Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
6.8 Release Notes
Red Hat Enterprise Linux 6.8
Release Notes for Red Hat Enterprise Linux 6.8
The Release Notes provide high-level coverage of the improvements and additions that have been implemented in Red Hat Enterprise Linux 6.8 and document known problems in this release. For information about notable bug fixes, Technology Previews, deprecated functionality, and other details, refer to the Technical Notes.
Red Hat Enterprise Linux minor releases are an aggregation of individual enhancement, security, and bug fix errata. The Red Hat Enterprise Linux 6.8 Release Notes document describes the major changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications for this minor release, as well as known problems. The Technical Notes document provides a list of notable bug fixes, all currently available Technology Previews, deprecated functionality, and other information.
Capabilities and limits of Red Hat Enterprise Linux 6 as compared to other versions of the system are available in the Red Hat Knowledgebase article available at https://access.redhat.com/articles/rhel-limits.
For information regarding the Red Hat Enterprise Linux life cycle, refer to https://access.redhat.com/support/policy/updates/errata/.
Chapter 1. Overview
Red Hat Enterprise Linux 6.8 is the last feature update in this major release, allowing enterprise customers access to upstream innovation on the secure, stable, and reliable Red Hat Enterprise Linux 6 platform. This section highlights the most notable enhancements.
- libreswan, an implementation of one of the most widely supported and standardized VPN protocols, replaces openswan as the Red Hat Enterprise Linux 6 VPN endpoint solution, giving Red Hat Enterprise Linux 6 customers access to recent advances in VPN security.
For more information about new security features, refer to Chapter 13, Security.
Authentication and Interoperability
- Enhancements to Red Hat Identity Management include increased client-side performance as well as simplified client management through the addition of new capabilities to the System Security Services Daemon (SSSD). For example, cached authentication lookup on the client reduces the unnecessary exchange of user credentials with Active Directory servers. Also, support for adcli simplifies the management of Red Hat Enterprise Linux 6 systems interoperating with an Active Directory domain. In addition, SSSD now supports user authentication using smart cards, for both system login and related functions, such as sudo.
For details about new Identity Management and SSSD enhancements, as well as other features related to authentication and interoperability, refer to Chapter 3, Authentication and Interoperability.
System and Subscription Management
- Relax-and-Recover (ReAR) is a new a system archiving utility that enables administrators to create local backups in ISO format that can be centrally archived and replicated remotely for simplified disaster recovery operations.
- An enhanced yum utility simplifies the process of locating required packages to add and enable new platform features.
For details about subscription-management related features, see Chapter 16, System and Subscription Management.
- Red Hat Enterprise Linux 6.8 provides increased visibility into storage usage and performance through dmstats, a program that displays and manages I/O statistics for user-defined regions of devices using the device-mapper driver.
For other storage features, see Chapter 15, Storage.
- The Scalable File System Add-on for Red Hat Enterprise Linux 6 now supports XFS file-system sizes up to 300 TB.
For detailed changes in file systems, refer to Chapter 8, File Systems.
- An updated Red Hat Enterprise Linux 6.8 platform image enables customers to migrate their traditional workloads into container-based applications. The image is available in the Red Hat Container Registry and is suitable for deployment on Red Hat Enterprise Linux 7 or Red Hat Enterprise Linux Atomic Host.
Red Hat Insights
Since Red Hat Enterprise Linux 6.7, the Red Hat Insights service is available. Red Hat Insights is a proactive service designed to enable you to identify, examine, and resolve known technical issues before they affect your deployment. Insights leverages the combined knowledge of Red Hat Support Engineers, documented solutions, and resolved issues to deliver relevant, actionable information to system administrators.
The service is hosted and delivered through the customer portal at https://access.redhat.com/insights/ or through Red Hat Satellite. To register your systems, follow the Getting Started Guide for Insights. For further information, data security and limits, refer to https://access.redhat.com/insights/splash/.
Red Hat Customer Portal Labs
Red Hat Customer Portal Labs is a set of tools in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify security problems, and quickly deploy and configure complex applications. Some of the most popular applications are, for example:
Part I. New Features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 6.8.
Chapter 2. General Updates
Cross channel package dependency improvements
yumutility has been enhanced to prompt the end user to search disabled package repositories on the system when a package dependency error occurs. This change will allow users to quickly resolve dependency errors by first checking all known channels for the missing package dependency.
To enable this functionality, execute
yum update yum subscription-managerprior to upgrading your machine to Red Hat Enterprise Linux 6.8.
See the System and Subscription Management chapter for further details on the implementation of this feature. (BZ#1197245)
Packages moved to the
The following packages have been moved to the
Note that if any of these packages have previously been installed, using the
yum updatecommand for updating these packages can lead to problems causing the update to fail. Enable the
Optionalchannel before updating the mentioned installed packages or uninstall them before updating your system.
For detailed instructions on how to subscribe your system to the
Optionalchannel, see the relevant Knowledgebase articles on Red Hat Customer Portal: https://access.redhat.com/solutions/392003 for Red Hat Subscription Management or https://access.redhat.com/solutions/70019 if your system is registered with RHN Classic. (BZ#1300789)
Chapter 3. Authentication and Interoperability
SSSD smart card support
SSSD now supports smart cards for local authentication. With this feature, the user can use a smart card to log on to the system using a text-based or graphical console, as well as local services such as the
sudoservice. The user places the smart card into the reader and provides the user name and the smart card PIN at the login prompt. If the certificate on the smart card is verified, the user is successfully authenticated.
Note that SSSD currently does not enable the user to acquire a Kerberos ticket using a smart card. To obtain a Kerberos ticket, the user is still required to authenticate using the
To enable smart card support in Red Hat Enterprise Linux 6, you must allow SSSD to prompt for password, one-time password (OTP), or the smart card PIN by modifying the
authlines of the
/etc/pam.d/system-authPAM configuration files. For detailed information, see the Identity Management Guide: http://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#idm-smart-cards (BZ#1270027)
Cache authentication in SSSD
Authentication against cache without a reconnection attempt is now available in SSSD even in online mode. Authenticating directly against the network server repeatedly can cause excessive application latency, which can make the login process overly time-consuming. (BZ#1237142)
The ou=sudoers,$DC part of the IdM server compatibility plug-in tree can now be disabled for better performance
The Identity Management (IdM) client is now able to look up
sudorules in the
cn=sudorules,cn=sudo,$DCpart of the IdM server's LDAP tree instead of the
ou=sudoers,$DCcompatibility tree generated by the
slapi-nisDirectory Server plug-in.
In environments where the compatibility tree is not required for other operations, such as for legacy client support, users can now disable the
ou=sudoers,$DCpart of the tree. This allows better performance because generating the compatibility tree using
slapi-nisis resource-intensive, especially in environments with a large number of authentication operations. (BZ#1244957)
SSSD enables UID and GID mapping on individual clients
It is now possible to map users to a different UID and GID on specific Red Hat Enterprise Linux clients through client-side configuration by using SSSD provided by the
sss_overrideutility. This client-side override possibility can resolve problems caused by UID and GID duplication or ease transition from a legacy system that previously used different ID mapping.
Note that the overrides are stored in the SSSD cache; removing the cache therefore also removes the overrides. See the sss_override(8) man page for more details about this feature. (BZ#1269422)
The SSSD fast memory cache now supports the
initgroupsoperations, which enhances the speed of
initgroupsprocessing and improves the performance of some applications, such as GlusterFS and
New packages: adcli
This update adds the adcli packages to Red Hat Enterprise Linux 6. The
adcliutility allows users to manage host, user, and group objects in Active Directory (AD) from a Red Hat Enterprise Linux 6 client. The main use of the utility is joining a host to an AD domain and to renew the credentials of the host.
adcliutility is site-aware and does not require additional configuration to join an AD domain. On clients that run the SSSD service,
adclican renew the host credentials on a regular basis. (BZ#1279725)
SSSD is now able to automatically renew the host credentials of Linux clients joined to AD
Certain Windows utilities can remove hosts from Active Directory (AD) after their password has not been updated for a long time. This is because these utilities consider such clients inactive.
With this feature, the host password of Linux clients joined to AD is regularly updated, which indicates the client is still actively used. As a result, Red Hat Enterprise Linux clients joined to AD are not removed in the described situation. (BZ#1290761)
SSSD can now automatically adjust ID ranges for AD clients in environments with large RIDs
The automatic ID mapping mechanism included in the SSSD service is now able to merge ID range domains. Previously, if the relative ID (RID) of the Active Directory (AD) domain was larger than 200,000, which is the default size of the ID range assigned by SSSD, the administrator was required to manually adjust the ID range assigned by SSSD to correspond with the RID.
With this enhancement, for AD clients with ID mapping enabled, SSSD automatically adjusts the ID ranges in the described situation. As a result, the administrator is no longer required to adjust the ID range manually, and the default SSSD ID mapping mechanism works even in large AD environments. (BZ#1268902)
SSSD now supports GPOs from different domain controllers
The System Security Services Daemon (SSSD) service has been updated to support group policy objects (GPOs) from different domain controllers. (BZ#1221365)
Support for SSLv2 has been disabled
SSLv2 is insecure and should not be used in current deployments, and thus has been disabled without a way to override. All modern browsers and frameworks cannot negotiate SSLv2 connections in default configuration and many cannot be configured to perform SSLv2 negotiation. A recent OpenSSL vulnerability (CVE-2015-3197) shows that keeping this code is a liability. In addition, upstream has already removed support for SSLv2 (MZBZ#1228555). (BZ#1304812)
OpenLDAP now supports TLSv1.2
The TLS layer of OpenLDAP has been enhanced to support the cipher string value
TLSv1.2along with new ciphers from the TLSv1.2 suite. Additionally, the new cipher strings
SHA384have been added. With this update, the cipher string
DEFAULTselects a subset of the Network Security Services (NSS) defaults in order to be up to date with current security development. Note that the cipher string
AESGCMciphers, in order not to break the Security Strength Factor (SSF) functionality. (BZ#1300701)
nss now supports ECDSA certificates
By default, the NSS library did not enable TLS cipher suites that use Elliptic Curve Cryptography (ECC). Applications that did not change the NSS default configuration were unable to connect to servers that mandated support for ECC key exchange, such as ECDHE. In particular, connecting to servers that use certificates with ECDSA keys failed.
