Edition 4
1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
Abstract
Note
procfs
entries, sysfs
default values, boot parameters, kernel configuration options, or any noticeable behavior changes.
intel_idle.max_cstate
intel_idle.max_cstate
, has been added to specify the maximum depth of a C-state, or to disable intel_idle
and fall back to acpi_idle
. For more information, refer to the /usr/share/doc/kernel-doc-<version>
/Documentation/kernel-parameters.txt
file.
nobar
nobar
kernel
parameter, specific to the AMD64 / Intel 64 architecture, can be used to
not assign address space to the Base Address Registers (BARs) that were
not assigned by the BIOS.
noari
noari
kernel parameter can disable the use of PCIe Alternative Routing ID Interpretation (ARI).
state
filestate
file of an MD array component device (found in the /sys/block/md<md_number>
/md/dev-<device_name>
directory) can now contain additional device states. For more information, refer to the /usr/share/doc/kernel-doc-<version>
/Documentation/md.txt
file.
route_localnet
route_localnet
kernel parameter can be used to enable the use of 127/8 for local routing purposes. For more information, refer to the /usr/share/doc/kernel-doc-<version>
/Documentation/networking/ip-sysctl.txt
file.
pf_retrans
pf_retrans
kernel
parameter specifies the number of re-transmissions that will be
attempted on a given path before traffic is redirected to an alternate
transport (should one exist). For more information, refer to the /usr/share/doc/kernel-doc-<version>
/Documentation/networking/ip-sysctl.txt
file.
traceevent
traceevent
library, used by perf, uses the following sysfs control files:
/sys/kernel/debug/tracing/events/header_page /sys/kernel/debug/tracing/events/.../.../format /sys/bus/event_source/devices/<dev>
/format /sys/bus/event_source/devices/<dev>
/events /sys/bus/event_source/devices/<dev>
/type
/sys/kernel/fadump_*
/sys/kernel/fadump_enabled /sys/kernel/fadump_registered /sys/kernel/fadump_release_mem
/usr/share/doc/kernel-doc-<version>
/Documentation/powerpc/firmware-assisted-dump.txt
.
/sys/kernel/mm/transparent_hugepage symbolic
link, which points to /sys/kernel/mm/redhat_transparent_hugepage
, has been added for consistency purposes.
/usr/share/doc/kernel-doc-<version>
/Documentation/vm/transhuge.txt
vmbus_show_device_attr
attribute of the Hyper-V vmbus
driver shows the device attribute in sysfs. This is invoked when the /sys/bus/vmbus/devices/<busdevice>
/<attr_name>
file is read.
bna/pci_dev:<pci_name>
hierarchy (note that the debugfs file system must be mounted). The following debugging services are available for each pci_dev>
:
fwtrc
— used to collect current firmware trace.
fwsave
— used to collect last-saved firmware trace as a result of firmware crash.
regwr
— used to write one word to the chip register.
regrd
— used to read one or more words from the chip register.
iwlegacy
debug_level
iwlegacy
driver includes a new sysfs control file, /sys/bus/pci/drivers/iwl/debug_level
, to control per-device level of debugging. The CONFIG_IWLEGACY_DEBUG
option enables this feature.
iwlwifi
debug_level
iwlwifi
driver includes a new sysfs control file, /sys/class/net/wlan0/device/debug_level
, to control per-device level of debugging. The CONFIG_IWLWIFI_DEBUG
option enables this feature.
ie6xx_wdt
/sys/kernel/debug/ie6xx_wdt
file contains a value that determines whether the system was rebooted by watchdog.
supported_krb5_enctypes
/proc/fs/nfsd/supported_krb5_enctypes
proc file lists the encryption types supported by the kernel's gss_krb5
code.
usbmixer
/proc/asound/card<card_number>
/usbmixer
proc file has been added. It contains a mapping between the ALSA
control API and the USB mixer control units. This file can be used
debugging and problem diagnostics.
codec#<number>
/proc/asound/card<card_number>
/codec#<number>
proc files now contain information about the D3cold power state, the deepest power-saving state for a PCIe device. The codec#<number>
files now also contain additional power state information, specifically: reset status
, clock stop ok
, and power states error
. The following is an example output:
Power: setting=D0, actual=D0, Error, Clock-stop-OK, Setting-reset
cgroup.procs
cgroup.procs
file is now writable. Writing a TGID into the cgroup.procs file of a cgroup moves that thread group into that cgroup.
sysfs_dirent
sysfs_dirent
, which represents a single sysfs node, is now cached to improve scalability of the readdir
function.
iov
iov
sysfs directory was added under the ib
device. This directory is used to manage and examine the port P_Key and guid paravirtualization.
fcoe
driver via the fc_host
class object.
ltm_capable
/sys/bus/usb/devices/<device>
/ltm_capable
file has been added to show whether a device supports Latency Tolerance
Messaging (LTM). This file is present for both USB 2.0 and USB 3.0
devices.
fwdump_state
/sys/class/net/eth<number>
/device/fwdump_state
file has been added to determine whether the firmware dump feature is enabled or disabled.
flags
, registers
Commands in Q
item was added to the /sys/block/rssd<number>
/registers
file. This file's output was also re-formatted. Also, a new /sys/block/rssd<number>
/flags
file has been added. This read-only file dumps the flags in a port and driver data structure.
duplex
/sys/class/net/eth<number>
/duplex
file now reports unknown
when the NIC duplex state is DUPLEX_UNKNOWN
.
TCP_USER_TIMEOUT
TCP_USER_TIMEOUT
is a TCP level socket
option that specifies the maximum amount of time (in milliseconds) that
transmitted data may remain unacknowledged before TCP will forcefully
close the corresponding connection and return ETIMEDOUT to the application. If the value 0
is specified, TCP will continue to use the system default.
IPPROTO_ICMP
IPPROTO_ICMP
socket option makes it possible to send ICMP_ECHO
messages and receive the corresponding ICMP_ECHOREPLY
messages without any special privileges.
ST_MAX_TAPES
MAX_IO_APICS
).
modinfo <module>
command, for example, modinfo bna
.
kvm
module parameter:
module_param(min_timer_period_us, uint, S_IRUGO | S_IWUSR);
min_timer_period_us
—
Do not allow the guest to program periodic timers with small interval,
since the hrtimers are not throttled by the host scheduler, and allow
tuning the interval with this parameter. The default value is 500us
.
kvm-intel
module parameter:
module_param_named(eptad, enable_ept_ad_bits, bool, S_IRUGO);
enable_ept_ad_bits
— Parameter to control enabling/disabling A/D bits, if supported by CPU. The default value is enabled
.
ata_piix
module parameter:
module_param(prefer_ms_hyperv, int, 0);
prefer_ms_hyperv
— On
Hyper-V Hypervisors, the disks are exposed on both the emulated SATA
controller and on the paravirtualized drivers. The CD/DVD devices are
only exposed on the emulated controller. Request to ignore ATA devices
on this host. The default value is enabled
.
drm
module parameters:
module_param_named(edid_fixup, edid_fixup, int, 0400); module_param_string(edid_firmware, edid_firmware, sizeof(edid_firmware), 0644);
edid_fixup
— Minimum number of valid EDID header bytes (0-8). The default value is 6
.
edid_firmware
— Do not probe monitor, use specified EDID blob from built-in data or /lib/firmware
instead.
i915
module parameters:
module_param_named(lvds_channel_mode, i915_lvds_channel_mode, int, 0600); module_param_named(i915_enable_ppgtt, i915_enable_ppgtt, int, 0600); module_param_named(invert_brightness, i915_panel_invert_brightness, int, 0600);
nouveau
module parameter:
module_param_named(vram_type, nouveau_vram_type, charp, 0400);
radeon
module parameter:
module_param_named(lockup_timeout, radeon_lockup_timeout, int, 0444);
i2c-ismt
module parameters:
module_param(stop_on_error, uint, S_IRUGO); module_param(fair, uint, S_IRUGO);
iw-cxgb4
module parameters:
module_param(db_delay_usecs, int, 0644); module_param(db_fc_threshold, int, 0644);
mlx4_ib
module parameter:
module_param_named(sm_guid_assign, mlx4_ib_sm_guid_assign, int, 0444);
ib_qib
module parameter:
module_param_named(cc_table_size, qib_cc_table_size, uint, S_IRUGO);
bna
module parameter:
module_param(bna_debugfs_enable, uint, S_IRUGO | S_IWUSR);
cxgb4
module parameters:
module_param(dbfifo_int_thresh, int, 0644); module_param(dbfifo_drain_delay, int, 0644);
e1000e
module parameter:
module_param(debug, int, 0);
igb
module parameter:
module_param(debug, int, 0);
igbvf
module parameter:
module_param(debug, int, 0);
ixgbe
module parameter:
module_param(debug, int, 0);
ixgbevf
module parameter:
module_param(debug, int, 0);
hv_netvsc
module parameter:
module_param(ring_size, int, S_IRUGO);
mlx4_core
module parameter:
module_param(enable_64b_cqe_eqe, bool, 0444);
enable_64b_cqe_eqe
— Enable 64 byte CQEs/EQEs when the firmware supports this.
sfc
module parameters:
module_param(vf_max_tx_channels, uint, 0444); module_param(max_vfs, int, 0444);
ath5k
module parameter:
module_param_named(no_hw_rfkill_switch, ath5k_modparam_no_hw_rfkill_switch, bool, S_IRUGO);
iwlegacy
module parameters:
module_param(led_mode, int, S_IRUGO); module_param(bt_coex_active, bool, S_IRUGO);
wlcore
module parameter:
module_param(no_recovery, bool, S_IRUSR | S_IWUSR);
scm_block
module parameters:
module_param(nr_requests, uint, S_IRUGO); module_param(write_cluster_size, uint, S_IRUGO)
zfcp
module parameters:
module_param_named(no_auto_port_rescan, no_auto_port_rescan, bool, 0600); module_param_named(datarouter, enable_multibuffer, bool, 0400); module_param_named(dif, enable_dif, bool, 0400);
aacraid
module parameters:
module_param(aac_sync_mode, int, S_IRUGO|S_IWUSR); module_param(aac_convert_sgl, int, S_IRUGO|S_IWUSR);
be2iscsi
module parameter:
module_param(beiscsi_##_name, uint, S_IRUGO);
lpfc
module parameter:
module_param(lpfc_req_fw_upgrade, int, S_IRUGO|S_IWUSR);
megaraid_sas
module parameters:
module_param(msix_vectors, int, S_IRUGO); module_param(throttlequeuedepth, int, S_IRUGO); module_param(resetwaittime, int, S_IRUGO);
qla4xxx
module parameters:
module_param(ql4xqfulltracking, int, S_IRUGO | S_IWUSR); module_param(ql4xmdcapmask, int, S_IRUGO); module_param(ql4xenablemd, int, S_IRUGO | S_IWUSR);
hv_storvsc
module parameter:
module_param(storvsc_ringbuffer_size, int, S_IRUGO);
ehci-hcd
driver parameter:
module_param(io_watchdog_force, uint, S_IRUGO);
io_watchdog_force
— Force I/O watchdog to be ON for all devices.
ie6xx_wdt
module parameters:
module_param(timeout, uint, 0); module_param(nowayout, bool, 0); module_param(resetmode, byte, 0);
snd-ua101
module parameter:
module_param(queue_length, uint, 0644);
DASD
)
device driver has been updated to detect path configuration errors that
cannot be detected by hardware or microcode. Upon successful detection,
the device driver does not use such paths. With this feature, for
example, the DASD device driver detects paths that are assigned to a
specific subchannel but lead to different storage servers.
zfcp
device driver has been
updated to add data structures and error handling to support the
enhanced mode of the System z Fibre Channel Protocol (FCP) adapter card.
In this mode, the adapter passes data directly from memory to the SAN
(data routing) when memory on the adapter card is blocked by large and
slow I/O requests.
mtip32xx
driver has been updated to add support for the latest PCIe SSD drives.
lpfc
driver for Emulex Fibre Channel Host Bus Adapters has been updated to version 8.3.5.82.1p.
qla2xxx
driver for QLogic Fibre
Channel HBAs has been updated to version 8.04.00.04.06.4-k, which adds
support for QLogic's 83XX Converged Network Adapter (CNA), 16 GBps FC
support for QLogic adapters, and new Form Factor CNA for HP ProLiant
servers.
qla4xxxx
driver has been updated to version v5.03.00.00.06.04-k0, which adds change_queue_depth
API support, fixes a number of bugs, and introduces various enhancements.
ql2400-firmware
firmware for QLogic 4Gbps fibre channel HBA has been updated to version 5.08.00.
ql2500-firmware
firmware for QLogic 4Gbps fibre channel HBA has been updated to version 5.08.00.
ipr
driver for IBM Power Linux
RAID SCSI HBAs has been updated to version 2.5.4, which adds support for
the Power7 6Gb SAS adapters and enables SAS VRAID capability on these
adapters.
hpsa
driver has been updated to version 2.0.2-4-RH1 to add PCI-IDs for the HP Smart Array Generation 8 family of controllers.
bnx2i
driver for Broadcom
NetXtreme II iSCSI has been updated to version 2.7.2.2 with general
hardware support enablements. iSCSI and FCoE boot support on Broadcom
devices is now fully supported in Red Hat Enterprise Linux 6.4. These
two features are provided by the bnx2i and bnx2fc Broadcom drivers.
bnx2fc
driver for the Broadcom Netxtreme II 57712 chip has been updated to version 1.0.12.
mpt2sas
driver has been updated to version 13.101.00.00, which adds multi-segment mode support for the Linux BSG Driver.
bfa
Fibre Channel and
FCoE driver has been updated to version 3.0.23.0 which includes Brocade
1860 16Gbps Fibre Channel Adapter support, new hardware support in Dell
PowerEdge 12th Generation servers, and issue_lip
support. The bfa
firmware was updated to version 3.0.3.1.
be2iscsi
driver for
ServerEngines BladeEngine 2 Open iSCSI devices has been updated to
version 4.4.58.0r to add iSCSI netlink VLAN support.
qib
driver for TrueScale HCAs has been updated to the latest version with the following enhancements:
ahci
, md
/bitmap
, raid0
, raid1
, raid10
, and raid456
.
netxen_nic
driver for NetXen Multi port (1/10) Gigabit Network has been updated to version 4.0.80, which adds miniDIMM support. The netxen_nic
firmware has been updated to version 4.0.588.
bnx2x
driver has been updated to
the version 1.72.51-0 to include support for Broadcom
57800/57810/57811/57840 chips as well as general bug fixes and updated
firmware for Broadcom 57710/57711/57712 chips. This update also includes
the following enhancements:
be2net
driver for ServerEngines
BladeEngine2 10Gbps network devices has been updated to version
4.4.31.0r to add RDMA over Converged Ethernet (RoCE) support.
Additionally, the SR-IOV functionality of the Emulex be2net
driver is now fully supported in Red Hat Enterprise Linux 6.4. SR-IOV
runs on all Emulex-branded and OEM variants of BE3-based hardware (with
minimum firmware version 4.2.324.30), which all require the be2net
driver software.
ixgbevf
driver has been updated to version 2.6.0-k to include the latest hardware support, enhancements, and bug fixes.
cxgb4
driver for Chelsio
Terminator4 10G Unified Wire Network Controllers has been updated to add
support for Chelsio's T480-CR and T440-LP-CR adapters.
cxgb3
driver for the Chelsio T3 Family of network devices has been updated to version 1.1.5-ko.
ixgbe
driver for Intel 10
Gigabit PCI Express network devices has been updated to version 3.9.15-k
to include support for SR-IOV with Data Center Bridging (DCB) or
Receive-Side Scaling (RSS), PTP support as a Technology Preview, latest
hardware support, enhancements, and bug fixes.
iw_cxgb3
driver has been updated.
iw_cxgb4
driver has been updated.
e1000e
driver for Intel PRO/1000
network devices has been updated to add the latest hardware support,
features, and provide a number of bug fixes.
enic
driver for Cisco 10G Ethernet devices has been updated to version 2.1.1.39.
igbvf
driver (Intel Gigabit Virtual Function Network driver) has been updated to the latest upstream version.
igb
driver for Intel Gigabit
Ethernet Adapters has been updated to version 4.0.1 to add the latest
hardware support. Also, PTP support has been added to the igb
driver as a Technology Preview.
tg3
driver for Broadcom Tigon3
Ethernet devices has been updated to version 3.124 to add new hardware
support. Also, PTP support has been added to the tg3
driver as a Technology Preview.
qlcnic
driver for the HP NC-Series QLogic 10 Gigabit Server Adapters has been updated to version 5.0.29.
bna
driver for Brocade
10Gb PCIe Ethernet Controllers driver has been updated to version
3.0.23.0 to add new hardware support for Dell PowerEdge 12th Generation
servers, and enable the use of non-Brocade Twinax Copper cables. The bna
firmware was updated to version 3.0.3.1.
cnic
driver has been updated to version 2.5.13 to include new features, bug fixes, and support for new OEM platforms.
iwlwifi
driver for Intel wireless LAN adapters and the ath9k
driver for PCI/PCI-Express adapters with Atheros wireless LAN chipsets. Additionally, the rt2800pci
and rt2800usb
drivers have been added to support various USB and PCI/PCI-Express adapters with Ralink wireless LAN chipsets.
intel_idle
cpuidle driver for Intel processors has been updated to add support for Intel's Xeon E5-XXX V2 series of processors.
wacom
driver has been updated to
add support for the CTL-460 Wacom Bamboo Pen, the Wacom Intuos5 Tablet,
and the Wacom Cintiq 22HD Pen Display.
mlx4_en
driver has been updated to the latest upstream version.
mlx4_ib
driver has been updated to the latest upstream version.
mlx4_core
driver has been updated to the latest upstream version.
z90crypt
device driver has been updated to support the new Crypto Express 4 (CEX4) adapter card.
-s/--snapshot
option in the lvcreate
man page.
lvcreate(8)
man page.
lvmetad
daemon
is to eliminate the need for this scanning by dynamically aggregating
metadata information each time the status of a device changes. These
events are signaled to lvmetad
by udev
rules. If lvmetad
is not running, LVM performs a scan as it normally would.
use_lvmetad
parameter in the /etc/lvm/lvm.conf
file, and enable the lvmetad
daemon by configuring the lvm2-lvmetad
init script.
fsfreeze(8)
man page.
O_DIRECT
I/O. These applications may use the raw block device, or the XFS file system in O_DIRECT
mode. (XFS is the only file system that does not fall back to buffered
I/O when doing certain allocation operations.) Only applications
designed for use with O_DIRECT
I/O and DIF/DIX hardware should enable this feature.
Btrfs is still experimental
/etc/cluster.conf
configuration file to be used by pacemaker, rgmanager must be disabled. The risk of not doing this is high; after a successful conversion, it would be possible to start rgmanager and pacemaker on the same host, managing the same resources.
<rm disabled="1">
flag in /etc/cluster.conf
.
<rm disabled="1">
flag appears in /etc/cluster.conf
during a reconfiguration.
be2net
driver is considered a Technology Preview. You must meet the following
requirements to use the latest version of SR-IOV support:
be2net
driver software.
bnx2i
and bnx2fc
Broadcom drivers, remain a Technology Preview until further notice.
mpt2sas
driver is fully supported. However, when used in the lockless mode, the driver is a Technology Preview.
dm-thinp
targets, thin
and thin-pool
,
provide a device mapper device with thin-provisioning and scalable
snapshot capabilities. This feature is available as a Technology
Preview.
audit
subsystem in the Linux 2.6 kernel. Within the audispd-plugins
sub-package is a utility that allows for the transmission of audit
events to a remote aggregating machine. This remote audit logging
application, audisp-remote, is considered a Technology Preview in Red Hat Enterprise Linux 6.
fence_ipmilan
agent. This new Technology Preview is used to force a kernel dump of a
host if the host is configured to do so. Note that this feature is not a
substitute for the off
operation in a production cluster.
-cpu
flag must be set when using this feature.
numad
daemon for the best manual placement of an application. The numad package is considered a Technology Preview.
anaconda
component, BZ#895982anaconda
component, BZ#875644anaconda
component
ql4xdisablesysfsboot
to 1
may cause boot from SAN failures.
anaconda
component
zerombr
kickstart command. The --initlabel
option of the clearpart
command is not intended to serve this purpose.
anaconda
component, BZ#676025Skip Boot Loader Configuration
during the installation process. Boot loader configuration will need to
be completed manually after installation. This problem does not affect
users running Anaconda in the graphical mode (graphical mode also
includes VNC connectivity mode).
anaconda
component
/boot
volume on an encrypted volume.
anaconda
component
sdc
instead of sda
).
kernel
component
em1
is used instead of eth0
on new Dell machines). However, the previously used network interface
names are preserved on the system and the upgraded system will still use
the previously used interfaces. This is not the case for Yum upgrades.
anaconda
component
kdump default on
feature currently depends on Anaconda to insert the crashkernel=
parameter to the kernel parameter list in the boot loader's configuration file.
firstaidkit
component
anaconda
component, BZ#623261 clearpart --initlabel
kickstart command. Adding the --all
switch—as in clearpart --initlabel --all
—ensures disks are cleared correctly.
anaconda
component
yaboot
component, BZ#613929 anaconda
component
system-config-kickstart
component
subscription-manager
component
subscription-manager
component
subscription-manager
component
389-ds-base
component, BZ#878111 dirsrv-<instance>
log files in the /var/log/
directory due to incorrect permissions on the directory.
cpuspeed
component, BZ#626893 /proc/cpuinfo
or /sys/device/system/cpu/*/cpufreq
.
This is due to the firmware manipulating the CPU frequency without
providing any notification to the operating system. To avoid this ensure
that the HP Power Regulator
option in the BIOS is set to OS Control
. An alternative available on more recent systems is to set Collaborative Power Control
to Enabled
.
releng
component, BZ#644778 grub
component, BZ#695951BOOTX64
rather than bootx64
to boot the installer due to case sensitivity issues.
grub
component, BZ#698708 kernel
component
macvtap
driver, a kernel panic can occur on the host machine. This problem was
observed on machines using Broadcom, QLogic and Intel cards. To work
around the problem, disable LRO by running ethtool -K large-receive-offload off
.
kernel
component
/var/log/messages
file.
libvirt
component, BZ#888635qemu-kvm
component, BZ#894277numad
component, BZ#872524grubby
component, BZ#893390sync
command before turning the guest off.
kernel
component
kernel
component, BZ#874406kernel
component
kernel
component
quemu-kvm
component, BZ#871265lahfm_lm
CPU feature is ignored by Linux guests, even when the feature is
enabled. To work around this problem, use a different CPU model, for
example AMD Opteron G4.
qemu-kvm
component, BZ#860929CPU0: update failed (for patch_level=0x6000624)
virt-p2v
component, BZ#816930virt-p2v
component, BZ#808820virtio-win
component, BZ#615928 libvirt
component, BZ#622649 service libvirt reload
command to restore libvirt's additional iptables rules.
virtio-win
component, BZ#612801 qemu-kvm
component, BZ#720597qemu-kvm
component, BZ#612788 virt-v2v
component, BZ#618091 virt-v2v
component, BZ#678232 kernel
component
parted
component
lvm2
component, BZ#852812dracut
component
echo "options qla2xxx ql2xasynclogin=0" > /etc/modprobe.d/qla2xxx.conf mkinitrd /boot/initramfs-`uname -r`.img `uname -r` --force
lvm2
component, BZ#903411--thinpool
and --discards
options are specified on logical-volume creation. To work around this
problem, manually deactive all thin volumes related to the changed thin
pool prior to running the lvchange
command.
kernel
component
nfs
module can cause the system to terminate unexpectedly if the fsx utility was ran with NFSv4.1 before.
kernel
component
device-mapper-multipath
component
multipathd
service is not
running, failed devices will not be restored. However, the multipath
command gives no indication that multipathd is not running. Users can
unknowingly set up multipath devices without starting the multipathd
service, keeping failed paths from automatically getting restored. Make sure to start multipathing by
~]# mpathconf --enable ~]# service multipathd start
~]# chkconfig multipathd on ~]# service multipathd start
multipathd
will automatically start on boot, and multipath devices will automatically restore failed paths.
lvm2
component, BZ#837603lvmetad
daemon in the lvm.conf
file, but the daemon is still running, the cached metadata are remembered until the daemon is restarted. However, if the use_lvmetad
parameter in lvm.conf
is reset to 1
without an intervening lvmetad
restart, the cached metadata can be incorrect. Consequently, VG
metadata can be overwritten with previous versions. To work around this
problem, stop the lvmedat
daemon manually when disabling use_lvmetad
in lvm.conf
. The daemon can only be restarted after use_lvmetad
has been set to 1. To recover from an out-of-sync lvmetad
cache, execute the pvscan --cache
command or restart lvmetad
. To restore metadata to correct versions, use vgcfrestore with a corresponding file in /etc/lvm/archive
.
lvm2
component, BZ#563927~]$ lvcreate --type raid1 -m 1 -L 1G -n my_mirror my_vg
kernel
component, BZ#606260 lvm2
component pvmove
command cannot currently
be used to move mirror devices. However, it is possible to move mirror
devices by issuing a sequence of two commands. For mirror images, add a
new image on the destination PV and then remove the mirror image on the
source PV:
~]$lvconvert -m +1 <vg/lv> <new PV>
~]$lvconvert -m -1 <vg/lv> <old PV>
~]$lvconvert --mirrorlog core <vg/lv>
~]$lvconvert --mirrorlog disk <vg/lv> <new PV>
~]$lvconvert --mirrorlog mirrored <vg/lv> <new PV>
~]$lvconvert --mirrorlog disk <vg/lv> <old PV>
kernel
component
sysfs vport_delete
interface to
delete that NPIV port. This should be done before the root port is
destroyed. Users are advised to script the NPIV port deletion and
configure the system such that the script is executed before the fcoe
service is stopped, in the shutdown sequence.
kernel
component
bfa
driver to reset all FCoE targets which might lead to data corruption on LUN. To avoid these problems, do not use the bfa
driver with a Linux FCoE target.
