Chapter 8. Bug fixes

This part describes bugs fixed in Red Hat Enterprise Linux 9.1 that have a significant impact on users.

8.1. Installer and image creation

The installer no longer installs earlier versions of packages

Previously, the installer did not correctly load the DNF configuration file during the installation process. As a consequence, the installer sometimes installed earlier versions of select packages in the RPM transaction.

This bug has been fixed, and only the latest versions of packages are now installed from the installation repositories. In cases where it is impossible to install the latest versions of the packages, the installation fails as expected.


Anaconda installation is successful even if changing the network configuration in stage2

Previously, when using the boot argument, Anaconda did not unmount an NFS mount point that is used in initramfs to fetch the installation image into memory. As a consequence, the installation process could become unresponsive or fail with a timeout error if the network configuration was changed in stage2.

To fix this problem, the NFS mount point used to fetch the installation image into memory is unmounted in initramfs before switchroot. As a result, the installation process is completed without any interruption.


8.2. Subscription management

virt-who now connects to ESX servers correctly when in FIPS mode

Previously, when using the virt-who utility on a RHEL 9 system in FIPS mode, virt-who could not connect to ESX servers. As a consequence, virt-who did not report any ESX servers, even if configured for them, and logged the following error message:

ValueError: [digital envelope routines] unsupported

With this update, virt-who has been fixed to handle FIPS mode correctly, and the described problem no longer occurs.


8.3. Software management

DNF now correctly rolls back a transaction containing an item with the Reason Change Action type

Previously, running the dnf history rollback command on a transaction containing an item with the Reason Change Action type failed. With this update, the issue has been fixed, and dnf history rollback now works as expected.


8.4. Shells and command-line tools

The vi command in ReaR no longer results in an infinite loop

Previously, the ReaR rescue system did not contain the vi executable, only the /bin/vi script. As a consequence, the /bin/vi script caused an infinite loop when invoked. With this update, the ReaR rescue system contains the actual vi executable /usr/libexec/vi, and running the vi command no longer leads to an endless loop.


ReaR with the PXE output method no longer fails to store the output files in the rsync OUTPUT_URL location

Previously, the handling of the OUTPUT_URL variable with the OUTPUT=PXE and BACKUP=RSYNC options was removed. As a consequence, when using an rsync location for OUTPUT_URL, ReaR failed to copy the initrd and kernel files to this location, although it uploaded them to the location specified by BACKUP_URL. With this update, the behavior from RHEL 8.4 and earlier releases is restored. ReaR creates the required files at the designated OUTPUT_URL destination using rsync.


ReaR no longer fails to display an error message if it does not update the UUID in /etc/fstab

Previously, ReaR did not display an error message during recovery when it failed to update the universally unique identifier (UUID) in /etc/fstab to match the UUID of the newly created partition in case the UUIDs were different. This could have happened if the rescue image was out of sync with the backup. With this update, an error message occurs during recovery if the restored basic system files do not match the recreated system.


ReaR now supports restoring a system using NetBackup version 9

Previously, restoring a system using the NetBackup (NBU) method with NetBackup version 9 or later failed due to missing libraries and other files. With this update, the NBU_LD_LIBRARY_PATH variable contains the required library paths and the rescue system now incorporates the required files, and ReaR can use the NetBackup method.


ReaR no longer displays a false error message about missing symlink targets

Previously, ReaR displayed incorrect error messages about missing symlink targets for the build and source symlinks under /usr/lib/modules/ when creating the rescue image. This situation was harmless, and you could safely ignore the error message. With this update, ReaR does not report a false error message about missing symlink targets in this situation.


The cmx operation with no parameter no longer crashes the CIM Client

The cmx operation calls a method and returns XML, a parameter specifies the name of the called method. Previously, the command line sblim-wbemcli Common Information Model (CIM) Client crashed when running the cmx operation without an additional parameter. With this update, the cmx operation requires the parameter that defines the name of the called method. Invoking the cmx operation without this parameter results in an error message, and the CIM Client no longer crashes.


free command uses a new calculation method for used memory

Previously, the calculation of used memory in the free utility subtracted free space, cache space and buffer space from the total memory. Consequently, a discrepancy occurred when you compared the value of used memory with outcome of another tool because the free utility did not calculate shared memory. With this update, the free command uses a new calculation method that provides clear state of free memory and considers the unreclaimable cache. Used memory is now any memory that is not available, and includes also tmpfs objects that are in the virtual memory.


