The network --defroute option now works correctly in the %include script

Previously, the network --defroute option got ignored when used in the %include script during the kickstart installation. As a consequence, the device was set as the default route. With this update, the kickstart installation does not ignore the network --defroute option added in the %include script and the network connection is configured as expected. ( BZ#1990145 )

ubprocess.CalledProcessError: Command '['/usr/bin/xorrisofs', '-verbose', '-V', 'RHEL-8-5-0-BaseOS-x86_64', '-sysid', 'LINUX', '-isohybrid-mbr', '/usr/share/syslinux/isohdpfx.bin', '-b', 'isolinux/isolinux.bin', '-c', 'isolinux/boot.cat', '-boot-load-size', '4', '-boot-info-table', '-no-emul-boot', '-rock', '-joliet', '-eltorito-alt-boot', '-e', 'images/efiboot.img', '-no-emul-boot', '-isohybrid-gpt-basdat', '-o', '/run/osbuild/tree/installer.iso', '/run/osbuild/inputs/tree']' returned non-zero exit status 32.

Running createrepo_c --update on a modular repository now preserves modular metadata in it

Previously, when running the createrepo_c --update command on an already existing modular repository without the original source of modular metadata present, the default policy was to remove all additional metadata including modular metadata from this repository, which, consequently, broke it. To preserve metadata, it required running the createrepo_c --update command with the additional --keep-all-metadata option. With this update, you can preserve modular metadata on a modular repository by running createrepo_c --update without any additional option. To remove additional metadata, you can use the new --discard-additional-metadata option. ( BZ#1992209 )

Errors during the installation of the info subpackage do not happen anymore

Previously the fix-info-dir script expected the existence of a /dev/null file. With a new version of the texinfo package for software documentation, the installation of the info subpackage does not fail on systems that do not contain the /dev/null special file. Now the fix-info-dir script does not expect the existence of the /dev/null file, and avoids the possibility of an infinite loop. ( BZ#2022201 )

ERROR: LVM 'lvmdev' entry in /var/lib/rear/layout/disklayout.conf where volume_group or device is empty or more than one word

With this update, ReaR now comments out unused PVs in the disk layout file and is thus able to back up a system with unused PVs correctly. (BZ#2048454)

Remote users are no longer repetitively prompted to access smart cards

Previously, the polkit policy for the pcscd daemon incorrectly requested user interaction. As a consequence, non-local and non-privileged users could not access smart cards and encountered large numbers of prompts. With this update, the pcsc-lite package policy no longer includes the interactive prompts. As a result, remote card users are no longer repeatedly asked for privilege escalation. For additional information about adjusting the policy to escalate privileges of non-privileged users, see Controlling access to smart cards using polkit in Security hardening in RHEL product documentation. ( BZ#1928154 )

NetworkManager now uses a static IPv4 IP address as primary

The main purpose of primary and secondary addresses is to enable source address selection for connections that are not yet bound to an IP address. For these connections, the kernel automatically chooses an address. In a NetworkManager connection profile, you can configure a static IPv4 address and DHCP at the same time for one connection. Previously, if you configured a connection with DHCP and a static IPv4 address from the same range as the one provided by the DHCP server, NetworkManager incorrectly assigned the IP address that it received from the DHCP server as primary and the static IP address as secondary. RHEL 8.6 changes this to the intended behavior. As a result, if you configure both a static IPv4 address and DHCP in one connection profile, the static IP address is now always the primary and the address received from the DHCP server the secondary. Additionally, NetworkManager now also sets the src attribute for routes assigned by a DHCP server. With this functionality, destinations reachable through these routes use the IP address received from the DHCP server as a source. (BZ#2096256)

The dmidecode --type 17 command now successfully decodes DDR5 memory information

Previously, the dmidecode command failed to decode the DDR5 memory information. Consequently, dmidecode --type 17 returned the <OUT OF SPEC> message. The latest update of the package ( dmidecode-3.3-3.el8 ) has fixed this problem. As a result, dmidecode --type 17 now successfully decodes DDR5 memory information. (BZ#2027665)

xfsrestore command works correctly while restoring a backup

Previously, while restoring a backup created using the xfsdump command, xfsrestore created an orphanage directory. As a consequence, a few files were moved into the created orphanage directory with the following messages:

