6.8 Release Notes
Release Notes for Red Hat Enterprise Linux 6.8
Chapter 1. Overview
- libreswan, an implementation of one of the most widely supported and standardized VPN protocols, replaces openswan as the Red Hat Enterprise Linux 6 VPN endpoint solution, giving Red Hat Enterprise Linux 6 customers access to recent advances in VPN security.
Authentication and Interoperability
- Enhancements to Red Hat Identity Management include increased client-side performance as well as simplified client management through the addition of new capabilities to the System Security Services Daemon (SSSD). For example, cached authentication lookup on the client reduces the unnecessary exchange of user credentials with Active Directory servers. Also, support for adcli simplifies the management of Red Hat Enterprise Linux 6 systems interoperating with an Active Directory domain. In addition, SSSD now supports user authentication using smart cards, for both system login and related functions, such as sudo.
System and Subscription Management
- Relax-and-Recover (ReAR) is a new a system archiving utility that enables administrators to create local backups in ISO format that can be centrally archived and replicated remotely for simplified disaster recovery operations.
- An enhanced yum utility simplifies the process of locating required packages to add and enable new platform features.
- Red Hat Enterprise Linux 6.8 provides increased visibility into storage usage and performance through dmstats, a program that displays and manages I/O statistics for user-defined regions of devices using the device-mapper driver.
- The Scalable File System Add-on for Red Hat Enterprise Linux 6 now supports XFS file-system sizes up to 300 TB.
- An updated Red Hat Enterprise Linux 6.8 platform image enables customers to migrate their traditional workloads into container-based applications. The image is available in the Red Hat Container Registry and is suitable for deployment on Red Hat Enterprise Linux 7 or Red Hat Enterprise Linux Atomic Host.
Red Hat Insights
Red Hat Customer Portal Labs
Part I. New Features
Chapter 2. General Updates
Cross channel package dependency improvements
yumutility has been enhanced to prompt the end user to search disabled package repositories on the system when a package dependency error occurs. This change will allow users to quickly resolve dependency errors by first checking all known channels for the missing package dependency.
yum update yum subscription-managerprior to upgrading your machine to Red Hat Enterprise Linux 6.8.
Packages moved to the
yum updatecommand for updating these packages can lead to problems causing the update to fail. Enable the
Optionalchannel before updating the mentioned installed packages or uninstall them before updating your system.
Optionalchannel, see the relevant Knowledgebase articles on Red Hat Customer Portal: https://access.redhat.com/solutions/392003 for Red Hat Subscription Management or https://access.redhat.com/solutions/70019 if your system is registered with RHN Classic. (BZ#1300789)
Chapter 3. Authentication and Interoperability
SSSD smart card support
sudoservice. The user places the smart card into the reader and provides the user name and the smart card PIN at the login prompt. If the certificate on the smart card is verified, the user is successfully authenticated.
authlines of the
/etc/pam.d/system-authPAM configuration files. For detailed information, see the Identity Management Guide: http://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#idm-smart-cards (BZ#1270027)
Cache authentication in SSSD
The ou=sudoers,$DC part of the IdM server compatibility plug-in tree can now be disabled for better performance
sudorules in the
cn=sudorules,cn=sudo,$DCpart of the IdM server's LDAP tree instead of the
ou=sudoers,$DCcompatibility tree generated by the
slapi-nisDirectory Server plug-in.
ou=sudoers,$DCpart of the tree. This allows better performance because generating the compatibility tree using
slapi-nisis resource-intensive, especially in environments with a large number of authentication operations. (BZ#1244957)
SSSD enables UID and GID mapping on individual clients
sss_overrideutility. This client-side override possibility can resolve problems caused by UID and GID duplication or ease transition from a legacy system that previously used different ID mapping.
initgroupsoperations, which enhances the speed of
initgroupsprocessing and improves the performance of some applications, such as GlusterFS and
New packages: adcli
adcliutility allows users to manage host, user, and group objects in Active Directory (AD) from a Red Hat Enterprise Linux 6 client. The main use of the utility is joining a host to an AD domain and to renew the credentials of the host.
adcliutility is site-aware and does not require additional configuration to join an AD domain. On clients that run the SSSD service,
adclican renew the host credentials on a regular basis. (BZ#1279725)
SSSD is now able to automatically renew the host credentials of Linux clients joined to AD
SSSD can now automatically adjust ID ranges for AD clients in environments with large RIDs
SSSD now supports GPOs from different domain controllers
Support for SSLv2 has been disabled
OpenLDAP now supports TLSv1.2
TLSv1.2along with new ciphers from the TLSv1.2 suite. Additionally, the new cipher strings
SHA384have been added. With this update, the cipher string
DEFAULTselects a subset of the Network Security Services (NSS) defaults in order to be up to date with current security development. Note that the cipher string
AESGCMciphers, in order not to break the Security Strength Factor (SSF) functionality. (BZ#1300701)
nss now supports ECDSA certificates
New SSSD default values for group names
id_providerconfiguration option set to
sAMAccountName, a manual configuration change is required. For example, this might be required in situations when providing groups with the same name as users. To revert to the old behaviour, set
cnas the attribute value:
ldap_group_name = cnin the
# service sssd stop # find /var/lib/sss/ ! -type d | xargs rm -f # service sssd start
Chapter 4. Clustering
New Pacemaker features
- You can now use the
pcs resource relocate runcommand to move a resource to its preferred node, as determined by current cluster status, constraints, location of resources and other settings.
- When configuring fencing for redundant power supplies, you now are only required to define each device once and to specify that both devices are required to fence the node.
- The new
resource-discoverylocation constraint option allows you to indicate whether Pacemaker should perform resource discovery on a node for a specified resource.
- Resources will now start as soon as their state has been confirmed on all nodes and all dependencies have been satisfied, rather than waiting for the state of all resources to be confirmed. This allows for faster startup of some services, and more even startup load.
