Chapter 6. RHEL 8.1.0 release

6.1. New features

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.1.

6.1.1. Installer and image creation

Modules can now be disabled during Kickstart installation

With this enhancement, users can now disable a module to prevent the installation of packages from the module. To disable a module during Kickstart installation, use the command:

module --name=foo --stream=bar --disable


Support for the repo.git section to blueprints is now available

A new repo.git blueprint section allows users to include extra files in their image build. The files must be hosted in git repository that is accessible from the lorax-composer build server.


Image Builder now supports image creation for more cloud providers

With this update, the Image Builder expanded the number of Cloud Providers that the Image Builder can create an image for. As a result, now you can create RHEL images that can be deployed also on Google Cloud and Alibaba Cloud as well as run the custom instances on these platforms.


6.1.2. Software management

dnf-utils has been renamed to yum-utils

With this update, the dnf-utils package, that is a part of the YUM stack, has been renamed to yum-utils. For compatibility reasons, the package can still be installed using the dnf-utils name, and will automatically replace the original package when upgrading your system.


6.1.3. Subscription management

subscription-manager now reports the role, usage and add-ons values

With this update, the subscription-manager can now display the Role, Usage and Add-ons values for each subscription available in the current organization, which is registered to either the Customer Portal or to the Satellite.

  • To show the available subscriptions with the addition of Role, Usage and Add-ons values for those subscriptions use:

    # subscription-manager list --available
  • To show the consumed subscriptions including the additional Role, Usage and Add-ons values use:

    # subscription-manager list --consumed


6.1.4. Infrastructure services

tuned rebased to version 2.12

The tuned packages have been upgraded to upstream version 2.12, which provides a number of bug fixes and enhancements over the previous version, notably:

  • Handling of devices that have been removed and reattached has been fixed.
  • Support for negation of CPU list has been added.
  • Performance of runtime kernel parameter configuration has been improved by switching from the sysctl tool to a new implementation specific to Tuned.


chrony rebased to version 3.5

The chrony packages have been upgraded to upstream version 3.5, which provides a number of bug fixes and enhancements over the previous version, notably:

  • Support for more accurate synchronization of the system clock with hardware timestamping in RHEL 8.1 kernel has been added.
  • Hardware timestamping has received significant improvements.
  • The range of available polling intervals has been extended.
  • The filter option has been added to NTP sources.


New FRRouting routing protocol stack is available

With this update, Quagga has been replaced by Free Range Routing (FRRouting, or FRR), which is a new routing protocol stack. FRR is provided by the frr package available in the AppStream repository.

FRR provides TCP/IP-based routing services with support for multiple IPv4 and IPv6 routing protocols, such as BGP, IS-IS, OSPF, PIM, and RIP.

With FRR installed, the system can act as a dedicated router, which exchanges routing information with other routers in either internal or external network.


GNU enscript now supports ISO-8859-15 encoding

With this update, support for ISO-8859-15 encoding has been added into the GNU enscript program.


Improved accuracy of measuring system clock offset in phc2sys

The phc2sys program from the linuxptp packages now supports a more accurate method for measuring the offset of the system clock.


ptp4l now supports team interfaces in active-backup mode

With this update, support for team interfaces in active-backup mode has been added into the PTP Boundary/Ordinary Clock (ptp4l).


The PTP time synchronization on macvlan interfaces is now supported

This update adds support for hardware timestamping on macvlan interfaces into the Linux kernel. As a result, macvlan interfaces can now use the Precision Time Protocol (PTP) for time synchronization.


6.1.5. Security

New package: fapolicyd

The fapolicyd software framework introduces a form of application whitelisting and blacklisting based on a user-defined policy. The application whitelisting feature provides one of the most efficient ways to prevent running untrusted and possibly malicious applications on the system.

The fapolicyd framework provides the following components:

  • fapolicyd service
  • fapolicyd command-line utilities
  • yum plugin
  • rule language

Administrator can define the allow and deny execution rules, both with possibility of auditing, based on a path, hash, MIME type, or trust for any application.

Note that every fapolicyd setup affects overall system performance. The performance hit varies depending on the use case. The application whitelisting slow-downs the open() and exec() system calls, and therefore primarily affects applications that perform such system calls frequently.

See the fapolicyd(8), fapolicyd.rules(5), and fapolicyd.conf(5) man pages for more information.


New package: udica

The new udica package provides a tool for generation SELinux policies for containers. With udica, you can create a tailored security policy for better control of how a container accesses host system resources, such as storage, devices, and network. This enables you to harden your container deployments against security violations and it also simplifies achieving and maintaining regulatory compliance.

See the Creating SELinux policies for containers section in the RHEL 8 Using SELinux title for more information.


SELinux user-space tools updated to version 2.9

The libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, and mcstrans SELinux user-space tools have been upgraded to the latest upstream release 2.9, which provides many bug fixes and enhancements over the previous version.

(BZ#1672638, BZ#1672642, BZ#1672637, BZ#1672640, BZ#1672635, BZ#1672641)

SETools updated to version 4.2.2

The SETools collection of tools and libraries has been upgraded to the latest upstream release 4.2.2, which provides the following changes:

  • Removed source policy references from man pages, as loading source policies is no longer supported
  • Fixed a performance regression in alias loading


selinux-policy rebased to 3.14.3

The selinux-policy package has been upgraded to upstream version 3.14.3, which provides a number of bug fixes and enhancements to the allow rules over the previous version.


A new SELinux type: boltd_t

A new SELinux type, boltd_t, confines boltd, a system daemon for managing Thunderbolt 3 devices. As a result, boltd now runs as a confined service in SELinux enforcing mode.


A new SELinux policy class: bpf

A new SELinux policy class, bpf, has been introduced. The bpf class enables users to control the Berkeley Packet Filter (BPF) flow through SElinux, and allows inspection and simple manipulation of Extended Berkeley Packet Filter (eBPF) programs and maps controlled by SELinux.


OpenSCAP rebased to version 1.3.1

The openscap packages have been upgraded to upstream version 1.3.1, which provides many bug fixes and enhancements over the previous version, most notably:

  • Support for SCAP 1.3 source data streams: evaluating, XML schemas, and validation
  • Tailoring files are included in ARF result files
  • OVAL details are always shown in HTML reports, users do not have to provide the --oval-results option
  • HTML report displays OVAL test details also for OVAL tests included from other OVAL definitions using the OVAL extend_definition element
  • OVAL test IDs are shown in HTML reports
  • Rule IDs are shown in HTML guides


OpenSCAP now supports SCAP 1.3

The OpenSCAP suite now supports data streams conforming to the latest version of the SCAP standard - SCAP 1.3. You can now use SCAP 1.3 data streams, such as those contained in the scap-security-guide package, in the same way as SCAP 1.2 data streams without any additional usability restrictions.


scap-security-guide rebased to version 0.1.46

The scap-security-guide packages have been upgraded to upstream version 0.1.46, which provides many bug fixes and enhancements over the previous version, most notably: * SCAP content conforms to the latest version of SCAP standard, SCAP 1.3 * SCAP content supports UBI images


OpenSSH rebased to 8.0p1

The openssh packages have been upgraded to upstream version 8.0p1, which provides many bug fixes and enhancements over the previous version, most notably:

  • Increased default RSA key size to 3072 bits for the ssh-keygen tool
  • Removed support for the ShowPatchLevel configuration option
  • Applied numerous GSSAPI key exchange code fixes, such as the fix of Kerberos cleanup procedures
  • Removed fall back to the sshd_net_t SELinux context
  • Added support for Match final blocks
  • Fixed minor issues in the ssh-copy-id command
  • Fixed Common Vulnerabilities and Exposures (CVE) related to the scp utility (CVE-2019-6111, CVE-2018-20685, CVE-2019-6109)

Note, that this release introduces minor incompatibility of scp as mitigation of CVE-2019-6111. If your scripts depend on advanced bash expansions of the path during an scp download, you can use the -T switch to turn off these mitigations temporarily when connecting to trusted servers.


libssh now complies with the system-wide crypto-policies

The libssh client and server now automatically load the /etc/libssh/libssh_client.config file and the /etc/libssh/libssh_server.config, respectively. This configuration file includes the options set by the system-wide crypto-policies component for the libssh back end and the options set in the /etc/ssh/ssh_config or /etc/ssh/sshd_config OpenSSH configuration file. With automatic loading of the configuration file, libssh now use the system-wide cryptographic settings set by crypto-policies. This change simplifies control over the set of used cryptographic algorithms by applications.

(BZ#1610883, BZ#1610884)

An option for rsyslog to preserve case of FROMHOST is available

This update to the rsyslog service introduces the option to manage letter case preservation of the FROMHOST property for the imudp and imtcp modules. Setting the preservecase value to on means the FROMHOST property is handled in a case sensitive manner. To avoid breaking existing configurations, the default values of preservecase are on for imtcp and off for imudp.


6.1.6. Networking

PMTU discovery and route redirection is now supported with VXLAN and GENEVE tunnels

The kernel in Red Hat Enterprise Linux (RHEL) 8.0 did not handle Internet Control Message Protocol (ICMP) and ICMPv6 messages for Virtual Extensible LAN (VXLAN) and Generic Network Virtualization Encapsulation (GENEVE) tunnels. As a consequence, Path MTU (PMTU) discovery and route redirection was not supported with VXLAN and GENEVE tunnels in RHEL releases prior to 8.1. With this update, the kernel handles ICMP "Destination Unreachable" and "Redirect Message", as well as ICMPv6 "Packet Too Big" and "Destination Unreachable" error messages by adjusting the PMTU and modifying forwarding information. As a result, RHEL 8.1 supports PMTU discovery and route redirection with VXLAN and GENEVE tunnels.


Notable changes in XDP and networking eBPF features in kernel

The XDP and the networking eBPF features in the kernel package have been upgraded to upstream version 5.0, which provides a number of bug fixes and enhancements over the previous version:

  • eBPF programs can now better interact with the TCP/IP stack, perform flow dissection, have wider range of bpf helpers available, and have access to new map types.
  • XDP metadata are now available to AF_XDP sockets.


The new PTP_SYS_OFFSET_EXTENDED control for ioctl() improves the accuracy of measured system-PHC ofsets

This enhancement adds the PTP_SYS_OFFSET_EXTENDED control for more accurate measurements of the system precision time protocol (PTP) hardware clock (PHC) offset to the ioctl() function. The PTP_SYS_OFFSET control which, for example, the chrony service uses to measure the offset between a PHC and the system clock is not accurate enough. With the new PTP_SYS_OFFSET_EXTENDED control, drivers can isolate the reading of the lowest bits. This improves the accuracy of the measured offset. Network drivers typically read multiple PCI registers, and the driver does not read the lowest bits of the PHC time stamp between two readings of the system clock.


ipset rebased to version 7.1

The ipset packages have been upgraded to upstream version 7.1, which provides a number of bug fixes and enhancements over the previous version:

  • The ipset protocol version 7 introduces the IPSET_CMD_GET_BYNAME and IPSET_CMD_GET_BYINDEX operations. Additionally, the user space component can now detect the exact compatibility level that the kernel component supports.
  • A significant number of bugs have been fixed, such as memory leaks and use-after-free bugs.


6.1.7. Kernel

Kernel version in RHEL 8.1

Red Hat Enterprise Linux 8.1 is distributed with the kernel version 4.18.0-147.


Live patching for the kernel is now available

Live patching for the kernel, kpatch, provides a mechanism to patch the running kernel without rebooting or restarting any processes. Live kernel patches will be provided for selected minor release streams of RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important CVEs.

To subscribe to the kpatch stream for the RHEL 8.1 version of the kernel, install the kpatch-patch-4_18_0-147 package provided by the RHEA-2019:3695 advisory.

For more information, see Applying patches with kernel live patching in Managing, monitoring and updating the kernel.


Extended Berkeley Packet Filter in RHEL 8

Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions. The virtual machine executes special assembly-like code. The code is then loaded to the kernel and translated to the native machine code with just-in-time compilation. There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported.

In RHEL 8.1, the BPF Compiler Collection (BCC) tools package is fully supported on the AMD and Intel 64-bit architectures. The BCC tools package is a collection of dynamic kernel tracing utilities that use the eBPF virtual machine.

The following eBPF components are currently available as a Technology Preview:

  • The BCC tools package on the following architectures: the 64-bit ARM architecture, IBM Power Systems, Little Endian, and IBM Z
  • The BCC library on all architectures
  • The bpftrace tracing language
  • The eXpress Data Path (XDP) feature

For details regarding the Technology Preview components, see Section 6.5.2, “Kernel”.


Red Hat Enterprise Linux 8 now supports early kdump

The early kdump feature allows the crash kernel and initramfs to load early enough to capture the vmcore information even for early crashes.

For more details about early kdump, see the /usr/share/doc/kexec-tools/early-kdump-howto.txt file.


RHEL 8 now supports ipcmni_extend

A new kernel command line parameter ipcmni_extend has been added to Red Hat Enterprise Linux 8. The parameter extends a number of unique System V Inter-process Communication (IPC) identifiers from the current maximum of 32 KB (15 bits) up to 16 MB (24 bits). As a result, users whose applications produce a lot of shared memory segments are able to create a stronger IPC identifier without exceeding the 32 KB limit.

Note that in some cases using ipcmni_extend results in a small performance overhead and it should be used only if the applications need more than 32 KB of unique IPC identifier.


The persistent memory initialization code supports parallel initialization

The persistent memory initialization code enables parallel initialization on systems with multiple nodes of persistent memory. The parallel initialization greatly reduces the overall memory initialization time on systems with large amounts of persistent memory. As a result, these systems can now boot much faster.


TPM userspace tool has been updated to the last version

The tpm2-tools userspace tool has been updated to version 2.0. With this update, tpm2-tools is able to fix many defects.


The rngd daemon is now able to run with non-root privileges

The random number generator daemon (rngd) checks whether data supplied by the source of randomness is sufficiently random and then stores the data in the kernel’s random-number entropy pool. With this update, rngd is able to run with non-root user privileges to enhance system security.


Full support for the ibmvnic driver

With the introduction of Red Hat Enterprise Linux 8.0, the IBM Virtual Network Interface Controller (vNIC) driver for IBM POWER architectures, ibmvnic, was available as a Technology Preview. vNIC is a PowerVM virtual networking technology that delivers enterprise capabilities and simplifies network management. It is a high-performance, efficient technology that when combined with SR-IOV NIC provides bandwidth control Quality of Service (QoS) capabilities at the virtual NIC level. vNIC significantly reduces virtualization overhead, resulting in lower latencies and fewer server resources, including CPU and memory, required for network virtualization.

Starting with Red Hat Enterprise Linux 8.1 the ibmvnic device driver is fully supported on IBM POWER9 systems.


Intel ® Omni-Path Architecture (OPA) Host Software

Intel Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 8.1. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.


UBSan has been enabled in the debug kernel in RHEL 8

The Undefined Behavior Sanitizer (UBSan) utility exposes undefined behavior flaws in C code languages at runtime. This utility has now been enabled in the debug kernel because the compiler behavior was, in some cases, different than developers' expectations. Especially, in the case of compiler optimization, where subtle, obscure bugs would appear. As a result, running the debug kernel with UBSan enabled allows the system to easily detect such bugs.


The fadump infrastructure now supports re-registering in RHEL 8

The support has been added for re-registering (unregistering and registering) of the firmware-assisted dump (fadump) infrastructure after any memory hot add/remove operation to update the crash memory ranges. The feature aims to prevent the system from potential racing issues during unregistering and registering fadump from userspace during udev events.


The script has been introduced in RHEL for Real Time 8

The script has been introduced to help use the queuelat test program. The script executes queuelat to determine the maximum packets per second a machine can handle.


kernel-rt source tree now matches the latest RHEL 8 tree

The kernel-rt sources have been upgraded to be based on the latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and enhancements over the previous version.


The ssdd test has been added to RHEL for Real Time 8

The ssdd test has been added to enable stress testing of the tracing subsystem. The test runs multiple tracing threads to verify locking is correct within the tracing system.


6.1.8. Hardware enablement

Memory Mode for Optane DC Persistent Memory technology is fully supported

Intel Optane DC Persistent Memory storage devices provide data center-class persistent memory technology, which can significantly increase transaction throughput.

To use the Memory Mode technology, your system does not require any special drivers or specific certification. Memory Mode is transparent to the operating system.


IBM Z now supports system boot signature verification

Secure Boot allows the system firmware to check the authenticity of cryptographic keys that were used to sign the kernel space code. As a result,the feature improves security since only code from trusted vendors can be executed.

Note that IBM z15 is required to use Secure Boot.


6.1.9. File systems and storage

Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)

DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.

DIF/DIX is not supported on the following configurations:

  • It is not supported for use on the boot device.
  • It is not supported on virtualized guests.
  • Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled.

DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent.

For further information on the DIF/DIX feature, see What is DIF/DIX.


Optane DC memory systems now supports EDAC reports

Previously, EDAC was not reporting memory corrected/uncorrected events if the memory address was within a NVDIMM module. With this update, EDAC can properly report the events with the correct memory module information.


