7.6 Release Notes
Release Notes for Red Hat Enterprise Linux 7.6
Chapter 1. Overview
- Driven by Trusted Platform Module (TPM) 2.0 hardware modules, the Policy-Based Decryption (PBD) capability has been extended to provide two layers of security for hybrid-cloud operations: the network-based mechanism is applicable in the cloud, while the use of TPM on-premises helps to keep information on disks physically more secure.
GnuTLSlibrary now provides improved Hardware Security Module (HSM) support.
OpenSSLnow works with new CP Assist for Cryptographic Functions (CPACF) instructions to accelerate Galois/Counter Mode (GCM) of operation as available with IBM z14.
- Red Hat Certificate System distributed with Red Hat Enterprise Linux 7.6 provides new default cryptographic algorithms for RSA and ECC, which help maintain FIPS compliance and stay current with cryptography requirements from NIST and other standards bodies, as well as organizations responsible for handling sensitive information.
- For better integration with counter-intrusion measures, firewall operations through Red Hat Enterprise Linux have been improved with enhancements to
nftables. The nft command-line tool can now also provide improved control packet filtering, providing better overall visibility and simplified configuration for systems security.
Identity Management and Access Control
- This release of OpenSC supports support new smart cards, for example, models with CardOS 5.3.
Management and Automation
- The tools for managing Red Hat Enterprise Linux 7 continue to be refined, with the latest version introducing enhancements to the Red Hat Enterprise Linux Web Console including:
- Showing available updates on the system summary page
- Automatic configuration of single sign-on for identity management, helping to simplify this task for security administrators
- An interface to control firewall services
- The following Red Hat Enterprise Linux System Roles are now fully supported:
- The integration of the Extended Berkeley Packet Filter (eBPF) provides a safer, more efficient mechanism for monitoring activity within the kernel and will help to enable additional performance monitoring and network tracing tools in the future. The eBPF tool is available as a Technology Preview.
- Red Hat Enterprise Linux 7.6 introduces full support for Podman, a container management tool that complements the previously released Buildah and Skopeo tools. Podman can start and run stand-alone containers from the command line, as services using
systemd, or using a remote API. These same capabilities can be used to invoke groups of containers on a single node, also called pods. Podman does not require a daemon to function, which helps to eliminate the complexity and the client-server interactions of a traditional container engine. Podman also allows building containers on a desktop, as well as in continuous integration and continuous delivery (CI/CD) systems. Finally, it enables starting containers within high-performance computing environments and big data schedulers.The
podmancommand can replace the
dockercommand in most cases, supporting almost identical features and syntax.
Red Hat Insights
Red Hat Customer Portal Labs
Chapter 2. Architectures
Chapter 3. Important Changes to External Kernel Parameters
sysfsdefault values, boot parameters, kernel configuration options, or any noticeable behavior changes.
- hardened_usercopy = [KNL]
- This parameter specifies whether hardening is enabled (default) or not enabled for the boot.Hardened usercopy checking is used to protect the kernel from reading or writing beyond known memory allocation boundaries as a proactive defense against bounds-checking flaws in the kernel's
copy_from_user()interface.The valid settings are:
on– Perform hardened usercopy checks (default).
off– Disable hardened usercopy checks.
- no-vmw-sched-clock [X86,PV_OPS]
- Disables paravirtualized VMware scheduler clock and uses the default one.
- rdt = [HW,X86,RDT]
- Turns on or off individual RDT features.Available features are:
mba.For example, to turn on
cmtand turn off
- nospec_store_bypass_disable [HW]
- Disables all mitigations for the Speculative Store Bypass vulnerability.For more in-depth information about the Speculative Store Bypass (SSB) vulnerability, see Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639.
- spec_store_bypass_disable = [HW]
- Certain CPUs are vulnerable to an exploit against a common industry wide performance optimization known as Speculative Store Bypass.In such cases, recent stores to the same memory location cannot always be observed by later loads during speculative execution. However, such stores are unlikely and thus they can be detected prior to instruction retirement at the end of a particular speculation execution window.In vulnerable processors, the speculatively forwarded store can be used in a cache side channel attack. An example of this is reading memory to which the attacker does not directly have access, for example inside the sandboxed code.This parameter controls whether the Speculative Store Bypass (SSB) optimization to mitigate the SSB vulnerability is used.Possible values are:
on– Unconditionally disable SSB.
off– Unconditionally enable SSB.
auto– Kernel detects whether the CPU model contains an implementation of SSB and selects the most appropriate mitigation.
prctl– Controls SSB for a thread using prctl. SSB is enabled for a process by default. The state of the control is inherited on fork.Not specifying this option is equivalent to
spec_store_bypass_disable=auto.For more in-depth information about the Speculative Store Bypass (SSB) vulnerability, see Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639.
- nmi_watchdog = [KNL,BUGS=X86]
- These settings can now be accessed at runtime with the use of the
New and updated /proc/sys/kernel/ entries
- This parameter controls whether the kernel panics if a hard lockup is detected.Possible values are:
0– Do not panic on hard lockup.
1– Panic on hard lockup.This can also be set using the
- Controls size of per-cpu ring buffer not counted against mlock limit.The default value is
512 + 1page.
- Controls use of the performance events system by unprivileged users (without
CAP_SYS_ADMIN).The default value is
2.Possible values are:
-1– Allow use of the majority of events by all users.
>=0– Disallow ftrace function tracepoint and raw tracepoint access by users without
>=1– Disallow CPU event access by users without
>=2– Disallow kernel profiling by users without
New /proc/sys/net/core entries
- Enables hardening for the Berkeley Packet Filter (BPF) Just in Time (JIT) compiler.Supported are Extended Berkeley Packet Filter (eBPF) JIT backends. Enabling hardening trades off performance, but can mitigate JIT spraying.Possible values are:
0– Disable JIT hardening (default value).
1– Enable JIT hardening for unprivileged users only.
2– Enable JIT hardening for all users.
Part I. New Features
Chapter 4. General Updates
In-place upgrade from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7
Preupgrade Assistant, a utility that checks the system for upgrade issues before running the actual upgrade, and that also provides additional scripts for the
Red Hat Upgrade Tool. When you have solved all the problems reported by the
Preupgrade Assistant, use the
Red Hat Upgrade Toolto upgrade the system.
Preupgrade Assistantand the
Red Hat Upgrade Toolare available in the Red Hat Enterprise Linux 6 Extras channel, see https://access.redhat.com/support/policy/updates/extras. (BZ#1432080)
Chapter 5. Authentication and Interoperability
Certificate System now supports additional strong ciphers by default
# /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"
samba rebased to version 4.8.3
smbdservice no longer queries user and group information from Active Directory domain controllers and NT4 primary domain controllers directly. Installations with the
securityparameter set to
domainnow require that the
winbinddservice is running.
- The dependency on global lists of trusted domains within the
winbinddprocess has been reduced. For installations that do not require the global list, set the
winbind scan trusted domainsparameter in the
no. For more information, see the parameter's description in the
- The trust properties displayed in the output of the
wbinfo -m --verbosecommand have been changed to correctly reflect the status of the system where the command is executed.
- Authentication from users of a one-way trust now works correctly when using the
idmap_autoridID mapping back ends.
winbinddaemon starts. Back up the databases files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
Directory Server rebased to version 18.104.22.168
Certificate System rebased to version 10.5.9
jss rebased to version 4.4.4
The CRMFPopClient utility supports CRMF requests without key archival
-b transport_certificate_fileoption to CRMFPopClient, the utility automatically used the KRA transport certificate stored in the transport.txt file. With this update, if
-b transport_certificate_fileis not specified, Certificate System creates a request without using key archival. (BZ#1585866)
Certificate System automatically applies ECC profiles when setting up root CA with ECC certificates
pkispawnutility. As a result, administrators no longer have to set the profile overwrite parameters for ECC certificates as a workaround in the configuration file passed to
pkispawnwhen setting up a root CA. (BZ#1550742)
Certificate System now adds the SAN extension to server certificates
A low-level API to create X.509 certificates and CRLs has been added to JSS
pcsc-lite-ccid driver now has support for new smart card readers
pcsc-lite-cciddriver did not detect certain smart card readers. This enhancement adds the USB-ID values of these readers to the driver. As a result,
pcsc-lite-ccidnow detects the smart card readers in the described scenario.
pam_pkcs11 module now has support for certificate chains
pam_pkcs11module to support Public Key Infrastructure for X.509 (PKIX) certificate chains. This enables more complex chain processing, including multiple paths to the leaf certificate. As a result,
pam_pkcs11now validates PKIX certificate chains. (BZ#1578029)
dnssec-keymgr automates DNSSEC key rollovers
dnssec-keymgr, a utility to automate DNS Security Extensions (DNSSEC) key rollovers.
dnssec-keymgrenables automatic long-term management of DNS keys for secure zones due to its simple configurable policy. This makes it possible to roll out keys seamlessly, without interrupting the DNS service. (BZ#1510008)
DNSSEC validation can be disabled for selected domains
SSSD on an IdM client can now authenticate against a specific AD site or AD DC
System Security Services Daemon(SSSD) running on an Identity Management (IdM) client in a domain with a trust relationship with Active Directory (AD) can now be pinned to authenticate against a configured AD site or a configured set of AD Domain Controllers (DC).
SSSDrelied completely on DNS SRV discovery done by libkrb5. However, this did not take AD sites into account because libkrb5 has no notion of AD sites. If the administrator wanted to pin
SSSDto authenticate against a set of AD DCs, they had to set the correct Key Distribution Centre (KDC) in the
/etc/krb5.conffile, which was non-intuitive.
/etc/krb5.conffile on each client individually was previously the only available solution. (BZ#1416528)
Chapter 6. Clustering
Pacemaker now supports
timer systemd unit files
socketsystemd unit files, but any other unit file type would be treated as a
serviceunit and fail. With this release,
timersystemd units can now be managed by a Pacemaker cluster. (BZ#1590483)
Support for Red Hat Enterprise Linux High Availability clusters on Alibaba Cloud
Support for Red Hat Enterprise Linux high availability clusters on Google Compute Cloud
New volume_group_check_only parameter for lvm resource agent
lvmresource agent now supports the
volume_group_check_onlyparameter. When this parameter is set, only the volume group is checked when running a monitoring operation. Setting this parameter can be used to avoid timeouts with tagged volumes.
WARNING:This parameter should be used only when you have issues with timeouts, and when you must use the
lvmresource agent and not the
Support for VDO resource agent
vdo-volresource agent to manage VDO (Virtual Data Optimizer) volumes as a high availability resource. (BZ#1538689)
pcs command now supports filtering resource failures by an operation and its interval
pcs resource failcount showcommand now allows filtering failures by a resource, node, operation, and interval. It provides an option to display failures aggregated per a resource and node or detailed per a resource, node, operation, and its interval. Additionally, the
pcs resource failcount resetcommand now allows filtering failures by a resource, node, operation, and interval. (BZ#1427273)
pcs commands to list available watchdog devices and test watchdog devices
pcs stonith sbd watchdog listcommand to list available watchdog devices on the local node, and the
pcs stonith sbd watchdog testcommand to test a watchdog device. (BZ#1475318)
Chapter 7. Compiler and Tools
Net::SMTP Perl module now supports SSL
Net::SMTPPerl module. As a result, it is now possible to communicate with SMTP servers through a secured channel. (BZ#1557574)
Net::LDAP Perl module no longer defaults to TLS 1.0
Net::LDAPPerl module module was used for upgrading an unsecured LDAP connection to a TLS-protected one, the module used the TLS protocol version 1.0, which is currently considered insecure. With this update, the default TLS version has been removed from
Net::LDAP, and both implicit (LDAPS schema) and explicit (LDAP schema) TLS protocols rely on the default TLS version selected in the
IO::Socket::SSLPerl module. As a result, it is no longer necessary to override the TLS version in the
Net::LDAPclients by passing the
sslversionargument to the
start_tls()method to preserve security. (BZ#1520364)
timemaster now supports bonding devices
timemasterprogram can be used to synchronize the system clock to all available time sources in case that there are multiple PTP domains available on the network, or fallback to NTP is needed.
timemasternow checks if the active interface supports software or hardware timestamping and starts
ptp4lon the bonding interface. (BZ#1549015)
pcp rebased to version 4.1.0
- Added a sized-based interim compression to the
pmlogger_check(1)script to reduce data volume sizes on systems configured via the
- Daily compressed archive metadata files.
- Changed metric labels to first class PCP metric metadata.
- Metric help text and labels are now stored in PCP archives.
- Added more Linux kernel metrics: virtual machines, TTYs, aggregate interrupt and softirq counters, af_unix/udp/tcp connection (inet/ipv6), VFS locking, login sessions, AIO, capacity per block device, and other.
- Performance Metrics Application Programming Interface (PMAPI) and the Performance Metrics Domain Agent (PMDA) API have been refactored, including promotion and deprecation of individual functions.
- Added new virtual data optimizer (VDO) metrics to
- Improved integration with Zabbix agentd service with further low-level-discovery support in the
- Added a new PMDA
pmdabcc(1)for exporting BCC and eBPF trace instrumentation.
- Added a new PMDA
pmdaprometheus(1)to consume metrics from Prometheus end-points. (BZ#1565370)
ps utility now displays the Login ID associated with processes
psutility now enables you to display the Login ID associated with processes.
$ ps -o luid
gcc-libraries rebased to version 8.2.1
libgfortran.so.4Fortran libraries have been added to enable running applications built with Red Hat Developer Toolset versions 7 and later.
libquadmathlibrary has been added as a dependency of the
- The Cilk+ library has been removed. (BZ#1600265)
systemtap rebased to version 3.3
- Limited support for the extended Berkeley Packet Filter (eBPF) tracing on the Intel64 and AMD64 architectures has been added. Use the
--runtime=bpfoption to use eBPF as a backend. Due to numerous limitations of
eBPFand its SystemTap interface, only simple scripts work. For more information, see the Knowledge article https://access.redhat.com/articles/3550581 and the stapbpf(8) manual page.
--sysrootoption has been optimized for cross-compiled environments.
- A new
--exampleoption allows you to search the example scripts distributed with SystemTap without providing the whole path of the file.
- The SystemTap runtime and tapsets are compatible with kernel versions up to 4.17.
- Usage of SystemTap on systems with real time kernel or machines with a high number of CPUs has been improved.
- Handling of code used for Spectre and Meltdown attack mitigation has been improved. (BZ#1565773)
GDB can disassemble instructions for the z14 processor of IBM Z architecture
GDBdebugger has been extended to disassemble instructions of the z14 processor of the IBM Z architecture, including guarded storage instructions. Previously,
GDBdisplayed only the numerical values of such instructions in the
.long 0xNNNNform. With this update,
GDBcan correctly display mnemonic names of assembly instructions in code targeting this processor. (BZ#1553104)
New packages: java-11-openjdk
OpenJDK 11support through the
OpenJDK 11is the next Long-Term Support (LTS) version of Java supported by Red Hat after
OpenJDK 8. It provides multiple new features including Modularization, Application Class Data Sharing, Heap Allocation on Alternative Memory Devices, Local-Variable Syntax for Lambda Parameters, and TLS 1.3 support.
OpenJDK 11is not fully compatible with
OpenJDK 8. (BZ#1570856)
Support for new locales in
el_GR@euro. Users can now specify these locales using the relevant environment variables to take advantage of the new localization support. (BZ#1448107)
New OFD Locking constants for 64-bit-offset programs
#define _FILE_OFFSET_BITS 64) are able to use the
F_OFD_*constants in system calls, although they still need to detect if the kernel supports those operations. Note that programs which use 32-bit file offsets do not have access to these constants, as the RHEL 7 ABI does not support translating them. (BZ#1461231)
elfutils rebased to version 0.172
eu-readelftool can display split unit DIEs when the
--debug-dump=info+option is used.
eu-readelftool can inspect separate
skeleton fileswith debug information when the
--dwarf-skeletonoption is used.
libdwlibrary now tries to resolve the
alt filecontaining linked debug information even when it has not yet been set with the
libdwlibrary has been extended with the functions
Chapter 8. Desktop
GNOME Shell rebased to version 3.28
- New GNOME Boxes features
- New on-screen keyboard
- Extended devices support, most significantly integration for the Thunderbolt 3 interface
- Improvements for GNOME Software, dconf-editor and GNOME Terminal
The sane-backends package is now built with systemd support
- The sane-backends package is built with systemd support.
