Edition 2
1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
/etc/modprobe.d/dist-nfsv41.conf file with the following line and reboot the system:
alias nfs-layouttype4-1 nfs_layout_nfsv41_files
-o minorversion=1 mount option is specified, and the server is pNFS-enabled, the pNFS client code is automatically enabled.
fsfreeze(8) man page.
O_DIRECT I/O. These applications may use the raw block device, or the XFS file system in O_DIRECT
mode. (XFS is the only file system that does not fall back to buffered
I/O when doing certain allocation operations.) Only applications
designed for use with O_DIRECT I/O and DIF/DIX hardware should enable this feature.
/etc/cluster.conf configuration file to be used by pacemaker, rgmanager must be disabled. The risk of not doing this is high; after a successful conversion, it would be possible to start rgmanager and pacemaker on the same host, managing the same resources.
<rm disabled="1"> flag in /etc/cluster.conf.
<rm disabled="1"> flag appears in /etc/cluster.conf during a reconfiguration.
be2net driver is considered a Technology Preview in Red Hat Enterprise Linux 6.
dcbtool(8) and targetadmin(8) man pages.
audit subsystem in the Linux 2.6 kernel. Within the audispd-plugins
subpackage is a utility that allows for the transmission of audit
events to a remote aggregating machine. This remote audit logging
application, audisp-remote, is considered a Technology Preview in Red Hat Enterprise Linux 6.
fence_ipmilan
agent. This new Technology Preview is used to force a kernel dump of a
host if the host is configured to do so. Note that this feature is not a
substitute for the off operation in a production cluster.
fsck) or replay journal entries, which is similar to booting after pulling the power cord.
anaconda component, BZ#676025Skip Boot Loader Configuration
during the installation process. Boot loader configuration will need to
be completed manually after installation. This problem does not affect
users running Anaconda in the graphical mode (graphical mode also
includes VNC connectivity mode).
anaconda componentanaconda component/boot volume on an encrypted volume.
anaconda componentsdc instead of sda).
kernel componentinstall system with basic video driver installation option. A future Red Hat Enterprise Linux 6.2.z Extended Update Support update will remove this requirement.
kernel component em1 is used instead of eth0
on new Dell machines). However, the previously used network interface
names are preserved on the system and the upgraded system will still use
the previously used interfaces. This is not the case for Yum upgrades.
anaconda component kdump default on feature currently depends on Anaconda to insert the crashkernel= parameter to the kernel parameter list in the boot loader's configuration file.
firstaidkit componentanaconda component, BZ#623261 clearpart --initlabel kickstart command. Adding the --all switch—as in clearpart --initlabel --all—ensures disks are cleared correctly.
squashfs-tools componentattempt to access beyond end of device loop0: rw=0, want=248626, limit=248624
sys.log. These
errors do not prevent installation and only occur during the initial
setup. The file system created by the installer will function correctly.
anaconda componentyaboot component, BZ#613929 anaconda componentsystem-config-kickstart componentdracut component /etc/fcoe/ using biosdevname (new style interface naming scheme) for all the available Ethernet interfaces for FCoE BFS. However, it does not add the ifname
kernel command line for the FCoE interface that stays offline after
discovering FCoE targets during installation. Because of this, during
subsequent reboots, the system tries to find the old style ethX
interface name in the /etc/fcoe directory, which does not match with the file created by Anaconda using biosdevname. Therefore, due to the missing FCoE configuration file, an FCoE interface is never created on the Ethernet interface.
ifname=<biosdevname_interface_name>:<mac_address>
subscription manager componentcpuspeed component, BZ#626893 /proc/cpuinfo or /sys/device/system/cpu/*/cpufreq.
This is due to the firmware manipulating the CPU frequency without
providing any notification to the operating system. To avoid this ensure
that the HP Power Regulator option in the BIOS is set to OS Control. An alternative available on more recent systems is to set Collaborative Power Control to Enabled.
releng component, BZ#644778 releng componentgrub component, BZ#695951BOOTX64 rather than bootx64 to boot the installer due to case sensitivity issues.
grub component, BZ#698708 parted componentPackageKit componentovirt-node component, BZ#747102 kernel componentlibvirtd
service, which enables IP forwarding. The service causes a driver reset
on both Ethernet ports which causes a loss of all paths to an OS disk.
Under this condition, the system cannot load firmware files from the OS
disk to initialize Ethernet ports, eventually never recovers paths to
the OS disk, and fails to boot from SAN. To work around this issue add
the bnx2x.disable_tpa=1 option to the kernel
command line of the GRUB menu, or do not install virtualization related
software and manually enable IP forwarding when needed.
kernel componentnosmep kernel command line option.
vdsm component/root/.ssh directory is
missing from a host when it is added to a Red Hat Enterprise
Virtualization Manager data center, the directory is created with a
wrong SELinux context, and SSH'ing into the host is denied. To work
around this issue, manually create the /root/.ssh directory with the correct SELinux context:
~]#mkdir /root/.ssh~]#chmod 0700 /root/.ssh~]#restorecon /root/.ssh
vdsm componentlibvirt component/etc/libvirt/qemu.conf file, set the relaxed_acs_check = 1 parameter, and restart libvirtd (service libvirtd restart). Note that this action will re-open possible security issues.
virtio-win component, BZ#615928 libvirt component, BZ#622649 service libvirt reload command to restore libvirt's additional iptables rules.
virtio-win component, BZ#612801 qemu-kvm component, BZ#720597qemu-kvm component, BZ#612788 virt-v2v component/etc/virt-v2v.conf and /var/lib/virt-v2v/virt-v2v.db.
The former now contains only local customizations, whereas the latter
contains generic configuration which is not intended to be customized.
Prior to Red Hat Enterprise Linux 6.2, virt-v2v's -f flag defaulted to /etc/virt-v2v.conf. In Red Hat Enterprise Linux 6.2, it now defaults to both /etc/virt-v2v.conf and /var/lib/virt-v2v/virt-v2v.db. Data from both of these files is required during conversion.
/etc/virt-v2v.conf will not be updated. If a user explicitly specifies -f /etc/virt-v2v.conf on the command line, the behavior will be identical to the one prior to update. If the user does not specify the -f command line option, the configuration will use both /etc/virt-v2v.conf and /var/lib/virt-v2v/virt-v2v.db, with the former taking precedence.
/etc/virt-v2v.conf. If the user explicitly specifies -f /etc/virt-v2v.conf on the command line, virt-v2v will not be able to enable virtio support for any guests.
-f command line option, as this defaults to using both configuration files. If the -f command line option is used, it must be specified twice: first for /etc/virt-v2v.conf and second for /var/lib/virt-v2v/virt-v2v.conf.
/etc/virt-v2v.conf
file must contain a combined configuration file. This can be copied
from a Red Hat Enterprise Linux 6.1 system, or created by copying all
configuration elements from /var/lib/virt-v2v/virt-v2v.db to /etc/virt-v2v.conf.
virt-v2v component, BZ#618091 virt-v2v component, BZ#678232 spice-client componentdevice-mapper-multipath componentqueue_without_daemon yes
default option queues I/O even though all iSCSI links have been
disconnected when the system is shut down, which causes LVM to become
unresponsive when scanning all block devices. As a result, the system
cannot be shut down. To work around this issue, add the following line
into the defaults section of /etc/multipath.conf:
queue_without_daemon no
initscripts component/boot partitions by setting the sixth value of a /boot entry in /etc/fstab to 0.
iscsi-initiator-utils component, BZ#739843 iscsiadm -m iface has never been executed. This is due to the iscsiadm -m discovery command not checking interface settings while the iscsiadm -m iface does. To work around this issue, run the iscsiadm -m iface command at least once after installing the iscsi-initiatio-utils package. Once the interface setting is updated, discoveries are performed with no errors.
vdsm componentkernel component, BZ#606260 lvm2 componentlvm2 component pvmove command cannot currently
be used to move mirror devices. However, it is possible to move mirror
devices by issuing a sequence of two commands. For mirror images, add a
new image on the destination PV and then remove the mirror image on the
source PV:
~]$lvconvert -m +1 <vg/lv> <new PV>~]$lvconvert -m -1 <vg/lv> <old PV>
~]$lvconvert --mirrorlog core <vg/lv>~]$lvconvert --mirrorlog disk <vg/lv> <new PV>
~]$lvconvert --mirrorlog mirrored <vg/lv> <new PV>~]$lvconvert --mirrorlog disk <vg/lv> <old PV>
lvm2 componentNetworkManager component/etc/dhclient.conf file or, if using per-interface DHCP options, the /etc/dhclient-<ifname>.conf file:
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; option ms-classless-static-routes code 249 = array of unsigned integer 8; also request rfc3442-classless-static-routes; also request ms-classless-static-routes;
iprutils componentiprconfig command fails.
iprconfig command results in a failure as well.
corosync component, BZ#722469luci component, BZ#615898 luci will not function with Red Hat Enterprise Linux 5 clusters unless each cluster node has ricci version 0.12.2-14
ipa-server-install command should add a record to the static hostname lookup table in /etc/hosts and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts
when an IP address is passed as an CLI option and not interactively.
Consequently, Identity Management installation fails because integrated
services that are being configured expect the Identity Management server
hostname to be resolvable. To work around this issue, complete one of
the following:
ipa-server-install without the --ip-address option and pass the IP address interactively.
/etc/hosts before
the installation is started. The record should contain the Identity
Management server IP address and its full hostname (the hosts(5) man page specifies the record format).
sssd component, BZ#750922libldb. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the \, character sequence. The most likely example of this is for an invalid memberUID entry to appear in an LDAP group of the form:
memberUID: user1,user2
memberUID is a multi-valued attribute and should not have multiple users in the same attribute.
(Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
/var/lib/sss/db/cache_<DOMAIN>.ldb file and restart SSSD.
/var/lib/sss/db/cache_<DOMAIN>.ldb file/var/lib/sss/db/cache_<DOMAIN>.ldb file purges the cache of all entries (including cached credentials).
sssd component, BZ#751314memberUID values, SSSD fails to sanitize the values properly. The memberUID value should only contain one username. As a result, SSSD creates incorrect users, using the broken memberUID values as their usernames. This, for example, causes problems during cache indexing.
6ComputeNode subscription.
sssd component, BZ#741264 [domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file:
ldap_referrals = false
kernel componentbnx2i and bnx2fc Broadcom drivers in Red Hat Enterprise Linux 6.2, remain a Technology Preview until further notice.
kexec-tools componentUUID/LABEL resolving is not functional. Avoid using the UUID/LABEL syntax when dumping core to Btrfs file systems.
kexec-tools component, BZ#600575 kdump.conf.
trace-cmd componenttrace-cmd service does start on 64-bit PowerPC and IBM System z systems because the sys_enter and sys_exit events do not get enabled on the aforementioned systems.
trace-cmd componentreport, does not work on IBM System z systems. This is due to the fact that the CONFIG_FTRACE_SYSCALLS parameter is not set on IBM System z systems.
tuned componentintel_idle.max_cstate=0 parameter, or at run time by using the cpu_dma_latency pm_qos interface.
libfprint component~]$ lsusb -v -d 147e:2016 | grep bcdDevicekernel componentlpfc)
does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from
version 5.4. Future Red Hat Enterprise Linux 6 releases may include
DH-CHAP authentication.
kernel componentmpt2sas driver is "Phase 5 firmware" (that is, with version number in the form 05.xx.xx.xx).