The -j flag now works when used in a Makefile

Previously, when you added the -j flag to MAKEFLAGS inside the Makefile, the targets were built sequentially instead of in parallel. This bug has been fixed, and now the targets are built at the same time when you use the -j flag in the Makefile. ( BZ#2004246 )

Certmonger can now automatically renew SCEP certificates with AD when challengePassword is required for enrollment

Previously, requests for renewal of SCEP certificates sent by certmonger to an Active Directory (AD) Network Device Enrollment Service (NDES) server included the challengePassword used to originally obtain the certificate. However, AD treats challengePassword as a one-time password (OTP). As a consequence, the renewal request was rejected. This update adds the challenge_password_otp option to certmonger . When enabled, this option prevents certmonger from sending the OTP with the SCEP renewal request. The administrator must also add the DisableRenewalSubjectNameMatch entry with a value of 1 to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP subkey in the AD registry. With this modification, AD no longer requires the signer certificate and requested certificate subject names to match. As a result, the SCEP certificate renewal is successful. To configure certmonger and the AD server for SCEP renewals to work: Open regedit on the AD server. In the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP subkey, add a new 32-bit REG_DWORD entry DisableRenewalSubjectNameMatch and set its value to 1 . On the server where certmonger is running, open the /etc/certmonger/certmonger.conf file and add the following section:

[scep]
challenge_password_otp = yes

# systemctl restart certmonger

FreeRADIUS proxy server no longer stops working when a second FreeRADIUS server is unavailable

When a FreeRADIUS server is configured as a proxy server it forwards request messages to another FreeRADIUS server. Previously, if the connection between these two servers was interrupted, the FreeRADIUS proxy server stopped working. With this fix, the FreeRADIUS proxy server is now able to reestablish a connection when the other server becomes available. ( BZ#2030173 )

Matrox GPU with a VGA display now works as expected

Prior to this release, your display showed no graphical output if you used the following system configuration: A GPU in the Matrox MGA G200 family A display connected over the VGA controller UEFI switched to legacy mode As a consequence, you could not use or install RHEL on this configuration. With this update, the mgag200 driver has been significantly rewritten, and as a result, the graphics output now works as expected. (BZ#1953926)

A playbook using the Metrics role completes successfully on multiple runs even if the Grafana admin password is changed

Previously, changes to the Grafana admin user password after running the Metrics role with the metrics_graph_service: yes boolean caused failure on subsequent runs of the Metrics role. This led to failures of playbooks using the Metrics role, and the affected systems were only partially set up for performance analysis. Now, the Metrics role uses the Grafana deployment API when it is available and no longer requires knowledge of username or password to perform the necessary configuration actions. As a result, a playbook using the Metrics role completes successfully on multiple runs even if the administrator changes the Grafana admin password. ( BZ#1967321 )

nm-connection-error-quark: ipv6.dns-search: this property is not allowed for 'method=ignore' (7)

strict NUMA binding policy no longer allows for moving runtime memory

Previously, when the strict NUMA binding policy was enabled in a VM ( <memory mode='strict'/> ), attempting to move runtime memory from that VM to another NUMA node in some cases partly or completely failed. To avoid this problem, the strict policy now completely prohibits moving runtime memory. In addition, the restrictive policy has been added, which works like the strict policy did previously. This means that it does allow for moving runtime memory to other NUMA nodes, but cannot ensure that the memory is moved completely. (BZ#2014369)

Rootless containers created in RHEL 8.5 and earlier using fuse-overlayfs now recognize removed files

Previously, in RHEL 8.4 and earlier, rootless images and containers were created or stored using the fuse-overlayfs file system. Using such images and containers in RHEL 8.5 and later introduced problems for unprivileged users using the overlayfs implementation provided by the kernel and who had removed files or directories from a container or from an image in RHEL 8.4. This problem did not apply to containers created by the root account. As a consequence, files or directories that were removed from a container or from an image were marked as such using the whiteout format when using the fuse-overlayfs file system. However, due to differences in the format, the kernel overlayfs implementation did not recognize the whiteout format created by fuse-overlayfs. As a result, any removed files or directories still appeared. This problem did not apply to containers created by the root account. With this update, the problem is solved. (JIRA:RHELPLAN-92741)