NetworkManager
component, BZ#896198 GATEWAY
setting in the /etc/sysconfig/network
file causes NetworkManager
to assign that gateway to all interfaces with static IP addresses, even
if their configuration did not specify a gateway or specified a
different gateway. Interfaces have the incorrect gateway information and
the wrong interface may have the default route. Instead of using GATEWAY
in /etc/sysconfig/network
to specify which interface receives the default route, set DEFROUTE=no
in each ifcfg
file that should not have the default route. Any interface connected using configuration from an ifcfg
file containing DEFROUTE=no
will never receive the default route.
kernel
component
Could not set up I/O space
kernel
component
fcoe-target
service while the Fibre Channel over Ethernet (FCoE) can lead to a
kernel crash. Please minimize FCoE traffic before stopping or restarting
this service.
fcoe-utils
component
ifconfig eth0 down ifconfig eth0 up sleep 5 dcbtool sc eth0 dcb on sleep 5 dcbtool sc eth0 pfc e:1 a:1 w:1 dcbtool sc eth0 app:fcoe e:1 a:1 w:1 service fcoe restart
fcoe-target-utils
component
targetcli
to configure the FCoE Target will fail with the message Could not create RTSRoot in configFS
. To prevent this, ensure that the fcoe-target
service is running by executing service fcoe-target start
.
libibverbs
component
ibv_ud_pingpong
command was used with a packet size of 2048 or greater. UD is limited
to no more than the smallest MTU of any point in the path between point A
and B, which is between 0 and 4096 given that the largest MTU supported
(but not the smallest nor required) is 4096. If the underlying Ethernet
is jumbo frame capable, and with a 4096 IB MTU on an RoCE device, the
max packet size that can be used with UD is 4012 bytes.
bind-dyndb-ldap
component
A/AAAA
records for the name server belonging to the new zone are created after this delay. Sometimes, BIND attempts to load this invalid zone and fails. In such a case, reload BIND by running either rndc reload
or service named restart
.
selinux-policy
component
nmbd
service from writing into the /var/
, which breaks NetBIOS name resolution and leads to SELinux AVC denials.
kernel
component
kernel
component
kernel
component
disable=1
module parameter, all of the IPv6 protocol handlers are disabled. This
includes any offload handlers that support TSO/GSO. The lack of handlers
results in the host dropping any TSO/GSO IPv6 packets it may receive
from the guest. This can cause problems with retransmission on the guest
and throughput. You can completely restore IPv6 network performance by:
disable_ipv6
module to 1
kernel
component
/etc/sysconfig/network-scripts/ifcfg-<interface>
file:
LINKDELAY=10
NetworkManager
component, BZ#758076samba
component
ldapsam_compat
back end. This back end was never designed to run a production LDAP and Samba environment for a long period of time. The ldapsam_compat
back end was created as a tool to ease migration from historical Samba
releases (version 2.2.x) to Samba version 3 and greater using the new ldapsam
back end and the new LDAP schema. The ldapsam_compat
back end lack various important LDAP attributes and object classes in
order to fully provide full user and group management. In particular, it
cannot allocate user and group IDs. In the Red Hat Enterprise Linux Reference Guide, it is pointed out that this back end is likely to be deprecated in future releases. Refer to Samba's documentation for instructions on how to migrate existing setups to the new LDAP schema.
ldapsam_compat
back end with their existing LDAP setup even when all the above restrictions apply.
kernel
component
/usr/share/doc/kernel-doc-<version>
/Documentation/networking/ip-sysctl.txt
and https://access.redhat.com/knowledge/solutions/53031.
selinux-policy
component
lvm2
component, BZ#814779lvmetad
at the moment. If global/use_lvmetad=1 is used together with
global/locking_type=3 configuration setting (clustered locking), the
use_lvmetad setting is automatically overriden to 0
and lvmetad
is not used in this case at all. Also, the following warning message is displayed:
WARNING: configuration setting use_lvmetad overriden to 0 due to locking_type 3. Clustered environment not supported by lvmetad yet.
luci
component, BZ#615898 luci
will not function with Red Hat Enterprise Linux 5 clusters unless each cluster node has ricci
version 0.12.2-14.
ipa
component, BZ#894388ipa
component, BZ#894378Add Automount Keys
permission which cannot be modified.
ipa
component, BZ#817080ipa-server-install --uninstall
command. This will cause a subsequent re-installation to fail with an unexpected error.
sssd
component, BZ#892604sssd
component, BZ#891647enumerate=true
value in the sssd.conf
file to access all users in the system. However, using enumerate=true
is not recommended in large environments as this can lead to high CPU
consumption. As a result, operations like login or logout can be slowed
down.
ipa
component, BZ#888579sssd
component, BZ#785877krb5
component
/dev/random
file and seed its internal random number generator (RNG). Clients which attempt to connect to the kadmin
service can time out and fail with a GSS-API or Kerberos error. After
the service completely finishes initializing itself, it will process
messages received from now-disconnected clients and can log clock-skew
or decrypt-integrity-check-failed errors for those connections. To work
around this problem, use a service such as rngd
to seed the system RNG using hardware sources of entropy.
ipa
component, BZ#887193guest_u:s0
) used when no
custom rule matches is too constraining. An Identity Management user
authenticating to Red Hat Enterprise Linux 6.4 can be assigned the too
constraining SELinux user in which case a login through graphical
session would always fail. To work around this problem, change a too
constraining default SELinux user in the Identity Management server from
guest_u:s0
to a more relaxed value unconfined_u:s0-s0:c0.c1023
:
kinit admin ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
ipa
component, BZ#761574Certificate operation cannot be completed: Unable to communicate with CMS (Unauthorized)
~]# yum downgrade ipa-server libipa_hbac libipa_hbac-python ipa-python ipa-client ipa-admintools ipa-server-selinux
ipa
component, BZ#877324ipa user-mod <user>
--sshpubkey
.
sssd
component, BZ#880150sudoUser
specified as +netgroup
are always matched with the sssd sudoers plugin.
sssd
component
ldap_sasl_authid
is not configured in the sssd.conf
file, SSSD terminates unexpectedly with a segmentation fault. To avoid this problem, ensure that the option is configured.
ipa
component
upgrade.log
file:
/sbin/restorecon: lstat(/var/lib/pki-ca/publish*) failed: No such file or directory
sssd
component
user@DOMAIN
. The UPN can be changed to differ from the UPN in Active Directory, however only the default format, user@DOMAIN
, is supported.
sssd
component, BZ#805921getent group groupname
command. This can be caused by an incorrect ldap_schema
in the [domain/DOMAINNAME]
section of the sssd.conf
file. SSSD supports three LDAP schema types: RFC 2307, RFC 2307bis, and IPA. By default, SSSD
uses the more common RFC 2307 schema. The difference between RFC 2307
and RFC 2307bis is the way which group membership is stored in the LDAP
server. In an RFC 2307 server, group members are stored as the
multi-valued memberuid attribute which contains the name of the users
that are members. In an RFC2307bis server, group members are stored as
the multi-valued attribute member (or sometimes uniqueMember) which
contains the DN of the user or group that is a member of this group.
RFC2307bis allows nested groups to be maintained as well.
ldap_schema = rfc2307bis
in the sssd.conf
file,
/var/lib/sss/db/cache_DOMAINNAME.ldb
file,
ldap_group_member = uniqueMember
in the sssd.conf
file, delete the cache file and restart SSSD.
O=$REALM
, where $REALM
is the realm of the new Identity Management installation) is never
pulled. Consequently, the second stage of the installation process
always fails unless the --subject
option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM"
where $REALM
is the realm of the new Identity Management installation. If a custom
subject was used for the first stage of the installation, use its value
instead. Using this work around, the certificate subject validation
procedure succeeds and the installation continues as expected.
ipa passwd
command. When reset, user's Kerberos credentials in the Directory
Server are properly generated and the user is able to log in using
Kerberos authentication.
ipa-client-install
setup script. To work around this issue, install the policycoreutils package manually:
~]# yum install policycoreutils
ipa-ldap-updater
fails with a traceback error when executed by a non-root user due to
the SASL EXTERNAL bind requiring root privileges. To work around this
issue, run the aforementioned command as the root user.
netgroup-find
option to search for external hosts.
filter
, subtree
,
and other options are used to target those entries which are writable.
Attributes define which part(s) of those entries are writable. As a
result, the list of attributes will be writable to members of the
permission.
sssd
component, BZ#808063ldap_disable_paging
option in the sssd-ldap
man page does not indicate that it accepts the boolean values True or
False, and defaulting to False if it is not explicitly specified.
sudo
commands are
not case sensitive. For example, executing the following commands will
result in the latter one failing due to the case insensitivity:
~]$ipa sudocmd-add /usr/bin/X
⋮ ~]$ipa sudocmd-add /usr/bin/x
ipa: ERROR: sudo command with name "/usr/bin/x" already exists
ipa-server-install
command should add a record to the static hostname lookup table in /etc/hosts
and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts
when an IP address is passed as an CLI option and not interactively.
Consequently, Identity Management installation fails because integrated
services that are being configured expect the Identity Management server
hostname to be resolvable. To work around this issue, complete one of
the following:
ipa-server-install
without the --ip-address
option and pass the IP address interactively.
/etc/hosts
before
the installation is started. The record should contain the Identity
Management server IP address and its full hostname (the hosts(5)
man page specifies the record format).
sssd
component
libldb
. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the \,
character sequence. The most likely example of this is for an invalid memberUID
entry to appear in an LDAP group of the form:
memberUID: user1,user2
memberUID
is a multi-valued attribute and should not have multiple users in the same attribute.
(Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
/var/lib/sss/db/cache_<DOMAIN>.ldb
file and restart SSSD.
Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb
file
/var/lib/sss/db/cache_<DOMAIN>.ldb
file purges the cache of all entries (including cached credentials).
sssd
component, BZ#751314memberUID
values, SSSD fails to sanitize the values properly. The memberUID
value should only contain one username. As a result, SSSD creates incorrect users, using the broken memberUID
values as their usernames. This, for example, causes problems during cache indexing.
6ComputeNode
subscription.
sssd
component, BZ#741264 [domain/DOMAINNAME]
section of the /etc/sssd/sssd.conf
file:
ldap_referrals = false
kernel
component
fcoeadm -d eth0
command. To avoid these problems, do not use the bnx2fc driver with a Linux FCoE target.
kernel
component
kernel
component
kernel
component
sg_scan
command) or similar functionality. Please consult Brocade directly for a Brocade equivalent of this functionality.
kernel
componentbnx2i
and bnx2fc
Broadcom drivers, remain a Technology Preview until further notice.
kexec-tools
component
UUID/LABEL
resolving is not functional. Avoid using the UUID/LABEL
syntax when dumping core to Btrfs file systems.
trace-cmd
component
trace-cmd
service does start on 64-bit PowerPC and IBM System z systems because the sys_enter
and sys_exit
events do not get enabled on the aforementioned systems.
trace-cmd
component
report
, does not work on IBM System z systems. This is due to the fact that the CONFIG_FTRACE_SYSCALLS
parameter is not set on IBM System z systems.
libfprint
component
~]$ lsusb -v -d 147e:2016 | grep bcdDevice
kernel
component
lpfc
)
does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from
version 5.4. Future Red Hat Enterprise Linux 6 releases may include
DH-CHAP authentication.
kernel
component
mpt2sas
driver is "Phase 5 firmware" (that is, with version number in the form 05.xx.xx.xx
).
Note that following this recommendation is especially important on
complex SAS configurations involving multiple SAS expanders.
kernel
component
/sys/device/system/cpu/cpu?/node*
to exist; however, kernel-2.6.32-358
or earlier does not include support for this sysfs node. To work around
this problem, use the irqbalance-0.55-35.el6_3 package or earlier.
kernel
component
?mem_max
are not symmetrical between two machines, the performance can be
negatively affected. To work around this problem, adjust the value of ?mem_max
to be equal across all Red Hat Enterprise Linux systems in the network.
kabi-whitelists
component
radix_tree_gang_lookup_slot
symbol. Consult Symantec should you require a workaround for this issue.
kernel
component
kabi-whitelists
component, BZ#871580vxfs
module did not work on the 6.3 kernel; a newer compiled version of the Red Hat Enterprise Linux 6.3 Veritas vxfs
module had to be used. In Red Hat Enterprise Linux 6.4, the kABI issue
has been fixed, and the Red Hat Enterprise Linux 6.3 Veritas vxfs
module works as expected. Refer to Table 4.1, “Functionality Matrix” for a summary of what versions of Red Hat Enterprise Linux 6 and vxfs
function as expected.
Table 4.1. Functionality Matrix
Red Hat Enterprise Linux Version (Kernel Version) | ||||
---|---|---|---|---|
6.2 GA (2.6.32-220.el6) | 6.3 GA (2.6.32-279.el6) | 6.4 pre-alpha (2.6.32-330.el6) | ||
vxfs Module Version
| 5.1.120.000-SP1PR2 | works | fails | works |
5.1.133.000-SP1RP3 | - | works | fail |
kernel
component
iscsi_firmware
parameter to grub's kernel command line. This will signal to dracut to boot from the iSCSI HBA.
kernel
component
vmalloc=256MB
kernel
component
open(2)
system call), then the device is closed (via the close(2)
system call), and the /dev/disk/by-id
link for the device may be removed. When the problem on the device that caused the error is resolved, the by-id
link is not re-created. To work around this issue, run the following command:
~]# echo 'change' > /sys/class/block/sdX/uevent
kernel
component
mpt2sas
driver is connected to a storage using an SAS switch LSI SAS 6160, the
driver may become unresponsive during Controller Fail Drive Fail (CFDF)
testing. This is due to faulty firmware that is present on the switch.
To fix this issue, use a newer version (14.00.00.00 or later) of
firmware for the LSI SAS 6160 switch.
kernel
component, BZ#745713nohpet
parameter or, alternatively, the clocksource=jiffies
parameter to the kernel command line of the guest. Or, if running under
Red Hat Enterprise Linux 5.7 or newer, locate the guest configuration
file for the guest and add the hpet=0
parameter in it.
kernel
component
WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing <number>MB of RAM
disable_mtrr_trim
kernel command line option.
kernel
component
perf record
command becomes unresponsive when specifying a tracepoint event and a hardware event at the same time.
kernel
component
~]# ./perf record -agT -e sched:sched_switch -F 100 -- sleep 3
kernel
component
select()
call. However, it is safe to increase the default hard limit; that way,
applications requiring a large amount of file descriptors can increase
their soft limit without needing root privileges and without any user
intervention.
kernel
component
bfa xxxx:xx:xx.x: Base port (WWN = xx:xx:xx:xx:xx:xx:xx:xx) lost fabric connectivity
bfa
driver.
kernel
component
scsi
devices. It is
usually triggered when a large amounts of I/O operations are pending on
the controller in the first kernel before performing a kdump.
kernel
component, BZ#679262/proc/kallsyms
and /proc/modules
show all zeros when accessed by a non-root user.
kernel
component
nomce
kernel boot option, which disables machine check error reporting, or the mce=ignore_ce
kernel boot option, which disables correctable machine check error reporting.
kernel
component
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC … kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
pci=bfsort
parameter to the kernel command line, and check again.
kernel
component
netxen_nic
is 4.0.550. This includes the boot firmware which is flashed in option ROM on the adapter itself.
kernel
component
vmcore
. As a result, the second kernel is not loaded, and the system becomes unresponsive.
kernel
component
vmcore
through the network using the Intel 82575EB ethernet device in a 32 bit
environment causes the networking driver to not function properly in
the kdump kernel, and prevent the vmcore
from being captured.
kernel
component #!/bin/sh # Disable hyper-threading processor cores on suspend and hibernate, re-enable # on resume. # This file goes into /etc/pm/sleep.d/ case $1 in hibernate|suspend) echo 0 > /sys/devices/system/cpu/cpu1/online echo 0 > /sys/devices/system/cpu/cpu3/online ;; thaw|resume) echo 1 > /sys/devices/system/cpu/cpu1/online echo 1 > /sys/devices/system/cpu/cpu3/online ;; esac
kernel
component
nmi_watchdog
registers with the perf
subsystem. Consequently, during boot, the perf
subsystem grabs control of the performance counter registers, blocking
OProfile from working. To resolve this, either boot with the nmi_watchdog=0
kernel parameter set, or run the following command to disable it at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
nmi-watchdog
, use the following command
echo 1 > /proc/sys/kernel/nmi_watchdog
kernel
component, BZ#603911 BUG: NMI Watchdog detected LOCKUP
and have either ftrace_modify_code
or ipi_handler
in the backtrace. To work around this issue, disable NMI watchdog by setting the nmi_watchdog=0
kernel parameter, or using the following command at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
kernel
component
vmcore
via NFS. To work around this issue, utilize other kdump facilities, for
example dumping to the local file system, or dumping over SSH.
kernel
component, BZ#587909 kernel
component
nmi_watchdog=2
or nmi_watchdog=lapic
parameters. The parameter nmi_watchdog=1
is not supported.
kernel
component pci=noioapicquirk
,
is required when installing the 32-bit variant of Red Hat Enterprise
Linux 6 on HP xw9300 workstations. Note that the parameter change is not
required when installing the 64-bit variant.
Red_Hat_Enterprise_Linux-Release_Notes-6
componentRELEASE-NOTES-si-LK.html
file (provided by the Red_Hat_Enterprise_Linux-Release_Notes-6-si-LK
package) incorrectly points at the Beta online version of the 6.4
Release Notes. Because the si-LK language is no longer supported, the
link should correctly point to the en-US online 6.4 Release Notes
located at: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.4_Release_Notes/index.html.
libwacom
component
wacomcpl
package, BZ#769466acroread
component
kernel
component, BZ#681257 fprintd
component
evolution
component
anaconda
component
xorg-x11-server
component, BZ#623169 coolkey
component, BZ#906537 libreport
component
Wrong settings detected for Red Hat Customer Support [..]
Login=<rhn-user>
and Password=<rhn-password>
credentials in the /etc/libreport/plugins/rhtsupport.conf
will be used in the same way they are used by report-rhtsupport.
vlock
component
libreoffice
component
gnome-power-manager
component
rsyslog
component
SIGHUP
signal is issued. To reload the configuration, the rsyslog
daemon needs to be restarted:
~]# service rsyslog restart
parted
component
Lightweight Directory Access Protocol
(LDAP) server and command-line utilities for server administration.
Upgrade to an upstream version
Security Fixes
Bug Fixes
cn=config
suffix, when an attribute value was deleted and then added back in the same modify operation, error 53
was returned. Consequently, the configuration could not be reset. This
update allows delete operations to succeed if the attribute is added
back in the same modify operation and reset the configuration file as
expected.
logconv.pl
script used a connection number equal to 0 (conn=0
)
as a restart point, which caused the script to return incorrect restart
statistics. The underlying source code has been modified and 389 Directory Server is now configured to use connection number equal to 1 (conn=1
) as the restart point.
Windows Sync
feature uses the name in a search filter to perform an internal search to find an entry. Parentheses, “(” and “)” are special characters in the LDAP
protocol and therefore must be escaped. However, an attempt to synchronize an entry containing parentheses in the name from an Active Directory (AD) server failed with an error. With this update, 389 Directory Server properly escapes the parentheses and synchronization now proceeds correctly as expected.
Windows Sync
feature, the DS entry was deleted. This update adds the new winSyncMoveAction
DS attribute for the Windows Sync agreement entry, which allows the user to specify the behavior of out-of-scope AD entries. The value could be set to:
none
, which means that an out-of-scope AD entry does nothing to the corresponding DS entry;
delete
, which means that an out-of-scope AD entry deletes the corresponding DS entry;
unsync
, which means that an out-of-scope AD entry is unsynchronized with the corresponding DS entry and changes made to either entry are not synchronized.
none
, which fixes this bug.
disk full
error and shut down unexpectedly. This bug has been fixed by using the
correct error code and a directory server now no longer terminates due
to an invalid chaining of a configuration setting.
ldif
file
from a replica, which had older changes that other servers did not see
yet, could lead to these updates not being replicated to other replicas.
With this update, 389 Directory Server checks the Change Sequence Numbers (CSNs) and allows the older updates to be replicated. As a result, all replicas remain synchronized.
DB_LOCK_DEADLOCK
error messages appeared in the error log:
entryrdn-index - _entryrdn_put_data: Adding the parent link (XXX) failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)These errors are common under these circumstances and there is no need to report them in the error log. With this update,
389 Directory Server
ensures that these errors are handled properly and no longer logs these messages in the error log.
Entry USN
plug-in, the delete operation was not replicated to the other masters. This update modifies the Entry USN
plug-in to prevent it from changing the delete operation into a delete
tombstone operation, and from removing the operation before it logs into
the change log to replay to other servers. As a result, the delete
operation is replicated to all servers as expected.
Managed Entry
plug-in in conjunction with other plug-ins, such as Distributed Numeric Assignment
(DNA), Member of
, and Auto Member
, led to problems with delete operations on entries that managed the Managed Entry
plug-in. The manager
entry was deleted, but the managed
entry was not. The deadlock retry handling has been improved so that
both entries are deleted during the same database operation.
Managed Entry
plug-in or the DNA
plug-in, the valgrind
tool reported memory errors and leaks. With this update, a patch has
been applied to prevent these problems, and memory is now used and
deleted correctly.
to-be-deleted
attribute was
already deleted by another master. Consequently, the conflict terminated
the server. This update improves error checks to prevent replication
conflicts from crashing the server.
LDAP Modify
operations, can cause the 389 Directory Server to modify internal attributes. For example, a BIND
operation can cause updates to password failure counters. In these cases, 389 Directory Server was updating attributes that could only be updated during an explicit LDAP Modify
operation, such as the modifyTimestamp
attribute. This update adds a new internal flag to skip the update of these attributes on other than Modify
operations.
Auto Memmber
plug-in, the directory server became unresponsive under certain
circumstances. With this update, the configuration file is validated,
invalid configurations are not allowed, and the server no longer hangs.
ldap
servers listed in the ldap-agent.conf
file. With this update, the buffer between ldap
servers no longer resets and 389 Directory Server starts up regardless of the number of ldap
servers listed in the configuration file.
dnaNextValue
counter was incremented in the pre-operation stage. Consequently, if the
operation failed, the counter was still incremented. This bug has been
fixed and the dnaNextValue
counter is not incremented if the operation fails.
logconv.pl
script did
not grab the correct search base, and as a consequence, the searching
statistics were invalid. A new hash has been created to store
connections and operation numbers from search operations. As a result, logconv.pl
now grabs the correct search base and no longer produces incorrect statistics.
Referential Integrity
plug-in, renaming a user DN did not rename the user's DN
in the user's groups, unless that case matched exactly. With this
update, case-insensitive comparisons or DN normalizations are performed,
so that the member attributes are updated when the user is renamed.
Attribute Uniqueness
plug-in did comparisons of un-normalized values. Consequently, using this plug-in and performing the LDAP RENAME
operation on an entry containing one of the attributes which were tested for uniqueness by this plug-in caused the LDAP RENAME
operation to fail with the following error:
Constraint Violation - Another entry with the same attribute value already exists.With this update,
Attribute Uniqueness
ensures that comparisons are performed between values which were normalized the same way, and LDAP RENAME
works as expected in this situation.
Referential Integrity
plug-in was used with a delay time greater than 0, and the LDAP RENAME
operation was performed on a user
entry with DN specified by one or more group
entries under the scope of the Referential Integrity
plug-in, the user entry DN in the group
entries did not change. The underlying source code has been modified and LDAP RENAME
operations work as expected in the described scenario.
DNA
plug-in could leak memory in certain cases for certain MODIFY
operations. This update applies a patch to fix this bug and the modifications are freed as expected with no memory leaks.
Memberof
plug-in
code executed redundant DN normalizations and therefore slowed down the
system. The underlying source code has been modified to eliminate
redundant DN normalizations.
nsds5ReplicaStripAttrs
attribute using the ldapmodify
operation. Consequently, the attribute could only be set manually in the dse.ldif
file when the server was shut down. With this update, the user is now able to set the nsds5ReplicaStripAttrs
attribute using the ldapmodify
operation.
nsds5ReplicaEnabled
feature which caused this feature to be disabled. With this update, 389 Directory Server checks if the attribute value for nsds5ReplicaEnabled
is valid and reports an error if it is not.
TLS/SSL
protocol, a server using client certificate-based authentication was
unable to connect and connection errors appeared in the error log. With
this update, the internal TLS/SSL and certificate setup is performed
correctly and communication between servers works as expected.
cleanallruv
task to the Windows WinSync replication agreements, the task became
unresponsive. With this update, the WinSync replication agreements are
ignored and the cleanallruv
task no longer hangs in the described scenario.
dirsrv
init script
always returned 0, even when one or all the defined instances failed to
start. This update applies a patch that improves the underlying source
code and dirsrv
no longer returns 0 if any of the defined instances failed.
Directory server
has several internal schemas which are not stored in the schema
directory. These schemas were lost after the schema reload task was
executed. Consequently, adding a posixAccount
class failed. With this update, the internal schemas are stashed in a
hash table and reloaded with external schemas. As result, adding a posixAccount
is successful.
Directory Manager
.
However, the Directory Manager should never have any limits. With this
update, Anonymous Resource Limits no longer apply to Directory Manager.
Windows Sync
feature prints out what version of Windows or AD it detects. Previously, if the feature detected Windows Server 2003 or later, it printed out the following message:
detected win2k3 peerThis message could be confusing for users who had a later version of Windows, such as Windows Server 2008. This update modifies the message and now the following message is printed out:
detected win2k3 or later peer
Entry USN
feature caused tombstone entry indexes to be processed incorrectly.
Consequently, the server could become unresponsive. This update fixes 389 Directory Server to process tombstone indexes correctly, so that the server no longer hangs in this situation.
DNA
plug-in attempted to dereference a NULL pointer value for the dnaMagicRegen
attribute. Consequently, if DNA
was enabled with no dnamagicregen
value specified in its configuration and an entry with an attribute
that triggered the DNA value generation was added, the server could
terminate unexpectedly. This update improves the 389 Directory Server to check for an empty dnamagicregen
value before it attempts to dereference this value. As a result, 389 Directory Server no longer crashes if no dnamagicregen
attribute is specified.
modrdn
operation to move an entry to a non-existing parent, the server
terminated unexpectedly. This update provides a patch that removes the
operator condition so that the check returns the “No such object” error even if the requester is an ordinary user, and the modrdn
operation performed to the non-existing parent successfully fails for any user.
idl_fetch
attribute and merged it to the ID list using the idl_union()
function. This process is slow, especially when the range search result size is large. With this update, 389 Directory Server switches to ALLID
mode by using the nsslapd-rangelookthroughlimit
switch instead of creating a complete ID list. As a result, the range search takes less time.
nsslapd-plugin-track-binddn
feature filled the value of the internalModifiersname
and internalCreatorsname
attributes with the original bind DN instead of the name of the actual
plug-in that modified or added the entry. This behavior is undesired;
thus the nsslapd-plugin-track-binddn
has been modified to always show the name of the actual plug-in that performed these operations.
DNA
plug-in when the range of values was depleted caused the following error message to be returned:
ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.This message was missing all additional information in recent versions of the 389-ds-base packages. With this update, a patch is applied to provide the returned error message with additional information.
