Chapter 10. Known issues

Crash dumps are not performed by default

By default, crash dumps do not occur for default installation methods using RHEL Image Mode, because the crashkernel= kernel argument is not set. To work around this problem, set a crashkernel= kernel argument at build or during installation time.

Podman and bootc do not share the same registry login process

Podman and bootc use different registry login processes when pulling images. As a consequence, if you login to an image by using Podman, logging to a registry for bootc will not work on that image. When you install an image mode for RHEL system, and login to registry.redhat.io by using the following command:

cloud-init growpart skips with composefs is enabled

When composefs is enabled, if you generate an image from the generic base image, then the rootfs will note grow the filesystem, prompting an error similar to:

Unable to build ISOs from a signed container

Trying to build an ISO disk image from a GPG or a simple signed container results in an error, similar to the following:

Hostname resolution fails with encrypted DNS and custom CA in boot options

While using the inst.repo= or inst.stage2= boot options in the kernel command line along with a remote installation URL, an encrypted DNS, and a custom CA certificate in the Kickstart file, the installation program attempts to download the install.img stage2 image before processing the Kickstart file. Consequently, the hostname resolution fails, leading to display of some errors before successfully fetching the stage2 image. Workaround: Define the installation source in the Kickstart file instead of the kernel command line.

The installation program becomes unresponsive during final RPM installation stage

An installation program may become unresponsive during the RPM installation process at the final stage. Before the issue occurs, you might see the repeated Configuring rootfiles.noarch messages. Workaround: Restart the installation process.

Disabled keyboard layout switching by using shortcut during installation

To prevent confusion caused by a broken keyboard shortcut to change keyboard layout, this feature has been disabled in Anaconda. You cannot change keyboard layouts by using shortcuts during installation. Workaround: Use the keyboard layout icon on the top bar to switch layouts.

Bonding device with LACP takes longer to become operational, causing subscription failures

When configuring a bonding device with LACP by using both kernel command-line boot options and a Kickstart file, the connection is created during the initramfs stage but reactivated in Anaconda. As a consequence, it causes a temporary disruption that leads to system subscription failure via the rhsm Kickstart command.

The services Kickstart command fails to disable the firewalld service

A bug in Anaconda prevents the services --disabled=firewalld command from disabling the firewalld service in Kickstart. Workaround: Use the firewall --disabled command instead. As a result, the firewalld service is disabled properly.

Installation program fails if /boot partition is not created when using ostreecontainer

When using the ostreecontainer Kickstart command to install a bootable container, the installation fails if the /boot partition is not created. This issue occurs because the installation program requires a dedicated /boot partition to proceed with the container deployment.

Kickstart installation fails with an unknown disk error when ignoredisk command precedes iscsi command

Installing RHEL by using the kickstart method fails if the ignoredisk command is placed before the iscsi command. This issue occurs because the iscsi command attaches the specified iSCSI device during command parsing, while the ignoredisk command resolves device specifications simultaneously. If the ignoredisk command references an iSCSI device name before it is attached by the iscsi command, the installation fails with an "unknown disk" error.

The USB CD-ROM drive is not available as an installation source in Anaconda

Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda cannot find and use this source disk.

Driver disk menu fails to display user inputs on the console

When you start RHEL installation by using the inst.dd option on the kernel command line with a driver disk, the console fails to display the user input. Consequently, it seems that the application does not respond to the user input and stops responding, but displays the output which is confusing for users. However, this behavior does not affect the functionality, and user input gets registered after pressing Enter.

Insufficient disk space can cause deployment failure

Deploying a bootc container image on a package mode system without enough free disk space can result in installation errors and prevent the system from booting. Ensure adequate disk space is available for the image to install and adjust the provision logical volume before deployment.

Anaconda may not work correctly on s390x and ppc64le architectures

Image mode for RHEL supports pp64le and s390x architectures besides the already supported x86_64 and ARM architectures. However, Anaconda may not function correctly on s390x and ppc64le architectures.

