7.6 Release Notes

Red Hat Enterprise Linux 7.6 Beta

Release Notes for Red Hat Enterprise Linux 7.6 Beta

Red Hat Customer Content Services

Abstract

The Release Notes provide high-level coverage of the improvements and additions that have been implemented in Red Hat Enterprise Linux 7.6 Beta and document known problems in this release, as well as notable bug fixes, Technology Previews, deprecated functionality, and other details.
This version of the document is provided only as a preview. It is under development and is subject to substantial change. Consider the included information incomplete and use it with caution.

Preface

Red Hat Enterprise Linux (RHEL) minor releases are an aggregation of individual security, enhancement, and bug fix errata. The Red Hat Enterprise Linux 7.6 Beta Release Notes document describes the major changes made to the Red Hat Enterprise Linux 7 operating system and its accompanying applications for this minor release, as well as known problems and a complete list of all currently available Technology Previews.
Capabilities and limits of Red Hat Enterprise Linux 7 as compared to other versions of the system are available in the Red Hat Knowledgebase article available at https://access.redhat.com/articles/rhel-limits.
Packages distributed with this release are listed in Red Hat Enterprise Linux 7 Package Manifest. Migration from Red Hat Enterprise Linux 6 is documented in the Migration Planning Guide.
For information regarding the Red Hat Enterprise Linux life cycle, refer to https://access.redhat.com/support/policy/updates/errata/.

Chapter 1. Overview

Security

  • Driven by Trusted Platform Module (TPM) 2.0 hardware modules, the NBDE capability has been extended to provide two layers of security for hybrid-cloud operations: the network-based mechanism is applicable in the cloud, while the use of TPM on-premises helps to keep information on disks physically more secure.
  • The GnuTLS library now provides improved Hardware Security Module (HSM) support.
  • OpenSSL now works with new CP Assist for Cryptographic Functions (CPACF) instructions to accelerate Galois/Counter Mode (GCM) of operation as available with IBM z14.
  • Red Hat Certificate System distributed with Red Hat Enterprise Linux 7.6 Beta provides new default cryptographic algorithms for RSA and ECC, which help maintain FIPS compliance and stay current with cryptography requirements from NIST and other standards bodies, as well as organizations responsible for handling sensitive information.

Networking

  • For better integration with counter-intrusion measures, firewall operations through Red Hat Enterprise Linux have been improved with enhancements to nftables. The nft command-line tool can now also provide improved control over packet filtering, providing better overall visibility and simplified configuration for systems security.
For details, see Chapter 13, Networking.

Identity Management and Access Control

  • This release of OpenSC supports new smart cards, for example, models with CardOS 5.3.
For details, see Chapter 26, Security.

Management and Automation

  • The task of managing Red Hat Enterprise Linux 7 continues to be refined, with the latest beta version introducing enhancements to the Red Hat Enterprise Linux Web Console including:
    • Showing available updates on the system summary page
    • Automatic configuration of single sign-on for identity management, helping to simplify this task for security administrators
    • An interface to control firewall services
  • The integration of the Extended Berkeley Packet Filter (eBPF) provides a safer, more efficient mechanism for monitoring activity within the kernel and will help to enable additional performance monitoring and network tracing tools in the future. The eBPF tool is available as a Technology Preview.

Red Hat Insights

The Red Hat Insights service has been available since Red Hat Enterprise Linux 7.2. Red Hat Insights is a proactive service designed to enable you to identify, examine, and resolve known technical issues before they affect your deployment. Insights leverages the combined knowledge of Red Hat Support Engineers, documented solutions, and resolved issues to deliver relevant, actionable information to system administrators.
The service is hosted and delivered through the Customer Portal or through Red Hat Satellite. To register your systems, follow the Getting Started Guide for Insights.

Red Hat Customer Portal Labs

Red Hat Customer Portal Labs is a set of tools in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify security problems, and quickly deploy and configure complex applications. Some of the most popular applications are:

Chapter 2. Architectures

Red Hat Enterprise Linux 7.6 Beta is available on the following architectures: [1]
  • 64-bit AMD
  • 64-bit Intel
  • IBM POWER7+ (big endian)
  • IBM POWER8 (big endian) [2]
  • IBM POWER8 (little endian) [3]
  • IBM POWER9 (little endian) [4] [5]
  • IBM z Systems [4] [6]
  • 64-bit ARM [4]


[1] Note that the Red Hat Enterprise Linux 7.6 Beta installation is supported only on 64-bit hardware. Red Hat Enterprise Linux 7.6 Beta is able to run 32-bit operating systems, including previous versions of Red Hat Enterprise Linux, as virtual machines.
[2] Red Hat Enterprise Linux 7.6 Beta POWER8 (big endian) is currently supported as a KVM guest on Red Hat Enterprise Linux 7.6 Beta POWER8 systems that run the KVM hypervisor.
[3] Red Hat Enterprise Linux 7.6 Beta POWER8 (little endian) is currently supported as a KVM guest on Red Hat Enterprise Linux 7.6 Beta POWER8 systems that run the KVM hypervisor. In addition, Red Hat Enterprise Linux 7.6 Beta POWER8 (little endian) guests are supported on Red Hat Enterprise Linux 7.6 Beta POWER9 systems that run the KVM hypervisor in POWER8-compatibility mode on version 4.14 kernel using the kernel-alt package.
[4] This architecture is supported with the kernel version 4.14, provided by the kernel-alt packages. For details, see the Red Hat Enterprise Linux 7.5.
[5] Red Hat Enterprise Linux 7.6 Beta POWER9 (little endian) is currently supported as a KVM guest on Red Hat Enterprise Linux 7.6 Beta POWER9 systems that run the KVM hypervisor on version 4.14 kernel using the kernel-alt package.
[6] Red Hat Enterprise Linux 7.6 Beta for z Systems (both the 3.10 kernel version and the 4.14 kernel version) is currently supported as a KVM guest on Red Hat Enterprise Linux 7.6 Beta for z Systems hosts that run the KVM hypervisor on version 4.14 kernel using the kernel-alt package.

Chapter 3. Important Changes to External Kernel Parameters

This chapter provides system administrators with a summary of significant changes in the kernel shipped with Red Hat Enterprise Linux 7.6 Beta. These changes include added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.

Kernel parameters

hardened_usercopy = [KNL]
This parameter specifies whether hardening is enabled (default) or not enabled for the boot.
Hardened usercopy checking is used to protect the kernel from reading or writing beyond known memory allocation boundaries as a proactive defense against bounds-checking flaws in the kernel's copy_to_user()/copy_from_user() interface.
The valid settings are: on, off.
on – Perform hardened usercopy checks (default).
off – Disable hardened usercopy checks.
no-vmw-sched-clock [X86,PV_OPS]
Disables paravirtualized VMware scheduler clock and uses the default one.
rdt = [HW,X86,RDT]
Turns on or off individual RDT features.
Available features are: cmt, mbmtotal, mbmlocal, l3cat, l3cdp, l2cat, l2cdp, mba.
For example, to turn on cmt and turn off mba, use:
rdt=cmt,!mba
nospec_store_bypass_disable [HW]
Disables all mitigations for the Speculative Store Bypass vulnerability.
For more in-depth information about the Speculative Store Bypass (SSB) vulnerability, see Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639.
spec_store_bypass_disable = [HW]
Certain CPUs are vulnerable to an exploit against a common industry-wide performance optimization known as Speculative Store Bypass.
In such cases, recent stores to the same memory location cannot always be observed by later loads during speculative execution. However, such stores are unlikely and thus they can be detected prior to instruction retirement at the end of a particular speculation execution window.
In vulnerable processors, the speculatively forwarded store can be used in a cache side channel attack. An example of this is reading memory to which the attacker does not directly have access, for example inside the sandboxed code.
This parameter controls whether the Speculative Store Bypass (SSB) optimization is used. Disabling the optimization is the mitigation for the SSB vulnerability.
Possible values are:
on – Unconditionally disable SSB.
off – Unconditionally enable SSB.
auto – Kernel detects whether the CPU model contains an implementation of SSB and selects the most appropriate mitigation.
prctl – Controls SSB for a thread using prctl. SSB is enabled for a process by default. The state of the control is inherited on fork.
Not specifying this option is equivalent to spec_store_bypass_disable=auto.
For more in-depth information about the Speculative Store Bypass (SSB) vulnerability, see Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639.
nmi_watchdog = [KNL,BUGS=X86]
These settings can now be accessed at runtime with the use of the nmi_watchdog and hardlockup_panic sysctls.

New and updated /proc/sys/kernel/ entries

hardlockup_panic
This parameter controls whether the kernel panics if a hard lockup is detected.
Possible values are:
0 – Do not panic on hard lockup.
1 – Panic on hard lockup.
This can also be set using the nmi_watchdog kernel parameter.
perf_event_mlock_kb
Controls the size of the per-CPU ring buffer that is not counted against the mlock limit.
The default value is 512 + 1 page.
perf_event_paranoid
Controls use of the performance events system by unprivileged users (without CAP_SYS_ADMIN).
The default value is 2.
Possible values are:
-1 – Allow use of the majority of events by all users.
>=0 – Disallow ftrace function tracepoint and raw tracepoint access by users without CAP_SYS_ADMIN.
>=1 – Disallow CPU event access by users without CAP_SYS_ADMIN.
>=2 – Disallow kernel profiling by users without CAP_SYS_ADMIN.

New /proc/sys/net/core entries

bpf_jit_harden
Enables hardening for the Berkeley Packet Filter (BPF) Just in Time (JIT) compiler.
Hardening is supported for Extended Berkeley Packet Filter (eBPF) JIT back ends. Enabling hardening reduces performance, but can mitigate JIT spraying.
Possible values are:
0 – Disable JIT hardening (default value).
1 – Enable JIT hardening for unprivileged users only.
2 – Enable JIT hardening for all users.
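
The following check is an added example, not part of the original release notes or Red Hat tooling: it reviews a kernel command line and sysctl values for the settings described in this chapter that switch a protection off. The function names and sample values are constructed for illustration, and the script assumes that the last occurrence of a repeated boot parameter is the effective one.

```shell
#!/bin/sh
# Added example (not Red Hat code): review boot parameters and sysctls from
# this chapter. Function names and sample values are illustrative.

# audit_cmdline "<kernel command line>"
# Prints one FINDING line per parameter that switches off a protection.
# Assumption: if a parameter is repeated, the last occurrence is effective.
audit_cmdline() {
    _usercopy=on     # documented default
    _ssbd=auto       # documented behaviour when the option is not given
    _nospec=no
    set -f           # no glob expansion while splitting the command line
    for _tok in $1; do
        case "$_tok" in
            hardened_usercopy=*)         _usercopy=${_tok#*=} ;;
            spec_store_bypass_disable=*) _ssbd=${_tok#*=} ;;
            nospec_store_bypass_disable) _nospec=yes ;;
        esac
    done
    set +f
    if [ "$_usercopy" = off ]; then
        echo "FINDING: hardened_usercopy=off disables usercopy bounds checks"
    fi
    if [ "$_nospec" = yes ]; then
        echo "FINDING: nospec_store_bypass_disable turns off all SSB mitigations"
    fi
    case "$_ssbd" in
        on|auto|prctl) ;;
        off) echo "FINDING: spec_store_bypass_disable=off keeps SSB enabled unconditionally" ;;
        *)   echo "FINDING: spec_store_bypass_disable=$_ssbd is not a value listed above" ;;
    esac
    return 0
}

# audit_sysctl <name> <value>
# Checks one of the sysctls documented above against its description.
audit_sysctl() {
    case "$2" in
        ''|-|*[!0-9-]*|?*-*)
            echo "FINDING: $1 has a non-numeric value"
            return 0 ;;
    esac
    case "$1" in
        kernel.perf_event_paranoid)
            # Documented default is 2; lower values open more of the perf
            # events system to users without CAP_SYS_ADMIN.
            if [ "$2" -lt 2 ]; then
                echo "FINDING: $1=$2 is below the documented default of 2"
            fi ;;
        net.core.bpf_jit_harden)
            # 0 disables hardening; 1 covers unprivileged users, 2 all users.
            if [ "$2" -eq 0 ]; then
                echo "FINDING: $1=0 leaves BPF JIT hardening disabled"
            fi ;;
    esac
    return 0
}

# CONSTRUCTED sample input. On a live system, pass "$(cat /proc/cmdline)" and
# "$(sysctl -n kernel.perf_event_paranoid)" and so on instead.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-example ro quiet hardened_usercopy=off spec_store_bypass_disable=off spec_store_bypass_disable=prctl'
audit_cmdline "$SAMPLE_CMDLINE"
audit_sysctl kernel.perf_event_paranoid -1
audit_sysctl net.core.bpf_jit_harden 0
```

In the sample command line, the second spec_store_bypass_disable value replaces the first, so only hardened_usercopy=off is reported from the boot parameters.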

Part I. New Features

This part documents new features and major enhancements introduced in Red Hat Enterprise Linux 7.6 Beta.

Chapter 4. General Updates

In-place upgrade from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7

An in-place upgrade offers a way of upgrading a system to a new major release of Red Hat Enterprise Linux by replacing the existing operating system. To perform an in-place upgrade, use the Preupgrade Assistant, a utility that checks the system for upgrade issues before running the actual upgrade, and that also provides additional scripts for the Red Hat Upgrade Tool. When you have solved all the problems reported by the Preupgrade Assistant, use the Red Hat Upgrade Tool to upgrade the system.
Note that the Preupgrade Assistant and the Red Hat Upgrade Tool are available in the Red Hat Enterprise Linux 6 Extras channel, see https://access.redhat.com/support/policy/updates/extras. (BZ#1432080)

Chapter 5. Authentication and Interoperability

Certificate System now supports additional strong ciphers by default

With this update, the following additional ciphers, which are compliant with the Federal Information Processing Standard (FIPS), are enabled by default in Certificate System:
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_GCM_SHA384
For a full list of enabled ciphers, enter:
# /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"
If you use a Hardware Security Module (HSM) with Certificate System, see the documentation of the HSM for supported ciphers. (BZ#1550786)
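
As an added example (not part of the original release notes or of Certificate System), the script below classifies the suite names listed above by key exchange and cipher mode, so that a reviewer can see which of them provide forward secrecy and authenticated encryption. It works on suite names only; the function names are illustrative, and names extracted from listsuites output are assumed to be supplied one per line.

```shell
#!/bin/sh
# Added example (not Red Hat code): classify TLS cipher suite names of the
# form TLS_<key exchange>_WITH_<cipher>_<hash>. Names in any other form
# (for example TLS 1.3 suites) are reported as unparsed.

# classify_suite NAME
# Prints "NAME kx=<key exchange> fs=<yes|no> mode=<aead|cbc|other>".
classify_suite() {
    case "$1" in
        TLS_*_WITH_*) ;;
        *) echo "$1 unparsed"; return 1 ;;
    esac
    _kx=${1#TLS_}
    _kx=${_kx%%_WITH_*}
    _cipher=${1#*_WITH_}
    case "$_kx" in
        ECDHE_*|DHE_*) _fs=yes ;;   # ephemeral Diffie-Hellman key exchange
        *)             _fs=no ;;    # for example static RSA key exchange
    esac
    case "$_cipher" in
        *_GCM_*|*_CCM*|*CHACHA20_POLY1305*) _mode=aead ;;
        *_CBC_*)                            _mode=cbc ;;
        *)                                  _mode=other ;;
    esac
    echo "$1 kx=$_kx fs=$_fs mode=$_mode"
}

# review_suites: read suite names on stdin, print one classification each.
review_suites() {
    while IFS= read -r _name; do
        [ -n "$_name" ] || continue
        classify_suite "$_name" || true
    done
}

# The ten suites listed in this section.
PAGE_SUITES='TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384'

# count_with FIELD: number of listed suites whose classification has FIELD.
count_with() {
    printf '%s\n' "$PAGE_SUITES" | review_suites | grep -c -- "$1" || true
}

printf '%s\n' "$PAGE_SUITES" | review_suites
echo "without forward secrecy: $(count_with 'fs=no')"
echo "CBC mode: $(count_with 'mode=cbc')"
```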

samba rebased to version 4.8.3

The samba packages have been upgraded to upstream version 4.8.3, which provides a number of bug fixes and enhancements over the previous version:
  • The smbd service no longer queries user and group information from Active Directory domain controllers and NT4 primary domain controllers directly. Installations with the security parameter set to ads or domain now require that the winbindd service is running.
  • The dependency on global lists of trusted domains within the winbindd process has been reduced. For installations that do not require the global list, set the winbind scan trusted domains parameter in the /etc/samba/smb.conf file to no. For more information, see the parameter's description in the smb.conf(5) man page.
  • The trust properties displayed in the output of the wbinfo -m --verbose command have been changed to correctly reflect the status of the system where the command is executed.
  • Authentication from users of a one-way trust now works correctly when using the idmap_rid and idmap_autorid ID mapping back ends.
Samba automatically updates its tdb database files when the smbd, nmbd, or winbind daemon starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
For more information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.8.0.html. (BZ#1558560)

Directory Server rebased to version 1.3.8.4

The 389-ds-base packages have been upgraded to upstream version 1.3.8.4, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

Certificate System rebased to version 10.5.9

The pki-core packages have been upgraded to upstream version 10.5.9, which provides a number of bug fixes and enhancements over the previous version. (BZ#1557569)

jss rebased to version 4.4.4

The jss packages have been upgraded to upstream version 4.4.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#1557575)

The CRMFPopClient utility supports CRMF requests without key archival

With this enhancement, users can create Certificate Request Message Format (CRMF) requests without the key archival option when using the CRMFPopClient utility. This feature increases flexibility because a Key Recovery Authority (KRA) certificate is no longer required. Previously, if the user did not pass the -b transport_certificate_file option to CRMFPopClient, the utility automatically used the KRA transport certificate stored in the transport.txt file. With this update, if -b transport_certificate_file is not specified, Certificate System creates a request without using key archival. (BZ#1585866)

Certificate System automatically applies ECC profiles when setting up root CA with ECC certificates

This update enhances Certificate System to automatically apply ECC profiles when setting up a new root CA with ECC profiles using the pkispawn utility. As a result, administrators no longer have to set the profile overwrite parameters for ECC certificates as a workaround in the configuration file passed to pkispawn when setting up a root CA. (BZ#1550742)

Certificate System now adds the SAN extension to server certificates

With this update, Certificate System adds the Subject Alternative Name (SAN) extension by default to server certificates and sets it to the Common Name (CN) of the certificate. (BZ#1562423)

A low-level API to create X.509 certificates and CRLs has been added to JSS

This enhancement adds a low-level API to the Java Security Services (JSS), which can be used to create X.509 certificates and certificate revocation lists (CRLs). (BZ#1560682)

The pam_pkcs11 module now has support for certificate chains

This update enhances the pam_pkcs11 module to support Public Key Infrastructure for X.509 (PKIX) certificate chains. This enables more complex chain processing, including multiple paths to the leaf certificate. As a result, pam_pkcs11 now validates PKIX certificate chains. (BZ#1578029)

SSSD on an IdM client can now authenticate against a specific AD site or AD DC

The System Security Services Daemon (SSSD) running on an Identity Management (IdM) client in a domain with a trust relationship with Active Directory (AD) can now be pinned to authenticate against a configured AD site or a configured set of AD Domain Controllers (DC).
Previously, SSSD relied completely on DNS SRV discovery done by libkrb5. However, this did not take AD sites into account because libkrb5 has no notion of AD sites. If the administrator wanted to pin SSSD to authenticate against a set of AD DCs, they had to set the correct Key Distribution Centre (KDC) in the /etc/krb5.conf file, which was non-intuitive.
The enhancement is especially convenient for large environments, in which modifying the /etc/krb5.conf file on each client individually was previously the only available solution. (BZ#1416528)

Chapter 6. Clustering

Pacemaker now supports path, mount, and timer systemd unit files

Previously, Pacemaker supported service and socket systemd unit files, but any other unit file type would be treated as a service unit and fail. With this release, path, mount, and timer systemd units can now be managed by a Pacemaker cluster. (BZ#1590483)

New LVM and LVM lock manager resource agents

This release supports two new resource agents: lvmlockd and LVM-activate. The LVM-activate agent provides a choice from multiple methods for LVM management throughout a cluster:
  • tagging: the same as tagging with the existing lvm resource agent
  • clvmd: the same as clvmd with the existing lvm resource agent
  • system ID: a new option for using system ID for volume group failover (an alternative to tagging).
  • lvmlockd: a new option for using lvmlockd and dlm for volume group sharing (an alternative to clvmd).
The new lvmlockd resource agent is used to start the lvmlockd daemon when LVM-activate is configured to use lvmlockd.
For information on the lvmlockd and LVM-activate resource agent, see the PCS help screens for those agents. For information on setting up LVM for use with lvmlockd, see the lvmlockd(8) man page. (BZ#1513957, BZ#1608986)

Support for Red Hat Enterprise Linux High Availability clusters on Alibaba Cloud

Red Hat Enterprise Linux 7.6 supports High Availability clusters of virtual machines (VMs) on Alibaba Cloud (Aliyun). For information on configuring a Red Hat Enterprise Linux High Availability Cluster on Alibaba Cloud, see https://access.redhat.com/articles/3467251. (BZ#1568589)

Support for Red Hat Enterprise Linux High Availability clusters on Google Compute Cloud

Red Hat Enterprise Linux 7.6 supports High Availability clusters of virtual machines (VMs) on Google Compute Cloud (GCP). For information on configuring a Red Hat Enterprise Linux High Availability Cluster on GCP, see https://access.redhat.com/articles/3479821. (BZ#1568588)

New volume_group_check_only parameter for lvm resource agent

The lvm resource agent now supports the volume_group_check_only parameter. When this parameter is set, only the volume group is checked when running a monitoring operation. Setting this parameter can be used to avoid timeouts with tagged volumes.
WARNING: This parameter should be used only when you have issues with timeouts, and when you must use the lvm resource agent and not the LVM-activate agent. (BZ#1470840)

Support for VDO resource agent

Red Hat Enterprise Linux now provides support for the vdo-vol resource agent to manage VDO (Virtual Data Optimizer) volumes as a high availability resource. (BZ#1538689)

New pcs commands to list available watchdog devices and test watchdog devices

In order to configure SBD with Pacemaker, a functioning watchdog device is required. The Red Hat Enterprise Linux 7.6 release supports the pcs stonith sbd watchdog list command to list available watchdog devices on the local node, and the pcs stonith watchdog test command to test a watchdog device. (BZ#1475318)

Chapter 7. Compiler and Tools

The Net::SMTP Perl module now supports SSL

This update adds support for implicit and explicit TLS and SSL encryption to the Net::SMTP Perl module. As a result, it is now possible to communicate with SMTP servers through a secured channel. (BZ#1557574)

The Net::LDAP Perl module no longer defaults to TLS 1.0

Previously, when the Net::LDAP Perl module was used for upgrading an unsecured LDAP connection to a TLS-protected one, the module used the TLS protocol version 1.0, which is currently considered insecure. With this update, the default TLS version has been removed from Net::LDAP, and both implicit (LDAPS schema) and explicit (LDAP schema) TLS protocols rely on the default TLS version selected in the IO::Socket::SSL Perl module. As a result, it is no longer necessary to override the TLS version in the Net::LDAP clients by passing the sslversion argument to the start_tls() method to preserve security. (BZ#1520364)

timemaster now supports bonding devices

The timemaster program can be used to synchronize the system clock to all available time sources when there are multiple PTP domains available on the network, or when a fallback to NTP is needed.
This update adds the possibility to specify bonding devices in the active-backup mode in the timemaster configuration file. timemaster now checks if the active interface supports software or hardware timestamping and starts ptp4l on the bonding interface. (BZ#1549015)

pcp rebased to version 4.1.0

The pcp packages have been upgraded to upstream version 4.1.0 of Performance Co-Pilot, which provides a number of bug fixes and enhancements over the previous version:
  • Added a size-based interim compression to the pmlogger_check(1) script to reduce data volume sizes on systems configured via the pcp-zeroconf package.
  • Daily compressed archive metadata files.
  • Changed metric labels to first class PCP metric metadata.
  • Metric help text and labels are now stored in PCP archives.
  • Added more Linux kernel metrics: virtual machines, TTYs, aggregate interrupt and softirq counters, af_unix/udp/tcp connection (inet/ipv6), VFS locking, login sessions, AIO, capacity per block device, and others.
  • Performance Metrics Application Programming Interface (PMAPI) and the Performance Metrics Domain Agent (PMDA) API have been refactored, including promotion and deprecation of individual functions.
  • Added new virtual data optimizer (VDO) metrics to pmdadm(1).
  • Improved integration with Zabbix agentd service with further low-level-discovery support in the pcp2zabbix(1) function.
  • Added a new PMDA pmdabcc(1) for exporting BCC and eBPF trace instrumentation.
  • Added a new PMDA pmdaprometheus(1) to consume metrics from Prometheus end-points. (BZ#1565370)

Chapter 8. Desktop

The pcsc-lite-ccid driver now has support for new smart card readers

Previously, the pcsc-lite-ccid driver did not detect certain smart card readers. This enhancement adds the USB-ID values of these readers to the driver. As a result, pcsc-lite-ccid now detects the smart card readers in the described scenario.
Note that Red Hat did not test the smart card readers whose USB-ID values have been added. (BZ#1558258)

The sane-backends package is now built with systemd support

Scanner Access Now Easy (SANE) is a universal scanner interface whose back-end and library features are provided by the sane-backends package. This update brings the following changes to SANE:
  • The sane-backends package is built with systemd support.
  • The saned daemon can be run without the need to create unit files manually, because these files are now shipped with sane-backends. (BZ#1512252)

Chapter 9. File Systems

The CephFS kernel client is fully supported with Red Hat Ceph Storage 3

The Ceph File System (CephFS) kernel module enables Red Hat Enterprise Linux nodes to mount Ceph File Systems from Red Hat Ceph Storage clusters. The kernel client in Red Hat Enterprise Linux is a more efficient alternative to the Filesystem in Userspace (FUSE) client included with Red Hat Ceph Storage. Note that the kernel client currently lacks support for CephFS quotas.
The CephFS kernel client was introduced in Red Hat Enterprise Linux 7.3 as a Technology Preview, and since the release of Red Hat Ceph Storage 3, CephFS is fully supported.
For more information, see the Ceph File System Guide for Red Hat Ceph Storage 3: https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html/ceph_file_system_guide/. (BZ#1205497)

XFS now supports modifying labels on mounted file systems

You can now modify the label attribute of mounted XFS file systems using the xfs_io utility:
# xfs_io -c "label new-label" /mount-point
Previously, it was only possible to modify labels on unmounted file systems using the xfs_admin utility, which is still supported. (BZ#1322930)

pNFS SCSI layout is now fully supported for client and server

Client and server support for parallel NFS (pNFS) SCSI layouts is now fully supported. It was first introduced in Red Hat Enterprise Linux 7.3 as a Technology Preview.
Building on the work of block layouts, the pNFS layout is defined across SCSI devices and contains sequential series of fixed-size blocks as logical units that must be capable of supporting SCSI persistent reservations. The Logical Unit (LU) devices are identified by their SCSI device identification, and fencing is handled through the assignment of reservations. (BZ#1305092)

ima-evm-utils is now fully supported on AMD64 and Intel 64

The ima-evm-utils package is now fully supported when used on the AMD64 and Intel 64 architecture. Note that on other architectures, ima-evm-utils remains in Technology Preview.
The ima-evm-utils package provides utilities to label the file system and verify the integrity of your system at run time using the Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) features. These utilities enable you to monitor if files have been accidentally or maliciously altered. (BZ#1627278)

Chapter 10. Installation and Booting

A new network-scripts option: IFDOWN_ON_SHUTDOWN

This update adds the IFDOWN_ON_SHUTDOWN option for network-scripts. Setting this option to yes, true, or leaving it empty has no effect. If you set this option to no, or false, it causes the ifdown calls to not be issued when stopping or restarting the network service.
This can be useful in situations where NFS (or other network file system) mounts are in a stale state, because the network was shut down before the mount was cleanly unmounted. (BZ#1583677)

Improved content of error messages in network-scripts

The network-scripts now display more verbose error messages when the installation of bonding drivers fails. (BZ#1542514)

Booting from an iSCSI device that is not configured using iBFT is now supported

This update provides a new installer boot option inst.nonibftiscsiboot that supports the installation of boot loader on an iSCSI device that has not been configured in the iSCSI Boot Firmware Table (iBFT).
This update helps in the use case where the iSCSI device is not configured in the iBFT for installation but is added manually by using the iscsi Kickstart command or the installer GUI, and where the installed system is booted from the iSCSI device by using the iPXE boot-from-SAN feature rather than the iBFT. (BZ#1562301)

Installing and booting from NVDIMM devices is now supported

Prior to this update, Nonvolatile Dual Inline Memory Module (NVDIMM) devices in any mode were ignored by the installer.
With this update, kernel improvements to support NVDIMM devices provide improved system performance capabilities and enhanced file system access for write-intensive applications like database or analytic workloads, as well as reduced CPU overhead.
This update introduces support for:
  • The use of NVDIMM devices for installation using the nvdimm Kickstart command and the GUI, making it possible to install and boot from NVDIMM devices in sector mode and reconfigure NVDIMM devices into sector mode during installation.
  • The extension of Kickstart scripts for Anaconda with commands for handling NVDIMM devices.
  • The ability of grub2, efibootmgr, and efivar system components to handle and boot from NVDIMM devices. (BZ#1612965, BZ#1280500, BZ#1590319, BZ#1558942)

kernel.shmmax and kernel.shmall updated to kernel defaults on IBM z Systems

Previously, applications that required a large amount of memory in some cases terminated unexpectedly due to low values of the kernel.shmmax and kernel.shmall parameters on IBM z Systems. This update aligns the values of kernel.shmmax and kernel.shmall with kernel defaults, which helps avoid the described crashes. (BZ#1493069)

Chapter 11. Kernel

The kdump FCoE target has been added into the kexec-tools documents

This update adds the kdump Fibre Channel over Ethernet (FCoE) target into the kexec-tools documents. As a result, users now have a better understanding of the state and details of kdump on FCoE target support. (BZ#1352763)

The ipset comment extension is now supported

This update adds the ipset comment extension. This enables you to add entries with a comment. For more information, see the ipset(8) man page. (BZ#1496859)

NVMe driver rebased to version 4.17-rc1

The NVMe driver has been rebased to upstream version 4.17-rc1, which provides a number of bug fixes and enhancements over the previous version. Notable changes are as follows:
  • added error handling improvements for Nonvolatile Memory Express (NVMe) over Remote Direct Memory Access (RDMA)
  • added fixes for keeping connections over the RDMA transport alive
Note that the driver does not support the Data Integrity Field/Data Integrity Extension (DIF/DIX) Protection Information implementation, and does not support multipathing over NVMe-over-Fabrics transport. (BZ#1515584)

The SCHED_DEADLINE scheduler class enabled

This update adds support for the SCHED_DEADLINE scheduler class for the Linux kernel. The scheduler enables predictable task scheduling based on application deadlines. SCHED_DEADLINE benefits periodic workloads by guaranteeing timing isolation, which is not based only on a fixed priority but also on the applications' timing requirements. (BZ#1344565)

User mount namespaces now fully supported

The mount namespaces feature, previously available as a Technology Preview, is now fully supported. (BZ#1350553)

NVMe-FC is now supported in Initiator mode with Broadcom adapters

The NVMe over Fibre Channel (NVMe-FC) transport type is now fully supported in Initiator mode when used with Broadcom 32Gbit adapters.
NVMe over Fibre Channel is an additional fabric transport type for the Nonvolatile Memory Express (NVMe) protocol, in addition to the Remote Direct Memory Access (RDMA) protocol that was previously introduced in Red Hat Enterprise Linux.
To enable NVMe over Fibre Channel in the lpfc driver, edit the /etc/modprobe.d/lpfc.conf file and add the following option:
lpfc_enable_fc4_type=3
This feature was introduced as a Technology Preview in Red Hat Enterprise Linux 7.5. The Target mode and drivers other than lpfc still remain in Technology Preview. See the Technology Previews part for more information.
Please test NVMe-FC during the Red Hat Enterprise Linux 7.6 Beta phase, and provide test results through your Red Hat technical support channel. (BZ#1584753)

Updated aQuantia Corporation atlantic Network driver

The aQuantia Corporation Network driver (atlantic.ko.xz) has been updated to version 2.0.2.1-kern and it is now fully supported. (BZ#1451438)

Chapter 12. Real-Time Kernel

About Red Hat Enterprise Linux for Real Time Kernel

The Red Hat Enterprise Linux for Real Time Kernel is designed to enable fine-tuning for systems with extremely high determinism requirements. The major increase in the consistency of results can, and should, be achieved by tuning the standard kernel. The real-time kernel enables gaining a small increase on top of the increase achieved by tuning the standard kernel.
The real-time kernel is available in the rhel-7-server-rt-rpms repository. The Installation Guide contains the installation instructions and the rest of the documentation is available at Product Documentation for Red Hat Enterprise Linux for Real Time.

kernel-rt sources updated

The kernel-rt sources have been upgraded to be based on the latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and enhancements over the previous version. (BZ#1553351)

The SCHED_DEADLINE scheduler class fully supported

The SCHED_DEADLINE scheduler class for the real-time kernel, which was introduced in Red Hat Enterprise Linux 7.4 as a Technology Preview, is now fully supported. The scheduler enables predictable task scheduling based on application deadlines. SCHED_DEADLINE benefits periodic workloads by guaranteeing timing isolation, which is based not only on a fixed priority but also on the applications' timing requirements. (BZ#1297061)

Chapter 13. Networking

Support for the libnftnl and nftables packages

The nftables and libnftnl packages, previously available as a Technology Preview, are now supported.
The nftables packages provide a packet-filtering tool, with numerous improvements in convenience, features, and performance over previous packet-filtering tools. It is the designated successor to the iptables, ip6tables, arptables, and ebtables utilities.
The libnftnl packages provide a library for low-level interaction with nftables Netlink API over the libmnl library. (BZ#1332585)

ECMP fib_multipath_hash_policy support added to the kernel for IPv4 packets

This update adds support for Equal-cost multi-path routing (ECMP) hash policy choice using fib_multipath_hash_policy, a new sysctl setting that controls which hash policy to use for multipath routes. When fib_multipath_hash_policy is set to 1, the kernel performs L4 hash, which is a multipath hash for IPv4 packets according to a 5-tuple (source IP, source port, destination IP, destination port, IP protocol type) set of values. When fib_multipath_hash_policy is set to 0 (default), only L3 hash is used (the source and destination IP addresses).
Note that if you enable fib_multipath_hash_policy, the Internet Control Message Protocol (ICMP) error packets are not hashed according to the inner packet headers. This is a problem for anycast services as the ICMP packet can be delivered to the incorrect host. (BZ#1511351)

Support for hardware time stamping on VLAN interfaces

This update adds hardware time stamping on VLAN interfaces (driver dp83640 is excluded). This allows applications, such as linuxptp, to enable hardware time stamping. (BZ#1520356)

Support for specifying speed and duplex 802-3-ethernet properties when 802-3-ethernet.auto-negotiation is enabled

Previously, when 802-3-ethernet.auto-negotiation was enabled on an Ethernet connection, all the 'speed' and 'duplex' modes supported by the Network Interface Card (NIC) were advertised. The only option to enforce a specific 'speed' and 'duplex' mode was to disable 802-3-ethernet.auto-negotiation and set 802-3-ethernet.speed and 802-3-ethernet.duplex properties. This was not correct because the 1000BASE-T and 10GBASE-T Ethernet standards require auto-negotiation to be always enabled. With this update, you can enable a specific speed and duplex when auto-negotiation is enabled. (BZ#1487477)

Support for changing the DUID for IPv6 DHCP connections

With this update, users can configure the DHCP Unique Identifier (DUID) in NetworkManager to get an IPv6 address from a Dynamic Host Configuration Protocol (DHCP) server. As a result, users can now specify the DUID for DHCPv6 connections using the new property, ipv6.dhcp-duid. For more details on values set for ipv6.dhcp-duid, see the nm-settings(5) man page. (BZ#1414093)

ipset rebased to Linux kernel version 4.17

The ipset kernel component has been upgraded to upstream Linux kernel version 4.17 which provides a number of enhancements and bug fixes over the previous version. Notable changes include:
  • The following ipset types are now supported:
      • hash:net,net
      • hash:net,port,net
      • hash:ip,mark
      • hash:mac
      • hash:ip,mac (BZ#1557599)

ipset (userspace) rebased to version 6.38

The ipset (userspace) package has been upgraded to upstream version 6.38, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • The userspace ipset is now aligned to the Red Hat Enterprise Linux (RHEL) kernel ipset implementation in terms of supported ipset types
  • A new type of set, hash:ipmac, is now supported (BZ#1557600)

firewalld rebased to version 0.5.3

The firewalld service daemon has been upgraded to upstream version 0.5.3, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • Added the --check-config option to verify sanity of configuration files.
  • Generated interfaces such as docker0 are now correctly re-added to zones after firewalld restarts.
  • A new IP set type, hash:mac, is now supported. (BZ#1554993)

radvd rebased to version 2.17

The router advertisement daemon (radvd) has been upgraded to version 2.17. The most notable change is that now radvd supports the selection of router advertisements source address. As a result, connection tracking no longer fails when the router's address is moved between hosts or firewalls. (BZ#1475983)

The default version for SMB now is auto-negotiated to the highest supported versions, SMB2 or SMB3

With this update, the default version of the Server Message Block (SMB) protocol has been changed from SMB1 to be auto-negotiated to the highest supported versions SMB2 or SMB3. Users can still choose to explicitly mount with the less secure SMB1 dialect (for old servers) by adding the vers=1.0 option on the Common Internet File System (CIFS) mount.
Note that SMB2 or SMB3 do not support Unix Extensions. Users that depend on Unix Extensions need to review the mount options and ensure that vers=1.0 is used. (BZ#1471950)

position in an add or insert rule is replaced by 'handle' and 'index'

With this update of the nftables packages, the 'position' parameter in an add or insert rule has been deprecated and replaced by the 'handle' and 'index' arguments. This syntax is more consistent with the replace and delete commands. (BZ#1571968)

Chapter 14. Security

Clevis now supports TPM 2.0

With this update, the Clevis pluggable framework for Network-Bound Disk Encryption (NBDE) also supports clients that encrypt using a Trusted Platform Module 2.0 (TPM 2.0) chip. For more information and the list of possible configuration properties, see the clevis-encrypt-tpm2(1) man page.
Note that this feature is available only on systems with the 64-bit Intel or 64-bit AMD architecture. (BZ#1472435)

gnutls rebased to 3.3.29

The GNU Transport Layer Security (GnuTLS) library has been upgraded to upstream version 3.3.29, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • Improved the PKCS#11 cryptographic token interface for hardware security modules (HSMs): added DSA support in p11tool and fixed key import in certain Atos HSMs.
  • Improved counter-measures for the TLS Cipher Block Chaining (CBC) record padding. The previous counter-measures had certain issues and were insufficient when the attacker had access to the CPU cache and performed a chosen-plaintext attack (CPA).
  • Disabled the legacy HMAC-SHA384 cipher suites by default. (BZ#1561481)

audit rebased to 2.8.4

The audit packages have been upgraded to upstream version 2.8.4, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • Added support for dumping internal state. You can now run the service auditd state command to see information about the Audit daemon.
  • Added support for the SOFTWARE_UPDATE event generated by the rpm and yum tools.
  • Allowed unlimited retries during a remote logging startup. This helps to start even if the aggregating server is not running when a client is booted.
  • Improved IPv6 remote logging. (BZ#1559032)

RPM now provides audit events

With this update, the RPM Package Manager (RPM) provides audit events. The information that a software package is installed or updated is important for system analysis with the Linux Audit system. RPM now creates a SOFTWARE_UPDATE audit event whenever a package is installed or upgraded by the root user. (BZ#1555326)

SELinux now supports extended_socket_class

This update introduces the extended_socket_class policy capability that enables a number of new SELinux object classes to support all of the known network socket address families. It also enables the use of separate security classes for Internet Control Message Protocol (ICMP) and Stream Control Transmission Protocol (SCTP) sockets, which were previously mapped to the rawip_socket class. (BZ#1564775, BZ#1427553)

selinux-policy now checks file permissions when mmap() is used

This release introduces a new permission check on the mmap() system call. The purpose of a separate map permission check on mmap() is to permit policy to prohibit memory mapping of specific files for which you need to ensure that every access is revalidated. This is useful for scenarios where you expect the files to be relabeled at run-time to reflect state changes, for example, in a cross-domain solution or an assured pipeline without data copying.
To use this functionality, enable the domain_can_mmap_files SELinux boolean. (BZ#1460322)

The RHEL7 DISA STIG profile now matches STIG Version 1, Release 4

With this update of the SCAP Security Guide project, the RHEL7 Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) profile is aligned with STIG Version 1, Release 4. Note that certain rules do not contain an automated check or fix. (BZ#1443551)

AES-GCM operations with OpenSSL are now faster on IBM z14

This update introduces support for additional acceleration of cryptographical operations with new CP Assist for Cryptographic Functions (CPACF) instructions available on IBM z14 systems. As a result, AES-GCM operations with the OpenSSL library are now executed faster on IBM z14 and later hardware. (BZ#1519396)

Chapter 15. Servers and Services

The pcsc-lite interface now supports up to 32 devices

In Red Hat Enterprise Linux 7.6, the number of devices the pcsc-lite smart card interface supports has been increased from 16 to 32. (BZ#1516993)

tuned rebased to version 2.10.0

The tuned packages have been rebased to upstream version 2.10.0, which provides a number of bug fixes and enhancements over the previous version.
Notable changes include:
  • an added mssql profile (shipped in a separate tuned-profiles-mssql subpackage)
  • the tuned-adm tool now displays a relevant log snippet in case of error
  • fixed verification of a CPU mask on systems with more than 32 cores (BZ#1546598)

The STOU FTP command has an improved algorithm for generating unique file names

The STOU FTP command allows transferring files to the server and storing them with unique file names. Previously, the STOU command created the names of the files by taking the file name, supplied as an argument to the command, and adding a numerical suffix and incrementing the suffix by one. In some cases, this led to a race condition. Subsequently the scripts which used STOU to upload files with the same file name could fail. This update modifies STOU to create unique file names in a way which helps to avoid the race condition and improves the functioning of scripts that use STOU. To enable the improved algorithm for generating unique file names using STOU, enable the better_stou option in the configuration file (usually /etc/vsftpd/vsftpd.conf) by adding the following line:
better_stou=YES (BZ#1479237)
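
The race described above is a check-then-create pattern: the name is chosen in one step and the file is created in another. The following Python example is added here for illustration; it is not vsftpd code and does not describe how better_stou is implemented. The function names and the ".N" suffix format are assumptions.

```python
import os
import tempfile


def candidate_names(base):
    """Yield base, base.1, base.2, ... (suffix format assumed for illustration)."""
    yield base
    n = 1
    while True:
        yield "%s.%d" % (base, n)
        n += 1


def pick_name_racy(directory, base):
    """Check-then-create: return the first name that does not exist yet.

    Nothing reserves the name, so two sessions that both call this before
    either one creates its file receive the same answer.
    """
    for name in candidate_names(base):
        if not os.path.exists(os.path.join(directory, name)):
            return name


def create_unique(directory, base, mode=0o600):
    """Reserve a name atomically with O_CREAT | O_EXCL.

    The open fails with EEXIST if the name is already taken, so the
    existence test and the creation happen as a single step.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    for name in candidate_names(base):
        try:
            fd = os.open(os.path.join(directory, name), flags, mode)
        except FileExistsError:
            continue  # taken by another session: try the next suffix
        return name, fd


def simulate_two_uploads(directory, base="report.csv"):
    """Interleave two uploads of the same base name deterministically."""
    # Racy: both sessions choose a name before either one creates its file.
    racy = (pick_name_racy(directory, base), pick_name_racy(directory, base))
    # Atomic: each call creates the file it names, so the second call moves on.
    name_a, fd_a = create_unique(directory, base)
    name_b, fd_b = create_unique(directory, base)
    os.close(fd_a)
    os.close(fd_b)
    return racy, (name_a, name_b)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(simulate_two_uploads(d))
```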

Chapter 16. Storage

DM Multipath now enables blacklisting or whitelisting paths by protocol

Device Mapper Multipath (DM Multipath) now supports the protocol configuration option in the blacklist and blacklist_exceptions configuration sections. This enables you to blacklist or whitelist paths based on the protocol they use, such as scsi or nvme. For SCSI devices, you can also specify the transport: for example scsi:fcp or scsi:iscsi. (BZ#1593459)

New %0 wildcard added for the multipathd show paths format command to show path failures

The multipathd show paths format command now supports the %0 wildcard to display path failures. Support for this wildcard makes it easier for users to track which paths have been failing in a multipath device. (BZ#1554516)

New all_tg_pt multipath configuration option

There is a new multipath.conf defaults and devices section option, all_tg_pt, which defaults to no. If this option is set to yes, when mpathpersist registers keys it will treat a key registered from one host to one target port as going from one host to all target ports. Some arrays, notably the EMC VNX, treat reservations as between one host and all target ports. Without mpathpersist working the same way, it would give reservation conflicts. (BZ#1541116)

Chapter 17. System and Subscription Management

cockpit rebased to version 173

The cockpit packages, which provide the Cockpit browser-based administration console, have been upgraded to version 173. This version provides a number of bug fixes and enhancements. Notable changes include:
  • The menu and navigation can now work with mobile browsers.
  • Cockpit now supports alternate Kerberos keytabs for Cockpit's web server, which enables configuration of Single Sign-On (SSO).
  • Automatic setup of Kerberos keytab for Cockpit web server.
  • Automatic configuration of SSO with FreeIPA for Cockpit is possible.
  • Cockpit requests FreeIPA SSL certificate for Cockpit's web server.
  • Cockpit shows available package updates and missing registrations on system front page.
  • A Firewall interface has been added.
  • The flow control to avoid user interface hangs and unbounded memory usage for big file downloads has been added.
  • Terminal issues in Chrome have been fixed.
  • Cockpit now properly localizes numbers, times and dates.
  • Subscriptions page hang when accessing as a non-administrator user has been fixed.
  • Log in is now localized properly.
  • The check for root privilege availability has been improved to work for FreeIPA administrators as well. (BZ#1568728, BZ#1495543, BZ#1442540, BZ#1541454, BZ#1574630)

reposync now by default skips packages whose location falls outside the destination directory

Previously, the reposync command did not sanitize paths to packages specified in a remote repository, which was insecure. A security fix for CVE-2018-10897 has changed the default behavior of reposync to not store any packages outside the specified destination directory. To restore the original insecure behavior, use the new --allow-path-traversal option. (BZ#1609302)
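
The containment check that this kind of fix relies on can be written as follows. This is an added example, not reposync's own code; the function names and the sample package locations are constructed for illustration.

```python
import os


class UnsafeLocation(ValueError):
    """Raised when a repository-supplied location resolves outside destdir."""


def resolve_inside(destdir, location):
    """Return the absolute path for `location`, or raise UnsafeLocation.

    `location` is untrusted metadata from the remote repository. The check
    is made on the fully resolved path because:
      * "../" components can climb out of destdir,
      * os.path.join() discards destdir when location is absolute,
      * a symlink already present under destdir can point elsewhere.
    """
    base = os.path.realpath(destdir)
    candidate = os.path.realpath(os.path.join(base, location))
    # commonpath compares whole path components, so /srv/mirror-old is not
    # mistaken for a child of /srv/mirror as a plain prefix test would do.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafeLocation(location)
    return candidate


def partition_locations(destdir, locations):
    """Split locations into (accepted, skipped), skipping unsafe ones."""
    accepted, skipped = [], []
    for location in locations:
        try:
            accepted.append((location, resolve_inside(destdir, location)))
        except UnsafeLocation:
            skipped.append(location)
    return accepted, skipped


# Constructed sample input: package locations as a repository might list them.
SAMPLE_LOCATIONS = [
    "Packages/a/app-1.0-1.el7.x86_64.rpm",        # stays inside
    "../outside/app-1.0-1.el7.x86_64.rpm",        # climbs out with ../
    "/tmp/app-1.0-1.el7.x86_64.rpm",              # absolute path
    "Packages/../../app-1.0-1.el7.x86_64.rpm",    # climbs out after descending
    "Packages/./b/../lib-2.1-3.el7.noarch.rpm",   # odd but stays inside
]


if __name__ == "__main__":
    ok, skipped = partition_locations("/srv/mirror", SAMPLE_LOCATIONS)
    for location, path in ok:
        print("store", location, "->", path)
    for location in skipped:
        print("skip ", location)
```

Skipping rather than aborting mirrors the default behavior the note describes: packages whose location falls outside the destination directory are not stored.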

Chapter 18. Virtualization

virt-v2v converts virtual machine CPU topology

With this update, the virt-v2v utility preserves the CPU topology of the converted virtual machines (VMs). This ensures that the VM CPU works the same way after the conversion as it did before the conversion, which avoids potential runtime problems. (BZ#1541908)

virt-v2v can import virtual machines directly to RHV

The virt-v2v utility is now able to output a converted virtual machine (VM) directly to a Red Hat Virtualization (RHV) client. As a result, importing VMs converted by virt-v2v using the Red Hat Virtualization Manager (RHVM) is now easier, faster, and more reliable.
Note that this feature requires RHV version 4.2 or later to work properly. (BZ#1557273)

The i6300esb watchdog is now supported by libvirt

With this update, the libvirt API supports the i6300esb watchdog device. As a result, KVM virtual machines can use this device to automatically trigger a specified action, such as saving a core dump of the guest if the guest OS becomes unresponsive or terminates unexpectedly. (BZ#1447169)

Paravirtualized clock added to Red Hat Enterprise Linux VMs

With this update, the paravirtualized sched_clock() function has been integrated in the Red Hat Enterprise Linux kernel. This improves the performance of Red Hat Enterprise Linux virtual machines (VMs) running on VMware hypervisors.
Note that the function is enabled by default. To disable it, add the no-vmw-sched-clock option to the kernel command line. (BZ#1507027)

VNC console is supported on IBM z Systems

This update enables the virtio-gpu kernel configuration in guests running on the IBM z System architecture. As a result, KVM guests on an IBM z System host are now able to use the VNC console to display their graphical output. (BZ#1570090)

QEMU Guest Agent diagnostics enhanced

To maintain qemu-guest-agents compatibility with the latest version of VDSM, a number of features have been backported from the most recent upstream version.
These include the addition of qemu-get-host-name, qemu-get-users, qemu-get-osinfo, and qemu-get-timezone commands, which improve the diagnostic capabilities of QEMU Guest Agent. (BZ#1569013)

GPU-based mediated devices now support the VNC console

The Virtual Network Computing (VNC) console is now supported for use with GPU-based mediated devices, such as the NVIDIA vGPU technology. As a result, it is now possible to use these mediated devices for real-time rendering of a virtual machine's graphical output. (BZ#1475770)

Chapter 19. Atomic Host and Containers

Red Hat Enterprise Linux Atomic Host

Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers. See the Atomic Host and Containers Release Notes for the latest new features, known issues, and Technology Previews.

Chapter 20. Red Hat Software Collections

Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures, the 64-bit ARM architecture, IBM z Systems, and IBM POWER, little endian. Certain components are available also for all supported releases of Red Hat Enterprise Linux 6 on AMD64 and Intel 64 architectures.
Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Red Hat Developer Toolset is included as a separate Software Collection.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can choose which package version they want to run at any time.

Important

Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.

Part II. Notable Bug Fixes

This part describes bugs fixed in Red Hat Enterprise Linux 7.6 Beta that have a significant impact on users.

Chapter 21. Authentication and Interoperability

Directory Server now supports certificates with all ciphers supported by NSS

Due to a restriction in Directory Server, administrators could only use RSA and Fortezza ciphers. As a consequence, certificates created with a different cipher, such as ECC certificates, were not supported. This update removes this restriction. As a result, administrators can now use certificates with all ciphers supported by the underlying Network Security Services (NSS) database when configuring TLS in Directory Server. (BZ#1582747)

Directory Server correctly generates the CSN

In a Directory Server replication topology, updates are managed by using Change Sequence Numbers (CSN) based on time stamps. New CSNs must be higher than the highest CSN present in the replica update vector (RUV). In case the server generates a new CSN in the same second as the most recent CSN, the sequence number is increased to ensure that it is higher. However, if the most recent CSN and the new CSN were identical, the sequence number was not increased. In this situation, the new CSN was, except the replica ID, identical to the most recent one. As a consequence, a new update in the directory appeared in certain situations older than the most recent update. With this update, Directory Server increases the CSN if the sequence number is lower or equal to the most recent one. As a result, new updates are no longer considered older than the most recent data. (BZ#1559945)
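
The ordering problem described above can be reproduced with a simplified model. This is an added example, not Directory Server code: it assumes a CSN is compared by time stamp, then sequence number, then replica ID, covers only the same-second case from the text, and uses constructed values.

```python
from collections import namedtuple

# Simplified CSN. Tuples compare field by field in this order, which is the
# comparison order this example assumes.
CSN = namedtuple("CSN", ["timestamp", "seqnum", "replica_id"])


def next_csn(now, local_seq, replica_id, ruv_max, fixed=True):
    """Generate the CSN for a local update, given the highest CSN in the RUV.

    Only the same-second case is modelled. With fixed=False the sequence
    number is bumped only when it is lower than the RUV's (the behavior
    before the fix); with fixed=True it is bumped when lower or equal.
    """
    seq = local_seq
    if now == ruv_max.timestamp:
        if fixed:
            behind = seq <= ruv_max.seqnum
        else:
            behind = seq < ruv_max.seqnum
        if behind:
            seq = ruv_max.seqnum + 1
    return CSN(now, seq, replica_id)


def appears_older(csn, ruv_max):
    """True if a freshly generated CSN sorts before the most recent one."""
    return csn < ruv_max


def compare_outcomes(ruv_max, now, local_seq, replica_id):
    """Return (csn_before_fix, csn_after_fix) for the same local update."""
    return (
        next_csn(now, local_seq, replica_id, ruv_max, fixed=False),
        next_csn(now, local_seq, replica_id, ruv_max, fixed=True),
    )


if __name__ == "__main__":
    # Constructed values: most recent CSN came from replica 2.
    ruv_max = CSN(1530000000, 5, 2)
    before, after = compare_outcomes(ruv_max, 1530000000, 5, replica_id=1)
    print(before, "older than RUV max:", appears_older(before, ruv_max))
    print(after, "older than RUV max:", appears_older(after, ruv_max))
```

Under the assumed comparison order, the pre-fix result sorts as older only when the local replica ID is lower than the one in the most recent CSN, which is consistent with the problem appearing only in certain situations.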

The client-cert-request utility no longer fails to create CSRs for ECC certificates

Previously, the generatePkcs10Request method in the Certificate System's client-cert-request utility failed to map the curve and length parameters. Consequently, the utility failed to create certificate signing requests (CSR) for Elliptic Curve Cryptography (ECC) certificates. The problem has been fixed. As a result, using client-cert-request for creating CSRs for ECC certificates works as expected. (BZ#1549632)

The pkiconsole utility no longer accepts ACLs with an empty expression

The Certificate System server rejects saving invalid access control lists (ACL). As a consequence, when saving an ACL with an empty expression, the server rejected the update and the pkiconsole utility displayed a StringIndexOutOfBoundsException error. With this update, the utility rejects empty ACL expressions. As a result, invalid ACLs cannot be saved and the error is no longer displayed. (BZ#1546708)

CMC CRMF requests using ECC keys work correctly

Previously, during verification, Certificate System encoded the ECC public key incorrectly in CMC Certificate Request Message Format (CRMF) requests. As a consequence, requesting an ECC certificate with Certificate Management over CMS (CMC) in CRMF failed. The problem has been fixed, and as a result, CMC CRMF requests using ECC keys work as expected. (BZ#1580394)

Installing Certificate System subsystems with ECC keys no longer fails

Previously, due to a bug in the Certificate System installation procedure, installing a Key Recovery Authority (KRA) with ECC keys failed. To fix the problem, the installation process has been updated to handle both RSA and ECC subsystems automatically. As a result, installing subsystems with ECC keys no longer fails. (BZ#1568615)

The Certificate System installation no longer fails on hosts with multiple IP addresses

Previously, if Certificate System was installed on a host whose host name resolves to multiple IP addresses and one of them was not responding, the installation failed due to an incorrect timeout. This update sets the timeout on connection attempts during the installation. As a result, if the selected IP address is not reachable, the connection times out, the installer starts another attempt, and the installation succeeds. (BZ#1515759)

Directory Server clients are no longer randomly restricted by anonymous resource limits

Previously, Directory Server did not remember when the first operation, bind, or a connection was started. As a consequence, in certain situations, the server applied anonymous resource limits to an authenticated client. With this update, Directory Server properly marks authenticated client connections. As a result, it applies the correct resource limits, and authenticated clients no longer get randomly restricted by anonymous resource limits. (BZ#1515190)

Thread processing in Directory Server has been serialized

On an incoming replicated session, a replicated operation must only be processed when the previous one is completed. In certain situations, the thread which processed the start session operation continued to read and process replicated operations. Consequently, two replicated operations ran in parallel, which led to inconsistencies, such as a completed child add operation before the parent entry was added. With this update, the thread processing the start session operation no longer processes further operations, even if some are available in the read buffer. As a result, the inconsistencies no longer occur in the mentioned scenario. (BZ#1552698)

Deleting the memberOf attribute in Directory Server works correctly

If an administrator moves a group in Directory Server from one subtree to another, the memberOf plug-in deletes the memberOf attribute with the old value and adds a new memberOf attribute with the new group's distinguished name (DN) in affected user entries. Previously, if the old subtree was not within the scope of the memberOf plug-in, deleting the old memberOf attribute failed because the values did not exist. As a consequence, the plug-in did not add the new memberOf value, and the user entry contained an incorrect memberOf value. With this update, the plug-in now checks the return code when deleting the old value. If the return code is no such value, the plug-in only adds the new memberOf value. As a result, the memberOf attribute information is correct. (BZ#1551071)

The PBKDF2_SHA256 password storage scheme can now be used in Directory Server

If a Red Hat Directory Server instance was installed using version 10.1.0 or earlier and subsequently updated, the update script did not enable the Password-Based Key Derivation Function version 2 (PBKDF2) plug-in. As a consequence, the PBKDF2_SHA256 password storage scheme could not be used in the nsslapd-rootpwstoragescheme and passwordStorageScheme parameter. This update automatically enables the plug-in. As a result, administrators can now use the PBKDF2_SHA256 password storage scheme. (BZ#1576485)

Directory Server no longer crashes when removing connections from an active list

Directory Server manages established connections in an active list. When a thread flags a connection for closing, the server waits until there are no active threads left on the connection to remove the connection from the active list. In certain situations, the number of active threads is less than the actual number of threads. In this scenario, Directory Server moves the connection out of the active list and flags it as invalid. Another remaining thread which detects that the connection is invalid also attempts to remove it from the active list. However, the code that removes the connection from the active list expects that the connection has valid list pointers. If the pointers are invalid because the connection is not on the active list, Directory Server terminates unexpectedly. With this update, the server checks that the list pointers are valid before using them. As a result, the server no longer crashes when attempting to remove a connection from the active list. (BZ#1566444)

The Disk Monitoring feature shuts down Directory Server on low disk space

Due to changes in the way Directory Server sets the error log level, the Disk Monitoring feature in Directory Server failed to detect that the error log level was set to the default level. As a consequence, Directory Server did not correctly shut down when the file system was full. The way the Disk Monitoring feature checks the error level has been updated. As a result, Disk Monitoring now correctly shuts down the server if the disk space is low. (BZ#1568462)

Directory Server no longer logs a warning when searching a non-existent DN in entrydn attributes

Previously, searches for a non-existent distinguished name (DN) set in the entrydn attribute caused Directory Server to log a warning in the error log. With this update, the server correctly handles situations when an entrydn attribute fails to find a match. As a result, the server no longer logs a misleading warning. (BZ#1570033)

The pwdhash utility no longer crashes when using the CRYPT password storage scheme

Previously, the pwdhash utility used an invalid mutex lock when creating a hash using the CRYPT password storage scheme. As a consequence, pwdhash failed with a segmentation fault error. With this update, the utility uses the re-entrant form of the crypt() function that does not require a lock. As a result, pwdhash no longer crashes when using the CRYPT password storage scheme. (BZ#1570649)

The Directory Server Pass-through plug-in now supports encrypted connections using the STARTTLS command

Previously, the Pass-through plug-in in Directory Server did not support encrypted connections if the encryption was started using the STARTTLS command. The problem has been fixed, and the Pass-through plug-in now supports connections that use the STARTTLS command. (BZ#1581737)

Using the password policy feature works correctly if chain on update is enabled

On a Directory Server read-only consumer, the Password must be changed after reset password policy setting was not enforced because the flag for marking the user that must change their password is set on the connection itself. If this setting was used with the chain on update feature, the flag was lost. As a consequence, the password policy feature did not work. With this update, the server sets the flag on chain on update connections properly. As a result, the password policy feature works correctly. (BZ#1582092)

Improved performance when the fine-grained password policy is enabled in Directory Server

When a search evaluates the shadowAccount entry, Directory Server adds the shadow attributes to the entry. If the fine-grained password policy is enabled, the shadowAccount entry can contain its own pwdpolicysubentry policy attribute. Previously, to retrieve this attribute, the server started an internal search for each shadowAccount entry, which was unnecessary because the entry was already known to the server. With this update, Directory Server only starts internal searches if the entry is not known. As a result, the performance of searches, such as response time and throughput, is improved. (BZ#1593807)

Directory Server now retrieves members of the replica bind DN group when the first session is started

Directory Server replicas define entries that are authorized to replicate updates to the replica itself. If the entries are members of the group set in the nsds5replicabinddngroup attribute, the group is retrieved periodically based on the interval set in the nsDS5ReplicaBindDnGroupCheckInterval attribute. If the entry is not a member at the time the server retrieves the group, any session that is authenticated using this entry is not authorized to replicate updates. This behavior remains until the entry becomes a member of the group and the server retrieves the group again. As a consequence, replication fails for the first interval set in nsDS5ReplicaBindDnGroupCheckInterval. With this update, the server retrieves the group when the first session is started rather than when the replica is created. As a result, the group is taken into account at the first attempt it is checked. (BZ#1598478)

Creating a Directory Server back end with the name default is now supported

Previously, the name default was reserved in Directory Server. As a consequence, creating a back end named default failed. With this update, Directory Server no longer reserves this name, and administrators can create a back end named default. (BZ#1598718)

Updated Directory Server SNMP MIB definitions

Previously, the Simple Network Management Protocol (SNMP) Management Information Base (MIB) definitions provided by the 389-ds-base package did not conform to the Structure of Management Information Version 2 (SMIv2) defined in RFC 2578. As a consequence, the lint utility reported errors. The definitions have now been updated, and as a result, the MIB definitions comply with the SMIv2 specification. (BZ#1525256)

rpc.yppasswdd now updates passwords also with SELinux disabled

Previously, when the SELinux security module was disabled on the system, the rpc.yppasswdd update function failed to perform the update action. As a consequence, rpc.yppasswdd was unable to update the user password. With this update, rpc.yppasswdd checks whether SELinux is enabled on the system before detecting the SELinux context type for the passwd files. As a result, rpc.yppasswdd now correctly updates passwords in the described scenario. (BZ#1492892)

Chapter 22. Clustering

PCS is able to find a token and connect to a node with upper case characters in its node name

Previously, PCS was unable to find a token for any node name with upper case characters, and it would report an error that the node is not authenticated. This occurred because the pcs cluster auth command would lowercase all node names before storing them to the PCS token file. With this fix, PCS does not lowercase node names before storing them to the PCS token file. (BZ#1590533)

pcs now shows correct value for failcount

Starting with the Red Hat Enterprise Linux 7.5 release, the pcs resource failcount show command always showed a failcount of zero, even when this was not the correct value. This occurred because the format of resource failcounts was changed in Pacemaker. With this fix, the pcs utility is able to parse the new failcount format and it displays the correct value. (BZ#1588667)

At cluster startup, corosync starts on each node with a small delay to reduce the risk of JOIN flood

Starting corosync on all nodes at the same time may cause a JOIN flood, which may result in some nodes not joining the cluster. With this update, each node starts corosync with a small delay to reduce the risk of this happening. (BZ#1572886)

New /etc/sysconfig/pcsd option to reject client-initiated SSL/TLS renegotiation

When TLS renegotiation is enabled on the server, a client is allowed to send a renegotiation request, which initiates a new handshake. Computational requirements of a handshake are higher on a server than on a client. This makes the server vulnerable to DoS attacks. With this fix, a new option has been added to the /etc/sysconfig/pcsd configuration file to reject renegotiations. Note that the client can still open multiple connections to a server with a handshake performed in all of them. (BZ#1566382)

Chapter 23. Compiler and Tools

GDB registers unaligned watchpoint hits on the 64-bit ARM architecture

Previously, the GDB debugger provided only limited support for unaligned hardware watchpoints used by the watch, rwatch, and awatch GDB commands on the 64-bit ARM architecture. As a consequence, GDB running on such systems failed to register some watchpoint hits and subsequently did not stop the debugged program.
GDB has been extended to handle this situation. As a result, it can correctly handle any hardware watchpoints on the 64-bit ARM architecture, including unaligned ones. (BZ#1347993)

Retpoline support in GCC on IBM z Systems architecture

This update adds support for retpoline generation in the GNU Compiler Collection (GCC) on IBM z Systems architecture. Retpolines are a technique used by the kernel to reduce the overhead of mitigating Spectre Variant 2 attacks described in CVE-2017-5715. (BZ#1552021)

binutils linker no longer terminates unexpectedly when encountering relocations against absolute address

Previously, the linker from the binutils package could not properly handle relocations against an absolute address. As a consequence, encountering such relocations caused a segmentation fault of the linker.
The linker has been extended to handle relocations against absolute addresses and the problem no longer occurs. (BZ#1557346)

Chapter 24. Installation and Booting

The network service no longer hangs on stop or restart

Previously, when certain processes were executed from a network share, the network service could hang if it was stopped or restarted. A patch to the initscripts packages has been applied to not use the pidof utility, and the described problem no longer occurs. (BZ#1559384)

KSH no longer fails to process /etc/init.d/functions

The Korn Shell (KSH) is unable to process code where the word local appears on the same line as an array definition. This previously caused KSH to fail to source the /etc/init.d/functions file. This update provides a workaround to the KSH limitation, and the function file is now being sourced as expected.
Note that KSH may still be unable to use some of the functions in the /etc/init.d/functions file. This update only allows KSH to not fail during the sourcing of /etc/init.d/functions. (BZ#1554364)

Diskless NFS clients no longer hang when unmounting the root file system

Previously, diskless NFS clients became unresponsive in rare cases when the network service was stopped or restarted while unmounting the root file system. This happened because the unit files generated by systemd sometimes had incorrect dependencies.
A workaround has been applied in the initscripts package, and diskless NFS clients no longer hang in the described situation. (BZ#1572659)

A non-functioning systemctl reload network.service has been removed

The systemctl reload network.service command, which does not work due to technical limitations of initscripts, has been removed, and using it now results in an appropriate warning message. To correctly apply a new configuration for the network service, use the restart command instead:
~]# systemctl restart network.service
(BZ#1554690)

Text mode will now prompt for a passphrase if a Kickstart file does not provide one while enabling encryption

Prior to this update, if you used the text mode interface with a Kickstart file that enabled disk encryption but did not provide a passphrase, the installation failed with an error. This update prompts the user to provide a passphrase during installation if the partitioning specified in the provided Kickstart file requires one. (BZ#1436304)

A cmdline Kickstart installation with conflicting packages now displays an error message

Previously, when a cmdline (noninteractive, unattended) Kickstart installation with conflicting packages was started, the installation failed and the machine rebooted before displaying the error message.
This update increases the reboot timeout from 10 to 180 seconds, ensuring that the appropriate error message is displayed. (BZ#1360223)

The custom partitioning screen now displays relevant storage configuration error messages

Previously, error messages in the custom partitioning screen were not always cleared after configuration changes. As a result, error messages that were not relevant to the current storage configuration were displayed.
This update ensures that the error messages displayed are relevant to the storage configuration in the custom partitioning screen. (BZ#1535781)

Host name is now configured correctly on an installed system

Previously, host name was not parsed properly from the IPv6 static configuration that was set by boot options. As a consequence, the host name specified by the ip installer boot option was not configured on an installed system.
The parsing of host name from the ip installer boot option has now been fixed for IPv6 static configuration. (BZ#1554271)

The reqpart Kickstart command will now only create partitions that are required by the hardware platform

Previously, when the reqpart command was specified in a Kickstart file and no partitions were required by the hardware platform, the installer attempted to perform automatic partitioning. As a result, the installation failed with an error.
This update ensures that the reqpart Kickstart command will only create partitions that are required by the hardware platform. (BZ#1557485)

Installation started with boot option zfcp.allow_lun_scan is applied to the installed system

Previously, the boot option zfcp.allow_lun_scan wasn't applied to the installed system and as a result, the installed system started without the boot option.
This update applies the boot option zfcp.allow_lun_scan to the installed system. (BZ#1561662)

The clearpart Kickstart command can now be used on disk partitions

Previously, using the Kickstart command clearpart --list=<part> (where <part> is a partition on a disk) during installation worked for disks but not disk partitions.
As a consequence, Anaconda stopped the installation with the message:
Device <part> given in clearpart device list does not exist.
This update removes the restriction and supports clearing on disk partitions. (BZ#1561930)

Chapter 25. Networking

Bad offload warnings are no longer displayed using virtio_net

Previously, using the virtio_net network adapter in bridge connections, user space programs sometimes generated Generic Segmentation Offload (GSO) packets with no checksum offload and passed them to the kernel. As a consequence, the kernel checksum offloading code displayed bad offload warnings unnecessarily. With this update, a patch has been applied, and the kernel does not warn anymore about bad checksum offload messages for such packets. (BZ#1544920)

The L2TP sequence number handling now works correctly

Previously, the kernel did not handle Layer 2 Tunneling Protocol (L2TP) sequence numbers properly and it was not compliant with RFC 3931. As a consequence, L2TP sessions stopped working unexpectedly. With this update, a patch has been applied to correctly handle sequence numbers in case of a packet loss. As a result, when users enable sequence numbers, L2TP sessions work as expected in the described scenario. (BZ#1527799)

The kernel no longer crashes when a tunnel_key mode is not specified

Previously, parsing configuration data in the tunnel_key action rules was incorrect if neither set nor unset mode was specified in the configuration. As a consequence, the kernel dereferenced an incorrect pointer and terminated unexpectedly. With this update, the kernel does not install tunnel_key if set or unset was not specified. As a result, the kernel no longer crashes in the described scenario. (BZ#1554907)

The sysctl net.ipv4.route.min_pmtu setting can no longer be set to invalid values

Previously, the value provided by administrators for the sysctl net.ipv4.route.min_pmtu setting was not restricted. As a consequence, administrators were able to set a negative value for net.ipv4.route.min_pmtu. This sometimes resulted in setting the path Maximum Transmission Unit (MTU) of some routes to very large values because of an integer overflow. This update restricts the values that can be set for net.ipv4.route.min_pmtu to >= 68, the minimum valid MTU for IPv4. As a result, net.ipv4.route.min_pmtu can no longer be set to invalid values (negative value or < 68). (BZ#1541250)
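The failure mode and the range check described above, as an added C example that is not the kernel's code. It assumes the overflow arises when the signed setting is used as an unsigned 32-bit floor for a learned path MTU; the function names and the starting value of 552 are constructed for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define IPV4_MIN_MTU        68   /* minimum valid IPv4 MTU, as stated above */
#define EXAMPLE_START_FLOOR 552  /* constructed starting value for this example */

/* Parse a decimal integer written to the setting. Returns 0 or -EINVAL. */
static int parse_int(const char *text, int *out)
{
    char *end = NULL;
    long v;

    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0' || v < INT_MIN || v > INT_MAX)
        return -EINVAL;
    *out = (int)v;
    return 0;
}

/* Behaviour before the update, as described: any integer is accepted. */
int write_min_pmtu_unchecked(const char *text, int *setting)
{
    return parse_int(text, setting);
}

/* Behaviour after the update, as described: values below 68 are rejected
 * and the previous setting stays in place. */
int write_min_pmtu_checked(const char *text, int *setting)
{
    int v;

    if (parse_int(text, &v) != 0 || v < IPV4_MIN_MTU)
        return -EINVAL;
    *setting = v;
    return 0;
}

/* Assumed model of the overflow: the path MTU is an unsigned 32-bit value,
 * the setting is a signed int, and the setting acts as a lower bound.
 * Converting -1 to uint32_t yields 4294967295, which then wins the comparison. */
uint32_t apply_pmtu_floor(uint32_t learned_mtu, int min_pmtu)
{
    uint32_t min_u32 = (uint32_t)min_pmtu;

    return learned_mtu < min_u32 ? min_u32 : learned_mtu;
}

/* Write `text` to the setting (checked or unchecked), then apply the
 * resulting floor to a path MTU learned from the network. */
uint32_t pmtu_after_write(const char *text, int checked, uint32_t learned_mtu)
{
    int setting = EXAMPLE_START_FLOOR;

    if (checked)
        (void)write_min_pmtu_checked(text, &setting);
    else
        (void)write_min_pmtu_unchecked(text, &setting);
    return apply_pmtu_floor(learned_mtu, setting);
}

int main(void)
{
    printf("unchecked write of -1, learned 1400 -> path MTU %u\n",
           (unsigned)pmtu_after_write("-1", 0, 1400));
    printf("checked write of -1,   learned 1400 -> path MTU %u\n",
           (unsigned)pmtu_after_write("-1", 1, 1400));
    printf("checked write of 68,   learned 60   -> path MTU %u\n",
           (unsigned)pmtu_after_write("68", 1, 60));
    return 0;
}
```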

wpa_supplicant no longer responds to packets whose destination address does not match the interface address

Previously, when wpa_supplicant was running on a Linux interface that was configured in promiscuous mode, incoming Extensible Authentication Protocol over LAN (EAPOL) packets were processed regardless of the destination address in the frame. However, wpa_supplicant checked the destination address only if the interface was enslaved to a bridge. As a consequence, in certain cases, wpa_supplicant was responding to EAPOL packets when the destination address was not the interface address. With this update, a socket filter has been added that allows the kernel to discard unicast EAPOL packets whose destination address does not match the interface address, and the described problem no longer occurs. (BZ#1434434)
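The destination check described above, modelled in user space as an added C example; it is not the socket filter shipped with wpa_supplicant or any kernel code. The MAC addresses and the EAP-Request/Identity frame are constructed, and the length sanity checks are additions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN       6
#define ETH_HDR_LEN   14      /* destination(6) + source(6) + EtherType(2) */
#define EAPOL_HDR_LEN 4       /* version(1) + type(1) + body length(2) */
#define ETHERTYPE_PAE 0x888E  /* EAPOL (IEEE 802.1X) */

enum verdict { DELIVER, DROP_OTHER_HOST, DROP_NOT_EAPOL, DROP_TRUNCATED };

/* Constructed, locally administered sample addresses. */
static const uint8_t IFACE_MAC[MAC_LEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
static const uint8_t OTHER_MAC[MAC_LEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x02};
static const uint8_t AUTH_MAC[MAC_LEN]  = {0x02, 0x00, 0x00, 0x00, 0x00, 0xAA};
/* IEEE 802.1X PAE group address: multicast, so the unicast rule does not apply. */
static const uint8_t PAE_GROUP[MAC_LEN] = {0x01, 0x80, 0xC2, 0x00, 0x00, 0x03};

/* Decide whether a frame seen on a promiscuous interface should reach the
 * supplicant: unicast EAPOL is delivered only if addressed to iface_mac. */
enum verdict eapol_filter(const uint8_t *frame, size_t len, const uint8_t *iface_mac)
{
    uint16_t ethertype, body_len;

    if (len < ETH_HDR_LEN)
        return DROP_TRUNCATED;
    ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_PAE)
        return DROP_NOT_EAPOL;
    if (len < ETH_HDR_LEN + EAPOL_HDR_LEN)
        return DROP_TRUNCATED;
    body_len = (uint16_t)((frame[16] << 8) | frame[17]);
    if (len - ETH_HDR_LEN - EAPOL_HDR_LEN < body_len)
        return DROP_TRUNCATED;
    if (frame[0] & 0x01)                 /* group bit: multicast or broadcast */
        return DELIVER;
    if (memcmp(frame, iface_mac, MAC_LEN) != 0)
        return DROP_OTHER_HOST;          /* unicast meant for another station */
    return DELIVER;
}

/* Build a constructed frame from AUTH_MAC to dst carrying EAP-Request/Identity. */
size_t build_sample(uint8_t *out, const uint8_t *dst, uint16_t ethertype)
{
    static const uint8_t payload[] = {
        0x02, 0x00, 0x00, 0x05,        /* EAPOL v2, type 0 (EAP-Packet), length 5 */
        0x01, 0x01, 0x00, 0x05, 0x01   /* EAP Request, id 1, length 5, Identity */
    };

    memcpy(out, dst, MAC_LEN);
    memcpy(out + MAC_LEN, AUTH_MAC, MAC_LEN);
    out[12] = (uint8_t)(ethertype >> 8);
    out[13] = (uint8_t)(ethertype & 0xFF);
    memcpy(out + ETH_HDR_LEN, payload, sizeof(payload));
    return ETH_HDR_LEN + sizeof(payload);
}

/* Filter the sample frame as received on IFACE_MAC, with `cut` bytes
 * removed from the end to exercise the truncation checks. */
enum verdict sample_verdict(const uint8_t *dst, uint16_t ethertype, size_t cut)
{
    uint8_t frame[64];
    size_t len = build_sample(frame, dst, ethertype);

    return eapol_filter(frame, len > cut ? len - cut : 0, IFACE_MAC);
}

int main(void)
{
    static const char *names[] = {
        "deliver", "drop (other host)", "drop (not EAPOL)", "drop (truncated)"
    };

    printf("to interface address : %s\n", names[sample_verdict(IFACE_MAC, ETHERTYPE_PAE, 0)]);
    printf("to another station   : %s\n", names[sample_verdict(OTHER_MAC, ETHERTYPE_PAE, 0)]);
    printf("to PAE group address : %s\n", names[sample_verdict(PAE_GROUP, ETHERTYPE_PAE, 0)]);
    printf("IPv4 EtherType       : %s\n", names[sample_verdict(IFACE_MAC, 0x0800, 0)]);
    printf("one byte short       : %s\n", names[sample_verdict(IFACE_MAC, ETHERTYPE_PAE, 1)]);
    return 0;
}
```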

NetworkManager no longer fails to detect duplicate IPv4 addresses

Previously, NetworkManager used to spawn an instance of the arping process to detect duplicate IPv4 addresses on the network. As a consequence, if the timeout configured for IPv4 Duplicate Address Detection (DAD) was short and the system was overloaded, NetworkManager sometimes failed to detect a duplicate address in time. With this update, the detection of duplicate IPv4 addresses is now performed internally to NetworkManager without spawning external binaries, and the described problem no longer occurs. (BZ#1507864)

firewalld now prevents partially applied rules

Previously, if a direct rule failed to be inserted for any reason, then all following direct rules with a higher priority also failed to insert. As a consequence, direct rules were not applied completely. The processing has been changed to either apply all direct rules successfully or revert them all. As a result, if a rule failure occurs at startup, firewalld enters the failed status and allows the user to remedy the situation. This prevents unexpected results by having partially applied rules. (BZ#1498923)

Chapter 26. Security

CardOS 5.3 smart cards with ECDSA support work correctly in OpenSC

Previously, OpenSC did not correctly parse the ECDSA algorithm in the TokenInfo information provided by CardOS 5.3 smart cards. As a consequence, OpenSC did not detect these cards. The TokenInfo parser has been updated and now complies with the PKCS #15 specification. As a result, CardOS 5.3 smart cards with ECDSA support work correctly in OpenSC. (BZ#1562277)

Non-CCID-compliant smart card readers work in OpenSC

Certain smart card readers implement PIN pad functionality that does not follow the chip card interface device (CCID) specification. Previously, OpenSC detected the PIN pad of such smart card readers, but the reader could not be used with OpenSC. With this update, the PIN pad detection has been disabled in OpenSC by default. As a result, non-CCID-compliant smart card readers can be used, but without the PIN pad feature. (BZ#1547117)

The pkcs11-tool utility now supports mechanism IDs and handles ECDSA keys correctly

Previously, the pkcs11-tool utility incorrectly handled EC_POINT values and support for certain vendor-specific mechanisms was missing. As a consequence, these mechanisms and certain ECDSA keys in hardware security modules (HSM) and smart cards were not supported by pkcs11-tool. With this update, the pkcs11-tool now handles EC_POINT values and vendor-specific mechanisms correctly. As a result, the utility now supports mechanism IDs and handles ECDSA keys correctly. (BZ#1562572)

OpenSCAP RPM verification rules no longer work incorrectly with VM and container file systems

Previously, the rpminfo, rpmverify, and rpmverifyfile probes did not fully support offline mode. As a consequence, OpenSCAP RPM verification rules did not work correctly when scanning virtual machine (VM) and container file systems in offline mode. With this update, support for offline mode has been fixed, and results of scanning VM and container file systems in offline mode no longer contain false negatives. (BZ#1556988)

Chapter 27. Servers and Services

pxlcolor and pxlmono now work correctly

Previously, the pxlcolor and the pxlmono drivers in the Ghostscript interpreter did not function correctly. As a consequence, the drivers were likely to ignore a selection of a paper tray for certain printers, therefore only a specific paper tray was selected. This update applies a patch, which fixes the issue. As a result, the selection of different paper trays now works as expected in the described scenario. (BZ#1551782)

Augeas reads /etc/fstab with white spaces more reliably

Previously, Augeas was not able to parse lines in the /etc/fstab file if they had white spaces at the beginning. This sometimes caused problems in software tools that use Augeas, such as the virt-v2v utility or the Puppet management tool. With this update, the Fstab lens of Augeas correctly ignores white spaces at the beginning of lines. As a result, Augeas now reads /etc/fstab as expected. (BZ#1544520)

Chapter 28. Storage

mpathpersist no longer fails when opening too many files

Previously, the mpathpersist utility sometimes overstepped the limit on open files when scanning a large number of devices. As a consequence, mpathpersist terminated unexpectedly.
With this update, mpathpersist now checks the max_fds configuration value and correctly sets the maximum number of open files. As a result, mpathpersist no longer fails when opening too many files. (BZ#1610263)

The multipathd readsector0 checker now returns the correct result

Previously, in some cases the multipathd daemon was incorrectly calculating the I/O size to use with the readsector0 checker, causing it to do a 0 size read. This could cause the multipathd readsector0 checker to return the wrong result. It is also possible that some SCSI devices do not treat a 0 size read command as valid. With this fix, multipathd now uses the correct size for the readsector0 checker. (BZ#1584228)

multipath now correctly prints the sysfs state of paths

Previously, the multipath -l command did not print the sysfs state of paths because the multipath utility did not correctly set path information. With this update, the problem has been fixed, and multipath now prints the sysfs state of paths correctly. (BZ#1526876)

multipathd can now correctly set APTPL when registering keys on path devices

Previously, the multipathd service did not track which devices registered their persistent reservation keys with the Activate Persist Through Power Loss (APTPL) option. As a consequence, registrations always lost the APTPL setting.
With this update, the problem has been fixed:
  • If you set the reservation_key option to a file in the multipath.conf configuration file, multipathd now keeps the APTPL setting automatically.
  • If you set reservation_key to a specific key, you can now add the :aptpl string at the end of the key in reservation_key, which enables APTPL for it. Set this to match the APTPL setting used when registering the key. (BZ#1498724)

Part III. Technology Previews

This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 7.6 Beta.
For information on Red Hat scope of support for Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.

Chapter 29. General Updates

The systemd-importd VM and container image import and export service

The latest systemd version now contains the systemd-importd daemon that was not enabled in the earlier build, which caused the machinectl pull-* commands to fail. Note that the systemd-importd daemon is offered as a Technology Preview and should not be considered stable. (BZ#1284974)

Chapter 30. Authentication and Interoperability

Use of AD and LDAP sudo providers

The Active Directory (AD) provider is a back end used to connect to an AD server. Starting with Red Hat Enterprise Linux 7.2, using the AD sudo provider together with the LDAP provider is available as a Technology Preview. To enable the AD sudo provider, add the sudo_provider=ad setting in the [domain] section of the sssd.conf file. (BZ#1068725)

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.
Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:
Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices described in the Red Hat Enterprise Linux Networking Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Configure_Host_Names.html#sec-Recommended_Naming_Practices. (BZ#1115294)

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as Technology Preview.
In Red Hat Enterprise Linux 7.3, the IdM API was enhanced to enable multiple versions of API commands. Previously, enhancements could change the behavior of a command in an incompatible way. Users are now able to continue using existing tools and scripts even if the IdM API changes. This enables:
  • Administrators to use previous or later versions of IdM on the server than on the managing client.
  • Developers to use a specific version of an IdM call, even if the IdM version changes on the server.
In all cases, communication with the server is possible, regardless of whether one side uses, for example, a newer version that introduces new options for a feature.
For details on using the API, see https://access.redhat.com/articles/2728021 (BZ#1298286)

The Custodia secrets service provider is now available

As a Technology Preview, you can now use Custodia, a secrets service provider. Custodia stores or serves as a proxy for secrets, such as keys or passwords.
For details, see the upstream documentation at http://custodia.readthedocs.io. (BZ#1403214)

Containerized Identity Management server available as Technology Preview

The rhel7/ipa-server container image is available as a Technology Preview feature. Note that the rhel7/sssd container image is now fully supported.

Chapter 31. Clustering

The pcs tool now manages bundle resources in Pacemaker

As a Technology Preview starting with Red Hat Enterprise Linux 7.4, Pacemaker supports a special syntax for launching a Docker container with any infrastructure it requires: the bundle. After you have created a Pacemaker bundle, you can create a Pacemaker resource that the bundle encapsulates. For information on Pacemaker support for containers, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7-beta/html-single/high_availability_add-on_reference/. (BZ#1433016)

New fence-agents-heuristics-ping fence agent

As a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.
If the heuristics agent is configured on the same fencing level as the fence agent that does the actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the agent that does the fencing. If the heuristics agent gives a negative result for the off action it is already clear that the fencing level is not going to succeed, causing Pacemaker fencing to skip the step of issuing the off action on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent the agent that does the actual fencing from fencing a node under certain conditions.
A user might want to use this agent, especially in a two-node cluster, when it would not make sense for a node to fence the peer if it can know beforehand that it would not be able to take over the services properly. For example, it might not make sense for a node to take over services if it has problems reaching the networking uplink, making the services unreachable to clients, a situation which a ping to a router might detect in that case. (BZ#1476401)

Heuristics supported in corosync-qdevice as a Technology Preview

Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which partition should be quorate. (BZ#1413573, BZ#1389209)

Chapter 32. Desktop

Wayland available as a Technology Preview

The Wayland display server protocol is available in Red Hat Enterprise Linux as a Technology Preview with the dependent packages required to enable Wayland support in GNOME, which supports fractional scaling. Wayland uses the libinput library as its input driver.
The following features are currently unavailable or do not work correctly:
  • Multiple GPU support is not possible at this time.
  • The NVIDIA binary driver does not work under Wayland.
  • The xrandr utility does not work under Wayland due to its different approach to handling resolutions, rotations, and layout.
  • Screen recording, remote desktop, and accessibility do not always work correctly under Wayland.
  • No clipboard manager is available.
  • It is currently impossible to restart GNOME Shell under Wayland.
  • Wayland ignores keyboard grabs issued by X11 applications, such as virtual machines viewers. (BZ#1481411)

Fractional Scaling available as a Technology Preview

Starting with Red Hat Enterprise Linux 7.5, GNOME provides, as a Technology Preview, fractional scaling to address problems with monitors whose DPI lies in the middle between lo (scale 1) and hi (scale 2).
Due to technical limitations, fractional scaling is available only on Wayland. (BZ#1481395)

Chapter 33. File Systems

ext4 and XFS file systems now support DAX

Starting with Red Hat Enterprise Linux 7.3, Direct Access (DAX) provides, as a Technology Preview, a means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that supports DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application's address space. (BZ#1274459)

pNFS block layout is now available

As a Technology Preview, Red Hat Enterprise Linux clients can now mount pNFS shares with the block layout feature.
Note that Red Hat recommends using the pNFS SCSI layout instead, which is similar to block layout but easier to use. (BZ#1111712)

OverlayFS

OverlayFS is a type of union file system. It allows the user to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media. See the Linux kernel documentation for additional information: https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt.
OverlayFS remains a Technology Preview under most circumstances. As such, the kernel will log warnings when this technology is activated.
Full support is available for OverlayFS when used with Docker under the following restrictions:
  • OverlayFS is only supported for use as a Docker graph driver. Its use can only be supported for container COW content, not for persistent storage. Any persistent storage must be placed on non-OverlayFS volumes to be supported. Only default Docker configuration can be used; that is, one level of overlay, one lowerdir, and both lower and upper levels are on the same file system.
  • Only XFS is currently supported for use as a lower layer file system.
  • On Red Hat Enterprise Linux 7.3 and earlier, SELinux must be enabled and in enforcing mode on the physical machine, but must be disabled in the container when performing container separation, that is the /etc/sysconfig/docker file must not contain --selinux-enabled. Starting with Red Hat Enterprise Linux 7.4, OverlayFS supports SELinux security labels, and you can enable SELinux support for containers by specifying --selinux-enabled in /etc/sysconfig/docker.
  • The OverlayFS kernel ABI and userspace behavior are not considered stable, and may see changes in future updates.
  • In order to make the yum and rpm utilities work properly inside the container, the user should be using the yum-plugin-ovl packages.
Note that OverlayFS provides a restricted set of the POSIX standards. Test your application thoroughly before deploying it with OverlayFS.
Note that XFS file systems must be created with the -n ftype=1 option enabled for use as an overlay. With the rootfs and any file systems created during system installation, set the --mkfsoptions=-n ftype=1 parameters in the Anaconda kickstart. When creating a new file system after the installation, run the # mkfs -t xfs -n ftype=1 /PATH/TO/DEVICE command. To determine whether an existing file system is eligible for use as an overlay, run the # xfs_info /PATH/TO/DEVICE | grep ftype command to see if the ftype=1 option is enabled.
There are also several known issues associated with OverlayFS in this release. For details, see Non-standard behavior in the Linux kernel documentation: https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt. (BZ#1206277)

Btrfs file system

The Btrfs (B-Tree) file system is available as a Technology Preview in Red Hat Enterprise Linux 7.
Red Hat Enterprise Linux 7.4 introduced the last planned update to this feature. Btrfs has been deprecated, which means Red Hat will not be moving Btrfs to a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux. (BZ#1477977)

ima-evm-utils available as a Technology Preview for certain architectures

The ima-evm-utils package, available as a Technology Preview, provides utilities to label the file system and verify the integrity of your system at run time using the Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) features. These utilities enable you to monitor if files have been accidentally or maliciously altered.
Note that ima-evm-utils is now fully supported on the AMD64 and Intel 64 architecture, but remains in Technology Preview on all other architectures. (BZ#1384450)

Chapter 34. Hardware Enablement

LSI Syncro CS HA-DAS adapters

Red Hat Enterprise Linux 7.1 included code in the megaraid_sas driver to enable LSI Syncro CS high-availability direct-attached storage (HA-DAS) adapters. While the megaraid_sas driver is fully supported for previously enabled adapters, the use of this driver for Syncro CS is available as a Technology Preview. Support for this adapter is provided directly by LSI, your system integrator, or system vendor. Users deploying Syncro CS on Red Hat Enterprise Linux 7.2 and later are encouraged to provide feedback to Red Hat and LSI. For more information on LSI Syncro CS solutions, please visit http://www.lsi.com/products/shared-das/pages/default.aspx. (BZ#1062759)

tss2 enables TPM 2.0 for IBM Power LE

The tss2 package adds IBM implementation of a Trusted Computing Group Software Stack (TSS) 2.0 as a Technology Preview for the IBM Power LE architecture. This package enables users to interact with TPM 2.0 devices. (BZ#1384452)

ibmvnic Device Driver

Starting with Red Hat Enterprise Linux 7.3, the ibmvnic Device Driver has been available as a Technology Preview for IBM POWER architectures. vNIC (Virtual Network Interface Controller) is a PowerVM virtual networking technology that delivers enterprise capabilities and simplifies network management. It is a high-performance, efficient technology that when combined with SR-IOV NIC provides bandwidth control Quality of Service (QoS) capabilities at the virtual NIC level. vNIC significantly reduces virtualization overhead, resulting in lower latencies and fewer server resources, including CPU and memory, required for network virtualization. (BZ#1391561, BZ#947163)

ibmvnic available as a Technology Preview

Starting with Red Hat Enterprise Linux 7.3, the ibmvnic Device Driver has been available as a Technology Preview for IBM POWER architectures. vNIC (Virtual Network Interface Controller) is a PowerVM virtual networking technology that delivers enterprise capabilities and simplifies network management. It is a high-performance, efficient technology that when combined with SR-IOV NIC provides bandwidth control Quality of Service (QoS) capabilities at the virtual NIC level. vNIC significantly reduces virtualization overhead, resulting in lower latencies and fewer server resources, including CPU and memory, required for network virtualization. (BZ#1555237)

Chapter 35. Kernel

Heterogeneous memory management included as a Technology Preview

Red Hat Enterprise Linux 7.3 introduced the heterogeneous memory management (HMM) feature as a Technology Preview. This feature has been added to the kernel as a helper layer for devices that want to mirror a process address space into their own memory management unit (MMU). Thus a non-CPU device processor is able to read system memory using the unified system address space. To enable this feature, add experimental_hmm=enable to the kernel command line. (BZ#1230959)

criu rebased to version 3.5

Red Hat Enterprise Linux 7.2 introduced the criu tool as a Technology Preview. This tool implements Checkpoint/Restore in User-space (CRIU), which can be used to freeze a running application and store it as a collection of files. Later, the application can be restored from its frozen state.
Note that the criu tool depends on Protocol Buffers, a language-neutral, platform-neutral extensible mechanism for serializing structured data. The protobuf and protobuf-c packages, which provide this dependency, were also introduced in Red Hat Enterprise Linux 7.2 as a Technology Preview.
In Red Hat Enterprise Linux 7.6, the criu packages have been upgraded to upstream version 3.9, which provides a number of bug fixes and optimizations for the runC container runtime. In addition, support for the 64-bit ARM architectures and the little-endian variant of IBM Power Systems CPU architectures has been fixed. (BZ#1400230, BZ#1464596)

kexec as a Technology Preview

The kexec system call has been provided as a Technology Preview. This system call enables loading and booting into another kernel from the currently running kernel, thus performing the function of the boot loader from within the kernel. Hardware initialization, which is normally done during a standard system boot, is not performed during a kexec boot, which significantly reduces the time required for a reboot. (BZ#1460849)

kexec fast reboot as a Technology Preview

The kexec fast reboot feature, which was introduced in Red Hat Enterprise Linux 7.5, continues to be available as a Technology Preview. kexec fast reboot makes the reboot significantly faster. To use this feature, you must load the kexec kernel manually, and then reboot the operating system. It is not possible to make kexec fast reboot the default reboot action. Using kexec fast reboot with Anaconda is a special case: it still does not make kexec fast reboot the default, but the operating system can automatically use kexec fast reboot after the installation is complete if the user boots the kernel with the anaconda option. To schedule a kexec reboot, use the inst.kexec command on the kernel command line, or include a reboot --kexec line in the Kickstart file. (BZ#1464377)

SCSI-MQ as a Technology Preview in the qla2xxx driver

The qla2xxx driver updated in Red Hat Enterprise Linux 7.4 can now enable the use of SCSI-MQ (multiqueue) with the ql2xmqsupport=1 module parameter. The default value is 0 (disabled). The SCSI-MQ functionality is provided as a Technology Preview when used with the qla2xxx driver.
Note that recent performance testing at Red Hat with async IO over Fibre Channel adapters using SCSI-MQ has shown significant performance degradation under certain conditions. A fix is being tested but was not ready in time for Red Hat Enterprise Linux 7.4 General Availability. (BZ#1414957)

NVMe over Fibre Channel is available as a Technology Preview

The NVMe over Fibre Channel (NVMe-FC) transport type is available as a Technology Preview. NVMe-FC is an additional fabric transport type for the Nonvolatile Memory Express (NVMe) protocol, in addition to the Remote Direct Memory Access (RDMA) protocol that was previously introduced in Red Hat Enterprise Linux.
NVMe-FC provides a higher-performance, lower-latency I/O protocol over existing Fibre Channel infrastructure. This is especially important with solid-state storage arrays, because it allows the performance benefits of NVMe storage to be passed through the fabric transport, rather than being encapsulated in a different protocol, SCSI.
In Red Hat Enterprise Linux 7.6, NVMe-FC is available only with Broadcom 32Gbit adapters using the lpfc driver or Qlogic adapters using the qla2xxx driver.
To enable NVMe over Fibre Channel in the lpfc driver, edit the /etc/modprobe.d/lpfc.conf file and add the following option:
lpfc_enable_fc4_type=3
Note that the NVMe-FC Initiator mode with Broadcom 32Gbit adapters is now fully supported. See the New Features part for more information. (BZ#1387768, BZ#1454386)

perf cqm has been replaced by resctrl

The Intel Cache Allocation Technology (CAT) was introduced in Red Hat Enterprise Linux 7.4 as a Technology Preview. However, the perf cqm tool did not work correctly due to an incompatibility between perf infrastructure and Cache Quality of Service Monitoring (CQM) hardware support. Consequently, multiple problems occurred when using perf cqm.
These problems included most notably:
  • perf cqm did not support the group of tasks which is allocated using resctrl
  • perf cqm gave random and inaccurate data due to several problems with recycling
  • perf cqm did not provide enough support when running different kinds of events together (the different events are, for example, tasks, system-wide, and cgroup events)
  • perf cqm provided only partial support for cgroup events
  • The partial support for cgroup events did not work in cases with a hierarchy of cgroup events, or when monitoring a task in a cgroup and the cgroup together
  • Monitoring tasks for the lifetime caused perf overhead
  • perf cqm reported the aggregate cache occupancy or memory bandwidth over all sockets, while in most cloud and VMM-based use cases the individual per-socket usage is needed
In Red Hat Enterprise Linux 7.5, perf cqm was replaced by the approach based on the resctrl file system, which addressed all of the aforementioned problems. (BZ#1457533, BZ#1288964)

TC HW offloading available as a Technology Preview

Starting with Red Hat Enterprise Linux 7.6, Traffic Control (TC) Hardware offloading has been provided as a Technology Preview.
Hardware offloading enables selected functions of network traffic processing, such as shaping, scheduling, policing and dropping, to be executed directly in the hardware instead of waiting for software processing, which improves performance. (BZ#1503123)

AMD xgbe network driver available as a Technology Preview

Starting with Red Hat Enterprise Linux 7.6, the AMD xgbe network driver has been provided as a Technology Preview. (BZ#1589397)

Chapter 36. Networking

Cisco usNIC driver

Cisco Unified Communication Manager (UCM) servers have an optional feature to provide a Cisco proprietary User Space Network Interface Controller (usNIC), which allows performing Remote Direct Memory Access (RDMA)-like operations for user-space applications. The libusnic_verbs driver, which is available as a Technology Preview, makes it possible to use usNIC devices via standard InfiniBand RDMA programming based on the Verbs API. (BZ#916384)

Cisco VIC kernel driver

The Cisco VIC InfiniBand kernel driver, which is available as a Technology Preview, allows the use of Remote Direct Memory Access (RDMA)-like semantics on proprietary Cisco architectures. (BZ#916382)

Trusted Network Connect

Trusted Network Connect, available as a Technology Preview, is used with existing network access control (NAC) solutions, such as TLS, 802.1X, or IPsec to integrate endpoint posture assessment; that is, collecting an endpoint's system information (such as operating system configuration settings, installed packages, and others, termed as integrity measurements). Trusted Network Connect is used to verify these measurements against network access policies before allowing the endpoint to access the network. (BZ#755087)

SR-IOV functionality in the qlcnic driver

Support for Single-Root I/O virtualization (SR-IOV) has been added to the qlcnic driver as a Technology Preview. Support for this functionality will be provided directly by QLogic, and customers are encouraged to provide feedback to QLogic and Red Hat. Other functionality in the qlcnic driver remains fully supported. (BZ#1259547)

The flower classifier with off-loading support

flower is a Traffic Control (TC) classifier intended to allow users to configure matching on well-known packet fields for various protocols. It is intended to make it easier to configure rules over the u32 classifier for complex filtering and classification tasks. flower also supports the ability to off-load classification and action rules to underlying hardware if the hardware supports it. The flower TC classifier is now provided as a Technology Preview. (BZ#1393375)

Chapter 37. Red Hat Enterprise Linux System Roles Powered by Ansible

Red Hat Enterprise Linux System Roles

Red Hat Enterprise Linux System Roles, available as a Technology Preview, is a configuration interface for Red Hat Enterprise Linux subsystems, which makes system configuration easier through the inclusion of Ansible Roles. This interface enables managing system configurations across multiple versions of Red Hat Enterprise Linux, as well as adopting new major releases.
Since Red Hat Enterprise Linux 7.4, the Red Hat Enterprise Linux System Roles packages have been distributed through the Extras channel. For details regarding Red Hat Enterprise Linux System Roles, see https://access.redhat.com/articles/3050101.
With the RHEA-2018:2385 advisory, selected roles of the rhel-system-roles package have received multiple bug fixes and significant enhancements to improve interface consistency, usability, and conformance to Ansible best practices. Note that for the timesync, kdump, and selinux roles, the changes are not backward compatible and it is necessary to update playbooks that use them. For more information, see https://access.redhat.com/articles/3561071. (BZ#1439896)

Chapter 38. Security

USBGuard enables blocking USB devices while the screen is locked as a Technology Preview

With the USBGuard framework, you can influence how an already running usbguard-daemon instance handles newly inserted USB devices by setting the value of the InsertedDevicePolicy runtime parameter. This functionality is provided as a Technology Preview, and the default choice is to apply the policy rules to figure out whether to authorize the device or not.
See the Blocking USB devices while the screen is locked Knowledge Base article: https://access.redhat.com/articles/3230621 (BZ#1480100)

pk12util can now import certificates signed with RSA-PSS

As a Technology Preview, the pk12util tool can now import a certificate signed with the RSA-PSS algorithm.
Note that if the corresponding private key is imported and has the PrivateKeyInfo.privateKeyAlgorithm field that restricts the signing algorithm to RSA-PSS, it is ignored when importing the key to a browser. See https://bugzilla.mozilla.org/show_bug.cgi?id=1413596 for more information. (BZ#1431210)

Support for certificates signed with RSA-PSS in certutil has been improved

Support for certificates signed with the RSA-PSS algorithm in the certutil tool has been improved. Notable enhancements and fixes include:
  • The --pss option is now documented.
  • The PKCS#1 v1.5 algorithm is no longer used for self-signed signatures when a certificate is restricted to use RSA-PSS.
  • Empty RSA-PSS parameters in the subjectPublicKeyInfo field are no longer printed as invalid when listing certificates.
  • The --pss-sign option for creating regular RSA certificates signed with the RSA-PSS algorithm has been added.
Support for certificates signed with RSA-PSS in certutil is provided as a Technology Preview. (BZ#1425514)

NSS is now able to verify RSA-PSS signatures on certificates

With the new version of the nss package, the Network Security Services (NSS) libraries can now verify RSA-PSS signatures on certificates as a Technology Preview. Prior to this update, clients using NSS as the SSL backend were not able to establish a TLS connection to a server that offered only certificates signed with the RSA-PSS algorithm.
Note that the functionality has the following limitations:
  • The algorithm policy settings in the /etc/pki/nss-legacy/rhel7.config file do not apply to the hash algorithms used in RSA-PSS signatures.
  • RSA-PSS parameters restrictions between certificate chains are ignored and only a single certificate is taken into account. (BZ#1432142)

SECCOMP can be now enabled in libreswan

As a Technology Preview, the seccomp=enabled|tolerant|disabled option has been added to the ipsec.conf configuration file, which makes it possible to use the Secure Computing mode (SECCOMP). This improves the syscall security by whitelisting all the system calls that Libreswan is allowed to execute. For more information, see the ipsec.conf(5) man page. (BZ#1375750)
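A configuration check for this option, as an added example that is not part of the release notes or of Libreswan: it reads the seccomp value from the config setup section of an ipsec.conf text. The function names and the sample files are constructed for illustration.

```python
# Values the release note lists for the seccomp option.
VALID_MODES = ("enabled", "tolerant", "disabled")

# Constructed sample files; the addresses are documentation ranges.
CONF_WITHOUT = """\
# /etc/ipsec.conf
config setup
    logfile=/var/log/pluto.log

conn site-to-site
    left=192.0.2.1
    right=198.51.100.1
"""

CONF_ENABLED = """\
# /etc/ipsec.conf
config setup
    logfile=/var/log/pluto.log
    seccomp=enabled

conn site-to-site
    left=192.0.2.1
    right=198.51.100.1
"""

CONF_TYPO = """\
config setup
    seccomp=enable
"""


def seccomp_mode(conf_text: str) -> str:
    """Return the seccomp value set in 'config setup'.

    Returns one of VALID_MODES, 'unset' when the option is absent from
    that section, or 'other:<value>' for a value the release note does
    not list.
    """
    section = None
    mode = "unset"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # column 0 starts a new section
            section = " ".join(line.split())
            continue
        if section != "config setup":          # conn sections are not consulted
            continue
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "seccomp":
            value = value.strip().strip('"')
            mode = value if value in VALID_MODES else "other:" + value
    return mode


def assess(conf_text: str) -> tuple:
    """Map the configured mode to a (status, note) pair for a hardening review."""
    mode = seccomp_mode(conf_text)
    if mode == "enabled":
        # Per ipsec.conf(5): the kernel terminates pluto on a syscall
        # outside the allow list.
        return ("pass", "syscall filter enforced")
    if mode == "tolerant":
        # Per ipsec.conf(5): the syscall is blocked and pluto keeps running.
        return ("pass", "syscall filter active, daemon kept alive")
    if mode == "disabled":
        return ("review", "syscall filter explicitly off")
    if mode == "unset":
        return ("review", "seccomp not set in config setup")
    return ("fail", "unrecognized value " + mode.split(":", 1)[1])


if __name__ == "__main__":
    for name, text in (("without", CONF_WITHOUT),
                       ("enabled", CONF_ENABLED),
                       ("typo", CONF_TYPO)):
        print(name, assess(text))
```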

Chapter 39. Storage

Multi-queue I/O scheduling for SCSI

Red Hat Enterprise Linux 7 includes a new multiple-queue I/O scheduling mechanism for block devices known as blk-mq. The scsi-mq package allows the Small Computer System Interface (SCSI) subsystem to make use of this new queuing mechanism. This functionality is provided as a Technology Preview and is not enabled by default. To enable it, add scsi_mod.use_blk_mq=Y to the kernel command line.
Although blk-mq is intended to offer improved performance, particularly for low-latency devices, it is not guaranteed to always provide better performance. In particular, in some cases, enabling scsi-mq can result in significantly worse performance, especially on systems with many CPUs. (BZ#1109348)

Targetd plug-in from the libStorageMgmt API

Since Red Hat Enterprise Linux 7.1, storage array management with libStorageMgmt, a storage array independent API, has been fully supported. The provided API is stable, consistent, and allows developers to programmatically manage different storage arrays and utilize the hardware-accelerated features provided. System administrators can also use libStorageMgmt to manually configure storage and to automate storage management tasks with the included command-line interface.
The Targetd plug-in is not fully supported and remains a Technology Preview. (BZ#1119909)

Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)

DIF/DIX is a new addition to the SCSI Standard. It is fully supported in Red Hat Enterprise Linux 7 for the HBAs and storage arrays specified in the Features chapter, but it remains in Technology Preview for all other HBAs and storage arrays.
DIF/DIX increases the size of the commonly used 512 byte disk block from 512 to 520 bytes, adding the Data Integrity Field (DIF). The DIF stores a checksum value for the data block that is calculated by the Host Bus Adapter (HBA) when a write occurs. The storage device then confirms the checksum on receipt, and stores both the data and the checksum. Conversely, when a read occurs, the checksum can be verified by the storage device, and by the receiving HBA. (BZ#1072107)
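The write-side and read-side checks described above, as an added example that is not part of the release notes. It assumes the T10 Type 1 layout of the 8-byte field (16-bit guard CRC, 16-bit application tag, 32-bit reference tag holding the low bits of the logical block address); the function names and sample data are constructed for illustration.

```python
import struct

SECTOR = 512        # data bytes per block
PI_LEN = 8          # 520 - 512: the Data Integrity Field
T10_POLY = 0x8BB7   # CRC-16/T10-DIF generator polynomial


def crc16_t10dif(data: bytes) -> int:
    """Bitwise CRC-16/T10-DIF: initial value 0, MSB first, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ T10_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def protect(data: bytes, lba: int, app_tag: int = 0) -> bytes:
    """Write path: the HBA appends guard, application and reference tags."""
    if len(data) != SECTOR:
        raise ValueError("expected a 512-byte data block")
    dif = struct.pack(">HHI", crc16_t10dif(data), app_tag, lba & 0xFFFFFFFF)
    return data + dif


def verify(block: bytes, expected_lba: int) -> str:
    """Check done by the storage device on receipt and by the HBA on read."""
    if len(block) != SECTOR + PI_LEN:
        return "bad-length"
    data, dif = block[:SECTOR], block[SECTOR:]
    guard, _app_tag, ref_tag = struct.unpack(">HHI", dif)
    if guard != crc16_t10dif(data):
        return "guard-mismatch"      # data changed after the checksum was made
    if ref_tag != expected_lba & 0xFFFFFFFF:
        return "ref-mismatch"        # block belongs to a different address
    return "ok"


def demo() -> dict:
    """Run a clean block, a single-bit corruption and a misdirected block."""
    payload = bytes(range(256)) * 2              # constructed 512-byte sample
    written = protect(payload, lba=2048)
    flipped = bytearray(written)
    flipped[100] ^= 0x01                         # one bit changed in the data
    return {
        "length": len(written),
        "clean": verify(written, 2048),
        "bit_flip": verify(bytes(flipped), 2048),
        "misdirected": verify(written, 4096),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```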

Chapter 40. System and Subscription Management

YUM 4 available as Technology Preview

YUM version 4, a next generation of the YUM package manager, is now available as a Technology Preview in the Red Hat Enterprise Linux 7 Extras channel.
YUM 4 is based on the DNF technology and offers the following advantages over the standard YUM 3 used on RHEL 7:
  • Increased performance
  • Support for modular content
  • Well-designed stable API for integration with tooling
To install YUM 4, run the yum install nextgen-yum4 command.
To manage packages, use the yum4 command and its particular options the same way as the yum command.
For detailed information about differences between the new YUM 4 tool and YUM 3, see http://dnf.readthedocs.io/en/latest/cli_vs_yum.html. (BZ#1461652)

Chapter 41. Virtualization

eBPF system call for tracing

Red Hat Enterprise Linux 7.6 introduces the Extended Berkeley Packet Filter tool (eBPF) as a Technology Preview. This tool is enabled only for the tracing subsystem. For details, see the Red Hat Knowledgebase article at https://access.redhat.com/articles/3550581. (BZ#1559615, BZ#1559756, BZ#1311586)

USB 3.0 support for KVM guests

USB 3.0 host adapter (xHCI) emulation for KVM guests remains a Technology Preview in Red Hat Enterprise Linux 7. (BZ#1103193)

Select Intel network adapters now support SR-IOV as a guest on Hyper-V

In this update for Red Hat Enterprise Linux guest virtual machines running on Hyper-V, a new PCI passthrough driver adds the ability to use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters supported by the ixgbevf driver. This ability is enabled when the following conditions are met:
  • SR-IOV support is enabled for the network interface controller (NIC)
  • SR-IOV support is enabled for the virtual NIC
  • SR-IOV support is enabled for the virtual switch
The virtual function (VF) from the NIC is attached to the virtual machine.
The feature is currently supported with Microsoft Windows Server 2016. (BZ#1348508)

No-IOMMU mode for VFIO drivers

As a Technology Preview, this update adds No-IOMMU mode for virtual function I/O (VFIO) drivers. The No-IOMMU mode provides the user with full user-space I/O (UIO) access to a direct memory access (DMA)-capable device without an I/O memory management unit (IOMMU). Note that in addition to not being supported, using this mode is not secure due to the lack of I/O management provided by IOMMU. (BZ#1299662)

virt-v2v can now use vmx configuration files to convert VMware guests

As a Technology Preview, the virt-v2v utility now includes the vmx input mode, which enables the user to convert a guest virtual machine from a VMware vmx configuration file. Note that to do this, you also need access to the corresponding VMware storage, for example by mounting the storage using NFS. It is also possible to access the storage using SSH, by adding the -it ssh parameter. (BZ#1441197, BZ#1523767)

virt-v2v can convert Debian and Ubuntu guests

As a Technology Preview, the virt-v2v utility can now convert Debian and Ubuntu guest virtual machines. Note that the following problems currently occur when performing this conversion:
  • virt-v2v cannot change the default kernel in the GRUB2 configuration, and the kernel configured in the guest is not changed during the conversion, even if a more optimal version of the kernel is available on the guest.
  • After converting a Debian or Ubuntu VMware guest to KVM, the name of the guest's network interface may change, and thus requires manual configuration. (BZ#1387213)

Virtio devices can now use vIOMMU

As a Technology Preview, this update enables virtio devices to use virtual Input/Output Memory Management Unit (vIOMMU). This guarantees the security of Direct Memory Access (DMA) by allowing the device to DMA only to permitted addresses. However, note that only guest virtual machines using Red Hat Enterprise Linux 7.4 or later are able to use this feature. (BZ#1283251, BZ#1464891)

virt-v2v converts VMware guests faster and more reliably

As a Technology Preview, the virt-v2v utility can now use the VMware Virtual Disk Development Kit (VDDK) to import a VMware guest virtual machine to a KVM guest. This enables virt-v2v to connect directly to the VMware ESXi hypervisor, which improves the speed and reliability of the conversion.
Note that this conversion import method requires the external nbdkit utility and its VDDK plug-in. (BZ#1477912)

Open Virtual Machine Firmware

The Open Virtual Machine Firmware (OVMF) is available as a Technology Preview in Red Hat Enterprise Linux 7. OVMF is a UEFI secure boot environment for AMD64 and Intel 64 guests. (BZ#653382)

Part IV. Device Drivers

This part provides a comprehensive listing of all device drivers that are new or have been updated in Red Hat Enterprise Linux 7.6 Beta.

Chapter 42. New Drivers

Network Drivers

  • Thunderbolt network driver (thunderbolt-net.ko.xz).
  • AMD 10 Gigabit Ethernet Driver (amd-xgbe.ko.xz).

Storage Drivers

  • Command Queue Host Controller Interface driver (cqhci.ko.xz).

Graphics Drivers and Miscellaneous Drivers

  • DRM GPU scheduler (gpu-sched.ko.xz).
  • Closed hash table (chash.ko.xz).
  • RMI4 SMBus driver (rmi_smbus.ko.xz).
  • RMI bus.
  • RMI F03 module (rmi_core.ko.xz).
  • Dell WMI descriptor driver (dell-wmi-descriptor.ko.xz).
  • Intel® PMC Core Driver (intel_pmc_core.ko.xz).
  • Intel® WMI Thunderbolt force power driver (intel-wmi-thunderbolt.ko.xz).
  • ACPI Hardware Watchdog (WDAT) driver (wdat_wdt.ko.xz).
  • IIO helper functions for setting up triggered buffers (industrialio-triggered-buffer.ko.xz).
  • HID Sensor Pressure (hid-sensor-press.ko.xz).
  • HID Sensor Device Rotation (hid-sensor-rotation.ko.xz).
  • HID Sensor Inclinometer 3D (hid-sensor-incl-3d.ko.xz).
  • HID Sensor trigger processing (hid-sensor-trigger.ko.xz).
  • HID Sensor common attribute processing (hid-sensor-iio-common.ko.xz).
  • HID Sensor Magnetometer 3D (hid-sensor-magn-3d.ko.xz).
  • HID Sensor ALS (hid-sensor-als.ko.xz).
  • HID Sensor Proximity (hid-sensor-prox.ko.xz).
  • HID Sensor Gyroscope 3D (hid-sensor-gyro-3d.ko.xz).
  • HID Sensor Accel 3D (hid-sensor-accel-3d.ko.xz).
  • HID Sensor Hub driver (hid-sensor-hub.ko.xz).
  • HID Sensor Custom and Generic sensor driver (hid-sensor-custom.ko.xz).

Chapter 43. Updated Drivers

Storage Driver Updates

  • The Microsemi Smart Family Controller driver (smartpqi.ko.xz) has been updated to version 1.1.4-115.
  • The HP Smart Array Controller driver (hpsa.ko.xz) has been updated to version 3.4.20-125-RH1.
  • The Emulex LightPulse Fibre Channel SCSI driver (lpfc.ko.xz) has been updated to version 0:12.0.0.5.
  • The Avago MegaRAID SAS driver (megaraid_sas.ko.xz) has been updated to version 07.705.02.00-rh1.
  • The Dell PERC2, 2/Si, 3/Si, 3/Di, Adaptec Advanced Raid Products, HP NetRAID-4M, IBM ServeRAID & ICP SCS driver (aacraid.ko.xz) has been updated to version 1.2.1[50877]-custom.
  • The QLogic FastLinQ 4xxxx iSCSI Module driver (qedi.ko.xz) has been updated to version 8.33.0.20.
  • The QLogic Fibre Channel HBA driver (qla2xxx.ko.xz) has been updated to version 10.00.00.06.07.6-k.
  • The QLogic QEDF 25/40/50/100Gb FCoE driver (qedf.ko.xz) has been updated to version 8.33.0.20.
  • The LSI MPT Fusion SAS 3.0 Device driver (mpt3sas.ko.xz) has been updated to version 16.100.01.00.
  • The LSI MPT Fusion SAS 2.0 Device driver (mpt2sas.ko.xz) has been updated to version 20.103.01.00.

Network Driver Updates

  • The Realtek RTL8152/RTL8153 Based USB Ethernet Adapters driver (r8152.ko.xz) has been updated to version v1.09.9.
  • The VMware vmxnet3 virtual NIC driver (vmxnet3.ko.xz) has been updated to version 1.4.14.0-k.
  • The Intel® Ethernet Connection XL710 Network driver (i40e.ko.xz) has been updated to version 2.3.2-k.
  • The Intel® 10 Gigabit Virtual Function Network driver (ixgbevf.ko.xz) has been updated to version 4.1.0-k-rh7.6.
  • The Intel® 10 Gigabit PCI Express Network driver (ixgbe.ko.xz) has been updated to version 5.1.0-k-rh7.6.
  • The Intel® XL710 X710 Virtual Function Network driver (i40evf.ko.xz) has been updated to version 3.2.2-k.
  • The Intel® Ethernet Switch Host Interface driver (fm10k.ko.xz) has been updated to version 0.22.1-k.
  • The Broadcom BCM573xx network driver (bnxt_en.ko.xz) has been updated to version 1.9.1.
  • The Cavium LiquidIO Intelligent Server Adapter driver (liquidio.ko.xz) has been updated to version 1.7.2.
  • The Cavium LiquidIO Intelligent Server Adapter Virtual Function driver (liquidio_vf.ko.xz) has been updated to version 1.7.2.
  • The Elastic Network Adapter (ENA) driver (ena.ko.xz) has been updated to version 1.5.0K.
  • The aQuantia Corporation Network driver (atlantic.ko.xz) has been updated to version 2.0.2.1-kern.
  • The QLogic FastLinQ 4xxxx Ethernet driver (qede.ko.xz) has been updated to version 8.33.0.20.
  • The QLogic FastLinQ 4xxxx Core Module driver (qed.ko.xz) has been updated to version 8.33.0.20.
  • The Cisco VIC Ethernet NIC driver (enic.ko.xz) has been updated to version 2.3.0.53.

Graphics Driver and Miscellaneous Driver Updates

  • The VMware Memory Control (Balloon) driver (vmw_balloon.ko.xz) has been updated to version 1.4.1.0-k.
  • The HP watchdog driver (hpwdt.ko.xz) has been updated to version 1.4.0-RH1k.
  • The standalone drm driver for the VMware SVGA device (vmwgfx.ko.xz) has been updated to version 2.14.1.0.

Chapter 44. Deprecated Functionality

This chapter provides an overview of functionality that has been deprecated in all minor releases of Red Hat Enterprise Linux 7 up to Red Hat Enterprise Linux 7.6 Beta.
Deprecated functionality continues to be supported until the end of life of Red Hat Enterprise Linux 7. Deprecated functionality will likely not be supported in future major releases of this product and is not recommended for new deployments. For the most recent list of deprecated functionality within a particular major release, refer to the latest version of release documentation.
Deprecated hardware components are not recommended for new deployments on the current or future major releases. Hardware driver updates are limited to security and critical fixes only. Red Hat recommends replacing this hardware as soon as reasonably feasible.
A package can be deprecated and not recommended for further use. Under certain circumstances, a package can be removed from a product. Product documentation then identifies more recent packages that offer functionality similar, identical, or more advanced to the one deprecated, and provides further recommendations.

Python 2 has been deprecated

Python 2 will be replaced with Python 3 in the next Red Hat Enterprise Linux (RHEL) major release.
See the Conservative Python 3 Porting Guide for information on how to migrate large code bases to Python 3.
Note that Python 3 is available to RHEL customers, and supported on RHEL, as a part of Red Hat Software Collections.

LVM libraries and LVM Python bindings have been deprecated

The lvm2app library and LVM Python bindings, which are provided by the lvm2-python-libs package, have been deprecated.
Red Hat recommends the following solutions instead:
  • The LVM D-Bus API in combination with the lvm2-dbusd service. This requires using Python version 3.
  • The LVM command-line utilities with JSON formatting; this formatting has been available since the lvm2 package version 2.02.158.

Mirrored mirror log has been deprecated in LVM

The mirrored mirror log feature of mirrored LVM volumes has been deprecated. A future major release of Red Hat Enterprise Linux will no longer support creating or activating LVM volumes with a mirrored mirror log.
The recommended replacements are:
  • RAID1 LVM volumes. The main advantage of RAID1 volumes is their ability to work even in degraded mode and to recover after a transient failure. For information on converting mirrored volumes to RAID1, see the Converting a Mirrored LVM Device to a RAID1 Device section in the LVM Administration guide.
  • Disk mirror log. To convert a mirrored mirror log to disk mirror log, use the following command: lvconvert --mirrorlog disk my_vg/my_lv.

Deprecated packages related to Identity Management and security

The following packages have been deprecated and will not be included in a future major release of Red Hat Enterprise Linux:
| Deprecated packages | Proposed replacement package or product |
|---|---|
| authconfig | authselect |
| pam_pkcs11 | sssd [a] |
| pam_krb5 | sssd [b] |
| openldap-servers | Depending on the use case, migrate to Identity Management included in Red Hat Enterprise Linux or to Red Hat Directory Server. [c] |
| mod_auth_kerb | mod_auth_gssapi |
| python-kerberos, python-krbV | python-gssapi |
| python-requests-kerberos | python-requests-gssapi |
| hesiod | No replacement available. |
| mod_nss | mod_ssl |
| mod_revocator | No replacement available. |

[a] System Security Services Daemon (SSSD) contains enhanced smart card functionality.
[b] For details on migrating from pam_krb5 to sssd, see Migrating from pam_krb5 to sssd in the upstream SSSD documentation.
[c] Red Hat Directory Server requires a valid Directory Server subscription. For details, see also What is the support status of the LDAP-server shipped with Red Hat Enterprise Linux? in Red Hat Knowledgebase.

Note

In Red Hat Enterprise Linux 7.5, the following packages were added to the table above:
  • mod_auth_kerb
  • python-kerberos, python-krbV
  • python-requests-kerberos
  • hesiod
  • mod_nss
  • mod_revocator

The Clevis HTTP pin has been deprecated

The Clevis HTTP pin has been deprecated. This feature will not be included in the next major version of Red Hat Enterprise Linux and will remain out of the distribution until further notice.

sssd-secrets has been deprecated

The sssd-secrets component of the System Security Services Daemon (SSSD) has been deprecated in Red Hat Enterprise Linux 7.6. This is because Custodia, a secrets service provider, is no longer actively developed. Use other Identity Management tools to store secrets, for example the Vaults.

Support for earlier IdM servers and for IdM replicas at domain level 0 will be limited

Red Hat does not plan to support using Identity Management (IdM) servers running Red Hat Enterprise Linux (RHEL) 7.3 and earlier with IdM clients of the next major release of RHEL. If you plan to introduce client systems running on the next major version of RHEL into a deployment that is currently managed by IdM servers running on RHEL 7.3 or earlier, be aware that you will need to upgrade the servers, moving them to RHEL 7.4 or later.
In the next major release of RHEL, only domain level 1 replicas will be supported. Before introducing IdM replicas running on the next major version of RHEL into an existing deployment, be aware that you will need to upgrade all IdM servers to RHEL 7.4 or later, and change the domain level to 1.
Consider planning the upgrade in advance if your deployment will be affected.

Bug-fix only support for the nss-pam-ldapd and NIS packages in the next major release of Red Hat Enterprise Linux

The nss-pam-ldapd packages and packages related to the NIS server will be released in the future major release of Red Hat Enterprise Linux but will receive a limited scope of support. Red Hat will accept bug reports but no new requests for enhancements. Customers are advised to migrate to the following replacement solutions:
| Affected packages | Proposed replacement package or product |
|---|---|
| nss-pam-ldapd | sssd |
| ypserv, ypbind, portmap, yp-tools | Identity Management in Red Hat Enterprise Linux |

Use the Go Toolset instead of golang

The golang package has been updated to version 1.9 with Red Hat Enterprise Linux 7.5.
The golang package, available in the Optional channel, will be removed from a future minor release of Red Hat Enterprise Linux 7. Developers are encouraged to use the Go Toolset instead, which is currently available as a Technology Preview through the Red Hat Developer program.

mesa-private-llvm will be replaced with llvm-private

The mesa-private-llvm package, which contains the LLVM-based runtime support for Mesa, will be replaced in a future minor release of Red Hat Enterprise Linux 7 with the llvm-private package.

libdbi and libdbi-drivers have been deprecated

The libdbi and libdbi-drivers packages will not be included in the next Red Hat Enterprise Linux (RHEL) major release.

Ansible deprecated in the Extras channel

Ansible and its dependencies will no longer be updated through the Extras channel. Instead, the Red Hat Ansible Engine product has been made available to Red Hat Enterprise Linux subscriptions and will provide access to the official Ansible Engine channel. Customers who have previously installed Ansible and its dependencies from the Extras channel are advised to enable and update from the Ansible Engine channel, or uninstall the packages as future errata will not be provided from the Extras channel.
Ansible was previously provided in Extras (for AMD64 and Intel 64 architectures, and IBM POWER, little endian) as a runtime dependency of, and limited in support to, the Red Hat Enterprise Linux (RHEL) System Roles. Ansible Engine is available today for AMD64 and Intel 64 architectures, with IBM POWER, little endian availability coming soon.
Note that Ansible in the Extras channel was not a part of the Red Hat Enterprise Linux FIPS validation process.
The following packages have been deprecated from the Extras channel:
  • ansible(-doc)
  • libtomcrypt
  • libtommath(-devel)
  • python2-crypto
  • python2-jmespath
  • python-httplib2
  • python-paramiko(-doc)
  • python-passlib
  • sshpass
For more information and guidance, see the Knowledgebase article at https://access.redhat.com/articles/3359651.
Note that Red Hat Enterprise Linux System Roles, available as a Technology Preview, continue to be distributed through the Extras channel. Although Red Hat Enterprise Linux System Roles no longer depend on the ansible package, installing ansible from the Ansible Engine repository is still needed to run playbooks which use Red Hat Enterprise Linux System Roles.

signtool has been deprecated

The signtool tool from the nss packages, which uses insecure signature algorithms, has been deprecated and will not be included in a future minor release of Red Hat Enterprise Linux.

TLS compression support has been removed from nss

To prevent security risks, such as the CRIME attack, support for TLS compression in the NSS library has been removed for all TLS versions. This change preserves the API compatibility.

Public web CAs are no longer trusted for code signing by default

The Mozilla CA certificate trust list distributed with Red Hat Enterprise Linux 7.5 no longer trusts any public web CAs for code signing. As a consequence, any software that uses the related flags, such as NSS or OpenSSL, no longer trusts these CAs for code signing by default. The software continues to fully support code signing trust. Additionally, it is still possible to configure CA certificates as trusted for code signing using system configuration.

Sendmail has been deprecated

Sendmail has been deprecated in Red Hat Enterprise Linux 7. Customers are advised to use Postfix, which is configured as the default Mail Transfer Agent (MTA).

dmraid has been deprecated

Since Red Hat Enterprise Linux 7.5, the dmraid packages have been deprecated. They will stay available in Red Hat Enterprise Linux 7 releases, but a future major release will no longer support legacy hybrid combined hardware and software RAID host bus adapters (HBAs).

Automatic loading of DCCP modules through socket layer is now disabled by default

For security reasons, automatic loading of the Datagram Congestion Control Protocol (DCCP) kernel modules through the socket layer is now disabled by default. This ensures that userspace applications cannot maliciously load any modules. All DCCP related modules can still be loaded manually through the modprobe program.
The /etc/modprobe.d/dccp-blacklist.conf configuration file for blacklisting the DCCP modules is included in the kernel package. Entries included there can be cleared by editing or removing this file to restore the previous behavior.
Note that any re-installation of the same kernel package or of a different version does not override manual changes. If the file is manually edited or removed, these changes persist across package installations.

rsyslog-libdbi has been deprecated

The rsyslog-libdbi sub-package, which contains one of the less used rsyslog modules, has been deprecated and will not be included in a future major release of Red Hat Enterprise Linux. Removing unused or rarely used modules helps users to conveniently find a database output to use.

The inputname option of the rsyslog imudp module has been deprecated

The inputname option of the imudp module for the rsyslog service has been deprecated. Use the name option instead.

SMBv1 is no longer installed with Microsoft Windows 10 and 2016 (updates 1709 and later)

Microsoft announced that the Server Message Block version 1 (SMBv1) protocol will no longer be installed with the latest versions of Microsoft Windows and Microsoft Windows Server. Microsoft also recommends that users disable SMBv1 on earlier versions of these products.
This update impacts Red Hat customers who operate their systems in a mixed Linux and Windows environment. Red Hat Enterprise Linux 7.1 and earlier support only the SMBv1 version of the protocol. Support for SMBv2 was introduced in Red Hat Enterprise Linux 7.2.
For details on how this change affects Red Hat customers, see SMBv1 no longer installed with latest Microsoft Windows 10 and 2016 update (version 1709) in Red Hat Knowledgebase.

FedFS has been deprecated

Federated File System (FedFS) has been deprecated because the upstream FedFS project is no longer being actively maintained. Red Hat recommends migrating FedFS installations to use autofs, which provides more flexible functionality.

Btrfs has been deprecated

The Btrfs file system has been in Technology Preview state since the initial release of Red Hat Enterprise Linux 6. Red Hat will not be moving Btrfs to a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux.
The Btrfs file system did receive numerous updates from the upstream in Red Hat Enterprise Linux 7.4 and will remain available in the Red Hat Enterprise Linux 7 series. However, this is the last planned update to this feature.

tcp_wrappers deprecated

The tcp_wrappers package has been deprecated. tcp_wrappers provides a library and a small daemon program that can monitor and filter incoming requests for audit, cyrus-imap, dovecot, nfs-utils, openssh, openldap, proftpd, sendmail, stunnel, syslog-ng, vsftpd, and various other network services.

nautilus-open-terminal replaced with gnome-terminal-nautilus

Since Red Hat Enterprise Linux 7.3, the nautilus-open-terminal package has been deprecated and replaced with the gnome-terminal-nautilus package. This package provides a Nautilus extension that adds the Open in Terminal option to the right-click context menu in Nautilus. nautilus-open-terminal is replaced by gnome-terminal-nautilus during the system upgrade.

sslwrap() removed from Python

The sslwrap() function has been removed from Python 2.7. After Python Enhancement Proposal (PEP) 466 was implemented, using this function resulted in a segmentation fault. The removal is consistent with upstream.
Red Hat recommends using the ssl.SSLContext class and the ssl.SSLContext.wrap_socket() function instead. Most applications can simply use the ssl.create_default_context() function, which creates a context with secure default settings. The default context uses the system's default trust store, too.
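The replacement described above, as an added example that is not part of the release notes. It is written for Python 3, where the same ssl API is available; the audit_context() and tls_connect() helpers and the host name in the usage comment are assumptions made for illustration.

```python
import socket
import ssl


def make_client_context(cafile=None):
    """Client context with the library's secure defaults.

    With no CA file given, create_default_context() loads the system
    trust store, requires a valid peer certificate and checks the host name.
    """
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def make_unverified_context():
    """A hand-built context of the kind often left behind when old code is
    ported: the channel is encrypted but the peer is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of weaknesses in an SSLContext (empty list means none found)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")
    if not ctx.check_hostname:
        findings.append("host name is not checked")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is allowed")
    return findings


def tls_connect(host, port=443, timeout=5.0, ctx=None):
    """Open a verified TLS connection; refuse to use a weak context."""
    if ctx is None:
        ctx = make_client_context()
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing weak TLS context: " + "; ".join(findings))
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # server_hostname drives both SNI and the host name check.
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise


if __name__ == "__main__":
    print("default context:", audit_context(make_client_context()) or "no findings")
    print("hand-built context:", audit_context(make_unverified_context()))
    # Usage against a real server (host name is a placeholder):
    #   with tls_connect("server.example.com") as tls:
    #       print(tls.version(), tls.getpeercert()["subject"])
```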

Symbols from libraries linked as dependencies no longer resolved by ld

Previously, the ld linker resolved any symbols present in any linked library, even if some libraries were linked only implicitly as dependencies of other libraries. This allowed developers to use symbols from the implicitly linked libraries in application code and omit explicitly specifying these libraries for linking.
For security reasons, ld has been changed to not resolve references to symbols in libraries linked implicitly as dependencies.
As a result, linking with ld fails when application code attempts to use symbols from libraries not declared for linking and linked only implicitly as dependencies. To use symbols from libraries linked as dependencies, developers must explicitly link against these libraries as well.
To restore the previous behavior of ld, use the -copy-dt-needed-entries command-line option. (BZ#1292230)

Windows guest virtual machine support limited

As of Red Hat Enterprise Linux 7, Windows guest virtual machines are supported only under specific subscription programs, such as Advanced Mission Critical (AMC).

libnetlink is deprecated

The libnetlink library contained in the iproute-devel package has been deprecated. The user should use the libnl and libmnl libraries instead.

S3 and S4 power management states for KVM have been deprecated

Native KVM support for the S3 (suspend to RAM) and S4 (suspend to disk) power management states has been discontinued. This feature was previously available as a Technology Preview.

The Certificate Server plug-in udnPwdDirAuth is discontinued

The udnPwdDirAuth authentication plug-in for the Red Hat Certificate Server was removed in Red Hat Enterprise Linux 7.3. Profiles using the plug-in are no longer supported. Certificates created with a profile using the udnPwdDirAuth plug-in are still valid if they have been approved.

Red Hat Access plug-in for IdM is discontinued

The Red Hat Access plug-in for Identity Management (IdM) was removed in Red Hat Enterprise Linux 7.3. During the update, the redhat-access-plugin-ipa package is automatically uninstalled. Features previously provided by the plug-in, such as Knowledgebase access and support case engagement, are still available through the Red Hat Customer Portal. Red Hat recommends exploring alternatives, such as the redhat-support-tool tool.

The Ipsilon identity provider service for federated single sign-on

The ipsilon packages were introduced as Technology Preview in Red Hat Enterprise Linux 7.2. Ipsilon links authentication providers and applications or utilities to allow for single sign-on (SSO).
Red Hat does not plan to upgrade Ipsilon from Technology Preview to a fully supported feature. The ipsilon packages will be removed from Red Hat Enterprise Linux in a future minor release.
Red Hat has released Red Hat Single Sign-On as a web SSO solution based on the Keycloak community project. Red Hat Single Sign-On provides greater capabilities than Ipsilon and is designated as the standard web SSO solution across the Red Hat product portfolio.

Several rsyslog options deprecated

The rsyslog utility version in Red Hat Enterprise Linux 7.4 has deprecated a large number of options. These options no longer have any effect and cause a warning to be displayed.
  • The functionality previously provided by the options -c, -u, -q, -x, -A, -Q, -4, and -6 can be achieved using the rsyslog configuration.
  • There is no replacement for the functionality previously provided by the options -l and -s.

Deprecated symbols from the memkind library

The following symbols from the memkind library have been deprecated:
  • memkind_finalize()
  • memkind_get_num_kind()
  • memkind_get_kind_by_partition()
  • memkind_get_kind_by_name()
  • memkind_partition_mmap()
  • memkind_get_size()
  • MEMKIND_ERROR_MEMALIGN
  • MEMKIND_ERROR_MALLCTL
  • MEMKIND_ERROR_GETCPU
  • MEMKIND_ERROR_PMTT
  • MEMKIND_ERROR_TIEDISTANCE
  • MEMKIND_ERROR_ALIGNMENT
  • MEMKIND_ERROR_MALLOCX
  • MEMKIND_ERROR_REPNAME
  • MEMKIND_ERROR_PTHREAD
  • MEMKIND_ERROR_BADPOLICY
  • MEMKIND_ERROR_REPPOLICY

Options of Sockets API Extensions for SCTP (RFC 6458) deprecated

The options SCTP_SNDRCV, SCTP_EXTRCV and SCTP_DEFAULT_SEND_PARAM of Sockets API Extensions for the Stream Control Transmission Protocol have been deprecated per the RFC 6458 specification.
New options SCTP_SNDINFO, SCTP_NXTINFO and SCTP_DEFAULT_SNDINFO have been implemented as a replacement for the deprecated options.

Managing NetApp ONTAP using SSLv2 and SSLv3 is no longer supported by libstorageMgmt

The SSLv2 and SSLv3 connections to the NetApp ONTAP storage array are no longer supported by the libstorageMgmt library. Users can contact NetApp support to enable the Transport Layer Security (TLS) protocol.

dconf-dbus-1 has been deprecated and dconf-editor is now delivered separately

With this update, the dconf-dbus-1 API has been removed. However, the dconf-dbus-1 library has been backported to preserve binary compatibility. Red Hat recommends using the GDBus library instead of dconf-dbus-1.
The dconf-error.h file has been renamed to dconf-enums.h. In addition, the dconf Editor is now delivered in the separate dconf-editor package.

FreeRADIUS no longer accepts Auth-Type := System

The FreeRADIUS server no longer accepts the Auth-Type := System option for the rlm_unix authentication module. This option has been replaced by the use of the unix module in the authorize section of the configuration file.

Deprecated Device Drivers

The following device drivers continue to be supported until the end of life of Red Hat Enterprise Linux 7 but will likely not be supported in future major releases of this product and are not recommended for new deployments.
  • 3w-9xxx
  • 3w-sas
  • aic79xx
  • aoe
  • arcmsr
  • ata drivers:
    • acard-ahci
    • sata_mv
    • sata_nv
    • sata_promise
    • sata_qstor
    • sata_sil
    • sata_sil24
    • sata_sis
    • sata_svw
    • sata_sx4
    • sata_uli
    • sata_via
    • sata_vsc
  • bfa
  • cxgb3
  • cxgb3i
  • hptiop
  • initio
  • isci
  • iw_cxgb3
  • mptbase
  • mptctl
  • mptsas
  • mptscsih
  • mptspi
  • mtip32xx
  • mvsas
  • mvumi
  • OSD drivers:
    • osd
    • libosd
  • osst
  • pata drivers:
    • pata_acpi
    • pata_ali
    • pata_amd
    • pata_arasan_cf
    • pata_artop
    • pata_atiixp
    • pata_atp867x
    • pata_cmd64x
    • pata_cs5536
    • pata_hpt366
    • pata_hpt37x
    • pata_hpt3x2n
    • pata_hpt3x3
    • pata_it8213
    • pata_it821x
    • pata_jmicron
    • pata_marvell
    • pata_netcell
    • pata_ninja32
    • pata_oldpiix
    • pata_pdc2027x
    • pata_pdc202xx_old
    • pata_piccolo
    • pata_rdc
    • pata_sch
    • pata_serverworks
    • pata_sil680
    • pata_sis
    • pata_via
    • pdc_adma
  • pm80xx(pm8001)
  • pmcraid
  • qla3xxx
  • stex
  • sx8
  • ufshcd
  • wireless drivers:
    • CARL9170
    • IWLEGACY
    • IWL4965
    • IWL3945
    • MWL8K
    • RT73USB
    • RT61PCI
    • RTL8187
    • WIL6210

Deprecated Adapters

  • The following adapters from the aacraid driver have been deprecated:
    • PERC 2/Si (Iguana/PERC2Si), PCI ID 0x1028:0x0001
    • PERC 3/Di (Opal/PERC3Di), PCI ID 0x1028:0x0002
    • PERC 3/Si (SlimFast/PERC3Si), PCI ID 0x1028:0x0003
    • PERC 3/Di (Iguana FlipChip/PERC3DiF), PCI ID 0x1028:0x0004
    • PERC 3/Di (Viper/PERC3DiV), PCI ID 0x1028:0x0002
    • PERC 3/Di (Lexus/PERC3DiL), PCI ID 0x1028:0x0002
    • PERC 3/Di (Jaguar/PERC3DiJ), PCI ID 0x1028:0x000a
    • PERC 3/Di (Dagger/PERC3DiD), PCI ID 0x1028:0x000a
    • PERC 3/Di (Boxster/PERC3DiB), PCI ID 0x1028:0x000a
    • catapult, PCI ID 0x9005:0x0283
    • tomcat, PCI ID 0x9005:0x0284
    • Adaptec 2120S (Crusader), PCI ID 0x9005:0x0285
    • Adaptec 2200S (Vulcan), PCI ID 0x9005:0x0285
    • Adaptec 2200S (Vulcan-2m), PCI ID 0x9005:0x0285
    • Legend S220 (Legend Crusader), PCI ID 0x9005:0x0285
    • Legend S230 (Legend Vulcan), PCI ID 0x9005:0x0285
    • Adaptec 3230S (Harrier), PCI ID 0x9005:0x0285
    • Adaptec 3240S (Tornado), PCI ID 0x9005:0x0285
    • ASR-2020ZCR SCSI PCI-X ZCR (Skyhawk), PCI ID 0x9005:0x0285
    • ASR-2025ZCR SCSI SO-DIMM PCI-X ZCR (Terminator), PCI ID 0x9005:0x0285
    • ASR-2230S + ASR-2230SLP PCI-X (Lancer), PCI ID 0x9005:0x0286
    • ASR-2130S (Lancer), PCI ID 0x9005:0x0286
    • AAR-2820SA (Intruder), PCI ID 0x9005:0x0286
    • AAR-2620SA (Intruder), PCI ID 0x9005:0x0286
    • AAR-2420SA (Intruder), PCI ID 0x9005:0x0286
    • ICP9024RO (Lancer), PCI ID 0x9005:0x0286
    • ICP9014RO (Lancer), PCI ID 0x9005:0x0286
    • ICP9047MA (Lancer), PCI ID 0x9005:0x0286
    • ICP9087MA (Lancer), PCI ID 0x9005:0x0286
    • ICP5445AU (Hurricane44), PCI ID 0x9005:0x0286
    • ICP9085LI (Marauder-X), PCI ID 0x9005:0x0285
    • ICP5085BR (Marauder-E), PCI ID 0x9005:0x0285
    • ICP9067MA (Intruder-6), PCI ID 0x9005:0x0286
    • Themisto Jupiter Platform, PCI ID 0x9005:0x0287
    • Themisto Jupiter Platform, PCI ID 0x9005:0x0200
    • Callisto Jupiter Platform, PCI ID 0x9005:0x0286
    • ASR-2020SA SATA PCI-X ZCR (Skyhawk), PCI ID 0x9005:0x0285
    • ASR-2025SA SATA SO-DIMM PCI-X ZCR (Terminator), PCI ID 0x9005:0x0285
    • AAR-2410SA PCI SATA 4ch (Jaguar II), PCI ID 0x9005:0x0285
    • CERC SATA RAID 2 PCI SATA 6ch (DellCorsair), PCI ID 0x9005:0x0285
    • AAR-2810SA PCI SATA 8ch (Corsair-8), PCI ID 0x9005:0x0285
    • AAR-21610SA PCI SATA 16ch (Corsair-16), PCI ID 0x9005:0x0285
    • ESD SO-DIMM PCI-X SATA ZCR (Prowler), PCI ID 0x9005:0x0285
    • AAR-2610SA PCI SATA 6ch, PCI ID 0x9005:0x0285
    • ASR-2240S (SabreExpress), PCI ID 0x9005:0x0285
    • ASR-4005, PCI ID 0x9005:0x0285
    • IBM 8i (AvonPark), PCI ID 0x9005:0x0285
    • IBM 8i (AvonPark Lite), PCI ID 0x9005:0x0285
    • IBM 8k/8k-l8 (Aurora), PCI ID 0x9005:0x0286
    • IBM 8k/8k-l4 (Aurora Lite), PCI ID 0x9005:0x0286
    • ASR-4000 (BlackBird), PCI ID 0x9005:0x0285
    • ASR-4800SAS (Marauder-X), PCI ID 0x9005:0x0285
    • ASR-4805SAS (Marauder-E), PCI ID 0x9005:0x0285
    • ASR-3800 (Hurricane44), PCI ID 0x9005:0x0286
    • Perc 320/DC, PCI ID 0x9005:0x0285
    • Adaptec 5400S (Mustang), PCI ID 0x1011:0x0046
    • Adaptec 5400S (Mustang), PCI ID 0x1011:0x0046
    • Dell PERC2/QC, PCI ID 0x1011:0x0046
    • HP NetRAID-4M, PCI ID 0x1011:0x0046
    • Dell Catchall, PCI ID 0x9005:0x0285
    • Legend Catchall, PCI ID 0x9005:0x0285
    • Adaptec Catch All, PCI ID 0x9005:0x0285
    • Adaptec Rocket Catch All, PCI ID 0x9005:0x0286
    • Adaptec NEMER/ARK Catch All, PCI ID 0x9005:0x0288
  • The following adapters from the mpt2sas driver have been deprecated:
    • SAS2004, PCI ID 0x1000:0x0070
    • SAS2008, PCI ID 0x1000:0x0072
    • SAS2108_1, PCI ID 0x1000:0x0074
    • SAS2108_2, PCI ID 0x1000:0x0076
    • SAS2108_3, PCI ID 0x1000:0x0077
    • SAS2116_1, PCI ID 0x1000:0x0064
    • SAS2116_2, PCI ID 0x1000:0x0065
    • SSS6200, PCI ID 0x1000:0x007E
  • The following adapters from the megaraid_sas driver have been deprecated:
    • Dell PERC5, PCI ID 0x1028:0x15
    • SAS1078R, PCI ID 0x1000:0x60
    • SAS1078DE, PCI ID 0x1000:0x7C
    • SAS1064R, PCI ID 0x1000:0x411
    • VERDE_ZCR, PCI ID 0x1000:0x413
    • SAS1078GEN2, PCI ID 0x1000:0x78
    • SAS0079GEN2, PCI ID 0x1000:0x79
    • SAS0073SKINNY, PCI ID 0x1000:0x73
    • SAS0071SKINNY, PCI ID 0x1000:0x71
  • The following adapters from the qla2xxx driver have been deprecated:
    • ISP24xx, PCI ID 0x1077:0x2422
    • ISP24xx, PCI ID 0x1077:0x2432
    • ISP2422, PCI ID 0x1077:0x5422
    • QLE220, PCI ID 0x1077:0x5432
    • QLE81xx, PCI ID 0x1077:0x8001
    • QLE10000, PCI ID 0x1077:0xF000
    • QLE84xx, PCI ID 0x1077:0x8044
    • QLE8000, PCI ID 0x1077:0x8432
    • QLE82xx, PCI ID 0x1077:0x8021
  • The following adapters from the qla4xxx driver have been deprecated:
    • QLOGIC_ISP8022, PCI ID 0x1077:0x8022
    • QLOGIC_ISP8324, PCI ID 0x1077:0x8032
    • QLOGIC_ISP8042, PCI ID 0x1077:0x8042
  • The following Ethernet adapter controlled by the be2net driver has been deprecated:
    • TIGERSHARK NIC, PCI ID 0x0700
  • The following adapters from the be2iscsi driver have been deprecated:
    • Emulex OneConnect 10Gb iSCSI Initiator (generic), PCI ID 0x212
    • OCe10101, OCm10101, OCe10102, OCm10102 BE2 adapter family, PCI ID 0x702
    • OCe10100 BE2 adapter family, PCI ID 0x703
  • The following adapters from the lpfc driver have been deprecated:
    • BladeEngine 2 (BE2) Devices
      • TIGERSHARK FCOE, PCI ID 0x0704
    • Fibre Channel (FC) Devices
      • FIREFLY, PCI ID 0x1ae5
      • PROTEUS_VF, PCI ID 0xe100
      • BALIUS, PCI ID 0xe131
      • PROTEUS_PF, PCI ID 0xe180
      • RFLY, PCI ID 0xf095
      • PFLY, PCI ID 0xf098
      • LP101, PCI ID 0xf0a1
      • TFLY, PCI ID 0xf0a5
      • BSMB, PCI ID 0xf0d1
      • BMID, PCI ID 0xf0d5
      • ZSMB, PCI ID 0xf0e1
      • ZMID, PCI ID 0xf0e5
      • NEPTUNE, PCI ID 0xf0f5
      • NEPTUNE_SCSP, PCI ID 0xf0f6
      • NEPTUNE_DCSP, PCI ID 0xf0f7
      • FALCON, PCI ID 0xf180
      • SUPERFLY, PCI ID 0xf700
      • DRAGONFLY, PCI ID 0xf800
      • CENTAUR, PCI ID 0xf900
      • PEGASUS, PCI ID 0xf980
      • THOR, PCI ID 0xfa00
      • VIPER, PCI ID 0xfb00
      • LP10000S, PCI ID 0xfc00
      • LP11000S, PCI ID 0xfc10
      • LPE11000S, PCI ID 0xfc20
      • PROTEUS_S, PCI ID 0xfc50
      • HELIOS, PCI ID 0xfd00
      • HELIOS_SCSP, PCI ID 0xfd11
      • HELIOS_DCSP, PCI ID 0xfd12
      • ZEPHYR, PCI ID 0xfe00
      • HORNET, PCI ID 0xfe05
      • ZEPHYR_SCSP, PCI ID 0xfe11
      • ZEPHYR_DCSP, PCI ID 0xfe12
To check the PCI IDs of the hardware on your system, run the lspci -nn command.
Note that other adapters from the mentioned drivers that are not listed here remain unchanged.
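One way to automate the lspci -nn check, as an added example that is not part of the release notes. The ID table is transcribed from the mpt2sas, megaraid_sas, qla2xxx and qla4xxx lists above only (the aacraid list and the entries given without a vendor ID are left out), the sample lspci output is constructed, and the function names are assumptions.

```python
import re
import subprocess

# vendor:device pairs copied from the adapter lists above (four drivers only).
DEPRECATED_IDS = {
    "mpt2sas": ["0x1000:0x0070", "0x1000:0x0072", "0x1000:0x0074",
                "0x1000:0x0076", "0x1000:0x0077", "0x1000:0x0064",
                "0x1000:0x0065", "0x1000:0x007E"],
    "megaraid_sas": ["0x1028:0x15", "0x1000:0x60", "0x1000:0x7C",
                     "0x1000:0x411", "0x1000:0x413", "0x1000:0x78",
                     "0x1000:0x79", "0x1000:0x73", "0x1000:0x71"],
    "qla2xxx": ["0x1077:0x2422", "0x1077:0x2432", "0x1077:0x5422",
                "0x1077:0x5432", "0x1077:0x8001", "0x1077:0xF000",
                "0x1077:0x8044", "0x1077:0x8432", "0x1077:0x8021"],
    "qla4xxx": ["0x1077:0x8022", "0x1077:0x8032", "0x1077:0x8042"],
}

# lspci -nn prints the device as [vvvv:dddd]; the class code is [cccc] with no colon.
ID_RE = re.compile(r"\[([0-9a-f]{4}):([0-9a-f]{4})\]", re.IGNORECASE)

# Constructed sample of `lspci -nn` output, used when lspci is not available.
SAMPLE_LSPCI = """
00:1f.2 SATA controller [0106]: Intel Corporation 6 Series/C200 Series Chipset Family SATA AHCI Controller [8086:1c02] (rev 05)
02:00.0 Serial Attached SCSI controller [0107]: LSI Logic / Symbios Logic SAS2008 PCI-Express Fusion-MPT SAS-2 [Falcon] [1000:0072] (rev 03)
03:00.0 RAID bus controller [0104]: LSI Logic / Symbios Logic MegaRAID SAS 1078 [1000:0060] (rev 04)
05:00.0 Fibre Channel [0c04]: QLogic Corp. ISP2432-based 4Gb Fibre Channel to PCI Express HBA [1077:2432] (rev 03)
06:00.0 Ethernet controller [0200]: Intel Corporation I350 Gigabit Network Connection [8086:1521] (rev 01)
"""


def normalize(pci_id):
    """Turn the notes' '0x1000:0x7C' notation into lspci's '1000:007c'."""
    vendor, device = pci_id.split(":")
    return "%04x:%04x" % (int(vendor, 16), int(device, 16))


def build_index(table):
    """Map each normalized vendor:device pair to the driver that lists it."""
    return {normalize(pci_id): driver
            for driver, ids in table.items() for pci_id in ids}


def find_deprecated(lspci_text, index=None):
    """Return (slot, vendor:device, driver) for every listed adapter found."""
    if index is None:
        index = build_index(DEPRECATED_IDS)
    hits = []
    for line in lspci_text.splitlines():
        matches = ID_RE.findall(line)
        if not matches:
            continue
        vendor, device = matches[-1]          # last [vvvv:dddd] on the line
        pci_id = ("%s:%s" % (vendor, device)).lower()
        driver = index.get(pci_id)
        if driver:
            hits.append((line.split()[0], pci_id, driver))
    return hits


def scan_host():
    """Run lspci -nn on this machine and report listed adapters."""
    out = subprocess.check_output(["lspci", "-nn"]).decode("utf-8", "replace")
    return find_deprecated(out)


if __name__ == "__main__":
    for slot, pci_id, driver in find_deprecated(SAMPLE_LSPCI):
        print("%s  %s  listed as deprecated under %s" % (slot, pci_id, driver))
```

A hit is a candidate to confirm against the full lists above, which remain the reference.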

The libcxgb3 library and the cxgb3 firmware package have been deprecated

The libcxgb3 library provided by the libibverbs package and the cxgb3 firmware package have been deprecated. They continue to be supported in Red Hat Enterprise Linux 7 but will likely not be supported in the next major releases of this product. This change corresponds with the deprecation of the cxgb3, cxgb3i, and iw_cxgb3 drivers listed above.

SFN4XXX adapters have been deprecated

Starting with Red Hat Enterprise Linux 7.4, SFN4XXX Solarflare network adapters have been deprecated. Previously, Solarflare had a single driver sfc for all adapters. Recently, support of SFN4XXX was split from sfc and moved into a new SFN4XXX-only driver, called sfc-falcon. Both drivers continue to be supported at this time, but sfc-falcon and SFN4XXX support is scheduled for removal in a future major release.

Software-initiated-only FCoE storage technologies have been deprecated

The software-initiated-only type of the Fibre Channel over Ethernet (FCoE) storage technology has been deprecated due to limited customer adoption. The software-initiated-only storage technology will remain supported for the life of Red Hat Enterprise Linux 7. The deprecation notice indicates the intention to remove software-initiated-based FCoE support in a future major release of Red Hat Enterprise Linux.
It is important to note that the hardware support and the associated user-space tools (such as drivers, libfc, or libfcoe) are unaffected by this deprecation notice.

Containers using the libvirt-lxc tooling have been deprecated

The following libvirt-lxc packages are deprecated since Red Hat Enterprise Linux 7.1:
  • libvirt-daemon-driver-lxc
  • libvirt-daemon-lxc
  • libvirt-login-shell
Future development on the Linux containers framework is now based on the docker command-line interface. libvirt-lxc tooling may be removed in a future release of Red Hat Enterprise Linux (including Red Hat Enterprise Linux 7) and should not be relied upon for developing custom container management applications.
For more information, see the Red Hat KnowledgeBase article.

The Perl and shell scripts for Directory Server have been deprecated

The Perl and shell scripts, which are provided by the 389-ds-base package, have been deprecated. The scripts will be replaced by new utilities in the next major release of Red Hat Enterprise Linux.
The Shell Scripts and Perl Scripts sections in the Red Hat Directory Server Command, Configuration, and File Reference have been updated. The descriptions of affected scripts now contain a note that they are deprecated.

libguestfs can no longer inspect ISO installer files

The libguestfs library no longer supports inspecting ISO installer files, for example using the guestfish or virt-inspector utilities. Use the osinfo-detect command for inspecting ISO files instead. This command can be obtained from the libosinfo package.

Creating internal snapshots of virtual machines has been deprecated

Due to their lack of optimization and stability, internal virtual machine snapshots are now deprecated. In their stead, external snapshots are recommended for use. For more information, including instructions for creating external snapshots, see the Virtualization Deployment and Administration Guide.

The emulation of the DMI-to-PCI bridge has been deprecated

The emulated dmi-to-pci-bridge device (i82801b11-bridge) has become deprecated. The pcie-pci-bridge device is recommended for use instead. Note that it may not be possible to migrate virtual machines that have PCI devices attached and use i82801b11-bridge to hosts that use RHEL 7.6 and later.

virt-v2v and virt-p2v have been deprecated on IBM POWER, IBM Z, and the 64-bit ARM architecture

Due to incompatibility with multi-architecture environments, the virt-v2v and virt-p2v utilities are now supported only on AMD64 and Intel 64 systems. As such, they have become deprecated on the following architectures:
  • IBM POWER8
  • IBM POWER9
  • IBM Z
  • The 64-bit ARM architecture

IVSHMEM is now deprecated

The inter-VM shared memory device (IVSHMEM) feature has become deprecated. Therefore, using shared memory between multiple virtual machines in the form of a PCI device that exposes memory to guests is now unsupported.

Part V. Known Issues

This part documents known problems in Red Hat Enterprise Linux 7.6 Beta.

Chapter 45. Authentication and Interoperability

RADIUS proxy functionality is now also available in IdM running in FIPS mode

In FIPS mode, OpenSSL disables the use of the MD5 digest algorithm by default. Consequently, because the RADIUS protocol requires MD5 to encrypt a secret between the RADIUS client and the RADIUS server, the unavailability of MD5 in FIPS mode causes the RHEL Identity Management (IdM) RADIUS proxy server to fail.
If the RADIUS server is running on the same host as the IdM master, you can work around the problem and enable MD5 within the secure perimeter.
To do that, create a file /etc/systemd/system/radiusd.service.d/ipa-otp.conf with the following content:
# /etc/systemd/system/radiusd.service.d/ipa-otp.conf
[Service]
Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1
To apply the change, reload the systemd configuration:
# systemctl daemon-reload
and start the radiusd service:
# systemctl start radiusd
The configuration of the RADIUS proxy requires the use of a common secret between the client and the server to wrap credentials. Specify this secret in the configuration of the RADIUS proxy in RHEL IdM using the command line interface (CLI) or web UI. To do it in the CLI:
# ipa radiusproxy-add name_of_your_proxy_server --secret your_secret
(BZ#1571754)
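Where MD5 sits in the protocol, as an added example that is not part of the release notes: the User-Password hiding (RFC 2865, section 5.2) and the Response Authenticator (RFC 2865, section 3), written for Python 3. The shared secret, password, authenticator and attribute bytes are constructed, and the function names are assumptions.

```python
import hashlib
import struct

BLOCK = 16  # MD5 digest size; the password is hidden in 16-octet blocks


def _md5(data):
    # This is the call that a FIPS-mode host refuses unless MD5 has been
    # explicitly allowed for the process, as in the drop-in file above.
    return hashlib.md5(data).digest()


def hide_password(password, secret, authenticator):
    """c(1) = p(1) XOR MD5(secret + RA); c(i) = p(i) XOR MD5(secret + c(i-1))."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = _md5(secret + prev)
        prev = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += prev
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password(); strips the trailing null padding."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a multiple of 16 octets")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        keystream = _md5(secret + prev)
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")


def response_authenticator(code, ident, attributes, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    length = 20 + len(attributes)          # 20-octet header plus attributes
    header = struct.pack("!BBH", code, ident, length)
    return _md5(header + request_auth + attributes + secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed value
    request_auth = bytes(range(16))         # constructed; random in real use
    hidden = hide_password(b"correct horse battery", secret, request_auth)
    print("hidden User-Password:", hidden.hex())
    print("revealed:", reveal_password(hidden, secret, request_auth))
    # Code 2 is Access-Accept; the attribute bytes are constructed.
    print("Response Authenticator:",
          response_authenticator(2, 1, b"\x12\x04ok", request_auth, secret).hex())
```

Both computations call MD5 directly, which is why the proxy fails when the digest is unavailable in FIPS mode.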

Chapter 46. Compiler and Tools

GCC thread sanitizer included in RHEL no longer works

Due to incompatible changes in kernel memory mapping, the thread sanitizer included with the GNU C Compiler (GCC) version in RHEL no longer works. Additionally, the thread sanitizer cannot be adapted to the incompatible memory layout. As a result, it is no longer possible to use the GCC thread sanitizer included with RHEL.
As a workaround, use the version of GCC included in Red Hat Developer Toolset to build code which uses the thread sanitizer. (BZ#1569484)

Chapter 47. File Systems

An incorrect error message when mounting NFS fails

The mount utility prints the operation not permitted error message if the PUTROOTFH operation encounters the EACCES error when mounting an NFS share. This message is inaccurate.
In Red Hat Enterprise Linux 6, the access denied message was printed instead. (BZ#1428549)

XFS disables per-inode DAX functionality

Per-inode direct access (DAX) options are now disabled in the XFS file system due to unresolved issues with this feature. XFS now ignores existing per-inode DAX flags on the disk.
You can still set file system DAX behavior using the dax mount option:
# mount -o dax device mount-point
(BZ#1623150)

Chapter 48. Installation and Booting

Red Hat Enterprise Linux 7 Beta releases can not boot with UEFI Secure Boot enabled

Beta releases of Red Hat Enterprise Linux 7 use a kernel signing key which is not recognized by UEFI firmware, which means it is not normally possible to boot with Secure Boot enabled. However, you can install the system with Secure Boot disabled, manually import the key into your system's firmware, and then enable the setting. The procedure below explains the process.
Note that this only applies to Beta releases of Red Hat Enterprise Linux. The kernel signing keys used in final releases are recognized by most UEFI firmware, making the procedure unnecessary.
1. In the system's firmware setup, turn off UEFI Secure Boot, but leave UEFI boot mode enabled. Then install Red Hat Enterprise Linux 7.4 Beta. Caution: Do not switch to legacy BIOS mode to turn off UEFI secure boot - you can not switch UEFI mode back on and still boot the system if you first install in legacy mode.
2. Install the kernel-doc package if it is not already installed.
# yum install kernel-doc
The package provides a certificate file that contains the Red Hat CA public Beta key in the file /usr/share/doc/kernel-keys/<kernel-ver>/kernel-signing-ca.cer, where <kernel-ver> is the kernel version string without the platform architecture suffix, for example, 3.10.0-686.el7.
3. Manually request enrollment of the public key to the Machine Owner Key (MOK) list on the system using the mokutil utility. Run the following commands as root:
# kr=$(uname -r)
# mokutil --import /usr/share/doc/kernel-keys/${kr%.$(uname -p)}/kernel-signing-ca.cer
You will be asked to supply a password for the enrollment request.
4. On the next boot of the system, you will be prompted on the system console to complete the enrollment of the MOK request. You will need to respond to the prompts and supply the password that you provided to mokutil in the previous step.
5. When you complete the MOK enrollment, the system will be reset and will reboot. You can re-enable UEFI Secure Boot on that reboot, or on any subsequent reboot of the system. (BZ#1456652)

Chapter 49. Kernel

Cache information is missing in sysfs if firmware does not support ACPI PPTT

The kernel-alt package has been updated to use the Advanced Configuration and Power Interface Processor Properties Topology Table (ACPI PPTT) to populate CPU topology including the CPU's cache information. Consequently, on systems whose firmware does not support ACPI PPTT, the /sys/devices/system/cpu/cpu0/cache file does not contain the cache information. To work around this problem, check for updated firmware that includes ACPI PPTT support with your hardware vendor. (BZ#1615370)

Chapter 50. Networking

Verification of signatures using the MD5 hash algorithm is disabled in Red Hat Enterprise Linux 7

It is impossible to connect to any Wi-Fi Protected Access (WPA) Enterprise Access Point (AP) that requires MD5 signed certificates. To work around this problem, copy the wpa_supplicant.service file from the /usr/lib/systemd/system/ directory to the /etc/systemd/system/ directory and add the following line to the Service section of the file:
Environment=OPENSSL_ENABLE_MD5_VERIFY=1
Then run the systemctl daemon-reload command as root to reload the service file.
Important: Note that MD5 certificates are highly insecure and Red Hat does not recommend using them. (BZ#1062656)

Chapter 51. Servers and Services

Rsyslog cannot proceed if the default maximum of open files is exceeded

Rsyslog sometimes runs over the default limits for maximum number of open files. Consequently, rsyslog cannot open new files.
To work around this problem, modify the rsyslog configuration by increasing this limit to align with systemd-journald. To do so, create a drop-in file named /etc/systemd/system/rsyslog.service.d/increase_nofile_limit.conf with the following content:
[Service]
LimitNOFILE=16384
(BZ#1553700)
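To confirm that the raised limit is in effect and to see how close the daemon is to it, the soft limit and the open descriptor count can both be read from /proc. The following check is an added example, not part of the original release notes; the function names, the 80 percent threshold, and the sample directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the release notes): compare a process's open file
# descriptors with its soft "Max open files" limit, as exposed under /proc.

WARN_PCT=80   # assumed alert threshold, not a value from the release notes

# fd_headroom PROCDIR   (PROCDIR is a /proc/<pid> directory)
# Prints "open=N soft=M pct=P". Returns 0 below WARN_PCT, 1 at or above it,
# and 2 when the limit or descriptor list cannot be read.
fd_headroom() {
    procdir=$1
    [ -r "$procdir/limits" ] && [ -r "$procdir/fd" ] || return 2
    # Row format: "Max open files  <soft>  <hard>  files"; soft is field 4.
    soft=$(awk '/^Max open files/ { print $4 }' "$procdir/limits")
    case $soft in ''|0|*[!0-9]*) return 2 ;; esac
    open=$(ls -1A "$procdir/fd" | wc -l | tr -d ' ')
    pct=$((open * 100 / soft))
    echo "open=$open soft=$soft pct=$pct"
    [ "$pct" -lt "$WARN_PCT" ]
}

# make_sample_proc DIR COUNT SOFT: constructed stand-in for /proc/<pid>.
make_sample_proc() {
    mkdir -p "$1/fd"
    n=0
    while [ "$n" -lt "$2" ]; do : > "$1/fd/$n"; n=$((n + 1)); done
    printf 'Limit                     Soft Limit           Hard Limit           Units\n' > "$1/limits"
    printf 'Max open files            %-20s %-20s files\n' "$3" "$3" >> "$1/limits"
}

# On a real host (as root), check the running daemon if there is one.
pid=$(pgrep -x rsyslogd 2>/dev/null | head -n 1) || true
[ -z "$pid" ] || fd_headroom "/proc/$pid" || true
```

After the drop-in is created, the service must be restarted (following systemctl daemon-reload) before the soft value reported here changes.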

Chapter 52. Storage

LVM does not support event-based autoactivation of incomplete volume groups

If a volume group is not complete and physical volumes are missing, LVM does not support automatic LVM event-based activation of that volume group. This implies a setting of --activationmode complete whenever autoactivation takes place. For information on the --activationmode complete option and automatic activation, see the vgchange(8) and pvscan(8) man pages.
Note that the event-driven autoactivation hooks are enabled when lvmetad is enabled with the global/use_lvmetad=1 setting in the /etc/lvm/lvm.conf configuration file. Also note that without autoactivation, there is a direct activation hook at the exact time during boot at which the volume groups are activated with only the physical volumes that are available at that time. Any physical volumes that appear later are not taken into account.
This issue does not affect early boot in initramfs (dracut) nor does this affect direct activation from the command line using vgchange and lvchange calls, which default to degraded activation mode. (BZ#1337220)

The vdo service is disabled after upgrading to Red Hat Enterprise Linux 7.6

Upgrading from Red Hat Enterprise Linux 7.5 to 7.6 disables the vdo service if it was previously enabled. This is because of missing systemd macros in the vdo RPM package.
The problem has been fixed in the 7.6 release, and upgrading from Red Hat Enterprise Linux 7.6 to a later release will no longer disable vdo. (BZ#1617896)

Appendix A. Component Versions

This appendix provides a list of key components and their versions in the Red Hat Enterprise Linux 7.6 Beta release.

Table A.1. Component Versions

| Component | Version |
| --- | --- |
| kernel | 3.10.0-933 |
| kernel-alt | 4.14.0-104 |
| QLogic qla2xxx driver | 10.00.00.06.07.6-k |
| QLogic qla4xxx driver | 5.04.00.00.07.02-k0 |
| Emulex lpfc driver | 0:12.0.0.5 |
| iSCSI initiator utils (iscsi-initiator-utils) | 6.2.0.874-9 |
| DM-Multipath (device-mapper-multipath) | 0.4.9-121 |
| LVM (lvm2) | 2.02.180-1 |
| qemu-kvm[a] | 1.5.3-159 |
| qemu-kvm-ma[b] | 2.12.0-8 |

[a] The qemu-kvm packages provide KVM virtualization on AMD64 and Intel 64 systems.
[b] The qemu-kvm-ma packages provide KVM virtualization on IBM POWER8, IBM POWER9, and IBM z Systems. Note that KVM virtualization on IBM POWER9 and IBM z Systems also requires using the kernel-alt packages.

Appendix B. List of Bugzillas by Component

This appendix provides a list of all components and their related Bugzillas that are included in this book.

Table B.1. List of Bugzillas by Component

| Component | New Features | Notable Bug Fixes | Technology Previews | Known Issues |
| --- | --- | --- | --- | --- |
| 389-ds-base | BZ#1560653 | BZ#1515190, BZ#1525256, BZ#1551071, BZ#1552698, BZ#1559945, BZ#1566444, BZ#1568462, BZ#1570033, BZ#1570649, BZ#1576485, BZ#1581737, BZ#1582092, BZ#1582747, BZ#1593807, BZ#1598478, BZ#1598718 | | |
| NetworkManager | BZ#1414093, BZ#1487477 | BZ#1507864 | | |
| OVMF | | | BZ#653382 | |
| anaconda | BZ#1562301 | BZ#1360223, BZ#1436304, BZ#1535781, BZ#1554271, BZ#1557485, BZ#1561662, BZ#1561930 | | |
| audit | BZ#1559032 | | | |
| augeas | | BZ#1544520 | | |
| binutils | | BZ#1557346 | | |
| clevis | BZ#1472435 | | | |
| cockpit | BZ#1568728 | | | |
| corosync | | | BZ#1413573 | |
| criu | | | BZ#1400230 | |
| custodia | | | BZ#1403214 | |
| device-mapper-multipath | BZ#1541116, BZ#1554516, BZ#1593459 | BZ#1498724, BZ#1526876, BZ#1584228, BZ#1610263 | | |
| distribution | | | | BZ#1062656 |
| dnf | | | BZ#1461652 | |
| fence-agents | | | BZ#1476401 | |
| firewalld | BZ#1554993 | BZ#1498923 | | |
| gcc | | BZ#1552021 | | |
| gdb | | BZ#1347993 | | |
| ghostscript | | BZ#1551782 | | |
| gnome-shell | | | BZ#1481395 | |
| gnutls | BZ#1561481 | | | |
| ima-evm-utils | BZ#1627278 | | BZ#1384450 | |
| initscripts | BZ#1493069, BZ#1542514, BZ#1583677 | BZ#1554364, BZ#1554690, BZ#1559384, BZ#1572659 | | |
| ipa | | | BZ#1115294, BZ#1298286 | |
| ipa-server-container | | | BZ#1405325 | |
| ipset | BZ#1557600 | | | |
| jss | BZ#1557575, BZ#1560682 | | | |
| kernel | BZ#1205497, BZ#1305092, BZ#1322930, BZ#1344565, BZ#1350553, BZ#1451438, BZ#1471950, BZ#1496859, BZ#1507027, BZ#1511351, BZ#1515584, BZ#1520356, BZ#1557599, BZ#1570090, BZ#1584753 | BZ#1527799, BZ#1541250, BZ#1544920, BZ#1554907 | BZ#916382, BZ#1109348, BZ#1111712, BZ#1206277, BZ#1230959, BZ#1274459, BZ#1299662, BZ#1348508, BZ#1387768, BZ#1391561, BZ#1393375, BZ#1414957, BZ#1457533, BZ#1460849, BZ#1503123, BZ#1589397 | BZ#1428549, BZ#1623150 |
| kernel-alt | | | BZ#1555237 | BZ#1615370 |
| kernel-rt | BZ#1297061, BZ#1553351 | | | |
| kexec-tools | BZ#1352763 | | | |
| libguestfs | BZ#1541908, BZ#1557273 | | BZ#1387213, BZ#1441197, BZ#1477912 | |
| libnftnl | BZ#1332585 | | | |
| libreswan | | | BZ#1375750 | |
| libsepol | BZ#1564775 | | | |
| libstoragemgmt | | | BZ#1119909 | |
| libusnic_verbs | | | BZ#916384 | |
| libvirt | BZ#1447169, BZ#1475770 | | BZ#1283251 | |
| linuxptp | BZ#1549015 | | | |
| lvm2 | | | | BZ#1337220 |
| nftables | BZ#1571968 | | | |
| nss | | | BZ#1425514, BZ#1431210, BZ#1432142 | |
| opensc | | BZ#1547117, BZ#1562277, BZ#1562572 | | |
| openscap | | BZ#1556988 | | |
| openssl | BZ#1519396 | | | |
| other | BZ#1432080, BZ#1609302, BZ#1612965 | | BZ#1062759, BZ#1072107, BZ#1259547, BZ#1464377, BZ#1477977, BZ#1559615 | BZ#1456652, BZ#1569484, BZ#1571754 |
| pacemaker | BZ#1590483 | | | |
| pam_pkcs11 | BZ#1578029 | | | |
| pcp | BZ#1565370 | | | |
| pcs | BZ#1475318 | BZ#1566382, BZ#1572886, BZ#1588667, BZ#1590533 | BZ#1433016 | |
| pcsc-lite | BZ#1516993 | | | |
| pcsc-lite-ccid | BZ#1558258 | | | |
| perl | BZ#1557574 | | | |
| perl-LDAP | BZ#1520364 | | | |
| pki-core | BZ#1550742, BZ#1550786, BZ#1557569, BZ#1562423, BZ#1585866 | BZ#1515759, BZ#1546708, BZ#1549632, BZ#1568615, BZ#1580394 | | |
| qemu-guest-agent | BZ#1569013 | | | |
| qemu-kvm | | | BZ#1103193 | |
| radvd | BZ#1475983 | | | |
| resource-agents | BZ#1470840, BZ#1513957, BZ#1538689, BZ#1568588, BZ#1568589 | | | |
| rhel-system-roles | | | BZ#1439896 | |
| rpm | BZ#1555326 | | | |
| rsyslog | | | | BZ#1553700 |
| samba | BZ#1558560 | | | |
| sane-backends | BZ#1512252 | | | |
| scap-security-guide | BZ#1443551 | | | |
| selinux-policy | BZ#1460322 | | | |
| sssd | BZ#1416528 | | BZ#1068725 | |
| strongimcv | | | BZ#755087 | |
| systemd | | | BZ#1284974 | |
| tss2 | | | BZ#1384452 | |
| tuned | BZ#1546598 | | | |
| usbguard | | | BZ#1480100 | |
| vdo | | | | BZ#1617896 |
| vsftpd | BZ#1479237 | | | |
| wayland | | | BZ#1481411 | |
| wpa_supplicant | | BZ#1434434 | | |
| ypserv | | BZ#1492892 | | |

Appendix C. Revision History

Revision History
Revision 0.0-5, Fri Sep 14 2018, Lenka Špačková
Various additions and updates.
Revision 0.0-4, Mon Sep 03 2018, Lenka Špačková
Various additions and updates.
Revision 0.0-3, Mon Aug 27 2018, Lenka Špačková
Added a note regarding the support of NVMe-FC in Initiator mode with Broadcom adapters (Kernel).
Revision 0.0-2, Fri Aug 24 2018, Lenka Špačková
Various additions and updates.
Revision 0.0-1, Thu Aug 23 2018, Lenka Špačková
Minor fixes and improvements to existing descriptions.
Revision 0.0-0, Wed Aug 22 2018, Lenka Špačková
Release of the Red Hat Enterprise Linux 7.6 Beta Release Notes.

Legal Notice

Copyright © 2018 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.