Note that following this recommendation is especially important on
complex SAS configurations involving multiple SAS expanders.
kernel componentqla4xxx device,
upgrading from Red Hat Enterprise Linux 6.1 to Red Hat Enterprise Linux
6.2 will cause the system to fail to boot up with the new kernel. There
are various ways to work around this issue:
qla4xxx device firmware to manage discovering and logging in to iSCSI targets.
qla4xxx device:
~]# echo "options qla4xxx ql4xdisablesysfsboot=1" >> /etc/modprobe.d/qla4xxx.conf~]# yum -y reinstall kernelqla4xxx device firmware to manage discovering and logging in to iSCSI targets.
qla4xxx device:
~]# echo "options qla4xxx ql4xdisablesysfsboot=1" >> /etc/modprobe.d/qla4xxx.confqla4xxx discovery and login process.
~]# yum install -y dracut-network iscsi-initiator-utils
~]# yum -y reinstall kerneliscsi_firmware kernel option into GRUB's configuration: /boot/grub/menu.lst (for LILO, the Linux Loader, modify the /etc/lilo.conf file).
qla4xxx discovery and login process.
~]# yum install -y dracut-network iscsi-initiator-utils
iscsi_firmware kernel option into GRUB's configuration: /boot/grub/menu.lst (for LILO, the Linux Loader, modify the /etc/lilo.conf file).
kernel component, BZ#679262/proc/kallsyms and /proc/modules show all zeros when accessed by a non-root user.
kernel componentkernel componentnomce kernel boot option, which disables machine check error reporting, or the mce=ignore_ce kernel boot option, which disables correctable machine check error reporting.
kernel component kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC … kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
pci=bfsort parameter to the kernel command line, and check again.
kernel componentbe2iscsi driver results in kernel panic. To work around this issue, disable CHAP on the iSCSI target.
kernel componenttg3 driver normally handles. As a result, some of the routines that operate on the VPD blocks may fail. For example, the nvram test fails when running the ethtool –t command on BCM5719 and BCM5720 Ethernet Controllers.
kernel componentethtool -t command on BCM5720 Ethernet controllers causes a loopback test failure because the tg3 driver does not wait long enough for a link.
kernel componenttg3 driver in Red Hat
Enterprise Linux 6.2 does not include support for Jumbo frames and TSO
(TCP Segmentation Offloading) on BCM5719 Ethernet controllers. As a
result, the following error message is returned when attempting to
configure, for example, Jumbo frames:
SIOCSIFMTU: Invalid argument
kernel componentlpfc_use_msi module parameter (in /sys/class/scsi_host/host#/lpfc_use_msi) being set to 2 by default, instead of the previous 0.
lpfc module parameter, lpfc_use_msi, to 0:
lpfc adapter may fail with mailbox errors. As a result, the lpfc adapter is not configured on the system. The following message appear in /var/log/messages:
lpfc 0000:04:08.0: 0:0:0443 Adapter failed to set maximum DMA length mbxStatus x0 lpfc 0000:04:08.0: 0:0446 Adapter failed to init (255), mbxCmd x9 CFG_RING, mbxStatus x0, ring 0 lpfc 0000:04:08.0: 0:1477 Failed to set up hba ACPI: PCI interrupt for device 0000:04:08.0 disabled
lpfc adapter is
operating, it may fail with mailbox errors, resulting in the inability
to access certain devices. The following message appear in /var/log/messages:
lpfc 0000:0d:00.0: 0:0310 Mailbox command x5 timeout Data: x0 x700 xffff81039ddd0a00 lpfc 0000:0d:00.0: 0:0345 Resetting board due to mailbox timeout lpfc 0000:0d:00.0: 0:(0):2530 Mailbox command x23 cannot issue Data: xd00 x2
lpfc adapter. The system BIOS logs the following messages:
Installing Emulex BIOS ...... Bringing the Link up, Please wait... Bringing the Link up, Please wait...
kernel componentnetxen_nic is 4.0.550. This includes the boot firmware which is flashed in option ROM on the adapter itself.
kernel componentkernel componentkernel component, BZ#683012 vmcore. As a result, the second kernel is not loaded, and the system becomes unresponsive.
kernel componentedac modules in a loop on certain HP systems may cause kernel panic.
kernel componentmultipathd
is started, I/O errors occur. To work around this issue, use one of the
following kernel command line parameters which are consumed by dracut:
rdloaddriver=scsi_dh_emc
rdloaddriver=scsi_dh_rdac
rdloaddriver=scsi_dh_emc,scsi_dh_rdac
scsi_dh module to load before multipath is started.
kernel componentvmcore
through the network using the Intel 82575EB ethernet device in a 32 bit
environment causes the networking driver to not function properly in
the kdump kernel, and prevent the vmcore from being captured.
kernel component, BZ#701857 kernel componentNMI: IOCK error (debug interrupt?)
hpsa module in a configuration file such as /etc/modules.d/blacklist.conf, and specifying the disk_timeout option so that saving the vmcore over the network is possible.
kernel component #!/bin/sh # Disable hyper-threading processor cores on suspend and hibernate, re-enable # on resume. # This file goes into /etc/pm/sleep.d/ case $1 in hibernate|suspend) echo 0 > /sys/devices/system/cpu/cpu1/online echo 0 > /sys/devices/system/cpu/cpu3/online ;; thaw|resume) echo 1 > /sys/devices/system/cpu/cpu1/online echo 1 > /sys/devices/system/cpu/cpu3/online ;; esac
kernel componentnmi_watchdog registers with the perf subsystem. Consequently, during boot, the perf
subsystem grabs control of the performance counter registers, blocking
OProfile from working. To resolve this, either boot with the nmi_watchdog=0 kernel parameter set, or run the following command to disable it at run time:
echo 0 > /proc/sys/kernel/nmi_watchdognmi-watchdog, use the following command
echo 1 > /proc/sys/kernel/nmi_watchdogkernel component, BZ#603911 BUG: NMI Watchdog detected LOCKUP and have either ftrace_modify_code or ipi_handler in the backtrace. To work around this issue, disable NMI watchdog by setting the nmi_watchdog=0 kernel parameter, or using the following command at run time:
echo 0 > /proc/sys/kernel/nmi_watchdogkernel componentvmcore
via NFS. To work around this issue, utilize other kdump facilities, for
example dumping to the local file system, or dumping over SSH.
kernel component, BZ#587909 kernel componentnmi_watchdog=2 or nmi_watchdog=lapic parameters. The parameter nmi_watchdog=1 is not supported.
kernel component pci=noioapicquirk,
is required when installing the 32-bit variant of Red Hat Enterprise
Linux 6 on HP xw9300 workstations. Note that the parameter change is not
required when installing the 64-bit variant.
PackageKit component~]# rpm --import <file_containing_the_public_key>gnome-power-manager component, BZ#748704Session active, not inhibited, screen idle. If you see this test, your display server is broken and you should notify your distributor. Please see http://blogs.gnome.org/hughsie/2009/08/17/gnome-power-manager-and-blanking-removal-of-bodges/ for more information.
acroread componentkernel component, BZ#681257 fprintd componentevolution componentanaconda componentxorg-x11-server component, BZ#623169 Test::Inter module provides a framework for writing interactive test scripts in Perl. It is inspired by the Test::More framework.
0x40
into a character in order to display a non-printing character but did
not do so when processing a multibyte character. As a result, the readelf utility did not display a multibyte character in the ELF
header correctly. The code has been corrected and readelf no longer
displays garbled characters when processing multibyte, or non-ASCII, characters.
binutils --build-id command. This update removes that patch.
ifunc(), whose value can be determined at load time, allows for architecture dependent optimization. Prior to this update, the OS/ABI preprocessor macro was erroneously set to UNIX - Linux instead of UNIX - System V in an ELF header by a dynamic executable which used ifunc(). This update applies a backported patch which corrects the code and the error no longer occurs.
strip command, which is run as part of the RPM build process, did not copy the EI_OSABI value in the ELF file header properly, it set the value to zero. Consequently, if the EI_OSABI field of the debug file had a value of 3 (ABI tag for GNU/Linux), in the stripped file it was erroneously set to 0 (UNIX - System V). This update corrects the problem and strip now leaves the field intact.
-ldl in the list compiler options caused unexpected behavior when compiling C++ code. If -ldl was not placed at the end of parameter list, the GNU C Compiler (GCC) failed with an error in the format:
libtest.a(some_object_file.o): undefined reference to `.dlerror'-mcmodel=small -mno-minimal-toc as options, GNU linker, (ld), erroneously decided that if a section did not make use of the TOC it could belong to any TOC
group. Consequently, when a local function call was made from one
section of code to another section in the same object file, due to the
two sections being assigned to different TOC groups, a failure occurred and an error message in the following format was logged.
libbackend.a(cse.o)(.text.unlikely+0x60): sibling call optimization to `.opd' does not allow automatic multiple TOCs; recompile with -mminimal-toc or -fno-optimize-sibling-calls, or make `.opd' extern-mcmodel=small -mno-minimal-toc. Therefore code should be recompiled by running these commands again after applying the update.
l setup_arch to determine the target architecture, the following error was displayed.
No line number known for setup_archmultipath -ll
command returned output indicating that no paths to the device were
available with confusing "failed faulty running" rows presenting the
missing paths. Multipath devices now reload tables with no device paths
correctly.
multipath.conf without setting the fast_io_fail_tmo value, the multipathd daemon did not notify the user that fast_io_fail_tmo was not set. Multipath now issues a warning that fast_io_fail_tmo is not set under such circumstances.
manual,
multipath could keep alternating from the failover pathgroup to the
primary pathgroup infinitely. This happened because multipath was
incorrectly failing back to the primary pathgroup whenever a path
priority changed. With this update, multipath no longer fails back to
the primary pathgroup when a path's priority changes under such
circumstances.
multipathd
did not abort the path check and terminated unexpectedly when trying to
access the multipath device information. The Multipath daemon now
aborts any path checks when the multipath device is removed and the
problem no longer occurs.
defaults multipaths devices sections of the multipath.conf man page has been improved to provide a better clarification.
rr_min_io_rq option has been added to the default, devices, and multipaths sections of the multipath.conf
file. This option defines the number of I/O requests to route to a path
before switching to the next path in the current path group. Note that
the rr_min_io option is no longer used.
/etc/multipath.conf for a multipath device are ignored. These access permissions are now set with the udev rules.
malloc()
function could enter a deadlock while creating an error message string.
As a result, the process could become unresponsive. With this update,
the process uses the mmap() function to allocate memory for the error message instead of the malloc() function. The malloc() deadlock therefore no longer occurs and the process with a corrupted heap now aborts gracefully.
strncmp() function, which compares characters of two strings, optimized for IBM POWER4 and POWER7
architectures could return incorrect data. This happened because the
function accessed the data past the zero byte (\0) of the string under
certain circumstances. With this update, the function has been modified
to access the string data only until the zero byte and returns correct
data.
crypt() function could cause a
memory leak if used with a more complex salt. The leak arose when the
underlying NSS library attempted to call the dlopen() function from
libnspr4.so with the RTLD_NOLOAD flag. With this update, the dlopen()
with the RTLD_NOLOAD flag has been fixed and the memory leak no longer
occurs.
nscd daemon logged the following error into the log file if SELinux was active:
rhel61 nscd: Can't send to audit system: USER_AVC avc: netlink poll: error 4#012: exe="?" sauid=28 hostname=? addr=? terminal=?This happened because glibc failed to preserve the respective capabilities on UID change in the AVC thread. With this update, the AVC thread preservers the respective capabilities after the
nscd startup.
nscd
daemon cached an error, which did not signalize that the problem was
only transient, and the request failed. With this update, the daemon
caches a value signalizing that the unavailability is temporary and
retries to obtain new data after a set time limit.
getpwuid()
function failed to resolve UIDs to user names when using the passwd
utility in the compat mode with a big netgroup. This occurred because
glibc was compiled without the -DUSE_BINDINGDIR=1 option. With this
update, glibc has been compiled correctly and getpwuid() function works as expected.
/etc/passwd.
