Questo contenuto non è disponibile nella lingua selezionata.
Chapter 7. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 8.6 that have a significant impact on users.
7.1. Installer and image creation
The network --defroute
option now works correctly in the %include
script
Previously, the network --defroute
option got ignored when used in the %include
script during the kickstart installation. As a consequence, the device was set as the default route.
With this update, the kickstart installation does not ignore the network --defroute
option added in the %include
script and the network connection is configured as expected.
Users can now specify user accounts in the RHEL for Edge Installer blueprint
Previously, performing an update on your blueprint without a user account defined in the RHEL for Edge Commit for the upgrade, such as adding a rpm package, would cause users to be locked out of their system, after the upgrade was applied. It caused users to have redefine user accounts when upgrading an existing system. This issue has been fixed to allow users to specify user accounts in the RHEL for Edge Installer blueprint, that creates a user on the system at installation time, rather than having the user as part of the ostree
commit.
osbuild
no longer fails to build an ISO image bigger than 4GB
Image Builder users can create a customized image by adding additional packages. If the total size of the packages and their dependencies exceeded 4GB size, users of RHEL 8.5 and earlier releases would see the following error:
ubprocess.CalledProcessError: Command '['/usr/bin/xorrisofs', '-verbose', '-V', 'RHEL-8-5-0-BaseOS-x86_64', '-sysid', 'LINUX', '-isohybrid-mbr', '/usr/share/syslinux/isohdpfx.bin', '-b', 'isolinux/isolinux.bin', '-c', 'isolinux/boot.cat', '-boot-load-size', '4', '-boot-info-table', '-no-emul-boot', '-rock', '-joliet', '-eltorito-alt-boot', '-e', 'images/efiboot.img', '-no-emul-boot', '-isohybrid-gpt-basdat', '-o', '/run/osbuild/tree/installer.iso', '/run/osbuild/inputs/tree']' returned non-zero exit status 32.
The problem happened because the ISO 9660 Level Of Interchange -isolevel 3
argument was not passed to the xorrisofs
command. To work around the problem, users had to permanently alter the ISO level value to 3.
With the RHEL 8.6 release, the problem has been fixed, and users no longer need to permanently alter the ISO level value.
7.2. Software management
Running createrepo_c --update
on a modular repository now preserves modular metadata in it
Previously, when running the createrepo_c --update
command on an already existing modular repository without the original source of modular metadata present, the default policy was to remove all additional metadata including modular metadata from this repository, which, consequently, broke it. To preserve metadata, it required running the createrepo_c --update
command with the additional --keep-all-metadata
option.
With this update, you can preserve modular metadata on a modular repository by running createrepo_c --update
without any additional option.
To remove additional metadata, you can use the new --discard-additional-metadata
option.
7.3. Shells and command-line tools
Errors during the installation of the info
subpackage do not happen anymore
Previously the fix-info-dir
script expected the existence of a /dev/null
file. With a new version of the texinfo
package for software documentation, the installation of the info
subpackage does not fail on systems that do not contain the /dev/null
special file. Now the fix-info-dir
script does not expect the existence of the /dev/null
file, and avoids the possibility of an infinite loop.
ReaR
backs up a system with an unused LVM physical volume correctly
Previously, ReaR
produced an incorrect disk layout when an unused LVM physical volume (PV) was present on the system. As a result, ReaR commands that need to produce the disk layout, such as the mkrescue
, mkbackup
, mkbackuponly
, savelayout
commands, aborted with the error message:
ERROR: LVM 'lvmdev' entry in /var/lib/rear/layout/disklayout.conf where volume_group or device is empty or more than one word
With this update, ReaR
now comments out unused PVs in the disk layout file and is thus able to back up a system with unused PVs correctly.
(BZ#2048454)
ReaR
does not incorrectly exclude multipath devices from the backup
Previously, ReaR
was incorrectly excluding certain multipath devices whose names contained the names of multipath devices that should have been excluded from the backup.
For example, if a device named /dev/mapper/mpatha
was excluded from the backup, then a second device named /dev/mapper/mpathaa
would be incorrectly excluded as well. This would occur with more than 26 multipath devices.
