Chapter 8. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 8.7 that have a significant impact on users.
8.1. Installer and image creation
The installer no longer installs earlier versions of packages
Previously, the installer did not correctly load the DNF configuration file during the installation process. As a consequence, the installer sometimes installed earlier versions of select packages in the RPM transaction.
This bug has been fixed, and only the latest versions of packages are now installed from the installation repositories. In cases where it is impossible to install the latest versions of the packages, the installation fails as expected.
Anaconda installation is successful even if changing the network configuration in stage2
Previously, when using the
rd.live.ram boot argument, Anaconda did not unmount an NFS mount point that is used in
initramfs to fetch the installation image into memory. As a consequence, the installation process could become unresponsive or fail with a timeout error if the network configuration was changed in stage2.
To fix this problem, the NFS mount point used to fetch the installation image into memory is unmounted in
initramfs before switchroot. As a result, the installation process is completed without any interruption.
Installer asks for the passphrase missing in the Kickstart file for the encrypted devices during the installation
Previously, when running the installer in graphical mode, if the passphrase was not specified in the Kickstart file, the installer would not ask for entering the passphrase for encrypted devices. As a consequence, the partitioning specified in the Kickstart file was not applied during the installation.
This update adds a dialog window that appears during the installation and asks for the missing passphrase. As a result, the installer properly applies the partitioning scheme specified in the Kickstart file.
Images now build successfully for packages in blueprint that contain conditional dependencies
Previously, when using the web console to customize a blueprint with packages that contained conditional dependencies, such as
podman, would cause the build to fail because of the missing dependencies. As a consequence, the conditional dependency was not met during the dep-solve packages. This issue is fixed now, and the builds will no longer fail when dep-solving conditional dependencies.
8.2. Software management
DNF now correctly rolls back a transaction containing an item with the
Reason Change Action type
Previously, running the
dnf history rollback command on a transaction containing an item with the
Reason Change Action type failed. With this update, the issue has been fixed, and
dnf history rollback now works as expected.
8.3. Shells and command-line tools
cmx operation with no parameter no longer crashes the CIM Client
cmx operation calls a method and returns XML, a parameter specifies the name of the called method. Previously, the command line
sblim-wbemcli Common Information Model (CIM) Client crashed when running the
cmx operation without an additional parameter. With this update, the
cmx operation requires the parameter that defines the name of the called method. Invoking the
cmx operation without this parameter results in an error message, and the CIM Client no longer crashes.
cvSaveImage function in the
opencv library no longer terminates the user application
opencv library could not use the
cvSaveImage function correctly. Consequently, the user application was terminated unexpectedly. With this update, the
cvSaveImage function writes the image data on disk and no longer terminates the user application.
ReaR no longer fails to display an error message if it does not update the UUID in
Previously, ReaR did not display an error message during recovery when it failed to update the universally unique identifier (UUID) in
/etc/fstab to match the UUID of the newly created partition in case the UUIDs were different. This could have happened if the rescue image was out of sync with the backup. With this update, an error message occurs during recovery if the restored basic system files do not match the recreated system.
ReaR with the PXE output method no longer fails to store the output files in the rsync
In RHEL 8.5, the handling of the
OUTPUT_URL variable with the
BACKUP=RSYNC options was removed. As a consequence, when using an rsync location for
OUTPUT_URL, ReaR failed to copy the
initrd and kernel files to this location, although it uploaded them to the location specified by
BACKUP_URL. With this update, the behavior from RHEL 8.4 and earlier releases is restored. ReaR creates the required files at the designated
OUTPUT_URL destination using rsync.
ReaR now supports restoring a system using NetBackup version 9
Previously, restoring a system using the NetBackup (NBU) method with NetBackup version 9 or later failed due to missing libraries and other files. With this update, the
NBU_LD_LIBRARY_PATH variable contains the required library paths and the rescue system now incorporates the required files, and ReaR can use the NetBackup method.
ReaR no longer displays a false error message about missing symlink targets
Previously, ReaR displayed incorrect error messages about missing symlink targets for the
source symlinks under
/usr/lib/modules/ when creating the rescue image. This situation was harmless, and you could safely ignore the error message. With this update, ReaR does not report a false error message about missing symlink targets in this situation.