8.5. Infrastructure services

Unbound no longer validates SHA-1-based RSA signatures

Previously, OpenSSL did not validate SHA-1-based RSA signatures in the DEFAULT system-wide cryptographic policy. As a consequence, when Unbound tried to validate such signatures, the error from OpenSSL caused the resolution to fail. With this update, Unbound disables validation support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 (algorithm number 7) signatures, which resolves the query. Note that this makes the result insecure under all system-wide cryptographic policies.


8.6. Security

OpenSSH key generation uses FIPS-compatible interfaces

The OpenSSL cryptographic library, which is used by OpenSSH, provides two interfaces: legacy and modern. Previously, OpenSSH used the legacy interface for key generation, which did not comply with Federal Information Processing Standards (FIPS) requirements. With this update, the ssh-keygen utility uses the FIPS-compliant API instead of the low-level FIPS-incompatible API. As a result, OpenSSH key generation is FIPS-compliant.


Cryptography not approved by FIPS no longer works in OpenSSL in FIPS mode

Previously, cryptography that was not FIPS-approved worked in the OpenSSL toolkit regardless of system settings. Consequently, you could use cryptographic algorithms and ciphers that should be disabled when the system is running in FIPS mode, for example:

  • TLS cipher suites using the RSA key exchange worked.
  • RSA-based algorithms for public-key encryption and decryption worked despite using the PKCS #1 and SSLv23 paddings or using keys shorter than 2048 bits.

This update contains fixes ensuring that cryptography not approved by FIPS no longer works in OpenSSL in FIPS mode.


Specifying arbitrary curves removed from OpenSSL

Previously, the checks of explicit curve parameters safety were incomplete. As a consequence, arbitrary elliptic curves with sufficiently large p values worked in RHEL. With this update, the checks now verify that the explicit curve parameters match one of the well-known supported curves. As a result, the option to specify arbitrary curves through the use of explicit curve parameters has been removed from OpenSSL. Parameter files, private keys, public keys, and certificates that specify arbitrary explicit curves no longer work in OpenSSL. Using explicit curve parameters to specify one of the well known and supported curves such as P-224, P-256, P-384, P-521, and secp256k1 remains supported in non-FIPS mode.


OpenSSL req uses AES-256-CBC for private keys encryption

Previously, the OpenSSL req tool encrypted private key files by using the 3DES algorithm. Because the 3DES algorithm is insecure and disallowed in the current FIPS 140 standard for cryptographic modules, req now generates private key files encrypted using the AES-256-CBC algorithm instead. The overall PKCS#8 file format remains unchanged.


OpenSSL no longer fails to connect when FFDHE is used

Previously, TLS connections that use the finite-field-based Diffie-Hellman ephemeral (FFDHE) key exchange mechanism sometimes failed when processing FFDHE key shares from a client. This was caused by overly restrictive checks in OpenSSL. As a consequence, the OpenSSL server aborted the connection with an internal_error alert. With this update, OpenSSL accepts smaller but still compliant client key shares. As a result, connections between OpenSSL and other implementations no longer randomly abort when using FFDHE key exchanges.


OpenSSL-based applications now work correctly with the Turkish locale

Because the OpenSSL library uses case-insensitive string comparison functions, OpenSSL-based applications did not work correctly with the Turkish locale, and omitted checks caused applications using this locale to crash. This update provides a patch to use the Portable Operating System Interface (POSIX) locale for case-insensitive string comparison. As a result, OpenSSL-based applications such as curl work correctly with the Turkish locale.


Permissions for insights-client added to the SELinux policy

The new insights-client service requires permissions which were not in the previous selinux-policy versions. As a consequence, some components of insights-client did not work correctly and reported access vector cache (AVC) error messages. This update adds new permissions to the SELinux policy. As a result, insights-client runs correctly without reporting AVC errors.

