Part I. Notable Bug Fixes
This part describes bugs fixed in Red Hat Enterprise Linux 6.8 that have a significant impact on users.
Chapter 3. General Updates
abrt no longer missing a dependency on python-argparse
A previously missing dependency of the abrt packages on the python-argparse package, which resulted in errors like ImportError: No module named argparse, has been fixed. This problem usually occurred if customers upgraded from an earlier version of Red Hat Enterprise Linux, or during a fresh installation if customers removed the nfs-utils or ipa-client packages. (BZ#1246539)
rds-stress can now correctly send messages of varying size
The rds-stress command previously could not send Reliable Datagram Sockets (RDS) messages of varying sizes if RDMA was enabled due to bugs in both the kernel and in the rds-tools package. These bugs have been fixed and you can now send RDS messages of any size as expected. (BZ#746716)
Chapter 4. Authentication and Interoperability
The ca.subsystem.certreq parameter is no longer reported missing
Previously, Identity Management (IdM) expected the ca.subsystem.certreq parameter to be defined in the CS.cfg public key infrastructure (PKI) configuration file. When starting the IdM server, an error occurred if ca.subsystem.certreq was missing. The error was not necessary because neither PKI nor IdM services use the parameter. To fix this problem, PKI code has been updated to ensure the parameter is only retrieved if it exists. (BZ#1313207)
The ipa-server-install utility no longer terminates unexpectedly due to unexpected comment lines in CS.cfg
An attempt to install an Identity Management server previously sometimes failed due to a problem with the pki-common package. The failure occurred because the CS.cfg certificate authority (CA) configuration file, which was being parsed, contained unexpected comment lines before configuration. This problem has been fixed by making the parsing code ignore comment and blank lines. (BZ#1306989)
Installing an IdM server no longer fails if Java 1.8 is installed
The Public Key Infrastructure (PKI) server, included in Identity Management (IdM), supports Java version 1.7 on Red Hat Enterprise Linux 6. The ipa-server-install installation script failed on systems where the java-1.8 package was installed and selected as the current system java using the alternatives utility. To fix this problem, the pki-core code has been updated to bypass alternatives on Red Hat Enterprise Linux 6 by forcing PKI servers to always run under OpenJDK version 1.7 regardless of the version of java selected using alternatives. (BZ#1290535)
Samba no longer denies access when sharing the root directory of the system
Previously, due to a missing path check, Samba denied access when sharing the root directory of the system by using the path = / setting in the /etc/samba/smb.conf file. With this update, Samba no longer incorrectly treats the / path as a symbolic link and does not incorrectly deny access in the described situation. (BZ#1305870)
Acquiring keytabs takes longer with SELinux after memory leaks have been fixed
Previously, SELinux support in the krb5 packages caused krb5 to leak memory. This bug has been fixed. Note that acquiring keytabs now takes longer than before when SELinux is in enforcing or permissive mode. (BZ#1311287)
sudo smart refresh updates no longer fail due to USN parsing errors
System Security Services Daemon (SSSD) did not correctly handle the format of the modifyTimestamp attribute of the OpenLDAP server. Consequently, smart refresh updates for the sudo utility did not work. After the user changed a sudo rule with SSSD running, the logs showed an error stating that SSSD was unable to parse the Update Sequence Number (USN) scheme. This update fixes the problem, and smart refresh updates now work in the described situation. (BZ#1312062)
SSSD stores sudo rules correctly when id_provider = ipa is set
Identity Management version 3.0 and previous use a different format for the ipasudocmd distinguished name (DN). Consequently, the System Security Services Daemon (SSSD) service was unable to store sudo rules correctly when the id_provider option was set to ipa in the /etc/sssd/sssd.conf file. This update fixes the problem, and sudo rules now work as expected in the described situation. (BZ#1313940)
The user is prompted for smart card PIN as expected
Due to insufficient SELinux policy rules, the ppl_child process, running in the sssd_t SELinux domain, was unable to manage the authentication cache and connect to Apache ports. Consequently, the system did not prompt the user for smart card PIN. The SELinux policy rules, provided by the selinux-policy package, have been updated to allow this functionality. As a result, the user is prompted for smart card PIN as expected in the described situation. (BZ#1299066)
Cloning a PKI server with an externally-signed CA certificate to Red Hat Enterprise Linux 7 no longer fails
Previously, when a Red Hat Enterprise Linux 6 public key
infrastructure (PKI) server was installed with an externally-signed
certificate authority (CA) certificate, the subsystem user was not
created properly. Consequently, cloning to Red Hat Enterprise Linux 7
failed.
For new Red Hat Enterprise Linux 6 installations, the code has been
fixed to create the subsystem user, add it to the subsystem group, and
map the subsystem certificate to the user properly. For existing Red Hat
Enterprise Linux 6 installations, the code has been modified to
automatically restore the subsystem user to the correct configuration on
restart.
As a result, cloning to Red Hat Enterprise Linux 7 now succeeds in the described situation. (BZ#1256039)
ypserv no longer fails if the domainname parameter is unset
Previously, the ypserv service failed to start when the domainname parameter was not set in the /etc/init.d/ypserv file. This update moves the check for domainname to the yppasswdd service, and in the described circumstances, ypserv now starts as expected. (BZ#456249)
yppasswd now correctly reports a failure of a user password change
Prior to this update, when the yppasswd service failed to change the password of a yppasswdd user, it still reported a success. A test has been added to yppasswdd that verifies whether the write operation was successful. As a result, if yppasswdd fails to change a user password, an error message is now logged about it. (BZ#747334)
ypserv now correctly reports a non-existent map
The ypserv service previously incorrectly returned an Internal NIS error error message when a NIS client asked for a non-existent map using the yp_first or yp_next system calls. Now, ypserv correctly returns the No such map in server's domain error message in this scenario. (BZ#988203)
mknetid no longer crashes when the passwd file contains empty lines or an unexpected format
Previously, using the mknetid utility on the passwd file with empty lines or an unexpected format in some cases caused mknetid to terminate unexpectedly. With this update, mknetid ignores the redundant elements in the passwd file, and no longer crashes in the situation described. (BZ#1071962)
ypbind no longer restarts on every renewal of DHCP
Prior to this update, the ypbind service restarted on every renewal of the dynamic host configuration protocol (DHCP), which caused NIS lookups to be slower, and in some cases to time out. Now, ypbind restarts on a DHCP renewal only if any changes occurred on the NIS domain or the NIS server. As a result, NIS lookups are faster and experience fewer timeouts. (BZ#1238771)
Pacemaker does not update the fail count when on-fail=ignore is used
When a resource in a Pacemaker cluster failed to start, Pacemaker updated the resource's last failure time and fail count, even if the on-fail=ignore option was used. This could cause unwanted resource migrations. Now, Pacemaker does not update the fail count when on-fail=ignore is used. As a result, the failure is displayed in the cluster status output, but is properly ignored and thus does not cause resource migration. (BZ#1200853)
pacemaker and other Corosync clients again connect successfully
Previously, the libqb library had a limited buffer size when building
names for IPC sockets. If the process IDs on the system exceeded 5
digits, they were truncated and the IPC socket names could become
non-unique. As a consequence, clients of the Corosync cluster manager
could fail to connect and could exit, assuming the cluster services were
unavailable. This could include pacemaker which could fail, leaving no
cluster services running. This update increases the buffer size used for
building IPC socket names to cover the maximum possible process ID
number. As a result, pacemaker and other Corosync clients start
consistently and continue running regardless of the process ID size.
(BZ#1276345)
Security features added to the luci interface to prevent clickjacking
Previously, luci was not defended against clickjacking, a technique to attack a web site in which a user is tricked into performing unintended or malicious actions through purposefully injected elements on top of the genuine web page. To guard against this type of attack, luci is now served with X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none' headers that are intended to prevent luci pages from being contained within external, possibly malicious, web pages. Additionally, when a user configures luci to use a custom certificate that is properly anchored with a recognized CA certificate, a Strict-Transport-Security mechanism with a validity period of 7 days is enforced in newer web browsers, also by means of a dedicated HTTP header. These new static HTTP headers can be deactivated, should it be necessary to overcome incompatibilities, and a user can add custom static HTTP headers in the /etc/sysconfig/luci file, which provides examples. (BZ#1270958)
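As an added example (not part of the release note or of luci itself), the following Python check audits a captured response head for the three headers described above. The function names, finding strings and sample responses are constructed for illustration; only the header names and values come from the text.

```python
SEVEN_DAYS = 7 * 24 * 3600  # the 7-day HSTS validity period from the release note


def parse_head(raw):
    """Return {lower-cased header name: [values]} from a raw HTTP response head."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # [0] is the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(policy):
    """Sources of the first frame-ancestors directive in one policy, else None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]  # first occurrence wins
    return None


def hsts_max_age(value):
    """max-age in seconds from a Strict-Transport-Security value, else None."""
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        val = val.strip().strip('"')
        if sep and key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def audit(raw, expect_hsts=False):
    """Return a list of findings; an empty list means the head matches the note."""
    head = parse_head(raw)
    findings = []

    xfo = {v.upper() for v in head.get("x-frame-options", [])}
    if not xfo:
        findings.append("x-frame-options: missing")
    elif xfo != {"DENY"}:
        findings.append("x-frame-options: not DENY")

    # Every delivered policy is enforced, so one policy with 'none' is enough.
    policies = [p for v in head.get("content-security-policy", []) for p in v.split(",")]
    ancestors = [a for a in map(frame_ancestors, policies) if a is not None]
    if not ancestors:
        findings.append("content-security-policy: no frame-ancestors directive")
    elif ["'none'"] not in ancestors:
        findings.append("content-security-policy: frame-ancestors is not 'none'")

    if expect_hsts:  # set this only for HTTPS with a CA-anchored certificate
        sts = head.get("strict-transport-security", [])
        age = hsts_max_age(sts[0]) if sts else None  # browsers use the first STS header
        if not sts:
            findings.append("strict-transport-security: missing")
        elif age is None or age < SEVEN_DAYS:
            findings.append("strict-transport-security: max-age below 7 days")
    return findings


# Constructed sample response heads (not captured from a real luci instance).
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "Strict-Transport-Security: max-age=604800\r\n"
    "\r\n"
)
LEGACY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("legacy", LEGACY), ("weak", WEAK)):
        print(label, audit(raw, expect_hsts=(label != "legacy")))
```

An empty findings list after an update confirms that the static headers have not been deactivated or overridden through /etc/sysconfig/luci.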
glusterfs can now properly recover from failed synchronization of cached writes to backend
Previously, if synchronization of cached writes to a Gluster backend failed due to a lack of space, write-behind marked the file descriptor (fd) as bad. This meant virtual machines could not recover and could not be restarted after synchronization to backend failed for any reason.
With this update, glusterfs retries synchronization to backend on error until synchronization succeeds until a flush. Additionally, file descriptors are not marked as bad in this scenario, and only operations overlapping with regions with failed synchronizations fail until the synchronization is successful. Virtual machines can therefore be resumed normally once the underlying error condition is fixed and synchronization to backend succeeds. (BZ#1171261)
Fixed an AVC denial error when setting up Gluster storage on NFS Ganesha clusters
Attempting to set up Gluster storage on an NFS-Ganesha cluster previously failed due to an Access Vector Cache (AVC) denial error. The responsible SELinux policy has been adjusted to allow handling of volumes mounted by NFS-Ganesha, and the described failure no longer occurs. (BZ#1241386)
Installing glusterfs no longer affects default logrotate settings
When installing the glusterfs packages on Red Hat Enterprise Linux 6, the glusterfs-logrotate and glusterfs-georep-logrotate files were previously installed with several global logrotate options. Consequently, the global options affected the default settings in the /etc/logrotate.conf file. The glusterfs RPMs have been rebuilt to prevent the default settings from being overridden. As a result, global settings in /etc/logrotate.conf continue to function as configured without being overridden by settings from glusterfs logrotate files. (BZ#1171865)
Fence agent for DM Multipath no longer loses SCSI keys on non-cluster reboot
Previously, the fence agent for DM Multipath lost SCSI keys when the
node was not rebooted using cluster methods. This resulted in an error
when the cluster tried to fence the node. With this update, keys are
properly regenerated after each reboot in this situation. (BZ#1254183)
Fence agent for HP Integrated Lights-Out (iLO) now uses TLS1.0 automatically when connection over SSL v3 fails
Previously, the fence agent for HP Integrated Lights-Out (iLO)
required the tls1.0 argument in order to use TLS1.0 instead of SSL v3.
With this update, TLS1.0 is used automatically when the connection over
SSL v3 fails. (BZ#1256902)
Chapter 6. Compiler and Tools
tcsh no longer in an inconsistent state after a command interruption
Interrupting the eval sleep 10 command left the tcsh shell in an inconsistent state. Consequently, it was necessary to press the Ctrl+D key combination twice to successfully exit the shell. With this update, tcsh correctly exits after pressing Ctrl+D once. (BZ#1219923)
Correct parsing of the if statement in tcsh
The tcsh shell failed to correctly parse the if statements if there was no space before the then keyword. Consequently, incorrect branches of the if statement were processed, which led to execution of incorrect sections of the code and misbehavior. The tcsh shell has been fixed to correctly process the source code when spaces before the then keyword are missing. (BZ#1231097)
RELRO protection now properly applied when requested
Previously, binary files started by the system loader would, in some
cases, lack the Relocation Read-Only (RELRO) protection even though this
had been explicitly requested when the application was built. This was
due to a miscommunication between the static linker and the system
loader. The underlying source code of the linker has been adjusted to
ensure that it makes it possible for the loader to apply the RELRO
protection, thus restoring the security feature for applications.
Applications and all dependent object files, archives, and libraries built with a previous version of binutils should be rebuilt to correct this defect. (BZ#1227839)
Escape sequences correctly interpreted by tcsh
Previously, the tcsh command-language interpreter incorrectly consumed certain escape sequences, which start with the backslash \ character. This update fixes the interpretation of the escape sequences, and tcsh now returns the same results as in Red Hat Enterprise Linux 5. (BZ#1301857)
OpenMP heuristics adjusted for higher performance on multi-CPU systems
Heuristics used by the GNU OpenMP runtime (libgomp) to determine latency-reduction measures have been adjusted to take into account CPU affinity on multiprocessor systems and to use a lower spin count. As a result, programs that appeared deadlocked or ran very slowly due to resource starvation now run considerably faster. (BZ#1229852)
Reduced lock contention and increased performance for threaded applications calling localtime_r()
Lock contention in the localtime_r() function previously decreased performance for threaded applications that needed to call this function frequently. The lock acquisition in the glibc library's internal routines has been reorganized to decrease the possibility of lock contention. (BZ#1244585)
The make utility no longer terminates unexpectedly when processing $$eval commands or the $(shell) construct
Due to bugs in the make package, the make utility sometimes terminated unexpectedly when processing files which contained $$eval commands or $(shell) processes. These bugs have been fixed, and make no longer crashes in these situations. (BZ#835483)
Parallel builds no longer terminate unexpectedly
Previously, a bug caused the make utility to display an error message and terminate unexpectedly when executing parallel builds. This has now been fixed, and parallel builds no longer crash due to this bug. (BZ#861189)
Parallel builds no longer terminate unexpectedly due to $(eval) constructs
Previously, a bug caused the make utility to terminate unexpectedly when executing parallel builds containing $(eval) constructs. This has now been fixed, and parallel builds no longer crash due to this bug. (BZ#1093149)
Multithreaded applications no longer crash when calling dprintf() and fork() concurrently
Multithreaded applications that use the dprintf() and fork() glibc functions concurrently could previously terminate unexpectedly with a segmentation fault. With this update, the fork() implementation has been fixed to ignore temporary streams created by dprintf(), and the described problem no longer occurs. (BZ#1275384)
Core C library (glibc) enhanced to increase malloc() scalability
A defect in the implementation of the malloc()
function could result in the unnecessary serialization of memory
allocation requests across threads. This update fixes the problem and
substantially increases the concurrent throughput of allocation requests
for applications that frequently create and destroy threads.
(BZ#1264189)
Improved documentation in /etc/mcelog/mcelog.conf
The default mcelog configuration file found at /etc/mcelog/mcelog.conf now contains better descriptions for several available options, such as mem-ce-error-log. (BZ#1170580)
The dynamic linker (ld.so) does not fail anymore when an audit module provides a DSO path
Previously, when an audit module provided an alternate DSO (dynamic shared object) path, the ld.so dynamic linker terminated unexpectedly with a segmentation fault. This update addresses the bug, and now the dynamic linker keeps track of the original DSO path for future reference and does not fail anymore. (BZ#1211098)
glibc and tzdata updates no longer replace /etc/localtime symbolic links
Previously, on systems where the /etc/localtime file was a symbolic link, updates of the glibc and tzdata packages replaced the link with the time-zone file defined in the /etc/sysconfig/clock configuration file. A patch has been applied to address the problem and /etc/localtime as a symbolic link is no longer replaced. For optimum compatibility, it is recommended not to modify /etc/localtime directly. Instead, edit the /etc/sysconfig/clock configuration file and execute the tzdata-update command afterwards. (BZ#1200555)
glibc POSIX real-time support no longer fails on large TLS data
A defect in the POSIX real-time support in the glibc library caused asynchronous I/O or certain timer API calls to fail in the presence of large thread-local storage (TLS) data. The librt library has been fixed, and the impacted APIs no longer return error messages when large TLS data is present in applications. (BZ#1299319)
iconv no longer adds a redundant shift sequence
Previously, the iconv utility sometimes mishandled character conversion for the IBM930, IBM933, IBM935, IBM937, and IBM939 character sets. Consequently, a redundant shift sequence was included in the output of iconv. The generated non-conforming output could result in an inability to read the output data. The character conversion routines have been corrected and no longer output a redundant shift sequence. (BZ#1293914)
/etc/gai.conf no longer listed as belonging to the glibc-common package
Previously, the /etc/gai.conf configuration file could be flagged as modified when the rpm -V command was used to check the glibc-common package, even though that package did not own that file. This update removes the erroneous file entry from glibc-common. As a result, rpm -V glibc-common no longer lists the /etc/gai.conf configuration file as modified. (BZ#1223818)
Naming convention for java-1.8.0-openjdk installation made consistent
Previously, the automatically generated name for the installation directory for the java-1.8.0-openjdk package was not consistent with installation directory names for the java-1.6.0-openjdk and java-1.7.0-openjdk packages. As a consequence, applications and automated tools that expected a consistent Java naming pattern failed when interacting with java-1.8.0-openjdk. With this update, the java-1.8.0-openjdk installation directory follows the same pattern as the previous versions, which prevents the described problem. Note that due to the changes in the path structure, it is now impossible to revert to a version of java-1.8.0-openjdk prior to this update. (BZ#1217177)
LDAP bind passwords are properly obfuscated
In some cases, it was previously possible for the sosreport utility to capture LDAP bind credentials in plain text. This problem has been fixed, and LDAP bind passwords are now obfuscated in sosreport as expected. (BZ#1227462)
sosreport no longer times out when ipa-replica-image is used
Previously, using the ipa-replica-image command caused the sosreport utility to take longer to execute and in some cases to time out. In addition, not all the information needed to troubleshoot certification-related problems was captured in sosreport. This update ensures that sufficient certification-related information is collected by sosreport and removes ipa-replica-image, which prevents the described timeouts from occurring. (BZ#1203947)
tar now correctly sets ACL when --acls is used
Previously, when a tar file was extracted using the --acls option, the extracted files inherited the default Access Control Lists (ACL) from the parent directory. With this update, when --acls is used, tar extracts all files and directories with the same ACLs that are set in the archive. (BZ#1220891)
tar correctly handles archives created by a user with a big UID
When a user with a UID or GID greater than 2097151 created a pax archive, the archive was created correctly but tar returned a misleading warning message and a non-zero exit status. This bug has been fixed; tar now exits with the correct exit status and no false warning messages. (BZ#1247788)
OProfile fixed to prevent buffer overflow caused by long arguments
Prior to this update, the argument-check code in OProfile suffered
from a problem that could cause a buffer overflow when passed a long
path name or event unit mask. This update addresses the problems, and
long arguments no longer cause a buffer overflow. (BZ#1206242)
OProfile now works correctly on IBM POWER7+ systems
Prior to this update, OProfile for IBM POWER Systems was built using an old version of the libpfm libraries, which resulted in support for the POWER7+ processors not being available and the operf and ocount tools not being able to run successfully on new IBM POWER Systems. This bug has been fixed, and the operf and ocount commands now work as expected on POWER7+ systems as well. (BZ#1303970)
Applications no longer fail with 'dlopen: cannot load any more object with static TLS'
The glibc dynamic loader was unable to load more than 16 shared libraries that make use of static thread-local storage (TLS). Consequently, applications could fail with an error message, dlopen: cannot load any more object with static TLS. This bug has been fixed, and applications now start correctly in this scenario, provided sufficient static storage space is available. (BZ#1198802)
GDB now generates smaller core files and respects core-dump filtering
The gcore command, which provides GDB with its own core-dumping functionality, has been updated to more closely simulate the function of the Linux kernel core-dumping code, thus generating smaller core-dump files. GDB now also respects the /proc/PID/coredump_filter file, which controls what memory segments are written to core-dump files. (BZ#1085906)
GDB no longer kills running processes with deleted executables
Prior to this update, GDB attempting to attach to a running process with a deleted executable would accidentally kill the process. This bug has been fixed, and GDB no longer erroneously kills processes with deleted executables. (BZ#1219747)
Fixed signal handling in Bash
Due to the signal handler function calling certain signal-unsafe functions such as malloc(), the Bash shell in some cases became unresponsive after it received a signal. This update ensures that the signal handler no longer calls signal-unsafe functions, which prevents the described bug from occurring. (BZ#868846)
Command substitution now works inside arithmetic expressions in bash
Previously, bash did not save input line state across recursive calls to the shell parser, causing the shell to fail to parse command substitution inside arithmetic expressions. For example, the following command failed:
for point in "/boot"; do disk_dir["$( df -P $point | awk '{print $1}' )"]=1; done
This bug has been fixed; bash now saves input line state before making recursive calls to the parser, and command substitution now works inside arithmetic expressions. (BZ#1207803)
KornShell now resets and modifies signal traps as expected and no longer crashes
Previously, KornShell (ksh) terminated unexpectedly with a
segmentation fault when attempting to reset or modify certain signal
traps. With this update, ksh does not attempt to free memory used for a
string literal. As a result, ksh no longer crashes in the described
situation. (BZ#1247383)
Printing the ls output no longer takes a long time when extended attributes and ACLs are not supported
Previously, listing files and directories on file systems without support for extended attributes and access control lists (ACLs) involved unnecessary and high-cost lstat() and lgetxattr() system calls for every file. As a consequence, it could take several seconds to print the output of the ls command. Now, when the result of the system call is not supported, ls does not try the call again on this mount point. As a result, the printing speed of the ls output has improved significantly in the described situation. (BZ#1248141)
KornShell no longer omits a background process in a command list when forking
Due to a bug in KornShell (ksh), forking a background process in a
command list could previously omit that process completely. The source
code that handles forking sub-processes has been modified, and a
background process in a command list is now executed as expected. (BZ#1217236)
Multibyte characters are no longer corrupted in KornShell
Previously, the multibyte unicode parser received shifted input after a
command-line option variable in KornShell (ksh). Consequently, the
multibyte character after a command-line variable became corrupted. A
patch has been applied to fix multibyte input parsing. As a result,
multibyte characters are handled correctly in the described situation.
(BZ#1256495)
The Oracle ACFS is now included among known file systems
Previously, the Oracle ASM Cluster file system (ACFS) was not listed among known file systems for the stat and tail utilities. As a consequence, the tail utility printed an error message stating that the file system was not recognized. ACFS has been added to the list of known file systems, and the error message no longer appears in the described situation.
In addition, other file systems recognized by upstream have been added to the list of known file systems as well, namely acfs, bpf_fs, btrfs_test, configfs, efivarfs, exofs, f2fs, hfs+, hfsx, hostfs, ibrix, logfs, nsfs, overlayfs, smackfs, snfs, tracefs, and ubifs. (BZ#1280333)
The netfs stop command now only unmounts relevant loop devices
Previously, all loop devices were unmounted when stopping the netfs service. With this update, when running the netfs stop command, only relevant loop devices are unmounted; that is, the ones that are mounted on top of a network mount. (BZ#1156231)
pdftops now generates valid PostScript files
Previously, the pdftops utility of Poppler converted PDF files with
embedded PostScript Type 1 fonts in the Printer Font Binary (PFB) format
together with the PFB headers. As a consequence, incorrect PostScript
files were produced from such conversions. Poppler has been fixed to
recognize the PFB headers and exclude them from the conversion, and the
described problem no longer occurs. (BZ#1232210)
Creating thumbnails with Nautilus works as expected
Prior to this update, Nautilus was restricting the stack size for the
thread that was creating thumbnails, and the libraries creating those
thumbnails were at some point out of memory. As a consequence, Nautilus
terminated unexpectedly when creating a thumbnail of big images,
especially images of the jp2 type. This bug has been fixed, and Nautilus
no longer crashes when creating thumbnails. (BZ#1268970)
xfreerdp no longer crashes when connecting to a CA-signed RDP server
Previously, the xfreerdp client terminated unexpectedly when connecting to a Certification Authority (CA)-signed Remote Desktop Protocol (RDP) server. With this update, the pointer dereference in CA verification code that caused the crash has been fixed, and connecting to a CA-signed RDP server works as expected. (BZ#1186916)
Responsiveness fixes for gnome-vfs2 user interfaces
Previously, the gnome-vfs2 service called the stat()
function for every file on the Multiversion File System (MVFS), used
for example by the IBM Rational ClearCase utilities. This behavior
significantly slowed down file operations. With this update, the
unnecessary stat()
operations have been limited. As a result, gnome-vfs2 user interfaces, such as Nautilus, are more responsive on MVFS. (BZ#917810)
gvfs correctly checks if the metadata database has been loaded
Prior to this update, the gvfs metadata daemon or client applications such as Nautilus terminated unexpectedly when uninitialized internal structures were used for corrupted or unreadable metadata databases. This update adds a missing check that verifies that the metadata database has been loaded properly. As a result, in the described circumstances, an error is returned instead of a crash occurring. (BZ#1110451)
The gvfs archive backend no longer crashes due to certain archive file paths
Mounting the gvfs archive backend previously terminated unexpectedly when used with archives that had a single dot (".") character as a component of their file path. With this update, these file path components are skipped, and in the mentioned situation, the archive backend mounts correctly. (BZ#713179)
Chapter 8. Directory Server in Red Hat Enterprise Linux
About Directory Server for Red Hat Enterprise Linux
This section describes changes in the main server component for Red Hat Directory Server - the 389-ds-base
package, which includes the LDAP server itself and command line
utilities and scripts for its administration. This package is part of
the Red Hat Enterprise Linux base subscription channel and therefore
available on all Red Hat Enterprise Linux Server systems due to Red Hat
Identity Management components which depend on it.
Additional Red Hat Directory Server components, such as the Directory Server Console, are available in the rhel-x86_64-server-6-rhdirserv-9 additional subscription channel. A subscription to this channel is also required to obtain support for Red Hat Directory Server. Changes to the additional components in this channel are not described in this document.
Large amounts of skipped updates in fractional replication no longer cause performance loss
During fractional replication, if a large number of skipped updates
was present, the supplier could previously acquire a replica for a long
time and fail to update the Replica Update Vector (RUV) at the end of
the session. This then caused the next session to evaluate the same
skipped updates, resulting in poor performance. This bug has been fixed
by adding a system subentry which is occasionally updated even if there
are no applicable changes to be replicated, and the problem no longer
occurs. (BZ#1259383)
Fixed a crash while trimming the retro changelog
When trimming the retro changelog (retroCL), entries are first deleted from the changelog itself and then also from the cache. The 389-ds-base server was, however, missing a check to verify that the entries are actually present in the cache, which could lead to the server attempting to delete nonexistent entries and subsequently crash on systems where not all changelog entries could fit in the cache due to its small size. A check has been added to make sure only entries actually present in the cache are being deleted, and the server no longer crashes when trimming the retro changelog. (BZ#1244970)
Fixed a crash in the backend add function
When a callback at BE_TXN in the backend
add function failed on a cached entry, the function was attempting to
free the entry twice instead of removing it from the cache and then
freeing it. This update adds remove and free code to the backend add
function and the function no longer attempts to free cached entries
twice. (BZ#1265851)
389-ds-base server no longer crashes when attempting to replace a nonexistent attribute
When a replace operation for a nonexistent attribute was performed
without providing new values, the entry was stored with incorrect
metadata: an empty deleted value without an attribute deletion change
state number (CSN). This entry could then result in memory corruption
and cause the server to terminate unexpectedly. To fix this bug,
additional space to store metadata is now allocated and the server no
longer crashes in this scenario. (BZ#1298496)
389-ds-base no longer hangs due to modified entry remaining locked
During a modify operation, the modified entry is inserted into entry
cache and locked until the modified entry is returned. In cases where
the entry is removed from the entry cache after it is committed but
before the return operation, the modified entry previously remained
locked, and any subsequent write operations on the same entry then
caused the server to hang. This bug has been fixed by adding a flag so
that the entry can be unlocked whether it is present in the entry cache
or not, and the server no longer hangs in this situation. (BZ#1273552)
Fixed a deadlock during backend deletion in Directory Server
Previously, transaction information was not passed to one of the
database helper functions during backend deletion. This could result in a
deadlock if a plug-in attempted to access data in the area locked by
the transaction. With this update, transaction info is passed to all
necessary database helper functions, and a deadlock no longer occurs in
the described situation. (BZ#1278585)
ns-slapd no longer crashes on multiple asynchronous searches if a request is abandoned
When multiple simple paged results searches were requested
asynchronously in a persistent connection and one of the requests was
abandoned, contention among the asynchronous requests could occur and
cause the ns-slapd service to crash. This bug has been fixed and ns-slapd
no longer crashes due to abandoned requests. (BZ#1247792)
Simple paged results slots are now being correctly released after search failure
Previously, if a simple paged results search failed in the Directory
Server backend, its slot was not released, which caused the connection
object to accumulate unreleased slots over time. This problem has been
fixed, and slots are now correctly released in the event of a search
failure. (BZ#1290243)
ns-slapd no longer crashes when freeing a search results object
Previously, when Directory Server freed a search results object, there
was a brief period of time before the freed information was set to the
pagedresults handle. If the paged-results handle was released due to a
timeout during this period, a double free event occurred, causing
ns-slapd to crash. This problem has been eliminated and double free no
longer occurs when freeing search results objects. (BZ#1267296)
Fixed a deadlock in asynchronous simple paged results requests
A previous fix for a deadlock in asynchronous simple paged results
requests caused another self deadlock due to a regression. To address
this problem, a simple PR_Lock on a connection object has been replaced
with a re-entrant PR_Monitor. As a result, the deadlock no longer
occurs. (BZ#1296694)
Deletion of attributes without a value on the master server now replicates correctly
Previously, when an attribute which does not have a value on the
master server was deleted, the deletion was not replicated to other
servers. The regression that caused this bug has been fixed and the
change now replicates as expected. (BZ#1251288)
Directory Server no longer logs false attrlist_replace errors
Previously, Directory Server could in some circumstances repeatedly log
attrlist_replace error messages in error. This problem was caused by memory corruption
due to a wrong memory copy function being used. The memory copy function
has been replaced with memmove, which prevents this case of memory
corruption, and the server no longer logs these error messages. (BZ#1267405)
cleanAllRUV now clears the changelog completely
Previously, after the cleanAllRUV task finished, the changelog still
contained entries from the cleaned rid. As a consequence, the RUV could
contain undesirable data, and the RUV element could be missing the
replica URL. Now, cleanAllRUV cleans the changelog completely as
expected. (BZ#1270002)
Replication failures no longer result in missing changes after additional updates
Previously, if a replicated update failed on the consumer side, it was
never retried due to a bug in the replication asynchronous result
thread which caused it to miss the failure before another update was
replicated successfully. The second update also updated the consumer
Replica Update Vector (RUV), and the first (failed) update was lost. In
this release, replication failures cause the connection to close,
stopping the replication session and preventing any subsequent updates
from updating the consumer RUV, which allows the supplier to retry the
operation in the next replication session. No updates are therefore
lost. (BZ#1294770)
Unnecessary keep alive entries no longer cause missing replication
Previously, a keep alive entry was being
created at too many opportunities during replication, potentially
causing a race condition when adding the entry to the replica changelog
and resulting in operations being dropped from the replication. With
this update, unnecessary keep alive entry creation has been eliminated,
and missing replication no longer occurs. (BZ#1307152)
nsMatchingRule is now correctly applied to attribute information
Previously, when nsMatchingRule was dynamically updated in an index
entry, the value was not applied to the attribute information. This
caused the dbverify utility to report database corruption in error. In
this release, nsMatchingRule changes are correctly applied to attribute
information, and dbverify no longer falsely reports database
corruption. (BZ#1236656)
Tombstone entries no longer create unnecessary index entries
When an entry is deleted, its indexed attribute values are also
removed from each index file. However, if the entry is turned into a
tombstone entry, reindexing previously added the removed attribute value
back into the index. This bug has been fixed, and index files no longer
contain unnecessary key-value pairs generated by tombstone entries.
(BZ#1255290)
Index is now updated properly when several values of the same attribute are deleted
Previously, when several values of the same attribute were deleted using the ldapmodify
command, and at least one of them was added again during the same
operation, the equality index was not updated. As a consequence, an
exact search for the re-added attribute value did not return the entry.
The logic of the index code has been modified to update the index if at
least one of the values in the entry changes, and the exact search for
the re-added attribute value now returns the correct entry. (BZ#1282457)
COS cache now correctly adds all definitions
A previous bug fix related to the Class of Service (COS) object cache
introduced a regression which caused it to stop adding definitions after
the first one, instead of adding all definitions. This problem has been
fixed and the COS cache now correctly adds all definitions as designed.
(BZ#1259546)
Improved ACL performance
Previously, unnecessarily complicated regular expressions were used in
the Access Control List (ACL) implementation in Directory Server. These
regular expressions have been removed and the ACL implementation
reworked, resulting in improved performance. (BZ#1236156)
ntUserlastLogon and ntUserlastLogoff attributes are now synchronized between Directory Server and Active Directory
Previously, WinSync
account synchronization could not update the ntUserlastLogon
and ntUserlastLogoff
attributes in Directory Server when synchronizing with Active
Directory. This bug has been fixed and these attributes are now being
updated correctly based on the lastLogonTimestamp
and lastLogoffTimestamp
attributes in Active Directory. (BZ#1245237)
Chapter 9. Installation and Booting
Add-on repositories are now handled correctly when generating and reading kickstart files.
Previously, installation would stop and display an error when
performing an installation from a kickstart file generated by a previous
installation which used optical media, and enabled one or more add-on
repositories. With this update, generated kickstart files will include
commands to automatically enable add-on repositories when necessary.
(BZ#1099178)
The zerombr command is now correctly added to anaconda-ks.cfg when installing using kickstart
Previously, when an installation was performed with the kickstart
utility using the zerombr
option, this option was not added to the generated /root/anaconda-ks.cfg
kickstart file. This bug has been fixed, and zerombr
is now correctly added to anaconda-ks.cfg. (BZ#1246663)
When using the network service, default routes are now correctly created on an installed system.
Previously, device-specific GATEWAY
values were being included in the /etc/sysconfig/network
configuration file, which applies to all devices. As a consequence, for some network configurations using the network
service, default routes were not created. With this update, the GATEWAY
parameter is no longer created in /etc/sysconfig/network, and default
routes are now created correctly. (BZ#1181290)
The DEFROUTE option is now handled correctly when the installer generates a kickstart file.
Previously, if the DEFROUTE
option was set in an ifcfg
configuration file during installation, this was not reflected in the
kickstart file subsequently generated by the installer. This bug has
been fixed, and now the installer generates kickstart files which
reflect DEFROUTE
settings used during installation by setting the --nodefroute
network command option accordingly. (BZ#1274686)
The kdump kernel is no longer added to /etc/zipl.conf when kernel-kdump is marked for installation
Previously, when installing kernel-kdump, an entry for the kdump
kernel was added to the list of kernels in the /etc/zipl.conf
configuration file. This bug is now fixed, and the kdump
kernel is no longer added to the list. (BZ#1256211)
/dev/disk/by-path/ now accounts for NPIV paths
Previously, if two or more virtual host bus adapters (HBAs) were
created on a single physical HBA, only a single link to the device was
created in the /dev/disk/by-path/ directory instead of one link for
each path. As a consequence, creating a virsh pool with virtual HBAs by
using Fibre Channel N_Port ID Virtualization (NPIV) did not work
correctly. With this update, symbolic links in /dev/disk/by-path/ are
created correctly and are unique. Symbolic links in /dev/disk/by-path/
created by udev for logical unit numbers (LUNs) connected through a
physical Fibre Channel N_Port stay the same. (BZ#1032218)
Removed unintended kernel warning message
A recent change in Red Hat Enterprise Linux 6.8 caused an unintended
warning message to be displayed in certain situations where a file size
is increased, such as by using fallocate
operations:
WARNING: at mm/truncate.c:614 pagecache_isize_extended+0x10d/0x120()
This bug has been fixed, and operations which increase file size no
longer cause this warning message to be displayed or logged.
(BZ#1205014)
librdmacm no longer outputs warnings and errors if no RDMA hardware is present
Previously, if librdmacm
was installed
on a system with no RDMA hardware present, it could, in some
circumstances, output superfluous warning and error messages to the
standard error stream (stderr). With this update, librdmacm
no longer outputs warning and error messages to stderr in such cases. (BZ#1231766)
Fixed kernel booting issues with the mlx5 driver
When the mlx5
driver was enabled on a system with non-fatal PCIe errors, the kernel previously failed to boot, crashing in the mlx5
probe routine shortly after it enabled PCIe error handling. The patch
causing this bug has been removed, and the kernel now boots successfully
when this driver is enabled. (BZ#1324599)
Changing snapshot read-only status no longer causes a kernel crash
Previously, the dm-snapshot
target had
improper handover of the exception store when the target was reloaded.
As a consequence, when changing read-only status of the snapshot volume
with lvchange -p r
or lvchange -p rw
commands and there was I/O to the origin volume in progress, the kernel crashed with the BUG()
macro. With this update, the origin logical volume is suspended during
exception store handover, so that there is no I/O in progress during the
handover. As a result, changing snapshot read-only status no longer
causes the aforementioned kernel crash. (BZ#1177389)
qla2xxx updated to version 8.07.00.26.06.8-k
The qla2xxx
driver has been updated to
version 8.07.00.26.06.8-k. This update backports initiator side
upstream fixes and minor enhancements through 8.07.00.26. (BZ#1252111)
Memory leak in devpts_kill_sb() fixed
The devpts
pseudo-file system allocates IDR resources during use. However, prior to this update, devpts
did not free them when it was unmounted. Consequently, the resources
used by the IDR system were leaked, which could cause problems with
frequent starting and stopping of containers, particularly with a high
number of containers used. This update applies an upstream patch which
releases these resources at unmount, and the IDR resources used by the devpts
file system are no longer leaked at unmount. (BZ#1283557)
Setting a sysctl parameter now executes successfully
While executing the sysctl -w vm.compact_memory=1
command to set a sysctl
parameter, the system previously returned the following error messages:
error: "Success" setting key "vm.compact_memory"
The provided patch fixes this bug, and the aforementioned command now executes successfully. (BZ#1278842)
netconsole no longer causes kernel crash
Resetting an ixgbe
or vmxnet3
adapter while sending a message over netconsole
or netpoll
at the same time could previously cause a kernel crash. This update
adds mutual exclusion between the core adapter reset path and netpoll
transmit path, preventing kernel crashes in this situation. (BZ#1252212)
Loop checks added to VFS to prevent kernel crashes
The NFS client was previously failing to detect a directory loop for
some NFS server directory structures. This failure could cause NFS
inodes to remain referenced after attempting to unmount the file system,
leading to a kernel crash. This update adds loop checks to VFS, which
effectively prevents this problem from occurring. (BZ#1254020)
Playing audio from a USB sound card works as expected
Due to incorrect URB_ISO_ASAP
semantics,
playing an audio file using a USB sound card could previously fail for
some hardware configurations. This update fixes the bug, and playing
audio from a USB sound card now works as expected. (BZ#1255071)
Page fault and subsequent kernel oops in the HID driver fixed
Previously, when the Human Interface Device (HID) driver ran a report
on an unaligned buffer, it could cause a page fault interrupt and a
kernel oops when the end of the report was read. This update fixes this
bug by padding the end of the report with extra bytes, so the reading of
the report never crosses a page boundary. As a result, the page fault
and subsequent kernel oops no longer occur. (BZ#1256568)
Fixed a deadlock when syncing a frozen file system
Due to broken s_umount
lock ordering, a race condition occurred when an unlinked file was closed and the sync
(or syncfs
) utility was run at the same time. As a consequence, a deadlock occurred on a frozen file system between sync
and a process trying to unfreeze the file system. With this update, sync
(or syncfs
) is skipped on frozen file systems, and deadlock no longer occurs in the aforementioned situation. (BZ#1241791)
dracut dependencies updated to prevent boot failures
The Deterministic Random Bit Generator (DRBG) module must be loaded
during boot before cryptographic ciphers can be used. However, older
versions of dracut
did not include DRBG in the initramfs
image which could use cryptographic ciphers for disk encryption. As a
consequence, if disk encryption was in use on the root file system, the
boot process failed. This update adds the DRBG module into the
dependency list of dracut, ensuring that the module is present in the
initramfs, and systems with encrypted root file systems can now boot
successfully. (BZ#1241338)
Packets are now counted correctly
Due to a regression, the packet counter detected only the number of
normally processed completions (packets), but failed to detect erroneous
ones. As these packets were thus never acknowledged, the firmware kept
returning interrupt requests (IRQs). A patch has been provided to fix
this bug, and all packets are now counted as expected. (BZ#1241287)
Fixed a deadlock when removing directories
When removing a directory while a reference was held to that directory
by a reference to a negative child dentry, the directory dentry was
previously not killed. In addition, once the negative child dentry was
killed, an unlinked and unused dentry was still present in the cache.
This could cause a deadlock by forcing dentry eviction while the file
system in question was frozen. With this update, all unused dentries are
unhashed and evicted immediately after a successful directory removal,
which avoids the deadlock, and the system no longer hangs in the
aforementioned scenario. (BZ#1241030)
Mapping hugetlb areas no longer causes data corruption
Inside hugetlb
, region data structures were protected by a combination of a memory map semaphore and a single hugetlb
instance mutex. However, a page-fault scalability improvement
backported to the kernel in a previous release removed the single mutex
and introduced a new mutex table, making the locking combination
insufficient and leading to possible race windows that could cause
corruption and undefined behavior. The problem could be observed for
example when software mapping or remapping hugetlb
areas with concurrent threads reading or writing to same areas, which
caused page faults. This update fixes the problem by introducing a
required spinlock
to the region tracking functions for proper serialization. (BZ#1260755)
multipath request queue no longer causes stalls
Previously, running the multipath request queue caused regressions in
cases where paths failed regularly under I/O load. This regression
manifested as I/O stalls that exceeded 300 seconds. This update reverts
the changes aimed to reduce running the multipath request queue,
resulting in I/O completing in a timely manner. (BZ#1240767)
inodes are now freed as intended
Previously, when opening a file by its file handle (fhandle
) with its dentry
not present in the dcache
('cold dcache'), and then making use of the unlink()
and close()
functions, the inode was not freed upon the close()
system call. As a consequence, the iput()
final was delayed indefinitely. A patch has been provided to fix this bug, and the inode is now freed as expected. (BZ#1236736)
The vmxnet3 driver is now compatible with the vmxnet3 adapter version 2
Due to a bug, the vmxnet3
driver demonstrated incorrect behavior such as memory leaks or 'screaming interrupts' when in use with vmxnet3
adapter version 2. Several upstream patches have been applied to fix the behavior of the vmxnet3
driver - namely, this update fixes memory leaks in the rx
path, implements a handler for PCI shutdown, and makes vmxnet3
compatible with adapter version 2. (BZ#1236564)
IP fragments are discarded in time
The memory used by the defragmentation engine is accounted for per
CPU. However, on systems with numerous CPUs, the per-CPU caches could
deviate from reality, thus causing the defragmentation engine to discard
old fragments too early. This update adds a fix to minimize this
discrepancy, and old IP fragments are now discarded at the correct time.
(BZ#1235465)
GFS2 now references correct value
The GFS2 file system previously had a rare timing window that
sometimes caused it to reference an uninitialized variable.
Consequently, a kernel panic occurred. The code has been changed to
reference the correct value during this timing window, and the kernel no
longer panics. (BZ#1267995)
Software using IPC SysV semaphores works with kernel correctly
At a process or thread exit, when the Linux kernel undoes any SysV semaphore operations done previously (ones done using semop
with the SEM_UNDO
flag), there was a possible race condition with another process or
thread removing the same semaphore set where the operations occurred,
leading to a possible use of in-kernel-freed memory and then to possible
unpredictable behaviour. This bug could be noticed with software which
uses IPC SysV semaphores, such as IBM DB2,
which could in certain cases have some of its processes or utilities
get incorrectly stalled in an IPC semaphore operation or system call
after the race condition happened. A patch has been provided to fix this
bug, and the kernel now behaves as expected in the aforementioned
scenario. (BZ#1233300)
Fixed a race condition in perf buildid-cache
Prior to this update, multiple instances trying to copy the same file triggered a race condition in perf buildid-cache
that could truncate system libraries and other files. With this update, unique temporary files are used when copying to the buildid
directory to prevent the aforementioned race condition from occurring. (BZ#1229673)
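The pattern named in this fix, as an added example that is not perf's code and not part of the original release notes: each writer copies into its own uniquely named temporary file and renames it over the destination, so concurrent copies of the same file never share or expose a partially written one. The function names, file names and the demo harness are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy src to dst without ever exposing a partial dst: write into a
 * uniquely named temporary file next to dst, then rename() it into place.
 * Hypothetical helper for illustration, not perf's own function. */
int copy_file_atomic(const char *src, const char *dst)
{
    char tmp[PATH_MAX], buf[65536];
    ssize_t n;
    int in = -1, out = -1, saved;

    if (snprintf(tmp, sizeof(tmp), "%s.XXXXXX", dst) >= (int)sizeof(tmp)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    in = open(src, O_RDONLY);
    if (in < 0)
        return -1;
    /* mkstemp() opens with O_CREAT|O_EXCL and mode 0600, so no two
     * writers can end up sharing one temporary file. */
    out = mkstemp(tmp);
    if (out < 0) {
        saved = errno; close(in); errno = saved;
        return -1;
    }
    while ((n = read(in, buf, sizeof(buf))) > 0) {
        char *p = buf;
        while (n > 0) {
            ssize_t w = write(out, p, (size_t)n);
            if (w < 0) {
                if (errno == EINTR)
                    continue;
                goto fail;
            }
            p += w;
            n -= w;
        }
    }
    if (n < 0 || fchmod(out, 0644) < 0 || fsync(out) < 0)
        goto fail;
    if (close(out) < 0) {
        out = -1;
        goto fail;
    }
    out = -1;
    /* rename() replaces dst atomically: readers and other writers see
     * either the old complete file or the new complete file. */
    if (rename(tmp, dst) < 0)
        goto fail;
    close(in);
    return 0;
fail:
    saved = errno;
    if (out >= 0)
        close(out);
    close(in);
    unlink(tmp);
    errno = saved;
    return -1;
}

/* Constructed demo: `writers` processes copy the same source to the same
 * destination at once. Returns 0 if the destination ends up complete and
 * no temporary file is left behind. */
int demo_concurrent_copies(int writers)
{
    char dir[] = "/tmp/buildid-demo.XXXXXX";
    char src[PATH_MAX], dst[PATH_MAX];
    enum { SIZE = 1 << 20 };
    struct stat st;
    int i, status, rc = 0;
    FILE *f;

    if (!mkdtemp(dir))
        return -1;
    snprintf(src, sizeof(src), "%s/libsample.so", dir); /* constructed input */
    snprintf(dst, sizeof(dst), "%s/cached", dir);
    f = fopen(src, "wb");
    if (!f)
        return -1;
    for (i = 0; i < SIZE; i++)
        fputc(i & 0xff, f);
    fclose(f);

    for (i = 0; i < writers; i++) {
        pid_t pid = fork();
        if (pid < 0) { rc = -1; break; }
        if (pid == 0)
            _exit(copy_file_atomic(src, dst) == 0 ? 0 : 1);
    }
    while (wait(&status) > 0)
        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
            rc = -1;
    if (stat(dst, &st) < 0 || st.st_size != SIZE)
        rc = -1;
    unlink(src);
    unlink(dst);
    if (rmdir(dir) < 0) /* fails if a temporary file was left behind */
        rc = -1;
    return rc;
}

int main(void)
{
    int rc = demo_concurrent_copies(4);
    printf("concurrent copy %s\n", rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```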
Cache serialization has been added to prevent kernel crashes
Due to a race condition whereby a cache operation could be submitted
after a cache object was killed, the kernel occasionally crashed on
systems running the cachefilesd
service.
The provided patch prevents the race condition by adding serialization
in the code that makes the object unavailable. As a result, all
subsequent operations on the object are rejected and the kernel no
longer crashes in this scenario. (BZ#1096893)
Reloading or removing edac modules now works as expected
Previously, reloading or removing edac
modules on a system using the i7core_edac
module could lead to a number of warning messages to be returned and a
subsequent kernel crash. The underlying source code has been patched,
and the kernel no longer crashes when operating with edac
modules. (BZ#1227845)
Custom MAC addresses can be specified again for bond interfaces
On a system with a bonded interface, the user could not specify their
own custom MAC address for the bond. A patch has been provided to fix
this bug, and custom MAC addresses can be specified again in the
aforementioned situation. (BZ#1225359)
The st and sg drivers now work correctly
Due to the incorrect length for the FCP_RSP_INFO
field, parts of the field could be copied, and the st
and sg
drivers thus did not work correctly. With this update, the code related to the FCP protocol has been updated, and st
and sg
now work as expected. (BZ#1223105)
Slave interfaces turn into promiscuous mode automatically
If a bonding VLAN interface turned into promiscuous mode while it was
inactive, the slave interfaces previously did not turn into promiscuous
mode automatically even after the bonding VLAN interface became active
again. With this update, flag changes are always propagated to
interfaces, and slave interfaces thus enter promiscuous mode as
expected. (BZ#1222823)
force_hrtimer_reprogram parameter added to kernel
Due to a timer expiry issue, the scheduler tick previously stopped for too long when the ksoftirqd
daemon for hrtimer
was blocked by a running process. This update adds the force_hrtimer_reprogram
kernel parameter. If force_hrtimer_reprogram=1
is used on the kernel command line, the reprogramming of all expired
timers is forced, which prevents this bug from occurring. (BZ#1285142)
ipr memory buffer indexing updated
A bug in the ipr
driver on 64-bit IBM
Power Systems (ppc64) could result in backwards memory buffer indexing
and cause a kernel crash when running the Hardware Test Exerciser (HTX)
test suite. With this update, ipr
memory
buffer indexing uses a bit mask operation instead of modulo, causing
low bits to be masked off so that no backwards indexing is possible, and
preventing the crash. (BZ#1209543)
cgroup_threadgroup_rwsem variable added to kernel
Previously, the attach_task_by_pid()
function in some cases raced with an exiting thread and tried to lock or unlock the already freed group_rwsem
member of the signal_struct
list. As a consequence, a kernel crash could occur. This update adds the cgroup_threadgroup_rwsem
variable, which fixes this bug and prevents the kernel crash from occurring in this scenario. (BZ#1198732)
Adding keys into a revoked keyring no longer causes a memory leak
Attempting to use the request_key()
function to add a key into a revoked keyring was previously causing a
resource leak in the kernel error path. Keys which were allocated and
then failed became stuck in kernel memory and were impossible for the
garbage collector to remove. With this update, the reference count on
failed keys will now correctly reach 0 in this situation, allowing the
garbage collector to remove them so that failed keys will no longer stay
in memory indefinitely. (BZ#1188442)
Kernel panic caused by repeated fork() no longer occurs
Previously, an unusual forking pattern could cause the anon_vma_chain
and anon_vma slab
memory to grow infinitely even though the number of processes involved
stayed low. As a consequence, a kernel panic occurred. The provided
patch adds a heuristic which reuses existing anon_vma
instead of forking a new one and adds the anon_vma->degree
counter which makes sure the count of anon_vma
members is not bigger than twice the count of virtual memory areas. As a
result, the kernel panic no longer occurs in this situation.
(BZ#1151823)
Fixed job scheduling now ensures balanced CPU load
Due to prematurely decremented calc_load_task,
the calculated load average was off by up to the number of CPUs in the
machine. As a consequence, job scheduling worked improperly causing a
drop in the system performance. This update keeps the delta of the CPU
going into NO_HZ
idle separately, and folds
the pending idle delta into the global active count while correctly
aging the averages for the idle-duration when leaving NO_HZ
mode. Now, job scheduling works correctly, ensuring balanced CPU load. (BZ#1167755)
Only a single process can free a specific memory page
A race condition was found in hash table invalidation code between
inode invalidation and inode clearing code in the GFS2 file system. In
some circumstances, two processes could attempt to free the same memory,
resulting in a kernel panic. This update adds a spin_lock
to the hash table invalidation code allowing only a single process to
attempt to free a specific memory page, which prevents the race
condition from occurring. (BZ#1250663)
macvtap transfers VLAN packets over be2net successfully
Previously, VLAN stacked on the macvlan
or macvtap
device did not work for devices that implement and use VLAN filters. As a consequence, macvtap
passthrough mode failed to transfer VLAN packets over the be2net
driver. This update implements VLAN ndo
calls to the macvlan
driver to pass appropriate VLAN tag IDs to lower devices. As a result, macvtap
transfers VLAN packets over be2net
successfully. (BZ#1213846)
primary_reselect=failure now works properly
A bug caused the primary_reselect=failure
bond parameter to work incorrectly. The primary interface was always
taking over even if others did not fail. With this update, the parameter
works as expected, and the primary bond interface only takes over if
the current non-primary active interface fails. (BZ#1290672)
Log messages from logshifter are now processed correctly
Under significant load, some applications such as logshifter could
generate bursts of log messages too large for the system logger to
spool. Due to a race condition, log messages from that application could
then be lost even after the log volume dropped to manageable levels.
This update fixes the kernel mechanism used to notify the transmitter
end of the socket used by the system logger that more space is available
on the receiver side, removing a race condition which previously caused
the sender to stop transmitting new messages and allowing all log
messages to be processed correctly. (BZ#1284900)
KVM virtual guests now connect via a bridged interface successfully
Previously, a bridge interface could exist on top of a bonded
interface which was above a physical interface with the large receive
offload (LRO) flag still on. Bridge interfaces are incompatible with LRO
enabled on any underlying devices, which caused network communications
on the bridge, such as that from a Virtual Machine (VM) to fail to
function properly. This update makes sure devices underneath a bridge
all get LRO disabled, and a VM now connects via a bridged interface
successfully. (BZ#1258446)
SwapFree size is now correct
A previous change in the get_swap_page() locking removed the use of the swap_lock
spinlock. This could cause nr_swap_pages
corruption and invalid SwapFree
information in the /proc/meminfo
file, where the size of SwapFree could exceed the size of SwapTotal.
This update uses an atomic variable for nr_swap_pages, and the size of
SwapFree in /proc/meminfo
is now correct. (BZ#1252362)
SCSI error handling no longer causes deadlocks
Previously, when a SCSI command timed out on a removable media device,
the error handling code always attempted to re-lock the door of the
device. This could cause a deadlock because the request to issue a
command to re-lock the door could not be allocated if all requests were
in use. With this update, SCSI error handling only attempts to re-lock
if the device was reset as part of the error handling procedure, and the
deadlock no longer occurs. (BZ#995234)
LRO flags now propagate correctly
Large Receive Offload (LRO) flag disabling was not being propagated
downwards from above devices in the VLAN and bond hierarchy, breaking
the flow of traffic. This bug has been fixed and LRO flags now propagate
correctly. (BZ#1259008)
multicast group assignments fixed
The kernel was incorrectly assigning multicast groups for the nl80211
protocol, causing problems with nl80211 wireless drivers, for example,
preventing hostapd from starting and initializing wireless devices in
Access Point mode. This update fixes multicast group assignments for
nl80211 and allows wireless devices to be managed correctly. (BZ#1259870)
Sending a UDP datagram over IPv6 works as expected
Due to a race condition, an ipv6_txoptions
corruption previously appeared when sending a UDP datagram over the
IPv6 protocol. An upstream patch has been applied to prevent data
corruption that led to the kernel panic. (BZ#1312740)
nvme hard-lockup panic no longer occurs
When the nvme
driver held the queue lock for too long, for example during DMA mapping, a lockup occurred leading to the nvme
hard-lockup panic. This update fixes the underlying source code, and nvme
now works as expected. (BZ#1227342)
BUG_ON() in fs_clear_inode() no longer occurs
Previously, the BUG_ON() signal appeared in the fs_clear_inode()
function where the nfs_have_writebacks() function reported a positive
value for nfs_inode->npages. As a consequence, a kernel panic
occurred. The provided patch performs a serialization by holding the
inode i_lock over the check of PagePrivate and locking the request,
which fixes this bug. (BZ#1135601)
UID and GID are assigned correct values
Due to a regression, the UID and GID environment variables were not
assigned correct values during autofs mount requests. This update
provides a patch that fixes the UID and GID assignment so that UID and
GID now take on the value of the user that has triggered the mount.
(BZ#1248820)
Using LUKS and IPSEC simultaneously no longer leads to data corruption
When using IPSEC and a LUKS-encrypted volume simultaneously, data
corruption on a LUKS volume could occur. The provided patch fixes this
bug, and data corruption no longer occurs when using LUKS and IPSEC
simultaneously. (BZ#1259023)
VLAN_GROUP_ARRAY_LEN has been revived
In a previous update, the VLAN_GROUP_ARRAY_LEN kernel macro was
renamed to VLAN_N_VID. Due to this rename, when compiling a kernel
module requiring VLAN_GROUP_ARRAY_LEN, for example the vmxnet3 external
driver, the compilation failed. With this update, the old macro has been
revived so that third-party modules compile successfully.
(BZ#1242145)
Corrupted ELF header has been fixed
Previously, the corrupted ELF header of the /proc/vmcore ELF file prevented the file from being read correctly. As a consequence, the kdump service terminated unexpectedly, resulting in a kernel panic. The provided patch fixes the ELF header, and kdump now succeeds as expected. (BZ#1236437)
Quota warning deadlocks on tty mutex have been fixed
Previously, the quota code could call into the tty layer to print a
warning, which could cause a lock inversion between
tty->atomic_write_lock and dqptr_sem. The provided patch prevents the
quota utility code from calling the tty layer with dqptr_sem semaphore
held, and processes no longer end up in a deadlock. (BZ#1232387)
anon_vma degree is always decremented when the VMA list is empty
In the anon_vma data structure, the degree counts the number of child anon_vma members and of virtual memory areas that point to this anon_vma. In the unlink_anon_vma() function, when its list is empty, anon_vma is going to be freed whether the external reference count is zero or not, so the parent's degree should be decremented. However, failure to decrement the degree triggered a BUG_ON() signal in unlink_anon_vma(). The provided patch fixes this bug, and the degree is now decremented as expected. (BZ#1309898)
Repeated sysrq events proceed as expected
Previously, repeated sysrq events in an NMI context could cause a deadlock, leading to a system crash. The provided patchset adds minimal support for the seq_buf buffer and a per_cpu printk() function, which prevents the aforementioned deadlock from occurring. (BZ#1104266)
Unix domain datagram socket no longer experiences deadlock
Due to a regression, a Unix domain datagram socket could come to a
deadlock when sending a datagram to itself. The provided patch adds
another sk check to the unix_dgram_sendmsg() function, and the
aforementioned deadlock no longer occurs. (BZ#1309241)
Exiting process decrements a counter as expected
Previously, when Kernel Shared Memory (KSM) or page migration were in
use, an exiting process could fail to decrement a counter related to
anonymous virtual memory areas. As a consequence, the counter unbalance
triggered a kernel panic. The provided patch fixes this bug, and the
kernel panic no longer occurs in the aforementioned scenario.
(BZ#1126228)
VGA output speed in UEFI boot mode improved
Previously, the VGA console was very slow in UEFI boot mode, which
resulted in a large difference in boot time for servers with many CPUs
or I/O devices. As a consequence, printing a large amount of debug output
during the boot phase was extremely slow, making it difficult to analyze
issues that occur during boot time. In addition, the VGA output
slowdown continued during OS runtime, which could lead to a system hang.
The provided fix improves the VGA output speed in UEFI boot mode,
preventing the aforementioned problems. (BZ#1290686)
ndo_set_multicast_list field is again present in network drivers
When creating a VLAN interface on top of a netxen_nic physical interface after changing its MAC address, ping over VLAN to a remote VLAN previously failed. The provided patch adds back the use of the ndo_set_multicast_list field in network drivers, and the ping now succeeds as expected. (BZ#1213207)
fio no longer corrupts XFS
After adjusting the extent size with the xfs_fio utility and running the fio tool with the configuration file provided, the XFS file system previously became corrupted. The provided patch extends the size hints, and fio no longer corrupts XFS. (BZ#1211110)
NFS mount now reports correctly
When configuring the firewall on the NFS server to reject all the
packets of 2049 and mounting the share on the NFS client, the following
error was returned:
connection timed out
The provided fix corrects the error message, which now reads:
connection refused
(BZ#1206555)
Automatic signing is now enabled
When setting a security type with the sec= mount option and no signing had been specified with the trailing i, automatic signing was not previously enabled. For example, in DFS mounts where the DFS node requires signing but the client had disabled it using sec=, the user could not mount the DFS node if the node required signing to be enabled. The provided fix sets MAY_SIGN flags for all security types, thus fixing this bug. (BZ#1197875)
Writing a large file using direct I/O now proceeds successfully
Previously, writing a large file using direct I/O in 16 MB chunks
sometimes caused a pathological allocation pattern where 16 MB chunks of
large free extent were allocated to a file in a reversed order. The
provided patch avoids the backward allocation, and writing a large file
using direct I/O now proceeds successfully. (BZ#1302777)
Fix for shrinker return value prevents system hang
The shrink_dcache_memory shrinker is prone to overflow, reporting the following line in the log:
negative objects to delete
As a consequence, the system previously hung. The provided patch tests for this overflow sign extension from any shrinker return value, and refuses to set the max_pass variable larger than the INT_MAX preprocessor macro. As a result, the aforementioned hang no longer occurs. (BZ#1159675)
perf has been updated
To support a greater range of hardware and incorporate numerous bug fixes, perf has been updated. Notable enhancements include:
Added support for additional model numbers of 5th Generation Intel Core i7 processors.
Added support for Intel Xeon v5 mobile and desktop processors.
Enabled support for the uncore subsystem for Intel Xeon v3 and v4 processors.
Enabled support for the uncore subsystem for Intel Xeon Processor D-1500. (BZ#1189317)
Configuring settings for multiple WWPNs is now easier
This enhancement update adds support for tag and untag commands in targetcli. Instead of configuring LUN mapping using the numeric WWPN, for example 20:00:00:1b:21:59:12:36, it is now possible to give one or more WWPNs a descriptive name with the tag command, and then use the tag to configure LUN mappings. See help tag and help untag commands within the acls configuration node for more information. (BZ#882092)
Systems with iscsi_firmware are able to boot
A previous regression in dracut caused systems with iSCSI offloading or iSCSI Boot Firmware Table (iBFT) to stop booting in some cases. Consequently, freshly installed Red Hat Enterprise Linux 6.8 systems with iscsi_firmware on the kernel command line could be unable to boot. This update fixes the bug, and systems in the described scenario are able to boot as expected. (BZ#1322209)
logrotate now correctly works with wpa_supplicant
Previously, wpa_supplicant did not correctly truncate the log file when the logrotate script attempted to rotate it. This bug has been fixed and logrotate now correctly coordinates log rotation with wpa_supplicant. (BZ#908306)
Bug fixes in system-config-network
This release brings multiple bug fixes to the Network Configuration tool (system-config-network). Notable fixes include:
Previously, when system-config-network was used to change the system host name, the new host name was appended to the /etc/hosts file every time, even if the same host name was previously used. This could cause the /etc/hosts file to be unnecessarily cluttered. With this update, new host names are only appended if they have not been used previously.
A bug preventing suppression of DNS settings has been fixed and you can now suppress DNS settings by leaving the DNS field empty.
In some circumstances, system-config-network could display text messages in the text-based interface before the text framework was properly cleaned, resulting in the message being distorted. This bug has been fixed and text messages from this tool now display correctly. (BZ#1086282)
NetworkManager no longer brings down connections when saving a configuration file in vim
Previously, editing network connection configuration files in editors which save files by deleting and recreating them (such as vim) caused NetworkManager to bring down the edited connection if it was active at the time. This bug has been fixed and active connections can now be safely edited in any text editor. (BZ#1272617)
Bond devices not created by NetworkManager now work correctly
Previously, bond devices named bond0, which were created when the bonding module was loaded and not by NetworkManager, were incorrectly configured if the network service was disabled. This bug has been fixed and bond devices now work correctly with NetworkManager. (BZ#1292502)
NetworkManager no longer ignores the DHCP-provided list of search domains
Previously, NetworkManager used the host's DNS domain suffix to configure the DNS resolver (/etc/resolv.conf), and ignored the list of search domains supplied by DHCP. This bug has been fixed and NetworkManager now correctly configures the DNS resolver using DHCP. (BZ#1202539)
NetworkManager can now distinguish between software and hardware devices with the same hardware address
Previously, NetworkManager ignored connections for software devices such as bonds and bridges if the underlying hardware devices used the same hardware address (the HWADDR key) and used the NM_CONTROLLED=no setting. This bug has been fixed and NetworkManager now works with such devices correctly. (BZ#902907)
Fixed ordering in the output of semanage fcontext -l
Previously, the semanage fcontext -l command did not print SELinux rules in the order in which the user added them and the restorecon utility used them. This could pose problems when managing SELinux rules, because the order in which the rules were displayed to the user did not match the order in which restorecon executed them. A patch has been applied to fix this problem, and semanage fcontext -l now displays the rules in the correct and expected order. (BZ#1206767)
Chapter 13. Servers and Services
Tomcat 6 starts as expected when the fr_FR language is configured
Previously, there was an incorrect entry in the Tomcat 6 LocalStrings_fr.properties file. As a consequence, Tomcat 6 showed an exception during the startup when the LANG variable in the /etc/tomcat6/tomcat6.conf file was set to fr_FR. This update fixes the entry and now Tomcat 6 starts without the exception. (BZ#1072484)
tomcat6 now provides noarch packages
Previous releases provided the tomcat6 packages as architecture-dependent. However, the Tomcat 6 servlet container is a Java application without any native components. Therefore, this release provides the packages as architecture-independent. (BZ#1155509)
The Tomcat 6 NIO connector does not leak memory anymore
Previously, a memory leak sometimes occurred when using the Tomcat 6
Non-blocking I/O (NIO) connector. This update ensures that Tomcat 6
removes processors from the RequestGroupInfo list and returns them to
the recycledProcessors queue. As a result, the NIO connector no longer
leaks memory. (BZ#1268352)
mod_nss now supports changing the SSL renegotiation buffer size
This update adds the NSSRenegBufferSize parameter to the mod_nss package. The parameter allows users to configure the amount of memory to be used for buffering a POST request when a per-location SSL renegotiation is required. Previously, mod_nss did not support this functionality, which caused such requests to fail with the following message recorded in Apache logging:
request body exceeds maximum size for SSL buffer, could not buffer message body to allow SSL renegotiation to proceed.
NSSRenegBufferSize accepts buffer size in bytes. The default value is 128K. Setting NSSRenegBufferSize to 0 disables the buffering. (BZ#1214366)
Documentation for tcp_wrappers no longer refers to unavailable binaries
The hosts_access(5) man page, which is a part of the tcp_wrappers package, previously referred to tcpdchk and tcpdmatch binaries which were not included in this package, causing confusion. References to tcpdchk have been removed from the man page, and a modified version of tcpdmatch has been added to the package, allowing you to test your configurations by following the provided instructions. (BZ#1084458)
openssh-clients no longer keeps exited sessions open
Previously, the implementation of openssh-clients did not adhere to RFC 4253, The Secure Shell (SSH) Transport Layer Protocol, as in some cases, a language tag was not sent for the SSH_MSG_DISCONNECT message. As a consequence, when connected to the server from a Red Hat Enterprise Linux 6 ssh-client and disconnected by closing the session, the server kept the session (TCP socket) open until it timed out. This bug has been fixed by adding correct parameters for the SSH_MSG_DISCONNECT message, which makes the server close the session as expected. (BZ#1222500)
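The SSH_MSG_DISCONNECT layout that the openssh-clients note refers to (RFC 4253 section 11.1: message byte, uint32 reason code, description string, language tag string) can be checked with the following added example, which is not code from openssh or from Red Hat. The function names, the strict rejection policy on the receiving side, and the sample payloads are assumptions made for illustration; the code works on the message payload only, without packet framing, padding or MAC.

```python
import struct

SSH_MSG_DISCONNECT = 1              # message number, RFC 4253
SSH_DISCONNECT_BY_APPLICATION = 11  # reason code, RFC 4253 section 11.1


class MalformedDisconnect(ValueError):
    """Payload is not: byte type, uint32 reason, string, string."""


def put_string(data):
    # SSH "string": uint32 big-endian length, then that many bytes.
    return struct.pack(">I", len(data)) + data


def get_string(buf, off, field):
    # Read one SSH string at offset off; return (bytes, next offset).
    if len(buf) - off < 4:
        raise MalformedDisconnect(field + ": length prefix missing")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if len(buf) - off < n:
        raise MalformedDisconnect(field + ": truncated")
    return buf[off:off + n], off + n


def build_disconnect(reason, description, language_tag=""):
    """Hypothetical helper. language_tag=None leaves the field out
    entirely (the non-conforming shape); "" is a valid empty tag."""
    out = bytes([SSH_MSG_DISCONNECT]) + struct.pack(">I", reason)
    out += put_string(description.encode("utf-8"))
    if language_tag is not None:
        out += put_string(language_tag.encode("ascii"))
    return out


def parse_disconnect(payload):
    """Strict receiver-side parse (assumed policy: reject short payloads)."""
    if len(payload) < 5 or payload[0] != SSH_MSG_DISCONNECT:
        raise MalformedDisconnect("not an SSH_MSG_DISCONNECT payload")
    (reason,) = struct.unpack_from(">I", payload, 1)
    desc, off = get_string(payload, 5, "description")
    lang, off = get_string(payload, off, "language tag")
    if off != len(payload):
        raise MalformedDisconnect("trailing bytes after language tag")
    return {
        "reason": reason,
        "description": desc.decode("utf-8", "replace"),
        "language_tag": lang.decode("ascii", "replace"),
    }


def verdict(payload):
    # "ok" for a conforming payload, otherwise the reason it was rejected.
    try:
        parse_disconnect(payload)
        return "ok"
    except MalformedDisconnect as exc:
        return str(exc)


# Constructed sample payloads, not captured traffic.
GOOD = build_disconnect(SSH_DISCONNECT_BY_APPLICATION, "disconnected by user")
BAD = build_disconnect(SSH_DISCONNECT_BY_APPLICATION, "disconnected by user",
                       language_tag=None)

if __name__ == "__main__":
    for name, payload in (("with tag", GOOD), ("tag omitted", BAD)):
        print(name, len(payload), "bytes:", verdict(payload))
```

An empty language tag is still four zero bytes on the wire, so a conforming message is always four bytes longer than one that drops the field.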
Pegasus CIM server now disables SSLv3 and uses TLS1.0 or later by default
The Pegasus CIM server previously had no option to disable the SSLv3
protocol, which is now considered insecure. This update contains a
backported upstream fix which changes the default behavior so that SSLv3
is disabled, TLS1.0 or later is used, and SSLv3 can be reenabled using
the sslBackwardCompatibility option if necessary. (BZ#1238329)
vsftpd can now use wildcards in commands correctly
A regression in the vsftpd FTP client previously caused commands which used wildcards (such as * or ?) to fail. This bug has been fixed and you can now use wildcards in commands such as ls in vsftpd again. (BZ#1315957)
Print jobs no longer disappear from cups queue for non-responsive printers
Previously, when a print job was submitted to a print queue which was trying to send jobs to a non-responsive printer, and then the queue was disabled and reenabled, the print job disappeared due to a bug in the cups service. An upstream fix was backported into cups, and jobs no longer disappear from queues when they are disabled and reenabled. (BZ#1293498)
The Dovecot IMAP server now returns the CP932 character in IMAP search results
A bug in the charset conversion algorithm caused IMAP searches not to
return messages that contained the CP932 character. An upstream fix has
been backported to fix this bug, and the IMAP search command now finds
messages containing the CP932 character as expected. (BZ#1275233)
Applications no longer access database files on a NFS share ineffectively
Prior to this update, some applications performed poorly when
performing operations on database files hosted on a NFS share. This was
caused by the frequent invalidations of cache on the NFS client. This
update introduces a new environment variable NDBM_LOCK, which prevents cache invalidation. As a result, the relevant
applications no longer perform poorly in the described scenario. (BZ#668702)
rescan-scsi-bus.sh now correctly interprets multiple word device descriptions
The rescan-scsi-bus.sh script, found in the sg3_utils package, previously misinterpreted SCSI device types that were described using more than one word, such as Medium Changer or Optical Device. Consequently, when the script was run on systems that had such device types attached, the script printed multiple misleading error messages. With this update, device types described with multiple words are handled correctly, and the proper device type description is returned to the user without any errors. (BZ#1210438)
rescan-scsi-bus.sh no longer removes /dev/null
When running the rescan-scsi-bus.sh script, due to incorrect syntax in redirecting output to the /dev/null device file while executing the /bin/rm utility, the redirection did not happen but /dev/null was instead interpreted as a file to be removed. As a consequence, running rescan-scsi-bus.sh with the --update option removed /dev/null during execution. This bug has been fixed, and /dev/null is no longer removed by rescan-scsi-bus.sh. (BZ#1245302)
Additional result codes are now recognized by sg_persist
Previously, some SCSI hosts could return result codes which were not recognized by sg_persist, causing it to output an error message claiming the result code is invalid. This update adds additional return codes, such as DID_NEXUS_FAILURE, and the problem no longer occurs. (BZ#886611)
iSCSI boot works correctly in Multi Function mode
Due to incorrect handling of Multi Function mode when dealing with the
bnx2x driver, booting iSCSI from Storage Area Network (SAN) did not
work correctly for some Host Bus Adapters (HBAs). The underlying source
code has been fixed, and iSCSI boot now works correctly in Multi
Function mode. (BZ#1276545)
Chapter 15. System and Subscription Management
iostat can now print device names longer than 72 characters
Previously, device names longer than 72 characters were being truncated in iostat output because the device name field was too short. The allocated space for device names has been increased, and iostat can now print significantly longer device names in the output. (BZ#1308862)
Corrupted data files no longer crash sar
Previously, the sar command could crash when loading corrupted system activity data due to localtime() function calls not being properly checked in sysstat. This bug has been fixed and corrupted system activity data files no longer crash sar. (BZ#887231)
pidstat no longer outputs values above 100% for certain fields
Previously, pidstat could potentially run out of preallocated space for PIDs on systems with many short-lived processes. This could cause pidstat to output nonsensical values (values larger than 100%) in the %CPU, %user, and %sys fields. With this update, pidstat now automatically reallocates space for PIDs, and outputs correct values for all fields. (BZ#1224878)
curl no longer requires both private and public SSH keys
Previously, the curl tool required a full pair of private and public SSH keys for user authentication. If you only provided a private SSH key, which is common when using certain tools such as scp, user authentication failed. An upstream patch has been applied on curl source code to improve SSH user authentication so that the public key does not need to be specified, and curl can now authenticate using only a private SSH key. (BZ#1260742)
NSS no longer reuses TLS sessions for servers with different host names
Previously, Network Security Services (NSS) could incorrectly reuse an existing TLS session to connect to a server with a different host name. This caused some HTTPS servers to refuse requests made within that session and to respond with HTTP code 400 (Bad Request). A patch which prevents reusing TLS sessions for different servers has been applied to libcurl source code, allowing NSS to successfully communicate with servers which require the HTTP host name to match the TLS session host name. (BZ#1269660)
Fixed a memory leak in libcurl
The DNS cache implementation in libcurl could previously fail to remove cache entries which were no longer used.
This resulted in a memory leak in applications using this library while
resolving host names. This bug has been fixed, and libcurl-based
applications no longer leak memory while resolving host names.
(BZ#1302893)
Enhancements to abrt reporting workflow
The problem reporting workflow in abrt has been enhanced to improve the overall crash reporting experience and customer case creation. The enhancements include:
The Provide additional information screen now allows you to select whether the problem happens repeatedly, and also contains an additional input field for providing steps to reproduce the problem.
A new reporting workflow, Submit anonymous report, which should be used when the reported problem is not critical and no Red Hat support team assistance is required.
New tests have been added to the internal logic to ensure that users open cases only for critical problems and software released by Red Hat.
Additionally, the client identifier has been updated to abrt_version: 2.0.8.1. (BZ#1258474)
pmap no longer reports incorrect totals
With the introduction of VmFlags in the kernel smaps interface, the pmap tool could no longer reliably process the content due to format differences of the VmFlags entry. As a consequence, pmap reported incorrect totals. The underlying source code has been patched, and pmap now works as expected. (BZ#1262870)
Fixes in free output
With the introduction of the human readable ("-h") switch in the free tool, the layout generator had to be modified to support the new feature. This, however, affected printing of values longer than the column width. The values were truncated to prevent the layout from breaking when the values became longer than the reserved space in the columns. At the same time, the change caused free to insert an unwanted space character at the end of each line. Due to these two changes, the output could not be used in custom scripts. With this update, values longer than the column width are no longer truncated, no extra spaces are inserted at line ends, and the output of the free tool can now be processed without problems. (BZ#1246379)
Fixed a race condition when processing detected problems in abrtd
This update fixes a race condition in the abrtd service which was causing a loss of detected problem data, filling system logs with repeated error messages, and causing abrt core dumper processes to hang, which in turn prevented dumped programs from being restarted. (BZ#1245893)
Chapter 16. Virtualization
Hyper-V guests work properly with VHDX files
Previously, when running Red Hat Enterprise Linux as a guest on a
Microsoft Hyper-V hypervisor with a large dynamic Hyper-V virtual hard
disk (VHDX) attached and using the ext3 file system, a call trace in
some cases appeared and made it impossible to shut down the guest. With
this update, Red Hat Enterprise Linux guests on Windows Hyper-V handle
VHDX files correctly, and the described problem no longer occurs.
(BZ#982542)
The hv_netvsc module works correctly with Hyper-V
Due to a race condition, the hv_netvsc module previously in some cases terminated unexpectedly when it was unloading. This caused a kernel crash on Red Hat Enterprise Linux guests running on the Microsoft Hyper-V hypervisor. The race condition has been removed, which prevents the described kernel crashes from occurring. (BZ#1118163)
Guests shut down correctly when processing interrupts
Prior to this update, if processes that generate interrupts were
active during the guest shut down sequence, the virtio driver in some
cases did not correctly clear the interrupts. As a consequence, the
guest kernel became unresponsive, which prevented the shut down from
completing. With this update, the virtio driver processes interrupts
more effectively, and guests now shut down reliably in the described
scenario. (BZ#1199155)
Consistent save times for taking guest snapshots
Prior to this update, saving a KVM guest snapshot involved overwriting
the state of the virtual machine using copy-on-write operations. As a
consequence, taking every snapshot after the first one took an excessive
amount of time. Now, the guest state written in the active layer is
discarded after the snapshot is taken, which avoids the need for
copy-on-write operations. As a result, saving subsequent snapshots is
now as quick as saving the first one. (BZ#1219908)
The at program works correctly with virt-sysprep
When using the virt-sysprep utility to create a Red Hat Enterprise Linux guest template, the at program in the resulting guest could not be used. This update ensures that virt-sysprep does not delete /var/spool/at/.SEQ files in these guests, and at now works as expected. (BZ#1229305)
Failed logical volume creation no longer deletes existing volumes
Previously, when attempting to create a logical volume in a
logical-volume pool that already contained a logical volume with the
specified name, libvirt in some cases deleted the existing logical
volume. This update adds more checks to determine the cause of failure
when creating logical volumes, which prevents libvirt from incorrectly
removing existing logical volumes in the described circumstances. (BZ#1232170)
Domain information from LIBVIRT-MIB.txt is loaded correctly
Previously, the LIBVIRT-MIB.txt file in the libvirt-snmp package did not fully comply with the formatting rules of the Simple Network Management Protocol (SNMP). As a consequence, SNMP software could not load the file and thus failed to read the domain information it provides, such as exposed variables, their ranges, or certain named values. This update ensures that LIBVIRT-MIB.txt is fully compliant with SNMP formatting rules, and the file is now loaded as expected. (BZ#1242320)
System log is no longer flooded with error messages about missing metadata
Prior to this update, the libvirt library was logging the VIR_ERR_NO_DOMAIN_METADATA error code with the error priority, rather than the 'debug' severity usual for this kind of message. As a consequence, if the metadata APIs were used heavily while metadata entries were missing, the system log was flooded with irrelevant messages. With this update, the severity of VIR_ERR_NO_DOMAIN_METADATA has been lowered to debug, thus fixing this problem. (BZ#1260864)
Guests with strict NUMA pinning boot more reliably
When starting a virtual machine configured with strict Non-Uniform
Memory Access (NUMA) pinning, the KVM module could not allocate memory
from the Direct Memory Access (DMA) zones if the NUMA nodes were not
included in the configured limits set by the libvirt daemon. This led to
a Quick Emulator (QEMU) process failure, which in turn prevented the
guest from booting. With this update, the cgroup limits are applied
after the KVM allocates the memory, and the QEMU process, as well as the
guest, now starts as expected. (BZ#1263263)
Kernel panics caused by struct kvm handling are fixed
When creating a KVM guest, the struct kvm data structure corresponding to the virtual machine was in some cases not handled properly. This caused corruption in the kernel memory and triggered a kernel panic on the host. Error conditions during guest creation are now treated properly, which prevents the described kernel panic from occurring. (BZ#1270791)
Limited KSM deduplication factor
Previously, the kernel same-page merging (KSM) deduplication factor
was not explicitly limited, which caused Red Hat Enterprise Linux hosts
to have performance problems or become unresponsive in case of high
workloads. This update limits the KSM deduplication factor, and thus
eliminates the described problems with virtual memory operations related
to KSM pages. (BZ#1262294)
Hyper-V daemon services are no longer unavailable on slowly-booting Red Hat Enterprise Linux 6 guests
Prior to this update, if a Red Hat Enterprise Linux 6 guest running on a Hyper-V hypervisor took a long time to boot, the hypervkvpd, hypervvssd, and hypervfcopy Hyper-V daemons in some cases failed to start due to a negotiation timeout. As a consequence, the guest could not use the services provided by these daemons, including online backup, file copy, and network settings. This update ensures that the Hyper-V daemons start properly in the described scenario, which makes the affected services available as expected. (BZ#1216950)
Starting guests when using macvtap and Cisco VM-FEX no longer fails
Prior to this update, on hosts using macvtap connections to Cisco
Virtual Machine Fabric Extender (VM-FEX) network cards, starting a
virtual machine failed with the following error message:
internal error missing IFLA_VF_INFO in netlink response
This bug has been fixed, and starting guests on the described hosts now works as expected. (BZ#1251532)
Faster startup for virt-manager on hosts with many network interfaces
On hosts with very large numbers of bridged, VLAN, or bond interfaces, starting the virt-manager utility previously took a very long time. This update optimizes the netcf query that caused this delay, which significantly improves the start-up speed of virt-manager on the described systems. (BZ#1235959)