Chapter 8. Known issues

This part describes known issues in Red Hat Enterprise Linux 9.0 Beta.

8.1. Installer and image creation

The reboot --kexec and inst.kexec commands do not provide a predictable system state

Performing a RHEL installation with the reboot --kexec Kickstart command or the inst.kexec kernel boot parameters do not provide the same predictable system state as a full reboot. As a consequence, switching to the installed system without rebooting can produce unpredictable results.

Note that the kexec feature is deprecated and will be removed in a future release of Red Hat Enterprise Linux.

(BZ#1697896)

Local Media installation source is not detected when booting the installation from a USB that is created using a third party tool

When booting the RHEL installation from a USB that is created using a third party tool, the installer fails to detect the Local Media installation source (only Red Hat CDN is detected).

This issue occurs because the default boot option int.stage2= attempts to search for iso9660 image format. However, a third party tool might create an ISO image with a different format.

As a workaround, use either of the following solution:

  • When booting the installation, click the Tab key to edit the kernel command line, and change the boot option inst.stage2= to inst.repo=.
  • To create a bootable USB device on Windows, use Fedora Media Writer.
  • When using a third party tool like Rufus to create a bootable USB device, first regenerate the RHEL ISO image on a Linux system, and then use the third party tool to create a bootable USB device.

For more information on the steps involved in performing any of the specified workaround, see, Installation media is not auto detected during the installation of RHEL 8.3.

(BZ#1877697)

The auth and authconfig Kickstart commands require the AppStream repository

The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.

To work around this problem, verify that the BaseOS and AppStream repositories are available to the installer or use the authselect Kickstart command during installation.

(BZ#1640697)

The USB CD-ROM drive is not available as an installation source in Anaconda

Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda cannot find and use this source disk.

To work around this problem, use the harddrive --partition=sdX --dir=/ command to install from USB CD-ROM drive. As a result, the installation does not fail.

(BZ#1914955)

Minimal RHEL installation no longer includes the s390utils-base package

In RHEL 8.4 and later, the s390utils-base package is split into an s390utils-core package and an auxiliary s390utils-base package. Consequently, setting the RHEL installation to minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. To work around this problem, manually install the s390utils-base package after completing the RHEL installation or explicitly install s390utils-base using a kickstart file.

(BZ#1932480)

Hard drive partitioned installations with iso9660 filesystem fails

You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that is set to ignore any hard disk containing a iso9660 file system partition. This happens even when RHEL is installed without using a DVD.

To workaround this problem, add the following script in the kickstart file to format the disc before the installation starts.

Note: Before performing the workaround, backup the data available on the disk. The wipefs command formats all the existing data from the disk.

%pre
wipefs -a /dev/sda
%end

As a result, installations work as expected without any errors.

(BZ#1929105)

Anaconda fails to login iSCSI server using the no authentication method after unsuccessful CHAP authentication attempt

When you add iSCSI discs using CHAP authentication and the login attempt fails due to incorrect credentials, a relogin attempt to the discs with the no authentication method fails. To workaround this problem, close the current session and login using the no authentication method.

(BZ#1983602)

New XFS features prevent booting of PowerNV IBM POWER systems with firmware older than version 5.10

PowerNV IBM POWER systems use a Linux kernel for firmware, and use Petitboot as a replacement for GRUB. This results in the firmware kernel mounting /boot and Petitboot reading the GRUB config and booting RHEL.

The RHEL 9 kernel introduces bigtime=1 and inobtcount=1 features to the XFS filesystem, which kernels with firmware older than version 5.10 do not understand.

To work around this problem, you can use another filesystem for /boot, for example ext4.

(BZ#1997832)

Installing RHEL from the boot menu using basic graphics mode from the Troubleshooting submenu fails

Installation process may fail to enter in the basic graphics mode on the hardware with an unsupported graphic card or due to any issue in the graphic driver that is preventing starting the graphical interface.

To work around this problem and boot the installer:

  • Using the text user interface, use the inst.text boot option.
  • Using the graphical user interface via VNC, use the inst.vnc option.

(BZ#1961092)

8.2. Shells and command-line tools

Renaming network interfaces using ifcfg files fails

On RHEL 9, the initscripts package is not installed by default. Consequently, renaming network interfaces using ifcfg files fails. To solve this problem, Red Hat recommends that you use udev rules or link files to rename interfaces. For further details, see Consistent network interface device naming and the systemd.link(5) man page.

If you cannot use one of the recommended solutions, install the initscripts package.

(BZ#2018112)

8.3. Infrastructure services

bind does not allow the same zone file in multiple zones

bind-9.11.4-9 does not allow the same zone file in multiple zones. To use a zone file the named service modifies the file. Consequently, the named service would not start if a configuration includes multiple zones sharing the same file path. To workaround, this problem, use the in-view clause to share one zone between multiple views. For example, use different paths for different zones, and include view names in the path.