The VDO Ansible module has been moved to Ansible packages

Previously, the VDO Ansible module was provided by the vdo RPM package. Starting with this release, the module is provided by the ansible package instead.

The original location of the VDO Ansible module file was:


The new location of the file is:


The vdo package continues to distribute Ansible playbooks.

For more information on Ansible, see


Aero adapters are now fully supported

The following Aero adapters, previously available as a Technology Preview, are now fully supported:

  • PCI ID 0x1000:0x00e2 and 0x1000:0x00e6, controlled by the mpt3sas driver
  • PCI ID 0x1000:Ox10e5 and 0x1000:0x10e6, controlled by the megaraid_sas driver


LUKS2 now supports online re-encryption

The Linux Unified Key Setup version 2 (LUKS2) format now supports re-encrypting encrypted devices while the devices are in use. For example, you do not have to unmount the file system on the device to perform the following tasks:

  • Change the volume key
  • Change the encryption algorithm

When encrypting a non-encrypted device, you must still unmount the file system, but the encryption is now significantly faster. You can remount the file system after a short initialization of the encryption.

Additionally, the LUKS2 re-encryption is now more resilient. You can select between several options that prioritize performance or data protection during the re-encryption process.

To perform the LUKS2 re-encryption, use the cryptsetup reencrypt subcommand. Red Hat no longer recommends using the cryptsetup-reencrypt utility for the LUKS2 format.

Note that the LUKS1 format does not support online re-encryption, and the cryptsetup reencrypt subcommand is not compatible with LUKS1. To encrypt or re-encrypt a LUKS1 device, use the cryptsetup-reencrypt utility.

For more information on disk encryption, see Encrypting block devices using LUKS.


New features of ext4 available in RHEL 8

In RHEL8, following are the new fully supported features of ext4:

  • Non-default features:

    • project
    • quota
    • mmp
  • Non-default mount options:

    • bsddf|minixdf
    • grpid|bsdgroups and nogrpid|sysvgroups
    • resgid=n and resuid=n
    • errors={continue|remount-ro|panic}
    • commit=nrsec
    • max_batch_time=usec
    • min_batch_time=usec
    • grpquota|noquota|quota|usrquota
    • prjquota
    • dax
    • lazytime|nolazytime
    • discard|nodiscard
    • init_itable|noinit_itable
    • jqfmt={vfsold|vfsv0|vfsv1}
    • usrjquota=aquota.user|

For more information on features and mount options, see the ext4 man page. Other ext4 features, mount options or both, or combination of features, mount options or both may not be fully supported by Red Hat. If your special workload requires a feature or mount option that is not fully supported in the Red Hat release, contact Red Hat support to evaluate it for inclusion in our supported list.


NVMe over RDMA now supports an Infiniband in the target mode for IBM Coral systems

In RHEL 8.1, NVMe over RDMA now supports an Infiniband in the target mode for IBM Coral systems, with a single NVMe PCIe add in card as the target.


6.1.10. High availability and clusters

Pacemaker now defaults the concurrent-fencing cluster property to true

If multiple cluster nodes need to be fenced at the same time, and they use different configured fence devices, Pacemaker will now execute the fencing simultaneously, rather than serialized as before. This can result in greatly sped up recovery in a large cluster when multiple nodes must be fenced.


Extending a shared logical volume no longer requires a refresh on every cluster node

With this release, extending a shared logical volume no longer requires a refresh on every cluster node after running the lvextend command on one cluster node. For the full procedure to extend the size of a GFS2 file system, see Growing a GFS2 file system.


Maximum size of a supported RHEL HA cluster increased from 16 to 32 nodes

With this release, Red Hat supports cluster deployments of up to 32 full cluster nodes.


Commands for adding, changing, and removing corosync links have been added to pcs

The Kronosnet (knet) protocol now allows you to add and remove knet links in running clusters. To support this feature, the pcs command now provides commands to add, change, and remove knet links and to change a upd/udpu link in an existing cluster. For information on adding and modifying links in an existing cluster, see Adding and modifying links in an existing cluster. (BZ#1667058)

6.1.11. Dynamic programming languages, web and database servers

A new module stream: php:7.3

RHEL 8.1 introduces PHP 7.3, which provides a number of new features and enhancements. Notable changes include:

  • Enhanced and more flexible heredoc and nowdoc syntaxes
  • The PCRE extension upgraded to PCRE2
  • Improved multibyte string handling
  • Support for LDAP controls
  • Improved FastCGI Process Manager (FPM) logging
  • Several deprecations and backward incompatible changes

For more information, see Migrating from PHP 7.2.x to PHP 7.3.x.

Note that the RHEL 8 version of PHP 7.3 does not support the Argon2 password hashing algorithm.

To install the php:7.3 stream, use:

# yum module install php:7.3

If you want to upgrade from the php:7.2 stream, see Switching to a later stream.


A new module stream: ruby:2.6

A new module stream, ruby:2.6, is now available. Ruby 2.6.3, included in RHEL 8.1, provides numerous new features, enhancements, bug and security fixes, and performance improvements over version 2.5 distributed in RHEL 8.0.

Notable enhancements include:

  • Constant names are now allowed to begin with a non-ASCII capital letter.
  • Support for an endless range has been added.
  • A new Binding#source_location method has been provided.
  • $SAFE is now a process global state and it can be set back to 0.

The following performance improvements have been implemented:

  • The Proc#call and processes have been optimized.
  • A new garbage collector managed heap, Transient heap (theap), has been introduced.
  • Native implementations of coroutines for individual architectures have been introduced.

In addition, Ruby 2.5, provided by the ruby:2.5 stream, has been upgraded to version 2.5.5, which provides a number of bug and security fixes.

To install the ruby:2.6 stream, use:

# yum module install ruby:2.6

If you want to upgrade from the ruby:2.5 stream, see Switching to a later stream.


A new module stream: nodejs:12

RHEL 8.1 introduces Node.js 12, which provides a number of new features and enhancements over version 10. Notable changes include:

  • The V8 engine upgraded to version 7.4
  • A new default HTTP parser, llhttp (no longer experimental)
  • Integrated capability of heap dump generation
  • Support for ECMAScript 2015 (ES6) modules
  • Improved support for native modules
  • Worker threads no longer require a flag
  • A new experimental diagnostic report feature
  • Improved performance

To install the nodejs:12 stream, use:

# yum module install nodejs:12

If you want to upgrade from the nodejs:10 stream, see Switching to a later stream.


Judy-devel available in CRB

The Judy-devel package is now available as a part of the mariadb-devel:10.3 module in the CodeReady Linux Builder repository (CRB). As a result, developers are now able to build applications with the Judy library.

To install the Judy-devel package, enable the mariadb-devel:10.3 module first:

# yum module enable mariadb-devel:10.3
# yum install Judy-devel


FIPS compliance in Python 3

This update adds support for OpenSSL FIPS mode to Python 3. Namely:

  • In FIPS mode, the blake2, sha3, and shake hashes use the OpenSSL wrappers and do not offer extended functionality (such as keys, tree hashing, or custom digest size).
  • In FIPS mode, the hmac.HMAC class can be instantiated only with an OpenSSL wrapper or a string with OpenSSL hash name as the digestmod argument. The argument must be specified (instead of defaulting to the md5 algorithm).

Note that hash functions support the usedforsecurity argument, which allows using insecure hashes in OpenSSL FIPS mode. The user is responsible for ensuring compliance with any relevant standards.


FIPS compliance changes in python3-wheel

This update of the python3-wheel package removes a built-in implementation for signing and verifying data that is not compliant with FIPS.


A new module stream: nginx:1.16

The nginx 1.16 web and proxy server, which provides a number of new features and enhancements over version 1.14, is now available. For example:

  • Numerous updates related to SSL (loading of SSL certificates and secret keys from variables, variable support in the ssl_certificate and ssl_certificate_key directives, a new ssl_early_data directive)
  • New keepalive-related directives
  • A new random directive for distributed load balancing
  • New parameters and improvements to existing directives (port ranges for the listen directive, a new delay parameter for the limit_req directive, which enables two-stage rate limiting)
  • A new $upstream_bytes_sent variable
  • Improvements to User Datagram Protocol (UDP) proxying

Other notable changes include:

  • In the nginx:1.16 stream, the nginx package does not require the nginx-all-modules package, therefore nginx modules must be installed explicitly. When you install nginx as module, the nginx-all-modules package is installed as a part of the common profile, which is the default profile.
  • The ssl directive has been deprecated; use the ssl parameter for the listen directive instead.
  • nginx now detects missing SSL certificates during configuration testing.
  • When using a host name in the listen directive, nginx now creates listening sockets for all addresses that the host name resolves to.

To install the nginx:1.16 stream, use:

# yum module install nginx:1.16

If you want to upgrade from the nginx:1.14 stream, see Switching to a later stream.


perl-IO-Socket-SSL rebased to version 2.066

The perl-IO-Socket-SSL package has been upgraded to version 2.066, which provides a number of bug fixes and enhancements over the previous version, for example:

  • Improved support for TLS 1.3, notably a session reuse and an automatic post-handshake authentication on the client side
  • Added support for multiple curves, automatic setting of curves, partial trust chains, and support for RSA and ECDSA certificates on the same domain


perl-Net-SSLeay rebased to version 1.88

The perl-Net-SSLeay package has been upgraded to version 1.88, which provides multiple bug fixes and enhancements. Notable changes include:

  • Improved compatibility with OpenSSL 1.1.1, such as manipulating a stack of certificates and X509 stores, and selecting elliptic curves and groups
  • Improved compatibility with TLS 1.3, for example, a session reuse and a post-handshake authentication
  • Fixed memory leak in the cb_data_advanced_put() subroutine.


6.1.12. Compilers and development tools

GCC Toolset 9 available

Red Hat Enterprise Linux 8.1 introduces GCC Toolset 9, an Application Stream containing more up-to-date versions of development tools.

The following tools and versions are provided by GCC Toolset 9:


























GCC Toolset 9 is available as an Application Stream in the form of a Software Collection in the AppStream repository. GCC Toolset is a set of tools similar to Red Hat Developer Toolset for RHEL 7.

To install GCC Toolset 9:

# yum install gcc-toolset-9

To run a tool from GCC Toolset 9:

$ scl enable gcc-toolset-9 tool

To run a shell session where tool versions from GCC Toolset 9 take precedence over system versions of these tools:

$ scl enable gcc-toolset-9 bash

For detailed instructions regarding usage, see Using GCC Toolset.


Upgraded compiler toolsets

The following compiler toolsets, distributed as Application Streams, have been upgraded with RHEL 8.1:

  • Clang and LLVM Toolset, which provides the LLVM compiler infrastructure framework, the Clang compiler for the C and C++ languages, the LLDB debugger, and related tools for code analysis, to version 8.0.1
  • Rust Toolset, which provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries, to version 1.37
  • Go Toolset, which provides the Go (golang) programming language tools and libraries, to version 1.12.8.

(BZ#1731502, BZ#1691975, BZ#1680091, BZ#1677819, BZ#1681643)

SystemTap rebased to version 4.1

The SystemTap instrumentation tool has been updated to upstream version 4.1. Notable improvements include:

  • The eBPF runtime backend can handle more features of the scripting language such as string variables and rich formatted printing.
  • Performance of the translator has been significantly improved.
  • More types of data in optimized C code can now be extracted with DWARF4 debuginfo constructs.


General availability of the DHAT tool

Red Hat Enterprise Linux 8.1 introduces the general availability of the DHAT tool. It is based on the valgrind tool version 3.15.0.

You can find changes/improvements in valgrind tool functionality below:

  • use --tool=dhat instead of --tool=exp-dhat,
  • --show-top-n and --sort-by options have been removed because dhat tool now prints the minimal data after the program ends,
  • a new viewer dh_view.html, which is a JavaScript programm, contains the profile results. A short message explains how to view the results after the run is ended,
  • the documentation for a viewer is located: /usr/libexec/valgrind/dh_view.html,
  • the documentation for the DHAT tool is located: /usr/share/doc/valgrind/html/dh-manual.html,
  • the support for amd64 (x86_64): the RDRAND and F16C insn set extensions is added,
  • in cachegrind the cg_annotate command has a new option, --show-percs, which prints percentages next to all event counts,
  • in callgrind the callgrind_annotate command has a new option, --show-percs, which prints percentages next to all event counts,
  • in massif the default value for --read-inline-info is now yes,
  • in memcheck option --xtree-leak=yes, which outputs leak result in xtree format, automatically activates the option --show-leak-kinds=all,
  • the new option --show-error-list=no|yes displays the list of the detected errors and the used suppression at the end of the run. Previously, the user could specify the option -v for valgrind command, which shows a lot of information that might be confusing. The option -s is an equivalent to the option --show-error-list=yes.


elfutils rebased to version 0.176

The elfutils packages have been updated to upstream version 0.176. This version brings various bug fixes, and resolves the following vulnerabilities:

Notable improvements include:

  • The libdw library has been extended with the dwelf_elf_begin() function which is a variant of elf_begin() that handles compressed files.
  • A new --reloc-debug-sections-only option has been added to the eu-strip tool to resolve all trivial relocations between debug sections in place without any other stripping. This functionality is relevant only for ET_REL files in certain circumstances.


Additional memory allocation checks in glibc

Application memory corruption is a leading cause of application and security defects. Early detection of such corruption, balanced against the cost of detection, can provide significant benefits to application developers.

To improve detection, six additional memory corruption checks have been added to the malloc metadata in the GNU C Library (glibc), which is the core C library in RHEL. These additional checks have been added at a very low cost to runtime performance.


GDB can access more POWER8 registers

With this update, the GNU debugger (GDB) and its remote stub gdbserver can access the following additional registers and register sets of the POWER8 processor line of IBM:

  • PPR
  • DSCR
  • TAR
  • HTM


binutils disassembler can handle NFP binary files

The disassembler tool from the binutils package has been extended to handle binary files for the Netronome Flow Processor (NFP) hardware series. This functionality is required to enable further features in the bpftool Berkeley Packet Filter (BPF) code compiler.


Partially writable GOT sections are now supported on the IBM Z architecture

The IBM Z binaries using the "lazy binding" feature of the loader can now be hardened by generating partially writable Global offset table (GOT) sections. These binaries require a read-write GOT, but not all entries to be writable. This update provides protection for the entries from potential attacks.


binutils now supports Arch13 processors of IBM Z

This update adds support for the extensions related to the Arch13 processors into the binutils packages on IBM Z architecture. As a result, it is now possible to build kernels that can use features available in arch13-enabled CPUs on IBM Z.


Dyninst rebased to version 10.1.0

The Dyninst instrumentation library has been updated to upstream version 10.1.0. Notable changes include:

  • Dyninst supports the Linux PowerPC Little Endian (ppcle) and 64-bit ARM (aarch64) architectures.
  • Start-up time has been improved by using parallel code analysis.


Date formatting updates for the Japanese Reiwa era

The GNU C Library now provides correct Japanese era name formatting for the Reiwa era starting on May 1st, 2019. The time handling API data has been updated, including the data used by the strftime and strptime functions. All APIs will correctly print the Reiwa era including when strftime is used along with one of the era conversion specifiers such as %EC, %EY, or %Ey.


Performance Co-Pilot rebased to version 4.3.2

In RHEL 8.1, the Performance Co-Pilot (PCP) tool has been updated to upstream version 4.3.2. Notable improvements include:

  • New metrics have been added - Linux kernel entropy, pressure stall information, Nvidia GPU statistics, and more.
  • Tools such as pcp-dstat, pcp-atop, the perfevent PMDA, and others have been updated to report the new metrics.
  • The pmseries and pmproxy utilities for a performant PCP integration with Grafana have been updated.

This release is backward compatible for libraries, over-the-wire protocol and on-disk PCP archive format.


6.1.13. Identity Management

IdM now supports Ansible roles and modules for installation and management

This update introduces the ansible-freeipa package, which provides Ansible roles and modules for Identity Management (IdM) deployment and management. You can use Ansible roles to install and uninstall IdM servers, replicas, and clients. You can use Ansible modules to manage IdM groups, topology, and users. There are also example playbooks available.

This update simplifies the installation and configuration of IdM based solutions.


New tool to test the overall fitness of IdM deployment: Healthcheck

This update introduces the Healthcheck tool in Identity Management (IdM). The tool provides tests verifying that the current IdM server is configured and running correctly.

The major areas currently covered are: * Certificate configuration and expiration dates * Replication errors * Replication topology * AD Trust configuration * Service status * File permissions of important configuration files * Filesystem space

The Healthcheck tool is available in the command-line interface (CLI).


IdM now supports renewing expired system certificates when the server is offline

With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new ipa-cert-fix command replaces the workaround to manually set the date back to proceed with the renewal process. As a result, the downtime and support costs reduce in the mentioned scenario.


