Ability to register your system, attach RHEL subscriptions, and install from the Red Hat CDN

In RHEL 8.2, you can register your system, attach RHEL subscriptions, and install from the Red Hat Content Delivery Network (CDN) before package installation. Interactive GUI installations, as well as automated Kickstart installations, support this feature. Benefits include:

Ability to register your system to Red Hat Insights during installation

In RHEL 8.2, you can register your system to Red Hat Insights during installation. Interactive GUI installations, as well as automated Kickstart installations, support this feature.

Image Builder now offers cloud-init support for creating Azure images

With this enhancement, cloud-init support is available for Azure images created by Image Builder. As a result, the creation of on-premise images with fast-provisioning and the ability to add custom data is available to customers.

Added new kickstart commands: rhsm and zipl

With this release, the following kickstart commands are added:

User-Agent header string now includes information read from the /etc/os-release file

With this enhancement, the User-Agent header string, which is normally included with the HTTP requests made by DNF, has been extended with information read from the /etc/os-release file.

All dnf-automatic.timer timer units now use the real-time clock by default

Previously, the dnf-automatic.timer timer units used the monotonic clock, which resulted in unpredictable activation time after the system boot. With this update, the timer units run between 6 a.m. and 7 a.m. If the system is off during that time, the timer units are activated within one hour after the system boot.

The createrepo_c utility now skips packages whose metadata contains the disallowed control characters

To ensure a valid XML, the package metadata must not contain any control characters, with the exception of:

opencv rebased to version 3.4.6

The opencv packages have been upgraded to upstream version 3.4.6. Notable changes include:

graphviz-python3 is now distributed in the CRB repository

This update adds the graphviz-python3 package to RHEL 8. The package provides bindings required for usage of the Graphviz graph visualization software from Python.

tuned rebased to version 2.13.0

The tuned packages have been upgraded to upstream version 2.13.0. Notable enhancements include:

powertop rebased to version 2.11

The powertop package has been upgraded to version 2.11, which provides a following notable change:

BIND now supports .GeoIP2 instead of GeoLite Legacy GeoIP

The GeoLite Legacy GeoIP library is no longer supported in BIND. With this update, GeoLite Legacy GeoP has been replaced with GeoIP2, which is provided in the libmaxminddb data format.

stale-answer now provides old cached records in case of DDoS attack

Previously, the Distributed Denial of Service (DDoS) attack caused the authoritative servers to fail with the SERVFAIL error. With this update, the stale-answer functionality provides the expired records until a fresh response is obtained.

BIND rebased to version 9.11.13

The bind packages have been upgraded to version 9.11.13. Notable changes include:

RHEL 8 now contains the DISA STIG profile

Security Technical Implementation Guides (STIG) are a set of baseline recommendations published by the Defense Information Systems Agency (DISA) to harden the security of information systems and software that might otherwise be vulnerable. This release includes the profile and Kickstart file for this security policy. With this enhancement, users can check systems for compliance, remediate systems to be compliant, and install systems compliant with DISA STIG for Red Hat Enterprise Linux 8.

crypto-policies can now be customized

With this update, you can adjust certain algorithms or protocols of any policy level or set a new complete policy file as the current system-wide cryptographic policy. This enables administrators to customize the system-wide cryptographic policy as required by different scenarios.

SCAP Security Guide now supports ACSC Essential Eight

The scap-security-guide packages now provide the Australian Cyber Security Centre (ACSC) Essential Eight compliance profile and a corresponding Kickstart file. With this enhancement, users can install a system that conforms with this security baseline. Furthermore, you can use the OpenSCAP suite for checking security compliance and remediation using this specification of minimum security controls defined by ACSC.

oscap-podman for security and compliance scanning of containers is now available

This update of the openscap packages introduces a new utility for security and compliance scanning of containers. The oscap-podman tool provides an equivalent of the oscap-docker utility that serves for scanning container and container images in RHEL 7.

setroubleshoot can now analyze and react to execmem access denials

This update introduces a new setroubleshoot plugin. The plugin can analyze execmem access denials (AVCs) and provide relevant advice. As a result, setroubleshoot can now suggest a possibility to switch a boolean if it allows access, or report the issue when no boolean can allow access.

New packages: setools-gui and setools-console-analyses

The setools-gui package, which has been part of RHEL 7, is now being introduced to RHEL 8. Graphical tools help inspect relations and data flows especially in multi-level systems with highly specialized SELinux policies. With the apol graphical tool from the setools-gui package, you can inspect and analyze aspects of an SELinux policy. Tools from the setools-console-analyses package enable you to analyze domain transitions and SELinux policy information flows.

Confined users in SELinux can now manage user session services

Previously, confined users were not able to manage user session services. As a result, they could not execute systemctl --user or busctl --user commands or work in the RHEL web console. With this update, confined users can manage user sessions.

The lvmdbusd service is now confined by SELinux

The lvmdbusd service provides a D-Bus API to the logical volume manager (LVM). Previously, the lvmdbusd daemon could not transition to the lvm_t context even though the SELinux policy for lvm_t was defined. As a consequence, the lvmdbusd daemon was executed in the unconfined_service_t domain and SELinux labeled lvmdbusd as unconfined. With this update, the lvmdbusd executable file has the lvm_exec_t context defined and lvmdbusd can now be used correctly with SELinux in enforcing mode.

semanage now supports listing and modifying SCTP and DCCP ports.

Previously, semanage port allowed listing and modifying of only TCP and UDP ports. This update adds SCTP and DCCP protocol support to semanage port. As a result, administrators can now check if two machines can communicate via SCTP and fully enable SCTP features to successfully deploy SCTP-based applications.

semanage export now shows customizations related to permissive domains

With this update, the semanage utility, which is part of the policycoreutils package for SELinux, is able to display customizations related to permissive domains. System administrators can now transfer permissive local modifications between machines using the semanage export command.

udica can add new allow rules generated from SELinux denials to existing container policy

When a container that is running under a policy generated by the udica utility triggers an SELinux denial, udica is now able to update the policy. The new parameter -a or --append-rules can be used to append rules from an AVC file.

New SELinux types enable services to run confined

This update introduces new SELinux types that enable the following services to run as confined services in SELinux enforcing mode instead of running in the unconfined_service_t domain:

Clevis is able to list policies in place for a given LUKS device

With this update, the clevis luks list command lists PBD policies in place for a given LUKS device. This makes it easier to find information on Clevis pins in use and pin configuration, for example, Tang server addresses, details on tpm2 policies, and SSS thresholds.

Clevis provides new commands for reporting key status and rebinding expired keys

The clevis luks report command now provides a simple way to report whether keys for a particular binding require rotation. Regular key rotations in a Tang server improve the security of Network-Bound Disk Encryption (NBDE) deployments, and therefore the client should provide detection of expired keys. If the key is expired, Clevis suggests using the clevis luks regen command which rebinds the expired key slot with a current key. This significantly simplifies the process of key rotation.

Clevis can now extract the passphrase used for binding a particular slot in a LUKS device

With this update to the Clevis policy-based decryption framework, you can now extract the passphrase used for binding a particular slot in a LUKS device. Previously, if the LUKS installation passphrase was erased, Clevis could not perform LUKS administrative tasks, such as re-encryption, enabling a new key slot with a user passphrase, and re-binding Clevis when the administrator needs to change the sss threshold. This update introduces the clevis luks pass command that shows the passphrase used for binding a particular slot.

Clevis now provides improved support for decrypting multiple LUKS devices on boot

The clevis packages have been updated to provide better support for decrypting multiple LUKS-encrypted devices on boot. Prior to this improvement, the administrator had to perform complicated changes to the system configuration to enable the proper decryption of multiple devices by Clevis on boot. With this release, you can set up the decryption by using the clevis luks bind command and updating the initramfs through the dracut -fv --regenerate-all command.

openssl-pkcs11 rebased to 0.4.10

The openssl-pkcs11 package has been upgraded to upstream version 0.4.10, which provides many bug fixes and enhancements over the previous version. The openssl-pkcs11 package provides access to PKCS #11 modules through the engine interface. The major changes introduced by the new version are:

rsyslog rebased to 8.1911.0

The rsyslog utility has been upgraded to upstream version 8.1911.0, which provides a number of bug fixes and enhancements over the previous version. The following list includes notable enhancements:

rsyslog now provides the omhttp plugin for communication through an HTTP REST interface

With this update of the rsyslog packages, you can use the new omhttp plugin for producing an output compatible with services using a Representational State Transfer (REST) API, such as the Ceph storage platform, Amazon Simple Storage Service (Amazon S3), and Grafana Loki. This new HTTP output module provides a configurable REST path and message format, support for several batching formats, compression, and TLS encryption.

omelasticsearch in rsyslog now supports rebindinterval

This update of the rsyslog packages introduces support for setting the time of periodical reconnection in the omelasticsearch module. You can improve performance when sending records to a cluster of Elasticsearch nodes by setting this parameter according to your scenario. The value of the rebindinterval parameter indicates the number of operations submitted to a node after which rsyslog closes the connection and establishes a new one. The default value -1 means that rsyslog does not re-establish the connection.

rsyslog mmkubernetes now provides metadata cache expiration

With this update of the rsyslog packages, you can use two new parameters for the mmkubernetes module for setting metadata cache expiration. This ensures that deleted Kubernetes objects are removed from the mmkubernetes static cache. The value of the cacheentryttl parameter indicates the maximum age of cache entries in seconds. The cacheexpireinterval parameter has the following values:

audit rebased to version 3.0-0.14

The audit packages have been upgraded to upstream version 3.0-0.14, which provides many bug fixes and enhancements over the previous version, most notably:

Audit now contains many improvements from the kernel v5.5-rc1

This addition to the Linux kernel contains the majority of enhancements, bug fixes, and cleanups related to the Audit subsystem and introduced between the version 4.18 and 5.5-rc1. The following list highlights important changes:

fapolicyd rebased to 0.9.1-2

The fapolicyd packages that provide RHEL application whitelisting have been upgraded to upstream version 0.9.1-2. Notable bug fixes and enhancements include:

sudo rebased to 1.8.29-3.el8

sudo packages have been upgraded to upstream version 1.8.29-3, which provides a number of bug fixes and enhancements over the previous version. The major changes introduced by the new version are:

The pam_namespace module now allows specifying additional mount options for tmpfs

The nosuid, noexec, and nodev mount options can now be used in the /etc/security/namespace.conf configuration file to respectively disable setuid bit effect, disable running executables, and to prevent files from being interpreted as character or block devices on the mounted tmpfs filesystem.

pam_faillock can now read settings from faillock.conf configuration file

The pam_faillock module, a part of pluggable authentication modules (PAM), can now read settings from the configuration file located at /etc/security/faillock.conf. This makes it easier to set up an account lockout on authentication failures, provide user profiles for this functionality, and handle different PAM configurations by simply editing the faillock.conf file.

User-space applications can now retrieve the netns id selected by the kernel

User-space applications can request the kernel to select a new netns ID and assign it to a network name space. With this enhancement, users can specify the NLM_F_ECHO flag when sending an RTM_NETNSID netlink message to the kernel. The kernel then sends the netlink message back to the user. This message includes the netns ID set to the value the kernel selected. As a result, user-space applications now have a reliable option to identify the netlink ID the kernel selected.

firewalld rebased to version 0.8

The firewalld packages have been updated to version 0.8. Notable changes include:

ndptool can now specify a destination address in IPv6 header

With this update, the ndptool utility can send a Neighbor Solicitation (NS) or a Neighbor Advertisement (NA) message to a specific destination by specifying the address in the IPv6 header. As a result, a message can be sent to addresses other than just the link-local address.

nftables now supports multi-dimensional IP set types

With this enhancement, the nftables packet-filtering framework supports set types with concatenations and intervals. As a result, administrators no longer require workarounds to create multi-dimensional IP set types.

nftables rebased to version 0.9.3

The nftables packages have been upgraded to upstream version 0.9.3, which provides a number of bug fixes and enhancements over the previous version:

Rules for the firewalld service can now use connection tracking helpers for services running on a non-standard port

User-defined helpers in the firewalld service can now use standard kernel helper modules. This enables administrators to create firewalld rules to use connection tracking helpers for services running on a non-standard port.

