Edition 3
1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
procfs entries, sysfs
default values, boot parameters, kernel configuration options, or any
noticeable behavior changes. For more details on the features added and
bugs fixed in the Red Hat Enterprise Linux 6.3 kernel, refer to the Kernel chapter in the 6.3 Release Notes, or Section 5.93.1,
“ RHSA-2012:0862 — Moderate: Red Hat Enterprise Linux 6.3 kernel
security, bug fix, and enhancement update ” in this book.
pci=use_crspci=use_crs boot
parameter no longer needs to be specified to force PCI resource
allocations to correspond to a specific host bridge the device resides
on. It is now the default behavior.
CONFIG_HPET_MMAP, hpet_mmapCONFIG_HPET_MMAP option. Additionally, the hpet_mmap kernel parameter has been added.
pcie_p=nomsipcie_p=nomsi kernel parameter has been added to allow users to disable MSI/MSI-X for PCI Express Native Hotplug (that is, the pciehp driver). When enabled all PCIe ports use INTx for hotplug services.
msi_irqs/sys/bus/pci/devices/<device>/msi_irqs.
This subdirectory exports the set of MSI vectors allocated by a given
PCI device, by creating a numbered subdirectory for each vector under msi_irqs. For each vector, various attributes can be exported. Currently the only attribute, named mode, tracks the operational mode of that vector (MSI versus MSI-X).
CONFIG_PCI_DEBUGCONFIG_PCI_DEBUG=y option is configured, the -DDEBUG flag is automatically added to the EXTRA_CFLAGS compilation flags.
CONFIG_STRICT_DEVMEMCONFIG_STRICT_DEVMEM option is enabled by default for the PowerPC architecture. This option restricts access to the /dev/mem
device. If this option is disabled, userspace access to all memory is
allowed, including kernel and userspace memory, and accidental memory
(write) access could potentially be harmful.
CONFIG_KEXEC_AUTO_RESERVE=y CONFIG_CRASH_DUMP=y CONFIG_PROC_VMCORE=y
KEXEC_AUTO_THRESHOLDKEXEC_AUTO_THRESHOLD option has been lowered to 2 GB.
/proc/mounts/proc/mounts file now shows the following mount options for CIFS under the dir_mode= parameter:
nostrictsync noperm backupuid backupgid
dmesg_restrict/proc/sys/kernel/dmesg_restrict file is only allowed for a root user that has the CAP_SYS_ADMIN identifier set.
printk.always_kmsg_dumpprintk.always_kmsg_dump,
has been added to save the final kernel messages to the reboot, halt,
poweroff, and emergency_restart paths. For usage information, refer to
the /usr/share/doc/kernel-doc-<version>/Documentation/kernel-parameters.txt file.
4096:
~]$ ulimit -Hn
4096
soft_panicsoft_panic, has been added. When soft_panic is set to 1,
it causes softdog to invoke kernel panic instead of a reboot when the
softdog timer expires. By invoking kernel panic, the system executes
kdump, if kdump is configured. Kdump then generates a vmcore which
provides additional information on the reasons of the failure.
/usr/share/doc/perf-<version>/examples.txt documentation file has been added to the perf package.
shm_rmid_forcedshm_rmid_forced sysctl option has been added. When set to 1,
all shared memory objects not referenced in current ipc namespace (with
no tasks attached to it) will be automatically forced to use IPC_RMID.
For more information refer to /usr/share/doc/kernel-doc-<version>/Documentation/sysctl/kernel.txt file.
accept_local/proc/sys/net/ipv4/conf/*/accept_local
sysctl setting has been added to allow a system to receive packets it
sent itself. This is needed in order to work with certain load balancing
solutions that load balance to themselves.
CONFIG_VGA_SWITCHEROOCONFIG_VGA_SWITCHEROO configuration option is now enabled by default to allow switching between two graphics cards.
O_DIRECT in FUSEO_DIRECT flag for files in FUSE (File system in Userspace) has been added.
CONFIG_IP_MROUTE_MULTIPLE_TABLESCONFIG_IP_MROUTE_MULTIPLE_TABLES=y has been added to enable support for multiple independent multicast routing instances.
nfs.max_session_slotsnfs.max_session_slots
module/kernel boot parameter has been added. This parameter sets the
maximum number of session slots that an NFS client attempts to negotiate
with the server.
/proc
/proc during boot up has been changed to:
~]# mount -t proc -o nosuid,noexec,nodev proc /procprocfs, please remount procfs with the old option:
~]# mount -t proc /proc /proc-s/--snapshot option in the lvcreate man page.
lvcreate(8) man page.
lvmetad daemon
is to eliminate the need for this scanning by dynamically aggregating
metadata information each time the status of a device changes. These
events are signaled to lvmetad by udev rules. If lvmetad is not running, LVM performs a scan as it normally would.
use_lvmetad parameter in the /etc/lvm/lvm.conf file, and enable the lvmetad daemon by configuring the lvm2-lvmetad init script.
/etc/modprobe.d/dist-nfsv41.conf file with the following line and reboot the system:
alias nfs-layouttype4-1 nfs_layout_nfsv41_files
-o minorversion=1 mount option is specified, and the server is pNFS-enabled, the pNFS client code is automatically enabled.
fsfreeze(8) man page.
O_DIRECT I/O. These applications may use the raw block device, or the XFS file system in O_DIRECT
mode. (XFS is the only file system that does not fall back to buffered
I/O when doing certain allocation operations.) Only applications
designed for use with O_DIRECT I/O and DIF/DIX hardware should enable this feature.
/etc/cluster.conf configuration file to be used by pacemaker, rgmanager must be disabled. The risk of not doing this is high; after a successful conversion, it would be possible to start rgmanager and pacemaker on the same host, managing the same resources.
<rm disabled="1"> flag in /etc/cluster.conf.
<rm disabled="1"> flag appears in /etc/cluster.conf during a reconfiguration.
autofs:
autofs daemon is configured to look up automount maps via SSSD, only a single file has to be configured: /etc/sssd/sssd.conf. Previously, the /etc/sysconfig/autofs file had to be configured to fetch autofs data.
be2net
driver is considered a Technology Preview in Red Hat Enterprise Linux
6.3. You must meet the following requirements to use the latest version
of SR-IOV support:
be2net driver software.
bnx2i and bnx2fc Broadcom drivers, remain a Technology Preview until further notice.
mpt2sas driver is fully supported. However, when used in the lockless mode, the driver is a Technology Preview.
dm-thinp targets, thin and thin-pool,
provide a device mapper device with thin-provisioning and scalable
snapshot capabilities. This feature is available as a Technology
Preview.
..no such file or directory
/etc/kdump.conf, system-config-kdump, or firstboot.
audit subsystem in the Linux 2.6 kernel. Within the audispd-plugins
sub-package is a utility that allows for the transmission of audit
events to a remote aggregating machine. This remote audit logging
application, audisp-remote, is considered a Technology Preview in Red Hat Enterprise Linux 6.
fence_ipmilan
agent. This new Technology Preview is used to force a kernel dump of a
host if the host is configured to do so. Note that this feature is not a
substitute for the off operation in a production cluster.
-cpu host flag.
/usr/share/seabios/bios-pm.bin file for the VM bios instead of the default /usr/share/seabios/bios.bin file.
numad daemon for the best manual placement of an application. The numad package is introduced as a Technology Preview.
anaconda component
ql4xdisablesysfsboot to 1 may cause boot from SAN failures.
anaconda component
dracut component
Bind targets to network interfaces; do not leave it unselected, as is the default. Additionally, you must use static IP addresses if using a network root device.
--iface= option to the iSCSI command, for example:
iscsi --ipaddr 10.34.39.46 --port 3260 --target iqn.2009-02.com.kvm:iscsibind --iface=eth0
anaconda component
/boot partition is using the first partition of multipath, or use LVM (which is the default behavior).
anaconda component
zerombr kickstart command. The --initlabel option of the clearpart command is not intended to serve this purpose.
anaconda component, BZ#676025Skip Boot Loader Configuration
during the installation process. Boot loader configuration will need to
be completed manually after installation. This problem does not affect
users running Anaconda in the graphical mode (graphical mode also
includes VNC connectivity mode).
anaconda component
anaconda component
/boot volume on an encrypted volume.
anaconda component
sdc instead of sda).
kernel component
em1 is used instead of eth0
on new Dell machines). However, the previously used network interface
names are preserved on the system and the upgraded system will still use
the previously used interfaces. This is not the case for Yum upgrades.
anaconda component
kdump default on feature currently depends on Anaconda to insert the crashkernel= parameter to the kernel parameter list in the boot loader's configuration file.
firstaidkit component
anaconda component, BZ#623261 clearpart --initlabel kickstart command. Adding the --all switch—as in clearpart --initlabel --all—ensures disks are cleared correctly.
squashfs-tools component
attempt to access beyond end of device loop0: rw=0, want=248626, limit=248624
anaconda component
yaboot component, BZ#613929 anaconda component
system-config-kickstart component
subscription manager component
subscription manager component, BZ#811771gpgkey. To re-enable the repository, upload the GPG keys, and ensure that the correct URL is added to your custom content definition.
cpuspeed component, BZ#626893 /proc/cpuinfo or /sys/device/system/cpu/*/cpufreq.
This is due to the firmware manipulating the CPU frequency without
providing any notification to the operating system. To avoid this ensure
that the HP Power Regulator option in the BIOS is set to OS Control. An alternative available on more recent systems is to set Collaborative Power Control to Enabled.
releng component, BZ#644778 grub component, BZ#695951BOOTX64 rather than bootx64 to boot the installer due to case sensitivity issues.
grub component, BZ#698708 virt-p2v component, BZ#816930virt-p2v component, BZ#808820vdsm component, BZ#826921/etc/vdsm/vdsm.conf file:
[irs] nfs_mount_options = soft,nosharecache,vers=3
vdsm component, BZ#749479vdsm component
cgconfig service is turned off, turn it on with the chkconfig cgconfig on command and reboot. If you prefer not to reboot your system, restarting the libvirt service and vdsm should be sufficient.
ovirt-node component, BZ#747102 kernel component
libvirtd
service, which enables IP forwarding. The service causes a driver reset
on both Ethernet ports which causes a loss of all paths to an OS disk.
Under this condition, the system cannot load firmware files from the OS
disk to initialize Ethernet ports, eventually never recovers paths to
the OS disk, and fails to boot from SAN. To work around this issue add
the bnx2x.disable_tpa=1 option to the kernel
command line of the GRUB menu, or do not install virtualization related
software and manually enable IP forwarding when needed.
vdsm component/root/.ssh/ directory is
missing from a host when it is added to a Red Hat Enterprise
Virtualization Manager data center, the directory is created with a
wrong SELinux context, and SSH'ing into the host is denied. To work
around this issue, manually create the /root/.ssh directory with the correct SELinux context:
~]#mkdir /root/.ssh~]#chmod 0700 /root/.ssh~]#restorecon /root/.ssh
vdsm component
libvirt component
/etc/libvirt/qemu.conf file, set the relaxed_acs_check = 1 parameter, and restart libvirtd (service libvirtd restart). Note that this action will re-open possible security issues.
virtio-win component, BZ#615928 libvirt component, BZ#622649 service libvirt reload command to restore libvirt's additional iptables rules.
virtio-win component, BZ#612801 qemu-kvm component, BZ#720597qemu-kvm component, BZ#612788 virt-v2v component, BZ#618091 virt-v2v component, BZ#678232 lvm2 component, BZ#832392issue_discards=1 is configured in the /etc/lvm/lvm.conf file, moving physical volumes via the pvmove command results in data loss. To work around this issue, ensure that issue_discards=0 is set in your lvm.conf file before moving any physical volumes.
lvm2 component, BZ#832033lvmetad daemon (currently a Technology Preview), avoid passing the --test argument to commands. The use of the --test argument may lead to inconsistencies in the cache that lvmetad maintains. This issue will be fixed in a future release. If the --test argument has been used, fix any problems by restarting the lvmetad daemon.
lvm2 component, BZ#820229lvrename Cannot rename <volume_name>: name format not recognized for internal LV <pool_name>This issue will be fixed in the next LVM2 release.
device-mapper-multipath component
queue_without_daemon yes
default option queues I/O even though all iSCSI links have been
disconnected when the system is shut down, which causes LVM to become
unresponsive when scanning all block devices. As a result, the system
cannot be shut down. To work around this issue, add the following line
into the defaults section of /etc/multipath.conf:
queue_without_daemon no
initscripts component
/boot partitions by setting the sixth value of a /boot entry in /etc/fstab to 0.
kernel component, BZ#606260 lvm2 component
lvm2 component pvmove command cannot currently
be used to move mirror devices. However, it is possible to move mirror
devices by issuing a sequence of two commands. For mirror images, add a
new image on the destination PV and then remove the mirror image on the
source PV:
~]$lvconvert -m +1 <vg/lv> <new PV>~]$lvconvert -m -1 <vg/lv> <old PV>
~]$lvconvert --mirrorlog core <vg/lv>~]$lvconvert --mirrorlog disk <vg/lv> <new PV>
~]$lvconvert --mirrorlog mirrored <vg/lv> <new PV>~]$lvconvert --mirrorlog disk <vg/lv> <old PV>
kernel component
/etc/sysconfig/network-scripts/ifcfg-eth<X> file:
LINKDELAY=10
NetworkManager component, BZ#758076samba component
ldapsam_compat back end. This back end was never designed to run a production LDAP and Samba environment for a long period of time. The ldapsam_compat
back end was created as a tool to ease migration from historical Samba
releases (version 2.2.x) to Samba version 3 and greater using the new ldapsam back end and the new LDAP schema. The ldapsam_compat
back end lack various important LDAP attributes and object classes in
order to fully provide full user and group management. In particular, it
cannot allocate user and group IDs. In the Red Hat Enterprise Linux Reference Guide, it is pointed out that this back end is likely to be deprecated in future releases. Refer to Samba's documentation for instructions on how to migrate existing setups to the new LDAP schema.
ldapsam_compat back end with their existing LDAP setup even when all the above restrictions apply.
kernel component, BZ#816888kernel component
/usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt and https://access.redhat.com/knowledge/solutions/53031.
perftest component
corosync component, BZ#722469luci component, BZ#615898 luci will not function with Red Hat Enterprise Linux 5 clusters unless each cluster node has ricci version 0.12.2-14.
O=$REALM, where $REALM
is the realm of the new Identity Management installation) is never
pulled. Consequently, the second stage of the installation process
always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM
is the realm of the new Identity Management installation. If a custom
subject was used for the first stage of the installation, use its value
instead. Using this work around, the certificate subject validation
procedure succeeds and the installation continues as expected.
ipa passwd
command. When reset, user's Kerberos credentials in the Directory
Server are properly generated and the user is able to log in using
Kerberos authentication.
ipa-client-install setup script. To work around this issue, install the policycoreutils package manually:
~]# yum install policycoreutilsipa-ldap-updater
fails with a traceback error when executed by a non-root user due to
the SASL EXTERNAL bind requiring root privileges. To work around this
issue, run the aforementioned command as the root user.
netgroup-find option to search for external hosts.
filter, subtree,
and other options are used to target those entries which are writable.
