Edition 2
/etc/modprobe.d/dist-nfsv41.conf file with the following line and reboot the system:
alias nfs-layouttype4-1 nfs_layout_nfsv41_files
-o minorversion=1 mount option is specified, and the server is pNFS-enabled, the pNFS client code is automatically enabled.
fsfreeze(8) man page.
O_DIRECT I/O. These applications may use the raw block device, or the XFS file system in O_DIRECT mode. (XFS is the only file system that does not fall back to buffered I/O when doing certain allocation operations.) Only applications designed for use with O_DIRECT I/O and DIF/DIX hardware should enable this feature.
/etc/cluster.conf configuration file to be used by pacemaker, rgmanager must be disabled. The risk of not doing this is high; after a successful conversion, it would be possible to start rgmanager and pacemaker on the same host, managing the same resources.
<rm disabled="1"> flag in /etc/cluster.conf.
<rm disabled="1"> flag appears in /etc/cluster.conf during a reconfiguration.
be2net driver is considered a Technology Preview in Red Hat Enterprise Linux 6.
dcbtool(8) and targetadmin(8) man pages.
audit subsystem in the Linux 2.6 kernel. Within the audispd-plugins subpackage is a utility that allows for the transmission of audit events to a remote aggregating machine. This remote audit logging application, audisp-remote, is considered a Technology Preview in Red Hat Enterprise Linux 6.
fence_ipmilan agent. This new Technology Preview is used to force a kernel dump of a host if the host is configured to do so. Note that this feature is not a substitute for the off operation in a production cluster.
fsck) or replay journal entries, which is similar to booting after pulling the power cord.
anaconda component, BZ#676025
Skip Boot Loader Configuration during the installation process. Boot loader configuration will need to be completed manually after installation. This problem does not affect users running Anaconda in the graphical mode (graphical mode also includes VNC connectivity mode).
anaconda component
anaconda component
/boot volume on an encrypted volume.
anaconda component
sdc instead of sda).
kernel component
install system with basic video driver installation option. A future Red Hat Enterprise Linux 6.2.z Extended Update Support update will remove this requirement.
kernel component
em1 is used instead of eth0 on new Dell machines). However, the previously used network interface names are preserved on the system and the upgraded system will still use the previously used interfaces. This is not the case for Yum upgrades.
anaconda component
kdump default on feature currently depends on Anaconda to insert the crashkernel= parameter to the kernel parameter list in the boot loader's configuration file.
firstaidkit component
anaconda component, BZ#623261
clearpart --initlabel kickstart command. Adding the --all switch, as in clearpart --initlabel --all, ensures disks are cleared correctly.
squashfs-tools component
attempt to access beyond end of device loop0: rw=0, want=248626, limit=248624
sys.log. These errors do not prevent installation and only occur during the initial setup. The file system created by the installer will function correctly.
anaconda component
yaboot component, BZ#613929
anaconda component
system-config-kickstart component
dracut component
/etc/fcoe/ using biosdevname (new style interface naming scheme) for all the available Ethernet interfaces for FCoE BFS. However, it does not add the ifname kernel command line for the FCoE interface that stays offline after discovering FCoE targets during installation. Because of this, during subsequent reboots, the system tries to find the old style ethX interface name in the /etc/fcoe directory, which does not match the file created by Anaconda using biosdevname. Therefore, due to the missing FCoE configuration file, an FCoE interface is never created on the Ethernet interface.
ifname=<biosdevname_interface_name>:<mac_address>
subscription manager component
cpuspeed component, BZ#626893
/proc/cpuinfo or /sys/device/system/cpu/*/cpufreq. This is due to the firmware manipulating the CPU frequency without providing any notification to the operating system. To avoid this, ensure that the HP Power Regulator option in the BIOS is set to OS Control. An alternative available on more recent systems is to set Collaborative Power Control to Enabled.
releng component, BZ#644778
releng component
grub component, BZ#695951
BOOTX64 rather than bootx64 to boot the installer due to case sensitivity issues.
grub component, BZ#698708
parted component
PackageKit component
ovirt-node component, BZ#747102
kernel component
libvirtd service, which enables IP forwarding. The service causes a driver reset on both Ethernet ports, which causes a loss of all paths to an OS disk. Under this condition, the system cannot load firmware files from the OS disk to initialize Ethernet ports, eventually never recovers paths to the OS disk, and fails to boot from SAN. To work around this issue, add the bnx2x.disable_tpa=1 option to the kernel command line of the GRUB menu, or do not install virtualization related software and manually enable IP forwarding when needed.
kernel component
nosmep kernel command line option.
vdsm component
/root/.ssh directory is missing from a host when it is added to a Red Hat Enterprise Virtualization Manager data center, the directory is created with a wrong SELinux context, and SSH'ing into the host is denied. To work around this issue, manually create the /root/.ssh directory with the correct SELinux context:
~]# mkdir /root/.ssh
~]# chmod 0700 /root/.ssh
~]# restorecon /root/.ssh
vdsm component
libvirt component
/etc/libvirt/qemu.conf file, set the relaxed_acs_check = 1 parameter, and restart libvirtd (service libvirtd restart). Note that this action will re-open possible security issues.
virtio-win component, BZ#615928
libvirt component, BZ#622649
service libvirt reload command to restore libvirt's additional iptables rules.
virtio-win component, BZ#612801
qemu-kvm component, BZ#720597
qemu-kvm component, BZ#612788
virt-v2v component
/etc/virt-v2v.conf and /var/lib/virt-v2v/virt-v2v.db. The former now contains only local customizations, whereas the latter contains generic configuration which is not intended to be customized. Prior to Red Hat Enterprise Linux 6.2, virt-v2v's -f flag defaulted to /etc/virt-v2v.conf. In Red Hat Enterprise Linux 6.2, it now defaults to both /etc/virt-v2v.conf and /var/lib/virt-v2v/virt-v2v.db. Data from both of these files is required during conversion.
/etc/virt-v2v.conf will not be updated. If a user explicitly specifies -f /etc/virt-v2v.conf on the command line, the behavior will be identical to the one prior to update. If the user does not specify the -f command line option, the configuration will use both /etc/virt-v2v.conf and /var/lib/virt-v2v/virt-v2v.db, with the former taking precedence.
/etc/virt-v2v.conf. If the user explicitly specifies -f /etc/virt-v2v.conf on the command line, virt-v2v will not be able to enable virtio support for any guests.
-f command line option, as this defaults to using both configuration files. If the -f command line option is used, it must be specified twice: first for /etc/virt-v2v.conf and second for /var/lib/virt-v2v/virt-v2v.conf.
/etc/virt-v2v.conf file must contain a combined configuration file. This can be copied from a Red Hat Enterprise Linux 6.1 system, or created by copying all configuration elements from /var/lib/virt-v2v/virt-v2v.db to /etc/virt-v2v.conf.
virt-v2v component, BZ#618091
virt-v2v component, BZ#678232
spice-client component
device-mapper-multipath component
queue_without_daemon yes default option queues I/O even though all iSCSI links have been disconnected when the system is shut down, which causes LVM to become unresponsive when scanning all block devices. As a result, the system cannot be shut down. To work around this issue, add the following line into the defaults section of /etc/multipath.conf:
queue_without_daemon no
initscripts component
/boot partitions by setting the sixth value of a /boot entry in /etc/fstab to 0.
iscsi-initiator-utils component, BZ#739843
iscsiadm -m iface has never been executed. This is due to the iscsiadm -m discovery command not checking interface settings while the iscsiadm -m iface does. To work around this issue, run the iscsiadm -m iface command at least once after installing the iscsi-initiator-utils package. Once the interface setting is updated, discoveries are performed with no errors.
vdsm component
kernel component, BZ#606260
lvm2 component
lvm2 component
pvmove command cannot currently be used to move mirror devices. However, it is possible to move mirror devices by issuing a sequence of two commands. For mirror images, add a new image on the destination PV and then remove the mirror image on the source PV:
~]$ lvconvert -m +1 <vg/lv> <new PV>
~]$ lvconvert -m -1 <vg/lv> <old PV>
~]$ lvconvert --mirrorlog core <vg/lv>
~]$ lvconvert --mirrorlog disk <vg/lv> <new PV>
~]$ lvconvert --mirrorlog mirrored <vg/lv> <new PV>
~]$ lvconvert --mirrorlog disk <vg/lv> <old PV>
lvm2 component
NetworkManager component
/etc/dhclient.conf file or, if using per-interface DHCP options, the /etc/dhclient-<ifname>.conf file:
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
option ms-classless-static-routes code 249 = array of unsigned integer 8;
also request rfc3442-classless-static-routes;
also request ms-classless-static-routes;
iprutils component
iprconfig command fails.
iprconfig command results in a failure as well.
corosync component, BZ#722469
luci component, BZ#615898
luci will not function with Red Hat Enterprise Linux 5 clusters unless each cluster node has ricci version 0.12.2-14
ipa-server-install command should add a record to the static hostname lookup table in /etc/hosts and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts when an IP address is passed as a CLI option and not interactively. Consequently, Identity Management installation fails because integrated services that are being configured expect the Identity Management server hostname to be resolvable. To work around this issue, complete one of the following:
ipa-server-install without the --ip-address option and pass the IP address interactively.
/etc/hosts before the installation is started. The record should contain the Identity Management server IP address and its full hostname (the hosts(5) man page specifies the record format).
sssd component, BZ#750922
libldb. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the \, character sequence. The most likely example of this is for an invalid memberUID entry to appear in an LDAP group of the form:
memberUID: user1,user2
memberUID is a multi-valued attribute and should not have multiple users in the same attribute.
(Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
/var/lib/sss/db/cache_<DOMAIN>.ldb file and restart SSSD.
/var/lib/sss/db/cache_<DOMAIN>.ldb file
/var/lib/sss/db/cache_<DOMAIN>.ldb file purges the cache of all entries (including cached credentials).
sssd component, BZ#751314
memberUID values, SSSD fails to sanitize the values properly. The memberUID value should only contain one username. As a result, SSSD creates incorrect users, using the broken memberUID values as their usernames. This, for example, causes problems during cache indexing.
6ComputeNode subscription.
sssd component, BZ#741264
[domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file:
ldap_referrals = false
kernel component
bnx2i and bnx2fc Broadcom drivers in Red Hat Enterprise Linux 6.2 remain a Technology Preview until further notice.
kexec-tools component
UUID/LABEL resolving is not functional. Avoid using the UUID/LABEL syntax when dumping core to Btrfs file systems.
kexec-tools component, BZ#600575
kdump.conf.
trace-cmd component
trace-cmd service does start on 64-bit PowerPC and IBM System z systems because the sys_enter and sys_exit events do not get enabled on the aforementioned systems.
trace-cmd component
report, does not work on IBM System z systems. This is due to the fact that the CONFIG_FTRACE_SYSCALLS parameter is not set on IBM System z systems.
tuned component
intel_idle.max_cstate=0 parameter, or at run time by using the cpu_dma_latency pm_qos interface.
libfprint component
~]$ lsusb -v -d 147e:2016 | grep bcdDevice
kernel component
lpfc) does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from version 5.4. Future Red Hat Enterprise Linux 6 releases may include DH-CHAP authentication.
kernel component
mpt2sas driver is "Phase 5 firmware" (that is, with version number in the form 05.xx.xx.xx). Note that following this recommendation is especially important on complex SAS configurations involving multiple SAS expanders.
kernel component
qla4xxx device, upgrading from Red Hat Enterprise Linux 6.1 to Red Hat Enterprise Linux 6.2 will cause the system to fail to boot up with the new kernel. There are various ways to work around this issue:
qla4xxx device firmware to manage discovering and logging in to iSCSI targets.
qla4xxx device:
~]# echo "options qla4xxx ql4xdisablesysfsboot=1" >> /etc/modprobe.d/qla4xxx.conf
~]# yum -y reinstall kernel
qla4xxx device firmware to manage discovering and logging in to iSCSI targets.
qla4xxx device:
~]# echo "options qla4xxx ql4xdisablesysfsboot=1" >> /etc/modprobe.d/qla4xxx.conf
qla4xxx discovery and login process.
~]# yum install -y dracut-network iscsi-initiator-utils
~]# yum -y reinstall kernel
iscsi_firmware kernel option into GRUB's configuration: /boot/grub/menu.lst (for LILO, the Linux Loader, modify the /etc/lilo.conf file).
qla4xxx discovery and login process.
~]# yum install -y dracut-network iscsi-initiator-utils
iscsi_firmware kernel option into GRUB's configuration: /boot/grub/menu.lst (for LILO, the Linux Loader, modify the /etc/lilo.conf file).
kernel component, BZ#679262
/proc/kallsyms and /proc/modules show all zeros when accessed by a non-root user.
kernel component
kernel component
nomce kernel boot option, which disables machine check error reporting, or the mce=ignore_ce kernel boot option, which disables correctable machine check error reporting.
kernel component
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
…
kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
pci=bfsort parameter to the kernel command line, and check again.
kernel component
be2iscsi driver results in kernel panic. To work around this issue, disable CHAP on the iSCSI target.
kernel component
tg3 driver normally handles. As a result, some of the routines that operate on the VPD blocks may fail. For example, the nvram test fails when running the ethtool -t command on BCM5719 and BCM5720 Ethernet Controllers.
kernel component
ethtool -t command on BCM5720 Ethernet controllers causes a loopback test failure because the tg3 driver does not wait long enough for a link.
kernel component
tg3 driver in Red Hat Enterprise Linux 6.2 does not include support for Jumbo frames and TSO (TCP Segmentation Offloading) on BCM5719 Ethernet controllers. As a result, the following error message is returned when attempting to configure, for example, Jumbo frames:
SIOCSIFMTU: Invalid argument
kernel component
lpfc_use_msi module parameter (in /sys/class/scsi_host/host#/lpfc_use_msi) being set to 2 by default, instead of the previous 0.
lpfc module parameter, lpfc_use_msi, to 0:
lpfc adapter may fail with mailbox errors. As a result, the lpfc adapter is not configured on the system. The following messages appear in /var/log/messages:
lpfc 0000:04:08.0: 0:0:0443 Adapter failed to set maximum DMA length mbxStatus x0
lpfc 0000:04:08.0: 0:0446 Adapter failed to init (255), mbxCmd x9 CFG_RING, mbxStatus x0, ring 0
lpfc 0000:04:08.0: 0:1477 Failed to set up hba
ACPI: PCI interrupt for device 0000:04:08.0 disabled
lpfc adapter is operating, it may fail with mailbox errors, resulting in the inability to access certain devices. The following messages appear in /var/log/messages:
lpfc 0000:0d:00.0: 0:0310 Mailbox command x5 timeout Data: x0 x700 xffff81039ddd0a00
lpfc 0000:0d:00.0: 0:0345 Resetting board due to mailbox timeout
lpfc 0000:0d:00.0: 0:(0):2530 Mailbox command x23 cannot issue Data: xd00 x2
lpfc adapter. The system BIOS logs the following messages:
Installing Emulex BIOS ......
Bringing the Link up, Please wait...
Bringing the Link up, Please wait...
kernel component
netxen_nic is 4.0.550. This includes the boot firmware which is flashed in option ROM on the adapter itself.
kernel component
kernel component
kernel component, BZ#683012
vmcore. As a result, the second kernel is not loaded, and the system becomes unresponsive.
kernel component
edac modules in a loop on certain HP systems may cause kernel panic.
kernel component
multipathd is started, I/O errors occur. To work around this issue, use one of the following kernel command line parameters which are consumed by dracut:
rdloaddriver=scsi_dh_emc
rdloaddriver=scsi_dh_rdac
rdloaddriver=scsi_dh_emc,scsi_dh_rdac
scsi_dh module to load before multipath is started.
kernel component
vmcore through the network using the Intel 82575EB ethernet device in a 32 bit environment causes the networking driver to not function properly in the kdump kernel, and prevents the vmcore from being captured.
kernel component, BZ#701857
kernel component
NMI: IOCK error (debug interrupt?)
hpsa module in a configuration file such as /etc/modules.d/blacklist.conf, and specifying the disk_timeout option so that saving the vmcore over the network is possible.
kernel component
#!/bin/sh
# Disable hyper-threading processor cores on suspend and hibernate, re-enable
# on resume.
# This file goes into /etc/pm/sleep.d/
case $1 in
    hibernate|suspend)
        echo 0 > /sys/devices/system/cpu/cpu1/online
        echo 0 > /sys/devices/system/cpu/cpu3/online
        ;;
    thaw|resume)
        echo 1 > /sys/devices/system/cpu/cpu1/online
        echo 1 > /sys/devices/system/cpu/cpu3/online
        ;;
esac
kernel component
nmi_watchdog registers with the perf subsystem. Consequently, during boot, the perf subsystem grabs control of the performance counter registers, blocking OProfile from working. To resolve this, either boot with the nmi_watchdog=0 kernel parameter set, or run the following command to disable it at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
nmi-watchdog, use the following command:
echo 1 > /proc/sys/kernel/nmi_watchdog
kernel component, BZ#603911
BUG: NMI Watchdog detected LOCKUP and have either ftrace_modify_code or ipi_handler in the backtrace. To work around this issue, disable NMI watchdog by setting the nmi_watchdog=0 kernel parameter, or using the following command at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
kernel component
vmcore via NFS. To work around this issue, utilize other kdump facilities, for example dumping to the local file system, or dumping over SSH.
kernel component, BZ#587909
kernel component
nmi_watchdog=2 or nmi_watchdog=lapic parameters. The parameter nmi_watchdog=1 is not supported.
kernel component
pci=noioapicquirk, is required when installing the 32-bit variant of Red Hat Enterprise Linux 6 on HP xw9300 workstations. Note that the parameter change is not required when installing the 64-bit variant.
PackageKit component
~]# rpm --import <file_containing_the_public_key>
gnome-power-manager component, BZ#748704
Session active, not inhibited, screen idle. If you see this test, your display server is broken and you should notify your distributor. Please see http://blogs.gnome.org/hughsie/2009/08/17/gnome-power-manager-and-blanking-removal-of-bodges/ for more information.
acroread component
kernel component, BZ#681257
fprintd component
evolution component
anaconda component
xorg-x11-server component, BZ#623169
Test::Inter module provides a framework for writing interactive test scripts in Perl. It is inspired by the Test::More framework.
0x40 into a character in order to display a non-printing character but did not do so when processing a multibyte character. As a result, the readelf utility did not display a multibyte character in the ELF header correctly. The code has been corrected and readelf no longer displays garbled characters when processing multibyte, or non-ASCII, characters.
binutils --build-id command. This update removes that patch.
ifunc(), whose value can be determined at load time, allows for architecture dependent optimization. Prior to this update, the OS/ABI preprocessor macro was erroneously set to UNIX - Linux instead of UNIX - System V in an ELF header by a dynamic executable which used ifunc(). This update applies a backported patch which corrects the code and the error no longer occurs.
strip command, which is run as part of the RPM build process, did not copy the EI_OSABI value in the ELF file header properly; it set the value to zero. Consequently, if the EI_OSABI field of the debug file had a value of 3 (ABI tag for GNU/Linux), in the stripped file it was erroneously set to 0 (UNIX - System V). This update corrects the problem and strip now leaves the field intact.
-ldl in the list of compiler options caused unexpected behavior when compiling C++ code. If -ldl was not placed at the end of the parameter list, the GNU C Compiler (GCC) failed with an error in the format:
libtest.a(some_object_file.o): undefined reference to `.dlerror'
-mcmodel=small -mno-minimal-toc as options, the GNU linker (ld) erroneously decided that if a section did not make use of the TOC it could belong to any TOC group. Consequently, when a local function call was made from one section of code to another section in the same object file, due to the two sections being assigned to different TOC groups, a failure occurred and an error message in the following format was logged:
libbackend.a(cse.o)(.text.unlikely+0x60): sibling call optimization to `.opd' does not allow automatic multiple TOCs; recompile with -mminimal-toc or -fno-optimize-sibling-calls, or make `.opd' extern
-mcmodel=small -mno-minimal-toc. Therefore code should be recompiled by running these commands again after applying the update.
l setup_arch to determine the target architecture, the following error was displayed:
No line number known for setup_arch
multipath -ll command returned output indicating that no paths to the device were available with confusing "failed faulty running" rows presenting the missing paths. Multipath devices now reload tables with no device paths correctly.
multipath.conf without setting the fast_io_fail_tmo value, the multipathd daemon did not notify the user that fast_io_fail_tmo was not set. Multipath now issues a warning that fast_io_fail_tmo is not set under such circumstances.
manual, multipath could keep alternating from the failover pathgroup to the primary pathgroup infinitely. This happened because multipath was incorrectly failing back to the primary pathgroup whenever a path priority changed. With this update, multipath no longer fails back to the primary pathgroup when a path's priority changes under such circumstances.
multipathd did not abort the path check and terminated unexpectedly when trying to access the multipath device information. The Multipath daemon now aborts any path checks when the multipath device is removed and the problem no longer occurs.
defaults multipaths devices sections of the multipath.conf man page has been improved to provide a better clarification.
rr_min_io_rq option has been added to the default, devices, and multipaths sections of the multipath.conf file. This option defines the number of I/O requests to route to a path before switching to the next path in the current path group. Note that the rr_min_io option is no longer used.
/etc/multipath.conf for a multipath device are ignored. These access permissions are now set with the udev rules.
malloc() function could enter a deadlock while creating an error message string. As a result, the process could become unresponsive. With this update, the process uses the mmap() function to allocate memory for the error message instead of the malloc() function. The malloc() deadlock therefore no longer occurs and the process with a corrupted heap now aborts gracefully.
strncmp() function, which compares characters of two strings, optimized for IBM POWER4 and POWER7 architectures could return incorrect data. This happened because the function accessed the data past the zero byte (\0) of the string under certain circumstances. With this update, the function has been modified to access the string data only until the zero byte and returns correct data.
crypt() function could cause a memory leak if used with a more complex salt. The leak arose when the underlying NSS library attempted to call the dlopen() function from libnspr4.so with the RTLD_NOLOAD flag. With this update, the dlopen() with the RTLD_NOLOAD flag has been fixed and the memory leak no longer occurs.
nscd daemon logged the following error into the log file if SELinux was active:
rhel61 nscd: Can't send to audit system: USER_AVC avc: netlink poll: error 4#012: exe="?" sauid=28 hostname=? addr=? terminal=?
This happened because glibc failed to preserve the respective capabilities on UID change in the AVC thread. With this update, the AVC thread preserves the respective capabilities after the nscd startup.
nscd daemon cached an error, which did not signal that the problem was only transient, and the request failed. With this update, the daemon caches a value signaling that the unavailability is temporary and retries to obtain new data after a set time limit.
getpwuid() function failed to resolve UIDs to user names when using the passwd utility in the compat mode with a big netgroup. This occurred because glibc was compiled without the -DUSE_BINDINGDIR=1 option. With this update, glibc has been compiled correctly and the getpwuid() function works as expected.
/etc/passwd. This happened when the nss_compat mode was set as the mode was primarily intended for use with NIS. With this update, getpwent returns LDAP netgroup users even if the users have no NIS domain defined.
libresolv library is now compiled with the stack protector enabled.
setgroups function after creating threads, glibc did not cross-thread signal and supplementary group IDs were set only for the calling thread. With this update, the cross-thread signaling in the function has been introduced and supplementary group IDs are set on all involved threads as expected.
setlocale() function could fail. This happened because parameter values were parsed in the set locale. With this update, the parsing is locale-independent.
gethostbyname() function terminated because of division by zero. This happened because the getpagesize() function required the dl_pagesize field in the dynamic linker's read-only state to be set. However, the field was not initialized when a statically linked binary loaded the dynamic linker. With this update, the getpagesize() function no longer requires a non-zero value in the dl_pagesize field and falls back to querying the value through the syscall() function if the field value is not set.
strlen() function for the AMD FX processors.
statvfs output received from kernel.
IP_MULTICAST_ALL socket option, which provides the ability to turn off IP Multicast multiplexing. This update adds the option to glibc.
expr: non-numeric argument
restorecon utility did not change MLS (multi-level security) levels unless the -F parameter was used. As a consequence, the /dev and /dev/pts filesystems were not correctly labelled after boot in systems with configured MLS policy. This bug has been fixed and the restorecon -F command is now used for /dev and /dev/pts by default.
crashkernel=128M, was specified to reserve crash dump memory, the kexec-disable upstart job unconditionally freed up the memory if the kdump mechanism was not enabled. This action could not be reverted until a reboot. With this update, kexec-disable job has been changed to not free reserved memory, unless the crashkernel parameter is set to auto, thus fixing this bug.
/etc/modprobe.d/bonding.conf file or the modprobe.conf file was used to set the bonding options, the bond0 interface never came up after a service restart because the arp_ip_target module was not restored. This bug has been fixed and arp_ip_target is now restored when configured in one of these files.
rc.sysinit script that allowed to properly set a hostname when more than one IP address was passed to the ipcalc utility. Even though it was difficult to emulate such a scenario, the rc.sysinit script has been fixed to prevent this bug, and ipcalc is now always passed only a single IP address.
ifdown and ifup utilities, the interface lost its IP address. With this update, the network scripts have been fixed to properly read the IPADDR0 parameter in interface configuration files, and now IP addresses of such interfaces are preserved in the described scenario.
/etc/init.d/network script got into a loop and became unresponsive, trying to resolve MAC addresses of the interfaces. As a result, the server was prevented from completing its start-up sequence. With this update, /etc/init.d/network has been fixed, MAC addresses of VLAN interfaces are now resolved properly, and bonds between such interfaces now work as expected.
PREFIX option was specified for the ifcfg utility while the NETMASK option was undefined, the netmask was calculated without regard to the PREFIX value. With this update, the expand_config() function has been fixed to use the PREFIX properly, and the netmask is now calculated correctly in the described scenario.
rc.sysinit script has been fixed to run the /bin/plymouth command instead of /usr/bin/plymouth, thus fixing this bug. Additionally, other relevant scripts have been updated to properly work with the separated /usr/ directory.
/etc/init.d/halt script, no mount point set up with the word nfs in its path could be unmounted at reboot or shut down. This bug has been fixed and such mount points are now unmounted properly.
emergency parameter was appended to the kernel command line, the system failed to invoke the sulogin command. With this update, the rcS-emergency task, which is run before the rc.sysinit script if emergency is passed to the kernel, has been added, and sulogin is now properly invoked in the described scenario.
/etc/sysconfig/network-scripts/ifdown-eth script, the PID file name passed to the dhclient utility during a shutdown procedure did not include the IP version prefix. Consequently, leases for IPv6 addresses could not be released. This bug has been fixed and the shutdown procedure now works properly both with the IPv4 and IPv6 clients.
ifup and ifdown scripts explicitly ignored IPv6 configuration files that contained an alias. With this update, clients properly utilize aliases on IPv6 devices in Red Hat Enterprise Linux.
syslog utility, and the error messages now appear in configured syslog channels.
sysctl utility could only be changed in the /etc/sysctl.conf file. With this update, several scripts have been updated to also recognize additional configuration files located in the /etc/sysctl.d/ directory.
ethtool command options. These options can be set via the ETHTOOL_OPTS parameter in configuration files located in the /etc/sysconfig/network-scripts/ directory and take effect after reboot.
/etc/ethers file, allowing these entries to be loaded early in the system startup.
/var/log/ipaclient-install.log file did not provide enough information to determine the cause of the failure. With this update, the /var/log/ipaclient-install.log file contains improved debugging messages that make it easier to debug a possible installation failure.
ipa-replica-install command. With this update, after an installation of a replica with ipa-replica-install, the ipa service is enabled using the chkconfig utility so that the Identity Management services are started and available after a reboot.
bind service needs to be restarted when a new reverse zone is added over LDAP.
CURLOPT_GSSAPI_DELEGATION curl option. This option enables the credential delegation, thus fixing this bug.
memberOf attribute is rebuilt during installation, thus fixing this issue. Note that the 389 Directory Server (389-ds) may crash if it is restarted while this task is running. Wait for this task to complete before requesting a restart.
script stack space quota is exhausted message and prevent a user from accessing the Web UI. This update splits the Web UI initialization into several smaller calls. Browsers no longer report errors and the Web UI works as expected.
ipa-nis-manage command disabled the NIS listener and also removed the netgroup compatibility suffix. If NIS was disabled, the automatic creation of net groups was disabled as well. Thus, creating a host group would fail to automatically create a net group. With this update, disabling NIS has no effect on the automatic creation of net groups when host groups are created.
memberof LDAP attributes pointing back to the permissions. Thus, a user could get an incorrect list of permissions that were members of a DNS related privilege. With this update, permission objects formatting has been fixed and the missing memberof LDAP attributes in the relevant DNS privileges are properly added. Users now get a valid list of permissions (containing all the needed information) when displaying a DNS related privilege.
migrate-ds command could contain a multi-valued RDN attribute. However, the migrate-ds process picked only the first value of the RDN attribute and did not respect the value that was present in the DN in the migrated LDAP object. With this update, the value that is used in the original LDAP object DN is used, rather than the first value of a multi-valued RDN. As a result, LDAP objects with a multi-valued RDN attribute are migrated without any errors.
ipa-client-install was run with the --password option containing a bulk password for client enrollment, the password could be printed to Identity Management client install log in a plain-text format. This behavior has been fixed, and passwords are no longer logged in the install log file.
/ipa/ui. This makes it look like no other web resources may be used. With this update, during the installation process, the --no-ui-redirect option can be used to disable the default Rewrite rule. This may also be commented out manually in the /etc/httpd/conf.d/ipa-rewrite.conf. As a result, the web server root can point to any specified place. However, /ipa must remain available to Identity Management.
automountkey-del command includes a --continue option which has no function and does not affect anything. With this update, the --continue option has been hidden, and will be deprecated in the next major release.
ipa-getkeytab command failed with Bind errors. If 32-bit packages were used on a 64-bit system, the 32-bit cyrus-sasl-gssapi package was required. This update adds architecture-specific Requires to the RPM spec file, and retrieving of keytabs no longer fails.
cannot concatenate 'str' and 'NoneType' objects
auto.direct mount mounted on /- was ignored because it was considered a duplicate. Consequently, direct maps needed to be added manually. This update adds an exception for the auto.direct map when importing so that its keys can be added, and importing direct maps works as expected.
ipasudorunasgroup_group attribute, making the output unclear. A proper label was added for runAsGroup and the sudo option, which makes the output more understandable.
ipa-replica-install did not ensure that the dbus service was running. Consequently, tracking certificates with certmonger returned an error and the installation failed. With this update, prior to starting certmonger, it is checked whether the dbus-daemon is running.
ipactl use two different methods to determine whether Identity Management is configured. If the Identity Management uninstallation was not complete, ipactl may have claimed that the Identity Management server is not configured while the Identity Management server installer refused to continue because Identity Management was configured. With this update, a common function that checks whether the Identity Management server is configured has been added. During the uninstallation process of the Identity Management server, checks are run that report left-over files so that users can manually resolve these.
sudurole-add-option command did not display a summary after the option was added. With this update, a summary is printed in the form of Added option 'x' to Sudo Rule 'y'.
sudurole-remove-option command did not display a summary after the option was removed. With this update, a summary is printed in the form of Removed option 'x' to Sudo Rule 'y'.
--no-host-dns option without a DNS resolvable host name caused the installation to fail with DNS errors. This update moves the no-host-dns test so that it is tested before any DNS lookups occur, and installations with the --no-host-dns option do not perform any DNS validation.
ipa-getkeytab and ipa-join commands did not operate properly, and the client could not be enrolled to the Identity Management server. As a result, client installations failed every time. With this update, matching client A/PTR DNS records are no longer a requirement for ipa-getkeytab and ipa-join, and client installations succeed even when the aforementioned records do not match.
automountmap or automountkey command returned the following error:
Map: ipa: ERROR: 'automountmapautomountmapname' is required
automountmap, is now returned.
krb5_store_password_if_offline parameter is set to True in the /etc/sssd/sssd.conf by default. Note that the --no-krb5-offline-passwords option of the ipa-client-install command may be used if storing passwords for offline use is not desired.
automountmap or automountkey command returned the following error:
Location: ipa: ERROR: 'automountlocationcn' is required
automountlocation, is now returned.
ipa-client-install command did not configure a hostname in the /etc/sysconfig/network file. Consequently, when the --hostname value was passed to the client installer, that value was used during enrollment. However, the system hostname did not match the name of the machine. With this update, the /etc/sysconfig/network file is updated upon installation and /bin/hostname is executed with the hostname of the machine. The name used in the enrollment process now matches the hostname of the machine.
ipa user-mod --setattr) may have returned a Not Found error. Renaming the actual users was successful, but their user-private groups were not updated. With this update, the 389-ds plugin has been modified so that the ipa_modrdn plugin runs last. This plugin manages renaming of the Kerberos principal name of the user. Renaming a user now also renames the user-private group.
ipa-client-install command always ran /usr/sbin/authconfig to add the pam_krb5.so entry to PAM configuration files in the /etc/pam.d/ directory. However, this entry was not needed when an Identity Management client is installed with SSSD support, which is the default behavior. As a result, an unnecessary record was added to the PAM configuration. With this update, /usr/sbin/authconfig is not run if the Identity Management client is configured with SSSD support.
ipa config-show command). This update adds Password Expiration Notification to the list of attributes shown by default when running the ipa config-show command.
--forwarder or --ip-address options. Consequently, installation could eventually fail, for example because of an invalid name server configuration. With this update, all IP addresses passed to the ipa-server-install, ipa-replica-install and ipa-dns-install commands are checked for validity.
ipa-client-install command detected that the client hostname was not resolvable, it tried to add a DNS record to the Identity Management server. However, it did not expect that the client could have been using an IPv6 machine, and the installation process failed. This update adds a check to make sure that the process for adding a DNS record to the Identity Management server works for both IPv4 and IPv6, and the Identity Management client installation works as expected.
undefined was created. With this update, the service name field is required to be filled in.
allow and deny are accepted as types:
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
deny are not allowed. With this update, the deny type was deprecated because SSSD determined that properly enforcing the deny type was extremely difficult and dependent on how other libraries present host information.
ipa-server-install command did not update the system hostname when it was installed with a custom hostname. It passed the hostname to services using their own configurations. However, some services failed to function properly as they did not expect an Identity Management server to use a custom hostname and not a system hostname. With this update, the system hostname is updated to the value passed via ipa-server-install's --hostname option. The system hostname is also set in the system network configuration in /etc/sysconfig/network so that it is properly set after a system reboot. Refer to Section 2.8, “Authentication” for a known limitation regarding Identity Management server installations with custom hostnames.
null. This update adds better detection of whether the CA 389-ds instance has been installed to identify the current stage of the installation, thus fixing this issue.
ipa-nis-manage command did not return an exit status of 0 when successful. With this update, the underlying source code has been modified to address this issue, and correct exit codes are returned.
has_password, that is set when the host has a password set. If has_password is True, a password has been set on the host. However, there is no way to see what that password is once it has been set.
enrolledBy on the host. Prior to this update, an administrator was able to change this value by using the ipa host-mod --setattr. This action should not be allowed. This update fixes this behavior and write permissions have been removed from the enrolledBy attribute.
nss_ldap is not able to use DNS discovery
ipa-client-install command did not configure /usr/sbin/ntpdate to use correct NTP servers in the /etc/ntp/step-tickers. Additionally, the ipa-client-install did not store the state of the ntpd service before installation. Consequently, when an Identity Management client is installed, ntpdate may have used incorrect servers to synchronize with. When the Identity Management client was uninstalled, the ntpd may have been set to an incorrect state. With this update ipa-client-install configures ntpdate to use the IPA NTP server for synchronization. When an IPA client is uninstalled, both ntpdate configuration and ntpd status are restored.
/etc/krb5.conf file contained values which were not present in the standard configuration file (specifically: ticket_lifetime, renew_lifetime, and forwardable in the [libdefaults] section, and the entire [appdefaults] section). This update removes these unnecessary values and sections.
ipa dnsrecord-del) to the command line application which guides the user through the process of removing the required entries.
ipactl output. With this update, the amount of information displayed in the ipactl output has been reduced. The previously reported data is now available in the 389-ds error log only.
ipa-client-install did not successfully run on a client when a one-time password was set on a host in the Identity Management Web UI. Consequently, clients could not be enrolled using a one-time password if it was set in the Web UI. With this update, the krbLastPwdChange value is no longer set in the host entry when setting a host one-time password, thus fixing this issue.
runAsGroup value from a sudo rule, the command appeared to be successful, but the group information data included in the output was not updated and did not show the proper membership. This update fixes this bug, and data is refreshed before being returned.
runasuser (via ipa sudorule-remove-runasuser) and, consequently, defining a group, the RunAs Group value was not included in the output. This was because the label for the returned data was mislabeled and was not appearing in the output. With this update, the underlying source code has been modified to address this issue, and adding a group to runasuser is properly displayed.
--externaluser option was specified for the sudorule-mod command. As a result, erroneous values were stored in the entry. With this update, the --externaluser option was removed from the sudorule-mod command. It is advisable to use the sudorule-add-user command instead.
SELINUX=disabled in /etc/selinux/config) and attempting to restart the ipa service caused the ipa service to fail to start. This update ignores the value returned by restorecon, and the ipa service now starts as expected whether SELinux is enabled or disabled.
runAsGroup in a sudo role as a user, the name of that user is returned as the name of a group that may also be used as the runAsGroup. As a result, the sudo rule was erroneous and referred to a non-existent group. This was because the search filter for determining the CN value was too generic. This update adds a test which assures user names no longer appear as runAsGroup values.
sudorule-mod's --runasexternaluser or --runasexternalgroup options. With this update, the aforementioned options have been deprecated. It is advisable to use the sudorule-add-runasuser or sudorule-runasgroup commands instead.
ipa-nis-manage command did not display an error and did not exit the command. With this update, passing an empty password causes an error to appear (No password supplied), and the command is exited with the status code 1.
ipa-nis-manage command has an option, -y, to specify the Directory Manager password in a file. This option caused the command to crash if the file did not exist. An exception handler around the password reader has been added, and a proper error message is displayed when the supplied password file is non-existent or is not readable.
runasuser (via ipa sudorule-add-runasuser) and, consequently, defining a group, the RunAs Group value was not included in the output. This was because the label for the returned data was mislabeled and was not appearing in the output. With this update, the underlying source code has been modified to address this issue, and adding a group to runasuser is properly displayed.
ipa passwd command. Prior to this update, the command did not require entering the old password. Consequently, anyone with access to that user's shell could change his Identity Management password without knowing the old password. With this update, the old password is always required in order to change a user's password. The only exception is the administrator user.
bind service was restarted. With this update, an updated bind-dyndb-ldap package added a zone refresh option that Identity Management uses to refresh the zone list in DNS. The default setting is 30 seconds. As a result, new DNS zones are not immediately available, but the bind service does not have to be restarted anymore.
--no-host-dns option of the ipa-server-install command still checked that the forward and reverse DNS entries existed and matched. Installation of an Identity Management server using a host name that could not be resolved would then fail. This update removes any DNS validation when the --no-host-dns option is used.
RA Subsystem to IPA RA.
ipa-client-install command always checked the specified server whether it was a valid Identity Management server. However, if the Identity Management server was configured to restrict access for anonymous binds (via the nsslapd-allow-anonymous-access option), the check failed and the installation processes returned an error and ended. With this update, when the ipa-client-install command detects that the chosen server does not allow anonymous binds, it skips server verification, reports a warning, and lets the user join the Identity Management server.
/etc/hosts) for records which could interfere with its IP address or hostname, and cause forward or reverse DNS queries to be resolved to different values than expected. The installation process now always checks for any conflicting records in the /etc/hosts file.
--ip-address option caused the installed server to not function properly. With this update, it is verified whether the provided IP address is a configured interface on the system. Providing an IP address that is not associated with a local network interface will return an error message.
zonemgr email address could cause an installation to fail with an unclear message. This update adds a validator which requires the zonemgr to contain ASCII characters only.
ipa-client-install command did not return an exit status of 0 when successful. With this update, the underlying source code has been modified to address this issue, and correct exit codes are returned.
value #0 invalid per syntax: Invalid syntax.
ipa-server-install called kdb5_ldap_util to populate the directory with realm information. In the process of doing so, it passes the Kerberos master database password and the Kerberos directory password as parameters. As a result, a user could list all running processes during the IPA server installation and discover the aforementioned passwords. With this update, kdb5_ldap_util's interactive mode is used to pass the passwords instead of passing them via CLI parameters.
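The difference between the two ways of handing a password to a child process, as described in the kdb5_ldap_util entry above, can be checked on any Linux host. The following is an added example, not code from the IPA installer: the child is a stand-in Python one-liner rather than kdb5_ldap_util, the secret is a constructed value, and /proc is assumed to be mounted.

```python
import subprocess
import sys

# Stand-in for a tool that needs a password (hypothetical, not kdb5_ldap_util):
# it takes the password from argv[1] if given, otherwise from the first line
# of stdin, reports that it is ready, then idles until stdin is closed.
CHILD = (
    "import sys\n"
    "pw = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().strip()\n"
    "print('ready', flush=True)\n"
    "sys.stdin.read()\n"
)


def cmdline_of(pid):
    """Return the argument vector of a process as the process list shows it."""
    with open("/proc/%d/cmdline" % pid, "rb") as fh:
        return [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]


def secret_exposed(secret, via):
    """Start the child with the secret passed via 'argv' or 'stdin' and report
    whether the secret appears in the child's command line while it runs."""
    if via not in ("argv", "stdin"):
        raise ValueError("via must be 'argv' or 'stdin'")
    argv = [sys.executable, "-c", CHILD]
    if via == "argv":
        argv.append(secret)  # the pre-fix behaviour: password as a parameter
    with subprocess.Popen(argv, stdin=subprocess.PIPE,
                          stdout=subprocess.PIPE, text=True) as child:
        if via == "stdin":
            # the post-fix behaviour: password sent over the child's input
            child.stdin.write(secret + "\n")
            child.stdin.flush()
        child.stdout.readline()      # wait until the child holds the secret
        seen = cmdline_of(child.pid)  # what a process listing would show
        child.stdin.close()           # let the child exit
    return secret in seen


if __name__ == "__main__":
    sample = "constructed-master-password"  # constructed sample value
    for how in ("argv", "stdin"):
        print(how, "-> visible in process list:", secret_exposed(sample, how))
```

The same /proc read works against any process on the system, which is why a secret on a command line has to be treated as disclosed to every local user for the lifetime of that process.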
--no-reverse option. This update fixes this behavior, and a reverse zone is not created unless specified.
ipa-client-install command attempted to auto-discover the Identity Management server in its domain, it did not use any timeout when a server was found and was being checked. If the found server was unresponsive during the auto-discovery, the ipa-client-install command got stuck and did not continue. This update adds a 30 second timeout to the ipa-client-install auto-discovery server check.
--no-sssd option of the ipa-client-install command did not properly back up and restore the existing /etc/sssd/sssd.conf file. With this update, the underlying source code has been modified to address this issue, and the --no-sssd option works as expected.
--hostname option to set a value outside an Identity Management-managed DNS domain did not return an error and did not add the host to DNS. The DNS updating utility, nsupdate, was modified to properly return an error when an update fails.
--force option. This was because the --force option was able to re-install over an already installed system, causing the original saved files to be lost. This behavior is no longer permitted; the client must be first uninstalled and only then it can be re-installed.
Cannot resolve network address for KDC
/etc/krb5.conf file was used during enrollment to contact the Identity Management KDC. The process was always relying on DNS auto-discovery to find the correct KDC and not the values provided by the end-user. With this update, enrollment works even if the domain does not match the realm.
No permission to join this host to the IPA domain.
--on-master lacked proper documentation. This update makes the option invisible and removes it from documentation entirely.
/etc/sysconfig/krb5kdc file, were not formatted properly on multi-CPU systems. As a consequence, the KDC could not use the intended number of CPUs and reported an error when it was (re)started. With this update, the aforementioned arguments are now properly formatted, fixing this issue.
ypcat command's netgroup output did not show users in netgroup triples. Consequently, NIS-based authorization did not work as expected, and access was denied when it should have been allowed. This was caused by a syntax error in the triple rule. This update fixes this error, and users are now properly included in the netgroup triples.
Exception in thread "main" java.lang.Error: Probable fatal error:No fonts found.
be2net driver could allow an attacker on the local network to cause a denial of service.
ext4_ext_convert_to_initialized() worked. A local, unprivileged user with access to mount and unmount ext4 file systems could use this flaw to cause a denial of service.
[bnx2x_extract_max_cfg:1079(eth11)]Illegal configuration detected for Max BW - using 100 instead
A problem has been detected and windows has been shut down to prevent damage to your computer.
struct mmsghdr { struct msghdr msg_hdr; unsigned msg_len; }; ssize_t sendmmsg(int socket, struct mmsghdr *datagrams, int vlen, int flags);
StrictHostKeyChecking=no option when dumping to SSH targets, causing the target kdump server's SSH host key not to be checked. This could make it easier for a man-in-the-middle attacker on the local network to impersonate the kdump SSH target server and possibly gain access to sensitive information in the vmcore dumps.
(initrd) files with world-readable permissions. A local user could possibly use this flaw to gain access to sensitive information, such as the private SSH key used to authenticate to a remote server when kdump was configured to dump to an SSH target.
/root/.ssh/ directory and the host's private SSH keys) in the resulting initrd. This could lead to an information leak when initrd files were previously created with world-readable permissions.
/etc/kdump.conf are included in the initrd. The default is the key generated when running the service kdump propagate command, /root/.ssh/kdump_id_rsa.
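An administrator can check an existing kdump initrd for both conditions described above (world-readable permissions, and SSH material beyond the one kdump key) by reading the file mode and listing the archive members. The following is an added example, not part of kexec-tools: it assumes the image is a gzip-compressed newc cpio archive whose members use paths relative to the root (root/.ssh/..., etc/ssh/...), and the two sample images it audits are constructed in a temporary directory.

```python
import gzip
import os
import stat
import tempfile

NEWC_MAGIC = b"070701"


def _pad4(n):
    return (4 - n % 4) % 4


def cpio_entry(name, data=b"", mode=0o100600):
    """Build one newc cpio member; used only to construct the sample images."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize, check: 13 fields of 8 hex digits each
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    out = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields) + name_b
    out += b"\0" * _pad4(len(out))
    return out + data + b"\0" * _pad4(len(data))


def cpio_names(blob):
    """List member names of a (possibly gzip-compressed) newc cpio archive."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    names, pos = [], 0
    while pos + 110 <= len(blob):
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("not a newc cpio header at offset %d" % pos)
        filesize = int(blob[pos + 54:pos + 62], 16)
        namesize = int(blob[pos + 94:pos + 102], 16)
        name = blob[pos + 110:pos + 110 + namesize - 1].decode(errors="replace")
        pos += 110 + namesize
        pos += _pad4(pos)            # header + name are padded to 4 bytes
        if name == "TRAILER!!!":
            break
        names.append(name[2:] if name.startswith("./") else name.lstrip("/"))
        pos += filesize
        pos += _pad4(pos)            # file data is padded to 4 bytes
    return names


def audit_initrd(path, allowed=("root/.ssh/kdump_id_rsa",)):
    """Report the file mode and any SSH material other than the allowed key."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as fh:
        names = cpio_names(fh.read())
    unexpected = [n for n in names
                  if (n.startswith("root/.ssh/") and n not in allowed)
                  or (n.startswith("etc/ssh/ssh_host_") and n.endswith("_key"))]
    return {"mode": oct(mode),
            "world_readable": bool(mode & stat.S_IROTH),
            "unexpected": unexpected}


def write_sample(path, names, mode):
    blob = b"".join(cpio_entry(n, b"constructed") for n in names)
    with open(path, "wb") as fh:
        fh.write(gzip.compress(blob + cpio_entry("TRAILER!!!", mode=0)))
    os.chmod(path, mode)


def demo():
    """Audit a constructed pre-fix style image and a post-fix style image."""
    with tempfile.TemporaryDirectory() as d:
        before = os.path.join(d, "sample-before.img")
        after = os.path.join(d, "sample-after.img")
        write_sample(before, ["bin/busybox", "root/.ssh/id_rsa",
                              "root/.ssh/kdump_id_rsa",
                              "etc/ssh/ssh_host_rsa_key"], 0o644)
        write_sample(after, ["bin/busybox", "root/.ssh/kdump_id_rsa"], 0o600)
        return audit_initrd(before), audit_initrd(after)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

If a different key is named in /etc/kdump.conf, pass its in-archive path through the allowed parameter.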
dump-capture kernel became unresponsive and the following error message was logged.
ACPI Error: A valid RSDP was not found
acpi_rsdp, has been added to the noefi kernel command. Now, if EFI is detected, a command in the format noefi acpi_rsdp=X is given to the second kernel, telling it not to use EFI and simultaneously passing it the address of RSDP. The second kernel now boots successfully on EFI machines.
core_collector in kdump.conf, when kdump was configured to dump kernel data to a secure location using SSH, it generated a complete vmcore, without removing free pages. With this update, the default core collector will be makedumpfile when kdump is configured to use SSH. As a result, the vmcore dump file is now compressed by default.
/etc/mdadm.conf configuration file. As a consequence, mkdumprd failed to create an initial RAM disk file system (initrd) for kdump crash recovery and the kdump service failed to start. With this update, mkdumprd has been modified so that it now parses the configuration file and builds initrd correctly. The kdump service now starts as expected.
initrd) for use in conjunction with the booting of a second kernel within the kdump framework for crash recovery. Prior to this update, mkdumprd became unresponsive when the running kernel was not the same as the target kernel. With this update the problem has been fixed and mkdumprd no longer hangs in the scenario described.
sed: /etc/cluster_iface: No such file or directory
Your running kernel is using more than 70% of the amount of space you reserved for kdump, you should consider increasing your crashkernel reservation
Non-fatal <unknown> scriptlet failure in rpm package
error reading information on service kdump: No such file or directory
cp: cannot stat `/lib/firmware/*': No such file or directory
kdump.conf, force_rebuild, has been added. When enabled, this option forces the kdump init script to rebuild initrd every time the system starts, thus ensuring kdump has enough storage space on each system start-up.
nr_cpus=1 rather than maxcpus=1 to save memory required by the second kernel. PowerPC platforms currently cannot handle this feature.
maxcpus=1 instead of nr_cpus=1 for older kernels (see the enhancement above).
kdump.conf debug_mem_level option.
ext4 file systems, and also to XFS file systems on data disks (but not the root disk) has been added.
For XFS, the XFS layer product needs to be installed. Layered products are those not included by default in the base Red Hat Enterprise Linux operating system.
Btrfs file systems has been added.
BusyBox's "findfs" utility does not yet support Btrfs, so UUID/LABEL resolving does not work. Avoid using UUID/LABEL syntax when dumping core to Btrfs file systems. Btrfs itself is still considered experimental; refer to Red Hat Technical Notes.
mount command. Consequently, when the command mount -t debugfs debug /sys/kernel/debug was issued in the kdump service script, if the file system was already mounted, the message returned was erroneously logged as an error message. With this update, the logic in the kdump service script has been improved and the kdump service script now functions as expected.
SPICE protocol.
--host-subject command line option are now ignored.
--version command line option for the spicec command has been added.
CKM_RSA_X_509 encrypting mechanism even though it reported support for this mechanism. Consequently, if such middleware was used by libcacard virtual smart cards, smart cards failed to emulate any RSA authentication based operations, such as requesting a security pin or retrieving user certificates. The library has been modified to handle CKM_RSA_X_509 failures by falling back to use CKM_RSA_PKCS encryption. Virtual smart cards now work correctly with AET middleware.
Obsolete lines in the package spec file, updating spice-client forced an update of spice-server as well, and vice versa. With this update, all "Obsolete" lines have been removed from the spice-client.spec file, and updating spice-client no longer forces the update of spice-server.
SPICE client did not correctly handle monitor setting routines when it was running on a client machine with multiple monitors. As a consequence, the client entered an infinite loop while trying to rearrange monitors, which eventually caused the client to terminate unexpectedly. With this update, the code has been modified to prevent the client from entering this loop, and the client thus no longer crashes.
SPICE client failed to connect to the SPICE server on the target host after a virtual machine had been migrated to a remote machine. This happened when the migration of the virtual machine took longer than the expiration time of the SPICE ticket that was set on the target host. Without a valid password, the SPICE server refused connection from the SPICE client and the SPICE session had to be closed. To prevent this problem, support for spice semi-seamless migration has been added. Other components such as spice-protocol, spice-server and qemu-kvm have also been modified to support this feature. SPICE now allows the SPICE client to connect to the SPICE server on the target host at the very start of the virtual machine migration, just before the migrate monitor command is given to the qemu-kvm application. With a valid ticket on the target host, the SPICE ticket on the destination no longer expires and the SPICE client now remains open when the virtual machine migration is done.
SPICE client could attempt to free memory that has already been freed. Therefore, when the KDE desktop screen of the client machine with the running SPICE client was locked, the SPICE client terminated unexpectedly with a segmentation fault after unlocking the screen. The code has been modified to free memory correctly, and the SPICE client no longer crashes in the scenario described.
SPICE client sessions at the same time and the screen resolution on the client machine was changed, the SPICE client could often enter an infinite loop in the code. As a consequence, the X Windows server consumed up to 100% of CPU and caused the client machine to be unresponsive. With this update, the underlying code has been modified to prevent the client from entering the loop, and the problem no longer occurs.
--color-depth and --disable-effects client WAN options was inaccurate. With this update, the spicec --help command now clearly states that these WAN options have effect only if supported by the guest vdagent.
SPICE server establishes secured connections, the SPICE client log contained secure-connection messages that included the misleading string, connect_unsecure. With this update, the function used to establish secure connections has been renamed and secure-connection messages in the client log now contain the connect_to_peer string.
SPICE client expected an existence of the primary screen surface when it attempted to handle the creation of non-primary screen surfaces. The primary surface did not exist at the time, therefore the SPICE client terminated unexpectedly. With this update, the SPICE client now ensures that the screen exists before starting operations on it. The SPICE client no longer crashes in the scenario described.
--smartcard-db client command line option was not handled properly. As a consequence, when running with this option, the SPICE client terminated with the following error message:
Error: unhandled exception: cmd line error
--smartcard-db option is now handled properly and the SPICE client works as expected using this option.
SPICE client with WAN options and the SPICE agent (vdagent) was running on the guest, the client initiated handshaking. If the vdagent did not support WAN options, it did not reply to the client and connection thus failed with the vdagent timeout. Also with certain WAN options, such as --color-depth 16, the attempt to connect failed with the vdagent timeout even though no vdagent was running on the guest. With this update, the SPICE client checks capabilities of the vdagent. If vdagent does not support WAN options or there is no vdagent running on the guest, the client continues with the message sequence initiation and connection is now successful.
SPICE client returned exit code 0 when running without the --host command line option, although the client correctly displayed the following error message:
spicec: missing --host
error code 14 in this scenario.
do_part_get_bootable() API function parsed the output of parted with an assumption that the partition layout on the guest image was well ordered. As a consequence, the part-get-bootable API would produce an incorrect result or even terminate with disks where the partitions were not in the usual order or were missing. With this update, the source code is modified so that libguestfs can correctly handle disks with unordered partitions.
libguestfs protocol lost synchronization when using the upload command in the guestfish command line tool before mounting any disks. Uploading files failed and an error message was reported due to the library and the daemon sending cancel messages in an incorrect order. With this update, if the daemon detects cancellation, it sends the remaining data in its output buffer instead of discarding it.
/etc/fstab file, the virt-inspector utility reported the unknown filesystem error message. The source code has been modified, and the utility now works correctly and no longer displays error messages.
guestfs_kill_subprocess() function and then closing the connection handle by calling guestfs_close() could cause the libguestfs connection to become unresponsive. The source code has been modified to close the connection correctly so that the connection no longer hangs.
guestfish command line tool, the mapped devices created by luks-open were not listed. With this update, /dev/mapper/ paths are added to tab-completion and the devices are displayed when pressing the tab key.
qemu-img command which contained an incorrect decimal point in the output. As a result, an error message was reported. With this update, the source code is modified so that the virt-make-fs tool invokes qemu-img correctly in all cases.
/etc/fstab file contained file systems marked with LABEL. This update modifies the source code so that the file systems are mounted correctly. As a result, virt-v2v no longer fails.
Legacy BIOS Bootable flag in the GPT (GUID Partition Table) attribute field.
LUKS (Linux Unified Key Setup) encrypted disks. As a result, loading of shared libraries failed with an error message. An upstream patch has been applied to address this issue and libguestfs now works correctly on LUKS devices.
guestfish --remote run should not be used in a command substitution context.
guestfs_last_errno() function was not exposed in the Perl bindings. As a consequence, it was not directly possible to determine the precise cause of some failures. To fix this problem, guestfs_last_errno() is now exposed in the Perl bindings.
OSError: [Errno 2] No such file or directory
ERROR cannot send monitor command '{"execute":"query-balloon"}': Connection reset by peer
Home directory. With this update, Python's paste tool now uses the -Es flag, and so avoids this behavior.
/var/lib/luci/data/luci.db can be fully backed up and restored.
cluster.conf file. The Run Exclusive option was enabled in luci by default, without it being manually enabled, and services could therefore become exclusive without users knowing about it. Now, luci is modified to correspond with the cluster.conf file: if the Run Exclusive option is not enabled, the checkbox is not checked.
fence_vmware fence agent.
pvmove command could become unresponsive. With this update, the underlying source code has been modified to address this issue, and the pvmove command no longer hangs.
lvresize command, the size was rounded down to the stripe boundary. This could pose a problem when shrinking the volume with a file system on it. Even if a user determined the new size so that the file system did fit entirely onto the volume, and resized the volume, the alignment done by the lvresize command might have cut off a part of the file system, causing it to become corrupted. This update fixes the rounding for striped volumes so that a volume is never reduced more than requested.
lvcreate --alloc anywhere command did not guarantee placement of data on different physical devices. With this update, the above command tries to allocate each mirror image on a separate device first before placing it on a device that is already used.
lvcreate command was used with large physical volumes while using %FREE, %VG, %PVS or %ORIGIN for size definition, the resulting LV size was incorrectly calculated. This was caused by an integer overflow while calculating the percentages. This update provides a better way of calculating the sizes, by using proper typecasting, so that the overflow no longer occurs.
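The percentage overflow described for lvcreate above, as an added C sketch that is not the LVM source. The function names are hypothetical, and the sketch assumes extent counts are held in 32-bit integers.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption for this sketch: extent counts are 32-bit unsigned integers. */

/* Overflowing form: the product is computed in 32 bits and wraps as soon
 * as extents * percent exceeds UINT32_MAX, so the result is silently wrong. */
uint32_t percent_of_extents_narrow(uint32_t extents, uint32_t percent)
{
    return extents * percent / 100;
}

/* Fixed form: cast one operand so the product is computed in 64 bits,
 * then check that the result still fits a 32-bit extent count.
 * Returns 0 and stores the result in *out, or -1 if it cannot be stored. */
int percent_of_extents(uint32_t extents, uint32_t percent, uint32_t *out)
{
    uint64_t wide = (uint64_t)extents * percent / 100;

    if (out == NULL || wide > UINT32_MAX)
        return -1;
    *out = (uint32_t)wide;
    return 0;
}

/* Smallest extent count at which the narrow form starts to wrap for a
 * given percentage. Returns 0 when no 32-bit extent count can wrap it
 * (percent of 0 or 1). */
uint32_t first_wrapping_extent_count(uint32_t percent)
{
    if (percent == 0)
        return 0;
    return UINT32_MAX / percent + 1;   /* wraps to 0 for percent == 1 */
}

int main(void)
{
    uint32_t extents = 50000000u;      /* constructed sample value */
    uint32_t fixed = 0;

    if (percent_of_extents(extents, 100, &fixed) != 0)
        return 1;
    printf("narrow: %u extents, wide: %u extents\n",
           percent_of_extents_narrow(extents, 100), fixed);
    printf("100%% starts wrapping at %u extents\n",
           first_wrapping_extent_count(100));
    return 0;
}
```

With 4 MiB extents (an assumed extent size), the 100% case starts to wrap at roughly 164 TiB, and at the first wrapping value the narrow form returns a size of zero extents.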
/etc/lvm/lvm.conf). At the early stage of the system start-up, when the early init script tries to activate any existing VGs, the cluster infrastructure is still not initialized (as well as the network interface) and therefore cluster locking cannot be used and the system falls back to file-based locking instead, causing several misleading error and warning messages to be returned. With this update, these error and warning messages are suppressed during the system start-up, and the system falls back to a usable locking mechanism silently.
vgimportclone script triggered a code path in LVM that caused it to access already-released memory when a duplicated PV was found. Consequently, the VG that contained such PV was found to be inconsistent and the process ended up with a failure to read the VG. This update fixes this failure by saving such problematic strings to a temporary buffer, and thus avoiding improper memory access.
clvmd) was crashing when attempting to create a high number of volume groups at once. This was caused by the limit set by the number of available file descriptors per process. While clvmd was creating pipes and the limit was reached under the pressure of high number of requests, clvmd did not return an error but continued to use uninitialized pipes instead, eventually causing it to crash. With this update, clvmd now returns an error message immediately if the pipe creation fails.
lvremove command could cause a failure to remove a logical volume. This failure was caused by processing an asynchronous udev event that kept the volume opened while the lvremove command tried to remove it. These asynchronous events are triggered when the watch udev rule is applied (it is set for device-mapper/LVM2 devices when using the udisks package that installs /lib/udev/rules.d/80-udisks.rules).
watch rule set and is closed after a read-write open).
udevadm settle command in between.
lvconvert command, the Unable to create a snapshot of a locked|pvmove|mirrored LV error message has been changed to Unable to convert an LV into a snapshot of a locked|pvmove|mirrored LV. for clarity reasons.
/”) caused LVM commands to fail while generating an archive of current metadata. Because a hostname is a part of the temporary archive file name, a file path that was ambiguous was created, which caused the whole archive operation to fail. This update fixes this by replacing any slash character (“/”) with a question mark character (“?”) in the hostname string, which is then used to compose the temporary archive file name.
/dev were created and removed incorrectly, causing them to exist when the device had already been removed or vice versa.
verify_udev_operations option found in the activation section of the /etc/lvm/lvm.conf file.
--force option from the lvrename manpage.
vgsplit command is now able to split a volume group containing a mirror with mirrored logs.
lvm_vg_write call, making it possible to calculate all PV properties and query them without actually writing the PV label on the disk.
resync status, as being in the reshape status. As a consequence, mdadm refused to assemble the IMSM RAID device as an external data file is needed to reassemble a device in the reshape status. If booting from the IMSM RAID device, the boot process could fail under these circumstances. With this update, mdadm detects that an IMSM RAID device is in the resync mode, assembles the device correctly, and launches its synchronization.
--size option with no chunk size specified, the mdadm utility rounded the default chunk size incorrectly. With this update, the rounding process has been modified and arrays are created with the correct size alignment.
mdadm: Failed to restore critical section for reshape - sorry
This happened because during the process, the RAID level for RAID0 devices is temporarily changed to RAID4; however, the Grow_restart() function called on restart did not allow any RAID level changes. With this update, the level change has been allowed and the problem no longer occurs.
mdstat --examine command contained incorrect status information. This happened because the DELAYED/PENDING status of a RAID device during resync was translated to an incorrect status. An upstream patch that fixes this bug has been applied and the mdstat --examine command now returns correct status information.
netstat command which uses SNMP, and a Tk/Perl management information base (MIB) browser.
snmptrapd, the Net-SNMP daemon for processing traps, leaked memory when processing incoming SNMP traps in embedded Perl. This caused the amount of consumed memory to grow over time, making the memory consumption even larger if the daemon was processing SNMPv1 traps. With this update, the underlying source code has been adapted to prevent such memory leaks, and processing incoming SNMP traps in embedded Perl no longer increases the memory consumption.
snmpd, the Net-SNMP agent, gathered the disk IO and CPU usage statistics for UCD-SNMP::systemStats as 64-bit. However, relevant MIB describes these statistics as 32-bit and as a consequence, snmpd wrote the following message to the system log when processing the 64-bit values:
truncating integer value > 32 bits
snmpd to collect values for UCD-SNMP::systemStats as 32-bit integers so that it no longer reports the aforementioned message to syslog.
snmpd daemon did not detect errors when accessing the /proc file system. Consequent to this, an attempt to read information about an exited process while gathering information for a HOST-RESOURCES-MIB::hrSWRunTable table caused the daemon to terminate unexpectedly with a segmentation fault. This update adapts the underlying source code to make sure that such errors are now properly detected, and snmpd no longer crashes when populating HOST-RESOURCES-MIB::hrSWRunTable.
snmpd daemon reported HOST-RESOURCES-MIB::hrSystemDate with an incorrect sign in the timezone offset. This update applies a patch to make sure the timezone offset is properly recalculated and the value reported by snmpd is now correct.
snmpd daemon tracked all network interfaces that were present on the system while it was running, including interfaces that were removed from the system during this time. Consequent to this, when an interface which had been removed was re-instantiated with the same name but with a different interface index, snmpd reported both interfaces separately in IF-MIB::ifTable. This typically happened to Point-to-Point Protocol (PPP) interfaces. This update adds two new options, interface_fadeout and interface_replace_old, to the /etc/snmpd/snmpd.conf configuration file, which allows system administrators to control the behavior of snmpd when two interfaces with the same name but a different interface index are detected. Refer to the snmpd.conf(5) manual page for details.
snmpd daemon silently ignored the second interface while populating IP-MIB::ipAddressTable. With this update, snmpd has been adapted to add a message that the second interface is being ignored to the system log in this scenario. This allows system administrators to determine why the second interface is missing from IP-MIB::ipAddressTable.
snmpd daemon ignored SIGCHLD signals from processes that were spawned as a result of the pass_persist configuration option. However, this led to unnecessary defunct processes on the system. With this update, the snmpd daemon has been adapted to correctly process the SIGCHLD signals so that such defunct processes are no longer created.
snmpd daemon incorrectly ignored XFS file systems when populating HOST-RESOURCES-MIB::hrFSTable. This update adds support for the XFS file system to HOST-RESOURCES-MIB::hrFSTable so that snmpd no longer omits such file systems from the report.
snmpd daemon did not distinguish between outgoing SMUX messages and always incremented their Request-ID, even when multiple SMUX messages were sent as a result of one incoming SNMP request with multiple variables. However, RFC 1227 requires that such SMUX messages should have the same Request-ID. With this update, snmpd properly recognizes multiple outgoing SMUX messages that are the result of one incoming SNMP request and assigns them the same Request-ID.
IP-MIB::ipNetToPhysicalTable, the previous version of the snmpd daemon did not properly recover and may have terminated unexpectedly as a consequence. This update adapts the underlying source code to detect that the system is running out of memory, and snmpd no longer crashes in this situation.
netsnmp module for the Python programming language did not properly initialize an SNMP session with SNMPv3 authentication. Consequent to this, an attempt to use such a session caused Python to terminate unexpectedly with a segmentation fault. This update ensures that SNMP sessions with SNMPv3 authentication are now initialized properly and can be used in Python modules as expected.
netsnmp Python module did not properly parse OID names that included an MIB name (such as IF-MIB::ifTable). With this update, the regular expression for parsing OID names has been corrected and the aforementioned Python module now parses such names properly.
snmpd daemon did not verify the result of reading from a network socket in the SMUX module. Consequent to this, snmpd may have been unable to close erroneous SMUX sessions, because it failed to detect some network errors. With this update, the snmpd daemon has been adapted to properly detect errors when reading from a SMUX socket so that it can now react to these errors properly.
AgentX subagent was being disconnected from the snmpd daemon, the daemon did not properly detach all outstanding SNMP requests from the internal session object representing this agent. As a consequence, snmpd could terminate unexpectedly while processing these requests. With this update, the snmpd daemon ensures that outstanding SNMP requests do not point to an AgentX session that is closed.
RELRO flag, the ELF sections are reordered to include internal data sections before program's data sections, and the Global Offset Table (GOT) address section of the resulting ELF file is mapped read-only. This ensures that any attempt to overwrite the GOT entry and gain control over the execution flow of a program fails with an error. For this reason, the Net-SNMP daemons, binaries, and shared libraries are now built with full RELRO protection.
signer 0 status = SigningCertNotFound cmsutil: problem decoding: Unrecognized Object Identifier.
NSS_Shutdown() function call because the client certificate was not freed and the cache could not be destroyed. With this update, the peer certificate is freed in OpenLDAP library after certificate validation is finished, all cache entries can now be deleted properly, and the NSS_Shutdown() call now succeeds as expected.
CN=*.example.com), the connection to the server failed. With this update, the library has been fixed to verify wildcard hostnames used in certificates correctly, and the connection to the server now succeeds if the wildcard common name matches the server name.
slapd-config(5) and ldap.conf(5) manual pages contained incorrect information about TLS settings. This update adds new TLS documentation relevant for the Mozilla NSS cryptographic library.
openldap client tool, and the file was not terminated by a newline character, the client terminated unexpectedly. With this update, client utilities are able to properly handle such LDIF files, and the crashes no longer occur in the described scenario.
ldapadd utility or another openldap client tool, and a line in the file was split into two lines but was missing correct indentation (the second line has to be indented by one space character), the client terminated unexpectedly. With this update, client utilities are able to properly handle such LDIF files, and the crashes no longer occur in the described scenario.
TLS_REQCERT option set to never and the TLS_CACERTDIR option set to an empty directory, TLS connection attempts to a remote server failed as TLS could not be initialized on the client side. Now, TLS_CACERTDIR errors are ignored when TLS_REQCERT is set to never, thus fixing this bug.
slapd.conf file was converted into a new slapd.d directory while the constraint overlay was in place, the constraint_attribute option of the size or count type was converted to the olcConstraintAttribute option with its value part missing. A patch has been provided to address this issue and constraint_attribute options are now converted correctly in the described scenario.
TLS_REQCERT option set to never and the remote LDAP server uses a certificate issued by a CA (Certificate Authority) whose certificate has expired, connection attempts to the server failed due to the expired certificate. Now, expired CA certificates are ignored when TLS_REQCERT is set to never, thus fixing this bug.
-fno-strict-aliasing option is passed to the compiler to avoid optimizations that can produce invalid code, and no warning messages are now returned during the package compilation.
olcDDStolerance option was shortening TTL (time to live) for dynamic entries, instead of prolonging it. Consequently, when an OpenLDAP server was configured with the dds overlay and the olcDDStolerance option was enabled, the dynamic entries were deleted before their TTL expired. A patch has been provided to address this issue and the real lifetime of a dynamic entry is now calculated properly, as described in documentation.
tlsm_find_and_verify_cert_key() function. Now, verified certificates and keys are properly disposed of when their verification fails, and memory leaks no longer occur in the described scenario.
olcVerifyClient option was set to allow in an OpenLDAP server or the TLS_REQCERT option was set to allow in a client utility, while the remote peer certificate was invalid, OpenLDAP server/client connection failed. With this update, invalid remote peer certificates are ignored, and connections can now be established in the described scenario.
/ character was printed during the installation. With this update, the responsible RPM scriptlet has been fixed and the / character is no longer printed in the described scenario.
slapo-unique manual page was missing information about quoting the keywords and URIs (uniform resource identifiers), and the attribute parameter was not described in the section about unique_strict configuration options. A patch has been provided to address these issues and the manual page is now up-to-date.
cn=config) could only be modified manually when the slapd daemon was not running. With this update, the ldapi:/// interface has been enabled by default, and the ACLs (access control lists) now enable the root user to modify the server configuration without stopping the server and using OpenLDAP client tools if he is authenticated using ldapi:/// and the SASL/EXTERNAL mechanism.
-Wl,-z,relro flags when compiling the package. The openldap package is now provided with partial RELRO protection.
attrd: Cannot append to /var/log/cluster/corosync.log: Permission denied
NameError: global name 'listconfigs' is not defined
dracut: /sbin/load_policy: Can't load policy: No such file or directory
WARNING: Direct use of qemu-kvm from the command line is unsupported. WARNING: Only use via libvirt. WARNING: Some options listed here may not be available in future releases.
512 bytes. With this update, cmsfs-fuse has been modified to detect the label information of FBA-512 disks and the formatted block size is now read from the label. FBA-512 disks can now be mounted with cmsfs-fuse as expected.
512 bytes was larger than 256 MB. With this update, cmsfs-fuse has been modified to calculate logical addresses correctly, and disks with a block size of 512 bytes can be written to regardless of their capacity.
contiguous writes to the file in the fixed record format without any failures.
-o big_writes option, which enables write operations bigger than 4 KB, and the previously written record was larger than a disk block size. With this update, cmsfs-fuse resets the record length attribute after every write operation, and writing to a file no longer fails in the scenario described.
qetharp utility did not check the length of the given interface name parameter. Therefore, the qetharp command terminated with a buffer overflow when it was executed with an interface name that was longer than 16 bytes. With this update, qetharp checks the length of the interface name parameter, and properly exits with the Error: interface name too long error message if the parameter is longer than it is allowed to be.
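The length check described for qetharp above, as an added C sketch that is not the s390utils source. struct arp_request and copy_ifname are hypothetical names; the 16-byte buffer size comes from the text, and the sketch also rejects a name of exactly 16 bytes because the buffer must hold the terminating NUL.

```c
#include <stdio.h>
#include <string.h>

#define IFNAME_MAX 16   /* buffer size named in the text */

/* Hypothetical request structure: the name field is followed by other
 * data, so an unchecked copy would run over it. */
struct arp_request {
    char ifname[IFNAME_MAX];
    unsigned int flags;
};

/* Unchecked form, shown for contrast only and never compiled here:
 *     strcpy(req->ifname, arg);
 * An argument of 16 bytes or more writes past ifname into flags and
 * whatever follows the structure. */

/* Checked form: copies the name only if it fits together with its NUL.
 * Returns 0 on success, -1 on rejection; req is left untouched on -1. */
int copy_ifname(struct arp_request *req, const char *arg)
{
    size_t len = 0;

    if (req == NULL || arg == NULL)
        return -1;
    /* Bounded scan: never reads more than IFNAME_MAX bytes of arg. */
    while (len < IFNAME_MAX && arg[len] != '\0')
        len++;
    if (len == 0) {
        fprintf(stderr, "Error: interface name missing\n");
        return -1;
    }
    if (len >= IFNAME_MAX) {
        fprintf(stderr, "Error: interface name too long\n");
        return -1;
    }
    memcpy(req->ifname, arg, len);
    memset(req->ifname + len, 0, IFNAME_MAX - len);  /* terminate and pad */
    return 0;
}

int main(int argc, char **argv)
{
    struct arp_request req = { {0}, 0 };

    /* "hsi0" is a constructed default so the program runs without arguments. */
    if (copy_ifname(&req, argc > 1 ? argv[1] : "hsi0") != 0)
        return 1;
    printf("querying interface %s\n", req.ifname);
    return 0;
}
```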
free() function call in the configuration file of cmsfs-fuse, the utility attempted to deallocate already freed memory. As a consequence, cmsfs-fuse expressed unpredictable behavior in the file type translation mode, such as a no longer accessible file system. With this update, the superfluous free() function call has been removed, and cmsfs-fuse now behaves as expected.
2 GB. With this update, cmsfs-fuse has been modified to cast data type of variables, structure members and functions used in the calculation to a longer data type before calculating the file size. The cmsfs-fuse utility now works as expected and files larger than 2 GB can now be created.
memory hole, and the chmem utility did not work at all. The lsmem and chmem utilities have been modified to work correctly with non-contiguous memory.
sysfs device tree that was changing. If a device disappeared from the device tree while lscss or lsdasd was attempting to access attributes of the device, the tool displayed pointless error messages. With this update, the lscss and lsdasd code has been modified to suppress the related error messages. In addition, the return code of the lscss -h and lsdasd -h commands has been corrected.
SCSI Generic (sg) driver was loaded in the kernel and sg functionality was thus available. Therefore, lsluns silently failed when it was started and sg functionality was unavailable on the system. With this update, lsluns now includes the missing check and exits with an error message when it is started on the system with the sg functionality unavailable.
hsuid attribute in its output when providing information about QETH network devices on the system. The lsqeth script has been modified to include hsuid in its output array, and this attribute is now correctly displayed.
HiperSockets and HiperSocket connections, including an explanation on how to configure a HiperSocket device.
DELAY_MINUTES variable to delay restart of a system on kernel panic. However, users expected immediate action, therefore dumpconf has been modified to set the DELAY_MINUTES variable to 0 on system restart. Restart of the system with dumpconf is now triggered immediately.
cpuplugd daemon did not properly handle lines commented out and did not correctly match strings in its configuration file. Consequently, lines in the configuration file that were commented out could be executed, which resulted in a parsing error, and invalid variable names were sometimes not rejected. The comment handling and string matching routines have been corrected in the code, and cpuplugd now behaves as expected when parsing the configuration file.
range from 0 to 11 instead of a range from 1 to 12, which resulted in timestamps shifted by one month backward. To correct this problem, returned integer is incremented by one. The zfcpdbf now generates correct timestamps.
lsluns --help command incorrectly suggested using an invalid --ports option. This mistake has been corrected, and the lsluns --help now correctly displays the --port option.
--config or --auto option on a device with no valid disk label, fdasd could stop with the following output:
no known label Should I create a new one? (y/n)
Disc does not contain a VOL1 label, cannot create partitions. exiting...
cpuplugd(8) man page has been modified to correct several typos and add one missing word.
cpuplugd daemon did not handle a sub-string matching correctly. The daemon also used an incorrect string length when working with user-defined variables. As a consequence, the daemon returned a parsing error if a user-defined variable name matches the prefix of a pre-defined variable, or a substring of another user-defined variable. With this update, the sub-string matching has been corrected, and cpuplugd now uses correct string length in string comparing operations. Parsing errors no longer occur in the scenario described.
cpuplugd did not use any mechanism to prevent multiple cpuplugd instances from starting. As a consequence, a race between the PID file creation and a daemon startup could result in multiple cpuplugd instances running concurrently. To resolve this problem, a file locking mechanism that uses the flock() function has been introduced in the cpuplugd code. Only one instance of cpuplugd is now allowed to run at the same time.
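The single-instance guard described for cpuplugd above, as an added C sketch that is not the cpuplugd source. acquire_instance_lock and the PID file path are hypothetical; the sketch shows why holding a flock() lock closes the window that a bare "does the PID file exist" test leaves open.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/types.h>
#include <unistd.h>

/* Racy pattern, described for contrast: test whether the PID file exists,
 * then create it. Two daemons started together can both pass the test
 * before either has written the file, and both keep running. */

/* Lock-based pattern: open (or create) the PID file, take an exclusive
 * non-blocking lock, and only then write the PID. The kernel arbitrates
 * the lock, so exactly one caller succeeds.
 * Returns the descriptor holding the lock, which must stay open for the
 * daemon's lifetime, or -1 with errno set (EWOULDBLOCK when another
 * instance already holds the lock). */
int acquire_instance_lock(const char *pidfile)
{
    char buf[32];
    int fd, n, saved;

    fd = open(pidfile, O_RDWR | O_CREAT, 0644);
    if (fd < 0)
        return -1;

    if (flock(fd, LOCK_EX | LOCK_NB) < 0)
        goto fail;

    /* Only the lock holder rewrites the file, so replacing a stale PID
     * left behind by a crashed instance is safe. */
    n = snprintf(buf, sizeof(buf), "%ld\n", (long)getpid());
    if (ftruncate(fd, 0) < 0 || write(fd, buf, (size_t)n) != (ssize_t)n)
        goto fail;
    return fd;

fail:
    saved = errno;          /* close() may overwrite errno */
    close(fd);
    errno = saved;
    return -1;
}

int main(void)
{
    /* Constructed path for the demonstration, not the daemon's real one. */
    const char *pidfile = "/tmp/example-daemon.pid";
    int fd = acquire_instance_lock(pidfile);

    if (fd < 0) {
        if (errno == EWOULDBLOCK)
            fprintf(stderr, "another instance is already running\n");
        else
            perror(pidfile);
        return 1;
    }
    printf("lock held, daemon work would start here\n");
    close(fd);              /* closing the descriptor releases the lock */
    unlink(pidfile);
    return 0;
}
```

The lock is released automatically when the process exits, so a crash never leaves a stale lock behind even though the file itself remains.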
cpuplugd had previously not implemented sanity checks regarding minimum and maximum values for valid CPU and memory intervals. If a configuration with incorrect intervals was used, the daemon could not work properly, and CPU and memory could not be used optimally. With this update, cpuplugd now includes CPU and memory sanity checks, ensuring its efficiency.
ferror() test, the lsreipl utility returned an error message when it attempted to read an empty sysfs file. With this update, the missing check has been added, and lsreipl no longer returns error messages when attempting to read an empty file.
libzfcphbaapi library was missing some event thread cleanup code in the HBA_FreeLibrary() function. Therefore, the zfcp_ping tool could terminate unexpectedly with a segmentation fault if no on-line adapter was discovered. The missing event thread cleanup has been added in the code using the pthread_cancel and pthread_join functions. The zfcp_ping tool no longer crashes under these circumstances.
grep command in its postinstall and postuninstall scripts but it was not dependent on the grep package. Therefore, error messages were displayed when installing s390utils-iucvterm. With this update, the grep package has been added as a prerequisite for s390utils-iucvterm. No error messages now occur during the package installation.
Logical Unit Numbers (LUNs) without the -a, --active option, the lsluns utility filtered a scan for well known LUNs with value 0xc101000000000000 and 0x0000000000000000, because the SCSI report luns command is sent only to these LUNs. As a consequence, the lsluns -a command did not show all active LUNs but only active well known LUNs. The lsluns utility has been modified to not filter LUNs when issued with the -a option, and it now shows all active LUNs.
exit code 0 even if an error had occurred. This update adds the missing return code and the dasdinfo tool now returns correct return code values.
libzfcphbaapi.so common library to the /etc/hba.conf configuration file. Therefore, s390utils-libzfcphbaapi failed to register with the /etc/hba.conf configuration file. With this update, the postinstall script adds the libzfcphbaapi /usr/lib64/libzfcphbaapi-2.1.so line to the /etc/hba.conf configuration file and thus registers the s390utils-libzfcphbaapi package.
--output command line option in the code, although it was referred to as the --outfile option in the documentation. Using the --outfile option as suggested by documentation thus resulted in a ziomon failure. With this update, ziomon has been modified to accept the --outfile command line option as documented.
debugfs file system is mounted on the /sys/kernel/debug/ directory. Therefore, if the mount point was a different directory, ziomon failed. The missing test is now included in ziomon, and it now works as expected: continues if a file system is mounted on the /sys/kernel/debug/ directory, or exits with the ziomon: Error: Debugfs not mounted on /sys/kernel/debug. error message if a file system is mounted on a different mount point.
device-mapper multipath devices, zipl uses the zipl_helper.device-mapper script, which parses output of other programs. If any of these programs had locale dependent output, the script was unable to parse the output. Consequently, zipl terminated with the following error:
Script could not determine target parameters
zipl_helper.device-mapper script has been modified to set up standard locale for the current process and all child processes. The problem described no longer occurs.
Linux 2.6 scheduler provide the same CPU optimization functionality as the cpuplugd daemon does, without the negative effects of cpuplugd operations. Therefore, the cpuplugd daemon is now disabled on the system by default.
cpuplugd daemon has been improved, and cpuplugd now provides more advanced control of the VM Resource Manager (VMRM) Cooperative Memory Management (CMM) memory balloon.
/proc/vmstat and /proc/meminfo files can now be used in cpuplugd rules and user-defined variables.
cpustat.total_ticks variable has been introduced, which simplifies user-defined CPU percentage calculations.
SIGHUP signal receipt. This could cause the daemon to terminate unexpectedly with a segmentation fault if the maximum history level increased. The history data is now re-allocated and re-initialized when the daemon is reloaded and maximum history level has changed.
sleep() function and for swap rate calculation. This could lead to incorrect data under certain circumstances. The cpuplugd daemon now uses the actual time in its calculations.
re-IPL from multipath devices has been added.
re-IPL from Named Saved System (NSS) has been added.
re-IPL.
auto target" has been added. For the ccw, fcp, and node targets, chreipl can automatically find the correct re-IPL target.
pam_winbind
module stopped operating. As a result, there were failures encountered if users attempted to log in. With this update, the bug has been fixed so that pam_winbind
now works, as expected.
force create mode
parameter was not honored properly. As a result, files created on a mounted Samba share did not properly follow the umask
parameter, and files with undesired permissions were created. With this update, the bug has been fixed and no longer occurs.
gidNumber
LDAP attribute. Instead, Winbind uses the primaryGroupID
LDAP attribute. As a result, setting the gidNumber
attribute in AD has no effect for accounts if Winbind is used. With this update, the man pages have been updated accordingly to reflect the aforementioned limitation.
follow symlinks = yes
parameter was not set. This bug has been fixed in this update so that extracting files from the ZIP archive now works as expected.
service
_selinux(8) manual page. Previously, there was no manual page for the MySQL service (mysqld
). This update corrects this error, and the selinux-policy packages now provide the mysql_selinux(8) manual page as expected.
userdel -r
command caused Access Vector Cache (AVC) messages to be written to the audit log. With this update, the relevant policy has been corrected so that userdel no longer produces these messages.
semanage boolean -l
command contained errors. This update fixes the descriptions of various SELinux Booleans to ensure the aforementioned command now produces correct output without errors.
secadm
SELinux user was not allowed to modify SELinux configuration files. With this update, the relevant SELinux policy has been corrected and the secadm SELinux user can now modify such configuration files as expected.
rsyslogd service was previously unable to send messages encrypted with the Transport Layer Security (TLS) protocol. This update corrects the relevant SELinux policy, and rsyslogd can now send such messages as expected.
fenced_can_ssh Boolean, which allows the fencing agents to use these protocols.
xinetd service was unable to connect to localhost and the operation failed. With this update, xinetd is now trusted to write outbound packets regardless of the network's or node's Multi-Level Security (MLS) range, which resolves this issue.
/etc/cgrules.conf configuration file, SELinux incorrectly prevented cgroups from properly applying rules to NIS users. This update corrects this error by adding an appropriate policy so that SELinux no longer prevents cgroups from applying rules to NIS users.
kadmind) was unable to contact the LDAP server and failed to start. This update fixes the relevant policy and kadmind now starts as expected.
sssd service did not work properly and when any user authenticated to the sshd service using the Generic Security Services Application Program Interface (GSSAPI), subsequent authentication attempts failed. This update adds an appropriate security file context for the /var/cache/krb5cache/ directory, which allows sssd to work correctly.
puppetmaster service was not allowed to get attributes of the chage utility and any attempt to do so caused Access Vector Cache (AVC) messages to be written to the audit log. With this update, the SELinux policy rules have been adapted to allow puppetmaster to perform this operation.
/var/spool/postfix/maildrop/ directory to make sure Postfix is now allowed to re-send queued email messages as expected.
/var/lib/squeezeboxserver/ directory having an incorrect security context, an attempt to start the squeezeboxserver service with SELinux running in enforcing mode failed and Access Vector Cache (AVC) messages were written to the audit log. With this update, the security context of this directory has been corrected so that SELinux no longer prevents squeezeboxserver from starting.
root user (in the unconfined_t domain) ran the ssh-keygen utility and the ~/.ssh/ directory did not exist, the utility created this directory with an incorrect security context. This update adapts the relevant SELinux policy to make sure ~/.ssh/ is now created with the correct context (the ssh_home_t type).
sys_module capabilities, which caused various Access Vector Cache (AVC) messages to be written to the audit log. With this update, an appropriate dontaudit rule has been added to make sure such messages are no longer logged.
FAT32 or NTFS. This update corrects the SELinux policy so that grubby can now work as expected.
omsnmp module enabled, the latest version of the rsyslog daemon can send log messages as SNMP traps. This update adapts the SELinux policy to support this new functionality.
sys_module capabilities, which caused various Access Vector Cache (AVC) messages to be written to the audit log. With this update, an appropriate dontaudit rule has been added to make sure such messages are no longer logged.
6514 (the syslog over TLS port). This update adds a new SELinux policy that allows rsyslog clients to connect to this port.
localhost. This update corrects this error, and the selinux-policy packages now provide updated SELinux rules that allow hddtemp to listen on localhost as expected.
openvpn service failed, because SELinux prevented it. This update provides updated SELinux rules and adds a sys_nice capability so that users are now allowed to modify the scheduling priority as expected.
allow_unconfined_qemu_transition Boolean has been removed to make sure that QEMU is allowed to work together with the libguestfs library.
hostname command when HOST_NAME=`hostname` was specified in the configuration file. This update adapts the SELinux policy to support the aforementioned procmail option.
fileinject custom property caused Access Vector Cache (AVC) messages to be written to the audit log. With this update, the relevant SELinux policy has been corrected to ensure this action no longer produces such messages.
MAXCONN option in the /etc/sysconfig/memcached configuration file was set to a value greater than 1024, an attempt to start the memcached service caused Access Vector Cache (AVC) messages to be written to the audit log. This update corrects the relevant SELinux policy so that memcached no longer produces AVC messages in this scenario.
service_selinux(8) manual page. Previously, there was no manual page for the Squid caching proxy (squid). This update corrects this error, and the selinux-policy packages now provide the squid_selinux(8) manual page as expected.
abrtd).
/var/qmail/queue/ directory. With this update, this error has been fixed and the updated SELinux rules now allow these operations.
seinfo -r command incorrectly contained lsassd_t, which is not a role. This update corrects the relevant policy to make sure the aforementioned command now produces correct output.
DumpLocation option in the abrt.conf configuration file was set to /tmp/abrt, restarting the abrtd service caused various Access Vector Cache (AVC) messages to be written to the audit log. This update corrects the relevant SELinux policy to add support for this option, and such AVC messages are no longer reported when the abrtd service is restarted.
/dev/random). This update adds appropriate SELinux rules to grant virsh access to this device.
/etc/passwd.adjunct file to make it possible to use this file on a Network Information Service (NIS) server.
dhcpd daemon, the SELinux policy incorrectly prevented this daemon from setting the setgid and setuid capabilities. This update corrects the relevant SELinux policy so that dhcpd can now work properly.
/etc/dhcp/dhcp6.conf and /etc/rc.d/init.d/dhcpcd6 files had an incorrect security context. This update corrects this error, and both /etc/dhcp/dhcp6.conf and /etc/rc.d/init.d/dhcpcd6 are now labeled correctly.
sanlock daemon from working properly and various Access Vector Cache (AVC) messages appeared in the audit log. With this update, an appropriate SELinux policy has been added so that sanlock can now work as expected.
tcp/119. Since cyrus-master needs this port in order to run as a Network News Transfer Protocol (NNTP) server, this update fixes the relevant policy to support this configuration.
fence_scsi.key file that used to be located in the /var/lib/cluster/ directory has been recently moved to /var/run/cluster/. This update ensures that this file retains the correct security context.
/dev/bsr* devices were incorrectly labeled with the device_t type. This update changes the security context of these devices to cpu_device_t.
sssd service was not allowed to create, delete, or read symbolic links in the /var/lib/sss/pipes/private/ directory. This update corrects the relevant SELinux policy rules to allow sssd to perform these operations.
SECMARK kernel feature.
piranha-gui service was denied access to the /etc/sysconfig/ha/lvs.cf file. This update corrects the SELinux policy to grant piranha-gui this access.
rhev-agentd daemon from getting attributes of all available mount points. This update corrects the relevant SELinux policy so that rhev-agentd can gather all necessary information.
sshd service from getting attributes of the /root/.hushlogin file. This update adds a new type for this file and updates its security context to make sure that sshd can access it as expected.
/var/run/nslcd/ directory, SELinux incorrectly denied this access and wrote relevant Access Vector Cache (AVC) messages to the audit log. With this update, this error has been fixed and the selinux-policy packages now provide updated SELinux policy rules that allow finger to access this directory, as expected.
dynamic_ownership option was enabled in the /etc/libvirtd/qemu.conf configuration file. This update fixes the relevant SELinux policy to make sure such a USB device can now be correctly attached in this scenario.
unconfined module was disabled, an attempt to start the dirsrv-admin service failed and Access Vector Cache (AVC) messages were written to the audit log. With this update, this error has been fixed and dirsrv-admin now starts as expected in this situation.
sanlock and wdmd services has been added to enable using these services with libvirt and vdsm.
corosync_t domain type.
drbd service has been added.
initrc_t domain: pppoe-server, lldpad, fcoemon, cimserver, uuid, and gatherd.
initrc_t domain.
git_cgit_read_gitosis_content, has been added to allow Gitolite to display a list of available Git repositories.
virt_use_sanlock, has been added to allow the libvirtd daemon to access the sanlock.sock file.
setroubleshootd man page described an option that was not supported by the setroubleshootd service. This update corrects the man page content by removing the unsupported option.
-a/--analyze option with another option (for example, sealert -a ./test-audit.log -b) caused sealert to not work properly. This bug has been fixed and sealert alerts the user that the -a/--analyze option cannot be used with another option.
Ignore button in the SETroubleshoot GUI and, consequently, reproducing that same AVC message, would not ignore that message. With this update, the underlying source code has been modified to address this issue, and ignored AVC messages no longer appear in the SETroubleshoot GUI.
show to view the alert brought up the sealert browser but showed no alerts. An error message was also logged in /var/log/messages. This was because the /var/lib/setroubleshoot/setroubleshoot_database.xml database contained localized content which could not be parsed. With this update, the aforementioned database no longer contains localized content, and the sealert browser correctly shows all alerts.
sealert -s or sealert -S commands failed with a segmentation fault when LANG was set to Japanese (LANG=ja-JP). With this update, the underlying source code has been modified to address this issue, and the sealert command no longer fails on localized file analyses.
net-pf-10 kernel module. The appropriate setroubleshoot plugin was updated to not display these messages when IPv6 is blacklisted. It is recommended that users disable IPv6 using the /etc/sysctl.conf file. In such a case, AVC messages do not appear at all.
report library to send problem reports to Bugzilla. To unify configuration for bug reporting, a new library (libreport) was created, which unifies problem reporting in all applications. With this update, setroubleshoot uses the new libreport library for problem reporting.
"smartd: internal error in MailWarning(): cfg.mailwarn->emailfreq=0"
yum plug-in option attempted to gather the repository list, but this option was broken: running sosreport -k yum.yumlist=True returned the following error:
no such option "yumlist" for plugin (yum)" error
yum plug-in option is usable, and instead will include the output of the yum list command, if enabled (sosreport -k yum.yumlist=True). As this operation can be slow, yum.yumlist is disabled by default.
/etc/nslcd.conf file. Consequently, no nslcd.conf file was found when running sosreport. With this update, sos now includes /etc/nslcd.conf in its reports on systems that are using the nss-pam-ldapd nsswitch module.
/sbin/chkconfig --list autofs command. This update corrects the problem and the output of chkconfig --list autofs is now correctly stored in the sos_commands/autofs/chkconfig_--list_autofs file.
stdout.strip() function on the returned command output and the function truncated the leading and trailing whitespace characters. With this update, the function is no longer called in this situation and the returned command output is correct.
checkenabled() function was looking for the qpid package. However, no such package exists. With this update, the checkenabled() function now looks for the correct qpid-tool packages and sosreport gathers all the relevant qpid data as expected. In addition, a much greater set of configuration files and tool output is collected in this version.
hardware.py plug-in was incorrect. Therefore the utility failed to locate and capture data from the plug-in. With this update, the path has been corrected and the problem no longer occurs.
lsusb, lsusb -v, and lsusb -t commands is now collected by sosreport using the hardware plug-in.
ibv_devices and ibv_devinfo commands in the sosreport debugging archive.
/etc/tgt/targets.conf file and the output of tgtadm --lld iscsi --op show --mode target command in the sosreport debugging archive.
syslogsize option was specified. With this update, such files are truncated to 15 MB, in such a manner as to include the latest events, and saved in the /sosreport/sos_commands/ directory.
/etc/init directory.
brctl show and brctl showstp commands.
/proc/vmmemctl.
/etc/rhsm/ content.
ethtool -g, ethtool -c, and ethtool -a commands by default.
supportedControl attribute of the server rootDSE entry, SSSD terminated unexpectedly with a segmentation fault. With this update, this bug has been fixed.
inotify kernel subsystem to detect whether a Domain Name System (DNS) resolver file was changed. If inotify returned an error (for example due to resource exhaustion), SSSD terminated unexpectedly and network logins no longer worked. With this update, SSSD itself detects the failure in the described scenario and falls back to the five-second polling, fixing this bug.
/etc/resolv.conf file, if the first one failed to resolve a hostname. As a result, SSSD switched to offline mode without asking the other configured name servers. With this update, the bug has been fixed by configuring the resolver to query all name servers so that hostname resolution correctly retries until it either queries all the configured name servers or resolves the hostname.
ldap_default_authtok option was used, the ldap_default_authtok_type option was set to password even if it was not explicitly specified in the configuration file. With this update, password has been made the default value for the ldap_default_authtok_type option, thus the bug is now fixed.
GID=0 set which acted like a "root" group. As a result, the operation that processed members belonging to the group with GID=0 was aborted. With this update, groups with GID=0 are treated as non-POSIX groups (that is groups that are containers only and not reported to clients) so that the groups are handled gracefully.
pam_sss module even though the packet was corrupt. As a result, the SSSD PAM responder terminated unexpectedly. With this update, SSSD now detects if the response packet is already created so that in case of the error, the client will be forcibly disconnected and the SSSD will not crash.
/var/tmp/ directory. Because the file names are not standardized, they were not handled by the Security-Enhanced Linux (SELinux) policy correctly. As a result, when using SELinux in Enforcing mode, SSSD did not work with the option krb5_validate set to true. With this update, support to specify the Kerberos replay cache directory, both at compilation time and in the configuration file, has been added to SSSD, and a corresponding SELinux policy update has been made to accommodate the Kerberos replay cache directory, thus the bug is fixed.
libunistring for performing string comparisons where applicable so that SSSD is able to handle UTF-8 strings in the host-based access control rules.
ccache file for the user if the old ccache file had already expired. The SSH daemon used different processes with different UID values for different parts of the login process. As a result, if a user password expired after the user logged in, SSSD was unable to switch to a new ccache. With this update, SSSD forces removal of the old ccache if the Kerberos authentication subprocess returns a special PAM_NEW_AUTHTOK_REQD return code so that SSSD is able to recreate a ccache file instead of an existing (but inactive) ccache file for a user who logs in via SSH with an expired password.
sssd daemon package did not explicitly specify that it required the sssd-client package of the same architecture. As a result, it was difficult to specify to install both primary and secondary architecture sssd-client packages on multiarch systems. With this update, the main sssd package now requires the sssd-client package of the same architecture, thus the bug is fixed.
/etc/krb5.conf file is used in the case mentioned above.
krb5_renew_interval parameter.
ipa_server parameter resolves to. Previously, when the hostname resolved to an IPv6 address, the LDAP URI routines returned an error. As a result, the IPA provider was unable to function correctly in an IPv6 environment. With this update, the IPA provider now escapes all IPv6 addresses so that they can be consumed by the LDAP routines correctly, thus the bug is fixed.
member attribute had a different value than what was determined as the primary name for that member object. With this update, SSSD stores all user name or group name aliases in the cache. When determining the membership structure, SSSD checks for aliases in addition to the primary name so that the membership structure is correctly determined and returned.
initgroups operation performed too many disk writes, thus slowing the operation down. With this update, all entities retrieved from the remote server are first stored in an internal hash table, and then only a single transaction is used to store all the groups and their memberships so that the initgroups operation is now faster, especially for users who are members of a large number of groups.
initgroups and login operations failed for users whose user names contained special characters. With this update, the user names are now escaped, thus the bug is fixed.
initgroups operation. As a result, the initgroups operation failed. With this update, the IPA provider has been fixed so that the provider now gracefully handles users without group memberships and the initgroups operation succeeds for users who are not members of any group.
ldap_uri parameter was incorrectly configured so that the hostname part was missing, SSSD stored NULL in the pointer, in which the hostname was saved, and used it later on for establishing a connection. As a result, SSSD accessed the NULL pointer and terminated unexpectedly. With this update, the URI parsing function has been changed so it aborts when it cannot parse a valid hostname from the specified URI. SSSD reports an error and does not crash when an invalid ldap_uri parameter is used in the configuration file.
simple access provider in SSSD required that the user primary group was available to SSSD. As a result, the simple access provider did not work for users whose primary group was a local group stored in the /etc/group file because SSSD only handles remote groups. With this update, the failure to find the user primary group in the simple access provider is no longer treated as fatal so that users with the local primary group are handled correctly by the simple access provider.
pam_sss module. As a result, tools that communicate directly with the password-change servers (for example kpasswd) were unable to operate. With this update, SSSD always passes the IP addresses of password change servers to the Kerberos library, thus the bug is fixed.
initgroups() operations, SSSD consumed an extensive amount of memory, especially for complex membership structures. With this update, the problem with the memory consumption has been fixed.
initgroups() operation did not return all groups correctly. With this update, SSSD has been changed so that it can examine non-UNIX groups for potential UNIX nested member groups. SSSD is now able to return the complete list of groups even if the hierarchy mixes UNIX and non-UNIX groups.
ipa_hbac_treat_deny_as has been added to SSSD. The default value for the option is DENY_ALL, which means that any DENY rule in the whole set of rules will deny access regardless of what the actual rule is. Alternatively, the option can be set to IGNORE to skip the DENY rules.
DENY rules altogether, setting the ipa_hbac_treat_deny_as option to IGNORE may, under certain circumstances, allow access to users who are not intended to be allowed.
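
A configuration audit for the option described above, as an added example that is not part of the original notes or of SSSD: it reads an sssd.conf, reports the effective ipa_hbac_treat_deny_as value for each [domain/...] section, and flags IGNORE for review. The sample configuration is constructed, and the function name and the restriction to sections with access_provider = ipa are assumptions.

```python
import configparser

# Constructed sample sssd.conf; domain names and servers are illustrative only.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = corp.example, lab.example, legacy.example, files.example

[domain/corp.example]
id_provider = ipa
access_provider = ipa
ipa_server = ipa1.corp.example

[domain/lab.example]
id_provider = ipa
access_provider = ipa
ipa_hbac_treat_deny_as = IGNORE

[domain/legacy.example]
id_provider = ipa
access_provider = ipa
ipa_hbac_treat_deny_as = DENY_AL

[domain/files.example]
id_provider = ldap
access_provider = simple
"""

DEFAULT_VALUE = "DENY_ALL"          # default stated in the release note
KNOWN_VALUES = {"DENY_ALL", "IGNORE"}


def audit_hbac_deny_handling(conf_text):
    """Return (domain, effective_value, status) for each IPA-access domain.

    status is "ok" (DENY rules deny access), "review" (DENY rules skipped)
    or "unrecognized" (value is neither of the two documented ones).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        # Assumption: HBAC rules are only evaluated when access_provider = ipa.
        provider = parser.get(section, "access_provider", fallback="")
        if provider.strip().lower() != "ipa":
            continue
        raw = parser.get(section, "ipa_hbac_treat_deny_as", fallback=None)
        value = DEFAULT_VALUE if raw is None else raw.strip()
        if value not in KNOWN_VALUES:
            status = "unrecognized"
        elif value == "IGNORE":
            status = "review"
        else:
            status = "ok"
        findings.append((section[len("domain/"):], value, status))
    return findings


if __name__ == "__main__":
    for domain, value, status in audit_hbac_deny_handling(SAMPLE_SSSD_CONF):
        print(f"{domain:16} ipa_hbac_treat_deny_as={value:9} {status}")
```

A domain that omits the option is reported with the default DENY_ALL, so only an explicit IGNORE or a misspelled value is flagged.
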
~]# rm -f /etc/pki/entitlement/*
~]# subscription-manager refresh
[Errno 14] PYCURL ERROR 22 - "NSS: private key not found for certificate: PEM Token #1:1310636811763322869.pem"
ERROR: Unable to canonicalize path [...]: No such file or directory
SystemTap now loads the correct uprobe module and user-space application probing works as expected with the "--remote" option even if the uprobe kernel module is not currently loaded on the remote machine.
Revision History
Revision 1-0 | Tue Dec 6 2011