Enhancements
PAM Pass-through
plug-in to pass through the authentication process to different PAM
stacks, based on domain membership or some property of the user entry,
or both. Users now can login to Red Hat Directory Server using the
credentials and account data from the correct AD server.
automember
plug-in to check existing entries and writes out the changes which occur if these entries are added.
modifiersname
or modifystimestamp
attribute to be updated. This behavior led to unnecessary replication traffic. This enhancement introduces the new replication
feature to decrease replication traffic caused by BINDs.
Disk Monitoring
plug-in. When disk partitions fill up, Disk Monitoring
returns a warning.
Cleanallruv
feature.
Paged Results
search was allowed to perform only one request per connection. If the
user used one connection, multiple Paged Results requests were not
supported. This update adds support for multiple Paged Results requests.
CLEANRUV
operation, which removes them on a single supplier or master.
memberOf
plug-in to work across multiple back ends or suffixes.
Directory Server
schema has been updated with the nsTLS1
attribute to make TLS/SSL
configuration easier.
Directory Server
schema has been updated to include the DNA
plug-in attributes.
Access Control
feature to control the Directory Manager account.
modifiersname
attribute.
logconv.pl
script has been enhanced with the getopts()
function.
SO_KEEPALIVE
settings and connections could not be closed properly. This enhancement implements the SO_KEEPALIVE
settings to the DS connections.
passwordTrackUpdateTime
attribute has been added. This attribute records a timestamp when the password was last changed.
nsds5ReplicaEnabled
attribute to the replication agreement. If the replication agreement is
disabled, it appears to be removed, but can be easily re-enabled and
resumed.
Windows Sync
plug-in did not support the RFC 2307 and 2307bis types of POSIX schema which supports Windows Active Directory (AD). Under these circumstances, users had to synchronize data between AD and DS manually which could return errors. This enhancement changes the POSIX attributes to prevent these consequences.
Note
Directory Server
schema to allow setting up an access control for the nsslapd-readonly
attribute.
libreport
libraries provide an API
for reporting different problems in applications to different bug
targets like Bugzilla, ftp, and trac.
Upgrade to an upstream version
Bug Fixes
# abrt-cli rm sdfsdf 'sdfsdf' does not exist Can't connect to '/var/run/abrt/abrt.socket': Connection refused
/bin/sh: line 6: abrt-bodhi: command not found
abrtd: /bin/sh: dbus-send: command not found
'.' is not a problem directory
/bin/sh: line 4: reporter-bugzilla: command not found
Upgrade to an upstream version
Enhancement
Bug Fix
Bug fixes
ks:bd:<bios disk>:/ks.cfg
command-line option. As a consequence, BIOS storage devices could not
be found and the installation could fail. To fix this bug, a delay
algorithm for BIOS devices has been added to the code path used when
booting with ks:bd:<bios disk>:/ks.cfg
. As a result, Anaconda tries to wait for BIOS devices to initialize.
/etc/fstab
file with the new ext3 file system type. Consequently, after the
installation, the file system was mounted as an ext2 file system. With
this update, Anaconda properly sets the migrated file system type in /etc/fstab
. Thus, the file system is mounted as expected after installation.
unsupported_hardware
kickstart command has been added, which skips the interactive dialog
warning when installing a system on unsupported hardware without user
input.
/boot
partition was on a RAID
device, inconsistent messages were returned because it was not
supported to have this partition on such a device. These varied messages
were confusing. To fix this bug, the error messages have been corrected
to make sense and to not duplicate each other.
udev
device manager was not used to resolve kickstart raid --onpart
disk references. As a consequence, the /dev/disk/by-id/
path could not be used properly. With this update, the udev_resolve_devspec()
function is used to resolve the --onpart
command option. As a result, the raid --onpart
command can now use the /dev/disk/by-id/
paths as expected.
udev
device manager to resolve /dev/disk/by-id/
names. This meant the kickstart installation method did not work with /dev/disk/by-id/
names. To fix this bug, Anaconda is now using udev
to resolve /dev/disk/by-id/
names. As a result, kickstart installations using /dev/disk/by-id/
names work as expected.
modprobe
tool without the -b
argument that enabled blacklists. Consequently, modules were not
blacklisted. To fix this bug, the required argument has been added to
modprobe call. As a result, modules are blacklisted as expected.
boot=
parameter on the command line whenever the fips=1
parameter was used. With this update, Anaconda appends the boot=
parameter only when the fips=1
parameter is used and /boot
is on a separate partition.
Automatic neighbor discovery
) has been renamed to Automatic
;
it is the (SLAAC) automatic configuration with the option of using a
DHCPv6 server based on RA server configuration. The second option (Dynamic IP configuration (DHCPv6)
) was renamed to Automatic, DHCP only
,
which describes the actual configuration to be used more accurately.
These descriptions are now the same as those used by Network Manager. As
a result, it is now clearer that the third option (Automatic, DHCP only
) is using the DHCPv6 server exclusively.
fipvlan
command arguments have been fixed to use the new -f
option correctly. As a result, the installer now logs in to a FCoE
remote storage correctly, and can be used for installation purposes.
--hibernation
option was only added to the part
command. Consequently, --hibernation
did not work with the logvol
command. To fix this bug, support for --hibernation
has been added to the logvol
command. As a result, --hibernation
now works with the logvol
command.
linksleep
option used to be applied only for the ksdevice=
boot parameter using the value link. Consequently, when the ksdevice
boot parameter was supplied a value containing a device name or a MAC address, the linksleep
boot parameter did not take effect. Without waiting for the link, as required by the linksleep
boot parameter, the installer could fail. To fix this bug, the linksleep
boot parameter has been added to code paths where the to-be-activated device is specified. As a result, the linksleep
boot parameter is honored also for installation where the ksdevice
boot parameter is supplied a value containing a device name or a MAC address.
Enhancements
vlanid=boot
and --vlanid=kickstart
options can be used to allow users to set a virtual LAN ID (802.1q tag)
for a specified network device. By specifying either one of these
options, installation of the system can be done over a VLAN.
bond boot
, --bondslaves
and --bondopts kickstart
options can now be used to configure bonding as a part of the
installation process. For more information on how to configure bonding,
refer to the following parts of the Red Hat Enterprise Linux 6
Installation Guide: the Kickstart Options section and the Boot Options chapter.
fcoe kickstart
option, users can now specify, which Fibre Channel over Ethernet (FCoE)
devices should be activated automatically in addition to those
discovered by Enhanced Disk Drive (EDD) services. For more information,
refer to the Kickstart Options section in Red Hat Enterprise Linux 6 Installation Guide.
Bug Fixes
Bug Fixes
mount(nfs): no hosts available
Enhancements
Security Fix
Bug Fix
Bug Fixes
Enhancement
Upgrade to an upstream version
Upgrade to an upstream version
Bug Fixes
Enhancements
Bug Fixes
Bug Fixes
Upgrade to an upstream version
Bug Fixes
Enhancements
Upgrade to an upstream version
Security Fix
Bug Fix
Bug Fix
Upgrade to an upstream version
Bug Fixes
Bug Fixes
Enhancements
Bug Fixes
Bug Fixes
/usr/share/cluster/cluster.rng.in.head
RELAX NG schema.
master_wins
implementation of the qdiskd
daemon was not sufficiently fast to hand over the master status during
the ordered shutdown. Consequently, a temporary loss of quorum in the
cluster could have occurred. With this update, master_wins
has been modified to operate more quickly.
master_wins
implementation of the qdiskd
daemon did not check strictly for errors in the /etc/cluster/cluster.conf
file. Consequently, with several incorrect options in cluster.conf
, two quorate partitions could have been created at the same time. With this update, master_wins
has been modified to perform strict error checking to avoid the creation of multiple quorate partitions.
/etc/cluster/cluster.conf
file could cause a buffer overflow when running the fsck.gfs2
utility on a GFS2 file system with a corrupt super block. With this
update, the cluster name is truncated appropriately when the super block
is being rebuilt. Now, the buffer overflow condition no longer occurs
in the described case.
fenced
daemon created the /var/log/cluster/fenced.log
file with world readable permissions. With this update, fenced
has been modified to set more strict security permissions for its log
file. Also, permissions of an existing log file are automatically
corrected if necessary.
/etc/cluster/cluster.conf
configuration file. Consequently, a long entry in the file caused the corosync
utility to terminate unexpectedly with a segmentation fault. With this
update, the length limit has been extended. As a result, the
segmentation fault no longer occurs in this situation.
lock_nolock
option enabled, the cman cluster manager incorrectly checked the currently used resources. Consequently, cman failed to start. This bug has been fixed, and cman now starts successfully in the described case.
fenced
daemon polled an incorrect file descriptor from the cman cluster manager. Consequently, fenced
entered a loop and the cluster became unresponsive. This bug has been fixed, and the aforementioned error no longer occurs.
fenced
daemon is usually started before the messagebus
(D-BUS) service, which has no harmful operational effects. Previously, this behavior was recorded as an error message in the /var/log/cluster/fenced.log
file. To avoid confusion, this error message is now entered into /var/log/cluster/fenced.log
only when the log level is set to debugging.
mkfs.gfs2 -t
command accepted non-standard characters, like slash (/
),
in the lock table name. Consequently, only the first cluster node was
able to mount a GFS2 file system successfully. The next node attempting
to mount a GFS2 file system became unresponsive. With this update, a
more strict validation of lock table names has been introduced. As a
result, cluster nodes no longer hang when special characters are used in
lock table.
cman_stop_notification()
function after cman was already closed, the client terminated with the SIGPIPE
signal. With this update, the underlying source code has been modified to address this issue, and the MSG_NOSIGNAL
message is now displayed to warn the user in the described scenario.
Enhancements
bonding mode
options 0
, 1
, and 2
. Prior to this update, only bonding mode 1
was supported.
/etc/hosts
file are now accepted as cluster node names across cluster applications.
dlm_controld
daemon using the /etc/sysconfig/cman
file.
/etc/sysconfig/cman
file. The following parameters can be set in the /etc/sysconfig/cman
file:
DLM_LKBTBL_SIZE=<size_of_table>
DLM_RSBTBL_SIZE=<size_of_table>
DLM_DIRTBL_SIZE=<size_of_table>
/sys/kernel/config/dlm/cluster/lkbtbl_size /sys/kernel/config/dlm/cluster/rsbtbl_size /sys/kernel/config/dlm/cluster/dirtbl_size
DLM_TCP_PORT
configuration parameter has been added into the /etc/sysconfig/cman
file. As a result, the DLM TCP port can be manually configured.
rgmanager
daemon with the rrp_mode
option enabled.
multi-writer
option. This allows using VMDK-based storage with the multi-writer
option for clustered file systems such as GFS2.
Bug Fix
Bug Fixes
Enhancement
Table 6.2. Upgraded packages
Package name | Upstream version | BZ number |
---|---|---|
libXau | 1.0.6 | 835172 |
libXcomposite | 0.4.3 | 835183 |
libXdmcp | 1.1.1 | 835184 |
libXevie | 1.0.3 | 835186 |
libXinerama | 1.1.2 | 835187 |
libXmu | 1.1.1 | 835188 |
libXpm | 3.5.10 | 835190 |
libXres | 1.0.6 | 835191 |
libXScrnSaver | 1.2.2 | 835192 |
libXv | 1.0.7 | 835193 |
libXvMC | 1.0.7 | 835195 |
libXxf86dga | 1.1.3 | 835196 |
libXxf86misc | 1.0.3 | 835197 |
libXxf86vm | 1.1.2 | 835198 |
libdrm | 2.4.39 | 835202 |
libdmx | 1.1.2 | 835203 |
pixman | 0.26.2 | 835204 |
xorg-x11-proto-devel | 7.6 | 835206 |
xorg-x11-util-macros | 1.17 | 835207 |
xorg-x11-xtrans-devel | 1.2.7 | 835276 |
xkeyboard-config | 2.6 | 835284 |
libpciaccess | 0.13.1 | 843585 |
xcb-proto | 1.7 | 843593 |
libSM | 1.2.1 | 843641 |
Bug Fixes
_X_NONNULL
macro was incompatible with C89 compilers. Consequently, C89 applications could not be built in C89 mode if the X11/Xfuncproto.h
file was included. This update fixes the macro definition to be compatible with C89 mode.
%{dist}
macro in the Version tag. Although the standard Red Hat Enterprise
Linux build environment defines this macro, it does not need to be
defined. If it was not defined, %{dist}
appeared literally in the resulting RPM package's version string when
the package was rebuilt. The spec file has been corrected to use the
conditional %{?dist}
form, which expands to an empty string if %{dist}
is not defined.
Security Fix
Note
Bug Fixes
Enhancements
Bug Fix
Upgrade to an upstream version
Bug Fix
Enhancements
Upgrade to an upstream version
Bug Fix
Enhancements
Upgrade to an upstream version
Bug Fixes
cURL
utility for getting files from HTTP, FTP, FILE, LDAP, LDAPS, DICT,
TELNET, and TFTP servers, using any of the supported protocols. This
utility offers many useful capabilities, such as proxy support, user
authentication, FTP upload, HTTP post, and file transfer resume.
Bug Fixes
libssh2
library did not
sufficiently reflect its ABI extensions in its version, which prevented
the RPM dependency scanner from adding the correct dependency of libcurl
on an updated version of libssh2
. Consequently, if the user updated libcurl
without first updating libssh2
, the update ended with incorrect linkage of libcurl
and the user was then unable to update libssh2
using yum. An explicit dependency of libcurl
on an update version of libssh2
has been added and yum can now be used to update libcurl
.
libcurl
required
certificates loaded from files to have unique file base names due to
limitation of the legacy API of NSS (Network Security Services). Some
packages using libcurl
did not fulfil this requirement and caused nickname collisions within NSS. Now, libcurl
has been modified to use a newer API of NSS, which does not suffer from this limitation, and packages using libcurl
are now allowed to load certificates from files with unrestricted file names.
libcurl
misinterpreted the Content-Length HTTP header when receiving data using the chunked encoding. Consequently, libcurl
failed to read the last chunk of data and the transfer terminated
prematurely. An upstream patch has been applied to fix the handling of
the header and the chunked encoding in libcurl
now works as expected.
libssh2
, which prevented the curl
package from a successful build. An upstream patch has been applied on
cURL source files, which fixes the identifier collisions and the package
now builds as expected.
libcurl
and OpenLDAP on NSS initialization and shutdown. Consequently, applications that were using both libcurl
and OpenLDAP failed to establish SSL connections. This update modifies libcurl
to use the same NSS API as OpenLDAP, which prevents collisions from occurring. Applications using OpenLDAP and libcurl
can now connect to the LDAP server over SSL as expected.
CURLOPT_GSSAPI_DELEGATION
libcurl
option has been introduced in order to enable delegation explicitly
when applications need it. All applications using GSSAPI credential
delegation can now use this new libcurl
option to be able to run properly.
libcurl
if the selected NSS database was broken or invalid. This update modifies the code of libcurl
to initialize NSS without a valid database, which allows applications to establish SSL connections as expected.
libcurl
incorrectly checked return values of the SCP/SFTP write functions provided by libssh2
.
Negative values returned by those functions were treated as negative
download amounts, which caused applications to terminate unexpectedly.
With this update, all negative values are treated as errors and as such
are properly handled on the libcurl
level, thus preventing the crashes.
libcurl
used an obsolete libssh2
API for uploading files over the SCP protocol, which limited the
maximum size of files being transferred on 32-bit architectures.
Consequently, the 32-bit packages of libcurl
were unable to transfer large files over SCP. With this update, a new libssh2
API for SCP uploads is used, which does not suffer from this limitation, thus fixing this bug.
Enhancements
libcurl
provided only
HTTP status codes in error messages when reporting HTTP errors. This
could confuse users not familiar with HTTP. Now, libcurl
has been improved to include the HTTP reason phrase in error messages, thus providing more understandable output.
--delegation
, which enables Kerberos credential delegation in cURL.
Bug Fixes
kpartx
tool tried to delete a loop device that was previously created, and the udev utility had this loop device still open, the delete process would fail with the EBUSY
error and kpartx
did not attempt retry this operation. The kpartx
tool has been modified to wait for one second and then retry deleting up to three times after the EBUSY
error. As a result, loop devices created by kpartx
are now always deleted as expected.
multipathd
daemon only checked SCSI IDs when determining World Wide Identifiers (WWIDs) for devices. However, CCISS devices do not support SCSI IDs and could not be used by Device Mapper Multipath. With this update, multipathd
checks CCISS devices for CCISS IDs properly and the devices are detected as expected.
/usr/share/doc/device-mapper-multipath-0.X.X/multipath.conf.defaults
file were out of date. Consequently, if users copied those configurations into the /etc/multipath.conf
file, their devices would be misconfigured. The multipath.conf.defaults
file has been updated and users can now copy configurations from it
without misconfiguring their devices. Note that copying configurations
from the multipath.conf.defaults
file is not recommended as the configurations in that file are built into dm-multipath by default.
kpartx
device partitions, the multipath -f
option accepted only the device name, not the full pathname.
Consequently, an attempt to delete a mulitpath device by the full
pathname failed if the device had the kpartx
partitions. Device Mapper Mulitpath has been modified to except the full pathname, when removing kpartx
device partitions and deleting process no longer fails in the described scenario.
multipath -c
option
incorrectly listed SCSI devices, which were blacklisted by device type,
as valid mulitpath path devices. As a consequence, Device Mapper Multipath could remove the partitions from SCSI devices that never ended up getting multipathed. With this update, multipath -c
now checks if a SCSI device is blacklisted by device type, and reports it as invalid if it is.
user_friendly_names
parameter or a user-defined alias, Device Mapper Multipath would use its existing name instead of setting the WWID. Consequently, disabling user_friendly_names
did not cause the multipath device names to change back to WWIDs on reload. This bug has been fixed and Device Mapper Mulitpath now sets the device name to its WWID if no user_friendly_names
or user defined aliases are set. As a result, disabling user_friendly_names
now allows device names to switch back to WWIDs on reload.
DID_SOFT_ERROR
error, Device Mapper Multipath did not retry running the RDAC checker. This behavior caused Device Mapper Multipath to fail paths for transient issues that may have been resolved if it retried the checker. Device Mapper Multipath has been modified to retry the RDAC checker if it receives the DID_SOFT_ERROR
error and no longer fails paths due to this error.
multipathd
daemon and the kpartx
tool did not instruct the libdevmapper
utility to skip the device creation process and let udev create it. As a consequence, sometimes libdevmapper
created a block device in the /dev/mapper/
directory, and sometimes udev created a symbolic link in the same directory. With this update, multipathd
and kpartx
prevent libdevmapper
from creating a block device and udev always creates a symbolic link in the /dev/mapper/
directory as expected.
Enhancements
mpathpersist
utility. As a result, when path devices are added, persistent reservations are set up as well.
multipathd init
script to load the dm-multipathd
module, so that users do not have to do this manually in cases when no /etc/multipath.conf
file is present during boot. Note that it is recommended to create the multipath.conf
file by running the mpathconf --enable
command, which also loads the dm-multipath
module.
multipath.conf
file; the retain_attached_hw_hander
option and the detect_prio
option. By default, both of these options are are set to no
in the defaults section of the multipath.conf
file. However, they are set to yes
in the NETAPP/LUN device configuration file. If retain_attach_hw_handler
is set to yes
and the SCSI layer has attached a hardware handler to the device, Device Mapper Multipath sets the hardware as usual. If detect_prio
is set to yes
, Device Mapper Multipath will check if the device supports ALUA. If so, it automatically sets the prioritizer to the alua
value. If the device does not support ALUA, Device Mapper Multipath sets the prioritizer as usual. This behavior allows NETAPP devices to work in ALUA or non-ALUA mode without making users change to built-in config.
retain_attached_hw_handler
to work, the SCSI layer must have already attached the device handler. To do this, the appropriate scsi_dh_XXX
module, for instance scsi_dh_alua
,
must be loaded before the SCSI layer discovers the devices. To
guarantee this, add the following parameter to the kernel command line:
rdloaddriver=scsi_dh_XXX
Security Fix
Bug Fixes
Security Fix
Bug Fix
Enhancements
Bug Fix
Security Fixes
Bug Fix
Bug Fixes
Enhancements
Bug Fixes
Enhancement
Upgrade to an upstream version
Upgrade to an upstream version
Bug Fixes
Upgrade to an upstream version
Bug Fix
Security Fix
Bug Fixes
Bug Fixes
Enhancements
Upgrade to an upstream version
Bug Fix
Enhancement
Bug Fix
Bug Fixes
Enhancements
Bug Fixes
Enhancements
Enhancement
Bug Fixes
Security Fix
Note
Bug Fixes
Bug Fixes
gdm-simple-greeter[PID]: Gtk-WARNING: gtkwidget.c:5460: widget not within a GtkWindow
Enhancements
Bug Fixes
iconv()
function or the "iconv" command did not handle the invalid multibyte character 0xffff
>
when attempting to convert a file or sting that used the IBM-930 code
format to another format, such as UTF-8. As a consequence, a
segmentation fault occurred. This update modifies the conversion code
for the IBM-930 encoding to recognize this invalid character and handles
it now as an error.
fnmatch()
function failed with the return value -1 when the wildcard character "*" was part of the pattern argument and the filename argument
contained an invalid multibyte encoding. This update modifies the fnmatch()
code to recognize this case. Now, the invalid characters are treated as not matching and then the process proceeds.
FILE
offset was set incorrectly in wide character streams. As a consequence, the offset returned by ftell
was incorrect. In some cases, this could result in over-writing data. This update modifies the ftell
code to correctly set the internal FILE
offset field for wide characters. Now, ftell
and fseek
handle the offset as expected.
vfprintf
command returned the wrong error codes when encountering an overflow. As
a consequence, applications which checked return codes from vfprintf
could get unexpected values. This update modifies the error codes for overflow situations.
newlocale
flag relied entirely on failure of an underlying open() call to set the
errno variable for an incorrect locale name. As a consequence, the newlocale()
function did not set the errno
variable to an appropriate value when failing, if it has already been
asked about the same incorrect locale name. This update modifies the
logic in the loadlocale
call so that subsequent attempts to load a non-existent locale more than once always set the errno
variable appropriately.
NFS
file systems. As a consequence, users were confused when non-NFS
file systems triggered this error. This update modifies the error
message to apply the error message to all file systems that can trigger
this error.
/etc/resolv.conf
file contained IPV6
name servers. As a consequence, applications could, depending on the
exact contents of a nearby structure, abort. This update modifies the
underlying code to handle IPV6 name servers listed in /etc/resolv.conf
.
/etc/resolv.conf
into internal structures of glibc,
as well as the sorting and rotation of those structures to implement
the "options rotate" capability. Now, DNS names are resolved correctly
in glibc.
memcpy()
function with overlapping arguments. As a consequence, the applications
invoked undefined behavior and could fail. With this update, users with
32 bit applications which issue the memcpy
function with overlapping arguments can create the /etc/sysconfig/32bit_ssse3_memcpy_via_32bit_ssse3_memmove
. If this file exists, glibc redirects all calls to the SSSE3 memcpy copiers to the SSSE3 memmove copier, which is tolerant of overlapping arguments.
memcpy()
is a clear violation of the ANSI/ISO standards and Red Hat does not
provide binary compatibility for applications which violate these
standards.
strtod()
, strtof()
, and strtold()
functions to convert a string to a numeric representation in glibc
contained multiple integer overflow flaws, This caused stack-based
buffer overflows. As a consequence, these functions could cause an
application to abort or, under certain circumstances, execute arbitrary
code. This update modifies the underlying code to avoid these faults.
setlocale()
function failed to detect memory allocation problems. As a consequence, the setlocale()
function eventually core dumped, due to NULL pointers or uninitialized strings. This update modifies the setlocale
code to insure that memory allocation succeeded. Now, the setlocale()
function no longer core dumps.
expf()
function was considerably slowed down when saving and restoring the FPU
state. This update adds a hand optimized assembler implementation of the
expf()
function for Intel 64 and AMD64 platforms. Now, the expf()
function is considerably faster.
pthread_once
code did not correctly publish changes it made. As a consequence, the
changes were not visible to other threads at the right time. This update
adds release barriers to the appropriate thread code to ensure correct
synchronization of data between multiple threads.
MADV_DONTDUMP
and MADV_DODUMP
macros to the mman.h
file to compile code that uses these macros.
malloc()
function, due to an error in the memory management in glibc. As a consequence, nscd
could terminate unexpectedly, when handling groups with a large number
of members. This update ensures that memory allocated by the pool
allocator is no longer passed to free
. Instead, we allow the pool allocator's garbage collector to reclaim the memory.
IPTOS_CLASS
definition referenced the wrong object. As a consequence, applications that referenced the IPTOS_CLASS
definition from the ip.h
file did not build or failed to operate as expected. This update
modifies the definition to reference the right object and applications
that reference to the IPTOS_CLASS
definition.
Bug Fixes
A transaction that cannot be interrupted is running.
Bug Fixes
Bug Fixes
Enhancements
Bug Fixes
Bug Fixes
Enhancements
Bug Fixes
Bug Fixes
Security Fix
Note
Bug Fixes
Bug Fix
Security Fixes
Bug Fixes
[warn] worker [URL] already used by another workerThe level of this message has been changed from WARNING to INFO as it is not incorrect to proxy more than one URL to the same back-end server.
206
partial HTTP
responses correctly. This resulted in incorrect responses being
returned to clients if a cache was configured. With this update, mod_cache no longer caches 206
responses, thus ensuring correct responses are returned.
LDAP
authentication was used with a Novell eDirectory LDAP server, mod_ldap could return 500 Internal Server Error
response if the LDAP server was temporarily unavailable. This update fixes mod_ldap to retry LDAP requests if the server is unavailable, and the 500
errors will not be returned in this case.
DNS
queries when ProxyRemote
was configured. Consequently, in configurations with ProxyRemote
, mod_proxy_connect could either fail to connect, or be slow to connect to the remote server. This update changes mod_proxy to omit DNS queries if ProxyRemote
is configured. As a result, the proxy no longer fails in such configurations.
SSL
request failed and the -v 2
option was used, the ApacheBench (ab) benchmarking tool tried to free a certificate twice. Consequently, ab terminated unexpectedly due to a double free()
error. The ab tool has been fixed to free certificates only once. As a
result, the ab tool no longer crashes in the scenario described.
SSLProxyMachineCertificateFile
. Consequently, httpd
terminated unexpectedly if the private key had been set before the
certificate in SSLProxyMachineCertificateFile. This update improves mod_ssl to check if the private key is set before the certificate. As a result, mod_ssl no longer crashes in this situation and prints an error message instead.
flush
message from a Java application server if received before the HTTP
response headers had been sent. Consequently, users could receive a
truncated response page without the correct HTTP headers. This update
fixes mod_proxy_ajp to ignore flush
messages before the HTTP response headers have been sent. As a result,
truncated responses are no longer sent in scenario described.
description
string was received from the origin server, for a non-standard status code, such as the 450
status code, a 500 Internal Server Error
would be returned to the client. This bug has been fixed so that the original response line is returned to the client.