This update changes the default configuration to enable TLS cipher suites that allow using ECC by default. As a result, applications using NSS defaults for communication over TLS can now connect to servers that use certificates with ECDSA keys. (BZ#1059682)
New SSSD default values for group names
The System Security Services Daemon (SSSD) now uses new default group names that are compatible with Windows and third-party solutions. This affects installations that have the
id_providerconfiguration option set to
If the environment requires a different value for the group name attribute than the new default value of
sAMAccountName, a manual configuration change is required. For example, this might be required in situations when providing groups with the same name as users. To revert to the old behaviour, set
cnas the attribute value:
ldap_group_name = cnin the
2. Run the following commands to clear the SSSD cache:
# service sssd stop # find /var/lib/sss/ ! -type d | xargs rm -f # service sssd start
Chapter 4. Clustering
New Pacemaker features
The Red Hat Enterprise Linux 6.8 release supports the following Pacemaker features:
- You can now use the
pcs resource relocate runcommand to move a resource to its preferred node, as determined by current cluster status, constraints, location of resources and other settings.
- When configuring fencing for redundant power supplies, you now are only required to define each device once and to specify that both devices are required to fence the node.
- The new
resource-discoverylocation constraint option allows you to indicate whether Pacemaker should perform resource discovery on a node for a specified resource.
- Resources will now start as soon as their state has been confirmed on all nodes and all dependencies have been satisfied, rather than waiting for the state of all resources to be confirmed. This allows for faster startup of some services, and more even startup load.
- Clone resources support a new
clone-minmetadata option, specifying that a certain number of instances must be running before any dependent resources can run. This is particularly useful for services behind a virtual IP and haproxy, as is often done with OpenStack.
These features are documented in
Configuring the Red Hat High Availability Add-On with Pacemaker, available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Configuring_the_Red_Hat_High_Availability_Add-On_with_Pacemaker/index.html. (BZ#1290458)
Graceful migration of resources when the
pacemaker_remote service is stopped on an active Pacemaker Remote node
pacemaker_remoteservice is stopped on an active Pacemaker Remote node, the cluster will gracefully migrate resources off the node before stopping the node. Previously, Pacemaker Remote nodes were fenced when the service was stopped (including by commands such as
yum update), unless the node was first explicitly taken out of the cluster. Software upgrades and other routine maintenance procedures are now much easier to perform on Pacemaker Remote nodes.
Note: All nodes in the cluster must be upgraded to a version supporting this feature before it can be used on any node. (BZ#1297564)
Support for SBD fencing with Pacemaker
The SBD (Storage-Based Death) daemon integrates with Pacemaker, a watchdog device, and, optionally, shared storage to arrange for nodes to reliably self-terminate when fencing is required. SBD can be particularly useful in environments where traditional fencing mechanisms are not possible. For information on using SBD with Pacemaker, see https://access.redhat.com/articles/2212861. (BZ#1313246)
glocktop tool has been added to gfs2-utils
The gfs2-utils package now includes the
glocktoptool, which can be used to troubleshoot locking-related performance problems that concern the Global File System 2 (GFS2). (BZ#1202817)
pcs now supports exporting a cluster configuration to a list of
With this update, the
pcs config exportcommand can be used to export a cluster configuration to a list of
pcscommands. Also, the
pcs config import-cmancommand, which converts a CMAN cluster configuration to a Pacemaker cluster configuration, can now output a list of
pcscommands that can be used to create the Pacemaker cluster configuration file. As a result, the user can determine what commands can be used to set up a cluster based on its configuration files. (BZ#1264795)
Fence agent for APC now supports firmware 6.x
The fence agent for APC now support firmware 6.x. (BZ#1259254)
Chapter 5. Compiler and Tools
dmidecode now supports SMBIOS 3.0.0
This update adds SMBIOS 3.0.0 support to the
dmidecodecan work with 64-bit structures according to SMBIOS 3.0.0 specification. (BZ#1232558)
mcelog now supports additional Intel processors
mcelogutility now supports 6th generation Intel Core processors, Intel Xeon processor E3 v5, and current Intel Pentium and Intel Celeron-branded processors. These new processors report with cpuid
mcelognow also recognizes cpuids for current Intel Atom processors (
0x5d) and Intel Xeon processor E5 v4, E7 v4, and Intel Xeon D (
python-linux-procfs rebased to version 0.4.9
The python-linux-procfs packages have been upgraded to upstream version 0.4.9, which provides a number of bug fixes and enhancements over the previous version.
Notable fixes include:
- The package now contains API documentation installed in the
- Handling of space separated fields in
/proc/PID/flagshas been improved which removes parsing errors previously encountered by python-linux-procfs. (BZ#1255725)
trace-cmd rebased to version 2.2.4
The trace-cmd packages have been upgraded to upstream version 2.2.4, which provides a number of bug fixes and enhancements over the previous version.
Notable changes include:
- A new option
-Pis available for the
trace-cmd listcommand. Use this option to list loaded plug-in files by path.
trace-cmd reportcommand has a new option,
-t, which can be used to print full time stamps in reports. (BZ#1218670)
tcsh now supports
tcshcommand-language interpreter now supports the use of the
$tcsh_posix_statusvariables, which define the tcsh behavior in case of an error of any pipelined command. This update brings the
tcshfunctionality closer to the Red Hat Enterprise Linux 7
tcshversion. Note that these two variables have opposite logical meanings. For more information, see the tcsh(1) manual page. (BZ#1256653)
OpenJDK 8 now supports ECC
With this update, OpenJDK 8 supports Elliptic Curve Cryptography (ECC) and the associated ciphers for TLS connections. ECC is in most cases preferable to older cryptographic solutions for making secure network connections.
Additionally, the java-1.8.0 package priority has been expanded to 7 digits. (BZ#1208307)
RC4 is now disabled by default in OpenJDK 6 and OpenJDK 7
Earlier OpenJDK packages allowed the RC4 cryptographic algorithm to be used when making secure connections using Transport Layer Security (TLS). This algorithm is no longer secure, and so has been disabled in this release. To retain its use, it is necessary to revert to the earlier setting of the
SSLv3, DH keySize < 768. This can be done permanently in the
<java.home>/jre/lib/security/java.securityfile or by adding the following line:
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
to a new text file and passing the location of that file to Java on the command line using the argument
-Djava.security.properties=<path to file>. (BZ#1217131)
rhino rebased to version 1.7R4
pcp rebased to version 3.10.9
Several enhancements have been made to Performance Co-Pilot (PCP). Note that the majority of Performance Metric Domain Agents (PMDA) have been split into their own subrpms. This allows for more streamlined PCP installations.
Additions include new kernel metrics such as Intel NVME device support, IPv6 metrics, and container mappings to LXC containers, several new PMDAs (MIC, json, dm, slurm, pipe), and several new tools, including; pcp-verify(1), pcp-shping(1), pcp-atopsar(1), and pmrep(1). An export to Zabbix tool has also been added via zbxpcp(3). The pcp-atop tool has received a full rewrite, including a new NFS feature set. PCP's Performance Metrics Web Daemon (pmwebd) has received improvements, such as opening directories-as-archives for graphite, as well as adding support for the PCP pmStore(3) protocols. sar2pcp(1) has also been updated to include support for sysstat 11.0.1 commands. (BZ#1248272)
openmpi rebased to version 1.10.2
The openmpi packages have been upgraded to upstream version 1.10.2, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:
- The new name of the binary package is openmpi-1.10. Its environment module name on the x86_64 architecture is openmpi-1.10-x86_64.
- To preserve compatibility with Red Hat Enterprise Linux 6.7, openmpi-1.8 is still available. Its package name is openmpi-1.8 and it keeps the environment module name ( openmpi-x86_64 on the x86_64 architecture) it had in Red Hat Enterprise Linux 6.7. (BZ#1130442)
Changes in Open MPI distribution
Open MPI is an open source Message Passing Interface implementation. The compat-openmpi package, which provides earlier versions of Open MPI for backward compatibility with previous minor releases of Red Hat Enterprise Linux 6, has been split into several subpackages based on the Open MPI version.
The names of the subpackages (and their respective environment module names on the x86_64 architecture) are:
- openmpi-1.4 (openmpi-1.4-x86_64)
- openmpi-1.4-psm (openmpi-1.4-psm-x86_64)
- openmpi-1.5.3 (compat-openmpi-x86_64, aliased as openmpi-1.5.3-x86_64)
- openmpi-1.5.3-psm (compat-openmpi-psm-x86_64, aliased as openmpi-1.5.3-psm-x86_64)
- openmpi-1.5.4 (openmpi-1.5.4-x86_64)
- openmpi-1.8 (openmpi-x86_64, aliased as openmpi-1.8-x86_64)
yum install openmpicommand in Red Hat Enterprise Linux 6.8 installs the openmpi-1.8 package for maximum compatibility with Red Hat Enterprise Linux 6.7. A later version of Open MPI is available in the openmpi-1.10 package. (BZ#1158864)
Omping is now fully supported
Open Multicast Ping (Omping) is a tool to test the IP multicast functionality, primarily in the local network. This utility allows users to test IP multicast functionality and assists in the diagnosing whether a problem is in the network configuration or there is a bug. In Red Hat Enterprise Linux 6, Omping was previously provided as a Technology Preview and it is now fully supported. (BZ#657370)
elfutils rebased to version 0.164
eu-addr2lineutility introduces the following improvements:
- Input addresses are now always interpreted as hexadecimal numbers, never as octal or decimal numbers.
- A new option,
--addresses, to print address before each entry.
- A new option,
--demangle, to show demangled symbols.
