Este conteúdo não está disponível no idioma selecionado.
Chapter 5. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 9.0 that have a significant impact on users.
5.1. Installer and image creation
--leavebootorder
no longer changes boot order
Previously, using --leavebootorder
for the bootloader kickstart command did not work correctly on UEFI systems and changed the boot order. This caused the installer to add RHEL at the top of the list of installed systems in the UEFI boot menu.
This update fixes the problem and using --leavebootorder
no longer changes the boot order in the boot loader. --leavebootorder
is now supported on RHEL for UEFI systems.
Anaconda sets a static hostname before running the %post
scripts
Previously, when Anaconda was setting the installer environment host name to the value from the kickstart configuration (network --hostname
), it used to set a transient hostname. Some of the actions performed during %post
script run, for example network device activation, were causing the host name reset to a value obtained by reverse dns
.
With this update, Anaconda now sets a static hostname of the installer environment to be stable during the run of kickstart %post
scripts.
Users can now specify user accounts in the RHEL for Edge Installer blueprint
Previously, performing an update on your blueprint without a user account defined in the edge commit for the upgrade, such as adding a rpm package, would cause users to be locked out of a system, after an upgrade is applied. It caused users to redefine user accounts when upgrading an existing system.This issue has been fixed to allow users to specify user accounts in the RHEL for Edge Installer blueprint, which creates a user on the system at installation time, rather than having the user as part of the ostree
commit.
The basic graphics
mode has been removed from the boot menu
Previously, the basic graphics
mode was used to install RHEL on hardware with an unsupported graphics card or to work around issues in graphic drivers that prevented starting the graphical interface. With this update, the option to install in a basic graphics
mode has been removed from the installer boot menu. Use the VNC installation options for graphical installations on unsupported hardware or to work around driver bugs.
For more information on installations using VNC, see the Performing a remote RHEL installation using VNC section.
5.2. Subscription management
virt-who
now works correctly with Hyper-V hosts
Previously, when using virt-who
to set up RHEL 9 virtual machines (VMs) on a Hyper-V hypervisor, virt-who
did not properly communicate with the hypervisor, and the setup failed. This was because of a deprecated encryption method in the openssl
package.
With this update, the virt-who
authentication mode for Hyper-V has been modified, and setting up RHEL 9 VMs on Hyper-V using virt-who
now works correctly. Note that this also requires the hypervisor to use basic authentication mode. To enable this mode, use the following commands:
winrm set winrm/config/service/auth '@{Basic="true"}' winrm set winrm/config/service '@{AllowUnencrypted="true"}'
5.3. Software management
Running createrepo_c --update
on a modular repository now preserves modular metadata in it
Previously, when running the createrepo_c --update
command on an already existing modular repository without the original source of modular metadata present, the default policy was to remove all additional metadata including modular metadata from this repository, which, consequently, broke it. To preserve metadata, it required running the createrepo_c --update
command with the additional --keep-all-metadata
option.
With this update, you can preserve modular metadata on a modular repository by running createrepo_c --update
without any additional option.
To remove additional metadata, you can use the new --discard-additional-metadata
option.
5.4. Shells and command-line tools
RHEL 9 provides libservicelog 1.1.19
RHEL 9 is distributed with libservicelog
version 1.1.19. Notable bug fixes include:
- Fixed output alignment issue.
-
Fixed
segfault
onservicelog_open()
failure.
(BZ#1869568)
5.5. Security
Hardware optimization enabled in libgcrypt
when in the FIPS mode
Previously, the Federal Information Processing Standard (FIPS 140-2) did not allow using hardware optimization. Therefore, in previous versions of RHEL, the operation was disabled in the libgcrypt
package when in the FIPS mode. RHEL 9 enables hardware optimization in FIPS mode, and as a result, all cryptographic operations are performed faster.
crypto-policies
now can disable ChaCha20
cipher usage
Previously, the crypto-policies
package used a wrong keyword to disable the ChaCha20
cipher in OpenSSL. Consequently, you could not disable ChaCha20
for the TLS 1.2 protocol in OpenSSL through crypto-policies
. With this update, the -CHACHA20
keyword is used instead of -CHACHA20-POLY1305
. As a result, you now can use the cryptographic policies for disabling ChaCha20
cipher usage in OpenSSL for TLS 1.2 and TLS 1.3.
