Chapter 6. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 8.3 that have a significant impact on users.
6.1. Installer and image creation
RHEL 8 initial setup now works properly via SSH
Previously, the RHEL 8 initial setup interface did not display when logged in to the system using SSH. As a consequence, it was impossible to perform the initial setup on a RHEL 8 machine managed via SSH. This problem has been fixed, and RHEL 8 initial setup now works correctly when performed via SSH.
Installation failed when using the reboot --kexec command
Previously, the RHEL 8 installation failed when a Kickstart file that contained the reboot --kexec command was used. With this update, the installation with reboot --kexec now works as expected.
America/New York time zone can now be set correctly
Previously, the interactive Anaconda installation process did not allow users to set the America/New York time zone when using a kickstart file. With this update, users can now set America/New York as the preferred time zone in the interactive installer if a time zone is not specified in the kickstart file.
SELinux contexts are now set correctly
Previously, when SELinux was in enforcing mode, incorrect SELinux contexts on some folders and files resulted in unexpected AVC denials when attempting to access these files after installation.
With this update, Anaconda sets the correct SELinux contexts. As a result, you can now access the folders and files without manually relabeling the filesystem.
Automatic partitioning now creates a valid /boot partition
Previously, when installing RHEL on a system using automatic partitioning or using a kickstart file with preconfigured partitions, the installer created a partitioning scheme that could contain an invalid /boot partition. Consequently, the automatic installation process ended prematurely because the verification of the partitioning scheme failed. With this update, Anaconda creates a partitioning scheme that contains a valid /boot partition. As a result, the automatic installation completes as expected.
A GUI installation using the Binary DVD ISO image now completes successfully without CDN registration
Previously, when performing a GUI installation using the Binary DVD ISO image file, a race condition in the installer prevented the installation from proceeding until you registered the system using the Connect to Red Hat feature.
With this update, you can now proceed with the installation without registering the system using the Connect to Red Hat feature.
iSCSI or FCoE devices created in Kickstart and used in the ignoredisk --only-use command no longer stop the installation process
Previously, when the iSCSI or FCoE devices created in Kickstart were used in the ignoredisk --only-use command, the installation program failed with an error similar to Disk "disk/by-id/scsi-360a9800042566643352b476d674a774a" given in ignoredisk command does not exist. This stopped the installation process. With this update, the problem has been fixed, and the installation program continues working.
System registration using CDN failed with the error message Name or service not known
When you attempted to register a system using the Content Delivery Network (CDN), the registration process failed with the error message Name or service not known.
This issue occurred because the empty Custom server URL and Custom Base URL values overwrote the default values for system registration.
With this update, the empty values now do not overwrite the default values, and the system registration completes successfully.
6.2. Software management
dnf-automatic now updates only packages with correct GPG signatures
Previously, dnf-automatic did not check the GPG signatures of downloaded packages before performing an update. As a consequence, unsigned updates, or updates signed by a key that was not imported, could be installed by dnf-automatic even though the repository configuration required a GPG signature check (gpgcheck=1). With this update, the problem has been fixed, and dnf-automatic checks the GPG signatures of downloaded packages before performing the update. As a result, only updates with correct GPG signatures are installed from repositories that require a GPG signature check.
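The fix above only helps for repositories that actually ask for a signature check. As an added example (not dnf's or dnf-automatic's own code), the following Python script audits repository configuration for that precondition: it resolves gpgcheck the way dnf.conf(5) documents it, a [main] value in dnf.conf as the default and per-repository overrides, and reports enabled repositories whose effective value is off. Both configuration texts are constructed for the example.

```python
"""Audit dnf repository configuration for repositories that would accept
packages without a GPG signature check.

Added example, not dnf code. gpgcheck is resolved as dnf.conf(5) describes:
a [main] setting in dnf.conf supplies the default (False when absent) and
each repository section may override it. Both texts below are constructed.
"""
import configparser

DNF_CONF = """\
[main]
gpgcheck=1
installonly_limit=3
"""

# Constructed repository file: one compliant repo, one that overrides the
# default, one that relies on the [main] default, and one disabled repo.
REPO_FILE = """\
[baseos]
name=BaseOS
baseurl=https://mirror.example/baseos
enabled=1
gpgcheck=1

[thirdparty]
name=Third party
baseurl=https://mirror.example/third
enabled=1
gpgcheck=0

[inherits]
name=Inherits the main default
baseurl=https://mirror.example/inherits
enabled=1

[stale]
name=Disabled repo
baseurl=https://mirror.example/stale
enabled=0
gpgcheck=0
"""


def _truthy(value):
    """dnf accepts 1/0, true/false, yes/no, on/off for boolean options."""
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def repos_without_gpgcheck(dnf_conf_text, repo_text):
    """Return the sorted ids of enabled repositories whose effective gpgcheck is off."""
    main = configparser.ConfigParser(interpolation=None)
    main.read_string(dnf_conf_text)
    default = _truthy(main.get("main", "gpgcheck", fallback="0"))

    repos = configparser.ConfigParser(interpolation=None)
    repos.read_string(repo_text)
    weak = []
    for repo_id in repos.sections():
        section = repos[repo_id]
        if not _truthy(section.get("enabled", "1")):
            continue  # disabled repositories cannot feed dnf-automatic
        if not _truthy(section.get("gpgcheck", "1" if default else "0")):
            weak.append(repo_id)
    return sorted(weak)


if __name__ == "__main__":
    print("enabled repositories with gpgcheck off:",
          repos_without_gpgcheck(DNF_CONF, REPO_FILE))
```

Run against real files by reading /etc/dnf/dnf.conf and each file under /etc/yum.repos.d/ into the two text arguments; any repository reported here will install unsigned packages whether or not dnf-automatic verifies signatures.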
Trailing comma no longer causes entries removal in an append type option
Previously, adding a trailing comma (an empty entry at the end of the list) to an append type option (for example, includepkgs) caused all entries in the option to be removed. Also, adding two commas (an empty entry) caused only the entries after the commas to be used. With this update, empty entries other than leading commas (an empty entry at the beginning of the list) are ignored. As a result, only the leading comma now removes existing entries from the append type option, and the user can use it to overwrite these entries.
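The list semantics described above, as an added example in Python (not dnf's own parser): the fixed behaviour, in which only a leading comma discards the existing entries and every other empty entry is ignored, beside a model of the pre-fix behaviour the note describes. The example assumes comma-separated values, as in the note, and takes the existing entries as a plain list.

```python
"""Parsing of dnf "append"-type list options such as includepkgs.

Added example, not dnf code. parse_append_option() implements the fixed
semantics from the release note; parse_append_option_prefix() models the
behaviour the note describes as the bug, for comparison. Values are assumed
to be comma separated.
"""


def parse_append_option(raw, existing=()):
    """Apply an append-type option value on top of `existing` (fixed semantics).

    A leading comma (empty first entry) discards the existing entries; any
    other empty entry, whether from a trailing comma or a doubled comma, is
    ignored. Whitespace around entries is stripped.
    """
    parts = [p.strip() for p in raw.split(",")]
    result = [] if parts and parts[0] == "" else list(existing)
    for part in parts:
        if part:  # empty entries other than the leading one are ignored
            result.append(part)
    return result


def parse_append_option_prefix(raw, existing=()):
    """Pre-fix behaviour as the note describes it: every empty entry restarted
    the list, so a trailing comma removed all entries and a doubled comma
    kept only what followed it."""
    parts = [p.strip() for p in raw.split(",")]
    result = list(existing)
    for part in parts:
        if part == "":
            result = []
        else:
            result.append(part)
    return result


if __name__ == "__main__":
    current = ["kernel", "glibc"]
    for value in ("openssl,", "openssl,,curl", ",openssl"):
        print(repr(value), "->", parse_append_option(value, current),
              "(before the fix:", parse_append_option_prefix(value, current), ")")
```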
6.3. Shells and command-line tools
ReaR disk layout no longer includes entries for Rancher 2 Longhorn iSCSI devices and file systems
This update removes entries for Rancher 2 Longhorn iSCSI devices and file systems from the disk layout created by the ReaR utility.
Rescue image creation with a file larger than 4 GB is now enabled on IBM POWER, little endian
Previously, the ReaR utility could not create rescue images containing files larger than 4 GB on the IBM POWER, little endian architecture. With this update, the problem has been fixed, and it is now possible to create a rescue image with a file larger than 4 GB on IBM POWER, little endian.
SELinux no longer prevents systemd-journal-gatewayd from accessing /dev/shm/ files used by corosync
Previously, the SELinux policy did not contain a rule that allows the systemd-journal-gatewayd daemon to access files created by the corosync service. As a consequence, SELinux prevented systemd-journal-gatewayd from calling the newfstatat() function on shared memory files created by corosync. With this update, SELinux no longer prevents systemd-journal-gatewayd from calling newfstatat() on shared memory files created by corosync.
Libreswan now works with seccomp=enabled on all configurations
Prior to this update, the set of allowed syscalls in the Libreswan SECCOMP support implementation did not match new usage of RHEL libraries. Consequently, when SECCOMP was enabled in the ipsec.conf file, the syscall filtering rejected even syscalls required for the proper functioning of the pluto daemon; the daemon was killed, and the ipsec service was restarted. With this update, all newly required syscalls have been allowed, and Libreswan now works with the seccomp=enabled option correctly.
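When a seccomp allow-list is too strict, as in the Libreswan case above, the kernel records each rejected call as an audit record of type SECCOMP that names the process, the signal and the syscall number. The following Python script, an added example that is not Libreswan or audit code, summarises such records by process and syscall so that an operator can see which calls the filter is killing before loosening it. The audit log lines are constructed for the example (on x86_64, syscall 257 is openat and 332 is statx).

```python
"""Summarise SECCOMP kill records from an audit log.

Added example, not Libreswan or audit code. Records are parsed as the
key=value pairs the audit subsystem emits; only records with type=SECCOMP
are counted, grouped by process name, architecture and syscall number.
The log lines below are constructed.
"""
import re
from collections import Counter

SAMPLE_AUDIT_LOG = """\
type=SECCOMP msg=audit(1600000000.101:201): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 pid=1234 comm="pluto" exe="/usr/libexec/ipsec/pluto" sig=31 arch=c000003e syscall=257 compat=0 ip=0x7f1a2b3c4d5e code=0x0
type=SERVICE_STOP msg=audit(1600000000.150:202): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SECCOMP msg=audit(1600000005.222:210): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 pid=1301 comm="pluto" exe="/usr/libexec/ipsec/pluto" sig=31 arch=c000003e syscall=257 compat=0 ip=0x7f1a2b3c4d5e code=0x0
type=SECCOMP msg=audit(1600000009.333:215): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 pid=1377 comm="pluto" exe="/usr/libexec/ipsec/pluto" sig=31 arch=c000003e syscall=332 compat=0 ip=0x7f1a2b3c4d5e code=0x0
"""

# key=value, where the value is either a double-quoted string or a bare token
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Return the key=value fields of one audit record as a dict (quotes stripped)."""
    return {key: value.strip('"') for key, value in _FIELD.findall(line)}


def seccomp_kills(log_text):
    """Count SECCOMP records per (comm, arch, syscall number); other record types are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        record = parse_audit_record(line)
        if record.get("type") != "SECCOMP":
            continue
        counts[(record["comm"], record["arch"], int(record["syscall"]))] += 1
    return counts


def report(counts):
    """Render the counts as text lines, most frequent first."""
    return ["%s arch=%s syscall=%d killed %d time(s)" % (comm, arch, nr, n)
            for (comm, arch, nr), n in counts.most_common()]


if __name__ == "__main__":
    for line in report(seccomp_kills(SAMPLE_AUDIT_LOG)):
        print(line)
```

On a live system, feed it the output of ausearch -m SECCOMP --raw; the (arch, syscall) pairs it reports are what a corrected allow-list has to cover.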
SELinux no longer prevents auditd from halting or powering off the system
Previously, the SELinux policy did not contain a rule that allows the Audit daemon to start a systemd unit. Consequently, auditd could not halt or power off the system even when configured to do so in cases such as no space left on a logging disk partition. This update of the selinux-policy packages adds the missing rule, and auditd can now properly halt and power off the system with SELinux in enforcing mode.
IPTABLES_SAVE_ON_STOP now works correctly
Previously, the IPTABLES_SAVE_ON_STOP feature of the iptables service did not work because the files with saved IP tables content received an incorrect SELinux context. This prevented the iptables script from changing permissions, and the script subsequently failed to save the changes. This update defines a proper context for the ip6tables.save files, and creates a filename transition rule. As a consequence, the IPTABLES_SAVE_ON_STOP feature of the iptables service works correctly.
NSCD databases can now use different modes
Domains in the nsswitch_domain attribute are allowed access to Name Service Cache Daemon (NSCD) services. Each NSCD database is configured in the nscd.conf file, and the shared property determines whether the database uses Shared memory or Socket mode. Previously, all NSCD databases had to use the same access mode, depending on the nscd_use_shm boolean value. Now, using a Unix stream socket is always allowed, and therefore different NSCD databases can use different modes.
oscap-ssh utility now works correctly when scanning a remote system with --sudo
When performing a Security Content Automation Protocol (SCAP) scan of a remote system using the oscap-ssh tool with the --sudo option, the oscap tool on the remote system saves scan result files and report files into a temporary directory as the root user. Previously, if the umask settings on the remote machine were changed, oscap-ssh might have been prevented from accessing these files. This update fixes the issue, and as a result, oscap saves the files as the target user, and oscap-ssh accesses the files normally.
OpenSCAP now handles remote file systems correctly
Previously, OpenSCAP did not reliably detect remote file systems if their mount specification did not start with two slashes. As a consequence, OpenSCAP handled some network-based file systems as local. With this update, OpenSCAP identifies file systems using the file-system type instead of the mount specification. As a result, OpenSCAP now handles remote file systems correctly.
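The two detection strategies contrasted above, as an added Python example that is not OpenSCAP code: classifying mount table entries by the mount specification (the pre-fix heuristic, which only recognises the "//" form used by CIFS shares) beside classifying them by the file-system type column. The mount table is constructed in /proc/mounts format, and REMOTE_FS_TYPES is the example's own list of network file-system types.

```python
"""Classify mount table entries as local or remote.

Added example, not OpenSCAP code. remote_by_spec() models the pre-fix
heuristic (remote only if the spec starts with "//"), which misses an NFS
export written as host:/path; remote_by_fstype() keys on the file-system
type instead. SAMPLE_MOUNTS is constructed /proc/mounts content.
"""

# Columns: spec, mount point, fs type, options, dump, pass
SAMPLE_MOUNTS = """\
/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64,noquota 0 0
//fileserver.example.com/share /mnt/cifs cifs rw,relatime,vers=3.0 0 0
nfs.example.com:/export /mnt/nfs nfs4 rw,relatime,vers=4.2 0 0
user@host:/data /mnt/sshfs fuse.sshfs rw,nosuid,nodev,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""

# Network file-system types treated as remote by this example.
REMOTE_FS_TYPES = {"nfs", "nfs4", "cifs", "smb3", "smbfs", "afs",
                   "ceph", "glusterfs", "fuse.sshfs"}


def parse_mounts(text):
    """Yield (spec, mountpoint, fstype, options) for each mount table line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            yield fields[0], fields[1], fields[2], fields[3]


def remote_by_spec(text):
    """Pre-fix heuristic: a mount is remote only when its spec begins with '//'."""
    return sorted(mp for spec, mp, _fstype, _opts in parse_mounts(text)
                  if spec.startswith("//"))


def remote_by_fstype(text):
    """Fixed approach: a mount is remote when its file-system type is a network type."""
    return sorted(mp for _spec, mp, fstype, _opts in parse_mounts(text)
                  if fstype in REMOTE_FS_TYPES)


if __name__ == "__main__":
    print("by spec:  ", remote_by_spec(SAMPLE_MOUNTS))
    print("by fstype:", remote_by_fstype(SAMPLE_MOUNTS))
```

The NFS and sshfs entries are the ones a spec-based check silently treats as local, which for a scanner means file-permission and ownership checks being applied to data it does not actually control.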
OpenSCAP no longer removes blank lines from YAML multi-line strings
Previously, OpenSCAP removed blank lines from YAML multi-line strings within generated Ansible remediations from a datastream. This affected Ansible remediations and caused the openscap utility to fail the corresponding Open Vulnerability and Assessment Language (OVAL) checks, producing false positive results. The issue is now fixed and, as a result, openscap no longer removes blank lines from YAML multi-line strings.
config.enabled now controls statements correctly
Previously, rsyslog incorrectly evaluated the config.enabled directive during the configuration processing of a statement. As a consequence, parameter not known errors were displayed for each statement except for the include() one. With this update, the configuration is processed for all statements equally. As a result, config.enabled now correctly disables or enables statements without displaying any error.
fapolicyd no longer prevents RHEL updates
When an update replaces the binary of a running application, the kernel modifies the application binary path in memory by appending the " (deleted)" suffix. Previously, the fapolicyd file access policy daemon treated such applications as untrusted, and prevented them from opening and executing any other files. As a consequence, the system was sometimes unable to boot after applying updates. With the release of the RHBA-2020:5242 advisory, fapolicyd ignores the suffix in the binary path so the binary can match the trust database. As a result, fapolicyd enforces the rules correctly and the update process can finish.
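The path normalisation the fix describes, as an added Python example that is not fapolicyd code: the " (deleted)" marker is stripped from the /proc/<pid>/exe link target before the trust database is consulted, so a process whose binary was replaced on disk is judged by the (updated and trusted) file at its real path. The trust database here is a constructed path-to-(size, sha256) dict in the spirit of fapolicyd's file trust list, and the on-disk files are constructed bytes.

```python
"""Match a process image against a trust database while tolerating the
" (deleted)" marker the kernel appends to the /proc/<pid>/exe link target
once an update has replaced the file on disk.

Added example, not fapolicyd code. TRUST_DB is a constructed dict of
path -> (size, sha256 hex); DISK_AFTER_UPDATE is a constructed dict of
path -> file bytes standing in for the files currently on disk.
"""
import hashlib

DELETED_SUFFIX = " (deleted)"


def canonical_exe_path(link_target):
    """Strip the kernel's ' (deleted)' marker from a /proc/<pid>/exe link target."""
    if link_target.endswith(DELETED_SUFFIX):
        return link_target[: -len(DELETED_SUFFIX)]
    return link_target


def build_trust_db(disk):
    """disk: {path: bytes}. Returns {path: (size, sha256 hex)} for every file."""
    return {path: (len(data), hashlib.sha256(data).hexdigest())
            for path, data in disk.items()}


def is_trusted(link_target, disk, trust_db, strip_deleted=True):
    """Return True when the file behind the process image is in the trust db.

    link_target   : what readlink('/proc/<pid>/exe') returned
    disk          : current on-disk files, {path: bytes}
    strip_deleted : False reproduces the pre-fix behaviour, where the suffixed
                    path never matched a trust-db entry.
    """
    path = canonical_exe_path(link_target) if strip_deleted else link_target
    entry = trust_db.get(path)
    data = disk.get(path)
    if entry is None or data is None:
        return False
    size, digest = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


# Constructed scenario: sshd was updated while an older instance keeps running,
# so its /proc/<pid>/exe reads "/usr/bin/sshd (deleted)".
DISK_AFTER_UPDATE = {"/usr/bin/sshd": b"ELF-constructed-sshd-image-v2"}
TRUST_DB = build_trust_db(DISK_AFTER_UPDATE)

if __name__ == "__main__":
    link = "/usr/bin/sshd (deleted)"
    print("fixed   :", is_trusted(link, DISK_AFTER_UPDATE, TRUST_DB))
    print("pre-fix :", is_trusted(link, DISK_AFTER_UPDATE, TRUST_DB, strip_deleted=False))
```

Note that the size and hash comparison still stands: a replaced file that is not in the trust database remains untrusted, only the stale suffix no longer masks a legitimate entry.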
Automatic loading of iptables extension modules by the nft_compat module no longer hangs
Previously, when the nft_compat module loaded an extension module while an operation on network name spaces (netns) happened in parallel, a lock collision could occur if that extension registered a pernet subsystem during initialization. As a consequence, the kernel-called modprobe command hung. This could also be caused by other services, such as libvirtd, that also execute iptables commands. This problem has been fixed. As a result, loading iptables extension modules by the nft_compat module no longer hangs.
firewalld service now removes ipsets when the service stops
Previously, stopping the firewalld service did not remove ipsets. This update fixes the problem. As a result, ipsets are no longer left in the system after the firewalld service stops.
firewalld no longer retains ipset entries after shutdown
Previously, shutting down firewalld did not remove ipset entries. Consequently, ipset entries remained active in the kernel even after stopping the firewalld service. With this fix, shutting down firewalld removes ipset entries as expected.
firewalld now restores ipset entries after reloading
Previously, firewalld did not retain runtime ipset entries after reloading. Consequently, users had to manually add the missing entries again. With this update, firewalld has been modified to restore ipset entries after reloading.
nftables and firewalld services are now mutually exclusive
Previously, it was possible to enable the nftables and firewalld services at the same time. As a consequence, nftables was overriding firewalld rulesets. With this update, the nftables and firewalld services are mutually exclusive so that they cannot be enabled at the same time.
huge_page_setup_helper.py script now works correctly
A patch that updated the huge_page_setup_helper.py script for Python 3 was accidentally removed. Consequently, after executing huge_page_setup_helper.py, the following error message appeared:
SyntaxError: Missing parentheses in call to 'print'
With this update, the problem has been fixed by updating the libhugetlbfs.spec file. As a result, huge_page_setup_helper.py does not show any error in the described scenario.
bcc scripts now successfully compile a BPF module
During the script code compilation to create a Berkeley Packet Filter (BPF) module, the bcc toolkit used kernel headers for data type definition. Some kernel headers needed the KBUILD_MODNAME macro to be defined. Consequently, those bcc scripts that did not add KBUILD_MODNAME were likely to fail to compile a BPF module across various CPU architectures. The following bcc scripts were affected:
With this update, the problem has been fixed by adding KBUILD_MODNAME to the default cflags parameter for bcc. As a result, this problem no longer appears in the described scenario. Also, customer scripts do not need to define KBUILD_MODNAME themselves.
bpftrace now works properly on IBM Z
Previously, a feature backport introduced the ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE kernel option. However, the bcc-tools package and the bpftrace tracing language package for IBM Z architectures did not have proper support for this option. Consequently, the bpf() system call failed with the Invalid argument exception and bpftrace failed with an error stating Error loading program when trying to load the BPF program. With this update, the ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE option is removed. As a result, the problem no longer appears in the described scenario.
Boot process no longer fails due to lack of entropy
Previously, the boot process failed due to lack of entropy. A better mechanism is now used to allow the kernel to gather entropy early in the boot process, which does not depend on any hardware specific interrupts. This update fixes the problem by ensuring availability of sufficient entropy to secure random generation in early boot. As a result, the fix prevents kickstart timeout or slow boots and the boot process works as expected.
Repeated reboots using kexec now work as expected
Previously, during the kernel reboot on the Amazon EC2 Nitro platform, the remove module (rmmod) was not called during the shutdown() call of the kernel execution path. Consequently, repeated kernel reboots using the kexec system call led to a failure. With this update, the issue has been fixed by adding the PCI shutdown() handler that allows safe kernel execution. As a result, repeated reboots using kexec on Amazon EC2 Nitro platforms no longer fail.
Attempting to add an ICE driver NIC port to a mode 5 bonding master interface no longer fails
Previously, attempting to add the ICE driver NIC port to a mode 5 (balance-tlb) bonding master interface led to a failure with the error Master 'bond0', Slave 'ens1f0': Error: Enslave failed. Consequently, you experienced an intermittent failure to add the NIC port to the bonding master interface. This update fixes the issue, and adding the interface no longer fails.
6.7. High availability and clusters
When a GFS2 file system is used with the Filesystem agent, the fast_stop option now defaults to no
Previously, when a GFS2 file system was used with the Filesystem agent, the fast_stop option defaulted to yes. This value could result in unnecessary fence events due to the length of time it can take a GFS2 file system to unmount. With this update, this option defaults to no. For all other file systems it continues to default to yes.
fence_evacuate agents now interpret the insecure option in a more standard way
Previously, the fence_evacuate agents worked as if --insecure was specified by default. With this update, customers who do not use valid certificates for their compute or evacuate services must set insecure=true and use the --insecure option when running manually from the CLI. This is consistent with the behavior of all other agents.
6.8. Dynamic programming languages, web and database servers
Optimized CPU consumption by libdb
A previous update to the libdb database caused excessive CPU consumption in the trickle thread. With this update, the CPU usage has been optimized.
did_you_mean Ruby gem no longer contains a file with a non-commercial license
Previously, the did_you_mean gem available in the ruby:2.5 module stream contained a file with a non-commercial license. This update removes the affected file.
nginx can now load server certificates from hardware security tokens through the PKCS#11 URI
With this update, the ssl_certificate directive of the nginx web server supports loading TLS server certificates from hardware security tokens directly from PKCS#11 modules. Previously, it was impossible to load server certificates from hardware security tokens through the PKCS#11 URI.
6.9. Compilers and development tools
glibc dynamic loader no longer fails while loading a shared library that uses DT_FILTER and has a constructor
Prior to this update, a defect in the dynamic loader implementation of shared objects as filters caused the dynamic loader to fail while loading a shared library that uses a filter and has a constructor. With this release, the dynamic loader implementation of filters (DT_FILTER) has been fixed to correctly handle such shared libraries. As a result, the dynamic loader now works as expected in the mentioned scenario.
glibc can now remove pseudo-mounts from the getmntent() list
The kernel includes automount pseudo-entries in the tables exposed to userspace. Consequently, programs that use the getmntent() API see both regular mounts and these pseudo-mounts in the list. The pseudo-mounts do not correspond to real mounts, nor do they include valid information. With this update, if the mount entry has the ignore mount option present in the automount(8) configuration, the glibc library removes these pseudo-mounts from the getmntent() list. Programs that expect the previous behavior have to use a different API.
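The filtering rule described above, as an added Python example that is not glibc code: entries whose mount options carry the ignore option are dropped from the list a getmntent()-style reader returns, while everything else, including the real NFS mount that an autofs map produced, is kept. The mount table is constructed in /etc/mtab (fstab(5)) format.

```python
"""Filter automount pseudo-entries out of a mount table the way the note
describes for getmntent(): entries whose options contain `ignore` are
dropped.

Added example, not glibc code. iter_mntents() reads text in fstab(5)/mtab
format; SAMPLE_MTAB is constructed and mixes real mounts with two autofs
pseudo-entries, one of which carries the ignore option.
"""
from collections import namedtuple

Mntent = namedtuple("Mntent", "fsname dir type opts freq passno")

SAMPLE_MTAB = """\
/dev/sda1 / xfs rw,relatime 0 0
/etc/auto.home /home autofs rw,relatime,fd=5,pgrp=900,timeout=300,minproto=5,maxproto=5,indirect,ignore 0 0
fileserver:/export/alice /home/alice nfs4 rw,relatime,vers=4.2 0 0
/etc/auto.net /net autofs rw,relatime,fd=7,pgrp=900,timeout=300,minproto=5,maxproto=5,indirect 0 0
"""


def iter_mntents(text, skip_ignored=True):
    """Yield Mntent records from mtab-format text.

    With skip_ignored=True (the fixed behaviour) entries whose option list
    contains the standalone word 'ignore' are left out; with False every
    entry is returned, as before the fix.
    """
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: fstab requires at least four fields
        freq = int(fields[4]) if len(fields) > 4 else 0
        passno = int(fields[5]) if len(fields) > 5 else 0
        entry = Mntent(fields[0], fields[1], fields[2], fields[3], freq, passno)
        if skip_ignored and "ignore" in entry.opts.split(","):
            continue
        yield entry


def mount_points(text, skip_ignored=True):
    """Mount points in table order, optionally without ignored pseudo-entries."""
    return [entry.dir for entry in iter_mntents(text, skip_ignored)]


if __name__ == "__main__":
    print("fixed  :", mount_points(SAMPLE_MTAB))
    print("pre-fix:", mount_points(SAMPLE_MTAB, skip_ignored=False))
```

The match is on the whole option word, so an option that merely contains the substring (for example a hypothetical ignore_foo) is not mistaken for it.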
movv1qi pattern no longer causes miscompilation in the auto-vectorized code on IBM Z
Prior to this update, wrong load instructions were emitted for the movv1qi pattern. As a consequence, when auto-vectorization was in effect, a miscompilation could occur on IBM Z systems. This update fixes the movv1qi pattern, and as a result, code compiles and runs correctly now.
PAPI_event_name_to_code() now works correctly in multiple threads
Prior to this update, the PAPI internal code did not handle thread coordination properly. As a consequence, when multiple threads used the PAPI_event_name_to_code() operation, a race condition occurred and the operation failed. This update enhances the handling of multiple threads in the PAPI internal code. As a result, multithreaded code using the PAPI_event_name_to_code() operation now works correctly.
Improved performance for the glibc math functions on IBM Power Systems
Previously, the glibc math functions performed unnecessary floating point status updates and system calls on IBM Power Systems, which negatively affected the performance. This update removes the unnecessary floating point status updates, and improves the implementations of functions such as fesetround(). As a result, the performance of the math library is improved on IBM Power Systems.
Memory protection keys are now supported on IBM Power
On IBM Power Systems, the memory protection key interfaces, including pkey_get, were previously stub functions, and consequently always failed. This update implements the interfaces, and as a result, the GNU C Library (glibc) now supports memory protection keys on IBM Power Systems.
Note that memory protection keys currently require the hash-based memory management unit (MMU); therefore, you might have to boot certain systems with the disable_radix kernel parameter.
The papi-devel packages now install the required papi-libs package
Previously, the papi-devel RPM packages did not declare a dependency on the matching papi-libs package. Consequently, the tests failed to run, and developers did not have the required version of the papi shared library available for their applications.
With this update, when the user installs either the papi-testsuite or the papi-devel packages, the papi-libs package is also installed. As a result, the papi-testsuite now has the correct library allowing the tests to run, and developers using papi-devel have their executables linked with the appropriate version of the papi shared library.
lldb packages for multiple architectures no longer lead to file conflicts
Previously, the lldb packages installed architecture-dependent files in architecture-independent locations. As a consequence, installing both the 32-bit and 64-bit versions of the packages led to file conflicts. This update packages the files in the correct architecture-dependent locations. As a result, the installation of lldb in the described scenario completes successfully.
getaddrinfo now correctly handles a memory allocation failure
Previously, after a memory allocation failure, the getaddrinfo function of the GNU C Library (glibc) did not release the internal resolver context. As a consequence, getaddrinfo was not able to reload the /etc/resolv.conf file for the rest of the lifetime of the calling thread, resulting in a possible memory leak.
This update modifies the error handling path with an additional release operation for the resolver context. As a result, getaddrinfo can reload /etc/resolv.conf with new configuration values even after an intermittent memory allocation failure.
glibc avoids certain failures caused by IFUNC resolver ordering
Previously, the implementation of the libpthread libraries of the GNU C Library (glibc) contained the indirect function (IFUNC) resolvers for the following functions: vfork. In some cases, the IFUNC resolvers could execute before the libpthread libraries were relocated. Consequently, applications would fail in the glibc dynamic loader during early program startup.
With this release, the implementations of these functions have been moved into the libc component of glibc, which prevents the described problem from occurring.
Assertion failures no longer occur during
Previously, the glibc dynamic loader did not roll back changes to the internal Thread Local Storage (TLS) module ID counter. As a consequence, an assertion failure in the pthread_create function could occur after the dlopen function had failed in certain ways. With this fix, the glibc dynamic loader updates the TLS module ID counter at a later point in time, after certain failures can no longer happen. As a result, the assertion failures no longer occur.
glibc now installs correct dependencies for 32-bit applications using nss_db
Previously, the nss_db.x86_64 package did not declare dependencies on the nss_db.i686 package. Therefore, automated installation did not install nss_db.i686 on the system, despite having the 32-bit environment glibc.i686 installed. As a consequence, 32-bit applications using nss_db failed to perform accurate user database lookups, while 64-bit applications in the same setup worked correctly.
With this update, the glibc packages have weak dependencies that trigger the installation of the nss_db.i686 package when both glibc.i686 and nss_db are installed on the system. As a result, 32-bit applications using nss_db now work correctly, even if the system administrator has not explicitly installed the nss_db.i686 package.
glibc locale information updated with Odia language
The name of the Indian state previously known as Orissa has changed to Odisha, and the name of its official language has changed from Oriya to Odia. With this update, the glibc locale information reflects the new name of the language.
LLVM sub packages now install arch-dependent files in arch-dependent locations
Previously, LLVM sub packages installed arch-dependent files in arch-independent locations. This resulted in conflicts when installing 32 and 64 bit versions of LLVM. With this update, package files are now correctly installed in arch-dependent locations, avoiding version conflicts.
Password and group lookups no longer fail in nss_compat
Previously, the nss_compat module of the glibc library overwrote the errno status with incorrect error codes during processing of password and group entries. Consequently, applications did not resize buffers as expected, causing password and group lookups to fail. This update fixes the problem, and the lookups now complete as expected.
6.10. Identity Management
SSSD no longer downloads every rule with a wildcard character by default
Previously, the ldap_sudo_include_regexp option was incorrectly set to true by default. As a consequence, when SSSD started running or after updating SSSD rules, SSSD downloaded every rule that contained a wildcard character (*) in the sudoHost attribute. This update fixes the bug, and the ldap_sudo_include_regexp option is now properly set to false by default. As a result, the described problem no longer occurs.
krb5 now only requests permitted encryption types
Previously, permitted encryption types specified in the permitted_enctypes variable in the /etc/krb5.conf file did not apply to the default encryption types if the default_tkt_enctypes attributes were not set. Consequently, Kerberos clients were able to request deprecated cipher suites like RC4, which may cause other processes to fail. With this update, encryption types specified in the permitted_enctypes variable apply to the default encryption types as well, and only permitted encryption types are requested.
The RC4 cipher suite, which has been deprecated in RHEL 8, is the default encryption type for users, services, and trusts between Active Directory (AD) domains in an AD forest.
- To ensure support for strong AES encryption types between AD domains in an AD forest, see the Microsoft article AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain.
- To enable support for the deprecated RC4 encryption type in an IdM server for backwards compatibility with AD, use the update-crypto-policies --set DEFAULT:AD-SUPPORT command.
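The resolution rule the fix introduces, as an added Python example that is not MIT krb5 code: when no default list is configured, the permitted_enctypes list is what the client requests, and a configuration can be checked for deprecated types before it is rolled out. The helper handles only a flat [libdefaults] section (krb5.conf's brace-nested sections such as [realms] are out of scope), an explicitly configured default list is taken as written, and the configuration texts and the DEPRECATED_PREFIXES list are the example's own.

```python
"""Derive the encryption types a Kerberos client requests from the
[libdefaults] section of krb5.conf, following the rule in the note above:
when default_tkt_enctypes (or default_tgs_enctypes) is unset, the
permitted_enctypes list applies to the defaults as well.

Added example, not MIT krb5 code. Only a flat [libdefaults] section is
parsed; an explicit default list is taken as written. KRB5_CONF and
LEGACY_CONF are constructed.
"""
import configparser
import re

KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    dns_lookup_kdc = true
"""

# Legacy configuration that explicitly asks for RC4 first (constructed).
LEGACY_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96
"""

# Enctype name prefixes this check reports as deprecated: RC4 (as the note
# says) and the DES families, which the example treats the same way.
DEPRECATED_PREFIXES = ("rc4-", "arcfour-", "des-", "des3-")


def libdefaults(conf_text):
    """Return [libdefaults] as {option: [tokens]}; lists may be space or comma separated."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    return {key: [tok for tok in re.split(r"[\s,]+", value.strip()) if tok]
            for key, value in cp["libdefaults"].items()}


def effective_enctypes(conf_text, kind="default_tkt_enctypes"):
    """Enctypes requested for `kind` ("default_tkt_enctypes" or "default_tgs_enctypes").

    Fixed semantics: an absent default list falls back to permitted_enctypes.
    None means neither is configured and the library's built-in default applies.
    """
    options = libdefaults(conf_text)
    explicit = options.get(kind)
    if explicit is not None:
        return explicit
    permitted = options.get("permitted_enctypes")
    return list(permitted) if permitted else None


def deprecated_requested(conf_text, kind="default_tkt_enctypes"):
    """Deprecated enctypes that this configuration would still request."""
    return [etype for etype in (effective_enctypes(conf_text, kind) or [])
            if etype.lower().startswith(DEPRECATED_PREFIXES)]


if __name__ == "__main__":
    for name, conf in (("permitted-only", KRB5_CONF), ("legacy", LEGACY_CONF)):
        print(name, "->", effective_enctypes(conf),
              "deprecated:", deprecated_requested(conf))
```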
KDCs now correctly enforce password lifetime policy from LDAP backends
Previously, non-IPA Kerberos Distribution Centers (KDCs) did not ensure maximum password lifetimes because the Kerberos LDAP backend incorrectly enforced password policies. With this update, the Kerberos LDAP backend has been fixed, and password lifetimes behave as expected.
Password expiration notifications sent to AD clients using SSSD
Previously, Active Directory clients (non-IdM) using SSSD were not sent password expiration notices because of a recent change in the SSSD interface for acquiring Kerberos credentials.
The Kerberos interface has been updated and expiration notices are now sent correctly.
Directory Server no longer leaks memory when using indirect COS definitions
Previously, after processing an indirect Class Of Service (COS) definition, Directory Server leaked memory for each search operation that used an indirect COS definition. With this update, Directory Server frees all internal COS structures associated with the database entry after it has been processed. As a result, the server no longer leaks memory when using indirect COS definitions.
Adding ID overrides of AD users now works in IdM Web UI
Previously, adding ID overrides of Active Directory (AD) users to Identity Management (IdM) groups in the Default Trust View for the purpose of granting access to management roles failed when using the IdM Web UI. This update fixes the bug. As a result, you can now use both the Web UI as well as the IdM command-line interface (CLI) in this scenario.
FreeRADIUS no longer generates certificates during package installation
Previously, FreeRADIUS generated certificates during package installation, resulting in the following issues:
- If FreeRADIUS was installed using Kickstart, certificates might be generated at a time when entropy on the system was insufficient, resulting in either a failed installation or a less secure certificate.
- The package was difficult to build as part of an image, such as a container, because the package installation occurs on the builder machine instead of the target machine. All instances that are spawned from the image had the same certificate information.
- It was difficult for an end-user to generate a simple VM in their environment as the certificates would have to be removed and regenerated manually.
With this update, the FreeRADIUS installation no longer generates default self-signed CA certificates nor subordinate CA certificates. When FreeRADIUS is launched via
- If all of the required certificates are missing, a set of default certificates is generated.
- If one or more of the expected certificates are present, it does not generate new certificates.
FreeRADIUS now generates FIPS-compliant Diffie-Hellman parameters
Due to new FIPS requirements that do not allow openssl to generate Diffie-Hellman (DH) parameters via dhparam, the DH parameter generation has been removed from the FreeRADIUS bootstrap scripts, and the file rfc3526-group-18-8192.dhparam is included with the FreeRADIUS packages for all systems, which enables FreeRADIUS to start in FIPS mode.
Note that you can customize /etc/raddb/certs/Makefile to restore the DH parameter generation if required.
Healthcheck now properly updates both the ipa-healthcheck and ipa-healthcheck-core packages
Previously, running yum update healthcheck did not update the ipa-healthcheck package but replaced it with the ipa-healthcheck-core package. As a consequence, the ipa-healthcheck command did not work after the update.
This update fixes the bug, and updating ipa-healthcheck now correctly updates both the ipa-healthcheck package and the ipa-healthcheck-core package. As a result, the Healthcheck tool works correctly after the update.
6.11. Graphics infrastructures
Laptops with hybrid Nvidia GPUs can now successfully resume from suspend
Previously, the nouveau graphics driver sometimes could not power on hybrid Nvidia GPUs on certain laptops from power-save mode. As a result, the laptops failed to resume from suspend.
With this update, several problems in the Runtime Power Management (runpm) system have been fixed. As a result, laptops with hybrid graphics can now successfully resume from suspend.
(JIRA:RHELPLAN-57572, BZ#1798631, BZ#1808012, JIRA:RHELPLAN-45934, JIRA:RHELPLAN-24437, BZ#1667516, BZ#1667225)
Migrating virtual machines with the default CPU model now works more reliably
Previously, if a virtual machine (VM) was created without a specific CPU model, QEMU used a default model that was not visible to the libvirt service. As a consequence, it was possible to migrate the VM to a host that did not support the default CPU model of the VM, which sometimes caused crashes and incorrect behavior in the guest OS after the migration.
With this update, libvirt explicitly uses the qemu64 model as the default in the XML configuration of the VM. As a result, if the user attempts to migrate a VM with the default CPU model to a host that does not support that model, libvirt correctly generates an error message.
Note, however, that Red Hat strongly recommends using a specific CPU model for your VMs.
(JIRA:RHELPLAN-45906, BZ#1798631, BZ#1808012, JIRA:RHELPLAN-45934, JIRA:RHELPLAN-24437, BZ#1667516, BZ#1667225)
Notes on FIPS support with Podman
The Federal Information Processing Standard (FIPS) requires certified modules to be used. Previously, Podman correctly installed certified modules in containers by enabling the proper flags at startup. However, in this release, Podman does not properly set up the additional application helpers normally provided by the system in the form of the FIPS system-wide crypto-policy. Although setting the system-wide crypto-policy is not required by the certified modules, it does improve the ability of applications to use crypto modules in compliant ways. To work around this problem, change your container to run the update-crypto-policies --set FIPS command before any other application code is executed. The update-crypto-policies --set FIPS command is no longer required with this fix.