Attributes define which part(s) of those entries are writable. As a
result, the list of attributes will be writable to members of the
permission.
sssd component, BZ#808063ldap_disable_paging option in the sssd-ldap
man page does not indicate that it accepts the boolean values True or
False, and defaulting to False if it is not explicitly specified.
sudo commands are
not case sensitive. For example, executing the following commands will
result in the latter one failing due to the case insensitivity:
~]$ipa sudocmd-add /usr/bin/X⋮ ~]$ipa sudocmd-add /usr/bin/xipa: ERROR: sudo command with name "/usr/bin/x" already exists
mod_ssl module should not be installed on the same system, otherwise Identity Management is unable to issue certificates because mod_ssl holds the mod_proxy hooks. To work around this issue, uninstall mod_ssl.
ipa-server-install command should add a record to the static hostname lookup table in /etc/hosts and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts
when an IP address is passed as an CLI option and not interactively.
Consequently, Identity Management installation fails because integrated
services that are being configured expect the Identity Management server
hostname to be resolvable. To work around this issue, complete one of
the following:
ipa-server-install without the --ip-address option and pass the IP address interactively.
/etc/hosts before
the installation is started. The record should contain the Identity
Management server IP address and its full hostname (the hosts(5) man page specifies the record format).
sssd component, BZ#750922libldb. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the \, character sequence. The most likely example of this is for an invalid memberUID entry to appear in an LDAP group of the form:
memberUID: user1,user2
memberUID is a multi-valued attribute and should not have multiple users in the same attribute.
(Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
/var/lib/sss/db/cache_<DOMAIN>.ldb file and restart SSSD.
/var/lib/sss/db/cache_<DOMAIN>.ldb file/var/lib/sss/db/cache_<DOMAIN>.ldb file purges the cache of all entries (including cached credentials).
sssd component, BZ#751314memberUID values, SSSD fails to sanitize the values properly. The memberUID value should only contain one username. As a result, SSSD creates incorrect users, using the broken memberUID values as their usernames. This, for example, causes problems during cache indexing.
6ComputeNode subscription.
sssd component, BZ#741264 [domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file:
ldap_referrals = false
ipmitool component
-N option when
setting retransmission intervals of IPMI messages over the LAN or
LANplus interface may cause various error messages to be returned. For
example:
~]#ipmitool -I lanplus -H $HOST -U root -P $PASS sensor listUnable to renew SDR reservation Close Session command failed: Reservation cancelled or invalid ~]#ipmitool -I lanplus -H $HOST -U root -P $PASS delloem powermonitorError getting power management information, return code c1 Close Session command failed: Invalid command
ipmitool component
~]# ipmitool -I lanplus -H $HOST -U root -P wrongpass delloem powermonitor
Error: Unable to establish IPMI v2 / RMCP+ session
Segmentation fault (core dumped)
kernel component,
be2net driver with a Virtual Function (VF) attached to a virtual guest results in kernel panic.
kernel component
sg_scan command) or similar functionality. Please consult Brocade directly for a Brocade equivalent of this functionality.
kernel componentbnx2i and bnx2fc Broadcom drivers, remain a Technology Preview until further notice.
kexec-tools component
UUID/LABEL resolving is not functional. Avoid using the UUID/LABEL syntax when dumping core to Btrfs file systems.
busybox component
/etc/kdump.conf: Unsupported type btrfs
/sbin/btrfsck file exists, and retry.
trace-cmd component
trace-cmd service does start on 64-bit PowerPC and IBM System z systems because the sys_enter and sys_exit events do not get enabled on the aforementioned systems.
trace-cmd component
report, does not work on IBM System z systems. This is due to the fact that the CONFIG_FTRACE_SYSCALLS parameter is not set on IBM System z systems.
tuned component
intel_idle.max_cstate=0 parameter, or at run time by using the cpu_dma_latency pm_qos interface.
libfprint component
~]$ lsusb -v -d 147e:2016 | grep bcdDevicekernel component
lpfc)
does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from
version 5.4. Future Red Hat Enterprise Linux 6 releases may include
DH-CHAP authentication.
kernel component
mpt2sas driver is "Phase 5 firmware" (that is, with version number in the form 05.xx.xx.xx).
Note that following this recommendation is especially important on
complex SAS configurations involving multiple SAS expanders.
kernel component
iscsi_firmware parameter to grub's kernel command line. This will signal to dracut to boot from the iSCSI HBA.
kernel component
num_lro, rss_mask, and rss_xor) that were supported by older versions of the mlx4_en
driver have become obsolete and are no longer used. If you supply these
parameters, the Red Hat Enterprise Linux 6.3 driver will ignore them
and log a warning.
kernel component
kernel component
vmalloc=256MB
kernel component
open(2) system call), then the device is closed (via the close(2) system call), and the /dev/disk/by-id link for the device may be removed. When the problem on the device that caused the error is resolved, the by-id link is not re-created. To work around this issue, run the following command:
~]# echo 'change' > /sys/class/block/sdX/ueventkernel component
kernel component
mpt2sas
driver is connected to a storage using an SAS switch LSI SAS 6160, the
driver may become unresponsive during Controller Fail Drive Fail (CFDF)
testing. This is due to faulty firmware that is present on the switch.
To fix this issue, use a newer version (14.00.00.00 or later) of
firmware for the LSI SAS 6160 switch.
kernel component, BZ#690523scsi_dh modules) are not available when the storage driver (for example, lpfc)
is first loaded, I/O operations may be issued to SCSI multipath devices
that are not ready for those I/O operations. This can result in
significant delays during system boot and excessive I/O error messages
in the kernel log.
multipathd
is started (which is the default behavior), users can work around this
issue by making sure the appropriate SCSI device handlers (scsi_dh modules) are available by specifying one of the following kernel command line parameters which dracut consumes:
rdloaddriver=scsi_dh_emc
rdloaddriver=scsi_dh_rdac,scsi_dh_hp_sw
rdloaddriver=scsi_dh_emc,scsi_dh_rdac,scsi_dh_alua
scsi_dh modules does not matter.
scsi_dh module(s) to load before the storage driver is loaded or multipath is started.
kernel component, BZ#745713nohpet parameter or, alternatively, the clocksource=jiffies
parameter to the kernel command line of the guest. Or, if running under
Red Hat Enterprise Linux 5.7 or newer, locate the guest configuration
file for the guest and add the hpet=0 parameter in it.
kernel component
WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing <number>MB of RAM
disable_mtrr_trim kernel command line option.
kernel component
perf record command becomes unresponsive when specifying a tracepoint event and a hardware event at the same time.
kernel component
~]# ./perf record -agT -e sched:sched_switch -F 100 -- sleep 3kernel component
select()
call. However, it is safe to increase the default hard limit; that way,
applications requiring a large amount of file descriptors can increase
their soft limit without needing root privileges and without any user
intervention.
kernel component, BZ#770545sysctl vm.zone_reclaim_mode is now 0, whereas in Red Hat Enterprise Linux 6.1 it was 1.
kernel component
/etc/modprobe.d/dist-alsa.conf file:
options snd-hda-intel model=thinkpad
kernel component
bfa xxxx:xx:xx.x: Base port (WWN = xx:xx:xx:xx:xx:xx:xx:xx) lost fabric connectivity
bfa driver.
kernel component
lpfc driver is deprecating the sysfs mbox interface as it is no longer used by the Emulex tools. Reads and writes are now stubbed out and only return the -EPERM (Operation not permitted) symbol.
kernel component
scsi devices. It is
usually triggered when a large amounts of I/O operations are pending on
the controller in the first kernel before performing a kdump.
kernel component, BZ#679262/proc/kallsyms and /proc/modules show all zeros when accessed by a non-root user.
kernel component
nomce kernel boot option, which disables machine check error reporting, or the mce=ignore_ce kernel boot option, which disables correctable machine check error reporting.
kernel component
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC … kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
pci=bfsort parameter to the kernel command line, and check again.
kernel component
be2iscsi driver results in kernel panic. To work around this issue, disable CHAP on the iSCSI target.
kernel component
tg3 driver normally handles. As a result, some of the routines that operate on the VPD blocks may fail. For example, the nvram test fails when running the ethtool –t command on BCM5719 and BCM5720 Ethernet Controllers.
kernel component
ethtool -t command on BCM5720 Ethernet controllers causes a loopback test failure because the tg3 driver does not wait long enough for a link.
kernel component
tg3 driver in Red Hat
Enterprise Linux 6.2 does not include support for Jumbo frames and TSO
(TCP Segmentation Offloading) on BCM5719 Ethernet controllers. As a
result, the following error message is returned when attempting to
configure, for example, Jumbo frames:
SIOCSIFMTU: Invalid argument
kernel component
lpfc_use_msi module parameter (in /sys/class/scsi_host/host#/lpfc_use_msi) being set to 2 by default, instead of the previous 0.
lpfc module parameter, lpfc_use_msi, to 0:
lpfc adapter may fail with mailbox errors. As a result, the lpfc adapter is not configured on the system. The following message appear in /var/log/messages:
lpfc 0000:04:08.0: 0:0:0443 Adapter failed to set maximum DMA length mbxStatus x0 lpfc 0000:04:08.0: 0:0446 Adapter failed to init (255), mbxCmd x9 CFG_RING, mbxStatus x0, ring 0 lpfc 0000:04:08.0: 0:1477 Failed to set up hba ACPI: PCI interrupt for device 0000:04:08.0 disabled
lpfc adapter is
operating, it may fail with mailbox errors, resulting in the inability
to access certain devices. The following message appear in /var/log/messages:
lpfc 0000:0d:00.0: 0:0310 Mailbox command x5 timeout Data: x0 x700 xffff81039ddd0a00 lpfc 0000:0d:00.0: 0:0345 Resetting board due to mailbox timeout lpfc 0000:0d:00.0: 0:(0):2530 Mailbox command x23 cannot issue Data: xd00 x2
lpfc adapter. The system BIOS logs the following messages:
Installing Emulex BIOS ...... Bringing the Link up, Please wait... Bringing the Link up, Please wait...
kernel component
netxen_nic is 4.0.550. This includes the boot firmware which is flashed in option ROM on the adapter itself.
kernel component, BZ#683012 vmcore. As a result, the second kernel is not loaded, and the system becomes unresponsive.
kernel component
vmcore
through the network using the Intel 82575EB ethernet device in a 32 bit
environment causes the networking driver to not function properly in
the kdump kernel, and prevent the vmcore from being captured.
kernel component #!/bin/sh # Disable hyper-threading processor cores on suspend and hibernate, re-enable # on resume. # This file goes into /etc/pm/sleep.d/ case $1 in hibernate|suspend) echo 0 > /sys/devices/system/cpu/cpu1/online echo 0 > /sys/devices/system/cpu/cpu3/online ;; thaw|resume) echo 1 > /sys/devices/system/cpu/cpu1/online echo 1 > /sys/devices/system/cpu/cpu3/online ;; esac
kernel component
nmi_watchdog registers with the perf subsystem. Consequently, during boot, the perf
subsystem grabs control of the performance counter registers, blocking
OProfile from working. To resolve this, either boot with the nmi_watchdog=0 kernel parameter set, or run the following command to disable it at run time:
echo 0 > /proc/sys/kernel/nmi_watchdognmi-watchdog, use the following command
echo 1 > /proc/sys/kernel/nmi_watchdogkernel component, BZ#603911 BUG: NMI Watchdog detected LOCKUP and have either ftrace_modify_code or ipi_handler in the backtrace. To work around this issue, disable NMI watchdog by setting the nmi_watchdog=0 kernel parameter, or using the following command at run time:
echo 0 > /proc/sys/kernel/nmi_watchdogkernel component
vmcore
via NFS. To work around this issue, utilize other kdump facilities, for
example dumping to the local file system, or dumping over SSH.
kernel component, BZ#587909 kernel component
nmi_watchdog=2 or nmi_watchdog=lapic parameters. The parameter nmi_watchdog=1 is not supported.
kernel component pci=noioapicquirk,
is required when installing the 32-bit variant of Red Hat Enterprise
Linux 6 on HP xw9300 workstations. Note that the parameter change is not
required when installing the 64-bit variant.
libwacom component
wacomcpl package, BZ#769466gnome-settings-daemon component, BZ#826128 acroread component
kernel component, BZ#681257 fprintd component
evolution component
anaconda component
xorg-x11-server component, BZ#623169 matahari component
matahari services.
qpidd running on port 49000)
does not require authentication. However, the Matahari broker is not
remotely accessible unless the firewall is disabled, or a rule is added
to make it accessible. Given the capabilities exposed by Matahari
agents, if Matahari is enabled, system administrators should be
extremely cautious with the options that affect remote access to
Matahari.
libreport component
/bin/sh: line 4: reporter-bugzilla: command not found
/etc/libreport/events.d/ccpp_event.conf file:
abrt-action-analyze-backtrace && ( bug_id=$(reporter-bugzilla -h `cat duphash`) && if test -n "$bug_id"; then abrt-bodhi -r -b $bug_id fi )
abrt-action-analyze-backtrace
irqbalance component, BZ#813078irqbalance(1) man page does not contain documentation for the IRQBALANCE_BANNED_CPUS and IRQBALANCE_BANNED_INTERRUPTS environment variables. The following documentation will be added to this man page in a future release:
IRQBALANCE_BANNED_CPUSProvides a mask of cpus which irqbalance should ignore and never assign interrupts to. This is a hex mask without the leading '0x', on systems with large numbers of processors each group of eight hex digits is sepearated ba a comma ','. i.e. `export IRQBALANCE_BANNED_CPUS=fc0` would prevent irqbalance from assigning irqs to the 7th-12th cpus (cpu6-cpu11) or `export IRQBALANCE_BANNED_CPUS=ff000000,00000001` would prevent irqbalance from assigning irqs to the 1st (cpu0) and 57th-64th cpus (cpu56-cpu63).
IRQBALANCE_BANNED_INTERRUPTSSpace seperated list of integer irq's which irqbalance should ignore and never change the affinity of. i.e. export IRQBALANCE_BANNED_INTERRUPTS="205 217 225"
rsyslog component
SIGHUP signal is issued. To reload the configuration, the rsyslog daemon needs to be restarted:
~]# service rsyslog restartparted component
/etc/dirsrv/slapd-ID/dse.ldif.
acl_TestRights - cache overflownThis update increases the default ACI cache limit to 2000 and allows it to be configurable by means of the new parameter
nsslapd-aclpb-max-selected-acls
in the configuration file entry "cn=ACL Plugin,cn=plugins,cn=config".