RHEL images on Azure marked as LVM require default layout resizing

When using system-reinstall-bootc or bootc install on Azure, RHEL images marked as LVM will require resizing the default layout.

sq cannot generate keys in FIPS mode

The sq utility from the Sequoia PGP toolset uses the deprecated OpenSSL API for key generation. Consequently, you cannot generate keys with sq on the system running in FIPS mode.

GnuTLS cannot convert ML-DSA private keys to public ones

GnuTLS lacks an algorithm to convert a private ML-DSA key in the expanded form to a public ML-DSA key. Consequently, operations requiring both keys fail when only the expanded private key is provided.

Updating the NSS database password corrupts the ML-DSA seed

Generating an ML-DSA key begins with a seed, which is sufficient to derive the key. However, the keys can also be expanded to accelerate subsequent operations. If you have ML-DSA keys in an NSS database, either generated or imported, both the expanded format and the seed are likely stored. Due to a bug in how NSS handles database re-encryption, if you change the password of the database, the seed attribute is not updated to accommodate the new password, and its value is permanently lost, even with the knowledge of the previous password.

PQC for rpm-sequoia is always enabled in crypto-policies

In RHEL 10.1, the rpm-sequoia fails to verify dual-signed RPM packages if one of the algorithms used for signing is disabled in system-wide cryptographic policies. This problem is common on systems that have post-quantum (PQ) algorithms disabled and cannot install packages signed with both classic and PQ cryptography.

SELinux policy rules for four libvirt services temporarily changed into permissive mode

Previously, the SELinux policy was changed to reflect the replacement of the legacy monolithic libvirtd daemon with a new set of modular daemons. Because this change requires testing of a lot of scenarios, the following services have been temporarily changed into SELinux permissive mode:

Cryptographic tokens do not work in FIPS mode with pkcs11-provider

When the system runs in FIPS mode, the pkcs11-provider OpenSSL provider does not work correctly and the OpenSSL TLS toolkit falls back to the default provider. Consequently, OpenSSL fails to load PKCS #11 keys, and cryptographic tokens do not work in this scenario.

pass:uname command produces an unknown output

The uname command displays unknown output with flags pass:--hardware-platform and pass:--processor. In the previous RHEL versions, pass:uname -i and pass:uname -p were aliases for pass:uname -m and are not portable even across GNU/Linux distributions.

Hot-plugged memory is not available to VMs running on IBM Z by default

RHEL provides default udev rules that automatically configure memory onlining when you hot plug memory to virtual machines (VMs) with virtio-mem. However, current udev rules do not include VMs running on IBM Z. As a consequence, after hot-plugging memory to VMs running on IBM Z with virtio-mem, the memory is not immediately available in the VM.

Nginx does not support PKCS #11 and TPM

The OpenSSL engines API was deprecated in RHEL 9 and removed from Nginx in RHEL 10. The corresponding functionality using the current OpenSSL providers API is not yet available. As a consequence, the Nginx HTTP server does not work with hardware security modules (HSMs) through PKCS #11 and Trusted Platform Module (TPM) devices.

Using the incorrect Perl database driver for MariaDB and MySQL can lead to unexpected results

The MariaDB database is a fork of MySQL. Over time, these services developed independently and are no longer fully compatible. These differences also affect the Perl database drivers. Consequently, if you use the DBD::mysql driver in a Perl application to connect to a MariaDB database, or the DBD::MariaDB driver to connect to a MySQL database, operations can lead to unexpected results. For example, the driver can return incorrect data from read operations. To avoid such problems, use the Perl driver in your application that matches the database service.

VMware vCenter cannot correctly remove a SATA disk from a running RHEL VM

When using the VMware vCenter interface to remove a SATA disk from a running RHEL 10 guest on the VMware ESXi hypervisor, the disk currently does not get removed fully. It stops being functional and disappears from the guest in the vCenter interface, but the SCSI interface still detects the disk as attached in the guest. 

