Chapter 6. Bug fixes

This part describes bugs fixed in Red Hat Enterprise Linux 8.3 that have a significant impact on users.

6.1. Installer and image creation

RHEL 8 initial setup now works properly via SSH

Previously, the RHEL 8 initial setup interface did not display when logged in to the system using SSH. As a consequence, it was impossible to perform the initial setup on a RHEL 8 machine managed via SSH. This problem has been fixed, and RHEL 8 initial setup now works correctly when performed via SSH.


Installation failed when using the reboot --kexec command

Previously, the RHEL 8 installation failed when a Kickstart file that contained the reboot --kexec command was used.

With this update, the installation with reboot --kexec now works as expected.


America/New York time zone can now be set correctly

Previously, the interactive Anaconda installation process did not allow users to set the America/New York time zone when using a kickstart file. With this update, users can now set America/New York as the preferred time zone in the interactive installer if a time zone is not specified in the kickstart file.


SELinux contexts are now set correctly

Previously, when SELinux was in enforcing mode, incorrect SELinux contexts on some folders and files resulted in unexpected AVC denials when attempting to access these files after installation.

With this update, Anaconda sets the correct SELinux contexts. As a result, you can now access the folders and files without manually relabeling the filesystem.


Automatic partitioning now creates a valid /boot partition

Previously, when installing RHEL on a system using automatic partitioning or using a kickstart file with preconfigured partitions, the installer created a partitioning scheme that could contain an invalid /boot partition. Consequently, the automatic installation process ended prematurely because the verification of the partitioning scheme failed. With this update, Anaconda creates a partitioning scheme that contains a valid /boot partition. As a result, the automatic installation completes as expected.


A GUI installation using the Binary DVD ISO image now completes successfully without CDN registration

Previously, when performing a GUI installation using the Binary DVD ISO image file, a race condition in the installer prevented the installation from proceeding until you registered the system using the Connect to Red Hat feature.

With this update, you can now proceed with the installation without registering the system using the Connect to Red Hat feature.


iSCSI or FCoE devices created in Kickstart and used in ignoredisk --only-use command no longer stop the installation process

Previously, when the iSCSI or FCoE devices created in Kickstart were used in the ignoredisk --only-use command, the installation program failed with an error similar to Disk "disk/by-id/scsi-360a9800042566643352b476d674a774a" given in ignoredisk command does not exist. This stopped the installation process.

With this update, the problem has been fixed. The installation program continues working.


System registration using CDN failed with the error message Name or service not known

When you attempted to register a system using the Content Delivery Network (CDN), the registration process failed with the error message Name or service not known.

This issue occurred because the empty Custom server URL and Custom Base URL values overwrote the default values for system registration.

With this update, the empty values now do not overwrite the default values, and the system registration completes successfully.


6.2. Software management

dnf-automatic now updates only packages with correct GPG signatures

Previously, the dnf-automatic configuration file did not check GPG signatures of downloaded packages before performing an update. As a consequence, unsigned updates or updates signed by key which was not imported could be installed by dnf-automatic even though repository configuration requires GPG signature check (gpgcheck=1). With this update, the problem has been fixed, and dnf-automatic checks GPG signatures of downloaded packages before performing the update. As a result, only updates with correct GPG signatures are installed from repositories that require GPG signature check.


Trailing comma no longer causes entries removal in an append type option

Previously, adding a trailing comma (an empty entry at the end of the list) to an append type option (for example, exclude, excludepkgs, includepkgs) caused all entries in the option to be removed. Also, adding two commas (an empty entry) caused that only entries after the commas were used.

With this update, empty entries other than leading commas (an empty entry at the beginning of the list) are ignored. As a result, only the leading comma now removes existing entries from the append type option, and the user can use it to overwrite these entries.


6.3. Shells and command-line tools

The ReaR disk layout no longer includes entries for Rancher 2 Longhorn iSCSI devices and file systems

This update removes entries for Rancher 2 Longhorn iSCSI devices and file systems from the disk layout created by ReaR.


Rescue image creation with a file larger than 4 GB is now enabled on IBM POWER, little endian

Previously, the ReaR utility could not create rescue images containing files larger than 4GB on IBM POWER, little endian architecture. With this update, the problem has been fixed, and it is now possible to create a rescue image with a file larger than 4 GB on IBM POWER, little endian.