The whois package is now available

With this enhancement, the whois package is now available in RHEL 8.2.0. As a result, retrieving information about a specific domain name or IP address is now possible.

eBPF for tc is now fully supported

The Traffic Control (tc) kernel subsystem and the tc tool can attach extended Berkeley Packet Filtering (eBPF) programs as packet classifiers and actions for both ingress and egress queueing disciplines. This enables programmable packet processing inside the kernel network data path. eBPF for tc, previously available as a technology preview, is now fully supported in RHEL 8.2.

Kernel version in RHEL 8.2

Red Hat Enterprise Linux 8.2 is distributed with the kernel version 4.18.0-193.

Extended Berkeley Packet Filter for RHEL 8.2

The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code. The eBPF bytecode first loads to the kernel, followed by its verification, code translation to the native machine code with just-in-time compilation, and then the virtual machine executes the code.

Intel ® Omni-Path Architecture (OPA) Host Software

Intel Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 8.2. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

Control Group v2 is now fully supported in RHEL 8

Control Group v2 mechanism is a unified hierarchy control group. Control Group v2 organizes processes hierarchically and distributes system resources along the hierarchy in a controlled and configurable manner.

Randomizing free lists: Improved performance and utilization of direct-mapped memory-side-cache

With this enhancement, you can enable page allocator to randomize free lists and improve the average utilization of a direct-mapped memory-side-cache. The kernel command-line option page_alloc.shuffle, enables the page allocator to randomize the free lists and sets the boolean flag to True. The sysfs file, which is located at /sys/module/page_alloc/parameters/shuffle reads the flag status, shuffles the free lists, such that the Dynamic Random Access Memory (DRAM) is cached, and the latency band between the DRAM and persistent memory is reduced. As a result, persistent memory with a higher capacity and lower bandwidth is available on general purpose server platforms.

The TPM userspace tool has been updated to the last version

The tpm2-tools userspace tool has been updated to version 3.2.1. This update provides several bug fixes, in particular relating to Platform Configuration Register code and manual page clean ups.

The C620-series PCH chipset now supports the Intel Trace Hub feature

This update adds hardware support for Intel Trace Hub (TH) in C620-series Platform Controller Hub (PCH), also known as Lewisburg PCH. Users with C620-series PCH can now use Intel TH.

The perf tool now supports per die events aggregation for CLX-AP and CPX processors

With this update, the perf tool now provides support for per-die event counts aggregation for some Intel CPUs with multiple dies. To enable this mode, add the --per-die option in addition to the -a option for Xeon Cascade Lake-AP (CLX-AP) and Cooper Lake (CPX) system processors. As a result, this update detects any imbalance between the dies. The perf stat command captures the event counts and displays the output as:

The threshold of crashkernel=auto is decreased on IBM Z

The lower threshold of the crashkernel=auto kernel command-line parameter is now decreased from 4G to 1G on IBM Z systems. This implementation allows the IBM Z to align with the threshold of the AMD64 and Intel 64 systems to share the same reservation policy on the lower threshold of crashkernel=auto. As a result, the crash kernel is able to automatically reserve memory for kdump on systems with less than 4GB RAM.

The numactl manual entry clarifies the memory usage output

With this release of RHEL 8, the manual page for numactl explicitly mentions that the memory usage information reflects only the resident pages on the system. The reason for this addition is to eliminate potential confusion for users whether the memory usage information relates to resident pages or virtual memory.

The kexec-tools document is now updated to include Kdump FCoE target support

In this release, the /usr/share/doc/kexec-tools/supported-kdump-targets.txt file has been updated to include Kdump Fibre Channel over Ethernet (FCoE) target support. As a result, users can now have better understanding of the status and details of the kdump crash dumping mechanism on a FCoE target support.

Firmware-assisted dump now supports PowerNV

Firmware-assisted dump (fadump) mechanism is now supported on the PowerNV platform. The feature is supported with the IBM POWER9 FW941 firmware version and later. At the time of system failure, fadump, along with the vmcore file, also exports the opalcore file. The opalcore file contains information about the state of OpenPOWER Abstraction Layer (OPAL) memory at the time of breakdown. The opalcore file is helpful in debugging crashes of OPAL-based systems.

kernel-rt source tree now matches the latest RHEL 8 tree

The kernel-rt sources have been updated to use the latest RHEL kernel source tree. The realtime patch set has also been updated to the latest upstream v5.2.21-rt13 version. Both of these updates provide a number of bug fixes and enhancements.

rngd is now able to run with non-root privileges

The random number generator daemon (rngd) checks whether data supplied by the source of randomness is sufficiently random and then stores the data in the kernel’s random-number entropy pool. With this update, rngd is able to run with non-root user privileges to enhance system security.

Virtual Persistent Memory now supported for RHEL 8.2 and later on POWER 9

When running a RHEL 8.2 or later host with a PowerVM hypervisor on IBM POWER9 hardware, the host can now use the Virtual Persistent Memory (vPMEM) feature. With vPMEM, data persists across application and partition restarts until the physical server is turned off. As a result, restarting workloads that use vPMEM is significantly faster.

LVM now supports the dm-writecache caching method

LVM cache volumes now provide the dm-writecache caching method in addition to the existing dm-cache method.

VDO async policy is now ACID compliant

With this release, the VDO async write mode is now compliant with Atomicity, Consistency, Isolation, Durability (ACID). If the system unexpectedly halts while VDO is writing data in async mode, the recovered data is now always consistent.

You can now import VDO volumes

The vdo utility now enables you to import existing VDO volumes that are currently not registered on your system. To import a VDO volume, use the vdo import command.

New per-op error counter is now available in the output of the mountstats and nfsiostat

A minor supportability feature is available for the NFS client systems: the output of the mountstats and nfsiostat commands in nfs-utils have a per-op error count. This enhancement allows these tools to display per-op error counts and percentages that can assist in narrowing down problems on specific NFS mount points on an NFS client machine. Note that these new statistics depend on kernel changes that are inside the Red Hat Enterprise Linux 8.2 kernel.

Writeback IOs with cgroup awareness is now available in XFS

With this release, XFS supports writeback IOs with cgroup awareness. In general, cgroup writeback requires explicit support from the underlying file system. Until now, writeback IOs on XFS was the attribute for the root cgroup only.

The FUSE file systems now implement copy_file_range()

The copy_file_range() system call provides a way for file systems to implement efficient data copy mechanism. With this update, GlusterFS, which is using the Filesystem in Userspace (FUSE) framework takes advantage of this mechanism. Since read/write functionality of FUSE file systems involves multiple copies of data, using copy_file_range() can significantly improve performance.

Support for per-op statistics is now available for the mountstats and nfsiostat commands

A support feature is now available for the NFS client systems: the /proc/self/mountstats file has the per-op error counter. With this update, under each per-op statistics row, the ninth number indicates the number of the operations that have been completed with a status value less then zero. This status value indicates an error. For more information, see the updates to the mountstats and nfsiostat programs in the nfs-utils that displays these new error counts.

New mount stats lease_time and lease_expired are available in /proc/self/mountstats file

A support feature is available for NFSv4.x client systems. The /proc/self/mountstats file has the lease_time and the lease_expired fields at the end of the line starting with nfsv4:. The lease_time field indicates the number of seconds in the NFSv4 lease time. The lease_expired field indicates the number of seconds since the lease has expired, or 0 if the lease has not expired.

Surprise removal of NVMe devices

With this enhancement, you can surprise remove NVMe devices from the Linux operating system without notifying the operating system beforehand. This will enhance the serviceability of NVMe devices because no additional steps are required to prepare the devices for orderly removal, which ensures the availability of servers by eliminating server downtime.

New command options to disable a resource only if this would not affect other resources

It is sometimes necessary to disable resources only if this would not have an effect on other resources. Ensuring that this would be the case can be impossible to do by hand when complex resource relations are set up. To address this need, the pcs resource disable command now supports the following options:

New command to show relations between resources

The new pcs resource relations command allows you to display the relations between cluster resources in a tree structure.

New command to display the status of both a primary site and recovery site cluster

If you have configured a cluster to use as a recovery site, you can now configure that cluster as a recovery site cluster with the pcs dr command. You can then use the pcs dr command to display the status of both your primary site cluster and your recovery site cluster from a single node.

Expired resource constraints are now hidden by default when listing constraints

Listing resource constraints no longer by default displays expired constraints. To include expired constaints, use the --all option of the pcs constraint command. This will list expired constraints, noting the constraints and their associated rules as (expired) in the display.

Pacemaker support for configuring resources to remain stopped on clean node shutdown

When a cluster node shuts down, Pacemaker’s default response is to stop all resources running on that node and recover them elsewhere. Some users prefer to have high availability only for failures, and to treat clean shutdowns as scheduled outages. To address this, Pacemaker now supports the shutdown-lock and shutdown-lock-limit cluster properties to specify that resources active on a node when it shuts down should remain stopped until the node next rejoins. Users can now use clean shutdowns as scheduled outages without any manual intervention. For information on configuring resources to remain stopped on a clean node shutdown, see link: Configuring resources to remain stopped on clean node shutdown.

Support for running the cluster environment in a single node

A cluster with only one member configured is now able to start and run resources in a cluster environment. This allows a user to configure a separate disaster recovery site for a multi-node cluster that uses a single node for backup. Note that a cluster with only one node is not in itself fault tolerant.

A new module: python38

RHEL 8.2 introduces Python 3.8, provided by the new module python38 and the ubi8/python-38 container image.

Changes in mod_wsgi installation

Previously, when the user tried to install the mod_wsgi module using the yum install mod_wsgi command, the python3-mod_wsgi package was always installed. RHEL 8.2 introduces Python 3.8 as an addition to Python 3.6. With this update, you need to specify which version of mod_wsgi you want to install, otherwise an error message is returned.

Support for hardware-accelerated deflate in zlib on IBM Z

This update adds support for a hardware-accelerated deflate algorithm to the zlib library in the IBM Z mainframes. As a result, performance of compression and decompression on IBM Z vector machines has been improved.

Performance improved when decompressing gzip on IBM Power Systems, little endian

This update adds optimization for the 32-bit Cyclic Redundancy Check (CRC32) to the zlib library on IBM Power Systems, little endian. As a result, performance of decompressing gzip files has been improved.

A new module stream: maven:3.6

RHEL 8.2 introduces a new module stream, maven:3.6. This version of the Maven software project management and comprehension tool provides numerous bug fixes and various enhancements over the maven:3.5 stream distributed with RHEL 8.0.

mod_md now supports the ACMEv2 protocol

The mod_md module has been updated to version 2.0.8. This update adds a number of features, notably support for version 2 of the Automatic Certificate Management Environment (ACME) certificate issuance and management protocol, which is the Internet Engineering Task Force (IETF) standard (RFC 8555). The original ACMEv1 protocol remains supported but is deprecated by popular service providers.

New extensions for PHP 7.3

The php:7.3 module stream has been updated to provide two new PHP extensions: rrd and Xdebug.

New packages: perl-LDAP and perl-Convert-ASN1

This update adds the perl-LDAP and Perl-Convert-ASN1 packages to RHEL 8. The perl-LDAP package provides an LDAP client for the Perl language. perl-LDAP requires the perl-Convert-ASN1 package, which encodes and decodes Abstract Syntax Notation One (ASN.1) data structures using Basic Encoding Rules (BER) and Distinguished Encoding Rules (DER).

sscg now supports generating private key files protected by a password

The sscg utility is now able to generate private key files protected by a password. This adds another level of protection for private keys, and it is required by some services, such as FreeRADIUS.

grafana rebased to version 6.3.6

The grafana package has been upgraded to version 6.3.6, which provides multiple bug fixes and enhancements. Notable changes include:

pcp rebased to version 5.0.2

The pcp package has been upgraded to version 5.0.2, which provides multiple bug fixes and enhancements. Notable changes include:

grafana-pcp is now available in RHEL 8.2

The grafana-pcp package provides new grafana data sources and application plugins connecting PCP with grafana. With the grafana-pcp package, you can analyze historical PCP metrics and real-time PCP metrics using the pmseries query language and pmwebapi live services respectively. For more information, see Performance Co-Pilot Grafana Plugin.