Inconsistent NVMe device names after reboot

A new kernel feature that enables asynchronous NVMe namespace scans is introduced in RHEL 10, to accelerate NVMe disk detection. As a consequence of the asynchronous scans, the /dev/nvmeXnY device files might point to different namespaces after each reboot. This can lead to inconsistent device names. At this time, there is no known workaround for this issue.

iSCSI-backed logical volumes fail to activate after a reboot

During installation, a logical volume spanning a local disk and an iSCSI device can fail to activate the iSCSI device in the installed system. This occurs where a non-root filesystem LVM logical volume is located both on a local disk and on an iSCSI device, which results in the iSCSI device not getting configured with node.startup=onboot by the installation program. As a result, the system cannot access the volume after reboot, because it doesn’t get automatically activated upon boot.

ACL roles should not reference location constraints with two rules

In Red Hat Enterprise Linux 10, more than one top-level rule in a location constraint is not supported. When upgrading from RHEL 9 to RHEL 10, verify that any ACL roles you have configured do not reference a location constraint with two rules and are still valid.

The new version of TBB is incompatible

RHEL 10 includes the Threading Building Blocks (TBB) library version 2021.11.0, which is incompatible with the versions distributed with previous releases of RHEL. You must rebuild applications that use TBB to make them run on RHEL 10.

IdM in FIPS mode does not support using the NTLMSSP protocol to establish a two-way cross-forest trust

Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the RC4 NTLM hash that the AD domain controller uses when attempting to authenticate.

Installing a RHEL 7 IdM client with a RHEL 10 IdM server in FIPS mode fails due to EMS enforcement

The TLS Extended Master Secret (EMS) extension (RFC 7627) is now mandatory for TLS 1.2 connections on FIPS-enabled RHEL 10 systems. This is in accordance with FIPS-140-3 requirements. However, the openssl version available in RHEL 7.9 and lower does not support EMS. In consequence, installing a RHEL 7 Identity Management (IdM) client with a FIPS-enabled IdM server running on RHEL 10 fails.

Automatic host keytab renewal via adcli run by SSSD is failing

In direct SSSD-AD integration, SSSD checks daily if the machine account password is older than the configured age in days and, if needed, tries to renew it. The configured age is set by the ad_maximum_machine_account_password_age value, with a default of 30 days. A value of 0 disables the renewal attempt.

dsctl healthcheck can report a wrong database type

If you created an instance with the Lightning Memory-Mapped Database Manager (LMDB) database type, running the dsctl healthcheck command can result in one of the following error messages, because Directory Server checks a wrong configuration parameter:

An error message is displayed during migration from BDB to LMDB

When you run the dsctl dblib bdb2mdb command to migrate from Berkeley Database (BDB) to Lightning Memory-Mapped Database Manager (LMDB) and you have not enabled the replication, the following error message is displayed in the output:

ldapmodify does not delete a single specific value from any attribute in cn=config

Currently, when you try to delete a value from any attribute in cn=config, the value remains in the attribute and the server might require a restart to fully remove it.

SSSD retrieves incomplete list of members if the group size exceeds 1500 members

During the integration of SSSD with Active Directory, SSSD retrieves incomplete group member lists when the group size exceeds 1500 members. This issue occurs because Active Directory’s MaxValRange policy, which restricts the number of members retrievable in a single query, is set to 1500 by default.

Plymouth duplicates log entries of the kernel log ringbuffer

Plymouth, an application which provides a graphical boot experience for Red Hat Enterprise Linux, has a "console syndication" feature that outputs log messages to all configured consoles during boot. The kernel can natively output log messages only to the last configured console. In the default configuration, the kernel is muted, but removing the quiet argument from the kernel command line unmutes the kernel, and causes both Plymouth and the kernel to send the boot log messages to the last-configured console. As a result, log messages might be duplicated on the last-configured console (for example ttyS0). Plymouth further duplicates these log entries by replaying the entire contents of the kernel log ringbuffer during boot and shutdown. To work around this problem, disable Plymouth.