Identity Management supports trust with Windows Server 2019

When using Identity Management, you can now establish a supported forest trust to Active Directory forests that run by Windows Server 2019. The supported forest and domain functional levels are unchanged and supported up to level Windows Server 2016.


samba rebased to version 4.10.4

The samba packages have been upgraded to upstream version 4.10.4, which provides a number of bug fixes and enhancements over the previous version:

  • Samba 4.10 fully supports Python 3. Note that future Samba versions will not have any runtime support for Python 2.
  • The JavaScript Object Notation (JSON) logging feature now logs the Windows event ID and logon type for authentication messages.
  • The new vfs_glusterfs_fuse file system in user space (FUSE) module improves the performance when Samba accesses a GlusterFS volume. To enable this module, add glusterfs_fuse to the vfs_objects parameter of the share in the /etc/samba/smb.conf file. Note that vfs_glusterfs_fuse does not replace the existing vfs_glusterfs module.
  • The server message block (SMB) client Python bindings are now deprecated and will be removed in a future Samba release. This only affects users who use the Samba Python bindings to write their own utilities.

Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the databases files before starting Samba. Note that Red Hat does not support downgrading tdb database files.

For further information about notable changes, read the upstream release notes before updating:


Updated system-wide certificate store location for OpenLDAP

The default location for trusted CAs for OpenLDAP has been updated to use the system-wide certificate store (/etc/pki/ca-trust/source) instead of /etc/openldap/certs. This change has been made to simplify the setting up of CA trust.

No additional setup is required to set up CA trust, unless you have service-specific requirements. For example, if you require an LDAP server’s certificate to be only trusted for LDAP client connections, in this case you must set up the CA certificates as you did previously.


New ipa-crl-generation commands have been introduced to simplify managing IdM CRL master

This update introduces the ipa-crl-generation status/enable/disable commands. These commands, run by the root user, simplify work with the Certificate Revocation List (CRL) in IdM. Previously, moving the CRL generation master from one IdM CA server to another was a lengthy, manual and error-prone procedure.

The ipa-crl-generation status command checks if the current host is the CRL generation master. The ipa-crl-generation enable command makes the current host the CRL generation master in IdM if the current host is an IdM CA server. The ipa-crl-generation disable command stops CRL generation on the current host.

Additionally, the ipa-server-install --uninstall command now includes a safeguard checking whether the host is the CRL generation master. This way, IdM ensures that the system administrator does not remove the CRL generation master from the topology.


OpenID Connect support in keycloak-httpd-client-install

The keycloak-httpd-client-install identity provider previously supported only the SAML (Security Assertion Markup Language) authentication with the mod_auth_mellon authentication module. This rebase introduces the mod_auth_openidc authentication module support, which allows you to configure also the OpenID Connect authentication.

The keycloak-httpd-client-install identity provider allows an apache instance to be configured as an OpenID Connect client by configuring mod_auth_openidc.


Setting up IdM as a hidden replica is now available as a Technology Preview

This enhancement enables administrators to set up an Identity Management (IdM) replica as a hidden replica. A hidden replica is an IdM server that has all services running and available. However, it is not advertised to other clients or masters because no SRV records exist for the services in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas.

Hidden replicas are primarily designed for dedicated services that can otherwise disrupt clients. For example, a full backup of IdM requires to shut down all IdM services on the master or replica. Since no clients use a hidden replica, administrators can temporarily shut down the services on this host without affecting any clients. Other use cases include high-load operations on the IdM API or the LDAP server, such as a mass import or extensive queries.

To install a new hidden replica, use the ipa-replica-install --hidden-replica command. To change the state of an existing replica, use the ipa server-state command.


SSSD now enforces AD GPOs by default

The default setting for the SSSD option ad_gpo_access_control is now enforcing. In RHEL 8, SSSD enforces access control rules based on Active Directory Group Policy Objects (GPOs) by default.

Red Hat recommends ensuring GPOs are configured correctly in Active Directory before upgrading from RHEL 7 to RHEL 8. If you would not like to enforce GPOs, change the value of the ad_gpo_access_control option in the /etc/sssd/sssd.conf file to permissive.


6.1.14. Desktop

Modified workspace switcher in GNOME Classic

Workspace switcher in the GNOME Classic environment has been modified. The switcher is now located in the right part of the bottom bar, and it is designed as a horizontal strip of thumbnails. Switching between workspaces is possible by clicking on the required thumbnail. Alternatively, you can also use the combination of Ctrl+Alt+down/up arrow keys to switch between workspaces. The content of the active workspace is shown in the left part of the bottom bar in form of the window list.

When you press the Super key within the particular workspace, you can see the window picker, which includes all windows that are open in this workspace. However, the window picker no longer displays the following elements that were available in the previous release of RHEL:

  • dock (vertical bar on the left side of the screen)
  • workspace switcher (vertical bar on the right side of the screen)
  • search entry

For particular tasks that were previously achieved with the help of these elements, adopt the following approaches:

  • To launch applications, instead of using dock, you can:

    • Use the Applications menu on the top bar
    • Press the kdb:[Alt + F2] keys to make the Enter a Command screen appear, and write the name of the executable into this screen.
  • To switch between workspaces, instead of using the vertical workspace switcher, use the horizontal workspace switcher in the right bottom bar.
  • If you require the search entry or the vertical workspace switcher, use GNOME Standard environment instead of GNOME Classic.


6.1.15. Graphics infrastructures

DRM rebased to Linux kernel version 5.1

The Direct Rendering Manager (DRM) kernel graphics subsystem has been rebased to upstream Linux kernel version 5.1, which provides a number of bug fixes and enhancements over the previous version. Most notably:

  • The mgag200 driver has been updated. The driver continues providing support for HPE Proliant Gen10 Systems, which use Matrox G200 eH3 GPUs. The updated driver also supports current and new Dell EMC PowerEdge Servers.
  • The nouveau driver has been updated to provide hardware enablement to current and future Lenovo platforms that use NVIDIA GPUs.
  • The i915 display driver has been updated for continued support of current and new Intel GPUs.
  • Bug fixes for Aspeed AST BMC display chips have been added.
  • Support for AMD Raven 2 set of Accelerated Processing Units (APUs) has been added.
  • Support for AMD Picasso APUs has been added.
  • Support for AMD Vega GPUs has been added.
  • Support for Intel Amber Lake-Y and Intel Comet Lake-U GPUs has been added.


Support for AMD Picasso graphic cards

This update introduces the amdgpu graphics driver. As a result AMD Picasso graphics cards are now fully supported on RHEL 8.


6.1.16. The web console

Enabling and disabling SMT

Simultaneous Multi-Threading (SMT) configuration is now available in RHEL 8. Disabling SMT in the web console allows you to mitigate a class of CPU security vulnerabilities such as:


Adding a search box in the Services page

The Services page now has a search box for filtering services by:

  • Name
  • Description
  • State

In addition, service states have been merged into one list. The switcher buttons at the top of the page have also been changed to tabs to improve user experience of the Services page.


Adding support for firewall zones

The firewall settings on the Networking page now supports:

  • Adding and removing zones
  • Adding or removing services to arbitrary zones and
  • Configuring custom ports in addition to firewalld services.


Adding improvements to Virtual Machines configuration

With this update, the RHEL 8 web console includes a lot of improvements in the Virtual Machines page. You can now:

  • Manage various types of storage pools
  • Configure VM autostart
  • Import existing qcow images
  • Install VMs through PXE boot
  • Change memory allocation
  • Pause/resume VMs
  • Configure cache characteristics (directsync, writeback)
  • Change the boot order


6.1.17. Red Hat Enterprise Linux System Roles

A new storage role added to RHEL System Roles

The storage role has been added to RHEL System Roles provided by the rhel-system-roles package. The storage role can be used to manage local storage using Ansible.

Currently, the storage role supports the following types of tasks:

  • Managing file systems on whole disks
  • Managing LVM volume groups
  • Managing logical volumes and their file systems

For more information, see Managing file systems and Configuring and managing logical volumes.


6.1.18. Virtualization

WALinuxAgent rebased to version 2.2.38

The WALinuxAgent package has been upgraded to upstream version 2.2.38, which provides a number of bug fixes and enhancements over the previous version.

In addition, WALinuxAgent is no longer compatible with Python 2, and applications dependant on Python 2. As a result, applications and extensions written in Python 2 will need to be converted to Python 3 to establish compatibility with WALinuxAgent.


Windows automatically finds the needed virtio-win drivers

Windows can now automatically find the virtio-win drivers it needs from the driver ISO without requiring the user to select the folder in which they are located.


KVM supports 5-level paging

With Red Hat Enterprise Linux 8, KVM virtualization supports the 5-level paging feature. On selected host CPUs, this significantly increases the physical and virtual address space that the host and guest systems can use.


Smart card sharing is now supported on Windows guests with ActivClient drivers

This update adds support for smart card sharing in virtual machines (VMs) that use a Windows guest OS and ActivClient drivers. This enables smart card authentication for user logins using emulated or shared smart cards on these VMs.


New options have been added for virt-xml

The virt-xml utility can now use the following command-line options:

  • --no-define - Changes done to the virtual machine (VM) by the virt-xml command are not saved into persistent configuration.
  • --start - Starts the VM after performing requested changes.

Using these two options together allows users to change the configuration of a VM and start the VM with the new configuration without making the changes persistent. For example, the following command changes the boot order of the testguest VM to network for the next boot, and initiates the boot:

virt-xml testguest  --start --no-define --edit --boot network


IBM z14 GA2 CPUs supported by KVM

With this update, KVM supports the IBM z14 GA2 CPU model. This makes it possible to create virtual machines on IBM z14 GA2 hosts that use RHEL 8 as the host OS with an IBM z14 GA2 CPU in the guest.


Nvidia NVLink2 is now compatible with virtual machines on IBM POWER9

Nvidia VGPUs that support the NVLink2 feature can now be assigned to virtual machines (VMs) running in a RHEL 8 host on an IBM POWER9 system. This makes it possible for these VMs to use the full performance potential of NVLink2.


6.2. New Drivers

Network Drivers

  • Serial Line Internet Protocol support (slip.ko.xz)
  • Platform CAN bus driver for Bosch C_CAN controller (c_can_platform.ko.xz)
  • virtual CAN interface (vcan.ko.xz)
  • Softing DPRAM CAN driver (softing.ko.xz)
  • serial line CAN interface (slcan.ko.xz)
  • CAN driver for EMS Dr. Thomas Wuensche CAN/USB interfaces (ems_usb.ko.xz)
  • CAN driver for esd CAN-USB/2 and CAN-USB/Micro interfaces (esd_usb2.ko.xz)
  • Socket-CAN driver for SJA1000 on the platform bus (sja1000_platform.ko.xz)
  • Socket-CAN driver for PLX90xx PCI-bridge cards with the SJA1000 chips (plx_pci.ko.xz)
  • Socket-CAN driver for EMS CPC-PCI/PCIe/104P CAN cards (ems_pci.ko.xz)
  • Socket-CAN driver for KVASER PCAN PCI cards (kvaser_pci.ko.xz)
  • Intel® 2.5G Ethernet Linux Driver (igc.ko.xz)
  • Realtek 802.11ac wireless PCI driver (rtwpci.ko.xz)
  • Realtek 802.11ac wireless core module (rtw88.ko.xz)
  • MediaTek MT76 devices support (mt76.ko.xz)
  • MediaTek MT76x0U (USB) support (mt76x0u.ko.xz)
  • MediaTek MT76x2U (USB) support (mt76x2u.ko.xz)

Graphics Drivers and Miscellaneous Drivers

  • Virtual Kernel Mode Setting (vkms.ko.xz)
  • Intel GTT (Graphics Translation Table) routines (intel-gtt.ko.xz)
  • Xen frontend/backend page directory based shared buffer handling (xen-front-pgdir-shbuf.ko.xz)
  • LED trigger for audio mute control (ledtrig-audio.ko.xz)
  • Host Wireless Adapter Radio Control Driver (hwa-rc.ko.xz)
  • Network Block Device (nbd.ko.xz)
  • Pericom PI3USB30532 Type-C mux driver (pi3usb30532.ko.xz)
  • Fairchild FUSB302 Type-C Chip Driver (fusb302.ko.xz)
  • TI TPS6598x USB Power Delivery Controller Driver (tps6598x.ko.xz)
  • Intel PCH Thermal driver (intel_pch_thermal.ko.xz)
  • PCIe AER software error injector (aer_inject.ko.xz)
  • Simple stub driver for PCI SR-IOV PF device (pci-pf-stub.ko.xz)
  • mISDN Digital Audio Processing support (mISDN_dsp.ko.xz)
  • ISDN layer 1 for Cologne Chip HFC-4S/8S chips (hfc4s8s_l1.ko.xz)
  • ISDN4Linux: Call diversion support (dss1_divert.ko.xz)
  • CAPI4Linux: Userspace /dev/capi20 interface (capi.ko.xz)
  • USB Driver for Gigaset 307x (bas_gigaset.ko.xz)
  • ISDN4Linux: Driver for HYSDN cards (hysdn.ko.xz)
  • mISDN Digital Audio Processing support (mISDN_dsp.ko.xz)
  • mISDN driver for Winbond w6692 based cards (w6692.ko.xz)
  • mISDN driver for CCD’s hfc-pci based cards (hfcpci.ko.xz)
  • mISDN driver for hfc-4s/hfc-8s/hfc-e1 based cards (hfcmulti.ko.xz)
  • mISDN driver for NETJet (netjet.ko.xz)
  • mISDN driver for AVM FRITZ!CARD PCI ISDN cards (avmfritz.ko.xz)

Storage Drivers

  • NVMe over Fabrics TCP host (nvme-tcp.ko.xz)
  • NVMe over Fabrics TCP target (nvmet-tcp.ko.xz)
  • device-mapper writecache target (dm-writecache.ko.xz)

6.3. Updated Drivers

Network Driver Updates

  • QLogic FastLinQ 4xxxx Ethernet Driver (qede.ko.xz) has been updated to version
  • QLogic FastLinQ 4xxxx Core Module (qed.ko.xz) has been updated to version
  • Broadcom BCM573xx network driver (bnxt_en.ko.xz) has been updated to version 1.10.0.
  • QLogic BCM57710/57711/57711E/57712/57712_MF/57800/57800_MF/57810/57810_MF/57840/57840_MF Driver (bnx2x.ko.xz) has been updated to version 1.713.36-0.
  • Intel® Gigabit Ethernet Network Driver (igb.ko.xz) has been updated to version 5.6.0-k.
  • Intel® 10 Gigabit Virtual Function Network Driver (ixgbevf.ko.xz) has been updated to version 4.1.0-k-rh8.1.0.
  • Intel® 10 Gigabit PCI Express Network Driver (ixgbe.ko.xz) has been updated to version 5.1.0-k-rh8.1.0.
  • Intel® Ethernet Switch Host Interface Driver (fm10k.ko.xz) has been updated to version 0.26.1-k.
  • Intel® Ethernet Connection E800 Series Linux Driver (ice.ko.xz) has been updated to version 0.7.4-k.
  • Intel® Ethernet Connection XL710 Network Driver (i40e.ko.xz) has been updated to version 2.8.20-k.
  • The Netronome Flow Processor (NFP) driver (nfp.ko.xz) has been updated to version 4.18.0-147.el8.x86_64.
  • Elastic Network Adapter (ENA) (ena.ko.xz) has been updated to version 2.0.3K.

Graphics and Miscellaneous Driver Updates

  • Standalone drm driver for the VMware SVGA device (vmwgfx.ko.xz) has been updated to version
  • hpe watchdog driver (hpwdt.ko.xz) has been updated to version 2.0.2.

Storage Driver Updates

  • Driver for HP Smart Array Controller version 3.4.20-170-RH3 (hpsa.ko.xz) has been updated to version 3.4.20-170-RH3.
  • LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas.ko.xz) has been updated to version
  • Emulex LightPulse Fibre Channel SCSI driver (lpfc.ko.xz) has been updated to version 0:
  • QLogic QEDF 25/40/50/100Gb FCoE Driver (qedf.ko.xz) has been updated to version
  • Cisco FCoE HBA Driver (fnic.ko.xz) has been updated to version
  • QLogic Fibre Channel HBA Driver (qla2xxx.ko.xz) has been updated to version
  • Driver for Microsemi Smart Family Controller version 1.2.6-015 (smartpqi.ko.xz) has been updated to version 1.2.6-015.
  • QLogic FastLinQ 4xxxx iSCSI Module (qedi.ko.xz) has been updated to version
  • Broadcom MegaRAID SAS Driver (megaraid_sas.ko.xz) has been updated to version 07.707.51.00-rc1.

6.4. Bug fixes

This part describes bugs fixed in Red Hat Enterprise Linux 8.1 that have a significant impact on users.

6.4.1. Installer and image creation

Using the version or inst.version kernel boot parameters no longer stops the installation program

Previously, booting the installation program from the kernel command line using the version or inst.version boot parameters printed the version, for example anaconda 30.25.6, and stopped the installation program.

With this update, the version and inst.version parameters are ignored when the installation program is booted from the kernel command line, and as a result, the installation program is not stopped.


The xorg-x11-drv-fbdev, xorg-x11-drv-vesa, and xorg-x11-drv-vmware video drivers are now installed by default

Previously, workstations with specific models of NVIDIA graphics cards and workstations with specific AMD accelerated processing units did not display the graphical login window after a RHEL 8.0 Server installation. This issue also impacted virtual machines relying on EFI for graphics support, such as Hyper-V. With this update, the xorg-x11-drv-fbdev, xorg-x11-drv-vesa, and xorg-x11-drv-vmware video drivers are installed by default and the graphical login window is displayed after a RHEL 8.0 and later Server installation.