(BZ#2081425, BZ#2077377, BZ#2087765, BZ#2107363)

SELinux staff_u users no longer can incorrectly switch to unconfined_r

Previously, when the secure_mode boolean was enabled, staff_u users could switch to the unconfined_r role, which was not expected behavior. As a consequence, staff_u users could perform privileged operations affecting the security of the system. With this update, the SELinux policy has been fixed, and staff_u users no longer can incorrectly switch to unconfined_r.


OpenSCAP no longer produces incorrect errors when checking available memory

Previously, when evaluating some XCCDF rules, OpenSCAP incorrectly showed the error message Failed to check available memory and produced invalid scan results. For example, this occurred for rules accounts_user_dot_no_world_writable_programs, accounts_user_dot_group_ownership and accounts_users_home_files_permissions. With this update, the bug in error handling is fixed and the error message appears only for real failures.


fagenrules --load now works correctly

Previously, the fapolicyd service did not correctly handle the signal hang up (SIGHUP). Consequently, fapolicyd terminated after receiving SIGHUP, and the fagenrules --load command did not work correctly. This update contains a fix for the problem. As a result, fagenrules --load now works correctly, and rule updates no longer require manual restarts of fapolicyd.


8.7. Networking

An instance now retains the primary IP address even after starting the nm-cloud-setup service in Alibaba Cloud

Previously, after launching an instance in the Alibaba Cloud, the nm-cloud-setup service configured the incorrect IP address as the primary IP address in case of multiple IPv4 addresses. Consequently, this affected the selection of the IPv4 source address for outgoing connections. With this update, after configuring secondary IP addresses manually, the NetworkManager package fetches the primary IP address from primary-ip-address metadata and configures both primary and secondary IP addresses correctly.


The NetworkManager utility enforces correct ordering of manually added IPv6 addresses

In general, the ordering of IPv6 addresses affects the priority for source address selection. For example when you make an outgoing TCP connection. Previously, the relative priority of IPv6 addresses added through the manual, dhcpv6, and autoconf6 methods was not correct. This update fixes the problem and the ordering priority now reflects this logic: manual > dhcpv6 > autoconf6. Also, the order of addresses under the ipv6.addresses setting was reversed so that the address added first has the highest priority.


8.8. Kernel

Network socket tagging works again

Certain legacy cgroup v1 controllers that have no cgroup v2 equivalent, such as net_prio or net_cls, previously interfered with the cgroup v2 socket tagging when they were mounted together with other cgroup v2 controllers in a mixed cgroup v1/v2 environment. As a consequence, a mixed cgroup v1/v2 environment using either the net_prio or net_cls v1 controller disabled proper network socket tagging with cgroup v2. This update eliminates this limitation, which makes it possible to use a mixed cgroup v1/v2 environment network socket tagging.


The kexec-tools package now supports the default crashkernel memory reservation values

The kexec-tools package now maintains the default crashkernel memory reservation values. The kdump service uses the default value to reserve the crash kernel memory for each kernel. This implementation also improves memory allocation for kdump when a system has less than 4 GB of available memory.

If the memory reserved by the default crashkernel value is not sufficient on your system, you can use the kdumpctl estimate command to get an estimated value without triggering a crash. The estimated crashkernel= value may not be accurate and can serve as a reference to set an appropriate crashkernel= value.


Systems can successfully run dynamic LPAR operations

Previously, users could not run dynamic logical partition (DLPAR) operations from the Hardware Management Console (HMC) if either of these conditions were met:

  • The Secure Boot feature was enabled that implicitly enables kernel lockdown mechanism in integrity mode.
  • The kernel lockdown mechanism was manually enabled in integrity or confidentiality mode.

In RHEL 9, kernel lockdown completely blocked Run Time Abstraction Services (RTAS) access to system memory accessible through the /dev/mem character device file. Several RTAS calls required write access to /dev/mem to function properly. Consequently, RTAS calls did not execute correctly and users would see the following error message:

HSCL2957 Either there is currently no RMC connection between the management console and the partition <LPAR name> or the partition does not support dynamic partitioning operations. Verify the network setup on the management console and the partition and ensure that any firewall authentication between the management console and the partition has occurred. Run the management console diagrmc command to identify problems that might be causing no RMC connection.