- Clone resources support a new
clone-minmetadata option, specifying that a certain number of instances must be running before any dependent resources can run. This is particularly useful for services behind a virtual IP and haproxy, as is often done with OpenStack.
Configuring the Red Hat High Availability Add-On with Pacemaker, available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Configuring_the_Red_Hat_High_Availability_Add-On_with_Pacemaker/index.html. (BZ#1290458)
Graceful migration of resources when the
pacemaker_remote service is stopped on an active Pacemaker Remote node
pacemaker_remoteservice is stopped on an active Pacemaker Remote node, the cluster will gracefully migrate resources off the node before stopping the node. Previously, Pacemaker Remote nodes were fenced when the service was stopped (including by commands such as
yum update), unless the node was first explicitly taken out of the cluster. Software upgrades and other routine maintenance procedures are now much easier to perform on Pacemaker Remote nodes.
Support for SBD fencing with Pacemaker
glocktop tool has been added to gfs2-utils
glocktoptool, which can be used to troubleshoot locking-related performance problems that concern the Global File System 2 (GFS2). (BZ#1202817)
pcs now supports exporting a cluster configuration to a list of
pcs config exportcommand can be used to export a cluster configuration to a list of
pcscommands. Also, the
pcs config import-cmancommand, which converts a CMAN cluster configuration to a Pacemaker cluster configuration, can now output a list of
pcscommands that can be used to create the Pacemaker cluster configuration file. As a result, the user can determine what commands can be used to set up a cluster based on its configuration files. (BZ#1264795)
Fence agent for APC now supports firmware 6.x
Chapter 5. Compiler and Tools
dmidecode now supports SMBIOS 3.0.0
dmidecodecan work with 64-bit structures according to SMBIOS 3.0.0 specification. (BZ#1232558)
mcelog now supports additional Intel processors
mcelogutility now supports 6th generation Intel Core processors, Intel Xeon processor E3 v5, and current Intel Pentium and Intel Celeron-branded processors. These new processors report with cpuid
mcelognow also recognizes cpuids for current Intel Atom processors (
0x5d) and Intel Xeon processor E5 v4, E7 v4, and Intel Xeon D (
python-linux-procfs rebased to version 0.4.9
- The package now contains API documentation installed in the
- Handling of space separated fields in
/proc/PID/flagshas been improved which removes parsing errors previously encountered by python-linux-procfs. (BZ#1255725)
trace-cmd rebased to version 2.2.4
- A new option
-Pis available for the
trace-cmd listcommand. Use this option to list loaded plug-in files by path.
trace-cmd reportcommand has a new option,
-t, which can be used to print full time stamps in reports. (BZ#1218670)
tcsh now supports
tcshcommand-language interpreter now supports the use of the
$tcsh_posix_statusvariables, which define the tcsh behavior in case of an error of any pipelined command. This update brings the
tcshfunctionality closer to the Red Hat Enterprise Linux 7
tcshversion. Note that these two variables have opposite logical meanings. For more information, see the tcsh(1) manual page. (BZ#1256653)
OpenJDK 8 now supports ECC
RC4 is now disabled by default in OpenJDK 6 and OpenJDK 7
SSLv3, DH keySize < 768. This can be done permanently in the
<java.home>/jre/lib/security/java.securityfile or by adding the following line:
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
-Djava.security.properties=<path to file>. (BZ#1217131)
rhino rebased to version 1.7R4
pcp rebased to version 3.10.9
openmpi rebased to version 1.10.2
- The new name of the binary package is openmpi-1.10. Its environment module name on the x86_64 architecture is openmpi-1.10-x86_64.
- To preserve compatibility with Red Hat Enterprise Linux 6.7, openmpi-1.8 is still available. Its package name is openmpi-1.8 and it keeps the environment module name ( openmpi-x86_64 on the x86_64 architecture) it had in Red Hat Enterprise Linux 6.7. (BZ#1130442)
Changes in Open MPI distribution
- openmpi-1.4 (openmpi-1.4-x86_64)
- openmpi-1.4-psm (openmpi-1.4-psm-x86_64)
- openmpi-1.5.3 (compat-openmpi-x86_64, aliased as openmpi-1.5.3-x86_64)
- openmpi-1.5.3-psm (compat-openmpi-psm-x86_64, aliased as openmpi-1.5.3-psm-x86_64)
- openmpi-1.5.4 (openmpi-1.5.4-x86_64)
- openmpi-1.8 (openmpi-x86_64, aliased as openmpi-1.8-x86_64)
yum install openmpicommand in Red Hat Enterprise Linux 6.8 installs the openmpi-1.8 package for maximum compatibility with Red Hat Enterprise Linux 6.7. A later version of Open MPI is available in the openmpi-1.10 package. (BZ#1158864)
Omping is now fully supported
elfutils rebased to version 0.164
eu-addr2lineutility introduces the following improvements:
- Input addresses are now always interpreted as hexadecimal numbers, never as octal or decimal numbers.
- A new option,
--addresses, to print address before each entry.
- A new option,
--demangle, to show demangled symbols.