The bug has been fixed and ReaR
now does not exclude multipath devices from the backup unless they should be excluded. Note that you have to specify AUTOEXCLUDE_MULTIPATH=n
in the ReaR
configuration file if there are multipath devices that should be included in the backup, otherwise ReaR
excludes all multipath devices automatically. This behavior has not changed.
7.4. Security
Remote users are no longer repetitively prompted to access smart cards
Previously, the polkit
policy for the pcscd
daemon incorrectly requested user interaction. As a consequence, non-local and non-privileged users could not access smart cards and encountered large numbers of prompts. With this update, the pcsc-lite
package policy no longer includes the interactive prompts. As a result, remote card users are no longer repeatedly asked for privilege escalation.
For additional information about adjusting the policy to escalate privileges of non-privileged users, see Controlling access to smart cards using polkit in Security hardening in RHEL product documentation.
64-bit IBM Z systems no longer become unbootable when installing in FIPS mode
Previously, the fips-mode-setup
command with the --no-bootcfg
option did not execute the zipl
tool. Because fips-mode-setup
regenerates the initial RAM disk (initrd
), and the resulting system needs an update of zipl
internal state to boot, this put 64-bit IBM Z systems into an unbootable state after installing in FIPS mode. With this update, fips-mode-setup
now executes zipl
on 64-bit IBM Z systems even if invoked with --no-bootcfg
, and as a result, the newly installed system boots successfully.
(BZ#2020295)
crypto-policies
can disable ChaCha20 in OpenSSL
Previously, the crypto-policies
component used a wrong keyword to disable the ChaCha20 cipher in OpenSSL. As a consequence, use of ChaCha20 in TLS 1.2 in OpenSSL could not be disabled through crypto-policies
. With this update, crypto-policies
use the -CHACHA20
keyword instead of the -CHACHA20-POLY1305
keyword. As a result, you can now use crypto-policies
to disable the use of the ChaCha20 cipher in OpenSSL for both TLS 1.2 and TLS 1.3.
systemd
can now execute files from /home/user/bin
Previously, systemd
services could not execute files from the /home/user/bin/
directory because the SELinux policy did not include the policy rules that allow such access. Consequently, the systemd
services failed and eventually logged the Access Vector Cache (AVC) denial Audit messages. This update adds the missing SELinux rules that allow access, and systemd
services can now correctly execute commands from /home/user/bin/
.
STIG-specific default banner text removed from other profiles
Previously, banner text from the STIG profile was used as default by other profiles that did not have a default text defined, such as CIS. As a consequence, systems using these profiles were configured with the specific text required by DISA. With this update, a generic default text was created and a standard CIS banner aligned with the guidelines was defined. As a result, profiles based on guidelines which explicitly require a text banner are now aligned with the requirements and set the correct text.
ANSSI Enhanced Profile correctly selects the "Ensure SELinux State is Enforcing" rule
Previously, the ANSSI Enhanced profile (anssi_bp28_enhanced
) did not select the "Ensure SELinux State is Enforcing" (selinux_state
) rule. This update modified the rule selection and now the ANSSI Enhanced Profile selects the "Ensure SELinux State is Enforcing" rule.
Descriptions for restorecon
and seunshare
SSG rules fixed
Previously, descriptions for rules "Record Any Attempts to Run restorecon" (CCE-80699-2) and "Record Any Attempts to Run seunshare" (CCE-80933-5) were incorrect. With this update, the descriptions of these rules are aligned with the automated OVAL check. As a result, applying the fix recommended in the description now correctly fixes these rules.
The CIS profile no longer automatically disables IPv6
Previously, the CIS profile for RHEL 8 provided inappropriate automated remediation for recommendation “3.6 Disable IPv6”, which disabled IPv6 by configuring /etc/modprobe.d/ipv6.conf
to prevent the IPv6 module from loading. This could have undesired effects on the dependent features and services. In RHEL 8 CIS Benchmark v1.0.1, the recommendation 3.6 must be implemented manually, and therefore the RHEL8 CIS profiles do not apply any remediation for this configuration item. As a result, the CIS profile is aligned with the benchmark and does not disable IPv6 automatically. To disable IPv6 manually by configuring GRUB2 or sysctl settings as recommended by CIS, see How do I disable or enable the IPv6 protocol in Red Hat Enterprise Linux?.
