Chapter 10. Known issues

This part describes known issues in Red Hat Enterprise Linux 8.

10.1. Installer and image creation

The auth and authconfig Kickstart commands require the AppStream repository

The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.

To work around this problem, verify that the BaseOS and AppStream repositories are available to the installer or use the authselect Kickstart command during installation.

(BZ#1640697)

The --interactive option of the ignoredisk Kickstart command does not work in RHEL 8

A Red Hat Enterprise Linux 8.0 installation using the ignoredisk --interactive Kickstart command will fail with an error message. To work around this problem, remove the ignoredisk --interactive command from the Kickstart file.

(BZ#1637872)

10.2. Kernel

The system sometimes becomes unresponsive when many devices are connected

When Red Hat Enterprise Linux 8 configures a large number of devices, a large number of console messages occurs on the system console. This happens, for example, when there are a large number of logical unit numbers (LUNs), with multiple paths to each LUN. The flood of console messages, in addition to other work the kernel is doing, might cause the kernel watchdog to force a kernel panic because the kernel appears to be hung.

Because the scan happens early in the boot cycle, the system becomes unresponsive when many devices are connected. This typically occurs at boot time.

If kdump is enabled on your machine during the device scan event after boot, the hard lockup results in a capture of a vmcore image.

To work around this problem, increase the watchdog lockup timer. To do so, add the watchdog_thresh=N option to the kernel command line. Replace N with the number of seconds:

  • If you have fewer than a thousand devices, use 30.
  • If you have more than a thousand devices, use 60.

For storage, the number of devices is the number of paths to all the LUNs: generally, the number of /dev/sd* devices.

After applying the workaround, the system no longer becomes unresponsive when configuring a large number of devices.

(BZ#1598448)

Physical memory hotplugging does not work

Memory blocks in the movable zone occasionally cannot be reported as movable due to a race window. Consequently, the removable attribute of some memory blocks on a hot-pluggable node is set to 0 and hot removals of those hot-pluggable nodes always fail. As a result, physical memory hotplugging does not work.

(BZ#1643839)

Unable to restrict bugs to the redhat Bugzilla group without permission

Previously, ksc Bugzilla submissions were restricted to the redhat Bugzilla group. As a consequence, an error message was displayed for users who were not able to restrict bugs to this group. To work around this issue, the redhat group restriction has been removed. As a result, filing reports using Bugzilla accounts that cannot restrict bugs to this group is now successful.

(BZ#1642134)

10.3. Software management

Dependent modules can cause a rejection of yum module operations

Certain modules depend on other modules. Modules consist of one or more streams that can be active or inactive. Streams are active either if marked as default or if they are explicitly enabled by a user action. At most one stream of a particular module can be active at a given point in time.

Yum 4 performs strict checking of package dependencies during the enable and disable module operations for all modules that have active streams. Disabling a stream can be rejected if it would break a dependent module, even if the user does not intend to make use of that module. In RHEL 8.0 Beta, the perl-App-cpanminus, perl-DBD-MySQL, perl-DBD-Pg, perl-DBD-SQLite, perl-DBI, perl-YAML, and freeradius modules depend on the perl module. Consequently, disabling the default perl:5.26 stream without enabling the perl:5.24 stream is rejected due to potential broken dependencies because it causes the perl module to have no active streams.

In addition, the freeradius module depends only on the perl:5.26 stream. Thus, when the user attempts to enable the perl:5.24 stream, the operation is also rejected due to the broken dependency.

To work around this problem:

  • Either disable modules that you do not actively use, for example:

    yum module disable freeradius
  • Or use the "--skip-broken" parameter to override the dependency problem. Note that once you use this parameter, you will have to keep using the parameter for all other future module operations and for all modules, otherwise the operations will be rejected with a Modular dependency problem error message. In addition, Yum 4 will continue to return a harmless Modular dependency problem error message for all yum operations that are not related to modules, such as the install, erase, and search package operations.

To reset a module and its streams to the default state, use the yum module reset command, for example:

yum module reset perl

(BZ#1640711)

Running yum list under a non-root user causes YUM crash

When running the yum list command under a non-root user after the libdnf package has been updated, YUM can terminate unexpectedly. If you hit this bug, run yum list under root to resolve the problem. As a result, subsequent attempts to run yum list under a non-root user no longer cause YUM to crash.

(BZ#1642458)

The yum(8) man page incorrectly mentions the yum module profile command

The yum(8) manual page incorrectly states that the YUM package management tool includes the yum module profile command to provide details about module profiles. However, this command is no longer available and when used, YUM displays an error message about an invalid command. For details about module profiles, use the new yum module info --profile command instead.

(BZ#1622580)

yum-plugin-aliases currently not available

The yum-plugin-aliases package, which provides the alias command for adding custom yum aliases, is currently not available. Consequently, it is not currently possible to use aliases.

(BZ#1647760)

yum-plugin-changelog currently not available

The yum-plugin-changelog package, which enables viewing package change logs before and after package updating, is currently not available.

(BZ#1581191)

10.4. Infrastructure services

Tuned does not set kernel boot command line parameters

The Tuned tool does not support Boot Loader Specification (BLS), which is enabled by default. Consequently, Tuned does not set certain kernel boot command line parameters, which causes some issues, such as performance decrease or CPU cores not being isolated. To work around this problem, disable BLS and restart Tuned.

  1. Install the grubby package.
  2. Remove the following line from the /etc/default/grub file:

    GRUB_ENABLE_BLSCFG=true
  3. Re-generate the grub2.cfg file. On non-EFI systems, run:

    grub2-mkconfig -o /etc/grub2.cfg

    On EFI systems, run:

    grub2-mkconfig -o /etc/grub2-efi.cfg
  4. Restart Tuned by running:

    systemctl restart tuned

As a result, Tuned sets the kernel boot parameters as expected.

(BZ#1576435)

10.5. Shells and command-line tools

Python binding of the net-snmp package is unavailable

The Net-SNMP suite of tools currently does not provide binding for Python 3, which is the default Python implementation in RHEL 8. Consequently, python-net-snmp, python2-net-snmp, or python3-net-snmp packages are currently unavailable in RHEL 8.

(BZ#1584510)

TCP connections are reset or slowed down due to ECN

Currently, Explicit Congestion Notifications (ECN) are requested also on outgoing TCP connections. ECN enables routers to report congestion by setting a flag in an IP packet header. Consequently, some network devices can drop such packets, and the TCP connection is reset or slowed down significantly.

To work around this problem, remove the following line from the /usr/lib/sysctl.d/50-default.conf file:

net.ipv4.tcp_ecn = 1

As a result, ECN is reset to the kernel’s default value, and ECN is not negotiated on outgoing TCP connections.

(BZ#1619790)

10.6. Web servers, databases, dynamic languages

Database servers are not installable in parallel

The mariadb and mysql modules cannot be installed in parallel in RHEL 8.0 Beta due to conflicting RPM packages.

By design, it is impossible to install more than one version (stream) of the same module in parallel. For example, you need to choose only one of the available streams from the postgresql module, either 10 (default) or 9.6. Parallel installation of components is possible in Red Hat Software Collections for RHEL 6 and RHEL 7. In RHEL 8, different versions of database servers can be used in containers.

(BZ#1566048)

Python 3 bindings for Subversion unavailable

Due to incompatibilities in the Subversion libraries used for supporting language bindings, Python 3 bindings for Subversion are currently unavailable. As a consequence, applications that require Python bindings for Subversion are unsupported at this time.

(BZ#1571415)

Problems in mod_cgid logging

If the mod_cgid Apache httpd module is used under a threaded multi-processing module (MPM), which is the default situation in RHEL 8, the following logging problems occur:

  • The stderr output of the CGI script is not prefixed with standard timestamp information.
  • The stderr output of the CGI script is not correctly redirected to a log file specific to the VirtualHost, if configured.

(BZ#1633224)

10.7. Desktop

The gnome-shell-extension-desktop-icons package is only available in BuildRoot

The gnome-shell-extension-desktop-icons package is only available in the BuildRoot repository. It will be moved to the AppStream repository by the RHEL 8.0 GA release.

(BZ#1648863)

10.8. Hardware enablement

The i40iw module does not load automatically on boot

Due to many i40e NICs not supporting iWarp and the i40iw module not fully supporting suspend/resume, this module is not automatically loaded by default to ensure suspend/resume works properly. To work around this problem, manually edit the /lib/udev/rules.d/90-rdma-hw-modules.rules file to enable automated load of i40iw.

Also note that if there is another RDMA device installed with an i40e device on the same machine, the non-i40e RDMA device triggers the rdma service, which loads all enabled RDMA stack modules, including the i40iw module.

(BZ#1623712)

Clevis does not work with tpm2-tools

The tpm2-tools packages in version 3.1.0 contain a new unified environment variable to configure the TPM (Trusted Platform Module) command transmission interface (TCTI) - TPM2TOOLS_ENV_TCTI. This variable does not offer backward compatibility with the legacy TPM2TOOLS_* environment variables. Consequently, applications that use the environment variables, such as the Clevis policy decryption framework, do not work.

To work around this problem, use the -T option to configure the TCTI module and parameters. As a result, tpm2-tools can be used after the administrator uses the described workaround. However, Clevis automated unlocking of encrypted volumes with a TPM2 device does not work at this time.

(BZ#1648001)

10.9. Identity Management

The KCM credential cache is not suitable for a large number of credentials in a single credential cache

If the credential cache contains too many credentials, Kerberos operations, such as kinit, fail due to a hardcoded limit on the buffer used to transfer data between the sssd-kcm component and the underlying database.

To work around this problem, add the ccache_storage = memory option in the kcm section of the /etc/sssd/sssd.conf file. This instructs the kcm responder to only store the credential caches in-memory, not persistently. Note that if you do this, restarting the system or sssd-kcm clears the credential caches.

(BZ#1448094)

SSSD only runs as root

Due to packaging errors, the System Security Services Daemon (SSSD) does not start if it is configured to run as a non-root user, with the user parameter set to sssd in the [sssd] section of the /etc/sssd/sssd.conf file.

(BZ#1578014)

Conflicting timeout values prevent SSSD from connecting to servers

Some of the default timeout values related to the failover operations used by the System Security Services Daemon (SSSD) are conflicting. Consequently, the timeout value reserved for SSSD to talk to a single server prevents SSSD from trying other servers before the connecting operation as a whole times out. To work around the problem, set the value of the ldap_opt_timeout timeout parameter higher than the value of the dns_resolver_timeout parameter, and set the value of the dns_resolver_timeout parameter higher than the value of the dns_resolver_op_timeout parameter.

(BZ#1382750)
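
The ordering required by the workaround above can be checked before SSSD is restarted. The following script is an added example, not part of the Red Hat documentation or of SSSD; it assumes the three options are set in the [domain/...] sections of sssd.conf, and the sample configuration and domain names are constructed.

```python
import configparser

# Ordering required by the workaround, highest value first.
ORDER = ("ldap_opt_timeout", "dns_resolver_timeout", "dns_resolver_op_timeout")

# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = """
[sssd]
domains = example.test, lab.test
services = nss, pam

[domain/example.test]
id_provider = ldap
ldap_opt_timeout = 6
dns_resolver_timeout = 6
dns_resolver_op_timeout = 6

[domain/lab.test]
id_provider = ldap
ldap_opt_timeout = 12
dns_resolver_timeout = 8
dns_resolver_op_timeout = 4
"""


def check_sssd_timeouts(conf_text):
    """Return {section: [problem, ...]} for every [domain/...] section.

    Assumption: the three options are set per domain section.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        problems, values = [], {}
        for key in ORDER:
            raw = parser.get(section, key, fallback=None)
            if raw is None:
                # Unset options fall back to built-in defaults, which this
                # script deliberately does not guess.
                problems.append(f"{key} is not set, ordering cannot be verified")
                continue
            try:
                values[key] = int(raw)
            except ValueError:
                problems.append(f"{key} = {raw!r} is not an integer")
        # Each timeout must be strictly higher than the one after it.
        for higher, lower in zip(ORDER, ORDER[1:]):
            if higher in values and lower in values and values[higher] <= values[lower]:
                problems.append(
                    f"{higher} ({values[higher]}) must be higher than "
                    f"{lower} ({values[lower]})"
                )
        findings[section] = problems
    return findings


if __name__ == "__main__":
    for section, problems in check_sssd_timeouts(SAMPLE_CONF).items():
        print(section, "OK" if not problems else "")
        for problem in problems:
            print("  -", problem)
```

Equal values are reported as a problem because the workaround asks for each value to be higher than the next, not merely equal to it.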

Using a smart card to log into the IdM web UI does not work

When a user attempts to log in to the Identity Management (IdM) web UI using a certificate stored on their smart card, the System Security Services Daemon (SSSD) D-Bus interface code uses an incorrect callback to look the user up. Consequently, the lookup crashes. To work around the problem, use other methods of authentication.

(BZ#1642508)

10.10. Compilers and development tools

Synthetic functions generated by GCC confuse SystemTap

GCC optimization can generate synthetic functions for partially inlined copies of other functions. Tools such as SystemTap and GDB cannot distinguish these synthetic functions from real functions. As a consequence, SystemTap can place probes on both synthetic and real function entry points, and thus register multiple probe hits for a single real function call.

To work around this problem, SystemTap scripts must be adapted with measures such as detecting recursion and suppressing probes related to inlined partial functions. For example, a script

probe kernel.function("can_nice").call { }

can try to avoid the described problem as follows:

global in_can_nice%

probe kernel.function("can_nice").call {
  in_can_nice[tid()] ++;
  if (in_can_nice[tid()] > 1) { next }
  /* code for real probe handler */
}

probe kernel.function("can_nice").return {
  in_can_nice[tid()] --;
}

Note that this example script does not take into account all possible scenarios, such as missed kprobes or kretprobes, or genuine intended recursion.

(BZ#1169184)

Time zone data for the Europe/Volgograd zone not yet updated

Due to the timing of the upstream release, the tzdata package has not yet been updated to reflect the recent changes for Morocco, Volgograd, Fiji, and parts of Chile. These updates will be part of a future release.

(BZ#1641393)

Time zone data with new upstream default data format

The RHEL 8.0 Beta release provides a version of the tzdata-2018e package that supports the new default upstream data format, including negative DST offsets. As a consequence, future upstream data format changes could break tools that process the tzdata files.

A future update of tzdata will revert to the traditional (rearguard) format to prevent the described problem.

(BZ#1583794)

The ltrace tool does not report function calls

Because of improvements to binary hardening applied to all RHEL components, the ltrace tool can no longer detect function calls in binary files coming from RHEL components. As a consequence, ltrace output is empty because it does not report any detected calls when used on such binary files. There is no workaround currently available.

As a note, ltrace can correctly report calls in custom binary files built without the respective hardening flags.

(BZ#1618748, BZ#1655368)

10.11. File systems and storage

The I/O performance of Qlogic HBAs might be degraded

Direct I/O write performance with Qlogic Host Bus Adapters (HBAs) might be inferior compared to Red Hat Enterprise Linux 7. This might affect workloads in a Storage Area Network (SAN) environment.

(BZ#1615896)

The system does not boot from FCoE SAN

Red Hat Enterprise Linux 8 currently cannot boot from Storage Area Network (SAN) with supported Fibre Channel over Ethernet (FCoE) adapters. This is caused by the Blivet storage configuration tool, which lacks revised FCoE support in Red Hat Enterprise Linux 8.0 Beta.

Red Hat recommends that you defer the testing of boot from SAN with FCoE in Beta until Blivet is updated.

For more information about changes in FCoE, see Chapter 8, Removed functionality.

(BZ#1575953)

Unable to discover an iSCSI target using the iscsiuio package

Red Hat Enterprise Linux 8 does not allow concurrent access to PCI register areas. As a consequence, the could not set host net params (err 29) error occurs and the connection to the discovery portal fails. To work around this problem, set the kernel parameter iomem=relaxed in the kernel command line for the iSCSI offload. This specifically involves any offload using the bnx2i driver. As a result, the connection to the discovery portal is successful and the iscsiuio package works correctly.

(BZ#1626629)

10.12. Security

Libreswan is terminated unexpectedly with a segmentation fault when loading large ike= configurations

Libreswan handling of large default ike= proposals as defined inside the system-wide crypto policy contains a memory allocation error that causes the parser to crash.

To work around this problem, remove the line starting with the ike= string from the /etc/crypto-policies/back-ends/libreswan.config file.

(BZ#1645137)

OpenSCAP rpmverifypackage does not work correctly

The chdir and chroot system calls are called twice by the rpmverifypackage probe. Consequently, an error occurs when the probe is utilized during an OpenSCAP scan with custom Open Vulnerability and Assessment Language (OVAL) content.

To work around this problem, do not use the rpmverifypackage_test OVAL test in your content or use only the content from the scap-security-guide package where rpmverifypackage_test is not used.

(BZ#1646197)

libssh does not comply with the system-wide crypto policy

The libssh library does not follow system-wide cryptographic policy settings. As a consequence, the set of supported algorithms is not changed when the administrator changes the crypto policies level using the update-crypto-policies command.

To work around this problem, the set of advertised algorithms needs to be set individually by every application that uses libssh. As a result, when the system is set to the LEGACY or FUTURE policy level, applications that use libssh behave inconsistently when compared to OpenSSH.

(BZ#1646563)

SCAP Workbench fails to generate results-based remediations from tailored profiles

The following error occurs when trying to generate results-based remediation roles from a customized profile using the SCAP Workbench tool:

Error generating remediation role .../remediation.sh: Exit code of oscap was 1: [output truncated]

To work around this problem, use the oscap command with the --tailoring-file option.

(BZ#1640715)

SCAP Security Guide PCI-DSS profile aligns with version 3.1

The SCAP Security Guide project provides the PCI-DSS (Payment Card Industry Data Security Standard) profile for Red Hat Enterprise Linux 8. However, this profile adheres to PCI-DSS version 3.1, and it has not been updated to align with the latest PCI-DSS version 3.2.1.

(BZ#1618528)

OpenSCAP rpmverifyfile does not work

The OpenSCAP scanner does not correctly change the current working directory in offline mode, and the fchdir function is not called with the correct arguments in the OpenSCAP rpmverifyfile probe. Consequently, scanning arbitrary file systems using the oscap-chroot command fails if rpmverifyfile_test is used in SCAP content. As a result, oscap-chroot aborts in the described scenario.

(BZ#1636431)

A utility for security and compliance scanning of containers is not available

In Red Hat Enterprise Linux 7, the oscap-docker utility can be used for scanning of Docker containers based on Atomic technologies. In Red Hat Enterprise Linux 8, the Docker- and Atomic-related OpenSCAP commands are not available. As a result, oscap-docker or an equivalent utility for security and compliance scanning of containers is not available in RHEL 8 at the moment.

(BZ#1642373)

Audit remote logging does not work with SELinux in enforcing mode

SELinux prevents the /sbin/audisp-remote remote logging client from reading local Audit events from the relevant socket. Consequently, the remote logging process is terminated unexpectedly.

To work around this problem, use the semodule -i command to load a custom policy module, which contains the following rule:

( allow audisp_remote_t auditd_t ( unix_stream_socket ( read )))

As a result, without the described workaround, the Audit remote logging does not work with SELinux in enforcing mode.

(BZ#1639675)
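
Before loading the custom module, it is worth confirming that the denials in the Audit log are the ones the rule above covers and nothing broader. The following script is an added example, not part of the Red Hat documentation; the log lines are constructed, and the httpd_t denial is included only to show a denial that the workaround rule does not cover.

```python
import re

# The rule from the workaround: (source type, target type, class, permission).
WORKAROUND = ("audisp_remote_t", "auditd_t", "unix_stream_socket", "read")

# Constructed sample records in audit.log format, not from a real system.
SAMPLE_LOG = """\
type=AVC msg=audit(1543852800.101:201): avc:  denied  { read } for  pid=1432 comm="audisp-remote" path="socket:[28531]" dev="sockfs" ino=28531 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1543852800.101:201): arch=c000003e syscall=0 success=no exit=-13 comm="audisp-remote" exe="/sbin/audisp-remote"
type=AVC msg=audit(1543852860.440:215): avc:  denied  { read } for  pid=1477 comm="audisp-remote" path="socket:[28640]" dev="sockfs" ino=28640 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1543852900.007:230): avc:  denied  { getattr } for  pid=2001 comm="httpd" path="/srv/data" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_denials(log_text):
    """Yield (source, target, class, permission) for each denied permission."""
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue
        match = AVC_RE.search(line)
        if not match:
            continue
        source = selinux_type(match["scon"])
        target = selinux_type(match["tcon"])
        if source is None or target is None:
            continue
        # One AVC record can list several permissions inside the braces.
        for perm in match["perms"].split():
            yield (source, target, match["tclass"], perm)


def classify(log_text):
    """Split unique denials into (covered by the workaround rule, other)."""
    covered, other = set(), set()
    for denial in parse_denials(log_text):
        (covered if denial == WORKAROUND else other).add(denial)
    return covered, other


def cil_rule(denial):
    """Render a denial as a CIL allow rule in the form the workaround uses."""
    source, target, tclass, perm = denial
    return f"(allow {source} {target} ({tclass} ({perm})))"


if __name__ == "__main__":
    covered, other = classify(SAMPLE_LOG)
    for denial in sorted(covered):
        print("covered by workaround:", cil_rule(denial))
    for denial in sorted(other):
        print("NOT covered, review separately:", cil_rule(denial))
```

Denials reported as not covered need their own review; they are not a reason to widen the custom module.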

10.13. Subscription management

Repositories are not enabled as expected

Systems that have successfully registered with Satellite or the Red Hat Customer Portal may experience unexpected behavior when trying to access content from repositories that have been enabled in addition to the default BaseOS and AppStream repositories, for example, the High Availability (HA) and Core Ready Builder (CRB) repositories. As a workaround, see Enabling Repositories in Red Hat Enterprise Linux 8 Beta for more information.

(BZ#1649825)

10.14. Virtualization

Virtual machines can access any network services reachable by the host

As of the RHEL 8 Beta release, the newly implemented nftables backend for firewalld has not been fully integrated into the libvirt library. As a consequence, KVM virtual machines that use libvirt-managed virtual networks have access to all network services that are listening on the host, which may be a security concern.

(BZ#1638864)

Glusterfs storage does not work with virtual machines

Due to incompatibility with the libvirt API, glusterfs storage currently cannot be used for KVM virtual machines in Red Hat Enterprise Linux 8.

(BZ#1599339)

virt-v2v and virt-p2v do not work on IBM POWER, IBM Z, and the 64-bit ARM architecture

The virt-v2v and virt-p2v utilities are currently only supported on the AMD64 and Intel 64 architecture, also known as x86_64. On other architectures, including IBM Z, IBM POWER, and 64-bit ARM, virt-v2v and virt-p2v do not work correctly.

(BZ#1621850)

10.15. Supportability

redhat-support-tool not available in RHEL 8 Beta

The redhat-support-tool utility is not included in Red Hat Enterprise Linux (RHEL) 8 Beta.

(BZ#1647187)

10.16. Satellite and Red Hat network client tools

The rhn-tools default profile cannot be installed

Modular metadata for the rhn-tools module is currently incorrect. Consequently, the yum module install rhn-tools command fails due to incorrect modular metadata. To work around this problem, individual packages from the module can be installed using the regular yum install package operation, just like in previous RHEL releases.

(BZ#1643064)