64-bit IBM Z systems no longer become unbootable when installing in FIPS mode
Previously, the fips-mode-setup
command with the --no-bootcfg
option did not execute the zipl
tool. Because fips-mode-setup
regenerates the initial RAM disk (initrd
), and the resulting system needs an update of zipl
internal state to boot, this put 64-bit IBM Z systems into an unbootable state after installing in FIPS mode. With this update fips-mode-setup
now executes zipl
on 64-bit IBM Z systems even if invoked with --no-bootcfg
, and as a result, the newly installed system boots successfully.
(BZ#2013195)
GNUTLS_NO_EXPLICIT_INIT
no longer disables implicit library initialization
Previously, the GNUTLS_NO_EXPLICIT_INIT
environment variable disabled implicit library initialization. In RHEL 9, the GNUTLS_NO_IMPLICIT_INIT
variable disables implicit library initialization instead.
(BZ#1999639)
OpenSSL-based applications now work correctly with the Turkish locale
Because the OpenSSL
library uses case-insensitive string comparison functions, OpenSSL-based applications did not work correctly with the Turkish locale, and omitted checks caused applications using this locale to crash. This update provides a patch to use the Portable Operating System Interface (POSIX) locale for case-insensitive string comparison. As a result, OpenSSL-based applications such as curl work correctly with the Turkish locale.
kdump
no longer crashes due to SELinux permissions
The kdump
crash recovery service requires additional SELinux permissions to start correctly. In previous versions, therefore, SELinux prevented kdump
from working, kdump
reported that it is not operational, and Access Vector Cache (AVC) denials were audited. In this version, the required permissions were added to selinux-policy
and as a result, kdump
works correctly and no AVC denial is audited.
(BZ#1932752)
The usbguard-selinux
package is no longer dependent on usbguard
Previously, the usbguard-selinux
package was dependent on the usbguard
package. This, in combination with other dependencies of these packages, led to file conflicts when installing usbguard
. As a consequence, this prevented the installation of usbguard
on certain systems. With this version, usbguard-selinux
no longer depends on usbguard
, and as a result, dnf
can install usbguard
correctly.
dnf install
and dnf update
now work with fapolicyd
in SELinux
The fapolicyd-selinux
package, which contains SELinux rules for fapolicyd, did not contain permissions to watch all files and directories. As a consequence, the fapolicyd-dnf-plugin
did not work correctly, causing any dnf install
and dnf update
commands to make the system stop responding indefinitely. In this version, the permissions to watch any file type were added to fapolicyd-selinux
. As a result, the fapolicyd-dnf-plugin
works correctly and the commands dnf install
and dnf update
are operational.
(BZ#1932225)
Ambient capabilities are now applied correctly to non-root users
As a safety measure, changing a UID (User Identifier) from root to non-root nullifies permitted, effective, and ambient sets of capabilities.
However, the pam_cap.so
module is unable to set ambient capabilities because a capability needs to be in both the permitted and the inheritable set to be in the ambient set. In addition, the permitted set gets nullified after changing the UID (for example by using the setuid
utility), so the ambient capability cannot be set.
To fix this problem, the pam_cap.so
module now supports the keepcaps
option, which allows a process to retain its permitted capabilities after changing the UID from root to non-root. The pam_cap.so
module now also supports the defer
option, which causes pam_cap.so
to reapply ambient capabilities within a callback to pam_end()
. This callback can be used by other applications after changing the UID.
Therefore, if the su
and login
utilities are updated and PAM-compliant, you can now use pam_cap.so
with the keepcaps
and defer
options to set ambient capabilities for non-root users.
usbguard-notifier
no longer logs too many error messages to the Journal
Previously, the usbguard-notifier
service did not have inter-process communication (IPC) permissions for connecting to the usbguard-daemon
IPC interface. Consequently, usbguard-notifier
failed to connect to the interface, and it wrote a corresponding error message to the Journal. Because usbguard-notifier
started with the --wait
option, which ensured that usbguard-notifier
attempted to connect to the IPC interface each second after a connection failure, by default, the log contained an excessive amount of these messages soon.
With this update, usbguard-notifier
does not start with --wait
by default. The service attempts to connect to the daemon only three times in the 1-second intervals. As a result, the log contains three such error messages at maximum.