6.4. Security

SELinux no longer prevents systemd-journal-gatewayd to call newfstatat() on /dev/shm/ files used by corosync

Previously, SELinux policy did not contain a rule that allows the systemd-journal-gatewayd daemon to access files created by the corosync service. As a consequence, SELinux denied systemd-journal-gatewayd to call the newfstatat() function on shared memory files created by corosync. With this update, SELinux no longer prevents systemd-journal-gatewayd to call newfstatat() on shared memory files created by corosync.


Libreswan now works with seccomp=enabled on all configurations

Prior to this update, the set of allowed syscalls in the Libreswan SECCOMP support implementation did not match new usage of RHEL libraries. Consequently, when SECCOMP was enabled in the ipsec.conf file, the syscall filtering rejected even syscalls required for the proper functioning of the pluto daemon; the daemon was killed, and the ipsec service was restarted. With this update, all newly required syscalls have been allowed, and Libreswan now works with the seccomp=enabled option correctly.


SELinux no longer prevents auditd to halt or power off the system

Previously, the SELinux policy did not contain a rule that allows the Audit daemon to start a power_unit_file_t systemd unit. Consequently, auditd could not halt or power off the system even when configured to do so in cases such as no space left on a logging disk partition.

This update of the selinux-policy packages adds the missing rule, and auditd can now properly halt and power off the system only with SELinux in enforcing mode.


IPTABLES_SAVE_ON_STOP now works correctly

Previously, the IPTABLES_SAVE_ON_STOP feature of the iptables service did not work because files with saved IP tables content received incorrect SELinux context. This prevented the iptables script from changing permissions, and the script subsequently failed to save the changes. This update defines a proper context for the and files, and creates a filename transition rule. As a consequence, the IPTABLES_SAVE_ON_STOP feature of the iptables service works correctly.


NSCD databases can now use different modes

Domains in the nsswitch_domain attribute are allowed access to Name Service Cache Daemon (NSCD) services. Each NSCD database is configured in the nscd.conf file, and the shared property determines whether the database uses Shared memory or Socket mode. Previously, all NSCD databases had to use the same access mode, depending on the nscd_use_shm boolean value. Now, using Unix stream socket is always allowed, and therefore different NSCD databases can use different modes.


The oscap-ssh utility now works correctly when scanning a remote system with --sudo

When performing a Security Content Automation Protocol (SCAP) scan of a remote system using the oscap-ssh tool with the --sudo option, the oscap tool on the remote system saves scan result files and report files into a temporary directory as the root user. Previously, if the umask settings on the remote machine were changed, oscap-ssh might have been prevented access to these files. This update fixes the issue, and as a result, oscap saves the files as the target user, and oscap-ssh accesses the files normally.


OpenSCAP now handles remote file systems correctly

Previously, OpenSCAP did not reliably detect remote file systems if their mount specification did not start with two slashes. As a consequence, OpenSCAP handled some network-based file systems as local. With this update, OpenSCAP identifies file systems using the file-system type instead of the mount specification. As a result, OpenSCAP now handles remote file systems correctly.


OpenSCAP no longer removes blank lines from YAML multi-line strings

Previously, OpenSCAP removed blank lines from YAML multi-line strings within generated Ansible remediations from a datastream. This affected Ansible remediations and caused the openscap utility to fail the corresponding Open Vulnerability and Assessment Language (OVAL) checks, producing false positive results. The issue is now fixed and as a result, openscap no longer removes blank lines from YAML multi-line strings.


config.enabled now controls statements correctly

Previously, the rsyslog incorrectly evaluated the config.enabled directive during the configuration processing of a statement. As a consequence, the parameter not known errors were displayed for each statement except for the include() one. With this update, the configuration is processed for all statements equally. As a result, config.enabled now correctly disables or enables statements without displaying any error.


fapolicyd no longer prevents RHEL updates

When an update replaces the binary of a running application, the kernel modifies the application binary path in memory by appending the " (deleted)" suffix. Previously, the fapolicyd file access policy daemon treated such applications as untrusted, and prevented them from opening and executing any other files. As a consequence, the system was sometimes unable to boot after applying updates.

With the release of the RHBA-2020:5242 advisory, fapolicyd ignores the suffix in the binary path so the binary can match the trust database. As a result, fapolicyd enforces the rules correctly and the update process can finish.


6.5. Networking

Automatic loading of iptables extension modules by the nft_compat module no longer hangs

Previously, when the nft_compat module loaded an extension module while an operation on network name spaces (netns) happened in parallel, a lock collision could occur if that extension registered a pernet subsystem during initialization. As a consequence, the kernel-called modprobe command hang. This could also be caused by other services, such as libvirtd, that also execute iptables commands. This problem has been fixed. As a result, loading iptables extension modules by the nft_compat module no longer hangs.