Fallbacks of SR-IOV devices now complete successfully
Previously, Single Root I/O Virtualization (SR-IOV) devices did not fallback after device failover because the
hcnmgr script used an incorrect
active_slave attribute instead of a
primary attribute. With this update, the
hcnmgr script uses the correct attribute and fallbacks for SR-IOV devices complete successfully.
ppc64-diag rebased to version 2.7.8
ppc64-diag package for platform diagnostics has been updated to version 2.7.8. Notable improvements and bug fixes include:
Updated build dependency to use
libvpdutility version 2.2.9 or higher
extract_opal_dumperror message on unsupported platform
Fixed build warning with
lsvpd rebased to version 1.7.14
lsvpd package, which provides commands for constituting a hardware inventory system, has been updated to version 1.7.14. With this update, the
lsvpd utility prevents corruption of the database file when you run the
libvpd rebased to version 2.2.9
libvpd package, which contains classes for accessing the Vital Product Data (VPD), has been updated to version 2.2.9. Notable improvements and bug fixes include:
- Fixed database locking
libtoolutility version information
8.4. Infrastructure services
The printer test page layout in RHEL 8 has changed
Previously, the print test page was not printed if the destination document format was PDF. This update introduces a new test page layout to work with a broader set of printers. Note that the test page does not contain any information regarding the printer or the test page print job.
frr binary files and scripts have a new location
frr package for managing dynamic routing stack contained its binary files and scripts in the
/usr/lib/frr directory, which caused certain issues when applying the new targeted SELinux policy. Consequently, SELinux logged denial messages in access vector cache (AVC) and prevented
frr from starting properly.
With this update,
/usr/libexec/frr is the new location of the
frr binary files and scripts. As a result, SELinux applies rules for binaries and scripts in
/usr/libexec/frr and for other
frr libraries in
/usr/lib64/frr separately, and no longer produces denial messages.
OpenSCAP remediation sets correct permissions for
Previously, when remediating the SCAP rule
/etc/tmux.conf file was created with permissions respecting umask (600). This caused
/etc/tmux.conf to be unreadable by regular users. If a regular user logged in, they received an error message and had to wait for several minutes before a timeout ran out and they were logged in. With this update, the remediation of rule
configure_tmux_lock_after_time sets specific permissions of
/etc/tmux.conf to 644. As a result, regular users no longer encounter the error message or login delay.
SCAP rule for Rsyslog correctly identifies
Previously, rule "Ensure System Log Files Have Correct Permissions" (
xccdf_org.ssgproject.content_rule_rsyslog_files_permissions) did not expand glob expressions in Rsyslog include statements. As a consequence, the rule did not parse all relevant configuration files, and some log files did not have their permissions checked. With this update, the rule correctly expands the glob expressions to identify the
.conf files it needs to parse. As a result, the rule now correctly processes the required
.conf files to ensure that all configured log files have the correct permissions.
chronyd do not require explicit
chrony user configuration
chronyd under the
chrony user by default. Previously, the check and remediation for the
chronyd service configuration user were stricter than necessary. The overly strict check led to false positives and to excessive remediations. In this version, the check and remediations of the rule
xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user are updated, for both the minimalistic correct configuration and legacy explicit correct configurations pass. As a result, the rule respects the default RHEL behavior and does not require explicit
chrony user configuration.
Warning added to
The SCAP rule
xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost ensures that the Rsyslog daemon is configured to send log messages to a remote log host. However, the rule does not configure TCP queues. As a consequence, the system hangs if TCP queues are not configured, and the remote log host becomes unavailable. This update adds a warning message that explains how to configure TCP queues. If you encounter system hangs while using this rule, read the warning and configure the system properly.
sudo_custom_logfile works for custom
sudo log files
Previously, remediation of the SCAP Security Guide rule
xccdf_org.ssgproject.content_sudo_custom_logfile did not work for custom
sudo log files with a different path than
/var/log/sudo.log. With this update, the rule is fixed so that it can properly remediate if the system has a custom
sudo log file that does not match the expected path.
firewalld_sshd_port_enabled now works correctly
Previously, Bash remediation of the SCAP rule
xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled incorrectly handled lists of network interfaces. Additionally, configuration files had different names than required. This update has fixed the remediation. As a result, the remediation handles all network interfaces correctly, and configuration files have predictable names.