- The saned daemon can be run without the need to create unit files manually, because these files are now shipped with sane-backends. (BZ#1512252)
FreeType rebased to version 2.8
FreeTypefont engine has been rebased to version 2.8, which is required by GNOME 3.28. The 2.8 version has been modified to be API and Application Binary Interface (ABI) compatible with the previous version 2.4.11. (BZ#1576504)
Nvidia Volta-based graphics cards are now supported
modesettinguser-space driver, which is able to handle the basic operations and single graphic output, is used. However, 3D graphic is handled by the
llvmpipedriver because Nvidia did not share public signed firmware for 3D. To reach maximum performance of the card, use the Nvidia binary driver. (BZ#1457161)
xorg-x11-server rebased to version 1.20.0-0.1
- Added support for the following input devices: Wacom Cintiq Pro 24, Wacom Cintiq Pro 32 tablet, Wacom Pro Pen 3D.
- Added support for Intel Cannon Lake and Whiskey Lake platform GPUs.
- Added support for S3TC texture compression in OpenGL
- Added support for X11 backing store
- Added support for Nvidia Volta series of graphics.
- Added support for AMD Vega graphics and Raven APU. (BZ#1564632)
Chapter 9. File Systems
The CephFS kernel client is fully supported with Red Hat Ceph Storage 3
XFS now supports modifying labels on mounted file systems
# xfs_io -c "label new-label" /mount-point
xfs_adminutility, which is still supported. (BZ#1322930)
pNFS SCSI layout is now fully supported for client and server
ima-evm-utils is now fully supported on AMD64 and Intel 64
Chapter 10. Hardware Enablement
genwqe-tools rebased to version 4.0.20 on IBM POWER
- CompressBound has been fixed
- Debugging tools have been added
genwqe_cksumtool has been fixed
- Missing manual pages in the spec file have been fixed
- New compiler warnings have been fixed
Z_STREAM_ENDdetection circumvention has been improved (BZ#1521050)
Chapter 11. Installation and Booting
network-scripts. Setting this option to
true, or leaving it empty has no effect. If you set this option to
false, it causes the
ifdowncalls to not be issued when stopping or restarting the
Improved content of error messages in network-scripts
Booting from an iSCSI device that is not configured using iBFT is now supported
inst.nonibftiscsibootthat supports the installation of boot loader on an iSCSI device that has not been configured in the iSCSI Boot Firmware Table (iBFT).
iscsiKickstart command or the installer GUI. (BZ#1562301)
Installing and booting from NVDIMM devices is now supported
- The use of NVDIMM devices for installation using the
nvdimmKickstart command and the GUI, making it possible to install and boot from NVDIMM devices in sector mode and reconfigure NVDIMM devices into sector mode during installation.
- The extension of
Anacondawith commands for handling NVDIMM devices.
- The ability of
efivarsystem components to handle and boot from NVDIMM devices. (BZ#1612965, BZ#1280500, BZ#1590319, BZ#1558942)
--noghost option has been added to the
rpm -V command
--noghostoption to the
rpm -Vcommand. If used with this option,
rpm -Vverifies only the non-ghost files that were altered, which helps diagnose system problems. (BZ#1395818)
Chapter 12. Kernel
kdump FCoE target has been added into the
kdumpFibre Channel over Ethernet (FCoE) target into the
kexec-toolsdocuments. As a result, users now have better understanding about the state and details of
kdumpon FCoE target support. (BZ#1352763)
SCHED_DEADLINE scheduler class enabled
SCHED_DEADLINEscheduler class for the Linux kernel. The scheduler enables predictable task scheduling based on application deadlines.
SCHED_DEADLINEbenefits periodic workloads by guaranteeing timing isolation, which is not based only on a fixed priority but also on the applications' timing requirements. (BZ#1344565)
User mount namespaces now fully supported
kernel.shmall updated to kernel defaults on IBM Z
kernel.shmallparameters on IBM Z. This update aligns the values of
kernel.shmallwith kernel defaults, which helps avoid the described crashes. (BZ#1493069)
Updated aQuantia Corporation
atlantic Network driver
atlantic.ko.xz, has been updated to version 22.214.171.124-kern and it is now fully supported. (BZ#1451438)
Thunderbolt 3 is now supported
Intel® Omni-Path Architecture (OPA) Host Software
opal-prd rebased to version 6.0.4 on the little-endian variant of IBM POWER Systems
- Performance in High Performance Computing (HPC) environments has been improved.
powernv_flashmodule is now explicitly loaded on systems based on Baseboard Management Controller (BMC), which ensures that the flash device is created before the
- Error on the first failure for soft or hard offline is no longer displayed by the
opal-prddaemon. (BZ#1564097, BZ#1537001)
The SEV feature has been introduced for AMD virtual machines
swiotlb=262144parameter currently has be to added to the guest kernel command line to ensure that virtual machines that use SEV are stable. For details, see the Known Issues section. (BZ#1361286)
Chapter 13. Real-Time Kernel
About Red Hat Enterprise Linux for Real Time Kernel
rhel-7-server-rt-rpmsrepository. The Installation Guide contains the installation instructions and the rest of the documentation is available at Product Documentation for Red Hat Enterprise Linux for Real Time.
kernel-rt sources updated
SCHED_DEADLINE scheduler class for real time kernel fully supported
SCHED_DEADLINEscheduler class for the real-time kernel, which was introduced in Red Hat Enterprise Linux 7.4 as a Technology Preview, is now fully supported. The scheduler enables predictable task scheduling based on application deadlines.
SCHED_DEADLINEbenefits periodic workloads by guaranteeing timing isolation, which is based not only on a fixed priority but also on the applications' timing requirements. (BZ#1297061)
rt-entsk prevents IPI generation and delay of realtime tasks
chronyd, enables or disables network timestamping, which activates a static key within the kernel. When a static key is enabled or disabled, three inter-processor interrupt (IPIs) are generated to notify other processors of the activation.
chronydstatic keys led to a delay of a realtime task. Consequently, a latency spike occurred. With this update, systemd starts the
rt-entskprogram, which keeps timestamping enabled and prevents the IPIs from being generated. As a result, IPI generation no longer occurs in a rapid succession, and realtime tasks are no longer delayed due to this bug. (BZ#1616038)
Chapter 14. Networking
Support for the libnftnl and nftables packages
fib_multipath_hash_policy support added to the kernel for IPv4 packets
fib_multipath_hash_policy, a new
sysctlsetting that controls which hash policy to use for multipath routes. When
fib_multipath_hash_policyis set to
1, the kernel performs
L4 hash, which is a multipath hash for IPv4 packets according to a
5-tuple(source IP, source port, destination IP, destination port, IP protocol type) set of values. When
fib_multipath_hash_policyis set to
L3 hashis used (the source and destination IP addresses).
fib_multipath_hash_policy, the Internet Control Message Protocol (ICMP) error packets are not hashed according to the inner packet headers. This is a problem for anycast services as the ICMP packet can be delivered to the incorrect host. (BZ#1511351)
Support for hardware time stamping on VLAN interfaces
linuxptp, to enable hardware time stamping. (BZ#1520356)
Support for specifying
duplex 802-3-ethernet properties when
802-3-ethernet.auto-negotiation is enabled
802-3-ethernet.auto-negotiationwas enabled on an Ethernet connection, all the
duplexmodes supported by the Network Interface Card (NIC) were advertised. The only option to enforce a specific
duplexmode was to disable
802-3-ethernet.duplexproperties. This was not correct because the
10GBASE-TEthernet standards require
auto-negotiationto be always enabled. With this update, you can enable a specific
auto-negotiationis enabled. (BZ#1487477)
Support for changing the DUID for IPv6 DHCP connections
NetworkManagerto get an IPv6 address from a Dynamic Host Configuration Protocol (DHCP) server. As a result, users can now specify the DUID for DHCPv6 connections using the new property,
ipv6.dhcp-duid. For more details on values set for
ipv6.dhcp-duid, see the
nm-settings(5)man page. (BZ#1414093)
ipset rebased to Linux kernel version 4.17
ipsetkernel component has been upgraded to upstream Linux kernel version 4.17 which provides a number of enhancements and bug fixes over the previous version. Notable changes include:
- The following
ipsettypes are now supported:
- hash:ip,mac (BZ#1557599)
ipset (userspace) rebased to version 6.38
- The userspace ipset is now aligned to the Red Hat Enterprise Linux (RHEL) kernel ipset implementation in terms of supported ipset types
- A new type of set,
hash:ipmac, is now supported (BZ#1557600)
firewalld rebased to version 0.5.3
firewalldservice daemon has been upgraded to upstream version 0.5.3, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- Added the
--check-configoption to verify sanity of configuration files.
- Generated interfaces such as
docker0are now correctly re-added to zones after
- A new IP set type,
hash:mac, is now supported. (BZ#1554993)
comment extension is now supported
commentextension. Τhis enables you to add entries with a comment. For more information, see the
ipset (8)man page. (BZ#1496859)
radvd rebased to version 2.17
router advertisement daemon (radvd)has been upgraded to version 2.17. The most notable change is that now
radvdsupports the selection of router advertisements source address. As a result, connection tracking no longer fails when the router's address is moved between hosts or firewalls. (BZ#1475983)
The default version for SMB now is auto-negotiated to the highest supported versions, SMB2 or SMB3
vers=1.0option on the Common Internet File System (CIFS) mount.
vers=1.0is used. (BZ#1471950)
position in an
nftables add or insert rule is replaced by
positionparameter in an add or insert rule has been deprecated and replaced by the
indexarguments. This syntax is more consistent with the replace and delete commands. (BZ#1571968)
New features in net-snmp
- net-snmp now supports monitoring disks of ZFS file system.
- net-snmp now supports monitoring disks of ASM Cluster (AC) file system. (BZ#1533943, BZ#1564400)
firewalld-cmd --check-config now checks the validity of XML configuration files
--check-configoption for the
firewall-offline-cmdcommands. The new option checks a user configuration of the
firewallddaemon in XML files. The verification script reports syntax errors in custom rule definitions if any. (BZ#1477771)
Each IP set is saved and restored from an individual file
ipset`systemd` service is used, each IP set is saved in its own file in the
/etc/sysconfig/ipset.d/directory. When the
ipsetservice loads the
ipsetconfiguration, these files are also restored from each corresponding set. This feature provides easier maintenance and configuration of single sets.
/etc/sysconfig/ipsetis still possible. However, if the
ipsetservice is configured to save files on the
stopaction, or when the
saveoperation is explicitly invoked, this legacy file will be removed, and the contents of all configured sets will be split into different files in
Chapter 15. Red Hat Enterprise Linux System Roles Powered by Ansible
Selected roles of Red Hat Enterprise Linux System Roles are now fully supported
timesyncroles are fully supported. The
postfixrole continues to be available as a Technology Preview.
selinuxroles, the changes are not backward compatible and it is necessary to update playbooks that use them. For more information, see https://access.redhat.com/articles/3561071. (BZ#1479381)
Chapter 16. Security
Clevis now supports TPM 2.0
Clevispluggable framework for Policy-Based Decryption (PBD) supports also clients that encrypt using a Trusted Platform Module 2.0 (TPM 2.0) chip. For more information and the list of possible configuration properties, see the
gnutls rebased to 3.3.29
- Improved the PKCS#11 cryptographic token interface for hardware security modules (HSMs): added DSA support in
p11tooland fixed key import in certain Atos HSMs.
- Improved counter-measures for the TLS Cipher Block Chaining (CBC) record padding. The previous counter-measures had certain issues and were insufficient when the attacker had access to the CPU cache and performed a chosen-plaintext attack (CPA).
- Disabled the legacy
HMAC-SHA384cipher suites by default. (BZ#1561481)
AES-GCM operations with
OpenSSL are now faster on IBM z14
AES-GCMoperations with the
OpenSSLlibrary are now executed faster on IBM z14 and later hardware. (BZ#1519396)
sudo rebased to version 1.8.23
- The new
cvtsudoersutility replaces both the
sudoers2ldifscript and the
visudo -xfunctionality. It can read a file in either sudoers or LDIF format and produce JSON, LDIF, or sudoers output. It is also possible to filter the generated output file by user, group, or host name.
always_query_group_pluginoption is now set explicitly in the default
/etc/sudoersfile. Users who upgrade from previous versions and want to retain the old group-querying behavior should ensure that this setting is in place after the upgrade.
- PAM account management modules are now run even when no password is required.
- The new
case_insensitive_groupsudoers options enable to control whether
sudodoes case-sensitive matching of users and groups in
sudoers. Case-insensitive matching is now the default.
- It is now an error to specify the
runasuser as an empty string on the command line. Previously, an empty
runasuser was treated the same as an unspecified
- I/O log files are now created with group
ID 0by default unless the
iolog_groupoptions are set in
- It is now possible to preserve bash shell functions in the environment where the
sudoerssetting is disabled by removing the
*=()*pattern from the
usbguard rebased to version 0.7.4
usbguard-daemonnow exits with an error if it fails to open a logging file or an audit event file.
- The present device enumeration algorithm is now more reliable. Enumeration timeouts no longer cause the
usbguard-daemonprocess to exit.
usbguard watchcommand now includes the
-eoption to run an executable for every received event. The event data is passed to the executable through environment variables. (BZ#1508878)
audit rebased to 2.8.4
- Added support for dumping internal state. You can now run the
service auditd statecommand to see information about the
- Added support for the
SOFTWARE_UPDATEevent generated by the
- Allowed unlimited retries during a remote logging startup. This helps to start even if the aggregating server is not running when a client is booted.
- Improved IPv6 remote logging. (BZ#1559032)
RPM now provides audit events
RPM Package Manager(RPM) provides audit events. The information that a software package is installed or updated is important for system analysis with the Linux
RPMnow creates a
SOFTWARE_UPDATEaudit event whenever a package is installed or upgraded by the
SELinux now supports
extended_socket_classpolicy capability that enables a number of new SELinux object classes to support all of the known network socket address families. It also enables the use of separate security classes for Internet Control Message Protocol (ICMP) and Stream Control Transmission Protocol (SCTP) sockets, which were previously mapped to the
rawip_socketclass. (BZ#1564775, BZ#1427553)
selinux-policy now checks file permissions when
mmap() is used
mmap()system call. The purpose of a separate map permission check on
mmap()is to permit policy to prohibit memory mapping of specific files for which you need to ensure that every access is revalidated. This is useful for scenarios where you expect the files to be relabeled at run-time to reflect state changes, for example, in a cross-domain solution or an assured pipeline without data copying.
domain_can_mmap_files, has been added. If
domain_can_mmap_filesis enabled, every domain can use
mmap()in every file, a character device or a block device. If
domain_can_mmap_filesis disabled, the list of domains that can use
mmap()is limited. (BZ#1460322)
The RHEL7 DISA STIG profile now matches STIG Version 1, Release 4
SCAP Security Guideproject, the RHEL7 Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) profile is aligned with STIG Version 1, Release 4. Note that certain rules do not contain an automated check or fix. (BZ#1443551)
Libreswan now supports PKCS #7-formatted X.509 certificates
LibreswanVirtual Private Network application supports also PKCS #7-formatted X.509 certificates. This enables interoperability with systems running Microsoft Windows. (BZ#1536404)
libreswan rebased to version 3.25
pfs=nooption and setting an ESP/AH PFS
modpgroup (for example,
esp=aes-sha2;modp2048) would load and ignore the
modpsetting. With this update, these connections fail to load with the
ESP DH algorithm MODP2048 is invalid as PFS policy is disablederror message. (BZ#1591817)
openssl-ibmca rebased to version 2.0.0
- The Elliptic-Curve Cryptography (ECC) functionality is now supported.