- A new option,
--pretty-print, to print all information on one line.
eu-striputility is now able to:
- Handle ELF files with merged
- Handle missing
libdwlibrary introduces improvements in the following functions:
dwfl_standard_find_debuginfonow searches any subdirectory of the binary path under the debuginfo root when the separate debug file could not be found by build ID.
dwfl_linux_proc_attachcan now be called before any
Dwfl_Moduleshave been reported.
dwarf_peel_typenow also handles
Various new preliminary DWARF5 constants are now recognized, namely
DW_LANG_Haskell. Additionally, a new header file,
elfutils/known-dwarf.h, is now installed by the devel package. (BZ#1254647)
glibc now supports BIG5-HKSCS-2008
glibcsupported an earlier version of the Hong Kong Supplementary Character Set, BIG5-HKSCS-2004. The BIG5-HKSCS character set map has been updated to the HKSCS-2008 revision of the standard. This allows Red Hat Enterprise Linux customers to write applications processing text that is encoded with this version of the standard. (BZ#1211748)
The format of the
installed-rpmssosreport list has been simplified to allow for optimal human readability. (BZ#1267677)
OProfile now supports 6th Generation Intel Core processors
With this update, OProfile recognizes the 6th Generation Intel Core processors, and it now provides non-architected performance events for the 6th Generation Intel Core processors instead of defaulting to the small subset of architected performance events. (BZ#1254764)
OProfile updated to recognize the Intel Xeon Processor D-1500 product family
With this update, support for Intel Xeon Processor D-1500 product family has been added to OProfile, and the processor-specific events for this product family are now available.
Note that some events, such as
LLC_MISSES, may not count correctly. Check http://www.intel.com/content/www/us/en/processors/xeon/xeon-d-1500-specification-update.html for a complete list of performance events affected. (BZ#1231399)
SystemTap rebased to version 2.9
SystemTapinstrumentation system has been rebased to version 2.9. Major improvements in this update include more complete manual pages, more portable and usable netfilter probes, better support for kernel backtraces without debuginfo, better debuginfo-related diagnostics, reduced translator memory usage, and better performance of generated code. (BZ#1254648)
powerpc-utils rebased to version 1.3.0
The powerpc-utils packages have been upgraded to upstream version 1.3.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#1252706)
ipmitool rebased to version 1.8.15
The ipmitool packages have been upgraded to upstream version 1.8.15, which provides a number of bug fixes and enhancements over the previous version. The notable changes include support for the 13G Dell PowerEdge systems, support for host names longer than 64 bytes, and improved IPv6 support. (BZ#1253416)
memtest86+ rebased to version 5.01
The memtest86+ package has been upgraded to upstream version 5.01, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:
- Support for up to 2 TB of RAM on AMD64 and Intel 64 CPUs
- Support for new Intel and AMD CPUs, for example Intel Haswell
- Experimental SMT support up to 32 cores
For detailed changes, see http://www.memtest.org/#change (BZ#1009083)
New package: java-1.8.0-ibm
This update adds IBM Java 8 to Red Hat Enterprise Linux 6. The java-1.8.0-ibm package is available in the Supplementary channel. (BZ#1148503)
New option for arpwatch:
This update introduces option
arpwatchcommand of the
arpwatchnetwork monitoring tool. This option disables promiscuous mode. (BZ#1006479)
Chapter 6. Desktop
LibreOffice rebased to version 22.214.171.124
The libreoffice packages have been upgraded to upstream version 126.96.36.199, which provides a number of bug fixes and enhancements over the previous version, including:
- The possibility to print comments in page margin has been added.
- Support for nested comments has been added.
- OpenXML interoperability has been improved.
- Accessibility support has been enhanced.
- The color picker has been improved.
- The start center has been improved.
- Initial HiDPI support has been added.
- The limitation on number of characters in a paragraph has been raised considerably.
For a complete list of bug fixes and enhancements provided by this upgrade, refer to https://wiki.documentfoundation.org/ReleaseNotes/4.3. (BZ#1258467)
mesa now supports additional Intel 3D graphics
The mesa package now supports integrated 3D graphics on 6th generation Intel Core processors, Intel Xeon processor E3 v5, and current Intel Pentium and Intel Celeron-branded processors. (BZ#1135362)
New Vinagre features
This update provides a number of features to Vinagre. Namely:
- The ability to connect through RDP protocol to remote Windows machines has been added.
- If requested, credentials can be stored in a keyring for RDP connections.
- Minimize button has been added to the fullscreen toolbar so that users do not need to leave fullscreen mode to minimize the whole window.
In addition, the
/apps/vinagre/plugins/active-pluginsGConf key is now ignored as it could cause RDP not to be loaded. (BZ#1215093)
vmwgfx now supports 3D operations under VMware Workstation 10
vmwgfxdriver has been updated to version 4.4, which enables
vmwgfxsupport for 3D operations under VMware Workstation 10. With this upgrade, the
vmwgfxdriver now allows virtualized Red Hat Enterprise Linux 6 system to work as intended on Windows workstations. (BZ#1164447)
x3270 rebased to version 3.3.15
The latest update of x3270 in Red Hat Enterprise Linux 6.8 adds support for oversize, dynamic screen resolutions, that is screen adjustment on window resizing, to the IBM 3270 terminal emulator for the X Window System. Viewing larger screen sizes thus works properly and larger files or outputs on the mainframe appear as expected. (BZ#1171849)
icedtea-web rebased to version 1.6.2
The icedtea-web packages have been upgraded to upstream version 1.6.2, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:
- The IcedTea-Web documentation and man pages have been significantly expanded.
- IcedTea-Web now supports bash completion.
Run in Sandboxfeatures have been enhanced.
-htmlswitch has been implemented for the Java Web Start (JavaWS) framework, which can serve as a replacement of the AppletViewer program.
- It is now possible to use IcedTea-Web to create desktop and menu launchers for applets and JavaWS applications. (BZ#1275523)
Chapter 7. Directory Server in Red Hat Enterprise Linux
About Directory Server for Red Hat Enterprise Linux
This section describes changes in the main server component for Red Hat Directory Server - the 389-ds-base package, which includes the LDAP server itself and command line utilities and scripts for its administration. This package is part of the Red Hat Enterprise Linux base subscription channel and therefore available on all Red Hat Enterprise Linux Server systems due to Red Hat Identity Management components which depend on it.
Additional Red Hat Directory Server components, such as the
Directory Server Console, are available in the
rhel-x86_64-server-6-rhdirserv-9additional subscription channel. A subscription to this channel is also required to obtain support for Red Hat Directory Server. Changes to the additional components in this channel are not described in this document.
Red Hat Directory Server version 9 is available for Red Hat Enterprise Linux 6. See https://access.redhat.com/products/red-hat-directory-server/get-started-v9 for information about getting started with Directory Server 9, and https://access.redhat.com/documentation/en/red-hat-directory-server/?version=9 for full documentation. (BZ#1333801)
Improved performance when deleting large quantities of multi-valued attributes
The API used to delete entries with large amounts of multi-valued attributes has been replaced with a significantly faster one, causing a large performance improvement in such situations. (BZ#1236148)
Chapter 8. File Systems
XFS runtime statistics are available per file system in the
The existing XFS global statistics directory has been moved from the
/proc/fs/xfs/directory to the
/sys/fs/xfs/directory while maintaining compatibility with earlier versions with a symbolic link in
/proc/fs/xfs/stat. New subdirectories will be created and maintained for statistics per file system in
/sys/fs/xfs/, for example
/sys/fs/xfs/sdb8/stats. Previously, XFS runtime statistics were available only per server. Now, XFS runtime statistics are available per device. (BZ#1205640)
XFS supported file-system size has been increased
Previously, the supported file-system size for XFS was 100 TB. With this update, the supported file-system size for XFS has been increased to 300 TB. (BZ#1273090)
autofs option is now available
autofsoption to override the use of an IP address when mounting to a host name with multiple associated addresses has been implemented. If strict Round Robin DNS is needed, the
use_hostname_for_mountsoption enables bypassing the usual availability and proximity check, and the host name is used in mount requests regardless of whether the requests have multiple IP addresses. (BZ#1248798)
Chapter 9. Hardware Enablement
Support for Sealevel model 2803 ROHS converters from USB to serial media
This update introduces support for Sealevel model 2803 ROHS converters from USB to serial media by including their IDs in the kernel. (BZ#1104343)
Backporting of the rtlwifi driver family
The rtlwifi driver family from upstream Linux kernel has been backported to support new Realtek wireless devices such as RTL8188CE, which are used on some variants of Lenovo laptops. (BZ#1263386)
Support for NCT6775 and compatible chips
This update introduces the NCT6775 kernel hwmon driver. This driver enables monitoring of the sensors associated with voltage, temperature, fan speed, and such, on hardware that includes a chip from Nuvoton's Super I/O series. (BZ#1260117)
Ethernet functionality added to mlx5_core
This enhancement update adds Ethernet functionality to the mlx5_core networking driver. The mlx5_core driver acts as a library of common functions, for example, initializing the device after reset required by certain adapter cards. This driver also implements the Ethernet interfaces for some adapter cards. Unlike mlx4_en/core, mlx5 drivers do not require the mlx5_en module as the Ethernet functionalities are built-in in the mlx5_core module. (BZ#1246031)
Support for O2Micro sdhci card reader model 8520
This update introduces support for the O2Micro sdhci card reader model 8520, which is used on newer Lenovo laptops. (BZ#1089109)
Support for solarflare devices and features
This update introduces a driver update that provides support for additional solarflare devices and features. (BZ#1123046)
Wacom Cintiq 27QHD Device Support
With this release, the Wacom Cintiq 27QHD is now supported in Red Hat Enterprise Linux 6. (BZ#1243328)
Wacom Intuos PT Tablet Device Support
With this release, several Wacom Intuos PT Tablets are now supported in Red Hat Enterprise Linux 6.8. The newly supported devices are:
- PTH-650 Intuos5 touch (M)
- CTH-480 Intuos Pen & Touch (S)
- PTH-651 Intuos pro (M) (BZ#1252898)
Support for the Realtek 5229 card reader
This update introduces support for the Realtek 5229 card reader. (BZ#806173)
Support for the AMD GX-212JC processor
This update introduces support for the AMD GX-212JC processor. (BZ#1176662)
ppc64-diag rebased to version 2.7.0
The ppc64-diag packages have been upgraded to upstream version 2.7.0, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:
- Several security-related issues have been fixed, such as memory leaks, buffer overflows, and replacing the
- Diagnostics support for the
5887 disk drive enclosurehas been added
- PCI Host Bridge (PHB) hot-plugging support has been added for PowerKVM guests (BZ#1252717)
librtas rebased to version 1.4.0
The librtas packages, which provide an IBM utility for the 64-bit PowerPC architecture support, have been updated to version 1.4.0 to provide various bug fixes and enhancements. With this update, the
libofdtlibrary has been decommissioned from the librtas package. (BZ#1252716)
lsvpd rebased to version 1.7.6
The lsvpd packages, which provide an IBM utility for the 64-bit PowerPC architecture support, have been updated to version 1.7.6 to provide various bug fixes, enhancements, and security fixes, such as buffer overflow and memory allocation validation. Additionally, the
lsmcodeutility adds support for OpenPower system. (BZ#1148150)
servicelog rebased to version 1.1.13
The servicelog packages, which provide an IBM utility for the 64-bit PowerPC architecture support, have been updated to version 1.1.13 to provide various bug fixes and enhancements. (BZ#1148139)
iprutils rebased to version 188.8.131.52
The iprutils packages, which provide an IBM utility for the 64-bit PowerPC architecture support, have been updated to version 184.108.40.206 to provide various bug fixes and enhancements.
