Red Hat Enterprise Linux 7.3 Beta

7.3 Release Notes

Release Notes for Red Hat Enterprise Linux 7.3 Beta

Red Hat Customer Content Services

Legal Notice

Copyright © 2016 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.

Abstract

The Release Notes provide high-level coverage of the improvements and additions that have been implemented in Red Hat Enterprise Linux 7.3 Beta and document known problems in this release, as well as notable bug fixes, Technology Previews, deprecated functionality, and other details.
Note: This document is under development, is subject to substantial change, and is provided only as a preview. The included information and instructions should not be considered complete, and should be used with caution.

Preface

Red Hat Enterprise Linux minor releases are an aggregation of individual security, enhancement, and bug fix errata. The Red Hat Enterprise Linux 7.3 Beta Release Notes document describes the major changes made to the Red Hat Enterprise Linux 7 operating system and its accompanying applications for this minor release, as well as known problems and a complete list of all currently available Technology Previews.
Capabilities and limits of Red Hat Enterprise Linux 7 as compared to other versions of the system are available in the Red Hat Knowledgebase article available at https://access.redhat.com/articles/rhel-limits.
For information regarding the Red Hat Enterprise Linux life cycle, refer to https://access.redhat.com/support/policy/updates/errata/.

Chapter 1. Overview

Security

  • The SELinux userspace has been rebased and provides various enhancements and performance improvements. Notably, the new SELinux module store supports priorities, and the SELinux Common Intermediate Language (CIL) has been introduced.
  • OpenSCAP workbench now provides a new SCAP Security Guide integration dialog and enables modification of SCAP policies using a graphical tool.
  • The OpenSCAP suite now includes support for scanning containers using the atomic scan command.
  • Upgraded firewalld starts and restarts significantly faster due to a new transaction model. It also provides improved management of connections, interfaces, and sources, a new default logging option, and ipset support.
  • The audit daemon introduces a new flush technique, which significantly improves performance. Audit policy, configuration, and logging have been enhanced and now support a number of new options.
  • Media Access Control Security (MACsec) encryption over Ethernet is now supported.
See Chapter 15, Security for more information on security enhancements.

Identity Management

The highlighted new features and improvements related to Identity Management (IdM) include:
  • Improved performance of both IdM servers and clients in large customer environments
  • Enhanced topology management and replica installation
  • Extended smart card support for Active Directory (AD) users
  • Fine-grained configuration of one-time password (OTP) authentication
  • Improved troubleshooting capabilities of IdM clients.
For detailed information on changes in IdM, refer to Chapter 4, Authentication and Interoperability.

Core Kernel

  • Support for Checkpoint/Restore in User space (CRIU) has been expanded to the the little-endian variant of IBM Power Systems architecture.
  • Heterogeneous memory management (HMM) feature has been introduced as a Technology Preview.
For more kernel features, refer to Chapter 12, Kernel. For information about Technology Previews related to kernel, see Chapter 42, Kernel.

Networking

  • Open vSwitch now uses kernel lightweight tunnel support.
  • Bulking in the memory allocator subsystem is now supported.
  • NetworkManager now supports new device types, improved stacking of virtual devices, LLDP, stable privacy IPv6 addresses (RFC 7217), detects duplicate IPv4 addresses, and controls a host name through systemd-hostnamed. Additionally, the user can set a DHCP timeout property and DNS priorities.
For more networking features, see Chapter 14, Networking.

Platform Hardware Enablement

  • Support for the Coherent Accelerator Processor Interface (CAPI) flash block adapter has been added. For detailed information, see Chapter 10, Hardware Enablement.

Real-Time Kernel

  • A new scheduler policy, SCHED_DEADLINE has been introduced as Technology Preview. This new policy is available in the upstream kernel and shows promise for certain Realtime use cases. For details, see Chapter 43, Real-Time Kernel.

Storage and File Systems

  • Support for Non-Volatile Dual In-line Memory Module (NVDIMM) persistent memory architecture has been added, which includes the addition of the libnvdimm kernel subsystem. For details, see Chapter 17, Storage and Chapter 12, Kernel. In addition, ext4 and XFS file systems now support Direct Access (DAX) for NVDIMM devices as a Technology Preview. Refer to Chapter 39, File Systems for more information.
  • A new Ceph File System (CephFS) kernel module, introduced as a Technology Preview, enables Red Hat Enterprise Linux Linux nodes to mount Ceph File Systems from Red Hat Ceph Storage clusters. For more information, see Chapter 39, File Systems.
  • Support for pNFS SCSI file sharing has been introduced as a Technology Preview. For details, refer to Chapter 39, File Systems.
  • LVM2 support for RAID-level takeover, the ability to switch between RAID types, is now available as a Technology Preview. See Chapter 45, Storage for more information.

Desktop

  • A new instant messaging client, pidgin, has been introduced, which supports off-the-record (OTR) messaging and the Microsoft Lync instant messaging application.
For more information regarding changes in desktop, refer to Chapter 7, Desktop.

Internet of Things

  • Red Hat Enterprise Linux 7.3 provides latest Bluetooth support, including support for connecting to Bluetooth Low Energy (LE) devices; see Chapter 10, Hardware Enablement.
  • Controller Area Network (CAN) device drivers are now supported, see Chapter 12, Kernel for more information.
  • Red Hat Enterprise Linux 7 kernel is now able to use the embedded MMC (eMMC) interface version 5.0. For details, refer to Chapter 10, Hardware Enablement.

Linux Containers

Red Hat Insights

Since Red Hat Enterprise Linux 6.7, the Red Hat Insights service is available. Red Hat Insights is a proactive service designed to enable you to identify, examine, and resolve known technical issues before they affect your deployment. Insights leverages the combined knowledge of Red Hat Support Engineers, documented solutions, and resolved issues to deliver relevant, actionable information to system administrators.
The service is hosted and delivered through the customer portal at https://access.redhat.com/insights/ or through Red Hat Satellite. To register your systems, follow the Getting Started Guide for Insights. For further information, data security, and limits, refer to https://access.redhat.com/insights/splash/.

Red Hat Access Labs

Red Hat Access Labs is a set of tools in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in Red Hat Access Labs can help you improve performance, quickly troubleshoot issues, identify security problems, and quickly deploy and configure complex applications. Some of the most popular applications are:

Chapter 2. Architectures

Red Hat Enterprise Linux 7.3 Beta is available as a single kit on the following architectures: [1]
  • 64-bit AMD
  • 64-bit Intel
  • IBM POWER7+ and POWER8 (big endian) [2]
  • IBM POWER8 (little endian) [3]
  • IBM System z [4]


[1] Note that the Red Hat Enterprise Linux 7.3 Beta installation is supported only on 64-bit hardware. Red Hat Enterprise Linux 7.3 Beta is able to run 32-bit operating systems, including previous versions of Red Hat Enterprise Linux, as virtual machines.
[2] Red Hat Enterprise Linux 7.3 Beta (big endian) is currently supported as a KVM guest on Red Hat Enterprise Virtualization for Power, and on PowerVM.
[3] Red Hat Enterprise Linux 7.3 Beta (little endian) is currently supported as a KVM guest on Red Hat Enterprise Virtualization for Power, on PowerVM and PowerNV (bare metal).
[4] Note that Red Hat Enterprise Linux 7.3 Beta supports IBM zEnterprise 196 hardware or later; IBM System z10 mainframe systems are no longer supported and will not boot Red Hat Enterprise Linux 7.3 Beta.

Part I. New Features

Chapter 3. General Updates

New variable for disabling colored output for systemd

This update introduces the SYSTEMD_COLORS environment variable for systemd, which enables turning on or off systemd color output. SYSTEMD_COLORS should be set to a valid boolean value. (BZ#1265749)

systemd units can now be enabled using aliases

The systemd init system uses aliases. Aliases are symbolic links to the service files, and can be used in commands instead of the actual names of services. For example, the package providing the /usr/lib/systemd/system/nfs-server.service service file also provides an alias /usr/lib/systemd/system/nfs.service, which is a symbolic link to the nfs-server.service. This enables, for example, using the systemctl status nfs.service command instead of systemctl status nfs-server.service.
Previously, running the systemctl enable command using an alias instead of the real service name failed with an error. With this update, the bug is fixed, and systemctl enable successfully enables units referred to by their aliases. (BZ#1142378)

New systemd option: RandomizedDelaySec

This update introduces the RandomizedDelaySec option for systemd timers, which schedules an event to occur later by a random number of seconds. For example, setting the option to 10 will postpone the event by a random number of seconds between 0 and 10. The new option is useful for spreading workload over a longer time period to avoid several events executing at the same time. (BZ#1305279)

Chapter 4. Authentication and Interoperability

Server performance has improved in many areas

Some operations in Identity Management run much faster now. For example, this enhancement enables better scalability in large deployments exceeding 50,000 users and hosts. Most notably, the improvements include:
  • Faster adding of users and hosts
  • Faster Kerberos authentication for all commands
  • Faster execution of the ipa user-find and ipa host-find commands
Note that to make the find operations faster, the ipa *-find commands no longer show membership by default. To display the membership, add the --all option to ipa *-find or, alternatively, use the ipa *-show commands. (BZ#1298288)

Enhanced IdM topology management

Information about the Identity Management (IdM) topology is now maintained at a central location in the shared tree. As a result, you can now manage the topology from any IdM server using the command line or the web UI.
Additionally, some topology management operations have been simplified, notably:
  • Topology commands have been integrated into the IdM command-line interface, so that you can perform all replica operations using the native IdM command-line tools.
  • You can manage replication agreements in the web UI or from the command line using a new and simplified workflow.
  • The web UI includes a graph of the IdM topology, which helps visualize the current state of replica relationships.
  • IdM includes safety measures that prevent you from accidentally deleting the last certificate authority (CA) master from the topology or isolating a server from the other servers.
  • Support for server roles as a simpler way of determining which server in the topology hosts which services as well as installing these services onto a server.

Simplified replica installation

Installing a replica no longer requires you to log in to the initial server, use the Directory Manager (DM) credentials, and copy the replica information file from the initial server to the replica. For example, this allows for easier provisioning using an external infrastructure management system, while retaining a reasonable level of security.
In addition, the ipa-replica-install utility can now also promote an existing client to a replica.

IdM now supports smart card authentication for AD users

This update extends smart card support in Identity Management (IdM). Users from a trusted Active Directory (AD) can now authenticate using a smart card both remotely using ssh as well as locally. The following methods are supported for local authentication:
  • Text console
  • Graphical console, such as the Gnome Display Manager (GDM)
  • Local authentication services, like su or sudo
Note that IdM only supports the above-mentioned local authentication services and ssh for smart card authentication. Other services, such as FTP, are not supported.
The smart card certificate for AD users can be stored directly in AD, or in an IdM override object for the AD user.

IdM now supports TGS authorization decisions

In an Identity Management (IdM) environment, users can optionally log in using multi-factor authentication. The Kerberos ticket from the ticket granting server (TGS) now contains an indicator if two-factor authentication using a standard password in combination with a one-time password (OTP) was used. This enables the administrator to set server-side policies for resources, and the users are allowed to access based upon the type of their logins. For example, the administrator can now allow the user to log in to the desktop either using one- or two-factor authentication, but require two-factor authentication for virtual private networks (VPN) logins.
By default, all services accept all tickets. To activate this granularity, you have to manage the policies in the IdM web user interface or use the ipa service-* and ipa host-* commands. (BZ#1224057)

sssd now provides optional two-factor authentication

The System Security Services Daemon (SSSD) now allows users with two-factor authentication enabled to authenticate to services either by using a standard password and a one-time password (OTP), or using only a standard password. Optional two-factor authentication enables administrators to configure local logins using a single factor, while other services, like access to VPN gateways, can request both factors. As a result, during the login, the user can enter either both factors, or optionally only the password. The Kerberos ticket then uses authentication indicators to list the used factors. (BZ#1325809)

New SSSD control and status utility

The sssctl utility provides a simple and unified way to obtain information about the System Security Services Daemon's (SSSD) status. For example, you can query status information about active server, auto-discovered servers, domains, and cached objects. Additionally, the sssctl utility enables you to manage SSSD data files to troubleshoot SSSD in a safe way while the service is running.
For more information about the features the utility provides, run sssctl --help.

SSSD configuration file validation

Previously, the System Security Services Daemon (SSSD) did not provide a tool to manually check the /etc/sssd/sssd.conf file. As a consequence, the administrator had to find the problem in the configuration file if the service failed to start. This update provides the config-check option of the sssctl command to locate problems in the configuration file. Additionally, SSSD automatically checks the validity of the configuration file after the service starts, and shows level 0 debug messages for incorrect settings. (BZ#988207)

New sss_cache option to mark sudo rules as expired

This update enhances the sss_cache command from the System Security Services Daemon (SSSD). The options -r and -R have been added to mark one or all sudo rules as expired. This enables the administrator to force a refresh of new rules on the next sudo lookup. Please note that the sudo rules are refreshed using a different algorithm than the user and group entities. For more information about the mechanism, see the sssd-sudo(5) man page. (BZ#1031074)

New packages: custodia, python-jwcrypto

This update adds the custodia packages and their dependency python-jwcrypto to Red Hat Enterprise Linux 7.
Custodia is an HTTP-based pipeline to request and distribute secrets. It handles the authentication, authorization, request handling, and storage stages of secrets management. Custodia is currently only supported as an internal subsystem of Red Hat Identity Management.
The package python-jwcrypto is an implementation of the JavaScript object signing and encryption (JOSE) web standards in Python. It is installed as a dependency of Custodia. (BZ#1206288)

New package: python-gssapi

This update adds the python-gssapi package to Red Hat Enterprise Linux 7. It provides a generic security services API (GSSAPI) that is compatible with Python 2 and 3. Identity Management (IdM) uses the package as a replacement for python-krbV and python-pykerberos, which only support Python 2 (BZ#1292139)

New package: python-netifaces

This update adds the python-netifaces package to Red Hat Enterprise Linux 7. This Python module makes it possible to read information about the system network interfaces from the operating system. It has been added as a dependency for Red Hat Identity Management (IdM). (BZ#1303046)

New package: mod_auth_openidc

This update adds the mod_auth_openidc package to Red Hat Enterprise Linux 7. It enables the Apache HTTP server to act as an OpenID Connect Relying Party for single sign-on (SSO) or as an OAuth 2.0 Resource Server. Web applications can use the module to interact with a variety of OpenID Connect server implementations including the Keycloak open source project and Red Hat Single Sign-On (SSO) products. (BZ#1292561)

IdM now supports DNS locations

This update adds support for DNS location management to the Identity Management (IdM) integrated DNS server to improve cross-site implementations. Previously, clients using DNS records to locate IdM servers could not distinguish local servers from servers located in remote geographical locations. This update enables clients using DNS discovery to find the nearest servers, and to use the network in an optimized way. As a result, administrators can manage DNS locations and assign servers to them in the IdM web user interface and from the command line.

IdM now supports establishing an external trust to an AD domain

Red Hat Enterprise Linux Identity Management (IdM) now supports establishing an external trust to an Active Directory (AD) domain in a forest. An external trust is non-transitive and can be established to any domain in an AD forest. This allows to limit a trusted relationship to a specific domain rather than trusting the whole AD forest. (BZ#1314786)

IdM now supports logging in with alternative UPNs

In an Active Directory (AD) forest it is possible to associate a different user principal name (UPN) suffix with the user name instead of the default domain name. Identity Management (IdM) now allows users from a trusted AD forest to log on with an alternative UPN.
When you add or remove UPN suffixes in a trusted AD forest, run ipa trust-fetch-domains on an IdM master to refresh the information for the trusted forest in the IdM database.

IdM now supports sub-CAs

Previously, Identity Management (IdM) only supported one certificate authority (CA) that was used to sign all certificates issued within the IdM domain. Now, you can use lightweight sub-CAs for better control over the purpose for which a certificate can be used. For example, a Virtual Private Network (VPN) server can be configured to only accept certificates issued by a sub-CA created for that purpose, rejecting certificates issued by other sub-CAs, such as a smart card CA.
To support this functionality, you can now specify an IdM lightweight sub-CA when requesting a certificate with certmonger.

SSSD now supports automatic Kerberos host keytab renewal

Previously, the System Security Services Daemon (SSSD) did not support the automatic renewal of Kerberos host keytab files in an Active Directory (AD). In environments that, for security reasons, do not allow using passwords that never expire, the files had to be manually renewed. With this update, SSSD is able to automatically renew Kerberos host keytab files.
SSSD checks once per day if the machine account password is older than the configured number of days in the ad_maximum_machine_account_password_age parameter of the /etc/sssd/sssd.conf file.

IdM supports user principal aliases

Previously, Identity Management (IdM) supported only the authentication using the user name. However, in some environments it is a requirement to authenticate with an email address or alias name. IdM was enhanced and now supports principal aliases.
To add the aliases ualias and user@example.com to the account user, run the following command:
# ipa user-add-principal user ualias user\\@example.com
Use the -C option to the kinit command when with an alias, and the -E option when using an enterprise principal name:
# kinit -C ualias
# kinit -E user@example.com
(BZ#1328552)

SSSD cache update performance improvement

Previously, the System Security Services Daemon (SSSD) always updated all cached entries after the cache validity timeout passed. This consumed unnecessarily resources on the client and the server, for entries that have not been changed. SSSD has been enhanced and now checks if the cached entry requires an update. The time stamp values are increased for unchanged entries and stored in the new SSSD database /var/lib/sss/db/timestamps_$domain.ldb. This enhancement improves the performance for entries that rarely change on the server side, such as groups. (BZ#1290380)

SSSD now supports sudo rules stored in the IdM schema

Previously, the System Security Services Daemon (SSSD) used the ou=sudoers container, generated by the compatibility plug-in, to fetch sudo rules. SSSD has been enhanced to support sudo rules in the cn=sudo container that are stored in the Identity Management (IdM) directory schema.
To enable this feature, unset the ldap_sudo_search_base parameter in the /etc/sssd/sssd.conf file. (BZ#789477)

SSSD now automatically adjusts the ID ranges for AD clients in environments with high RID numbers

The automatic ID mapping mechanism included in the System Security Services Daemon (SSSD) service is now able to merge ID range domains. The SSSD default size of ID ranges is 200,000. In large Active Directory (AD) installations, the administrator had to manually adjust the ID range assigned by SSSD if the Active Directory relative ID (RID) increased 200,000 to correspond with the RID.
With this enhancement, for AD clients having ID mapping enabled, SSSD automatically adjusts the ID ranges in the described situation. As a result, the administrator does not have to adjust the ID range manually, and the default ID mapping mechanism works in large AD installations. (BZ#1059972)

New sssctl option remove-cache

This update adds the remove-cache option to the sssctl utility. The option removes the local System Security Services Daemon's (SSSD) database contents, and restarts the sssd service. This enables the administrator to start from a clean state with SSSD and avoid the need to manually remove cache files. (BZ#1007969)

Password changes on legacy IdM clients

Previously, Red Hat Enterprise Linux contained a version of slapi-nis that does not enable user to change their passwords on legacy Identity Management (IdM) clients. As a consequence, users logged in to clients via the slapi-nis compatibility tree could only update their password using the IdM web UI or directly in Active Directory (AD). A patch has been applied to and as a result, users are now able to change their password on legacy IdM clients. (BZ#1084018)

Red Hat Access plug-in for IdM is discontinued

The Red Hat Access plug-in for Identity Management (IdM) has been removed in Red Hat Enterprise Linux 7.3. During the update, the redhat-access-plugin-ipa package is automatically uninstalled. Features previously provided by the plug-in, such as Knowledgebase access and support case engagement, are still available through the Red Hat Customer Portal. Red Hat recommends to explore alternatives, such as the redhat-support-tool tool. (BZ#1296140)

Introducing Red Hat Single Sign-On as a replacement for the Ipsilon identity provider

Red Hat Single Sign-On (SSO) is now available as a single sign-on solution based on the Keycloak community project. Red Hat SSO is intended to replace Ipsilon, which was offered as Technology Preview for federated single sign-on in Red Hat Enterprise Linux 7.2.
Red Hat SSO provides more capabilities than Ipsilon, and Red Hat therefore recommends to use it instead of Ipsilon.
For details, see:
Note that Red Hat does not plan to upgrade Ipsilon from Technology Preview to a fully supported feature. The ipsilon packages will be removed from Red Hat Enterprise Linux in a future minor release. (BZ#1364891)

SSSD now reads optional *.conf files from /etc/sssd/conf.d/

The System Security Services Daemon (SSSD) has been enhanced to read *.conf files from the /etc/sssd/conf.d/ directory. This enables you to use a general /etc/sssd/sssd.conf file on all clients and to add additional settings in further configuration files to suit individual clients. SSSD first reads the common /etc/sssd/sssd.conf file, and then in alphabetical order the other files in /etc/sssd/conf.d/. The daemon uses the last read configuration parameter if the same one appears multiple times in different files. (BZ#790113)

The IdM password policy now enables never-expiring passwords

Previously, all user passwords in Identity Management (IdM) were required to have an expiration date defined. With this update, the administrator can configure user passwords to be valid indefinitely by setting the password policy Max lifetime value to 0.
Note that new password policy settings apply to new passwords only. For the change to take effect, existing users must update their passwords. (BZ#826790)

Samba rebased to version 4.4.4

The samba packages have been upgraded to upstream version 4.4.4, which provides a number of bug fixes and enhancements over the previous version:
  • The WINS nsswitch module now uses the libwbclient library for WINS queries. Note that the winbind daemon must be running to resolve WINS names that use the module.
  • The default value of the winbind expand groups option has been changed from 1 to 0.
  • The -u and -g options of the smbget command have been replaced with the -U option to match other Samba command's parameter. The -U option accepts a username[%password] value. Additionally, the username and password parameters in the smbgetrc configuration file have been replaced with the user parameter.
  • The -P parameter of the smbget command has been removed.
  • Printing using the CUPS back end with Kerberos credentials now requires to install the samba-krb5-printing package and to configure CUPS appropriately.
  • It is now possible to configure Samba as a print server by using the CUPS back end with Kerberos credentials. To do so, install the samba-krb5-printing package and configure CUPS appropriately.
  • Samba and CTDB header files are no longer installed automatically when you install samba.
Samba automatically updates its tdb database files when the smbd, nmbd, or winbind daemon starts. Back up the databases files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
For further information about notable changes, read the upstream release notes before updating:

New net ads join option to prevent AD DNS update

The net ads join command now provides the --no-dns-updates option that prevents updating the DNS server with the machine name when joining a client to the Active Directory (AD). This option enables the administrator to bypass the DNS registration if the DNS server does not allow client updates and thus the DNS update would fail with an error message. (BZ#1263322)

Chapter 5. Clustering

A Pacemaker cluster resource that is used to create a guest node may now be a member of a resource group

Previous Pacemaker versions did not support including a guest node in a group. As of Red Hat Enterprise Linux 7.3, a Pacemaker cluster resource such as VirtualDomain that is used to create a guest node may now be a member of a resource group. This can be useful, for example, to associate a virtual machine with its storage. (BZ#1303765)

