Identifier: Certificate Policies: - 2.5.29.32
            Critical: no
            Certificate Policies:

(BZ#1768718)

(BZ#1796352)

(BZ#1792492)

# pmieconf -c enable zeroconf.all_threads

(BZ#1775373)

For detailed information about FreeRDP 2.1.1, see the upstream release notes: https://github.com/FreeRDP/FreeRDP/blob/2.1.1/ChangeLog.

(BZ#1834286)

See also Important Changes to External Kernel Parameters and Device Drivers.

(BZ#1801759)

For more information about important changes to kernel parameters, see the New kernel parameters section.

(BZ#1781726)

(BZ#1514705)

(BZ#1855010)

(BZ#1829777)

(BZ#1790643)

For configuring unbound to run inside chroot, prepare your environment as described in the following support article Running unbound in chroot.

(BZ#2121623)

(BZ#1767177)

Note that the rpm_verify_permissions rule in the CIS profile does not work correctly. See the known issue description rpm_verify_permissions fails in the CIS profile.

(BZ#1821633)

(BZ#1791583)

You should use only the current version of this profile because the older versions of this profile are no longer valid. The OVAL checks for several rules have changed, and scans using the V3R1 version will fail for systems that were hardened using older versions of SCAP Security Guide. You can fix the rules automatically by running the remediation with the new version of SCAP Security Guide.

The following rules have been changed:

(BZ#1665233)

(BZ#1958789, BZ#1970131)

As a result, you can configure and automate compliance of your RHEL 7 systems according to your required ANSSI hardening level by using the ANSSI Ansible Playbooks and the ANSSI SCAP profiles. The Draft ANSSI High profile provided with the previous versions has been aligned to ANSSI DAT-NT-028. Although the profile names and versions have changed, the IDs of the ANSSI profiles such as xccdf_org.ssgproject.content_profile_anssi_nt28_high remain the same to ensure backward compatibility.

(BZ#1955180)

Note that the evaluations of the following rules still diverge:

Also, rule SV-204405r603261_rule from DISA’s RHEL 7 STIG is not covered in the SSG RHEL 7 STIG profiles.

(BZ#1967950)

(BZ#1993822)

The compat-unixODBC234 package conflicts with the base RHEL 7 unixODBC package. Therefore, uninstall unixODBC prior to installing compat-unixODBC234.

This package is also available for Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.6 Extended Update Support, and Red Hat Enterprise Linux 7.7 Extended Update Support through the RHEA-2020:2178 advisory.

See also The compat-unixODBC234 package for SAP requires a symlink to load the unixODBC library.

(BZ#1790655)

(BZ#1834835)

DIF/DIX is not supported on the following configurations:

DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent.

For further information on the DIF/DIX feature, see What is DIF/DIX.

(BZ#1649493)

Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers.

Red Hat Software Collections (RHSCL) is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures, IBM Z, and IBM POWER, little endian.

Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Red Hat Developer Toolset is included as a separate Software Collection.

Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can choose which package version they want to run at any time.

See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.

See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.

Graphics Drivers and Miscellaneous Drivers

Network Driver Updates

Storage Driver Updates

(BZ#1801327)

(BZ#1700987)

(BZ#1796558)

(BZ#1769418)

(BZ#1807537)

Note that, if the time difference is greater than one day, the server logs a INFO - csngen_new_csn - Detected large jump in CSN time message in the /var/log/dirsrv/slapd-<instance_name>/error file. However, Directory Server still creates the CSN and does not reject the update operation.

(BZ#1837105)

(BZ#1824930)

(BZ#1827284)

The Kerberos interface has been updated and expiration notices are now sent correctly.

(BZ#1733289)

(BZ#1782492)

(BZ#1487418)

(BZ#1751381)

(BZ#1806523)

(BZ#1807077)

(BZ#1770232)

With this update, XFS now mounts the file system even if it was created based on invalid stripe geometry.

For details, see the following solution article: https://access.redhat.com/solutions/5075561.

(BZ#1836292)

Note that using an in-view clause is recommended as a better solution.

(BZ#1744081)

By default, in RHEL 7.9, the new AllowZoneDrifting parameter in the /etc/firewalld/firewalld.conf file is set to yes. Note that, if the parameter is enabled, firewalld logs:

WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.

(BZ#1796055)

(BZ#1754117)

(BZ#1478285)

(BZ#1640522)

(BZ#1691877)

(BZ#1494606)

(BZ#1609014)

(BZ#1776780)

(BZ#1890111)

(BZ#1942281)

With the release of the RHBA-2021:1383 advisory, rule descriptions, remediations, and OVAL checks have been aligned and inform users that they must mask a service to disable it.

(BZ#1891435)

With the update released in the RHBA-2021:4781 advisory, Ansible regular expressions have been fixed. As a result, these rules remediate correctly in the dconf configuration.

(BZ#1976123)

(BZ#1770123)

With this update, the missing rule has been added to the SELinux policy. As a result, auditd can now halt or power off the system.

(BZ#1780332)

(BZ#1775573)

(BZ#1703445)

(BZ#1672212)

As a consequence, the tuned service became unresponsive and had to be restarted. This bug has been fixed, and the tuned service no longer hangs in the described scenarios.

Note that the tuned behavior has changed with this update. Previously, when the user executed the tuned-adm off command and restarted the tuned service, tuned tried to load the recommended profile. Now, tuned loads no profile even if the recommended profile exists.

(BZ#1702724)

Note that to re-apply sysctl settings you need to move them from the mentioned directories to /etc/sysctl.d, /etc/sysctl.conf or /run/sysctl.d directories or to a custom tuned profile.

(BZ#1776149)

With this update, the VDO systemd units have been improved, and as a result, the system shuts down cleanly with LVM on VDO.

Additionally, the VDO startup configuration is now more flexible. You no longer have to add special mount options in the /etc/fstab file for most VDO configurations.

(BZ#1706154)

GPG enabled: failed to lookup digest in keyring.

With this update, handling of relative gpgkey paths has been fixed in librhsm. As a result, the user can now successfully use the custom repository from Satellite inside containers.

(BZ#1708628)

signature X doesn't bind subkey to key, type is subkey revocation

This update introduces a change in the code that checks revocation before checking binding signature. As a result, YUM can now install RPM packages signed with GPG keys with revoked subkeys.

(BZ#1778784)

kernel: swapon: swapfile has holes

This update fixes the underlying code, which prevents the problem from occurring.

