Chapter 8. Bug fixes

The installer no longer installs earlier versions of packages

Previously, the installer did not correctly load the DNF configuration file during the installation process. As a consequence, the installer sometimes installed earlier versions of select packages in the RPM transaction.

Anaconda installation is successful even if changing the network configuration in stage2

Previously, when using the rd.live.ram boot argument, Anaconda did not unmount an NFS mount point that is used in initramfs to fetch the installation image into memory. As a consequence, the installation process could become unresponsive or fail with a timeout error if the network configuration was changed in stage2.

Installer asks for the passphrase missing in the Kickstart file for the encrypted devices during the installation

Previously, when running the installer in graphical mode, if the passphrase was not specified in the Kickstart file, the installer would not ask for entering the passphrase for encrypted devices. As a consequence, the partitioning specified in the Kickstart file was not applied during the installation.

Images now build successfully for packages in blueprint that contain conditional dependencies

Previously, when using the web console to customize a blueprint with packages that contained conditional dependencies, such as ipa-client, cockpit, podman, would cause the build to fail because of the missing dependencies. As a consequence, the conditional dependency was not met during the dep-solve packages. This issue is fixed now, and the builds will no longer fail when dep-solving conditional dependencies.

DNF now correctly rolls back a transaction containing an item with the Reason Change Action type

Previously, running the dnf history rollback command on a transaction containing an item with the Reason Change Action type failed. With this update, the issue has been fixed, and dnf history rollback now works as expected.

The cmx operation with no parameter no longer crashes the CIM Client

The cmx operation calls a method and returns XML, a parameter specifies the name of the called method. Previously, the command line sblim-wbemcli Common Information Model (CIM) Client crashed when running the cmx operation without an additional parameter. With this update, the cmx operation requires the parameter that defines the name of the called method. Invoking the cmx operation without this parameter results in an error message, and the CIM Client no longer crashes.

The cvSaveImage function in the opencv library no longer terminates the user application

Previously, the opencv library could not use the cvSaveImage function correctly. Consequently, the user application was terminated unexpectedly. With this update, the cvSaveImage function writes the image data on disk and no longer terminates the user application.

ReaR no longer fails to display an error message if it does not update the UUID in /etc/fstab

Previously, ReaR did not display an error message during recovery when it failed to update the universally unique identifier (UUID) in /etc/fstab to match the UUID of the newly created partition in case the UUIDs were different. This could have happened if the rescue image was out of sync with the backup. With this update, an error message occurs during recovery if the restored basic system files do not match the recreated system.

ReaR with the PXE output method no longer fails to store the output files in the rsync OUTPUT_URL location

In RHEL 8.5, the handling of the OUTPUT_URL variable with the OUTPUT=PXE and BACKUP=RSYNC options was removed. As a consequence, when using an rsync location for OUTPUT_URL, ReaR failed to copy the initrd and kernel files to this location, although it uploaded them to the location specified by BACKUP_URL. With this update, the behavior from RHEL 8.4 and earlier releases is restored. ReaR creates the required files at the designated OUTPUT_URL destination using rsync.

ReaR now supports restoring a system using NetBackup version 9

Previously, restoring a system using the NetBackup (NBU) method with NetBackup version 9 or later failed due to missing libraries and other files. With this update, the NBU_LD_LIBRARY_PATH variable contains the required library paths and the rescue system now incorporates the required files, and ReaR can use the NetBackup method.

ReaR no longer displays a false error message about missing symlink targets

Previously, ReaR displayed incorrect error messages about missing symlink targets for the build and source symlinks under /usr/lib/modules/ when creating the rescue image. This situation was harmless, and you could safely ignore the error message. With this update, ReaR does not report a false error message about missing symlink targets in this situation.

Fallbacks of SR-IOV devices now complete successfully

Previously, Single Root I/O Virtualization (SR-IOV) devices did not fallback after device failover because the hcnmgr script used an incorrect active_slave attribute instead of a primary attribute. With this update, the hcnmgr script uses the correct attribute and fallbacks for SR-IOV devices complete successfully.

ppc64-diag rebased to version 2.7.8

The ppc64-diag package for platform diagnostics has been updated to version 2.7.8. Notable improvements and bug fixes include:

lsvpd rebased to version 1.7.14

The lsvpd package, which provides commands for constituting a hardware inventory system, has been updated to version 1.7.14. With this update, the lsvpd utility prevents corruption of the database file when you run the vpdupdate command.

libvpd rebased to version 2.2.9

The libvpd package, which contains classes for accessing the Vital Product Data (VPD), has been updated to version 2.2.9. Notable improvements and bug fixes include:

The printer test page layout in RHEL 8 has changed

Previously, the print test page was not printed if the destination document format was PDF. This update introduces a new test page layout to work with a broader set of printers. Note that the test page does not contain any information regarding the printer or the test page print job.