Support for quorum devices in a Pacemaker cluster

As of Red Hat Enterprise Linux 7.3, you can configure a separate quorum device which acts as a third-party arbitration device for the cluster. Its primary use is to allow a cluster to sustain more node failures than standard quorum rules allow. A quorum device is recommended for clusters with an even number of nodes and highly recommended for two-node clusters. For information on configuring a quorum device, see the High Availability Add-On Reference. (BZ#1158805)

Chapter 6. Compiler and Tools

iputils rebased to version 20160308

The iputils packages have been upgraded to upstream version 20160308, which provides a number of bug fixes and enhancements over the previous version. Notably, the ping command is now dual stack aware. It can be used for probing both IPv4 and IPv6 addresses. The old ping6 command is now a symbolic link to the ping command and works the same way as before. (BZ#1273336)

Logging capabilities of the tftp server have been enhanced

As a result of improved logging, the Trivial File Transfer Protocol (TFTP) server can now track successes and failures. For example, a log event is now created when a client successfully finishes downloading a file, or the file not found message is provided in case of a failure. (BZ#1311092)

New option for arpwatch: -p

This update introduces option -p for the arpwatch command of the arpwatch network monitoring tool. This option disables promiscuous mode. (BZ#1291722)

The chrt utility now has new options

This update introduces new command-line options for the chrt utility: --deadline, --sched-runtime, --sched-period, and --sched-deadline. These options take advantage of the kernel SCHED_DEADLINE scheduler and provide full control of deadline scheduling policy for scripts and when using the command line. (BZ#1298384)

New command-line utility: lsipc

This update introduces the lsipc utility that lists information about inter-process communication (IPC) facilities. In comparison with the old ipcs command, lsipc provides more details, is easier to use in scripts, and is more user-friendly. This results into better control of the output on IPC information for scripts and when using the command line. (BZ#1153770)

Searching using libmount and findmnt is now more reliable

Overlay filesystem's st_dev does not provide possibility for reliable searching to the libmount library and the findmnt utility. With this update, libmount and findmnt search in mount tables by other means than with st_dev in some cases, achieving better reliability. (BZ#587393)

New --family option for the alternatives utility

This update introduces the new --family option for the alternatives utility. The software packager can use this option to group similar alternative packages from the same group into families. Families inside groups ensure that if the currently used alternative is removed, and it belonged to a family, then the current alternative will change to package with the highest priority within the same family, and not outside the family.
For example, a system has four packages installed in the same alternatives group: a1, a2, a3, b (listed in increasing priority). Packages a1, a2, and a3 belong to the same family. a1 is the currently used alternative. If a1 is removed, then the currently used alternative will change to a3. It will not be b, because b is outside the family of a1, and it will not be a2, because a2 has lower priority than a3.
This option is useful when just setting priorities for each alternative is not enough. For example, all openjdk packages can be put into the same family to ensure that if one of them is uninstalled, the alternative will switch to another openjdk package, and not to the java-1.7.0-oracle package (if another openjdk package is installed). (BZ#1291340)

sos rebased to version 3.3

The sos package has been updated to upstream version 3.3, which provides a number of enhancements, new features, and bug fixes, including:
  • Support for OpenShift Enterprise 3.x
  • Improved and expanded OpenStack plug-ins
  • Enhanced support for Open vSwitch
  • Enhanced Kubernetes data collection
  • Improved support for systemd journal collection
  • Enhanced display manager and 3D acceleration data capture
  • Improved support for Linux clusters, including Pacemaker
  • Expanded CPU and NUMA topology collection
  • Expanded mainframe (IBM System z) coverage
  • Collection of multipath topology (BZ#1293044)

ethtool rebased to version 4.5

The ethtool utility enables querying and changing settings such as speed, port, auto-negotiation, PCI locations, and checksum offload on many network devices, especially Ethernet devices. The package has been upgraded to upstream version 4.5. Notable improvements include:
  • SFP serial number and date are now included in EEPROM dump (option -m)
  • Added missing Advertised speeds, some combinations of 10GbE and 56GbE
  • Added register dump support for VMware vmxnet3 (option -d)
  • Added support for setting the default Rx flow indirection table (option -X)
(BZ#1318316)

elfutils rebased to version 0.166

The elfutils packages contain a number of utilities and libraries related to the creation and maintenance of executable code. The package has been upgraded to version 0.166. Highlighted improvements include:
  • strip, unstrip: these utilities can now handle ELF files with merged strtab/shstrtab tables.
  • elfcompress: a new utility to compress or decompress ELF sections.
  • readelf: a new -z,--decompress option.
  • new functions have been added to libelf and libdw to handle compressed ELF sections: elf_compress, elf_compress_gnu, elf32_getchdr, elf64_getchdr, and gelf_getchdr.
  • libdwelf: a new dwelf_scn_gnu_compressed_size() function.
  • New libelf and libdw pkgconfig (package configuration) files.
(BZ#1296313)

pcp rebased to version 3.11.3

Performance Co-Pilot (PCP) is a suite of tools, services, and libraries for acquisition, archiving, and analysis of system-level performance measurements. The package has been upgraded to version 3.11.3. Highlighted improvements include:
  • pcp-ipcs - new command to show inter-process communication
  • pcp-atopsar - new PMAPI sar command based on http://atoptool.nl
  • pcp-vmstat - wrapper for pmstat modified to more closely resemble vmstat
  • libpcp - new fetchgroup API
  • pmdamic - new PMDA for Intel MIC card metrics
  • pmdaslurm - new PMDA exporting HPC scheduler metrics
  • pmdapipe - command output event capture PMDA
  • pmdaxfs - support for per-device XFS metrics
  • pmdavmware - updated to work with current VMWare Perl API
  • pmdaperfevent - variety of improvements surrounding derived metrics; added reference clock cycles for NHM and WSM
  • pmdaoracle - Oracle database metrics available and updated
  • pmdads389 - added normalized dn cache metrics
  • pmdalinux - added metrics for per numa node memory bandwidth, shared memory segments, IPC, MD driver stats, transparent-huge-page zero page alloc counters, NVME devices, IPv6 metrics
  • pmdaelasticsearch - restrict to local node metrics by default and adjust to elasticsearch API change
  • pmdaxfs - support for per-device XFS metrics
  • pmrep - powerful and versatile metric-reporting utility
  • pmlogconf - support for automatic recording of Oracle database, nginx, elasticsearch, memcache, and application metrics supplied by mmv
  • zbxpcp - Zabbix Agent loadable module for PCP metrics supporting Zabbix v2 and v3 simultaneously
  • pmcd - support for starting PMDAs via pmdaroot, allowing restart on PMDA failure without restarting pmcd itself
  • sar2pcp - support for additional mem.util metrics and sysstat-11.0.1 commands
  • pmmgr - added general monitor-program launching option
  • pcp-atop - updated with latest atop features (especially NFS-related)
  • libpcp - allowed the name of a server certificate to be customized; added support for permanent, global derived metrics, and multi-archive contexts
  • pmdaproc - cgroup blkio throttle throughput and IOPS metrics
  • pcp-iostat - added the -R flag for device-name matching using regular expressions and the -G flag for sum, avg, min, or max statistics
  • pmieconf - new rule to automate restarting of unresponsive PMDAs
(BZ#1284307)

systemtap rebased to version 3.0

The systemtap packages have been updated to upstream version 3.0, which provides a number of bug fixes and enhancements. For example, the translator has been improved to require less memory, produce faster code, support more function-callee probing, print improved diagnostics, include language extensions for function overloading and private scoping, and introduce experimental --monitor and --interactive modes. (BZ#1289617)

valgrind rebased to version 3.11.0

Valgrind is an instrumentation framework that is used for debugging memory, detecting memory leaks, and profiling applications. The package has been upgraded to upstream version 3.11.0. Highlighted improvements include:
  • The JIT's register allocator is now significantly faster, making JIT-intensive activities, for example program startup, approximately 5% faster.
  • Intel AVX2 support is now more complete for 64-bit targets. On AVX2-capable hosts, the simulated CPUID will now indicate AVX2 support.
  • The default value for the --smc-check option has been changed from stack to all-non-file on targets that provide automatic D-I cache coherence. The result is to provide, by default, transparent support for JIT generated and self-modifying code on all targets.
Highlighted new features in the Memcheck utility include:
  • The default value for the --leak-check-heuristics option has been changed from none to all. This helps to reduce the number of possibly lost blocks, in particular for C++ applications.
  • The default value for the --keep-stacktraces option has been changed from malloc-then-free to malloc-and-free. This has a small cost in memory but allows Memcheck to show the 3 stack traces of a dangling reference: where the block was allocated, where it was freed, and where it is accessed after being freed.
  • The default value for the --partial-loads-ok option has been changed from no to yes, to avoid false-positive errors resulting from certain vectorised loops.
  • A new gdb monitor command xb [addr] [len] shows the validity bits of [len] bytes at [addr]. The monitor command xb is easier to use than get_vbits when you need to associate byte data value with their corresponding validity bits.
  • The block_list gdb monitor command has been enhanced: it can print a range of loss records; it now accepts an optional argument, limited [max_blocks], to control the number of printed blocks; if a block has been found using a heuristic, then block_list now shows the heuristic after the block size; the loss records/blocks to print can be limited to the blocks found via specified heuristics.
  • A new --expensive-definedness-checks=yes|no command-line option has been added. This is useful for avoiding occasional invalid uninitialized-value errors in optimized code. Beware of potential runtime degradation, as this can be up to 25%. The slowdown is highly application-specific though. The default value is no.
(BZ#1296318)

OpenJDK 8 now supports ECC

With this update, support for Elliptic Curve Cryptography (ECC) and associated ciphers for TLS connections has been added to OpenJDK 8. In most cases, ECC is preferable to older cryptographic solutions for establishing secure network connections. (BZ#1245810)

pycurl now provides options to require TLSv1.1 or 1.2

With this update, pycurl has been enhanced to support options that make it possible to require the use of the 1.1 or 1.2 versions of the TLS protocol, which improves the security of communication. (BZ#1260407)

Perl Net:SSLeay now supports elliptic curve parameters

Support for elliptic-curve parameters has been added to the Perl Net:SSLeay module, which contains bindings to the OpenSSL library. Namely, the EC_KEY_new_by_curve_name(), EC_KEY_free*(), SSL_CTX_set_tmp_ecdh(), and OBJ_txt2nid() subroutines have been ported from upstream. This is required for the support of the Elliptic Curve Diffie–Hellman Exchange (ECDHE) key exchange in the IO::Socket::SSL Perl module. (BZ#1316379)

Perl IO::Socket::SSL now supports ECDHE

Support for Elliptic Curve Diffie–Hellman Exchange (ECDHE) has been added to the IO::Socket::SSL Perl module. The new SSL_ecdh_curve option can be used for specifying a suitable curve by the Object Identifier (OID) or Name Identifier (NID). As a result, it is now possible to override the default elliptic curve parameters when implementing a TLS client using IO::Socket:SSL. (BZ#1316377)

tcsh now uses system allocation functions

The tcsh command language interpreter now uses allocation functions from the glibc library instead of built-in allocation functions. This eliminates earlier problems with the malloc() library call. (BZ#1315713)

Python performance enhancement

The CPython interpreter now uses computed goto statements at the main switch statement, which executes Python bytecode. This enhancement allows the interpreter to avoid a bounds check that is required by the C99 standard for the switch statement, and allows the CPU to perform more efficient branch prediction, which reduces pipeline flushes. As a result of this enhancement, Python code is interpreted significantly faster than before. (BZ#1289277)

New configuration options for SSL/TLS certificate verification for the HTTP clients in the Python standard library

New per-application and per-process configuration options for SSL/TLS certificate verification have been added for the HTTP clients in the Python standard library. The options are described in the 493 Python Enhancement Proposal (https://www.python.org/dev/peps/pep-0493/). The default global setting continues to be to not verify certificates. For details, see https://access.redhat.com/articles/2039753. (BZ#1315758)

OProfile support for the Intel Skylake-SP server

This update provides a more complete set of performance monitoring events for the Intel Skylake-SP server. (BZ#1273755)

OProfile support for Intel HarrisonVille

This update provides a more complete set of performance monitoring events for Intel HarrisonVille (Denverton SoC). (BZ#1273756)

libpfm rebased to version 4.7.0

The libpfm package has been rebased to version 4.7.0. This version provides support for the following 32-bit AMD and Intel architectures:
  • Intel Skylake core PMU
  • Intel Haswell-EP uncore PMUs
  • Intel Broadwell-DE
  • Intel Broadwell (desktop core)
  • Intel Haswell-EP (core)
  • Intel Haswell-EP (core)
  • Intel ivyBridge-EP uncore PMUs (all boxes)
  • Intel Silvermont core PMU
  • Intel RAPL events support
  • Intel SNB, IVB, HSW event table updates
  • Major update on Intel event tables
  • AMD Fam15h Northbridge PMU
(BZ#1321051)

glibc now supports BIG5-HKSCS-2008

Previously, glibc supported an earlier version of the Hong Kong Supplementary Character Set, BIG5-HKSCS-2004. The BIG5-HKSCS character set map has been updated to the HKSCS-2008 revision of the standard. This allows Red Hat Enterprise Linux customers to write applications processing text that is encoded with this version of the standard. (BZ#1211823)

memtest86+ rebased to version 5.01

The memtest86+ package has been upgraded to upstream version 5.01, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:
  • Support for up to 2 TB of RAM on AMD64 and Intel 64 CPUs
  • Support for new Intel and AMD CPUs, for example Intel Haswell
  • Experimental SMT support up to 32 cores
For detailed changes, see http://www.memtest.org/#change (BZ#1280352)

xz rebased to version 5.2.2

The xz packages have been upgraded to upstream version 5.2.2, which provides several optimization fixes, fixes for race conditions, translations, portability fixes, and also new stabilized API previously available only for testing. Additionally, this update introduces a new experimental feature controlled by the --flush-timeout option (by default off). When compressing, if more than timeout milliseconds (a positive integer) have passed since the previous flush and reading more input would be blocked, all the pending input data is flushed from the encoder and made available in the output stream. This can be useful if the xz utility is used for compressing data that is streamed over a network. (BZ#1160193)

GDB now supports IBM z13 features

This update provides a GDB extension for debugging code utilizing IBM z13 features. This includes disassembling extended IBM z13 instructions and supporting SIMD instructions using 128-bit wide vector registers v0-v31. Code optimized for IBM z13 can be now debugged by GDB displaying correct instruction mnemonics, vector registers, and retrieving and passing vector register content during inferior calls. (BZ#1182151)

ruby rebased to version 2.0.0.648

The ruby packages have been upgraded to upstream version 2.0.0.648, which provides a number of bug and security fixes. This is the last upstream stable release of Ruby 2.0.0 as it has been deprecated in upstream. More recent versions of Ruby are available in Red Hat Software Collections. (BZ#1197720)

Chapter 7. Desktop

New packages: pidgin

This update adds the pidgin instant messaging client that supports off-the-record (OTR) messaging and the Microsoft Lync instant messaging application. (BZ#1066457)

Scroll wheel increment configurable in GNOME terminal

With this update, the _gnome-terminal packages have been upgraded so that the scroll wheel setting is now configurable in the GNOME terminal. The scrolling preferences include a checkbutton and a spinbutton, which allow to choose between dynamic or fixed scrolling increment. The default option is dynamic scrolling increment, which is based on the number of visible rows. (BZ#1103380)

Vinagre user experience improvements

The Vinagre remote desktop viewer introduces the following user experience enhancements:
  • A minimize button is available in the fullscreen toolbar, which makes access to custom options easier.
  • It is now possible to scale Remote Desktop Protocol (RDP) sessions. You can set the session size in the Connect dialog.
  • You can now use the secrets service to safely store and retrieve remote credentials. (BZ#1291275)

Custom titles for the terminal tabs or windows

This update allows users to set custom titles for terminal windows or tabs in gnome-terminal. The titles can be changed directly in the gnome-terminal user interface. (BZ#1296110)

Separate menu items for opening tabs and windows restored

This update restores separate menu items for opening tabs and windows in gnome-terminal. It is now easier to open a mix of tabs and windows without being familiar with keyboard shortcuts. (BZ#1300826)

Native Gnome/GTK+ look for Qt applications

Previously, the default Qt style did not provide consistency for Qt applications, causing them not to fit into Gnome desktop. A new adwaita-qt style has been provided for those applications and the visual differences between the Qt and GTK+ applications are now minimal. (BZ#1306307)

Rhythmbox rebase to version 3.3.1

Rhythmbox is the GNOME default music player. It is easy to use and includes features such as playlists, podcast playback, and audio streaming. The rhythmbox packages have been upgraded to upstream version 3.3.1. The most notable changes include:
  • Better support for Android devices
  • New task progress display below the track list
  • Support for the composer, disc, and track total tags
  • New style for playback controls and the source list
  • A number of bug fixes for various warnings and unexpected termination errors (BZ#1298233)

libreoffice rebased to version 5.0.6.2

The libreoffice packages have been upgraded to upstream version 5.0.6.2, which provides a number of bug fixes and enhancements over the previous version, notably:
  • The status bar and various sidebar decks have been improved.
  • Various toolbars and context menus have been cleaned up or rearranged for better usability.
  • The color selector has been reworked.
  • New templates have been created.
  • Templates now appear directly in the Start Center and can be picked from there.
  • libreoffice now displays an information bar to indicate visibly when a document is being opened in read-only mode.
  • The possibility to embed libreoffice in certain web browsers by using the deprecated NPAPI has been removed.
  • It is possible to connect to SharePoint 2010 and 2013 and OneDrive directly from libreoffice.
  • Support for converting formulas into direct values, Master Document templates, reading Adobe Swatch Exchange color palettes in the .ase format, importing Adobe PageMaker documents, and for exporting digitally signed PDF files.
  • It is now possible to specify references to entire columns or rows using the A:A or 1:1 notation.
  • Interoperability with Microsoft Office document formats has been improved.
For a complete list of bug fixes and enhancements provided by this upgrade, see https://wiki.documentfoundation.org/ReleaseNotes/4.4 and https://wiki.documentfoundation.org/ReleaseNotes/5.0. (BZ#1290148)

libdvdnav rebased to version 5.0.3

The libdvdnav library allows you to navigate DVD menus on any operating system. The libdvdnav packages have been upgraded to version 5.0.3. The most notable changes include:
  • Fixed a bug on menu-less DVDs
  • Fixed playback issues on multi-angle DVDs
  • Fixed unexpected termination when playing a DVD from different region than currently set in the DVD drive
  • Fixed memory bugs when reading certain DVDs (BZ#1068814)

GIMP rebased to version 2.8.16

The GNU Image Manipulation Program (GIMP) has been upgraded to version 2.8.16, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:
Core:
  • More robust loading of XCF files
  • Improved performance and behavior when writing XCF files
GUI:
  • The widget direction automatically matches the direction of language set for GUI
  • Larger scroll area for tags
  • Fixed switching of dock tabs by drag and drop (DND) hovering
  • DND works between images in one dockable
  • No unexpected termination problem in the save dialog
Plug-ins:
  • Improved security of the script-fu server
  • Fixed reading and writing of files in the BMP format
  • Fixed exporting of fonts in the PDF plug-in
  • Support of layer groups in OpenRaster files
  • Fixed loading of PSD files with layer groups (BZ#1298226)

Chapter 8. Directory Server in Red Hat Enterprise Linux

About Directory Server for Red Hat Enterprise Linux

This section describes changes in the main server component for Red Hat Directory Server - the 389-ds-base package, which includes the LDAP server itself and command line utilities and scripts for its administration. This package is part of the Red Hat Enterprise Linux base subscription channel and therefore available on all Red Hat Enterprise Linux Server systems due to Red Hat Identity Management components which depend on it.
Additional Red Hat Directory Server components, such as the Directory Server Console, are available in the rhel-7-server-rhds-10-rpms additional subscription channel. A subscription to this channel is also required to obtain support for Red Hat Directory Server. Changes to the additional components in this channel are not described in this document.
Red Hat Directory Server version 10.1 is available for Red Hat Enterprise Linux 7. See https://access.redhat.com/products/red-hat-directory-server/get-started for information about getting started with Directory Server 10, and https://access.redhat.com/documentation/en/red-hat-directory-server/?version=10 for full documentation.

