Chapter 19. System and Subscription Management

cockpit rebased to version 173

The cockpit packages, which provide the Cockpit browser-based administration console, have been upgraded to version 173. This version provides a number of bug fixes and enhancements. Notable changes include:
  • The menu and navigation can now work with mobile browsers.
  • Cockpit now supports alternate Kerberos keytabs for Cockpit's web server, which enables configuration of Single Sign-On (SSO).
  • Automatic setup of Kerberos keytab for Cockpit web server.
  • Automatic configuration of SSO with FreeIPA for Cockpit is possible.
  • Cockpit requests FreeIPA SSL certificate for Cockpit's web server.
  • Cockpit shows available package updates and missing registrations on system front page.
  • A Firewall interface has been added.
  • The flow control to avoid user interface hangs and unbounded memory usage for big file downloads has been added.
  • Terminal issues in Chrome have been fixed.
  • Cockpit now properly localizes numbers, times, and dates.
  • Subscriptions page hang when accessing as a non-administrator user has been fixed.
  • Log in is now localized properly.
  • The check for root privilege availability has been improved to work for FreeIPA administrators as well. (BZ#1568728, BZ#1495543, BZ#1442540, BZ#1541454, BZ#1574630)

reposync now by default skips packages whose location falls outside the destination directory

Previously, the reposync command did not sanitize paths to packages specified in a remote repository, which was insecure. A security fix for CVE-2018-10897 has changed the default behavior of reposync to not store any packages outside the specified destination directory. To restore the original insecure behavior, use the new --allow-path-traversal option. (BZ#1609302)

The yum clean all command now prints a disk usage summary

When using the yum clean all command, the following hint was always displayed: 
Maybe you want: rm -rf /var/cache/yum
With this update, the hint has been removed, and yum clean all now prints a disk usage summary for remaining repositories that were not affected by yum clean all (BZ#1481220)

The yum versionlock plug-in now displays which packages are blocked when running the yum update command

Previously, the yum versionlock plug-in, which is used to lock RPM packages, did not display any information about packages excluded from the update. Consequently, users were not warned that such packages will not be updated when running the yum update command. With this update, yum versionlock has been changed. The plug-in now prints a message about how many package updates are being excluded. In addition, the new status subcommand has been added to the plug-in. The yum versionlock status command prints the list of available package updates blocked by the plug-in. (BZ#1497351)

The repotrack command now supports the --repofrompath option

The --repofrompath option, which is already supported by the repoquery and repoclosure commands, has been added to the repotrack command. As a result, non-root users can now add custom repositories to track without escalating their privileges. (BZ#1506205)

Subscription manager now respects proxy_port settings from rhsm.conf

Previously, subscription manager did not respect changes to the default proxy_port configuration from the /etc/rhsm/rhsm.conf file. Consequently, the default value of 3128 was used even after the user had changed the value of proxy_port.
With this update, the underlying source code has been fixed, and subscription manager now respects changes to the default proxy_port configuration. However, making any change to the proxy_port value in /etc/rhsm/rhsm.conf requires an selinux policy change. To avoid selinux denials when changing the default proxy_port, run this command for the benefit of the rhsmcertd daemon process: 
semanage port -a -t squid_port_t -p tcp <new_proxy_port>
(BZ#1576423)

New package: sos-collector

sos-collector is a utility that gathers sosreports from multi-node environments. sos-collector facilitates data collection for support cases and it can be run from either a node or from an administrator's local workstation that has network access to the environment. (BZ#1481861)