- Compatibility with various
OpenSSLversions has been increased.
sudo now runs PAM stack even when no authentication is required
sudoutility runs Pluggable Authentication Module (PAM) account management modules even when the
NOPASSWDoption is configured in the policy. This enables checking for restrictions imposed by PAM modules outside of the authentication phase. As a result, PAM modules, such as
pam_time, now work properly in the described scenario. (BZ#1533964)
cvtsudoers converts between different
cvtsudoersutility enables the administrator to convert rules between different
sudoerssecurity policy file formats. See the
cvtsudoers(1)man page for the list of available options and examples of usage. (BZ#1548380)
SCAP Security Guide now supports OSPP v4.2
ospp42, and the previously released profile USGCB (United States Government Configuration Baseline) OSPP v4.0 is available with ID
selinux-policy now contains five additional
keepalived_connect_any- allows the
keepalivedservice to connect to arbitrary ports.
tomcat_use_execmem- allows the
Tomcatserver to make its stack executable.
Tomcatto connect to the
redis_enable_notify- allows the
redis-sentinelservice to run notification scripts.
Chapter 17. Servers and Services
rear rebased to version 2.4
Relax-and-Recovertool (ReaR) have been upgraded to upstream version 2.4, which provides a number of bug fixes and enhancements over the previous version. Notably:
- The default behavior when resizing partitions in migration mode has been changed. Only the size of the last partition is now changed by default; the start positions of every partition are preserved. If the previous behavior is needed, set the
AUTORESIZE_PARTITIONSconfiguration variable to
yes. See the description of the configuration variables
/usr/share/rear/conf/default.conffile for more information on how to control the partition resizing.
- The network setup now supports teaming (with the exception of Link Aggregation Control Protocol - LACP), bridges, bonding, and VLANs.
- Support for Tivoli Storage Manager (TSM) has been improved. In particular, support for the password store in the TSM client versions 8.1.2 and later has been added, fixing the bug where the generated ISO image did not support restoring the OS if those TSM versions were used for backup.
- Support for partition names containing blank and slash characters has been fixed.
- SSH secrets (private keys) are no longer copied to the recovery system, which prevents their leaking. As a consequence, SSH in the recovery system cannot use the secret keys from the original system. See the description of the
SSH_UNPROTECTED_PRIVATE_KEYSvariables in the
/usr/share/rear/conf/default.conffile for more information on controlling this behavior.
- Numerous improvements to support of the IBM POWER Systems architecture have been added, such as support for including the backup in the rescue ISO image and for multiple ISOs.
- Multipath support has been enhanced. For example, support for software RAID on multipath devices has been added.
- Support for secure boot has been added. The
SECURE_BOOT_BOOTLOADERvariable can be used for specifying any custom-signed boot loader.
- Support for restoring disk layout of software RAID devices with missing components has been added.
- The standard error and standard output channels of programs invoked by
ReaRare redirected to the log file instead of appearing on the terminal. Programs prompting for user input on the standard output or standard error channel will not work correctly. Their standard output channel should be redirected to file descriptor
7and standard input channel from file descriptor
6. See the Coding Style documentation on the
ReaRwiki for more details.
The rear package now includes a user guide
Relax-and-Recovertool (ReaR). After installation of rear, you can find the user guide in the
pcsc-lite interface now supports up to 32 devices
pcsc-litesmart card interface supports has been increased from 16 to 32. (BZ#1516993)
tuned rebased to version 2.10.0
- an added mssql profile (shipped in a separate tuned-profiles-mssql subpackage)
tuned-admtool now displays a relevant log snippet in case of error
- fixed verification of a CPU mask on systems with more than 32 cores (BZ#1546598)
STOU FTP command has improved algorithm for generating unique file names
STOUFTP command allows transferring files to the server and storing them with unique file names. Previously, the
STOUcommand created the names of the files by taking the file name, supplied as an argument to the command, and adding a numerical suffix and incrementing the suffix by one. In some cases, this led to a race condition. Subsequently the scripts which used
STOUto upload files with the same file name could fail. This update modifies
STOUto create unique file names in a way which helps to avoid the race condition and improves the functioning of scripts that use
STOU. To enable the improved algorithm for generating unique file names using
STOU, enable the
better_stouoption in the configuration file (usually
/etc/vsftpd/vsftpd.conf) by adding the following line:
imfile now supports symlinks
imfilemodule delivers better performance and more configuration options. This enables to use the module for more complicated file monitoring use cases. Users of
rsyslogare now able to use file monitors with glob patterns anywhere along the configured path and rotate symlink targets with increased data throughput when compared to the previous version. (BZ#1531295)
kafkacentralized data storage scenarios, you can now forward logs to the
kafkainfrastructure using the new
rsyslogin favor of other log collectors and where kubernetes container metadata are required, a new
mmkubernetesmodule has been added to Red Hat Enterprise Linux. (BZ#1539193)
Chapter 18. Storage
NVMe driver rebased to version 4.17-rc1
NVMedriver has been rebased to upstream version 4.17-rc1, which provides a number of bug fixes and enhancements over the previous version. Notable changes are as follows:
- added error handling improvements for Nonvolatile Memory Express (NVMe) over Remote Direct Memory Access (RDMA)
- added fixes for keeping connections over the RDMA transport alive
NVMe/FC is fully supported on Broadcom Emulex Fibre Channel Adapters
lpfcdriver, edit the
/etc/modprobe.d/lpfc.conffile and add the following option:
lpfcstill remain in Technology Preview. See the Technology Previews part for more information.
- Multipath is not supported with NVMe/FC. See https://bugzilla.redhat.com/show_bug.cgi?id=1524966.
- The kernel-alt package does not support NVMe/FC.
kdumpis not supported with NVMe/FC. See https://bugzilla.redhat.com/show_bug.cgi?id=1654433.
- Booting from Storage Area Network (SAN) NVMe/FC is not supported. See https://bugzilla.redhat.com/show_bug.cgi?id=1654435.
- Storage device fencing is not available on NVMe. See https://bugzilla.redhat.com/show_bug.cgi?id=1519009. (BZ#1584753)
DM Multipath now enables blacklisting or whitelisting paths by protocol
protocolconfiguration option in the
blacklist_exceptionsconfiguration sections. This enables you to blacklist or whitelist paths based on the protocol they use, such as
nvme. For SCSI devices, you can also specify the transport: for example
%0 wildcard added for the
multipathd show paths format command to show path failures
multipathd show paths formatcommand now supports the
%0wildcard to display path failures. Support for this wildcard makes it easier for users to track which paths have been failing in a multipath device. (BZ#1554516)
all_tg_pt multipath configuration option
devicessections of the
multipath.confconfiguration file now support the
all_tg_ptsparameter, which defaults to
no. If this option is set to
mpathpersistregisters keys it will treat a key registered from one host to one target port as going from one host to all target ports. Some arrays, notably the EMC VNX, treat reservations as between one host and all target ports. Without
mpathpersistworking the same way, it would give reservation conflicts. (BZ#1541116)
Chapter 19. System and Subscription Management
cockpit rebased to version 173
- The menu and navigation can now work with mobile browsers.
Cockpitnow supports alternate Kerberos keytabs for Cockpit's web server, which enables configuration of Single Sign-On (SSO).
- Automatic setup of Kerberos keytab for Cockpit web server.
- Automatic configuration of SSO with FreeIPA for
Cockpitrequests FreeIPA SSL certificate for Cockpit's web server.
Cockpitshows available package updates and missing registrations on system front page.
- A Firewall interface has been added.
- The flow control to avoid user interface hangs and unbounded memory usage for big file downloads has been added.
- Terminal issues in Chrome have been fixed.
Cockpitnow properly localizes numbers, times, and dates.
- Subscriptions page hang when accessing as a non-administrator user has been fixed.
Log inis now localized properly.
reposync now by default skips packages whose location falls outside the destination directory
reposynccommand did not sanitize paths to packages specified in a remote repository, which was insecure. A security fix for CVE-2018-10897 has changed the default behavior of
reposyncto not store any packages outside the specified destination directory. To restore the original insecure behavior, use the new
--allow-path-traversaloption. (BZ#1609302, BZ#1600618)
yum clean all command now prints a disk usage summary
yum clean allcommand, the following hint was always displayed:
Maybe you want: rm -rf /var/cache/yum
yum clean allnow prints a disk usage summary for remaining repositories that were not affected by
yum clean all(BZ#1481220)
yum versionlock plug-in now displays which packages are blocked when running the
yum update command
yum versionlockplug-in, which is used to lock RPM packages, did not display any information about packages excluded from the update. Consequently, users were not warned that such packages will not be updated when running the
yum updatecommand. With this update,
yum versionlockhas been changed. The plug-in now prints a message about how many package updates are being excluded. In addition, the new
statussubcommand has been added to the plug-in. The
yum versionlock statuscommand prints the list of available package updates blocked by the plug-in. (BZ#1497351)
repotrack command now supports the
--repofrompath option, which is already supported by the
repoclosurecommands, has been added to the
repotrackcommand. As a result, non-root users can now add custom repositories to track without escalating their privileges. (BZ#1506205)
Subscription manager now respects
proxy_port settings from
proxy_portconfiguration from the
/etc/rhsm/rhsm.conffile. Consequently, the default value of 3128 was used even after the user had changed the value of
proxy_portconfiguration. However, making any change to the
/etc/rhsm/rhsm.confrequires an selinux policy change. To avoid selinux denials when changing the default
proxy_port, run this command for the benefit of the
semanage port -a -t squid_port_t -p tcp <new_proxy_port>
New package: sos-collector
sos-collectoris a utility that gathers
sosreportsfrom multi-node environments.
sos-collectorfacilitates data collection for support cases and it can be run from either a node or from an administrator's local workstation that has network access to the environment. (BZ#1481861)
Chapter 20. Virtualization
virt-v2v converts virtual machine CPU topology
virt-v2vutility preserves the CPU topology of the converted virtual machines (VMs). This ensures that the VM CPU works the same way after the conversion as it did before the conversion, which avoids potential runtime problems. (BZ#1541908)
virt-v2v can import virtual machines directly to RHV
virt-v2vutility is now able to output a converted virtual machine (VM) directly to a Red Hat Virtualization (RHV) client. As a result, importing VMs converted by
virt-v2vusing the Red Hat Virtualization Manager (RHVM) is now easier, faster, and more reliable.
The i6300esb watchdog is now supported by
libvirtAPI supports the i6300esb watchdog device. As a result, KVM virtual machines can use this device to automatically trigger a specified action, such as saving a core dump of the guest if the guest OS becomes unresponsive or terminates unexpectedly. (BZ#1447169)
Paravirtualized clock added to Red Hat Enterprise Linux VMs
sched_clock()function has been integrated in the Red Hat Enterprise Linux kernel. This improves the performance of Red Hat Enterprise Linux virtual machines (VMs) running on VMWare hypervisors.
no-vmw-sched-clockoption to the kernel command line. (BZ#1507027)
VNC console is supported on IBM Z
virtio-gpukernel configuration in guests running on the IBM Z architecture. As a result, KVM guests on an IBM Z host are now able to use the VNC console to display their graphical output. (BZ#1570090)
QEMU Guest Agent diagnostics enhanced
qemu-get-timezonecommands, which improve the diagnostic capabilities of QEMU Guest Agent. (BZ#1569013)
Chapter 21. Atomic Host and Containers
Red Hat Enterprise Linux Atomic Host
Chapter 22. Red Hat Software Collections
sclutility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the
sclutility, users can choose which package version they want to run at any time.
Part II. Notable Bug Fixes
Chapter 23. Authentication and Interoperability
Directory Server now supports certificates with all ciphers supported by NSS
Directory Server correctly generates the CSN
client-cert-request utility no longer fails to create CSRs for ECC certificates
generatePkcs10Requestmethod in the Certificate System's
client-cert-requestutility failed to map the curve and length parameters. Consequently, the utility failed to create certificate signing requests (CSR) for Elliptic Curve Cryptography (ECC) certificates. The problem has been fixed. As a result, using
client-cert-requestfor creating CSRs for ECC certificates works as expected. (BZ#1549632)
pkiconsole utility no longer accepts ACLs with an empty expression
pkiconsoleutility displayed an
StringIndexOutOfBoundsExceptionerror. With this update, the utility rejects empty ACL expressions. As a result, invalid ACLs cannot be saved and the error is no longer displayed. (BZ#1546708)
CMC CRMF requests using ECC keys work correctly
Installing Certificate System subsystems with ECC keys no longer fail
Directory Server clients are no longer randomly restricted by anonymous resource limits
Thread processing in Directory Server has been serialized
addoperation before the parent entry was added. With this update, the thread processing the start session operation no longer processes further operations, even if some are available in the read buffer. As a result, the inconsistencies no longer occur in the mentioned scenario. (BZ#1552698)
memberOf attribute in Directory Server works correctly
memberOfplug-in deletes the
memberOfattribute with the old value and adds a new
memberOfattribute with the new group's distinguished name (DN) in affected user entries. Previously, if the old subtree was not within the scope of the
memberOfplug-in, deleting the old
memberOfattribute failed because the values did not exist. As a consequence, the plug-in did not add the new
memberOfvalue, and the user entry contained an incorrect
memberOfvalue. With this update, the plug-in now checks the return code when deleting the old value. If the return code is
no such value, the plug-in only adds the new
memberOfvalue. As a result, the
memberOfattribute information is correct. (BZ#1551071)
PBKDF2_SHA256 password storage scheme can now be used in Directory Server
PBKDF2_SHA256password storage scheme could not be used in the
passwordStorageSchemeparameter. This update automatically enables the plug-in. As a result, administrators can now use the
PBKDF2_SHA256password storage scheme. (BZ#1576485)
Directory Server no longer crashes when removing connections from an active list
The Disk Monitoring feature shuts down Directory Server on low disk space
Directory Server no longer logs a warning when searching a non-existent DN in
entrydnattribute caused Directory Server to log a warning in the error log. With this update, the server correctly handles situations when an
entrydnattribute fails to find a match. As a result, the server no longer logs a misleading warning. (BZ#1570033)
pwdhash utility no longer crashes when using the
CRYPT password storage scheme
pwdhashutility used an invalid mutex lock when creating a hash using the
CRYPTpassword storage scheme. As a consequence,
pwdhashfailed with a segmentation fault error. With this update, the utility uses the re-entrant form of the
crypt()function that does not require a lock. As a result,
pwdhashno longer crashes when using the
CRYPTpassword storage scheme. (BZ#1570649)
The Directory Server
Pass-through plug-in now supports encrypted connections using the
Pass-throughplug-in in Directory Server did not support encrypted connections if the encryption was started using the
STARTTLScommand. The problem has been fixed, and the
Pass-throughplug-in now supports connections that use the
Using the password policy feature works correctly if
chain on update is enabled
Password must be changed after resetpassword policy setting was not enforced because the flag for marking the user that must change their password is set on the connection itself. If this setting was used with the
chain on updatefeature, the flag was lost. As a consequence, the password policy feature did not work. With this update, the server sets the flag on
chain on updateconnections properly. As a result, the password policy feature works correctly. (BZ#1582092)
Improved performance when the fine-grained password policy is enabled in Directory Server
shadowAccountentry, Directory Server adds the shadow attributes to the entry. If the fine-grained password policy is enabled, the
shadowAccountentry can contain its own
pwdpolicysubentrypolicy attribute. Previously, to retrieve this attribute, the server started an internal search for each
shadowAccountentry, which was unnecessary because the entry was already known to the server. With this update, Directory Server only starts internal searches if if the entry is not known. As a result, the performance of searches, such as response time and throughput, is improved. (BZ#1593807)
Directory Server now retrieves members of the replica bind DN group when the first session is started
nsds5replicabinddngroupattribute, the group is retrieved periodically based on the interval set in the
nsDS5ReplicaBindDnGroupCheckIntervalattribute. If the entry is not a member at the time the server retrieves the group, any session that is authenticated using this entry is not authorized to replicate updates. This behavior remains until the entry becomes a member of the group and the server retrieves the group again. As a consequence, replication fails for the first interval set in
nsDS5ReplicaBindDnGroupCheckInterval. With this update, the server retrieves the group when the first session is started rather than when the replica is created. As a result, the group is taken into account at the first attempt it is checked. (BZ#1598478)
Creating a Directory Server back end with the name
default is now supported
defaultwas reserved in Directory Server. As a consequence, creating a back end named
defaultfailed. With this update, Directory Server no longer reserves this name, and administrators can create a back end named
Updated Directory Server SNMP MIB definitions
lintutility reported errors. The definitions have now been updated, and as a result, the MIB definitions comply with the SMIv2 specification (BZ#1525256)
rpc.yppasswdd now updates passwords also with
SELinuxsecurity module was disabled on the system, the
rpc.yppasswddupdate function failed to perform the update action. As a consequence,
rpc.yppasswddwas unable to update the user password. With this update,
SELinuxis enabled on the system before detecting the
SELinuxcontext type for the
passwdfiles. As a result,
rpc.yppasswddnow correctly updates passwords in the described scenario. (BZ#1492892)
The default of the
nsslapd-enable-nunc-stans parameter has been changed to
off. As a result, Directory Server is now stable. (BZ#1614501)
Chapter 24. Clustering
PCS is able to find a token and connect to a node with upper case characters in its node name
pcs cluster authcommand would lowercase all node names before storing them to the PCS token file. With this fix, PCS does not lowercase node names before storing them to the PCS token file. (BZ#1590533)
pcs now shows correct value for
pcs resource failcount showcommand always showed a
failcountof zero, even when this was not the correct value. This occurred because the format of resource failcounts was changed in Pacemaker. With this fix, the
pcsutility is able to parse the new
failcountformat and it displays the correct value. (BZ#1588667)
At cluster startup,
corosync starts on each node with a small delay to reduce the risk of JOIN flood
corosyncon all nodes at the same time may cause a JOIN flood, which may result in some nodes not joining the cluster. With this update, each node starts
corosyncwith a small delay to reduce the risk of this happening. (BZ#1572886)
/etc/sysconfig/pcsd option to reject client-initiated SSL/TLS renegotiation
/etc/sysconfig/pcsdconfiguration file to reject renegotiations. Note that the client can still open multiple connections to a server with a handshake performed for all of the connections. (BZ#1566382)
Chapter 25. Compiler and Tools
GDB registers unaligned watchpoint hits on the 64-bit ARM architecture
GDBdebugger provided only limited support for unaligned hardware watchpoints used by the
GDBcommands on the 64-bit ARM architecture. As a consequence,
GDBrunning on such systems failed to register some watchpoint hits and subsequently did not stop the debugged program.