This happened when the nss_compat mode was set as the mode was
primarily intended for use with NIS. With this update, getpwent returns
LDAP netgroup users even if the users have no NIS domain defined.
libresolv library is now compiled with the stack protector enabled.
setgroups function
after creating threads, glibc did not cross-thread signal and
supplementary group IDs were set only for the calling thread. With this
update, the cross-thread signaling in the function has been introduced
and supplementary group IDs are set on all involved threads as expected.
setlocale() function could fail.
This happened because parameter values were parsed in the set locale.
With this update, the parsing is locale-independent.
gethostbyname()
function terminated because of division by zero. This happened because
the getpagesize() function required the dl_pagesize field in the dynamic
linker's read-only state to be set. However, the field was not
initialized when a statically linked binary loaded the dynamic linker.
With this update, the getpagesize() function no longer requires a
non-zero value in the dl_pagesize field and falls back to querying the
value through the syscall() function if the field value is not set.
strlen() function for the AMD FX processors.
statvfs output received from kernel.
IP_MULTICAST_ALL socket option, which provides the ability to turn off IP Multicast multiplexing. This update adds the option to glibc.
expr: non-numeric argument
restorecon utility did not change MLS (multi-level security) levels unless the -F parameter was used. As a consequence, the /dev and /dev/pts filesystems were not correctly labelled after boot in systems with configured MLS policy. This bug has been fixed and the restorecon -F command is now used for /dev and /dev/pts by default.
crashkernel=128M, was specified to reserve crash dump memory, the kexec-disable upstart job unconditionally freed up the memory if the kdump mechanism was not enabled. This action could not be reverted until a reboot. With this update, kexec-disable job has been changed to not free reserved memory, unless the crashkernel parameter is set to auto, thus fixing this bug.
/etc/modprobe.d/bonding.conf file or the modprobe.conf file was used to set the bonding options, the bond0 interface never came up after a service restart because the arp_ip_target module was not restored. This bug has been fixed and arp_ip_target is now restored when configured in one of these files.
rc.sysinit script that allowed to properly set a hostname when more than one IP address was passed to the ipcalc utility. Even though it was difficult to emulate such a scenario, the rc.sysinit script has been fixed to prevent this bug, and ipcalc is now always passed only a single IP address.
ifdown and ifup utilities, the interface lost its IP address. With this update, the network scripts have been fixed to properly read the IPADDR0 parameter in interface configuration files, and now IP addresses of such interfaces are preserved in the described scenario.
/etc/init.d/network
script got into a loop and became unresponsive, trying to resolve MAC
addresses of the interfaces. As a result, the server was prevented from
completing its start-up sequence. With this update, /etc/init.d/network
has been fixed, MAC addresses of VLAN interfaces are now resolved
properly, and bonds between such interfaces now work as expected.
PREFIX option was specified for the ifcfg utility while the NETMASK option was undefined, the netmask was calculated without regard to the PREFIX value. With this update, the expand_config() function has been fixed to use the PREFIX properly, and the netmask is now calculated correctly in the described scenario.
rc.sysinit script has been fixed to run the /bin/plymouth command instead of /usr/bin/plymouth, thus fixing this bug. Additionally, other relevant scripts have been updated to properly work with the separated /usr/ directory.
/etc/init.d/halt script, no mount point set up with the word nfs
in its path could be unmounted at reboot or shut down. This bug has
been fixed and such mount points are now unmounted properly.
emergency parameter was appended to the kernel command line, the system failed to invoke the sulogin command. With this update, the rcS-emergency task, which is run before the rc.sysinit script if emergency is passed to the kernel, has been added, and sulogin is now properly invoked in the described scenario.
/etc/sysconfig/network-scripts/ifdown-eth script, the PID file name passed to the dhclient
utility during a shutdown procedure did not include the IP version
prefix. Consequently, leases for IPv6 addresses could not be released.
This bug has been fixed and the shut down procedure now works properly
both with the IPv4 and IPv6 clients.
ifup and ifdown
scripts explicitly ignored IPv6 configuration files that contained an
alias. With this update, clients properly utilize aliases on IPv6
devices in Red Hat Enterprise Linux.
syslog utility, and the error messages now appear in configured syslog channels.
sysctl utility could only be changed in the /etc/sysctl.conf file. With this update, several scripts have been updated to also recognize additional configuration files located in the /etc/sysctl.d/ directory.
ethtool command options. These options can be set via the ETHTOOL_OPTS parameter in configuration files located in the /etc/sysconfig/network-scripts/ directory and take effect after reboot.
/etc/ethers file, allowing to load these entries early in the system startup.
/var/log/ipaclient-install.log file did not provide enough information to determine the cause of the failure. With this update, the /var/log/ipaclient-install.log file contains improved debugging messages that make it easier to debug a possible installation failure.
ipa-replica-install command. With this update, after an installation of a replica with ipa-replica-install, the ipa service is enabled using the chkconfig utility so that the Identity Management services are started and available after a reboot.
bind service needs to be restarted when a new reverse zone is added over LDAP.
CURLOPT_GSSAPI_DELEGATION curl option. This option enables the credential delegation, thus fixing this bug.
memberOf attribute is rebuilt during installation, thus fixing this issue. Note that the 389 Directory Server (389-ds) may crash if it is restarted while this task is running. Wait for this task to complete before requesting a restart.
script stack space quota is exhausted
message and prevent a user from accessing the Web UI. This update split
the Web UI initialization to several smaller calls. Browsers no longer
report errors and the Web UI works as expected.
ipa-nis-manage command
disabled the NIS listener and also removed the netgroup compatibility
suffix. If NIS was disabled, the automatic creation of net groups was
disabled as well. Thus, creating a host group would fail to
automatically create a net group. With this update, disabling NIS has no
effect on the automatic creation of net groups when host groups are
created.
memberof LDAP attributes
pointing back to the permissions. Thus, a user could get an incorrect
list of permissions that were members of a DNS related privilege. With
this update, permission objects formatting has been fixed and the
missing memberof LDAP attributes in the
relevant DNS privileges are properly added. Users now get a valid list
of permissions (containing all the needed information) when displaying a
DNS related privilege.
migrate-ds command could contain a multi-valued RDN attribute. However, the migrate-ds
process picked only the first value of the RDN attribute and did not
respect the value that was present in the DN in the migrated LDAP
object. With this update, the value that is used in the original LDAP
object DN is used, rather than the first value of a multi-valued RDN. As
a result, LDAP objects with a multi-valued RDN attribute are migrated
without any errors.
ipa-client-install was run with the --password
option containing a bulk password for client enrollment, the password
could be printed to Identity Management client install log in a
plain-text format. This behavior has been fixed, and passwords are no
longer logged in the install log file.
/ipa/ui. This makes it look like no other web resources may be used. With this update, during the installation process, the --no-ui-redirect option can be used to disable the default Rewrite rule. This may also be commented out manually in the /etc/httpd/conf.d/ipa-rewrite.conf. As a result, the web server root can point to any specified place. However, /ipa must remain available to Identity Management.
automountkey-del command includes a --continue option which has no function and does not affect anything. With this update, the --continue has been hidden, and will be deprecated in the next major release.
ipa-getkeytab command failed with Bind errors. If 32-bit packages were used on a 64-bit system, the 32-bit cyrus-sasl-gssapi package was required. This update adds architecture-specific Requires to the RPM spec file, and retrieving of keytabs no longer fails.
cannot concatenate 'str' and 'NoneType' objects
auto.direct mount mounted on /-
was ignored because it was considered a duplicate. Consequently, direct
maps needed to be added manually. This update adds an exception for the
auto.direct map when importing so that its keys can be added, and
importing direct maps works as expected.
ipasudorunasgroup_group
attribute, making the output unclear. A proper label was added for
runAsGroup and the sudo option, which makes the output more
understandable.
ipa-replica-install did not ensure that the dbus service was running. Consequently, tracking certificates with certmonger returned an error and the installation failed. With this update, prior to starting certmonger, it is checked whether the dbus-daemon is running.
ipactl
use two different methods to determine whether Identity Management is
configured. If the Identity Management uninstallation was not complete, ipactl
may have claimed that the Identity Management server is not configured
while the Identity Management server installer refused to continue
because Identity Management was configured. With this update, a common
function that checks whether the Identity Management server is
configured has been added. During the uninstallation process of the
Identity Management server, checks are run that report left-over files
so that users can manually resolve these.
sudurole-add-option command did not display a summary after the option was added. With this update, a summary is printed in the form of Added option 'x' to Sudo Rule 'y'.
sudurole-remove-option command did not display a summary after the option was removed. With this update, a summary is printed in the form of Removed option 'x' to Sudo Rule 'y'.
--no-host-dns
option without a DNS resolvable host name caused the installation to
fail with DNS errors. This update moves the no-host-dns test so that it
is tested before any DNS lookups occur, and installations with the --no-host-dns option do not perform any DNS validation.
ipa-getkeytab and ipa-join
commands did not operate properly, and the client could not be enrolled
to the Identity Management server. As a result, client installations
failed every time. With this update, matching client A/PTR DNS records
are no longer a requirement for ipa-getkeytab and ipa-join, and client installations succeed even when the aforementioned records do not match.
automountmap or automountkey command returned the following error:
Map: ipa: ERROR: 'automountmapautomountmapname' is required
automountmap, is now returned.
krb5_store_password_if_offline parameter is set to True in the /etc/sssd/sssd.conf by default. Note that the --no-krb5-offline-passwords option of the ipa-client-install command may be used if storing passwords for offline use is not desired.
automountmap or automountkey command returned the following error:
Location: ipa: ERROR: 'automountlocationcn' is required
automountlocation, is now returned.
ipa-client-install command did not configure a hostname in the /etc/sysconfig/network file. Consequently, when the --hostname
value was passed to the client installer, that value was used during
enrollment. However, the system hostname did not match the name of the
machine. With this update, the /etc/sysconfig/network file is updated upon installation and /bin/hostname is executed with the hostname of the machine. The name used in the enrollment process now matches the hostname of the machine.
ipa user-mod --setattr)
may have returned a Not Found error. Renaming the actual users was
successful, but their user-private groups were not updated. With this
update, the 389-ds plugin has been modified so that the ipa_modrdn
plugin runs last. This plugin manages renaming of the Kerberos
principal name of the user. Renaming a user now also renames the
user-private group.
ipa-client-install command always ran /usr/sbin/authconfig to add the pam_krb5.so entry to PAM configuration files in the /etc/pam.d/
directory. However, this entry was not needed when an Identity
Management client is installed with SSSD support, which is the default
behavior. As a result, an unnecessary record was added to the PAM
configuration. With this update, /usr/sbin/authconfig is not run if the Identity Management client is configured with SSSD support.
ipa config-show command). This update adds Password Expiration Notification to the default list of attributes to shown by default when running the ipa config-show command.
--forwarder or --ip-address
options. Consequently, installation could eventually fail, for example
because of an invalid name server configuration. With this update, all
IP addresses passed to the ipa-server-install, ipa-replica-install and ipa-dns-install commands are checked for validity.
ipa-client-install command
detected that the client hostname was not resolvable, it tried to add a
DNS record to the Identity Management server. However, it did not expect
that the client could have been using an IPv6 machine, and the
installation process failed. This update adds a check to make sure that
the process for adding a DNS record to the Identity Management server
works for both IPv4 and IPv6, and the Identity Management client
installation works as expected.
undefined was created. With this update, the service name field is required to be filled in.
allow and deny are accepted as types:
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
deny are not allowed. With this update, the deny type was deprecated because SSSD determined that properly enforcing the deny type was extremely difficult and dependent on how other libraries present host information.
ipa-server-install command did not
update the system hostname when it was installed with a custom
hostname. It passed the hostname to services using their own
configurations. However, some services failed to function properly as
they did not expect an Identity Management server to use a custom
hostname and not a system hostname. With this update, the system
hostname is updated to the value passed via ipa-server-install's --hostname option. The system hostname is also set in the system network configuration in /etc/sysconfig/network so that it is properly set after a system reboot. Refer to Section 2.8, “Authentication” for a known limitation regarding Identity Management server installations with custom hostnames.
null.