The firewalld service now removes ipsets when the service stops

Previously, stopping the firewalld service did not remove ipsets. This update fixes the problem. As a result, ipsets are no longer left in the system after firewalld stops.


firewalld no longer retains ipset entries after shutdown

Previously, shutting down firewalld did not remove ipset entries. Consequently, ipset entries remained active in the kernel even after stopping the firewalld service. With this fix, shutting down firewalld removes ipset entries as expected.


firewalld now restores ipset entries after reloading

Previously, firewalld did not retain runtime ipset entries after reloading. Consequently, users had to manually add the missing entries again. With this update, firewalld has been modified to restore ipset entries after reloading.


nftables and firewalld services are now mutually exclusive

Previously, it was possible to enable nftables and firewalld services at the same time. As a consequence, nftables was overriding firewalld rulesets. With this update, nftables and firewalld services are now mutually exclusive so that these cannot be enabled at the same time.


6.6. Kernel

The script now works correctly

A patch that updated the script for Python 3 was accidentally removed. Consequently, after executing, the following error message appeared:

SyntaxError: Missing parentheses in call to 'print'

With this update, the problem has been fixed by updating the libhugetlbfs.spec file. As a result, does not show any error in the described scenario.


The bcc scripts now successfully compile a BPF module

During the script code compilation to create a Berkeley Packet Filter (BPF) module, the bcc toolkit used kernel headers for data type definition. Some kernel headers needed the KBUILD_MODNAME macro to be defined. Consequently, those bcc scripts that did not add KBUILD_MODNAME, were likely to fail to compile a BPF module across various CPU architectures. The following bcc scripts were affected:

  • bindsnoop
  • sofdsnoop
  • solisten
  • tcpaccept
  • tcpconnect
  • tcpconnlat
  • tcpdrop
  • tcpretrans
  • tcpsubnet
  • tcptop
  • tcptracer

With this update, the problem has been fixed by adding KBUILD_MODNAME to the default cflags parameter for bcc. As a result, this problem no longer appears in the described scenario. Also, customer scripts do not need to define KBUILD_MODNAME themselves either.


bcc-tools and bpftrace work properly on IBM Z

Previously, a feature backport introduced the ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE kernel option. However, the bcc-tools package and bpftrace tracing language package for IBM Z architectures did not have proper support for this option. Consequently, the bpf() system call failed with the Invalid argument exception and bpftrace failed with an error stating Error loading program when trying to load the BPF program. With this update, the ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE option is now removed. As a result, the problem no longer appears in the described scenario.

(BZ#1847837, BZ#1853964)

Boot process no longer fails due to lack of entropy

Previously, the boot process failed due to lack of entropy. A better mechanism is now used to allow the kernel to gather entropy early in the boot process, which does not depend on any hardware specific interrupts. This update fixes the problem by ensuring availability of sufficient entropy to secure random generation in early boot. As a result, the fix prevents kickstart timeout or slow boots and the boot process works as expected.


Repeated reboots using kexec now work as expected

Previously, during the kernel reboot on the Amazon EC2 Nitro platform, the remove module (rmmod) was not called during the shutdown() call of the kernel execution path. Consequently, repeated kernel reboots using the kexec system call led to a failure. With this update, the issue has been fixed by adding the PCI shutdown() handler that allows safe kernel execution. As a result, repeated reboots using kexec on Amazon EC2 Nitro platforms no longer fail.


Attempting to add ICE driver NIC port to a mode 5 bonding master interface no longer fails

Previously, attempting to add the ICE driver NIC port to a mode 5 (balance-tlb) bonding master interface led to a failure with an error Master 'bond0', Slave 'ens1f0': Error: Enslave failed. Consequently, you experienced an intermittent failure to add the NIC port to the bonding master interface. This update fixes the issue and adding the interface no longer fails.


6.7. High availability and clusters

When a GFS2 file system is used with the Filesystem agent the fast_stop option now defaults to no

Previously, when a GFS2 file system was used with the Filesystem agent, the fast_stop option defaulted to yes. This value could result in unnecessary fence events due to the length of time it can take a GFS2 file system to unmount. With this update, this option defaults to no. For all other file systems it continues to default to yes.


fence_compute and fence_evacuate agents now interpret insecure option in a more standard way

Previously, the fence_compute and fence_evacuate agents worked as if --insecure was specified by default. With this update, customers who do not use valid certificates for their compute or evacuate services must set insecure=true and use the --insecure option when running manually from the CLI. This is consistent with the behavior of all other agents.