GDBhas been extended to handle this situation. As a result, it can correctly handle any hardware watchpoints on the 64-bit ARM architecture, including unaligned ones. (BZ#1347993)
Retpoline support in GCC on IBM Z architecture
binutils linker no longer terminates unexpectedly when encountering relocations against absolute address
The helper to store credentials in a GNOME keyring is now available in the git-gnome-keyring subpackage
gitautomatically installed GNOME components as a dependency, because the helper to store credentials in a GNOME keyring was part of the
gitpackage. With this update, the helper has been moved into the separate git-gnome-keyring subpackage. As a result, the size of a
gitinstallation is reduced.
# yum install git-gnome-keyring
git instaweb now works without any additional configuration and it is available in a separate subpackage
git instawebcommand required a web server and did not work in the default installation. With this update,
git instawebhas been moved into the separate git-instaweb subpackage, which depends on the
Apacheweb server, and is configured to use the web server automatically. As a result,
git instawebnow works without any further configuration when git-instaweb is installed. To install the subpackage:
# yum install git-instaweb
man utility no longer prints
gimme gimme gimme after midnight
manutility that printed
gimme gimme gimmein the standard error output at 00:30 local time. As a consequence, under certain circumstances the unexpected output misled automated tools. With this update, the Easter egg has been removed, and the described problem no longer occurs. (BZ#1515352)
sysctl now allows
tuned to reset kernel parameters
sysctldid not allow kernel parameters to be set to default values. As a consequence, the
tunedutility could not set default kernel parameters using
sysctl. With this update,
sysctlaccepts default values to reset kernel parameters. As a result,
tunedworks as expected and kernel parameters can be reset to default values. (BZ#1507356)
ncat now correctly sets environment variables in UDP mode
ncatutility did not set environment variables for User Datagram Protocol (UDP) connections properly. As a consequence, user's scripts failed in UDP mode. This update sets some internal values, and environment variables now are set properly. (BZ#1573411)
ncat no longer uses the default HTTP port for all proxy types
socks5, was specified. As a consequence, the
ncatutility unsuccessfully tried to connect to a proxy type through the non-default port. This update corrects the code so that an HTTP proxy port is not used by default. As a result,
ncatnow sets the proper default port according to the proxy type. (BZ#1546246)
Decoding and conversion of JPEG 2000 images now work correctly
openjpeglibrary. With this update, the underlying source code has been fixed, and decoding and conversion of JPEG 2000 images now works as expected. (BZ#1553235)
strip no longer malforms binary files built with tools that use a later
BFD library version
striptool created an invalid binary file if the file was originally produced by tools that use a later version of the
strip. As a consequence running the resulting binary file failed and generated an error message about an unresolvable relocation.
BFDhas been modified to report situations where it cannot recognize its future features instead of damaging the code that contains these features. As a result,
stripnow generates an error message and aborts in this situation. (BZ#1553842)
Fixes of bugs in process-shared robust mutex
EOWNERDEADto another process that was trying to recover the mutex. This update fixes the threading library and all known and fixable bugs in robust mutexes. (BZ#1401665)
GDBserver not working properly when attaching to a process in another container
socketpair not available on this hosthas been fixed and both GDB and GDBserver are now able to debug into containers. (BZ#1578378)
Chapter 26. Hardware Enablement
lsslot -cpci command now correctly reports PCI slot types
lsslot -cpcicommand reported PCI slot types as <literal>Unknown slot type</literal>. With this update, the bug has been fixed, and
lsslotutility reports PCI slot types correctly. (BZ#1592429)
drmgr -C command now loads the
rpadlpar_io kernel module
drmgr -Ccommand did not select hotplug types. As a consequence, the
rpadlpar_iokernel module was loaded only when one of the following hotplug types was explicitly selected:
slot. With this update, the underlying source code has been fixed, and the command
drmgr -Cnow loads
Diagnostic utilities now display CPU frequency values correctly
lscpu, in some cases reported an incorrect CPU frequency value. With this update, the affected utilities display correct values and report an error if the accurate value currently cannot be detected. (BZ#1596121)
ppc64_cpu utility no longer fails when reading CPU frequency
ppc64_cpuutility failed when reading CPU frequency. With this update, a thread is created for each of the CPUs if the number of CPUs in the system is less than CPU_SETSIZE, or only CPU_SETSIZE threads are created. As a result, the described problem no longer occurs, and
ppc64_cpuno longer fails. (BZ#1628907)
Chapter 27. Installation and Booting
network service no longer hangs on stop or restart
networkservice could hang if it was stopped or restarted. A patch to the initscripts packages has been applied to not use the
pidofutility, and the described problem no longer occurs. (BZ#1559384)
KSH no longer fails to process
localappears on the same line as an array definition. This previously caused
KSHto fail to source the
/etc/init.d/functionsfile. This update provides a workaround to the
KSHlimitation, and the function file is now being sourced as expected.
KSHmay still be unable use some of the functions in
/etc/init.d/functionsfile. This update only allows KSH to not fail during the sourcing of
Diskless NFS clients no longer hang when unmounting the root file system
networkservice was stopped or restarted while unmounting the root file system. This happened because the unit files generated by
systemdsometimes had incorrect dependencies.
systemctl reload network.service has been removed
systemctl reload network.servicecommand, which does not work due to technical limitations of initscripts has been removed, and using it now results in an appropriate warning message. To correctly apply a new configuration for the network service, use the
~]# systemctl restart network.service
Text mode will now prompt for a passphrase if a Kickstart file does not provide one while enabling encryption
cmdline Kickstart installation with conflicting packages now displays an error message
cmdline(noninteractive, unattended) Kickstart installation with conflicting packages was started, the installation failed and the machine rebooted before displaying the error message.
The custom partitioning screen now displays relevant storage configuration error messages
Host name is now configured correctly on an installed system
ipinstaller boot option was not configured on an installed system.
ipinstaller boot option has now been fixed for IPv6 static configuration. (BZ#1554271)
reqpart Kickstart command will now only create partitions that are required by the hardware platform
reqpartcommand was specified in a Kickstart file and no partitions were required by the hardware platform, the installer attempted to perform automatic partitioning. As a result, the installation failed with an error.
reqpartKickstart command will only create partitions that are required by the hardware platform. (BZ#1557485)
Installation started with boot option
zfcp.allow_lun_scan is applied to the installed system
zfcp.allow_lun_scanwas not applied to the installed system and as a result, the installed system started without the boot option.
zfcp.allow_lun_scanto the installed system. (BZ#1561662)
clearpart Kickstart command can now be used on disk partitions
clearpart --list=<part>(where <part> is a partition on a disk) during installation worked for disks but not disk partitions.
Device <part> given in clearpart device list does not exist.
Chapter 28. Kernel
libcgroup no longer truncates the values of cgroup subsystem parameters that are longer than 100 characters
libcgrouplibrary truncated the values longer than 100 characters before writing them to a file representing matching cgroup subsystem parameter in the kernel. With this update, the maximal length of values of cgroup subsystem parameters in
libcgrouphas been extended to 4096 characters. As a result,
libcgroupnow handles values of cgroup subsystem parameters with any length correctly. (BZ#1549175)
mlx5 device no longer contains a firmware issue
mlx5device contained a firmware issue, which caused that the link of
mlx5devices in certain situation dropped after rebooting a system. As a consequence, a message similar to the following was seen in the output of the
mlx5_core 0000:af:00.0: Port module event[error]: module 0, Cable error, Bus stuck(I2C or data shorted)
Chapter 29. Real-Time Kernel
A race condition that prevented tasks from being scheduled properly has been fixed
Chapter 30. Networking
Bad offload warnings are no longer displayed using
virtio_netnetwork adapter in bridge connections, user space programs sometimes generated Generic Segmentation Offload (GSO) packets with no checksum offload and passed them to the kernel. As a consequence, the kernel checksum offloading code displayed bad offload warnings unnecessarily. With this update, a patch has been applied, and the kernel does not warn anymore about bad checksum offload messages for such packets. (BZ#1544920)
L2TP sequence number handling now works correctly
L2TPsessions stopped working unexpectedly. With this update, a patch has been applied to correctly handle sequence numbers in case of a packet loss. As a result, when users enable sequence numbers,
L2TPsessions work as expected in the described scenario. (BZ#1527799)
The kernel no longer crashes when a
tunnel_key mode is not specified
tunnel_keyaction rules was incorrect if neither
unsetmode was specified in the configuration. As a consequence, the kernel dereferenced an incorrect pointer and terminated unexpectedly. With this update, the kernel does not install
unsetwas not specified. As a result, the kernel no longer crashes in the described scenario. (BZ#1554907)
net.ipv4.route.min_pmtu setting no longer set invalid values
net.ipv4.route.min_pmtusetting was not restricted. As a consequence, administrators were able to set a negative value for
net.ipv4.route.min_pmtu. This sometimes resulted in setting the path Maximum Transmission Unit (MTU) of some routes to very large values because of an integer overflow. This update restricts values for
>= 68, the minimum valid MTU for IPv4. As a result,
net.ipv4.route.min_pmtucan no longer be set to invalid values (negative value or
< 68). (BZ#1541250)
wpa_supplicant no longer responds to packets whose destination address does not match the interface address
wpa_supplicantwas running on a Linux interface that was configured in
promiscuousmode, incoming Extensible Authentication Protocol over LAN (EAPOL) packets were processed regardless of the destination address in the frame. However,
wpa_supplicantchecked the destination address only if the interface was enslaved to a bridge. As a consequence, in certain cases,
wpa_supplicantwas responding to EAPOL packets when the destination address was not the interface address. With this update, a socket filter has been added that allows the kernel to discard unicast EAPOL packets whose destination address does not match the interface address, and the described problem no longer occurs. (BZ#1434434)
NetworkManager no longer fails to detect duplicate IPv4 addresses
NetworkManagerused to spawn an instance of the
arpingprocess to detect duplicate IPv4 addresses on the network. As a consequence, if the timeout configured for IPv4 Duplicate Address Detection (DAD) was short and the system was overloaded,
NetworkManagersometimes failed to detect a duplicate address in time. With this update, the detection of duplicate IPv4 addresses is now performed internally to
NetworkManagerwithout spawning external binaries, and the described problem no longer occurs. (BZ#1507864)
firewalld now prevents partially applied rules
failedstatus and allows the user to remedy the situation. This prevents unexpected results by having partially applied rules. (BZ#1498923)
The wpa_supplicant upgrade no longer causes disconnections
wpa_supplicantservice. As a consequence, the network disconnected temporarily. With this update, the systemd unit is not restarted during the upgrade. As a result, the network connectivity no longer fails during the wpa_supplicant upgrade. (BZ#1505404)
Chapter 31. Security
CardOS 5.3 smart cards with ECDSA support work correctly in OpenSC
TokenInfoinformation provided by CardOS 5.3 smart cards. As a consequence, OpenSC did not detect these cards. The
TokenInfoparser has been updated and now complies with the PKCS #15 specification. As a result, CardOS 5.3 smart cards with ECDSA support work correctly in OpenSC. (BZ#1562277)
Non-CCID-compliant smart card readers work in OpenSC
pkcs11-tool utility now supports mechanism IDs and handles ECDSA keys correctly
pkcs11-toolutility incorrectly handled
EC_POINTvalues and support for certain vendor-specific mechanisms was missing. As a consequence, these mechanisms and certain ECDSA keys in hardware security modules (HSM) and smart cards were not supported by
pkcs11-tool. With this update, the
EC_POINTvalues and vendor-specific mechanisms correctly. As a result, the utility now supports mechanism IDs and handles ECDSA keys correctly. (BZ#1562572)
OpenSCAP RPM verification rules no longer work incorrectly with VM and container file systems
rpmverifyfileprobes did not fully support offline mode. As a consequence,
OpenSCAPRPM verification rules did not work correctly when scanning virtual machine (VM) and container file systems in offline mode. With this update, support for offline mode has been fixed, and results of scanning VM and container file systems in offline mode no longer contain false negatives. (BZ#1556988)
sudo no longer blocks
sudothat had the I/O logging enabled, a parent process of the command was occasionally blocked in the
poll()function execution, waiting for an event on the
/dev/ptmxfile descriptor. Consequently, a deadlock occurred and
sudomight leave the process of the command in an unresponsive state. This update adds a pseudoterminal cleanup logic, and sudo no longer causes a deadlock in the described scenario. (BZ#1560657)
Chapter 32. Servers and Services
pxlmono now work correctly
pxlmonodrivers in the Ghostscript interpreter did not function correctly. As a consequence, the drivers were likely to ignore a selection of a paper tray for certain printers, therefore only a specific paper tray was selected. This update applies a patch, which fixes the issue. As a result, the selection of different paper trays now works as expected in the described scenario. (BZ#1551782)
nuxwdog service starts correctly when a sub-CA is installed
nuxwdogservice did not allocate enough memory. As a consequence, the service failed to start. This update fixes the problem. As a result,
nuxwdogstarts correctly in the mentioned scenario. (BZ#1615617)
/etc/fstab with white spaces more reliably
/etc/fstabfile if they had white spaces at the beginning. This sometime caused problems in software tools that use Augeas, such as the
virt-v2vutility or the
Puppetmanagement tool. With this update, the Fstab lens of Augeas correctly ignores white spaces at the beginning of lines. As a result, Augeas now reads
/etc/fstabas expected. (BZ#1544520)
Chapter 33. Storage
mpathpersist no longer fails when opening too many files
mpathpersistutility sometimes overstepped the limit on open files when scanning a large number of devices. As a consequence,
mpathpersistnow checks the
max_fdsconfiguration value and correctly sets the maximum number of open files. As a result,
mpathpersistno longer fails when opening too many files. (BZ#1610263)
multipathd readsector0 checker now returns the correct result
multipathddaemon was incorrectly calculating the I/O size to use with the
readsector0checker, causing it to do a 0 size read. This could cause the
multipathd readsector0checker to return the wrong result. It is also possible that some SCSI devices do not treat a 0 size read command as valid. With this fix,
multipathdnow uses the correct size for the
DM Multipath is much less likely to output an incorrect timeout error
multipath now correctly prints the
sysfs state of paths
multipath -lcommand did not print the
sysfsstate of paths because the
multipathutility did not correctly set path information. With this update, the problem has been fixed, and
multipathnow prints the
sysfsstate of paths correctly. (BZ#1526876)
multipathd can now correctly set APTPL when registering keys on path devices
multipathdservice did not track which devices registered their persistent reservation keys with the Activate Persist Through Power Loss (APTPL) option. As a consequence, registrations always lost the APTPL setting.