5.6. Networking
Wifi and 802.1x Ethernet connections profiles are now connecting properly
Previously, many Wifi and 802.1x Ethernet connections profiles were not able to connect. This bug is now fixed. All the profiles are now connecting properly. Profiles that use legacy cryptographic algorithms still work but you need to manually enable the OpenSSL legacy provider. This is required, for example, when you use DES with MS-CHAPv2 and RC4 with TKIP.
Afterburn no longer sets an overlong hostname in /etc/hostname
The maximum length of a RHEL hostname is 64 characters. However, certain cloud providers use the Fully-Qualified Domain Name (FQDN) as the hostname, which can be up to 255 characters. Previously, the afterburn-hostname
service wrote such an overlong hostname directly to the /etc/hostname
file. The systemd
service truncated the hostname to 64 characters, and NetworkManager derived an incorrect DNS search domain from the truncated value. With this fix, afterburn-hostname
truncates hostnames at the first dot or 64 characters, whichever comes first. As a result, NetworkManager no longer sets invalid DNS search domains in /etc/resolv.conf
.
5.7. Kernel
modprobe
loads out-of-tree kernel modules as expected
The /etc/depmod.d/dist.conf
configuration file provides a search order for the depmod
utility. Based on the search order, depmod
creates the modules.dep.bin
file. This file lists module dependencies, which the modprobe
utility uses for loading and unloading kernel modules and resolving module dependencies at the same time. Previously, /etc/depmod.d/dist.conf
was missing. As a result, modprobe
could not load some out-of-tree kernel modules. This update includes the /etc/depmod.d/dist.conf
configuration file, which fixes the search order. As a result, modprobe
loads out-of-tree kernel modules as expected.
alsa-lib
now correctly handles audio devices that use UCM
A bug in the alsa-lib
package caused incorrect parsing of the internal Use Case Manager (UCM) identifier. Consequently, some audio devices that used the UCM configuration were not detected or they did not function correctly. The problem occurred more often when the system used the pipewire
sound service. With the new release of RHEL 9, the problem has been fixed by updating the alsa-lib
library.
5.8. File systems and storage
Protection uevents no longer cause reload failure of multipath devices
Previously, when a read-only
path device was rescanned, the kernel sent out two write protection uevents - one with the device set to read/write
, and the following with the device set to read-only
. Consequently, upon detection of the read/write
uevent on a path device, multipathd
tried to reload the multipath device, which caused a reload error message. With this update, multipathd
now checks that all the paths are set to read/write
before reloading a device read/write. As a result, multipathd
no longer tries to reload read/write
whenever a read-only
device is rescanned.
(BZ#2017979)
device-mapper-multipath
rebased to version 0.8.7
The device-mapper-multipath
package has been upgraded to version 0.8.7, which provides multiple bug fixes and enhancements. Notable changes include:
-
Fixed memory leaks in the
multipath
andkpartx
commands. -
Fixed repeated trigger errors from the
multipathd.socket
unit file. - Improved autoconfiguration of more devices, such as DELL SC Series arrays, EMC Invista and Symmetrix arrays (among others).
5.9. High availability and clusters
Pacemaker attribute manager correctly determines remote node attributes, preventing unfencing loops
Previously, Pacemaker’s controller on a node might be elected the Designated Controller (DC) before its attribute manager learned an already-active remote node is remote. When this occurred, the node’s scheduler would not see any of the remote node’s node attributes. If the cluster used unfencing, this could result in an unfencing loop. With the fix, the attribute manager can now learn a remote node is remote by means of additional events, including the initial attribute sync at start-up. As a result, no unfencing loop occurs, regardless of which node is elected DC.
5.10. Compilers and development tools
-Wsequence-point
warning behavior fixed
Previously, when compiling C++ programs with GCC, the -Wsequence-point
warning option tried to warn about very long expressions, it could cause quadratic behavior and therefore significantly longer compilation time. With this update, -Wsequence-point
doesn’t attempt to warn about extremely large expressions and as a result, does not increase compilation time.
(BZ#1481850)
5.11. Identity Management
MS-CHAP authentication with the OpenSSL legacy provider
Previously, FreeRADIUS authentication mechanisms that used MS-CHAP failed because they depended on MD4 hash functions, and MD4 has been deprecated in RHEL 9. With this update, you can authenticate FreeRADIUS users with MS-CHAP or MS-CHAPv2 if you enable the OpenSSL legacy provider.