6.8. Dynamic programming languages, web and database servers

Optimized CPU consumption by libdb

A previous update to the libdb database caused an excessive CPU consumption in the trickle thread. With this update, the CPU usage has been optimized.


The did_you_mean Ruby gem no longer contains a file with a non-commercial license

Previously, the did_you_mean gem available in the ruby:2.5 module stream contained a file with a non-commercial license. This update removes the affected file.


nginx can now load server certificates from hardware security tokens through the PKCS#11 URI

The ssl_certificate directive of the nginx web server supports loading TLS server certificates from hardware security tokens directly from PKCS#11 modules. Previously, it was impossible to load server certificates from hardware security tokens through the PKCS#11 URI.


6.9. Compilers and development tools

The glibc dynamic loader no longer fails while loading a shared library that uses DT_FILTER and has a constructor

Prior to this update, a defect in the dynamic loader implementation of shared objects as filters caused the dynamic loader to fail while loading a shared library that uses a filter and has a constructor. With this release, the dynamic loader implementation of filters (DT_FILTER) has been fixed to correctly handle such shared libraries. As a result, the dynamic loader now works as expected in the mentioned scenario.


glibc can now remove pseudo-mounts from the getmntent() list

The kernel includes automount pseudo-entries in the tables exposed to userspace. Consequently, programs that use the getmntent() API see both regular mounts and these pseudo-mounts in the list. The pseudo-mounts do not correspond to real mounts, nor include valid information.

With this update, if the mount entry has the ignore mount option present in the automount(8) configuration the glibc library now removes these pseudo-mounts from the getmntent() list. Programs that expect the previous behavior have to use a different API.


The movv1qi pattern no longer causes miscompilation in the auto-vectorized code on IBM Z

Prior to this update, wrong load instructions were emitted for the movv1qi pattern. As a consequence, when auto-vectorization was in effect, a miscompilation could occur on IBM Z systems. This update fixes the movv1qi pattern, and as a result, code compiles and runs correctly now.


PAPI_event_name_to_code() now works correctly in multiple threads

Prior to this update, the PAPI internal code did not handle thread coordination properly. As a consequence, when multiple threads used the PAPI_event_name_to_code() operation, a race condition occurred and the operation failed. This update enhances the handling of multiple threads in the PAPI internal code. As a result, multithreaded code using the PAPI_event_name_to_code() operation now works correctly.


Improved performance for the glibc math functions on IBM Power Systems

Previously, the glibc math functions performed unnecessary floating point status updates and system calls on IBM Power Systems, which negatively affected the performance. This update removes the unnecessary floating point status update, and improves the implementations of: ceil(), ceilf(), fegetmode(), fesetmode(), fesetenv(), fegetexcept(), feenableexcept(), fedisablexcept(), fegetround() and fesetround(). As a result, the performance of the math library is improved on IBM Power Systems.


Memory protection keys are now supported on IBM Power

On IBM Power Systems, the memory protection key interfaces pkey_set and pkey_get were previously stub functions, and consequently always failed. This update implements the interfaces, and as a result, the GNU C Library (glibc) now supports memory protection keys on IBM Power Systems.

Note that memory protection keys currently require the hash-based memory management unit (MMU), therefore you might have to boot certain systems with the disable_radix kernel parameter.


papi-testsuite and papi-devel now install the required papi-libs package

Previously, the papi-testsuite and papi-devel RPM packages did not declare a dependency on the matching papi-libs package. Consequently, the tests failed to run, and developers did not have the required version of the papi shared library available for their applications.

With this update, when the user installs either the papi-testsuite or papi-devel packages, the papi-libs package is also installed. As a result, the papi-testsuite now has the correct library allowing the tests to run, and developers using papi-devel have their executables linked with the appropriate version of the papi shared library.


Installing the lldb packages for multiple architectures no longer leads to file conflicts

Previously, the lldb packages installed architecture-dependent files in architecture-independent locations. As a consequence, installing both 32-bit and 64-bit versions of the packages led to file conflicts. This update packages the files in correct architecture-dependent locations. As a result, the installation of lldb in the described scenario completes successfully.


getaddrinfo now correctly handles a memory allocation failure

Previously, after a memory allocation failure, the getaddrinfo function of the GNU C Library glibc did not release the internal resolver context. As a consequence, getaddrinfo was not able to reload the /etc/resolv.conf file for the rest of the lifetime of the calling thread, resulting in a possible memory leak.