- A new option,
--pretty-print, to print all information on one line.
eu-striputility is now able to:
- Handle ELF files with merged
- Handle missing
libdwlibrary introduces improvements in the following functions:
dwfl_standard_find_debuginfonow searches any subdirectory of the binary path under the debuginfo root when the separate debug file could not be found by build ID.
dwfl_linux_proc_attachcan now be called before any
Dwfl_Moduleshave been reported.
dwarf_peel_typenow also handles
DW_LANG_Haskell. Additionally, a new header file,
elfutils/known-dwarf.h, is now installed by the devel package. (BZ#1254647)
glibc now supports BIG5-HKSCS-2008
glibcsupported an earlier version of the Hong Kong Supplementary Character Set, BIG5-HKSCS-2004. The BIG5-HKSCS character set map has been updated to the HKSCS-2008 revision of the standard. This allows Red Hat Enterprise Linux customers to write applications processing text that is encoded with this version of the standard. (BZ#1211748)
installed-rpmssosreport list has been simplified to allow for optimal human readability. (BZ#1267677)
OProfile now supports 6th Generation Intel Core processors
OProfile updated to recognize the Intel Xeon Processor D-1500 product family
LLC_MISSES, may not count correctly. Check http://www.intel.com/content/www/us/en/processors/xeon/xeon-d-1500-specification-update.html for a complete list of performance events affected. (BZ#1231399)
SystemTap rebased to version 2.9
SystemTapinstrumentation system has been rebased to version 2.9. Major improvements in this update include more complete manual pages, more portable and usable netfilter probes, better support for kernel backtraces without debuginfo, better debuginfo-related diagnostics, reduced translator memory usage, and better performance of generated code. (BZ#1254648)
powerpc-utils rebased to version 1.3.0
ipmitool rebased to version 1.8.15
memtest86+ rebased to version 5.01
- Support for up to 2 TB of RAM on AMD64 and Intel 64 CPUs
- Support for new Intel and AMD CPUs, for example Intel Haswell
- Experimental SMT support up to 32 cores
New package: java-1.8.0-ibm
New option for arpwatch:
arpwatchcommand of the
arpwatchnetwork monitoring tool. This option disables promiscuous mode. (BZ#1006479)
Chapter 6. Desktop
LibreOffice rebased to version 18.104.22.168
- The possibility to print comments in page margin has been added.
- Support for nested comments has been added.
- OpenXML interoperability has been improved.
- Accessibility support has been enhanced.
- The color picker has been improved.
- The start center has been improved.
- Initial HiDPI support has been added.
- The limitation on number of characters in a paragraph has been raised considerably.
mesa now supports additional Intel 3D graphics
New Vinagre features
- The ability to connect through RDP protocol to remote Windows machines has been added.
- If requested, credentials can be stored in a keyring for RDP connections.
- Minimize button has been added to the fullscreen toolbar so that users do not need to leave fullscreen mode to minimize the whole window.
/apps/vinagre/plugins/active-pluginsGConf key is now ignored as it could cause RDP not to be loaded. (BZ#1215093)
vmwgfx now supports 3D operations under VMware Workstation 10
vmwgfxdriver has been updated to version 4.4, which enables
vmwgfxsupport for 3D operations under VMware Workstation 10. With this upgrade, the
vmwgfxdriver now allows virtualized Red Hat Enterprise Linux 6 system to work as intended on Windows workstations. (BZ#1164447)
x3270 rebased to version 3.3.15
icedtea-web rebased to version 1.6.2
- The IcedTea-Web documentation and man pages have been significantly expanded.
- IcedTea-Web now supports bash completion.
Run in Sandboxfeatures have been enhanced.
-htmlswitch has been implemented for the Java Web Start (JavaWS) framework, which can serve as a replacement of the AppletViewer program.
- It is now possible to use IcedTea-Web to create desktop and menu launchers for applets and JavaWS applications. (BZ#1275523)
Chapter 7. Directory Server in Red Hat Enterprise Linux
About Directory Server for Red Hat Enterprise Linux
Directory Server Console, are available in the
rhel-x86_64-server-6-rhdirserv-9additional subscription channel. A subscription to this channel is also required to obtain support for Red Hat Directory Server. Changes to the additional components in this channel are not described in this document.
Improved performance when deleting large quantities of multi-valued attributes
Chapter 8. File Systems
XFS runtime statistics are available per file system in the
/proc/fs/xfs/directory to the
/sys/fs/xfs/directory while maintaining compatibility with earlier versions with a symbolic link in
/proc/fs/xfs/stat. New subdirectories will be created and maintained for statistics per file system in
/sys/fs/xfs/, for example
/sys/fs/xfs/sdb8/stats. Previously, XFS runtime statistics were available only per server. Now, XFS runtime statistics are available per device. (BZ#1205640)
XFS supported file-system size has been increased
autofs option is now available
autofsoption to override the use of an IP address when mounting to a host name with multiple associated addresses has been implemented. If strict Round Robin DNS is needed, the
use_hostname_for_mountsoption enables bypassing the usual availability and proximity check, and the host name is used in mount requests regardless of whether the requests have multiple IP addresses. (BZ#1248798)
Chapter 9. Hardware Enablement
Support for Sealevel model 2803 ROHS converters from USB to serial media
Backporting of the rtlwifi driver family
Support for NCT6775 and compatible chips
Ethernet functionality added to mlx5_core
Support for O2Micro sdhci card reader model 8520
Support for solarflare devices and features
Wacom Cintiq 27QHD Device Support
Wacom Intuos PT Tablet Device Support
- PTH-650 Intuos5 touch (M)
- CTH-480 Intuos Pen & Touch (S)
- PTH-651 Intuos pro (M) (BZ#1252898)
Support for the Realtek 5229 card reader
Support for the AMD GX-212JC processor
ppc64-diag rebased to version 2.7.0
- Several security-related issues have been fixed, such as memory leaks, buffer overflows, and replacing the
- Diagnostics support for the
5887 disk drive enclosurehas been added
- PCI Host Bridge (PHB) hot-plugging support has been added for PowerKVM guests (BZ#1252717)
librtas rebased to version 1.4.0
libofdtlibrary has been decommissioned from the librtas package. (BZ#1252716)
lsvpd rebased to version 1.7.6
lsmcodeutility adds support for OpenPower system. (BZ#1148150)
servicelog rebased to version 1.1.13
iprutils rebased to version 22.214.171.124
rpm -e --noscripts iprutils
Chapter 10. Installation and Booting
Using an HTTPS source for kickstart files is now supported
Increased debug logging for
NetworkManagerutility has been increased to make debugging the installation process easier. (BZ#831777)
Automatic network device configuration using 802.1q VLAN tags from the iBFT
Chapter 11. Kernel
The /proc/pid/cmdline file length is now unlimited
/proc/pid/cmdlinefile length limit for the
pscommand was previously hard-coded in the kernel to 4096 characters. This update makes sure the length of
/proc/pid/cmdlineis unlimited, which is especially useful for listing processes with long command line arguments. (BZ#1100069)
Support for LSO and LRO
ipr rebased to version 2.6.3
iprdriver has been upgraded to upstream version 2.6.3, which provides a number of enhancements and bug fixes over the previous version. Namely, the update enables new SAS VRAID adapters on IBM Power Systems and includes recent performance improvements. As a result, the update improves disk performance and supports recent adapters on IBM Power Systems. (BZ#1252713)
ixgbe rebased to version 4.2.1
ixgbeNIC driver has been upgraded to upstream version 4.2.1, which provides a number of bug fixes and enhancements over the previous version. Notably:
- Null pointer crashes related to VLAN support have been fixed.
