Chapter 4. Notable Bug Fixes
This chapter describes bugs fixed in Red Hat Enterprise Linux 7.7 Beta that have a significant impact on users.
4.1. Authentication and Interoperability
`krb5' memory caches are now thread-safe
Previously, the memory caches of the Kerberos V5 login program (
krb5) were not completely thread-safe. As a consequence, multi-threaded access terminated unexpectedly in some cases. With this update, the memory caches are cleaned up to be more thread-safe. As a result, no more crashes occur.
krb5 configurations prohibited by FIPS-140-2 can now work again
Previously, Red Hat Enterprise Linux 7.6 build of the Kerberos V5 (
krb5) system increased compliance with FIPS-140-2. As a consequence, certain previously permitted configurations that were prohibited by FIPS-140-2 stopped working. With this update, the changes have been reverted, because
krb5 only requires to work in FIPS mode, not be FIPS-compliant. As a result, configurations prohibited by FIPS-140-2 can now work again.
Note that Red Hat Enterprise Linux 8 does not support these configurations at the moment.
SSSD uses the AD LDAP server to retrieve POSIX attributes for initgroup lookups
The SSSD service uses the Active Directory (AD) global catalog (GC) for initgroup lookups, but the POSIX attributes, such as the user home directory or shell, are not replicated to the GC set by default. Consequently, when SSSD requests the POSIX attributes during SSSD lookups, SSSD incorrectly considers the attributes to be removed from the server, because they are not present in the GC, and removes them from the SSSD cache as well. With this update, initgroup lookups now switch between LDAP and GC connection as appropriate, because the AD LDAP server contains the POSIX attributes even without schema modification. As a result, POSIX attributes, such as shell or home directory, are no longer overwritten or missing.
Changing the shell with
ypchsh no longer results in an overwritten password when NIS uses
Previously, when the NIS server was set up to support the
passwd.adjunct map and the user changed the shell on a NIS client by using the
ypchsh command, the
yppasswdd daemon overwrote the user’s password hash inside
passwd.adjunct with the
##username string. Consequently, the affected user was unable to log in due to a corrupted password hash. This bug has been fixed, and
yppasswdd no longer overwrites the user’s password hash while updating the user’s shell information. As a result, the user can successfully log in the new shell after running
4.2. Compiler and Tools
GDB breakpoint default source file works for symbolic links
Previously, the GDB debugger could not locate the symbol table information for the default source file, if the file was a symbolic link. As a consequence, users could not set breakpoints by omitting the source file name and using the default, such as
break 63. This bug has been fixed and users can now use default source files with breakpoints for files behind symbolic links.
The DNS stub resolver in
glibc no longer rejects valid host names, such as hostname-.example.com
The DNS stub resolver in
glibc rejected certain valid host names, such as hostname-.example.com, and accepted some invalid names. As a consequence, some host names on the Internet could not be resolved. To fix the problem, the DNS name validation functions, such as
res hnok, have been adjusted to match user expectations and specifications more closely. As a result, host names of the form hostname-.example.com can now be resolved successfully if they exist in DNS.
iconv no longer hangs when converting from certain IBM character sets
glibc converters for the IBM930, IBM933, IBM935, IBM937, and IBM393 character sets returned an error and failed to advance to the next input character when they encountered invalid redundant shift sequences. As a consequence, converting from these character sets using the
iconv tool with the
-c option to discard these characters made the tool unresponsive, because it could not progress beyond the first occurence of a redundant shift sequence. The converters have been modified to accept these sequences and continue correctly. As a result, the conversions mentioned above are now possible.
iconv can convert between the IBM273 and ISO-8859-1 character sets
glibc implementation of the IBM273 character set was not equivalent to the ISO-8859-1 character set. It did not have a representation for the Unicode character
MACRON, instead it used the corresponding byte to represent the
OVERLINE Unicode character, which has the same visual representation as a
MACRON. As a consequence, using the
iconv tool provided by
glibc to convert IBM273 text containing an
OVERLINE character to ISO-8859-1 or ISO-8859-1 text containing a
MACRON character to IBM273 resulted in an error during conversion. To fix this bug, the IBM273 character set was made equivalent to the ISO-8859-1 character set by replacing its
OVERLINE representation with
MACRON. As a result, both character sets now use the
MACRON Unicode character, are equivalent, and conversion from one to the other does not lead to an error.
getifaddrs calls can no longer unexpectedly terminate applications
Previously, the network interface list produced by the
getifaddrs function in the
glibc library could lack interface names if the interfaces changed in the kernel at the same time. As a consequence, applications using
getifaddrs could terminate unexpectedly in such situation. This has been fixed and
getifaddrs now makes sure the list is identical to kernel state. As a result, the unexpected termination mentioned above cannot happen.