This update adds better detection of whether the CA 389-ds instance has
been installed to identify the current stage of the installation, thus
fixing this issue.
ipa-nis-manage command did not return an exit status of 0
when successful. With this update, the underlying source code has been
modified to address this issue, and correct exit codes are returned.
has_password, that is set when the host has a password set. If has_password is True, a password has been set on the host. However, there is no way to see what that password is once it has been set.
enrolledBy on the host. Prior to this update, an administrator was able to change this value by using the ipa host-mod --setattr. This action should not be allowed. This update fixes this behavior and write permissions have been removed from the enrolledBy attribute.
nss_ldap is not able to use DNS discovery
ipa-client-install command did not configure /usr/sbin/ntpdate to use correct NTP servers in the /etc/ntp/step-tickers. Additionally, the ipa-client-install did not store the state of the ntpd service before installation. Consequently, when an Identity Management client is installed, ntpdate may have used incorrect servers to synchronize with. When the Identity Management client was uninstalled, the ntpd may have been set to an incorrect state. With this update ipa-client-install configures ntpdate to use the IPA NTP server for synchronization. When an IPA client is uninstalled, both ntpdate configuration and ntpd status are restored.
/etc/krb5.conf file contained values which were not present in the standard configuration file (specifically: ticket_lifetime, renew_lifetime, and forwardable in the [libdefaults] section, and the entire [appdefaults] section). This update removes these unnecessary values and sections.
ipa dnsrecord-del) to the command line application which guides the user through the process of removing the required entries.
ipactl output. With this update, the amount of information displayed in the ipactl output has been reduced. The previously reported data is not available in the 389-ds error log only.
ipa-client-install did not
successfully run on a client when a one-time password was set on a host
in the Identity Management Web UI. Consequently, clients could not be
enrolled using a one-time password if it was set in the Web UI. With
this update, the krbLastPwdChange value is no longer set in the host entry when setting a host one-time password, thus fixing this issue.
runAsGroup
value from a sudo rule, the command appeared to be successful, but the
group information data included in the output was not updated and did
not show the proper membership. This update fixes this bug, and data is
refreshed before being returned.
runasuser (via ipa sudorule-remove-runasuser) and, consequently, defining a group, the RunAs Group
value was not included in the output. This was because the label for
the returned data was mislabeled and was not appearing in the output.
With this update, the underlying source code has been modified to
address this issue, and adding a group to runasuser is properly displayed.
--externaluser option was specified for the sudorule-mod command. As a result, erroneous values were stored in the entry. With this update, the --externaluser option was removed from the sudorule-mod command. It is advisable to use the sudorule-add-user command instead.
SELINUX=disabled in /etc/selinux/config) and attempting to restart the ipa service caused the ipa service to fail to start. This update ignores the value returned by restorecon, and the ipa service now starts as expected whether SELinux is enabled or disabled.
runAsGroup in a sudo role as a user, the name of that user is returned as the name of a group that may also be used as the runAsGroup.
As a result, the sudo rule was erroneous and referred to a non-existent
group. This was because the search filter for determining the CN value
was too generic. This update adds a test which assures user names no
longer appear as runAsGroup values.
sudorule-mod's --runasexternaluser or --runasexternalgroup options. With this update, the aforementioned options have been deprecated. It is advisable to use the sudorule-add-runasuser or sudorule-runasgroup commands instead.
ipa-nis-manage
command did not display an error and did not exit the command. With
this update, passing an empty password causes an error to appear (No password supplied), and the command is exited with the status code 1.
ipa-nis-manage command has an option, -y,
to specify the Directory Manager password in a file. This option caused
the command to crash if the file did not exist. An exception handler
around the password reader has been added, and a proper error message is
displayed when the supplied password file is non-existent or is not
readable.
runasuser (via ipa sudorule-add-runasuser) and, consequently, defining a group, the RunAs Group
value was not included in the output. This was because the label for
the returned data was mislabeled and was not appearing in the output.
With this update, the underlying source code has been modified to
address this issue, and adding a group to runasuser is properly displayed.
ipa passwd
command. Prior to this update, the command did not require entering the
old password. Consequently, anyone with access to that user's shell
could change his Identity Management password without knowing the old
password. With this update, the old password is always required in order
to change a user's password. The only exception is the administrator
user.
bind service was restarted. With this update, an updated bind-dyndb-ldap
package added a zone refresh option that Identity Management uses to
refresh the zone list in DNS. The default setting is 30 seconds. As a
result, new DNS zones are not immediately available, but the bind service does not have to be restarted anymore.
--no-host-dns option of the ipa-server-install
command still checked that the forward and reverse DNS entries existed
and matched. Installation of an Identity Management server using a host
name that could not be resolved would then fail. This update removes any
DNS validation when the --no-host-dns option is used.
RA Subsystem to IPA RA.
ipa-client-install command always
checked the specified server whether it was a valid Identity Management
server. However, if the Identity Management server was configured to
restrict access for anonymous binds (via the nsslapd-allow-anonymous-access option), the check failed and the installation processes returned an error and ended. With this update, when the ipa-client-install
command detects that the chosen server does not allow anonymous binds,
it skips server verification, reports a warning, and lets the user join
the Identity Management server.
/etc/hosts)
for records which could interfere with its IP address or hostname, and
cause forward or reverse DNS queries to be resolved to different values
than expected. The installation process now always checks for any
conflicting records in the /etc/hosts file.
--ip-address
option caused the installed server to not function properly. With this
update, it is verified whether the provided IP address is a configured
interface on the system. Providing an IP address that is not associated
with a local network interface will return an error message.
zonemgr email address could cause an installation to fail with an unclear message. This update adds a validator which requires the zonemgr to contain ASCII characters only.
ipa-client-install command did not return an exit status of 0
when successful. With this update, the underlying source code has been
modified to address this issue, and correct exit codes are returned.
value #0 invalid per syntax: Invalid syntax.
ipa-server-install called kdb5_ldap_util
to populate the directory with realm information. In the process of
doing so, it passes the Kerberos master database password and the
Kerberos directory password as parameters. As a result, a user could
list all running processes during the IPA server installation and
discover the aforementioned passwords. With this update, kdb5_ldap_util's interactive mode is used to pass the passwords instead of passing them via CLI parameters.
--no-reverse option. This update fixes this behavior, and a reverse zone is not created unless specified.
ipa-client-install command
attempted to auto-discover the Identity Management server in its domain,
it did not use any timeout when a server was found and was being
checked. If the found server was unresponsive during the auto-discovery,
the ipa-client-install command got stuck and did not continue. This update adds a 30 second timeout to the ipa-client-install auto-discovery server check.
--no-sssd option of the ipa-client-install command did not properly back up and restore the existing /etc/sssd/sssd.conf file. With this update, the underlying source code has been modified to address this issue, and the --no-sssd option works as expected.
--hostname option to set a
value outside an Identity Management-managed DNS domain did not return
an error and did not add the host to DNS. The DNS updating utility, nsupdate, was modified to properly return an error when an update fails.
--force option. This was because the --force
option was able to re-install over an already installed system, causing
the original saved files to be lost. This behavior is no longer
permitted; the client must be first uninstalled and only then it can be
re-installed.
Cannot resolve network address for KDC
/etc/krb5.conf
file was used during enrollment to contact the Identity Management KDC.
The process was always relying on DNS auto-discovery to find the
correct KDC and not the values provided by the end-user. With this
update, enrollment works even if the domain does not match the realm.
No permission to join this host to the IPA domain.
--on-master lacked proper documentation. This update makes the option invisible and removes it from documentation entirely.
/etc/sysconfig/krb5kdc
file, were not formatted properly on multi-CPU systems. As a
consequence, the KDC could not use the intended number of CPUs and
reported an error when it was (re)started. With this update, the
aforementioned arguments are now properly formatted, fixing this issue.
ypcat
command's netgroup output did not show users in netgroup triples.
Consequently, NIS-based authorization did not work as expected, and
access was denied when it should have been allowed. This was caused by a
syntax error in the triple rule. This update fixes this error, and
users are now properly included in the netgroup triples.
Exception in thread "main" java.lang.Error: Probable fatal error:No fonts found.
be2net driver could allow an attacker on the local network to cause a denial of service.
ext4_ext_convert_to_initialized()
worked. A local, unprivileged user with access to mount and unmount
ext4 file systems could use this flaw to cause a denial of service.
[bnx2x_extract_max_cfg:1079(eth11)]Illegal configuration detected for Max BW - using 100 instead
A problem has been detected and windows has been shut down to prevent damage to your computer.
struct mmsghdr {
struct msghdr msg_hdr;
unsigned msg_len;
};
ssize_t sendmmsg(int socket, struct mmsghdr *datagrams, int vlen, int flags);
StrictHostKeyChecking=no
option when dumping to SSH targets, causing the target kdump server's
SSH host key not to be checked. This could make it easier for a
man-in-the-middle attacker on the local network to impersonate the kdump SSH target server and possibly gain access to sensitive information in the vmcore dumps.
(initrd)
files with world-readable permissions. A local user could possibly use
this flaw to gain access to sensitive information, such as the private
SSH key used to authenticate to a remote server when kdump was configured to dump to an SSH target.
/root/.ssh/ directory and the host's private SSH keys) in the resulting initrd. This could lead to an information leak when initrd files were previously created with world-readable permissions.
/etc/kdump.conf are included in the initrd. The default is the key generated when running the service kdump propagate command, /root/.ssh/kdump_id_rsa.
dump-capture kernel became unresponsive and the following error message was logged.
ACPI Error: A valid RSDP was not foundacpi_rsdp, has been added to the noefi kernel command. Now, if EFI is detected, a command is given to the second kernel, in the format, noefi acpi_rsdp=X, not to use EFI and simultaneously passes the address of RSDP to the second kernel. The second kernel now boots successfully on EFI machines.
core_collector in kdump.conf, when kdump was configured to dump kernel data to a secure location using SSH, it generated a complete vmcore, without removing free pages. With this update, the default core collector will be makedumpfile when kdump is configured to use SSH. As a result, the vmcore dump file is now compressed by default.
/etc/mdadm.conf configuration file. As a consequence, mkdumprd failed to create an initial RAM disk file system (initrd) for kdump crash recovery and the kdump service failed to start. With this update, mkdumprd has been modified so that it now parses the configuration file and builds initrd correctly. The kdump service now starts as expected.
initrd) for use in conjunction with the booting of a second kernel within the kdump framework for crash recovery. Prior to this update, mkdumprd
became unresponsive when the running kernel was not the same as the
target kernel. With this update the problem has been fixed and mkdumprd no longer hangs in the scenario described.
sed: /etc/cluster_iface: No such file or directoryYour running kernel is using more than 70% of the amount of space you reserved for kdump, you should consider increasing your crashkernel reservationNon-fatal <unknown> scriptlet failure in rpm packageerror reading information on service kdump: No such file or directorycp: cannot stat `/lib/firmware/*': No such file or directorykdump.conf, force_rebuild, has been added. When enabled, this option forces the kdump init script to rebuild initrd every time the system starts, thus ensuring kdump has enough storage space on each system start-up.
nr_cpus=1 rather than maxcpus=1 to save memory required by the second kernel. PowerPC platforms currently cannot handle this feature.
maxcpus=1 instead of nr_cpus=1 for older kernels (see the enhancement above).
kdump.conf debug_mem_level option.
ext4 file systems, and also to XFS file systems on data disks (but not the root disk) has been added.
For XFS, the XFS layer product needs to be installed. Layered products are those not included by default in the base Red Hat Enterprise Linux operating system.
Btrfs file systems has been added.