The ldapsearch command can now return all operational attributes

LDAP searches can now return all operational attributes as described in IETF RFC 3673. Using the + character in a search will yield all operational attributes to which the bound Distinguished Name (DN) has access. The returned results may be limited depending on applicable Access Control Instructions (ACIs).
An example search might look similar to the following:
ldapsearch -LLLx -h localhost -p 10002 -b ou=people,dc=example,dc=com -s base '+'
dn: ou=People,dc=example,dc=com
See https://tools.ietf.org/html/rfc3673 for additional information about this feature. (BZ#1290111)

Increased accuracy of log time stamps

This update increases the accuracy of time stamps in Directory Server logs from one second precision to nanosecond precision by default. This enhancement allows for a more detailed analysis of events in Directory Server, and enables external log systems to correctly rebuild and interweave logs from Directory Server.
Previously, log entries contained time stamps as shown in the following example:
[21/Mar/2016:12:00:59 +1000] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
With this update, the same log entry contains a more accurate time stamp:
[21/Mar/2016:12:00:59.061886080 +1000] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
To revert to the old time stamp format, set the nsslapd-logging-hr-timestamps-enabled attribute to false in cn=config. (BZ#1273549)

New utility for displaying status of Directory Server instances

Directory Server now provides the status-dirsrv command line utility, which outputs the status of one or all instances. Use the following command to obtain a list of all existing instances:
status-dirsrv
To display the status of a specific instance, append the instance name to the command. See the status-dirsrv(8) man page for additional details and a list of return codes. (BZ#1209128)

New option to enable use of quotes in schema

This update introduces the LDAP_SCHEMA_ALLOW_QUOTED environment variable which adds support for older style schema using quotes in the schema directory. To enable this functionality, set the following variable in the /etc/sysconfig/dirsrv-INSTANCE configuration file:
LDAP_SCHEMA_ALLOW_QUOTED=on
(BZ#1368484)

Chapter 9. File Systems

XFS runtime statistics are available per file system in the /sys/fs/ directory

The existing XFS global statistics directory has been moved from the /proc/fs/xfs/ directory to the /sys/fs/xfs/ directory while maintaining compatibility with earlier versions with a symbolic link in /proc/fs/xfs/stat. New subdirectories will be created and maintained for statistics per file system in /sys/fs/xfs/, for example /sys/fs/xfs/sdb7/stats and /sys/fs/xfs/sdb8/stats. Previously, XFS runtime statistics were available only per server. Now, XFS runtime statistics are available per device. (BZ#1269281)

A progress indicator has been added to mkfs.gfs2

The mkfs.gfs2 tool now reports its progress when building journals and resource groups. As mkfs.gfs2 can take some time to complete with large or slow devices, it was not previously clear if mkfs.gfs2 was working correctly until a report was printed. A progress bar has been added to mkfs.gfs2 indicate progress. (BZ#1196321)

fsck.gfs2 has been enhanced to require considerably less memory on large file systems

Prior to this update, the Global File System 2 (GFS2) file system checker, fsck.gfs2, required a large amount of memory to run on large file systems, and running fsck.gfs2 on file systems larger than 100 TB was therefore impractical. With this update, fsck.gfs2 has been enhanced to run in considerably less memory, which allows for better scalability and makes running fsck.gf2 practical to run on much larger file systems. (BZ#1268045)

GFS2 has been enhanced to allow better scalability of its glocks

In the Global File System 2 (GFS2), opening or creating a large number of files, even if they are closed again, leaves a lot of GFS2 cluster locks (glocks) in slab memory. When the number of glocks was in the millions, GFS2 previously started to slow down, especially with file creates: GFS2 became gradually slower to create files. With this update, the GFS2 has been enhanced to allow better scalability of its glocks, and the GFS2 can now therefore maintain good performance across millions of file creates. (BZ#1172819)

xfsprogs rebased to version 4.5.0

The xfsprogs packages have been upgraded to upstream version 4.5.0, which provides a number of bug fixes and enhancements over the previous version. The Red Hat Enterprise Linux 7.3 kernel RPM requires the upgraded version of xfsprogs because the new default on-disk format requires special handling of log cycle numbers when running the xfs_repair utility. Notable changes include:
  • Metadata cyclic redundancy checks (CRCs) and directory entry file types are now enabled by default. To replicate the older mkfs on-disk format used in earlier versions of Red Hat Enterprise Linux 7, use the -m crc=0 -n ftype=0 options on the mkfs.xfs command line.
  • The GETNEXTQUOTA interface is now implemented in xfs_quota, which allows fast iteration over all on-disk quotas even when the number of entries in the user database is extremely large.
Also, note the following differences between upstream and Red Hat Enterprise Linux 7.3:
  • The experimental sparse inode feature is not available.
  • The free inode btree (finobt) feature is disabled by default to ensure compatibility with earlier Red Hat Enterprise Linux 7 kernel versions. (BZ#1309498)

The CIFS kernel module rebased to version 6.4

The Common Internet File System (CIFS) has been upgraded to upstream version 6.4, which provides a number of bug fixes and enhancements over the previous version. Notably:
  • Support for Kerberos authentication has been added.
  • Support for MFSymlink has been added.
  • The mknod and mkfifo named pipes are now allowed.
Also, several memory leaks have been identified and fixed. (BZ#1337587)

Chapter 10. Hardware Enablement

Support added for the CAPI flash block adapter

The Coherent Accelerator Processor Interface (CAPI) is a technology that enables I/O adapters to coherently access host memory, and thus ensures improved performance. This update adds the cxlflash driver, which provides support for IBM's CAPI flash block adapter. (BZ#1182021)

MMC kernel rebased to version 4.5

With this update, the Multimedia Card (MMC) kernel subsystem has been upgraded to upstream version 4.5, which fixes multiple bugs and also enables the Red Hat Enterprise Linux 7 kernel to use the embedded MMC (eMMC) interface version 5.0. In addition, the update improves the suspend and resume functionality of MMC devices, as well as their general stability. (BZ#1297039)

Intel DIMM management API

An API has been added for configuring and managing Intel Dual Inline Memory Modules (DIMMs). This enables the user to perform basic DIMM inventory, capacity provisioning, health monitoring, and troubleshooting. (BZ#1270993)

iWarp mapper service added

This update adds support for the internet Wide Area RDMA Protocol (iWARP) mapper to Red Hat Enterprise Linux 7. The iWARP mapper is a user-space service that enables the following iWARP drivers to claim TCP ports using the standard socket interface:
  • Intel i40iw
  • NES
  • Chelsio cxgb4
Note that both the iw_cm and ib_core kernel modules need to be loaded for the iWarp mapper service (iwpmd) to start successfully. (BZ#1331651)

New package: memkind

This update adds the memkind package, which provides a user-extensible heap manager library, built as an extension of the jemalloc memory allocator. This library enables partitioning of the memory heap located between memory types that are defined when the operating system policies are applied to virtual address ranges. In addition, memkind enables the user to control memory partition features and allocate memory with a specified set of memory features selected. (BZ#1210910)

Per-port MSI-X support for the AHCI driver

The driver for the Advanced Host Controlled Interface (AHCI) has been updated for per-port message-signaled interrupt (MSI-X) vectors. Note that this applies only to controllers that support the feature. (BZ#1286946)

Chapter 11. Installation and Booting

Improved logging when network traffic is blocked during installation

This update adds improved logging when attempting to connect to a network repository during installation. Now, when there is a connection problem with a network repository during installation, logs include more detailed information about what caused the problem. (BZ#1240379)

Support for Memory Address Range Mirroring

With this update, it is possible to configure Memory Address Range Mirroring on EFI-based systems on compatible hardware, using the efibootmgr utility with the new --mirror-below-4G and --mirror-above-4G options. (BZ#1271412)

Default logging levels increased in Yum and NetworkManager

With this update, default logging levels were increased in the Yum and NetworkManager utilities. (BZ#1254368)

Driver Update Disks can now replace loaded modules

It is now possible to use a Driver Update Disk to replace a module that is already loaded, provided that the original module is not in use. (BZ#1265693)

Chapter 12. Kernel

criu rebased to version 2.3 and fully supported for certain applications

The criu packages have been upgraded to upstream version 2.3, which provides a number of bug fixes and enhancements over the previous version. Notably, Checkpoint/Restore in User-space (CRIU) is now supported on Red Hat Enterprise Linux for POWER, little endian in addition to the existing support on the ⁠AMD64 and Intel 64 architectures.
Additionally, CRIU has been moved from Technology Preview to full support for the following applications running in a Red Hat Enterprise Linux 7 runc container:
  • vsftpd
  • apache httpd
  • sendmail
  • postgresql
  • mongodb
  • mariadb
  • mysql
  • tomcat
  • dnsmasq (BZ#1296578)

The CAN protocol has been enabled in the kernel

The Controller Area Network (CAN) protocol kernel modules have been enabled, providing the device interface for CAN device drivers. CAN is a vehicle bus specification originally intended to connect the various micro-controllers in automobiles and has since extended to other areas. CAN is also used in industrial and machine controls where a high performance interface is required and other interfaces such as RS-485 are not sufficient. The functions exported from the CAN protocol modules are used by CAN device drivers to make the kernel aware of the devices and to allow applications to connect and transfer data. Enablement of CAN in the kernel allows the use of third party CAN drivers and applications to implement CAN based systems. (BZ#1311631)

Persistent memory support added to kexec-tools

The Linux kernel now supports E820_PRAM and E820_PMEM type for the Non-Volatile Dual In-line Memory Module (NVDIMM) memory devices. A patch has been backported from the upstream, which ensures that kexec-tools support these memory devices as well. (BZ#1282554)

libndctl - userspace nvdimm management library

The libndctl userspace library has been added. It is a collection of C interfaces to the ioctl and sysfs entry points provided by the kernel libnvdimm subsystem. The library enables higher level management software for NVDIMM-enabled platforms and also provides a command-line interface for managing NVDIMMs. (BZ#1271425)

New symbols for the kABI whitelist to support the hpvsa and hpdsa drivers

This update adds a set of symbols to the kernel Application Binary Interface (kABI) whitelist, which ensures the support for the hpvsa and hpdsa drivers.
The newly added symbols are:
  • scsi_add_device,
  • scsi_adjust_queue_depth
  • scsi_cmd_get_serial
  • scsi_dma_map
  • scsi_dma_unmap
  • scsi_scan_host (BZ#1274471)

crash rebased to version 7.1.5

The crash packages have been upgraded to upstream version 7.1.5, which provides several bug fixes and a number of enhancements over the previous version. Notably, this rebase adds new options such as dis -s, dis -f, sys -i, list -l, new support for Quick Emulator (QEMU) generated Executable and Linkable Format (ELF) vmcores on the 64-bit ARM architectures, and several updates required for support of recent upstream kernels. It is safer and more efficient to rebase the crash packages than to backport selectively the individual patches. (BZ#1292566)

New package: crash-ptdump-command

Crash-ptdump-command is a new rpm package which provides a crash extension module to add ptdump subcommand to the crash utility. The ptdump subcommand retrieves and decodes the log buffer generated by the Intel Processor Trace facility from the vmcore file and outputs to the files. This new package is designed for EM64T and AMD64 architectures. (BZ#1298172)

Support of 8 TB of RAM

With this update, the kernel is certified to support 8 TB of RAM. This new feature covers the advance in memory technology and it provides the potential to meet technological requirements of future servers that will be released in the life time of Red Hat Enterprise Linux 7. This feature is available for AMD64 and Intel 64 architectures. (BZ#727077)

Ambient capabilities are now supported

Capabilities are per-thread attributes used by the Linux kernel to divide the privileges traditionally associated with superuser privileges into multiple distinct units. This update adds support for ambient capabilities to the kernel. Ambient capabilities are a set of capabilities that are preserved when a program is executed using the execve() system call. Only capabilities which are permitted and inheritable can be ambient. You can use the prctl() call to modify ambient capabilities. See the capabilities(7) man page for more information about kernel capabilities in general, and the prctl(2) man page for information about the prctl call. (BZ#1165316)

cpuid utility is now available

With this update, the cpuid utility is available in Red Hat Enterprise Linux. This utility dumps detailed information about the CPU(s) gathered from the CPUID instruction, and also determines the exact model of CPU(s). It supports Intel, AMD, and VIA CPUs. (BZ#1307043)

FC-FCoE symbols have been added to KABI white lists

With this update, a list of symbols belonging to the libfc and libfcoe kernel modules has been added to the kernel Application Binary Interface (KABI) white lists. This ensures that the Fibre Channel over Ethernet (FCoE) driver, which depends on libfc and libfcoe, can safely use the newly added symbols. (BZ#1232050)

New package: opal-prd for OpenPower systems

The new opal-prd package contains a daemon that handles hardware-specific recovery processes, and should be run as a background system process after boot. It interacts with OPAL firmware to capture hardware error causes, log events to the management processor, and handles recoverable errors where suitable. (BZ#1224121)

New package: libcxl

The new libcxl package contains the user-space library for applications in user space to access CAPI hardware via kernel cxl functions. It is available on ppc64 and ppc64le architectures. (BZ#1305080)

Kernel support for the newly added iproute commands

This update adds kernel support to ensure the correct functionality of newly added iproute commands. The provided patch set includes:
  • Extension of the IPsec interface, which allows prefixed policies to be hashed.
  • Inclusion of the hash prefixed policies based on preflen thresholds.
  • Configuration of policy hash table thresholds by netlink. (BZ#1222936)

Backport of the PID cgroup controller

This update adds the new Process Indentifier (PID) controller. This controller accounts for the processes per cgroup and allows a cgroup hierarchy to stop any new tasks from being forked or cloned after a certain limit is reached. (BZ#1265339)

mpt2sas and mpt3sas merged

The source codes of mpt2sas and mpt3sas drivers have been merged. Unlike in upstream, Red Hat Enterprise Linux 7 continues to maintain two binary drivers for compatibility reasons. (BZ#1262031)

Allow multiple .ko files to be specified in ksc

Previously, it was not possible to add multiple .ko files in a single run of the ksc utility. Consequently, the drivers that contain multiple kernel modules were not passed to ksc in a single run. With this update, the -k option can be specified multiple times in the same run. Thus single run of ksc can be used to query symbols used by several kernel modules. As a result, one file with symbols used by all modules is generated. (BZ#906659)

dracut update

The dracut initramfs generator has been updated with a number of bug fixes and enhancements over the previous version. Notably:
  • dracut gained a new kernel command-line option rd.emergency=[reboot|poweroff|halt], which specifies what action to execute in case of a critical failure. When using rd.emergency=[reboot|poweroff|halt], the rd.shell=0 option should also be specified.
  • The reboot, poweroff, and halt commands now work in the emergency shell of dracut.
  • dracut now supports multiple bond, bridge, and VLAN configurations on the kernel command line.
  • The device timeout can now be specified on the kernel command line using the rd.device.timeout=<seconds> option.
  • DNS name servers specified on the kernel command line are now used in DHCP.
  • dracut now supports 20-byte MAC addresses.
  • Maximum Transmission Unit (MTU) and MAC addresses are now set correctly for DHCP and IPv6 Stateless Address AutoConfiguration (SLAAC).
  • The ip= kernel command line option now supports MAC addresses in brackets.
  • dracut now supports the NFS over RDMA (NFSoRDMA) module.
  • Support for kdump has been added to Fibre Channel over Ethernet (FCoE) devices.
  • dracut now supports the --install-optional <file list> option and the install_optional_items+=" <file>[ <file> ...] configuration file directive. The new option and directive enable installing files if they exist without returning an error if they do not.
  • dracut DHCP now recognizes the rfc3442-classless-static-routes option, which enables using classless network addresses. (BZ#1359144, BZ#1178497, BZ#1324454, BZ#1194604, BZ#1282679, BZ#1282680, BZ#1332412, BZ#1319270, BZ#1271656, BZ#1271656, BZ#1367374, BZ#1169672, BZ#1222529, BZ#1260955)

Red Hat Enterprise Linux 7 now supports Wacom Cintiq 27 QHD

Previously, the Wacom Cintiq 27 QHD tablets were not supported in Red Hat Enterprise Linux 7. With this update, Wacom Cintiq 27 QHD is supported in Red Hat Enterprise Linux 7. (BZ#1342989)

Full support for OPA kernel driver

Intel® Omni-Path Architecture (OPA) kernel driver, previously available as a Technology Preview, is now fully supported. Intel® OPA provides Host Fabric Interconnect (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.
For instructions on how to obtain Intel Omni-Path documentation, see https://access.redhat.com/articles/2039623. (BZ#1374826)

Cyclitest --smi option available for non-root users

With this update, it is possible to use the cyclictest program with the --smi option as a non-root user, provided that the user also belongs to the realtime group. On processors that support system management interrupts (SMIs), --smi displays a report on the system's SMIs, which was previously only available for root users. (BZ#1346771)

Chapter 13. Real-Time Kernel

About Red Hat Enterprise Linux for Real Time Kernel

The Red Hat Enterprise Linux for Real Time Kernel is designed to enable fine-tuning for systems with extremely high determinism requirements. The major increase in the consistency of results can, and should, be achieved by tuning the standard kernel. The real-time kernel enables gaining a small increase on top of increase achieved by tuning the standard kernel.
The real-time kernel is available in the rhel-7-server-rt-rpms repository. The Installation Guide contains the installation instructions and the rest of the documentation is available at Product Documentation for Red Hat Enterprise Linux for Real Time.

The can-dev module has been enabled for the real-time kernel

The can-dev module has been enabled for the real-time kernel, providing the device interface for Controller Area Network (CAN) device drivers. CAN is a vehicle bus specification originally intended to connect the various micro-controllers in automobiles and has since extended to other areas. CAN is also used in industrial and machine controls where a high performance interface is required and other interfaces such as RS-485 are not sufficient.
The functions exported from the can-dev module are used by CAN device drivers to make the kernel aware of the devices and to allow applications to connect and transfer data.
Enabling CAN in the real-time kernel allows the use of third party CAN drivers and applications to implement CAN-based systems. (BZ#1328607)

Chapter 14. Networking

Open vSwitch now uses kernel lightweight tunnel support

With this update, the Open vSwitch (OVS) implementation now uses kernel lightweight tunnel support for VXLAN, GRE, and GENEVE tunnels. This allows to eliminate the duplicate functionality in the OVS vport implementation and also means OVS benefits from feature and performance improvements in the base kernel such as destination caching support or hardware offloading. (BZ#1283886)

Bulking in the memory allocator subsystem is now supported

With this update, the kernel supports batching of memory allocation and memory freeing. Currently, this performance optimization is used only in the networking stack to free consecutive network packets. (BZ#1268334)

NetworkManager now supports LLDP

With this update, NetworkManager can now listen for Link Layer Discovery Protocol (LLDP) messages on given interfaces and expose information about found neighbors through D-bus and nmcli. This feature is disabled by default, but you can enable it through the connection.lldp property or the LLDP variable in the ifcfg files. (BZ#1142898)

DHCP timeout in NetworkManager is configurable

The faster fallback in a Dynamic Host Configuration Protocol (DHCP) negotiation is useful in case a server is not present. With this update, the user can set the value of the ipv4.dhcp-timeout property or the IPV4_DHCP_TIMEOUT option in the ifcfg files. As a result, NetworkManager waits for a response from the DHCP server only for a given time. (BZ#1262922)

NetworkManager now detects duplicate IPv4 addresses

With this update, NetworkManager performs a check to detect duplicate IPv4 addresses when activating a new connection. If the address in LAN is already assigned, the connection activation fails. This feature is disabled by default, but you can enable it by the ipv4.dad-timeout property or the ARPING_WAIT variable in the ifcfg files. (BZ#1259063)

NetworkManager now controls the host name using systemd-hostnamed

With this update, NetworkManager uses the systemd-hostnamed service to read and write the static host name, which is stored in the /etc/hostname file. Due to this change, manual modifications done to the /etc/hostname file are no longer picked up automatically by NetworkManager; users should change the system host name through the hostnamectl utility. Also, the use of the HOSTNAME variable in the '/etc/sysconfig/network' file is now deprecated. (BZ#1367916)

Support for latest Bluetooth, including Bluetooth LE

This update provides latest Bluetooth support, including support for connecting to Bluetooth Low Energy (LE) devices. This helps to ensure proper functionality of Internet of Things (IoT) devices. (BZ#1296707)

Additional policies for the PR-SCTP extension are now supported

The Partially Reliable SCTP (PR-SCTP) extension defined in RFC3758 provides a generic method for senders to abandon user messages. With this update, three additional PR-SCTP policies are supported:
  • Timed Reliability: This allows the sender to specify a timeout for a user message. The SCTP stack abandons the user message after the timeout expires.
  • Limited Retransmission Policy: Allows limitation of the number of retransmissions.
  • Priority Policy: Allows removal of lower-priority messages if space for higher-priority messages is needed in the send buffer. (BZ#965453)

Man pages for tc filter actions were added to the iproute package

With this update, man pages for the iproute utility's tc filter actions have been added. Every tc action has now a corresponding man page, which includes synopsis, options, and detailed functional description. (BZ#1275426)

The ip command can now display bridge configuration

With this update, you can use the ip tool instead of the brctl tool to display network bridge configuration. (BZ#1270763)

ss now supports monitoring per connection TCP re-transmission

With this update, the ss command output includes the 'bytes_acked', 'bytes_received', 'segs_in, and 'segs_out' fields, unless they are null. This feature improves link quality monitoring. (BZ#1269051)

iPXE packages rebased to support IPv6 on physical computers

The ipxe-bootimgs and ipxe-roms packages have been rebased to upstream commit 6366fa7a to support network booting over IPv6 on physical installations of Red Hat Enterprise Linux 7. (BZ#1298313)

New packages: libvma

libvma is a dynamically linked user space library for transparently enhancing the performance of TCP and UDP networking-heavy applications over RDMA-capable network interface controllers. It allows standard socket API applications to run with the full network stack bypass from user space, which results in latency reduction, increased throughput, and packet rate. (BZ#1271624)

Chapter 15. Security

The SELinux userspace rebased to version 2.5

The SELinux userspace packages have been upgraded to upstream version 2.5, which provides a number of enhancements, bug fixes, and performance improvements over the previous version. The most important new features in the SELinux userspace 2.5 include:
  • The new SELinux module store supports priorities. The priority concept provides an ability to override a system module with a module of a higher priority.
  • SELinux Common Intermediate Language (CIL) provides clear and simple syntax that is easy to read, parse, and to generate by high-level compilers, analysis tools, and policy generation tools.
  • Time-consuming SELinux operations, such as policy installations or loading new policy modules, are now significantly faster.
Note: The default location of the SELinux modules remains in the /etc/selinux/ directory in Red Hat Enterprise Linux 7, whereas the upstream version uses /var/lib/selinux/. To change this location for migration, set the store-root= option in the /etc/selinux/semanage.conf file. (BZ#1297815)

scap-workbench rebased to version 1.1.2

The scap-workbench package has been rebased to version 1.1.2, which provides a new SCAP Security Guide integration dialog. The dialog helps the administrator choose a product that needs to be scanned instead of choosing content files. The new version also offers a number of performance and user-experience improvements, including improved rule-searching in the tailoring window, the possibility to fetch remote resources in SCAP content using the GUI, and the dry-run feature. The dry-run feature enables to user to get oscap command-line arguments to the diagnostics window instead of running the scan. (BZ#1202854)

openscap rebased to version 1.2.10

The OpenSCAP suite that enables integration of the Security Content Automation Protocol (SCAP) line of standards has been rebased to version 1.2.10, the latest upstream version. The openscap packages provide the OpenSCAP library and the oscap utility. Most notably, this update adds support for scanning containers using the atomic scan command. In addition, this update provides the following enhancements:
  • oscap-vm, a tool for offline scanning of virtual machines
  • oscap-chroot, a tool for offline scanning of file systems mounted at arbitrary paths
  • full support for Open Vulnerability and Assessment Language (OVAL) 5.11.1
  • native support for remote .xml.bz2 files
  • grouping HTML report results according to various criteria
  • HTML report improvements
  • verbose mode for debugging OVAL evaluation (BZ#1278147)

firewalld rebased to version 0.4.3.2

The firewalld packages have been upgraded to upstream version 0.4.3.2 which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
  • Performance improvements: firewalld starts and restarts significantly faster thanks to the new transaction model which groups together rules that are applied simultaneously. This model uses the iptables restore commands. Also, the firewall-cmd, firewall-offline-cmd, firewall-config, and firewall-applet tools have been improved with performance in mind.
  • The improved management of connections, interfaces and sources: The user can now control zone settings for connections in NetworkManager. In addition, zone settings for interfaces are also controlled by firewalld and in the ifcfg file.
  • Default logging option: With the new LogDenied setting, the user can easily debug and log denied packets.
  • ipset support: firewalld now supports ipsets used as zone sources, within rich and direct rules. (BZ#1302802)

audit rebased to version 2.6.5

The audit packages contain the user space utilities for storing and searching the audit records which have been generated by the audit subsystem in the Linux kernel. The audit packages have been upgraded to upstream version 2.6.5, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
  • The audit daemon now includes a new flush technique called incremental_async, which improves its performance approximately 90 times.
  • The audit system now has many more rules that can be composed into an audit policy. Some of these new rules include support for the Security Technical Implementation Guide (STIG), PCI Data Security Standard, and other capabilities such as auditing the occurrence of 32-bit syscalls, significant power usage, or module loading.
  • The auditd.conf configuration file and the auditctl command now support many new options.
  • The audit system now supports a new log format called enriched, which resolves UID, GID, syscall, architecture, and network addresses. This will aid in log analysis on a machine that differs from where the log was generated. (BZ#1296204)

MACsec (IEEE 802.1AE) is now supported

With this update, the Media Access Control Security (MACsec) encryption over Ethernet is supported. MACsec encrypts and authenticates all traffic in LANs with the GCM-AES-128 algorithm. (BZ#1104151)

The rsyslog RELP module now binds to a specific rule set

With this update, the rsyslog Reliable Event-Logging Protocol (RELP) module is now capable of binding to specific rule set with each input instance. The input() instance rule set has higher priority than the module() rule set. (BZ#1223566)

rsyslog imfile module now supports a wildcard file name

The rsyslog packages provide an enhanced, multi-threaded syslog daemon. With this update, the rsyslog imfile module supports using wildcards inside file names and adding the actual file name to the message's metadata. This is useful, when rsyslog needs to read logs under a directory and does not know the names of files in advance. (BZ#1303617)

