Language:
Format:

Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

6.8 Release Notes

Red Hat Enterprise Linux 6.8

Release Notes for Red Hat Enterprise Linux 6.8

Edition 8

Red Hat Customer Content Services

rhel-notes@redhat.com

Legal Notice

Abstract

The Release Notes provide high-level coverage of the improvements and additions that have been implemented in Red Hat Enterprise Linux 6.8 and document known problems in this release. For information about notable bug fixes, Technology Previews, deprecated functionality, and other details, refer to the Technical Notes.

Preface

Red Hat Enterprise Linux minor releases are an aggregation of individual enhancement, security, and bug fix errata. The Red Hat Enterprise Linux 6.8 Release Notes document describes the major changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications for this minor release, as well as known problems. The Technical Notes document provides a list of notable bug fixes, all currently available Technology Previews, deprecated functionality, and other information.

Capabilities and limits of Red Hat Enterprise Linux 6 as compared to other versions of the system are available in the Red Hat Knowledgebase article available at https://access.redhat.com/articles/rhel-limits.

For information regarding the Red Hat Enterprise Linux life cycle, refer to https://access.redhat.com/support/policy/updates/errata/.

Chapter 1. Overview

Red Hat Enterprise Linux 6.8 is the last feature update in this major release, allowing enterprise customers access to upstream innovation on the secure, stable, and reliable Red Hat Enterprise Linux 6 platform. This section highlights the most notable enhancements.

Security

libreswan, an implementation of one of the most widely supported and standardized VPN protocols, replaces openswan as the Red Hat Enterprise Linux 6 VPN endpoint solution, giving Red Hat Enterprise Linux 6 customers access to recent advances in VPN security.

For more information about new security features, refer to Chapter 13, Security.

Authentication and Interoperability

Enhancements to Red Hat Identity Management include increased client-side performance as well as simplified client management through the addition of new capabilities to the System Security Services Daemon (SSSD). For example, cached authentication lookup on the client reduces the unnecessary exchange of user credentials with Active Directory servers. Also, support for adcli simplifies the management of Red Hat Enterprise Linux 6 systems interoperating with an Active Directory domain. In addition, SSSD now supports user authentication using smart cards, for both system login and related functions, such as sudo.

For details about new Identity Management and SSSD enhancements, as well as other features related to authentication and interoperability, refer to Chapter 3, Authentication and Interoperability.

System and Subscription Management

Relax-and-Recover (ReAR) is a new a system archiving utility that enables administrators to create local backups in ISO format that can be centrally archived and replicated remotely for simplified disaster recovery operations.
An enhanced yum utility simplifies the process of locating required packages to add and enable new platform features.

For details about subscription-management related features, see Chapter 16, System and Subscription Management.

Storage

Red Hat Enterprise Linux 6.8 provides increased visibility into storage usage and performance through dmstats, a program that displays and manages I/O statistics for user-defined regions of devices using the device-mapper driver.

For other storage features, see Chapter 15, Storage.

File Systems

The Scalable File System Add-on for Red Hat Enterprise Linux 6 now supports XFS file-system sizes up to 300 TB.

For detailed changes in file systems, refer to Chapter 8, File Systems.

Deploy Anywhere

An updated Red Hat Enterprise Linux 6.8 platform image enables customers to migrate their traditional workloads into container-based applications. The image is available in the Red Hat Container Registry and is suitable for deployment on Red Hat Enterprise Linux 7 or Red Hat Enterprise Linux Atomic Host.

Red Hat Insights

Since Red Hat Enterprise Linux 6.7, the Red Hat Insights service is available. Red Hat Insights is a proactive service designed to enable you to identify, examine, and resolve known technical issues before they affect your deployment. Insights leverages the combined knowledge of Red Hat Support Engineers, documented solutions, and resolved issues to deliver relevant, actionable information to system administrators.

The service is hosted and delivered through the customer portal at https://access.redhat.com/insights/ or through Red Hat Satellite. To register your systems, follow the Getting Started Guide for Insights. For further information, data security and limits, refer to https://access.redhat.com/insights/splash/.

Red Hat Customer Portal Labs

Red Hat Customer Portal Labs is a set of tools in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify security problems, and quickly deploy and configure complex applications. Some of the most popular applications are, for example:

Part I. New Features

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 6.8.

Chapter 2. General Updates

Cross channel package dependency improvements

The yum utility has been enhanced to prompt the end user to search disabled package repositories on the system when a package dependency error occurs. This change will allow users to quickly resolve dependency errors by first checking all known channels for the missing package dependency.

To enable this functionality, execute yum update yum subscription-manager prior to upgrading your machine to Red Hat Enterprise Linux 6.8.

See the System and Subscription Management chapter for further details on the implementation of this feature. (BZ#1197245)

Packages moved to the `Optional` Channel

The following packages have been moved to the Optional channel:

gnome-devel-docs
libstdc++-docs
xorg-x11-docs

Note that if any of these packages have previously been installed, using the yum update command for updating these packages can lead to problems causing the update to fail. Enable the Optional channel before updating the mentioned installed packages or uninstall them before updating your system.

For detailed instructions on how to subscribe your system to the Optional channel, see the relevant Knowledgebase articles on Red Hat Customer Portal: https://access.redhat.com/solutions/392003 for Red Hat Subscription Management or https://access.redhat.com/solutions/70019 if your system is registered with RHN Classic. (BZ#1300789)

Chapter 3. Authentication and Interoperability

SSSD smart card support

SSSD now supports smart cards for local authentication. With this feature, the user can use a smart card to log on to the system using a text-based or graphical console, as well as local services such as the sudo service. The user places the smart card into the reader and provides the user name and the smart card PIN at the login prompt. If the certificate on the smart card is verified, the user is successfully authenticated.

Note that SSSD currently does not enable the user to acquire a Kerberos ticket using a smart card. To obtain a Kerberos ticket, the user is still required to authenticate using the kinit utility.

To enable smart card support in Red Hat Enterprise Linux 6, you must allow SSSD to prompt for password, one-time password (OTP), or the smart card PIN by modifying the auth lines of the /etc/pam.d/password-auth and /etc/pam.d/system-auth PAM configuration files. For detailed information, see the Identity Management Guide: http://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#idm-smart-cards (BZ#1270027)

Cache authentication in SSSD

Authentication against cache without a reconnection attempt is now available in SSSD even in online mode. Authenticating directly against the network server repeatedly can cause excessive application latency, which can make the login process overly time-consuming. (BZ#1237142)

The ou=sudoers,$DC part of the IdM server compatibility plug-in tree can now be disabled for better performance

The Identity Management (IdM) client is now able to look up sudo rules in the cn=sudorules,cn=sudo,$DC part of the IdM server's LDAP tree instead of the ou=sudoers,$DC compatibility tree generated by the slapi-nis Directory Server plug-in.

In environments where the compatibility tree is not required for other operations, such as for legacy client support, users can now disable the ou=sudoers,$DC part of the tree. This allows better performance because generating the compatibility tree using slapi-nis is resource-intensive, especially in environments with a large number of authentication operations. (BZ#1244957)

SSSD enables UID and GID mapping on individual clients

It is now possible to map users to a different UID and GID on specific Red Hat Enterprise Linux clients through client-side configuration by using SSSD provided by the sss_override utility. This client-side override possibility can resolve problems caused by UID and GID duplication or ease transition from a legacy system that previously used different ID mapping.

Note that the overrides are stored in the SSSD cache; removing the cache therefore also removes the overrides. See the sss_override(8) man page for more details about this feature. (BZ#1269422)

Caching for `initgroups` operations

The SSSD fast memory cache now supports the initgroups operations, which enhances the speed of initgroups processing and improves the performance of some applications, such as GlusterFS and slapi-nis. (BZ#1269421)

New packages: adcli

This update adds the adcli packages to Red Hat Enterprise Linux 6. The adcli utility allows users to manage host, user, and group objects in Active Directory (AD) from a Red Hat Enterprise Linux 6 client. The main use of the utility is joining a host to an AD domain and to renew the credentials of the host.

The adcli utility is site-aware and does not require additional configuration to join an AD domain. On clients that run the SSSD service, adcli can renew the host credentials on a regular basis. (BZ#1279725)

SSSD is now able to automatically renew the host credentials of Linux clients joined to AD

Certain Windows utilities can remove hosts from Active Directory (AD) after their password has not been updated for a long time. This is because these utilities consider such clients inactive.

With this feature, the host password of Linux clients joined to AD is regularly updated, which indicates the client is still actively used. As a result, Red Hat Enterprise Linux clients joined to AD are not removed in the described situation. (BZ#1290761)

SSSD can now automatically adjust ID ranges for AD clients in environments with large RIDs

The automatic ID mapping mechanism included in the SSSD service is now able to merge ID range domains. Previously, if the relative ID (RID) of the Active Directory (AD) domain was larger than 200,000, which is the default size of the ID range assigned by SSSD, the administrator was required to manually adjust the ID range assigned by SSSD to correspond with the RID.

With this enhancement, for AD clients with ID mapping enabled, SSSD automatically adjusts the ID ranges in the described situation. As a result, the administrator is no longer required to adjust the ID range manually, and the default SSSD ID mapping mechanism works even in large AD environments. (BZ#1268902)

SSSD now supports GPOs from different domain controllers

The System Security Services Daemon (SSSD) service has been updated to support group policy objects (GPOs) from different domain controllers. (BZ#1221365)

Support for SSLv2 has been disabled

SSLv2 is insecure and should not be used in current deployments, and thus has been disabled without a way to override. All modern browsers and frameworks cannot negotiate SSLv2 connections in default configuration and many cannot be configured to perform SSLv2 negotiation. A recent OpenSSL vulnerability (CVE-2015-3197) shows that keeping this code is a liability. In addition, upstream has already removed support for SSLv2 (MZBZ#1228555). (BZ#1304812)

OpenLDAP now supports TLSv1.2

The TLS layer of OpenLDAP has been enhanced to support the cipher string value TLSv1.2 along with new ciphers from the TLSv1.2 suite. Additionally, the new cipher strings AESGCM, SHA256, and SHA384 have been added. With this update, the cipher string DEFAULT selects a subset of the Network Security Services (NSS) defaults in order to be up to date with current security development. Note that the cipher string DEFAULT currently excludes AESGCM ciphers, in order not to break the Security Strength Factor (SSF) functionality. (BZ#1300701)

nss now supports ECDSA certificates

By default, the NSS library did not enable TLS cipher suites that use Elliptic Curve Cryptography (ECC). Applications that did not change the NSS default configuration were unable to connect to servers that mandated support for ECC key exchange, such as ECDHE. In particular, connecting to servers that use certificates with ECDSA keys failed.

This update changes the default configuration to enable TLS cipher suites that allow using ECC by default. As a result, applications using NSS defaults for communication over TLS can now connect to servers that use certificates with ECDSA keys. (BZ#1059682)

New SSSD default values for group names

The System Security Services Daemon (SSSD) now uses new default group names that are compatible with Windows and third-party solutions. This affects installations that have the id_provider configuration option set to ad in the /etc/sssd/sssd.conf file.