BusyBox's "findfs" utility does not yet support Btrfs, so UUID/LABEL resolving does not work. Avoid using UUID/LABEL syntax when dumping core to Btrfs file systems. Btrfs itself is still considered experimental; refer to Red Hat Technical Notes.
mount command. Consequently, when the command mount -t debugfs debug /sys/kernel/debug
was issued in the kdump service script, if the file system was already
mounted, the message returned was erroneously logged as an error
message. With this update, the logic in the kdump service script has
been improved and the kdump service script now functions as expected.
SPICE protocol.
--host-subject command line option are now ignored.
--version command line option for the spicec command has been added.
CKM_RSA_X_590
encrypting mechanism even though it reported support for this
mechanism. Consequently, if such middleware was used by libcacard
virtual smart cards, smart cards failed to emulate any RSA
authentication based operations, such as requesting a security pin or
retrieving user certificates. The library has been modified to handle CKM_RSA_X590 failures by falling back to use CKM_RSA_PKCS encryption. Virtual smart cards now work correctly with AET middleware.
Obsolete lines in the package spec file, updating spice-client forced an update of spice-server as well, and vice versa. With this update, all "Obsolete" lines have been removed from the spice-client.spec file, and updating spice-client no longer forces the update of spice-server.
SPICE client did not correctly
handle monitor setting routines when it was running on a client machine
with multiple monitors. As a consequence, the client entered an infinite
loop while trying to rearrange monitors, which eventually caused the
client to terminate unexpectedly. With this update, the code has been
modified to prevent the client from entering this loop, and the client
thus no longer crashes.
SPICE client failed to connect
to the SPICE server on the target host after a virtual machine had been
migrated to a remote machine. This happened when the migration of the
virtual machine took longer than the expiration time of the SPICE ticket
that was set on the target host. Without a valid password, the SPICE
server refused connection from the SPICE client and the SPICE session
had to be closed. To prevent this problem, support for spice
semi-seamless migration has been added. Other components such as spice-protocol, spice-server and qemu-kvm
have also been modified to support this feature. SPICE now allows the
SPICE client to connect to the SPICE server on the target host at the
very start of the virtual machine migration, just before the migrate
monitor command is given to the qemu-kvm
application. With a valid ticket on the target host, the SPICE ticket
on the destination no longer expires and the SPICE client now remains
open when the virtual machine migration is done.
SPICE client could attempt to free memory that has already been freed. Therefore, when the KDE
desktop screen of the client machine with the running SPICE client was
locked, the SPICE client terminated unexpectedly with a segmentation
fault after unlocking the screen. The code has been modified to free
memory correctly, and the SPICE client no longer crashes in the scenario
described.
SPICE client
sessions at the same time and the screen resolution on the client
machine was changed, the SPICE client could often enter an infinite loop
in the code. As a consequence, the X Windows
server consumed up to 100% of CPU and caused the client machine to be
unresponsive. With this update, the underlying code has been modified to
prevent the client from entering the loop, and the problem no longer
occurs.
--color-depth and --disable-effects client WAN options was inaccurate. With this update, the spicec --help command now clearly states that these WAN options have effect only if supported by the guest vdagent.
SPICE server
establishes secured connections, the SPICE client log contained
secure-connection messages that included the misleading string, connect_unsecure.
With this update, the function used to establish secure connections has
been renamed and secure-connection messages in the client log now
contain the connect_to_peer string.
SPICE client expected
an existence of the primary screen surface when it attempted to handle
the creation of non-primary screen surfaces. The primary surface did not
exist at the time, therefore the SPICE client terminated unexpectedly.
With this update, the SPICE client now ensures that the screen exists
before starting operations on it. The SPICE client no longer crashes in
the scenario described.
--smartcard-db client command line option was not handled properly. As a consequence, when running with this option, the SPICE client terminated with the following error message:
Error: unhandled exception: cmd line error
--smartcard-db option is now handled properly and the SPICE client works as expected using this option.
SPICE client with WAN options and the SPICE agent (vdagent)
was running on the guest, the client initiated handshaking. If the
vdagent did not support WAN options, it did not reply to the client and
connection thus failed with the vdagent timeout. Also with certain WAN options, such as --color-depth 16, the attempt to connect failed with the vdagent timeout even though no vdagent
was running on the guest. With this update, the SPICE client checks
capabilities of the vdagent. If vdagent does not support WAN options or
there is no vdagent running on the guest, the client continues with the message sequence initiation and connection is now successful.
SPICE client returned exit code 0 when running without the --host command line option, although the client correctly displayed the following error message:
spicec: missing --host
error code 14 in this scenario.
do_part_get_bootable()
API function parsed the output of parted with an assumption that the
partition layout on the guest image was well ordered. As a consequence,
the part-get-bootable
API would produce an incorrect result or even terminate with disks where
the partitions were not in the usual order or were missing. With this
update, the source code is modified so that libuguestfs can correctly handle disks with unordered partitions.
libguestfs protocol lost synchronization when using the upload command in the guestfish
command line tool before mounting any disks. Uploading files failed and
an error message was reported due to the library and the daemon sending
cancel messages in an incorrect order. With this update, if the daemon
detects cancellation, it sends the remaining data in its output buffer
instead of discarding it.
/etc/fstab file, the virt-inspector utility reported the unknown filesystem error message. The source code has been modified, and the utility now works correctly and no longer displays error messages.
guestfs_kill_subprocess() function and then closing the connection handle by calling guestfs_close()
could cause the libguestfs connection to become unresponsive. The
source code has been modified to close the connection correctly so that
the connections no longer hangs.
guestfish command line tool, the mapped devices created by luks-open
were not listed. With this update, /dev/mapper/ paths are added to
tab-completion and the devices are displayed when pressing the tab key.
qemu-img
command which contained an incorrect decimal point in the output. As a
result, an error message was reported. With this update, the source code
is modified so that the virt-make-fs tool invokes qemu-img correctly in all cases.
/etc/fstab
file contained file systems marked with LABEL. This update modifies the
source code so that the file systems are mounted correctly. As a
result, virt-v2v no longer fails.
Legacy BIOS Bootable flag in the GPT (GUID Partition Table) attribute field.
LUKS
(Linux Unified Key Setup) encrypted disks. As a result, loading of
shared libraries failed with an error message. An upstream patch has
been applied to address this issue and libguestfs now works correctly on
LUKS devices.
guestfish --remote run should not be used in a command substitution context.
guestfs_last_errno()
function was not exposed in the Perl bindings. As a consequence, it was
not directly possible to determine the precise cause of some failures.
To fix this problem, guestfs_last_errno() is now exposed in the Perl
bindings.
OSError: [Errno 2] No such file or directory
ERROR cannot send monitor command '{"execute":"query-balloon"}':
Connection reset by peer
Home directory. With this update, Python's paste tool now uses the -Es flag, and so avoids this behavior.
/var/lib/luci/data/luci.db can be fully backed up and restored.
cluster.conf file. The Run Exclusive option was enabled in luci
by default, without it being manually enabled, and services could
therefore become exclusive without users knowing about it. Now, luci is modified to correspond with the cluster.conf file: if the Run Exclusive option is not enabled, the checkbox is not checked.
fence_vmware fence agent.
pvmove
command could become unresponsive. With this update, the underlying
source code has been modified to address this issue, and the pvmove command no longer hangs.
lvresize
command, the size was rounded down to the stripe boundary. This could
pose a problem when shrinking the volume with a file system on it. Even
if a user determined the new size so that the file system did fit
entirely onto the volume, and resized the volume, the alignment done by
the lvresize command might have cut off a
part of the file system, causing it to become corrupted. This update
fixes the rounding for striped volumes so that a volume is never reduced
more than requested.
lvcreate --alloc anywhere
command did not guarantee placement of data on different physical
devices. With this update, the above command tries to allocate each
mirror image on a separate device first before placing it on a device
that is already used.
lvcreate command was used with large physical volumes while using %FREE, %VG, %PVS or %ORIGIN
for size definition, the resulting LV size was incorrectly calculated.
This was caused by an integer overflow while calculating the
percentages. This update provides a better way of calculating the sizes,
by using proper typecasting, so that the overflow no longer occurs.
/etc/lvm/lvm.conf). At the
early stage of the system start-up, when the early init script tries to
activate any existing VGs, the cluster infrastructure is still not
initialized (as well as the network interface) and therefore cluster
locking cannot be used and the system falls back to file-based locking
instead, causing several misleading error and warning messages to be
returned. With this update, these error and warning messages are
suppressed during the system start-up, and the system falls back to
usable locking mechanism silently.
vgimportclone script triggered a
code path in LVM that caused it to access already-released memory when a
duplicated PV was found. Consequently, the VG that contained such PV
was found to be inconsistent and the process ended up with a failure to
read the VG. This update fixes this failure by saving such problematic
strings to a temporary buffer, and thus avoiding improper memory access.
clvmd) was
crashing when attempting to create a high number of volume groups at
once. This was caused by the limit set by the number of available file
descriptors per process. While clvmd was creating pipes and the limit was reached under the pressure of high number of requests, clvmd did not return an error but continued to use uninitialized pipes instead, eventually causing it to crash. With this update, clvmd now returns an error message immediately if the pipe creation fails.
lvremove command could
cause a failure to remove a logical volume. This failure was caused by
processing an asynchronous udev event that kept the volume opened while
the lvremove command tried to remove it. These asynchronous events are triggered when the watch udev rule is applied (it is set for device-mapper/LVM2 devices when using the udisks package that installs /lib/udev/rules.d/80-udisks.rules).
watch rule set and is closed after a read-write open).
udevadm settle command in between.
lvconvert command, the Unable to create a snapshot of a locked|pvmove|mirrored LV error message has been changed to Unable to convert an LV into a snapshot of a locked|pvmove|mirrored LV. for clarity reasons.
/”)
caused LVM commands to fail while generating an archive of current
metadata. Because a hostname is a part of the temporary archive file
name, a file path that was ambiguous was created, which caused the whole
archive operation to fail. This update fixes this by replacing any
slash character (“/”) with a question mark character (“?”) in the hostname string and then is used to compose the temporary archive file name.
/dev were created and removed incorrectly, causing them to exist when the device had already been removed or vice versa.
verify_udev_operations option found in the activation section of the /etc/lvm/lvm.conf file.
--force option from the lvrename manpage.
vgsplit command is now able to split a volume group containing a mirror with mirrored logs.
lvm_vg_write call, making it possible to calculate all PV properties and query them without actually writing the PV label on the disk.
resync status, as being in the reshape
status. As a consequence, mdadm rejected to assemble the IMSM RAID
device as an external data file is needed to reassemble a device in the reshape
status. If booting from the IMSM RAID device, the boot process could
fail under these circumstances. With this update, mdadm detects that an
IMSM RAID device is in the resync mode, assembles the device correctly, and launches its synchronization.
