Chapter 5. Bug fixes

--leavebootorder no longer changes boot order

Previously, using --leavebootorder for the bootloader kickstart command did not work correctly on UEFI systems and changed the boot order. This caused the installer to add RHEL at the top of the list of installed systems in the UEFI boot menu.

Anaconda sets a static hostname before running the %post scripts

Previously, when Anaconda was setting the installer environment host name to the value from the kickstart configuration (network --hostname), it used to set a transient hostname. Some of the actions performed during %post script run, for example network device activation, were causing the host name reset to a value obtained by reverse dns.

Users can now specify user accounts in the RHEL for Edge Installer blueprint

Previously, performing an update on your blueprint without a user account defined in the edge commit for the upgrade, such as adding a rpm package, would cause users to be locked out of a system, after an upgrade is applied. It caused users to redefine user accounts when upgrading an existing system.This issue has been fixed to allow users to specify user accounts in the RHEL for Edge Installer blueprint, which creates a user on the system at installation time, rather than having the user as part of the ostree commit.

The basic graphics mode has been removed from the boot menu

Previously, the basic graphics mode was used to install RHEL on hardware with an unsupported graphics card or to work around issues in graphic drivers that prevented starting the graphical interface. With this update, the option to install in a basic graphics mode has been removed from the installer boot menu. Use the VNC installation options for graphical installations on unsupported hardware or to work around driver bugs.

virt-who now works correctly with Hyper-V hosts

Previously, when using virt-who to set up RHEL 9 virtual machines (VMs) on a Hyper-V hypervisor, virt-who did not properly communicate with the hypervisor, and the setup failed. This was because of a deprecated encryption method in the openssl package.

Running createrepo_c --update on a modular repository now preserves modular metadata in it

Previously, when running the createrepo_c --update command on an already existing modular repository without the original source of modular metadata present, the default policy was to remove all additional metadata including modular metadata from this repository, which, consequently, broke it. To preserve metadata, it required running the createrepo_c --update command with the additional --keep-all-metadata option.

RHEL 9 provides libservicelog 1.1.19

RHEL 9 is distributed with libservicelog version 1.1.19. Notable bug fixes include:

Hardware optimization enabled in libgcrypt when in the FIPS mode

Previously, the Federal Information Processing Standard (FIPS 140-2) did not allow using hardware optimization. Therefore, in previous versions of RHEL, the operation was disabled in the libgcrypt package when in the FIPS mode. RHEL 9 enables hardware optimization in FIPS mode, and as a result, all cryptographic operations are performed faster.

crypto-policies now can disable ChaCha20 cipher usage

Previously, the crypto-policies package used a wrong keyword to disable the ChaCha20 cipher in OpenSSL. Consequently, you could not disable ChaCha20 for the TLS 1.2 protocol in OpenSSL through crypto-policies. With this update, the -CHACHA20 keyword is used instead of -CHACHA20-POLY1305. As a result, you now can use the cryptographic policies for disabling ChaCha20 cipher usage in OpenSSL for TLS 1.2 and TLS 1.3.

64-bit IBM Z systems no longer become unbootable when installing in FIPS mode

Previously, the fips-mode-setup command with the --no-bootcfg option did not execute the zipl tool. Because fips-mode-setup regenerates the initial RAM disk (initrd), and the resulting system needs an update of zipl internal state to boot, this put 64-bit IBM Z systems into an unbootable state after installing in FIPS mode. With this update fips-mode-setup now executes zipl on 64-bit IBM Z systems even if invoked with --no-bootcfg, and as a result, the newly installed system boots successfully.

GNUTLS_NO_EXPLICIT_INIT no longer disables implicit library initialization

Previously, the GNUTLS_NO_EXPLICIT_INIT environment variable disabled implicit library initialization. In RHEL 9, the GNUTLS_NO_IMPLICIT_INIT variable disables implicit library initialization instead.