(BZ#1990736)
CIS profile no longer blocks the SSH service
Previously, the xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
rule by default set the permissions to 640
on SSH private keys. As a consequence, the SSH daemon did not start. This update removes the file_permissions_sshd_private_key
rule from the CIS profile and as a result, the SSH service works correctly.
Files in /usr/share/audit/sample-rules
are now accepted by SCAP rules
Previously, according to the description of SCAP rules xccdf_org.ssgproject.content_rule_audit_ospp_general
and xccdf_org.ssgproject.content_rule_audit_immutable_login_uids
, users were able to make systems compliant by copying appropriate files from the /usr/share/audit/sample-rules
directory. However, OVAL checks of these rules failed, and the system was consequently marked as non-compliant after the scan. With this update, the OVAL checks now accept the files from /usr/share/audit/sample-rules
, and the SCAP rules pass successfully.
ANSSI Kickstart now reserves enough disk space
Previously, GUI installation required more disk space than ANSSI Kickstart reserved in the /usr
partition. As a consequence, RHEL 8.6 GUI installations failed, with an error message stating that At least 429 MB more space needed on the /usr filesystem
. This update increases the disk space for the /usr
partition, and RHEL 8.6 installations using the ANSSI Kickstarts provided in the scap-security-guide
now completes successfully.
Remediations of GRUB2 arguments are now persistent
Previously, the remediations for GRUB2 rules that set kernel arguments were using incorrect procedures and the configuration changes were not persistent across kernel upgrades. As a consequence, the remediations had to be reapplied with every kernel upgrade. With this update, remediations use the grubby
tool that configures GRUB2 in a persistent way.
scap-workbench
no longer hangs when scanning remote systems from RHEL 8 hosts
Previously, sending content files to the scanned system would hang and the scap-workbench
utility could not complete the scan. This was due to a bug in the kernel which blocked executed Qt subprocesses. As a consequence, scanning of remote systems using the scap-workbench
command from RHEL 8 hosts did not work. With this update, the underlying kernel bug is fixed, and therefore remote scans no longer hang on copying files to a remote system and successfully finish.
usbguard-notifier
no longer logs too many error messages to the Journal
Previously, the usbguard-notifier
service did not have inter-process communication (IPC) permissions for connecting to the usbguard-daemon
IPC interface. Consequently, usbguard-notifier
failed to connect to the interface, and it wrote a corresponding error message to the Journal. Because usbguard-notifier
started with the --wait
option, which ensured that usbguard-notifier
attempted to connect to the IPC interface each second after a connection failure, by default, the log contained an excessive amount of these messages soon.
With this update, usbguard-notifier
does not start with --wait
by default. The service attempts to connect to the daemon only three times in the 1-second intervals. As a result, the log contains three such error messages at maximum.
Ambient capabilities are now applied correctly to non-root users
As a safety measure, changing a UID (User Identifier) from root to non-root nullifies permitted, effective, and ambient sets of capabilities.
However, the pam_cap.so
module is unable to set ambient capabilities because a capability needs to be in both the permitted and the inheritable set to be in the ambient set. In addition, the permitted set gets nullified after changing the UID (for example by using the setuid
utility), so the ambient capability cannot be set.
To fix this problem, the pam_cap.so
module now supports the keepcaps
option, which allows a process to retain its permitted capabilities after changing the UID from root to non-root. The pam_cap.so
module now also supports the defer
option, which causes pam_cap.so
to reapply ambient capabilities within a callback to pam_end()
. This callback can be used by other applications after changing the UID.
Therefore, if the su
and login
utilities are updated and PAM-compliant, you can now use pam_cap.so
with the keepcaps
and defer
options to set ambient capabilities for non-root users.
The usbguard-selinux
package is no longer dependent on usbguard
Previously, the usbguard-selinux
package was dependent on the usbguard
package. This, in combination with other dependencies of these packages, led to file conflicts when installing usbguard
. As a consequence, this prevented the installation of usbguard
on certain systems. With this version, usbguard-selinux
no longer depends on usbguard
, and as a result, yum
can install usbguard
correctly.
audisp-remote
now correctly detects the availability of the remote locations
Previously, the audisp-remote
plugin did not detect that remote services became unavailable. As a consequence, the audisp-remote
process would enter a state with high CPU usage. With this update, audisp-remote
can properly detect remote services becoming unavailable. As a result, the process no longer enters a high-CPU-usage state.