--size
option with no chunk size specified, the mdadm utility rounded the
default chunk size incorrectly. With this update, the rounding process
has been modified and arrays are created with the correct size
alignment.
mdadm: Failed to restore critical section for reshape - sorryThis happened because during the process, the RAID level for RAID0 devices is temporarily changed to RAID4; however, the Grow_restart() function called on restart did not allow any RAID level changes. With this update, the level change has been allowed and the problem no longer occurs.
mdstat --examine
command contained incorrect status information. This happened because
the DELAYED/PENDING status of a RAID device during resync was translated
to an incorrect status. An upstream patch that fixes this bug has been
applied and the mdstat --examine command now returns correct status information.
netstat command which uses SNMP, and a Tk/Perl management information base (MIB) browser.
snmptrapd,
the Net-SNMP daemon for processing traps, leaked memory when processing
incoming SNMP traps in embedded Perl. This caused the amount of consumed
memory to grow over time, making the memory consumption even larger if
the daemon was processing SNMPv1 traps. With this update, the underlying
source code has been adapted to prevent such memory leaks, and
processing incoming SNMP traps in embedded Perl no longer increases the
memory consumption.
snmpd, the Net-SNMP agent, gathered the disk IO and CPU usage statistics for UCD-SNMP::systemStats as 64-bit. However, relevant MIB describes these statistics as 32-bit and as a consequence, snmpd wrote the following message to the system log when processing the 64-bit values:
truncating integer value > 32 bits
snmpd to collect values for UCD-SNMP::systemStats as 32-bit integers so that it no longer reports the aforementioned message to syslog.
snmpd daemon did not detect errors when accessing the /proc file system. Consequent to this, an attempt to read information about an exited process while gathering information for a HOST-RESOURCES-MIB::hrSWRunTable
table caused the daemon to terminate unexpectedly with a segmentation
fault. This update adapts the underlying source code to make sure that
such errors are now properly detected, and snmpd no longer crashes when populating HOST-RESOURCES-MIB::hrSWRunTable.
snmpd daemon reported HOST-RESOURCES-MIB::hrSystemDate
with an incorrect sign in the timezone offset. This update applies a
patch to make sure the timezone offset is properly recalculated and the
value reported by snmpd is now correct.
snmpd daemon
tracked all network interfaces that were present on the system while it
was running, including interfaces that were removed from the system
during this time. Consequent to this, when an interface which had been
removed was re-instantiated with the same name but with a different
interface index, snmpd reported both interfaces separately in IF-MIB::ifTable. This typically happened to Point-to-Point Protocol (PPP) interfaces. This update adds two new options, interface_fadeout and interface_replace_old, to the /etc/snmpd/snmpd.conf configuration file, which allows system administrators to control the behavior of snmpd when two interfaces with the same name but a different interface index are detected. Refer to the snmpd.conf(5) manual page for details.
snmpd daemon silently ignored the second interface while populating IP-MIB::ipAddressTable. With this update, snmpd
has been adapted to add a message that the second interface is being
ignored to the system log in this scenario. This allows system
administrators to determine why the second interface is missing from IP-MIB::ipAddressTable.
snmpd daemon ignored SIGCHLD signals from processes that were spawned as a result of the pass_persist configuration option. However, this led to unnecessary defunct processes on the system. With this update, the snmpd daemon has been adapted to correctly process the SIGCHLD signals so that such defunct processes are no longer created.
snmpd daemon incorrectly ignored XFS file systems when populating HOST-RESOURCES-MIB::hrFSTable. This update adds support for the XFS file system to HOST-RESOURCES-MIB::hrFSTable so that snmpd no longer omits such file systems from the report.
snmpd daemon did not distinguish between outgoing SMUX messages and always incremented their Request-ID, even when multiple SMUX messages were sent as a result of one incoming SNMP request with multiple variables. However, RFC 1227 requires that such SMUX messages should have the same Request-ID. With this update, snmpd properly recognizes multiple outgoing SMUX messages that are the result of one incoming SNMP request and assigns them the same Request-ID.
IP-MIB::ipNetToPhysicalTable, the previous version of the snmpd
daemon did not properly recover and may have terminated unexpectedly as
a consequence. This update adapts the underlying source code to detect
that the system is running out of memory, and snmpd no longer crashes in this situation.
netsnmp module for the Python
programming language did not properly initialize an SNMP session with
SNMPv3 authentication. Consequent to this, and attempt to use such a
session caused Python to terminate unexpectedly with a segmentation
fault. This update ensures that SNMP sessions with SNMPv3 authentication
are now initialized properly and can be used in Python modules as
expected.
netsnmp Python module did not properly parse OID names that included an MIB name (such as IF-MIB::ifTable).
With this update, the regular expression for parsing OID names has been
corrected and the aforementioned Python module now parses such names
properly.
snmpd daemon did not verify the result of reading from a network socket in the SMUX module. Consequent to this, snmpd may have been unable to close erroneous SMUX sessions, because it failed to detect some network errors. With this update, the snmpd
daemon has been adapted to properly detect errors when reading from a
SMUX socket so that it can now react to these errors properly.
AgentX subagent was being disconnected from the snmpd
daemon, the daemon did not properly detach all outstanding SNMP
requests from the internal session object representing this agent. As a
consequence, snmpd could terminate unexpectedly while processing these requests. With this update, the snmpd daemon ensures that outstanding SNMP requests do not point to an AgentX session that is closed.
RELRO
flag, the ELF sections are reordered to include internal data sections
before program's data sections, and the Global Offset Table (GOT)
address section of the resulting ELF file is mapped read-only. This
ensures that any attempt to overwrite the GOT entry and gain control
over the execution flow of a program fails with an error. For this
reason, the Net-SNMP daemons, binaries, and shared libraries are now
built with full RELRO protection.
signer 0 status = SigningCertNotFound cmsutil: problem decoding: Unrecognized Object Identifier.
NSS_Shutdown()
function call because the client certificate was not freed and the
cache could not be destroyed. With this update, the peer certificate is
freed in OpenLDAP library after certificate validation is finished, all
cache entries can now be deleted properly, and the NSS_Shutdown() call now succeeds as expected.
CN=*.example.com),
the connection to the server failed. With this update, the library has
been fixed to verify wildcard hostnames used in certificates correctly,
and the connection to the server now succeeds if the wildcard common
name matches the server name.
slapd-config(5) and ldap.conf(5)
manual pages contained incorrect information about TLS settings. This
update adds new TLS documentation relevant for the Mozilla NSS
cryptographic library.
openldap
client tool, and the file was not terminated by a newline character,
the client terminated unexpectedly. With this update, client utilities
are able to properly handle such LDIF files, and the crashes no longer
occur in the described scenario.
ldapadd utility or another openldap
client tool, and a line in the file was split into two lines but was
missing correct indentation (the second line has to be indented by one
space character), the client terminated unexpectedly. With this update,
client utilities are able to properly handle such filetype LDIF files, and the crashes no longer occur in the described scenario.
TLS_REQCERT option set to never and the TLS_CACERTDIR
option set to an empty directory, TLS connection attempts to a remote
server failed as TLS could not be initialized on the client side. Now, TLS_CACERTDIR errors are ignored when TLS_REQCERT is set to never, thus fixing this bug.
slapd.conf file was converted into a new slapd.d directory while the constraint overlay was in place, the constraint_attribute option of the size or count type was converted to the olcConstraintAttribute
option with its value part missing. A patch has been provided to
address this issue and constraint_attribute options are now converted
correctly in the described scenario.
TLS_REQCERT option set to never
and the remote LDAP server uses a certificate issued by a CA
(Certificate Authority) whose certificate has expired, connection
attempts to the server failed due to the expired certificate. Now,
expired CA certificates are ignored when TLS_REQCERT is set to never, thus fixing this bug.
-fno-strict-aliasing
option is passed to the compiler to avoid optimizations that can
produce invalid code, and no warning messages are now returned during
the package compilation.
olcDDStolerance option
was shortening TTL (time to live) for dynamic entries, instead of
prolonging it. Consequently, when an OpenLDAP server was configured with
the dds overlay and the olcDDStolerance
option was enabled, the dynamic entries were deleted before their TTL
expired. A patch has been provided to address this issue and the real
lifetime of a dynamic entry is now calculated properly, as described in
documentation.
tlsm_find_and_verify_cert_key()
function. Now, verified certificates and keys are properly disposed of
when their verification fails, and memory leaks no longer occur in the
described scenario.
olcVerifyClient option was set to allow in an OpenLDAP server or the TLS_REQCERT option was set to allow
in a client utility, while the remote peer certificate was invalid,
OpenLDAP server/client connection failed. With this update, invalid
remote peer certificates are ignored, and connections can now be
established in the described scenario.
/ character was printed during the installation. With this update, the responsible RPM scriptlet has been fixed and the / character is no longer printed in the described scenario.
slapo-unique manual
page was missing information about quoting the keywords and URIs
(uniform resource identifiers), and the attribute parameter was not
described in the section about unique_strict configuration options. A
patch has been provided to address these issues and the manual page is
now up-to-date.
cn=config) could only be modified manually when the slapd daemon was not running. With this update, the ldapi:///
interface has been enabled by default, and the ACLs (access control
lists) now enable the root user to modify the server configuration
without stopping the server and using OpenLDAP client tools if he is
authenticated using ldapi:/// and the SASL/EXTERNAL mechanism.
-Wl,-z,relro flags when compiling the package. The openldap package is now provided with partial RELRO protection.
attrd: Cannot append to /var/log/cluster/corosync.log: Permission denied
NameError: global name 'listconfigs' is not defined
dracut: /sbin/load_policy: Can't load policy: No such file or directory
WARNING: Direct use of qemu-kvm from the command line is unsupported. WARNING: Only use via libvirt. WARNING: Some options listed here may not be available in future releases.
512 bytes. With this update, cmsfs-fuse has been modified to detect the label information of FBA-512 disks and the formatted block size is now read from the label. FBA-512 disks can now be mounted with cmsfs-fuse as expected.
512 bytes was larger than 256 MB. With this update, cmsfs-fuse
has been modified to calculate logical addresses correctly, and disks
with a block size of 512 bytes can be written to regardless of their
capacity.
contiguous writes to the file in the fixed record format without any failures.
-o big_writes option, which enables write operations bigger than 4 KB, and the previously written record was larger than a disk block size. With this update, cmsfs-fuse
resets the record length attribute after every write operation, and
writing to a file no longer fails in the scenario described.
qetharp utility did not check the lenght of the given interface name parameter. Therefore, the qetharp command terminated with a buffer overflow when it was executed with an interface name that was longer than 16 bytes. With this update, qetharp checks the length of the interface name parameter, and properly exits with the Error: interface name too long error message if the parameter is longer than it is allowed to be.
free() function call in the configuration file of cmsfs-fuse, the utility attempted to deallocate already freed memory. As a consequence, cmsfs-fuse
expressed unpredictable behavior in the file type translation mode,
such as a no longer accessible file system. With this update, the
superfluous free() function call has been removed, and cmsfs-fuse now behaves as expected.
2 GB. With this update, cmsfs-fuse
has been modified to cast data type of variables, structure members and
functions used in the calculation to a longer data type before
calculating the file size. The cmsfs-fuse utility now works as expected and files larger than 2 GB can now be created.
memory hole, and the chmem utility did not work at all. The lsmem and chmem utilities have been modified to work correctly with non-contiguous memory.
sysfs device tree that was changing. If a device disappeared from the device tree while lscss or lsdasd was attempting to access attributes of the device, the tool displayed pointless error messages. With this update, the lscss and lsdasd code has been modified to suppress the related error messages. In addition, the return code of the lscss -h and lsdasd -h commands has been corrected.
SCSI Generic (sg) driver was loaded in the kernel and sg functionality was thus available. Therefore, lsluns silently failed when it was started and sg functionality was unavailable on the system. With this update, lsluns now includes the missing check and exits with an error message when it is started on the system with the sg functionality unavailable.
HiperSockets and HiperSocket connections, including an explanation on how to configure a HiperSocket device.
DELAY_MINUTES variable to delay restart of a system on kernel panic. However, users expected immediate action, therefore dumpconf has been modified to set the DELAY_MINUTES variable to 0 on system restart. Restart of the system with dumpconf is now triggered immediately.
cpuplugd daemon did not
properly handle lines commented out and did not correctly match strings
in its configuration file. Consequently, lines in the configuration file
that were commented out could be executed, which resulted in a parsing
error, and invalid variable names were sometimes not rejected. The
comment handling and string matching routines has been corrected in the
code, and cpuplugd now behaves as expected when parsing the configuration file.
range from 0 to 11 instead of a range from 1 to 12,
which resulted in timestamps shifted by one month backward. To correct
this problem, returned integer is incremented by one. The zfcpdbf now generates correct timestamps.
lsluns --help command incorrectly suggested using an invalid --ports option. This mistake has been corrected, and the lsluns --help now correctly displays the --port option.