OpenSSL-based applications now work correctly with the Turkish locale

Because the OpenSSL library uses case-insensitive string comparison functions, OpenSSL-based applications did not work correctly with the Turkish locale, and omitted checks caused applications using this locale to crash. This update provides a patch to use the Portable Operating System Interface (POSIX) locale for case-insensitive string comparison. As a result, OpenSSL-based applications such as curl work correctly with the Turkish locale.

kdump no longer crashes due to SELinux permissions

The kdump crash recovery service requires additional SELinux permissions to start correctly. In previous versions, therefore, SELinux prevented kdump from working, kdump reported that it is not operational, and Access Vector Cache (AVC) denials were audited. In this version, the required permissions were added to selinux-policy and as a result, kdump works correctly and no AVC denial is audited.

The usbguard-selinux package is no longer dependent on usbguard

Previously, the usbguard-selinux package was dependent on the usbguard package. This, in combination with other dependencies of these packages, led to file conflicts when installing usbguard. As a consequence, this prevented the installation of usbguard on certain systems. With this version, usbguard-selinux no longer depends on usbguard, and as a result, dnf can install usbguard correctly.

dnf install and dnf update now work with fapolicyd in SELinux

The fapolicyd-selinux package, which contains SELinux rules for fapolicyd, did not contain permissions to watch all files and directories. As a consequence, the fapolicyd-dnf-plugin did not work correctly, causing any dnf install and dnf update commands to make the system stop responding indefinitely. In this version, the permissions to watch any file type were added to fapolicyd-selinux. As a result, the fapolicyd-dnf-plugin works correctly and the commands dnf install and dnf update are operational.

Ambient capabilities are now applied correctly to non-root users

As a safety measure, changing a UID (User Identifier) from root to non-root nullifies permitted, effective, and ambient sets of capabilities.

usbguard-notifier no longer logs too many error messages to the Journal

Previously, the usbguard-notifier service did not have inter-process communication (IPC) permissions for connecting to the usbguard-daemon IPC interface. Consequently, usbguard-notifier failed to connect to the interface, and it wrote a corresponding error message to the Journal. Because usbguard-notifier started with the --wait option, which ensured that usbguard-notifier attempted to connect to the IPC interface each second after a connection failure, by default, the log contained an excessive amount of these messages soon.

Wifi and 802.1x Ethernet connections profiles are now connecting properly

Previously, many Wifi and 802.1x Ethernet connections profiles were not able to connect. This bug is now fixed. All the profiles are now connecting properly. Profiles that use legacy cryptographic algorithms still work but you need to manually enable the OpenSSL legacy provider. This is required, for example, when you use DES with MS-CHAPv2 and RC4 with TKIP.

Afterburn no longer sets an overlong hostname in /etc/hostname

The maximum length of a RHEL hostname is 64 characters. However, certain cloud providers use the Fully-Qualified Domain Name (FQDN) as the hostname, which can be up to 255 characters. Previously, the afterburn-hostname service wrote such an overlong hostname directly to the /etc/hostname file. The systemd service truncated the hostname to 64 characters, and NetworkManager derived an incorrect DNS search domain from the truncated value. With this fix, afterburn-hostname truncates hostnames at the first dot or 64 characters, whichever comes first. As a result, NetworkManager no longer sets invalid DNS search domains in /etc/resolv.conf.

modprobe loads out-of-tree kernel modules as expected

The /etc/depmod.d/dist.conf configuration file provides a search order for the depmod utility. Based on the search order, depmod creates the modules.dep.bin file. This file lists module dependencies, which the modprobe utility uses for loading and unloading kernel modules and resolving module dependencies at the same time. Previously, /etc/depmod.d/dist.conf was missing. As a result, modprobe could not load some out-of-tree kernel modules. This update includes the /etc/depmod.d/dist.conf configuration file, which fixes the search order. As a result, modprobe loads out-of-tree kernel modules as expected.

alsa-lib now correctly handles audio devices that use UCM

A bug in the alsa-lib package caused incorrect parsing of the internal Use Case Manager (UCM) identifier. Consequently, some audio devices that used the UCM configuration were not detected or they did not function correctly. The problem occurred more often when the system used the pipewire sound service. With the new release of RHEL 9, the problem has been fixed by updating the alsa-lib library.