If the environment requires a different value for the group name attribute than the new default value of sAMAccountName, a manual configuration change is required. For example, this might be required in situations when providing groups with the same name as users. To revert to the old behaviour, set cn as the attribute value:

1. Set ldap_group_name = cn in the /etc/sssd/sssd.conf file.

2. Run the following commands to clear the SSSD cache:

# service sssd stop
# find /var/lib/sss/ ! -type d | xargs rm -f
# service sssd start

(BZ#1342458)

Chapter 4. Clustering

New Pacemaker features

The Red Hat Enterprise Linux 6.8 release supports the following Pacemaker features:

You can now use the pcs resource relocate run command to move a resource to its preferred node, as determined by current cluster status, constraints, location of resources and other settings.
When configuring fencing for redundant power supplies, you now are only required to define each device once and to specify that both devices are required to fence the node.
The new resource-discovery location constraint option allows you to indicate whether Pacemaker should perform resource discovery on a node for a specified resource.
Resources will now start as soon as their state has been confirmed on all nodes and all dependencies have been satisfied, rather than waiting for the state of all resources to be confirmed. This allows for faster startup of some services, and more even startup load.
Clone resources support a new clone-min metadata option, specifying that a certain number of instances must be running before any dependent resources can run. This is particularly useful for services behind a virtual IP and haproxy, as is often done with OpenStack.

These features are documented in Configuring the Red Hat High Availability Add-On with Pacemaker, available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Configuring_the_Red_Hat_High_Availability_Add-On_with_Pacemaker/index.html. (BZ#1290458)

Graceful migration of resources when the `pacemaker_remote` service is stopped on an active Pacemaker Remote node

If the pacemaker_remote service is stopped on an active Pacemaker Remote node, the cluster will gracefully migrate resources off the node before stopping the node. Previously, Pacemaker Remote nodes were fenced when the service was stopped (including by commands such as yum update), unless the node was first explicitly taken out of the cluster. Software upgrades and other routine maintenance procedures are now much easier to perform on Pacemaker Remote nodes.

Note: All nodes in the cluster must be upgraded to a version supporting this feature before it can be used on any node. (BZ#1297564)

Support for SBD fencing with Pacemaker

The SBD (Storage-Based Death) daemon integrates with Pacemaker, a watchdog device, and, optionally, shared storage to arrange for nodes to reliably self-terminate when fencing is required. SBD can be particularly useful in environments where traditional fencing mechanisms are not possible. For information on using SBD with Pacemaker, see https://access.redhat.com/articles/2212861. (BZ#1313246)

The `glocktop` tool has been added to gfs2-utils

The gfs2-utils package now includes the glocktop tool, which can be used to troubleshoot locking-related performance problems that concern the Global File System 2 (GFS2). (BZ#1202817)

`pcs` now supports exporting a cluster configuration to a list of `pcs` commands

With this update, the pcs config export command can be used to export a cluster configuration to a list of pcs commands. Also, the pcs config import-cman command, which converts a CMAN cluster configuration to a Pacemaker cluster configuration, can now output a list of pcs commands that can be used to create the Pacemaker cluster configuration file. As a result, the user can determine what commands can be used to set up a cluster based on its configuration files. (BZ#1264795)

Fence agent for APC now supports firmware 6.x

The fence agent for APC now support firmware 6.x. (BZ#1259254)

Chapter 5. Compiler and Tools

dmidecode now supports SMBIOS 3.0.0

This update adds SMBIOS 3.0.0 support to the dmidecode utility. Now, dmidecode can work with 64-bit structures according to SMBIOS 3.0.0 specification. (BZ#1232558)

mcelog now supports additional Intel processors

The mcelog utility now supports 6th generation Intel Core processors, Intel Xeon processor E3 v5, and current Intel Pentium and Intel Celeron-branded processors. These new processors report with cpuid 0x4E and 0x5E.

Additionally, mcelog now also recognizes cpuids for current Intel Atom processors (0x26, 0x27, 0x35, 0x36, 0x37, 0x4a, 0x4c, 0x4d, 0x5a, and 0x5d) and Intel Xeon processor E5 v4, E7 v4, and Intel Xeon D (0x56 and 0x4f). (BZ#1255561)

python-linux-procfs rebased to version 0.4.9

The python-linux-procfs packages have been upgraded to upstream version 0.4.9, which provides a number of bug fixes and enhancements over the previous version.

Notable fixes include:

The package now contains API documentation installed in the /usr/share/docs/python-linux-procfs directory.
Handling of space separated fields in /proc/PID/flags has been improved which removes parsing errors previously encountered by python-linux-procfs. (BZ#1255725)

trace-cmd rebased to version 2.2.4

The trace-cmd packages have been upgraded to upstream version 2.2.4, which provides a number of bug fixes and enhancements over the previous version.

Notable changes include:

A new option -P is available for the trace-cmd list command. Use this option to list loaded plug-in files by path.
The trace-cmd report command has a new option, -t, which can be used to print full time stamps in reports. (BZ#1218670)

`tcsh` now supports `$anyerror` and `$tcsh_posix_status`

The tcsh command-language interpreter now supports the use of the $anyerror and $tcsh_posix_status variables, which define the tcsh behavior in case of an error of any pipelined command. This update brings the tcsh functionality closer to the Red Hat Enterprise Linux 7 tcsh version. Note that these two variables have opposite logical meanings. For more information, see the tcsh(1) manual page. (BZ#1256653)

OpenJDK 8 now supports ECC

With this update, OpenJDK 8 supports Elliptic Curve Cryptography (ECC) and the associated ciphers for TLS connections. ECC is in most cases preferable to older cryptographic solutions for making secure network connections.

Additionally, the java-1.8.0 package priority has been expanded to 7 digits. (BZ#1208307)

RC4 is now disabled by default in OpenJDK 6 and OpenJDK 7

Earlier OpenJDK packages allowed the RC4 cryptographic algorithm to be used when making secure connections using Transport Layer Security (TLS). This algorithm is no longer secure, and so has been disabled in this release. To retain its use, it is necessary to revert to the earlier setting of the jdk.tls.disabledAlgorithms of SSLv3, DH keySize < 768. This can be done permanently in the <java.home>/jre/lib/security/java.security file or by adding the following line:

jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768

to a new text file and passing the location of that file to Java on the command line using the argument -Djava.security.properties=<path to file>. (BZ#1217131)

rhino rebased to version 1.7R4

Rhino, an open-source implementation of JavaScript written in Java, has been rebased to version 1.7R4. This update fixes a JSON-related bug in the java-1.7.0-openjdk package, which uses rhino as a build dependency. Additionally, the previously missing manual page, README and LICENSE files have been added. (BZ#1244351)

pcp rebased to version 3.10.9

Several enhancements have been made to Performance Co-Pilot (PCP). Note that the majority of Performance Metric Domain Agents (PMDA) have been split into their own subrpms. This allows for more streamlined PCP installations.

Additions include new kernel metrics such as Intel NVME device support, IPv6 metrics, and container mappings to LXC containers, several new PMDAs (MIC, json, dm, slurm, pipe), and several new tools, including; pcp-verify(1), pcp-shping(1), pcp-atopsar(1), and pmrep(1). An export to Zabbix tool has also been added via zbxpcp(3). The pcp-atop tool has received a full rewrite, including a new NFS feature set. PCP's Performance Metrics Web Daemon (pmwebd) has received improvements, such as opening directories-as-archives for graphite, as well as adding support for the PCP pmStore(3) protocols. sar2pcp(1) has also been updated to include support for sysstat 11.0.1 commands. (BZ#1248272)

openmpi rebased to version 1.10.2

The openmpi packages have been upgraded to upstream version 1.10.2, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:

The new name of the binary package is openmpi-1.10. Its environment module name on the x86_64 architecture is openmpi-1.10-x86_64.
To preserve compatibility with Red Hat Enterprise Linux 6.7, openmpi-1.8 is still available. Its package name is openmpi-1.8 and it keeps the environment module name ( openmpi-x86_64 on the x86_64 architecture) it had in Red Hat Enterprise Linux 6.7. (BZ#1130442)

Changes in Open MPI distribution

Open MPI is an open source Message Passing Interface implementation. The compat-openmpi package, which provides earlier versions of Open MPI for backward compatibility with previous minor releases of Red Hat Enterprise Linux 6, has been split into several subpackages based on the Open MPI version.

The names of the subpackages (and their respective environment module names on the x86_64 architecture) are:

openmpi-1.4 (openmpi-1.4-x86_64)
openmpi-1.4-psm (openmpi-1.4-psm-x86_64)
openmpi-1.5.3 (compat-openmpi-x86_64, aliased as openmpi-1.5.3-x86_64)
openmpi-1.5.3-psm (compat-openmpi-psm-x86_64, aliased as openmpi-1.5.3-psm-x86_64)
openmpi-1.5.4 (openmpi-1.5.4-x86_64)
openmpi-1.8 (openmpi-x86_64, aliased as openmpi-1.8-x86_64)

The yum install openmpi command in Red Hat Enterprise Linux 6.8 installs the openmpi-1.8 package for maximum compatibility with Red Hat Enterprise Linux 6.7. A later version of Open MPI is available in the openmpi-1.10 package. (BZ#1158864)

Omping is now fully supported

Open Multicast Ping (Omping) is a tool to test the IP multicast functionality, primarily in the local network. This utility allows users to test IP multicast functionality and assists in the diagnosing whether a problem is in the network configuration or there is a bug. In Red Hat Enterprise Linux 6, Omping was previously provided as a Technology Preview and it is now fully supported. (BZ#657370)

elfutils rebased to version 0.164

The eu-addr2line utility introduces the following improvements:

Input addresses are now always interpreted as hexadecimal numbers, never as octal or decimal numbers.
A new option, -a, --addresses, to print address before each entry.
A new option, -C, --demangle, to show demangled symbols.
A new option, --pretty-print, to print all information on one line.

The eu-strip utility is now able to:

Handle ELF files with merged strtab and shstrtab tables.
Handle missing SHF_INFO_LINK section flags.

The libdw library introduces improvements in the following functions:

dwfl_standard_find_debuginfo now searches any subdirectory of the binary path under the debuginfo root when the separate debug file could not be found by build ID.
dwfl_linux_proc_attach can now be called before any Dwfl_Modules have been reported.
dwarf_peel_type now also handles DW_TAG_atomic_type.

Various new preliminary DWARF5 constants are now recognized, namely DW_TAG_atomic_type, DW_LANG_Fortran03, DW_LANG_Fortran08, DW_LANG_Haskell. Additionally, a new header file, elfutils/known-dwarf.h, is now installed by the devel package. (BZ#1254647)

`glibc` now supports BIG5-HKSCS-2008

Previously, glibc supported an earlier version of the Hong Kong Supplementary Character Set, BIG5-HKSCS-2004. The BIG5-HKSCS character set map has been updated to the HKSCS-2008 revision of the standard. This allows Red Hat Enterprise Linux customers to write applications processing text that is encoded with this version of the standard. (BZ#1211748)

Human-readable installed-rpms

The format of the installed-rpms sosreport list has been simplified to allow for optimal human readability. (BZ#1267677)

OProfile now supports 6th Generation Intel Core processors

With this update, OProfile recognizes the 6th Generation Intel Core processors, and it now provides non-architected performance events for the 6th Generation Intel Core processors instead of defaulting to the small subset of architected performance events. (BZ#1254764)

OProfile updated to recognize the Intel Xeon Processor D-1500 product family

With this update, support for Intel Xeon Processor D-1500 product family has been added to OProfile, and the processor-specific events for this product family are now available.