(BZ#1772505)

(BZ#1284974)

For details, see Using Containerized Identity Management Services.

(BZ#1405325)

Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:

Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices described in the Red Hat Enterprise Linux Networking Guide.

(BZ#1115294)

In RHEL 7.3, the IdM API was enhanced to enable multiple versions of API commands. Previously, enhancements could change the behavior of a command in an incompatible way. Users are now able to continue using existing tools and scripts even if the IdM API changes. This enables:

In all cases, the communication with the server is possible, regardless if one side uses, for example, a newer version that introduces new options for a feature.

For details on using the API, see the related Knowlegdebase article.

(BZ#1298286)

Hidden replicas are primarily designed for dedicated services that can otherwise disrupt clients. For example, a full backup of IdM requires to shut down all IdM services on the master or replica. Since no clients use a hidden replica, administrators can temporarily shut down the services on this host without affecting any clients. Other use cases include high-load operations on the IdM API or the LDAP server, such as a mass import or extensive queries.

To install a new hidden replica, use the ipa-replica-install --hidden-replica command. To change the state of an existing replica, use the ipa server-state command.

(BZ#1518939)

(BZ#1068725)

For details, see the upstream documentation at http://custodia.readthedocs.io.

Note that since Red Hat Enterprise Linux 7.6, Custodia has been deprecated.

(BZ#1403214)

(BZ#1413573)

If the heuristics agent is configured on the same fencing level as the fence agent that does the actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the agent that does the fencing. If the heuristics agent gives a negative result for the off action it is already clear that the fencing level is not going to succeed, causing Pacemaker fencing to skip the step of issuing the off action on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent the agent that does the actual fencing from fencing a node under certain conditions.

A user might want to use this agent, especially in a two-node cluster, when it would not make sense for a node to fence the peer if it can know beforehand that it would not be able to take over the services properly. For example, it might not make sense for a node to take over services if it has problems reaching the networking uplink, making the services unreachable to clients, a situation which a ping to a router might detect in that case.

(BZ#1476401)

There is one exception to this feature being Technology Preview: As of RHEL 7.4, Red Hat fully supports the usage of Pacemaker bundles for Red Hat Openstack Platform (RHOSP) deployments.

(BZ#1433016)

The LVM-activate agent provides a choice from multiple methods for LVM management throughout a cluster:

The new lvmlockd resource agent is used to start the lvmlockd daemon when LVM-activate is configured to use lvmlockd.

For information on the lvmlockd and LVM-activate resource agent, see the PCS help screens for those agents. For information on setting up LVM for use with lvmlockd, see the lvmlockd(8) man page.

(BZ#1513957)

The following features are currently unavailable or do not work correctly:

(BZ#1481411)

Due to technical limitations, fractional scaling is available only on Wayland.

(BZ#1481395)

To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that supports DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.

(BZ#1274459)

Note that Red Hat recommends using the pNFS SCSI layout instead, which is similar to block layout but easier to use.

(BZ#1111712)

OverlayFS remains a Technology Preview under most circumstances. As such, the kernel will log warnings when this technology is activated.

Full support is available for OverlayFS when used with Docker under the following restrictions:

Note that OverlayFS provides a restricted set of the POSIX standards. Test your application thoroughly before deploying it with OverlayFS.

Note that XFS file systems must be created with the -n ftype=1 option enabled for use as an overlay. With the rootfs and any file systems created during system installation, set the --mkfsoptions=-n ftype=1 parameters in the Anaconda kickstart. When creating a new file system after the installation, run the # mkfs -t xfs -n ftype=1 /PATH/TO/DEVICE command. To determine whether an existing file system is eligible for use as an overlay, run the # xfs_info /PATH/TO/DEVICE | grep ftype command to see if the ftype=1 option is enabled.

There are also several known issues associated with OverlayFS in this release. For details, see Non-standard behavior in the Linux kernel documentation.

(BZ#1206277)

Red Hat Enterprise Linux 7.4 introduced the last planned update to this feature. Btrfs has been deprecated, which means Red Hat will not be moving Btrfs to a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux.

(BZ#1477977)

(BZ#1062759)

(BZ#1384452)

In Red Hat Enterprise Linux 7.6, the ibmvnic driver was upgraded to version 1.0, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:

(BZ#1519746)

(BZ#1454918)

(BZ#1454916)

(BZ#1559615)

(BZ#1230959)

(BZ#1460849)

It is not possible to make kexec fast reboot as the default reboot action. Special case is using kexec fast reboot for Anaconda. It still does not enable to make kexec fast reboot default. However, when used with Anaconda, the operating system can automatically use kexec fast reboot after the installation is complete in case that user boots kernel with the anaconda option. To schedule a kexec reboot, use the inst.kexec command on the kernel command line, or include a reboot --kexec line in the Kickstart file.

(BZ#1464377)

These problems included most notably:

In Red Hat Enterprise Linux 7.5, perf cqm was replaced by the approach based on the resctrl file system, which addressed all of the aforementioned problems.

(BZ#1457533)

Hardware offloading enables that the selected functions of network traffic processing, such as shaping, scheduling, policing and dropping, are executed directly in the hardware instead of waiting for software processing, which improves the performance.

(BZ#1503123)

(BZ#1589397)

(BZ#1726642)

Note that the criu tool depends on Protocol Buffers, a language-neutral, platform-neutral extensible mechanism for serializing structured data. The protobuf and protobuf-c packages, which provide this dependency, were also introduced in Red Hat Enterprise Linux 7.2 as a Technology Preview. Since Red Hat Enterprise Linux 7.8, the criu package provides support for Podman to do a container checkpoint and restore. The newly added functionality only works without SELinux support.

(BZ#1400230)

(BZ#916384)

(BZ#916382)

(BZ#755087)

Note that the qlcnic driver has been deprecated and is not available in RHEL 8.

(BZ#1259547)

(BZ#1393375)

Since Red Hat Enterprise Linux 7.4, the rhel-system-roles packages have been distributed through the Extras repository.

The postfix role is available as a Technology Preview.

The following roles are fully supported:

For more information, see the Knowledgebase article about RHEL System Roles.

(BZ#1439896)

The following new roles in the rhel-system-roles-sap package are available as a Technology Preview:

For more information, see Red Hat Enterprise Linux System Roles for SAP.

Note: RHEL 7.8 for SAP Solutions is currently not scheduled to be validated for use with SAP HANA on Intel 64 architecture and IBM POWER8. Other SAP applications and database products, for example, SAP NetWeaver and SAP ASE, can use RHEL 7.8 features. Please consult SAP Notes 2369910 and 2235581 for the latest information about validated releases and SAP support.