It is recommend to use the latest version of iprutils. If a system has already installed iprutils-2.4.9-2.el6, then to remove it, run the following command:
rpm -e --noscripts iprutils
Chapter 10. Installation and Booting
Using an HTTPS source for kickstart files is now supported
With this update, it is now possible to specify HTTPS sources for kickstart files. (BZ#1259880)
Increased debug logging for
The default log level of the
NetworkManagerutility has been increased to make debugging the installation process easier. (BZ#831777)
Automatic network device configuration using 802.1q VLAN tags from the iBFT
The installer configures network devices automatically, based on the iSCSI Boot Firmware Table (iBFT). Before this update, if 802.1q VLAN tagging was required for a device, the installer was not able to apply this information to the installed system. Now, if the 802.1q VLAN ID of a device is specified in the iBFT, the installer will use this information to automatically configure the device on the installed system. (BZ#831002)
Chapter 11. Kernel
The /proc/pid/cmdline file length is now unlimited
/proc/pid/cmdlinefile length limit for the
pscommand was previously hard-coded in the kernel to 4096 characters. This update makes sure the length of
/proc/pid/cmdlineis unlimited, which is especially useful for listing processes with long command line arguments. (BZ#1100069)
Support for LSO and LRO
This update adds support for Large Send Offload (LSO) and Large Receive Offload (LRO) to the PowerVM virtual Ethernet driver (ibmveth). The enhancement allows you to enable LRO on the Shared Ethernet Adapter (SEA) in a mixed AIX and Linux Central Electronics Complex (CEC), allowing better networking performance and better interoperability with AIX in a shared ethernet adapter environment. (BZ#1233272)
ipr rebased to version 2.6.3
iprdriver has been upgraded to upstream version 2.6.3, which provides a number of enhancements and bug fixes over the previous version. Namely, the update enables new SAS VRAID adapters on IBM Power Systems and includes recent performance improvements. As a result, the update improves disk performance and supports recent adapters on IBM Power Systems. (BZ#1252713)
ixgbe rebased to version 4.2.1
ixgbeNIC driver has been upgraded to upstream version 4.2.1, which provides a number of bug fixes and enhancements over the previous version. Notably:
- Null pointer crashes related to VLAN support have been fixed.
- Two more devices from the Intel X550 Ethernet controller family are now supported: IDs 15AC and 15AD have been added.
- Several PHY-related problems have been addressed: link disruptions and link flapping.
- Added PHY-related support for Intel X550.
- Performance has been improved. (BZ#1249244)
L2 cache information is gathered using the CPUID instruction
With this update, Level 2 (L2) processor cache information such as the base cache or the number of cache leaves is gathered using the
bnx2 rebased to version 2.2.6
bnx2NIC driver has been upgraded to upstream version 2.2.6, which provides a number of bug fixes and enhancements over the previous version. Notably:
- Bandwidth allocation for some MF modes has been fixed.
- Toggling of
rxvlancan now be disabled.
- A chip initialization bug has been fixed.
- Inconsistent use of page sizes has been fixed. (BZ#1252124)
e100 rebased to version 3.5.24-k2-NAPI
The e100 NIC driver has been upgraded to upstream version 3.5.24-k2-NAPI, which provides a number of bug fixes over the previous version. Notably, the update adds error checking around DMA mapping to avoid resource leaks and fixes a possible NULL pointer dereference during initialization. (BZ#1150338)
e1000e rebased to version 3.2.6-k
The e1000e driver has been upgraded to upstream version 3.2.6-k, which provides a number of bug fixes over the previous version. Notably, the new version prevents possible data corruption and enables both ULP and EEE in Sx mode. (BZ#1249241)
MLDv1 and MLDv2 snooping added to bridge
With this update, the bridge module adds support to IPv6 multicast by snooping for MLDv1 and MLDv2. Now, IPv6 multicast messages are sent only to ports with subscribed multicast receivers. (BZ#587714)
perf has been updated
To support a greater range of hardware and incorporate numerous bug fixes,
perfhas been updated. Notable enhancements include:
- Added support for additional model numbers of 5th Generation Intel Core i7 processors.
- Added support for Intel Xeon v5 mobile and desktop processors.
- Enabled support for the uncore subsystem for Intel Xeon v3 and v4 processors.
- Enabled support for the uncore subsystem for Intel Xeon Processor D-1500. (BZ#1216217)
EDAC support for Intel Xeon v4
The kernel has been updated to incorporate new code that adds EDAC (Error Detection and Correction) support for the Xeon v4 memory controllers from Intel. (BZ#1245372)
Crash dump performance enhancements
The time taken to complete a crash dump on systems with large quantities of memory has been reduced in
makedumpfileby making use of mmap() to remove empty and unneeded pages. (BZ#1097904)
Interval Tree Support for Intel Xeon v3 and v4 core processors with Gen graphics
To enable access to the GPU functionality of some Intel processors without recompiling a custom kernel, Interval Tree support has been added. (BZ#1251197)
CPU microcode update for Intel processors
The kernel has been updated to contain the latest microcode definitions for all Intel processors. This is the latest update from Intel at the time of publishing and is designated version 20151106. (BZ#1244968)
Minimal support for secondary endpoints with nf_conntrack_proto_sctp
Basic multihoming support has been added to Stream Control Transmission Protocol (SCTP), allowing traffic between secondary endpoints to pass through where it would previously be classified as invalid and blocked by most common firewall configurations. (BZ#1267612)
The sch_qfq scheduler now supports QFQ+
sch_qfqscheduler now supports the Quick Fair Queuing Plus (QFQ+) algorithm, which improves the scheduler's efficiency and accuracy. At the same time, a number of bug fixes have been applied to further improve the behavior of
sch_qfqunder various conditions. (BZ#1152235)
Tracking and capturing I/O statistics for the tape driver is available
It is now possible to track and capture I/O performance statistics, and measure tape device performance. The user can use the statistics exposed in the
/sys/class/scsi_tape/tree with custom tools. (BZ#875277)
mpt2sas and mpt3sas merged
The source codes of
mpt3sasdrivers have been merged. Unlike in upstream, Red Hat Enterprise Linux 6 continues to maintain two binary drivers for compatibility reasons. (BZ#717090)
Firmware-assisted Crash Dumping
Red Hat Enterprise Linux 6.8 introduces support for firmware-assisted dump (fadump), which provides an alternative dumping mechanism to kdump. Fadump is supported only on PowerPC architecture. The goal of fadump is to enable the dump of a crashed system, and to do so from a fully-reset system, and to minimize the total elapsed time until the system is back in production use. Fadump is integrated with kdump infrastructure present in the user space to seemlessly switch between kdump and fadump mechanisms. (BZ#1254923)
Setting an SELinux context label for a block device
To be able to label device nodes, most commonly disks, as used by certain applications, this update provides the possibility to apply SELinux labels on device nodes created by
udev. The system administrator can set a new option to give a label to a newly created device node as follows:
New packages: libevdev
libevdevpackages have been added to Red Hat Enterprise Linux 6.8. These packages contain a library to wrap kernel evdev devices and provide a proper API to interact with these devices. (BZ#1250806)
lpfc driver update
With the latest update, LPE31000, LPE32000 HBAs, and all HBA variants of this architecture now detect and enable both Broadcom-ECD certified SFP and QSFP optics. For firmware rev 220.127.116.11 and later, unqualified optics are disabled, the network link shows
link downstate, and an error message is logged to the log file.
The lpfc driver in Red Hat Enterprise Linux 6.8 displays the following message and the network link does not come up:
3176 Misconfigured Physical Port - Port Name [wwpn] Unknown event status [status]
The users are recommended to use only Broadcom-ECD certified SFP and QSFP optics. If any of the 3176 messages are seen in the logs and the link does not come up, contact Broadcom-ECD technical support. (BZ#1295468)
Chapter 12. Networking
NetworkManager-openswan now supports libreswan
In Red Hat Enterprise Linux 6.8, the openswan IPsec implementation is considered obsolete and replaced by the libreswan implementation. The NetworkManager-openswan package now supports both openswan and libreswan in order to facilitate migration. (BZ#1267394)
New package: chrony
A new package, chrony, has been added to Red Hat Enterprise Linux 6.
chronyis a versatile implementation of the Network Time Protocol (NTP), which can usually synchronize the system clock with a better accuracy than the
ntpddaemon from the ntp package. It can be also used with the
timemasterservice from the linuxptp package to synchronize the clock to Precision Time Protocol (PTP) domains with sub-microsecond accuracy if hardware timestamping is available, and provide a fallback to other PTP domains or NTP sources. (BZ#1274811)
New packages: ldns
The ldns packages contain a library with the aim to simplify DNS programming in C. All low-level DNS/DNSSEC operations are supported. A higher level API has been defined which allows a programmer to, for instance, create or sign packets. (BZ#1284961)
wpa_supplicant can now send logs into the syslog
wpa_supplicantcould only save log messages into the
/var/log/wpa_supplicant.logfile. This update adds the capability to save log messages into the system log, allowing you to use additional features provided by syslog such as remote logging.