(BZ#1984982)

8.4. Security

The OpenSSL TLS library does not detect if the PKCS#11 token supports creation of raw RSA or RSA-PSS signatures

The TLS-1.3 protocol requires the support for RSA-PSS signature. If the PKCS#11 token does not support raw RSA or RSA-PSS signatures, the server applications which use OpenSSL TLS library will fail to work with the RSA key if it is held by the PKCS#11 token. As a result, TLS communication will fail.

To work around this problem, configure server or client to use the TLS-1.2 version as the highest TLS protocol version available.

(BZ#1681178)

OpenSSL incorrectly handles PKCS #11 tokens that does not support raw RSA or RSA-PSS signatures

The OpenSSL library does not detect key-related capabilities of PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created with a token that does not support raw RSA or RSA-PSS signatures.

To work around the problem, add the following lines after the .include line at the end of the crypto_policy section in the /etc/pki/tls/openssl.cnf file:

SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
MaxProtocol = TLSv1.2

As a result, a TLS connection can be established in the described scenario.

(BZ#1685470)

OpenSSH HW acceleration does not work on IBM Z

In RHEL 9.0 Beta, some applications do not use the engine specified in the OpenSSL configuration to perform hardware offload of cryptographic functions. For example, the OpenSSH tools do not use hardware acceleration through the IBMCA engine on the 64-bit IBM Z systems.

(BZ#2019369)

SELinux staff_u users can incorrectly switch to unconfined_r

When the secure_mode boolean is enabled, staff_u users can incorrectly switch to the unconfined_r role. As a consequence, staff_u users can perform privileged operations affecting the security of the system.

(BZ#2021529)

usbguard-notifier logs too many error messages to the Journal

The usbguard-notifier service does not have inter-process communication (IPC) permissions for connecting to the usbguard-daemon IPC interface. Consequently, usbguard-notifier fails to connect to the interface, and it writes a corresponding error message to the Journal. Because usbguard-notifier starts with the --wait option, which ensures that usbguard-notifier attempts to connect to the IPC interface each second after a connection failure, by default, the log contains an excessive amount of these messages soon.

To work around the problem, allow a user or a group under which usbguard-notifier is running to connect to the IPC interface. For example, the following error message contains the UID and GID values for the GNOME Display Manager (GDM):

IPC connection denied: uid=42 gid=42 pid=8382, where uid and gid 42 = gdm

To grant the missing permissions to the gdm user, use the usbguard command and restart the usbguard daemon:

# usbguard add-user gdm --group --devices listen
# systemctl restart usbguard

After granting the missing permissions, the error messages no longer appear in the log.

(BZ#2009226)

8.5. Networking

An empty rd.znet option in the kernel command line causes the network configuration to fail

An rd.znet option without any arguments, such as net types or subchannels, in the kernel fails to configure networking. To work around this problem, either remove the rd.znet option from the command line completely or specify relevant net types, subchannels, and other relevant options. For more information about these options, see the dracut.cmdline(7) man page.

(BZ#1931284)

Failure to update the session key causes the connection to break

Kernel Transport Layer Security (kTLS) protocol does not support updating the session key, which is used by the symmetric cipher. Consequently, the user cannot update the key, which causes a connection break. To work around this problem, disable kTLS. As a result, with the workaround, it is possible to successfully update the session key.

(BZ#2013650)

8.6. Kernel

modprobe fails to install some out-of-tree kernel modules

The /etc/depmod.d/dist.conf file provides a search order for the depmod utility. Based on the search order, depmod creates the modules.dep.bin file. This file lists module dependencies, which the modprobe utility uses for loading and unloading kernel modules and resolving module dependencies at the same time. Since /etc/depmod.d/dist.conf is missing due to some prior RHEL changes, modprobe cannot load some out-of-tree kernel modules. To work around this problem, provide a config file for your out-of-tree module, or install any out-of-tree kernel module in the /lib/modules/$(uname -r)/updates/ directory instead of the /lib/modules/$(uname -r)/extra/ directory.

(BZ#1985100)

RPM macros for building out-of-tree kernel module RPMs cause various problems

RPM macros for building out-of-tree kernel modules in RHEL 9 (including the %kernel_module_package) were broken due to several packaging changes in the kernel RPM.

The specific errors and their workarounds are detailed in Errors and workarounds when building out-of-tree kernel module RPMs using %kernel_module_package macros

As a result, it is possible to successfully build an out-of-tree kernel module RPM.

(BZ#1971748)

kdump fails to start on RHEL 9 kernel

The RHEL 9 kernel does not have the crashkernel=auto configured as default. Consequently, the kdump service fails to start by default.

To work around this problem, configure the crashkernel= option to the required value.

For example, to reserve 256 MB of memory using the grubby utility, execute:

grubby --args crashkernel=256M --update-kernel ALL

As a result, the RHEL 9 kernel starts kdump and uses the configured memory size value to dump the vmcore file.

(BZ#1894783)

Audio devices that use the Use Case Manager configuration are not detected or they do not function properly

A bug in the alsa-lib package causes that the internal Use Case Manager (UCM) identifier is not correctly parsed. Consequently, some audio devices that use the Use Case configuration are not detected or they do not function properly. The problem occurs more when the pipewire sound service is used.