Makefiles containing explicit targets before implicit work again
Previously, mixing implicit (pattern) and explicit targets in Makefiles was deprecated. After update to version 3.82, the
make build tool returned errors for mixed targets. As a consequence, legacy Makefiles containing mixed targets cound not be used. With this update,
make can correctly parse situations where an explicit target is listed before an implicit target. However, implicit targets before explicit targets still result in an error. As a result, certain legacy Makefiles can now be used again without modification.
Note that mixing explicit and implicit targets in Makefiles is deprecated and should not be added to new Makefiles.
PCP reports all process details on large systems
Previously, the Performance Co-Pilot (PCP) toolkit failed to report certain process details on very large systems in some cases. The code reading the process details files was changed so that it can read data of arbitrary length, instead of only the first 1024 bytes. As a result, the described PCP error can no longer happen.
strip no longer crashes with certain executable files
strip tool contained untrue assumptions about executable file structure. As a consequence, attempting to strip certain executable files could unexpectedly terminate
strip. The assumptions about structure have been changed such that this problem can no longer happen and
strip works correctly.
Optimized CPU consumption by
A previous update to the
libdb database caused an excessive CPU consumption in the trickle thread. With this update, the CPU usage has been optimized.
fixfiles no longer incorrectly fails
fixfiles script failed if the
/etc/selinux/fixfiles_exclude_dirs file contained at least one entry and the
/etc/selinux/targeted/contexts/files/file_contexts.local file was not present. With this update, the requirement for existence of
/etc/selinux/targeted/contexts/files/file_contexts.local has been removed, and fixfiles now works correctly in the described scenario.
SystemTap Dyninst backend no longer needs the
Previously, the SystemTap Dyninst backend used by the
stap --dyninst command did not work when the
dyninst-devel package was not installed. As a consequence, SystemTap terminated unexpectedly in this situation, and users had to manually install
dyninst-devel and run the
ldconfig tool as a workaround. This bug has been fixed and SystemTap Dyninst backend can be used without the mentioned workaround.
X.org server no longer crashes during fast user switching
Previously, the X.Org X11
qxl video driver did not emulate the leaving virtual terminal event on shutdown. Consequently, the X.Org display server terminated unexpectedly during fast user switching, and the current user session was terminated when switching a user. With this update,
qxl has been fixed, and the X.org server no longer crashes during fast user switching.
4.4. File Systems
Setting disk quota limits over a network works again for users occupying more than 4 GB of space on the network file system
setquota utility was unable to handle an occupied space greater than 4 GB when communicating with an NFS server due to an incorrect format of the used disk size. Consequently, when setting disk quota limits for a user exceeding 4 GB of used space on a NFS-mounted file system,
setquota failed to perform the operation. This update corrects the conversion of the used disk size to an RPC protocol format, and the described problem no longer occurs.
4.5. Installation and Booting
NVDIMM commands are added to kickstart script file anaconda-ks.cfg after installation
The installer creates a kickstart script equivalent to the configuration used for installation of the system. This script is stored in the file
/root/anaconda-ks.cfg. Previously, when the interactive graphical user interface was used for installation, the
nvdimm commands used for configuring Non-Volatile Dual In-line Memory (NVDIMM) devices were not added to this file. This bug has been fixed and the kickstart file now contains the
nvdimm commands as expected.
The graphical installation program no longer permits an invalid passphrase
Previously, when installing RHEL 7 using the graphical installation program, it was possible to leave the passphrase field in the Partitioning Disk Encryption Passphrase dialog box empty, click the Save Passphrase button, and finish your partitioning tasks. As a consequence, partitioning was misconfigured and you had to cancel the disk encryption process or enter a valid passphrase. With this update, the Save Passphrase button is available only when you enter a valid and non-empty passphrase.
inst.version kernel boot parameters no longer stops the installation program
Previously, booting the installation program from the kernel command line using the
inst.version boot parameters printed the version, for example
anaconda 30.25.6, and stopped the installation program.