Clevis no longer stops on certain configurations before automated unlocking
Previously, the Clevis utility, which performs automated unlocking of LUKS-encrypted volumes, stopped on certain system configurations. Consequently, encrypted volumes were not unlocked automatically, and the administrator had to provide a passphrase manually. In some cases, Clevis restarted after the administrator pressed Enter and unlocked the encrypted volumes. With this update, the utility has been fixed to not stop on these configurations, and the process of automated unlocking now works properly.
(BZ#2018292)
7.5. Networking
NetworkManager now uses a static IPv4 IP address as primary
The main purpose of primary and secondary addresses is to enable source address selection for connections that are not yet bound to an IP address. For these connections, the kernel automatically chooses an address. In a NetworkManager connection profile, you can configure a static IPv4 address and DHCP at the same time for one connection. Previously, if you configured a connection with DHCP and a static IPv4 address from the same range as the one provided by the DHCP server, NetworkManager incorrectly assigned the IP address that it received from the DHCP server as primary and the static IP address as secondary.
RHEL 8.6 changes this to the intended behavior. As a result, if you configure both a static IPv4 address and DHCP in one connection profile, the static IP address is now always the primary and the address received from the DHCP server the secondary. Additionally, NetworkManager now also sets the src
attribute for routes assigned by a DHCP server. With this functionality, destinations reachable through these routes use the IP address received from the DHCP server as a source.
(BZ#2096256)
7.6. Kernel
The dmidecode --type 17
command now successfully decodes DDR5 memory information
Previously, the dmidecode
command failed to decode the DDR5 memory information. Consequently, dmidecode --type 17
returned the <OUT OF SPEC>
message. The latest update of the package (dmidecode-3.3-3.el8
) has fixed this problem. As a result, dmidecode --type 17
now successfully decodes DDR5 memory information.
(BZ#2027665)
kdump
no longer fails on KVM virtual machines that use the default amount of memory
Previously, kdump
failed on some kernel-based virtual machines (KVM) that uses the default amount of memory. Consequently, the crash kernel failed to capture the crash dump file with following error:
/bin/sh: error while loading shared libraries: libtinfo.so.6: cannot open shared object file: No such file or directory
With this update, the problem has been fixed and kdump
works correctly on KVM virtual machines that use the default amount of memory.
(BZ#2004000)
Tunnel offloading now works as expected and supports the available hardware
Previously, the driver was not setting certain feature flags. Hence, tunnel offloading was not working as expected. In this update, the driver sets the required flags to enable tunnel offloading and works as expected.
(BZ#1910885)
Fixed the kernel warning while setting the rx
ring buffer to max
Previously, an internal function expecting clean input was called with a reused and already initialized structure. It caused the kernel to give the warning message: “missing unregister, handled but fix driver”. This update fixes the bug, reinitializing the structure before trying to register it again.
(BZ#2040171)
7.7. File systems and storage
xfsrestore
command works correctly while restoring a backup
Previously, while restoring a backup created using the xfsdump
command, xfsrestore
created an orphanage directory. As a consequence, a few files were moved into the created orphanage directory with the following messages:
# xfsdump -L test -M test -f /scratch.dmp /mnt/test ... xfsdump: NOTE: root ino 128 differs from mount dir ino 1024, bind mount? ... xfsdump: Dump Status: SUCCESS # xfsrestore -f /scratch.dmp /mnt/restore/ ... xfsrestore: restoring non-directory files xfsrestore: NOTE: ino 128 salvaging file, placing in orphanage/1024.0/dir17/file60 xfsrestore: NOTE: ino 129 salvaging file, placing in orphanage/1024.0/dir17/file61 xfsrestore: NOTE: ino 130 salvaging file, placing in orphanage/1024.0/dir17/file62 xfsrestore: NOTE: ino 131 salvaging file, placing in orphanage/1024.0/dir17/file63 xfsrestore: NOTE: ino 132 salvaging file, placing in orphanage/1024.0/dir17/file64 xfsrestore: NOTE: ino 133 salvaging file, placing in orphanage/1024.0/dir17/file65 xfsrestore: NOTE: ino 134 salvaging file, placing in orphanage/1024.0/dir17/file66 ...