Standard mouse cursor is offset in VMs when using Mutter

When you use a standard mouse within a virtual machine (VM) configuration in the Mutter compositing window manager, you might notice an offset between the physical mouse cursor and the actual pointer within the virtual environment. The actual pointer might not even be visible in the virtual environment.

Standard mouse cursor is offset in VMs when using Mutter

When you use a standard mouse within a virtual machine (VM) configuration in the Mutter compositing window manager, you might notice an offset between the physical mouse cursor and the actual pointer within the virtual environment. The actual pointer might not even be visible in the virtual environment.

VNC console in the RHEL web console does not work correctly on ARM64

Currently, when you import a virtual machine (VM) in the RHEL web console on ARM64 architecture and then you try to interact with it in the VNC console, the console does not react to your input.

Ansible rpm_key modules fail to work with the OpenPGP v6 RPM-GPG-KEY-redhat-release key

RHEL 10.1 uses the Red Hat RPM signing key extended with a post-quantum public key and stored in the /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release file in the OpenPGP v6 format. Because the Ansible rpm_key modules use the GnuPG tools, which cannot handle post-quantum keys and OpenPGP v6, the modules fail to work with this key.

PostgreSQL, MariaDB, and MySQL do not work with RHEL in image mode

The PostgreSQL, MariaDB, and MySQL database management systems do not use the sysusers.d directories to populate users and working directories. MariaDB and MySQL also do not use the tmpfiles.d directory. As a consequence, the database user can be missing and the database systems are not able to initialize because their working directory is missing. There is currently no workaround for this issue.

ansible-core does not install sshpass as a dependency

The ansible-core package does not install the sshpass package as a dependency. Consequently, you cannot use Ansible to manage systems over SSH with an SSH password.

Windows VMs might become unresponsive due to storage errors

On virtual machines (VMs) that use Windows guest operating systems, the system in some cases becomes unresponsive when under high I/O load. When this happens, the system logs a viostor Reset to device, \Device\RaidPort3, was issued error. There is currently no workaround for this issue.

Windows 10 VMs with certain PCI devices might become unresponsive on boot

Currently, a virtual machine (VM) that uses a Windows 10 guest operating system might become unresponsive during boot if a virtio-win-scsi PCI device with a local disk back end is attached to the VM.

Using virtiofs with the rsync and du commands can result in too many open files errors

The virtiofsd daemon keeps file descriptors open until the guest invalidates its cache. When tracking a large number of files, this can cause virtiofsd on the host to exceed the maximum open files limit.

Installing the VirtIO-Win bundle cannot be canceled

Currently, if you start the installation of virtio-win drivers from the VirtIO-Win installer bundle in a Windows guest operating system, clicking the Cancel button during the installation does not correctly stop it. The installer wizard interface displays a "Setup Failed" screen, but the drivers are installed and the IP address of the guest is reset.

A virtual machine with a large amount of bootable data disks might fail to start

If you attempt to start a virtual machine (VM) with a large amount of bootable data disks, the VM might fail to boot with this error: Something has gone seriously wrong: import_mok_state() failed: Volume Full

VMs with large memory cannot boot on SEV-SNP host with AMD Genoa CPUs

Currently, virtual machines (VMs) cannot boot on hosts that use a 4th Generation AMD EPYC processor (also known as Genoa) and have the AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) feature enabled. Instead of booting, a kernel panic occurs in the VM.

The virtio balloon driver sometimes does not work on Windows 10 and Windows 11 VMs

Under certain circumstances, the virtio-balloon driver does not work correctly on virtual machines (VMs) that use a Windows 10 or Windows 11 guest operating system. As a consequence, such VMs might not use their assigned memory efficiently.

Windows 11 VMs with a memory balloon device set might close unexpectedly during reboot

Currently, rebooting virtual machines (VMs) that use a Windows 11 guest operating system and a memory balloon device in some cases fails with a DRIVER POWER STAT FAILURE blue-screen error.

