6.7 Release Notes

Red Hat Enterprise Linux 6

Release Notes for Red Hat Enterprise Linux 6.7

Edition 7

Red Hat Customer Content Services

Abstract

The Release Notes provide high-level coverage of the improvements and additions that have been implemented in Red Hat Enterprise Linux 6.7. For detailed documentation on all changes to Red Hat Enterprise Linux for the 6.7 update, refer to the Technical Notes.

Preface

Red Hat Enterprise Linux minor releases are an aggregation of individual enhancement, security, and bug fix errata. The Red Hat Enterprise Linux 6.7 Release Notes document the major changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications for this minor release. Detailed notes on changes (that is, bugs fixed and enhancements added) in this minor release are available in the Technical Notes. The Technical Notes document also contains a complete list of all currently available Technology Previews along with the packages that provide them.
Capabilities and limits of Red Hat Enterprise Linux 6 as compared to other versions of the system are available in the Knowledge Base article available at https://access.redhat.com/articles/rhel-limits.
Should you require information regarding the Red Hat Enterprise Linux life cycle, refer to https://access.redhat.com/support/policy/updates/errata/.

Chapter 1. Authentication

Directory Server supports configurable normalized DN cache

This update provides better performance for plug-ins such as memberOf and for operations which update entries with many DN syntax attributes. The newly implemented configurable normalized DN cache makes DN handling by the server more efficient.

SSSD displays password expiration warnings when using non-password authentication

Previously, SSSD could only verify password validity during the authentication phase. When a non-password authentication method was used, such as during SSH login, SSSD was not called in the authentication phase and therefore did not perform a password validity check. This update moves the check from the authentication phase to the account phase. As a result, SSSD can issue a password expiration warning even when no password is used during authentication. For more information, see the Deployment Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/index.html

SSSD supports login with User Principal Name

In addition to user names, SSSD can now use the User Principal Name (UPN) attribute to identify users and process user logins, a feature available to Active Directory users. With this enhancement, it is possible to log in as an AD user with either the user name and the domain, or the UPN attribute.

SSSD supports background refresh for cached entries

SSSD allows cached entries to be updated out-of-band in the background. Prior to this update, when the validity of cached entries expired, SSSD fetched them from the remote server and stored them in the database anew, which could be time consuming. With this update, entries are returned instantly because the back end keeps them updated at all times. Note that this causes a higher load on the server because SSSD downloads the entries periodically instead of only upon request.

The sudo command supports zlib compressed I/O logs

The sudo command is now built with zlib support, which enables sudo to generate and process compressed I/O logs.

New package: openscap-scanner

A new package, openscap-scanner, is now provided to allow administrators to install and use the OpenSCAP scanner (oscap) without having to install all dependencies of the openscap-utils package, which previously contained the scanner tool. The separate packaging of the OpenSCAP scanner reduces potential security risks associated with installing unnecessary dependencies. The openscap-utils package is still available and contains other miscellaneous tools. Users who only need the oscap tool are advised to remove the openscap-utils package and install the openscap-scanner package.

New package: scap-workbench for easy SCAP evaluation

SCAP Workbench enables easy-to-use SCAP content tailoring and single-machine evaluation. It greatly lowers the entry barrier with its integration of scap-security-guide content. Prior to this update, Red Hat Enterprise Linux 6 included the scap-security-guide and openscap packages, but not the scap-workbench package. Without SCAP Workbench, the command line is required to test SCAP evaluation, which is error prone and a major obstacle for some users. SCAP Workbench enables users to easily customize their SCAP content and test evaluation on single machines.

If supported by NSS, TLS 1.0 or newer is enabled by default

Due to CVE-2014-3566, SSLv3 and older protocol versions are disabled by default. Directory Server now accepts more secure protocols, such as TLSv1.1 and TLSv1.2, using the protocol version range mechanism offered by the NSS library. You can also define the SSL version range that the console uses when communicating with Directory Server instances.

openldap includes the pwdChecker library

This update introduces the Check Password extension for OpenLDAP by including the OpenLDAP pwdChecker library. The extension is required for PCI compliance in Red Hat Enterprise Linux 6.

SSSD supports overriding automatically discovered AD site

The Active Directory (AD) DNS site to which the client connects is discovered automatically by default. However, the default automatic search might not discover the most suitable AD site in certain setups. In such situations, you can now define the DNS site manually using the ad_site parameter in the [domain/NAME] section of the /etc/sssd/sssd.conf file. For more information about ad_site, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

certmonger supports SCEP

The certmonger service has been updated to support the Simple Certificate Enrollment Protocol (SCEP). Certificates can now be obtained from servers that offer enrollment over SCEP.

Performance improvements for Directory Server delete operations

Previously, the recursive nested group look-ups performed during a group delete operation could take a long time to complete if there were very large static groups. The new memberOfSkipNested configuration attribute has been added to allow skipping the nested group check, thus improving performance of delete operations significantly.

SSSD supports user migration from WinSync to Cross-Realm Trust

ID Views, a new mechanism for user configuration, has been implemented in Red Hat Enterprise Linux 6.7. ID Views enables migration of Identity Management users from a WinSync synchronization-based architecture used with Active Directory to an infrastructure based on Cross-Realm Trusts. For details on ID Views and the migration procedure, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

SSSD supports localauth Kerberos plug-in

This update adds the localauth Kerberos plug-in for local authorization. The plug-in ensures that Kerberos principals are automatically mapped to local SSSD user names. With this plug-in, it is no longer necessary to use the auth_to_local parameter in the krb5.conf file. For more information about the plug-in, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

SSSD supports access to specified applications without system login rights

The domains= option has been added to the pam_sss module, which overrides the domains= option in the /etc/sssd/sssd.conf file. This update also adds the pam_trusted_users option, which allows the user to add a list of numerical UIDs or user names that are trusted by the SSSD daemon. In addition to that, the pam_public_domains option and a list of domains accessible even for untrusted users have been added. These new options enable a system configuration that allows regular users to access specified applications without login rights on the system itself. For more information, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

SSSD supports consistent user environment across AD and IdM

The sssd service can read POSIX attributes defined on an Active Directory (AD) server that is in a trust relationship with Identity Management (IdM). With this update, the administrator can transfer a custom user shell attribute from the AD server to an IdM client. SSSD then displays the custom attribute on the IdM client. This update enables maintaining consistent environments across the whole enterprise. Note that the homedir attribute on the client currently displays the subdomain_homedir value from the AD server. For more information, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

SSSD supports displaying groups for AD trusted users before login

Active Directory (AD) users from domains of an AD forest in a trust relationship with Identity Management (IdM) are now able to resolve group memberships prior to logging in. As a result, the id utility now displays the groups for these users without requiring the users to log in.

getcert supports requesting certificates without certmonger

Requesting a certificate using the getcert utility during an Identity Management (IdM) client kickstart enrollment no longer requires the certmonger service to be running. Previously, an attempt to do this failed because certmonger was not running. With this update, getcert can successfully request a certificate in the described situation, on the condition that the D-Bus daemon is not running. Note that certmonger starts to monitor the certificate obtained in this way only after reboot.

SSSD supports preserving case of user identifiers

SSSD now supports the true, false, and preserve values for the case_sensitive option. When the preserve value is enabled, the input matches regardless of the case, but the output is always the same case as on the server; SSSD preserves the case for the UID field as it is configured.

SSSD supports denying locked accounts SSH login access

Previously, when SSSD used OpenLDAP as its authentication database, users could authenticate into the system successfully with an SSH key even after the user account was locked. The ldap_access_order parameter now accepts the ppolicy value which can deny SSH access to the user in the described situation. For more information about using ppolicy, see the ldap_access_order description in the sssd-ldap(5) man page.

SSSD supports using GPOs on AD

SSSD can now use Group Policy Objects (GPOs) stored on an Active Directory (AD) server for access control. This enhancement mimics the functionality of Windows clients, and a single set of access control rules can now be used to handle both Windows and Unix machines. In effect, Windows administrators can now use GPOs to control access to Linux clients. For more information, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

Chapter 2. Clustering

corosync now tests for correct network interface configuration in RRP mode

RRP does not work when the IP address/port number pairs are the same or the IP versions are mixed. Corosync now checks whether the network interfaces have a different IP address/port number pair and whether they use the same IP version.

Support for fence_ilo_ssh fencing agent

The fence_ilo_ssh fencing agent is a fence agent that connects to an iLO device. It logs into the device using SSH and reboots a specified outlet. For information on the parameters for the fence_ilo_ssh fencing agent, see the fence_ilo_ssh(8) man page.

Support for fence_mpath fencing agent

The fence_mpath fencing agent is an I/O fencing agent that uses SCSI-3 persistent reservations to control access to multipath devices. For information on the operation of this fencing agent and for descriptions of its parameters, see the fence_mpath(8) man page.

Corosync UDPU now automatically sends messages to the appropriate ring members only

Previously, when using UDPU, all messages were sent to all configured members, as opposed to only the active members. This is appropriate for merge detection messages, but for everything else it creates unnecessary traffic to missing members and may trigger excessive ARP requests on the network. Corosync has been modified to send most UDPU messages to active members only, with the exception of the messages required for proper detection of a merge or a new member (1 to 2 packets per second).

Support for new SAPHanaTopology and SAPHana resource agents in Pacemaker

The resource-agents-sap-hana package provides two Pacemaker resource agents, SAPHanaTopology and SAPHana. These resource agents allow you to configure a Pacemaker cluster to manage a SAP HANA Scale-Up System Replication environment on Red Hat Enterprise Linux.

Support for fence_emerson fencing agent

The fence_emerson fencing agent is a fence agent for Emerson devices over SNMP. It is an I/O fencing agent that can be used with MPX and MPH2 managed rack PDUs. For information on the parameters for the fence_emerson fencing agent, see the fence_emerson(8) man page.

Chapter 3. Compiler and Tools

gcc supports hotpatching on System z binaries

The gcc hotpatch attribute implements support for online patching of multithreaded code on System z binaries. With this update, it is possible to select specific functions for hotpatching using a function attribute and to enable hotpatching for all functions using the -mhotpatch= command-line option.
Because enabled hotpatching has a negative impact on software size and performance, it is recommended to enable hotpatching only for specific functions rather than enabling hotpatch support in general.

Changed curl support for TLS versions

This update introduces the new options --tlsv1.0, --tlsv1.1, and --tlsv1.2 of curl to specify minor versions of the TLS protocol to be negotiated by NSS. The corresponding CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and CURL_SSLVERSION_TLSv1_2 constants have been introduced in the libcurl API for this purpose. The semantics of the already existing --tlsv1 option of curl, and the CURL_SSLVERSION_TLSv1 constant of libcurl API, have been modified to negotiate the highest TLS 1.x protocol supported by both client and server.

Python ConfigParser handles options without values gracefully

Python ConfigParser was designed to require a value for each option but certain configuration files, such as my.cnf, contain options without values. Consequently, ConfigParser failed to read such config files. This feature has been backported to Python 2.6.6, and ConfigParser is now able to read configuration files that contain options with no values.
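As an added illustration (not part of the release notes or the Python project), the following Python 3 snippet reproduces the failure mode described above and the behaviour after the backport, using a constructed my.cnf sample. It assumes the backported parameter carries the upstream name allow_no_value, which is how Python 2.7 and Python 3 spell it; the hardening check for skip-networking is the kind of configuration audit that previously could not read such a file at all.

```python
import configparser

# Constructed sample in the style of /etc/my.cnf. "skip-networking" is a
# hardening option that takes no value, which is exactly the construct the
# original ConfigParser rejected.
SAMPLE_MY_CNF = """\
# MySQL server configuration (constructed sample)
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
skip-networking
symbolic-links=0

[mysqld_safe]
log-error=/var/log/mysqld.log
"""


def strict_parse_fails(text):
    """Return True if the pre-backport behaviour (every option needs a value)
    rejects the file, which is what happened with my.cnf before this update."""
    parser = configparser.RawConfigParser()  # allow_no_value defaults to False
    try:
        parser.read_string(text)
    except configparser.ParsingError:
        return True
    return False


def parse_options(text):
    """Parse with allow_no_value=True (assumed upstream name of the backported
    feature) and return {section: {option: value}}. Options without a value
    are stored as None instead of aborting the whole read."""
    parser = configparser.RawConfigParser(allow_no_value=True)
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def networking_disabled(text):
    """Hardening check a configuration auditor might run: is the MySQL server
    configured with skip-networking (local socket connections only)?"""
    parser = configparser.RawConfigParser(allow_no_value=True)
    parser.read_string(text)
    return parser.has_option("mysqld", "skip-networking")


if __name__ == "__main__":
    print("strict parser rejects my.cnf:", strict_parse_fails(SAMPLE_MY_CNF))
    print("parsed options:", parse_options(SAMPLE_MY_CNF))
    print("skip-networking present:", networking_disabled(SAMPLE_MY_CNF))
```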

tcpdump supports -J, -j, and --time-stamp-precision options

As the kernel, glibc, and libpcap now provide APIs to obtain nanosecond-resolution timestamps, tcpdump has been updated to leverage this functionality. Users can now query which timestamp sources are available (-J), set a specific timestamp source (-j), and request timestamps with a specified resolution (--time-stamp-precision).

Improved utilities for copying data between SCSI devices

More efficient utilities for copying data between storage devices that benefit from the SCSI protocol have been introduced to the sg3_utils package. To enable this functionality, the sg_xcopy and sg_copy_results programs have been backported to the sg3_utils package.

ethtool supports defining custom RSS hash keys

Improvements have been added to ethtool so that custom hash keys for RSS can now be defined. This improvement helps to utilize receiving queues according to traffic received, and allows for performance and security enhancements by selecting suitable keys for the expected traffic.

Setdirection support has been added to tcpdump

The tcpdump package now includes setdirection support; this allows you to specify, as an argument to the -P flag, that only received packets (-P in), only sent packets (-P out), or both (-P inout) should be captured.

sysctl can now read from a group of system directories

This update introduces the new --system option to the sysctl utility. This option enables sysctl to process configuration files from a group of system directories.

mcelog packages upgraded to upstream version 109

The mcelog packages have been upgraded to upstream version 109, which provides a number of bug fixes and enhancements over the previous version. Notably, mcelog now supports Intel Core i7 CPU architectures.

biosdevname upgraded to upstream version 0.6.2

The biosdevname package has been upgraded to upstream version 0.6.2 and, among other features, provides the dev_port attribute for the new Mellanox driver and allows the naming of FCoE devices to be ignored.

Improvements in the PCRE library

To allow the grep utility to recover from PCRE matching failures if the binary file is not a valid UTF-8 sequence, the following features have been backported to the PCRE library:
  • The pcre_exec() function now checks for out-of-range starting offset values and reports PCRE_ERROR_BADOFFSET errors instead of reporting PCRE_ERROR_NOMATCH errors or looping infinitely.
  • If the pcre_exec() function is called to perform a UTF-8 match on an invalid UTF-8 subject string and the ovector array argument is large enough, the offset of the first invalid UTF-8 byte in the subject string, as well as the detailed reason code, are returned in the ovector array elements. In addition, the pcretest utility can now be used to display these details. Note that with this update, the pcre_compile() function reports the first invalid UTF-8 byte instead of the last byte. Also note that the signature of the pcre_valid_utf8() function, which is not intended for public use, has been changed. Finally, note that the pcretest utility now appends human-readable error messages to error codes.

Support for Intel AVX-512 in glibc Dynamic Loader

The glibc dynamic loader now supports Intel AVX-512 extensions. This update allows the dynamic loader to save and restore AVX-512 registers as required, thus preventing AVX-512-enabled applications from failing because of audit modules that also use AVX-512.

Valgrind recognizes Intel MPX instructions

Valgrind did not recognize Intel Memory Protection Extensions (MPX) instructions or instructions using the MPX bnd prefix. Consequently, Valgrind terminated programs that used MPX instructions with a SIGKILL signal. Valgrind now recognizes the new MPX instructions and bnd prefixes. All new MPX instructions are currently implemented as no-operation instructions, and the bnd prefix is ignored. As a result, programs using MPX instructions or bnd prefixes run under Valgrind as if MPX were not enabled on the CPU, and are no longer terminated.

free supports human-readable output

The new -h option has been added to the free utility. The purpose of this option is to show all output fields automatically scaled to the shortest three-digit representation including the unit, making the output conveniently human-readable.

w supports the -i option

The w utility now includes the -i option to display IP addresses instead of host names in the FROM column.

vim rebase to version 7.4

The vim packages have been updated to upstream version 7.4, which provides various bug fixes and enhancements over the previous version. Notable changes are:
  • The Vim text editor now supports persistent undo history, which can be enabled by setting the undofile option. By default, when unloading a buffer, Vim destroys the tree of changes created for that buffer. When persistent undo is enabled, Vim automatically saves the history of changes and restores it when the buffer is reopened.
  • This update introduces a new regular expression engine. The previous engine used a backtracking algorithm: the pattern was matched against the text in one way and, when that attempt failed, the pattern was matched in another way. This engine worked correctly for simple patterns, but it took significantly longer to match a complex pattern in a longer text. The new engine uses state machine logic: it tries all possible alternatives at the current character and stores the possible states of the pattern. Although this process is slightly slower for simple patterns, matching complex patterns against longer texts is faster. Most notably, syntax highlighting for JavaScript and XML files with long lines was improved by this change.

Chapter 4. Desktop

Kate now retains printing preferences

Previously, the Kate text editor did not retain printing preferences, which meant that the user was forced to set all the Header & Footer and Margin preferences after every print job or session. This bug has been fixed, and Kate again retains the printing preferences as expected.

LibreOffice upgrade

The libreoffice packages have been upgraded to upstream version 4.2.8.2, which provides a number of bug fixes and enhancements over the previous version, including:
  • OpenXML interoperability has been improved.
  • Additional statistics functions have been added to the Calc application, thus improving interoperability with Microsoft Excel and its Analysis ToolPak add-in.
  • Various performance improvements have been implemented in Calc.
  • This update adds new import filters for importing files from the Apple Keynote and Abiword applications.
  • The export filter for the MathML markup language has been improved.
  • This update adds a new start screen that includes thumbnails of recently opened documents.
  • A visual clue is now displayed in the Slide Sorter window for slides with transitions or animations.
  • This update improves trend lines in charts.
  • LibreOffice now supports BCP 47 language tags.
For a complete list of bug fixes and enhancements provided by this upgrade, refer to https://wiki.documentfoundation.org/ReleaseNotes/4.2

New package: libgovirt

The libgovirt package has been added to this Red Hat Enterprise Linux release. The libgovirt package is a library that allows the remote-viewer tool to connect to virtual machines managed by oVirt and Red Hat Enterprise Virtualization.

dejavu-fonts upgraded to upstream version 2.33

The dejavu-fonts packages have been upgraded to upstream version 2.33, which provides a number of bug fixes and enhancements over the previous version. Notably, this adds a number of new characters and symbols to the supported fonts.

Support for transliteration from Latin to US-ASCII

Prior to this update, icu in Red Hat Enterprise Linux 6 did not support the Latin to US-ASCII transliteration mode of the transliterator_transliterate() function. Consequently, the user could not, for example, easily remove non-ASCII characters from PHP code strings. With this update, the user can use transliterator_transliterate() to transliterate Latin characters to US-ASCII characters.

Chapter 5. General Updates

New package: redhat-access-insights

Red Hat Access Insights is a proactive service designed to enable you to identify, examine, and resolve known technical issues before they affect your deployment. Insights leverages the combined knowledge of Red Hat Support Engineers, documented solutions, and resolved issues to deliver relevant, actionable information to system administrators.
The service is hosted and delivered through the customer portal at https://access.redhat.com/insights/ or via Red Hat Satellite. To register your systems, please follow the latest Getting Started Guide for Insights, which is available at: https://access.redhat.com/insights/getting-started/.

redhat-release-server includes a fallback product certificate

In some scenarios, it is possible to install Red Hat Enterprise Linux without a corresponding product certificate. To ensure that a product certificate is always present for registration, a fallback certificate is now delivered with redhat-release-server.

Increased gPXE retry timeout values

This update increases the retry timeout values used by gPXE to conform to RFC 2131 and the PXE specification. The total timeout is now 60 seconds.

Enhanced maintainability for Linux IPL code

A new version of the zipl boot loader makes inclusion of bug fixes and new features in the boot loader easier.

Improved performance of the dasdfmt utility

The kernel internal handling of format requests has been reorganized and the usage of the PAV feature is now enabled to accelerate format requests. This feature speeds up formatting of large DASDs in use today and prepares for even larger DASDs that are expected to come in the future.

lscss supports verified path masks

The lscss utility on IBM System z, which gathers and displays subchannel information from sysfs, now displays a verified path mask when listing I/O devices.

wireshark supports reading from stdin

Previously, when process substitution with large files was used as input, Wireshark failed to properly decode such input. As of the latest version, Wireshark now successfully reads these files.

Boot menu in seabios accessible with Esc key

The boot menu in seabios is now accessible by pressing the Esc key. This makes the boot menu accessible on systems such as OS X, which may intercept certain function keys, including the F12 key that was used previously, and use them for other functions.

wireshark supports nanosecond precision

Previously, Wireshark only recorded microsecond precision in the pcapng format. As of the latest version, Wireshark supports nanosecond precision, allowing for more accurate timestamps.

lsdasd supports detailed path information for DASDs

The lsdasd utility, which is used to gather and display information about DASD devices on IBM System z, now shows detailed path information such as installed and in-use paths.

lsqeth now displays switch port attributes

The lsqeth tool, which is used on IBM System z to list qeth-based network device parameters, now includes switch port attributes (displayed as switch_attrs) in its output.

fdasd supports GPFS partitions

The fdasd utility, which is used to manage disk partitions on ECKD DASDs on IBM System z, now recognizes GPFS as a supported partition type.

ppc64-diag rebase to version 2.6.7

The ppc64-diag packages have been upgraded to upstream version 2.6.7, which provides a number of bug fixes and enhancements over the previous version.

Support for OpenJDK 8 added to JPackage Utilities

OpenJDK 8 was added in RHEL 6.6, but system Java applications could not be run with it due to the lack of OpenJDK 8 support in the jpackage-utils package. This has been resolved, and the RHEL 6.7 jpackage-utils package includes support for running system applications with OpenJDK 8.

preupgrade-assistant supports different modes for upgrading and migrating

To support the different operating modes of the preupg command, additional options are now available in the configuration files. This enables the tool to return only the required data for the operating mode selected. Currently only upgrade mode is supported.

Chapter 6. Hardware Enablement

Intel Ethernet server adapter X710/XL710 support

Red Hat Enterprise Linux 6.7 adds the i40e and i40evf kernel drivers, which enable support for Intel X710 and XL710 family Ethernet adapters. These drivers are provided as Technology Preview only.

Realtek 5229 card reader support

This update introduces support for the Realtek 5229 card reader.

AMD GX-212JC processor support

This update introduces support for the AMD GX-212JC processor.

Chapter 7. Installation and Booting

rpm supports ordered installation based on package tags

The OrderWithRequires feature has been added to the RPM Package Manager, which utilizes the new OrderWithRequires package tag. If a package specified in OrderWithRequires is present in a package transaction, it is installed before the package with the corresponding OrderWithRequires tag is installed. However, unlike the Requires package tag, OrderWithRequires does not generate additional dependencies, so if the package specified in the tag is not present in the transaction, it is not downloaded.

Anaconda now displays a warning if LDL-formatted DASDs are detected during installation

On IBM System z, DASDs with LDL (Linux Disk Layout) format are recognized by the kernel, but the installer does not support them. If one or more such DASDs are detected by Anaconda, it will display a warning about their unsupported status and offer to format them as CDL (Compatibility Disk Layout), which is a fully supported format type.

Chapter 8. Kernel

KVM Hypervisor supports 240 vCPUs per virtual machine

The KVM hypervisor has been improved to support 240 virtual CPUs (vCPUs) per KVM guest virtual machine.

iwlwifi supports Intel® Wireless 7265/3165 (Stone Peak) wireless adapter

The iwlwifi device driver now supports the Intel® Wireless 7265/3165 (Stone Peak) wireless adapter.

Support for Wacom 22HD Touch tablets

This update adds support for Wacom 22HD Touch tablets, which are now correctly recognized in Red Hat Enterprise Linux and thus functional.

Improved page fault scalability for HugeTLB

The updated Linux kernel has improved page fault scalability for HugeTLB. Previously only one HugeTLB page fault could be processed at a time because a single mutex was used. The improved method uses a table of mutexes, allowing for page faults to be processed in parallel. Calculation of the mutex table includes the number of page faults occurring and memory in use.

kdump supports hugepage filtering

To reduce both vmcore size and capture run time, kdump now treats hugepages as userpages and can filter them out. As hugepages are primarily used for application data, they are unlikely to be relevant in the event a vmcore analysis is required.

Support for 802.1X EAP packet forwarding on bridges

Bridge forwarding of 802.1X EAP packets is now supported, allowing for selective forwarding of some non-control link-local packets. This change also enables the use of 802.1X to authenticate a guest on a RHEL 6 hypervisor using a Linux bridge on a switch port.

Rebase of the mtip32xx driver

The Red Hat Enterprise Linux 6.7 kernel includes the most recent upstream version of the mtip32xx device driver. This version adds support for Micron SSD devices.

turbostat supports 6th Generation Intel Core Processors

The turbostat application now supports Intel's 6th Generation Intel Core Processors.

Chapter 9. Networking

iptables supports -C option

This update adds support for the -C check option to the iptables commands. Previously, there was no simple way to check whether a certain rule existed. The -C option can now be used with a rule specification to check whether that rule exists.

Support for IPv6 IP sets

This update adds support for IPv6 IP sets, as IP sets were not previously usable in IPv6 firewall rules.

Chapter 10. Servers and Services

Restricted Cipher Suites in Default httpd Configuration

With this update, the default configuration of the mod_ssl module in the httpd web server no longer enables support for SSL cipher suites using the single DES, IDEA, or SEED encryption algorithms.

Allowed SSL protocols configurable in the Cyrus IMAP server

With this update, it is possible to configure which Secure Sockets Layer (SSL) protocols the Cyrus IMAP server allows. For example, users can disable SSLv3 connections and thus mitigate the impact of the POODLE vulnerability.

dstat command now supports symbolic links

The dstat command has been enhanced to support the use of symbolic links as parameter values. This enables users to dynamically specify the boot device name, which ensures that dstat displays correct information after hot plugs and similar operations. Note that symbolic links must be specified in the /dev/disk/ directory and the full path must be used with the command.

rng-tools rebased to version 5

The rng-tools packages, which provide user-space utilities for hardware random number generators, have been upgraded to upstream version 5. With this update, the random number generator daemon (rngd) is enabled by default on x86 and AMD64/Intel 64 systems, and it feeds the kernel entropy pool from the RDRAND hardware random number generator instruction on CPUs that provide it. This improves the availability of entropy, and with it performance and security, on Intel architecture hardware, especially for server applications that would otherwise block waiting on /dev/random.

NetworkManager Connection Editor usability improvements

This update enhances nm-connection-editor, which now enables easier editing of IP addresses and routes. In addition, nm-connection-editor attempts to automatically detect and highlight typos and incorrect configurations.

ypbind can now be set to specific rebind intervals

The NIS binding process ypbind traditionally checked for the fastest NIS server every 15 minutes; however, many firewalls drop idle connections after a default timeout of 10 minutes, which caused intermittent failures when ypbind tried to rebind. This update adds a tunable option, -r, to ypbind that sets a specific rebind interval in seconds.

Rebase of the squid packages

The squid packages have been upgraded to upstream version 3.1.23, which provides a number of bug fixes and enhancements over the previous version. Among others, this update adds support for HTTP/1.1 POST and PUT responses with no message body to squid.

dhcpd handles dhcp option 97 - Client Machine Identifier (pxe-client-id)

It is now possible to reserve (statically allocate) IP addresses for a particular client based on the identifier it sends in option 97, for example:
host pixi {
    option pxe-client-id 0 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff;
    fixed-address 1.2.3.4;
}
Note that option 97 is supplied by the client and is not authenticated: a client can send any value, so a reservation keyed on it is a convenience for address assignment, not an access control.

Tomcat log file rotation can now be disabled

By default, Tomcat log files are rotated on the first write operation which occurs after midnight, and given the file name {prefix}{date}{suffix}, where the format for date is YYYY-MM-DD. To allow Tomcat log file rotation to be disabled, the parameter rotatable has been added. If this parameter is set to false, the log file will not be rotated and the filename will be {prefix}{suffix}. The default value is true.

cups supports failover

It is now possible to direct jobs to a single printer with failover to other printers instead of using load balancing among printers that is built into CUPS. Jobs can be directed to the first working printer of a set, the preferred printer, with other printers used only if the preferred one is unavailable.

openssh supports adjusting LDAP queries

Administrators can now adjust Lightweight Directory Access Protocol (LDAP) queries to obtain public keys from servers that use a different schema.

ErrorPolicy description added to cupsd.conf(5) manual page

Description of the ErrorPolicy directive with supported values has been added to the cupsd.conf(5) manual page. The ErrorPolicy directive defines the default policy used when a backend is unable to send a print job to the printer.

Allowed SSL protocols configurable in dovecot

With this update, it is possible to configure which Secure Sockets Layer (SSL) protocols dovecot allows. For example, users can disable SSLv3 connections and thus mitigate the impact of the POODLE vulnerability. Due to security concerns, SSLv2 and SSLv3 are now also disabled by default, and they have to be allowed manually if the user needs them.
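The fragment below is an added example, not the 10-ssl.conf shipped with the dovecot package: it states the protocol restriction explicitly (matching the new default) so that the setting survives a later change of defaults, and requires TLS for all IMAP and POP3 logins. The certificate paths are the package defaults on RHEL 6 and are assumptions here; the Cyrus IMAP equivalent described above is configured separately and is not shown.

```conf
# Added example, not the shipped /etc/dovecot/conf.d/10-ssl.conf.
# Only TLS is offered; SSLv2 and SSLv3 are refused, which removes the
# protocol that POODLE depends on.
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_protocols = !SSLv2 !SSLv3
```

After restarting dovecot, confirm the effective value with doveconf -n | grep ssl_protocols and verify from a client with openssl s_client -connect mail.example.com:993 -ssl3, which must fail, while openssl s_client -connect mail.example.com:993 -tls1 must succeed.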

openssh supports wildcards for PermitOpen option

The PermitOpen option in the sshd_config file now supports wildcards.

tomcatjss supports TLS versions 1.1 and 1.2

The tomcatjss connector has been updated so that Tomcat can negotiate Transport Layer Security protocol versions 1.1 (TLSv1.1) and 1.2 (TLSv1.2) using Java Security Services (JSS).

squid supports hiding or rewriting HTTP headers

The squid packages are now built with the --enable-http-violations option and allow the user to hide or rewrite HTTP headers.
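As an added example that is not part of the release notes, the squid.conf fragment below uses the directives that the --enable-http-violations build makes available to stop the proxy from leaking the client's identity towards origin servers and the origin server's software towards clients. The replacement User-Agent string is an arbitrary choice.

```conf
# Added example, not a shipped squid.conf. request_header_access,
# reply_header_access and header_replace are only available in a build made
# with --enable-http-violations, which is the case as of RHEL 6.7.

# Do not announce this proxy or the real client address to origin servers.
via off
forwarded_for delete
request_header_access X-Forwarded-For deny all

# Hide the real browser and substitute a fixed value; header_replace only
# applies to headers that were denied above.
request_header_access User-Agent deny all
header_replace User-Agent Mozilla/5.0 (compatible)

# Strip server software banners from responses before they reach clients.
reply_header_access Server deny all
reply_header_access X-Powered-By deny all
```

Run squid -k parse to validate the file before reloading, then check the result with curl -v -x proxy.example.com:3128 http://www.example.org/ and an origin-side capture: the request should carry neither X-Forwarded-For nor the real User-Agent, and the reply should reach the client without a Server header. These rewrites are deliberate departures from HTTP semantics, which is why the build option is named as it is; keep them limited to the headers you actually need to hide.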

bind supports RPZ-NSIP and RPZ-NSDNAME

RPZ-NSIP and RPZ-NSDNAME records can now be used with Response Policy Zone (RPZ) in the BIND configuration.
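The zone file below is an added example that is not part of the release notes. It shows the two new trigger types beside an ordinary QNAME trigger: an NSDNAME record matches any domain whose delegation names the given name server, and an NSIP record matches any domain whose name servers sit in the given prefix, which lets one policy entry cover every domain hosted by a known hostile provider. The names and addresses (example.com, 192.0.2.0/24, 2001:db8::/32) are illustrative.

```zone
; Added example RPZ zone, not from the release notes.
$TTL 300
@                               IN SOA  localhost. root.localhost. ( 1 3600 300 604800 300 )
                                IN NS   localhost.

; NSDNAME trigger: block any domain delegated to ns1.bad.example.com
ns1.bad.example.com.rpz-nsdname   CNAME .

; NSIP trigger, IPv4: block any domain whose name server is in 192.0.2.0/24
; (encoded as prefix-length followed by the address octets in reverse order)
24.0.2.0.192.rpz-nsip             CNAME .

; NSIP trigger, IPv6: block any domain served from 2001:db8::/32
; (prefix-length, then the 16-bit groups reversed, with "zz" standing for "::")
32.zz.db8.2001.rpz-nsip           CNAME .

; QNAME trigger for comparison: answer a specific name with a walled-garden address
malware.example.                  A     192.0.2.1
```

The zone is enabled with response-policy { zone "rpz.example"; }; in the options block of named.conf, with the zone itself declared as a normal master zone that is not forwarded or transferred to clients. Test a covered name with dig @127.0.0.1 test.bad.example.com and expect NXDOMAIN (CNAME . is the RPZ spelling for that). NSIP and NSDNAME triggers can only fire once the resolver has fetched the delegation for the queried name, so they add lookups and cannot act on cached answers the way QNAME triggers do; watch the rpz log category when enabling them.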

openssh supports forcing exact permissions on uploaded files

With this update, OpenSSH can force exact permissions on files that are newly uploaded using the Secure File Transfer Protocol (SFTP).
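The sshd_config fragment below is an added example and not text from the release notes. It applies the new behaviour to a chrooted upload group so that files arrive with a known mode regardless of the permissions the SFTP client requests. The flag name -m, taken from the Red Hat sftp-server man page, and the group name and chroot path are assumptions here; verify the option against sftp-server(8) on your system before relying on it.

```conf
# Added example, not a shipped sshd_config. Assumes the Red Hat sftp-server
# "-m" option and a group "sftponly" whose home directories live under /srv/sftp.
Subsystem sftp /usr/libexec/openssh/sftp-server -m 0640

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -m 0640
    AllowTcpForwarding no
    X11Forwarding no
```

Check the syntax with sshd -t, reload the service, then upload a file after chmod 777 on the client side and confirm with ls -l that the server created it with mode 0640. The chroot directory itself must be owned by root and not writable by the group, as for any ChrootDirectory setup.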

Mailman now includes enhanced DMARC mitigation features

With this update, Mailman introduces several enhanced Domain-based Message Authentication, Reporting & Conformance (DMARC) mitigation features. For example, Mailman can be configured to recognize Sender alignment for DomainKeys Identified Mail (DKIM) signatures, and it is now able to correctly handle forwarded messages from domains with a reject DMARC policy.

Chapter 11. Storage

LVM thin provisioning support in Anaconda

The installer now allows you to create a thinly-provisioned LVM (Logical Volume Management) layout. Support is limited to custom Kickstart installations only; it is not possible to create a LVM thin provisioning layout automatically using the autopart Kickstart command, and you cannot select this storage configuration during an interactive installation using the graphical or text-based user interface.

udev rules support additional mount points and allowed mount options

Additional mount points and a list of allowed mount options can now be specified with udev rules. The system administrator can write a custom rule to enforce or limit mount options for a specific set of devices. For example, USB drives can be limited to be always mounted as read-only.

udisks supports noexec global option

The udisks tool now accepts the noexec global option to be enforced on all unprivileged users' mount points. On desktop systems, the noexec option can protect users from mistakenly running certain applications.

The default multipath configuration file now includes a builtin configuration for Dell MD36xxf storage arrays

Previously, default settings for the Dell MD36xxf storage arrays were not included in the devices section of the default multipath configuration file, which affected performance for these arrays. These settings are now included in this configuration file.

New config_dir option in the multipath.conf file

Previously, users were unable to split their configuration between /etc/multipath.conf and other configuration files. This prevented them from maintaining one main configuration file for all their machines while keeping machine-specific settings in separate files for each machine.
To address this, a new config_dir option has been added to the defaults section of the /etc/multipath.conf file. It may be set either to an empty string or to a fully qualified directory path. When it is anything other than an empty string, multipath reads every file ending in .conf in that directory in alphabetical order and applies their contents exactly as if they had been added to /etc/multipath.conf. If the option is not set, config_dir defaults to /etc/multipath/conf.d.

lvchange -p now corrects in-kernel permissions on a logical volume

If a logical volume is read-only and active but its metadata states that it should be writeable (a situation that can arise if the configuration setting activation/read_only_volume_list is changed), you can now use the lvchange --permission rw command to bring the active copy in line with the metadata and make it writeable. Executing an lvchange --refresh command can do this as well, but this new feature might be more convenient in some circumstances. The opposite is also true: The lvchange --permission r command will now refresh an active logical volume that should be read-only. For information on the lvchange command, see the lvchange(8) man page.

New multipathd configuration options: delay_watch_checks and delay_wait_checks

For multipathd to stop attempting to use a path, that path must be inaccessible for the timeout period of 300 seconds. This can give the appearance that multipathd has stalled. Two configuration options have been added to improve user experience: delay_watch_checks and delay_wait_checks. Use delay_watch_checks to specify the number of cycles that multipathd should wait before using a path that has just come online. If the path fails in fewer cycles than the value specified, multipathd will not use the path. Then, use the delay_wait_checks parameter to specify the number of cycles that a path must work correctly until it can be considered accessible again. This prevents unreliable paths from being used immediately when they come back online.
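The multipath.conf fragment below is an added example, not a shipped configuration, covering both of the new options described in this chapter: config_dir for per-machine fragments and the delay_watch_checks / delay_wait_checks pair for flapping paths. The vendor and product strings and the chosen cycle counts are illustrative; with the default polling_interval of 5 seconds, 12 cycles is one minute.

```conf
# Added example, not a shipped /etc/multipath.conf.
defaults {
    user_friendly_names yes

    # Machine-specific settings live in conf.d and are read in alphabetical
    # order, as if pasted here; keep this file identical across hosts.
    config_dir "/etc/multipath/conf.d"

    # A path that has just come back is watched for 12 checker cycles. If it
    # fails again inside that window it is not reinstated until it has passed
    # 24 consecutive checks, so a flapping path stops being used immediately.
    delay_watch_checks 12
    delay_wait_checks  24
}

devices {
    device {
        vendor        "EXAMPLE"
        product       "ARRAY"
        path_checker  tur
        no_path_retry 12
    }
}
```

After editing, reload with service multipathd reload and inspect the merged result with multipathd -k'show config'; settings from a conf.d fragment appear there exactly as if they had been written in the main file, which is the quickest way to confirm that config_dir was honoured.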

mdadm upgraded to upstream version 3.3.2

The 3.3.2 version of mdadm provides a number of bug fixes as well as features such as automatically rebuilding an array in the event of a failed RAID volume, RAID level migrations, check-pointing fault tolerance, and SAS-SATA drive roaming. These features are supported on external metadata formats and continue Red Hat's support of Intel's RSTe software stack.

New options added to lvmconf script

The lvmconf script now provides --enable-halvm and --disable-halvm options to set the proper configuration in the /etc/lvm/lvm.conf configuration file for an HA-LVM environment. In addition, the lvmconf script now also provides --service, --mirrorservice, and --startstopservices options to enable or disable the related SysV init services needed for LVM to work correctly in a clustered environment. For information on the lvmconf script, see the lvmconf(8) man page.

Rebase of the iprutils packages

The iprutils packages have been upgraded to upstream version 2.4.5, which provides a number of bug fixes and enhancements over the previous version. Notably, this update adds support for reporting cache hits on the Serial Attached SCSI (SAS) disk drive, and increases the speed of array creation for an advanced function (AF) direct-access storage device (DASD).

dm-cache device-mapper target now fully supported

The dm-cache device-mapper target, which was previously included as a Technology Preview, is now fully supported. This device-mapper target allows fast storage devices to act as a cache for slower storage devices. See the lvmcache manual page for more information.

Chapter 12. Subscription Management

subscription-manager supports AUS subscription migration

Subscription Manager now includes certificates and maps for Advanced Mission Critical Update Support (AUS). This enables migration from RHN Classic to RHSM for AUS subscriptions.

subscription-manager supports activation keys for automated migration

The rhn-migrate-classic-to-rhsm tool now supports activation keys when registering to Red Hat Subscription Management (RHSM). This simplifies automated migration.

subscription-manager supports migrating without RHN Classic credentials

The rhn-migrate-classic-to-rhsm tool no longer requires RHN Classic credentials if the new --keep option is used. This functionality can help simplify automated migration.

Chapter 13. Virtualization

virt-viewer supports direct access to RHEV-H virtual machines

It is now possible to use the Red Hat Enterprise Virtualization Hypervisor to access virtual machines directly using virt-viewer.

Hot-swappable CD images

Using the remote-viewer tool to connect to an ovirt:// URI now displays a menu that allows the user to change the CD image inserted in the virtual machine (VM). This makes it possible to change the inserted CD while the VM is running without the need to use Red Hat Enterprise Virtualization or the oVirt portal.

New package: rest

The rest package has been added to this release as a dependency of the libgovirt package. The libgovirt package allows the remote-viewer tool to connect to virtual machines managed by oVirt and Red Hat Enterprise Virtualization.

qemu-img supports preallocation with fallocate()

The qemu-img tool now uses the fallocate() system call to speed up full preallocation. To use it, specify preallocation=falloc instead of preallocation=full when creating a qcow2 image with qemu-img. Preallocation runs significantly faster with preallocation=falloc, which shortens the time necessary to prepare a new guest; the resulting image occupies its full size on disk in either case.

kvm-clock correctly synchronizes VM system time after suspend

KVM virtual machines use the kvm-clock clock source to keep the virtual machine's system time synchronized with the host system time, including after resuming from suspend. Previously, in some cases when a virtual machine running on a Red Hat Enterprise Linux 6 host was suspended to disk and then restored, the virtual machine's system time did not correctly synchronize with the host system time. With this update, kvm-clock has been modified to reliably synchronize with the system time on the host.

qemu-kvm supports virtual machine shutdown trace events

Support has been added for qemu-kvm trace events during the virtual machine system shutdown process, which allows users to get detailed diagnostics about a guest system's shutdown requests issued by the virsh shutdown command or by the virt-manager application. This provides users with enhanced capabilities for isolating and debugging KVM guest problems during shutdown.

qemu-kvm supports directsync cache mode on virtual disks

With this update, qemu-kvm supports the cache=directsync option, which enables the directsync cache mode on virtual disks. When cache=directsync is set on a virtual disk (through the cache attribute of the driver element in the guest's libvirt XML, or in the virt-manager application), a write issued by the guest completes only when the data is on stable storage, and guest I/O bypasses the host page cache. This improves data integrity for transactions inside the guest in the event of a host crash, and can improve performance by avoiding double caching in host and guest.

virt-who supports encrypted passwords

Support for encrypted passwords has been added to the virt-who service. Previously, the passwords for external services were stored in the configuration file as plain text, which exposed them to any user with read access to the file. This update introduces the virt-who-password utility, which produces an encrypted form of a password for storing in the virt-who configuration file. Users who read the configuration file now see only the encrypted value, and only the root user can decrypt it. Note that this protects the credentials from unprivileged users on the host, not from an attacker who already has root access.

virt-who supports offline mode

The virt-who service can now report the association between host physical machines and guest virtual machines when the hypervisor is offline, and thus no longer requires connection to the hypervisor to perform this operation. When the virt-who service cannot connect to the hypervisor, due to security policies, for example, users can now obtain information about the host-guest mapping file by using the virt-who --print command, which displays the information saved in the mapping file, and sends it to the Subscription Manager.

virt-who supports host filtering

With this update, the virt-who service introduces a filtering mechanism for the Subscription Manager reports. As a result, users can now choose which hosts virt-who should display according to the specified parameters. For example, hosts that do not run any Red Hat Enterprise Linux guests, or hosts that run guests of a specified version of Red Hat Enterprise Linux.

virt-who supports cluster filtering

With this update, the virt-who service introduces a filtering mechanism for the Subscription Manager reports at the cluster level. As a result, users can now choose which clusters virt-who should display according to the specified parameters, for example only clusters whose hosts run Red Hat Enterprise Linux guests, or clusters running guests of a specified version of Red Hat Enterprise Linux.

virt-who supports filtering non-RHEL hypervisors

In cases where it is not necessary to report all the hypervisors, such as those that do not have any associated Red Hat Enterprise Linux guests, virt-who is now capable of filtering out the specified hypervisors.

Chapter 14. Red Hat Software Collections

Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set allows for optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can pick and choose which package version they want to run at any time.
Red Hat Developer Toolset is now a part of Red Hat Software Collections. It is included as a separate Software Collection. Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, Eclipse development platform, and other development, debugging, and performance monitoring tools.

Important

Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.

Chapter 15. Known Issues

The sssd-common package is no longer multilib

Because of a change in packaging, the sssd-common package is no longer multilib. Consequently, parallel installation of SSSD packages other than sssd-client no longer works because of a dependency conflict. This was never a supported scenario, but the change might affect upgrades under certain circumstances. To work around the problem, uninstall any multilib SSSD packages except for sssd-client before upgrading.

User login override breaks group membership resolution for trusted AD users

If a user's login name is overridden by using the --login command-line parameter, the group membership for this user is incorrect until the user's first login.

Group resolution is inconsistent with group overrides

If a group's GID is overridden, running the id command reports an incorrect GID. To work around this problem, run the getent group command on the overridden group.

Wake on WLAN not working with WOWLAN="magic-packet" in ifcfg files

Due to a regression, a kernel configuration item was omitted and a sysfs link for wireless LAN devices was not being created. Consequently, initialization scripts were unable to identify wireless LAN devices separately from Ethernet devices.
With this update, the configuration item has been restored to the kernel and the proper sysfs links are now created. However, a related error in the ifup-wireless script means that the following workaround is currently required:
As the root user, open the /etc/sysconfig/network-scripts/ifup-wireless file and change this:
    if [ -n "$WOWLAN" ] ; then
        PHYDEVICE=phy_wireless_device $DEVICE
        iw phy $PHYDEVICE wowlan enable ${WOWLAN}
    fi
to this:
    if [ -n "$WOWLAN" ] ; then
        PHYDEVICE=`phy_wireless_device $DEVICE`
        iw phy $PHYDEVICE wowlan enable ${WOWLAN}
    fi
The change is the addition of backquotes around phy_wireless_device $DEVICE. Without them, the shell runs the value of $DEVICE as a command with PHYDEVICE=phy_wireless_device in its environment, so PHYDEVICE is never set to the phy name; with them, the function's output is assigned to PHYDEVICE and the iw command receives the correct device. Save and close the file.

abrt is missing a dependency

The abrt package released with Red Hat Enterprise Linux 6.7 is missing a dependency on python-argparse. During normal installation, python-argparse is usually included as a dependency in other packages. However, if customers upgrade from an earlier version of Red Hat Enterprise Linux, python-argparse is not installed. When python-argparse is not present, customers see errors like ImportError: No module named argparse when attempting to use the abrt-action-notify and abrt-action-generate-machine-id commands. To work around this issue, install the python-argparse package:
yum install python-argparse
For further information, refer to the Solution article: https://access.redhat.com/solutions/1549053

The zipl boot loader requires target information in each section

When calling the zipl tool manually from the command line using a section name as a parameter, the tool previously used the target defined in the default section of the /etc/zipl.conf file. In the current version of zipl, the default section's target is no longer applied automatically, resulting in an error.
To work around the issue, manually edit the /etc/zipl.conf configuration file and copy the line starting with target= from the default section to every section.
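The /etc/zipl.conf below is an added example showing the workaround applied, not a file shipped with the release: the target= line is present in the default section and repeated in every boot section. The image, ramdisk and parameter values are illustrative (the kernel version is the one listed in Appendix A; the root device and DASD address are assumptions).

```conf
# Added example /etc/zipl.conf with target= repeated in every section.
[defaultboot]
default=linux
target=/boot

[linux]
image=/boot/vmlinuz-2.6.32-573.el6.s390x
ramdisk=/boot/initramfs-2.6.32-573.el6.s390x.img
parameters="root=/dev/mapper/vg_root-lv_root rd_DASD=0.0.0100"
target=/boot

[rescue]
image=/boot/vmlinuz-2.6.32-573.el6.s390x
ramdisk=/boot/initramfs-2.6.32-573.el6.s390x.img
parameters="root=/dev/mapper/vg_root-lv_root rd_DASD=0.0.0100 single"
target=/boot
```

With the target= line in each section, zipl rescue and zipl linux both succeed from the command line; without it, only the default invocation of zipl works.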

Appendix A. Component Versions

This appendix is a list of components and their versions in the Red Hat Enterprise Linux 6.7 release.

Table A.1. Component Versions

Component                  Version
Kernel                     2.6.32-573
QLogic qla2xxx driver      8.07.00.16.06.7-k
QLogic ql2xxx firmware     ql2100-firmware-1.19.38-3.1
                           ql2200-firmware-2.02.08-3.1
                           ql23xx-firmware-3.03.27-3.1
                           ql2400-firmware-7.03.00-1
                           ql2500-firmware-7.03.00-1
Emulex lpfc driver         10.6.0.20
iSCSI initiator utils      iscsi-initiator-utils-6.2.0.873-14
DM-Multipath               device-mapper-multipath-libs-0.4.9-87
LVM                        lvm2-2.02.118-2

Appendix B. Revision History

Revision History
Revision 0.0-0.19   Tue Mar 29 2016   Lenka Špačková
    Updated New Features (dm-cache fully supported; hardware enablement).
Revision 0.0-0.18   Fri Oct 23 2015   Lenka Špačková
    Added zipl known issue.
Revision 0.0-0.17   Thu Aug 13 2015   Laura Bailey
    Updated known issues.
Revision 0.0-0.16   Wed Aug 05 2015   Laura Bailey
    Updated to include Red Hat Access Insights and some minor corrections.
Revision 0.0-0.15   Tue Jul 28 2015   Laura Bailey
    Release of the Red Hat Enterprise Linux 6.7 Release Notes.

Legal Notice

Copyright © 2015 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.