Rescue mode no longer fails without displaying an error message

Previously, running rescue mode on a system with no Linux partitions resulted in the installation program failing with an exception. With this update, the installation program displays the error message “You don’t have any Linux partitions” when a system with no Linux partitions is detected.


The installation program now sets the lvm_metadata_backup Blivet flag for image installations

Previously, the installation program failed to set the lvm_metadata_backup Blivet flag for image installations. As a consequence, LVM backup files were located in the /etc/lvm/ subdirectory after an image installation. With this update, the installation program sets the lvm_metadata_backup Blivet flag, and as a result, there are no LVM backup files located in the /etc/lvm/ subdirectory after an image installation.


The RHEL 8 installation program now handles strings from RPM

Previously, when the python3-rpm library returned a string, the installation program failed with an exception. With this update, the installation program can now handle strings from RPM.


The inst.repo kernel boot parameter now works for a repository on a hard drive that has a non-root path

Previously, the RHEL 8 installation process could not proceed without manual intervention if the inst.repo=hd:<device>:<path> kernel boot parameter was pointing to a repository (not an ISO image) on a hard drive, and a non-root (/) path was used. With this update, the installation program can now propagate any <path> for a repository located on a hard drive, ensuring the installation proceeds as normal.


The --changesok option now allows the installation program to change the root password

Previously, using the --changesok option when installing Red Hat Enterprise Linux 8 from a Kickstart file did not allow the installation program to change the root password. With this update, the --changesok option is successfully passed by Kickstart, and as a result, users specifying the pwpolicy root –changesok option in their Kickstart file can now change the root password using the GUI, even if the password has already been set by Kickstart.


Image Building no longer fails when using lorax-composer API

Previously, when using lorax-composer API from a subscribed RHEL system, the image building process always failed. Anaconda could not access the repositories, because the subscription certificates from the host are not passed through. To fix the issue update lorax-composer, pykickstart, and Anaconda packages. That will allow to pass supported CDN certificates.


6.4.2. Shells and command-line tools

systemd in debug mode no longer produces unnecessary log messages

When using the systemd system and service manager in debug mode, systemd previously produced unnecessary and harmless log messages that started with:

"Failed to add rule for system call ..."

With this update, systemd has been fixed to no longer produce these unnecessary debug messages.


6.4.3. Security

fapolicyd no longer prevents RHEL updates

When an update replaces the binary of a running application, the kernel modifies the application binary path in memory by appending the " (deleted)" suffix. Previously, the fapolicyd file access policy daemon treated such applications as untrusted, and prevented them from opening and executing any other files. As a consequence, the system was sometimes unable to boot after applying updates.

With the release of the RHBA-2020:5241 advisory, fapolicyd ignores the suffix in the binary path so the binary can match the trust database. As a result, fapolicyd enforces the rules correctly and the update process can finish.


SELinux no longer prevents Tomcat from sending emails

Prior to this update, the SELinux policy did not allow the tomcat_t and pki_tomcat_t domains to connect to SMTP ports. Consequently, SELinux denied applications on the Tomcat server from sending emails. With this update of the selinux-policy packages, the policy allows processes from the Tomcat domains access SMTP ports, and SELinux no longer prevents applications on Tomcat from sending emails.


lockdev now runs correctly with SELinux

Previously, the lockdev tool could not transition into the lockdev_t context even though the SELinux policy for lockdev_t was defined. As a consequence, lockdev was allowed to run in the ‘unconfined_t’ domain when used by the root user. This introduced vulnerabilities into the system. With this update, the transition into lockdev_t has been defined, and lockdev can now be used correctly with SELinux in enforcing mode.


iotop now runs correctly with SELinux

Previously, the iotop tool could not transition into the iotop_t context even though the SELinux policy for iotop_t was defined. As a consequence, iotop was allowed to run in the ‘unconfined_t’ domain when used by the root user. This introduced vulnerabilities into the system. With this update, the transition into iotop_t has been defined, and iotop can now be used correctly with SELinux in enforcing mode.


SELinux now properly handles NFS ‘crossmnt’

The NFS protocol with the crossmnt option automatically creates internal mounts when a process accesses a subdirectory already used as a mount point on the server. Previously, this caused SELinux to check whether the process accessing an NFS mounted directory had a mount permission, which caused AVC denials. In the current version, SELinux permission checking skips these internal mounts. As a result, accessing an NFS directory that is mounted on the server side does not require mount permission.


An SELinux policy reload no longer causes false ENOMEM errors

Reloading the SELinux policy previously caused the internal security context lookup table to become unresponsive. Consequently, when the kernel encountered a new security context during a policy reload, the operation failed with a false "Out of memory" (ENOMEM) error. With this update, the internal Security Identifier (SID) lookup table has been redesigned and no longer freezes. As a result, the kernel no longer returns misleading ENOMEM errors during an SELinux policy reload.


Unconfined domains can now use smc_socket

Previously, the SELinux policy did not have the allow rules for the smc_socket class. Consequently, SELinux blocked an access to smc_socket for the unconfined domains. With this update, the allow rules have been added to the SELinux policy. As a result, the unconfined domains can use smc_socket.


Kerberos cleanup procedures are now compatible with GSSAPIDelegateCredentials and default cache from krb5.conf

Previously, when the default_ccache_name option was configured in the krb5.conf file, the kerberos credentials were not cleaned up with the GSSAPIDelegateCredentials and GSSAPICleanupCredentials options set. This bug is now fixed by updating the source code to clean up credential caches in the described use cases. After the configuration, the credential cache gets cleaned up on exit if the user configures it.


OpenSSH now correctly handles PKCS #11 URIs for keys with mismatching labels

Previously, specifying PKCS #11 URIs with the object part (key label) could prevent OpenSSH from finding related objects in PKCS #11. With this update, the label is ignored if the matching objects are not found, and keys are matched only by their IDs. As a result, OpenSSH is now able to use keys on smart cards referenced using full PKCS #11 URIs.


SSH connections with VMware-hosted systems now work properly

The previous version of the OpenSSH suite introduced a change of the default IP Quality of Service (IPQoS) flags in SSH packets, which was not correctly handled by the VMware virtualization platform. Consequently, it was not possible to establish an SSH connection with systems on VMware. The problem has been fixed in VMWare Workstation 15, and SSH connections with VMware-hosted systems now work correctly.


curve25519-sha256 is now supported by default in OpenSSH

Previously, the curve25519-sha256 SSH key exchange algorithm was missing in the system-wide crypto policies configurations for the OpenSSH client and server even though it was compliant with the default policy level. As a consequence, if a client or a server used curve25519-sha256 and this algorithm was not supported by the host, the connection might fail. This update of the crypto-policies package fixes the bug, and SSH connections no longer fail in the described scenario.


Ansible playbooks for OSPP and PCI-DSS profiles no longer exit after encountering a failure

Previously, Ansible remediations for the Security Content Automation Protocol (OSPP) and the Payment Card Industry Data Security Standard (PCI-DSS) profiles failed due to incorrect ordering and other errors in the remediations. This update fixes the ordering and errors in generated Ansible remediation playbooks, and Ansible remediations now work correctly.


Audit transport=KRB5 now works properly

Prior to this update, Audit KRB5 transport mode did not work correctly. Consequently, Audit remote logging using the Kerberos peer authentication did not work. With this update, the problem has been fixed, and Audit remote logging now works properly in the described scenario.


6.4.4. Networking

The kernel now supports destination MAC addresses in bitmap:ipmac, hash:ipmac, and hash:mac IP set types

Previously, the kernel implementation of the bitmap:ipmac, hash:ipmac, and hash:mac IP set types only allowed matching on the source MAC address, while destination MAC addresses could be specified, but were not matched against set entries. As a consequence, administrators could create iptables rules that used a destination MAC address in one of these IP set types, but packets matching the given specification were not actually classified. With this update, the kernel compares the destination MAC address and returns a match if the specified classification corresponds to the destination MAC address of a packet. As a result, rules that match packets against the destination MAC address now work correctly.


The gnome-control-center application now supports editing advanced IPsec settings

Previously, the gnome-control-center application only displayed the advanced options of IPsec VPN connections. Consequently, users could not change these settings. With this update, the fields in the advanced settings are now editable, and users can save the changes.


The TRACE target in the iptables-extensions(8) man page has been updated

Previously, the description of the TRACE target in the iptables-extensions(8) man page referred only to the compat variant, but Red Hat Enterprise Linux 8 uses the nf_tables variant. As a consequence, the man page did not reference the xtables-monitor command-line utility to display TRACE events. The man page has been updated and, as a result, now mentions xtables-monitor.


Error logging in the ipset service has been improved

Previously, the ipset service did not report configuration errors with a meaningful severity in the systemd logs. The severity level for invalid configuration entries was only informational, and the service did not report errors for an unusable configuration. As a consequence, it was difficult for administrators to identify and troubleshoot issues in the ipset service’s configuration. With this update, ipset reports configuration issues as warnings in systemd logs and, if the service fails to start, it logs an entry with the error severity including further details. As a result, it is now easier to troubleshoot issues in the configuration of the ipset service.


The ipset service now ignores invalid configuration entries during startup

The ipset service stores configurations as sets in separate files. Previously, when the service started, it restored the configuration from all sets in a single operation, without filtering invalid entries that can be inserted by manually editing a set. As a consequence, if a single configuration entry was invalid, the service did not restore further unrelated sets. The problem has been fixed. As a result, the ipset service detects and removes invalid configuration entries during the restore operation, and ignores invalid configuration entries.


The ipset list command reports consistent memory for hash set types

When you add entries to a hash set type, the ipset utility must resize the in-memory representation to for new entries by allocating an additional memory block. Previously, ipset set the total per-set allocated size to only the size of the new block instead of adding the value to the current in-memory size. As a consequence, the ip list command reported an inconsistent memory size. With this update, ipset correctly calculates the in-memory size. As a result, the ipset list command now displays the correct in-memory size of the set, and the output matches the actual allocated memory for hash set types.


The kernel now correctly updates PMTU when receiving ICMPv6 Packet Too Big message

In certain situations, such as for link-local addresses, more than one route can match a source address. Previously, the kernel did not check the input interface when receiving Internet Control Message Protocol Version 6 (ICMPv6) packets. Therefore, the route lookup could return a destination that did not match the input interface. Consequently, when receiving an ICMPv6 Packet Too Big message, the kernel could update the Path Maximum Transmission Unit (PMTU) for a different input interface. With this update, the kernel checks the input interface during the route lookup. As a result, the kernel now updates the correct destination based on the source address and PMTU works as expected in the described scenario.


The /etc/hosts.allow and /etc/hosts.deny files no longer contain outdated references to removed tcp_wrappers

Previously, the /etc/hosts.allow and /etc/hosts.deny files contained outdated information about the tcp_wrappers package. The files are removed in RHEL 8 as they are no longer needed for tcp_wrappers which is removed.


6.4.5. Kernel

tpm2-abrmd-selinux now has a proper dependency on selinux-policy-targeted

Previously, the tpm2-abrmd-selinux package had a dependency on the selinux-policy-base package instead of the selinux-policy-targeted package. Consequently, if a system had selinux-policy-minimum installed instead of selinux-policy-targeted, installation of the tpm2-abrmd-selinux package failed. This update fixes the bug and tpm2-abrmd-selinux can be installed correctly in the described scenario.


All /sys/kernel/debug files can be accessed

Previously, the return value for "Operation not permitted" (EPERM) error remained set until the end of the function regardless of the error. Consequently, any attempts to access certain /sys/kernel/debug (debugfs) files failed with an unwarranted EPERM error. This update moves the EPERM return value to the following block. As a result, debugfs files can be accessed without problems in the described scenario.


NICs are no longer affected by a bug in the qede driver for the 41000 and 45000 FastLinQ series

Previously, firmware upgrade and debug data collection operations failed due to a bug in the qede driver for the 41000 and 45000 FastLinQ series. It made the NIC unusable. The reboot (PCI reset) of the host made the NIC operational again.

This issue could occur in the following scenarios:

  • during the upgrade of Firmware of the NIC using the inbox driver
  • during the collection of debug data running the ethtool -d ethx command
  • while running an sosreport command that included ethtool -d ethx.
  • during the initiation of automatic debug data collection by the inbox driver, such as I/O timeout, Mail Box Command time-out and a Hardware Attention.

To fix this issue, Red Hat released an erratum via Red Hat Bug Advisory (RHBA). Before the release of RHBA, it was recommended to create a case in to request for supported fix.


The generic EDAC GHES driver now detects which DIMM reported an error

Previously, the EDAC GHES driver was not able to detect which DIMM reported an error. Consequently, the following error message appeared:

DIMM location: not present. DMI handle: 0x<ADDRESS>

The driver has been now updated to scan the DMI (SMBIOS) tables to detect the specific DIMM that matches the Desktop Management Interface (DMI) handle 0x<ADDRESS>. As a result, EDAC GHES correctly detects which specific DIMM reported a hardware error.


podman is able to checkpoint containers in RHEL 8

Previously, the version of the Checkpoint and Restore In Userspace (CRIU) package was outdated. Consequently, CRIU did not support container checkpoint and restore functionality, and the podman utility failed to checkpoint containers. When running the podman container checkpoint command, the following error message was displayed:

'checkpointing a container requires at least CRIU 31100'

This update fixes the problem by upgrading the version of the CRIU package. As a result, podman now supports container checkpoint and restore functionality.


early-kdump and standard kdump no longer fail if the add_dracutmodules+=earlykdump option is used in dracut.conf

Previously, an inconsistency occurred between the kernel version being installed for early-kdump and the kernel version initramfs was generated for. As a consequence, booting failed when early-kdump was enabled. In addition, if early-kdump detected that it was being included in a standard kdump initramfs image, it forced an exit. Therefore the standard kdump service also failed when trying to rebuild kdump initramfs if early-kdump was added as a default dracut module. As a consequence, early-kdump and standard kdump both failed. With this update, early-kdump uses the consistent kernel name during the installation, only the version differs from the running kernel. Also, the standard kdump service will forcibly drop early-kdump to avoid image generation failure. As a result, early-kdump and standard kdump no longer fail in the described scenario.


The first kernel with SME enabled now succeeds in dumping the vmcore

Previously, the encrypted memory in the first kernel with the active Secure Memory Encryption (SME) feature caused a failure of the kdump mechanism. Consequently, the first kernel was not able to dump the contents (vmcore) of its memory. With this update, the ioremap_encrypted() function has been added to remap the encrypted memory and modify the related code. As a result, the encrypted first kernel’s memory is now properly accessed, and the vmcore can be dumped and parsed by the crash tools in the described scenario.


The first kernel with SEV enabled now succeeds in dumping the vmcore

Previously, the encrypted memory in the first kernel with the active Secure Encrypted Virtualization (SEV) feature caused a failure of the kdump mechanism. Consequently, the first kernel was not able to dump the contents (vmcore) of its memory. With this update, the ioremap_encrypted() function has been added to remap the encrypted memory and modify the related code. As a result, the first kernel’s encrypted memory is now properly accessed, and the vmcore can be dumped and parsed by the crash tools in the described scenario.


Kernel now reserves more space for SWIOTLB

Previously, when Secure Encrypted Virtualization (SEV) or Secure Memory Encryption (SME) features was enabled in the kernel, the Software Input Output Translation Lookaside Buffer (SWIOTLB) technology had to be enabled as well and consumed a significant amount of memory. Consequently, the capture kernel failed to boot or got an out-of-memory error. This update fixes the bug by reserving extra crashkernel memory for SWIOTLB while SEV/SME is active. As a result, the capture kernel has more memory reserved for SWIOTLB and the bug no longer appears in the described scenario.


C-state transitions can now be disabled during hwlatdetect runs

To achieve real-time performance, the hwlatdetect utility needs to be able to disable power saving in the CPU during test runs. This update allows hwlatdetect to turn off C-state transitions for the duration of the test run and hwlatdetect is now able to detect hardware latencies more accurately.


6.4.6. Hardware enablement

The openmpi package can be installed now

Previously, a rebase on opensm package changed its soname mechanism. As a consequence, the openmpi package could not be installed due to unresolved dependencies. This update fixes the problem. As a result, the openmpi package can be installed now without any issue.


6.4.7. File systems and storage

The RHEL 8 installation program now uses the entry ID to set the default boot entry

Previously, the RHEL 8 installation program used the index of the first boot entry as the default, instead of using the entry ID. As a consequence, adding a new boot entry became the default, as it was sorted first and set to the first index. With this update, the installation program uses the entry ID to set the default boot entry, and as a result, the default entry is not changed, even if boot entries are added and sorted before the default.


The system now boots successfully when SME is enabled with smartpqi

Previously, the system failed to boot on certain AMD machines when the Secure Memory Encryption (SME) feature was enabled and the root disk was using the smartpqi driver.

When the boot failed, the system displayed a message similar to the following in the boot log:

smartpqi 0000:23:00.0: failed to allocate PQI error buffer

This problem was caused by the smartpqi driver, which was falling back to the Software Input Output Translation Lookaside Buffer (SWIOTLB) because the coherent Direct Memory Access (DMA) mask was not set.