Updated GCC Toolset 9

GCC Toolset 9 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

GCC Toolset 9 now supports NVIDIA PTX target offloading

The GCC compiler in GCC Toolset 9 now supports OpenMP target offloading for NVIDIA PTX.

The updated GCC compiler is now available for RHEL 8.2

The system GCC compiler, version 8.3.1, has been updated to include numerous bug fixes and enhancements available in the upstream GCC.

A new tunable for changing the maximum fastbin size in glibc

The malloc function uses a series of fastbins that hold reusable memory chunks up to a specific size. The default maximum chunk size is 80 bytes on 32-bit systems and 160 bytes on 64-bit systems. This enhancement introduces a new glibc.malloc.mxfast tunable to glibc that enables you to change the maximum fastbin size.

Vectorized math library is now enabled for GNU Fortran in GCC Toolset 9

With this enhancement, GNU Fortran from GCC Toolset can now use routines from the vectorized math library libmvec. Previously, the Fortran compiler in GCC Toolset needed a Fortran header file before it could use routines from libmvec provided by the GNU C Library glibc.

The glibc.malloc.tcache tunable has been enhanced

The glibc.malloc.tcache_count tunable allows to set the maximum number of memory chunks of each size that can be stored in the per-thread cache (tcache). With this update, the upper limit of the glibc.malloc.tcache_count tunable has been increased from 127 to 65535.

The glibc dynamic loader is enhanced to provide a non-inheriting library preloading mechanism

With this enhancement, the loader can now be invoked to load a user program with a --preload option followed by a colon-separated list of libraries to preload. This feature allows users to invoke their programs directly through the loader with a non-inheriting library preload list.

GDB now supports the ARCH(13) extension on the IBM Z architecture

With this enhancement, the GNU Debugger (GDB) now supports the new instructions implemented by the ARCH(13) extension on the IBM Z architecture.

elfutils rebased to version 0.178

The elfutils package has been upgraded to version 0.178, which provides multiple bug fixes and enhancements. Notable changes include:

SystemTap rebased to version 4.2

The SystemTap instrumentation tool has been updated to version 4.2. Notable enhancements include:

Enhancements to IBM Z series performance counters

IBM Z series type 0x8561, 0x8562, and 0x3907 (z14 ZR1) machines are now recognized by libpfm. Performance events for monitoring elliptic-curve cryptography (ECC) operations on IBM Z series are now available. This allows monitoring of additional subsystems on IBM Z series machines.

Rust Toolset rebased to version 1.41

Rust Toolset has been updated to version 1.41. Notable changes include:

LLVM Toolset rebased to version 9.0.1

LLVM Toolset has been upgraded to version 9.0.1. With this update, the asm goto statements are now supported. This change allows to compile the Linux kernel on the AMD64 and Intel 64 architectures.

Go Toolset rebased to version 1.13

Go Toolset has been upgraded to version 1.13. Notable enhancements include:

OpenJDK now supports also secp256k1

Previously, Open Java Development Kit (OpenJDK) could use only curves from the NSS library. Consequently, OpenJDK provided only the secp256r1, secp384r1, and secp521r1 curves for elliptic curve cryptography (ECC). With this update, OpenJDK uses the internal ECC implementation and supports also the secp256k1 curve.

IdM now supports new Ansible management modules

This update introduces several ansible-freeipa modules for automating common Identity Management (IdM) tasks using Ansible playbooks:

IdM Healthcheck now supports screening DNS records

This update introduces a standalone manual test of DNS records on an Identity Management (IdM) server.

Direct integration of RHEL into AD using SSSD now supports FIPS

With this enhancement, the System Services Security Daemon (SSSD) now integrates with Active Directory (AD) deployments whose authentication mechanisms use encryption types that were approved by the Federal Information Processing Standard (FIPS). The enhancement enables you to directly integrate RHEL systems into AD in environments that must meet the FIPS criteria.

The SMB1 protocol has been disabled in the Samba server and client utilities by default

In Samba 4.11, the default values of the server min protocol and client min protocol parameters have been changed from NT1 to SMB2_02 because the server message block version 1 (SMB1) protocol is deprecated. If you have not set these parameters in the /etc/samba/smb.conf file:

samba rebased to version 4.11.2

The samba packages have been upgraded to upstream version 4.11.2, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:

Directory Server rebased to version 1.4.2.4

The 389-ds-base packages have been upgraded to upstream version 1.4.2.4, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the archived upstream release notes before updating:

Certain legacy scripts have been replaced in Directory Server

This enhancement provides replacements for the unsupported dbverify, validate-syntax.pl, cl-dump.pl, fixup-memberuid.pl, and repl-monitor.pl legacy scripts in Directory Server. These scripts have been replaced with the following commands:

Setting up IdM as a hidden replica is now fully supported

Identity Management (IdM) in RHEL 8.2 fully supports setting up IdM servers as hidden replicas. A hidden replica is an IdM server that has all services running and available. However, it is not advertised to other clients or masters because no SRV records exist for the services in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas.

Kerberos ticket policy now supports authentication indicators

Authentication indicators are attached to Kerberos tickets based on which pre-authentication mechanism has been used to acquire the ticket:

The krb5 package is now FIPS-compliant

With this enhancement, non-compliant cryptography is prohibited. As a result, administrators can use Kerberos in FIPS-regulated environments.

Directory Server sets the sslVersionMin parameter based on the system-wide crypto policy

By default, Directory Server now sets the value of the sslVersionMin parameter based on the system-wide crypto policy. If you set the crypto policy profile in the /etc/crypto-policies/config file to:

SSSD now enforces AD GPOs by default

The default setting for the SSSD option ad_gpo_access_control is now enforcing. In RHEL 8, SSSD enforces access control rules based on Active Directory Group Policy Objects (GPOs) by default.

Wayland is now enabled on dual-GPU systems

Previously, the GNOME environment defaulted to the X11 session on laptops and other systems that have two graphical processing units (GPUs). With this release, GNOME now defaults to the Wayland session on dual-GPU systems, which is the same behavior as on single-GPU systems.

Support for new graphics cards

The following graphics cards are now supported:

Administrators can now use client certificates to authenticate to the RHEL 8 web console

With this web console enhancement, a system administrator can use client certificates to access a RHEL 8 system locally or remotely using a browser with certificate authentication built in. No additional client software is required. These certificates are commonly provided by a smart card or Yubikey, or can be imported into the browser.

Option to log in to the web console with a TLS client certificate

With this update, it is possible to configure the web console to log in with a TLS client certificate that is provided by a browser or a device such as a smart card or a YubiKey.

Changes to web console login

RHEL web console has been updated with the following changes:

The RHEL web console has been redesigned to use the PatternFly 4 user interface design system

The new design provides better accessibility and matches the design of OpenShift 4. Updates include:

Virtual Machines page updates

The web console’s Virtual Machines page got several storage improvements:

Web console Storage page updates

Usability testing showed that the default mount point concept on the RHEL web console Storage page was hard to grasp, and led to a lot of confusion. With this update, the web console no longer offers a Default choice when mounting a file system. Creating a new file system now always requires a specified mount point.

Attempting to create a RHEL virtual machine from an install tree now returns a more helpful error message.

RHEL 7 and RHEL 8 virtual machines created using the virt-install utility with the --location option in some cases fail to boot. This update adds a virt-install error message that provides instructions on how to work around this problem.

Intel Xeon Platinum 9200 series processors supported on KVM guests

Support for Intel Xeon Platinum 9200 series processors (previously known as Cascade Lake) has now been added to the KVM hypervisor and kernel code, and to the libvirt API. This enables KVM virtual machines to use Intel Xeon Platinum 9200 series processors.

EDK2 rebased to version stable201908

The EDK2 package has been upgraded to version stable201908, which provides multiple enhancements. Notably:

Creating nested virtual machines

With this update, nested virtualization is fully supported for KVM virtual machines (VMs) running on an Intel 64 host with RHEL 8. With this feature, a RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its own VMs.

The default registries search list in /etc/containers/registries.conf has been updated

The default registries.search list in /etc/containers/registries.conf has been updated to only include trusted registries that provide container images curated, patched, and maintained by Red Hat and its partners.

Podman no longer depends on oci-systemd-hook

Podman does not need or depend on the oci-systemd-hook package which has been removed from the container-tools:rhel8 and container-tools:2.0 module streams.

Using the version or inst.version kernel boot parameters no longer stops the installation program

Previously, booting the installation program from the kernel command line using the version or inst.version boot parameters printed the version, for example anaconda 30.25.6, and stopped the installation program.

Support secure boot for s390x in the installer

Previously, RHEL 8.1 provided support for preparing boot disks for use in IBM Z environments that enforced the use of secure boot. The capabilities of the server and hypervisor used during installation determined if the resulting on-disk format contained secure boot support. There was no way to influence the on-disk format during installation. Consequently, if you installed RHEL 8.1 in an environment that supported secure boot, the system was unable to boot when moved to an environment that lacked secure boot support, as is done in some failover scenarios.

The secure boot feature is now available

Previously, the default value for the secure= boot option was not set to auto, and as a result, the secure boot feature was not available. With this update, unless previously configured, the default value is set to auto, and the secure boot feature is now available.

The /etc/sysconfig/kernel file no longer references the new-kernel-pkg script

Previously, the /etc/sysconfig/kernel file referenced the new-kernel-pkg script. However, the new-kernel-pkg script is not included in a RHEL 8 system. With this update, the reference to the new-kernel-pkg script has been removed from the /etc/sysconfig/kernel file.

The installation does not set more than the maximum number of allowed devices in the boot-device NVRAM variable

Previously, the RHEL 8 installation program set more than the maximum number of allowed devices in the boot-device NVRAM variable. As a result, the installation failed on systems that had more than the maximum number of devices. With this update, the RHEL 8 installation program now checks the maximum device setting and only adds the permitted number of devices.

Installations work for an image location that uses a URL command in a Kickstart file located in a non-network location

Previously, the installation failed early in the process when network activation triggered by the image remote location was specified by a URL command in a Kickstart file located in a non-network location. This update fixes the issue, and installations that provide the image location by using a URL command in a Kickstart file that is located in a non-network location, for example, a CD-ROM or local block device, now work as expected.

The RHEL 8 installation program only checks ECKD DASD for unformatted devices

Previously, when checking for unformatted devices, the installation program checked all DASD devices. However, the installation program should only have checked ECKD DASD devices. As a consequence, the installation failed with a traceback when an FBA DASD device with SWAPGEN was used. With this update, the installation program does not check FBA DASD devices, and the installation completes successfully.

yum repolist no longer ends on first unavailable repository

Previously, the repository configuration option skip_if_unavailable was by default set as follows:

ReaR updates

RHEL 8.2 introduces a number of updates to the Relax-and-Recover (ReaR) utility.

mlocate-updatedb.timer is now enabled during the mlocate package installation

Previously, reindexing of the file database was not performed automatically, because the mlocate-updatedb.timer timer was disabled after the mlocate package installation. With this update, the mlocate-updatedb.timer timer is now a part of the 90-default.preset file and is enabled by default after the mlocate package installation. As a result, the file database is updated automatically.

dnsmasq now correctly handles the non-recursive DNS queries

Previously, dnsmasq forwarded all the non-recursive queries to an upstream server, which led to different responses. With this update, the non-recursive queries to local known names, such as DHCP host lease names or hosts read from the /etc/hosts file, are handled by dnsmasq and are not forwarded to an upstream server. As a result, the same response as to recursive queries to known names is returned.

dhclient no longer fails to renew the IP address after system time changes

Previously, if the system time changed, the system could lose the IP address assigned due to the removal by the kernel. With this update, dhclient uses monotonic timer to detect backward time jumps and issues the DHCPREQUEST message for lease extension in case of discontinuous jump in the system time. As a result, the system no longer loses the IP address in the described scenario.

ipcalc now returns the correct broadcast address for the /31 networks

This update fixes the ipcalc utility to follow the RFC 3021 standard properly. As a result, ipcalc returns the correct broadcast address when the /31 prefix is used on an interface.

/etc/services now contains proper NRPE port definition

This update adds the proper Nagios Remote Plug-in Executor (NRPE) service port definition to the /etc/services file.