- Two more devices from the Intel X550 Ethernet controller family are now supported: IDs 15AC and 15AD have been added.
- Several PHY-related problems have been addressed: link disruptions and link flapping.
- Added PHY-related support for Intel X550.
- Performance has been improved. (BZ#1249244)
L2 cache information is gathered using the CPUID instruction
bnx2 rebased to version 2.2.6
bnx2NIC driver has been upgraded to upstream version 2.2.6, which provides a number of bug fixes and enhancements over the previous version. Notably:
- Bandwidth allocation for some MF modes has been fixed.
- Toggling of
rxvlancan now be disabled.
- A chip initialization bug has been fixed.
- Inconsistent use of page sizes has been fixed. (BZ#1252124)
e100 rebased to version 3.5.24-k2-NAPI
e1000e rebased to version 3.2.6-k
MLDv1 and MLDv2 snooping added to bridge
perf has been updated
perfhas been updated. Notable enhancements include:
- Added support for additional model numbers of 5th Generation Intel Core i7 processors.
- Added support for Intel Xeon v5 mobile and desktop processors.
- Enabled support for the uncore subsystem for Intel Xeon v3 and v4 processors.
- Enabled support for the uncore subsystem for Intel Xeon Processor D-1500. (BZ#1216217)
EDAC support for Intel Xeon v4
Crash dump performance enhancements
makedumpfileby making use of mmap() to remove empty and unneeded pages. (BZ#1097904)
Interval Tree Support for Intel Xeon v3 and v4 core processors with Gen graphics
CPU microcode update for Intel processors
Minimal support for secondary endpoints with nf_conntrack_proto_sctp
The sch_qfq scheduler now supports QFQ+
sch_qfqscheduler now supports the Quick Fair Queuing Plus (QFQ+) algorithm, which improves the scheduler's efficiency and accuracy. At the same time, a number of bug fixes have been applied to further improve the behavior of
sch_qfqunder various conditions. (BZ#1152235)
Tracking and capturing I/O statistics for the tape driver is available
/sys/class/scsi_tape/tree with custom tools. (BZ#875277)
mpt2sas and mpt3sas merged
mpt3sasdrivers have been merged. Unlike in upstream, Red Hat Enterprise Linux 6 continues to maintain two binary drivers for compatibility reasons. (BZ#717090)
Firmware-assisted Crash Dumping
Setting an SELinux context label for a block device
udev. The system administrator can set a new option to give a label to a newly created device node as follows:
New packages: libevdev
libevdevpackages have been added to Red Hat Enterprise Linux 6.8. These packages contain a library to wrap kernel evdev devices and provide a proper API to interact with these devices. (BZ#1250806)
lpfc driver update
link downstate, and an error message is logged to the log file.
3176 Misconfigured Physical Port - Port Name [wwpn] Unknown event status [status]
Chapter 12. Networking
NetworkManager-openswan now supports libreswan
New package: chrony
chronyis a versatile implementation of the Network Time Protocol (NTP), which can usually synchronize the system clock with a better accuracy than the
ntpddaemon from the ntp package. It can be also used with the
timemasterservice from the linuxptp package to synchronize the clock to Precision Time Protocol (PTP) domains with sub-microsecond accuracy if hardware timestamping is available, and provide a fallback to other PTP domains or NTP sources. (BZ#1274811)
New packages: ldns
wpa_supplicant can now send logs into the syslog
wpa_supplicantcould only save log messages into the
/var/log/wpa_supplicant.logfile. This update adds the capability to save log messages into the system log, allowing you to use additional features provided by syslog such as remote logging.
/etc/sysconfig/wpa_supplicantconfiguration file. (BZ#822128)
Enhancements in system-config-network
Network Configurationtool (the system-config-network package) has received multiple user interface improvements in this release. Notable enhancements include additional fields for the
ONBOOTsettings and an added
Deletebutton in the list of interfaces. (BZ#1214729)
New packages: unbound
nm-connection-editor now allows a higher range of VLAN ids
nm-connection-editor. The new allowed range is between 0 and 4095. (BZ#1258218)
NetworkManager supports locking Wi-Fi network connections to a specific radio frequency band
NetworkManagernow allows you to specify a certain frequency band such for a Wi-Fi connection. To lock a connection to a certain band, use the new
BAND=option in the connection configuration file in the
/etc/sysconfig/network-scripts/directory. Values for this option are based on the IEEE 802.11 protocol specifications; to specify the 2.4 GHz band, use
BAND=bg, and to specify the 5 GHz band, use
NetworkManager now supports iBFT
NetworkManager. This plug-in ensures that initial network configuration for hosts booting from iSCSI in a VLAN is correct. (BZ#1198325)
Chapter 13. Security
TLS 1.2 support added to basic system components
Postfixhave been modified to support the 1.2 version of the TLS protocol. This is to ensure that the tools are not vulnerable to security exploits that exist for older versions of the protocol. (BZ#1253743)
NSS now enables the TLS version 1.2 protocol by default
pycurl now provides options to require TLSv1.1 or 1.2
pycurlhas been enhanced to support options that make it possible to require the use of the 1.1 or 1.2 versions of the TLS protocol, which improves the security of communication. (BZ#1260406)
cURL module now supports TLS 1.1 and TLS 1.2
curllibrary, has been added to the PHP
openswan deprecated in favor of
libreswanis a more stable and secure VPN solution for Red Hat Enterprise Linux 6.