The frr binary files and scripts have a new location

Previously, the frr package for managing dynamic routing stack contained its binary files and scripts in the /usr/lib/frr directory, which caused certain issues when applying the new targeted SELinux policy. Consequently, SELinux logged denial messages in access vector cache (AVC) and prevented frr from starting properly.

OpenSCAP remediation sets correct permissions for /etc/tmux.conf

Previously, when remediating the SCAP rule configure_tmux_lock_after_time, the /etc/tmux.conf file was created with permissions respecting umask (600). This caused /etc/tmux.conf to be unreadable by regular users. If a regular user logged in, they received an error message and had to wait for several minutes before a timeout ran out and they were logged in. With this update, the remediation of rule configure_tmux_lock_after_time sets specific permissions of /etc/tmux.conf to 644. As a result, regular users no longer encounter the error message or login delay.

SCAP rule for Rsyslog correctly identifies .conf files

Previously, rule "Ensure System Log Files Have Correct Permissions" (xccdf_org.ssgproject.content_rule_rsyslog_files_permissions) did not expand glob expressions in Rsyslog include statements. As a consequence, the rule did not parse all relevant configuration files, and some log files did not have their permissions checked. With this update, the rule correctly expands the glob expressions to identify the .conf files it needs to parse. As a result, the rule now correctly processes the required .conf files to ensure that all configured log files have the correct permissions.

Rules for chronyd do not require explicit chrony user configuration

RHEL runs chronyd under the chrony user by default. Previously, the check and remediation for the chronyd service configuration user were stricter than necessary. The overly strict check led to false positives and to excessive remediations. In this version, the check and remediations of the rule xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user are updated, for both the minimalistic correct configuration and legacy explicit correct configurations pass. As a result, the rule respects the default RHEL behavior and does not require explicit chrony user configuration.

Warning added to rsyslog_remote_loghost

The SCAP rule xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost ensures that the Rsyslog daemon is configured to send log messages to a remote log host. However, the rule does not configure TCP queues. As a consequence, the system hangs if TCP queues are not configured, and the remote log host becomes unavailable. This update adds a warning message that explains how to configure TCP queues. If you encounter system hangs while using this rule, read the warning and configure the system properly.

Remediation of sudo_custom_logfile works for custom sudo log files

Previously, remediation of the SCAP Security Guide rule xccdf_org.ssgproject.content_sudo_custom_logfile did not work for custom sudo log files with a different path than /var/log/sudo.log. With this update, the rule is fixed so that it can properly remediate if the system has a custom sudo log file that does not match the expected path.

Remediation of firewalld_sshd_port_enabled now works correctly

Previously, Bash remediation of the SCAP rule xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled incorrectly handled lists of network interfaces. Additionally, configuration files had different names than required. This update has fixed the remediation. As a result, the remediation handles all network interfaces correctly, and configuration files have predictable names.

fagenrules --load now works correctly

Previously, the fapolicyd service did not correctly handle the signal hang up (SIGHUP). Consequently, fapolicyd terminated after receiving the SIGHUP signal, and the fagenrules --load command did not work properly. This update contains a fix for the problem. As a result, fagenrules --load now works correctly, and rule updates no longer require manual restarts of fapolicyd.

The NetworkManager utility enforces correct ordering of IPv6 addresses from various sources

In general, the ordering of IPv6 addresses affects the priority for source address selection. For example, when you make an outgoing TCP connection. Previously, the relative priority of IPv6 addresses added through the manual, dhcpv6, and autoconf6 methods, was not correct. With this update, the problem has been fixed and the ordering priority now reflects this logic: manual > dhcpv6 > autoconf6. However, the order of addresses under the ipv6.addresses setting did not change and the address added last still has the highest priority.

Asymmetric routing now works correctly

The previous minor version of RHEL 8 contained a change that caused connection tracking to fail in some cases. Consequently, asymmetric routing was not working correctly. This release reverts the change that was introduced in RHEL 8.6. As a result, the asymmetric routing works correctly.

A new ability to deprecate CgroupV1 memory.swappiness allowing for consistent swap behavior

CgroupV1 includes the memory.swappiness per-cgroup swappiness value that controls the swap behavior of the given cgroup.