With this update, the coherent DMA mask is now correctly set. As a result, the system now boots successfully when SME is enabled on machines that use the smartpqi driver for the root disk.


FCoE LUNs do not disappear after being created on the bnx2fc cards

Previously, after creating a FCoE LUN on the bnx2fc cards, the FCoE LUNs were not attached correctly. As a consequence, FCoE LUNs disappeared after being created on the bnx2fc cards on RHEL 8.0. With this update, FCoE LUNs are attached correctly. As a result, it is now possible to discover the FCoE LUNs after they are created on the bnx2fc cards.


VDO volumes no longer lose deduplication advice after moving to a different-endian platform

Previously, the Universal Deduplication Service (UDS) index lost all deduplication advice after moving the VDO volume to a platform that used a different endian. As a consequence, VDO was unable to deduplicate newly written data against the data that was stored before you moved the volume, leading to lower space savings.

With this update, you can now move VDO volumes between platforms that use different endians without losing deduplication advice.


kdump service works on large IBM POWER systems

Previously, RHEL8 kdump kernel did not start. As a consequence, the kdump initrd file on large IBM POWER systems was not created. With this update, squashfs-tools-4.3-19.el8 component is added. This update adds a limit (128) to the number of CPUs which the squashfs-tools-4.3-19.el8 component can use from the available pool (instead of using all the available CPUs). This fixes the running out of resources error. As a result, kdump service now works on large IBM POWER systems.


Verbosity debug options now added to nfs.conf

Previously, the /etc/nfs.conf file and the nfs.conf(5) man page did not include the following options:

  • verbosity
  • rpc-verbosity

As a consequence, users were unaware of the availability of these debug flags. With this update, these flags are now included in the [gssd] section of the /etc/nfs.conf file and are also documented in the nfs.conf(8) man page.


6.4.8. Dynamic programming languages, web and database servers

Socket::inet_aton() can now be used from multiple threads safely

Previously, the Socket::inet_aton() function, used for resolving a domain name from multiple Perl threads, called the unsafe gethostbyname() glibc function. Consequently, an incorrect IPv4 address was occasionally returned, or the Perl interpreter terminated unexpectedly. With this update, the Socket::inet_aton() implementation has been changed to use the thread-safe getaddrinfo() glibc function instead of gethostbyname(). As a result, the inet_aton() function from Perl Socket module can be used from multiple threads safely.

(BZ#1699793, BZ#1699958)

6.4.9. Compilers and development tools

gettext returns untranslated text even when out of memory

Previously, the gettext() function for text localization returned the NULL value instead of text when out of memory, resulting in applications lacking text output or labels. The bug has been fixed and now, gettext() - returns untranslated text when out of memory as expected.


The locale command now warns about LOCPATH being set whenever it encounters an error during execution

Previously, the locale command did not provide any diagnostics for the LOCPATH environment variable when it encountered errors due to an invalid LOCPATH. The locale command is now set to warn that LOCPATH has been set any time it encounters an error during execution. As a result, locale now reports LOCPATH along with any underlying errors that it encounters.


gdb now can read and correctly represent z registers in core files on aarch64 SVE

Previously, the gdb component failed to read z registers from core files with aarch64 scalable vector extension (SVE) architecture. With this update, the gdb component is now able to read z registers from core files. As a result, the info register command successfully shows the z register contents.


GCC rebased to version 8.3.1

The GNU Compiler Collection (GCC) has been updated to upstream version 8.3.1. This version brings a large number of miscellaneous bug fixes.


6.4.10. Identity Management

FreeRADIUS now resolves hostnames pointing to IPv6 addresses

In previous RHEL 8 versions of FreeRADIUS, the ipaddr utility only supported IPv4 addresses. Consequently, for the radiusd daemon to resolve IPv6 addresses, a manual update of the configuration was required after an upgrade of the system from RHEL 7 to RHEL 8. This update fixes the underlying code, and ipaddr in FreeRADIUS now uses IPv6 addresses, too.


The Nuxwdog service no longer fails to start the PKI server in HSM environments

Previously, due to bugs, the keyutils package was not installed as a dependency of the pki-core package. Additionally, the Nuxwdog watchdog service failed to start the public key infrastructure (PKI) server in environments that use a hardware security module (HSM). These problems have been fixed. As a result, the required keyutils package is now installed automatically as a dependency, and Nuxwdog starts the PKI server as expected in environments with HSM.


The IdM server now works correctly in the FIPS mode

Previously, the SSL connector for Tomcat server was incompletely implemented. As a consequence, the Identity Management (IdM) server with an installed certificate server did not work on machines with the FIPS mode enabled. This bug has been fixed by adding JSSTrustManager and JSSKeyManager. As a result, the IdM server works correctly in the described scenario.

Note that there are several bugs that prevent the IdM server from running in the FIPS mode in RHEL 8. This update fixes just one of them.


The KCM credential cache is now suitable for a large number of credentials in a single credential cache

Previously, if the Kerberos Credential Manager (KCM) contained a large number of credentials, Kerberos operations, such as kinit, failed due to a limitation of the size of entries in the database and the number of these entries.

This update introduces the following new configuration options to the kcm section of the sssd.conf file:

  • max_ccaches (integer)
  • max_uid_ccaches (integer)
  • max_ccache_size (integer)

As a result, KCM can now handle a large number of credentials in a single ccache.

For further information on the configuration options, see sssd-kcm man page.


Samba no longer denies access when using the sss ID mapping plug-in

Previously, when you ran Samba on the domain member with this configuration and added a configuration that used the sss ID mapping back end to the /etc/samba/smb.conf file to share directories, changes in the ID mapping back end caused errors. Consequently, Samba denied access to files in certain cases, even if the user or group existed and it was known by SSSD. The problem has been fixed. As a result, Samba no longer denies access when using the sss plug-in.


Default SSSD time-out values no longer conflict with each other

Previously, there was a conflict between the default time-out values. The default values for the following options have been changed to improve the failover capability:

  • dns_resolver_op_timeout - set to 2s (previously 6s)
  • dns_resolver_timeout - set to 4s (previously 6s)
  • ldap_opt_timeout - set to 8s (previously 6s)

Also, a new dns_resolver_server_timeout option, with default value of 1000 ms has been added, which specifies the time out duration for SSSD to switch from one DNS server to another.


6.4.11. Desktop

systemctl isolate now displays the console prompt

When running the systemctl isolate command from GNOME Terminal in a GNOME Desktop session, only a cursor was displayed, and not the console prompt. This update fixes gdm, and the console prompt is now displayed as expected in the described situation.


6.4.12. Graphics infrastructures

The 'i915' display driver now supports display configurations up to 3×4K.

Previously, it was not possible to have display configurations larger than 2×4K when using the 'i915' display driver in an Xorg session. With this update, the 'i915' driver now supports display configurations up to 3×4K.


Linux guests no longer display an error when initializing the GPU driver

Previously, Linux guests returned a warning when initializing the GPU driver. This happened because Intel Graphics Virtualization Technology –g (GVT -g) only simulates the DisplayPort (DP) interface for guest and leaves the ‘EDP_PSR_IMR’ and ‘EDP_PSR_IIR’ registers as default memory-mapped I/O (MMIO) read/write registers. To resolve this issue, handlers have been added to these registers and the warning is no longer returned.


6.4.13. The web console

It is possible to login to RHEL web console with session_recording shell

Previously, it was not possible for users of the tlog shell (which enables session recording) to log in to the RHEL web console. This update fixes the bug. The previous workaround of adding the tlog-rec-session shell to /etc/shells/ should be reverted after installing this update.


6.4.14. Virtualization

Hot-plugging PCI devices to a pcie-to-pci bridge controller works correctly

Previously, if a guest virtual machine configuration contained a pcie-to-pci-bridge controller that had no endpoint devices attached to it at the time the guest was started, hot-plugging new devices to that controller was not possible. This update improves how hot-plugging legacy PCI devices on a PCIe system is handled, which prevents the problem from occurring.


Enabling nested virtualization no longer blocks live migration

Previously, the nested virtualization feature was incompatible with live migration. As a consequence, enabling nested virtualization on a RHEL 8 host prevented migrating any virtual machines (VMs) from the host, as well as saving VM state snapshots to disk. This update fixes the described problem, and the impacted VMs are now possible to migrate.


6.4.15. Supportability

redhat-support-tool now creates an sosreport archive

Previously, the redhat-support-tool utility was unable to create an sosreport archive. The workaround was running the sosreport command separately and then entering the redhat-support-tool addattachment -c command to upload the archive. Users can also use the web UI on Customer Portal which creates the customer case and uploads the sosreport archive.

In addition, command options such as findkerneldebugs, btextract, analyze, or diagnose do not work as expected and will be fixed in a future release.


6.5. Technology Previews

This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.1.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

6.5.1. Networking

TIPC has full support

The Transparent Inter Process Communication (TIPC) is a protocol specially designed for efficient communication within clusters of loosely paired nodes. It works as a kernel module and provides a tipc tool in iproute2 package to allow designers to create applications that can communicate quickly and reliably with other applications regardless of their location within the cluster. This feature is now fully supported in RHEL 8.


eBPF for tc available as a Technology Preview

As a Technology Preview, the Traffic Control (tc) kernel subsystem and the tc tool can attach extended Berkeley Packet Filtering (eBPF) programs as packet classifiers and actions for both ingress and egress queueing disciplines. This enables programmable packet processing inside the kernel network data path.


nmstate available as a Technology Preview

Nmstate is a network API for hosts. The nmstate packages, available as a Technology Preview, provide a library and the nmstatectl command-line utility to manage host network settings in a declarative manner. The networking state is described by a pre-defined schema. Reporting of the current state and changes to the desired state both conform to the schema.

For further details, see the /usr/share/doc/nmstate/ file and the examples in the /usr/share/doc/nmstate/examples directory.


AF_XDP available as a Technology Preview

Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It accompanies XDP and grants efficient redirection of programmatically selected packets to user space applications for further processing.


XDP available as a Technology Preview

The eXpress Data Path (XDP) feature, which is available as a Technology Preview, provides a means to attach extended Berkeley Packet Filter (eBPF) programs for high-performance packet processing at an early point in the kernel ingress data path, allowing efficient programmable packet analysis, filtering, and manipulation.


KTLS available as a Technology Preview

In Red Hat Enterprise Linux 8, Kernel Transport Layer Security (KTLS) is provided as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also provides the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that support this functionality.


The systemd-resolved service is now available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, an Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview.


6.5.2. Kernel

Control Group v2 available as a Technology Preview in RHEL 8

Control Group v2 mechanism is a unified hierarchy control group. Control Group v2 organizes processes hierarchically and distributes system resources along the hierarchy in a controlled and configurable manner.

Unlike the previous version, Control Group v2 has only a single hierarchy. This single hierarchy enables the Linux kernel to:

  • Categorize processes based on the role of their owner.
  • Eliminate issues with conflicting policies of multiple hierarchies.

Control Group v2 supports numerous controllers:

  • CPU controller regulates the distribution of CPU cycles. This controller implements:

    • Weight and absolute bandwidth limit models for normal scheduling policy.
    • Absolute bandwidth allocation model for real time scheduling policy.
  • Memory controller regulates the memory distribution. Currently, the following types of memory usages are tracked:

    • Userland memory - page cache and anonymous memory.
    • Kernel data structures such as dentries and inodes.
    • TCP socket buffers.
  • I/O controller regulates the distribution of I/O resources.
  • Writeback controller interacts with both Memory and I/O controllers and is Control Group v2 specific.

The information above was based on link: You can refer to the same link to obtain more information about particular Control Group v2 controllers.


kexec fast reboot as a Technology Preview

The kexec fast reboot feature, continues to be available as a Technology Preview. Rebooting is now significantly faster thanks to kexec fast reboot. To use this feature, load the kexec kernel manually, and then reboot the operating system.


eBPF available as a Technology Preview

Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions.

The virtual machine includes a new system call bpf(), which supports creating various types of maps, and also allows to load programs in a special assembly-like code. The code is then loaded to the kernel and translated to the native machine code with just-in-time compilation. Note that the bpf() syscall can be successfully used only by a user with the CAP_SYS_ADMIN capability, such as the root user. See the bpf(2) man page for more information.

The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet reception) to receive and process data.

There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported. All components are available as a Technology Preview, unless a specific component is indicated as supported.

The following notable eBPF components are currently available as a Technology Preview:

  • The BPF Compiler Collection (BCC) tools package, a collection of dynamic kernel tracing utilities that use the eBPF virtual machine. The BCC tools package is available as a Technology Preview on the following architectures: the 64-bit ARM architecture, IBM Power Systems, Little Endian, and IBM Z. Note that it is fully supported on the AMD and Intel 64-bit architectures.
  • bpftrace, a high-level tracing language that utilizes the eBPF virtual machine.
  • The eXpress Data Path (XDP) feature, a networking technology that enables fast packet processing in the kernel using the eBPF virtual machine.


Soft-RoCE available as a Technology Preview

Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol which implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which supports two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL 8.


6.5.3. Hardware enablement

The igc driver available as a Technology Preview for RHEL 8

The igc Intel 2.5G Ethernet Linux wired LAN driver is now available on all architectures for RHEL 8 as a Technology Preview. The ethtool utility also supports igc wired LANs.


6.5.4. File systems and storage

NVMe/TCP is available as a Technology Preview

Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) and its corresponding nvme-tcp.ko and nvmet-tcp.ko kernel modules have been added as a Technology Preview.

The use of NVMe/TCP as either a storage client or a target is manageable with tools provided by the nvme-cli and nvmetcli packages.

NVMe/TCP provides a storage transport option along with the existing NVMe over Fabrics (NVMe-oF) transport, which include Remote Direct Memory Access (RDMA) and Fibre Channel (NVMe/FC).


File system DAX is now available for ext4 and XFS as a Technology Preview

In Red Hat Enterprise Linux 8.1, file system DAX is available as a Technology Preview. DAX provides a means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that supports DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.



OverlayFS is a type of union file system. It enables you to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media. See the Linux kernel documentation for additional information:

OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs warnings when this technology is activated.

Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions:

  • OverlayFS is supported for use only as a container engine graph driver. Its use is supported only for container COW content, not for persistent storage. You must place any persistent storage on non-OverlayFS volumes. Only the default container engine configuration can be used; that is, one level of overlay, one lowerdir, and both lower and upper levels are on the same file system.
  • Only XFS is currently supported for use as a lower layer file system.

Additionally, the following rules and limitations apply to using OverlayFS:

  • The OverlayFS kernel ABI and userspace behavior are not considered stable, and might see changes in future updates.
  • OverlayFS provides a restricted set of the POSIX standards. Test your application thoroughly before deploying it with OverlayFS. The following cases are not POSIX-compliant:

    • Lower files opened with O_RDONLY do not receive st_atime updates when the files are read.
    • Lower files opened with O_RDONLY, then mapped with MAP_SHARED are inconsistent with subsequent modification.
    • Fully compliant st_ino or d_ino values are not enabled by default on RHEL 8, but you can enable full POSIX compliance for them with a module option or mount option.

      To get consistent inode numbering, use the xino=on mount option.

      You can also use the redirect_dir=on and index=on options to improve POSIX compliance. These two options make the format of the upper layer incompatible with an overlay without these options. That is, you might get unexpected results or errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the overlay without these options.

  • Commands used with XFS:

    • XFS file systems must be created with the -n ftype=1 option enabled for use as an overlay.
    • With the rootfs and any file systems created during system installation, set the --mkfsoptions=-n ftype=1 parameters in the Anaconda kickstart.
    • When creating a new file system after the installation, run the # mkfs -t xfs -n ftype=1 /PATH/TO/DEVICE command.
    • To determine whether an existing file system is eligible for use as an overlay, run the # xfs_info /PATH/TO/DEVICE | grep ftype command to see if the ftype=1 option is enabled.
  • SELinux security labels are enabled by default in all supported container engines with OverlayFS.
  • There are several known issues associated with OverlayFS in this release. For details, see Non-standard behavior in the Linux kernel documentation:


Stratis is now available as a Technology Preview

Stratis is a new local storage manager. It provides managed file systems on top of pools of storage with additional features to the user.

Stratis enables you to more easily perform storage tasks such as:

  • Manage snapshots and thin provisioning
  • Automatically grow file system sizes as needed
  • Maintain file systems

To administer Stratis storage, use the stratis utility, which communicates with the stratisd background service.

Stratis is provided as a Technology Preview.

For more information, see the Stratis documentation: Setting up Stratis file systems.


A Samba server, available to IdM and AD users logged into IdM hosts, can now be set up on an IdM domain member as a Technology Preview

With this update, you can now set up a Samba server on an Identity Management (IdM) domain member. The new ipa-client-samba utility provided by the same-named package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For example, the utility creates the /etc/samba/smb.conf with the ID mapping configuration for the sss ID mapping back end. As a result, administrators can now set up Samba on an IdM domain member.

Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows hosts cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not support resolving IdM groups using the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) protocols. As a consequence, AD users can only access the Samba shares and printers from IdM clients.