The postfix DNS resolver code now uses res_search instead of res_query

Following its previous update in postfix, the DNS resolver code used the res_query function instead of the res_search function. As a consequence, the DNS resolver did not search host names in the current and parent domains with the following postfix configuration:

PCRE, CDB, and SQLite can now be used with Postfix

In RHEL 8, the postfix package has been split into multiple subpackages, each subpackage providing a plug-in for a specific database. Previously, RPM packages containing the postfix-pcre, postfix-cdb, and postfix-sqlite plug-ins were not distributed. Consequently, databases with these plug-ins could not be used with Postfix. This update adds RPM packages containing the PCRE, CDB, and SQLite plug-ins to the AppStream repository. As a result, these plug-ins can be used after the appropriate RPM package is installed.

fapolicyd no longer prevents RHEL updates

When an update replaces the binary of a running application, the kernel modifies the application binary path in memory by appending the " (deleted)" suffix. Previously, the fapolicyd file access policy daemon treated such applications as untrusted, and prevented them from opening and executing any other files. As a consequence, the system was sometimes unable to boot after applying updates.

openssl-pkcs11 no longer locks devices by attempting to log in to multiple devices

Previously, the openssl-pkcs11 engine attempted to log in to the first result of a search using the provided PKCS #11 URI and used the provided PIN even if the first result was not the intended device and the PIN matched another device. These failed authentication attempts locked the device.

OpenSCAP offline scans using rpmverifyfile now work properly

Prior to this update, the OpenSCAP scanner did not correctly change the current working directory in offline mode, and the fchdir function was not called with the correct arguments in the OpenSCAP rpmverifyfile probe. The OpenSCAP scanner has been fixed to correctly change the current working directory in offline mode, and the fchdir function has been fixed to use correct arguments in rpmverifyfile. As a result, SCAP content that contains OVAL rpmverifyfile can be used by OpenSCAP to scan arbitrary file systems.

httpd now starts correctly if using an ECDSA private key without matching public key stored in a PKCS #11 device

Unlike RSA keys, ECDSA private keys do not necessarily contain public-key information. In this case, you cannot obtain the public key from an ECDSA private key. For this reason, a PKCS #11 device stores public-key information in a separate object whether it is a public-key object or a certificate object. OpenSSL expected the EVP_PKEY structure provided by an engine for a private key to contain the public-key information. When filling the EVP_PKEY structure to be provided to OpenSSL, the engine in the openssl-pkcs11 package tried to fetch the public-key information only from matching public-key objects and ignored the present certificate objects.

scap-security-guide PCI-DSS remediations of Audit rules now work properly

Previously, the scap-security-guide package contained a combination of remediation and a check that could result in one of the following scenarios:

OpenSCAP now provides offline scanning of virtual machines and containers

Previously, refactoring of the OpenSCAP codebase caused certain RPM probes to fail to scan VM and containers file systems in offline mode. Consequently, the following tools could not be included in the openscap-utils package: oscap-vm and oscap-chroot. Furthermore, the openscap-containers package was completely removed from RHEL 8. With this update, the problems in the probes have been fixed.

OpenSCAP rpmverifypackage now works correctly

Previously, the chdir and chroot system calls were called twice by the rpmverifypackage probe. Consequently, an error occurred when the probe was utilized during an OpenSCAP scan with custom Open Vulnerability and Assessment Language (OVAL) content. The rpmverifypackage probe has been fixed to properly utilize the chdir and chroot system calls. As a result, rpmverifypackage now works correctly.

Locking in the qdisc_run function now does not cause kernel crash

Previously, a race condition when the pfifo_fast queue discipline resets while dequeuing traffic was leading to packet transmission after they were freed. As a consequence, sometimes kernel was getting terminated unexpectedly. With this update, locking in the qdisc_run function has been improved. As a result, kernel no longer crashes in the described scenario.

The DBus APIs in org.fedoraproject.FirewallD1.config.service work as expected

Previously, the DBus API getIncludes, setIncludes, and queryIncludes functions in org.fedoraproject.FirewallD1 returned an error message: org.fedoraproject.FirewallD1.Exception: list index out of range due to bad indexing. With this update, the DBus API getIncludes, setIncludes, and queryIncludes functions work as expected.

RHEL no longer logs a kernel warning when unloading the ipvs module

Previously, the IP virtual server (ipvs) module used an incorrect reference counting, which caused a race condition when unloading the module. Consequently, RHEL logged a kernel warning. This update fixes the race condition. As a result, the kernel no longer logs the warning when you unload the ipvs module.

The nft utility no longer interprets arguments as command-line options after the first non-option argument

Previously, the nft utility accepted options anywhere in an nft command. For example, admins could use options between or after non-option arguments. As a consequence, due to the leading dash, nft interpreted negative priority values as options, and the command failed. The nft utility’s command-line parser has been updated to not interpret arguments that are starting with a dash after the first non-option argument has been read. As a result, admins no longer require workarounds to pass negative priority values to nft.

The /etc/hosts.allow and /etc/hosts.deny files no longer contain outdated references to removed tcp_wrappers

Previously, the /etc/hosts.allow and /etc/hosts.deny files contained outdated information about the tcp_wrappers package. The files are removed in RHEL 8 as they are no longer needed for tcp_wrappers which is removed.

A configuration parameter has been added to firewalld to disable zone drifting

Previously, the firewalld service contained an undocumented behavior known as "zone drifting". RHEL 8.0 removed this behavior because it could have a negative security impact. As a consequence, on hosts that used this behavior to configure a catch-all or fallback zone, firewalld denied connections that were previously allowed. This update re-adds the zone drifting behavior, but as a configurable feature. As a result, users can now decide to use zone drifting or disable the behavior for a more secure firewall setup.

Subsection memory hotplug is now fully supported

Previously, some platforms aligned physical memory regions such as Dual In-Line Modules (DIMMs) and interleave sets to 64MiB memory boundary. However, as the Linux hotplug subsystem uses a memory size of 128MiB, hot-plugging new devices caused multiple memory regions to overlap in a single hotplug memory window. Consequently, this caused failure in listing the available persistent memory namespaces with the following or a similar call trace:

Data corruption now triggers a BUG instead of a WARN message

With this enhancement, the list corruptions at lib/list_debug.c now triggers a BUG, which generates a report with a vmcore. Previously, when encountering a data corruption, a simple WARN was generated, which was likely to go unnoticed. With set CONFIG_BUG_ON_DATA_CORRUPTION, the kernel now creates a crash and triggers a BUG in response to data corruption. This prevents further damage and reduces the security risk. The kdump now generates a vmcore, which improves the data corruption bug reporting.

Support for Intel Carlsville card is available but not verified in RHEL 8.2

The Intel Carlsville card support is available but not tested on Red Hat Enterprise Linux 8.2.

RPS and XPS no longer place jobs on isolated CPUs

Previously, the Receive Packet Steering (RPS) software-queue mechanism and the Transmit Packet Steering (XPS) transmit queue selection mechanism allocated jobs on all CPU sets, including isolated CPUs. Consequently, this could cause an unexpected latency spike in a real-time environment when a latency-sensitive workload was using the same CPU where RPS or XPS jobs were running. With this update, the store_rps_map() function does not include any isolated CPUs for the purpose of RPS configuration. Similarly, the kernel drivers used for XPS configuration are respecting CPU isolation. As a result, RPS and XPS no longer place jobs on isolated CPUs in the described scenario. If you configure an isolated CPU in the /sys/devices/pci*/net/dev/queues/rx-*/rps_cpus file, the following error appears:

SCSI drivers no longer use an excessive amount of memory

Previously, certain SCSI drivers used a larger amount of memory than in RHEL 7. In certain cases, such as vPort creation on a Fibre Channel host bus adapter (HBA), the memory usage was excessive, depending upon the system configuration.

VDO can now suspend before UDS has finished rebuilding

Previously, the dmsetup suspend command became unresponsive if you attempted to suspend a VDO volume while the UDS index was rebuilding. The command finished only after the rebuild.

Problems in mod_cgid logging have been fixed

Prior to this update, if the mod_cgid Apache httpd module was used under a threaded multi-processing module (MPM), the following logging problems occurred:

Unrelocated and uninitialized shared objects no longer result in failures if dlopen fails

Previously, if the dlopen call failed, the glibc dynamic linker did not remove shared objects with the NODELETE mark before reporting the error. Consequently, the unrelocated and uninitialized shared objects remained in the process image, eventually resulting in assertion failures or crashes. With this update, the dynamic loader uses a pending NODELETE state to remove shared objects upon dlopen failure, before marking them as NODELETE permanently. As a result, the process does not leave any unrelocated objects behind. Also, lazy binding failures while ELF constructors and destructors run now terminate the process.

Advanced SIMD functions on the 64-bit ARM architecture no longer miscompile when lazily resolved

Previously, the new vector Procedure Call Standard (PCS) for Advanced SIMD did not properly save and restore certain callee-saved registers when lazily resolving Advanced SIMD functions. As a consequence, binaries could misbehave at runtime. With this update, the Advanced SIMD and SVE vector functions in the symbol table are marked with .variant_pcs and, as a result, the dynamic linker will bind such functions early.

The sudo wrapper script now parses options

Previously, the /opt/redhat/devtoolset*/root/usr/bin/sudo wrapper script did not correctly parse sudo options. As a consequence, some sudo options (for example, sudo -i) could not be executed. With this update, more sudo options are correctly parsed and, as a result, the sudo wrapper script works more like /usr/bin/sudo.

Alignment of TLS variables in glibc has been fixed

Previously, aligned thread-local storage (TLS) data could, under certain conditions, become instantiated without the expected alignment. With this update, the POSIX Thread Library libpthread has been enhanced to ensure correct alignment under any conditions. As a result, aligned TLS data is now correctly instantiated for all threads with the correct alignment.

Repeated pututxline calls following EINTR or EAGAIN error no longer corrupt the utmp file

When the pututxline function tries to acquire a lock and does not succeed in time, the function returns with EINTR or EAGAIN error code. Previously in this situation, if pututxline was called immediately again and managed to obtain the lock, it did not use an already-allocated matching slot in the utmp file, but added another entry instead. As a consequence, these unused entries increased the size of the utmp file substantially. This update fixes the issue, and the entries are added to the utmp file correctly now.

mtrace no longer hangs when internal failures occur

Previously, a defect in the mtrace tool implementation could cause memory tracing to hang. To fix this issue, the mtrace memory tracing implementation has been made more robust to avoid the hang even in the face of internal failures. As a result, users can now call mtrace and it no longer hangs, completing in bounded time.

The fork function avoids certain deadlocks related to use of pthread_atfork

Previously, if a program registered an atfork handler and invoked fork from an asynchronous-signal handler, a defect in the internal implementation-dependent lock could cause the program to freeze. With this update, the implementation of fork and its atfork handlers is adjusted to avoid the deadlock in single-threaded programs.

strstr no longer returns incorrect matches for a truncated pattern

On certain IBM Z platforms (z15, previously known as arch13), the strstr function did not correctly update a CPU register when handling search patterns that cross a page boundary. As a consequence, strstr returned incorrect matches. This update fixes the problem, and as a result, strstr works as expected in the mentioned scenario.

C.UTF-8 locale source ellipsis expressions in glibc are fixed

Previously, a defect in the C.UTF-8 source locale resulted in all Unicode code points above U+10000 lacking collation weights. As a consequence, all code points above U+10000 did not collate as expected. The C.UTF-8 source locale has been corrected, and the newly compiled binary locale now has collation weights for all Unicode code points. The compiled C.UTF-8 locale is 5.3MiB larger as a result of this fix.

glibc no longer fails when getpwent() is called without calling setpwent()

If your /etc/nsswitch.conf file pointed to the Berkeley DB (db) password provider, you could request data using the getpwent() function without first calling setpwent() only once. When you called the endpwent() function, further calls to getpwent() without first calling setpwent() caused glibc to fail because endpwent() could not reset the internals to allow a new query. This update fixes the problem. As a result, after you end one query with endpwent(), further calls to getpwent() will start a new query even if you do not call setpwent().

ltrace can now trace system calls in hardened binaries

Previously, ltrace did not produce any results on certain hardened binaries, such as system binaries, on the AMD and Intel 64-bit architectures. With this update, ltrace can now trace system calls in hardened binaries.