Note that some events, such as LLC_REFS and LLC_MISSES, may not count correctly. Check http://www.intel.com/content/www/us/en/processors/xeon/xeon-d-1500-specification-update.html for a complete list of performance events affected. (BZ#1231399)

`SystemTap` rebased to version 2.9

The SystemTap instrumentation system has been rebased to version 2.9. Major improvements in this update include more complete manual pages, more portable and usable netfilter probes, better support for kernel backtraces without debuginfo, better debuginfo-related diagnostics, reduced translator memory usage, and better performance of generated code. (BZ#1254648)

powerpc-utils rebased to version 1.3.0

The powerpc-utils packages have been upgraded to upstream version 1.3.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#1252706)

ipmitool rebased to version 1.8.15

The ipmitool packages have been upgraded to upstream version 1.8.15, which provides a number of bug fixes and enhancements over the previous version. The notable changes include support for the 13G Dell PowerEdge systems, support for host names longer than 64 bytes, and improved IPv6 support. (BZ#1253416)

memtest86+ rebased to version 5.01

The memtest86+ package has been upgraded to upstream version 5.01, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:

Support for up to 2 TB of RAM on AMD64 and Intel 64 CPUs
Support for new Intel and AMD CPUs, for example Intel Haswell
Experimental SMT support up to 32 cores

For detailed changes, see http://www.memtest.org/#change (BZ#1009083)

New package: java-1.8.0-ibm

This update adds IBM Java 8 to Red Hat Enterprise Linux 6. The java-1.8.0-ibm package is available in the Supplementary channel. (BZ#1148503)

New option for arpwatch: `-p`

This update introduces option -p for the arpwatch command of the arpwatch network monitoring tool. This option disables promiscuous mode. (BZ#1006479)

Chapter 6. Desktop

LibreOffice rebased to version 4.3.7.2

The libreoffice packages have been upgraded to upstream version 4.3.7.2, which provides a number of bug fixes and enhancements over the previous version, including:

The possibility to print comments in page margin has been added.
Support for nested comments has been added.
OpenXML interoperability has been improved.
Accessibility support has been enhanced.
The color picker has been improved.
The start center has been improved.
Initial HiDPI support has been added.
The limitation on number of characters in a paragraph has been raised considerably.

For a complete list of bug fixes and enhancements provided by this upgrade, refer to https://wiki.documentfoundation.org/ReleaseNotes/4.3. (BZ#1258467)

mesa now supports additional Intel 3D graphics

The mesa package now supports integrated 3D graphics on 6th generation Intel Core processors, Intel Xeon processor E3 v5, and current Intel Pentium and Intel Celeron-branded processors. (BZ#1135362)

New Vinagre features

This update provides a number of features to Vinagre. Namely:

The ability to connect through RDP protocol to remote Windows machines has been added.
If requested, credentials can be stored in a keyring for RDP connections.
Minimize button has been added to the fullscreen toolbar so that users do not need to leave fullscreen mode to minimize the whole window.

In addition, the /apps/vinagre/plugins/active-plugins GConf key is now ignored as it could cause RDP not to be loaded. (BZ#1215093)

`vmwgfx` now supports 3D operations under VMware Workstation 10

The vmwgfx driver has been updated to version 4.4, which enables vmwgfx support for 3D operations under VMware Workstation 10. With this upgrade, the vmwgfx driver now allows virtualized Red Hat Enterprise Linux 6 system to work as intended on Windows workstations. (BZ#1164447)

x3270 rebased to version 3.3.15

The latest update of x3270 in Red Hat Enterprise Linux 6.8 adds support for oversize, dynamic screen resolutions, that is screen adjustment on window resizing, to the IBM 3270 terminal emulator for the X Window System. Viewing larger screen sizes thus works properly and larger files or outputs on the mainframe appear as expected. (BZ#1171849)

icedtea-web rebased to version 1.6.2

The icedtea-web packages have been upgraded to upstream version 1.6.2, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:

The IcedTea-Web documentation and man pages have been significantly expanded.
IcedTea-Web now supports bash completion.
The Custom Policies and Run in Sandbox features have been enhanced.
An -html switch has been implemented for the Java Web Start (JavaWS) framework, which can serve as a replacement of the AppletViewer program.
It is now possible to use IcedTea-Web to create desktop and menu launchers for applets and JavaWS applications. (BZ#1275523)

Chapter 7. Directory Server in Red Hat Enterprise Linux

About Directory Server for Red Hat Enterprise Linux

This section describes changes in the main server component for Red Hat Directory Server - the 389-ds-base package, which includes the LDAP server itself and command line utilities and scripts for its administration. This package is part of the Red Hat Enterprise Linux base subscription channel and therefore available on all Red Hat Enterprise Linux Server systems due to Red Hat Identity Management components which depend on it.

Additional Red Hat Directory Server components, such as the Directory Server Console, are available in the rhel-x86_64-server-6-rhdirserv-9 additional subscription channel. A subscription to this channel is also required to obtain support for Red Hat Directory Server. Changes to the additional components in this channel are not described in this document.

Red Hat Directory Server version 9 is available for Red Hat Enterprise Linux 6. See https://access.redhat.com/products/red-hat-directory-server/get-started-v9 for information about getting started with Directory Server 9, and https://access.redhat.com/documentation/en/red-hat-directory-server/?version=9 for full documentation. (BZ#1333801)

Improved performance when deleting large quantities of multi-valued attributes

The API used to delete entries with large amounts of multi-valued attributes has been replaced with a significantly faster one, causing a large performance improvement in such situations. (BZ#1236148)

Chapter 8. File Systems

XFS runtime statistics are available per file system in the `/sys/fs/` directory

The existing XFS global statistics directory has been moved from the /proc/fs/xfs/ directory to the /sys/fs/xfs/ directory while maintaining compatibility with earlier versions with a symbolic link in /proc/fs/xfs/stat. New subdirectories will be created and maintained for statistics per file system in /sys/fs/xfs/, for example /sys/fs/xfs/sdb7/stats and /sys/fs/xfs/sdb8/stats. Previously, XFS runtime statistics were available only per server. Now, XFS runtime statistics are available per device. (BZ#1205640)

XFS supported file-system size has been increased

Previously, the supported file-system size for XFS was 100 TB. With this update, the supported file-system size for XFS has been increased to 300 TB. (BZ#1273090)

The `use_hostname_for_mounts` `autofs` option is now available

A new autofs option to override the use of an IP address when mounting to a host name with multiple associated addresses has been implemented. If strict Round Robin DNS is needed, the use_hostname_for_mounts option enables bypassing the usual availability and proximity check, and the host name is used in mount requests regardless of whether the requests have multiple IP addresses. (BZ#1248798)

Chapter 9. Hardware Enablement

Support for Sealevel model 2803 ROHS converters from USB to serial media

This update introduces support for Sealevel model 2803 ROHS converters from USB to serial media by including their IDs in the kernel. (BZ#1104343)

Backporting of the rtlwifi driver family

The rtlwifi driver family from upstream Linux kernel has been backported to support new Realtek wireless devices such as RTL8188CE, which are used on some variants of Lenovo laptops. (BZ#1263386)

Support for NCT6775 and compatible chips

This update introduces the NCT6775 kernel hwmon driver. This driver enables monitoring of the sensors associated with voltage, temperature, fan speed, and such, on hardware that includes a chip from Nuvoton's Super I/O series. (BZ#1260117)

Ethernet functionality added to mlx5_core

This enhancement update adds Ethernet functionality to the mlx5_core networking driver. The mlx5_core driver acts as a library of common functions, for example, initializing the device after reset required by certain adapter cards. This driver also implements the Ethernet interfaces for some adapter cards. Unlike mlx4_en/core, mlx5 drivers do not require the mlx5_en module as the Ethernet functionalities are built-in in the mlx5_core module. (BZ#1246031)

Support for O2Micro sdhci card reader model 8520

This update introduces support for the O2Micro sdhci card reader model 8520, which is used on newer Lenovo laptops. (BZ#1089109)

Support for solarflare devices and features

This update introduces a driver update that provides support for additional solarflare devices and features. (BZ#1123046)

Wacom Cintiq 27QHD Device Support

With this release, the Wacom Cintiq 27QHD is now supported in Red Hat Enterprise Linux 6. (BZ#1243328)

Wacom Intuos PT Tablet Device Support

With this release, several Wacom Intuos PT Tablets are now supported in Red Hat Enterprise Linux 6.8. The newly supported devices are:

PTH-650 Intuos5 touch (M)
CTH-480 Intuos Pen & Touch (S)
PTH-651 Intuos pro (M) (BZ#1252898)

Support for the Realtek 5229 card reader

This update introduces support for the Realtek 5229 card reader. (BZ#806173)

Support for the AMD GX-212JC processor

This update introduces support for the AMD GX-212JC processor. (BZ#1176662)

ppc64-diag rebased to version 2.7.0

The ppc64-diag packages have been upgraded to upstream version 2.7.0, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:

Several security-related issues have been fixed, such as memory leaks, buffer overflows, and replacing the popen() function with execv() calls
Diagnostics support for the 5887 disk drive enclosure has been added
PCI Host Bridge (PHB) hot-plugging support has been added for PowerKVM guests (BZ#1252717)

librtas rebased to version 1.4.0

The librtas packages, which provide an IBM utility for the 64-bit PowerPC architecture support, have been updated to version 1.4.0 to provide various bug fixes and enhancements. With this update, the libofdt library has been decommissioned from the librtas package. (BZ#1252716)

lsvpd rebased to version 1.7.6

The lsvpd packages, which provide an IBM utility for the 64-bit PowerPC architecture support, have been updated to version 1.7.6 to provide various bug fixes, enhancements, and security fixes, such as buffer overflow and memory allocation validation. Additionally, the lsmcode utility adds support for OpenPower system. (BZ#1148150)

servicelog rebased to version 1.1.13

The servicelog packages, which provide an IBM utility for the 64-bit PowerPC architecture support, have been updated to version 1.1.13 to provide various bug fixes and enhancements. (BZ#1148139)

iprutils rebased to version 2.4.10.1

The iprutils packages, which provide an IBM utility for the 64-bit PowerPC architecture support, have been updated to version 2.4.10.1 to provide various bug fixes and enhancements.