libreswanis already available as the VPN endpoint solution for Red Hat Enterprise Linux 7.
openswanwill be replaced by
libreswanduring system upgrade. See https://access.redhat.com/articles/2089191 for instructions on how to migrate from
libreswan, use the
yumto exclude libreswan:
yum install openswan -x libreswan. (BZ#1266222)
SELinux support added for GlusterFS
shadow-utils rebased to version 126.96.36.199
--rootoption of the respective tools. (BZ#1257643)
audit rebased to version 2.4.5
auditsubsystem in the Linux kernel, has been rebased to version 2.4.5. This update includes enhanced event interpretation facilities that provide more system-call names and arguments to make the understanding of events easier.
auditdrecords events to disk. If you are using either
syncmodes for the
auditd.conf, you will see a performance decrease in
auditd'sability to log events. This is because it was previously not properly informing the kernel that full synchronous writes should be used. This was corrected, which has improved the reliability of the operation, but this has come at the expense of performance. If the performance drop is not tolerable, the
flushsetting should be changed to
freqsetting will control how often
auditdinstructs the kernel to synchronize all records to disk. A
100should give good performance while making sure that new records are flushed to disk periodically. (BZ#1257650)
LWP now supports host name and certificate verification
LWP::UserAgentPerl module to verify the identity of HTTPS servers. To enable the verification, make sure the
IO::Socket::SSLPerl module is installed and the
PERL_LWP_SSL_VERIFY_HOSTNAMEenvironment variable set to
1or that the application is modified to set the
ssl_optsoption correctly. See
LWP::UserAgentPOD for more details. (BZ#745800)
Net:SSLeay now supports elliptic curve parameters
Net:SSLeaymodule, which contains bindings to the OpenSSL library. Namely, the
OBJ_txt2nid()subroutines have been ported from upstream. This is required for the support of the Elliptic Curve Diffie–Hellman Exchange (ECDHE) key exchange in the
IO::Socket::SSLPerl module. (BZ#1044401)
IO::Socket::SSL now supports ECDHE
IO::Socket::SSLPerl module. The new
SSL_ecdh_curveoption can be used for specifying a suitable curve by the Object Identifier (OID) or Name Identifier (NID). As a result, it is now possible to override the default elliptic curve parameters when implementing a TLS client using
openscap rebased to version 1.2.8
oscap-vm, for scanning over SSH and scanning of inactive virtual systems respectively, native support for bz2 archives, and a modern interface for HTML reports and guides. (BZ#1259037)
scap-workbench rebased to version 1.1.1
scap-security-guide rebased to version 0.1.28
Support for SSLv3 and RC4 disabled in
luci, the web-based high availability administration application. By default, only TLSv1.0 and higher protocol versions are allowed, and the digest algorithm used for self-managed certificates has been updated to SHA256. It is possible to re-enable SSLv3 (by uncommenting the
allow_insecureoptions in relevant sections of the
/etc/sysconfig/luciconfiguration file), but that is only for unlikely and unpredictable cases and should be used with extreme caution.
allow_insecure): the path to the certificate pair and the cipher list. These settings can be used either globally, or independently for both secure channels (HTTPS web UI access and connection with
Chapter 14. Servers and Services
mod_nss now supports server-side SNI
Non-root user support in
mod_rewritemodule provided with the Apache HTTP Server now supports running external mapping programs as a non-root user. This reduces security risk from using
mod_rewritemapping because a non-privileged process can be used. (BZ#1035230)
tomcat6 now supports disableURLRewriting
disableURLRewritingattribute to the Tomcat 6 servlet container. The attribute allows to disable support for using URL rewriting to track session IDs for specific contexts. (BZ#1221877)
Logging capabilities of the
tftp server have been enhanced
file not foundmessage is provided in case of a failure. (BZ#917817)
Squid can log IP addresses and ports of remote hosts
Squidcaching and forwarding web proxy had the ability to log the URL, which included the host name. However,
Squidcould not log the IP address of the destination server. This update enables
Squidto log IP addresses and ports of remote hosts, which is especially useful when dealing with hosts that have multiple IP addresses. (BZ#848124)
new ignore-client-uids option
ignore-client-uids, add the following line to the
Tuned profile optimized for Oracle database servers has been included
Tunedprofile, which is specifically optimized for the Oracle databases load, is now available. The new profile is delivered in the tuned-profiles-oracle subpackage, so that other related profiles can be added in the future. The
oracleprofile is based on the
enterprise-storageprofile, but modifies kernel parameters based on Oracle database requirements and turns transparent huge pages off. (BZ#1196294)
New package: squid34
- Helper protocol extensions
- SSL Server Certificate Validator
- TPROXY Support for OpenBSD 5.1 and later, and FreeBSD 9 and later
- Transaction Annotations
- Multicast DNS (BZ#1265328)
The BIND server now supports CAA records
LocalPort keywords are now supported for
Match conditions in
sshd_config, without the need to run several services with different configuration files. (BZ#1211673)
Support for disabling selected GSSAPI key exchange algorithms
gss-group1-sha1algorithm is not considered secure anymore. Previously, there was no possibility to disable this single key exchange method. With this update, the administrator can disable this or other selected algorithms used by GSSAPI key exchange in
authorized_keys_command option in
sudorules across multiple systems might require to list SSH keys from LDAP, which was previously not possible. With this update, you can set up
