Chapter 6. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 8.2 that have a significant impact on users.
6.1. Installer and image creation
inst.version kernel boot parameters no longer stop the installation program
Previously, booting the installation program from the kernel command line using the inst.version boot parameters printed the version, for example anaconda 30.25.6, and stopped the installation program.
With this update, the inst.version parameters are ignored when the installation program is booted from the kernel command line, and as a result, the installation program is not stopped.
Support secure boot for s390x in the installer
Previously, RHEL 8.1 provided support for preparing boot disks for use in IBM Z environments that enforced the use of secure boot. The capabilities of the server and hypervisor used during installation determined if the resulting on-disk format contained secure boot support. There was no way to influence the on-disk format during installation. Consequently, if you installed RHEL 8.1 in an environment that supported secure boot, the system was unable to boot when moved to an environment that lacked secure boot support, as is done in some failover scenarios.
With this update, you can now configure the secure boot option of the zipl tool. To do so, you can use either:
- zipl command and one of its options, for example:
- From the Installation Summary window in the GUI, you can select the System > Installation Destination > Full disk summary and boot loader link and set the boot device.
As a result, the installation can now be booted in environments that lack secure boot support.
The secure boot feature is now available
Previously, the default value for the secure= boot option was not set to auto, and as a result, the secure boot feature was not available. With this update, unless previously configured, the default value is set to auto, and the secure boot feature is now available.
/etc/sysconfig/kernel file no longer references the new-kernel-pkg script
Previously, the /etc/sysconfig/kernel file referenced the new-kernel-pkg script. However, the new-kernel-pkg script is not included in a RHEL 8 system. With this update, the reference to the new-kernel-pkg script has been removed from the /etc/sysconfig/kernel file.
The installation does not set more than the maximum number of allowed devices in the boot-device NVRAM variable
Previously, the RHEL 8 installation program set more than the maximum number of allowed devices in the boot-device NVRAM variable. As a result, the installation failed on systems that had more than the maximum number of devices. With this update, the RHEL 8 installation program now checks the maximum device setting and only adds the permitted number of devices.
Installations work for an image location that uses a URL command in a Kickstart file located in a non-network location
Previously, the installation failed early in the process when network activation triggered by the image remote location was specified by a URL command in a Kickstart file located in a non-network location. This update fixes the issue, and installations that provide the image location by using a URL command in a Kickstart file that is located in a non-network location, for example, a CD-ROM or local block device, now work as expected.
The RHEL 8 installation program only checks ECKD DASD for unformatted devices
Previously, when checking for unformatted devices, the installation program checked all DASD devices. However, the installation program should only have checked ECKD DASD devices. As a consequence, the installation failed with a traceback when an FBA DASD device with SWAPGEN was used. With this update, the installation program does not check FBA DASD devices, and the installation completes successfully.
6.2. Software management
yum repolist no longer ends on first unavailable repository
Previously, the repository configuration option skip_if_unavailable was by default set as follows:
This setting forced the yum repolist command to end on first unavailable repository with an error and exit status 1. Consequently, yum repolist did not continue listing available repositories.
With this update, yum repolist has been fixed to no longer require any downloads. As a result, yum repolist does not provide any output requiring metadata, and the command now continues listing available repositories as expected.
Note that the number of available packages is only returned by yum repolist --verbose or yum repoinfo that still require available metadata. Therefore these commands will end on the first unavailable repository.
6.3. Shells and command-line tools
RHEL 8.2 introduces a number of updates to the Relax-and-Recover (ReaR) utility.
The build directory handling has been changed. Previously, the build directory was kept in a temporary location in case ReaR encountered a failure. With this update, the build directory is deleted by default in non-interactive runs to prevent consuming disk space.
The semantics of the KEEP_BUILD_DIR configuration variable have been enhanced to include a new errors value. You can set the KEEP_BUILD_DIR variable to the following values:
- errors to preserve the build directory on errors for debugging (the previous behavior)
- true to always preserve the build directory
- false to never preserve the build directory
The default value is an empty string with the meaning of errors when ReaR is being executed interactively (in a terminal) and false when ReaR is being executed non-interactively. Note that KEEP_BUILD_DIR is automatically set to true in debug mode (-d) and in debugscript mode (-D); this behavior has not been changed.
Notable bug fixes include:
- Support for NetBackup 8.0 has been fixed.
- ReaR no longer aborts with a bash error similar to xrealloc: cannot allocate on systems with a large number of users, groups, and users per group.
- The bconsole command now shows its prompt, which enables you to perform a restore operation when using the Bacula integration.
- ReaR now correctly backs up files also in situations when the docker service is running but no docker root directory has been defined, or when it is impossible to determine the status of the docker service.
- Recovery no longer fails when using thin pools or recovering a system in Migration Mode.
- Extremely slow rebuild of initramfs during the recovery process with LVM has been fixed.
- ReaR now creates a working bootable ISO image on the AMD and Intel 64-bit architectures when using the UEFI bootloader. Booting a rescue image in this setup no longer aborts in Grub with the error message Unknown command 'configfile' (…) Entering rescue mode…. Support for GRUB_RESCUE in this setup, which previously could fail due to missing XFS filesystem support, has also been fixed.
mlocate-updatedb.timer is now enabled during the mlocate package installation
Previously, reindexing of the file database was not performed automatically, because the mlocate-updatedb.timer timer was disabled after the mlocate package installation. With this update, the mlocate-updatedb.timer timer is now a part of the 90-default.preset file and is enabled by default after the mlocate package installation. As a result, the file database is updated automatically.
6.4. Infrastructure services
dnsmasq now correctly handles the non-recursive DNS queries
dnsmasq forwarded all the non-recursive queries to an upstream server, which led to different responses. With this update, the non-recursive queries to local known names, such as DHCP host lease names or hosts read from the /etc/hosts file, are handled by dnsmasq and are not forwarded to an upstream server. As a result, the same response as to recursive queries to known names is returned.
dhclient no longer fails to renew the IP address after system time changes
Previously, if the system time changed, the system could lose the IP address assigned due to the removal by the kernel. With this update, dhclient uses a monotonic timer to detect backward time jumps and issues the DHCPREQUEST message for lease extension in case of a discontinuous jump in the system time. As a result, the system no longer loses the IP address in the described scenario.
ipcalc now returns the correct broadcast address for the /31 prefix
This update fixes the ipcalc utility to follow the RFC 3021 standard properly. As a result, ipcalc returns the correct broadcast address when the /31 prefix is used on an interface.
/etc/services now contains proper NRPE port definition
This update adds the proper Nagios Remote Plug-in Executor (NRPE) service port definition to the /etc/services file.
postfix DNS resolver code now uses res_search instead of res_query
Following its previous update in postfix, the DNS resolver code used the res_query function instead of the res_search function. As a consequence, the DNS resolver did not search host names in the current and parent domains with the following configuration:
# postconf -e "smtp_host_lookup = dns"
# postconf -e "smtp_dns_resolver_options = res_defnames, res_dnsrch"
For example, for:
# postconf -e "relayhost = [smtp]"
and the domain name in the example.com format, the DNS resolver did not use the smtp.example.com SMTP server for relaying.
With this update, the DNS resolver code has been changed to use res_search instead of res_query, and it now searches the host names in the current and parent domains correctly.
PCRE, CDB, and SQLite can now be used with Postfix
In RHEL 8, the postfix package has been split into multiple subpackages, each subpackage providing a plug-in for a specific database. Previously, RPM packages containing the postfix-pcre, postfix-cdb, and postfix-sqlite plug-ins were not distributed. Consequently, databases with these plug-ins could not be used with Postfix. This update adds RPM packages containing the PCRE, CDB, and SQLite plug-ins to the AppStream repository. As a result, these plug-ins can be used after the appropriate RPM package is installed.
openssl-pkcs11 no longer locks devices by attempting to log in to multiple devices
The openssl-pkcs11 engine attempted to log in to the first result of a search using the provided PKCS #11 URI and used the provided PIN even if the first result was not the intended device and the PIN matched another device. These failed authentication attempts locked the device.
openssl-pkcs11 now attempts to log in to a device only if the provided PKCS #11 URI matches only a single device. The engine now intentionally fails in case the PKCS #11 search finds more than one device. For this reason, you must provide a PKCS #11 URI that matches only a single device when using openssl-pkcs11 to log in to the device.
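The single-device rule described above can be checked before a URI goes into a service configuration. The following Python sketch is an added example, not code from openssl-pkcs11 or from Red Hat; it models the rule with RFC 7512 path attributes, and the token inventory, labels, serial numbers, and PIN are constructed sample values.

```python
from urllib.parse import unquote

# RFC 7512 path attributes that identify a token (as opposed to an object on it).
TOKEN_ATTRS = ("token", "manufacturer", "model", "serial")

# Constructed inventory: two cards of the same make and model, as a host with
# two readers might report them. All values are made up for this example.
SAMPLE_TOKENS = [
    {"token": "Web Server Keys", "manufacturer": "ExampleCorp",
     "model": "EC-100", "serial": "0001A7"},
    {"token": "Backup Keys", "manufacturer": "ExampleCorp",
     "model": "EC-100", "serial": "0001B2"},
]


def parse_pkcs11_uri(uri):
    """Return the path attributes of a PKCS #11 URI as a dict."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path = rest.split("?", 1)[0]  # drop query attributes such as pin-value
    attrs = {}
    for part in filter(None, path.split(";")):
        name, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"malformed attribute: {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        attrs[name] = unquote(value)  # values are percent-encoded
    return attrs


def matching_tokens(uri, tokens=SAMPLE_TOKENS):
    """Return every token whose description satisfies the URI."""
    wanted = {k: v for k, v in parse_pkcs11_uri(uri).items() if k in TOKEN_ATTRS}
    # A URI without token attributes constrains nothing, so it matches all tokens.
    return [t for t in tokens if all(t.get(k) == v for k, v in wanted.items())]


def login_decision(uri, tokens=SAMPLE_TOKENS):
    """Present the PIN only when exactly one token matches the URI."""
    count = len(matching_tokens(uri, tokens))
    if count == 1:
        return "login"
    if count == 0:
        return "refuse: no token matches"
    return f"refuse: {count} tokens match"


if __name__ == "__main__":
    for uri in (
        "pkcs11:object=tls-key?pin-value=1234",            # matches every token
        "pkcs11:manufacturer=ExampleCorp;object=tls-key",  # still ambiguous
        "pkcs11:serial=0001A7;object=tls-key",             # unique
        "pkcs11:token=Web%20Server%20Keys;object=tls-key", # unique
    ):
        print(f"{uri} -> {login_decision(uri)}")
```

A URI that names only the object or the manufacturer is refused here because each wrong PIN presented to the wrong card counts toward that card's lockout; adding serial or token makes the match unique.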
OpenSCAP offline scans using rpmverifyfile now work properly
Prior to this update, the OpenSCAP scanner did not correctly change the current working directory in offline mode, and the fchdir function was not called with the correct arguments in the OpenSCAP rpmverifyfile probe. The OpenSCAP scanner has been fixed to correctly change the current working directory in offline mode, and the fchdir function has been fixed to use correct arguments in rpmverifyfile. As a result, SCAP content that contains OVAL rpmverifyfile can be used by OpenSCAP to scan arbitrary file systems.
httpd now starts correctly if using an ECDSA private key without matching public key stored in a PKCS #11 device
Unlike RSA keys, ECDSA private keys do not necessarily contain public-key information. In this case, you cannot obtain the public key from an ECDSA private key. For this reason, a PKCS #11 device stores public-key information in a separate object whether it is a public-key object or a certificate object. OpenSSL expected the EVP_PKEY structure provided by an engine for a private key to contain the public-key information. When filling the EVP_PKEY structure to be provided to OpenSSL, the engine in the openssl-pkcs11 package tried to fetch the public-key information only from matching public-key objects and ignored the present certificate objects.
When OpenSSL requested an ECDSA private key from the engine, the provided EVP_PKEY structure did not contain the public-key information if the public key was not present in the PKCS #11 device, even when a matching certificate that contained the public key was available. As a consequence, since the Apache httpd web server called the X509_check_private_key() function, which requires the public key, in its start-up process, httpd failed to start in this scenario. This problem has been solved by loading the EC public key from the certificate if the public-key object is not available. As a result, httpd now starts correctly when ECDSA keys are stored in a PKCS #11 device.
scap-security-guide PCI-DSS remediations of Audit rules now work properly
The scap-security-guide package contained a combination of remediation and a check that could result in one of the following scenarios:
- incorrect remediation of Audit rules
- scan evaluation containing false positives where passed rules were marked as failed
Consequently, during the RHEL installation process, scanning of the installed system reported some Audit rules as either failed or errored.
With this update, the remediations have been fixed, and scanning of the system installed with the PCI-DSS security policy no longer reports false positives for Audit rules.
OpenSCAP now provides offline scanning of virtual machines and containers
Previously, refactoring of the OpenSCAP codebase caused certain RPM probes to fail to scan VM and container file systems in offline mode. Consequently, the following tools could not be included in the
oscap-chroot. Furthermore, the
openscap-containers package was completely removed from RHEL 8. With this update, the problems in the probes have been fixed.
As a result, RHEL 8 now contains the
oscap-chroot tools in the
rpmverifypackage now works correctly
chroot system calls were called twice by the rpmverifypackage probe. Consequently, an error occurred when the probe was utilized during an OpenSCAP scan with custom Open Vulnerability and Assessment Language (OVAL) content. The rpmverifypackage probe has been fixed to properly utilize the chroot system calls. As a result, rpmverifypackage now works correctly.
Locking in the qdisc_run function now does not cause kernel crash
Previously, a race condition that occurred when the pfifo_fast queue discipline was reset while dequeuing traffic led to packets being transmitted after they had been freed. As a consequence, the kernel sometimes terminated unexpectedly. With this update, locking in the qdisc_run function has been improved. As a result, the kernel no longer crashes in the described scenario.
The DBus APIs in org.fedoraproject.FirewallD1.config.service work as expected
Previously, the DBus API queryIncludes functions in org.fedoraproject.FirewallD1 returned an error message: org.fedoraproject.FirewallD1.Exception: list index out of range due to bad indexing. With this update, the DBus API queryIncludes functions work as expected.
RHEL no longer logs a kernel warning when unloading the ipvs module
Previously, the IP virtual server (ipvs) module used an incorrect reference counting, which caused a race condition when unloading the module. Consequently, RHEL logged a kernel warning. This update fixes the race condition. As a result, the kernel no longer logs the warning when you unload the ipvs module.
nft utility no longer interprets arguments as command-line options after the first non-option argument
The nft utility accepted options anywhere in an nft command. For example, admins could use options between or after non-option arguments. As a consequence, due to the leading dash, nft interpreted negative priority values as options, and the command failed. The nft utility’s command-line parser has been updated to not interpret arguments that start with a dash after the first non-option argument has been read. As a result, admins no longer require workarounds to pass negative priority values to nft.
Note that due to this change, you must now pass all command options to nft before the first non-option argument. Before you update, verify that your nftables scripts meet this new requirement to ensure that they work as expected after you install this update.
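One way to run the pre-update check on existing scripts is to look for nft invocations that still place options after the command. The following Python sketch is an added example, not part of nftables or of these release notes; the set of options that take a value is an assumption taken from nft(8), and the sample script is constructed.

```python
import re
import shlex

# Options that consume the following argument. Taken from nft(8); treat this
# set as an assumption and adjust it to the nft version you run.
TAKES_VALUE = {"-f", "--file", "-I", "--includepath", "-d", "--debug"}
NEGATIVE_NUMBER = re.compile(r"-\d+")

# Constructed sample script; the file path in it is a placeholder.
SAMPLE_SCRIPT = r"""#!/bin/sh
nft -a list ruleset
nft list ruleset -a
nft add chain ip filter input { type filter hook input priority -150 \; }
nft -f /etc/nftables/main.nft
nft list table inet filter --handle --numeric
"""


def late_dash_args(command_line):
    """Classify dash-prefixed words that follow the first non-option argument.

    Returns (word, kind) pairs. "negative-value" words are passed through to
    the ruleset parser after the update. "option-after-command" words are no
    longer parsed as options and must move in front of the command.
    """
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes, for example a multi-line command
        return []
    if not argv or argv[0].rsplit("/", 1)[-1] != "nft":
        return []
    findings = []
    in_command = False  # True once the first non-option argument was seen
    skip_value = False  # True when the previous option consumes this word
    for word in argv[1:]:
        if skip_value:
            skip_value = False
            continue
        looks_like_option = word.startswith("-") and word != "-"
        if not in_command:
            if word == "--" or not looks_like_option:
                in_command = True
            else:
                skip_value = word in TAKES_VALUE
            continue
        if looks_like_option:
            if NEGATIVE_NUMBER.fullmatch(word):
                findings.append((word, "negative-value"))
            else:
                findings.append((word, "option-after-command"))
    return findings


def lint_script(text):
    """Return (line number, word) for every option placed after the command."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for word, kind in late_dash_args(line):
            if kind == "option-after-command":
                problems.append((number, word))
    return problems


if __name__ == "__main__":
    for number, word in lint_script(SAMPLE_SCRIPT):
        print(f"line {number}: move {word} before the first non-option argument")
```

Commands passed to nft as a single quoted argument contain no separate dash-prefixed words and are not affected by the change, so the check reports nothing for them.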
/etc/hosts.deny files no longer contain outdated references to removed tcp_wrappers
The /etc/hosts.deny files contained outdated information about the tcp_wrappers package. The files are removed in RHEL 8 as they are no longer needed for tcp_wrappers, which is removed.
Subsection memory hotplug is now fully supported
Previously, some platforms aligned physical memory regions such as Dual In-Line Modules (DIMMs) and interleave sets to a 64MiB memory boundary. However, as the Linux hotplug subsystem uses a memory size of 128MiB, hot-plugging new devices caused multiple memory regions to overlap in a single hotplug memory window. Consequently, this caused failure in listing the available persistent memory namespaces with the following or a similar call trace:
WARNING: CPU: 38 PID: 928 at arch/x86/mm/init_64.c:850 add_pages+0x5c/0x60
[..]
RIP: 0010:add_pages+0x5c/0x60
[..]
Call Trace:
 devm_memremap_pages+0x460/0x6e0
 pmem_attach_disk+0x29e/0x680 [nd_pmem]
 ? nd_dax_probe+0xfc/0x120 [libnvdimm]
 nvdimm_bus_probe+0x66/0x160 [libnvdimm]
This update fixes the problem and enables the Linux hotplug subsystem to let multiple memory regions share a single hotplug memory window.
Data corruption now triggers a BUG instead of a WARN message
With this enhancement, the list corruptions at lib/list_debug.c now trigger a BUG, which generates a report with a vmcore. Previously, when encountering a data corruption, a simple WARN was generated, which was likely to go unnoticed. With CONFIG_BUG_ON_DATA_CORRUPTION set, the kernel now creates a crash and triggers a BUG in response to data corruption. This prevents further damage and reduces the security risk. kdump now generates a vmcore, which improves the data corruption bug reporting.
Intel Carlsville card is available but not verified in RHEL 8.2
Intel Carlsville card support is available but not tested on Red Hat Enterprise Linux 8.2.
6.8. File systems and storage
SCSI drivers no longer use an excessive amount of memory
Previously, certain SCSI drivers used a larger amount of memory than in RHEL 7. In certain cases, such as vPort creation on a Fibre Channel host bus adapter (HBA), the memory usage was excessive, depending upon the system configuration.
The increased memory usage was caused by memory preallocation in the block layer. Both the multiqueue block device scheduling (BLK-MQ) and the multiqueue SCSI stack (SCSI-MQ) preallocated memory for each I/O request, leading to the increased memory usage.
With this update, the block layer limits the amount of memory preallocation, and as a result, the SCSI drivers no longer use an excessive amount of memory.
VDO can now suspend before UDS has finished rebuilding
The dmsetup suspend command became unresponsive if you attempted to suspend a VDO volume while the UDS index was rebuilding. The command finished only after the rebuild.
With this update, the problem has been fixed. The dmsetup suspend command can finish before the UDS rebuild is done without becoming unresponsive.
6.9. Dynamic programming languages, web and database servers
mod_cgid logging has been fixed
Prior to this update, if the mod_cgid httpd module was used under a threaded multi-processing module (MPM), the following logging problems occurred:
- The stderr output of the CGI script was not prefixed with standard timestamp information.
- The stderr output of the CGI script was not correctly redirected to a log file specific to the VirtualHost, if configured.
This update fixes the problems, and mod_cgid logging now works as expected.
6.10. Compilers and development tools
Unrelocated and uninitialized shared objects no longer result in failures if dlopen fails
Previously, if the dlopen call failed, the glibc dynamic linker did not remove shared objects with the NODELETE mark before reporting the error. Consequently, the unrelocated and uninitialized shared objects remained in the process image, eventually resulting in assertion failures or crashes. With this update, the dynamic loader uses a pending NODELETE state to remove shared objects upon dlopen failure, before marking them as NODELETE permanently. As a result, the process does not leave any unrelocated objects behind. Also, lazy binding failures while ELF constructors and destructors run now terminate the process.
Advanced SIMD functions on the 64-bit ARM architecture no longer miscompile when lazily resolved
Previously, the new vector Procedure Call Standard (PCS) for Advanced SIMD did not properly save and restore certain callee-saved registers when lazily resolving Advanced SIMD functions. As a consequence, binaries could misbehave at runtime. With this update, the Advanced SIMD and SVE vector functions in the symbol table are marked with .variant_pcs and, as a result, the dynamic linker will bind such functions early.
sudo wrapper script now parses options
The /opt/redhat/devtoolset*/root/usr/bin/sudo wrapper script did not correctly parse sudo options. As a consequence, some sudo options (for example, sudo -i) could not be executed. With this update, more sudo options are correctly parsed and, as a result, the sudo wrapper script works more like sudo.
Alignment of TLS variables in glibc has been fixed
Previously, aligned thread-local storage (TLS) data could, under certain conditions, become instantiated without the expected alignment. With this update, the POSIX Thread Library libpthread has been enhanced to ensure correct alignment under any conditions. As a result, aligned TLS data is now correctly instantiated for all threads with the correct alignment.
pututxline calls following EAGAIN error no longer corrupt the utmp file
When the pututxline function tries to acquire a lock and does not succeed in time, the function returns with the EAGAIN error code. Previously in this situation, if pututxline was called immediately again and managed to obtain the lock, it did not use an already-allocated matching slot in the utmp file, but added another entry instead. As a consequence, these unused entries increased the size of the utmp file substantially. This update fixes the issue, and the entries are added to the utmp file correctly now.
mtrace no longer hangs when internal failures occur
Previously, a defect in the mtrace tool implementation could cause memory tracing to hang. To fix this issue, the mtrace memory tracing implementation has been made more robust to avoid the hang even in the face of internal failures. As a result, users can now call mtrace and it no longer hangs, completing in bounded time.
fork function avoids certain deadlocks related to use of atfork handlers
Previously, if a program registered an atfork handler and invoked fork from an asynchronous-signal handler, a defect in the internal implementation-dependent lock could cause the program to freeze. With this update, the implementation of fork and its atfork handlers is adjusted to avoid the deadlock in single-threaded programs.
strstr no longer returns incorrect matches for a truncated pattern
On certain IBM Z platforms (z15, previously known as arch13), the strstr function did not correctly update a CPU register when handling search patterns that cross a page boundary. As a consequence, strstr returned incorrect matches. This update fixes the problem, and as a result, strstr works as expected in the mentioned scenario.
C.UTF-8 locale source ellipsis expressions in glibc are fixed
Previously, a defect in the C.UTF-8 source locale resulted in all Unicode code points above U+10000 lacking collation weights. As a consequence, all code points above U+10000 did not collate as expected. The C.UTF-8 source locale has been corrected, and the newly compiled binary locale now has collation weights for all Unicode code points. The compiled C.UTF-8 locale is 5.3MiB larger as a result of this fix.
glibc no longer fails when getpwent() is called without calling setpwent()
If the /etc/nsswitch.conf file pointed to the Berkeley DB (db) password provider, you could request data using the getpwent() function without first calling setpwent() only once. When you called the endpwent() function, further calls to getpwent() without first calling setpwent() caused glibc to fail because endpwent() could not reset the internals to allow a new query. This update fixes the problem. As a result, after you end one query with endpwent(), further calls to getpwent() will start a new query even if you do not call setpwent().
ltrace can now trace system calls in hardened binaries
ltrace did not produce any results on certain hardened binaries, such as system binaries, on the AMD and Intel 64-bit architectures. With this update, ltrace can now trace system calls in hardened binaries.
Intel’s JCC flaw no longer causes significant performance loss in the GCC compiler
Certain Intel CPUs are affected by the Jump Conditional Code (JCC) bug causing machine instructions to be executed incorrectly. Consequently, the affected CPUs might not execute programs properly. The full fix involves updating the microcode of vulnerable CPUs, which can cause a performance degradation. This update enables a workaround in the assembler that helps to reduce the performance loss. The workaround is not enabled by default.
To apply the workaround, recompile a program using GCC with the -Wa,-mbranches-within-32B-boundaries command-line option. A program recompiled with this command-line option will not be affected by the JCC flaw, but the microcode update is still necessary to fully protect a system.
Note that applying the workaround will increase the size of the program and can still cause a slight performance decrease, although it should be less than it would have been without the recompilation.
make no longer slows down when using parallel builds
Previously, while running parallel builds, make sub-processes could become temporarily unresponsive when waiting for their turn to run. As a consequence, builds with high -j values slowed down or ran at lower effective -j values. With this update, the job control logic of make is now non-blocking. As a result, builds with high -j values run at full
ltrace tool now reports function calls correctly
Because of improvements to binary hardening applied to all RHEL components, the ltrace tool previously could not detect function calls in binary files coming from RHEL components. As a consequence, ltrace output was empty because it did not report any detected calls when used on such binary files. This update fixes the way ltrace handles function calls, which prevents the described problem from occurring.
6.11. Identity Management
dsctl utility no longer fails to manage instances with a hyphen in their name
The dsctl utility did not correctly parse hyphens in the Directory Server instance names. As a consequence, administrators could not use dsctl to manage instances with a hyphen in their name. This update fixes the problem, and dsctl now works as expected in the mentioned scenario.
Directory Server instance names can now have up to 103 characters
When an LDAP client establishes a connection to Directory Server, the server stores information related to the client address in a local buffer. Previously, the size of this buffer was too small to store an LDAPI path name longer than 46 characters. For example, this is the case if the name of the Directory Server instance is too long. As a consequence, the server terminated unexpectedly due to a buffer overflow. This update increases the buffer size to the maximum size the Netscape Portable Runtime (NSPR) library supports for the path name. As a result, Directory Server no longer crashes in the mentioned scenario.
Note that due to the limitation in the NSPR library, an instance name can be at most 103 characters long.
pkidestroy utility now picks the correct instance
The pkidestroy --force command executed on a half-removed instance picked the pki-tomcat instance by default, regardless of the instance name specified with the -i instance option.
As a consequence, this removed the pki-tomcat instance instead of the intended instance, and the --remove-logs option did not remove the intended instance’s logs.
pkidestroy now applies the right instance name, removing only the intended instance’s leftovers.
ldap_user_authorized_service description has been updated in the sssd-ldap man page
The Pluggable authentication modules (PAM) stack has been changed in RHEL 8. For example, the systemd user session now starts a PAM conversation using the systemd-user PAM service. This service now recursively includes the system-auth PAM service, which may include the pam_sss.so interface. This means that the SSSD access control is always called.
You should be aware of this change when designing access control rules for RHEL 8 systems. For example, you can add the systemd-user service to the allowed services list.
Note that for some access control mechanisms, such as IPA HBAC or AD GPOs, the systemd-user service has been added to the allowed services list by default and you do not need to take any action.
The sssd-ldap man page has been updated to include this information.
Information about required DNS records is now displayed when enabling support for AD trust in IdM
Previously, when enabling support for Active Directory (AD) trust in Red Hat Enterprise Linux Identity Management (IdM) installation with external DNS management, no information about required DNS records was displayed. Entering the ipa dns-update-system-records --dry-run command manually was necessary to obtain a list of all DNS records required by IdM.
With this update, the ipa-adtrust-install command correctly lists the DNS service records for manual addition to the DNS zone.
GNOME Shell on Wayland no longer performs slowly when using a software renderer
Previously, the Wayland back end of GNOME Shell did not use a cacheable framebuffer when using a software renderer. As a consequence, software-rendered GNOME Shell on Wayland was slow compared to software-rendered GNOME Shell on the X.org back end.
With this update, an intermediate shadow framebuffer has been added in GNOME Shell on Wayland. As a result, software-rendered GNOME Shell on Wayland now performs as well as GNOME Shell on X.org.
Starting a VM on a 10th generation Intel Core processor no longer fails
Previously, starting a virtual machine (VM) failed on a host model that used a 10th generation Intel Core processor, also known as Icelake-Server. With this update, libvirt no longer attempts to disable the pconfig CPU feature which is not supported by QEMU. As a result, starting a VM on a host model running a 10th generation Intel processor no longer fails.
Using cloud-init to provision virtual machines on Microsoft Azure now works correctly
Previously, it was not possible to use the cloud-init utility to provision a RHEL 8 virtual machine (VM) on the Microsoft Azure platform. This update fixes the cloud-init handling of the Azure endpoints, and provisioning RHEL 8 VMs on Azure now proceeds as expected.
RHEL 8 virtual machines on RHEL 7 hosts can be reliably viewed in higher resolution than 1920x1200
Previously, when using a RHEL 8 virtual machine (VM) running on a RHEL 7 host system, certain methods of displaying the graphical output of the VM, such as running the application in kiosk mode, could not use greater resolution than 1920x1200. As a consequence, displaying VMs using those methods only worked in resolutions up to 1920x1200 even if the host hardware supported higher resolutions. This update adjusts DRM and QXL drivers in a way to prevent the described problem from occurring.
Customizing an ESXi VM using cloud-init and rebooting the VM now works correctly
Previously, if the cloud-init service was used to modify a virtual machine (VM) running on the VMware ESXi hypervisor to use static IP and the VM was then cloned, the new cloned VM in some cases took a very long time to reboot. This update modifies cloud-init not to rewrite the VM’s static IP to DHCP, which prevents the described problem from occurring.
Pulling images from the quay.io registry no longer leads to unintended images
Previously, having the quay.io container image registry listed in the default registries search list provided in /etc/containers/registries.conf could allow a user to pull a spoofed image when using a short name. To fix this issue, the quay.io container image registry has been removed from the default registries search list in /etc/containers/registries.conf. As a result, pulling images from the quay.io registry now requires users to specify the full repository name, such as quay.io/myorg/myimage. The quay.io registry can be added back to the default registries search list in /etc/containers/registries.conf to reenable pulling container images using short names, however, this is not recommended as it could create a security risk.
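Because short names now need the full repository name, build files and scripts that still use them are worth finding before they break or resolve somewhere unintended. The following Python sketch is an added example, not part of the container tools or of these release notes; the search lists, registry.example.com, and the sample lines are constructed, and only the --option=value form of podman pull options is handled.

```python
# Constructed search lists standing in for the registries search list in
# /etc/containers/registries.conf; registry.example.com is a placeholder.
SEARCH_WITH_QUAY = ["registry.example.com", "quay.io"]
SEARCH_WITHOUT_QUAY = ["registry.example.com"]

# Constructed Containerfile and shell lines.
SAMPLE = """\
FROM myorg/myimage:1.0 AS build
FROM quay.io/myorg/myimage:1.0
podman pull --tls-verify=true myorg/tools
podman pull localhost:5000/app
FROM scratch
"""


def split_registry(ref):
    """Split an image reference into (registry or None, remainder).

    The first path component names a registry only if it contains a dot or a
    colon or is "localhost"; otherwise the reference is a short name.
    """
    first, slash, rest = ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first, rest
    return None, ref


def pull_candidates(ref, search_list):
    """Return, in order, the fully qualified names a reference can resolve to."""
    registry, remainder = split_registry(ref)
    if registry is not None:
        return [ref]
    return [f"{host}/{remainder}" for host in search_list]


def image_refs(text):
    """Yield (line number, reference) for FROM and podman pull lines."""
    for number, line in enumerate(text.splitlines(), 1):
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0].upper() == "FROM":
            args = [w for w in words[1:] if not w.startswith("--")]
            if args and args[0] != "scratch":
                yield number, args[0]
        elif words[:2] == ["podman", "pull"]:
            args = [w for w in words[2:] if not w.startswith("-")]
            if args:
                yield number, args[0]


def audit(text, search_list):
    """Return (line, reference, candidates) for every short-name reference."""
    findings = []
    for number, ref in image_refs(text):
        if split_registry(ref)[0] is None:
            findings.append((number, ref, pull_candidates(ref, search_list)))
    return findings


if __name__ == "__main__":
    for number, ref, candidates in audit(SAMPLE, SEARCH_WITH_QUAY):
        print(f"line {number}: {ref} may resolve to {', '.join(candidates)}")
```

A reference with more than one candidate depends on search order and on who controls that name at each registry; writing it as quay.io/myorg/myimage removes the ambiguity.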