It is recommend to use the latest version of iprutils. If a system has already installed iprutils-2.4.9-2.el6, then to remove it, run the following command:

rpm -e --noscripts iprutils

(BZ#1252715)

Chapter 10. Installation and Booting

Using an HTTPS source for kickstart files is now supported

With this update, it is now possible to specify HTTPS sources for kickstart files. (BZ#1259880)

Increased debug logging for `NetworkManager`

The default log level of the NetworkManager utility has been increased to make debugging the installation process easier. (BZ#831777)

Automatic network device configuration using 802.1q VLAN tags from the iBFT

The installer configures network devices automatically, based on the iSCSI Boot Firmware Table (iBFT). Before this update, if 802.1q VLAN tagging was required for a device, the installer was not able to apply this information to the installed system. Now, if the 802.1q VLAN ID of a device is specified in the iBFT, the installer will use this information to automatically configure the device on the installed system. (BZ#831002)

Chapter 11. Kernel

The /proc/pid/cmdline file length is now unlimited

The /proc/pid/cmdline file length limit for the ps command was previously hard-coded in the kernel to 4096 characters. This update makes sure the length of /proc/pid/cmdline is unlimited, which is especially useful for listing processes with long command line arguments. (BZ#1100069)

Support for LSO and LRO

This update adds support for Large Send Offload (LSO) and Large Receive Offload (LRO) to the PowerVM virtual Ethernet driver (ibmveth). The enhancement allows you to enable LRO on the Shared Ethernet Adapter (SEA) in a mixed AIX and Linux Central Electronics Complex (CEC), allowing better networking performance and better interoperability with AIX in a shared ethernet adapter environment. (BZ#1233272)

ipr rebased to version 2.6.3

The ipr driver has been upgraded to upstream version 2.6.3, which provides a number of enhancements and bug fixes over the previous version. Namely, the update enables new SAS VRAID adapters on IBM Power Systems and includes recent performance improvements. As a result, the update improves disk performance and supports recent adapters on IBM Power Systems. (BZ#1252713)

ixgbe rebased to version 4.2.1

The ixgbe NIC driver has been upgraded to upstream version 4.2.1, which provides a number of bug fixes and enhancements over the previous version. Notably:

Null pointer crashes related to VLAN support have been fixed.
Two more devices from the Intel X550 Ethernet controller family are now supported: IDs 15AC and 15AD have been added.
Several PHY-related problems have been addressed: link disruptions and link flapping.
Added PHY-related support for Intel X550.
Performance has been improved. (BZ#1249244)

L2 cache information is gathered using the CPUID instruction

With this update, Level 2 (L2) processor cache information such as the base cache or the number of cache leaves is gathered using the CPUID instruction. (BZ#987679)

bnx2 rebased to version 2.2.6

The bnx2 NIC driver has been upgraded to upstream version 2.2.6, which provides a number of bug fixes and enhancements over the previous version. Notably:

Bandwidth allocation for some MF modes has been fixed.
Toggling of rxvlan can now be disabled.
A chip initialization bug has been fixed.
Inconsistent use of page sizes has been fixed. (BZ#1252124)

e100 rebased to version 3.5.24-k2-NAPI

The e100 NIC driver has been upgraded to upstream version 3.5.24-k2-NAPI, which provides a number of bug fixes over the previous version. Notably, the update adds error checking around DMA mapping to avoid resource leaks and fixes a possible NULL pointer dereference during initialization. (BZ#1150338)

e1000e rebased to version 3.2.6-k

The e1000e driver has been upgraded to upstream version 3.2.6-k, which provides a number of bug fixes over the previous version. Notably, the new version prevents possible data corruption and enables both ULP and EEE in Sx mode. (BZ#1249241)

MLDv1 and MLDv2 snooping added to bridge

With this update, the bridge module adds support to IPv6 multicast by snooping for MLDv1 and MLDv2. Now, IPv6 multicast messages are sent only to ports with subscribed multicast receivers. (BZ#587714)

perf has been updated

To support a greater range of hardware and incorporate numerous bug fixes, perf has been updated. Notable enhancements include:

Added support for additional model numbers of 5th Generation Intel Core i7 processors.
Added support for Intel Xeon v5 mobile and desktop processors.
Enabled support for the uncore subsystem for Intel Xeon v3 and v4 processors.
Enabled support for the uncore subsystem for Intel Xeon Processor D-1500. (BZ#1216217)

EDAC support for Intel Xeon v4

The kernel has been updated to incorporate new code that adds EDAC (Error Detection and Correction) support for the Xeon v4 memory controllers from Intel. (BZ#1245372)

Crash dump performance enhancements

The time taken to complete a crash dump on systems with large quantities of memory has been reduced in kexec-tools and makedumpfile by making use of mmap() to remove empty and unneeded pages. (BZ#1097904)

Interval Tree Support for Intel Xeon v3 and v4 core processors with Gen graphics

To enable access to the GPU functionality of some Intel processors without recompiling a custom kernel, Interval Tree support has been added. (BZ#1251197)

CPU microcode update for Intel processors

The kernel has been updated to contain the latest microcode definitions for all Intel processors. This is the latest update from Intel at the time of publishing and is designated version 20151106. (BZ#1244968)

Minimal support for secondary endpoints with nf_conntrack_proto_sctp

Basic multihoming support has been added to Stream Control Transmission Protocol (SCTP), allowing traffic between secondary endpoints to pass through where it would previously be classified as invalid and blocked by most common firewall configurations. (BZ#1267612)

The sch_qfq scheduler now supports QFQ+

The sch_qfq scheduler now supports the Quick Fair Queuing Plus (QFQ+) algorithm, which improves the scheduler's efficiency and accuracy. At the same time, a number of bug fixes have been applied to further improve the behavior of sch_qfq under various conditions. (BZ#1152235)

Tracking and capturing I/O statistics for the tape driver is available

It is now possible to track and capture I/O performance statistics, and measure tape device performance. The user can use the statistics exposed in the /sys/class/scsi_tape/ tree with custom tools. (BZ#875277)

mpt2sas and mpt3sas merged

The source codes of mpt2sas and mpt3sas drivers have been merged. Unlike in upstream, Red Hat Enterprise Linux 6 continues to maintain two binary drivers for compatibility reasons. (BZ#717090)

Firmware-assisted Crash Dumping

Red Hat Enterprise Linux 6.8 introduces support for firmware-assisted dump (fadump), which provides an alternative dumping mechanism to kdump. Fadump is supported only on PowerPC architecture. The goal of fadump is to enable the dump of a crashed system, and to do so from a fully-reset system, and to minimize the total elapsed time until the system is back in production use. Fadump is integrated with kdump infrastructure present in the user space to seemlessly switch between kdump and fadump mechanisms. (BZ#1254923)

Setting an SELinux context label for a block device

To be able to label device nodes, most commonly disks, as used by certain applications, this update provides the possibility to apply SELinux labels on device nodes created by udev. The system administrator can set a new option to give a label to a newly created device node as follows:

SECLABEL{selinux}="label"

(BZ#1015300)

New packages: libevdev

The libevdev packages have been added to Red Hat Enterprise Linux 6.8. These packages contain a library to wrap kernel evdev devices and provide a proper API to interact with these devices. (BZ#1250806)

lpfc driver update

With the latest update, LPE31000, LPE32000 HBAs, and all HBA variants of this architecture now detect and enable both Broadcom-ECD certified SFP and QSFP optics. For firmware rev 11.0.204.0 and later, unqualified optics are disabled, the network link shows link down state, and an error message is logged to the log file.

The lpfc driver in Red Hat Enterprise Linux 6.8 displays the following message and the network link does not come up:

3176 Misconfigured Physical Port - Port Name [wwpn] Unknown event status [status]

The users are recommended to use only Broadcom-ECD certified SFP and QSFP optics. If any of the 3176 messages are seen in the logs and the link does not come up, contact Broadcom-ECD technical support. (BZ#1295468)

Chapter 12. Networking

NetworkManager-openswan now supports libreswan

In Red Hat Enterprise Linux 6.8, the openswan IPsec implementation is considered obsolete and replaced by the libreswan implementation. The NetworkManager-openswan package now supports both openswan and libreswan in order to facilitate migration. (BZ#1267394)

New package: chrony

A new package, chrony, has been added to Red Hat Enterprise Linux 6. chrony is a versatile implementation of the Network Time Protocol (NTP), which can usually synchronize the system clock with a better accuracy than the ntpd daemon from the ntp package. It can be also used with the timemaster service from the linuxptp package to synchronize the clock to Precision Time Protocol (PTP) domains with sub-microsecond accuracy if hardware timestamping is available, and provide a fallback to other PTP domains or NTP sources. (BZ#1274811)

New packages: ldns

The ldns packages contain a library with the aim to simplify DNS programming in C. All low-level DNS/DNSSEC operations are supported. A higher level API has been defined which allows a programmer to, for instance, create or sign packets. (BZ#1284961)

`wpa_supplicant` can now send logs into the syslog

Previously, wpa_supplicant could only save log messages into the /var/log/wpa_supplicant.log file. This update adds the capability to save log messages into the system log, allowing you to use additional features provided by syslog such as remote logging.

To activate this feature, add the new -s option into OTHER_ARGS in the /etc/sysconfig/wpa_supplicant configuration file. (BZ#822128)

Enhancements in system-config-network

The Network Configuration tool (the system-config-network package) has received multiple user interface improvements in this release. Notable enhancements include additional fields for the PEERDNS and ONBOOT settings and an added Delete button in the list of interfaces. (BZ#1214729)

New packages: unbound

Unbound is a validating, recursive, and caching DNS resolver. It is designed as a set of modular components that also support DNS Security Extensions (DNSSEC). (BZ#1284964)

`nm-connection-editor` now allows a higher range of VLAN ids

The VLAN id is no longer limited to the range 0-100 in nm-connection-editor. The new allowed range is between 0 and 4095. (BZ#1258218)

`NetworkManager` supports locking Wi-Fi network connections to a specific radio frequency band

NetworkManager now allows you to specify a certain frequency band such for a Wi-Fi connection. To lock a connection to a certain band, use the new BAND= option in the connection configuration file in the /etc/sysconfig/network-scripts/ directory. Values for this option are based on the IEEE 802.11 protocol specifications; to specify the 2.4 GHz band, use BAND=bg, and to specify the 5 GHz band, use BAND=a. (BZ#1254070)

`NetworkManager` now supports iBFT

A plug-in for iSCSI Boot Firmware Table (iBFT) configuration has been added to NetworkManager. This plug-in ensures that initial network configuration for hosts booting from iSCSI in a VLAN is correct. (BZ#1198325)

Chapter 13. Security

TLS 1.2 support added to basic system components

With these updates, basic system tools, such as yum, stunnel, vsftpd, Git, or Postfix have been modified to support the 1.2 version of the TLS protocol. This is to ensure that the tools are not vulnerable to security exploits that exist for older versions of the protocol. (BZ#1253743)

NSS now enables the TLS version 1.2 protocol by default

In order to satisfy current best security practices, the Transport Layer Security (TLS) 1.2 protocol has been enabled by default in NSS. This means that it is no longer necessary to explicitly enable it in applications that use NSS library defaults.