pam_ssh_agent_authto get the authorized keys from LDAP or a different service easily. The feature has been backported from the upstream version. (BZ#1299555)
Chapter 15. Storage
multipath utility can now save data between prioritizer calls
Asynchronous checkers can use the multipath checker_timeout option
checker_timeoutoption in the
multipath.conffile to determine when to stop waiting for a response from the array and fail the non-responsive path. This behavior for asynchronous checkers can be configured in the same way as for synchronous checkers. (BZ#1153704)
nfsidmap -d option added
nfsidmap -doption has been added to display the system's effective NFSv4 domain name on stdout. (BZ#948680)
Configurable connection timeout for mounted CIFS shares
echo_interval=nmount option, where n is the echo interval in seconds. (BZ#1234960)
Support for device-mapper statistics facility (
dmstatsprogram displays and manages I/O statistics for user-defined regions of devices that use the device-mapper driver. The
dmstatsprogram provides a similar functionality to the
iostatsprogram, but at levels of finer granularity than a whole device. For information on the
dmstatsprogram, see the
dmstats(8) man page. (BZ#1267664)
Support for raw format mode in multipathd formatted output commands
rawformat mode that removes the headers and additional padding between fields. Support for additional format wildcards has been added as well. Raw format mode makes it easer to collect and parse information about multipath devices, particularly for use in scripting. For information on raw format mode, see the
DM MultipathGuide. (BZ#1145442)
Chapter 16. System and Subscription Management
search-disabled-repos plug-in for
yumhas been added to the subscription-manager packages. This plug-in allows users to successfully complete
yumoperations that fail due to the source repository being dependent on a disabled repository. When
search-disabled-reposis installed in the described scenario,
yumdisplays instructions to temporarily enable repositories that are currently disabled and to search for missing dependencies.
notify_onlybehavior in the
yumoperations will prompt you to temporarily or permanently enable all the disabled repositories needed to fulfill the
Easier troubleshooting with
yumutility is now able to identify certain frequently occurring errors and provides a link to a relevant Red Hat Knowledgebase article. This helps users identify typical problems and address their cause. (BZ#1248686)
New package: rear
Relax-and-Recover(rear) is a recovery and system migration utility. Written in
bash, it allows you to use tools already present on your system to continuously create recovery images which can be saved locally or on a remote server, and to use these images to easily restore the system in case of software or hardware failure. The tool also supports integration with various external tools such as backup solutions (
IBM TSM, etc.) and monitoring systems (
iostat now supports separate statistics for
iostattool now supports separate statistics for
r_await(average time for read requests issued to the device to be served) and
w_await(average time for write requests issued to the device to be served) in the Device Utilization Report. Use the
-xoption to obtain a report which includes this information. (BZ#1185057)
TLS 1.1 and 1.2 are now enabled by default in
libcurl. Users were required to explicitly enable these TLS versions in utilities based on
libcurlin order to allow these utilities to securely communicate with servers that do not accept SSL 3.0 and TLS 1.0 connections. With this update, TLS 1.1 and TLS 1.2 are no longer disabled by default in
libcurl. You can, however, explicitly disable them using the libcurl API. (BZ#1289205)
libcurl can now connect to SCP and SFTP servers through a HTTP proxy
libcurlhave been enhanced and now support tunneling through HTTP proxies. (BZ#1258566)
abrt can now exclude specific programs from being dumped
abrtdid not prevent it from creating their core dumps - the dumps were still written to disk and then deleted. This approach allowed
abrtto notify system administrators of a crash while not using disk space to store unneeded crash dumps. However, creating these dumps only to delete them later was unnecessarily wasting system resources. This update introduces a new configuration option
/etc/abrt/plugins/CCpp.confconfiguration file, which allows you to specify a comma-separated list of file system path globs which will not be dumped at all. (BZ#1208713)
User and group whitelisting added to
abrtallowed all users to generate and collect core dumps, which could potentially enable any user to maliciously generate a large number of core dumps and waste system resources. This update adds a whitelisting functionality to
abrt, and you can now only allow specific users or groups to generate core dumps. Use the new
AllowedUsers = user1, user2, ...and
AllowedGroups = group1, group2, ...options in the
/etc/abrt/plugins/CCpp.confconfiguration file to restrict core dump generation and collection to these users or groups, or leave these options empty to configure
abrtto process core dumps for all users and groups. (BZ#1256705)
libvpd rebased to version 2.2.5
- Improved error handling
- Security improvements such as fixing a potential buffer overflow and memory allocation validation (BZ#1148140)
libservicelog rebased to version 1.1.15
sysctl configuration files can now contain longer lines
sysctlconfiguration files could only contain lines up to 255 characters long. With this update, the maximum acceptable line length has been increased to 4095 characters. (BZ#1201024)
ps can now display thread cgroups
thcgr, which can be used to display the cgroup of each listed thread. (BZ#1284076)
reporter-upload now allows configuring optional SSH keys
reporter-uploadtool, which is used by
abrtto submit collected problem data, now allows you to use optional SSH key files. You can specify a key file using one of the following ways:
SSHPrivateKeyoptions in the
-rcommand line options for the public and private key, respectively.