With this update, the
inst.version parameters are ignored when the installation program is booted from the kernel command line, and as a result, the installation program is not stopped.
The RHEL 7.7 graphical installation now displays supported NVDIMM device sector sizes
Previously, when configuring NVDIMM devices using the graphical user interface (GUI), it was possible to enter an unsupported sector size. No warning message was displayed, and as a consequence, a reconfiguration error occurred. With this update, the sector size dialog box contains a drop-down list that displays only the supported sector sizes of
Cancelling a job initiated from
cockpit-composer no longer fails
Image build process did not support cancelling an image build. As a consequence, cancelling a job initiated from
cockpit-composer GUI using
composer-cli compose cancel resulted in a hung compose API server, causing newly queued job builds to not start, and remain in waiting state. To fix the problem, a feature to cancel the Image build process was implemented. As a result, cancelling a job initiated from
cockpit-composer no longer fails.
rpm command now supports the
This update introduces the
--restore options for the
--setcaps option sets capabilities of files in a required package. The syntax is as follows:
rpm --setcaps _PACKAGE_NAME_
--restore option restores owner, group, permissions, and capabilities of files in a required package. The syntax is as follows:
rpm --restore _PACKAGE_NAME_
regexp command is no longer missing
Previously, the module providing the
regexp command for the Grand Unified Bootloader version 2 (GRUB2) was missing in the GRUB2 EFI binary. As a consequence, on UEFI systems with Secure Boot enabled, using
regexp failed with the
error: can’t find command `regexp` message. With this update, the module providing
regexp is included in the GRUB2 EFI binary and works in the described situation.
Netfilter now supports zero-length CIDR values in certain IP set types
Previously, the kernel rejected a zero-length Classless Inter-domain Routing (CIDR) network mask value in the first and the last parameter in
hash:net6,port,net6 IP set types. As a consequence, Netfilter could not match a port against all network destinations. With this update, zero-length CIDR values are allowed in the first and the last parameter of the mentioned IP set types. As a result, administrators can create firewall rules that match a port that is valid for all destinations.
intel_pstate driver loads on the Intel Skylake-X systems with HWP disabled
Previously, with the Intel Skylake-X systems, it was impossible to load the
intel_pstate driver if Hardware P-States (HWP) were disabled. As a consequence, the kernel defaulted to loading the
acpi_cpufreq driver. This update fixes the problem and
intel_pstate now loads correctly in the described scenario.
In the event that the user wants to use
acpi_cpufreq (not recommended), the solution is to append the
intel_pstate=disable parameter to the kernel command line.
Data corruption no longer occurs on RAID 10 reshape on top of VDO
Previously, RAID 10 reshape (with both LVM and "mdadm") on top of VDO corrupted data. With this fix, the data corruption no longer occurs. However, Stacking RAID 10 (or other RAID types) on top of VDO does not take advantage of the deduplication and compression capabilities of VDO and is not recommended.
write-behind in RAID1 no longer triggers a kernel panic
Previously, the write-behind mode in the Redundant Array of Independent Disks Mode 1 (RAID1) virtualization technology used the upper layer bio structures. The structures were freed immediately after the bio structures written to bottom layer disks came back. As a consequence, a kernel panic was triggered and the
write-behind function could not be used. This update fixes the problem and
write-behind can now be used without triggering a kernel panic in the described scenario.