Intel’s JCC flaw no longer causes significant performance loss in the GCC compiler

Certain Intel CPUs are affected by the Jump Conditional Code (JCC) bug causing machine instructions to be executed incorrectly. Consequently, the affected CPUs might not execute programs properly. The full fix involves updating the microcode of vulnerable CPUs, which can cause a performance degradation. This update enables a workaround in the assembler that helps to reduce the performance loss. The workaround is not enabled by default.

make no longer slows down when using parallel builds

Previously, while running parallel builds, make sub-processes could become temporarily unresponsive when waiting for their turn to run. As a consequence, builds with high -j values slowed down or ran at lower effective -j values. With this update, the job control logic of make is now non-blocking. As a result, builds with high -j values run at full -j speed.

The ltrace tool now reports function calls correctly

Because of improvements to binary hardening applied to all RHEL components, the ltrace tool previously could not detect function calls in binary files coming from RHEL components. As a consequence, ltrace output was empty because it did not report any detected calls when used on such binary files. This update fixes the way ltrace handles function calls, which prevents the described problem from occurring.

The dsctl utility no longer fails to manage instances with a hyphen in their name

Previously, the dsctl utility did not correctly parse hyphens in the Directory Server instance names. As a consequence, administrators could not use dsctl to manage instances with a hyphen in their name. This update fixes the problem, and dsctl now works as expected in the mentioned scenario.

Directory Server instance names can now have up to 103 characters

When an LDAP client establishes a connection to Directory Server, the server stores information related to the client address in a local buffer. Previously, the size of this buffer was too small to store an LDAPI path name longer than 46 characters. For example, this is the case if name of the Directory Server instance is too long. As a consequence, the server terminated unexpectedly due to an buffer overflow. This update increases the buffer size to the maximum size the Netscape Portable Runtime (NSPR) library supports for the path name. As a result, Directory Server no longer crashes in the mentioned scenario.

The pkidestroy utility now picks the correct instance

Previously, the pkidestroy --force command executed on a half-removed instance picked the pki-tomcat instance by default, regardless of the instance name specified with the -i instance option.

The ldap_user_authorized_service description has been updated in the sssd-ldap man page

The Pluggable authentication modules (PAM) stack has been changed in RHEL 8. For example, the systemd user session now starts a PAM conversation using the systemd-user PAM service. This service now recursively includes the system-auth PAM service, which may include the pam_sss.so interface. This means that the SSSD access control is always called.

Information about required DNS records is now displayed when enabling support for AD trust in IdM

Previously, when enabling support for Active Directory (AD) trust in Red Hat Enterprise Linux Identity Management (IdM) installation with external DNS management, no information about required DNS records was displayed. Entering the ipa dns-update-system-records --dry-run command manually was necesary to obtain a list of all DNS records required by IdM.

Recursive DNS queries are now disabled by default in IdM servers with integrated DNS

Previously, recursive queries were enabled by default when using an Identity Management (IdM) server with integrated DNS. As a consequence, it was possible to use the server for a DNS Amplification Attack. With this update, recursive DNS queries are now disabled by default, and it is no longer possible to use the server for a DNS Amplification Attack.

GNOME Shell on Wayland no longer performs slowly when using a software renderer

Previously, the Wayland back end of GNOME Shell did not use a cacheable framebuffer when using a software renderer. As a consequence, software-rendered GNOME Shell on Wayland was slow compared to software-rendered GNOME Shell on the X.org back end.

Starting a VM on a 10th generation Intel Core processor no longer fails

Previously, starting a virtual machine (VM) failed on a host model that used a 10th generation Intel Core processor, also known as Icelake-Server. With this update, libvirt no longer attempts to disable the pconfig CPU feature which is not supported by QEMU. As a result, starting a VM on a host model running a 10th generation Intel processor no longer fails.

Using cloud-init to provision virtual machines on Microsoft Azure now works correctly

Previously, it was not possible to use the cloud-init utility to provision a RHEL 8 virtual machine (VM) on the Microsoft Azure platform. This update fixes the cloud-init handling of the Azure endpoints, and provisioning RHEL 8 VMs on Azure now proceeds as expected.

RHEL 8 virtual machines on RHEL 7 hosts can be reliably viewed in higher resolution than 1920x1200

Previously, when using a RHEL 8 virtual machine (VM) running on a RHEL 7 host system, certain methods of displaying the the graphical output of the VM, such as running the application in kiosk mode, could not use greater resolution than 1920x1200. As a consequence, displaying VMs using those methods only worked in resolutions up to 1920x1200 even if the host hardware supported higher resolutions. This update adjusts DRM and QXL drivers in a way to prevent the described problem from occurring.

Customizing an ESXi VM using cloud-init and rebooting the VM now works correctly

Previously, if the cloud-init service was used to modify a virtual machine (VM) running on the VMware ESXi hypervisor to use static IP and the VM was then cloned, the new cloned VM in some cases took a very long time to reboot. This update modifies cloud-init not to rewrite the VM’s static IP to DHCP, which prevents the described problem from occurring.

Pulling images from the quay.io registry no longer leads to unintended images

Previously, having the quay.io container image registry listed in the default registries search list provided in /etc/containers/registries.conf could allow a user to pull a spoofed image when using a short name. To fix this issue, the quay.io container image registry has been removed from the default registries search list in /etc/containers/registries.conf. As a result, pulling images from the quay.io registry now requires users to specify the full repository name, such as quay.io/myorg/myimage. The quay.io registry can be added back to the default registries search list in /etc/containers/registries.conf to reenable pulling container images using short names, however, this is not recommended as it could create a security risk.

nmstate available as a Technology Preview

Nmstate is a network API for hosts. The nmstate packages, available as a Technology Preview, provide a library and the nmstatectl command-line utility to manage host network settings in a declarative manner. The networking state is described by a pre-defined schema. Reporting of the current state and changes to the desired state both conform to the schema.

AF_XDP available as a Technology Preview

Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It accompanies XDP and grants efficient redirection of programmatically selected packets to user space applications for further processing.

XDP available as a Technology Preview

The eXpress Data Path (XDP) feature, which is available as a Technology Preview, provides a means to attach extended Berkeley Packet Filter (eBPF) programs for high-performance packet processing at an early point in the kernel ingress data path, allowing efficient programmable packet analysis, filtering, and manipulation.

KTLS available as a Technology Preview

In Red Hat Enterprise Linux 8, Kernel Transport Layer Security (KTLS) is provided as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also provides the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that support this functionality.

The dracut utility now supports creating initrd images with NetworkManager support as a technology preview

By default, the dracut utility uses a shell script to manage networking in the initial RAM disk (initrd). In certain cases, this could cause problems when the system switches from the RAM disk to the operating system that uses NetworkManager to configure the network. For example, NetworkManager could send another DHCP request, even if the script in the RAM disk already requested an IP address. This request from the RAM disk could result in a time out.

The mlx5_core driver supports Mellanox ConnectX-6 Dx network adapter as a Technology Preview

This enhancement adds the PCI IDs of the Mellanox ConnectX-6 Dx network adapter to the mlx5_core driver. On hosts that use this adapter, RHEL loads the mlx5_core driver automatically. Note that Red Hat provides this feature as an unsupported Technology Preview.

The systemd-resolved service is now available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, an Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

kexec fast reboot as a Technology Preview

The kexec fast reboot feature, continues to be available as a Technology Preview. Rebooting is now significantly faster thanks to kexec fast reboot. To use this feature, load the kexec kernel manually, and then reboot the operating system.

eBPF available as a Technology Preview

Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions.

libbpf is available as a Technology Preview

The libbpf package is currently available as a Technology Preview. The libbpf package is crucial for bpf related applications like bpftrace and bpf/xdp development.

The igc driver available as a Technology Preview for RHEL 8

The igc Intel 2.5G Ethernet Linux wired LAN driver is now available on all architectures for RHEL 8 as a Technology Preview. The ethtool utility also supports igc wired LANs.

Soft-RoCE available as a Technology Preview

Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol which implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which supports two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL 8.

NVMe/TCP is available as a Technology Preview

Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) and its corresponding nvme-tcp.ko and nvmet-tcp.ko kernel modules have been added as a Technology Preview.

File system DAX is now available for ext4 and XFS as a Technology Preview

In Red Hat Enterprise Linux 8.2, file system DAX is available as a Technology Preview. DAX provides a means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that supports DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.

OverlayFS

OverlayFS is a type of union file system. It enables you to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media. See the Linux kernel documentation for additional information: https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt.

Stratis is now available as a Technology Preview

Stratis is a new local storage manager. It provides managed file systems on top of pools of storage with additional features to the user.

IdM now supports setting up a Samba server on an IdM domain member as a Technology Preview

With this update, you can now set up a Samba server on an Identity Management (IdM) domain member. The new ipa-client-samba utility provided by the same-named package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For example, the utility creates the /etc/samba/smb.conf with the ID mapping configuration for the sss ID mapping back end. As a result, administrators can now set up Samba on an IdM domain member.

Pacemaker podman bundles available as a Technology Preview

Pacemaker container bundles now run on the podman container platform, with the container bundle feature being available as a Technology Preview. There is one exception to this feature being Technology Preview: Red Hat fully supports the use of Pacemaker bundles for Red Hat Openstack.

Heuristics in corosync-qdevice available as a Technology Preview

Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which partition should be quorate.

New fence-agents-heuristics-ping fence agent

As a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as Technology Preview.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Checking the overall health of your public key infrastructure is now available as a Technology Preview

With this update, the public key infrastructure (PKI) Healthcheck tool reports the health of the PKI subsystem to the Identity Management (IdM) Healthcheck tool, which was introduced in RHEL 8.1. Executing the IdM Healthcheck invokes the PKI Healthcheck, which collects and returns the health report of the PKI subsystem.

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is now available for the 64-bit ARM architecture as a Technology Preview. This enables administrators to configure and manage servers from a graphical user interface (GUI) remotely, using the VNC session.

VNC remote console available as a Technology Preview for the 64-bit ARM architecture

On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available as a Technology Preview. Note that the rest of the graphics stack is currently unverified for the 64-bit ARM architecture.

The postfix role of RHEL System Roles available as a Technology Preview

Red Hat Enterprise Linux System Roles provides a configuration interface for Red Hat Enterprise Linux subsystems, which makes system configuration easier through the inclusion of Ansible Roles. This interface enables managing system configurations across multiple versions of Red Hat Enterprise Linux, as well as adopting new major releases.

rhel-system-roles-sap available as a Technology Preview

The rhel-system-roles-sap package provides Red Hat Enterprise Linux (RHEL) System Roles for SAP, which can be used to automate the configuration of a RHEL system to run SAP workloads. These roles greatly reduce the time to configure a system to run SAP workloads by automatically applying the optimal settings that are based on best practices outlined in relevant SAP Notes. Access is limited to RHEL for SAP Solutions offerings. Please contact Red Hat Customer Support if you need assistance with your subscription.

Select Intel network adapters now support SR-IOV in RHEL guests on Hyper-V

As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters supported by the ixgbevf and i40evf drivers. This feature is enabled when the following conditions are met:

KVM virtualization is usable in RHEL 8 Hyper-V virtual machines

As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a Hyper-V host.

AMD SEV for KVM virtual machines

As a Technology Preview, RHEL 8 introduces the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts VM memory so that the host cannot access data on the VM. This increases the security of the VM if the host is successfully infected by malware.

Intel vGPU

As a Technology Preview, it is now possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.

skopeo container image is available as a Technology Preview

The registry.redhat.io/rhel8/skopeo container image is a containerized implementation of the skopeo package. The skopeo is a command-line tool utility that performs various operations on container images and image repositories. This container image allows you to inspect and copy container images from one unauthenticated container registry to another.

buildah container image is available as a Technology Preview

The registry.redhat.io/rhel8/buildah container image is a containerized implementation of the buildah package. The buildah is a tool that facilitates building OCI container images. This container image allows you to build container images without the need to install the buildah package on your system. The use-case does not cover running this image in rootless mode as a non-root user.