- If you set the
reservation_keyoption to a file in the
multipathdnow keeps the APTPL setting automatically.
- If you set
reservation_keyto a specific key, you can now add the
:aptplstring at the end of the key in
reservation_key, which enables APTPL for it. Set this to match the APTPL setting used when registering the key. (BZ#1498724)
Chapter 34. System and Subscription Management
yum updateinfo commands now respect
yumcommands operating on the updateinfo metadata, such as
yum check-update --security, did not work correctly. Consequently,
yumterminated with an error instead of skipping the repository. With this update, the underlying source code has been fixed to respect the
skip_if_unavailableoption. As a result, the affected
yumcommands now skip the unavailable repository as expected under the described circumstances. (BZ#1528608)
Part III. Technology Previews
Chapter 35. General Updates
systemd-importd VM and container image import and export service
systemdversion now contains the
systemd-importddaemon that was not enabled in the earlier build, which caused the
machinectl pull-*commands to fail. Note that the
systemd-importddaemon is offered as a Technology Preview and should not be considered stable. (BZ#1284974)
Chapter 36. Authentication and Interoperability
Use of AD and LDAP sudo providers
sudo_provider=adsetting in the [domain] section of the
DNSSEC available as Technology Preview in IdM
Identity Management JSON-RPC API available as Technology Preview
- Administrators to use previous or later versions of IdM on the server than on the managing client.
- Developers to use a specific version of an IdM call, even if the IdM version changes on the server.
Containerized Identity Management server available as Technology Preview
rhel7/ipa-servercontainer image is available as a Technology Preview feature. Note that the
rhel7/sssdcontainer image is now fully supported.
The Custodia secrets service provider is available as a Technology Preview
Chapter 37. Clustering
The pcs tool now manages bundle resources in Pacemaker
fence-agents-heuristics-ping fence agent
fence_heuristics_pingagent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.
offaction on the heuristics agent before it attempts to do so on the agent that does the fencing. If the heuristics agent gives a negative result for the
offaction it is already clear that the fencing level is not going to succeed, causing Pacemaker fencing to skip the step of issuing the
offaction on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent the agent that does the actual fencing from fencing a node under certain conditions.
Heuristics supported in
corosync-qdevice as a Technology Preview
corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to
corosync-qnetdwhere it is used in calculations to determine which partition should be quorate. (BZ#1413573, BZ#1389209)
New LVM and LVM lock manager resource agents
LVM-activateagent provides a choice from multiple methods for LVM management throughout a cluster:
- tagging: the same as tagging with the existing
- clvmd: the same as clvmd with the existing
- system ID: a new option for using system ID for volume group failover (an alternative to tagging).
- lvmlockd: a new option for using
dlmfor volume group sharing (an alternative to
lvmlockdresource agent is used to start the
LVM-activateis configured to use
lvmlockd, see the
lvmlockd(8)man page. (BZ#1513957, BZ#1634729)
Chapter 38. Desktop
Wayland available as a Technology Preview
Waylanddisplay server protocol is available in Red Hat Enterprise Linux as a Technology Preview with the dependent packages required to enable
Waylandsupport in GNOME, which supports fractional scaling.
libinputlibrary as its input driver.
- Multiple GPU support is not possible at this time.
NVIDIAbinary driver does not work under
xrandrutility does not work under Wayland due to its different approach to handling, resolutions, rotations, and layout.
- Screen recording, remote desktop, and accessibility do not always work correctly under
- No clipboard manager is available.
- It is currently impossible to restart
Waylandignores keyboard grabs issued by X11 applications, such as virtual machines viewers. (BZ#1481411)
Fractional Scaling available as a Technology Preview
Chapter 39. File Systems
ext4 and XFS file systems now support DAX
daxmount option. Then, an
mmapof a file on the dax-mounted file system results in a direct mapping of storage into the application's address space. (BZ#1274459)
pNFS block layout is now available
- OverlayFS is only supported for use as a Docker graph driver. Its use can only be supported for container COW content, not for persistent storage. Any persistent storage must be placed on non-OverlayFS volumes to be supported. Only default Docker configuration can be used; that is, one level of overlay, one lowerdir, and both lower and upper levels are on the same file system.
- Only XFS is currently supported for use as a lower layer file system.
- On Red Hat Enterprise Linux 7.3 and earlier, SELinux must be enabled and in enforcing mode on the physical machine, but must be disabled in the container when performing container separation, that is the
/etc/sysconfig/dockerfile must not contain
--selinux-enabled. Starting with Red Hat Enterprise Linux 7.4, OverlayFS supports SELinux security labels, and you can enable SELinux support for containers by specifying
- The OverlayFS kernel ABI and userspace behavior are not considered stable, and may see changes in future updates.
- In order to make the yum and rpm utilities work properly inside the container, the user should be using the yum-plugin-ovl packages.
-n ftype=1option enabled for use as an overlay. With the rootfs and any file systems created during system installation, set the
--mkfsoptions=-n ftype=1parameters in the Anaconda kickstart. When creating a new file system after the installation, run the
# mkfs -t xfs -n ftype=1 /PATH/TO/DEVICEcommand. To determine whether an existing file system is eligible for use as an overlay, run the
# xfs_info /PATH/TO/DEVICE | grep ftypecommand to see if the
ftype=1option is enabled.
Non-standard behaviorin the Linux kernel documentation: https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt. (BZ#1206277)
Btrfs file system
Btrfs(B-Tree) file system is available as a Technology Preview in Red Hat Enterprise Linux 7.
Btrfshas been deprecated, which means Red Hat will not be moving
Btrfsto a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux. (BZ#1477977)
ima-evm-utils available as a Technology Preview for certain architectures
Chapter 40. Hardware Enablement
LSI Syncro CS HA-DAS adapters
tss2 enables TPM 2.0 for IBM Power LE
ibmvnic device driver available as a Technology Preview
ibmvnic, has been available as a Technology Preview. vNIC is a PowerVM virtual networking technology that delivers enterprise capabilities and simplifies network management. It is a high-performance, efficient technology that when combined with SR-IOV NIC provides bandwidth control Quality of Service (QoS) capabilities at the virtual NIC level. vNIC significantly reduces virtualization overhead, resulting in lower latencies and fewer server resources, including CPU and memory, required for network virtualization.
ibmvnicdriver has been upgraded to version 1.0, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- The code that previously requested error information has been removed because no error ID is provided by the Virtual Input-Output (VIOS) Server.
- Error reporting has been updated with the cause string. As a result, during a recovery, the driver classifies the string as a warning rather than an error.
- Error recovery on a login failure has been fixed.
- The failed state that occurred after a failover while migrating Logical Partitioning (LPAR) has been fixed.
- The driver can now handle all possible login response return values.
- A driver crash that happened during a failover or Link Power Management (LPM) if the Transmit and Receive (Tx/Rx) queues have changed has been fixed. (BZ#1519746)
Chapter 41. Installation and Booting
Custom system image creation with Composer available as a Technology Preview
composer-clitool. Composer output formats include, among others:
- ISO disk image
- qcow2 file for direct use with a virtual machine
- file system image file
Chapter 42. Kernel
eBPF system call for tracing
Heterogeneous memory management included as a Technology Preview
experimental_hmm=enableto the kernel command line. (BZ#1230959)
criu rebased to version 3.5
criutool as a Technology Preview. This tool implements
Checkpoint/Restore in User-space (CRIU), which can be used to freeze a running application and store it as a collection of files. Later, the application can be restored from its frozen state.
criutool depends on
Protocol Buffers, a language-neutral, platform-neutral extensible mechanism for serializing structured data. The protobuf and protobuf-c packages, which provide this dependency, were also introduced in Red Hat Enterprise Linux 7.2 as a Technology Preview.
kexec as a Technology Preview
kexecsystem call has been provided as a Technology Preview. This system call enables loading and booting into another kernel from the currently running kernel, thus performing the function of the boot loader from within the kernel. Hardware initialization, which is normally done during a standard system boot, is not performed during a
kexecboot, which significantly reduces the time required for a reboot. (BZ#1460849)
kexec fast reboot as a Technology Preview
kexec fast rebootfeature, which was introduced in Red Hat Enterprise Linux 7.5, continues to be available as a Technology Preview.
kexec fast rebootmakes the reboot significantly faster. To use this feature, you must load the kexec kernel manually, and then reboot the operating system. It is not possible to make
kexec fast rebootas the default reboot action. Special case is using
kexec fast rebootfor
Anaconda. It still does not enable to make
kexec fast rebootdefault. However, when used with
Anaconda, the operating system can automatically use
kexec fast rebootafter the installation is complete in case that user boots kernel with the anaconda option. To schedule a kexec reboot, use the
inst.kexeccommand on the kernel command line, or include a
reboot --kexecline in the Kickstart file. (BZ#1464377)
perf cqm has been replaced by
perf cqmtool did not work correctly due to an incompatibility between perf infrastructure and Cache Quality of Service Monitoring (CQM) hardware support. Consequently, multiple problems occurred when using
perf cqmdid not support the group of tasks which is allocated using
perf cqmgave random and inaccurate data due to several problems with recycling
perf cqmdid not provide enough support when running different kinds of events together (the different events are, for example, tasks, system-wide, and cgroup events)
perf cqmprovided only partial support for cgroup events
- The partial support for cgroup events did not work in cases with a hierarchy of cgroup events, or when monitoring a task in a cgroup and the cgroup together
- Monitoring tasks for the lifetime caused
perf cqmreported the aggregate cache occupancy or memory bandwidth over all sockets, while in most cloud and VMM-bases use cases the individual per-socket usage is needed
perf cqmwas replaced by the approach based on the
resctrlfile system, which addressed all of the aforementioned problems. (BZ#1457533, BZ#1288964)
TC HW offloading available as a Technology Preview
xgbe network driver available as a Technology Preview
xgbenetwork driver has been provided as a Technology Preview. (BZ#1589397)
Chapter 43. Networking
Cisco usNIC driver
Cisco VIC kernel driver
Trusted Network Connect
SR-IOV functionality in the qlcnic driver
flower classifier with off-loading support
floweris a Traffic Control (TC) classifier intended to allow users to configure matching on well-known packet fields for various protocols. It is intended to make it easier to configure rules over the
u32classifier for complex filtering and classification tasks.
floweralso supports the ability to off-load classification and action rules to underlying hardware if the hardware supports it. The
flowerTC classifier is now provided as a Technology Preview. (BZ#1393375)
Chapter 44. Red Hat Enterprise Linux System Roles Powered by Ansible
postfix role of Red Hat Enterprise Linux System Roles as a Technology Preview
postfixrole has been available as a Technology Preview since Red Hat Enterprise Linux 7.4.
Chapter 45. Security
USBGuard enables blocking USB devices while the screen is locked as a Technology Preview
USBGuardframework, you can influence how an already running
usbguard-daemoninstance handles newly inserted USB devices by setting the value of the
InsertedDevicePolicyruntime parameter. This functionality is provided as a Technology Preview, and the default choice is to apply the policy rules to figure out whether to authorize the device or not.
Blocking USB devices while the screen is lockedKnowledge Base article: https://access.redhat.com/articles/3230621 (BZ#1480100)
pk12util can now import certificates signed with
pk12utiltool now provides importing a certificate signed with the
RSA-PSSalgorithm as a Technology Preview.
PrivateKeyInfo.privateKeyAlgorithmfield that restricts the signing algorithm to
RSA-PSS, it is ignored when importing the key to a browser. See https://bugzilla.mozilla.org/show_bug.cgi?id=1413596 for more information. (BZ#1431210)
Support for certificates signed with
certutil has been improved
RSA-PSSalgorithm in the
certutiltool has been improved. Notable enhancements and fixes include:
--pssoption is now documented.
PKCS#1 v1.5algorithm is no longer used for self-signed signatures when a certificate is restricted to use
RSA-PSSparameters in the
subjectPublicKeyInfofield are no longer printed as invalid when listing certificates.
--pss-signoption for creating regular RSA certificates signed with the
RSA-PSSalgorithm has been added.
certutilis provided as a Technology Preview. (BZ#1425514)
NSS is now able to verify
RSA-PSS signatures on certificates
Network Security Services(NSS) libraries now provide verifying
RSA-PSSsignatures on certificates as a Technology Preview. Prior to this update, clients using
SSLbackend were not able to establish a
TLSconnection to a server that offered only certificates signed with the
- The algorithm policy settings in the
/etc/pki/nss-legacy/rhel7.configfile do not apply to the hash algorithms used in
RSA-PSSparameters restrictions between certificate chains are ignored and only a single certificate is taken into account. (BZ#1432142)
SECCOMP can be now enabled in libreswan
seccomp=enabled|tolerant|disabledoption has been added to the
ipsec.confconfiguration file, which makes it possible to use the Secure Computing mode (SECCOMP). This improves the syscall security by whitelisting all the system calls that
Libreswanis allowed to execute. For more information, see the
ipsec.conf(5)man page. (BZ#1375750)
Chapter 46. Storage
Multi-queue I/O scheduling for SCSI
scsi_mod.use_blk_mq=Yto the kernel command line.
Targetd plug-in from the libStorageMgmt API
Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)
SCSI-MQ as a Technology Preview in the
qla2xxxdriver updated in Red Hat Enterprise Linux 7.4 can enable the use of SCSI-MQ (multiqueue) with the
ql2xmqsupport=1module parameter. The default value is
NVMe/FC available as a Technology Preview in Qlogic adapters using the
lpfcdriver. See the restrictions listed in the New Features part. (BZ#1387768, BZ#1454386)
Chapter 47. System and Subscription Management
YUM 4 available as Technology Preview
YUMversion 4, a next generation of the YUM package manager, is now available as a Technology Preview in the Red Hat Enterprise Linux 7 Extras channel.