The kernel now supports destination MAC addresses in
hash:mac IP set types
Previously, the kernel implementation of the
hash:mac IP set types only allowed matching on the source MAC address, while destination MAC addresses could be specified, but were not matched against set entries. As a consequence, administrators could create
iptables rules that used a destination MAC address in one of these IP set types, but packets matching the given specification were not actually classified. With this update, the kernel compares the destination MAC address and returns a match if the specified classification corresponds to the destination MAC address of a packet. As a result, rules that match packets against the destination MAC address now work correctly.
kdump kernel is now able to boot after a CPU hot add or hot remove operation
When running Red Hat Enterprise Linux 7 on the little-endian variant of IBM Power Systems with
kdump enabled, the
kdump crash kernel failed to boot if triggered by the
kexec system call after a CPU hot add or hot remove operation. This update fixes the bug by utilizing the CPU online and offline events. As a result,
kdump kernel manages to boot in the described scenario.
ipset service can now load sets which depends on other sets
ipset service saves IP sets (lists of IP addresses) in separate files. In Red Hat Enterprise Linux (RHEL) 7.6, when starting the service, each set was loaded sequentially ignoring dependencies between them. As a consequence, the service failed to load IP sets with dependencies on other sets. With this update, the
ipset service creates first all the sets included in the saved configuration, and then adds their entries. As a result, IP sets with dependencies on other sets can now be loaded.
Error logging in the
ipset service has been improved
ipset service did not report configuration errors with a meaningful severity in the
systemd logs. The severity level for invalid configuration entries was only
informational, and the service did not report errors for an unusable configuration. As a consequence, it was difficult for administrators to identify and troubleshoot issues in the
ipset service’s configuration. With this update,
ipset reports configuration issues as
systemd logs and, if the service fails to start, it logs an entry with the
error severity including further details. As a result, it is now easier to troubleshoot issues in the configuration of the
ipset service now ignores invalid configuration entries during startup
ipset service stores configurations as sets in separate files. Previously, when the service started, it restored the configuration from all sets in a single operation, without filtering invalid entries that can be inserted by manually editing a set. As a consequence, if a single configuration entry was invalid, the service did not restore further unrelated sets. The problem has been fixed. As a result, the
ipset service detects and removes invalid configuration entries during the restore operation, and ignores invalid configuration entries.
firewalld rebased to version 0.6.3
firewalld packages have been upgraded to upstream version 0.6.3, which provides a number of bug fixes over the previous version:
firewalldservice now only modifies
ifcfgfiles for permanent configuration changes.
Untranslated strings in the
firewall-configutility have been fixed, which caused that rich rules could not be modified in the UI.
set-log-deniedparameter now works correctly when used in combination with the
firewall-cmdutility now correctly checks the return value of the
IP forwarding is no longer enabled when using port forwarding and the
toaddrparameter is not specified.
- The shell auto-complete feature no longer constantly asks for authentication.
NSS now processes X.509 certificates for use with IPsec correctly
Previously, the NSS library did not properly process X.509 certificates for use with IPsec. As a consequence, if X.509 certificates had non-empty Extended Key Usage (EKU) attributes that did not contain
clientAuth attributes, the
Libreswan IPsec implementation incorrectly rejected validation of the certificates. With this update, the IPsec profiles in NSS have been fixed, and Libreswan can now accept the described certificates.
scap-security-guide now correctly skips rules that are not applicable to containers and container images
SCAP Security Guide content can be used to scan containers and container images now. Rules that are not applicable to containers and container images have been marked with a specific CPE identifier. As a result, the evaluation of these rules is skipped automatically, and the result
not applicable is reported when scanning containers and container images.
SELinux now allow
gssd_t processes to access kernel keyrings of other processes
Previously, an allow rule for the
gssd_t type was missing in the SELinux policy. As a consequence, SELinux in enforcing mode occasionally prevented processes running as
gssd_t from accessing kernel keyrings of other processes and could block for example
sec=krb5 mounts. The rule has been added to the policy, and processes running as
gssd_t are now able to access keyrings of other processes.
SELinux no longer blocks
snapperd from managing all non-security directories
Prior to this update, an allow rule for the snapper daemon (
snapperd) was missing in the SELinux policy. Consequently, snapper was not able to create a configuration file on a btrfs volume for a new snapshot with SELinux in enforcing mode. With this update, the missing rule has been added, and SELinux now allows
snapperd to manage all non-security directories.
sudo I/O logging function now works also for SELinux-confined users
Prior to this update of the SELinux policy, rules that allow user domains to use generic pseudoterminal interfaces were missing. As a consequence, the I/O logging function of the
sudo utility did not work for SELinux-confined users. The missing rules have been added to the policy, and the I/O logging function no longer fails in the described scenario.
sudo configured using LDAP now handles
sudo tool configured using LDAP did not correctly handle the case when the
sudoRunAsGroup attribute was defined and the
sudoRunAsUser attribute was not. As a consequence, the
root user was used as the target user. With this update, the handling of
sudoRunAsGroup has been fixed to match the behavior documented in the
sudoers.ldap(5) man page, and
sudo now works properly in the described scenario.