FDO process available as a Technology Preview

The FDO process for automatic provisioning and onboarding RHEL for Edge images is available as a Technology Preview. With that, you can build a RHEL for Edge Simplified Installer image, provision it to a RHEL for Edge image, and use the FDO (FIDO device onboarding) process to automatically provision and onboard your Edge devices, exchange data with other devices and systems connected on the networks. As a result, the FIDO device onboarding protocol performs device initialization at the manufacturing stage and then late binding to actually use the device. (BZ#1989930)

ReaR available on the 64-bit IBM Z architecture as a Technology Preview

Basic Relax and Recover (ReaR) functionality is now available on the 64-bit IBM Z architecture as a Technology Preview. You can create a ReaR rescue image on IBM Z only in the z/VM environment. Backing up and recovering logical partitions (LPARs) has not been tested. The only output method currently available is Initial Program Load (IPL). IPL produces a kernel and an initial ramdisk (initrd) that can be used with the zIPL bootloader.

AF_XDP available as a Technology Preview

Address Family eXpress Data Path ( AF_XDP ) socket is designed for high-performance packet processing. It accompanies XDP and grants efficient redirection of programmatically selected packets to user space applications for further processing. (BZ#1633143)

# tc filter add dev enp0s1 ingress protocol mpls_uc flower mpls lse depth 1 label 12323 lse depth 2 label 45832 \
action mpls dec_ttl pipe \
action mpls modify label 549386 pipe \
action pedit ex munge eth dst set 00:00:5E:00:53:01 pipe \
action pedit ex munge eth src set 00:00:5E:00:53:02 pipe \
action mirred egress redirect dev enp0s2

# yum install nispor

# yum install nmstate

The kexec fast reboot feature is available as a Technology Preview

The kexec fast reboot feature continues to be available as a Technology Preview. The kexec fast reboot significantly speeds the boot process as the kernel enables booting directly into the second kernel without passing through the Basic Input/Output System (BIOS) first. To use this feature: Load the kexec kernel manually. Reboot the operating system. ( BZ#1769727 )

File system DAX is now available for ext4 and XFS as a Technology Preview

In Red Hat Enterprise Linux 8, the file system DAX is available as a Technology Preview. DAX provides a means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that provides the capability of DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, a mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space. (BZ#1627455)

# xfs_info /mount-point | grep ftype

Pacemaker podman bundles available as a Technology Preview

Pacemaker container bundles now run on Podman, with the container bundle feature being available as a Technology Preview. There is one exception to this feature being Technology Preview: Red Hat fully supports the use of Pacemaker bundles for Red Hat Openstack. (BZ#1619620)

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as a Technology Preview. Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements could change the behavior of a command in an incompatible way. Users are now able to continue using existing tools and scripts even if the IdM API changes. This enables: Administrators to use previous or later versions of IdM on the server than on the managing client. Developers can use a specific version of an IdM call, even if the IdM version changes on the server. In all cases, the communication with the server is possible, regardless if one side uses, for example, a newer version that introduces new options for a feature. For details on using the API, see Using the Identity Management API to Communicate with the IdM Server (TECHNOLOGY PREVIEW) . ( BZ#1664719 )

# ipa-acme-manage enable
The ipa-acme-manage command was successful

# ipa-acme-manage disable
The ipa-acme-manage command was successful

# ipa-acme-manage status
ACME is enabled
The ipa-acme-manage command was successful

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is now available for the 64-bit ARM architecture as a Technology Preview. This enables administrators to configure and manage servers from a graphical user interface (GUI) remotely, using the VNC session. As a consequence, new administration applications are available on the 64-bit ARM architecture. For example: Disk Usage Analyzer ( baobab ), Firewall Configuration ( firewall-config ), Red Hat Subscription Manager ( subscription-manager ), or the Firefox web browser. Using Firefox , administrators can connect to the local Cockpit daemon remotely. (JIRA:RHELPLAN-27394, BZ#1667225, BZ#1667516, BZ#1724302 )

VNC remote console available as a Technology Preview for the 64-bit ARM architecture

On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available as a Technology Preview. Note that the rest of the graphics stack is currently unverified for the 64-bit ARM architecture. (BZ#1698565)