As a result, the aforementioned error message is not displayed unless
the new limit is exceeded, and it is now possible to change the limit
when needed.
ldapmodify
operation to modify RUV (Replica Update Vector) entries was allowed.
Consequently, 389 Directory Server became unresponsive when performing
such operations. This update disallows direct modification of RUV
entries. As a result, the server does not stop responding when
performing such operations, and returns an error message advising usage
of the CLEANRUV operation instead.
logconv.pl
script searched server logs for the "conn=0 fd=" string. Consequently,
the script reported a wrong number of server restarts. This update
modifies the script to search for the "conn=1 fd=" string instead. As a
result, the correct number of server restarts is now returned.
authzid attribute to be fully BER (Basic Encoding Rules) encoded. Consequently, the following error was returned when performing the ldapsearch command with proxy authorization:
unable to parse proxied authorization control (2 (protocol error))This update modifies the underlying source code so that full BER encoding of the provided authzid value is not required. As a consequence, no error is returned in the scenario described above.
ldapsearch
command on the "cn=config" object returned all attributes of the object,
including attributes with empty values. This update ensures that
attributes with empty values are not saved into "cn=config", and
enhances the ldapsearch command with a
check for empty attributes. As a result, only attributes that have a
value are returned in the aforementioned scenario.
.pid
files. In some cases, however, the files remain present even if the
associated processes have already been terminated. Consequently, the
upgrade scripts sometimes assumed that the Directory Server was online
and did not proceed with the database upgrade even if the server was
actually offline. This update adds an explicit test to check if the
processes referenced in the .pid files are really running. As a result, the upgrade scripts now work as expected.
repl-monitor command
used only the subdomain part of hostnames for host identification.
Consequently, hostnames with the identical subdomain part (for example:
"ldap.domain1", "ldap.domain2") were identified as a single host, and
inaccurate output was produced. This update ensures that the entire
hostname is used for host identification. As a result, all hostnames are
identified as separate and output of the repl-monitor command is accurate.
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=example,dc=com: 32This update ensures that DN strings are normalized before being used in modify operations. As a result, replication does not produce the error messages in the aforementioned scenario.
389-ds-base/ldap/servers/snmp/ directory contained .mib
files without copyright headers. Consequently, the files could not be
included in certain Linux distributions due to copyright reasons. This
update merges information from all such files into the redhat-directory.mib
file, which contains the required copyright information, and ensures
that it is the only file in the directory. As a result, no copyright
issues block 389 Directory Server from being included in any Linux
distribution.
strcmp
routines for value comparison. Consequently, using extensible search
filters with binary data returned incorrect results. This update
modifies the underlying source code to use binary-aware functions. As a
result, extensible search filters work with binary data correctly.
entryrdn index failed with the following error message:
_entryrdn_insert_key: Getting "nsuniqueid=ca681083-69f011e0-8115a0d5-f42e0a24,ou=People,dc=example,dc=com" failedWith this update, 389 Directory Server handles tombstones of child entries correctly, and the
entryrdn index can now be reindexed successfully with no errors.
entryrdn
index. Consequently, attempts to search for such entries were not
successful. This update ensures correct indexing of RUV tombstone
entries in the entryrdn index and search attempts for such entries are now successful.
Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failedWith this update, the default timeout for such replication requests has been set to 10 minutes. As a result, no errors are returned when using replication with DNA to add users, and the operation succeeds.
dse.ldif file. This update modifies the error messages so that they include the name of and path to the file where the error was found.
attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.26] for the attribute [nisDomain]This update ensures that the server uses the latest version of the nisDomain schema. As a result, restarting the server after an upgrade does not show any errors.
connection attribute when performing anonymous search on cn=monitor returned the connection
attribute, even though it was denied by the default ACI. This update
ensures that the ACI is processed even if the attribute is not in the
schema. As a result, the connection attribute is not displayed if the ACI denies it.
tombstone_to_glue
function, the Directory Server terminated unexpectedly. This update
fixes the logic for getting ancestor tombstone entries and eliminates
the chance to convert a tombstone entry into an orphaned entry. As a
result, unexpected server termination no longer occurs in the
aforementioned scenario.
ldapcompare
command. Consequently, performing concurrent comparison operations on
virtual attributes caused the Directory Server to become unresponsive.
This update fixes the internal loop issue. As a result, the server
performs concurrent comparison operations without any issues.
ldif2dbm - _get_and_add_parent_rdns: Failed to convert DN cn=TESTRELM.COM to RDNThis update ensures that the server does not start before the upgrade procedure finishes. As a result, the server boots up successfully after the upgrade.
ldap_initialize() function is not
thread-safe. Consequently, 389 Directory Server terminated unexpectedly
during startup when using replication with many replication agreements.
This update ensures that calls of the ldap_initialize()
function are protected by a mutual exclusion. As a result, when using
replication with many replication agreements, the server starts up
correctly.
entryusn”
attribute modified cache entries directly. Consequently under heavy
loads, the server terminated unexpectedly when performing delete and
search operations using the “entryusn” and “memberof”
attributes with referential integrity enabled. This update ensures that
the entries are never modified in the cache directly. As a result, the
server performs searches in the previously described conditions without
terminating unexpectedly.
ldap_delete: Server is unwilling to perform (53) additional info: Not a valid operation.This update modifies the underlying source code so that deletion of Managed Entry Config entries is allowed and can be performed successfully.
logconv.pl script was only able to produce a summary of operations for a file or for a requested period. This update introduces the -m option for generation of per-second statistics, and the -M
option for generation of per-minute statistics. The statistics are
generated in CSV format suitable for further post-processing.
/var/spool/abrt-upload/ via the reporter-upload utility, the ABRT daemon copied the dump directory to /var/spool/abrt/
and incremented the crash count which was already incremented before.
Due to the crash count being incremented twice, the dump directory was
marked as a duplicate of itself and removed. With this update, the crash
count is no longer incremented for remotely uploaded dump directories,
thus fixing the issue.
abrt-cli(1) man page.
line variable to be freed twice. This update fixes this bug, and kernel oopses are now properly analyzed.
mailx plug-in did not function properly due to a missing default configuration file for the mailx plug-in. This update adds a default configuration file for the mailx plug-in: /etc/libreport/plugins/mailx.conf.
logger plug-in.
/tmp/anaconda-tb-* files to be sometimes recognized as a binary file and sometimes as a text file.
bugzilla plug-in from working correctly. This update resolves this issue by modifying the source code to work with the new Bugzilla API.
noprobe argument in a kickstart file was not passed to the last known codepath. Consequently, the noprobe request was not properly honored by Anaconda.
This update improves the code so that the argument is passed to the
last known codepath. As a result, device drivers are loaded according to
the device command in the kickstart file.
ifup command failed. This update sets the value of BOOTPROTO to dhcp in default network device configuration files. As a result, network devices can be activated successfully using the ifup command after reboot in the scenario described.
/proc
file. As a result, guests with one CPU can bring the boot device online
so the CMS configuration file can be read and automated installations
proceed as expected.
repo commands in kickstart generated by Anaconda contained base installation repository information but they should contain only additional repositories added either by the repo kickstart command or in the graphical user interface (GUI). Consequently, in media installations, the repo command generated for installation caused a failure when the kickstart file was used. With this update, Anaconda now generates repo commands only for additional repositories. As a result, kickstart will not fail for media installations.
USB devices used during installation are no longer automounted.
tty1 was put under control of Anaconda, but was not returned when Anaconda exited. Consequently, init did not have permission to modify tty1's settings to enable Ctrl+C functionality when Anaconda exited, which resulted in Ctrl+C not working when the installer prompted the user to press the Ctrl+C or Ctrl+Alt+Delete
key combination after Anaconda terminated unexpectedly. A code
returning tty1 control back to init was added to Anaconda. As a result, Ctrl+C now works as expected if the user is prompted to press it when Anaconda crashes.
=~
operator. This operator is used to check for the architecture when
including files. Consequently, some binaries which provide the grub
command were present on x86_64 versions of the installer, but were
missing from i686 media. The Bash code has been modified to prevent this
bug. As a result, the binaries are now also present on i686 media and
users can now use the grub command from installation media as expected.
127. This update fixes the ordering in the unmounting sequence and as a result, the dynamic linker and mdadm now work correctly.
stdout and stderr
were distinct. Consequently, if the stdout and stderr descriptors were
the same, using them both for writing resulted in overwriting and the
log file not containing all of the lines expected. With this update, if
the stdout and stderr descriptors are the same then only one of them is
used for both stdin and stderr. As a result, the log file contains all
lines from both stdout and stderr.
/proc/cmdline ends with \n but the installer only checked for \0. Consequently, the devel
argument was not detected when it was the last argument on the command
line and the installation failed. This update improves the code to also
check for \n. As a result, the devel argument is correctly parsed and installation proceeds as expected.
ICMP ECHO
packets will cause this test to fail, halting the installation and
asking the user whether or not the provided nameserver address is valid.
Consequently, automated installations using kickstart will stop if this
test fails. With this update, in the event that the ping test fails,
the nslookup command is used to validate the provided nameserver address. If the nslookup test succeeds then kickstart
will continue with the installation. As a result, automated network
installations on IBM System z in non-interactive mode will complete as
expected in the scenario described.
ksdevice = link command was present, the link
specification was not used consistently for device activation and
device configuration. Consequently, other network devices having link
status were sometimes misconfigured using the settings targeted to the
device activated by the installer. With this update, the code has been
improved and now refers to the same device with link
specification both in case of device activation and device
configuration. As a result, when multiple devices with link status are
present during installation, ksdevice = link
specification of the device to be activated and used by the installer
does not cause misconfiguration of another device having link status.
8 TB,
but Ext3FS and Ext4FS inherited this value without overriding it.
Consequently, when attempting to create an ext3 or ext4 file system of a
size greater than 8Tb the installer would
not allow it. With this update, the installer's upper bound for new ext3
and ext4 filesystem size has been adjusted from 8Tb to 16TB. As a result, the installer now allows creation of ext3 and ext4 filesystems up to 16TB.
DHCP
transaction timeout of 45 seconds without the possibility of
configuring a different value. Consequently, in certain cases
NetworkManager failed to obtain a network address. NetworkManager
has been extended to read the timeout parameter from a DHCP
configuration file and use that instead of the default value. Anaconda
has been updated to write out the dhcptimeout value to the interface
configuration file used for installation. As a result, the boot option dhcptimeout
works and NetworkManager now waits to obtain an address for the
duration of the DHCP transaction period as specified in the DHCP client
configuration file.
USB3 modules were not in the Anaconda
install image. Consequently, USB3 devices were not detected by Anaconda
during installation. This update adds the USB3 modules to the install
image and USB3 devices are now detected during installation.
clearpart
command or the installer's automatic partitioning options to clear old
data from the system's disks were used with complex storage devices such
as logical volumes and software RAID, LVM
tools caused the installation process to become unresponsive due to a
deadlock. Consequently, the installer failed when trying to remove old
metadata from complex storage devices. This update changes the LVM
commands in the udev
rules packaged with the installer to use a less restrictive method of
locking and the installer was changed to explicitly remove partitions
from a disk instead of simply creating a new partition table on top of
the old contents when it initializes a disk. As a result, LVM no longer
hangs in the scenario described.
/usr/lib/anaconda/textw/netconfig_text.py file tried to import a module from the wrong location. Consequently, Anaconda failed to start and the following error message was generated:
No module named textw.netconfig_text
The code has been corrected and the error no longer occurs in the scenario described.
PROXY, PROXY_USER, PROXY_PASSWORD environmental variables. As a result, pre and post installation scripts now have access to the proxy setting used by Anaconda.
--onbiosdisk=NUMBER option for the kickstart part command sometimes caused installation failures as Anaconda
was not able to find the disk that matches the specified BIOS disk
number. Users wishing to use BIOS disk numbering to control kickstart
installations were not able to successfully install Red Hat Enterprise
Linux. This update adjusts the comparison in Anaconda that matches the
BIOS disk number to determine the Linux device name. As a result, users
wishing to use BIOS disk numbering to control kickstart installations
will now be able to successfully install Red Hat Enterprise Linux.
qla4xxx.ql4xdisablesysfsboot boot option. With this update, it is enabled by default.
iSCSI
connections to network interfaces, which is required for installations
using multiple iSCSI connections to a target on a single subnet for
Device Mapper Multipath (DM-Multipath) connectivity. Consequently,
DM-Multipath connectivity could not be used on a single subnet as all
devices used the default network interface. With this update, the Bind targets to network interfaces option has been added to the “Advanced Storage Options”
dialog box. When turned on, targets discovered specifically for all
active network interfaces are available for selection and login. For
kickstart installations a new iscsi --iface
option can be used to specify network interface to which a target
should be bound. Once interface binding is used, all iSCSI connections
have to be bound, that is to say the --iface
option has to be specified for all iscsi commands in kickstart. Network
devices required for iSCSI connections can be activated either using
kickstart network command with the --activate option or in the graphical user interface (GUI) using the Configure Network button from the “Advanced Storage Options” dialog (“Connect Automatically”
has to be checked when configuring the device so that the device is
also activated in the installer). As a result, it is now possible to
configure and use DM-Multipath connectivity for iSCSI devices using
different network interfaces on a single subnet during installation.
%pre section of kickstart. This update adds curl to the install image and curl can be used in the %pre section of kickstart.
InfiniBand network using IPoIB network interfaces.
volgroup
command to specify initially unused space in megabytes or as a
percentage of the total volume group size. These options are only valid
for volume groups being created during installation. As a result, users
can effectively reserve space in a new volume group for snapshots while
still using the --grow option for logical volumes within the same volume group.
GPT disk label is now used for disks of size 2.2 TB and larger. As a result, Anaconda now allows installation to disks of size 2.2 TB and larger, but the installed system will not always boot properly on non-EFI
systems. Disks of size 2.2 TB and larger may be used during the
installation process, but only as data disks; they should not be used as
bootable disks.
IPv6 support is set to be disabled by the installer using the noipv6 boot option, or the network --nopipv6 kickstart command, or by using the “Configure TCP/IP” screen of the loader Text User Interface (TUI), and no network device is configured for IPv6 during installation, the IPv6 kernel modules on the installed system will now be disabled.
VLAN discovery option for Fibre Channel over Ethernet (FCoE) devices added during installation using Anaconda's
graphical user interface was required. All FCoE devices created in
Anaconda installer were configured to perform VLAN discovery using the fcoemon daemon by setting the AUTO_VLAN value of its configuration file to yes. A new “Use auto vlan” checkbox was added to the “Advanced Storage Options” dialog, which is invoked by the Add Advanced Target button in “Advanced Storage Devices”
screen. As a result, when adding FCoE device in Anaconda, it is now
possible to configure the VLAN discovery option of the device using “Use auto vlan” checkbox in “Advanced Storage Options” dialog. The value of AUTO_VLAN option of FCoE device configuration file /etc/fcoe/cfg-device is set accordingly.
