Chapter 8. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 9.1 that have a significant impact on users.
8.1. Installer and image creation
The installer no longer installs earlier versions of packages
Previously, the installer did not correctly load the DNF configuration file during the installation process. As a consequence, the installer sometimes installed earlier versions of select packages in the RPM transaction.
This bug has been fixed, and only the latest versions of packages are now installed from the installation repositories. In cases where it is impossible to install the latest versions of the packages, the installation fails as expected.
Anaconda installation is successful even if changing the network configuration in stage2
Previously, when using the rd.live.ram boot argument, Anaconda did not unmount an NFS mount point that is used in initramfs to fetch the installation image into memory. As a consequence, the installation process could become unresponsive or fail with a timeout error if the network configuration was changed in stage2.
To fix this problem, the NFS mount point used to fetch the installation image into memory is unmounted in initramfs before switchroot. As a result, the installation process is completed without any interruption.
8.2. Subscription management
virt-who now connects to ESX servers correctly when in FIPS mode
Previously, when using the virt-who utility on a RHEL 9 system in FIPS mode, virt-who could not connect to ESX servers. As a consequence, virt-who did not report any ESX servers, even if configured for them, and logged the following error message:
ValueError: [digital envelope routines] unsupported
With this update, virt-who has been fixed to handle FIPS mode correctly, and the described problem no longer occurs.
8.3. Software management
DNF now correctly rolls back a transaction containing an item with the Reason Change Action type
Previously, running the dnf history rollback command on a transaction containing an item with the Reason Change Action type failed. With this update, the issue has been fixed, and dnf history rollback now works as expected.
8.4. Shells and command-line tools
vi command in ReaR no longer results in an infinite loop
Previously, the ReaR rescue system did not contain the vi executable, only the /bin/vi script. As a consequence, the /bin/vi script caused an infinite loop when invoked. With this update, the ReaR rescue system contains the actual /usr/libexec/vi, and running the vi command no longer leads to an endless loop.
ReaR with the PXE output method no longer fails to store the output files in the rsync
Previously, the handling of the OUTPUT_URL variable with the BACKUP=RSYNC options was removed. As a consequence, when using an rsync location for OUTPUT_URL, ReaR failed to copy the initrd and kernel files to this location, although it uploaded them to the location specified by BACKUP_URL. With this update, the behavior from RHEL 8.4 and earlier releases is restored. ReaR creates the required files at the designated OUTPUT_URL destination using rsync.
ReaR no longer fails to display an error message if it does not update the UUID in
Previously, ReaR did not display an error message during recovery when it failed to update the universally unique identifier (UUID) in /etc/fstab to match the UUID of the newly created partition in case the UUIDs were different. This could have happened if the rescue image was out of sync with the backup. With this update, an error message is displayed during recovery if the restored basic system files do not match the recreated system.
ReaR now supports restoring a system using NetBackup version 9
Previously, restoring a system using the NetBackup (NBU) method with NetBackup version 9 or later failed due to missing libraries and other files. With this update, the NBU_LD_LIBRARY_PATH variable contains the required library paths and the rescue system now incorporates the required files, and ReaR can use the NetBackup method.
ReaR no longer displays a false error message about missing symlink targets
Previously, ReaR displayed incorrect error messages about missing symlink targets for the source symlinks under /usr/lib/modules/ when creating the rescue image. This situation was harmless, and you could safely ignore the error message. With this update, ReaR does not report a false error message about missing symlink targets in this situation.
cmx operation with no parameter no longer crashes the CIM Client
The cmx operation calls a method and returns XML; a parameter specifies the name of the called method. Previously, the command-line sblim-wbemcli Common Information Model (CIM) Client crashed when running the cmx operation without an additional parameter. With this update, the cmx operation requires the parameter that defines the name of the called method. Invoking the cmx operation without this parameter results in an error message, and the CIM Client no longer crashes.
free command uses a new calculation method for used memory
Previously, the calculation of used memory in the free utility subtracted free space, cache space and buffer space from the total memory. Consequently, a discrepancy occurred when you compared the value of used memory with the output of another tool, because the free utility did not calculate shared memory. With this update, the free command uses a new calculation method that provides a clear state of free memory and considers the unreclaimable cache. Used memory is now any memory that is not available, and also includes tmpfs objects that are in the virtual memory.
8.5. Infrastructure services
Unbound no longer validates SHA-1-based RSA signatures
Previously, OpenSSL did not validate SHA-1-based RSA signatures in the DEFAULT system-wide cryptographic policy. As a consequence, when Unbound tried to validate such signatures, the error from OpenSSL caused the resolution to fail. With this update, Unbound disables validation support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 (algorithm number 7) signatures, which resolves the query. Note that this makes the result insecure under all system-wide cryptographic policies.
OpenSSH key generation uses FIPS-compatible interfaces
The OpenSSL cryptographic library, which is used by OpenSSH, provides two interfaces: legacy and modern. Previously, OpenSSH used the legacy interface for key generation, which did not comply with Federal Information Processing Standards (FIPS) requirements. With this update, the ssh-keygen utility uses the FIPS-compliant API instead of the low-level FIPS-incompatible API. As a result, OpenSSH key generation is FIPS-compliant.
Cryptography not approved by FIPS no longer works in OpenSSL in FIPS mode
Previously, cryptography that was not FIPS-approved worked in the OpenSSL toolkit regardless of system settings. Consequently, you could use cryptographic algorithms and ciphers that should be disabled when the system is running in FIPS mode, for example:
- TLS cipher suites using the RSA key exchange worked.
- RSA-based algorithms for public-key encryption and decryption worked despite using the PKCS #1 and SSLv23 paddings or using keys shorter than 2048 bits.
This update contains fixes ensuring that cryptography not approved by FIPS no longer works in OpenSSL in FIPS mode.
Specifying arbitrary curves removed from OpenSSL
Previously, the safety checks of explicit curve parameters were incomplete. As a consequence, arbitrary elliptic curves with sufficiently large p values worked in RHEL. With this update, the checks now verify that the explicit curve parameters match one of the well-known supported curves. As a result, the option to specify arbitrary curves through the use of explicit curve parameters has been removed from OpenSSL. Parameter files, private keys, public keys, and certificates that specify arbitrary explicit curves no longer work in OpenSSL. Using explicit curve parameters to specify one of the well-known and supported curves such as P-224, P-256, P-384, P-521, and secp256k1 remains supported in non-FIPS mode.
req uses AES-256-CBC for private keys encryption
Previously, the OpenSSL req tool encrypted private key files by using the 3DES algorithm. Because the 3DES algorithm is insecure and disallowed in the current FIPS 140 standard for cryptographic modules, req now generates private key files encrypted using the AES-256-CBC algorithm instead. The overall PKCS#8 file format remains unchanged.
OpenSSL no longer fails to connect when FFDHE is used
Previously, TLS connections that use the finite-field-based Diffie-Hellman ephemeral (FFDHE) key exchange mechanism sometimes failed when processing FFDHE key shares from a client. This was caused by overly restrictive checks in OpenSSL. As a consequence, the OpenSSL server aborted the connection with an internal_error alert. With this update, OpenSSL accepts smaller but still compliant client key shares. As a result, connections between OpenSSL and other implementations no longer randomly abort when using FFDHE key exchanges.
OpenSSL-based applications now work correctly with the Turkish locale
Because the OpenSSL library uses case-insensitive string comparison functions, OpenSSL-based applications did not work correctly with the Turkish locale, and omitted checks caused applications using this locale to crash. This update provides a patch to use the Portable Operating System Interface (POSIX) locale for case-insensitive string comparison. As a result, OpenSSL-based applications such as curl work correctly with the Turkish locale.
insights-client added to the SELinux policy
The insights-client service requires permissions which were not in the previous selinux-policy versions. As a consequence, some components of insights-client did not work correctly and reported access vector cache (AVC) error messages. This update adds new permissions to the SELinux policy. As a result, insights-client runs correctly without reporting AVC errors.
(BZ#2081425, BZ#2077377, BZ#2087765, BZ#2107363)
staff_u users no longer can incorrectly switch to
Previously, when the secure_mode boolean was enabled, staff_u users could switch to the unconfined_r role, which was not expected behavior. As a consequence, staff_u users could perform privileged operations affecting the security of the system. With this update, the SELinux policy has been fixed, and staff_u users no longer can incorrectly switch to
OpenSCAP no longer produces incorrect errors when checking available memory
Previously, when evaluating some XCCDF rules, OpenSCAP incorrectly showed the error message Failed to check available memory and produced invalid scan results. For example, this occurred for rules accounts_users_home_files_permissions. With this update, the bug in error handling is fixed and the error message appears only for real failures.
fagenrules --load now works correctly
The fapolicyd service did not correctly handle the hang-up signal (SIGHUP). Consequently, fapolicyd terminated after receiving SIGHUP, and the fagenrules --load command did not work correctly. This update contains a fix for the problem. As a result, fagenrules --load now works correctly, and rule updates no longer require manual restarts of
An instance now retains the primary IP address even after starting the nm-cloud-setup service in Alibaba Cloud
Previously, after launching an instance in the Alibaba Cloud, the nm-cloud-setup service configured the incorrect IP address as the primary IP address in case of multiple IPv4 addresses. Consequently, this affected the selection of the IPv4 source address for outgoing connections. With this update, after configuring secondary IP addresses manually, the NetworkManager package fetches the primary IP address from primary-ip-address metadata and configures both primary and secondary IP addresses correctly.
NetworkManager utility enforces correct ordering of manually added IPv6 addresses
In general, the ordering of IPv6 addresses affects the priority for source address selection, for example when you make an outgoing TCP connection. Previously, the relative priority of IPv6 addresses added through the autoconf6 methods was not correct. This update fixes the problem and the ordering priority now reflects this logic: autoconf6. Also, the order of addresses under the ipv6.addresses setting was reversed so that the address added first has the highest priority.
Network socket tagging works again
cgroup v1 controllers that have no cgroup v2 equivalent, such as net_cls, previously interfered with the cgroup v2 socket tagging when they were mounted together with other cgroup v2 controllers in a mixed cgroup v1/v2 environment. As a consequence, a mixed cgroup v1/v2 environment using either the net_cls v1 controller disabled proper network socket tagging with cgroup v2. This update eliminates this limitation, which makes it possible to use network socket tagging in a mixed cgroup v1/v2 environment.
kexec-tools package now supports the default crashkernel memory reservation values
The kexec-tools package now maintains the default crashkernel memory reservation values. The kdump service uses the default value to reserve the crash kernel memory for each kernel. This implementation also improves memory allocation for kdump when a system has less than 4 GB of available memory.
If the memory reserved by the default crashkernel value is not sufficient on your system, you can use the kdumpctl estimate command to get an estimated value without triggering a crash. The estimated crashkernel= value may not be accurate and can serve as a reference to set an appropriate
Systems can successfully run dynamic LPAR operations
Previously, users could not run dynamic logical partition (DLPAR) operations from the Hardware Management Console (HMC) if either of these conditions were met:
- The Secure Boot feature was enabled, which implicitly enables the kernel lockdown mechanism in integrity mode.
- The kernel lockdown mechanism was manually enabled in integrity or confidentiality mode.
In RHEL 9, kernel lockdown completely blocked Run Time Abstraction Services (RTAS) access to system memory accessible through the /dev/mem character device file. Several RTAS calls required write access to /dev/mem to function properly. Consequently, RTAS calls did not execute correctly and users would see the following error message:
HSCL2957 Either there is currently no RMC connection between the management console and the partition <LPAR name> or the partition does not support dynamic partitioning operations. Verify the network setup on the management console and the partition and ensure that any firewall authentication between the management console and the partition has occurred. Run the management console diagrmc command to identify problems that might be causing no RMC connection.
With this update, the problem has been fixed by providing a very narrow PowerPC-specific exception to lockdown. The exception permits RTAS to access the required /dev/mem areas. As a result, the problem no longer manifests in the described scenario.
No kernel warnings after setting the ring buffer value from
The kernel was producing a warning message Missing unregister, handled but fix driver when an internal function expecting a clean input was called with a reused, already initialized structure. With this update, the problem has been fixed by reinitializing the structure before registering it again.
8.9. Boot loader
grubby now passes arguments to future kernels
When installing a newer version of the kernel, the grubby tool did not pass the kernel command-line arguments from the previous kernel version. As a consequence, the GRUB boot loader ignored user settings. With this fix, the user settings now persist after installing the new kernel version.
8.10. File systems and storage
Journal entries no longer stop the journal writes
Previously, in the VDO driver, during a device-mapper suspend operation and after resuming device operation, some journal blocks could still be marked as waiting for some metadata updates to be made before they could be reused, even though those updates had already been done. When enough journal entries were made for the journal to wrap around back to the same physical block, the block was not available. Journal writes would stop, waiting for the block to become available, which never happened. Consequently, when some operations on a VDO device included a suspend or resume cycle, the device was in a frozen state after some journal updates. The journal updates before this device state were unpredictable because they depended on previous allocation patterns within VDO and on the incoming write or discard patterns. With this update, after the suspend or resume cycle saves data to storage, the internal data structure state is reset and lockups no longer happen.
Adding a data device no longer triggers assertion failure
Previously, when adding additional devices to the cache, Stratis did not use cache immediately after initialization. As a consequence, the stratisd service returned an assertion failure message whenever a user attempted to add additional data devices to a pool. With this fix, cache is now used immediately after initialization and no assertion failures occur.
Resolved errors when adding new data devices to the encrypted pool
Previously, whenever the user initialized an encrypted pool with encrypted data devices, using a Clevis bind command on a tang server, specified with the
stratisd did not include the thumbprint part of the Clevis tang configuration in the internal data structures. Consequently, a failure occurred when attempting to add new data devices to the pool. With this update, the internal data structures of stratisd now include the thumbprint part of the Clevis tang configuration.
Connecting to NVMe namespaces from Broadcom initiators on AMD EPYC systems no longer requires non-default IOMMU settings
By default, the RHEL kernel enables the IOMMU on AMD-based platforms. Previously, the lpfc driver did not use the scatter-gather list accessor macros. Consequently, certain servers with AMD processors encountered NVMe I/O problems, such as I/Os failing due to transfer length mismatches.
With this update, you do not need to put IOMMU into passthrough mode with a kernel command-line option in order to connect to NVMe namespaces from Broadcom initiators.
8.11. High availability and clusters
pcs now validates the value of
Previously, it was possible to set the stonith-watchdog-timeout property to a value that is incompatible with SBD configuration. This could result in a fence loop, or could cause the cluster to consider a fencing action to be successful even if the action is not finished. With this fix, pcs validates the value of stonith-watchdog-timeout when you set it, to prevent incorrect configuration.
pcs now recognizes the mode option when creating a new Booth ticket
Previously, when a user specified a mode option when adding a new Booth ticket, pcs reported the error invalid booth ticket option 'mode'. With this fix, you can now specify the mode option when creating a Booth ticket.
pcs now distinguishes between resources and stonith resources
Previously, pcs commands did not distinguish between resources and stonith resources. This allowed users to use pcs resource sub-commands for stonith resources, and to use pcs stonith sub-commands for resources that are not stonith resources. This could lead to user confusion or resource misconfiguration. With this update, pcs displays a warning when there is a resource type mismatch.
8.12. Compilers and development tools
glibc now restores errno after loading an NSS module
Previously, the Name Service Switch (NSS) implementation in glibc set errno incorrectly during database enumeration using functions such as getpwent() if the last NSS module did not provide any data. As a result, applications using these enumeration functions incorrectly observed errors and failed.
glibc now restores errno after loading an NSS module and, as a result, applications using these functions no longer fail.
The auditing interface now saves and restores the x8 register and the full width of the NEON registers for AArch64
Previously, a bug in the implementation of the dynamic loader’s audit interface caused the AArch64 saved register state to be incomplete compared to the procedure call standard. This bug has been fixed and the auditing interface now saves and restores the x8 register and the full width of the NEON registers for AArch64. Applications using the dynamic loader auditing interface can now inspect and influence the x8 register for AArch64. To use this new x8 register and have access to the full width of the NEON registers on AArch64, the audit modules must be recompiled to use the new version of the interface (LAV_CURRENT is 2).
POWER9-optimized strncpy function no longer gives incorrect results
Previously, the POWER9 strncpy function did not use the correct register as the source of the NUL bytes for padding. Consequently, the output buffer contained uninitialized register content instead of the NUL padding. With this update, the strncpy function has been fixed, and the end of the output buffer is now correctly padded with NUL bytes.
Valgrind override of memmem function installed on IBMz15 architecture
Previously, a missing valgrind override of the memmem function led to false positive warnings of:
Conditional jump or move depends on uninitialised value(s)
This update includes a valgrind override of the memmem function and, as a result, there are no longer false positive warnings when using the memmem function in programs running under valgrind on the IBMz15 architecture.
8.13. Identity Management
ipa user-del --preserve user_login output no longer indicates that the user was deleted
Previously, if you ran the ipa user-del --preserve user_login command to preserve a user account, the output incorrectly returned the message Deleted user “user_login”. With this update, the output now returns Preserved user “user_login”.
PKINIT user authentication now works correctly in the RHEL 9 Kerberos client - Heimdal KDC scenario
Previously, the PKINIT authentication of an IdM user on a RHEL 9 Kerberos client against the Heimdal Kerberos Distribution Center (KDC) failed. This failure occurred because the Kerberos client did not support the supportedCMSTypes field required in the context of the deprecation of the SHA-1 algorithm in RHEL 9.
With this update, the RHEL 9 Kerberos client sends a list of signature algorithms including supportedCMSTypes during PKINIT to Heimdal KDC. Heimdal KDC uses sha512WithRSAEncryption and, as a result, PKINIT authentication works correctly.
Handling unreadable objects in an LDAP group’s member list
Before this update, SSSD handled unreadable objects in an LDAP group’s member list inconsistently: unreadable objects either caused an error or, in certain situations, were ignored.
With this update, SSSD has a new option ldap_ignore_unreadable_references to modify this behavior. If the ldap_ignore_unreadable_references option is set to false, unreadable objects cause an error, and if it is set to true, unreadable objects are ignored. The default is false and, because of the original inconsistent behavior, some group lookups may fail after the update. In this case, set ldap_ignore_unreadable_references = True in the corresponding [domain/name of the domain] section in the
This allows unreadable objects to be handled in a consistent manner and the behavior can be tuned using the new
Subscription enrolling with Activation keys has been fixed
Previously, you could not enroll your Red Hat subscription in Settings using Activation keys. Settings displayed the following error after pressing Register:
Failed to register system; Failed to RegisterWithActivationKeys: Unknown arguments: dict_keys(['enable_content'])
With this update, the problem has been fixed, and you can now enroll your subscription using Activation keys as expected in Settings.
8.15. Graphics infrastructures
X.org now enables the X11 SECURITY extension
Previously, the X.org display server did not provide the X11 SECURITY extension. As a consequence, applications that used this extension terminated unexpectedly.
With this update, X.org enables the X11 SECURITY extension. As a result, applications that depend on the extension now work as expected.
Matrox GPU with a VGA display now works as expected
Prior to this release, your display showed no graphical output if you used the following system configuration:
- A GPU in the Matrox MGA G200 family
- A display connected over the VGA controller
- UEFI switched to legacy mode
As a consequence, you could not use or install RHEL on this configuration.
With this update, the mgag200 driver has been significantly rewritten, and as a result, the graphics output now works as expected.
8.16. The web console
Removing USB host devices using the web console now works as expected
Previously, when you attached a USB device to a virtual machine (VM), the device number and bus number of the USB device changed after they were passed to the VM. As a consequence, using the web console to remove such devices failed due to the incorrect correlation of the device and bus numbers. With this update, the issue has been fixed and you can remove the USB host devices using the web console.
Attaching multiple host devices using the web console now works as expected
Previously, when you selected multiple devices to attach to a virtual machine (VM) using the web console, only a single device was attached and the rest were ignored. With this update, the issue has been fixed and you can now simultaneously attach multiple host devices using the web console.
8.17. Red Hat Enterprise Linux System Roles
network RHEL role manages ansible_managed parameter in the configuration files
Previously, the Ansible role was unable to provide the correct ansible_managed header for the network role managed configuration files. As a consequence, system administrators were uncertain about which files were managed by Ansible. With this fix, the role managed files have a correct ansible_managed header, and system administrators can reliably tell which files are managed by Ansible.
Fixed a typo to support active-backup for the correct bonding mode
Previously, there was a typo, active_backup, in supporting the InfiniBand port while specifying active-backup bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing bonding mode to active-backup. The connection now successfully supports the InfiniBand bonding port.
IPRouteUtils.get_route_tables_mapping() function now accepts any whitespace sequence
Previously, a parser for the iproute2 routing table database, such as /etc/iproute2/rt_tables, asserted that entries in the file were of the form 254 main and only a single space character separated the numeric ID and the name. Consequently, the parser failed to cache all the mappings between the route table name and table ID. Therefore, the user could not add a static route into the route table by defining the route table name. With this update, the parser accepts any whitespace sequence between the table ID and table name. As a result, because the parser caches all the mappings between the route table name and table ID, users can add a static route into the route table by defining the route table name.
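The whitespace handling described above, as an added example that is not the network role's own code: the same constructed rt_tables content is parsed once with a single-space pattern and once with a pattern that accepts any whitespace run. The function name, the two patterns and the sample content are assumptions made for illustration.

```python
import re

# Constructed sample in the format of /etc/iproute2/rt_tables. It mixes tabs,
# single spaces, runs of spaces, comments and one malformed line.
SAMPLE_RT_TABLES = """\
#
# reserved values
#
255\tlocal
254 main
253     default
0\tunspec
# local additions
200  \t custom   # trailing comment
bogus line
"""

# Behaviour described as the bug: exactly one space between ID and name.
STRICT = re.compile(r"^(\d+) (\S+)$")
# Behaviour described as the fix: any whitespace sequence between ID and name.
LENIENT = re.compile(r"^(\d+)\s+(\S+)$")


def parse_route_tables(text, pattern):
    """Return ({table_name: table_id}, [lines that did not match])."""
    mapping = {}
    skipped = []
    for raw in text.splitlines():
        # Drop comments and surrounding whitespace before matching.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = pattern.match(line)
        if match is None:
            # Keeping the rejects makes a silently incomplete cache visible.
            skipped.append(line)
            continue
        mapping[match.group(2)] = int(match.group(1))
    return mapping, skipped


if __name__ == "__main__":
    for label, pattern in (("strict", STRICT), ("lenient", LENIENT)):
        tables, rejected = parse_route_tables(SAMPLE_RT_TABLES, pattern)
        print(label, tables, "rejected:", rejected)
```

With the strict pattern only the `254 main` entry is cached, so a route that names the `custom` table cannot be resolved to ID 200; the rejected list shows which valid entries were dropped.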
forward_port parameter now accepts both the
Previously, in the firewall RHEL System role, the forward_port parameter only accepted the string option. However, the role documentation claimed that both dict options were supported. Consequently, the users reading and following the documentation were getting an error. This bug has been fixed by making forward_port accept both options. As a result, the users can safely follow the documentation to configure port forwarding.
Configuration by the metrics role now follows symbolic links correctly
When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the metrics role overwrote the symbolic link instead of following it and configuring mssql.conf. Consequently, running the metrics role changed the symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The issue is now fixed and the follow: yes option to follow the symbolic link has been added to the metrics role. As a result, the metrics role preserves the symbolic links and correctly configures the main configuration file.
configobj is available on managed hosts
The kernel_settings role did not install the python3-configobj package on managed hosts. As a consequence, the role returned an error stating that the configobj Python module could not be found. With this fix, the role ensures that the python3-configobj package is present on managed hosts and the kernel_settings role works as expected.
mount_options parameter for volumes is now valid for a volume
Previously, the parameter was accidentally removed from the list of valid parameters for a volume. Consequently, users were unable to set the mount_options parameter for volumes. With this bug fix, the mount_options parameter has been added back to the list of valid parameters and the code has been refactored to catch the errors. As a result, the storage RHEL system role can set the mount_options parameter for volumes.
storage RHEL System Role now correctly supports striped and raid0 levels for LVM volumes
The storage RHEL System Role previously incorrectly reported RAID levels raid0 as not supported for LVM volumes. This is now fixed and the role can now correctly create LVM volumes of all RAID levels supported by LVM:
metrics RHEL System Role README and documentation now clearly specifies supported Redis and Grafana versions on specific versions of RHEL by the role
Previously, when trying to use the metrics role with unsupported versions of Redis and Grafana on unsupported platforms, the role failed. This update clarifies the documentation about which versions of Redis and Grafana are supported on which versions of RHEL by the role. As a result, you can avoid trying to use unsupported versions of Redis and Grafana on unsupported platforms.
Minimal RSA key bit length option in the sshd RHEL System Roles
Accidentally using short RSA keys might make the system more vulnerable to attacks. With this update, you can set RSA key minimal bit lengths for OpenSSH clients and servers by using the RequiredRSASize option in the sshd RHEL System Roles.
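Before raising RequiredRSASize on a fleet, it helps to know which enrolled public keys would fall below the new minimum. The following added example (not part of the release notes or of the System Roles) decodes ssh-rsa public key lines and reports the modulus length; the function names, the sample lines, and the 2048-bit threshold used in the demo are assumptions, and the sample moduli are constructed integers rather than usable keys.

```python
import base64
import struct


def read_string(buf, offset):
    """Read one SSH wire-format string: uint32 length followed by the bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[offset + 4:end], end


def rsa_modulus_bits(key_line):
    """Return the RSA modulus size in bits, or None if the line is not ssh-rsa."""
    fields = key_line.split()
    if "ssh-rsa" not in fields:
        return None
    idx = fields.index("ssh-rsa")  # options, if any, precede the key type
    if idx + 1 >= len(fields):
        raise ValueError("missing key blob")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    key_type, off = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type does not match key type field")
    _exponent, off = read_string(blob, off)
    modulus, off = read_string(blob, off)
    return int.from_bytes(modulus, "big").bit_length()


def find_short_rsa_keys(lines, required_rsa_size):
    """Return (line_number, bits or None, comment or error) for each finding."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            bits = rsa_modulus_bits(line)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            findings.append((lineno, None, f"unparseable: {exc}"))
            continue
        if bits is not None and bits < required_rsa_size:
            findings.append((lineno, bits, line.split()[-1]))
    return findings


# --- constructed sample input (not real keys) ---
def pack_string(data):
    return struct.pack(">I", len(data)) + data


def mpint(value):
    # Positive mpint: big-endian, with a leading zero byte when the top bit is set.
    return pack_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def constructed_key_line(bits, comment):
    modulus = (1 << (bits - 1)) | 1  # has the requested bit length only
    blob = pack_string(b"ssh-rsa") + mpint(65537) + mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


SAMPLE_AUTHORIZED_KEYS = [
    "# constructed authorized_keys content",
    constructed_key_line(1024, "legacy-backup@example"),
    constructed_key_line(2048, "admin@example"),
    'from="192.0.2.10" ' + constructed_key_line(1536, "batch@example"),
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER ed25519-user@example",
    "ssh-rsa not*base64 broken@example",
]

if __name__ == "__main__":
    for finding in find_short_rsa_keys(SAMPLE_AUTHORIZED_KEYS, 2048):
        print(finding)
```

The option splitting is simplified: it assumes no quoted option value contains a space.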
nbde_client RHEL System Role now uses proper spacing when specifying extra Dracut command line-parameters
The Dracut framework requires proper spacing when specifying additional parameters, such as kernel command-line parameters. If the parameters are not specified with proper spacing, Dracut might not append the specified extra parameters to the kernel command line. With this update, the nbde_client RHEL System Role uses proper spacing when creating add-on Dracut configuration files. As a result, the role correctly sets Dracut command-line parameters.
tlog RHEL System Roles is now correctly overlaid by SSSD
The tlog RHEL System Role relied on the System Security Services Daemon (SSSD) files provider and on enabled with-files-domain to set up correct passwd entries in the nsswitch.conf file. In RHEL 9.0, SSSD did not implicitly enable the files provider by default, and consequently the tlog-rec-session shell overlay by SSSD did not work. With this fix, the tlog role now updates the nsswitch.conf to ensure tlog-rec-session is correctly overlaid by SSSD.
metrics RHEL System Role automatically restarts pmlogger services after an update to their configuration
Previously, pmlogger services did not restart after their configuration was changed and waited for handler execution. This caused errors with other metrics services, which required pmlogger configuration to match their runtime behavior. With this update, the role restarts pmlogger immediately after a configuration update, so that the configuration matches the runtime behavior of dependent metrics services, and they work correctly.
Network traffic performance in virtual machines is no longer reduced when under heavy load
Previously, RHEL virtual machines had, in some cases, decreased performance when handling high levels of network traffic. The underlying code has been fixed and network traffic performance now works as expected in the described circumstances.
8.19. RHEL in cloud environments
The SR-IOV functionality of a network adapter attached to a Hyper-V VM now works reliably
Previously, when attaching a network adapter with single-root I/O virtualization (SR-IOV) enabled to a RHEL 9 virtual machine (VM) running on Microsoft Hyper-V hypervisor, the SR-IOV functionality in some cases did not work correctly. A bug in the Hyper-V specific memory-mapped I/O (MMIO) allocation code has been fixed and the SR-IOV functionality now works as expected on Hyper-V VMs.
SR-IOV no longer performs suboptimally in ARM 64 RHEL 9 virtual machines on Azure
Previously, SR-IOV networking devices had significantly lower throughput and higher latency than expected in ARM 64 RHEL 9 virtual machines (VMs) running on a Microsoft Azure platform. The problem has been fixed, and the affected VMs now perform as expected.
podman system connection add and podman image scp no longer fail
Podman uses SHA-1 hashes for the RSA key exchange. Previously, the regular SSH connection among machines using RSA keys worked, while the podman system connection add and podman image scp commands did not work using the same RSA keys, because the SHA-1 hashes were not accepted for key exchange on RHEL 9. With the update, the problem has been fixed.
Container images signed with a Beta GPG key can now be pulled
Previously, when you pulled RHEL Beta container images, Podman failed with the error message: Error: Source image rejected: None of the signatures were accepted. The images failed to be pulled due to current builds being configured to not trust the RHEL Beta GPG keys by default. With this update, the /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted keys. Because of this, the container images signed with GA and Beta GPG keys are now accepted in the default configuration.
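To show why a single-key signedBy requirement rejects an image signed with a second key and how a keyPaths list changes that, here is an added example (not Podman's code and not Red Hat's shipped policy). The registry name and key file paths are placeholders, scope matching is simplified to path-prefix stripping, and the signing key is identified by its file instead of verifying a real signature.

```python
# Placeholder key files; the policies below are constructed in the
# containers-policy.json structure.
GA_KEY = "/example/keys/release.gpg"
BETA_KEY = "/example/keys/beta.gpg"

OLD_POLICY = {
    "default": [{"type": "insecureAcceptAnything"}],
    "transports": {"docker": {"registry.example.com": [
        {"type": "signedBy", "keyType": "GPGKeys", "keyPath": GA_KEY},
    ]}},
}

NEW_POLICY = {
    "default": [{"type": "insecureAcceptAnything"}],
    "transports": {"docker": {"registry.example.com": [
        {"type": "signedBy", "keyType": "GPGKeys", "keyPaths": [GA_KEY, BETA_KEY]},
    ]}},
}


def requirements_for(policy, transport, repo):
    """Return (scope, requirements) for the most specific matching scope."""
    scopes = policy.get("transports", {}).get(transport, {})
    candidate = repo
    while candidate:
        if candidate in scopes:
            return candidate, scopes[candidate]
        candidate = candidate.rpartition("/")[0]  # drop the last path component
    if "" in scopes:  # per-transport default scope
        return "", scopes[""]
    return "default", policy["default"]


def trusted_key_files(requirement):
    """Collect key files from both the single-path and the list form."""
    files = []
    if "keyPath" in requirement:
        files.append(requirement["keyPath"])
    files.extend(requirement.get("keyPaths", []))
    return files


def evaluate(policy, transport, repo, signer_key_file):
    """Return (accepted, scope, reason). signer_key_file is None if unsigned."""
    scope, requirements = requirements_for(policy, transport, repo)
    for req in requirements:  # every requirement must be satisfied
        kind = req["type"]
        if kind == "insecureAcceptAnything":
            continue
        if kind == "signedBy":
            if signer_key_file in trusted_key_files(req):
                continue
            return False, scope, "no signature from a trusted key"
        # "reject" and any type this sketch does not model fail closed.
        return False, scope, f"requirement {kind!r} not satisfied"
    return True, scope, "accepted"


def scopes_accepting_unsigned(policy):
    """List (transport, scope) pairs where unsigned images are accepted."""
    found = []
    if all(r["type"] == "insecureAcceptAnything" for r in policy["default"]):
        found.append(("*", "default"))
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            if all(r["type"] == "insecureAcceptAnything" for r in reqs):
                found.append((transport, scope or "(transport default)"))
    return found


if __name__ == "__main__":
    repo = "registry.example.com/beta/app"
    print(evaluate(OLD_POLICY, "docker", repo, BETA_KEY))
    print(evaluate(NEW_POLICY, "docker", repo, BETA_KEY))
    print(scopes_accepting_unsigned(NEW_POLICY))
```

The last function is the audit a defender usually wants alongside the fix: widening the trusted key list for one registry does not change which scopes still accept unsigned images.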
Podman no longer fails to pull a container "X509: certificate signed by unknown authority"
Previously, if you had your own internal registry signed by your own CA certificate, you had to import the certificate onto your host machine. Otherwise, an error occurred:
x509: certificate signed by unknown authority
With this update, the problem has been fixed.
DNF and YUM no longer fail because of non-matching repository IDs
Previously, DNF and YUM repository IDs did not match the format that DNF or YUM expected. For example, if you ran the following example, the error occurred:
# podman run -ti ubi8-ubi
# dnf debuginfo-install dnsmasq
...
This system is not registered with an entitlement server. You can use subscription-manager to register.
With this update, the problem has been fixed. Suffix --debug-rpms was added to all debug repository names (for example ubi-8-appstream-debug-rpms), and also the suffix -rpms was added to all UBI repository names (for example
For more information, see Universal Base Images (UBI): Images, repositories, packages, and source code.