If both sides of TLS connection enable TLS 1.2, this protocol version is now used automatically. (BZ#1272504)

`pycurl` now provides options to require TLSv1.1 or 1.2

With this update, pycurl has been enhanced to support options that make it possible to require the use of the 1.1 or 1.2 versions of the TLS protocol, which improves the security of communication. (BZ#1260406)

PHP `cURL` module now supports TLS 1.1 and TLS 1.2

Support for the TLS protocol version 1.1 and 1.2, which was previously made available in the curl library, has been added to the PHP cURL extension. (BZ#1255920)

`openswan` deprecated in favor of `libreswan`

The openswan packages have been deprecated, and libreswan packages have been introduced as a direct replacement for openswan. libreswan is a more stable and secure VPN solution for Red Hat Enterprise Linux 6. libreswan is already available as the VPN endpoint solution for Red Hat Enterprise Linux 7. openswan will be replaced by libreswan during system upgrade. See https://access.redhat.com/articles/2089191 for instructions on how to migrate from openswan to libreswan.

Note that the openswan packages remain available in the repository. To install openswan instead of libreswan, use the -x option of yum to exclude libreswan: yum install openswan -x libreswan. (BZ#1266222)

SELinux support added for GlusterFS

With this update, the SELinux mandatory access control is provided for the glusterd (GlusterFS Management Service) and glusterfsd (NFS server) processes as a part of Red Hat Gluster Storage. (BZ#1241112)

shadow-utils rebased to version 4.1.5.1

The shadow-utils package, which provides utilities for managing user and group accounts, has been rebased to version 4.1.5.1. This is the same as the version of shadow-utils in Red Hat Enterprise Linux 7. Enhancements include improved auditing, which was corrected to provide a better record of system-administrator actions on the user-account database. The main new feature added to this package is the support for operation in chroot environments using the --root option of the respective tools. (BZ#1257643)

audit rebased to version 2.4.5

The audit package, which provides the user-space utilities for storing and searching the audit records generated by the audit subsystem in the Linux kernel, has been rebased to version 2.4.5. This update includes enhanced event interpretation facilities that provide more system-call names and arguments to make the understanding of events easier.

This update also has an important behavior change in the way that auditd records events to disk. If you are using either data or sync modes for the flush setting in auditd.conf, you will see a performance decrease in auditd's ability to log events. This is because it was previously not properly informing the kernel that full synchronous writes should be used. This was corrected, which has improved the reliability of the operation, but this has come at the expense of performance. If the performance drop is not tolerable, the flush setting should be changed to incremental and the freq setting will control how often auditd instructs the kernel to synchronize all records to disk. A freq setting of 100 should give good performance while making sure that new records are flushed to disk periodically. (BZ#1257650)

LWP now supports host name and certificate verification

Certificate and host-name verification, which is disabled by default, has been implemented in the World Wide Web library for Perl (LWP, also called libwww-perl). This allows users of the LWP::UserAgent Perl module to verify the identity of HTTPS servers. To enable the verification, make sure the IO::Socket::SSL Perl module is installed and the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable set to 1 or that the application is modified to set the ssl_opts option correctly. See LWP::UserAgent POD for more details. (BZ#745800)

Perl `Net:SSLeay` now supports elliptic curve parameters

Support for elliptic-curve parameters has been added to the Perl Net:SSLeay module, which contains bindings to the OpenSSL library. Namely, the EC_KEY_new_by_curve_name(), EC_KEY_free*(), SSL_CTX_set_tmp_ecdh(), and OBJ_txt2nid() subroutines have been ported from upstream. This is required for the support of the Elliptic Curve Diffie–Hellman Exchange (ECDHE) key exchange in the IO::Socket::SSL Perl module. (BZ#1044401)

Perl `IO::Socket::SSL` now supports ECDHE

Support for Elliptic Curve Diffie–Hellman Exchange (ECDHE) has been added to the IO::Socket::SSL Perl module. The new SSL_ecdh_curve option can be used for specifying a suitable curve by the Object Identifier (OID) or Name Identifier (NID). As a result, it is now possible to override the default elliptic curve parameters when implementing a TLS client using IO::Socket:SSL. (BZ#1078084)

openscap rebased to version 1.2.8

OpenSCAP, a set of libraries providing a path for the integration of SCAP standards, has been rebased to 1.2.8, the latest upstream version. Notable enhancements include support for the OVAL-5.11 and OVAL-5.11.1 language versions, the introduction of a verbose mode, which helps to understand the details of running scans, two new commands, oscap-ssh and oscap-vm, for scanning over SSH and scanning of inactive virtual systems respectively, native support for bz2 archives, and a modern interface for HTML reports and guides. (BZ#1259037)

scap-workbench rebased to version 1.1.1

The scap-workbench package has been rebased to version 1.1.1, which provides a new SCAP Security Guide integration dialog. It can help the administrator choose a product that needs to be scanned instead of choosing content files. The new version also offers a number of performance and user-experience improvements, including improved rule searching in the tailoring window and the possibility to fetch remote resources in SCAP content using the GUI. (BZ#1269551)

scap-security-guide rebased to version 0.1.28

The scap-security-guide package has been rebased to the latest upstream version (0.1.28), which offers a number of important fixes and enhancements. These include several improved or completely new profiles for both Red Hat Enterprise Linux 6 and 7, added automated checks and remediation scripts for many rules, human readable OVAL IDs that are consistent between releases, or HTML-formatted guides accompanying each profile. (BZ#1267509)

Support for SSLv3 and RC4 disabled in `luci`

The use of the insecure SSLv3 protocol and RC4 algorithm has been disabled in luci, the web-based high availability administration application. By default, only TLSv1.0 and higher protocol versions are allowed, and the digest algorithm used for self-managed certificates has been updated to SHA256. It is possible to re-enable SSLv3 (by uncommenting the allow_insecure options in relevant sections of the /etc/sysconfig/luci configuration file), but that is only for unlikely and unpredictable cases and should be used with extreme caution.

This update also adds the possibility to adjust the most important SSL/TLS properties (in addition to the mentioned allow_insecure): the path to the certificate pair and the cipher list. These settings can be used either globally, or independently for both secure channels (HTTPS web UI access and connection with ricci instances). (BZ#1156167)

Chapter 14. Servers and Services

mod_nss now supports server-side SNI

This update adds server-side Server Name Indication (SNI) support to the mod_nss package. (BZ#1295490)

Non-root user support in `httpd` `mod_rewrite`

The mod_rewrite module provided with the Apache HTTP Server now supports running external mapping programs as a non-root user. This reduces security risk from using mod_rewrite mapping because a non-privileged process can be used. (BZ#1035230)

tomcat6 now supports disableURLRewriting

This update adds the disableURLRewriting attribute to the Tomcat 6 servlet container. The attribute allows to disable support for using URL rewriting to track session IDs for specific contexts. (BZ#1221877)

Logging capabilities of the `tftp` server have been enhanced

As a result of improved logging, the Trivial File Transfer Protocol (TFTP) server can now track successes and failures. For example, a log event is now created when a client successfully finishes downloading a file, or the file not found message is provided in case of a failure. (BZ#917817)

`Squid` can log IP addresses and ports of remote hosts

In previous versions, the Squid caching and forwarding web proxy had the ability to log the URL, which included the host name. However, Squid could not log the IP address of the destination server. This update enables Squid to log IP addresses and ports of remote hosts, which is especially useful when dealing with hosts that have multiple IP addresses. (BZ#848124)

new ignore-client-uids option

When a client machine can boot different operating systems (OS), each OS can send a different DHCP client identifier (UID) and consequently obtain a different IP address from the server. Now, the user can configure a server to treat such a machine as a single entity regardless of the OS it runs at the moment with a new ignore-client-uids option.

This option causes the server to not record a client's UID in its lease. To configure ignore-client-uids, add the following line to the /etc/dhcp/dhcpd.conf file:

ignore-client-uids true;

This configuration causes that the UID for clients will not be recorded. If this statement is not present or has a value of false or off, then client UIDs will be recorded. (BZ#1196768)

A `Tuned` profile optimized for Oracle database servers has been included

A new oracle Tuned profile, which is specifically optimized for the Oracle databases load, is now available. The new profile is delivered in the tuned-profiles-oracle subpackage, so that other related profiles can be added in the future. The oracle profile is based on the enterprise-storage profile, but modifies kernel parameters based on Oracle database requirements and turns transparent huge pages off. (BZ#1196294)

New package: squid34

A new package squid34 version 3.4.14 has been released. This package cannot be installed together with the squid package. squid34 improves stability and fixes multiple bugs originally reported against squid.

The most important new features in squid34 include:

Helper protocol extensions
SSL Server Certificate Validator
Store-ID
TPROXY Support for OpenBSD 5.1 and later, and FreeBSD 9 and later
Transaction Annotations
Multicast DNS (BZ#1265328)

The BIND server now supports CAA records

Certification Authority Authorization (CAA) support has been added to the Berkeley Internet Name Domain (BIND) server. Now, users can restrict Certification Authorities by specifying the DNS record. (BZ#1252611)

The `LocalAddress` and `LocalPort` keywords are now supported for `Match` conditions in `sshd_config`

Systems connected to several physical networks might require different access policies. With this update, you can enforce different policies for different local addresses or ports directly in sshd_config, without the need to run several services with different configuration files. (BZ#1211673)

Support for disabling selected GSSAPI key exchange algorithms

After CVE-2015-4000 (Logjam) was discovered, the gss-group1-sha1 algorithm is not considered secure anymore. Previously, there was no possibility to disable this single key exchange method. With this update, the administrator can disable this or other selected algorithms used by GSSAPI key exchange in sshd_config. (BZ#1253060)

New `authorized_keys_command` option in `pam_ssh_agent_auth`

Managing sudo rules across multiple systems might require to list SSH keys from LDAP, which was previously not possible. With this update, you can set up pam_ssh_agent_auth to get the authorized keys from LDAP or a different service easily. The feature has been backported from the upstream version. (BZ#1299555)

Chapter 15. Storage

The `multipath` utility can now save data between prioritizer calls

This feature has been implemented in the asymmetric logical unit access (ALUA) prioritizer, and reduces the number of commands sent to the target array. As a result, target arrays are no longer overloaded with commands if there is a large number of paths. (BZ#1081395)

Asynchronous checkers can use the multipath checker_timeout option

Asynchronous checkers now use the checker_timeout option in the multipath.conf file to determine when to stop waiting for a response from the array and fail the non-responsive path. This behavior for asynchronous checkers can be configured in the same way as for synchronous checkers. (BZ#1153704)

nfsidmap -d option added

The nfsidmap -d option has been added to display the system's effective NFSv4 domain name on stdout. (BZ#948680)

Configurable connection timeout for mounted CIFS shares

Idling CIFS clients send an echo call every 60 seconds. The echo interval is hard-coded, and is used to calculate the timeout value for an unreachable server. This timeout value is usually set to (2 * echo interval) + 17 seconds. With this feature, users can change the echo interval setting, which enables them to change the timeout interval for unresponsive servers. To change the echo interval, use the echo_interval=n mount option, where n is the echo interval in seconds. (BZ#1234960)

Support for device-mapper statistics facility (`dmstats`)

The Red Hat Enterprise Linux 6.8 release supports a device-mapper statistics facility, the dmstats program. The dmstats program displays and manages I/O statistics for user-defined regions of devices that use the device-mapper driver. The dmstats program provides a similar functionality to the iostats program, but at levels of finer granularity than a whole device. For information on the dmstats program, see the dmstats(8) man page. (BZ#1267664)

Support for raw format mode in multipathd formatted output commands

The multipathd formatted ouput commands now offer a raw format mode that removes the headers and additional padding between fields. Support for additional format wildcards has been added as well. Raw format mode makes it easer to collect and parse information about multipath devices, particularly for use in scripting. For information on raw format mode, see the DM Multipath Guide. (BZ#1145442)

Chapter 16. System and Subscription Management

New `search-disabled-repos` plug-in for `yum`

The search-disabled-repos plug-in for yum has been added to the subscription-manager packages. This plug-in allows users to successfully complete yum operations that fail due to the source repository being dependent on a disabled repository. When search-disabled-repos is installed in the described scenario, yum displays instructions to temporarily enable repositories that are currently disabled and to search for missing dependencies.

