Chapter 5. RHEL 8.3.0 release
5.1. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.3.
5.1.1. Installer and image creation
Anaconda rebased to version 33.16
With this release, Anaconda has been rebased to version 33.16. This version provides the following notable enhancements over the previous version.
- The Installation Program now displays static IPv6 addresses on multiple lines and no longer resizes the windows.
- The Installation Program now displays supported NVDIMM device sector sizes.
- Host name is now configured correctly on an installed system having IPv6 static configuration.
- You can now use non-ASCII characters in disk encryption passphrase.
- The Installation Program displays a proper recommendation to create a new file system on /boot, /tmp, and all /var and /usr mount points except /usr/local and /var/www.
- The Installation Program now correctly checks the keyboard layout and does not change the status of the Keyboard Layout screen when the keyboard keys (ALT+SHIFT) are used to switch between different layouts and languages.
- Rescue mode no longer fails on systems with existing RAID1 partitions.
- Changing of the LUKS version of the container is now available in the Manual Partitioning screen.
- The Installation Program successfully finishes the installation without the btrfs-progs package.
- The Installation Program now uses the default LUKS2 version for an encrypted container.
- The Installation Program no longer crashes when a Kickstart file places physical volumes (PVs) of a Logical volume group (VG) on an ignoredisk list.
- Introduces a new mount path /mnt/sysroot for system root. This path is used to mount / of the target system. Usually, the physical root and the system root are the same, so /mnt/sysroot is attached to the same file system as /mnt/sysimage. The only exceptions are rpm-ostree systems, where the system root changes based on the deployment. Then, /mnt/sysroot is attached to a subdirectory of /mnt/sysimage. It is recommended to use /mnt/sysroot for chroot.
(BZ#1691319, BZ#1679893, BZ#1684045, BZ#1688478, BZ#1700450, BZ#1720145, BZ#1723888, BZ#1754977, BZ#1755996, BZ#1784360, BZ#1796310, BZ#1871680)
GUI changes in RHEL Installation Program
The RHEL Installation Program now includes the following user settings on the Installation Summary window:
- Root password
- User creation
With this change, you can now configure a root password and create a user account before you begin the installation. Previously, you configured a root password and created a user account after you began the installation process.
A root password is used to log in to the administrator (also known as superuser or root) account, which is used for system administration tasks. The user name is used to log in from a command line; if you install a graphical environment, then your graphical login manager uses the full name. For more details, see the Performing a standard RHEL installation document.
(JIRA:RHELPLAN-40469)
Image Builder backend osbuild-composer replaces lorax-composer
The osbuild-composer backend replaces lorax-composer. The new service provides REST APIs for image building. As a result, users can benefit from a more reliable backend and more predictable output images.
(BZ#1836211)
Image Builder osbuild-composer supports a set of image types
With the osbuild-composer backend replacement, the following image types are supported in osbuild-composer at this time:
- TAR Archive (.tar)
- QEMU QCOW2 (.qcow2)
- VMware Virtual Machine Disk (.vmdk)
- Amazon Machine Image (.ami)
- Azure Disk Image (.vhd)
- OpenStack Image (.qcow2)
The following outputs are not supported at this time:
- ext4-filesystem
- partitioned-disk
- Alibaba Cloud
- Google GCE
(JIRA:RHELPLAN-42617)
Image Builder now supports push to clouds through GUI
With this enhancement, when creating images, users can choose the option of pushing to Azure and AWS service clouds through the Image Builder GUI. As a result, users can benefit from easier uploads and instantiation.
(JIRA:RHELPLAN-30878)
5.1.2. RHEL for Edge
Introducing RHEL for Edge images
With this release, you can now create customized RHEL images for Edge servers.
You can use Image Builder to create RHEL for Edge images, and then use the RHEL installer to deploy them on AMD and Intel 64-bit systems. Image Builder generates a RHEL for Edge image as rhel-edge-commit in a .tar file.
A RHEL for Edge image is an rpm-ostree image that includes system packages for remotely installing RHEL on Edge servers.
The system packages include:
- Base OS package
- Podman as the container engine
You can customize the image to configure the OS content as per your requirements, and can deploy them on physical and virtual machines.
With a RHEL for Edge image, you can achieve the following:
- Atomic upgrades, where the state of each update is known and no changes are seen until you reboot the device.
- Custom health checks using Greenboot and intelligent rollbacks for resiliency in case of failed upgrades.
- Container-focused workflows, where you can separate core OS updates from the application updates, and test and deploy different versions of applications.
- Optimized OTA payloads for low-bandwidth environments.
- Custom health checks using Greenboot to ensure resiliency.
For more information about composing, installing, and managing RHEL for Edge images, see Composing, Installing, and Managing RHEL for Edge images.
(JIRA:RHELPLAN-56676)
5.1.3. Software management
The default value for the best dnf configuration option has been changed from True to False
With this update, the value for the best dnf configuration option has been set to True in the default configuration file to retain the original dnf behavior. As a result, for users that use the default configuration file the behavior remains unchanged.
If you provide your own configuration files, make sure that the best=True option is present to retain the original behavior.
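A check for the case described above, written as an added example (it is not part of the release notes or of dnf itself): it reads the best value from the [main] section of a dnf.conf and restores best=True when a custom configuration file lacks it. The sample configuration is constructed; on a real system the file is /etc/dnf/dnf.conf.

```shell
# Added example, not from the release notes: inspect a dnf.conf for the
# "best" option in its [main] section and restore best=True when it is
# missing or set to something else. The sample config written at the end
# is constructed; on a real system the file is /etc/dnf/dnf.conf.

# Print the value of "best" from [main], or "unset" when the option is absent.
dnf_best_value() {
    awk -F= '
        /^[[:space:]]*\[/ { section = $0; next }
        section ~ /^[[:space:]]*\[main\]/ && $1 ~ /^[[:space:]]*best[[:space:]]*$/ {
            val = $2; gsub(/[[:space:]]/, "", val)
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Make sure [main] carries best=True. Prints "unchanged" when it already
# does, "updated" after rewriting the file (a [main] section is created if
# the file has none).
dnf_ensure_best_true() {
    conf=$1
    case "$(dnf_best_value "$conf")" in
        True|true|1|yes) echo unchanged; return 0 ;;
    esac
    tmp="$conf.tmp.$$"
    awk '
        /^[[:space:]]*\[/ {
            if (inmain && !done) { print "best=True"; done = 1 }
            inmain = ($0 ~ /^[[:space:]]*\[main\]/)
        }
        inmain && /^[[:space:]]*best[[:space:]]*=/ { $0 = "best=True"; done = 1 }
        { print }
        END {
            if (!done) { if (!inmain) print "[main]"; print "best=True" }
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf" && echo updated
}

# Demo on a constructed config that carries the upstream default (best=False).
demo=$(mktemp)
printf '[main]\ngpgcheck=1\nbest=False\n\n[myrepo]\nbaseurl=http://repo.example\n' > "$demo"
echo "before: best=$(dnf_best_value "$demo")"
dnf_ensure_best_true "$demo"
echo "after:  best=$(dnf_best_value "$demo")"
rm -f "$demo"
```

Run it against each custom dnf.conf you ship; a file that only sets repository sections and never opens [main] gets the section appended so the option lands where dnf reads it.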
New --norepopath option for the dnf reposync command is now available
Previously, the reposync command created a subdirectory under the --download-path directory for each downloaded repository by default. With this update, the --norepopath option has been introduced, and reposync does not create the subdirectory. As a result, the repository is downloaded directly into the directory specified by --download-path. This option is also present in YUM v3.
Ability to enable and disable the libdnf plugins
Previously, subscription checking was hardcoded into the RHEL version of the libdnf plug-ins. With this update, the microdnf utility can enable and disable the libdnf plug-ins, and subscription checking can now be disabled the same way as in DNF. To disable subscription checking, use the --disableplugin=subscription-manager option. To disable all plug-ins, use the --noplugins option.
5.1.4. Shells and command-line tools
ReaR updates
RHEL 8.3 introduces a number of updates to the Relax-and-Recover (ReaR) utility. Notable changes include:
- Support for the third-party Rubrik Cloud Data Management (CDM) as external backup software has been added. To use it, set the BACKUP option in the configuration file to CDM.
- Creation of a rescue image with a file larger than 4 GB on the IBM POWER, little endian architecture has been enabled.
- Disk layout created by ReaR no longer includes entries for Rancher 2 Longhorn iSCSI devices and file systems.
(BZ#1743303)
smartmontools rebased to version 7.1
The smartmontools package has been upgraded to version 7.1, which provides multiple bug fixes and enhancements. Notable changes include:
- HDD, SSD and USB additions to the drive database.
- New options -j and --json to enable JSON output mode.
- Workaround for the incomplete Log subpages response from some SAS SSDs.
- Improved handling of the READ CAPACITY command.
- Various improvements for the decoding of the log pages.
opencryptoki rebased to version 3.14.0
The opencryptoki packages have been upgraded to version 3.14.0, which provides multiple bug fixes and enhancements. Notable changes include:
EP11 cryptographic service enhancements:
- Dilithium support
- Edwards-curve digital signature algorithm (EdDSA) support
- Support of Rivest–Shamir–Adleman optimal asymmetric encryption padding (RSA-OAEP) with non-SHA1 hash and mask generation function (MGF)
- Enhanced process and thread locking
- Enhanced btree and object locking
- Support for new IBM Z hardware z15
- Support of multiple token instances for trusted platform module (TPM), IBM cryptographic architecture (ICA) and integrated cryptographic service facility (ICSF)
- Added a new tool p11sak, which lists the token keys in an openCryptoki token repository
- Added a utility to migrate a token repository to FIPS compliant encryption
- Fixed pkcsep11_migrate tool
- Minor fixes of the ICSF software
(BZ#1780293)
gpgme rebased to version 1.13.1
The gpgme packages have been upgraded to upstream version 1.13.1. Notable changes include:
- New context flags no-symkey-cache (has an effect when used with GnuPG 2.2.7 or later), request-origin (has an effect when used with GnuPG 2.2.6 or later), auto-key-locate, and trust-model have been introduced.
- New tool gpgme-json as native messaging server for web browsers has been added. As of now, public key encryption and decryption is supported.
- New encryption API to support direct key specification including hidden recipients option and taking keys from a file has been introduced. This also allows the use of a subkey.
5.1.5. Infrastructure services
powertop rebased to version 2.12
The powertop packages have been upgraded to version 2.12. Notable changes over the previously available version 2.11 include:
- Use of Device Interface Power Management (DIPM) for SATA link PM.
- Support for Intel Comet Lake mobile and desktop systems, the Skylake server, and the Atom-based Tremont architecture (Jasper Lake).
(BZ#1783110)
tuned rebased to version 2.14.0
The tuned packages have been upgraded to upstream version 2.14.0. Notable enhancements include:
- The optimize-serial-console profile has been introduced.
- Support for a post loaded profile has been added.
- The irqbalance plugin for handling irqbalance settings has been added.
- Architecture specific tuning for Marvell ThunderX and AMD based platforms has been added.
- Scheduler plugin has been extended to support cgroups-v1 for CPU affinity setting.
tcpdump rebased to version 4.9.3
The tcpdump utility has been updated to version 4.9.3 to fix Common Vulnerabilities and Exposures (CVE).
libpcap rebased to version 1.9.1
The libpcap packages have been updated to version 1.9.1 to fix Common Vulnerabilities and Exposures (CVE).
iperf3 now supports the sctp option on the client side
With this enhancement, the user can use Stream Control Transmission Protocol (SCTP) instead of Transmission Control Protocol (TCP) on the client side of testing network throughput.
The following options for iperf3 are now available on the client side of testing:
- --sctp
- --xbind
- --nstreams
To obtain more information, see Client Specific Options in the iperf3 man page.
(BZ#1665142)
iperf3 now supports SSL
With this enhancement, the user can use RSA authentication between the client and the server to restrict the connections to the server only to legitimate clients.
The following options for iperf3 are now available on the server side:
- --rsa-private-key-path
- --authorized-users-path
The following options for iperf3 are now available on the client side of communication:
- --username
- --rsa-public-key-path
bind rebased to 9.11.20
The bind package has been upgraded to version 9.11.20, which provides multiple bug fixes and enhancements. Notable changes include:
- Increased reliability on systems with many CPU cores by fixing several race conditions.
- Detailed error reporting: dig and other tools can now print the Extended DNS Error (EDE) option, if it is present.
- Message IDs in inbound DNS Zone Transfer Protocol (AXFR) transfers are checked and logged when they are inconsistent.
(BZ#1818785)
A new optimize-serial-console TuneD profile to reduce I/O to serial consoles by lowering the printk value
With this update, a new optimize-serial-console TuneD profile is available. In some scenarios, kernel drivers can send large amounts of I/O operations to the serial console. Such behavior can cause temporary unresponsiveness while the I/O is written to the serial console. The optimize-serial-console profile reduces this I/O by lowering the printk value from the default of 7 4 1 7 to 4 4 1 7. Users with a serial console who wish to make this change on their system can instrument their system as follows:
# tuned-adm profile throughput-performance optimize-serial-console
As a result, users will have a lower printk value that persists across a reboot, which reduces the likelihood of system hangs.
This TuneD profile reduces the amount of I/O written to the serial console by removing debugging information. If you need to collect this debugging information, you should ensure this profile is not enabled and that your printk value is set to 7 4 1 7. To check the value of printk, run:
# cat /proc/sys/kernel/printk
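The printk check above, carried one step further as an added example (not part of the release notes or of TuneD): the helper reads a printk value, names the least severe message level that still reaches the console, and reports whether the reduction the profile applies is in effect. The values 7 4 1 7 and 4 4 1 7 are the ones the note quotes; the "strictly lower than console_loglevel" rule is how the kernel decides what to print.

```shell
# Added example, not from the release notes: read a /proc/sys/kernel/printk
# value ("console_loglevel default_message_loglevel minimum_console_loglevel
# default_console_loglevel") and report what the serial console will still
# receive. The values 7 4 1 7 and 4 4 1 7 are the ones the note quotes.

# First field: the console loglevel. The kernel writes a message to the console
# only when its level is strictly lower than this value.
printk_console_level() {
    set -- $1        # split the four space-separated fields
    echo "$1"
}

# Least severe syslog level that still reaches the console.
printk_console_max_level() {
    lvl=$(printk_console_level "$1")
    case $((lvl - 1)) in
        -1) echo none ;;
        0) echo emerg ;;
        1) echo alert ;;
        2) echo crit ;;
        3) echo err ;;
        4) echo warning ;;
        5) echo notice ;;
        6) echo info ;;
        *) echo debug ;;
    esac
}

# Exit 0 when the console loglevel is at or below the 4 that
# optimize-serial-console sets, i.e. the profile's reduction is in effect.
printk_serial_io_reduced() {
    [ "$(printk_console_level "$1")" -le 4 ]
}

# Demo on the two values from the note, then on the running kernel if readable.
for v in "7 4 1 7" "4 4 1 7"; do
    echo "printk '$v': console shows messages up to '$(printk_console_max_level "$v")'"
done
if [ -r /proc/sys/kernel/printk ]; then
    cur=$(cat /proc/sys/kernel/printk)
    if printk_serial_io_reduced "$cur"; then
        echo "current '$cur': serial I/O reduced, only err and more severe reach the console"
    else
        echo "current '$cur': profile not applied, console logging is at its default"
    fi
fi
```

Note what the two values mean in practice: at 7 4 1 7 everything up to info is written to the console, at 4 4 1 7 only emerg through err. If a support case needs the info-level driver messages, check the current value with this helper before starting the reproduction rather than after.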
New TuneD profiles added for the AMD-based platforms
In RHEL 8.3, the throughput-performance TuneD profile was updated to include tuning for the AMD-based platforms. There is no need to change any parameter manually and the tuning is automatically applied on the AMD system. The AMD Epyc Naples and Rome systems alter the following parameters in the default throughput-performance profile:
sched_migration_cost_ns=5000000 and kernel.numa_balancing=0
With this enhancement, the system performance is improved by ~5%.
(BZ#1746957)
memcached rebased to version 1.5.22
The memcached packages have been upgraded to version 1.5.22. Notable changes over the previous version include:
- TLS has been enabled.
- The -o inline_ascii_response option has been removed.
- The -Y [authfile] option has been added along with authentication mode for the ASCII protocol.
- memcached can now recover its cache between restarts.
- New experimental meta commands have been added.
- Various performance improvements.
5.1.6. Security
Cyrus SASL now supports channel bindings with the SASL/GSSAPI and SASL/GSS-SPNEGO plug-ins
This update adds support for channel bindings with the SASL/GSSAPI and SASL/GSS-SPNEGO plug-ins. As a result, when used in the openldap libraries, this feature enables Cyrus SASL to maintain compatibility with and access to Microsoft Active Directory and Microsoft Windows systems, which are introducing mandatory channel binding for LDAP connections.
Libreswan rebased to 3.32
With this update, Libreswan has been rebased to upstream version 3.32, which includes several new features and bug fixes. Notable features include:
- Libreswan no longer requires separate FIPS 140-2 certification.
- Libreswan now implements the cryptographic recommendations of RFC 8247, and changes the preference from SHA-1 and RSA-PKCS v1.5 to SHA-2 and RSA-PSS.
- Libreswan supports XFRMi virtual ipsecXX interfaces that simplify writing firewall rules.
- Recovery of crashed and rebooted nodes in a full-mesh encryption network is improved.
The libssh library has been rebased to version 0.9.4
The libssh library, which implements the SSH protocol, has been upgraded to version 0.9.4.
This update includes bug fixes and enhancements, including:
- Added support for Ed25519 keys in PEM files.
- Added support for the diffie-hellman-group14-sha256 key exchange algorithm.
- Added support for localuser in the Match keyword in the libssh client configuration file.
- Match criteria keyword arguments are now case-sensitive (note that keywords are case-insensitive, but keyword arguments are case-sensitive).
- Fixed CVE-2019-14889 and CVE-2020-1730.
- Added support for recursively creating missing directories found in the path string provided for the known hosts file.
- Added support for OpenSSH keys in PEM files with comments and leading white spaces.
- Removed the OpenSSH server configuration inclusion from the libssh server configuration.
gnutls rebased to 3.6.14
The gnutls packages have been rebased to upstream version 3.6.14. This version provides many bug fixes and enhancements, most notably:
- gnutls now rejects certificates with Time fields that contain invalid characters or formatting.
- gnutls now checks trusted CA certificates for minimum key sizes.
- When displaying an encrypted private key, the certtool utility no longer includes its plain text description.
- Servers using gnutls now advertise OCSP-stapling support.
- Clients using gnutls now send OCSP staples only on request.
gnutls FIPS DH checks now conform with NIST SP 800-56A rev. 3
This update of the gnutls packages provides checks required by NIST Special Publication 800-56A Revision 3, sections 5.7.1.1 and 5.7.1.2, step 2. The change is necessary for future FIPS 140-2 certifications. As a result, gnutls now accepts only 2048-bit or larger parameters from RFC 7919 and RFC 3526 during the Diffie-Hellman key exchange when operating in FIPS mode.
gnutls now performs validations according to NIST SP 800-56A rev 3
This update of the gnutls packages adds checks required by NIST Special Publication 800-56A Revision 3, sections 5.6.2.2.2 and 5.6.2.1.3, step 2. The addition prepares gnutls for future FIPS 140-2 certifications. As a result, gnutls performs additional validation steps for generated and received public keys during the Diffie-Hellman key exchange when operating in FIPS mode.
(BZ#1855803)
update-crypto-policies and fips-mode-setup moved into crypto-policies-scripts
The update-crypto-policies and fips-mode-setup scripts, which were previously included in the crypto-policies package, are now moved into a separate RPM subpackage crypto-policies-scripts. The package is automatically installed through the Recommends dependency on regular installations. This enables the ubi8/ubi-minimal image to avoid the inclusion of the Python language interpreter and thus reduces the image size.
OpenSC rebased to version 0.20.0
The opensc package has been rebased to version 0.20.0, which addresses multiple bugs and security issues. Notable changes include:
- With this update, CVE-2019-6502, CVE-2019-15946, CVE-2019-15945, CVE-2019-19480, CVE-2019-19481 and CVE-2019-19479 security issues are fixed.
- The OpenSC module now supports the C_WrapKey and C_UnwrapKey functions.
- You can now use the facility to detect insertion and removal of card readers as expected.
- The pkcs11-tool utility now supports the CKA_ALLOWED_MECHANISMS attribute.
- This update allows default detection of the OsEID cards.
- The OpenPGP Card v3 now supports Elliptic Curve Cryptography (ECC).
- The PKCS#11 URI now truncates the reader name with ellipsis.
stunnel rebased to version 5.56
With this update, the stunnel encryption wrapper has been rebased to upstream version 5.56, which includes several new features and bug fixes. Notable features include:
- New ticketKeySecret and ticketMacSecret options that control confidentiality and integrity protection of the issued session tickets. These options enable you to resume sessions on other nodes in a cluster.
- New curves option to control the list of elliptic curves in OpenSSL 1.1.0 and later.
- New ciphersuites option to control the list of permitted TLS 1.3 ciphersuites.
- Added sslVersion, sslVersionMin and sslVersionMax for OpenSSL 1.1.0 and later.
libkcapi rebased to version 1.2.0
The libkcapi package has been rebased to upstream version 1.2.0, which includes minor changes.
(BZ#1683123)
setools rebased to 4.3.0
The setools package, which is a collection of tools designed to facilitate SELinux policy analysis, has been upgraded to version 4.3.0.
This update includes bug fixes and enhancements, including:
- Revised sediff method for Type Enforcement (TE) rules, which significantly reduces memory and runtime issues.
- Added infiniband context support to seinfo, sediff, and apol.
- Added apol configuration for the location of the Qt assistant tool used to display online documentation.
- Fixed sediff issues with:
  - Properties header displaying when not requested.
  - Name comparison of type_transition files.
- Fixed permission of map socket sendto information flow direction.
- Added methods to the TypeAttribute class to make it a complete Python collection.
- Genfscon now looks up classes, rather than using fixed values which were dropped from libsepol.
The setools package requires the following packages:
- setools-console
- setools-console-analyses
- setools-gui
Individual CephFS files and directories can now have SELinux labels
The Ceph File System (CephFS) has recently enabled storing SELinux labels in the extended attributes of files. Previously, all files in a CephFS volume were labeled with a single common label system_u:object_r:cephfs_t:s0. With this enhancement, you can change the labels for individual files, and SELinux defines the labels of newly created files based on transition rules. Note that previously unlabeled files still have the system_u:object_r:cephfs_t:s0 label until explicitly changed.
OpenSCAP rebased to version 1.3.3
The openscap packages have been upgraded to upstream version 1.3.3, which provides many bug fixes and enhancements over the previous version, most notably:
- Added the autotailor script that enables you to generate tailoring files using a command-line interface (CLI).
- Added the timezone part to the Extensible Configuration Checklist Description Format (XCCDF) TestResult start and end time stamps.
- Added the yamlfilecontent independent probe as a draft implementation.
- Introduced the urn:xccdf:fix:script:kubernetes fix type in XCCDF.
- Added ability to generate the machineconfig fix.
- The oscap-podman tool can now detect ambiguous scan targets.
- The rpmverifyfile probe can now verify files from the /bin directory.
- Fixed crashes when complicated regexes are executed in the textfilecontent58 probe.
- Evaluation characteristics of the XCCDF report are now consistent with OVAL entities from the system_info probe.
- Fixed file-path pattern matching in offline mode in the textfilecontent58 probe.
- Fixed infinite recursion in the systemdunitdependency probe.
SCAP Security Guide now provides a profile aligned with the CIS RHEL 8 Benchmark v1.0.0
With this update, the scap-security-guide packages provide a profile aligned with the CIS Red Hat Enterprise Linux 8 Benchmark v1.0.0. The profile enables you to harden the configuration of the system using the guidelines by the Center for Internet Security (CIS). As a result, you can configure and automate compliance of your RHEL 8 systems with CIS by using the CIS Ansible Playbook and the CIS SCAP profile.
Note that the rpm_verify_permissions rule in the CIS profile does not work correctly.
scap-security-guide now provides a profile that implements HIPAA
This update of the scap-security-guide packages adds the Health Insurance Portability and Accountability Act (HIPAA) profile to the RHEL 8 security compliance content. This profile implements recommendations outlined on the HIPAA Privacy Rule website.
The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.
scap-security-guide rebased to 0.1.50
The scap-security-guide packages, which contain the latest set of security policies for Linux systems, have been upgraded to version 0.1.50.
This update includes bug fixes and enhancements, most notably:
- Ansible content has been improved: numerous rules contain Ansible remediations for the first time and other rules have been updated to address bug fixes.
- Fixes and improvements to the scap-security-guide content for scanning RHEL7 systems, including:
  - The scap-security-guide packages now provide a profile aligned with the CIS RHEL 7 Benchmark v2.2.0. Note that the rpm_verify_permissions rule in the CIS profile does not work correctly; see the rpm_verify_permissions fails in the CIS profile known issue.
  - The SCAP Security Guide profiles now correctly disable and mask services that should not be started.
  - The audit_rules_privileged_commands rule in the scap-security-guide packages now works correctly for privileged commands.
  - Remediation of the dconf_gnome_login_banner_text rule in the scap-security-guide packages no longer incorrectly fails.
The SCAP Workbench can now generate results-based remediations from tailored profiles
With this update, you can now generate result-based remediation roles from tailored profiles using the SCAP Workbench tool.
(BZ#1640715)
New Ansible role provides automated deployments of Clevis clients
This update of the rhel-system-roles package introduces the nbde_client RHEL system role. This Ansible role enables you to deploy multiple Clevis clients in an automated way.
New Ansible role can now set up a Tang server
With this enhancement, you can deploy and manage a Tang server as part of an automated disk encryption solution with the new nbde_server system role. The nbde_server Ansible role, which is included in the rhel-system-roles package, supports the following features:
- Rotating Tang keys
- Deploying and backing up Tang keys
For more information, see Rotating Tang server keys.
clevis rebased to version 13
The clevis packages have been rebased to version 13, which provides multiple bug fixes and enhancements. Notable changes include:
- clevis luks unlock can be used on a device with a key file in the non-interactive mode.
- clevis encrypt tpm2 parses the pcr_ids field if the input is given as a JSON array.
- The clevis-luks-unbind(1) man page no longer refers only to LUKS v1.
- clevis luks bind no longer writes to an inactive slot if the password given is incorrect.
- clevis luks bind now works while the system uses a non-English locale.
- Added support for tpm2-tools 4.x.
clevis luks edit enables you to edit a specific pin configuration
This update of the clevis packages introduces the new clevis luks edit subcommand that enables you to edit a specific pin configuration. For example, you can now change the URL address of a Tang server and the pcr_ids parameter in a TPM2 configuration. You can also add and remove new sss pins and change the threshold of an sss pin.
(BZ#1436735)
clevis luks bind -y now allows automated binding
With this enhancement, Clevis supports automated binding with the -y parameter. You can now use the -y option with the clevis luks bind command, which automatically answers subsequent prompts with yes. For example, when using a Tang pin, you are no longer required to manually trust Tang keys.
(BZ#1819767)
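The sss pin configuration that clevis luks edit lets you adjust (threshold, Tang URLs, pcr_ids) and the non-interactive bind -y call from the two notes above, combined into one added example. This is not code from the release notes or from the clevis project: the Tang URLs, the device path and the pcr_ids value are constructed placeholders, and the bind command is printed rather than executed, since binding needs root and a real LUKS device.

```shell
# Added example, not from the release notes: assemble a Clevis sss pin
# configuration from Tang and TPM2 pins, sanity-check the threshold against
# the pin count, and print the automated (-y) bind command. Tang URLs, the
# device path and pcr_ids are constructed placeholders.

# One tang pin: {"url": "..."}
clevis_tang_pin() {
    printf '{"url":"%s"}' "$1"
}

# One tpm2 pin; pcr_ids given as a comma-separated string (the note says a
# JSON array is accepted as well since clevis 13).
clevis_tpm2_pin() {
    printf '{"pcr_ids":"%s"}' "$1"
}

# sss config: $1 = threshold t, $2 = tpm2 pcr_ids, remaining args = Tang URLs.
clevis_sss_config() {
    t=$1; pcrs=$2; shift 2
    tangs=""
    for url in "$@"; do
        tangs="${tangs:+$tangs,}$(clevis_tang_pin "$url")"
    done
    printf '{"t":%d,"pins":{"tang":[%s],"tpm2":%s}}' \
        "$t" "$tangs" "$(clevis_tpm2_pin "$pcrs")"
}

# Number of Tang pins in an sss config (constructed URLs contain no commas).
clevis_sss_tang_count() {
    printf '%s' "$1" | tr ',' '\n' | grep -c '"url"' || true
}

# Print the bind command for a device, refusing a threshold that can never be
# met (more shares required than pins configured). Not executed here.
clevis_bind_command() {
    dev=$1; cfg=$2
    pins=$(( $(clevis_sss_tang_count "$cfg") + 1 ))   # +1 for the tpm2 pin
    t=$(printf '%s' "$cfg" | sed 's/^{"t":\([0-9]*\).*/\1/')
    if [ "$t" -gt "$pins" ]; then
        echo "threshold $t exceeds $pins configured pins" >&2
        return 1
    fi
    printf "clevis luks bind -y -d %s sss '%s'\n" "$dev" "$cfg"
}

# Demo: any one of two Tang servers, or the TPM, unlocks the volume (t=1).
cfg=$(clevis_sss_config 1 7 http://tang1.example http://tang2.example)
clevis_bind_command /dev/sdX2 "$cfg"
```

The same JSON is what clevis luks edit changes later when a Tang server moves or the pcr_ids set is revised; keep the threshold check in whatever automation drives bind -y, because with -y nobody is left at a prompt to notice a configuration that cannot unlock.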
fapolicyd rebased to version 1.0
The fapolicyd packages have been rebased to version 1.0, which provides multiple bug fixes and enhancements. Notable changes include:
- The multiple thread synchronization problem has been resolved.
- Enhanced performance with reduced database size and loading time.
- A new trust option for the fapolicyd package in the fapolicyd.conf file has been added to customize the trust back end. You can add all trusted files, binaries, and scripts to the new /etc/fapolicyd/fapolicyd.trust file.
- You can manage the fapolicyd.trust file using the CLI.
- You can clean or dump the database using the CLI.
- The fapolicyd package overrides the magic database for better decoding of scripts. The CLI prints the MIME type of the file similar to the file command according to the override.
- The /etc/fapolicyd/fapolicyd.rules file supports a group of values as attribute values.
- The fapolicyd daemon has a syslog_format option for setting the format of the audit/syslog events.
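An added example around the fapolicyd.trust file described above; it is not code from the release notes or the fapolicyd project. It builds the entry for a file and finds entries whose file has since changed, which is the check to run before assuming an updated script will still be allowed to execute. The three-field "path size sha256" layout is assumed here; the script and trust file live in a temporary directory.

```shell
# Added example, not from the release notes: build and verify entries for
# /etc/fapolicyd/fapolicyd.trust. The three-field "path size sha256" layout is
# the trust file format assumed here; the script and trust file are created
# in a temporary directory so nothing touches a real system.

# Print one trust entry for a file: path, size in bytes, SHA-256.
fapolicyd_trust_entry() {
    f=$1
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    printf '%s %s %s\n' "$f" "$size" "$sum"
}

# Exit 0 when the file named in a trust line still has the recorded size and
# hash, 1 when it changed or is gone (the entry must be refreshed).
fapolicyd_trust_verify() {
    set -- $1
    [ "$(fapolicyd_trust_entry "$1" 2>/dev/null)" = "$1 $2 $3" ]
}

# Print the path of every stale entry in a trust file; comments and blank
# lines are skipped.
fapolicyd_trust_stale() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        fapolicyd_trust_verify "$line" || printf '%s\n' "${line%% *}"
    done < "$1"
}

# Demo with a constructed script and trust file.
work=$(mktemp -d)
printf 'echo hi\n' > "$work/deploy.sh"
fapolicyd_trust_entry "$work/deploy.sh" > "$work/fapolicyd.trust"
cat "$work/fapolicyd.trust"
printf 'echo changed\n' > "$work/deploy.sh"    # the script is modified after trust
echo "stale entries: $(fapolicyd_trust_stale "$work/fapolicyd.trust")"
rm -rf "$work"
```

On a real host the supported way to add a file is the CLI the note refers to (fapolicyd-cli, whose --file add form I take from its man page rather than from this note); the point of the stale check is that a trust entry records a hash, so any rebuild or edit of a trusted script silently drops it back to untrusted until the entry is refreshed.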
fapolicyd now provides its own SELinux policy in fapolicyd-selinux
With this enhancement, the fapolicyd framework now provides its own SELinux security policy. The daemon is confined under the fapolicyd_t domain and the policy is installed through the fapolicyd-selinux subpackage.
USBGuard rebased to version 0.7.8
The usbguard packages have been rebased to version 0.7.8, which provides multiple bug fixes and enhancements. Notable changes include:
- The HidePII=true|false parameter in the /etc/usbguard/usbguard-daemon.conf file can now hide personally identifiable information from audit entries.
- The AuthorizedDefault=keep|none|all|internal parameter in the /etc/usbguard/usbguard-daemon.conf file can predefine the authorization state of controller devices.
- With the new with-connect-type rule attribute, users can now distinguish the connection type of the device.
- Users can now append temporary rules with the -t option. Temporary rules remain in memory only until the daemon restarts.
- usbguard list-rules can now filter rules according to certain properties.
- usbguard generate-policy can now generate a policy for specific devices.
- The usbguard allow|block|reject command can now handle rule strings, and a target is applied on each device that matches the specified rule string.
- New subpackages usbguard-notifier and usbguard-selinux are included.
USBGuard provides many improvements for corporate desktop users
This addition to the USBGuard project contains enhancements and bug fixes to improve the usability for corporate desktop users. Important changes include:
- For keeping the /etc/usbguard/rules.conf rule file clean, users can define multiple configuration files inside the RuleFolder=/etc/usbguard/rules.d/ directory. By default, the RuleFolder is specified in the /etc/usbguard-daemon.conf file.
- The usbguard-notifier tool now provides GUI notifications. The tool notifies the user whenever a device is plugged in or plugged out and whether the device is allowed, blocked, or rejected by any user.
- You can now include comments in the configuration files, because the usbguard-daemon no longer parses lines starting with #.
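The two USBGuard notes above (HidePII, AuthorizedDefault, with-connect-type, rules.d drop-ins and comment lines) put together as an added example; it is not code from the release notes or the USBGuard project. It writes a daemon configuration fragment and a commented drop-in rule file into a temporary stand-in for /etc/usbguard, and lists the rules the daemon would actually act on. The vendor:product ID, the "hardwired"/"hotplug" connect-type strings and the *.conf naming of drop-ins are constructed sample data.

```shell
# Added example, not from the release notes: lay out a USBGuard drop-in rule
# file with comments under a rules.d directory and list the effective rules.
# Paths are a temp dir stand-in for /etc/usbguard; the vendor:product ID,
# the "hardwired"/"hotplug" connect-type values and the *.conf file naming
# are constructed sample data.

# Daemon config fragment with the options the notes name.
usbguard_write_daemon_conf() {
    cat > "$1" <<'EOF'
# constructed sample; the real file is /etc/usbguard/usbguard-daemon.conf
RuleFile=/etc/usbguard/rules.conf
RuleFolder=/etc/usbguard/rules.d/
ImplicitPolicyTarget=block
AuthorizedDefault=keep
HidePII=true
EOF
}

# A commented drop-in rule file for the corporate keyboard model.
usbguard_write_rules() {
    cat > "$1" <<'EOF'
# constructed sample rule file (rules.d drop-in)
# keep anything soldered to the board (internal hub, webcam) working
allow with-connect-type "hardwired"

# permit the corporate keyboard model, identified by vendor:product
allow id 1234:5678 with-connect-type "hotplug"

# everything else that is hot-plugged falls through to ImplicitPolicyTarget
EOF
}

# Effective rules: drop comment lines and blank lines.
usbguard_effective_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Total rule count across every *.conf drop-in in a rules folder.
usbguard_rule_count() {
    n=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        c=$(usbguard_effective_rules "$f" | wc -l | tr -d ' ')
        n=$((n + c))
    done
    echo "$n"
}

# Demo in a temporary tree.
root=$(mktemp -d)
mkdir "$root/rules.d"
usbguard_write_daemon_conf "$root/usbguard-daemon.conf"
usbguard_write_rules "$root/rules.d/10-corp-keyboard.conf"
echo "effective rules:"
usbguard_effective_rules "$root/rules.d/10-corp-keyboard.conf"
echo "rule count: $(usbguard_rule_count "$root/rules.d")"
rm -rf "$root"
```

Two things to keep in mind when adopting this layout: HidePII=true trims device serials and product strings from audit entries, so a detection pipeline that keys on those fields needs another identifier, and because the daemon now skips lines starting with #, a rule accidentally commented out is silently gone rather than a parse error, which is what the effective-rule count is for.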
USBGuard now provides its own SELinux policy in usbguard-selinux
With this enhancement, the USBGuard framework now provides its own SELinux security policy. The daemon is confined under the usbguard_t domain and the policy is installed through the usbguard-selinux subpackage.
libcap now supports ambient capabilities
With this update, users are able to grant ambient capabilities at login and avoid the need for root access for appropriately configured processes.
(BZ#1487388)
The libseccomp library has been rebased to version 2.4.3
The libseccomp library, which provides an interface to the seccomp system call filtering mechanism, has been upgraded to version 2.4.3.
This update provides numerous bug fixes and enhancements. Notable changes include:
- Updated the syscall table for Linux v5.4-rc4.
- No longer defining __NR_x values for system calls that do not exist.
- __SNR_x is now used internally.
- Added define for __SNR_ppoll.
- Fixed a multiplexing issue with s390/s390x shm* system calls.
- Removed the static flag from the libseccomp tools compilation.
- Added support for io-uring related system calls.
- Fixed the Python module naming issue introduced in the v2.4.0 release; the module is named seccomp as it was previously.
- Fixed a potential memory leak identified by clang in the scmp_bpf_sim tool.
omamqp1 module is now supported
With this update, the AMQP 1.0 protocol supports sending messages to a destination on the bus. Previously, Openstack used the AMQP1 protocol as a communication standard, and this protocol can now log messages in AMQP messages. This update introduces the rsyslog-omamqp1 sub-package to deliver the omamqp1 output mode, which logs messages and sends them to the destination on the bus.
OpenSCAP compresses remote content
With this update, OpenSCAP uses gzip compression for transferring remote content. The most common type of remote content is text-based CVE feeds, which increase in size over time and typically have to be downloaded for every scan. The gzip compression reduces the bandwidth to 10% of the bandwidth needed for uncompressed content. As a result, this reduces bandwidth requirements across the entire chain between the scanned system and the server that hosts the remote content.
SCAP Security Guide now provides a profile aligned with NIST-800-171
With this update, the scap-security-guide packages provide a profile aligned with the NIST-800-171 standard. The profile enables you to harden the system configuration in accordance with security requirements for protection of Controlled Unclassified Information (CUI) in non-federal information systems. As a result, you can more easily configure systems to be aligned with the NIST-800-171 standard.
5.1.7. Networking
The IPv4 and IPv6 connection tracking modules have been merged into the nf_conntrack module
This enhancement merges the nf_conntrack_ipv4 and nf_conntrack_ipv6 Netfilter connection tracking modules into the nf_conntrack kernel module. Due to this change, blacklisting the address family-specific modules no longer works in RHEL 8.3, and you can blacklist only the nf_conntrack module to disable connection tracking support for both the IPv4 and IPv6 protocols.
(BZ#1822085)
firewalld rebased to version 0.8.2
The firewalld packages have been upgraded to upstream version 0.8.2, which provides a number of bug fixes over the previous version. For details, see the firewalld 0.8.2 Release Notes.
NetworkManager rebased to version 1.26.0
The NetworkManager packages have been upgraded to upstream version 1.26.0, which provides a number of enhancements and bug fixes over the previous version:
- NetworkManager resets the auto-negotiation, speed, and duplex setting to their original value when deactivating a device.
- Wi-Fi profiles now connect automatically if all previous activation attempts failed. This means that an initial failure to auto-connect to the network no longer blocks the automatism. A side effect is that existing Wi-Fi profiles that were previously blocked now connect automatically.
- The nm-settings-nmcli(5) and nm-settings-dbus(5) man pages have been added.
- Support for a number of bridge parameters has been added.
- Support for virtual routing and forwarding (VRF) interfaces has been added. For further details, see Permanently reusing the same IP address on different interfaces.
- Support for Opportunistic Wireless Encryption mode (OWE) for Wi-Fi networks has been added.
- NetworkManager now supports 31-bit prefixes on IPv4 point-to-point links according to RFC 3021.
- The nmcli utility now supports removing settings using the nmcli connection modify <connection_name> remove <setting> command.
- NetworkManager no longer creates and activates slave devices if a master device is missing.
For further information about notable changes, read the upstream release notes.
XDP is conditionally supported
Red Hat supports the eXpress Data Path (XDP) feature only if all of the following conditions apply:
- You load the XDP program on an AMD or Intel 64-bit architecture
- You use the libxdp library to load the program into the kernel
- The XDP program uses one of the following return codes: XDP_ABORTED, XDP_DROP, or XDP_PASS
- The XDP program does not use the XDP hardware offloading
For details about unsupported XDP features, see Overview of XDP features that are available as Technology Preview.
xdp-tools is partially supported
The xdp-tools package, which contains user space support utilities for the kernel eXpress Data Path (XDP) feature, is now supported on the AMD and Intel 64-bit architectures. This includes the libxdp library, the xdp-loader utility for loading XDP programs, and the xdp-filter example program for packet filtering. Note that the xdpdump utility for capturing packets from a network interface with XDP enabled is still a Technology Preview.
(BZ#1820670)
The dracut utility by default now uses NetworkManager in initial RAM disk
Previously, the dracut utility used a shell script to manage networking in the initial RAM disk, initrd. In certain cases, this could cause problems. For example, NetworkManager sent another DHCP request even if the script in the RAM disk had already requested an IP address, which could result in a timeout.
With this update, dracut by default uses NetworkManager in the initial RAM disk and prevents the system from running into these issues. If you want to switch back to the previous implementation and recreate the RAM disk images, use the following commands:
# echo 'add_dracutmodules+=" network-legacy "' > /etc/dracut.conf.d/enable-network-legacy.conf
# dracut -vf --regenerate-all
(BZ#1626348)
Network configuration in the kernel command line has been consolidated under the ip parameter
The ipv6, netmask, gateway, and hostname parameters to set the network configuration in the kernel command line have been consolidated under the ip parameter. The ip parameter accepts different formats, such as the following:
ip=__IP_address__:__peer__:__gateway_IP_address__:__net_mask__:__host_name__:__interface_name__:__configuration_method__
For further details about the individual fields and other formats this parameter accepts, see the description of the ip parameter in the dracut.cmdline(7) man page.
The ipv6, netmask, gateway, and hostname parameters are no longer available in RHEL 8.
(BZ#1905138)
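Because the consolidated ip= value is positional and colon-separated, while IPv6 literals themselves contain colons, the format is easy to mis-read when auditing a kernel command line. The following added example (not dracut's code) parses the value described above: it treats bracketed IPv6 literals as opaque, tolerates the short forms ip=<method> and ip=<interface>:<method>, and flags malformed input. The trailing mtu and macaddr positions and the list of accepted configuration methods follow dracut.cmdline(7) as the author recalls it and are assumptions; the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Field order (assumed from dracut.cmdline(7)):
 * ip:peer:gateway:netmask:hostname:interface:method[:mtu[:macaddr]] */
#define IP_MAX_FIELDS 9
#define IP_FIELD_LEN 64

struct ip_param {
    char field[IP_MAX_FIELDS][IP_FIELD_LEN];
    int nfields;
};

/* Split value into out->field[]. Returns the field count, or -1 when the
 * value is malformed (unbalanced brackets, too many or oversized fields). */
int parse_ip_param(const char *value, struct ip_param *out)
{
    int n = 0, depth = 0;
    size_t len = 0;
    memset(out, 0, sizeof *out);
    for (const char *p = value;; p++) {
        char c = *p;
        if (c == '[') {
            depth++;                       /* entering an IPv6 literal */
        } else if (c == ']') {
            if (depth == 0)
                return -1;
            depth--;
        } else if (c == '\0' || (c == ':' && depth == 0)) {
            out->field[n][len] = '\0';     /* close the current field */
            n++;
            len = 0;
            if (c == '\0')
                break;
            if (n >= IP_MAX_FIELDS)
                return -1;
            continue;
        }
        if (len + 1 >= IP_FIELD_LEN)
            return -1;
        out->field[n][len++] = c;          /* brackets are kept in the field */
    }
    if (depth != 0)
        return -1;
    out->nfields = n;
    return n;
}

/* The configuration method moves with the short forms "ip=<method>" and
 * "ip=<interface>:<method>". Returns NULL if no method is present. */
const char *ip_param_method(const struct ip_param *p)
{
    if (p->nfields == 1) return p->field[0];
    if (p->nfields == 2) return p->field[1];
    if (p->nfields >= 7) return p->field[6];
    return NULL;
}

/* Methods accepted here (assumption: a subset of what dracut documents). */
int ip_method_is_known(const char *m)
{
    static const char *known[] = { "none", "off", "dhcp", "on", "any",
                                   "dhcp6", "auto6", "ibft" };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (m && strcmp(m, known[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* constructed sample values, not taken from any real system */
    const char *samples[] = {
        "192.0.2.10::192.0.2.1:255.255.255.0:host1:eth0:none",
        "[2001:db8::10]::[2001:db8::1]:64:host1:eth0:none",
        "eth0:dhcp",
        "[2001:db8::1",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ip_param p;
        int n = parse_ip_param(samples[i], &p);
        const char *m = n > 0 ? ip_param_method(&p) : NULL;
        printf("%-52s -> %2d fields, method=%s%s\n", samples[i], n,
               m ? m : "(none)", n < 0 ? " [malformed]" : "");
    }
    return 0;
}
```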
5.1.8. Kernel
Kernel version in RHEL 8.3
Red Hat Enterprise Linux 8.3 is distributed with the kernel version 4.18.0-240.
Extended Berkeley Packet Filter for RHEL 8.3
The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in a restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code.
The eBPF bytecode is first loaded into the kernel, then verified, then translated to native machine code with just-in-time compilation, and then the virtual machine executes the code.
Red Hat ships numerous components that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported. In RHEL 8.3, the following eBPF components are supported:
- The BPF Compiler Collection (BCC) tools package, which provides tools for I/O analysis, networking, and monitoring of Linux operating systems using eBPF.
- The BCC library, which allows the development of tools similar to those provided in the BCC tools package.
- The eBPF for Traffic Control (tc) feature, which enables programmable packet processing inside the kernel network data path.
- The eXpress Data Path (XDP) feature, which provides access to received packets before the kernel networking stack processes them, is supported under specific conditions. For more details, refer to the Networking section of the Release Notes.
- The libbpf package, which is crucial for bpf related applications like bpftrace and bpf/xdp development. For more details, refer to the dedicated release note libbpf fully supported.
- The xdp-tools package, which contains userspace support utilities for the XDP feature, is now supported on the AMD and Intel 64-bit architectures. This includes the libxdp library, the xdp-loader utility for loading XDP programs, and the xdp-filter example program for packet filtering. Note that the xdpdump utility for capturing packets from a network interface with XDP enabled is still an unsupported Technology Preview. For more details, refer to the Networking section of the Release Notes.
Note that all other eBPF components are available as Technology Preview, unless a specific component is indicated as supported.
The following notable eBPF components are currently available as Technology Preview:
- The bpftrace tracing language
- The AF_XDP socket for connecting the eXpress Data Path (XDP) path to user space
For more information regarding the Technology Preview components, see Technology Previews.
Cornelis Networks Omni-Path Architecture (OPA) Host Software
Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 8.3. OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.
TSX is now disabled by default
Starting with RHEL 8.3, the kernel now has the Intel® Transactional Synchronization Extensions (TSX) technology disabled by default to improve the OS security. The change applies to those CPUs that support disabling TSX, including the 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake with Intel® C620 Series Chipsets).
For users whose applications do not use TSX, the change removes the default performance penalty of the TSX Asynchronous Abort (TAA) mitigations on the 2nd Generation Intel® Xeon® Scalable Processors.
The change also aligns the RHEL kernel behavior with upstream, where TSX has been disabled by default since Linux 5.4.
To enable TSX, add the tsx=on parameter to the kernel command line.
(BZ#1828642)
RHEL 8.3 now supports the page owner tracking feature
With this update, you can use the page owner tracking feature to observe the kernel memory utilization at the page allocation level.
To enable the page tracker, execute the following steps:
# grubby --args="page_owner=on" --update-kernel=0
# reboot
As a result, the page owner tracker will track the kernel memory consumption, which helps to debug kernel memory leaks and detect the drivers that use a lot of memory.
(BZ#1825414)
EDAC for AMD EPYC™ 7003 Series Processors is now supported
This enhancement provides Error Detection And Correction (EDAC) device support for AMD EPYC™ 7003 Series Processors. Previously, corrected (CEs) and uncorrected (UEs) memory errors were not reported on systems based on AMD EPYC™ 7003 Series Processors. With this update, such errors will now be reported using EDAC.
(BZ#1735611)
Flamegraph is now supported with perf tool
With this update, the perf command line tool supports flamegraphs to create a graphical representation of the system’s performance. The perf data is grouped together into samples with similar stack backtraces. As a result, this data is converted into a visual representation to allow easier identification of computationally intensive areas of code. To generate a flamegraph using the perf tool, execute the following commands:
$ perf script record flamegraph -F 99 -g -- stress --cpu 1 --vm-bytes 128M --timeout 10s
stress: info: [4461] dispatching hogs: 1 cpu, 0 io, 0 vm, 0 hdd
stress: info: [4461] successful run completed in 10s
[ perf record: Woken up 1 times to write data ]
[ perf record: Captured and wrote 0.060 MB perf.data (970 samples) ]
$ perf script report flamegraph
dumping data to flamegraph.html
Note: To generate flamegraphs, install the js-d3-flame-graph rpm.
(BZ#1281843)
/dev/random and /dev/urandom are now conditionally powered by the Kernel Crypto API DRBG
In FIPS mode, the /dev/random and /dev/urandom pseudorandom number generators are powered by the Kernel Crypto API Deterministic Random Bit Generator (DRBG). Applications in FIPS mode use the mentioned devices as a FIPS-compliant noise source, therefore the devices have to employ FIPS-approved algorithms. To achieve this goal, the necessary hooks have been added to the /dev/random driver. As a result, the hooks are enabled in FIPS mode and cause /dev/random and /dev/urandom to connect to the Kernel Crypto API DRBG.
(BZ#1785660)
libbpf fully supported
The libbpf package, crucial for bpf related applications like bpftrace and bpf/xdp development, is now fully supported.
It is a mirror of the bpf-next linux tree bpf-next/tools/lib/bpf directory plus its supporting header files. The version of the package reflects the version of the Application Binary Interface (ABI).
(BZ#1759154)
lshw utility now provides additional CPU information
With this enhancement, the List Hardware utility (lshw) displays more CPU information. The CPU version field now provides the family, model and stepping details of the system processors in numeric format as version: <family>.<model>.<stepping>.
kernel-rt source tree has been updated to the RHEL 8.3 tree
The kernel-rt sources have been updated to use the latest Red Hat Enterprise Linux kernel source tree. The real-time patch set has also been updated to the latest upstream version, v5.6.14-rt7. Both of these updates provide a number of bug fixes and enhancements.
(BZ#1818138, BZ#1818142)
tpm2-tools rebased to version 4.1.1
The tpm2-tools package has been upgraded to version 4.1.1, which provides a number of command additions, updates, and removals. For more details, see the Updates to tpm2-tools package in RHEL8.3 solution.
(BZ#1789682)
The Mellanox ConnectX-6 Dx network adapter is now fully supported
This enhancement adds the PCI IDs of the Mellanox ConnectX-6 Dx network adapter to the mlx5_core driver. On hosts that use this adapter, RHEL loads the mlx5_core driver automatically. This feature, previously available as a Technology Preview, is now fully supported in RHEL 8.3.
(BZ#1782831)
mlxsw driver rebased to version 5.7
The mlxsw driver has been upgraded to upstream version 5.7 and includes the following new features:
- The shared buffer occupancy feature, which provides buffer occupancy data.
- The packet drop feature, which enables monitoring the layer 2, layer 3, tunnels and access control list drops.
- Packet trap policers support.
- Default port priority configuration support using the Link Layer Discovery Protocol (LLDP) agent.
- Enhanced Transmission Selection (ETS) and Token Bucket Filter (TBF) queuing discipline offloading support.
- RED queuing discipline nodrop mode is enabled to prevent early packet drops.
- The traffic class SKB editing action skbedit priority feature enables changing packet metadata, and it complements the pedit Traffic Class Offloading (TOS).
(BZ#1821646)
The crash kernel now expands memory reserve for kdump
With this enhancement, the crashkernel=auto argument now reserves more memory on machines with 4GB to 64GB memory capacity. Previously, due to limited memory reserve, the crash kernel failed to capture the crash dump as the kernel space and user space memory expanded. As a consequence, the crash kernel experienced an out-of-memory (OOM) error. This update helps to reduce the OOM error occurrences in the described scenario and expands the memory capacity for kdump accordingly.
(BZ#1746644)
5.1.9. File systems and storage
LVM can now manage VDO volumes
LVM now supports the Virtual Data Optimizer (VDO) segment type. As a result, you can now use LVM utilities to create and manage VDO volumes as native LVM logical volumes.
VDO provides inline block-level deduplication, compression, and thin provisioning features.
For more information, see Deduplicating and compressing logical volumes on RHEL.
(BZ#1598199)
The SCSI stack now works better with high-performance adapters
The performance of the SCSI stack has been improved. As a result, next-generation, high performance host bus adapters (HBAs) are now capable of higher IOPS (I/Os per second) on RHEL.
(BZ#1761928)
The megaraid_sas driver has been updated to the latest version
The megaraid_sas driver has been updated to version 07.713.01.00-rc1. This update provides several bug fixes and enhancements relating to improving performance, better stability of supported MegaRAID adapters, and a richer feature set.
(BZ#1791041)
Stratis now lists the pool name on error
When you attempt to create a Stratis pool on a block device that is already in use by an existing Stratis pool, the stratis utility now reports the name of the existing pool. Previously, the utility listed only the UUID label of the pool.
FPIN ELS frame notification support
The lpfc Fibre Channel (FC) driver now supports Fabric Performance Impact Notifications (FPINs) regarding link integrity, which help identify link level issues and allow the switch to choose a more reliable path.
(BZ#1796565)
New commands to debug LVM on-disk metadata
The pvck utility, which is available from the lvm2 package, now provides low-level commands to debug or rescue LVM on-disk metadata on physical volumes:
- To extract metadata, use the pvck --dump command.
- To repair metadata, use the pvck --repair command.
For more information, see the pvck(8) man page.
(BZ#1541165)
LVM RAID supports DM integrity to prevent data loss due to corrupted data on a device
It is now possible to add Device Mapper (DM) integrity to an LVM RAID configuration to prevent data loss. The integrity layer detects data corruption on a device and alerts the RAID layer to fix the corrupted data across the LVM RAID.
While RAID prevents data loss due to device failure, adding integrity to an LVM RAID array prevents data loss due to corrupted data on a device. You can add the integrity layer when you create a new LVM RAID, or you can add it to an LVM RAID that already exists.
(JIRA:RHELPLAN-39320)
Resilient Storage (GFS2) supported on AWS, Azure, and Aliyun public clouds
Resilient Storage (GFS2) is now supported on three major public clouds, Amazon (AWS), Microsoft (Azure) and Alibaba (Aliyun) with the introduction of shared block device support on those platforms. As a result GFS2 is now a true hybrid cloud cluster filesystem with options to use both on premises and in the public cloud. For information on configuring shared block storage on Microsoft Azure and on AWS, see Deploying RHEL 8 on Microsoft Azure and Deploying RHEL 8 on Amazon Web Services. For information on configuring shared block storage on Alibaba Cloud, see Configuring Shared Block Storage for a Red Hat High Availability Cluster on Alibaba Cloud.
Userspace now supports the latest nfsdcld daemon
Userspace now supports the latest nfsdcld daemon, which is the only namespace-aware client tracking method. This enhancement ensures client open or lock recovery from the containerized knfsd daemon without any data corruption.
nconnect now supports multiple concurrent connections
With this enhancement, you can use the nconnect functionality to create multiple concurrent connections to an NFS server, allowing for a different load balancing ability. Enable the nconnect functionality with the nconnect=X NFS mount option, where X is the number of concurrent connections to use. The current limit is 16.
(BZ#1683394, BZ#1761352)
nfsdcld daemon for client information tracking is now supported
With this enhancement, the nfsdcld daemon is now the default method for tracking per-client information on stable storage. As a result, NFS v4 running in containers allows the clients to reclaim opens or locks after a server restart.
(BZ#1817752)
5.1.10. High availability and clusters
pacemaker rebased to version 2.0.4
The Pacemaker cluster resource manager has been upgraded to upstream version 2.0.4, which provides a number of bug fixes.
New priority-fencing-delay cluster property
Pacemaker now supports the new priority-fencing-delay cluster property, which allows you to configure a two-node cluster so that in a split-brain situation the node with the fewest resources running is the node that gets fenced.
The priority-fencing-delay property can be set to a time duration. The default value for this property is 0 (disabled). If this property is set to a non-zero value, and the priority meta-attribute is configured for at least one resource, then in a split-brain situation the node with the highest combined priority of all resources running on it will be more likely to survive.
For example, if you set pcs resource defaults priority=1 and pcs property set priority-fencing-delay=15s and no other priorities are set, then the node running the most resources will be more likely to survive because the other node will wait 15 seconds before initiating fencing. If a particular resource is more important than the rest, you can give it a higher priority.
The node running the master role of a promotable clone will get an extra 1 point if a priority has been configured for that clone.
Any delay set with priority-fencing-delay will be added to any delay from the pcmk_delay_base and pcmk_delay_max fence device properties. This behavior allows some delay when both nodes have equal priority, or both nodes need to be fenced for some reason other than node loss (for example, on-fail=fencing is set for a resource monitor operation). If used in combination, it is recommended that you set the priority-fencing-delay property to a value that is significantly greater than the maximum delay from pcmk_delay_base and pcmk_delay_max, to be sure the prioritized node is preferred (twice the value would be completely safe).
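The rules above (sum of resource priorities per node, one extra point for a promoted clone with a configured priority, the delay applied only on the lower-priority node and stacked on top of the fence device's own delay) determine which node gives up in a split-brain. The following added example (not Pacemaker's code) models them on constructed data so the outcome of a given configuration can be checked before a real fencing event does it for you. Treating "priority configured" as a non-zero priority is an assumption of this model; a real cluster reads these values from the CIB.

```c
#include <stdio.h>
#include <string.h>

struct resource {
    const char *id;
    const char *node;   /* node the resource is currently running on */
    int priority;       /* the priority meta-attribute (0 = not configured) */
    int is_master;      /* running the master role of a promotable clone */
};

/* Combined priority of everything running on node: the sum of resource
 * priorities, plus 1 for a promotable clone's master role when that clone
 * has a priority configured (modelled here as priority != 0). */
int node_priority(const struct resource *rs, size_t n, const char *node)
{
    int total = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(rs[i].node, node) != 0)
            continue;
        total += rs[i].priority;
        if (rs[i].is_master && rs[i].priority != 0)
            total += 1;
    }
    return total;
}

/* Seconds a node waits before fencing its peer: priority-fencing-delay is
 * added only on the node with the lower combined priority, and any delay
 * from the fence device (pcmk_delay_base here) is always added on top. */
int fencing_delay(int my_priority, int peer_priority,
                  int priority_fencing_delay, int pcmk_delay_base)
{
    int delay = pcmk_delay_base;
    if (priority_fencing_delay > 0 && my_priority < peer_priority)
        delay += priority_fencing_delay;
    return delay;
}

/* The note recommends priority-fencing-delay well above the largest
 * fence-device delay and calls twice that value completely safe. */
int priority_delay_is_safe(int priority_fencing_delay, int max_device_delay)
{
    return priority_fencing_delay >= 2 * max_device_delay;
}

int main(void)
{
    /* constructed cluster: default priority=1 everywhere, one promoted db */
    const struct resource rs[] = {
        { "vip",   "node1", 1, 0 },
        { "web",   "node1", 1, 0 },
        { "db",    "node1", 1, 1 },
        { "dummy", "node2", 1, 0 },
    };
    size_t n = sizeof rs / sizeof rs[0];
    int p1 = node_priority(rs, n, "node1");
    int p2 = node_priority(rs, n, "node2");
    printf("node1 priority %d, node2 priority %d\n", p1, p2);
    printf("with priority-fencing-delay=15s: node1 waits %ds, node2 waits %ds\n",
           fencing_delay(p1, p2, 15, 0), fencing_delay(p2, p1, 15, 0));
    printf("15s against pcmk_delay_max=5s is %s\n",
           priority_delay_is_safe(15, 5) ? "safe" : "too small");
    return 0;
}
```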
New commands for managing multiple sets of resource and operation defaults
It is now possible to create, list, change and delete multiple sets of resource and operation defaults. When you create a set of default values, you can specify a rule that contains resource and op expressions. This allows you, for example, to configure a default resource value for all resources of a particular type. Commands that list existing default values now include multiple sets of defaults in their output.
- The pcs resource [op] defaults set create command creates a new set of default values. When specifying rules with this command, only resource and op expressions, including and, or and parentheses, are allowed.
- The pcs resource [op] defaults set delete | remove command removes sets of default values.
- The pcs resource [op] defaults set update command changes the default values in a set.
(BZ#1817547)
Support for tagging cluster resources
It is now possible to tag cluster resources in a Pacemaker cluster with the pcs tag command. This feature allows you to administer a specified set of resources with a single command. You can also use the pcs tag command to remove or modify a resource tag, and to display the tag configuration.
The pcs resource enable, pcs resource disable, pcs resource manage, and pcs resource unmanage commands accept tag IDs as arguments.
Pacemaker now supports recovery by demoting a promoted resource rather than fully stopping it
It is now possible to configure a promotable resource in a Pacemaker cluster so that when a promote or monitor action fails for that resource, or the partition in which the resource is running loses quorum, the resource will be demoted but will not be fully stopped.
This feature can be useful when you would prefer that the resource continue to be available in the unpromoted mode. For example, if a database master’s partition loses quorum, you might prefer that the database resource lose the Master role, but stay alive in read-only mode so applications that only need to read can continue to work despite the lost quorum. This feature can also be useful when a successful demote is both sufficient for recovery and much faster than a full restart.
To support this feature:
- The on-fail operation meta-attribute now accepts a demote value when used with promote actions, as in the following example: pcs resource op add my-rsc promote on-fail="demote"
- The on-fail operation meta-attribute now accepts a demote value when used with monitor actions with both interval set to a nonzero value and role set to Master, as in the following example: pcs resource op add my-rsc monitor interval="10s" on-fail="demote" role="Master"
- The no-quorum-policy cluster property now accepts a demote value. When set, if a cluster partition loses quorum, any promoted resources will be demoted but left running and all other resources will be stopped.
Specifying a demote meta-attribute for an operation does not affect how promotion of a resource is determined. If the affected node still has the highest promotion score, it will be selected to be promoted again.
(BZ#1837747, BZ#1843079)
New SBD_SYNC_RESOURCE_STARTUP SBD configuration parameter to improve synchronization with Pacemaker
To better control synchronization between SBD and Pacemaker, the /etc/sysconfig/sbd file now supports the SBD_SYNC_RESOURCE_STARTUP parameter. When Pacemaker and SBD packages from RHEL 8.3 or later are installed and SBD is configured with SBD_SYNC_RESOURCE_STARTUP=true, SBD contacts the Pacemaker daemon for information about the daemon’s state.
In this configuration, the Pacemaker daemon will wait until it has been contacted by SBD, both before starting its subdaemons and before final exit. As a result, Pacemaker will not run resources if SBD cannot actively communicate with it, and Pacemaker will not exit until it has reported a graceful shutdown to SBD. This prevents the unlikely situation that might occur during a graceful shutdown when SBD fails to detect the brief moment when no resources are running before Pacemaker finally disconnects, which would trigger an unneeded reboot. Detecting a graceful shutdown using a defined handshake works in maintenance mode as well. The previous method of detecting a graceful shutdown on the basis of no running resources left had to be disabled in maintenance mode since running resources would not be touched on shutdown.
In addition, enabling this feature avoids the risk of a split-brain situation in a cluster when SBD and Pacemaker both start successfully but SBD is unable to contact pacemaker. This could happen, for example, due to SELinux policies. In this situation, Pacemaker would assume that SBD is functioning when it is not. With this new feature enabled, Pacemaker will not complete startup until SBD has contacted it. Another advantage of this new feature is that when it is enabled SBD will contact Pacemaker repeatedly, using a heartbeat, and it is able to panic the node if Pacemaker stops responding at any time.
If you have edited your /etc/sysconfig/sbd file or configured SBD through PCS, then an RPM upgrade will not pull in the new SBD_SYNC_RESOURCE_STARTUP parameter. In these cases, to implement this feature you must manually add it from the /etc/sysconfig/sbd.rpmnew file or follow the procedure described in the Configuration via environment section of the sbd(8) man page.
5.1.11. Dynamic programming languages, web and database servers
A new module stream: ruby:2.7
RHEL 8.3 introduces Ruby 2.7.1 in a new ruby:2.7 module stream. This version provides a number of performance improvements, bug and security fixes, and new features over Ruby 2.6 distributed with RHEL 8.1.
Notable enhancements include:
- A new Compaction Garbage Collector (GC) has been introduced. This GC can defragment a fragmented memory space.
- Ruby yet Another Compiler-Compiler (Racc) now provides a command-line interface for the one-token Look-Ahead Left-to-Right – LALR(1) – parser generator.
- Interactive Ruby Shell (irb), the bundled Read–Eval–Print Loop (REPL) environment, now supports multi-line editing.
- Pattern matching, frequently used in functional programming languages, has been introduced as an experimental feature.
- Numbered parameter as the default block parameter has been introduced as an experimental feature.
The following performance improvements have been implemented:
- Fiber cache strategy has been changed to accelerate fiber creation.
- Performance of the CGI.escapeHTML method has been improved.
- Performance of the Monitor class and MonitorMixin module has been improved.
In addition, automatic conversion of keyword arguments and positional arguments has been deprecated. In Ruby 3.0, positional arguments and keyword arguments will be separated. For more information, see the upstream documentation.
To suppress warnings against experimental features, use the -W:no-experimental command-line option. To disable a deprecation warning, use the -W:no-deprecated command-line option or add Warning[:deprecated] = false to your code.
To install the ruby:2.7 module stream, use:
# yum module install ruby:2.7
If you want to upgrade from the ruby:2.6 stream, see Switching to a later stream.
(BZ#1817135)
A new module stream: nodejs:14
A new module stream, nodejs:14, is now available. Node.js 14, included in RHEL 8.3, provides numerous new features and bug and security fixes over Node.js 12 distributed in RHEL 8.1.
Notable changes include:
- The V8 engine has been upgraded to version 8.3.
- A new experimental WebAssembly System Interface (WASI) has been implemented.
- A new experimental Async Local Storage API has been introduced.
- The diagnostic report feature is now stable.
- The streams APIs have been hardened.
- Experimental modules warnings have been removed.
With the release of the RHEA-2020:5101 advisory, RHEL 8 provides Node.js 14.15.0, which is the most recent Long Term Support (LTS) version with improved stability.
To install the nodejs:14 module stream, use:
# yum module install nodejs:14
If you want to upgrade from the nodejs:12 stream, see Switching to a later stream.
(BZ#1815402, BZ#1891809)
git rebased to version 2.27
The git packages have been upgraded to upstream version 2.27. Notable changes over the previously available version 2.18 include:
- The git checkout command has been split into two separate commands:
  - git switch for managing branches
  - git restore for managing changes within the directory tree
- The behavior of the git rebase command is now based on the merge workflow by default rather than the previous patch+apply workflow. To preserve the previous behavior, set the rebase.backend configuration variable to apply.
- The git difftool command can now be used also outside a repository.
- Four new configuration variables, {author,committer}.{name,email}, have been introduced to override user.{name,email} in more specific cases.
- Several new options have been added that enable users to configure SSL for communication with proxies.
- Handling of commits with log messages in non-UTF-8 character encoding has been improved in the git fast-export and git fast-import utilities.
- The lfs extension has been added as a new git-lfs package. Git Large File Storage (LFS) replaces large files with text pointers inside Git and stores the file contents on a remote server.
(BZ#1825114, BZ#1783391)
Changes in Python
RHEL 8.3 introduces the following changes to the python38:3.8 module stream:
- The Python interpreter has been updated to version 3.8.3, which provides several bug fixes.
- The python38-pip package has been updated to version 19.3.1, and pip now supports installing manylinux2014 wheels.
Performance of the Python 3.6 interpreter, provided by the python3 packages, has been significantly improved.
The ubi8/python-27, ubi8/python-36, and ubi8/python-38 container images now support installing the pipenv utility from a custom package index or a PyPI mirror if provided by the customer. Previously, pipenv could only be downloaded from the upstream PyPI repository, and if the upstream repository was unavailable, the installation failed.
(BZ#1847416, BZ#1724996, BZ#1827623, BZ#1841001)
A new module stream: php:7.4
RHEL 8.3 introduces PHP 7.4, which provides a number of bug fixes and enhancements over version 7.3.
This release introduces a new experimental extension, Foreign Function Interface (FFI), which enables you to call native functions, access native variables, and create and access data structures defined in C libraries. The FFI extension is available in the php-ffi package.
The following extensions have been removed:
- The wddx extension, removed from the php-xml package
- The recode extension, removed from the php-recode package
To install the php:7.4 module stream, use:
# yum module install php:7.4
If you want to upgrade from the php:7.3 stream, see Switching to a later stream.
For details regarding PHP usage on RHEL 8, see Using the PHP scripting language.
A new module stream: nginx:1.18
The nginx 1.18 web and proxy server, which provides a number of bug fixes, security fixes, new features and enhancements over version 1.16, is now available. Notable changes include:
- Enhancements to HTTP request rate and connection limiting have been implemented. For example, the limit_rate and limit_rate_after directives now support variables, including the new $limit_req_status and $limit_conn_status variables. In addition, dry-run mode has been added for the limit_conn_dry_run and limit_req_dry_run directives.
- A new auth_delay directive has been added, which enables delayed processing of unauthorized requests.
- The following directives now support variables: grpc_pass, proxy_upload_rate, and proxy_download_rate.
- Additional PROXY protocol variables have been added, namely $proxy_protocol_server_addr and $proxy_protocol_server_port.
To install the nginx:1.18 stream, use:
# yum module install nginx:1.18
If you want to upgrade from the nginx:1.16 stream, see Switching to a later stream.
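The following server block is an added configuration example, not part of the release notes or of the nginx project's own documentation, showing the limiting and authentication directives listed above used together: request and connection limits are first rolled out in dry-run mode (violations are only logged, via the new status variables, so thresholds can be tuned without blocking users), and auth_delay slows down repeated failed basic-auth attempts. The zone names, paths, upstream address and rates are assumed placeholder values.

```nginx
http {
    # Per-client rate and connection limit zones (names and sizes are assumed values)
    limit_req_zone  $binary_remote_addr zone=perip:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=peraddr:10m;

    # Log format that records what the limiters decided for each request
    log_format limits '$remote_addr "$request" $status '
                      'req_status=$limit_req_status conn_status=$limit_conn_status';

    server {
        listen 80;
        access_log /var/log/nginx/limits.log limits;

        limit_req  zone=perip burst=20 nodelay;
        limit_conn peraddr 10;

        # Dry-run: evaluate and log the limits but do not reject requests yet.
        # Set both to "off" once the log shows the thresholds are right.
        limit_req_dry_run  on;
        limit_conn_dry_run on;

        location /admin/ {
            auth_basic           "restricted";
            auth_basic_user_file /etc/nginx/htpasswd;   # assumed path
            # Delay 401 responses so password guessing is throttled server-side
            auth_delay 2s;
            proxy_pass http://127.0.0.1:8080;            # assumed backend
        }
    }
}
```

While dry-run is on, entries with req_status=DELAYED or REJECTED_DRY_RUN and conn_status=REJECTED_DRY_RUN in limits.log show which clients would have been affected, which is the signal to tune the rate and burst values before enforcing them.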
A new module stream: perl:5.30
RHEL 8.3 introduces Perl 5.30, which provides a number of bug fixes and enhancements over the previously released Perl 5.26. The new version also deprecates or removes certain language features. Notable changes with significant impact include:
- The Math::BigInt::CalcEmu, arybase, and B::Debug modules have been removed
- File descriptors are now opened with a close-on-exec flag
- Opening the same symbol as a file and as a directory handle is no longer allowed
- Subroutine attributes now must precede subroutine signatures
- The :locked and :uniq attributes have been removed
- Comma-less variable lists in formats are no longer allowed
- A bare << here-document operator is no longer allowed
- Certain formerly deprecated uses of an unescaped left brace ({) character in regular expression patterns are no longer permitted
- The AUTOLOAD() subroutine can no longer be inherited to non-method functions
- The sort pragma no longer allows specifying a sort algorithm
- The B::OP::terse() subroutine has been replaced by the B::Concise::b_terse() subroutine
- The File::Glob::glob() function has been replaced by the File::Glob::bsd_glob() function
- The dump() function now must be invoked fully qualified as CORE::dump()
- The yada-yada operator (…) is now a statement; it cannot be used as an expression
- Assigning a non-zero value to the $[ variable now returns a fatal error
- The $* and $# variables are no longer allowed
- Declaring variables using the my() function in a false condition branch is no longer allowed
- Using the sysread() and syswrite() functions on :utf8 handles now returns a fatal error
- The pack() function no longer returns malformed UTF-8 format
- Unicode code points with a value greater than IV_MAX are no longer allowed
- Unicode 12.1 is now supported
To upgrade from an earlier perl module stream, see Switching to a later stream.
Perl 5.30 is also available as an s2i-enabled ubi8/perl-530 container image.
A new module stream: perl-libwww-perl:6.34
RHEL 8.3 introduces a new perl-libwww-perl:6.34 module stream, which provides the perl-libwww-perl package for all versions of Perl available in RHEL 8. The non-modular perl-libwww-perl package, available since RHEL 8.0, which cannot be used with Perl streams other than 5.26, has been obsoleted by the new default perl-libwww-perl:6.34 stream.
A new module stream: perl-IO-Socket-SSL:2.066
A new perl-IO-Socket-SSL:2.066 module stream is now available. This module provides the perl-IO-Socket-SSL and perl-Net-SSLeay packages and it is compatible with all Perl streams available in RHEL 8.
The squid:4 module stream rebased to version 4.11
The Squid proxy server, provided by the squid:4 module stream, has been upgraded from version 4.4 to version 4.11. This release provides multiple bug and security fixes, and various enhancements, such as new configuration options.
(BZ#1829467)
Changes in the httpd:2.4 module stream
RHEL 8.3 introduces the following notable changes to the Apache HTTP Server, available through the httpd:2.4 module stream:
- The mod_http2 module rebased to version 1.15.7
- Configuration changes in the H2Upgrade and H2Push directives
- A new H2Padding configuration directive to control padding of the HTTP/2 payload frames
- Numerous bug fixes
Support for logging to journald from the CustomLog directive in httpd
It is now possible to output access (transfer) logs to journald from the Apache HTTP Server by using a new option for the CustomLog directive.
The supported syntax is as follows:
CustomLog journald:priority format|nickname
where priority is any priority string up to debug as used in the LogLevel directive.
For example, to log to journald using the combined log format, use:
CustomLog journald:info combined
Note that when using this option, the server performance might be lower than when logging directly to flat files.
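As an added configuration example (not from the release notes or the httpd project's documentation), the fragment below keeps the flat-file access log for existing tooling, mirrors every request to journald at the info priority as shown above, and additionally records error responses at the warning priority so they stand out when filtering the journal by priority. The expr= conditional form of CustomLog and the %{REQUEST_STATUS} expression variable are standard mod_log_config and ap_expr features; the file path is an assumed value.

```apache
# Standard "combined" format (same nickname the release note uses)
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

# Keep the file log so log shippers that tail it continue to work
CustomLog /var/log/httpd/access_log combined

# Every request also goes to journald at priority "info"
CustomLog journald:info combined

# 4xx/5xx responses are logged once more at "warning", so that
# "journalctl -u httpd.service -p warning" surfaces only failed requests
CustomLog journald:warning combined "expr=%{REQUEST_STATUS} >= 400"
```

Because each CustomLog line is a separate log target, a request that matches the conditional is written twice to journald (once at info, once at warning); drop the unconditional journald line if only the error view is wanted and the file log remains the full record.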
5.1.12. Compilers and development tools
.NET 5 is now available on RHEL
.NET 5 is available on Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, and OpenShift Container Platform. .NET 5 includes new language versions: C# 9 and F# 5.0. Significant performance improvements were made in the base libraries, GC and JIT. .NET 5 adds single-file applications, which allow you to distribute .NET applications as a single executable, with all dependencies included. UBI8 images for .NET 5 are available from the Red Hat container registry and can be used with OpenShift.
To use .NET 5, install the dotnet-sdk-5.0
package:
$ sudo dnf install -y dotnet-sdk-5.0
For more information, see the .NET 5 documentation.
New GCC Toolset 10
GCC Toolset 10 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.
The GCC compiler has been updated to version 10.2.1, which provides many bug fixes and enhancements that are available in upstream GCC.
The following tools and versions are provided by GCC Toolset 10:
| Tool | Version |
|---|---|
| GCC | 10.2.1 |
| GDB | 9.2 |
| Valgrind | 3.16.0 |
| SystemTap | 4.3 |
| Dyninst | 10.1.0 |
| binutils | 2.35 |
| elfutils | 0.180 |
| dwz | 0.12 |
| make | 4.2.1 |
| strace | 5.7 |
| ltrace | 0.7.91 |
| annobin | 9.29 |
To install GCC Toolset 10, run the following command as root:
# yum install gcc-toolset-10
To run a tool from GCC Toolset 10:
$ scl enable gcc-toolset-10 tool
To run a shell session where tool versions from GCC Toolset 10 override system versions of these tools:
$ scl enable gcc-toolset-10 bash
For more information, see Using GCC Toolset.
The GCC Toolset 10 components are available in the two container images:
- rhel8/gcc-toolset-10-toolchain, which includes the GCC compiler, the GDB debugger, and the make automation tool.
- rhel8/gcc-toolset-10-perftools, which includes the performance monitoring tools, such as SystemTap and Valgrind.
To pull a container image, run the following command as root:
# podman pull registry.redhat.io/<image_name>
Note that only the GCC Toolset 10 container images are now supported. Container images of earlier GCC Toolset versions are deprecated.
For details regarding the container images, see Using the GCC Toolset container images.
(BZ#1842656)
Rust Toolset rebased to version 1.45.2
Rust Toolset has been updated to version 1.45.2. Notable changes include:
- The cargo tree subcommand for viewing dependencies is now included in cargo.
- Casting from floating point values to integers now produces a clamped cast. Previously, when a truncated floating point value was out of range for the target integer type, the result was undefined behaviour of the compiler. Non-finite floating point values led to undefined behaviour as well. With this enhancement, finite values are clamped to either the minimum or the maximum of the integer type's range. Positive and negative infinity values are by default clamped to the maximum and minimum integer respectively, and Not-a-Number (NaN) values to zero.
- Function-like procedural macros in expressions, patterns, and statements are now extended and stabilized.
For detailed instructions regarding usage, see Using Rust Toolset.
(BZ#1820593)
LLVM Toolset rebased to version 10.0.1
LLVM Toolset has been upgraded to version 10.0.1. With this update, the clang-libs packages no longer include individual component libraries. As a result, it is no longer possible to link applications against them. To link applications against the clang libraries, use the libclang-cpp.so package.
For more information, see Using LLVM Toolset.
(BZ#1820587)
Go Toolset rebased to version 1.14.7
Go Toolset has been upgraded to version 1.14.7. Notable changes include:
- The Go module system is now fully supported.
- SSL version 3.0 (SSLv3) is no longer supported.
Notable Delve debugger enhancements include:
- The new command examinemem (or x) for examining raw memory
- The new command display for printing values of an expression during each stop of the program
- The new --tty flag for supplying a Teletypewriter (TTY) for the debugged program
- The new coredump support for Arm64
- The new ability to print goroutine labels
- The release of the Debug Adapter Protocol (DAP) server
- The improved output from dlv trace and trace REPL (read-eval-print-loop) commands
For more information on Go Toolset, see Using Go Toolset.
For more information on Delve, see the upstream Delve documentation.
(BZ#1820596)
SystemTap rebased to version 4.3
The SystemTap instrumentation tool has been updated to version 4.3, which provides multiple bug fixes and enhancements. Notable changes include:
- Userspace probes can be targeted by the hexadecimal buildid from readelf -n. This alternative to a path name enables matching binaries to be probed under any name, and thus allows a single script to target a range of different versions. This feature works well in conjunction with the elfutils debuginfod server.
- Script functions can use probe $context variables to access variables in the probed location, which allows SystemTap scripts to use common logic to work with a variety of probes.
- Improvements to the stapbpf program, including try-catch statements and error probes, have been made to enable proper error tolerance in scripts running on the BPF backend.
For further information about notable changes, read the upstream release notes before updating.
Valgrind rebased to version 3.16.0
The Valgrind executable code analysis tool has been updated to version 3.16.0, which provides a number of bug fixes and enhancements over the previous version:
- It is now possible to dynamically change the value of many command-line options while your program is running under Valgrind: through vgdb, through a gdb connected to the Valgrind gdbserver, or through program client requests. To get a list of dynamically changeable options, run the valgrind --help-dyn-options command.
- For the Cachegrind (cg_annotate) and Callgrind (callgrind_annotate) tools the --auto and --show-percs options now default to yes.
- The Memcheck tool produces fewer false positive errors on optimized code. In particular, Memcheck now better handles the case when the compiler transformed an A && B check into B && A, where B could be undefined and A was false. Memcheck also better handles integer equality checks and non-equality checks on partially defined values.
- The experimental Stack and Global Array Checking tool (exp-sgcheck) has been removed. An alternative for detecting stack and global array overruns is using the AddressSanitizer (ASAN) facility of GCC, which requires you to rebuild your code with the -fsanitize=address option.
elfutils rebased to version 0.180
The elfutils package has been updated to version 0.180, which provides multiple bug fixes and enhancements. Notable changes include:
- Better support for debug info for code built with GCC LTO (link time optimization). The eu-readelf and libdw utilities now can read and handle .gnu.debuglto_ sections, and correctly resolve file names for functions that are defined across CUs (compile units).
- The eu-nm utility now explicitly identifies weak objects as V and common symbols as C.
- The debuginfod server can now index .deb archives and has a generic extension to add other package archive formats using the -Z EXT[=CMD] option. For example, -Z '.tar.zst=zstdcat' indicates that archives ending with the .tar.zst extension should be unpacked using the zstdcat utility.
- The debuginfo-client tool has several new helper functions, such as debuginfod_set_user_data, debuginfod_get_user_data, debuginfod_get_url and debuginfod_add_http_header. It also supports file:// URLs now.
GDB now supports process record and replay on IBM z15
With this enhancement, the GNU Debugger (GDB) now supports process record and replay with most of the new instructions of the IBM z15 processor (previously known as arch13). Note that the following instructions are currently not supported: SORTL (sort lists), DFLTCC (deflate conversion call), KDSA (compute digital signature authentication).
(BZ#1659535)
Marvell ThunderX2 performance monitoring events have been updated in papi
With this enhancement, a number of performance events specific to ThunderX2, including uncore events, have been updated. As a result, developers can better investigate system performance on Marvell ThunderX2 systems.
(BZ#1726070)
The glibc math library is now optimized for IBM Z
With this enhancement, the libm math functions were optimized to improve performance on IBM Z machines. Notable changes include:
- improved rounding mode handling to avoid superfluous floating point control register sets and extracts
- exploitation of conversion between z196 integer and float
(BZ#1780204)
An additional libffi-specific temporary directory is available now
Previously on hardened systems, the system-wide temporary directories may not have had permissions suitable for use with the libffi library.
With this enhancement, system administrators can now set the LIBFFI_TMPDIR environment variable to point to a libffi-specific temporary directory with both write and exec mount or selinux permissions.
Improved performance of strstr() and strcasestr()
With this update, the performance of the strstr() and strcasestr() functions has been improved across several supported architectures. As a result, users now benefit from significantly better performance of all applications using string and memory manipulation routines.
(BZ#1821531)
glibc now handles loading of a truncated locale archive correctly
If the archive of system locales has been previously truncated, either due to a power outage during upgrade or a disk failure, a process could terminate unexpectedly when loading the archive. This enhancement adds additional consistency checks to the loading of the locale archive. As a result, processes are now able to detect archive truncation and fall back to either non-archive installed locales or the default POSIX locale.
(BZ#1784525)
GDB now supports debuginfod
With this enhancement, the GNU Debugger (GDB) can now download debug information packages from centralized servers on demand using the elfutils debuginfod client library.
pcp rebased to version 5.1.1-3
The pcp package has been upgraded to version 5.1.1-3. Notable changes include:
- Updated service units and improved systemd integration and reliability for all the PCP services. Improved archive log rotation and more timely compression. Archive discovery bug fixes in the pmproxy protocol.
- Improved pcp-atop, pcp-dstat, pmrep, and related monitor tools along with metric labels reporting in the pmrep and export tools.
- Improved bpftrace, OpenMetrics, MMV, the Linux kernel agent, and other collection agents. New metric collectors for the Open vSwitch and RabbitMQ servers.
- New host discovery pmfind systemd service, which replaces the standalone pmmgr daemon.
grafana rebased to version 6.7.3
The grafana package has been upgraded to version 6.7.3. Notable changes include:
- Generic OAuth role mapping support
- A new logs panel
- Multi-line text display in the table panel
- New currency and energy units
grafana-pcp rebased to version 2.0.2
The grafana-pcp package has been upgraded to version 2.0.2. Notable changes include:
- Supports the multidimensional eBPF maps to be graphed in the flamegraph.
- Removes an auto-completion cache in the query editor, so that the PCP metrics can appear dynamically.
A new rhel8/pcp container image
The rhel8/pcp container image is now available in the Red Hat Container Registry. The image contains the Performance Co-Pilot (PCP) toolkit, which includes the preinstalled pcp-zeroconf package and the OpenMetrics PMDA.
(BZ#1497296)
A new rhel8/grafana container image
The rhel8/grafana container image is now available in the Red Hat Container Registry. Grafana is an open source utility with a metrics dashboard and graph editor for the Graphite, Elasticsearch, OpenTSDB, Prometheus, InfluxDB, and PCP monitoring tools.
5.1.13. Identity Management
IdM backup utility now checks for required replica roles
The ipa-backup
utility now checks if all of the services used in the IdM cluster, such as a Certificate Authority (CA), Domain Name System (DNS), and Key Recovery Agent (KRA) are installed on the replica where you are running the backup. If the replica does not have all these services installed, the ipa-backup
utility exits with a warning, because backups taken on that host would not be sufficient for a full cluster restoration.
For example, if your IdM deployment uses an integrated Certificate Authority (CA), a backup run on a non-CA replica will not capture CA data. Red Hat recommends verifying that the replica where you perform an ipa-backup
has all of the IdM services used in the cluster installed.
For more information, see Preparing for data loss with IdM backups.
New password expiration notification tool
Expiring Password Notification (EPN), provided by the ipa-client-epn
package, is a standalone tool you can use to build a list of Identity Management (IdM) users whose passwords are expiring soon.
IdM administrators can use EPN to:
- Display a list of affected users in JSON format, which is calculated at runtime
- Calculate how many emails will be sent for a given day or date range
- Send password expiration email notifications to users
Red Hat recommends launching EPN once a day from an IdM client or replica with the included ipa-epn.timer
systemd
timer.
(BZ#913799)
JSS now provides a FIPS-compliant SSLContext
Previously, Tomcat used the SSLEngine directive from the Java Cryptography Architecture (JCA) SSLContext class. The default SunJSSE implementation is not compliant with the Federal Information Processing Standard (FIPS), therefore PKI now provides a FIPS-compliant implementation via JSS.
Checking the overall health of your public key infrastructure is now available
With this update, the public key infrastructure (PKI) Healthcheck tool reports the health of the PKI subsystem to the Identity Management (IdM) Healthcheck tool, which was introduced in RHEL 8.1. Executing the IdM Healthcheck invokes the PKI Healthcheck, which collects and returns the health report of the PKI subsystem.
The pki-healthcheck tool is available on any deployed RHEL IdM server or replica. All the checks provided by pki-healthcheck are also integrated into the ipa-healthcheck tool. ipa-healthcheck can be installed separately from the idm:DL1 module stream.
Note that pki-healthcheck can also work in a standalone Red Hat Certificate System (RHCS) infrastructure.
(BZ#1770322)
Support for RSA PSS
With this enhancement, PKI now supports the RSA PSS (Probabilistic Signature Scheme) signing algorithm.
To enable this feature, set the following line in the pkispawn script file for a given subsystem:
pki_use_pss_rsa_signing_algorithm=True
As a result, all existing default signing algorithms for this subsystem (specified in its CS.cfg configuration file) will use the corresponding PSS version. For example, SHA256withRSA becomes SHA256withRSA/PSS.
Directory Server exports the private key and certificate to a private name space when the service starts
Directory Server uses OpenLDAP libraries for outgoing connections, such as replication agreements. Because these libraries cannot access the network security services (NSS) database directly, Directory Server extracts the private key and certificates from the NSS database on instances with TLS encryption support to enable the OpenLDAP libraries to establish encrypted connections. Previously, Directory Server extracted the private key and certificates to the directory set in the nsslapd-certdir parameter in the cn=config entry (default: /etc/dirsrv/slapd-<instance_name>/). As a consequence, Directory Server stored the Server-Cert-Key.pem and Server-Cert.pem files in this directory. With this enhancement, Directory Server extracts the private key and certificate to a private name space that systemd mounts to the /tmp/ directory. As a result, the security has been increased.
Directory Server can now turn an instance to read-only mode if the disk monitoring threshold is reached
This update adds the nsslapd-disk-monitoring-readonly-on-threshold parameter to the cn=config entry. If you enable this setting, Directory Server switches all databases to read-only if disk monitoring is enabled and the free disk space is lower than the value you configured in nsslapd-disk-monitoring-threshold. With nsslapd-disk-monitoring-readonly-on-threshold set to on, the databases cannot be modified until Directory Server successfully shuts down the instance. This can prevent data corruption.
(BZ#1728943)
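The LDIF below is an added example, not taken from the release notes or from the Directory Server documentation, showing the three cn=config attributes that have to agree for the new behaviour to take effect: disk monitoring itself must be on, a threshold (in bytes) must be set, and the new read-only switch must be enabled. The threshold value is an assumed value for the example.

```ldif
# Enable disk monitoring, set the free-space threshold (bytes), and make the
# databases read-only instead of continuing to write once it is crossed.
dn: cn=config
changetype: modify
replace: nsslapd-disk-monitoring
nsslapd-disk-monitoring: on
-
replace: nsslapd-disk-monitoring-threshold
nsslapd-disk-monitoring-threshold: 2000000000
-
replace: nsslapd-disk-monitoring-readonly-on-threshold
nsslapd-disk-monitoring-readonly-on-threshold: on
```

Apply it with ldapmodify as the Directory Manager, for example `ldapmodify -H ldap://localhost -D "cn=Directory Manager" -W -f disk-monitoring.ldif`, and confirm with an ldapsearch on cn=config that all three attributes read back as intended; the read-only switch has no effect while nsslapd-disk-monitoring is off.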
samba rebased to version 4.12.3
The samba packages have been upgraded to upstream version 4.12.3, which provides a number of bug fixes and enhancements over the previous version:
- Built-in cryptography functions have been replaced with GnuTLS functions. This improves the server message block version 3 (SMB3) performance and copy speed significantly.
- The minimum runtime support is now Python 3.5.
- The write cache size parameter has been removed because the previous write cache concept could reduce the performance on memory-constrained systems.
- Support for authenticating connections using Kerberos tickets with DES encryption types has been removed.
- The vfs_netatalk virtual file system (VFS) module has been removed.
- The ldap ssl ads parameter is marked as deprecated and will be removed in a future Samba version. For information about how to alternatively encrypt LDAP traffic and further details, see the samba: removal of "ldap ssl ads" smb.conf option solution.
- By default, Samba on RHEL 8.3 no longer supports the deprecated RC4 cipher suite. If you run Samba as a domain member in an AD that still requires RC4 for Kerberos authentication, use the update-crypto-policies --set DEFAULT:AD-SUPPORT command to enable support for the RC4 encryption type.
Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
For further information about notable changes, read the upstream release notes before updating.
cockpit-session-recording rebased to version 4
The cockpit-session-recording module has been rebased to version 4. This version provides the following notable changes over the previous version:
- Updated parent id in the metainfo file.
- Updated package manifest.
- Fixed rpmmacro to resolve the correct path on CentOS7.
- Handled byte-array encoded journal data.
- Moved code out of deprecated React lifecycle functions.
krb5 rebased to version 1.18.2
The krb5 packages have been upgraded to upstream version 1.18.2. Notable fixes and enhancements include:
- Single- and triple-DES encryption types have been removed.
- Draft 9 PKINIT has been removed as it is not needed for any of the supported versions of Active Directory.
- NegoEx mechanism plug-ins are now supported.
- Hostname canonicalization fallback is now supported (dns_canonicalize_hostname = fallback).
(BZ#1802334)
IdM now supports new Ansible management modules
This update introduces several ansible-freeipa modules for automating common Identity Management (IdM) tasks using Ansible playbooks:
- The config module allows setting global configuration parameters within IdM.
- The dnsconfig module allows modifying global DNS configuration.
- The dnsforwardzone module allows adding and removing DNS forwarders from IdM.
- The dnsrecord module allows the management of DNS records. In contrast to the upstream ipa_dnsrecord, it allows multiple record management in one execution, and it supports more record types.
- The dnszone module allows configuring zones in the DNS server.
- The service module allows ensuring the presence and absence of services.
- The vault module allows ensuring the presence and absence of vaults and of the members of vaults.
Note that the ipagroup and ipahostgroup modules have been extended to include user and host group membership managers, respectively. A group membership manager is a user or a group that can add members to a group or remove members from a group. For more information, see the Variables sections of the respective /usr/share/doc/ansible-freeipa/README-* files.
(JIRA:RHELPLAN-49954)
IdM now supports a new Ansible system role for certificate management
Identity Management (IdM) supports a new Ansible system role for automating certificate management tasks. The new role includes the following benefits:
- The role helps automate the issuance and renewal of certificates.
- The role can be configured to have the ipa certificate authority issue your certificates. In this way, you can use your existing IdM infrastructure to manage the certificate trust chain.
- The role allows you to specify the commands to be executed before and after a certificate is issued, for example the stopping and starting of services.
(JIRA:RHELPLAN-50002)
Identity Management now supports FIPS
With this enhancement, you can now use encryption types that are approved by the Federal Information Processing Standard (FIPS) with the authentication mechanisms in Identity Management (IdM). Note that a cross-forest trust between IdM and Active Directory is not FIPS compliant.
Customers who require FIPS but do not require an AD trust can now install IdM in FIPS mode.
(JIRA:RHELPLAN-43531)
OpenDNSSEC in idm:DL1 rebased to version 2.1
The OpenDNSSEC component of the idm:DL1 module stream has been upgraded to the 2.1 version series, which is the current long term upstream support version. OpenDNSSEC is an open source project driving the adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security. OpenDNSSEC 2.1 provides a number of bug fixes and enhancements over the previous version. For more information, read the upstream release notes: https://www.opendnssec.org/archive/releases/
(JIRA:RHELPLAN-48838)
IdM now supports the deprecated RC4 cipher suite with a new system-wide cryptographic subpolicy
This update introduces the new AD-SUPPORT
cryptographic subpolicy that enables the Rivest Cipher 4 (RC4) cipher suite in Identity Management (IdM).
As an administrator in the context of IdM-Active Directory (AD) cross-forest trusts, you can activate the new AD-SUPPORT
subpolicy when AD is not configured to use Advanced Encryption Standard (AES). More specifically, Red Hat recommends enabling the new subpolicy if one of the following conditions applies:
- The user or service accounts in AD have RC4 encryption keys and lack AES encryption keys.
- The trust links between individual Active Directory domains have RC4 encryption keys and lack AES encryption keys.
To enable the AD-SUPPORT
subpolicy in addition to the DEFAULT
cryptographic policy, enter:
# update-crypto-policies --set DEFAULT:AD-SUPPORT
Alternatively, to upgrade trusts between AD domains in an AD forest so that they support strong AES encryption types, see the following Microsoft article: AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain.
(BZ#1851139)
Adjusting to new Microsoft LDAP channel binding and LDAP signing requirements
With recent Microsoft updates, Active Directory (AD) flags the clients that do not use the default Windows settings for LDAP channel binding and LDAP signing. As a consequence, RHEL systems that use the System Security Services Daemon (SSSD) for direct or indirect integration with AD might trigger error Event IDs in AD upon successful Simple Authentication and Security Layer (SASL) operations that use the Generic Security Services Application Program Interface (GSSAPI).
To prevent these notifications, configure client applications to use the Simple and Protected GSSAPI Negotiation Mechanism (GSS-SPNEGO) SASL mechanism instead of GSSAPI. To configure SSSD, set the ldap_sasl_mech option to GSS-SPNEGO.
Additionally, if channel binding is enforced on the AD side, configure any systems that use SASL with SSL/TLS in the following way:
- Install the latest versions of the cyrus-sasl, openldap and krb5-libs packages that are shipped with RHEL 8.3 and later.
- In the /etc/openldap/ldap.conf file, specify the correct channel binding type by setting the SASL_CBINDING option to tls-endpoint.
For more information, see Impact of Microsoft Security Advisory ADV190023 | LDAP Channel Binding and LDAP Signing on RHEL and AD integration.
SSSD, adcli, and realmd now support the deprecated RC4 cipher suite with a new system-wide cryptographic subpolicy
This update introduces the new AD-SUPPORT cryptographic subpolicy that enables the Rivest Cipher 4 (RC4) cipher suite for the following utilities:
- the System Security Services Daemon (SSSD)
- adcli
- realmd
As an administrator, you can activate the new AD-SUPPORT subpolicy when Active Directory (AD) is not configured to use Advanced Encryption Standard (AES) in the following scenarios:
- SSSD is used on a RHEL system connected directly to AD.
- adcli is used to join an AD domain or to update host attributes, for example the host key.
- realmd is used to join an AD domain.
Red Hat recommends enabling the new subpolicy if one of the following conditions applies:
- The user or service accounts in AD have RC4 encryption keys and lack AES encryption keys.
- The trust links between individual Active Directory domains have RC4 encryption keys and lack AES encryption keys.
To enable the AD-SUPPORT subpolicy in addition to the DEFAULT cryptographic policy, enter:
# update-crypto-policies --set DEFAULT:AD-SUPPORT
authselect has a new minimal profile
The authselect utility has a new minimal profile. You can use this profile to serve only local users and groups directly from system files instead of using other authentication providers. Therefore, you can safely remove the SSSD, winbind, and fprintd packages and can use this profile on systems that require minimal installation to save disk and memory space.
(BZ#1654018)
SSSD now updates Samba’s secrets.tdb file when rotating a password
A new ad_update_samba_machine_account_password option in the sssd.conf file is now available in RHEL. You can use it to set SSSD to automatically update the Samba secrets.tdb file when rotating a machine’s domain password while using Samba.
However, if SELinux is in enforcing mode, SSSD fails to update the secrets.tdb file. Consequently, Samba does not have access to the new password. To work around this problem, set SELinux to permissive mode.
SSSD now enforces AD GPOs by default
The default setting for the SSSD option ad_gpo_access_control is now enforcing. In RHEL 8, SSSD enforces access control rules based on Active Directory Group Policy Objects (GPOs) by default.
Red Hat recommends ensuring GPOs are configured correctly in Active Directory before upgrading from RHEL 7 to RHEL 8. If you would not like to enforce GPOs, change the value of the ad_gpo_access_control option in the /etc/sssd/sssd.conf file to permissive.
(JIRA:RHELPLAN-51289)
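The fragment below is an added configuration example, not from the release notes or the SSSD documentation, that puts the two sssd.conf settings discussed in this section and in the LDAP channel binding note above into one AD domain section: ldap_sasl_mech switched to GSS-SPNEGO, and ad_gpo_access_control written out explicitly even though enforcing is now the default, so the intended mode survives future default changes. The single /etc/openldap/ldap.conf line from the channel binding note is shown as a comment at the end because it lives in a different file. The domain name is an assumed placeholder.

```ini
# /etc/sssd/sssd.conf (domain name is an assumed placeholder)
[sssd]
domains = ad.example.com
services = nss, pam

[domain/ad.example.com]
id_provider = ad
access_provider = ad

# Negotiate with GSS-SPNEGO instead of plain GSSAPI, so AD's LDAP signing /
# channel binding checks no longer flag this client (see the channel binding note)
ldap_sasl_mech = GSS-SPNEGO

# RHEL 8.3 default made explicit. Use "permissive" to only log what the GPOs
# would deny while validating them, and "disabled" to ignore GPOs entirely.
ad_gpo_access_control = enforcing

# /etc/openldap/ldap.conf (separate file), required when AD enforces channel binding:
# SASL_CBINDING tls-endpoint
```

After editing, keep sssd.conf owned by root with mode 0600 (SSSD refuses to start otherwise) and restart the sssd service; with ad_gpo_access_control set to permissive, denials that would have applied are visible in the SSSD domain log, which is the safest way to validate GPOs before an upgrade to enforcing.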
Directory Server now supports the pwdReset operational attribute
This enhancement adds support for the pwdReset operational attribute to Directory Server. When an administrator changes the password of a user, Directory Server sets pwdReset in the user’s entry to true. As a result, applications can use this attribute to identify whether the password of a user has been reset by an administrator.
Note that pwdReset is an operational attribute and, therefore, users cannot edit it.
Directory Server now logs the work and operation time in RESULT entries
With this update, Directory Server now logs two additional time values in RESULT entries in the /var/log/dirsrv/slapd-<instance_name>/access file:
- The wtime value indicates how long it took for an operation to move from the work queue to a worker thread.
- The optime value shows the time the actual operation took to be completed once a worker thread started the operation.
The new values provide additional information about how the Directory Server handles load and processes operations.
For further details, see the Access Log Reference section in the Red Hat Directory Server Configuration, Command, and File Reference.
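The following added example, which is not part of the Red Hat documentation, parses constructed RESULT lines in this access-log format and compares wtime with optime to separate queueing delay (server load) from slow processing; the sample lines, the 0.1 s threshold and the exact field order after RESULT are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a Directory Server access log (the
# /var/log/dirsrv/slapd-<instance_name>/access file); not real log data.
# LDAP tag 97 is a BIND response, tag 101 is a SEARCH result.
SAMPLE_ACCESS_LOG = """\
[03/Jun/2020:13:52:38.542648123 +0200] conn=1 op=2 RESULT err=0 tag=101 nentries=1 wtime=0.000125000 optime=0.000350000 etime=0.000475000
[03/Jun/2020:13:52:39.102334001 +0200] conn=2 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000050000 optime=1.200000000 etime=1.200050000
[03/Jun/2020:13:52:40.778811220 +0200] conn=3 op=4 RESULT err=0 tag=101 nentries=12 wtime=0.250000000 optime=0.004000000 etime=0.254000000
[03/Jun/2020:13:52:40.901000000 +0200] conn=3 op=5 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL
[03/Jun/2020:13:52:41.000000000 +0200] conn=4 op=1 RESULT err=49 tag=97 nentries=0 wtime=0.300000000 optime=0.000900000 etime=0.300900000
"""

# One RESULT entry; wtime, optime and etime are seconds with nanosecond precision.
RESULT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT "
    r"err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+) "
    r"wtime=(?P<wtime>\d+\.\d+) optime=(?P<optime>\d+\.\d+) etime=(?P<etime>\d+\.\d+)"
)


def parse_result_entries(text):
    """Return one dict per RESULT entry; other entries (SRCH, BIND, ...) are skipped."""
    entries = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("conn", "op", "err", "tag", "nentries"):
            rec[key] = int(rec[key])
        for key in ("wtime", "optime", "etime"):
            rec[key] = float(rec[key])
        entries.append(rec)
    return entries


def classify_slow_operations(text, etime_threshold=0.1):
    """Return (conn, op, cause) for operations whose elapsed time exceeds the threshold.

    cause is "queued" when the operation spent most of its time waiting for a
    worker thread (server overloaded, too few worker threads) and "processing"
    when the worker itself was slow (expensive or unindexed search, ...)."""
    slow = []
    for rec in parse_result_entries(text):
        if rec["etime"] < etime_threshold:
            continue
        cause = "queued" if rec["wtime"] > rec["optime"] else "processing"
        slow.append((rec["conn"], rec["op"], cause))
    return slow


def mean_wait_by_tag(text):
    """Mean wtime per LDAP operation tag; a value that rises across all tags
    points to queue pressure rather than to one expensive operation type."""
    totals = defaultdict(lambda: [0.0, 0])
    for rec in parse_result_entries(text):
        totals[rec["tag"]][0] += rec["wtime"]
        totals[rec["tag"]][1] += 1
    return {tag: total / count for tag, (total, count) in totals.items()}


if __name__ == "__main__":
    for conn, op, cause in classify_slow_operations(SAMPLE_ACCESS_LOG):
        print(f"conn={conn} op={op}: slow, {cause}")
    for tag, wait in sorted(mean_wait_by_tag(SAMPLE_ACCESS_LOG).items()):
        print(f"tag={tag}: mean wtime {wait:.6f}s")
```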
5.1.14. Desktop
Single-application session is now available
You can now start GNOME in a single-application session, also known as kiosk mode. In this session, GNOME displays only a full-screen window of an application that you have configured.
To enable the single-application session:
- Install the gnome-session-kiosk-session package:
# yum install gnome-session-kiosk-session
- Create and edit the $HOME/.local/bin/redhat-kiosk file of the user that will open the single-application session. In the file, enter the executable name of the application that you want to launch.
For example, to launch the Text Editor application:
#!/bin/sh
gedit &
- Make the file executable:
$ chmod +x $HOME/.local/bin/redhat-kiosk
- At the GNOME login screen, select the Kiosk session from the cogwheel button menu and log in as the single-application user.
(BZ#1739556)
tigervnc has been rebased to version 1.10.1
The tigervnc suite has been rebased to version 1.10.1. The update contains a number of fixes and improvements. Most notably:
- tigervnc now only supports starting the virtual network computing (VNC) server using the systemd service manager.
- The clipboard now supports full Unicode in the native viewer, WinVNC, and Xvnc/libvnc.so.
- The native client now respects the system trust store when verifying server certificates.
- The Java web server has been removed.
- x0vncserver can now be configured to only allow local connections.
- x0vncserver has received fixes for when only part of the display is shared.
- Polling is now the default in WinVNC.
- Compatibility with VMware’s VNC server has been improved.
- Compatibility with some input methods on macOS has been improved.
- Automatic "repair" of JPEG artefacts has been improved.
5.1.15. Graphics infrastructures
Support for new graphics cards
The following graphics cards are now fully supported:
The AMD Navi 14 family, which includes the following models:
- Radeon RX 5300
- Radeon RX 5300 XT
- Radeon RX 5500
- Radeon RX 5500 XT
The AMD Renoir APU family, which includes the following models:
- Ryzen 3 4300U
- Ryzen 5 4500U, 4600U, and 4600H
- Ryzen 7 4700U, 4800U, and 4800H
The AMD Dali APU family, which includes the following models:
- Athlon Silver 3050U
- Athlon Gold 3150U
- Ryzen 3 3250U
Additionally, the following graphics drivers have been updated:
- The Matrox mgag200 driver
(JIRA:RHELPLAN-55009)
Hardware acceleration with Nvidia Volta and Turing
The nouveau
graphics driver now supports hardware acceleration with the Nvidia Volta and Turing GPU families. As a result, the desktop and applications that use 3D graphics now render efficiently on the GPU. Additionally, this frees the CPU for other tasks and improves the overall system responsiveness.
(JIRA:RHELPLAN-57564)
Reduced display tearing on XWayland
The XWayland display back end now enables the XPresent extension. Using XPresent, applications can efficiently update their window content, which reduces display tearing.
This feature significantly improves the user interface rendering of full-screen OpenGL applications, such as 3D editors.
(JIRA:RHELPLAN-57567)
Intel Tiger Lake GPUs are now supported
This update adds support for the Intel Tiger Lake family of GPUs. This includes Intel UHD Graphics and Intel Xe GPUs found with the following CPU models: https://ark.intel.com/content/www/us/en/ark/products/codename/88759/tiger-lake.html.
You no longer have to set the i915.alpha_support=1 or i915.force_probe=* kernel option to enable Tiger Lake GPU support.
This enhancement was released as part of the RHSA-2021:0558 asynchronous advisory.
(BZ#1882620)
5.1.16. The web console
Setting privileges from within the web console session
With this update, the web console provides an option to switch between administrative access and limited access from inside a user session. You can switch between the modes by clicking the Administrative access or Limited access indicator in your web console session.
(JIRA:RHELPLAN-42395)
Improvements to logs searching
With this update, the web console introduces a search box that supports several new ways to search logs. The search box supports regular expression searching in log messages, restricting the search to a specific service, or searching for entries with specific log fields.
Overview page shows more detailed Insights reports
With this update, when a machine is connected to Red Hat Insights, the Health card on the Overview page in the web console shows more detailed information about the number of hits and their priority.
(JIRA:RHELPLAN-42396)
5.1.17. Red Hat Enterprise Linux system roles
Terminal log role added to RHEL system roles
With this enhancement, a new Terminal log (TLOG) role has been added to the RHEL system roles shipped with the rhel-system-roles package. Users can now use the tlog role to set up and configure session recording using Ansible.
Currently, the tlog role supports the following tasks:
- Configure tlog to log recording data to the systemd journal
- Enable session recording for explicit users and groups, via SSSD
RHEL Logging system role is now available for Ansible
With the Logging system role, you can deploy various logging configurations consistently on local and remote hosts. You can configure a RHEL host as a server to collect logs from many client systems.
rhel-system-roles-sap fully supported
The rhel-system-roles-sap package, previously available as a Technology Preview, is now fully supported. It provides Red Hat Enterprise Linux (RHEL) system roles for SAP, which can be used to automate the configuration of a RHEL system to run SAP workloads. These roles greatly reduce the time to configure a system to run SAP workloads by automatically applying the optimal settings that are based on best practices outlined in relevant SAP Notes. Access is limited to RHEL for SAP Solutions offerings. Please contact Red Hat Customer Support if you need assistance with your subscription.
The following new roles in the rhel-system-roles-sap package are fully supported:
- sap-preconfigure
- sap-netweaver-preconfigure
- sap-hana-preconfigure
For more information, see Red Hat Enterprise Linux system roles for SAP.
(BZ#1660832)
The metrics RHEL system role is now available for Ansible
With the metrics RHEL system role, you can configure the following for local and remote hosts, without having to configure these services manually and separately:
- performance analysis services via the pcp application
- visualisation of this data using a grafana server
- querying of this data using the redis data source
rhel-system-roles-sap upgraded
The rhel-system-roles-sap packages have been upgraded to upstream version 2.0.0, which provides multiple bug fixes and enhancements. Notable changes include:
- Improve hostname configuration and checking
- Improve uuidd status detection and handling
- Add support for the --check (-c) option
- Increase nofile limits from 32800 to 65536
- Add nfs-utils to sap_preconfigure_packages*
- Disable firewalld. With this change, firewalld is disabled only when it is installed.
- Add minimum required versions of the setup package for RHEL 8.0 and RHEL 8.1
- Improve the tmpfiles.d/sap.conf file handling
- Support single step execution or checking of SAP notes
- Add the required compat-sap-c++ packages
- Improve minimum package installation handling
- Detect if a reboot is required after applying the RHEL system roles
- Support setting any SELinux state. The default state is "disabled"
- No longer fail if there is more than one line with identical IP addresses
- No longer modify /etc/hosts if there is more than one line containing sap_ip
- Support for HANA on RHEL 7.7
- Support for adding a repository for the IBM service and productivity tools for Power, required for SAP HANA on the ppc64le platform
The storage RHEL system role now supports file system management
With this enhancement, administrators can use the storage RHEL system role to:
- resize an ext4 file system
- resize an LVM file system
- create a swap partition, if it does not exist, or modify the swap partition, if it already exists, on a block device using the default parameters.
(BZ#1959289)
5.1.18. Virtualization
Migrating a virtual machine to a host with incompatible TSC setting now fails faster
Previously, migrating a virtual machine to a host with incompatible Time Stamp Counter (TSC) setting failed late in the process. With this update, attempting such a migration generates an error before the migration process starts.
(JIRA:RHELPLAN-45950)
Virtualization support for 2nd generation AMD EPYC processors
With this update, virtualization on RHEL 8 adds support for the 2nd generation AMD EPYC processors, also known as EPYC Rome. As a result, virtual machines hosted on RHEL 8 can now use the EPYC-Rome CPU model and utilise new features that the processors provide.
(JIRA:RHELPLAN-45959)
New command: virsh iothreadset
This update introduces the virsh iothreadset command, which can be used to configure dynamic IOThread polling. This makes it possible to set up virtual machines with lower latencies for I/O-intensive workloads at the expense of greater CPU consumption for the IOThread. For specific options, see the virsh man page.
(JIRA:RHELPLAN-45958)
UMIP is now supported by KVM on 10th generation Intel Core processors
With this update, the User-mode Instruction Prevention (UMIP) feature is now supported by KVM for hosts running on 10th generation Intel Core processors, also known as Ice Lake Servers. The UMIP feature issues a general protection exception if certain instructions, such as sgdt, sidt, sldt, smsw, and str, are executed when the Current Privilege Level (CPL) is greater than 0. As a result, UMIP improves system security by preventing unauthorized applications from accessing certain system-wide settings which can be used to initiate privilege escalation attacks.
(JIRA:RHELPLAN-45957)
The libvirt library now supports Memory Bandwidth Allocation
libvirt now supports Memory Bandwidth Allocation (MBA). With MBA, you can allocate parts of the host memory bandwidth to vCPU threads by using the <memorytune> element in the <cputune> section.
MBA is an extension of the existing Cache QoS Enforcement (CQE) feature found in the Intel Xeon v4 processors, also known as Broadwell server. For tasks that are associated with CPU affinity, the mechanism used by MBA is the same as in CQE.
(JIRA:RHELPLAN-45956)
RHEL 6 virtual machines now support the Q35 machine type
Virtual machines (VMs) hosted on RHEL 8 that use RHEL 6 as their guest OS can now use Q35, a more modern PCI Express-based machine type. This provides a variety of improvements in features and performance of virtual devices, and ensures that a wider range of modern devices are compatible with RHEL 6 VMs.
(JIRA:RHELPLAN-45952)
QEMU logs now include time stamps for spice-server events
This update adds time stamps to spice-server event logs. Therefore, all logged QEMU events now have a time stamp. As a result, users can more easily troubleshoot their virtual machines using logs saved in the /var/log/libvirt/qemu/ directory.
(JIRA:RHELPLAN-45945)
The bochs-display device is now supported
RHEL 8.3 and later introduce the Bochs display device, which is more secure than the currently used stdvga device. Note that all virtual machines (VMs) compatible with bochs-display will use it by default. This mainly includes VMs that use the UEFI interface.
(JIRA:RHELPLAN-45939)
Optimized MDS protection for virtual machines
With this update, a RHEL 8 host can inform its virtual machines (VMs) whether they are vulnerable to Microarchitectural Data Sampling (MDS). VMs that are not vulnerable do not use measures against MDS, which improves their performance.
(JIRA:RHELPLAN-45937)
Creating QCOW2 disk images on RBD now supported
With this update, it is possible to create QCOW2 disk images on RADOS Block Device (RBD) storage. As a result, virtual machines can use RBD servers for their storage back ends with QCOW2 images.
Note, however, that the write performance of QCOW2 disk images on RBD storage is currently lower than intended.
(JIRA:RHELPLAN-45936)
Maximum supported VFIO devices increased to 64
With this update, you can attach up to 64 PCI devices that use VFIO to a single virtual machine on a RHEL 8 host. This is up from 32 in RHEL 8.2 and prior.
(JIRA:RHELPLAN-45930)
discard and write-zeroes commands are now supported in QEMU/KVM
With this update, the discard and write-zeroes commands for virtio-blk are now supported in QEMU/KVM. As a result, virtual machines can use the virtio-blk device to discard unused sectors of an SSD, fill sectors with zeroes when they are emptied, or both. This can be used to increase SSD performance or to ensure that a drive is securely erased.
(JIRA:RHELPLAN-45926)
RHEL 8 now supports IBM POWER 9 XIVE
This update introduces support for the External Interrupt Virtualization Engine (XIVE) feature of IBM POWER9 to RHEL 8. As a result, virtual machines (VMs) running on a RHEL 8 hypervisor on an IBM POWER 9 system can use XIVE, which improves the performance of I/O-intensive VMs.
(JIRA:RHELPLAN-45922)
Control Group v2 support for virtual machines
With this update, the libvirt suite supports control groups v2. As a result, virtual machines hosted on RHEL 8 can take advantage of resource control capabilities of control group v2.
(JIRA:RHELPLAN-45920)
Paravirtualized IPIs are now supported for Windows virtual machines
With this update, the hv_ipi flag has been added to the supported hypervisor enlightenments for Windows virtual machines (VMs). This allows inter-processor interrupts (IPIs) to be sent via a hypercall. As a result, IPIs can be performed faster on VMs running a Windows OS.
(JIRA:RHELPLAN-45918)
Migrating virtual machines with enabled disk cache is now possible
This update makes the RHEL 8 KVM hypervisor compatible with disk cache live migration. As a result, it is now possible to live-migrate virtual machines with disk cache enabled.
(JIRA:RHELPLAN-45916)
macvtap interfaces can now be used by virtual machines in non-privileged sessions
It is now possible for virtual machines (VMs) to use a macvtap interface previously created by a privileged process. Notably, this enables VMs started by the non-privileged user session of libvirtd to use a macvtap interface.
To do so, first create a macvtap interface in a privileged environment and set it to be owned by the user who will be running libvirtd in a non-privileged session. You can do this using a management application such as the web console, or using command-line utilities as root, for example:
# ip link add link en2 name mymacvtap0 address 52:54:00:11:11:11 type macvtap mode bridge
# chown myuser /dev/tap$(cat /sys/class/net/mymacvtap0/ifindex)
# ip link set mymacvtap0 up
Afterwards, modify the <target> sub-element of the VM’s <interface> configuration to reference the newly created macvtap interface:
<interface type='ethernet'>
  <model type='virtio'/>
  <mac address='52:54:00:11:11:11'/>
  <target dev='mymacvtap0' managed='no'/>
</interface>
With this configuration, if libvirtd is run as the user myuser, the VM will use the existing macvtap interface when started.
(JIRA:RHELPLAN-45915)
Virtual machines can now use features of 10th generation Intel Core processors
The Icelake-Server and Icelake-Client CPU model names are now available for virtual machines (VMs). On hosts with 10th generation Intel Core processors, using Icelake-Server or Icelake-Client as the CPU type in the XML configuration of a VM exposes new features of these CPUs to the VM.
(JIRA:RHELPLAN-45911)
QEMU now supports LUKS encryption
With this update, it is possible to create virtual disks using Linux Unified Key Setup (LUKS) encryption. You can encrypt the disks when creating the storage volume by including the <encryption> field in the virtual machine’s (VM) XML configuration. You can also make the LUKS-encrypted virtual disk completely transparent to the VM by including the <encryption> field in the disk’s domain definition in the XML configuration file.
(JIRA:RHELPLAN-45910)
Improved logs for nbdkit
The nbdkit service logging has been modified to be less verbose. As a result, nbdkit logs only potentially important messages, and the logs created during virt-v2v conversions are shorter and easier to parse.
(JIRA:RHELPLAN-45909)
Improved consistency for virtual machine SELinux security labels and permissions
With this update, the libvirt service can record SELinux security labels and permissions associated with files, and restore the labels after modifying the files. As a result, for example, using libguestfs utilities to modify a virtual machine (VM) disk image owned by a specific user no longer changes the image owner to root.
Note that this feature does not work on file systems that do not support extended file attributes, such as NFS.
(JIRA:RHELPLAN-45908)
QEMU now uses the gcrypt library for XTS ciphers
With this update, the QEMU emulator has been changed to use the XTS cipher mode implementation provided by the gcrypt library. This improves the I/O performance of virtual machines whose host storage uses QEMU’s native luks encryption driver.
(JIRA:RHELPLAN-45904)
Windows Virtio drivers can now be updated using Windows Updates
With this update, a new standard SMBIOS string is initiated by default when QEMU starts. The parameters provided in the SMBIOS fields make it possible to generate IDs for the virtual hardware running on the virtual machine (VM). As a result, Windows Update can identify the virtual hardware and the RHEL hypervisor machine type, and update the Virtio drivers on VMs running Windows 10+, Windows Server 2016, and Windows Server 2019+.
(JIRA:RHELPLAN-45901)
New command: virsh guestinfo
The virsh guestinfo command has been introduced to RHEL 8.3. This makes it possible to report the following types of information about a virtual machine (VM):
- Guest OS and file system information
- Active users
- The time zone used
Before running virsh guestinfo, ensure that the qemu-guest-agent package is installed. In addition, the guest_agent channel must be enabled in the VM’s XML configuration, for example as follows:
<channel type='unix'>
  <target type='virtio' name='org.qemu.guest_agent.0'/>
</channel>
(JIRA:RHELPLAN-45900)
VNNI for BFLOAT16 inputs are now supported by KVM
With this update, Vector Neural Network Instructions (VNNI) supporting BFLOAT16 inputs, also known as AVX512_BF16 instructions, are now supported by KVM for hosts running on the 3rd Gen Intel Xeon scalable processors, also known as Cooper Lake. As a result, guest software can now use the AVX512_BF16 instructions inside virtual machines, by enabling it in the virtual CPU configuration.
(JIRA:RHELPLAN-45899)
New command: virsh pool-capabilities
RHEL 8.3 introduces the virsh pool-capabilities command option. This command displays information that can be used for creating storage pools, as well as storage volumes within each pool, on your host. This includes:
- Storage pool types
- Storage pool source formats
- Target storage volume format types
(JIRA:RHELPLAN-45884)
Support for CPUID.1F in virtual machines with Intel Xeon Platinum 9200 series processors
With this update, virtual machines hosted on RHEL 8 can be configured with a virtual CPU topology of multiple dies, using the Extended Topology Enumeration leaf feature (CPUID.1F). This feature is supported by Intel Xeon Platinum 9200 series processors, previously known as Cascade Lake. As a result, it is now possible on hosts that use Intel Xeon Platinum 9200 series processors to create a vCPU topology that mirrors the physical CPU topology of the host.
(JIRA:RHELPLAN-37573, JIRA:RHELPLAN-45934)
Virtual machines can now use features of 3rd Generation Intel Xeon Scalable Processors
The Cooperlake CPU model name is now available for virtual machines (VMs). Using Cooperlake as the CPU type in the XML configuration of a VM exposes new features from the 3rd Generation Intel Xeon Scalable Processors to the VM, if the host uses this CPU.
(JIRA:RHELPLAN-37570)
Intel Optane persistent memory now supported by KVM
With this update, virtual machines hosted on RHEL 8 can benefit from the Intel Optane persistent memory technology, previously known as Intel Crystal Ridge. Intel Optane persistent memory storage devices provide data center-class persistent memory technology, which can significantly increase transaction throughput.
(JIRA:RHELPLAN-14068)
Virtual machines can now use Intel Processor Trace
With this update, virtual machines (VMs) hosted on RHEL 8 are able to use the Intel Processor Trace (PT) feature. When your host uses a CPU that supports Intel PT, you can use specialized Intel software to collect a variety of metrics about the performance of your VM’s CPU. Note that this also requires enabling the intel-pt feature in the XML configuration of the VM.
(JIRA:RHELPLAN-7788)
DASD devices can now be assigned to virtual machines on IBM Z
Direct-access storage devices (DASDs) provide a number of specific storage features. Using the vfio-ccw feature, you can assign DASDs as mediated devices to your virtual machines (VMs) on IBM Z hosts. This for example makes it possible for the VM to access a z/OS dataset, or to share the assigned DASDs with a z/OS machine.
(JIRA:RHELPLAN-40234)
IBM Secure Execution supported for IBM Z
When using IBM Z hardware to run your RHEL 8 host, you can improve the security of your virtual machines (VMs) by configuring IBM Secure Execution for the VMs. IBM Secure Execution, also known as Protected Virtualization, prevents the host system from accessing a VM’s state and memory contents.
As a result, even if the host is compromised, it cannot be used as a vector for attacking the guest operating system. In addition, Secure Execution can be used to prevent untrusted hosts from obtaining sensitive information from the VM.
(JIRA:RHELPLAN-14754)
5.1.19. RHEL in cloud environments
cloud-utils-growpart rebased to 0.31
The cloud-utils-growpart package has been upgraded to version 0.31, which provides multiple bug fixes and enhancements. Notable changes include:
- A bug that prevented GPT disks from being grown past 2TB has been fixed.
- The growpart operation no longer fails when the start sector and size are the same.
- Resizing a partition using the sgdisk utility previously failed in some cases. This problem has now been fixed.
5.1.20. Containers
skopeo container image is now available
The registry.redhat.io/rhel8/skopeo container image is a containerized implementation of the skopeo package. The skopeo tool is a command-line utility that performs various operations on container images and image repositories. This container image allows you to inspect container images in a registry, to remove a container image from a registry, and to copy container images from one unauthenticated container registry to another. To pull the registry.redhat.io/rhel8/skopeo container image, you need an active Red Hat Enterprise Linux subscription.
buildah container image is now available
The registry.redhat.io/rhel8/buildah container image is a containerized implementation of the buildah package. The buildah tool facilitates building OCI container images. This container image allows you to build container images without the need to install the buildah package on your system. The use case does not cover running this image in rootless mode as a non-root user. To pull the registry.redhat.io/rhel8/buildah container image, you need an active Red Hat Enterprise Linux subscription.
Podman v2.0 RESTful API is now available
The new REST based Podman 2.0 API replaces the old remote API based on the varlink library. The new API works in both a rootful and a rootless environment and provides a docker compatibility layer.
(JIRA:RHELPLAN-37517)
Installing Podman does not require container-selinux
With this enhancement, the installation of the container-selinux package is now optional during the container build. As a result, Podman has fewer dependencies on other packages.
5.2. Important changes to external kernel parameters
This chapter provides system administrators with a summary of significant changes in the kernel shipped with Red Hat Enterprise Linux 8.3. These changes could include, for example, added or updated proc entries, sysctl and sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.
New kernel parameters
- acpi_no_watchdog = [HW,ACPI,WDT]
This parameter makes the kernel ignore the Advanced Configuration and Power Interface (ACPI) based watchdog interface (WDAT) and lets the native driver control the watchdog device instead.
- dfltcc = [HW,S390]
This parameter configures the zlib hardware support for IBM Z architectures.
Format: { on | off | def_only | inf_only | always }
The options are:
  - on (default) - IBM Z zlib hardware support for compression on level 1 and decompression
  - off - No IBM Z zlib hardware support
  - def_only - IBM Z zlib hardware support for the deflate algorithm only (compression on level 1)
  - inf_only - IBM Z zlib hardware support for the inflate algorithm only (decompression)
  - always - Similar to on, but ignores the selected compression level and always uses hardware support (used for debugging)
- irqchip.gicv3_pseudo_nmi = [ARM64]
This parameter enables support for pseudo non-maskable interrupts (NMIs) in the kernel.
To use this parameter, you need to build the kernel with the CONFIG_ARM64_PSEUDO_NMI configuration item.
- panic_on_taint =
Bitmask for conditionally calling panic() in add_taint()
Format: <hex>[,nousertaint]
A hexadecimal bitmask which represents a set of TAINT flags that will cause the kernel to panic when add_taint() is invoked with any of the flags in this set. The optional nousertaint switch prevents userspace-forced crashes caused by writing to the /proc/sys/kernel/tainted file a flag set that matches the bitmask in panic_on_taint.
For more information, see the upstream documentation.
- prot_virt = [S390]
Format: <bool>
This parameter enables hosting of protected virtual machines, which are isolated from the hypervisor, if the hardware support is present.
- rcutree.use_softirq = [KNL]
This parameter enables elimination of Tree-RCU softirq processing.
If you set this parameter to zero, it moves all RCU_SOFTIRQ processing to per-CPU rcuc kthreads. If you set rcutree.use_softirq to a non-zero value (default), RCU_SOFTIRQ is used by default. Specify rcutree.use_softirq=0 to use rcuc kthreads.
- split_lock_detect = [X86]
This parameter enables split lock detection. When enabled, and if hardware support is present, atomic instructions that access data across cache line boundaries will result in an alignment check exception.
The options are:
  - off - not enabled
  - warn - the kernel will emit rate-limited warnings about applications that trigger the Alignment Check Exception (#AC). This mode is the default on CPUs that support split lock detection.
  - fatal - the kernel will send a Bus error (SIGBUS) signal to applications that trigger the #AC exception.
If the #AC exception is hit while not executing in user mode, the kernel will issue an oops error in either the warn or fatal mode.
- srbds = [X86,INTEL]
This parameter controls the Special Register Buffer Data Sampling (SRBDS) mitigation.
Certain CPUs are vulnerable to a Microarchitectural Data Sampling (MDS)-like exploit which can leak bits from the random number generator.
By default, microcode mitigates this issue. However, the microcode fix can cause the RDRAND and RDSEED instructions to become much slower. Among other effects, this will result in reduced throughput from the urandom kernel random number source device.
To disable the microcode mitigation, set the following option:
  - off - Disable the mitigation and remove the performance impact to RDRAND and RDSEED
- svm = [PPC]
Format: { on | off | y | n | 1 | 0 }
This parameter controls the use of the Protected Execution Facility on pSeries systems.
- nopv = [X86,XEN,KVM,HYPER_V,VMWARE]
This parameter disables the PV optimizations, which forces the guest to run as a generic guest with no PV drivers.
Currently supported are XEN HVM, KVM, HYPER_V and VMWARE guests.
Updated kernel parameters
- hugepagesz = [HW]
This parameter specifies a huge page size. Use this parameter in conjunction with the hugepages parameter to pre-allocate a number of huge pages of the specified size. Specify the hugepagesz and hugepages parameters in pairs, such as:
hugepagesz=2M hugepages=512
The hugepagesz parameter can only be specified once on the command line for a specific huge page size. Valid huge page sizes are architecture dependent.
- hugepages = [HW]
This parameter specifies the number of huge pages to pre-allocate. This parameter typically follows a valid hugepagesz or default_hugepagesz parameter. However, if hugepages is the first or the only HugeTLB command-line parameter, it implicitly specifies the number of huge pages of the default size to allocate. If the number of huge pages of the default size is implicitly specified, it cannot be overwritten by a hugepagesz+hugepages parameter pair for the default size.
For example, on an architecture with a 2M default huge page size:
hugepages=256 hugepagesz=2M hugepages=512
The settings in the example above result in the allocation of 256 2M huge pages and a warning message that the hugepages=512 parameter was ignored. If hugepages is preceded by an invalid hugepagesz, hugepages will be ignored.
- default_hugepagesz = [HW]
This parameter specifies the default huge page size. You can specify default_hugepagesz only once on the command line. Optionally, you can follow default_hugepagesz with the hugepages parameter to pre-allocate a specific number of huge pages of the default size. Also, you can implicitly specify the number of default-sized huge pages to pre-allocate.
For example, on an architecture with a 2M default huge page size:
hugepages=256
default_hugepagesz=2M hugepages=256
hugepages=256 default_hugepagesz=2M
Each of the settings in the example above results in the allocation of 256 2M huge pages. The valid default huge page size is architecture dependent.
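To make the ordering rules for hugepagesz, hugepages and default_hugepagesz concrete, here is an added example (not kernel code and not part of the Red Hat documentation) that simulates how such a command line is interpreted: it returns the pages allocated per size plus the warnings described above, and reproduces the outcomes of the examples given for these parameters. The valid-size set (2M, 1G) and the warning wording are assumptions.

```python
def parse_hugetlb_cmdline(cmdline, arch_default="2M", valid_sizes=("2M", "1G")):
    """Return ({size: pages}, [warnings]) for the HugeTLB parameters in cmdline.

    Models the rules stated in the text: parameters are processed in order,
    a leading hugepages= applies to the default size, hugepagesz= may name a
    size only once, and a hugepages= after an invalid or duplicate hugepagesz=
    is ignored. Sizes are compared as written ("2M", "1G"); assumed x86-64 set.
    """
    counts = {}            # size -> pages from explicit hugepagesz/hugepages pairs
    default_count = None   # pages requested implicitly for the default size
    default_size = None    # set by default_hugepagesz=
    pending = None         # size named by the last valid hugepagesz=/default_hugepagesz=
    valid_sz = True        # False after an invalid or duplicate hugepagesz=
    warnings = []

    for token in cmdline.split():
        key, _, value = token.partition("=")
        if key == "hugepagesz":
            if value not in valid_sizes:
                warnings.append(f"hugepagesz={value}: unsupported page size, ignoring")
                pending, valid_sz = None, False
            elif value in counts or (default_count is not None
                                     and value == (default_size or arch_default)):
                # The count for this size was already fixed (explicitly, or
                # implicitly for the default size) and cannot be overwritten.
                warnings.append(f"hugepagesz={value} specified twice, ignoring")
                pending, valid_sz = None, False
            else:
                pending, valid_sz = value, True
        elif key == "default_hugepagesz":
            if default_size is not None:
                warnings.append("default_hugepagesz specified twice, ignoring")
                pending, valid_sz = None, False
            elif value not in valid_sizes:
                warnings.append(f"default_hugepagesz={value}: unsupported page size, ignoring")
                pending, valid_sz = None, False
            else:
                default_size = value
                pending, valid_sz = value, True
        elif key == "hugepages":
            try:
                pages = int(value)
            except ValueError:
                warnings.append(f"hugepages={value}: invalid count, ignoring")
                continue
            if not valid_sz:
                warnings.append(f"hugepages={value} ignored: preceded by invalid hugepagesz")
            elif pending is None:
                # First or only HugeTLB parameter: applies to the default page size.
                if default_count is None:
                    default_count = pages
                else:
                    warnings.append(f"hugepages={value} ignored: default-size count already set")
            elif pending in counts:
                warnings.append(f"hugepages={value} specified twice without interleaving hugepagesz, ignoring")
            else:
                counts[pending] = pages
        # Any other token is not a HugeTLB parameter and is left alone.

    # Resolve the implicit default-size request once the default size is known.
    if default_count is not None:
        counts.setdefault(default_size or arch_default, default_count)
    return counts, warnings


if __name__ == "__main__":
    for line in ("hugepages=256 hugepagesz=2M hugepages=512",
                 "hugepages=256 default_hugepagesz=2M",
                 "hugepagesz=1G hugepages=4 hugepagesz=2M hugepages=512"):
        print(line, "->", parse_hugetlb_cmdline(line))
```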
- efi = [EFI]
Format: { "old_map", "nochunk", "noruntime", "debug", "nosoftreserve" }
The options are:
-
old_map
[X86-64] - Switch to the old ioremap-based EFI runtime services mapping. 32-bit still uses this one by default -
nochunk
- Disable reading files in "chunks" in the EFI boot stub, as chunking can cause problems with some firmware implementations -
noruntime
- Disable EFI runtime services support -
debug
- Enable miscellaneous debug output -
nosoftreserve
- TheEFI_MEMORY_SP
(Specific Purpose) attribute sometimes causes the kernel to reserve the memory range for a memory mapping driver to claim. Specifyefi=nosoftreserve
to disable this reservation and treat the memory by its base type (for exampleEFI_CONVENTIONAL_MEMORY
/ "System RAM").
-
- intel_iommu = [DMAR]
Intel IOMMU driver Direct Memory Access Remapping (DMAR).
The added options are:
- nobounce (Default off) - Disable the bounce buffer for untrusted devices such as Thunderbolt devices. Untrusted devices are then treated as trusted ones, so this setting removes a mitigation against direct memory access (DMA) attacks by externally attached devices. Leave it off unless every device behind the affected ports is fully under your control.
- mem = nn[KMG] [KNL,BOOT]
This parameter forces the usage of a specific amount of memory. The amount of memory is used in the following cases:
1. For testing.
2. When the kernel is not able to see the whole system memory.
3. Memory that lies after the mem boundary is excluded from the hypervisor and then assigned to KVM guests.
[X86] Works as a limit on the maximum address. Use it together with the memmap parameter to avoid physical address space collisions. Without memmap, Peripheral Component Interconnect (PCI) devices could be placed at addresses belonging to unused RAM. Note that this setting only takes effect at boot time, since in case 3 above the memory may need to be hot added after boot if the system memory of the hypervisor is not sufficient.
- pci = [PCI]
Various Peripheral Component Interconnect (PCI) subsystem options.
Some options herein operate on a specific device or a set of devices (<pci_dev>). These are specified in one of the following formats:
[<domain>:]<bus>:<dev>.<func>[/<dev>.<func>]*
pci:<vendor>:<device>[:<subvendor>:<subdevice>]
Note that the first format specifies a PCI bus/device/function address, which may change if new hardware is inserted, if motherboard firmware changes, or due to changes caused by other kernel parameters. If the domain is left unspecified, it is taken to be zero. Optionally, a path to a device through multiple device/function addresses can be specified after the base address (this is more robust against renumbering issues). The second format selects devices using IDs from the configuration space, which may match multiple devices in the system.
The options are:
- hpmmiosize - The fixed amount of bus space which is reserved for the hotplug bridge's Memory-mapped I/O (MMIO) window. The default size is 2 megabytes.
- hpmmioprefsize - The fixed amount of bus space which is reserved for the hotplug bridge's MMIO_PREF window. The default size is 2 megabytes.
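As an added example, not code from the RHEL documentation or the kernel, the following C routine parses the two <pci_dev> forms described above strictly, distinguishing the optional domain from the bus by looking for a second colon before the first dot, and walking the optional /<dev>.<func> path. The struct and function names, the cap of eight path hops, and the field limits (bus up to ff, device up to 1f, function up to 7, domain and IDs up to ffff) are this example's own assumptions drawn from PCI addressing conventions.

```c
/* Added example, not part of the RHEL release notes or the kernel source:
 * a strict parser for the two <pci_dev> forms accepted by pci= options.
 * Limits (bus <= ff, device <= 1f, function <= 7, domain and IDs <= ffff)
 * and the names below are this example's own assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_HOPS 8

struct pci_dev_spec {
    int by_id;                /* 1: pci:<vendor>:<device> form, 0: address form */
    unsigned domain, bus, dev, func;
    unsigned vendor, device, subvendor, subdevice;
    int has_subsys;
    unsigned path_dev[MAX_PATH_HOPS], path_func[MAX_PATH_HOPS];
    int path_len;             /* number of "/<dev>.<func>" hops after the base address */
};

/* Consume one hex field (1-8 digits, no sign, no 0x prefix) not exceeding limit. */
static int take_hex(const char **s, unsigned limit, unsigned *out)
{
    unsigned v = 0;
    int n = 0;
    while (isxdigit((unsigned char)(*s)[n])) {
        int c = tolower((unsigned char)(*s)[n]);
        if (n == 8)
            return 0;
        v = v * 16 + (unsigned)(isdigit(c) ? c - '0' : c - 'a' + 10);
        n++;
    }
    if (n == 0 || v > limit)
        return 0;
    *out = v;
    *s += n;
    return 1;
}

static int expect(const char **s, char c)
{
    if (**s != c)
        return 0;
    (*s)++;
    return 1;
}

/* Returns 0 and fills *d on success, -1 on malformed or out-of-range input. */
int parse_pci_dev(const char *in, struct pci_dev_spec *d)
{
    const char *s = in;
    memset(d, 0, sizeof *d);

    if (strncmp(s, "pci:", 4) == 0) {
        s += 4;
        d->by_id = 1;
        if (!take_hex(&s, 0xffff, &d->vendor) || !expect(&s, ':') ||
            !take_hex(&s, 0xffff, &d->device))
            return -1;
        if (*s == ':') {             /* optional [:<subvendor>:<subdevice>] */
            s++;
            if (!take_hex(&s, 0xffff, &d->subvendor) || !expect(&s, ':') ||
                !take_hex(&s, 0xffff, &d->subdevice))
                return -1;
            d->has_subsys = 1;
        }
        return *s == '\0' ? 0 : -1;
    }

    /* Address form. A second ':' before the first '.' means a domain is present. */
    const char *dot = strchr(s, '.');
    unsigned first;
    if (!dot || !take_hex(&s, 0xffff, &first) || !expect(&s, ':'))
        return -1;
    if (memchr(s, ':', (size_t)(dot - s))) {
        d->domain = first;
        if (!take_hex(&s, 0xff, &d->bus) || !expect(&s, ':'))
            return -1;
    } else {
        if (first > 0xff)
            return -1;
        d->bus = first;          /* domain left unspecified: taken to be zero */
    }
    if (!take_hex(&s, 0x1f, &d->dev) || !expect(&s, '.') || !take_hex(&s, 0x7, &d->func))
        return -1;

    while (*s == '/') {          /* optional path through bridges: /<dev>.<func> */
        s++;
        if (d->path_len == MAX_PATH_HOPS)
            return -1;
        if (!take_hex(&s, 0x1f, &d->path_dev[d->path_len]) || !expect(&s, '.') ||
            !take_hex(&s, 0x7, &d->path_func[d->path_len]))
            return -1;
        d->path_len++;
    }
    return *s == '\0' ? 0 : -1;
}

int main(void)
{
    const char *inputs[] = { "0000:00:1f.0", "01:00.0/00.0", "pci:8086:1234:1028:abcd", "00:20.0" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct pci_dev_spec d;
        if (parse_pci_dev(inputs[i], &d) != 0)
            printf("%-24s -> rejected\n", inputs[i]);
        else if (d.by_id)
            printf("%-24s -> id %04x:%04x%s\n", inputs[i], d.vendor, d.device,
                   d.has_subsys ? " (with subsystem)" : "");
        else
            printf("%-24s -> %04x:%02x:%02x.%x, %d path hop(s)\n", inputs[i],
                   d.domain, d.bus, d.dev, d.func, d.path_len);
    }
    return 0;
}
```

The parser rejects trailing garbage and out-of-range fields rather than silently truncating them, which is the behaviour you want before a spec is used to match, say, a device for hotplug window sizing.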
- pcie_ports = [PCIE]
Peripheral Component Interconnect Express (PCIe) port services handling.
The options are:
- native - Use native PCIe services (PME, AER, DPC, PCIe hotplug) even if the platform does not give the OS permission to use them. This setting may cause conflicts if the platform also tries to use these services.
- dpc-native - Use the native PCIe service for DPC only. This setting may cause conflicts if firmware uses AER or DPC.
- compat - Disable native PCIe services (PME, AER, DPC, PCIe hotplug).
- rcu_nocbs = [KNL]
- The argument is a CPU list. The string "all" can be used to specify every CPU on the system.
- usbcore.authorized_default = [USB]
The default USB device authorization.
The options are:
- -1 (Default) - Authorized except for wireless USB.
- 0 - Not authorized.
- 1 - Authorized.
- 2 - Authorized if the device is connected to an internal port.
- usbcore.old_scheme_first = [USB]
Start with the old device initialization scheme. This setting applies only to low- and full-speed devices (default 0 = off).
- usbcore.quirks = [USB]
A list of quirk entries to augment the built-in USB core quirk list. The list entries are separated by commas. Each entry has the form VendorID:ProductID:Flags, for example quirks=0781:5580:bk,0a5c:5834:gij. The IDs are 4-digit hex numbers and Flags is a set of letters. Each letter toggles the corresponding built-in quirk: it sets the quirk if it is clear and clears it if it is set.
The added flag:
- o - USB_QUIRK_HUB_SLOW_RESET, the hub needs an extra delay after resetting its port.
New /proc/sys/fs parameters
- protected_fifos
This parameter is based on the restrictions in the Openwall software and protects against unintentional writes to an attacker-controlled FIFO where a program intended to create a regular file.
The options are:
- 0 - Writing to FIFOs is unrestricted.
- 1 - Does not allow O_CREAT opens on FIFOs that the process does not own in world-writable sticky directories, unless the FIFO is owned by the owner of the directory.
- 2 - Additionally applies the restriction of 1 to group-writable sticky directories.
- protected_regular
This parameter is similar to protected_fifos, but it avoids writes to an attacker-controlled regular file where a program intended to create one.
The options are:
- 0 - Writing to regular files is unrestricted.
- 1 - Does not allow O_CREAT opens on regular files that the process does not own in world-writable sticky directories, unless the file is owned by the owner of the directory.
- 2 - Additionally applies the restriction of 1 to group-writable sticky directories.
5.3. Device Drivers
5.3.1. New drivers
Network drivers
- CAN driver for Kvaser CAN/USB devices (kvaser_usb.ko.xz)
- Driver for Theobroma Systems UCAN devices (ucan.ko.xz)
- Pensando Ethernet NIC Driver (ionic.ko.xz)
Graphics drivers and miscellaneous drivers
- Generic Remote Processor Framework (remoteproc.ko.xz)
- Package Level C-state Idle Injection for Intel® CPUs (intel_powerclamp.ko.xz)
- X86 PKG TEMP Thermal Driver (x86_pkg_temp_thermal.ko.xz)
- INT3402 Thermal driver (int3402_thermal.ko.xz)
- ACPI INT3403 thermal driver (int3403_thermal.ko.xz)
- Intel® acpi thermal rel misc dev driver (acpi_thermal_rel.ko.xz)
- INT3400 Thermal driver (int3400_thermal.ko.xz)
- Intel® INT340x common thermal zone handler (int340x_thermal_zone.ko.xz)
- Processor Thermal Reporting Device Driver (processor_thermal_device.ko.xz)
- Intel® PCH Thermal driver (intel_pch_thermal.ko.xz)
- DRM gem ttm helpers (drm_ttm_helper.ko.xz)
- Device node registration for cec drivers (cec.ko.xz)
- Fairchild FUSB302 Type-C Chip Driver (fusb302.ko.xz)
- VHOST IOTLB (vhost_iotlb.ko.xz)
- vDPA-based vhost backend for virtio (vhost_vdpa.ko.xz)
- VMware virtual PTP clock driver (ptp_vmw.ko.xz)
- Intel® LPSS PCI driver (intel-lpss-pci.ko.xz)
- Intel® LPSS core driver (intel-lpss.ko.xz)
- Intel® LPSS ACPI driver (intel-lpss-acpi.ko.xz)
- Mellanox watchdog driver (mlx_wdt.ko.xz)
- Mellanox FAN driver (mlxreg-fan.ko.xz)
- Mellanox regmap I/O access driver (mlxreg-io.ko.xz)
- Intel® speed select interface pci mailbox driver (isst_if_mbox_pci.ko.xz)
- Intel® speed select interface mailbox driver (isst_if_mbox_msr.ko.xz)
- Intel® speed select interface mmio driver (isst_if_mmio.ko.xz)
- Mellanox LED regmap driver (leds-mlxreg.ko.xz)
- vDPA Device Simulator (vdpa_sim.ko.xz)
- Intel® Tiger Lake PCH pinctrl/GPIO driver (pinctrl-tigerlake.ko.xz)
- PXA2xx SSP SPI Controller (spi-pxa2xx-platform.ko.xz)
- CE4100/LPSS PCI-SPI glue code for PXA’s driver (spi-pxa2xx-pci.ko.xz)
- Hyper-V PCI Interface (pci-hyperv-intf.ko.xz)
- vDPA bus driver for virtio devices (virtio_vdpa.ko.xz)
5.3.2. Updated drivers
Network driver updates
- VMware vmxnet3 virtual NIC driver (vmxnet3.ko.xz) has been updated to version 1.5.0.0-k.
- Realtek RTL8152/RTL8153 Based USB Ethernet Adapters (r8152.ko.xz) has been updated to version 1.09.10.
- Broadcom BCM573xx network driver (bnxt_en.ko.xz) has been updated to version 1.10.1.
- The Netronome Flow Processor (NFP) driver (nfp.ko.xz) has been updated to version 4.18.0-240.el8.x86_64.
- Intel® Ethernet Switch Host Interface Driver (fm10k.ko.xz) has been updated to version 0.27.1-k.
- Intel® Ethernet Connection E800 Series Linux Driver (ice.ko.xz) has been updated to version 0.8.2-k.
Storage driver updates
- Emulex LightPulse Fibre Channel SCSI driver (lpfc.ko.xz) has been updated to version 0:12.8.0.1.
- QLogic FCoE Driver (bnx2fc.ko.xz) has been updated to version 2.12.13.
- LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas.ko.xz) has been updated to version 34.100.00.00.
- Driver for HP Smart Array Controller version (hpsa.ko.xz) has been updated to version 3.4.20-170-RH5.
- QLogic Fibre Channel HBA Driver (qla2xxx.ko.xz) has been updated to version 10.01.00.25.08.3-k.
- Broadcom MegaRAID SAS Driver (megaraid_sas.ko.xz) has been updated to version 07.714.04.00-rh1.
Graphics and miscellaneous driver updates
- Standalone drm driver for the VMware SVGA device (vmwgfx.ko.xz) has been updated to version 2.17.0.0.
- Crypto Co-processor for Chelsio Terminator cards (chcr.ko.xz) has been updated to version 1.0.0.0-ko.
5.4. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 8.3 that have a significant impact on users.
5.4.1. Installer and image creation
RHEL 8 initial setup now works properly via SSH
Previously, the RHEL 8 initial setup interface did not display when logged in to the system using SSH. As a consequence, it was impossible to perform the initial setup on a RHEL 8 machine managed via SSH. This problem has been fixed, and RHEL 8 initial setup now works correctly when performed via SSH.
Installation failed when using the reboot --kexec command
Previously, the RHEL 8 installation failed when a Kickstart file that contained the reboot --kexec command was used. With this update, the installation with reboot --kexec now works as expected.
America/New York time zone can now be set correctly
Previously, the interactive Anaconda installation process did not allow users to set the America/New York time zone when using a kickstart file. With this update, users can now set America/New York as the preferred time zone in the interactive installer if a time zone is not specified in the kickstart file.
(BZ#1665428)
SELinux contexts are now set correctly
Previously, when SELinux was in enforcing mode, incorrect SELinux contexts on some folders and files resulted in unexpected AVC denials when attempting to access these files after installation.
With this update, Anaconda sets the correct SELinux contexts. As a result, you can now access the folders and files without manually relabeling the filesystem.
Automatic partitioning now creates a valid /boot partition
Previously, when installing RHEL on a system using automatic partitioning or using a kickstart file with preconfigured partitions, the installer created a partitioning scheme that could contain an invalid /boot partition. Consequently, the automatic installation process ended prematurely because the verification of the partitioning scheme failed. With this update, Anaconda creates a partitioning scheme that contains a valid /boot partition. As a result, the automatic installation completes as expected.
(BZ#1630299)
A GUI installation using the Binary DVD ISO image now completes successfully without CDN registration
Previously, when performing a GUI installation using the Binary DVD ISO image file, a race condition in the installer prevented the installation from proceeding until you registered the system using the Connect to Red Hat feature.
With this update, you can now proceed with the installation without registering the system using the Connect to Red Hat feature.
(BZ#1823578)
iSCSI or FCoE devices created in Kickstart and used in the ignoredisk --only-use command no longer stop the installation process
Previously, when the iSCSI or FCoE devices created in Kickstart were used in the ignoredisk --only-use command, the installation program failed with an error similar to Disk "disk/by-id/scsi-360a9800042566643352b476d674a774a" given in ignoredisk command does not exist. This stopped the installation process. With this update, the problem has been fixed, and the installation program continues working.
(BZ#1644662)
System registration using CDN failed with the error message Name or service not known
When you attempted to register a system using the Content Delivery Network (CDN), the registration process failed with the error message Name or service not known.
This issue occurred because the empty Custom server URL and Custom Base URL values overwrote the default values for system registration.
With this update, the empty values now do not overwrite the default values, and the system registration completes successfully.
5.4.2. Software management
dnf-automatic now updates only packages with correct GPG signatures
Previously, dnf-automatic did not check the GPG signatures of downloaded packages before performing an update. As a consequence, unsigned updates, or updates signed by a key that had not been imported, could be installed by dnf-automatic even though the repository configuration required a GPG signature check (gpgcheck=1). With this update, dnf-automatic checks the GPG signatures of downloaded packages before performing the update. As a result, only updates with correct GPG signatures are installed from repositories that require a GPG signature check.
Trailing comma no longer causes entries removal in an append type option
Previously, adding a trailing comma (an empty entry at the end of the list) to an append type option (for example, exclude, excludepkgs, includepkgs) caused all entries in the option to be removed. Also, adding two consecutive commas (an empty entry in the middle of the list) caused only the entries after the commas to be used. With this update, empty entries other than a leading comma (an empty entry at the beginning of the list) are ignored. As a result, only a leading comma removes existing entries from an append type option, and you can use it to overwrite these entries.
5.4.3. Shells and command-line tools
The ReaR disk layout no longer includes entries for Rancher 2 Longhorn iSCSI devices and file systems
This update removes entries for Rancher 2 Longhorn iSCSI devices and file systems from the disk layout created by ReaR.
Rescue image creation with a file larger than 4 GB is now enabled on IBM POWER, little endian
Previously, the ReaR utility could not create rescue images containing files larger than 4 GB on the IBM POWER, little endian architecture. With this update, the problem has been fixed, and it is now possible to create a rescue image with a file larger than 4 GB on IBM POWER, little endian.
5.4.4. Security
SELinux no longer prevents systemd-journal-gatewayd from calling newfstatat() on /dev/shm/ files used by corosync
Previously, the SELinux policy did not contain a rule that allows the systemd-journal-gatewayd daemon to access files created by the corosync service. As a consequence, SELinux denied systemd-journal-gatewayd the newfstatat() call on shared memory files created by corosync. With this update, SELinux no longer prevents systemd-journal-gatewayd from calling newfstatat() on shared memory files created by corosync.
(BZ#1746398)
Libreswan now works with seccomp=enabled on all configurations
Prior to this update, the set of allowed syscalls in the Libreswan SECCOMP support implementation did not match the new usage of RHEL libraries. Consequently, when SECCOMP was enabled in the ipsec.conf file, the syscall filter rejected even syscalls required for the proper functioning of the pluto daemon; the daemon was killed, and the ipsec service was restarted. With this update, all newly required syscalls have been allowed, and Libreswan now works correctly with the seccomp=enabled option.
SELinux no longer prevents auditd from halting or powering off the system
Previously, the SELinux policy did not contain a rule that allows the Audit daemon to start a power_unit_file_t systemd unit. Consequently, auditd could not halt or power off the system even when configured to do so, for example when no space was left on the logging disk partition. This update of the selinux-policy packages adds the missing rule, and auditd can now properly halt and power off the system with SELinux in enforcing mode.
IPTABLES_SAVE_ON_STOP now works correctly
Previously, the IPTABLES_SAVE_ON_STOP feature of the iptables service did not work because the files with saved iptables content received an incorrect SELinux context. This prevented the iptables script from changing permissions, and the script subsequently failed to save the changes. This update defines a proper context for the iptables.save and ip6tables.save files and creates a file name transition rule. As a result, the IPTABLES_SAVE_ON_STOP feature of the iptables service works correctly.
NSCD databases can now use different modes
Domains in the nsswitch_domain attribute are allowed access to Name Service Cache Daemon (NSCD) services. Each NSCD database is configured in the nscd.conf file, and the shared property determines whether the database uses shared memory or socket mode. Previously, all NSCD databases had to use the same access mode, depending on the nscd_use_shm boolean value. Now, using a Unix stream socket is always allowed, and therefore different NSCD databases can use different modes.
The oscap-ssh utility now works correctly when scanning a remote system with --sudo
When performing a Security Content Automation Protocol (SCAP) scan of a remote system using the oscap-ssh tool with the --sudo option, the oscap tool on the remote system saves scan result files and report files into a temporary directory as the root user. Previously, if the umask settings on the remote machine had been changed, oscap-ssh could be denied access to these files. This update fixes the issue; as a result, oscap saves the files as the target user, and oscap-ssh accesses the files normally.
OpenSCAP now handles remote file systems correctly
Previously, OpenSCAP did not reliably detect remote file systems if their mount specification did not start with two slashes. As a consequence, OpenSCAP handled some network-based file systems as local. With this update, OpenSCAP identifies file systems using the file-system type instead of the mount specification. As a result, OpenSCAP now handles remote file systems correctly.
OpenSCAP no longer removes blank lines from YAML multi-line strings
Previously, OpenSCAP removed blank lines from YAML multi-line strings within Ansible remediations generated from a data stream. This affected the Ansible remediations and caused the openscap utility to fail the corresponding Open Vulnerability and Assessment Language (OVAL) checks, producing false positive results. The issue is now fixed, and as a result, openscap no longer removes blank lines from YAML multi-line strings.
OpenSCAP can now scan systems with large numbers of files without running out of memory
Previously, when scanning systems with low RAM and large numbers of files, the OpenSCAP scanner sometimes caused the system to run out of memory. With this update, OpenSCAP scanner memory management has been improved. As a result, the scanner no longer runs out of memory on systems with low RAM when scanning large numbers of files, for example the Server with GUI and Workstation package groups.
config.enabled now controls statements correctly
Previously, rsyslog incorrectly evaluated the config.enabled directive during the configuration processing of a statement. As a consequence, parameter not known errors were displayed for each statement except for the include() one. With this update, the configuration is processed for all statements equally. As a result, config.enabled now correctly disables or enables statements without displaying any error.
(BZ#1659383)
fapolicyd no longer prevents RHEL updates
When an update replaces the binary of a running application, the kernel modifies the application binary path in memory by appending the " (deleted)" suffix. Previously, the fapolicyd file access policy daemon treated such applications as untrusted and prevented them from opening and executing any other files. As a consequence, the system was sometimes unable to boot after applying updates. With the release of the RHBA-2020:5242 advisory, fapolicyd ignores the suffix in the binary path so that the binary can match the trust database. As a result, fapolicyd enforces the rules correctly and the update process can finish.
The e8 profile can now be used to remediate RHEL 8 systems with Server with GUI
Using the OpenSCAP Anaconda Add-on to harden a system installed with the Server With GUI package group using profiles that select rules from the Verify Integrity with RPM group no longer requires an extreme amount of RAM. The cause of this problem was the OpenSCAP scanner; for more details, see Scanning large numbers of files with OpenSCAP causes systems to run out of memory. As a consequence, hardening the system using the RHEL 8 Essential Eight (e8) profile now also works with Server With GUI.
(BZ#1816199)
5.4.5. Networking
Automatic loading of iptables extension modules by the nft_compat module no longer hangs
Previously, when the nft_compat module loaded an extension module while an operation on network name spaces (netns) happened in parallel, a lock collision could occur if that extension registered a pernet subsystem during initialization. As a consequence, the kernel-invoked modprobe command hung. This could also be triggered by other services, such as libvirtd, that execute iptables commands. This problem has been fixed. As a result, loading iptables extension modules by the nft_compat module no longer hangs.
(BZ#1757933)
The firewalld service now removes ipsets when the service stops
Previously, stopping the firewalld service did not remove ipsets. This update fixes the problem. As a result, ipsets are no longer left in the system after firewalld stops.
firewalld no longer retains ipset entries after shutdown
Previously, shutting down firewalld did not remove ipset entries. Consequently, ipset entries remained active in the kernel even after stopping the firewalld service. With this fix, shutting down firewalld removes ipset entries as expected.
firewalld now restores ipset entries after reloading
Previously, firewalld did not retain runtime ipset entries after reloading. Consequently, users had to manually add the missing entries again. With this update, firewalld has been modified to restore ipset entries after reloading.
nftables and firewalld services are now mutually exclusive
Previously, it was possible to enable the nftables and firewalld services at the same time. As a consequence, nftables was overriding firewalld rulesets. With this update, the nftables and firewalld services are mutually exclusive, so they cannot be enabled at the same time.
5.4.6. Kernel
The huge_page_setup_helper.py script now works correctly
A patch that updated the huge_page_setup_helper.py script for Python 3 was accidentally removed. Consequently, after executing huge_page_setup_helper.py, the following error message appeared:
SyntaxError: Missing parentheses in call to 'print'
With this update, the problem has been fixed by updating the libhugetlbfs.spec file. As a result, huge_page_setup_helper.py no longer shows the error in the described scenario.
(BZ#1823398)
Systems with a large amount of persistent memory boot more quickly and without timeouts
Systems with a large amount of persistent memory took a long time to boot because the original source code allowed for just one initialization thread per node. For example, a 4-node system had 4 memory initialization threads. Consequently, if persistent memory file systems were listed in the /etc/fstab file, the system could time out while waiting for the devices to become available. With this update, the problem has been fixed because the source code now allows for multiple memory initialization threads within a single node. As a result, the systems boot more quickly and no timeouts appear in the described scenario.
(BZ#1666538)
The bcc scripts now successfully compile a BPF module
During compilation of script code to create a Berkeley Packet Filter (BPF) module, the bcc toolkit used kernel headers for data type definitions. Some kernel headers needed the KBUILD_MODNAME macro to be defined. Consequently, bcc scripts that did not define KBUILD_MODNAME were likely to fail to compile a BPF module on various CPU architectures. The following bcc scripts were affected:
- bindsnoop
- sofdsnoop
- solisten
- tcpaccept
- tcpconnect
- tcpconnlat
- tcpdrop
- tcpretrans
- tcpsubnet
- tcptop
- tcptracer
With this update, the problem has been fixed by adding KBUILD_MODNAME to the default cflags parameter for bcc. As a result, the problem no longer appears in the described scenario, and customer scripts do not need to define KBUILD_MODNAME themselves either.
(BZ#1837906)
bcc-tools and bpftrace work properly on IBM Z
Previously, a feature backport introduced the ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE kernel option. However, the bcc-tools package and the bpftrace tracing language package for IBM Z architectures did not have proper support for this option. Consequently, the bpf() system call failed with the Invalid argument error, and bpftrace failed with an Error loading program error when trying to load the BPF program. With this update, the ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE option has been removed. As a result, the problem no longer appears in the described scenario.
(BZ#1847837, BZ#1853964)
Boot process no longer fails due to lack of entropy
Previously, the boot process could fail due to a lack of entropy. The kernel now uses a better mechanism to gather entropy early in the boot process, one that does not depend on any hardware-specific interrupts. This update fixes the problem by ensuring that sufficient entropy is available for secure random number generation in early boot. As a result, kickstart timeouts and slow boots caused by entropy starvation no longer occur, and the boot process works as expected.
Repeated reboots using kexec now work as expected
Previously, during a kernel reboot on the Amazon EC2 Nitro platform, the module removal (rmmod) was not called during the shutdown() call of the kernel execution path. Consequently, repeated kernel reboots using the kexec system call led to a failure. With this update, the issue has been fixed by adding the PCI shutdown() handler that allows safe kernel execution. As a result, repeated reboots using kexec on Amazon EC2 Nitro platforms no longer fail.
(BZ#1758323)
Repeated reboots using vPMEM memory as a dump target now work as expected
Previously, using Virtual Persistent Memory (vPMEM) namespaces as the dump target for kdump or fadump caused the papr_scm module to unmap and remap the memory backed by vPMEM and re-add the memory to its linear map. Consequently, this behavior triggered Hypervisor Calls (HCalls) to the POWER Hypervisor, which slowed down the capture kernel boot considerably and made saving the dump file take a long time. This update fixes the problem, and the boot process now works as expected in the described scenario.
(BZ#1792125)
Attempting to add an ICE driver NIC port to a mode 5 bonding master interface no longer fails
Previously, attempting to add an ICE driver NIC port to a mode 5 (balance-tlb) bonding master interface led to a failure with the error Master 'bond0', Slave 'ens1f0': Error: Enslave failed. Consequently, you experienced an intermittent failure to add the NIC port to the bonding master interface. This update fixes the issue, and adding the interface no longer fails.
(BZ#1791664)
The cxgb4 driver no longer causes a crash in the kdump kernel
Previously, the kdump kernel crashed while trying to save information in the vmcore file. Consequently, the cxgb4 driver prevented the kdump kernel from saving a core for later analysis. The workaround was to add the novmcoredd parameter to the kdump kernel command line to allow saving core files. With the release of the RHSA-2020:1769 advisory, the kdump kernel handles this situation properly and no longer crashes.
(BZ#1708456)
5.4.7. High availability and clusters
When a GFS2 file system is used with the Filesystem agent, the fast_stop option now defaults to no
Previously, when a GFS2 file system was used with the Filesystem agent, the fast_stop option defaulted to yes. This value could result in unnecessary fence events due to the length of time it can take a GFS2 file system to unmount. With this update, this option defaults to no for GFS2. For all other file systems it continues to default to yes.
(BZ#1814896)
fence_compute and fence_evacuate agents now interpret the insecure option in a more standard way
Previously, the fence_compute and fence_evacuate agents behaved as if --insecure was specified by default. With this update, customers who do not use valid certificates for their compute or evacuate services must set insecure=true in the agent configuration and use the --insecure option when running the agent manually from the CLI. This is consistent with the behavior of all other agents.
5.4.8. Dynamic programming languages, web and database servers
Optimized CPU consumption by libdb
A previous update to the libdb database caused excessive CPU consumption in the trickle thread. With this update, the CPU usage has been optimized.
The did_you_mean Ruby gem no longer contains a file with a non-commercial license
Previously, the did_you_mean gem available in the ruby:2.5 module stream contained a file with a non-commercial license. This update removes the affected file.
nginx can now load server certificates from hardware security tokens through a PKCS#11 URI
The ssl_certificate directive of the nginx web server now supports loading TLS server certificates from hardware security tokens directly from PKCS#11 modules. Previously, it was impossible to load server certificates from hardware security tokens through a PKCS#11 URI.
5.4.9. Compilers and development tools
The glibc dynamic loader no longer fails while loading a shared library that uses DT_FILTER and has a constructor
Prior to this update, a defect in the dynamic loader implementation of shared objects as filters caused the dynamic loader to fail while loading a shared library that uses a filter and has a constructor. With this release, the dynamic loader implementation of filters (DT_FILTER) has been fixed to correctly handle such shared libraries. As a result, the dynamic loader now works as expected in the described scenario.
glibc can now remove pseudo-mounts from the getmntent() list
The kernel includes automount pseudo-entries in the mount tables exposed to user space. Consequently, programs that use the getmntent() API see both regular mounts and these pseudo-mounts in the list. The pseudo-mounts do not correspond to real mounts and do not include valid information. With this update, if the mount entry has the ignore mount option present in the automount(8) configuration, the glibc library removes these pseudo-mounts from the getmntent() list. Programs that expect the previous behavior have to use a different API.
(BZ#1743445)
The movv1qi pattern no longer causes miscompilation in auto-vectorized code on IBM Z
Prior to this update, wrong load instructions were emitted for the movv1qi pattern. As a consequence, when auto-vectorization was in effect, a miscompilation could occur on IBM Z systems. This update fixes the movv1qi pattern, and as a result, code now compiles and runs correctly.
(BZ#1784758)
PAPI_event_name_to_code() now works correctly in multiple threads
Prior to this update, the PAPI internal code did not handle thread coordination properly. As a consequence, when multiple threads used the PAPI_event_name_to_code() operation, a race condition occurred and the operation failed. This update enhances the handling of multiple threads in the PAPI internal code. As a result, multithreaded code using the PAPI_event_name_to_code() operation now works correctly.
(BZ#1807346)
Improved performance for the glibc math functions on IBM Power Systems
Previously, the glibc math functions performed unnecessary floating point status updates and system calls on IBM Power Systems, which negatively affected performance. This update removes the unnecessary floating point status updates and improves the implementations of ceil(), ceilf(), fegetmode(), fesetmode(), fesetenv(), fegetexcept(), feenableexcept(), fedisableexcept(), fegetround() and fesetround(). As a result, the performance of the math library is improved on IBM Power Systems.
(BZ#1783303)
Memory protection keys are now supported on IBM Power
On IBM Power Systems, the memory protection key interfaces pkey_set and pkey_get were previously stub functions and consequently always failed. This update implements the interfaces, and as a result, the GNU C Library (glibc) now supports memory protection keys on IBM Power Systems.
Note that memory protection keys currently require the hash-based memory management unit (MMU), so you might have to boot certain systems with the disable_radix kernel parameter.
(BZ#1642150)
papi-testsuite and papi-devel now install the required papi-libs package
Previously, the papi-testsuite and papi-devel RPM packages did not declare a dependency on the matching papi-libs package. Consequently, the tests failed to run, and developers did not have the required version of the papi shared library available for their applications.
With this update, when the user installs either the papi-testsuite or papi-devel packages, the papi-libs package is also installed. As a result, the papi-testsuite now has the correct library allowing the tests to run, and developers using papi-devel have their executables linked with the appropriate version of the papi shared library.
Installing the lldb packages for multiple architectures no longer leads to file conflicts
Previously, the lldb packages installed architecture-dependent files in architecture-independent locations. As a consequence, installing both 32-bit and 64-bit versions of the packages led to file conflicts. This update packages the files in correct architecture-dependent locations. As a result, the installation of lldb in the described scenario completes successfully.
(BZ#1841073)
getaddrinfo now correctly handles a memory allocation failure
Previously, after a memory allocation failure, the getaddrinfo function of the GNU C Library glibc did not release the internal resolver context. As a consequence, getaddrinfo was not able to reload the /etc/resolv.conf file for the rest of the lifetime of the calling thread, resulting in a possible memory leak.
This update modifies the error handling path with an additional release operation for the resolver context. As a result, getaddrinfo reloads /etc/resolv.conf with new configuration values even after an intermittent memory allocation failure.
glibc avoids certain failures caused by IFUNC resolver ordering
Previously, the implementation of the librt and libpthread libraries of the GNU C Library glibc contained the indirect function (IFUNC) resolvers for the following functions: clock_gettime, clock_getcpuclockid, clock_nanosleep, clock_settime, vfork. In some cases, the IFUNC resolvers could execute before the librt and libpthread libraries were relocated. Consequently, applications would fail in the glibc dynamic loader during early program startup.
With this release, the implementations of these functions have been moved into the libc component of glibc, which prevents the described problem from occurring.
Assertion failures no longer occur during pthread_create
Previously, the glibc dynamic loader did not roll back changes to the internal Thread Local Storage (TLS) module ID counter. As a consequence, an assertion failure in the pthread_create function could occur after the dlopen function had failed in certain ways. With this fix, the glibc dynamic loader updates the TLS module ID counter at a later point in time, after certain failures can no longer happen. As a result, the assertion failures no longer occur.
glibc now installs correct dependencies for 32-bit applications using nss_db
Previously, the nss_db.x86_64 package did not declare dependencies on the nss_db.i686 package. Therefore automated installation did not install nss_db.i686 on the system, despite having a 32-bit environment glibc.i686 installed. As a consequence, 32-bit applications using nss_db failed to perform accurate user database lookups, while 64-bit applications in the same setup worked correctly.
With this update, the glibc packages now have weak dependencies that trigger the installation of the nss_db.i686 package when both glibc.i686 and nss_db are installed on the system. As a result, 32-bit applications using nss_db now work correctly, even if the system administrator has not explicitly installed the nss_db.i686 package.
glibc locale information updated with Odia language
The name of the Indian state previously known as Orissa has changed to Odisha, and the name of its official language has changed from Oriya to Odia. With this update, the glibc locale information reflects the new name of the language.
LLVM subpackages now install arch-dependent files in arch-dependent locations
Previously, LLVM subpackages installed arch-dependent files in arch-independent locations. This resulted in conflicts when installing 32-bit and 64-bit versions of LLVM. With this update, package files are now correctly installed in arch-dependent locations, avoiding version conflicts.
(BZ#1820319)
Password and group lookups no longer fail in glibc
Previously, the nss_compat module of the glibc library overwrote the errno status with incorrect error codes during processing of password and group entries. Consequently, applications did not resize buffers as expected, causing password and group lookups to fail. This update fixes the problem, and the lookups now complete as expected.
5.4.10. Identity Management
SSSD no longer downloads every rule with a wildcard character by default
Previously, the ldap_sudo_include_regexp option was incorrectly set to true by default. As a consequence, when SSSD started running or after updating SSSD rules, SSSD downloaded every rule that contained a wildcard character (*) in the sudoHost attribute. This update fixes the bug, and the ldap_sudo_include_regexp option is now properly set to false by default. As a result, the described problem no longer occurs.
krb5 now only requests permitted encryption types
Previously, permitted encryption types specified in the permitted_enctypes variable in the /etc/krb5.conf file did not apply to the default encryption types if the default_tgs_enctypes or default_tkt_enctypes attributes were not set. Consequently, Kerberos clients were able to request deprecated cipher suites like RC4, which may cause other processes to fail. With this update, encryption types specified in the permitted_enctypes variable apply to the default encryption types as well, and only permitted encryption types are requested.
The RC4 cipher suite, which has been deprecated in RHEL 8, is the default encryption type for users, services, and trusts between Active Directory (AD) domains in an AD forest.
- To ensure support for strong AES encryption types between AD domains in an AD forest, see the AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain Microsoft article.
- To enable support for the deprecated RC4 encryption type in an IdM server for backwards compatibility with AD, use the update-crypto-policies --set DEFAULT:AD-SUPPORT command.
(BZ#1791062)
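The rule the note describes (permitted_enctypes constrains the default enctypes, while an explicitly set default_tgs_enctypes or default_tkt_enctypes can still name a deprecated type) can be checked offline against a client's krb5.conf. The audit below is an added example written for this page; it is not Red Hat's or MIT krb5's code. The two configurations it inspects are constructed, and treating DES variants as deprecated alongside RC4 is this example's own assumption.

```python
"""Audit the [libdefaults] enctype settings of a krb5.conf-style file.

Added example, not part of the release note or the krb5 project. It applies
the rule the note describes: permitted_enctypes constrains the default
encryption types, and default_tgs_enctypes / default_tkt_enctypes are only
honoured when explicitly set. RC4 is named in the note as deprecated; the
DES markers below are an assumption of this example.
"""
import re

# Substrings identifying enctypes a client should no longer negotiate.
DEPRECATED_MARKERS = ("rc4", "arcfour", "des-cbc", "des3")

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEY_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section.

    Only top-level 'key = value' lines are read; nested {...} realm blocks
    under other sections are ignored, which is enough for an enctype audit.
    """
    section = None
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        if section != "libdefaults":
            continue
        m = _KEY_RE.match(line)
        if m:
            result[m.group("key").lower()] = m.group("value")
    return result


def split_enctypes(value):
    # krb5 accepts space- or comma-separated enctype lists.
    return [t.lower() for t in re.split(r"[\s,]+", value) if t]


def is_deprecated(enctype):
    return any(marker in enctype for marker in DEPRECATED_MARKERS)


def audit_enctypes(text):
    """Return a list of (severity, message) findings for the config text."""
    defaults = parse_libdefaults(text)
    findings = []

    permitted = defaults.get("permitted_enctypes")
    if permitted is None:
        findings.append(("warn", "permitted_enctypes is not set; the built-in permitted list applies"))
    else:
        bad = [e for e in split_enctypes(permitted) if is_deprecated(e)]
        if bad:
            findings.append(("fail", "permitted_enctypes allows deprecated types: " + ", ".join(bad)))

    # Before the fix, an unset default_*_enctypes key meant the permitted list
    # did not constrain the defaults, so a client could still request RC4.
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        value = defaults.get(key)
        if value is None:
            if permitted is not None:
                findings.append(("info", f"{key} not set; defaults are derived from permitted_enctypes"))
            continue
        bad = [e for e in split_enctypes(value) if is_deprecated(e)]
        if bad:
            findings.append(("fail", f"{key} explicitly requests deprecated types: " + ", ".join(bad)))
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    # permitted list is strong, but the ticket defaults re-enable RC4
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
    }
"""

STRONG_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("strong", STRONG_CONF)):
        print(name)
        for severity, msg in audit_enctypes(conf):
            print(f"  [{severity}] {msg}")
```

Running it on the weak configuration reports the RC4 entry in default_tkt_enctypes as a failure; the strong configuration only notes that the defaults are derived from permitted_enctypes, which is the post-fix behaviour the note describes.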
KDCs now correctly enforce password lifetime policy from LDAP backends
Previously, non-IPA Kerberos Distribution Centers (KDCs) did not ensure maximum password lifetimes because the Kerberos LDAP backend incorrectly enforced password policies. With this update, the Kerberos LDAP backend has been fixed, and password lifetimes behave as expected.
Password expiration notifications sent to AD clients using SSSD
Previously, Active Directory clients (non-IdM) using SSSD were not sent password expiration notices because of a recent change in the SSSD interface for acquiring Kerberos credentials.
The Kerberos interface has been updated and expiration notices are now sent correctly.
Directory Server no longer leaks memory when using indirect COS definitions
Previously, after processing an indirect Class Of Service (COS) definition, Directory Server leaked memory for each search operation that used an indirect COS definition. With this update, Directory Server frees all internal COS structures associated with the database entry after it has been processed. As a result, the server no longer leaks memory when using indirect COS definitions.
Adding ID overrides of AD users now works in IdM Web UI
Previously, adding ID overrides of Active Directory (AD) users to Identity Management (IdM) groups in the Default Trust View for the purpose of granting access to management roles failed when using the IdM Web UI. This update fixes the bug. As a result, you can now use both the Web UI as well as the IdM command-line interface (CLI) in this scenario.
FreeRADIUS no longer generates certificates during package installation
Previously, FreeRADIUS generated certificates during package installation, resulting in the following issues:
- If FreeRADIUS was installed using Kickstart, certificates might be generated at a time when entropy on the system was insufficient, resulting in either a failed installation or a less secure certificate.
- The package was difficult to build as part of an image, such as a container, because the package installation occurs on the builder machine instead of the target machine. All instances that are spawned from the image had the same certificate information.
- It was difficult for an end-user to generate a simple VM in their environment as the certificates would have to be removed and regenerated manually.
With this update, the FreeRADIUS installation no longer generates default self-signed CA certificates nor subordinate CA certificates. When FreeRADIUS is launched via systemd:
- If all of the required certificates are missing, a set of default certificates is generated.
- If one or more of the expected certificates are present, it does not generate new certificates.
FreeRADIUS now generates FIPS-compliant Diffie-Hellman parameters
Due to new FIPS requirements that do not allow openssl to generate Diffie-Hellman (dh) parameters via dhparam, the dh parameter generation has been removed from the FreeRADIUS bootstrap scripts and the file, rfc3526-group-18-8192.dhparam, is included with the FreeRADIUS packages for all systems, and thus enables FreeRADIUS to start in FIPS mode.
Note that you can customize /etc/raddb/certs/bootstrap and /etc/raddb/certs/Makefile to restore the DH parameter generation if required.
Updating Healthcheck now properly updates both ipa-healthcheck-core and ipa-healthcheck
Previously, entering yum update healthcheck did not update the ipa-healthcheck package but replaced it with the ipa-healthcheck-core package. As a consequence, the ipa-healthcheck command did not work after the update.
This update fixes the bug, and updating ipa-healthcheck now correctly updates both the ipa-healthcheck package and the ipa-healthcheck-core package. As a result, the Healthcheck tool works correctly after the update.
5.4.11. Graphics infrastructures
Laptops with hybrid Nvidia GPUs can now successfully resume from suspend
Previously, the nouveau graphics driver sometimes could not power on hybrid Nvidia GPUs on certain laptops from power-save mode. As a result, the laptops failed to resume from suspend.
With this update, several problems in the Runtime Power Management (runpm) system have been fixed. As a result, the laptops with hybrid graphics can now successfully resume from suspend.
(JIRA:RHELPLAN-57572)
5.4.12. Virtualization
Migrating virtual machines with the default CPU model now works more reliably
Previously, if a virtual machine (VM) was created without a specific CPU model, QEMU used a default model that was not visible to the libvirt service. As a consequence, it was possible to migrate the VM to a host that did not support the default CPU model of the VM, which sometimes caused crashes and incorrect behavior in the guest OS after the migration.
With this update, libvirt explicitly uses the qemu64 model as default in the XML configuration of the VM. As a result, if the user attempts migrating a VM with the default CPU model to a host that does not support that model, libvirt correctly generates an error message.
Note, however, that Red Hat strongly recommends using a specific CPU model for your VMs.
(JIRA:RHELPLAN-45906)
5.4.13. Containers
Notes on FIPS support with Podman
The Federal Information Processing Standard (FIPS) requires certified modules to be used. Previously, Podman correctly installed certified modules in containers by enabling the proper flags at startup. However, in this release, Podman does not properly set up the additional application helpers normally provided by the system in the form of the FIPS system-wide crypto-policy. Although setting the system-wide crypto-policy is not required by the certified modules, it does improve the ability of applications to use crypto modules in compliant ways. To work around this problem, change your container to run the update-crypto-policies --set FIPS command before any other application code is executed. The update-crypto-policies --set FIPS command is no longer required with this fix.
5.5. Technology Previews
This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.3.
For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.
5.5.1. Networking
Enabled the xt_u32 Netfilter module
The xt_u32 Netfilter module is now available in the kernel-modules-extra rpm. This module helps in packet forwarding based on the data that is inaccessible to other protocol-based packet filters and thus eases manual migration to nftables. However, the xt_u32 Netfilter module is not supported by Red Hat.
(BZ#1834769)
nmstate available as a Technology Preview
Nmstate is a network API for hosts. The nmstate packages, available as a Technology Preview, provide a library and the nmstatectl command-line utility to manage host network settings in a declarative manner. The networking state is described by a pre-defined schema. Reporting of the current state and changes to the desired state both conform to the schema.
For further details, see the /usr/share/doc/nmstate/README.md file and the examples in the /usr/share/doc/nmstate/examples directory.
(BZ#1674456)
AF_XDP available as a Technology Preview
The Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It accompanies XDP and grants efficient redirection of programmatically selected packets to user space applications for further processing.
(BZ#1633143)
XDP available as a Technology Preview
The eXpress Data Path (XDP) feature, which is available as a Technology Preview, provides a means to attach extended Berkeley Packet Filter (eBPF) programs for high-performance packet processing at an early point in the kernel ingress data path, allowing efficient programmable packet analysis, filtering, and manipulation.
(BZ#1503672)
KTLS available as a Technology Preview
In Red Hat Enterprise Linux 8, Kernel Transport Layer Security (KTLS) is provided as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also provides the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that support this functionality.
(BZ#1570255)
XDP features that are available as Technology Preview
Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported Technology Preview:
- Loading XDP programs on architectures other than AMD and Intel 64-bit. Note that the libxdp library is not available for architectures other than AMD and Intel 64-bit.
- The XDP_TX and XDP_REDIRECT return codes.
- The XDP hardware offloading. Before using this feature, see Unloading XDP programs on Netronome network cards that use the nfp driver fails.
act_mpls module available as a Technology Preview
The act_mpls module is now available in the kernel-modules-extra rpm as a Technology Preview. The module allows the application of Multiprotocol Label Switching (MPLS) actions with Traffic Control (TC) filters, for example, push and pop MPLS label stack entries with TC filters. The module also allows the Label, Traffic Class, Bottom of Stack, and Time to Live fields to be set independently.
(BZ#1839311)
Multipath TCP is now available as a Technology Preview
Multipath TCP (MPTCP), an extension to TCP, is now available as a Technology Preview. MPTCP improves resource usage within the network and resilience to network failure. For example, with Multipath TCP on the RHEL server, smartphones with MPTCP v1 enabled can connect to an application running on the server and switch between Wi-Fi and cellular networks without interrupting the connection to the server.
Note that either the applications running on the server must natively support MPTCP or administrators must load an eBPF program into the kernel to dynamically change IPPROTO_TCP to IPPROTO_MPTCP.
For further details, see Getting started with Multipath TCP.
(JIRA:RHELPLAN-41549)
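What "natively support MPTCP" means for an application is a single change at socket creation: request IPPROTO_MPTCP instead of the default IPPROTO_TCP, and fall back cleanly where the kernel refuses it. The following is an added example written for this page, not code from the release note or from any RHEL package. It assumes the Linux protocol number 262 for IPPROTO_MPTCP (the socket module only exports the constant on Python 3.10 and later) and exercises the socket over loopback, where a kernel without MPTCP transparently uses TCP.

```python
"""Prefer Multipath TCP for a stream socket and fall back to plain TCP.

Added example; it is not from the release note or from any RHEL package.
It shows the one thing an application must do to 'natively support MPTCP':
ask for IPPROTO_MPTCP when the socket is created instead of the default
IPPROTO_TCP, and cope with kernels or policies that refuse the protocol.
"""
import errno
import socket

# Linux value of IPPROTO_MPTCP; socket.IPPROTO_MPTCP only exists on Python 3.10+.
IPPROTO_MPTCP = getattr(socket, "IPPROTO_MPTCP", 262)
IPPROTO_TCP = socket.IPPROTO_TCP

# Failures that plain TCP would hit as well, so falling back would not help.
_NOT_A_PROTOCOL_PROBLEM = {errno.EMFILE, errno.ENFILE, errno.ENOBUFS, errno.ENOMEM}


def open_stream_socket(family=socket.AF_INET, prefer_mptcp=True):
    """Return (sock, proto): proto is the IPPROTO the kernel actually gave us.

    A kernel without MPTCP returns EPROTONOSUPPORT; one with MPTCP built in
    but net.mptcp.enabled=0 returns ENOPROTOOPT. Both cases (and any other
    protocol-specific refusal) fall back to a normal TCP socket.
    """
    if prefer_mptcp:
        try:
            return socket.socket(family, socket.SOCK_STREAM, IPPROTO_MPTCP), IPPROTO_MPTCP
        except OSError as exc:
            if exc.errno in _NOT_A_PROTOCOL_PROBLEM:
                raise
    return socket.socket(family, socket.SOCK_STREAM, IPPROTO_TCP), IPPROTO_TCP


def _recv_exact(sock, n):
    """Read exactly n bytes (or fewer if the peer closes early)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def loopback_roundtrip(payload=b"constructed test payload"):
    """Echo payload over a loopback connection; returns (proto, echoed_bytes).

    Client and listener are created with open_stream_socket(), so on a host
    without MPTCP both ends transparently use TCP and the application logic
    is unchanged.
    """
    listener, proto = open_stream_socket()
    with listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        client, _ = open_stream_socket()
        with client:
            client.connect(("127.0.0.1", port))
            server_side, _ = listener.accept()
            with server_side:
                client.sendall(payload)
                server_side.sendall(_recv_exact(server_side, len(payload)))
                echoed = _recv_exact(client, len(payload))
    return proto, echoed


if __name__ == "__main__":
    proto, data = loopback_roundtrip()
    print("MPTCP" if proto == IPPROTO_MPTCP else "TCP", data)
```

The fallback deliberately re-raises resource-exhaustion errors: if the process is out of file descriptors, retrying with IPPROTO_TCP would fail the same way and only hide the real cause. The eBPF approach the note mentions for unmodified applications performs this same protocol substitution inside the kernel at socket creation.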
The systemd-resolved service is now available as a Technology Preview
The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, and a Link-Local Multicast Name Resolution (LLMNR) and Multicast DNS resolver and responder.
Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview.
(BZ#1906489)
5.5.2. Kernel
The kexec fast reboot feature is available as Technology Preview
The kexec fast reboot feature continues to be available as a Technology Preview. kexec fast reboot significantly speeds the boot process by allowing the kernel to boot directly into the second kernel without passing through the Basic Input/Output System (BIOS) first. To use this feature:
- Load the kexec kernel manually.
- Reboot the operating system.
eBPF available as a Technology Preview
Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions.
The virtual machine includes a new system call bpf(), which supports creating various types of maps, and also allows loading programs in a special assembly-like code. The code is then loaded to the kernel and translated to the native machine code with just-in-time compilation. Note that the bpf() syscall can be successfully used only by a user with the CAP_SYS_ADMIN capability, such as the root user. See the bpf(2) man page for more information.
The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet reception) to receive and process data.
There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported. All components are available as a Technology Preview, unless a specific component is indicated as supported.
The following notable eBPF components are currently available as a Technology Preview:
- bpftrace, a high-level tracing language that utilizes the eBPF virtual machine.
- AF_XDP, a socket for connecting the eXpress Data Path (XDP) path to user space for applications that prioritize packet processing performance.
(BZ#1559616)
The igc driver available as a Technology Preview for RHEL 8
The igc Intel 2.5G Ethernet Linux wired LAN driver is now available on all architectures for RHEL 8 as a Technology Preview. The ethtool utility also supports igc wired LANs.
(BZ#1495358)
Soft-RoCE available as a Technology Preview
Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol which implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which supports two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL 8.
(BZ#1605216)
5.5.3. File systems and storage
NVMe/TCP is available as a Technology Preview
Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) and its corresponding nvme-tcp.ko and nvmet-tcp.ko kernel modules have been added as a Technology Preview.
The use of NVMe/TCP as either a storage client or a target is manageable with tools provided by the nvme-cli and nvmetcli packages.
The NVMe/TCP target Technology Preview is included only for testing purposes and is not currently planned for full support.
(BZ#1696451)
File system DAX is now available for ext4 and XFS as a Technology Preview
In Red Hat Enterprise Linux 8, file system DAX is available as a Technology Preview. DAX provides a means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that supports DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.
(BZ#1627455)
OverlayFS
OverlayFS is a type of union file system. It enables you to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media.
OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs warnings when this technology is activated.
Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions:
- OverlayFS is supported for use only as a container engine graph driver or other specialized use cases, such as squashed kdump initramfs. Its use is supported primarily for container COW content, not for persistent storage. You must place any persistent storage on non-OverlayFS volumes. You can use only the default container engine configuration: one level of overlay, one lowerdir, and both lower and upper levels are on the same file system.
- Only XFS is currently supported for use as a lower layer file system.
Additionally, the following rules and limitations apply to using OverlayFS:
- The OverlayFS kernel ABI and user-space behavior are not considered stable, and might change in future updates.
- OverlayFS provides a restricted set of the POSIX standards. Test your application thoroughly before deploying it with OverlayFS. The following cases are not POSIX-compliant:
  - Lower files opened with O_RDONLY do not receive st_atime updates when the files are read.
  - Lower files opened with O_RDONLY, then mapped with MAP_SHARED are inconsistent with subsequent modification.
  Fully compliant st_ino or d_ino values are not enabled by default on RHEL 8, but you can enable full POSIX compliance for them with a module option or mount option.
  To get consistent inode numbering, use the xino=on mount option.
  You can also use the redirect_dir=on and index=on options to improve POSIX compliance. These two options make the format of the upper layer incompatible with an overlay without these options. That is, you might get unexpected results or errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the overlay without these options.
- To determine whether an existing XFS file system is eligible for use as an overlay, use the following command and see if the ftype=1 option is enabled:
  # xfs_info /mount-point | grep ftype
- SELinux security labels are enabled by default in all supported container engines with OverlayFS.
- Several known issues are associated with OverlayFS in this release. For details, see Non-standard behavior in the Linux kernel documentation.
For more information about OverlayFS, see the Linux kernel documentation.
(BZ#1690207)
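The two checks the OverlayFS entry asks for before deployment, the ftype=1 flag of the XFS lower layer and the xino/redirect_dir/index mount options whose absence or presence changes behaviour, can be scripted against xfs_info output and a mount option string. The following is an added example written for this page, not Red Hat's or the kernel's code. The xfs_info output it parses is constructed (modelled on the tool's layout), the mount option strings are constructed, and the wording of the findings is this example's own.

```python
"""Check an XFS lower layer and overlay mount options before using OverlayFS.

Added example, not from the release note or the kernel documentation. It
parses xfs_info output for the ftype flag the note tells you to look for,
and inspects the option string of an overlay mount for the xino=on,
redirect_dir=on and index=on options described in the note. The sample
xfs_info output and mount options are constructed for this example.
"""
import re

_FTYPE_RE = re.compile(r"\bftype=(?P<value>\d+)")


def xfs_ftype_enabled(xfs_info_output):
    """Return True if the 'naming' line of xfs_info reports ftype=1.

    Returns None when no ftype field is found (output was not from xfs_info
    or is truncated), so callers can distinguish 'unknown' from 'disabled'.
    """
    for line in xfs_info_output.splitlines():
        if line.startswith("naming"):
            m = _FTYPE_RE.search(line)
            if m:
                return m.group("value") == "1"
    return None


def parse_mount_options(option_string):
    """Turn 'lowerdir=/a,upperdir=/b,xino=on,index=on' into a dict.

    Flag-style options without '=' (for example 'ro') map to True.
    """
    opts = {}
    for item in option_string.split(","):
        if not item:
            continue
        key, sep, value = item.partition("=")
        opts[key.strip()] = value.strip() if sep else True
    return opts


def overlay_findings(xfs_info_output, option_string):
    """Return a list of human-readable findings about the proposed overlay."""
    findings = []
    ftype = xfs_ftype_enabled(xfs_info_output)
    if ftype is None:
        findings.append("could not determine ftype from xfs_info output")
    elif not ftype:
        findings.append("lower XFS file system has ftype=0; not eligible as an overlay lower layer")

    opts = parse_mount_options(option_string)
    for required in ("lowerdir", "upperdir", "workdir"):
        if required not in opts:
            findings.append(f"missing {required}= option")
    # Multiple lower layers are separated by ':'; the supported configuration uses one.
    if "lowerdir" in opts and ":" in str(opts["lowerdir"]):
        findings.append("more than one lowerdir given; only one lower layer is in the supported configuration")
    if opts.get("xino") != "on":
        findings.append("xino=on not set; st_ino/d_ino values are not fully POSIX-consistent")
    upper_format = [o for o in ("redirect_dir", "index") if opts.get(o) == "on"]
    if upper_format:
        findings.append("upper layer format depends on " + ",".join(upper_format) + "=on; remount with the same options")
    return findings


# Constructed xfs_info output, modelled on the real tool's layout.
XFS_INFO_OK = """\
meta-data=/dev/mapper/vg-lower   isize=512    agcount=4, agsize=655360 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=1, sparse=1, rmapbt=0
         =                       reflink=1
data     =                       bsize=4096   blocks=2621440, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
"""
XFS_INFO_OLD = XFS_INFO_OK.replace("ftype=1", "ftype=0")

# Constructed mount option strings for the two cases.
GOOD_OPTS = "lowerdir=/var/lib/lower,upperdir=/var/lib/upper,workdir=/var/lib/work,xino=on"
WEAK_OPTS = "lowerdir=/var/lib/a:/var/lib/b,upperdir=/var/lib/upper,workdir=/var/lib/work,redirect_dir=on,index=on"

if __name__ == "__main__":
    for label, info, opts in (("good", XFS_INFO_OK, GOOD_OPTS), ("weak", XFS_INFO_OLD, WEAK_OPTS)):
        print(label, overlay_findings(info, opts) or ["no findings"])
```

On a live host, feed the function the captured output of xfs_info /mount-point and the options column of findmnt for the overlay mount; the ftype parser returns None rather than False when the text is not xfs_info output, so a wrong file system type is not silently reported as "ftype disabled".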
Stratis is now available as a Technology Preview
Stratis is a new local storage manager. It provides managed file systems on top of pools of storage with additional features to the user.
Stratis enables you to more easily perform storage tasks such as:
- Manage snapshots and thin provisioning
- Automatically grow file system sizes as needed
- Maintain file systems
To administer Stratis storage, use the stratis utility, which communicates with the stratisd background service.
Stratis is provided as a Technology Preview.
For more information, see the Stratis documentation: Setting up Stratis file systems.
RHEL 8.3 updates Stratis to version 2.1.0. For more information, see Stratis 2.1.0 Release Notes.
(JIRA:RHELPLAN-1212)
IdM now supports setting up a Samba server on an IdM domain member as a Technology Preview
With this update, you can now set up a Samba server on an Identity Management (IdM) domain member. The new ipa-client-samba utility provided by the same-named package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For example, the utility creates the /etc/samba/smb.conf with the ID mapping configuration for the sss ID mapping back end. As a result, administrators can now set up Samba on an IdM domain member.
Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows hosts cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not support resolving IdM groups using the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) protocols. As a consequence, AD users can only access the Samba shares and printers from IdM clients.
For details, see Setting up Samba on an IdM domain member.
(JIRA:RHELPLAN-13195)
5.5.4. High availability and clusters
Local mode version of pcs cluster setup command available as a technology preview
By default, the pcs cluster setup command automatically synchronizes all configuration files to the cluster nodes. In Red Hat Enterprise Linux 8.3, the pcs cluster setup command provides the --corosync-conf option as a technology preview. Specifying this option switches the command to local mode. In this mode, pcs creates a corosync.conf file and saves it to a specified file on the local node only, without communicating with any other node. This allows you to create a corosync.conf file in a script and handle that file by means of the script.
Pacemaker podman bundles available as a Technology Preview
Pacemaker container bundles now run on the podman container platform, with the container bundle feature being available as a Technology Preview. There is one exception to this feature being Technology Preview: Red Hat fully supports the use of Pacemaker bundles for Red Hat Openstack.
(BZ#1619620)
Heuristics in corosync-qdevice available as a Technology Preview
Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which partition should be quorate.
New fence-agents-heuristics-ping fence agent
As a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.
If the heuristics agent is configured on the same fencing level as the fence agent that does the actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the agent that does the fencing. If the heuristics agent gives a negative result for the off action, it is already clear that the fencing level is not going to succeed, causing Pacemaker fencing to skip the step of issuing the off action on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent the agent that does the actual fencing from fencing a node under certain conditions.
A user might want to use this agent, especially in a two-node cluster, when it would not make sense for a node to fence the peer if it can know beforehand that it would not be able to take over the services properly. For example, it might not make sense for a node to take over services if it has problems reaching the networking uplink, making the services unreachable to clients, a situation that a ping to a router might detect.
(BZ#1775847)
5.5.5. Identity Management
Identity Management JSON-RPC API available as Technology Preview
An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as Technology Preview.
In Red Hat Enterprise Linux 7.3, the IdM API was enhanced to enable multiple versions of API commands. Previously, enhancements could change the behavior of a command in an incompatible way. Users are now able to continue using existing tools and scripts even if the IdM API changes. This enables:
- Administrators to use previous or later versions of IdM on the server than on the managing client.
- Developers to use a specific version of an IdM call, even if the IdM version changes on the server.
In all cases, communication with the server is possible, regardless of whether one side uses, for example, a newer version that introduces new options for a feature.
For details on using the API, see Using the Identity Management API to Communicate with the IdM Server (TECHNOLOGY PREVIEW).
DNSSEC available as Technology Preview in IdM
Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.
Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:
- DNSSEC Operational Practices, Version 2: http://tools.ietf.org/html/rfc6781#section-2
- Secure Domain Name System (DNS) Deployment Guide: http://dx.doi.org/10.6028/NIST.SP.800-81-2
- DNSSEC Key Rollover Timing Considerations: http://tools.ietf.org/html/rfc7583
Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.
5.5.6. Desktop
GNOME for the 64-bit ARM architecture available as a Technology Preview
The GNOME desktop environment is now available for the 64-bit ARM architecture as a Technology Preview. This enables administrators to configure and manage servers from a graphical user interface (GUI) remotely, using the VNC session.
As a consequence, new administration applications are available on the 64-bit ARM architecture. For example: Disk Usage Analyzer (baobab), Firewall Configuration (firewall-config), Red Hat Subscription Manager (subscription-manager), or the Firefox web browser. Using Firefox, administrators can connect to the local Cockpit daemon remotely.
(JIRA:RHELPLAN-27394, BZ#1667225, BZ#1667516, BZ#1724302)
GNOME desktop on IBM Z is available as a Technology Preview
The GNOME desktop, including the Firefox web browser, is now available as a Technology Preview on the IBM Z architecture. You can now connect to a remote graphical session running GNOME using VNC to configure and manage your IBM Z servers.
(JIRA:RHELPLAN-27737)
5.5.7. Graphics infrastructures
VNC remote console available as a Technology Preview for the 64-bit ARM architecture
On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available as a Technology Preview. Note that the rest of the graphics stack is currently unverified for the 64-bit ARM architecture.
(BZ#1698565)
Intel Tiger Lake graphics available as a Technology Preview
Intel Tiger Lake UP3 and UP4 Xe graphics are now available as a Technology Preview.
To enable hardware acceleration with Intel Tiger Lake graphics, add the following option on the kernel command line:
i915.force_probe=pci-id
In this option, replace pci-id with one of the following:
- The PCI ID of your Intel GPU
- The * character to enable the i915 driver with all alpha-quality hardware
(BZ#1783396)
5.5.8. Red Hat Enterprise Linux system roles
The postfix role of RHEL system roles available as a Technology Preview
Red Hat Enterprise Linux system roles provides a configuration interface for Red Hat Enterprise Linux subsystems, which makes system configuration easier through the inclusion of Ansible Roles. This interface enables managing system configurations across multiple versions of Red Hat Enterprise Linux, as well as adopting new major releases.
The rhel-system-roles packages are distributed through the AppStream repository.
The postfix role is available as a Technology Preview.
The following roles are fully supported:
- kdump
- network
- selinux
- storage
- timesync
For more information, see the Knowledgebase article about RHEL system roles.
5.5.9. Virtualization
KVM virtualization is usable in RHEL 8 Hyper-V virtual machines
As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a Hyper-V host.
Note that currently, this feature only works on Intel systems. In addition, nested virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the following Microsoft documentation:
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization
(BZ#1519039)
AMD SEV for KVM virtual machines
As a Technology Preview, RHEL 8 introduces the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts VM memory so that the host cannot access data on the VM. This increases the security of the VM if the host is successfully infected by malware.
Note that the number of VMs that can use this feature at a time on a single host is determined by the host hardware. Current AMD EPYC processors support up to 509 running VMs using SEV.
Also note that for VMs with SEV configured to be able to boot, you must also configure the VM with a hard memory limit. To do so, add the following to the VM’s XML configuration:
<memtune> <hard_limit unit='KiB'>N</hard_limit> </memtune>
The recommended value for N is equal to or greater than the guest RAM + 256 MiB. For example, if the guest is assigned 2 GiB RAM, N should be 2359296 or greater.
(BZ#1501618, BZ#1501607, JIRA:RHELPLAN-7677)
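As an added example, not taken from the release notes or from libvirt, the following POSIX shell functions apply the rule above: they convert a guest RAM figure to KiB, add the 256 MiB (262144 KiB) headroom, emit the matching <memtune> element for the domain XML, and check whether an existing hard_limit meets the recommendation. The function names are this example's own.

```shell
# Added example: derive the SEV <memtune> hard limit for a KVM guest.
# Rule from the release note: N (KiB) >= guest RAM + 256 MiB.
# Function names are this example's own, not libvirt or virsh commands.

# Convert a guest RAM figure to KiB. Unit is one of KiB, MiB, GiB.
ram_to_kib() {
    case "$2" in
        KiB) echo "$1" ;;
        MiB) echo $(( $1 * 1024 )) ;;
        GiB) echo $(( $1 * 1024 * 1024 )) ;;
        *)   echo "ram_to_kib: unknown unit '$2' (use KiB, MiB or GiB)" >&2; return 1 ;;
    esac
}

# Minimum recommended hard_limit in KiB for a guest with the given RAM.
sev_hard_limit_kib() {
    ram_kib=$(ram_to_kib "$1" "$2") || return 1
    # 256 MiB of headroom for the SEV-encrypted guest = 262144 KiB
    echo $(( ram_kib + 262144 ))
}

# Print the <memtune> element to add to the domain XML.
sev_memtune_xml() {
    n=$(sev_hard_limit_kib "$1" "$2") || return 1
    printf "<memtune>\n  <hard_limit unit='KiB'>%s</hard_limit>\n</memtune>\n" "$n"
}

# Return 0 if an existing hard_limit (KiB) meets the recommendation, 1 otherwise.
sev_hard_limit_ok() {
    need=$(sev_hard_limit_kib "$2" "$3") || return 1
    [ "$1" -ge "$need" ]
}

# Example run: a guest with 2 GiB of RAM needs at least 2359296 KiB.
sev_memtune_xml 2 GiB
```

Paste the printed element into the VM's XML (for example with virsh edit); sev_hard_limit_ok is useful when reviewing an existing domain definition whose hard_limit was set by hand.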
Intel vGPU
As a Technology Preview, it is now possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.
Note that only selected Intel GPUs are compatible with the vGPU feature. In addition, assigning a physical GPU to VMs makes it impossible for the host to use the GPU, and may prevent graphical display output on the host from working.
(BZ#1528684)
Creating nested virtual machines
Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on AMD64 and IBM Z hosts with RHEL 8. With this feature, a RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its own VMs.
Note that in RHEL 8.2 and later, nested virtualization is fully supported for VMs running on an Intel 64 host.
(JIRA:RHELPLAN-14047, JIRA:RHELPLAN-24437)
Select Intel network adapters now support SR-IOV in RHEL guests on Hyper-V
As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions are met:
- SR-IOV support is enabled for the network interface controller (NIC)
- SR-IOV support is enabled for the virtual NIC
- SR-IOV support is enabled for the virtual switch
- The virtual function (VF) from the NIC is attached to the virtual machine
The feature is currently supported with Microsoft Windows Server 2019 and 2016.
(BZ#1348508)
5.5.10. Containers
podman container image is available as a Technology Preview
The registry.redhat.io/rhel8/podman container image is a containerized implementation of the podman package. The podman tool is used for managing containers and images, volumes mounted into those containers, and pods made from groups of containers. Podman is based on the libpod library for container lifecycle management. The libpod library provides APIs for managing containers, pods, container images, and volumes. This container image allows you to create, modify, and run container images without the need to install the podman package on your system. The use case does not cover running this image in rootless mode as a non-root user. To pull the registry.redhat.io/rhel8/podman container image, you need an active Red Hat Enterprise Linux subscription.
crun is available as a Technology Preview
The crun OCI runtime has been added to the container-tools:rhel8 module. crun provides support for running with cgroups v2. crun supports an annotation that allows the container to access the rootless user's additional groups. This is useful for mounting a volume from a directory that the user only has group access to, or a directory that has the setgid bit set.
(BZ#1841438)
The podman-machine command is unsupported
The podman-machine command for managing virtual machines is available only as a Technology Preview. Instead, run Podman directly from the command line.
(JIRA:RHELDOCS-16861)
5.6. Deprecated functionality
This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8.
Deprecated devices are fully supported, which means that they are tested and maintained, and their support status remains unchanged within Red Hat Enterprise Linux 8. However, these devices will likely not be supported in the next major version release, and are not recommended for new deployments on the current or future major versions of RHEL.
For the most recent list of deprecated functionality within a particular major release, see the latest version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life Cycle and Red Hat Enterprise Linux Application Streams Life Cycle.
A package can be deprecated and not recommended for further use. Under certain circumstances, a package can be removed from the product. Product documentation then identifies more recent packages that offer functionality similar, identical, or more advanced to the one deprecated, and provides further recommendations.
For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations in adopting RHEL 8.
For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations in adopting RHEL 9.
5.6.1. Installer and image creation
Several Kickstart commands and options have been deprecated
Using the following commands and options in RHEL 8 Kickstart files will print a warning in the logs.
- auth or authconfig
- device
- deviceprobe
- dmraid
- install
- lilo
- lilocheck
- mouse
- multipath
- bootloader --upgrade
- ignoredisk --interactive
- partition --active
- reboot --kexec
Where only specific options are listed, the base command and its other options are still available and not deprecated.
For more details and related changes in Kickstart, see the Kickstart changes section of the Considerations in adopting RHEL 8 document.
(BZ#1642765)
The --interactive option of the ignoredisk Kickstart command has been deprecated
Using the --interactive option in future releases of Red Hat Enterprise Linux will result in a fatal installation error. It is recommended that you modify your Kickstart file to remove the option.
(BZ#1637872)
lorax-composer back end for Image Builder is deprecated in RHEL 8
The previous back end for Image Builder, lorax-composer, is considered deprecated. It will only receive select fixes for the rest of the Red Hat Enterprise Linux 8 life cycle and will be omitted from future major releases. Red Hat recommends that you uninstall lorax-composer and install the osbuild-composer back end instead.
See Composing a customized RHEL system image for more details.
5.6.2. Software management
rpmbuild --sign is deprecated
With this update, the rpmbuild --sign command has become deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in an error. It is recommended that you use the rpmsign command instead.
5.6.3. Shells and command-line tools
Metalink support for curl has been disabled
A flaw was found in curl functionality in the way it handles credentials and file hash mismatches for content downloaded using Metalink. This flaw allows malicious actors controlling a hosting server to:
- Trick users into downloading malicious content
- Gain unauthorized access to provided credentials without the user’s knowledge
The highest threat from this vulnerability is to confidentiality and integrity. To avoid this, Metalink support for curl has been disabled starting with Red Hat Enterprise Linux 8.2.0.z.
As a workaround, execute the following command after the Metalink file is downloaded:
wget --trust-server-names --input-metalink
For example:
wget --trust-server-names --input-metalink <(curl -s $URL)
(BZ#1999620)
5.6.4. Infrastructure services
mailman is deprecated
With this update, the mailman packages have been marked as deprecated and will not be available in the future major releases of Red Hat Enterprise Linux.
(BZ#1890976)
5.6.5. Security
NSS SEED ciphers are deprecated
The Mozilla Network Security Services (NSS) library will not support TLS cipher suites that use a SEED cipher in a future release. To ensure a smooth transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends enabling support for other cipher suites.
Note that SEED ciphers are already disabled by default in RHEL.
TLS 1.0 and TLS 1.1 are deprecated
The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level. If your scenario, for example, a video conferencing application in the Firefox web browser, requires using the deprecated protocols, switch the system-wide cryptographic policy to the LEGACY level:
# update-crypto-policies --set LEGACY
For more information, see the Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal and the update-crypto-policies(8) man page.
DSA is deprecated in RHEL 8
The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level.
(BZ#1646541)
SSL2 Client Hello has been deprecated in NSS
The Transport Layer Security (TLS) protocol version 1.2 and earlier allow starting a negotiation with a Client Hello message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network Security Services (NSS) library has been deprecated and it is disabled by default.
Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this feature may be removed completely in future releases of Red Hat Enterprise Linux 8.
(BZ#1645153)
TPM 1.2 is deprecated
The Trusted Platform Module (TPM) secure cryptoprocessor standard version was updated to version 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major release.
(BZ#1657927)
5.6.6. Networking
Network scripts are deprecated in RHEL 8
Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by default. The basic installation provides a new version of the ifup and ifdown scripts which call the NetworkManager service through the nmcli tool. In Red Hat Enterprise Linux 8, to run the ifup and ifdown scripts, NetworkManager must be running.
Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local scripts are not executed.
If any of these scripts are required, the installation of the deprecated network scripts in the system is still possible with the following command:
~]# yum install network-scripts
The ifup and ifdown scripts link to the installed legacy network scripts.
Calling the legacy network scripts shows a warning about their deprecation.
(BZ#1647725)
5.6.7. Kernel
Installing RHEL for Real Time 8 using diskless boot is now deprecated
Diskless booting allows multiple systems to share a root file system via the network. While convenient, diskless boot is prone to introducing network latency in realtime workloads. With a future minor update of RHEL for Real Time 8, the diskless booting feature will no longer be supported.
The qla3xxx driver is deprecated
The qla3xxx driver has been deprecated in RHEL 8. The driver will likely not be supported in future major releases of this product, and thus it is not recommended for new deployments.
(BZ#1658840)
The dl2k, dnet, ethoc, and dlci drivers are deprecated
The dl2k, dnet, ethoc, and dlci drivers have been deprecated in RHEL 8. The drivers will likely not be supported in future major releases of this product, and thus they are not recommended for new deployments.
(BZ#1660627)
The rdma_rxe Soft-RoCE driver is deprecated
Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is available as an unsupported Technology Preview. However, due to stability issues, this feature has been deprecated and will be removed in RHEL 9.
(BZ#1878207)
5.6.8. File systems and storage
The elevator kernel command line parameter is deprecated
The elevator kernel command line parameter was used in earlier RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated.
The upstream Linux kernel has removed support for the elevator parameter, but it is still available in RHEL 8 for compatibility reasons.
Note that the kernel selects a default disk scheduler based on the type of device. This is typically the optimal setting. If you require a different scheduler, Red Hat recommends that you use udev rules or the Tuned service to configure it. Match the selected devices and switch the scheduler only for those devices.
For more information, see Setting the disk scheduler.
(BZ#1665295)
LVM mirror is deprecated
The LVM mirror segment type is now deprecated. Support for mirror will be removed in a future major release of RHEL.
Red Hat recommends that you use LVM RAID 1 devices with a segment type of raid1 instead of mirror. The raid1 segment type is the default RAID configuration type and replaces mirror as the recommended solution.
To convert mirror devices to raid1, see Converting a mirrored LVM device to a RAID1 logical volume.
LVM mirror has several known issues. For details, see known issues in file systems and storage.
(BZ#1827628)
peripety is deprecated
The peripety package is deprecated since RHEL 8.3.
The Peripety storage event notification daemon parses system storage logs into structured storage events. It helps you investigate storage issues.
NFSv3 over UDP has been disabled
The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. This change affects only NFS version 3 because version 4 requires the Transmission Control Protocol (TCP).
NFS over UDP is no longer supported in RHEL 8.
(BZ#1592011)
cramfs has been deprecated
Due to lack of users, the cramfs kernel module is deprecated. squashfs is recommended as an alternative solution.
(BZ#1794513)
5.6.9. Identity Management
openssh-ldap has been deprecated
The openssh-ldap subpackage has been deprecated in Red Hat Enterprise Linux 8 and will be removed in RHEL 9. As the openssh-ldap subpackage is not maintained upstream, Red Hat recommends using SSSD and the sss_ssh_authorizedkeys helper, which integrate better with other IdM solutions and are more secure.
By default, the SSSD ldap and ipa providers read the sshPublicKey LDAP attribute of the user object, if available. Note that you cannot use the default SSSD configuration for the ad provider or IdM trusted domains to retrieve SSH public keys from Active Directory (AD), since AD does not have a default LDAP attribute to store a public key.
To allow the sss_ssh_authorizedkeys helper to get the key from SSSD, enable the ssh responder by adding ssh to the services option in the sssd.conf file. See the sssd.conf(5) man page for details.
To allow sshd to use sss_ssh_authorizedkeys, add the AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys and AuthorizedKeysCommandUser nobody options to the /etc/ssh/sshd_config file as described by the sss_ssh_authorizedkeys(1) man page.
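As an added example (not part of the release notes and not SSSD's or OpenSSH's own tooling), the following shell functions verify the two settings described above: that the ssh responder is listed in the services option of the [sssd] section of sssd.conf, and that sshd_config sets AuthorizedKeysCommand to /usr/bin/sss_ssh_authorizedkeys together with an AuthorizedKeysCommandUser. Function names and the sample files in the demo are constructed for this example.

```shell
# Added example: check that a host is wired up for sss_ssh_authorizedkeys.
# Function names are this example's own; demo inputs are constructed.

# Return 0 if the services list in the [sssd] section contains "ssh".
sssd_ssh_responder_enabled() {
    awk -F= '
        # track which INI section we are in; only [sssd] counts
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\]/); next }
        in_sssd && $1 ~ /^[[:space:]]*services[[:space:]]*$/ {
            n = split($2, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", svc[i])
                if (svc[i] == "ssh") found = 1
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Return 0 if sshd_config routes key lookups through sss_ssh_authorizedkeys
# and names the user the helper runs as (the note above uses "nobody").
sshd_uses_sss_authorizedkeys() {
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+/usr/bin/sss_ssh_authorizedkeys([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+[^[:space:]]+' "$1"
}

# Combined check against the real paths on a RHEL host.
sss_ssh_keys_ready() {
    sssd_ssh_responder_enabled /etc/sssd/sssd.conf &&
    sshd_uses_sss_authorizedkeys /etc/ssh/sshd_config
}

# Demo on constructed files (not a real host).
sss_ssh_keys_demo() {
    d=$(mktemp -d)
    printf '[sssd]\nservices = nss, pam, ssh\ndomains = example.com\n\n[ssh]\n' > "$d/sssd.conf"
    printf 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandUser nobody\n' > "$d/sshd_config"
    if sssd_ssh_responder_enabled "$d/sssd.conf" && sshd_uses_sss_authorizedkeys "$d/sshd_config"; then
        echo "sss_ssh_authorizedkeys wiring looks complete"
    else
        echo "missing ssh responder or sshd AuthorizedKeysCommand settings"
    fi
    rm -rf "$d"
}
```

A quick functional check after the configuration is in place is to run the helper directly for a known user (sss_ssh_authorizedkeys USER) and confirm it prints the key stored in the directory; the functions above only confirm the wiring, not that SSSD can reach the directory.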
DES and 3DES encryption types have been removed
Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) and triple-DES (3DES) encryption types have been removed from RHEL 8.
If you have configured services or users to only use DES or 3DES encryption, you might experience service interruptions such as:
- Kerberos authentication errors
- unknown enctype encryption errors
- Key Distribution Centers (KDCs) with DES-encrypted Database Master Keys (K/M) fail to start
Perform the following actions to prepare for the upgrade:
- Check if your KDC uses DES or 3DES encryption with the krb5check open source Python scripts. See krb5check on GitHub.
- If you are using DES or 3DES encryption with any Kerberos principals, re-key them with a supported encryption type, such as Advanced Encryption Standard (AES). For instructions on re-keying, see Retiring DES from MIT Kerberos Documentation.
Test independence from DES and 3DES by temporarily setting the following Kerberos options before upgrading:
- In /var/kerberos/krb5kdc/kdc.conf on the KDC, set supported_enctypes and do not include des or des3.
- For every host, in /etc/krb5.conf and any files in /etc/krb5.conf.d, set allow_weak_crypto to false. It is false by default.
- For every host, in /etc/krb5.conf and any files in /etc/krb5.conf.d, set permitted_enctypes, default_tgs_enctypes, and default_tkt_enctypes and do not include des or des3.
- If you do not experience any service interruptions with the test Kerberos settings from the previous step, remove them and upgrade. You do not need those settings after upgrading to the latest Kerberos packages.
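As an added example (not part of the release notes and not the krb5check scripts), the following shell functions scan Kerberos configuration files for the settings the procedure above asks you to remove: allow_weak_crypto = true, and des or des3 entries in supported_enctypes, permitted_enctypes, default_tgs_enctypes and default_tkt_enctypes. Function names and the sample configuration files in the demo are constructed for this example; the audit function walks the real RHEL paths named in the procedure.

```shell
# Added example: find DES/3DES settings in Kerberos configuration before the
# upgrade removes those enctypes. Function names are this example's own;
# the demo's configuration files are constructed, not taken from a real host.

# Print every offending line (with its line number) in one file.
# Returns 0 if the file is clean, 1 if DES or 3DES settings were found.
krb5_weak_crypto_check() {
    file="$1"
    keys='supported_enctypes|permitted_enctypes|default_tgs_enctypes|default_tkt_enctypes'
    # an enctype token: des or des3, optionally with -cipher-hash and :salt suffixes,
    # e.g. des, des3, des-cbc-crc, des3-hmac-sha1:normal
    des='(=|[[:space:]])des3?(-[^[:space:]]*|:[^[:space:]]*)?([[:space:]]|$)'
    chk_rc=0
    if grep -Ein "^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*true" "$file"; then
        chk_rc=1
    fi
    if grep -Ein "^[[:space:]]*($keys)[[:space:]]*=.*$des" "$file"; then
        chk_rc=1
    fi
    return $chk_rc
}

# Check every file a RHEL host reads: the KDC config (if present),
# /etc/krb5.conf and the /etc/krb5.conf.d drop-ins. Returns 1 if any is not clean.
krb5_weak_crypto_audit() {
    audit_rc=0
    for f in /var/kerberos/krb5kdc/kdc.conf /etc/krb5.conf /etc/krb5.conf.d/*; do
        [ -f "$f" ] || continue
        krb5_weak_crypto_check "$f" || audit_rc=1
    done
    return $audit_rc
}

# Demo on constructed files: a KDC still listing des3, a clean client
# config, and a client config that re-enables weak crypto.
krb5_weak_crypto_demo() {
    d=$(mktemp -d)
    printf '[realms]\n EXAMPLE.COM = {\n  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal\n }\n' > "$d/kdc.conf"
    printf '[libdefaults]\n allow_weak_crypto = false\n permitted_enctypes = aes256-cts aes128-cts\n' > "$d/krb5-clean.conf"
    printf '[libdefaults]\n allow_weak_crypto = true\n default_tgs_enctypes = aes256-cts des-cbc-crc\n' > "$d/krb5-weak.conf"
    for f in "$d"/*; do
        if krb5_weak_crypto_check "$f" >/dev/null; then
            echo "clean: $f"
        else
            echo "needs re-keying or config changes: $f"
        fi
    done
    rm -rf "$d"
}
```

Run krb5_weak_crypto_audit on each host before upgrading; a non-zero return means a KDC or client still pins DES or 3DES and needs re-keying or the configuration changes listed above. The check only inspects single-line settings; values continued across lines are not parsed.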
The SMB1 protocol is deprecated in Samba
Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release.
To improve the security, by default, SMB1 is disabled in the Samba server and client utilities.
(JIRA:RHELDOCS-16612)
5.6.10. Desktop
The libgnome-keyring library has been deprecated
The libgnome-keyring library has been deprecated in favor of the libsecret library, as libgnome-keyring is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. The new libsecret library is the replacement that follows the necessary security standards.
(BZ#1607766)
The AlternateTab extension has been removed
The gnome-shell-extension-alternate-tab package, which provides the AlternateTab GNOME Shell extension, has been removed.
To configure the window-switching behavior, set a keyboard shortcut in keyboard settings. For more information, see the following article: Using Alternate-Tab in Gnome 3.32 or later.
(BZ#1922488)
5.6.11. Graphics infrastructures
AGP graphics cards are no longer supported
Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement.
(BZ#1569610)
5.6.12. The web console
The web console no longer supports incomplete translations
The RHEL web console no longer provides translations for languages that have translations available for less than 50 % of the Console’s translatable strings. If the browser requests translation to such a language, the user interface will be in English instead.
5.6.13. Red Hat Enterprise Linux System Roles
The geoipupdate package has been deprecated
The geoipupdate package requires a third-party subscription and it also downloads proprietary content. Therefore, the geoipupdate package has been deprecated, and will be removed in the next major RHEL version.
(BZ#1874892)
5.6.14. Virtualization
SPICE has been deprecated
The SPICE remote display protocol has become deprecated. As a result, SPICE will remain supported in RHEL 8, but Red Hat recommends using alternate solutions for remote display streaming:
- For remote console access, use the VNC protocol.
- For advanced remote display functions, use third party tools such as RDP, HP RGS, or Mechdyne TGX.
Note that the QXL graphics device, which is used by SPICE, has become deprecated as well.
(BZ#1849563)
virt-manager has been deprecated
The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL 8 web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager may not yet be available in the RHEL 8 web console.
(JIRA:RHELPLAN-10304)
Virtual machine snapshots are not properly supported in RHEL 8
The current mechanism of creating virtual machine (VM) snapshots has been deprecated, as it is not working reliably. As a consequence, it is recommended not to use VM snapshots in RHEL 8.
Note that a new VM snapshot mechanism is under development and will be fully implemented in a future minor release of RHEL 8.
The Cirrus VGA virtual GPU type has been deprecated
With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga or virtio-vga devices instead of Cirrus VGA.
(BZ#1651994)
5.6.15. Containers
Podman varlink-based REST API V1 has been deprecated
The Podman varlink-based REST API V1 has been deprecated upstream in favor of the new Podman REST API V2. This functionality will be removed in a later release of Red Hat Enterprise Linux 8.
(JIRA:RHELPLAN-60226)
5.6.16. Deprecated packages
The following packages have been deprecated and will probably not be included in a future major release of Red Hat Enterprise Linux:
- 389-ds-base-legacy-tools
- authd
- custodia
- hostname
- libidn
- lorax-composer
- mercurial
- net-tools
- network-scripts
- nss-pam-ldapd
- sendmail
- yp-tools
- ypbind
- ypserv
5.7. Known issues
This part describes known issues in Red Hat Enterprise Linux 8.3.
5.7.1. Installer and image creation
The auth and authconfig Kickstart commands require the AppStream repository
The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.
To work around this problem, verify that the BaseOS and AppStream repositories are available to the installer or use the authselect Kickstart command during installation.
(BZ#1640697)
The reboot --kexec and inst.kexec commands do not provide a predictable system state
Performing a RHEL installation with the reboot --kexec Kickstart command or the inst.kexec kernel boot parameters does not provide the same predictable system state as a full reboot. As a consequence, switching to the installed system without rebooting can produce unpredictable results.
Note that the kexec feature is deprecated and will be removed in a future release of Red Hat Enterprise Linux.
(BZ#1697896)
Network access is not enabled by default in the installation program
Several installation features require network access, for example, registration of a system using the Content Delivery Network (CDN), NTP server support, and network installation sources. However, network access is not enabled by default, and as a result, these features cannot be used until network access is enabled.
To work around this problem, add ip=dhcp to boot options to enable network access when the installation starts. Optionally, passing a Kickstart file or a repository located on the network using boot options also resolves the problem. As a result, the network-based installation features can be used.
(BZ#1757877)
The new osbuild-composer back end does not replicate the blueprint state from lorax-composer on upgrades
For Image Builder users upgrading from the lorax-composer back end to the new osbuild-composer back end, blueprints can disappear. As a result, once the upgrade is complete, the blueprints do not display automatically. To work around this problem, perform the following steps.
Prerequisites
- You have the composer-cli CLI utility installed.
Procedure
- Run the following command to load the previous lorax-composer based blueprints into the new osbuild-composer back end:
$ for blueprint in $(find /var/lib/lorax/composer/blueprints/git/workspace/master -name '*.toml'); do composer-cli blueprints push "${blueprint}"; done
As a result, the same blueprints are now available in the osbuild-composer back end.
Additional resources
- For more details about this Known Issue, see the Image Builder blueprints are no longer present following an update to Red Hat Enterprise Linux 8.3 article.
Self-signed HTTPS server cannot be used in Kickstart installation
Currently, the installer fails to install from a self-signed HTTPS server when the installation source is specified in the Kickstart file and the --noverifyssl option is used:
url --url=https://SERVER/PATH --noverifyssl
To work around this problem, append the inst.noverifyssl parameter to the kernel command line when starting the Kickstart installation.
For example:
inst.ks=<URL> inst.noverifyssl
(BZ#1745064)
GUI installation might fail if an attempt to unregister using the CDN is made before the repository refresh is completed
Since RHEL 8.2, when registering your system and attaching subscriptions using the Content Delivery Network (CDN), a refresh of the repository metadata is started by the GUI installation program. The refresh process is not part of the registration and subscription process, and as a consequence, the Unregister button is enabled in the Connect to Red Hat window. Depending on the network connection, the refresh process might take more than a minute to complete. If you click the Unregister button before the refresh process is completed, the GUI installation might fail as the unregister process removes the CDN repository files and the certificates required by the installation program to communicate with the CDN.
To work around this problem, complete the following steps in the GUI installation after you have clicked the Register button in the Connect to Red Hat window:
- From the Connect to Red Hat window, click Done to return to the Installation Summary window.
- From the Installation Summary window, verify that the Installation Source and Software Selection status messages in italics are not displaying any processing information.
- When the Installation Source and Software Selection categories are ready, click Connect to Red Hat.
- Click the Unregister button.
After performing these steps, you can safely unregister the system during the GUI installation.
(BZ#1821192)
Registration fails for user accounts that belong to multiple organizations
Currently, when you attempt to register a system with a user account that belongs to multiple organizations, the registration process fails with the error message You must specify an organization for new units.
To work around this problem, you can either:
- Use a different user account that does not belong to multiple organizations.
- Use the Activation Key authentication method available in the Connect to Red Hat feature for GUI and Kickstart installations.
- Skip the registration step in Connect to Red Hat and use Subscription Manager to register your system post-installation.
RHEL installer fails to start when InfiniBand network interfaces are configured using installer boot options
When you configure InfiniBand network interfaces at an early stage of RHEL installation using installer boot options (for example, to download installer image using PXE server), the installer fails to activate the network interfaces.
This issue occurs because the RHEL NetworkManager fails to recognize the network interfaces in InfiniBand mode, and instead configures Ethernet connections for the interfaces.
As a result, connection activation fails, and if the connectivity over the InfiniBand interface is required at an early stage, RHEL installer fails to start the installation.
To work around this issue, create new installation media including the updated Anaconda and NetworkManager packages, using the Lorax tool.
For more information about creating new installation media including the updated Anaconda and NetworkManager packages using the Lorax tool, see Unable to install Red Hat Enterprise Linux 8.3.0 with InfiniBand network interfaces.
(BZ#1890261)
Anaconda installation fails when the NVDIMM device namespace is set to devdax mode
Anaconda installation fails with a traceback after booting with the NVDIMM device namespace set to devdax mode before the GUI installation.
To work around this problem, reconfigure the NVDIMM device to set the namespace to a mode other than devdax before the installation begins. As a result, you can proceed with the installation.
(BZ#1891827)
Local Media installation source is not detected when booting the installation from a USB that is created using a third party tool
When booting the RHEL installation from a USB that is created using a third party tool, the installer fails to detect the Local Media installation source (only 'Red Hat CDN' is detected).
This issue occurs because the default boot option inst.stage2= attempts to search for the iso9660 image format. However, a third party tool might create an ISO image with a different format.
As a workaround, use one of the following solutions:
- When booting the installation, press the Tab key to edit the kernel command line, and change the boot option inst.stage2= to inst.repo=.
- To create a bootable USB device on Windows, use Fedora Media Writer.
- When using a third party tool like Rufus to create a bootable USB device, first regenerate the RHEL ISO image on a Linux system, and then use the third party tool to create a bootable USB device.
For more information on the steps involved in performing any of the specified workarounds, see Installation media is not auto detected during the installation of RHEL 8.3.
(BZ#1877697)
Anaconda now shows a dialog for ldl or unformatted DASD disks in text mode
Previously, during an installation in text mode, Anaconda failed to show a dialog for Linux disk layout (ldl) or unformatted Direct-Access Storage Device (DASD) disks. As a result, users were unable to utilize those disks for the installation.
With this update, in text mode Anaconda recognizes ldl and unformatted DASD disks and shows a dialog where users can format them properly for later use in the installation.
(BZ#1874394)
Red Hat Insights client fails to register the operating system when using the graphical installer
Currently, the installation fails with an error at the end, which points to the Insights client.
To work around this problem, uncheck the Connect to Red Hat Insights option during the Connect to Red Hat step before registering the systems in the installer.
As a result, you can complete the installation and register to Insights afterwards by using this command:
# insights-client --register
5.7.2. Subscription management
syspurpose addons have no effect on the subscription-manager attach --auto output
In Red Hat Enterprise Linux 8, four attributes of the syspurpose command-line tool have been added: role, usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect the output of running the subscription-manager attach --auto command. Users who attempt to set values to the addons argument will not observe any effect on the subscriptions that are auto-attached.
5.7.3. Infrastructure services
libmaxminddb-devel-debuginfo.rpm is removed when running dnf update
When performing the dnf update command, the binary mmdblookup tool is moved from the libmaxminddb-devel subpackage to the main libmaxminddb package. Consequently, the libmaxminddb-devel-debuginfo.rpm is removed, which might create a broken update path for this package. To work around this problem, remove the libmaxminddb-devel-debuginfo package prior to the execution of the dnf update command.
Note: libmaxminddb-debuginfo is the new debuginfo package.
(BZ#1642001)
5.7.4. Security
Users can run sudo commands as locked users
In systems where sudoers permissions are defined with the ALL keyword, sudo users with permissions can run sudo commands as users whose accounts are locked. Consequently, locked and expired accounts can still be used to execute commands.
To work around this problem, enable the newly implemented runas_check_shell option together with proper settings of valid shells in /etc/shells. This prevents attackers from running commands under system accounts such as bin.
(BZ#1786990)
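The workaround depends on /etc/shells listing only real login shells, because runas_check_shell rejects sudo -u targets whose shell is not in that file. The following check, added here as an example and not part of the Red Hat release notes, lists accounts that are locked in the shadow file (password field starting with ! or *) but still carry a shell listed in /etc/shells; those are the accounts that a sudoer with ALL could still run commands as even with the option enabled, so they are the ones to review. File paths are parameters (reading the real /etc/shadow needs root), and the sample account files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the RHEL 8.3 release notes): find locked accounts that
# runas_check_shell would still accept as "sudo -u" targets, because their
# login shell is listed in /etc/shells.

# Usage: locked_accounts_with_valid_shell PASSWD_FILE SHADOW_FILE SHELLS_FILE
# Prints one account name per line. Paths are parameters so that the check
# can be run against copies of the real files.
locked_accounts_with_valid_shell() {
    passwd_file=$1
    shadow_file=$2
    shells_file=$3
    awk -F: '
        # first input: /etc/shells, one shell per line; skip comments and blanks
        FILENAME == ARGV[1] { if ($0 !~ /^#/ && $0 != "") valid[$0] = 1; next }
        # second input: /etc/shadow; a password field starting with ! or * means
        # the account is locked or has no usable password
        FILENAME == ARGV[2] { if ($2 ~ /^[!*]/) locked[$1] = 1; next }
        # third input: /etc/passwd; report locked accounts whose shell is valid
        ($1 in locked) && ($7 in valid) { print $1 }
    ' "$shells_file" "$shadow_file" "$passwd_file"
}

# Write constructed sample files into DIR for a demonstration run.
# "operator" is locked (!!) but keeps /bin/bash, which is in /etc/shells;
# "bin" is locked too but uses /sbin/nologin, which is not listed.
write_sample_account_files() {
    dir=$1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'bin:x:1:1:bin:/bin:/sbin/nologin' \
        'operator:x:11:0:operator:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' > "$dir/passwd"
    printf '%s\n' \
        'root:$6$constructedhash:18000:0:99999:7:::' \
        'bin:*:18000:0:99999:7:::' \
        'operator:!!:18000:0:99999:7:::' \
        'alice:$6$constructedhash:18000:0:99999:7:::' > "$dir/shadow"
    printf '%s\n' '/bin/sh' '/bin/bash' > "$dir/shells"
}

# Demonstration on the constructed sample; on a real host pass
# /etc/passwd /etc/shadow /etc/shells (as root) instead.
demo_dir=$(mktemp -d)
write_sample_account_files "$demo_dir"
locked_accounts_with_valid_shell "$demo_dir/passwd" "$demo_dir/shadow" "$demo_dir/shells"
rm -rf "$demo_dir"
```

Any account the check prints either needs its shell changed to /sbin/nologin (or another shell not listed in /etc/shells), or needs the ALL entry in sudoers narrowed to a runas list that excludes it.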
GnuTLS fails to resume current session with the NSS server
When resuming a TLS (Transport Layer Security) 1.3 session, the GnuTLS client waits 60 milliseconds plus an estimated round trip time for the server to send session resumption data. If the server does not send the resumption data within this time, the client creates a new session instead of resuming the current session. This incurs no serious adverse effects except for a minor performance impact on a regular session negotiation.
libselinux-python is available only through its module
The libselinux-python package contains only Python 2 bindings for developing SELinux applications and it is used for backward compatibility. For this reason, libselinux-python is no longer available in the default RHEL 8 repositories through the dnf install libselinux-python command.
To work around this problem, enable both the libselinux-python and python27 modules, and install the libselinux-python package and its dependencies with the following commands:
# dnf module enable libselinux-python
# dnf install libselinux-python
Alternatively, install libselinux-python using its install profile with a single command:
# dnf module install libselinux-python:2.8/common
As a result, you can install libselinux-python using the respective module.
(BZ#1666328)
udica processes UBI 8 containers only when started with --env container=podman
The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. This prevents the udica tool from analyzing a container JavaScript Object Notation (JSON) file.
To work around this problem, start a UBI 8 container using a podman command with the --env container=podman parameter. As a result, udica can generate an SELinux policy for a UBI 8 container only when you use the described workaround.
Negative effects of the default logging setup on performance
The default logging environment setup might consume 4 GB of memory or even more, and adjustments of rate-limit values are complex when systemd-journald is running with rsyslog.
See the Negative effects of the RHEL default logging setup on performance and their mitigations Knowledgebase article for more information.
(JIRA:RHELPLAN-10431)
File permissions of /etc/passwd- are not aligned with the CIS RHEL 8 Benchmark 1.0.0
Because of an issue with the CIS Benchmark, the remediation of the SCAP rule that ensures permissions on the /etc/passwd- backup file configures permissions to 0644. However, the CIS Red Hat Enterprise Linux 8 Benchmark 1.0.0 requires file permissions 0600 for that file. As a consequence, the file permissions of /etc/passwd- are not aligned with the benchmark after remediation.
SELINUX=disabled in /etc/selinux/config does not work properly
Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config file results in a process in which the kernel boots with SELinux enabled and switches to disabled mode later in the boot process. This might cause memory leaks.
To work around this problem, if your scenario really requires completely disabling SELinux, disable it by adding the selinux=0 parameter to the kernel command line as described in the Changing SELinux modes at boot time section of the Using SELinux title.
(JIRA:RHELPLAN-34199)
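A host that was "disabled" through the config file alone is the problematic case described above, and it is easy to miss in an audit because getenforce reports Disabled either way. The following check, added here as an example rather than taken from the release notes, reports which of the two mechanisms is in effect from the two files involved; the file paths are parameters and the sample config and kernel command lines are constructed.

```shell
#!/bin/sh
# Added example (not from the RHEL 8.3 release notes): report how SELinux is
# being disabled on a host, so that the SELINUX=disabled-in-config case the
# note describes can be flagged in a compliance check.

# Usage: selinux_disable_method CONFIG_FILE CMDLINE_FILE
# Prints one of:
#   kernel-cmdline  selinux=0 is on the kernel command line (the supported way)
#   config-only     /etc/selinux/config says disabled but the kernel booted
#                   with SELinux enabled (the problematic case)
#   enabled         neither is set
selinux_disable_method() {
    cfg=$1          # normally /etc/selinux/config
    cmdline=$2      # normally /proc/cmdline
    if tr ' ' '\n' < "$cmdline" | grep -qx 'selinux=0'; then
        echo kernel-cmdline
    elif grep -qE '^[[:space:]]*SELINUX=disabled[[:space:]]*$' "$cfg"; then
        echo config-only
    else
        echo enabled
    fi
}

# Constructed sample inputs for a demonstration run (not real host data).
write_sample_selinux_files() {
    dir=$1
    printf '%s\n' '# This file controls the state of SELinux on the system.' \
        'SELINUX=disabled' 'SELINUXTYPE=targeted' > "$dir/config"
    printf '%s\n' 'BOOT_IMAGE=(hd0,gpt2)/vmlinuz-4.18.0 root=/dev/mapper/rhel-root ro quiet' \
        > "$dir/cmdline-config-only"
    printf '%s\n' 'BOOT_IMAGE=(hd0,gpt2)/vmlinuz-4.18.0 root=/dev/mapper/rhel-root ro quiet selinux=0' \
        > "$dir/cmdline-kernel"
}

d=$(mktemp -d)
write_sample_selinux_files "$d"
selinux_disable_method "$d/config" "$d/cmdline-config-only"   # config-only
selinux_disable_method "$d/config" "$d/cmdline-kernel"        # kernel-cmdline
rm -rf "$d"
```

On a live system call it as selinux_disable_method /etc/selinux/config /proc/cmdline; a result of config-only means the host is running the setup the note warns about.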
ssh-keyscan cannot retrieve RSA keys of servers in FIPS mode
The SHA-1 algorithm is disabled for RSA signatures in FIPS mode, which prevents the ssh-keyscan utility from retrieving RSA keys of servers operating in that mode.
To work around this problem, use ECDSA keys instead, or retrieve the keys locally from the /etc/ssh/ssh_host_rsa_key.pub file on the server.
OpenSSL incorrectly handles PKCS #11 tokens that do not support raw RSA or RSA-PSS signatures
The OpenSSL library does not detect key-related capabilities of PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created with a token that does not support raw RSA or RSA-PSS signatures.
To work around the problem, add the following lines after the .include line at the end of the crypto_policy section in the /etc/pki/tls/openssl.cnf file:
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
MaxProtocol = TLSv1.2
As a result, a TLS connection can be established in the described scenario.
(BZ#1685470)
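Applying the two lines by hand on a fleet is error-prone (the lines land in the wrong section, or get duplicated on a re-run). The script below, an added example that is not Red Hat's own tooling, inserts them directly after the .include line of the [ crypto_policy ] section and is safe to run twice; the sample openssl.cnf it builds is constructed with the same section layout as the stock RHEL 8 file.

```shell
#!/bin/sh
# Added example (not from the RHEL 8.3 release notes): apply the two-line
# openssl.cnf workaround idempotently, inserting the lines right after the
# ".include" line of the [ crypto_policy ] section.

# Usage: add_pkcs11_signature_workaround CNF_FILE
# Rewrites CNF_FILE in place; a second run makes no further change.
add_pkcs11_signature_workaround() {
    cnf=$1
    if grep -q '^SignatureAlgorithms[[:space:]]*=' "$cnf"; then
        return 0    # already applied
    fi
    tmp=$(mktemp)
    awk '
        # track whether we are inside the [ crypto_policy ] section
        /^\[[[:space:]]*crypto_policy[[:space:]]*\]/ { in_section = 1 }
        /^\[/ && $0 !~ /crypto_policy/             { in_section = 0 }
        { print }
        # the lines from the release note go directly after the .include line
        in_section && /^\.include/ {
            print "SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384"
            print "MaxProtocol = TLSv1.2"
        }
    ' "$cnf" > "$tmp"
    # copy the content back instead of mv, to keep owner, mode and SELinux label
    cat "$tmp" > "$cnf"
    rm -f "$tmp"
}

# Prints the line that follows the .include line, for verification.
line_after_include() {
    awk 'prev ~ /^\.include/ { print; exit } { prev = $0 }' "$1"
}

# Constructed sample mirroring the section layout of the stock RHEL 8 file.
write_sample_openssl_cnf() {
    printf '%s\n' \
        'openssl_conf = default_modules' \
        '' \
        '[ default_modules ]' \
        'ssl_conf = ssl_module' \
        '' \
        '[ ssl_module ]' \
        'system_default = crypto_policy' \
        '' \
        '[ crypto_policy ]' \
        '.include /etc/crypto-policies/back-ends/opensslcnf.config' \
        '' \
        '[ new_oids ]' > "$1"
}

d=$(mktemp -d)
write_sample_openssl_cnf "$d/openssl.cnf"
add_pkcs11_signature_workaround "$d/openssl.cnf"
add_pkcs11_signature_workaround "$d/openssl.cnf"   # second run is a no-op
cat "$d/openssl.cnf"
rm -rf "$d"
```

Note that MaxProtocol = TLSv1.2 applies to every application that inherits the crypto_policy section, not only to the one using the token, so scope the change to the hosts that need it and revert it once the OpenSSL fix is available.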
OpenSSL in FIPS mode accepts only specific D-H parameters
In FIPS mode, Transport Layer Security (TLS) clients that use OpenSSL return a bad dh value error and abort TLS connections to servers that use manually generated parameters. This is because OpenSSL, when configured to work in compliance with FIPS 140-2, works only with D-H parameters compliant to NIST SP 800-56A rev3 Appendix D (groups 14, 15, 16, 17, and 18 defined in RFC 3526 and with groups defined in RFC 7919). Also, servers that use OpenSSL ignore all other parameters and instead select known parameters of similar size. To work around this problem, use only the compliant groups.
(BZ#1810911)
Removing the rpm-plugin-selinux package leads to removing all selinux-policy packages from the system
Removing the rpm-plugin-selinux package disables SELinux on the machine. It also removes all selinux-policy packages from the system. Repeated installation of the rpm-plugin-selinux package then installs the selinux-policy-minimum SELinux policy, even if the selinux-policy-targeted policy was previously present on the system. However, the repeated installation does not update the SELinux configuration file to account for the change in policy. As a consequence, SELinux is disabled even upon reinstallation of the rpm-plugin-selinux package.
To work around this problem:
- Enter the umount /sys/fs/selinux/ command.
- Manually install the missing selinux-policy-targeted package.
- Edit the /etc/selinux/config file so that the policy is equal to SELINUX=enforcing.
- Enter the command load_policy -i.
As a result, SELinux is enabled and running the same policy as before.
(BZ#1641631)
systemd service cannot execute commands from arbitrary paths
The systemd service cannot execute commands from arbitrary paths such as /home/user/bin because the SELinux policy package does not include any such rule. Consequently, custom services that are executed from non-system paths fail, and SELinux logs Access Vector Cache (AVC) denial audit messages when it denies the access. To work around this problem, do one of the following:
- Execute the command using a shell script with the -c option. For example, bash -c command.
- Execute the command from a common path using the /bin, /sbin, /usr/sbin, /usr/local/bin, and /usr/local/sbin common directories.
rpm_verify_permissions fails in the CIS profile
The rpm_verify_permissions rule compares file permissions to package default permissions. However, the Center for Internet Security (CIS) profile, which is provided by the scap-security-guide packages, changes some file permissions to be more strict than default. As a consequence, verification of certain files using rpm_verify_permissions fails.
To work around this problem, manually verify that these files have the following permissions:
- /etc/cron.d (0700)
- /etc/cron.hourly (0700)
- /etc/cron.monthly (0700)
- /etc/crontab (0600)
- /etc/cron.weekly (0700)
- /etc/cron.daily (0700)
Kickstart uses org_fedora_oscap instead of com_redhat_oscap in RHEL 8
The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda add-on as org_fedora_oscap instead of com_redhat_oscap, which might cause confusion. That is done to preserve backward compatibility with Red Hat Enterprise Linux 7.
(BZ#1665082)
Certain sets of interdependent rules in SSG can fail
Remediation of SCAP Security Guide (SSG) rules in a benchmark can fail due to undefined ordering of rules and their dependencies. If two or more rules need to be executed in a particular order, for example, when one rule installs a component and another rule configures the same component, they can run in the wrong order and remediation reports an error. To work around this problem, run the remediation twice, and the second run fixes the dependent rules.
OSCAP Anaconda Addon does not install all packages in text mode
The OSCAP Anaconda Addon plugin cannot modify the list of packages selected for installation by the system installer if the installation is running in text mode. Consequently, when a security policy profile is specified using Kickstart and the installation is running in text mode, any additional packages required by the security policy are not installed during installation.
To work around this problem, either run the installation in graphical mode or specify all packages that are required by the security policy profile in the %packages section in your Kickstart file.
As a result, packages that are required by the security policy profile are not installed during RHEL installation without one of the described workarounds, and the installed system is not compliant with the given security policy profile.
OSCAP Anaconda Addon does not correctly handle customized profiles
The OSCAP Anaconda Addon plugin does not properly handle security profiles with customizations in separate files. Consequently, the customized profile is not available in the RHEL graphical installation even when you properly specify it in the corresponding Kickstart section.
To work around this problem, follow the instructions in the Creating a single SCAP data stream from an original DS and a tailoring file Knowledgebase article. As a result of this workaround, you can use a customized SCAP profile in the RHEL graphical installation.
(BZ#1691305)
OSPP-based profiles are incompatible with GUI package groups
GNOME packages installed by the Server with GUI package group require the nfs-utils package, which is not compliant with the Operating System Protection Profile (OSPP). As a consequence, when you select the Server with GUI package group during the installation of a system with the OSPP profile or an OSPP-based profile, for example, the Security Technical Implementation Guide (STIG), OpenSCAP displays a warning that the selected package group is not compatible with the security policy. If the OSPP-based profile is applied after the installation, the system is not bootable. To work around this problem, do not install the Server with GUI package group or any other groups that install a GUI when using the OSPP profile or OSPP-based profiles. When you use the Server or Minimal Install package groups instead, the system installs without issues and works correctly.
Installation with the Server with GUI or Workstation software selections and CIS security profile is not possible
The CIS security profile is not compatible with the Server with GUI and Workstation software selections. As a consequence, a RHEL 8 installation with the Server with GUI software selection and CIS profile is not possible. An attempted installation using the CIS profile and either of these software selections will generate the error message:
package xorg-x11-server-common has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the installation.
To work around the problem, do not use the CIS security profile with the Server with GUI or Workstation software selections.
Remediating service-related rules during kickstart installations might fail
During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service enable or disable state remediation is not needed. Consequently, OpenSCAP might set the services on the installed system to a non-compliant state. As a workaround, you can scan and remediate the system after the kickstart installation. This will fix the service-related issues.
Certain rsyslog priority strings do not work correctly
Support for the GnuTLS priority string for imtcp that allows fine-grained control over encryption is not complete. Consequently, the following priority strings do not work properly in rsyslog:
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
To work around this problem, use only correctly working priority strings:
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
As a result, current configurations must be limited to the strings that work correctly.
crypto-policies incorrectly allow Camellia ciphers
The RHEL 8 system-wide cryptographic policies should disable Camellia ciphers in all policy levels, as stated in the product documentation. However, the Kerberos protocol enables the ciphers by default.
To work around the problem, apply the NO-CAMELLIA subpolicy:
# update-crypto-policies --set DEFAULT:NO-CAMELLIA
In the previous command, replace DEFAULT with the cryptographic level name if you have switched from DEFAULT previously.
As a result, Camellia ciphers are correctly disallowed across all applications that use system-wide crypto policies only when you disable them through the workaround.
(BZ#1919155)
5.7.5. Networking
The iptables utility now requests module loading for commands that update a chain regardless of the NLM_F_CREATE flag
Previously, when setting a chain’s policy, the iptables-nft utility generated a NEWCHAIN message but did not set the NLM_F_CREATE flag. As a consequence, the RHEL 8 kernel did not load any modules and the resulting update chain command failed if the associated kernel modules were not manually loaded. With this update, the iptables-nft utility now requests module loading for all commands that update a chain and users are able to set a chain’s policy using the iptables-nft utility without manually loading the associated modules.
(BZ#1812666)
Support for updating packet/byte counters in the kernel was changed incorrectly between RHEL 7 and RHEL 8
When referring to an ipset command with enabled counters from an iptables rule, which specifies additional constraints on matching ipset entries, the ipset counters are updated only if all the additional constraints match. This is also problematic with --packets-gt or --bytes-gt constraints.
As a result, when migrating an iptables ruleset from RHEL 7 to RHEL 8, the rules involving ipset lookups may stop working and need to be adjusted. To work around this problem, avoid using the --packets-gt or --bytes-gt options and replace them with the --packets-lt or --bytes-lt options.
(BZ#1806882)
Unloading XDP programs fails on Netronome network cards that use the nfp driver
The nfp driver for Netronome network cards contains a bug. Therefore, unloading eXpress Data Path (XDP) programs fails if you use such cards and load the XDP program using the IFLA_XDP_EXPECTED_FD feature with the XDP_FLAGS_REPLACE flag. For example, this bug affects XDP programs that are loaded using the libxdp library. Currently, there is no workaround available for the problem.
Anaconda does not have network access when using DHCP in the ip boot option
The initial RAM disk (initrd) uses NetworkManager to manage networking. The dracut NetworkManager module provided by the RHEL 8.3 ISO file incorrectly assumes that the first field of the ip option in the Anaconda boot options is always set. As a consequence, if you use DHCP and set ip=::::<host_name>::dhcp, NetworkManager does not retrieve an IP address, and the network is not available in Anaconda.
You have the following options to work around the problem:
- Set the first field in the ip option to . (period): ip=.::::<host_name>::dhcp
Note that this workaround will not work in future versions of RHEL when the problem has been fixed.
- Re-create the boot.iso file using the latest packages from the BaseOS repository that contains a fix for the bug:
# lorax '--product=Red Hat Enterprise Linux' --version=8.3 --release=8.3 \
    --source=<URL_to_BaseOS_repository> \
    --source=<URL_to_AppStream_repository> \
    --nomacboot --buildarch=x86_64 '--volid=RHEL 8.3' <output_directory>
Note that Red Hat does not support self-created ISO files.
As a result, RHEL retrieves an IP address from the DHCP server, and network access is available in Anaconda.
(BZ#1902791)
5.7.6. Kernel
The tboot-1.9.12-2 utility causes a boot failure in RHEL 8
The tboot utility of version 1.9.12-2 causes some systems with Trusted Platform Module (TPM) 2.0 to fail to boot in legacy mode. As a consequence, the system halts once it attempts to boot from the tboot Grand Unified Bootloader (GRUB) entry. To work around this problem, downgrade to tboot version 1.9.10.
(BZ#1947839)
The kernel returns false positive warnings on IBM Z systems
In RHEL 8, IBM Z systems are missing a whitelist entry for the ZONE_DMA memory zone to allow user access. Consequently, the kernel returns false positive warnings such as:
...
Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dma-kmalloc-192' (offset 0, size 144)!
WARNING: CPU: 0 PID: 8519 at mm/usercopy.c:83 usercopy_warn+0xac/0xd8
...
The warnings appear when accessing certain system information through the sysfs interface, for example, by running the debuginfo.sh script.
To work around this problem, add the hardened_usercopy=off parameter to the kernel command line.
As a result, no warning messages are displayed in the described scenario.
(BZ#1660290)
The rngd service busy wait causes total CPU consumption in FIPS mode
A new kernel entropy source for FIPS mode has been added for kernels starting with version 4.18.0-193.10. Consequently, when in FIPS mode, the rngd service busy waits on the poll() system call for the /dev/random device, thereby causing consumption of 100% of CPU time. To work around this problem, stop and disable rngd by running:
# systemctl stop rngd
# systemctl disable rngd
As a result, rngd no longer busy waits on poll() in the described scenario.
(BZ#1884857)
softirq changes can cause the localhost interface to drop UDP packets when under heavy load
Changes in the Linux kernel’s software interrupt (softirq) handling are done to reduce denial of service (DOS) effects. Consequently, this leads to situations where the localhost interface drops User Datagram Protocol (UDP) packets under heavy load.
To work around this problem, increase the size of the network device backlog buffer to value 6000:
echo 6000 > /proc/sys/net/core/netdev_max_backlog
In Red Hat tests, this value was sufficient to prevent packet loss. More heavily loaded systems might require larger backlog values. Increased backlogs have the effect of potentially increasing latency on the localhost interface.
The result is to increase the buffer and allow more packets to be waiting for processing, which reduces the chances of dropping localhost packets.
(BZ#1779337)
A vmcore capture fails after memory hot-plug or unplug operation
After performing the memory hot-plug or hot-unplug operation, the event comes after updating the device tree which contains memory layout information. Thereby the makedumpfile utility tries to access a non-existent physical address. The problem appears if all of the following conditions are met:
- A little-endian variant of IBM Power System runs RHEL 8.
- The kdump or fadump service is enabled on the system.
Consequently, the capture kernel fails to save vmcore if a kernel crash is triggered after the memory hot-plug or hot-unplug operation.
To work around this problem, restart the kdump service after hot-plug or hot-unplug:
# systemctl restart kdump.service
As a result, vmcore is successfully saved in the described scenario.
(BZ#1793389)
Using irqpoll causes vmcore generation failure
Due to an existing problem with the nvme driver on the 64-bit ARM architectures that run on the Amazon Web Services (AWS) cloud platforms, the vmcore generation fails when you provide the irqpoll kernel command line parameter to the first kernel. Consequently, no vmcore file is dumped in the /var/crash/ directory after a kernel crash. To work around this problem:
- Add irqpoll to the KDUMP_COMMANDLINE_REMOVE key in the /etc/sysconfig/kdump file.
- Restart the kdump service by running the systemctl restart kdump command.
As a result, the first kernel boots correctly and the vmcore file is expected to be captured upon the kernel crash.
Note that the kdump service can use a significant amount of crash kernel memory to dump the vmcore file. Ensure that the capture kernel has sufficient memory available for the kdump service.
(BZ#1654962)
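The first step of the workaround is a one-word edit to a quoted, space-separated value, which is easy to get wrong under automation (duplicated word, broken quotes, key missing entirely). The functions below, added here as an example and not Red Hat's kdump tooling, make that edit idempotently and let you verify it; the sample /etc/sysconfig/kdump they operate on is constructed. The service restart from the second step is deliberately not performed by the script.

```shell
#!/bin/sh
# Added example (not from the RHEL 8.3 release notes): add a parameter to
# KDUMP_COMMANDLINE_REMOVE in /etc/sysconfig/kdump idempotently, which is the
# first step of the irqpoll workaround. A restart of the kdump service
# (systemctl restart kdump) is still needed afterwards and is not done here.

# Usage: kdump_add_commandline_remove CONFIG_FILE PARAMETER
# Appends PARAMETER to the quoted KDUMP_COMMANDLINE_REMOVE value if it is not
# already present, or creates the line if the key is missing.
kdump_add_commandline_remove() {
    cfg=$1
    param=$2
    tmp=$(mktemp)
    awk -v p="$param" '
        /^KDUMP_COMMANDLINE_REMOVE=/ {
            found = 1
            line = $0
            sub(/^KDUMP_COMMANDLINE_REMOVE=/, "", line)
            gsub(/"/, "", line)                   # strip the surrounding quotes
            n = split(line, words, " ")
            present = 0
            for (i = 1; i <= n; i++) if (words[i] == p) present = 1
            if (!present) line = (line == "") ? p : line " " p
            print "KDUMP_COMMANDLINE_REMOVE=\"" line "\""
            next
        }
        { print }
        END { if (!found) print "KDUMP_COMMANDLINE_REMOVE=\"" p "\"" }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"     # keep owner, mode and SELinux label of the original
    rm -f "$tmp"
}

# Usage: kdump_commandline_remove_has CONFIG_FILE PARAMETER
# Returns 0 when PARAMETER is listed in KDUMP_COMMANDLINE_REMOVE.
kdump_commandline_remove_has() {
    awk -v p="$2" '
        /^KDUMP_COMMANDLINE_REMOVE=/ {
            line = $0
            sub(/^KDUMP_COMMANDLINE_REMOVE=/, "", line)
            gsub(/"/, "", line)
            n = split(line, words, " ")
            for (i = 1; i <= n; i++) if (words[i] == p) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample in the shape of /etc/sysconfig/kdump (not the real file).
write_sample_kdump_conf() {
    printf '%s\n' \
        '# Comments are only allowed at the beginning of a line' \
        'KDUMP_COMMANDLINE=""' \
        'KDUMP_COMMANDLINE_REMOVE="hugepages hugepagesz slub_debug quiet log_buf_len swiotlb"' \
        'KEXEC_ARGS=""' > "$1"
}

d=$(mktemp -d)
write_sample_kdump_conf "$d/kdump"
kdump_add_commandline_remove "$d/kdump" irqpoll
kdump_add_commandline_remove "$d/kdump" irqpoll    # second run changes nothing
grep '^KDUMP_COMMANDLINE_REMOVE=' "$d/kdump"
rm -rf "$d"
```

On the affected host run kdump_add_commandline_remove /etc/sysconfig/kdump irqpoll as root, then systemctl restart kdump as the note says; kdump_commandline_remove_has is the check to put in a compliance scan.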
Debug kernel fails to boot in crash capture environment in RHEL 8
Due to memory-demanding nature of the debug kernel, a problem occurs when the debug kernel is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to boot as the capture kernel, and a stack trace is generated instead. To work around this problem, increase the crash kernel memory accordingly. As a result, the debug kernel successfully boots in the crash capture environment.
(BZ#1659609)
zlib may slow down a vmcore capture in some compression functions
The kdump configuration file uses the lzo compression format (makedumpfile -l) by default. When you modify the configuration file to use the zlib compression format (makedumpfile -c), it is likely to bring a better compression factor at the expense of slowing down the vmcore capture process. As a consequence, it takes kdump up to four times longer to capture a vmcore with zlib, as compared to lzo.
As a result, Red Hat recommends using the default lzo for cases where speed is the main driving factor. However, if the target machine is low on available space, zlib is a better option.
(BZ#1790635)
The HP NMI watchdog does not always generate a crash dump
In certain cases, the hpwdt driver for the HP NMI watchdog is not able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI was instead consumed by the perfmon driver.
The missing NMI is initiated by one of two conditions:
- The Generate NMI button on the Integrated Lights-Out (iLO) server management software. This button is triggered by a user.
- The hpwdt watchdog. The expiration by default sends an NMI to the server.
Both sequences typically occur when the system is unresponsive. Under normal circumstances, the NMI handler for both these situations calls the kernel panic() function and, if configured, the kdump service generates a vmcore file.
Because of the missing NMI, however, kernel panic() is not called and vmcore is not collected.
In the first case (1.), if the system was unresponsive, it remains so. To work around this scenario, use the virtual Power button to reset or power cycle the server.
In the second case (2.), the missing NMI is followed 9 seconds later by a reset from the Automated System Recovery (ASR).
The HPE Gen9 Server line experiences this problem in single-digit percentages. The Gen10 line experiences it at an even smaller frequency.
(BZ#1602962)
The tuned-adm profile powersave command causes the system to become unresponsive
Executing the tuned-adm profile powersave command leads to an unresponsive state of the Penguin Valkyrie 2000 2-socket systems with the older Thunderx (CN88xx) processors. Consequently, reboot the system to resume working. To work around this problem, avoid using the powersave profile if your system matches the mentioned specifications.
(BZ#1609288)
The default 7 4 1 7 printk value sometimes causes temporary system unresponsiveness
The default 7 4 1 7 printk value allows for better debugging of the kernel activity. However, when coupled with a serial console, this printk setting can cause intense I/O bursts that can lead to a RHEL system becoming temporarily unresponsive. To work around this problem, we have added a new optimize-serial-console TuneD profile, which reduces the default printk value to 4 4 1 7. Users can instrument their system as follows:
# tuned-adm profile throughput-performance optimize-serial-console
Having a lower printk value persistent across a reboot reduces the likelihood of system hangs.
Note that this setting change comes at the expense of losing the extra debugging information.
For more information about the newly added feature, see A new optimize-serial-console TuneD profile to reduce I/O to serial consoles by lowering the printk value.
(JIRA:RHELPLAN-28940)
The kernel ACPI driver reports it has no access to a PCIe ECAM memory region
The Advanced Configuration and Power Interface (ACPI) table provided by firmware does not define a memory region on the PCI bus in the Current Resource Settings (_CRS) method for the PCI bus device. Consequently, the following warning message occurs during the system boot:
[ 2.817152] acpi PNP0A08:00: [Firmware Bug]: ECAM area [mem 0x30000000-0x31ffffff] not reserved in ACPI namespace
[ 2.827911] acpi PNP0A08:00: ECAM at [mem 0x30000000-0x31ffffff] for [bus 00-1f]
However, the kernel is still able to access the 0x30000000-0x31ffffff memory region, and can assign that memory region to the PCI Enhanced Configuration Access Mechanism (ECAM) properly. You can verify that PCI ECAM works correctly by accessing the PCIe configuration space over the 256 byte offset with the following output:
03:00.0 Non-Volatile memory controller: Sandisk Corp WD Black 2018/PC SN720 NVMe SSD (prog-if 02 [NVM Express])
...
        Capabilities: [900 v1] L1 PM Substates
                L1SubCap: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2+ ASPM_L1.1- L1_PM_Substates+
                          PortCommonModeRestoreTime=255us PortTPowerOnTime=10us
                L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1-
                           T_CommonMode=0us LTR1.2_Threshold=0ns
                L1SubCtl2: T_PwrOn=10us
As a result, you can ignore the warning message.
For more information about the problem, see the "Firmware Bug: ECAM area mem 0x30000000-0x31ffffff not reserved in ACPI namespace" appears during system boot solution.
(BZ#1868526)
The OPEN MPI library may trigger run-time failures with default PML
In OPEN Message Passing Interface (OPEN MPI) implementation 4.0.x series, Unified Communication X (UCX) is the default point-to-point communicator (PML). The later versions of OPEN MPI 4.0.x series deprecated openib Byte Transfer Layer (BTL).
However, when OPEN MPI is run over a homogeneous cluster (same hardware and software configuration), UCX still uses openib BTL for MPI one-sided operations. As a consequence, this may trigger execution errors. To work around this problem:
- Run the mpirun command using the following parameters:
-mca btl openib -mca pml ucx -x UCX_NET_DEVICES=mlx5_ib0
where:
- The -mca btl openib parameter disables openib BTL.
- The -mca pml ucx parameter configures OPEN MPI to use ucx PML.
- The -x UCX_NET_DEVICES= parameter restricts UCX to use the specified devices.
When OPEN MPI is run over a heterogeneous cluster (different hardware and software configuration), it uses UCX as the default PML. As a consequence, this may cause the OPEN MPI jobs to run with erratic performance, unresponsive behavior, or crash failures. To work around this problem, set the UCX priority as follows:
- Run the mpirun command using the following parameters:
-mca pml_ucx_priority 5
As a result, the OPEN MPI library is able to choose an alternative available transport layer over UCX.
(BZ#1866402)
5.7.7. File systems and storage
The /boot file system cannot be placed on LVM
You cannot place the /boot file system on an LVM logical volume. This limitation exists for the following reasons:
- On EFI systems, the EFI System Partition conventionally serves as the /boot file system. The uEFI standard requires a specific GPT partition type and a specific file system type for this partition.
- RHEL 8 uses the Boot Loader Specification (BLS) for system boot entries. This specification requires that the /boot file system is readable by the platform firmware. On EFI systems, the platform firmware can read only the /boot configuration defined by the uEFI standard.
- The support for LVM logical volumes in the GRUB 2 boot loader is incomplete. Red Hat does not plan to improve the support because the number of use cases for the feature is decreasing due to standards such as uEFI and BLS.
Red Hat does not plan to support /boot on LVM. Instead, Red Hat provides tools for managing system snapshots and rollback that do not need the /boot file system to be placed on an LVM logical volume.
(BZ#1496229)
LVM no longer allows creating volume groups with mixed block sizes
LVM utilities such as vgcreate or vgextend no longer allow you to create volume groups (VGs) where the physical volumes (PVs) have different logical block sizes. LVM has adopted this change because file systems fail to mount if you extend the underlying logical volume (LV) with a PV of a different block size.
To re-enable creating VGs with mixed block sizes, set the allow_mixed_block_sizes=1 option in the lvm.conf file.
Limitations of LVM writecache
The writecache LVM caching method has the following limitations, which are not present in the cache method:
- You cannot name a writecache logical volume when using pvmove commands.
- You cannot use logical volumes with writecache in combination with thin pools or VDO.
The following limitation also applies to the cache method:
- You cannot resize a logical volume while cache or writecache is attached to it.
(JIRA:RHELPLAN-27987, BZ#1798631, BZ#1808012)
LVM mirror devices that store a LUKS volume sometimes become unresponsive
Mirrored LVM devices with a segment type of mirror that store a LUKS volume might become unresponsive under certain conditions. The unresponsive devices reject all I/O operations.
To work around the issue, Red Hat recommends that you use LVM RAID 1 devices with a segment type of raid1 instead of mirror if you need to stack LUKS volumes on top of resilient software-defined storage.
The raid1 segment type is the default RAID configuration type and replaces mirror as the recommended solution.
To convert mirror devices to raid1, see Converting a mirrored LVM device to a RAID1 device.
(BZ#1730502)
An NFS 4.0 patch can result in reduced performance under an open-heavy workload
Previously, a bug was fixed that, in some cases, could cause an NFS open operation to overlook the fact that a file had been removed or renamed on the server. However, the fix may cause slower performance with workloads that require many open operations. To work around this problem, it might help to use NFS version 4.1 or higher, which have been improved to grant delegations to clients in more cases, allowing clients to perform open operations locally, quickly, and safely.
(BZ#1748451)
5.7.8. Dynamic programming languages, web and database servers
getpwnam() might fail when called by a 32-bit application
When a user of NIS uses a 32-bit application that calls the getpwnam() function, the call fails if the nss_nis.i686 package is missing. To work around this problem, manually install the missing package by using the yum install nss_nis.i686 command.
Symbol conflicts between OpenLDAP libraries might cause crashes in httpd
When both the libldap and libldap_r libraries provided by OpenLDAP are loaded and used within a single process, symbol conflicts between these libraries might occur. Consequently, Apache httpd child processes using the PHP ldap extension might terminate unexpectedly if the mod_security or mod_auth_openidc modules are also loaded by the httpd configuration.
With this update to the Apache Portable Runtime (APR) library, you can work around the problem by setting the APR_DEEPBIND environment variable, which enables the use of the RTLD_DEEPBIND dynamic linker option when loading httpd modules. When the APR_DEEPBIND environment variable is enabled, crashes no longer occur in httpd configurations that load conflicting libraries.
(BZ#1819607)
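The note says to set APR_DEEPBIND but not where. The following is an added example, not from the release notes or from the httpd or APR projects, that places the variable in a systemd drop-in for the httpd service and checks that it is there. It assumes httpd runs under systemd as on RHEL 8, and that APR only tests whether the variable is set, so the value 1 is a convention rather than a requirement.

```shell
# Added example: export APR_DEEPBIND to the httpd service through a systemd
# drop-in, so APR loads modules with RTLD_DEEPBIND (BZ#1819607 workaround).
# Assumptions: systemd-managed httpd; APR checks only that the variable exists.

write_deepbind_dropin() {
    # $1: filesystem root to write under ("" for the live host, a temp dir to test).
    dir="$1/etc/systemd/system/httpd.service.d"
    mkdir -p "$dir"
    cat > "$dir/apr-deepbind.conf" <<'EOF'
# Work around libldap/libldap_r symbol conflicts by loading httpd modules
# with RTLD_DEEPBIND. Remove once the conflicting libraries are fixed.
[Service]
Environment=APR_DEEPBIND=1
EOF
    printf '%s\n' "$dir/apr-deepbind.conf"
}

deepbind_configured() {
    # Succeeds when the drop-in under root $1 sets APR_DEEPBIND.
    grep -qs '^Environment=APR_DEEPBIND=' \
        "$1/etc/systemd/system/httpd.service.d/apr-deepbind.conf"
}

# Dry run under a temporary root. On the host, call write_deepbind_dropin ""
# and then: systemctl daemon-reload && systemctl restart httpd
root=$(mktemp -d)
write_deepbind_dropin "$root"
deepbind_configured "$root" && echo "APR_DEEPBIND drop-in written under $root"
rm -rf "$root"
```

Because RTLD_DEEPBIND changes symbol resolution for every module httpd loads, test the full module set (including mod_security and mod_auth_openidc) after enabling it rather than only the PHP ldap path that crashed.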
PAM plug-in does not work in MariaDB
MariaDB 10.3 provides the Pluggable Authentication Modules (PAM) plug-in version 1.0. The MariaDB PAM plug-in version 1.0 does not work in RHEL 8. To work around this problem, use the PAM plug-in version 2.0 provided by the mariadb:10.5 module stream, which is available with RHEL 8.4.
5.7.9. Identity Management
Installing KRA fails if all KRA members are hidden replicas
The ipa-kra-install utility fails on a cluster where the Key Recovery Authority (KRA) is already present, if the first KRA instance is installed on a hidden replica. Consequently, you cannot add further KRA instances to the cluster.
To work around this problem, unhide the hidden replica that has the KRA role before you add new KRA instances. You can hide it again when ipa-kra-install completes successfully.
Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System
Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.
Certificates issued by PKI ACME Responder connected to PKI CA may fail OCSP validation
The default ACME certificate profile provided by PKI CA contains a sample OCSP URL that does not point to an actual OCSP service. As a consequence, if PKI ACME Responder is configured to use a PKI CA issuer, the certificates issued by the responder may fail OCSP validation.
To work around this problem, set the policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0 property to a blank value in the /usr/share/pki/ca/profiles/ca/acmeServerCert.cfg configuration file:
- In the acmeServerCert.cfg profile file, change the line policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ocsp.example.com to policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= (an empty value).
- Restart the service and regenerate the certificate.
As a result, PKI CA will generate ACME certificates with an autogenerated OCSP URL that points to an actual OCSP service.
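The edit above is a one-line change that is easy to get wrong by hand (a trailing space or a second copy of the key leaves the profile in a confusing state). The following is an added example, not from the release notes and not PKI's own tooling, that makes the change and verifies the result. It assumes the property name and file path quoted above; the sample profile it edits is constructed and contains only the line at issue.

```shell
# Added example: blank the placeholder OCSP URL in the ACME server certificate
# profile and verify that exactly one, empty, occurrence of the key remains.
# Assumptions: property name and path as in the release note; GNU sed/grep.

PROFILE=/usr/share/pki/ca/profiles/ca/acmeServerCert.cfg
KEY='policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0'

blank_ocsp_url() {
    # $1: profile file. Rewrites only the target key, leaving its value empty.
    sed "s|^${KEY}=.*|${KEY}=|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

ocsp_url_is_blank() {
    # Succeeds when the key is present exactly once and has an empty value.
    [ "$(grep -c "^${KEY}=" "$1")" -eq 1 ] && grep -qx "${KEY}=" "$1"
}

make_sample_profile() {
    # Constructed stand-in for acmeServerCert.cfg so the example runs without PKI.
    f=$(mktemp)
    cat > "$f" <<EOF
# constructed sample profile
${KEY}=http://ocsp.example.com
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_profile)
blank_ocsp_url "$sample"
ocsp_url_is_blank "$sample" && echo "OCSP URL cleared in $sample"
rm -f "$sample"
# On the CA host: blank_ocsp_url "$PROFILE", restart the PKI instance
# (systemctl restart pki-tomcatd@<instance>), then reissue the certificate.
```

After reissuing, confirm the fix end to end by checking the Authority Information Access extension of a new certificate (openssl x509 -noout -ext authorityInfoAccess) and querying the OCSP URL it now carries.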
FreeRADIUS silently truncates Tunnel-Passwords longer than 249 characters
If a Tunnel-Password is longer than 249 characters, the FreeRADIUS service silently truncates it. This may lead to unexpected password incompatibilities with other systems.
To work around the problem, choose a password that is 249 characters or fewer.
The /var/log/lastlog sparse file on IdM hosts can cause performance problems
During the IdM installation, a range of 200,000 UIDs from a total of 10,000 possible ranges is randomly selected and assigned. Selecting a random range in this way significantly reduces the probability of conflicting IDs in case you decide to merge two separate IdM domains in the future.
However, having high UIDs can create problems with the /var/log/lastlog file. For example, if a user with the UID of 1280000008 logs in to an IdM client, the local /var/log/lastlog file size increases to almost 400 GB. Although the actual file is sparse and does not use all that space, certain applications are not designed to identify sparse files by default and may require a specific option to handle them. For example, if the setup is complex and a backup and copy application does not handle sparse files correctly, the file is copied as if its size was 400 GB. This behavior can cause performance problems.
To work around this problem:
- In case of a standard package, refer to its documentation to identify the option that handles sparse files.
- In case of a custom application, ensure that it is able to manage sparse files such as /var/log/lastlog correctly.
(JIRA:RHELPLAN-59111)
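The following is an added example, not from the release notes, that shows the apparent versus allocated size gap the note describes and how to check whether a copy tool preserved it. It builds a constructed sparse file (64 MiB rather than 400 GB, the mechanism is the same) and assumes GNU coreutils as shipped on RHEL 8.

```shell
# Added example: create a lastlog-like sparse file, copy it with and without
# sparse handling, and compare apparent size with blocks actually allocated.
# Assumption: GNU coreutils (truncate, stat -c, cp --sparse).

make_sparse_file() {
    # $1: path, $2: apparent size in bytes. A high UID makes lastlog look like
    # this: a huge hole followed by a small real record at the end.
    truncate -s "$2" "$1"
    printf 'last login record' >> "$1"   # 17 real bytes after the hole
}

apparent_bytes()  { stat -c %s "$1"; }
allocated_bytes() { echo $(( $(stat -c %b "$1") * $(stat -c %B "$1") )); }

is_sparse() {
    # Sparse when the file occupies fewer blocks than its apparent size needs.
    [ "$(allocated_bytes "$1")" -lt "$(apparent_bytes "$1")" ]
}

work=$(mktemp -d)
make_sparse_file "$work/lastlog" $((64 * 1024 * 1024))
cp --sparse=always "$work/lastlog" "$work/lastlog.sparse-copy"   # keeps the hole
cp --sparse=never  "$work/lastlog" "$work/lastlog.dense-copy"    # writes 64 MiB of zeros

for f in lastlog lastlog.sparse-copy lastlog.dense-copy; do
    printf '%-20s apparent=%-10s allocated=%s\n' "$f" \
        "$(apparent_bytes "$work/$f")" "$(allocated_bytes "$work/$f")"
done
rm -rf "$work"
```

The same check applies to archive and sync tools: GNU tar needs -S (--sparse) and rsync needs -S to avoid materialising the hole, and a backup job that reports hundreds of gigabytes for one IdM client is the symptom to look for.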
Potential risk when using the default value for the ldap_id_use_start_tls option
When using ldap:// without TLS for identity lookups, the lookups are exposed to a man-in-the-middle (MITM) attack: an attacker who can alter LDAP responses on the wire could impersonate a user by changing, for example, the UID or GID of an object returned in an LDAP search.
Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted communication for id_provider = ldap. Note that id_provider = ad and id_provider = ipa are not affected as they use encrypted connections protected by SASL and GSSAPI.
If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the /etc/sssd/sssd.conf file. The default behavior is planned to be changed in a future release of RHEL.
(JIRA:RHELPLAN-155168)
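Because the risky value is the default, a host is exposed precisely when the option is absent from sssd.conf. The following is an added example, not from the release notes or from SSSD, that audits an sssd.conf and reports every id_provider = ldap domain that talks plain ldap:// without ldap_id_use_start_tls = true. It assumes the standard INI layout of /etc/sssd/sssd.conf and treats a missing ldap_uri as at risk (SSSD would then discover servers via DNS and connect over ldap://); the sample configuration is constructed with hypothetical domain names.

```shell
# Added example: report SSSD domains doing identity lookups over plain LDAP.
# Assumptions: INI-style sssd.conf; a missing ldap_id_use_start_tls means the
# RHEL 8 default of false; an ldap_uri not starting with ldaps:// is cleartext
# unless STARTTLS is enforced.

audit_sssd_conf() {
    # $1: path to an sssd.conf. Prints one line per at-risk domain.
    awk '
        function flush() {
            if (section ~ /^domain\// && provider == "ldap" &&
                uri !~ /^ldaps:\/\// && starttls != "true")
                printf "%s: id_provider=ldap, ldap_uri=%s, ldap_id_use_start_tls=%s\n",
                       section, (uri == "" ? "(unset)" : uri),
                       (starttls == "" ? "false (default)" : starttls)
        }
        /^\[.*\]$/ { flush(); section = substr($0, 2, length($0) - 2)
                     provider = uri = starttls = ""; next }
        /^[[:space:]]*(#|;|$)/ { next }
        {
            split($0, kv, "="); key = kv[1]; val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "id_provider") provider = val
            else if (key == "ldap_uri") uri = val
            else if (key == "ldap_id_use_start_tls") starttls = tolower(val)
        }
        END { flush() }
    ' "$1"
}

make_sample_sssd_conf() {
    # Constructed sssd.conf: one domain on the risky default, one hardened,
    # one using IPA (not affected).
    f=$(mktemp)
    cat > "$f" <<'EOF'
[sssd]
domains = legacy.example.com, hardened.example.com, ipa.example.com

[domain/legacy.example.com]
id_provider = ldap
ldap_uri = ldap://ldap.legacy.example.com
# ldap_id_use_start_tls not set: defaults to false in RHEL 8

[domain/hardened.example.com]
id_provider = ldap
ldap_uri = ldap://ldap.hardened.example.com
ldap_id_use_start_tls = true

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa.example.com
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_sssd_conf)
audit_sssd_conf "$sample"      # only legacy.example.com is reported
rm -f "$sample"
# On a host: audit_sssd_conf /etc/sssd/sssd.conf
```

Enforcing STARTTLS only helps if the server certificate is actually verified, so pair ldap_id_use_start_tls = true with an ldap_tls_cacert (or ldap_tls_cacertdir) that the client trusts; otherwise the MITM simply presents its own certificate.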
5.7.10. Desktop
Disabling flatpak repositories from Software Repositories is not possible
Currently, it is not possible to disable or remove flatpak repositories in the Software Repositories tool in the GNOME Software utility.
Drag-and-drop does not work between desktop and applications
Due to a bug in the gnome-shell-extensions package, the drag-and-drop functionality does not currently work between desktop and applications. Support for this feature will be added back in a future release.
Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V Server 2016 hosts
When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a Microsoft Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the GRUB boot menu. In addition, the following error is logged in the Hyper-V event log:
The guest operating system reported that it failed with the following error code: 0x1E
This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, use Hyper-V Server 2019 as the host.
(BZ#1583445)
5.7.11. Graphics infrastructures
radeon fails to reset hardware correctly
The radeon kernel driver currently does not reset hardware in the kexec context correctly. Instead, radeon falls over, which causes the rest of the kdump service to fail.
To work around this problem, disable radeon in kdump by adding the following line to the /etc/kdump.conf file:
dracut_args --omit-drivers "radeon" force_rebuild 1
Restart the machine and kdump. After starting kdump, the force_rebuild 1 line may be removed from the configuration file.
Note that in this scenario, no graphics will be available during kdump, but kdump will work successfully.
(BZ#1694705)
Multiple HDR displays on a single MST topology may not power on
On systems using NVIDIA Turing GPUs with the nouveau driver, using a DisplayPort hub (such as a laptop dock) with multiple monitors which support HDR plugged into it may result in failure to turn on. This is due to the system erroneously thinking there is not enough bandwidth on the hub to support all of the displays.
(BZ#1812577)
Unable to run graphical applications using the sudo command
When trying to run graphical applications as a user with elevated privileges, the application fails to open with an error message. The failure happens because Xwayland is restricted by the Xauthority file to use regular user credentials for authentication.
To work around this problem, use the sudo -E command to run graphical applications as the root user.
VNC Viewer displays wrong colors with the 16-bit color depth on IBM Z
The VNC Viewer application displays wrong colors when you connect to a VNC session on an IBM Z server with the 16-bit color depth.
To work around the problem, set the 24-bit color depth on the VNC server. With the Xvnc server, replace the -depth 16 option with -depth 24 in the Xvnc configuration.
As a result, VNC clients display the correct colors but use more network bandwidth with the server.
Hardware acceleration is not supported on ARM
Built-in graphics drivers do not support hardware acceleration or the Vulkan API on the 64-bit ARM architecture.
To enable hardware acceleration or Vulkan on ARM, install the proprietary Nvidia driver.
(JIRA:RHELPLAN-57914)
The RHEL installer becomes unresponsive with NVIDIA Ampere
RHEL 8.3.0 does not support the NVIDIA Ampere GPUs. If you start the RHEL installation on a system that has an NVIDIA Ampere GPU, the installer becomes unresponsive. As a consequence, the installation cannot finish successfully.
The NVIDIA Ampere family includes the following GPU models:
- GeForce RTX 3060 Ti
- GeForce RTX 3070
- GeForce RTX 3080
- GeForce RTX 3090
- RTX A6000
- NVIDIA A40
- NVIDIA A100
- NVIDIA A100 80GB
To work around the problem, disable the nouveau graphics driver and install RHEL in text mode:
- Boot into the boot menu of the installer. Add the nouveau.modeset=0 option on the kernel command line. For details, see Editing boot options.
- Install RHEL on the system.
- Boot into the newly installed RHEL. At the boot menu, add the nouveau.modeset=0 option on the kernel command line. Disable the nouveau driver permanently:
# echo 'blacklist nouveau' >> /etc/modprobe.d/blacklist.conf
As a result, the installation has finished successfully and RHEL now runs in text mode.
Optionally, you can install the proprietary NVIDIA GPU driver to enable graphics. For instructions, see How to install the NVIDIA proprietary driver on RHEL 8.
(BZ#1903890)
5.7.12. The web console
Unprivileged users can access the Subscriptions page
If a non-administrator navigates to the Subscriptions page of the web console, the web console displays a generic error message: Cockpit had an unexpected internal error.
To work around this problem, sign in to the web console with a privileged user and make sure to check the Reuse my password for privileged tasks checkbox.
5.7.13. Red Hat Enterprise Linux system roles
The oVirt input and the elasticsearch output are not supported in the Logging system role
The oVirt input and the elasticsearch output are not supported in the Logging system role, although they are mentioned in the README file. There is no workaround available at the moment.
5.7.14. Virtualization
Displaying multiple monitors of virtual machines that use Wayland is not possible with QXL
Using the remote-viewer utility to display more than one monitor of a virtual machine (VM) that is using the Wayland display server causes the VM to become unresponsive and the Waiting for display status message to be displayed indefinitely.
To work around this problem, use virtio-gpu instead of qxl as the GPU device for VMs that use Wayland.
(BZ#1642887)
virsh iface-* commands do not work consistently
Currently, virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, frequently fail due to configuration dependencies. Therefore, it is recommended not to use virsh iface-* commands for configuring and managing host network connections. Instead, use the NetworkManager program and its related management applications.
(BZ#1664592)
Virtual machines sometimes fail to start when using many virtio-blk disks
Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number of interrupt vectors available in the platform. If this occurs, the VM's guest OS fails to boot, and displays a dracut-initqueue[392]: Warning: Could not boot error.
Attaching LUN devices to virtual machines using virtio-blk does not work
The q35 machine type does not support transitional virtio 1.0 devices, and RHEL 8 therefore lacks support for features that were deprecated in virtio 1.0. In particular, it is not possible on a RHEL 8 host to send SCSI commands from virtio-blk devices. As a consequence, attaching a physical disk as a LUN device to a virtual machine fails when using the virtio-blk controller.
Note that physical disks can still be passed through to the guest operating system, but they should be configured with the device='disk' option rather than device='lun'.
(BZ#1777138)
Virtual machines using Cooperlake cannot boot when TSX is disabled on the host
Virtual machines (VMs) that use the Cooperlake CPU model currently fail to boot when the TSX CPU flag is disabled on the host. Instead, the host displays the following error message:
the CPU is incompatible with host CPU: Host CPU does not provide required features: hle, rtm
To make VMs with Cooperlake usable on such a host, disable the HLE, RTM, and TAA_NO flags in the <cpu> section of the VM's XML configuration:
<feature policy='disable' name='hle'/>
<feature policy='disable' name='rtm'/>
<feature policy='disable' name='taa-no'/>
Virtual machines sometimes cannot boot on Witherspoon hosts
Virtual machines (VMs) that use the pseries-rhel7.6.0-sxxm machine type in some cases fail to boot on Power9 S922LC for HPC hosts (also known as Witherspoon) that use the DD2.2 or DD2.3 CPU.
Attempting to boot such a VM instead generates the following error message:
qemu-kvm: Requested safe indirect branch capability level not supported by kvm
To work around this problem, configure the VM's XML configuration as follows:
<domain type='qemu' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <qemu:commandline>
    <qemu:arg value='-machine'/>
    <qemu:arg value='cap-ibs=workaround'/>
  </qemu:commandline>
5.7.15. RHEL in cloud environments
GPU problems on Azure NV6 instances
When running RHEL 8 as a guest operating system on a Microsoft Azure NV6 instance, resuming the virtual machine (VM) from hibernation sometimes causes the VM’s GPU to work incorrectly. When this occurs, the kernel logs the following message:
hv_irq_unmask() failed: 0x5
(BZ#1846838)
kdump sometimes does not start on Azure and Hyper-V
On RHEL 8 guest operating systems hosted on the Microsoft Azure or Hyper-V hypervisors, starting the kdump kernel in some cases fails when post-exec notifiers are enabled.
To work around this problem, disable crash kexec post notifiers:
# echo N > /sys/module/kernel/parameters/crash_kexec_post_notifiers
(BZ#1865745)
Setting static IP in a RHEL 8 virtual machine on a VMWare host does not work
Currently, when using RHEL 8 as a guest operating system of a virtual machine (VM) on a VMware host, the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init utility to set the VM's network to a static IP and then reboot the VM, the VM's network will be changed to DHCP.
Core dumping RHEL 8 virtual machines with certain NICs to a remote machine on Azure takes longer than expected
Currently, using the kdump utility to save the core dump file of a RHEL 8 virtual machine (VM) on a Microsoft Azure hypervisor to a remote machine does not work correctly when the VM is using a NIC with enabled accelerated networking. As a consequence, the dump file is saved after approximately 200 seconds, instead of immediately. In addition, the following error message is logged on the console before the dump file is saved.
device (eth0): linklocal6: DAD failed for an EUI-64 address
(BZ#1854037)
TX/RX packet counters do not increase after virtual machines resume from hibernation
The TX/RX packet counters stop increasing when a RHEL 8 virtual machine (VM) with a CX4 VF NIC resumes from hibernation on Microsoft Azure. To keep the counters working, restart the VM. Note that doing so will reset the counters.
(BZ#1876527)
RHEL 8 virtual machines fail to resume from hibernation on Azure
The GUID of the virtual function (VF) vmbus device changes when a RHEL 8 virtual machine (VM) with SR-IOV enabled is hibernated and deallocated on Microsoft Azure. As a result, when the VM is restarted, it fails to resume and crashes. As a workaround, hard reset the VM using the Azure serial console.
(BZ#1876519)
Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 fails
Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to a RHEL 8 host does not complete: the migration becomes unresponsive and remains in the "Migration status: active" state.
To work around this problem, disable Transparent Huge Pages (THP) on the RHEL 7-ALT host, which enables the migration to complete successfully.
(BZ#1741436)
5.7.16. Supportability
redhat-support-tool does not work with the FUTURE crypto policy
Because a cryptographic key used by a certificate on the Customer Portal API does not meet the requirements of the FUTURE system-wide cryptographic policy, the redhat-support-tool utility does not work with this policy level at the moment.
To work around this problem, use the DEFAULT crypto policy while connecting to the Customer Portal API.
5.7.17. Containers
UDICA is not expected to work with 1.0 stable stream
UDICA, the tool to generate SELinux policies for containers, is not expected to work with containers that are run via podman 1.0.x in the container-tools:1.0 module stream.
(JIRA:RHELPLAN-25571)
podman system connection add does not automatically set the default connection
The podman system connection add command does not automatically set the first connection to be the default connection. To set the default connection, you must manually run the command podman system connection default <connection_name>.