Syscalls in audit.log are now converted to text

With this update, auditd converts system call numbers to their names prior to forwarding them to syslog daemon through the audispd event multiplexor. (BZ#1127343)

audit subsystem can now filter by process name

The user can now audit by executable name (with the -F exe=<path-to-executable> option), which allows expression of many new audit rules. You can use this functionality to detect events such as the bash shell opening a network connection. (BZ#1135562)

mod_security_crs rebased to version 2.2.9

The mod_security_crs package has been upgraded to upstream version 2.2.9, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • A new PHP rule (958977) to detect PHP exploits.
  • A JS overrides file to identify successful XSS probes.
  • New XSS detection rules.
  • Fixed session-hijacking rules. (BZ#1150614)

opencryptoki rebased to version 3.5

The opencryptoki packages have been upgraded to version 3.5, which provides a number of bug fixes and enhancements over the previous version.
Notable changes include:
  • The openCryptoki service automatically creates lock/ and log/ directories, if not present.
  • The PKCS#11 API supports hash-based message authentication code (HMAC) with SHA hashes in all tokens.
  • The openCryptoki library provides dynamic tracing set by the OPENCRYPTOKI_TRACE_LEVEL environment variable. (BZ#1185421)

gnutls now uses the central certificate store

The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. With this update, GnuTLS uses the central certificate store of Red Hat Enterprise Linux through p11-kit packages. Certificate Authority (CA) updates are now visible to applications at runtime. (BZ#1110750)

The firewalld-cmd command can now provide additional details

With this update, firewalld shows details of a service, zone, and ICMP type. Additionally, the user can list the full path to the source XML file. The new options for firewalld-cmd are:
  • [--permanent] --info-zone=zone
  • [--permanent] --info-service=service
  • [--permanent] --info-icmptype=icmptype (BZ#1147500)

libica rebased to version 2.6.2

The libica packages have been updated to upstream version 2.6.2, which provides a number of bug fixes and enhancements over the previous version. Notably, this update adds support for generation of pseudo random numbers, including enhanced support for Deterministic Random Bit Generator (DRBG), according to updated security specification NIST SP 800-90A. (BZ#1274390)

Chapter 16. Servers and Services

PHP cURL module now supports TLS 1.1 and TLS 1.2

Support for the TLS protocol version 1.1 and 1.2, which was previously made available in the curl library, has been added to the PHP cURL extension. (BZ#1291667)

squid rebased to version 3.5.20

Squid is a fully-featured HTTP proxy, which offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. The squid packages have been upgraded to version 3.5.20. The most notable changes include:
  • Support for libecap version 1.0
  • Authentication helper query extensions
  • Support for named services
  • Upgraded the squidclient utility
  • Helper support for concurrency channels
  • Native FTP Relay
  • Receive PROXY protocol, versions 1 and 2
  • SSL server certificate validator
  • Note directive for annotating transactions
  • TPROXY support for BSD systems
  • spoof_client_ip directive for managing TPROXY spoofing
  • Various Access Control updates
  • Support for the OK, ERR, and BH response codes and the kv-pair options from any helper
  • Improved pipeline queue configuration.
  • Multicast DNS (BZ#1273942)

Dovecot has tcp_wrappers support enabled

Dovecot is an IMAP server, primarily written with security in mind. It also contains a small POP3 server and supports e-mail in either the Maildir or Mbox format.
In this update, Dovecot is built with tcp_wrappers support enabled. You can now limit network access to Dovecot using tcp_wrappers as an additional layer of security. (BZ#1229164)

Necessary classes added to allow log4j as Tomcat logging mechanism

Due to missing tomcat-juli.jar and tomcat-juli-adapters.jar files, the log4j utility could not be used as Tomcat logging mechanism. The necessary classes have been added and log4j can now be used for logging. (BZ#1133070)

MySQL-python rebased to version 1.2.5

The MySQL-python packages have been upgraded to upstream version 1.2.5, which provides a number of bug fixes and enhancements over the previous version. Notably, a bug causing ResourceClosedError in neutron and cinder services has been fixed. (BZ#1266849)

The BIND server now supports CAA records

Certification Authority Authorization (CAA) support has been added to the Berkeley Internet Name Domain (BIND) server. Now, users can restrict Certification Authorities by specifying the DNS record. (BZ#1306610)

Chapter 17. Storage

New kernel subsystem: libnvdimm

This update adds libnvdimm, a kernel subsystem responsible for the detection, configuration, and management of Non-Volatile Dual Inline Memory Modules (NVDIMMs). As a result, if NVDIMMs are present in the system, they are exposed through the /dev/pmem* device nodes and can be configured using the ndctl utility. (BZ#1269626)

New packages: nvml

The nvml packages contain the Non-Volatile Memory Library (NVML), a collection of libraries for using memory-mapped persistence, optimized specifically for persistent memory. (BZ#1274541)

SCSI now supports multiple hardware queues

The nr_hw_queues field is now present in the Scsi_Host structure, which allows drivers to use the field. (BZ#1308703)

The lvextend command no longer attempts to resize a file system when the size of the logical volume has not changed

Previously, if the lvextend command was not able to resize a logical volume, the size of the logical volume did not change but an attempt was made to resize the file system. With this fix, if a logical volume does not change size, the lvextend command does not try to resize the file system. As a result, the exit code returned from the command has also changed in this circumstance. (BZ#1354396)

Improved LVM locking infrastructure

lvmlockd is a next generation locking infrastucture for LVM. It allows LVM to safely manage shared storage from multiple hosts, using either the dlm or sanlock lock managers. sanlock allows lvmlockd to coordinate hosts through storage-based locking, without the need for an entire cluster infrastructure. For more information, see the lvmlockd(8) man page.
This feature was originally introduced in Red Hat Enterprise Linux 7.2 as a Technology Preview. In Red Hat Enterprise Linux 7.3, 'lvmlockd' is fully supported. (BZ#1299977)

Support for caching thinly-provisioned logical volumes with limitations

Red Hat Enterpirse Linux 7.3 provides the ability to cache thinly provisioned logical volumes. This brings caching benefits to all the thin logical volumes associated with a particular thin pool. However, when thin pools are set up in this way, it is not currently possible to grow the thin pool without removing the cache layer first. This also means that thin pool auto-grow features are unavailable. Users should take care to monitor the fullness and consumption rate of their thin pools to avoid running out of space. Refer to the lvmthin(7) man page for information on thinly-provisioned logical volume and the lvmcache(7) man page for information on LVM cache volumes. (BZ#1371597)

Chapter 18. Virtualization

VT-d posted interrupts

Red Hat Enterprise Linux now supports the Intel Virtualization Technology for Directed I/O (VT-d) in CPU-side posted interrupts. With the VT-d posted interrupts feature enabled, external interrupts from direct-assigned devices can be delivered to guests without the need for assistance by the Virtual Machine Manager, even when the guests are running in non-root mode. (BZ#1172351)

Guests using an RBD volume now use an encoded, encrypted startup secret

Previously, when libvirt generated the QEMU command line arguments for guests using an authenticated Rados Block Device (RBD) volume, the password to the RBD server would encoded as an argument allowing for the possibility for that password to be decoded. In the current release, the password is provided as an encoded, encrypted object that QEMU decrypts based on a shared, encrypted domain key that is valid only while the guest is running. Usage of this form of secret handling provides the capability for a more secure environment. Subsequent domain restarts will always generate a unique shared private key between libvirt and QEMU. (BZ#1182074)

Hyper-V storage driver (storvsc) updated

The Hyper-V storage driver (storvsc) was updated from upstream. This provides moderate performance improvement of I/O operations when using Hyper-V storvsc driver for certain workloads. (BZ#1287040)

Hyper-V clock source changed to use the TSC page

With this update, the Time Stamp Counter (TSC) page is used as the Hyper-V clock source. The TSC page provides a more efficient way of computing the per-guest reference counter value than the previously used model-specific register (MSR). As a result, kernel operations that involve reading time stamps are now faster. (BZ#1300325)

libguestfs rebased to version 1.32.6

The libguestfs packages have been upgraded to upstream version 1.32.6, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:
  • The virt-get-kernel utility has been added, which can be used to extract the kernel and initial RAM file system (initramfs) from a disk image file. For details, see the virt-get-kernel(1) man page.
  • The virt-dib utility has been added. Its capabilities include building disk image files and ramdisks. For more information, see the virt-dib(1) man page.§
  • Multiple options have been added for the virt-customize, virt-builder, and virt-systprep utilities. (BZ#1218766)

virt-v2v and virt-p2v add support for latest Windows releases

The virt-v2v utility now includes support for converting virtual machines that use Windows 8, 8.1 and 10, and Windows Server 2012 and 2012R2 from the VMWare hypervisor to run on KVM, Red Hat Enterprise Virtualization, and OpenStack. In addition, the virt-p2v utility now includes support for converting physical machines that use the mentioned Windows systems to virtual machines compatible with KVM, Red Hat Enterprise Virtualization, and OpenStack. (BZ#1190669)

libvirt administration API added

This update enables an administration interface for the libvirtd service. Unlike persistent libvirtd configuration, which can be adjusted using the libvirtd.conf file and requires daemon restart each time it is modified, the administration interface enables users to change the daemon settings at any time. In addition, the administration interface provides multiple means of monitoring current daemon settings.
Specifically, the operations that the API enables include the following:
  • Listing all daemon servers
  • Listing all client connections
  • Providing detailed information about a client connection
  • Closing individual client connections in a forceful manner
  • Reconfiguration of the limits to number of allowed clients and active worker threads on the host.
The administration interface can be controlled using the virt-admin" tool, which is based on the existing virsh client. For more information, see the virt-admin(1) man page. (BZ#735385)

virt-p2v is fully supported

The virt-p2v tool, introduced in Red Hat Enterprise Linux 7.2 as a Technology Preview, is now fully supported. It enables converting physical machines to virtual machines compatible with the KVM hypervisor, and was previously available as a Technology Preview.
virt-p2v is provided as an ISO image that contains a minimal Red Hat Enterprise Linux distribution and the tool itself. To convert a physical machine, burn the ISO image to a CD and use it to boot the physical machine. PXE booting and USB booting are also supported. Afterwards, follow the on-screen instructions to perform a manual conversion or activate the automated conversion.
For further information, install the virt-v2v package and see the virt-p2v(1) manual page. (BZ#1358332)

WALinuxAgent rebased to version 2.1.5

The Windows Azure Linux Agent has been upgraded to upstream version 2.1.5, which provides a number of bug fixes and enhancements over the previous version. This agent supports the provisioning and running of Linux Virtual Machines in the Windows Azure cloud and should be installed on Linux images that are built to run in the Windows Azure environment. The WALinuxAgent package is provided in the Extras channel. (BZ#1296359)

New package: libvirt-nss

Red Hat Enterprise Linux 7.3 adds the libvirt-nss package, which enables you to use the libvirt Network Security Services (NSS) module. This module makes it easier to connect to guests with TLS, SSL, SSH, as well as other remote login services. In addition, it benefits utilities that use host name translation, such as ping. For more information, see the Red Hat Enterprise Linux 7 Virtualization Deployment and Administration Guide. (BZ#1325996)

Intel Xeon v5 processors supported on KVM guests

Support for Intel Xeon v5 processors has now been added to the KVM hypervisor and kernel code, and to the libvirt API. This enables KVM guest virtual machines to use the following features: MPX, XSAVEC, XGETBV1. (BZ#1327599)

VirtIO 1.0 full support

VirtIO 1.0 devices, introduced in Red Hat Enterprise Linux 7.2 as a Technology Preview, are now fully supported. This enables a number of virtualization features when using the Intel Q35 Express Chipset on the guest. These features include PCI Express (PCIe) chipset and ports, Advanced Host Controlled Interface (AHCI), and PCI device assignment to PCIe ports. Note that certain Q35 Express Chipset features remain unsupported, such as legacy PCI bridges and legacy PCI devices. (BZ#1227339)

libvirt iptables rules can be manually managed for a specified network

libvirt automatically generates and applies iptables rules appropriate for each type of network it creates. The rules are controlled by forward mode in the configuration of each network. Previously, there was no way for users to disable these automatically generated iptables rules and manually manage the iptables rules. In the current release, the open network forward mode was added. When specified for a network, libvirt does not generate any iptables rules for the network. As a result, iptables rules added outside the scope of libvirt are not disrupted and users can manually manage iptables rules. (BZ#846810)

Chapter 19. Atomic Host and Containers

Red Hat Enterprise Linux Atomic Host

Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers. See the Atomic Host and Containers Release Notes for the latest new features, known issues, and Technology Previews.

Chapter 20. Red Hat Software Collections

Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set allows for optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can pick and choose which package version they want to run at any time.
Red Hat Developer Toolset is now a part of Red Hat Software Collections. It is included as a separate Software Collection. Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, Eclipse development platform, and other development, debugging, and performance monitoring tools.

Important

Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.

Part II. Notable Bug Fixes

Chapter 21. General Updates

Shortening of long network device names

Previously, some network devices had unacceptably long names. This was due to certain firmware reporting meaningless data, such as the device's onboard index value, which the kernel passed to user-space. This resulted in problems with maximum name length, especially with VLANs. With this update, systemd rejects unacceptably long names and falls back to a different naming scheme. As a result, long network device names will no longer appear.
IMPORTANT: This means that names on existing installations might change. (BZ#1230210)

A fix for systemd to read the device identification bytes correctly

Due to an endianness problem, the version of systemd in Red Hat Enterprise Linux 7.2 read the device identification bytes in a wrong order, causing the dev/disk/by-id/wwn-* symbolic links to be generated incorrectly. A patch has been applied to put the device identification bytes in the correct order and the symbolic links are now generated correctly. Any reference that depends on the value obtained from /dev/disk/by-id/wwn-* needs to be modified to work correctly in Red Hat Enterprise Linux 7.3 and later. (BZ#1308795)

The value of net.unix.max_dgram_qlen increased to 512

Previously, the default value of the net.unix.max_dgram_qlen kernel option was 16. As a consequence, when the network traffic was too high, certain services could terminate unexpectedly. This update sets the value to 512, thus preventing this problem. Users need to reboot the machine to apply this change. (BZ#1267707)

Chapter 22. Authentication and Interoperability

The idmap_hash module now works correctly when used with other modules

Previously, the idmap_hash module worked incorrectly when it was used together with other modules. As a consequence, user and group IDs were not mapped properly. A patch has been applied to skip already configured modules. Now, the hash module can be used as the default idmap configuration back end and IDs are resolved correctly. (BZ#1316899)

Chapter 23. Clustering

The DLM now detects and reports connection problems

Previously, the Distributed Lock Manager (DLM) used for cluster communications expected TCP/IP packet delivery and waited for responses indefinitely. As a consequence, if a DLM connection was lost, there was no notification of the problem. With this update, the DLM detects and reports when cluster communications are lost. As a result, DLM communication problems can be identified, and cluster nodes that become unresponsive can be restarted once the problems are resolved. (BZ#1267339)

Pacemaker correctly interprets systemd responses and systemd services are stopped in proper order at cluster shutdown

Previously, when a Pacemaker cluster was configured with systemd resources and the cluster was stopped, Pacemaker could mistakenly assume that a systemd service had stopped before it actually had stopped. As a consequence, services could be stopped out of order, potentially leading to stop failures. With this update, Pacemaker now correctly interprets systemd responses and systemd services are stopped in the proper order at cluster shutdown. (BZ#1286316)

Pacemaker now distinguishes transient failures from fatal failures when loading systemd units

Previously, Pacemaker treated all errors loading a systemd unit as fatal. As a consequence, Pacemaker would not start a systemd resource on a node where it could not load the systemd unit, even if the load failed due to transient conditions such as CPU load. With this update, Pacemaker now distinguishes transient failures from fatal failures when loading systemd units. Logs and cluster status now show more appropriate messages, and the resource can start on the node once the transient error clears. (BZ#1346726)

Pacemaker now removes node attributes from its memory when purging a node that has been removed from the c

luster
Previously, Pacemaker's node attribute manager removed attribute values from its memory but not the attributes themselves when purging a node that had been removed from the cluster. As a result, if a new node was later added to the cluster with the same node ID, attributes that existed on the original node could not be set for the new node. With this update, Pacemaker now purges the attributes themselves when removing a node and a new node with the same ID encounters no problems with setting attributes. (BZ#1338623)

Pacemaker now correctly determines expected results for resources that are in a group or depend on a clone

Previously, when restarting a service, Pacemaker's crm_resource tool (and thus the pcs resource restart command) could fail to properly determine when affected resources successfully started. As a result, the command could fail to restart a resource that is a member of a group, or the command could hang indefinitely if the restarted resource depended on a cloned resource that moved to another node. With this update, the command now properly determines expected results for resources that are in a group or depend on a clone. The desired service is restarted, and the command returns. (BZ#1337688)

Fencing now occurs when DLM requires it, even when the cluster itself does not

Previously, DLM could require fencing due to quorum issues, even when the cluster itself did not require fencing, but would be unable to initiate it, As a consequence, DLM and DLM-based services could hang waiting for fencing that never happened. With this fix, the ocf:pacemaker:controld resource agent now checks whether DLM is in this state, and requests fencing if so. Fencing now occurs in this situation, allowing DLM to recover. (BZ#1268313)

Chapter 24. Compiler and Tools

Removal of purposeless warning message for physically non-existing nodes

Previously, when the numa_node_to_cpus() function was called on a node which did not have an entry in the sysfs directory, the libnuma library always printed a warning message about an invalid sysfs. Consequently, libnuma printed the confusing warning message also for physically non-existing nodes (for example, for non-contiguous node numbers) and this warning could not be overridden when the function was called using the dlsym interface. With this update, the mentioned warning message is printed just for NUMA nodes that were found during an initial scan but then did not appear in sysfs. As a result, users of libnuma no longer receive the warning message for non-contiguous node numbers. (BZ#1270734)

Origin plug-in added to the sos package

The origin plug-in has been added to the sos package. The plug-in collects information about OpenShift Origin and related products, such as Atomic Platform or OpenShift Enterprise 3 and higher. This allows users to gather information about OpenShift Origin deployments. (BZ#1246423)

Selection of OpenJDK version family now remembered across updates

Prior to this update, when a user had multiple JDKs installed, yum update always updated to the newest JDK even if the user had previously selected some lower-prioritized JDK. This update introduces the --family switch for chkconfig, which makes sure that the selected JDK remains in the version 'family' after system updates. (BZ#1296413)

RC4 is now disabled by default in OpenJDK 6 and OpenJDK 7

Earlier OpenJDK packages allowed the RC4 cryptographic algorithm to be used when making secure connections using Transport Layer Security (TLS). This algorithm is no longer secure, and it has been disabled in this release. To retain its use, it is necessary to revert to the earlier setting of the jdk.tls.disabledAlgorithms of SSLv3, DH keySize < 768. This can be done permanently in the <java.home>/jre/lib/security/java.security file or by adding the following line:
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
to a new text file and passing the location of that file to Java on the command line using the -Djava.security.properties=<path to file> argument. (BZ#1302385)

system-switch-java rebased to version 1.7

The system-switch-java package, which provides an easy-to-use tool to select the default Java toolset for the system, has been updated to version 1.7. The new version has been rewritten to support modern JDK packages. The main enhancements include support for multiple Java installations, addition of -debug packages, and support for JDK 9. (BZ#1283904)

zsh no longer deadlocks on malloc() execution

Previously, if the zsh process received a signal during the execution of a memory allocation function and the signal handler attempted to allocate or free memory, zsh entered a deadlock and became unresponsive. With this update, signal handlers are no longer enabled while handling the global state of zsh or while using the heap memory allocator. This ensures that the described deadlock no longer occurs. (BZ#1267912)

SCSI device types described using multiple words are now handled correctly

Prior to this update, the rescan-scsi-bus.sh tool misinterpreted SCSI device types that were described using more than one word, for example, Medium Changer or Optical Device. Consequently, when the script was run on systems that had such device types attached, the script printed multiple misleading error messages. With this update, device types described with multiple words are handled correctly, and the proper device-type description is returned to the user without any errors. (BZ#1298739)

gdbserver now supports seamless debugging of processes from containers

Prior to this update, when GDB was executing inside a Super-Privileged Container (SPC) and attached to a process that was running in another container on Red Hat Enterprise Linux Atomic Host, GDB did not locate the binary images of the main executable or any shared libraries loaded by the process to be debugged.
As a consequence, GDB may have displayed error messages relating to files not being present, or being present but mismatched. Also, GDB may have seemed to attach correctly, but subsequent commands may have failed or displayed corrupted information.
In Red Hat Enterprise Linux 7.3, gdbserver has been extended for seamless support of debugging processes from containers. The Red Hat Enterprise Linux 7.3 version of gdbserver newly supports the qXfer:exec-file:read and vFile:setfs packets. However, the Red Hat Enterprise Linux 7.3 version of gdb cannot use these packets. The Red Hat Developer Toolset 4.1 (or higher) version of gdb is recommended for use with containers and with Red Hat Enterprise Linux 7.3 gdbserver. The Red Hat Developer Toolset version of gdbserver can be used as well.
Red Hat Enterprise Linux 7.3 gdb can now suggest using gdbserver when run with the -p parameter (or the attach command) and when, at the same time, it detects that the process being attached is from a container. Red Hat Enterprise Linux 7.3 gdb now also suggests the explicit use of the file command to specify the location of the process executable in the container being debugged. The file command does not need to be entered when the Red Hat Developer Toolset version of gdb is being used instead.
With this update, Red Hat Enterprise Linux 7.3 gdbserver provides seamless debugging of processes from containers together with Red Hat Developer Toolset 4.1 (or higher) gdb. Additionally, Red Hat Enterprise Linux 7.3 gdb guides the user through the debugging of processes from containers when Red Hat Developer Toolset gdb is not available. (BZ#1186918)

GDB no longer reports spurious SIGTRAP signals on the 64-bit ARM architecture

Prior to this update, GDB reported spurious SIGTRAP signals when a false watchpoint was detected by the processor on the 64-bit ARM architecture. GDB can now detect a hardware reason why the SIGTRAP signal occurred, and spurious SIGTRAP signals are no longer reported when hardware watchpoints are in use. (BZ#1261564)

GDB no longer kills running processes with deleted executables

Prior to this update, GDB attempting to attach to a running process with a deleted executable would accidentally kill the process. This bug has been fixed, and GDB no longer erroneously kills processes with deleted executables. (BZ#1326476)

GDB now generates smaller core files and respects core-dump filtering

The gcore command, which provides GDB with its own core-dumping functionality, has been updated to more closely simulate the function of the Linux kernel core-dumping code, thus generating smaller core-dump files. GDB now also respects the /proc/PID/coredump_filter file, which controls what memory segments are written to core-dump files. (BZ#1265351)

The opreport and opannote utilities now properly analyze archive data.