For details, see Setting up Samba on an IdM domain member.


6.5.5. High availability and clusters

Pacemaker podman bundles available as a Technology Preview

Pacemaker container bundles now run on the podman container platform, with the container bundle feature being available as a Technology Preview. There is one exception to this feature being Technology Preview: Red Hat fully supports the use of Pacemaker bundles for Red Hat Openstack.


Heuristics in corosync-qdevice available as a Technology Preview

Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which partition should be quorate.


New fence-agents-heuristics-ping fence agent

As a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.

If the heuristics agent is configured on the same fencing level as the fence agent that does the actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the agent that does the fencing. If the heuristics agent gives a negative result for the off action it is already clear that the fencing level is not going to succeed, causing Pacemaker fencing to skip the step of issuing the off action on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent the agent that does the actual fencing from fencing a node under certain conditions.

A user might want to use this agent, especially in a two-node cluster, when it would not make sense for a node to fence the peer if it can know beforehand that it would not be able to take over the services properly. For example, it might not make sense for a node to take over services if it has problems reaching the networking uplink, making the services unreachable to clients, a situation which a ping to a router might detect in that case.


6.5.6. Identity Management

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as Technology Preview.

In Red Hat Enterprise Linux 7.3, the IdM API was enhanced to enable multiple versions of API commands. Previously, enhancements could change the behavior of a command in an incompatible way. Users are now able to continue using existing tools and scripts even if the IdM API changes. This enables:

  • Administrators to use previous or later versions of IdM on the server than on the managing client.
  • Developers to use a specific version of an IdM call, even if the IdM version changes on the server.

In all cases, the communication with the server is possible, regardless if one side uses, for example, a newer version that introduces new options for a feature.

For details on using the API, see Using the Identity Management API to Communicate with the IdM Server (TECHNOLOGY PREVIEW).


DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:

Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.


6.5.7. Graphics infrastructures

VNC remote console available as a Technology Preview for the 64-bit ARM architecture

On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available as a Technology Preview. Note that the rest of the graphics stack is currently unverified for the 64-bit ARM architecture.


6.5.8. Red Hat Enterprise Linux System Roles

The postfix role of RHEL System Roles available as a Technology Preview

Red Hat Enterprise Linux System Roles provides a configuration interface for Red Hat Enterprise Linux subsystems, which makes system configuration easier through the inclusion of Ansible Roles. This interface enables managing system configurations across multiple versions of Red Hat Enterprise Linux, as well as adopting new major releases.

The rhel-system-roles packages are distributed through the AppStream repository.

The postfix role is available as a Technology Preview.

The following roles are fully supported:

  • kdump
  • network
  • selinux
  • storage
  • timesync

For more information, see the Knowledgebase article about RHEL System Roles.


rhel-system-roles-sap available as a Technology Preview

The rhel-system-roles-sap package provides Red Hat Enterprise Linux (RHEL) System Roles for SAP, which can be used to automate the configuration of a RHEL system to run SAP workloads. These roles greatly reduce the time to configure a system to run SAP workloads by automatically applying the optimal settings that are based on best practices outlined in relevant SAP Notes. Access is limited to RHEL for SAP Solutions offerings. Please contact Red Hat Customer Support if you need assistance with your subscription.

The following new roles in the rhel-system-roles-sap package are available as a Technology Preview:

  • sap-preconfigure
  • sap-netweaver-preconfigure
  • sap-hana-preconfigure

For more information, see Red Hat Enterprise Linux System Roles for SAP.

Note: RHEL 8.1 for SAP Solutions is scheduled to be validated for use with SAP HANA on Intel 64 architecture and IBM POWER9. Other SAP applications and database products, for example, SAP NetWeaver and SAP ASE, can use RHEL 8.1 features. Please consult SAP Notes 2369910 and 2235581 for the latest information about validated releases and SAP support.


rhel-system-roles-sap rebased to version 1.1.1

With the RHBA-2019:4258 advisory, the rhel-system-roles-sap package has been updated to provide multiple bug fixes. Notably:

  • SAP system roles work on hosts with non-English locales
  • kernel.pid_max is set by the sysctl module
  • nproc is set to unlimited for HANA (see SAP note 2772999 step 9)
  • hard process limit is set before soft process limit
  • code that sets process limits now works identically to role sap-preconfigure
  • handlers/main.yml only works for non-uefi systems and is silently ignored on uefi systems
  • removed unused dependency on rhel-system-roles
  • removed libssh2 from the sap_hana_preconfigure_packages
  • added further checks to avoid failures when certain CPU settings are not supported
  • converted all true and false to lowercase
  • updated minimum package handling
  • host name and domain name set correctly
  • many minor fixes

The rhel-system-roles-sap package is available as a Technology Preview.


6.5.9. Virtualization

Select Intel network adapters now support SR-IOV in RHEL guests on Hyper-V

As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions are met:

  • SR-IOV support is enabled for the network interface controller (NIC)
  • SR-IOV support is enabled for the virtual NIC
  • SR-IOV support is enabled for the virtual switch
  • The virtual function (VF) from the NIC is attached to the virtual machine.

The feature is currently supported with Microsoft Windows Server 2019 and 2016.


KVM virtualization is usable in RHEL 8 Hyper-V virtual machines

As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a Hyper-V host.

Note that currently, this feature only works on Intel systems. In addition, nested virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the following Microsoft documentation:


AMD SEV for KVM virtual machines

As a Technology Preview, RHEL 8 introduces the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts VM memory so that the host cannot access data on the VM. This increases the security of the VM if the host is successfully infected by malware.

Note that the number of VMs that can use this feature at a time on a single host is determined by the host hardware. Current AMD EPYC processors support up to 15 running VMs using SEV.

Also note that for VMs with SEV configured to be able to boot, you must also configure the VM with a hard memory limit. To do so, add the following to the VM’s XML configuration:

  <hard_limit unit='KiB'>N</hard_limit>

The recommended value for N is equal to or greater then the guest RAM + 256 MiB. For example, if the guest is assigned 2 GiB RAM, N should be 2359296 or greater.

(BZ#1501618, BZ#1501607, JIRA:RHELPLAN-7677)

Intel vGPU

As a Technology Preview, it is now possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.

Note that only selected Intel GPUs are compatible with the vGPU feature. In addition, assigning a physical GPU to VMs makes it impossible for the host to use the GPU, and may prevent graphical display output on the host from working.


Nested virtualization now available on IBM POWER 9

As a Technology Preview, it is now possible to use the nested virtualization features on RHEL 8 host machines running on IBM POWER 9 systems. Nested virtualization enables KVM virtual machines (VMs) to act as hypervisors, which allows for running VMs inside VMs.

Note that nested virtualization also remains a Technology Preview on AMD64 and Intel 64 systems.

Also note that for nested virtualization to work on IBM POWER 9, the host, the guest, and the nested guests currently all need to run one of the following operating systems:

  • RHEL 8
  • RHEL 7 for POWER 9

(BZ#1505999, BZ#1518937)

Creating nested virtual machines

As a Technology Preview, nested virtualization is available for KVM virtual machines (VMs) in RHEL 8. With this feature, a VM that runs on a physical host can act as a hypervisor, and host its own VMs.

Note that nested virtualization is only available on AMD64 and Intel 64 architectures, and the nested host must be a RHEL 7 or RHEL 8 VM.


6.5.10. Containers

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.


6.6. Deprecated functionality

This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8.1.

Deprecated functionality will likely not be supported in future major releases of this product and is not recommended for new deployments. For the most recent list of deprecated functionality within a particular major release, refer to the latest version of release documentation.

The support status of deprecated functionality remains unchanged within Red Hat Enterprise Linux 8. For information about the length of support, see Red Hat Enterprise Linux Life Cycle and Red Hat Enterprise Linux Application Streams Life Cycle.

Deprecated hardware components are not recommended for new deployments on the current or future major releases. Hardware driver updates are limited to security and critical fixes only. Red Hat recommends replacing this hardware as soon as reasonably feasible.

A package can be deprecated and not recommended for further use. Under certain circumstances, a package can be removed from a product. Product documentation then identifies more recent packages that offer functionality similar, identical, or more advanced to the one deprecated, and provides further recommendations.

For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations in adopting RHEL 8 .

6.6.1. Installer and image creation

Several Kickstart commands and options have been deprecated

Using the following commands and options in RHEL 8 Kickstart files will print a warning in the logs.

  • auth or authconfig
  • device
  • deviceprobe
  • dmraid
  • install
  • lilo
  • lilocheck
  • mouse
  • multipath
  • bootloader --upgrade
  • ignoredisk --interactive
  • partition --active
  • reboot --kexec

Where only specific options are listed, the base command and its other options are still available and not deprecated.

For more details and related changes in Kickstart, see the Kickstart changes section of the Considerations in adopting RHEL 8 document.


The --interactive option of the ignoredisk Kickstart command has been deprecated

Using the --interactive option in future releases of Red Hat Enterprise Linux will result in a fatal installation error. It is recommended that you modify your Kickstart file to remove the option.


6.6.2. Software management

The rpmbuild --sign command has been deprecated

With this update, the rpmbuild --sign command has become deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in an error. It is recommended that you use the rpmsign command instead.


6.6.3. Security

TLS 1.0 and TLS 1.1 are deprecated

The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level. If your scenario, for example, a video conferencing application in the Firefox web browser, requires using the deprecated protocols, switch the system-wide cryptographic policy to the LEGACY level:

# update-crypto-policies --set LEGACY

For more information, see the Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal and the update-crypto-policies(8) man page.


DSA is deprecated in RHEL 8

The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level.


SSL2 Client Hello has been deprecated in NSS

The Transport Layer Security (TLS) protocol version 1.2 and earlier allow to start a negotiation with a Client Hello message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network Security Services (NSS) library has been deprecated and it is disabled by default.

Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this feature may be removed completely in future releases of Red Hat Enterprise Linux 8.


TPM 1.2 is deprecated

The Trusted Platform Module (TPM) secure cryptoprocessor standard version was updated to version 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major release.


6.6.4. Networking

Network scripts are deprecated in RHEL 8

Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by default. The basic installation provides a new version of the ifup and ifdown scripts which call the NetworkManager service through the nmcli tool. In Red Hat Enterprise Linux 8, to run the ifup and the ifdown scripts, NetworkManager must be running.

Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local scripts are not executed.

If any of these scripts are required, the installation of the deprecated network scripts in the system is still possible with the following command:

~]# yum install network-scripts

The ifup and ifdown scripts link to the installed legacy network scripts.

Calling the legacy network scripts shows a warning about their deprecation.


6.6.5. Kernel

Diskless boot has been deprecated

Diskless booting allows multiple systems to share a root filesystem via the network. While convenient, it is prone to introducing network latency in realtime workloads. With a future minor update of RHEL for Real Time 8, the diskless booting will no longer be supported.


The rdma_rxe Soft-RoCE driver is deprecated

Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is available as an unsupported Technology Preview. However, due to stability issues, this feature has been deprecated and will be removed in RHEL 9.


6.6.6. Hardware enablement

The qla3xxx driver is deprecated

The qla3xxx driver has been deprecated in RHEL 8. The driver will likely not be supported in future major releases of this product, and thus it is not recommended for new deployments.


The dl2k, dnet, ethoc, and dlci drivers are deprecated

The dl2k, dnet, ethoc, and dlci drivers have been deprecated in RHEL 8. The drivers will likely not be supported in future major releases of this product, and thus they are not recommended for new deployments.


6.6.7. File systems and storage

The elevator kernel command line parameter is deprecated

The elevator kernel command line parameter was used in earlier RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated.

The upstream Linux kernel has removed support for the elevator parameter, but it is still available in RHEL 8 for compatibility reasons.

Note that the kernel selects a default disk scheduler based on the type of device. This is typically the optimal setting. If you require a different scheduler, Red Hat recommends that you use udev rules or the Tuned service to configure it. Match the selected devices and switch the scheduler only for those devices.

For more information, see Setting the disk scheduler.


NFSv3 over UDP has been disabled

The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. This change affects only NFS version 3 because version 4 requires the Transmission Control Protocol (TCP).

NFS over UDP is no longer supported in RHEL 8.


6.6.8. Desktop

The libgnome-keyring library has been deprecated

The libgnome-keyring library has been deprecated in favor of the libsecret library, as libgnome-keyring is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. The new libsecret library is the replacement that follows the necessary security standards.


6.6.9. Graphics infrastructures

AGP graphics cards are no longer supported

Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement.


6.6.10. The web console

The web console no longer supports incomplete translations

The RHEL web console no longer provides translations for languages that have translations available for less than 50 % of the Console’s translatable strings. If the browser requests translation to such a language, the user interface will be in English instead.


6.6.11. Virtualization

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL 8 web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager may not be yet available the RHEL 8 web console.


Virtual machine snapshots are not properly supported in RHEL 8

The current mechanism of creating virtual machine (VM) snapshots has been deprecated, as it is not working reliably. As a consequence, it is recommended not to use VM snapshots in RHEL 8.

Note that a new VM snapshot mechanism is under development and will be fully implemented in a future minor release of RHEL 8.


The Cirrus VGA virtual GPU type has been deprecated

With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga, virtio-vga, or qxl devices instead of Cirrus VGA.


6.6.12. Deprecated packages

The following packages have been deprecated and will probably not be included in a future major release of Red Hat Enterprise Linux:

  • 389-ds-base-legacy-tools
  • authd
  • custodia
  • hostname
  • libidn
  • net-tools
  • network-scripts
  • nss-pam-ldapd
  • sendmail
  • yp-tools
  • ypbind
  • ypserv

6.7. Known issues

This part describes known issues in Red Hat Enterprise Linux 8.

6.7.1. Installer and image creation

The auth and authconfig Kickstart commands require the AppStream repository

The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.

To work around this problem, verify that the BaseOS and AppStream repositories are available to the installer or use the authselect Kickstart command during installation.


The reboot --kexec and inst.kexec commands do not provide a predictable system state

Performing a RHEL installation with the reboot --kexec Kickstart command or the inst.kexec kernel boot parameters do not provide the same predictable system state as a full reboot. As a consequence, switching to the installed system without rebooting can produce unpredictable results.

Note that the kexec feature is deprecated and will be removed in a future release of Red Hat Enterprise Linux.


Anaconda installation includes low limits of minimal resources setting requirements

Anaconda initiates the installation on systems with minimal resource settings required available and do not provide previous message warning about the required resources for performing the installation successfully. As a result, the installation can fail and the output errors do not provide clear messages for possible debug and recovery. To work around this problem, make sure that the system has the minimal resources settings required for installation: 2GB memory on PPC64(LE) and 1GB on x86_64. As a result, it should be possible to perform a successful installation.


Installation fails when using the reboot --kexec command

The RHEL 8 installation fails when using a Kickstart file that contains the reboot --kexec command. To avoid the problem, use the reboot command instead of reboot --kexec in your Kickstart file.


Support secure boot for s390x in the installer

RHEL 8.1 provides support for preparing boot disks for use in IBM Z environments that enforce the use of secure boot. The capabilities of the server and Hypervisor used during installation determine if the resulting on-disk format contains secure boot support or not. There is no way to influence the on-disk format during installation.

Consequently, if you install RHEL 8.1 in an environment that supports secure boot, the system is unable to boot when moved to an environment lacking secure boot support, as it is done in some fail-over scenarios.

To work around this problem, you need to configure the zipl tool that controls the on-disk boot format. zipl can be configured to write the previous on-disk format even if the environment in which it is run supports secure boot. Perform the following manual steps as root user once the installation of RHEL 8.1 is completed:

  1. Edit the configuration file /etc/zipl.conf
  2. Add a line containing "secure=0" to the section labelled "defaultboot".

    Example contents of the `zipl.conf` file after the change:
  3. Run the zipl tool without parameters

After performing these steps, the on-disk format of the RHEL 8.1 boot disk will no longer contain secure boot support. As a result, the installation can be booted in environments that lack secure boot support.


RHEL 8 initial setup cannot be performed via SSH

Currently, the RHEL 8 initial setup interface does not display when logged in to the system using SSH. As a consequence, it is impossible to perform the initial setup on a RHEL 8 machine managed via SSH. To work around this problem, perform the initial setup in the main system console (ttyS0) and, afterwards, log in using SSH.


The default value for the secure= boot option is not set to auto

Currently, the default value for the secure= boot option is not set to auto. As a consequence, the secure boot feature is not available because the current default is disabled. To work around this problem, manually set secure=auto in the [defaultboot] section of the /etc/zipl.conf file. As a result, the secure boot feature is made available. For more information, see the zipl.conf man page.


Copying the content of the Binary DVD.iso file to a partition omits the .treeinfo and .discinfo files

During local installation, while copying the content of the RHEL 8 Binary DVD.iso image file to a partition, the * in the cp <path>/\* <mounted partition>/dir command fails to copy the .treeinfo and .discinfo files. These files are required for a successful installation. As a result, the BaseOS and AppStream repositories are not loaded, and a debug-related log message in the anaconda.log file is the only record of the problem.

To work around the problem, copy the missing .treeinfo and .discinfo files to the partition.