/etc/fcoe/ directory using biosdevname,
which is the new style interface naming scheme, for all the available
Ethernet interfaces for FCoE BFS. However, it did not add the ifname
kernel command line argument for FCoE interface that stays offline
after discovering FCoE targets during installation. Because of this,
during subsequent reboot the system tried to find the old style ethX interface name in /etc/fcoe/,
which does not match the file created by Anaconda using biosdevname.
Therefore, due to the missing FCoE config file, FCoE interface is never
created on this interface. Consequently, during FCoE BFS installation,
when an Ethernet interface went offline after discovering the targets,
FCoE links did not come up after reboot. This update adds dracut ip
parameters for all FCoE interfaces including those that went offline
during installation. As a result, FCoE interfaces disconnected during
installation will be activated after reboot.
swap --recommended
command in kickstart created a swap file of size 2 GB plus the
installed RAM size regardless of the amount of RAM installed.
Consequently, machines with a large amount of RAM had huge swap files
prolonging the time before the oom_kill syscall was invoked even in malfunctioning cases. In this update, swap size calculations for swap --recommended were changed to meet the values recommended in the documentation https://access.redhat.com/knowledge/solutions/15244 and the --same-as-ram option was added for the swap
kickstart command and as the default in GUI/TUI installations. As a
result, machines with a lot of RAM have a reasonable swap size now if swap --recommended is used. However, hibernation might not work with this configuration. If users want to use hibernation they should use swap --same-as-ram.
ONBOOT=yes in the ifcfg
configuration file during installation for all network interfaces used
by FCoE. As a result, all network devices used for installation to FCoE
storage devices are activated automatically after reboot.
nc) networking utility to the install environment. Users can now use the nc program in Rescue mode.
$prefix/lib/firmware paths on a Driver Update Disk (DUD). This update adds the $prefix/lib/firmware/updates directory to the path to be searched for firmware. RPM files containing firmware updates can now have firmware files in %prefix/lib/firmware/updates.
DNS (Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library (routines
for applications to use when interfacing with DNS); and tools for
verifying that the DNS server is operating properly.
/etc/resolv.conf contained nameservers with disabled recursion, nslookup failed to resolve certain host names. With this update, a patch has been applied and nslookup now works as expected in the scenario described.
named daemon could become unresponsive on shutdown. With this update, the error handling has been improved and named exits on shutdown gracefully.
named daemon
uses the atomic operations feature to speed-up access to shared data.
This feature did not work correctly on 32-bit and 64-bit PowerPC
architectures. Therefore, named
sometimes became unresponsive on these architectures. This update
disables the atomic operations feature on 32-bit and 64-bit PowerPC
architectures, which ensures that named is now more stable and reliable and no longer hangs.
named could terminate unexpectedly. With this update, the underlying code has been fixed and the race condition no longer occurs.
named daemon, configured as the
master server, sometimes failed to transfer an uncompressible zone. The
following error message was logged:
transfer of './IN': sending zone data: ran out of space
The code which handles zone transfers has been fixed and this error no longer occurs in the scenario described.
named
sometimes terminated unexpectedly with an assertion failure. With this
update, a patch has been applied to make the code more robust, and named no longer crashes in the scenario described.
rndc.key file was generated during package installation by the rndc-confgen -a command, but this feature was removed in Red Hat Enterprise Linux 6.1 because users reported that installation of bind package sometimes hung due to lack of entropy in /dev/random. The named initscript now generates rndc.key during the service startup if it does not exist.
rndc reload command was executed, named failed to update DNSSEC trust anchors and emitted the following message to the log:
managed-keys-zone ./IN: Failed to create fetch for DNSKEY update
This issue was fixed in the 9.8.2rc1 upstream version.
/dev/null device. In addition, some empty directories were left behind after uninstalling bind. With this update, the bind-chroot packaging errors have been fixed.
named.conf file to override the configuration supplied by the plug-in. Consequently, named sometimes failed to start. With this update the named.conf is parsed before plug-in initialization and named now starts as expected.
/var/named directory was mounted the /etc/init.d/named initscript did not distinguish between situations when chroot configuration was enabled and when chroot was not enabled. Consequently, when stopping the named service the /var/named directory was always unmounted. The initscript has been fixed and now unmounts /var/named only when chroot configuration is enabled. As a result, /var/named stays mounted after the named service is stopped when chroot configuration is not enabled.
rrset-order option now supports fixed
ordering. When this option is set, the resource records for each domain
name are always returned in the order they are loaded from the zone
file.
named logged too many messages relating to external DNS queries. The severity of these error messages has been decreased from “notice” to “debug” so that the system log is not flooded with mostly unnecessary information.
named daemon now uses portreserve to reserve the Remote Name Daemon Control (RNDC) port to avoid conflicts with other services.
LDAP back end is a plug-in
for BIND that provides back-end capabilities to LDAP databases. It
features support for dynamic updates and internal caching that help to
reduce the load on LDAP servers.
LDAP
server failed, the bind-dyndb-ldap plug-in did not try to connect
again. Consequently, users had to execute the "rndc reload" command to
make the plug-in work. With this update, the plug-in periodically
retries to connect to an LDAP server. As a result, user intervention is
no longer required and the plug-in works as expected.
zone_refresh period timed out and a zone was removed from the LDAP
server, the plug-in continued to serve the removed zone. With this
update, the plug-in no longer serves zones which have been deleted from
LDAP when the zone_refresh parameter is set.
rndc reload command or a SIGHUP
signal and the plug-in failed to connect to an LDAP server, the plug-in
caused named to terminate unexpectedly when it received a query which
belonged to a zone previously handled by the plug-in. This has been
fixed, the plug-in no longer serves its zones when connection to LDAP
fails during reload and no longer crashes in the scenario described.
LDAP
server for some time, then reconnected successfully, and some zones
previously present had been removed from the LDAP server. The bug has
been fixed and the plug-in no longer crashes in the scenario described.
DNS server, the plug-in did not put A or AAAA glue records in the “additional section”
of a DNS answer. Consequently, the delegated sub-domain was not
accessible by other DNS servers. With this update, the plug-in has been
fixed and now returns A or AAAA glue records of a delegated sub-domain
in the “additional section”. As a result, delegated zones are correctly resolvable in the scenario described.
idnsAllowQuery and idnsAllowTransfer, which can be used to set ACLs for queries or transfers. Refer to /usr/share/doc/bind-dyndb-ldap/README for information on the attributes.
idnsForwarders and idnsForwardPolicy which can be used to configure forwarding. Refer to /usr/share/doc/bind-dyndb-ldap/README for a detailed description.
sync_ptr that can be used to keep A and AAAA records and their PTR records synchronized. Refer to /usr/share/doc/bind-dyndb-ldap/README for a detailed description.
LDAP and configuration was only taken from the named.conf file. With this update, configuration information can be obtained from idnsConfigObject
in LDAP. Note that options set in named.conf have lower priority than
options set in LDAP. The priority will change in future updates. Refer
to the README file for more details.
qdiskd interaction timer has been improved.
ping command examples on the qdisk(5) manual page did not include the -w option. If the ping command is run without the option, the action can timeout. With this update, the -w option has been added to those ping commands.
GFS2 file systems created with large numbers of journal metadata blocks now pass the fsck check cleanly.
totem.miss_count_const constant as a valid option. As a consequence, users were not able to validate cluster.conf when this option was in use. This option is now recognized correctly by the RELAX NG schema, and the cluster.conf file can be validated as expected.
cmannotifyd daemon is often started after the cman utility, which means that cmannotifyd does not receive or dispatch any notifications on the current cluster status at startup. This update modifies the cman connection loop to generate a notification that the configuration and membership have changed.
free() function in the gfs2_edit code could lead to memory leaks and so cause various problems. For example, when the user executed the gfs2_edit savemeta command, the gfs2_edit utility could become unresponsive or even terminate unexpectedly. This update applies multiple upstream patches so that the free() function is now used correctly and memory leaks no longer occur. With this update, save statistics for the gfs2_edit savemeta
command are now reported more often so that users know that the process
is still running when saving a large dinode with a huge amount of
metadata.
GFS1
(which had different fields) that calculated distances between resource
groups and did not work with only one resource group. This update adds
the rgrp_size() function in libgfs2, which
calculates the size of the resource group instead of determining its
distance from the previous resource group. A file system with only one
resource group can now be expanded successfully.
GFS2
file system. The messages also contained absolute build paths and
source code references, which was unwanted. A patch has been applied to
provide users with comprehensive error messages in the described
scenario.
gfs_controld daemon ignored an error returned by the dlm_controld daemon for the dlmc_fs_register() function while mounting a file system. This resulted in a successful mount, but recovery of a GFS
file system could not be coordinated using Distributed Lock Manager
(DLM). With this update, mounting a file system is not successful under
these circumstances and an error message is returned instead.
GFS1 file system to convert a file system from GFS1 to GFS2. However, the gfs2_convert utility required the user to run the gfs_fsck
utility prior to conversion, but because this tool is not included in
Red Hat Enterprise Linux 6, users had to use Red Hat Enterprise Linux 5
to run this utility. With this update, the gfs2_fsck utility now allows users to perform a complete GFS1 to GFS2 conversion on Red Hat Enterprise Linux 6 systems.
qdiskd daemon and the device-mapper-multipath utility is a very complex operation, and it was previously easy to misconfigure qdiskd in this setup, which could consequently lead to a cluster nodes failure. Input and output operations of the qdiskd
daemon have been improved to automatically detect multipath-related
timeouts without requiring manual configuration. Users can now easily
deploy qdiskd with device-mapper-multipath.
multipathd daemon was not
correctly stopping waiter threads during shutdown. The waiter threads
could access freed memory and cause the daemon to terminate unexpectedly
during shutdown. With this update, the mutlipathd daemon now correctly stops the waiter threads before they can access any freed memory and no longer crashes during shutdown.
multipathd did not disable the queue_if_no_path option on multipath devices by default. When multipathd
was stopped during shutdown, I/O of the device was added to the queue
if all paths to a device were lost, and the shutdown process became
unresponsive. With this update, multipathd now sets the queue_without_daemon option to no by default. As a result, all multipath devices stop queueing when multipathd is stopped and multipath now shuts down as expected.
multipathd and udev to rename the new multipath device nodes. If udev renamed the device node first, multipathd removed the device created by udev and failed to create the new device node. With this update, multipathd
immediately creates the new device nodes, and the race condition no
longer occurs. As a result, the renamed device is now available as
expected.
flush_on_last_dev handling code did not implement handling of the queue feature properly. Consequently, even though the flush_on_last_del feature was activated, multipathd
re-enabled queueing on multipath devices that could not be removed
immediately after the last path device was deleted. With this update,
the code has been fixed and when the user sets flush_on_last_del, their multipath devices correctly disable queueing, even if the devices cannot be closed immediately.
multipathd did not set the max_fds option by default, which sets the maximum number of file descriptors that multipathd can open. Also, the user_friendly_names setting could only be configured in the defaults section of /etc/multipath.conf. The user had to set max_fds manually and override the default user_friendly_names value in their device-specific configurations. With this update, multipath now sets max_fds to the system maximum by default, and user_friendly_names can be configured in the devices section of multipath.conf. Users no longer need to set max_fds for large setups, and they are able to select user_friendly_names per device type.
hwtable_regex_match option was added to the defaults section of multipath.conf. If it is set to yes,
Multipath uses regular-expression matching to determine if the user's
vendor and product strings match the built-in device configuration
strings: the user can use the actual vendor and product information from
their hardware in their device configuration, and it will modify the
default configuration for that device. The option is set to no by default.
multipathd was using a
deprecated Out-of-Memory (OOM) adjustment interface. Consequently, the
daemon was not protected from the OOM killer properly; the OOM killer
could kill the daemon when memory was low and the user was unable to
restore failed paths. With this update, multipathd now uses the new Out-of-Memory adjustment interface and can no longer be killed by the Out-of-Memory killer.
multipath.conf file now contains a comment which informs the user that the configuration must be reloaded for any changes to take effect.
multipathd daemon incorrectly exited with code 1 when multipath -h (print usage) was run. With this update, the underlying code has been modified and multipathd now returns code 0 as expected in the scenario described.
multipathd threads did not check if multipathd was shutting down before they started their execution. Consequently, the multipathd daemon could terminate unexpectedly with a segmentation fault on shutdown. With this update, the multipathd threads now check if multipathd is shutting down before triggering their execution, and multipathd no longer terminates with a segmentation fault on shutdown.
multipathd daemon did not have a
failover method to handle switching of path groups when multiple nodes
were using the same storage. Consequently, if one node lost access to
the preferred paths to a logical unit, while the preferred path of the
other node was preserved, multipathd could end up switching back and forth between path groups. This update adds the followover failback method to device-mapper-multipath. If the followover failback method is set, multipathd
does not fail back to the preferred path group, unless it just came
back online. When multiple nodes are using the same storage, a path
failing on one machine now no longer causes the path groups to
continually switch back and forth.
tur,
the checks were not performed asynchronously. If a device failed and
the checker was waiting for the SCSI layer to fail back, the checks on
other paths were kept waiting. The checker has been rewritten so as to
check the paths asynchronously, and the path checking on other paths
continues as expected.
tur path checker by default. Also flush_on_last_del has been enabled, dev_loss_tmo has been set to infinity, fast_io_fail_tmo has been set to 5, and pg_init_retries has been set to 50.
OSError: [Errno 2] No such file or directory: '/sys/kernel/config/target
WARNING: Internal sanity check failed in event handler for request 6
nscd daemon
received a CNAME (Canonical Name) record as a response to a DNS (Domain
Name System) query, the cached DNS entry adopted the TTL (Time to Live)
value of the underlying A or AAAA
response. This caused the nscd daemon to wait an unexpectedly long time
before reloading the DNS entry. With this update, nscd uses the
shortest TTL from the response as the TTL for the entire record. DNS
entries are now reloaded as expected in this scenario.
memcpy()
function, the optimized function variant was used. However, the
optimized function variant copies the buffer backwards. As a result, if
the source and target buffers were overlapping, the program behaved in
an unexpected way. While such calling is a violation of ANSI/ISO
standards and therefore considered an error, this update restores the
prior memcpy() behavior and such programs now use the non-optimized
variant of the function to allow applications to behave as before.
malloc()
routines, glibc incorrectly allocated too much memory. This could cause
a multi-threaded application to allocate more memory to the threads
than expected. With this update, the race condition has been fixed, and
malloc's behavior is now consistent with the documentation regarding the
MALLOC_ARENA_TEST and MALLOC_ARENA_MAX environment variables.
gaih_getanswer() function. As a consequence, the getaddrinfo() function could not properly return all addresses. This update fixes an incorrect error test condition in gaih_getanswer() so that glibc now correctly parses the second response buffer. The getaddrinfo() function now correctly returns all addresses.
htons() function with the -O2 and -Wconversion parameters caused bogus warnings similar to the following:
warning: conversion to \u2018short unsigned int\u2019 from \u2018int\u2019 may alter its value
fork()
call. As a result, shared robust mutex locks were not cleaned up after
the child process exited. This update ensures that the robust futex list
is correctly initialized after a fork system call.
malloc()
function could enter a deadlock while creating an error message string.