Anaconda no longer fails after entering a passphrase for encrypted devices

Previously, if kdump was disabled when preparing an installation, and the user selected encrypted disk partitioning, the Anaconda installer failed with a traceback after entering a passphrase for the encrypted device.

The net_prio or net_cls controllers in v1 mode now work correctly

Previously, in cgroup-v2 environments, using either net_prio or net_cls controllers in v1 mode disabled the hierarchical tracking of socket data. As a consequence, the cgroup-v2 hierarchy for socket data tracking controllers was not active, and the dmesg command reported the following message:

grubby now passes arguments to future kernels

When installing a newer version of the kernel, the grubby tool did not pass the kernel command-line arguments from the previous kernel version. As a consequence, the GRUB boot loader ignored user settings. With this fix, the user settings now persist after installing the new kernel version.

pcs now recognizes the mode option when creating a new Booth ticket

Previously, when a user specified a mode option when adding a new Booth ticket, pcs reported the error invalid booth ticket option 'mode'. With this fix, you can now specify the mode option when creating a Booth ticket.

pcs now validates the value of stonith-watchdog-timeout

Previously, it was possible to set the stonith-watchdog-timeout property to a value that is incompatible with SBD configuration. This could result in a fence loop, or could cause the cluster to consider a fencing action to be successful even if the action is not finished. With this fix, pcs validates the value of stonith-watchdog-property when you set it, to prevent incorrect configuration.

MariaDB 10.5 now warns about dropping a non-existent table when the OQGraph plug-in is enabled

Previously, when the OQGraph storage engine plug-in was loaded to the MariaDB 10.5 server, MariaDB did not warn about dropping a non-existent table. In particular, when the user attempted to drop a non-existent table using the DROP TABLE or DROP TABLE IF EXISTS SQL commands, MariaDB neither returned an error message nor logged a warning. This bug has been fixed, and a warning is now shown in the described scenario.

Applications no longer deadlock when invoking pthread_atfork or dclose from fork handler callbacks

Previously, applications invoked pthread_atfork handler callbacks while glibc had acquired an internal lock. As a result, registering fork handlers or calling dclose from a fork handler could deadlock applications.

Wildcard functions in Makefiles no longer return symbolic links when only directories are expected

Previously, the GLOB_ONLYDIR hint used by glob() misreported symbolic links as directories on certain XFS filesystems. When using glob(), make did not confirm that the hints were actually directories and, as a result, wildcard functions in Makefiles returned symbolic links when only directories were expected.

popen() no longer causes multithreaded processes to crash

Previously, a defect in popen() caused applications to crash when using the interface from a multithreaded process. With this update, the bug has been fixed and multithreaded processes no longer crash when using popen().

The mapping for the 0xBC code point for some IBM character sets is now U+00AF MACRON

Previously, the IBM256, IBM277, IBM278, IBM280, IBM284, IBM297, and IBM424 character sets encoded the EBCDIC code point 0xBC as the Unicode character U+203E OVERLINE. As a result, when using the iconv program provided by glibc, converting text in those character sets containing the 0xBC code point failed for non-Unicode character sets such as ISO-8859-1 because they could not encode the U+203E OVERLINE character.

The tempnam function now uses getrandom to increase the randomness of generated file names

Previously, the tempnam function in Red Hat Enterprise Linux 8.4 and later used time-derived randomness for choosing paths. As a result, the tempnam function was not producing the full set of possible file names when invoked repeatedly in quick succession. This bug has been fixed by a new implementation that uses the getrandom function to increase the randomness of the generated file names. As a result, the tempnam function now generates more distinct file names.

POWER9-optimized strncpy function no longer gives incorrect results

Previously, the POWER9 strncpy function did not use the correct register as the source of the NUL bytes for padding. Consequently, the output buffer contained uninitialized register content instead of the NUL padding. With this update, the strncpy function has been fixed, and the end of the output buffer is now correctly padded with NUL bytes.

The en_US@ampm locale is now listed correctly by locale -a

Previously, there was a defect in the listing of en_US@ampm in the output of the locale -a command. Consequently, the setlocale API failed when trying to set this locale using its name/alias printed by locale -a. With this update, en_US@ampm is now listed correctly and calls to setlocale succeed for all locales printed by locale -a.

Unit masks for events are now all included in the papi_xml_event_info output

Previously, the testing of event unit mask information in papi_xml_event_info was incomplete. In some cases, unit masks for events were not included in the papi_xml_event_info output. This bug has been fixed and as a result, papi_xml_event_command now prints out all the unit masks for an event.