Self-signed HTTPS server cannot be used in Kickstart installation

Currently, the installer fails to install from a self-signed https server when the installation source is specified in the kickstart file and the --noverifyssl option is used:

url --url=https://SERVER/PATH --noverifyssl

To work around this problem, append the inst.noverifyssl parameter to the kernel command line when starting the kickstart installation.

For example:

inst.ks=<URL> inst.noverifyssl


6.7.2. Software management

yum repolist ends on first unavailable repository with skip_if_unavailable=false

The repository configuration option skip_if_unavailable is by default set as follows:


This setting forces the yum repolist command to end on first unavailable repository with an error and exit status 1. Consequently, yum repolist does not continue listing available repositiories.

Note that it is possible to override this setting in each repository’s *.repo file.

However, if you want to keep the default settings, you can work around the problem by using yum repolist with the following option:



6.7.3. Subscription management

syspurpose addons have no effect on the subscription-manager attach --auto output.

In Red Hat Enterprise Linux 8, four attributes of the syspurpose command-line tool have been added: role,usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect the output of running the subscription-manager attach --auto command. Users who attempt to set values to the addons argument will not observe any effect on the subscriptions that are auto-attached.


6.7.4. Shells and command-line tools

Applications using Wayland protocol cannot be forwarded to remote display servers

In Red Hat Enterprise Linux 8.1, most applications use the Wayland protocol by default instead of the X11 protocol. As a consequence, the ssh server cannot forward the applications that use the Wayland protocol but is able to forward the applications that use the X11 protocol to a remote display server.

To work around this problem, set the environment variable GDK_BACKEND=x11 before starting the applications. As a result, the application can be forwarded to remote display servers.


systemd-resolved.service fails to start on boot

The systemd-resolved service occasionally fails to start on boot. If this happens, restart the service manually after the boot finishes by using the following command:

# systemctl start systemd-resolved

However, the failure of systemd-resolved on boot does not impact any other services.


6.7.5. Infrastructure services

Support for DNSSEC in dnsmasq

The dnsmasq package introduces Domain Name System Security Extensions (DNSSEC) support for verifying hostname information received from root servers.

Note that DNSSEC validation in dnsmasq is not compliant with FIPS 140-2. Do not enable DNSSEC in dnsmasq on Federal Information Processing Standard (FIPS) systems, and use the compliant validating resolver as a forwarder on the localhost.


6.7.6. Security

redhat-support-tool does not work with the FUTURE crypto policy

Because a cryptographic key used by a certificate on the Customer Portal API does not meet the requirements by the FUTURE system-wide cryptographic policy, the redhat-support-tool utility does not work with this policy level at the moment. To work around this problem, use the DEFAULT crypto policy while connecting to the Customer Portal API.


SELINUX=disabled in /etc/selinux/config does not work properly

Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots with SELinux enabled and switches to disabled mode later in the boot process. This might cause memory leaks and race conditions and consequently also kernel panics. To work around this problem, disable SELinux by adding the selinux=0 parameter to the kernel command line as described in the Changing SELinux modes at boot time section of the Using SELinux title if your scenario really requires to completely disable SELinux.


libselinux-python is available only through its module

The libselinux-python package contains only Python 2 bindings for developing SELinux applications and it is used for backward compatibility. For this reason, libselinux-python is no longer available in the default RHEL 8 repositories through the dnf install libselinux-python command.

To work around this problem, enable both the libselinux-python and python27 modules, and install the libselinux-python package and its dependencies with the following commands:

# dnf module enable libselinux-python
# dnf install libselinux-python

Alternatively, install libselinux-python using its install profile with a single command:

# dnf module install libselinux-python:2.8/common

As a result, you can install libselinux-python using the respective module.


udica processes UBI 8 containers only when started with --env container=podman

The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. This prevents the udica tool from analyzing a container JavaScript Object Notation (JSON) file.

To work around this problem, start a UBI 8 container using a podman command with the --env container=podman parameter. As a result, udica can generate an SELinux policy for a UBI 8 container only when you use the described workaround.


Removing the rpm-plugin-selinux package leads to removing all selinux-policy packages from the system

Removing the rpm-plugin-selinux package disables SELinux on the machine. It also removes all selinux-policy packages from the system. Repeated installation of the rpm-plugin-selinux package then installs the selinux-policy-minimum SELinux policy, even if the selinux-policy-targeted policy was previously present on the system. However, the repeated installation does not update the SELinux configuration file to account for the change in policy. As a consequence, SELinux is disabled even upon reinstallation of the rpm-plugin-selinux package.

To work around this problem:

  1. Enter the umount /sys/fs/selinux/ command.
  2. Manually install the missing selinux-policy-targeted package.
  3. Edit the /etc/selinux/config file so that the policy is equal to SELINUX=enforcing.
  4. Enter the command load_policy -i.

As a result, SELinux is enabled and running the same policy as before.


SELinux prevents systemd-journal-gatewayd to call newfstatat() on shared memory files created by corosync

SELinux policy does not contain a rule that allows the systemd-journal-gatewayd daemon to access files created by the corosync service. As a consequence, SELinux denies systemd-journal-gatewayd to call the newfstatat() function on shared memory files created by corosync.

To work around this problem, create a local policy module with an allow rule which enables the described scenario. See the audit2allow(1) man page for more information on generating SELinux policy allow and dontaudit rules. As a result of the previous workaround, systemd-journal-gatewayd can call the function on shared memory files created by corosync with SELinux in enforcing mode.


Negative effects of the default logging setup on performance

The default logging environment setup might consume 4 GB of memory or even more and adjustments of rate-limit values are complex when systemd-journald is running with rsyslog.

See the Negative effects of the RHEL default logging setup on performance and their mitigations Knowledgebase article for more information.


Parameter not known errors in the rsyslog output with config.enabled

In the rsyslog output, an unexpected bug occurs in configuration processing errors using the config.enabled directive. As a consequence, parameter not known errors are displayed while using the config.enabled directive except for the include() statements.

To work around this problem, set config.enabled=on or use include() statements.


Certain rsyslog priority strings do not work correctly

Support for the GnuTLS priority string for imtcp that allows fine-grained control over encryption is not complete. Consequently, the following priority strings do not work properly in rsyslog:


To work around this problem, use only correctly working priority strings:


As a result, current configurations must be limited to the strings that work correctly.


Connections to servers with SHA-1 signatures do not work with GnuTLS

SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS connection to peers that offer such certificates. This behavior is inconsistent with other system cryptographic libraries. To work around this problem, upgrade the server to use certificates signed with SHA-256 or stronger hash, or switch to the LEGACY policy.


TLS 1.3 does not work in NSS in FIPS mode

TLS 1.3 is not supported on systems working in FIPS mode. As a result, connections that require TLS 1.3 for interoperability do not function on a system working in FIPS mode.

To enable the connections, disable the system’s FIPS mode or enable support for TLS 1.2 in the peer.


OpenSSL incorrectly handles PKCS #11 tokens that does not support raw RSA or RSA-PSS signatures

The OpenSSL library does not detect key-related capabilities of PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created with a token that does not support raw RSA or RSA-PSS signatures.

To work around the problem, add the following lines after the .include line at the end of the crypto_policy section in the /etc/pki/tls/openssl.cnf file:

SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
MaxProtocol = TLSv1.2

As a result, a TLS connection can be established in the described scenario.


The OpenSSL TLS library does not detect if the PKCS#11 token supports creation of raw RSA or RSA-PSS signatures

The TLS-1.3 protocol requires the support for RSA-PSS signature. If the PKCS#11 token does not support raw RSA or RSA-PSS signatures, the server applications which use OpenSSL TLS library will fail to work with the RSA key if it is held by the PKCS#11 token. As a result, TLS communication will fail.

To work around this problem, configure server or client to use the TLS-1.2 version as the highest TLS protocol version available.


OpenSSL generates a malformed status_request extension in the CertificateRequest message in TLS 1.3

OpenSSL servers send a malformed status_request extension in the CertificateRequest message if support for the status_request extension and client certificate-based authentication are enabled. In such case, OpenSSL does not interoperate with implementations compliant with the RFC 8446 protocol. As a result, clients that properly verify extensions in the ‘CertificateRequest’ message abort connections with the OpenSSL server. To work around this problem, disable support for the TLS 1.3 protocol on either side of the connection or disable support for status_request on the OpenSSL server. This will prevent the server from sending malformed messages.


ssh-keyscan cannot retrieve RSA keys of servers in FIPS mode

The SHA-1 algorithm is disabled for RSA signatures in FIPS mode, which prevents the ssh-keyscan utility from retrieving RSA keys of servers operating in that mode.

To work around this problem, use ECDSA keys instead, or retrieve the keys locally from the /etc/ssh/ file on the server.


scap-security-guide PCI-DSS remediation of Audit rules does not work properly

The scap-security-guide package contains a combination of remediation and a check that can result in one of the following scenarios:

  • incorrect remediation of Audit rules
  • scan evaluation containing false positives where passed rules are marked as failed

Consequently, during the RHEL 8.1 installation process, scanning of the installed system reports some Audit rules as either failed or errored.

To work around this problem, follow the instructions in the RHEL-8.1 workaround for remediating and scanning with the scap-security-guide PCI-DSS profile Knowledgebase article.


Certain sets of interdependent rules in SSG can fail

Remediation of SCAP Security Guide (SSG) rules in a benchmark can fail due to undefined ordering of rules and their dependencies. If two or more rules need to be executed in a particular order, for example, when one rule installs a component and another rule configures the same component, they can run in the wrong order and remediation reports an error. To work around this problem, run the remediation twice, and the second run fixes the dependent rules.


A utility for security and compliance scanning of containers is not available

In Red Hat Enterprise Linux 7, the oscap-docker utility can be used for scanning of Docker containers based on Atomic technologies. In Red Hat Enterprise Linux 8, the Docker- and Atomic-related OpenSCAP commands are not available.

To work around this problem, see the Using OpenSCAP for scanning containers in RHEL 8 article on the Customer Portal. As a result, you can use only an unsupported and limited way for security and compliance scanning of containers in RHEL 8 at the moment.


OpenSCAP does not provide offline scanning of virtual machines and containers

Refactoring of OpenSCAP codebase caused certain RPM probes to fail to scan VM and containers file systems in offline mode. For that reason, the following tools were removed from the openscap-utils package: oscap-vm and oscap-chroot. Also, the openscap-containers package was completely removed.


OpenSCAP rpmverifypackage does not work correctly

The chdir and chroot system calls are called twice by the rpmverifypackage probe. Consequently, an error occurs when the probe is utilized during an OpenSCAP scan with custom Open Vulnerability and Assessment Language (OVAL) content.

To work around this problem, do not use the rpmverifypackage_test OVAL test in your content or use only the content from the scap-security-guide package where rpmverifypackage_test is not used.


SCAP Workbench fails to generate results-based remediations from tailored profiles

The following error occurs when trying to generate results-based remediation roles from a customized profile using the SCAP Workbench tool:

Error generating remediation role .../ Exit code of oscap was 1: [output truncated]

To work around this problem, use the oscap command with the --tailoring-file option.


OSCAP Anaconda Addon does not install all packages in text mode

The OSCAP Anaconda Addon plugin cannot modify the list of packages selected for installation by the system installer if the installation is running in text mode. Consequently, when a security policy profile is specified using Kickstart and the installation is running in text mode, any additional packages required by the security policy are not installed during installation.

To work around this problem, either run the installation in graphical mode or specify all packages that are required by the security policy profile in the security policy in the %packages section in your Kickstart file.

As a result, packages that are required by the security policy profile are not installed during RHEL installation without one of the described workarounds, and the installed system is not compliant with the given security policy profile.


OSCAP Anaconda Addon does not correctly handle customized profiles

The OSCAP Anaconda Addon plugin does not properly handle security profiles with customizations in separate files. Consequently, the customized profile is not available in the RHEL graphical installation even when you properly specify it in the corresponding Kickstart section.

To work around this problem, follow the instructions in the Creating a single SCAP data stream from an original DS and a tailoring file Knowledgebase article. As a result of this workaround, you can use a customized SCAP profile in the RHEL graphical installation.


6.7.7. Networking

The formatting of the verbose output of arptables now matches the format of the utility on RHEL 7

In RHEL 8, the iptables-arptables package provides an nftables-based replacement of the arptables utility. Previously, the verbose output of arptables separated counter values only with a comma, while arptables on RHEL 7 separated the described output with both a space and a comma. As a consequence, if you used scripts created on RHEL 7 that parsed the output of the arptables -v -L command, you had to adjust these scripts. This incompatibility has been fixed. As a result, arptables on RHEL 8.1 now also separates counter values with both a space and a comma.


nftables does not support multi-dimensional IP set types

The nftables packet-filtering framework does not support set types with concatenations and intervals. Consequently, you cannot use multi-dimensional IP set types, such as hash:net,port, with nftables.

To work around this problem, use the iptables framework with the ipset tool if you require multi-dimensional IP set types.


IPsec network traffic fails during IPsec offloading when GRO is disabled

IPsec offloading is not expected to work when Generic Receive Offload (GRO) is disabled on the device. If IPsec offloading is configured on a network interface and GRO is disabled on that device, IPsec network traffic fails.

To work around this problem, keep GRO enabled on the device.


6.7.8. Kernel

The i40iw module does not load automatically on boot

Due to many i40e NICs not supporting iWarp and the i40iw module not fully supporting suspend/resume, this module is not automatically loaded by default to ensure suspend/resume works properly. To work around this problem, manually edit the /lib/udev/rules.d/90-rdma-hw-modules.rules file to enable automated load of i40iw.

Also note that if there is another RDMA device installed with a i40e device on the same machine, the non-i40e RDMA device triggers the rdma service, which loads all enabled RDMA stack modules, including the i40iw module.


Network interface is renamed to kdump-<interface-name> when fadump is used

When firmware-assisted dump (fadump) is utilized to capture a vmcore and store it to a remote machine using SSH or NFS protocol, the network interface is renamed to kdump-<interface-name> if <interface-name> is generic, for example, *eth#, or net#. This problem occurs because the vmcore capture scripts in the initial RAM disk (initrd) add the kdump- prefix to the network interface name to secure persistent naming. The same initrd is used also for a regular boot, so the interface name is changed for the production kernel too.


Systems with a large amount of persistent memory experience delays during the boot process

Systems with a large amount of persistent memory take a long time to boot because the initialization of the memory is serialized. Consequently, if there are persistent memory file systems listed in the /etc/fstab file, the system might timeout while waiting for devices to become available. To work around this problem, configure the DefaultTimeoutStartSec option in the /etc/systemd/system.conf file to a sufficiently large value.


KSM sometimes ignores NUMA memory policies

When the kernel shared memory (KSM) feature is enabled with the merge_across_nodes=1 parameter, KSM ignores memory policies set by the mbind() function, and may merge pages from some memory areas to Non-Uniform Memory Access (NUMA) nodes that do not match the policies.

To work around this problem, disable KSM or set the merge_across_nodes parameter to 0 if using NUMA memory binding with QEMU. As a result, NUMA memory policies configured for the KVM VM will work as expected.


The system enters the emergency mode at boot-time when fadump is enabled

The system enters the emergency mode when fadump (kdump) or dracut squash module is enabled in the initramfs scheme because systemd manager fails to fetch the mount information and configure the LV partition to mount. To work around this problem, add the following kernel command line parameter<VG>/<LV> to discover and mount the failed LV partition appropriately. As a result, the system will boot successfully in the described scenario.


Using irqpoll in the kdump kernel command line causes a vmcore generation failure

Due to an existing underlying problem with the nvme driver on the 64-bit ARM architectures running on the Amazon Web Services (AWS) cloud platforms, the vmcore generation fails if the irqpoll kdump command line argument is provided to the first kernel. Consequently, no vmcore is dumped in the /var/crash/ directory after a kernel crash. To work around this problem:

  1. Add irqpoll to the KDUMP_COMMANDLINE_REMOVE key in the /etc/sysconfig/kdump file.
  2. Restart the kdump service by running the systemctl restart kdump command.

As a result, the first kernel correctly boots and the vmcore is expected to be captured upon the kernel crash.


Debug kernel fails to boot in crash capture environment in RHEL 8

Due to memory-demanding nature of the debug kernel, a problem occurs when the debug kernel is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to boot as the capture kernel, and a stack trace is generated instead. To work around this problem, increase the crash kernel memory accordingly. As a result, the debug kernel successfully boots in the crash capture environment.


softirq changes can cause the localhost interface to drop UDP packets when under heavy load

Changes in the Linux kernel’s software interrupt (softirq) handling are done to reduce denial of service (DOS) effects. Consequently, this leads to situations where the localhost interface drops User Datagram Protocol (UDP) packets under heavy load.

To work around this problem, increase the size of the network device backlog buffer to value 6000:

echo 6000 > /proc/sys/net/core/netdev_max_backlog

In Red Hat tests, this value was sufficient to prevent packet loss. More heavily loaded systems might require larger backlog values. Increased backlogs have the effect of potentially increasing latency on the localhost interface.

The result is to increase the buffer and allow more packets to be waiting for processing, which reduces the chances of dropping localhost packets.