fagenrules --load now works correctly
fapolicyd service did not correctly handle the signal hang up (SIGHUP). Consequently,
fapolicyd terminated after receiving the SIGHUP signal, and the
fagenrules --load command did not work properly. This update contains a fix for the problem. As a result,
fagenrules --load now works correctly, and rule updates no longer require manual restarts of
NetworkManager utility enforces correct ordering of IPv6 addresses from various sources
In general, the ordering of IPv6 addresses affects the priority for source address selection. For example, when you make an outgoing TCP connection. Previously, the relative priority of IPv6 addresses added through the
autoconf6 methods, was not correct. With this update, the problem has been fixed and the ordering priority now reflects this logic:
autoconf6. However, the order of addresses under the
ipv6.addresses setting did not change and the address added last still has the highest priority.
Asymmetric routing now works correctly
The previous minor version of RHEL 8 contained a change that caused connection tracking to fail in some cases. Consequently, asymmetric routing was not working correctly. This release reverts the change that was introduced in RHEL 8.6. As a result, the asymmetric routing works correctly.
A new ability to deprecate CgroupV1 memory.swappiness allowing for consistent swap behavior
CgroupV1 includes the
memory.swappiness per-cgroup swappiness value that controls the swap behavior of the given cgroup.
systemd processes run within
cgroups and the
sysctl swappiness value has minimal effect on
swap heuristics. Such cgroups ignore the values in
tuned configurations and processes running on the system are assigned a default swappiness value of
60. As a consequence, in cases with high memory pressure and page reclamation, earlier or more aggressive swapping can occur compared to the assigned swappiness value.
This update introduces a new
/proc/sys/vm/force_cgroupv2_swappiness, with a default value of
0. When set to
memory.swappiness value becomes deprecated and all per-cgroups swappiness values mirror the system-wide swappiness value in the
/proc/sys/vm/swappiness file. As a result, the memory swapping behavior of cgroups is more consistent.
Anaconda no longer fails after entering a passphrase for encrypted devices
kdump was disabled when preparing an installation, and the user selected encrypted disk partitioning, the Anaconda installer failed with a traceback after entering a passphrase for the encrypted device.
This update fixes the problem, and users no longer need to enable
kdump to create encrypted disk partitioning.
8.8. Boot loader
grubby now passes arguments to future kernels
When installing a newer version of the kernel, the
grubby tool did not pass the kernel command-line arguments from the previous kernel version. As a consequence, the GRUB boot loader ignored user settings. With this fix, the user settings now persist after installing the new kernel version.
8.9. High availability and clusters
pcs now recognizes the
mode option when creating a new Booth ticket
Previously, when a user specified a
mode option when adding a new Booth ticket,
pcs reported the error
invalid booth ticket option 'mode'. With this fix, you can now specify the
mode option when creating a Booth ticket.
pcs now validates the value of
Previously, it was possible to set the
stonith-watchdog-timeout property to a value that is incompatible with SBD configuration. This could result in a fence loop, or could cause the cluster to consider a fencing action to be successful even if the action is not finished. With this fix,
pcs validates the value of
stonith-watchdog-property when you set it, to prevent incorrect configuration.
8.10. Dynamic programming languages, web and database servers
MariaDB 10.5 now warns about dropping a non-existent table when the
OQGraph plug-in is enabled
Previously, when the
OQGraph storage engine plug-in was loaded to the
MariaDB 10.5 server,
MariaDB did not warn about dropping a non-existent table. In particular, when the user attempted to drop a non-existent table using the
DROP TABLE or
DROP TABLE IF EXISTS SQL commands,
MariaDB neither returned an error message nor logged a warning. This bug has been fixed, and a warning is now shown in the described scenario.
8.11. Compilers and development tools
Applications no longer deadlock when invoking
dclose from fork handler callbacks
Previously, applications invoked
pthread_atfork handler callbacks while
glibc had acquired an internal lock. As a result, registering fork handlers or calling
dclose from a fork handler could deadlock applications.
A different synchronization mechanism is now used to protect internal data structures while fork handlers are running. As a result, applications no longer deadlock when invoking
dclose from fork handler callbacks.
Wildcard functions in Makefiles no longer return symbolic links when only directories are expected
GLOB_ONLYDIR hint used by
glob() misreported symbolic links as directories on certain XFS filesystems. When using
make did not confirm that the hints were actually directories and, as a result, wildcard functions in Makefiles returned symbolic links when only directories were expected.