4.9. Servers and Services
chronyd no longer fails to synchronize with NTP servers after reboot
Previously, when an interface was controlled by network scripts and NetworkManager was enabled at the same time, the
chrony NetworkManager dispatcher script switched NTP sources to the offline state on boot. As a consequence,
chronyd was prevented from synchronizing the system clock. With this update, the
chrony dispatcher script ignores events that are not related to interfaces coming up or down. As a result,
chronyd now synchronizes with NTP servers as expected under the described circumstances.
CUPS no longer denies access if SSSD running on the same server is configured with
ignore_group_members = true
When System Security Services Daemon (SSSD) uses the
ignore_group_members = true setting in the
/etc/sssd/sssd.conf file, the
getgrnam() function returns the group structure without group members of groups retrieved by SSSD. This is expected behavior. Previously, CUPS used only
getgrnam() to verify if a user is a member of a group. As a consequence, if SSSD was configured with the mentioned setting on a CUPS server that used groups to allow access to the server for members of a group, CUPS denied access to users in these groups. With this update, CUPS now additionally uses the
getgrouplist() function, which returns group members even if SSSD is configured with
ignore_group_members = true. As a result, CUPS correctly determines access based on group memberships in the mentioned scenario.
Running dbus-daemon no longer fails to activate a system service
With the rebase of the D-Bus message bus daemon (dbus-daemon) to version 1.10.24, locations of several dbus tools were migrated. The
dbus-send executable was moved from the
/bin directory to the
/usr/bin directory; the
dbus-daemon-launch-helper executable was moved from the
libdir `directory to the `libexecdir directory. Consequently, if a scriptlet in a package called the
dbus-send command to send a message to D-Bus, and triggered a service activation, the activation could fail. With this update, the bug has been fixed by creating compatibility symlinks between the old and new locations of
dbus-daemon-launch-helper. As a result, any running instance of dbus-daemon can now call the system bus and activate a system service.
Teaming in the rescue system works correctly again
Updates provided by the advisory RHBA-2019:0498 fixed several problems in ReaR, affecting complex network configurations. However, in case of teaming, this update introduced another problem. If the team had multiple member interfaces, the team device was not configured correctly in the rescue system. As a consequence, after applying an update provided by RHBA-2019:0498, a work around was needed to preserve the previous behavior. This update fixes the bug in ReaR, and teaming in the rescue system now works correctly.
Virtual machines now work correctly on RHEL 7 nodes in RHOSP 10
Previously, upgrading a Red Hat Enterprise Linux 7 (RHEL 7) node in Red Hat OpenStack Plaform 10 (RHOSP 10) to a later minor version sometimes caused virtual machines (VMs) hosted on that node to become unable to start. This update fixes how the
tuned service configures parameters of the kvm-intel module, which prevents the described problem from occurring.
LVM no longer causes data corruption in the first 128kB of allocatable space of a physical volume
Previously, a bug in the I/O layer of LVM might have caused data corruption in rare cases. The bug could manifest only when the following conditions were true at the same time:
- A physical volume (PV) was created with a non-default alignment. The default is 1MB.
- An LVM command was modifying metadata at the tail end of the metadata region of the PV.
- A user or a file system was modifying the same bytes (racing).
No cases of the data corruption have been reported.
With this update, the problem has been fixed, and LVM can no longer cause data corruption under these conditions.
System boot is no longer delayed by
udev rule installed by the
ndctl package sometimes delayed the system boot process for several minutes on systems with Non-Volatile Dual In-line Memory Module (NVDIMM) devices. In such cases,
systemd displayed a message similar to the following:
INFO: task systemd-udevd:1554 blocked for more than 120 seconds. ... nvdimm_bus_check_dimm_count+0x31/0xa0 [libnvdimm] ...
With this update,
ndctl no longer installs the
udev rule. As a result,
ndctl does not delay the system boot.