Chapter 7. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 8.4 that have a significant impact on users.
7.1. Installer and image creation
Anaconda now shows a dialog for ldl or unformatted DASD disks in text mode
Previously, during an installation in text mode, Anaconda failed to show a dialog for Linux disk layout (ldl) or unformatted Direct-Access Storage Device (DASD) disks. As a result, users were unable to utilize those disks for the installation.
With this update, in text mode Anaconda recognizes ldl and unformatted DASD disks and shows a dialog where users can format them properly so that they can be used for the installation.
RHEL installer failed to start when InfiniBand network interfaces were configured using installer boot options
Previously, when you configured InfiniBand network interfaces at an early stage of RHEL installation using installer boot options (for example, when the installer image was downloaded using a PXE server), the installer failed to activate the network interfaces.
This issue occurred because the RHEL NetworkManager failed to recognize the network interfaces in InfiniBand mode, and instead configured Ethernet connections for the interfaces.
As a result, connection activation failed, and if the connectivity over the InfiniBand interface was required at an early stage, RHEL installer failed to start the installation.
With this release, the installer successfully activates the InfiniBand network interfaces that you configure at an early stage of RHEL installation using installer boot options, and the installation completes successfully.
(BZ#1890009)
The automatic partitioning can be scheduled in Anaconda
Previously, during automatic partitioning on LVM type disks, the installer tried to create a partition for an LVM PV on each selected disk. If these disks already had a partitioning layout, scheduling the automatic partitioning could fail with an error message.
With this update, the problem has been fixed. Now you can schedule the automatic partitioning in the installer.
(BZ#1642391)
Configuring a wireless network using Anaconda GUI is fixed
Previously, configuring the wireless network while using Anaconda graphical user interface (GUI) caused the installation to crash.
With this update, the problem has been fixed. You can configure the wireless network during the installation while using Anaconda GUI.
(BZ#1847681)
7.2. Software management
New -m and -M parameters are now supported for the %autopatch rpm macro
With this update, the -m (min) and -M (max) parameters have been added to the %autopatch macro to apply only a range of patches with given parameters.
popt rebased to version 1.18
The popt packages have been upgraded to the upstream version 1.18, which provides the following notable changes over the previous version:
- Overall codebase cleanup and modernization.
- Failing to drop privileges on the alias exec command has been fixed.
- Various bugs, including resource leaks, have been fixed.
7.3. Shells and command-line tools
snmpbulkget now provides valid output for a non-existing PID
Previously, the snmpbulkget command did not provide valid output for a non-existing PID. Consequently, this command failed, reporting that no results were found.
With this update, snmpbulkget provides valid output for a non-existing PID.
The CRON command now sends an email as per the trigger conditions.
Previously, when the Relax-and-Recover (ReaR) utility was configured incorrectly, the CRON command triggered an error message that was sent to the administrator through an email. Consequently, the administrator would receive emails even if the configuration was not performed for ReaR.
With this update, the CRON command is modified and sends an email as per the trigger conditions.
Using NetBackup version 8.2 as the backup mechanism in ReaR now works.
Previously, when using NetBackup as a backup method, the Relax-and-Recover (ReaR) utility did not start the vxpbx_exchanged service in the rescue system. Consequently, restoring the data from the backup in the rescue system with NetBackup 8.2 failed with the following error messages logged on the NetBackup server:
Error bpbrm (pid=…) cannot execute cmd on client
Info tar (pid=…) done. status: 25: cannot connect on socket
Error bpbrm (pid=…) client restore EXIT STATUS 25: cannot connect on socket
With this update, ReaR adds the vxpbx_exchanged service and related required files to the rescue system, and starts the service when the rescue system launches.
(BZ#1898080)
libvpd rebased to version 2.2.8.
Notable changes include:
- Improved performance of vpdupdate by making the sqlite operations asynchronous.
(BZ#1844429)
ReaR utility now restores system using LUKS2 encrypted partition
Previously, when at least one LUKS2 encrypted partition was present on the system to back up with the Relax-and-Recover (ReaR) utility, the user was not informed that ReaR does not support LUKS2 encrypted partitions. Consequently, the ReaR utility was unable to recreate the original state of the system during the restore phase.
With this update, support of basic LUKS2 configuration, error checking, and improved output has been added to the ReaR utility. The ReaR utility now restores systems using basic LUKS2 encrypted partitions or notifies users in the opposite case.
Texlive now correctly works with Poppler
Previously, the Poppler utility underwent an update for API changes. Consequently, due to these API changes the Texlive build did not function. With this update, the Texlive build now functions correctly with the new Poppler utility.
7.4. Infrastructure services
RPZ now works with wildcard characters
Previously, the dns_rpz_find_name function in the lib/dns/rpz.c file did not consider wildcard characters when a record for the same suffix was present. Consequently, some records containing wildcard characters were ignored. With this update, the dns_rpz_find_name function has been fixed and it now considers wildcard characters.
7.5. Security
Improved padding for pkcs11
Previously, the pkcs11 token label had extra padding for some smart cards. As a consequence, the wrong padding could cause issues matching cards based on the label attribute. With this update, the padding is fixed for all cards, so defined PKCS #11 URIs and matching against them in applications should work as expected.
Fixed sealert connection issue handling
Previously, a crash of the setroubleshoot daemon could cause the sealert process to stop responding. Consequently, the GUI did not show any analysis and became unresponsive, and the command-line tool did not print any output and kept running until killed. This update improves handling of connection issues between sealert and setroubleshootd. Now sealert reports an error message and exits in case the setroubleshoot daemon crashes.
Optimized audit record analysis by setroubleshoot
Previously, new features introduced in setroubleshoot-3.3.23-1 had a negative impact on performance, which led to the AVC analysis being up to 8 times slower than before. This update provides optimizations that significantly reduce the AVC analysis times.
(BZ#1794807)
Fixed SELinux policy interface parser
Previously, the policy interface parser caused syntax error messages to appear when installing a custom policy that contained an ifndef block in its interface file. This update improves the interface file parsing, and thus resolves this issue.
setfiles does not stop on labeling error
Previously, the setfiles utility stopped whenever it failed to relabel a file. Consequently, mislabeled files were left in the target directory. With this update, setfiles skips files it cannot relabel, and as a result, setfiles processes all files in the target directory.
Rebuilds of the SELinux policy store are now more resistant to power failures
Previously, SELinux-policy rebuilds were not resistant to power failures due to write caching. Consequently, the SELinux policy store could become corrupted after a power failure during a policy rebuild. With this update, the libsemanage library writes all pending modifications to metadata and cached file data to the file system that contains the policy store before using it. As a result, the policy store is now more resistant to power failures and other interruptions.
libselinux now determines the default context of SELinux users correctly
Previously, the libselinux library failed to determine the default context of SELinux users on some systems, due to the use of the deprecated security_compute_user() function. As a consequence, some system services were unavailable on systems with complex security policies. With this update, libselinux no longer uses security_compute_user() and determines the SELinux user’s default context properly, regardless of policy complexity.
(BZ#1879368)
Geo-replication in rsync mode no longer fails due to SELinux
Previously, SELinux policy did not allow processes running under rsync_t to set the value of the security.trusted extended attribute. As a consequence, geo-replication in Red Hat Gluster Storage (RHGS) failed. This update includes the new SELinux boolean rsync_sys_admin that allows the rsync_t processes to set security.trusted. As a result, if the rsync_sys_admin boolean is enabled, rsync can set the security.trusted extended attribute and geo-replication no longer fails.
OpenSCAP can now scan systems with large numbers of files without running out of memory
Previously, when scanning systems with low RAM and large numbers of files, the OpenSCAP scanner sometimes caused the system to run out of memory. With this update, OpenSCAP scanner memory management has been improved. As a result, the scanner no longer runs out of memory on systems with low RAM when scanning large numbers of files, for example package groups Server with GUI and Workstation.
CIS-remediated systems with FAT no longer fail on boot
Previously, the Center for Internet Security (CIS) profile in the SCAP Security Guide (SSG) contained a rule which disabled loading of the kernel module responsible for access to FAT file systems. As a consequence, if SSG remediated this rule, the system could not access partitions formatted with FAT12, FAT16, and FAT32 file systems, including EFI System Partitions (ESP). This caused the systems to fail to boot. With this update, the rule has been removed from the profile. As a result, systems that use these file systems no longer fail to boot.
OVAL checks consider GPFS as remote
Previously, the OpenSCAP scanner did not identify mounted General Parallel File Systems (GPFS) as remote file systems (FS). As a consequence, OpenSCAP scanned GPFS even for OVAL checks that applied only to local systems. This sometimes caused the scanner to run out of resources and fail to complete the scan. With this update, GPFS has been included in the list of remote FS. As a result, OVAL checks correctly consider GPFS as a remote FS, and the scans are faster.
The fapolicyd-selinux SELinux policy now covers all file types
Previously, the fapolicyd-selinux SELinux policy did not cover all file types. Consequently, the fapolicyd service could not access files located on non-monitored locations such as sysfs. With this update, the fapolicyd service covers and analyzes all file system types.
fapolicyd no longer prevents RHEL updates
When an update replaces the binary of a running application, the kernel modifies the application binary path in memory by appending the (deleted) suffix. Previously, the fapolicyd file access policy daemon treated such applications as untrusted. As a consequence, fapolicyd prevented these applications from opening and executing any other files. With this update, fapolicyd ignores the suffix in the binary path so the binary can match the trust database. As a result, fapolicyd enforces the rules correctly and the update process can finish.
USBGuard rebased to 1.0.0-1
The usbguard packages have been rebased to the upstream version 1.0.0-1. This update provides improvements and bug fixes, most notably:
- Stable public API ensures backwards compatibility.
- Rule files inside the rules.d directory now load in alphanumeric order.
- Some use cases when the policy of multiple devices could not be changed by a single rule have been fixed.
- Filtering rules by their labels no longer produces errors.
USBGuard now can send Audit messages
As part of service hardening, the capabilities of usbguard.service were limited while the CAP_AUDIT_WRITE capability was missing. As a consequence, usbguard running as a system service could not send Audit events. With this update, the service configuration has been updated, and as a result, USBGuard can send Audit messages.
tangd now handles invalid requests correctly
Previously, the tangd daemon returned an error exit code for some invalid requests. As a consequence, tangd.socket@.service failed, which in turn might have caused problems if the number of such failed units increased. With this update, tangd exits with an error code only when the tangd server itself is facing problems. As a result, tangd handles invalid requests correctly.
7.6. Networking
Migrating an iptables rule set from RHEL 7 to RHEL 8 with rules involving ipset lookups no longer fails
Previously, the ipset counters were updated only if all the additional constraints matched while referring to an ipset command with enabled counters from an iptables rule set. Consequently, rules involving ipset lookups, for example -m set --match-set xxx src --bytes-gt 100, never got a chance to match, because the counter of the ipset member was not incremented. With this update, migrating an iptables rule set with rules involving ipset lookups works as expected.
(BZ#1806882)
The iptraf-ng no longer exposes raw memory content
Previously, when setting %p in a filter in iptraf-ng, the application displayed raw memory content in the status bar. Consequently, inessential information was displayed. With this update, the iptraf-ng processes do not show any raw memory content on the status bar at the bottom.
(BZ#1842690)
Network access is now available when using DHCP in the Anaconda ip boot option
The initial RAM disk (initrd) uses NetworkManager to manage networking. Previously, the dracut NetworkManager module provided by the RHEL 8.3 ISO file incorrectly assumed that the first field of the ip option in the Anaconda boot options was always set. As a consequence, if you used DHCP and set ip=::::<host_name>::dhcp, NetworkManager did not retrieve an IP address, and the network was not available in Anaconda. This problem has been fixed. As a result, the Anaconda ip boot option works as expected when you use the RHEL 8.4 ISO to install a host in the mentioned scenario.
(BZ#1900260)
Unloading XDP programs no longer fails on Netronome network cards that use the nfp driver
Previously, the nfp driver for Netronome network cards contained a bug. As a consequence, unloading eXpress Data Path (XDP) programs failed if you used such a card and loaded the XDP program using the IFLA_XDP_EXPECTED_FD feature with the XDP_FLAGS_REPLACE flag. For example, this affected XDP programs that were loaded using the libxdp library. This bug has been fixed. As a result, unloading an XDP program from Netronome network cards works as expected.
NetworkManager now tries to retrieve the host name using DHCP and reverse DNS lookups on all interfaces
Previously, if the host name was not set in the /etc/hostname file, NetworkManager tried to obtain the host name using DHCP or a reverse DNS lookup only through the interface with the default route with the lowest metric value. As a consequence, it was not possible to automatically assign a host name on networks without a default route. This update changes the behavior, and NetworkManager now first tries to retrieve the host name using the default route interface. If this process fails, NetworkManager tries other available interfaces. As a result, NetworkManager tries to retrieve the host name using DHCP and reverse DNS lookups on all interfaces if it is not set in /etc/hostname.
To configure NetworkManager to use the old behavior:
- Create the /etc/NetworkManager/conf.d/10-hostname.conf file with the following content:
[connection-hostname-only-from-default]
hostname.only-from-default=1
- Reload the NetworkManager service:
# systemctl reload NetworkManager
7.7. Kernel
The kernel no longer returns false positive warnings on IBM Z systems
Previously, IBM Z systems on RHEL 8 were missing an allowed entry for the ZONE_DMA memory zone to allow user access. Consequently, the kernel returned false positive warnings such as:
...
Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dma-kmalloc-192' (offset 0, size 144)!
WARNING: CPU: 0 PID: 8519 at mm/usercopy.c:83 usercopy_warn+0xac/0xd8
...
The warnings appeared when accessing certain system information through the sysfs interface, for example, by running the debuginfo.sh script.
This update adds a flag in the Direct Memory Access (DMA) buffer, so that user space applications can access the buffer.
As a result, no warning messages are displayed in the described scenario.
(BZ#1660290)
RHEL systems boot as expected from the tboot GRUB entry
Previously, the tboot utility of version 1.9.12-2 caused some RHEL systems with Trusted Platform Module (TPM) 2.0 enabled to fail to boot in legacy mode. As a consequence, the system halted when it attempted to boot from the tboot Grand Unified Bootloader (GRUB) entry. With a new version of RHEL 8 and the update of the tboot utility, the problem has been fixed and RHEL systems boot as expected.
(BZ#1947839)
The kernel successfully reclaims memory in heavy-workload container scenarios
When a volume was constrained for I/O and memory within a container, the kernel code responsible for reclaiming memory experienced soft-lockup due to a data race condition. Data race is a phenomenon that happens if:
- At least two CPU threads try to modify the same set of data simultaneously.
- At least one of these CPU threads tries to do a write operation on the dataset.
Based on the exact timing of each thread to modify the dataset, the result can be A, B, or AB (indeterminate).
When a container was under memory pressure, the situation likely led to multiple Out of Memory (OOM) kills, causing the container to lock up and become unresponsive. In this release, the RHEL kernel code for locking and optimization has been updated. As a result, the kernel no longer becomes unresponsive, and the data does not become subject to race conditions.
(BZ#1860031)
RHEL 8 with offline memory no longer causes kernel panics
Previously, when running RHEL 8 with memory that was initiated but marked as offline, the kernel in some cases attempted to access uninitialized memory pages. As a consequence, a kernel panic occurred. This update fixes the kernel mechanism for idle page tracking, which prevents the problem from occurring.
(BZ#1867490)
The NUMA systems no longer experience unexpected memory layout
Previously, ARM64 and S390 architectures experienced unexpected memory layouts on NUMA systems because the CONFIG_NODES_SPAN_OTHER_NODES option was missing. As a consequence, the memory regions from different NUMA nodes intersected and the intersecting memory regions from low NUMA nodes were added into the high NUMA.
With this update, the NUMA systems no longer experience the memory layout issue.
(BZ#1844157)
The rngd service no longer busy-waits on poll() system call
A new kernel entropy source for FIPS mode was added for kernels, starting with version 4.18.0-193.10. Consequently, the rngd service busy-waited on the poll() system call for the /dev/random device. This situation caused consumption of 100% of CPU time, when a system was in a FIPS mode. With this update, in FIPS mode, a poll() handler for the /dev/random device has been changed from a default one to a handler developed especially for the /dev/random device. As a result, the rngd service no longer busy-waits on poll() in the described scenario.
(BZ#1884857)
HRTICK support for SCHED_DEADLINE scheduler is enabled
Previously, the feature for high resolution system timers (HRTICK) was not armed for certain tasks configured with the SCHED_DEADLINE policy. Consequently, the throttling mechanism for these tasks using the SCHED_DEADLINE scheduler consumed all the runtime configured for those tasks. This behavior caused an unexpected latency spike in the real-time environment.
This update enables the HRTICK feature, which provides high resolution preemption. HRTICK uses a high resolution timer, which enforces the throttling mechanism when a task completes its runtime. As a result, this problem no longer occurs in the described scenario.
(BZ#1885850)
tpm2-abrmd rebased to version 2.3.3.2
The tpm2-abrmd package has been upgraded to version 2.3.3.2, which provides multiple bug fixes. Notable changes include:
- Fixed the usage of transient handles
- Fixed partial reads in TPM Command Transmission Interface (TCTI)
- Refactored the access broker
The cxgb4 driver no longer causes a crash in the kdump kernel
Previously, the kdump kernel would crash while trying to save information in the vmcore file. Consequently, the cxgb4 driver prevented the kdump kernel from saving a core for later analysis. To work around this problem, add the novmcoredd parameter to the kdump kernel command line to allow saving core files.
With the release of the RHSA-2020:1769 advisory, the kdump kernel handles this situation properly and no longer crashes.
7.8. File systems and storage
Accessing SMB targets no longer fails with EREMOTE error
Previously, a DFS namespace mounted on a RHEL SMB client with the cifsacl mount option was inaccessible and a listing failed with an EREMOTE error. This update fixes the kernel to account for EREMOTE, and thus makes the SMB share accessible.
(BZ#1871246)
Performance improvements for NFS readdir function
Previously, a process on an NFS client listing a directory could take a long time to complete the listing, and possibly never complete. With this update, the NFS client directory listing performance is improved in the following scenarios:
- Listing of large directories with 100,000 or more files.
- Listing of directories that are being modified.
(BZ#1893882)
7.9. High availability and clusters
Default token timeout value in corosync.conf file increased from 1 second to 3 seconds
Previously, the TOTEM token timeout value in the corosync.conf
file was set to 1 second. This short timeout makes the cluster react quickly but in the case of network delays it may result in premature failover. The default value is now set to 3 seconds to provide a better trade-off between quick response and broader applicability. For information on modifying the token timeout value, see How to change totem token timeout value in a RHEL 5, 6, 7, or 8 High Availability cluster?
7.10. Dynamic programming languages, web and database servers
An in-place upgrade is now possible when perl-Time-HiRes is installed
Previously, the perl-Time-HiRes package distributed in RHEL 8 was missing an epoch number that was included in the RHEL 7 version of the package. As a consequence, it was impossible to perform an in-place upgrade from RHEL 7 to RHEL 8 when perl-Time-HiRes was installed. The missing epoch number has been added, and the in-place upgrade no longer fails when perl-Time-HiRes is installed.
7.11. Compilers and development tools
The glibc DNS stub resolver correctly processes parallel queries with identical transaction IDs
Prior to this update, the DNS stub resolver in the GNU C library glibc did not process responses to parallel queries with identical transaction IDs correctly. Consequently, when the transaction IDs were equal, the second parallel response was never matched to a query, resulting in a timeout and retry.
With this update, the second parallel response is now recognized as valid. As a result, the glibc DNS stub resolver avoids excessive timeouts due to unrecognized responses.
Reading configuration files with fgetsgent() and fgetsgent_r() is now more robust
Specifically structured entries in the /etc/gshadow file, or changes in file sizes while reading, sometimes caused the fgetsgent() and fgetsgent_r() functions to return invalid pointers. Consequently, applications that used these functions to read /etc/gshadow, or other configuration files in /etc/, failed with a segmentation fault error. This update modifies fgetsgent() and fgetsgent_r() to make reading of configuration files more robust. As a result, applications are now able to read configuration files successfully.
The glibc string functions now avoid negative impact on system cache on AMD64 and Intel 64 processors
Previously, the glibc implementation of string functions incorrectly estimated the amount of last-level cache available to a thread on the 64-bit AMD and Intel processors. As a consequence, calling the memcpy function on large buffers either negatively impacted the overall cache performance of the system or slowed down the memcpy call.
With this update, the last-level cache size is no longer scaled with the number of reported hardware threads in the system. As a result, the string functions now bypass caches for large buffers, avoiding negative impact on the rest of the system cache.
The glibc dynamic loader now avoids certain failures of libc.so.6
Previously, when the libc.so.6 shared object ran as a main program (for example, to display the glibc version information), the glibc dynamic loader did not order relocation of libc.so.6 correctly in relation to the objects loaded using the LD_PRELOAD environment variable. Consequently, when LD_PRELOAD was set, invoking libc.so.6 sometimes caused libc.so.6 to terminate unexpectedly with a segmentation fault. This update fixes the bug, and the dynamic loader now correctly handles the relocation of libc.so.6. As a result, the described problem no longer occurs.
(BZ#1882466)
The glibc dynamic linker now restricts part of the static thread-local storage space to static TLS allocations
Previously, the glibc dynamic linker used all available static thread-local storage (TLS) space for dynamic TLS, on a first come, first served basis. Consequently, loading additional shared objects at run time using the dlopen function sometimes failed, because dynamic TLS allocations had already consumed all available static TLS space. This problem occurred particularly on the 64-bit ARM architecture and IBM Power Systems.
Now, the dynamic linker restricts part of the static TLS area to static TLS allocations and does not use this space for dynamic TLS optimizations. As a result, dlopen calls succeed in more cases with the default setting. Applications that require more allocated static TLS than the default setting allows can use a new glibc.rtld.optional_static_tls tunable.
The glibc dynamic linker now disables lazy binding for the 64-bit ARM variant calling convention
Previously, the glibc dynamic linker did not disable lazy binding for functions using the 64-bit ARM (AArch64) variant calling convention. As a consequence, the dynamic linker corrupted arguments in such function calls, leading to incorrect results or process failures. With this update, the dynamic linker now disables lazy binding in the described scenario, and the function arguments are passed correctly.
gcc rebased to version 8.4
The GNU Compiler Collection (GCC) has been rebased to upstream version 8.4, which provides a number of bug fixes over the previous version.
7.12. Identity Management
The Samba wide links feature has been converted to a VFS module
Previously, the wide links parameter was part of the smbd service’s core functionality. Enabling this feature is insecure and, therefore, has been moved into a separate virtual file system (VFS) module named widelinks. For backward compatibility, Samba in RHEL 8.4 automatically loads this module for shares that have wide links = yes set in their configuration.
Important: Red Hat recommends not to use the insecure wide links feature. Instead, use a bind mount to mount a part of the file hierarchy to a directory that you shared in Samba. For details about configuring a bind mount, see the Bind mount operation section in the mount(8) man page.
To switch from a configuration that uses wide links to bind mount:
- For every symbolic link that links outside of a share, replace the link with a bind mount. For details, see the Bind mount operation section in the mount(8) man page.
- Remove all wide links = yes entries from the /etc/samba/smb.conf file.
- Reload Samba:
# smbcontrol all reload-config
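An audit helper for the first two steps of the procedure above, as an added example that is not part of the original release notes or of Red Hat's or Samba's tooling: it lists symbolic links under a share root that resolve outside it (the candidates for a bind mount) and the smb.conf lines that still enable wide links. The function names and the paths in the usage comment are assumptions, and it relies on find, grep and readlink -f.

```shell
#!/bin/sh
# Added example (not Red Hat or Samba code): audit a share before
# switching from "wide links" to bind mounts.
# Function names are hypothetical; requires find, grep and readlink -f.

# find_outside_links SHARE_ROOT
# Prints "LINK -> TARGET" for every symbolic link under SHARE_ROOT whose
# fully resolved target lies outside SHARE_ROOT. Links that cannot be
# resolved (for example, symlink loops) are reported with the target
# "(unresolvable)". File names containing newlines are not handled.
find_outside_links() {
    share_root=$(readlink -f -- "$1") || return 2
    [ -d "$share_root" ] || return 2
    find "$share_root" -type l -print | while IFS= read -r link; do
        if ! target=$(readlink -f -- "$link"); then
            printf '%s -> (unresolvable)\n' "$link"
            continue
        fi
        case "$target/" in
            "$share_root"/*) ;;  # resolves inside the share: nothing to do
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# find_wide_links_entries SMB_CONF
# Prints "LINENO:LINE" for each uncommented line that enables wide links.
# smb.conf parameter names are case-insensitive and boolean values may be
# written as yes, true or 1. Exit status is 1 when no such line exists.
find_wide_links_entries() {
    grep -n -i -E \
        '^[[:space:]]*wide[[:space:]]*links[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' \
        -- "$1"
}

# Usage (paths are examples):
#   find_outside_links /srv/samba/share
#   find_wide_links_entries /etc/samba/smb.conf
```

Each link reported by find_outside_links is one that stops working once the widelinks module is no longer loaded for the share, so it needs a bind mount before the wide links entries are removed.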
Network connection idle timeouts are no longer reported as resource errors
Previously, Directory Server reported a misleading error that a resource was temporarily unavailable when an idle network connection timed out. With this update, the error macro for network connection idle timeouts has been changed from EAGAIN to ETIMEDOUT, and an accurate error message describing a timeout is written to the Directory Server access logs.
Certificates issued by PKI ACME Responder connected to PKI CA no longer fail OCSP validation
Previously, the default ACME certificate profile provided by PKI CA contained a sample OCSP URL that did not point to an actual OCSP service. As a consequence, if PKI ACME Responder was configured to use a PKI CA issuer, the certificates issued by the responder could fail OCSP validation. This update removes hard-coded URLs in the ACME certificate profile and adds an upgrade script to fix the profile configuration file in case you did not customize it.
7.13. Graphics infrastructures
Display backlight now works reliably on recent Intel laptops
Certain recent laptops with Intel CPUs require a proprietary interface to control display backlight. Previously, RHEL did not support the proprietary interface, and attempted to use the VESA interface, which was unreliable on the laptops. As a consequence, RHEL could not control display backlight on those laptops.
With this update, RHEL adds support for the proprietary backlight interface, and as a result, display control now works as expected.
(BZ#1885406)
7.14. Red Hat Enterprise Linux system roles
tests_luks.yml no longer causes the partition case to fail with NVME disk
Previously, NVME disks used a different partition naming convention than the one used by virtio/scsi and the Storage role did not reflect it. As a consequence, running the Storage role with NVME disks resulted in a crash. With this fix, the Storage RHEL system role now obtains the partition name from the blivet module.
The selinux RHEL system role no longer uses variable named present
Previously, some tasks in the selinux RHEL system role were incorrectly using a variable named present instead of using the string present. As a consequence, the selinux RHEL system role returned an error stating that there is no variable named present. This update fixes this issue, changing those tasks to use the string present. As a result, the selinux RHEL system role works as expected, with no error message.
Logging output no longer fails when the rsyslog-gnutls package is missing
A global tls rsyslog-gnutls package is required when the logging RHEL system role is configured to provide secure remote input and secure forward output. Previously, the tls rsyslog-gnutls package was changed to install unconditionally in the previous version. As a consequence, when the tls rsyslog-gnutls package was not available on the managed nodes, the logging role configuration failed, even if the secure remote input and secure forward output were not included as part of the configuration. This update fixes the issue by examining if the secure connection is configured and checking the global tls logging_pki_files variable. The rsyslog-gnutls package is installed only when the secure connection is configured. As a result, the operation to configure Red Hat Enterprise Virtualization Hypervisor to integrate elasticsearch as the logging output no longer fails with the missing rsyslog-gnutls package.
7.15. Virtualization
Connecting to the RHEL 8 guest console on a Windows Server 2019 host is no longer slowed down
Previously, when using RHEL 8 as a guest operating system in multi-user mode on a Windows Server 2019 host, connecting to a console output of the guest took significantly longer than expected. This update improves the performance of VRAM on the Hyper-V hypervisor, which fixes the problem.
(BZ#1908893)
Displaying multiple monitors of virtual machines that use Wayland is now possible with QXL
Previously, using the remote-viewer utility to display more than one monitor of a virtual machine (VM) that was using the Wayland display server caused the VM to become unresponsive and the Waiting for display status message to be displayed indefinitely. The underlying code has been fixed, which prevents the described problem from occurring.
(BZ#1642887)
7.16. RHEL in cloud environments
GPU-optimized Azure instances now work correctly after hibernation
When running RHEL 8 as a guest operating system on a Microsoft Azure instance with GPU-optimized virtual machine (VM) size, such as NV6, resuming the VM from hibernation previously caused the VM’s GPU to work incorrectly. When this occurred, the kernel logged the following message:
hv_irq_unmask() failed: 0x5
With this update, the impacted VMs on Microsoft Azure handle their GPUs correctly after resuming, which prevents the problem from occurring.
(BZ#1846838)
The TX/RX packet counters increase as intended after virtual machines resume from hibernation
Previously, the TX/RX packet counters stopped increasing when a RHEL 8 virtual machine using a CX4 VF NIC resumed from hibernation on Microsoft Azure. This update resolves the issue, and the packet counters increase as intended.
(BZ#1876527)
RHEL 8 virtual machines no longer fail to resume from hibernation on Azure
Previously, the GUID of the virtual function (VF), vmbus device, changed when a RHEL 8 virtual machine (VM), with SR-IOV enabled, was hibernated and deallocated on Microsoft Azure. Consequently, when the VM was restarted, it failed to resume and terminated unexpectedly. With this update, the vmbus device VF no longer changes, and the VM resumes from hibernation successfully.
(BZ#1876519)
Removed a redundant error message in Hyper-V and KVM guests
Previously, when a RHEL 8 guest operating system was running in a KVM or Hyper-V virtual machine, the following error message was reported in the /var/log/messages file:
serial8250: too much work for irq4
This was a redundant error message and has now been removed.
For more information on the problem, see the Red Hat Knowledgebase solution.
(BZ#1919745)
7.17. Containers
podman system connection add automatically sets the default connection
Previously, the podman system connection add command did not automatically set the first connection to be the default connection. As a consequence, you had to manually run the podman system connection default <connection_name> command to set the default connection. With this update, the podman system connection add command works as expected.
The podman run --pid=host works in a rootless mode
Previously, running the podman run --pid=host command as a rootless user did not work. Consequently, an OCI permission error occurred:
$ podman run --rm --pid=host quay.io/libpod/testimage:20200929 cat -v /proc/self/attr/current
Error: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: readonly path /proc/bus: operation not permitted: OCI permission denied
With this update, the problem has been fixed.
(BZ#1940854)