- Setting the
Upload_SSHPrivateKeyenvironment variables, respectively.
reporter-uploadwill attempt to use the default SSH key from the user's
Chapter 17. Virtualization
Support for Hyper-V storage with 4096-byte sectors
Red Hat Enterprise Linux guests now support reporting kernel crashes on Hyper-V
18590event. The event contains the relative instruction pointer (RIP) and 4 basic CPU registers. (BZ#1229904)
Hyper-V guests now support TRIM
Hyper-V guests now support Windows 10 protocol
Setting the account password is now possible for any guest user
guest-set-user-passwordcommand has been introduced for the QEMU guest agent. This allows setting the account password for any guest user, including the root, when using QEMU and KVM. (BZ#1174181)
virtio-win support for Windows 10
Red Hat Enterprise Linux 6 Hyper-V Generation 2 guests fully supported
New package: WALinuxAgent
virt-who rebased to version 0.16-7
virt-whoqueries of the Hyper-V hypervisor have been extended to include the capacity (socket counts so that the subscription applied to the hypervisor can be evaluated), name, and type to be displayed in the SMS inventory to make it easier for the user to identify the system.
VIRTWHO_INTERVAL=, has been extended to 1 minute to prevent from failures in communication with Subscription-Manager.
virt-whonow supports connecting Red Hat Enterprise Virtualization Manager (RHEV-M) and the Hyper-V hypervisor through proxy.
virt-whonow allows filtering for hosts that are sent by
virt-whoto Red Hat Subscription-Manager.
virt-whois able to report which virtual guests of virtual machines are active on all known hypervisors. (BZ#1258765)
Chapter 18. Red Hat Software Collections
sclutility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the
sclutility, users can choose which package version they want to run at any time.
Part II. Known Issues
Chapter 19. General Updates
resource-agents-sap-hana shipped in an incorrect channel
rpm -ecommand. (BZ#1334776)
Incorrect information about the expected default settings of services in Red Hat Enterprise Linux 7
initscriptsprovides incorrect information about the expected default settings of the services in Red Hat Enterprise Linux 7 according to the
/usr/lib/systemd/system-preset/90-default.presetfile in Red Hat Enterprise Linux 7 and according to the current settings of the Red Hat Enterprise Linux 6 system. In addition, the module does not check the default settings of the system but only the settings for the runlevel used during the processing of the check script, which might not be the default runlevel of the system. As a consequence,
initscriptsare not handled in the anticipated way and the new system needs more manual action than expected. However, the user is informed about the settings that will be chosen for relevant services, despite the presumable default settings. (BZ#1366671)
The default value of
first_valid_uid in Dovecot has changed in Red Hat Enterprise Linux 7
first_valid_uidconfiguration option of Dovecot has changed from
500in Red Hat Enterprise Linux 6 to
1000in Red Hat Enterprise Linux 7. Consequently, if a Red Hat Enterprise Linux 6 installation does not have
first_valid_uidexplicitly defined, the
Dovecotconfiguration will not allow users with UID less than
1000to log in after the update to Red Hat Enterprise Linux 7.
500after the upgrade in the
/etc/dovecot/conf.d/10-mail.conffile. Note that only installations where
first_valid_uidis not explicitly defined are affected by this problem. (BZ#1388967)
Chapter 20. Authentication and Interoperability
Do not use SELinux in enforcing mode when sharing the root directory
samba_share_twhen SELinux is in enforcing mode. However, when sharing the whole root directory of the system by using the
path = /configuration in the
/etc/samba/smb.conffile, labeling the root directory as
samba_share_tcauses critical system malfunctions.
samba_share_tlabel. Therefore, do not use SELinux in enforcing mode when sharing the root directory using Samba. (BZ#1320172)
SSSD does not support the LDAP externalUser attribute
externalUserLDAP attribute of the Identity Management (IdM) schema. In consequence, the assignment of
sudorules to local accounts, such as by using the
/etc/passwdfile, fails. The problem affects only accounts outside of the IdM domains and Active Directory (AD) trusted domains.
sudosearch base as follows in the
[domain]section of the
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
SSSD incorrectly creates local overrides in an AD environment
sss_overridetool creates case-insensitive distinguished names (DN) when the
id_provideroption is set to
/etc/sssd/sssd.conffile. However, the DNs in the SSSD cache are stored case-sensitive. As a consequence, local overrides are not created for users from the Active Directory (AD) subdomain or for users with mixed-case account names. (BZ#1327272)
sssd_be does not terminate forked child processes
id_provideroption is set to
/etc/sssd/sssd.conffile, a helper process inside
sssd_beprocesses sometimes fails. In consequence, the process is spawning new
sssd_beinstances, which consume additional memory. To work around this problem, install the adcli package and restart the
SSSD fails to manage sudo rules from the IdM LDAP tree
/etc/sssd/sssd.conffile to set your domain to use the
[domain/EXAMPLE] ... ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
compattree and you will be able to assign rules to non-POSIX groups.
The HP keyboard KUS1206 does not handle smart cards correctly and can become unresponsive
- The keyboard detects smart cards inconsistently.
- When the user logs in to the system with a password and the smart card is not inserted, the following message appears continuously in the
pcscd: commands.c:957:CmdGetSlotStatus Card absent or mute
- The keyboard sometimes becomes unresponsive.
Chapter 21. Compiler and Tools
LVM2 detection on FCoE storage and mounting of file systems specified in
/etc/fstab on FCoE storage can fail
fcoeinit scripts cannot determine what devices can be assigned through the FCoE storage fabric, and therefore whether the startup process needs to wait for device discovery. Consequently, logical volume (LVM2) detection on FCoE attached storage and mounting of file systems specified in
/etc/fstabon FCoE storage can fail during system startup due to an incomplete FCoE device discovery.
/dev/disk/by-path/fc-*symbolic links as the specified block special device in
/etc/fstabalong with the
_netdevmount option. The
fcoeinit script waits longer for the specified devices to attach.
MINIMUM_WAIToption in the
/etc/fcoe/configfile in such cases.