Previously, when using oparchive to store data, the associated samples were not included in the archive. In addition, the oprofile utilities selected data in the current working oprofile_data directory rather than in the archive. Consequently, the opreport and opannote utilities were unable to properly analyze data in an archive generated by oparchive. This update provides a fix for storing the profiling samples in the archive and selecting them for use with archives, and opreport and opannote now work as expected. (BZ#1264443)

Events with identical numerical unit masks are now handled by their names

The 5th-generation Core i3, i5, and i7 Intel processors have some events that have multiple unit masks with the same numerical value. As a consequence, some events' default unit masks were not found and selected. This update changes the events to use a name rather than a numerical value for the default unit mask, thus fixing this bug. (BZ#1272136)

More accurate PAPI_L1_DC* event on IBM Power7 and IBM Power8 platforms

Previously, the PAPI event presets for cache events incorrectly computed derived values for various IBM Power7 and Power8 processors. Consequently, the PAPI_L1_DCR, PAPI_L1_DCW, and PAPI_L1_DCA event values were incorrect. The preset computations have been fixed and the mentioned events are now more accurate. (BZ#1263666)

Chapter 25. Desktop

Sphinx builds HTML documentation in FIPS mode properly

Previously, the Python Sphinx generator failed to build documentation in the HTML format on systems with FIPS mode activated. With this update,the use of the md5() function has been fixed by setting the used_for_security parameter to to false. As a result, Sphinx now builds HTML documentation as expected. (BZ#966954)

Poppler no longer renders certain characters incorrectly

Previously, the Poppler library did not map correctly to character code. As a consequence, Poppler showed the 'fi' string instead of showing the correct glyph, or nothing, if the font did not contain necessary glyphs. With this update, the characters previously replaced with the 'fi' string are shown correctly. (BZ#1298616)

Poppler no longer tries to access memory behind the array

Memory corruption due to exceeding the length of array caused the Poppler library to terminate unexpectedly. A fix has been applied to not allow Poppler to try to access memory behind the array, and Poppler no longer crashes in the described situation. (BZ#1299506)

pdftocairo no longer crashes when processing a PDF without group color space

Previously, the Poppler library tried to access a non-existing object when processing a PDF without group color space. As a consequence, the Poppler library terminated unexpectedly with a segmentation fault. A patch has been applied to verify if group color space exists. As a result, Poppler no longer crashes, and the pdftocairo utility works as expected in the described situation. (BZ#1299479)

Poppler no longer terminates unexpectedly during text extraction

Previously, a writing after the end of the lines array could cause a memory corruption. As a consequence, the Poppler library could terminate unexpectedly. A patch has been applied and array is now always relocated when an item is added. As a result, Poppler no longer crashes in the described situation. (BZ#1299481)

pdfinfo no longer terminates unexpectedly due to asserting broken encryption information

Previously, Poppler tried to obtain broken encryption owner information. As a consequence, the pdfinfo utility to terminate unexpectedly. A fix has been applied to fix this bug, and Poppler no longer asserts broken encryption information. As a result, pdfinfo no longer crashes in the described situation. (BZ#1299500)

Evince no longer crashes when viewing a PDF

Previously, screen annotation and form fields passed a NULL pointer to _poppler_action_new, and Poppler created a false PopplerAction when viewing certaing PDFs in the Evince application. As a consequence, Evince terminated unexpectedly with a segmentation fault. A patch has been applied to modify _poppler_annot_scren_new and poppler_form_field_get_action to pass PopplerDocument instead of NULL. As a result, Evince no longer crashes in the described situation. (BZ#1299503)

Virtual machines started by GNOME Boxes are no longer accessible to every user

Previously, virtual machines started by GNOME Boxes were listening on a local TCP socket. As a consequence, any user could connect to any virtual machine started by another user. A patch has been applied and GNOME Boxes no longer opens such sockets by default. As a result the virtual machines are now accessible through SPICE only to the user who owns the virtual machine. (BZ#1043950)

FreeRDP now recognizes wildcard certificates

Previously, wildcard certificates support was not implemented in FreeRDP. As a consequence, wildcard certificates were not recognized by FreeRDP, and the following warning was displayed when connecting:
WARNING: CERTIFICATE NAME MISMATCH!
Missing functionality has been backported from upstream and code for comparing host names was improved. As a result, the mentioned prompt is no longer shown if a valid wildcard certificate is used. (BZ#1275241)

Chapter 26. Directory Server in Red Hat Enterprise Linux

The cleanAllRUV task no longer logs false attrlist_replace errors

A memory corruption bug in the cleanAllRUV task was causing attrlist_replace error messages to be logged by mistake. The task has been updated to use a different function for memory copying, and it no longer writes false error messages to logs. (BZ#1288229)

Connection objects no longer deadlock

Previously, an unnecessary lock was sometimes acquired on a connection object, which could then cause a deadlock. A patch has been applied to remove the unnecessary locking, and the deadlock no longer occurs. (BZ#1278755)

Abandon requests for simple paged results searches no longer cause a crash

Prior to this update, Directory Server could receive an abandon request for a simple paged results search after the abandon check was completed but before the results were fully sent. In this case, the abandon request was processed while the results were being sent, which caused Directory Server to crash. This update adds a lock which prevents abandon requests from being processed while the results are already being sent, and the crash no longer occurs. (BZ#1278567)

Simple paged results search slots are now correctly released after a failure

Previously, if a simple paged results search failed in the back end, the simple paged results slot was not released. Consequently, multiple simple paged results slots could be accumulated in a connection object. With this update, the simple paged results slot is released correctly when a search fails, and unused simple paged results slots are no longer left in a connection object. (BZ#1290242)

Deleting a back end database no longer causes deadlocks

Transaction information was previously not passed to one of the database helper functions during back end deletion. Consequently, a deadlock occurred if a plug-in attempted to access data in the area locked by the transaction. This update ensures that transaction information is passed to all necessary database helper functions, and the deadlock no longer occurs. (BZ#1273555)

Deleting and adding the same LDAP attribute now correctly updates the equality index

Previously, when several values of the same LDAP attribute were deleted using the ldapmodify command, and at least one of them was added again during the same operation, the equality index was not updated. As a consequence, an exact search for the re-added attribute value did not return that entry. The logic of the index code has been modified to update the index if at least one of the values in the entry changes, and the exact search for the re-added attribute value now returns the correct entry. (BZ#1290600)

Abandon requests in simple paged results searches no longer cause deadlocks

An exclusive connection lock was previously added as part of a bug fix related to abandon requests in simple paged results searches. However, in specific circumstances, this new lock causes a self-deadlock. This update makes the lock reentrant, and self-deadlocks no longer occur during simple paged results searches. (BZ#1295947)

Simple paged results searches no longer return 0 instead of the actual results

Previously, when a simple paged results slot in a connection was discarded due to an error such as SIZELIMIT_EXCEEDED, the discarded slot was not cleaned up properly. Subsequent searches which reused this slot then always returned 0. With this update, discarded simple paged results slots are cleaned up correctly, and searches return correct results even with reused slots. (BZ#1331343)

ACL plug-in no longer crashes due to missing pblock object

When a persistent search ("psearch") was launched by a bind user without sufficient permissions, the access permissions object in cache failed to reset to point the initial pblock structure to the permanent structure. As a consequence, the access control list (ACL) plug-in could crash the server due to a missing pblock object. This update ensures that the initial object is reset to the permanent structure, and Directory Server no longer crashes in this situation. (BZ#1302823)

Password conversion from DES to AES now works properly

During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the Reversible Password Plug-in was changed from DES to AES. Directory Server automatically converted all passwords to the new algorithm upon upgrade. However, password conversion failed with an error 32 if any defined back end was missing the top entry. Additionally, even if the conversion failed, 389-ds-base still disabled the DES plug-in, which caused existing passwords to fail to decode.
This bug has been fixed, 389-ds-base now ignores errors when searching back ends for passwords to convert, and the DES plug-in is now only disabled after all passwords are successfully converted to AES. (BZ#1320715)

Failed replication updates are now retried correctly in the next session

If a replica update failed on the consumer side and was followed by another update that succeeded, the consumer's replication status was updated by the successful update, which caused the consumer to seem as if it was up to date. Consequently, the failed update was never retried, leading to data loss. With this update, a replication failure closes the connection and stops the replication session. This prevents further updates from changing the consumer's replication status, and allows the supplier to retry the failed operation in the next session, avoiding data loss. (BZ#1310848)

The LICENSE file now shows correct license information

Previously, the output of the rpm -qi 389-ds-base command displayed an incorrect License field with an earlier license, GPLv2 with exceptions. This problem has been fixed and the 389-ds-base package now provides the correct license information (the GPLv3+ license) in its LICENSE file. (BZ#1315893)

Passwords reset by administrators are now stored in password history

When a user password was reset by an administrator, the old password was previously not stored in the user's password history. This allowed the user to reuse the same password after the reset. With this update, passwords reset manually by administrators are stored in password history, and the user must use a different password. (BZ#1332709)

Entries rejected by multiple plug-ins no longer show up in searches

Previously, when an entry was rejected by multiple back end transaction plug-ins (for example, Auto Membership or Managed Entry) at the same time, the entry cache was left in an inconsistent state. This allowed a search to return the entry even though it was not added. With this update, the entry cache which stores the Distinguished Name (DN) of the entry is properly cleaned up when an add operation fails, and rejected entries are no longer returned by ldapsearch. (BZ#1304682)

Running db2index with no options no longer causes replication failures

When running the db2index script with no options, the script failed to handle on-disk Replica Update Vector (RUV) entries because these entries have no parent entries. The existing RUV was skipped and a new one was generated instead, which subsequently caused the next replication to fail due to an ID mismatch. This update fixes handling of RUV entries in db2index, and running this script without specifying any options no longer causes replication failures. (BZ#1340307)

Promoting a consumer to a master no longer fails due to duplicate ID errors

Previously, when a consumer instance was promoted to master, a new element was appended to the end of the replica update vector (RUV). However, when attempting to replicate from the newly promoted master, the remote checked the first element of the RUV instead of the last one, which caused it to abort the replication session due to a duplicate ID. With this update, the RUV is reordered when promoting a replica to a master, and replication from masters which were previously replicas no longer fails. (BZ#1278987)

nsslapd now correctly sets its working directory

A regression introduced in an earlier bug fix caused nsslapd to skip setting its working directory (the nsslapd-workingdir attribute) by default when it was started by systemd. This bug has been fixed and the working directory is being set during startup again. (BZ#1360447)

Chapter 27. File Systems

The quota RPC service is no longer unavailable

After upgrading the nfs-utils packages, the nfs-rquotad.service systemd service was previously unavailable on the system after starting the quota Remote Procedure Call (RPC) service. To fix this bug, the quota packages now include a new rpc-rquotad.service *systemd* service, which provides the quota RPC service that allows querying and setting disk quotas over a network. The service can be configured in the /etc/sysconfig/rpc-rquotad file. The nfs-rquotad service alias is also provided to ensure compatibility with earlier versions. As a result, the quota RPC service is now available on Red Hat Enterprise Linux 7 as expected in the described situation. (BZ#1207239)

Chapter 28. Hardware Enablement

Primary bond interface no longer takes over active interfaces that did not fail

The primary_reselect=failure bond parameter previously worked incorrectly. The primary interface was always taking over even if others did not fail. With this update, the parameter works as expected and the primary bond interface only takes over if the current non-primary active interface fails. (BZ#1301451)

Removing a USB device no longer causes a race condition

Previously, removing a USB device caused a problem in synchronization, which could lead to a race condition. With this update, the timer is initialized early enough, which prevents the possibility of a race condition. (BZ#1290202)

The kernel now boots on AMD Turion II systems

Previously, because of a livelock in the tick broadcast code, AMD Turion II systems locked up and became unresponsive during boot. With this update, the livelock is fixed, and the kernel now boots on AMD Turion II systems. (BZ#1265283)

Real-time systems with many CPUs no longer have large latencies due to run-queue lock contention

Previously, on real-time systems, multiple CPUs tried to take an rq lock, which resulted in lock contention and a latency. The latency was multiplied by the number of CPUs, which caused the systems with many CPUs to have large latencies. With this update, systems with more than 32 cores use the \"push\" approach rather than \"pull\", which prevents long lists of CPUs in critical areas. As a result, real-time systems with many CPUs no longer have large latencies due to run-queue lock contention. (BZ#1209987)

The kernel no longer crashes when enabling multi-queue support with NVM Express device driver

Previously, there was a bug in the core block device code that could lead to the kernel terminating unexpectedly when enabling multi-queue support on the Nonvolatile Memory (NVM) Express (*nvme*) device driver. Though that issue was observed with the nvme driver, other block devices could also be affected, which could also cause the kernel to crash. With this update, this bug has been fixed, and the kernel works as expected. (BZ#1303255)

The CPU frequency now reaches the requested value

Previously, the CPU frequency numbers were rounded incorrectly by the intel_pstate driver. Consequently, the CPU frequency was lower than the user requested. With this update, the rounding errors have been fixed, and the CPU frequency now reaches the requested value. (BZ#1279617)

The get_cpu_light/put_cpu_light function in FCoE code has been fixed

Previously, in the Fibre Channel over Ethernet (FCoE) code in the real-time kernel, the get_cpu_light/put_cpu_light function had an imbalance in pairing. Consequently, preemption was disabled, and BUG: scheduling while atomic happened in the FCoE code. With this update, the get_cpu_light/put_cpu_light function has been fixed, and the bug no longer occurs. (BZ#1258295)

The performance of IBM Power Systems is no longer decreased

Previously, due to a regression, the Non-Uniform Memory Access (NUMA) node was not reported for PCI adapters. This caused significant decrease in the performance of every IBM Power System deployed with Red Hat Enterprise Linux 7. With this update, the regression has been fixed, and the system performance is no longer decreased in this situation. (BZ#1273978)

The system no longer crashes while setting up the DMA transfer

Due to the inconsistencies in the page size of Input/Output Memory Management Unit (IOMMU), the Nonvolatile Memory Express (NVMe) device, and the kernel, the BUG_ON signal previously occurred in the nvme_setup_prps() function. This lead to the system crash while setting up the Direct Memory Access (DMA) transfer. With this update, the default NVMe page size is set to 4k, and the system crash no longer occurs. (BZ#1245140)

Kernel no longer hangs during hot-unplug

Due to retry-able command errors, the NVMe driver previously leaked I/O descriptors and dma mappings. As a consequence, the kernel could become unresponsive during the hot-unplug operation if a drive was removed. This update fixes the driver memory leak bug on command retries, and the kernel no longer hangs in this situation. (BZ#1271860)

Disabling the Large Receive Offload (LRO) flag now propagates correctly

Previously, disabling the Large Receive Offload (LRO) flag was not propagated downwards from above devices in vlan and bond hierarchy. Consequently, the flow of traffic broke. With this update, the problem has been fixed and disabling of LRO flags now propagates correctly. (BZ#1266578)

Switching p-states on Intel Xeon v5 platforms now succeeds

Previously, on Intel Xeon v5 platforms, the processor frequency was always tied to the highest possible frequency. As a consequence, switching p-states on these client platforms failed. This update sets the idle frequency, busy frequency, and processor frequency values by determining the range and adjusting the minimum and maximum percent limits values. As a result, switching p-states on these client platforms now succeeds. (BZ#1264990)

The cpuscaling test no longer fails

The cpuscaling test of the certification test suite previously failed due to a number rounding bug in the intel-pstate driver. This bug has been fixed and the cpuscaling test now passes. (BZ#1263866)

The genwqe driver can allocate memory even during memory pressure situations

The genwqe device driver was previously using the GFP_ATOMIC flag for allocating consecutive memory pages from the kernel's atomic memory pool - even in non-atomic situations. This could lead to allocation failures during memory pressure. With this update, the genwqe driver's memory allocations use the GFP_KERNEL flag, and the driver can allocate memory even during memory pressure situations. (BZ#1270244)

The console no longer hangs

Previously, in the real-time kernel, the hotplug lock and the console semaphore could be acquired in an incorrect order. This could lead to a deadlock causing the system console to become unresponsive. With this update, the locks are acquired in the correct order, and console no longer hangs. (BZ#1269647)

LRO is now disabled by default in the ixgbe driver

Because Large Receive Offload (LRO) is incompatible with forwarding and bridging and can cause performance problems and instability, it is now disabled by default in the ixgbe driver.
To enable LRO:
# ethtool -K ethX lro on
Replace ethX with the name of the interface. (BZ#1266948)

The nx842 co-processor for IBM Power Systems no longer provides corrupted data

Previously, the nx842 co-processor for IBM Power Systems could in some circumstances provided invalid data. This was caused by a data corruption bug that occured during uncompression. With this update, all compression and uncompression calls to the nx842 co-processor contain a cyclic redundancy check (CRC) flag. This forces all compression and uncompression operations to check data integrity and prevents the co-processor from providing corrupted data. (BZ#1264905)

The system no longer crashes when calling the mlx4_en_recover_from_oom() function

Previously, when the mlx4_en_recover_from_oom() function was invoked under heavy TCP stream by the mlx4_en drive, the operating system crashed. This update fixes the bug, and the system no longer crashes in this scenario. (BZ#1258136)

iw displays regulatory information correctly

Previously, the iw utility did not correctly display the regulatory country after it was set with the iw reg set command. This update adjusts the iw code to match the Red Hat Enterprise Linux wireless code more closely. As a result, iw displays the regulatory country information as expected. (BZ#1324096)

Chapter 29. Installation and Booting

Graphics cards using the ast module can now be used during installation

Due to missing dependencies for the ast module in the installation system, graphics cards that rely on this module were unable to be used during installation of Red Hat Enterprise Linux 7. These dependencies have now been added. (BZ#1272658)

Installations can now be performed on disks containing invalid or unsupported partition tables.

Previously, when attempting to install Red Hat Enterprise Linux 7 on a disk with a corrupt or unsupported partition table, the installation failed, most commonly when attempting to write to the disk. Support for the removal of invalid and unsupported partition tables has been added, and installations can now be performed on disks with such partition tables. (BZ#1266199)

Multiple inst.dd options are now supported to load driver disks

The job for loading driver disks based on the inst.dd option was scheduled with a unique option. When multiple inst.dd sources were specified as boot options, only the last one was actually loaded and applied. This update ensures the job is no longer called as unique. As a result, multiple inst.dd boot options can now be specified to provide drivers via multiple driver update images from different sources. (BZ#1268792)

Help for the subscription manager screen during installation

The installer's built-in help system now includes information regarding the subscription manager screen. (BZ#1260071)

The Initial Setup utility starts correctly

Due to a race condition between the initial-setup-text service and the initial-setup-graphical service, the interface of the Initial Setup utility sometimes started incorrectly. The two services have now been combined into a single service, initial-setup. The original services are still available for compatibility, but are not used by default. As a result, the interface now displays correctly. (BZ#1249598)

VNC installation using IPv6 works correctly

Due to an error in the processing of IPv6 addresses, IPv6 address lookup failed. Consequently, it was not possible to install through VNC using IPv6. This bug has been fixed. (BZ#1267872)

HyperPAV aliases used during installation are now available on the installed system

Previously, HyperPAV aliases activated during installation were not correctly configured on the installed system. HyperPAV handling has now been improved, and any HyperPAV aliases used during installation are now automatically configured on the installed system. (BZ#1031589)

Improved support for network boot on EFI platforms

Due to a bug related to handling certain implementations of Simple Networking Protocol (SNP), network boot using PXE failed on some EFI-based platforms. This bug has been fixed and network boot on these platforms now works. (BZ#1273974)

Errors in custom partitioning are correctly detected

Previously, errors in custom partitioning were not displayed to the user properly, allowing the installation to continue with an invalid custom partition configuration, leading to unexpected behavior. This bug has been fixed and errors in custom partitioning are now correctly reported to the user so they can be adjusted before continuing the installation. (BZ#1269195)

Static routes configured during installation are now automatically configured on the installed system

Previously, static route configuration files were not copied from the installation environment to the installed system. Consequently, static route configuration during installation was lost after the installation finished. These files are now copied, and static routes configured during installation are automatically configured on the installed system. (BZ#1255801)

GRUB2 is now correctly configured when upgrading the kernel and redhat-release-*

Previously, if a redhat-release-* package and a kernel package were present in the same Yum transaction, the GRUB2 boot loader was reconfigured incorrectly. As a consequence, GRUB2 failed to boot the newly installed kernel. With this upate, GRUB2 is now correctly reconfigured and can boot the new kernel in this situation. (BZ#1289314)

Kickstart files valid for Red Hat Enterprise Linux 6 are now correctly recognized by ksvalidator

Previously, when using the ksvalidator utility to validate a Kickstart file made for Red Hat Enterprise Linux 6 that uses the logvol command with the --reserved-percent option, ksvalidator incorrectly stated that --reserved-percent is not a valid option. This bug has been fixed. (BZ#1290244)

Anaconda no longer crashes when adding iSCSI devices

Previously, the Anaconda installer terminated unexpectedly when attempting to add certain iSCSI devices using the Add a disk button in the Storage screen. This bug has now been fixed. (BZ#1255280)

The Anaconda installer correctly allows adjustment of a problematic disk selection

Previously, if a problem occurred with the selection of disks during installation of Red Hat Enterprise Linux 7, an error was displayed after the installation started, and thus caused the installation to fail. With this update, a warning is displayed at the proper time, allowing the disk selection to be adjusted before proceeding. (BZ#1265330)

The anaconda-user-help package is now upgraded correctly

The anaconda-user-help package was not upgraded correctly when upgrading from Red Hat Enterprise Linux 7.1. This has been fixed and the package is now upgraded correctly. (BZ#1275285)

A wider variety of partitions can be used as /boot

Previously, the GRUB2 boot loader only supported 8-bit device node minor numbers. Consequently, boot loader installation failed on device nodes with minor numbers larger than 255. All valid Linux device node minor numbers are now supported, and as a result a wider variety of partitions can be used as /boot partitions. (BZ#1279599)

Incorrect escaping of the '/' character in systemd no longer prevents the system from booting

Previously, systemd incorrectly handled the LABEL=/ option in the initial RAM disk (initrd). As a consequence, the label was not found, and the system failed to boot when the root partition LABEL included the '/' character. With this update, '/' is escaped correctly in the described situation, and the system no longer fails to boot. Updating to a higher minor version of Red Hat Enterprise Linux updates the kernel and rebuilds the initrd. You can also rebuild the initrd by running the dracut -f command. (BZ#1306126)

The default size of the /boot partition is now 1 GB

In previous releases of Red Hat Enterprise Linux 7, the default size of the /boot partition was set to 500 MB. This could lead to problems on systems with multiple kernels and additional packages such as kernel-debuginfo installed. The /boot partition could become full or almost full in such scenario, which then prevented the system from upgrading and required manual cleanup to free additional space.
In Red Hat Enterprise Linux 7.3, the default size of the /boot partition is increased to 1 GB, and these problems no longer occur on newly installed systems. Note that installations made with previous versions will not have their /boot partitions resized, and may still require manual cleanup in order to upgrade. (BZ#1369837)

Chapter 30. Kernel

A fix of PT_NOTE entries that were previously corrupted during crashdump

On some HP servers, a kernel crash could lead to the corruption of PT_NOTE entries because of a kernel code defect. As a consequence, the kernel crash dump utility failed to initialize. The provided patch aligns the allocation of PT_NOTE entries so that they are inside one physical page, and thus written and read data is identical. As a result, kernel crash dump now works as expected in the described situation. (BZ#1073651)