${cookie}C
in the LogFormat
directive's definition matched substrings of cookie. Consequently, a
bad cookie could be printed if its name contained a substring of the
name defined in LogFormat
using the ${cookie}C
string. With this update, the code is improved so that cookie names are
now matched exactly. As a result, a proper cookie is returned even when
there are other cookies with its substring in their name.
/etc/pki/tls/private/localhost.key
file was a valid key prior to running the %post
script for the mod_ssl package. Consequently, when /etc/pki/tls/certs/localhost.crt
did not exist and localhost.key
was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The %post
script has been fixed to test for an existing SSL
key. As a result, upgrading httpd with mod_ssl now proceeds as expected.
304 Not Modified
response from the origin server when refreshing a cache entry.
Consequently, in some cases an empty page was returned to a client
requesting an entity which already existed in the cache. This update
fixes handling of 304 Not Modified
responses in mod_cache and as a result no empty pages will be displayed in the scenario described.
304
response, the headers were served incorrectly. Consequently, compressed
data could be returned to the client without the cached headers to
indicate the data was compressed. An upstream patch has been applied to
merge response and cached headers before data from the cache is served
to the client. As a result, cached data is now correctly interpreted by
the client.
Enhancements
rotatelogs
-p
option to execute a custom program after each log rotation.
rotatelogs
-c
option to create log files for each set interval, even if empty.
LDAPReferrals
configuration directive has been added, as an alias for the existing LDAPChaseReferrals
directive.
htcacheclean
daemon has been added.
failonstatus
parameter has been added for balancer configuration in mod_proxy.
LDAP
attributes, but only by LDAP authentication, not by LDAP authorization. Consequently, if the mod_authnz_ldap module was used to enable LDAP for authorization but not authentication, the AUTHORIZE_
environment variables were not populated. This update applies a patch to implement setting of AUTHORIZE_
environment variables using LDAP authorization. As a result, other
methods of authentication can be used while using LDAP authorization for
setting environment variables for all configured LDAP attributes.
/etc/sysconfig/httpd-disable-posttrans
exists, the scriptlet will not restart the daemon.
httpd -S
now includes configured alias names for each virtual host.
-L
option to create a hard link from the current log to a specified path.
_DN_userID
suffix, such as SSL_CLIENT_S_DN_userID
, which uses the commonly used object identifier (OID) definition of userID
, OID 0.9.2342.19200300.100.1.1.
chunk-size
or chunk-extension
value of 32 bytes or more. Consequently, when such a POST request was
made the server did not respond. An upstream patch has been applied and
the problem no longer occurs.
Enhancements
Upgrade to an upstream version
Bug Fix
Bug Fixes
ip link
command was called before the master device was properly set. Consequently, the slaves could be in the unknown
state. This has been fixed by calling ip link
for master after the device is installed properly, and all slaves are
up. As a result, all slaves are in the expected state and connected to
the master device.
ifdown
utility failed to work with descriptively-named interfaces. To fix this bug, the name format check has been removed and ifdown
now works as expected.
/etc/sysconfig/network-scripts/ifup-aliases
file, which caused the duplicate check to fail. The typo has been corrected and the check works again.
BONDING_OPTS
variable was applied by the ifup
utility on a slave interface, even if the master was already on and had
active slaves. This caused an error message to be returned by ifup
. To address this bug, it is now checked whether the master does not have any active slaves before applying BONDING_OPTS
, and no error messages are returned.
arping
utility, which checks for IP address duplicates in the network, failed
when the parent device was not up. Consequently, the failure was handled
the same way as finding of a second IP address in the network. To fix
this bug, ifup-aliases
files have been
set to be checked whether the master device is up before the duplicity
check is run. As a result, no error messages are returned when the
parent device is down in the described scenario.
rename_device.c
file did not
correspond with VLAN interfaces, and thus could lead to improperly named
physical interfaces. A patch has been provided to address this bug and
interfaces are now named predictably and properly.
vgchange -a y
command instead of vgchange -a ay
on the netfs
interface by the rc.sysinit
daemon, all volumes were activated. This update provides a patch to fix
this bug. Now, only the volumes declared to be activated are actually
activated. If the list is not declared, all volumes are activated by
default.
BONDING_OPTS
variables are set before the master interface is brought up, which is the correct order of setting.
/etc/init.d/halt
script tried to kill all processes currently using the file system,
including the script itself. Consequently, the system became
unresponsive during reboot. With this update, shutdown script PIDs are
excluded from the kill command, which enables the system to reboot
normally.
ifup
utility was used to set up a master interface, the BONDING_OPTS
variables were not applied. Consequently, bonding mode configuration done through the ifcfg
utility had no effect. A patch has been provided to fix this bug. BONDING_OPTS
are now applied and bonding mode works in the described scenario.
udev
daemon is an event-driven hot-plug agent. Previously, an udev
event for serial console availability was emitted only on boot. If
runlevels were changed, the process was not restarted, because the event
had already been processed. Consequently, the serial console was not
restarted when entering and then exiting runlevel 1. With this update,
the fedora.serial-console-available
event is emitted on the post-stop of the serial console, and the console is now restarted as expected.
init
utility tried
to add a bond device even if it already existed. Consequently, a warning
message was returned. A patch that checks whether a bond device already
exists has been provided and warning messages are no longer returned.
crypttab(5)
manual page did not describe handling white spaces in passwords. Now,
the manual page has been updated and contains information concerning a
password with white spaces.
crypttab (5)
manual page contained a typografic error (crypptab insted of crypttab), which has now been corrected.
/init/tty.conf
and /init/serial.conf
files and this information was not returned in error messages. With
this update, the information has been added to the aforementioned files
and is now returned via an error message.
/dev/shm
file system was mounted by the dracut
utility without attributes from the /etc/fstab
file. To fix this bug, /dev/shm
is now remounted by the rc.sysinit
script. As a result, /dev/shm
now contains the attributes from /etc/fstab
.
sysconfig.txt
file instructed users to put the VLAN=yes
option in the global configuration file. Consequently, interfaces with
names containing a dot were recognized as VLAN interfaces. The sysconfig.txt
file
has been changed so that the VLAN describing line instructs users to
include the VLAN option in the interface configuration file, and the
aforementioned devices are no longer recognized as VLAN interfaces.
sysconfig.txt
file advised users to use the saslauthd -a
command instead of saslauthd -v
, which caused the command to fail with an error message. In sysconfig.txt
, the error in the command has been corrected and the saslauthd
utility now returns expected results.
ifup
utility initiated VLAN interfaces, the sysctl
values were not used. With this update, ifup
rereads the sysctl
values in the described scenario and VLAN interfaces are configured as expected.
Enhancements
brctl
daemon is used to connect two Ethernet segments in a protocol-independent way, based on an Ethernet address, rather than an IP address. In order to provide a simple and centralized bridge configuration, bridge options can now be used via BRIDGING_OPTS
. As a result, a space-separated list of bridging options for either a bridge device or a port device can be added when the ifup
utility is used.
halt.local
file has been
enhanced with new variables to reflect the character of call. This
change leaves users with better knowledge of how halt.local
was called during a halt sequence.
Upgrade to an upstream version
Security Fix
Bug Fixes
Enhancements
Bug Fix
Enhancement
Upgrade to an upstream version
Bug Fixes
Bug Fixes
Enhancements
Upgrade to an upstream version
Bug Fixes
Upgrade to an upstream version
Bug Fixes
Bug Fix
Enhancement
Enhancements
Bug Fixes
Security Fixes
Bug Fixes
Multicast hash table maximum reached, disabling snooping: vnet1, 512With this update, the hash table value is correctly compared to the hash_max value, and the error message no longer occurs under these circumstances.
Enhancements
Note
procfs
entries, sysfs
default values, boot parameters, kernel configuration options, or any noticeable behavior changes, refer to Chapter 1, Important Changes to External Kernel Parameters.
/sbin/kexec
binary and ancillary utilities that form the user-space component of the kernel's kexec feature.
Bug Fixes
cat: /sys/block/vda/device/model: No such file or directory cat: /sys/block/vda/device/type: No such file or directory
hwclock: can't open '/dev/misc/rtc': No such file or directory
dd: /dev/mem: Operation not permitted
Enhancements
Upgrade to an upstream version
Bug Fixes
Bug Fixes
Enhancement
Upgrade to an upstream version
Bug Fixes
Enhancement
Bug Fix
Bug Fixes
resize2fs -M
command and an error due to lack of free space occurred, the returned
error message was incorrect and could confuse the user. With this
update, a proper error message is returned instead.
virt-ls --checksum
command and the following error message was returned:
libguestfs: error: checksum: path: parameter cannot be NULLThe underlying source code has been modified and
virt-ls --checksum
now works as expected.
guestfs_inspect_get_hostname()
function, the libguestfs
-based commands did not work properly when an empty /etc/HOSTNAME
file was created on a Linux guest. This update applies a patch to fix this bug and the libguestfs
based commands now work in the described scenario.
libguestfs
library did not handle the /dev/disk/by-id/*
paths. Consequently, it was impossible to examine a guest using
commands with such a path and an error message was returned. With this
update, a patch has been applied to fix this bug and the libguestfs
library no longer returns error in this situation.
qcow2
format could cause silent data loss. The underlying source code has
been modified to prevent this behavior and writing to disks in the qcow2
format now works as expected.
guestmount
and the fusermount
tools, unmouting and then immediately using a disk image was not safe
and could cause data loss or memory corruption. This update adds the new
--pid-file
option for guestmount
to avoid the race condition between these tools and attempts to use
disk images immediately after unmounting can no longer cause data loss
or memory corruption.
libguestfs
library
limited the total size of downloaded hive files from a Windows Registry
to 100 MB. Consequently, an attempt to inspect systems with large amount
of hive files caused libguestfs
to return an error message. With this update, the limit was increased to 300 MB and libguestfs
can now inspect a larger Widows Registry properly.
file
utility
to detect the format of a disk image could produce different output for
different versions of this utility. The underlying source code has been
modified and output is now the same for all versions of the file
utility.
virt-inspector
tool failed to work with certain Windows guests. This update applies a patch to fix this bug and virt-inspector
now supports all Windows guests as expected.
libguestfs
library could not be installed with the new version of the iptables
tool. The underlying source code has been modified to fix this bug and the installation of libguestfs
works as expected.
libguestfs
library detected the Red Hat Enterprise Linux 5.1 guests as NetBSD guests. This update applies a patch to fix this bug and libguestfs
now detects Red Hat Enterprise Linux 5.1 guest correctly.
virt-df
command with -a
or -d
arguments works correctly only with a single guest. An attempt to use this command with multiple arguments, such as virt-df -a RHEL-Server-5.9-32-pv.raw -a opensuse.img
, caused the disk image names to be displayed incorrectly. With this update, the plus sign (“+”) is displayed for each additional disk, so that the user can easily recognize them. In addition, the correct usage of the virt-df
command has been described in the virt-df(1)
man page.
Enhancements
Enhancement
Upgrade to an upstream version
Bug Fix
Enhancement
Upgrade to an upstream version
Bug Fix
Upgrade to an upstream version
Bug Fix
Bug Fixes
Bug Fixes
Upgrade to an upstream version
Bug Fixes
Upgrade to an upstream version
Upgrade to an upstream version
Upgrade to an upstream version
Bug Fixes
Bug Fixes
Upgrade to an upstream version
Bug Fix
libvirt
library which is a C API for managing and interacting with the
virtualization capabilities of Linux and other operating systems. In
addition, libvirt
provides tools for remote management of virtualized systems.
Upgrade to an upstream version
Open vSwitch
, a new API for detailed CPU statistics, improved support of LXC method including the sVirt
technology, improvements of the virsh edit
command, improved APIs for listing various objects and support for pinning and tuning emulator threads. (BZ#836934)
Security Fixes
Bug Fixes
libvirt
library was issuing the PAUSED
event before the QEMU processor emulator really paused. Consequently, a
domain could be reported as paused before it was actually paused, which
could confuse a management application using the libvirt
library. With this update, the PAUSED
event is started after QEMU is stopped on a monitor and the management application is no longer confused by libvirt
.
libvirtd
daemon and a client, such as the virsh
utility, was 65536 bytes. However, this limit was not always sufficient
and messages that were longer than that could be dropped, leaving a
client unable to fetch important data. With this update, the buffer for
incoming messages has been made dynamic and both sides, a client and libvirtd
, now allocate as much memory as is needed for a given message, thus allowing to send much bigger messages.
libvirtd
daemon to lock up unexpectedly. The bug in the code for locking remote
drivers has been fixed and repeated tunnelled migrations of domains now
work as expected.
libvirt
API calls were needed to determine the full list of guests on a host controlled by the libvirt
library. Consequently, a race condition could occur when a guest
changed its state between two calls that were needed to enumerate
started and stopped guests. This behavior caused the guest to disappear
from both of the lists, because the time of enumeration was not
considered to be a part of the lists. This update adds a new API
function allowing to gather the guest list in one call while the driver
is locked. This guarantees that no guest changes its state before the
list is gathered so that guests no longer disappear in the described
scenario.
libvirt
did not report
many useful error messages that were returned by external programs such
as QEMU and only reported a command failure. Consequently, certain
problems, whose cause or resolution could be trivial to discover by
looking at the error output, were difficult to diagnose. With this
update, if any external command run by libvirt
exits with a failure, its standard error output is added to the system log as a libvirt
error. As a result, problems are now easier to diagnose, because better information is available.
libvirt
used an unsuitable detection procedure to detect NUMA
and processor topology of a system. Consequently, topology of some
advanced multi-processor systems was detected incorrectly and management
applications could not utilize the full potential of the system. Now,
the detection has been improved and the topology is properly recognized
even on modern systems.
libvirt
library had
hooks for calling a user-written script when a guest was started or
stopped, but had no hook to call a script for each guest when the libvirtd
daemon itself was restarted. Consequently, certain custom setups that required extra operations not directly provided by libvirt
could fail when libvirtd
was restarted. For example, packet forwarding rules installed to
redirect incoming connections to a particular guest could be overridden
by libvirt
's “refresh” of its own iptables packet forwarding rules, breaking the connection forwarding that had been set up. This update improves libvirt
with a new “reconnect” hook; the QEMU hook script is called with a type of “reconnect” for every active guest each time libvirtd
is restarted. Users can now write scripts to recognize the “reconnect”
event, and for example reload the user-supplied iptables forwarding
rules when this event occurs. As a result, incoming connections continue
to be forwarded correctly, even when libvirtd
is restarted.
libvirt
failed to process and expose the NUMA topology, sometimes leading to performance degradation. With this update, libvirt
can parse and expose the NUMA topology on such machines and makes the
correct CPU placement, thus avoiding performance degradation.
virsh undefine
command supports
deleting volumes associated with a domain. When using this command, the
volumes are passed as additional arguments and if the user adds any
trailing string after the basic command, the string is interpreted as a
volume to be deleted. Previously, the volumes were checked after the
guest was deleted, which could lead to user's errors. With this update,
the check of the volume arguments is performed before the deleting
process so that errors can be reported sensibly. As a result, the
command with an incorrect argument fails before it attempts to delete a
guest and the host system stays in a sane state.
SPICE
server needs certain time
at the end of the migration process to transfer an internal state to a
destination guest. Previously, the libvirt
library could kill the source QEMU and the SPICE
server before the internal state was transmitted. This behavior caused
the destination client to be unresponsive. With this update, libvirt
waits until the end of SPICE
migration. As a result, the SPICE
server no longer becomes unresponsive in this situation.
sanlock
daemon for
locking resources used by a domain, if such a resource was read-only,
the locking attempt failed. Consequently, it was impossible to start a
domain with a CD-ROM drive. This bug has been fixed and sanlock
can now be properly used with read-only devices.
libvirt
library did
not support the S4 (Suspend-to-Disk) event on QEMU domains.
Consequently, management applications could not register whether a guest
was suspended to disk or powered off. With this update, support for S4
event has been added and management applications can now request
receiving S4 events.
vdsm
daemon, the libvirt
library was reconfigured and under certain conditions, libvirt
was searching for a non-existing option when used outside of vdsm
. Consequently, using the virsh
utility on such a machine caused the system to terminate with a
segmentation fault. The underlying source code has been modified to fix
this bug and users can now use virsh
on machines configured by vdsm
as expected.
virsh
utility reported that this check failed even if it was successful and
vice versa. This update applies a patch to fix this bug and success and
failure of this check are reported correctly now.
qemuMonitorAddDrive()
call is followed by the qemuMonitorAddDevice()
call. When the first part succeeded but the second one failed, libvirt
failed to roll back the first part and the device remained in use even
though the disk hot plug failed. With this update, the rollback for the
drive addition is properly performed in the described scenario and disk
hot plug now works as expected.
SIGINT
signal was not blocked when the virDomainGetBlockJobInfo()
function was performed. Consequently, an attempt to abort a process initialized by a command with the --wait
option specified using the CTRL+C shortcut did not work properly. This update applies a patch to block SIGINT
during virDomainGetBlockJobInfo()
and aborting processes using the CTRL+C shortcut now works as expected.
VIR_ERR_AGENT_UNRESPONSIVE
error code and fixes the error message. As a result, management applications now can recognize why the guest agent hangs.
libvirt
code,
two mutually exclusive cases could occur. In the first case, a guest
operating system could fail do detect that it was being suspended
because the suspend routine is handled by hypervisor. In the second
case, the cooperation of the guest operating system was required, for
example during synchronization of the time after the resume routine.
Consequently, it was possible to successfully call the suspend routine
on a domain with the pmsuspended
status and libvirt
returned success on operation, which in fact failed. This update adds an additional check to prevent libvirt
from suspending a domain with the pmsuspended
status.
macvtap
driver in passthrough mode, and from there is connected to an 802.1Qbh
-capable switch. Previously, when shutting down the guest, libvirt
erroneously set SR-IOV device's physical function (PF) instead of VF and the PF offline rather than setting the VF offline. Here is an example of the type of an interface that could be affected:
<interface type='direct'> <source dev='eth7' mode='passthrough'/> <virtualport type='802.1Qbh'> <parameters profileid='test'/> </virtualport> </interface>Consequently, if PF was being used by the host for its own network connectivity, the host networking would be adversely affected, possibly completely disabled, whenever the guest was shut down, or when the guest's network device was detached. The underlying source code has been modified to fix this bug and the PF associated with the VF used by the
macvtap
driver now continues to work in the described scenario.
block copy
feature before the upstream version of QEMU. Since then, several
improvements were made to the upstream version of this feature.
Consequently, previous versions of the libvirt
library were unable to fully manage the block copy
feature in current release of QEMU. With this update, the block copy
feature has been updated to upstream versions of QEMU and libvirt
. As a result, libvirt
is able to manage all versions of the block copy
feature.
libvirt
put the default
USB controller into the XML configuration file during the live
migration to Red Hat Enterprise Linux 6.1 hosts. These hosts did not
support USB controllers in the XML file. Consequently, live migration to
these hosts failed. This update prevents libvirt
from including the default USB controller in the XML configuration file
during live migration and live migration works properly in the
described scenario.
libvirt
,
a clean-up operation frees some internal structures and locks. However,
since users can destroy QEMU processes at the same time, libvirt
holds the QEMU driver mutex to protect the list of domains and their
states, among other things. Previously, a function tried to lock up the
QEMU driver mutex when it was already locked, creating a deadlock. The
code has been modified to always check if the mutex is free before
attempting to lock it up, thus fixing this bug.
host_uuid
option was present in the libvirtd.conf
file, the augeas libvirt
lens was unable to parse the file. This bug has been fixed and the augeas libvirt
lens now parses libvirtd.conf
as expected in the described scenario.
libvirt
has been modified to allow duplicate MAC addresses in all cases and to
check a unique PCI address in order to distinguish between multiple
devices with the same MAC address.
libvirt
called the qemu-kvm -help
command every time it started a guest to learn what features were
available for use in QEMU. On a machine with a number of guests, this
behavior caused noticeable delays in starting all of the guests. This
update modifies libvirt
to store information cache about QEMU until the QEMU time stamp is changed. As a result, libvirt
is faster when starting a machine with various guests.
ESX 5.1
server was not fully tested. Consequently, connecting to ESX 5.1
caused a warning to be returned. The ESX 5.1
server has been properly tested and connecting to this server now works as expected.
iohelper
process failed to write data to disk while saving a domain and kernel did not report an out-of-space error (ENOSPC
). With this update, libvirt
calls the fdatasync()
function in the described scenario to force the data to be written to
disk or catch a write error. As a result, if a write error occurs, it is
now properly caught and reported.
libvirt
can
be done only when a domain is paused to prevent data corruption.
However, if a resuming operation failed, the management application was
not notified since no event was sent. This update introduces the VIR_DOMAIN_EVENT_SUSPENDED_API_ERROR
event and management applications can now keep closer track of domain states and act accordingly.
libvirt
could not find a
suitable CPU model for a host CPU, it failed to provide the CPU topology
in host capabilities even though the topology was detected correctly.
Consequently, applications that work with the host CPU topology but not
with the CPU model could not see the topology in host capabilities. With
this update, the host capabilities XML description contains the host
CPU topology even if the host CPU model is unknown.
libvirt
supported the emulatorpin
option to set the CPU affinity for a QEMU domain process. However, this behavior overrode the CPU affinity set by the vcpu placement="auto"
setting when creating a cgroup hierarchy for the domain process. This CPU affinity is set with the advisory nodeset from the numad
daemon. With this update, libvirt
does not allow emulatorpin
option to change the CPU affinity of a domain process if the vcpu placement
setting is set to auto
. As a result, the numad
daemon is supported as expected.
libvirt
library allows users to
cancel an ongoing migration. Previously, if an attempt to cancel the
migration was made in the migration preparation phase, QEMU missed the
request and the migration was not canceled. With this update, the virDomainAbortJob()
function sets a flag when a cancel request is made and this flag is
checked before the main phase of the migration starts. As a result, a
migration can now be properly canceled even in the preparation phase.
libvirt
processor topology detection code was not able to detect these modules. Consequently, libvirt
reported the actual number of processors twice. This bug has been fixed
by reporting a topology that adds up to the total number of processors
reported in the system. However, the actual topology has to be checked
in the output of the virCapabilities()
function. Additionally, documentation for the fallback output has been provided.
Note
virStorageBackendLogicalCreateVol()
function, the setting of the volume type was removed. Consequently,
logical volumes were treated as files without any format and libvirt
was unable to clone them. This update provides a patch to set the volume type and libvirt
clones logical volumes as expected.
virFileWrapperFdCatchError()
function was called with a NULL
argument. Consequently, the libvirtd
daemon terminated unexpectedly due to a NULL pointer dereference. With this update, the virFileWrapperFdCatchError()
function is called only when the file is open and instead of crashing, the daemon now reports an error.
virDomainGetXMLDesc()
function was executed on an unresponsive domain, the call also became unresponsive. With this update, QEMU sends the BALLOON_CHANGE
event when memory usage on a domain changes so that virDomainGetXMLDesc()
no longer has to query an unresponsive domain. As a result, virDomainGetXMLDesc()
calls no longer hang in the described scenario.
Enhancements
libvirt
could apply
packet filters, among others the anti-spoofing filter, to guest network
connections using the nwfilter subsystem. However, these filter rules
required manually entering the IP address of a guest into the guest
configuration. This process was not effective when guests were acquired
their IP addresses via the DHCP
protocol; the network needed a manually added static host
entry for each guest and the guest's network interface definition
needed that same IP address to be added to its filters. This enhancement
improves libvirt
to automatically learn IP and MAC addresses used by a guest network connection by monitoring the connection's DHCP
and ARP
traffic in order to setup host-based guest-specific packet filtering
rules that block traffic with incorrect IP or MAC addresses from the
guests. With this new feature, nwfilter packet filters can be written to
use automatically detected IP and MAC addresses, which simplifies the
process of provisioning a guest.
libvirt
library
could create block snapshots, but could not clean them up. For a
long-running guest, creating a large number of snapshots led to
performance issues as the QEMU process emulator had to traverse longer
chains of backing images. This enhancement improves the libvirt
library to control the feature of the QEMU process emulator which is
responsible for committing the changes in a snapshot image back into the
backing file and the backing chain is now kept at a more manageable
length.
SPICE
and VNC
protocols started on the port number 5900. With this update, the starting port for SPICE
and VNC
is configurable by users.
libvirt
API. This enhancement improves the libvirt
library to support three new events of the QEMU Monitor Protocol
(QMP): the SUSPEND
, WAKEUP
, and DEVICE_TRAY_MOVED
event. These events let a management application know that the guest status or the tray status has been changed:
SUSPEND
event is emitted, the domain status is changed to pmsuspended
;
WAKEUP
event is emitted, the domain status is changed to running
;
DEVICE_TRAY_MOVED
event is emitted for a disk device, the current tray status for the disk is reflected to the libvirt
XML file, so that management applications do not start the guest with
the medium inserted while the medium has been previously ejected inside
the guest.
TSC-Deadline timer
mode for guests that are running on the Intel 64 architecture. This enhancement improves the libvirt
library with this feature's flag to stay synchronized with QEMU.
DHCP
lease.
libvirt
library, certain form of authentication could be required and if so,
interactive prompts were presented to the user. However, in certain
cases, the interactive prompts cannot be used, for example when
automating background processes. This enhancement improves libvirt
to use the auth.conf
file located in the $HOME/.libvirt/
directory to supply authentication credentials for connections. As a
result, these credentials are pre-populated, thus avoiding the
interactive prompts.
libvirt
to support connection of virtual guest network devices to Open vSwitch
bridges, which provides a more fully-featured replacement for the
standard Linux Host Bridge. Among other features, Open vSwitch bridges
allow setting more connections to a single bridge, transparent VLAN tagging, and better management using the Open Flow standard. As a result, libvirt
is now able to use an already existing Open vSwitch bridge, either
directly in the interface definition of a guest, or as a bridge in a libvirt
network. Management of the bridge must be handled outside the scope of libvirt
, but guest network devices can be attached and detached, and VLAN tags and interface IDs can be assigned on a per-port basis.
virsh dump
command is now supported for domains with passthrough devices. As a result, these domains can be dumped with an additional --memory-only
option.
libvirt
library has already supported pinning and limiting QEMU threads associated with virtual CPUs, but other threads, such as the I/O thread, could not be pinned and limited separately. This enhancement improves libvirt
to support pinning and limiting of both CPU threads and other emulator threads separately.
libvirt
library to be able to configure Discretionary Access Control (DAC) for each domain, so that certain domains can access different resources.
libvirtd
daemon, that is the one that is running as the root user, could set up a
guest network connection using a tap device and host bridge. A “session instance”, that is the one that is running as a non-root user, was only able to use QEMU's limited “user mode”
networking. User mode network connection have several limitations; for
example, they do not allow incoming connections, or ping in either
direction, and are slower than a tap-device based network connection.