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

Several Kickstart commands and options have been deprecated

Using the following commands and options in RHEL 8 Kickstart files will print a warning in the logs.

The --interactive option of the ignoredisk Kickstart command has been deprecated

Using the --interactive option in future releases of Red Hat Enterprise Linux will result in a fatal installation error. It is recommended that you modify your Kickstart file to remove the option.

rpmbuild --sign is deprecated

With this update, the rpmbuild --sign command has become deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in an error. It is recommended that you use the rpmsign command instead.

Metalink support for curl has been disabled

A flaw was found in curl functionality in the way it handles credentials and file hash mismatch for content downloaded using the Metalink. This flaw allows malicious actors controlling a hosting server to:

NSS SEED ciphers are deprecated

The Mozilla Network Security Services (NSS) library will not support TLS cipher suites that use a SEED cipher in a future release. For deployments that rely on SEED ciphers, Red Hat recommends enabling support for other cipher suites. This way, you ensure smooth transitions when NSS will remove support for them.

TLS 1.0 and TLS 1.1 are deprecated

The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level. If your scenario, for example, a video conferencing application in the Firefox web browser, requires using the deprecated protocols, switch the system-wide cryptographic policy to the LEGACY level:

DSA is deprecated in RHEL 8

The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level.

SSL2 Client Hello has been deprecated in NSS

The Transport Layer Security (TLS) protocol version 1.2 and earlier allow to start a negotiation with a Client Hello message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network Security Services (NSS) library has been deprecated and it is disabled by default.

TPM 1.2 is deprecated

The Trusted Platform Module (TPM) secure cryptoprocessor standard version was updated to version 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major release.

Network scripts are deprecated in RHEL 8

Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by default. The basic installation provides a new version of the ifup and ifdown scripts which call the NetworkManager service through the nmcli tool. In Red Hat Enterprise Linux 8, to run the ifup and the ifdown scripts, NetworkManager must be running.

Installing RHEL for Real Time 8 using diskless boot is now deprecated

Diskless booting allows multiple systems to share a root file system via the network. While convenient, diskless boot is prone to introducing network latency in realtime workloads. With a future minor update of RHEL for Real Time 8, the diskless booting feature will no longer be supported.

The qla3xxx driver is deprecated

The qla3xxx driver has been deprecated in RHEL 8. The driver will likely not be supported in future major releases of this product, and thus it is not recommended for new deployments.

The dl2k, dnet, ethoc, and dlci drivers are deprecated

The dl2k, dnet, ethoc, and dlci drivers have been deprecated in RHEL 8. The drivers will likely not be supported in future major releases of this product, and thus they are not recommended for new deployments.

The rdma_rxe Soft-RoCE driver is deprecated

Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is available as an unsupported Technology Preview. However, due to stability issues, this feature has been deprecated and will be removed in RHEL 9.

The elevator kernel command line parameter is deprecated

The elevator kernel command line parameter was used in earlier RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated.

LVM mirror is deprecated

The LVM mirror segment type is now deprecated. Support for mirror will be removed in a future major release of RHEL.

NFSv3 over UDP has been disabled

The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. This change affects only NFS version 3 because version 4 requires the Transmission Control Protocol (TCP).

The SMB1 protocol is deprecated in Samba

Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release.

The libgnome-keyring library has been deprecated

The libgnome-keyring library has been deprecated in favor of the libsecret library, as libgnome-keyring is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. The new libsecret library is the replacement that follows the necessary security standards.

AGP graphics cards are no longer supported

Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement.

The web console no longer supports incomplete translations

The RHEL web console no longer provides translations for languages that have translations available for less than 50 % of the Console’s translatable strings. If the browser requests translation to such a language, the user interface will be in English instead.

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL 8 web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager may not be yet available the RHEL 8 web console.

Virtual machine snapshots are not properly supported in RHEL 8

The current mechanism of creating virtual machine (VM) snapshots has been deprecated, as it is not working reliably. As a consequence, it is recommended not to use VM snapshots in RHEL 8.

The Cirrus VGA virtual GPU type has been deprecated

With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga, virtio-vga, or qxl devices instead of Cirrus VGA.

The cpu64-rhel6 CPU model has been deprecated and removed

The cpu64-rhel6 QEMU virtual CPU model has been deprecated in RHEL 8.1, and has been removed from RHEL 8.2. It is recommended that you use the other CPU models provided by QEMU and libvirt, according to the CPU present on the host machine.

The auth and authconfig Kickstart commands require the AppStream repository

The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.

The reboot --kexec and inst.kexec commands do not provide a predictable system state

Performing a RHEL installation with the reboot --kexec Kickstart command or the inst.kexec kernel boot parameters do not provide the same predictable system state as a full reboot. As a consequence, switching to the installed system without rebooting can produce unpredictable results.

Anaconda installation includes low limits of minimal resources setting requirements

Anaconda initiates the installation on systems with minimal resource settings required available and do not provide previous message warning about the required resources for performing the installation successfully. As a result, the installation can fail and the output errors do not provide clear messages for possible debug and recovery. To work around this problem, make sure that the system has the minimal resources settings required for installation: 2GB memory on PPC64(LE) and 1GB on x86_64. As a result, it should be possible to perform a successful installation.

Installation fails when using the reboot --kexec command

The RHEL 8 installation fails when using a Kickstart file that contains the reboot --kexec command. To avoid the problem, use the reboot command instead of reboot --kexec in your Kickstart file.

RHEL 8 initial setup cannot be performed via SSH

Currently, the RHEL 8 initial setup interface does not display when logged in to the system using SSH. As a consequence, it is impossible to perform the initial setup on a RHEL 8 machine managed via SSH. To work around this problem, perform the initial setup in the main system console (ttyS0) and, afterwards, log in using SSH.

Network access is not enabled by default in the installation program

Several installation features require network access, for example, registration of a system using the Content Delivery Network (CDN), NTP server support, and network installation sources. However, network access is not enabled by default, and as a result, these features cannot be used until network access is enabled.

Registration fails for user accounts that belong to multiple organizations

Currently, when you attempt to register a system with a user account that belongs to multiple organizations, the registration process fails with the error message You must specify an organization for new units.

A GUI installation using the Binary DVD ISO image can sometimes not proceed without CDN registration

When performing a GUI installation using the Binary DVD ISO image file, a race condition in the installer can sometimes prevent the installation from proceeding until you register the system using the Connect to Red Hat feature. To work around this problem, complete the following steps:

Copying the content of the Binary DVD.iso file to a partition omits the .treeinfo and .discinfo files

During local installation, while copying the content of the RHEL 8 Binary DVD.iso image file to a partition, the * in the cp <path>/\* <mounted partition>/dir command fails to copy the .treeinfo and .discinfo files. These files are required for a successful installation. As a result, the BaseOS and AppStream repositories are not loaded, and a debug-related log message in the anaconda.log file is the only record of the problem.

Self-signed HTTPS server cannot be used in Kickstart installation

Currently, the installer fails to install from a self-signed https server when the installation source is specified in the kickstart file and the --noverifyssl option is used:

GUI installation might fail if an attempt to unregister using the CDN is made before the repository refresh is completed

In RHEL 8.2, when registering your system and attaching subscriptions using the Content Delivery Network (CDN), a refresh of the repository metadata is started by the GUI installation program. The refresh process is not part of the registration and subscription process, and as a consequence, the Unregister button is enabled in the Connect to Red Hat window. Depending on the network connection, the refresh process might take more than a minute to complete. If you click the Unregister button before the refresh process is completed, the GUI installation might fail as the unregister process removes the CDN repository files and the certificates required by the installation program to communicate with the CDN.

syspurpose addons have no effect on the subscription-manager attach --auto output.

In Red Hat Enterprise Linux 8, four attributes of the syspurpose command-line tool have been added: role,usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect the output of running the subscription-manager attach --auto command. Users who attempt to set values to the addons argument will not observe any effect on the subscriptions that are auto-attached.

Data from multi-path storage devices is lost when installing RHEL using a Kickstart file

Data from the multi-path storage devices that are attached to a host is lost when installing RHEL using a Kickstart file. This issue occurs because the installer fails to ignore the multi-path storage devices that you specify using ignoredisk --drives command. As a result, data on the devices is lost.

Applications using Wayland protocol cannot be forwarded to remote display servers

In Red Hat Enterprise Linux 8, most applications use the Wayland protocol by default instead of the X11 protocol. As a consequence, the ssh server cannot forward the applications that use the Wayland protocol but is able to forward the applications that use the X11 protocol to a remote display server.

systemd-resolved.service fails to start on boot

The systemd-resolved service occasionally fails to start on boot. If this happens, restart the service manually after the boot finishes by using the following command:

Audit executable watches on symlinks do not work

File monitoring provided by the -w option cannot directly track a path. It has to resolve the path to a device and an inode to make a comparison with the executed program. A watch monitoring an executable symlink monitors the device and an inode of the symlink itself instead of the program executed in memory, which is found from the resolution of the symlink. Even if the watch resolves the symlink to get the resulting executable program, the rule triggers on any multi-call binary called from a different symlink. This results in flooding logs with false positives. Consequently, Audit executable watches on symlinks do not work.

SELINUX=disabled in /etc/selinux/config does not work properly

Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots with SELinux enabled and switches to disabled mode later in the boot process. This might cause memory leaks.

libselinux-python is available only through its module

The libselinux-python package contains only Python 2 bindings for developing SELinux applications and it is used for backward compatibility. For this reason, libselinux-python is no longer available in the default RHEL 8 repositories through the dnf install libselinux-python command.

udica processes UBI 8 containers only when started with --env container=podman

The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. This prevents the udica tool from analyzing a container JavaScript Object Notation (JSON) file.

Removing the rpm-plugin-selinux package leads to removing all selinux-policy packages from the system

Removing the rpm-plugin-selinux package disables SELinux on the machine. It also removes all selinux-policy packages from the system. Repeated installation of the rpm-plugin-selinux package then installs the selinux-policy-minimum SELinux policy, even if the selinux-policy-targeted policy was previously present on the system. However, the repeated installation does not update the SELinux configuration file to account for the change in policy. As a consequence, SELinux is disabled even upon reinstallation of the rpm-plugin-selinux package.

SELinux prevents systemd-journal-gatewayd to call newfstatat() on shared memory files created by corosync

SELinux policy does not contain a rule that allows the systemd-journal-gatewayd daemon to access files created by the corosync service. As a consequence, SELinux denies systemd-journal-gatewayd to call the newfstatat() function on shared memory files created by corosync.

SELinux prevents auditd to halt or power off the system

The SELinux policy does not contain a rule that allows the Audit daemon to start a power_unit_file_t systemd unit. Consequently, auditd cannot halt or power off the system even when configured to do so in cases such as no space left on a logging disk partition.

users can run sudo commands as locked users

In systems where sudoers permissions are defined with the ALL keyword, sudo users with permissions can run sudo commands as users whose accounts are locked. Consequently, locked and expired accounts can still be used to execute commands.

Negative effects of the default logging setup on performance

The default logging environment setup might consume 4 GB of memory or even more and adjustments of rate-limit values are complex when systemd-journald is running with rsyslog.

Parameter not known errors in the rsyslog output with config.enabled

In the rsyslog output, an unexpected bug occurs in configuration processing errors using the config.enabled directive. As a consequence, parameter not known errors are displayed while using the config.enabled directive except for the include() statements.

Certain rsyslog priority strings do not work correctly

Support for the GnuTLS priority string for imtcp that allows fine-grained control over encryption is not complete. Consequently, the following priority strings do not work properly in rsyslog:

Connections to servers with SHA-1 signatures do not work with GnuTLS

SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS connection to peers that offer such certificates. This behavior is inconsistent with other system cryptographic libraries. To work around this problem, upgrade the server to use certificates signed with SHA-256 or stronger hash, or switch to the LEGACY policy.

TLS 1.3 does not work in NSS in FIPS mode

TLS 1.3 is not supported on systems working in FIPS mode. As a result, connections that require TLS 1.3 for interoperability do not function on a system working in FIPS mode.