If you use the default OpenSSL provider, MS-CHAP and MS-CHAPv2 authentication fails and the following error message is displayed, indicating the fix:
Couldn't init MD4 algorithm. Enable OpenSSL legacy provider.
Running sudo commands no longer exports the KRB5CCNAME environment variable
Previously, after running sudo
commands, the environment variable KRB5CCNAME
pointed to the Kerberos credential cache of the original user, which might not be accessible to the target user. As a result Kerberos related operations might fail as this cache is not accessible. With this update, running sudo
commands no longer sets the KRB5CCNAME
environment variable and the target user can use their default Kerberos credential cache.
(BZ#1879869)
SSSD correctly evaluates the default setting for the Kerberos keytab name in /etc/krb5.conf
Previously, if you defined a non-standard location for your krb5.keytab
file, SSSD did not use this location and used the default /etc/krb5.keytab
location instead. As a result, when you tried to log into the system, the login failed as the /etc/krb5.keytab
contained no entries.
With this update, SSSD now evaluates the default_keytab_name
variable in the /etc/krb5.conf
and uses the location specified by this variable. SSSD only uses the default /etc/krb5.keytab
location if the default_keytab_name
variable is not set.
(BZ#1737489)
Authenticating to Directory Server in FIPS mode with passwords hashed with the PBKDF2 algorithm now works as expected
When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the PK11_ExtractKeyValue()
function is not available. As a consequence, prior to this update, users with a password hashed with the password-based key derivation function 2 (PBKDF2) algorithm were not able to authenticate to the server when FIPS mode was enabled. With this update, Directory Server now uses the PK11_Decrypt()
function to get the password hash data. As a result, authentication with passwords hashed with the PBKDF2 algorithm now works as expected.
5.12. Red Hat Enterprise Linux system roles
The Networking system role no longer fails to set a DNS search domain if IPv6 is disabled
Previously, the nm_connection_verify()
function of the libnm
library did not ignore the DNS search domain if the IPv6 protocol was disabled. As a consequence, when you used the Networking RHEL system role and set dns_search
together with ipv6_disabled: true
, the system role failed with the following error:
nm-connection-error-quark: ipv6.dns-search: this property is not allowed for 'method=ignore' (7)
With this update, the nm_connection_verify()
function ignores the DNS search domain if IPv6 is disabled. As a consequence, you can use dns_search
as expected, even if IPv6 is disabled.
Postfix
role README no longer uses plain role name
Previously, the examples provided in the /usr/share/ansible/roles/rhel-system-roles.postfix/README.md
used the plain version of the role name, postfix
, instead of using rhel-system-roles.postfix
. Consequently, users would consult the documentation and incorrectly use the plain role name instead of Full Qualified Role Name (FQRN). This update fixes the issue, and the documentation contains examples with the FQRN, rhel-system-roles.postfix
, enabling users to correctly write playbooks.
Postfix RHEL system role README.md no longer missing variables under the "Role Variables" section
Previously, the Postfix RHEL system role variables, such as postfix_check
, postfix_backup
, postfix_backup_multiple
were not available under the "Role Variables" section. Consequently, users were not able to consult the Postfix role documentation. This update adds role variable documentation to the Postfix README section. The role variables are documented and available for users in the doc/usr/share/doc/rhel-system-roles/postfix/README.md
documentation provided by rhel-system-roles
.
Role tasks no longer change when running the same output
Previously, several of the role tasks would report as CHANGED
when running the same input once again, even if there were no changes. Consequently, the role was not acting idempotent. To fix the issue, perform the following actions:
-
Check if configuration variables change before applying them. You can use the option
--check
for this verification. -
Do not add a
Last Modified: $date
header to the configuration file.
As a result, the role tasks are idempotent.
The logging_purge_confs
option correctly deletes unnecessary configuration files
With the logging_purge_confs
option set to true
, it should delete unnecessary logging configuration files. Previously, however, unnecessary configuration files were not deleted from the configuration directory even if logging_purge_confs
was set to true
. This issue is now fixed and the option has been redefined as follows: if logging_purge_confs
is set to true
, Rsyslog removes files from the rsyslog.d
directory which do not belong to any rpm packages. This includes configuration files generated by previous runs of the Logging role. The default value of logging_purge_confs
is false
.