The bug has been fixed and wildcard functions in Makefiles no longer return symbolic links when only directories are expected.
popen() no longer causes multithreaded processes to crash
Previously, a defect in
popen() caused applications to crash when using the interface from a multithreaded process. With this update, the bug has been fixed and multithreaded processes no longer crash when using
The mapping for the
0xBC code point for some IBM character sets is now
IBM424 character sets encoded the
EBCDIC code point
0xBC as the Unicode character
U+203E OVERLINE. As a result, when using the
iconv program provided by
glibc, converting text in those character sets containing the
0xBC code point failed for non-Unicode character sets such as
ISO-8859-1 because they could not encode the
U+203E OVERLINE character.
With this update, the bug has been fixed. As a result, input in the
IBM297 character sets can be converted to
ISO-8859-1 in all cases. For the
IBM424 character sets, conversion no longer fails if the input text contains the 0xBC code point and the respective output is
tempnam function now uses
getrandom to increase the randomness of generated file names
tempnam function in Red Hat Enterprise Linux 8.4 and later used time-derived randomness for choosing paths. As a result, the
tempnam function was not producing the full set of possible file names when invoked repeatedly in quick succession. This bug has been fixed by a new implementation that uses the
getrandom function to increase the randomness of the generated file names. As a result, the
tempnam function now generates more distinct file names.
POWER9-optimized strncpy function no longer gives incorrect results
Previously, the POWER9 strncpy function did not use the correct register as the source of the NUL bytes for padding. Consequently, the output buffer contained uninitialized register content instead of the NUL padding. With this update, the strncpy function has been fixed, and the end of the output buffer is now correctly padded with NUL bytes.
en_US@ampm locale is now listed correctly by
Previously, there was a defect in the listing of
en_US@ampm in the output of the
locale -a command. Consequently, the
setlocale API failed when trying to set this locale using its name/alias printed by
locale -a. With this update,
en_US@ampm is now listed correctly and calls to
setlocale succeed for all locales printed by
Unit masks for events are now all included in the
Previously, the testing of event unit mask information in
papi_xml_event_info was incomplete. In some cases, unit masks for events were not included in the
papi_xml_event_info output. This bug has been fixed and as a result,
papi_xml_event_command now prints out all the unit masks for an event.
8.12. Identity Management
Debug messages no longer logged to /var/log/messages by default
ipa-ods-exporter daemons logged all debug messages to
/var/log/messages by default, resulting in log files growing substantially. If required, you can now configure the debug log level by setting
debug=True in the
/etc/ipa/dns.conf file. For more information refer to the
default.conf(5) man page.
Preserving users accounts
Previously, if you ran the
ipa user-del --preserve user_login command to preserve a user account, the output incorrectly returned the message
Deleted user “user_login”. This message incorrectly indicates that the user was deleted and not preserved as expected. With this update, the output now returns
Preserved user “user_login”.
Transferring Kerberos databases greater than 4 GB
kprop service and the
kpropd command used a 32 bit value when storing the size of the Kerberos KDC database. As a result the transfer of the Kerberos database dump file from the primary Kerberos server to a replica server failed if the database size exceeded 4 GB.
This update modifies Kerberos and it can now transfer KDC databases greater than 4 GB.
The Airplane Mode switch is always displayed
Previously, the Airplane Mode switch in the Wi-Fi section of the Settings application disappeared after you enabled airplane mode. With this update, the problem has been fixed, and Settings always display the Airplane Mode switch, regardless of its state.
8.14. Graphics infrastructures
Hotkeys in Motif applications activate the correct item
Previously, menu hotkeys activated the wrong menu item in applications using the Motif toolkit. When a submenu was open and you pressed a hotkey associated with its item, the application activated an item in the parent menu instead.
With this update, the problem has been fixed, and hotkeys now activate the correct submenu items.
The desktop no longer fails to start with disabled IPv6 and DisallowTCP=false
Previously, the X11 desktop session failed to start after login under the following circumstances:
- IPv6 networking was disabled on your system.
DisallowTCP=falseoption was enabled in GDM configuration.
With this update, the problem has been fixed, and you can log into the X11 session as expected with the described configuration.