(BZ#1660838)

(BZ#1375750)

Note that if the corresponding private key is imported and has the PrivateKeyInfo.privateKeyAlgorithm field that restricts the signing algorithm to RSA-PSS, it is ignored when importing the key. See MZBZ#1413596 for more information.

(BZ#1431210)

Support for certificates signed with RSA-PSS in certutil is provided as a Technology Preview.

(BZ#1425514)

Note that the functionality has the following limitations:

(BZ#1432142)

See the Blocking USB devices while the screen is locked Knowledgebase article.

(BZ#1480100)

Also note that although blk-mq is intended to offer improved performance, particularly for low-latency devices, it is not guaranteed to always provide better performance. Notably, in some cases, enabling scsi-mq can result in significantly deteriorated performance, especially on systems with many CPUs.

(BZ#1109348)

The Targetd plug-in is not fully supported and remains a Technology Preview.

(BZ#1119909)

The SCSI-MQ functionality is provided as a Technology Preview when used with the qla2xxx or the lpfc drivers.

Note that a recent performance testing at Red Hat with async IO over Fibre Channel adapters using SCSI-MQ has shown significant performance degradation under certain conditions.

(BZ#1414957)

YUM 4 is based on the DNF technology and offers the following advantages over the standard YUM 3 used on RHEL 7:

To install YUM 4, run the yum install nextgen-yum4 command.

Make sure to install the dnf-plugin-subscription-manager package, which includes the subscription-manager plug-in. This plug-in is required for accessing protected repositories provided by the Red Hat Customer Portal or Red Hat Satellite 6, and for automatic updates of the /etc/yum.repos.d/redhat.repo file.

To manage packages, use the yum4 command and its particular options the same way as the yum command.

For detailed information about differences between the new YUM 4 tool and YUM 3, see Changes in DNF CLI compared to YUM.

For instructions on how to enable the Extras repository, see the Knowledgebase article How to subscribe to the Extras channel/repo.

(BZ#1461652)

(BZ#1103193)

(BZ#1299662)

(BZ#1661654)

(BZ#1387213)

(BZ#1475770)

(BZ#653382)

The feature is currently supported with Microsoft Windows Server 2019 and 2016.

(BZ#1348508)

(BZ#1819745)

Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are not affected as they use encrypted connections protected by SASL and GSSAPI.

If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the /etc/sssd/sssd.conf file. The default behavior is planned to be changed in a future release of RHEL.

(JIRA:RHELPLAN-155168)

As a workaround, use the version of GCC included in Red Hat Developer Toolset to build code which uses the thread sanitizer.

(BZ#1569484)

(BZ#1648162)

To work around this problem, disable radeon in kdump by adding the following line to the /etc/kdump.conf file:

dracut_args --omit-drivers "radeon"

Afterwards, restart the machine and kdump.

Note that in this scenario, no graphics will be available during kdump, but kdump will complete successfully.

(BZ#1168430)

(BZ#1706522)

(BZ#1813394)

To work around the problem:

As a result, the kdump kernel boots with 9 CPUs and the vmcore file is captured upon kernel crash. Note that the kdump service can use a significant amount of crash kernel memory to dump the vmcore file since it enables 9 CPUs in the kdump kernel. Therefore, ensure that the crash kernel has a size reserve of 256MB available for booting the kdump kernel.

(BZ#1844522)

As a consequence, enabling these kprobe events, you can experience a system response failure. This situation triggers a kernel panic. To workaround this problem, avoid configuring kretprobes for mentioned functions and prevent system response failure.

(BZ#1838903)

kexec_file_load failed: Required key not available

This behavior displays due to either of these:

As a consequence, kdump fails to start and hence no dump core is saved during the crash event.

To workaround this problem, use either of these:

As a result, kdump starts successfully in the described scenario.

(BZ#1862840)

To work around the problem, add the following options to the kernel command line when booting to the installer:

rd.iscsi.ibft=1 rd.iscsi.firmware=1

These options enable network configuration and iSCSI target discovery from the pre-OS firmware configuration.

The firmware configures the iSCSI storage, and as a result, the installer can discover and use the iSCSI storage.

(BZ#1871027)

Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]

Currently, a workaround or partial mitigation to this problem is not known.

(BZ#1874101)

Consequently, the network adapter remains undetected by the operating system. To work around this problem, you can use external drivers for RHEL 7 provided by Intel® or Dell.

(BZ#1933998)

(BZ#1773478)

Environment=OPENSSL_ENABLE_MD5_VERIFY=1

Then run the systemctl daemon-reload command as root to reload the service file.

(BZ#1062656)

To work around this problem, use one of the following:

Note that it is not recommended to use more than three domains.

(BZ#1758317)

category query-errors { default_debug; };

This will move query errors back into the debug log.

Alternatively, use the following statement to discard all query error messages:

category querry-errors { null; };

As a result, only name queries are logged in a similar way to the previous BIND 9.9.4 release.

(BZ#1853191)

With the rebase to bind 9.11, only the following zone types:

use the check-names statement.

Consequently, the check-names option, previously allowed in the forward zone definitions, is no longer accepted and causes a failure on start of the named-chroot service. To work around this problem, remove the check-names option from all the zone types except for master, slave, stub or hint.

As a result, the named-chroot service starts again without errors. Note that the ignored statements will not change the provided service.

(BZ#1851836)

To work around this problem, rearrange the --queue-bypass option before --queue-cpu-fanout option.

(BZ#1851944)

To work around the problem, set up a watch for the resolved path of the program executable, and filter the resulting log messages using the last component listed in the comm= or proctitle= fields.

(BZ#1421794)

In most cases, the domain_entry_file() interface grants the newly required permission to the SELinux domain. However, in case the executed file is a script, then the target domain may lack the permission to execute the interpreter’s binary. This lack of the newly required permission leads to AVC denials. If SELinux is running in enforcing mode, the kernel might kill the process with the SIGSEGV or SIGKILL signal in such a case.

If the problem occurs on the file from the domain which is a part of the selinux-policy package, file a bug against this component. In case it is part of a custom policy module, Red Hat recommends granting the missing permissions using standard SELinux interfaces:

For more details, see the /usr/share/selinux/devel/include/kernel/corecommands.if file provided by the selinux-policy-doc package and the An exception that breaks the stability of the RHEL SELinux policy API article on the Customer Portal.