If you choose to follow the instructions and turn off the default notify_only behavior in the /etc/yum/pluginconf.d/search-disabled-repos.conf file, future yum operations will prompt you to temporarily or permanently enable all the disabled repositories needed to fulfill the yum transaction. (BZ#1268376)

Easier troubleshooting with `yum`

The yum utility is now able to identify certain frequently occurring errors and provides a link to a relevant Red Hat Knowledgebase article. This helps users identify typical problems and address their cause. (BZ#1248686)

New package: rear

Relax-and-Recover (rear) is a recovery and system migration utility. Written in bash, it allows you to use tools already present on your system to continuously create recovery images which can be saved locally or on a remote server, and to use these images to easily restore the system in case of software or hardware failure. The tool also supports integration with various external tools such as backup solutions ( Symantec NetBackup, duplicity, IBM TSM, etc.) and monitoring systems ( Nagios, Opsview).

The rear utility is available in base channels for all variants of Red Hat Enterprise Linux 6.8 on all architectures.

The utility produces a bootable image and restores from backup using this image. It also allows to restore to different hardware and can therefore be used as a migration utility as well. (BZ#981637)

`iostat` now supports separate statistics for `r_await` and `w_await`

The iostat tool now supports separate statistics for r_await (average time for read requests issued to the device to be served) and w_await (average time for write requests issued to the device to be served) in the Device Utilization Report. Use the -x option to obtain a report which includes this information. (BZ#1185057)

TLS 1.1 and 1.2 are now enabled by default in `libcurl`

Previously, versions 1.1 and 1.2 of the TLS protocol were disabled by default in libcurl. Users were required to explicitly enable these TLS versions in utilities based on libcurl in order to allow these utilities to securely communicate with servers that do not accept SSL 3.0 and TLS 1.0 connections. With this update, TLS 1.1 and TLS 1.2 are no longer disabled by default in libcurl. You can, however, explicitly disable them using the libcurl API. (BZ#1289205)

`libcurl` can now connect to SCP and SFTP servers through a HTTP proxy

Implementations of the SCP and SFTP protocols in libcurl have been enhanced and now support tunneling through HTTP proxies. (BZ#1258566)

`abrt` can now exclude specific programs from being dumped

Previously, ignoring crashes of blacklisted programs in abrt did not prevent it from creating their core dumps - the dumps were still written to disk and then deleted. This approach allowed abrt to notify system administrators of a crash while not using disk space to store unneeded crash dumps. However, creating these dumps only to delete them later was unnecessarily wasting system resources. This update introduces a new configuration option IgnoredPaths in the /etc/abrt/plugins/CCpp.conf configuration file, which allows you to specify a comma-separated list of file system path globs which will not be dumped at all. (BZ#1208713)

User and group whitelisting added to `abrt`

Previously, abrt allowed all users to generate and collect core dumps, which could potentially enable any user to maliciously generate a large number of core dumps and waste system resources. This update adds a whitelisting functionality to abrt, and you can now only allow specific users or groups to generate core dumps. Use the new AllowedUsers = user1, user2, ... and AllowedGroups = group1, group2, ... options in the /etc/abrt/plugins/CCpp.conf configuration file to restrict core dump generation and collection to these users or groups, or leave these options empty to configure abrt to process core dumps for all users and groups. (BZ#1256705)

libvpd rebased to version 2.2.5

The libvpd packages have been upgraded to upstream version 2.2.5, which provides a number of bug fixes and enhancements over the previous version. Notably, this version includes:

Improved error handling
Security improvements such as fixing a potential buffer overflow and memory allocation validation (BZ#1148140)

libservicelog rebased to version 1.1.15

The libservicelog packages have been upgraded to upstream version 1.1.15, which provides a number of bug fixes and enhancements over the previous version. (BZ#1148141)

`sysctl` configuration files can now contain longer lines

Previously, sysctl configuration files could only contain lines up to 255 characters long. With this update, the maximum acceptable line length has been increased to 4095 characters. (BZ#1201024)

`ps` can now display thread cgroups

This update introduces a new format specifier thcgr, which can be used to display the cgroup of each listed thread. (BZ#1284076)

`reporter-upload` now allows configuring optional SSH keys

The reporter-upload tool, which is used by abrt to submit collected problem data, now allows you to use optional SSH key files. You can specify a key file using one of the following ways:

The SSHPublicKey and SSHPrivateKey options in the /etc/libreport/plugins/upload.conf configuration file.
Using -b and -r command line options for the public and private key, respectively.
Setting the Upload_SSHPublicKey and Upload_SSHPrivateKey environment variables, respectively.

If none of these options or variables are used, reporter-upload will attempt to use the default SSH key from the user's ~/.ssh/ directory. (BZ#1261120)

Chapter 17. Virtualization

Support for Hyper-V storage with 4096-byte sectors

Red Hat Enterprise Linux guests running on the Microsoft Hyper-V hypervisor are now able to properly handle 4096-byte sectors for Hyper-V storage when such sector size is reported by the host. This can significantly improve the I/O performance of Red Hat Enterprise Linux guests running on the described type of storage. (BZ#1217570)

Red Hat Enterprise Linux guests now support reporting kernel crashes on Hyper-V

Red Hat Enterprise Linux guests running on the Microsoft Hyper-V hypervisor are now able to report kernel crashes to the Hyper-V host. If such a crash occurs, the kernel panic notification data is captured in the Windows Event Viewer as a 18590 event. The event contains the relative instruction pointer (RIP) and 4 basic CPU registers. (BZ#1229904)

Hyper-V guests now support TRIM

Red Hat Enterprise Linux virtual machines on Hyper-V now support performing the TRIM operation on Hyper-V virtual hard disk (VHDX) files. This prevents VHDX files on these machines from growing to excessive sizes. As a result, it is now possible to use thin-provisioned VHDX storage. (BZ#1247699)

Hyper-V guests now support Windows 10 protocol

This update introduces support for Windows 10 and Windows Server 2016 host protocols when Red Hat Enterprise Linux is running as a guest on Microsoft Hyper-V. (BZ#1267592)

Setting the account password is now possible for any guest user

The guest-set-user-password command has been introduced for the QEMU guest agent. This allows setting the account password for any guest user, including the root, when using QEMU and KVM. (BZ#1174181)

virtio-win support for Windows 10

The virtio-win package now includes drivers for Windows 10, which allows users of virtio-win to create Windows 10 guests. (BZ#1275050)

Red Hat Enterprise Linux 6 Hyper-V Generation 2 guests fully supported

With Red Hat Enterprise 6.8, it is fully supported for Red Hat Enterprise Linux 6 to be hosted as Generation 2 virtual machines on the 2012 R2 and later versions of the Microsoft Hyper-V Server host. In addition to the functions supported in the previous generation, Generation 2 provides new functions on a virtual machine, such as boot from a SCSI virtual hard disk, or UEFI firmware support. (BZ#1056676)

New package: WALinuxAgent

The Microsoft Azure Linux Agent (WALA) version 2.0.16 has been included in the Extras channel. This agent supports the provisioning and running of Linux Virtual Machines in the Windows Azure cloud and should be installed on Linux images that are built to run in the Windows Azure environment. (BZ#1215872)

virt-who rebased to version 0.16-7

virt-who queries of the Hyper-V hypervisor have been extended to include the capacity (socket counts so that the subscription applied to the hypervisor can be evaluated), name, and type to be displayed in the SMS inventory to make it easier for the user to identify the system.
the virt-who interval, VIRTWHO_INTERVAL=, has been extended to 1 minute to prevent from failures in communication with Subscription-Manager.
virt-who now supports connecting Red Hat Enterprise Virtualization Manager (RHEV-M) and the Hyper-V hypervisor through proxy.
virt-who now allows filtering for hosts that are sent by virt-who to Red Hat Subscription-Manager.
virt-who is able to report which virtual guests of virtual machines are active on all known hypervisors. (BZ#1258765)

Chapter 18. Red Hat Software Collections

Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures. Red Hat Developer Toolset is included as a separate Software Collection.

Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Since Red Hat Software Collections 2.3, the Eclipse development platform is provided as a separate Software Collection.

Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can choose which package version they want to run at any time.

Important

Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.

See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.

See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.

Part II. Known Issues

This part documents known problems in Red Hat Enterprise Linux 6.8.

Chapter 19. General Updates

resource-agents-sap-hana shipped in an incorrect channel

The resource-agents-sap-hana package has been available as part of the High Availability Add-On in Red Hat Enterprise Linux 6.7 and 6.8. However, asynchronous updates for this package were made available through the Red Hat Enterprise Linux for SAP HANA repository. Consequently, package updates on systems that do not enable both the Red Hat Enterprise Linux High Availability Add-On and Red Hat Enterprise Linux for SAP HANA repositories can fail. To avoid this problem, enable both the RHEL for SAP HANA and Red Hat Enterprise Linux High Availability channels in Red Hat Subscription Manager, Red Hat Network, or Red Hat Network Satellite prior to updating any applicable systems. If you do not have access to SAP HANA content, remove the resource-agents-sap-hana package by running the rpm -e command. (BZ#1334776)

Incorrect information about the expected default settings of services in Red Hat Enterprise Linux 7

The module of Preupgrade Assistant that handles initscripts provides incorrect information about the expected default settings of the services in Red Hat Enterprise Linux 7 according to the /usr/lib/systemd/system-preset/90-default.preset file in Red Hat Enterprise Linux 7 and according to the current settings of the Red Hat Enterprise Linux 6 system. In addition, the module does not check the default settings of the system but only the settings for the runlevel used during the processing of the check script, which might not be the default runlevel of the system. As a consequence, initscripts are not handled in the anticipated way and the new system needs more manual action than expected. However, the user is informed about the settings that will be chosen for relevant services, despite the presumable default settings. (BZ#1366671)

The default value of `first_valid_uid` in Dovecot has changed in Red Hat Enterprise Linux 7

Since Red Hat Enterprise Linux 7.3, the default value of the first_valid_uid configuration option of Dovecot has changed from 500 in Red Hat Enterprise Linux 6 to 1000 in Red Hat Enterprise Linux 7. Consequently, if a Red Hat Enterprise Linux 6 installation does not have first_valid_uid explicitly defined, the Dovecot configuration will not allow users with UID less than 1000 to log in after the update to Red Hat Enterprise Linux 7.

