Chapter 8. Bug fixes

This part describes bugs fixed in Red Hat Enterprise Linux 9.4 that have a significant impact on users.

8.1. Installer and image creation

Anaconda displays WWID identifiers for multipath storage devices on the Installation Destination screen

Previously, Anaconda did not display any details, for example, device number, WWPN, or LUN for the multipath storage devices. As a consequence, it was difficult to select the correct installation destination from the Installation Destination > Add a disk screen. With this update, Anaconda now displays WWID identifiers for multipath storage devices. As a result, you can now easily identify and select the required installation destination on the advanced storage device screen.

Jira:RHEL-11384[1]

Installer now accepts additional time zone definitions in Kickstart files

Anaconda switched to a different, more restrictive method of validating time zone selections. This caused some time zone definitions, such as Japan, to become invalid despite having been accepted in previous versions. Legacy Kickstart files with these definitions had to be updated; otherwise, they defaulted to the America/New_York time zone.

The list of valid time zones was previously taken from pytz.common_timezones in the pytz Python library. This update changes the validation settings for the timezone Kickstart command to use pytz.all_timezones, which is a superset of the common_timezones list, and allows significantly more time zones to be specified. This change ensures that old Kickstart files made for Red Hat Enterprise Linux 6 still specify valid time zones.

Note: This change only applies to the timezone Kickstart command. The time zone selection in the graphical and text-based interactive interfaces remains unchanged. Existing Kickstart files for Red Hat Enterprise Linux 9 that had valid time zone selections do not require any updates.

Jira:RHEL-13150[1]

The installer now correctly creates a bond device with multiple ports and a BOOTIF option

Previously, the installation program created incorrect connection profiles when the installation was booted with a bond network device with multiple ports along with the BOOTIF boot option. Consequently, the device used by the BOOTIF option was not added to the bond device though it was configured as one of its ports.

With this update, the installation program now correctly creates profiles in initramfs when the BOOTIF boot option is used. As a result, all the specified ports are now added to the bond device on the installed system.

Jira:RHEL-4766

Anaconda replaces the misleading error message when failing to boot an installation image

Previously, when the installation program failed to boot the installation image, for example due to missing source of stage2 specified in inst.stage2 or inst.repo, Anaconda displayed the following misleading error message:

/run/anaconda/initrd_errors.txt: No such file or directory

With this update, Anaconda issues a proper warning message to minimize the confusion.

Jira:RHEL-5638

The new version of xfsprogs no longer shrinks the size of /boot

Previously, the xfsprogs package version 5.19 in RHEL 9.3 caused the size of /boot to shrink. As a consequence, the available space on the /boot partition differed from that of RHEL 9.2. This fix increases the /boot partition to 600 MiB for all images, instead of 500 MiB, so the /boot partition is no longer affected by space issues.

Jira:RHEL-7999

8.2. Security

Libreswan accepts IPv6 SAN extensions

Previously, the IPsec connection failed when setting up certificate-based authentication with a certificate that contained a subjectAltName (SAN) extension with an IPv6 address. With this update, the pluto daemon has been modified to accept IPv6 SANs as well as IPv4 SANs. As a result, the IPsec connection is now correctly established with an IPv6 address embedded in the certificate as an ID.

Jira:RHEL-12278

Rules for managing virtual routing with ip vrf are added to the SELinux policy

You can use the ip vrf command to manage virtual routing of other network services. Previously, selinux-policy did not contain rules to support this usage. With this update, SELinux policy rules allow explicit transitions from the ip domain to the httpd, sshd, and named domains. These transitions apply when the ip command uses the setexeccon library call.

Jira:RHEL-14246[1]

SELinux policy denies SSH login for unconfined users when unconfined_login is set to off

Previously, the SELinux policy was missing a rule to deny unconfined users from logging in via SSH when the unconfined_login boolean was set to off. As a consequence, with unconfined_login set to off, users could still log in through sshd into an unconfined domain. This update adds the rule to the SELinux policy, and as a result, users cannot log in via sshd as unconfined when unconfined_login is off.

Jira:RHEL-1551

SELinux policy allows rsyslogd to execute confined commands

Previously, the SELinux policy was missing a rule to allow the rsyslogd daemon to execute SELinux-confined commands, such as systemctl. As a consequence, commands executed as an argument of the omprog directive failed. This update adds rules to the SELinux policy so that executables in the /usr/libexec/rsyslog directory that are run as an argument of omprog are in the syslogd_unconfined_script_t unconfined domain. As a result, commands executed as an argument of omprog finish successfully.

Jira:RHEL-11174, Jira:RHEL-10087

kmod runs in the SELinux MLS policy

Previously, SELinux did not assign a private type to the /var/run/tmpfiles.d/static-nodes.conf file. As a consequence, the kmod utility might fail to work in the SELinux multi-level security (MLS) policy. This update adds the kmod_var_run_t label for /var/run/tmpfiles.d/static-nodes.conf to the SELinux policy, and as a result, kmod runs successfully in the SELinux MLS policy.

Jira:RHEL-1553

selinux-autorelabel runs in SELinux MLS policy

Previously, the SELinux policy did not assign a private type for the /usr/libexec/selinux/selinux-autorelabel utility. As a consequence, selinux-autorelabel.service might fail to work in the SELinux multi-level security (MLS) policy. This update adds the semanage_exec_t label to /usr/libexec/selinux/selinux-autorelabel, and as a result, selinux-autorelabel.service runs successfully in the SELinux MLS policy.

Jira:RHEL-14289

/bin = /usr/bin file context equivalency rule added to SELinux policy

Previously, the SELinux policy did not contain the /bin = /usr/bin file context equivalency rule. As a consequence, the restorecond daemon did not work correctly. This update adds the missing rule to the policy, and as a result, restorecond works correctly in SELinux enforcing mode.

IMPORTANT
This change overrides any local policy modules which use file context specification for a pattern in /bin.

Jira:RHEL-5032

SELinux policy contains rules for additional services and applications

This version of the selinux-policy package contains additional rules. Most notably, users in the sysadm_r role can execute the following commands:

  • sudo traceroute (RHEL-14077)
  • sudo tcpdump (RHEL-15432)

Jira:RHEL-15432

SELinux policy adds permissions for QAT firmware

Previously, when updating the Intel QuickAssist Technology (QAT) with the Intel VT-d kernel option enabled, missing SELinux permissions caused denials. This update adds additional permissions for the qat service. As a result, QAT can be updated correctly.

Jira:RHEL-19051[1]

Rsyslog can execute privileged commands through omprog

Previously, the omprog module of Rsyslog could not execute certain external programs, especially programs that contain privileged commands. As a consequence, the use of scripts that involve privileged commands through omprog was restricted. With this update, the SELinux policy was adjusted. Place your scripts into the /usr/libexec/rsyslog directory to ensure compatibility with the adjusted SELinux policy. As a result, Rsyslog now can execute scripts, including those with privileged commands, through the omprog module.

Jira:RHEL-5196

The semanage fcontext command no longer reorders local modifications

The semanage fcontext -l -C command lists local file context modifications stored in the file_contexts.local file. The restorecon utility processes the entries in the file_contexts.local from the most recent entry to the oldest. Previously, semanage fcontext -l -C listed the entries in an incorrect order. This mismatch between processing order and listing order caused problems when managing SELinux rules. With this update, semanage fcontext -l -C displays the rules in the correct and expected order, from the oldest to the newest.

Jira:RHEL-25263[1]
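The precedence rule described above, that restorecon takes the most recent matching entry in file_contexts.local, is what makes the listing order matter when auditing local rules. The following is an added example, not code from the release notes or from the SELinux project: it parses a constructed file_contexts.local sample, resolves which entry applies to a path, and shows the older entries that a newer overlapping pattern silently shadows.

```python
"""Resolve which file_contexts.local entry wins for a given path.

Added example (not part of the RHEL release notes or of SELinux itself).
It models the rule the note describes: restorecon processes
file_contexts.local from the most recent entry to the oldest, so the
newest matching pattern wins. The sample rules below are constructed.
"""
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    order: int      # position in file_contexts.local (0 = oldest)
    pattern: str    # regular expression matched against the whole path
    ftype: str      # optional file-type filter such as "-d", "" for any
    context: str    # security context to apply


# File-type tokens semanage may write between the pattern and the context.
FTYPE_TOKENS = {"--", "-d", "-c", "-b", "-s", "-l", "-p"}

# Constructed sample in the layout semanage writes: oldest rule first.
# The third rule was added last and overlaps the second one.
SAMPLE_FILE_CONTEXTS_LOCAL = """\
# constructed sample, not a real system file
/srv/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/srv/www/uploads(/.*)?    system_u:object_r:httpd_sys_rw_content_t:s0
/srv/www/upload.*    system_u:object_r:httpd_sys_content_t:s0
"""


def parse_file_contexts_local(text: str) -> List[Rule]:
    """Parse file_contexts.local into rules in the order they were added."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3 and fields[1] in FTYPE_TOKENS:
            pattern, ftype, context = fields
        elif len(fields) == 2:
            pattern, context = fields
            ftype = ""
        else:
            raise ValueError(f"unparsable file_contexts.local line: {line!r}")
        rules.append(Rule(len(rules), pattern, ftype, context))
    return rules


def matching_rules(rules: List[Rule], path: str) -> List[Rule]:
    """Rules matching `path` in restorecon's processing order (newest first).

    The first element is the one that wins; any further elements are
    shadowed for this path and are worth a second look during review.
    """
    return [r for r in reversed(rules) if re.fullmatch(r.pattern, path)]


def resolve_context(rules: List[Rule], path: str) -> Optional[str]:
    """Return the context restorecon would apply, or None if no local rule matches."""
    matches = matching_rules(rules, path)
    return matches[0].context if matches else None


def listing_order(rules: List[Rule]) -> List[str]:
    """Patterns in the order `semanage fcontext -l -C` shows them after the fix: oldest to newest."""
    return [r.pattern for r in rules]


RULES = parse_file_contexts_local(SAMPLE_FILE_CONTEXTS_LOCAL)

if __name__ == "__main__":
    for path in ("/srv/www/index.html", "/srv/www/uploads/a.png", "/etc/passwd"):
        print(path, "->", resolve_context(RULES, path))
        for r in matching_rules(RULES, path)[1:]:
            print("   shadowed:", r.pattern, r.context)
```

For /srv/www/uploads/a.png the newest rule wins, so the directory intended to be writable by httpd ends up labelled read-only; reviewing the listing in the fixed oldest-to-newest order makes such shadowing visible.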

CardOS 5.3 cards with offsets no longer cause problems in OpenSC

Previously, file caching did not work correctly for some CardOS 5.3 cards that stored certificates at different offsets of a single PKCS #15 file. This occurred because file caching ignored the offset part of the file path, which caused the cache entry to be repeatedly overwritten and invalid data to be read from the file cache. The problem was identified and fixed upstream, and after this update, CardOS 5.3 cards work correctly with the file cache.

Jira:RHEL-4079[1]

8.3. Subscription management

subscription-manager no longer retains nonessential text in the terminal

Starting with RHEL 9.1, subscription-manager displays progress information while processing any operation. Previously, for some languages, typically non-Latin ones, the progress messages were not cleaned up after the operation finished. With this update, all the messages are cleaned up properly when the operation finishes.

If you have disabled the progress messages before, you can re-enable them by entering the following command:

# subscription-manager config --rhsm.progress_messages=1

Bugzilla:2136694[1]

8.4. Software management

The librhsm library now returns the correct /etc/rhsm-host prefix if librhsm is run in a container

The librhsm library rewrites path prefixes to CA certificates from the /etc/rhsm to /etc/rhsm-host path if librhsm is run in a container. Previously, librhsm returned the wrong /etc/rhsm-host-host prefix because of a string manipulation mistake. With this update, the issue has been fixed, and the librhsm library now returns the correct /etc/rhsm-host prefix.

Jira:RHEL-14224

systemd now correctly manages the /run/user/0 directory created by librepo

Previously, if the librepo functions were called from an Insights client before logging in as root, the /run/user/0 directory could be created with a wrong SELinux context type. This prevented systemd from cleaning the directory after you logged out from root.

With this update, the librepo package now sets a default creation type according to default file system labeling rules defined in a SELinux policy. As a result, systemd now correctly manages the /run/user/0 directory created by librepo.

Jira:RHEL-11240

systemd now correctly manages the /run/user/0 directory created by libdnf

Previously, if the libdnf functions were called from an Insights client before logging in as root, the /run/user/0 directory could be created with a wrong SELinux context type. This prevented systemd from cleaning the directory after you logged out from root.

With this update, the libdnf package now sets a default creation type according to default file system labeling rules defined in a SELinux policy. As a result, systemd now correctly manages the /run/user/0 directory created by libdnf.

Jira:RHEL-11238

The dnf needs-restarting --reboothint command now recommends a reboot to update the CPU microcode

To fully update the CPU microcode, you must reboot a system. Previously, when you installed the microcode_ctl package, which contains the updated CPU microcode, the dnf needs-restarting --reboothint command did not recommend the reboot. With this update, the issue has been fixed, and dnf needs-restarting --reboothint now recommends a reboot to update the CPU microcode.

Jira:RHEL-4600

8.5. Shells and command-line tools

The top -u command now displays at least one process when you sort the processes by memory

Previously, when you executed the top command with the -u <user> parameter, where the user was different from the one running the command, all processes disappeared when the M key was pressed to sort the processes by memory. With this update, the top command displays at least one process when you sort the processes by memory.

Note

To preserve the position of the cursor, not all processes are displayed. You can scroll up through the results to display the remaining processes.

Jira:RHEL-16278

ReaR now determines the presence of a BIOS boot loader when both BIOS and UEFI boot loaders are installed

Previously, in a hybrid boot loader setup (UEFI and BIOS), when UEFI was used to boot, Relax-and-Recover (ReaR) restored only the UEFI boot loader and not the BIOS boot loader. This resulted in a system that had a GUID Partition Table (GPT) and a BIOS Boot Partition, but no BIOS boot loader. In this situation, ReaR failed to create the rescue image: the attempt to produce a backup or a rescue image by using the rear mkbackup or rear mkrescue command failed with the following error message:

ERROR: Cannot autodetect what is used as boot loader, see default.conf about 'BOOTLOADER'.

With this update, ReaR determines the presence of both UEFI and BIOS boot loaders, restores them, and does not fail when it does not encounter the BIOS boot loader on the system with the BIOS Boot Partition in GPT. As a result, systems with the hybrid UEFI and BIOS boot loader setup can be backed up and recovered multiple times.

Jira:RHEL-16864[1]

ReaR no longer uses the logbsize, sunit and swidth mount options during recovery

Previously, when restoring an XFS file system with parameters different from the original ones by using the MKFS_XFS_OPTIONS configuration setting, Relax-and-Recover (ReaR) mounted this file system with mount options applicable to the original file system, but not to the restored file system. As a consequence, the disk layout recreation failed with the following error message when ReaR ran the mount command:

wrong fs type, bad option, bad superblock on and missing codepage or helper program, or other error.

The kernel log displayed either of the following messages:

logbuf size must be greater than or equal to log stripe size
alignment check failed: sunit/swidth vs. agsize

With this update, ReaR avoids using the logbsize, sunit and swidth mount options when mounting recreated XFS file systems. As a result, when you use the MKFS_XFS_OPTIONS configuration setting, the disk layout recreation succeeds.

Jira:RHEL-10478[1]

ReaR recovery no longer fails on systems with a small thin pool metadata size

Previously, ReaR did not save the size of the pool metadata volume when saving a layout of an LVM volume group with a thin pool. During recovery, ReaR recreated the pool with the default size even if the system used a non-default pool metadata size.

As a consequence, when the original pool metadata size was smaller than the default size and no free space was available in the volume group, the layout recreation during system recovery failed with a message in the log similar to these examples:

Insufficient free space: 230210 extents needed, but only 230026 available

or

Volume group "vg" has insufficient free space (16219 extents): 16226 required.

With this update, the recovered system has a metadata volume with the same size as the original system. As a result, the recovery of a system with a small thin pool metadata size and no extra free space in the volume group finishes successfully.

Jira:RHEL-6984

ReaR now preserves logs from the bprestore command of NetBackup in the rescue system and the recovered system

Previously, when using the NetBackup integration (BACKUP=NBU), ReaR added the log from the bprestore command during recovery to a directory that was deleted on exit. Additionally, ReaR did not save further logs produced by the command under the /usr/openv/netbackup/logs/bprestore/ directory on the recovered system.

As a consequence, if the bprestore command failed during recovery, the logs were deleted unless the rear recover command was run with the -d or -D option. Moreover, even if the recovery finished successfully, the logs under /usr/openv/netbackup/logs/bprestore/ directory were lost after a reboot and could not be examined.

With this update, ReaR keeps the log from the bprestore command in the /var/lib/rear/restore directory in the rescue system where it persists after the rear recover command has finished until the rescue system is rebooted. If the system is recovered, all logs from /usr/openv/netbackup/logs/bprestore/ are copied to the /var/log/rear/recover/restore directory together with the log from /var/lib/rear/restore in case further examination is required.

Jira:RHEL-17393

ReaR no longer fails during recovery if the TMPDIR variable is set in the configuration file

Previously, the ReaR default configuration file /usr/share/rear/conf/default.conf contained the following instructions:

# To have a specific working area directory prefix for Relax-and-Recover
# specify in /etc/rear/local.conf something like
#
#   export TMPDIR="/prefix/for/rear/working/directory"
#
# where /prefix/for/rear/working/directory must already exist.
# This is useful for example when there is not sufficient free space
# in /tmp or $TMPDIR for the ISO image or even the backup archive.

The instructions mentioned above did not work correctly because the TMPDIR variable had the same value in the rescue environment, which was not correct if the directory specified in the TMPDIR variable did not exist in the rescue image.

As a consequence, when the rescue image was booted, setting and exporting TMPDIR in the /etc/rear/local.conf file led to the following error:

mktemp: failed to create file via template '/prefix/for/rear/working/directory/tmp.XXXXXXXXXX': No such file or directory
cp: missing destination file operand after '/etc/rear/mappings/mac'
Try 'cp --help' for more information.
No network interface mapping is specified in /etc/rear/mappings/mac

or the following error and cancel later, when running rear recover:

ERROR: Could not create build area

With this update, ReaR clears the TMPDIR variable in the rescue environment. ReaR also detects when the variable has been set in /etc/rear/local.conf, and prints a warning if the variable is set. The comment in /usr/share/rear/conf/default.conf has been changed to instruct to set and export TMPDIR in the environment before executing rear instead of setting it in /etc/rear/local.conf.

If the command export TMPDIR=… is used in /etc/rear/local.conf, ReaR now prints the following warning:

Warning: Setting TMPDIR in a configuration file is deprecated. To specify a working area directory prefix, export TMPDIR before executing 'rear'

As a result, the recovery is successful in the described configuration.

Setting TMPDIR in a configuration file such as /etc/rear/local.conf is now deprecated and the functionality will be removed in a future release. It is recommended to remove such settings from /etc/rear/local.conf, and to set and export TMPDIR in the environment before calling ReaR instead.

Jira:RHEL-24847

8.6. Networking

wwan_hwsim is now in the kernel-modules-internal package

The wwan_hwsim kernel module provides a framework for simulating and testing various networking scenarios that use wireless wide area network (WWAN) devices. Previously, wwan_hwsim was part of the kernel-modules-extra package. With this release, it has moved to the kernel-modules-internal package, which contains other similarly oriented utilities. Note that the WWAN feature for PCI modems is still a Technology Preview.

Jira:RHEL-24618[1]

The xdp-loader features command now works as expected

The xdp-loader utility was compiled against the previous version of libbpf. As a consequence, xdp-loader features failed with an error:

Cannot display features, because xdp-loader was compiled against an old version of libbpf without support for querying features.

The utility is now compiled against the correct libbpf version. As a result, the command now works as expected.

Jira:RHEL-3382

Mellanox ConnectX-5 adapter works in the DMFS mode

Previously, while using the Ethernet switch device driver model (switchdev) mode, the mlx5 driver failed if configured in the device managed flow steering (DMFS) mode on the ConnectX-5 adapter. Consequently, the following error message appeared:

mlx5_core 0000:5e:00.0: mlx5_cmd_out_err:780:(pid 980895): DELETE_FLOW_TABLE_ENTRY(0x938) op_mod(0x0) failed, status bad resource(0x5), syndrome (0xabe70a), err(-22)

As a result, after you update the firmware of the ConnectX-5 adapter to version 16.35.3006 or later, the error message no longer appears.

Jira:RHEL-9897[1]

8.7. Kernel

crash was rebased to version 8.0.4

The crash utility was upgraded to version 8.0.4, which provides multiple bug fixes. Notable repairs include:

  • Fixed the segmentation fault when the non-panicking CPUs failed to stop during the kernel panic.
  • The critical error incorrectly did not cause the kernel panic when the panic_on_oops kernel parameter was disabled.
  • The crash utility did not properly resolve the hashed freelist pointers for the kernels compiled with the CONFIG_SLAB_FREELIST_HARDENED=y configuration option.
  • The kernel module memory layout terminology changed: module_layout was replaced with module_memory to better indicate the memory-related aspects handled by the crash utility. Without this change, crash could not start a session and reported an error message such as:

    crash: invalid structure member offset: module_core_size
           FILE: kernel.c  LINE: 3787  FUNCTION: module_init()

Jira:RHEL-9009

tuna launches GUI when needed

Previously, if you ran the tuna utility without any subcommand, it launched the GUI. This behavior was desirable if you had a display, but on a machine without a display, tuna did not exit gracefully. With this update, tuna detects whether you have a display, and the GUI is launched or not launched accordingly.

Jira:RHEL-8859[1]

Intel TPM chips are now detected correctly

Previously, a side effect in a bug fix to AMD Trusted Platform Module (TPM) chips also affected Intel TPM chips. As a consequence, RHEL failed to detect certain Intel TPM chips.

With this update, the AMD TPM bug fix has been revised. As a result, RHEL now detects the Intel TPM chips correctly.

Jira:RHEL-18985[1]

RHEL previously failed to recognize NVMe disks when VMD was enabled

When you reset or reattached a driver, the Volume Management Device (VMD) domain previously did not soft-reset. Consequently, the hardware could not properly detect and enumerate its devices. With this update, the operating system with VMD enabled now correctly recognizes NVMe disks, especially when resetting a server or working with a VM machine.

Bugzilla:2128610[1]

8.8. File systems and storage

multipathd now successfully removes devices that have outstanding queued I/O

Previously, the multipathd command did not disable the queue_if_no_path parameter before removing a device. This caused a hang only if there was outstanding queued I/O to the multipath device itself, and not to its partition devices. Consequently, multipathd hung and could no longer maintain the multipath devices. With this update, multipathd disables queuing before executing a remove command such as multipath -F, multipath -f <device>, multipathd remove maps, or multipathd remove map <device>. As a result, multipathd now successfully removes devices that have outstanding queued I/O.

Jira:RHEL-4998[1]

The no_read_workqueue, no_write_workqueue, and try_verify_in_tasklet options of the dm-crypt and dm-verity devices are temporarily disabled

Previously, the dm-crypt devices created by using either the no_read_workqueue or no_write_workqueue option and dm-verity devices created by using the try_verify_in_tasklet option caused memory corruption. Consequently, random kernel memory was corrupted, which caused various system problems. With this update, these options are temporarily disabled. Note that this fix can cause dm-verity and dm-crypt to perform slower on some workloads.

Jira:RHEL-23572[1]

Multipathd now checks if a device is incorrectly queuing I/O

Previously, a multipath device restarted queuing I/O, even though it was configured to fail, under the following conditions:

  • The multipath device was configured with the queue_if_no_path parameter set to several retries.
  • A path device was removed from the multipath device that had no working paths and was no longer queuing I/O.

With this update, the issue has been fixed. As a result, multipath devices no longer restart queuing I/O if queuing is disabled and a path is removed while there are no usable paths.

Jira:RHEL-17234[1]

Removing duplicate entry from nvmf_log_connect_error

Previously, due to a duplicate commit merge error, a log message was repeated in the nvmf_log_connect_error kernel function. Consequently, when the kernel was unable to connect to a fabric-attached Non-volatile Memory Express (NVMe) device, the Connect command failed message appeared twice. With this update, the duplicate log message is now removed from the kernel, resulting in only a single log message available for each error.

Jira:RHEL-21545[1]

The kernel no longer crashes when namespaces are added and removed

Previously, when NVMe namespaces were rapidly added and removed, a namespace could disappear between the successive commands used to probe it. In a specific case, a storage array did not return an invalid namespace error but instead returned a buffer filled with zeros. Consequently, the kernel crashed with a divide-by-zero error. With this update, the kernel validates the data in the responses to the Identify Namespace commands issued to the storage. As a result, the kernel no longer crashes.

Jira:RHEL-14751[1]

The newly allocated sections of the data device are now properly aligned

Previously, when a Stratis pool was expanded, the new regions of the pool could be allocated, but they were not correctly aligned with the previously allocated regions. Consequently, this could cause performance degradation along with a nonzero entry in the Stratis thin pool's alignment_offset file in sysfs. With this update, when the pool expands, the newly allocated region of the data device is properly aligned with the previously allocated region. As a result, there is no degradation in performance and no nonzero entry in the Stratis thin pool's alignment_offset file in sysfs.

Jira:RHEL-16736

System boots correctly when adding a NVMe-FC device as a mount point in /etc/fstab

Previously, due to a known issue in the nvme-cli nvmf-autoconnect systemd services, systems failed to boot when Non-volatile Memory Express over Fibre Channel (NVMe-FC) devices were added as a mount point in the /etc/fstab file. Consequently, the system entered emergency mode. With this update, a system boots without any issue when mounting an NVMe-FC device.

Jira:RHEL-8171[1]

LUNs are now visible during the operating system installation

Previously, the system was not using the authentication information from firmware sources, specifically in cases involving iSCSI hardware offload with CHAP (Challenge-Handshake Authentication Protocol) authentication stored in the iSCSI iBFT (Boot Firmware Table). As a consequence, the iSCSI login failed during installation.

With the fix to firmware authentication in udisks2-2.9.4-9.el9, this issue is now resolved, and LUNs are visible during the installation and the initial boot.

Bugzilla:2213769[1]

8.9. High availability and clusters

Configuring the tls and keep_active_partition_tie_breaker quorum device options without specifying --force

Previously, when configuring a quorum device, a user could not configure the tls and keep_active_partition_tie_breaker options for a quorum device model net without specifying the --force option. With this update, configuring these options no longer requires you to specify --force.

Jira:RHEL-7746

Issues with moving and banning clone and bundle resources now corrected

This bug fix addresses two limitations of moving bundled and clone resources:

  • When a user tried to move a bundled resource out of its bundle or ban it from running in its bundle, pcs created a constraint but the constraint had no effect. This caused the move to fail with an error message. With this fix, pcs disallows moving and banning bundled resources from their bundles and prints an error message noting that bundled resources cannot be moved out of their bundles.
  • When a user tried to move a bundle or clone resource, pcs exited with an error message noting that bundle or clone resources cannot be moved. This fix relaxes validation of move commands. It is now possible to move clone and bundle resources. When moving clone resources, you must specify a destination node if more than one instance of a clone is running. Only one-replica bundles can be moved.

Jira:RHEL-7744

Output of pcs status command no longer shows warning for expired constraints

Previously, when moving a cluster resource created a temporary location constraint, the pcs status command displayed a warning even after the constraint expired. With this fix, the pcs status command filters out expired constraints and they no longer generate a warning message in the command output.

Jira:RHEL-7669

Disabling the auto_tie_breaker quorum option no longer allowed when SBD fencing requires it

Previously, pcs allowed a user to disable the auto_tie_breaker quorum option even when a cluster configuration required this option for SBD fencing to work correctly. With this fix, pcs generates an error message when a user attempts to disable auto_tie_breaker on a system where SBD fencing requires that the auto_tie_breaker option be enabled.

Jira:RHEL-7730

8.10. Dynamic programming languages, web and database servers

httpd works correctly if a DAV repository location is configured by using a regular expression match

Previously, if a Distributed Authoring and Versioning (DAV) repository was configured in the Apache HTTP Server by using a regular expression match (such as LocationMatch), the mod_dav httpd module was unable to determine the root of the repository from the path name. As a consequence, httpd did not handle requests from third-party providers (for example, Subversion's mod_dav_svn module).

With this update, you can specify the repository root path by using the new DavBasePath directive in the httpd.conf file. For example:

<LocationMatch "^/repos/">
    DAV svn
    DavBasePath /repos
    SVNParentPath /var/www/svn
</LocationMatch>

As a result, httpd handles requests correctly if a DAV repository location is configured by using a regular expression match.

Jira:RHEL-6600

8.11. Compilers and development tools

ldconfig no longer crashes after an interrupted system upgrade

Previously, the ldconfig utility terminated unexpectedly with a segmentation fault when processing incomplete shared objects left in the /usr/lib64 directory after an interrupted system upgrade. With this update, ldconfig ignores temporary files written during system upgrades. As a result, ldconfig no longer crashes after an interrupted system upgrade.

Jira:RHEL-14383

glibc now uses the number of configured processors for malloc arena tuning

Previously, glibc used the per-thread CPU affinity mask for tuning the maximum arena count for malloc. As a consequence, restricting the thread affinity mask to a small subset of CPUs in the system could lead to performance degradation.

glibc has been changed to use the configured number of CPUs for determining the maximum arena count. As a result, applications use a larger number of arenas, even when running with a restricted per-thread CPU affinity mask, and the performance degradation no longer occurs.

Jira:RHEL-17157[1]

Improved glibc compatibility with applications using dlclose on shared objects involved in a dependency cycle

Previously, when unloading a shared object in a dependency cycle using the dlclose function in glibc, that object’s ELF destructor might not have been called before all other objects were unloaded. As a consequence of this late ELF destructor execution, applications experienced crashes and other errors due to the initial shared object’s dependencies already being deinitialized.

With this update, glibc has been fixed to first call the ELF destructor of the immediate object being unloaded before any other ELF destructors are executed. As a result, compatibility with applications using dlclose on shared objects involved in a dependency cycle is improved and crashes no longer occur.

Jira:RHEL-2491[1]

make no longer tries to run directories

Previously, make did not check if an executable it was trying to run was actually an executable. Consequently, if the path included a directory with the same name as the executable, make tried to run the directory instead. With this update, make now does additional checks when searching for an executable. As a result, make no longer tries to run directories.

Jira:RHEL-22829
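
To show the kind of check described above, here is an added Go example (not make's own code) of a PATH lookup that accepts only regular files with an execute bit, so a directory that happens to carry the program's name is skipped; the bin1/bin2 fixture layout is constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrNotFound is returned when no regular, executable file matches the name.
var ErrNotFound = errors.New("executable file not found in search path")

// isExecutableFile reports whether path is a regular file with at least one
// execute bit set. A directory carrying the program's name exists on the
// search path but fails this check, which is the case make used to get wrong.
func isExecutableFile(path string) bool {
	info, err := os.Stat(path)
	if err != nil {
		return false
	}
	return info.Mode().IsRegular() && info.Mode()&0o111 != 0
}

// lookPath searches the directories of searchPath (separated like $PATH) for
// name and returns the first entry that is a real executable file. Directories
// and non-executable files with that name are skipped, not returned.
func lookPath(name, searchPath string) (string, error) {
	for _, dir := range filepath.SplitList(searchPath) {
		if dir == "" {
			dir = "." // an empty PATH element means the current directory
		}
		candidate := filepath.Join(dir, name)
		if isExecutableFile(candidate) {
			return candidate, nil
		}
	}
	return "", ErrNotFound
}

// buildFixture creates a constructed layout under root: bin1/tool is a
// directory and bin2/tool is an executable script. The returned search path
// lists bin1 first, so a plain existence check would pick the directory.
func buildFixture(root string) (string, error) {
	dir1 := filepath.Join(root, "bin1")
	dir2 := filepath.Join(root, "bin2")
	if err := os.MkdirAll(filepath.Join(dir1, "tool"), 0o755); err != nil {
		return "", err
	}
	if err := os.MkdirAll(dir2, 0o755); err != nil {
		return "", err
	}
	script := []byte("#!/bin/sh\necho ok\n")
	if err := os.WriteFile(filepath.Join(dir2, "tool"), script, 0o755); err != nil {
		return "", err
	}
	return dir1 + string(os.PathListSeparator) + dir2, nil
}

func main() {
	root, err := os.MkdirTemp("", "lookpath-demo")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer os.RemoveAll(root)
	searchPath, err := buildFixture(root)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	found, err := lookPath("tool", searchPath)
	fmt.Println("resolved:", found, "err:", err) // bin2/tool, not the bin1/tool directory
}
```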

Improved glibc wide-character write performance

Previously, the wide stdio stream implementation in glibc did not treat the default buffer size as large enough for wide-character write operations and used a 16-byte fallback buffer instead, negatively impacting performance. With this update, buffer management is fixed and the entire write buffer is used. As a result, glibc wide-character write performance is improved.

Jira:RHEL-19862[1]

The glibc getaddrinfo function now correctly reads nscd cache information

Previously, a bug in the glibc getaddrinfo function could cause it to occasionally return empty elements in the list of address information structures. With this update, the getaddrinfo function has been fixed to read and translate nscd cache data correctly and, as a result, returns correct address information.

Jira:RHEL-16643

Improved glibc compatibility with applications using dlclose on shared objects involved in a dependency cycle

Previously, when unloading a shared object in a dependency cycle using the dlclose function in glibc, that object’s ELF destructor might not have been called before all other objects were unloaded. As a consequence of this late ELF destructor execution, applications experienced crashes and other errors due to the initial shared object’s dependencies already being deinitialized.

With this update, glibc has been fixed to first call the ELF destructor of the immediate object being unloaded before any other ELF destructors are executed. As a result, compatibility with applications using dlclose on shared objects involved in a dependency cycle is improved and crashes no longer occur.

Jira:RHEL-12362

nscd no longer fails to start due to inconsistent cache expiry information

Previously, the glibc Name Service Switch Caching Daemon (nscd) could fail to start due to inconsistent cache expiry information in the persistent cache file. With this update, nscd marks cache entries with inconsistent timing information for deletion and skips them. As a result, nscd no longer fails to start due to inconsistent cache expiry information.

Jira:RHEL-3397

Consistently fast glibc thread-local storage performance

Previously, the glibc dynamic linker did not adjust certain thread-local storage (TLS) metadata after shared objects with TLS were loaded by using the dlopen() function, which consequently caused slow TLS access. With this update, the dynamic linker now updates TLS metadata for TLS changes caused by dlopen() calls. As a result, TLS access is consistently fast.

Jira:RHEL-2123

8.12. Identity Management

Allocated memory now released when an operation is completed

Previously, memory allocated by the Kerberos Credential Manager (KCM) for each operation was not released until the connection was closed. As a result, client applications that opened a connection and ran many operations on it showed a noticeable memory increase. With this update, the memory allocated for an operation is released as soon as the operation is completed.

Jira:SSSD-7015

IdM clients correctly retrieve information for trusted AD users when their names contain mixed case characters

Previously, if you attempted a user lookup or authentication for a trusted Active Directory (AD) user whose name contained mixed case characters and who was configured with overrides in IdM, an error was returned, preventing the user from accessing IdM resources.

With this update, the case-sensitive comparison is replaced with a case-insensitive comparison. As a result, IdM clients can now look up users of an AD trusted domain, even if their usernames contain mixed case characters and they are configured with overrides in IdM.

Jira:SSSD-6096

SSSD correctly returns an error if no grace logins remain while changing a password

Previously, if a user’s LDAP password had expired, SSSD tried to change the password even after the initial bind of the user failed as there were no more grace logins left. However, the error returned to the user did not indicate the reason for the failure. With this update, the request to change the password is aborted if the bind fails and SSSD returns an error message indicating there are no more grace logins and the password must be changed by another means.

Jira:SSSD-6184

Removing systems from a domain using the realm leave command

Previously, if multiple names were set for the ad_server option in the sssd.conf file, running the realm leave command resulted in parsing errors and the system was not removed from the domain. With this update, the ad_server option is properly evaluated, the correct domain controller name is used, and the system is correctly removed from the domain.

Jira:SSSD-6081

KCM logs to the correct sssd_kcm.log file

Previously, logrotate correctly rotated the Kerberos Credential Manager (KCM) log files but KCM incorrectly wrote the logs to the old log file, sssd_kcm.log.1. If KCM was restarted, it used the correct log file. With this update, after logrotate is invoked, log files are rotated and KCM correctly logs to the sssd_kcm.log file.

Jira:SSSD-6652

The realm leave --remove command no longer asks for credentials

Previously, the realm utility did not correctly check if a valid Kerberos ticket was available when running the realm leave operation. As a result, users were asked to enter a password even though a valid Kerberos ticket was available. With this update, realm now correctly verifies if there is a valid Kerberos ticket and no longer requests the user to enter a password when running the realm leave --remove command.

Jira:SSSD-6425

KDC now runs extra checks when general constrained delegation requests are processed

Previously, the forwardable flag in Kerberos tickets issued by KDCs running on Red Hat Enterprise Linux 8 was vulnerable, allowing unauthorized modification without detection. This vulnerability could lead to impersonation attacks, even from or by users without specific privileges. With this update, KDC runs extra checks when it processes general constrained delegation requests, ensuring detection and rejection of unauthorized flag modifications, thus removing the vulnerability.

Jira:RHEL-9984[1]

Check on the forwardable flag is disabled in cases where SIDs are generated for the domain

Previously, the update providing a fix for CVE-2020-17049 relied on the Kerberos PAC to run certain checks on the ticket forwardable flag when the KDC processes a general constrained delegation request. However, the PAC is generated only on domains where the SIDs generation task was executed in the past. While this task is automatically performed for all IdM domains created on Red Hat Enterprise Linux (RHEL) 8.5 and newer, domains initialized on older versions require manual execution of this task.

In case the SIDs generation task was never executed manually for IdM domains initialized on RHEL 8.4 and older, the PAC will be missing on Kerberos tickets, resulting in rejection of all general constrained delegation requests. This includes IdM’s HTTP API, which relies on general constrained delegation.

With this update, the check of the forwardable flag is disabled in cases where SIDs were not generated for the domain. Services relying on general constrained delegation, including IdM HTTP API, continue working. However, Red Hat recommends running the SIDs generation task on the domain as soon as possible, especially if the domain has custom general constrained delegation rules configured. Until this is done, the domain remains vulnerable to CVE-2020-17049.

Jira:RHEL-22313

IdM Vault encryption and decryption no longer fails in FIPS mode

Previously, IdM Vault used OpenSSL RSA-PKCS1v15 as the default padding wrapping algorithm. However, none of the FIPS certified modules in RHEL supported PKCS#1 v1.5 as a FIPS approved algorithm, causing IdM Vault to fail in FIPS mode. With this update, IdM Vault supports the RSA-OAEP padding wrapping algorithm as a fallback. As a result, IdM Vault encryption and decryption now work correctly in FIPS mode.

Jira:RHEL-12143[1]
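
As an added Go example, not code from IdM Vault or these release notes, the following program models the padding fallback described above: wrapping a vault's symmetric key with RSA PKCS#1 v1.5 is refused when FIPS mode is enforced, and RSA-OAEP (SHA-256, MGF1) is used instead. The wrapWithFallback policy, the mode-selection flag and the sample secret are assumptions for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrapMode is the RSA padding used to wrap a vault's symmetric key.
type WrapMode int

const (
	WrapPKCS1v15 WrapMode = iota // the previous default padding
	WrapOAEP                     // RSA-OAEP with SHA-256 and MGF1, usable in FIPS mode
)

// ErrNotFIPSApproved is returned when PKCS#1 v1.5 encryption is requested
// while FIPS mode is enforced.
var ErrNotFIPSApproved = errors.New("RSA PKCS#1 v1.5 encryption is not FIPS approved")

// wrapKey encrypts key under pub with the requested padding. In FIPS mode the
// PKCS#1 v1.5 path is refused rather than silently producing a non-approved wrapping.
func wrapKey(pub *rsa.PublicKey, key []byte, mode WrapMode, fipsMode bool) ([]byte, error) {
	switch mode {
	case WrapPKCS1v15:
		if fipsMode {
			return nil, ErrNotFIPSApproved
		}
		return rsa.EncryptPKCS1v15(rand.Reader, pub, key)
	case WrapOAEP:
		return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	}
	return nil, fmt.Errorf("unknown wrap mode %d", mode)
}

// unwrapKey reverses wrapKey; mode must be the padding that was used to wrap,
// so the wrapping mode has to be stored next to the wrapped key.
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte, mode WrapMode) ([]byte, error) {
	switch mode {
	case WrapPKCS1v15:
		return rsa.DecryptPKCS1v15(nil, priv, wrapped)
	case WrapOAEP:
		return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	}
	return nil, fmt.Errorf("unknown wrap mode %d", mode)
}

// wrapWithFallback is the assumed policy modelled on the fix: keep PKCS#1 v1.5
// as the default and fall back to RSA-OAEP when FIPS mode refuses it. It
// returns the ciphertext together with the mode that was actually used.
func wrapWithFallback(pub *rsa.PublicKey, key []byte, fipsMode bool) ([]byte, WrapMode, error) {
	wrapped, err := wrapKey(pub, key, WrapPKCS1v15, fipsMode)
	if errors.Is(err, ErrNotFIPSApproved) {
		wrapped, err = wrapKey(pub, key, WrapOAEP, fipsMode)
		return wrapped, WrapOAEP, err
	}
	return wrapped, WrapPKCS1v15, err
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway demo key pair
	if err != nil {
		fmt.Println("keygen:", err)
		return
	}
	secret := []byte("constructed-32-byte-vault-secret") // constructed sample key
	wrapped, mode, err := wrapWithFallback(&priv.PublicKey, secret, true)
	if err != nil {
		fmt.Println("wrap:", err)
		return
	}
	plain, err := unwrapKey(priv, wrapped, mode)
	fmt.Println("fips mode used OAEP:", mode == WrapOAEP, "roundtrip ok:", err == nil && string(plain) == string(secret))
}
```

In a real deployment the chosen mode must be recorded with the wrapped key, since decrypting OAEP ciphertext as PKCS#1 v1.5 (or the reverse) fails rather than recovering the key.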

Directory Server no longer fails after abandoning the paged result search

Previously, a race condition caused heap corruption and a Directory Server failure when a paged result search was abandoned. With this update, the race condition has been fixed, and the Directory Server failure no longer occurs.

Jira:RHEL-16830[1]

If the nsslapd-numlisteners attribute value is more than 2, Directory Server no longer fails

Previously, if the nsslapd-numlisteners attribute value was higher than 2, Directory Server sometimes closed the listening file descriptor instead of the accepted file descriptor. As a consequence, a segmentation fault occurred in Directory Server. With this update, Directory Server closes the correct descriptor and continues listening on ports correctly.

Jira:RHEL-17175

The autobind operation no longer impacts operations performed on other connections

Previously, while an autobind operation was in progress, Directory Server stopped listening for new operations on any connection. With this update, the autobind operation does not impact operations performed on other connections.

Jira:RHEL-5111

The IdM client installer no longer specifies the TLS CA configuration in the ldap.conf file

Previously, the IdM client installer specified the TLS CA configuration in the ldap.conf file. With this update, OpenLDAP uses the default truststore and the IdM client installer does not set up the TLS CA configuration in the ldap.conf file.

Bugzilla:2094673

8.13. The web console

VNC console now works at most resolutions

Previously, when using the Virtual Network Computing (VNC) console under certain display resolutions, a mouse offset problem was present or only a part of the interface was visible. Consequently, using the VNC console was not possible.

With this update, the problem has been fixed and the VNC console works correctly at most resolutions, with the exception of ultra high resolutions, such as 3840 x 2160 px.

Note that a small offset between the recorded and displayed positions of the cursor might still be present. However, this does not significantly impact the usability of the VNC console.

Bugzilla:2030836

8.14. Red Hat Enterprise Linux System Roles

Cluster start no longer times out when the SBD delay-start value is high

Previously, when a user configured SBD fencing in a cluster by using the ha_cluster System Role and set the delay-start option to a value close to or higher than 90 seconds, the cluster start timed out. This is because the default systemd start timeout is 90 seconds, which the system reached before the SBD start delay value. With this fix, the ha_cluster System Role overrides the sbd.service start timeout in systemd so that it is higher than the value of delay-start. This allows the system to start successfully even with high values of the delay-start option.

Jira:RHEL-18026[1]

network role validates routing rules with 0.0.0.0/0 or ::/0

Previously, when the from: or to: settings were set to the 0.0.0.0/0 or ::/0 addresses in the routing rule, the network RHEL System Role failed to configure the routing rule and rejected the settings as invalid. With this update, the network role allows 0.0.0.0/0 and ::/0 for from: and to: in routing rule validation. As a result, the role successfully configures the routing rules without raising the validation errors.

Jira:RHEL-1683

Running read-scale clusters and installing mssql-server-ha no longer requires certain variables

Previously, if you used the mssql RHEL System Role to configure a read-scale cluster without certain variables (mssql_ha_virtual_ip, mssql_ha_login, mssql_ha_login_password, and mssql_ha_cluster_run_role), the role failed with an error message “Variable not defined”. However, these variables are not necessary to run a read-scale cluster. The role also tried to install the mssql-server-ha package, which is not required for a read-scale cluster. With this fix, the requirement for these variables was removed. As a result, running a read-scale cluster proceeds successfully without the error message.

Jira:RHEL-3540

The Kdump system role works correctly when the kexec_crash_size file is busy

The /sys/kernel/kexec_crash_size file provides the size of the memory region allocated for crash kernel memory.

Previously, the Kdump system role failed when the /sys/kernel/kexec_crash_size file was busy. With this update, the system role retries reading the file when it is available. As a result, the system role no longer fails when the file is busy.

Jira:RHEL-3353

selinux role no longer uses the item loop variable

Previously, the selinux RHEL System Role used the item loop variable. This might have resulted in the following warning message when you called the selinux role from another role:

[WARNING]: TASK: fedora.linux_system_roles.selinux : Restore SELinux labels on filesystem tree: The loop variable 'item' is already in use.
You should set the `loop_var` value in the `loop_control` option for the task to something else to avoid variable collisions and unexpected behavior.

With this release, the selinux role uses __selinux_item as a loop variable. As a result, the warning that the item variable is already in use is no longer displayed even if you call the selinux role from another role.

Jira:RHEL-19040

The ha_cluster system role now correctly configures a firewall on a qnetd host

Previously, when a user configured a qnetd host and set the ha_cluster_manage_firewall variable to true by using the ha_cluster system role, the role did not enable high-availability services in the firewall. With this fix, the ha_cluster system role now correctly configures a firewall on a qnetd host.

Jira:RHEL-17875

The postgresql RHEL System Role now installs the correct version of PostgreSQL

Previously, if you tried to run the postgresql RHEL System Role with the postgresql_version: "15" variable defined on a RHEL managed node, PostgreSQL version 13 was installed instead of version 15. This bug has been fixed, and the postgresql role installs the version set in the variable.

Jira:RHEL-5274

keylime_server role correctly reports registrar service status

Previously, when the keylime_server role playbook provided incorrect information, the role incorrectly reported the start as successful. With this update, the role now correctly reports a failure when incorrect information is provided, and the timeout when waiting for opened ports has been reduced from approximately 300 seconds to approximately 30 seconds.

Jira:RHEL-15909

The podman RHEL system role now sets and cancels linger properly for rootless containers

Previously, the podman RHEL System Role did not set and cancel linger properly for rootless containers. Consequently, deploying secrets or containers for rootless users produced errors in some cases, and failed to cancel linger when removing resources in some cases. With this update, the podman RHEL System Role ensures that linger is enabled for rootless users before doing any secret or container resource management, and ensures that linger is canceled for rootless users when there are no more secrets or container resources to be managed. As a result, the role correctly manages lingering for rootless users.

Jira:RHEL-22228

nbde_server role now works with socket overrides

Previously, the nbde_server RHEL System Role assumed that the only file in the tangd socket override directory was the override.conf file for a custom port. Consequently, the role deleted the directory if there was no port customization without checking other files, and the system re-created the directory in subsequent runs.

With this release, the role has been fixed to prevent changing attributes of the port override file and deleting the directory if there are other files. As a result, the role correctly works if tangd socket override files are managed also outside of the role.

Jira:RHEL-25508

A volume quadlet service name no longer fails

Previously, starting the volume service name produced an error similar to the following one: "Could not find the requested service NAME.volume: host". With this update, the volume quadlet service name is changed to basename-volume.service. As a result, the volume service starts with no errors.

For more information, see Volume unit man page.

Jira:RHEL-21401

Ansible now preserves JSON strings for use in secrets

Previously, Ansible converted JSON strings to the corresponding JSON object if the value was used in a loop and in strings similar to data: "{{ value }}". As a consequence, you could not pass JSON strings as secrets and have the value preserved. This update casts the data value to a string when passing it to the podman_secret module. As a result, JSON strings are preserved as-is for use in secrets.

Jira:RHEL-22309

The rhc system role no longer fails on the registered systems when rhc_auth contains activation keys

Previously, a failure occurred when you executed playbook files on the registered systems with the activation key specified in the rhc_auth parameter. This issue has been resolved. It is now possible to execute playbook files on the already registered systems, even when activation keys are provided in the rhc_auth parameter.

Bugzilla:2186218

8.15. Virtualization

RT VMs with a FIFO scheduler now boot correctly

Previously, after setting a real-time (RT) virtual machine (VM) to use the fifo setting for the vCPU scheduler, the VM became unresponsive when you attempted to boot it. Instead, the VM displayed the Guest has not initialized the display (yet) error. With this update, the error has been fixed, and setting fifo for the vCPU scheduler works as expected in the described circumstances.

Jira:RHEL-2815[1]

A dump failure no longer blocks IBM Z VMs with Secure Execution from running

Previously, when a dump of an IBM Z virtual machine (VM) with Secure Execution failed, the VM remained in a paused state and was blocked from running. For example, dumping a VM by using the virsh dump command failed if there was not enough space on the disk.

The underlying code has been fixed and Secure Execution VMs resume operation successfully after a dump failure.

Jira:RHEL-16695[1]

The installation program shows the expected system disk to install RHEL on VM

Previously, when installing RHEL on a VM using virtio-scsi devices, it was possible that these devices did not appear in the installation program because of a device-mapper-multipath bug. Consequently, during installation, if some devices had a serial set and some did not, the multipath command was claiming all the devices that had a serial. Due to this, the installation program was unable to find the expected system disk to install RHEL in the VM.

With this update, multipath correctly sets the devices with no serial as having no World Wide Identifier (WWID) and ignores them. On installation, multipath only claims devices that multipathd uses to bind a multipath device, and the installation program shows the expected system disk to install RHEL in the VM.

Bugzilla:1926147[1]

Using a large number of queues no longer causes VMs to fail

Previously, virtual machines (VMs) might have failed when the virtual Trusted Platform Module (vTPM) device was enabled and the multi-queue virtio-net feature was configured to use more than 250 queues.

This problem was caused by a limitation in the vTPM device. With this update, the problem has been fixed and VMs with more than 250 queues and with vTPM enabled now work reliably.

Jira:RHEL-13335[1]

Windows guests boot more reliably after a v2v conversion on hosts with AMD EPYC CPUs

After using the virt-v2v utility to convert a virtual machine (VM) that uses Windows 11 or Windows Server 2022 as the guest OS, the VM previously failed to boot. This occurred on hosts that use AMD EPYC series CPUs. Now, the underlying code has been fixed and VMs boot as expected in the described circumstances.

Bugzilla:2168082[1]

nodedev-dumpxml lists attributes correctly for certain mediated devices

Before this update, the nodedev-dumpxml utility did not list attributes correctly for mediated devices that were created using the nodedev-create command. This has been fixed, and nodedev-dumpxml now displays the attributes of the affected mediated devices properly.

Bugzilla:2143158

virtiofs devices could not be attached after restarting virtqemud or libvirtd

Previously, restarting the virtqemud or libvirtd services prevented virtiofs storage devices from being attached to virtual machines (VMs) on your host. This bug has been fixed, and you can now attach virtiofs devices in the described scenario as expected.

Bugzilla:2078693

Hot plugging a Watchdog card to a virtual machine no longer fails

Previously, if no PCI slots were available, adding a Watchdog card to a running virtual machine (VM) failed with the following error:

Failed to configure watchdog
ERROR Error attempting device hotplug: internal error: No more available PCI slots

With this update, the problem has been fixed and adding a Watchdog card to a running VM now works as expected.

Bugzilla:2173584

blob resources now work correctly for virtio-gpu on IBM Z

Previously, the virtio-gpu device was incompatible with blob memory resources on IBM Z systems. As a consequence, if you configured a virtual machine (VM) with virtio-gpu on an IBM Z host to use blob resources, the VM did not have any graphical output.

With this update, virtio devices have an optional blob attribute. Setting blob to on enables the use of blob resources in the device. This prevents the described problem in virtio-gpu devices, and can also accelerate the display path by reducing or eliminating copying of pixel data between the guest and host. Note that blob resource support requires QEMU version 6.1 or later.

Jira:RHEL-7135

Reinstalling virtio-win drivers no longer causes DNS configuration to reset on the guest

In virtual machines (VMs) that use a Windows guest operating system, reinstalling or upgrading virtio-win drivers for the network interface controller (NIC) previously caused DNS settings in the guest to reset. As a consequence, your Windows guest in some cases lost network connectivity.

With this update, the described problem has been fixed. As a result, if you reinstall or upgrade from the latest version of virtio-win, the problem no longer occurs. Note, however, that upgrading from a prior version of virtio-win will not fix the problem, and DNS resets might still occur in your Windows guests.

Jira:RHEL-1860[1]