(BZ#1832194)

To work around this problem, use smaller package groups, for example, Server and Minimal Install on systems with limited RAM. If your scenario requires large package groups, you can test whether your system has sufficient memory in a virtual or staging environment. Alternatively, you can tailor the scanning profile to deselect rules that involve recursion over the entire / filesystem:

This prevents the OpenSCAP scanner from causing the system to run out of memory.

(BZ#1829782)

(BZ#1828598)

For more information about the related feature, see SCAP Security Guide now provides a profile aligned with the CIS RHEL 7 Benchmark v2.2.0.

(BZ#1838622)

As a consequence, rules that work with user IDs or group IDs do not have access to IDs of remote users. Therefore, such IDs are identified as foreign to the system. This might result in scans to fail on compliant systems. In the scap-security-guide packages, the following rules are affected:

To work around this problem, if a rule that deals with user or group IDs fails on a system that defines remote users, check the failed parts manually. The OpenSCAP scanner enables you to specify the --oval-results option together with the --report option. This option displays offending files and UIDs in the HTML report and makes the manual revision process straightforward.

Additionally, in RHEL 8.3, the rules in the scap-security-guide packages contain a warning that only local-user back ends have been evaluated.

(BZ#1721439)

(BZ#1778661)

Due to minor ABI differences between unixODBC version 2.3.1 and 2.3.4, an application built with version 2.3.1 might not work with version 2.3.4 in certain rare cases. To prevent problems caused by this incompatibility, the compat-unixODBC234 package uses a different SONAME for shared libraries available in this package, and the library file is available under /usr/lib64/libodbc.so.1002.0.0 instead of /usr/lib64/libodbc.so.2.0.0.

As a consequence, third party applications built with unixODBC version 2.3.4 that load the unixODBC library in runtime using the dlopen() function fail to load the library with the following error message:

/usr/lib64/libodbc.so.2.0.0: cannot open shared object file: No such file or directory

To work around this problem, create the following symbolic link:

# ln -s /usr/lib64/libodbc.so.1002.0.0 /usr/lib64/libodbc.so.2.0.0

and similar symlinks for other libraries from the compat-unixODBC234 package if necessary.

Note that the compat-unixODBC234 package conflicts with the base RHEL 7 unixODBC package. Therefore, uninstall unixODBC prior to installing compat-unixODBC234.

(BZ#1844443)

With this update to the Apache Portable Runtime (APR) library, you can work around the problem by setting the APR_DEEPBIND environment variable, which enables the use of the RTLD_DEEPBIND dynamic linker option when loading httpd modules. When the APR_DEEPBIND environment variable is enabled, crashes no longer occur in httpd configurations that load conflicting libraries.

(BZ#1739287)

RHEL 7 no longer receives updates to support new hardware. As a consequence, RHEL 7 cannot recognize Non-Volatile Memory Express (NVMe) devices that are managed by VMD 2.0.

To work around the problem, Red Hat recommends that you upgrade to a recent major RHEL release.

(BZ#1942865)

To work around this issue, terminate the transport session with the iscsiadm logout commands in either session mode (specifying a session ID) or in node mode (specifying a matching target name and portal for the blocked session). Issuing an iSCSI session logout on a recovering session terminates the session and removes the SCSI devices.

(BZ#1439055)

(BZ#2042313)

(BZ#1854917)

To prevent this problem from occurring, add the following line to the /etc/kdump.conf file and restart the kdump service.

extra_modules pci_hyperv

(BZ#1846667)

If you require using a password login for SSH connections to your RHEL 8 VMs configured using cloud-init, set ssh_pwauth: 1 in the /etc/cloud/cloud.cfg file before deploying the VM.

(BZ#1685580)

The following packages are now deprecated. For information regarding replaced packages or availability in an unsupported RHEL 8 repository (if applicable), see Considerations in adopting RHEL 8.

The following device drivers continue to be supported until the end of life of Red Hat Enterprise Linux 7 but will likely not be supported in future major releases of this product and are not recommended for new deployments.

The following adapters continue to be supported until the end of life of Red Hat Enterprise Linux 7 but will likely not be supported in future major releases of this product and are not recommended for new deployments. Other adapters from the mentioned drivers that are not listed here remain unchanged.

PCI IDs are in the format of vendor:device:subvendor:subdevice. If the subdevice or subvendor:subdevice entry is not listed, devices with any values of such missing entries have been deprecated.

To check the PCI IDs of the hardware on your system, run the lspci -nn command.

Python 2 has been deprecated

In the next major release, RHEL 8, Python 3.6 is the default Python implementation, and only limited support for Python 2.7 is provided.

See the Conservative Python 3 Porting Guide for information on how to migrate large code bases to Python 3.

LVM libraries and LVM Python bindings have been deprecated

The lvm2app library and LVM Python bindings, which are provided by the lvm2-python-libs package, have been deprecated.

Red Hat recommends the following solutions instead:

LVM mirror is deprecated

The LVM mirror segment type is now deprecated. Support for mirror will be removed in a future major release of RHEL.

Red Hat recommends that you use LVM RAID 1 devices with a segment type of raid1 instead of mirror. The raid1 segment type is the default RAID configuration type and replaces mirror as the recommended solution.

To convert mirror devices to raid1, see Converting a Mirrored LVM Device to a RAID1 Device.

Mirrored mirror log has been deprecated in LVM

The mirrored mirror log feature of mirrored LVM volumes has been deprecated. A future major release of Red Hat Enterprise Linux will no longer support creating or activating LVM volumes with a mirrored mirror log.

The recommended replacements are:

The clvmd daemon has been deprecated

The clvmd daemon for managing shared storage devices has been deprecated. A future major release of Red Hat Enterprise linux will instead use the lvmlockd daemon.

The lvmetad daemon has been deprecated

The lvmetad daemon for caching metadata has been deprecated. In a future major release of Red Hat Enterprise Linux, LVM will always read metadata from disk.

Previously, autoactivation of logical volumes was indirectly tied to the use_lvmetad setting in the lvm.conf configuration file. The correct way to disable autoactivation continues to be setting auto_activation_volume_list=[] (an empty list) in the lvm.conf file.

The sap-hana-vmware Tuned profile has been deprecated

The sap-hana-vmware Tuned profile has been deprecated. For backward compatibility, this profile is still provided in the tuned-profiles-sap-hana package, but the profile will be removed in future major release of Red Hat Enterprise Linux. The recommended replacement is the sap-hanaTuned profile.