To activate this feature, add the new
/etc/sysconfig/wpa_supplicantconfiguration file. (BZ#822128)
Enhancements in system-config-network
Network Configurationtool (the system-config-network package) has received multiple user interface improvements in this release. Notable enhancements include additional fields for the
ONBOOTsettings and an added
Deletebutton in the list of interfaces. (BZ#1214729)
New packages: unbound
Unbound is a validating, recursive, and caching DNS resolver. It is designed as a set of modular components that also support DNS Security Extensions (DNSSEC). (BZ#1284964)
nm-connection-editor now allows a higher range of VLAN ids
The VLAN id is no longer limited to the range 0-100 in
nm-connection-editor. The new allowed range is between 0 and 4095. (BZ#1258218)
NetworkManager supports locking Wi-Fi network connections to a specific radio frequency band
NetworkManagernow allows you to specify a certain frequency band such for a Wi-Fi connection. To lock a connection to a certain band, use the new
BAND=option in the connection configuration file in the
/etc/sysconfig/network-scripts/directory. Values for this option are based on the IEEE 802.11 protocol specifications; to specify the 2.4 GHz band, use
BAND=bg, and to specify the 5 GHz band, use
NetworkManager now supports iBFT
A plug-in for iSCSI Boot Firmware Table (iBFT) configuration has been added to
NetworkManager. This plug-in ensures that initial network configuration for hosts booting from iSCSI in a VLAN is correct. (BZ#1198325)
Chapter 13. Security
TLS 1.2 support added to basic system components
With these updates, basic system tools, such as
Postfixhave been modified to support the 1.2 version of the TLS protocol. This is to ensure that the tools are not vulnerable to security exploits that exist for older versions of the protocol. (BZ#1253743)
NSS now enables the TLS version 1.2 protocol by default
In order to satisfy current best security practices, the Transport Layer Security (TLS) 1.2 protocol has been enabled by default in NSS. This means that it is no longer necessary to explicitly enable it in applications that use NSS library defaults.
If both sides of TLS connection enable TLS 1.2, this protocol version is now used automatically. (BZ#1272504)
pycurl now provides options to require TLSv1.1 or 1.2
With this update,
pycurlhas been enhanced to support options that make it possible to require the use of the 1.1 or 1.2 versions of the TLS protocol, which improves the security of communication. (BZ#1260406)
cURL module now supports TLS 1.1 and TLS 1.2
Support for the TLS protocol version 1.1 and 1.2, which was previously made available in the
curllibrary, has been added to the PHP
openswan deprecated in favor of
The openswan packages have been deprecated, and libreswan packages have been introduced as a direct replacement for
libreswanis a more stable and secure VPN solution for Red Hat Enterprise Linux 6.
libreswanis already available as the VPN endpoint solution for Red Hat Enterprise Linux 7.
openswanwill be replaced by
libreswanduring system upgrade. See https://access.redhat.com/articles/2089191 for instructions on how to migrate from
Note that the openswan packages remain available in the repository. To install
libreswan, use the
yumto exclude libreswan:
yum install openswan -x libreswan. (BZ#1266222)
SELinux support added for GlusterFS
With this update, the SELinux mandatory access control is provided for the glusterd (GlusterFS Management Service) and glusterfsd (NFS server) processes as a part of Red Hat Gluster Storage. (BZ#1241112)
shadow-utils rebased to version 18.104.22.168
The shadow-utils package, which provides utilities for managing user and group accounts, has been rebased to version 22.214.171.124. This is the same as the version of shadow-utils in Red Hat Enterprise Linux 7. Enhancements include improved auditing, which was corrected to provide a better record of system-administrator actions on the user-account database. The main new feature added to this package is the support for operation in chroot environments using the
--rootoption of the respective tools. (BZ#1257643)
audit rebased to version 2.4.5
The audit package, which provides the user-space utilities for storing and searching the audit records generated by the
auditsubsystem in the Linux kernel, has been rebased to version 2.4.5. This update includes enhanced event interpretation facilities that provide more system-call names and arguments to make the understanding of events easier.
This update also has an important behavior change in the way that
auditdrecords events to disk. If you are using either
syncmodes for the
auditd.conf, you will see a performance decrease in
auditd'sability to log events. This is because it was previously not properly informing the kernel that full synchronous writes should be used. This was corrected, which has improved the reliability of the operation, but this has come at the expense of performance. If the performance drop is not tolerable, the
flushsetting should be changed to
freqsetting will control how often
auditdinstructs the kernel to synchronize all records to disk. A
100should give good performance while making sure that new records are flushed to disk periodically. (BZ#1257650)
LWP now supports host name and certificate verification
Certificate and host-name verification, which is disabled by default, has been implemented in the World Wide Web library for Perl (LWP, also called libwww-perl). This allows users of the
LWP::UserAgentPerl module to verify the identity of HTTPS servers. To enable the verification, make sure the
IO::Socket::SSLPerl module is installed and the
PERL_LWP_SSL_VERIFY_HOSTNAMEenvironment variable set to
1or that the application is modified to set the
ssl_optsoption correctly. See
LWP::UserAgentPOD for more details. (BZ#745800)
Net:SSLeay now supports elliptic curve parameters
Support for elliptic-curve parameters has been added to the Perl
Net:SSLeaymodule, which contains bindings to the OpenSSL library. Namely, the
OBJ_txt2nid()subroutines have been ported from upstream. This is required for the support of the Elliptic Curve Diffie–Hellman Exchange (ECDHE) key exchange in the
IO::Socket::SSLPerl module. (BZ#1044401)
IO::Socket::SSL now supports ECDHE
Support for Elliptic Curve Diffie–Hellman Exchange (ECDHE) has been added to the
IO::Socket::SSLPerl module. The new
SSL_ecdh_curveoption can be used for specifying a suitable curve by the Object Identifier (OID) or Name Identifier (NID). As a result, it is now possible to override the default elliptic curve parameters when implementing a TLS client using
openscap rebased to version 1.2.8
OpenSCAP, a set of libraries providing a path for the integration of SCAP standards, has been rebased to 1.2.8, the latest upstream version. Notable enhancements include support for the OVAL-5.11 and OVAL-5.11.1 language versions, the introduction of a verbose mode, which helps to understand the details of running scans, two new commands,
oscap-vm, for scanning over SSH and scanning of inactive virtual systems respectively, native support for bz2 archives, and a modern interface for HTML reports and guides. (BZ#1259037)
scap-workbench rebased to version 1.1.1
The scap-workbench package has been rebased to version 1.1.1, which provides a new SCAP Security Guide integration dialog. It can help the administrator choose a product that needs to be scanned instead of choosing content files. The new version also offers a number of performance and user-experience improvements, including improved rule searching in the tailoring window and the possibility to fetch remote resources in SCAP content using the GUI. (BZ#1269551)
scap-security-guide rebased to version 0.1.28
The scap-security-guide package has been rebased to the latest upstream version (0.1.28), which offers a number of important fixes and enhancements. These include several improved or completely new profiles for both Red Hat Enterprise Linux 6 and 7, added automated checks and remediation scripts for many rules, human readable OVAL IDs that are consistent between releases, or HTML-formatted guides accompanying each profile. (BZ#1267509)
Support for SSLv3 and RC4 disabled in
The use of the insecure SSLv3 protocol and RC4 algorithm has been disabled in
luci, the web-based high availability administration application. By default, only TLSv1.0 and higher protocol versions are allowed, and the digest algorithm used for self-managed certificates has been updated to SHA256. It is possible to re-enable SSLv3 (by uncommenting the
allow_insecureoptions in relevant sections of the
/etc/sysconfig/luciconfiguration file), but that is only for unlikely and unpredictable cases and should be used with extreme caution.
This update also adds the possibility to adjust the most important SSL/TLS properties (in addition to the mentioned
allow_insecure): the path to the certificate pair and the cipher list. These settings can be used either globally, or independently for both secure channels (HTTPS web UI access and connection with
Chapter 14. Servers and Services
mod_nss now supports server-side SNI
This update adds server-side Server Name Indication (SNI) support to the
Non-root user support in
mod_rewritemodule provided with the Apache HTTP Server now supports running external mapping programs as a non-root user. This reduces security risk from using
mod_rewritemapping because a non-privileged process can be used. (BZ#1035230)
tomcat6 now supports disableURLRewriting
This update adds the
disableURLRewritingattribute to the Tomcat 6 servlet container. The attribute allows to disable support for using URL rewriting to track session IDs for specific contexts. (BZ#1221877)
Logging capabilities of the
tftp server have been enhanced
As a result of improved logging, the Trivial File Transfer Protocol (TFTP) server can now track successes and failures. For example, a log event is now created when a client successfully finishes downloading a file, or the
file not foundmessage is provided in case of a failure. (BZ#917817)
Squid can log IP addresses and ports of remote hosts
In previous versions, the
Squidcaching and forwarding web proxy had the ability to log the URL, which included the host name. However,
Squidcould not log the IP address of the destination server. This update enables
Squidto log IP addresses and ports of remote hosts, which is especially useful when dealing with hosts that have multiple IP addresses. (BZ#848124)
new ignore-client-uids option
When a client machine can boot different operating systems (OS), each OS can send a different DHCP client identifier (UID) and consequently obtain a different IP address from the server. Now, the user can configure a server to treat such a machine as a single entity regardless of the OS it runs at the moment with a new
This option causes the server to not record a client's UID in its lease. To configure
ignore-client-uids, add the following line to the
This configuration causes that the UID for clients will not be recorded. If this statement is not present or has a value of false or off, then client UIDs will be recorded. (BZ#1196768)
Tuned profile optimized for Oracle database servers has been included
Tunedprofile, which is specifically optimized for the Oracle databases load, is now available. The new profile is delivered in the tuned-profiles-oracle subpackage, so that other related profiles can be added in the future. The
oracleprofile is based on the
enterprise-storageprofile, but modifies kernel parameters based on Oracle database requirements and turns transparent huge pages off. (BZ#1196294)
New package: squid34
A new package squid34 version 3.4.14 has been released. This package cannot be installed together with the squid package. squid34 improves stability and fixes multiple bugs originally reported against squid.