As a result, the process could become unresponsive. With this update,
the process uses the mmap() function to allocate memory for the error message instead of the malloc() function. The malloc() deadlock therefore no longer occurs and the process with a corrupted heap now aborts gracefully.
alloca()
to allocate buffers in various routines. If such allocations applied
large internal memory requests, stack overflows could occur and the
application could terminate unexpectedly. This update applies several
upstream patches so that glibc now uses malloc() for these allocations and the problem no longer occurs.
pthread_create()
function. Consequently, some programs incorrectly issued an error for a
transient failure, such as a temporary out-of-memory condition. This
update ensures that glibc returns the correct error code when memory
allocation fails in the pthread_create() function.
getopt
routines changed and, as the respective Japanese translation was not
adapted, the system failed to find the Japanese version of the message.
As a result, the error message was displayed in English even if the
system locale was set to Japanese. This update fixes the Japanese
translation of the error string and the problem no longer occurs.
IO_flush_all_lockp() function was incorrect. This resulted in a race condition with occasional deadlocks when calling the fork() function in multi-threaded applications. This update fixes the locking and avoids the race condition.
nscd daemon cached
all transient results even if they were negative. This could result in
erroneous nscd results. This update ensures that negative results of
transient errors are not cached.
resolv.conf file contained only nameservers with IPv6 and options rotate
was set, the search domain was always appended. However, this is not
desired in the case of fully qualified domain names (FQDN) and if an
FQDN was used, the resolution failed. With this update, the underlying
code has been modified and if more than one IPv6 nameserver is defined
in resolv.conf, the FQDN is resolved correctly. Refer to bug 771204 for further information about this problem.
resolv.conf file, glibc
did not handle the parsing of spaces in nameserver entries correctly.
Consequently, correct DNS lookups failed. This update fixes the space
parsing and the problem no longer occurs.
getaddrinfo() call could return
an incorrect value. This happened because the query for getaddrinfo was
more complex than necessary and getaddrinfo failed to handle the
additional information returned by the query correctly. With this
update, the query no longer returns the addition information and the
problem is fixed.
ip commands explicitly with the -6 flag in the /etc/sysconfig/network-scripts/rule-DEVICE_NAME configuration file where DEVICE_NAME
is the name of the respective network interface. With this update, the
related network scripts have been modified to provide support for
IPv6-based policy routing and IPv6 routing is now configured separately
in the /etc/sysconfig/network-scripts/rule6-DEVICE_NAME configuration file.
sshd. With this update, the entropy created by the disk activity during system installation is saved in the /var/lib/random-seed file and used for key generation. This provides enough randomness and allows generation of keys based on sufficient entropy.
/dev/tty device ended with an error and consequently, it was not possible to read from the /dev/tty device. This happened because, when activating single-user mode, the rc.sysinit script called the sulogin
application directly. However, sulogin needs to be the console owner to
operate correctly. With this update, rc.sysinit starts the rcS-emergency job, which then runs sulogin with the correct console setting.
ifconfig commands have been changed to aliases to the respective ip commands and ifconfig now handles 20-byte MAC addresses correctly.
sysfs() call did not remove the arp_ip_target correctly. As a consequence, the following error was reported when attempting to shut down a bonding device:
ifdown-eth: line 64: echo: write error: Invalid argument
arp_ip_target is now removed correctly.
serial.conf file now contains improved comments on how to create an /etc/init/tty<device>.conf file that corresponds to the active serial device.
network service showed error messages on service startup similar to the following:
Error: either "dev" is duplicate, or "20" is a garbage.
halt initscript did not contain support for the apcupsd
daemon, the daemon for power mangement and controlling of APC's UPS
(Uninterruptible Power Supply) supplies. Consequently, the supplies were
not turned off on power failure. This update adds the support to the
script and the UPS models are now turned off in power-failure situations
as expected.
kernel.msgmnb and kernel.msgmax were incorrect. With this update, the comments have been fixed and the variables are now described correctly.
69: echo: write error: Invalid argument
/etc/sysconfig/netconsole
file. This happened because the address was resolved as two identical
addresses and the script failed. This update modifies the netconsole script so that it handles the MAC address correctly and the device is discovered as expected.
ms_MY) locale, some
services did not work properly. This happened due to a typographical
mistake in the ms.po file. This update fixes the mistake and services in
the ms_MY locale run as expected.
primary option for bonding in the ifup-eth
tool had a timing issue when bonding NIC devices. Consequently, the
bonding was configured, but it was the active interface that was
enslaved first. With this update, the timing of bonding with the primary option has been corrected and the device defined in the primary option is enslaved first as expected.
NISDOMAIN parameter in the /etc/sysconfig/network file, or other relevant configuration files.
ipa passwd CLI command was used to change user's password, it returned the following error message when the password change failed:
ipa: ERROR: Constraint violation: Password Fails to meet minimum strength criteria
ipa passwd command fails.
/etc/hosts file so that the custom
hostname is resolvable and the installation can continue. However,
previously, the record was not added when the IP address was passed
using the --ip-address option. As a result,
installation failed because subsequent steps could not resolve the
machine's IP address. With this update, a host record is added to /etc/hosts even when the IP address is passed via the --ip-address option, and the installation process continues as expected.
389 and 636)
are free. Users can combine an Identity Management server with custom
LDAP server instances as long as they run on custom ports.
force-sync, re-initialize, and del sub-commands of the ipa-replica-manage
command failed when used against a winsync agreement on an Active
Directory machine, limiting the user's ability to control winsync
replication agreements. With this update, the ipa-replica-manage was fixed to manage both standard replication agreement and winsync agreements in a more robust way.
--no-host-dns option was passed. When a hostname was not resolvable and the --no-host-dns option was used, the ipa-replica-install utility failed during the installation and did not amend the hostname resolution in the same way as the ipa-server-install utility does. With this update, ipa-server-install and ipa-replica-install now share host IP address processing, and both add a record to the /etc/hosts file when the server or replica hostname is not resolvable.
--external-ca
option, the installation is divided in two stages. The second stage of
the installation process reads configuration options from a file stored
by the first stage. Previously, the installer did not properly store a
value with the DNS forwarder IP address, which was then misread by the
second stage of the installation process, and name server configuration
in the second stage of the installation failed. With this update, the
forwarder option is correctly stored, and installation works as
expected.
memberOf attribute) were being replicated. This forced all Identity Management replicas' LDAP servers to re-process the memberOf
data and increase the load on the LDAP servers. When many entries were
added to a replica in a short period of time, or when a replica was
being re-initialized from another master, all replicas were flooded with
memberOf changes, which caused high load on all replica machines and caused performance issues. New replica agreements, added by the ipa-replica-install
utility, no longer ignore lists of attributes excluded from
replication. Re-initialization or a high number of added entries in an
Identity Management LDAP server no longer causes performance issues
caused by memberOf processing. Old replica agreements have also been updated to contain the correct list of attributes excluded from replication.
ipa automountmap-add-indirect command creates a new map and adds a key to the parent map (auto.master by default) which references the new indirect map. Because map nesting is only allowed in the auto.master map, a submount map referenced in other maps needs to follow a standard submount format (that is, <key> <origin> <mapname>) so that the referenced map is correctly loaded from LDAP. However, the automountmap-add-indirect sub-command did not follow this distinction and the <origin> and <mapname> attributes were not filled correctly. Therefore, submount maps referenced in a non-auto.master map were not recognized as automount maps by the autofs client software, and were not mounted. Submount maps referenced in a map that is not an auto.master map now follow a standard submount format, with the correct <key>, <origin> (-fstype=autofs), and <mapname> (ldap:$MAP_NAME). autofs client software is now able to correctly process submount maps both in auto.master and in other maps, and mount them.
subjectKeyIdentifier field even though it is marked with the SHOULD
keyword in the RFC 3280 document. Because of this, certain applications
processing these certificates could report errors. With this update,
the certificate template for both current and new IPA server
installations now contain the subjectKeyIdentifier field.
dirsrv or pkiuser
users, which the Directory Server uses to run its instances. These
users also own log files produced by the Directory Server. If an
Identity Management server was installed again, and the newly added
system users' UIDs changed, the Directory Server could fail to start
because the Directory Server instance was not permitted to write to the
log files owned by the old system users with different UIDs. With this
update, system users generated by an Identity Management server
installation are no longer removed during the uninstall process.
--raw
option were passed. An Internal Error was also returned when an invalid
attribute was passed to the ACI attribute list option. Option
processing is now more robust and more strict in validation. Proper
errors are now returned when invalid or empty option values are passed.
nsslapd-minssf
attribute in the Directory Server instance configuration to increase
security demands on the connection to the instance, some applications
(for example, SSSD)
may have stopped working as they could no longer read RootDSE
anonymously. To fix this issue, Identity Management now sets the nsslapd-minssf-exclude-rootdse
option in the Directory Server instance configuration. Users and
applications can access RootDSE in an Identity Management Directory
Server instance anonymously even when the instance is configured with
increased security demands on incoming connections.
all options. With this update, the entire Netgroup page has been redesigned to add this functionality.
ipa user-status command that
provides the number of failed login attempts on all configured replicas
along with the time of the last successful or failed login attempt.
host
plug-in did not allow storing of machine MAC addresses. Administrators
could not assign MAC addresses to host entries in Identity Management.
With this update, a new attribute for MAC addresses was added to the
Identity Management host plug-in. Administrators can now assign a MAC
address to a host entry. The value can then be read from the Identity
Management LDAP server with, for example, the following command:
~]$ getent ethers <hostname>Read DNS Entries. As a result, only permitted users can now access all DNS records in Identity Management Directory Server instances.
ERROR: kernel read fault at 0x0000000000000018 (addr) near identifier '@cast' at /usr/share/systemtap/tapset/x86_64/jstack.stp:362:29
PKCS #12 Creation Failed java.lang.IllegalArgumentException: bagType or bagContent is null
Shutting down interface breth0This happened after configuring the NetConsole functionality with no bridge on top of a bond due to a mistake in the linking to the device structure. With this update, the linking has been fixed and the device binding is processed correctly in this scenario.
5915: WARN_ON_ONCE(test_tsk_need_resched(next));An upstream patch has been provided to address this issue and the WARN_ON_ONCE() call is no longer present in schedule(), thus fixing this bug.
NFS: directory A/B/C contains a readdir loop.This update fixes the bug by turning off the loop detection and letting the NFS client try to recover in the described scenario and the messages are no longer returned.
xvd. Consider the example below:
| Red Hat Enterprise Linux 6.0 | Red Hat Enterprise Linux 6.1 or later | |
|---|---|---|
emulated IDE
| hda -> xvda | unchanged |
emulated SCSI
| sda -> xvda | sda -> xvde, sdb -> xvdf, ... |
xen_blkfront.sda_is_xvda, that provides a seamless upgrade path from 6.0 to 6.3 kernel release. The default value of xen_blkfront.sda_is_xvda is 0 and it keeps the naming scheme consistent with 6.1 and later releases. When xen_blkfront.sda_is_xvda is set to 1, the naming scheme reverts to the 6.0-compatible mode.
xvd[a-d], it is advised to add the xen_blkfront.sda_is_xvda=1 parameter to the kernel command line before performing the upgrade.
procfs entries, sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes, refer to Chapter 1, Important Kernel Changes to Note.
ifcfg files when gaining the bridge member name for the dump kernel and kdump over network succeeds in this scenario.
BOOTPROTO property in the ifcfg<device> networking script of the bonding device was set to none. This happened because the mkdumprd utility did not handle the BOOTPROTO setting correctly. With this update, mkdumprd handles the setting correctly and kdump succeeds when dumping remotely over a bonding device with the BOOTPROTO=none setting.
crashkernel boot option is set to auto to allow automatic reservation of memory for the kdump kernel, the threshold memory changes to 2 . However, the firstboot application was incorrectly using the 4 GB threshold. With this update, firstboot uses the same threshold value as the kernel.
/etc/kdump.conf
file does not define a dump target. However, mkdumprd used the device
name instead of its UUID (Universally Unique Identifier), which could
cause kdump to fail. With this update, the device UUID is used instead
of its device name by default and kdump over root device succeeds in the
scenario described.
default_action property was set to shell in the kdump.conf
file. With this update, the pipeline redirection fails as soon as
makedumpfile fails and the shell is dropped immediately in the scenario
described.
ext4
file system, the kdump initrd (initial RAM disk) could have been
created with zero-byte size. This happened because the system waits for
several seconds before writing the changes to the disk on an ext4 file
system. Consequently, the kdump initial root file system (rootfs) could
not be mounted and kdump failed. This update modifies kexec-tools so
that it perform the sync operations after creating initrd. This ensures
that initrd is properly written to the disk before trying to mount
rootfs, and kdump now successfully proceeds and captures the core dump
on systems with an ext4 file system.
/lib/modules/<kernelVersion>/
directory) of a modprobe and did not cover other module directories.
Consequently, mkdumprd failed if there were modules located in other
that the default path directory. The mkdumprd utility now handles /lib/modules/<kernelVersion>/updates/ as well as the /lib/modules/<kernelVersion>/ directory and mkdumprd succeeds under these circumstances.
/etc/init.d/kdump: line 281: /usr/sbin/sestatus: No such file or directory
selinux=0
option to the kernel command line. A system with SELinux enabled and
the policycoreutils package not installed is considered a broken
environment in which kdump returns the aforementioned errors. When you
remove the policycoreutils package, make sure you have also disabled SELinux with selinux=0; otherwise, the problem will preserve.
rksh) does
not allow redirections using a pipeline. Consequently, kdump failed if
the remote user that was used when requesting the core dump was
configured with a restricted shell. With this update, the dd command is used instead of cat to copy vmcore, and kdump succeeds when a remote user uses the rksh shell.
iwlwifi (Intel Wireless WiFi Link) modules for interface devices were included in kdump initrd. With this update, the iwlwifi modules are no longer loaded into kdump initrd.
PREFIX variable setting and the ifconfig utility failed during core dumping over network. With this update, the mkdumprd utility handles the PREFIX variable setting in ifcfg-<device> network scripts correctly.
/var/crash/
directory. With this update, kdump checks the device header of the
target device. If the header is invalid, kdump does not handle the
situation as a crash and the redundant resources are no longer created
on raw devices.
kdump.conf
file. However, running init in user space to capture the core dump
could cause an OOM (Out of Memory) state in the dump kernel. With this
update, the kernel is now rebooted by default under these circumstances.