Protection uevents no longer cause reload failure of multipath devices

Previously, when a read-only path device was rescanned, the kernel sent out two write protection uevents - one with the device set to read/write, and the following with the device set to read-only. Consequently, upon detection of the read/write uevent on a path device, multipathd tried to reload the multipath device, which caused a reload error message. With this update, multipathd now checks that all the paths are set to read/write before reloading a device read/write. As a result, multipathd no longer tries to reload read/write whenever a read-only device is rescanned.

device-mapper-multipath rebased to version 0.8.7

The device-mapper-multipath package has been upgraded to version 0.8.7, which provides multiple bug fixes and enhancements. Notable changes include:

Pacemaker attribute manager correctly determines remote node attributes, preventing unfencing loops

Previously, Pacemaker’s controller on a node might be elected the Designated Controller (DC) before its attribute manager learned an already-active remote node is remote. When this occurred, the node’s scheduler would not see any of the remote node’s node attributes. If the cluster used unfencing, this could result in an unfencing loop. With the fix, the attribute manager can now learn a remote node is remote by means of additional events, including the initial attribute sync at start-up. As a result, no unfencing loop occurs, regardless of which node is elected DC.

-Wsequence-point warning behavior fixed

Previously, when compiling C++ programs with GCC, the -Wsequence-point warning option tried to warn about very long expressions, it could cause quadratic behavior and therefore significantly longer compilation time. With this update, -Wsequence-point doesn’t attempt to warn about extremely large expressions and as a result, does not increase compilation time.

MS-CHAP authentication with the OpenSSL legacy provider

Previously, FreeRADIUS authentication mechanisms that used MS-CHAP failed because they depended on MD4 hash functions, and MD4 has been deprecated in RHEL 9. With this update, you can authenticate FreeRADIUS users with MS-CHAP or MS-CHAPv2 if you enable the OpenSSL legacy provider.

Running sudo commands no longer exports the KRB5CCNAME environment variable

Previously, after running sudo commands, the environment variable KRB5CCNAME pointed to the Kerberos credential cache of the original user, which might not be accessible to the target user. As a result Kerberos related operations might fail as this cache is not accessible. With this update, running sudo commands no longer sets the KRB5CCNAME environment variable and the target user can use their default Kerberos credential cache.

SSSD correctly evaluates the default setting for the Kerberos keytab name in /etc/krb5.conf

Previously, if you defined a non-standard location for your krb5.keytab file, SSSD did not use this location and used the default /etc/krb5.keytab location instead. As a result, when you tried to log into the system, the login failed as the /etc/krb5.keytab contained no entries.

Authenticating to Directory Server in FIPS mode with passwords hashed with the PBKDF2 algorithm now works as expected

When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the PK11_ExtractKeyValue() function is not available. As a consequence, prior to this update, users with a password hashed with the password-based key derivation function 2 (PBKDF2) algorithm were not able to authenticate to the server when FIPS mode was enabled. With this update, Directory Server now uses the PK11_Decrypt() function to get the password hash data. As a result, authentication with passwords hashed with the PBKDF2 algorithm now works as expected.

The Networking System Role no longer fails to set a DNS search domain if IPv6 is disabled

Previously, the nm_connection_verify() function of the libnm library did not ignore the DNS search domain if the IPv6 protocol was disabled. As a consequence, when you used the Networking RHEL System Role and set dns_search together with ipv6_disabled: true, the System Role failed with the following error:

Postfix role README no longer uses plain role name

Previously, the examples provided in the /usr/share/ansible/roles/rhel-system-roles.postfix/README.md used the plain version of the role name, postfix, instead of using rhel-system-roles.postfix. Consequently, users would consult the documentation and incorrectly use the plain role name instead of Full Qualified Role Name (FQRN). This update fixes the issue, and the documentation contains examples with the FQRN, rhel-system-roles.postfix, enabling users to correctly write playbooks.

Postfix RHEL System Role README.md no longer missing variables under the "Role Variables" section

Previously, the Postfix RHEL system role variables, such as postfix_check, postfix_backup, postfix_backup_multiple were not available under the "Role Variables" section. Consequently, users were not able to consult the Postfix role documentation. This update adds role variable documentation to the Postfix README section. The role variables are documented and available for users in the doc/usr/share/doc/rhel-system-roles/postfix/README.md documentation provided by rhel-system-roles.