The most important new features in squid34 include:
- Helper protocol extensions
- SSL Server Certificate Validator
- TPROXY Support for OpenBSD 5.1 and later, and FreeBSD 9 and later
- Transaction Annotations
- Multicast DNS (BZ#1265328)
The BIND server now supports CAA records
Certification Authority Authorization (CAA) support has been added to the Berkeley Internet Name Domain (BIND) server. Now, users can restrict Certification Authorities by specifying the DNS record. (BZ#1252611)
LocalPort keywords are now supported for
Match conditions in
Systems connected to several physical networks might require different access policies. With this update, you can enforce different policies for different local addresses or ports directly in
sshd_config, without the need to run several services with different configuration files. (BZ#1211673)
Support for disabling selected GSSAPI key exchange algorithms
After CVE-2015-4000 (Logjam) was discovered, the
gss-group1-sha1algorithm is not considered secure anymore. Previously, there was no possibility to disable this single key exchange method. With this update, the administrator can disable this or other selected algorithms used by GSSAPI key exchange in
authorized_keys_command option in
sudorules across multiple systems might require to list SSH keys from LDAP, which was previously not possible. With this update, you can set up
pam_ssh_agent_authto get the authorized keys from LDAP or a different service easily. The feature has been backported from the upstream version. (BZ#1299555)
Chapter 15. Storage
multipath utility can now save data between prioritizer calls
This feature has been implemented in the asymmetric logical unit access (ALUA) prioritizer, and reduces the number of commands sent to the target array. As a result, target arrays are no longer overloaded with commands if there is a large number of paths. (BZ#1081395)
Asynchronous checkers can use the multipath checker_timeout option
Asynchronous checkers now use the
checker_timeoutoption in the
multipath.conffile to determine when to stop waiting for a response from the array and fail the non-responsive path. This behavior for asynchronous checkers can be configured in the same way as for synchronous checkers. (BZ#1153704)
nfsidmap -d option added
nfsidmap -doption has been added to display the system's effective NFSv4 domain name on stdout. (BZ#948680)
Configurable connection timeout for mounted CIFS shares
Idling CIFS clients send an echo call every 60 seconds. The echo interval is hard-coded, and is used to calculate the timeout value for an unreachable server. This timeout value is usually set to (2 * echo interval) + 17 seconds. With this feature, users can change the echo interval setting, which enables them to change the timeout interval for unresponsive servers. To change the echo interval, use the
echo_interval=nmount option, where n is the echo interval in seconds. (BZ#1234960)
Support for device-mapper statistics facility (
The Red Hat Enterprise Linux 6.8 release supports a device-mapper statistics facility, the
dmstatsprogram displays and manages I/O statistics for user-defined regions of devices that use the device-mapper driver. The
dmstatsprogram provides a similar functionality to the
iostatsprogram, but at levels of finer granularity than a whole device. For information on the
dmstatsprogram, see the
dmstats(8) man page. (BZ#1267664)
Support for raw format mode in multipathd formatted output commands
The multipathd formatted ouput commands now offer a
rawformat mode that removes the headers and additional padding between fields. Support for additional format wildcards has been added as well. Raw format mode makes it easer to collect and parse information about multipath devices, particularly for use in scripting. For information on raw format mode, see the
DM MultipathGuide. (BZ#1145442)
Chapter 16. System and Subscription Management
search-disabled-repos plug-in for
yumhas been added to the subscription-manager packages. This plug-in allows users to successfully complete
yumoperations that fail due to the source repository being dependent on a disabled repository. When
search-disabled-reposis installed in the described scenario,
yumdisplays instructions to temporarily enable repositories that are currently disabled and to search for missing dependencies.
If you choose to follow the instructions and turn off the default
notify_onlybehavior in the
yumoperations will prompt you to temporarily or permanently enable all the disabled repositories needed to fulfill the
Easier troubleshooting with
yumutility is now able to identify certain frequently occurring errors and provides a link to a relevant Red Hat Knowledgebase article. This helps users identify typical problems and address their cause. (BZ#1248686)
New package: rear
Relax-and-Recover(rear) is a recovery and system migration utility. Written in
bash, it allows you to use tools already present on your system to continuously create recovery images which can be saved locally or on a remote server, and to use these images to easily restore the system in case of software or hardware failure. The tool also supports integration with various external tools such as backup solutions (
IBM TSM, etc.) and monitoring systems (
The rear utility is available in base channels for all variants of Red Hat Enterprise Linux 6.8 on all architectures.
The utility produces a bootable image and restores from backup using this image. It also allows to restore to different hardware and can therefore be used as a migration utility as well. (BZ#981637)
iostat now supports separate statistics for
iostattool now supports separate statistics for
r_await(average time for read requests issued to the device to be served) and
w_await(average time for write requests issued to the device to be served) in the Device Utilization Report. Use the
-xoption to obtain a report which includes this information. (BZ#1185057)
TLS 1.1 and 1.2 are now enabled by default in
Previously, versions 1.1 and 1.2 of the TLS protocol were disabled by default in
libcurl. Users were required to explicitly enable these TLS versions in utilities based on
libcurlin order to allow these utilities to securely communicate with servers that do not accept SSL 3.0 and TLS 1.0 connections. With this update, TLS 1.1 and TLS 1.2 are no longer disabled by default in
libcurl. You can, however, explicitly disable them using the libcurl API. (BZ#1289205)
libcurl can now connect to SCP and SFTP servers through a HTTP proxy
Implementations of the
libcurlhave been enhanced and now support tunneling through HTTP proxies. (BZ#1258566)
abrt can now exclude specific programs from being dumped
Previously, ignoring crashes of blacklisted programs in
abrtdid not prevent it from creating their core dumps - the dumps were still written to disk and then deleted. This approach allowed
abrtto notify system administrators of a crash while not using disk space to store unneeded crash dumps. However, creating these dumps only to delete them later was unnecessarily wasting system resources. This update introduces a new configuration option
/etc/abrt/plugins/CCpp.confconfiguration file, which allows you to specify a comma-separated list of file system path globs which will not be dumped at all. (BZ#1208713)
User and group whitelisting added to
abrtallowed all users to generate and collect core dumps, which could potentially enable any user to maliciously generate a large number of core dumps and waste system resources. This update adds a whitelisting functionality to
abrt, and you can now only allow specific users or groups to generate core dumps. Use the new
AllowedUsers = user1, user2, ...and
AllowedGroups = group1, group2, ...options in the
/etc/abrt/plugins/CCpp.confconfiguration file to restrict core dump generation and collection to these users or groups, or leave these options empty to configure
abrtto process core dumps for all users and groups. (BZ#1256705)
libvpd rebased to version 2.2.5
The libvpd packages have been upgraded to upstream version 2.2.5, which provides a number of bug fixes and enhancements over the previous version. Notably, this version includes:
- Improved error handling
- Security improvements such as fixing a potential buffer overflow and memory allocation validation (BZ#1148140)
libservicelog rebased to version 1.1.15
The libservicelog packages have been upgraded to upstream version 1.1.15, which provides a number of bug fixes and enhancements over the previous version. (BZ#1148141)
sysctl configuration files can now contain longer lines
sysctlconfiguration files could only contain lines up to 255 characters long. With this update, the maximum acceptable line length has been increased to 4095 characters. (BZ#1201024)
ps can now display thread cgroups
This update introduces a new format specifier
thcgr, which can be used to display the cgroup of each listed thread. (BZ#1284076)
reporter-upload now allows configuring optional SSH keys
reporter-uploadtool, which is used by
abrtto submit collected problem data, now allows you to use optional SSH key files. You can specify a key file using one of the following ways:
SSHPrivateKeyoptions in the
-rcommand line options for the public and private key, respectively.
- Setting the
Upload_SSHPrivateKeyenvironment variables, respectively.
If none of these options or variables are used,
reporter-uploadwill attempt to use the default SSH key from the user's
Chapter 17. Virtualization
Support for Hyper-V storage with 4096-byte sectors
Red Hat Enterprise Linux guests running on the Microsoft Hyper-V hypervisor are now able to properly handle 4096-byte sectors for Hyper-V storage when such sector size is reported by the host. This can significantly improve the I/O performance of Red Hat Enterprise Linux guests running on the described type of storage. (BZ#1217570)
Red Hat Enterprise Linux guests now support reporting kernel crashes on Hyper-V
Red Hat Enterprise Linux guests running on the Microsoft Hyper-V hypervisor are now able to report kernel crashes to the Hyper-V host. If such a crash occurs, the kernel panic notification data is captured in the Windows Event Viewer as a
18590event. The event contains the relative instruction pointer (RIP) and 4 basic CPU registers. (BZ#1229904)
Hyper-V guests now support TRIM
Red Hat Enterprise Linux virtual machines on Hyper-V now support performing the TRIM operation on Hyper-V virtual hard disk (VHDX) files. This prevents VHDX files on these machines from growing to excessive sizes. As a result, it is now possible to use thin-provisioned VHDX storage. (BZ#1247699)
Hyper-V guests now support Windows 10 protocol
This update introduces support for Windows 10 and Windows Server 2016 host protocols when Red Hat Enterprise Linux is running as a guest on Microsoft Hyper-V. (BZ#1267592)
Setting the account password is now possible for any guest user
guest-set-user-passwordcommand has been introduced for the QEMU guest agent. This allows setting the account password for any guest user, including the root, when using QEMU and KVM. (BZ#1174181)
virtio-win support for Windows 10
The virtio-win package now includes drivers for Windows 10, which allows users of virtio-win to create Windows 10 guests. (BZ#1275050)
Red Hat Enterprise Linux 6 Hyper-V Generation 2 guests fully supported
With Red Hat Enterprise 6.8, it is fully supported for Red Hat Enterprise Linux 6 to be hosted as Generation 2 virtual machines on the 2012 R2 and later versions of the Microsoft Hyper-V Server host. In addition to the functions supported in the previous generation, Generation 2 provides new functions on a virtual machine, such as boot from a SCSI virtual hard disk, or UEFI firmware support. (BZ#1056676)
New package: WALinuxAgent
The Microsoft Azure Linux Agent (WALA) version 2.0.16 has been included in the Extras channel. This agent supports the provisioning and running of Linux Virtual Machines in the Windows Azure cloud and should be installed on Linux images that are built to run in the Windows Azure environment. (BZ#1215872)
virt-who rebased to version 0.16-7
virt-whoqueries of the Hyper-V hypervisor have been extended to include the capacity (socket counts so that the subscription applied to the hypervisor can be evaluated), name, and type to be displayed in the SMS inventory to make it easier for the user to identify the system.