Deprecated packages related to Identity Management and security

The following packages have been deprecated and will not be included in a future major release of Red Hat Enterprise Linux:

The Clevis HTTP pin has been deprecated

The Clevis HTTP pin has been deprecated and this feature will not be included in the next major version of Red Hat Enterprise Linux and will remain out of the distribution until a further notice.

crypto-utils has been deprecated

The crypto-utils packages have been deprecated, and they will not be available in a future major version of Red Hat Enterprise Linux. You can use tools provided by the openssl, gnutls-utils, and nss-tools packages instead.

NSS SEED ciphers have been deprecated

The Mozilla Network Security Services (NSS) library will not support Transport Layer Security (TLS) cipher suites that use a SEED cipher in a future release. For deployments that rely on SEED ciphers, Red Hat recommends enabling support for other cipher suites. This way, you ensure smooth transitions when NSS will remove support for them.

Note that the SEED ciphers are already disabled by default in RHEL.

All-numeric user and group names in shadow-utils have been deprecated

Creating user and group names consisting purely of numeric characters using the useradd and groupadd commands has been deprecated and will be removed from the system with the next major release. Such names can potentially confuse many tools that work with user and group names and user and group ids (which are numbers).

3DES is removed from the Python SSL default cipher list

The Triple Data Encryption Standard (3DES) algorithm has been removed from the Python SSL default cipher list. This enables Python applications using SSL to be PCI DSS-compliant.

sssd-secrets has been deprecated

The sssd-secrets component of the System Security Services Daemon (SSSD) has been deprecated in Red Hat Enterprise Linux 7.6. This is because Custodia, a secrets service provider, available as a Technology Preview, is no longer actively developed. Use other Identity Management tools to store secrets, for example the Vaults.

Support for earlier IdM servers and for IdM replicas at domain level 0 will be limited

Red Hat does not plan to support using Identity Management (IdM) servers running Red Hat Enterprise Linux (RHEL) 7.3 and earlier with IdM clients of the next major release of RHEL. If you plan to introduce client systems running on the next major version of RHEL into a deployment that is currently managed by IdM servers running on RHEL 7.3 or earlier, be aware that you will need to upgrade the servers, moving them to RHEL 7.4 or later.

In the next major release of RHEL, only domain level 1 replicas will be supported. Before introducing IdM replicas running on the next major version of RHEL into an existing deployment, be aware that you will need to upgrade all IdM servers to RHEL 7.4 or later, and change the domain level to 1.

Consider planning the upgrade in advance if your deployment will be affected.

Bug-fix only support for the nss-pam-ldapd and NIS packages in the next major release of Red Hat Enterprise Linux

The nss-pam-ldapd packages and packages related to the NIS server will be released in the future major release of Red Hat Enterprise Linux but will receive a limited scope of support. Red Hat will accept bug reports but no new requests for enhancements. Customers are advised to migrate to the following replacement solutions:

Use the Go Toolset instead of golang

The golang package, previously available in the Optional repository, will no longer receive updates in Red Hat Enterprise Linux 7. Developers are encouraged to use the Go Toolset instead, which is available through the Red Hat Developer program.

mesa-private-llvm will be replaced with llvm-private

The mesa-private-llvm package, which contains the LLVM-based runtime support for Mesa, will be replaced in a future minor release of Red Hat Enterprise Linux 7 with the llvm-private package.

libdbi and libdbi-drivers have been deprecated

The libdbi and libdbi-drivers packages will not be included in the next Red Hat Enterprise Linux (RHEL) major release.

Ansible deprecated in the Extras repository

Ansible and its dependencies will no longer be updated through the Extras repository. Instead, the Red Hat Ansible Engine product has been made available to Red Hat Enterprise Linux subscriptions and will provide access to the official Ansible Engine channel. Customers who have previously installed Ansible and its dependencies from the Extras repository are advised to enable and update from the Ansible Engine channel, or uninstall the packages as future errata will not be provided from the Extras repository.

Ansible was previously provided in Extras (for AMD64 and Intel 64 architectures, and IBM POWER, little endian) as a runtime dependency of, and limited in support to, the Red Hat Enterprise Linux (RHEL) System Roles. Ansible Engine is available today for AMD64 and Intel 64 architectures, with IBM POWER, little endian availability coming soon.

Note that Ansible in the Extras repository was not a part of the Red Hat Enterprise Linux FIPS validation process.

The following packages have been deprecated from the Extras repository:

For more information and guidance, see the Knowledgebase article at https://access.redhat.com/articles/3359651.

Note that Red Hat Enterprise Linux System Roles continue to be distributed though the Extras repository. Although Red Hat Enterprise Linux System Roles no longer depend on the ansible package, installing ansible from the Ansible Engine repository is still needed to run playbooks which use Red Hat Enterprise Linux System Roles.

signtool has been deprecated and moved to unsupported-tools

The signtool tool from the nss packages, which uses insecure signature algorithms, has been deprecated. The signtool executable has been moved to the /usr/lib64/nss/unsupported-tools/ or /usr/lib/nss/unsupported-tools/ directory, depending on the platform.

SSL 3.0 and RC4 are disabled by default in NSS

Support for the RC4 ciphers in the TLS protocols and the SSL 3.0 protocol is disabled by default in the NSS library. Applications that require RC4 ciphers or SSL 3.0 protocol for interoperability do not work in default system configuration.

It is possible to re-enable those algorithms by editing the /etc/pki/nss-legacy/nss-rhel7.config file. To re-enable RC4, remove the :RC4 string from the disallow= list. To re-enable SSL 3.0 change the TLS-VERSION-MIN=tls1.0 option to ssl3.0.

TLS compression support has been removed from nss

To prevent security risks, such as the CRIME attack, support for TLS compression in the NSS library has been removed for all TLS versions. This change preserves the API compatibility.

Public web CAs are no longer trusted for code signing by default

The Mozilla CA certificate trust list distributed with Red Hat Enterprise Linux 7.5 no longer trusts any public web CAs for code signing. As a consequence, any software that uses the related flags, such as NSS or OpenSSL, no longer trusts these CAs for code signing by default. The software continues to fully support code signing trust. Additionally, it is still possible to configure CA certificates as trusted for code signing using system configuration.

Sendmail has been deprecated

Sendmail has been deprecated in Red Hat Enterprise Linux 7. Customers are advised to use Postfix, which is configured as the default Mail Transfer Agent (MTA).

dmraid has been deprecated

Since Red Hat Enterprise Linux 7.5, the dmraid packages have been deprecated. It will stay available in Red Hat Enterprise Linux 7 releases but a future major release will no longer support legacy hybrid combined hardware and software RAID host bus adapter (HBA).