Role tasks no longer change when running the same output

Previously, several of the role tasks would report as CHANGED when running the same input once again, even if there were no changes. Consequently, the role was not acting idempotent. To fix the issue, perform the following actions:

The logging_purge_confs option correctly deletes unnecessary configuration files

With the logging_purge_confs option set to true, it should delete unnecessary logging configuration files. Previously, however, unnecessary configuration files were not deleted from the configuration directory even if logging_purge_confs was set to true. This issue is now fixed and the option has been redefined as follows: if logging_purge_confs is set to true, Rsyslog removes files from the rsyslog.d directory which do not belong to any rpm packages. This includes configuration files generated by previous runs of the Logging role. The default value of logging_purge_confs is false.

A playbook using the Metrics role completes successfully on multiple runs even if the Grafana admin password is changed

Previously, changes to the Grafana admin user password after running the Metrics role with the metrics_graph_service: yes boolean caused failure on subsequent runs of the Metrics role. This led to failures of playbooks using the Metrics role, and the affected systems were only partially set up for performance analysis. Now, the Metrics role uses the Grafana deployment API when it is available and no longer requires knowledge of username or password to perform the necessary configuration actions. As a result, a playbook using the Metrics role completes successfully on multiple runs even if the administrator changes the Grafana admin password.

Configuration by the Metrics role now follows symbolic links correctly

When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the Metrics role overwrote the symbolic link instead of following it and configuring mssql.conf. Consequently, running the Metrics role changed the symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The issue is now fixed and the follow: yes option to follow the symbolic link has been added to the Metrics role. As a result, the Metrics role preserves the symbolic links and correctly configures the main configuration file.

The timesync role no longer fails to find the requested service ptp4l

Previously, on some versions of RHEL, the Ansible service_facts module, reported service facts incorrectly. Consequently, the timesync role reported an error attempting to stop the ptp4l service. With this fix, the Ansible service_facts module checks the return value of the tasks to stop timesync services. If the returned value is failed, but the error message is Could not find the requested service NAME:, then the module assumes success. As a result, the timesync role now runs without errors like Could not find the requested service ptp4l.

The kernel_settings configobj is available on managed hosts

Previously, the kernel_settings role did not install the python3-configobj package on managed hosts. As a consequence, the role returned an error stating that the configobj Python module could not be found. With this fix, the role ensures that the python3-configobj package is present on managed hosts and the kernel_settings role works as expected.

The Terminal Session Recording role tlog-rec-session is now correctly overlaid by SSSD

Previously, the Terminal Session Recording RHEL System Role relied on the System Security Services Daemon (SSSD) files provider and on enabled authselect option with-files-domain to set up correct passwd entries in the nsswitch.conf file. In RHEL 9.0, SSSD did not implicitly enable the files provider by default, and consequently the tlog-rec-session shell overlay by SSSD did not work. With this fix, the Terminal Session Recording role now updates the nsswitch.conf to ensure tlog-rec-session is correctly overlaid by SSSD.

The SSHD System Role can manage systems in FIPS mode

Previously, the SSHD System Role could not create the not allowed HostKey type when called. As a consequence, the SSHD System Role could not manage RHEL 8 and older systems in Federal Information Processing Standard (FIPS) mode. With this update, the SSHD System Role detects FIPS mode and adjusts the default HostKey list correctly. As a result, the system role can manage RHEL systems in FIPS mode with the default HostKey configuration.

The SSHD System Role uses the correct template file

Previously, the SSHD System Role used a wrong template file. As a consequence, the generated sshd_config file did not contain the ansible_managed comment. With this update, the system role uses the correct template file and sshd_config contains the correct ansible_managed comment.

The Kdump RHEL System Role is be able to reboot, or indicate that a reboot is required

Previously, the Kdump RHEL System Role ignored managed nodes without any reserved memory for crash kernel. Consequently, the role finished with the "Success" status, even if it did not configure the system properly. With this update of RHEL 9, the problem has been fixed. In cases when managed nodes do not have any memory reserved for the crash kernel, the Kdump RHEL System Role fails and suggests that users set the kdump_reboot_ok variable to true to properly configure the kdump service on managed nodes.

