Chapter 8. Bug fixes

This part describes bugs fixed in Red Hat Enterprise Linux 8.7 that have a significant impact on users.

8.1. Installer and image creation

The installer no longer installs earlier versions of packages

Previously, the installer did not correctly load the DNF configuration file during the installation process. As a consequence, the installer sometimes installed earlier versions of select packages in the RPM transaction.

This bug has been fixed, and only the latest versions of packages are now installed from the installation repositories. In cases where it is impossible to install the latest versions of the packages, the installation fails as expected.

(BZ#1899494)

Anaconda installation is successful even if changing the network configuration in stage2

Previously, when using the rd.live.ram boot argument, Anaconda did not unmount an NFS mount point that is used in initramfs to fetch the installation image into memory. As a consequence, the installation process could become unresponsive or fail with a timeout error if the network configuration was changed in stage2.

To fix this problem, the NFS mount point used to fetch the installation image into memory is unmounted in initramfs before switchroot. As a result, the installation process is completed without any interruption.

(BZ#1970726)

Installer asks for the passphrase missing in the Kickstart file for the encrypted devices during the installation

Previously, when running the installer in graphical mode, if the passphrase was not specified in the Kickstart file, the installer would not ask for entering the passphrase for encrypted devices. As a consequence, the partitioning specified in the Kickstart file was not applied during the installation.

This update adds a dialog window that appears during the installation and asks for the missing passphrase. As a result, the installer properly applies the partitioning scheme specified in the Kickstart file.

(BZ#2029101)

Images now build successfully for packages in blueprint that contain conditional dependencies

Previously, when using the web console to customize a blueprint with packages that contained conditional dependencies, such as ipa-client, cockpit, and podman, the build failed because of the missing dependencies. The conditional dependency was not met when dep-solving the packages. This issue is now fixed, and builds no longer fail when dep-solving conditional dependencies.

(BZ#2065734)

8.2. Software management

DNF now correctly rolls back a transaction containing an item with the Reason Change Action type

Previously, running the dnf history rollback command on a transaction containing an item with the Reason Change Action type failed. With this update, the issue has been fixed, and dnf history rollback now works as expected.

(BZ#2060815)

8.3. Shells and command-line tools

The cmx operation with no parameter no longer crashes the CIM Client

The cmx operation calls a method and returns XML; a parameter specifies the name of the called method. Previously, the sblim-wbemcli command-line Common Information Model (CIM) Client crashed when running the cmx operation without an additional parameter. With this update, the cmx operation requires the parameter that defines the name of the called method. Invoking the cmx operation without this parameter results in an error message, and the CIM Client no longer crashes.

(BZ#2075807)

The cvSaveImage function in the opencv library no longer terminates the user application

Previously, the opencv library could not use the cvSaveImage function correctly. Consequently, the user application was terminated unexpectedly. With this update, the cvSaveImage function writes the image data on disk and no longer terminates the user application.

(BZ#2104776)

ReaR no longer fails to display an error message if it does not update the UUID in /etc/fstab

Previously, ReaR did not display an error message during recovery when it failed to update the universally unique identifier (UUID) in /etc/fstab to match the UUID of the newly created partition in case the UUIDs were different. This could have happened if the rescue image was out of sync with the backup. With this update, an error message occurs during recovery if the restored basic system files do not match the recreated system.

(BZ#2072978)

ReaR with the PXE output method no longer fails to store the output files in the rsync OUTPUT_URL location

In RHEL 8.5, the handling of the OUTPUT_URL variable with the OUTPUT=PXE and BACKUP=RSYNC options was removed. As a consequence, when using an rsync location for OUTPUT_URL, ReaR failed to copy the initrd and kernel files to this location, although it uploaded them to the location specified by BACKUP_URL. With this update, the behavior from RHEL 8.4 and earlier releases is restored. ReaR creates the required files at the designated OUTPUT_URL destination using rsync.

(BZ#2115918)

ReaR now supports restoring a system using NetBackup version 9

Previously, restoring a system using the NetBackup (NBU) method with NetBackup version 9 or later failed due to missing libraries and other files. With this update, the NBU_LD_LIBRARY_PATH variable contains the required library paths and the rescue system now incorporates the required files, and ReaR can use the NetBackup method.

(BZ#2077404)

ReaR no longer displays a false error message about missing symlink targets

Previously, ReaR displayed incorrect error messages about missing symlink targets for the build and source symlinks under /usr/lib/modules/ when creating the rescue image. This situation was harmless, and you could safely ignore the error message. With this update, ReaR does not report a false error message about missing symlink targets in this situation.

(BZ#2021935)

Fallbacks of SR-IOV devices now complete successfully

Previously, Single Root I/O Virtualization (SR-IOV) devices did not fall back after device failover because the hcnmgr script used an incorrect active_slave attribute instead of a primary attribute. With this update, the hcnmgr script uses the correct attribute and fallbacks for SR-IOV devices complete successfully.

(BZ#2078514)

ppc64-diag rebased to version 2.7.8

The ppc64-diag package for platform diagnostics has been updated to version 2.7.8. Notable improvements and bug fixes include:

  • Updated build dependency to use libvpd utility version 2.2.9 or higher
  • Fixed extract_opal_dump error message on unsupported platform
  • Fixed build warning with GCC-8.5 and GCC-11 compilers

(BZ#2051313)

lsvpd rebased to version 1.7.14

The lsvpd package, which provides commands for constituting a hardware inventory system, has been updated to version 1.7.14. With this update, the lsvpd utility prevents corruption of the database file when you run the vpdupdate command.

(BZ#2051316)

libvpd rebased to version 2.2.9

The libvpd package, which contains classes for accessing the Vital Product Data (VPD), has been updated to version 2.2.9. Notable improvements and bug fixes include:

  • Fixed database locking
  • Updated libtool utility version information

(BZ#2051319)

8.4. Infrastructure services

The printer test page layout in RHEL 8 has changed

Previously, the print test page was not printed if the destination document format was PDF. This update introduces a new test page layout to work with a broader set of printers. Note that the test page does not contain any information regarding the printer or the test page print job.

(BZ#2064606)

The frr binary files and scripts have a new location

Previously, the frr package for managing the dynamic routing stack contained its binary files and scripts in the /usr/lib/frr directory, which caused certain issues when applying the new targeted SELinux policy. Consequently, SELinux logged denial messages in the access vector cache (AVC) and prevented frr from starting properly.

With this update, /usr/libexec/frr is the new location of the frr binary files and scripts. As a result, SELinux applies rules for binaries and scripts in /usr/libexec/frr and for other frr libraries in /usr/lib64/frr separately, and no longer produces denial messages.

(BZ#1714984, BZ#1941765)

8.5. Security

OpenSCAP remediation sets correct permissions for /etc/tmux.conf

Previously, when remediating the SCAP rule configure_tmux_lock_after_time, the /etc/tmux.conf file was created with permissions respecting umask (600). This caused /etc/tmux.conf to be unreadable by regular users. If a regular user logged in, they received an error message and had to wait for several minutes before a timeout ran out and they were logged in. With this update, the remediation of rule configure_tmux_lock_after_time sets specific permissions of /etc/tmux.conf to 644. As a result, regular users no longer encounter the error message or login delay.

(BZ#2064696)

SCAP rule for Rsyslog correctly identifies .conf files

Previously, rule "Ensure System Log Files Have Correct Permissions" (xccdf_org.ssgproject.content_rule_rsyslog_files_permissions) did not expand glob expressions in Rsyslog include statements. As a consequence, the rule did not parse all relevant configuration files, and some log files did not have their permissions checked. With this update, the rule correctly expands the glob expressions to identify the .conf files it needs to parse. As a result, the rule now correctly processes the required .conf files to ensure that all configured log files have the correct permissions.

(BZ#2075384)
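
The effect of expanding include globs on such a permission check, shown as an added Python example (not the SCAP Security Guide's own check). The directory layout, file names and the max_mode threshold of 0640 are constructed assumptions, and only the $IncludeConfig and include(file="...") forms are handled.

```python
import glob
import os
import re
import stat

# Legacy and RainerScript include statements; the target may be a glob.
INCLUDE_RE = re.compile(r'^\s*(?:\$IncludeConfig\s+(\S+)|include\(\s*file="([^"]+)")')
# "selector  [-]/path/to/logfile" rules; directives ($...) and comments are skipped.
RULE_RE = re.compile(r'^\s*[^\s#$]\S*\s+-?(/\S+)')


def build_sample_tree(root):
    """Create a constructed rsyslog layout under root; return the main config path."""
    conf_d = os.path.join(root, "rsyslog.d")
    log_d = os.path.join(root, "log")
    os.makedirs(conf_d)
    os.makedirs(log_d)
    for name, mode in {"messages": 0o600, "app.log": 0o644, "audit-fwd.log": 0o600}.items():
        path = os.path.join(log_d, name)
        open(path, "w").close()
        os.chmod(path, mode)
    main = os.path.join(root, "rsyslog.conf")
    with open(main, "w") as fh:
        fh.write(f"$IncludeConfig {conf_d}/*.conf\n")
        fh.write(f"*.info;mail.none {log_d}/messages\n")
    with open(os.path.join(conf_d, "10-app.conf"), "w") as fh:
        fh.write(f"local3.* -{log_d}/app.log\n")
    with open(os.path.join(conf_d, "20-fwd.conf"), "w") as fh:
        fh.write(f"local4.* {log_d}/audit-fwd.log\n")
    with open(os.path.join(conf_d, "notes.txt"), "w") as fh:  # not matched by *.conf
        fh.write(f"local5.* {log_d}/ignored.log\n")
    return main


def config_files(main_conf, expand_globs=True):
    """Return the main config plus every file reachable through include statements.

    With expand_globs=False the include target is taken literally, which is
    the behaviour described as the bug: '/dir/*.conf' names no real file.
    """
    seen, queue = [], [main_conf]
    while queue:
        path = queue.pop(0)
        if path in seen or not os.path.isfile(path):
            continue
        seen.append(path)
        with open(path) as fh:
            for line in fh:
                match = INCLUDE_RE.match(line)
                if match:
                    target = match.group(1) or match.group(2)
                    queue.extend(sorted(glob.glob(target)) if expand_globs else [target])
    return seen


def log_files(conf_paths):
    """Collect the log file paths written by rules in the given config files."""
    found = []
    for path in conf_paths:
        with open(path) as fh:
            for line in fh:
                match = RULE_RE.match(line)
                if match and match.group(1) not in found:
                    found.append(match.group(1))
    return found


def too_permissive(paths, max_mode=0o640):
    """Return (path, mode) for files with permission bits outside max_mode (assumed limit)."""
    flagged = []
    for path in paths:
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            continue
        if mode & ~max_mode:
            flagged.append((path, oct(mode)))
    return flagged


def audit(main_conf, expand_globs=True):
    return too_permissive(log_files(config_files(main_conf, expand_globs)))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        main = build_sample_tree(root)
        print("without glob expansion:", audit(main, expand_globs=False))
        print("with glob expansion:   ", audit(main))
```

Without glob expansion the world-readable app.log configured in the drop-in file is never examined, so the check passes while a log file has the wrong permissions.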

Rules for chronyd do not require explicit chrony user configuration

RHEL runs chronyd under the chrony user by default. Previously, the check and remediation for the chronyd service configuration user were stricter than necessary. The overly strict check led to false positives and to excessive remediations. In this version, the check and remediations of the rule xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user are updated so that both the minimalistic correct configuration and legacy explicit correct configurations pass. As a result, the rule respects the default RHEL behavior and does not require explicit chrony user configuration.

(BZ#2077531)

Warning added to rsyslog_remote_loghost

The SCAP rule xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost ensures that the Rsyslog daemon is configured to send log messages to a remote log host. However, the rule does not configure TCP queues. As a consequence, the system hangs if TCP queues are not configured and the remote log host becomes unavailable. This update adds a warning message that explains how to configure TCP queues. If you encounter system hangs while using this rule, read the warning and configure the system properly.

(BZ#2078974)

Remediation of sudo_custom_logfile works for custom sudo log files

Previously, remediation of the SCAP Security Guide rule xccdf_org.ssgproject.content_sudo_custom_logfile did not work for custom sudo log files with a different path than /var/log/sudo.log. With this update, the rule is fixed so that it can properly remediate if the system has a custom sudo log file that does not match the expected path.

(BZ#2083109)

Remediation of firewalld_sshd_port_enabled now works correctly

Previously, Bash remediation of the SCAP rule xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled incorrectly handled lists of network interfaces. Additionally, configuration files had different names than required. This update has fixed the remediation. As a result, the remediation handles all network interfaces correctly, and configuration files have predictable names.

(BZ#2109602)

fagenrules --load now works correctly

Previously, the fapolicyd service did not correctly handle the hang up signal (SIGHUP). Consequently, fapolicyd terminated after receiving the SIGHUP signal, and the fagenrules --load command did not work properly. This update contains a fix for the problem. As a result, fagenrules --load now works correctly, and rule updates no longer require manual restarts of fapolicyd.

(BZ#2070639)

8.6. Networking

The NetworkManager utility enforces correct ordering of IPv6 addresses from various sources

In general, the ordering of IPv6 addresses affects the priority for source address selection, for example, when you make an outgoing TCP connection. Previously, the relative priority of IPv6 addresses added through the manual, dhcpv6, and autoconf6 methods was not correct. With this update, the problem has been fixed and the ordering priority now reflects this logic: manual > dhcpv6 > autoconf6. However, the order of addresses under the ipv6.addresses setting did not change and the address added last still has the highest priority.

(BZ#2097270)

Asymmetric routing now works correctly

The previous minor version of RHEL 8 contained a change that caused connection tracking to fail in some cases. Consequently, asymmetric routing was not working correctly. This release reverts the change that was introduced in RHEL 8.6. As a result, the asymmetric routing works correctly.

(BZ#2062870)

8.7. Kernel

A new ability to deprecate CgroupV1 memory.swappiness allowing for consistent swap behavior

CgroupV1 includes the memory.swappiness per-cgroup swappiness value that controls the swap behavior of the given cgroup.

However, systemd processes run within cgroups and the sysctl swappiness value has minimal effect on swap heuristics. Such cgroups ignore the values in sysctl or tuned configurations and processes running on the system are assigned a default swappiness value of 60. As a consequence, in cases with high memory pressure and page reclamation, earlier or more aggressive swapping can occur compared to the assigned swappiness value.

This update introduces a new sysctl variable, /proc/sys/vm/force_cgroupv2_swappiness, with a default value of 0. When set to 1, the memory.swappiness value becomes deprecated and all per-cgroups swappiness values mirror the system-wide swappiness value in the /proc/sys/vm/swappiness file. As a result, the memory swapping behavior of cgroups is more consistent.

(BZ#2084242)

Anaconda no longer fails after entering a passphrase for encrypted devices

Previously, if kdump was disabled when preparing an installation, and the user selected encrypted disk partitioning, the Anaconda installer failed with a traceback after entering a passphrase for the encrypted device.

This update fixes the problem, and users no longer need to enable kdump to create encrypted disk partitioning.

(BZ#2086100)

The net_prio or net_cls controllers in v1 mode now work correctly

Previously, in cgroup-v2 environments, using either net_prio or net_cls controllers in v1 mode disabled the hierarchical tracking of socket data. As a consequence, the cgroup-v2 hierarchy for socket data tracking controllers was not active, and the dmesg command reported the following message:

cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation

This update ensures cgroup-v2 is correctly active after the reboot.

(BZ#2046396)

8.8. Boot loader

grubby now passes arguments to future kernels

When installing a newer version of the kernel, the grubby tool did not pass the kernel command-line arguments from the previous kernel version. As a consequence, the GRUB boot loader ignored user settings. With this fix, the user settings now persist after installing the new kernel version.

(BZ#1978226)

8.9. High availability and clusters

pcs now recognizes the mode option when creating a new Booth ticket

Previously, when a user specified a mode option when adding a new Booth ticket, pcs reported the error invalid booth ticket option 'mode'. With this fix, you can now specify the mode option when creating a Booth ticket.

(BZ#1786964)

pcs now validates the value of stonith-watchdog-timeout

Previously, it was possible to set the stonith-watchdog-timeout property to a value that is incompatible with SBD configuration. This could result in a fence loop, or could cause the cluster to consider a fencing action to be successful even if the action is not finished. With this fix, pcs validates the value of stonith-watchdog-timeout when you set it, to prevent incorrect configuration.

(BZ#1954099)

8.10. Dynamic programming languages, web and database servers

MariaDB 10.5 now warns about dropping a non-existent table when the OQGraph plug-in is enabled

Previously, when the OQGraph storage engine plug-in was loaded to the MariaDB 10.5 server, MariaDB did not warn about dropping a non-existent table. In particular, when the user attempted to drop a non-existent table using the DROP TABLE or DROP TABLE IF EXISTS SQL commands, MariaDB neither returned an error message nor logged a warning. This bug has been fixed, and a warning is now shown in the described scenario.

(BZ#1944653)

8.11. Compilers and development tools

Applications no longer deadlock when invoking pthread_atfork or dlclose from fork handler callbacks

Previously, applications invoked pthread_atfork handler callbacks while glibc had acquired an internal lock. As a result, registering fork handlers or calling dlclose from a fork handler could deadlock applications.

A different synchronization mechanism is now used to protect internal data structures while fork handlers are running. As a result, applications no longer deadlock when invoking pthread_atfork or dlclose from fork handler callbacks.

(BZ#1888660)

Wildcard functions in Makefiles no longer return symbolic links when only directories are expected

Previously, the GLOB_ONLYDIR hint used by glob() misreported symbolic links as directories on certain XFS filesystems. When using glob(), make did not confirm that the hints were actually directories and, as a result, wildcard functions in Makefiles returned symbolic links when only directories were expected.

The bug has been fixed and wildcard functions in Makefiles no longer return symbolic links when only directories are expected.

(BZ#1982608)

popen() no longer causes multithreaded processes to crash

Previously, a defect in popen() caused applications to crash when using the interface from a multithreaded process. With this update, the bug has been fixed and multithreaded processes no longer crash when using popen().

(BZ#2065588)

The mapping for the 0xBC code point for some IBM character sets is now U+00AF MACRON

Previously, the IBM256, IBM277, IBM278, IBM280, IBM284, IBM297, and IBM424 character sets encoded the EBCDIC code point 0xBC as the Unicode character U+203E OVERLINE. As a result, when using the iconv program provided by glibc, converting text in those character sets containing the 0xBC code point failed for non-Unicode character sets such as ISO-8859-1 because they could not encode the U+203E OVERLINE character.

With this update, the bug has been fixed. As a result, input in the IBM277, IBM278, IBM280, IBM284, and IBM297 character sets can be converted to ISO-8859-1 in all cases. For the IBM256 and IBM424 character sets, conversion no longer fails if the input text contains the 0xBC code point and the respective output is U+00AF MACRON.

(BZ#1961109)

The tempnam function now uses getrandom to increase the randomness of generated file names

Previously, the tempnam function in Red Hat Enterprise Linux 8.4 and later used time-derived randomness for choosing paths. As a result, the tempnam function was not producing the full set of possible file names when invoked repeatedly in quick succession. This bug has been fixed by a new implementation that uses the getrandom function to increase the randomness of the generated file names. As a result, the tempnam function now generates more distinct file names.

(BZ#2089247)

POWER9-optimized strncpy function no longer gives incorrect results

Previously, the POWER9 strncpy function did not use the correct register as the source of the NUL bytes for padding. Consequently, the output buffer contained uninitialized register content instead of the NUL padding. With this update, the strncpy function has been fixed, and the end of the output buffer is now correctly padded with NUL bytes.

(BZ#2091553)

The en_US@ampm locale is now listed correctly by locale -a

Previously, there was a defect in the listing of en_US@ampm in the output of the locale -a command. Consequently, the setlocale API failed when trying to set this locale using its name/alias printed by locale -a. With this update, en_US@ampm is now listed correctly and calls to setlocale succeed for all locales printed by locale -a.

(BZ#2104907)

Unit masks for events are now all included in the papi_xml_event_info output

Previously, the testing of event unit mask information in papi_xml_event_info was incomplete. In some cases, unit masks for events were not included in the papi_xml_event_info output. This bug has been fixed and as a result, papi_xml_event_info now prints out all the unit masks for an event.

(BZ#2037426)

8.12. Identity Management

Debug messages no longer logged to /var/log/messages by default

Previously, the ipa-dnskeysyncd and ipa-ods-exporter daemons logged all debug messages to /var/log/messages by default, resulting in log files growing substantially. If required, you can now configure the debug log level by setting debug=True in the /etc/ipa/dns.conf file. For more information refer to the default.conf(5) man page.

(BZ#2059396)

Preserving user accounts

Previously, if you ran the ipa user-del --preserve user_login command to preserve a user account, the output incorrectly returned the message Deleted user “user_login”. This message incorrectly indicates that the user was deleted and not preserved as expected. With this update, the output now returns Preserved user “user_login”.

(BZ#2022028)

Transferring Kerberos databases greater than 4 GB

Previously, the kprop service and the kpropd command used a 32-bit value when storing the size of the Kerberos KDC database. As a result, the transfer of the Kerberos database dump file from the primary Kerberos server to a replica server failed if the database size exceeded 4 GB.

This update modifies Kerberos and it can now transfer KDC databases greater than 4 GB.

(BZ#2026462)

Handling unreadable objects in an LDAP group’s member list

Before this update, SSSD handled unreadable objects in an LDAP group’s member list inconsistently: unreadable objects caused an error, or in certain situations they were ignored.

With this update, SSSD has a new option ldap_ignore_unreadable_references to modify this behavior. If the ldap_ignore_unreadable_references option is set to false, unreadable objects cause an error and if set to true, unreadable objects are ignored. The default is set to false and because of the original inconsistent behavior, after the update, some group lookups may fail. In this case, set ldap_ignore_unreadable_references = True in the corresponding [domain/name of the domain] section in the /etc/sssd/sssd.conf file.

This allows unreadable objects to be handled in a consistent manner and the behavior can be tuned using the new ldap_ignore_unreadable_references option.

(BZ#2069379)

8.13. Desktop

The Airplane Mode switch is always displayed

Previously, the Airplane Mode switch in the Wi-Fi section of the Settings application disappeared after you enabled airplane mode. With this update, the problem has been fixed, and Settings always display the Airplane Mode switch, regardless of its state.

(BZ#2079139)

8.14. Graphics infrastructures

Hotkeys in Motif applications activate the correct item

Previously, menu hotkeys activated the wrong menu item in applications using the Motif toolkit. When a submenu was open and you pressed a hotkey associated with its item, the application activated an item in the parent menu instead.

With this update, the problem has been fixed, and hotkeys now activate the correct submenu items.

(BZ#2060571)

The desktop no longer fails to start with disabled IPv6 and DisallowTCP=false

Previously, the X11 desktop session failed to start after login under the following circumstances:

  • IPv6 networking was disabled on your system.
  • The DisallowTCP=false option was enabled in GDM configuration.

With this update, the problem has been fixed, and you can log into the X11 session as expected with the described configuration.

(BZ#2075132)

8.15. The web console

Removing USB host devices using the web console now works as expected

Previously, when you attached a USB device to a virtual machine (VM), the device number and bus number of the USB device changed after they were passed to the VM. As a consequence, using the web console to remove such devices failed due to the incorrect correlation of the device and bus numbers. With this update, the issue has been fixed and you can remove the USB host devices using the web console.

(JIRA:RHELPLAN-109067)

Attaching multiple host devices using the web console now works as expected

Previously, when you selected multiple devices to attach to a virtual machine (VM) using the web console, only a single device was attached and the rest were ignored. With this update, the issue has been fixed and you can now simultaneously attach multiple host devices using the web console.

(JIRA:RHELPLAN-115603)

8.16. Red Hat Enterprise Linux System Roles

Fixed a typo to support active-backup for the correct bonding mode

Previously, there was a typo, active_backup, in supporting the InfiniBand port while specifying the active-backup bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing the bonding mode to active-backup. The connection now successfully supports the InfiniBand bonding port.

(BZ#2064067)

The IPRouteUtils.get_route_tables_mapping() function now accepts any whitespace sequence

Previously, the parser for the iproute2 routing table database, such as /etc/iproute2/rt_tables, asserted that entries in the file were of the form 254 main, with only a single space character separating the numeric ID and the name. Consequently, the parser failed to cache all the mappings between the route table name and table ID. Therefore, the user could not add a static route into the route table by defining the route table name. With this update, the parser accepts any whitespace sequence between the table ID and table name. As a result, because the parser caches all the mappings between the route table name and table ID, users can add a static route into the route table by defining the route table name.

(BZ#2115884)
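
The difference between the single-space and the whitespace-tolerant parsing described above, as an added Python example. It is not the network role's own code: the function names, both regular expressions and the sample file content are constructed for illustration, and only decimal table IDs are handled.

```python
import re

# Constructed sample of /etc/iproute2/rt_tables content that mixes a single
# space, tabs and runs of spaces between the table ID and the table name.
SAMPLE_RT_TABLES = (
    "#\n"
    "# reserved values\n"
    "#\n"
    "255\tlocal\n"
    "254 main\n"
    "253     default\n"
    "0\t \tunspec\n"
    "# custom tables\n"
    "200   \tcustom_vpn   # trailing comment\n"
    "  201 padded\n"
    "not-a-number bogus\n"
)

# Behaviour described as the bug: exactly one space between ID and name.
STRICT_ENTRY = re.compile(r"^(\d+) (\S+)$")
# Behaviour described as the fix: any whitespace sequence between them.
TOLERANT_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_rt_tables(text, pattern):
    """Return {table_name: table_id} for every line that matches pattern."""
    mapping = {}
    for line in text.splitlines():
        entry = line.split("#", 1)[0]          # drop comments
        if not entry.strip():
            continue                           # blank or comment-only line
        match = pattern.match(entry)
        if match:
            mapping[match.group(2)] = int(match.group(1))
    return mapping


def resolve_table(name, mapping):
    """Translate a route table name to its ID, as a static route setup would need."""
    if name not in mapping:
        raise KeyError(f"route table {name!r} is not in the cached mapping")
    return mapping[name]


def lost_by_strict_parser(text):
    """Names the tolerant parser finds but the single-space parser misses."""
    strict = parse_rt_tables(text, STRICT_ENTRY)
    tolerant = parse_rt_tables(text, TOLERANT_ENTRY)
    return sorted(set(tolerant) - set(strict))


if __name__ == "__main__":
    print("strict:  ", parse_rt_tables(SAMPLE_RT_TABLES, STRICT_ENTRY))
    print("tolerant:", parse_rt_tables(SAMPLE_RT_TABLES, TOLERANT_ENTRY))
    print("lost:    ", lost_by_strict_parser(SAMPLE_RT_TABLES))
```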

Configuration by the metrics RHEL System Role follows symbolic links correctly

When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the metrics role overwrote the symbolic link instead of following it and configuring mssql.conf. Consequently, running the metrics role changed the symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The problem is now fixed and the follow: yes option to follow the symbolic link has been added to the metrics role. As a result, the metrics role preserves the symbolic links and correctly configures the main configuration file.

(BZ#2060377)

The tlog RHEL System Role is now correctly overlaid by SSSD

Previously, the tlog RHEL System Role relied on the System Security Services Daemon (SSSD) files provider and on enabled authselect option with-files-domain to set up correct passwd entries in the nsswitch.conf file. With this fix, the tlog role now updates the nsswitch.conf to ensure tlog-rec-session is correctly overlaid by SSSD.

(BZ#2072749)

The mount_options parameter for volumes is now valid for a volume

Previously, the parameter was accidentally removed from the list of valid parameters for a volume. Consequently, users were unable to set the mount_options parameter for volumes. With this bug fix, the mount_options parameter has been added back to the list of valid parameters and the code has been refactored to catch the errors. As a result, the storage RHEL system role can set the mount_options parameter for volumes.

(BZ#2083378)

The metrics RHEL System Role README and documentation now clearly specifies supported Redis and Grafana versions on specific versions of RHEL by the role

Previously, when trying to use the metrics role with unsupported versions of Redis and Grafana on unsupported platforms, the role failed. This update clarifies the documentation about which versions of Redis and Grafana are supported on which versions of RHEL by the role. As a result, you can avoid trying to use unsupported versions of Redis and Grafana on unsupported platforms.

(BZ#2100285)

The kernel_settings RHEL System Role now correctly installs python3-configobj

Previously, the kernel_settings role returned an error that the python3-configobj package could not be found. The role failed to find the package because it did not install python3-configobj on managed hosts. With this update, the role now installs python3-configobj on managed hosts and works correctly.

(BZ#2060378)

The storage RHEL System Role now correctly supports striped and raid0 levels for LVM volumes

The storage RHEL System Role previously incorrectly reported RAID levels striped and raid0 as not supported for LVM volumes. This is now fixed and the role can now correctly create LVM volumes of all RAID levels supported by LVM: raid0, raid1, raid4, raid5, raid6, raid10, striped and mirror.

(BZ#2083426)

The metrics RHEL System Role automatically restarts pmie and pmlogger services after an update to their configuration

Previously, the pmie and pmlogger services did not restart after their configuration was changed and waited for handler execution. This caused errors with other metrics services, which required pmie and pmlogger configuration to match their runtime behavior. With this update, the role restarts pmie and pmlogger immediately after a configuration update, their configuration matches runtime behavior of dependent metrics services, and they work correctly.

(BZ#2100298)

The forward_port parameter now accepts both the string and dict option

Previously, in the firewall RHEL System role, the forward_port parameter only accepted the string option. However, the role documentation claimed that both string and dict options were supported. Consequently, the users reading and following the documentation were getting an error. This bug has been fixed by making forward_port accept both options. As a result, the users can safely follow the documentation to configure port forwarding.

(BZ#2101607)

The nbde_client System Role now uses proper spacing when specifying extra Dracut command-line parameters

The Dracut framework requires proper spacing when specifying additional parameters, such as kernel command-line parameters. If the parameters are not specified with proper spacing, Dracut might not append the specified extra parameters to the kernel command line. With this update, the nbde_client System Role uses proper spacing when creating add-on Dracut configuration files. As a result, the role correctly sets Dracut command-line parameters.

(BZ#2115161)

Minimal RSA key bit length option in the ssh and sshd RHEL System Roles

Accidentally using short RSA keys might make the system more vulnerable to attacks. With this update, you can set RSA key minimal bit lengths for OpenSSH clients and servers by using the RSAMinSize option in the ssh and sshd RHEL System Roles.

(BZ#2109997)

The NBDE Client System Role supports static IP addresses

In previous versions of RHEL, restarting a system with a static IP address and configured with the Network Bound Disk Encryption (NBDE) Client System Role would change the system’s IP address. With this change, systems with static IP addresses are supported by the NBDE Client System Role, and their IP addresses do not change after a reboot.

Note that by default, the NBDE role uses DHCP when booting, and switches to the configured static IP when the system is booted.

(BZ#2071011)

8.17. Virtualization

Live pre-copy migration of VMs with failover VFs now works correctly

Previously, attempting to pre-copy migrate a running virtual machine (VM) failed if the VM used a device with the virtual function (VF) failover capability enabled. This update fixes the problem, and migrating VMs in the described scenario now works correctly.

(BZ#2054656)

8.18. RHEL in cloud environments

An instance now retains the primary IP address even after starting the nm-cloud-setup service in Alibaba Cloud

Previously, after launching an instance in the Alibaba Cloud, the nm-cloud-setup service configured the incorrect IP address as the primary IP address in case of multiple IPv4 addresses. Consequently, this affected the selection of the IPv4 source address for outgoing connections. With this update, after configuring secondary IP addresses manually, the NetworkManager package fetches the primary IP address from primary-ip-address metadata and configures both primary and secondary IP addresses correctly.

(BZ#2082000)

SR-IOV no longer performs suboptimally in ARM 64 RHEL 8 virtual machines on Azure

Previously, SR-IOV networking devices had significantly lower throughput and higher latency than expected in ARM 64 RHEL 8 virtual machines (VMs) running on a Microsoft Azure platform. The problem has been fixed, and the affected VMs now perform as expected.

(BZ#2068429)

Starting a RHEL 8 virtual machine on AWS using cloud-init no longer takes longer than expected

Previously, initializing an EC2 instance of RHEL 8 using the cloud-init service on Amazon Web Services (AWS) took an excessive amount of time. The Amazon Machine Images (AMIs) of RHEL 8 have been updated to include a fix for the problem, and initializing EC2 instances of RHEL 8 now works correctly.

However, you might still encounter slow initialization when customizing and uploading your own RHEL 8 image. To avoid this problem, remove the /etc/resolv.conf file from the image you are using for VM creation before uploading the image to AWS.

(BZ#1862930)

8.19. Containers

DNF and YUM no longer fail because of non-matching repository IDs

Previously, DNF and YUM repository IDs did not match the format that DNF or YUM expected. For example, if you ran the following example, the error occurred:

# podman run -ti ubi8-ubi
# dnf debuginfo-install dnsmasq
...
This system is not registered with an entitlement server. You can use subscription-manager to register.

With this update, the problem has been fixed. The suffix -debug-rpms was added to all debug repository names (for example ubi-8-appstream-debug-rpms), and the suffix -rpms was added to all UBI repository names (for example ubi-8-appstream-rpms).

For more information, see Universal Base Images (UBI): Images, repositories, packages, and source code.

(BZ#2120378)

Container images signed with a Beta GPG key can now be pulled

Previously, when you pulled RHEL Beta container images, Podman failed with the error message: Error: Source image rejected: None of the signatures were accepted. The images failed to be pulled due to current builds being configured to not trust the RHEL Beta GPG keys by default. With this update, the /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted keys. Because of this, the container images signed with GA and Beta GPG keys are now accepted in the default configuration.

(BZ#2020301)
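
Which signing keys a pull will accept under a given policy can be read from the policy file itself. The following Python sketch is an added example, not Red Hat's code: the sample policy, registry names and key file paths are constructed placeholders, and the scope lookup is simplified (no wildcard, tag or digest scopes).

```python
import json

# Constructed policy in the containers-policy.json format. The registry names
# and key file paths are placeholders, not the values shipped in RHEL.
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {
    "docker": {
      "registry.example.com": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPaths": ["/etc/pki/example/ga-key.asc",
                      "/etc/pki/example/beta-key.asc"]}
      ],
      "registry.example.com/legacy": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/example/ga-key.asc"}
      ]
    },
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}
""")


def requirements_for(policy, transport, image):
    """Return (scope, requirements) that apply to image (no tag or digest).

    Simplified lookup: the most specific matching scope wins, then the
    transport-wide "" scope, then the global default.
    """
    scopes = policy.get("transports", {}).get(transport, {})
    candidate = image
    while candidate:
        if candidate in scopes:
            return candidate, scopes[candidate]
        candidate = candidate.rpartition("/")[0]   # drop the last path component
    if "" in scopes:
        return "", scopes[""]
    return "default", policy["default"]


def trusted_key_files(requirement):
    """Key files a signedBy requirement trusts, from keyPath or keyPaths."""
    if requirement.get("type") != "signedBy":
        return []
    if "keyPaths" in requirement:
        return list(requirement["keyPaths"])
    if "keyPath" in requirement:
        return [requirement["keyPath"]]
    return []  # keyData carries an inline keyring, not a file


def audit(policy, transport, image):
    """Summarize what the policy demands before image is accepted."""
    scope, reqs = requirements_for(policy, transport, image)
    types = [r.get("type") for r in reqs]
    return {
        "scope": scope,
        "accepts_unsigned": bool(types) and all(t == "insecureAcceptAnything" for t in types),
        "rejected": "reject" in types,
        "key_files": [k for r in reqs for k in trusted_key_files(r)],
    }


if __name__ == "__main__":
    for transport, image in [
        ("docker", "registry.example.com/beta/app"),
        ("docker", "registry.example.com/legacy/tool"),
        ("docker", "quay.example.org/team/app"),
    ]:
        print(transport, image, audit(SAMPLE_POLICY, transport, image))
```

The legacy scope with a single keyPath trusts only one key file, so an image signed with the other key is rejected there, while the keyPaths scope accepts a signature made with a key from either file.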