Stratis available as a Technology Preview in the RHEL web console

With this update, the Red Hat Enterprise Linux web console provides the ability to manage Stratis storage as a Technology Preview. To learn more about Stratis, see What is Stratis . (JIRA:RHELPLAN-108438)

AMD SEV and SEV-ES for KVM virtual machines

As a Technology Preview, RHEL 8 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM. In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host from modifying the VM’s CPU registers or reading any information from them. Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. Also note that RHEL 8 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security attestation. (BZ#1501618, BZ#1501607, JIRA:RHELPLAN-7677)

Toolbox is available as a Technology Preview

Previously, the Toolbox utility was based on RHEL CoreOS github.com/coreos/toolbox. With this release, Toolbox has been replaced with github.com/containers/toolbox. (JIRA:RHELPLAN-77238)

Several Kickstart commands and options have been deprecated

Using the following commands and options in RHEL 8 Kickstart files will print a warning in the logs: auth or authconfig device deviceprobe dmraid install lilocheck mouse multipath bootloader --upgrade ignoredisk --interactive partition --active reboot --kexec Where only specific options are listed, the base command and its other options are still available and not deprecated. For more details and related changes in Kickstart, see the Kickstart changes section of the Considerations in adopting RHEL 8 document. (BZ#1642765)

rpmbuild --sign is deprecated

The rpmbuild --sign command is deprecated since RHEL 8.1. Using this command in future releases of Red Hat Enterprise Linux can result in an error. It is recommended that you use the rpmsign command instead. ( BZ#1688849 )

The OpenEXR component has been deprecated

The OpenEXR component has been deprecated. Hence, the support for the EXR image format has been dropped from the imagecodecs module. ( BZ#1886310 )

NSS SEED ciphers are deprecated

The Mozilla Network Security Services ( NSS ) library will not support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends enabling support for other cipher suites. Note that SEED ciphers are already disabled by default in RHEL. ( BZ#1817533 )

# update-crypto-policies --set LEGACY

For more information, see the Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal and the update-crypto-policies(8) man page. ( BZ#1660839 )

Network scripts are deprecated in RHEL 8

Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by default. The basic installation provides a new version of the ifup and ifdown scripts which call the NetworkManager service through the nmcli tool. In Red Hat Enterprise Linux 8, to run the ifup and the ifdown scripts, NetworkManager must be running. Note that custom commands in /sbin/ifup-local , ifdown-pre-local and ifdown-local scripts are not executed. If any of these scripts are required, the installation of the deprecated network scripts in the system is still possible with the following command:

~]# yum install network-scripts

The ifup and ifdown scripts link to the installed legacy network scripts. Calling the legacy network scripts shows a warning about their deprecation. (BZ#1647725)

Kernel live patching now covers all RHEL minor releases

Since RHEL 8.1, kernel live patches have been provided for selected minor release streams of RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important Common Vulnerabilities and Exposures (CVEs). To accommodate the maximum number of concurrently covered kernels and use cases, the support window for each live patch will be decreased from 12 to 6 months for every minor, major and zStream version of the kernel. It means that on the day a kernel live patch is released, it will cover every minor release and scheduled errata kernel delivered in the past 6 months. For example, 8.4.x will have a one-year support window, but 8.4.x+1 will have 6 months. For more information about this feature, see Applying patches with kernel live patching . For details about available kernel live patches, see Kernel Live Patch life cycles . ( BZ#1958250 )

The kernelopts environment variable has been deprecated

In RHEL 8, the kernel command-line parameters for systems using the GRUB2 bootloader were defined in the kernelopts environment variable. The variable was stored in the /boot/grub2/grubenv file for each kernel boot entry. However, storing the kernel command-line parameters using kernelopts was not robust. Therefore, with a future major update of RHEL, kernelopts will be removed and the kernel command-line parameters will be stored in the Boot Loader Specification (BLS) snippet instead. ( BZ#2060759 )

VDO write modes other than async are deprecated

VDO supports several write modes in RHEL 8: async async-unsafe Starting with RHEL 8.4, the following write modes are deprecated: Devices above the VDO layer cannot recognize if VDO is synchronous, and consequently, the devices cannot take advantage of the VDO sync mode.