With this update, the problem has been fixed and xfsrestore
now works correctly.
(BZ#2020494)
The multipathd.socket
unit file no longer disables multipathd
after too many startup attempts
Previously, the starting conditions for multipathd
in the multipath.service
unit file differed from the triggering conditions in multipathd.socket
. Consequently, the unit file repeatedly tried to start multipathd
and failed. This resulted in disabling multipathd
after too many failed attempts. With this fix, the starting conditions for multipathd.socket
and multipathd.service
have been set to the same values. As a result, the multipathd.socket
unit file no longer attempts to start multipathd
where the starting conditions for multipathd.service
are not met.
Protection uevents no longer cause reload failure of multipath devices
Previously, when a read-only
path device was rescanned, the kernel sent out two write protection uevents - one with the device set to read/write
, and the following with the device set to read-only
. Consequently, upon detection of the read/write
uevent on a path device, multipathd
tried to reload the multipath device, which caused a reload error message. With this update, multipathd
now checks that all the paths are set to read/write
before reloading a device read/write. As a result, multipathd
no longer tries to reload read/write
whenever a read-only
device is rescanned.
(BZ#2009624)
7.8. Compilers and development tools
The -j
flag now works when used in a Makefile
Previously, when you added the -j
flag to MAKEFLAGS inside the Makefile, the targets were built sequentially instead of in parallel. This bug has been fixed, and now the targets are built at the same time when you use the -j
flag in the Makefile.
Statically linked applications no longer crash
Previously, the initialization code of the dynamic loader, which is linked into statically linked binaries, did not initialize a link map variable correctly. Consequently, statically linked applications crashed if LD_LIBRABY__PATH
contained a dynamic token string. With this update statically linked applications no longer crash.
pthread_once()
in glibc has been fixed to correctly support C++ exceptions
Previously, the pthread_once()
implementation could result in a hang when using libstdc++
library functions. For example libstdc++
's std::call_once()
called a function that threw an exception which would result in a hang. With this update, pthread_once()
is fixed and no longer hangs when an exception is thrown.
7.9. Identity Management
Certmonger can now automatically renew SCEP certificates with AD when challengePassword
is required for enrollment
Previously, requests for renewal of SCEP certificates sent by certmonger
to an Active Directory (AD) Network Device Enrollment Service (NDES) server included the challengePassword
used to originally obtain the certificate. However, AD treats challengePassword
as a one-time password (OTP). As a consequence, the renewal request was rejected.
This update adds the challenge_password_otp
option to certmonger
. When enabled, this option prevents certmonger
from sending the OTP with the SCEP renewal request. The administrator must also add the DisableRenewalSubjectNameMatch
entry with a value of 1
to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP subkey in the AD registry. With this modification, AD no longer requires the signer certificate and requested certificate subject names to match. As a result, the SCEP certificate renewal is successful.
To configure certmonger
and the AD server for SCEP renewals to work:
-
Open
regedit
on the AD server. -
In the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP subkey, add a new 32-bit REG_DWORD entry
DisableRenewalSubjectNameMatch
and set its value to1
. On the server where
certmonger
is running, open the/etc/certmonger/certmonger.conf
file and add the following section:[scep] challenge_password_otp = yes
Restart certmonger:
# systemctl restart certmonger
FreeRADIUS proxy server no longer stops working when a second FreeRADIUS server is unavailable
When a FreeRADIUS server is configured as a proxy server it forwards request messages to another FreeRADIUS server. Previously, if the connection between these two servers was interrupted, the FreeRADIUS proxy server stopped working. With this fix, the FreeRADIUS proxy server is now able to reestablish a connection when the other server becomes available.
Authenticating to Directory Server in FIPS mode with PBKDF2-hashed passwords now works as expected
When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the PK11_ExtractKeyValue()
function is not available. As a consequence, users with a password-based key derivation function 2 (PBKDF2) hashed password could not authenticate to the server when FIPS mode was enabled. With this update, Directory Server now uses the PK11_Decrypt()
function to get the password hash data. As a result, authenticating to Directory Server in FIPS mode now works for users with PBKDF2-hashed passwords.