8.15. The web console
Removing USB host devices using the web console now works as expected
Previously, when you attached a USB device to a virtual machine (VM), the device number and bus number of the USB device changed after they were passed to the VM. As a consequence, using the web console to remove such devices failed due to the incorrect correlation of the device and bus numbers. With this update, the issue has been fixed and you can remove the USB host devices using the web console.
Attaching multiple host devices using the web console now works as expected
Previously, when you selected multiple devices to attach to a virtual machine (VM) using the web console, only a single device was attached and the rest were ignored. With this update, the issue has been fixed and you can now simultaneously attach multiple host devices using the web console.
8.16. Red Hat Enterprise Linux System Roles
Fixed a typo to support
active-backup for the correct bonding mode
Previously, there was a typo,
active_backup, in supporting the InfiniBand port while specifying
active-backup bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing bonding mode to
active-backup. The connection now successfully supports the InfiniBand bonding port.
IPRouteUtils.get_route_tables_mapping() function now accepts any whitespace sequence
Previously, a parser for the
iproute2 routing table database, such as
/etc/iproute2/rt_tables, asserted that entries in the file were of the form
254 main and only a single space character separated the numeric id and the name. Consequently, the parser failed to cache all the mappings between the route table name and table id.Therefore the user could not add a static route into the route table by defining the route table name. With this update, the parser accepts any whitespace sequence in between the table ID and table name. As a result, as the parser caches all the mapping between the route table name and table ID, users can add a static route into the route table by defining the route table name.
Configuration by the
metrics RHEL System Role follows symbolic links correctly
mssql pcp package is installed, the
mssql.conf file is located in
/etc/pcp/mssql/ and is targeted by the symbolic link
/var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the
metrics role overwrote the symbolic link instead of following it and configuring
mssql.conf. Consequently, running the
metrics role changed the symbolic link to a regular file and the configuration therefore only affected the
/var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed symbolic link, and the main configuration file
/etc/pcp/mssql/mssql.conf was not affected by the configuration. The problem is now fixed and the
follow: yes option to follow the symbolic link has been added to the
metrics role. As a result, the
metrics role preserves the symbolic links and correctly configures the main configuration file.
tlog RHEL System Roles is now correctly overlaid by SSSD
tlog RHEL System Role relied on the System Security Services Daemon (SSSD) files provider and on enabled
with-files-domain to set up correct
passwd entries in the
nsswitch.conf file. In RHEL 9.0, SSSD did not implicitly enable the files provider by default, and consequently the
tlog-rec-session shell overlay by SSSD did not work. With this fix, the
tlog role now updates the
nsswitch.conf to ensure
tlog-rec-session is correctly overlaid by SSSD.
mount_options parameter for volumes is now valid for a volume
Previously, the parameter was accidentally removed from the list of valid parameters for a volume. Consequently, users were unable to set the
mount_options parameter for volumes. With this bug fix, the
mount_options parameter has been added back to the list of valid parameters and the code has been refactored to catch the errors. As a result, the
storage RHEL system role can set the
mount_options parameter for volumes.
metrics RHEL System Role README and documentation now clearly specifies supported Redis and Grafana versions on specific versions of RHEL by the role
Previously, when trying to use the
metrics role with unsupported versions of Redis and Grafana on unsupported platforms, the role failed. This update clarifies the documentation about which versions of Redis and Grafana are supported on which versions of RHEL by the role. As a result, you can avoid trying to use unsupported versions of Redis and Grafana on unsupported platforms.
kernel_settings RHEL System Role now correctly installs
kernel_settings role returned an error that the
python3-configobj package could not be found. The role failed to find the package because it did not install
python3-configobj on managed hosts. With this update, the role now installs
python3-configobj on managed hosts and works correctly.
storage RHEL System Role now correctly supports
raid0 levels for LVM volumes
storage RHEL System Role previously incorrectly reported RAID levels
raid0 as not supported for LVM volumes. This is now fixed and the role can now correctly create LVM volumes of all RAID levels supported by LVM:
metrics RHEL System Role automatically restarts
pmlogger services after an update to their configuration
pmlogger services did not restart after their configuration was changed and waited for handler execution. This caused errors with other
metrics services, which required
pmlogger configuration to match their runtime behavior. With this update, the role restarts
pmlogger immediately after a configuration update, their configuration matches runtime behavior of dependent metrics services, and they work correctly.