A playbook using the Metrics role completes successfully on multiple runs even if the Grafana admin
password is changed
Previously, changes to the Grafana admin
user password after running the Metrics role with the metrics_graph_service: yes
boolean caused failure on subsequent runs of the Metrics role. This led to failures of playbooks using the Metrics role, and the affected systems were only partially set up for performance analysis. Now, the Metrics role uses the Grafana deployment
API when it is available and no longer requires knowledge of username or password to perform the necessary configuration actions. As a result, a playbook using the Metrics role completes successfully on multiple runs even if the administrator changes the Grafana admin
password.
Configuration by the Metrics role now follows symbolic links correctly
When the mssql pcp
package is installed, the mssql.conf
file is located in /etc/pcp/mssql/
and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf
. Previously, however, the Metrics role overwrote the symbolic link instead of following it and configuring mssql.conf
. Consequently, running the Metrics role changed the symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf
file. This resulted in a failed symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf
was not affected by the configuration. The issue is now fixed and the follow: yes
option to follow the symbolic link has been added to the Metrics role. As a result, the Metrics role preserves the symbolic links and correctly configures the main configuration file.
The timesync
role no longer fails to find the requested service ptp4l
Previously, on some versions of RHEL, the Ansible service_facts
module, reported service facts incorrectly. Consequently, the timesync
role reported an error attempting to stop the ptp4l
service. With this fix, the Ansible service_facts
module checks the return value of the tasks to stop timesync
services. If the returned value is failed
, but the error message is Could not find the requested service NAME:
, then the module assumes success. As a result, the timesync
role now runs without errors like Could not find the requested service ptp4l
.
(BZ#2058645)
The kernel_settings
configobj
is available on managed hosts
Previously, the kernel_settings
role did not install the python3-configobj
package on managed hosts. As a consequence, the role returned an error stating that the configobj
Python module could not be found. With this fix, the role ensures that the python3-configobj
package is present on managed hosts and the kernel_settings
role works as expected.
The Terminal Session Recording role tlog-rec-session
is now correctly overlaid by SSSD
Previously, the Terminal Session Recording RHEL system role relied on the System Security Services Daemon (SSSD) files provider and on enabled authselect
option with-files-domain
to set up correct passwd
entries in the nsswitch.conf
file. In RHEL 9.0, SSSD did not implicitly enable the files provider by default, and consequently the tlog-rec-session
shell overlay by SSSD did not work. With this fix, the Terminal Session Recording role now updates the nsswitch.conf
to ensure tlog-rec-session
is correctly overlaid by SSSD.
The SSHD system role can manage systems in FIPS mode
Previously, the SSHD system role could not create the not allowed
HostKey type when called. As a consequence, the SSHD system role could not manage RHEL 8 and older systems in Federal Information Processing Standard (FIPS) mode. With this update, the SSHD system role detects FIPS mode and adjusts the default HostKey list correctly. As a result, the system role can manage RHEL systems in FIPS mode with the default HostKey configuration.
The SSHD system role uses the correct template file
Previously, the SSHD system role used a wrong template file. As a consequence, the generated sshd_config
file did not contain the ansible_managed
comment. With this update, the system role uses the correct template file and sshd_config
contains the correct ansible_managed
comment.
The Kdump RHEL system role is be able to reboot, or indicate that a reboot is required
Previously, the Kdump RHEL system role ignored managed nodes without any reserved memory for crash kernel. Consequently, the role finished with the "Success" status, even if it did not configure the system properly. With this update of RHEL 9, the problem has been fixed. In cases when managed nodes do not have any memory reserved for the crash kernel, the Kdump RHEL system role fails and suggests that users set the kdump_reboot_ok
variable to true
to properly configure the kdump
service on managed nodes.
The nm
provider in the Networking system role now correctly manages bridges
Previously, if you used the initscripts
provider, the Networking system role created an ifcfg
file which configured NetworkManager to mark bridge interfaces as unmanaged. Also, NetworkManager failed to detect followup initscript
actions. For example, the down
and absent
actions of initscript provider will not change the NetworkManager’s understanding on unmanaged state of this interface if not reloading the connection after the down
and absent
actions. With this fix, the Networking system role uses the NM.Client.reload_connections_async()
function to reload NetworkManager on managed hosts with NetworkManager 1.18. As a result, NetworkManager manages the bridge interface when switching the provider from initscript
to nm
.