With this enhancement, libvirt
has been updated to support QEMU's new SUID “network helper”, so that non-privileged libvirt
users are able to create guest network connections using tap devices
and host bridges. Users who require this behavior need to set the
interface type to bridge
in the virtual machine's configuration, libvirtd
then automatically notices that it is running as a non-privileged user,
and notifies QEMU to set up the network connection using its “network helper”.
Note
bridge
, and does not work with the network
interface type even if the specified network uses a bridge device.
dumpCore
option has been added to control whether guest's memory should be included in a core dump. When this option is set to off
, core dumps are reduced by the size of the guest's memory.
libvirt
library to set the World Wide Name (WWN), which provides stable device paths, for IDE and SCSI disks.
libvirt
library. This change allows the user to utilize the full potential of new features, such as 16c
, fma
, and tbm
.
libvirt
library. The next generation supports the following features: fma
, pcid
, movbe
, fsgsbase
, bmi1
, hle
, avx2
, smep
, bmi2
, erms
, invpcid
, and rtm
, compared to the previous Intel Xeon Processor E5-XXXX and Intel Xeon Processor E5-XXXX V2 family of processors.
libvirt
virtual network, it was necessary to restart the network for these changes to take effect. This enhancement adds a new virsh net-update
command that allows certain parts of a network configuration to be
modified, and the changes to be applied immediately without requiring a
restart of the network and disconnecting of guests. As a result, it is
now possible to add static host entries to and remove them from a
network's dhcp section; change the range of IP addresses dynamically
assigned by the DHCP server; modify, add, and remove portgroup elements;
and add and remove interfaces from a forward element's pool of
interfaces, all without restarting the network. Refer to the virsh(1)
man page for more details about the virsh net-update
command.
--help
option for all its commands and displays appropriate documentation.
libvirt
library can now control the hv_relaxed
feature. This feature makes a Windows guest more tolerant to long periods of inactivity.
libvirt
library added several capabilities related to snapshots. Among these was
the ability to create an external snapshot, whether the domain was
running or was offline. Consequently, it was also necessary to improve
the user interface to support those features in the virsh program. With this update, these snapshot-related improvements were added to virsh to provide full support of these features.
libvirt
to support a new sgio
attribute. Setting this attribute to unfiltered
allows trusted guests to invoke all supported SCSI commands.
libvirtd
daemon must be restarted using the service libvirtd restart
command for this update to take effect.
Enhancement
Upgrade to an upstream version
Bug Fixes
Enhancement
Bug Fixes
/etc/cluster/cluster.conf
configuration file that contained non-standard characters, like hash (#
), question mark (?
), or slash (/
), were not properly handled by the luci application. Consequently, when processing such configuration file, luci failed with the following message:
Error 500 We're sorry but we weren't able to process this request.
fence
instance was configured with the delay
attribute in the /etc/cluster/cluster.conf
file, the luci application ignored the subsequently enabled unfence
instance that was configured without the delay
attribute. The unfence status was incorrectly displayed as disabled in the luci
interface, but unfencing was performed without complications. With this
update, the underlying source code has been modified to address this
issue. As a result, unfence is now properly reported in luci
.
/etc/cluster/cluster.conf
file did not pass the schema validation check. The bug has been fixed,
and a warning message is now displayed to prevent users from setting
invalid device names in the /etc/cluster/cluster.conf
file.
ricci
applications could have been dropped without notification to the user. Also, the following message could occur in the /var/log/luci/luci.log
file:
No object (name: translator) has been registered for this thread
A resource named "<name>" already exists
max_restarts
, __max_restarts
, and __max_failures
variables to be set without setting their corresponding timeout variables (restart_expire_time
, __restart_expire_time
, __failure_expire_time
),
and in the opposite way. This behavior has been changed, and an error
is now issued in case the corresponding variables are not set.
luci
interface, the corresponding entry in the /etc/cluster/cluster.conf
file was written incorrectly. A value was assigned in the form of self_fence="on"
instead of self_fence="1"
or self_fence="yes"
. Consequently, fencing actions failed. The bug has been fixed, and self_fence is now assigned with the correct value. As a result, fencing now works properly when enabled with luci.
1
or 0
, on
or off
, yes
or no
, true
or false
. With this update, only the values 1
or 0
are accepted in attributes that use boolean input.
unfence
option, this unfence
instance was not updated with the new name and referred to a non-existent device. This bug has been fixed, and an unfence
reference is now correctly updated when a fencing device was renamed.
oracletype
attribute instead of type
when processing the /etc/cluster/cluster.conf
file. Consequently, the oracledb attribute was always displayed as Default
in the luci interface, regardless of its actual assigned value. This bug has been fixed, and oracletype
type is now correctly displayed by luci.
Enhancements
privlvl
(privilege level) attribute used by the fence_ipmilan fencing agent has been added to the luci application. As a result, privlvl
can now be successfully configured by luci.
nfsrestart
option for the file system and cluster file system resource agents has been added to the luci application. This option provides a way to forcefully restart NFS servers and allow a clean unmount of an exported file system.
Bug fixes
--regionsize(-R)
option (used with the lvcreate
command) was not specified, LVs larger than 2 TB could not be created
or extended. Consequently, creating or extending such volumes caused
errors. With this update, the region size is automatically adjusted upon
creation or extension and large LVs can now be created.
issue_discards=1
configuration option was used or configured in the /etc/lvm/lvm.conf
file, moving Physical Volumes via the pvmove
command resulted in data loss. The problem has been fixed with this update.
blkdeactivate
script along with blk-availability
shutdown script have been provided. These scripts unmount and
deactivate any existing device-mapper devices before deactivating and
detaching the underlying devices on shutdown or reboot. As a result,
there are no I/O errors or hangs if using attached storage that detaches
itself during the shutdown or reboot procedure.
noflush
flag. This flag allows the kernel to re-queue I/O requests that need to
be retried. Because the kernel was not allowed to re-queue the
requests, it had no choice but to return the I/O as errored. This bug
has been corrected by allowing the log to be repaired first, thus, the
top-level mirror's log can be completed successfully. As a result, the
mirror is now properly suspended with the noflush
flag.
lvmetad
daemon (global/use_lvmetad=1
LVM2 configuration option) while processing LVM2 commands in a cluster environment (global/locking_type=3
),
the LVM2 commands did not work correctly and issued various error
messages. With this update, if clustered locking is set, the lvmetad
daemon is disabled automatically as this configuration is not yet
supported with LVM2. As a result, there is now a fallback to non-lvmetad
operation in LVM2, if clustered locking is used and a warning message
is issued:
WARNING: configuration setting theuse_lvmetad
parameter overriden to 0 due to thelocking_type 3
parameter. Clustered environment is not supported by thelvmetad
daemon yet.
lvconvert -repair
command) must know the sync status of the array and can only get that when the array is active.
lvmetad
daemon occasionally caused LVM commands to fail intermittently, failing
to find a VG that was being updated at the same time by another command.
With this update, the race condition does no longer occur.
issue_discards
option was enabled in the configuration file and the lvremove
command ran against a partial Logical Volume where Physical Volumes were missing, the lvremove
command terminated unexpectedly. This bug has been fixed. Also, the new p
attribute in the LVS command output is set when the Logical Volume is partial.
vgcfgrestore
command failed with a "Floating point exception"
error, because the command attempted to divide by zero. A proper check
for this condition has been added to prevent the error and now, after
using the vgcfgrestore
command, VG metadata is successfully written.
"lvrename Cannot rename <volume_name>: name format not recognized for internal LV <pool_name>"This bug is now fixed and the user can successfully rename thin Logical Volumes.
lvconvert --repair <vg>/<LV>
command.
volume_list
parameter in the configuration file (lvm.conf
),
the LV could not be activated. This affected High Availability LVM
(HA-LVM) and without the ability to add or remove tags while a device
was missing, RAID LVs in HA-LVM configuration could not be used. This update allows vgchange
and lvchange
to alter the LVM metadata for a limited set of options while PVs are
missing. The "- --[add|del]" tag is included and the set of allowable
options do not cause changes to the device-mapper kernel target and do
not alter the structure of the LV.
lvmetad
daemon, the command could cause the system to terminate unexpectedly
with a segmentation fault. Currently, LVM commands work properly with lvmetad
and crashes no longer occur even if there is a malformed response from lvmetad
.
lvmetad
daemon and non-lvmetad modes of operation and this caused the LVM
process to terminate unexpectedly with a segmentation fault when polling
for the result of running lvconvert
operation. With this update, the segmentation fault no longer occurs.
clvmd
daemon consumed a lot of
memory resource to process every request. Each request invoked a
thread, and by default each thread allocated approximately 9 MB of RAM
for stack. To fix this bug, the default thread's stack size has been
reduced to 128 KB which is enough for the current version of LVM to
handle all tasks. This leads to massive reduction of memory used during
runtime by the clvmd
daemon.
udev
synchronisation caused udev
verification to be constantly enabled, ignoring the actual user-defined setting. Consequently, libdevmapper
/LVM2 incorrectly bypassed udev
when processing relevant nodes. The libdevmapper
library has been fixed to honor the actual user's settings for udev
verification. As a result, udev
works correctly even in case the udev
verification and udev
synchronization are disabled at the same time.
lvmetad
daemon, passing the --test
argument to commands occasionally caused inconsistencies in the lvmetad
cache that lvmetad
maintains. Consequently, disk corruption occurred when shared disks
were involved. An upstream patch has been applied to fix this bug.
dmeventd
daemon is enabled to watch for pool overfill.
lvremove
command exited successfully even though it had failed to operate the LV. With this update, lvremove
returns the right exit code in the described scenario.
pvs
,
could incorrectly display the PV as being an orphan due to the order of
processing individual PV in the VG. With this update, the processing of
PVs in a VG has been fixed to properly account for PVs with ignored
metadata areas so that the order of processing is no longer important,
and LVM commands now always give the same correct result, regardless of
PVs with ignored metadata areas.
vgscan --cache
command (to refresh the lvmetad
daemon) did not remove data about Physical Volumes or Volume Groups
that no longer existed — it only updated metadata of existing entities.
With this update, the vgscan --cache
command removes all metadata that are no longer relevant.
lvmetad
daemon could deadlock and cause other LVM commands to stop responding. This behavior was caused by a race condition in lvmetad's
multi-threaded code. The code has been improved and now the parallel commands succeed and no deadlocks occur.
S
when an invalid snapshot occurred, whereas this value in the first
position is supposed to indicate a merging snapshot. Invalid snapshot is
normally indicated by capitalizing the fifth Logical Volume attribute
character. This bug has been fixed and the lvs
utility no longer capitalizes the first LV attribute character for invalid snapshots but the fifth, as required.
pvmove
utility was inconsistent and returned a misleading message for RAID. To fix this bug, pvmove
has been disallowed from operating on RAID LVs. Now, if it is necessary to move a RAID LV's components from one device to another, the lvconvert --replace <old_pv> <vg>/<lv> <new_pv>
command is used.
lvm
utility attempts to perform it has been added. Now, the error message
returns an explicit error message stating that the feature is not
supported.
cling
allocation policy was applied and an LV could be successfully created
or extended even though there was not enough space on a single Physical
Volume and no additional PV was defined in the lvm.conf
file. This update corrects the behavior of the cling
allocation policy and any attempts to create or extend an LV under these circumstances now fail as expected.
lvmetad
could have lead to unexpected and undesirable results. Also, updates to the "filter" settings while the lvmetad
daemon was running did not force lvmetad
to forget the devices forbidden by the filter. Since the normal "filter" setting in the lvm.conf
file is often used on the command line, a new option has been added to lvm.conf
(global_filter) which also applies to lvmetad
. The traditional "filter" settings only applies at the command level and does not affect device visibility to lvmetad
. The options are documented in more detail in the example configuration file.
lvrename
utility did not work with thin provisioning (pool, metadata, or
snapshots) correctly. This bug has been fixed by implementing full
support for stacked devices. Now, lvrename
handles all types of thin Logical Volumes as expected.
lvcreate
command with the --thinpool
and --mirror
options, the thinpool
flag was ignored and a regular Logical Volume was created. With this update, use of the --thinpool
option with the --mirror
option is no longer allowed and the lvcreate
command fails with a proper error message under these circumstances.
lvm_percent_to_float()
function declared in the lvm2app.h
header file did not have an implementation in the lvm2app
library. Any program, which tried to use this function, failed at linking time. A patch for lvm2app.h
has been applied to fix this bug and lvm_percent_to_float()
now works as expected.
use_lvmetad = 1
option was set in the lvm.conf
file. This has been fixed and warning messages are no longer issued during boot.
<data_percent>
property for the lvm2app
library, incorrect value -1
was returned for thin volumes. This bug has been fixed by adding proper support for the lvm_lv_get_property(lv, <data_percent>)
function. Now, lvm2app
returns correct values.
--config "global{use_lvmetad=0"}
option). This bug occurred only when an LVM command was run with lvmetad
cache daemon running. The bug has been fixed and LVM no longer aborts.
pvscan --cache
command failed to read part of LVM1 metadata. As a consequence, when using LVM1 (legacy) metadata and the lvmetad
daemon together, LVM commands could run into infinite loops when invoked. This bug has been fixed and LVM1 and lvmetad
now work together as expected.
lvm2app
library support, incorrect values for thin snapshots origin
field were reported. A patch has been updated to return the correct response to the lvm_lv_get_property(lv, "origin")
function.
lvs
command output. This information is now included under the heading that has been changed from Copy%
to Cpy%Sync
. Users can now request the Cpy%Sync
information directly via lvs
with either the lvs -o copy_percent
or the lvs -o sync_percent
option.
lvmetad
as lvmetad
caches VG metadata and thus avoids taking the exclusive lock. As a
consequence, numerous PVs commands reading VG metadata can be run in
parallel without the need for the exclusive lock.
striped
instead of linear
,
was returned. The messages have been updated to provide correct
information and only messages with correct and relevant content are now
returned under these circumstances.
create
command of a RAID Logical Volume resulted in failure even though the process itself succeeded without the --test
argument of the command. With this update, a test run of the create
command now properly indicates success if the command is successful.
--nosync
option, an attribute with this information is attached to the LV. Previously, a RAID1
LV did not clear this attribute when the LV was converted to a linear
LV and back, even though it underwent a complete resynchronization in
the process. With this update, --nosync
has been fixed and the attribute is now properly cleared after the LV conversion.
lvchange --resync
command has been added on a RAID LV, which makes the LV undergo complete resynchronization.
Internal error: Handler needs existing VGWith this update, cached VG metadata are used instead of relying on an absent MDA content of the last discovered PV. As a result, the aforementioned error no longer occurs.
mirror
utility caused a minor memory leak. To fix this bug, all resources
taken in the function have been released, and memory leaks for longterm
living processes (such as the dmeventd
daemon) no longer occur.
lvmetad
daemon. As a consequence, Logical Volume Manager (LVM) commands trying to talk to lvmetad
became unrepsonsive. The nested lock has been removed, and the deadlock no longer occurs.
lvconvert
utility handled the -y
and -f
command line options inconsistently when repairing mirror or RAID volumes. Whereas the -f
option alone worked correctly, when used along with the -y
option, the -f
option was ignored. With this update, lvconvert
handles the -f
option correctly as described in the manual page.
vgchange -ay
command failed to activate any Logical Volumes and the following error message was returned:
/dev/dasdf1: open failed: Read-only file system device-mapper: reload ioctl failed: Invalid argument 1 logical volume(s) in volume group "v-9c0ed7a0-1271-452a-9342-60dacafe5d17" now activeHowever, this error message did not reflect the nature of the bug. With this update, the command has been fixed and Volume Group can now be activated on a read-only disk.
--alloc anywhere
option to occasionally fail. RAID 4/5/6 systems were particularly
affected. The bug was fixed to avoid picking already-full areas for RAID
devices.
Enhancements
device-mapper
driver UUIDs could have been used to create the /dev
content with the udev
utility. If mangling was not enabled, udev
created incorrect entries for UUIDs containing unsupported characters. With this update, character-mangling support in the libdevmapper
library and the dmsetup
utility for characters not on the udev-supported whitelist has been enhanced to process device-mapper
UUIDs the same way as device-mapper
names are. The UUIDs and names are now always controlled by the same mangling mode, thus the existing --manglename dmsetup
option affects UUIDs as well. Furthermore, the dmsetup info -c -o
command has new fields to display: mangled_uuid
and unmangled_uuid
.
vgchange/lvchange -ay
on the command line. This update adds the autoactivation feature, LVM2
now lets the user specify precisely which Logical Volumes should be
activated at boot time and which ones should remain inactive. Currently,
the feature is supported only on non-clustered and complete VGs. Note
that to activate the feature, lvmetad
must be enabled (global/use_lvmetad=1
LVM2 configuration option).
lvconvert
utility has been updated with new supported options for conversion of existing volumes into a thin pool.
lvconvert
utility is easier to use in these cases, lvconvert
has been enhanced to support conversion of pre-formatted LVs into a thin pool volume. With the --thinpool data_lv_name
and --poolmetadata metadata_lv_name
options, the user may use a pre-formatted LV to construct a thin pool as with the lvcreate
utility.
lvmetad
) is available as part of this LVM2 update, along with udev
integration for device scanning. Repeated scans of all block devices in
the system with each LVM command are avoided if the daemon is enabled.
The original behavior can be restored at any time by disabling lvmetad
in the lvm.conf
file.
passdown
is default and allows to pass-through discard requests to the thin pool backing device; nopassdown
processes allows discards only on the thin pool level and requests are not passed to the backing device; ignore
allows ignoring of discard request.
~]# lvcreate --type raid10 -m 1 -i 2 -L 1G -n lv vg
Note that the -m
and -i
arguments behave in the same way they would for other segment types. That is, -i
is the total number of stripes while -m
is the number of (additional) copies (that is, -m 1 -i 2
gives 2 stripes on the top of 2-way mirrors).
lvm2app
library now reports
the data_percent field which indicates how full snapshots, thin pools
and volumes are. The Logical Volume needs to be active to obtain this
information.
-l
option has been added to the lvmetad
daemon to allow logging of wire traffic and more detailed information on internal operation to the standard error
stream. This new feature is mainly useful for troubleshooting and debugging.
--mirrors
command for RAID5. Consequently, erroneous and unexpected results were
produced. With this update, invalid arguments are caught and reported.
lvmdump
utility has been extended to include a dump of the internal lvmetad
daemon state, helping with troubleshooting and analysis of lvmetad
-related problems.
DM_DISABLE_UDEV
environment
variable is now recognized and takes precedence over other existing
setting when using LVM2 tools, dmsetup and libdevmapper to fallback to
non-udev operation. Setting the DM_DISABLE_UDEV
environment variable provides a more convenient way of disabling udev
support in libdevmapper, dmsetup and LVM2 tools globally without a need
to modify any existing configuration settings. This is mostly useful if
the system environment does not use udev
.
Bug Fixes
Bug Fixes
fattach()
function was missing. This update adds the fattach(2)
manual page.
recvmmsg()
call was missing. This update adds the recvmmsg(2)
manual page.
cciss
and hpsa
utilities were missing. This update adds the cciss(4)
and hpsa(4)
manual pages.
host.conf(5)
manual page contained a description for the unsupported order
keyword. This update removes the incorrect description.
clock_gettime(2)
, clock_getres(2)
, and clock_nanosleep(2)
manual pages did not mention the -lrt
option. With this update, the description of the -lrt
option has been added to the aforementioned manual pages.
single-request-reopen
to the resolv.conf(5)
manual page.
SSSD
in the nsswitch.conf
file is now described in the nsswitch.conf(5)
manual page.
UMOUNT_NOFOLLOW
flag is described in the umount(2)
manual page.
sendmmsg()
function was missing. This update adds the sendmmsg(2)
manual page.
db(3)
manual page was pointing to the non-existent dbopen(3)
manual page. When the man db
command was issued, the following error message was returned:
fopen: No such file or directory.With this update, the
db(3)
manual page is removed.
TCP_CONGESTION
socket option to the tcp(7)
manual page.
ip(7)
manual page. This update adds these descriptions to the ip(7)
manual page.
shmat(2)
manual page was missing the description for the EIDRM
error code. With this update, this description has been added to the shmat(2)
manual page.
bdflush(2)
system call manual page was missing information that this system call is obsolete. This update adds this information to the bdflush(2)
manual page.
nscd.conf(5)
manual page was not listing “services” among valid services. With this update, “services” are listed in the nscd.conf(5)
manual page as expected.
nsswitch.conf(5)
manual page lacked information on the search mechanism, particularly about the notfound
status. This update provides an improved manual page with added description of notfound
.
connect()
call with the local address set to the INADDR_ANY
wildcard address was insufficiently described in the ip(7)
manual page. Possible duplication of the local port after the call was
not acknowledged. With this update, the documentation has been reworked
in order to reflect the behavior of the connect()
call correctly.
getdents()
function in the getdents(2)
manual page, the risk of using this function directly was not clear
enough. The description has been extended with a warning to prevent
incorrect usage of the getdents()
function.
nscd.conf(5)
manual page was
missing descriptions and contained several duplicate entries. With this
update, the text has been clarified and redundant entries have been
removed.
tzset(3)
manual
page contained an incorrect interval in the description of the start and
end format for Daylight Saving Time. Consequently, users thought the
number was 1-based rather than 0-based when not using the J
option. With this update, the manual page has been corrected. The
Julian day can be specified with an interval of 0 to 365 and February 29
is counted in leap years when the J
option is not used.
/proc/sys/fs/file-nr
file in the proc(5)
manual page was outdated. This update adds the current information to this manual page.
connect(2)
manual page in the Error section listed EAGAIN
error code instead of EADDRNOTAVAIL
error code. This update amends the manual page with correct information.
Enhancements
Bug Fix
Upgrade to an upstream version
Bug Fixes
Enhancement
Upgrade to an upstream version
Bug Fixes
Upgrade to an upstream version
Bug Fixes
Enhancements
Bug Fix
Enhancements
Bug Fix
Enhancements
Bug Fix
Bug Fix
Bug Fix
netstat
utility which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
Bug Fixes
exec
entries in the /etc/snmp/snmpd.conf
congiguration file. With more than 50 such entries in the file, the snmpd
daemon reported the following error message:
Error: No further UCD-compatible entriesWith this update, the fixed limit has been removed, and there can now be any number of
exec
entries in /etc/snmp/snmpd.conf
.
libnetsnmpmibs.so.20
and libnetsnmphelpers.so.20
libraries did not contain an RPATH entry to the libperl.so package for embedding Perl. This could cause problems when linking custom SNMP applications or modules. An upstream patch, which adds RPATH for the Perl libraries, has been provided, and all libperl.so references are now resolved.
snmpd
daemon ignored the trapsess -e <engineID>
configuration option in the /etc/snmp/snmpd.conf
file and sent a default engineID string even if trapsess
was configured with an explicit engineID value. An upstream patch has been provided to fix this bug and snmpd
now sends outgoing traps with an engineID string as specified in /etc/snmp/snmpd.conf
.
snmpd
daemon could fail to count some processes when filling in the UCD-SNMP-MIB::prTable
table. With this update, the underlying source code has been adapted to
prevent such a race condition, so that all processes are now counted as
expected.
snmpd
daemon ignored the port number of the clientaddr
option when specifying the source address of outgoing SNMP requests. As a consequence, the system assigned a random port number to the udp
socket. This update introduces a new configuration option clientaddrUsesPort
, which, if set to yes
, allows to specify both the port number and the source IP address in the clientaddr
option. Now, administrators can increase security with firewall rules
and SELinux policies by configuring a specific source port of outgoing
traps and other requests.
snmpd
daemon was shutting down during processing of internal queries, a request was neither marked as failed nor finished, and snmpd
waited indefinitely for the request to be processed. With this update, snmpd
marks all internal queries as failed during shutdown.
UCD-SNMP-MIB::extCommand
variable in the snmpd
daemon reported only names of the executable parameters, missing all other command line parameters. With this update, UCD-SNMP-MIB::extCommand
has been fixed and snmpd
returns the full command line output.
snmptrapd(8)
manual page did not properly describe how to load multiple configuration files using the -c
option. With this update, the manual page has been fixed and describes
that multiple configuration files must be separated by the comma
character.
HOST-RESOURCES-MIB::hrStorageTable
table was rewritten and devices with CentraVision File System (CVFS) and OpenVZ container file systems (simfs
) were not reported. With this update, the snmpd
daemon properly recognizes CVFS
and simfs
devices and reports them in HOST-RESOURCES-MIB::hrStorageTable
.
snmpd
daemon was not able to expand 32-bit counter provided by the operating system to 64-bits, as required by SNMP standards, the snmpd
daemon occasionally reported the following error messages:
c64 32 bit check failed
Error expanding XXX to 64bits
looks like a 64bit wrap, but prev!=newThese messages were in fact harmless but confusing. This update suppresses them and they are no longer returned in the described scenario.
snmpd
daemon reported an error message to system log files when it could not open the following files: /proc/net/if_inet6
, /proc/net/snmp6
, /proc/net/ipv6_route
, /proc/net/tcp6
, and /proc/net/udp6
.
These files are typically missing on machines with disabled IPv6
networking, and thus reporting such error messages for them is
meaningless. With this update, the error messages are suppressed, and
the system log files are not filled with redundant messages.
net-snmp
utility failed to read the diskIOLA1
, diskIOLA5
, and diskIOLA15
object variables of the UCD-DISKIO-MIB object, as these variables were
not implemented on the Linux operating system. Consequently, the snmptable
utility failed to return values of the three variables correctly. With
this update, these objects are implemented and their values are now
displayed in the UCD-DISKIO-MIB::diskIOTable
table as expected.
snmpd
daemon was updated to send an SNMP response to broadcast requests from the same interface, on which a SNMP response had been received. However, this update also introduced a bug which prevented snmpd
from sending responses to unicast request on multihomed machines. This update fixes this bug, so the snmpd
daemon is now able to both answer unicast requests on multihomed
machines and send responses to broadcast requests from the same
interface, on which the request has been received.
snmptrapd
daemon terminated the embedded Perl interpreter immediately after the TERM
signal was received, regardless of whether embedded Perl code was still being used. Consequently, snmptrapd
could rarely terminate unexpectedly during shutdown. With this update,
the embedded Perl interpreter is destroyed later during the snmptrapd
shutdown, when all Perl processing is finished.