forward_port parameter now accepts both the
Previously, in the
firewall RHEL System role, the
forward_port parameter only accepted the
string option. However, the role documentation claimed that both
dict options were supported. Consequently, the users reading and following the documentation were getting an error. This bug has been fixed by making
forward_port accept both options. As a result, the users can safely follow the documentation to configure port forwarding.
nbde_client System Role now uses proper spacing when specifying extra Dracut command line-parameters
The Dracut framework requires proper spacing when specifying additional parameters, such as kernel command-line parameters. If the parameters are not specified with proper spacing, Dracut might not append the specified extra parameters to the kernel command line. With this update, the
nbde_client System Role uses proper spacing when creating add-on Dracut configuration files. As a result, the role correctly sets Dracut command-line parameters.
Minimal RSA key bit length option in the
sshd RHEL System Roles
Accidentally using short RSA keys might make the system more vulnerable to attacks. With this update, you can set RSA key minimal bit lengths for OpenSSH clients and servers by using the
RSAMinSize option in the
sshd RHEL System Roles.
The NBDE Client System Role supports static IP addresses
In previous versions of RHEL, restarting a system with a static IP address and configured with the Network Bound Disk Encryption (NBDE) Client System Role would change the system’s IP address. With this change, systems with static IP addresses are supported by the NBDE Client System Role, and their IP addresses do not change after a reboot.
Note that by default, the NBDE role uses DHCP when booting, and switches to the configured static IP when the system is booted.
Live pre-copy migration of VMs with failover VFs now works correctly
Previously, attempting to pre-copy migrate a running virtual machine (VM) failed if the VM used a device with the virtual function (VF) failover capability enabled. This update fixes the problem, and migrating VMs in the described scenario now works correctly.
8.18. RHEL in cloud environments
An instance now retains the primary IP address even after starting the nm-cloud-setup service in Alibaba Cloud
Previously, after launching an instance in the Alibaba Cloud, the nm-cloud-setup service configured the incorrect IP address as the primary IP address in case of multiple IPv4 addresses. Consequently, this affected the selection of the IPv4 source address for outgoing connections. With this update, after configuring secondary IP addresses manually, the NetworkManager package fetches the primary IP address from primary-ip-address metadata and configures both primary and secondary IP addresses correctly.
SR-IOV no longer performs suboptimally in ARM 64 RHEL 8 virtual machines on Azure
Previously, SR-IOV networking devices had significantly lower throughout and higher latency than expected in ARM 64 RHEL 8 virtual machines (VMs) running on a Microsoft Azure platform. The problem has been fixed, and the affected VMs now perform as expected.
Starting a RHEL 8 virtual machine on AWS using
cloud-init no longer takes longer than expected
Previously, initializing an EC2 instance of RHEL 8 using the
cloud-init service on Amazon Web Services (AWS) took an excessive amount of time. The Amazon Machine Images (AMIs) of RHEL 8 have been updated to include a fix for the problem, and intializing EC2 instances of RHEL 8 now works correctly.
However, you might still encounter slow intialization when customizing and uploading your own RHEL 8 image. To avoid this problem, remove the
/etc/resolv.conf file from the image you are using for VM creation before uploading the image to AWS.
DNF and YUM no longer fail because of non-matching repository IDs
Previously, DNF and YUM repository IDs did not match the format that DNF or YUM expected. For example, if you ran the following example, the error occurred:
# podman run -ti ubi8-ubi # dnf debuginfo-install dnsmasq ... This system is not registered with an entitlement server. You can use subscription-manager to register.
With this update, the problem has been fixed. Suffix
--debug-rpms was added to all debug repository names (for example
ubi-8-appstream-debug-rpms), and also the suffix
-rpms was added to all UBI repository names (for example
For more information, see Universal Base Images (UBI): Images, repositories, packages, and source code.
Container images signed with a Beta GPG key can now be pulled
Previously, when you pulled RHEL Beta container images, Podman failed with the error message:
Error: Source image rejected: None of the signatures were accepted. The images failed to be pulled due to current builds being configured to not trust the RHEL Beta GPG keys by default. With this update, the
/etc/containers/policy.json file supports a new
keyPaths field which accepts a list of files containing the trusted keys. Because of this, the container images signed with GA and Beta GPG keys are now accepted in the default configuration.