Chapter 11. Fixed issues


This version provides the following fixed issues and other problems that have a significant impact.

11.1. Installer and image creation

Installation no longer fails if a VDO logical volume is present

Before this update, installing RHEL failed when users attempted to remove a pre-existing Logical Volume Manager Virtual Data Optimizer (LVM VDO) volume on systems without the dm_vdo kernel module. With this update, installation succeeds when removing an LVM VDO volume on systems without VDO support.

Jira:RHEL-84685[1]

Enhanced installation program to enable container-based deployments on s390x

The RHEL installation program now supports deploying bootable containers in Image Mode on the s390x architectures by using the ostreecontainer Kickstart command. This enhancement removes previous limitations and ensures consistent deployment options across supported architectures. Users can now automate installations on s390x systems by using container-based workflows.

Jira:RHEL-88558

The installation program now respects the BOOTIF boot argument

Previously, the RHEL installation program ignored the BOOTIF=<MAC> boot argument and activated all the available network interfaces. With this fix, the installation program now properly processes the BOOTIF argument and ensures that only the designated network device is activated during the installation process.

Jira:RHEL-69400[1]

11.2. Security

fapolicyd no longer causes the RPM database to crash with repeated updates

Before this update, repeated updates of the RPM database when fapolicyd was in enforcing mode caused a bus error (SIGBUS), which caused the RPM database to terminate unexpectedly. With this release, fapolicyd SIGBUS protection for RPM database updates has been improved. As a result, the RPM database no longer crashes when repeatedly updating it with fapolicyd enabled.

Jira:RHEL-94540[1]

SSH connection failure no longer displays verbose help message

Before this update, when an SSH connection failed, a message with common SSH errors and a link to Red Hat help was displayed. As a consequence, the help message in the error output broke user scripts and automation. With this update, the help message displays only when SSH is run with log level debug1 or higher. As a result, the error output does not include any unexpected messages by default.

Jira:RHEL-93957

fapolicyd-cli --file add no longer fails when processing non-regular files

Before this update, the fapolicyd-cli --file add command failed to add directories containing non-regular files, such as sockets, to the trust database. With this update, the problem is resolved, and fapolicyd-cli --file add no longer fails in the described scenario.

Jira:RHEL-105425

GnuTLS supports standard ML-DSA formats

In RHEL 10.0, GnuTLS tools used non-standard serialization formats for ML-DSA private keys. Consequently, the certtool -p command exported ML-DSA private keys that were not compatible with IETF-compliant implementations. Likewise, keys exported by other software did not work with GnuTLS. With this update, GnuTLS supports standard ML-DSA formats and generates interoperable private keys.

Jira:RHEL-85829

OpenSSL stores ML-KEM and ML-DSA private keys in standard formats

In RHEL 10.0, the open quantum-safe provider for OpenSSL (oqsprovider) generated private keys in a format that did not conform to any of the file formats proposed by the IETF LAMPS work group. Consequently, the key files were unreadable by other applications that follow the IETF standard and could not be handled by applications that require providing the key in the seed format for import. With this update, OpenSSL no longer uses oqsprovider and its post-quantum cryptography (PQC) implementation generates the keys in standard formats. As a result, you can use OpenSSL ML-KEM and ML-DSA keys for storing long-term secrets.

Jira:RHEL-72719

11.3. Software management

DNF Automatic uses the correct RHEL minor version when the EPEL repository is enabled

Before this update, when you used the DNF Automatic tool with the Extra Packages for Enterprise Linux (EPEL) repository enabled, the tool expanded the EPEL metalink URL to a wrong address. This caused the tool to download packages for the minor version of RHEL 10 that is still in development instead of the last released minor version. With this update, updating of the releasever_major and releasever_minor variables was fixed in the dnf.cli.cli.Cli._read_conf_file() method. As a result, DNF Automatic correctly detects a minor release number and downloads an EPEL repository matching the RHEL major and minor release version.

Jira:RHEL-106141

11.4. Shells and command-line tools

/var/lib/tftpboot directory is created by default in Image Mode deployments

Previously, in Image Mode deployments, installing the tftp-server package did not create the /var/lib/tftpboot directory. This occurred because changes to the /var directory were not applied when additional packages were added to existing Image Mode deployments.

With this update, the /var/lib/tftpboot directory is automatically created in all Image Mode deployments.

Jira:RHEL-79983[1]

The IPL output method of ReaR on IBM Z follows RHEL 9 file naming conventions

Before this update, when using the deprecated IPL output method of Relax-and-Recover (ReaR) on IBM Z, the resulting recovery kernel was named kernel-$RAMDISK_SUFFIX and the ramdisk image was named initramfs-$RAMDISK_SUFFIX.img. This naming convention differed from RHEL 9, which uses vmlinuz-$kernel_version and initrd.cgz, respectively. Consequently, custom scripts used to process these recovery images required manual adjustment after an upgrade from RHEL 9 to RHEL 10 due to the file name changes.

With this update, the RHEL 9 file naming behavior is restored for the deprecated IPL output method on IBM Z, preserving backward compatibility with previous major releases of RHEL. The kernel image is now named vmlinuz-$kernel_version and the ramdisk image is named initrd.cgz.

As a result, the kernel and initramfs images are named consistently with RHEL 9, eliminating the need to adapt scripts when upgrading from RHEL 9 to RHEL 10.1. This represents a change in behavior from RHEL 10.0. The RAMDISK output method should be used instead of the deprecated IPL method, as RAMDISK uses the naming convention kernel-$RAMDISK_SUFFIX and initramfs-$RAMDISK_SUFFIX.img and is uniform across all supported architectures.

Jira:RHEL-102563[1]

11.5. Infrastructure services

The chronyc reload sources command now correctly handles hostname-specified sources

Previously, the chronyc reload sources command in chronyd incorrectly reloaded sources from the sourcedir directory specified in the chrony.conf file. This behavior caused chronyd to duplicate sources when a hostname resolved to multiple IP addresses, resulting in an unexpected increase in the number of sources.

With this update, the chronyc reload sources command correctly handles sources specified with a hostname. As a result, reloading of sources does not change the number of used sources.

Jira:RHEL-95017

11.6. Networking

The custom iproute2 settings in /etc/iproute2/ work as expected

Previously, if you updated to RHEL 10.0, the iproute2 package stored the default configuration in the /usr/share/iproute2/ directory. Additionally, if you had a custom configuration in /etc/iproute2/, the update renamed these files and appended the .rpmsave suffix. As a consequence, the custom settings were no longer applied. If you update to the RHEL 10.1 version of the iproute2 package, the installation script in the package no longer renames custom configuration files and, if it finds files with .rpmsave suffix in /etc/iproute2/, the script removes this suffix. As a result, custom settings work again as expected.

Note that the iproute2 default settings remain in /usr/share/iproute2/.

Jira:RHEL-99163[1]

The kernel no longer panics if you reduce the number of SR-IOV VFs at runtime

In previous releases, the Linux kernel could panic if all of the following conditions applied:

  • The host has Input-Output Memory Management Unit (IOMMU) enabled.
  • A network driver uses a page pool.
  • You reduced the number of Single Root I/O Virtualization (SR-IOV) Virtual Functions (VFs) of the network interface that uses this driver.

With this update, the kernel tracks which DMA-mapped memory pages belong to a page pool. When a page pool is destroyed, for example by removing a VF, the memory pages are DMA-unmapped. This prevents attempts to unmap the memory pages after the VF has already been removed. As a result, the kernel no longer panics if you reduce the number of SR-IOV VFs at runtime.

Jira:RHEL-68401[1]

The NAT engine now checks for address collisions in reply direction

Before this update, the network address translation (NAT) engine did not check for address collisions in the reply direction. This led to connection failures when new incoming connections used the same source addresses and source ports as existing connections. With this release, the NAT engine checks the reply direction and detects the collision, and the source port of the new connection is internally remapped to a new available port number. As a result, the connection proceeds as expected.

Jira:RHEL-99656[1]

The nft_fib expression now returns consistent results for both IPv4 and IPv6 in VRF domains

Before this update, the Netfilter nft_fib expression returned unicast instead of local if a device was part of a Virtual Routing and Forwarding (VRF) domain. Additionally, the fib daddr . iif expression behaved differently for IPv4 and IPv6 packets arriving on a VRF interface. For an incoming IPv6 packet, it incorrectly returned the name of the underlying physical interface, whereas for an IPv4 packet, it correctly returned the name of the VRF device itself. With this update, the nft_fib expression provides consistent results for both IPv4 and IPv6 when the device is part of a VRF domain.

Jira:RHEL-88574[1]

Network authentication methods using PKCS #11 with wpa_supplicant have been fixed

In RHEL 10, engines that are not compatible with the Federal Information Processing Standard (FIPS), such as the OpenSSL engine API, have been removed. Consequently, the dependent wpa_supplicant service could not load X.509 certificates and keys stored in PKCS #11 URI format. As a result, EAP-TLS authentication methods and variants using PKCS #11 could not connect to the relevant network. To fix this problem, wpa_supplicant now depends on the pkcs11-provider package and uses the same-named library to load X.509 certificates and keys from a PKCS #11 storage. As a result, network authentication methods using PKCS #11 work as expected.

Jira:RHEL-86951

11.7. Kernel

Updated the stalld scheduling policy regression to prevent performance degradation

Before this update, the Node Tuning Operator CI was broken because of a change in stalld scheduling policy. This change caused the service to revert to SCHED_OTHER instead of SCHED_FIFO after starting. Consequently, real-time workloads could experience performance degradation, and pull requests (PRs) could not be merged. With this update, the systemd unit file sets stalld priority to 10, ensuring that stalld runs with SCHED_FIFO. This restores expected behavior and improves performance for real-time workloads.

Jira:RHEL-109112

osnoise/cpus allows setting a long comma-separated list of cpus

Before this update, you could not set a lengthy comma-separated list of cpus in osnoise/cpus because of an invalid argument error. This restriction impacted latency debugging and troubleshooting. With this release, you can input a long comma-separated list of cpus in osnoise/cpus to enhance RTLA latency debugging and troubleshooting.

Jira:RHEL-86520[1]

rtla timerlat now handles high-frequency sampling on systems with 100+ CPUs

Before this update, rtla timerlat could not process timerlat samples with 100us period or faster on systems with more than 100 CPUs due to insufficient tracefs buffer handling. As a consequence, samples were dropped and timerlat measurements became inaccurate, affecting real-time performance analysis. With this release, timerlat samples are collected directly on measurement CPUs, eliminating buffer overflow issues. As a result, rtla timerlat provides accurate measurements on high-core-count systems, enabling reliable real-time performance analysis.

Jira:RHEL-77357[1]

rtla timerlat does not reset osnoise stop tracing threshold during startup

Before this update, using rtla timerlat multiple times without clearing the stop_tracing flags left RTLA in an inconsistent state. As a consequence, tracing did not stop correctly in case stop tracing was not requested via the -a, -T, or -i options. This led to inaccurate data being reported, since RTLA exited when it shouldn’t have. With this update, rtla-timerlat resets stop tracing variables, preventing early exit, and as a result, program stability is improved.

Jira:RHEL-73865[1]

11.8. Boot loader

The GRUB2 net_del_dns command deletes the DNS server correctly

Before this update, if you attempted to delete the DNS server by using the net_del_dns command, it added the DNS server back erroneously because of incorrect implementation, and returned an error. With this fix, the add command was replaced by the remove command in the net_del_dns implementation. As a result, you can delete the DNS server by using the net_del_dns command.

Jira:RHEL-4378

11.9. File systems and storage

multipathd can monitor devices with offline paths

Before this update, when a user created a multipath device while some paths to the device were in the offline state, the multipathd daemon did not monitor the device or its paths. Consequently, if paths failed, they were never restored, even if they became available again. With this update, the multipathd daemon monitors the multipath device and its offline paths. multipathd also adds the paths to the multipath device if they become online.

Jira:RHEL-82535[1]

The RHEL installation program removes corrupted LVM thin volumes

Previously, the presence of corrupted LVM thin volumes caused storage configuration errors, blocking the installation process. With this fix, the RHEL installation program now detects and removes broken thin volumes. As a result, users do not have to intervene in the installation process manually.

Jira:RHEL-84663

11.10. High availability and clusters

pcs commands no longer fail due to improperly capitalized target-role values

Before this update, if a resource’s target-role meta-attribute was set to a value that was not capitalized, such as stopped instead of Stopped, pcs failed to parse the cluster status. This parsing error caused pcs status query resource commands and commands for deleting resources, including pcs resource delete, to fail.

With this update, the cluster status parsing logic in pcs has been made more flexible.

As a result, pcs commands function correctly even when a resource has a target-role meta-attribute with an improperly capitalized value.

Jira:RHEL-92043

fence_ibm_powervs supports plain text token files

Before this update, the fence_ibm_powervs agent could only read authentication tokens from files that were formatted as JSON. It failed to read tokens from plain text files.

With this update, the file reading logic in the agent has been corrected.

As a result, the fence_ibm_powervs agent can use token files that are in either JSON or plain text format.

Jira:RHEL-88569[1]

Pacemaker Remote nodes are no longer fenced unnecessarily when quorum is lost

Before this update, in certain cluster configurations, a Pacemaker Remote node could be fenced when its partition lost quorum, even if the resource managing that node could be safely restarted on a different, quorate node. This behavior caused unnecessary downtime for the services running on the Pacemaker Remote node.

With this update, a new cluster property, fence-remote-without-quorum, has been introduced to control this behavior.

As a result, with the default fence-remote-without-quorum=false setting, Pacemaker no longer fences a remote node if its managing resource can be recovered on a quorate node, thus improving service availability.

Jira:RHEL-86146[1]

Pacemaker no longer requires manual IPC buffer tuning for large clusters

Before this update, in clusters with a large number of nodes or resources, Pacemaker’s internal communication could exceed the default buffer size. This would result in logged errors and could cause command-line tools to be slow or unresponsive. Users sometimes had to manually increase the PCMK_ipc_buffer setting to resolve these issues.

With this update, Pacemaker’s inter-process communication (IPC) code has been enhanced to handle large messages without a fixed buffer limit.

As a result, the PCMK_ipc_buffer setting is no longer needed and has been deprecated. Command-line tools are more responsive on complex clusters, and buffer size errors are no longer logged.

Jira:RHEL-86144[1]

systemd resources with long start or stop times are handled correctly

Before this update, Pacemaker polled for the result of start and stop actions on systemd resources with a fixed timeout. If a resource took longer to start or stop than this timeout, Pacemaker incorrectly marked the resource as failed.

With this update, Pacemaker listens for DBus messages from systemd to be notified when a start or stop action completes.

As a result, Pacemaker correctly detects the status of long-running systemd services, and resources are no longer marked as failed due to a timeout.

Jira:RHEL-71181[1]

11.11. Compilers and development tools

glibc package updated to include bug fixes and enhancements from the upstream 2.39 release

Upstream development delivered multiple bug fixes and enhancements to glibc 2.39. As a consequence, RHEL 10 glibc became outdated relative to the upstream release, resulting in gaps in features and unresolved bugs. To address this, the fixes and enhancements from the glibc 2.39 upstream release branch were backported to RHEL 10. As a result, RHEL 10 glibc now provides feature and bug parity with the upstream glibc 2.39 release branch as of August 20, 2025.

Jira:RHEL-109536

Certain programs no longer crash when running the glibc dynamic linker in auditing mode

Previously, the glibc dynamic linker in LD_AUDIT mode could allocate internal data structures by using the main calloc function before the linker initialized the main malloc subsystem. As a consequence, certain programs terminated unexpectedly in the calloc function during startup. With this update, the process startup sequence has been rearranged so that calloc memory allocation occurs before switching to the main malloc function, using the internal malloc implementation during startup. As a result, programs no longer crash during startup in the calloc function when the dynamic linker is in auditing mode.

Jira:RHEL-109703[1]

Improved support for recursive dlopen calls in audit modules in glibc

Previously, recursive dlopen calls from auditors could trigger an r_state == RT_CONSISTENT assertion failure in glibc’s dl-open.c. As a consequence, applications exited unexpectedly when auditors were active. With this update, the dynamic linker reports consistency of its internal data structures earlier during an in-progress dlopen call. As a result, recursive dlopen operations for auditors are supported in more cases.

Jira:RHEL-109702

glibc: ctype.h macros caused segmentation faults in multithreaded programs with multiple libc.so

Previously, the internal state for <ctype.h> in secondary C library copies created by audit or with dlmopen failed to initialize for threads created with pthread_create. As a consequence, using <ctype.h> functionality, either directly or indirectly, in secondary threads and namespaces resulted in program crashes.

With this update, the internal state for <ctype.h> is initialized to refer to the C locale for secondary threads and namespaces. As a result, using functionality from <ctype.h> in these scenarios no longer causes crashes.

Jira:RHEL-72018

getent group now returns complete member lists when NSS merge encounters ERANGE in glibc

Before this update, a merge between two group entries could fail due to a too-small internal buffer on systems where Name Service Switch (NSS) merged groups from more than two sources. In such cases, glibc incorrectly skipped the merge instead of retrying with a larger buffer. As a consequence, in some cases, querying group membership produced incomplete or empty results in environments with multiple group databases.

With this update, glibc correctly handles merge failures and retries with an appropriately sized buffer instead of skipping the result. As a result, group membership queries reliably return the full set of members when groups are merged from more than two services.

Jira:RHEL-114264[1]

glibc audit logging provides complete object life cycle tracking

Before this update, the glibc dynamic linker called la_objclose for the proxy ld.so link map in a secondary namespace without a preceding la_objopen. This resulted in incomplete object life cycle reporting for tools that rely on la_objopen to track shared objects.

As a consequence, auditing tools that rely on la_objopen to establish tracking failed to monitor proxy link maps reliably, resulting in gaps in visibility and possible misinterpretation of unload events.

With this release, the glibc dynamic linker generates la_objopen events for all applicable link maps, including the proxy ld.so in secondary namespaces, ensuring a consistent sequence for the auditing interface.

As a result, audit tools can track proxy link maps throughout their complete life cycle with consistent la_objopen and la_objclose event pairs, improving the reliability of audit tools and diagnostics.

Jira:RHEL-109693

11.12. Identity Management

ipa-cacert-manage install now permits duplicate CA subjects

Previously, attempting to add a CA certificate with an identical subject but a different private key using ipa-cacert-manage install failed with the message subject public key info mismatch, as IdM prohibited duplicate subjects.

This update relaxes that restriction, allowing ipa-cacert-manage install to accept duplicate CA subjects. However, the following limitations remain:

  • Certificates cannot be added with different trust flags.
  • The CAs must share the same nickname.
  • An Authority Key Identifier (AKI) extension is mandatory for all CAs. Its absence leads to an unexpected chain of trust behavior.

Jira:RHEL-84648[1]

dsconf replication get-ruv no longer returns an error

Before this update, one of the replication functions did not call a required function. As a result, when you ran dsconf <instance_name> replication get-ruv --suffix dc=example,dc=com, an error was displayed. With this update, the command returns a Replica Update Vector (RUV) value as expected.

Jira:RHEL-112722

Newly created user password policies are displayed correctly

Before this update, the cosAttribute attribute in the Class of Service (CoS) template had the operational modifier instead of operational-default. As a consequence, when both subtree and user password policies existed, the pwdpolicysubentry attribute pointed to the subtree password policy instead of the user password policy. With this release, the CoS template uses the operational-default modifier. As a result, the user policy is displayed correctly.

Note

This issue affected only displaying the policies, not the actual password policy logic.

Jira:RHEL-97565

ipa-healthcheck now ignores the replica busy condition

Before this update, in a topology with more than two suppliers, the ipa-healthcheck tool reported an error about replication agreement status when a supplier was receiving updates from another node. It is a standard replication situation and, with this release, ipa-healthcheck no longer reports an error when replicas are busy.

Jira:RHEL-89774[1]

Directory Server no longer fails during cleanup at shutdown on instance with LMDB

Before this update, a race condition occurred during cleanup at shutdown on an instance with Lightning Memory-Mapped Database Manager (LMDB). With this update, Directory Server no longer calls lmdb when the database environment is closed.

Jira:RHEL-86878

LMDB monitoring statistics are now displayed correctly

Before this update, when you tried to retrieve the monitoring statistics on an instance with Lightning Memory-Mapped Database Manager (LMDB) database type, a key error occurred. With this update, Directory Server ensures backend and monitor keys match the configured database implementation. As a result, global monitoring statistics are displayed correctly.

Jira:RHEL-83850

389-ds-base no longer fails during the LMDB offline import

Before this update, a race condition occurred when a worker thread read an entry before another process finished writing the entry. As a result, offline import on an instance with the Lightning Memory-Mapped Database Manager (LMDB) backend caused a segmentation fault.

With this update, Directory Server ensures thread-safe access by locking the worker queue before writing entries, and the server no longer fails during the LMDB offline import.

Jira:RHEL-5117

The Directory Server web console now shows the server version

Before this update, the web console did not display the server version in Server Settings > General Settings. With this update, the server version is displayed correctly.

Jira:RHEL-101783[1]

Directory Server correctly displays the number of child entries under a specific node

Before this update, the numSubordinates and numTombstoneSubordinates attributes were wrongly computed during import. Consequently, when you compared the number of child entries under a specific node, the wrong values were displayed.

With this update, Directory Server computes numSubordinates and numTombstoneSubordinates correctly.

Jira:RHEL-101727

Directory Server no longer fails during NDN cache operations

Before this update, the arc-swap library, which was used in the Rust dependency of 389-ds-base, could cause a failure in Directory Server during NDN cache operations. With this release, Directory Server uses an updated version of Rust dependency (concread) 0.5.7 that does not contain the arc-swap library. As a result, Directory Server no longer fails.

Jira:RHEL-95441

Directory Server correctly displays membership in nested groups

Before this update, Directory Server displayed an incorrect value of the memberOf attribute in an entry under the following conditions:

  • An entry was a member of groups that had multiple nested levels
  • Groups were part of other different groups that had multiple paths in the membership relations.

With this update, the memberOf distinguished name (DN) value is added systematically, and the entry membership in groups is displayed correctly.

Jira:RHEL-89748

Directory Server no longer fails when adding nsslapd-referral

Before this update, when you tried to configure Directory Server to use a referral, the server failed due to incorrect handling of the paged search result.

With this update, if the search result code is LDAP_REFERRAL, the paged search result returns the correct value and the server no longer fails.

Jira:RHEL-87352

The RootDN Access Control plugin with wildcards for IP addresses no longer fails

Before this update, if you tried to set IP addresses with wildcards for the RootDN Access Control plugin configuration, the attempt failed with the Invalid IP address error. With this release, the validation function was updated. As a result, the attempt to set values with wildcards no longer fails.

Jira:RHEL-86313

The Directory Server monitoring information is available as expected when NDN cache is disabled

Before this update, when the Normalized DN (NDN) cache was disabled, the dsconf <instance_name> monitor dbmon command failed with an error because of improper handling of the backend get-tree command failures. This release adds a rollback functionality to prevent orphaned backends when the tree creation fails during a backend creation. As a result, Directory Server monitoring information is returned as expected.

Jira:RHEL-79079

The Databases menu opens as expected in the Directory Server web console

Before this update, you could not open the Databases menu in the Directory Server web console if the database name that you created had an incorrect suffix syntax, for example, the name included dc=. With this update, Directory Server uses a rollback functionality when mapping tree creation fails during backend creation to prevent orphaned backends. As a result, the Databases menu opens as expected.

Jira:RHEL-76832[1]

NDN cache no longer causes increased memory consumption in Directory Server

Before this update, the concread Rust dependency of 389-ds-base allowed the Normalized DN (NDN) cache to hold the memory of even evicted entries. As a consequence, NDN cache could increase memory consumption.

With this update, Directory Server uses an updated version of concread Rust dependency and NDN cache works as expected without the server performance impact.

Jira:RHEL-74085

Password modify extended operation skips password policy checks correctly for the root DN and password administrators

Before this update, when the root DN or a password administrator used a password modify extended operation to change a password, they could not bypass Directory Server’s password policies restrictions. As a consequence, they could not update passwords that did not comply with password policy requirements.

With this release, the password policies are checked correctly when the Bind DN is the root DN or a password administrator. As a result, the root DN and password administrators can successfully update passwords without policy restrictions.

Jira:RHEL-67022

dsconf correctly returns replication monitoring information

Before this update, if a supplier was configured with a replica ID starting with 0, such as 010 or 020, the dsconf <instance_name> replication monitor command failed to retrieve information about the delay time or the replication status.

With this update, non-significant zeros (0) at the beginning of replica ID are ignored while processing the replica ID within the replica update vector (RUV). As a result, dsconf <instance_name> replication monitor provides the expected information.

Jira:RHEL-67003

The error log in 389-ds-base now contains full message about replication

Before this update, when you configured replication, the error log file contained incomplete messages about replication. With this release, the error log contains full messages with the actual values.

Jira:RHEL-61327

11.13. SSSD

Unprivileged processes can now renew host keytabs

Before this update, unprivileged processes lacked the ability to renew host keytab because the keytab file was only accessible by the root user. This issue prevented unprivileged processes from renewing their host keytab. With the release of the RHBA-2025:21019 advisory, realmd supports renewing the host keytab with appropriate policy-kit settings for unprivileged processes. As a result, unprivileged processes and users can now renew host keytab with ease.

Jira:RHEL-117645

11.14. Red Hat Enterprise Linux System Roles

Specifying multiple users no longer causes resources to be associated with the wrong user

Previously, when managing resources for two different users, both vars and set_fact were used to set the __podman_user and __podman_user_home_dir variables. This led to unpredictable and undefined behavior as the system used the old values from the first user for the second user, causing the second user’s configuration to incorrectly reference the first user’s data.

With this fix, the role sets the podman_user variable only with set_fact, and the __podman_user_home_dir variable only with vars. Also, the code has been refactored to use __podman_handle_user instead of __podman_user where the role could use vars. As a result, you keep data for multiple users separate and ensure consistent configurations.

Jira:RHEL-105093

The postfix RHEL system role auto-detects if an IPv6 interface is disabled

The default postfix configuration uses the inet_interfaces = localhost setting, which tells postfix to listen on all interfaces resolving to localhost, including both IPv4 and IPv6 interfaces. Before this update, a problem occurred if IPv6 was disabled on the host. In this situation, the postfix role and its command-line tools, such as postconf, returned an error, and the entire role failed. With this release, the role determines if IPv6 is disabled. If so, it sets inet_protocols = ipv4 so that postfix uses only the IPv4 interface. As a result, the postfix role works even when IPv6 is disabled.

Jira:RHEL-103887

selinux role no longer produces error due to undefined tempdir path in Ansible check mode

Before this update, the tempdir path was not defined in Ansible check mode, and the __selinux_item.path could be undefined. Consequently, when running in check mode, the selinux RHEL system role produced an error that various variables are undefined. With this update, the role skips tasks that require the tempdir.path to be defined, and can handle cases where variables are undefined. As a result, the role works correctly in check mode.

Jira:RHEL-103573

Improved removal of kernel options with values in rhel-system-roles

Previously, kernel boot options specified as key=value could not be removed when users provided only the key, resulting in persistent unwanted boot parameters and inconsistent management of kernel options by name. With this update, the regular expression in the mod_boot_args function was updated to match and remove kernel options with values correctly, and automated tests were added to verify correct behavior.

As a result, kernel options can now be reliably removed by name, even when set as key=value, ensuring accurate configuration and improved system management.

Jira:RHEL-101676
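The removal-by-name behavior described in this entry, as an added Python example; it is not the role's mod_boot_args code. All function names and the sample command line are constructed for illustration, and remove_exact only mimics the symptom (key=value surviving a request for key).

```python
import re

# One command-line token: a run of non-space characters in which
# double-quoted sections may contain spaces, e.g. dyndbg="file a.c +p".
# Each alternative consumes distinct input, so matching stays linear.
_TOKEN = re.compile(r'(?:[^\s"]|"[^"]*")+')


def tokens(cmdline):
    """Split a kernel command line into option tokens."""
    return _TOKEN.findall(cmdline)


def name_of(token):
    """Option name: everything before the first '='."""
    return token.split("=", 1)[0]


def remove_exact(cmdline, names):
    """Mimics the old symptom: only tokens identical to the requested
    string are dropped, so selinux=0 survives a request for 'selinux'."""
    drop = set(names)
    return " ".join(t for t in tokens(cmdline) if t not in drop)


def remove_by_name(cmdline, names):
    """Drop every option whose name is requested, with or without a value.

    Names are compared whole, so 'quiet' does not remove 'quietness=1'.
    Returns (new_cmdline, removed_tokens) so the caller can log the change.
    """
    drop = set(names)
    kept, removed = [], []
    for tok in tokens(cmdline):
        (removed if name_of(tok) in drop else kept).append(tok)
    return " ".join(kept), removed


# Constructed sample command line (not taken from a real host).
SAMPLE = ('BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro quiet '
          'console=tty0 console=ttyS0,115200 selinux=0 quietness=1 '
          'dyndbg="file a.c +p"')

if __name__ == "__main__":
    wanted = ["selinux", "console", "quiet"]
    print("exact  :", remove_exact(SAMPLE, wanted))
    new, gone = remove_by_name(SAMPLE, wanted)
    print("by name:", new)
    print("removed:", gone)
```
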

Ensures /var/lib/pcsd directory is available when needed by the ha_cluster RHEL system role

Before this update, the /var/lib/pcsd directory was created during the installation of pcs, but newer versions rely on the systemd service to create this directory when the pcsd service starts. As a result, the directory might not exist at the time the role attempts to access it, causing errors or failures in execution.

With this update, the role explicitly ensures that the /var/lib/pcsd directory exists before using it. This prevents runtime issues due to the missing directory and improves the reliability of role execution.

Jira:RHEL-100819[1]

LVM RAID now supports encrypted and partitioned devices

Before this update, the LVM RAID code assumed that disks specified in raid_disks were the parent devices of the PVs for all LVM RAID setups. This was not applicable for encrypted or partitioned devices. As a consequence, errors occurred when encrypted LUKS layers added an extra storage layer, or when direct partitions were used without a parent device. With this release, PV resolution in LVM RAID is improved to support encrypted and partitioned devices. As a result, you can now specify the PV partition instead of the underlying disk.

This fix also adds error handling for missing or invalid RAID disk entries and introduces corresponding tests to ensure stability.

Jira:RHEL-95883

RAID now reports clear errors for invalid or unsupported configurations

Before this update, invalid RAID levels or insufficient disks could be specified without raising clear errors. This resulted in failed or inconsistent array creation. As a consequence, the error messages were unclear, and RAID setup was less reliable. With this release, RAID parameters are validated before array creation, and a minimum disk count is enforced. As a result, clear errors are raised, and attempts to create a RAID with inadequate disks are blocked.

This fix also removes the deprecated process_device_numbers helper and uses unify_raid_level instead. In addition, failure tests for invalid RAID level and insufficient disks scenarios are added.

Jira:RHEL-95757

encryption_key is no longer masked

Before this update, the encryption_key parameter was incorrectly marked as no_log. This caused the key file path to be replaced by a placeholder string, preventing disk encryption from working. With this update, the encryption_key parameter is no longer marked with the no_log flag, and you can now perform disk encryption using a key file successfully.

Jira:RHEL-95729

selinux role persistently sets kernel SELinux parameters

Before this update, the selinux RHEL system role did not set the kernel SELinux parameter when changing the SELinux state to and from disabled. As a consequence, the SELinux state change was not persistent upon reboot. This update ensures that the kernel SELinux parameter is correctly set when the role changes SELinux state to and from disabled. As a result, the SELinux state change to and from disabled is persistent upon reboot.

Jira:RHEL-93294

The systemd role uses file basename to construct the path to the destination

Before this update, if a user specified a file or a template source within a nested directory, the systemd RHEL system role used the whole path instead of the basename for the destination file. As a consequence, files and templates were placed in the same directory structure on the destination, which systemd does not support. With this release, the role uses basenames for destination files in nested directories. As a result, users can use nested directories with the role.

Jira:RHEL-88774[1]

The timesync RHEL system role no longer removes the OPTIONS="-F 2" default setting from /etc/sysconfig/chronyd

Before this update, the timesync system role replaced the default OPTIONS= setting for the chronyd service with "". As a consequence, this removed the default OPTIONS="-F 2" setting which weakened the security of chronyd. With this release, -F 2 is added as the default setting for OPTIONS, and the user can override or extend this setting. As a result, the timesync role now applies the correct security settings while still allowing user customization.

Jira:RHEL-88297

The network RHEL system role no longer shows errors due to incorrect routing rule validation

Before this update, the validation part in the network RHEL system role incorrectly checked for routing rule attributes at the top-level NM module instead of the NM.IPRoutingRule class. This caused validation failures and the role displayed errors. With this update, the role uses the API correctly and no longer shows incorrect validation errors.

Jira:RHEL-88286[1]

The network RHEL system role now uses a more robust interface identification method

Before this update, when both an interface name and a MAC address were provided for a network interface, the validation process performed two separate lookups: one using the interface name and another using the MAC address. This could lead to validation failures because a lookup by MAC address might match the interface’s current MAC address rather than its permanent hardware MAC address.

With this update, the validation logic has been improved. The network role now uses the interface name as the only identifier to look up the network device. It then retrieves the MAC address associated with that interface and compares it to the user-provided MAC address for validation. This approach is more reliable, because interface names are unique kernel identifiers, preventing mismatches caused by temporary MAC address changes.

Jira:RHEL-88263[1]

The qdevice daemon now restarts automatically after certificate changes

Previously, after updating the TLS certificates used for communication between the quorum device daemon (qnetd) and the cluster nodes (qdevice), the qdevice daemon was not automatically restarted. The daemon would continue to use the old certificates, causing communication with the quorum device to fail.

With this update, the qdevice daemon on cluster nodes automatically restarts after its certificates are changed. This ensures that the new certificates are loaded immediately and that communication with the quorum device is maintained.

Jira:RHEL-88249

Boolean values are correctly rendered in TOML files

Before this update, boolean values in TOML files were incorrectly formatted, causing improper handling of boolean options. As a consequence, users experienced configuration issues. With this release, the format of boolean options in TOML files has been corrected. As a result, end users can now correctly configure boolean options in their TOML files.

Jira:RHEL-85704[1]

Boolean values are correctly rendered in TOML files

Before this update, incorrect boolean conversion in a Jinja2 template caused True to be written as "True". As a consequence, users received an error due to an incorrectly formatted configuration file, causing a container service failure. With this release, improper boolean conversion in a Jinja2 template has been fixed. As a result, Podman configuration now correctly converts boolean values in a Jinja2 template.

Jira:RHEL-84942[1]

podman RHEL system role no longer fails with UNREACHABLE errors when removing resources

Before this update, when disabling linger for non-root users, the system did not wait long enough for the user state to transition to closing. As a result, the systemd-logind service was restarted prematurely to force the linger state to be canceled. On some systems, this triggered a timer that terminated the root session, including the active sshd connection. This caused the Ansible Playbook to fail with an UNREACHABLE error. With this release, the system waits significantly longer for linger to be properly canceled, and systemd-logind is restarted only if absolutely necessary. As a result, the role no longer fails with UNREACHABLE errors when removing resources.

Jira:RHEL-84912[1]

The ha_cluster RHEL System Role now works with a system-wide HTTP proxy configured

Previously, when a system-wide HTTP proxy was configured, the ha_cluster RHEL System Role would incorrectly attempt to use the proxy for local communication with the pcsd daemon via a unix socket. This caused the role to fail.

With this release, the role has been modified to explicitly disable proxy usage for local pcsd communication.

As a result, the ha_cluster RHEL System Role works as expected on systems with a system-wide HTTP proxy defined.

Jira:RHEL-81918

GSSAPIIndicators added to sshd role

A new configuration option GSSAPIIndicators for setting Generic Security Services Application Programming Interface (GSS-API) was added to RHEL 10. This update adds the GSSAPIIndicators configuration option to the sshd RHEL system role. As a result, you can configure GSSAPIIndicators on RHEL 10 systems by using RHEL system roles.

Jira:RHEL-107047

bootloader role rejects boolean or null type values

Before this update, the user could specify values such as value: on or value: yes expecting that these would be converted to strings "on" or "yes". But instead, YAML treats these as YAML bool type and writes them as the string "True". Consequently, users who were unaware of YAML boolean handling could not set values such as "on" or "off". With this update, the bootloader RHEL system role rejects any value of boolean or null type. As a result, users must enter such YAML boolean type values as quoted strings to write them to the bootloader configuration. The readme is updated with this information.

Jira:RHEL-107013

sudo role no longer hangs when parsing Alias values

Before this update, the regex in the sudo RHEL system role was not taking into consideration that Alias values, such as Cmnd_Alias, do not have to have spaces on either side of the equal sign =. Consequently, the regex never terminated, and the role appeared to hang. With this update, the role ensures that the regex complies with the eBNF definition of the field from the sudoers file specification. As a result, the Alias values are parsed correctly with and without spaces around =.

Jira:RHEL-106261[1]

The podman RHEL system role does not report changed: true when managing authentication and configuration files

Before this update, the podman RHEL system role changed the parent path mode every time it ran if it managed both authentication and configuration files because it used two different modes for the common parent path for various configuration and authentication files.

With this fix, the role does not report changed: true unnecessarily because it uses a consistent mode for the parent path.

Jira:RHEL-84922[1]

The systemd role unmasks and starts units in a single run

Before this update, the systemd RHEL system role failed to enable and start services when units were masked because the role could not unmask the units first. As a result, users had to run the role twice. With this release, the systemd role correctly unmasks and starts services, eliminating the need for double runs.

Jira:RHEL-88760[1]

Minor volume size mismatches no longer cause incorrect role reporting

Before this update, when creating or resizing volumes, the system allowed up to a 2% difference between the requested size and the actual size. This adjustment made the volume fit into the available pool free space. As a consequence, the sizes did not match when the role was run again, causing the role to incorrectly assume that something had changed. With this release, small size differences no longer cause the role to misinterpret changes. As a result, the role now reports the correct state.

Jira:RHEL-90216[1]

11.15. Virtualization

Local kdump no longer fails on virtual machines with AMD SEV-SNP

Before this update, local kdump failed on RHEL 10 virtual machines (VMs) that used the AMD Secure Encrypted Virtualization (SEV) with the Secure Nested Paging (SNP) feature. As a consequence, you could not capture kernel crash dumps on VMs with AMD SEV-SNP enabled.

With this release, the underlying code has been fixed. As a result, local kdump no longer fails on VMs with AMD SEV-SNP.

Jira:RHEL-67539[1]

The --migrate-disks-detect-zeroes option no longer fails for VM migration

Before this update, when migrating virtual machines (VMs) on RHEL 10, the --migrate-disks-detect-zeroes option might not have worked, and the migration might have proceeded without zeroed block detection on the specified disk. This problem was caused by a bug in QEMU where mirroring jobs relied on punching holes, resulting in a sparse destination file.

With this release, QEMU has been fixed to preserve sparseness if the destination system reports that it reads all zeroes, and when no extra effort is made to further sparsify the image. As a result, the --migrate-disks-detect-zeroes option works as expected for VM migration.

Jira:RHEL-88435

VMs sending misaligned discard I/O requests no longer pause when discard_granularity is not configured

Before this update, the host kernel failed misaligned discard I/O requests and QEMU used the werror= policy parameter to respond to such failures. When werror was set to stop (werror=stop), a failed discard request caused the virtual machine (VM) to pause. As a consequence, it was not possible to correct this situation and resume the VM again.

With this release, QEMU has been updated to silently ignore misaligned discard I/O requests, so that guests without a correct discard_granularity value do not pause. As a result, VMs sending discard I/O requests no longer pause when discard_granularity is not configured. However, it is still preferable to configure the discard_granularity value, so that discard requests have their intended effect instead of being ignored when misaligned.

Jira:RHEL-87642[1]

virtiofsd no longer crashes when accessing shared directories with many open files

Before this update, when accessing a virtiofs shared directory with a large number of open files from a virtual machine (VM), the operation might have failed with the following error: Too many open files, and the virtiofsd process crashed.

With this release, the underlying code has been fixed. As a result, accessing a virtiofs shared directory with a large number of open files from a VM might still result in an error in the VM, but the virtiofsd process no longer crashes, keeping the virtiofs shared directory accessible in the VM.

Jira:RHEL-87161[1]

QEMU no longer prevents using SEV-SNP

Previously, when attempting to start a virtual machine (VM) with AMD SEV-SNP enabled, QEMU checked the incorrect capability of KVM, and the guest failed to start. As a consequence, running VMs with AMD SEV-SNP configured was not possible with RHEL 10. This problem has been fixed, and running VMs with SEV-SNP now works as expected.

Jira:RHEL-58928[1]

Network boot for VMs now works correctly without an RNG device

Previously, when a virtual machine (VM) did not have an RNG device configured and its CPU model did not support the RDRAND feature, it was not possible to boot the VM from the network. With this update, the problem has been fixed, and VMs that do not support RDRAND can boot from the network even without an RNG device configured.

Note, however, that adding an RNG device is highly encouraged for VMs that use a CPU model that does not support RDRAND, in order to increase security when booting from the network.

Jira:RHEL-66234

RHEL 10 guests no longer crash on restart in Google Cloud and Alibaba

When using a RHEL 10.0 instance on Google Cloud or the Alibaba Cloud, restarting the instance previously caused a kernel panic in the guest operating system if the virtio-net driver was in use. This issue has been fixed and RHEL 10 guests no longer crash in the described scenario.

Jira:RHEL-56981[1]

Secure Execution VMs can now boot with file-backed memory backing

Previously, if you configured a virtual machine (VM) with enabled Secure Execution to use file-backed memory backing, the VM failed to boot, and instead displayed a Protected boot has failed error. Now, the VM boots as expected.

Jira:RHEL-58218

11.16. RHEL in cloud environments

Nested VM with KVM virtualization and OVMF now boots successfully on Azure or Hyper-V when using an AMD EPYC processor

Previously, a nested virtual machine (VM) with Open Virtual Machine Firmware (OVMF) failed to boot when run on a RHEL VM with KVM virtualization enabled on Microsoft Azure or Hyper-V that used an AMD EPYC processor. The VM failed to boot with the following log message:

Code=qemu-kvm: ../hw/core/cpu-sysemu.c:76  Aborted (core dumped) .

With this update, the problem has been fixed, and the nested VM boots as expected in the described circumstances.

Jira:RHEL-29919[1]

11.17. Supportability

The coredump plugin now correctly limits the number of collected coredump files

Previously, the coredump plugin collected coredumpctl dump outputs, which could lead to unnecessarily large archives. With this update, the plugin defaults to collecting the three most recent coredump files. Additionally, the plugin continues to provide summary information from coredumpctl info and includes symlinks to help map collected dumps to their respective metadata entries.

Users can further filter collected dumps by using the executable option, which accepts a case-insensitive Python regular expression applied to the EXE field of coredumpctl list. You can also use the dumps option to limit the number of most recent coredumps that are collected.

Jira:RHEL-62972[1]

Plugin option overrides in sos report no longer disable unrelated options configured in /etc/sos/sos.conf or a preset

Previously, when executing the sos report command with a -k option specifying a particular plugin setting, the sos utility would incorrectly ignore other valid plugin options defined in /etc/sos/sos.conf or in a preset. This led to scenarios where global settings or user-defined presets were silently disabled despite being correctly configured in the [plugin_options] section of the configuration file or in a preset.

This behavior affected customers attempting to collect full System Activity Reporter (SAR) data as outlined in Red Hat Knowledgebase Solution 1418303. When any -k option was used at runtime, the sar.all_sar setting reverted to off, resulting in incomplete data collection.

With this update, the sos tool now correctly merges options provided via the -k flag with those defined in the configuration file, ensuring that unrelated plugin options are preserved and applied as expected. This fix restores consistency and ensures comprehensive SAR data collection when configured.

Jira:RHEL-67097[1]

sos-audit package now includes required GPLv2 LICENSE file

Previously, while the sos-audit package was always part of the sos project and built from the same SRPM containing the license, the resulting sos-audit RPM package could be installed separately from the main sos RPM. This meant users installing only the sos-audit subpackage would not find the license readily available. This omission affected all versions of sos-audit up to the current release across RHEL 8 and RHEL 9.

With this update, the sos-audit package now correctly includes the GPLv2 LICENSE file.

Jira:RHEL-73028

iscsi plugin no longer collects plain-text CHAP credentials in sosreport

Previously, when generating a report, the iscsi plugin in sos collected sensitive CHAP authentication credentials from iscsi configuration files in plain text, which posed a security risk. With this update, the iscsi plugin has been modified to obscure sensitive fields, ensuring that CHAP usernames and passwords are redacted or excluded from the collected output.

Jira:RHEL-81187[1]
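One way to check collected iscsi configuration text for CHAP credentials left in plain text, and to mask them, as an added Python example; it is not the sos plugin's code. It assumes credentials sit on `<prefix>.auth.username|password[_in] = <value>` lines as in open-iscsi configuration files; the function names, the mask string, and the sample text are constructed.

```python
import re

# Assumption for this example: credential lines look like
#   node.session.auth.password = <value>
#   discovery.sendtargets.auth.username_in = <value>
# A leading '#' is tolerated because a commented-out line can still hold
# a real secret.
_CHAP = re.compile(
    r'^(?P<lead>\s*(?:#\s*)?)'
    r'(?P<key>[\w.]+\.auth\.(?:username|password)(?:_in)?)'
    r'(?P<sep>\s*=\s*)'
    r'(?P<value>\S.*?)?\s*$'
)
MASK = "********"  # constructed placeholder, not the string sos writes


def redact(text):
    """Return text with every CHAP username/password value replaced by MASK."""
    out = []
    for line in text.splitlines():
        m = _CHAP.match(line)
        if m and m["value"]:
            line = m["lead"] + m["key"] + m["sep"] + MASK
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def find_plaintext(text, include_commented=False):
    """Return [(line_number, key)] for credential lines that are not masked.

    Use this on files extracted from a report archive before sharing it.
    Commented lines are skipped by default because stock configuration
    files ship commented examples; pass include_commented=True to audit them.
    """
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        m = _CHAP.match(line)
        if not m or not m["value"]:
            continue
        if "#" in m["lead"] and not include_commented:
            continue
        if set(m["value"]) != {"*"}:  # anything but a run of '*' is a leak
            hits.append((number, m["key"]))
    return hits


# Constructed sample; the values are made up for this example.
SAMPLE = """\
node.session.auth.authmethod = CHAP
node.session.auth.username = initiator01
node.session.auth.password = s3cr3t-constructed
node.session.auth.password_in=target-constructed
#discovery.sendtargets.auth.password = password
discovery.sendtargets.auth.username = ********
node.session.timeo.replacement_timeout = 120
"""

if __name__ == "__main__":
    for number, key in find_plaintext(SAMPLE):
        print(f"line {number}: {key} is stored in plain text")
    print(redact(SAMPLE), end="")
```
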

THP plugin now collects complete configuration to accurately reflect Transparent Huge Pages state

Previously, the memory plugin of sos collected only the enabled file from /sys/kernel/mm/transparent_hugepage/ to determine the state of Transparent Huge Pages (THP). However, recent kernel behavior changes have made this approach insufficient. For instance, it is possible for enabled to be set to [never] while shmem_enabled is set to [always], resulting in THP being active for shared memory segments despite appearing disabled.

With this update, the THP plugin now collects all relevant files under /sys/kernel/mm/transparent_hugepage/, providing a complete and accurate view of how and where THP is enabled.

Jira:RHEL-81634[1]
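The enabled=[never] versus shmem_enabled=[always] case described in this entry, as an added Python example that reads the whole directory instead of the single enabled file; it is not the sos plugin's code. It goes beyond the text in one respect: the per-size hugepages-<size>kB subdirectories in the sample are an assumption about newer kernels, and the sample tree is constructed.

```python
import os
import re
import tempfile

THP_DIR = "/sys/kernel/mm/transparent_hugepage"
_SELECTED = re.compile(r"\[([^\]]+)\]")
# Selections that do not enable THP by themselves. "inherit" defers to the
# top-level file of the same name, which is evaluated on its own.
_INACTIVE = {"never", "deny", "inherit"}


def selected(raw):
    """'always madvise [never]' -> 'never'; plain values are returned stripped."""
    m = _SELECTED.search(raw)
    return m.group(1) if m else raw.strip()


def collect(root=THP_DIR):
    """Read every readable file under root into {relative_path: selection}."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="replace") as fh:
                    state[os.path.relpath(path, root)] = selected(fh.read())
            except OSError:
                continue  # attribute not readable by this user
    return state


def active_despite_never(state):
    """List (path, selection) pairs that keep THP active although the
    top-level 'enabled' file says never. Empty if 'enabled' is not never."""
    if state.get("enabled") != "never":
        return []
    return sorted(
        (path, value) for path, value in state.items()
        if path != "enabled"
        and os.path.basename(path) in ("enabled", "shmem_enabled")
        and value not in _INACTIVE
    )


def make_sample_tree():
    """Write a constructed THP directory to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="thp-sample-")
    sample = {
        "enabled": "always madvise [never]",
        "shmem_enabled": "[always] within_size advise never deny force",
        "defrag": "always defer defer+madvise [madvise] never",
        "hpage_pmd_size": "2097152",
        "hugepages-64kB/enabled": "always [inherit] madvise never",
        "hugepages-2048kB/enabled": "always inherit [madvise] never",
    }
    for rel, content in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content + "\n")
    return root


if __name__ == "__main__":
    root = THP_DIR if os.path.isdir(THP_DIR) else make_sample_tree()
    state = collect(root)
    print("enabled =", state.get("enabled"))
    for path, value in active_despite_never(state):
        print(f"still active: {path} = {value}")
```
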

Per-user SSH configuration is now disabled by default

Previously, the ssh plugin in sos collected detailed information from all local user .ssh directories by default. This resulted in significantly prolonged execution time, especially in environments with a large number of local users. With this update, the ssh plugin no longer collects per-user .ssh configuration data by default. To capture user configurations, enable it explicitly by setting ssh.userconfs=on.

Jira:RHEL-84078

sos collect command in the sos 4.10 version no longer produces xz/bz2 tar archive

Before this update, the sos collect command returned a compressed tar archive such as tar.xz or tar.bz2. With this release, the sos collect command now produces uncompressed tar archives instead of compressed ones, saving time and resources.

Jira:RHELDOCS-21013[1]

11.18. Containers

Event logs from podman events command are now available

Previously, an error in the journald driver prevented the preservation of network event attributes, so these events were not included in logs. With this update, podman events now displays network create and network rm events.

Jira:RHEL-110318

You can now set /sys/fs/cgroup/io.max within the container

Before this update, when using runc as the container runtime, you could not set /sys/fs/cgroup/io.max inside the container. With this fix, the issue is resolved, and the value of /sys/fs/cgroup/io.max now matches in the podman update command.

Jira:RHEL-81042[1]

Parent directories can be created now for the mount targets with mode 0755

In this update, build failures were occurring due to modifications in the handling of --mount parameter permissions in quay.io/buildah/stable:v1 v1.41.3. Previously, specifying UID as an argument resulted in incorrect permissions for the secret. Consequently, users were unable to access build secrets due to incorrect permissions after the buildah update.

With this release, Buildah has updated secret permissions for Buildah v1.41.3, using secret-permissions instead of mount. As a result, Buildah now sets the expected permissions for secrets correctly when using the UID argument in the --mount parameter, resolving mount failures.

Jira:RHEL-115167

11.19. RHEL Lightspeed

Command-line assistant shows a meaningful error message when you try to delete a non-existent chat history

Before this update, users could delete a non-existent chat history without receiving an error message. This enhancement implements an error message for such cases.

Jira:RHELDOCS-21314[1]

Adding a description to an unnamed chat triggers a warning

Before this update, if you added a description to a chat without specifying a name for the chat, there was no error message displayed, nor was the chat with your custom description. With this update, the command-line assistant displays a warning in such cases.

Jira:RHELDOCS-21316[1]

c history shows complete history by default

Before this update, running the c history command without any options returned no history, confusing users. With this update, the default option for --all has been added. As a result, you can easily view all history with the single command: c history.

Jira:RHELDOCS-21317[1]

Command-line assistant no longer displays errors for invalid queries

Before this update, an incorrect data structure for terminal output in response led to unprocessable error messages for user queries. With this enhancement, the chat interface’s terminal output structure has been actively addressed, preventing the command-line assistant from displaying errors for invalid query requests, thereby enhancing your user experience.

Jira:RHELDOCS-21318[1]

Interactive shell starts correctly after a terminal restart

Before this update, the user’s .bashrc file did not include a reference to the .bashrc.d directory, preventing the source command from locating the CLA integration script. As a consequence, users could not access an interactive shell. With this update, a check has been added to ensure that the files necessary for shell integration are loaded. As a result, the interactive shell starts upon terminal restart.

Jira:RHELDOCS-21319[1]

Backend timeout works correctly in query.py

Before this update, extending the backend timeout in the query.py script did not work correctly. The script continued to generate timeout messages every 30 seconds because an internal timeout remained set at 30 seconds by default. With this enhancement, you can extend the backend timeout to any value that suits you by configuring this in the /etc/xdg/command-line-assistant/config.toml file, improving your response time.

Jira:RHELDOCS-21320[1]

cla chat displays help when run without arguments

Before this update, using cla chat without providing additional input caused user confusion, as they expected interactive AI assistance but received no response. With this update, when you use cla chat without arguments, the command-line assistant provides help and indicates additional input, improving your user experience with CLA’s interactive mode.

Jira:RHELDOCS-21322[1]

© 2025 Red Hat