
Red Hat Enterprise Linux 7.3 Beta
7.3 Release Notes

Release Notes for Red Hat Enterprise Linux 7.3 Beta

Red Hat Customer Content Services

rhel-notes@redhat.com

Legal Notice
Copyright 2016 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux is the registered trademark of Linus Torvalds in the United States and other countries.
Java is a registered trademark of Oracle and/or its affiliates.
XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.

Abstract
The Release Notes provide high-level coverage of the improvements and additions that have been implemented in Red Hat Enterprise Linux 7.3 Beta and document known problems in this release, as well as notable bug fixes, Technology Previews, deprecated functionality, and other details. Note: This document is under development, is subject to substantial change, and is provided only as a preview. The included information and instructions should not be considered complete, and should be used with caution.

Table of Contents

Preface

Chapter 1. Overview
Security
Identity Management
Core Kernel
Networking
Platform Hardware Enablement
Real-Time Kernel
Storage and File Systems
Desktop
Internet of Things
Linux Containers
Red Hat Insights
Red Hat Access Labs

Chapter 2. Architectures

Part I. New Features

Chapter 3. General Updates
New variable for disabling colored output for systemd
systemd units can now be enabled using aliases
New systemd option: RandomizedDelaySec

Chapter 4. Authentication and Interoperability
Server performance has improved in many areas
Enhanced IdM topology management
Simplified replica installation
IdM now supports smart card authentication for AD users
IdM now supports TGS authorization decisions
sssd now provides optional two-factor authentication
New SSSD control and status utility
SSSD configuration file validation
New sss_cache option to mark sudo rules as expired
New packages: custodia, python-jwcrypto
New package: python-gssapi
New package: python-netifaces
New package: mod_auth_openidc
IdM now supports DNS locations
IdM now supports establishing an external trust to an AD domain
IdM now supports logging in with alternative UPNs
IdM now supports sub-CAs
SSSD now supports automatic Kerberos host keytab renewal
IdM supports user principal aliases
SSSD cache update performance improvement
SSSD now supports sudo rules stored in the IdM schema
SSSD now automatically adjusts the ID ranges for AD clients in environments with high RID numbers
New sssctl option remove-cache
Password changes on legacy IdM clients
Red Hat Access plug-in for IdM is discontinued
Introducing Red Hat Single Sign-On as a replacement for the Ipsilon identity provider
SSSD now reads optional *.conf files from /etc/sssd/conf.d/
The IdM password policy now enables never-expiring passwords
Samba rebased to version 4.4.4
New net ads join option to prevent AD DNS update

Chapter 5. Clustering
A Pacemaker cluster resource that is used to create a guest node may now be a member of a resource group
Support for quorum devices in a Pacemaker cluster

Chapter 6. Compiler and Tools
iputils rebased to version 20160308
Logging capabilities of the tftp server have been enhanced
New option for arpwatch: -p
The chrt utility now has new options
New command-line utility: lsipc
Searching using libmount and findmnt is now more reliable
New --family option for the alternatives utility
sos rebased to version 3.3
ethtool rebased to version 4.5
elfutils rebased to version 0.166
pcp rebased to version 3.11.3
systemtap rebased to version 3.0
valgrind rebased to version 3.11.0
OpenJDK 8 now supports ECC
pycurl now provides options to require TLSv1.1 or 1.2
Perl Net:SSLeay now supports elliptic curve parameters
Perl IO::Socket::SSL now supports ECDHE
tcsh now uses system allocation functions
Python performance enhancement
New configuration options for SSL/TLS certificate verification for the HTTP clients in the Python standard library
OProfile support for the Intel Skylake-SP server
OProfile support for Intel HarrisonVille
libpfm rebased to version 4.7.0
glibc now supports BIG5-HKSCS-2008
memtest86+ rebased to version 5.01
xz rebased to version 5.2.2
GDB now supports IBM z13 features
ruby rebased to version 2.0.0.648

Chapter 7. Desktop
New packages: pidgin
Scroll wheel increment configurable in GNOME terminal
Vinagre user experience improvements
Custom titles for the terminal tabs or windows
Separate menu items for opening tabs and windows restored
Native Gnome/GTK+ look for Qt applications
Rhythmbox rebase to version 3.3.1
libreoffice rebased to version 5.0.6.2
libdvdnav rebased to version 5.0.3
GIMP rebased to version 2.8.16

Chapter 8. Directory Server in Red Hat Enterprise Linux
About Directory Server for Red Hat Enterprise Linux
The ldapsearch command can now return all operational attributes
Increased accuracy of log time stamps
New utility for displaying status of Directory Server instances
New option to enable use of quotes in schema

Chapter 9. File Systems
XFS runtime statistics are available per file system in the /sys/fs/ directory
A progress indicator has been added to mkfs.gfs2
fsck.gfs2 has been enhanced to require considerably less memory on large file systems
GFS2 has been enhanced to allow better scalability of its glocks
xfsprogs rebased to version 4.5.0
The CIFS kernel module rebased to version 6.4

Chapter 10. Hardware Enablement
Support added for the CAPI flash block adapter
MMC kernel rebased to version 4.5
Intel DIMM management API
iWarp mapper service added
New package: memkind
Per-port MSI-X support for the AHCI driver

Chapter 11. Installation and Booting
Improved logging when network traffic is blocked during installation
Support for Memory Address Range Mirroring
Default logging levels increased in Yum and NetworkManager
Driver Update Disks can now replace loaded modules

Chapter 12. Kernel
criu rebased to version 2.3 and fully supported for certain applications
The CAN protocol has been enabled in the kernel
Persistent memory support added to kexec-tools
libndctl - userspace nvdimm management library
New symbols for the kABI whitelist to support the hpvsa and hpdsa drivers
crash rebased to version 7.1.5
New package: crash-ptdump-command
Support of 8 TB of RAM
Ambient capabilities are now supported
cpuid utility is now available
FC-FCoE symbols have been added to KABI white lists
New package: opal-prd for OpenPower systems
New package: libcxl
Kernel support for the newly added iproute commands
Backport of the PID cgroup controller
mpt2sas and mpt3sas merged
Allow multiple .ko files to be specified in ksc
dracut update
Red Hat Enterprise Linux 7 now supports Wacom Cintiq 27 QHD
Full support for OPA kernel driver
Cyclitest --smi option available for non-root users

Chapter 13. Real-Time Kernel
About Red Hat Enterprise Linux for Real Time Kernel
The can-dev module has been enabled for the real-time kernel

Chapter 14. Networking
Open vSwitch now uses kernel lightweight tunnel support
Bulking in the memory allocator subsystem is now supported
NetworkManager now supports LLDP
DHCP timeout in NetworkManager is configurable
NetworkManager now detects duplicate IPv4 addresses
NetworkManager now controls the host name using systemd-hostnamed
Support for latest Bluetooth, including Bluetooth LE
Additional policies for the PR-SCTP extension are now supported
Man pages for tc filter actions were added to the iproute package
The ip command can now display bridge configuration
ss now supports monitoring per connection TCP re-transmission
iPXE packages rebased to support IPv6 on physical computers
New packages: libvma

Chapter 15. Security
The SELinux userspace rebased to version 2.5
scap-workbench rebased to version 1.1.2
openscap rebased to version 1.2.10
firewalld rebased to version 0.4.3.2
audit rebased to version 2.6.5
MACsec (IEEE 802.1AE) is now supported
The rsyslog RELP module now binds to a specific rule set
rsyslog imfile module now supports a wildcard file name
Syscalls in audit.log are now converted to text
audit subsystem can now filter by process name
mod_security_crs rebased to version 2.2.9
opencryptoki rebased to version 3.5
gnutls now uses the central certificate store
The firewalld-cmd command can now provide additional details
libica rebased to version 2.6.2

Chapter 16. Servers and Services
PHP cURL module now supports TLS 1.1 and TLS 1.2
squid rebased to version 3.5.20
Dovecot has tcp_wrappers support enabled
Necessary classes added to allow log4j as Tomcat logging mechanism
MySQL-python rebased to version 1.2.5
The BIND server now supports CAA records

Chapter 17. Storage
New kernel subsystem: libnvdimm
New packages: nvml
SCSI now supports multiple hardware queues
The lvextend command no longer attempts to resize a file system when the size of the logical volume has not changed
Improved LVM locking infrastructure
Support for caching thinly-provisioned logical volumes with limitations

Chapter 18. Virtualization
VT-d posted interrupts
Guests using an RBD volume now use an encoded, encrypted startup secret
Hyper-V storage driver (storvsc) updated
Hyper-V clock source changed to use the TSC page
libguestfs rebased to version 1.32.6
virt-v2v and virt-p2v add support for latest Windows releases
libvirt administration API added
virt-p2v is fully supported
WALinuxAgent rebased to version 2.1.5
New package: libvirt-nss
Intel Xeon v5 processors supported on KVM guests
VirtIO 1.0 full support
libvirt iptables rules can be manually managed for a specified network

Chapter 19. Atomic Host and Containers
Red Hat Enterprise Linux Atomic Host

Chapter 20. Red Hat Software Collections

Part II. Notable Bug Fixes

Chapter 21. General Updates
Shortening of long network device names
A fix for systemd to read the device identification bytes correctly
The value of net.unix.max_dgram_qlen increased to 512

Chapter 22. Authentication and Interoperability
The idmap_hash module now works correctly when used with other modules

Chapter 23. Clustering
The DLM now detects and reports connection problems
Pacemaker correctly interprets systemd responses and systemd services are stopped in proper order at cluster shutdown
Pacemaker now distinguishes transient failures from fatal failures when loading systemd units
Pacemaker now removes node attributes from its memory when purging a node that has been removed from the c
Pacemaker now correctly determines expected results for resources that are in a group or depend on a clone
Fencing now occurs when DLM requires it, even when the cluster itself does not

Chapter 24. Compiler and Tools
Removal of purposeless warning message for physically non-existing nodes
Origin plug-in added to the sos package
Selection of OpenJDK version family now remembered across updates
RC4 is now disabled by default in OpenJDK 6 and OpenJDK 7
system-switch-java rebased to version 1.7
zsh no longer deadlocks on malloc() execution
SCSI device types described using multiple words are now handled correctly
gdbserver now supports seamless debugging of processes from containers
GDB no longer reports spurious SIGTRAP signals on the 64-bit ARM architecture
GDB no longer kills running processes with deleted executables
GDB now generates smaller core files and respects core-dump filtering
The opreport and opannotate utilities now properly analyze archive data.
Events with identical numerical unit masks are now handled by their names
More accurate PAPI_L1_DC* event on IBM Power7 and IBM Power8 platforms

Chapter 25. Desktop
Sphinx builds HTML documentation in FIPS mode properly
Poppler no longer renders certain characters incorrectly
Poppler no longer tries to access memory behind the array
pdftocairo no longer crashes when processing a PDF without group color space
Poppler no longer terminates unexpectedly during text extraction
pdfinfo no longer terminates unexpectedly due to asserting broken encryption information
Evince no longer crashes when viewing a PDF
Virtual machines started by GNOME Boxes are no longer accessible to every user
FreeRDP now recognizes wildcard certificates

Chapter 26. Directory Server in Red Hat Enterprise Linux
The cleanAllRUV task no longer logs false attrlist_replace errors
Connection objects no longer deadlock
Abandon requests for simple paged results searches no longer cause a crash
Simple paged results search slots are now correctly released after a failure
Deleting a back end database no longer causes deadlocks
Deleting and adding the same LDAP attribute now correctly updates the equality index
Abandon requests in simple paged results searches no longer cause deadlocks
Simple paged results searches no longer return 0 instead of the actual results
ACL plug-in no longer crashes due to missing pblock object
Password conversion from DES to AES now works properly
Failed replication updates are now retried correctly in the next session
The LICENSE file now shows correct license information
Passwords reset by administrators are now stored in password history
Entries rejected by multiple plug-ins no longer show up in searches
Running db2index with no options no longer causes replication failures
Promoting a consumer to a master no longer fails due to duplicate ID errors
nsslapd now correctly sets its working directory

Chapter 27. File Systems
The quota RPC service is no longer unavailable

Chapter 28. Hardware Enablement
Primary bond interface no longer takes over active interfaces that did not fail
Removing a USB device no longer causes a race condition
The kernel now boots on AMD Turion II systems
Real-time systems with many CPUs no longer have large latencies due to run-queue lock contention
The kernel no longer crashes when enabling multi-queue support with NVM Express device driver
The CPU frequency now reaches the requested value
The get_cpu_light/put_cpu_light function in FCoE code has been fixed
The performance of IBM Power Systems is no longer decreased
The system no longer crashes while setting up the DMA transfer
Kernel no longer hangs during hot-unplug
Disabling the Large Receive Offload (LRO) flag now propagates correctly
Switching p-states on Intel Xeon v5 platforms now succeeds
The cpuscaling test no longer fails
The genwqe driver can allocate memory even during memory pressure situations
The console no longer hangs
LRO is now disabled by default in the ixgbe driver
The nx842 co-processor for IBM Power Systems no longer provides corrupted data
The system no longer crashes when calling the mlx4_en_recover_from_oom() function
iw displays regulatory information correctly

Chapter 29. Installation and Booting
Graphics cards using the ast module can now be used during installation
Installations can now be performed on disks containing invalid or unsupported partition tables.
Multiple inst.dd options are now supported to load driver disks
Help for the subscription manager screen during installation
The Initial Setup utility starts correctly
VNC installation using IPv6 works correctly
HyperPAV aliases used during installation are now available on the installed system
Improved support for network boot on EFI platforms
Errors in custom partitioning are correctly detected
Static routes configured during installation are now automatically configured on the installed system
GRUB2 is now correctly configured when upgrading the kernel and redhat-release-*
Kickstart files valid for Red Hat Enterprise Linux 6 are now correctly recognized by ksvalidator
Anaconda no longer crashes when adding iSCSI devices
The Anaconda installer correctly allows adjustment of a problematic disk selection
The anaconda-user-help package is now upgraded correctly
A wider variety of partitions can be used as /boot
Incorrect escaping of the '/' character in systemd no longer prevents the system from booting
The default size of the /boot partition is now 1 GB

Chapter 30. Kernel
A fix of PT_NOTE entries that were previously corrupted during crashdump
Change of the Red Hat Hardware Certification tests to avoid system hang caused by Oprofile
Removal of the slub_debug parameter to save memory
Removal of a race condition causing a deadlock when a new CPU was attached
Update of the kernel with hugepage migration patches from the upstream
Booting kernel with UEFI and the secure boot enabled
New microcode added into initramfs images for all installed kernels
Change of default settings on FCoE servers to reach the correct functionality of the kdump mechanism
Dump-capture kernel memory freed when kdump mechanism fails
The ksc utility no longer fails to file bugs due to the
ksc now returns an error instead of crashing when running without mandatory arguments

Chapter 31. Networking
sctp_accept() no longer causes a deadlock when called during a timeout event

Chapter 32. Security
The SHA-3 implementation in nettle now conforms to FIPS 202

Chapter 33. Servers and Services
The named service now binds to all interfaces
Fix for tomcat-digest to generate password hashes
Tomcat can now use shell expansion in configuration files within the new conf.d directory
Fix for the tomcat-jsvc service unit to create two independent Tomcat servers
The dbus-daemon service no longer becomes unresponsive due to leaking file descriptors
Update for marking tomcat-admin-webapps package configuration files
Timer migration for realtime Tuned profile has been disabled
rcu-nocbs no longer missing from kernel boot parameters
The global limit on how much time realtime scheduling may use has been removed in realtime Tuned profile

. .hapt
C
. . . .er
. .34
. . .. Virt
. . . ualiz
. . . . at
. . ion
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8. 9. . . . . . . . . .
SMEP and SMAP b its mas ked to enab le s ec o nd ary vCPUs
89
Fo rc e Res et menu entry in Jap anes e lo c ale Virtual Mac hine Manag er trans lated c o rrec tly

89

Limited KSM d ed up lic atio n fac to r


VMDK imag es with s treamO p timiz ed s ub -fo rmat are ac c ep ted

89
89

Data layo ut o f VMDK imag es with s treamO p timiz ed s ub -fo rmat was inc o rrec t
b lo c kc o p y with --p ivo t o p tio n no lo ng er fails

89
89

7 .3 Release Not es
b lo c kc o p y with --p ivo t o p tio n no lo ng er fails

89

G ues t d is p lay p ro b lems after virt-v2v c o nvers io n have b een fixed

89

Mig rating MSR_TSC_AUX wo rks p ro p erly


Wind o ws g ues t virtual mac hine info rmatio n remo ved fro m d o c umentatio n

90
90

The lib virt API g enerates ad d res s es fo r USB d evic es

90

Part III. Technology Previews

Chapter 35. General Updates
The systemd-importd VM and container image import and export service

Chapter 36. Authentication and Interoperability
Identity Management in a container now available
SSSD in a container now available
Use of AD and LDAP sudo providers
DNSSEC available as Technology Preview in Identity Management
Support for secrets as a service
The Ipsilon identity provider service for federated single sign-on
IdM web UI enables smart card login
Identity Management JSON-RPC API available as Technology Preview

Chapter 37. Clustering
Support for clufter, a tool for transforming and analyzing cluster configuration formats

Chapter 38. Directory Server in Red Hat Enterprise Linux
Nunc Stans event framework available for Directory Server

Chapter 39. File Systems
The CephFS kernel client is now available
ext4 and XFS file systems now support DAX
pNFS Block Layout Support
OverlayFS
Support for NFSv4 clients with flexible file layout
Btrfs file system
pNFS SCSI layouts client and server support is now provided

Chapter 40. Hardware Enablement
Runtime Instrumentation for IBM System z
LSI Syncro CS HA-DAS adapters

Chapter 41. Installation and Booting
Multi-threaded xz compression in rpm-build

Chapter 42. Kernel
Heterogeneous memory management included as a Technology Preview
User namespace
LPAR Watchdog for IBM System z
Support for Diag0c on IBM System z
10GbE RoCE Express feature for RDMA
zEDC compression on IBM System z
libocrdma RoCE support on Oce141xx cards
No-IOMMU mode for VFIO drivers

Chapter 43. Real-Time Kernel
New scheduler class: SCHED_DEADLINE

Chapter 44. Networking
Cisco usNIC driver
Cisco VIC kernel driver
Trusted Network Connect
SR-IOV functionality in the qlcnic driver
New packages: nftables, libnftnl

Chapter 45. Storage
lvm2 now supports RAID-level takeover
Multi-queue I/O scheduling for SCSI
Targetd plug-in from the libStorageMgmt API
DIF/DIX

Chapter 46. Virtualization
Nested virtualization
USB 3.0 support for KVM guests
Select Intel network adapters now support SR-IOV
Driver added for devices that connect over a PCI Express bus in guest virtual machine under Hyper-V

Part IV. Device Drivers

Chapter 47. New Drivers
Storage Drivers
Network Drivers
Graphics Drivers and Miscellaneous Drivers

Chapter 48. Updated Drivers
Storage Driver Updates
Network Driver Updates
Graphics Driver and Miscellaneous Driver Updates

Chapter 49. Deprecated Functionality
sslwrap() removed from Python
Windows guest virtual machine support limited
libnetlink is deprecated
S3 and S4 power management states for KVM are deprecated
The Certificate Server plug-in udnPwdDirAuth is discontinued
Red Hat Access plug-in for IdM is discontinued
Deprecated Device Drivers

Part V. Known Issues

Chapter 50. General Updates
The TAB key does not expand $PWD by default
gnome-dictionary multilib packages conflicts occur
gnome-getting-started-docs-* moved to the Optional channel

Chapter 51. Authentication and Interoperability
Problem with importing a user certificate from CA over SSL
Security warning when using ipa-kra-install, ipa-ca-install, or ipa-replica-install
The IdM web UI displays all certificates on one page in the Certificates table
SSSD fails to start when ldap_user_extra_attrs includes mail
ipa commands fail when the user does not have a home directory in IdM
Displaying help for IdM commands takes longer
pam_pkcs11 only supports one token
Running commands on servers with an earlier version of IdM takes unexpectedly long
Tree-root domains in a trusted AD forest are not marked as reachable through the forest root
The IdM web UI does not show certificates issued by sub-CAs
Third-party certificate trust flags are reset after installing an external CA into IdM
The certmonger service fails to request certificates from IdM sub-CAs
Adding an IdM OTP token with a custom key does not work
Machines joined to a realm are not able to resolve centrally managed supplementary groups
SSSD default configuration fails to integrate with other services
realmd fails to remove the computer account from AD
sss_override commands fail if an override was created without -n option
The old realmd version is started when updating realmd while it is running
SSSD fails to manage autofs mappings from a LDAP tree

Chapter 52. Compiler and Tools
Accessing Red Hat Gluster Storage over libgfapi on KVM guests fails

Chapter 53. Desktop
Closing laptop lid breaks the GNOME multi-display configuration

Chapter 54. File Systems
The default option specification is not overridden by the host-specific option in /etc/exports

Chapter 55. Hardware Enablement
Serial console is now configured correctly on Cavium ThunderX 64-bit ARM systems
i40e no longer issues warn_slowpath warnings during boot
The netprio_cgroups module is now mounted at boot
Setting up bonding with qlcnic fails
Platforms relying on DDF-based RAID are not supported

Chapter 56. Installation and Booting
Dell Latitude E6430 laptops shut down unexpectedly
The Initial Setup utility's text-based interface starts correctly on IBM System z
Formatting DASDs works correctly during a text-based installation
Insufficient /boot partition size may prevent the system from upgrading

Chapter 57. Kernel
Red Hat Beta public key certificate needs to be loaded manually
Some ext4 file systems cannot be resized
Hard lock-up of the screen can occur on laptops using integrated graphics in the 6th Generation Intel Core processors
Multiple problems sometimes occur on systems with persistent memory
Looking up transport or association can lead to kernel panic
dracut displays a harmless error message about a non-existent /etc/hba.conf
Harmless soft lockup in IBM POWER8 guest kernel

Chapter 58. Networking
Verification of signatures using the MD5 hash algorithm is disabled in Red Hat Enterprise Linux 7

Chapter 59. Security
The openscap packages do not install atomic as a dependency
CIL does not have a separate module statement

Chapter 60. Servers and Services
ReaR creates two ISO images instead of one

Chapter 61. Storage
No support for thin provisioning on top of RAID in a cluster
When using thin-provisioning, it is possible to lose buffered writes to the thin-pool if it reaches capacity

Chapter 62. System and Subscription Management
The subscription-manager refresh command fails, displaying an error

Chapter 63. Virtualization
Migration of certain guests from Red Hat Enterprise Linux 7.2 to 7.3 hosts is not possible
numad changes QEMU memory bindings

Chapter 64. Atomic Host and Containers
SELinux prevents Docker from running a container

Appendix A. Component Versions

Appendix B. Revision History


Preface
Red Hat Enterprise Linux minor releases are an aggregation of individual security, enhancement,
and bug fix errata. The Red Hat Enterprise Linux 7.3 Beta Release Notes document describes the major
changes made to the Red Hat Enterprise Linux 7 operating system and its accompanying
applications for this minor release, as well as known problems and a complete list of all currently
available Technology Previews.
Capabilities and limits of Red Hat Enterprise Linux 7 as compared to other versions of the system are
described in the Red Hat Knowledgebase article at https://access.redhat.com/articles/rhel-limits.
For information regarding the Red Hat Enterprise Linux life cycle, refer to
https://access.redhat.com/support/policy/updates/errata/.


Chapter 1. Overview
Security
The SELinux userspace has been rebased and provides various enhancements and performance
improvements. Notably, the new SELinux module store supports priorities, and the SELinux
Common Intermediate Language (CIL) has been introduced.
OpenSCAP workbench now provides a new SCAP Security Guide integration dialog and enables
modification of SCAP policies using a graphical tool.
The OpenSCAP suite now includes support for scanning containers using the atomic scan
command.
Upgraded firewalld starts and restarts significantly faster due to a new transaction model. It
also provides improved management of connections, interfaces, and sources, a new default
logging option, and ipset support.
The audit daemon introduces a new flush technique, which significantly improves performance.
Audit policy, configuration, and logging have been enhanced and now support a number of new
options.
Media Access Control Security (MACsec) encryption over Ethernet is now supported.
See Chapter 15, Security for more information on security enhancements.

Identity Management
The highlighted new features and improvements related to Identity Management (IdM) include:
Improved performance of both IdM servers and clients in large customer environments
Enhanced topology management and replica installation
Extended smart card support for Active Directory (AD) users
Fine-grained configuration of one-time password (OTP) authentication
Improved troubleshooting capabilities of IdM clients.
For detailed information on changes in IdM, refer to Chapter 4, Authentication and Interoperability.

Core Kernel
Support for Checkpoint/Restore in User space (CRIU) has been expanded to the little-endian
variant of IBM Power Systems architecture.
The Heterogeneous memory management (HMM) feature has been introduced as a Technology
Preview.
For more kernel features, refer to Chapter 12, Kernel. For information about Technology Previews
related to kernel, see Chapter 42, Kernel.

Networking
Open vSwitch now uses kernel lightweight tunnel support.
Bulking in the memory allocator subsystem is now supported.


NetworkManager now supports new device types, improved stacking of virtual devices, LLDP, and
stable privacy IPv6 addresses (RFC 7217). It also detects duplicate IPv4 addresses and controls a host
name through systemd-hostnamed. Additionally, the user can set a DHCP timeout property and
DNS priorities.
For more networking features, see Chapter 14, Networking.

Platform Hardware Enablement


Support for the Coherent Accelerator Processor Interface (CAPI) flash block adapter has been
added. For detailed information, see Chapter 10, Hardware Enablement.

Real-Time Kernel
A new scheduler policy, SCHED_DEADLINE, has been introduced as a Technology Preview. This
new policy is available in the upstream kernel and shows promise for certain Realtime use cases.
For details, see Chapter 43, Real-Time Kernel.

Storage and File Systems


Support for Non-Volatile Dual In-line Memory Module (NVDIMM) persistent memory architecture
has been added, which includes the addition of the libnvdimm kernel subsystem. For details,
see Chapter 17, Storage and Chapter 12, Kernel. In addition, ext4 and XFS file systems now
support Direct Access (DAX) for NVDIMM devices as a Technology Preview. Refer to Chapter 39,
File Systems for more information.
A new Ceph File System (CephFS) kernel module, introduced as a Technology Preview, enables
Red Hat Enterprise Linux nodes to mount Ceph File Systems from Red Hat Ceph Storage
clusters. For more information, see Chapter 39, File Systems.
Support for pNFS SCSI file sharing has been introduced as a Technology Preview. For details,
refer to Chapter 39, File Systems.
LVM2 support for RAID-level takeover, the ability to switch between RAID types, is now available
as a Technology Preview. See Chapter 45, Storage for more information.

Desktop
A new instant messaging client, pidgin, has been introduced, which supports off-the-record
(OTR) messaging and the Microsoft Lync instant messaging application.
For more information regarding changes in desktop, refer to Chapter 7, Desktop.

Internet of Things


Red Hat Enterprise Linux 7.3 provides the latest Bluetooth support, including support for connecting
to Bluetooth Low Energy (LE) devices; see Chapter 10, Hardware Enablement.
Controller Area Network (CAN) device drivers are now supported; see Chapter 12, Kernel for more
information.
The Red Hat Enterprise Linux 7 kernel is now able to use the embedded MMC (eMMC) interface version
5.0. For details, refer to Chapter 10, Hardware Enablement.

Linux Containers
Identity Management (IdM) and System Security Services Daemon (SSSD) containers are now
available for Red Hat Enterprise Linux Atomic Host as Technology Preview. See Chapter 36,
Authentication and Interoperability for details.

Red Hat Insights
Since Red Hat Enterprise Linux 6.7, the Red Hat Insights service is available. Red Hat Insights is a
proactive service designed to enable you to identify, examine, and resolve known technical issues
before they affect your deployment. Insights leverages the combined knowledge of Red Hat Support
Engineers, documented solutions, and resolved issues to deliver relevant, actionable information to
system administrators.
The service is hosted and delivered through the customer portal at
https://access.redhat.com/insights/ or through Red Hat Satellite. To register your systems, follow the
Getting Started Guide for Insights. For further information, data security, and limits, refer to
https://access.redhat.com/insights/splash/.

Red Hat Access Labs


Red Hat Access Labs is a set of tools in a section of the Customer Portal available at
https://access.redhat.com/labs/. The applications in Red Hat Access Labs can help you improve
performance, quickly troubleshoot issues, identify security problems, and quickly deploy and
configure complex applications. Some of the most popular applications are:
Kickstart Configurator
Registration Assistant
NFS Helper
Linter for Dockerfile
Multipath Helper
iSCSI Helper
Code Browser


Chapter 2. Architectures
Red Hat Enterprise Linux 7.3 Beta is available as a single kit on the following architectures: [1]
64-bit AMD
64-bit Intel
IBM POWER7+ and POWER8 (big endian) [2]
IBM POWER8 (little endian) [3]
IBM System z [4]

[1] Note that the Red Hat Enterprise Linux 7.3 Beta installation is supported only on 64-bit hardware.
Red Hat Enterprise Linux 7.3 Beta is able to run 32-bit operating systems, including previous versions
of Red Hat Enterprise Linux, as virtual machines.
[2] Red Hat Enterprise Linux 7.3 Beta (big endian) is currently supported as a KVM guest on Red Hat
Enterprise Virtualization for Power, and on PowerVM.
[3] Red Hat Enterprise Linux 7.3 Beta (little endian) is currently supported as a KVM guest on Red Hat
Enterprise Virtualization for Power, on PowerVM and PowerNV (bare metal).
[4] Note that Red Hat Enterprise Linux 7.3 Beta supports IBM zEnterprise 196 hardware or later; IBM
System z10 mainframe systems are no longer supported and will not boot Red Hat Enterprise Linux 7.3
Beta.


Part I. New Features


This part documents new features in Red Hat Enterprise Linux 7.3 Beta.


Chapter 3. General Updates


New variable for disabling colored output for systemd
This update introduces the SYSTEMD_COLORS environment variable for systemd, which enables
turning on or off systemd color output. SYSTEMD_COLORS should be set to a valid boolean value.
(BZ #1265749)

systemd units can now be enabled using aliases
The systemd init system uses aliases. Aliases are symbolic links to the service files, and can be
used in commands instead of the actual names of services. For example, the package providing the
/usr/lib/systemd/system/nfs-server.service service file also provides an alias
/usr/lib/systemd/system/nfs.service, which is a symbolic link to the nfs-server.service.
This enables, for example, using the systemctl status nfs.service
command instead of systemctl status nfs-server.service.
Previously, running the systemctl enable command using an alias instead of the real service
name failed with an error. With this update, the bug is fixed, and systemctl enable successfully
enables units referred to by their aliases. (BZ #1142378)

New systemd option: RandomizedDelaySec


This update introduces the RandomizedDelaySec option for systemd timers, which schedules an
event to occur later by a random number of seconds. For example, setting the option to 10 will
postpone the event by a random number of seconds between 0 and 10. The new option is useful for
spreading workload over a longer time period to avoid several events executing at the same time.
(BZ #1305279)


Chapter 4. Authentication and Interoperability


Server performance has improved in many areas
Some operations in Identity Management run much faster now. For example, this enhancement
enables better scalability in large deployments exceeding 50,000 users and hosts. Most notably, the
improvements include:
Faster adding of users and hosts
Faster Kerberos authentication for all commands
Faster execution of the ipa user-find and ipa host-find commands
For information on how to reduce the time required for provisioning of a large number of entries, see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#performance-tuning
Note that to make the find operations faster, the ipa *-find commands no longer show
membership by default. To display the membership, add the --all option to ipa *-find or,
alternatively, use the ipa *-show commands. (BZ #1298288)

Enhanced IdM topology management


Information about the Identity Management (IdM) topology is now maintained at a central location in
the shared tree. As a result, you can now manage the topology from any IdM server using the
command line or the web UI.
Additionally, some topology management operations have been simplified, notably:
Topology commands have been integrated into the IdM command-line interface, so that you can
perform all replica operations using the native IdM command-line tools.
You can manage replication agreements in the web UI or from the command line using a new and
simplified workflow.
The web UI includes a graph of the IdM topology, which helps visualize the current state of replica
relationships.
IdM includes safety measures that prevent you from accidentally deleting the last certificate
authority (CA) master from the topology or isolating a server from the other servers.
Support for server roles as a simpler way of determining which server in the topology hosts which
services as well as installing these services onto a server.
For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#managing-topology
Note that the new functionality requires raising the domain level to 1. See
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#domain-level
(BZ #1298848)

Simplified replica installation

Installing a replica no longer requires you to log in to the initial server, use the Directory Manager
(DM) credentials, and copy the replica information file from the initial server to the replica. For
example, this allows for easier provisioning using an external infrastructure management system,
while retaining a reasonable level of security.
In addition, the ipa-replica-install utility can now also promote an existing client to a replica.
For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#install-replica
Note that the new functionality requires raising the domain level to 1. See
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#domain-level
(BZ #837369)

IdM now supports smart card authentication for AD users
This update extends smart card support in Identity Management (IdM). Users from a trusted Active
Directory (AD) can now authenticate using a smart card both remotely using ssh as well as locally.
The following methods are supported for local authentication:
Text console
Graphical console, such as the Gnome Display Manager (GDM)
Local authentication services, like su or sudo
Note that IdM only supports the above-mentioned local authentication services and ssh for smart
card authentication. Other services, such as FTP, are not supported.
The smart card certificate for AD users can be stored directly in AD, or in an IdM override object for
the AD user.
For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html-single/Windows_Integration_Guide/index.html#smart-cards (BZ #1298966)

IdM now supports TGS authorization decisions


In an Identity Management (IdM) environment, users can optionally log in using multi-factor
authentication. The Kerberos ticket from the ticket granting server (TGS) now contains an indicator if
two-factor authentication using a standard password in combination with a one-time password
(OTP) was used. This enables the administrator to set server-side policies for resources, and the
users are allowed to access based upon the type of their logins. For example, the administrator can
now allow the user to log in to the desktop either using one- or two-factor authentication, but require
two-factor authentication for virtual private networks (VPN) logins.
By default, all services accept all tickets. To activate this granularity, you have to manage the
policies in the IdM web user interface or use the ipa service-* and ipa host-* commands.
(BZ #1224057)
sssd now provides optional two-factor authentication
The System Security Services Daemon (SSSD) now allows users with two-factor authentication
enabled to authenticate to services either by using a standard password and a one-time password
(OTP), or using only a standard password. Optional two-factor authentication enables
administrators to configure local logins using a single factor, while other services, like access to VPN
gateways, can request both factors. As a result, during the login, the user can enter either both
factors, or optionally only the password. The Kerberos ticket then uses authentication indicators to
list the used factors. (BZ #1325809)

New SSSD control and status utility


The sssctl utility provides a simple and unified way to obtain information about the System
Security Services Daemon's (SSSD) status. For example, you can query status information about
active server, auto-discovered servers, domains, and cached objects. Additionally, the sssctl utility
enables you to manage SSSD data files to troubleshoot SSSD in a safe way while the service is
running.
For more information about the features the utility provides, run sssctl --help.
For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html-single/System-Level_Authentication_Guide/index.html#sssctl (BZ #879333)

SSSD configuration file validation


Previously, the System Security Services Daemon (SSSD) did not provide a tool to manually check
the /etc/sssd/sssd.conf file. As a consequence, the administrator had to find the problem in the
configuration file if the service failed to start. This update provides the config-check option of the
sssctl command to locate problems in the configuration file. Additionally, SSSD automatically
checks the validity of the configuration file after the service starts, and shows level 0 debug
messages for incorrect settings. (BZ #988207)
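
The following added example, which is not sssctl's implementation or Red Hat code, shows the kind of problem a configuration check catches before the service is restarted. It assumes a few well-known sssd.conf requirements (file private to root, each enabled domain backed by a [domain/NAME] section with id_provider); the function names, sample files and domain names are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample input (not from the release notes): corp.example is
# enabled but has no section, and lab.example has a section but is not enabled.
SAMPLE_BAD = """\
[sssd]
services = nss, pam
domains = idm.example, corp.example

[domain/idm.example]
id_provider = ipa

[domain/lab.example]
id_provider = ldap
"""

# Constructed sample input that passes every check below.
SAMPLE_GOOD = """\
[sssd]
services = nss, pam
domains = idm.example

[domain/idm.example]
id_provider = ipa
override_homedir = /home/%u
"""


def write_sample(text, mode):
    """Write a constructed config to a temporary file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(path, mode)
    return path


def check_sssd_conf(path, expected_uid=0):
    """Return a list of problems found in the sssd.conf file at path."""
    problems = []

    # Assumption: the file must be private to root (owner root, mode 0600).
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        problems.append("owner uid is %d, expected %d" % (st.st_uid, expected_uid))
    if mode & 0o077:
        problems.append("mode %04o lets group or others access the file" % mode)

    # interpolation=None: values such as /home/%u must be taken literally.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        with open(path) as handle:
            parser.read_file(handle)
    except configparser.Error as exc:
        problems.append("syntax error: %s" % exc)
        return problems

    if not parser.has_section("sssd"):
        problems.append("missing [sssd] section")
        return problems

    raw = parser.get("sssd", "domains", fallback="")
    enabled = [name.strip() for name in raw.split(",") if name.strip()]
    if not enabled:
        problems.append("[sssd] lists no domains")

    # Every enabled domain needs its own section with an identity provider.
    for name in enabled:
        section = "domain/" + name
        if not parser.has_section(section):
            problems.append("domain %s is enabled but [%s] is missing" % (name, section))
        elif not parser.has_option(section, "id_provider"):
            problems.append("[%s] has no id_provider" % section)

    # A section that is never enabled is silently unused; report it.
    for section in parser.sections():
        if section.startswith("domain/") and section[len("domain/"):] not in enabled:
            problems.append("[%s] is defined but not listed in domains" % section)

    return problems


if __name__ == "__main__":
    # expected_uid is the current user here so the demo runs without root.
    demo = write_sample(SAMPLE_BAD, 0o644)
    for problem in check_sssd_conf(demo, expected_uid=os.getuid()):
        print(problem)
    os.remove(demo)
```

On a real host, call check_sssd_conf("/etc/sssd/sssd.conf") with the default expected_uid of 0.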

New sss_cache option to mark sudo rules as expired


This update enhances the sss_cache command from the System Security Services Daemon
(SSSD). The options -r and -R have been added to mark one or all sudo rules as expired. This
enables the administrator to force a refresh of new rules on the next sudo lookup. Please note that
the sud o rules are refreshed using a different algorithm than the user and group entities. For more
information about the mechanism, see the sssd-sudo(5) man page. (BZ #1031074)

New packages: custodia, python-jwcrypto


This update adds the custodia packages and their dependency python-jwcrypto to Red Hat Enterprise
Linux 7.
Custodia is an HTTP-based pipeline to request and distribute secrets. It handles the authentication,
authorization, request handling, and storage stages of secrets management. Custodia is currently
only supported as an internal subsystem of Red Hat Identity Management.
The package python-jwcrypto is an implementation of the JavaScript object signing and encryption
(JOSE) web standards in Python. It is installed as a dependency of Custodia. (BZ #1206288)

New package: python-gssapi

This update adds the python-gssapi package to Red Hat Enterprise Linux 7. It provides a generic
security services API (GSSAPI) that is compatible with Python 2 and 3. Identity Management (IdM)
uses the package as a replacement for python-krbV and python-pykerberos, which only support
Python 2. (BZ #1292139)

New package: python-netifaces

This update adds the python-netifaces package to Red Hat Enterprise Linux 7. This Python module
makes it possible to read information about the system network interfaces from the operating system.
It has been added as a dependency for Red Hat Identity Management (IdM). (BZ #1303046)

New package: mod_auth_openidc

This update adds the mod_auth_openidc package to Red Hat Enterprise Linux 7. It enables the Apache
HTTP server to act as an OpenID Connect Relying Party for single sign-on (SSO) or as an OAuth 2.0
Resource Server. Web applications can use the module to interact with a variety of OpenID Connect
server implementations including the Keycloak open source project and Red Hat Single Sign-On
(SSO) products. (BZ #1292561)

IdM now supports DNS locations

This update adds support for DNS location management to the Identity Management (IdM) integrated
DNS server to improve cross-site implementations. Previously, clients using DNS records to locate
IdM servers could not distinguish local servers from servers located in remote geographical
locations. This update enables clients using DNS discovery to find the nearest servers, and to use
the network in an optimized way. As a result, administrators can manage DNS locations and assign
servers to them in the IdM web user interface and from the command line.
For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7Beta/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#dns-locations
(BZ #747612)

IdM now supports establishing an external trust to an AD domain

Red Hat Enterprise Linux Identity Management (IdM) now supports establishing an external trust to
an Active Directory (AD) domain in a forest. An external trust is non-transitive and can be established
to any domain in an AD forest. This makes it possible to limit a trusted relationship to a specific
domain rather than trusting the whole AD forest. (BZ #1314786)

IdM now supports logging in with alternative UPNs

In an Active Directory (AD) forest it is possible to associate a different user principal name (UPN)
suffix with the user name instead of the default domain name. Identity Management (IdM) now allows
users from a trusted AD forest to log on with an alternative UPN.
When you add or remove UPN suffixes in a trusted AD forest, run ipa trust-fetch-domains on
an IdM master to refresh the information for the trusted forest in the IdM database.
For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7Beta/html-single/Windows_Integration_Guide/index.html#UPN-in-a-trust (BZ #1287194)

IdM now supports sub-CAs

Previously, Identity Management (IdM) only supported one certificate authority (CA) that was used to
sign all certificates issued within the IdM domain. Now, you can use lightweight sub-CAs for better
control over the purpose for which a certificate can be used. For example, a Virtual Private Network
(VPN) server can be configured to only accept certificates issued by a sub-CA created for that
purpose, rejecting certificates issued by other sub-CAs, such as a smart card CA.
To support this functionality, you can now specify an IdM lightweight sub-CA when requesting a
certificate with certmonger.
For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7Beta/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#lightweightsub-cas (BZ #1200731)

SSSD now supports automatic Kerberos host keytab renewal

Previously, the System Security Services Daemon (SSSD) did not support the automatic renewal of
Kerberos host keytab files in an Active Directory (AD). In environments that, for security reasons, do
not allow using passwords that never expire, the files had to be manually renewed. With this update,
SSSD is able to automatically renew Kerberos host keytab files.
SSSD checks once per day if the machine account password is older than the configured number of
days in the ad_maximum_machine_account_password_age parameter of the
/etc/sssd/sssd.conf file.
For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7Beta/html-single/System-Level_Authentication_Guide/index.html#sssd-auto-keytab-renewal
(BZ #1310877)

IdM supports user principal aliases

Previously, Identity Management (IdM) supported only authentication using the user name.
However, in some environments it is a requirement to authenticate with an email address or alias
name. IdM was enhanced and now supports principal aliases.
To add the aliases ualias and user@example.com to the account user, run the following
command:
# ipa user-add-principal user ualias user\\@example.com
Use the -C option to the kinit command when authenticating with an alias, and the -E option when
using an enterprise principal name:
# kinit -C ualias
# kinit -E user@example.com
(BZ #1328552)

SSSD cache update performance improvement

Previously, the System Security Services Daemon (SSSD) always updated all cached entries after
the cache validity timeout passed. This unnecessarily consumed resources on the client and the
server for entries that had not changed. SSSD has been enhanced and now checks if the
cached entry requires an update. The time stamp values are increased for unchanged entries and
stored in the new SSSD database /var/lib/sss/db/timestamps_$domain.ldb. This
enhancement improves the performance for entries that rarely change on the server side, such as
groups. (BZ #1290380)

SSSD now supports sudo rules stored in the IdM schema

Previously, the System Security Services Daemon (SSSD) used the ou=sudoers container,
generated by the compatibility plug-in, to fetch sudo rules. SSSD has been enhanced to support
sudo rules in the cn=sudo container that are stored in the Identity Management (IdM) directory
schema.
To enable this feature, unset the ldap_sudo_search_base parameter in the
/etc/sssd/sssd.conf file. (BZ #789477)

SSSD now automatically adjusts the ID ranges for AD clients in environments with high RID numbers

The automatic ID mapping mechanism included in the System Security Services Daemon (SSSD)
service is now able to merge ID range domains. The SSSD default size of ID ranges is 200,000. In
large Active Directory (AD) installations, the administrator had to manually adjust the ID range
assigned by SSSD if the Active Directory relative ID (RID) increased past 200,000, so that the range
corresponded with the RID.
With this enhancement, for AD clients having ID mapping enabled, SSSD automatically adjusts the
ID ranges in the described situation. As a result, the administrator does not have to adjust the ID
range manually, and the default ID mapping mechanism works in large AD installations.
(BZ #1059972)

New sssctl option remove-cache

This update adds the remove-cache option to the sssctl utility. The option removes the local
System Security Services Daemon's (SSSD) database contents, and restarts the sssd service. This
enables the administrator to start from a clean state with SSSD and avoid the need to manually
remove cache files. (BZ #1007969)

Password changes on legacy IdM clients

Previously, Red Hat Enterprise Linux contained a version of slapi-nis that did not enable users to
change their passwords on legacy Identity Management (IdM) clients. As a consequence, users
logged in to clients via the slapi-nis compatibility tree could only update their password using the
IdM web UI or directly in Active Directory (AD). A patch has been applied, and as a result, users are
now able to change their password on legacy IdM clients. (BZ #1084018)

Red Hat Access plug-in for IdM is discontinued

The Red Hat Access plug-in for Identity Management (IdM) has been removed in Red Hat Enterprise
Linux 7.3. During the update, the redhat-access-plugin-ipa package is automatically uninstalled.
Features previously provided by the plug-in, such as Knowledgebase access and support case
engagement, are still available through the Red Hat Customer Portal. Red Hat recommends exploring
alternatives, such as the redhat-support-tool tool. (BZ #1296140)

Introducing Red Hat Single Sign-On as a replacement for the Ipsilon identity provider

Red Hat Single Sign-On (SSO) is now available as a single sign-on solution based on the Keycloak
community project. Red Hat SSO is intended to replace Ipsilon, which was offered as Technology
Preview for federated single sign-on in Red Hat Enterprise Linux 7.2.
Red Hat SSO provides more capabilities than Ipsilon, and Red Hat therefore recommends using it
instead of Ipsilon.
For details, see:
Red Hat SSO product page: https://access.redhat.com/products/red-hat-single-sign-on
Red Hat SSO Release Notes: https://access.redhat.com/documentation/en/red-hat-single-signon/7.0/release-notes/
Note that Red Hat does not plan to upgrade Ipsilon from Technology Preview to a fully supported
feature. The ipsilon packages will be removed from Red Hat Enterprise Linux in a future minor
release. (BZ #1364891)

SSSD now reads optional *.conf files from /etc/sssd/conf.d/

The System Security Services Daemon (SSSD) has been enhanced to read *.conf files from the
/etc/sssd/conf.d/ directory. This enables you to use a general /etc/sssd/sssd.conf file on
all clients and to add additional settings in further configuration files to suit individual clients. SSSD
first reads the common /etc/sssd/sssd.conf file, and then in alphabetical order the other files in
/etc/sssd/conf.d/. The daemon uses the last read configuration parameter if the same one
appears multiple times in different files. (BZ #790113)
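Because the last value read wins, a snippet in conf.d/ can silently change a security-relevant setting such as ad_maximum_machine_account_password_age. The following added example (not part of the release notes or of SSSD) replays the read order described above over constructed sample files and reports which file supplies each effective value; the function names, file names and values are this example's own, and plain code-point sorting is assumed to match SSSD's alphabetical order.

```python
import configparser
import os
import tempfile


def sssd_config_files(main_conf, snippet_dir):
    """Read order from the release note: sssd.conf, then conf.d/*.conf by name."""
    files = [main_conf]
    if os.path.isdir(snippet_dir):
        names = sorted(n for n in os.listdir(snippet_dir) if n.endswith(".conf"))
        files += [os.path.join(snippet_dir, n) for n in names]
    return files


def option_history(main_conf, snippet_dir):
    """Map (section, option) -> [(value, file name), ...] in read order."""
    history = {}
    for path in sssd_config_files(main_conf, snippet_dir):
        parser = configparser.RawConfigParser(strict=False)
        with open(path) as handle:
            parser.read_file(handle)
        for section in parser.sections():
            for option, value in parser.items(section):
                history.setdefault((section, option), []).append(
                    (value, os.path.basename(path)))
    return history


def effective(history, section, option):
    """The last value read wins; returns (value, file name) or None."""
    entries = history.get((section, option))
    return entries[-1] if entries else None


def shadowed(history):
    """Options set in more than one file, where a later file overrides an earlier one."""
    return sorted(key for key, entries in history.items() if len(entries) > 1)


# Constructed sample files (not taken from any real host).
SAMPLE = {
    "sssd.conf": (
        "[sssd]\n"
        "domains = ad.example.com\n"
        "services = nss, pam\n"
        "\n"
        "[domain/ad.example.com]\n"
        "id_provider = ad\n"
        "ad_maximum_machine_account_password_age = 30\n"
    ),
    "conf.d/10-site.conf": (
        "[domain/ad.example.com]\n"
        "ad_maximum_machine_account_password_age = 14\n"
    ),
    "conf.d/90-host.conf": (
        "[domain/ad.example.com]\n"
        "ad_maximum_machine_account_password_age = 60\n"
        "debug_level = 6\n"
    ),
    # Not a *.conf file, so it is never read.
    "conf.d/notes.txt": "scratch notes, ignored\n",
}


def write_constructed_tree(root):
    """Write SAMPLE under root; return (path to sssd.conf, path to conf.d)."""
    for rel, text in SAMPLE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(text)
    return os.path.join(root, "sssd.conf"), os.path.join(root, "conf.d")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        main_conf, snippet_dir = write_constructed_tree(root)
        history = option_history(main_conf, snippet_dir)
        for section, option in shadowed(history):
            chain = " -> ".join("%s (%s)" % entry for entry in history[(section, option)])
            print("[%s] %s: %s" % (section, option, chain))
```

Run against copies of a client's real files, the report shows every option whose effective value comes from a snippet rather than from the common sssd.conf.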

The IdM password policy now enables never-expiring passwords

Previously, all user passwords in Identity Management (IdM) were required to have an expiration
date defined. With this update, the administrator can configure user passwords to be valid
indefinitely by setting the password policy Max lifetime value to 0.
Note that new password policy settings apply to new passwords only. For the change to take effect,
existing users must update their passwords. (BZ #826790)

Samba rebased to version 4.4.4

The samba packages have been upgraded to upstream version 4.4.4, which provides a number of
bug fixes and enhancements over the previous version:
The WINS nsswitch module now uses the libwbclient library for WINS queries. Note that the winbind daemon must be running to resolve WINS names that use the module.
The default value of the winbind expand groups option has been changed from 1 to 0.
The -u and -g options of the smbget command have been replaced with the -U option to match the parameter of other Samba commands. The -U option accepts a username[%password] value. Additionally, the username and password parameters in the smbgetrc configuration file have been replaced with the user parameter.
The -P parameter of the smbget command has been removed.
Printing using the CUPS back end with Kerberos credentials now requires installing the samba-krb5-printing package and configuring CUPS appropriately.
It is now possible to configure Samba as a print server by using the CUPS back end with Kerberos credentials. To do so, install the samba-krb5-printing package and configure CUPS appropriately.
Samba and CTDB header files are no longer installed automatically when you install samba.
Samba automatically updates its tdb database files when the smbd, nmbd, or winbind daemon starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
For further information about notable changes, read the upstream release notes before updating:
https://www.samba.org/samba/history/samba-4.3.0.html
https://www.samba.org/samba/history/samba-4.4.0.html (BZ #1303076)

New net ads join option to prevent AD DNS update

The net ads join command now provides the --no-dns-updates option that prevents
updating the DNS server with the machine name when joining a client to the Active Directory (AD).
This option enables the administrator to bypass the DNS registration if the DNS server does not
allow client updates and thus the DNS update would fail with an error message. (BZ #1263322)


Chapter 5. Clustering
A Pacemaker cluster resource that is used to create a guest node may now be a member of a resource group

Previous Pacemaker versions did not support including a guest node in a group. As of Red Hat
Enterprise Linux 7.3, a Pacemaker cluster resource such as VirtualDomain that is used to create a
guest node may now be a member of a resource group. This can be useful, for example, to associate
a virtual machine with its storage. (BZ #1303765)

Support for quorum devices in a Pacemaker cluster


As of Red Hat Enterprise Linux 7.3, you can configure a separate quorum device which acts as a
third-party arbitration device for the cluster. Its primary use is to allow a cluster to sustain more node
failures than standard quorum rules allow. A quorum device is recommended for clusters with an
even number of nodes and highly recommended for two-node clusters. For information on
configuring a quorum device, see the High Availability Add-On Reference. (BZ #1158805)


Chapter 6. Compiler and Tools


iputils rebased to version 20160308

The iputils packages have been upgraded to upstream version 20160308, which provides a number
of bug fixes and enhancements over the previous version. Notably, the ping command is now dual
stack aware. It can be used for probing both IPv4 and IPv6 addresses. The old ping6 command is
now a symbolic link to the ping command and works the same way as before. (BZ #1273336)

Logging capabilities of the tftp server have been enhanced

As a result of improved logging, the Trivial File Transfer Protocol (TFTP) server can now track
successes and failures. For example, a log event is now created when a client successfully finishes
downloading a file, or the file not found message is provided in case of a failure.
(BZ #1311092)

New option for arpwatch: -p


This update introduces option -p for the arpwatch command of the arpwatch network monitoring
tool. This option disables promiscuous mode. (BZ #1291722)

The chrt utility now has new options

This update introduces new command-line options for the chrt utility: --deadline,
--sched-runtime, --sched-period, and --sched-deadline. These options take advantage of the
kernel SCHED_DEADLINE scheduler and provide full control of deadline scheduling policy for
scripts and when using the command line. (BZ #1298384)

New command-line utility: lsipc

This update introduces the lsipc utility that lists information about inter-process communication
(IPC) facilities. In comparison with the old ipcs command, lsipc provides more details, is easier to
use in scripts, and is more user-friendly. This results in better control of the output of IPC
information for scripts and when using the command line. (BZ #1153770)

Searching using libmount and findmnt is now more reliable

The st_dev value of an overlay file system does not allow the libmount library and the findmnt
utility to search reliably. With this update, libmount and findmnt search in mount tables
by other means than with st_dev in some cases, achieving better reliability. (BZ #587393)

New --family option for the alternatives utility

This update introduces the new --family option for the alternatives utility. The software
packager can use this option to group similar alternative packages from the same group into
families. Families inside groups ensure that if the currently used alternative is removed, and it
belonged to a family, then the current alternative will change to the package with the highest priority
within the same family, and not outside the family.
For example, a system has four packages installed in the same alternatives group: a1, a2, a3, b
(listed in increasing priority). Packages a1, a2, and a3 belong to the same family. a1 is the currently
used alternative. If a1 is removed, then the currently used alternative will change to a3. It will not be b,
because b is outside the family of a1, and it will not be a2, because a2 has lower priority than a3.

This option is useful when just setting priorities for each alternative is not enough. For example, all
openjdk packages can be put into the same family to ensure that if one of them is uninstalled, the
alternative will switch to another openjdk package, and not to the java-1.7.0-oracle package (if another
openjdk package is installed). (BZ #1291340)

sos rebased to version 3.3


The sos package has been updated to upstream version 3.3, which provides a number of
enhancements, new features, and bug fixes, including:
Support for OpenShift Enterprise 3.x
Improved and expanded OpenStack plug-ins
Enhanced support for Open vSwitch
Enhanced Kubernetes data collection
Improved support for systemd journal collection
Enhanced display manager and 3D acceleration data capture
Improved support for Linux clusters, including Pacemaker
Expanded CPU and NUMA topology collection
Expanded mainframe (IBM System z) coverage
Collection of multipath topology (BZ #1293044)

ethtool rebased to version 4.5

The ethtool utility enables querying and changing settings such as speed, port, auto-negotiation,
PCI locations, and checksum offload on many network devices, especially Ethernet devices. The
package has been upgraded to upstream version 4.5. Notable improvements include:
SFP serial number and date are now included in EEPROM dump (option -m)
Added missing Advertised speeds, some combinations of 10GbE and 56GbE
Added register dump support for VMware vmxnet3 (option -d)
Added support for setting the default Rx flow indirection table (option -X)
(BZ #1318316)

elfutils rebased to version 0.166

The elfutils packages contain a number of utilities and libraries related to the creation and
maintenance of executable code. The package has been upgraded to version 0.166. Highlighted
improvements include:
strip, unstrip: these utilities can now handle ELF files with merged strtab/shstrtab tables.
elfcompress: a new utility to compress or decompress ELF sections.
readelf: a new -z,--decompress option.
New functions have been added to libelf and libdw to handle compressed ELF sections: elf_compress, elf_compress_gnu, elf32_getchdr, elf64_getchdr, and gelf_getchdr.
libdwelf: a new dwelf_scn_gnu_compressed_size() function.
New libelf and libdw pkgconfig (package configuration) files.
(BZ #1296313)

pcp rebased to version 3.11.3

Performance Co-Pilot (PCP) is a suite of tools, services, and libraries for acquisition, archiving, and
analysis of system-level performance measurements. The package has been upgraded to version
3.11.3. Highlighted improvements include:
pcp-ipcs - new command to show inter-process communication
pcp-atopsar - new PMAPI sar command based on http://atoptool.nl
pcp-vmstat - wrapper for pmstat modified to more closely resemble vmstat
libpcp - new fetchgroup API
pmdamic - new PMDA for Intel MIC card metrics
pmdaslurm - new PMDA exporting HPC scheduler metrics
pmdapipe - command output event capture PMDA
pmdaxfs - support for per-device XFS metrics
pmdavmware - updated to work with current VMWare Perl API
pmdaperfevent - variety of improvements surrounding derived metrics; added reference clock cycles for NHM and WSM
pmdaoracle - Oracle database metrics available and updated
pmdads389 - added normalized dn cache metrics
pmdalinux - added metrics for per numa node memory bandwidth, shared memory segments, IPC, MD driver stats, transparent-huge-page zero page alloc counters, NVME devices, IPv6 metrics
pmdaelasticsearch - restrict to local node metrics by default and adjust to elasticsearch API change
pmdaxfs - support for per-device XFS metrics
pmrep - powerful and versatile metric-reporting utility
pmlogconf - support for automatic recording of Oracle database, nginx, elasticsearch, memcache, and application metrics supplied by mmv
zbxpcp - Zabbix Agent loadable module for PCP metrics supporting Zabbix v2 and v3 simultaneously
pmcd - support for starting PMDAs via pmdaroot, allowing restart on PMDA failure without restarting pmcd itself

sar2pcp - support for additional mem.util metrics and sysstat-11.0.1 commands
pmmgr - added general monitor-program launching option
pcp-atop - updated with latest atop features (especially NFS-related)
libpcp - allowed the name of a server certificate to be customized; added support for permanent, global derived metrics, and multi-archive contexts
pmdaproc - cgroup blkio throttle throughput and IOPS metrics
pcp-iostat - added the -R flag for device-name matching using regular expressions and the -G flag for sum, avg, min, or max statistics
pmieconf - new rule to automate restarting of unresponsive PMDAs
(BZ #1284307)

systemtap rebased to version 3.0

The systemtap packages have been updated to upstream version 3.0, which provides a number of
bug fixes and enhancements. For example, the translator has been improved to require less memory,
produce faster code, support more function-callee probing, print improved diagnostics, include
language extensions for function overloading and private scoping, and introduce experimental
--monitor and --interactive modes. (BZ #1289617)

valgrind rebased to version 3.11.0

Valgrind is an instrumentation framework that is used for debugging memory, detecting memory
leaks, and profiling applications. The package has been upgraded to upstream version 3.11.0.
Highlighted improvements include:
The JIT's register allocator is now significantly faster, making JIT-intensive activities, for example program startup, approximately 5% faster.
Intel AVX2 support is now more complete for 64-bit targets. On AVX2-capable hosts, the simulated CPUID will now indicate AVX2 support.
The default value for the --smc-check option has been changed from stack to all-non-file on targets that provide automatic D-I cache coherence. The result is to provide, by default, transparent support for JIT generated and self-modifying code on all targets.
Highlighted new features in the Memcheck utility include:
The default value for the --leak-check-heuristics option has been changed from none to all. This helps to reduce the number of possibly lost blocks, in particular for C++ applications.
The default value for the --keep-stacktraces option has been changed from malloc-then-free to malloc-and-free. This has a small cost in memory but allows Memcheck to show the 3 stack traces of a dangling reference: where the block was allocated, where it was freed, and where it is accessed after being freed.
The default value for the --partial-loads-ok option has been changed from no to yes, to avoid false-positive errors resulting from certain vectorised loops.
A new gdb monitor command xb [addr] [len] shows the validity bits of [len] bytes at [addr]. The monitor command xb is easier to use than get_vbits when you need to associate byte data values with their corresponding validity bits.

The block_list gdb monitor command has been enhanced: it can print a range of loss records; it now accepts an optional argument, limited [max_blocks], to control the number of printed blocks; if a block has been found using a heuristic, then block_list now shows the heuristic after the block size; the loss records/blocks to print can be limited to the blocks found via specified heuristics.
A new --expensive-definedness-checks=yes|no command-line option has been added. This is useful for avoiding occasional invalid uninitialized-value errors in optimized code. Beware of potential runtime degradation, as this can be up to 25%. The slowdown is highly application-specific though. The default value is no.
(BZ #1296318)
OpenJDK 8 now supports ECC

With this update, support for Elliptic Curve Cryptography (ECC) and associated ciphers for TLS
connections has been added to OpenJDK 8. In most cases, ECC is preferable to older cryptographic
solutions for establishing secure network connections. (BZ #1245810)
pycurl now provides options to require TLSv1.1 or 1.2

With this update, pycurl has been enhanced to support options that make it possible to require the
use of the 1.1 or 1.2 versions of the TLS protocol, which improves the security of communication.
(BZ #1260407)

Perl Net::SSLeay now supports elliptic curve parameters

Support for elliptic-curve parameters has been added to the Perl Net::SSLeay module, which
contains bindings to the OpenSSL library. Namely, the EC_KEY_new_by_curve_name(),
EC_KEY_free*(), SSL_CTX_set_tmp_ecdh(), and OBJ_txt2nid() subroutines have been
ported from upstream. This is required for the support of the Elliptic Curve Diffie-Hellman Exchange
(ECDHE) key exchange in the IO::Socket::SSL Perl module. (BZ #1316379)

Perl IO::Socket::SSL now supports ECDHE

Support for Elliptic Curve Diffie-Hellman Exchange (ECDHE) has been added to the
IO::Socket::SSL Perl module. The new SSL_ecdh_curve option can be used for specifying a
suitable curve by the Object Identifier (OID) or Name Identifier (NID). As a result, it is now possible to
override the default elliptic curve parameters when implementing a TLS client using
IO::Socket::SSL. (BZ #1316377)
tcsh now uses system allocation functions

The tcsh command language interpreter now uses allocation functions from the glibc library
instead of built-in allocation functions. This eliminates earlier problems with the malloc() library
call. (BZ #1315713)
Python performance enhancement

The CPython interpreter now uses computed goto statements at the main switch statement, which
executes Python bytecode. This enhancement allows the interpreter to avoid a bounds check that is
required by the C99 standard for the switch statement, and allows the CPU to perform more efficient
branch prediction, which reduces pipeline flushes. As a result of this enhancement, Python code is
interpreted significantly faster than before. (BZ #1289277)

New configuration options for SSL/TLS certificate verification for the HTTP clients in the Python standard library

New per-application and per-process configuration options for SSL/TLS certificate verification have
been added for the HTTP clients in the Python standard library. The options are described in
Python Enhancement Proposal 493 (https://www.python.org/dev/peps/pep-0493/). The default global
setting continues to be to not verify certificates. For details, see
https://access.redhat.com/articles/2039753. (BZ #1315758)
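Since the global default stays at "do not verify", an application that needs verification should not rely on it. The following added example (not part of the release notes) reports what the current process would do by default, calls the per-process hook that PEP 493 defines where the interpreter carries it, and builds an HTTPS opener whose context enforces verification regardless of the default; the function names are this example's own, and the presence of the private ssl hooks on a given interpreter is an assumption the code checks for.

```python
import ssl

try:
    from urllib.request import HTTPSHandler, build_opener  # Python 3
except ImportError:
    from urllib2 import HTTPSHandler, build_opener  # Python 2.7


def process_default_verifies():
    """True if HTTPS clients given no explicit context would verify certificates."""
    # ssl._create_default_https_context is the factory the standard-library
    # HTTP clients consult; fall back to the public one if it is absent.
    factory = getattr(ssl, "_create_default_https_context", ssl.create_default_context)
    ctx = factory()
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def enable_process_wide_verification():
    """Call the PEP 493 per-process hook; return False where it is not present."""
    hook = getattr(ssl, "_https_verify_certificates", None)
    if hook is None:
        return False
    hook(True)
    return True


def verifying_context(cafile=None):
    """A context that always verifies, independent of the system-wide default."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verifying_opener(cafile=None):
    """urllib opener whose HTTPS handler carries the verifying context."""
    return build_opener(HTTPSHandler(context=verifying_context(cafile)))


if __name__ == "__main__":
    print("default verifies before hook:", process_default_verifies())
    print("PEP 493 hook available:", enable_process_wide_verification())
    print("default verifies after hook:", process_default_verifies())
    # Requests made through this opener fail on an untrusted or mismatched
    # certificate regardless of the two results above.
    opener = verifying_opener()
```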

OProfile support for the Intel Skylake-SP server


This update provides a more complete set of performance monitoring events for the Intel Skylake-SP
server. (BZ #1273755)

OProfile support for Intel HarrisonVille

This update provides a more complete set of performance monitoring events for Intel HarrisonVille
(Denverton SoC). (BZ #1273756)

libpfm rebased to version 4.7.0


The libpfm package has been rebased to version 4.7.0. This version provides support for the
following 32-bit AMD and Intel architectures:
Intel Skylake core PMU
Intel Haswell-EP uncore PMUs
Intel Broadwell-DE
Intel Broadwell (desktop core)
Intel Haswell-EP (core)
Intel Haswell-EP (core)
Intel ivyBridge-EP uncore PMUs (all boxes)
Intel Silvermont core PMU
Intel RAPL events support
Intel SNB, IVB, HSW event table updates
Major update on Intel event tables
AMD Fam15h Northbridge PMU
(BZ #1321051)
glibc now supports BIG5-HKSCS-2008

Previously, glibc supported an earlier version of the Hong Kong Supplementary Character Set,
BIG5-HKSCS-2004. The BIG5-HKSCS character set map has been updated to the HKSCS-2008
revision of the standard. This allows Red Hat Enterprise Linux customers to write applications
processing text that is encoded with this version of the standard. (BZ #1211823)


memtest86+ rebased to version 5.01

The memtest86+ package has been upgraded to upstream version 5.01, which provides a number of
bug fixes and enhancements over the previous version. Notable changes include the following:
Support for up to 2 TB of RAM on AMD64 and Intel 64 CPUs
Support for new Intel and AMD CPUs, for example Intel Haswell
Experimental SMT support up to 32 cores
For detailed changes, see http://www.memtest.org/#change (BZ #1280352)

xz rebased to version 5.2.2

The xz packages have been upgraded to upstream version 5.2.2, which provides several
optimization fixes, fixes for race conditions, translations, portability fixes, and also a new stabilized
API previously available only for testing. Additionally, this update introduces a new experimental
feature controlled by the --flush-timeout option (by default off). When compressing, if more than timeout
milliseconds (a positive integer) have passed since the previous flush and reading more input would
be blocked, all the pending input data is flushed from the encoder and made available in the output
stream. This can be useful if the xz utility is used for compressing data that is streamed over a
network. (BZ #1160193)

GDB now supports IBM z13 features

This update provides a GDB extension for debugging code utilizing IBM z13 features. This includes
disassembling extended IBM z13 instructions and supporting SIMD instructions using 128-bit wide
vector registers v0-v31. Code optimized for IBM z13 can now be debugged by GDB displaying
correct instruction mnemonics, vector registers, and retrieving and passing vector register content
during inferior calls. (BZ #1182151)

ruby rebased to version 2.0.0.648

The ruby packages have been upgraded to upstream version 2.0.0.648, which provides a number of
bug and security fixes. This is the last upstream stable release of Ruby 2.0.0 as it has been
deprecated in upstream. More recent versions of Ruby are available in Red Hat Software Collections.
(BZ #1197720)


Chapter 7. Desktop
New packages: pidgin
This update adds the pidgin instant messaging client that supports off-the-record (OTR) messaging
and the Microsoft Lync instant messaging application. (BZ #1066457)

Scroll wheel increment configurable in GNOME terminal


With this update, the gnome-terminal packages have been upgraded so that the scroll wheel setting
is now configurable in the GNOME terminal. The scrolling preferences include a checkbutton and a
spinbutton, which allow you to choose between a dynamic or fixed scrolling increment. The default option
is the dynamic scrolling increment, which is based on the number of visible rows. (BZ #1103380)

Vinagre user experience improvements


The Vinagre remote desktop viewer introduces the following user experience enhancements:
A minimize button is available in the fullscreen toolbar, which makes access to custom options easier.
It is now possible to scale Remote Desktop Protocol (RDP) sessions. You can set the session size in the Connect dialog.
You can now use the secrets service to safely store and retrieve remote credentials. (BZ #1291275)

Custom titles for the terminal tabs or windows


This update allows users to set custom titles for terminal windows or tabs in gnome-terminal. The
titles can be changed directly in the gnome-terminal user interface. (BZ #1296110)

Separate menu items for opening tabs and windows restored
This update restores separate menu items for opening tabs and windows in gnome-terminal. It is
now easier to open a mix of tabs and windows without being familiar with keyboard shortcuts.
(BZ #1300826)

Native Gnome/GTK+ look for Qt applications


Previously, the default Qt style did not provide consistency for Qt applications, causing them not to fit
into the Gnome desktop. A new adwaita-qt style has been provided for those applications and the
visual differences between the Qt and GTK+ applications are now minimal. (BZ #1306307)

Rhythmbox rebase to version 3.3.1


Rhythmbox is the GNOME default music player. It is easy to use and includes features such as
playlists, podcast playback, and audio streaming. The rhythmbox packages have been upgraded to
upstream version 3.3.1. The most notable changes include:
Better support for Android devices
New task progress display below the track list
Support for the composer, disc, and track total tags
New style for playback controls and the source list
A number of bug fixes for various warnings and unexpected termination errors (BZ #1298233)

libreoffice rebased to version 5.0.6.2


The libreoffice packages have been upgraded to upstream version 5.0.6.2, which provides a number
of bug fixes and enhancements over the previous version, notably:
The status bar and various sidebar decks have been improved.
Various toolbars and context menus have been cleaned up or rearranged for better usability.
The color selector has been reworked.
New templates have been created.
Templates now appear directly in the Start Center and can be picked from there.
libreoffice now displays an information bar to indicate visibly when a document is being opened in read-only mode.
The possibility to embed libreoffice in certain web browsers by using the deprecated NPAPI has been removed.
It is possible to connect to SharePoint 2010 and 2013 and OneDrive directly from libreoffice.
Support for converting formulas into direct values, Master Document templates, reading Adobe Swatch Exchange color palettes in the .ase format, importing Adobe PageMaker documents, and for exporting digitally signed PDF files.
It is now possible to specify references to entire columns or rows using the A:A or 1:1 notation.
Interoperability with Microsoft Office document formats has been improved.
For a complete list of bug fixes and enhancements provided by this upgrade, see
https://wiki.documentfoundation.org/ReleaseNotes/4.4 and
https://wiki.documentfoundation.org/ReleaseNotes/5.0. (BZ #1290148)

libdvdnav rebased to version 5.0.3


The libdvdnav library allows you to navigate DVD menus on any operating system. The libdvdnav
packages have been upgraded to version 5.0.3. The most notable changes include:
Fixed a bug on menu-less DVDs
Fixed playback issues on multi-angle DVDs
Fixed unexpected termination when playing a DVD from a different region than currently set in the DVD drive
Fixed memory bugs when reading certain DVDs (BZ #1068814)

GIMP rebased to version 2.8.16


The GNU Image Manipulation Program (GIMP) has been upgraded to version 2.8.16, which provides
a number of bug fixes and enhancements over the previous version. Notable changes include the
following:

Core:
More robust loading of XCF files
Improved performance and behavior when writing XCF files
GUI:
The widget direction automatically matches the direction of language set for GUI
Larger scroll area for tags
Fixed switching of dock tabs by drag and drop (DND) hovering
DND works between images in one dockable
No unexpected termination problem in the save dialog
Plug-ins:
Improved security of the script-fu server
Fixed reading and writing of files in the BMP format
Fixed exporting of fonts in the PDF plug-in
Support of layer groups in OpenRaster files
Fixed loading of PSD files with layer groups (BZ #1298226)

Chapter 8. Directory Server in Red Hat Enterprise Linux


About Directory Server for Red Hat Enterprise Linux
This section describes changes in the main server component for Red Hat Directory Server - the
389-ds-base package, which includes the LDAP server itself and command line utilities and scripts for its
administration. This package is part of the Red Hat Enterprise Linux base subscription channel and
therefore available on all Red Hat Enterprise Linux Server systems due to Red Hat Identity
Management components which depend on it.
Additional Red Hat Directory Server components, such as the Directory Server Console, are
available in the rhel-7-server-rhds-10-rpms additional subscription channel. A subscription to
this channel is also required to obtain support for Red Hat Directory Server. Changes to the
additional components in this channel are not described in this document.
Red Hat Directory Server version 10.1 is available for Red Hat Enterprise Linux 7. See
https://access.redhat.com/products/red-hat-directory-server/get-started for information about getting
started with Directory Server 10, and
https://access.redhat.com/documentation/en/red-hat-directory-server/?version=10 for full documentation.

The ldapsearch command can now return all operational attributes
LDAP searches can now return all operational attributes as described in IETF RFC 3673. Using the +
character in a search will yield all operational attributes to which the bound Distinguished Name
(DN) has access. The returned results may be limited depending on applicable Access Control
Instructions (ACIs).
An example search might look similar to the following:
ldapsearch -LLLx -h localhost -p 10002 -b ou=people,dc=example,dc=com -s base '+'
dn: ou=People,dc=example,dc=com
See https://tools.ietf.org/html/rfc3673 for additional information about this feature. (BZ #1290111)

Increased accuracy of log time stamps


This update increases the accuracy of time stamps in Directory Server logs from one second
precision to nanosecond precision by default. This enhancement allows for a more detailed analysis
of events in Directory Server, and enables external log systems to correctly rebuild and interweave
logs from Directory Server.
Previously, log entries contained time stamps as shown in the following example:
[21/Mar/2016:12:00:59 +1000] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
With this update, the same log entry contains a more accurate time stamp:
[21/Mar/2016:12:00:59.061886080 +1000] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
To revert to the old time stamp format, set the nsslapd-logging-hr-timestamps-enabled
attribute to false in cn=config. (BZ #1273549)
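
Log collectors that parsed the old format need to accept both forms during a migration. The following is an added example, not part of the release notes or of Directory Server: a parser that reads either time stamp format and orders entries on a common UTC nanosecond scale. The sample lines are constructed from the two formats shown above, and all function names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample entries that follow the two formats shown above.
SAMPLE_LINES = [
    '[21/Mar/2016:12:00:59.061886080 +1000] conn=1 op=0 BIND '
    'dn="cn=Directory Manager" method=128 version=3',
    '[21/Mar/2016:12:00:59 +1000] conn=7 op=0 BIND '
    'dn="cn=Directory Manager" method=128 version=3',
    '[21/Mar/2016:02:00:59.000000500 +0000] conn=9 op=1 UNBIND',
]

STAMP = re.compile(
    r"^\[(\d{2})/([A-Za-z]{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{1,9}))?"              # fraction is absent in the old format
    r" ([+-])(\d{2})(\d{2})\] (.*)$"
)
# Explicit month table: strptime("%b") would depend on the process locale.
MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
NS = 1_000_000_000


def parse_line(line):
    """Return (utc_ns_since_epoch, high_resolution, rest_of_entry)."""
    m = STAMP.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("unrecognised time stamp: %r" % line[:48])
    day, mon, year, hh, mi, ss, frac, sign, oh, om, rest = m.groups()
    if mon not in MONTHS:
        raise ValueError("unknown month: %r" % mon)
    offset = timedelta(hours=int(oh), minutes=int(om))
    if sign == "-":
        offset = -offset
    local = datetime(int(year), MONTHS[mon], int(day),
                     int(hh), int(mi), int(ss), tzinfo=timezone(offset))
    # datetime only carries microseconds, so keep whole seconds and the
    # nanosecond fraction as separate integers and combine them exactly.
    seconds = (local - EPOCH) // timedelta(seconds=1)
    nanos = int(frac.ljust(9, "0")) if frac else 0
    return seconds * NS + nanos, frac is not None, rest


def interleave(lines):
    """Parse entries from any number of logs and return them in time order.

    Ties keep their input order, so entries with identical stamps from one
    file are not reshuffled.
    """
    parsed = [parse_line(l) + (i,) for i, l in enumerate(lines)]
    parsed.sort(key=lambda e: (e[0], e[3]))
    return [{"ns": ns, "high_resolution": hi, "entry": rest}
            for ns, hi, rest, _ in parsed]


def same_second_ambiguities(entries):
    """Second-precision entries that share their second with another entry.

    Such an entry happened somewhere inside that second, so its position
    relative to the neighbours cannot be recovered from the time stamp.
    """
    per_second = {}
    for e in entries:
        per_second.setdefault(e["ns"] // NS, []).append(e)
    return [e["entry"] for group in per_second.values() if len(group) > 1
            for e in group if not e["high_resolution"]]


if __name__ == "__main__":
    ordered = interleave(SAMPLE_LINES)
    for e in ordered:
        print(e["ns"], "hi-res" if e["high_resolution"] else "1s", e["entry"])
    print("ambiguous:", same_second_ambiguities(ordered))
```

An entry written in the old format sorts at the start of its second, which is why the example reports it separately instead of trusting its position.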

New utility for displaying status of Directory Server instances


Directory Server now provides the status-dirsrv command line utility, which outputs the status of
one or all instances. Use the following command to obtain a list of all existing instances:
status-dirsrv
To display the status of a specific instance, append the instance name to the command. See the
status-dirsrv(8) man page for additional details and a list of return codes. (BZ #1209128)

New option to enable use of quotes in schema


This update introduces the LDAP_SCHEMA_ALLOW_QUOTED environment variable which adds
support for older style schema using quotes in the schema directory. To enable this functionality, set
the following variable in the /etc/sysconfig/dirsrv-INSTANCE configuration file:
LDAP_SCHEMA_ALLOW_QUOTED=on
(BZ #1368484)

Chapter 9. File Systems


XFS runtime statistics are available per file system in the /sys/fs/ directory
The existing XFS global statistics directory has been moved from the /proc/fs/xfs/ directory to
the /sys/fs/xfs/ directory while maintaining compatibility with earlier versions with a symbolic
link in /proc/fs/xfs/stat. New subdirectories will be created and maintained for statistics per file
system in /sys/fs/xfs/, for example /sys/fs/xfs/sdb7/stats and
/sys/fs/xfs/sdb8/stats. Previously, XFS runtime statistics were available only per server. Now,
XFS runtime statistics are available per device. (BZ #1269281)

A progress indicator has been added to mkfs.gfs2


The mkfs.gfs2 tool now reports its progress when building journals and resource groups. As
mkfs.gfs2 can take some time to complete with large or slow devices, it was not previously clear if
mkfs.gfs2 was working correctly until a report was printed. A progress bar has been added to
mkfs.gfs2 to indicate progress. (BZ #1196321)

fsck.gfs2 has been enhanced to require considerably less memory on large file systems
Prior to this update, the Global File System 2 (GFS2) file system checker, fsck.gfs2, required a large
amount of memory to run on large file systems, and running fsck.gfs2 on file systems larger than 100
TB was therefore impractical. With this update, fsck.gfs2 has been enhanced to run in considerably
less memory, which allows for better scalability and makes running fsck.gfs2 practical on much
larger file systems. (BZ #1268045)

GFS2 has been enhanced to allow better scalability of its glocks


In the Global File System 2 (GFS2), opening or creating a large number of files, even if they are
closed again, leaves a lot of GFS2 cluster locks (glocks) in slab memory. When the number of glocks
was in the millions, GFS2 previously started to slow down, especially with file creates: GFS2 became
gradually slower to create files. With this update, the GFS2 has been enhanced to allow better
scalability of its glocks, and the GFS2 can now therefore maintain good performance across millions
of file creates. (BZ #1172819)

xfsprogs rebased to version 4.5.0


The xfsprogs packages have been upgraded to upstream version 4.5.0, which provides a number of
bug fixes and enhancements over the previous version. The Red Hat Enterprise Linux 7.3 kernel RPM
requires the upgraded version of xfsprogs because the new default on-disk format requires special
handling of log cycle numbers when running the xfs_repair utility. Notable changes include:
Metadata cyclic redundancy checks (CRCs) and directory entry file types are now enabled by default. To replicate the older mkfs on-disk format used in earlier versions of Red Hat Enterprise Linux 7, use the -m crc=0 -n ftype=0 options on the mkfs.xfs command line.
The GETNEXTQUOTA interface is now implemented in xfs_quota, which allows fast iteration over all on-disk quotas even when the number of entries in the user database is extremely large.
Also, note the following differences between upstream and Red Hat Enterprise Linux 7.3:
The experimental sparse inode feature is not available.
The free inode btree (finobt) feature is disabled by default to ensure compatibility with earlier Red Hat Enterprise Linux 7 kernel versions. (BZ #1309498)

The CIFS kernel module rebased to version 6.4


The Common Internet File System (CIFS) has been upgraded to upstream version 6.4, which provides
a number of bug fixes and enhancements over the previous version. Notably:
Support for Kerberos authentication has been added.
Support for MFSymlink has been added.
The mknod and mkfifo named pipes are now allowed.
Also, several memory leaks have been identified and fixed. (BZ #1337587)

Chapter 10. Hardware Enablement


Support added for the CAPI flash block adapter
The Coherent Accelerator Processor Interface (CAPI) is a technology that enables I/O adapters to
coherently access host memory, and thus ensures improved performance. This update adds the
cxlflash driver, which provides support for IBM's CAPI flash block adapter. (BZ #1182021)

MMC kernel rebased to version 4.5


With this update, the Multimedia Card (MMC) kernel subsystem has been upgraded to upstream
version 4.5, which fixes multiple bugs and also enables the Red Hat Enterprise Linux 7 kernel to use
the embedded MMC (eMMC) interface version 5.0. In addition, the update improves the suspend and
resume functionality of MMC devices, as well as their general stability. (BZ #1297039)

Intel DIMM management API


An API has been added for configuring and managing Intel Dual Inline Memory Modules (DIMMs).
This enables the user to perform basic DIMM inventory, capacity provisioning, health monitoring,
and troubleshooting. (BZ #1270993)

iWarp mapper service added


This update adds support for the internet Wide Area RDMA Protocol (iWARP) mapper to Red Hat
Enterprise Linux 7. The iWARP mapper is a user-space service that enables the following iWARP
drivers to claim TCP ports using the standard socket interface:
Intel i40iw
NES
Chelsio cxgb4
Note that both the iw_cm and ib_core kernel modules need to be loaded for the iWarp mapper
service (iwpmd) to start successfully. (BZ #1331651)

New package: memkind


This update adds the memkind package, which provides a user-extensible heap manager library,
built as an extension of the jemalloc memory allocator. This library enables partitioning of the
memory heap located between memory types that are defined when the operating system policies are
applied to virtual address ranges. In addition, memkind enables the user to control memory partition
features and allocate memory with a specified set of memory features selected. (BZ #1210910)

Per-port MSI-X support for the AHCI driver


The driver for the Advanced Host Controlled Interface (AHCI) has been updated for per-port
message-signaled interrupt (MSI-X) vectors. Note that this applies only to controllers that support the feature.
(BZ #1286946)

Chapter 11. Installation and Booting


Improved logging when network traffic is blocked during installation
This update adds improved logging when attempting to connect to a network repository during
installation. Now, when there is a connection problem with a network repository during installation,
logs include more detailed information about what caused the problem. (BZ #1240379)

Support for Memory Address Range Mirroring


With this update, it is possible to configure Memory Address Range Mirroring on EFI-based systems
on compatible hardware, using the efibootmgr utility with the new --mirror-below-4G and
--mirror-above-4G options. (BZ #1271412)

Default logging levels increased in Yum and NetworkManager


With this update, default logging levels were increased in the Yum and NetworkManager utilities.
(BZ #1254368)

Driver Update Disks can now replace loaded modules


It is now possible to use a Driver Update Disk to replace a module that is already loaded, provided
that the original module is not in use. (BZ #1265693)

Chapter 12. Kernel


criu rebased to version 2.3 and fully supported for certain applications
The criu packages have been upgraded to upstream version 2.3, which provides a number of bug
fixes and enhancements over the previous version. Notably, Checkpoint/Restore in Userspace (CRIU)
is now supported on Red Hat Enterprise Linux for POWER, little endian in addition
to the existing support on the AMD64 and Intel 64 architectures.
Additionally, CRIU has been moved from Technology Preview to full support for the following
applications running in a Red Hat Enterprise Linux 7 runc container:
vsftpd
apache httpd
sendmail
postgresql
mongodb
mariadb
mysql
tomcat
dnsmasq (BZ #1296578)

The CAN protocol has been enabled in the kernel


The Controller Area Network (CAN) protocol kernel modules have been enabled, providing the device
interface for CAN device drivers. CAN is a vehicle bus specification originally intended to connect the
various micro-controllers in automobiles and has since extended to other areas. CAN is also used in
industrial and machine controls where a high performance interface is required and other interfaces
such as RS-485 are not sufficient. The functions exported from the CAN protocol modules are used
by CAN device drivers to make the kernel aware of the devices and to allow applications to connect
and transfer data. Enablement of CAN in the kernel allows the use of third party CAN drivers and
applications to implement CAN based systems. (BZ #1311631)

Persistent memory support added to kexec-tools


The Linux kernel now supports the E820_PRAM and E820_PMEM types for Non-Volatile Dual In-line
Memory Module (NVDIMM) memory devices. A patch has been backported from upstream, which
ensures that kexec-tools supports these memory devices as well. (BZ #1282554)

libndctl - userspace nvdimm management library
The libndctl userspace library has been added. It is a collection of C interfaces to the ioctl and
sysfs entry points provided by the kernel libnvdimm subsystem. The library enables higher level
management software for NVDIMM-enabled platforms and also provides a command-line interface for
managing NVDIMMs. (BZ #1271425)

New symbols for the kABI whitelist to support the hpvsa and hpdsa drivers

This update adds a set of symbols to the kernel Application Binary Interface (kABI) whitelist, which
ensures the support for the hpvsa and hpdsa drivers.
The newly added symbols are:
scsi_add_device
scsi_adjust_queue_depth
scsi_cmd_get_serial
scsi_dma_map
scsi_dma_unmap
scsi_scan_host (BZ #1274471)

crash rebased to version 7.1.5
The crash packages have been upgraded to upstream version 7.1.5, which provides several bug
fixes and a number of enhancements over the previous version. Notably, this rebase adds new
options such as dis -s, dis -f, sys -i, list -l, new support for Quick Emulator (QEMU)
generated Executable and Linkable Format (ELF) vmcores on the 64-bit ARM architectures, and
several updates required for support of recent upstream kernels. It is safer and more efficient to
rebase the crash packages than to backport selectively the individual patches. (BZ #1292566)

New package: crash-ptdump-command


Crash-ptdump-command is a new rpm package which provides a crash extension module that adds the
ptdump subcommand to the crash utility. The ptdump subcommand retrieves and decodes the log
buffer generated by the Intel Processor Trace facility from the vmcore file and outputs it to files. This
new package is designed for EM64T and AMD64 architectures. (BZ #1298172)

Support of 8 TB of RAM
With this update, the kernel is certified to support 8 TB of RAM. This new feature covers the advance
in memory technology and it provides the potential to meet technological requirements of future
servers that will be released in the life time of Red Hat Enterprise Linux 7. This feature is available for
AMD64 and Intel 64 architectures. (BZ #727077)

Ambient capabilities are now supported


Capabilities are per-thread attributes used by the Linux kernel to divide the privileges traditionally
associated with superuser privileges into multiple distinct units. This update adds support for
ambient capabilities to the kernel. Ambient capabilities are a set of capabilities that are preserved
when a program is executed using the execve() system call. Only capabilities which are permitted
and inheritable can be ambient. You can use the prctl() call to modify ambient capabilities. See
the capabilities(7) man page for more information about kernel capabilities in general, and the
prctl(2) man page for information about the prctl call. (BZ #1165316)
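
Because ambient capabilities survive execve(), it is worth knowing which processes carry them. The following is an added example, not part of the release notes: it decodes the capability masks from /proc/PID/status text, lists the ambient set, and applies the rule stated above that only permitted and inheritable capabilities can be ambient. It assumes the kernel prints a CapAmb line in /proc/PID/status, as upstream kernels with ambient capability support do; the status excerpts are constructed and the function names are illustrative.

```python
# Capability names indexed by bit number, as defined in linux/capability.h.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin "
    "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
    "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
    "sys_tty_config mknod lease audit_write audit_control setfcap "
    "mac_override mac_admin syslog wake_alarm block_suspend audit_read"
).split()

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
SAMPLE_SERVICE = "\n".join([
    "Name:\twebsrv", "Pid:\t4242", "Uid:\t48\t48\t48\t48",
    "CapInh:\t0000000000000400", "CapPrm:\t0000000000000400",
    "CapEff:\t0000000000000400", "CapBnd:\t0000003fffffffff",
    "CapAmb:\t0000000000000400",
])
SAMPLE_SHELL = "\n".join([
    "Name:\tbash", "Pid:\t5150", "Uid:\t1000\t1000\t1000\t1000",
    "CapInh:\t0000000000001000", "CapPrm:\t0000000000003000",
    "CapEff:\t0000000000003000", "CapBnd:\t0000003fffffffff",
    "CapAmb:\t0000000000000000",
])


def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict of stripped strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def mask(fields, key):
    """Hex capability mask for key, or 0 when the kernel does not print it."""
    return int(fields.get(key, "0"), 16)


def names(bits):
    """Decode a capability bit mask into a list of names."""
    out, bit = [], 0
    while bits:
        if bits & 1:
            out.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bits >>= 1
        bit += 1
    return out


def can_raise_ambient(status_text, cap):
    """True if cap is both permitted and inheritable for this process."""
    fields = parse_status(status_text)
    bit = 1 << CAP_NAMES.index(cap)
    return bool(mask(fields, "CapPrm") & mask(fields, "CapInh") & bit)


def audit(status_text):
    """Summarise the ambient set of one process for review."""
    fields = parse_status(status_text)
    ambient = mask(fields, "CapAmb")
    allowed = mask(fields, "CapPrm") & mask(fields, "CapInh")
    uid = int(fields.get("Uid", "0").split()[0])   # first value is the real UID
    return {
        "name": fields.get("Name", "?"),
        "pid": int(fields.get("Pid", "0")),
        "uid": uid,
        "ambient": names(ambient),
        # The kernel never allows this; a hit means the collected data is bad.
        "inconsistent": names(ambient & ~allowed),
        # Non-root process whose children keep privileges across execve().
        "review": uid != 0 and ambient != 0,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_SERVICE, SAMPLE_SHELL):
        print(audit(sample))
    print(can_raise_ambient(SAMPLE_SHELL, "net_admin"),
          can_raise_ambient(SAMPLE_SHELL, "net_raw"))
```

On a live system the same functions can be fed the contents of each /proc/PID/status file.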

cpuid utility is now available


With this update, the cpuid utility is available in Red Hat Enterprise Linux. This utility dumps detailed
information about the CPU(s) gathered from the CPUID instruction, and also determines the exact
model of CPU(s). It supports Intel, AMD, and VIA CPUs. (BZ #1307043)

FC-FCoE symbols have been added to KABI white lists


With this update, a list of symbols belonging to the libfc and libfcoe kernel modules has been
added to the kernel Application Binary Interface (KABI) white lists. This ensures that the Fibre
Channel over Ethernet (FCoE) driver, which depends on libfc and libfcoe, can safely use the
newly added symbols. (BZ #1232050)

New package: opal-prd for OpenPower systems


The new opal-prd package contains a daemon that handles hardware-specific recovery processes,
and should be run as a background system process after boot. It interacts with OPAL firmware to
capture hardware error causes, log events to the management processor, and handle recoverable
errors where suitable. (BZ #1224121)

New package: libcxl


The new libcxl package contains the user-space library for applications in user space to access CAPI
hardware via kernel cxl functions. It is available on ppc64 and ppc64le architectures.
(BZ #1305080)

Kernel support for the newly added iproute commands


This update adds kernel support to ensure the correct functionality of newly added iproute
commands. The provided patch set includes:
Extension of the IPsec interface, which allows prefixed policies to be hashed.
Inclusion of the hash prefixed policies based on preflen thresholds.
Configuration of policy hash table thresholds by netlink. (BZ #1222936)

Backport of the PID cgroup controller


This update adds the new Process Identifier (PID) controller. This controller accounts for the
processes per cgroup and allows a cgroup hierarchy to stop any new tasks from being forked or
cloned after a certain limit is reached. (BZ #1265339)

mpt2sas and mpt3sas merged


The source codes of mpt2sas and mpt3sas drivers have been merged. Unlike in upstream, Red Hat
Enterprise Linux 7 continues to maintain two binary drivers for compatibility reasons. (BZ #1262031)

Allow multiple .ko files to be specified in ksc


Previously, it was not possible to add multiple .ko files in a single run of the ksc utility. Consequently,
the drivers that contain multiple kernel modules were not passed to ksc in a single run. With this
update, the -k option can be specified multiple times in the same run. Thus, a single run of ksc can be
used to query symbols used by several kernel modules. As a result, one file with symbols used by all
modules is generated. (BZ #906659)

dracut update
The dracut initramfs generator has been updated with a number of bug fixes and enhancements
over the previous version. Notably:
dracut gained a new kernel command-line option rd.emergency=[reboot|poweroff|halt], which specifies what action to execute in case of a critical failure. When using rd.emergency=[reboot|poweroff|halt], the rd.shell=0 option should also be specified.
The reboot, poweroff, and halt commands now work in the emergency shell of dracut.
dracut now supports multiple bond, bridge, and VLAN configurations on the kernel command line.
The device timeout can now be specified on the kernel command line using the rd.device.timeout=<seconds> option.
DNS name servers specified on the kernel command line are now used in DHCP.
dracut now supports 20-byte MAC addresses.
Maximum Transmission Unit (MTU) and MAC addresses are now set correctly for DHCP and IPv6 Stateless Address AutoConfiguration (SLAAC).
The ip= kernel command line option now supports MAC addresses in brackets.
dracut now supports the NFS over RDMA (NFSoRDMA) module.
Support for kdump has been added to Fibre Channel over Ethernet (FCoE) devices.
dracut now supports the --install-optional <file list> option and the install_optional_items+=" <file>[ <file> ...] " configuration file directive. The new option and directive enable installing files if they exist without returning an error if they do not.
dracut DHCP now recognizes the rfc3442-classless-static-routes option, which enables using classless network addresses. (BZ #1359144, BZ #1178497, BZ #1324454,
BZ #1194604, BZ #1282679, BZ #1282680, BZ #1332412, BZ #1319270, BZ #1271656,
BZ #1271656, BZ #1367374, BZ #1169672, BZ #1222529, BZ #1260955)

Red Hat Enterprise Linux 7 now supports Wacom Cintiq 27 QHD
Previously, the Wacom Cintiq 27 QHD tablets were not supported in Red Hat Enterprise Linux 7. With
this update, Wacom Cintiq 27 QHD is supported in Red Hat Enterprise Linux 7. (BZ #1342989)

Full support for OPA kernel driver


Intel Omni-Path Architecture (OPA) kernel driver, previously available as a Technology Preview, is
now fully supported. Intel OPA provides Host Fabric Interconnect (HFI) hardware with initialization
and setup for high performance data transfers (high bandwidth, high message rate, low latency)
between compute and I/O nodes in a clustered environment.
For instructions on how to obtain Intel Omni-Path documentation, see
https://access.redhat.com/articles/2039623. (BZ #1374826)

Cyclictest --smi option available for non-root users


With this update, it is possible to use the cyclictest program with the --smi option as a non-root
user, provided that the user also belongs to the realtime group. On processors that support
system management interrupts (SMIs), --smi displays a report on the system's SMIs, which was
previously only available for root users. (BZ #1346771)

Chapter 13. Real-Time Kernel


About Red Hat Enterprise Linux for Real Time Kernel
The Red Hat Enterprise Linux for Real Time Kernel is designed to enable fine-tuning for systems with
extremely high determinism requirements. The major increase in the consistency of results can, and
should, be achieved by tuning the standard kernel. The real-time kernel enables gaining a small
increase on top of the increase achieved by tuning the standard kernel.
The real-time kernel is available in the rhel-7-server-rt-rpms repository. The Installation Guide
contains the installation instructions and the rest of the documentation is available at Product
Documentation for Red Hat Enterprise Linux for Real Time.

The can-dev module has been enabled for the real-time kernel


The can-dev module has been enabled for the real-time kernel, providing the device interface for
Controller Area Network (CAN) device drivers. CAN is a vehicle bus specification originally intended
to connect the various micro-controllers in automobiles and has since extended to other areas. CAN
is also used in industrial and machine controls where a high performance interface is required and
other interfaces such as RS-485 are not sufficient.
The functions exported from the can-dev module are used by CAN device drivers to make the kernel
aware of the devices and to allow applications to connect and transfer data.
Enabling CAN in the real-time kernel allows the use of third party CAN drivers and applications to
implement CAN-based systems. (BZ #1328607)

Chapter 14. Networking


Open vSwitch now uses kernel lightweight tunnel support
With this update, the Open vSwitch (OVS) implementation now uses kernel lightweight tunnel support
for VXLAN, GRE, and GENEVE tunnels. This eliminates the duplicate functionality in the OVS
vport implementation and also means OVS benefits from feature and performance improvements in
the base kernel such as destination caching support or hardware offloading. (BZ #1283886)

Bulking in the memory allocator subsystem is now supported


With this update, the kernel supports batching of memory allocation and memory freeing. Currently,
this performance optimization is used only in the networking stack to free consecutive network
packets. (BZ #1268334)

NetworkManager now supports LLDP


With this update, NetworkManager can now listen for Link Layer Discovery Protocol (LLDP)
messages on given interfaces and expose information about found neighbors through D-Bus and
nmcli. This feature is disabled by default, but you can enable it through the connection.lldp
property or the LLDP variable in the ifcfg files. (BZ #1142898)

DHCP timeout in NetworkManager is configurable


A faster fallback in a Dynamic Host Configuration Protocol (DHCP) negotiation is useful in case a
server is not present. With this update, the user can set the value of the ipv4.dhcp-timeout
property or the IPV4_DHCP_TIMEOUT option in the ifcfg files. As a result, NetworkManager waits
for a response from the DHCP server only for a given time. (BZ #1262922)

NetworkManager now detects duplicate IPv4 addresses


With this update, NetworkManager performs a check to detect duplicate IPv4 addresses when
activating a new connection. If the address in LAN is already assigned, the connection activation
fails. This feature is disabled by default, but you can enable it through the ipv4.dad-timeout property
or the ARPING_WAIT variable in the ifcfg files. (BZ #1259063)

NetworkManager now controls the host name using systemd-hostnamed
With this update, NetworkManager uses the systemd-hostnamed service to read and write the static
host name, which is stored in the /etc/hostname file. Due to this change, manual modifications
done to the /etc/hostname file are no longer picked up automatically by NetworkManager; users
should change the system host name through the hostnamectl utility. Also, the use of the
HOSTNAME variable in the /etc/sysconfig/network file is now deprecated. (BZ #1367916)

Support for latest Bluetooth, including Bluetooth LE


This update provides the latest Bluetooth support, including support for connecting to Bluetooth Low
Energy (LE) devices. This helps to ensure proper functionality of Internet of Things (IoT) devices.
(BZ #1296707)

Additional policies for the PR-SCTP extension are now supported

The Partially Reliable SCTP (PR-SCTP) extension defined in RFC3758 provides a generic method for
senders to abandon user messages. With this update, three additional PR-SCTP policies are
supported:
Timed Reliability: This allows the sender to specify a timeout for a user message. The SCTP stack abandons the user message after the timeout expires.
Limited Retransmission Policy: Allows limitation of the number of retransmissions.
Priority Policy: Allows removal of lower-priority messages if space for higher-priority messages is needed in the send buffer. (BZ #965453)

Man pages for tc filter actions were added to the iproute package
With this update, man pages for the iproute utility's tc filter actions have been added. Every tc
action now has a corresponding man page, which includes synopsis, options, and detailed
functional description. (BZ #1275426)

The ip command can now display bridge configuration


With this update, you can use the ip tool instead of the brctl tool to display network bridge
configuration. (BZ #1270763)

ss now supports monitoring per connection TCP re-transmission
With this update, the ss command output includes the 'bytes_acked', 'bytes_received', 'segs_in', and
'segs_out' fields, unless they are null. This feature improves link quality monitoring. (BZ #1269051)

iPXE packages rebased to support IPv6 on physical computers


The ipxe-bootimgs and ipxe-roms packages have been rebased to upstream commit 6366fa7a to
support network booting over IPv6 on physical installations of Red Hat Enterprise Linux 7.
(BZ #1298313)

New packages: libvma


libvma is a dynamically linked user space library for transparently enhancing the performance of TCP
and UDP networking-heavy applications over RDMA-capable network interface controllers. It allows
standard socket API applications to run with the full network stack bypass from user space, which
results in latency reduction, increased throughput, and packet rate. (BZ #1271624)


Chapter 15. Security


The SELinux userspace rebased to version 2.5
The SELinux userspace packages have been upgraded to upstream version 2.5, which provides a
number of enhancements, bug fixes, and performance improvements over the previous version. The
most important new features in the SELinux userspace 2.5 include:
The new SELinux module store supports priorities. The priority concept provides an ability to
override a system module with a module of a higher priority.
SELinux Common Intermediate Language (CIL) provides clear and simple syntax that is easy to
read, parse, and to generate by high-level compilers, analysis tools, and policy generation tools.
Time-consuming SELinux operations, such as policy installations or loading new policy modules,
are now significantly faster.
Note: The default location of the SELinux modules remains in the /etc/selinux/ directory in Red
Hat Enterprise Linux 7, whereas the upstream version uses /var/lib/selinux/. To change this
location for migration, set the store-root= option in the /etc/selinux/semanage.conf file.
(BZ #1297815)

scap-workbench rebased to version 1.1.2


The scap-workbench package has been rebased to version 1.1.2, which provides a new SCAP
Security Guide integration dialog. The dialog helps the administrator choose a product that needs to
be scanned instead of choosing content files. The new version also offers a number of performance
and user-experience improvements, including improved rule-searching in the tailoring window, the
possibility to fetch remote resources in SCAP content using the GUI, and the dry-run feature. The
dry-run feature enables the user to get the oscap command-line arguments in the diagnostics window
instead of running the scan. (BZ #1202854)

openscap rebased to version 1.2.10


The OpenSCAP suite that enables integration of the Security Content Automation Protocol (SCAP)
line of standards has been rebased to version 1.2.10, the latest upstream version. The openscap
packages provide the OpenSCAP library and the oscap utility. Most notably, this update adds
support for scanning containers using the atomic scan command. In addition, this update
provides the following enhancements:
oscap-vm, a tool for offline scanning of virtual machines
oscap-chroot, a tool for offline scanning of file systems mounted at arbitrary paths
full support for Open Vulnerability and Assessment Language (OVAL) 5.11.1
native support for remote .xml.bz2 files
grouping HTML report results according to various criteria
HTML report improvements
verbose mode for debugging OVAL evaluation (BZ #1278147)

firewalld rebased to version 0.4.3.2


The firewalld packages have been upgraded to upstream version 0.4.3.2 which provides a number of
enhancements and bug fixes over the previous version. Notable changes include the following:
Performance improvements: firewalld starts and restarts significantly faster thanks to the new
transaction model which groups together rules that are applied simultaneously. This model uses
the iptables restore commands. Also, the firewall-cmd, firewall-offline-cmd, firewall-config, and
firewall-applet tools have been improved with performance in mind.
The improved management of connections, interfaces and sources: The user can now control
zone settings for connections in NetworkManager. In addition, zone settings for interfaces are also
controlled by firewalld and in the ifcfg file.
Default logging option: With the new LogDenied setting, the user can easily debug and log
denied packets.
ipset support: firewalld now supports ipsets used as zone sources, within rich and direct rules.
(BZ #1302802)

audit rebased to version 2.6.5


The audit packages contain the user space utilities for storing and searching the audit records which
have been generated by the audit subsystem in the Linux kernel. The audit packages have been
upgraded to upstream version 2.6.5, which provides a number of enhancements and bug fixes over
the previous version. Notable changes include the following:
The audit daemon now includes a new flush technique called incremental_async, which
improves its performance approximately 90 times.
The audit system now has many more rules that can be composed into an audit policy. Some
of these new rules include support for the Security Technical Implementation Guide (STIG), PCI
Data Security Standard, and other capabilities such as auditing the occurrence of 32-bit
syscalls, significant power usage, or module loading.
The auditd.conf configuration file and the auditctl command now support many new
options.
The audit system now supports a new log format called enriched, which resolves UID, GID,
syscall, architecture, and network addresses. This will aid in log analysis on a machine that
differs from where the log was generated. (BZ #1296204)

MACsec (IEEE 802.1AE) is now supported


With this update, the Media Access Control Security (MACsec) encryption over Ethernet is supported.
MACsec encrypts and authenticates all traffic in LANs with the GCM-AES-128 algorithm.
(BZ #1104151)

The rsyslog RELP module now binds to a specific rule set


With this update, the rsyslog Reliable Event-Logging Protocol (RELP) module is now capable of
binding to a specific rule set with each input instance. The input() instance rule set has higher
priority than the module() rule set. (BZ #1223566)

rsyslog imfile module now supports a wildcard file name


The rsyslog packages provide an enhanced, multi-threaded syslog daemon. With this update, the
rsyslog imfile module supports using wildcards inside file names and adding the actual file name to
the message's metadata. This is useful when rsyslog needs to read logs under a directory and does
not know the names of files in advance. (BZ #1303617)

Syscalls in audit.log are now converted to text


With this update, auditd converts system call numbers to their names prior to forwarding them to
the syslog daemon through the audispd event multiplexor. (BZ #1127343)

audit subsystem can now filter by process name


The user can now audit by executable name (with the -F exe=<path-to-executable> option),
which allows expression of many new audit rules. You can use this functionality to detect events
such as the bash shell opening a network connection. (BZ #1135562)
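
The bash-opens-a-network-connection case mentioned above, written as an audit rule that uses the exe filter, followed by a scan of audit records for the events that rule tags. This is an added example, not text from the release notes; the key name shell-net, the /usr/bin/bash path, the function names, and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the release notes: an audit rule that uses the
# -F exe= filter, plus a scan of audit records for the events it tags.

# Print an audit.rules line that logs every connect(2) call made by one
# executable. $1 = absolute path of the executable, $2 = key for the events.
exe_connect_rule() {
    exe=$1
    key=$2
    case $exe in
        /*) ;;
        *) echo "exe must be an absolute path: $exe" >&2; return 1 ;;
    esac
    printf '%s\n' "-a always,exit -F arch=b64 -S connect -F exe=$exe -k $key"
}

# Constructed sample records in the raw log format (all values are made up).
sample_records() {
    cat <<'EOF'
type=SYSCALL msg=audit(1475000000.123:401): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd0 a2=10 a3=0 items=0 ppid=2100 pid=2154 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="shell-net"
type=SOCKADDR msg=audit(1475000000.123:401): saddr=02000050C00002010000000000000000
type=SYSCALL msg=audit(1475000003.456:402): arch=c000003e syscall=42 success=yes exit=0 ppid=1 pid=987 auid=4294967295 uid=0 gid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="login-net"
EOF
}

# Read audit records on stdin; print "serial pid exe" for each SYSCALL record
# whose key equals $1. Records of other types and other keys are skipped.
keyed_events() {
    awk -v want="$1" '
        $1 == "type=SYSCALL" {
            serial = ""; pid = ""; exe = ""; key = ""
            for (i = 2; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                name = substr($i, 1, n - 1)
                val = substr($i, n + 1)
                gsub(/"/, "", val)
                if (name == "msg") {
                    # msg=audit(<time>:<serial>): -> keep the serial number
                    split(val, part, ":")
                    serial = part[2]
                    sub(/\).*/, "", serial)
                }
                else if (name == "pid") pid = val
                else if (name == "exe") exe = val
                else if (name == "key") key = val
            }
            if (key == want) print serial, pid, exe
        }'
}

# Demo: the rule to place in the audit rules, then the matching sample events.
exe_connect_rule /usr/bin/bash shell-net
sample_records | keyed_events shell-net
```

On a live system the rule line is loaded with auditctl or placed in the audit rules file, and the records come from the audit log rather than from sample_records.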

mod_security_crs rebased to version 2.2.9


The mod_security_crs package has been upgraded to upstream version 2.2.9, which provides a
number of bug fixes and enhancements over the previous version. Notable changes include:
A new PHP rule (958977) to detect PHP exploits.
A JS overrides file to identify successful XSS probes.
New XSS detection rules.
Fixed session-hijacking rules. (BZ #1150614)

opencryptoki rebased to version 3.5


The opencryptoki packages have been upgraded to version 3.5, which provides a number of bug
fixes and enhancements over the previous version.
Notable changes include:
The openCryptoki service automatically creates lock/ and log/ directories, if not present.
The PKCS#11 API supports hash-based message authentication code (HMAC) with SHA hashes
in all tokens.
The openCryptoki library provides dynamic tracing set by the
OPENCRYPTOKI_TRACE_LEVEL environment variable. (BZ #1185421)

gnutls now uses the central certificate store


The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements
cryptographic algorithms and protocols such as SSL, TLS, and DTLS. With this update, GnuTLS
uses the central certificate store of Red Hat Enterprise Linux through p11-kit packages. Certificate
Authority (CA) updates are now visible to applications at runtime. (BZ #1110750)

The firewall-cmd command can now provide additional details
With this update, firewalld shows details of a service, zone, and ICMP type. Additionally, the user can
list the full path to the source XML file. The new options for firewall-cmd are:


[--permanent] --info-zone=zone
[--permanent] --info-service=service
[--permanent] --info-icmptype=icmptype (BZ #1147500)

libica rebased to version 2.6.2


The libica packages have been updated to upstream version 2.6.2, which provides a number of bug
fixes and enhancements over the previous version. Notably, this update adds support for generation
of pseudo random numbers, including enhanced support for Deterministic Random Bit Generator
(DRBG), according to updated security specification NIST SP 800-90A. (BZ #1274390)


Chapter 16. Servers and Services


PHP cURL module now supports TLS 1.1 and TLS 1.2
Support for the TLS protocol version 1.1 and 1.2, which was previously made available in the curl
library, has been added to the PHP cURL extension. (BZ #1291667)

squid rebased to version 3.5.20


Squid is a fully-featured HTTP proxy, which offers a rich access control, authorization and logging
environment to develop web proxy and content serving applications. The squid packages have been
upgraded to version 3.5.20. The most notable changes include:
Support for libecap version 1.0
Authentication helper query extensions
Support for named services
Upgraded the squidclient utility
Helper support for concurrency channels
Native FTP Relay
Receive PROXY protocol, versions 1 and 2
SSL server certificate validator
Note directive for annotating transactions
TPROXY support for BSD systems
spoof_client_ip directive for managing TPROXY spoofing
Various Access Control updates
Support for the OK, ERR, and BH response codes and the kv-pair options from any helper
Improved pipeline queue configuration
Multicast DNS (BZ #1273942)

Dovecot has tcp_wrappers support enabled


Dovecot is an IMAP server, primarily written with security in mind. It also contains a small POP3
server and supports e-mail in either the Maildir or Mbox format.
In this update, Dovecot is built with tcp_wrappers support enabled. You can now limit network access
to Dovecot using tcp_wrappers as an additional layer of security. (BZ #1229164)

Necessary classes added to allow log4j as Tomcat logging mechanism


Due to missing tomcat-juli.jar and tomcat-juli-adapters.jar files, the log4j utility
could not be used as the Tomcat logging mechanism. The necessary classes have been added and
log4j can now be used for logging. (BZ #1133070)


MySQL-python rebased to version 1.2.5


The MySQL-python packages have been upgraded to upstream version 1.2.5, which provides a
number of bug fixes and enhancements over the previous version. Notably, a bug causing
ResourceClosedError in neutron and cinder services has been fixed. (BZ #1266849)

The BIND server now supports CAA records


Certification Authority Authorization (CAA) support has been added to the Berkeley Internet Name
Domain (BIND) server. Now, users can restrict Certification Authorities by specifying the DNS record.
(BZ #1306610)


Chapter 17. Storage


New kernel subsystem: libnvdimm
This update adds libnvdimm, a kernel subsystem responsible for the detection, configuration, and
management of Non-Volatile Dual Inline Memory Modules (NVDIMMs). As a result, if NVDIMMs are
present in the system, they are exposed through the /dev/pmem* device nodes and can be
configured using the ndctl utility. (BZ #1269626)

New packages: nvml


The nvml packages contain the Non-Volatile Memory Library (NVML), a collection of libraries for
using memory-mapped persistence, optimized specifically for persistent memory. (BZ #1274541)

SCSI now supports multiple hardware queues
The nr_hw_queues field is now present in the Scsi_Host structure, which allows drivers to use the
field. (BZ #1308703)

The lvextend command no longer attempts to resize a file system when the
size of the logical volume has not changed
Previously, if the lvextend command was not able to resize a logical volume, the size of the logical
volume did not change but an attempt was made to resize the file system. With this fix, if a logical
volume does not change size, the lvextend command does not try to resize the file system. As a
result, the exit code returned from the command has also changed in this circumstance.
(BZ #1354396)

Improved LVM locking infrastructure


lvmlockd is a next generation locking infrastructure for LVM. It allows LVM to safely manage shared
storage from multiple hosts, using either the dlm or sanlock lock managers. sanlock allows
lvmlockd to coordinate hosts through storage-based locking, without the need for an entire cluster
infrastructure. For more information, see the lvmlockd(8) man page.
This feature was originally introduced in Red Hat Enterprise Linux 7.2 as a Technology Preview. In
Red Hat Enterprise Linux 7.3, 'lvmlockd' is fully supported. (BZ #1299977)

Support for caching thinly-provisioned logical volumes with limitations


Red Hat Enterprise Linux 7.3 provides the ability to cache thinly provisioned logical volumes. This
brings caching benefits to all the thin logical volumes associated with a particular thin pool.
However, when thin pools are set up in this way, it is not currently possible to grow the thin pool
without removing the cache layer first. This also means that thin pool auto-grow features are
unavailable. Users should take care to monitor the fullness and consumption rate of their thin pools
to avoid running out of space. Refer to the lvmthin(7) man page for information on thinly-provisioned
logical volume and the lvmcache(7) man page for information on LVM cache volumes. (BZ #1371597)


Chapter 18. Virtualization


VT-d posted interrupts
Red Hat Enterprise Linux now supports the Intel Virtualization Technology for Directed I/O (VT-d) in
CPU-side posted interrupts. With the VT-d posted interrupts feature enabled, external interrupts from
direct-assigned devices can be delivered to guests without the need for assistance by the Virtual
Machine Manager, even when the guests are running in non-root mode. (BZ #1172351)

Guests using an RBD volume now use an encoded, encrypted startup secret
Previously, when libvirt generated the QEMU command line arguments for guests using an
authenticated Rados Block Device (RBD) volume, the password to the RBD server would be encoded as
an argument, allowing for the possibility for that password to be decoded. In the current release, the
password is provided as an encoded, encrypted object that QEMU decrypts based on a shared,
encrypted domain key that is valid only while the guest is running. Usage of this form of secret
handling provides the capability for a more secure environment. Subsequent domain restarts will
always generate a unique shared private key between libvirt and QEMU. (BZ #1182074)

Hyper-V storage driver (storvsc) updated


The Hyper-V storage driver (storvsc) was updated from upstream. This provides moderate
performance improvement of I/O operations when using Hyper-V storvsc driver for certain workloads.
(BZ #1287040)

Hyper-V clock source changed to use the TSC page


With this update, the Time Stamp Counter (TSC) page is used as the Hyper-V clock source. The TSC
page provides a more efficient way of computing the per-guest reference counter value than the
previously used model-specific register (MSR). As a result, kernel operations that involve reading
time stamps are now faster. (BZ #1300325)

libguestfs rebased to version 1.32.6


The libguestfs packages have been upgraded to upstream version 1.32.6, which provides a number
of bug fixes and enhancements over the previous version. Notable changes include the following:
The virt-get-kernel utility has been added, which can be used to extract the kernel and initial
RAM file system (initramfs) from a disk image file. For details, see the virt-get-kernel(1) man page.
The virt-dib utility has been added. Its capabilities include building disk image files and
ramdisks. For more information, see the virt-dib(1) man page.
Multiple options have been added for the virt-customize, virt-builder, and virt-sysprep
utilities. (BZ #1218766)

virt-v2v and virt-p2v add support for latest Windows releases
The virt-v2v utility now includes support for converting virtual machines that use Windows 8, 8.1
and 10, and Windows Server 2012 and 2012R2 from the VMware hypervisor to run on KVM, Red Hat
Enterprise Virtualization, and OpenStack. In addition, the virt-p2v utility now includes support for
converting physical machines that use the mentioned Windows systems to virtual machines
compatible with KVM, Red Hat Enterprise Virtualization, and OpenStack. (BZ #1190669)


libvirt administration API added


This update enables an administration interface for the libvirtd service. Unlike persistent
libvirtd configuration, which can be adjusted using the libvirtd.conf file and requires
daemon restart each time it is modified, the administration interface enables users to change the
daemon settings at any time. In addition, the administration interface provides multiple means of
monitoring current daemon settings.
Specifically, the operations that the API enables include the following:
Listing all daemon servers
Listing all client connections
Providing detailed information about a client connection
Closing individual client connections in a forceful manner
Reconfiguration of the limits to number of allowed clients and active worker threads on the host.
The administration interface can be controlled using the virt-admin tool, which is based on the
existing virsh client. For more information, see the virt-admin(1) man page. (BZ #735385)

virt-p2v is fully supported
The virt-p2v tool, introduced in Red Hat Enterprise Linux 7.2 as a Technology Preview, is now fully
supported. It enables converting physical machines to virtual machines compatible with the KVM
hypervisor.
virt-p2v is provided as an ISO image that contains a minimal Red Hat Enterprise Linux distribution
and the tool itself. To convert a physical machine, burn the ISO image to a CD and use it to boot the
physical machine. PXE booting and USB booting are also supported. Afterwards, follow the
on-screen instructions to perform a manual conversion or activate the automated conversion.
For further information, install the virt-v2v package and see the virt-p2v(1) manual page.
(BZ #1358332)

WALinuxAgent rebased to version 2.1.5


The Windows Azure Linux Agent has been upgraded to upstream version 2.1.5, which provides a
number of bug fixes and enhancements over the previous version. This agent supports the
provisioning and running of Linux Virtual Machines in the Windows Azure cloud and should be
installed on Linux images that are built to run in the Windows Azure environment. The WALinuxAgent
package is provided in the Extras channel. (BZ #1296359)

New package: libvirt-nss


Red Hat Enterprise Linux 7.3 adds the libvirt-nss package, which enables you to use the libvirt Network
Security Services (NSS) module. This module makes it easier to connect to guests with TLS, SSL,
SSH, as well as other remote login services. In addition, it benefits utilities that use host name
translation, such as ping. For more information, see the Red Hat Enterprise Linux 7 Virtualization
Deployment and Administration Guide. (BZ #1325996)

Intel Xeon v5 processors supported on KVM guests


Support for Intel Xeon v5 processors has now been added to the KVM hypervisor and kernel code,
and to the libvirt API. This enables KVM guest virtual machines to use the following features:
MPX, XSAVEC, XGETBV1. (BZ #1327599)

VirtIO 1.0 full support


VirtIO 1.0 devices, introduced in Red Hat Enterprise Linux 7.2 as a Technology Preview, are now fully
supported. This enables a number of virtualization features when using the Intel Q35 Express
Chipset on the guest. These features include PCI Express (PCIe) chipset and ports, Advanced Host
Controlled Interface (AHCI), and PCI device assignment to PCIe ports. Note that certain Q35 Express
Chipset features remain unsupported, such as legacy PCI bridges and legacy PCI devices.
(BZ #1227339)

libvirt iptables rules can be manually managed for a specified network
libvirt automatically generates and applies iptables rules appropriate for each type of network it
creates. The rules are controlled by forward mode in the configuration of each network. Previously,
there was no way for users to disable these automatically generated iptables rules and manually
manage the iptables rules. In the current release, the open network forward mode was added.
When specified for a network, libvirt does not generate any iptables rules for the network. As a
result, iptables rules added outside the scope of libvirt are not disrupted and users can manually
manage iptables rules. (BZ #846810)


Chapter 19. Atomic Host and Containers


Red Hat Enterprise Linux Atomic Host
Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system
optimized to run Linux containers. See the Atomic Host and Containers Release Notes for the latest
new features, known issues, and Technology Previews.


Chapter 20. Red Hat Software Collections


Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming
languages, database servers, and related packages that you can install and use on all supported
releases of Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 on AMD64 and Intel 64
architectures.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections
do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in
preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism
based on the scl utility to provide a parallel set of packages. This set allows for optional use of
alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can pick
and choose which package version they want to run at any time.
Red Hat Developer Toolset is now a part of Red Hat Software Collections. It is included as a separate
Software Collection. Red Hat Developer Toolset is designed for developers working on the Red Hat
Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU
Debugger, Eclipse development platform, and other development, debugging, and performance
monitoring tools.

Important
Red Hat Software Collections has a shorter life cycle and support term than Red Hat
Enterprise Linux. For more information, see the Red Hat Software Collections Product Life
Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system
requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components
included in this Software Collection, installation, usage, known problems, and more.


Part II. Notable Bug Fixes


This part describes bugs fixed in Red Hat Enterprise Linux 7.3 Beta that have a significant impact on
users.


Chapter 21. General Updates


Shortening of long network device names
Previously, some network devices had unacceptably long names. This was due to certain firmware
reporting meaningless data, such as the device's onboard index value, which the kernel passed
to user-space. This resulted in problems with maximum name length, especially with VLANs. With this
update, systemd rejects unacceptably long names and falls back to a different naming scheme. As a
result, long network device names will no longer appear.
IMPORTANT: This means that names on existing installations might change. (BZ #1230210)

A fix for systemd to read the device identification bytes correctly
Due to an endianness problem, the version of systemd in Red Hat Enterprise Linux 7.2 read the
device identification bytes in a wrong order, causing the /dev/disk/by-id/wwn-* symbolic links
to be generated incorrectly. A patch has been applied to put the device identification bytes in the
correct order and the symbolic links are now generated correctly. Any reference that depends on the
value obtained from /dev/disk/by-id/wwn-* needs to be modified to work correctly in Red Hat
Enterprise Linux 7.3 and later. (BZ #1308795)

The value of net.unix.max_dgram_qlen increased to 512


Previously, the default value of the net.unix.max_dgram_qlen kernel option was 16. As a
consequence, when the network traffic was too high, certain services could terminate unexpectedly.
This update sets the value to 512, thus preventing this problem. Users need to reboot the machine to
apply this change. (BZ #1267707)


Chapter 22. Authentication and Interoperability


The idmap_hash module now works correctly when used with other modules
Previously, the idmap_hash module worked incorrectly when it was used together with other
modules. As a consequence, user and group IDs were not mapped properly. A patch has been
applied to skip already configured modules. Now, the hash module can be used as the default idmap
configuration back end and IDs are resolved correctly. (BZ #1316899)


Chapter 23. Clustering


The DLM now detects and reports connection problems
Previously, the Distributed Lock Manager (DLM) used for cluster communications expected TCP/IP
packet delivery and waited for responses indefinitely. As a consequence, if a DLM connection was
lost, there was no notification of the problem. With this update, the DLM detects and reports when
cluster communications are lost. As a result, DLM communication problems can be identified, and
cluster nodes that become unresponsive can be restarted once the problems are resolved.
(BZ #1267339)

Pacemaker correctly interprets systemd responses and systemd services
are stopped in proper order at cluster shutdown
Previously, when a Pacemaker cluster was configured with systemd resources and the cluster was
stopped, Pacemaker could mistakenly assume that a systemd service had stopped before it actually
had stopped. As a consequence, services could be stopped out of order, potentially leading to stop
failures. With this update, Pacemaker now correctly interprets systemd responses and systemd
services are stopped in the proper order at cluster shutdown. (BZ #1286316)

Pacemaker now distinguishes transient failures from fatal failures when
loading systemd units
Previously, Pacemaker treated all errors loading a systemd unit as fatal. As a consequence,
Pacemaker would not start a systemd resource on a node where it could not load the systemd unit,
even if the load failed due to transient conditions such as CPU load. With this update, Pacemaker
now distinguishes transient failures from fatal failures when loading systemd units. Logs and cluster
status now show more appropriate messages, and the resource can start on the node once the
transient error clears. (BZ #1346726)

Pacemaker now removes node attributes from its memory when purging a
node that has been removed from the cluster
Previously, Pacemaker's node attribute manager removed attribute values from its memory but not
the attributes themselves when purging a node that had been removed from the cluster. As a result, if
a new node was later added to the cluster with the same node ID, attributes that existed on the
original node could not be set for the new node. With this update, Pacemaker now purges the
attributes themselves when removing a node and a new node with the same ID encounters no
problems with setting attributes. (BZ #1338623)

Pacemaker now correctly determines expected results for resources that are
in a group or depend on a clone
Previously, when restarting a service, Pacemaker's crm_resource tool (and thus the pcs
resource restart command) could fail to properly determine when affected resources successfully
started. As a result, the command could fail to restart a resource that is a member of a group, or the
command could hang indefinitely if the restarted resource depended on a cloned resource that
moved to another node. With this update, the command now properly determines expected results for
resources that are in a group or depend on a clone. The desired service is restarted, and the
command returns. (BZ #1337688)


Fencing now occurs when DLM requires it, even when the cluster itself does
not
Previously, DLM could require fencing due to quorum issues, even when the cluster itself did not
require fencing, but would be unable to initiate it. As a consequence, DLM and DLM-based services
could hang waiting for fencing that never happened. With this fix, the ocf:pacemaker:controld
resource agent now checks whether DLM is in this state, and requests fencing if so. Fencing now
occurs in this situation, allowing DLM to recover. (BZ #1268313)


Chapter 24. Compiler and Tools


Removal of purposeless warning message for physically non-existing nodes
Previously, when the numa_node_to_cpus() function was called on a node which did not have an
entry in the sysfs directory, the libnuma library always printed a warning message about an invalid
sysfs. Consequently, libnuma printed the confusing warning message also for physically
non-existing nodes (for example, for non-contiguous node numbers) and this warning could not be
overridden when the function was called using the dlsym interface. With this update, the mentioned
warning message is printed just for NUMA nodes that were found during an initial scan but then did
not appear in sysfs. As a result, users of libnuma no longer receive the warning message for
non-contiguous node numbers. (BZ #1270734)

Origin plug-in added to the sos package
The origin plug-in has been added to the sos package. The plug-in collects information about
OpenShift Origin and related products, such as Atomic Platform or OpenShift
Enterprise 3 and higher. This allows users to gather information about OpenShift Origin
deployments. (BZ #1246423)

Selection of OpenJDK version family now remembered across updates


Prior to this update, when a user had multiple JDKs installed, yum update always updated to the
newest JDK even if the user had previously selected some lower-prioritized JDK. This update
introduces the --family switch for chkconfig, which makes sure that the selected JDK remains in
the version 'family' after system updates. (BZ #1296413)

RC4 is now disabled by default in OpenJDK 6 and OpenJDK 7


Earlier OpenJDK packages allowed the RC4 cryptographic algorithm to be used when making secure
connections using Transport Layer Security (TLS). This algorithm is no longer secure, and it has
been disabled in this release. To retain its use, it is necessary to revert to the earlier setting of the
jdk.tls.disabledAlgorithms property, which was SSLv3, DH keySize < 768. This can be done
permanently in the <java.home>/jre/lib/security/java.security file or by adding the
following line:
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
to a new text file and passing the location of that file to Java on the command line using the
-Djava.security.properties=<path to file> argument. (BZ #1302385)
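
The two mechanisms described above can be audited to find hosts where RC4 has been re-enabled. The following is an added example, not code from Red Hat or OpenJDK: the function names are hypothetical, the master-file sample that lists RC4 is constructed, and '=' is assumed as the only key/value separator.

```python
"""Audit java.security text for whether TLS may still negotiate RC4."""

PROP = "jdk.tls.disabledAlgorithms"
OVERRIDE_SWITCH = "security.overridePropertiesFile"


def parse_properties(text):
    """Parse java.security-style 'key=value' text into a dict.

    Handles '#'/'!' comment lines and backslash line continuations, which
    java.security uses for long algorithm lists. Assumes '=' as separator.
    """
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            logical += line[:-1]      # join with the next physical line
            continue
        logical += line
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()
        logical = ""
    return props


def effective_properties(master_text, override_text=None):
    """Merge an override file over the master java.security file.

    The file named by -Djava.security.properties is only honoured when the
    master file sets security.overridePropertiesFile=true.
    """
    merged = parse_properties(master_text)
    honoured = merged.get(OVERRIDE_SWITCH, "").lower() == "true"
    if override_text is not None and honoured:
        merged.update(parse_properties(override_text))
    return merged


def rc4_allowed(props):
    """True if RC4 is absent from jdk.tls.disabledAlgorithms.

    Returns None when the property is not set in the supplied text, so the
    caller can tell "not configured here" apart from an explicit value.
    """
    if PROP not in props:
        return None
    entries = [e.strip() for e in props[PROP].split(",") if e.strip()]
    # The first word of each entry is the algorithm name ("DH keySize < 768").
    names = {e.split()[0].upper() for e in entries}
    return "RC4" not in names


# Constructed sample of a master java.security that disables RC4 (not copied
# from any shipped file); the continuation line is deliberate.
MASTER_RC4_DISABLED = r"""
security.overridePropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, RC4, \
    DH keySize < 768
"""

# The earlier setting quoted in the release note, placed in an override file.
OVERRIDE_EARLIER = "jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768\n"

if __name__ == "__main__":
    for label, override in (("master only", None),
                            ("with override file", OVERRIDE_EARLIER)):
        props = effective_properties(MASTER_RC4_DISABLED, override)
        print(label, "-> RC4 allowed:", rc4_allowed(props))
```

Running the same check over the override files referenced by service start-up scripts shows which Java services have opted back in to RC4.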

system-switch-java rebased to version 1.7
The system-switch-java package, which provides an easy-to-use tool to select the default Java toolset
for the system, has been updated to version 1.7. The new version has been rewritten to support
modern JDK packages. The main enhancements include support for multiple Java installations,
addition of -debug packages, and support for JDK 9. (BZ #1283904)

zsh no longer deadlocks on malloc() execution
Previously, if the zsh process received a signal during the execution of a memory allocation function
and the signal handler attempted to allocate or free memory, zsh entered a deadlock and became
unresponsive. With this update, signal handlers are no longer enabled while handling the global
state of zsh or while using the heap memory allocator. This ensures that the described deadlock no
longer occurs. (BZ #1267912)

SCSI device types described using multiple words are now handled correctly
Prior to this update, the rescan-scsi-bus.sh tool misinterpreted SCSI device types that were
described using more than one word, for example, Medium Changer or Optical Device.
Consequently, when the script was run on systems that had such device types attached, the script
printed multiple misleading error messages. With this update, device types described with multiple
words are handled correctly, and the proper device-type description is returned to the user without
any errors. (BZ #1298739)

gdbserver now supports seamless debugging of processes from containers
Prior to this update, when GDB was executing inside a Super-Privileged Container (SPC) and
attached to a process that was running in another container on Red Hat Enterprise Linux Atomic
Host, GDB did not locate the binary images of the main executable or any shared libraries loaded by
the process to be debugged.
As a consequence, GDB may have displayed error messages relating to files not being present, or
being present but mismatched. Also, GDB may have seemed to attach correctly, but subsequent
commands may have failed or displayed corrupted information.
In Red Hat Enterprise Linux 7.3, gdbserver has been extended for seamless support of debugging
processes from containers. The Red Hat Enterprise Linux 7.3 version of gdbserver newly supports
the qXfer:exec-file:read and vFile:setfs packets. However, the Red Hat Enterprise Linux
7.3 version of gdb cannot use these packets. The Red Hat Developer Toolset 4.1 (or higher) version
of gdb is recommended for use with containers and with Red Hat Enterprise Linux 7.3 gdbserver.
The Red Hat Developer Toolset version of gdbserver can be used as well.
Red Hat Enterprise Linux 7.3 gdb can now suggest using gdbserver when run with the -p
parameter (or the attach command) and when, at the same time, it detects that the process being
attached is from a container. Red Hat Enterprise Linux 7.3 gdb now also suggests the explicit use of
the file command to specify the location of the process executable in the container being
debugged. The file command does not need to be entered when the Red Hat Developer Toolset
version of gdb is being used instead.
With this update, Red Hat Enterprise Linux 7.3 gdbserver provides seamless debugging of
processes from containers together with Red Hat Developer Toolset 4.1 (or higher) gdb. Additionally,
Red Hat Enterprise Linux 7.3 gdb guides the user through the debugging of processes from
containers when Red Hat Developer Toolset gdb is not available. (BZ #1186918)

GDB no longer reports spurious SIGTRAP signals on the 64-bit ARM architecture
Prior to this update, GDB reported spurious SIGTRAP signals when a false watchpoint was detected
by the processor on the 64-bit ARM architecture. GDB can now detect a hardware reason why the
SIGTRAP signal occurred, and spurious SIGTRAP signals are no longer reported when hardware
watchpoints are in use. (BZ #1261564)

GDB no longer kills running processes with deleted executables
Prior to this update, GDB attempting to attach to a running process with a deleted executable would
accidentally kill the process. This bug has been fixed, and GDB no longer erroneously kills
processes with deleted executables. (BZ #1326476)

GDB now generates smaller core files and respects core-dump filtering
The gcore command, which provides GDB with its own core-dumping functionality, has been
updated to more closely simulate the function of the Linux kernel core-dumping code, thus
generating smaller core-dump files. GDB now also respects the /proc/PID/coredump_filter file,
which controls what memory segments are written to core-dump files. (BZ #1265351)

The opreport and opannotate utilities now properly analyze archive data
Previously, when using oparchive to store data, the associated samples were not included in the
archive. In addition, the oprofile utilities selected data in the current working oprofile_data
directory rather than in the archive. Consequently, the opreport and opannotate utilities were unable
to properly analyze data in an archive generated by oparchive. This update provides a fix for
storing the profiling samples in the archive and selecting them for use with archives, and opreport
and opannotate now work as expected. (BZ #1264443)

Events with identical numerical unit masks are now handled by their names
The 5th-generation Core i3, i5, and i7 Intel processors have some events that have multiple unit
masks with the same numerical value. As a consequence, some events' default unit masks were not
found and selected. This update changes the events to use a name rather than a numerical value for
the default unit mask, thus fixing this bug. (BZ #1272136)

More accurate PAPI_L1_DC* event on IBM Power7 and IBM Power8 platforms
Previously, the PAPI event presets for cache events incorrectly computed derived values for various
IBM Power7 and Power8 processors. Consequently, the PAPI_L1_DCR, PAPI_L1_DCW, and
PAPI_L1_DCA event values were incorrect. The preset computations have been fixed and the
mentioned events are now more accurate. (BZ #1263666)

Chapter 25. Desktop


Sphinx builds HTML documentation in FIPS mode properly
Previously, the Python Sphinx generator failed to build documentation in the HTML format on
systems with FIPS mode activated. With this update, the use of the md5() function has been fixed by
setting the used_for_security parameter to false. As a result, Sphinx now builds HTML
documentation as expected. (BZ #966954)

Poppler no longer renders certain characters incorrectly
Previously, the Poppler library did not map correctly to character code. As a consequence,
Poppler showed the 'fi' string instead of showing the correct glyph, or nothing, if the font did not
contain necessary glyphs. With this update, the characters previously replaced with the 'fi' string are
shown correctly. (BZ #1298616)

Poppler no longer tries to access memory behind the array
Memory corruption due to exceeding the length of an array caused the Poppler library to terminate
unexpectedly. A fix has been applied to not allow Poppler to try to access memory behind the array,
and Poppler no longer crashes in the described situation. (BZ #1299506)

pdftocairo no longer crashes when processing a PDF without group color space
Previously, the Poppler library tried to access a non-existing object when processing a PDF
without group color space. As a consequence, the Poppler library terminated unexpectedly with a
segmentation fault. A patch has been applied to verify if group color space exists. As a result,
Poppler no longer crashes, and the pdftocairo utility works as expected in the described
situation. (BZ #1299479)

Poppler no longer terminates unexpectedly during text extraction
Previously, writing after the end of the lines array could cause memory corruption. As a
consequence, the Poppler library could terminate unexpectedly. A patch has been applied and
the array is now always relocated when an item is added. As a result, Poppler no longer crashes in the
described situation. (BZ #1299481)

pdfinfo no longer terminates unexpectedly due to asserting broken encryption information
Previously, Poppler tried to obtain broken encryption owner information. As a consequence, the
pdfinfo utility terminated unexpectedly. A fix has been applied, and Poppler no
longer asserts broken encryption information. As a result, pdfinfo no longer crashes in the
described situation. (BZ #1299500)

Evince no longer crashes when viewing a PDF
Previously, screen annotation and form fields passed a NULL pointer to _poppler_action_new,
and Poppler created a false PopplerAction when viewing certain PDFs in the Evince
application. As a consequence, Evince terminated unexpectedly with a segmentation fault. A patch
has been applied to modify _poppler_annot_screen_new and
poppler_form_field_get_action to pass PopplerDocument instead of NULL. As a result,
Evince no longer crashes in the described situation. (BZ #1299503)

Virtual machines started by GNOME Boxes are no longer accessible to every user
Previously, virtual machines started by GNOME Boxes were listening on a local TCP socket. As a
consequence, any user could connect to any virtual machine started by another user. A patch has
been applied and GNOME Boxes no longer opens such sockets by default. As a result, the virtual
machines are now accessible through SPICE only to the user who owns the virtual machine.
(BZ #1043950)

FreeRDP now recognizes wildcard certificates
Previously, wildcard certificates support was not implemented in FreeRDP. As a consequence,
wildcard certificates were not recognized by FreeRDP, and the following warning was displayed
when connecting:
WARNING: CERTIFICATE NAME MISMATCH!
Missing functionality has been backported from upstream and code for comparing host names was
improved. As a result, the mentioned prompt is no longer shown if a valid wildcard certificate is used.
(BZ #1275241)
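
A sketch of the kind of host-name comparison the FreeRDP entry above refers to, added here as an illustration and not FreeRDP's own code. The matching rules (a wildcard is accepted only as the whole left-most label and covers exactly one label) follow common TLS client practice and are an assumption about the intended behaviour; all function names and host names are constructed.

```python
"""Compare a server host name against certificate names, wildcards included."""
import ipaddress


def _is_ip(host):
    """True if `host` is an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(pattern, hostname):
    """Return True if the certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if _is_ip(hostname) or "*" not in pattern:
        # IP literals and plain names: exact, case-insensitive match only.
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        # Reject partial wildcards ("r*.example.com") and wildcards that
        # are not in the left-most label ("rdp.*.example.com").
        return False
    if len(p_labels) < 3:
        # Refuse patterns as broad as "*.com".
        return False
    # "*" stands for exactly one non-empty label.
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def certificate_covers(cert_names, hostname):
    """True if any name from the certificate (CN or SAN entries) matches."""
    return any(name_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed certificate names and targets, using reserved example domains.
    names = ["gateway.example.com", "*.corp.example.com"]
    for target in ("ts01.corp.example.com",    # covered by the wildcard
                   "corp.example.com",         # bare domain: not covered
                   "a.b.corp.example.com",     # two labels deep: not covered
                   "gateway.example.com"):     # exact name
        verdict = "match" if certificate_covers(names, target) else "NAME MISMATCH"
        print(f"{target:28} {verdict}")
```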

Chapter 26. Directory Server in Red Hat Enterprise Linux


The cleanAllRUV task no longer logs false attrlist_replace errors
A memory corruption bug in the cleanAllRUV task was causing attrlist_replace error
messages to be logged by mistake. The task has been updated to use a different function for memory
copying, and it no longer writes false error messages to logs. (BZ #1288229)

Connection objects no longer deadlock


Previously, an unnecessary lock was sometimes acquired on a connection object, which could then
cause a deadlock. A patch has been applied to remove the unnecessary locking, and the deadlock
no longer occurs. (BZ #1278755)

Abandon requests for simple paged results searches no longer cause a crash
Prior to this update, Directory Server could receive an abandon request for a simple paged results
search after the abandon check was completed but before the results were fully sent. In this case, the
abandon request was processed while the results were being sent, which caused Directory Server to
crash. This update adds a lock which prevents abandon requests from being processed while the
results are already being sent, and the crash no longer occurs. (BZ #1278567)

Simple paged results search slots are now correctly released after a failure
Previously, if a simple paged results search failed in the back end, the simple paged results slot was
not released. Consequently, multiple simple paged results slots could be accumulated in a
connection object. With this update, the simple paged results slot is released correctly when a search
fails, and unused simple paged results slots are no longer left in a connection object. (BZ #1290242)

Deleting a back end database no longer causes deadlocks


Transaction information was previously not passed to one of the database helper functions during
back end deletion. Consequently, a deadlock occurred if a plug-in attempted to access data in the
area locked by the transaction. This update ensures that transaction information is passed to all
necessary database helper functions, and the deadlock no longer occurs. (BZ #1273555)

Deleting and adding the same LDAP attribute now correctly updates the equality index
Previously, when several values of the same LDAP attribute were deleted using the ldapmodify
command, and at least one of them was added again during the same operation, the equality index
was not updated. As a consequence, an exact search for the re-added attribute value did not return
that entry. The logic of the index code has been modified to update the index if at least one of the
values in the entry changes, and the exact search for the re-added attribute value now returns the
correct entry. (BZ #1290600)

Abandon requests in simple paged results searches no longer cause deadlocks
An exclusive connection lock was previously added as part of a bug fix related to abandon requests
in simple paged results searches. However, in specific circumstances, this new lock caused a
self-deadlock. This update makes the lock reentrant, and self-deadlocks no longer occur during simple
paged results searches. (BZ #1295947)

Simple paged results searches no longer return 0 instead of the actual results
Previously, when a simple paged results slot in a connection was discarded due to an error such as
SIZELIMIT_EXCEEDED, the discarded slot was not cleaned up properly. Subsequent searches
which reused this slot then always returned 0. With this update, discarded simple paged results slots
are cleaned up correctly, and searches return correct results even with reused slots. (BZ #1331343)

ACL plug-in no longer crashes due to missing pblock object
When a persistent search ("psearch") was launched by a bind user without sufficient permissions,
the access permissions object in cache failed to reset to point the initial pblock structure to the
permanent structure. As a consequence, the access control list (ACL) plug-in could crash the server
due to a missing pblock object. This update ensures that the initial object is reset to the permanent
structure, and Directory Server no longer crashes in this situation. (BZ #1302823)

Password conversion from DES to AES now works properly
During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the
Reversible Password Plug-in was changed from DES to AES. Directory Server automatically
converted all passwords to the new algorithm upon upgrade. However, password conversion failed
with an error 32 if any defined back end was missing the top entry. Additionally, even if the
conversion failed, 389-ds-base still disabled the DES plug-in, which caused existing passwords to fail
to decode.
This bug has been fixed. 389-ds-base now ignores errors when searching back ends for passwords
to convert, and the DES plug-in is now only disabled after all passwords are successfully converted
to AES. (BZ #1320715)

Failed replication updates are now retried correctly in the next session
If a replica update failed on the consumer side and was followed by another update that succeeded,
the consumer's replication status was updated by the successful update, which caused the
consumer to seem as if it was up to date. Consequently, the failed update was never retried, leading
to data loss. With this update, a replication failure closes the connection and stops the replication
session. This prevents further updates from changing the consumer's replication status, and allows
the supplier to retry the failed operation in the next session, avoiding data loss. (BZ #1310848)

The LICENSE file now shows correct license information
Previously, the output of the rpm -qi 389-ds-base command displayed an incorrect License field
with an earlier license, GPLv2 with exceptions. This problem has been fixed and the 389-ds-base
package now provides the correct license information (the GPLv3+ license) in its LICENSE file.
(BZ #1315893)

Passwords reset by administrators are now stored in password history
When a user password was reset by an administrator, the old password was previously not stored in
the user's password history. This allowed the user to reuse the same password after the reset. With
this update, passwords reset manually by administrators are stored in password history, and the
user must use a different password. (BZ #1332709)

Entries rejected by multiple plug-ins no longer show up in searches
Previously, when an entry was rejected by multiple back end transaction plug-ins (for example, Auto
Membership or Managed Entry) at the same time, the entry cache was left in an inconsistent state.
This allowed a search to return the entry even though it was not added. With this update, the entry
cache which stores the Distinguished Name (DN) of the entry is properly cleaned up when an add
operation fails, and rejected entries are no longer returned by ldapsearch. (BZ #1304682)

Running db2index with no options no longer causes replication failures
When running the db2index script with no options, the script failed to handle on-disk Replica
Update Vector (RUV) entries because these entries have no parent entries. The existing RUV was
skipped and a new one was generated instead, which subsequently caused the next replication to
fail due to an ID mismatch. This update fixes handling of RUV entries in db2index, and running this
script without specifying any options no longer causes replication failures. (BZ #1340307)

Promoting a consumer to a master no longer fails due to duplicate ID errors
Previously, when a consumer instance was promoted to master, a new element was appended to the
end of the replica update vector (RUV). However, when attempting to replicate from the newly
promoted master, the remote checked the first element of the RUV instead of the last one, which
caused it to abort the replication session due to a duplicate ID. With this update, the RUV is
reordered when promoting a replica to a master, and replication from masters which were previously
replicas no longer fails. (BZ #1278987)

nsslapd now correctly sets its working directory
A regression introduced in an earlier bug fix caused nsslapd to skip setting its working directory
(the nsslapd-workingdir attribute) by default when it was started by systemd. This bug has
been fixed and the working directory is being set during startup again. (BZ #1360447)

Chapter 27. File Systems


The quota RPC service is no longer unavailable
After upgrading the nfs-utils packages, the nfs-rquotad.service systemd service was
previously unavailable on the system after starting the quota Remote Procedure Call (RPC) service.
To fix this bug, the quota packages now include a new rpc-rquotad.service systemd service,
which provides the quota RPC service that allows querying and setting disk quotas over a network.
The service can be configured in the /etc/sysconfig/rpc-rquotad file. The nfs-rquotad
service alias is also provided to ensure compatibility with earlier versions. As a result, the quota
RPC service is now available on Red Hat Enterprise Linux 7 as expected in the described situation.
(BZ #1207239)

Chapter 28. Hardware Enablement


Primary bond interface no longer takes over active interfaces that did not fail
The primary_reselect=failure bond parameter previously worked incorrectly. The primary interface
was always taking over even if others did not fail. With this update, the parameter works as expected
and the primary bond interface only takes over if the current non-primary active interface fails.
(BZ #1301451)

Removing a USB device no longer causes a race condition


Previously, removing a USB device caused a problem in synchronization, which could lead to a race
condition. With this update, the timer is initialized early enough, which prevents the possibility of a
race condition. (BZ #1290202)

The kernel now boots on AMD Turion II systems


Previously, because of a livelock in the tick broadcast code, AMD Turion II systems locked up and
became unresponsive during boot. With this update, the livelock is fixed, and the kernel now boots
on AMD Turion II systems. (BZ #1265283)

Real-time systems with many CPUs no longer have large latencies due to run-queue lock contention
Previously, on real-time systems, multiple CPUs tried to take an rq lock, which resulted in lock
contention and a latency. The latency was multiplied by the number of CPUs, which caused the
systems with many CPUs to have large latencies. With this update, systems with more than 32 cores
use the "push" approach rather than "pull", which prevents long lists of CPUs in critical areas. As
a result, real-time systems with many CPUs no longer have large latencies due to run-queue lock
contention. (BZ #1209987)

The kernel no longer crashes when enabling multi-queue support with NVM Express device driver
Previously, there was a bug in the core block device code that could lead to the kernel terminating
unexpectedly when enabling multi-queue support on the Nonvolatile Memory (NVM) Express
(nvme) device driver. Though that issue was observed with the nvme driver, other block devices
could also be affected, which could also cause the kernel to crash. With this update, this bug has
been fixed, and the kernel works as expected. (BZ #1303255)

The CPU frequency now reaches the requested value
Previously, the CPU frequency numbers were rounded incorrectly by the intel_pstate driver.
Consequently, the CPU frequency was lower than the user requested. With this update, the rounding
errors have been fixed, and the CPU frequency now reaches the requested value. (BZ #1279617)

The get_cpu_light/put_cpu_light function in FCoE code has been fixed
Previously, in the Fibre Channel over Ethernet (FCoE) code in the real-time kernel, the
get_cpu_light/put_cpu_light function had an imbalance in pairing. Consequently,
preemption was disabled, and BUG: scheduling while atomic happened in the FCoE code.
With this update, the get_cpu_light/put_cpu_light function has been fixed, and the bug no
longer occurs. (BZ #1258295)

The performance of IBM Power Systems is no longer decreased
Previously, due to a regression, the Non-Uniform Memory Access (NUMA) node was not reported for
PCI adapters. This caused a significant decrease in the performance of every IBM Power System
deployed with Red Hat Enterprise Linux 7. With this update, the regression has been fixed, and the
system performance is no longer decreased in this situation. (BZ #1273978)

The system no longer crashes while setting up the DMA transfer
Due to the inconsistencies in the page size of Input/Output Memory Management Unit (IOMMU), the
Nonvolatile Memory Express (NVMe) device, and the kernel, the BUG_ON signal previously occurred
in the nvme_setup_prps() function. This led to a system crash while setting up the Direct Memory
Access (DMA) transfer. With this update, the default NVMe page size is set to 4k, and the system crash
no longer occurs. (BZ #1245140)

Kernel no longer hangs during hot-unplug
Due to retry-able command errors, the NVMe driver previously leaked I/O descriptors and dma
mappings. As a consequence, the kernel could become unresponsive during the hot-unplug
operation if a drive was removed. This update fixes the driver memory leak bug on command retries,
and the kernel no longer hangs in this situation. (BZ #1271860)

Disabling the Large Receive Offload (LRO) flag now propagates correctly


Previously, disabling the Large Receive Offload (LRO) flag was not propagated downwards from
above devices in vlan and bond hierarchy. Consequently, the flow of traffic broke. With this update,
the problem has been fixed and disabling of LRO flags now propagates correctly. (BZ #1266578)

Switching p-states on Intel Xeon v5 platforms now succeeds


Previously, on Intel Xeon v5 platforms, the processor frequency was always tied to the highest
possible frequency. As a consequence, switching p-states on these client platforms failed. This
update sets the idle frequency, busy frequency, and processor frequency values by determining the
range and adjusting the minimum and maximum percent limits values. As a result, switching p-states
on these client platforms now succeeds. (BZ #1264990)

The cpuscaling test no longer fails
The cpuscaling test of the certification test suite previously failed due to a number rounding bug in
the intel-pstate driver. This bug has been fixed and the cpuscaling test now passes.
(BZ #1263866)

The genwqe driver can allocate memory even during memory pressure situations
The genwqe device driver was previously using the GFP_ATOMIC flag for allocating consecutive
memory pages from the kernel's atomic memory pool - even in non-atomic situations. This could lead
to allocation failures during memory pressure. With this update, the genwqe driver's memory
allocations use the GFP_KERNEL flag, and the driver can allocate memory even during memory
pressure situations. (BZ #1270244)

The console no longer hangs
Previously, in the real-time kernel, the hotplug lock and the console semaphore could be acquired
in an incorrect order. This could lead to a deadlock causing the system console to become
unresponsive. With this update, the locks are acquired in the correct order, and the console no longer
hangs. (BZ #1269647)

LRO is now disabled by default in the ixgbe driver
Because Large Receive Offload (LRO) is incompatible with forwarding and bridging and can cause
performance problems and instability, it is now disabled by default in the ixgbe driver.
To enable LRO:
# ethtool -K ethX lro on
Replace ethX with the name of the interface. (BZ #1266948)

The nx842 co-processor for IBM Power Systems no longer provides corrupted data
Previously, the nx842 co-processor for IBM Power Systems could in some circumstances provide
invalid data. This was caused by a data corruption bug that occurred during uncompression. With
this update, all compression and uncompression calls to the nx842 co-processor contain a cyclic
redundancy check (CRC) flag. This forces all compression and uncompression operations to check
data integrity and prevents the co-processor from providing corrupted data. (BZ #1264905)

The system no longer crashes when calling the mlx4_en_recover_from_oom() function
Previously, when the mlx4_en_recover_from_oom() function was invoked under heavy TCP
stream by the mlx4_en driver, the operating system crashed. This update fixes the bug, and the
system no longer crashes in this scenario. (BZ #1258136)

iw displays regulatory information correctly
Previously, the iw utility did not correctly display the regulatory country after it was set with the iw
reg set command. This update adjusts the iw code to match the Red Hat Enterprise Linux wireless
code more closely. As a result, iw displays the regulatory country information as expected.
(BZ #1324096)

Chapter 29. Installation and Booting


Graphics cards using the ast module can now be used during installation
Due to missing dependencies for the ast module in the installation system, graphics cards that rely
on this module were unable to be used during installation of Red Hat Enterprise Linux 7. These
dependencies have now been added. (BZ #1272658)

Installations can now be performed on disks containing invalid or unsupported partition tables
Previously, when attempting to install Red Hat Enterprise Linux 7 on a disk with a corrupt or
unsupported partition table, the installation failed, most commonly when attempting to write to the
disk. Support for the removal of invalid and unsupported partition tables has been added, and
installations can now be performed on disks with such partition tables. (BZ #1266199)

Multiple inst.dd options are now supported to load driver disks
The job for loading driver disks based on the inst.dd option was scheduled with a unique option.
When multiple inst.dd sources were specified as boot options, only the last one was actually
loaded and applied. This update ensures the job is no longer called as unique. As a result, multiple
inst.dd boot options can now be specified to provide drivers via multiple driver update images
from different sources. (BZ #1268792)

Help for the subscription manager screen during installation
The installer's built-in help system now includes information regarding the subscription manager
screen. (BZ #1260071)

The Initial Setup utility starts correctly
Due to a race condition between the initial-setup-text service and the initial-setup-graphical
service, the interface of the Initial Setup utility sometimes started incorrectly. The
two services have now been combined into a single service, initial-setup. The original services
are still available for compatibility, but are not used by default. As a result, the interface now displays
correctly. (BZ #1249598)

VNC installation using IPv6 works correctly
Due to an error in the processing of IPv6 addresses, IPv6 address lookup failed. Consequently, it
was not possible to install through VNC using IPv6. This bug has been fixed. (BZ #1267872)

HyperPAV aliases used during installation are now available on the installed system
Previously, HyperPAV aliases activated during installation were not correctly configured on the
installed system. HyperPAV handling has now been improved, and any HyperPAV aliases used
during installation are now automatically configured on the installed system. (BZ #1031589)

Improved support for network boot on EFI platforms
Due to a bug related to handling certain implementations of Simple Networking Protocol (SNP),
network boot using PXE failed on some EFI-based platforms. This bug has been fixed and network
boot on these platforms now works. (BZ #1273974)

Errors in custom partitioning are correctly detected


Previously, errors in custom partitioning were not displayed to the user properly, allowing the
installation to continue with an invalid custom partition configuration, leading to unexpected
behavior. This bug has been fixed and errors in custom partitioning are now correctly reported to the
user so they can be adjusted before continuing the installation. (BZ #1269195)

Static routes configured during installation are now automatically configured on the installed system
Previously, static route configuration files were not copied from the installation environment to the
installed system. Consequently, static route configuration during installation was lost after the
installation finished. These files are now copied, and static routes configured during installation are
automatically configured on the installed system. (BZ #1255801)

GRUB2 is now correctly configured when upgrading the kernel and redhat-release-*
Previously, if a redhat-release-* package and a kernel package were present in the same Yum
transaction, the GRUB2 boot loader was reconfigured incorrectly. As a consequence, GRUB2 failed to
boot the newly installed kernel. With this update, GRUB2 is now correctly reconfigured and can boot
the new kernel in this situation. (BZ #1289314)

Kickstart files valid for Red Hat Enterprise Linux 6 are now correctly recognized by ksvalidator
Previously, when using the ksvalidator utility to validate a Kickstart file made for Red Hat
Enterprise Linux 6 that uses the logvol command with the --reserved-percent option,
ksvalidator incorrectly stated that --reserved-percent is not a valid option. This bug has
been fixed. (BZ #1290244)

Anaconda no longer crashes when adding iSCSI devices
Previously, the Anaconda installer terminated unexpectedly when attempting to add certain iSCSI
devices using the Add a disk button in the Storage screen. This bug has now been fixed.
(BZ #1255280)

The Anaconda installer correctly allows adjustment of a problematic disk selection
Previously, if a problem occurred with the selection of disks during installation of Red Hat Enterprise
Linux 7, an error was displayed after the installation started, and thus caused the installation to fail.
With this update, a warning is displayed at the proper time, allowing the disk selection to be adjusted
before proceeding. (BZ #1265330)

The anaconda-user-help package is now upgraded correctly


The anaconda-user-help package was not upgraded correctly when upgrading from Red Hat
Enterprise Linux 7.1. This has been fixed and the package is now upgraded correctly. (BZ #1275285)

A wider variety of partitions can be used as /boot


Previously, the GRUB2 boot loader only supported 8-bit device node minor numbers. Consequently,
boot loader installation failed on device nodes with minor numbers larger than 255. All valid Linux
device node minor numbers are now supported, and as a result a wider variety of partitions can be
used as /boot partitions. (BZ #1279599)

Incorrect escaping of the '/' character in systemd no longer prevents the system from booting
Previously, systemd incorrectly handled the LABEL=/ option in the initial RAM disk (initrd). As a
consequence, the label was not found, and the system failed to boot when the root partition LABEL
included the '/' character. With this update, '/' is escaped correctly in the described situation, and the
system no longer fails to boot. Updating to a higher minor version of Red Hat Enterprise Linux
updates the kernel and rebuilds the initrd. You can also rebuild the initrd by running the
dracut -f command. (BZ #1306126)

The default size of the /boot partition is now 1 GB
In previous releases of Red Hat Enterprise Linux 7, the default size of the /boot partition was set to
500 MB. This could lead to problems on systems with multiple kernels and additional packages such
as kernel-debuginfo installed. The /boot partition could become full or almost full in such a scenario,
which then prevented the system from upgrading and required manual cleanup to free additional
space.
In Red Hat Enterprise Linux 7.3, the default size of the /boot partition is increased to 1 GB, and
these problems no longer occur on newly installed systems. Note that installations made with
previous versions will not have their /boot partitions resized, and may still require manual cleanup
in order to upgrade. (BZ #1369837)


Chapter 30. Kernel


A fix of PT_NOTE entries that were previously corrupted during crashdump
On some HP servers, a kernel crash could lead to the corruption of PT_NOTE entries because of a
kernel code defect. As a consequence, the kernel crash dump utility failed to initialize. The provided
patch aligns the allocation of PT_NOTE entries so that they are inside one physical page, and thus
written and read data is identical. As a result, kernel crash dump now works as expected in the
described situation. (BZ #1073651)

Change of the Red Hat Hardware Certification tests to avoid system hang caused by Oprofile
Previously, when Oprofile was run on an HP server with 480 CPUs, repeated CPU stalls or soft
lockups occurred. Several unknown Non-Maskable Interrupts (NMI) were hitting multiple processors
that triggered the hpwdt driver to handle them and call the panic. One of the CPUs calling panic could
initiate a crashkernel boot and successful dump, but more often the first kernel activity continued on
the same console as the crashkernel boot. Consequently, the crashkernel boot hung, or the panic
did not initiate a crashkernel boot thus blocking the Red Hat Hardware Certification tests. With this
update, the hardware certification tests have been fixed, so they now pass on the mentioned
hardware as expected. (BZ #1138935)

Removal of the slub_debug parameter to save memory
The slub_debug parameter enables debugging of the SLUB allocator, which makes each object
consume extra memory. If the slub_debug kernel parameter was used, not enough memory was
allocated to the kdump capture kernel by the automatic setting on 128 GB systems. Consequently,
various tasks from the kdump init script terminated with an Out Of Memory (OOM) error message and
no crash dump was saved. The provided patch removes the slub_debug parameter, and crash
dump is now saved as expected in the aforementioned scenario. (BZ #1180246)

Removal of a race condition causing a deadlock when a new CPU was attached
Previously, when a new CPU was attached, a race condition between the CPU hotplug and the
stop_two_cpus() function could occur causing a deadlock if that migration thread on the new CPU
was already marked as active but not enabled. A set of patches has been applied which removes
this race condition. As a result, systems with attached new CPUs now run as intended. (BZ #1252281)

Update of the kernel with hugepage migration patches from the upstream
Previously, several types of bugs including the kernel panic could occur with the hugepage
migration. A set of patches from the upstream has been backported which fix these bugs. The
updated kernel is now more stable and hugepage migration is automatically disabled in
architectures other than AMD64 and Intel 64. (BZ #1287322)

Booting kernel with UEFI and the secure boot enabled


When the Unified Extensible Firmware Interface (UEFI) was used and the secure boot was enabled,
the operating system failed to boot for all kernels before kernel 3.10.0-327.4.4.el7. With the update to
the aforementioned kernel and newer versions the system boots up as expected after disabling the
secure boot. (BZ #1290441)


New microcode added into initramfs images for all installed kernels
Previously, when the microcode_ctl package was installed, the postinstall scriptlet rebuilt the initramfs
file only for the running kernel and not for any other installed kernels. Consequently, when the build
completed, there was an initramfs file for a kernel that was not even installed. The provided fix adds
new microcode into initramfs images for all installed kernels. As a result, the superfluous initramfs file
is no longer generated. (BZ #1292158)

Change of default settings on FCoE servers to reach the correct functionality of the kdump mechanism
Disks on Fibre Channel over Ethernet (FCoE) servers use the multipath storage system, which allows
the disks to connect to system from a different interface. Several logical disks are present in the
system, but they are mapped to only one real disk. Consequently, with the default settings, the FCoE
servers are not able to start on a kdump kernel. To reach the correct functionality of the kdump
mechanism, users are advised to specify the Universally Unique Identifier (UUID) of the FCoE disks.
Users are also advised to enable the multipath option so that disks can be managed in a more
efficient way. (BZ #1293520)

Dump-capture kernel memory freed when kdump mechanism fails
When crashkernel memory was allocated using the ,high and ,low syntax, there were cases where
the reservation of the high portion succeeded but with the reservation of the low portion the kdump
mechanism failed. This failure could occur especially on large systems for several reasons. The
manually specified crashkernel low memory was too large and thus an adequate memblock region
was not found. The kexec utility could load the dump-capture kernel successfully, but booting the
dump-capture kernel failed, as there was no low memory. The provided patch set reserves low
memory for the dump-capture kernel after the high memory portion has been allocated. As a result,
the dump-capture kernel memory is freed if the kdump mechanism fails. The user thus has a chance
to take measures accordingly. (BZ #1241236)

The ksc utility no longer fails to file bugs due to the unavailable kabi-whitelists component
In an earlier update, the kabi-whitelists component was changed to the kabi-whitelists
sub-component of the kernel component. Consequently, the ksc utility was not able to file bugs, as
the kabi-whitelists component value was not active, and the following error message was
generated:
Could not create bug.<Fault 32000:" The component value 'kabi-whitelists'is not active" >
With this update, the correct sub-component of the kernel component is kabi-whitelisted, and ksc files
bugs as expected. (BZ #1328384)

ksc now returns an error instead of crashing when running without mandatory arguments
Previously, the ksc tool terminated unexpectedly when running without the mandatory arguments.
With this update, ksc returns an error message and exits gracefully in the described situation.
(BZ #1272348)


Chapter 31. Networking


sctp_accept() no longer causes a deadlock when called during a timeout event
Previously, when sctp_accept() was called by a user during a heartbeat timeout event after the
4-way handshake, a deadlock could occur. With this update, the bug has been fixed by giving the
assoc->base.sk pointer to make sure SCTP correctly locks and unlocks the listening socket.
(BZ #1270586)


Chapter 32. Security


The SHA-3 implementation in nettle now conforms to FIPS 202
nettle is a cryptographic library that is designed to fit easily in almost any context. With this update,
the Secure Hash Algorithm 3 (SHA-3) implementation has been updated to conform to the final Federal
Information Processing Standard (FIPS) 202 draft. (BZ #1252936)


Chapter 33. Servers and Services


The named service now binds to all interfaces
With this update, BIND is able to react to situations when a new IP address is added to an interface.
If the new address is allowed by the configuration, BIND will automatically start to listen on that
interface. (BZ #1294506)

Fix for tomcat-digest to generate password hashes
When using the tomcat-digest utility to create an SHA hash of Tomcat passwords, the command
terminated unexpectedly with the ClassNotFoundException Java exception. A patch has been
provided to fix this bug and tomcat-digest now generates password hashes as expected.
(BZ #1240279)

Tomcat can now use shell expansion in configuration files within the new conf.d directory
Previously, the /etc/sysconfig/tomcat and /etc/tomcat/tomcat.conf files were loaded
without shell expansion, causing the application to terminate unexpectedly. This update provides a
mechanism for using shell expansion in the Tomcat configuration files by adding a new
configuration directory, /etc/tomcat/conf.d. Any files placed in the new directory may now
include shell variables. (BZ #1221896)

Fix for the tomcat-jsvc service unit to create two independent Tomcat servers
When trying to start multiple independent Tomcat servers, the second server failed to start due to the
jsvc service returning an error. This update fixes the jsvc systemd service unit as well as the
handling of the TOMCAT_USER variable. (BZ #1201409)

The dbus-daemon service no longer becomes unresponsive due to leaking file descriptors
Previously, the dbus-daemon service incorrectly handled multiple messages containing file
descriptors if they were received in a short time period. As a consequence, dbus-daemon leaked file
descriptors and became unresponsive. A patch has been applied to correctly handle multiple file
descriptors from different messages inside dbus-daemon. As a result, dbus-daemon closes and
passes file descriptors correctly and no longer becomes unresponsive in the described situation.
(BZ #1325870)

Update for marking tomcat-admin-webapps package configuration files
Previously, the tomcat-admin-webapps web.xml files were not marked as configuration files.
Consequently, upgrading the tomcat-admin-webapps package overwrote the
/usr/share/tomcat/webapps/host-manager/WEB-INF/web.xml and
/usr/share/tomcat/webapps/manager/WEB-INF/web.xml files, causing custom user
configuration to be automatically removed. This update fixes classification of these files, thus
preventing this problem. (BZ #1208402)

Timer migration for realtime Tuned profile has been disabled


Previously, the realtime Tuned profile that is included in the tuned-profiles-realtime package set the
value of the kernel.timer_migration variable to 1. As a consequence, realtime applications
could be negatively affected. This update disables the timer migration in the realtime profile.
(BZ #1323283)

rcu-nocbs no longer missing from kernel boot parameters
Previously the rcu_nocbs kernel parameter was not set in the realtime-virtual-host and
realtime-virtual-guest tuned profiles. With this update, rcu-nocbs is set as expected.
(BZ #1334479)

The global limit on how much time realtime scheduling may use has been removed in realtime Tuned profile
Prior to this update, the Tuned utility configuration for the kernel.sched_rt_runtime_us sysctl
variable in the realtime profile included in the tuned-profiles-realtime package was incorrect. As a
consequence, creating a virtual machine instance caused an error due to incompatible scheduling
time. Now, the value of kernel.sched_rt_runtime_us is set to -1 (no limit), and the described
problem no longer occurs. (BZ #1346715)


Chapter 34. Virtualization


SMEP and SMAP bits masked to enable secondary vCPUs
Previously, disabling Extended Page Table (EPT) on a host that supported Supervisor Mode
Execution Protection (SMEP) or Supervisor Mode Access Protection (SMAP) resulted in guests being
restricted to a single vCPU. This update masks SMEP and SMAP bits on the host side when
necessary. As a result, secondary vCPUs start and can be used by the guest virtual machine.
(BZ #1273807)

Force Reset menu entry in Japanese locale Virtual Machine Manager translated correctly
Previously, the Force Reset menu entry was translated incorrectly in the Japanese locale Virtual
Machine Manager. In this update the Force Reset menu entry is translated correctly.
(BZ #1282276)

Limited KSM deduplication factor


Previously, the kernel same-page merging (KSM) deduplication factor was not explicitly limited,
which caused Red Hat Enterprise Linux hosts to have performance problems or become
unresponsive in case of high workloads. This update limits the KSM deduplication factor, and thus
eliminates the described problems with virtual memory operations related to KSM pages.
(BZ #1298618)

VMDK images with streamOptimized sub-format are accepted
Previously, a Virtual Machine Disk (VMDK) image with a streamOptimized sub-format created by the
qemu-img tool was rejected by Elastic Sky X (ESX) services, because the version number of the VMDK
image was too low. In this update, the sub-format number of streamOptimized VMDK images is
automatically increased. This results in the VMDK image being accepted by ESX services.
(BZ #1299116)

Data layout of VMDK images with streamOptimized sub-format was incorrect
Previously, the data layout of a Virtual Machine Disk (VMDK) image with a streamOptimized
sub-format created by the qemu-img tool was incorrect. This prevented the VMDK image from being
bootable when imported to ESX servers. In this update, the image is converted to a valid VMDK
streamOptimized image. This results in the VMDK image being bootable. (BZ #1299250)

blockcopy with --pivot option no longer fails
Previously, blockcopy always failed when the --pivot option was specified. With this release, the
libvirt package was updated to prevent this issue. blockcopy can now be used with the --pivot
option. (BZ #1197592)

Guest display problems after virt-v2v conversion have been fixed
Previously, the video card driver setting of a guest converted with the virt-v2v utility was ignored,
causing various display problems in the guest. This update ensures that virt-v2v generates the
libvirt XML file for the converted guest properly. As a result, the video card setting is preserved, and
the guest can take full advantage of graphical capabilities after the conversion. (BZ #1225789)


Migrating MSR_TSC_AUX works properly


Previously, the contents of the MSR_TSC_AUX file were sometimes not migrated correctly during
guest migration. As a consequence, the guest terminated unexpectedly after the migration finished.
This update ensures that the contents of MSR_TSC_AUX are migrated as expected, and the
described crashes no longer occur. (BZ #1265427)

Windows guest virtual machine information removed from documentation
In this update, all references to Windows guest virtual machines have been removed from the
documentation. The information was moved to the following knowledgebase article:
https://access.redhat.com/articles/2470791 (BZ #1262007)

The libvirt API generates addresses for USB devices
With this update, libvirt generates addresses for USB devices. These devices, along with the
libvirt-generated address children can be found in the domain XML file. This ensures that future
start, restore, and migrate operations have a consistent address for the guests' USB devices. As a
result, you can migrate virtual machines to which USB devices have been hot-plugged.
(BZ #1215968)


Part III. Technology Previews


This part provides an overview of Technology Previews introduced or updated in Red Hat
Enterprise Linux 7.3 Beta.
For more information on Red Hat Technology Preview features support scope, see
https://access.redhat.com/support/offerings/techpreview/.


Chapter 35. General Updates


The systemd-importd VM and container image import and export service
The latest systemd version now contains the systemd-importd daemon that was not enabled in the
earlier build, which caused the machinectl pull-* commands to fail. Note that the
systemd-importd daemon is offered as a Technology Preview and should not be considered stable.
(BZ #1284974)


Chapter 36. Authentication and Interoperability


Identity Management in a container now available
Identity Management (IdM) in a container is provided as a Technology Preview. This update is
available for Red Hat Enterprise Linux Atomic Host.
To install this new image, use the atomic install rhel7/ipa-server command.
(BZ #1283777)

SSSD in a container now available
The System Security Services Daemon (SSSD) in a container is provided as a Technology Preview
to allow Red Hat Enterprise Linux Atomic Host authentication subsystem to be connected to central
identity providers like Red Hat Identity Management and Microsoft Active Directory.
To install this new image, use the atomic install rhel7/sssd command. (BZ #1200143)

Use of AD and LDAP sudo providers


The Active Directory (AD) provider is a back end used to connect to an AD server. In Red Hat
Enterprise Linux 7.2, using the AD sudo provider together with the LDAP provider is supported as a
Technology Preview. To enable the AD sudo provider, add the sudo_provider=ad setting in the
[domain] section of the sssd.conf file. (BZ #1068725)

DNSSEC available as Technology Preview in Identity Management
Identity Management servers with integrated DNS now support DNS Security Extensions (DNSSEC),
a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on Identity
Management servers can be automatically signed using DNSSEC. The cryptographic keys are
automatically generated and rotated.
Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these
documents:
DNSSEC Operational Practices, Version 2: http://tools.ietf.org/html/rfc6781#section-2
Secure Domain Name System (DNS) Deployment Guide: http://dx.doi.org/10.6028/NIST.SP.800-81-2
DNSSEC Key Rollover Timing Considerations: http://tools.ietf.org/html/rfc7583
Note that Identity Management servers with integrated DNS use DNSSEC to validate DNS answers
obtained from other DNS servers. This might affect the availability of DNS zones that are not
configured in accordance with recommended naming practices described in the Red Hat Enterprise
Linux Networking Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Configure_Host_Names.html#sec-Recommended_Naming_Practices. (BZ #1115294)

Support for secrets as a service


This update adds responder secrets as a Technology Preview to the System Security Services
Daemon (SSSD). This responder allows an application to communicate with SSSD over a UNIX
socket using the Custodia API. This enables SSSD to store secrets in its local database or to forward
them to a remote Custodia server. (BZ #1311056)

The Ipsilon identity provider service for federated single sign-on


The ipsilon packages were introduced as Technology Preview in Red Hat Enterprise Linux 7.2. Ipsilon
links authentication providers and applications or utilities to allow for SSO.
Red Hat does not plan to upgrade Ipsilon from Technology Preview to a fully supported feature. The
ipsilon packages will be removed from Red Hat Enterprise Linux in a future minor release.
Note that Red Hat Single Sign-On (SSO) is now available, which is intended to replace Ipsilon and is
the recommended solution for single sign-on. For details, see the description for Red Hat SSO in the
New Features part of these Release Notes. (BZ #1365388)

IdM web UI enables smart card login


The Identity Management (IdM) web UI enables users to log in using smart cards. Note that this
feature is experimental and not supported. (BZ #1317379)

Identity Management JSON-RPC API available as Technology Preview


An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser
as Technology Preview.
In Red Hat Enterprise Linux 7.3, the IdM API has been enhanced to enable multiple versions of API
commands. Previously, enhancements could change the behavior of a command in an incompatible
way. Users are now able to continue using existing tools and scripts even if the IdM API changes.
This enables:
Administrators to use previous or later versions of IdM on the server than on the managing client.
Developers to use a specific version of an IdM call, even if the IdM version changes on the server.
In all cases, the communication with the server is possible, regardless if one side uses, for example, a
newer version that introduces new options for a feature. (BZ #1298286)


Chapter 37. Clustering


Support for clufter, a tool for transforming and analyzing cluster configuration formats
The clufter package, available as a Technology Preview in Red Hat Enterprise Linux 7, provides a
tool for transforming and analyzing cluster configuration formats. It can be used to assist with
migration from an older stack configuration to a newer configuration that leverages Pacemaker. For
information on the capabilities of clufter, see the clufter(1) man page or the output of the
clufter -h command. (BZ #1212909)


Chapter 38. Directory Server in Red Hat Enterprise Linux


Nunc Stans event framework available for Directory Server
A new Nunc Stans event framework to handle multiple simultaneous connections has been added as
Technology Preview. The framework allows supporting several thousand active connections with no
performance degradation. It is disabled by default. (BZ #1206301)


Chapter 39. File Systems


The CephFS kernel client is now available
Starting with Red Hat Enterprise Linux 7.3, the Ceph File System (CephFS) kernel module enables, as
a Technology Preview, Red Hat Enterprise Linux nodes to mount Ceph File Systems from Red Hat
Ceph Storage clusters. The kernel client in Red Hat Enterprise Linux is a more efficient alternative to
the Filesystem in Userspace (FUSE) client included with Red Hat Ceph Storage. Note that the kernel
client currently lacks support for CephFS quotas. For more information, see the Ceph File System
Guide for Red Hat Ceph Storage 2: https://access.redhat.com/documentation/en/red-hat-ceph-storage/2/single/ceph-file-system-guide-technology-preview (BZ #1205497)

ext4 and XFS file systems now support DAX
Starting with Red Hat Enterprise Linux 7.3, Direct Access (DAX) provides, as a Technology Preview, a
means for an application to directly map persistent memory into its address space. To use DAX, a
system must have some form of persistent memory available, usually in the form of one or more
Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that supports DAX must be
created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then,
an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the
application's address space. (BZ #1274459)

pNFS Block Layout Support


As a Technology Preview, the upstream code has been backported to the Red Hat Enterprise Linux
client to provide pNFS block layout support.
In addition, Red Hat Enterprise Linux 7.3 includes the Technology Preview of the pNFS SCSI layout.
This feature is similar to pNFS block layout support, but limited only to SCSI devices, so it is easier to
use. Therefore, Red Hat recommends the evaluation of the pNFS SCSI layout rather than the pNFS
block layout for most use cases. (BZ #1111712)

OverlayFS
OverlayFS is a type of union file system. It allows the user to overlay one file system on top of
another. Changes are recorded in the upper file system, while the lower file system remains
unmodified. This allows multiple users to share a file-system image, such as a container or a
DVD-ROM, where the base image is on read-only media. Refer to the kernel file
Documentation/filesystems/overlayfs.txt for additional information.
OverlayFS remains a Technology Preview in Red Hat Enterprise Linux 7.3 under most circumstances.
As such, the kernel will log warnings when this technology is activated.
Full support is available for OverlayFS when used with Docker under the following restrictions:
OverlayFS is only supported for use as a Docker graph driver. Its use can only be supported for
container COW content, not for persistent storage. Any persistent storage must be placed on
non-OverlayFS volumes to be supported. Only default Docker configuration can be used; that is, one
level of overlay, one lowerdir, and both lower and upper levels are on the same file system.
Only XFS is currently supported for use as a lower layer file system.


SELinux must be enabled and in enforcing mode on the physical machine, but must be disabled
in the container when performing container separation; that is, /etc/sysconfig/docker must not
contain --selinux-enabled. SELinux support for OverlayFS is being worked on upstream, and is
expected in a future release.
The OverlayFS kernel ABI and userspace behavior are not considered stable, and may see
changes in future updates.
In order to make the yum and rpm utilities work properly inside the container, the user should be
using the yum-plugin-ovl packages.
Note that OverlayFS provides a restricted set of the POSIX standards. Test your application
thoroughly before deploying it with OverlayFS.
Note that XFS file systems must be created with the -n ftype=1 option enabled for use as an
overlay. With the rootfs and any file systems created during system installation, set the
--mkfsoptions=-n ftype=1 parameters in the Anaconda kickstart. When creating a new file system
after the installation, run the # mkfs -t xfs -n ftype=1 /PATH/TO/DEVICE command. To
determine whether an existing file system is eligible for use as an overlay, run the # xfs_info
/PATH/TO/DEVICE | grep ftype command to see if the ftype=1 option is enabled.
There are also several known issues associated with OverlayFS as of Red Hat Enterprise Linux 7.3
release. For details, see 'Non-standard behavior' in the Documentation/filesystems/overlayfs.txt file.
(BZ #1206277)
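
The host-side checks behind three of the restrictions above (XFS ftype=1 on the lower file system, SELinux enforcing on the host, no --selinux-enabled in /etc/sysconfig/docker) can be scripted. The following is an added example, not Red Hat tooling; the function names are hypothetical and the sample inputs are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example (not Red Hat tooling): audits three of the OverlayFS support
# restrictions from the release note. Function names are hypothetical.

# xfs_ftype: reads `xfs_info` output on stdin and prints the ftype value
# (0 or 1), or "unknown" when the field is missing from the output.
xfs_ftype() {
    sed -n 's/.*ftype=\([01]\).*/\1/p' | head -n 1 | grep . || echo unknown
}

# docker_has_selinux_flag: reads /etc/sysconfig/docker content on stdin.
# Succeeds if a non-comment line contains --selinux-enabled. The note says the
# file "must not contain" the flag, so any form of it counts as present.
docker_has_selinux_flag() {
    grep -v '^[[:space:]]*#' | grep -q -- '--selinux-enabled'
}

# overlay_check FTYPE HOST_SELINUX_MODE DOCKER_SYSCONFIG_TEXT
# Prints one line per violated restriction; returns 0 only if none is violated.
overlay_check() {
    oc_ftype=$1
    oc_mode=$2
    oc_cfg=$3
    oc_rc=0
    if [ "$oc_ftype" != 1 ]; then
        echo "FAIL: XFS lower layer reports ftype=$oc_ftype (ftype=1 required)"
        oc_rc=1
    fi
    if [ "$oc_mode" != Enforcing ]; then
        echo "FAIL: host SELinux mode is $oc_mode (Enforcing required)"
        oc_rc=1
    fi
    if printf '%s\n' "$oc_cfg" | docker_has_selinux_flag; then
        echo "FAIL: Docker sysconfig contains --selinux-enabled"
        oc_rc=1
    fi
    return $oc_rc
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_XFS_INFO_OK='meta-data=/dev/sdb1   isize=256    agcount=4, agsize=655360 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1'
SAMPLE_XFS_INFO_BAD='naming   =version 2              bsize=4096   ascii-ci=0 ftype=0'
SAMPLE_DOCKER_OK='# OPTIONS="--selinux-enabled"
OPTIONS="--log-driver=journald"'
SAMPLE_DOCKER_BAD='OPTIONS="--selinux-enabled --log-driver=journald"'

# On a real host the three inputs would come from:
#   xfs_info /PATH/TO/DEVICE | xfs_ftype
#   getenforce
#   cat /etc/sysconfig/docker
echo "== compliant sample =="
overlay_check "$(printf '%s\n' "$SAMPLE_XFS_INFO_OK" | xfs_ftype)" \
    Enforcing "$SAMPLE_DOCKER_OK" && echo "OK: all three restrictions met"

echo "== non-compliant sample =="
overlay_check "$(printf '%s\n' "$SAMPLE_XFS_INFO_BAD" | xfs_ftype)" \
    Permissive "$SAMPLE_DOCKER_BAD" || echo "-> outside the supported configuration"
```

The remaining restrictions (graph-driver-only use, a single overlay level, persistent storage on non-OverlayFS volumes) depend on how containers are deployed and are not covered by this check.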

Support for NFSv4 clients with flexible file layout


Support for flexible file layout on NFSv4 clients was first introduced in Red Hat Enterprise Linux 7.2
as a Technology Preview. This technology enables advanced features such as non-disruptive file
mobility and client-side mirroring, which provides enhanced usability in areas such as databases,
big data and virtualization. This feature has been updated in Red Hat Enterprise Linux 7.3, and it is
still offered as a Technology Preview.
See https://datatracker.ietf.org/doc/draft-ietf-nfsv4-flex-files/ for detailed information about NFS flexible
file layout. (BZ #1217590)

Btrfs file system


The Btrfs (B-Tree) file system is supported as a Technology Preview in Red Hat Enterprise Linux 7.3.
This file system offers advanced management, reliability, and scalability features. It enables users to
create snapshots, it enables compression and integrated device management. (BZ #1205873)

pNFS SCSI layouts client and server support is now provided


Client and server support for parallel NFS (pNFS) SCSI layouts is provided as a Technology Preview
starting with Red Hat Enterprise Linux 7.3. Building on the work of block layouts, the pNFS layout is
defined across SCSI devices and contains sequential series of fixed-size blocks as logical units that
must be capable of supporting SCSI persistent reservations. The Logical Unit (LU) devices are
identified by their SCSI device identification, and fencing is handled through the assignment of
reservations. (BZ #1305092)


Chapter 40. Hardware Enablement


Runtime Instrumentation for IBM System z
Support for the Runtime Instrumentation feature is available as a Technology Preview in Red Hat
Enterprise Linux 7.2 on IBM System z. Runtime Instrumentation enables advanced analysis and
execution for a number of user-space applications available with the IBM zEnterprise EC12 system.
(BZ #1115947)

LSI Syncro CS HA-DAS adapters


Red Hat Enterprise Linux 7.1 included code in the megaraid_sas driver to enable LSI Syncro CS
high-availability direct-attached storage (HA-DAS) adapters. While the megaraid_sas driver is fully
supported for previously enabled adapters, the use of this driver for Syncro CS is available as a
Technology Preview. Support for this adapter is provided directly by LSI, your system integrator, or
system vendor. Users deploying Syncro CS on Red Hat Enterprise Linux 7.2 are encouraged to
provide feedback to Red Hat and LSI. For more information on LSI Syncro CS solutions, please visit
http://www.lsi.com/products/shared-das/pages/default.aspx. (BZ #1062759)


Chapter 41. Installation and Booting


Multi-threaded xz compression in rpm-build
Compression can take a long time for highly parallel builds as it currently uses only one core. This is
problematic especially for continuous integration of large projects that are built on hardware with
many cores.
This feature enables multi-threaded xz compression for source and binary packages when setting
the %_source_payload or %_binary_payload macros to the wLTX.xzdio pattern. In it, L
represents the compression level, which is 6 by default, and X is the number of threads to be used
(may be multiple digits), for example w6T12.xzdio. This can be done by editing the
/usr/lib/rpm/macros file or by declaring the macro within the spec file or at the command line.
(BZ #1278924)


Chapter 42. Kernel


Heterogeneous memory management included as a Technology Preview
Red Hat Enterprise Linux 7.3 offers the heterogeneous memory management (HMM) feature as a
Technology Preview. This feature has been added to the kernel as a helper layer for devices that
want to mirror a process address space into their own memory management unit (MMU). Thus a non-CPU
device processor is able to read system memory using the unified system address space. To
enable this feature, add experimental_hmm=enable to the kernel command line. (BZ #1230959)

User namespace
This feature provides additional security to servers running Linux containers by providing better
isolation between the host and the containers. Administrators of a container are no longer able to
perform administrative operations on the host, which increases security. (BZ #1138782)

LPAR Watchdog for IBM System z


An enhanced watchdog driver for IBM System z is available as a Technology Preview. This driver
supports Linux logical partitions (LPAR) as well as Linux guests in the z/VM hypervisor, and provides
automatic reboot and automatic dump capabilities if a Linux system becomes unresponsive.
(BZ #1088540)

Support for Diag0c on IBM System z


As a Technology Preview, Red Hat Enterprise Linux 7.2 and later provide support for the Diag0c
feature on IBM System z. Diag0c support makes it possible to read the CPU performance metrics
provided by the z/VM hypervisor, and allows obtaining the management time for each online CPU of
a Linux guest where the diagnose task is executed. (BZ #1182292)

10GbE RoCE Express feature for RDMA


As a Technology Preview, Red Hat Enterprise Linux 7.2 and later include the 10GbE RDMA over
Converged Ethernet (RoCE) Express feature. This makes it possible to use Ethernet and Remote
Direct Memory Access (RDMA), as well as the Direct Access Programming Library (DAPL) and
OpenFabrics Enterprise Distribution (OFED) APIs, on IBM System z.
Before using this feature on an IBM z13 system, ensure that the minimum required service is applied:
z/VM APAR UM34525 and HW ycode N98778.057 (bundle 14). (BZ #1182169)

zEDC compression on IBM System z


Red Hat Enterprise Linux 7.2 and later provide the Generic Workqueue (GenWQE) engine device
driver as a Technology Preview. The initial task of the driver is to perform zlib-style compression and
decompression of the RFC1950, RFC1951 and RFC1952 formats, but it can be adjusted to accelerate
a variety of other tasks. (BZ #1182302)

libocrdma RoCE support on Oce141xx cards


As a Technology Preview, the ocrdma module and the libocrdma package support the Remote Direct
Memory Access over Converged Ethernet (RoCE) functionality on all network adapters in the
Oce141xx family. (BZ #1334675)


No-IOMMU mode for VFIO drivers


As a Technology Preview, this update adds No-IOMMU mode for virtual function I/O (VFIO) drivers.
The No-IOMMU mode provides the user with full user-space I/O (UIO) access to a direct memory
access (DMA)-capable device without an I/O memory management unit (IOMMU). Note that in addition
to not being supported, using this mode is not secure due to the lack of I/O management provided by
IOMMU. (BZ #1299662)


Chapter 43. Real-Time Kernel


New scheduler class: SCHED_DEADLINE
This update introduces the SCHED_DEADLINE scheduler class for the real-time kernel as a
Technology Preview. The new scheduler enables predictable task scheduling based on application
deadlines. SCHED_DEADLINE benefits periodic workloads by reducing application timer
manipulation. (BZ #1297061)


Chapter 44. Networking


Cisco usNIC driver
Cisco Unified Communication Manager (UCM) servers have an optional feature to provide a Cisco
proprietary User Space Network Interface Controller (usNIC), which allows performing Remote Direct
Memory Access (RDMA)-like operations for user-space applications. The libusnic_verbs driver, which
is supported as a Technology Preview, makes it possible to use usNIC devices via standard
InfiniBand RDMA programming based on the Verbs API. (BZ #916384)

Cisco VIC kernel driver


The Cisco VIC InfiniBand kernel driver, which is supported as a Technology Preview, allows the use
of Remote Direct Memory Access (RDMA)-like semantics on proprietary Cisco architectures.
(BZ #916382)

Trusted Network Connect


Trusted Network Connect, supported as a Technology Preview, is used with existing network access
control (NAC) solutions, such as TLS, 802.1X, or IPsec to integrate endpoint posture assessment;
that is, collecting an endpoint's system information (such as operating system configuration settings,
installed packages, and others, termed as integrity measurements). Trusted Network Connect is used
to verify these measurements against network access policies before allowing the endpoint to access
the network. (BZ #755087)

SR-IOV functionality in the qlcnic driver


Support for Single-Root I/O virtualization (SR-IOV) has been added to the qlcnic driver as a
Technology Preview. Support for this functionality will be provided directly by QLogic, and customers
are encouraged to provide feedback to QLogic and Red Hat. Other functionality in the qlcnic driver
remains fully supported. (BZ #1259547)

New packages: nftables, libnftnl


As a Technology Preview, this update adds the nftables and libnftnl packages. nftables provides a
packet-filtering tool, with numerous improvements in convenience, features, and performance. It is the
designated successor to iptables, ip6tables, arptables and ebtables. (BZ #1332581)


Chapter 45. Storage


lvm2 now supports RAID-level takeover
RAID-level takeover, the ability to switch between RAID types, is now available as a Technology
Preview. With RAID-level takeover, the user can decide based on their changing hardware
characteristics what type of RAID configuration best suits their needs and make the change without
having to deactivate the logical volume. For example, if a striped logical volume is created, it can
be later converted to a RAID 4 logical volume if an additional device is available.
Starting with Red Hat Enterprise Linux 7.3, the following conversions are available as a Technology
Preview:
striped <-> RAID 4
linear <-> RAID 1
mirror <-> RAID 1 (mirror is a legacy type, but still supported) (BZ #1191630)

Multi-queue I/O scheduling for SCSI


Red Hat Enterprise Linux 7 includes a new multiple-queue I/O scheduling mechanism for block
devices known as blk-mq. The scsi-mq package allows the Small Computer System Interface (SCSI)
subsystem to make use of this new queuing mechanism. This functionality is provided as a
Technology Preview and is not enabled by default. To enable it, add scsi_mod.use_blk_mq=Y to
the kernel command line. (BZ #1109348)

Targetd plug-in from the libStorageMgmt API


Since Red Hat Enterprise Linux 7.1, storage array management with libStorageMgmt, a storage array
independent API, has been fully supported. The provided API is stable, consistent, and allows
developers to programmatically manage different storage arrays and utilize the hardware-accelerated
features provided. System administrators can also use libStorageMgmt to manually
configure storage and to automate storage management tasks with the included command-line
interface.
The Targetd plug-in is not fully supported and remains a Technology Preview. (BZ #1119909)

DIF/DIX
DIF/DIX is a new addition to the SCSI Standard. It is fully supported in Red Hat Enterprise Linux 7.2
for the HBAs and storage arrays specified in the Features chapter, but it remains in Technology
Preview for all other HBAs and storage arrays.
DIF/DIX increases the size of the commonly used 512 byte disk block from 512 to 520 bytes, adding
the Data Integrity Field (DIF). The DIF stores a checksum value for the data block that is calculated
by the Host Bus Adapter (HBA) when a write occurs. The storage device then confirms the checksum
on receipt, and stores both the data and the checksum. Conversely, when a read occurs, the
checksum can be verified by the storage device, and by the receiving HBA. (BZ #1072107)


Chapter 46. Virtualization


Nested virtualization
As a Technology Preview, Red Hat Enterprise Linux 7 offers nested virtualization. This feature
enables KVM to launch guests that can act as hypervisors and create their own guests. For more
information, see the Red Hat Enterprise Linux 7 Virtualization Deployment and Administration Guide.
(BZ #1187762)

USB 3.0 support for KVM guests


USB 3.0 host adapter (xHCI) emulation for KVM guests remains a Technology Preview in Red Hat
Enterprise Linux 7.3. (BZ #1103193)

Select Intel network adapters now support SR-IOV


In this update for Red Hat Enterprise Linux guest virtual machines running on Hyper-V, a new PCI
passthrough driver adds the ability to use the single-root I/O virtualization (SR-IOV) feature for Intel
network adapters supported by the ixgbevf driver. This ability is enabled when the following
conditions are met:
SR-IOV support is enabled for the network interface controller (NIC)
SR-IOV support is enabled for the virtual NIC
SR-IOV support is enabled for the virtual switch
The virtual function (VF) from the NIC is attached to the virtual machine.
The feature is currently supported with Microsoft Windows Server 2016 Technical Preview 5.
(BZ #1348508)

Driver added for devices that connect over a PCI Express bus in guest virtual machine under Hyper-V
In this update, a new driver was added that exposes a root PCI bus when a device that connects
over a PCI Express bus is passed through to a Red Hat Enterprise Linux guest virtual machine
running on the Hyper-V hypervisor. The feature is currently supported with Microsoft Windows Server
2016 Technical Preview 5. (BZ #1302147)


Part IV. Device Drivers


This part provides a comprehensive listing of all device drivers which were updated in Red Hat
Enterprise Linux 7.3 Beta.


Chapter 47. New Drivers


Storage Drivers
cxgbit
libnvdimm
mpt2sas
nd_blk
nd_btt
nd_e820
nd_pmem
nvme

Network Drivers
ath10k_core
ath10k_pci
bnxt_en
brcmfmac
brcmsmac
brcmutil
btbcm
btcoexist
btintel
btrtl
c_can
c_can_pci
c_can_platform
can-dev
cc770
cc770_platform
ems_pci
ems_usb
esd_usb2
fjes
geneve
hfi1
i40iw
iwl3945
iwl4965
iwldvm
iwlegacy
iwlmvm
iwlwifi
kvaser_pci
kvaser_usb
macsec
mwifiex
mwifiex_pcie
mwifiex_sdio
mwifiex_usb
mwl8k
peak_pci
peak_usb
plx_pci
qed
qede
rdmavt
rt2800lib
rt2800mmio
rt2800pci
rt2800usb
rt2x00lib
rt2x00mmio
rt2x00pci
rt2x00usb
rt61pci
rt73usb
rtl_pci
rtl_usb
rtl8187
rtl8188ee
rtl8192c-common
rtl8192ce
rtl8192cu
rtl8192de
rtl8192ee
rtl8192se
rtl8723-common
rtl8723ae
rtl8723be
rtl8821ae
rtlwifi
sja1000
sja1000_platform
slcan
softing
uas
usb_8dev
vcan

Graphics Drivers and Miscellaneous Drivers


amdgpu
amdkfd
gp2ap002a00f
gpio-ich
gpio-viperboard
idma64
int3400_thermal
leds-lt3593
ledtrig-gpio
nfit
pci-hyperv
pwm-lpss
qat_c3xxx
qat_c3xxxvf
qat_c62x
qat_c62xvf
qat_dh895xccvf
rotary_encoder
rtsx_usb
rtsx_usb_sdmmc
sht15
tpm_st33zp24
tpm_st33zp24_i2c
virt-dma
virtio-gpu
zram


Chapter 48. Updated Drivers


Storage Driver Updates
The 3w-9xxx driver has been updated to version 2.26.02.014.rh1.
The aacraid driver has been updated to version 1.2-1[41066]-ms.
The be2iscsi driver has been updated to version 11.0.0.0.
The bfa driver has been updated to version 3.2.25.0.
The bnx2fc driver has been updated to version 2.10.3.
The cxgb3i driver has been updated to version 2.0.1-ko.
The cxgb4i driver has been updated to version 0.9.5-ko.
The libcxgbi driver has been updated to version 0.9.1-ko.
The fnic driver has been updated to version 1.6.0.21.
The hpsa driver has been updated to version 3.4.14-0-RH1.
The isci driver has been updated to version 1.2.0.
The lpfc driver has been updated to version 0:11.1.0.2.
The megaraid_sas driver has been updated to version 06.811.02.00-rh1.
The mt2sas driver has been updated to version 20.102.00.00.
The mt3sas driver has been updated to version 13.100.00.00.
The qla2xxx driver has been updated to version 8.07.00.33.07.3-k.
The vmw_pvscsi driver has been updated to version 1.0.6.0-k.
The cxgbit driver has been updated to version 1.0.0-ko.
The nvme driver has been updated to version 1.0.

Network Driver Updates
The bpa10x driver has been updated to version 0.11.
The btbcm driver has been updated to version 0.1.
The btintel driver has been updated to version 0.1.
The btrtl driver has been updated to version 0.1.
The btusb driver has been updated to version 0.8.
The hci_uart driver has been updated to version 2.3.
The hci_vhci driver has been updated to version 1.5.
The hfi1 driver has been updated to version 0.9-294.
The i40iw driver has been updated to version 0.5.123.

112

Chapt er 4 8 . Updat ed Drivers

The ocrdma driver has been updated to version 11.0.0.0.


The ib_srp driver has been updated to version 2.0.
The bnx2x driver has been updated to version 1.712.30-0.
The bnxt_en driver has been updated to version 1.2.0.
The cnic driver has been updated to version 2.5.22.
The enic driver has been updated to version 2.3.0.20.
The be2net driver has been updated to version 11.0.0.0r.
The e1000e driver has been updated to version 3.2.6-k.
The i40e driver has been updated to version 1.5.10-k.
The i40evf driver has been updated to version 1.5.10-k.
The igb driver has been updated to version 5.3.0-k.
The ixgbe driver has been updated to version 4.4.0-k-rh7.3.
The ixgbevf driver has been updated to version 2.12.1-k-rh7.3.
The qed driver has been updated to version 8.7.1.20.
The qede driver has been updated to version 8.7.1.20.
The qlcnic driver has been updated to version 5.3.64.
The fjes driver has been updated to version 1.1.
The geneve driver has been updated to version 0.6.
The vmxnet driver has been updated to version 1.4.7.0-k.
The iwl3945 driver has been updated to version in-tree:ds.
The iwl4965 driver has been updated to version in-tree:d.
The iwlegacy driver has been updated to version in-tree:.
The mwifiex driver has been updated to version 1.0.
The mwifiex_pcie driver has been updated to version 1.0.
The mwifiex_sdio driver has been updated to version 1.0.
The mwifiex_usb driver has been updated to version 1.0.
The mwl8k driver has been updated to version 0.13.
The rt2800lib driver has been updated to version 2.3.0.
The rt2800mmio driver has been updated to version 2.3.0.
The rt2800pci driver has been updated to version 2.3.0.
The rt2800usb driver has been updated to version 2.3.0.
The rt2x00lib driver has been updated to version 2.3.0.
The rt2x00mmio driver has been updated to version 2.3.0.
The rt2x00pci driver has been updated to version 2.3.0.
The rt2x00usb driver has been updated to version 2.3.0.
The rt61pci driver has been updated to version 2.3.0.
The rt73usb driver has been updated to version 2.3.0.

Graphics Driver and Miscellaneous Driver Updates


The tpm_st33zp24 driver has been updated to version 1.3.0.
The tpm_st33zp24_i2c driver has been updated to version 1.3.0.
The qat_c3xxx driver has been updated to version 0.6.0.
The qat_c62x driver has been updated to version 0.6.0.
The intel_qat driver has been updated to version 0.6.0.
The qat_dh895xcc driver has been updated to version 0.6.0.
The qat_dh895xccvf driver has been updated to version 0.6.0.
The amdkfd driver has been updated to version 0.7.2.
The vmwgfx driver has been updated to version 2.10.0.0.
The vmw_balloon driver has been updated to version 1.4.0.0-k.


Chapter 49. Deprecated Functionality


This chapter provides an overview of functionality that has been deprecated in all minor releases of
Red Hat Enterprise Linux 7 up to Red Hat Enterprise Linux 7.3 Beta.
Deprecated functionality continues to be supported until the end of life of Red Hat Enterprise Linux 7.
Deprecated functionality will likely not be supported in future major releases of this product and is
not recommended for new deployments. For the most recent list of deprecated functionality within a
particular major release, refer to the latest version of release documentation.
Deprecated hardware components are not recommended for new deployments on the current or future
major releases. Hardware driver updates are limited to security and critical fixes only. Red Hat
recommends replacing this hardware as soon as reasonably feasible.
A package can be deprecated and not recommended for further use. Under certain circumstances, a
package can be removed from a product. Product documentation then identifies more recent
packages that offer functionality similar, identical, or more advanced to the one deprecated, and
provides further recommendations.

sslwrap() removed from Python
The sslwrap() function has been removed from Python 2.7. After the 466 Python Enhancement
Proposal was implemented, using this function resulted in a segmentation fault. The removal is
consistent with upstream. Red Hat recommends using the ssl.wrap_socket() function instead.

Windows guest virtual machine support limited


As of Red Hat Enterprise Linux 7, Windows guest virtual machines are supported only under specific
subscription programs, such as Advanced Mission Critical (AMC).

libnetlink is deprecated


The libnetlink library contained in the iproute-devel package has been deprecated. The user
should use the libnl and libmnl libraries instead.

S3 and S4 power management states for KVM are deprecated


Native KVM support for the S3 (suspend to RAM) and S4 (suspend to disk) power management states
has been discontinued. This feature was previously available as a Technology Preview.

The Certificate Server plug-in udnPwdDirAuth is discontinued


The udnPwdDirAuth authentication plug-in for the Red Hat Certificate Server has been removed in
Red Hat Enterprise Linux 7.3. Profiles using the plug-in are no longer supported. Certificates created
with a profile using the udnPwdDirAuth plug-in are still valid if they have been approved.

Red Hat Access plug-in for IdM is discontinued


The Red Hat Access plug-in for Identity Management (IdM) has been removed in Red Hat
Enterprise Linux 7.3. During the update, the redhat-access-plugin-ipa package is automatically
uninstalled. Features previously provided by the plug-in, such as Knowledgebase access and
support case engagement, are still available through the Red Hat Customer Portal. Red Hat
recommends exploring alternatives, such as the redhat-support-tool tool.


Deprecated Device Drivers


3w-9xxx
3w-sas
mptbase
mptctl
mptsas
mptscsih
mptspi
qla3xxx
The following controllers from the megaraid_sas driver have been deprecated:
Dell PERC5, PCI ID 0x15
SAS1078R, PCI ID 0x60
SAS1078DE, PCI ID 0x7C
SAS1064R, PCI ID 0x411
VERDE_ZCR, PCI ID 0x413
SAS1078GEN2, PCI ID 0x78
The following Ethernet adapter controlled by the be2net driver has been deprecated:
TIGERSHARK NIC, PCI ID 0x0700
The following controllers from the be2iscsi driver have been deprecated:
Emulex OneConnect 10Gb iSCSI Initiator (generic), PCI ID 0x212
OCe10101, OCm10101, OCe10102, OCm10102 BE2 adapter family, PCI ID 0x702
OCe10100 BE2 adapter family, PCI ID 0x703
The following Emulex boards from the lpfc driver have been deprecated:
BladeEngine 2 (BE2) Devices
TIGERSHARK FCOE, PCI ID 0x0704
Fibre Channel (FC) Devices
FIREFLY, PCI ID 0x1ae5
PROTEUS_VF, PCI ID 0xe100
BALIUS, PCI ID 0xe131
PROTEUS_PF, PCI ID 0xe180
RFLY, PCI ID 0xf095
PFLY, PCI ID 0xf098
LP101, PCI ID 0xf0a1
TFLY, PCI ID 0xf0a5
BSMB, PCI ID 0xf0d1
BMID, PCI ID 0xf0d5
ZSMB, PCI ID 0xf0e1
ZMID, PCI ID 0xf0e5
NEPTUNE, PCI ID 0xf0f5
NEPTUNE_SCSP, PCI ID 0xf0f6
NEPTUNE_DCSP, PCI ID 0xf0f7
FALCON, PCI ID 0xf180
SUPERFLY, PCI ID 0xf700
DRAGONFLY, PCI ID 0xf800
CENTAUR, PCI ID 0xf900
PEGASUS, PCI ID 0xf980
THOR, PCI ID 0xfa00
VIPER, PCI ID 0xfb00
LP10000S, PCI ID 0xfc00
LP11000S, PCI ID 0xfc10
LPE11000S, PCI ID 0xfc20
PROTEUS_S, PCI ID 0xfc50
HELIOS, PCI ID 0xfd00
HELIOS_SCSP, PCI ID 0xfd11
HELIOS_DCSP, PCI ID 0xfd12
ZEPHYR, PCI ID 0xfe00
HORNET, PCI ID 0xfe05
ZEPHYR_SCSP, PCI ID 0xfe11
ZEPHYR_DCSP, PCI ID 0xfe12
To check the PCI IDs of the hardware on your system, run the lspci -nn command.
Note that other controllers from the mentioned drivers that are not listed here remain unchanged.
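
The following is an added example, not part of the Red Hat release notes: a shell function that reads lspci output and reports devices whose bound driver and PCI device ID appear in the deprecated list above. It goes one step beyond the lspci -nn hint by using lspci -nnk so the bound kernel driver can be matched as well; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: match `lspci -nnk` output against the deprecated-device list.

# "driver:id,id,..." entries taken from the list above. IDs are zero-padded to
# the four lowercase hex digits that lspci prints (0x15 -> 0015, 0x7C -> 007c).
DEPRECATED_IDS="megaraid_sas:0015,0060,007c,0411,0413,0078 \
be2net:0700 \
be2iscsi:0212,0702,0703 \
lpfc:0704,1ae5,e100,e131,e180,f095,f098,f0a1,f0a5,f0d1,f0d5,f0e1,f0e5,\
f0f5,f0f6,f0f7,f180,f700,f800,f900,f980,fa00,fb00,fc00,fc10,fc20,fc50,\
fd00,fd11,fd12,fe00,fe05,fe11,fe12"

# Drivers that the list above deprecates as a whole.
DEPRECATED_DRIVERS="3w-9xxx 3w-sas mptbase mptctl mptsas mptscsih mptspi qla3xxx"

# Reads `lspci -nnk` output on stdin; prints "<slot> <driver> <reason>" per hit.
find_deprecated() {
    awk -v ids="$DEPRECATED_IDS" -v drivers="$DEPRECATED_DRIVERS" '
    BEGIN {
        n = split(ids, entry, " ")
        for (i = 1; i <= n; i++) {
            split(entry[i], kv, ":")
            m = split(kv[2], id, ",")
            for (j = 1; j <= m; j++) by_id[kv[1] ":" id[j]] = 1
        }
        n = split(drivers, d, " ")
        for (i = 1; i <= n; i++) by_drv[d[i]] = 1
    }
    # Device line: starts with the slot and carries [vendor:device].
    /^[0-9a-f]/ {
        slot = $1; dev = ""
        if (match($0, /\[[0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f][0-9a-f][0-9a-f]\]/))
            dev = substr($0, RSTART + 6, 4)
        next
    }
    # Indented detail line naming the driver bound to the current device.
    /Kernel driver in use:/ {
        drv = $NF
        if (drv in by_drv)
            print slot, drv, "driver-deprecated"
        else if ((drv ":" dev) in by_id)
            print slot, drv, "device-0x" dev
    }'
}

# Constructed sample of `lspci -nnk` output (not from a real host).
sample_lspci() {
    cat <<'EOF'
00:1f.2 SATA controller [0106]: Example AHCI controller [8086:2922] (rev 02)
	Kernel driver in use: ahci
03:00.0 Fibre Channel [0c04]: Example FC adapter [10df:fe00] (rev 02)
	Subsystem: Example subsystem [10df:fe00]
	Kernel driver in use: lpfc
	Kernel modules: lpfc
04:00.0 Fibre Channel [0c04]: Example FC adapter, newer model [10df:e200]
	Kernel driver in use: lpfc
05:00.0 SCSI storage controller [0100]: Example SAS controller [1000:0058]
	Kernel driver in use: mptsas
EOF
}

# On a real host: lspci -nnk | find_deprecated
sample_lspci | find_deprecated
```

Devices with no driver bound produce no "Kernel driver in use" line and are therefore not reported; check those by ID with lspci -nn.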


Part V. Known Issues


This part documents known problems in Red Hat Enterprise Linux 7.3 Beta.


Chapter 50. General Updates


The TAB key does not expand $PWD by default
When working in CLI in Red Hat Enterprise Linux 6, pressing the TAB key expanded $PWD/ to the
current directory. In Red Hat Enterprise Linux 7, CLI does not have the same behavior. Users can
achieve this behavior by putting the following lines into the $HOME/.bash_profile file:
# Enable direxpand only on Bash versions that provide it
if ((BASH_VERSINFO[0] >= 4)) && ((BASH_VERSINFO[1] >= 2)); then
    shopt -s direxpand
fi
(BZ #1185416)

gnome-dictionary multilib packages conflicts occur


When both the 32-bit and 64-bit packages of the gnome-dictionary multilib packages are installed,
upgrading from Red Hat Enterprise Linux 7.2 to Red Hat Enterprise Linux 7.3 fails. To work around
this problem, uninstall the 32-bit package before upgrading. (BZ #1360338)

gnome-getting-started-docs-* moved to the Optional channel


As of Red Hat Enterprise Linux 7.3, the gnome-getting-started-docs-* packages have been moved from
the Base channel to the Optional channel. Consequently, upgrading from an earlier version of Red
Hat Enterprise Linux 7 fails, if these packages were previously installed. To work around this
problem, uninstall gnome-getting-started-docs-* prior to upgrading to Red Hat Enterprise Linux 7.3.
(BZ #1350802)


Chapter 51. Authentication and Interoperability


Problem with importing a user certificate from CA over SSL
The pki user-cert-add command provides an option to import a user certificate directly from CA.
Due to incorrect client library initialization, when the command is executed over an SSL port, the
command fails with the following error message:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
To work around this problem, download the certificate from CA into a file using the pki cert-show
command. Then, upload the certificate from the file using the pki user-cert-add command. With
the workaround, the user certificate is added correctly. (BZ #1246635)

Security warning when using ipa-kra-install, ipa-ca-install, or ipa-replica-install
When using the ipa-kra-install, ipa-ca-install, and ipa-replica-install commands
to install an additional key recovery authority (KRA) component, certificate authority, or replica, the
following warning appears:
SecurityWarning: Certificate has no `subjectAltName`,
falling back to check for a `commonName` for now.
This feature is being removed by major browsers and deprecated by RFC
2818.
The error occurs due to RFC 2818, which deprecates the practice of carrying the subject host name
in the subject DN common name (CN) field. However, the commands succeed. Therefore, you can
ignore the warning message. (BZ #1358457)

The IdM web UI displays all certificates on one page in the Certificates table
The Certificates table, available under the Authentication tab in the Identity Management (IdM) web
UI, ignores the page size limit of 20 entries. When more than 20 certificates are available, the table
displays all the certificates on one page, instead of only displaying 20 certificates per page.
(BZ #1358836)

SSSD fails to start when ldap_user_extra_attrs includes mail


System Security Services Daemon (SSSD) now fetches the mail attribute by default. When the
ldap_user_extra_attrs option in the /etc/sssd/sssd.conf file also lists the mail attribute,
SSSD warns the user about the duplicate email address and fails to start.
To work around this problem, set a fictional attribute name in the ldap_user_email attribute in the
domain section of sssd.conf. This ensures that the two obtained email addresses are different
and that SSSD starts successfully. (BZ #1362023)

ipa commands fail when the user does not have a home directory in IdM
When IdM cannot create a cache directory at ~/.cache/ipa in the home directory, all ipa
commands fail. This situation can occur for example when the user does not have a home directory.
To work around this problem, make sure a home directory is configured for the user, for example by
installing the Identity Management (IdM) client with the --mkhomedir option, which ensures that a
home directory is created for every user at first login. (BZ #1364113)

Displaying help for IdM commands takes longer


When the user runs an Identity Management (IdM) command with the --help option, IdM gathers the
required information from plug-ins and commands. Previously, the plug-ins and commands were
Python modules. With this update, IdM must generate the plug-ins and commands based on a
schema downloaded from the server. Because of this, displaying the help takes significantly longer
than in the previous version of IdM, especially if the help includes lists of topics and commands.
(BZ #1356146)

pam_pkcs11 only supports one token
The PKCS#11 modules in the opensc and coolkey packages provide support for various types of
smart cards. However, the pam_pkcs11 module only supports one of them at a time. As a
consequence, you cannot use PKCS#15 and CAC tokens using the same configuration. To work
around the problem, install one of the following:
the opensc package for PKCS#15 and PIV support
the coolkey package for CAC, Coolkey, and PIV support (BZ #1367919)

Running commands on servers with an earlier version of IdM takes unexpectedly long
When a user on an Identity Management (IdM) client running IdM version 4.4 runs a command, IdM
checks if the server contacted by the client supports the new command schema. Because this
information is not cached, the check is performed every time the client contacts the server, which
prolongs the time required to invoke commands on servers running an earlier version of IdM. If the
user runs a new command introduced in IdM 4.4, it might even seem that the operation will not
complete, because the server does not recognize the command. (BZ #1357488)

Tree-root domains in a trusted AD forest are not marked as reachable through the forest root
When an Active Directory (AD) forest contains tree-root domains (a separate DNS domain), Identity
Management (IdM) might fail to correctly route authentication requests to the tree-root domain's
domain controllers. As a result, users from a tree-root domain might fail to authenticate against
services hosted in IdM. (BZ #1318169)

The IdM web UI does not show certificates issued by sub-CAs


To display the certificates issued by a certificate authority (CA), the web UI uses the ipa cert-find
command to query the CA name, and then the ipa cert-show command with the CA name added.
However, the ipa cert-find command currently does not return the CA name. As a consequence, an
attempt to display the details page for a certificate issued by a sub-CA fails with an error in the web
UI. Note that certificates issued by the IdM CA are displayed as expected. (BZ #1368424)

Third-party certificate trust flags are reset after installing an external CA into IdM
The ipa-ca-install --external-ca command, used to install an external certificate authority
(CA) into an existing Identity Management (IdM) domain, generates a certificate signing request
(CSR) that the user must submit to the external CA.
When using a previously installed third-party certificate to sign the CSR, the third-party certificate
trust flags in the NSS database are reset. Consequently, the certificate is no longer marked as
trusted. In addition, checks performed by the mod_nss module fail, and the httpd.service fails to start.
The CA installation fails with the following message in this situation:
CA failed to start after 300 seconds
As a workaround, after this message appears, reset the third-party certificate flags to their previous
state and restart httpd.service. For example, if the ca1 certificate previously had the C,, trust flags:
# certutil -d /etc/httpd/alias -n 'ca1' -M -t C,,
# systemctl restart httpd.service
This restores the system to the correct state. (BZ #1318616)
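
The following is an added example, not part of the Red Hat release notes: restoring the flags "to their previous state" requires knowing that state, so this script records the trust flags listed by certutil -L before ipa-ca-install --external-ca is run and, afterwards, prints a certutil -M command for every nickname whose flags changed. The function names and the sample certutil listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: record NSS trust flags before ipa-ca-install --external-ca
# and generate the certutil commands that restore any that were reset.

# Reads `certutil -L -d <db>` output on stdin; prints "flags<TAB>nickname".
trust_snapshot() {
    awk '
    # Data rows end with three comma-separated flag fields, e.g. C,, or u,u,u.
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
        sub(/^[ \t]+/, "", nick)                # drop leading indentation
        print $NF "\t" nick
    }'
}

# $1 = snapshot taken before, $2 = snapshot taken after, $3 = NSS database dir.
# Prints one certutil -M command per nickname whose flags differ.
trust_restore_cmds() {
    awk -F '\t' -v db="$3" '
    BEGIN { q = "\047" }                        # a single quote character
    # Quote a string for safe pasting into a POSIX shell.
    function shquote(s,   n, i, parts, out) {
        n = split(s, parts, q)
        out = parts[1]
        for (i = 2; i <= n; i++) out = out q "\\" q q parts[i]
        return q out q
    }
    NR == FNR { before[$2] = $1; next }         # first file: earlier state
    ($2 in before) && before[$2] != $1 {        # second file: changed entries
        print "certutil -d " shquote(db) " -n " shquote($2) " -M -t " shquote(before[$2])
    }' "$1" "$2"
}

# Constructed `certutil -L -d /etc/httpd/alias` listings (not from a real host).
sample_before() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,
Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
EOF
}
sample_after() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          ,,
Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
EOF
}

# On a real host, replace the samples with:
#   certutil -L -d /etc/httpd/alias | trust_snapshot > before   (and > after)
demo_restore() {
    tmp=$(mktemp -d) || return 1
    sample_before | trust_snapshot > "$tmp/before"
    sample_after  | trust_snapshot > "$tmp/after"
    trust_restore_cmds "$tmp/before" "$tmp/after" /etc/httpd/alias
    rm -rf "$tmp"
}

demo_restore
```

Review the printed commands before running them, then restart httpd.service as described above.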

The certmonger service fails to request certificates from IdM sub-CAs
The certmonger service uses incorrect API calls to request certificates from IdM sub-CAs. As a
consequence, the sub-CA setting is ignored and the certificate is always issued by the IdM root CA.
There is currently no known workaround. (BZ #1367683)

Adding an IdM OTP token with a custom key does not work


When the user runs the ipa otptoken-add command with the --key option to add a new one-time
password (OTP) token, the Identity Management (IdM) command line converts the token key provided
by the user incorrectly. Consequently, the OTP token created in IdM in this situation is invalid.
Attempts to authenticate using the OTP token fail. (BZ #1368981)

Machines joined to a realm are not able to resolve centrally managed supplementary groups
Installing an Identity Management (IdM) server or client does not add the sss option to the
initgroups lookup entry in the /etc/nsswitch.conf file. As a consequence, looking up
secondary groups for users managed by SSSD does not work as expected. As a workaround,
remove or comment out the line starting with initgroups in the /etc/nsswitch.conf file before
the installation. This ensures that machines joined to the realm resolve centrally managed
supplementary groups as expected. (BZ #1366569)

SSSD default configuration fails to integrate with other services
The System Security Services Daemon's (SSSD) /usr/lib64/sssd/conf/sssd.conf default
configuration file uses an auto-configured domain to proxy all requests to the /etc/passwd and
/etc/groups files. On systems having SELinux disabled or running in permissive mode, SSSD
copies the default configuration to /etc/sssd/sssd.conf if this file does not exist when the
daemon is being started. However, the proxy configuration fails to integrate with tools like realmd or
ipa-client-install. To work around this problem, modify the /etc/sssd/sssd.conf file and
remove:
shadowutils from the domains parameter
the [domain/shadowutils] section
As a result, tools using SSSD work correctly. (BZ #1369118)
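The workaround above as a scriptable edit. This is an added example, not part of the release notes; the function names and the sample configuration are constructed, and only the two removals named in the text are performed.

```shell
#!/bin/sh
# Added example, not from the release notes. Function names and the sample
# configuration are constructed for illustration.

# Print a constructed sssd.conf that still carries the shadowutils proxy domain.
sample_sssd_conf() {
    cat <<'EOF'
[sssd]
services = nss, pam
domains = shadowutils, example.com

[domain/shadowutils]
id_provider = proxy
proxy_lib_name = files

[domain/example.com]
id_provider = ldap
EOF
}

# Print the file named in $1 with the workaround applied:
#  - the whole [domain/shadowutils] section is dropped
#  - "shadowutils" is removed from the domains list, other domains are kept
strip_shadowutils() {
    awk '
    /^[ \t]*\[/ {
        skip = ($0 ~ /^[ \t]*\[domain\/shadowutils\][ \t]*$/)
        if (skip) next
    }
    skip { next }
    /^[ \t]*domains[ \t]*=/ {
        eq = index($0, "=")
        n = split(substr($0, eq + 1), parts, ",")
        out = ""
        for (i = 1; i <= n; i++) {
            d = parts[i]
            gsub(/^[ \t]+|[ \t]+$/, "", d)
            if (d == "" || d == "shadowutils") continue
            out = (out == "" ? d : out ", " d)
        }
        print substr($0, 1, eq) (out == "" ? "" : " " out)
        next
    }
    { print }
    ' "$1"
}

# Apply the edit in place, keeping a backup and the original mode and owner.
apply_sssd_workaround() {
    conf=${1:-/etc/sssd/sssd.conf}
    tmp=$(mktemp) || return 1
    if strip_shadowutils "$conf" > "$tmp" && cp -p "$conf" "$conf.bak"; then
        cat "$tmp" > "$conf"    # overwrite contents, not the inode
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Run apply_sssd_workaround as root before invoking realmd or ipa-client-install; the previous file is kept as sssd.conf.bak.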

realmd fails to remove the computer account from AD
Red Hat Enterprise Linux uses Samba as the default back end for Active Directory (AD) domain
memberships. In this case, if you manually set a computer name using the --computer-name option
with the realm join command, the account cannot be removed from AD when you leave the
domain. To work around this problem, do not use the --computer-name option and instead add
the computer name to the /etc/realmd.conf file. For example:
[domain.example.com]
computer-name = host_name
With the workaround, the host is successfully joined to the domain and the account is automatically
removed if you leave the domain using the realm leave --remove command. (BZ #1293390)

sss_override commands fail if an override was created without -n option
Red Hat Enterprise Linux 7.3 introduced local overrides to the System Security Services Daemon
(SSSD). However, a known issue in the sss_override command currently causes all export, find,
and show operations for users and groups to fail if one or more records in the cache do not contain
a name record. If you encounter this problem, delete the override which is missing the name record.
For example:
# sss_override user-del user_name
Alternatively, you can clear the SSSD cache manually to remove all overrides:
# systemctl stop sssd
# rm -f /var/lib/sss/db/*
# systemctl start sssd
To avoid this problem, always add the -n option to the sss_override command when you create
an override. For example:
# sss_override user-add user_name -s /bin/bash -n user_name
As a result, all sss_override operations work. (BZ #1373420)

The old realmd version is started when updating realmd while it is running
The realmd daemon starts only when requested, then performs a given action, and after some time it
times out. When realmd is updated while it is still running, the old version of realmd starts upon the
next request because realmd is not restarted after the update. To work around this problem, make
sure that realmd is not running before updating it. (BZ #1274368)

SSSD fails to manage autofs mappings from an LDAP tree
Previously, the System Security Services Daemon (SSSD) implemented incorrect default values for
autofs mappings when using the RFC 2307 LDAP schema. A patch has been applied, which fixed the
defaults to match the schema. However, users connecting to LDAP servers that contain mappings
with the schema SSSD previously used are not able to load the autofs attributes. Affected users see
the following error reported in the /var/log/messages log file:
Your configuration uses the autofs provider with schema set to rfc2307
and default attribute mappings. The default map has changed in this
release, please make sure the configuration matches the server
attributes.
To work around this problem, modify the /etc/sssd/sssd.conf file and set your domain to use
the existing attribute mappings:
[domain/EXAMPLE]
...
ldap_autofs_map_object_class = automountMap
ldap_autofs_map_name = ou
ldap_autofs_entry_object_class = automount
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = automountInformation
As a result, SSSD is able to load autofs mappings from the attributes. (BZ #1372814)

Chapter 52. Compiler and Tools


Accessing Red Hat Gluster Storage over libgfapi on KVM guests fails
When using a KVM guest virtual machine, accessing Red Hat Gluster Storage with the libgfapi
service, for example by running the qemu-img or qemu-systems-x86_64 command on the host
machine, fails with an invalid argument error. There is currently no known workaround.
(BZ #1356372)

Chapter 53. Desktop


Closing laptop lid breaks the GNOME multi-display configuration
When using a laptop with the GNOME graphical environment that is connected to one or more
external displays, closing the lid to suspend the laptop sometimes causes windows and icons to be
moved between displays and the display layout to be reset when the system is resumed. To work
around this problem, open the GNOME Displays interface, which causes the display configuration to
be reloaded. (BZ #1360906)

Chapter 54. File Systems


The default option specification is not overridden by the host-specific option in /etc/exports
When the 'sec=sys' option is used in the default option section of the /etc/exports file, the option
list that follows it is not parsed correctly. As a consequence, the default option cannot be overridden
by the host-specific option. (BZ #1359042)

Chapter 55. Hardware Enablement


Serial console is now configured correctly on Cavium ThunderX 64-bit ARM systems
Previously, Cavium ThunderX (CN88XX series) ARM systems did not set up a serial console by default
due to a firmware problem. Now, the problem in firmware has been fixed, and serial console is now
configured correctly. (BZ #1268193)

i40e no longer issues warn_slowpath warnings during boot
Previously, the i40e driver was issuing warn_slowpath warnings during a ring size change
because the code was cloning the rx_ring struct but not zeroing out the pointers before allocating
new memory. With this update, the bug is fixed, and the warnings are no longer shown.
(BZ #1272833)

The netprio_cgroups module is now mounted at boot
Previously, systemd mounted the /sys/fs/cgroup/ directory as read-only, which prevented
mounting of the /sys/fs/cgroup/net_prio/ directory during the initial system setup.
Consequently, the netprio_cgroups module was not mounted at boot. With this update, this
problem has been fixed, and the netprio_cgroups module is now mounted at boot. (BZ #1262204)

Setting up bonding with qlcnic fails
Prior to this update, certain bonding modes, such as balance-tlb or balance-alb, set a MAC
address that was not properly stored. This MAC address was not restored when tearing down the
bond, leaving a duplicate MAC in place. Consequently, re-establishing a bond failed, because the
original MAC address was not present. This update improves the code to properly restore the MAC
addresses when the bonding is taken down. As a result, bonding with qlcnic devices works as
expected. (BZ #1265058)

Platforms relying on DDF-based RAID are not supported
Disk Data Format (DDF)-based BIOS RAID is currently not supported in Red Hat Enterprise Linux.
This includes systems using the LSI BIOS, which require the megasr proprietary driver.
However, on certain systems, such as IBM System z servers with the ServeRAID adapter, it is possible
to disable RAID in the BIOS. To do this, enter the "UEFI" menu and navigate through the "System
Settings and Devices" and "I/O Ports" menus to the "Configure the onboard SCU" submenu. Then
change the SCU setting from RAID to nonRAID. Save your changes and reboot the system. In this
mode, the storage is configured using an open-source non-RAID LSI driver available in Red Hat
Enterprise Linux, such as mptsas, mpt2sas, or mpt3sas.
To obtain the megasr driver for IBM systems, refer to the IBM support page:
http://www-947.ibm.com/support/entry/portal/support
Note that the described restriction does not apply to LSI adapters that use the megaraid driver, as
such adapters implement RAID functions in firmware. (BZ #1067292)

Chapter 56. Installation and Booting


Dell Latitude E6430 laptops shut down unexpectedly
When booting a Dell Latitude E6430 laptop with an Nvidia graphics card and Nvidia Optimus
enabled in the BIOS, as soon as the system attempts to use the Nvidia GPU, the system shuts down.
The BIOS then incorrectly displays a system board thermal trip error at next boot. To work
around this problem, use the nouveau.runpm=0 parameter when booting. However, note that using
nouveau.runpm=0 can increase power consumption. (BZ #1349827)

The Initial Setup utility's text-based interface starts correctly on IBM System z
An update to the Initial Setup utility introduced a bug which prevented its text-based interface
from starting on IBM System z. This bug has been fixed. (BZ #1366776)

Formatting DASDs works correctly during a text-based installation
Previously, a bug prevented DASDs from being correctly formatted during a text-based installation.
As a consequence, DASDs that were unformatted or incorrectly formatted had to be manually
formatted before use. This bug has been fixed, and the installer can now format DASDs when
performing a text-based installation. (BZ #1259437)

Insufficient /boot partition size may prevent the system from upgrading
The /boot partition, which contains installed kernels and initial ram disks, may become full if
multiple kernels and additional packages such as kernel-debug are installed. This is caused by the
default size of this partition being set to 500 MB during installation, and prevents the system from
being upgraded.
As a workaround, use yum to remove older kernels if you do not need them.
This known issue only affects installations made with Red Hat Enterprise Linux 7.2 and earlier. In Red
Hat Enterprise Linux 7.3, the default size of the /boot partition is increased to 1 GB, which avoids
this problem in future upgrades. (BZ #1270883)

Chapter 57. Kernel


Red Hat Beta public key certificate needs to be loaded manually
The system administrator can use the machine owner key (MOK) mechanism to load the
corresponding Red Hat Beta public key certificate which is needed to authenticate the kernel
included in a Red Hat Enterprise Linux Beta release. The enrollment of the Red Hat Certificate
Authority (CA) Beta public key is a one-time procedure for any system on which Red Hat Enterprise
Linux 7.3 Beta will be run with UEFI Secure Boot enabled:
1. Turn UEFI Secure Boot off and install Red Hat Enterprise Linux 7.3 Beta.
2. Install the kernel-doc package if it is not already installed. It provides a certificate file that contains
the Red Hat CA public Beta key in the file: /usr/share/doc/kernel-keys/<kernel-ver>/kernel-signing-ca.cer,
where <kernel-ver> is the kernel version string without the platform architecture suffix, for
example, 3.10.0-314.el7.
3. Manually request enrollment of the public key to the Machine Owner Key (MOK) list on the system
using the mokutil utility. Run the following command as the root user:
mokutil --import /usr/share/doc/kernel-keys/<kernel-ver>/kernel-signing-ca.cer
You will be asked to supply a password for the enrollment request.
4. On the next boot of the system, you will be prompted on the system console to complete the
enrollment of the MOK request. You will need to respond to the prompts and supply the password that
you provided to mokutil in step 3.
5. When you complete the MOK enrollment, the system will be reset and will reboot. You can re-enable
UEFI Secure Boot on that reboot, or on any subsequent reboot of the system. (BZ #1261767)
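Steps 2 and 3 of the procedure above as a script, including the derivation of <kernel-ver> from the running kernel. This is an added example, not part of the release notes; the function names are constructed, and it assumes the kernel-doc and mokutil packages are installed and that the script runs as root.

```shell
#!/bin/sh
# Added example, not from the release notes. Function names are constructed.

# Strip the architecture suffix from a kernel release string.
# $1 = output of "uname -r", $2 = output of "uname -m"
kernel_ver_no_arch() {
    case $1 in
        *."$2") printf '%s\n' "${1%.*}" ;;   # 3.10.0-314.el7.x86_64 -> 3.10.0-314.el7
        *)      printf '%s\n' "$1" ;;        # suffix already absent
    esac
}

# Path of the Beta CA certificate shipped by kernel-doc for that kernel.
beta_cert_path() {
    printf '/usr/share/doc/kernel-keys/%s/kernel-signing-ca.cer\n' \
        "$(kernel_ver_no_arch "$1" "$2")"
}

# Step 3 of the procedure: queue the certificate for MOK enrollment.
# mokutil prompts for the one-time enrollment password.
request_beta_key_enrollment() {
    cert=$(beta_cert_path "$(uname -r)" "$(uname -m)")
    if [ ! -r "$cert" ]; then
        echo "certificate not found: $cert (is kernel-doc installed?)" >&2
        return 1
    fi
    mokutil --sb-state            # informational: Secure Boot should still be off
    mokutil --import "$cert" || return 1
    mokutil --list-new            # show the request queued for the next boot
}
```

Call request_beta_key_enrollment once per system; steps 4 and 5 are then completed interactively on the console at the next boot.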

Some ext4 file systems cannot be resized
Due to a bug in the ext4 code, it is currently impossible to resize ext4 file systems that have 1 kilobyte
block size and are smaller than 32 megabytes. (BZ #1172496)

Hard lock-up of the screen can occur on laptops using integrated graphics in the 6th Generation Intel Core processors
Situations causing this bug include:
moving the cursor between the edges of the monitor
moving the cursor between multiple monitors
changing any aspect of the monitor configuration
docking or undocking the machine
plugging or unplugging a monitor (BZ #1341633)

Multiple problems sometimes occur on systems with persistent memory
The following problems can occur during boot on systems with persistent memory, either real Non-Volatile
Dual In-line Memory Modules (NVDIMMs) or emulated NVDIMMs using the memmap=X!Y
kernel command-line parameter:
the onlining of persistent memory causes the following messages to be displayed for every block
(128 MB) of pmem devices:
Built 2 zonelists in Zone order, mobility grouping on.  Total pages: 8126731
Policy zone: Normal
the system becomes unresponsive
the following BUG message is displayed:
BUG: unable to handle kernel paging request at ffff88007b7eef70
(BZ #1367257)

Looking up transport or association can lead to kernel panic
Due to a use-after-free bug, the kernel's stream control transmission protocol (SCTP) implementation
does not hold the pointer to the transport path while it is in use. As a consequence, another CPU can
free the pointer, access the memory which should be unavailable, and a kernel panic occurs. Work to
address this issue is being tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1368884.
(BZ #1368884)

dracut displays a harmless error message about a non-existent /etc/hba.conf
When dracut creates an initial RAM file system (initramfs) with Fibre Channel over Ethernet (FCoE)
support, if the /etc/hba.conf file does not exist, dracut displays an error message. You can
safely ignore this message. (BZ #1373129)

Harmless soft lockup in IBM POWER8 guest kernel
Due to an incorrect value in the virtual time base (VTB) register, the kernel of an IBM POWER8 guest
in some cases incorrectly detects a soft lockup condition, logs a call trace, and reports the following
error:
NMI watchdog: BUG: soft lockup - CPU#x stuck for XXs
This error does not have any harmful effect and can be safely ignored. To remove the error message,
disable dynamic hyper-threading by loading the kvm-hv kernel module with the following command:
modprobe kvm-hv dynamic_mt_modes=0 target_smt_mode=1
(BZ #1350719)

Chapter 58. Networking


Verification of signatures using the MD5 hash algorithm is disabled in Red Hat Enterprise Linux 7
It is not possible to connect to any Wi-Fi Protected Access (WPA) Enterprise Access Point (AP) that
requires MD5 signed certificates. To work around this problem, copy the wpa_supplicant.service file
from the /usr/lib/systemd/system/ directory to the /etc/systemd/system/ directory and add the following
line to the Service section of the file:
Environment=OPENSSL_ENABLE_MD5_VERIFY=1
Then run the systemctl daemon-reload command as root to reload the service file.
Important: Note that MD5 certificates are highly insecure and Red Hat does not recommend using
them. (BZ #1062656)
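Because the override above re-enables a weak algorithm, it is worth being able to find where it has been applied. The following audit is an added example, not part of the release notes; the function names and the fixture are constructed, and it reports any active assignment of the variable without interpreting its value.

```shell
#!/bin/sh
# Added example, not from the release notes. Function names are constructed.

# Print "file:line:value" for every active Environment= assignment of
# OPENSSL_ENABLE_MD5_VERIFY in unit files and drop-ins under the given
# directories (default: the standard systemd unit paths).
find_md5_verify_overrides() {
    [ "$#" -gt 0 ] || set -- /etc/systemd/system /run/systemd/system \
                             /usr/lib/systemd/system
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Unit files plus drop-ins such as wpa_supplicant.service.d/*.conf
        find "$dir" -type f \( -name '*.service' -o -name '*.conf' \) -print
    done | sort | while IFS= read -r unit; do
        awk -v f="$unit" '
            /^[ \t]*[#;]/ { next }          # comment line, setting inactive
            /^[ \t]*Environment[ \t]*=/ && /OPENSSL_ENABLE_MD5_VERIFY=/ {
                v = $0
                sub(/.*OPENSSL_ENABLE_MD5_VERIFY=/, "", v)
                sub(/[" \t].*/, "", v)      # stop at closing quote or next var
                print f ":" FNR ":" v
            }' "$unit"
    done
}

# Exit status 1 (and a report on stderr) when any override is present.
audit_md5_verify() {
    hits=$(find_md5_verify_overrides "$@")
    [ -z "$hits" ] && return 0
    printf 'MD5 signature verification re-enabled in:\n%s\n' "$hits" >&2
    return 1
}

# Constructed fixture: an overridden unit, a commented-out setting, a drop-in.
make_sample_units() {
    mkdir -p "$1/example.service.d"
    printf '[Service]\nExecStart=/usr/sbin/wpa_supplicant\nEnvironment=OPENSSL_ENABLE_MD5_VERIFY=1\n' \
        > "$1/wpa_supplicant.service"
    printf '[Service]\n#Environment=OPENSSL_ENABLE_MD5_VERIFY=1\n' \
        > "$1/other.service"
    printf '[Service]\nEnvironment="LANG=C" "OPENSSL_ENABLE_MD5_VERIFY=1"\n' \
        > "$1/example.service.d/override.conf"
}
```

With no arguments, audit_md5_verify scans the standard unit directories, so it can be dropped into a periodic compliance check.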

Chapter 59. Security


The openscap packages do not install atomic as a dependency
The OpenSCAP suite enables integration of the Security Content Automation Protocol (SCAP) line of
standards. The current version adds the ability to scan containers using the atomic scan and
oscap-docker commands. However, when you install only the openscap, openscap-utils, and
openscap-scanner packages, the atomic package is not installed by default. As a consequence, any
container scan command fails with an error message. To work around this problem, install the atomic
package by running the yum install atomic command as root. (BZ #1356547)

CIL does not have a separate module statement
The new SELinux userspace uses SELinux Common Intermediate Language (CIL) in the module
store. CIL treats files as modules and does not have a separate module statement; the module is
named after the file name. As a consequence, this can cause confusion when a policy module has a
name that is not the same as its base filename, and the semodule -l command does not show the
module version. Additionally, semodule -l does not show disabled modules. To work around this
problem, list all modules using the semodule --l=full command. (BZ #1345825)

Chapter 60. Servers and Services


ReaR creates two ISO images instead of one
In ReaR, the OUTPUT_URL directive enables specifying the location for the ISO image containing the
rescue system. Currently, with this directive set, ReaR creates two copies of the ISO image: one in the
specified directory and one in the /var/lib/rear/output/ default directory. This requires
additional space for the image. This is especially important if a full-system backup is included in
the ISO image (using the BACKUP=NETFS and BACKUP_URL=iso:///backup/ configuration).
To work around this behavior, delete the extra ISO image once ReaR has finished working or, to
avoid having a period of time with double storage consumption, create the image in the default
directory and then move it to the desired location manually.
There is a request for enhancement to change this behavior and make ReaR create only one copy of
the ISO image. (BZ #1320552)

Chapter 61. Storage


No support for thin provisioning on top of RAID in a cluster
While RAID logical volumes and thinly provisioned logical volumes can be used in a cluster when
activated exclusively, there is currently no support for thin provisioning on top of RAID in a cluster.
This is the case even if the combination is activated exclusively. Currently this combination is only
supported in LVM's single machine non-clustered mode. (BZ #1014758)

When using thin-provisioning, it is possible to lose buffered writes to the thin-pool if it reaches capacity
If a thin-pool is filled to capacity, it may be possible to lose some writes even if the pool is being
grown at that time. This is because a resize operation (even an automated one) will attempt to flush
outstanding I/O to the storage device prior to the resize being performed. Since there is no room in
the thin-pool, the I/O operations must be errored first to allow the grow to succeed. Once the thin pool
has grown, the logical volumes associated with the thin-pool will return to normal operation.
As a workaround to this problem, set 'thin_pool_autoextend_threshold' and
'thin_pool_autoextend_percent' appropriately for your needs in the lvm.conf file. Do not set the
threshold so high or the percent so low that your thin-pool will reach full capacity so quickly that it
does not allow enough time for it to be auto-extended (or manually extended if you prefer). If you are
not using over-provisioning (creating logical volumes in excess of the size of the backing thin-pool),
then be prepared to remove snapshots as necessary if the thin-pool begins to near capacity.
(BZ #1274676)

Chapter 62. System and Subscription Management


The subscription-manager refresh command fails, displaying an error
Due to a bug caused by changes in the API used by the subscription-manager utility, executing
the subscription-manager refresh command results in an error. There is no workaround at
this point. (BZ #1366301)

Chapter 63. Virtualization


Migration of certain guests from Red Hat Enterprise Linux 7.2 to 7.3 hosts is not possible
Prior to this update, the PCI address of any USB controller that did not have an explicitly specified
model value was ignored on IBM Power guest virtual machines. This bug has been fixed, but as a
consequence of the fix, it is not possible to perform a live migration of guests that use the described
USB controllers from a Red Hat Enterprise Linux 7.2 host to a Red Hat Enterprise Linux 7.3 host, due
to the different PCI addresses of the USB controller.
To work around this problem, edit the guest XML file and add a model attribute with the pci-ohci
value to the USB <controller> element, for example as follows:
<controller type='usb' model='pci-ohci' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05'
function='0x0'/>
</controller>
Afterwards, shut down the guest and start it again for the changes to take effect. As a result, the guest
can be migrated from Red Hat Enterprise Linux 7.2 to 7.3. (BZ #1357468)

numad changes QEMU memory bindings
Currently, the numad daemon cannot distinguish between memory bindings that numad sets and
memory bindings set explicitly by the memory mappings of a process. As a consequence, numad
changes QEMU memory bindings, even when the NUMA memory policy is specified in the QEMU
command line. To work around this problem, if manual NUMA bindings are specified in the guest,
disable numad. This ensures that manual bindings configured in virtual machines are not changed
by numad. (BZ #1360584)

Chapter 64. Atomic Host and Containers


SELinux prevents Docker from running a container
Due to a missing label for the /usr/bin/docker-current binary file, Docker is prevented from
running a container by SELinux. (BZ #1358819)

Appendix A. Component Versions


This appendix is a list of components and their versions in the Red Hat Enterprise Linux 7.3 Beta
release.
Table A.1. Component Versions
Component                 Version
Kernel                    3.10.0-493
QLogic qla2xxx driver     8.07.00.33.07.3-k
QLogic qla4xxx driver     5.04.00.00.07.02-k0
Emulex lpfc driver        0:11.1.0.2
iSCSI initiator utils     iscsi-initiator-utils-6.2.0.873-34
DM-Multipath              device-mapper-multipath-0.4.9-96
LVM                       lvm2-2.02.163-1

Appendix B. Revision History


Revision 0.0-9    Fri Sep 23 2016    Lenka Špaková
Various additions and updates, namely to Deprecated Functionality.

Revision 0.0-8    Mon Sep 19 2016    Lenka Špaková
Various additions and updates.

Revision 0.0-7    Tue Sep 13 2016    Lenka Špaková
Various additions and updates.

Revision 0.0-6    Mon Sep 12 2016    Lenka Špaková
Various additions and updates.

Revision 0.0-5    Fri Sep 09 2016    Lenka Špaková
Various additions and updates.

Revision 0.0-4    Wed Aug 31 2016    Lenka Špaková
Various additions and updates.

Revision 0.0-3    Thu Aug 25 2016    Lenka Špaková
Release of the Red Hat Enterprise Linux 7.3 Beta Release Notes.