To avoid breaking of the configuration, redefine first_valid_uid to 500 after the upgrade in the /etc/dovecot/conf.d/10-mail.conf file. Note that only installations where first_valid_uid is not explicitly defined are affected by this problem. (BZ#1388967)

Chapter 20. Authentication and Interoperability

Do not use SELinux in enforcing mode when sharing the root directory

Samba requires a shared directory to be labeled samba_share_t when SELinux is in enforcing mode. However, when sharing the whole root directory of the system by using the path = / configuration in the /etc/samba/smb.conf file, labeling the root directory as samba_share_t causes critical system malfunctions.

Red Hat strongly discourages users from labeling the root directory with the samba_share_t label. Therefore, do not use SELinux in enforcing mode when sharing the root directory using Samba. (BZ#1320172)

SSSD does not support the LDAP externalUser attribute

The System Security Services Daemon (SSSD) service is missing support for the externalUser LDAP attribute of the Identity Management (IdM) schema. In consequence, the assignment of sudo rules to local accounts, such as by using the /etc/passwd file, fails. The problem affects only accounts outside of the IdM domains and Active Directory (AD) trusted domains.

To work around this problem, set the LDAP sudo search base as follows in the [domain] section of the /etc/sssd/sssd.conf file:

ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

This enables SSSD to resolve users defined in externalUser. (BZ#1321884)

SSSD incorrectly creates local overrides in an AD environment

The sss_override tool creates case-insensitive distinguished names (DN) when the id_provider option is set to ad in the /etc/sssd/sssd.conf file. However, the DNs in the SSSD cache are stored case-sensitive. As a consequence, local overrides are not created for users from the Active Directory (AD) subdomain or for users with mixed-case account names. (BZ#1327272)

`sssd_be` does not terminate forked child processes

When the id_provider option is set to ad in the /etc/sssd/sssd.conf file, a helper process inside sssd_be processes sometimes fails. In consequence, the process is spawning new sssd_be instances, which consume additional memory. To work around this problem, install the adcli package and restart the sssd daemon. (BZ#1336453)

SSSD fails to manage sudo rules from the IdM LDAP tree

The System Security Services Daemon (SSSD) currently uses the IdM LDAP tree by default. As a consequence, it is not possible to assign sudo rules to non-POSIX groups. To work around this problem, modify the /etc/sssd/sssd.conf file to set your domain to use the compat tree again:

[domain/EXAMPLE]
...
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

As a result, SSSD will load sudo rules from the compat tree and you will be able to assign rules to non-POSIX groups.

Note that Red Hat recommends to configure groups referenced in sudo rules as POSIX groups.

The HP keyboard KUS1206 does not handle smart cards correctly and can become unresponsive

When using the HP keyboard KUS1206 with a built-in smart card reader, you might experience the following problems:

The keyboard detects smart cards inconsistently.
When the user logs in to the system with a password and the smart card is not inserted, the following message appears continuously in the /var/log/messages file:
```
pcscd: commands.c:957:CmdGetSlotStatus Card absent or mute
```
The keyboard sometimes becomes unresponsive.

Chapter 21. Compiler and Tools

LVM2 detection on FCoE storage and mounting of file systems specified in `/etc/fstab` on FCoE storage can fail

The fcoe init scripts cannot determine what devices can be assigned through the FCoE storage fabric, and therefore whether the startup process needs to wait for device discovery. Consequently, logical volume (LVM2) detection on FCoE attached storage and mounting of file systems specified in /etc/fstab on FCoE storage can fail during system startup due to an incomplete FCoE device discovery.

To work around this problem, use /dev/disk/by-path/fc-* symbolic links as the specified block special device in /etc/fstab along with the _netdev mount option. The fcoe init script waits longer for the specified devices to attach.

Sometimes, Fibre Channel by-path symbolic links are not a suitable option, such as when using LVM2 or mounting by labels. You can, starting with version 1.0.28 of the fcoe-utils packages, use the MINIMUM_WAIT option in the /etc/fcoe/config file in such cases.

The default value of MINIMUM_WAIT is 0. Set the value to the number of seconds you want the fcoe init script to delay allowing device discovery to complete. Using MINIMUM_WAIT adds time to the system boot process, but could be necessary to allow block devices to be present before LVM2 and file system mounting scripts are run. (BZ#980961)

Chapter 22. Desktop

Using Radeon or Nouveau can cause incorrectly rendered graphics

A bug in the Xorg server can, under rare circumstances, cause graphics to be rendered incorrectly if using the Radeon or Nouveau graphics device driver. For example, the Thunderbird message pane can be displayed incorrectly.

For Nouveau, as a workaround, add the WrappedFB option to the xorg.conf file as follows:

Section "Device"
Identifier "nouveau-device"
Driver "nouveau"
Option "WrappedFB" "true"
EndSection

This workaround avoids the faulty logic in the X server, and the Thunderbird message pane will be displayed correctly. (BZ#1076595)

Chapter 23. Installation and Booting

BFS installation fails on VV when automatic LVM partitioning is selected

When attempting installation using Boot From SAN (BFS) with an HP StoreServ 3PAR Storage Volume (VV), the installation fails during disk partitioning and LVM volume group activation with the message:

Volume group "VolGroup" has insufficient free space.

The failure is seen across all StoreServ volume types (Std VV, TPVV, TDVV). To work around this problem, if using LVM, select the Custom Partition Layout option and reduce the swap and /home partition size by 1-2 GB. If not using LVM, Select the Standard Partition option. (BZ#1190264)

Using the `--nocore` option in the `%packages` section of a kickstart file may result in a broken system

If the --nocore option is used in the %packages section of a kickstart file, core system packages and libraries will not be installed, which may result in the system being unable to perform essential tasks such as user creation, and may render the system unusable. To avoid this problem, do not use --nocore. (BZ#1191897)

The zipl boot loader requires target information in each section

When calling the zipl tool manually from a command line using a section name as a parameter, the tool was previously using the target defined in the default section of the /etc/zipl.conf file. In the current version of zipl the default sections' target is not being used automatically, resulting in an error.

To work around the problem, manually edit the /etc/zipl.conf configuration file and copy the line starting with target= from the default section to every section. (BZ#1203627)

The installer displays the number of multipath devices and number of multipath devices selected incorrectly

Multipath devices are configured properly, but the installer displays the number of devices and number of selected devices incorrectly. There is no known workaround at this point. (BZ#914637)

The installer displays the amount of disk space within multipath devices incorrectly

Multipath devices are configured properly, but the installer displays disk space and number of devices incorrectly. There is no known workaround at this point. (BZ#1014425)

Chapter 24. Kernel

e1000e cards might not get an IPv4 address

Some e1000e network interface cards (NICs) might fail to get an IPv4 address assigned after the system is rebooted. To work around this problem, add the following line to the /etc/sysconfig/network-scripts/ifcfg-<interface> file:

LINKDELAY=10

(BZ#822725)

System freeze when loading Intel Skylake integrated graphics cards

On systems with Intel Skylake integrated graphics cards present, the system can freeze during the initial boot process when it starts to load the video driver. This known issue is caused by a race condition in version 2.6.32 of the kernel firmware loader.

As a workaround, if using the installer CD, try installing with the basic video driver. Otherwise, add the nomodeset parameter to the kernel command line, which instructs the kernel to not load Intel Skylake integrated graphics driver and use BIOS modes instead. (BZ#1309875)

ecb fails when dracut is not upgraded

When upgrading only the kernel rpm from Red Hat Enterprise Linux 6.7 to version 6.8, it is necessary to also upgrade the dracut package to the latest version, that is dracut-004-409.el6.rpm, to enable the ecb module to work.

The ecb kernel module is needed by the drbg kernel module when using the AES implementation on non-x86 architectures. Otherwise, the drbg AES implementation fails with a warning message while other drbg modules still work. (BZ#1315832)

kernel panic in xfrm6 stack

During an overload and when Ethernet Flow Control is disabled, if IPSec policy is configured for the IPv6 protocol, sending UDP datagrams over the IPv6 protocol can lead to a kernel panic.

So far, there is no workaround or fix available. (BZ#1327680)

Intel Xeon v5 causes GPU to hang

On GT3 and GT4 architectures, Intel Xeon v5 integrated graphics can experience problems with GPU lock-up, leading to GPU hang.

As a workaround, add the i915.enable_rc6=0 option to the kernel command line to disable the RC6 power saving state on Intel Xeon v5. (BZ#1323945)

Chapter 25. Networking

The `keyingtries` libreswan option set to `0` is mistakenly interpreted as `1`

The default value of keyingtries is 0 which means 'retry forever'. Due to this bug, if a temporary problem occurs during an active negotiation, the connection will not be attempted more than once.

To work around this problem, set the keyingtries option to a sufficiently large number. (BZ#1289498)

Chapter 26. Storage

Change in behavior of `lvchange --zero n`

When the lvchange --zero n command is run against an active thin pool, the change will not take effect until the next time the pool is deactivated. In previous releases it took effect immediately, and this behavior will be reinstated in a future release. (BZ#1328245)

Chapter 27. System and Subscription Management

Some Italian text is missing from subscription-manager

Due to some missing translations in the subscription-manager tool, when using subscription-manager in Italian, some messages will appear in English. (BZ#1318404)

ReaR supports only grub during system recovery

ReaR supports only the grub boot loader. Consequently, ReaR cannot automatically recover a system with a different boot loader. Notably, yaboot is not yet supported by ReaR on ⁠PowerPC machines. To work around this problem, edit the boot loader manually. (BZ#1313874)

ReaR works only on the eth0 interface

ReaR produces a rescue system that does not support mounting an NFS server using an interface other than eth0. Consequently, the backup files cannot be downloaded and the system cannot be restored. To work around this problem, ensure that the used interface is eth0 by restarting dhclient. (BZ#1313417)

ReaR fails to create an ISO on IBM System z

ReaR is unable to create an ISO image on IBM System z systems. To work around this problem, use a different type of rescue system than ISO. (BZ#1309597)

ReaR creates two ISO images instead of one

In ReaR, the OUTPUT_URL directive enables specifying location for the ISO image containing the rescue system. Currently, with this directive set, ReaR creates two copies of the ISO image: one in the specified directory and one in the /var/lib/rear/output/ default directory. This requires additional space for the image. This is especially important if a full-system backup is included into the ISO image (using the BACKUP=NETFS and BACKUP_URL=iso:///backup/ configuration).

To work around this behavior, delete the extra ISO image once ReaR has finished working or, to avoid having a period of time with double storage consumption, create the image in the default directory and then move it to the desired location manually.