This update modifies the error handling path with an additional release operation for the resolver context. As a result, getaddrinfo reloads /etc/resolv.conf with new configuration values even after an intermittent memory allocation failure.


glibc avoids certain failures caused by IFUNC resolver ordering

Previously, the implementation of the librt and libpthread libraries of the GNU C Library glibc contained the indirect function (IFUNC) resolvers for the following functions: clock_gettime, clock_getcpuclockid, clock_nanosleep, clock_settime, vfork. In some cases, the IFUNC resolvers could execute before the librt and libpthread libraries were relocated. Consequently, applications would fail in the glibc dynamic loader during early program startup.

With this release, the implementations of these functions have been moved into the libc component of glibc, which prevents the described problem from occurring.


Assertion failures no longer occur during pthread_create

Previously, the glibc dynamic loader did not roll back changes to the internal Thread Local Storage (TLS) module ID counter. As a consequence, an assertion failure in the pthread_create function could occur after the dlopen function had failed in certain ways. With this fix, the glibc dynamic loader updates the TLS module ID counter at a later point in time, after certain failures can no longer happen. As a result, the assertion failures no longer occur.


glibc now installs correct dependencies for 32-bit applications using nss_db

Previously, the nss_db.x86_64 package did not declare dependencies on the nss_db.i686 package. Therefore automated installation did not install nss_db.i686 on the system, despite having a 32-bit environment glibc.i686 installed. As a consequence, 32-bit applications using nss_db failed to perform accurate user database lookups, while 64-bit applications in the same setup worked correctly.

With this update, the glibc packages now have weak dependencies that trigger the installation of the nss_db.i686 package when both glibc.i686 and nss_db are installed on the system. As a result, 32-bit applications using nss_db now work correctly, even if the system administrator has not explicitly installed the nss_db.i686 package.


glibc locale information updated with Odia language

The name of Indian state previously known as Orissa has changed to Odisha, and the name of its official language has changed from Oriya to Odia. With this update, the glibc locale information reflects the new name of the language.


LLVM sub packages now install arch-dependent files in arch-dependent locations

Previously, LLVM sub packages installed arch-dependent files in arch-independent locations. This resulted in conflicts when installing 32 and 64 bit versions of LLVM. With this update, package files are now correctly installed in arch-dependent locations, avoiding version conflicts.


Password and group lookups no longer fail in glibc

Previously, the nss_compat module of the glibc library overwrote the errno status with incorrect error codes during processing of password and group entries. Consequently, applications did not resize buffers as expected, causing password and group lookups to fail. This update fixes the problem, and the lookups now complete as expected.


6.10. Identity Management

SSSD no longer downloads every rule with a wildcard character by default

Previously, the ldap_sudo_include_regexp option was incorrectly set to true by default. As a consequence, when SSSD started running or after updating SSSD rules, SSSD downloaded every rule that contained a wildcard character (*) in the sudoHost attribute. This update fixes the bug, and the ldap_sudo_include_regexp option is now properly set to false by default. As a result, the described problem no longer occurs.


krb5 now only requests permitted encryption types

Previously, permitted encryption types specified in the permitted_enctypes variable in the /etc/krb5.conf file did not apply to the default encryption types if the default_tgs_enctypes or default_tkt_enctypes attributes were not set. Consequently, Kerberos clients were able to request deprecated cipher suites like RC4, which may cause other processes to fail. With this update, encryption types specified in the permitted_enctypes variable apply to the default encryption types as well, and only permitted encryption types are requested.

The RC4 cipher suite, which has been deprecated in RHEL 8, is the default encryption type for users, services, and trusts between Active Directory (AD) domains in an AD forest.


KDCs now correctly enforce password lifetime policy from LDAP backends

Previously, non-IPA Kerberos Distribution Centers (KDCs) did not ensure maximum password lifetimes because the Kerberos LDAP backend incorrectly enforced password policies. With this update, the Kerberos LDAP backend has been fixed, and password lifetimes behave as expected.


Password expiration notifications sent to AD clients using SSSD

Previously, Active Directory clients (non-IdM) using SSSD were not sent password expiration notices because of a recent change in the SSSD interface for acquiring Kerberos credentials.

The Kerberos interface has been updated and expiration notices are now sent correctly.


Directory Server no longer leaks memory when using indirect COS definitions

Previously, after processing an indirect Class Of Service (COS) definition, Directory Server leaked memory for each search operation that used an indirect COS definition. With this update, Directory Server frees all internal COS structures associated with the database entry after it has been processed. As a result, the server no longer leaks memory when using indirect COS definitions.