VIRTWHO_INTERVAL=, has been extended to 1 minute to prevent from failures in communication with Subscription-Manager.
virt-whonow supports connecting Red Hat Enterprise Virtualization Manager (RHEV-M) and the Hyper-V hypervisor through proxy.
virt-whonow allows filtering for hosts that are sent by
virt-whoto Red Hat Subscription-Manager.
virt-whois able to report which virtual guests of virtual machines are active on all known hypervisors. (BZ#1258765)
Chapter 18. Red Hat Software Collections
Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures. Red Hat Developer Toolset is included as a separate Software Collection.
Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Since Red Hat Software Collections 2.3, the Eclipse development platform is provided as a separate Software Collection.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the
sclutility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the
sclutility, users can choose which package version they want to run at any time.
Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.
Part II. Known Issues
This part documents known problems in Red Hat Enterprise Linux 6.8.
Chapter 19. General Updates
resource-agents-sap-hana shipped in an incorrect channel
The resource-agents-sap-hana package has been available as part of the High Availability Add-On in Red Hat Enterprise Linux 6.7 and 6.8. However, asynchronous updates for this package were made available through the Red Hat Enterprise Linux for SAP HANA repository. Consequently, package updates on systems that do not enable both the Red Hat Enterprise Linux High Availability Add-On and Red Hat Enterprise Linux for SAP HANA repositories can fail. To avoid this problem, enable both the RHEL for SAP HANA and Red Hat Enterprise Linux High Availability channels in Red Hat Subscription Manager, Red Hat Network, or Red Hat Network Satellite prior to updating any applicable systems. If you do not have access to SAP HANA content, remove the resource-agents-sap-hana package by running the
rpm -ecommand. (BZ#1334776)
Incorrect information about the expected default settings of services in Red Hat Enterprise Linux 7
The module of Preupgrade Assistant that handles
initscriptsprovides incorrect information about the expected default settings of the services in Red Hat Enterprise Linux 7 according to the
/usr/lib/systemd/system-preset/90-default.presetfile in Red Hat Enterprise Linux 7 and according to the current settings of the Red Hat Enterprise Linux 6 system. In addition, the module does not check the default settings of the system but only the settings for the runlevel used during the processing of the check script, which might not be the default runlevel of the system. As a consequence,
initscriptsare not handled in the anticipated way and the new system needs more manual action than expected. However, the user is informed about the settings that will be chosen for relevant services, despite the presumable default settings. (BZ#1366671)
The default value of
first_valid_uid in Dovecot has changed in Red Hat Enterprise Linux 7
Since Red Hat Enterprise Linux 7.3, the default value of the
first_valid_uidconfiguration option of Dovecot has changed from
500in Red Hat Enterprise Linux 6 to
1000in Red Hat Enterprise Linux 7. Consequently, if a Red Hat Enterprise Linux 6 installation does not have
first_valid_uidexplicitly defined, the
Dovecotconfiguration will not allow users with UID less than
1000to log in after the update to Red Hat Enterprise Linux 7.
To avoid breaking of the configuration, redefine
500after the upgrade in the
/etc/dovecot/conf.d/10-mail.conffile. Note that only installations where
first_valid_uidis not explicitly defined are affected by this problem. (BZ#1388967)
Chapter 20. Authentication and Interoperability
Do not use SELinux in enforcing mode when sharing the root directory
Samba requires a shared directory to be labeled
samba_share_twhen SELinux is in enforcing mode. However, when sharing the whole root directory of the system by using the
path = /configuration in the
/etc/samba/smb.conffile, labeling the root directory as
samba_share_tcauses critical system malfunctions.
Red Hat strongly discourages users from labeling the root directory with the
samba_share_tlabel. Therefore, do not use SELinux in enforcing mode when sharing the root directory using Samba. (BZ#1320172)
SSSD does not support the LDAP externalUser attribute
The System Security Services Daemon (SSSD) service is missing support for the
externalUserLDAP attribute of the Identity Management (IdM) schema. In consequence, the assignment of
sudorules to local accounts, such as by using the
/etc/passwdfile, fails. The problem affects only accounts outside of the IdM domains and Active Directory (AD) trusted domains.
To work around this problem, set the LDAP
sudosearch base as follows in the
[domain]section of the
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
This enables SSSD to resolve users defined in
SSSD incorrectly creates local overrides in an AD environment
sss_overridetool creates case-insensitive distinguished names (DN) when the
id_provideroption is set to
/etc/sssd/sssd.conffile. However, the DNs in the SSSD cache are stored case-sensitive. As a consequence, local overrides are not created for users from the Active Directory (AD) subdomain or for users with mixed-case account names. (BZ#1327272)
sssd_be does not terminate forked child processes
id_provideroption is set to
/etc/sssd/sssd.conffile, a helper process inside
sssd_beprocesses sometimes fails. In consequence, the process is spawning new
sssd_beinstances, which consume additional memory. To work around this problem, install the adcli package and restart the
SSSD fails to manage sudo rules from the IdM LDAP tree
The System Security Services Daemon (SSSD) currently uses the IdM LDAP tree by default. As a consequence, it is not possible to assign sudo rules to non-POSIX groups. To work around this problem, modify the
/etc/sssd/sssd.conffile to set your domain to use the
[domain/EXAMPLE] ... ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
As a result, SSSD will load sudo rules from the
compattree and you will be able to assign rules to non-POSIX groups.
Note that Red Hat recommends to configure groups referenced in sudo rules as POSIX groups.
The HP keyboard KUS1206 does not handle smart cards correctly and can become unresponsive
When using the HP keyboard KUS1206 with a built-in smart card reader, you might experience the following problems:
- The keyboard detects smart cards inconsistently.
- When the user logs in to the system with a password and the smart card is not inserted, the following message appears continuously in the
pcscd: commands.c:957:CmdGetSlotStatus Card absent or mute
- The keyboard sometimes becomes unresponsive.
Chapter 21. Compiler and Tools
LVM2 detection on FCoE storage and mounting of file systems specified in
/etc/fstab on FCoE storage can fail
fcoeinit scripts cannot determine what devices can be assigned through the FCoE storage fabric, and therefore whether the startup process needs to wait for device discovery. Consequently, logical volume (LVM2) detection on FCoE attached storage and mounting of file systems specified in
/etc/fstabon FCoE storage can fail during system startup due to an incomplete FCoE device discovery.
To work around this problem, use
/dev/disk/by-path/fc-*symbolic links as the specified block special device in
/etc/fstabalong with the
_netdevmount option. The
fcoeinit script waits longer for the specified devices to attach.
Sometimes, Fibre Channel by-path symbolic links are not a suitable option, such as when using LVM2 or mounting by labels. You can, starting with version 1.0.28 of the fcoe-utils packages, use the
MINIMUM_WAIToption in the
/etc/fcoe/configfile in such cases.
The default value of
MINIMUM_WAITis 0. Set the value to the number of seconds you want the
fcoeinit script to delay allowing device discovery to complete. Using
MINIMUM_WAITadds time to the system boot process, but could be necessary to allow block devices to be present before LVM2 and file system mounting scripts are run. (BZ#980961)
Chapter 22. Desktop
Using Radeon or Nouveau can cause incorrectly rendered graphics
A bug in the Xorg server can, under rare circumstances, cause graphics to be rendered incorrectly if using the Radeon or Nouveau graphics device driver. For example, the Thunderbird message pane can be displayed incorrectly.
For Nouveau, as a workaround, add the
WrappedFBoption to the
xorg.conffile as follows:
Section "Device" Identifier "nouveau-device" Driver "nouveau" Option "WrappedFB" "true" EndSection
This workaround avoids the faulty logic in the X server, and the Thunderbird message pane will be displayed correctly. (BZ#1076595)
Chapter 23. Installation and Booting
BFS installation fails on VV when automatic LVM partitioning is selected
When attempting installation using Boot From SAN (BFS) with an HP StoreServ 3PAR Storage Volume (VV), the installation fails during disk partitioning and LVM volume group activation with the message:
Volume group "VolGroup" has insufficient free space.
The failure is seen across all StoreServ volume types (Std VV, TPVV, TDVV). To work around this problem, if using LVM, select the Custom Partition Layout option and reduce the swap and /home partition size by 1-2 GB. If not using LVM, Select the Standard Partition option. (BZ#1190264)
--nocore option in the
%packages section of a kickstart file may result in a broken system
--nocoreoption is used in the
%packagessection of a kickstart file, core system packages and libraries will not be installed, which may result in the system being unable to perform essential tasks such as user creation, and may render the system unusable. To avoid this problem, do not use
The zipl boot loader requires target information in each section
When calling the
zipltool manually from a command line using a section name as a parameter, the tool was previously using the target defined in the default section of the
/etc/zipl.conffile. In the current version of
ziplthe default sections' target is not being used automatically, resulting in an error.