Debug messages no longer logged to /var/log/messages by default

Previously, the ipa-dnskeysyncd and ipa-ods-exporter daemons logged all debug messages to /var/log/messages by default, resulting in log files growing substantially. If required, you can now configure the debug log level by setting debug=True in the /etc/ipa/dns.conf file. For more information refer to the default.conf(5) man page.

Preserving users accounts

Previously, if you ran the ipa user-del --preserve user_login command to preserve a user account, the output incorrectly returned the message Deleted user “user_login”. This message incorrectly indicates that the user was deleted and not preserved as expected. With this update, the output now returns Preserved user “user_login”.

Transferring Kerberos databases greater than 4 GB

Previously, the kprop service and the kpropd command used a 32 bit value when storing the size of the Kerberos KDC database. As a result the transfer of the Kerberos database dump file from the primary Kerberos server to a replica server failed if the database size exceeded 4 GB.

Handling unreadable objects in an LDAP group’s member list

Before this update, SSSD inconsistently handled the unreadable objects in an LDAP group’s member list and this resulted in unreadable objects causing an error or in certain situations unreadable objects were ignored.

The Airplane Mode switch is always displayed

Previously, the Airplane Mode switch in the Wi-Fi section of the Settings application disappeared after you enabled airplane mode. With this update, the problem has been fixed, and Settings always display the Airplane Mode switch, regardless of its state.

Hotkeys in Motif applications activate the correct item

Previously, menu hotkeys activated the wrong menu item in applications using the Motif toolkit. When a submenu was open and you pressed a hotkey associated with its item, the application activated an item in the parent menu instead.

The desktop no longer fails to start with disabled IPv6 and DisallowTCP=false

Previously, the X11 desktop session failed to start after login under the following circumstances:

Removing USB host devices using the web console now works as expected

Previously, when you attached a USB device to a virtual machine (VM), the device number and bus number of the USB device changed after they were passed to the VM. As a consequence, using the web console to remove such devices failed due to the incorrect correlation of the device and bus numbers. With this update, the issue has been fixed and you can remove the USB host devices using the web console.

Attaching multiple host devices using the web console now works as expected

Previously, when you selected multiple devices to attach to a virtual machine (VM) using the web console, only a single device was attached and the rest were ignored. With this update, the issue has been fixed and you can now simultaneously attach multiple host devices using the web console.

Fixed a typo to support active-backup for the correct bonding mode

Previously, there was a typo,active_backup, in supporting the InfiniBand port while specifying active-backup bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing bonding mode to active-backup. The connection now successfully supports the InfiniBand bonding port.

The IPRouteUtils.get_route_tables_mapping() function now accepts any whitespace sequence

Previously, a parser for the iproute2 routing table database, such as /etc/iproute2/rt_tables, asserted that entries in the file were of the form 254 main and only a single space character separated the numeric id and the name. Consequently, the parser failed to cache all the mappings between the route table name and table id.Therefore the user could not add a static route into the route table by defining the route table name. With this update, the parser accepts any whitespace sequence in between the table ID and table name. As a result, as the parser caches all the mapping between the route table name and table ID, users can add a static route into the route table by defining the route table name.

Configuration by the metrics RHEL system role follows symbolic links correctly

When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the metrics role overwrote the symbolic link instead of following it and configuring mssql.conf. Consequently, running the metrics role changed the symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The problem is now fixed and the follow: yes option to follow the symbolic link has been added to the metrics role. As a result, the metrics role preserves the symbolic links and correctly configures the main configuration file.

The tlog RHEL system roles is now correctly overlaid by SSSD

Previously, the tlog RHEL system role relied on the System Security Services Daemon (SSSD) files provider and on enabled authselect option with-files-domain to set up correct passwd entries in the nsswitch.conf file. With this fix, the tlog role now updates the nsswitch.conf to ensure tlog-rec-session is correctly overlaid by SSSD.

The mount_options parameter for volumes is now valid for a volume

Previously, the parameter was accidentally removed from the list of valid parameters for a volume. Consequently, users were unable to set the mount_options parameter for volumes. With this bug fix, the mount_options parameter has been added back to the list of valid parameters and the code has been refactored to catch the errors. As a result, the storage RHEL system role can set the mount_options parameter for volumes.

The metrics RHEL system role README and documentation now clearly specifies supported Redis and Grafana versions on specific versions of RHEL by the role

Previously, when trying to use the metrics role with unsupported versions of Redis and Grafana on unsupported platforms, the role failed. This update clarifies the documentation about which versions of Redis and Grafana are supported on which versions of RHEL by the role. As a result, you can avoid trying to use unsupported versions of Redis and Grafana on unsupported platforms.