--config or --auto option on a device with no valid disk label, fdasd could stop with the following output:
no known label Should I create a new one? (y/n)
Disc does not contain a VOL1 label, cannot create partitions. exiting...
cpuplugd(8) man page has been modified to correct several typos and add one missing word.
cpuplugd daemon did
not handle a sub-string matching correctly. The daemon also used an
incorrect string length when working with user-defined variables. As a
consequence, the daemon returned a parsing error if a user-defined
variable name matches the prefix of a pre-defined variable, or a
substring of another user-defined variable. With this update, the
sub-string matching has been corrected, and cpuplugd now uses correct
string length in string comparing operations. Parsing errors no longer
occur in the scenario described.
cpuplugd did not use any mechanism to prevent multiple cpuplugd instances from starting. As a consequence, a race between the PID
file creation and a daemon startup could result in multiple cpuplugd
instances running concurrently. To resolve this problem, a file locking
mechanism that uses the flock() function has been introduced in the cpuplugd code. Only one instance of cpuplugd is now allowed to run at the same time.
cpuplugd had previously not implemented sanity checks regarding minimum and maximum values for valid CPU and memory intervals. If a configuration with incorrect intervals was used, the daemon could not work properly, and CPU and memory could not be used optimally. With this update, cpuplugd now includes CPU and memory sanity checks, ensuring its efficiency.
ferror() test, the lsreipl utility returned an error message when it attempted to read an empty sysfs file. With this update, the missing check has been added, and lsreipl no longer returns error messages when attempting to read an empty file.
libzfcphbaapi library was missing some event thread cleanup code in the HBA_FreeLibrary() function. Therefore, the zfcp_ping tool could terminate unexpectedly with a segmentation fault if no on-line adapter was discovered. The missing event thread cleanup has been added in the code using the pthread_cancel and pthread_join functions. The zfcp_ping tool no longer crashes under these circumstances.
grep command in its postinstall and postuninstall scripts but it was not dependent on the grep package. Therefore, error messages were displayed when installing s390utils-iucvterm. With this update, the grep package has been added as a prerequisite for s390utils-iucvterm. No error messages now occur during the package installation.
Logical Unit Numbers (LUNs) without the -a, --active option, the lsluns utility filtered a scan for well known LUNs with value 0xc101000000000000 and 0x0000000000000000, because the SCSI report luns command is sent only to these LUNs. As a consequence, the lsluns -a command did not show all active LUNs but only active well known LUNs. The lsluns utility has been modified to not filter LUNs when issued with the -a option, and it now shows all active LUNs.
exit code 0 even if an error had occured. This update adds the missing return code and the dasdinfo tool now returns correct return code values.
libzfcphbaapi.so common library to the /etc/hba.conf configuration file. Therefore, s390utils-libzfcphbaapi failed to register with the /etc/hba.conf configuration file. With this update, the postinstall script adds the libzfcphbaapi /usr/lib64/libzfcphbaapi-2.1.so line to the /etc/hba.conf configuration file and thus registers the s390utils-libzfcphbaapi package.
--output command line option in the code, although it was referred to as the --outfile option in the documentation. Using the --outfile option as suggested by documentation thus resulted in a ziomon failure. With this update, ziomon has been modified to accept the --outfile command line option as documented.
debugfs file system is mounted on the /sys/kernel/debug/ directory. Therefore, if the mount point was a different directory, ziomon failed. The missing test is now included in ziomon, and it now works as expected: continues if a file system is mounted on the /sys/kernel/debug/ directory, or exits with the ziomon: Error: Debugfs not mounted on /sys/kernel/debug. error message if a file system is mounted on a different mount point.
device-mapper multipath devices, zipl uses the zipl_helper.device-mapper script, which parses output of other programs. If any of these programs had locale dependent output, the script was unable to parse the output. Consequently, zipl terminated with the following error:
Script could not determine target parameters
zipl_helper.device-mapper script has been modified to set up standard locale for the current process and all child processes. The problem described no longer occurs.
Linux 2.6 scheduler provide the same CPU optimization functionality as the cpuplugd daemon does, without the negative effects of cpuplugd operations. Therefore, the cpuplugd daemon is now disabled on the system by default.
cpuplugd daemon has been improved, and cpuplugd now provides more advanced control of the VM Resource Manager (VMRM) Cooperative Memory Management (CMM) memory balloon.
/proc/vmstat and /proc/meminfo files can now be used in cpuplugd rules and user-defined variables.
cpustat.total_ticks variable has been introduced, which simplifies user-defined CPU percentage calculations.
SIGHUP
signal receipt. This could cause the daemon to terminate unexpectedly
with a segmentation fault if the maximum history level increased. The
history data is now re-allocated and re-initialized when the daemon is
reloaded and maximum history level has changed.
sleep() function and for swap rate calculation. This could lead to incorrect data under certain circumstances. The cpuplugd daemon now uses the actual time in its calculations.
re-IPL from multipath devices has been added.
re-IPL from Named Saved System (NSS) has been added.
re-IPL.
auto target" has been added. For the ccw, fcp, and node targets, chreipl can automatically find the correct re-IPL target.
pam_winbind
module stopped operating. As a result, there were failures encountered
if users attempted to log in. With this update, the bug has been fixed
so that pam_winbind now works, as expected.
force create mode parameter was not honored properly. As a result, files created on a mounted Samba share did not properly follow the umask parameter, and files with undesired permissions were created. With this update, the bug has been fixed and no longer occurs.
gidNumber LDAP attribute. Instead, Winbind uses the primaryGroupID LDAP attribute. As a result, setting the gidNumber attribute in AD has no effect for accounts if Winbind is used. With this update, the man pages have been updated accordingly to reflect the aforementioned limitation.
follow symlinks = yes
parameter was not set. This bug has been fixed in this update so that
extracting files from the ZIP archive now works as expected.
service_selinux(8) manual page. Previously, there was no manual page for the MySQL service (mysqld). This update corrects this error, and the selinux-policy packages now provide the mysql_selinux(8) manual page as expected.
userdel -r
command caused Access Vector Cache (AVC) messages to be written to the
audit log. With this update, the relevant policy has been corrected so
that userdel no longer produces these messages.
semanage boolean -l
command contained errors. This update fixes the descriptions of various
SELinux Booleans to ensure the aforementioned command now produces
correct output without errors.
secadm
SELinux user was not allowed to modify SELinux configuration files. With
this update, the relevant SELinux policy has been corrected and the secadm SELinux user can now modify such configuration files as expected.
rsyslogd
service was previously unable to send messages encrypted with the
Transport Layer Security (TLS) protocol. This update corrects the
relevant SELinux policy, and rsyslogd can now send such messages as expected.
fenced_can_ssh Boolean, which allows the fencing agents to use these protocols.
xinetd service was unable to connect to localhost and the operation failed. With this update, xinetd
is now trusted to write outbound packets regardless of the network's or
node's Multi-Level Security (MLS) range, which resolves this issue.
/etc/cgrules.conf configuration file, SELinux incorrectly prevented cgroups
from properly applying rules to NIS users. This update corrects this
error by adding an appropriate policy so that SELinux no longer prevents
cgroups from applying rules to NIS users.
kadmind) was unable to contact the LDAP server and failed to start. This update fixes the relevant policy and kadmind now starts as expected.
sssd service did not work properly and when any user authenticated to the sshd
service using the Generic Security Services Application Program
Interface (GSSAPI), subsequent authentication attempts failed. This
update adds an appropriate security file context for the /var/cache/krb5cache/ directory, which allows sssd to work correctly.
puppetmaster service was not allowed to get attributes of the chage
utility and any attempt to do so caused Access Vector Cache (AVC)
messages to be written to the audit log. With this update, the SELinux
policy rules have been adapted to allow puppetmaster to perform this operation.
/var/spool/postfix/maildrop/ directory to make sure Postfix is now allowed to re-send queued email messages as expected.
/var/lib/squeezeboxserver/ directory having an incorrect security context, an attempt to start the squeezeboxserver
service with SELinux running in enforcing mode failed and Access Vector
Cache (AVC) messages were written to the audit log. With this update,
the security context of this directory has been corrected so that
SELinux no longer prevents squeezeboxserver from starting.
root user (in the unconfined_t domain) ran the ssh-keygen utility and the ~/.ssh/
directory did not exist, the utility created this directory with an
incorrect security context. This update adapts the relevant SELinux
policy to make sure ~/.ssh/ is now created with the correct context (the ssh_home_t type).
sys_module
capabilities, which caused various Access Vector Cache (AVC) messages
to be written to the audit log. With this update, an appropriate dontaudit rule has been added to make sure such messages are no longer logged.
FAT32 or NTFS. This update corrects the SELinux policy so that grubby can now work as expected.
omsnmp module enabled, the latest version of the rsyslog daemon can send log messages as SNMP traps. This update adapts the SELinux policy to support this new functionality.
sys_module
capabilities, which caused various Access Vector Cache (AVC) messages
to be written to the audit log. With this update, an appropriate dontaudit rule has been added to make sure such messages are no longer logged.
6514 (the syslog over TLS port). This update adds a new SELinux policy that allows rsyslog clients to connect to this port.
localhost. This update corrects this error, and the selinux-policy packages now provide updated SELinux rules that allow hddtemp to listen on localhost as expected.
openvpn service failed, because SELinux prevented it. This update provides updated SELinux rules and adds a sys_nice capability so that users are now allowed to modify the scheduling priority as expected.
allow_unconfined_qemu_transition Boolean has been removed to make sure that QEMU is allowed to work together with the libguestfs library.
hostname command when HOST_NAME=`hostname` was specified in the configuration file. This update adapts the SELinux policy to support the aforementioned procmail option.
fileinject
custom property caused Access Vector Cache (AVC) messages to be written
to the audit log. With this update, the relevant SELinux policy has
been corrected to ensure this action no longer produces such messages.
MAXCONN option in the /etc/sysconfig/memcached configuration file was set to a value greater than 1024, an attempt to start the memcached
service caused Access Vector Cache (AVC) messages to be written to the
audit log. This update corrects the relevant SELinux policy so that memcached no longer produces AVC messages in this scenario.
service_selinux(8) manual page. Previously, there was no manual page for the Squid caching proxy (squid). This update corrects this error, and the selinux-policy packages now provide the squid_selinux(8) manual page as expected.
abrtd).
/var/qmail/queue/ directory. With this update, this error has been fixed and the updated SELinux rules now allow these operations.
seinfo -r command incorrectly contained lsassd_t,
which is not a role. This update corrects the relevant policy to make
sure the aforementioned command now produces correct output.
DumpLocation option in the abrt.conf configuration file was set to /tmp/abrt, restarting the abrtd
service caused various Access Vector Cache (AVC) messages to be written
to the audit log. This update corrects the relevant SELinux policy to
add support for this option, and such AVC messages are no longer
reported when the abrtd service is restarted.
/dev/random). This update adds appropriate SELinux rules to grant virsh access to this device.
/etc/passwd.adjunct file to make it possible to use this file on a Network Information Service (NIS) server.
dhcpd daemon, the SELinux policy incorrectly prevented this daemon from setting the setgid and setuid capabilities. This update corrects the relevant SELinux policy so that dhcpd can now work properly.
/etc/dhcp/dhcp6.conf and /etc/rc.d/init.d/dhcpcd6 files had an incorrect security context. This update corrects this error, and both /etc/dhcp/dhcp6.conf and /etc/rc.d/init.d/dhcpcd6 are now labeled correctly.
sanlock
deamon from working properly and various Access Vector Cache (AVC)
messages appeared in the audit log. With this update, an appropriate
SELinux policy has been added so that sanlock can now work as expected.
tcp/119. Since cyrus-master
needs this port in order to run as a Network News Transfer Protocol
(NNTP) server, this update fixes the relevant policy to support this
configuration.
fence_scsi.key file that used to be located in the /var/lib/cluster/ directory has been recently moved to /var/run/cluster/. This update ensures that this file retains the correct security context.