YUM 4is based on the
DNFtechnology and offers the following advantages over the standard
YUM 3used on RHEL 7:
- Increased performance
- Support for modular content
- Well-designed stable API for integration with tooling
YUM 4, run the
yum install nextgen-yum4command.
subscription-managerplug-in. This plug-in is required for accessing protected repositories provided by the Red Hat Customer Portal or Red Hat Satellite 6, and for automatic updates of the
yum4command and its particular options the same way as the
YUM 4tool and
YUM 3, see http://dnf.readthedocs.io/en/latest/cli_vs_yum.html. (BZ#1461652, BZ#1558411)
Chapter 48. Virtualization
USB 3.0 support for KVM guests
Select Intel network adapters now support SR-IOV as a guest on Hyper-V
- SR-IOV support is enabled for the network interface controller (NIC)
- SR-IOV support is enabled for the virtual NIC
- SR-IOV support is enabled for the virtual switch
No-IOMMU mode for VFIO drivers
virt-v2v can now use vmx configuration files to convert VMware guests
virt-v2vutility now includes the
vmxinput mode, which enables the user to convert a guest virtual machine from a VMware vmx configuration file. Note that to do this, you also need access to the corresponding VMware storage, for example by mounting the storage using NFS. It is also possible to access the storage using SSH, by adding the
-it sshparameter. (BZ#1441197, BZ#1523767)
virt-v2v can convert Debian and Ubuntu guests
virt-v2vutility can now convert Debian and Ubuntu guest virtual machines. Note that the following problems currently occur when performing this conversion:
virt-v2vcannot change the default kernel in the GRUB2 configuration, and the kernel configured in the guest is not changed during the conversion, even if a more optimal version of the kernel is available on the guest.
- After converting a Debian or Ubuntu VMware guest to KVM, the name of the guest's network interface may change, and thus requires manual configuration. (BZ#1387213)
Virtio devices can now use vIOMMU
virt-v2v converts VMWare guests faster and more reliably
virt-v2vutility can now use the VMWare Virtual Disk Development Kit (VDDK) to import a VMWare guest virtual machine to a KVM guest. This enables
virt-v2vto connect directly to the VMWare ESXi hypervisor, which improves the speed and reliability of the conversion.
nbdkitutility and its VDDK plug-in. (BZ#1477912)
Open Virtual Machine Firmware
GPU-based mediated devices now support the VNC console
Part IV. Device Drivers
Chapter 49. New Drivers
- Thunderbolt network driver (thunderbolt-net.ko.xz).
- AMD 10 Gigabit Ethernet Driver (amd-xgbe.ko.xz).
- Command Queue Host Controller Interface driver (cqhci.ko.xz).
Graphics Drivers and Miscellaneous Drivers
- DRM GPU scheduler (gpu-sched.ko.xz).
- Closed hash table (chash.ko.xz).
- RMI4 SMBus driver (rmi_smbus.ko.xz).
- RMI bus.
- RMI F03 module (rmi_core.ko.xz).
- Dell WMI descriptor driver (dell-wmi-descriptor.ko.xz).
- Intel® PMC Core Driver (intel_pmc_core.ko.xz).
- Intel® WMI Thunderbolt force power driver (intel-wmi-thunderbolt.ko.xz).
- ACPI Hardware Watchdog (WDAT) driver (wdat_wdt.ko.xz).
- IIO helper functions for setting up triggered buffers (industrialio-triggered-buffer.ko.xz).
- HID Sensor Pressure (hid-sensor-press.ko.xz).
- HID Sensor Device Rotation (hid-sensor-rotation.ko.xz).
- HID Sensor Inclinometer 3D (hid-sensor-incl-3d.ko.xz).
- HID Sensor trigger processing (hid-sensor-trigger.ko.xz).
- HID Sensor common attribute processing (hid-sensor-iio-common.ko.xz).
- HID Sensor Magnetometer 3D (hid-sensor-magn-3d.ko.xz).
- HID Sensor ALS (hid-sensor-als.ko.xz).
- HID Sensor Proximity (hid-sensor-prox.ko.xz).
- HID Sensor Gyroscope 3D (hid-sensor-gyro-3d.ko.xz).
- HID Sensor Accel 3D (hid-sensor-accel-3d.ko.xz).
- HID Sensor Hub driver (hid-sensor-hub.ko.xz).
- HID Sensor Custom and Generic sensor driver (hid-sensor-custom.ko.xz).
Chapter 50. Updated Drivers
Storage Driver Updates
- The Microsemi Smart Family Controller driver (smartpqi.ko.xz) has been updated to version 1.1.4-115.
- The HP Smart Array Controller driver (hpsa.ko.xz) has been updated to version 3.4.20-125-RH1.
- The Emulex LightPulse Fibre Channel SCSI driver (lpfc.ko.xz) has been updated to version 0:126.96.36.199.
- The Avago MegaRAID SAS driver (megaraid_sas.ko.xz) has been updated to version 07.705.02.00-rh1.
- The Dell PERC2, 2/Si, 3/Si, 3/Di, Adaptec Advanced Raid Products, HP NetRAID-4M, IBM ServeRAID & ICP SCS driver (aacraid.ko.xz) has been updated to version 1.2.1-custom.
- The QLogic FastLinQ 4xxxx iSCSI Module driver (qedi.ko.xz) has been updated to version 188.8.131.52.
- The QLogic Fibre Channel HBA driver (qla2xxx.ko.xz) has been updated to version 10.00.00.06.07.6-k.
- The QLogic QEDF 25/40/50/100Gb FCoE driver (qedf.ko.x) has been updated to version 184.108.40.206.
- The LSI MPT Fusion SAS 3.0 Device driver (mpt3sas.ko.xz) has been updated to version 16.100.01.00.
- The LSI MPT Fusion SAS 2.0 Device driver (mpt2sas.ko.xz) has been updated to version 20.103.01.00.
Network Driver Updates
- The Realtek RTL8152/RTL8153 Based USB Ethernet Adapters driver (r8152.ko.xz) has been updated to version v1.09.9.
- The VMware vmxnet3 virtual NIC driver (vmxnet3.ko.xz) has been updated to version 220.127.116.11-k.
- The Intel® Ethernet Connection XL710 Network driver (i40e.ko.xz) has been updated to version 2.3.2-k.
- The Intel® 10 Gigabit Virtual Function Network driver (ixgbevf.ko.xz) has been updated to version 4.1.0-k-rh7.6.
- The Intel® 10 Gigabit PCI Express Network driver (ixgbe.ko.xz) has been updated to version 5.1.0-k-rh7.6.
- The Intel® XL710 X710 Virtual Function Network driver (i40evf.ko.xz) has been updated to version 3.2.2-k.
- The Intel® Ethernet Switch Host Interface driver (fm10k.ko.xz) has been updated to version 0.22.1-k.
- The Broadcom BCM573xx network driver (bnxt_en.ko.xz) has been updated to version 1.9.1.
- The Cavium LiquidIO Intelligent Server Adapter driver (liquidio.ko.xz) has been updated to version 1.7.2.
- The Cavium LiquidIO Intelligent Server Adapter Virtual Function driver (liquidio_vf.ko.xz) has been updated to version 1.7.2.
- The Elastic Network Adapter (ENA) driver (ena.ko.xz) has been updated to version 1.5.0K.
- The aQuantia Corporation Network driver (atlantic.ko.xz) has been updated to version 18.104.22.168-kern.
- The QLogic FastLinQ 4xxxx Ethernet driver (qede.ko.xz) has been updated to version 22.214.171.124.
- The QLogic FastLinQ 4xxxx Core Module driver (qed.ko.xz) has been updated to version 126.96.36.199.
- The Cisco VIC Ethernet NIC driver (enic.ko.xz) has been updated to version 188.8.131.52.
Graphics Driver and Miscellaneous Driver Updates
- The VMware Memory Control (Balloon) driver (vmw_balloon.ko.xz) has been updated to version 184.108.40.206-k.
- The HP watchdog driver (hpwdt.ko.xz) has been updated to version 1.4.0-RH1k.
- The standalone drm driver for the VMware SVGA device (vmwgfx.ko.xz) has been updated to version 220.127.116.11.
Chapter 51. Deprecated Functionality
Python 2 has been deprecated
Python 3is available to RHEL customers, and supported on RHEL, as a part of Red Hat Software Collections.
LVM libraries and LVM Python bindings have been deprecated
lvm2applibrary and LVM Python bindings, which are provided by the lvm2-python-libs package, have been deprecated.
- The LVM D-Bus API in combination with the
lvm2-dbusdservice. This requires using Python version 3.
- The LVM command-line utilities with JSON formatting; this formatting has been available since the lvm2 package version 2.02.158.
Mirrored mirror log has been deprecated in LVM
- RAID1 LVM volumes. The main advantage of RAID1 volumes is their ability to work even in degraded mode and to recover after a transient failure. For information on converting mirrored volumes to RAID1, see the Converting a Mirrored LVM Device to a RAID1 Device section in the LVM Administration guide.
- Disk mirror log. To convert a mirrored mirror log to disk mirror log, use the following command:
lvconvert --mirrorlog disk my_vg/my_lv.
clvmd daemon has been deprecated
clvmddaemon for managing shared storage devices has been deprecated. A future major release of Red Hat Enterprise linux will instead use the
lvmetad daemon has been deprecated
lvmetaddaemon for caching metadata has been deprecated. In a future major release of Red Hat Enterprise Linux, LVM will always read metadata from disk.
use_lvmetadsetting in the
lvm.confconfiguration file. The correct way to disable autoactivation continues to be setting
auto_activation_volume_list=(an empty list) in the
Deprecated packages related to Identity Management and security
|Deprecated packages||Proposed replacement package or product|
|openldap-servers||Depending on the use case, migrate to Identity Management included in Red Hat Enterprise Linux or to Red Hat Directory Server. [c]|
|hesiod||No replacement available.|
|mod_revocator||No replacement available.|
[a] System Security Services Daemon (SSSD) contains enhanced smart card functionality.
[c] Red Hat Directory Server requires a valid Directory Server subscription. For details, see also What is the support status of the LDAP-server shipped with Red Hat Enterprise Linux? in Red Hat Knowledgebase.
- python-kerberos, python-krbV
The Clevis HTTP pin has been deprecated
3DES is removed from the Python SSL default cipher list
3DES) algorithm has been removed from the Python SSL default cipher list. This enables Python applications using SSL to be PCI DSS-compliant.
sssd-secrets has been deprecated
sssd-secretscomponent of the
System Security Services Daemon(SSSD) has been deprecated in Red Hat Enterprise Linux 7.6. This is because Custodia, a secrets service provider, available as a Technology Preview, is no longer actively developed. Use other Identity Management tools to store secrets, for example the Vaults.
Support for earlier IdM servers and for IdM replicas at domain level 0 will be limited
Bug-fix only support for the nss-pam-ldapd and NIS packages in the next major release of Red Hat Enterprise Linux
|Affected packages||Proposed replacement package or product|
|Identity Management in Red Hat Enterprise Linux|
Use the Go Toolset instead of golang
mesa-private-llvm will be replaced with llvm-private
libdbi and libdbi-drivers have been deprecated
Ansible deprecated in the Extras channel
Ansibleand its dependencies will no longer be updated through the Extras channel. Instead, the Red Hat Ansible Engine product has been made available to Red Hat Enterprise Linux subscriptions and will provide access to the official Ansible Engine channel. Customers who have previously installed
Ansibleand its dependencies from the Extras channel are advised to enable and update from the Ansible Engine channel, or uninstall the packages as future errata will not be provided from the Extras channel.
Ansiblewas previously provided in Extras (for AMD64 and Intel 64 architectures, and IBM POWER, little endian) as a runtime dependency of, and limited in support to, the Red Hat Enterprise Linux (RHEL) System Roles. Ansible Engine is available today for AMD64 and Intel 64 architectures, with IBM POWER, little endian availability coming soon.
Ansiblein the Extras channel was not a part of the Red Hat Enterprise Linux FIPS validation process.
signtool has been deprecated
signtooltool from the nss packages, which uses insecure signature algorithms, has been deprecated and will not be included in a future minor release of Red Hat Enterprise Linux.
TLS compression support has been removed from nss
NSSlibrary has been removed for all TLS versions. This change preserves the API compatibility.
Public web CAs are no longer trusted for code signing by default
OpenSSL, no longer trusts these CAs for code signing by default. The software continues to fully support code signing trust. Additionally, it is still possible to configure CA certificates as trusted for code signing using system configuration.
Sendmail has been deprecated
Sendmailhas been deprecated in Red Hat Enterprise Linux 7. Customers are advised to use
Postfix, which is configured as the default Mail Transfer Agent (MTA).
dmraid has been deprecated
Automatic loading of
DCCP modules through socket layer is now disabled by default
Datagram Congestion Control Protocol (DCCP)kernel modules through socket layer is now disabled by default. This ensures that userspace applications can not maliciously load any modules. All
DCCPrelated modules can still be loaded manually through the
/etc/modprobe.d/dccp-blacklist.confconfiguration file for blacklisting the
DCCPmodules is included in the kernel package. Entries included there can be cleared by editing or removing this file to restore the previous behavior.
rsyslog-libdbi has been deprecated
rsyslogmodule, has been deprecated and will not be included in a future major release of Red Hat Enterprise Linux. Removing unused or rarely used modules helps users to conveniently find a database output to use.
inputname option of the rsyslog
imudp module has been deprecated
inputnameoption of the
imudpmodule for the
rsyslogservice has been deprecated. Use the
SMBv1 is no longer installed with Microsoft Windows 10 and 2016 (updates 1709 and later)
-ok option of the
tc command has been deprecated
-okoption of the
tccommand has been deprecated and this feature will not be included in the next major version of Red Hat Enterprise Linux.
FedFS has been deprecated
autofs, which provides more flexible functionality.
Btrfs has been deprecated
Btrfsfile system has been in Technology Preview state since the initial release of Red Hat Enterprise Linux 6. Red Hat will not be moving
Btrfsto a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux.
Btrfsfile system did receive numerous updates from the upstream in Red Hat Enterprise Linux 7.4 and will remain available in the Red Hat Enterprise Linux 7 series. However, this is the last planned update to this feature.
nautilus-open-terminal replaced with gnome-terminal-nautilus
sslwrap() removed from Python
sslwrap()function has been removed from Python 2.7. After the 466 Python Enhancement Proposal was implemented, using this function resulted in a segmentation fault. The removal is consistent with upstream.
ssl.SSLContextclass and the
ssl.SSLContext.wrap_socket()function instead. Most applications can simply use the
ssl.create_default_context()function, which creates a context with secure default settings. The default context uses the system's default trust store, too.
Symbols from libraries linked as dependencies no longer resolved by
ldlinker resolved any symbols present in any linked library, even if some libraries were linked only implicitly as dependencies of other libraries. This allowed developers to use symbols from the implicitly linked libraries in application code and omit explicitly specifying these libraries for linking.
ldhas been changed to not resolve references to symbols in libraries linked implicitly as dependencies.
ldfails when application code attempts to use symbols from libraries not declared for linking and linked only implicitly as dependencies. To use symbols from libraries linked as dependencies, developers must explicitly link against these libraries as well.
ld, use the
-copy-dt-needed-entriescommand-line option. (BZ#1292230)
Windows guest virtual machine support limited
libnetlink is deprecated
libnetlinklibrary contained in the iproute-devel package has been deprecated. The user should use the
S3 and S4 power management states for KVM have been deprecated
The Certificate Server plug-in udnPwdDirAuth is discontinued
udnPwdDirAuthauthentication plug-in for the Red Hat Certificate Server was removed in Red Hat Enterprise Linux 7.3. Profiles using the plug-in are no longer supported. Certificates created with a profile using the
udnPwdDirAuthplug-in are still valid if they have been approved.
Red Hat Access plug-in for IdM is discontinued
The Ipsilon identity provider service for federated single sign-on
rsyslog options deprecated
rsyslogutility version in Red Hat Enterprise Linux 7.4 has deprecated a large number of options. These options no longer have any effect and cause a warning to be displayed.
- The functionality previously provided by the options
-6can be achieved using the
- There is no replacement for the functionality previously provided by the options
Deprecated symbols from the
memkindlibrary have been deprecated:
Options of Sockets API Extensions for SCTP (RFC 6458) deprecated
SCTP_DEFAULT_SEND_PARAMof Sockets API Extensions for the Stream Control Transmission Protocol have been deprecated per the RFC 6458 specification.
SCTP_DEFAULT_SNDINFOhave been implemented as a replacement for the deprecated options.