Socket activation of SSSD succeeds when the SSSD cache is mounted in tmpfs as the SSSD user
Previously, socket activation of SSSD would fail if the SSSD cache was mounted in a tmpfs
temporary file system because the /var/lib/sss/db/config.ldb
SSSD configuration file was not owned by the sssd
user. With this fix, SSSD creates the config.ldb
file as the sssd
user and socket activation succeeds. If you have mounted the /var/lib/sssd/db/
SSSD cache directory in tpmfs
, you must remount it as the sssd
user so SSSD can create the config.ldb
file in that location.
Perform the following steps only if you have mounted your SSSD cache into tmpfs
for faster performance according to the steps in the Tuning performance in Identity Management guide. In standard circumstances, Red Hat recommends using the default location for the SSSD cache, on standard disk storage, instead.
Procedure
Confirm that
/var/lib/sss/db
is a mount point:# mount -t tmpfs | grep /var/lib/sss/db tmpfs on /var/lib/sss/db type tmpfs (rw,relatime,rootcontext=system_u:object_r:sssd_var_lib_t:s0,seclabel,size=307200k,mode=700)
If
/var/lib/sss/db
is a valid mount point, check if it is owned by theroot
user:# ls -l /var/lib/sss | grep db drwx------. 2 *root root* 40 Jul 26 04:48 db
If the
db
directory is a mount point and it is owned by theroot
user, adduid=sssd,gid=sssd
to the corresponding entry in the/etc/fstab
file to mount it as the SSSD user:tmpfs /var/lib/sss/db/ tmpfs size=300M,mode=0700,*uid=sssd,gid=sssd*,rootcontext=system_u:object_r:sssd_var_lib_t:s0 0 0
Remount the directory and restart the SSSD service:
# systemctl stop sssd # umount /var/lib/sss/db # mount /var/lib/sss/db # systemctl start sssd
Verification
Verify that the
/var/lib/sss/db
directory is owned by thesssd
user:# ls -l /var/lib/sss | grep db drwx------. 2 sssd sssd 160 Jul 26 05:00 db
(BZ#2108316)
7.10. Graphics infrastructures
Matrox GPU with a VGA display now works as expected
Prior to this release, your display showed no graphical output if you used the following system configuration:
- A GPU in the Matrox MGA G200 family
- A display connected over the VGA controller
- UEFI switched to legacy mode
As a consequence, you could not use or install RHEL on this configuration.
With this update, the mgag200
driver has been significantly rewritten, and as a result, the graphics output now works as expected.
(BZ#1953926)
7.11. Red Hat Enterprise Linux system roles
A playbook using the Metrics role completes successfully on multiple runs even if the Grafana admin
password is changed
Previously, changes to the Grafana admin
user password after running the Metrics role with the metrics_graph_service: yes
boolean caused failure on subsequent runs of the Metrics role. This led to failures of playbooks using the Metrics role, and the affected systems were only partially set up for performance analysis. Now, the Metrics role uses the Grafana deployment
API when it is available and no longer requires knowledge of username or password to perform the necessary configuration actions. As a result, a playbook using the Metrics role completes successfully on multiple runs even if the administrator changes the Grafana admin
password.
The SSHD system role uses the correct template file
In RHEL 8.5, the SSHD system role used a wrong template file. As a consequence, the generated sshd_config
file did not contain the # Ansible managed
comment. The missing comment did not affect any functionality on the system. With this update, the system role uses the correct template file and sshd_config
contains the correct # Ansible managed
comment.
The Networking system role no longer fails to set a DNS search domain if IPv6 is disabled
Previously, the nm_connection_verify()
function of the libnm
library did not ignore the DNS search domain if the IPv6 protocol was disabled. As a consequence, when you used the Networking RHEL system role and set dns_search
together with ipv6_disabled: true
, the system role failed with the following error:
nm-connection-error-quark: ipv6.dns-search: this property is not allowed for 'method=ignore' (7)
With this update, the nm_connection_verify()
function ignores the DNS search domain if IPv6 is disabled. As a consequence, you can use dns_search
as expected, even if IPv6 is disabled.