The kernel_settings RHEL system role now correctly installs python3-configobj

Previously, the kernel_settings role returned an error that the python3-configobj package could not be found. The role failed to find the package because it did not install python3-configobj on managed hosts. With this update, the role now installs python3-configobj on managed hosts and works correctly.

The storage RHEL system role now correctly supports striped and raid0 levels for LVM volumes

The storage RHEL system role previously incorrectly reported RAID levels striped and raid0 as not supported for LVM volumes. This is now fixed and the role can now correctly create LVM volumes of all RAID levels supported by LVM: raid0, raid1, raid4, raid5, raid6, raid10, striped and mirror.

The metrics RHEL system role automatically restarts pmie and pmlogger services after an update to their configuration

Previously, the pmie and pmlogger services did not restart after their configuration was changed and waited for handler execution. This caused errors with other metrics services, which required pmie and pmlogger configuration to match their runtime behavior. With this update, the role restarts pmie and pmlogger immediately after a configuration update, their configuration matches runtime behavior of dependent metrics services, and they work correctly.

The forward_port parameter now accepts both the string and dict option

Previously, in the firewall RHEL system role, the forward_port parameter only accepted the string option. However, the role documentation claimed that both string and dict options were supported. Consequently, the users reading and following the documentation were getting an error. This bug has been fixed by making forward_port accept both options. As a result, the users can safely follow the documentation to configure port forwarding.

The nbde_client system role now uses proper spacing when specifying extra Dracut command line-parameters

The Dracut framework requires proper spacing when specifying additional parameters, such as kernel command-line parameters. If the parameters are not specified with proper spacing, Dracut might not append the specified extra parameters to the kernel command line. With this update, the nbde_client system role uses proper spacing when creating add-on Dracut configuration files. As a result, the role correctly sets Dracut command-line parameters.

Minimal RSA key bit length option in the ssh and sshd RHEL system roles

Accidentally using short RSA keys might make the system more vulnerable to attacks. With this update, you can set RSA key minimal bit lengths for OpenSSH clients and servers by using the RSAMinSize option in the ssh and sshd RHEL system roles.

The NBDE Client system role supports static IP addresses

In previous versions of RHEL, restarting a system with a static IP address and configured with the Network Bound Disk Encryption (NBDE) Client system role would change the system’s IP address. With this change, systems with static IP addresses are supported by the NBDE Client system role, and their IP addresses do not change after a reboot.

Live pre-copy migration of VMs with failover VFs now works correctly

Previously, attempting to pre-copy migrate a running virtual machine (VM) failed if the VM used a device with the virtual function (VF) failover capability enabled. This update fixes the problem, and migrating VMs in the described scenario now works correctly.

An instance now retains the primary IP address even after starting the nm-cloud-setup service in Alibaba Cloud

Previously, after launching an instance in the Alibaba Cloud, the nm-cloud-setup service configured the incorrect IP address as the primary IP address in case of multiple IPv4 addresses. Consequently, this affected the selection of the IPv4 source address for outgoing connections. With this update, after configuring secondary IP addresses manually, the NetworkManager package fetches the primary IP address from primary-ip-address metadata and configures both primary and secondary IP addresses correctly.

SR-IOV no longer performs suboptimally in ARM 64 RHEL 8 virtual machines on Azure

Previously, SR-IOV networking devices had significantly lower throughout and higher latency than expected in ARM 64 RHEL 8 virtual machines (VMs) running on a Microsoft Azure platform. The problem has been fixed, and the affected VMs now perform as expected.

Starting a RHEL 8 virtual machine on AWS using cloud-init no longer takes longer than expected

Previously, initializing an EC2 instance of RHEL 8 using the cloud-init service on Amazon Web Services (AWS) took an excessive amount of time. The Amazon Machine Images (AMIs) of RHEL 8 have been updated to include a fix for the problem, and intializing EC2 instances of RHEL 8 now works correctly.

DNF and YUM no longer fail because of non-matching repository IDs

Previously, DNF and YUM repository IDs did not match the format that DNF or YUM expected. For example, if you ran the following example, the error occurred:

Container images signed with a Beta GPG key can now be pulled

Previously, when you pulled RHEL Beta container images, Podman failed with the error message: Error: Source image rejected: None of the signatures were accepted. The images failed to be pulled due to current builds being configured to not trust the RHEL Beta GPG keys by default. With this update, the /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted keys. Because of this, the container images signed with GA and Beta GPG keys are now accepted in the default configuration.