There is a request for enhancement to change this behavior and make ReaR create only one copy of the ISO image. (BZ#1320551)

Chapter 28. Virtualization

Limited CPU support for Windows 10 and Windows Server 2016 guests

On a Red Hat Enterprise 6 host, Windows 10 and Windows Server 2016 guests can only be created when using the following CPU models:

the Intel Xeon E series
the Intel Xeon E7 family
Intel Xeon v2, v3, and v4
Opteron G2, G3, G4, G5, and G6

For these CPU models, also make sure to set the CPU model of the guest to match the CPU model detected by running the virsh capabilities command on the host. Using the application default or hypervisor default prevents the guests from booting properly.

To be able to use Windows 10 guests on Legacy Intel Core 2 processors (also known as Penryn) or Intel Xeon 55xx and 75xx processor families (also known as Nehalem), add the following flag to the Domain XML file, with either Penryn or Nehalem as MODELNAME:

<cpu mode='custom' match='exact'>
<model>MODELNAME</model>
<feature name='erms' policy='require'/>
</cpu>

Other CPU models are not supported, and both Windows 10 guests and Windows Server 2016 guests created on them are likely to become unresponsive during the boot process. (BZ#1252134)

Resizing VHDX files can take a very long time

When an ext3 file system is being used in the guest, resizing very large Microsoft Hyper-V virtual hard disk (VHDX) devices in some cases causes the VHDX file to grow to an excessive size, and thus takes significantly longer than intended. To work around this problem, use ext4 or xfs file systems, or set the following custom parameters when creating VHDX files:

VHDX BlockSize = 1MB
flex_bg=4096

These ensure that VHDX files require the expected amount of disk space, which in turn makes file system operations much faster. (BZ#1024137)

Multifunction does not work correctly when hot-plugging virtual PCI devices

Hot-plugging a new function on a virtual PCI device that has the multifunction option enabled does not correctly trigger PCI device initialization. As a consequence, the guest does not recognize the hot-plugged function, and thus cannot use it. To work around this problem, initiate a rescan of the PCI Host Bridge in the guest, for example with the following command:

# echo 1 > /sys/bus/pci/devices/0000\:00\:00.0/rescan

In the above example, replace 0000\:00\:00.0 with the correct bus:device:function combination of the device you wish to rescan.

This forces the guest device drivers to configure newly hot-plugged devices for use, and thus makes the function available. (BZ#1208430)

Soft-rebooted Windows guests cannot detect some of their bootable devices

Under certain circumstances, soft-rebooting a Windows guest (for example by using the Ctrl+Alt+Del keys) causes the guest not to detect some of its bootable devices. To work around this problem, perform a hard reboot of the guest - for example by the Shutdown button in the virt-manager interface, or by the system_reset command in the QEMU monitor console. (BZ#1129549)

Using qemu-img to modify an image that is in use can corrupt the image

Opening a QEMU disk image from multiple processes at the same time, for example by attempting to take a snapshot of a QEMU image while the guest is running, in some cases corrupts the image. To avoid this problem, never use the qemu-img utility to modify images in use by a running virtual machine or any other process. In addition, be aware that querying an image that is being modified by another process may trigger an inconsistent state error. This update also adds an admonition about the mentioned problem to the qemu-img(1) man page. (BZ#1297424)

virtio-win VFD files do not contain Windows 10 drivers

Due to limitations on the floppy device file size, the virtual floppy disk (VFD) files in the virtio-win packages do not contain a Windows 10 folder. If you need to install Windows 10 drivers from a VFD, use the Windows 8 or Windows 8.1 drivers instead. Alternatively, the Windows 10 drivers can be installed from the ISO file in the /usr/share/virtio-win/ directory. (BZ#1315940)

Booting virtual machines with the `fsgsbase` and `smep` flags on older host CPUs fails

The fsgsbase and smep CPU flags are not properly emulated on certain older CPU models, such as the early Intel Xeon E processors. As a consequence, using fsgsbase and smep when booting a Windows guest virtual machine on a host with one of the described CPUs causes the boot to fail. Similarly, using smep when booting a Red Hat Enterprise Linux guest virtual machine on a host with one of the described CPUs causes the boot to fail. To work around this problem, do not use fsgsbase and smep if the CPU does not support them. (BZ#1371765)

Appendix A. Component Versions

This appendix is a list of components and their versions in the Red Hat Enterprise Linux 6.8 release.

Table A.1. Component Versions

Component	Version
Kernel	2.6.32-642
QLogic `qla2xxx` driver	8.07.00.26.06.8-k
QLogic ql2xxx firmware	ql2100-firmware-1.19.38-3.1 ql2200-firmware-2.02.08-3.1 ql23xx-firmware-3.03.27-3.1 ql2400-firmware-7.03.00-1 ql2500-firmware-7.03.00-1
Emulex `lpfc` driver	0:11.0.0.4
iSCSI initiator utils	iscsi-initiator-utils-6.2.0.873-21
DM-Multipath	device-mapper-multipath-0.4.9-93
LVM	lvm2-2.02.143-7

Appendix B. Revision History

Revision History

Revision 0.2-8 Thu Apr 27 2017 Lenka Špačková

Red Hat Access Labs renamed to Red Hat Customer Portal Labs.

Revision 0.2-7 Tue Mar 21 2017 Jiří Herrmann

Updated a Virtualization Known Issue.

Revision 0.2-6 Mon Mar 13 2017 Lenka Špačková

Added a known issue to Authentication and Interoperability.

Revision 0.2-5 Fri Dec 16 2016 Lenka Špačková

Updated the Red Hat Software Collections chapter.

Revision 0.2-4 Thu Oct 27 2016 Lenka Špačková

Added two known issues to General Updates.

Revision 0.2-3 Wed Oct 25 2016 Jiri Herrmann

Added a virtualization known issue (fsgsbase and smep).

Revision 0.2-1 Wed Sep 07 2016 Lenka Špačková

Added an SSSD known issue (Authentication and Interoperability).

Revision 0.2-0 Mon Aug 29 2016 Lenka Špačková

Added two known issues (Installation and Booting).

Revision 0.1-9 Mon Aug 01 2016 Lenka Špačková

Updated a known issue regarding limited CPU support for Windows 10 guests (Virtualization).

Revision 0.1-8 Fri Jul 01 2016 Lenka Špačková

Fixed commands in an SSSD feature.

Revision 0.1-6 Wed Jun 08 2016 Lenka Špačková

Added an SSSD feature (new default values for group names).

Revision 0.1-4 Fri Jun 03 2016 Lenka Špačková

Added Bugzilla numbers to individual descriptions.

Revision 0.1-3 Fri May 27 2016 Lenka Špačková

Added new known issues (SSSD, ReaR).

Revision 0.1-2 Mon May 16 2016 Lenka Špačková

Added a new feature to Clustering (fence agent).

Revision 0.1-1 Thu May 12 2016 Lenka Špačková

Added known issues related to ReaR.

Revision 0.1-0 Tue May 10 2016 Lenka Špačková

Release of the Red Hat Enterprise Linux 6.8 Release Notes.

Revision 0.0-5 Tue Mar 15 2016 Lenka Špačková

Release of the Red Hat Enterprise Linux 6.8 Beta Release Notes.

Legal Notice

This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Language and Page Formatting Options

Red Hat Training

6.8 Release Notes

Release Notes for Red Hat Enterprise Linux 6.8

Red Hat Customer Content Services

Preface

Chapter 1. Overview

Security

Authentication and Interoperability

System and Subscription Management

Storage

File Systems

Deploy Anywhere

Red Hat Insights

Red Hat Customer Portal Labs

Part I. New Features

Chapter 2. General Updates

Cross channel package dependency improvements

Packages moved to the Optional Channel

Chapter 3. Authentication and Interoperability

SSSD smart card support

Cache authentication in SSSD

The ou=sudoers,$DC part of the IdM server compatibility plug-in tree can now be disabled for better performance

SSSD enables UID and GID mapping on individual clients

Caching for initgroups operations

New packages: adcli

SSSD is now able to automatically renew the host credentials of Linux clients joined to AD

SSSD can now automatically adjust ID ranges for AD clients in environments with large RIDs

SSSD now supports GPOs from different domain controllers

Support for SSLv2 has been disabled

OpenLDAP now supports TLSv1.2

nss now supports ECDSA certificates

New SSSD default values for group names

Chapter 4. Clustering

New Pacemaker features

Graceful migration of resources when the pacemaker_remote service is stopped on an active Pacemaker Remote node

Support for SBD fencing with Pacemaker

The glocktop tool has been added to gfs2-utils

pcs now supports exporting a cluster configuration to a list of pcs commands

Fence agent for APC now supports firmware 6.x

Chapter 5. Compiler and Tools

dmidecode now supports SMBIOS 3.0.0

mcelog now supports additional Intel processors

python-linux-procfs rebased to version 0.4.9

trace-cmd rebased to version 2.2.4

tcsh now supports $anyerror and $tcsh_posix_status

OpenJDK 8 now supports ECC

RC4 is now disabled by default in OpenJDK 6 and OpenJDK 7

rhino rebased to version 1.7R4

pcp rebased to version 3.10.9

openmpi rebased to version 1.10.2

Changes in Open MPI distribution

Omping is now fully supported

elfutils rebased to version 0.164

glibc now supports BIG5-HKSCS-2008

Human-readable installed-rpms

OProfile now supports 6th Generation Intel Core processors

OProfile updated to recognize the Intel Xeon Processor D-1500 product family

SystemTap rebased to version 2.9

powerpc-utils rebased to version 1.3.0

ipmitool rebased to version 1.8.15

memtest86+ rebased to version 5.01

New package: java-1.8.0-ibm

New option for arpwatch: -p

Chapter 6. Desktop

LibreOffice rebased to version 4.3.7.2

mesa now supports additional Intel 3D graphics

New Vinagre features

vmwgfx now supports 3D operations under VMware Workstation 10

x3270 rebased to version 3.3.15

icedtea-web rebased to version 1.6.2

Chapter 7. Directory Server in Red Hat Enterprise Linux

About Directory Server for Red Hat Enterprise Linux

Improved performance when deleting large quantities of multi-valued attributes

Chapter 8. File Systems

XFS runtime statistics are available per file system in the /sys/fs/ directory

XFS supported file-system size has been increased

The use_hostname_for_mounts autofs option is now available

Chapter 9. Hardware Enablement

Support for Sealevel model 2803 ROHS converters from USB to serial media

Packages moved to the `Optional` Channel

Caching for `initgroups` operations

Graceful migration of resources when the `pacemaker_remote` service is stopped on an active Pacemaker Remote node

The `glocktop` tool has been added to gfs2-utils

`pcs` now supports exporting a cluster configuration to a list of `pcs` commands

`tcsh` now supports `$anyerror` and `$tcsh_posix_status`

`glibc` now supports BIG5-HKSCS-2008

`SystemTap` rebased to version 2.9

New option for arpwatch: `-p`

`vmwgfx` now supports 3D operations under VMware Workstation 10

XFS runtime statistics are available per file system in the `/sys/fs/` directory

The `use_hostname_for_mounts` `autofs` option is now available

Increased debug logging for `NetworkManager`

`wpa_supplicant` can now send logs into the syslog

`nm-connection-editor` now allows a higher range of VLAN ids

`NetworkManager` supports locking Wi-Fi network connections to a specific radio frequency band

`NetworkManager` now supports iBFT