Chapter 8. Known Issues

This chapter documents known problems in Red Hat Enterprise Linux 7.

8.1. Authentication and Interoperability

Potential risk when using the default value for ldap_id_use_start_tls option

Using ldap:// without TLS for identity lookups exposes the lookups to attack, particularly a man-in-the-middle (MITM) attack in which an attacker impersonates a user by altering, for example, the UID or GID of an object returned in an LDAP search.

Currently, the SSSD configuration option that enforces TLS, ldap_id_use_start_tls, defaults to false. Ensure that your setup operates in a trusted environment and decide whether it is safe to use unencrypted communication for id_provider = ldap. Note that id_provider = ad and id_provider = ipa are not affected, because they use encrypted connections protected by SASL and GSSAPI.

If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the /etc/sssd/sssd.conf file. The default behavior is planned to be changed in a future release of RHEL.
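The following audit helper is an added example, not part of the release notes or of SSSD: it walks an sssd.conf file and reports every id_provider = ldap domain that still relies on the insecure ldap_id_use_start_tls default (the domain names and file content are constructed; an ldaps:// URI is treated as already encrypted).

```shell
# Added audit helper, not from the release notes: list the SSSD domains that
# still rely on the insecure ldap_id_use_start_tls default. The sssd.conf
# content and domain names below are constructed for the example.
SAMPLE_SSSD_CONF='[sssd]
domains = corp.example.com, secure.example.com, ad.example.com

[domain/corp.example.com]
id_provider = ldap
ldap_uri = ldap://ldap.corp.example.com

[domain/secure.example.com]
id_provider = ldap
ldap_uri = ldap://ldap.secure.example.com
ldap_id_use_start_tls = True

[domain/ad.example.com]
id_provider = ad
'
# Trim surrounding whitespace and lower-case a config value.
norm() { set -- $1; printf '%s' "$*" | tr 'A-Z' 'a-z'; }
# Print domain $1 if id_provider ($2) is ldap, ldap_id_use_start_tls ($3) is
# not true and ldap_uri ($4) is plain ldap:// or unset (SRV discovery, which
# also defaults to ldap://); an ldaps:// URI is already encrypted.
report_if_weak() {
    [ -n "$1" ] && [ "$2" = ldap ] && [ "$3" != true ] &&
        case "$4" in ldaps://*) ;; *) printf '%s\n' "$1" ;; esac
    return 0
}
# Walk one sssd.conf file ($1) section by section; ad and ipa providers are
# never reported because they are not affected.
unencrypted_ldap_domains() {
    dom='' prov='' tls='' uri=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*|';'*|'') ;;                       # comments and blank lines
            '[domain/'*) report_if_weak "$dom" "$prov" "$tls" "$uri"
                         dom=${line#\[domain/}; dom=${dom%%]*}
                         prov='' tls='' uri='' ;;
            '['*)        report_if_weak "$dom" "$prov" "$tls" "$uri"; dom='' ;;
            *id_provider*=*)           prov=$(norm "${line#*=}") ;;
            *ldap_id_use_start_tls*=*) tls=$(norm "${line#*=}") ;;
            *ldap_uri*=*)              uri=$(norm "${line#*=}") ;;
        esac
    done < "$1"
    report_if_weak "$dom" "$prov" "$tls" "$uri"
}
conf=$(mktemp)
printf '%s' "$SAMPLE_SSSD_CONF" > "$conf"
unencrypted_ldap_domains "$conf"   # prints: corp.example.com
rm -f "$conf"
```

Run it against /etc/sssd/sssd.conf on a real host to see which domains need ldap_id_use_start_tls = true before the default changes.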

(JIRA:RHELPLAN-155168)

8.2. Compiler and Tools

GCC thread sanitizer included in RHEL no longer works

Due to incompatible changes in kernel memory mapping, the thread sanitizer included with the GNU Compiler Collection (GCC) version in RHEL no longer works, and it cannot be adapted to the incompatible memory layout. As a result, it is no longer possible to use the GCC thread sanitizer included with RHEL.

As a workaround, use the version of GCC included in Red Hat Developer Toolset to build code which uses the thread sanitizer.

(BZ#1569484)

8.3. Desktop

The radeon driver fails to reset hardware correctly in the kexec context

When booting a kernel from the currently running kernel, such as when performing the kdump process, the radeon kernel driver currently does not properly reset hardware. Instead, radeon terminates unexpectedly, which causes the rest of the kdump service to fail.

To work around this bug, blacklist radeon in kdump by adding the following line to the /etc/kdump.conf file:

dracut_args --omit-drivers "radeon"

Afterwards, restart the machine and kdump.

Note that in this scenario, no graphics will be available during kdump, but kdump will complete successfully.

(BZ#1509444)

8.4. File Systems

System boot might fail due to persistent memory file systems

Systems with a large amount of persistent memory take a long time to boot. If the /etc/fstab file configures persistent memory file systems, the system might time out waiting for the devices to become available. The boot process then fails and presents the user with an emergency prompt.

To work around the problem, increase the DefaultTimeoutStartSec value in the /etc/systemd/system.conf file. Use a sufficiently large value, such as 1200s. As a result, the system boot no longer times out.

(BZ#1666535, BZ#1634341)

8.5. Installation and Booting

RHEL 7.7 and later installations add spectre_v2=retpoline to Intel Cascade Lake systems

RHEL 7.7 and later installations add the spectre_v2=retpoline kernel parameter to Intel Cascade Lake systems, and as a consequence, system performance is affected. To work around this problem and ensure the best performance, complete the following steps.

  1. Remove the kernel boot parameter on Intel Cascade Lake systems:

    # grubby --remove-args="spectre_v2=retpoline" --update-kernel=DEFAULT
  2. Reboot the system:

    # reboot

(BZ#1767612)

iSCSI installation failing with Emulex OneConnect card

After connecting an Emulex OneConnect card and configuring it for iSCSI boot, when you start the RHEL installation, the Anaconda installer returns an exception and the installation terminates unexpectedly.

To work around this problem, add the rd.iscsi.firmware parameter to the boot command line after installation; the system then boots into RHEL successfully. Note that the boot process with this workaround takes slightly longer.

(BZ#1632274)

8.6. Kernel

The system boot sometimes fails on large systems

During the boot process, the udev device manager sometimes generates too many rules on large systems. For example, the problem has manifested on a system with 32 TB of memory and 192 CPUs. As a consequence, the boot process becomes unresponsive or times out and switches to the emergency shell.

To work around the problem, increase the udev.children-max value:

  1. Add the udev.children-max=1000 option to the kernel command line in the /etc/default/grub file. You can experiment with different values of udev.children-max to see which value results in the fastest boot on your system.
  2. Limit the udev.children-max value for the kdump kernel:

    Add the udev.children-max option to the KDUMP_COMMANDLINE_REMOVE line in the /etc/sysconfig/kdump file.

    If you do not apply this kdump setting, the system might enter emergency mode after a kdump or fadump capture on IBM POWER systems.

  3. Restart the kdump service:

    # systemctl restart kdump

As a result, the system boots successfully.

(BZ#1722855)

The mirror segment type causes system deadlock in stacked configurations

Using the mirror segment type with any logical volumes stacked on top of it causes system deadlock in stacked configurations. To work around this problem, Red Hat recommends using RAID 1 logical volumes with the raid1 segment type.

To convert mirror devices to raid1, see Converting a Mirrored LVM Device to a RAID1 Device.

(BZ#1772107)

The zlib compression format may slow down a vmcore capture

The kdump configuration file uses the lzo compression format (makedumpfile -l) by default. Changing the configuration file to use the zlib compression format (makedumpfile -c) typically yields a better compression ratio at the expense of slowing down the vmcore capture process. As a consequence, kdump may take approximately 4 times longer to capture a vmcore with zlib than with lzo. Red Hat therefore recommends that you keep the default lzo where speed is the main concern. However, if the target machine is low on available space, zlib is the better option.

(BZ#1737111)

Intel network device that uses the ice driver does not pass traffic when using bridge-over-VLAN topology

Ethernet devices do not transmit Internet Control Message Protocol (ICMP) echo request and reply traffic if all of the following conditions are met:

  • The Ethernet device uses the ice Intel driver.
  • The Ethernet device is a member of a bridge.
  • The bridge uses VLAN tagging according to the 802.1Q protocol.

As a consequence, the Network Interface Controller (NIC) does not pass traffic in the described network topology. No workaround is available for this problem.

(BZ#1787295)

8.7. Networking

Verification of signatures using the MD5 hash algorithm is disabled in Red Hat Enterprise Linux 7

It is impossible to connect to any Wi-Fi Protected Access (WPA) Enterprise Access Point (AP) that requires MD5 signed certificates. To work around this problem, copy the wpa_supplicant.service file from the /usr/lib/systemd/system/ directory to the /etc/systemd/system/ directory and add the following line to the Service section of the file:

Environment=OPENSSL_ENABLE_MD5_VERIFY=1

Then run the systemctl daemon-reload command as root to reload the service file.

Important

Note that MD5 certificates are highly insecure and Red Hat does not recommend using them.

(BZ#1062656)

bind-utils DNS lookup utilities support fewer search domains than glibc

The dig, host, and nslookup DNS lookup utilities from the bind-utils package support only up to 8 search domains, whereas the glibc resolver in the system supports any number of search domains. As a consequence, the DNS lookup utilities may return different results than applications when the search clause in the /etc/resolv.conf file contains more than 8 domains.

To work around this problem, use one of the following:

  • Full names ending with a dot, or
  • Fewer than nine domains in the resolv.conf search clause.

Note that it is not recommended to use more than three domains.

(BZ#1758317)

8.8. Security

Auditd server does not start on remote logging servers using KRB5 peer authentication

The SELinux policy does not contain the auditd_tmp_t file type for the temporary directories and files created by processes running under the auditd_t SELinux type. This prevents the auditd service from starting on a server when KRB5 peer authentication is used for remote logging.

To work around this problem, either set the auditd_t domain to permissive mode or build a custom SELinux policy that allows processes running under the auditd_t type to create and modify files and directories in the /var/tmp directory. As a result, an auditd server that uses KRB5 peer authentication for remote logging can be started only after applying the described workaround.

(BZ#1752577)

Audit executable watches on symlinks do not work

File monitoring provided by the -w option cannot directly track a path. It has to resolve the path to a device and an inode to compare with the executed program. A watch on an executable symlink therefore monitors the device and inode of the symlink itself instead of those of the program executed in memory, which is found by resolving the symlink. Even if the watch resolves the symlink to obtain the resulting executable program, the rule triggers on any multi-call binary called through a different symlink, which floods the logs with false positives. Consequently, Audit executable watches on symlinks do not work.

To work around the problem, set up a watch for the resolved path of the program executable, and filter the resulting log messages using the last component listed in the comm= or proctitle= fields.
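The workaround above, as an added example that is not part of the release notes: build the watch rule for the path the symlink resolves to, then filter raw audit records by their comm= field. The binary path, symlink names, audit key and log lines are constructed for the example.

```shell
# Added example, not from the release notes: build the watch rule for the
# executable a symlink resolves to, then filter raw audit records by comm=.
# The paths, key name and log lines below are constructed for the example.

# Emit an auditctl watch rule for the file that $1 resolves to, tagged with
# key $2 (readlink -f follows every symlink in the path).
audit_rule_for() {
    target=$(readlink -f "$1") || return 1
    printf '%s %s -p x -k %s\n' -w "$target" "$2"
}

# Print the records in raw audit log $1 whose comm= field is exactly $2.
filter_by_comm() { grep -F "comm=\"$2\"" "$1"; }

# Number of such records, for checking results.
count_by_comm() { filter_by_comm "$1" "$2" | wc -l | tr -d ' '; }

# Constructed records: one multi-call binary /usr/local/bin/tool run through
# two different symlinks; exe= is identical, only comm= tells them apart.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1577836800.101:201): arch=c000003e syscall=59 success=yes exit=0 comm="compress" exe="/usr/local/bin/tool" key="watch-compress"
type=SYSCALL msg=audit(1577836800.102:202): arch=c000003e syscall=59 success=yes exit=0 comm="decompress" exe="/usr/local/bin/tool" key="watch-compress"
type=SYSCALL msg=audit(1577836800.103:203): arch=c000003e syscall=59 success=yes exit=0 comm="compress" exe="/usr/local/bin/tool" key="watch-compress"'

# Demo in a scratch directory: a stand-in binary, a symlink to it, the log.
work=$(mktemp -d)
printf '#!/bin/sh\n' > "$work/tool"; ln -s "$work/tool" "$work/compress"
printf '%s\n' "$SAMPLE_AUDIT_LOG" > "$work/audit.log"
audit_rule_for "$work/compress" watch-compress  # -w <work>/tool -p x -k watch-compress
filter_by_comm "$work/audit.log" compress       # the two comm="compress" records
rm -rf "$work"
```

On a real host, feed the printed rule to auditctl (or /etc/audit/rules.d/) and run the filter over /var/log/audit/audit.log; ausearch -i decodes proctitle= if you prefer that field.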

(BZ#1421794)

8.9. Servers and Services

Upgrade to RHEL 7.8 fails when mariadb-test or postgresql-docs are installed on Workstation

The mariadb-test and postgresql-docs packages have been moved to the Workstation Optional repository. Consequently, if these packages are installed, it is impossible to update a system with a Workstation variant to RHEL 7.8. To work around this problem, uninstall mariadb-test and postgresql-docs prior to upgrading to RHEL 7.8.

(BZ#1749776)

FreeRADIUS silently truncates Tunnel-Passwords longer than 249 characters

If a Tunnel-Password is longer than 249 characters, the FreeRADIUS service silently truncates it. This may lead to unexpected password incompatibilities with other systems.

To work around the problem, choose a password that is 249 characters or fewer.

(BZ#1463673)

8.10. Storage

The system sometimes becomes unresponsive in low-memory situations with external MD metadata

The system might periodically become unresponsive if all of the following conditions occur:

  • The Multiple Devices (MD) storage subsystem is configured to use external metadata arrays.
  • The system reaches a low-memory situation.
  • The MD user space performs an allocation that writes data back to the same device that MD is allocating for.

To work around the problem, ensure that the system has enough free memory. As a result, the system does not become unresponsive when MD performs the allocation.

(BZ#1703180)

8.11. Virtualization

Live migration of virtual machines between hosts with different physical address sizes does not work in some cases

Live migration of a virtual machine (VM) that uses a hot-plugged CPU currently fails in some cases if the hosts have different physical address sizes. To work around this problem, do not live migrate between such hosts while using a CPU hot-plug. Alternatively, do not hot-plug a CPU to a VM that has been migrated to a host with a different physical address size.

(BZ#1607311)

virt-clone always shows a 100% progress bar when --nonsparse is used

Currently, when the virt-clone utility is used with the --nonsparse option, the progress bar displayed in the CLI always shows 100% completion of the process. As a consequence, the user cannot see the actual progress of cloning the virtual machine.

(BZ#1746771)

RHEL 7 virtual machines sometimes cannot boot on and migrate to Witherspoon hosts

RHEL 7 virtual machines (VMs) that use the pseries-rhel7.6.0-sxxm machine type in some cases fail to boot on Power9 S922LC for HPC hosts (also known as Witherspoon) that use the DD2.3 CPU.

Attempting to boot such a VM instead generates the following error message:

qemu-kvm: Requested safe indirect branch capability level not supported by kvm

In addition, migrating VMs that use the pseries-rhel7.6.0-sxxm machine type to Witherspoon hosts from other hosts fails.

(BZ#1751054)

kdump does not support setting nr_cpus to 2 or higher in Hyper-V virtual machines

When using RHEL 7.8 as a guest operating system on a Microsoft Hyper-V hypervisor, the kdump kernel in some cases becomes unresponsive when the nr_cpus parameter is set to 2 or higher. To avoid this problem, do not change the default nr_cpus=1 parameter in the /etc/sysconfig/kdump file of the guest.

(BZ#1773478)