6.7.9. Hardware enablement

The HP NMI watchdog in some cases does not generate a crash dump

The hpwdt driver for the HP NMI watchdog is sometimes not able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI was instead consumed by the perfmon driver. As a consequence, hpwdt in some cases cannot call a panic to generate a crash dump.


Installing RHEL 8.1 on a test system configured with a QL41000 card results in a kernel panic

While installing RHEL 8.1 on a test system configured with a QL41000 card, the system is unable to handle the kernel NULL pointer dereference at 000000000000003c card. As a consequence, it results in a kernel panic error. There is no work around available for this issue.


The cxgb4 driver causes crash in the kdump kernel

The kdump kernel crashes while trying to save information in the vmcore file. Consequently, the cxgb4 driver prevents the kdump kernel from saving a core for later analysis. To work around this problem, add the "novmcoredd" parameter to the kdump kernel command line to allow saving core files.


6.7.10. File systems and storage

Certain SCSI drivers might sometimes use an excessive amount of memory

Certain SCSI drivers use a larger amount of memory than in RHEL 7. In certain cases, such as vPort creation on a Fibre Channel host bus adapter (HBA), the memory usage might be excessive, depending upon the system configuration.

The increased memory usage is caused by memory preallocation in the block layer. Both the multiqueue block device scheduling (BLK-MQ) and the multiqueue SCSI stack (SCSI-MQ) preallocate memory for each I/O request in RHEL 8, leading to the increased memory usage.


VDO cannot suspend until UDS has finished rebuilding

When a Virtual Data Optimizer (VDO) volume starts after an unclean system shutdown, it rebuilds the Universal Deduplication Service (UDS) index. If you try to suspend the VDO volume using the dmsetup suspend command while the UDS index is rebuilding, the suspend command might become unresponsive. The command finishes only after the rebuild is done.

The unresponsiveness is noticeable only with VDO volumes that have a large UDS index, which causes the rebuild to take a longer time.


An NFS 4.0 patch can result in reduced performance under an open-heavy workload

Previously, a bug was fixed that, in some cases, could cause an NFS open operation to overlook the fact that a file had been removed or renamed on the server. However, the fix may cause slower performance with workloads that require many open operations. To work around this problem, it might help to use NFS version 4.1 or higher, which have been improved to grant delegations to clients in more cases, allowing clients to perform open operations locally, quickly, and safely.


6.7.11. Dynamic programming languages, web and database servers

nginx cannot load server certificates from hardware security tokens

The nginx web server supports loading TLS private keys from hardware security tokens directly from PKCS#11 modules. However, it is currently impossible to load server certificates from hardware security tokens through the PKCS#11 URI. To work around this problem, store server certificates on the file system


php-fpm causes SELinux AVC denials when php-opcache is installed with PHP 7.2

When the php-opcache package is installed, the FastCGI Process Manager (php-fpm) causes SELinux AVC denials. To work around this problem, change the default configuration in the /etc/php.d/10-opcache.ini file to the following:


Note that this problem affects only the php:7.2 stream, not the php:7.3 one.


6.7.12. Compilers and development tools

The ltrace tool does not report function calls

Because of improvements to binary hardening applied to all RHEL components, the ltrace tool can no longer detect function calls in binary files coming from RHEL components. As a consequence, ltrace output is empty because it does not report any detected calls when used on such binary files. There is no workaround currently available.

As a note, ltrace can correctly report calls in custom binary files built without the respective hardening flags.


6.7.13. Identity Management

AD users with expired accounts can be allowed to log in when using GSSAPI authentication

The accountExpires attribute that SSSD uses to see whether an account has expired is not replicated to the global catalog by default. As a result, users with expired accounts can log in when using GSSAPI authentication. To work around this problem, the global catalog support can be disabled by specifying ad_enable_gc=False in the sssd.conf file. With this setting, users with expired accounts will be denied access when using GSSAPI authentication.

Note that SSSD connects to each LDAP server individually in this scenario, which can increase the connection count.


Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System

Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.


Changing /etc/nsswitch.conf requires a manual system reboot

Any change to the /etc/nsswitch.conf file, for example running the authselect select profile_id command, requires a system reboot so that all relevant processes use the updated version of the /etc/nsswitch.conf file. If a system reboot is not possible, restart the service that joins your system to Active Directory, which is the System Security Services Daemon (SSSD) or winbind.


No information about required DNS records displayed when enabling support for AD trust in IdM

When enabling support for Active Directory (AD) trust in Red Hat Enterprise Linux Identity Management (IdM) installation with external DNS management, no information about required DNS records is displayed. Forest trust to AD is not successful until the required DNS records are added. To work around this problem, run the 'ipa dns-update-system-records --dry-run' command to obtain a list of all DNS records required by IdM. When external DNS for IdM domain defines the required DNS records, establishing forest trust to AD is possible.


SSSD returns incorrect LDAP group membership for local users

If the System Security Services Daemon (SSSD) serves users from the local files, the files provider does not include group memberships from other domains. As a consequence, if a local user is a member of an LDAP group, the id local_user command does not return the user’s LDAP group membership. To work around the problem, either revert the order of the databases where the system is looking up the group membership of users in the /etc/nsswitch.conf file, replacing sss files with files sss, or disable the implicit files domain by adding


to the [sssd] section in the /etc/sssd/sssd.conf file.

As a result, id local_user returns correct LDAP group membership for local users.


Default PAM settings for systemd-user have changed in RHEL 8 which may influence SSSD behavior

The Pluggable authentication modules (PAM) stack has changed in Red Hat Enterprise Linux 8. For example, the systemd user session now starts a PAM conversation using the systemd-user PAM service. This service now recursively includes the system-auth PAM service, which may include the interface. This means that the SSSD access control is always called.

Be aware of the change when designing access control rules for RHEL 8 systems. For example, you can add the systemd-user service to the allowed services list.

Please note that for some access control mechanisms, such as IPA HBAC or AD GPOs, the systemd-user service is has been added to the allowed services list by default and you do not need to take any action.


SSSD does not correctly handle multiple certificate matching rules with the same priority

If a given certificate matches multiple certificate matching rules with the same priority, the System Security Services Daemon (SSSD) uses only one of the rules. As a workaround, use a single certificate matching rule whose LDAP filter consists of the filters of the individual rules concatenated with the | (or) operator. For examples of certificate matching rules, see the sss-certamp(5) man page.


Private groups fail to be created with auto_private_group = hybrid when multiple domains are defined

Private groups fail to be created with the option auto_private_group = hybrid when multiple domains are defined and the hybrid option is used by any domain other than the first one. If an implicit files domain is defined along with an AD or LDAP domain in the sssd.conf`file and is not marked as `MPG_HYBRID, then SSSD fails to create a private group for a user who has uid=gid and the group with this gid does not exist in AD or LDAP.

The sssd_nss responder checks for the value of the auto_private_groups option in the first domain only. As a consequence, in setups where multiple domains are configured, which includes the default setup on RHEL 8, the option auto_private_group has no effect.

To work around this problem, set enable_files_domain = false in the sssd section of of sssd.conf. As a result, If the enable_files_domain option is set to false, then sssd does not add a domain with id_provider=files at the start of the list of active domains, and therefore this bug does not occur.


python-ply is not FIPS compatible

The YACC module of the python-ply package uses the MD5 hashing algorithm to generate the fingerprint of a YACC signature. However, FIPS mode blocks the use of MD5, which is only allowed in non-security contexts. As a consequence, python-ply is not FIPS compatible. On a system in FIPS mode, all calls to ply.yacc.yacc() fail with the error message:

"UnboundLocalError: local variable 'sig' referenced before assignment"

The problem affects python-pycparser and some use cases of python-cffi. To work around this problem, modify the line 2966 of the file /usr/lib/python3.6/site-packages/ply/, replacing sig = md5() with sig = md5(usedforsecurity=False). As a result, python-ply can be used in FIPS mode.


6.7.14. Desktop

Limitations of the Wayland session

With Red Hat Enterprise Linux 8, the GNOME environment and the GNOME Display Manager (GDM) use Wayland as the default session type instead of the X11 session, which was used with the previous major version of RHEL.

The following features are currently unavailable or do not work as expected under Wayland:

  • Multi-GPU setups are not supported under Wayland.
  • X11 configuration utilities, such as xrandr, do not work under Wayland due to its different approach to handling, resolutions, rotations, and layout. You can configure the display features using GNOME settings.
  • Screen recording and remote desktop require applications to support the portal API on Wayland. Certain legacy applications do not support the portal API.
  • Pointer accessibility is not available on Wayland.
  • No clipboard manager is available.
  • GNOME Shell on Wayland ignores keyboard grabs issued by most legacy X11 applications. You can enable an X11 application to issue keyboard grabs using the /org/gnome/mutter/wayland/xwayland-grab-access-rules GSettings key. By default, GNOME Shell on Wayland enables the following applications to issue keyboard grabs:

    • GNOME Boxes
    • Vinagre
    • Xephyr
    • virt-manager, virt-viewer, and remote-viewer
    • vncviewer
  • Wayland inside guest virtual machines (VMs) has stability and performance problems. RHEL automatically falls back to the X11 session when running in a VM.

If you upgrade to RHEL 8 from a RHEL 7 system where you used the X11 GNOME session, your system continues to use X11. The system also automatically falls back to X11 when the following graphics drivers are in use:

  • The proprietary NVIDIA driver
  • The cirrus driver
  • The mga driver
  • The aspeed driver

You can disable the use of Wayland manually:

  • To disable Wayland in GDM, set the WaylandEnable=false option in the /etc/gdm/custom.conf file.
  • To disable Wayland in the GNOME session, select the legacy X11 option by using the cogwheel menu on the login screen after entering your login name.

For more details on Wayland, see


Drag-and-drop does not work between desktop and applications

Due to a bug in the gnome-shell-extensions package, the drag-and-drop functionality does not currently work between desktop and applications. Support for this feature will be added back in a future release.


Disabling flatpak repositories from Software Repositories is not possible

Currently, it is not possible to disable or remove flatpak repositories in the Software Repositories tool in the GNOME Software utility.


Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V Server 2016 hosts

When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a Microsoft Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the GRUB boot menu. In addition, the following error is logged in the Hyper-V event log:

The guest operating system reported that it failed with the following error code: 0x1E

This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, use Hyper-V Server 2019 as the host.


GNOME Shell on Wayland performs slowly when using a software renderer

When using a software renderer, GNOME Shell as a Wayland compositor (GNOME Shell on Wayland) does not use a cacheable framebuffer for rendering the screen. Consequently, GNOME Shell on Wayland is slow. To workaround the problem, go to the GNOME Display Manager (GDM) login screen and switch to a session that uses the X11 protocol instead. As a result, the Xorg display server, which uses cacheable memory, is used, and GNOME Shell on Xorg in the described situation performs faster compared to GNOME Shell on Wayland.


System crash may result in fadump configuration loss

This issue is observed on systems where firmware-assisted dump (fadump) is enabled, and the boot partition is located on a journaling file system such as XFS. A system crash might cause the boot loader to load an older initrd that does not have the dump capturing support enabled. Consequently, after recovery, the system does not capture the vmcore file, which results in fadump configuration loss.

To work around this problem:

  • If /boot is a separate partition, perform the following:

    1. Restart the kdump service
    2. Run the following commands as the root user, or using a user account with CAP_SYS_ADMIN rights:

      # fsfreeze -f
      # fsfreeze -u
  • If /boot is not a separate partition, reboot the system.


Potential risk when using the default value for ldap_id_use_start_tls option

When using ldap:// without TLS for identity lookups, it can pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.

Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are not affected as they use encrypted connections protected by SASL and GSSAPI.

If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the /etc/sssd/sssd.conf file. The default behavior is planned to be changed in a future release of RHEL.


6.7.15. Graphics infrastructures

radeon fails to reset hardware correctly

The radeon kernel driver currently does not reset hardware in the kexec context correctly. Instead, radeon falls over, which causes the rest of the kdump service to fail.

To work around this problem, blacklist radeon in kdump by adding the following line to the /etc/kdump.conf file:

dracut_args --omit-drivers "radeon"
force_rebuild 1

Restart the machine and kdump. After starting kdump, the force_rebuild 1 line may be removed from the configuration file.

Note that in this scenario, no graphics will be available during kdump, but kdump will work successfully.


6.7.16. The web console

Unprivileged users can access the Subscriptions page

If a non-administrator navigates to the Subscriptions page of the web console, the web console displays a generic error message “Cockpit had an unexpected internal error”.

To work around this problem, sign in to the web console with a privileged user and make sure to check the Reuse my password for privileged tasks checkbox.


6.7.17. Virtualization

Using cloud-init to provision virtual machines on Microsoft Azure fails

Currently, it is not possible to use the cloud-init utility to provision a RHEL 8 virtual machine (VM) on the Microsoft Azure platform. To work around this problem, use one of the following methods:

  • Use the WALinuxAgent package instead of cloud-init to provision VMs on Microsoft Azure.
  • Add the following setting to the [main] section in the /etc/NetworkManager/NetworkManager.conf file:



RHEL 8 virtual machines on RHEL 7 hosts in some cases cannot be viewed in higher resolution than 1920x1200

Currently, when using a RHEL 8 virtual machine (VM) running on a RHEL 7 host system, certain methods of displaying the the graphical output of the VM, such as running the application in kiosk mode, cannot use greater resolution than 1920x1200. As a consequence, displaying VMs using those methods only works in resolutions up to 1920x1200, even if the host hardware supports higher resolutions.


Low GUI display performance in RHEL 8 virtual machines on a Windows Server 2019 host

When using RHEL 8 as a guest operating system in graphical mode on a Windows Server 2019 host, the GUI display performance is low, and connecting to a console output of the guest currently takes significantly longer than expected.

This is a known issue on Windows 2019 hosts and is pending a fix by Microsoft. To work around this problem, connect to the guest using SSH or use Windows Server 2016 as the host.


Installing RHEL virtual machines sometimes fails

Under certain circumstances, RHEL 7 and RHEL 8 virtual machines created using the virt-install utility fail to boot if the --location option is used.

To work around this problem, use the --extra-args option instead and specify an installation tree reachable by the network, for example:


This ensures that the RHEL installer finds the installation files correctly.


Displaying multiple monitors of virtual machines that use Wayland is not possible with QXL

Using the remote-viewer utility to display more than one monitor of a virtual machine (VM) that is using the Wayland display server causes the VM to become unresponsive and the Waiting for display status message to be displayed indefinitely.

To work around this problem, use virtio-gpu instead of qxl as the GPU device for VMs that use Wayland.


virsh iface-\* commands do not work consistently

Currently, virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, frequently fail due to configuration dependencies. Therefore, it is recommended not to use virsh iface-\* commands for configuring and managing host network connections. Instead, use the NetworkManager program and its related management applications.


Customizing an ESXi VM using cloud-init and rebooting the VM causes IP setting loss and makes booting the VM very slow

Currently, if the cloud-init service is used to modify a virtual machine (VM) that runs on the VMware ESXi hypervisor to use static IP and the VM is then cloned, the new cloned VM in some cases takes a very long time to reboot. This is caused cloud-init rewriting the VM’s static IP to DHCP and then searching for an available datasource.

To work around this problem, you can uninstall cloud-init after the VM is booted for the first time. As a result, the subsequent reboots will not be slowed down.

(BZ#1666961, BZ#1706482)

RHEL 8 virtual machines sometimes cannot boot on Witherspoon hosts

RHEL 8 virtual machines (VMs) that use the pseries-rhel7.6.0-sxxm machine type in some cases fail to boot on Power9 S922LC for HPC hosts (also known as Witherspoon) that use the DD2.2 or DD2.3 CPU.

Attempting to boot such a VM instead generates the following error message:

qemu-kvm: Requested safe indirect branch capability level not supported by kvm

To work around this problem, configure the virtual machine’s XML configuration as follows:

<domain type='qemu' xmlns:qemu=''>
    <qemu:arg value='-machine'/>
    <qemu:arg value='cap-ibs=workaround'/>

(BZ#1732726, BZ#1751054)

IBM POWER virtual machines do not work correctly with zero memory NUMA nodes

Currently, when an IBM POWER virtual machine (VM) running on a RHEL 8 host is configured with a NUMA node that uses zero memory (memory='0'), the VM cannot boot. Therefore, Red Hat strongly recommends not using IBM POWER VMs with zero-memory NUMA nodes on RHEL 8.


Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 fails

Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 becomes unresponsive with a "Migration status: active" status.

To work around this problem, disable Transparent Huge Pages (THP) on the RHEL 7-ALT host, which enables the migration to complete successfully.


SMT CPU topology is not detected by VMs when using host passthrough mode on AMD EPYC

When a virtual machine (VM) boots with the CPU host passthrough mode on an AMD EPYC host, the TOPOEXT CPU feature flag is not present. Consequently, the VM is not able to detect a virtual CPU topology with multiple threads per core. To work around this problem, boot the VM with the EPYC CPU model instead of host passthrough.


Virtual machines sometimes fail to start when using many virtio-blk disks

Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number of interrupt vectors available in the platform. If this occurs, the VM’s guest OS fails to boot, and displays a dracut-initqueue[392]: Warning: Could not boot error.