Adding ID overrides of AD users now works in IdM Web UI

Previously, adding ID overrides of Active Directory (AD) users to Identity Management (IdM) groups in the Default Trust View for the purpose of granting access to management roles failed when using the IdM Web UI. This update fixes the bug. As a result, you can now use both the Web UI as well as the IdM command-line interface (CLI) in this scenario.


FreeRADIUS no longer generates certificates during package installation

Previously, FreeRADIUS generated certificates during package installation, resulting in the following issues:

  • If FreeRADIUS was installed using Kickstart, certificates might be generated at a time when entropy on the system was insufficient, resulting in either a failed installation or a less secure certificate.
  • The package was difficult to build as part of an image, such as a container, because the package installation occurs on the builder machine instead of the target machine. All instances that are spawned from the image had the same certificate information.
  • It was difficult for an end-user to generate a simple VM in their environment as the certificates would have to be removed and regenerated manually.

With this update, the FreeRADIUS installation no longer generates default self-signed CA certificates nor subordinate CA certificates. When FreeRADIUS is launched via systemd:

  • If all of the required certificates are missing, a set of default certificates are generated.
  • If one or more of the expected certificates are present, it does not generate new certificates.


FreeRADIUS now generates FIPS-compliant Diffie-Hellman parameters

Due to new FIPS requirements that do not allow openssl to generate Diffie-Hellman (dh) parameters via dhparam, the dh parameter generation has been removed from the FreeRADIUS bootstrap scripts and the file, rfc3526-group-18-8192.dhparam, is included with the FreeRADIUS packages for all systems, and thus enables FreeRADIUS to start in FIPS mode.

Note that you can customize /etc/raddb/certs/bootstrap and /etc/raddb/certs/Makefile to restore the DH parameter generation if required.


Updating Healthcheck now properly updates both ipa-healthcheck-core and ipa-healthcheck

Previously, entering yum update healthcheck did not update the ipa-healthcheck package but replaced it with the ipa-healthcheck-core package. As a consequence, the ipa-healthcheck command did not work after the update.

This update fixes the bug, and updating ipa-healthcheck now correctly updates both the ipa-healthcheck package and the ipa-healthcheck-core package. As a result, the Healthcheck tool works correctly after the update.


6.11. Graphics infrastructures

Laptops with hybrid Nvidia GPUs can now successfully resume from suspend

Previously, the nouveau graphics driver sometimes could not power on hybrid Nvidia GPUs on certain laptops from power-save mode. As a result, the laptops failed to resume from suspend.

With this update, several problems in the Runtime Power Management (runpm) system have been fixed. As a result, the laptops with hybrid graphics can now successfully resume from suspend.

(JIRA:RHELPLAN-57572, BZ#1798631, BZ#1808012, JIRA:RHELPLAN-45934, JIRA:RHELPLAN-24437, BZ#1667516, BZ#1667225)

6.12. Virtualization

Migrating virtual machines with the default CPU model now works more reliably

Previously, if a virtual machine (VM) was created without a specific CPU model, QEMU used a default model that was not visible to the libvirt service. As a consequence, it was possible to migrate the VM to a host that did not support the default CPU model of the VM, which sometimes caused crashes and incorrect behavior in the guest OS after the migration.

With this update, libvirt explicitly uses the qemu64 model as default in the XML configuration of the VM. As a result, if the user attempts migrating a VM with the default CPU model to a host that does not support that model, libvirt correctly generates an error message.

Note, however, that Red Hat strongly recommends using a specific CPU model for your VMs.

(JIRA:RHELPLAN-45906, BZ#1798631, BZ#1808012, JIRA:RHELPLAN-45934, JIRA:RHELPLAN-24437, BZ#1667516, BZ#1667225)

6.13. Containers

Notes on FIPS support with Podman

The Federal Information Processing Standard (FIPS) requires certified modules to be used. Previously, Podman correctly installed certified modules in containers by enabling the proper flags at startup. However, in this release, Podman does not properly set up the additional application helpers normally provided by the system in the form of the FIPS system-wide crypto-policy. Although setting the system-wide crypto-policy is not required by the certified modules it does improve the ability of applications to use crypto modules in compliant ways. To work around this problem, change your container to run the update-crypto-policies --set FIPS command before any other application code was executed. The update-crypto-policies --set FIPS command is no longer required with this fix.