MINIMUM_WAITis 0. Set the value to the number of seconds you want the
fcoeinit script to delay allowing device discovery to complete. Using
MINIMUM_WAITadds time to the system boot process, but could be necessary to allow block devices to be present before LVM2 and file system mounting scripts are run. (BZ#980961)
Chapter 22. Desktop
Using Radeon or Nouveau can cause incorrectly rendered graphics
WrappedFBoption to the
xorg.conffile as follows:
Section "Device" Identifier "nouveau-device" Driver "nouveau" Option "WrappedFB" "true" EndSection
Chapter 23. Installation and Booting
BFS installation fails on VV when automatic LVM partitioning is selected
Volume group "VolGroup" has insufficient free space.
--nocore option in the
%packages section of a kickstart file may result in a broken system
--nocoreoption is used in the
%packagessection of a kickstart file, core system packages and libraries will not be installed, which may result in the system being unable to perform essential tasks such as user creation, and may render the system unusable. To avoid this problem, do not use
The zipl boot loader requires target information in each section
zipltool manually from a command line using a section name as a parameter, the tool was previously using the target defined in the default section of the
/etc/zipl.conffile. In the current version of
ziplthe default sections' target is not being used automatically, resulting in an error.
/etc/zipl.confconfiguration file and copy the line starting with
target=from the default section to every section. (BZ#1203627)
The installer displays the number of multipath devices and number of multipath devices selected incorrectly
The installer displays the amount of disk space within multipath devices incorrectly
Chapter 24. Kernel
e1000e cards might not get an IPv4 address
System freeze when loading Intel Skylake integrated graphics cards
nomodesetparameter to the kernel command line, which instructs the kernel to not load Intel Skylake integrated graphics driver and use BIOS modes instead. (BZ#1309875)
ecb fails when dracut is not upgraded
ecbmodule to work.
ecbkernel module is needed by the
drbgkernel module when using the AES implementation on non-x86 architectures. Otherwise, the
drbgAES implementation fails with a warning message while other
drbgmodules still work. (BZ#1315832)
kernel panic in xfrm6 stack
Intel Xeon v5 causes GPU to hang
i915.enable_rc6=0option to the kernel command line to disable the RC6 power saving state on Intel Xeon v5. (BZ#1323945)
Chapter 25. Networking
keyingtries libreswan option set to
0 is mistakenly interpreted as
0which means 'retry forever'. Due to this bug, if a temporary problem occurs during an active negotiation, the connection will not be attempted more than once.
keyingtriesoption to a sufficiently large number. (BZ#1289498)
Chapter 26. Storage
Change in behavior of
lvchange --zero n
lvchange --zero ncommand is run against an active thin pool, the change will not take effect until the next time the pool is deactivated. In previous releases it took effect immediately, and this behavior will be reinstated in a future release. (BZ#1328245)
Chapter 27. System and Subscription Management
Some Italian text is missing from subscription-manager
ReaR supports only grub during system recovery
ReaR works only on the eth0 interface
ReaR fails to create an ISO on IBM System z
ReaR creates two ISO images instead of one
OUTPUT_URLdirective enables specifying location for the ISO image containing the rescue system. Currently, with this directive set, ReaR creates two copies of the ISO image: one in the specified directory and one in the
/var/lib/rear/output/default directory. This requires additional space for the image. This is especially important if a full-system backup is included into the ISO image (using the
Chapter 28. Virtualization
Limited CPU support for Windows 10 and Windows Server 2016 guests
- the Intel Xeon E series
- the Intel Xeon E7 family
- Intel Xeon v2, v3, and v4
- Opteron G2, G3, G4, G5, and G6
virsh capabilitiescommand on the host. Using the application default or hypervisor default prevents the guests from booting properly.
<cpu mode='custom' match='exact'> <model>MODELNAME</model> <feature name='erms' policy='require'/> </cpu>
Resizing VHDX files can take a very long time
- VHDX BlockSize = 1MB
Multifunction does not work correctly when hot-plugging virtual PCI devices
# echo 1 > /sys/bus/pci/devices/0000\:00\:00.0/rescan
Soft-rebooted Windows guests cannot detect some of their bootable devices
system_resetcommand in the QEMU monitor console. (BZ#1129549)
Using qemu-img to modify an image that is in use can corrupt the image
virtio-win VFD files do not contain Windows 10 drivers
Booting virtual machines with the
smep flags on older host CPUs fails
smepCPU flags are not properly emulated on certain older CPU models, such as the early Intel Xeon E processors. As a consequence, using
smepwhen booting a Windows guest virtual machine on a host with one of the described CPUs causes the boot to fail. Similarly, using
smepwhen booting a Red Hat Enterprise Linux guest virtual machine on a host with one of the described CPUs causes the boot to fail. To work around this problem, do not use
smepif the CPU does not support them. (BZ#1371765)
Appendix A. Component Versions
Table A.1. Component Versions
QLogic ql2xxx firmware
iSCSI initiator utils
Appendix B. Revision History
|Revision 0.2-8||Thu Apr 27 2017|
|Revision 0.2-7||Tue Mar 21 2017|
|Revision 0.2-6||Mon Mar 13 2017|
|Revision 0.2-5||Fri Dec 16 2016|
|Revision 0.2-4||Thu Oct 27 2016|
|Revision 0.2-3||Wed Oct 25 2016|
|Revision 0.2-1||Wed Sep 07 2016|
|Revision 0.2-0||Mon Aug 29 2016|
|Revision 0.1-9||Mon Aug 01 2016|
|Revision 0.1-8||Fri Jul 01 2016|
|Revision 0.1-6||Wed Jun 08 2016|
|Revision 0.1-4||Fri Jun 03 2016|
|Revision 0.1-3||Fri May 27 2016|
|Revision 0.1-2||Mon May 16 2016|
|Revision 0.1-1||Thu May 12 2016|
|Revision 0.1-0||Tue May 10 2016|
|Revision 0.0-5||Tue Mar 15 2016|