Fixed a typo to support active-backup
for the correct bonding mode
Previously, there was a typo,active_backup
, in supporting the InfiniBand port while specifying active-backup
bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing bonding mode to active-backup
. The connection now successfully supports the InfiniBand bonding port.
The Logging system role no longer calls tasks multiple times
Previously, the Logging role was calling tasks multiple times that should have been called only once. As a consequence, the extra task calls slowed down the execution of the role. With this fix, the Logging role was changed to call the tasks only once, improving the Logging role performance.
RHEL system roles now handle multi-line ansible_managed
comments in generated files
Previously, some of the RHEL system roles were using # {{ ansible_managed }}
to generate some of the files. As a consequence, if a customer had a custom multi-line ansible_managed
setting, the files would be generated incorrectly. With this fix, all of the system roles use the equivalent of {{ ansible_managed | comment }}
when generating files so that the ansible_managed
string is always properly commented, including multi-line ansible_managed
values. Consequently, generated files have the correct multi-line ansible_managed
value.
The Firewall system role now reloads the firewall immediately when target
changes
Previously, the Firewall system role was not reloading the firewall when the target
parameter has been changed. With this fix, the Firewall role reloads the firewall when the target
changes, and as a result, the target
change is immediate and available for subsequent operations.
The group
option in the Certificate system role no longer keeps certificates inaccessible to the group
Previously, when setting the group for a certificate, the mode
was not set to allow group read permission. As a consequence, group members were unable to read certificates issued by the Certificate role. With this fix, the group setting now ensures that the file mode includes group read permission. As a result, the certificates issued by the Certificate role for groups are accessible by the group members.
The Logging role no longer misses quotes for the immark
module interval value
Previously, the interval
field value for the immark
module was not properly quoted, because the immark
module was not properly configured. This fix ensures that the interval
value is properly quoted. Now, the immark
module works as expected.
The /etc/tuned/kernel_settings/tuned.conf
file has a proper ansible_managed
header
Previously, the kernel_settings
RHEL system role had a hard-coded value for the ansible_managed
header in the /etc/tuned/kernel_settings/tuned.conf
file. Consequently, users could not provide their custom ansible_managed
header. In this update, the problem has been fixed so that kernel_settings
updates the header of /etc/tuned/kernel_settings/tuned.conf
with user’s ansible_managed
setting. As a result, /etc/tuned/kernel_settings/tuned.conf
has a proper ansible_managed
header.
The VPN system role filter plugin vpn_ipaddr
now converts to FQCN (Fully Qualified Collection Name)
Previously, the conversion from the legacy role format to the collection format was not converting the filter plugin vpn_ipaddr
to FQCN (Fully Qualified Collection Name) redhat.rhel_system_roles.vpn_ipaddr
. As a consequence, the VPN role could not find the plugin by the short name and reported an error. With this fix, the conversion script has been changed so that the filter is converted to FQCN format in the collection. And now the VPN role runs without issuing the error.
(BZ#2050341)
Job for kdump.service
no longer fails
Previously, the Kdump role code for configuring the kernel crash size was not updated for RHEL9, which requires the use of kdumpctl reset-crashkernel
. As a consequence, the kdump.service
could not start and issued an error. With this update, the kdump.service
role uses kdumpctl reset-crashkernel
to configure the crash kernel size. Now, kdump.service
role successfully starts the kdump service and the kernel crash size is configured correctly.
(BZ#2050419)
5.13. Virtualization
Hot-unplugging a mounted virtual disk no longer causes the guest kernel to crash on IBM Z
Previously, when detaching a mounted disk from a running virtual machine (VM) on IBM Z hardware, the VM kernel crashed under the following conditions:
-
The disk was attached with target bus type
scsi
and mounted inside the guest. - After hot-unplugging the disk device, the corresponding SCSI controller was hot-unplugged as well.
With this update, the underlying code has been fixed and the described crash no longer occurs.
(BZ#1997541)
5.14. Containers
UBI 9-Beta containers can run on RHEL 7 and 8 hosts
Previously, the UBI 9-Beta container images had an incorrect seccomp profile set in the containers-common
package. As a consequence, containers were not able to deal with certain system calls causing a failure. With this update, the problem has been fixed.