With this update, the problem has been fixed by providing a very narrow PowerPC-specific exception to lockdown. The exception permits RTAS to access the required /dev/mem areas. As a result, the problem no longer manifests in the described scenario.


No kernel warnings after setting the ring buffer value from rx to max

The kernel was producing a warning message Missing unregister, handled but fix driver when an internal function expecting a clean input was called with a reused, already initialized structure. With this update, the problem has been fixed by reinitializing the structure before registering it again.


8.9. Boot loader

grubby now passes arguments to future kernels

When installing a newer version of the kernel, the grubby tool did not pass the kernel command-line arguments from the previous kernel version. As a consequence, the GRUB boot loader ignored user settings. With this fix, the user settings now persist after installing the new kernel version.


8.10. File systems and storage

Journal entries no longer stop the journal writes

Previously, in the VDO driver during device-mapper suspend operation and after resuming device operation, some journal blocks could still be marked as waiting for some metadata updates to be made before they could be reused, even though those updates had already been done. When enough journal entries were made for the journal to wrap around back to the same physical block, it was not available. Journal writes would stop, waiting for the block to become available, which never happened. Consequently, when some operations on a VDO device included a suspend or resume cycle, the device was in a frozen state after some journal updates. The journal updates before this device state were unpredictable because it was depended on previous allocation patterns within VDO, and the incoming write or discard patterns. With this update, after the suspend or resume cycle saving data to storage, the internal data structure state is reset and lockups no longer happened.


Adding a data device no longer triggers assertion failure

Previously, when adding additional devices to the cache, Stratis did not use cache immediately after initialization. As a consequence, the stratisd service returned an assertion failure message whenever a user attempted to add additional data devices to a pool. With this fix, cache is now used immediately after initialization and no assertion failures occur.


Resolved errors when adding new data devices to the encrypted pool

Previously, whenever the user initialized an encrypted pool with encrypted data devices, using a Clevis bind command on a tang server, specified with the --trust-url option, stratisd did not include the thumbprint part of the Clevis tang configuration in the internal data structures. Consequently, a failure occurred when attempting to add new data devices to the pool. With this update, the internal data structures of stratisd now include the thumbprint part of the Clevis tang configuration.


Connecting to NVMe namespaces from Broadcom initiators on AMD EPYC systems no longer require non-default IOMMU settings

By default, the RHEL kernel enables the IOMMU on AMD-based platforms. Previously, the lpfc driver did not use the scatter-gather list accessor macros. Consequently, certain servers with AMD processors encountered NVMe I/O problems, such as I/Os failing due to transfer length mismatches.

With this update, you do not need to put IOMMU into passthrough mode with a kernel command-line option in order to connect to NVMe namespaces from Broadcom initiators.


8.11. High availability and clusters

pcs now validates the value of stonith-watchdog-timeout

Previously, it was possible to set the stonith-watchdog-timeout property to a value that is incompatible with SBD configuration. This could result in a fence loop, or could cause the cluster to consider a fencing action to be successful even if the action is not finished. With this fix, pcs validates the value of stonith-watchdog-property when you set it, to prevent incorrect configuration.


pcs now recognizes the mode option when creating a new Booth ticket

Previously, when a user specified a mode option when adding a new Booth ticket, pcs reported the error invalid booth ticket option 'mode'. With this fix, you can now specify the mode option when creating a Booth ticket.


pcs now distinguishes between resources and stonith resources

Previously, some pcs commands did not distinguish between resources and stonith resources. This allowed users to use pcs resource sub-commands for stonith resources, and to use pcs stonith sub-commands for resources that are not stonith resources. This could lead to user confusion or resource misconfiguration. With this update, pcs displays a warning when there is a resource type mismatch.


8.12. Compilers and development tools

glibc now restores errno after loading an NSS module

Previously, the Name Service Switch (NSS) implementation in glibc set errno incorrectly during database enumeration using functions such as getpwent() if the last NSS module did not provide any data. As a result, applications using these enumeration functions incorrectly observed errors and failed. glibc now restores errno after loading an NSS module and, as a result, applications using these functions no longer fail.