OpenSSL incorrectly handles PKCS #11 tokens that does not support raw RSA or RSA-PSS signatures

The OpenSSL library does not detect key-related capabilities of PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created with a token that does not support raw RSA or RSA-PSS signatures.

OpenSSL generates a malformed status_request extension in the CertificateRequest message in TLS 1.3

OpenSSL servers send a malformed status_request extension in the CertificateRequest message if support for the status_request extension and client certificate-based authentication are enabled. In such case, OpenSSL does not interoperate with implementations compliant with the RFC 8446 protocol. As a result, clients that properly verify extensions in the CertificateRequest message abort connections with the OpenSSL server. To work around this problem, disable support for the TLS 1.3 protocol on either side of the connection or disable support for status_request on the OpenSSL server. This will prevent the server from sending malformed messages.

ssh-keyscan cannot retrieve RSA keys of servers in FIPS mode

The SHA-1 algorithm is disabled for RSA signatures in FIPS mode, which prevents the ssh-keyscan utility from retrieving RSA keys of servers operating in that mode.

Libreswan does not work properly with seccomp=enabled on all configurations

The set of allowed syscalls in the Libreswan SECCOMP support implementation is currently not complete. Consequently, when SECCOMP is enabled in the ipsec.conf file, the syscall filtering rejects even syscalls needed for the proper functioning of the pluto daemon; the daemon is killed, and the ipsec service is restarted.

Certain sets of interdependent rules in SSG can fail

Remediation of SCAP Security Guide (SSG) rules in a benchmark can fail due to undefined ordering of rules and their dependencies. If two or more rules need to be executed in a particular order, for example, when one rule installs a component and another rule configures the same component, they can run in the wrong order and remediation reports an error. To work around this problem, run the remediation twice, and the second run fixes the dependent rules.

SCAP Workbench fails to generate results-based remediations from tailored profiles

The following error occurs when trying to generate results-based remediation roles from a customized profile using the SCAP Workbench tool:

Kickstart uses org_fedora_oscap instead of com_redhat_oscap in RHEL 8

The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda add-on as org_fedora_oscap instead of com_redhat_oscap which might cause confusion. That is done to preserve backward compatibility with Red Hat Enterprise Linux 7.

OSCAP Anaconda Addon does not install all packages in text mode

The OSCAP Anaconda Addon plugin cannot modify the list of packages selected for installation by the system installer if the installation is running in text mode. Consequently, when a security policy profile is specified using Kickstart and the installation is running in text mode, any additional packages required by the security policy are not installed during installation.

OSCAP Anaconda Addon does not correctly handle customized profiles

The OSCAP Anaconda Addon plugin does not properly handle security profiles with customizations in separate files. Consequently, the customized profile is not available in the RHEL graphical installation even when you properly specify it in the corresponding Kickstart section.

GnuTLS fails to resume current session with the NSS server

When resuming a TLS (Transport Layer Security) 1.3 session, the GnuTLS client waits 60 milliseconds plus an estimated round trip time for the server to send session resumption data. If the server does not send the resumption data within this time, the client creates a new session instead of resuming the current session. This incurs no serious adverse effects except for a minor performance impact on a regular session negotiation.

The oscap-ssh utility fails when scanning a remote system with --sudo

When performing a Security Content Automation Protocol (SCAP) scan of a remote system using the oscap-ssh tool with the --sudo option, the oscap tool on the remote system saves scan result files and report files into a temporary directory as the root user. If the umask settings on the remote machine have been changed, oscap-ssh might not have access to these files. To work around this problem, modify the oscap-ssh tool as described in this solution "oscap-ssh --sudo" fails to retrieve the result files with "scp: …​: Permission denied" error. As a result, oscap saves the files as the target user, and oscap-ssh accesses the files normally.

OpenSCAP produces false positives caused by removing blank lines from YAML multi-line strings

When OpenSCAP generates Ansible remediations from a datastream, it removes blank lines from YAML multi-line strings. Because some Ansible remediations contain literal configuration file content, removing blank lines affects the corresponding remediations. This causes the openscap utility to fail the corresponding Open Vulnerability and Assessment Language (OVAL) checks, even though the blank lines do not have any effect. To work around this problem, check the rule descriptions and skip scan results that failed because of missing blank lines. Alternatively, use Bash remediations instead of Ansible remediations, because Bash remediations do not produce these false positive results.

OSPP-based profiles are incompatible with GUI package groups.

GNOME packages installed by the Server with GUI package group require the nfs-utils package that is not compliant with the Operating System Protection Profile (OSPP). As a consequence, selecting the Server with GUI package group during the installation of a system with OSPP or OSPP-based profiles, for example, Security Technical Implementation Guide (STIG), aborts the installation. If the OSPP-based profile is applied after the installation, the system is not bootable. To work around this problem, do not install the Server with GUI package group or any other groups that install GUI when using the OSPP profile and OSPP-based profiles. When you use the Server or Minimal Install package groups instead, the system installs without issues and works correctly.

RHEL8 system with the Server with GUI package group cannot be remediated using the e8 profile

Using the OpenSCAP Anaconda Add-on to harden the system on the Server With GUI package group with profiles that select rules from the Verify Integrity with RPM group requires an extreme amount of RAM on the system. This problem is caused by the OpenSCAP scanner; for more details see Scanning large numbers of files with OpenSCAP causes systems to run out of memory. As a consequence, the hardening of the system using the RHEL8 Essential Eight (e8) profile is not successful. To work around this problem, choose a smaller package group, for example, Server, and install additional packages that you require after the installation. As a result, the system will have a smaller number of packages, the scanning will require less memory, and therefore the system can be hardened automatically.

Scanning large numbers of files with OpenSCAP causes systems to run out of memory

The OpenSCAP scanner stores all the collected results in the memory until the scan finishes. As a consequence, the system might run out of memory on systems with low RAM when scanning large numbers of files, for example from the large package groups Server with GUI and Workstation. To work around this problem, use smaller package groups, for example, Server and Minimal Install on systems with limited RAM. If you need to use large package groups, you can test whether your system has sufficient memory in a virtual or staging environment. Alternatively, you can tailor the scanning profile to deselect rules that involve recursion over the entire / filesystem:

IPsec network traffic fails during IPsec offloading when GRO is disabled

IPsec offloading is not expected to work when Generic Receive Offload (GRO) is disabled on the device. If IPsec offloading is configured on a network interface and GRO is disabled on that device, IPsec network traffic fails.

iptables does not request module loading for commands that update a chain if the specified chain type is not known

Note: This problem causes spurious errors with no functional implication when stopping the iptables systemd service if you are using the services default configuration.

Automatic loading of address family-specific LOG back end modules by the nft_compat module can hang

When the nft_compat module loads address family-specific LOG target back ends while an operation on network namespaces (netns) happens in parallel, a lock collision can occur. As a consequence, loading the address family-specific LOG target back ends can hang. To work around the problem, manually load the relevant LOG target back ends, such as nf_log_ipv4.ko and nf_log_ipv6.ko, before executing the iptables-restore utility. As a result, loading the LOG target back ends does not hang. However, if the problem appears during the system boots, no workaround is available.

Accidental patch removal causes huge_page_setup_helper.py to show error

A patch that updates the huge_page_setup_helper.py script, was accidentally removed. Consequently, after executing the huge_page_setup_helper.py script, the following error message appears:

Systems with a large amount of persistent memory experience delays during the boot process

Systems with a large amount of persistent memory take a long time to boot because the initialization of the memory is serialized. Consequently, if there are persistent memory file systems listed in the /etc/fstab file, the system might timeout while waiting for devices to become available. To work around this problem, configure the DefaultTimeoutStartSec option in the /etc/systemd/system.conf file to a sufficiently large value.

KSM sometimes ignores NUMA memory policies

When the kernel shared memory (KSM) feature is enabled with the merge_across_nodes=1 parameter, KSM ignores memory policies set by the mbind() function, and may merge pages from some memory areas to Non-Uniform Memory Access (NUMA) nodes that do not match the policies.

Debug kernel fails to boot in crash capture environment in RHEL 8

Due to memory-demanding nature of the debug kernel, a problem occurs when the debug kernel is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to boot as the capture kernel, and a stack trace is generated instead. To work around this problem, increase the crash kernel memory accordingly. As a result, the debug kernel successfully boots in the crash capture environment.

zlib may slow down a vmcore capture in some compression functions

The kdump configuration file uses the lzo compression format (makedumpfile -l) by default. When you modify the configuration file using the zlib compression format, (makedumpfile -c) it is likely to bring a better compression factor at the expense of slowing down the vmcore capture process. As a consequence, it takes the kdump upto four times longer to capture a vmcore with zlib, as compared to lzo.

A vmcore capture fails after memory hot-plug or unplug operation

After performing the memory hot-plug or hot-unplug operation, the event comes after updating the device tree which contains memory layout information. Thereby the makedumpfile utility tries to access a non-existent physical address. The problem appears if all of the following conditions meet:

The fadump dumping mechanism renames the network interface to kdump-<interface-name>

When using firmware-assisted dump (fadump) to capture a vmcore and store it to a remote machine using SSH or NFS protocol, renames the network interface to kdump-<interface-name>. The renaming happens when the <interface-name> is generic, for example, *eth#, or net# and so on. This problem occurs because the vmcore capture scripts in the initial RAM disk (initrd) add the kdump- prefix to the network interface name to secure persistent naming. Since the same initrd is also used for a regular boot, the interface name is changed for the production kernel too.

The system enters the emergency mode at boot-time when fadump is enabled

The system enters the emergency mode when fadump (kdump) or dracut squash module is enabled in the initramfs scheme because systemd manager fails to fetch the mount information and configure the LV partition to mount. To work around this problem, add the following kernel command line parameter rd.lvm.lv=<VG>/<LV> to discover and mount the failed LV partition appropriately. As a result, the system will boot successfully in the described scenario.

Using irqpoll causes vmcore generation failure

Due to an existing problem with the nvme driver on the 64-bit ARM architectures that run on the Amazon Web Services (AWS) cloud platforms, the vmcore generation fails when you provide the irqpoll kernel command line parameter to the first kernel. Consequently, no vmcore file is dumped in the /var/crash/ directory after a kernel crash. To work around this problem:

Using vPMEM memory as dump target delays the kernel crash capture process

When you use Virtual Persistent Memory (vPEM) namespaces as kdump or fadump target, the papr_scm module is forced to unmap and remap the memory backed by vPMEM and re-add the memory to its linear map. Consequently, this behavior triggers Hypervisor Calls (HCalls) to the POWER Hypervisor, and the total time taken, slows the capture kernel boot considerably. Therefore, it is recommended not to use vPMEM namespaces as a dump target for kdump or fadump.

The HP NMI watchdog does not always generate a crash dump

In certain cases, the hpwdt driver for the HP NMI watchdog is not able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI was instead consumed by the perfmon driver.

The tuned-adm profile powersave command causes the system to become unresponsive

Executing the tuned-adm profile powersave command leads to an unresponsive state of the Penguin Valkyrie 2000 2-socket systems with the older Thunderx (CN88xx) processors. Consequently, reboot the system to resume working. To work around this problem, avoid using the powersave profile if your system matches the mentioned specifications.

The cxgb4 driver causes crash in the kdump kernel

The kdump kernel crashes while trying to save information in the vmcore file. Consequently, the cxgb4 driver prevents the kdump kernel from saving a core for later analysis. To work around this problem, add the novmcoredd parameter to the kdump kernel command line to allow saving core files.

Attempting to add ICE driver NIC port to a mode 5 (balance-tlb) bonding master interface might lead to failure

Attempting to add ICE driver NIC port to a mode 5 (balance-tlb) bonding master interface might lead to a failure with an error Master 'bond0', Slave 'ens1f0': Error: Enslave failed. Consequently, you experience an intermittent failure to add the NIC port to the bonding master interface. To workaround this problem, attempt to retry adding the interface.

Attaching the Virtual Function to virtual machine with interface type='hostdev' might fails at times

Attaching a Virtual Function (VF) to a virtual machine using an .XML file, following the Assignment with <interface type='hostdev'> method, might fail at times. This occurs because using the Assignment with <interface type='hostdev'> method prevents the VM from attaching to the VF NIC presented to this virtual machine. To workaround this problem, attach the VF to the VM using the .XML file using the Assignment with <hostdev> method. As a result, the virsh attach-device command succeeds without error. For more details about the difference between Assignment with <hostdev> and Assignment with <interface type='hostdev'> (SRIOV devices only), see PCI Passthrough of host network devices.