Change of the Red Hat Hardware Certification tests to avoid system hang caused by Oprofile

Previously, when Oprofile was run on an HP server with 480 CPUs, repeated CPU stalls or soft lockups occurred. Several unknown Non-Maskable Interrupts (NMI) were hitting multiple processors that triggered the hpwdt driver to handle them and call the panic. One of the CPU calling panic could initiate a crashkernel boot and successful dump, but more often the first kernel activity continued on the same console as the crashkernel boot. Consequently, the crashkernel boot hung, or the panic did not initiate a crashkernel boot thus blocking the Red Hat Hardware Certification tests. With this update, the hardware certification tests have been fixed, so they now pass on the mentioned hardware as expected. (BZ#1138935)

Removal of the slub_debug parameter to save memory

The slub_debug parameter enables debugging of the SLUB allocator, which makes each object consume extra memory. If the slub_debug kernel parameter was used, not enough memory was allocated to the kdump capture kernel by the automatic setting on 128 GB systems. Consequently, various tasks from the kdump init script terminated with an Out Of Memory (OOM) error message and no crash dump was saved. The provided patch removes the slub_debug parameter, and crash dump is now saved as expected in the aforementioned scenario. (BZ#1180246)

Removal of a race condition causing a deadlock when a new CPU was attached

Previously, when a new CPU was attached, a race condition between the CPU hotplug and the stop_two_cpus() function could occur causing a deadlock if that migration thread on the new CPU was already marked as active but not enabled. A set of patches has been applied which removes this race condition. As a result, systems with attached new CPUs now run as intended. (BZ#1252281)

Update of the kernel with hugepage migration patches from the upstream

Previously, several types of bugs including the kernel panic could occur with the hugepage migration. A set of patches from the upstream has been backported which fix these bugs. The updated kernel is now more stable and hugepage migration is automatically disabled in architectures other than AMD64 and Intel 64. (BZ#1287322)

Booting kernel with UEFI and the secure boot enabled

When the Unified Extensible Firmware Interface (UEFI) was used and the secure boot was enabled, the operating system failed to boot for all kernels before kernel 3.10.0-327.4.4.el7. With the update to the aforementioned kernel and newer versions the system boots up as expected after disabling the secure boot. (BZ#1290441)

New microcode added into initramfs images for all installed kernels

Previously, when the microcode_ctl package was installed, the postinstall scriptlet rebuilt the initramfs file only for the running kernel and not for any other installed kernels. Consequently, when the build completed, there was an initramfs file for a kernel that was not even installed. The provided fix adds new microcode into initramfs images for all installed kernels. As a result, the superfluous initramfs file is no longer generated. (BZ#1292158)

Change of default settings on FCoE servers to reach the correct functionality of the kdump mechanism

Disks on Fibre Channel over Ethernet (FCoE) servers use the multipath storage system, which allows the disks to connect to system from a different interface. Several logical disks are present in the system, but they are mapped to only one real disk. Consequently, with the default settings, the FCoE servers are not able to start on a kdump kernel. To reach the correct functionality of the kdump mechanism, users are advised to specify the Universally Unique Identifier (UUID) of the FCoE disks. Users are also advised to enable the multipath option so that disks can be managed in a more efficient way. (BZ#1293520)

Dump-capture kernel memory freed when kdump mechanism fails

When crashkernel memory was allocated using the ,high and ,low syntax, there were cases where the reservation of the high portion succeeded but with the reservation of the low portion the kdump mechanism failed. This failure could occur especially on large systems for several reasons. The manually specified crashkernel low memory was too large and thus an adequate memblock region was not found. The kexec utility could load the dump-capture kernel successfully, but booting the dump-capture kernel failed, as there was no low memory. The provided patch set reserves low memory for the dump-capture kernel after the high memory portion has been allocated. As a result, the dump-capture kernel memory is freed if the kdump mechanism fails. The user thus has a chance to take measures accordingly. (BZ#1241236)

The ksc utility no longer fails to file bugs due to the

unavailable kabi-whitelists component
In an earlier update, the kabi-whitelists component was changed to the kabi-whitelists sub-component of the kernel component. Consequently, the ksc utility was not able to file bugs, as the kabi-whitelists component value was not active, and the following error message was generated:
Could not create bug.<Fault 32000:"The component value 'kabi-whitelists'is not active">
With this update, the correct sub-component of the kernel component is kabi-whitelisted, and ksc files bugs as expected. (BZ#1328384)

ksc now returns an error instead of crashing when running without mandatory arguments

Previously, the ksc tool terminated unexpectedly when running without the mandatory arguments. With this update, ksc returns an error message and exits gracefully in the described situation. (BZ#1272348)

Chapter 31. Networking

sctp_accept() no longer causes a deadlock when called during a timeout event

Previously, when sctp_accept() was called by a user during a heartbeat timeout event after the 4-way handshake, a deadlock could occur. With this update, the bug has been fixed by giving the assoc->base.sk pointer to make sure SCTP correctly locks and unlocks the listening socket. (BZ#1270586)

Chapter 32. Security

The SHA-3 implementation in nettle now conforms to FIPS 202

nettle is a cryptographic library that is designed to fit easily in almost any context. With this update, the Secure Hash Algorithm 3 (SHA-3) implementation has been updated to conform the final Federal Information Processing Standard (FIPS) 202 draft. (BZ#1252936)

Chapter 33. Servers and Services

The named service now binds to all interfaces

With this update, BIND is able to react to situations when a new IP address is added to an interface. If the new address is allowed by the configuration, BIND will automatically start to listen on that interface. (BZ#1294506)

Fix for tomcat-digest to generate password hashes

When using the tomcat-digest utility to create an SHA hash of Tomcat passwords, the command terminated unexpectedly with the ClassNotFoundException Java exception. A patch has been provided to fix this bug and tomcat-digest now generates password hashes as expected. (BZ#1240279)

Tomcat can now use shell expansion in configuration files within the new conf.d directory

Previously, the /etc/sysconfig/tomcat and /etc/tomcat/tomcat.conf files were loaded without shell expansion, causing the application to terminate unexpectedly. This update provides a mechanism for using shell expansion in the Tomcat configuration files by adding a new configuration directory, /etc/tomcat/conf.d. Any files placed in the new directory may now include shell variables. (BZ#1221896)

Fix for the tomcat-jsvc service unit to create two independent Tomcat servers

When trying to start multiple independent Tomcat servers, the second server failed to start due to the jsvc service returning an error. This update fixes the jsvc systemd service unit as well as the handling of the TOMCAT_USER variable. (BZ#1201409)

The dbus-daemon service no longer becomes unresponsive due to leaking file descriptors

Previously, the dbus-daemon service incorrectly handled multiple messages containing file descriptors if they were received in a short time period. As a consequence, dbus-daemon leaked file descriptors and became unresponsive. A patch has been applied to correctly handle multiple file descriptors from different messages inside dbus-daemon. As a result, dbus-daemon closes and passes file descriptors correctly and no longer becomes unresponsive in the described situation. (BZ#1325870)

Update for marking tomcat-admin-webapps package configration files

Previously, the tomcat-admin-webapps web.xml files were not marked as the configuration files. Consequently, upgrading the tomcat-admin-webapps package overwrote the /usr/share/tomcat/webapps/host-manager/WEB-INF/web.xml and /usr/share/tomcat/webapps/manager/WEB-INF/web.xml files, causing custom user configuration to be automatically removed. This update fixes classification of these files, thus preventing this problem. (BZ#1208402)

Timer migration for realtime Tuned profile has been disabled

Previously, the realtime Tuned profile that is included in the tuned-profiles-realtime package set the value of the kernel.timer_migration variable to 1. As a consequence, realtime applications could be negatively affected. This update disables the timer migration in the realtime profile. (BZ#1323283)

rcu-nocbs no longer missing from kernel boot parameters

Previously the rcu_nocbs kernel parameter was not set in the realtime-virtual-host and realtime-virtual-guest tuned profiles. With this update, rcu-nocbs is set as expected. (BZ#1334479)

The global limit on how much time realtime scheduling may use has been removed in realtime Tuned profile

Prior to this update, the Tuned utility configuration for the kernel.sched_rt_runtime_us sysctl variable in the realtime profile included in the tuned-profiles-realtime package was incorrect. As a consequence, creating a virtual machine instance caused an error due to incompatible scheduling time. Now, the value of kernel.sched_rt_runtime_us is set to -1 (no limit), and the described problem no longer occurs. (BZ#1346715)

Chapter 34. Virtualization

SMEP and SMAP bits masked to enable secondary vCPUs

Previously, disabling Extended Page Table (EPT) on a host that supported Supervisor Mode Execution Protection (SMEP) or Supervisor Mode Access Protection (SMAP) resulted in guests being restricted to a single vCPU. This update masks SMEP and SMAP bits on the host side when necessary. As a result, secondary vCPUs start and can be used by the guest virtual machine. (BZ#1273807)

Force Reset menu entry in Japanese locale Virtual Machine Manager translated correctly

Previously, the Force Reset menu entry was translated incorrectly in the Japanese locale Virtual Machine Manager. In this update the Force Reset menu entry is translated correctly. (BZ#1282276)

Limited KSM deduplication factor

Previously, the kernel same-page merging (KSM) deduplication factor was not explicitly limited, which caused Red Hat Enterprise Linux hosts to have performance problems or become unresponsive in case of high workloads. This update limits the KSM deduplication factor, and thus eliminates the described problems with virtual memory operations related to KSM pages. (BZ#1298618)

VMDK images with streamOptimized sub-format are accepted

Previously, a Virtual Machine Disk (VMDK) image with a streamOptimized sub-format created by the qemu-img tool was rejected by Elastic Sky X (ESX) services, because the version number of the VMDK image was too low. In this update, the sub-format number of streamOptimized VMDK images are automatically increased. This results in the VMDK image being accepted by ESX services. (BZ#1299116)

Data layout of VMDK images with streamOptimized sub-format was incorrect

Previously, the data layout of a Virtual Machine Disk (VMDK) image with a streamOptimized sub-format created by the qemu-img tool was incorrect. This prevented the VMDK image from being bootable when imported to ESX servers. In this update, the image is converted to a valid VMDK streamOptimized image. This results in the VMDK image being bootable. (BZ#1299250)

blockcopy with --pivot option no longer fails

Previously, blockcopy always failed when the --pivot option was specified. With this release, the libvirt package was updated to prevent this issue. blockcopy can now be used with the --pivot option. (BZ#1197592)

Guest display problems after virt-v2v conversion have been fixed

Previously, the video card driver setting of a guest converted with the virt-v2v utility was ignored, causing various display problems in the guest. This update ensures that virt-v2v generates the libvirt XML file for the converted guest properly. As a result, the video card setting is preserved, and the guest can take full advantage of graphical capabilities after the conversion. (BZ#1225789)

Migrating MSR_TSC_AUX works properly

Previously, the contents of the MSR_TSC_AUX file were sometimes not migrated correctly during guest migration. As a consequence, the guest terminated unexpectedly after the migration finished. This update ensures that the contents of MSR_TSC_AUX are migrated as expected, and the described crashes no longer occur. (BZ#1265427)

Windows guest virtual machine information removed from documentation

In this update, all references to Windows guest virtual machines have been removed from the documentation. The information was moved to the following knowledgebase article: https://access.redhat.com/articles/2470791 (BZ#1262007)

The libvirt API generates addresses for USB devices

With this update, libvirt generates addresses for USB devices. These devices, along with the libvirt-generated address children can be found in the domain XML file. This ensures that future start, restore, and migrate operations have a consistent address for the guests' USB devices. As a result, you can migrate virtual machines to which USB devices have been hot-plugged. (BZ#1215968)

Part III. Technology Previews

This part provides an overview of Technology Previews introduced or updated in Red Hat Enterprise Linux 7.3 Beta.
For more information on Red Hat Technology Preview features support scope, see https://access.redhat.com/support/offerings/techpreview/.

Chapter 35. General Updates

The systemd-importd VM and container image import and export service

Latest systemd version now contains the systemd-importd daemon that was not enabled in the earlier build, which caused the machinectl pull-* commands to fail. Note, that the systemd-importd daemon is offered as a Technology Preview and should not be considered stable. (BZ#1284974)

Chapter 36. Authentication and Interoperability

Identity Management in a container now available

Identity Management (IdM) in a container is provided as a Technology Preview. This update is available for Red Hat Enterprise Linux Atomic Host.
To install this new image, use the atomic install rhel7/ipa-server command. (BZ#1283777)

SSSD in a container now available

The System Security Services Daemon (SSSD) in a container is provided as a Technology Preview to allow Red Hat Enterprise Linux Atomic Host authentication subsystem to be connected to central identity providers like Red Hat Identity Management and Microsoft Active Directory.
To install this new image, use the atomic install rhel7/sssd command. (BZ#1200143)

Use of AD and LDAP sudo providers

The Active Directory (AD) provider is a back end used to connect to an AD server. In Red Hat Enterprise Linux 7.2, using the AD sudo provider together with the LDAP provider is supported as a Technology Preview. To enable the AD sudo provider, add the sudo_provider=ad setting in the [domain] section of the sssd.conf file. (BZ#1068725)

DNSSEC available as Technology Preview in Identity Management

Identity Management servers with integrated DNS now support DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on Identity Management servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.
Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:
Note that Identity Management servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices described in the Red Hat Enterprise Linux Networking Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Configure_Host_Names.html#sec-Recommended_Naming_Practices. (BZ#1115294)

Support for secrets as a service

This update adds responder secrets as a Technology Preview to the System Security Services Daemon (SSSD). This responder allows an application to communicate with SSSD over a UNIX socket using the Custodia API. This enables SSSD to store secrets in its local database or to forward them to a remote Custodia server. (BZ#1311056)

The Ipsilon identity provider service for federated single sing-on

The ipsilon packages were introduced as Technology Preview in Red Hat Enterprise Linux 7.2. Ipsilon links authentication providers and applications or utilities to allow for SSO.
Red Hat does not plan to upgrade Ipsilon from Technology Preview to a fully supported feature. The ipsilon packages will be removed from Red Hat Enterprise Linux in a future minor release.
Note that Red Hat Single Sign-On (SSO) is now available, which is intended to replace Ipsilon and is the recommended solution for single sing-on. For details, see the description for Red Hat SSO in the New Features part of these Release Notes. (BZ#1365388)

IdM web UI enables smart card login

The Identity Management (IdM) web UI enables users to log in using smart cards. Note that this feature is experimental and not supported. (BZ#1317379)

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as Technology Preview.
In Red Hat Enterprise Linux 7.3, the IdM API has been enhanced to enable multiple versions of API commands. Previously, enhancements could change the behavior of a command in an incompatible way. Users are now able to continue using existing tools and scripts even if the IdM API changes. This enables:
  • Administrators to use previous or later versions of IdM on the server than on the managing client.
  • Developers to use a specific version of an IdM call, even if the IdM version changes on the server.
In all cases, the communication with the server is possible, regardless if one side uses, for example, a newer version that introduces new options for a feature. (BZ#1298286)

Chapter 37. Clustering

Support for clufter, a tool for transforming and analyzing cluster configuration formats

The clufter package, available as a Technology Preview in Red Hat Enterprise Linux 7, provides a tool for transforming and analyzing cluster configuration formats. It can be used to assist with migration from an older stack configuration to a newer configuration that leverages Pacemaker. For information on the capabilities of clufter, see the clufter(1) man page or the output of the clufter -h command. (BZ#1212909)

Chapter 38. Directory Server in Red Hat Enterprise Linux

Nunc Stans event framework available for Directory Server

A new Nunc Stans event framework to handle multiple simultaneous connections has been added as Technology Preview. The framework allows supporting several thousand active connections with no performance degradation. It is disabled by default. (BZ#1206301)

Chapter 39. File Systems

The CephFS kernel client is now available

Starting with Red Hat Enterprise Linux 7.3, the Ceph File System (CephFS) kernel module enables, as a Technology Preview, Red Hat Enterprise Linux nodes to mount Ceph File Systems from Red Hat Ceph Storage clusters. The kernel client in Red Hat Enterprise Linux is a more efficient alternative to the Filesystem in Userspace (FUSE) client included with Red hat Ceph Storage. Note that the kernel client currently lacks support for CephFS quotas. For more information, see the Ceph File System Guide for Red Hat Ceph Storage 2: https://access.redhat.com/documentation/en/red-hat-ceph-storage/2/single/ceph-file-system-guide-technology-preview (BZ#1205497)

ext4 and XFS file systems now support DAX

Starting with Red Hat Enterprise Linux 7.3, Direct Access (DAX) provides, as a Technology Preview, a means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that supports DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application's address space. (BZ#1274459)

pNFS Block Layout Support

As a Technology Preview, the upstream code has been backported to the Red Hat Enterprise Linux client to provide pNFS block layout support.
In addition, Red Hat Enterprise Linux 7.3 includes the Technology Preview of the pNFS SCSI layout. This feature is similar to pNFS block layout support, but limited only to SCSI devices, so it is easier to use. Therefore, Red Hat recommends the evaluation of the pNFS SCSI layout rather than the pNFS block layout for most use cases. (BZ#1111712)

OverlayFS

OverlayFS is a type of union file system. It allows the user to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media. Refer to the kernel file Documentation/filesystems/overlayfs.txt for additional information.
OverlayFS remains a Technology Preview in Red Hat Enterprise Linux 7.3 under most circumstances. As such, the kernel will log warnings when this technology is activated.
Full support is available for OverlayFS when used with Docker under the following restrictions:
  • OverlayFS is only supported for use as a Docker graph driver. Its use can only be supported for container COW content, not for persistent storage. Any persistent storage must be placed on non-OverlayFS volumes to be supported. Only default Docker configuration can be used; that is, one level of overlay, one lowerdir, and both lower and upper levels are on the same file system.
  • Only XFS is currently supported for use as a lower layer file system.
  • SELinux must be enabled and in enforcing mode on the physical machine, but must be disabled in the container when performing container separation; that is, /etc/sysconfig/docker must not contain --selinux-enabled. SELinux support for OverlayFS is being worked on upstream, and is expected in a future release.
  • The OverlayFS kernel ABI and userspace behavior are not considered stable, and may see changes in future updates.
  • In order to make the yum and rpm utilities work properly inside the container, the user should be using the yum-plugin-ovl packages.
Note that OverlayFS provides a restricted set of the POSIX standards. Test your application thoroughly before deploying it with OverlayFS.
Note that XFS file systems must be created with the -n ftype=1 option enabled for use as an overlay. With the rootfs and any file systems created during system installation, set the --mkfsoptions=-n ftype=1 parameters in the Anaconda kickstart. When creating a new file system after the installation, run the # mkfs -t xfs -n ftype=1 /PATH/TO/DEVICE command. To determine whether an existing file system is eligible for use as an overlay, run the # xfs_info /PATH/TO/DEVICE | grep ftype command to see if the ftype=1 option is enabled.
There are also several known issues associated with OverlayFS as of Red Hat Enterprise Linux 7.3 release. For details, see 'Non-standard behavior' in the Documentation/filesystems/overlayfs.txt file. (BZ#1206277)

Support for NFSv4 clients with flexible file layout

Support for flexible file layout on NFSv4 clients was first introduced in Red Hat Enterprise Linux 7.2 as a Technology Preview. This technology enables advanced features such as non-disruptive file mobility and client-side mirroring, which provides enhanced usability in areas such as databases, big data and virtualization. This feature has been updated in Red Hat Enterprise Linux 7.3, and it is still offered as a Technology Preview.
See https://datatracker.ietf.org/doc/draft-ietf-nfsv4-flex-files/ for detailed information about NFS flexible file layout. (BZ#1217590)

Btrfs file system

The Btrfs (B-Tree) file system is supported as a Technology Preview in Red Hat Enterprise Linux 7.3. This file system offers advanced management, reliability, and scalability features. It enables users to create snapshots, it enables compression and integrated device management. (BZ#1205873)

pNFS SCSI layouts client and server support is now provided

Client and server support for parallel NFS (pNFS) SCSI layouts is provided as a Technology Preview starting with Red Hat Enterprise Linux 7.3. Building on the work of block layouts, the pNFS layout is defined across SCSI devices and contains sequential series of fixed-size blocks as logical units that must be capable of supporting SCSI persistent reservations. The Logical Unit (LU) devices are identified by their SCSI device identification, and fencing is handled through the assignment of reservations. (BZ#1305092)

Chapter 40. Hardware Enablement

Runtime Instrumentation for IBM System z

Support for the Runtime Instrumentation feature is available as a Technology Preview in Red Hat Enterprise Linux 7.2 on IBM System z. Runtime Instrumentation enables advanced analysis and execution for a number of user-space applications available with the IBM zEnterprise EC12 system. (BZ#1115947)

LSI Syncro CS HA-DAS adapters

Red Hat Enterprise Linux 7.1 included code in the megaraid_sas driver to enable LSI Syncro CS high-availability direct-attached storage (HA-DAS) adapters. While the megaraid_sas driver is fully supported for previously enabled adapters, the use of this driver for Syncro CS is available as a Technology Preview. Support for this adapter is provided directly by LSI, your system integrator, or system vendor. Users deploying Syncro CS on Red Hat Enterprise Linux 7.2 are encouraged to provide feedback to Red Hat and LSI. For more information on LSI Syncro CS solutions, please visit http://www.lsi.com/products/shared-das/pages/default.aspx. (BZ#1062759)

Chapter 41. Installation and Booting

Multi-threaded xz compression in rpm-build

Compression can take long time for highly parallel builds as it currently uses only one core. This is problematic especially for continuous integration of large projects that are built on hardware with many cores.
This feature enables multi-threaded xz compression for source and binary packages when setting the %_source_payload or %_binary_payload macros to the wLTX.xzdio pattern . In it, L represents the compression level, which is 6 by default, and X is the number of threads to be used (may be multiple digits), for example w6T12.xzdio. This can be done by editing the /usr/lib/rpm/macros file or by declaring the macro within the spec file or at the command line. (BZ#1278924)

Chapter 42. Kernel

Heterogeneous memory management included as a Technology Preview

Red Hat Enterprise Linux 7.3 offers the heterogeneous memory management (HMM) feature as a Technology Preview. This feature has been added to the kernel as a helper layer for devices that want to mirror a process address space into their own memory management unit (MMU). Thus a non-CPU device processor is able to read system memory using the unified system address space. To enable this feature, add experimental_hmm=enable to the kernel command line. (BZ#1230959)

User namespace

This feature provides additional security to servers running Linux containers by providing better isolation between the host and the containers. Administrators of a container are no longer able to perform administrative operations on the host, which increases security. (BZ#1138782)

LPAR Watchdog for IBM System z

An enhanced watchdog driver for IBM System z is available as a Technology Preview. This driver supports Linux logical partitions (LPAR) as well as Linux guests in the z/VM hypervisor, and provides automatic reboot and automatic dump capabilities if a Linux system becomes unresponsive. (BZ#1088540)

Support for Diag0c on IBM System z

As a Technology Preview, Red Hat Enterprise Linux 7.2 and later provide support for the Diag0c feature on IBM System z. Diag0c support makes it possible to read the CPU performance metrics provided by the z/VM hypervisor, and allows obtaining the management time for each online CPU of a Linux guest where the diagnose task is executed. (BZ#1182292)