Also, a new default option, mount_root_run_init,
has been added to kdump. With this option, the kernel mounts the root
partition, and runs the init and kdump service to try to save the kernel
core dump, which allows the user to apply the previous behavior of
kdump.
sadump dump format.
libguestfs daemon terminated unexpectedly when it attempted to mount a non-existent disk. This happened because libguestfs
returned an unexpected error to any program that accidentally tried to
mount a non-existent disk and all further operations intended to handle
such a situation failed. With this update, libguestfs returns an appropriate error message and remains stable in the scenario described.
guestfs_launch() function at the same time, an unexpected error could be returned. The respective code in the libguestfs
library has been modified to be thread-safe in this scenario and the
library can be used from multi-threaded programs with more than one
libguestfs handle.
/bin directory is a symbolic link, while it was a directory in previous releases. Due to this change, libguestfs
could not inspect a guest with Fedora 17 and newer. With this update,
the libguestfs inspection has been changed so that it now recognizes
such guests as expected.
autoexec.bat or boot.ini or ntldr
file in its root a candidate for a Windows root disk. If a guest had an
HP recovery partition, libguestfs could not recognize the HP recovery
partition and handled the system as being dual-boot. Consequently, some
virt tools did not work as they do not support multi-boot guests. With
this update, libguestfs investigates a potential Windows root disk
properly and no longer recognizes the special HP recovery partition as a
Windows root disk.
NULL, the binding process terminated unexpectedly with a segmentation fault when the g.launch()
function was called under some circumstances. With this update, the
error string is now set properly on all failure paths in the described
scenario and Python programs no longer terminate with a segmentation
fault when calling the g.launch() function under these circumstances.
:).
Previously, libguestfs resolved the link to the disk image before
sending it to qemu. If the resolved link contained the colon character,
qemu failed to run. Also, libguestfs sometimes failed to open a disk
image file under these circumstances due to incorrect handling of
special characters. With this update, libguestfs no longer resolves a
link to a disk image before sending it to qemu and is able to handle any
filenames, except for filenames that contain a colon character. Also,
libguestfs now returns correct diagnostic messages when presented with a
filename that contains a colon character.
/etc/fstab file. With this update, support for such RAID paths has been added and the virt-p2v tool is now able to successfully convert these guests.
error: Failed to start domain [domain name] error: Timed out during operation cannot acquire state change lockWith this update, libvirt handles this situation properly, and guests now start as expected.
error: Timed out during operation: cannot acquire state change lockThis update adds support for registering cleanup callbacks which are called for a domain when a connection is closed. The migration API is more robust to failures, and if a migration process is terminated, it can be restarted with a subsequent command.
warning : virDomainDiskDefForeachPath:7654 : Ignoring open failure on xxx.xxxThese messages were harmless and could be safely ignored. With this update, the messages are no longer reported unless a problem occurs.
<mac address='xx:xx:xx:xx:xx:xx'/>).
.), luci
failed to redirect the browser to the resource that was just created.
As a result, error 500 was displayed, even though the resource was
created correctly. This update corrects the code that handles
redirection of the browser after creating such a resource and luci
redirects the browser to a screen that displays the resource as
expected.
/etc/sysconfig/luci file.
force_unmount option was not shown
for file-system resources and the user could not change the
configuration to enable or disable this option. A checkbox that displays
its current state was added and the user can now view and change the force_unmount attribute of file-system resources.
tunneled, was added to the VM (Virtual Machine) resource agent script. This update adds a checkbox displaying the current value of the tunneled attribute to the VM configuration screen so that the user can enable or disable the attribute.
Redundant Ring configuration tab is now available in the Configure tab of clusters to allow RRP configuration from luci.
reboot icon was similar to the refresh
icon and the user could have mistakenly rebooted a cluster node instead
of refreshing the status information. With this update, the reboot icon has been changed. Also, a dialog box is now displayed before reboot so the user must confirm their reboot request.
volume_list parameter of lvm.conf.
The code has been improved to temporarily copy the mirror's tags to the
in-coming image so that it can be properly activated. As a result,
high-availability (HA) LVM service relocation now works as expected.
lvremove command could fail with the error message “Can't remove open logical volume”
despite the volume itself not being in use anymore. In most cases, such
a situation was caused by the udev daemon that still processed events
that preceded the removal and it kept the device open while lvremove
tried to remove it at the same time. This update adds a retry loop to
help to avoid this problem. The removal is tried several times before
the command fails completely.
--virtualsize, is now properly activated exclusively only (on local node).
clvmd received an
invalid request through its socket (for example an incomplete header was
sent), the clvmd process could terminate unexpectedly or stay in an
infinite loop. Additional checks have been added so that such invalid
packets now cause a proper error reply to the client and clvmd no longer
crashes in the scenario described.
dmeventd) is used, for example, for monitoring LVM based mirrors and snapshots. When attempting to create a snapshot using lvm2, the lvcreate -s command resulted in a dlopen
error if dmeventd was upgraded after the last system restart. With this
update, dmeventd is now restarted during a package update to fetch new
versions of installed libraries to avoid any code divergence that could
end up with a symbol lookup failure.
clvmd with option -S should preserve exclusive locks on a restarted cluster node. However the option -E,
which should pass such exclusive locks, had errors in its
implementation. Consequently, exclusive locks were not preserved in a
cluster after restart. This update implements proper support for option -E. As a result, after restarting clvmd the locks will preserve a cluster's exclusive state.
dmsetup [--force] remove device_name command. The --force
option failed, reporting that the device was busy. Consequently, the
underlying block device could not be detached from the system. With this
update, dmsetup has a new command wipe_table
to wipe the table of the device. Any subsequent I/O sent to the device
returns errors and any devices used by the table, that is to say devices
to which the I/O is forwarded, are closed. As a result, if a
long-running process keeps a device open after it has finished using it,
the underlying devices can be released before that process exits.
log/prefix and log/command_names directive in lvm.conf) caused the lvm2-monitor init script to fail to start monitoring for relevant VGs. The init script acquires the list of VGs first by calling the vgs
command and then it uses its output for further processing. However, if
the prefix or command name directive is used on output, the VG name was
not correctly formatted. To solve this, the lvm2-monitor init script
now overrides the log/prefix and log/command_names setting so the
command's output is always suitable for use in the init script.
lvconvert --merge
command did not check if the snapshot in question was invalid before
proceeding. Consequently, the operation failed part-way through, leaving
an invalid snapshot. This update disallows an invalid snapshot to be
merged. In addition, it allows the removal of an invalid snapshot that
was to be merged on next activation, or that was invalidated while
merging (the user will be prompted for confirmation).
lvconvert --splitmirrors
fails to strip it off. This leads to an attempt to use a Logical Volume
name that is invalid. This release detects and validates any supplied
Volume Group name correctly.
pvmove was used on a
clustered VG, temporarily activated pvmove devices were improperly
activated cluster-wide (that is to say, on all nodes). Consequently, in
some situations, such as when using tags or HA-LVM configuration, pvmove
failed. This update fixes the problem, pvmove now activates all such
devices exclusively if the Logical Volumes to be moved are already
exclusively activated.
vgreduce command
was executed with a non-existent VG, it unnecessarily tried to unlock
the VG at command exit. However the VG was not locked at that time as it
was unlocked as part of the error handling process. Consequently, the
vgreduce command failed with the internal error “Attempt to unlock unlocked VG”
when it was executed with a non-existent VG. This update improves the
code to provide a proper check so that only locked VGs are unlocked at
vgreduce command exit.
lvmetad)
is to eliminate the need for this scanning by dynamically aggregating
metadata information each time the status of a device changes. These
events are signaled to lvmetad by udev rules. If lvmetad
is not running, LVM performs a scan as it normally would. This feature
is provided as a Technology Preview and is disabled by default in Red
Hat Enterprise Linux 6.3. To enable it, refer to the use_lvmetad parameter in the /etc/lvm/lvm.conf file, and enable the lvmetad daemon by configuring the lvm2-lvmetad init script.
dmsetup command now supports displaying block device names for any devices listed in the “deps”, “ls” and “info” command output. For the dmsetup “deps” and “ls” command, it is possible to switch among “devno” (major and minor number, the default and the original behavior), “devname” (mapping name for a device-mapper device, block device name otherwise) and “blkdevname” (always display a block device name). For the dmsetup “info” command, it is possible to use the new “blkdevname” and “blkdevs_used” fields.
/dev entries being created by udev. To solve this problem, the libdevmapper library together with the dmsetup command now supports encoding of udev-blacklisted characters by using the “\xNN” format where NN is the hex value of the character. This format is supported by udev. There are three “mangling” modes in which libdevmapper can operate: “none” (no mangling), “hex” (always mangle any blacklisted character) and “auto” (use detection and mangle only if not mangled yet). The default mode used is “auto”
and any libdevmapper user is affected unless this setting is changed by
the respective libdevmapper call. To support this feature, the dmsetup
command has a new --manglename <mangling_mode> option to define the name mangling mode used while processing device-mapper names. The dmsetup info -c -o command has new fields to display: “mangled_name” and “unmangled_name”. There is also a new dmsetup mangle
command that renames any existing device-mapper names to its correct
form automatically. It is strongly advised to issue this command after
an update to correct any existing device-mapper names.
lvextend
will cause the initial synchronization to be skipped. This can save
time and is acceptable if the user does not intend to read what they
have not written.
activation/read_only_volume_list,
makes it possible to activate particular volumes always in read-only
mode, regardless of the actual permissions on the volumes concerned.
This parameter overrides the --permission rw option stored in the metadata.
dmeventd would log redundant informative messages in the form “Another thread is handling an event. Waiting...”. This needlessly flooded system log files. This behavior has been fixed in this update.
-s or --snapshot option in the lvcreate man page.
~]$ lvconvert --type raid1 <VG>/<mirrored LV>
vgcfgrestore command.
mdadm --add command could fail
when adding to an array a device similar to a recent member of the
array. With this update, the code restricting device addition has been
corrected to only apply to members of recent arrays which have failed
and require manual assembly.
1.0. This happened because mdadm
occasionally failed to calculate the bitmap location correctly. With
this update, a write-intent bitmap can be added to such an MD array as
expected.
mdadm --monitor command terminated
unexpectedly after completing a resynchronization process due to buffer
overflowing. This happened when there were more than 40 mismatches
reported during the resync process as the respective buffer could hold
only 40 mismatch reports. With this update, the buffer has been enlarged
and can now hold up to 80 mismatch reports.
/etc/mdadm.conf file
excluded automatic startup of version 0.90 RAID arrays (however, if such
an array was needed on boot, dracut did start this array). The user
could add +0.90 to the AUTO line in the /etc/mdadm.conf file to have such RAID arrays come up on boot.
+0.90 to the AUTO line in /etc/mdadm.conf).
--oneshot/-1 option when running the mdadm --monitor --scan --oneshot
command or its short equivalent. Consequenlty, mdadm was monitoring the
respective device continuously. With this update, the underlying code
has been modified and the --oneshot option is applied as expected.
recover to idle. Consequently, the mdmon
daemon could detect this change, finish the rebuild process, and write
the metadata of the unfinished rebuild process to disks before the
restart. After restart, the RAID volume was in the Normal state in OROM and the rebuild seemed to be finished. However, the RAID volume was in the auto-read-only state, metadata was in the Dirty
state, and the data was inconsistent (out-of-sync). With this update,
the appropriate test has been added and, when mdmon now detects the
change of sync_action from recover to idle, it checks if the rebuild process has really finished.
--size max option has been added,
allowing the administrator of an IMSM array to enlarge the last volume
in the array to take up the remaining space in the array.
CMake Error at docs/api/cmake_install.cmake:31 (FILE): file INSTALL cannot find file "/usr/src/redhat/BUILD/qpid-cpp-0.12/build/docs/api/html" to install.
SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
extend directive (in /etc/snmp/snmpd.conf) could use this flaw to crash snmpd via a crafted SNMP GET request.
snmpd terminating unexpectedly when an AgentX
subagent disconnected while processing a request. This fix, however,
introduced a memory leak. With this update, this memory leak is fixed.
OIDs (object identifiers). With this update, conversion of interface indexes is fixed and BRIDGE-MIB reports correct ifIndex OIDs.
snmpd erroneously enabled verbose logging when parsing the proxy option in the snmpd.conf file. Consequently, unexpected debug messages were sometimes written to the system log. With this update, snmpd no longer modifies logging settings when parsing the proxy option. As a result, no debug messages are sent to the system log unless explicitly enabled by the system administrator.
snmpd daemon strictly implemented RFC 2780. However, this specification no longer scales well with modern big storage devices with small allocation units. Consequently, snmpd reported a wrong value for the “HOST-RESOURCES-MIB::hrStorageSize” object when working with a large file system (larger than 16TB), because the accurate value did not fit into Integer32 as specified in the RFC. To address this problem, this update adds a new option to the /etc/snmp/snmpd.conf configuration file, “realStorageUnits”. By changing the value of this option to 0, users can now enable recalculation of all values in “hrStorageTable” to ensure that the multiplication of “hrStorageSize” and “hrStorageAllocationUnits” always produces an accurate device size. The values of “hrStorageAllocationUnits” are then artificial in this case and no longer represent the real size of the allocation unit on the storage device.
snmpd properly recognizes VxFS, ReiserFS, and OCFS2 devices and reports them in “HOST-RESOURCES-MIB::hrStorageTable”.
register() method in the “NetSNMP::agent” module and terminated unexpectedly when this method failed. With this update, the register() method has been fixed and the updated Perl modules no longer crash on failure.
snmpd) did not
properly fill a set of watched socket file descriptors. Therefore, the
daemon sometimes terminated unexpectedly with the “select: bad file descriptor” error message when more than 32 AgentX subagents connected to snmpd on 32-bit platforms or more than 64 subagents on 64-bit platforms. With this update, snmpd properly clears sets of watched file descriptors and no longer crashes when handling a large number of subagents.
snmpd erroneously checked the length of “SNMP-TARGET-MIB::snmpTargetAddrRowStatus” value in incoming “SNMP-SET” requests on 64-bit platforms. Consequently, snmpd sent an incorrect reply to the “SNMP-SET” request. With this update, the check of “SNMP-TARGET-MIB::snmpTargetAddrRowStatus” is fixed and it is possible to set it remotely using “SNMP-SET” messages.
snmpd did not check the permissions of its MIB index files stored in the /var/lib/net-snmp/mib_indexes
directory and assumed it could read them. If the read access was
denied, for example due to incorrect SELinux contexts on these files, snmpd crashed. With this update, snmpd checks if its MIB index files were correctly opened and does not crash if they cannot be opened.