Automatic loading of DCCP modules through socket layer is now disabled by default

For security reasons, automatic loading of the Datagram Congestion Control Protocol (DCCP) kernel modules through socket layer is now disabled by default. This ensures that userspace applications can not maliciously load any modules. All DCCP related modules can still be loaded manually through the modprobe program.

The /etc/modprobe.d/dccp-blacklist.conf configuration file for blacklisting the DCCP modules is included in the kernel package. Entries included there can be cleared by editing or removing this file to restore the previous behavior.

Note that any re-installation of the same kernel package or of a different version does not override manual changes. If the file is manually edited or removed, these changes persist across package installations.

rsyslog-libdbi has been deprecated

The rsyslog-libdbi sub-package, which contains one of the less used rsyslog module, has been deprecated and will not be included in a future major release of Red Hat Enterprise Linux. Removing unused or rarely used modules helps users to conveniently find a database output to use.

The inputname option of the rsyslog imudp module has been deprecated

The inputname option of the imudp module for the rsyslog service has been deprecated. Use the name option instead.

SMBv1 is no longer installed with Microsoft Windows 10 and 2016 (updates 1709 and later)

Microsoft announced that the Server Message Block version 1 (SMBv1) protocol will no longer be installed with the latest versions of Microsoft Windows and Microsoft Windows Server. Microsoft also recommends users to disable SMBv1 on earlier versions of these products.

This update impacts Red Hat customers who operate their systems in a mixed Linux and Windows environment. Red Hat Enterprise Linux 7.1 and earlier support only the SMBv1 version of the protocol. Support for SMBv2 was introduced in Red Hat Enterprise Linux 7.2.

For details on how this change affects Red Hat customers, see SMBv1 no longer installed with latest Microsoft Windows 10 and 2016 update (version 1709) in Red Hat Knowledgebase.

The -ok option of the tc command has been deprecated

The -ok option of the tc command has been deprecated and this feature will not be included in the next major version of Red Hat Enterprise Linux.

FedFS has been deprecated

Federated File System (FedFS) has been deprecated because the upstream FedFS project is no longer being actively maintained. Red Hat recommends migrating FedFS installations to use autofs, which provides more flexible functionality.

Btrfs has been deprecated

The Btrfs file system has been in Technology Preview state since the initial release of Red Hat Enterprise Linux 6. Red Hat will not be moving Btrfs to a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux.

The Btrfs file system did receive numerous updates from the upstream in Red Hat Enterprise Linux 7.4 and will remain available in the Red Hat Enterprise Linux 7 series. However, this is the last planned update to this feature.

tcp_wrappers deprecated

The tcp_wrappers package has been deprecated. tcp_wrappers provides a library and a small daemon program that can monitor and filter incoming requests for audit, cyrus-imap, dovecot, nfs-utils, openssh, openldap, proftpd, sendmail, stunnel, syslog-ng, vsftpd, and various other network services.

nautilus-open-terminal replaced with gnome-terminal-nautilus

Since Red Hat Enterprise Linux 7.3, the nautilus-open-terminal package has been deprecated and replaced with the gnome-terminal-nautilus package. This package provides a Nautilus extension that adds the Open in Terminal option to the right-click context menu in Nautilus. nautilus-open-terminal is replaced by gnome-terminal-nautilus during the system upgrade.

sslwrap() removed from Python

The sslwrap() function has been removed from Python 2.7. After the 466 Python Enhancement Proposal was implemented, using this function resulted in a segmentation fault. The removal is consistent with upstream.

Red Hat recommends using the ssl.SSLContext class and the ssl.SSLContext.wrap_socket() function instead. Most applications can simply use the ssl.create_default_context() function, which creates a context with secure default settings. The default context uses the system’s default trust store, too.

Symbols from libraries linked as dependencies no longer resolved by ld

Previously, the ld linker resolved any symbols present in any linked library, even if some libraries were linked only implicitly as dependencies of other libraries. This allowed developers to use symbols from the implicitly linked libraries in application code and omit explicitly specifying these libraries for linking.

For security reasons, ld has been changed to not resolve references to symbols in libraries linked implicitly as dependencies.

As a result, linking with ld fails when application code attempts to use symbols from libraries not declared for linking and linked only implicitly as dependencies. To use symbols from libraries linked as dependencies, developers must explicitly link against these libraries as well.

To restore the previous behavior of ld, use the -copy-dt-needed-entries command-line option. (BZ#1292230)

Windows guest virtual machine support limited

As of Red Hat Enterprise Linux 7, Windows guest virtual machines are supported only under specific subscription programs, such as Advanced Mission Critical (AMC).

libnetlink is deprecated

The libnetlink library contained in the iproute-devel package has been deprecated. The user should use the libnl and libmnl libraries instead.

S3 and S4 power management states for KVM have been deprecated

Native KVM support for the S3 (suspend to RAM) and S4 (suspend to disk) power management states has been discontinued. This feature was previously available as a Technology Preview.

The Certificate Server plug-in udnPwdDirAuth is discontinued

The udnPwdDirAuth authentication plug-in for the Red Hat Certificate Server was removed in Red Hat Enterprise Linux 7.3. Profiles using the plug-in are no longer supported. Certificates created with a profile using the udnPwdDirAuth plug-in are still valid if they have been approved.

Red Hat Access plug-in for IdM is discontinued

The Red Hat Access plug-in for Identity Management (IdM) was removed in Red Hat Enterprise Linux 7.3. During the update, the redhat-access-plugin-ipa package is automatically uninstalled. Features previously provided by the plug-in, such as Knowledgebase access and support case engagement, are still available through the Red Hat Customer Portal. Red Hat recommends to explore alternatives, such as the redhat-support-tool tool.

The Ipsilon identity provider service for federated single sign-on

The ipsilon packages were introduced as Technology Preview in Red Hat Enterprise Linux 7.2. Ipsilon links authentication providers and applications or utilities to allow for single sign-on (SSO).

Red Hat does not plan to upgrade Ipsilon from Technology Preview to a fully supported feature. The ipsilon packages will be removed from Red Hat Enterprise Linux in a future minor release.

Red Hat has released Red Hat Single Sign-On as a web SSO solution based on the Keycloak community project. Red Hat Single Sign-On provides greater capabilities than Ipsilon and is designated as the standard web SSO solution across the Red Hat product portfolio.

