6.9 Release Notes
Red Hat Enterprise Linux 6.9
Release Notes for Red Hat Enterprise Linux 6.9
The Release Notes provide high-level coverage of the improvements and additions that have been implemented in Red Hat Enterprise Linux 6.9 and document known problems in this release. For information about notable bug fixes, Technology Previews, deprecated functionality, and other details, refer to the Technical Notes.
Red Hat Enterprise Linux minor releases are an aggregation of individual enhancement, security, and bug fix errata. The Red Hat Enterprise Linux 6.9 Release Notes document describes the major changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications for this minor release, as well as known problems. The Technical Notes document provides a list of notable bug fixes, all currently available Technology Previews, deprecated functionality, and other information.
Capabilities and limits of Red Hat Enterprise Linux 6 as compared to other versions of the system are available in the Red Hat Knowledgebase article available at https://access.redhat.com/articles/rhel-limits.
For information regarding the Red Hat Enterprise Linux life cycle, refer to https://access.redhat.com/support/policy/updates/errata/.
Chapter 1. Overview
Product Life Cycle Note
Red Hat Enterprise Linux 6 is now in the Maintenance Support 2 phase of the product life cycle. New functionality and new hardware enablement are not planned for availability in this phase. Red Hat Enterprise Linux 6.9 therefore provides a stable release focused on bug fixes. Subsequent updates will be limited to qualified critical security fixes and business-impacting urgent issues. Please refer to Red Hat Enterprise Linux Life Cycle for more information.
As Red Hat Enterprise Linux subscriptions are not tied to a particular release, existing customers can update their Red Hat Enterprise Linux 6 infrastructure to Red Hat Enterprise Linux 7 at any time, free of charge, to take advantage of recent upstream innovations. To simplify the upgrade to Red Hat Enterprise Linux 7, Red Hat provides the Preupgrade Assistant and Red Hat Upgrade Tool. For more information, see Chapter 2, General Updates.
- With the addition of TLS protocol version 1.2 support to the GnuTLS component, Red Hat Enterprise Linux 6 offers complete support for TLS 1.2 in the provided security libraries. TLS 1.2 is recommended by modern security standards such as PCI-DSS 3.1. For more information, see Chapter 11, Security.
- OpenSCAP 1.2.13 has been certified by the National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) 1.2 in the Authenticated Configuration Scanner category with the Common Vulnerabilities and Exposure (CVE) option. For details, see Chapter 11, Security.
- Cryptographic protocols and algorithms that are considered insecure, such as MD5, SHA0, RC4, or DH shorter than 1024 bits, have been deprecated. In addition, support for EXPORT cipher suites has been removed. For details, see the Red Hat Enterprise Linux 6.9 Technical Notes.
Red Hat Insights
Since Red Hat Enterprise Linux 6.7, the Red Hat Insights service is available. Red Hat Insights is a proactive service designed to enable you to identify, examine, and resolve known technical issues before they affect your deployment. Insights leverages the combined knowledge of Red Hat Support Engineers, documented solutions, and resolved issues to deliver relevant, actionable information to system administrators.
The service is hosted and delivered through the customer portal at https://access.redhat.com/insights/ or through Red Hat Satellite. To register your systems, follow the Getting Started Guide for Insights. For further information, data security and limits, refer to https://access.redhat.com/insights/splash/.
Red Hat Customer Portal Labs
Red Hat Customer Portal Labs is a set of tools in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify security problems, and quickly deploy and configure complex applications. Some of the most popular applications are, for example:
Part I. New Features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 6.9.
Chapter 2. General Updates
In-place upgrade from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7
An in-place upgrade offers a way of upgrading a system to a new major release of Red Hat Enterprise Linux by replacing the existing operating system. To perform an in-place upgrade, use the Preupgrade Assistant, a utility that checks the system for upgrade issues before running the actual upgrade, and that also provides additional scripts for the Red Hat Upgrade Tool. When you have solved all the problems reported by the Preupgrade Assistant, use the Red Hat Upgrade Tool to upgrade the system.
For details regarding procedures and supported scenarios, see the Migration Planning Guide and the solution document dedicated to the upgrade.
Note that the Preupgrade Assistant and the Red Hat Upgrade Tool are available in the Extras channel.
preupgrade-assistant rebased to version 2.3.3
The preupgrade-assistant packages have been upgraded to version 2.3.3, which provides a number of bug fixes, enhancements, and other changes over the previous version. Notably:
- A new preupg-diff tool has been added, which compares multiple Preupgrade Assistant XML reports: one new with unidentified problems and other reports with already analyzed problems. The tool helps to find issues that emerged in the new report by filtering out results that are the same in the new report and in at least one of the analyzed XML files. The output of the trimmed report is available in the XML and HTML format.
- Two new return codes have been added:
internal error, and
- The meaning of the return code 22 has been changed to invalid CLI option.
- The STDOUT and STDERR output in the assessment report of the Preupgrade Assistant have been separated into two fields: Additional output for STDOUT and
- The python module to be imported by the Preupgrade Assistant modules written in Python has been renamed from
preupg. Additionally, the preup_ui_manage executable has been renamed to
- The exit_unknown function and the $RESULT_UNKNOWN variable have been removed. Instead of the unknown result, set the error result by using the
- The set_component module API function has been removed.
Preupgrade Assistant enables blacklisting to improve performance
Preupgrade Assistant now supports creation of a blacklist file, which makes it possible to skip all executable files on a path with a listed prefix. Users can activate this functionality in the /etc/preupgrade-assistant.conf file by setting the exclude_file value to the blacklist file name in the xccdf_preupg_rule_system_BinariesRebuild_check section. For example:
Each line of the blacklist file contains a path prefix of executable files to be excluded. Previously, significant performance problems occurred when a large partition was mounted and the RHEL6_7/system/BinariesRebuild module checked numerous files on a list of executables. Now, users can filter out unimportant executable files and thus reduce the time the module consumes. Note that this feature is expected to be changed in the future. (BZ#1392018)
Key file names unified in Preupgrade Assistant modules
Previously, each module in Preupgrade Assistant used different file names for certain required files, which made testing and orientation complicated. With this update, the key file names have been unified to module.ini (the metadata INI file), check (the check script), and solution.txt (a solution text) in each of the modules. Additionally, multiple rules (module IDs) have been renamed to conform with this change, so each rule now contains the unified _check suffix, for example, in the
A new RHDS module to check a possibility of an in-place upgrade of an RHDS system
This update introduces a new Red Hat Directory Server (RHDS) module, which checks for relevant installed RHDS packages and gives users information about the possibility of an in-place upgrade of the RHDS system. As a result, if the relevant packages are installed, and the basic directory instance has been configured, the module creates a backup of the configuration files and prints information about them. (BZ#1406464)
cloud-init moved to the Base channel
As of Red Hat Enterprise Linux 6.9, the cloud-init package and its dependencies have been moved from the Red Hat Common channel to the Base channel.
Cloud-init is a tool that handles early initialization of a system using metadata provided by the environment. It is typically used to configure servers booting in a cloud environment, such as OpenStack or Amazon Web Services. Note that the cloud-init package has not been updated since the latest version provided through the Red Hat Common channel. (BZ#1421281)
Chapter 3. Authentication and Interoperability
SSSD now enables the administrator to select which domains from the AD forest can be contacted
In some environments, only a subset of domains in a joined Active Directory (AD) forest can be reached. Attempting to contact an unreachable domain might cause unwanted timeouts or switch the System Security Services Daemon (SSSD) to offline mode.
To prevent this, the administrator can now configure a list of domains to which SSSD connects by setting the ad_enabled_domains option in the /etc/sssd/sssd.conf file. For details, see the sssd-ad(5) man page. (BZ#1324428)
SSSD now enables selecting a list of PAM services that will not receive any environmental variables from
In some cases, it is not desirable to propagate environment variables set by the pam_sss Pluggable Authentication Module (PAM). For example, when using the sudo -i command, users might want to transfer the KRB5CCNAME variable of the original user to the target environment.
Previously, when a non-privileged user executed the sudo -i command to become another non-privileged user, the new non-privileged user did not have the permissions to read the Kerberos credentials cache that
For this use case, this update adds a new option named
pam_response_filter, the administrator can list PAM services (such as sudo-i) that do not receive any environmental variables (such as KRB5CCNAME) during login. Now, if
sudo-i, a user can switch from one non-privileged user to another without KRB5CCNAME being set in the target environment. (BZ#1329378)
IdM servers can now be configured to require TLS 1.2 or better
Version 1.2 of the Transport Layer Security (TLS) protocol is considered significantly more secure than previous versions. This update enables you to configure your Identity Management (IdM) server to forbid communication using protocols that are less secure than
For details, see the following Red Hat Knowledgebase article: https://access.redhat.com/articles/2801181. (BZ#1367026)
pam_faillock can be now configured with
The pam_faillock module now allows specifying, by using the unlock_time=never option, that the user authentication lock caused by multiple authentication failures should never expire. (BZ#1404832)
libkadm5* libraries have been moved to the libkadm5 package
In Red Hat Enterprise Linux 6.9, the libkadm5* libraries have been moved from the krb5-libs to the new libkadm5 package. As a consequence, yum is not able to downgrade the krb5-libs package automatically. Before downgrading, remove the libkadm5 package manually:
# rpm -e --nodeps libkadm5
After you have manually removed the package, use the yum downgrade command to downgrade the krb5-libs package to a previous version. (BZ#1351284)
Chapter 4. Clustering
Support added for Oracle 11g in Oracle and OraLsnr Pacemaker resource agents
As of Red Hat Enterprise Linux release 6.9, the Pacemaker resource agents Oracle and OraLsnr support Oracle database 11g. (BZ#1336846)
Pacemaker now supports alert agents
You can now create Pacemaker alert agents to take some external action when a cluster event occurs. The cluster passes information about the event to the agent by means of environment variables. Agents can do anything desired with this information, such as send an email message, log to a file, or update a monitoring system. For information on configuring alert agents, see Configuring the Red Hat High Availability Add-On with Pacemaker. (BZ#1253325, BZ#1376480)
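The mechanism described above, as an added example that is not part of the original release notes: a minimal alert agent that appends one line per cluster event to a log file. It assumes the CRM_alert_* environment variable names of Pacemaker's alerts interface and treats the configured recipient as the log file path; control characters and double quotes are replaced before writing so that a value taken from the event cannot forge an extra log entry or break a quoted field.

```sh
#!/bin/sh
# Added example: Pacemaker alert agent that logs cluster events to a file.
# Assumptions: Pacemaker exports event details as CRM_alert_* variables and
# the alert's recipient value is the path of the log file to append to.

# Replace control characters (newline, CR, escape, ...) and double quotes
# with '?' so that a value supplied with the event stays on one log line
# and cannot terminate a quoted field early.
sanitize() {
    printf '%s' "$1" | tr '\001-\037\177"' '?'
}

# Build one log line from the variables relevant to each kind of event.
format_alert() {
    kind=$(sanitize "${CRM_alert_kind:-unknown}")
    node=$(sanitize "${CRM_alert_node:-}")
    desc=$(sanitize "${CRM_alert_desc:-}")
    case "$kind" in
        node)
            # For node events the description carries the membership state.
            printf 'kind=node node=%s state=%s' "$node" "$desc"
            ;;
        fencing)
            printf 'kind=fencing target=%s rc=%s desc="%s"' \
                "$node" "$(sanitize "${CRM_alert_rc:-}")" "$desc"
            ;;
        resource)
            printf 'kind=resource node=%s rsc=%s task=%s rc=%s desc="%s"' \
                "$node" \
                "$(sanitize "${CRM_alert_rsc:-}")" \
                "$(sanitize "${CRM_alert_task:-}")" \
                "$(sanitize "${CRM_alert_rc:-}")" \
                "$desc"
            ;;
        *)
            printf 'kind=%s desc="%s"' "$kind" "$desc"
            ;;
    esac
}

# Run as an agent only when Pacemaker has provided an event and a recipient.
if [ -n "${CRM_alert_kind:-}" ] && [ -n "${CRM_alert_recipient:-}" ]; then
    umask 077   # keep the log private to the account the agent runs as
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$(format_alert)" \
        >> "$CRM_alert_recipient"
fi
```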
clufter is now fully supported
The clufter packages provide a tool for transforming and analyzing cluster configuration formats. They can be used to assist with migration from an older stack configuration to a newer configuration that leverages Pacemaker. The clufter tool, previously available as a Technology Preview, is now fully supported. For information on the capabilities of clufter, see the clufter(1) man page or the output of the clufter -h command. For examples of clufter usage, see the following Red Hat Knowledgebase article: https://access.redhat.com/articles/2810031. (BZ#1318326)
clufter rebased to version 0.59.8
The clufter packages have been upgraded to upstream version 0.59.8, which provides a number of bug fixes, new features, and user experience enhancements over the previous version. Among the notable updates are the following:
- When converting either CMAN or Pacemaker stack specific configuration into the respective sequence of pcs commands with the *2pcscmd families of commands, the clufter tool no longer suggests pcs cluster cib file --config, which does not currently work for subsequent local-modification pcs commands. Instead it suggests pcs cluster cib file. (RHBZ#1328078)
- The clufter tool outputs now may vary significantly depending on the specified distribution target since the tool now aligns the output with what the respective environment, such as the pcs version, can support. Because of this, your distribution or setup may not be supported, and you should not expect that one sequence of pcs commands that the clufter tool produces is portable to a completely different environment.
- The clufter tool now supports several new features of the pcs tool, including alert handlers configuration. Additionally, the clufter tool supports older features recently added to the pcs tool, including resource sets for colocation and order constraints.
- When converting either CMAN + RGManager stack specific configuration into the respective Pacemaker configuration (or sequence of pcs commands reflecting the same) with the ccs2pcs* families of commands, the clufter tool no longer refuses to convert entirely valid lvm resource agent configuration, which could happen before. (BZ#1367536)
luci interface allows administrators to verify authenticity of remote machines
An encrypted channel requires established authenticity between the endpoints to be reasonably secure and protected against man-in-the-middle attacks. Administrators using luci to manage clusters are now automatically provided with the corresponding certificate fingerprints of cluster nodes that are entered when creating a new cluster, adding nodes to a cluster, or adding an existing cluster to luci's management. This allows administrators to verify the authenticity of remote machines first before entrusting the remote nodes with credentials during standard, inverse (self-against-remote) authentication. (BZ#885028)
luci now lists explicit configured actions for individual resources
In a cluster configuration, it is useful to be able to review configured actions for given resources. This may be particularly useful when verifying that the implicit operations, such as the depth parameter of the status action, are overwritten with user configuration. More generally, being able to review configured actions can show the effect that these modifications and additions to implicit actions have on current cluster behavior.
luci now lists configured actions per individual resources in the Service Groups breakdown view, showing which parameters are disregarded for particular actions and emphasizing timeouts if they are set as enforced. Note that the view does not allow for active modifications of the actions; to modify the actions, you use the
--rmaction parameters of the ccs CLI tool. (BZ#1173942)
Chapter 5. Compiler and Tools
Support for the el_GR@euro, ur_IN, and wal_ET locales has been added
The el_GR@euro, ur_IN, and wal_ET locales provide specialized support for newer currency symbols like the Euro, and complete coverage in the instances where the locale was previously unsupported.
Users can now specify these locales using the relevant environment variables to take advantage of the new localization support. (BZ#1101858)
Net::SSLeay Perl module now supports restricting of TLS version
The Net::SSLeay Perl module has been updated to support explicit specification of the TLS protocol version, which can be used for improving security. To restrict TLS version to 1.1 or 1.2, set the
12, respectively. (BZ#1325407)
IO::Socket::SSL Perl module now supports restricting of TLS version
The Net::SSLeay Perl module has been updated to support explicit specification of the TLS protocol versions 1.1 or 1.2 to improve security, and the IO::Socket::SSL module has been updated accordingly. When a new IO::Socket::SSL object is created, it is now possible to restrict the TLS version to 1.1 or 1.2 by setting the
TLSv12 can be used. Note that these values are case-sensitive. (BZ#1331037)
ca-certificates rebased to version 2.10
The certificate store has been upgraded to include the changes contained in version 2.10 of the Certificate Authority certificate list published by the Mozilla Foundation as part of the Network Security Services (NSS) version 3.27. In order to preserve compatibility with existing PKI deployments and with software based on OpenSSL and GnuTLS, several root CA certificates with an RSA key size of 1024 bits have been kept as trusted by default. See the following Knowledgebase article for instructions on disabling these legacy modifications: https://access.redhat.com/articles/1413643. (BZ#1368996)
Chapter 6. Directory Server in Red Hat Enterprise Linux
Directory Server now supports enabling and disabling specific TLS versions
Previously, Directory Server running on Red Hat Enterprise Linux 6 provided no configuration options to enable or disable specific TLS versions. For example, it was not possible to disable the insecure TLS 1.0 protocol while keeping later versions enabled. This update adds the
nsTLS12 parameters to the cn=encryption,cn=config entry. As a result, it is now possible to configure specific TLS protocol versions in Directory Server.
Note that these parameters have a higher priority than the nsTLS1 parameter, which enables or disables all TLS protocol versions. (BZ#1330758)
Chapter 7. Hardware Enablement
cpuid is now available
With this update, the cpuid utility is available in Red Hat Enterprise Linux. This utility dumps detailed information about the CPU(s) gathered from the CPUID instruction, and also determines the exact model of CPU(s). It supports Intel, AMD, and VIA CPUs. (BZ#1316998)
Support for RealTek RTS5250S SD4.0 Controllers
The Realtek RTS5205 card reader controllers have been added to the kernel. (BZ#1167938)
Chapter 8. Installation and Booting
NO_DHCP_HOSTNAME option has been added
The NO_DHCP_HOSTNAME option can now be specified in the /etc/sysconfig/network configuration file. Previously, in certain situations it was not possible to prevent initialization scripts from obtaining the host name through DHCP, even when using a static configuration. With this update, if the NO_DHCP_HOSTNAME option is set to
/etc/sysconfig/network file, initialization scripts are prevented from obtaining the host name through DHCP. (BZ#1157856)
Chapter 9. Kernel
Chelsio firmware updated to version 188.8.131.52
Chelsio firmware has been updated to version 184.108.40.206, which provides a number of bug fixes and enhancements over the previous version.
The most notable bug fixes are:
- The iscsi tlv driver is no longer incorrectly sent to host.
- The firmware no longer terminates unexpectedly due to enabling or disabling the Data Center Bridging Capability Exchange (DCBX) protocol.
- The app priority value is now handled correctly in the firmware. (BZ#1349112)
bnxt_en driver updated to the latest upstream version
The bnxt_en driver has been updated with several minor fixes and with support for BCM5731X, BCM5741X, and 57404 Network Partitioning (NPAR) devices. (BZ#1347825)
ahci driver supports Marvell 88SE9230
The ahci driver now supports the Marvell 88SE9230 controller. (BZ#1392941)
Chapter 10. Networking
NetworkManager now supports manual DNS configuration with
With this update, the user has the option to prevent NetworkManager from modifying the /etc/resolv.conf file. This is useful for manual management of DNS settings. To protect the file from being modified, add the dns=none option to the
Chapter 11. Security
TLS 1.2 support added to all system components
With the addition of TLS 1.2 support to the GnuTLS component, Red Hat Enterprise Linux 6 offers complete support for TLS 1.2 in the shipped security libraries:
GnuTLS. Several modern standards such as PCI-DSS v3.1 recommend the latest TLS protocol, which is currently TLS 1.2. This addition allows you to use Red Hat Enterprise Linux 6 with future revisions of security standards, which may require
For more information about the cryptographic changes in the Red Hat Enterprise Linux 6, see this article on the Red Hat Customer Portal: https://access.redhat.com/blogs/766093/posts/2787271. (BZ#1339222)
OpenSCAP 1.2.13 is NIST certified
OpenSCAP 1.2.13 has been certified by the National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) 1.2 in the Authenticated Configuration Scanner category with the Common Vulnerabilities and Exposure (CVE) option.
OpenSCAP provides a library that can parse and evaluate each component of the SCAP standard. This makes creating new SCAP tools convenient. Also, OpenSCAP offers a multi-purpose tool designed to format content into documents or scan a system based on this content. (BZ#1364207)
vsftpd now uses TLS 1.2 by default
Users of the Very Secure File Transfer Protocol (FTP) daemon (vsftpd) can select a specific version of the TLS protocol up to 1.2. TLS 1.2 has been enabled by default to bring security of vsftpd to the same level as the same package in Red Hat Enterprise Linux 7. New default ciphers specific to TLS 1.2 have been added:
ECDHE-ECDSA-AES256-GCM-SHA384. These changes do not break existing configurations. (BZ#1350724)
auditd now supports
The audit daemon now supports a new flush technique called incremental_async. This new mode significantly improves the audit daemon's logging performance while maintaining short flush intervals for security. (BZ#1369249)
scap-security-guide now supports ComputeNode
The scap-security-guide project now supports scanning of the ComputeNode variant of Red Hat Enterprise Linux and the scap-security-guide package is also distributed in the relevant channel. (BZ#1311491)
rsyslog7 now enables
With this update, the rsyslog7 multi-threaded syslog daemon explicitly enables TLS 1.2 in the
Chapter 12. Servers and Services
DHCP client hook example added for DDNS for Microsoft Azure cloud
An example of the DHCP client hook for Dynamic DNS (DDNS) for Microsoft Azure cloud has been added to the dhcp package. The administrator can now easily enable this hook, and register Red Hat Enterprise Linux clients with a
postfix now supports user-controlled configuration of
With this update, postfix offers configuration options for more precise control of the Transport Layer Security (TLS) protocol version. For example, you can now disable TLSv1.1 while having TLSv1.2 enabled. To do this, add the following line to the
smtpd_tls_mandatory_protocols = !TLSv1.1
Chapter 13. Storage
The smartPQI (smartpqi) driver is now available
This update provides the smartPQI (smartpqi) driver for new Microsemi storage adapter hardware, which becomes available in 2017. The new hardware can also be used with the previous aacraid driver on Red Hat Enterprise Linux 6.5, 6.6, 6.7, and 6.8. In comparison with the
smartpqi driver provides improved performance and enhanced functionality.
Migration from Red Hat Enterprise Linux 6.8 to Red Hat Enterprise Linux 6.9 changes the driver from
smartpqi. As long as standard installation configurations are used, this driver change is transparent to the user and no action is needed. The new smartpqi driver is automatically used after booting Red Hat Enterprise Linux 6.9. (BZ#1343743)
The mpt3sas storage driver has been updated to version 14.100.00.00-rh, which adds support for new devices with these PCI IDs:
- 0x1000:0x00AB SAS3516 Fusion-MPT Tri-Mode RAID On Chip (ROC)
- 0x1000:0x00AC SAS3416 Fusion-MPT Tri-Mode I/O Controller Chip (IOC)
- 0x1000:0x00AE SAS3508 Fusion-MPT Tri-Mode RAID On Chip (ROC)
- 0x1000:0x00AF SAS3408 Fusion-MPT Tri-Mode I/O Controller Chip (IOC) (BZ#1306469)
The megaraid_sas driver has been updated to version 07.700.00.00-rc1, which adds support for new devices with these PCI IDs:
- 0x1000:0x001C (BZ#1306457)
A new default configuration for Huawei XSG1 arrays has been added for
On Red Hat Enterprise Linux 6, a specific configuration is recommended in the device-mapper-multipath tool configuration for Huawei XSG1 arrays. This configuration is now used by default. (BZ#1333334)
multipath.conf option is now available in multipath to avoid data corruption
The multipath tool now has the
disable_changed_wwids is set to
multipathd service monitors path devices, and if their World Wide Identifier (WWID) changes, multipathd disables access to the path devices until the WWID changes back.
If a Logical Unit Number (LUN) is remapped while a multipath device exists on top of it, it is possible in some cases for I/O to be written to an incorrect LUN, which leads to corruption. Writing to an incorrect LUN can be detected by multipathd that registers a change of the LUN WWID, and disables access to the device.
Note that due to the gap between when the LUN is remapped, and when multipathd is notified that the device has changed, there is still a risk of corruption in some cases, and remapping in-use LUNs is still not supported. (BZ#1377532)
device-mapper-multipath now supports the max_sectors_kb configuration parameter
With this update, device-mapper-multipath provides a new max_sectors_kb parameter in the defaults, devices, and multipaths sections of the
max_sectors_kb parameter allows you to set the max_sectors_kb device queue parameter to the specified value on all underlying paths of a multipath device before the multipath device is first activated.
When a multipath device is created, the device inherits the max_sectors_kb value from the path devices. Manually raising this value for the multipath device or lowering this value for the path devices can cause multipath to create I/O operations larger than the path devices allow.
The max_sectors_kb multipath.conf parameter is an easy way to set these values before a multipath device is created on top of the path devices, and prevent invalid-sized I/O operations from being passed down. (BZ#1355669)
multipath.conf option to allow skipping kpartx partition creation has been added
This update enables the user to only create a multipath device, and not any partitions, even if the device has a partition table. Now, multipath devices that are configured with the skip_kpartx option do not have any partition devices created for them. (BZ#1310320)
Users are now warned if they create multipath devices while multipathd is not running
With this update, multipath prints a warning message for adding and listing multipath devices when the multipathd service is not running. (BZ#1305589)
Chapter 14. Virtualization
Configuration options can be used to exclude weak ciphers
Previously, libvirt depended on the hard-coded cipher defaults in GnuTLS. This made it possible to use weak ciphers. With this update, configuration options to exclude weak ciphers have been added to the
libvirt.conf files. In addition, TLS priority support was added to libvirt URIs. As a result, the list of used ciphers can be customized to exclude weak ciphers. (BZ#1333415)
Improved Hyper-V storage driver performance
The storvsc Hyper-V storage driver was updated from upstream. This provides moderate performance improvement of I/O operations when using the Hyper-V storvsc driver for certain workloads. (BZ#1352824)
Hyper-V clock source changed to use the TSC page
With this update, the Time Stamp Counter (TSC) page is used as the Hyper-V clock source. The TSC page provides a more efficient way of computing the per-guest reference counter value than the previously used model-specific register (MSR). As a result, kernel operations that involve reading time stamps are now faster.
Note that this feature is only supported on 64-bit kernels. (BZ#1365049)
Setting the account password is now possible for any guest user
The guest-set-user-password command has been introduced for the QEMU guest agent. This allows setting the account password for any guest user, including the root, when using QEMU and KVM. (BZ#1303906)
Chapter 15. Red Hat Software Collections
Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures. Red Hat Developer Toolset is included as a separate Software Collection.
Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Since Red Hat Software Collections 2.3, the Eclipse development platform is provided as a separate Software Collection.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can choose which package version they want to run at any time.
Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.
Part II. Known Issues
This part documents known problems in Red Hat Enterprise Linux 6.9.
Chapter 16. General Updates
The default value of
Dovecot has changed in Red Hat Enterprise Linux 7
Since Red Hat Enterprise Linux 7.3, the default value of the first_valid_uid configuration option of Dovecot has changed from 500 in Red Hat Enterprise Linux 6 to 1000 in Red Hat Enterprise Linux 7. Consequently, if a Red Hat Enterprise Linux 6 installation does not have first_valid_uid explicitly defined, the Dovecot configuration will not allow users with UID less than 1000 to log in after the update to Red Hat Enterprise Linux 7.
To avoid breaking the configuration, redefine
500 after the upgrade in the /etc/dovecot/conf.d/10-mail.conf file. Note that only installations where first_valid_uid is not explicitly defined are affected by this problem. (BZ#1388967)
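A pre-upgrade check for this issue, as an added example that is not part of the release notes: it reports whether first_valid_uid is set explicitly in a Dovecot configuration file and, if not, lists the accounts from a passwd-format file whose UID falls in the 500 to 999 range that the new default excludes. The function names are hypothetical, and the check reads only the two files it is given rather than querying Dovecot.

```sh
#!/bin/sh
# Added example: find accounts that would lose Dovecot access after the
# upgrade because first_valid_uid is not set explicitly.
# Assumptions: function names are hypothetical; only the single configuration
# file passed in is inspected (included files are not followed).

# Print the explicitly configured first_valid_uid, if any (last setting wins).
explicit_first_valid_uid() {
    awk '
        { sub(/#.*/, "") }                      # ignore commented-out settings
        /^[ \t]*first_valid_uid[ \t]*=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[2])
            value = kv[2]
        }
        END { if (value != "") print value }
    ' "$1"
}

# List account names with 500 <= UID < 1000.
# passwd format: name:password:UID:GID:gecos:home:shell
accounts_below_new_default() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3 >= 500 && $3 < 1000 { print $1 }' "$1"
}

# $1 = Dovecot configuration file, $2 = passwd-format file.
# Returns 1 when the installation is affected, 0 otherwise.
dovecot_uid_report() {
    uid=$(explicit_first_valid_uid "$1")
    if [ -n "$uid" ]; then
        printf 'first_valid_uid is set explicitly to %s; not affected\n' "$uid"
        return 0
    fi
    users=$(accounts_below_new_default "$2" | tr '\n' ' ')
    if [ -n "$users" ]; then
        printf 'first_valid_uid not set; accounts with UID 500-999: %s\n' "$users"
        return 1
    fi
    printf 'first_valid_uid not set; no accounts with UID 500-999\n'
}

# Usage: sh this-script DOVECOT_CONF PASSWD_FILE
if [ "$#" -eq 2 ]; then
    dovecot_uid_report "$1" "$2"
fi
```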
Incorrect information about the expected default settings of services in Red Hat Enterprise Linux 7
The module of Preupgrade Assistant that handles initscripts provides incorrect information about the expected default settings of the services in Red Hat Enterprise Linux 7 according to the /usr/lib/systemd/system-preset/90-default.preset file in Red Hat Enterprise Linux 7 and according to the current settings of the Red Hat Enterprise Linux 6 system. In addition, the module does not check the default settings of the system but only the settings for the runlevel used during the processing of the check script, which might not be the default runlevel of the system. As a consequence, initscripts are not handled in the anticipated way and the new system needs more manual action than expected. However, the user is informed about the settings that will be chosen for relevant services, despite the presumable default settings. (BZ#1366671)
Manually created configuration might not work correctly with the named-chroot service after upgrading
When you use the named-chroot service and have your own manually created configuration files in the /var/named/chroot/ directory, the service might not work properly on the target system after the upgrade to Red Hat Enterprise Linux 7. The options section in the used configuration files must contain the session-keyfile and pid-file directives, such as in the following example:
session-keyfile "/run/named/session.key";
pid-file "/run/named/named.pid";
Preupgrade Assistant modules do not check or fix the manually created files in the /var/named/chroot/ directory. To work around this problem, manually insert the lines above into the options section. If you do not have your own manually created configuration files in /var/named/chroot/, the configuration files of bind, including the /etc/named.conf file, are used. These configuration files are checked and fixed by the Preupgrade Assistant modules. (BZ#1473233)
Chapter 17. Authentication and Interoperability
SSSD fails to manage sudo rules from the IdM LDAP tree
The System Security Services Daemon (SSSD) currently uses the IdM LDAP tree by default. As a consequence, it is not possible to assign sudo rules to non-POSIX groups. To work around this problem, modify the /etc/sssd/sssd.conf file to set your domain to use the compat tree:
[domain/EXAMPLE]
...
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
As a result, SSSD will load sudo rules from the compat tree and you will be able to assign rules to non-POSIX groups.
Note that Red Hat recommends configuring groups referenced in sudo rules as POSIX groups. (BZ#1336548)
winbindd crashes when installing a new AD trust
When configuring a new Active Directory (AD) trust on a newly installed system, the ipa-adtrust-install utility might report that the winbindd service terminated unexpectedly. Otherwise,
If this problem occurs, restart the IdM services by using the ipactl restart command after running ipa-adtrust-install. This also restarts
Note that the full extent of the functional impact of this problem is still unknown. Some trust functionality might not work until winbindd is restarted. (BZ#1399058)
nslcd fails to resolve user or group identities when it is started before the network connection is fully up
If nslcd, the local LDAP name service daemon, is started before the network connection is fully up, the daemon fails to connect to an LDAP server. As a consequence, resolving user or group identities does not work. To work around this problem, start nslcd after the network connection is up. (BZ#1401632)
Chapter 18. Desktop
vmware driver does not support multiple displays
The vmware video driver for the X11 window system misses certain features related to multi-display support. As a consequence, Red Hat Enterprise Linux 6 guests running on VMware cannot correctly use multiple displays and only single-display support is available.
Please contact Red Hat support for test packages if you require multi-display support. (BZ#1320480)
Incorrect mouse pointer movement after screen rotation inside a virtual machine in VMware 11 or VMware 12
If the screen rotation is changed inside a virtual machine in VMware 11 or VMware 12, the pointer movement remains unchanged. This only happens when the xorg-x11-drv-vmware driver is used, which initializes an absolute-axis device rather than a relative-axis device. The pointer does not follow the expected path because the driver is still mapping to the original coordinate system. To work around this problem, it is necessary to manually rotate the device, for example by running the following command:
xinput set-prop "ImPS/2 Generic Wheel Mouse" "Coordinate Transformation Matrix" 0 -1 1 1 0 0 0 0 1
Note that the command above is only an example. In general, the matrix needs to be adjusted depending on the specific scenario. Once the matrix is applied, pointer movement matches the rotation of the screen. (BZ#1322712, BZ#1318340)
Using Radeon or Nouveau can cause incorrectly rendered graphics
A bug in the Xorg server can, under rare circumstances, cause graphics to be rendered incorrectly if using the Radeon or Nouveau graphics device driver. For example, the Thunderbird message pane can be displayed incorrectly.
For Nouveau, as a workaround, add the WrappedFB option to the xorg.conf file as follows:
Section "Device"
    Identifier "nouveau-device"
    Driver "nouveau"
    Option "WrappedFB" "true"
EndSection
This workaround avoids the faulty logic in the X server, and the Thunderbird message pane will be displayed correctly. (BZ#1076595)
Chapter 19. Directory Server in Red Hat Enterprise Linux
IdM schema replications from Red Hat Enterprise Linux 7 to 6.9 fail
Identity Management (IdM) in Red Hat Enterprise Linux 6.9 uses a different schema definition in the nsEncryptionConfig object class than IdM on Red Hat Enterprise Linux 7.3. Because the schema learning mechanism is unable to merge definitions, schema replications between servers fail. As a consequence, mechanisms relying on the schema can fail. For example, schema violations and plug-in failures can occur, replication can fail, and access control instructions (ACI) can be ignored. In an upcoming Red Hat Enterprise Linux 7.3 update, the nsTLS12 attributes will be added to the list of allowed attributes in the nsEncryptionConfig object class, and as a consequence, mechanisms relying on the schema will no longer fail in the described scenario. (BZ#1404443)
Chapter 20. Installation and Booting
The installer displays the number of multipath devices, and number of multipath devices selected, incorrectly
Multipath devices are configured properly, but the installer displays the number of devices and number of selected devices incorrectly. There is no known workaround at this point. (BZ#914637)
The installer displays the amount of disk space within multipath devices incorrectly
Multipath devices are configured properly, but the installer displays disk space and number of devices incorrectly. There is no known workaround at this point. (BZ#1014425)
device.map configuration file generated by Anaconda is sometimes incorrect
Due to limitations in the kernel, the device.map configuration file that is used to map BIOS drives to operating system devices might be generated incorrectly in certain situations, particularly when installing from a USB key. As a consequence, booting sometimes fails after installation. To work around this problem, manually update the device.map file in the /boot/grub directory. After updating device.map so that it correctly maps devices on the system, Red Hat Enterprise Linux 6 will boot as expected. (BZ#1253223)
ifup script incorrectly replaces manually-defined default routes
If a default route is manually added to the routing table, the ifup script incorrectly replaces it, when setting up other interfaces, if the GATEWAY parameter is specified. To work around this bug, specify a non-zero metric for either the manually-added route, or when adding a route with
Upgrading Red Hat Enterprise Linux 6 on UEFI systems clears the boot loader password
When upgrading Red Hat Enterprise Linux 6 on a system with UEFI firmware and a boot loader password set, the boot loader password is removed. As a consequence, modifying the boot record is possible without a password. To work around this problem, make a backup of the password settings from the /boot/efi/EFI/redhat/grub.conf configuration file before upgrading, and then restore the settings to the /boot/efi/EFI/redhat/grub.conf file in the new system. (BZ#1416653)
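One way to script the backup, the post-upgrade check, and the restore described above, as an added example that is not part of the release notes. The function names and the backup file location are assumptions made for this example; the configuration file to pass in is the /boot/efi/EFI/redhat/grub.conf file named in the text.

```shell
#!/bin/sh
# Added example: keep the boot loader password across an upgrade on UEFI.
# Function names and the backup location are hypothetical.
# Before upgrading: save_grub_password /boot/efi/EFI/redhat/grub.conf /root/grub-pw.bak
# After upgrading:  restore_grub_password /boot/efi/EFI/redhat/grub.conf /root/grub-pw.bak

# Print the global password directive(s): "password ..." lines that appear
# before the first "title" line of the configuration file.
grub_password_lines() {
    awk '/^[ \t]*title[ \t]/ { exit }
         /^[ \t]*password([ \t]|$)/ { sub(/^[ \t]+/, ""); print }' "$1"
}

# Save the directive(s) to a file only the owner can read, because the line
# carries the password hash (or the password itself if stored in plain text).
# Fails if the configuration has no password to save.
save_grub_password() {
    conf=$1
    backup=$2
    ( umask 077; grub_password_lines "$conf" > "$backup" )
    [ -s "$backup" ]
}

# Succeed only if every saved directive is still present in the configuration.
grub_password_intact() {
    conf=$1
    backup=$2
    [ -s "$backup" ] || return 1
    current=$(grub_password_lines "$conf")
    while IFS= read -r want; do
        printf '%s\n' "$current" | grep -Fxq -- "$want" || return 1
    done < "$backup"
}

# Put the saved directive(s) back in front of the first "title" line,
# replacing any global password line that differs from the saved one.
restore_grub_password() {
    conf=$1
    backup=$2
    grub_password_intact "$conf" "$backup" && return 0
    [ -s "$backup" ] || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    awk 'NR == FNR { saved[++n] = $0; next }
         !placed && /^[ \t]*password([ \t]|$)/ { next }
         !placed && /^[ \t]*title[ \t]/ {
             for (i = 1; i <= n; i++) print saved[i]
             placed = 1
         }
         { print }
         END { if (!placed) for (i = 1; i <= n; i++) print saved[i] }' \
        "$backup" "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$conf"
}
```

Running grub_password_intact from a post-upgrade check makes the silent loss of the password visible before the system goes back into service.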
Chapter 21. Kernel
Certain NIC firmware can become unresponsive with the
Due to a bug in the unload sequence of the pre-boot drivers, the firmware of some internet adapters can become unresponsive after the bnx2x driver takes over the device. The bnx2x driver detects the problem and returns the message in the kernel log:
Storm stats were not updated for 3 times.
To work around this problem, apply the latest NIC firmware updates provided by your hardware vendor. As a result, unloading of the pre-boot firmware now works as expected and the firmware no longer hangs after bnx2x takes over the device. (BZ#1012684)
e1000e cards might not get an IPv4 address
Some e1000e network interface cards (NICs) might fail to get an IPv4 address assigned after the system is rebooted. To work around this problem, add the following line to the /etc/sysconfig/network-scripts/ifcfg-<interface> file:
ecb kernel module fails when dracut is not upgraded
When upgrading only the kernel rpm from Red Hat Enterprise Linux 6.7 to version 6.8, upgrade the dracut package to the latest version (dracut-004-409.el6.rpm).
Upgrading dracut enables the ecb module to work. The ecb kernel module is needed by the drbg kernel module when using the Advanced Encryption Standard (AES) implementation on non-x86 architectures. If you do not upgrade dracut, the drbg AES implementation fails with a warning message, although other drbg modules still work. (BZ#1315832)
Guests sometimes fail to boot on ESXi 5.5
When running Red Hat Enterprise Linux 7 guests on a VMware ESXi 5.5 hypervisor, certain components currently initialize with incorrect memory type range register (MTRR) values or incorrectly reconfigure MTRR values across boots. This sometimes causes the guest kernel to panic or the guest to become unresponsive during boot.
To work around this problem, add the `disable_mtrr_trim` option to the guest's kernel command line, which enables the guest to continue booting when MTRRs are configured incorrectly. Note that with this option, the guest prints `WARNING: BIOS bug` messages during boot, which you can safely ignore. (BZ#1422774)
File-system corruption due to incorrect flushing of cache has been fixed but I/O operations can be slower
Due to a bug in the megaraid_sas driver, file-system corruption previously occurred in some cases when the file system was used with a disk-write back cache during system shutdown, reboot, or power loss. This update fixes megaraid_sas to transfer the flush cache commands correctly to the raid card. As a result, if you also update the raid card firmware, the file-system corruption no longer occurs under the described circumstances.
For the megaraid_sas raid adapter, you can check the functionality in the system log (dmesg). The proper functionality is indicated by the following text string:
FW supports sync cache Yes
Note that this fix can slow down I/O operations because the cache is now flushed properly. (BZ#1392499)
Chapter 22. Networking
radvd occasionally terminates unexpectedly due to a race condition
In the Router Advertisement Daemon (radvd), there is a race condition in radvd timer handling. Consequently, radvd occasionally terminates unexpectedly. (BZ#1058698)
Chapter 23. Security
A runtime version of OpenSSL is masked and SSL_OP_NO_TLSv1_1 must not be used when an application runs with
Because certain applications perform an incorrect check of the OpenSSL version, the actual runtime version of OpenSSL is masked and the build-time version is reported instead. Consequently, it is impossible to detect the currently running OpenSSL version using the
Additionally, passing the value equivalent to the SSL_OP_NO_TLSv1_1 option as present on OpenSSL 1.0.1 to the SSL_CTX_set_options() function when running with OpenSSL 1.0.0 breaks the SSL/TLS support completely.
To work around this problem, use another way to detect the currently running OpenSSL version. For example, it is possible to obtain a list of enabled ciphers with the SSL_get_ciphers() function and search for a TLS 1.2 cipher by parsing the list using the SSL_CIPHER_description() function. Finding one indicates that the application runs with an OpenSSL version later than 1.0.0, because TLS 1.2 support has been present since version 1.0.1. (BZ#1497859)
Chapter 24. Servers and Services
Printing a PDF file upside down with cups is currently impossible
In the CUPS printing system, the -o orientation-requested=6 option in the lp -d [printer] -o orientation-requested=6 [filename] command, which is expected to rotate the printed page by 180°, does not work. (BZ#1099617)
Printing PDF files using the fit-to-page and fitplot options does not work on printers with hardware margins
In the CUPS printing system, the lp -d printer-with-hwmargins -o fit-to-page and lp -d printer-with-hwmargins -o fitplot commands use the -o fit-to-page and -o fitplot options, which resize the document to be printed so that it fits the paper size. The options do not work for printing PDF files on printers with hardware margins. (BZ#1268131)
DHCP client sends unicast requests through the incorrect interface
The DHCP client does not support multiple interfaces on the same subnet and it is not able to ensure that unicast requests go through the right interface. Consequently, the DHCP client fails to renew a lease, and network configuration stops working. There is no known workaround at this point.
The DHCP client cannot be used in a configuration with two interfaces connected to the same subnet. (BZ#1297445)
A *.dsc file converted from a *.pdf file by the pdf2dsc script cannot be opened in Evince
It is no longer possible to convert a *.pdf (Portable Document Format) file into a *.dsc (Document Structure Convention) file with the pdf2dsc script, and open the converted *.dsc file with the Evince GNOME document viewer, located outside the Ghostscript's sandbox. It is a result of the fixed -dSAFER option, which forces Ghostscript to operate in sandbox mode. For details and a workaround, see https://access.redhat.com/articles/2948831. (BZ#1411843)
Chapter 25. System and Subscription Management
ReaR works only on the eth0 interface
ReaR produces a rescue system that does not support mounting an NFS server using an interface other than eth0. Consequently, the backup files cannot be downloaded and the system cannot be restored. To work around this problem, ensure that the used interface is eth0 by restarting dhclient. (BZ#1313417)
ReaR creates two ISO images instead of one
In ReaR, the OUTPUT_URL directive enables specifying the location for the ISO image containing the rescue system. Currently, with this directive set, ReaR creates two copies of the ISO image: one in the specified directory and one in the /var/lib/rear/output/ default directory. This requires additional space for the image. This is especially important if a full-system backup is included into the ISO image (using the
To work around this behavior, delete the extra ISO image once ReaR has finished working or, to avoid having a period of time with double storage consumption, create the image in the default directory and then move it to the desired location manually.
There is a request for enhancement to change this behavior and make ReaR create only one copy of the ISO image. (BZ#1320551)
Chapter 26. Virtualization
Coolkey does not load on Windows 7 guests
Loading the Coolkey module on Windows 7 guest virtual machines currently fails, which prevents smart card redirection from working properly on these guests. (BZ#1331471)
Disabling vCPUs on Hyper-V guests fails
Currently, it is not possible to disable CPUs on guest virtual machines running on Microsoft Hyper-V, including Microsoft Azure cloud, due to the lack of support from the host side. However, it is possible to reduce the number of online CPUs by booting guests with the nr_cpus=XX parameter passed on the kernel command line, where XX is the number of online CPUs required.
For more information, see https://access.redhat.com/solutions/2790331. (BZ#1396336)
Hot plugging hard disks as a batch on the VMware ESXi hypervisor does not work reliably
When hot plugging multiple hard disks at the same time to a Red Hat Enterprise Linux 6 guest virtual machine running on the VMware ESXi hypervisor, the host currently does not inform the guest about all of the added disks, and some of the disks thus cannot be used. To work around this problem, hot plug one hard disk at a time in the described scenario. (BZ#1224673)
Guests cannot access floppy disks larger than 1.44 MB
Guest virtual machines are currently unable to access floppy drive images larger than 1.44 MB if they are inserted while the guest is running. To work around the problem, insert the floppy drive image prior to booting the guest. (BZ#1209362)
Hyper-V guest integration services stop working after they are disabled and re-enabled
Currently, Red Hat Enterprise Linux 6 guest virtual machines running on the Microsoft Hyper-V hypervisor do not automatically restart the hyperv-daemons suite after Hyper-V guest integration services, such as data exchange and backup, are disabled and then re-enabled. As a consequence, these integration services stop working after they are disabled and re-enabled in the Hyper-V Manager interface.
To work around this problem, restart the hypervfcopyd services in the guest after re-enabling the integration services from Hyper-V Manager, or do not change the status of the integration services while the guest is running. (BZ#1121888)
Booting virtual machines with the smep flags on older host CPUs fails
smep CPU flags are not properly emulated on certain older CPU models, such as the early Intel Xeon E processors. As a consequence, using smep when booting a guest virtual machine on a host with such a CPU causes the boot to fail. To work around this problem, do not use smep if the CPU does not support them. (BZ#1371765)
Guests with recent Windows systems in some cases fail to boot if hv_relaxed is used
Attempting to boot KVM guests with the following operating systems currently fails with an error code: 0x0000001E message if the value of the hv_relaxed option is used.
- 64-bit Windows 8 or later
- 64-bit Windows Server 2012 or later
To work around this problem, do not use
Limited CPU support for Windows 10 and Windows Server 2016 guests
On a Red Hat Enterprise Linux 6 host, Windows 10 and Windows Server 2016 guests can only be created when using the following CPU models:
- the Intel Xeon E series
- the Intel Xeon E7 family
- Intel Xeon v2, v3, and v4
- Opteron G2, G3, G4, G5, and G6
For these CPU models, also make sure to set the CPU model of the guest to match the CPU model detected by running the virsh capabilities command on the host. Using the application default or hypervisor default prevents the guests from booting properly.
To be able to use Windows 10 guests on Legacy Intel Core 2 processors (also known as Penryn) or Intel Xeon 55xx and 75xx processor families (also known as Nehalem), add the following flag to the Domain XML file, with either Penryn or Nehalem as MODELNAME:
<cpu mode='custom' match='exact'>
  <model>MODELNAME</model>
  <feature name='erms' policy='require'/>
</cpu>
Other CPU models are not supported, and both Windows 10 guests and Windows Server 2016 guests created on them are likely to become unresponsive during the boot process. (BZ#1346153)
Network connectivity not restored when vnic is enabled
When the netdev(tap) link is set to off and the vnic(virtio-net/e1000) link is set to on, network connectivity does not resume. However, if the vnic(virtio-net/e1000) link is set to off and the netdev(tap) link is set to on, network connectivity resumes.
To resolve the issue, consistently use the same device to control the link. If the netdev(tap) link was set to off, using it to turn the link back on will work correctly. (BZ#1198956)
KVM guests fail to properly read physical DVD/CD-ROM media
Several problems may occur when using physical DVD/CD-ROMs with KVM guest virtual machines. To work around this problem, you can create ISO files from the physical media and use them with the virtual machines. It is recommended that you do not use physical DVD/CD-ROMs. For more information, see https://access.redhat.com/solutions/2543131. (BZ#1360581)
Appendix A. Component Versions
This appendix is a list of components and their versions in the Red Hat Enterprise Linux 6.9 release.
Table A.1. Component Versions
QLogic ql2xxx firmware
iSCSI initiator utils
Appendix B. Revision History
|Revision 0.2-0||Thu Aug 02 2018||Lenka Špačková|
|Revision 0.1-9||Fri Jul 20 2018||Lenka Špačková|
|Revision 0.1-8||Fri Mar 16 2018||Lenka Špačková|
|Revision 0.1-7||Wed Nov 29 2017||Lenka Špačková|
|Revision 0.1-6||Mon Sep 04 2017||Lenka Špačková|
|Revision 0.1-5||Mon Jul 03 2017||Jiří Herrmann|
|Revision 0.1-2||Thu Apr 27 2017||Lenka Špačková|
|Revision 0.1-1||Fri Mar 31 2017||Lenka Špačková|
|Revision 0.1-0||Tue Mar 28 2017||Lenka Špačková|
|Revision 0.0-8||Tue Mar 21 2017||Lenka Špačková|
|Revision 0.0-4||Thu Jan 05 2017||Lenka Špačková|
Copyright © 2017-2018 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.