Managing NetApp ONTAP using SSLv2 and SSLv3 is no longer supported by
libstorageMgmtlibrary. Users can contact NetApp support to enable the Transport Layer Security (TLS) protocol.
dconf-dbus-1 has been deprecated and
dconf-editor is now delivered separately
dconf-dbus-1API has been removed. However, the
dconf-dbus-1library has been backported to preserve binary compatibility. Red Hat recommends using the
GDBuslibrary instead of
dconf-error.hfile has been renamed to
dconf-enums.h. In addition, the dconf Editor is now delivered in the separate dconf-editor package.
FreeRADIUS no longer accepts
Auth-Type := System
FreeRADIUSserver no longer accepts the
Auth-Type := Systemoption for the
rlm_unixauthentication module. This option has been replaced by the use of the
unixmodule in the
authorizesection of the configuration file.
Deprecated Device Drivers
- ata drivers:
- OSD drivers:
- pata drivers:
- wireless drivers:
- The following adapters from the
aacraiddriver have been deprecated:
- PERC 2/Si (Iguana/PERC2Si), PCI ID 0x1028:0x0001
- PERC 3/Di (Opal/PERC3Di), PCI ID 0x1028:0x0002
- PERC 3/Si (SlimFast/PERC3Si), PCI ID 0x1028:0x0003
- PERC 3/Di (Iguana FlipChip/PERC3DiF), PCI ID 0x1028:0x0004
- PERC 3/Di (Viper/PERC3DiV), PCI ID 0x1028:0x0002
- PERC 3/Di (Lexus/PERC3DiL), PCI ID 0x1028:0x0002
- PERC 3/Di (Jaguar/PERC3DiJ), PCI ID 0x1028:0x000a
- PERC 3/Di (Dagger/PERC3DiD), PCI ID 0x1028:0x000a
- PERC 3/Di (Boxster/PERC3DiB), PCI ID 0x1028:0x000a
- catapult, PCI ID 0x9005:0x0283
- tomcat, PCI ID 0x9005:0x0284
- Adaptec 2120S (Crusader), PCI ID 0x9005:0x0285
- Adaptec 2200S (Vulcan), PCI ID 0x9005:0x0285
- Adaptec 2200S (Vulcan-2m), PCI ID 0x9005:0x0285
- Legend S220 (Legend Crusader), PCI ID 0x9005:0x0285
- Legend S230 (Legend Vulcan), PCI ID 0x9005:0x0285
- Adaptec 3230S (Harrier), PCI ID 0x9005:0x0285
- Adaptec 3240S (Tornado), PCI ID 0x9005:0x0285
- ASR-2020ZCR SCSI PCI-X ZCR (Skyhawk), PCI ID 0x9005:0x0285
- ASR-2025ZCR SCSI SO-DIMM PCI-X ZCR (Terminator), PCI ID 0x9005:0x0285
- ASR-2230S + ASR-2230SLP PCI-X (Lancer), PCI ID 0x9005:0x0286
- ASR-2130S (Lancer), PCI ID 0x9005:0x0286
- AAR-2820SA (Intruder), PCI ID 0x9005:0x0286
- AAR-2620SA (Intruder), PCI ID 0x9005:0x0286
- AAR-2420SA (Intruder), PCI ID 0x9005:0x0286
- ICP9024RO (Lancer), PCI ID 0x9005:0x0286
- ICP9014RO (Lancer), PCI ID 0x9005:0x0286
- ICP9047MA (Lancer), PCI ID 0x9005:0x0286
- ICP9087MA (Lancer), PCI ID 0x9005:0x0286
- ICP5445AU (Hurricane44), PCI ID 0x9005:0x0286
- ICP9085LI (Marauder-X), PCI ID 0x9005:0x0285
- ICP5085BR (Marauder-E), PCI ID 0x9005:0x0285
- ICP9067MA (Intruder-6), PCI ID 0x9005:0x0286
- Themisto Jupiter Platform, PCI ID 0x9005:0x0287
- Themisto Jupiter Platform, PCI ID 0x9005:0x0200
- Callisto Jupiter Platform, PCI ID 0x9005:0x0286
- ASR-2020SA SATA PCI-X ZCR (Skyhawk), PCI ID 0x9005:0x0285
- ASR-2025SA SATA SO-DIMM PCI-X ZCR (Terminator), PCI ID 0x9005:0x0285
- AAR-2410SA PCI SATA 4ch (Jaguar II), PCI ID 0x9005:0x0285
- CERC SATA RAID 2 PCI SATA 6ch (DellCorsair), PCI ID 0x9005:0x0285
- AAR-2810SA PCI SATA 8ch (Corsair-8), PCI ID 0x9005:0x0285
- AAR-21610SA PCI SATA 16ch (Corsair-16), PCI ID 0x9005:0x0285
- ESD SO-DIMM PCI-X SATA ZCR (Prowler), PCI ID 0x9005:0x0285
- AAR-2610SA PCI SATA 6ch, PCI ID 0x9005:0x0285
- ASR-2240S (SabreExpress), PCI ID 0x9005:0x0285
- ASR-4005, PCI ID 0x9005:0x0285
- IBM 8i (AvonPark), PCI ID 0x9005:0x0285
- IBM 8i (AvonPark Lite), PCI ID 0x9005:0x0285
- IBM 8k/8k-l8 (Aurora), PCI ID 0x9005:0x0286
- IBM 8k/8k-l4 (Aurora Lite), PCI ID 0x9005:0x0286
- ASR-4000 (BlackBird), PCI ID 0x9005:0x0285
- ASR-4800SAS (Marauder-X), PCI ID 0x9005:0x0285
- ASR-4805SAS (Marauder-E), PCI ID 0x9005:0x0285
- ASR-3800 (Hurricane44), PCI ID 0x9005:0x0286
- Perc 320/DC, PCI ID 0x9005:0x0285
- Adaptec 5400S (Mustang), PCI ID 0x1011:0x0046
- Adaptec 5400S (Mustang), PCI ID 0x1011:0x0046
- Dell PERC2/QC, PCI ID 0x1011:0x0046
- HP NetRAID-4M, PCI ID 0x1011:0x0046
- Dell Catchall, PCI ID 0x9005:0x0285
- Legend Catchall, PCI ID 0x9005:0x0285
- Adaptec Catch All, PCI ID 0x9005:0x0285
- Adaptec Rocket Catch All, PCI ID 0x9005:0x0286
- Adaptec NEMER/ARK Catch All, PCI ID 0x9005:0x0288
- The following adapters from the
mpt2sasdriver have been deprecated:
- SAS2004, PCI ID 0x1000:0x0070
- SAS2008, PCI ID 0x1000:0x0072
- SAS2108_1, PCI ID 0x1000:0x0074
- SAS2108_2, PCI ID 0x1000:0x0076
- SAS2108_3, PCI ID 0x1000:0x0077
- SAS2116_1, PCI ID 0x1000:0x0064
- SAS2116_2, PCI ID 0x1000:0x0065
- SSS6200, PCI ID 0x1000:0x007E
- The following adapters from the
megaraid_sasdriver have been deprecated:
- Dell PERC5, PCI ID 0x1028:0x15
- SAS1078R, PCI ID 0x1000:0x60
- SAS1078DE, PCI ID 0x1000:0x7C
- SAS1064R, PCI ID 0x1000:0x411
- VERDE_ZCR, PCI ID 0x1000:0x413
- SAS1078GEN2, PCI ID 0x1000:0x78
- SAS0079GEN2, PCI ID 0x1000:0x79
- SAS0073SKINNY, PCI ID 0x1000:0x73
- SAS0071SKINNY, PCI ID 0x1000:0x71
- The following adapters from the
qla2xxxdriver have been deprecated:
- ISP24xx, PCI ID 0x1077:0x2422
- ISP24xx, PCI ID 0x1077:0x2432
- ISP2422, PCI ID 0x1077:0x5422
- QLE220, PCI ID 0x1077:0x5432
- QLE81xx, PCI ID 0x1077:0x8001
- QLE10000, PCI ID 0x1077:0xF000
- QLE84xx, PCI ID 0x1077:0x8044
- QLE8000, PCI ID 0x1077:0x8432
- QLE82xx, PCI ID 0x1077:0x8021
- The following adapters from the
qla4xxxdriver have been deprecated:
- QLOGIC_ISP8022, PCI ID 0x1077:0x8022
- QLOGIC_ISP8324, PCI ID 0x1077:0x8032
- QLOGIC_ISP8042, PCI ID 0x1077:0x8042
- The following adapters from the
be2iscsidriver have been deprecated:
- BladeEngine 2 (BE2) Devices
- BladeEngine2 10Gb iSCSI Initiator (generic), PCI ID 0x19a2:0x212
- OneConnect OCe10101, OCm10101, OCe10102, OCm10102 BE2 adapter family, PCI ID 0x19a2:0x702
- OCe10100 BE2 adapter family, PCI ID 0x19a2:0x703
- BladeEngine 3 (BE3) Devices
- OneConnect TOMCAT iSCSI, PCI ID 0x19a2:0x0712
- BladeEngine3 iSCSI, PCI ID 0x19a2:0x0222
- The following Ethernet adapters controlled by the
be2netdriver have been deprecated:
- BladeEngine 2 (BE2) Devices
- OneConnect TIGERSHARK NIC, PCI ID 0x19a2:0700
- BladeEngine2 Network Adapter, PCI ID 0x19a2:0211
- BladeEngine 3 (BE3) Devices
- OneConnect TOMCAT NIC, PCI ID 0x19a2:0x0710
- BladeEngine3 Network Adapter, PCI ID 0x19a2:0221
- The following adapters from the
lpfcdriver have been deprecated:
- BladeEngine 2 (BE2) Devices
- OneConnect TIGERSHARK FCoE, PCI ID 0x19a2:0x0704
- BladeEngine 3 (BE3) Devices
- OneConnect TOMCAT FCoE, PCI ID 0x19a2:0x0714
- Fibre Channel (FC) Devices
- FIREFLY, PCI ID 0x10df:0x1ae5
- PROTEUS_VF, PCI ID 0x10df:0xe100
- BALIUS, PCI ID 0x10df:0xe131
- PROTEUS_PF, PCI ID 0x10df:0xe180
- RFLY, PCI ID 0x10df:0xf095
- PFLY, PCI ID 0x10df:0xf098
- LP101, PCI ID 0x10df:0xf0a1
- TFLY, PCI ID 0x10df:0xf0a5
- BSMB, PCI ID 0x10df:0xf0d1
- BMID, PCI ID 0x10df:0xf0d5
- ZSMB, PCI ID 0x10df:0xf0e1
- ZMID, PCI ID 0x10df:0xf0e5
- NEPTUNE, PCI ID 0x10df:0xf0f5
- NEPTUNE_SCSP, PCI ID 0x10df:0xf0f6
- NEPTUNE_DCSP, PCI ID 0x10df:0xf0f7
- FALCON, PCI ID 0x10df:0xf180
- SUPERFLY, PCI ID 0x10df:0xf700
- DRAGONFLY, PCI ID 0x10df:0xf800
- CENTAUR, PCI ID 0x10df:0xf900
- PEGASUS, PCI ID 0x10df:0xf980
- THOR, PCI ID 0x10df:0xfa00
- VIPER, PCI ID 0x10df:0xfb00
- LP10000S, PCI ID 0x10df:0xfc00
- LP11000S, PCI ID 0x10df:0xfc10
- LPE11000S, PCI ID 0x10df:0xfc20
- PROTEUS_S, PCI ID 0x10df:0xfc50
- HELIOS, PCI ID 0x10df:0xfd00
- HELIOS_SCSP, PCI ID 0x10df:0xfd11
- HELIOS_DCSP, PCI ID 0x10df:0xfd12
- ZEPHYR, PCI ID 0x10df:0xfe00
- HORNET, PCI ID 0x10df:0xfe05
- ZEPHYR_SCSP, PCI ID 0x10df:0xfe11
- ZEPHYR_DCSP, PCI ID 0x10df:0xfe12
- Lancer FCoE CNA Devices
- OCe15104-FM, PCI ID 0x10df:0xe260
- OCe15102-FM, PCI ID 0x10df:0xe260
- OCm15108-F-P, PCI ID 0x10df:0xe260
libcxgb3 library and the cxgb3 firmware package have been deprecated
libcxgb3library provided by the libibverbs package and the cxgb3 firmware package have been deprecated. They continue to be supported in Red Hat Enterprise Linux 7 but will likely not be supported in the next major releases of this product. This change corresponds with the deprecation of the
iw_cxgb3drivers listed above.
SFN4XXX adapters have been deprecated
sfcfor all adapters. Recently, support of SFN4XXX was split from
sfcand moved into a new SFN4XXX-only driver, called
sfc-falcon. Both drivers continue to be supported at this time, but
sfc-falconand SFN4XXX support is scheduled for removal in a future major release.
Software-initiated-only FCoE storage technologies have been deprecated
libfcoe) are unaffected by this deprecation notice.
Containers using the
libvirt-lxc tooling have been deprecated
The Perl and shell scripts for Directory Server have been deprecated
libguestfs can no longer inspect ISO installer files
libguestfslibrary does no longer support inspecting ISO installer files, for example using the
virt-inspectorutilities. Use the
osinfo-detectcommand for inspecting ISO files instead. This command can be obtained from the libosinfo package.
Creating internal snapshots of virtual machines has been deprecated
IVSHMEM has been deprecated
The gnome-shell-browser-plugin subpackage has been deprecated
The VDO read cache has been deprecated
--readCacheoption of the
cpuid has been deprecated
cpuidcommand has been deprecated. A future major release of Red Hat Enterprise Linux will no longer support using
cpuidto dump the information about CPUID instruction for each CPU. To obtain similar information, use the
KDE has been deprecated
virt-install with NFS locations is deprecated
virt-installutility will not be able to mount NFS locations. As a consequence, attempting to install a virtual machine using
virt-installwith a NFS address as a value of the
--locationoption will fail. To work around this change, mount your NFS share prior to using
virt-install, or use a HTTP location.
lwresd daemon has been deprecated
lwresddaemon, which is a part of the bind package, has been deprecated. A future major release of Red Hat Enterprise Linux will no longer support providing name lookup services to clients that use the BIND 9 lightweight resolver library with
nss-resolveAPI, provided by the systemd package
unboundlibrary API and daemon, provided by the unbound and unbound-libs packages
/etc/sysconfig/nfs file and legacy NFS service names have been deprecated
/etc/nfs.conffile to make NFS configuration in all versions of Red Hat Enterprise Linux compatible with automated configuration systems.
nfs.service, replaced by
nfs-secure.service, replaced by
rpcgssd.service, replaced by
nfs-idmap.service, replaced by
rpcidmapd.service, replaced by
nfs-lock.service, replaced by
nfslock.service, replaced by
Part V. Known Issues
Chapter 52. Authentication and Interoperability
RADIUS proxy functionality is now also available in IdM running in FIPS mode
# /etc/systemd/system/radiusd.service.d/ipa-otp.conf [Service] Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1
# systemctl daemon-reload
# systemctl start radiusd
# ipa radiusproxy-add name_of_your_proxy_server --secret your_secret
Chapter 53. Compiler and Tools
GCC thread sanitizer included in RHEL no longer works
Chapter 54. Desktop
Firefox 60.1 ESR fails to start on IBM Z and POWER
Firefox60.1 Extended Support Release (ESR) browser was changed. As a consequence,
Firefox60.1 ESR on IBM Z and POWER architectures fails to start with a segmentation fault error message. (BZ#1576289, BZ#1579705)
GV100GL graphics cannot use correctly more than one monitor
NVIDIAbinary driver. As a result, the second monitor output works as expected under the described circumstances. (BZ#1624337)
Files application can not burn disks in default installation
Filesapplication does not include the brasero-nautilus package necessary for burning CDs or DVDs. As a consequence, the
Filesapplication allows files to be dragged and dropped into CD or DVD devices but no content is burned to the CD or DVD. As a workaround, install brasero-nautilus package by:
# yum install brasero-nautilus
on screen keyboard feature not visible in GTK applications
on screen keyboardfeature by using the
Settings - Universal Access - Typing - Screen keyboardmenu,
on screen keyboardis not visible to access with GIMP Toolkit (GTK) applications, such as
/etc/environmentconfiguration file, and restart GNOME:
32- and 64-bit fwupd packages cannot be used together when installing or upgrading the system
/usr/lib/systemd/system/fwupd.servicefile in the fwupd packages is different for 32- and 64-bit architectures. Consequently, it is impossible to install both 32- and 64-bit fwupd packages or to upgrade a Red Hat Enterprise Linux 7.5 system with both 32- and 64-bit fwupd packages to Red Hat Enterprise Linux 7.6.