Windows VM with VBS and IOMMU device fails to boot

When you boot a Windows VM with Virtualization Based Security (VBS) enabled and an Input-Output Memory Management Unit (IOMMU) device by using the qemu-kvm utility, the booting sequence only shows the boot screen, resulting in an incomplete booting process.

Windows VM running on Sapphire Rapids CPU with hypervisor launch type set to auto might fail to boot when restarted

If you set the hypervisor launch type to auto in a Windows virtual machine (VM) running on a Sapphire Rapids CPU, the VM might fail to boot when it is restarted. For example, you can set the hypervisor launch type to auto by using the bcdedit /set hypervisorlaunchtype Auto command.

Hot-plugging vCPUs and memory to Windows guests with VBS does not work

Currently, Windows Virtualization-based Security (VBS) is not compatible with hot-plugging CPU and memory resources. As a consequence, attempting to attach memory or vCPUs to a running Windows virtual machine (VM) with VBS enabled only adds the resources to the VM after the guest system is restarted. 

VMs with 5-level page merging and a lot of memory sometimes fail to start

VMs with the following configuration fail to boot if you set the host-phys-bits-limit parameter to 49 or more:

Enabling 3D support prevents installing a RHEL 10 guest on ESXi

Currently, if you select the Enable 3D support option in VMware ESXI for installing a RHEL 10 guest operating system, the installation does not start correctly, and instead shows a blank screen.

RDMA devices currently do not work on vSphere

When using a RHEL 10 instance on the VMware vSphere platform, the vmw_pvrdma module currently does not install properly. As a consequence, VMware paravirtual remote direct memory access (PVRDMA) devices do not work on the affected instances.

The leapp upgrade fails when upgrading from RHEL 9.6 to RHEL 10.0 for the cloud-init network configuration

If you deploy RHEL 9.6 with the cloud-init default configuration and with sysconfig as the default network configuration directory, the sysconfig configuration files do not support the ifcfg legacy format for RHEL 10.0. Consequently, the leapp upgrade fails when upgrading from RHEL 9.6 to RHEL 10.0 for the legacy network configuration files, such as ifcfg-<enp1s0>.

Upgrading a RHEL 9.6 guest on VMware ESXi to RHEL 10.0 causes cloud-init to rewrite the network configuration

After a upgrading a RHEL guest on the VMware ESXi hypervisor from RHEL 9.6 to RHEL 10.0, the cloud-init tool currently cannot detect the VMware data source and cannot restore its configuration from the cache. As a consequence, cloud-init reverts to the None data source, and rewrites the network configuration of the guest.

kdump fails to complete on the Azure Confidential VMs

When you experience a kernel crash on a Red Hat Enterprise Linux VM on the Azure Confidential VM instances, in this case DCv5 and ECv5 series, the kdump process may not complete and the VM becomes unresponsive. As a result, after a forced reboot, there is a vmcore-incomplete file.

BIOS or UEFI supported Hyper-V Windows Server 2016 VM fails to boot if a host uses the AMD EPYC CPU processor

With the Hyper-V enabled setting, Hyper-V Windows Server 2016 VM fails to boot on the AMD EPYC CPU host.

FIPS bootc image creation fails on FIPS enabled host

Building a disk image on a host by using Podman with enabled the FIPS mode fails with the exit code 3 because of the update-crypto-policies package:

Authentication errors with the command-line assistant on hosts registered to Red Hat Satellite 6.17 and later

When using the command-line assistant powered by RHEL Lightspeed on hosts registered to Red Hat Satellite 6.17 and later versions, authentication errors occur when attempting to authenticate with the RHEL Lightspeed service. As a consequence, you cannot use the assistant effectively.

Command-line assistant configuration file changes are not applied immediately

When making changes in the etc/xdg/command-line-assistant/config.toml configuration file, it takes around 30 to 60 seconds for the command-line assistant daemon to recognize the changes, instead of applying the changes immediately. The command-line assistant is also missing the reload functionality.