Several rsyslog options deprecated

The rsyslog utility version in Red Hat Enterprise Linux 7.4 has deprecated a large number of options. These options no longer have any effect and cause a warning to be displayed.

Deprecated symbols from the memkind library

The following symbols from the memkind library have been deprecated:

Options of Sockets API Extensions for SCTP (RFC 6458) deprecated

The options SCTP_SNDRCV, SCTP_EXTRCV and SCTP_DEFAULT_SEND_PARAM of Sockets API Extensions for the Stream Control Transmission Protocol have been deprecated per the RFC 6458 specification.

New options SCTP_SNDINFO, SCTP_NXTINFO, SCTP_NXTINFO and SCTP_DEFAULT_SNDINFO have been implemented as a replacement for the deprecated options.

Managing NetApp ONTAP using SSLv2 and SSLv3 is no longer supported by libstorageMgmt

The SSLv2 and SSLv3 connections to the NetApp ONTAP storage array are no longer supported by the libstorageMgmt library. Users can contact NetApp support to enable the Transport Layer Security (TLS) protocol.

dconf-dbus-1 has been deprecated and dconf-editor is now delivered separately

With this update, the dconf-dbus-1 API has been removed. However, the dconf-dbus-1 library has been backported to preserve binary compatibility. Red Hat recommends using the GDBus library instead of dconf-dbus-1.

The dconf-error.h file has been renamed to dconf-enums.h. In addition, the dconf Editor is now delivered in the separate dconf-editor package.

FreeRADIUS no longer accepts Auth-Type := System

The FreeRADIUS server no longer accepts the Auth-Type := System option for the rlm_unix authentication module. This option has been replaced by the use of the unix module in the authorize section of the configuration file.

The libcxgb3 library and the cxgb3 firmware package have been deprecated

The libcxgb3 library provided by the libibverbs package and the cxgb3 firmware package have been deprecated. They continue to be supported in Red Hat Enterprise Linux 7 but will likely not be supported in the next major releases of this product. This change corresponds with the deprecation of the cxgb3, cxgb3i, and iw_cxgb3 drivers listed above.

SFN4XXX adapters have been deprecated

Starting with Red Hat Enterprise Linux 7.4, SFN4XXX Solarflare network adapters have been deprecated. Previously, Solarflare had a single driver sfc for all adapters. Recently, support of SFN4XXX was split from sfc and moved into a new SFN4XXX-only driver, called sfc-falcon. Both drivers continue to be supported at this time, but sfc-falcon and SFN4XXX support is scheduled for removal in a future major release.

Software-initiated-only FCoE storage technologies have been deprecated

The software-initiated-only type of the Fibre Channel over Ethernet (FCoE) storage technology has been deprecated due to limited customer adoption. The software-initiated-only storage technology will remain supported for the life of Red Hat Enterprise Linux 7. The deprecation notice indicates the intention to remove software-initiated-based FCoE support in a future major release of Red Hat Enterprise Linux.

It is important to note that the hardware support and the associated user-space tools (such as drivers, libfc, or libfcoe) are unaffected by this deprecation notice.

For details regarding changes to FCoE support in RHEL 8, see Considerations in adopting RHEL 8.

Target mode in Software FCoE and Fibre Channel has been deprecated

Containers using the libvirt-lxc tooling have been deprecated

The following libvirt-lxc packages are deprecated since Red Hat Enterprise Linux 7.1:

Future development on the Linux containers framework is now based on the docker command-line interface. libvirt-lxc tooling may be removed in a future release of Red Hat Enterprise Linux (including Red Hat Enterprise Linux 7) and should not be relied upon for developing custom container management applications.

For more information, see the Red Hat KnowledgeBase article.

The Perl and shell scripts for Directory Server have been deprecated

The Perl and shell scripts, which are provided by the 389-ds-base package, have been deprecated. The scripts will be replaced by new utilities in the next major release of Red Hat Enterprise Linux.

libguestfs can no longer inspect ISO installer files

The libguestfs library does no longer support inspecting ISO installer files, for example using the guestfish or virt-inspector utilities. Use the osinfo-detect command for inspecting ISO files instead. This command can be obtained from the libosinfo package.

Creating internal snapshots of virtual machines has been deprecated

Due to their lack of optimization and stability, internal virtual machine snapshots are now deprecated. In their stead, external snapshots are recommended for use. For more information, including instructions for creating external snapshots, see the Virtualization Deployment and Admnistration Guide.

IVSHMEM has been deprecated

The inter-VM shared memory device (IVSHMEM) feature has been deprecated. Therefore, in a future major release of RHEL, if a virtual machine (VM) is configured to share memory between multiple virtual machines in the form of a PCI device that exposes memory to guests, the VM will fail to boot.

The gnome-shell-browser-plugin subpackage has been deprecated

Since the Firefox Extended Support Release (ESR 60), Firefox no longer supports the Netscape Plugin Application Programming Interface (NPAPI) that was used by the gnome-shell-browser-plugin subpackage. The subpackage, which provided the functionality to install GNOME Shell Extensions, has thus been deprecated. The installation of GNOME Shell Extensions is now handled directly in the gnome-software package.

The VDO read cache has been deprecated

The read cache functionality in Virtual Data Optimizer (VDO) has been deprecated. The read cache is disabled by default on new VDO volumes.

In the next major Red Hat Enterprise Linux release, the read cache functionality will be removed, and you will no longer be able to enable it using the --readCache option of the vdo utility.

cpuid has been deprecated

The cpuid command has been deprecated. A future major release of Red Hat Enterprise Linux will no longer support using cpuid to dump the information about CPUID instruction for each CPU. To obtain similar information, use the lscpu command instead.

KDE has been deprecated

KDE Plasma Workspaces (KDE), which has been provided as an alternative to the default GNOME desktop environment has been deprecated. A future major release of Red Hat Enterprise Linux will no longer support using KDE instead of the default GNOME desktop environment.

Using virt-install with NFS locations is deprecated

With a future major version of Red Hat Enterprise Linux, the virt-install utility will not be able to mount NFS locations. As a consequence, attempting to install a virtual machine using virt-install with a NFS address as a value of the --location option will fail. To work around this change, mount your NFS share prior to using virt-install, or use a HTTP location.

The lwresd daemon has been deprecated

The lwresd daemon, which is a part of the bind package, has been deprecated. A future major release of Red Hat Enterprise Linux will no longer support providing name lookup services to clients that use the BIND 9 lightweight resolver library with lwresd.