OID parameter of “sysObjectID” (an snmpd.conf config file option) was not correctly stored in snmpd, which resulted in “SNMPv2-MIB::sysObjectID” being truncated if the OID had more than 10 components. In this update, handling of the OID length is fixed and “SNMPv2-MIB::sysObjectID” is returned correctly.
snmpd was started and did not find a network interface which had been present during the last snmpd shutdown, the following error message was logged:
snmpd: error finding row index in _ifXTable_container_row_restore snmpd, enumerated active TCP connections for “TCP-MIB::tcpConnectionTable” in an inefficient way with O(n^2) complexity. With many TCP connections, an SNMP client could time out before snmpd processed a request regarding the “tcpConnectionTable”, and sent a response. This update improves the enumeration mechanism and snmpd now swiftly responds to SNMP requests in the “tcpConnectionTable”.
OID) was out of the subtree registered by the proxy statement in the /etc/snmp/snmpd.conf configuration file, the previous version of the snmpd daemon failed to use a correct OID of proxied “GETNEXT” requests. With this update, snmpd now adjusts the OIDs of proxied “GETNEXT” requests correctly and sends correct requests to the remote agent as expected.
/var/lib/net-snmp directory to store persistent data, for example the cache of parsed MIB files. This directory is created by the net-snmp
package and when this package is not installed, Net-SNMP utilities and
libraries create the directory with the wrong SELinux context, which
results in an Access Vector Cache (AVC) error reported by SELinux. In
this update, the /var/lib/net-snmp directory is created by the net-snmp-lib
package, therefore all Net-SNMP utilities and libraries do not need to
create the directory and the directory will have the correct SELinux
context.
snmpd and snmptrapd daemons will be restarted automatically.
WWAN), and PPPoE devices, and provides VPN integration with a variety of different VPN services.
DHCP
transaction timeout of 45 seconds without the possibility of
configuring a different value. Consequently, in certain cases
NetworkManager failed to obtain a network address. NetworkManager has
been extended to read the timeout parameter from a DHCP configuration
file and use that instead of the default value. As a result,
NetworkManager will wait to obtain an address for the duration of the
DHCP transaction period as specified in the DHCP client configuration
file.
/var/log/messages
file. An upstream patch has been applied to prevent NetworkManager from
trying to initialize the user settings proxy if the user settings
service does not exist. As a result, warning messages are no longer
generated in the scenario described.
/var/log/messages log file when changing the hostname. An upstream patch has been applied to the nm-dispatcher script and NetworkManager no longer generates unnecessary warnings during a hostname change.
EAP-FAST authentication for WPA2 Enterprise
wireless networks, which made it unusable in some wireless
environments. NetworkManager has been enhanced to handle EAP-FAST
authentication.
IP-over-InfiniBand interfaces, which prevented installation in some situations. These interfaces are now recognized.
VLAN and bonding interfaces were not supported by NetworkManager
and required special configuration to ensure NetworkManager did not
interfere with their operation. NetworkManager now recognizes and can
configure VLAN and bonding interfaces but only if the NM_BOND_VLAN_ENABLED key is set to yes in /etc/sysconfig/network. The default is that this option is set to no.
Wi-Fi networks, and a user tried to create a network using nm-applet, the setup silently failed. With this update, nm-applet now issues a notification providing the reason for the failure.
VPN connection, the connection editor displayed an insensitive
button without giving any indication of the cause. This update adds a
tooltip to the button informing the user that editing a VPN connection
is disabled due to missing VPN plug-ins.
pkcs11n.h:365:26: warning: "__GNUC_MINOR" is not defined
echo "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config
next payload type of ISAKMP Identification Payload has an unknown value:
sha2_truncbug parameter is set to yes, Openswan now passes the correct key length to the kernel, which ensures interoperability between older and newer kernels.
ERROR: apc-fencing: required parameter port not defined
WARNING: apc-fencing: action start not advertised in meta-data, it may not be supported by the RA WARNING: apc-fencing: action stop not advertised in meta-data, it may not be supported by the RA
ERROR:pam_pkcs11.c:224: Remote login (from localhost:13.0) is not (yet) supported
Can't locate ExtUtils/MakeMaker.pm in @INC
Partitions required for raid
Network error. Please check the connection details, or see /var/log/rhsm/rhsm.log for more information.
Error changing VM configuration: 'NoneType' object is not callable
RuntimeError: dictionary changed size during iteration
Error adding device: An error occurred, but the cause is unknown
AttributeError: 'NoneType' object has no attribute 'replace'
qemu-img: error while reading from new backing fileWith this update, backing files are handled correctly, and the "qemu-img rebase" command succeeds even if a backing file is smaller than the rebased image.
/dev/ipath*
files were not permissive enough for normal users to access.
Consequently, when a normal user attempted to run a Message Passing
Interface (MPI) application using the Performance Scaled Messaging (PSM)
Byte Transfer Layer (BTL), it failed due to the inability to open files
starting with /dev/ipath. This update makes sure that the files starting with /dev/ipath
have the correct permissions to be opened in read-write mode by normal
users. As a result, attempts to run an MPI application using the PSM BTL
succeed.
subnet_prefix
option on the command line. Consequently, in order to have two
instances of OpenSM running on two different fabrics at the same time
and on the same machine, the sysadmin had to edit two different opensm.conf
files and specify the subnet_prefix separately in each file in order to
have different prefixes on the different subnets. With this update,
OpenSM accepts a subnet_prefix option and the OpenSM init script now
starts OpenSM using this option when it is being started on multiple
fabrics. As a result, a sysadmin is no longer required to hand edit
multiple opensm.conf files to create otherwise identical configurations that only vary by which fabric they are managing.
cannot transition QP to RTR stateThis updated kernel stack provides a fix for the libibverbs based RoCE QP creation and now users can properly create QPs whether they use libibverbs or librdmacm as the connection initiation method.
TCP
ports that openmpi used they could not do so. This update to a later
upstream version that does not have this problem allows users to now
limit which TCP ports openmpi attempts to use.
libmlx4.conf
modprobe configuration, usage of modprobe could result in an infinite
loop of modprobe processes. If the bug was encountered, the processes
would continually fork until there were no processes able to run and the
system would become unresponsive. This update improves the code and as a
result an incorrect configuration of options in /etc/modprobe.d/libmlx4.conf no longer results in a system that is unresponsive and that requires a hard reboot in order to be restored to proper operation.
PF_RDS
in its source code that did not match the officially assigned value for
PF_RDS and so qperf would compile with the wrong PF_RDS constant.
Consequently, when it was run it would mistakenly think RDS (Reliable
Datagram Service) was not supported on the machine even when it was and
would refuse to run any RDS tests. This update removes the PF_RDS
constant from the qperf source code so that it will pick up the correct
constant from the system header files. As a result, qperf now properly
runs RDS performance tests.
chkconfig --list
command would not show the srpd service at all and the service could
not be enabled. The srptools RPM now properly adds the srpd init script
to the list of available services (it is disabled by default). Users can
now see the srpd service using chkconfig --list and can enable the srpd
service with the chkconfig --level 345 srpd on command.
SSLCertificateVerifyFailedError exception was raised and a traceback was written to the /var/log/up2date
file. This update corrects the exception handling mechanism to ensure
that a proper error message is displayed in this scenario.
rhn_register
utility did not associate the guest with the virtual host. Consequent
to this, the virtual host appeared to have no virtual guests. This
update ensures that rhn_register correctly pairs the guest with the managed virtual host.
rhn-channel utility failed with both a traceback and an error message. With this update, the utility now displays only the error message.
rhnreg_ks
utility with a relative path to the SSL certificate caused it to store
this relative path in the configuration file. Consequently, an attempt
to run any other utility that uses this configuration file from a
different directory rendered such a utility unable to open the
certificate. This update adapts rhnreg_ks to store an absolute path.
rhnreg_ks and rhn_register tools now notify Red Hat Subscription Manager over D-Bus.
rhn_register utility reported an error at the very end of the registration process. This update adapts rhn_register to report invalid credentials immediately.
/etc/yum/pluginconf.d/rhnplugin.conf configuration file, a subsequent update of the yum-rhn-plugin package re-enabled this channel. This update ensures that such configuration changes are persistent.
rhn-setup utility on a system without the newt-python package installed could fail with an ImportError. This update adds newt-python as a dependency of the rhn-client-tools package.
rhn_check utility could incorrectly report an attempt to update already updated packages as failed. To prevent this, yum-rhn-plugin
has been adapted to ensure that packages that are already updated are
properly removed from the list of packages that are scheduled for an
update.
rhn_check utility no longer displays debugging messages without a space after the do_call keyword.
Inflate (token) returned -5
IPv6
address. Consequently, an IPv6 address written in capital letters was
not deleted. Thus update makes the IPv6 search case insensitive and the
problem no longer occurs.
mmap
function on the whole disk. This can fail for very large disks or if
the virtual memory is limited. This update adds a fallback to the pread and pwrite commands in case the mmap system call fails.
NONROUTER and PRIROUTER
option for layer-3 VSWITCHes but not plain IP VSWITCH configurations.
Therefore the layer 3 address for a network interface (NIC) was not
detected automatically for virtual NICs connected to plain IP VSWITCHes
and the virtual NIC was treated as a layer-2 device. Consequently,
configuring a virtual NIC using the znetconf tool failed. With this update, the IP option is interpreted as a layer-3 indicator and configuring a virtual NIC using znetconf works as expected.
IPv6 support to the qetharp tool has been added. This enhancement adds IPv6 support to the qetharp tool for inspection and modification of the ARP cache of Open Systems Adapter (OSA) cards or HiperSockets (real and virtual) operated in layer-3 mode.
NT_STATUS_NONE_MAPPED
sshd init script tried to regenerate new keys during the sshd service startup and the ssh-keygen command failed to write public keys because of an incorrect SELinux security context for the ssh_host_rsa_key.pub file. The security context has been updated and now the sshd service can start up correctly.
rndc service from reading the /proc/loadavg file. This update provides updated SELinux rules that allow rndc to read the /proc/loadavg file.
unconfined_t domain) ran the ssh-keygen utility, the SELinux policy did not allow ssh-keygen to create a key outside of the ~/.ssh
directory. This update adapts the relevant SELinux policy to make sure a
key can be created by a non-root user in the described scenario.
selinux_avcstat
Munin plug-in, this caused Access Vector Cache (AVC) messages to be
written to the audit log. With this update, a new SELinux policy has
been provided for selinux_avcstat to fix this bug.
openswan utility to use the labeled IPsec protocol. This update provides updated SELinux rules and allows openswan to label IPsec as expected.
nagios event
handlers were not supported by any SELinux policy, which broke their
functionality. With this update, this support has been added to SELinux
policy and nagios event handlers now work correctly with SELinux.
google-chrome program was unable to execute the nacl_helper_bootstrap command. This update provides an updated SELinux security context and rules that allow google-chrome to execute nacl_helper_bootstrap.
newrole or sudo command together with the sssd service configured, when the user was logged in the wuth custom MLS range. This update fixes the relevant SELinux policy to allow users to use this configuration.
mail program as root with the unconfined.pp
policy module disabled resulted in a permission to be denied and an AVC
message to be generated. This update fixes relevant SELinux policy
rules to allow the mail program to run properly in the described scenario.
subscription-manager service from reading the /proc/2038/net/psched file. This update provides updated SELinux rules that allow subscription-manager to read that file.
pyzor application was denied the permission to write to the ABRT socket file. Consequently, an AVC message was reported. This update corrects the SELinux policy to grant pyzor the necessary permission in the described scenario.
smbcontrol
program was unable to send a signal to itself. Consequently, AVC
messages were written to the audit log. This update fixes the relevant
policy to support this operation.
gridengine mpi jobs were not started correctly. A new policy for these jobs has been provided and gridengine mpi jobs now work as expected.
cron jobs were set to run in the cronjob_t domain when the SELinux MLS policy was enabled. As a consequence, users could not run their cron jobs. The relevant policy rules have been modified and user cron jobs now run in the user domain, thus fixing this bug.
libvirt commands, such as virsh iface-start or virsh iface-destroy,
with SELinux in Enforcing mode and NetworkManager enabled, the commands
took an excessive amount of time to finish successfully. With this
update, the relevant policy has been added and libvirt commands now work as expected.
auditd daemon was listening on port 60, the SELinux Multi-Level Security (MLS) policy prevented auditd
from sending audit events to itself from the same system if it was also
running on port 61. This update fixes the relevant policy and this
configuration now works as expected.
audisp-remote plug-in.
rsyslogd daemon was unable to start because it was not previously allowed to run the setsched operation using the Transport Layer Security (TLS) protocol. This update corrects the relevant SELinux policy and rsyslogd now starts as expected.
ssh-keygen
utility could not access various applications and thus could not be
used to generate SSH keys for such applications. With this update, the ssh_keygen_t SELinux domain type has been implemented as unconfined, which ensures the ssh-keygen utility works correctly.
ssh-keygen utility was not able to read from and write to the /var/lib/condor/
directory. Consequently, with SELinux in Enforcing mode, an OpenMPI job
submitted to the parallel universe environment failed to generate SSH
keys. With this update, a new SELinux policy has been provided for the /var/lib/condor/ directory, which allows ssh-keygen to access this directory as expected.
/var/www/vweb1/logs/ directory was labeled as httpd_log_t, which blocked access to parts of additional web space. With this update, the httpd_log_t security context has been removed for this directory, thus fixing this bug.
httpd service could not read Git files with the git_system_content_t security label. This update corrects the relevant SELinux policy rules to allow httpd to read these Git files.
quotacheck -c /user/home/directory command was used. This update provides updated SELinux rules that allow to properly set up quotas in the described scenario.
sanlock daemon from searching NFS directories. This update provides the sanlock_use_nfs boolean variable to fix this bug.
spamc_exec_t and razor_exec_t files were alias files, thus referencing the same context. Consequently, the restorecon utility reported these mislabeled files as related to the razor application. With this update, the razor.pp policy file has been removed and restorecon no longer reports these mislabeled files.
keyctl_join_session_keyring() and keyctl_setperm() functions to connect to the kernel keyring and store passwords securely while the sssd daemon was running, it was permitted by SELinux. This update fixes the relevant SELinux policy rules to allow the SSSD sys_admin capability to process these operations properly.
qpidd service from starting. This update provides updated SELinux rules, which allow qpidd to be started correctly.
/var/spool/postfix/deferred
directory, the Postfix email server terminated. This update provides
updated SELinux rules to allows Postfix to run as expected.
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.24, searching for an older version. SELinux: Could not open policy file -- /etc/selinux/targeted/policy/policy.24: No such file or directory load_policy: Can't load policy: No such file or directory
ssh-keygen
utility was unable to write to NFS home directories due to missing
SELinux policy rules. This update provides updated SELinux rules that
allow ssh-keygen to write to NFS home directories using the use_nfs_home_dirs boolean variable.
check_disk
Munin plug-in on a remote system via NRPE (Nagios Remote Plugin
Executor), the permission was denied and an AVC message was generated.