The /boot file system cannot be placed on LVM

You cannot place the /boot file system on an LVM logical volume. This limitation exists for the following reasons:

LVM no longer allows creating volume groups with mixed block sizes

LVM utilities such as vgcreate or vgextend no longer allow you to create volume groups (VGs) where the physical volumes (PVs) have different logical block sizes. LVM has adopted this change because file systems fail to mount if you extend the underlying logical volume (LV) with a PV of a different block size.

DM Multipath might fail to start when too many LUNs are connected

The multipathd service might time out and fail to start if too many logical units (LUNs) are connected to the system. The exact number of LUNs that causes the problem depends on several factors, including the number of devices, the response time of the storage array, the memory and CPU configuration, and system load.

Limitations of LVM writecache

The writecache LVM caching method has the following limitations, which are not present in the cache method:

LVM mirror devices that store a LUKS volume sometimes become unresponsive

Mirrored LVM devices with a segment type of mirror that store a LUKS volume might become unresponsive under certain conditions. The unresponsive devices reject all I/O operations.

An NFS 4.0 patch can result in reduced performance under an open-heavy workload

Previously, a bug was fixed that, in some cases, could cause an NFS open operation to overlook the fact that a file had been removed or renamed on the server. However, the fix may cause slower performance with workloads that require many open operations. To work around this problem, it might help to use NFS version 4.1 or higher, which have been improved to grant delegations to clients in more cases, allowing clients to perform open operations locally, quickly, and safely.

getpwnam() might fail when called by a 32-bit application

When a user of NIS uses a 32-bit application that calls the getpwnam() function, the call fails if the nss_nis.i686 package is missing. To work around this problem, manually install the missing package by using the yum install nss_nis.i686 command.

nginx cannot load server certificates from hardware security tokens

The nginx web server supports loading TLS private keys from hardware security tokens directly from PKCS#11 modules. However, it is currently impossible to load server certificates from hardware security tokens through the PKCS#11 URI. To work around this problem, store server certificates on the file system

php-fpm causes SELinux AVC denials when php-opcache is installed with PHP 7.2

When the php-opcache package is installed, the FastCGI Process Manager (php-fpm) causes SELinux AVC denials. To work around this problem, change the default configuration in the /etc/php.d/10-opcache.ini file to the following:

The mod_wsgi package name is missing when being installed as a dependency

With a change in mod_wsgi installation, described in BZ#1779705, the python3-mod_wsgi package no longer provides the name mod_wsgi. When installing the mod_wsgi module, you must specify the full package name. This change causes problems with dependencies of third-party packages.

Synthetic functions generated by GCC confuse SystemTap

GCC optimization can generate synthetic functions for partially inlined copies of other functions. Tools such as SystemTap and GDB cannot distinguish these synthetic functions from real functions. As a consequence, SystemTap places probes on both synthetic and real function entry points and, thus, registers multiple probe hits for a single real function call.

Changing /etc/nsswitch.conf requires a manual system reboot

Any change to the /etc/nsswitch.conf file, for example running the authselect select profile_id command, requires a system reboot so that all relevant processes use the updated version of the /etc/nsswitch.conf file. If a system reboot is not possible, restart the service that joins your system to Active Directory, which is the System Security Services Daemon (SSSD) or winbind.

SSSD returns incorrect LDAP group membership for local users when the files domain is enabled

If the System Security Services Daemon (SSSD) serves users from the local files and the ldap_rfc2307_fallback_to_local_users attribute in the [domain/LDAP] section of the sssd.conf file is set to True, then the files provider does not include group memberships from other domains. As a consequence, if a local user is a member of an LDAP group, the id local_user command does not return the user’s LDAP group membership. To work around this problem, disable the implicit files domain by adding

SSSD does not correctly handle multiple certificate matching rules with the same priority

If a given certificate matches multiple certificate matching rules with the same priority, the System Security Services Daemon (SSSD) uses only one of the rules. As a workaround, use a single certificate matching rule whose LDAP filter consists of the filters of the individual rules concatenated with the | (or) operator. For examples of certificate matching rules, see the sss-certamp(5) man page.

Private groups fail to be created with auto_private_group = hybrid when multiple domains are defined

Private groups fail to be created with the option auto_private_group = hybrid when multiple domains are defined and the hybrid option is used by any domain other than the first one. If an implicit files domain is defined along with an AD or LDAP domain in the sssd.conf file and is not marked as MPG_HYBRID, then SSSD fails to create a private group for a user who has uid=gid and the group with this gid does not exist in AD or LDAP.

python-ply is not FIPS compatible

The YACC module of the python-ply package uses the MD5 hashing algorithm to generate the fingerprint of a YACC signature. However, FIPS mode blocks the use of MD5, which is only allowed in non-security contexts. As a consequence, python-ply is not FIPS compatible. On a system in FIPS mode, all calls to ply.yacc.yacc() fail with the error message:

FreeRADIUS silently truncates Tunnel-Passwords longer than 249 characters

If a Tunnel-Password is longer than 249 characters, the FreeRADIUS service silently truncates it. This may lead to unexpected password incompatibilities with other systems.

Installing KRA fails if all KRA members are hidden replicas

The ipa-kra-install utility fails on a cluster where the Key Recovery Authority (KRA) is already present if the first KRA instance is installed on a hidden replica. Consequently, you cannot add further KRA instances to the cluster.

Directory Server warns about missing attributes in the schema if those attributes are used in a search filter

If you set the nsslapd-verify-filter-schema parameter to warn-invalid, Directory Server processes search operations with attributes that are not defined in the schema and logs a warning. With this setting, Directory Server returns requested attributes in search results, regardless whether the attributes is defined in the schema or not.

ipa-healthcheck-0.4 does not obsolete older versions of ipa-healthcheck

The Healthcheck tool has been split into two sub-packages: ipa-healthcheck and ipa-healthcheck-core. However, only the ipa-healthcheck-core sub-package is correctly set to obsolete older versions of ipa-healthcheck. As a result, updating Healthcheck only installs ipa-healthcheck-core and the ipa-healthcheck command does not work after the update.

Potential risk when using the default value for ldap_id_use_start_tls option

When using ldap:// without TLS for identity lookups, it can pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.

Limitations of the Wayland session

With Red Hat Enterprise Linux 8, the GNOME environment and the GNOME Display Manager (GDM) use Wayland as the default session type instead of the X11 session, which was used with the previous major version of RHEL.

Drag-and-drop does not work between desktop and applications

Due to a bug in the gnome-shell-extensions package, the drag-and-drop functionality does not currently work between desktop and applications. Support for this feature will be added back in a future release.

Disabling flatpak repositories from Software Repositories is not possible

Currently, it is not possible to disable or remove flatpak repositories in the Software Repositories tool in the GNOME Software utility.

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V Server 2016 hosts

When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a Microsoft Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the GRUB boot menu. In addition, the following error is logged in the Hyper-V event log:

System crash may result in fadump configuration loss

This issue is observed on systems where firmware-assisted dump (fadump) is enabled, and the boot partition is located on a journaling file system such as XFS. A system crash might cause the boot loader to load an older initrd that does not have the dump capturing support enabled. Consequently, after recovery, the system does not capture the vmcore file, which results in fadump configuration loss.

Unable to run graphical applications using sudo command

When trying to run graphical applications as a user with elevated privileges, the application fails to open with an error message. The failure happens because Xwayland is restricted by the Xauthority file to use regular user credentials for authentication.

radeon fails to reset hardware correctly

The radeon kernel driver currently does not reset hardware in the kexec context correctly. Instead, radeon falls over, which causes the rest of the kdump service to fail.

Multiple HDR displays on a single MST topology may not power on

On systems using NVIDIA Turing GPUs with the nouveau driver, using a DisplayPort hub (such as a laptop dock) with multiple monitors which support HDR plugged into it may result in failure to turn on all displays despite having done so on previous RHEL releases. This is due to the system erroneously thinking there is not enough bandwidth on the hub to support all of the displays.

Unprivileged users can access the Subscriptions page

If a non-administrator navigates to the Subscriptions page of the web console, the web console displays a generic error message Cockpit had an unexpected internal error.

Low GUI display performance in RHEL 8 virtual machines on a Windows Server 2019 host

When using RHEL 8 as a guest operating system in graphical mode on a Windows Server 2019 host, the GUI display performance is low, and connecting to a console output of the guest currently takes significantly longer than expected.

Displaying multiple monitors of virtual machines that use Wayland is not possible with QXL

Using the remote-viewer utility to display more than one monitor of a virtual machine (VM) that is using the Wayland display server causes the VM to become unresponsive and the Waiting for display status message to be displayed indefinitely.

virsh iface-\* commands do not work consistently

Currently, virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, frequently fail due to configuration dependencies. Therefore, it is recommended not to use virsh iface-\* commands for configuring and managing host network connections. Instead, use the NetworkManager program and its related management applications.

RHEL 8 virtual machines sometimes cannot boot on Witherspoon hosts

RHEL 8 virtual machines (VMs) that use the pseries-rhel7.6.0-sxxm machine type in some cases fail to boot on Power9 S922LC for HPC hosts (also known as Witherspoon) that use the DD2.2 or DD2.3 CPU.

IBM POWER virtual machines do not work correctly with empty NUMA nodes

Currently, when an IBM POWER virtual machine (VM) running on a RHEL 8 host is configured with a NUMA node that uses zero memory (memory='0') and zero CPUs, the VM cannot start. Therefore, Red Hat strongly recommends not using IBM POWER VMs with such empty NUMA nodes on RHEL 8.

SMT CPU topology is not detected by VMs when using host passthrough mode on AMD EPYC

When a virtual machine (VM) boots with the CPU host passthrough mode on an AMD EPYC host, the TOPOEXT CPU feature flag is not present. Consequently, the VM is not able to detect a virtual CPU topology with multiple threads per core. To work around this problem, boot the VM with the EPYC CPU model instead of host passthrough.

Disk identifiers in RHEL 8.2 VMs may change on VM reboot.

When using a virtual machine (VM) with RHEL 8.2 as the guest operating system on a Hyper-V hypervisor, the device identifiers for the VM’s virtual disks in some cases change when the VM reboots. For example, a disk originally identified as /dev/sda may become /dev/sdb. As a consequence, the VM might fail to boot, and scripts that reference disks of the VM might stop working.

Virtual machines sometimes fail to start when using many virtio-blk disks

Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number of interrupt vectors available in the platform. If this occurs, the VM’s guest OS fails to boot, and displays a dracut-initqueue[392]: Warning: Could not boot error.

Attaching LUN devices to virtual machines using virtio-blk does not work

The q35 machine type does not support transitional virtio 1.0 devices, and RHEL 8 therefore lacks support for features that were deprecated in virtio 1.0. In particular, it is not possible on a RHEL 8 host to send SCSI commands from virtio-blk devices. As a consequence, attaching a physical disk as a LUN device to a virtual machine fails when using the virtio-blk controller.

Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 fails

Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 becomes unresponsive with a "Migration status: active" status.

redhat-support-tool does not work with the FUTURE crypto policy

Because a cryptographic key used by a certificate on the Customer Portal API does not meet the requirements by the FUTURE system-wide cryptographic policy, the redhat-support-tool utility does not work with this policy level at the moment.

UDICA is not expected to work with 1.0 stable stream

UDICA, the tool to generate SELinux policies for containers, is not expected to work with containers that are run via podman 1.0.x in the container-tools:1.0 module stream.

Notes on FIPS support with Podman

The Federal Information Processing Standard (FIPS) requires certified modules to be used. Previously, Podman correctly installed certified modules in containers by enabling the proper flags at startup. However, in this release, Podman does not properly set up the additional application helpers normally provided by the system in the form of the FIPS system-wide crypto-policy. Although setting the system-wide crypto-policy is not required by the certified modules it does improve the ability of applications to use crypto modules in compliant ways. To work around this problem, change your container to run the update-crypto-policies --set FIPS command before any other application code is executed.