The auditing interface now saves and restores the x8 register and the full width of the NEON registers for AArch64

Previously, a bug in the implementation of the dynamic loader’s audit interface caused the AArch64 saved register state to be incomplete compared to the procedure call standard. This bug has been fixed and the auditing interface now saves and restores the x8 register and the full width of the NEON registers for AArch64. Applications using the dynamic loader auditing interface can now inspect and influence the x8 register for AArch64. To use this new x8 register and have access to the full width of the NEON registers on AArch64, the audit modules must be recompiled to use the new version of the interface (LAV_CURRENT is 2).


POWER9-optimized strncpy function no longer gives incorrect results

Previously, the POWER9 strncpy function did not use the correct register as the source of the NUL bytes for padding. Consequently, the output buffer contained uninitialized register content instead of the NUL padding. With this update, the strncpy function has been fixed, and the end of the output buffer is now correctly padded with NUL bytes.


Valgrind override of glibc memmem function installed on IBMz15 architecture

Previously, a missing valgrind override of the glibc memmem function lead to false positive warnings of:

Conditional jump or move depends on uninitialised value(s)

This update includes a valgrind override of the glibc memmem function and, as a result, there are no longer false positive warnings when using the memmem function in programs running under valgrind on the IBMz15 architecture.


8.13. Identity Management

The ipa user-del --preserve user_login output no longer indicates that the user was deleted

Previously, if you ran the ipa user-del --preserve user_login command to preserve a user account, the output incorrectly returned the message Deleted user “user_login”. With this update, the output now returns Preserved user “user_login”.


PKINIT user authentication now works correctly in the RHEL 9 Kerberos client - Heimdal KDC scenario

Previously, the PKINIT authentication of an IdM user on a RHEL 9 Kerberos client against the Heimdal Kerberos Distribution Center (KDC) failed. This failure occurred because the Kerberos client did not support the supportedCMSTypes field required in the context of the deprecation of the SHA-1 algorithm in RHEL 9.

With this update, the RHEL 9 Kerberos client sends a list of signature algorithms including sha512WithRSAEncryption, and sha256WithRSAEncryption as supportedCMSTypes during PKINIT to Heimdal KDC. Heimdal KDC uses sha512WithRSAEncryption and, as a result, PKINIT authentication works correctly.


Handling unreadable objects in an LDAP group’s member list

Before this update, SSSD inconsistently handled the unreadable objects in an LDAP group’s member list and this resulted in unreadable objects causing an error or in certain situations unreadable objects were ignored.

With this update, SSSD has a new option ldap_ignore_unreadable_references to modify this behavior. If the ldap_ignore_unreadable_references option is set to false, unreadable objects cause an error and if set to true, unreadable objects are ignored. The default is set to false and because of the original inconsistent behavior, after the update, some group lookups may fail. In this case, set ldap_ignore_unreadable_references = True in the corresponding [domain/name of the domain] section in the /etc/sssd/sssd.conf file.

This allows unreadable objects to be handled in a consistent manner and the behavior can be tuned using the new ldap_ignore_unreadable_references option.


8.14. Desktop

Subscription enrolling with Activation keys has been fixed

Previously, you could not enroll your Red Hat subscription in Settings using Activation keys. Settings displayed the following error after pressing Register:

Failed to register system; Failed to RegisterWithActivationKeys: Unknown arguments: dict_keys(['enable_content'])

With this update, the problem has been fixed, and you can now enroll your subscription using Activation keys as expected in Settings.


8.15. Graphics infrastructures now enables the X11 SECURITY extension

Previously, the display server did not provide the X11 SECURITY extension. As a consequence, applications that used this extension terminated unexpectedly.

With this update, enables the X11 SECURITY extension. As a result, applications that depend on the extension now work as expected.


Matrox GPU with a VGA display now works as expected

Prior to this release, your display showed no graphical output if you used the following system configuration:

  • A GPU in the Matrox MGA G200 family
  • A display connected over the VGA controller
  • UEFI switched to legacy mode

As a consequence, you could not use or install RHEL on this configuration.

With this update, the mgag200 driver has been significantly rewritten, and as a result, the graphics output now works as expected.