/dev/bsr* devices were incorrectly labeled with the device_t type. This update changes the security context of these devices to cpu_device_t.
sssd service was not allowed to create, delete, or read symbolic links in the /var/lib/sss/pipes/private/ directory. This update corrects the relevant SELinux policy rules to allow sssd to perform these operations.
SECMARK kernel feature.
piranha-gui service was denied access to the /etc/sysconfig/ha/lvs.cf file. This update corrects the SELinux policy to grant piranha-gui this access.
rhev-agentd daemon from getting attributes of all available mount points. This update corrects the relevant SELinux policy so that rhev-agentd can gather all necessary information.
sshd service from getting attributes of the /root/.hushlogin file. This update adds a new type for this file and updates its security context to make sure that sshd can access it as expected.
/var/run/nslcd/
directory, SELinux incorrectly denied this access and wrote relevant
Access Vector Cache (AVC) messages to the audit log. With this update,
this error has been fixed and the selinux-policy packages now provide updated SELinux policy rules that allow finger to access this directory, as expected.
dynamic_ownership option was enabled in the /etc/libvirtd/qemu.conf
configuration file. This update fixes the relevant SELinux policy to
make sure such a USB device can now be correctly attached in this
scenario.
unconfined module was disabled, an attempt to start the dirsrv-admin
service failed and Access Vector Cache (AVC) messages were written to
the audit log. With this update, this error has been fixed and dirsrv-admin now starts as expected in this situation.
sanlock and wdmd services has been added to enable using these services with libvirt and vdsm.
corosync_t domain type.
drbd service has been added.
initrc_t domain: pppoe-server, lldpad, fcoemon, cimserver, uuid, and gatherd.
initrc_t domain.
git_cgit_read_gitosis_content, has been added to allow Gitolite to display a list of available Git repositories.
virt_use_sanlock, has been added to allow the libvirtd daemon to access the sanlock.sock file.
setroubleshootd man page described an option that was not supported by the setroubleshootd service. This update corrects the man page content by removing the unsupported option.
-a/--analyze option with another option (for example, sealert -a ./test-audit.log -b caused sealert to not work properly. This bug has been fixed and sealert alerts the user that the -a/--analyze option can not be used with another option.
Ignore
button in the SETroubleshoot GUI and, consequently, reproducing that
same AVC message, would not ignore that message. With this update, the
underlying source code has been modified to address this issue, and
ignored AVC messages no longer appear in the SETroubleshoot GUI.
show to view the alert brought up the sealert browser but showed no alerts. An error message was also logged in /var/log/messages. This was because the /var/lib/setroubleshoot/setroubleshoot_database.xml
database contained localized content which could not be parsed. With
this update, the aforementioned database no longer contains localized
content, and the sealert browser correctly shows all alerts.
sealert -s or sealert -S commands failed with a segmentation fault when LANG was set to Japanese (LANG=ja-JP). With this update, the underlying source code has been modified to address this issue, and the sealert command no longer fails on localized file analyses.
net-pf-10 kernel module. The appropriate setroubleshoot plugin was updated to not display these messages when IPv6 is blacklisted. It is recommended that users disable IPv6 using the /etc/sysctl.conf file. In such a case, AVC messages do not appear at all.
report library to send problem reports to Bugzilla. To unify configuration for bug reporting, a new library (libreport) was created, which unifies problem reporting in all applications. With this update, setroubleshoot uses the new libreport library for problem reporting.
"smartd: internal error in MailWarning(): cfg.mailwarn->emailfreq=0"
yum plug-in option attempted to gather the repository list, but this option was broken: running sosreport -k yum.yumlist=True returned the following error:
no such option "yumlist" for plugin (yum)" error yum plug-in option is usable, and instead will include the output of the yum list command, if enabled (sosreport -k yum.yumlist=True). As this operation can be slow, yum.yumlist is disabled by default.
/etc/nslcd.conf file. Consequently, no nslcd.conf file was found when running sosreport. With this update, sos now includes /etc/nslcd.conf in its reports on systems that are using the nss-pam-ldapd nsswitch module.
/sbin/chkconfig --list autofs command. This update corrects the problem and the output of chkconfig --list autofs is now correctly stored in the sos_commands/autofs/chkconfig_--list_autofs file.
stdout.strip()
function on the returned command output and the function truncated the
leading and trailing whitespace characters. With this update, the
function is no longer called in this situation and the returned command
output is correct.
checkenabled() function was looking for the qpid package. However, no such package exists. With this update, the checkenabled() function now looks for the correct qpid-tool packages and sosreport
gathers all the relevant qpid data as expected. In addition, a much
greater set of configuration files and tool output is collected in this
version.
hardware.py
plug-in was incorrect. Therefore the utility failed to locate and
capture data from the plug-in. With this update, the path has been
corrected and the problem no longer occurs.
lsusb, lsusb -v, and lsusb -t commands is now collected by sosreport using the hardware plug-in.
ibv_devices and ibv_devinfo commands in the sosreport debugging archive.
/etc/tgt/targets.conf file and the output of tgtadm --lld iscsi --op show --mode target command in the sosreport debugging archive.
syslogsize
option was specified. With this update, such files are truncated to 15
MB, in such a manner as to include the latest events, and saved in the /sosreport/sos_commands/ directory.
/etc/init directory.
brctl show and brctl showstp commands.
/proc/vmmemctl.
/etc/rhsm/ content.
ethtool -g, ethtool -c, and ethtool -a commands by default.
supportedControl attribute of the server rootDSE entry, SSSD terminated unexpectedly with a segmentation fault. With this update, this bug has been fixed.
inotify kernel subsystem to detect whether a Domain Name System (DNS) resolver file was changed. If inotify returned an error (for example due to resource exhaustion), SSSD terminated unexpectedly and network logins no longer worked. With this update, SSSD itself detects the failure in the described scenario and falls back to the five-second polling, fixing this bug.
/etc/resolv.conf file, if the first one failed to resolve a hostname. As a result, SSSD
switched to offline mode without asking the other configured name
servers. With this update, the bug has been fixed by configuring the
resolver to query all name servers so that hostname resolution correctly
retries until it either queries all the configured name servers or
resolves the hostname.
ldap_default_authtok option was used, the ldap_default_authtok_type option was set to password even if it was not explicitly specified in the configuration file. With this update, password has been made the default value for the ldap_default_authtok_type option, thus the bug is now fixed.
GID=0 set which acted like a "root" group. As a result, the operation that processed members belonging to the group with GID=0 was aborted. With this update, groups with GID=0
are treated as non-POSIX groups (that is groups that are containers
only and not reported to clients) so that the groups are handled
gracefully.
pam_sss module even though the packet was corrupt. As a result, the SSSD PAM responder terminated unexpectedly. With this update, SSSD
now detects if the response packet is already created so that in case
of the error, the client will be forcibly disconnected and the SSSD will not crash.
/var/tmp/
directory. Because the file names are not standardized, they were not
handled by the Security-Enhanced Linux (SELinux) policy correctly. As a
result, when using SELinux in Enforcing mode, SSSD did not work with the option krb5_validate set to true.
With this update, support to specify the Kerberos replay cache
directory, both at compilation time and in the configuration file, has
been added into SSSD,
also a corresponding SELinux policy update has been made to accomodate
the Kerberos replay cache directory, thus the bug is fixed.
libunistring for performing string comparisons where applicable so that SSSD is able to handle UTF-8 strings in the host-based access control rules.
ccache file for the user if the old ccache
file had already expired. The SSH daemon used different processes with
different UID values for different parts of the login process. As a
result, if a user password expired after the user logged in, SSSD was unable to switch to a new ccache. With this update, SSSD forces removal of the old ccache if the Kerberos authentication subprocess returns a special PAM_NEW_AUTHTOK_REQD return code so that SSSD is able to recreate a ccache file instead of an existing (but inactive) ccache file for a user who logs in via SSH with an expired password.
sssd daemon package did not explicitly specify that it required the sssd-client package of the same architecture. As a result, it was difficult to specify to install both primary and secondary architecture sssd-client packages on multiarch systems. With this update, the main sssd package now requires the sssd-client package of the same architecture, thus the bug is fixed.
/etc/krb5.conf file is used in the case mentioned above.
krb5_renew_interval parameter.
ipa_server
parameter resolves to. Previously, when the hostname resolved to an
IPv6 address, the LDAP URI routines returned an error. As a result, the
IPA provider was unable to function correctly in an IPv6 environment.
With this update, the IPA provider now escapes all IPv6 addresses so
that they can be consumed by the LDAP routines correctly, thus the bug
is fixed.
member attribute had different value than what was determined as the primary name for that member object. With this update, SSSD stores all user name or group name aliases in the cache. When determining the membership structure, SSSD checks for aliases in addition to the primary name so that the membership structure is correctly determined and returned.
initgroups
operation performed too many disk writes, thus slowing the operation
down. With this update, all entities retrieved from the remote server
are first stored in an internal hash table, and then only a single
transaction is used to store all the groups and their memberships so
that the initgroups operation is now faster, especially for users who are members of a large number of groups.
initgroups
and login operations failed for users whose user names contained
special characters. With this update, the user names are now escaped,
thus the bug is fixed.
initgroups operation. As a result, the initgroups
operation failed. With this update, the IPA provider has been fixed so
that the provider now gracefully handles users without group memberships
and the initgroups operation succeeds for users who are not members of any group.
ldap_uri parameter was incorrectly configured so that the hostname part was missing, SSSD stored NULL in the pointer, in which the hostname was saved, and used it later on for establishing a connection. As a result, SSSD
accessed the NULL pointer and terminated unexpectedly. With this
update, the URI parsing function has been changed so it aborts when it
cannot parse a valid hostname from the specified URI. SSSD reports an error and does not crash when an invalid ldap_uri parameter is used in the configuration file.
simple access provider in SSSD required that the user primary group was available to SSSD. As a result, the simple access provider did not work for users whose primary group was a local group stored in the /etc/group file because SSSD only handles remote groups. With this update, the failure to find the user primary group in the simple access provider is no longer treated as fatal so that users with the local primary group are handled correctly by the simple access provider.
pam_sss module. As a result, tools that communicate directly with the password-change servers (for example kpasswd) were unable to operate. With this update, SSSD always passes the IP addresses of password change servers to the Kerberos library, thus the bug is fixed.
initgroups() operations, SSSD
consumed extensive amount of memory, especially for complex membership
structures. With this update, the problem with the memory consumption
has been fixed.
initgroups() operation did not return all groups correctly. With this update, SSSD has been changed so that it can examine non-UNIX groups for potential UNIX nested member groups. SSSD is now able to return the complete list of groups even if the hierarchy mixes UNIX and non-UNIX groups.
ipa_hbac_treat_deny_as has been added to SSSD. The default value for the option is DENY_ALL, which means that any DENY rule in the whole set of rules will deny access regardless of what is the actual rule. Alternatively, the option can be set to IGNORE to skip the DENY rules.
DENY rules altogether, setting the ipa_hbac_treat_deny_as option to IGNORE may, under certain circumstances, allow access to users who are not intended to be allowed.
~]#rm -f /etc/pki/entitlement/*~]#subscription-manager refresh
[Errno 14] PYCURL ERROR 22 - "NSS: private key not found for certificate: PEM Token #1:1310636811763322869.pem"
ERROR: Unable to canonicalize path [...]: No such file or directorySystemTap now loads the correct uprobe module and user-space application probing works as expected with the "--remote" option even if the uprobe kernel module is not currently loaded on remote machine.
| Revision History | ||||
|---|---|---|---|---|
| Revision 1-0 | Tue Dec 6 2011 | |||
| ||||