- Either do not install multilibrary fwupd packages.
- Or remove the 32-bit or the 64-bit fwupd package before upgrading from Red Hat Enterprise Linux 7.5 to Red Hat Enterprise Linux 7.6. (BZ#1623466)
Installation in and booting into graphical mode are not possible on Huawei servers
inst.xdriver=fbdevwhen installing the system, and install the system as
server with GUI. 2. After the installation completes, reboot and add kernel command line
singleto make the system boot into maintenance mode. 3. Run the following commands:
rpm -e xorg-x11-drivers rpm -e xorg-x11-drv-vesa init 5
X.org server crashes during fast user switching
qxlvideo driver does not emulate the leaving virtual terminal event on shutdown. Consequently, the X.Org display server terminates unexpectedly during fast user switching, and the current user session is terminated when switching a user. (BZ#1640918)
X.org X11 crashes on Lenovo T580
libpciaccesslibrary, the X.org X11 server terminates unexpectedly on Lenovo T580 laptops. (BZ#1641044)
Soft lock-ups might occur during boot in the kernel with
DisplayPorthot-plug signal can cause the
i915driver to be overloaded on boot. Consequently, certain GM45 systems might experience very slow boot times while the video driver attempts to work around the problem. In some cases, the kernel might report soft lock-ups occurring. Customers are advised to contact their hardware vendors and request a firmware update to address this problem. (BZ#1608704)
System boots to a blank screen when Xinerama is enabled
/etc/X11/xorg.confon a system using the nvidia/nouveau driver, the RANDR X extension gets disabled. Consequently, login screen fails to start upon boot due to the RANDR X extension being disabled. To work around this problem, do not enable Xinerama in
Chapter 55. File Systems
Mounting a non-existent NFS export outputs a different error than in RHEL 6
mountutility prints the
operation not permittederror message when an NFS client is trying to mount a server export that does not exist. In Red Hat Enterprise Linux 6, the
access deniedmessage was printed in the same situation. (BZ#1428549)
XFS disables per-inode DAX functionality
# mount -o dax device mount-point
Chapter 56. Installation and Booting
Certain RPM packages are not available on binary DVDs
The content location detection code is not working on Red Hat Virtualization Hosts
ssg-rhel7-ds.xmldatastream file from the Red Hat Enterprise Linux 7 scap-security-guide package to your network so it can be discovered by Anaconda.
ssg-rhel7-ds.xmldatastream file and listens on port 8000. Example: python2 -m SimpleHTTPServer, or python3 -m http.server.
ssg-rhel7-ds.xmldatastream file to a HTTPS or FTP Server.
Security Policywindow of Anaconda’s Graphical User Interface, click
Change Contentand enter the URL that points to the
ssg-rhel7-ds.xmldatastream file, for example: http://gateway:8000/ssg-rhel7-ds.xml or ftp://my-ftp-server/ssg-rhel7-ds.xml.
ssg-rhel7-ds.xmldatastream file is now available and Red Hat Virtualization Hosts can select the hardening profile. (BZ#1636847)
Composer can not create live ISO system images
Chapter 57. Kernel
Cache information is missing in
sysfs if firmware does not support ACPI PPTT
/sys/devices/system/cpu/cpu0/cachefile does not contain the cache information. To work around this problem, check for updated firmware that includes ACPI PPTT support with your hardware vendor. (BZ#1615370)
PCI-passthrough of devices connected to PCIe slots is not possible with default settings of HPE ProLiant Gen8 and Gen9
Device is ineligible for IOMMU domain attach due to platform RMRR requirement. Contact your platform vendor.
- In case of HPE ProLiant Gen8, reconfigure mentioned system settings with the
conreptool provided by HPE.
- In case of HPE ProLiant Gen9, update system firmware or NICs firmware depending on type of used NICs.
Attaching a non-RoCE device to RXE driver no longer causes a kernel to panic
BCC packages for the 64-bit AMD and Intel architectures only
pcp-pmda-bccplugins use the
bpf()system call, which is enabled only on the 64-bit AMD and Intel CPU architectures. As a result, Red Hat Enterprise Linux 7 only supports
pcp-pmda-bccfor the 64-bit AMD and Intel CPU architectures. (BZ#1633185)
Kernel panics can occur on virtual machines that use SEV
DMA: Out of SW-IOMMU spaceerror message.
swiotlb=262144parameter to the guest kernel command line. (BZ#1637992)
Branch prediction of ternary operators no longer causes a system panic
blk_queue_nonrot()function before checking the
mddev->queuestructure. As a consequence, the system panicked. With this update, checking
mddev->queueand then calling
blk_queue_nonrot()prevents the bug from appearing. As a result, the system no longer panics in the described scenario. (BZ#1627563)
write-behind causes a kernel panic
write-behindfunction cannot be used. (BZ#1632575)
i40iw module does not load automatically on boot
i40iwmodule does not fully support suspend and resume operations. Consequently, the
i40iwmodule is not automatically loaded by default to ensure suspend and resume operations work properly. To work around this problem, edit the
/lib/udev/rules.d/90-rdma-hw-modules.rulesfile to enable automated load of
rdmaservice, which loads all enabled RDMA stack modules, including the
Chapter 58. Networking
Verification of signatures using the MD5 hash algorithm is disabled in Red Hat Enterprise Linux 7
systemctl daemon-reloadcommand as root to reload the service file.
Mellanox PMD in DPDK causes a performance drop when IOMMU is enabled inside the guest
iommu=ptoption is not set.
intel_iommu=onoption (for Intel systems) to the kernel command line. In addition, use
iommu=ptto have a proper I/O performance. (BZ#1578688)
Chapter 59. Security
rpmverifypackage does not work correctly
chrootsystem calls are called twice by the
rpmverifypackageprobe. Consequently, an error occurs when the probe is utilized during an
OpenSCAPscan with custom Open Vulnerability and Assessment Language (OVAL) content.
rpmverifypackage_testOVAL test in your content or use only the content from the scap-security-guide package where
rpmverifypackage_testis not used. (BZ#1603347)
dconf databases are not checked by OVAL
SCAP Security Guideproject are not able to read a
dconfbinary database, only files used to generate the database. The database is not regenerated automatically, the administrator needs to enter the
dconf updatecommand. As a consequence, changes to the database that are not made using files in the
/etc/dconf/db/directory cannot be detected by scanning. This may cause false negatives results.
dconf updateperiodically, for example, using the
/etc/crontabconfiguration file. (BZ#1631378)
SCAP Workbench fails to generate results-based remediations from tailored profiles
Error generating remediation role '.../remediation.sh': Exit code of 'oscap' was 1: [output truncated]
oscapcommand with the
OpenSCAP scanner results contain a lot of SELinux context error messages
OpenSCAPscanner logs inability to get SELinux context on the
ERRORlevel even in situations where it is not a true error. As a result,
OpenSCAPscanner results contain a lot of SELinux context error messages. Both the
oscapcommand-line utility and the
SCAP Workbenchgraphical utility outputs can be hard to read for that reason. (BZ#1640522)
oscap scans use an excessive amount of memory
oscapprocess can take all available memory and be killed by the operating system.
--oval-resultsoption. As a result, if you lower the amount of processed data, scanning of the system should no longer crash because of the excessive use of memory. (BZ#1548949)
Chapter 60. Servers and Services
Rsyslog cannot proceed if the default maximum of open files is exceeded
Rsyslogsometimes runs over the default limits for maximum number of open files. Consequently,
rsyslogcannot open new files.
/etc/systemd/system/rsyslog.service.d/increase_nofile_limit.confwith the following content:
Upgrading a RHEL 7.5 node to RHEL 7.6 in RHOSP 10 breaks virtual machines on the node
/etc/modprobe.d/kvm.rt.tuned.conffile on the compute node, remove the following line, and reboot the node:
options kvm_intel ple_gap=0
FTP-based logins are unavailable for a common
/usr/sbin/nologinlogin shells from the
/etc/shellsfile due to security reasons. Consequently, when the configuration of the Very Secure File Transfer Protocol Daemon,
vsftpd, is modified to enable the
chroot_local_user, FTP logins are impossible.
/usr/sbin/nologin, respectively, to the
/etc/shellsfile. As a result, a login shell for users that are allowed to use FTP, but not SSH, is available again. However, note that this workaround exposes
vsftpdto the security risk described at https://access.redhat.com/security/cve/cve-2018-1113. (BZ#1647485, BZ#1571104)
Chapter 61. Storage
LVM does not support event-based autoactivation of incomplete volume groups
--activationmode completewhenever autoactivation takes place. For information on the
--activationmode completeoption and automatic activation, see the
lvmetadis enabled with the
global/use_lvmetad=1setting in the
/etc/lvm/lvm.confconfiguration file. Also note that without autoactivation, there is a direct activation hook at the exact time during boot at which the volume groups are activated with only the physical volumes that are available at that time. Any physical volumes that appear later are not taken into account.
dracut) nor does this affect direct activation from the command line using
lvchangecalls, which default to
degradedactivation mode. (BZ#1337220)
vdo service is disabled after upgrading to Red Hat Enterprise Linux 7.6
vdoservice if it was previously enabled. This is because of missing
systemdmacros in the vdo RPM package.
Data corruption occurs on RAID 10 reshape on top of VDO.
mdadm) on top of VDO corrupts data. Stacking RAID 10 (or other RAID types) on top of VDO does not take advantage of the deduplication and compression capabilities of VDO and is not recommended. (BZ#1528466, BZ#1530776)
System boot is sometimes delayed by ndctl
udevrule installed by the ndctl package sometimes delays the system boot process for several minutes on systems with Non-Volatile Dual In-line Memory Module (NVDIMM) devices. In such cases,
systemddisplays a message similar to the following:
INFO: task systemd-udevd:1554 blocked for more than 120 seconds. ... nvdimm_bus_check_dimm_count+0x31/0xa0 [libnvdimm] ...
udevrule using the following command:
# rm /usr/lib/udev/rules.d/80-ndctl.rules
udevrule, the described problem no longer occurs. (BZ#1635441)
LVM might cause data corruption in the first 128kB of allocatable space of a physical volume
lvextend, while logical volumes (LVs) in the VG are in use. (BZ#1643651)
Chapter 62. System and Subscription Management
Red Hat Satellite 5.8 availability of RHEL 7.6 EUS, AUS, TUS, and E4S streams delayed
- Extended Update Support (EUS)
- Advanced Update Support (AUS)
- Telco Extended Update Support (TUS)
- Update Services for SAP Solutions (E4S)
Appendix A. Component Versions
Table A.1. Component Versions
iSCSI initiator utils (iscsi-initiator-utils)
[a] The qemu-kvm packages provide KVM virtualization on AMD64 and Intel 64 systems.
[b] The qemu-kvm-ma packages provide KVM virtualization on IBM POWER8, IBM POWER9, and IBM Z. Note that KVM virtualization on IBM POWER9 and IBM Z also requires using the kernel-alt packages.
Appendix B. List of Bugzillas by Component
Table B.1. List of Bugzillas by Component
|Component||New Features||Notable Bug Fixes||Technology Previews||Known Issues|
|389-ds-base||BZ#1560653||BZ#1515190, BZ#1525256, BZ#1551071, BZ#1552698, BZ#1559945, BZ#1566444, BZ#1568462, BZ#1570033, BZ#1570649, BZ#1576485, BZ#1581737, BZ#1582092, BZ#1582747, BZ#1593807, BZ#1598478, BZ#1598718, BZ#1614501|
|anaconda||BZ#1562301||BZ#1360223, BZ#1436304, BZ#1535781, BZ#1554271, BZ#1557485, BZ#1561662, BZ#1561930|
|device-mapper-multipath||BZ#1541116, BZ#1554516, BZ#1593459||BZ#1498724, BZ#1526876, BZ#1544958, BZ#1584228, BZ#1610263|
|initscripts||BZ#1493069, BZ#1542514, BZ#1583677||BZ#1554364, BZ#1554690, BZ#1559384, BZ#1572659|
|kernel||BZ#1205497, BZ#1305092, BZ#1322930, BZ#1344565, BZ#1350553, BZ#1361286, BZ#1451438, BZ#1457161, BZ#1471950, BZ#1496859, BZ#1507027, BZ#1511351, BZ#1515584, BZ#1520356, BZ#1557599, BZ#1570090, BZ#1584753, BZ#1620372||BZ#1527799, BZ#1541250, BZ#1544920, BZ#1554907, BZ#1636930||BZ#916382, BZ#1109348, BZ#1111712, BZ#1206277, BZ#1230959, BZ#1274459, BZ#1299662, BZ#1348508, BZ#1387768, BZ#1393375, BZ#1414957, BZ#1457533, BZ#1460849, BZ#1503123, BZ#1519746, BZ#1589397||BZ#1428549, BZ#1520302, BZ#1528466, BZ#1608704, BZ#1615210, BZ#1622413, BZ#1623150, BZ#1627563, BZ#1632575, BZ#1637992|
|libguestfs||BZ#1541908, BZ#1557273||BZ#1387213, BZ#1441197, BZ#1477912|
|nss||BZ#1425514, BZ#1431210, BZ#1432142|
|opensc||BZ#1547117, BZ#1562277, BZ#1562572|
|openscap||BZ#1556988||BZ#1548949, BZ#1603347, BZ#1640522|
|other||BZ#1432080, BZ#1609302, BZ#1612965, BZ#1627126||BZ#1062759, BZ#1072107, BZ#1259547, BZ#1464377, BZ#1477977, BZ#1559615, BZ#1613966||BZ#1569484, BZ#1571754, BZ#1611665, BZ#1633185, BZ#1635135, BZ#1647485|
|pcs||BZ#1427273, BZ#1475318||BZ#1566382, BZ#1572886, BZ#1588667, BZ#1590533||BZ#1433016|
|pki-core||BZ#1550742, BZ#1550786, BZ#1557569, BZ#1562423, BZ#1585866||BZ#1546708, BZ#1549632, BZ#1568615, BZ#1580394|
|powerpc-utils||BZ#1540067, BZ#1592429, BZ#1596121, BZ#1628907|
|resource-agents||BZ#1470840, BZ#1538689, BZ#1568588, BZ#1568589||BZ#1513957|
|rsyslog||BZ#1482819, BZ#1531295, BZ#1539193||BZ#1553700|
|sudo||BZ#1533964, BZ#1547974, BZ#1548380||BZ#1560657|
Appendix C. Revision History
|Revision 0.0-19||Tue Jan 08 2019|
|Revision 0.0-18||Fri Dec 07 2018|
|Revision 0.0-17||Thu Nov 29 2018|
|Revision 0.0-16||Wed Nov 21 2018|
|Revision 0.0-15||Fri Nov 16 2018|
|Revision 0.0-14||Thu Nov 15 2018|
|Revision 0.0-13||Tue Nov 13 2018|
|Revision 0.0-12||Mon Nov 12 2018|
|Revision 0.0-11||Fri Nov 09 2018|
|Revision 0.0-10||Tue Nov 06 2018|
|Revision 0.0-9||Mon Nov 05 2018|
|Revision 0.0-8||Fri Nov 02 2018|
|Revision 0.0-7||Tue Oct 30 2018|
|Revision 0.0-0||Wed Aug 22 2018|