The nm
provider in the Networking system role now correctly manages bridges
Previously, if you used the initscripts
provider, the Networking system role created an ifcfg
file which configured NetworkManager to mark bridge interfaces as unmanaged. Also, NetworkManager failed to detect followup initscript
actions. For example, the down
and absent
actions of initscript provider will not change the NetworkManager’s understanding on unmanaged state of this interface if not reloading the connection after the down
and absent
actions. With this fix, the Networking system role uses the NM.Client.reload_connections_async()
function to reload NetworkManager on managed hosts with NetworkManager 1.18. As a result, NetworkManager manages the bridge interface when switching the provider from initscript
to nm
.
The SSH server role now detects FIPS mode and handles tasks correctly in FIPS mode
Previously, when managing RHEL8 and older systems in FIPS mode, one of the default hostkeys was not allowed to be created. As a consequence, the SSH server role operation failed to generate the not allowed key
type when invoked. With this fix, the SSH server role detects FIPS mode and adjusts default hostkey list accordingly. As a result, the SSH server role can now manage systems in FIPS mode with default hostkeys configuration.
The Logging system role no longer calls tasks multiple times
Previously, the Logging role was calling tasks multiple times that should have been called only once. As a consequence, the extra task calls slowed down the execution of the role. With this fix, the Logging role was changed to call the tasks only once, improving the Logging role performance.
RHEL system roles now handle multi-line ansible_managed
comments in generated files
Previously, some of the RHEL system roles were using # {{ ansible_managed }}
to generate some of the files. As a consequence, if a customer had a custom multi-line ansible_managed
setting, the files would be generated incorrectly. With this fix, all of the system roles use the equivalent of {{ ansible_managed | comment }}
when generating files so that the ansible_managed
string is always properly commented, including multi-line ansible_managed
values. Consequently, generated files have the correct multi-line ansible_managed
value.
The Logging role no longer misses quotes for the immark
module interval value
Previously, the "interval" field value for the immark
module was not properly quoted, because the immark
module was not properly configured. This fix ensures that the "interval" value is properly quoted. Now, the immark
module works as expected.
The group
option no longer keeps certificates inaccessible to the group
Previously, when setting the group for a certificate, the mode
was not set to allow group read permission. As a consequence, group members were unable to read certificates issued by the Certificate role. With this fix, the group setting now ensures that the file mode includes group read permission. As a result, the certificates issued by the Certificate role for groups are accessible by the group members.
The /etc/tuned/kernel_settings/tuned.conf
file has a proper ansible_managed
header
Previously, the Kernel settings RHEL system role had a hard-coded value for the ansible_managed
header in the /etc/tuned/kernel_settings/tuned.conf
file. Consequently, users could not provide their custom ansible_managed
header. In this update, the problem has been fixed so that kernel_settings
updates the header of /etc/tuned/kernel_settings/tuned.conf
with user’s ansible_managed
setting. As a result, /etc/tuned/kernel_settings/tuned.conf
has a proper ansible_managed
header.
The logging_purge_confs
option no longer fails to delete unnecessary configuration files
Previously, the logging_purge_confs
variable was prepared to delete unnecessary logging configuration files, but failed to clean them up. Consequently, even though the logging_purge_confs
variable was set to true, unnecessary configuration files were not cleaned up, but left in the configuration directory. This issue is now fixed and the logging_purge_confs
variable has been redefined to work as follows.
-
If
logging_purge_confs
is set totrue
, it removes files inrsyslog.d
which do not belong to any rpm packages. That includes configuration files generated by the previouslogging
role run. Thelogging_purge_confs
default value isfalse
.
Fixed a typo to support active-backup
for the correct bonding mode
Previously, there was a typo,active_backup
, in supporting the InfiniBand port while specifying active-backup
bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing bonding mode to active-backup
. The connection now successfully supports the InfiniBand bonding port.