The recommended replacements are:

The /etc/sysconfig/nfs file and legacy NFS service names have been deprecated

A future major Red Hat Enterprise Linux release will move the NFS configuration from the /etc/sysconfig/nfs file to /etc/nfs.conf.

Red Hat Enterprise Linux 7 currently supports both of these files. Red Hat recommends that you use the new /etc/nfs.conf file to make NFS configuration in all versions of Red Hat Enterprise Linux compatible with automated configuration systems.

Additionally, the following NFS service aliases will be removed and replaced by their upstream names:

The JSON export functionality has been removed from the nft utility

Previously, the nft utility provided an export feature, but the exported content could contain internal ruleset representation details, which was likely to change without further notice. For this reason, the deprecated export functionality has been removed from nft starting with RHEL 7.7. Future versions of nft, such as provided by RHEL 8, contain a high-level JSON API. However, this API not available in RHEL 7.7.

The openvswitch-2.0.0-7 package in the RHEL 7 Optional repository has been deprecated

RHEL 7.5 introduced the openvswitch-2.0.0-7.el7 package in the RHEL 7 Optional repository as a dependency of the NetworkManager-ovs package. This dependency no longer exists and, as a result, openvswitch-2.0.0-7.el7 is now deprecated.

Note that Red Hat does not support packages in the RHEL 7 Optional repository and that openvswitch-2.0.0-7.el7 will not be updated in the future. For this reason, do not use this package in production environments.

Deprecated PHP extensions

The following PHP extensions have been deprecated:

Deprecated Apache HTTP Server modules

The following modules of the Apache HTTP Server have been deprecated:

Apache Tomcat has been deprecated

The Apache Tomcat server, a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies, has been deprecated. Red Hat recommends that users requiring a servlet container use the JBoss Web Server.

The DES algorithm is deprecated in IdM

Due to security reasons, the Data Encryption Standard (DES) algorithm is deprecated in Identity Management (IdM). The MIT Kerberos libraries provided by the krb5-libs package do not support using the Data Encryption Standard (DES) in new deployments. Use DES only for compatibility reasons if your environment does not support any newer algorithm.

Red Hat also recommends to avoid using RC4 ciphers over Kerberos. While DES is deprecated, the Server Message Block (SMB) protocol still uses RC4. However, the SMB protocol can also use the secure AES algorithms.

For further details, see:

real(kind=16) type support has been removed from libquadmath library

real(kind=16) type support has been removed from the libquadmath library in the compat-libgfortran-41 package in order to preserve ABI compatibility.

Deprecated glibc features

The following features of the GNU C library provided by the glibc packages have been deprecated:

Deprecated features of the GDB debugger

The following features and capabilities of the GDB debugger have been deprecated:

Development headers and static libraries from valgrind-devel have been deprecated

The valgrind-devel sub-package includes development files for developing custom Valgrind tools. These files do not have a guaranteed API, have to be linked statically, are unsupported, and thus have been deprecated. Red Hat recommends to use the other development files and header files for valgrind-aware programs from the valgrind-devel package such as valgrind.h, callgrind.h, drd.h, helgrind.h, and memcheck.h, which are stable and well supported.

The nosegneg libraries for 32-bit Xen have been deprecated

The glibc i686 packages contain an alternative glibc build, which avoids the use of the thread descriptor segment register with negative offsets (nosegneg). This alternative build is only used in the 32-bit version of the Xen Project hypervisor without hardware virtualization support, as an optimization to reduce the cost of full paravirtualization. This alternative build is deprecated.

Ada, Go, and Objective C/C++ build capability in GCC has been deprecated

Capability for building code in the Ada (GNAT), GCC Go, and Objective C/C++ languages using the GCC compiler has been deprecated.

To build Go code, use the Go Toolset instead.

Deprecated Kickstart commands and options

The following Kickstart commands and options have been deprecated:

Where only specific options and values are listed, the base command and its other options are not deprecated.

The env option in virt-who has become deprecated

With this update, the virt-who utility no longer uses the env option for hypervisor detection. As a consequence, Red Hat discourages the use of env in your virt-who configurations, as the option will not have the intended effect.

AGP graphics card have been deprecatd

Graphics cards using the Accelerated Graphics Port (AGP) bus have been deprecated and are not supported in RHEL 8. AGP graphics cards are rarely used in 64-bit machines and the bus has been replaced by PCI-Express.

The copy_file_range() call has been disabled on local file systems and in NFS

The copy_file_range() system call on local file systems contains multiple issues that are difficult to fix. To avoid file corruptions, copy_file_range() support on local file systems has been disabled in RHEL 7.8. If an application uses the call in this case, copy_file_range() now returns an ENOSYS error.

For the same reason, the server-side-copy feature has been disabled in the NFS server. However, the NFS client still supports copy_file_range() when accessing a server that supports server-side-copy.

The ipv6, netmask, gateway, and hostname kernel parameters have been deprecated

The ipv6, netmask, gateway, and hostname parameters to set the network configuration in the kernel command line have been deprecated. RHEL 8 supports only the consolidated ip parameter that accepts different formats, such as the following:

ip=__IP_address__:__peer__:__gateway_IP_address__:__net_mask__:__host_name__:__interface_name__:__configuration_method__

For further details about the individual fields and other formats this parameter accepts, see the description of the ip parameter in the dracut.cmdline(7) man page.

Note that you can already use the consolidated ip parameter in RHEL 7.

The hidepid=n mount option is not recommended in RHEL 7

The mount option hidepid=n, which controls who can access information in /proc/[pid] directories, is not compatible with systemd provided in RHEL 7 and newer.

In addition, using this option might cause certain services started by systemd to produce SELinux AVC denial messages and prevent other operations from completing.

For more information, see the related Is mounting /proc with "hidepid=2" recommended with RHEL7 and RHEL8?.

The -s split option is no longer supported with the -f option

When providing files to Red Hat Support by uploading them to Red Hat Secure FTP, you can run the redhat-support-tool addattachment -f command. Due to infrastructure changes introduced in the RHBA-2022:0623 advisory, you can no longer use the -s option with this command for splitting big files into parts and uploading them to Red Hat Secure FTP.

The redhat-support-tool diagnose <file_or_directory> command has been deprecated

With the release of the RHBA-2022:0623 advisory, the Red Hat Support Tool no longer supports the redhat-support-tool diagnose <file_or_directory> command previously used for advanced diagnostic services for files or directories. The redhat-support-tool diagnose command continues to support the plain text analysis.