Chapter 6. Bug fixes

This part describes bugs fixed in Red Hat Enterprise Linux 8.2 that have a significant impact on users.

6.1. Installer and image creation

Using the version or inst.version kernel boot parameters no longer stops the installation program

Previously, booting the installation program from the kernel command line using the version or inst.version boot parameters printed the version, for example anaconda 30.25.6, and stopped the installation program.

With this update, the version and inst.version parameters are ignored when the installation program is booted from the kernel command line, and as a result, the installation program is not stopped.

(BZ#1637472)

Support secure boot for s390x in the installer

Previously, RHEL 8.1 provided support for preparing boot disks for use in IBM Z environments that enforced the use of secure boot. The capabilities of the server and hypervisor used during installation determined if the resulting on-disk format contained secure boot support. There was no way to influence the on-disk format during installation. Consequently, if you installed RHEL 8.1 in an environment that supported secure boot, the system was unable to boot when moved to an environment that lacked secure boot support, as is done in some failover scenarios.

With this update, you can now configure the secure boot option of the zipl tool. To do so, you can use either:

  • The Kickstart zipl command and one of its options, for example: --secure-boot, --no-secure-boot, and --force-secure-boot.
  • The System > Installation Destination > Full disk summary and boot loader link in the Installation Summary window of the GUI, where you can set the boot device.

As a result, the installation can now be booted in environments that lack secure boot support.

(BZ#1659400)

The secure boot feature is now available

Previously, the default value for the secure= boot option was not set to auto, and as a result, the secure boot feature was not available. With this update, unless previously configured, the default value is set to auto, and the secure boot feature is now available.

(BZ#1750326)

The /etc/sysconfig/kernel file no longer references the new-kernel-pkg script

Previously, the /etc/sysconfig/kernel file referenced the new-kernel-pkg script. However, the new-kernel-pkg script is not included in a RHEL 8 system. With this update, the reference to the new-kernel-pkg script has been removed from the /etc/sysconfig/kernel file.

(BZ#1747382)

The installation does not set more than the maximum number of allowed devices in the boot-device NVRAM variable

Previously, the RHEL 8 installation program set more than the maximum number of allowed devices in the boot-device NVRAM variable. As a result, the installation failed on systems that had more than the maximum number of devices. With this update, the RHEL 8 installation program now checks the maximum device setting and only adds the permitted number of devices.

(BZ#1748756)

Installations work for an image location that uses a URL command in a Kickstart file located in a non-network location

Previously, when the remote image location was specified by a URL command in a Kickstart file that was located in a non-network location, the network activation that this triggered caused the installation to fail early in the process. This update fixes the issue, and installations that provide the image location by using a URL command in a Kickstart file that is located in a non-network location, for example, a CD-ROM or local block device, now work as expected.

(BZ#1649359)

The RHEL 8 installation program only checks ECKD DASD for unformatted devices

Previously, when checking for unformatted devices, the installation program checked all DASD devices. However, the installation program should only have checked ECKD DASD devices. As a consequence, the installation failed with a traceback when an FBA DASD device with SWAPGEN was used. With this update, the installation program does not check FBA DASD devices, and the installation completes successfully.

(BZ#1715303)

6.2. Software management

yum repolist no longer ends on first unavailable repository

Previously, the repository configuration option skip_if_unavailable was by default set as follows:

skip_if_unavailable=false

This setting forced the yum repolist command to end on the first unavailable repository with an error and exit status 1. Consequently, yum repolist did not continue listing available repositories.

With this update, yum repolist has been fixed to no longer require any downloads. As a result, yum repolist does not provide any output requiring metadata, and the command now continues listing available repositories as expected.

Note that the number of available packages is only returned by yum repolist --verbose or yum repoinfo, which still require available metadata. Therefore, these commands end on the first unavailable repository.

(BZ#1697472)

6.3. Shells and command-line tools

ReaR updates

RHEL 8.2 introduces a number of updates to the Relax-and-Recover (ReaR) utility.

The build directory handling has been changed. Previously, the build directory was kept in a temporary location in case ReaR encountered a failure. With this update, the build directory is deleted by default in non-interactive runs to prevent consuming disk space.

The semantics of the KEEP_BUILD_DIR configuration variable have been enhanced to include a new errors value. You can set the KEEP_BUILD_DIR variable to the following values:

  • errors to preserve the build directory on errors for debugging (the previous behavior)
  • y (true) to always preserve the build directory
  • n (false) to never preserve the build directory

The default value is an empty string, which means errors when ReaR runs interactively (in a terminal) and false when ReaR runs non-interactively. Note that KEEP_BUILD_DIR is automatically set to true in debug mode (-d) and in debugscript mode (-D); this behavior has not been changed.

Notable bug fixes include:

  • Support for NetBackup 8.0 has been fixed.
  • ReaR no longer aborts with a bash error similar to xrealloc: cannot allocate on systems with a large number of users, groups, and users per group.
  • The bconsole command now shows its prompt, which enables you to perform a restore operation when using the Bacula integration.
  • ReaR now correctly backs up files also in situations when the docker service is running but no docker root directory has been defined, or when it is impossible to determine the status of the docker service.
  • Recovery no longer fails when using thin pools or recovering a system in Migration Mode.
  • Extremely slow rebuild of initramfs during the recovery process with LVM has been fixed.
  • ReaR now creates a working bootable ISO image on the AMD and Intel 64-bit architectures when using the UEFI bootloader. Booting a rescue image in this setup no longer aborts in Grub with the error message Unknown command 'configfile' (…) Entering rescue mode…. Support for GRUB_RESCUE in this setup, which previously could fail due to missing XFS filesystem support, has also been fixed.

(BZ#1729501)

mlocate-updatedb.timer is now enabled during the mlocate package installation

Previously, reindexing of the file database was not performed automatically, because the mlocate-updatedb.timer timer was disabled after the mlocate package installation. With this update, the mlocate-updatedb.timer timer is now a part of the 90-default.preset file and is enabled by default after the mlocate package installation. As a result, the file database is updated automatically.

(BZ#1817591)

6.4. Infrastructure services

dnsmasq now correctly handles non-recursive DNS queries

Previously, dnsmasq forwarded all non-recursive queries to an upstream server, which led to responses that differed from those for recursive queries. With this update, non-recursive queries for locally known names, such as DHCP host lease names or hosts read from the /etc/hosts file, are handled by dnsmasq and are not forwarded to an upstream server. As a result, the same response as for recursive queries to known names is returned.

(BZ#1700916)

dhclient no longer fails to renew the IP address after system time changes

Previously, if the system time changed, the system could lose its assigned IP address because the kernel removed it. With this update, dhclient uses a monotonic timer to detect backward time jumps and issues the DHCPREQUEST message for lease extension in the case of a discontinuous jump in the system time. As a result, the system no longer loses the IP address in the described scenario.

(BZ#1729211)

ipcalc now returns the correct broadcast address for /31 networks

This update fixes the ipcalc utility to follow the RFC 3021 standard properly. As a result, ipcalc returns the correct broadcast address when the /31 prefix is used on an interface.

(BZ#1638834)

/etc/services now contains proper NRPE port definition

This update adds the proper Nagios Remote Plug-in Executor (NRPE) service port definition to the /etc/services file.

(BZ#1730396)

The postfix DNS resolver code now uses res_search instead of res_query

Since a previous postfix update, the DNS resolver code used the res_query function instead of the res_search function. As a consequence, the DNS resolver did not search host names in the current and parent domains with the following postfix configuration:

# postconf -e "smtp_host_lookup = dns"
# postconf -e "smtp_dns_resolver_options = res_defnames, res_dnsrch"

For example, for:

# postconf -e "relayhost = [smtp]"

and a domain name of the form example.com, the DNS resolver did not use the smtp.example.com SMTP server for relaying.

With this update, the DNS resolver code has been changed to use res_search instead of res_query, and it now searches the host names in the current and parent domains correctly.

(BZ#1723950)

PCRE, CDB, and SQLite can now be used with Postfix

In RHEL 8, the postfix package has been split into multiple subpackages, each subpackage providing a plug-in for a specific database. Previously, RPM packages containing the postfix-pcre, postfix-cdb, and postfix-sqlite plug-ins were not distributed. Consequently, databases with these plug-ins could not be used with Postfix. This update adds RPM packages containing the PCRE, CDB, and SQLite plug-ins to the AppStream repository. As a result, these plug-ins can be used after the appropriate RPM package is installed.

(BZ#1745321)

6.5. Security

openssl-pkcs11 no longer locks devices by attempting to log in to multiple devices

Previously, the openssl-pkcs11 engine attempted to log in to the first result of a search using the provided PKCS #11 URI and used the provided PIN even if the first result was not the intended device and the PIN matched another device. These failed authentication attempts locked the device.

openssl-pkcs11 now attempts to log in to a device only if the provided PKCS #11 URI matches only a single device. The engine now intentionally fails in case the PKCS #11 search finds more than one device. For this reason, you must provide a PKCS #11 URI that matches only a single device when using openssl-pkcs11 to log in to the device.

(BZ#1705505)
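The following is an added example, not code from the release notes or from the openssl-pkcs11 project: it resolves an RFC 7512 PKCS #11 URI against a constructed list of tokens and applies the rule the fixed engine enforces, refusing to proceed to a login unless the URI identifies exactly one token. The token list, labels and serial numbers are constructed sample data.

```python
"""Select a PKCS #11 token by URI, refusing ambiguous matches.

Added example (not from the RHEL release notes or openssl-pkcs11).
Demonstrates why a URI such as pkcs11:token=HSM%20slot must fail when
two tokens carry that label: a PIN sent to the wrong device counts as a
failed login and can lock it, so the engine now requires a unique match.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# RFC 7512 path attributes that identify a token rather than an object.
TOKEN_ATTRS = ("token", "manufacturer", "model", "serial")
# Map URI attribute names to the fields of the Token descriptor below.
FIELD_FOR = {"token": "label", "manufacturer": "manufacturer",
             "model": "model", "serial": "serial"}


@dataclass(frozen=True)
class Token:
    """Constructed token descriptor; fields mirror CK_TOKEN_INFO."""
    label: str
    manufacturer: str
    model: str
    serial: str


# Constructed sample: two tokens share a label and differ only by serial.
TOKENS = [
    Token("HSM slot", "Acme", "NetHSM", "0001"),
    Token("HSM slot", "Acme", "NetHSM", "0002"),
    Token("Smart Card", "Acme", "CardOS", "9A7F"),
]


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse the path component of a pkcs11: URI into attributes.

    Path attributes are ';'-separated name=value pairs and values are
    percent-encoded. The query part (after '?', e.g. pin-value) is
    ignored here because device selection happens before any PIN use.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in filter(None, path.split(";")):
        name, sep, value = part.partition("=")
        if not sep or name in attrs:
            raise ValueError(f"malformed or duplicate attribute: {part!r}")
        attrs[name] = unquote(value)
    return attrs


def matching_tokens(uri: str, tokens: list) -> list:
    """Return every token equal to the URI on all token-level attributes
    the URI specifies; attributes absent from the URI match anything."""
    wanted = {k: v for k, v in parse_pkcs11_uri(uri).items()
              if k in TOKEN_ATTRS}
    return [t for t in tokens
            if all(getattr(t, FIELD_FOR[k]) == v for k, v in wanted.items())]


def select_token(uri: str, tokens: list) -> Token:
    """Apply the post-fix rule: log in only when exactly one token
    matches; otherwise refuse before any PIN is presented."""
    found = matching_tokens(uri, tokens)
    if len(found) != 1:
        raise LookupError(
            f"URI matches {len(found)} tokens, expected exactly 1; "
            "add serial= or another attribute to disambiguate")
    return found[0]


if __name__ == "__main__":
    for uri in ("pkcs11:token=HSM%20slot",
                "pkcs11:token=HSM%20slot;serial=0002",
                "pkcs11:model=CardOS?pin-value=1234"):
        try:
            print(uri, "->", select_token(uri, TOKENS))
        except LookupError as exc:
            print(uri, "-> refused:", exc)
```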

OpenSCAP offline scans using rpmverifyfile now work properly

Prior to this update, the OpenSCAP scanner did not correctly change the current working directory in offline mode, and the fchdir function was not called with the correct arguments in the OpenSCAP rpmverifyfile probe. The OpenSCAP scanner has been fixed to correctly change the current working directory in offline mode, and the fchdir function has been fixed to use correct arguments in rpmverifyfile. As a result, SCAP content that contains OVAL rpmverifyfile can be used by OpenSCAP to scan arbitrary file systems.

(BZ#1636431)

httpd now starts correctly if using an ECDSA private key without matching public key stored in a PKCS #11 device

Unlike RSA keys, ECDSA private keys do not necessarily contain public-key information. In this case, you cannot obtain the public key from an ECDSA private key. For this reason, a PKCS #11 device stores public-key information in a separate object, either a public-key object or a certificate object. OpenSSL expected the EVP_PKEY structure provided by an engine for a private key to contain the public-key information. When filling the EVP_PKEY structure to be provided to OpenSSL, the engine in the openssl-pkcs11 package tried to fetch the public-key information only from matching public-key objects and ignored the present certificate objects.

When OpenSSL requested an ECDSA private key from the engine, the provided EVP_PKEY structure did not contain the public-key information if the public key was not present in the PKCS #11 device, even when a matching certificate that contained the public key was available. As a consequence, since the Apache httpd web server called the X509_check_private_key() function, which requires the public key, in its start-up process, httpd failed to start in this scenario. This problem has been solved by loading the EC public key from the certificate if the public-key object is not available. As a result, httpd now starts correctly when ECDSA keys are stored in a PKCS #11 device.

(BZ#1664807)

scap-security-guide PCI-DSS remediations of Audit rules now work properly

Previously, the scap-security-guide package contained a combination of remediation and a check that could result in one of the following scenarios:

  • incorrect remediation of Audit rules
  • scan evaluation containing false positives where passed rules were marked as failed

Consequently, during the RHEL installation process, scanning of the installed system reported some Audit rules as either failed or errored.

With this update, the remediations have been fixed, and scanning of the system installed with the PCI-DSS security policy no longer reports false positives for Audit rules.

(BZ#1754919)

OpenSCAP now provides offline scanning of virtual machines and containers

Previously, refactoring of the OpenSCAP codebase caused certain RPM probes to fail to scan VM and container file systems in offline mode. Consequently, the following tools could not be included in the openscap-utils package: oscap-vm and oscap-chroot. Furthermore, the openscap-containers package was completely removed from RHEL 8. With this update, the problems in the probes have been fixed.

As a result, RHEL 8 now contains the oscap-podman, oscap-vm, and oscap-chroot tools in the openscap-utils package.

(BZ#1618489)

OpenSCAP rpmverifypackage now works correctly

Previously, the chdir and chroot system calls were called twice by the rpmverifypackage probe. Consequently, an error occurred when the probe was utilized during an OpenSCAP scan with custom Open Vulnerability and Assessment Language (OVAL) content. The rpmverifypackage probe has been fixed to properly utilize the chdir and chroot system calls. As a result, rpmverifypackage now works correctly.

(BZ#1646197)

6.6. Networking

Locking in the qdisc_run function no longer causes a kernel crash

Previously, a race condition when the pfifo_fast queue discipline was reset while dequeuing traffic led to packets being transmitted after they were freed. As a consequence, the kernel sometimes terminated unexpectedly. With this update, locking in the qdisc_run function has been improved. As a result, the kernel no longer crashes in the described scenario.

(BZ#1744397)

The DBus APIs in org.fedoraproject.FirewallD1.config.service work as expected

Previously, the DBus API getIncludes, setIncludes, and queryIncludes functions in org.fedoraproject.FirewallD1 returned an error message: org.fedoraproject.FirewallD1.Exception: list index out of range due to bad indexing. With this update, the DBus API getIncludes, setIncludes, and queryIncludes functions work as expected.

(BZ#1737045)

RHEL no longer logs a kernel warning when unloading the ipvs module

Previously, the IP virtual server (ipvs) module used incorrect reference counting, which caused a race condition when unloading the module. Consequently, RHEL logged a kernel warning. This update fixes the race condition. As a result, the kernel no longer logs the warning when you unload the ipvs module.

(BZ#1687094)

The nft utility no longer interprets arguments as command-line options after the first non-option argument

Previously, the nft utility accepted options anywhere in an nft command. For example, admins could use options between or after non-option arguments. As a consequence, due to the leading dash, nft interpreted negative priority values as options, and the command failed. The nft utility's command-line parser has been updated to no longer interpret arguments that start with a dash as options after the first non-option argument has been read. As a result, admins no longer require workarounds to pass negative priority values to nft.

Note that due to this change, you must now pass all command-line options to nft before the first non-option argument. Before you update, verify that your nftables scripts meet this new criterion to ensure that they work as expected after you install this update.

(BZ#1778883)
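As an added example (not code from the release notes or the nftables project), the following checker scans a shell script for nft invocations that place options after the first non-option argument, which the updated parser now treats as command arguments, while leaving negative priority values alone. The set of nft options that consume a following argument, the sample script and its line numbers are assumptions constructed for the example.

```python
"""Find nft options placed after the first non-option argument.

Added example (not from the RHEL release notes or the nftables project).
After the parser change, `nft list ruleset -a` hands `-a` to the nft
command instead of treating it as --handle, so such lines must be
rewritten as `nft -a list ruleset`. Negative numbers such as a
`priority -150` are left alone: that is exactly what the fix enables.
"""
import re
import shlex

# nft options that take the next token as their argument (assumption
# based on nft(8): -f/--file, -I/--includepath, -d/--debug).
OPTIONS_WITH_ARG = {"-f", "--file", "-I", "--includepath", "-d", "--debug"}

NEGATIVE_NUMBER = re.compile(r"^-\d+$")

# Constructed sample script: lines 3 and 4 are fine, lines 5 and 6 break.
SAMPLE_SCRIPT = """\
#!/bin/sh
# constructed sample for the checker
nft -f /etc/nftables.conf
nft add chain inet filter input { type filter hook input priority -150 \\; policy drop \\; }
nft add rule inet filter input tcp dport 22 accept -a
nft list ruleset --handle
"""


def _looks_like_option(token: str) -> bool:
    """A dash-prefixed token that is not a negative number."""
    return token.startswith("-") and not NEGATIVE_NUMBER.match(token)


def misplaced_options(command: str) -> list:
    """Return the option tokens of one nft command line that appear after
    the first non-option argument (empty list if the line is fine or is
    not a direct nft invocation)."""
    tokens = shlex.split(command, comments=True)
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "nft":
        return []
    i = 1
    # Skip the leading option block, which the new parser still honours.
    while i < len(tokens) and _looks_like_option(tokens[i]):
        if tokens[i] in OPTIONS_WITH_ARG:
            i += 1  # consume the option's argument too
        i += 1
    # From here on every token is an nft command argument; any option
    # among them is no longer recognised as an option.
    return [t for t in tokens[i:] if _looks_like_option(t)]


def check_script(text: str) -> list:
    """Return (line_number, option) pairs for every offending line.

    Lines are checked independently; wrappers such as `sudo nft` or
    pipelines are not unwrapped, so check those lines by hand.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for opt in misplaced_options(stripped):
            findings.append((lineno, opt))
    return findings


if __name__ == "__main__":
    for lineno, opt in check_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: option {opt} after first non-option argument")
```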

The /etc/hosts.allow and /etc/hosts.deny files no longer contain outdated references to removed tcp_wrappers

Previously, the /etc/hosts.allow and /etc/hosts.deny files contained outdated information about the tcp_wrappers package. The files have been removed in RHEL 8 because they are no longer needed: the tcp_wrappers package that used them has been removed.

(BZ#1663556)

6.7. Kernel

Subsection memory hotplug is now fully supported

Previously, some platforms aligned physical memory regions, such as Dual In-Line Memory Modules (DIMMs) and interleave sets, to a 64MiB memory boundary. However, because the Linux hotplug subsystem uses a memory size of 128MiB, hot-plugging new devices caused multiple memory regions to overlap in a single hotplug memory window. Consequently, listing the available persistent memory namespaces failed with the following or a similar call trace:

WARNING: CPU: 38 PID: 928 at arch/x86/mm/init_64.c:850 add_pages+0x5c/0x60
[..]
RIP: 0010:add_pages+0x5c/0x60
[..]
Call Trace:
 devm_memremap_pages+0x460/0x6e0
 pmem_attach_disk+0x29e/0x680 [nd_pmem]
 ? nd_dax_probe+0xfc/0x120 [libnvdimm]
 nvdimm_bus_probe+0x66/0x160 [libnvdimm]

This update fixes the problem and enables the Linux hotplug subsystem to let multiple memory regions share a single hotplug memory window.

(BZ#1724969)

Data corruption now triggers a BUG instead of a WARN message

With this enhancement, list corruption detected in lib/list_debug.c now triggers a BUG, which generates a report with a vmcore. Previously, when data corruption was encountered, only a WARN was generated, which was likely to go unnoticed. With CONFIG_BUG_ON_DATA_CORRUPTION set, the kernel now crashes and triggers a BUG in response to data corruption. This prevents further damage and reduces the security risk. kdump now generates a vmcore, which improves data corruption bug reporting.

(BZ#1714330)

Support for Intel Carlsville card is available but not verified in RHEL 8.2

The Intel Carlsville card support is available but not tested on Red Hat Enterprise Linux 8.2.

(BZ#1720227)

6.8. File systems and storage

SCSI drivers no longer use an excessive amount of memory

Previously, certain SCSI drivers used a larger amount of memory than in RHEL 7. In certain cases, such as vPort creation on a Fibre Channel host bus adapter (HBA), the memory usage was excessive, depending upon the system configuration.

The increased memory usage was caused by memory preallocation in the block layer. Both the multiqueue block device scheduling (BLK-MQ) and the multiqueue SCSI stack (SCSI-MQ) preallocated memory for each I/O request, leading to the increased memory usage.

With this update, the block layer limits the amount of memory preallocation, and as a result, the SCSI drivers no longer use an excessive amount of memory.

(BZ#1698297)

VDO can now suspend before UDS has finished rebuilding

Previously, the dmsetup suspend command became unresponsive if you attempted to suspend a VDO volume while the UDS index was rebuilding. The command finished only after the rebuild.

With this update, the problem has been fixed. The dmsetup suspend command can finish before the UDS rebuild is done without becoming unresponsive.

(BZ#1737639)

6.9. Dynamic programming languages, web and database servers

Problems in mod_cgid logging have been fixed

Prior to this update, if the mod_cgid Apache httpd module was used under a threaded multi-processing module (MPM), the following logging problems occurred:

  • The stderr output of the CGI script was not prefixed with standard timestamp information.
  • The stderr output of the CGI script was not correctly redirected to a log file specific to the VirtualHost, if configured.

This update fixes the problems, and mod_cgid logging now works as expected.

(BZ#1633224)

6.10. Compilers and development tools

Unrelocated and uninitialized shared objects no longer result in failures if dlopen fails

Previously, if the dlopen call failed, the glibc dynamic linker did not remove shared objects with the NODELETE mark before reporting the error. Consequently, the unrelocated and uninitialized shared objects remained in the process image, eventually resulting in assertion failures or crashes. With this update, the dynamic loader uses a pending NODELETE state to remove shared objects upon dlopen failure, before marking them as NODELETE permanently. As a result, the process does not leave any unrelocated objects behind. Also, lazy binding failures while ELF constructors and destructors run now terminate the process.

(BZ#1410154)

Advanced SIMD functions on the 64-bit ARM architecture no longer miscompile when lazily resolved

Previously, the new vector Procedure Call Standard (PCS) for Advanced SIMD did not properly save and restore certain callee-saved registers when lazily resolving Advanced SIMD functions. As a consequence, binaries could misbehave at runtime. With this update, the Advanced SIMD and SVE vector functions in the symbol table are marked with .variant_pcs and, as a result, the dynamic linker will bind such functions early.

(BZ#1726641)

The sudo wrapper script now parses options

Previously, the /opt/redhat/devtoolset*/root/usr/bin/sudo wrapper script did not correctly parse sudo options. As a consequence, some sudo options (for example, sudo -i) could not be executed. With this update, more sudo options are correctly parsed and, as a result, the sudo wrapper script works more like /usr/bin/sudo.

(BZ#1774118)

Alignment of TLS variables in glibc has been fixed

Previously, aligned thread-local storage (TLS) data could, under certain conditions, become instantiated without the expected alignment. With this update, the POSIX Thread Library libpthread has been enhanced to ensure correct alignment under any conditions. As a result, aligned TLS data is now correctly instantiated for all threads with the correct alignment.

(BZ#1764214)

Repeated pututxline calls following EINTR or EAGAIN error no longer corrupt the utmp file

When the pututxline function tries to acquire a lock and does not succeed in time, the function returns with the EINTR or EAGAIN error code. Previously in this situation, if pututxline was called again immediately and managed to obtain the lock, it did not use an already-allocated matching slot in the utmp file, but added another entry instead. As a consequence, these unused entries increased the size of the utmp file substantially. This update fixes the issue, and the entries are now added to the utmp file correctly.

(BZ#1749439)

mtrace no longer hangs when internal failures occur

Previously, a defect in the mtrace tool implementation could cause memory tracing to hang. To fix this issue, the mtrace memory tracing implementation has been made more robust to avoid the hang even in the face of internal failures. As a result, users can now call mtrace and it no longer hangs, completing in bounded time.

(BZ#1764235)

The fork function avoids certain deadlocks related to use of pthread_atfork

Previously, if a program registered an atfork handler and invoked fork from an asynchronous-signal handler, a defect in the internal implementation-dependent lock could cause the program to freeze. With this update, the implementation of fork and its atfork handlers is adjusted to avoid the deadlock in single-threaded programs.

(BZ#1746928)

strstr no longer returns incorrect matches for a truncated pattern

On certain IBM Z platforms (z15, previously known as arch13), the strstr function did not correctly update a CPU register when handling search patterns that cross a page boundary. As a consequence, strstr returned incorrect matches. This update fixes the problem, and as a result, strstr works as expected in the mentioned scenario.

(BZ#1777241)

C.UTF-8 locale source ellipsis expressions in glibc are fixed

Previously, a defect in the C.UTF-8 source locale resulted in all Unicode code points above U+10000 lacking collation weights. As a consequence, all code points above U+10000 did not collate as expected. The C.UTF-8 source locale has been corrected, and the newly compiled binary locale now has collation weights for all Unicode code points. The compiled C.UTF-8 locale is 5.3MiB larger as a result of this fix.

(BZ#1361965)

glibc no longer fails when getpwent() is called without calling setpwent()

If your /etc/nsswitch.conf file pointed to the Berkeley DB (db) password provider, you could request data by using the getpwent() function without first calling setpwent(), but only once. After you called the endpwent() function, further calls to getpwent() without first calling setpwent() caused glibc to fail, because endpwent() could not reset the internals to allow a new query. This update fixes the problem. As a result, after you end one query with endpwent(), further calls to getpwent() start a new query even if you do not call setpwent().

(BZ#1747502)

ltrace can now trace system calls in hardened binaries

Previously, ltrace did not produce any results on certain hardened binaries, such as system binaries, on the AMD and Intel 64-bit architectures. With this update, ltrace can now trace system calls in hardened binaries.

(BZ#1655368)

Intel’s JCC flaw no longer causes significant performance loss in the GCC compiler

Certain Intel CPUs are affected by the Jump Conditional Code (JCC) bug causing machine instructions to be executed incorrectly. Consequently, the affected CPUs might not execute programs properly. The full fix involves updating the microcode of vulnerable CPUs, which can cause a performance degradation. This update enables a workaround in the assembler that helps to reduce the performance loss. The workaround is not enabled by default.

To apply the workaround, recompile a program using GCC with the -Wa,-mbranches-within-32B-boundaries command-line option. A program recompiled with this command-line option will not be affected by the JCC flaw, but the microcode update is still necessary to fully protect a system.

Note that applying the workaround will increase the size of the program and can still cause a slight performance decrease, although it should be less than it would have been without the recompilation.

(BZ#1777002)

make no longer slows down when using parallel builds

Previously, while running parallel builds, make sub-processes could become temporarily unresponsive when waiting for their turn to run. As a consequence, builds with high -j values slowed down or ran at lower effective -j values. With this update, the job control logic of make is now non-blocking. As a result, builds with high -j values run at full -j speed.

(BZ#1774790)

The ltrace tool now reports function calls correctly

Because of improvements to binary hardening applied to all RHEL components, the ltrace tool previously could not detect function calls in binary files coming from RHEL components. As a consequence, ltrace output was empty because it did not report any detected calls when used on such binary files. This update fixes the way ltrace handles function calls, which prevents the described problem from occurring.

(BZ#1618748)

6.11. Identity Management

The dsctl utility no longer fails to manage instances with a hyphen in their name

Previously, the dsctl utility did not correctly parse hyphens in the Directory Server instance names. As a consequence, administrators could not use dsctl to manage instances with a hyphen in their name. This update fixes the problem, and dsctl now works as expected in the mentioned scenario.

(BZ#1715406)

Directory Server instance names can now have up to 103 characters

When an LDAP client establishes a connection to Directory Server, the server stores information related to the client address in a local buffer. Previously, the size of this buffer was too small to store an LDAPI path name longer than 46 characters. For example, this is the case if the name of the Directory Server instance is too long. As a consequence, the server terminated unexpectedly due to a buffer overflow. This update increases the buffer size to the maximum size the Netscape Portable Runtime (NSPR) library supports for the path name. As a result, Directory Server no longer crashes in the mentioned scenario.

Note that due to a limitation in the NSPR library, an instance name can have a maximum of 103 characters.

(BZ#1748016)

The pkidestroy utility now picks the correct instance

Previously, the pkidestroy --force command executed on a half-removed instance picked the pki-tomcat instance by default, regardless of the instance name specified with the -i instance option.

As a consequence, this removed the pki-tomcat instance instead of the intended instance, and the --remove-logs option did not remove the intended instance’s logs. pkidestroy now applies the right instance name, removing only the intended instance’s leftovers.

(BZ#1698084)

The ldap_user_authorized_service description has been updated in the sssd-ldap man page

The Pluggable Authentication Modules (PAM) stack has been changed in RHEL 8. For example, the systemd user session now starts a PAM conversation using the systemd-user PAM service. This service now recursively includes the system-auth PAM service, which may include the pam_sss.so interface. This means that the SSSD access control is always called.

You should be aware of this change when designing access control rules for RHEL 8 systems. For example, you can add the systemd-user service to the allowed services list.

Note that for some access control mechanisms, such as IPA HBAC or AD GPOs, the systemd-user service has been added to the allowed services list by default and you do not need to take any action.

The sssd-ldap man page has been updated to include this information.

(BZ#1669407)

Information about required DNS records is now displayed when enabling support for AD trust in IdM

Previously, when enabling support for Active Directory (AD) trust in a Red Hat Enterprise Linux Identity Management (IdM) installation with external DNS management, no information about required DNS records was displayed. Entering the ipa dns-update-system-records --dry-run command manually was necessary to obtain a list of all DNS records required by IdM.

With this update, the ipa-adtrust-install command correctly lists the DNS service records for manual addition to the DNS zone.

(BZ#1665051)

6.12. Desktop

GNOME Shell on Wayland no longer performs slowly when using a software renderer

Previously, the Wayland back end of GNOME Shell did not use a cacheable framebuffer when using a software renderer. As a consequence, software-rendered GNOME Shell on Wayland was slow compared to software-rendered GNOME Shell on the X.org back end.

With this update, an intermediate shadow framebuffer has been added in GNOME Shell on Wayland. As a result, software-rendered GNOME Shell on Wayland now performs as well as GNOME Shell on X.org.

(BZ#1737553)

6.13. Virtualization

Starting a VM on a 10th generation Intel Core processor no longer fails

Previously, starting a virtual machine (VM) failed on a host model that used a 10th generation Intel Core processor, also known as Icelake-Server. With this update, libvirt no longer attempts to disable the pconfig CPU feature which is not supported by QEMU. As a result, starting a VM on a host model running a 10th generation Intel processor no longer fails.

(BZ#1749672)

Using cloud-init to provision virtual machines on Microsoft Azure now works correctly

Previously, it was not possible to use the cloud-init utility to provision a RHEL 8 virtual machine (VM) on the Microsoft Azure platform. This update fixes the cloud-init handling of the Azure endpoints, and provisioning RHEL 8 VMs on Azure now proceeds as expected.

(BZ#1641190)

RHEL 8 virtual machines on RHEL 7 hosts can be reliably viewed in higher resolution than 1920x1200

Previously, when using a RHEL 8 virtual machine (VM) running on a RHEL 7 host system, certain methods of displaying the graphical output of the VM, such as running the application in kiosk mode, could not use a greater resolution than 1920x1200. As a consequence, displaying VMs using those methods only worked in resolutions up to 1920x1200 even if the host hardware supported higher resolutions. This update adjusts the DRM and QXL drivers in a way that prevents the described problem from occurring.

(BZ#1635295)

Customizing an ESXi VM using cloud-init and rebooting the VM now works correctly

Previously, if the cloud-init service was used to modify a virtual machine (VM) running on the VMware ESXi hypervisor to use static IP and the VM was then cloned, the new cloned VM in some cases took a very long time to reboot. This update modifies cloud-init not to rewrite the VM’s static IP to DHCP, which prevents the described problem from occurring.

(BZ#1666961, BZ#1706482)

6.14. Containers

Pulling images from the quay.io registry no longer leads to unintended images

Previously, having the quay.io container image registry listed in the default registries search list provided in /etc/containers/registries.conf could allow a user to pull a spoofed image when using a short name. To fix this issue, the quay.io container image registry has been removed from the default registries search list in /etc/containers/registries.conf. As a result, pulling images from the quay.io registry now requires users to specify the full repository name, such as quay.io/myorg/myimage. The quay.io registry can be added back to the default registries search list in /etc/containers/registries.conf to re-enable pulling container images using short names; however, this is not recommended because it could create a security risk.

(BZ#1784267)
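The following is an added example, not code from the release notes or the containers project: it reads the [registries.search] list from a v1-style registries.conf and expands a short image name into the ordered list of registries a pull would try, showing why an extra public registry in that list widens the set of places a look-alike name can be served from. Both configuration fragments are constructed samples, and the minimal parser handles only the registries key of the v1 format.

```python
"""Short-name expansion against registries.conf search lists.

Added example (not from the RHEL release notes or the containers
project). A short name such as `myimage` is tried against every
registry in [registries.search] in order; the pull succeeds at the
first registry that serves that name. Every additional registry in
the list is therefore another place where a third party could publish
a same-named image. Removing quay.io from the default shortens that
list; a fully qualified name bypasses it entirely.
"""
import re

# Constructed fragments in the v1 registries.conf format.
CONF_BEFORE_FIX = """\
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io', 'quay.io']

[registries.insecure]
registries = []
"""

CONF_AFTER_FIX = """\
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']  # quay.io removed

[registries.insecure]
registries = []
"""


def parse_search_registries(conf: str) -> list:
    """Return the registries array of the [registries.search] table.

    Minimal v1-format parser for this one key: it understands [table]
    headers, '#' comments and a single-line quoted string array.
    """
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "registries.search":
            m = re.match(r"registries\s*=\s*\[(.*)\]\s*$", line)
            if m:
                return [v.strip().strip("'\"")
                        for v in m.group(1).split(",") if v.strip()]
    return []


def is_short_name(image: str) -> bool:
    """A name is short when its first path component is not a registry
    host, that is, it has no '.' or ':' and is not 'localhost'."""
    first = image.split("/", 1)[0]
    return "." not in first and ":" not in first and first != "localhost"


def pull_candidates(image: str, search: list) -> list:
    """Registry-qualified names a pull of `image` would try, in order.
    A fully qualified name yields exactly itself."""
    if not is_short_name(image):
        return [image]
    return [f"{registry}/{image}" for registry in search]


if __name__ == "__main__":
    for label, conf in (("before fix", CONF_BEFORE_FIX),
                        ("after fix", CONF_AFTER_FIX)):
        search = parse_search_registries(conf)
        print(label, "short name 'myimage' resolves via:",
              pull_candidates("myimage", search))
    print("qualified:", pull_candidates("quay.io/myorg/myimage", []))
```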