Configuration by the Metrics role now follows symbolic links correctly
When the mssql pcp
package is installed, the mssql.conf
file is located in /etc/pcp/mssql/
and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf
. Previously, however, the Metrics role overwrote the symbolic link instead of following it and configuring mssql.conf
. Consequently, running the Metrics role changed the symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf
file. This resulted in a failed symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf
was not affected by the configuration. The issue is now fixed and the follow: yes
option to follow the symbolic link has been added to the Metrics role. As a result, the Metrics role preserves the symbolic links and correctly configures the main configuration file.
The Kernel settings system role now correctly installs python3-configobj
Previously, the Kernel settings role returned an error that the python3-configobj
package could not be found. The role failed to find the package because it did not install python3-configobj
on managed hosts. With this update, the role now installs python3-configobj
on managed hosts and works correctly.
The Kdump system role does not ignore hosts anymore
Previously, the Kdump role ignored managed nodes that do not have memory reserved for crash kernel, and consequently completed with the “Success” status even when not configuring the system correctly. The role has been redesigned to fail in cases where managed nodes do not have memory reserved for crash kernel, and to prompt the user to set the kdump_reboot_ok
variable to true
to correctly configure kdump on managed nodes. As a result, the Kdump role now does not ignore hosts, and either completes successfully with the correct configuration, or fails with an error message describing what users need to do to fix the issue.
The Firewall system role now reloads the firewall immediately when target
changes
Previously, the Firewall system role was not reloading the firewall when the target
parameter has been changed. With this fix, the Firewall role reloads the firewall when the target
changes, and as a result, the target
change is immediate and available for subsequent operations.
Default pcsd
permissions for HA Cluster system role now allow access for group haclient
Previously, when a user ran the HA Cluster system role with the default pcsd
permissions that were set with the ha_cluster_pcs_permission_list
variable, only members of the group hacluster
had access to the cluster. With this fix, the default pcsd
permissions allow the group haclient
to manage the cluster and all members of haclient
can now access and manage the cluster.
7.12. Virtualization
strict
NUMA binding policy no longer allows for moving runtime memory
Previously, when the strict
NUMA binding policy was enabled in a VM (<memory mode='strict'/>
), attempting to move runtime memory from that VM to another NUMA node in some cases partly or completely failed. To avoid this problem, the strict
policy now completely prohibits moving runtime memory.
In addition, the restrictive
policy has been added, which works like the strict
policy did previously. This means that it does allow for moving runtime memory to other NUMA nodes, but cannot ensure that the memory is moved completely.
(BZ#2014369)
multifd
migration now works reliably
Previously, attempting to migrate a virtual machine (VM) using the multifd
feature of QEMU caused the migration to fail and the VM to terminate unexpectedly. The underlying code has been fixed, and multifd
migration now works as expected.
VM migration and snapshots no longer failing due to virtio-balloon
Previously, attempting to migrate a virtual machine (VMs) with a more recent guest operating system (such as RHEL 9) failed if the VM was using the virtio-balloon
device. Similarly, creating a snapshot of such a VM failed. This update fixes a bug in the page poison
feature of virtio-balloon
, which prevents the described problem from occurring.
Hot unplugging an IBMVFC device on PowerVM now works as expected
Previously, when using a virtual machine (VM) with a RHEL 8 guest operating system on the PowerVM hypervisor, attempting to remove an IBM Power Virtual Fibre Channel (IBMVFC) device from the running VM failed. Instead, it displayed an outstanding translation
error. The underlying code has been fixed and live hot unplugs of IBMVFC device now work correctly on PowerVM.
(BZ#1959020)
7.13. Containers
Rootless containers created in RHEL 8.5 and earlier using fuse-overlayfs now recognize removed files
Previously, in RHEL 8.4 and earlier, rootless images and containers were created or stored using the fuse-overlayfs file system. Using such images and containers in RHEL 8.5 and later introduced problems for unprivileged users using the overlayfs implementation provided by the kernel and who had removed files or directories from a container or from an image in RHEL 8.4. This problem did not apply to containers created by the root account.
As a consequence, files or directories that were removed from a container or from an image were marked as such using the whiteout format when using the fuse-overlayfs file system. However, due to differences in the format, the kernel overlayfs implementation did not recognize the whiteout format created by fuse-overlayfs. As a result, any removed files or directories still appeared. This problem did not apply to containers created by the root account.
With this update, the problem is solved.
(JIRA:RHELPLAN-92741)