This update fixes relevant SELinux policy rules to allow check_disk to read the /sys/ directory, thus fixing this bug.
ipa_memcached service was missing. Consequently, ipa_memcached did not work correctly with SELinux in Enforcing mode. This update adds support for ipa_memcached, thus fixing this bug.
sysadm_t SELinux domain was not able to run the rpm command. This update provides updated SELinux rules to allow administrators to run rpm in the described scenario.
/var/lib/
directory. Consequently, these plug-ins could not work correctly. This
update provides updated SELinux rules, which allow these plug-ins to
access /var/lib/ and work as expected.
snmpd service to connect
through the AgentX (Agent Extensibility) protocol. This bug has been
fixed and the updated SELinux policy rules now allow to run custom
cluster MIB implemantions.
httpd service was unable to access link files in the /var/lib/zarafa/
directory, which caused various problems for the Zarafa groupware with
DRBD (Distributed Replicated Block Device) support. This update provides
updated SELinux rules and allows httpd to access the directory and Zarafa now works as expected.
ssh-keygen utility was unable to access the /var/lib/condor/ directory. This update provides a new SELinux policy for /var/lib/condor/, which allows ssh-keygen to read from and write to this directory, thus fixing this bug.
tgtd service resulted in SELinux AVC denial messages being returned when tgtd was not able to read the abi_version value. This update fixes the relevant SELinux policy rules to allow tgtd to read abi_version.
google-chrome application was not able to write to this home directroy. With this update, the use_nfs_home_dirs variable has been fixed and google-chrome can now write to the NFS home directory in the described scenario.
qpidd service from connecting to the AMQP (Advanced Message Queuing Protocol) port when the qpidd daemon was configured with Corosync clustering. This update provides updated SELinux rules, which allow qpidd to be started correctly.
dirsrv utility executed the modutil -dbdir /etc/dirsrv/slapd-instname -fips command to enable FIPS mode in an NSS (Network Security Service) key/certificate database. This happened because the NSS_Initialize() function attempted to use pre-link with the dirsrv_t
context. With this update, the pre-link is allowed to re-label its own
temporary files under these circumstances and the problem no longer
occurs.
dirsrv service failed to start properly due to this issue. This update provides an updated SELinux context for the /var/run/slapd.* socket and these services can be started as expected now.
CAP_SYS_RESOURCE
privilege, which is needed to request a higher open file-descriptor
limit. With this update, a new SELinux policy rule has been added to
allow the CAP_SYS_RESOURCE capability for the SSSD service.
chsh utility did not work on servers that authenticated with Kerberos. SELinux prevented chsh from accessing certain files and directories. Now, updated SELinux rules have been provided to allow chsh to work properly in the described scenario.
nfsclock service produced an AVC denial message then reported to the /var/log/audit/audit.log log file. Updated SELinux policy rules have been provided, which allow the rpc.statd binary to execute the sm-notify binary, and restarting nfsclock now works properly.
/usr/bin/R utility in user home directories, an incorrect SELinux context type of user_home_dir_t was returned, rather than the expected user_home_t context. This update fixes the relevant SELinux policy rules to allow /usr/bin/R to create directories in user home directories with correct labeling.
xfstest
utility on this partition failed because write operations were denied
on this partition. With this update, appropriate SELinux policy rules
have been provided and write operations are now allowed to such
partitions in the described scenario.
/etc/selinux/targeted/seusers file. Now, the selinux-policy.spec file has been modified to store its users' information separately and selinux-policy-minimum can be installed properly.
~/Maildir/ set up. To fix this bug, a new SELinux context has been provided for the /root/Maildir/ directory.
rpc.rquotad: Cannot open quotafile aquota.user and the associated AVC.
internal-sftp subsystem configured, users with the unconfined_t SELinux type were unable to connect using the sftp utility. This update fixes the SELinux policy to allow users to utilize sftp successfully in the described scenario.
nfs_export_* booleans values being removed from Red Hat Enterprise Linux 6.3, users could not export subdirectories under the /tmp/
directory and the mounting operations to such directories also failed.
With this update, appropriate rules have been provided to allow users to
perform these actions in the described scenario.
cgconfig service could not be started if an NIS (Network Information Service) user was specified in the /etc/cgconfig file. This update fixes the relevant SELinux policy rules and allow cgconfig to use NIS properly.
sieve script was not working
correctly with SELinux in Enforcing mode. This update provides
appropriate SELinux policy rules to allow the sieve script to work correctly in the described scenario.
heartbeat service could not be started correctly. New SELinux policy rules have been provided to allow heartbeat to execute the /usr/lib64/heartbeat/plugins/InterfaceMgr/generic.so binary, thus fixing this bug.
service libvirt-qmf restart command caused AVC denial messages to be logged to the /var/log/audit/audit.log file. This update fixes the relevant SELinux policy rules and the command no longer produces AVC messages.
package-cleanup utility did not work properly when called from a cron job. To fix this bug, the /usr/bin/package-cleanup binary has been labeled with the rpm_exec_t SELinux policy label and package-cleanup now works as expected in the described scenario.
system-config-kdump utlity did not work properly with SELinux enabled. To fix this bug, the /etc/zipl.conf file has been labeled with the boot_t SELinux security label.
telnet or ssh works correctly under SELinux, some agents use SNMP. However, the snmpwalk, snmpget, and snmpset
utilities did not work due to an incorrect SELinux policy. SELinux
policy rules have been updated to allow SNMP utilities running with the fenced_t security type to be able to create files under the /var/lib/net-snmp/ directory, thus fixing this bug.
sysadm_r SELinux role could not create a cron job for another user. This bug has been fixed and the sysadm_r SELinux role now belongs among cron admin roles, thus fixing this bug.
cfengine service has been added to make the system management work while using cfengine.
quota-nld service.
flash plug-in. Previously, the plugin-container processes of this plug-in were running as unconfined.
matahari-qmf-sysconfigd and matahari-qmf-sysconfig-consoled services.
allow_nfsd_anon_write nfs_export_all_rw nfs_export_all_ro
secadm_r, sysadm_r and auditadm_r SELinux roles related to certain operations with log files. This update introduces the new sysadm_secadm.pp SELinux module to provide the role separation.
sysadm_secadm.pp module is disabled, sysadm_r is unable to modify security files in the /var/log/ directory, which only secadm_r can do. The basic separation of the roles is as follows:
auditadm_r role is able to modify the /var/log/audit.log log file.
secadm_r role is able to modify various SELinux properties as well as files in the /var/log/ directory with necessary level. Users of this role can also change a level or a SELinux state, or can load a new module.
sysadm_r role (with sysadm_secadm disabled) is able to modify all non-security files because sysadm_r is based on the userdom_admin_user_template() function, which contains the following directives:
files_manage_non_security_dirs($1_t) files_manage_non_security_files($1_t)
/var/log/audit/audit.log, the auditd daemon configuration files, or change a level or a SELinux state.
rsync utility could not access files in either NFS or CIFS home directories. The new rsync_use_nfs boolean value has been provided to provide support for both file systems.
privsep parent process always ran in the sshd_t domain. Consequently, the sshd_t
domain had to be relaxed more than necessary for user SSH processes.
This update introduces new SELinux policy rules to support permission
separation for user SSH processes, each of which now runs in user
context as expected.
matahari-qmf-rpcd service.
man httpd_selinux man staff_selinux
ssh_to_job for VM/Java/Sched/Local universe.
libvirt-qmf service.
lvmetad daemon.
ZFS file system.
/root/anaconda-ks.cfg),
but did not remove the root user's password from it before adding the
file to the resulting archive of debugging information. An attacker able
to access the archive could possibly use this flaw to obtain the root
user's password. /root/anaconda-ks.cfg usually only contains a hash of the password, not the plain text password.
/root/anaconda-ks.cfg file is created by all installation types.
/proc/net/
directory was specified incorrectly in SOS code. As a consequence,
information necessary to debug certain bonding configurations from this
directory was not available in the resulting archive. This update
corrects the SOS networking module and ensures correct specification of
the /proc/net/ directory. As a result, generated sosreport tarballs contain the expected set of /proc/net/ files.
sosreport utility
failed to collect log files from Red Hat Network (RHN) Proxy Server
installations. The problem was caused by an outdated package
specification, which did not match the current package naming
conventions. Consequently, logs that are sometimes required for RHN
Proxy Server problem diagnostics were not collected automatically. This
update corrects the package specification to match the current package
naming conventions. As a result, RHN Proxy Server logs are collected
correctly.
brctl command (used for Ethernet bridge configuration) was parsed incorrectly and caused sosreport to log errors. As a consequence, the sosreport
command emitted a Python backtrace and certain bridge configuration
information could not be collected. This update corrects the parsing of
the brctl command output. As a result, no backtrace is emitted and all bridge configuration data is collected.
sosreport
was limited due to changes to the logging subsystem introduced in SOS
version 2.0. Consequently, very limited debug log information was
collected as of that version of SOS. This update enhances the log
subsystem and re-enables all previously disabled log messages. As a
result, verbose log messages are now produced and recorded when
requested via command-line options.
sosreport did not
correctly handle targets of symbolic links when copying files and
directories into reports. Consequently, links in the report directory
structure could have invalid targets. This update fixes the library
routines dealing with file copying. The fix ensures that symbolic link
targets are always copied when a requested path contains a symbolic
link. As a result, sosreport handles symbolic link targets correctly and symbolic links in the report directory structure are always valid.
/var/log/mcelog
file. As a consequence, important information on the state of system
hardware and previous hardware errors was sometimes missing in SOS
reports. This update extends the SOS hardware module so that the MCE
logs are collected when present in the /var/log/mcelog file. As a result, MCE log data is available in generated SOS reports.
libvirtd.log file may be located in a different directory. Consequently, the libvirtd.log file was not collected on such systems. This update modifies sosreport so that it uses a wildcard matching both possible locations of the file. As a result, the libvirtd.log file is now collected on all supported releases.
sosreport discarded
program output from stderr (standard error stream). As a consequence,
program warnings, diagnostics, and other messages were not included in
reports generated by sosreport. This update modifies the way in which sosreport
executes external programs. As a consequence, both stderr and stdout
(standard output stream) messages returned by executed external programs
are now included in reports generated by sosreport.
GlusterFS file system. As a consequence, running sosreport on a system where gluster
packages were installed did not collect any Gluster-specific
information from the system. This update adds a new plug-in that is
necessary to collect the requisite logs for the Gluster product. As a
result, information is collected from files located in the /etc/glusterd/ and /var/log/glusterfs/
directories. Several sets of command output are also collected to
record the current state of the Gluster subsystem in the resulting
report.
ldap_sasl_minssf option has been
added to the configuration of SSSD. This option can be used to specify
the minimal level of encryption SSSD (or rather, the LDAP library used
by SSSD) should use when communicating with a server.
ldap_chpass_update_last_change,
has been added to SSSD configuration. If this option is enabled, SSSD
attempts to change the shadowLastChange LDAP attribute to the current
time. Note that this is only related to a case when the LDAP password
policy is used (usually taken care of by LDAP server), that is, the LDAP
extended operation is used to change the password. Also note that the
attribute has to be writable by the user who is changing the password.
entry_cache_user_timeout entry_cache_group_timeout entry_cache_netgroup_timeout entry_cache_service_timeout
debug_level option in the "/etc/sssd/sssd.conf" file. For more information, refer to the Red Hat Enterprise Linux 6.3 Release Notes.
ldap_disable_paging has been added to SSSD, which allows the user to disable paging control on such servers manually.
pam_check_host_attr, users can now set the ldap_access_order = host and ldap_user_authorized_host options to enable access-control based on the presence of this attribute in LDAP.
ipa_hbac_support_srchost option to true.
override_homedir option that allows the user to define a per-client override values for the home directory attribute.
According to TLD or attribute directive in tag file, attribute value does not accept any expressions
Disk /dev/mapper/[volume name] doesn't contain a valid partition table
/var/lib/virt-v2v/ directory did not contain any files other than virt-v2v.db, the conversion failed with an error message similar to:
/transfer0w34SV: umount: /sysroot/transfer0w34SV: not mounted at /usr/share/perl5/vendor_perl/Sys/VirtConvert/GuestfsHandle.pm line 193. at /usr/share/perl5/vendor_perl/Sys/VirtConvert/Config.pm line 262The underlying source code has been modified to correctly handle situations when there is no software available locally for installation into a guest during conversion, and so ensures that the conversion succeeds.
/dev/xvdX devices in the fstab or GRUB device map file, the /dev/xvdX
devices in these files were not updated. With this update, the virt-v2v
and virt-p2v utilities now look in the Xen HVM guest configuration
files during the conversion process for devices named /dev/xvdX as well as /dev/hdX. Both are treated as identical and either is converted to /dev/vdX.
References to Xen paravirtualized block devices in fstab and device map
of Xen HVM guest are now correctly updated during the conversion.
--vmtype, which forces the conversion process to mark the newly created Red Hat Enterprise Virtualization virtual machine as either Desktop or Server. If --vmtype is omitted, virt-v2v attempts to determine the correct type.
virt-v2v.conf file. All the dependencies of "user-custom" are installed during the conversion process.
SPICE protocol.
--attach, or -a, option. With this update, the virt-viewer manual page explains that libvirt can be used to directly attach virt-viewer to a local display instead of making a TCP/UNIX socket connection when using one of the aforementioned options.
Unable to authenticate with remote desktop server at localhost:5900: Unable to collect credentials.Retry connection again?The underlying source code has been modified to ensure correct signal handling. Now, if virt-viewer receives a signal about a session being canceled, virt-viewer is disconnected and exits without error messages, as expected.
[ and ],
around the host component. It was thus not possible to connect to a
remote libvirt server whose URI address contained raw IPv6 addresses
(for example qemu+ssh://root@[2001::xxxx:1]/system).
With this update, the URI parsing has been fixed to take account of the
IPv6 address syntax, so it is now possible to connect to remote libvirt
servers using raw IPv6 addresses.
Segmentation fault (core dumped)The underlying source code has been modified to prevent the race condition from occurring, and virt-viewer now exits gracefully, without error messages.
GtkWindow object was not freed. This update modifies virt-viewer ensure that windows are closed when a display closes.
Current allocation mode is local Last OS error: 2 GPL Ghostscript 8.70: Unrecoverable error, exit code 1 EPS object read OK, but no preview bitmap found/generated
warning: dereferencing type-punned pointer will break strict-aliasing rules
Could not switch the monitor configuration Could not set the configuration for CRT63
_init__.py:2000:downloadPkgs:UnicodeEncodeError: 'ascii' codec can't encode character
| Revision History | ||||
|---|---|---|---|---|
| Revision 1-1 | Wed Jun 20 2012 | |||
| ||||
| Revision 1-0 | Tue April 24 2012 | |||
| ||||