Bug Fixes
Enhancements
Bug Fix
Bug Fixes
Bug Fixes
Upgrade to an upstream version
Bug Fixes
Bug Fix
Bug Fixes
Enhancement
Bug Fix
Enhancement
Upgrade to an upstream version
Security Fix
Bug Fixes
Bug Fix
Bug Fixes
smbk5pwd
overlay was
enabled in an OpenLDAP server and a user changed their password, the
Microsoft NT LAN Manager (NTLM) and Microsoft LAN Manager (LM) hashes
were not computed correctly. Consequently, the sambaLMPassword
and sambaNTPassword
attributes were updated with incorrect values, preventing the user from
logging in using a Windows-based client or a Samba client. With this
update, the smbk5pwd
overlay is linked
against OpenSSL. As such, the NTLM and LM hashes are computed correctly
and password changes work as expected when using smbk5pwd
.
TLS_CACERTDIR
configuration option used a prefix, which specified a Mozilla NSS database type, such as sql:
,
and when a TLS operation was requested, the certificate database failed
to open. This update provides a patch, which removes the database type
prefix when checking the existence of a directory with certificate
database, and the certificate database is now successfully opened even
if the database type prefix is used.
TLS_CACERTDIR
was set to use a Mozilla NSS certificate database, the PEM certificate
failed to load. With this update, the certificate is first looked up in
the Mozilla NSS certificate database and if not found, the PEM file is
used as a fallback. As a result, PEM certificates are now properly
loaded in the described scenario.
libldap
library incorrectly expected that filenames of all hashed certificates end with the .0
suffix. Consequently, even though any numeric suffix is allowed, only certificates with .0
suffix were loaded. This update provides a patch that properly checks
filenames in OpenSSL CA certificate directory and now all certificates
that are allowed to be in that directory are loaded with libldap
as expected.
rwm
overlay and a client sent the modrdn
operation, which included the newsuperior
attribute matching the current superior
attribute of the entry being modified, the slapd
server terminated unexpectedly with a segmentation fault. With this update, slapd
is prevented from accessing uninitialized memory in the described
scenario, the crashes no longer occur, and the client operation now
finishes successfully.
slapd
server configuration database (cn=config
) was configured with replication in mirror mode and the replication configuration (olcSyncrepl
) was changed, the cn=config
database was silently removed from mirror mode and could not be futher modified without restarting the slapd
daemon. With this update, changes in replication configuration are
properly handled so that the state of mirror mode is now properly
preserved and the cn=config
database can be modified in the described scenario.
AAAA
(IPv6) DNS record while resolving the server IP address even if IPv6
was disabled on the host, which could cause extra delays when
connecting. With this update, the AI_ADDRCONFIG
flag is set when resolving the remote host address. As a result, the OpenLDAP library no longer looks up for the AAAA
DNS record when resolving the server IP address and IPv6 is disabled on the local system.
Enhancements
libldap
was configured to use
TLS, not all TLS ciphers supported by the Mozilla NSS library could be
used. This update provides all missing ciphers supported by Mozilla NSS
to the internal list of ciphers in libldap
, thus improving libldap
security capabilities.
Upgrade to an upstream version
Security Fix
Note
Bug Fixes
Enhancements
Bug Fixes
Upgrade to an upstream version
Bug Fixes
Enhancements
Bug Fix
Security Fixes
pam_env
module parsed users' ~/.pam_environment
files. If an application's PAM configuration contained "user_readenv=1"
(this is not the default), a local attacker could use this flaw to
crash the application or, possibly, escalate their privileges.
pam_env
module expanded certain environment variables. If an application's PAM configuration contained user_readenv=1
(this is not the default), a local attacker could use this flaw to cause the application to enter an infinite loop.
Bug Fixes
/etc/limits.d/90-nproc.conf
file to 1024 processes even for the root account. Consequently, root processes confined with SELinux, such as the prelink utility started from the crond
daemon, failed to start if there were more than 1024 processes running with UID
0 on the system. The limit for root processes has been set to unlimited
and the confined processes are no longer blocked in the described
scenario.
require_selinux
option handling in the pam_namespace
module was broken. As a consequence, when SELinux was disabled, it was not possible to prevent users from logging in with the pam_namespace
module. This option has been fixed and PAM works as expected now.
pam_get_authtok_verify()
function did not save the PAM_AUTHTOK_TYPE PAM
item properly. Consequently, the authentication token type, as specified with the authtok_type
option of the pam_cracklib
module, was not respected in the “Retype new password” message. The pam_get_authtok_verify()
function has been fixed to properly save the PAM_AUTHTOK_TYPE
item and PAM now works correctly in this case.
remember
option was used, the pam_unix
module was matching usernames incorrectly while searching for the old password entries in the /etc/security/opasswd
file. Due to this bug, the old password entries could be mixed; the
users whose usernames were a substring of another username could have
the old passwords entries of another user. With this update, the
algorithm that is used to match usernames has been fixed. Now only the
exact same usernames are matched and the old password entries are no
longer mixed in the described scenario.
pam_pwhistory
module caused an error to occur when the root user was changing user's
password. It was not possible to choose any password that was in user's
password history as the new password. With this update, the root user
can change the password regardless of whether it is in the user's
history or not.
Enhancements
pam_cracklib
module now supports the enforce_for_root
option, which enforces the complexity restrictions on new passwords even for the root account.
pam_cracklib
module now also allows to specify the maximum allowed number of
consecutive characters of the same class (lowercase, uppercase, number,
and special characters) in a password.
maxsequence
option.
pam_lastlog
module, which allows users to lock accounts after a configurable number of days.
Bug Fixes
Upgrade to an upstream version
Security Fix
Bug Fixes
Bug Fix
Upgrade to an upstream version
Bug Fixes
Bug Fix
Security Fixes
Bug Fixes
var_export()
function, the function returned an unsigned index ID. With this update,
the function has been modified to process negative array index values
correctly.
setDate()
, setISODate()
and setTime()
functions did not work correctly when the corresponding DateTime
object was created from the timestamp. This bug has been fixed and the aforementioned functions now work properly.
strcpy()
function, called by the extract_sql_error_rec()
function in the unixODBC API, overwrote a guard variable in the pdo_odbc_error()
function. Consequently, a buffer overflow occurred. This bug has been fixed and the buffer overflow no longer occurs.
$this
object became corrupted, and behaved as a non-object. A test with the is_object()
function remained positive, but any attempt to access a member variable of $this
resulted in the following warning:
Notice: Trying to get property of non-object
$this
no longer becomes corrupted.
stat
interface from the stream wrapper. Consequently, when used with a
stream object, the Fileinfo extension failed with the following message:
file not found
file
and phar
stream wrappers support the stat interface in PHP 5.3.3.
DISABLE_AUTHENTICATOR
parameter of the imap_open()
function was specified as an array, it ignored the array input.
Consequently, a GSSAPI warning was shown. This bug has been fixed and DISABLE_AUTHENTICATOR
now processes the array input correctly.
Enhancements
Bug Fixes
Security Fix
Bug Fixes
Enhancements
Upgrade to an upstream version
Bug Fixes
Enhancements
Upgrade to an upstream version
Bug Fixes
Upgrade to an upstream version
Bug Fixes
Bug Fixes
Enhancement
Bug Fixes
Enhancement
Upgrade to an upstream version
Bug Fixes
cannot decode Basic Constraints
Enhancement
Bug Fix
Upgrade to an upstream version
Bug Fixes
Upgrade to an upstream version
Enhancement
Bug Fix
Bug Fixes
Bug Fix
Enhancements
Upgrade to an upstream version
Bug Fixes
Enhancements
Upgrade to an upstream version
Upgrade to an upstream version
Security Fixes
Bug Fixes
Enhancement
Bug Fixes
Enhancement
Bug Fixes
Enhancements
Note
Bug Fixes
status
action in the netfs interface failed to write any output to the /var/log/cluster/rgmanager.log
file. Consequently, it was not possible to verify if the status check
of an NFS mount was successful. The bug has been fixed, and results of
the status check are now properly stored in the log file.
/boot/initrd.img
file, which is used during the boot process, must be synchronized with the /etc/lvm/lvm.conf
file. Previously, the HA-LVM startup failed when lvm.conf
was changed without updating initrd.img
.
With this update, this behavior has been modified. A warning message is
now displayed, but the startup is no longer terminated in the described
case.
clvmd
variant of the HA-LVM service on multiple nodes in a cluster at the same time. The start of an HA-LVM resource coincided with another node initializing that same HA-LVM
resource. With this update, a patch has been introduced to synchronize
the initialization of both resources. As a result, services no longer
fail due to the simultaneous initialization.
status
argument, it restarted the database after checking its status without any notification to the rgmanager application. This bug has been fixed, and the unwanted restart no longer occurs.
rg_test
command occasionally failed with the following message:
too many arguments
/proc/mounts
file changed during a status check operation of the file system resource
agent, the status check could incorrectly detect a missing mount and
mark the service as failed. This bug has been fixed and rgmanager's file system resource agent no longer reports false failures in the described scenario.
/proc/mounts
file contained trailing slashes. With this update, a patch has been
introduced to remove trailing slashes from device names when reading the
contents of /proc/mounts
. As a result, CIFS mounts are now recognized properly.
ulimit -n
), the maximum stack size (ulimit -s
), and the maximum size of data segments (ulimit -d
). With this update, the SAPInstance agent has been modified to accept limits specified in the /usr/sap/services
file. As a result, system resources limits can now be specified manually.
Enhancements
nfsrestart
option has been added to both the fs and clusterfs
resource agents. This option provides a way to forcefully restart NFS
servers and allow a clean unmount of an exported file system.
prefer_interface
parameter has been added to the rgmanager ip.sh
resource agent. This parameter is used for adding an IP address to a
particular network interface when a cluster node has multiple active
interfaces with IP addresses on the same subnetwork.
Bug Fixes
Bug Fixes
Enhancement
Bug Fixes
Enhancement
Bug Fixes
Enhancement
Bug Fixes
Enhancements
Bug Fixes
Bug Fixes
Enhancements
Upgrade to an upstream version
Security Fix
Bug Fix
Upgrade to an upstream version
/etc/samba/smb.conf
file:
max protocol = SMB2
smbd
) version. You cannot downgrade to an older Samba version unless you have backups of the TDB files. (BZ#649479)
Warning
smb.conf
man page and the individual IDMAP backend man pages.
Bug Fixes
PAM_USER_UNKNOWN
is always returned in case Winbind fails to authenticate a user. As a
result, users successfully authenticated by another PAM module can log
in as expected.
smbd
)
stopped with an error. The NDR parser has been fixed to correctly parse
printing entries from Samba 3.5. As a result, printers are correctly
migrated from 3.5 TDB to the 3.6 registry.
winbindd
) could not find them. The original behavior for resolving the domain local groups has been restored. As a result, the ID
command resolves domain local groups in its own domain correctly again.
DNS
domain the system has joined.
Enhancements
Bug Fixes
Enhancements
Bug Fixes
SSH
client. The SELinux policy rules have been updated to allow the user to log in to the system in the described scenario.
OpenMPI
job, parallel universe in Red Hat Enterprise Linux MRG Grid, failed and was unable to access files in the /var/lib/condor/execute/
directory. New SELinux policy rules have been added for OpenMPI
jobs to allow a job to access files in this directory.
ssh_sysadm_login
variable was set to OFF
in MLS. To fix this bug, the ssh_sysadm_login
SELinux boolean has been corrected to prevent the root user to log in when this variable is set to OFF
.
system-config-kdump
utility on the IBM System z architecture, the following error message was returned:
error opening /etc/zipl.conf for read: Permission deniedThis error was caused by missing SELinux policy rules. With this update, the respective rules have been updated to allow
system-config-kdump
to access the /etc/zipl.conf
file, and the error messages are no longer returned.
cron
daemon jobs were set to run in the cronjob_t
domain when the SELinux MLS policy was enabled. As a consequence, users could not run their cron
jobs. The relevant policy rules have been modified and cron
jobs now run in the user domain, thus fixing this bug.
/var/lib/openshift
file and executed the quotacheck -cmug /var/lib/openshift
command, the process resulted in AVC messages logged in the /var/log/audit/audit.log
file. With this update, the quota system can manage openshift_var_lib_t
directories to make the command work as expected.
SSSD
system daemon to perform user authentication, the passwd
utility was not allowed to read the /var/lib/sss/mc/
directory. This update fixes the security context for /var/lib/sss/mc/
to allow passwd
to read this directory as expected.
/sbin/unix_chkpwd
file to verify its hash. Consequently, users could not log in to the
system. The appropriate SELinux policy rules have been updated and a FIPS mode boolean has been added to resolve this bug.
system-config-kdump
utility was unable to handle the kdump
service when SELinux was in enforcing mode for 64-bit PowerPC. To fix this bug, the security context for the /usr/lib/yaboot/addnote
binary file has been changed to the bin_t type. With this update, system-config-kdump
handles kdump
as expected.
krb5.conf
file in Identity Manager and installed a server in permissive mode, it generated numerous AVC
messages because a number of processes were not able to read the
contents of the included directory. This update adds rules to allow
domains that can read the sssd_public_t type to also list this directory.
named
daemon terminated unexpectedly in enforcing mode. This update adapts the relevant SELinux policy to make sure the named
daemon can be started in the described scenario.
rhnsd
daemon was handled by the rhsmcertd
SELinux domain, which caused an AVC denial message to be returned. With this update, rhnsd
has its own SELinux policy domain called rhnsd_t
, thus preventing these messages.
SANLOCKOPTS="-w 0"
option was enabled in the /etc/sysconfig/sanlock
configuration file, AVC denial messages were generated by the service sanlock restart
command. The SELinux rules have been updated to allow the sanlock
daemon to be restarted correctly without any AVC messages.
libselinux
library did not support setting the context based on the contents of /etc/selinux/targeted/logins/$username/
directories. Consequently, central management of SELinux limits did not work properly. With this update, the /etc/selinux/targeted/logins/
directory is now handled by the selinux-policy packages as expected.
openswan
service with FIPS enabled caused AVC denial messages to be logged to the /var/log/audit/audit.log
file. This update fixes the relevant SELinux policy rules and openswan
no longer produces AVC messages.
/mnt/
directory successfully.
SSSD
daemon writes SELinux configuration files into the /etc/selinux/<policy>/logins/
directory. The SELinux PAM
module then uses this information to set the correct context for a
remote user trying to log in. Due to a missing policy for this feature, SSSD
could not write into this directory. With this update, a new security context for /etc/selinux/<[policy]/logins/
has been added together with appropriate SELinux policy rules.
heartbeat
subsystem was incorrectly treated by the corosync
SELinux policy. Consequently, AVC messages were generated and heartbeat
was unusable by default. To fix this bug, heartbeat
is now handled by the rgmanager
SELinux policy and AVC messages are no longer returned.
clamscan
utility did not work correctly as a backup server in the amavisd-new
interface, which resulted in AVC messages to be returned if clamscan
could not access amavis
spool files. This update corrects the SELinux policy to grant clamscan
the necessary permission in the described scenario.
ABRT
(Automatic Bug Reporting Tool) utility to use the inotify
subsystem on the /var/spool/abrt-upload/
directory. Consequently, when the user set up the WatchCrashdumpArchiveDir
option in the ABRT
utility, the abrtd
daemon failed on restart. To fix this bug, a SELinux policy rule has been added to allow ABRT
to use inotify
on /var/spool/abrt-upload/
with the daemon working correctly.
saslauthd
daemon process could not work properly if the MECH=shadow
option was specified in the /etc/sysconfig/saslauthd
file. This update fixes the relevant SELinux policy rules and allows saslauthd
to use the MECH=shadow
configuration option.
crontab
utility on an NFS (Network File System) home directory, AVC messages were written to the audit.log file. The relevant SELinux policy has been updated to allow user_r processes to run the crontab
utility, thus fixing the bug.
MAILDIR=$HOME/Maildir
option was enabled either in the /etc/procmailrc
or in dovecot
configuration files, the procmail
and dovecot
services were not able to access a Maildir directory located in the
home directory. This update fixes relevant SELinux policy rules to allow
the procmail
/dovecot
service to read the configured MAILDIR
option in /etc/procmailrc
.
vsftpd
daemon is being stopped, it terminates all child vsftpd
processes by sending the SIGTERM signal to them. When the parent process dies, the child process gets the SIGTERM signal. Previously, this signal was blocked by SELinux. This update fixes the relevant SELinux policy rules to allow vsftpd
to terminate its child processes properly.
/var/lib/pgsql/.ssh/
directory had an incorrect security context. With this update, the security context has been changed to the ssh_home_t label, which is required by the PostgreSQL
system backup.
libvirtd
daemon from starting the dnsmasq
server with the --pid-file=/var/run/libvirt/network/default.pid
option and AVC denial messages were returned. The updated SELinux rules allow the libvirtd
daemon to start correctly with dnsmasq
support.
sysadm_t
type at the s0-s15:c0.c1023 level, was not able to execute the tar --selinux -zcf wrk.tar.gz /wrk
command. These updated SELinux rules allow administrators to run the command in the described scenario.
/var/named/chroot/lib64/
directory, AVC messages could be returned when working with the named
daemon. To fix this bug, the missing SELinux security context for /var/named/chroot/lib64/
has been added.
dovecot-imap
and dovecot-lda
utilities were not allowed access to the Maildir files and directories with the mail_home_rw_t security context. These updated SELinux rules allow dovecot-imap
and dovecot-lda
to access Maildir home directories.
automount
utility erroneously returned the mount.nfs4: access denied by a server
error message when instructed to perform a mount operation, which included a context=
parameter. Mount operations in NFS v3 were not affected. Now, SELinux policy rules have been updated to allow automount
to work correctly in the described scenario.
smartd
daemon was not able to create the megaraid_sas_ioctl_node
device with the correct SELinux security context. Consequently, monitoring of some disks on a MegaRAID controller using smartd
was prevented. This update provides SELinux rules that allow monitoring of disks on a MegaRAID controller using smartd
.
/etc/openldap/cacerts/
and /etc/openldap/certs/
directories was provided by SELinux policy, which caused various
unnecessary AVCs to be returned. To fix this bug, these directories have
been labeled with the slapd_cert_t SELinux security label. Now, no redundant AVCs are returned.
internal-sftp
subsystem configured together with the Chroot
option, users with the unconfined_t SELinux type were unable to connect using the sftp
utility. This update fixes the SELinux policy to allow users to utilize sftp
successfully in the described scenario.
snmpd
daemon service was unable to connect to the corosync
service using a Unix stream socket, which resulted in AVC messages being logged in the /var/log/audit/audit.log
file. To fix this bug, a set of new rules has been added to the SELinux policy to allow the snmpd
daemon to connect to corosync
.
/var/run/amavisd/clamd.pid
file was empty, thus any attempt to restart the clamd.amavisd
daemon failed. Stopping the service failed because of the empty PID
file and starting it failed because the socket was already in use or
still being used. These updated SELinux rules allow clamd.amavisd
to write to the PID file as expected.
/var/run/cachefilesd.pid
file. With this update, SELinux policy rules and the security context have been fixed to get the cachefilesd_var_run_t label for the file.
rsync
daemon, which served an automounted home NFS directory, was not able to write files in this directory. To fix this bug, the rsync
daemon has been changed into a home manager to allow the needed access permissions.
unbound
service from working correctly. To fix this bug, the 8953/tcp port has been associated with the rndc_port_t SELinux port type.
syslog()
function instead of using its own logging code (BZ#747894). To reflect this change, the SELinux policy rules have been updated for the spice-vdagent policy to allow the use of syslog()
.
pam_oddjob_mkhomedir.so
module attempted to create a home directory on an NFS mounted volume. SELinux policy rules have been updated to allow pam_oddjob_mkhomedir
to use NFS and user home directories can now be created in enforcing mode as well.
.forward
file was configured by the user on NFS, AVC messages were returned. Consequently, Postfix
was not able to access the script in the aforementioned file. These updated SELinux rules allow to properly set up .forward
in the described scenario.
fence_virtd
daemon was unconfined by SELinux, which caused the service to run in the initrc_t type SELinux domain. To fix this bug, the fenced_exec_t security context has been added for the fence_virtd
daemon, and this service now runs in the fenced_t SELinux domain.
setroubleshootd
daemon was not able to read the /proc/irq
file. Consequently, AVC messages were returned. This update provides SELinux rules, which allow setroubleshootd
to read /proc/irq
, and AVC messages are no longer returned.
fence_vmware_soap
binary did not work correctly. Consequently, fencing failed, services did not failover, and AVC denial messages were written to the audit.log
file. This update fixes the relevant policy to make the fence_vmware_soap
binary work correctly.
/usr/lib/mozilla/plugins/libflashplayer.so
file was missing. Consequently, executing the mozilla-plugin-config -i
command caused the following error to be returned:
*** NSPlugin Viewer *** ERROR: /usr/lib/mozilla/plugins/libflashplayer.so: cannot restore segment prot after reloc: Permission deniedThe security context has been updated, and the command now works as expected.
/etc/mtab
file with a correct security context. To fix this bug, a new SELinux transition from the virtd_t to mount_t SELinux domain has been added.
SSH
and RSync
protocols failed to work with PostgreSQL. To resolve this bug, the postgresql_can_rsync
SELinux boolean has been added to allow PostgreSQL to run the rsync
utility and interact with SSH.
pulse
utility failed to start the Internet Protocol Video Security (IPVS
) sync daemon at startup. SELinux policy rules have been updated to allow pulse
start the daemon as expected.
chkconfig SERVICE on/off
commands to enable or disable a service on the system. This update fixes the relevant SELinux policy to allow the sysadm_r SELinux role to use these commands to enable or disable the service.
type=AVC msg=audit(1348602155.821:530): avc: denied { write } for pid=23129 comm="kadmind" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3647 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=fileWith this update, the
kadmind
utility has been allowed to access anon_inode file descriptors to fix the AVC message.
cimprovag
utility to connect to the cman_client socket.
/var/nmbd/
directory was labeled as var_t
,
which caused issues with Samba services which needed to access this
directory. The security context has been updated and Samba can now
access this directory as expected. Furthermore, SELinux can prevent the nmbd
service from writing into the /var/
repository, which causes problems with NetBIOS name resolution and leads to SELinux AVC denial messages.
rsyslog
utility to use the Generic Security Services Application Program Interface (GSSAPI). However, AVC messages were returned as a consequence. This update fixes relevant SELinux policy rules to allow the rsyslog
utility to use Kerberos tickets on the client side.
fail2ban
service was restarted and fail2ban
was not able to execute the ldconfig
and iptables
commands, it resulted in SELinux AVC denial messages being returned. This update fixes the relevant SELinux policy rules to allow fail2ban
to execute ldconfig
and also fix security contexts for iptables
binaries.
/opt/sartest
file, data could not be written to this location by the sadc
utility running from a root cron
daemon job. The security context has been updated and now sadc
running from a root cron
job can write data to this location.
clamdscan
utility was called by a Sendmail filter, the clamd
daemon was not able to scan all files on the system. This update adds the clamscan_can_scan_system
variable to allow all antivirus programs to scan all files on the system.
restorecon
utility disregarded custom rules for symbolic links. These updated SELinux rules allow restorecon
to properly handle custom rules for symlinks.
freshclam
utility was not able to update databases through the HTTP proxy
daemon when run by the cron
daemon. To fix this bug, the relevant SELinux policy rules have been updated. As a result, freshclam
now updates databases as expected in the described scenario.
IPSec+L2TP
VPN, SELinux prevented the pppd
daemon from accessing some needed components after connecting to the VPN server with the following error message:
pppd needs to be allowed also to "read" and "write" operations on l2tpd_t:socketThis update adds the missing SELinux policy to make sure all
pppd
actions are enabled by SELinux.
/etc/selinux/targeted/contexts/files/file_contexts
file contained typo errors. Some patterns matched the 32-bit path, but
the same pattern for the 64-bit path was missing. Consequently,
different security contexts were assigned to these paths. With this
update, the relevant file context specifications have been corrected so
that there are no more differences between these paths.
munin
plug-in domain with SELinux in enforcing mode. To fix this bug, the unconfined_munin_plugin_t SELinux type has been added to the SELinux policy to cover all unconfined munin
plug-ins. As a result, munin
plug-ins can now run unconfined.
ipactl
restart command caused AVC denial messages to be returned. This update fixes the relevant SELinux policy rules and the command no longer produces AVC messages.
sanlock
utility which could not access files and directories on the FUSE file system. To fix this bug, the sanlock_use_fusefs
SELinux boolean variable has been added and installing from an ISO image on a VM now succeeds.
corosync
utility. Consequently, corosync
failed to reboot. To fix this bug, corosync
has been allowed to use 1229/udp
and 1228/udp
ports to make auto-join a cluster ring after power fencing. As a
result, a machine re-joins the cluster after fencing and reboots as
expected.
nfs_export_all_rw
boolean variable was needed no longer and has been removed from the
policy, thus fixing the bug. NFS clients now cannot access shares in the
described scenario.
restorecon
utility on /ect/multipath*
directories and files, the security context was reset. This update
fixes relevant SELinux policy rules and adds updated SELinux security
context for these directories and files.
piranha-web
utility was unable to connect to the windbind
daemon using Unix stream sockets. Consequently, AVC messages were returned. To fix this bug, a set of new rules has been added to the SELinux policy to allow the piranha-web
service to connect to windbind
.
git_read_generic_system_content_files()
interface, the git-daemon
and httpd
daemons could not serve the same directory. To fix this bug, the git_read_generic_system_content_files()
interface has been updated to allow git-daemon
and httpd
to serve the same directory.
/var/log/
directory which were processed by the logrotate
utility. To fix this bug, the file context specifications have been updated and the files and directories processed by logrotate
now have correct labels.
munin-node
agent
lacked necessary SELinux rules for reading Exim log files. Consequently,
multiple bundled exim plug-ins were prevented from working and munin-node
terminated unexpectedly. This update fixes the relevant SELinux policy rules to allow munin-node
to read exim log files to make exim Munin plug-ins working correctly.
munin_stats
Munin plug-in, it caused AVC messages to be returned. To fix this bug, updated SELinux policy rules have been provided and munin_stats
now works as expected.
dovecot
utility, an AVC message was returned. This update fixes relevant SELinux policy rules and adds updated SELinux rules to allow dovecot
to start the /bin/bash
file. Now, AVC messages are no longer returned.
gpg-agent
daemon from reading the /dev/random
file. The claws-mail
client using the smime
utility was affected by this bug. Now, SELinux policy rules have been updated to allow SELinux confined users to decrypt S/MIME emails.
check_icmp
Munin plug-in, AVC messages were returned. With this update, a corrected SELinux policy has been provided for check_icmp
, thus fixing the bug.
rsync
daemon to log directly to a specific file, missing SELinux policy rules
let the user create the log file, but did not allow to append to it.