8.16. The web console

Removing USB host devices using the web console now works as expected

Previously, when you attached a USB device to a virtual machine (VM), the device number and bus number of the USB device changed after they were passed to the VM. As a consequence, using the web console to remove such devices failed due to the incorrect correlation of the device and bus numbers. With this update, the issue has been fixed and you can remove the USB host devices using the web console.


Attaching multiple host devices using the web console now works as expected

Previously, when you selected multiple devices to attach to a virtual machine (VM) using the web console, only a single device was attached and the rest were ignored. With this update, the issue has been fixed and you can now simultaneously attach multiple host devices using the web console.


8.17. Red Hat Enterprise Linux System Roles

The network RHEL role manages ansible_managed parameter in the configuration files

Previously, the Ansible role was unable to provide the correct ansible_managed header for the network role managed configuration files. As a consequence, system administrators were uncertain about which files were managed by Ansible. With this fix, the role managed files have a correct ansible_managed header, and system administrators can reliably tell about which files are managed Ansible.


Fixed a typo to support active-backup for the correct bonding mode

Previously, there was a typo,active_backup, in supporting the InfiniBand port while specifying active-backup bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing bonding mode to active-backup. The connection now successfully supports the InfiniBand bonding port.


The IPRouteUtils.get_route_tables_mapping() function now accepts any whitespace sequence

Previously, a parser for the iproute2 routing table database, such as /etc/iproute2/rt_tables, asserted that entries in the file were of the form 254 main and only a single space character separated the numeric id and the name. Consequently, the parser failed to cache all the mappings between the route table name and table id.Therefore the user could not add a static route into the route table by defining the route table name. With this update, the parser accepts any whitespace sequence in between the table ID and table name. As a result, as the parser caches all the mapping between the route table name and table ID, users can add a static route into the route table by defining the route table name.


The forward_port parameter now accepts both the string and dict option

Previously, in the firewall RHEL System role, the forward_port parameter only accepted the string option. However, the role documentation claimed that both string and dict options were supported. Consequently, the users reading and following the documentation were getting an error. This bug has been fixed by making forward_port accept both options. As a result, the users can safely follow the documentation to configure port forwarding.


Configuration by the metrics role now follows symbolic links correctly

When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the metrics role overwrote the symbolic link instead of following it and configuring mssql.conf. Consequently, running the metrics role changed the symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The issue is now fixed and the follow: yes option to follow the symbolic link has been added to the metrics role. As a result, the metrics role preserves the symbolic links and correctly configures the main configuration file.


The kernel_settings configobj is available on managed hosts

Previously, the kernel_settings role did not install the python3-configobj package on managed hosts. As a consequence, the role returned an error stating that the configobj Python module could not be found. With this fix, the role ensures that the python3-configobj package is present on managed hosts and the kernel_settings role works as expected.


The mount_options parameter for volumes is now valid for a volume

Previously, the parameter was accidentally removed from the list of valid parameters for a volume. Consequently, users were unable to set the mount_options parameter for volumes. With this bug fix, the mount_options parameter has been added back to the list of valid parameters and the code has been refactored to catch the errors. As a result, the storage RHEL system role can set the mount_options parameter for volumes.


The storage RHEL System Role now correctly supports striped and raid0 levels for LVM volumes

The storage RHEL System Role previously incorrectly reported RAID levels striped and raid0 as not supported for LVM volumes. This is now fixed and the role can now correctly create LVM volumes of all RAID levels supported by LVM: raid0, raid1, raid4, raid5, raid6, raid10, striped and mirror.


The metrics RHEL System Role README and documentation now clearly specifies supported Redis and Grafana versions on specific versions of RHEL by the role

Previously, when trying to use the metrics role with unsupported versions of Redis and Grafana on unsupported platforms, the role failed. This update clarifies the documentation about which versions of Redis and Grafana are supported on which versions of RHEL by the role. As a result, you can avoid trying to use unsupported versions of Redis and Grafana on unsupported platforms.


Minimal RSA key bit length option in the ssh and sshd RHEL System Roles

Accidentally using short RSA keys might make the system more vulnerable to attacks. With this update, you can set RSA key minimal bit lengths for OpenSSH clients and servers by using the RequiredRSASize option in the ssh and sshd RHEL System Roles.