To work around the problem, manually edit the
/etc/zipl.confconfiguration file and copy the line starting with
target=from the default section to every section. (BZ#1203627)
The installer displays the number of multipath devices and number of multipath devices selected incorrectly
Multipath devices are configured properly, but the installer displays the number of devices and number of selected devices incorrectly. There is no known workaround at this point. (BZ#914637)
The installer displays the amount of disk space within multipath devices incorrectly
Multipath devices are configured properly, but the installer displays disk space and number of devices incorrectly. There is no known workaround at this point. (BZ#1014425)
Chapter 24. Kernel
e1000e cards might not get an IPv4 address
Some e1000e network interface cards (NICs) might fail to get an IPv4 address assigned after the system is rebooted. To work around this problem, add the following line to the /etc/sysconfig/network-scripts/ifcfg-<interface> file:
System freeze when loading Intel Skylake integrated graphics cards
On systems with Intel Skylake integrated graphics cards present, the system can freeze during the initial boot process when it starts to load the video driver. This known issue is caused by a race condition in version 2.6.32 of the kernel firmware loader.
As a workaround, if using the installer CD, try installing with the basic video driver. Otherwise, add the
nomodesetparameter to the kernel command line, which instructs the kernel to not load Intel Skylake integrated graphics driver and use BIOS modes instead. (BZ#1309875)
ecb fails when dracut is not upgraded
When upgrading only the kernel rpm from Red Hat Enterprise Linux 6.7 to version 6.8, it is necessary to also upgrade the dracut package to the latest version, that is dracut-004-409.el6.rpm, to enable the
ecbmodule to work.
ecbkernel module is needed by the
drbgkernel module when using the AES implementation on non-x86 architectures. Otherwise, the
drbgAES implementation fails with a warning message while other
drbgmodules still work. (BZ#1315832)
kernel panic in xfrm6 stack
During an overload and when Ethernet Flow Control is disabled, if IPSec policy is configured for the IPv6 protocol, sending UDP datagrams over the IPv6 protocol can lead to a kernel panic.
So far, there is no workaround or fix available. (BZ#1327680)
Intel Xeon v5 causes GPU to hang
On GT3 and GT4 architectures, Intel Xeon v5 integrated graphics can experience problems with GPU lock-up, leading to GPU hang.
As a workaround, add the
i915.enable_rc6=0option to the kernel command line to disable the RC6 power saving state on Intel Xeon v5. (BZ#1323945)
Chapter 25. Networking
keyingtries libreswan option set to
0 is mistakenly interpreted as
The default value of
0which means 'retry forever'. Due to this bug, if a temporary problem occurs during an active negotiation, the connection will not be attempted more than once.
To work around this problem, set the
keyingtriesoption to a sufficiently large number. (BZ#1289498)
Chapter 26. Storage
Change in behavior of
lvchange --zero n
lvchange --zero ncommand is run against an active thin pool, the change will not take effect until the next time the pool is deactivated. In previous releases it took effect immediately, and this behavior will be reinstated in a future release. (BZ#1328245)
Chapter 27. System and Subscription Management
Some Italian text is missing from subscription-manager
Due to some missing translations in the subscription-manager tool, when using subscription-manager in Italian, some messages will appear in English. (BZ#1318404)
ReaR supports only grub during system recovery
ReaR supports only the grub boot loader. Consequently, ReaR cannot automatically recover a system with a different boot loader. Notably, yaboot is not yet supported by ReaR on PowerPC machines. To work around this problem, edit the boot loader manually. (BZ#1313874)
ReaR works only on the eth0 interface
ReaR produces a rescue system that does not support mounting an NFS server using an interface other than eth0. Consequently, the backup files cannot be downloaded and the system cannot be restored. To work around this problem, ensure that the used interface is eth0 by restarting dhclient. (BZ#1313417)
ReaR fails to create an ISO on IBM System z
ReaR is unable to create an ISO image on IBM System z systems. To work around this problem, use a different type of rescue system than ISO. (BZ#1309597)
ReaR creates two ISO images instead of one
In ReaR, the
OUTPUT_URLdirective enables specifying location for the ISO image containing the rescue system. Currently, with this directive set, ReaR creates two copies of the ISO image: one in the specified directory and one in the
/var/lib/rear/output/default directory. This requires additional space for the image. This is especially important if a full-system backup is included into the ISO image (using the
To work around this behavior, delete the extra ISO image once ReaR has finished working or, to avoid having a period of time with double storage consumption, create the image in the default directory and then move it to the desired location manually.
There is a request for enhancement to change this behavior and make ReaR create only one copy of the ISO image. (BZ#1320551)
Chapter 28. Virtualization
Limited CPU support for Windows 10 and Windows Server 2016 guests
On a Red Hat Enterprise 6 host, Windows 10 and Windows Server 2016 guests can only be created when using the following CPU models:
- the Intel Xeon E series
- the Intel Xeon E7 family
- Intel Xeon v2, v3, and v4
- Opteron G2, G3, G4, G5, and G6
For these CPU models, also make sure to set the CPU model of the guest to match the CPU model detected by running the
virsh capabilitiescommand on the host. Using the application default or hypervisor default prevents the guests from booting properly.
To be able to use Windows 10 guests on Legacy Intel Core 2 processors (also known as Penryn) or Intel Xeon 55xx and 75xx processor families (also known as Nehalem), add the following flag to the Domain XML file, with either Penryn or Nehalem as MODELNAME:
<cpu mode='custom' match='exact'> <model>MODELNAME</model> <feature name='erms' policy='require'/> </cpu>
Other CPU models are not supported, and both Windows 10 guests and Windows Server 2016 guests created on them are likely to become unresponsive during the boot process. (BZ#1252134)
Resizing VHDX files can take a very long time
When an ext3 file system is being used in the guest, resizing very large Microsoft Hyper-V virtual hard disk (VHDX) devices in some cases causes the VHDX file to grow to an excessive size, and thus takes significantly longer than intended. To work around this problem, use ext4 or xfs file systems, or set the following custom parameters when creating VHDX files:
- VHDX BlockSize = 1MB
These ensure that VHDX files require the expected amount of disk space, which in turn makes file system operations much faster. (BZ#1024137)
Multifunction does not work correctly when hot-plugging virtual PCI devices
Hot-plugging a new function on a virtual PCI device that has the multifunction option enabled does not correctly trigger PCI device initialization. As a consequence, the guest does not recognize the hot-plugged function, and thus cannot use it. To work around this problem, initiate a rescan of the PCI Host Bridge in the guest, for example with the following command:
# echo 1 > /sys/bus/pci/devices/0000\:00\:00.0/rescan
In the above example, replace 0000\:00\:00.0 with the correct bus:device:function combination of the device you wish to rescan.
This forces the guest device drivers to configure newly hot-plugged devices for use, and thus makes the function available. (BZ#1208430)
Soft-rebooted Windows guests cannot detect some of their bootable devices
Under certain circumstances, soft-rebooting a Windows guest (for example by using the Ctrl+Alt+Del keys) causes the guest not to detect some of its bootable devices. To work around this problem, perform a hard reboot of the guest - for example by the Shutdown button in the virt-manager interface, or by the
system_resetcommand in the QEMU monitor console. (BZ#1129549)
Using qemu-img to modify an image that is in use can corrupt the image
Opening a QEMU disk image from multiple processes at the same time, for example by attempting to take a snapshot of a QEMU image while the guest is running, in some cases corrupts the image. To avoid this problem, never use the qemu-img utility to modify images in use by a running virtual machine or any other process. In addition, be aware that querying an image that is being modified by another process may trigger an inconsistent state error. This update also adds an admonition about the mentioned problem to the qemu-img(1) man page. (BZ#1297424)
virtio-win VFD files do not contain Windows 10 drivers
Due to limitations on the floppy device file size, the virtual floppy disk (VFD) files in the virtio-win packages do not contain a Windows 10 folder. If you need to install Windows 10 drivers from a VFD, use the Windows 8 or Windows 8.1 drivers instead. Alternatively, the Windows 10 drivers can be installed from the ISO file in the
Booting virtual machines with the
smep flags on older host CPUs fails
smepCPU flags are not properly emulated on certain older CPU models, such as the early Intel Xeon E processors. As a consequence, using
smepwhen booting a Windows guest virtual machine on a host with one of the described CPUs causes the boot to fail. Similarly, using
smepwhen booting a Red Hat Enterprise Linux guest virtual machine on a host with one of the described CPUs causes the boot to fail. To work around this problem, do not use
smepif the CPU does not support them. (BZ#1371765)
Appendix A. Component Versions
This appendix is a list of components and their versions in the Red Hat Enterprise Linux 6.8 release.
Table A.1. Component Versions
QLogic ql2xxx firmware
iSCSI initiator utils
Appendix B. Revision History
|Revision 0.2-8||Thu Apr 27 2017||Lenka Špačková|
|Revision 0.2-7||Tue Mar 21 2017||Jiří Herrmann|
|Revision 0.2-6||Mon Mar 13 2017||Lenka Špačková|
|Revision 0.2-5||Fri Dec 16 2016||Lenka Špačková|
|Revision 0.2-4||Thu Oct 27 2016||Lenka Špačková|
|Revision 0.2-3||Wed Oct 25 2016||Jiri Herrmann|
|Revision 0.2-1||Wed Sep 07 2016||Lenka Špačková|
|Revision 0.2-0||Mon Aug 29 2016||Lenka Špačková|
|Revision 0.1-9||Mon Aug 01 2016||Lenka Špačková|
|Revision 0.1-8||Fri Jul 01 2016||Lenka Špačková|
|Revision 0.1-6||Wed Jun 08 2016||Lenka Špačková|
|Revision 0.1-4||Fri Jun 03 2016||Lenka Špačková|
|Revision 0.1-3||Fri May 27 2016||Lenka Špačková|
|Revision 0.1-2||Mon May 16 2016||Lenka Špačková|
|Revision 0.1-1||Thu May 12 2016||Lenka Špačková|
|Revision 0.1-0||Tue May 10 2016||Lenka Špačková|
|Revision 0.0-5||Tue Mar 15 2016||Lenka Špačková|
Copyright © 2016-2017 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.