10GbE RoCE Express feature for RDMA

As a Technology Preview, Red Hat Enterprise Linux 7.2 and later include the 10GbE RDMA over Converged Ethernet (RoCE) Express feature. This makes it possible to use Ethernet and Remote Direct Memory Access (RDMA), as well as the Direct Access Programming Library (DAPL) and OpenFabrics Enterprise Distribution (OFED) APIs, on IBM System z.
Before using this feature on an IBM z13 system, ensure that the minimum required service is applied: z/VM APAR UM34525 and HW ycode N98778.057 (bundle 14). (BZ#1182169)

zEDC compression on IBM System z

Red Hat Enterprise Linux 7.2 and later provide the Generic Workqueue (GenWQE) engine device driver as a Technology Preview. The initial task of the driver is to perform zlib-style compression and decompression of the RFC1950, RFC1951 and RFC1952 formats, but it can be adjusted to accelerate a variety of other tasks. (BZ#1182302)

libocrdma RoCE support on Oce141xx cards

As a Technology Preview, the ocrdma module and the libocrdma package support the Remote Direct Memory Access over Converged Ethernet (RoCE) functionality on all network adapters in the Oce141xx family. (BZ#1334675)

No-IOMMU mode for VFIO drivers

As a Technology Preview, this update adds No-IOMMU mode for virtual function I/O (VFIO) drivers. The No-IOMMU mode provides the user with full user-space I/O (UIO) access to a direct memory access (DMA)-capable device without a I/O memory management unit (IOMMU). Note that in addition to not being supported, using this mode is not secure due to the lack of I/O management provided by IOMMU. (BZ#1299662)

Chapter 43. Real-Time Kernel

New scheduler class: SCHED_DEADLINE

This update introduces the SCHED_DEADLINE scheduler class for the real-time kernel as a Technology Preview. The new scheduler enables predictable task scheduling based on application deadlines. SCHED_DEADLINE benefits periodic workloads by reducing application timer manipulation. (BZ#1297061)

Chapter 44. Networking

Cisco usNIC driver

Cisco Unified Communication Manager (UCM) servers have an optional feature to provide a Cisco proprietary User Space Network Interface Controller (usNIC), which allows performing Remote Direct Memory Access (RDMA)-like operations for user-space applications. The libusnic_verbs driver, which is supported as a Technology Preview, makes it possible to use usNIC devices via standard InfiniBand RDMA programming based on the Verbs API. (BZ#916384)

Cisco VIC kernel driver

The Cisco VIC Infiniband kernel driver, which is supported as a Technology Preview, allows the use of Remote Directory Memory Access (RDMA)-like semantics on proprietary Cisco architectures. (BZ#916382)

Trusted Network Connect

Trusted Network Connect, supported as a Technology Preview, is used with existing network access control (NAC) solutions, such as TLS, 802.1X, or IPsec to integrate endpoint posture assessment; that is, collecting an endpoint's system information (such as operating system configuration settings, installed packages, and others, termed as integrity measurements). Trusted Network Connect is used to verify these measurements against network access policies before allowing the endpoint to access the network. (BZ#755087)

SR-IOV functionality in the qlcnic driver

Support for Single-Root I/O virtualization (SR-IOV) has been added to the qlcnic driver as a Technology Preview. Support for this functionality will be provided directly by QLogic, and customers are encouraged to provide feedback to QLogic and Red Hat. Other functionality in the qlcnic driver remains fully supported. (BZ#1259547)

New packages: nftables, libnftnl

As a Technology Preview, this update adds the nftables and libnftnl packages. nftables provides a packet-filtering tool, with numerous improvements in convenience, features, and performance. It is the designated successor to iptables, ip6tables, arptables and ebtables. (BZ#1332581)

Chapter 45. Storage

lvm2 now supports RAID-level takeover

RAID-level takeover, the ability to switch between RAID types, is now available as a Technology Preview. With RAID-level takeover, the user can decide based on their changing hardware characteristics what type of RAID configuration best suits their needs and make the change without having to deactivate the logical volume. For example, if a striped logical volume is created, it can be later converted to a RAID4 logical volume if an additional device is available.
Starting with Red Hat Enterprise Linux 7.3, the following conversions are available as a Technology Preview:
  • striped <-> RAID4
  • linear <-> RAID1
  • mirror <-> RAID1 (mirror is a legacy type, but still supported) (BZ#1191630)

Multi-queue I/O scheduling for SCSI

Red Hat Enterprise Linux 7 includes a new multiple-queue I/O scheduling mechanism for block devices known as blk-mq. The scsi-mq package allows the Small Computer System Interface (SCSI) subsystem to make use of this new queuing mechanism. This functionality is provided as a Technology Preview and is not enabled by default. To enable it, add scsi_mod.use_blk_mq=Y to the kernel command line. (BZ#1109348)

Targetd plug-in from the libStorageMgmt API

Since Red Hat Enterprise Linux 7.1, storage array management with libStorageMgmt, a storage array independent API, has been fully supported. The provided API is stable, consistent, and allows developers to programmatically manage different storage arrays and utilize the hardware-accelerated features provided. System administrators can also use libStorageMgmt to manually configure storage and to automate storage management tasks with the included command-line interface.
The Targetd plug-in is not fully supported and remains a Technology Preview. (BZ#1119909)

DIF/DIX

DIF/DIX is a new addition to the SCSI Standard. It is fully supported in Red Hat Enterprise Linux 7.2 for the HBAs and storage arrays specified in the Features chapter, but it remains in Technology Preview for all other HBAs and storage arrays.
DIF/DIX increases the size of the commonly used 512 byte disk block from 512 to 520 bytes, adding the Data Integrity Field (DIF). The DIF stores a checksum value for the data block that is calculated by the Host Bus Adapter (HBA) when a write occurs. The storage device then confirms the checksum on receipt, and stores both the data and the checksum. Conversely, when a read occurs, the checksum can be verified by the storage device, and by the receiving HBA. (BZ#1072107)

Chapter 46. Virtualization

Nested virtualization

As a Technology Preview, Red Hat Enterprise Linux 7 offers nested virtualization. This feature enables KVM to launch guests that can act as hypervisors and create their own guests. For more information, see the Red Hat Enterprise Linux 7 Virtualization Deployment and Administration Guide. (BZ#1187762)

USB 3.0 support for KVM guests

USB 3.0 host adapter (xHCI) emulation for KVM guests remains a Technology Preview in Red Hat Enterprise Linux 7.3. (BZ#1103193)

Select Intel network adapters now support SR-IOV

In this update for Red Hat Enterprise Linux guest virtual machines running on Hyper-V, a new PCI passthrough driver adds the ability to use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters supported by the ixgbevf driver. This ability is enabled when the following conditions are met:
  • SR-IOV support is enabled for the network interface controller (NIC)
  • SR-IOV support is enabled for the virtual NIC
  • SR-IOV support is enabled for the virtual switch
The virtual function (VF) from the NIC is attached to the virtual machine.
The feature is currently supported with Microsoft Windows Server 2016 Technical Preview 5. (BZ#1348508)

Driver added for devices that connect over a PCI Express bus in guest virtual machine under Hyper-V

In this update, a new driver was added that exposes a root PCI bus when a devices that connects over a PCI Express bus is passed through to a Red Hat Enterprise Linux guest virtual machine running on the Hyper-V hypervisor. The feature is currently supported with Microsoft Windows Server 2016 Technical Preview 5. (BZ#1302147)

Part IV. Device Drivers

This part provides a comprehensive listing of all device drivers which were updated in Red Hat Enterprise Linux 7.3 Beta.

Chapter 47. New Drivers

Storage Drivers

  • cxgbit
  • libnvdimm
  • mpt2sas
  • nd_blk
  • nd_btt
  • nd_e820
  • nd_pmem
  • nvme

Network Drivers

  • ath10k_core
  • ath10k_pci
  • bnxt_en
  • brcmfmac
  • brcmsmac
  • brcmutil
  • btbcm
  • btcoexist
  • btintel
  • btrtl
  • c_can
  • c_can_pci
  • c_can_platform
  • can-dev
  • cc770
  • cc770_platform
  • ems_pci
  • ems_usb
  • esd_usb2
  • fjes
  • geneve
  • hfi1
  • i40iw
  • iwl3945
  • iwl4965
  • iwldvm
  • iwlegacy
  • iwlmvm
  • iwlwifi
  • kvaser_pci
  • kvaser_usb
  • macsec
  • mwifiex
  • mwifiex_pcie
  • mwifiex_sdio
  • mwifiex_usb
  • mwl8k
  • peak_pci
  • peak_usb
  • plx_pci
  • qed
  • qede
  • rdmavt
  • rt2800lib
  • rt2800mmio
  • rt2800pci
  • rt2800usb
  • rt2x00lib
  • rt2x00mmio
  • rt2x00pci
  • rt2x00usb
  • rt61pci
  • rt73usb
  • rtl_pci
  • rtl_usb
  • rtl8187
  • rtl8188ee
  • rtl8192c-common
  • rtl8192ce
  • rtl8192cu
  • rtl8192de
  • rtl8192ee
  • rtl8192se
  • rtl8723-common
  • rtl8723ae
  • rtl8723be
  • rtl8821ae
  • rtlwifi
  • sja1000
  • sja1000_platform
  • slcan
  • softing
  • uas
  • usb_8dev
  • vcan

Graphics Drivers and Miscellaneous Drivers

  • amdgpu
  • amdkfd
  • gp2ap002a00f
  • gpio-ich
  • gpio-viperboard
  • idma64
  • int3400_thermal
  • leds-lt3593
  • ledtrig-gpio
  • nfit
  • pci-hyperv
  • pwm-lpss
  • qat_c3xxx
  • qat_c3xxxvf
  • qat_c62x
  • qat_c62xvf
  • qat_dh895xccvf
  • rotary_encoder
  • rtsx_usb
  • rtsx_usb_sdmmc
  • sht15
  • tpm_st33zp24
  • tpm_st33zp24_i2c
  • virt-dma
  • virtio-gpu
  • zram

Chapter 48. Updated Drivers

Storage Driver Updates

  • The 3w-9xxx driver has been updated to version 2.26.02.014.rh1.
  • The aacraid driver has been updated to version 1.2-1[41066]-ms.
  • The be2iscsi driver has been updated to version 11.0.0.0.
  • The bfa driver has been updated to version 3.2.25.0.
  • The bnx2fc driver has been updated to version 2.10.3.
  • The cxgb3i driver has been updated to version 2.0.1-ko.
  • The cxgb4i driver has been updated to version 0.9.5-ko.
  • The libcxgbi driver has been updated to version 0.9.1-ko.
  • The fnic driver has been updated to version 1.6.0.21.
  • The hpsa driver has been updated to version 3.4.14-0-RH1.
  • The isci driver has been updated to version 1.2.0.
  • The lpfc driver has been updated to version 0:11.1.0.2.
  • The megaraid_sas driver has been updated to version 06.811.02.00-rh1.
  • The mt2sas driver has been updated to version 20.102.00.00.
  • The mt3sas driver has been updated to version 13.100.00.00.
  • The qla2xxx driver has been updated to version 8.07.00.33.07.3-k.
  • The vmw_pvscsi driver has been updated to version 1.0.6.0-k.
  • The cxgbit driver has been updated to version 1.0.0-ko.
  • The nvme driver has been updated to version 1.0.

Network Driver Updates

  • The bpa10x driver has been updated to version 0.11.
  • The btbcm driver has been updated to version 0.1.
  • The btintel driver has been updated to version 0.1.
  • The btrtl driver has been updated to version 0.1.
  • The btusb driver has been updated to version 0.8.
  • The hci_uart driver has been updated to version 2.3.
  • The hci_vhci driver has been updated to version 1.5.
  • The hfi1 driver has been updated to version 0.9-294.
  • The i40iw driver has been updated to version 0.5.123.
  • The ocrdma driver has been updated to version 11.0.0.0.
  • The ib_srp driver has been updated to version 2.0.
  • The bnx2x driver has been updated to version 1.712.30-0.
  • The bnxt_en driver has been updated to version 1.2.0.
  • The cnic driver has been updated to version 2.5.22.
  • The enic driver has been updated to version 2.3.0.20.
  • The be2net driver has been updated to version 11.0.0.0r.
  • The e1000e driver has been updated to version 3.2.6-k.
  • The i40e driver has been updated to version 1.5.10-k.
  • The i40evf driver has been updated to version 1.5.10-k.
  • The igb driver has been updated to version 5.3.0-k.
  • The ixgbe driver has been updated to version 4.4.0-k-rh7.3.
  • The ixgbevf driver has been updated to version 2.12.1-k-rh7.3.
  • The qed driver has been updated to version 8.7.1.20.
  • The qede driver has been updated to version 8.7.1.20.
  • The qlcnic driver has been updated to version 5.3.64.
  • The fjes driver has been updated to version 1.1.
  • The geneve driver has been updated to version 0.6.
  • The vmxnet driver has been updated to version 1.4.7.0-k.
  • The iwl3945 driver has been updated to version in-tree:ds.
  • The iwl4965 driver has been updated to version in-tree:d.
  • The iwlegacy driver has been updated to version in-tree:.
  • The mwifiex driver has been updated to version 1.0.
  • The mwifiex_pcie driver has been updated to version 1.0.
  • The mwifiex_sdio driver has been updated to version 1.0.
  • The mwifiex_usb driver has been updated to version 1.0.
  • The mwl8k driver has been updated to version 0.13.
  • The rt2800lib driver has been updated to version 2.3.0.
  • The rt2800mmio driver has been updated to version 2.3.0.
  • The rt2800pci driver has been updated to version 2.3.0.
  • The rt2800usb driver has been updated to version 2.3.0.
  • The rt2x00lib driver has been updated to version 2.3.0.
  • The rt2x00mmio driver has been updated to version 2.3.0.
  • The rt2x00pci driver has been updated to version 2.3.0.
  • The rt2x00usb driver has been updated to version 2.3.0.
  • The rt61pci driver has been updated to version 2.3.0.
  • The rt73usb driver has been updated to version 2.3.0.

Graphics Driver and Miscellaneous Driver Updates

  • The tpm_st33zp24 driver has been updated to version 1.3.0.
  • The tpm_st33zp24_i2c driver has been updated to version 1.3.0.
  • The qat_c3xxx driver has been updated to version 0.6.0.
  • The qat_c62x driver has been updated to version 0.6.0.
  • The intel_qat driver has been updated to version 0.6.0.
  • The qat_dh895xcc driver has been updated to version 0.6.0.
  • The qat_dh895xccvf driver has been updated to version 0.6.0.
  • The amdkfd driver has been updated to version 0.7.2.
  • The qat_dh895xccvf driver has been updated to version 0.6.0.
  • The vmwgfx driver has been updated to version 2.10.0.0.
  • The vmw_balloon driver has been updated to version 1.4.0.0-k.

Chapter 49. Deprecated Functionality

This chapter provides an overview of functionality that has been deprecated in all minor releases of Red Hat Enterprise Linux 7 up to Red Hat Enterprise Linux 7.3 Beta.
Deprecated functionality continues to be supported until the end of life of Red Hat Enterprise Linux 7. Deprecated functionality will likely not be supported in future major releases of this product and is not recommended for new deployments. For the most recent list of deprecated functionality within a particular major release, refer to the latest version of release documentation.
Deprecated hardware components are not recommended for new deployments on the current or future major releases. Hardware driver updates are limited to security and critical fixes only. Red Hat recommends replacing this hardware as soon as reasonably feasible.
A package can be deprecated and not recommended for further use. Under certain circumstances, a package can be removed from a product. Product documentation then identifies more recent packages that offer functionality similar, identical, or more advanced to the one deprecated, and provides further recommendations.

sslwrap() removed from Python

The sslwrap() function has been removed from Python 2.7. After the 466 Python Enhancement Proposal was implemented, using this function resulted in a segmentation fault. The removal is consistent with upstream. Red Hat recommends using the ssl.wrap_socket() function instead.

Windows guest virtual machine support limited

As of Red Hat Enterprise Linux 7, Windows guest virtual machines are supported only under specific subscription programs, such as Advanced Mission Critical (AMC).

libnetlink is deprecated

The libnetlink library contained in the iproute-devel package has been deprecated. The user should use the libnl and libmnl libraries instead.

S3 and S4 power management states for KVM are deprecated

Native KVM support for the S3 (suspend to RAM) and S4 (suspend to disk) power management states has been discontinued. This feature was previously available as a Technology Preview.

The Certificate Server plug-in udnPwdDirAuth is discontinued

The udnPwdDirAuth authentication plug-in for the Red Hat Certificate Server has been removed in Red Hat Enterprise Linux 7.3. Profiles using the plug-in are no longer supported. Certificates created with a profile using the udnPwdDirAuth plug-in are still valid if they have been approved.

Red Hat Access plug-in for IdM is discontinued

The Red Hat Access plug-in for Identity Management (IdM) has been removed in Red Hat Enterprise Linux 7.3. During the update, the redhat-access-plugin-ipa package is automatically uninstalled. Features previously provided by the plug-in, such as Knowledgebase access and support case engagement, are still available through the Red Hat Customer Portal. Red Hat recommends to explore alternatives, such as the redhat-support-tool tool.

Deprecated Device Drivers

  • 3w-9xxx
  • 3w-sas
  • mptbase
  • mptctl
  • mptsas
  • mptscsih
  • mptspi
  • qla3xxx
  • The following controllers from the megaraid_sas driver have been deprecated:
    • Dell PERC5, PCI ID 0x15
    • SAS1078R, PCI ID 0x60
    • SAS1078DE, PCI ID 0x7C
    • SAS1064R, PCI ID 0x411
    • VERDE_ZCR, PCI ID 0x413
    • SAS1078GEN2, PCI ID 0x78
  • The following Ethernet adapter controlled by the be2net driver has been deprecated:
    • TIGERSHARK NIC, PCI ID 0x0700
  • The following controllers from the be2iscsi driver have been deprecated:
    • Emulex OneConnect 10Gb iSCSI Initiator (generic), PCI ID 0x212
    • OCe10101, OCm10101, OCe10102, OCm10102 BE2 adapter family, PCI ID 0x702
    • OCe10100 BE2 adapter family, PCI ID 0x703
  • The following Emulex boards from the lpfc driver have been deprecated:
    BladeEngine 2 (BE2) Devices
    • TIGERSHARK FCOE, PCI ID 0x0704
    Fibre Channel (FC) Devices
    • FIREFLY, PCI ID 0x1ae5
    • PROTEUS_VF, PCI ID 0xe100
    • BALIUS, PCI ID 0xe131
    • PROTEUS_PF, PCI ID 0xe180
    • RFLY, PCI ID 0xf095
    • PFLY, PCI ID 0xf098
    • LP101, PCI ID 0xf0a1
    • TFLY, PCI ID 0xf0a5
    • BSMB, PCI ID 0xf0d1
    • BMID, PCI ID 0xf0d5
    • ZSMB, PCI ID 0xf0e1
    • ZMID, PCI ID 0xf0e5
    • NEPTUNE, PCI ID 0xf0f5
    • NEPTUNE_SCSP, PCI ID 0xf0f6
    • NEPTUNE_DCSP, PCI ID 0xf0f7
    • FALCON, PCI ID 0xf180
    • SUPERFLY, PCI ID 0xf700
    • DRAGONFLY, PCI ID 0xf800
    • CENTAUR, PCI ID 0xf900
    • PEGASUS, PCI ID 0xf980
    • THOR, PCI ID 0xfa00
    • VIPER, PCI ID 0xfb00
    • LP10000S, PCI ID 0xfc00
    • LP11000S, PCI ID 0xfc10
    • LPE11000S, PCI ID 0xfc20
    • PROTEUS_S, PCI ID 0xfc50
    • HELIOS, PCI ID 0xfd00
    • HELIOS_SCSP, PCI ID 0xfd11
    • HELIOS_DCSP, PCI ID 0xfd12
    • ZEPHYR, PCI ID 0xfe00
    • HORNET, PCI ID 0xfe05
    • ZEPHYR_SCSP, PCI ID 0xfe11
    • ZEPHYR_DCSP, PCI ID 0xfe12
To check the PCI IDs of the hardware on your system, run the lspci -nn command.
Note that other controllers from the mentioned drivers that are not listed here remain unchanged.