The nbde_client RHEL System Role now uses proper spacing when specifying extra Dracut command line-parameters

The Dracut framework requires proper spacing when specifying additional parameters, such as kernel command-line parameters. If the parameters are not specified with proper spacing, Dracut might not append the specified extra parameters to the kernel command line. With this update, the nbde_client RHEL System Role uses proper spacing when creating add-on Dracut configuration files. As a result, the role correctly sets Dracut command-line parameters.


The tlog RHEL System Roles is now correctly overlaid by SSSD

Previously, the tlog RHEL System Role relied on the System Security Services Daemon (SSSD) files provider and on enabled authselect option with-files-domain to set up correct passwd entries in the nsswitch.conf file. In RHEL 9.0, SSSD did not implicitly enable the files provider by default, and consequently the tlog-rec-session shell overlay by SSSD did not work. With this fix, the tlog role now updates the nsswitch.conf to ensure tlog-rec-session is correctly overlaid by SSSD.


The metrics RHEL System Role automatically restarts pmie and pmlogger services after an update to their configuration

Previously, the pmie and pmlogger services did not restart after their configuration was changed and waited for handler execution. This caused errors with other metrics services, which required pmie and pmlogger configuration to match their runtime behavior. With this update, the role restarts pmie and pmlogger immediately after a configuration update, their configuration matches runtime behavior of dependent metrics services, and they work correctly.


8.18. Virtualization

Network traffic performance in virtual machines is no longer reduced when under heavy load

Previously, RHEL virtual machines had, in some cases, decreased performance when handling high levels of network traffic. The underlying code has been fixed and network traffic performance now works as expected in the described circumstances.


8.19. RHEL in cloud environments

The SR-IOV functionality of a network adapter attached to a Hyper-V VM now works reliably

Previously, when attaching a network adapter with single-root I/O virtualization (SR-IOV) enabled to a RHEL 9 virtual machine (VM) running on Microsoft Hyper-V hypervisor, the SR-IOV functionality in some cases did not work correctly. A bug in the Hyper-V specific memory-mapped I/O (MMIO) allocation code has been fixed and the SR-IOV functionality now works as expected on Hyper-V VMs.


SR-IOV no longer performs suboptimally in ARM 64 RHEL 9 virtual machines on Azure

Previously, SR-IOV networking devices had significantly lower throughout and higher latency than expected in ARM 64 RHEL 9 virtual machines (VMs) running on a Microsoft Azure platform. The problem has been fixed, and the affected VMs now perform as expected.


8.20. Containers

podman system connection add and podman image scp no longer fail

Podman uses SHA-1 hashes for the RSA key exchange. Previously, the regular SSH connection among machines using RSA keys worked, while the podman system connection add and podman image scp commands did not work using the same RSA keys, because the SHA-1 hashes were not accepted for key exchange on RHEL 9. With the update, the problem has been fixed.


Container images signed with a Beta GPG key can now be pulled

Previously, when you pulled RHEL Beta container images, Podman failed with the error message: Error: Source image rejected: None of the signatures were accepted. The images failed to be pulled due to current builds being configured to not trust the RHEL Beta GPG keys by default. With this update, the /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted keys. Because of this, the container images signed with GA and Beta GPG keys are now accepted in the default configuration.


Podman no longer fails to pull a container "X509: certificate signed by unknown authority"

Previously, if you had your own internal registry signed by our own CA certificate, then you had to import the certificate onto your host machine. Otherwise, an error occurs:

x509: certificate signed by unknown authority

With this update, the problem has been fixed.


DNF and YUM no longer fail because of non-matching repository IDs

Previously, DNF and YUM repository IDs did not match the format that DNF or YUM expected. For example, if you ran the following example, the error occurred:

# podman run -ti ubi8-ubi
# dnf debuginfo-install dnsmasq
This system is not registered with an entitlement server. You can use subscription-manager to register.

With this update, the problem has been fixed. Suffix --debug-rpms was added to all debug repository names (for example ubi-8-appstream-debug-rpms), and also the suffix -rpms was added to all UBI repository names (for example ubi-8-appstream-rpms).

For more information, see Universal Base Images (UBI): Images, repositories, packages, and source code.