The nm provider in the Networking System Role now correctly manages bridges

Previously, if you used the initscripts provider, the Networking System Role created an ifcfg file which configured NetworkManager to mark bridge interfaces as unmanaged. Also, NetworkManager failed to detect followup initscript actions. For example, the down and absent actions of initscript provider will not change the NetworkManager’s understanding on unmanaged state of this interface if not reloading the connection after the down and absent actions. With this fix, the Networking System Role uses the NM.Client.reload_connections_async() function to reload NetworkManager on managed hosts with NetworkManager 1.18. As a result, NetworkManager manages the bridge interface when switching the provider from initscript to nm.

Fixed a typo to support active-backup for the correct bonding mode

Previously, there was a typo,active_backup, in supporting the InfiniBand port while specifying active-backup bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing bonding mode to active-backup. The connection now successfully supports the InfiniBand bonding port.

The Logging System Role no longer calls tasks multiple times

Previously, the Logging role was calling tasks multiple times that should have been called only once. As a consequence, the extra task calls slowed down the execution of the role. With this fix, the Logging role was changed to call the tasks only once, improving the Logging role performance.

RHEL System Roles now handle multi-line ansible_managed comments in generated files

Previously, some of the RHEL System Roles were using # {{ ansible_managed }} to generate some of the files. As a consequence, if a customer had a custom multi-line ansible_managed setting, the files would be generated incorrectly. With this fix, all of the system roles use the equivalent of {{ ansible_managed | comment }} when generating files so that the ansible_managed string is always properly commented, including multi-line ansible_managed values. Consequently, generated files have the correct multi-line ansible_managed value.

The Firewall System Role now reloads the firewall immediately when target changes

Previously, the Firewall System Role was not reloading the firewall when the target parameter has been changed. With this fix, the Firewall role reloads the firewall when the target changes, and as a result, the target change is immediate and available for subsequent operations.

The group option in the Certificate System Role no longer keeps certificates inaccessible to the group

Previously, when setting the group for a certificate, the mode was not set to allow group read permission. As a consequence, group members were unable to read certificates issued by the Certificate role. With this fix, the group setting now ensures that the file mode includes group read permission. As a result, the certificates issued by the Certificate role for groups are accessible by the group members.

The Logging role no longer misses quotes for the immark module interval value

Previously, the interval field value for the immark module was not properly quoted, because the immark module was not properly configured. This fix ensures that the interval value is properly quoted. Now, the immark module works as expected.

The /etc/tuned/kernel_settings/tuned.conf file has a proper ansible_managed header

Previously, the kernel_settings RHEL System Role had a hard-coded value for the ansible_managed header in the /etc/tuned/kernel_settings/tuned.conf file. Consequently, users could not provide their custom ansible_managed header. In this update, the problem has been fixed so that kernel_settings updates the header of /etc/tuned/kernel_settings/tuned.conf with user’s ansible_managed setting. As a result, /etc/tuned/kernel_settings/tuned.conf has a proper ansible_managed header.

The VPN System Role filter plugin vpn_ipaddr now converts to FQCN (Fully Qualified Collection Name)

Previously, the conversion from the legacy role format to the collection format was not converting the filter plugin vpn_ipaddr to FQCN (Fully Qualified Collection Name) redhat.rhel_system_roles.vpn_ipaddr. As a consequence, the VPN role could not find the plugin by the short name and reported an error. With this fix, the conversion script has been changed so that the filter is converted to FQCN format in the collection. And now the VPN role runs without issuing the error.

Job for kdump.service no longer fails

Previously, the Kdump role code for configuring the kernel crash size was not updated for RHEL9, which requires the use of kdumpctl reset-crashkernel. As a consequence, the kdump.service could not start and issued an error. With this update, the kdump.service role uses kdumpctl reset-crashkernel to configure the crash kernel size. Now, kdump.service role successfully starts the kdump service and the kernel crash size is configured correctly.

Hot-unplugging a mounted virtual disk no longer causes the guest kernel to crash on IBM Z

Previously, when detaching a mounted disk from a running virtual machine (VM) on IBM Z hardware, the VM kernel crashed under the following conditions:

UBI 9-Beta containers can run on RHEL 7 and 8 hosts

Previously, the UBI 9-Beta container images had an incorrect seccomp profile set in the containers-common package. As a consequence, containers were not able to deal with certain system calls causing a failure. With this update, the problem has been fixed.