With this release, gpg-agent no longer uses MD5 checksums. As a result, gpg-agent now works as an SSH authentication agent also on systems running in FIPS mode.
tangd-keygen now handles non-default umask correctly
Previously, the tangd-keygen script did not change file permissions for generated key files. Consequently, on systems with a default user file-creation mode mask (umask) that prevents other users from reading the keys, the tang-show-keys command returned the error message Internal Error 500 instead of displaying the keys. With this update, tangd-keygen sets file permissions for generated key files, and therefore the script now works correctly on systems with a non-default umask.
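Added example, not part of the release notes or of the tang project: a check for key files that an older tangd-keygen left unreadable under a restrictive umask, followed by the permission fix the updated script applies itself; the /var/db/tang directory and the .jwk suffix are assumptions about the key store layout, and the demo function works on a scratch directory with a placeholder file.

```shell
#!/bin/sh
# Added example: detect Tang key files that are not readable by users
# other than their owner (the state that made tang-show-keys return
# "Internal Error 500") and apply the fix the new tangd-keygen performs.
# Assumptions: keys live in /var/db/tang and end in .jwk.

# Print the 10-character permission string of a file, e.g. -rw-r--r--,
# using ls so the check works on any POSIX system without GNU stat.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if every *.jwk in the key directory is world-readable (o+r);
# print each offending file and return 1 otherwise, or if no keys exist.
tang_keys_readable() {
    keydir=${1:-/var/db/tang}
    found=0 bad=0
    for f in "$keydir"/*.jwk; do
        [ -e "$f" ] || continue       # unmatched glob, no key files
        found=1
        # character 8 of the mode string is the "other read" bit
        case "$(mode_string "$f")" in
            ???????r??) ;;
            *) echo "not readable by other users: $f"; bad=1 ;;
        esac
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# The fix the updated tangd-keygen applies: make key files readable
# regardless of the umask that was in effect when they were generated.
tang_keys_fix_perms() {
    keydir=${1:-/var/db/tang}
    chmod 0644 "$keydir"/*.jwk
}

# Demonstration on a scratch directory: create a placeholder key file
# under umask 077, as the old script would on such a system, observe the
# failing check, then fix it. Returns 0 when the check fails before the
# fix and passes after it.
demo_umask_problem() {
    d=$(mktemp -d) || return 1
    # constructed placeholder, not a real JWK
    (umask 077; printf '{"kty":"placeholder"}\n' > "$d/sample.jwk")
    if tang_keys_readable "$d" >/dev/null; then
        rm -rf "$d"; return 1        # should not be readable yet
    fi
    tang_keys_fix_perms "$d"
    tang_keys_readable "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}
```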
fapolicyd service no longer runs programs that are removed from the trusted database
Previously, the fapolicyd service incorrectly handled a program as trusted even after it was removed from the trusted database. As a result, entering the fapolicyd-cli --update command had no effect, and the program could be executed even after being removed. With this update, the fapolicyd-cli --update command correctly updates the trusted programs database, and removed programs can no longer be executed.
fapolicyd no longer causes the system to hang after mount and umount
Previously, when the mount or umount actions were run twice followed by the fapolicyd-cli --update command, the fapolicyd service might enter an endless loop. As a result, the system stopped responding. With this update, the service runs the fapolicyd-cli --update command correctly, and the service handles any number of mount or umount actions.
Keylime now accepts concatenated PEM certificates
Previously, when Keylime received a certificate chain as multiple certificates in the PEM format concatenated in a single file, the keylime-agent-rust Keylime component produced a TLS handshake failure. As a consequence, the client components (keylime_verifier and keylime_tenant) could not connect to the Keylime agent. With this update, keylime-agent-rust correctly handles multiple certificates including intermediary CA certificates. As a result, you can now use concatenated PEM certificates with Keylime.
Jira:RHEL-396
Rsyslog can start even without capabilities
When Rsyslog is executed as a normal user or in a containerized environment, the rsyslog process has no capabilities. Consequently, Rsyslog in this scenario could not drop capabilities and exited at startup. With this update, the process no longer attempts to drop capabilities if it has no capabilities. As a result, Rsyslog can start even when it has no capabilities.
Jira:RHELPLAN-160541
io_uring now works without SELinux denials
Previously, the io_uring kernel interface lacked the map permission in the SELinux policy. Consequently, the mmap system call failed and the io_uring interface did not work properly. With this update, the map permission has been allowed in the SELinux policy and the interface now works without SELinux denials.
oscap-anaconda-addon can now harden Network Servers for CIS
Previously, installing RHEL Network Servers with a CIS security profile (cis, cis_server_l1, cis_workstation_l1, or cis_workstation_l2) was not possible with the Network Servers package group selected. This problem is fixed by excluding the tftp package in oscap-anaconda-addon-2.0.0-17.el9 provided with RHEL 9.3. As a result, you can install CIS-hardened RHEL Network Servers with the Network Servers package group.
Rules checking home directories apply only to local users
Multiple compliance profiles provided by the scap-security-guide package contain the following rules that check the correct configuration of user home directories:
- accounts_umask_interactive_users
- accounts_user_dot_group_ownership
- accounts_user_dot_user_ownership
- accounts_user_interactive_home_directory_exists
- accounts_users_home_files_groupownership
- accounts_users_home_files_ownership
- accounts_users_home_files_permissions
- file_groupownership_home_directories
- file_ownership_home_directories
- file_permissions_home_directories
These rules correctly check the configuration of local users. Previously, the scanner also incorrectly checked the configuration of remote users provided by network sources such as NSS, even though the remediation scripts could not change remote users’ configuration. This was because the OpenSCAP scanner previously used the getpwent() system call. This update changes the internal implementation of these rules to depend only on the data from the /etc/passwd file. As a result, the rules now apply only to the local users’ configuration.
Password age rules apply only to local users
Some compliance profiles, for example CIS and DISA STIG, contain the following rules checking password age and password expiration of user account passwords:
- accounts_password_set_max_life_existing
- accounts_password_set_min_life_existing
- accounts_password_set_warn_age_existing
- accounts_set_post_pw_existing
These rules correctly check the configuration of local users. Previously, the scanner also incorrectly checked the configuration of remote users provided by network sources such as NSS, even though the remediation scripts could not change remote users’ configuration. This was because the OpenSCAP scanner previously used the getpwent() system call.
This update changes the internal implementation of these rules to depend only on the data from the /etc/shadow file. As a result, the rules now apply only to the local users’ configuration.
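Added example for both the home-directory rules and the password-age rules above (not part of the release notes or of scap-security-guide): shell functions that scope the checks the way the updated rules do, reading only /etc/passwd and /etc/shadow, plus a helper that lists the accounts NSS would have added through the old getpwent() path. UID_MIN of 1000, the nologin/false shell convention and the sample account data are assumptions; the sample files are constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example: local-only scoping of SCAP user checks.
# Assumptions: UID_MIN is 1000 (RHEL default) and an interactive account
# is one whose login shell is not nologin or false.

# Print local interactive user names from a passwd-format file ($1):
# uid >= UID_MIN ($2, default 1000), not the reserved 65534 overflow uid,
# and a shell other than nologin/false. Only the file is consulted, so
# LDAP/SSSD users that NSS would return are deliberately excluded.
local_interactive_users() {
    awk -F: -v min="${2:-1000}" '
        $3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }
    ' "${1:-/etc/passwd}"
}

# Print "user:max_days" for accounts in a shadow-format file ($1) whose
# maximum password age (field 5) is unset or exceeds the limit ($2,
# default 365), i.e. what accounts_password_set_max_life_existing flags.
shadow_max_age_violations() {
    awk -F: -v limit="${2:-365}" '
        # locked ("!" / "*") or empty password fields have no password to age
        $2 ~ /^[!*]/ || $2 == "" { next }
        $5 == "" || $5 > limit { print $1 ":" ($5 == "" ? "unset" : $5) }
    ' "${1:-/etc/shadow}"
}

# Names that NSS (getent) returns but the passwd file ($1) does not:
# the remote users the old rules scanned but could never remediate.
# Prints nothing if getent is unavailable.
remote_only_users() {
    command -v getent >/dev/null 2>&1 || return 0
    nsslist=$(mktemp) || return 1
    getent passwd | cut -d: -f1 | sort > "$nsslist"
    cut -d: -f1 "${1:-/etc/passwd}" | sort | comm -23 "$nsslist" -
    rm -f "$nsslist"
}

# Constructed sample files for a stand-alone run (not real system data):
# writes $1/passwd and $1/shadow.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
svc:x:1002:1002::/var/lib/svc:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructedhash:19700:0:99999:7:::
alice:$6$constructedhash:19700:1:365:7:::
bob:$6$constructedhash:19700:1::7:::
svc:!!:19700::::::
EOF
}
```

With the sample data, `local_interactive_users` reports alice and bob, and `shadow_max_age_violations` reports root (99999 days) and bob (no maximum set); on a real host, compare the output with `remote_only_users` to see which accounts the old getpwent()-based rules would have scanned in addition.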
Red Hat CVE feeds have been updated
Version 1 of the Red Hat Common Vulnerabilities and Exposures (CVE) feeds at https://access.redhat.com/security/data/oval/ has been discontinued and replaced by version 2 of the CVE feeds located at https://access.redhat.com/security/data/oval/v2/.
Consequently, the links in SCAP source data streams provided by the scap-security-guide package have been updated to link to the new version of the Red Hat CVE feeds.
Rules related to journald configuration no longer add extra quotes
Previously, the remediation script of the SCAP Security Guide rules journald_compress, journald_forward_to_syslog, and journald_storage contained a bug that added extra quotes to the configuration options in the /etc/systemd/journald.conf configuration file. Consequently, the journald system service failed to parse the configuration options and ignored them. Therefore, the configuration options were not effective. This caused false pass results in OpenSCAP scans. With this update, the rules and remediation scripts no longer add the extra quotes. As a result, these rules now produce a valid configuration for journald.
Files under /var/lib/fdo now get the correct SELinux label
Previously, there was a security issue that allowed the FDO process to access the entire host. With this update, by using the service-info-api server with SELinux, you can add any file to send to the device under the /var/lib/fdo directory, and, as a consequence, the files under /var/lib/fdo now get the correct SELinux label.
8.3. Subscription management
subscription-manager no longer retains nonessential text in the terminal
Starting with RHEL 9.1, subscription-manager displays progress information while processing any operation. Previously, for some languages, typically non-Latin, progress messages were not cleaned up after the operation finished. With this update, all the messages are cleaned up properly when the operation finishes.
If you have disabled the progress messages before, you can re-enable them by entering the following command:
# subscription-manager config --rhsm.progress_messages=1
Bugzilla:2136694
8.4. Software management
The dnf needs-restarting -s command now correctly displays the list of systemd services
Previously, when you used the needs-restarting command with the -s or --services option, an error occurred when a non-systemd or malfunctioning process was detected. With this update, the dnf needs-restarting -s command ignores such processes and displays a warning instead, together with the list of affected systemd services.
The dnf-automatic command now correctly reports the exit status of transactions
Previously, the dnf-automatic command returned a successful exit code for a transaction even if some actions during this transaction were not successfully completed. This could cause a security risk on machines that use dnf-automatic for automatic deployment of errata. With this update, the issue has been fixed and dnf-automatic now reports every problem with packages during the transaction.
Installing packages with IMA signatures on file systems without extended file attributes no longer fails
Previously, RPM tried to apply IMA signatures to files even if they did not support these signatures. As a consequence, package installation failed. With this update, RPM skips applying IMA signatures. As a result, package installation no longer fails.
8.5. Shells and command-line tools
The rsyslog logging service now starts at boot of the rescue system
Previously, the rsyslog service for message logging did not automatically start in the rescue system. The /dev/log socket kept receiving messages during the recovery process with no service listening at this socket. Consequently, the /dev/log socket was filled with messages and caused the recovery process to become stuck. For example, the grub2-mkconfig command to regenerate the GRUB configuration produces a high number of log messages depending on the number of mounted file systems. If you used ReaR to recover systems with many mounted file systems, numerous log messages would fill the /dev/log socket, and the recovery process froze.
With this fix, the systemd units in the rescue system now include the sockets target in the boot procedure to start the logging socket at boot. As a result, the rsyslog service starts in the rescue environment when required, and the processes that need to log messages during recovery are no longer stuck. The recovery process completes successfully and you can find the log messages in the /var/log/messages file in the rescue RAM disk.
The which command no longer fails for a long path
Previously, when you executed the which command in a directory with a path longer than 256 characters, the command failed with the Can’t get current working directory error message. With this fix, the which command now uses the PATH_MAX value for the path length limit. As a result, the command no longer fails.
ReaR now supports UEFI Secure Boot with OUTPUT=USB
Previously, the OUTPUT=USB ReaR output method, which stores the rescue image on a bootable disk drive, did not respect the SECURE_BOOT_BOOTLOADER setting. Consequently, on systems with UEFI Secure Boot enabled, the disk with the rescue image would not boot because the boot loader was not signed.
With this fix, the OUTPUT=USB ReaR output method now uses the boot loader that you specify in the SECURE_BOOT_BOOTLOADER setting when creating the rescue disk. To use the signed UEFI shim boot loader, change the following setting in the /etc/rear/local.conf file:
SECURE_BOOT_BOOTLOADER=/boot/efi/EFI/redhat/shimx64.efi
As a result, the rescue disk is bootable when UEFI Secure Boot is enabled. It is safe to set the variable to this value on all systems with UEFI, even when Secure Boot is not enabled. It is even recommended for consistency. For details about the UEFI boot procedure and the shim boot loader, see UEFI: what happens when booting the system.
System recovered by ReaR no longer fails to mount all VG logical volumes
The /etc/lvm/devices/system.devices file represents the Logical Volume Manager (LVM) system devices and controls device visibility and usability to LVM. By default, the system.devices feature is enabled in RHEL 9 and, when active, it replaces the LVM device filter.
Previously, when you used ReaR to recover the system to disks with hardware IDs different from those the original system used, the recovered system did not find all LVM volumes and failed to boot. With this fix, if ReaR finds the system.devices file, ReaR moves this file to /etc/lvm/devices/system.devices.rearbak at the end of recovery. As a result, the recovered system does not use the LVM devices file to restrict device visibility and the system finds the restored volumes at boot.
Optional: If you want to restore the default behavior and regenerate the LVM devices file, use the vgimportdevices -a command after booting the recovered system and connecting all disk devices needed for normal operation, in case you disconnected any disks before the recovery process.
8.6. Networking
Intel Corporation I350 Gigabit Fiber Network Connection now provides a link after kernel update
Previously, hardware configurations with Small Form-factor Pluggable (SFP) transceiver modules without an External Thermal Sensor (ETS) caused the igb driver to erroneously initialize the Inter-Integrated Circuit (I2C) bus to read ETS. As a consequence, connections did not obtain links. With this bug fix, the igb driver only initializes I2C when an SFP with ETS is available. As a result, connections obtain links.
Bugzilla:2173594
The nm-cloud-setup service no longer removes manually-configured secondary IP addresses from interfaces
Based on the information received from the cloud environment, the nm-cloud-setup service configured network interfaces. While you had the option to disable nm-cloud-setup for manual interface configuration, certain scenarios led to conflicts. In some cases, other services on the host would independently configure interfaces, including the addition of secondary IP addresses. nm-cloud-setup incorrectly removed these secondary IP addresses when triggered again by the systemd timer unit. This update for the NetworkManager package fixes the problem. You only need to wait for the systemd timer unit to trigger nm-cloud-setup. If you do not want to wait for the timer, you can enable nm-cloud-setup manually with the following command:
# systemctl enable nm-cloud-setup.service
As a result, nm-cloud-setup no longer removes manually-configured secondary IP addresses from interfaces.
8.7. Kernel
RHEL previously failed to recognize NVMe disks when VMD was enabled
When you reset or reattached a driver, the Volume Management Device (VMD) domain previously did not soft-reset. Consequently, the hardware could not properly detect and enumerate its devices. With this update, the operating system with VMD enabled now correctly recognizes NVMe disks, especially when resetting a server or working with a virtual machine.
Bugzilla:2128610
8.8. Boot loader
GRUB now correctly handles non-debug kernel variants
Previously, in systems with multiple kernel RPMs installed, entering the dnf install kernel-$VERSION or dnf update commands set the last-installed kernel as the default kernel. This occurred, for example, in systems with the standard kernel and real-time kernel on AMD and Intel 64-bit architectures, or kernel (4k) and kernel-64k on the 64-bit ARM architecture. As a consequence, the system could boot into the unneeded kernel on future reboots. With this update, GRUB uses the DEFAULTKERNEL variable in the /etc/sysconfig/kernel configuration file, and the default kernel remains the proper variant and latest version.
For more information, see the Changing the default kernel in Red Hat Enterprise Linux 8 & 9 solution.
Bugzilla:2184069
8.9. File systems and storage
The lpfc driver is in a valid state during the D_ID port swap
Previously, after the SAN Boot host issued the NetApp giveback operation, LVM hung task warnings and stalled I/O resulted. This problem occurred even when alternate paths were available in a DM-Multipath environment, due to the Fibre Channel D_ID port swap. As a consequence of the race condition, the D_ID port swap resulted in an inconsistent state in the lpfc driver, which prevented I/O from being issued.
With this fix, the lpfc driver now ensures a valid state when the D_ID port swap occurs. As a result, a Fibre Channel D_ID port swap does not cause hung I/O.
Bugzilla:2173947
multipathd adds the persistent reservation registration key to all paths
Previously, when the multipathd daemon started and recognized a registration key for the persistent reservations on one path of an existing multipath device, not all paths of that device had the registration key. As a consequence, if new paths to a multipath device with persistent reservations appeared while multipathd was stopped, persistent reservations were not set up on those paths. This allowed I/O processing on the paths, even if they were supposed to be forbidden by the reservation key.
With this fix, if multipathd finds a persistent reservation registration key on any device path, it adds the key to all active paths. As a result, multipath devices now have persistent reservations set up correctly on all the paths, even if path devices first appear while multipathd is not running.
LUNs are now visible during the operating system installation
Previously, the system was not using the authentication information from firmware sources, specifically in cases involving iSCSI hardware offload with CHAP (Challenge-Handshake Authentication Protocol) authentication stored in the iSCSI iBFT (Boot Firmware Table). As a consequence, the iSCSI login failed during installation.
With the fix for firmware authentication in udisks2-2.9.4-9.el9, this issue is now resolved and LUNs are visible during the installation and initial boot.
Bugzilla:2213769
System boots correctly when adding an NVMe-FC device as a mount point in /etc/fstab
Previously, due to a known issue in the nvme-cli nvmf-autoconnect systemd services, systems failed to boot when adding Non-volatile Memory Express over Fibre Channel (NVMe-FC) devices as a mount point in the /etc/fstab file. Consequently, the system entered emergency mode. With this update, a system boots without any issue when mounting an NVMe-FC device.
Jira:RHEL-8171
8.10. High availability and clusters
The pcs config checkpoint diff command now works correctly for all configuration sections
As of the RHEL 9.0 release, the pcs config checkpoint diff command had stopped showing the differences for the following configuration sections: Fencing Levels, Ordering Constraints, Colocation Constraints, Ticket Constraints, Resources Defaults, and Operations Defaults. As of the RHEL 9.1 release, the pcs config checkpoint diff command had stopped showing the differences for the Resources and Stonith devices configuration sections. This is because, as the code responsible for displaying each of the different configuration sections switched to a new mechanism for loading CIB files, the loaded content was cached. The second file used for the difference comparison was not loaded and the cached content of the first file was used instead. As a result, the diff command yielded no output. With this fix, the CIB file content is no longer cached and the pcs config checkpoint diff command shows differences for all configuration sections.
pcsd Web UI now displays cluster status when fence levels are configured
Previously, the pcsd Web UI did not display cluster status when fence levels were configured. With this fix, you can now view the cluster status and change the cluster settings with the Web UI when fence levels are configured.
A fence watchdog configured as a second fencing device now fences a node when the first device times out
Previously, when a watchdog fencing device was configured as the second device in a fencing topology, the watchdog timeout was not considered when calculating the timeout for the fencing operation. As a result, if the first device timed out, the fencing operation would time out even though the watchdog would fence the node. With this fix, the watchdog timeout is included in the fencing operation timeout, and the fencing operation succeeds if the first device times out.
Location constraints with rules no longer displayed when listing is grouped by nodes
Location constraints with rules cannot have a node assigned. Previously, when you grouped the listing by nodes, location constraints with rules were displayed under an empty node. With this fix, the location constraints with rules are no longer displayed and a warning is given indicating that constraints with rules are not displayed.
pcs command to update multipath SCSI devices now works correctly
Due to changes in the Pacemaker CIB file, the pcs stonith update-scsi-devices command stopped working as designed, causing an unwanted restart of some cluster resources. With this fix, this command works correctly and updates SCSI devices without requiring a restart of other cluster resources running on the same node.
Memory footprint of pcsd-ruby daemon now reduced when pcsd Web UI is open
Previously, when the pcsd Web UI was open, memory usage of the pcsd-ruby daemon increased steadily over the course of several hours. With this fix, the web server that runs in the pcsd-ruby daemon now periodically performs a graceful restart. This frees the allocated memory and reduces the memory footprint.
Bugzilla:1860626
The azure-events-az resource agent no longer produces an error with Pacemaker 2.1 and later
The azure-events-az resource agent executes the crm_simulate -Ls command and parses the output. With Pacemaker 2.1 and later, the output of the crm_simulate command no longer contains the text Transition Summary:, which resulted in an error. With this fix, the agent no longer yields an error when this text is missing.
The mysql resource agent now works correctly with promotable clone resources
Previously, the mysql resource agent moved cloned resources that were operating in a Promoted role between nodes, due to promotion scores changing between promoted and non-promoted values. With this fix, a node in a Promoted role remains in a Promoted role.
Bugzilla:2179003
The fence_scsi agent is now able to auto-detect shared lvmlockd devices
Previously, the fence_scsi agent did not auto-detect shared lvmlockd devices. With this update, fence_scsi is able to auto-detect lvmlockd devices when the devices attribute is not set.
8.11. Compilers and development tools
The glibc system() function now restores the previous signal mask unconditionally
Previously, if the glibc system() function was called concurrently from multiple threads, the signal mask for the SIGCHLD signal might not be restored correctly. As a consequence, the SIGCHLD signal remained blocked after the return from the glibc system() function on some threads.
With this update, the glibc system() function now restores the previous signal mask unconditionally, even when parallel system() function calls are running. As a result, the SIGCHLD signal is no longer incorrectly blocked if the glibc system() function is called concurrently from multiple threads.
eu-addr2line -C
now correctly recognizes other arguments
Previously, when you used the -C
argument in eu-addr2line
command from elfutils
, the following single character argument disappeared. Consequently, the eu-addr2line -Ci
command behaved the same way as eu-addr2line -C
while eu-addr2line -iC
worked as expected. This bug has been fixed, and eu-addr2line -Ci
now recognizes both arguments.
eu-addr2line -i now correctly handles code compiled with GCC link-time optimization
Previously, the dwarf_getscopes function from the libdw library included in elfutils was unable to find an abstract origin definition of a function that was compiled with GCC link-time optimization. Consequently, when you used the -i argument in the eu-addr2line command, eu-addr2line was unable to show inline functions for code compiled with gcc -flto. With this update, the libdw dwarf_getscopes function looks in the correct compile unit for the inlined scope, and eu-addr2line -i works as expected.
Programs using papi no longer stop when shutting down
Previously, papi initialized threads before papi initialized some components. Because of this, entries for certain components describing the number of elements in arrays were not set to correct values and zero-sized memory allocations were attempted. As a consequence, later accesses and frees of those zero-sized memory allocations caused the programs to stop.
The bug has been fixed and programs using papi no longer stop when shutting down.
The OpenJDK XML signature provider is now functional in FIPS mode
Previously, the OpenJDK XML signature provider was unable to operate in FIPS mode. As a result of enhancements to FIPS mode support, the OpenJDK XML signature provider is now enabled in FIPS mode.
8.12. Identity Management
Paged searches from a regular user now do not impact performance
Previously, when Directory Server was under search load, paged searches from a regular user could impact the server performance because a lock conflicted with the thread that polls for network events. In addition, if a network issue occurred while sending the paged search, the whole server was unresponsive until the nsslapd-iotimeout parameter expired. With this update, the lock was split into several parts to avoid contention with the network events. As a result, paged searches from a regular user no longer impact performance.
Schema replication now works correctly in Directory Server
Previously, when Directory Server replicated a schema to a new server, it added all the schema to the 99user.ldif file on the remote replica. It seemed that all of it was custom schema because the X-ORIGIN keyword was set to user defined for all definitions. As a result, it could cause issues with the web console and possibly for customers who monitor the schema and expect the X-ORIGIN keyword to have specific values. With this update, schema replication works as expected.
Referral mode is now working correctly in Directory Server
Previously, the CLI set the nsslapd-referral configuration attribute on the backend and not on the mapping tree. As a result, referral mode did not work. With this update, the nsslapd-referral attribute is set correctly and referral mode works as expected.
The LMDB import now works faster
Previously, to build the entryrdn index, LMDB import worker threads waited for other worker threads to ensure that the parent entry was processed. This generated lock contention that drastically slowed the import. With this update, the LDIF import over the LMDB database was redesigned: the provider thread stores the data about the entry RDN and its parents in a temporary database that the worker thread uses to build the entryrdn index. As a result, worker thread synchronization is no longer needed and the average import rate is better.
Note that the LMDB import still has an import rate three times slower than the BDB import because LMDB does not support concurrent write transactions.
The dirsrv service now starts correctly after reboot
Previously, the dirsrv service could fail to start after reboot because the dirsrv service did not explicitly wait for systemd-tmpfiles-setup.service to finish. This led to a race condition. With this update, the dirsrv service waits for systemd-tmpfiles-setup.service to finish and no longer fails to start after reboot.
Changing a security parameter now works correctly
Previously, when you changed a security parameter by using the dsconf instance_name security set command, the operation failed with the error:
Name 'log' is not defined
With this update, the security parameter change works as expected.
SSSD now uses sAMAccountName when evaluating GPO-based access control
Previously, if ldap_user_name was set to a value other than sAMAccountName on an AD client, GPO-based access control failed. With this update, SSSD now always uses sAMAccountName when evaluating GPO-based access control. Even if ldap_user_name is set to a value different from sAMAccountName on an AD client, GPO-based access control now works correctly.
SSSD now handles duplicate attributes in the user_attributes option when retrieving users
Previously, if sssd.conf contained duplicate attributes in the user_attributes option, SSSD did not handle these duplicates correctly. As a consequence, users with those attributes could not be retrieved. With this update, SSSD now handles duplicates correctly. As a result, users with duplicate attributes can now be retrieved.
The dynamic Kerberos PAC ticket signature enforcement mechanism now fixes cross-version incompatibility in IdM
Previously, if your Identity Management (IdM) deployment featured servers running on both RHEL 9 and RHEL 8, the incompatibility caused by the upstream implementation of the Privilege Attribute Certificate (PAC) ticket signature support caused certain operations to fail. With this update, the implementation of the dynamic ticket signature enforcement mechanism feature in RHEL 9 fixes this cross-version incompatibility. For this feature to actually take effect, you must:
- Update all the servers in the domain.
- Restart all the IdM Kerberos Distribution Center (KDC) services.
The order of these two actions is important. When starting, the KDCs query the metadata of all the other servers in the domain to check if they all support the PAC ticket signature. If this is not the case, the signature will not be enforced.
For more information about the dynamic Kerberos PAC ticket signature enforcement mechanism, including an example of a constrained delegation request, see this Knowledgebase article.
Jira:RHELDOCS-17011[1], Bugzilla:2182683, Bugzilla:2178298
SHA-1 signature verification can now be allowed in FIPS mode
Previously, it was not possible to allow the use of SHA-1 signature verification when Identity Management (IdM) was in FIPS mode. This is because IdM uses the FIPS-140-3 standard, which does not allow SHA-1 signatures. This situation caused problems with Active Directory (AD) interoperability, because AD only complies with the older FIPS-140-2 standard and therefore requires SHA-1 signatures.
This update introduces a FIPS exception for PKINIT signature verification. When FIPS mode is enabled in IdM, its restrictions are ignored. Only default mode restrictions are applied, allowing the use of the SHA1 crypto module even when in FIPS mode. As a result, AD interoperability in FIPS mode works as intended.
In the scenario of an IdM/AD trust, or using a RHEL 9.2 or later host as an AD client, you need to set the crypto policy to FIPS:AD-SUPPORT:SHA1 to support PKINIT while in FIPS mode.
Deleting the IdM admin user is now no longer permitted
Previously, nothing prevented you from deleting the Identity Management (IdM) admin user if you were a member of the admins group. The absence of the admin user causes the trust between IdM and Active Directory (AD) to stop functioning correctly. With this update, you can no longer delete the admin user. As a result, the IdM-AD trust works correctly.
ipa-kdb no longer causes krb5kdc to fail
Previously, the ipa-kdb driver did not differentiate between the absence of a server host object and a connection failure. Consequently, the krb5kdc server sometimes stopped unexpectedly because of a NULL LDAP context produced by a connection issue with the LDAP server.
With this update, the ipa-kdb driver correctly identifies connection failures and differentiates between them and the absence of a server host object. As a result, the krb5kdc server does not fail anymore.
The IdM client installer no longer specifies the TLS CA configuration in the ldap.conf file
Previously, the IdM client installer specified the TLS CA configuration in the ldap.conf file. With this update, OpenLDAP uses the default truststore and the IdM client installer does not set up the TLS CA configuration in the ldap.conf file.
IdM clients correctly retrieve information for trusted AD users when their names contain mixed case characters
Previously, if you attempted a user lookup or authentication of a user, and that trusted Active Directory (AD) user contained mixed case characters in their names and they were configured with overrides in IdM, an error was returned preventing users from accessing IdM resources.
With the release of RHBA-2023:4359, the case-sensitive comparison is replaced with a case-insensitive comparison that ignores the case of a character. As a result, IdM clients can now look up users of an AD trusted domain, even if their usernames contain mixed case characters and they are configured with overrides in IdM.
Jira:SSSD-6096
8.13. The web console
The web console NBDE binding steps now work also on volume groups with a root file system
In RHEL 9.2, due to a bug in the code for determining whether or not the user was adding a Tang key to the root file system, the binding process in the web console crashed when there was no file system on the LUKS container at all. Because the web console displayed the error message TypeError: Qe(…) is undefined after you had clicked the Trust key button in the Verify key dialog, you had to perform all the required steps in the command-line interface in the described scenario.
With this update, the web console correctly handles additions of Tang keys to root file systems. As a result, the web console finishes all binding steps required for the automated unlocking of LUKS-encrypted volumes using Network-Bound Disk Encryption (NBDE) in various scenarios.
VNC console now works at most resolutions
Previously, when using the Virtual Network Computing (VNC) console under certain display resolutions, a mouse offset problem was present or only a part of the interface was visible. Consequently, using the VNC console was not possible.
With this update, the problem has been fixed and the VNC console works correctly at most resolutions, with the exception of ultra high resolutions, such as 3840x2160.
Note that a small offset between the recorded and displayed positions of the cursor might still be present. However, this does not significantly impact the usability of the VNC console.
8.14. Red Hat Enterprise Linux System roles
The storage role can now resize the mounted file systems without unmounting
Previously, the storage role was unable to resize mounted devices, even if the file system supported online resizing. As a consequence, the storage role unmounted all file systems before resizing, which failed for file systems that were in use, for example, while resizing the / directory of the running system.
With this update, the storage role now supports resizing mounted file systems that support online resizing, such as XFS and Ext4. As a result, the mounted file systems can now be resized without unmounting them.
The podman_registries_conf variable now configures the unqualified-search-registries field correctly
Previously, after configuring the podman_registries_conf variable, the podman RHEL system role failed. Consequently, the unqualified-search-registries = ["registry.access.redhat.com"] setting was not generated in the /etc/containers/registries.conf.d/50-systemroles.conf file. With this update, this problem has been fixed.
The kdump role adds authorized_keys idempotently
Previously, the task to add authorized_key added an extra newline character every time. Consequently, the role was not idempotent. With this fix, adding a new authorized_key works correctly and adds only a single key value idempotently.
The kdump system role does not fail if kdump_authorized_keys is missing
Previously, the kdump system role failed to add SSH authorized keys if the user defined in the kdump_ssh_user variable did not have access to the .ssh directory in the home directory or an empty .ssh/authorized_keys file. With this fix, the kdump system role now correctly adds authorized keys to the SSH configuration. As a result, the key based authentication works reliably in the described scenario.
Failure to remove data from member disks before creation no longer persists
Previously, when creating RAID volumes, the system did not effectively eliminate existing data from member disks before forming the RAID volume. With this update, RAID volumes remove any pre-existing data from member disks as needed.
Running the firewall RHEL system role in check mode with non-existent services no longer fails
Previously, running the firewall role in check mode with non-existent services would fail. This fix implements better compliance with Ansible best practices for check mode. As a result, non-existent services being enabled or disabled no longer fails the role in check mode. Instead, a warning prompts you to confirm that the service is defined in a previous playbook.
The firewall RHEL system role on RHEL 7 no longer attempts to install non-existent Python packages
Previously, when the firewall role on RHEL 7 was called from another role, and that role was using python3, the firewall role attempted to install the python3-firewall library for that version of Python. However, that library is not available in RHEL 7. Consequently, the python3-firewall library was not found, and you received the following error message:
No package matching 'python3-firewall' found available, installed or updated
With this update, the firewall role does not attempt to install the python-firewall or python3-firewall library. As a result, the firewall role does not fail on RHEL 7 when python3 is installed on the managed node.
kdump RHEL system role updates
The kdump RHEL system role has been updated to a newer version, which brings the following notable enhancements:
- After installing kexec-tools, the utility suite no longer generates the /etc/sysconfig/kdump file because you do not need to manage this file anymore.
- The role supports the auto_reset_crashkernel and dracut_args variables.
For more details, see resources in the /usr/share/doc/rhel-system-roles/kdump/ directory.
Insights tags created by using the rhc role are now applied correctly
Previously, when you created Insights tags by using the rhc role, tags were not stored in the correct file. Consequently, tags were not sent to Insights and as a result they were not applied to the systems in the Insights inventory.
With this fix, tags are stored correctly and applied to the systems present in the Insights inventory.
raid_chunk_size parameter no longer returns an error message
Previously, the raid_chunk_size attribute was not allowed for RAID pools and volumes. With this update, you can now configure the raid_chunk_size attribute for RAID pools and volumes without encountering any restrictions.
The certificate RHEL system role now checks for the certificate key size when determining whether to perform a new certificate request
Previously, the certificate RHEL system role did not check the key size of a certificate when evaluating whether to request a new certificate. As a consequence, the role sometimes did not issue new certificate requests in cases where it should. With this update, certificate now checks the key_size parameter to determine if a new certificate request should be performed.
The kdump role adds multiple keys to authorized_keys idempotently
Previously, adding multiple SSH keys to the authorized_keys file at the same time replaced the key value of one host by another. This update fixes the problem by using the lineinfile module to manage the authorized_keys file. lineinfile iterates the tasks in sequence, checking for an existing key and writing the new key in one atomic operation on a single host at one time. As a result, adding SSH keys on multiple hosts works correctly, and does not replace the key value from another host.
Note: Use the serial: 1 play serial keyword at play level to control the number of hosts executing at one time.
Jira:RHEL-1499[1]
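The two kdump authorized_keys items above (the extra newline on every run, and one host's key replacing another's) describe the same underlying requirement: an idempotent key writer. The following is an added example that models that behaviour in plain Python; it is not the kdump role's code and does not use Ansible's lineinfile. A key is appended only when its key material (type and base64 blob) is not already present, the file always ends with exactly one newline, and keys from several hosts accumulate instead of overwriting each other. The key strings below are constructed placeholders, not real public keys.

```python
"""Idempotent authorized_keys updates (added example, not the kdump role's code)."""
import tempfile
from pathlib import Path

# Constructed sample keys with placeholder blobs (not valid key material).
KEY_HOST_A = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEHOSTAKEY0001 kdump@host-a"
KEY_HOST_B = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEHOSTBKEY0002 kdump@host-b"


def key_material(line: str):
    """Return (type, blob) for an authorized_keys line, or None for comments/blank lines.

    The trailing comment is ignored on purpose: the same key with a different
    comment is still the same key and must not be added twice.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    # A leading options field (e.g. command="...") may precede the key type.
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            return (field, fields[i + 1])
    return None


def add_authorized_key(path: Path, key_line: str) -> bool:
    """Append key_line if its key material is absent. Return True only if the file changed."""
    new = key_material(key_line)
    if new is None:
        raise ValueError("not a public key line")
    existing = path.read_text() if path.exists() else ""
    present = {key_material(line) for line in existing.splitlines()}
    if new in present:
        return False  # already there: no write, no spurious newline
    body = existing
    if body and not body.endswith("\n"):
        body += "\n"  # repair a file whose last line lacks a newline
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body + key_line.strip() + "\n")
    return True


def run_demo() -> dict:
    """Apply the same keys repeatedly in a temporary directory and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        auth = Path(tmp) / ".ssh" / "authorized_keys"
        changes = [
            add_authorized_key(auth, KEY_HOST_A),
            add_authorized_key(auth, KEY_HOST_A),                      # rerun: must be a no-op
            add_authorized_key(auth, KEY_HOST_B),                      # second host: added, not replaced
            add_authorized_key(auth, KEY_HOST_A + " renamed-comment"),  # same key, new comment: no-op
        ]
        content = auth.read_text()
        return {"changes": changes, "lines": content.count("\n"), "content": content}


if __name__ == "__main__":
    print(run_demo())
```

Because the decision is made on the key material rather than on the whole line, a playbook that re-runs with a different comment string still reports "unchanged", which is the property a check-mode run relies on.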
The kdump role successfully updates .ssh/authorized_keys for kdump_ssh_server authentication
Previously, the .ssh directory was not accessible by the kdump role to securely authenticate users to log into kdump_ssh_server. As a consequence, the kdump role did not update the .ssh/authorized_keys file and the SSH mechanism to verify the kdump_ssh_server failed. This update fixes the problem. As a result, the kdump_ssh_user authentication on kdump_ssh_server works reliably.
Jira:RHEL-1397[1]
Enabling kdump for system role requires using the failure_action configuration parameter on RHEL 9 and later versions
Previously, using the default option during kdump configuration was not successful and printed the following warning in logs:
kdump: warning: option 'default' was renamed 'failure_action' and will be removed in the future. please update /etc/kdump.conf to use option 'failure_action' instead.
Consequently, the role did not enable kdump successfully if the default option was used. This update fixes the problem and you can configure kernel dump parameters on multiple systems by using the failure_action parameter. As a result, enabling kdump works successfully in the described scenario.
Jira:RHEL-906[1]
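A small migration helper for the rename described above, added here as an example and not part of the kdump role: it scans kdump.conf text, rewrites a default <action> line to failure_action <action>, validates the action against the values kdump.conf accepts (reboot, halt, poweroff, shell, dump_to_rootfs), and flags a file that carries both spellings with different values, which would otherwise leave the effective behaviour ambiguous. The sample configuration is constructed.

```python
"""Rename the deprecated 'default' kdump.conf directive to 'failure_action'.

Added example, not the kdump role's own code.
"""
VALID_ACTIONS = {"reboot", "halt", "poweroff", "shell", "dump_to_rootfs"}

# Constructed sample kdump.conf still using the old directive name.
SAMPLE_KDUMP_CONF = """\
# constructed sample kdump.conf
path /var/crash
core_collector makedumpfile -l --message-level 1 -d 31
default reboot
"""


def migrate_failure_action(text: str) -> tuple[str, list[str]]:
    """Return (migrated_text, notes). Lines other than the two directives are left untouched."""
    out: list[str] = []
    notes: list[str] = []
    values: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("default", "failure_action"):
            key, action = parts
            if action not in VALID_ACTIONS:
                notes.append(f"line {lineno}: unknown action {action!r}")
            if key == "default":
                notes.append(f"line {lineno}: renamed 'default {action}' to 'failure_action {action}'")
                key = "failure_action"
            # Both spellings with different values: report instead of silently picking one.
            if values.get(key, action) != action:
                notes.append(f"line {lineno}: conflicting failure_action values {values[key]!r} and {action!r}")
            values[key] = action
            out.append(f"{key} {action}")
        else:
            out.append(line)
    return "\n".join(out) + "\n", notes


if __name__ == "__main__":
    migrated, notes = migrate_failure_action(SAMPLE_KDUMP_CONF)
    print(migrated)
    for note in notes:
        print("note:", note)
```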
The previous: replaced parameter of the firewall system role now overrides the previous configuration without deleting it
Previously, if you added the previous: replaced parameter to the variable list, the firewall system role removed all existing user-defined settings and reset firewalld to the default settings. This fix uses the fallback configuration in firewalld, which was introduced in the EL7 release, to retain the previous configuration. As a result, when you use the previous: replaced parameter in the variable list, the firewall.conf configuration file is not deleted on reset, but the file and comments in the file are retained.
Jira:RHEL-1495[1]
The firewall RHEL system role correctly reports changes when using previous: replaced in check mode
Previously, the firewall role was not checking whether any files would be changed when using the previous: replaced parameter in check mode. As a consequence, the role gave an error about undefined variables. This fix adds new check variables to the check mode to assess whether any files would be changed by the previous: replaced parameter. The check for the firewalld.conf file assesses the rpm database to determine whether the file has been changed from the version shipped in the package. As a result, the firewall role now correctly reports changes when using the previous: replaced parameter.
Jira:RHEL-898[1]
The firewall RHEL system role correctly reports changes when assigning zones to Network Manager interfaces
Previously, the Network Manager interface assignment reported changes when no changes were present. With this fix, the try_set_zone_of_interface module in the file library/firewall_lib.py returns a second value, which denotes whether the interface’s zone was changed. As a result, the module now correctly reports changes when assigning zones to interfaces handled by Network Manager.
Jira:RHEL-885[1]
The rhc system role no longer fails on the registered systems when rhc_auth contains activation keys
Previously, a failure occurred when you executed playbook files on the registered systems with the activation key specified in the rhc_auth parameter. This issue has been resolved. It is now possible to execute playbook files on the already registered systems, even when activation keys are provided in the rhc_auth parameter.
8.15. Virtualization
The NVIDIA graphics device continues working after VM shutdown
Previously, in the RHEL kernel, device power transition delays were more closely aligned to those required by the PCIe specification. As a consequence, some NVIDIA GPUs could become unresponsive when used for device assignment after a shutdown of the attached VM. This update extends the device power transition delay for NVIDIA audio device functions. As a result, NVIDIA GPUs continue to work correctly in this scenario.
Bugzilla:2178956[1]
Failover virtio NICs are now correctly assigned an IP address on Windows virtual machines
Previously, when starting a Windows virtual machine (VM) with only a failover virtio NIC, the VM failed to assign an IP address to the NIC. Consequently, the NIC was unable to set up a network connection. This problem has been fixed and VM NICs now set up network connections as expected in the described scenario.
The installer shows the expected system disk to install RHEL on VM
Previously, when installing RHEL on a VM using virtio-scsi devices, it was possible that these devices did not appear in the installer because of a device-mapper-multipath bug. Consequently, during installation, if some devices had a serial set and some did not, the multipath command was claiming all the devices that had a serial. Due to this, the installer was unable to find the expected system disk to install RHEL in the VM.
With this update, multipath correctly sets the devices with no serial as having no World Wide Identifier (WWID) and ignores them. On installation, multipath only claims devices that multipathd uses to bind a multipath device, and the installer shows the expected system disk to install RHEL in the VM.
Bugzilla:1926147[1]
Broadcom network adapters now work correctly on Windows VMs after a live migration
Previously, network adapters from the Broadcom family of devices, such as Broadcom, Qlogic, or Marvell, could not be hot-unplugged during live migration of Windows virtual machines (VMs). As a consequence, the adapters worked incorrectly after the migration was complete. This problem affected only adapters that were attached to Windows VMs using Single-root I/O virtualization (SR-IOV). With this update, the underlying code has been fixed and the problem no longer occurs.
Jira:RHEL-910, Bugzilla:2091528, Bugzilla:2111319
nodedev-dumpxml lists attributes correctly for certain mediated devices
Before this update, the nodedev-dumpxml utility did not list attributes correctly for mediated devices that were created using the nodedev-create command. This has been fixed, and nodedev-dumpxml now displays the attributes of the affected mediated devices properly.
virtiofs devices could not be attached after restarting virtqemud or libvirtd
Previously, restarting the virtqemud or libvirtd services prevented virtiofs storage devices from being attached to virtual machines (VMs) on your host. This bug has been fixed, and you can now attach virtiofs devices in the described scenario as expected.
Hot plugging a Watchdog card to a virtual machine no longer fails
Previously, if no PCI slots were available, adding a Watchdog card to a running virtual machine (VM) failed with the following error:
Failed to configure watchdog ERROR Error attempting device hotplug: internal error: No more available PCI slots
With this update, the problem has been fixed and adding a Watchdog card to a running VM now works as expected.
blob resources do not work correctly for virtio-gpu on IBM Z
The virtio-gpu device is currently not compatible with blob memory resources on IBM Z systems. As a consequence, if you configure a virtual machine (VM) with virtio-gpu on an IBM Z host to use blob resources, the VM does not have any graphical output.