Part V. Known Issues

Chapter 50. General Updates

The TAB key does not expand $PWD by default

When working in CLI in Red Hat Enterprise Linux 6, pressing the TAB key expanded $PWD/ to the current directory. In Red Hat Enterprise Linux 7, CLI does not have the same behavior. Users can achieve this behavior by putting the following lines into the $HOME/.bash_profile file:
if ((BASH_VERSINFO[0] >= 4)) && ((BASH_VERSINFO[1] >= 2)); then
    shopt -s direxpand
fi
(BZ#1185416)

gnome-dictionary multilib packages conflicts occur

When both the 32-bit and 64-bit packages of the gnome-dictionary multilib packages are installed, upgrading from Red Hat Enterprise Linux 7.2 to Red Hat Enterprise Linux 7.3 fails. To work around this problem, uninstall the 32-bit package before upgrading. (BZ#1360338)

gnome-getting-started-docs-* moved to the Optional channel

As of Red Hat Enterprise Linux 7.3, the gnome-getting-started-docs-* packages have been moved from the Base channel to the Optional channel. Consequently, upgrading from an earlier version of Red Hat Enterprise Linux 7 fails, if these packages were previously installed. To work around this problem, uninstall gnome-getting-started-docs-* prior to upgrading to Red Hat Enterprise Linux 7.3. (BZ#1350802)

Chapter 51. Authentication and Interoperability

Problem with importing a user certificate from CA over SSL

The pki user-cert-add command provides an option to import a user certificate directly from CA. Due to incorrect client library initialization, when the command is executed over an SSL port, the command fails with the following error message:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
To work around this problem, download the certificate from CA into a file using the pki cert-show command. Then, upload the certificate from the file using the pki user-cert-add command. With the workaround, the user certificate is added correctly. (BZ#1246635)

Security warning when using ipa-kra-install, ipa-ca-install, or ipa-replica-install

When using the ipa-kra-install, ipa-ca-install, and ipa-replica-install commands to install an additional key recovery authority (KRA) component, certificate authority, or replica, the following warning appears:
SecurityWarning: Certificate has no `subjectAltName`,
falling back to check for a `commonName` for now.
This feature is being removed by major browsers and deprecated by RFC 2818.
The error occurs due to RFC 2818, which deprecates the practice of carrying the subject host name in the subject DN common name (CN) field. However, the commands succeed. Therefore, you can ignore the warning message. (BZ#1358457)

The IdM web UI displays all certificates on one page in the Certificates table

The Certificates table, available under the Authentication tab in the Identity Management (IdM) web UI, ignores the page size limit of 20 entries. When more than 20 certificates are available, the table displays all the certificates on one page, instead of only displaying 20 certificates per page. (BZ#1358836)

SSSD fails to start when ldap_user_extra_attrs includes mail

System Security Services Daemon (SSSD) now fetches the mail attribute by default. When the ldap_user_extra_attrs option in the /etc/sssd/sssd.conf file also lists the mail attribute, SSSD warns the user about the duplicate email address and fails to start.
To work around this problem, set a fictional attribute name in the ldap_user_email attribute in the domain section of sssd.conf. This ensures that the two obtained email addresses are different and that SSSD starts successfully. (BZ#1362023)

ipa commands fail when the user does not have a home directory in IdM

When IdM cannot create a cache directory at ~/.cache/ipa in the home directory, all ipa commands fail. This situation can occur for example when the user does not have a home directory.
To work around this problem, make sure a home directory is configured for the user, for example by installing the Identity Management (IdM) client with the --mkhomedir option, which ensures that a home directory is created for every user at first login. (BZ#1364113)

Displaying help for IdM commands takes longer

When the user runs an Identity Management (IdM) command with the --help option, IdM gathers the required information from plug-ins and commands. Previously, the plug-ins and commands were Python modules. With this update, IdM must generate the plug-ins and commands based on a schema downloaded from the server. Because of this, displaying the help takes significantly longer than in the previous version of IdM, especially if the help includes lists of topics and commands. (BZ#1356146)

pam_pkcs11 only supports one token

The PKCS#11 modules in the opensc and coolkey packages provide support for various types of smart cards. However the pam_pkcs11 module only supports one of them at a time. As a consequence, you cannot use PKCS#15 and CAC tokens using the same configuration. To work around the problem, install one of the following:
  • the opensc package for PKCS#15 and PIV support
  • the coolkey package for CAC, Coolkey, and PIV support (BZ#1367919)

Running commands on servers with an earlier version of IdM takes unexpectedly long

When a user on an Identity Management (IdM) client running IdM version 4.4 runs a command, IdM checks if the server contacted by the client supports the new command schema. Because this information is not cached, the check is performed every time the client contacts the server, which prolongs the time required to invoke commands on servers running an earlier version of IdM. If the user runs a new command introduced in IdM 4.4, it might even seem that the operation will not complete, because the server does not recognize the command. (BZ#1357488)

Tree-root domains in a trusted AD forest are not marked as reachable through the forest root

When an Active Directory (AD) forest contains tree-root domains (a separate DNS domain), Identity Management (IdM) might fail to correctly route authentication requests to the tree-root domain's domain controllers. As result, users from a tree-root domain might fail to authenticate against services hosted in IdM. (BZ#1318169)

The IdM web UI does not show certificates issued by sub-CAs

To display the certificates issued by a certificate authority (CA), the web UI uses the ipa cert-find command to query the CA name, and then the ipa cert-show command with the CA name added. However, ipa cert-find command currently does not return the CA name. As a consequence, an attempt to display the details page for a certificate issued by a sub-CA fails with an error in the web UI. Note that certificates issued by the IdM CA are displayed as expected. (BZ#1368424)

Third-party certificate trust flags are reset after installing an external CA into IdM

The ipa-ca-install --external-ca command, used to install an external certificate authority (CA) into an existing Identity Management (IdM) domain, generates a certificate signing request (CSR) that the user must submit to the external CA.
When using a previously installed third-party certificate to sign the CSR, the third-party certificate trust flags in the NSS database are reset. Consequently, the certificate is no longer marked as trusted. In addition, checks performed by the mod_nss module fail, and the httpd.service fails to start. The CA installation fails with the following message in this situation:
CA failed to start after 300 seconds
As a workaround, after this message appears, reset the third-party certificate flags to their previous state and restart httpd.service. For example, if the ca1 certificate previously had the C,, trust flags:
# certutil -d /etc/httpd/alias -n 'ca1' -M -t C,,
# systemctl restart httpd.service
This restores the system to the correct state. (BZ#1318616)

The certmonger service fails to request certificates from IdM sub-CAs

The certmonger service uses incorrect API calls to request certificates from IdM sub-CAs. As a consequence, the sub-CA setting is ignored and the certificate is always issued by the IdM root CA. There is currently no known workaround. (BZ#1367683)

Adding an IdM OTP token with a custom key does not work

When the user runs the ipa otptoken-add command with the --key option to add a new one-time password (OTP) token, the Identity Management (IdM) command line converts the token key provided by the user incorrectly. Consequently, the OTP token created in IdM in this situation is invalid. Attempts to authenticate using the OTP token fail. (BZ#1368981)

Machines joined to a realm are not able to resolve centrally managed supplementary groups

Installing an Identity Management (IdM) server or client does not add the sss option to the initgroups lookup entry in the /etc/nsswitch.conf file. As a consequence, looking up secondary groups for users managed by SSSD does not work as expected. As a work around, remove or comment out the line starting with initgroups in the /etc/nsswitch.conf file before the installation. This ensures that machines joined to the realm resolve centrally managed supplementary groups as expected. (BZ#1366569)

SSSD default configuration fails to integrate with other services

The System Security Services Daemon's (SSSD) /usr/lib64/sssd/conf/sssd.conf default configuration file uses a auto-configured domain to proxy all requests to the /etc/passwd and /etc/groups files. On systems having SELinux disabled or running in permissive mode, SSSD copies the default configuration to /etc/sssd/sssd.conf if this file does not exist when the daemon is being started. However, the proxy configuration fails to integrate with tools like realmd or ipa-client-install. To work around this problem, modify the /etc/sssd/sssd.conf file and remove:
  • shadowutils from the domains parameter
  • the [domain/shadowutils] section
As a result, tools using SSSD work correctly. (BZ#1369118)

realmd fails to remove the computer account from AD

Red Hat Enterprise Linux uses Samba as default back end for Active Directory (AD) domain memberships. In this case, if you manually set a computer name using the --computer-name option with the realm join command, the account cannot be removed from AD when you leave the domain. To work around this problem, do not use the --computer-name option and instead add the computer name to the /etc/realmd.conf file. For example:
[domain.example.com]
computer-name = host_name
With the workaround, the host is successfully joined to the domain and the account is automatically removed if you leave the domain using the realm leave --remove command. (BZ#1293390)

sss_override commands fail if an override was created without -n option

Red Hat Enterprise Linux 7.3 introduced local overrides to the System Security Services Daemon (SSSD). However, a known issue in the sss_override command currently causes all export, find, and show operations for users and groups to fail if one or more records in the cache do not contain a name record. If you encounter this problem, delete the override which is missing the name record. For example:
# sss_override user-del user_name
Alternatively, you can clear the SSSD cache manually to remove all overrides:
# systemctl stop sssd
# rm -f /var/lib/sss/db/*
# systemctl stop sssd
To avoid this problem, always add the -n option to the sss_override command when you create an override. For example:
# sss_override user-add user_name -s /bin/bash -n user_name
As a result, all sss_override operations are working. (BZ#1373420)

The old realmd version is started when updating realmd while it is running

The realmd daemon starts only when requested, then performs a given action, and after some time it times out. When realmd is updated while it is still running, the old version of realmd starts upon a next request because realmd is not restarted after the update. To work around this problem, make sure that reamld is not running before updating it. (BZ#1274368)

SSSD fails to manage autofs mappings from a LDAP tree

Previously, the System Security Services Daemon (SSSD) implemented incorrect default values for autofs mappings when using the RFC2307 LDAP schema. A patch has been applied, which fixed the defaults to match the schema. However, users connecting to LDAP servers that contain mappings with the schema SSSD previously used, are not able to load the autofs attributes. Affected users see the following error reported in the /var/log/messages log file:
Your configuration uses the autofs provider with schema set to rfc2307 and default attribute mappings. The default map has changed in this release, please make sure the configuration matches the server attributes.
To work around this problem, modify the /etc/sssd/sssd.conf file and set your domain to use the existing attribute mappings:
[domain/EXAMPLE]
...
ldap_autofs_map_object_class   = automountMap
ldap_autofs_map_name           = ou
ldap_autofs_entry_object_class = automount
ldap_autofs_entry_key          = cn
ldap_autofs_entry_value        = automountInformation
As a result, SSSD is able to load autofs mappings from the attributes. (BZ#1372814)

Chapter 52. Compiler and Tools

Accessing Red Hat Gluster Storage over libgfapi on KVM guests fails

When using a KVM guest virtual machine, accessing Red Hat Gluster Storage with the libgfapi service, for example by running the qemu-img or qemu-systems-x86_64 command on the host machine, fails with an invalid argument error. There is currently no known workaround. (BZ#1356372)

Chapter 53. Desktop

Closing laptop lid breaks the GNOME multi-display configuration

When using a laptop with the GNOME graphical environment that is connected to one or more external displays, closing the lid to suspend the laptop sometimes causes windows and icons to be moved between displays and the display layout to be reset when the system is resumed. To work around this problem, open the GNOME Displays interface, which causes the display configuration to be reloaded. (BZ#1360906)

Chapter 54. File Systems

The default option specification is not overridden by the host-specific option in /etc/exports

The 'sec=sys' is used in the default option section of the /etc/exports file, and the following option list is not parsed correctly. As a consequence, the default option cannot be overridden by the host-specific option. (BZ#1359042)

Chapter 55. Hardware Enablement

Serial console is now configured correctly on Cavium ThunderX 64-bit ARM systems

Previously, Cavium ThunderX (CN88XX series) ARM systems did not set up a serial console by default due to a firmware problem. Now, the problem in firmware has been fixed, and serial console is now configured correctly. (BZ#1268193)

i40e no longer issues warn_slowpath warnings during boot

Previously, the i40e driver was issuing warn_slowpath warnings during a ring size change because the code was cloning the rx_ring struct but not zeroing out the pointers before allocating new memory. With this update, the bug is fixed, and the warnings are no longer shown. (BZ#1272833)

The netprio_cgroups module is now mounted at boot

Previously, systemd mounted the /sys/fs/cgroup/ directory as read-only, which prevented mounting of the /sys/fs/cgroup/net_prio/ directory during the initial system setup. Consequently, the netprio_cgroups module was not mounted at boot. With this update, this problem has been fixed, and the netprio_cgroups module is now mounted at boot. (BZ#1262204)

Setting up bonding with qlcnic fails

Prior to this update, certain bonding modes, such as balance-tlb or balance-alb, set a MAC address that was not properly stored. This MAC address was not restored when tearing down the bond, leaving a duplicate MAC in place. Consequently, re-establishing a bond failed, because the original MAC address was not present. This update improves the code to properly restore the MAC addresses when the bonding is taken down. As a result, bonding with qlcnic devices works as expected. (BZ#1265058)

Platforms relying on DDF-based RAID are not supported

Disk Data Format (DDF)-based BIOS RAID is currently not supported in Red Hat Enterprise Linux. This includes systems using the LSI BIOS, which require the megasr proprietary driver.
However, on certain systems, such as IBM System z servers with the ServeRAID adapter, it is possible to disable RAID in the BIOS. To do this, enter the \"UEFI\" menu and navigate through the \"System Settings and Devices\" and \"I/O Ports\" menus to the \"Configure the onboard SCU\" submenu. Then change the SCU setting from RAID to nonRAID. Save your changes and reboot the system. In this mode, the storage is configured using an open-source non-RAID LSI driver available in Red Hat Enterprise Linux, such as mptsas, mpt2sas, or mpt3sas.
To obtain the megasr driver for IBM systems refer to the IBM support page:
Note that the described restriction does not apply to LSI adapters that use the megaraid driver, as such adapters implement RAID functions in firmware. (BZ#1067292)

Chapter 56. Installation and Booting

Dell Latitude E6430 laptops shut down unexpectedly

When booting a Dell Latitude E6430 laptop with an Nvidia graphics card and Nvidia Optimus enabled in the BIOS, as soon as the system attempts to use the Nvidia GPU, the system shuts down. The BIOS then incorrectly displays a system board thermal trip error at next boot. To work around this problem, use the nouveau.runpm=0 parameter when booting. However, note that using nouveau.runpm=0 can increase power consumption. (BZ#1349827)

The Initial Setup utility's text-based interface starts correctly on IBM System z

An update to the Initial Setup utility introduced a bug which prevented its text-based interface from starting on IBM System z. This bug has been fixed. (BZ#1366776)

Formatting DASDs works correctly during a text-based installation

Previously, a bug prevented DASDs from being correctly formatted during a text-based installaton. As a consequence, DASDs that were unformatted or incorrectly formatted had to be manually formatted before use. This bug has been fixed, and the installer can now format DASDs when performing a text-based installation. (BZ#1259437)

Insufficient /boot partition size may prevent the system from upgrading

The /boot partition, which contains installed kernels and initial ram disks, may become full if multiple kernels and additional packages such as kernel-debug are installed. This is caused by the default size of this partition being set to 500 MB during installation, and prevents the system from being upgraded.
As a workaround, use yum to remove older kernels if you do not need them.
This known issue only affects installation made with Red Hat Enterprise Linux 7.2 and earlier. In Red Hat Enterprise Linux 7.3, the default size of the /boot partition is increased to 1 GB, which avoids this problem in future upgrades. (BZ#1270883)

Chapter 57. Kernel

Red Hat Beta public key certificate needs to be loaded manually

The system administrator can use the machine owner key (MOK) mechanism to load the corresponding Red Hat Beta public key certificate which is needed to authenticate the kernel included in a Red Hat Enterprise Linux Beta release. The enrollment of the Red Hat Certificate Authority (CA) Beta public key is a one-time procedure for any system on which Red Hat Enterprise Linux 7.3 Beta will be run with UEFI Secure Boot enabled:
1. Turn UEFI Secure Boot off and install Red Hat Enterprise Linux 7.3 Beta.
2. Install the kernel-doc package if it is not already installed. It provides a certificate file that contains the Red Hat CA public Beta key in the file: /usr/share/doc/kernel-keys/<kernel-ver>/kernel-signing-ca.cer, where <kernel-ver> is the kernel version string without the platform architecture suffix, for example, 3.10.0-314.el7.
3. Manually request enrollment of the public key to the Machine Owner Key (MOK) list on the system using the mokutil utility. Run the following command as the root user:
mokutil --import /usr/share/doc/kernel-keys/<kernel-ver>/kernel-signing-ca.cer
You will be asked to supply a password for the enrollment request.
4. On the next boot of the system, you will be prompted on the system console to complete the enrollment of the MOK request. You will need to respond to the prompts and supply the password that you provided to mokutil in step 3.
5. When you complete the MOK enrollment, the system will be reset and will reboot. You can re-enable UEFI Secure Boot on that reboot, or on any subsequent reboot of the system. (BZ#1261767)

Some ext4 file systems cannot be resized

Due to a bug in the ext4 code, it is currently impossible to resize ext4 file systems that have 1 kilobyte block size and are smaller than 32 megabytes. (BZ#1172496)

Hard lock-up of the screen can occur on laptops using integrated graphics in the 6th Generation Intel Core processors

Situations causing this bug include:
  • moving the cursor between the edges of the monitor
  • moving the cursor between multiple monitors
  • changing any aspect of the monitor configuration
  • docking or undocking the machine
  • plugging or unplugging a monitor (BZ#1341633)

Multiple problems sometimes occur on systems with persistent memory

The following problems can occur during boot on systems with persistent memory, either real Non-Volatile Dual In-line Memory Modules (NVDIMMs) or emulated NVDIMMs using the memmap=X!Y kernel command-line parameter:
  • the onlining of persistent memory causes the following messages to be displayed for every block (128 MB) of pmem devices:
    Built 2 zonelists in Zone order, mobility grouping on.  Total pages: 8126731Policy zone: Normal

  • the system becomes unresponsive
  • the following BUG message is displayed:
   BUG: unable to handle kernel paging request at ffff88007b7eef70 (BZ#1367257)

Looking up transport or association can lead to kernel panic

Due to a use-after-free bug, the kernel's stream control transmission protocol (SCTP) implementation does not hold the pointer to the transport path while it is in use. As a consequence, another CPU can free the pointer, access the memory which should be unavailable, and a kernel panic occurs. Work to address this issue is being tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1368884. (BZ#1368884)

dracut displays a harmless error message about a non-existent /etc/hba.conf

When dracut creates an initial RAM file system (initramfs) with Fibre Channel over Ethernet (FCoE) support, if the /etc/hba.conf file does not exist, dracut displays an error message. You can safely ignore this message. (BZ#1373129)

Harmless soft lockup in IBM POWER8 guest kernel

Due to an incorrect value in the virtual time base (VTB) register, the kernel of an IBM POWER8 guest in some cases incorrectly detects a soft lockup condition, logs a call trace, and reports the following error:
MI watchdog: BUG: soft lockup - CPU#x stuck for XXs
This error does not have any harmful effect and can be safely ignored. To remove the error message, disable dynamic hyper-threading by loading the kvm-hv kernel module with the following command:
modprobe kvm-hv dynamic_mt_modes=0 target_smt_mode=1
(BZ#1350719)

Chapter 58. Networking

Verification of signatures using the MD5 hash algorithm is disabled in Red Hat Enterprise Linux 7

It is not possible to connect to any Wi-Fi Protected Access (WPA) Enterprise Access Point (AP) that requires MD5 signed certificates. To work around this problem, copy the wpa_supplicant.service file from the /usr/lib/systemd/system/ directory to the /etc/systemd/system/ directory and add the following line to the Service section of the file:
Environment=OPENSSL_ENABLE_MD5_VERIFY=1
Then run the systemctl daemon-reload command as root to reload the service file.
Important: Note that MD5 certificates are highly insecure and Red Hat does not recommend using them. (BZ#1062656)

Chapter 59. Security

The openscap packages do not install atomic as a dependency

The OpenSCAP suite enables integration of the Security Content Automation Protocol (SCAP) line of standards. The current version adds the ability to scan containers using the atomic scan and oscap-docker commands. However, when you install only the openscap, openscap-utils, and openscap-scanner packages, the atomic package is not installed by default. As a consequence, any container scan command fails with an error message. To work around this problem, install the atomic package by running the yum install atomic command as root. (BZ#1356547)

CIL does not have a separate module statement

The new SELinux userspace uses SELinux Common Intermediate Language (CIL) in the module store. CIL treats files as modules and does not have a separate module statement, the module is named after the file name. As a consequence, this can cause confusion when a policy module has a name that is not the same as its base filename, and the semodule -l command does not show the module version. Additionaly, semodule -l does not show disabled modules. To work around this problem, list all modules using the semodule --l=full command. (BZ#1345825)

Chapter 60. Servers and Services

ReaR creates two ISO images instead of one

In ReaR, the OUTPUT_URL directive enables specifying location for the ISO image containing the rescue system. Currently, with this directive set, ReaR creates two copies of the ISO image: one in the specified directory and one in the /var/lib/rear/output/ default directory. This requires additional space for the image. This is especially important if a full-system backup is included into the ISO image (using the BACKUP=NETFS and BACKUP_URL=iso:///backup/ configuration).
To work around this behavior, delete the extra ISO image once ReaR has finished working or, to avoid having a period of time with double storage consumption, create the image in the default directory and then move it to the desired location manually.
There is a request for enhancement to change this behavior and make ReaR create only one copy of the ISO image. (BZ#1320552)

Chapter 61. Storage

No support for thin provisioning on top of RAID in a cluster

While RAID logical volumes and thinly provisioned logical volumes can be used in a cluster when activated exclusively, there is currently no support for thin provisioning on top of RAID in a cluster. This is the case even if the combination is activated exclusively. Currently this combination is only supported in LVM's single machine non-clustered mode. (BZ#1014758)

When using thin-provisioning, it is possible to lose buffered writes to the thin-pool if it reaches capacity

If a thin-pool is filled to capacity, it may be possible to lose some writes even if the pool is being grown at that time. This is because a resize operation (even an automated one) will attempt to flush outstanding I/O to the storage device prior to the resize being performed. Since there is no room in the thin-pool, the I/O operations must be errored first to allow the grow to succeed. Once the thin pool has grown, the logical volumes associated with the thin-pool will return to normal operation.
As a workaround to this problem, set 'thin_pool_autoextend_threshold' and 'thin_pool_autoextend_percent' appropriately for your needs in the lvm.conf file. Do not set the threshold so high or the percent so low that your thin-pool will reach full capacity so quickly that it does not allow enough time for it to be auto-extended (or manually extended if you prefer). If you are not using over-provisioning (creating logical volumes in excess of the size of the backing thin-pool), then be prepared to remove snapshots as necessary if the thin-pool begins to near capacity. (BZ#1274676)

Chapter 62. System and Subscription Management

The subscription-manager refresh command fails, displaying an error

Due to a bug caused by changes in the API used by the subscription-manager utility, executing the subscription-manager refresh command results in an error. There is no workaround at this point. (BZ#1366301)

Chapter 63. Virtualization

Migration of certain guests from Red Hat Enterprise Linux 7.2 to 7.3 hosts is not possible

Prior to this update, the PCI address of any USB controller that did not have an explicitly specified model value was ignored on IBM Power guest virtual machines. This bug has been fixed, but as a consequence of the fix, it is not possible to perform a live migration of guests that use the described USB controllers from a Red Hat Enterprise Linux 7.2 host to a Red Hat Enterprise Linux 7.3 host, due to the different PCI addresses of the USB controller.
To work around this problem, edit the guest XML file and add a model attribute with the pci-ohci value to the USB <controller> element, for example as follows:
<controller type='usb' model='pci-ohci' index='0'>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</controller>
Afterwards, shut down the guest and start it again for the changes to take effect. As a result, the guest can be migrated from Red Hat Enterprise Linux 7.2 to 7.3. (BZ#1357468)

numad changes QEMU memory bindings

Currently, the numad daemon cannot distinguish between memory bindings that numad sets and memory bindings set explicitly by the memory mappings of a process. As a consequence, numad changes QEMU memory bindings, even when the NUMA memory policy is specified in the QEMU command line. To work around this problem, if manual NUMA bindings are specified in the guest, disable numad. This ensures that manual bindings configured in virtual machines are not changed by numad. (BZ#1360584)

Chapter 64. Atomic Host and Containers

SELinux prevents Docker from running a container

Due to a missing label for the /usr/bin/docker-current binary file, Docker is prevented from running a container by SELinux. (BZ#1358819)

Appendix A. Component Versions

This appendix is a list of components and their versions in the Red Hat Enterprise Linux 7.3 Beta release.

Table A.1. Component Versions

Component
Version
Kernel
3.10.0-493
QLogic qla2xxx driver
8.07.00.33.07.3-k
QLogic qla4xxx driver
5.04.00.00.07.02-k0
Emulex lpfc driver
0:11.1.0.2
iSCSI initiator utils
iscsi-initiator-utils-6.2.0.873-34
DM-Multipath
device-mapper-multipath-0.4.9-96
LVM
lvm2-2.02.163-1

Appendix B. Revision History

Revision History
Revision 0.0-9Fri Sep 23 2016Lenka Špačková
Various additions and updates, namely to Deprecated Functionality.
Revision 0.0-8Mon Sep 19 2016Lenka Špačková
Various additions and updates.
Revision 0.0-7Tue Sep 13 2016Lenka Špačková
Various additions and updates.
Revision 0.0-6Mon Sep 12 2016Lenka Špačková
Various additions and updates.
Revision 0.0-5Fri Sep 09 2016Lenka Špačková
Various additions and updates.
Revision 0.0-4Wed Aug 31 2016Lenka Špačková
Various additions and updates.
Revision 0.0-3Thu Aug 25 2016Lenka Špačková
Release of the Red Hat Enterprise Linux 7.3 Beta Release Notes.