With this update, SELinux policy rules have been added to allow rsync
to append to a specific log file.
spamd
daemon process updating Razor configuration files resulted in a permission to be denied and an AVC message to be generated. This update fixes relevant SELinux policy rules to allow spamd
processes to update Razor configuration files in the described scenario.
getattr()
function access when starting VMs from Red Hat Enterprise
Virtualization Manager hosted on a Red Hat Storage (RHS) storage domain.
This update fixes relevant SELinux policy rules to allow the QEMU-KVM getattr()
access.
sepolicy
utility from Fedora to provide better SELinux manual pages for each SELinux domain.
wdmd
watchdog daemon used the /etc/wdmd.d/checkquorum.wdmd
script, both provided by the sanlock
package, for checking out the cluster state. Consequently, with SELinux
enabled, this detection failed resulting in a self-resetting loop. To
fix this bug, the SELinux support for the watchdog
script from the sanlock
utility has been added, and the detection no longer fails.
Enhancements
libvirt
library in turn launches a QEMU process as the unprivileged qemu
user. New qemu:///session
URIs introduced to libvirt
attempted to allow the unprivileged user to start KVM guests and have
the QEMU process execute as the same unprivileged user but failed since
the CAP_NET_ADMIN
capability is required to
use TUN/TAP networking. To fix this bug from the SELinux perspective, a
new SELinux policy has been added for a networking helper program that
QEMU can invoke.
pacemaker
service.
numad
service.
bcfg2-server
service.
rhnsd
service.
antivirus
attribute to consolidate all anti-virus programs on the system. The
module also allows to manage files and directories labeled with the antivirus_db_t file type.
xl2tpd
service.
svnserve
service.
glusterd
daemon.
slpd
daemon.
ovs-vswitchd
and ovs-brcompatd
Open vSwitch services.
qemu-ga
(guest agent) daemon. This daemon runs on the guest and executes
commands on behalf of processes running on the host. This update
provides a new SELinux policy for a new qemu-ga
(guest agent) daemon.
sencord
service.
rpc.rstatd
and rpc.rusersd
daemons to prevent them from running in the initrc_t
SELinux domain. Now, these services run in the rpcd_t
SELinux domain.
cpglockd
service.
/usr/share/ovirt-guest-agent/ovirt-guest-agent.py
file has been added to these updated packages.
Bug Fixes
Bug Fixes
Upgrade to an upstream version
Bug Fixes
sos
utility was
incomplete or in a different format than expected by RHN Satellite
developers. The module has now been extended to use the RHN Satellite
script (spacewalk-debug
) to collect
information when present, and the RHN Satellite components now supply a
debug script that is able to collect more detailed diagnostic data.
gluster
module made use of gluster
CLI
commands to obtain state dump information. This caused cluster-wide
locks to be taken, potentially blocking other nodes for the duration of
data collection. The module has been set to directly issue a signal to
the local gluster
processes and collect
the generated files. Now, full state dump data is collected without
causing side effects to other hosts in the environment.
psacct
(BSD Process Accounting) module collected all process accounting files
present on the system, which could, under certain configurations, lead
to a very large number of archived files in the process accounting
directory. This has been fixed by changing psacct
collecting only the most recent accounting file by default. The all
option has been added to the module which allows the user to request
the original behavior if required. As a result, reports generated on
hosts with many archived accounting files no longer include this large
set of additional data.
/etc/
or /var/lib/
directories. Consequently, the previous versions of sos did not capture files stored in this location. The devicemapper
module has been extended to include the /etc/multipath/
directory contents as well, to allow more consistent SELinux labeling
of multipath files. The complete bindings file is now captured on hosts
using the new directory layout.
sosreport
networking module collected various data from the sysctl
configuration found in the /proc/sys/net/
directory. Certain legacy paths in this directory have been deprecated
upstream and scheduled for removal in future releases but are maintained
for compatibility reasons. Nevertheless, running sosreport
on systems having deprecated sysctls
configuration generated warning messages as the sos
utility accessed these paths. This bug has been fixed by including sos
to a blacklist for forbidden paths of this directory. Now, diagnostic
information is no longer lost as the content of these files is now
provided under different parameter names that are already included in
the report. Thus, full diagnostic information is now collected from the /proc/sys/net/
directory without generating unnecessary warning messages in system logs.
sosreport
utility did not recognize interfaces named by BIOS, using the biosdevname
utility. Consequently, Ethernet network devices were constrained to the conventional ethN
naming scheme and the ifconfig
command, in some cases, did not identify correctly interface types. To address this issue, the sos
networking module was set to use the ip
command from the iproute
package to generate lists of network interfaces. As a result,
information for these network interfaces is now correctly captured and
is available in generated reports.
sosreport
command has been modified to remove this additional character when
present, thus fixing this bug. File capture is now consistent between sos versions in Red Hat Enterprise Linux 5 and 6, thus simplifying comparison of diagnostic data captured on these two releases.
sos
to
generate invalid file system paths and fail to generate a report. With
this update, invalid characters are filtered out of system hostnames and
the sosreport
command now works correctly
on systems having characters disallowed in file system paths present in
the hostname, thus fixing this bug.
sos
utility failed to validate the --name
parameter correctly. Consequently, the report was generated with a file
name containing an empty name field. To fix this bug, a default name
has been substituted when the provided report name is empty or invalid
and files are now generated with names following a consistent pattern.
sos
utility did not log errors when attempting to collect output from
external commands. Consequently, no message was written to the sos
log file when an external command could not be executed. This update ensures that the logging is carried out in the core
plug-in code and a failure to execute an external program is now correctly logged.
sos
utility passed an unescaped double tilde (~~
)
character sequence to a command executed by the system shell. On some
systems, the expansion of this sequence resulted in an error message
when the shell home directory expansion attempted a lookup for an
account named ~
. The sequence is now
correctly double-quoted to disable shell expansion of the string and no
spurious account lookup or log message is triggered in the described
scenario.
watchdog
device to protect their recovery. Previous versions of sos did not include support for collecting sanlock
diagnostic data. A new module has been added to collect configuration
and log files for this component so that diagnostic information relating
to the sanlock
service would be captured in generated reports.
PostgreSQL
is a popular open-source database in Red Hat Enterprise Linux. Prior versions of sos did not include support for collecting information about installed postgres
instances, and thus no diagnostic information was collected for this component. The psql
module that obtains information from the database has been included in this release. Now, when psql
is enabled, diagnostic data is captured on appropriately configured
systems, and optional parameters such as database name and
authentication may be specified in order to collect more detailed
information.
pagetypeinfo
file contains additional information relevant to external fragmentation of kernel memory. Previous versions of sos only collected the related buddyinfo
data. Consequently, less detailed information was available regarding
the fragmentation state of the kernel page allocator. The pagetypeinfo
file has been included in the generated report and detailed
fragmentation debugging data is now collected by default, thus avoiding
manual effort to obtain this information.
Enhancements
/proc/ioports
file detailing registered I/O port regions in use. The /proc/iomem
file additionally describes regions of physical system memory and their
use of memory, firmware data, and device I/O traffic. As this data may
be important in debugging certain hardware and device-driver problems,
both ioports
and iomem
data have been made available within generated reports.
subscription-manager
utility output for diagnostic purposes. The output of subscription-manager
is now included in generated reports.
Upgrade to an upstream version
Bug Fixes
--spice-disable-effects
option and an invalid value, spice-gtk did not print any error message, which could confuse users. This bug is now fixed and QEMU exits when an invalid value is encountered.
main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)This code made debugging of connections failures cumbersome. With this update, the corresponding error message is printed for each of the different scenarios.
--spice-color-value
option with an invalid value, an error message is displayed. However,
previously, the message was not clear enough. After the update, when
using the --spice-color-value
option with an invalid value, SPICE returns an error message including a suggestion of the value.
Spice-Warning **: ssl_verify.c:484:openssl_verify: ssl: subject '' verification failedWith this update, when no host subject is specified, remote-viewer treats it like an empty host subject and verifies a common name
CN=
from the subject field with hostname.
/usr/share/polkit-1/actions/org.spice-space.lowlevelusbaccess.policy
file have been made to allow access to the raw USB device without
prompting for a password. A warning about the security implications of
this have been included in the documentation.
channel_reset()
function can rely on the state accurately, reflecting the USB state.
00
scan codes to virtual machines, which resulted in the unknown key pressed
error messages being printed by the client. After this update, SPICE no longer sends the 00
scan codes to the spice-server.
Enhancements
Upgrade to an upstream version
Enhancement
Upgrade to an upstream version
Bug Fixes
Enhancements
Upgrade to an upstream version
Enhancements
Bug Fixes
Security Fixes
Bug Fixes
ConnStateData::noteMoreBodySpaceAvailable()
function, child processes of Squid terminated upon encountering a
failed assertion. An upstream patch has been provided and Squid child
processes no longer terminate.
Proxy-Connection
to Connection
, the NTLM pass-through authentication does not work, thus preventing login. This update adds the new http10
option to the squid.conf
file, which can be used to enable the change in the patch. This option is set to off
by default. When set to on
, the NTLM pass-through authentication works properly, thus allowing login attempts to succeed.
6
. This bug has been fixed and such requests are now handled as expected.
wbpriv
group did not include Squid. Consequently, NTLM authentication calls
failed. Now, Squid correctly adds itself into the wbpriv group if samba-winbind is installed before Squid, thus fixing this bug.
AAAA
record, Squid delayed due to long DNS requesting time. This update introduces the dns_v4_first
option to squid.conf
. If the dns_timeout
value of this option is properly set, Squid sends the A
and AAAA
queries in parallel and the delays no longer occur.
ident
value to a URL rewriter that was configured using the url_rewrite_program
directive. Consequently, the URL rewriter received the dash character (-
)
as the user value instead of the correct user name. Now, the URL
rewriter receives the correct user name in the described scenario.
*
) or an unknown protocol namespace URI. Consequently, an Invalid URL
error message was logged to access.log
during reload. This update ensures that http://
is always used in transparent proxy URLs, and the error message is no longer logged in this scenario.
Upgrade to an upstream version
Security Fixes
Bug Fixes
Connection to SSSD failed: Timer ExpiredAs a consequence, the user could not log in. After this update, pending requests are canceled after disconnection and the user is able to log in when the pam responder reconnects.
Enhancements
Bug Fixes
Enhancement
Upgrade to an upstream version
Upgrade to an upstream version
Bug Fixes
Enhancements
Upgrade to an upstream version
/etc/sudo.conf
configuration file for the sudo utility front-end configuration (plug-in path, coredumps, debugging and so on) has been added.
/etc/sudo.conf
file.
-D
flag in the sudo utility has been replaced with a more general debugging framework that is configured in the /etc/sudo.conf
file.
noexec_file
sudoers option is no longer supported.
noexec
functionality has been moved out of the sudoers policy plug-in and into the sudo utility front end, which matches the behavior documented in the plug-in writer's guide. As a result, the path to the /user/libexec/sudo_noexec.so
file is now specified in the /etc/sudo.conf
file instead of the /etc/sudoers
file.
sudoers
file, the command now allowed
error message is now logged instead of the previously used <N>
incorrect password attempts
. Likewise, the mail_no_perms
sudoers
option now takes precedence over the mail_badpass
option.
sudoers
file, he will no longer be prompted for a password even if the -k
option is specified with the executed command. This makes the sudo -k
command consistent with the behavior one would get if running the sudo -k
command immediately before executing another command.
-g
option that matches the target user's group in the password database, it is now allowed even if no groups are present in the Runas_Spec
.
%#gid
) can now be specified in the User_List
or Runas_List
files. Likewise, for non-Unix groups the syntax is %:#gid
.
-f
option is specified.
Bug fixes
tty
of a suspended process was not saved by the sudo
utility. Thus, the code handling the resume operation could not restore
it correctly. Consequently, resume was not enabled to a suspended
process run through the sudo
utility. This bug has been fixed by rebasing to a new upstream version.
As a result, suspending and resuming works correctly again.
defaults
option was added to restore the old behavior. Since the execution
method has been implemented to correctly handle PAM session handling,
I/O logging, SELinux support, and the plug-in policy close
functionality, these features do not work correctly if the
newly-implemented option is used. To apply this option, add the
following line to the /etc/sudoers
file:
Defaults cmnd_no_waitAs a result, if the newly-implemented option is used, commands will be executed directly by the sudo utility.
pam_end_sessions()
function was called. As a consequence, dependent modules could fail to
iniciate at session close in order to release resources or make
important administrative changes. This bug has been fixed by rebasing to
a newer upstream version, which uses the PAM API correctly (for
example, initializes one PAM handle and uses it in all related PAM API
function calls). As a result, PAM sessions are now closed correctly.
/etc/sudo-ldap.conf
file and missing examples in the same file led to an inconsistency with
documentation provided by Red Hat. With this update, file permissions
have been corrected and example configuration lines have been added. As a
result, /etc/sudo-ldap.conf
is now consistent with the documentation.
RLIMIT_NPROC
resource limit to the parents value of this limit if both the soft (current) and hard (maximum) values of RLIMIT_NPROC
were not limited. An upstream patch has been provided to address this bug and RLIMIT_NPROC
can now be set to "unlimited".
/etc/ldap.conf
file, the hash ('#') character could not be used as part of a
configuration value, for example in a password. It was understood as a
beginning of a comment and everything following the # character was
ignored. Now, the parser has been fixed to interpret the # character as a
beginning of a comment only if it is at the beginning of a line. As a
result, the '#' character can be used as part of a password, or any
other value if needed.
Enhancements
sudo
utility is able to consult the /etc/nsswitch.conf
file for sudoers entries and look them up in files or via LDAP
(Lightweight Directory Access Protocol). Previously, when a match was
found in the first database of sudoers entries, the look-up operation
still continued in other databases. In Red Hat Enterprise Linux 6.4, an
option has been added to the /etc/nsswitch.conf
file that allows users to specify a database after which a match of the
sudoer's entry is sufficient. This eliminates the need to query any
other databases; thus improving the performance of sudoer's entry look
up in large environments. This behavior is not enabled by default and
must be configured by adding the [SUCCESS=return]
string after a selected database. When a match is found in a database
that directly precedes this string, no other databases are queried.
Bug Fix
Bug Fixes
Enhancement
Enhancement
Bug Fixes
Upgrade to an upstream version
Bug Fixes
Bug Fixes
Bug Fixes
Bug Fixes
Bug Fixes
Enhancement
Upgrade to an upstream version
Bug Fixes
Enhancement
Bug Fixes
Bug Fixes
Enhancement
Bug Fixes
Bug Fixes
Enhancement
Upgrade to an upstream version
Bug Fixes
Enhancement
Security Fix
mount
command reported errors. A local attacker could use this flaw to
determine the existence of files and directories they do not have access
to.
Bug Fixes
/sys
file system. This resulted in unexpected SELinux alerts and unnecessary open()
calls. Now, the lsblk utility does not perform unnecessary opening operations and no longer reads the information from the /sys
file system.
lscpu
command failed unexpectedly with a segmentation fault and a core dump was generated. After this update, when executing the lscpu
command on such a configuration, the correct result is printed and no core dump is generated.
lscpu
command failed unexpectedly with a segmentation fault and a core dump was generated. This bug is now fixed and the lscpu
command now works as expected on this configuration.
hwclock --systz
command
to reset the system time based on the current time zone caused the clock
to be incorrectly adjusted by one hour. This was because hwclock did not adjust the system time during boot according to the "warp clock" semantic described in the settimeofday(2)
man page. With this update, hwclock correctly sets the system time when required.
/etc/fstab
file and on the command line, mounting failed and the kernel logged the following error upon running dmesg:
SELinux: duplicate or incompatible mount optionsThe handling of SElinux options has been changed so that options on the command line now replace options given in the
/etc/fstab
file and as a result, devices can be mounted successfully.
/etc/fstab
file, the mount
command returned a device before a directory. With this update, the search order has been modified and mount
now works as expected.
/var/run/utmp
file to increase by one record on the telnetd machine. As a consequence, the /var/run/utmp
file grew without a limit. As a result of trying to search though a huge /var/run/utmp
file, the machine running telnetd
could experience more severe side-effects over time. For example, the telnetd
process could become unresponsive or the overall system performance could degrade. The telnetd
now creates a proper record in /var/run/utmp
before starting the logging process. As a result, the /var/run/utmp
does not grow without a limit on each new login or logout sequence of a telnet session.
Enhancements
--compare
option for hwclock
to compare the offset between system time and hardware clock has been added due to a discontinued distribution of adjtimex in Red Hat Enterprise Linux 6.0 and later, which had previously provided this option.
lsblk
command now supports a new option, --inverse
,
used to print dependencies between block devices in reverse order. This
feature is required to properly reboot or shut down systems with a
configured cluster.
lscpu(1)
and chcpu(8)
man pages.
Upgrade to an upstream version
Bug Fixes
Enhancement
Bug Fix
Bug Fixes
inflate
and deflate
requests. As a consequence, a stop error could occur when several
requests were executed simultaneously. This update uses a dedicated
thread instead of work items to process the inflate
and deflate
requests sequentially.
resume
routine. As a consequence, ports could not handle the read request requests correctly. This update adds the correct virtual queue for re-initialization when resuming after hibernation.
inflate
and deflate
requests. As a consequence, the inflate
and deflate
requests could be executed simultaneously with PnP and Power management
handlers. This update uses a dedicated thread instead of work items to
process the PnP and PM requests only after all other pending requests
are completed.
Enhancements
Bug Fixes
Enhancement
Bug Fixes
Enhancements
Bug Fixes
Enhancement
libvirt
and is intended as a replacement for traditional VNC or SPICE clients.
Bug Fixes
remote-viewer
and the virt-viewer
tools, both use the same constant to print their usage message.
Consequently, when the user used an unknown command option with the remote-viewer
command, the error message referred to the virt-viewer --help
command instead of the remote-viewer --help
command. With this update, the remote-viewer
and virt-viewer
code has been modified so that the commands now return the correct error message when used with an unknown option.
virt-viewer -v
command and the console was closed, the command prompt was printed at
the end of the last line instead of the new line. This update fixes this
bug and the command prompt is printed correctly.
virt-viewer
did not treat the string as a wildcard address and did not create an
appropriate remote host address as expected. Consequently, an attempt to
connect to a remote host with such an address led to the connection
failure. This update modifies the underlying source code to treat the
aforementioned characters as wildcards and virt-viewer
now successfully connects to a remote host in the described scenario.
virt-viewer
stopped working with the new spice-gtk
module. With this update, the virt-viewer packages have been rebuilt to work properly with this new version of spice-gtk
.
remote-viewer
client. When disabling and then re-enabling the automatic window size,
the resized window was smaller then expected. This update provides a
patch to fix this bug and the automatic window resize option now works
properly.
virt-viewer
client was sized to the full screen, the virt-viewer size resolution
could not be set to a higher resolution than the monitor's native
resolution. With this update, the user is now able to set a higher
resolution than the monitor's native resolution.
virt-viewer
tool terminated unexpectedly. This update modifies the underlying code so that virt-viewer
no longer crashes in the described scenario.
remote-viewer
client was started from the XPI
plug-in, the client terminated unexpectedly with a segmentation fault.
This update modifies the underlying code and applies a patch to fix this
bug so that remote-viewer
now works as expected in this situation.
remote-viewer
to display multiple screens of a virtual machine with multiple physical displays, under certain circumstances, remote-viewer
could display only one screen in single remote-viewer
window and the other screens were disconnected. With this update, the
underlying code has been modified so that all physical displays are now
properly displayed in the respective remote-viewer
windows.
Enhancements
--title
option which allows the user to specify a title displayed in the remote-viewer window title bar.
virt-viewer
tool supports the SpiceMonitorsConfig
display message.
virt-viewer
tool is now able to
handle requests from the Red Hat Enterprise Virtualization portal to
enable or disable passing of the Ctrl+Alt+Delete key combination to the
guest operating system.
Enhancement
Bug Fixes
SubscriptionManagerError: No such file or directory Error in communication with candlepin, trying to recover Unable to read certificate, system is not registered or you are not root
AttributeError: HyperV instance has no attribute 'ping'
Enhancements
Bug Fix
Enhancement
2012-10-01 10:13:44 ERROR -1: Malformed status line.
Bug Fixes
Enhancement
Bug Fix
Bug Fix
Bug Fixes
Enhancement
Security Fix
Bug Fixes
Table 6.3. Upgraded packages
PACKAGE NAME | UPSTREAM VERSION | BZ NUMBER |
---|---|---|
xorg-x11-drv-acecad | 1.5.0 | 835212 |
xorg-x11-drv-aiptek | 1.4.1 | 835215 |
xorg-x11-drv-elographics | 1.4.1 | 835222 |
xorg-x11-drv-fpit | 1.4.0 | 835229 |
xorg-x11-drv-hyperpen | 1.4.1 | 835233 |
xorg-x11-drv-keyboard | 1.6.2 | 835237 |
xorg-x11-drv-mouse | 1.8.1 | 835242 |
xorg-x11-drv-mutouch | 1.3.0 | 835243 |
xorg-x11-drv-penmount | 1.5.0 | 835248 |
xorg-x11-drv-void | 1.4.0 | 835264 |
Upgrade to an upstream version
Upgrade to an upstream version
Upgrade to an upstream version
Upgrade to an upstream version
Upgrade to an upstream version
Bug Fixes
Upgrade to an upstream version
Upgrade to an upstream version
Upgrade to an upstream version
Bug Fixes
Enhancements
Upgrade to an upstream version
Bug Fixes
Table 6.4. Upgraded packages
Package name | Upstream version | BZ number |
---|---|---|
xorg-x11-drv-apm | 1.2.5 | 835216 |
xorg-x11-drv-ast | 0.97.0 | 835217 |
xorg-x11-drv-cirrus | 1.5.1 | 835219 |
xorg-x11-drv-dummy | 0.3.6 | 835220 |
xorg-x11-drv-fbdev | 0.4.3 | 835228 |
xorg-x11-drv-geode | 2.11.13 | 835230 |
xorg-x11-drv-glint | 1.2.8 | 835231 |
xorg-x11-drv-i128 | 1.3.6 | 835234 |
xorg-x11-drv-i740 | 1.3.4 | 835235 |
xorg-x11-drv-mach64 | 6.9.3 | 835239 |
xorg-x11-drv-mga | 1.6.1 | 835240 |
xorg-x11-drv-neomagic | 1.2.7 | 835244 |
xorg-x11-drv-nv | 2.1.20 | 835246 |
xorg-x11-drv-openchrome | 0.3.0 | 835247 |
xorg-x11-drv-r128 | 6.9.1 | 835250 |
xorg-x11-drv-rendition | 4.2.5 | 835251 |
xorg-x11-drv-s3virge | 1.10.6 | 835252 |
xorg-x11-drv-savage | 2.3.6 | 835253 |
xorg-x11-drv-siliconmotion | 1.7.7 | 835254 |
xorg-x11-drv-sis | 0.10.7 | 835255 |
xorg-x11-drv-sisusb | 0.9.6 | 835256 |
xorg-x11-drv-tdfx | 1.4.5 | 835258 |
xorg-x11-drv-v4l | 0.2.0 | 835260 |
xorg-x11-drv-trident | 1.3.6 | 835259 |
xorg-x11-drv-vesa | 2.3.2 | 835261 |
xorg-x11-drv-vmware | 12.0.2 | 835263 |
xorg-x11-drv-voodoo | 1.2.5 | 835265 |
xorg-x11-drv-xgi | 1.6.0 | 835267 |
xorg-x11-drivers | 7.3 | 835285 |
Upgrade to an upstream version
Bug Fix
Enhancement
Bug Fix
Bug Fixes
Bug Fixes
Bug Fixes
yum localinstall
command, various requires, obsoletes, and conflicts situations were not handled properly and resulted in inconsistent package installations using different Yum commands. The underlying source code has been modified and Yum resolves all the aforementioned situations properly.
yum update --skip-broken
command on the command line, the package dependency resolution never
ended. This bug is now fixed and dependencies are resolved successfully
after executing the yum update --skip-broken
command.
yum history stats
command failed with a traceback instead of reporting an actual error. This bug is now fixed and when the yum history stats
command fails after creating a new yum history file, it displays an error message.
yum makecache
command, followed by the yum -C updateinfo
command, the second command failed to execute because although the updateinfo file had been downloaded by yum makecache
it was uncompressed and treated as unavailable by yum -C updateinfo
. This bug is now fixed and yum -C updateinfo
works as expected in this scenario.
yum upgrade
command failed to execute, Yum displayed a misleading Protected multilib versions error message instead of the accurate one. This bug is now fixed and if Yum fails, it displays the correct error message.
createrepo --update
command took significantly longer. This update reduces the time for executing the createrepo --update
command.
yum updateinfo
command, provided by the yum-security plug-in, was used, Yum
did not merge the version information from multiple repositories. This
could prevent the latest version of a package that was present in
multiple repositories to not be installed. Now, when installing packages
from multiple repositories, Yum installs only the latest packages available.
yum-debug-restore
command was used to restore multiple installonly packages, Yum
tried to keep a limit of packages that were installed simultaneously
and removed packages that were present in the system. Also, Yum restored multiple packages but assumed that just one would be installed. Yum's installonly_limit
configuration now determines what to install and remove correctly when
multiple items are installed at once. This is most noticeable when using
commands like yum shell
and yum-debug-restore
.
yum.yumBase().update()
function to specify a package name, version, and/or release of a
certain package, the function terminated and failed to update the
aforementioned variables. This bug is now fixed and the yum.yumBase().update()
function can be used successfully to specify a package name, version, and release.
yum update
command. After this update, the yum update
command now handles packages with obsoleting dependencies as expected.