(BZ#2015863)

kTLS does not support offloading of TLS 1.3 to NICs

Kernel Transport Layer Security (kTLS) does not support offloading of TLS 1.3 to NICs. Consequently, software encryption is used with TLS 1.3 even when the NICs support TLS offload. To work around this problem, disable TLS 1.3 if offload is required. As a result, you can offload only TLS 1.2. When TLS 1.3 is in use, there is lower performance, since TLS 1.3 cannot be offloaded.

(BZ#2000616)

8.7. File systems and storage

System does not boot via iSCSI

The dependencies of the iscsi-init.service can create a deadlock that blocks running iscsid in an initramfs environment. Booting from iSCSI does not work because iscsi-init does not start and blocks iscsid from starting. As a consequence, no iSCSI sessions can be established in the initramfs.

To work around this problem, use the following steps:

  1. Navigate to an initramfs emergency shell by adding rd.break=initqueue to the kernel command line in grub.
  2. Verify if the /etc/iscsi/initiatorname.iscsi file exists. If it exists, iscsi-init is not required.
  3. Manually start iscsid by executing the /usr/sbin/iscsid command as root.
  4. Exit the shell, the system should continue to boot from iSCSI at this point.
  5. Once the system has booted from iSCSI, edit the /usr/lib/systemd/system/iscsi-init.service file and add the "DefaultDependencies=no" in the [Unit] section.

    Do not use systemctl edit because it creates a new file in the /etc/systemd directory, while dracut will continue to the original one.

  6. Rebuild the initramfs file by using the dracut --rebuild command as root.

You should now be able to successfully reboot using iSCSI

(BZ#2016482)

8.8. Red Hat Enterprise Linux System Roles

Some RHEL System Roles do not work with the ansible-core 2.11 package

The RHEL 9 Beta release includes the ansible-core 2.11 package. This is a version of Ansible that has only the core functionality. That means that the modules such as firewalld, and plugins such as json_query, among many others. As a consequence, the following system roles will not work in RHEL 9 Beta with the ansible-core 2.11 package:

  • ha_cluster
  • kdump
  • logging
  • selinux
  • storage
  • timesync
  • vpn

Currently, there is no workaround available.

(JIRA:RHELPLAN-92523)

8.9. Virtualization

RHEL 9 virtual machines cannot use DASD as virtio block storage on IBM Z

Currently, virtual machines (VMs) running RHEL 9 on IBM Z hardware are not able to use DASD storage devices attached with the virtio-blk driver. You should not upgrade your VMs to RHEL 9 Beta if you plan to use the described devices.

(BZ#2008401)

Hot-unplugging a mounted virtual disk sometimes causes the guest kernel to crash on IBM Z

Currently, when detaching a mounted disk from a running virtual machine (VM) on IBM Z hardware, the VM kernel crashes under the following conditions:

  • The disk has been attached with target bus type scsi and is mounted inside the guest.
  • After hot-unplugging the disk device, the corresponding SCSI controller is hot-unplugged as well.

When the kernel crashes, the VM automatically reboots. If you need to unplug the disk and controller fully, you can avoid the VM crashing by first shutting off the VM. In addition, remove the disk from the guest’s fstab file if present in order to boot gracefully next time.

(BZ#1997541)

Installing a virtual machine over https in some cases fails

Currently, the virt-install utility fails when attempting to install a guest operating system from an ISO source over a https connection - for example using virt-install --cdrom https://example/path/to/image.iso. Instead of creating a virtual machine (VM), the described operation terminates unexpectedly with an "internal error: process exited while connecting to monitor" message. To work around this problem, use a different connection protocol or a different installation source.

(BZ#2014229)

8.10. RHEL in cloud environments

RHEL 9 VMs on Azure sometimes lose network connection

Currently, RHEL 9 virtual machines running on the Microsoft Azure hypervisor have problems with the ordering cycle after rebooting. This may cause certain services to terminate unexpectedly, including NetworkManager, which may in turn cause network disconnections. To work around the issue, restart the VM or access the serial console and start the NetworkManager service.

(BZ#1998445)

8.11. Containers

Container images signed with a Beta GPG key can not be pulled

Currently, when you try to pull RHEL 9 Beta container images, podman exits with the error message: Error: Source image rejected: None of the signatures were accepted. The images fail to be pulled due to current builds being configured to not trust the RHEL Beta GPG keys by default.

As a workaround, ensure that the Red Hat Beta GPG key is stored on your local system and update the existing trust scope with the podman image trust set command for the appropriate beta namespace.

If you do not have the Beta GPG key stored locally, you can pull it by running the following command:

sudo wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta https://www.redhat.com/security/data/f21541eb.txt

To add the Beta GPG key as trusted to your namespace, use one of the following commands:

$ sudo podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta registry.access.redhat.com/namespace

and

$ sudo podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta registry.redhat.io/namespace

Replace namespace with ubi9-beta or rhel9-beta.

(BZ#2020026)