Chapter 6. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 8.10 that have a significant impact on users.
6.1. Installer and image creation
Installer now accepts additional time zone definitions in Kickstart files
Anaconda switched to a different, more restrictive method of validating time zone selections. This caused some time zone definitions, such as Japan, to be no longer valid despite being accepted in previous versions. Legacy Kickstart files with these definitions had to be updated. Otherwise, they would default to the Americas/New_York time zone.
The list of valid time zones was previously taken from pytz.common_timezones in the pytz Python library. This update changes the validation settings for the timezone Kickstart command to use pytz.all_timezones, which is a superset of the common_timezones list, and allows significantly more time zones to be specified. This change ensures that old Kickstart files made for Red Hat Enterprise Linux 6 still specify valid time zones.
Note: This change only applies to the timezone Kickstart command. The time zone selection in the graphical and text-based interactive interfaces remains unchanged. Existing Kickstart files for Red Hat Enterprise Linux 8 that had valid time zone selections do not require any updates.
Jira:RHEL-13151[1]
6.2. Networking
NetworkManager can mitigate the impact of CVE-2024-3661 (TunnelVision) in VPN connection profiles
VPN connections rely on routes to redirect traffic through a tunnel. However, if a DHCP server uses the classless static route option (121) to add routes to a client's routing table, and the routes propagated by the DHCP server overlap with the VPN, traffic can be transmitted through the physical interface instead of the VPN. CVE-2024-3661 describes this vulnerability, which is also known as TunnelVision. As a consequence, an attacker can access traffic that the user expects to be protected by the VPN.
On RHEL, this problem affects LibreSwan IPSec and WireGuard VPN connections. Only LibreSwan IPSec connections with profiles in which both the ipsec-interface and vt-interface properties are undefined or set to no are not affected.
The CVE-2024-3661 document describes steps to mitigate the impact of TunnelVision by configuring VPN connection profiles to place the VPN routes in a dedicated routing table with a high priority. The steps work for both LibreSwan IPSec and WireGuard connections. However, to apply the mitigation steps to a LibreSwan IPSec connection profile, you must use NetworkManager 1.40.16-18 or later. On RHEL 8.10, this version is provided by the RHSA-2025:0288 advisory.
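The route lookup described above, as an added example (not Red Hat's or NetworkManager's code): a small Python model of Linux policy routing that flags non-VPN routes winning over VPN prefixes, then repeats the check with the VPN routes in a dedicated table consulted before main. The table names, rule priorities, interface names and prefixes are constructed assumptions.

```python
import ipaddress

# Constructed sample state, not taken from a real host.
# Rule: (priority, table). As with "ip rule", lower numbers are consulted first.
# Route: (destination prefix, output device, origin).
RULES_BEFORE = [(32766, "main")]
TABLES_BEFORE = {
    "main": [
        ("0.0.0.0/0", "eth0", "dhcp"),
        ("192.168.1.0/24", "eth0", "kernel"),
        ("10.0.0.0/8", "wg0", "vpn"),
        ("10.20.0.0/16", "eth0", "dhcp-option-121"),
    ],
}

# Same host after the mitigation: VPN routes live in their own table
# ("vpn" and priority 100 are assumed values) that is looked up before main.
RULES_AFTER = [(100, "vpn"), (32766, "main")]
TABLES_AFTER = {
    "vpn": [("10.0.0.0/8", "wg0", "vpn")],
    "main": [
        ("0.0.0.0/0", "eth0", "dhcp"),
        ("192.168.1.0/24", "eth0", "kernel"),
        ("10.20.0.0/16", "eth0", "dhcp-option-121"),
    ],
}


def lookup(dst, rules, tables):
    """Walk the rules by priority; inside each table take the longest
    matching prefix. Returns (table, (network, device, origin)) or None."""
    addr = ipaddress.ip_address(dst)
    for _prio, table in sorted(rules):
        best = None
        for prefix, dev, origin in tables.get(table, []):
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev, origin)
        if best:
            return table, best
    return None


def find_leaks(rules, tables, vpn_dev):
    """Report routes on other devices that win the lookup for addresses
    a VPN route also covers: (winning prefix, device, shadowed VPN prefix)."""
    routes = [(ipaddress.ip_network(p), dev)
              for table in tables.values() for p, dev, _origin in table]
    leaks = []
    for vnet in [n for n, dev in routes if dev == vpn_dev]:
        for onet, dev in routes:
            if dev == vpn_dev or onet.version != vnet.version:
                continue
            if onet.subnet_of(vnet):
                shared = onet          # more specific route inside the VPN range
            elif vnet.subnet_of(onet):
                shared = vnet          # broader route that contains the VPN range
            else:
                continue               # disjoint prefixes cannot overlap
            hit = lookup(str(shared.network_address), rules, tables)
            if hit and hit[1][1] != vpn_dev:
                entry = (str(hit[1][0]), hit[1][1], str(vnet))
                if entry not in leaks:
                    leaks.append(entry)
    return leaks


if __name__ == "__main__":
    for label, rules, tables in (("before", RULES_BEFORE, TABLES_BEFORE),
                                 ("after", RULES_AFTER, TABLES_AFTER)):
        table, (net, dev, origin) = lookup("10.20.0.5", rules, tables)
        print(label, "10.20.0.5 ->", dev, "via", net, "in table", table)
        print(label, "leaks:", find_leaks(rules, tables, "wg0"))
```

On a real host, the inputs correspond to the output of ip rule and ip route show table all.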
6.3. Security
Rules for managing virtual routing with ip vrf are added to the SELinux policy
You can use the ip vrf command to manage virtual routing of other network services. Previously, selinux-policy did not contain rules to support this usage. With this update, SELinux policy rules allow explicit transitions from the ip domain to the httpd, sshd, and named domains. These transitions apply when the ip command uses the setexeccon library call.
Jira:RHEL-9981[1]
SELinux policy allows staff_r confined users to run sudo crontab
Previously, the SELinux policy did not contain rules to allow confined users to run the sudo crontab command. As a consequence, confined users in the staff_r role could not use sudo crontab to edit other users' crontab schedules. This update adds a rule to the policy, and as a result, staff_r users can use sudo crontab to edit other users' crontab schedules.
SELinux policy contains rules for additional services and applications
This version of the selinux-policy package contains additional rules. Most notably, users in the sysadm_r role can enter the following commands:
- sudo traceroute
- sudo tcpdump
- sudo dnf
Jira:RHEL-15398, Jira:RHEL-1679, Jira:RHEL-9947
SELinux policy denies SSH login for unconfined users when unconfined_login is set to off
Previously, the SELinux policy was missing a rule to prevent unconfined users from logging in via SSH when the unconfined_login boolean was set to off. As a consequence, with unconfined_login set to off, users still could log in with SSHD as an unconfined domain. This update adds a rule to the SELinux policy, and as a result, users cannot log in via sshd as unconfined when unconfined_login is off.
SELinux policy allows rsyslogd to enter confined commands
Previously, the SELinux policy was missing a rule to allow the rsyslogd daemon to enter SELinux-confined commands, such as systemctl. As a consequence, commands executed as an argument of the omprog directive failed. This update adds rules to the SELinux policy so that executables in the /usr/libexec/rsyslog directory that are run as an argument of omprog are in the syslogd_unconfined_script_t unconfined domain. As a result, commands executed as an argument of omprog finish successfully.
Large SSHD configuration files no longer prevent login
Previously, when the SSHD configuration file was larger than 256 KB, an error occurred when logging into the system. As a consequence, remote systems were unreachable. This update removes the file size limitation, and therefore users can log in to the system when the SSHD configuration file is larger than 256 KB.
6.4. Software management
The yum needs-restarting --reboothint command now recommends a reboot to update the CPU microcode
To fully update the CPU microcode, you must reboot a system. Previously, when you installed the microcode_ctl package, which contains the updated CPU microcode, the yum needs-restarting --reboothint command did not recommend the reboot. With this update, the issue has been fixed, and yum needs-restarting --reboothint now recommends a reboot to update the CPU microcode.
systemd now correctly manages the /run/user/0 directory created by librepo
Previously, if the librepo functions were called from an Insights client before logging in as root, the /run/user/0 directory could be created with a wrong SELinux context type. This prevented systemd from cleaning the directory after you logged out from root.
With this update, the librepo package now sets a default creation type according to default file system labeling rules defined in a SELinux policy. As a result, systemd now correctly manages the /run/user/0 directory created by librepo.
systemd now correctly manages the /run/user/0 directory created by libdnf
Previously, if the libdnf functions were called from an Insights client before logging in as root, the /run/user/0 directory could be created with a wrong SELinux context type. This prevented systemd from cleaning the directory after you logged out from root.
With this update, the libdnf package now sets a default creation type according to default file system labeling rules defined in a SELinux policy. As a result, systemd now correctly manages the /run/user/0 directory created by libdnf.
6.5. Shells and command-line tools
ReaR now determines the presence of a BIOS boot loader when both BIOS and UEFI boot loaders are installed
Previously, in a hybrid boot loader setup (UEFI and BIOS), when UEFI was used to boot, Relax-and-Recover (ReaR) restored only the UEFI boot loader and not the BIOS boot loader. This would result in a system that had a GUID Partition Table (GPT), a BIOS Boot Partition, but not a BIOS boot loader. In this situation, ReaR failed to create the rescue image: the attempt to produce a backup or a rescue image by using the rear mkbackup or rear mkrescue command would fail with the following error message:
ERROR: Cannot autodetect what is used as boot loader, see default.conf about 'BOOTLOADER'.
With this update, ReaR determines the presence of both UEFI and BIOS boot loaders, restores them, and does not fail when it does not encounter the BIOS boot loader on the system with the BIOS Boot Partition in GPT. As a result, systems with the hybrid UEFI and BIOS boot loader setup can be backed up and recovered multiple times.
Jira:RHEL-24729[1]
ReaR no longer uses the logbsize, sunit and swidth mount options during recovery
Previously, when restoring an XFS file system with the parameters different from the original ones by using the MKFS_XFS_OPTIONS configuration setting, Relax-and-Recover (ReaR) mounted this file system with mount options applicable for the original file system, but not for the restored file system. As a consequence, the disk layout recreation would fail with the following error message when ReaR ran the mount command:
wrong fs type, bad option, bad superblock on and missing codepage or helper program, or other error.
The kernel log displayed either of the following messages:
logbuf size must be greater than or equal to log stripe size
alignment check failed: sunit/swidth vs. agsize
With this update, ReaR avoids using the logbsize, sunit and swidth mount options when mounting re-created XFS file systems. As a result, when you use the MKFS_XFS_OPTIONS configuration setting, the disk layout recreation succeeds.
Jira:RHEL-17354[1]
ReaR recovery no longer fails on systems with a small thin pool metadata size
Previously, ReaR did not save the size of the pool metadata volume when saving a layout of an LVM volume group with a thin pool. During recovery, ReaR re-created the pool with the default size even if the system used a non-default pool metadata size.
As a consequence, when the original pool metadata size was smaller than the default size and no free space was available in the volume group, the layout recreation during system recovery failed with a message in the log similar to these examples:
Insufficient free space: 230210 extents needed, but only 230026 available
or
Volume group "vg" has insufficient free space (16219 extents): 16226 required.
With this update, the recovered system has a metadata volume with the same size as the original system. As a result, the recovery of a system with a small thin pool metadata size and no extra free space in the volume group finishes successfully.
Jira:RHEL-17353[1]
The polkit-pkla-compat binary is executed when the polkit is called on the logind-session-monitor event
Previously, re-verification of the authorizations for polkit actions was triggered by any logind-session-monitor event for all users. Each CheckAuthorization request executes the polkit-pkla-compat binary to check for legacy .pkla configuration files even if no such files are present on the system, which increases the CPU usage of the polkit daemon.
Currently, only the logind-session changes that are relevant for the polkit actions are observed. If the session's state changes, the polkit objects associated with the session trigger re-verification (CheckAuthorization). You must restart (log out to login screen and re-login or reboot) the gnome-shell for a successful update.
The polkit-pkla-compat binary is now a soft dependency. As a result, you can reduce the CPU intensity by uninstalling the polkit-pkla-compat binary only if there are no .pkla files present in /etc/polkit-1/localauthority, /etc/polkit-1/localauthority.conf.d, /var/lib/polkit-1/localauthority and their individual subdirectories.
Jira:RHEL-34022[1]
6.6. Kernel
crash rebased to version 8.0.4
The crash utility has been upgraded to version 8.0.4, which provides multiple bug fixes. Notable fixes include:
- Fixed a segmentation fault when non-panicking CPUs failed to stop during a kernel panic.
- Fixed a critical error incorrectly preventing the kernel from panicking when the panic_on_oops kernel parameter was disabled.
- Fixed the crash utility resolving hashed freelist pointers for the kernel compiled with the CONFIG_SLAB_FREELIST_HARDENED=y configuration option.
A change in the kernel module memory layout terminology replaced module_layout with module_memory to better indicate memory-related aspects of the crash utility. Before this change, the crash utility could not start a session and returned an error message such as this:
crash: invalid structure member offset: module_core_size FILE: kernel.c LINE: 3787 FUNCTION: module_init()
tuna launches GUI when needed
Previously, if you ran the tuna utility without any subcommand, it would launch the GUI. This behavior was desirable if you had a display. In the opposite case, tuna on a machine without a display would not exit gracefully. With this update, tuna detects whether you have a display, and the GUI is launched or not launched accordingly.
Jira:RHEL-19179[1]
6.7. File systems and storage
Multipathd now checks if a device is incorrectly queuing I/O
Previously, a multipath device restarted queuing I/O, even though it was configured to fail, under the following conditions:
- The multipath device was configured with the queue_if_no_paths parameter set to several retries.
- A path device was removed from the multipath device that had no working paths and was no longer queuing I/O.
With this update, the issue has been fixed. As a result, multipath devices no longer restart queuing I/O if the queuing is disabled and a path is removed while there are no usable paths.
Jira:RHEL-16563[1]
The no_read_workqueue, no_write_workqueue, and try_verify_in_tasklet options of the dm-crypt and dm-verity devices are temporarily disabled
Previously, the dm-crypt devices created by using either the no_read_workqueue or no_write_workqueue option and dm-verity devices created by using the try_verify_in_tasklet option caused memory corruption. Consequently, random kernel memory was corrupted, which caused various system problems. With this update, these options are temporarily disabled. Note that this fix can cause dm-verity and dm-crypt to perform slower on some workloads.
Jira:RHEL-22232[1]
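To inventory which mappings request the options named above, an added example (not part of the release notes) that parses text in the dmsetup table format. The device names and table lines are constructed, and the positional-argument counts are taken from the kernel's dm-crypt and dm-verity table layouts.

```python
# Options this release note lists as temporarily disabled, per target type.
FLAGGED = {
    "crypt": {"no_read_workqueue", "no_write_workqueue"},
    "verity": {"try_verify_in_tasklet"},
}

# Positional arguments that follow the target name and precede the optional
# "<count> <opt> ..." group:
#   crypt : cipher key iv_offset device offset
#   verity: version dev hash_dev data_bs hash_bs num_blocks hash_start alg digest salt
FIXED_ARGS = {"crypt": 5, "verity": 10}

# Constructed sample in "dmsetup table" format (name: start length target args).
SAMPLE = "\n".join([
    "luks-data: 0 409600 crypt aes-xts-plain64 " + "0" * 64
    + " 0 8:16 32768 2 no_read_workqueue no_write_workqueue",
    "luks-home: 0 819200 crypt aes-xts-plain64 :64:logon:cryptsetup:constructed"
    " 0 8:32 32768 1 allow_discards",
    "vroot: 0 2097152 verity 1 8:1 8:2 4096 4096 262144 1 sha256 "
    + "ab" * 32 + " " + "cd" * 16 + " 1 try_verify_in_tasklet",
    "vg-lv: 0 1000 linear 8:3 2048",
])


def affected_mappings(table_text):
    """Return {mapping name: [flagged options]} for crypt/verity targets
    whose optional-parameter group contains one of the FLAGGED options."""
    findings = {}
    for line in table_text.splitlines():
        name, sep, rest = line.partition(":")
        fields = rest.split()
        # Need "<start> <length> <target>" and a target type we audit.
        if not sep or len(fields) < 3 or fields[2] not in FLAGGED:
            continue
        target = fields[2]
        optional = fields[3:][FIXED_ARGS[target]:]
        if not optional or not optional[0].isdigit():
            continue  # no optional group on this mapping
        count = int(optional[0])
        requested = set(optional[1:1 + count])
        hits = sorted(FLAGGED[target] & requested)
        if hits:
            # A device with several segments appears on several lines.
            merged = set(findings.get(name.strip(), [])) | set(hits)
            findings[name.strip()] = sorted(merged)
    return findings


if __name__ == "__main__":
    for mapping, options in affected_mappings(SAMPLE).items():
        print(mapping, "requests", ", ".join(options))
```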
6.8. High availability and clusters
Issues with moving and banning clone and bundle resources now corrected
This bug fix addresses two limitations of moving bundled and clone resources:
- When a user tried to move a bundled resource out of its bundle or ban it from running in its bundle, pcs created a constraint but the constraint had no effect. This caused the move to fail with an error message. With this fix, pcs disallows moving and banning bundled resources from their bundles and prints an error message noting that bundled resources cannot be moved out of their bundles.
- When a user tried to move a bundle or clone resource, pcs exited with an error message noting that bundle or clone resources cannot be moved. This fix relaxes validation of move commands. It is now possible to move clone and bundle resources. When moving clone resources, you must specify a destination node if more than one instance of a clone is running. Only one-replica bundles can be moved.
Output of pcs status command no longer shows warning for expired constraints
Previously, when moving a cluster resource created a temporary location constraint, the pcs status command displayed a warning even after the constraint expired. With this fix, the pcs status command filters out expired constraints and they no longer generate a warning message in the command output.
Disabling the auto_tie_breaker quorum option no longer allowed when SBD fencing requires it
Previously, pcs allowed a user to disable the auto_tie_breaker quorum option even when a cluster configuration required this option for SBD fencing to work correctly. With this fix, pcs generates an error message when a user attempts to disable auto_tie_breaker on a system where SBD fencing requires that the auto_tie_breaker option be enabled.
Configuring the tls and keep_active_partition_tie_breaker quorum device options without specifying --force
Previously, when configuring a quorum device, a user could not configure the tls and keep_active_partition_tie_breaker options for a quorum device model net without specifying the --force option. With this update, configuring these options no longer requires you to specify --force.
6.9. Compilers and development tools
ldconfig no longer crashes after an interrupted system upgrade
Previously, the ldconfig utility stopped unexpectedly with a segmentation fault when processing incomplete shared objects left in the /usr/lib64 directory after an interrupted system upgrade. With this update, ldconfig ignores temporary files written during system upgrades. As a result, ldconfig no longer crashes after an interrupted system upgrade.
Improved glibc compatibility with applications using dlclose on shared objects involved in a dependency cycle
Previously, when unloading a shared object in a dependency cycle using the dlclose function in glibc, that object's ELF destructor might not have been called before all other objects were unloaded. As a consequence of this late ELF destructor execution, applications experienced crashes and other errors due to the initial shared object's dependencies already being deinitialized.
With this update, glibc has been fixed to first call the ELF destructor of the immediate object being unloaded before any other ELF destructors are started. As a result, compatibility with applications using dlclose on shared objects involved in a dependency cycle is improved and crashes no longer occur.
Jira:RHEL-10481[1]
Improved glibc wide-character write performance
Previously, the wide stdio stream implementation in glibc did not treat the default buffer size as large enough for wide-character write operations and used a 16-byte fallback buffer instead, negatively impacting performance. With this update, buffer management is fixed and the entire write buffer is used. As a result, glibc wide-character write performance is improved.
Jira:RHEL-19824[1]
glibc dynamic linker prevents reentrant malloc calls made by applications using TLS access from custom malloc implementations
Some applications provide a custom malloc dynamic memory allocation implementation that uses global-dynamic thread-local storage (TLS) instead of initial-exec TLS. Previously, applications with bundled malloc calls that use global-dynamic TLS could experience reentrant calls into the application's malloc subsystem. As a consequence, the application malloc call crashed due to stack exhaustion or unexpected state of internal data structures.
With the release of the RHBA-2024:5834 advisory, the glibc dynamic linker detects TLS access from custom malloc implementations. If a TLS access during a malloc call is detected, further calls during TLS processing are skipped, and reentrant malloc calls are prevented.
6.10. Identity Management
certmonger now correctly renews KDC certificates on hidden replicas
Previously, when the certificate was about to expire, certmonger failed to renew the KDC certificate on hidden replicas. This happened because the renewal process only considered non-hidden replicas as active KDCs. With this update, the hidden replicas are treated as active KDCs, and certmonger renews the KDC certificate successfully on these servers.
Automembership plug-in no longer cleans up groups by default
Previously, the automember rebuild task first removed all the membership values and then rebuilt the memberships from scratch. As a result, the rebuild task was expensive, especially if other be_txn plugins were enabled.
With this update, the Automembership plug-in has the following improvements:
- Only one rebuild task is allowed at a time.
- The Automembership plug-in no longer cleans up previous members by default. Use the new --cleanup CLI option to intentionally clean up memberships before rebuilding from scratch:
  # dsconf slapd-instance_name plugins automember fixup -f objectclass=posixaccount -s sub --cleanup "ou=people,dc=example,dc=com"
- Improved logging to display fixup progress.
Jira:RHEL-5390[1]
Allocated memory now released when an operation is completed
Previously, memory allocated by the KCM for each operation was not being released until the connection was closed. As a result, for client applications that opened a connection and ran many operations on the same connection, it led to a noticeable memory increase because the allocated memory was not released until the connection closed. With this update, the memory allocated for an operation is now released as soon as the operation is completed.
IdM clients correctly retrieve information for trusted AD users when their names contain mixed case characters
Previously, if you attempted a user lookup or authentication of a user, and that trusted Active Directory (AD) user contained mixed case characters in their names and they were configured with overrides in IdM, an error was returned preventing users from accessing IdM resources.
With this update, a case-sensitive comparison is replaced with a case-insensitive comparison that ignores the case of a character. As a result, IdM clients can now look up users of an AD trusted domain, even if their usernames contain mixed case characters and they are configured with overrides in IdM.
SSSD correctly returns an error if no grace logins remain while changing a password
Previously, if a user’s LDAP password had expired, SSSD tried to change the password even after the initial bind of the user failed as there were no more grace logins left. However, the error returned to the user did not indicate the reason for the failure. With this update, the request to change the password is canceled if the bind fails and SSSD returns an error message indicating there are no more grace logins and the password must be changed by another means.
Removing systems from a domain using the realm leave command
Previously, if multiple names were set for the ad_server option in the sssd.conf file, running the realm leave command resulted in parsing errors and the system was not removed from the domain. With this update, the ad_server option is properly evaluated and the correct domain controller name is used and the system is correctly removed from the domain.
KCM logs to the correct sssd_kcm.log file
Previously, logrotate correctly rotated the Kerberos Credential Manager (KCM) log files but KCM incorrectly wrote the logs to the old log file, sssd_kcm.log.1. If KCM was restarted, it used the correct log file. With this update, after logrotate is invoked, log files are rotated and KCM correctly logs to the sssd_kcm.log file.
The realm leave --remove command no longer asks for credentials
Previously, the realm utility did not correctly check if a valid Kerberos ticket was available when running the realm leave operation. As a result, users were asked to enter a password even though a valid Kerberos ticket was available. With this update, realm now correctly verifies if there is a valid Kerberos ticket and no longer requests the user to enter a password when running the realm leave --remove command.
IdM Vault encryption and decryption no longer fails in FIPS mode
Previously, IdM Vault used OpenSSL RSA-PKCS1v15 as the default padding wrapping algorithm. However, none of the FIPS certified modules in RHEL supported PKCS#1 v1.5 as a FIPS approved algorithm, causing IdM Vault to fail in FIPS mode. With this update, IdM Vault supports the RSA-OAEP padding wrapping algorithm as a fallback. As a result, IdM Vault encryption and decryption now work correctly in FIPS mode.
Jira:RHEL-12153[1]
Non-CA IdM replica installation no longer fails with server affinity configured
In some scenarios, installing an IdM replica without a certificate authority (CA) failed with CA_REJECTED errors. The failure occurred due to the certmonger service attempting to retrieve certificates and resulted in incomplete replication details when adding a new replica to a complex topology.
With this update, the IdM replica installation process happens against a specific IdM server that provides the necessary services such as Kerberos authentication and IdM API and CA requests. This ensures complete replication details when adding a new replica.
Kerberos Key Distribution Centers version 1.20 and later now process tickets generated from KDCs running version 1.18.2 and earlier
Previously, a compatibility issue occurred between a Key Distribution Center (KDC) running Kerberos version 1.20 or later and a KDC running version 1.18.2 or earlier. As a consequence, when evidence tickets issued by the KDC running Kerberos 1.20 or later were sent to the KDC running Kerberos 1.18.2 or earlier, the older KDC rejected the ticket granting service request because it lacked support for the AD-SIGNTICKET attribute.
With this update, earlier versions of KDC now accept evidence tickets generated by KDCs running Kerberos 1.20 and newer, as they no longer require AD-SIGNTICKET when a Privileged Attribute Certificate (PAC) is present.
SELinux labeling for dirsrv files was moved to DEBUG log level
Previously, SELinux labeling for dirsrv files had the INFO log level. With this update, the DEBUG log level is used for the dirsrv files the same way as it was in previous versions.
Directory Server no longer causes a segmentation fault when a backend is configured without a related suffix
Previously, if a backend was configured without a related suffix, Directory Server had a segmentation fault during startup. With this update, Directory Server checks if the suffix is associated with the backend before trying to access the suffix. As a result, the segmentation fault no longer occurs.
Directory Server no longer fails after abandoning the paged result search
Previously, a race condition caused heap corruption and Directory Server failure when a paged result search was abandoned. With this update, the race condition is fixed, and the Directory Server failure no longer occurs.
Directory Server now starts correctly after an upgrade if you configured a custom value for the connection table size
Previously, if you set a custom value for the connection table size and the nsslapd-conntablesize attribute was present in the dse.ldif file, Directory Server did not start after an upgrade. With this release, Directory Server starts correctly after the upgrade with nsslapd-conntablesize present in the dse.ldif file.
Directory Server no longer fails when Content Synchronization plug-in is enabled dynamically
Previously, if the Content Synchronization plug-in was enabled dynamically, the post-operation plug-in callback caused a segmentation fault because the pre-operation callback was not registered. With this update, the post-operation plug-in callback verifies that the memory is initialized and Directory Server no longer fails.
6.11. Red Hat Enterprise Linux system roles
Cluster start no longer times out when the SBD delay-start value is high
Previously, when a user configured SBD fencing in a cluster by using the ha_cluster system role and set the delay-start option to a value close to or higher than 90 seconds, the cluster start timed out. This is because the default systemd start timeout is 90 seconds, which the system reached before the SBD start delay value. With this fix, the ha_cluster system role overrides the sbd.service start timeout in systemd so that it is higher than the value of delay-start. This allows the system to start successfully even with high values of the delay-start option.
Jira:RHEL-4684[1]
network role validates routing rules with 0.0.0.0/0 or ::/0
Previously, when the from: or to: settings were set to the 0.0.0.0/0 or ::/0 addresses in the routing rule, the network RHEL system role failed to configure the routing rule and rejected the settings as invalid. With this update, the network role allows 0.0.0.0/0 and ::/0 for from: and to: in routing rule validation. As a result, the role successfully configures the routing rules without raising the validation errors.
The ha_cluster system role now correctly configures a firewall on a qnetd host
Previously, when a user configured a qnetd host and set the ha_cluster_manage_firewall variable to true by using the ha_cluster system role, the role did not enable high-availability services in the firewall. With this fix, the ha_cluster system role now correctly configures a firewall on a qnetd host.
keylime_server role correctly reports registrar service status
Previously, when the keylime_server role playbook provided incorrect information, the role incorrectly reported the start as successful. With this update, the role now correctly reports a failure when incorrect information is provided, and the timeout when waiting for opened ports has been reduced from approximately 300 seconds to approximately 30 seconds.
The postgresql RHEL system role now installs the correct version of PostgreSQL
Previously, if you tried to run the postgresql RHEL system role with the postgresql_version: "15" variable defined on a RHEL managed node, PostgreSQL version 13 was installed instead of version 15. This bug has been fixed, and the postgresql role installs the version set in the variable.
The podman RHEL system role now sets and cancels linger properly for rootless containers
Previously, the podman RHEL system role did not set and cancel linger properly for rootless containers. Consequently, deploying secrets or containers for rootless users produced errors in some cases, and failed to cancel linger when removing resources in some cases. With this update, the podman RHEL system role ensures that linger is enabled for rootless users before doing any secret or container resource management, and ensures that linger is canceled for rootless users when there are no more secrets or container resources to be managed. As a result, the role correctly manages lingering for rootless users.
Running read-scale clusters and installing mssql-server-ha no longer requires certain variables
Previously, if you used the mssql RHEL system role to configure a read-scale cluster without certain variables (mssql_ha_virtual_ip, mssql_ha_login, mssql_ha_login_password, and mssql_ha_cluster_run_role), the role failed with an error message Variable not defined. However, these variables are not necessary to run a read-scale cluster. The role also tried to install the mssql-server-ha, which is not required for a read-scale cluster. With this fix, the requirement for these variables was removed. As a result, running a read-scale cluster proceeds successfully without the error message.
The Kdump system role works correctly when the kexec_crash_size file is busy
The /sys/kernel/kexec_crash_size file provides the size of the memory region allocated for crash kernel memory.
Previously, the Kdump system role failed when the /sys/kernel/kexec_crash_size file was busy. With this update, the system role retries reading the file when it is available. As a result, the system role no longer fails when the file is busy.
selinux role no longer uses the item loop variable
Previously, the selinux RHEL system role used the item loop variable. This might have resulted in the following warning message when you called the selinux role from another role:
[WARNING]: TASK: fedora.linux_system_roles.selinux : Restore SELinux labels on filesystem tree: The loop variable 'item' is already in use. You should set the `loop_var` value in the `loop_control` option for the task to something else to avoid variable collisions and unexpected behavior.
With this release, the selinux role uses __selinux_item as a loop variable. As a result, the warning that the item variable is already in use is no longer displayed even if you call the selinux role from another role.
Secret data is no longer logged with verbose logging
Previously, some tasks that handle secret data would log the contents. As a consequence, the logs showed secret data if verbose logging was being used. This update adds the no_log: true directive to tasks that can log secret data. As a result, secret data is not logged with verbose logging.
A volume quadlet service name no longer fails
Previously, starting the volume service name produced an error similar to the following one:
Could not find the requested service NAME.volume: host
With this update, the volume quadlet service name is changed to basename-volume.service. As a result, the volume service starts with no errors.
For more information, see Volume unit man page.
nbde_server role now works with socket overrides
Previously, the nbde_server RHEL system role assumed that the only file in the tangd socket override directory was the override.conf file for a custom port. Consequently, the role deleted the directory if there was no port customization without checking other files, and the system re-created the directory in subsequent runs.
With this release, the role has been fixed to prevent changing attributes of the port override file and deleting the directory if there are other files. As a result, the role correctly works if tangd socket override files are managed also outside of the role.
6.12. Virtualization
A dump failure no longer blocks IBM Z VMs with Secure Execution from running
Previously, when a dump of an IBM Z virtual machine (VM) with Secure Execution failed, the VM remained in a paused state and was blocked from running. For example, dumping a VM by using the virsh dump command fails if there is not enough space on the disk.
The underlying code has been fixed and Secure Execution VMs resume operation successfully after a dump failure.
Jira:RHEL-16696[1]