Enhancements
Bug Fix
Enhancement
Revision History | ||||
---|---|---|---|---|
Revision 1-1.0 | Thu Feb 21 2013 | |||
|
Liber Liber 2023 -
Authors
abati
- abba
- abbate
- accademia_degli_intronati
- accati
- accetto
- acerbi
- adami
- agabiti
- agamennone
- aganoor
- agaraff
- agostini
- agraives
- agresti
- agrippa
- alamanni
- albergati_capacelli
- albert
- albertazzi
- albertelli
- alberti
- alberti_leandro
- alberti_tommaso
- albini
- albinoni
- albori_della_vita_italiana
- alcott
- aleardi
- alfa
- alfieri
- algarotti
- ali
- alighieri
- alighieri_jacopo
- allen
- aloysius
- amabile
- amalteo
- amari
- amati
- ambrogini
- amidei
- amodeo
- andersen
- anderson
- andrea_da_barberino
- andreis
- angiolieri
- angiolini
- anile
- anonimo
- antiquarie_prospettiche_romane
- antoccia
- antona_traversi
- antonelli
- appelius
- apuleius
- aragona
- arbib
- archinti
- arenskij
- aretino
- ariosto
- aristoteles
- armaroli
- aroldi
- arouet
- arrhenius
- arrieta
- arrighi
- arrigoni
- arsinov
- artom
- artusi
- atlante
- auber
- audran
- auto_da_fe_in_bologna
- avancini
- azeglio
- bacci
- baccini
- bacci_peleo
- bach
- bachi
- bachi_riccardo
- bachofen
- bach_carl_philipp_emanuel
- bach_johann_bernhard
- bach_johann_ludwig
- bach_wilhelm_friedemann
- bacigalupo
- badia_y_leblich
- baffo
- bakunin
- balakirev
- balbo
- balbo_italo
- baldacci
- balsamo
- balzac
- balzani
- banchieri
- bandello
- bandi
- baratono
- baratono_adelchi
- barbagallo
- barbaranelli
- barbarani
- barbarich
- barberini
- barbiera
- barbieri
- barbieri_francisco
- barbusse
- barella
- bargiacchi
- baricelli
- barla
- barni
- barrie
- barrili
- bartok
- bartoli
- bartoli_daniello
- barzini
- basile
- bassano
- bassano_anthony
- bastianelli
- baudelaire
- baunard
- bazzero
- bazzoni
- becattini
- beccari
- beccaria
- beccaria_antonella
- beckford
- beethoven
- belgioioso
- belgiojoso
- bellacchi
- bellani
- belli
- bellini
- belloc_lowndes
- bellone
- belo
- beltrame
- beltramelli
- bembo
- benaglio
- benamozegh
- benco
- benco_delia
- benedetti
- benelli
- beolco
- berchet
- berchet_guglielmo
- berg
- berlioz
- bernard
- bernardino_da_siena
- berneri
- berneri_camillo
- berneri_maria_luisa
- berni
- bersezio
- bertacchi
- bertacchi_cosimo
- bertelli
- berti
- bertinetti
- bertini
- bertola
- bertoni
- bertoni_brenno
- bertoni_luigi
- berwald
- besana
- bestiario_moralizzato
- betteloni
- betti
- bettinelli
- bettoni
- bevilacqua
- beyle
- bhagavad_gita
- biagi
- bianchi
- bianchi_giovini
- bianco
- bianconi
- bianconi_giovanni_lodovico
- bibbia
- bibbiena
- biber
- biffoli
- binazzi
- bini
- biografie_e_ritratti_d_illustri_siciliani
- bisciola
- bisi
- bizet
- bizzarri
- bizzozero
- blackwood
- blake
- blanch
- blanchard
- blaserna
- boccaccio
- boccalini
- boccardi
- boccardo
- boccherini
- bocchi
- bodrero
- boerio
- boghen_conegliani
- boiardo
- boieldieu
- boine
- boito
- boito_a
- bolza
- bon
- bonacini
- bonaparte
- bonarelli
- bonatelli
- bonaventura
- bonaventura_enzo
- bond
- bonfadini
- bonghi
- bonizzi
- bonola
- bonomo
- bonvesin_de_la_riva
- bordenave
- borgese
- borgese_giuseppe
- borghi
- borghi_armando
- borodin
- borri
- bortolotti
- boschetti_alberti
- boscovich
- bosio
- bossi
- botta
- bottazzi
- bottero
- bouchardy
- bourcet
- bourdet
- bouvier
- bovio
- bovio_libero
- bozzano
- bozzini
- bracco
- brahms
- brancaccio
- brera
- bresadola
- breton
- brocchi
- brofferio
- broglio
- bronte
- bronzino
- bruch
- bruckner
- bruna
- brunelli
- brunetti
- bruni
- bruni_giuseppe
- bruno
- brusoni
- bufardeci
- buia
- buonaiuti
- buonarroti
- buonarroti_il_giovane
- buoninsegni
- buozzi
- burchiello
- burckhardt
- burke
- burnaby
- burroughs
- burzio
- buschi
- busetto
- busoni
- butti
- buxtehude
- buzzanca
- byrne
- byron
- caccianiga
- cacciatore
- caccini
- cafiero
- cagna
- cagni
- cajkovskij
- calandra
- calcagno
- caldarella
- calestani
- calvo
- calza
- camillo
- camis
- cammarano
- camoes
- campana
- campanella
- campolonghi
- campra
- canestrini
- canestrini_alessandro
- canina
- cannabich
- cannizzaro
- cantalupo
- cantoni
- cantoni_giovanni
- canto_gregoriano
- cantu
- capasso
- capefigue
- capella
- capocci
- capparoni
- capponi
- capranica
- caprile
- capuana
- carabellese
- caracciolo
- caracciolo_enrichetta
- carafa_capecelatro
- carcano
- cardano
- cardile
- carducci
- carlyle
- carmina_burana
- carnevali
- carocci
- carpenter
- carrera
- carroll
- carubia
- casadei
- casanova
- casas
- cassini
- castelli
- castelli_david
- castelnuovo
- castelvetro
- casti
- castiglione
- castiglioni
- catalani
- caterina_da_siena
- cather
- cattaneo
- cava
- cavalcanti
- cavallotti
- cavara
- caversazzi
- caviglia
- cefali
- celesia
- cellini
- celoria
- cena
- cenni
- cennini
- cerlone
- cernysevskij
- cerro
- cervantes
- cervesato
- cesarotti
- cesi
- chabrier
- chanson_de_roland
- chapi
- charpentier
- chaucer
- chausson
- chelli
- cherubini
- cherubini_eugenio
- chesterton
- cheyney
- chiabrera
- chiara
- chiarelli
- chiaretti
- chiarini
- chiesa
- chigi
- chiocchetti
- chiosso
- chiurlo
- chopin
- christiansen
- chueca
- ciaceri
- ciamician
- ciampoli
- cian
- ciano
- cicero
- cicogna
- cielo
- cifra
- cimarosa
- cinelli
- cipriani
- cittadella
- claps
- clarke
- clementi
- club_alpino_italiano
- cocchi
- codemo
- coffa_caruso
- coglitore
- colagrossi
- colajanni
- coleridge
- collenuccio
- colletta
- collins
- collodi
- colombe
- colombo_fernando
- colombo_michele
- colonna
- colonna_vittoria
- colorni
- columba
- cominelli
- compagni
- compagnia_del_mantellaccio
- comparetti
- confucius
- contessa_lara
- conti
- coperario
- coppi
- corano
- corbino
- cordelia
- corelli
- coresio
- corio
- cornaro
- cornelius
- cornoldi
- corradini
- cortesi
- cosmi
- cossa
- costa
- costa_andrea
- coster
- couperin
- crawford
- crawford_morris
- cremonese
- crispi
- croce
- crocella
- croce_benedetto
- croce_enrico
- cronica_vita_di_cola_di_rienzo
- cucca
- cummins
- cuneo
- cuoco
- cuomo
- curiel
- curti
- curti_pier_ambrogio
- cusani
- cyrano_de_bergerac
- dadone
- dall_ongaro
- dalmasso
- dandrieu
- danti
- darwin
- darwin_erasmus
- daudet
- dauli
- da_ponte
- da_porto
- da_verona
- debay
- debenedetti
- debussy
- deledda
- delibes
- delius
- della_casa
- della_chiesa
- della_porta
- della_seta
- della_valle
- della_valle_pietro
- delpino
- del_lungo
- del_lungo_carlo
- dering
- desanctis
- descalzo
- descartes
- descuret
- despres
- devienne
- dewey
- de_amicis
- de_angelis
- de_astis
- de_blasio
- de_boni
- de_bosis
- de_cesare
- de_cleyre
- de_filippi
- de_foe
- de_franchi
- de_gamerra
- de_giovanni
- de_gubernatis
- de_marchi
- de_maria
- de_orestis
- de_paoli
- de_pellegrini
- de_pretto
- de_quincey
- de_roberto
- de_rubris
- de_ruggiero
- de_sanctis
- de_vries
- diabelli
- diamante
- dickens
- diderot
- difensore_degli_ebrei
- dini
- dito
- dittersdorf
- di_blasi
- di_genio
- di_giacomo
- di_giovanni
- di_giovanni_alessio
- di_grazia
- di_monaco
- di_san_giusto
- dolce
- domenichi
- donati
- donaver
- doni
- donizetti
- dorso
- dossi
- dostoevskij
- douhet
- doyle
- draeseke
- driesch
- drigo
- drosso
- ducati
- dukas
- dumas
- dunant
- duparc
- durante
- du_mage
- dvorak
- d_albert
- d_ambra
- d_ancona
- d_andrea
- d_annunzio
- d_arzo
- d_emilio
- d_india
- eco
- economisti_del_cinque_e_seicento
- eisner
- electronic_frontier_foundation
- elgar
- elia
- emanuelli
- emerson
- emiliani_giudici
- emma
- emmanuel
- engels
- enriques
- epictetus
- epicurus
- erasmus_roterodamus
- eredia
- ermacora
- errante
- errera
- euclides
- fabbri
- fabiani
- fabula_de_etc
- faldella
- fanciullacci
- fanciulli
- fanfani
- fantazzini
- fantoni
- farga
- fargion
- farina
- farinelli
- farnaby
- faure
- favaro
- fazello
- federici
- fernandez_caballero
- fernandez_guardia
- ferrabosco_il_giovane
- ferrari
- ferrari_carlotta
- ferrari_giuseppe
- ferrari_giuseppe_1720
- ferrari_paolo
- ferrari_pietro
- ferrari_pio_vittorio
- ferrari_severino
- ferrer
- ferrero
- ferretti
- ferri
- ferrieri
- ferri_dina
- ferri_giustino
- ferroni
- ferruggia
- feuerbach
- fiacchi
- fibich
- figner
- figuier
- filicaia
- filippi
- fillak
- filopanti
- finella
- fioravanti
- fioretti_di_san_francesco
- fiore_di_leggende_cantari_antichi_etc
- fiorini
- firenzuola
- flammarion
- flaubert
- fletcher
- flies
- florenzi
- florio
- flotow
- fogazzaro
- folengo
- folgore
- fontana
- fontanarosa
- fontane
- fontefrancesco
- fontenelle
- formichi
- fornaciari
- forteguerri
- fortis
- foscolo
- fraccacreta
- fracchia
- france
- francesco_d_assisi
- franchetti
- franck
- franco
- frari
- freud
- frezzi
- frugoni
- fucini
- fugassa
- funck_brentano
- gabetti
- gabrieli
- gabrieli_giovanni
- galassi
- galiani
- galilei
- gallaccini
- galleani
- galleria_palatina
- gallina
- gallo
- galuppi
- gamberi
- gandhi
- ganot
- gargiulo
- garibaldi
- garrone
- gatti
- gautier
- geminiani
- gentile
- gentile_iginio
- gerard
- geremicca
- gerli
- german
- gershwin
- gervasoni
- gherardi
- ghersi
- ghislanzoni
- ghisleri
- giaccani
- giacometti
- giacosa
- giamboni
- gianelli
- giannone
- gibbon
- gibellini
- gide
- gigli
- giglioli
- gille
- gilles
- ginzburg
- gioberti
- giolitti
- giordana
- giordano
- giornale_per_i_bambini
- giostra_delle_virtu_e_dei_vizi
- giovannetti
- giovannitti
- giovio
- giraud
- giraudoux
- giretti
- giribaldi
- giuseppe_da_forio
- giusta_idea
- giusti
- glazunov
- glinka
- gluck
- gobetti
- goethe
- gogol
- goldoni
- goldsmith
- golgi
- goll
- gomes
- gonin
- gori
- gori_pietro_1854_1930
- gorkij
- gossec
- gothein
- gounod
- gozzano
- gozzi
- gozzi_gasparo
- graf
- gramsci
- granados
- grande
- grandi
- grassi
- grasso
- grave
- gray
- graziani
- gregorovius
- gretry
- grieg
- grimaldi
- grimm_jakob
- grippa
- grossi
- grossi_vincenzo
- groto
- guadagnoli
- gualandris
- gualdo
- guardione
- guareschi
- guarini
- guelfi
- guerrazzi
- guerrini
- guglielminetti
- guglielmotti
- guicciardini
- guidetti
- guidi
- guidiccioni
- guidi_michelangelo
- guiducci
- gulli
- guy
- haeckel
- haendel
- hamsun
- harding
- hasse
- hauptmann
- hawthorne
- haydn
- heron
- herschel
- hewlett
- heywood
- hichens
- historia_di_papa
- holborne
- holst
- homerus
- hubay
- huch
- hugo
- hummel
- humperdinck
- huxley
- iacopone_da_todi
- iacopo_da_sanseverino
- iberti
- ibn_gubayr
- ibn_miskawayh
- ibsen
- imbriani
- indy
- ingrassia
- innocentius_papa_12
- intorcetta
- invernizio
- ippolita_comunita_di_scriventi
- ippolitov_ivanov
- issel
- istoria_critica
- italia
- jacobsen
- james
- janacek
- jarro
- jatta
- jeans
- jefferson
- jenna
- jennings
- jerome
- johansson
- johnson
- joinville
- jolanda
- joplin
- jovine
- joyce
- juvalta
- kaffka
- kahn
- kalevala
- kalidasa
- kant
- karr
- keynes
- kipling
- kleist
- kollo
- komzak
- kovalevskaja
- kropotkin
- labriola
- ladenarda
- lady_gregory
- lafargue
- lagerlof
- lalande
- lalli
- lalo
- lancillotti
- lando
- landriani
- lanzalone
- lao_tzu
- lasca
- laser
- lasso
- latini
- lattes
- lattes_dante
- lavater
- lawrence
- lazzarelli
- lazzaretti
- lazzeri
- la_boetie
- la_fontaine
- la_lumia
- leetherland
- leggenda_di_tristano
- legouve
- lehar
- leibniz
- leitgeb
- lemery
- lemonnier
- lenti_boero
- leonardo
- leoncavallo
- leoni
- leopardi
- leroux
- lesca
- lessig
- lessona
- lettera_a_diogneto
- levati
- levi
- levi_adolfo
- levi_giulio_augusto
- lewis
- libri_piu_letti
- libro_della_cucina
- liebig
- liesegang
- liguria
- linati
- lipparini
- lippi
- liszt
- littre
- lizio_bruno
- ljadov
- lleo
- locatelli
- lockyer
- lodi
- lomazzo
- lombardini
- lombroso
- lombroso_gina
- london
- longo
- longus_sophista
- lopez
- lorentz
- lorenzo
- lorenzoni
- lori
- loria
- lortzing
- lo_valvo
- lucatelli
- lucchesini
- lucianus
- lucini
- lucretius
- luigini_federico
- luini
- lully
- luna
- lupo
- lusitania
- luther_blissett
- luzio
- macaulay
- maccrie
- machiavelli
- mackay
- maes
- maeterlinck
- maffei
- magalotti
- maggi
- mahler
- maineri
- maistre
- malamani
- malatesta
- malinverni
- malon
- malpassuti
- mameli
- mamiani
- mannarino
- manni
- manno
- mannu
- mantegazza
- manucci
- manzoni
- marais
- marcelli
- marcello
- marchand
- marchesani
- marchesa_colombi
- marchetti
- marchi
- marconi
- maresca
- mariani
- marinelli
- marinetti
- marino
- mario
- marrama
- marselli
- marsili
- martello
- martineau
- martinelli
- martinelli_vincenzo
- martinetti
- martini
- martini_ferdinando
- martoglio
- martucci
- marugi
- marx
- mascagni
- masci
- masi
- massarani
- massenet
- massimi
- mastriani
- mastro_titta
- mattei
- matteucci
- mattirolo
- maupassant
- mazzarino
- mazzini
- medici
- medici_ferdinando_i
- medici_lorenzino
- mehul
- meli
- melville
- mendelssohn
- menghini
- mengozzi
- merlini
- merlino
- messa_di_requiem
- messina
- metastasio
- meyer
- meyerbeer
- meyrink
- micanzio
- michaelis
- michel
- michelstaedter
- mieli
- milani
- mill
- mille_e_una_notte
- milton
- mioni
- mirbeau
- misasi
- misefari
- moderata_fonte
- modigliani
- molinari
- molnar
- mommsen
- monchablon
- mondaini
- moneta
- mongai
- mongitore
- monicelli
- monnier
- montanelli
- montesquieu
- montessori
- monteverde
- monteverdi
- monti
- monti_achille
- montpensier
- moore
- morandi
- morandi_carlo
- morando
- morasso
- more
- moresco
- moretti
- morra
- morris
- morselli
- morselli_ercole
- mosca
- moscardelli
- mosso
- mozart
- mozzoni
- mudge
- mulazzi
- mule
- mule_bertolo
- munthe
- mura
- muratori
- muratori_lodovico
- murger
- murri
- musorgskij
- mussolini
- musumeci
- muzzi
- nagy
- nardini
- narrazione_critico_storica_etc
- natale
- navigazione_di_san_brandano
- nazioni_unite
- neera
- negri
- negri_ada
- negri_francesco
- negri_gaetano
- nencioni
- nerucci
- nettlau
- nibby
- nibelunghi
- niccolini
- nicolai
- nicolaus_cusanus
- nielsen
- nieri
- nietzsche
- nievo
- nivers
- nobili
- nordau
- nordhoff
- norsa
- nota
- notari
- notturno_napoletano
- novacek
- novaro
- novaro_mario
- novatore
- novella_del_grasso_legnajuolo
- novelle_cinesi
- novelle_indo_americane
- novelle_italiane_dalle_origini_al_cinquecento
- novellino
- nucera_abenavoli
- nuovi_misteri_del_chiostro_napoletano_etc
- offenbach
- ojetti
- olper_monis
- omodeo
- onesto
- oppenheim
- orestano
- oriani
- orsi
- orsini
- ortolani
- pachelbel
- pacini
- pacioli
- padoa
- padula
- pagani
- paganini
- pagliaro
- pailleron
- paisiello
- palazzi
- paleologue
- palladio
- pallavicini
- pallavicino
- palli_bartolommei
- palma
- palmeri
- palomba
- pananti
- pani
- pannocchieschi
- panzacchi
- panzini
- paolieri
- pareto
- parini
- paris
- parlatore
- parmeggiani
- pascal
- pascal_carlo
- pascarella
- pascoli
- pasinetti
- pasolini
- paterno
- pausanias
- pavese
- peano
- pellico
- pellizzari
- penzig
- pepoli
- percoto
- pergolesi
- perlman
- perodi
- perrault
- petrarca
- petrocchi
- petruccelli_della_gattina
- piave
- piazza
- piazza_antonio
- piazzi
- pico_della_mirandola
- pierantoni_mancini
- pieri
- pierne
- pigafetta
- pignata
- pinamonti
- pinchetti
- pindemonte
- pino
- pintor
- pinza
- pioda
- piola
- pirandello
- pisacane
- piscel
- pissilenko
- pitre
- piva
- pizzagalli
- pizzigoni
- pizzigoni_giuseppina
- pizzirani
- planche
- plato
- plinius_caecilius_saecundus
- podesta
- podrecca
- poe
- poli
- polidori
- polidori_francesco
- polimanti
- poliziano
- polo
- polybius
- pompilj
- ponchielli
- popper
- porati
- porta
- pov_ray_team
- pozzi
- pozzi_antonia
- praetorius
- praga
- praga_marco
- prati
- previati
- prevost
- prose_e_poesie_giapponesi
- proudhon
- proust
- prunas
- puccini
- puini
- pulci
- purcell
- purgotti
- puskin
- puviani
- quadrio
- quel_libro_nel_cammino_della_mia_vita
- quevedo
- rabelais
- rabizzani
- raccolta_di_lettere_ecc
- racconti_popolari_dell_ottocento_ligure
- rachmaninov
- racquet
- radcliffe
- raffaello_sanzio
- raga
- ragazzoni
- rajberti
- rajna
- ramazzini
- rameau
- ramusio
- randi
- ranieri
- rapisardi
- rastrelli
- ravagli
- ravel
- razzaguta
- reclus
- redi
- regaldi
- regalia
- reger
- reghini
- regina_di_luanto
- regnani
- regno_d_italia_1805_1814
- reinecke
- relazione_dell_atto_della_fede_etc
- renan
- renier_michiel
- rensi
- repubblica_romana_1849
- respighi
- retif_de_la_bretonne
- reuze
- reyer
- rezzonico
- ricchi
- ricchieri
- ricci
- ricci_paterno_castello
- ricci_umberto
- riccoboni
- righetti
- righi
- rignano
- rilke
- rimatori_siculo_toscani_del_dugento
- rime_dei_memoriali_bolognesi
- rimini
- rimskij_korsakov
- rinaldini
- ringhieri
- ripa
- ripamonti
- rizzatti
- roberti
- robida
- rocca
- roccatagliata_ceccardi
- rocca_enrico
- rocco
- roggero
- rohlfs
- rolando
- romagnoli
- romagnoli_augusto
- romani
- roma_e_la_opinione_etc
- romberg
- romussi
- roncaglia_gino
- rosa
- rosadi
- rosa_daniele
- rose
- rosetti
- rosi
- rosmini
- rosselli_carlo
- rosselli_nello
- rossi
- rossini
- rossi_emanuele
- rossi_giovanni
- rostand
- rousseau
- roussel
- rovani
- rovetta
- rubinstejn
- ruffini
- ruffini_francesco
- russo
- russolo
- ruzzante
- ryner
- sabatini
- sabatini_rafael
- sabbadini
- sacchetti
- sacchetti_roberto
- sacchi
- sacheli
- sacher_masoch
- saffi
- saffi_antonio
- saint_evremond
- saint_saens
- salanitro
- salfi
- salgari
- salimbene_da_parma
- sallustius
- salucci
- saluzzo_roero
- sangiorgio
- sannazaro
- santucci
- sanudo
- sanvittore
- sarasate
- sardegna_regno
- saredo
- sarno
- sarpi
- satta
- savarese
- savasta
- savinio
- savio
- savioli
- savi_lopez
- savonarola
- scarfoglio
- scarlatti
- scarpetta
- scarpetta_maria
- scartabellati
- schein
- schiaparelli
- schiavini
- schicchi
- schiller
- schioppa
- schmid
- schmidt
- schopenhauer
- schubert
- schumann
- schutz
- schwarz
- scilla
- scina
- scott
- scrofani
- scuto
- sebastian
- secchi
- sella
- seneca
- serafini
- serafino_aquilano
- serao
- sercambi
- serena
- serge
- sergi
- serra
- servi
- settembrini
- sfinge
- sforza
- shakespeare
- shaw
- shelley
- sicilia
- siciliani
- sidrac
- sienkiewicz
- sigonio
- siliprandi
- silva
- simpson
- sinding
- sismondi
- skrjabin
- slataper
- smetana
- sobrero
- sobrero_mario
- socci
- soler
- solera
- solmi
- solovev
- sommerfeld
- sonzogno
- sophocles
- sorbelli
- spampanato
- spaventa
- spaventa_filippi
- sperani
- speroni
- spinazzola
- spinelli
- spinoso
- spinoza
- spohr
- spontini
- stacpoole
- stael
- stampa
- statius
- stefanoni
- stein
- steiner
- stendhal
- stenhammar
- steno
- stephens
- sterne
- stevenson
- stewart
- stirner
- stoker
- storia_dei_paladini_di_francia
- storia_di_fra_michele_minorita
- stowe
- straparola
- strauss
- strauss_josef
- strauss_jr
- strauss_richard
- strenna_di_ascolti_per_il_natale
- stromboli
- suk
- sullivan
- supino
- suppe
- supplica_degli_stampatori_e_etc
- suzzara_verdi
- svendsen
- svevo
- swift
- sylos_labini
- synge
- szanto
- szymanowski
- tagore
- tanini
- tanini_alighiero
- tarabotti
- tarchetti
- targioni_tozzetti
- tartaglia
- tartini
- tartufari
- tassini
- tasso
- tassoni
- telemann
- teloni
- tempio
- tenca
- terentius
- tesoro_di_scienze_etc
- tessa
- testoni
- tettoni
- theuriet
- tholozan
- thomas
- thoreau
- thorpe
- thouar
- thovez
- thucydides
- tigri
- tilgher
- timmermans
- timpanaro
- tiraboschi
- titelouze
- tocco
- tolstoj
- tomei
- tommaseo
- torelli
- torelli_luigi
- torricelli
- tosco
- tosti
- tozzi
- traina
- trebbi
- treitschke
- trentin
- tresca
- trilussa
- trimmer
- troya
- tucci
- tumiati
- turco
- turgenev
- ubaldini
- uccellini
- uda
- ughetti
- ultimi_fatti_di_milano
- unesco
- unione_europea
- untersteiner
- urgnani
- vailati
- valera
- valery
- vallardi
- valles
- valletta
- valli
- valvason
- vannicola
- vanzetti
- varthema
- varvaro
- vasari
- vassallo
- vaticano
- venerandi
- venexiana
- veneziani
- venier
- veniero
- venosta
- venturi
- venturini
- venturi_adolfo
- verdi
- verdinois
- verdi_de_suzzara
- veresaev
- verga
- vergilius
- verne
- veronese
- verri_alessandro
- verri_pietro
- vertua
- vettori
- viaggi_di_gio_da_mandavilla
- viani
- vico
- vieuxtemps
- vigoni
- villa
- villabianca
- villani
- villani_matteo
- villari
- villiers_de_l_isle_adam
- vinci
- violante
- viotti
- viriglio
- viscnu_sarma
- vismara
- vitali
- vita_delitti
- vita_italiana_nel_cinquecento
- vita_italiana_nel_rinascimento
- vita_italiana_nel_risorgimento
- vita_italiana_nel_seicento
- vita_italiana_nel_settecento
- vita_italiana_nel_trecento
- vitruvius
- vivaldi
- vivante
- vivanti
- vives
- viviani
- viviani_raffaele
- vogue_melchior_de
- volin
- volpi
- volta
- voltaire
- volterra
- wagenaar
- wagner
- waldteufel
- wallace
- wallace_edgar
- wallace_lewis
- walpole
- wassermann
- weber
- wells
- wessely
- white_mario
- widmann
- wieniawski
- wilde
- wolf
- wolf_ferrari
- woolf
- world_wide_web_consortium
- wundt
- wu_ming
- wu_ming_1
- wu_ming_2
- wu_ming_5
- yambo
- yeats
- yriarte
- zagarrio
- zanazzo
- zandonai
- zanella
- zanghi
- zanotelli
- zavattero
- zena
- zhuang_zi
- zola
- zuccoli
-