The Release Notes provide high-level coverage of the improvements and additions that have been implemented in Red Hat Enterprise Linux 7.3 and document known problems in this release, as well as notable bug fixes, Technology Previews, deprecated functionality, and other details.

Capabilities and limits of Red Hat Enterprise Linux 7 as compared to other versions of the system are available in the Red Hat Knowledgebase article available at https://access.redhat.com/articles/rhel-limits

Red Hat Enterprise Linux minor releases are an aggregation of individual security, enhancement, and bug fix errata. The Red Hat Enterprise Linux 7.3 Release Notes document describes the major changes made to the Red Hat Enterprise Linux 7 operating system and its accompanying applications for this minor release, as well as known problems and a complete list of all currently available Technology Previews.

Red Hat Customer Portal Labs is a set of tools in a section of the Customer Portal available at https://access.redhat.com/labs/ . The applications in Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify security problems, and quickly deploy and configure complex applications. Some of the most popular applications are:

Since Red Hat Enterprise Linux 7.2, the Red Hat Insights service is available. Red Hat Insights is a proactive service designed to enable you to identify, examine, and resolve known technical issues before they affect your deployment. Insights leverages the combined knowledge of Red Hat Support Engineers, documented solutions, and resolved issues to deliver relevant, actionable information to system administrators.

The service is hosted and delivered through the Customer Portal at https://access.redhat.com/insights/ or through Red Hat Satellite. To register your systems, follow the Getting Started Guide for Insights. For further information, data security, and limits, refer to https://access.redhat.com/insights/splash/

The System Security Services Daemon (SSSD) container is now available for Red Hat Enterprise Linux Atomic Host as Technology Preview. See Chapter 37, Authentication and Interoperability for details.

The Red Hat Enterprise Linux 7 kernel is now able to use the embedded MMC (eMMC) interface version 5.0. For details, refer to Chapter 10, Hardware Enablement.

Controller Area Network (CAN) device drivers are now supported; see Chapter 12, Kernel for more information.

For more information regarding changes in the desktop, refer to Chapter 8, Desktop.

A new instant messaging client, pidgin, has been introduced, which supports off-the-record (OTR) messaging and the Microsoft Lync instant messaging application.

For more information on enhancements to the Red Hat High Availability Add-On, see Chapter 6, Clustering in the New Features Part and Chapter 38, Clustering in the Technology Previews part.

The ability to configure Pacemaker to manage stretch clusters using a separate quorum device (QDevice), which acts as a third-party arbitration device for the cluster. This functionality is provided as a Technology Preview, and its primary use is to allow a cluster to sustain more node failures than standard quorum rules allow.

The ability to configure Pacemaker to manage multi-site clusters across geo-locations for disaster recovery and scalability through the use of the Booth ticket manager. This feature is provided as a Technology Preview.

The ability to better configure and trigger notifications when the status of a managed cluster changes with the introduction of enhanced pacemaker alerts.

LVM2 support for RAID-level takeover, the ability to switch between RAID types, is now available as a Technology Preview. See Chapter 45, Storage for more information.

Support for pNFS SCSI file sharing has been introduced as a Technology Preview. For details, refer to Chapter 39, File Systems.

A new Ceph File System (CephFS) kernel module, introduced as a Technology Preview, enables Red Hat Enterprise Linux nodes to mount Ceph File Systems from Red Hat Ceph Storage clusters. For more information, see Chapter 39, File Systems.

Support for the Non-Volatile Dual In-line Memory Module (NVDIMM) persistent memory architecture has been added, which includes the addition of the kernel subsystem. NVDIMM memory can be accessed either as a block storage device, which is fully supported in Red Hat Enterprise Linux 7.3, or in Direct Access (DAX) mode, which is provided by the ext4 and XFS file systems as a Technology Preview in Red Hat Enterprise Linux 7.3. For more information, see Chapter 17, Storage and Chapter 12, Kernel in the New Features part, and Chapter 39, File Systems in the Technology Previews part.

A new scheduler policy has been introduced as a Technology Preview. This new policy is available in the upstream kernel and shows promise for certain real-time use cases. For details, see Chapter 43, Real-Time Kernel.

Support for the Coherent Accelerator Processor Interface (CAPI) flash block adapter has been added. For detailed information, see Chapter 10, Hardware Enablement.

NetworkManager now supports new device types, improved stacking of virtual devices, LLDP, and stable privacy IPv6 addresses (RFC 7217); it detects duplicate IPv4 addresses and controls the host name through systemd-hostnamed. Additionally, the user can set a DHCP timeout property and DNS priorities.

For more kernel features, refer to Chapter 12, Kernel. For information about Technology Previews related to the kernel, see Chapter 42, Kernel.

Support for Checkpoint/Restore in User space (CRIU) has been expanded to the little-endian variant of the IBM Power Systems architecture.

For detailed information on changes in IdM, refer to Chapter 5, Authentication and Interoperability.

Red Hat Enterprise Linux 7.2 introduced the Ipsilon identity provider service for federated single sign-on (SSO). Subsequently, Red Hat has released Red Hat Single Sign-On as a web SSO solution based on the Keycloak community project. Red Hat Single Sign-On provides greater capabilities than Ipsilon and is designated as the standard web SSO solution across the Red Hat product portfolio.

Entitlements to Red Hat Single Sign-On are currently available using Red Hat JBoss Middleware or OpenShift Container Platform subscriptions.

Note that Red Hat does not plan to upgrade Ipsilon from Technology Preview to a fully supported feature. The ipsilon packages will be removed from Red Hat Enterprise Linux in a future minor release.

The audit daemon introduces a new flush technique, which significantly improves performance. Audit policy, configuration, and logging have been enhanced and now support a number of new options.

Upgraded firewalld starts and restarts significantly faster due to a new transaction model. It also provides improved management of connections, interfaces, and sources, a new default logging option, and ipset support.

The OpenSCAP suite now includes support for scanning containers using the atomic scan command.

OpenSCAP workbench now provides a new SCAP Security Guide integration dialog and enables modification of SCAP policies using a graphical tool.

The SELinux userspace has been rebased and provides various enhancements and performance improvements. Notably, the new SELinux module store supports priorities, and the SELinux Common Intermediate Language (CIL) has been introduced.

Red Hat Enterprise Linux 7.3 is available as a single kit on the following architectures:

This value controls the hard lockup detector behavior regarding gathering further debug information. If enabled, arch-specific all-CPU stack dumping is initiated.

0 - do nothing. This is the default behavior.

Sets the maximum total number of pages that a non-privileged user can allocate for pipes before the pipe size gets limited to a single page. Once this limit is reached, new pipes are limited to a single page in size for this user in order to limit total memory usage. Trying to increase the total number of pages using the fcntl() function is denied until usage drops below the limit again. The default value allows a user to allocate up to 1024 pipes at their default size. When set to 0, no limit is applied.

Once this limit is reached, no new pipes can be allocated until usage returns below the limit again. When set to 0, no limit is applied, which is the default setting.

Controls use of the performance events system by unprivileged users who do not have CAP_SYS_ADMIN.

-1 - Allows use of all events by all users.

Per-cpu work queues are generally preferred because they have better performance due to cache locality, but they consume more power than unbound work queues. This kernel parameter makes the per-cpu work queues that were observed to contribute significantly to power consumption unbound, leading to significantly lower power usage at the cost of a small performance overhead.

If CONFIG_WQ_WATCHDOG is configured, the workqueue subsystem can warn about stall conditions and dump its internal state to help debugging. The value 0 disables workqueue stall detection. Otherwise, the value is the stall threshold duration in seconds. The default value is 30, and it can be updated at runtime by writing to the corresponding sysfs file.

Sets the maximum number of bytes to snoop in each USB Request Block (URB). The default value is 65536.

This feature incurs a small amount of overhead in the scheduler, but it is useful for debugging and performance tuning.

This value is used to set the frequency of hrtimer and NMI events and the soft and hard lockup thresholds. The default threshold is 10 seconds. The softlockup threshold is 2 * watchdog_thresh. Setting this parameter to zero disables lockup detection altogether.

To enable the watchdog on cores 0, 2, 3, and 4 use this command:

This value is used to set which CPUs are available for watchdog to run. The default cpumask is all possible cores, but if NO_HZ_FULL is enabled in the kernel config, and cores are specified with the nohz_full=boot argument, those cores are excluded by default. Offline cores can be included in this mask. If the core is later brought online, watchdog is started based on the mask value. This value can only be touched in the nohz_full case to re-enable cores that by default were not running watchdog, if a kernel lockup was suspected on those cores. The argument value is the standard cpulist format for cpumasks.
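An added helper, not part of the release notes, for working with the cpulist syntax the watchdog cpumask takes: it expands and collapses lists such as "0,2-4" (the cores named above), derives the bitmask, and reports which cores a given mask leaves without a watchdog, which is the check an operator makes before re-enabling nohz_full cores. It assumes the standard Linux cpulist format and, for the optional file reader only, the /proc/sys/kernel/watchdog_cpumask sysctl path; the sample values are constructed so it runs offline.

```python
"""Helpers for the kernel cpulist format used by the watchdog cpumask.

Added example, not part of the Red Hat release notes. Assumes the standard
Linux cpulist syntax ("0,2-4") and, for read_watchdog_cpulist() only, the
/proc/sys/kernel/watchdog_cpumask sysctl path. Sample values are constructed.
"""
import re

# One cpulist element is either a single CPU ("3") or a range ("2-4").
_ELEMENT_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_cpulist(cpulist):
    """Expand a cpulist such as "0,2-4" into the sorted list of CPU numbers."""
    text = cpulist.strip()
    if not text:
        return []
    cpus = set()
    for element in text.split(","):
        m = _ELEMENT_RE.match(element.strip())
        if m is None:
            raise ValueError("invalid cpulist element: %r" % element)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if hi < lo:
            raise ValueError("descending range in cpulist: %r" % element)
        cpus.update(range(lo, hi + 1))
    return sorted(cpus)


def format_cpulist(cpus):
    """Collapse CPU numbers into the compact cpulist form the kernel prints."""
    cpus = sorted(set(cpus))
    if not cpus:
        return ""
    runs = []
    start = prev = cpus[0]
    for cpu in cpus[1:]:
        if cpu == prev + 1:      # extend the current consecutive run
            prev = cpu
            continue
        runs.append((start, prev))
        start = prev = cpu
    runs.append((start, prev))
    return ",".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in runs)


def cpulist_to_mask(cpulist):
    """Return the bitmask (bit n set for CPU n) of a cpulist as an int."""
    mask = 0
    for cpu in parse_cpulist(cpulist):
        mask |= 1 << cpu
    return mask


def cpus_without_watchdog(watchdog_cpulist, possible_cpus):
    """CPUs in 0..possible_cpus-1 that the watchdog mask does not cover.

    With nohz_full= on the kernel command line those cores are excluded by
    default, so this is what an operator checks before re-enabling them.
    """
    covered = set(parse_cpulist(watchdog_cpulist))
    return [cpu for cpu in range(possible_cpus) if cpu not in covered]


def read_watchdog_cpulist(path="/proc/sys/kernel/watchdog_cpumask"):
    """Read the current cpulist from the sysctl file on a live system."""
    with open(path) as fh:
        return fh.read().strip()


if __name__ == "__main__":
    # Constructed values: the cores from the text on an assumed 8-core box.
    wanted = [0, 2, 3, 4]
    print("cpulist for cores 0, 2, 3, 4:", format_cpulist(wanted))
    print("as bitmask: 0x%x" % cpulist_to_mask(format_cpulist(wanted)))
    print("cores without watchdog:", cpus_without_watchdog("0,2-4", 8))
```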

See Documentation/x86/intel_mpx.txt for more information about the feature.

Disables xsaves and xrstors, which are used for saving and restoring x86 extended register state in the compacted form of the xsave area. The kernel falls back to using xsaveopt and xrstor to save and restore the state in the standard form of the xsave area. With this parameter, the xsave area per process can occupy more memory on xsaves-enabled systems.

Disables xsaveopt, which is used for saving x86 extended register state. The kernel falls back to using xsave to save the state. With this parameter, the performance of saving the state is lowered, because xsave does not support the modified optimization that xsaveopt supports on xsaveopt-enabled systems.

This parameter disables or enables the soft lockup detector and the hard lockup detector provided by the NMI watchdog at the same time.

The soft lockup detector and the NMI watchdog can also be disabled or enabled individually, using the soft_watchdog and nmi_watchdog parameters. If the watchdog parameter is read, for example by executing the cat /proc/sys/kernel/watchdog command, the output value, which is 0 or 1, shows the logical OR of soft_watchdog and nmi_watchdog.

Changes the rate at which the kernel sends the layout statistics to the pNFS metadata server.

Setting this value to zero causes the kernel to use whatever default value is set by the layout driver. Any non-zero value sets the minimum interval in seconds between transmissions of layout statistics.

Does not load the modules given in a comma-separated list. This feature is useful for debugging problem modules.

Marks a specific memory region as protected: the region of memory to be used runs from ss to ss+nn. The memory region should be marked as e820 type 12 (0xc) and be NVDIMM or ADR memory.

Instead of specifying the amount of memory nn[KMGTPE], users can specify the "mirror" option. When the "mirror" option is specified, mirrored memory is used for non-movable allocations and the remaining memory is used for movable pages. The nn[KMGTPE] amount and the "mirror" option are mutually exclusive: users are not allowed to specify nn[KMGTPE] and the "mirror" option at the same time.

By default, extended context tables are supported if the hardware advertises that it has support both for the extended tables themselves, and also PASID support. With this option set, extended tables will not be used even on hardware which claims to support them.

Sets a delay of N microseconds between the assert and de-assert of APIC INIT to start processors. This delay occurs every time a CPU is brought online, such as at boot and on resume from suspend.

none: External NMI is masked for all CPUs. This is useful so that a dump capture kernel will not be shot down by an NMI.

all: External NMIs are broadcast to all CPUs as a backup of CPU 0.

This chapter provides system administrators with a summary of significant changes in the kernel shipped with Red Hat Enterprise Linux 7.3. These changes include added or updated proc entries, sysctl and sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.

Part I. New Features

This part documents new features in Red Hat Enterprise Linux 7.3.

Chapter 5. Authentication and Interoperability Server performance has improved in many areas Some operations in Identity Management run much faster now. For example, this enhancement enables better scalability in large deployments exceeding 50,000 users and hosts. Most notably, the improvements include: Faster adding of users and hosts

Faster Kerberos authentication for all commands

Faster execution of the ipa user-find and ipa host-find commands For information on how to reduce the time required for provisioning of a large number of entries, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#performance-tuning ipa *-find commands no longer show membership by default. To display the membership, add the --all option to ipa *-find or, alternatively, use the ipa *-show commands. (BZ# Note that to make the find operations faster, thecommands no longer show membership by default. To display the membership, add theoption toor, alternatively, use thecommands. (BZ# 1298288 , BZ#1271321, BZ#1268449, BZ#1346321) Enhanced IdM topology management Information about the Identity Management (IdM) topology is now maintained at a central location in the shared tree. As a result, you can now manage the topology from any IdM server using the command line or the web UI. Additionally, some topology management operations have been simplified, notably: Topology commands have been integrated into the IdM command-line interface, so that you can perform all replica operations using the native IdM command-line tools.

You can manage replication agreements in the web UI or from the command line using a new and simplified workflow.

The web UI includes a graph of the IdM topology, which helps visualize the current state of replica relationships.

IdM includes safety measures that prevent you from accidentally deleting the last certificate authority (CA) master from the topology or isolating a server from the other servers.

Support for server roles as a simpler way of determining which server in the topology hosts which services as well as installing these services onto a server. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#managing-topology 1 . See Note that the new functionality requires raising the domain level to. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#domain-level (BZ# 1298848 , BZ# 1199516 Simplified replica installation Installing a replica no longer requires you to log in to the initial server, use the Directory Manager (DM) credentials, and copy the replica information file from the initial server to the replica. For example, this allows for easier provisioning using an external infrastructure management system, while retaining a reasonable level of security. In addition, the ipa-replica-install utility can now also promote an existing client to a replica. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#install-replica 1 . See Note that the new functionality requires raising the domain level to. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#domain-level (BZ# 837369 IdM now supports smart card authentication for AD users This update extends smart card support in Identity Management (IdM). Users from a trusted Active Directory (AD) can now authenticate using a smart card both remotely using ssh as well as locally. The following methods are supported for local authentication: Text console

Graphical console, such as the Gnome Display Manager (GDM)

Local authentication services, like su or sudo Note that IdM only supports the above-mentioned local authentication services and ssh for smart card authentication. Other services, such as FTP, are not supported. The smart card certificate for AD users can be stored directly in AD, or in an IdM override object for the AD user. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#smart-cards (BZ# 1298966 , BZ# 1290378 IdM now supports TGS authorization decisions In an Identity Management (IdM) environment, users can optionally log in using multi-factor authentication. The Kerberos ticket from the ticket granting server (TGS) now contains an indicator if two-factor authentication using a standard password in combination with a one-time password (OTP) was used. This enables the administrator to set server-side policies for resources, and the users are allowed to access based upon the type of their logins. For example, the administrator can now allow the user to log in to the desktop either using one- or two-factor authentication, but require two-factor authentication for virtual private networks (VPN) logins. ipa service-* and ipa host-* commands. (BZ# By default, all services accept all tickets. To activate this granularity, you have to manage the policies in the IdM web user interface or use theandcommands. (BZ# 1224057 , BZ# 1340304 , BZ# 1292153 sssd now provides optional two-factor authentication The System Security Services Daemon (SSSD) now allows users with two-factor authentication enabled to authenticate to services either by using a standard password and a one-time password (OTP), or using only a standard password. Optional two-factor authentication enables administrators to configure local logins using a single factor, while other services, like access to VPN gateways, can request both factors. 
As a result, during the login, the user can enter either both factors, or optionally only the password. The Kerberos ticket then uses authentication indicators to list the used factors. (BZ# 1325809 New SSSD control and status utility The sssctl utility provides a simple and unified way to obtain information about the System Security Services Daemon's (SSSD) status. For example, you can query status information about active server, auto-discovered servers, domains, and cached objects. Additionally, the sssctl utility enables you to manage SSSD data files to troubleshoot SSSD in a safe way while the service is running. The options supported by sssctl include client-data-backup and cache-remove to back up and remove the SSSD cache. Previously, when it was necessary to start SSSD without any cached data, the administrator had to remove the cache files manually. For more information about the features the utility provides, run sssctl --help . For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/System-Level_Authentication_Guide/index.html#sssctl (BZ#879333) SSSD configuration file validation /etc/sssd/sssd.conf file. As a consequence, the administrator had to find the problem in the configuration file if the service failed to start. This update provides the config-check option of the sssctl command to locate problems in the configuration file. Additionally, SSSD automatically checks the validity of the configuration file after the service starts, and shows level 0 debug messages for incorrect settings. (BZ# Previously, the System Security Services Daemon (SSSD) did not provide a tool to manually check thefile. As a consequence, the administrator had to find the problem in the configuration file if the service failed to start. This update provides theoption of thecommand to locate problems in the configuration file. 
Additionally, SSSD automatically checks the validity of the configuration file after the service starts, and shows level 0 debug messages for incorrect settings. (BZ# 988207 , BZ# 1072458 The pki cert-find command now supports revocation strings The pki cert-find command has been enhanced and now supports revocation reasons in string format. As a result, you can pass strings, such as Key_compromise , to the --revocationReason option, instead of the corresponding numeric values. For the list of supported revocation strings, see # pki cert-find --help (BZ#1224365) IdM now supports setting individual Directory Server options during server or replica installation The Identity Management (IdM) ipa-server-install and ipa-replica-install commands have been enhanced. The new --dirsrv-config-file parameter enables the administrator to change default Directory Server settings used during and after the IdM installation. For example, to disable secure LDAP binds in the mentioned situation: Create a text file with the setting in LDIF format: dn: cn=config changetype: modify replace: nsslapd-require-secure-binds nsslapd-require-secure-binds: off Start the IdM server installation by passing the --dirsrv-config-file parameter and file to the installation script: # ipa-server-install --dirsrv-config-file filename.ldif (BZ# 825391 IdM now enables the admin group and ipaservers host group Identity Management (IdM) now introduces two new groups: User group admins - Members have full administrative permissions in IdM.

ipaservers - Hosts in this group can be promoted to a replica by users without full administrative permissions. All IdM servers are members of this group. (BZ# Host group- Hosts in this group can be promoted to a replica by users without full administrative permissions. All IdM servers are members of this group. (BZ# 1211595 IdM now supports OTP generation in the Web UI Generate OTP check box in the Add host dialog. After adding the host, a window displays the generated OTP. You can use this password to join the host to the domain. This procedure simplifies the process and provides a strong OTP. To override the OTP, navigate to the host's details page, click, Action and select Reset One-Time-Password . (BZ# Identity Management (IdM) now supports one-time password (OTP) generation when adding a host in the Web UI. Select thecheck box in thedialog. After adding the host, a window displays the generated OTP. You can use this password to join the host to the domain. This procedure simplifies the process and provides a strong OTP. To override the OTP, navigate to the host's details page, click,and select. (BZ# 1146860 New sss_cache option to mark sudo rules as expired sss_cache command from the System Security Services Daemon (SSSD). The options -r and -R have been added to mark one or all sudo rules as expired. This enables the administrator to force a refresh of new rules on the next sudo lookup. Please note that the sudo rules are refreshed using a different algorithm than the user and group entities. For more information about the mechanism, see the sssd-sudo(5) man page. (BZ# This update enhances thecommand from the System Security Services Daemon (SSSD). The optionsandhave been added to mark one or allrules as expired. This enables the administrator to force a refresh of new rules on the nextlookup. Please note that therules are refreshed using a different algorithm than the user and group entities. 
For more information about the mechanism, see the sssd-sudo(5) man page. (BZ# 1031074 New packages: custodia , python-jwcrypto This update adds the custodia packages and their dependency python-jwcrypto to Red Hat Enterprise Linux 7. Custodia is an HTTP-based pipeline to request and distribute secrets. It handles the authentication, authorization, request handling, and storage stages of secrets management. Custodia is currently only supported as an internal subsystem of Red Hat Identity Management. The package python-jwcrypto is an implementation of the JavaScript object signing and encryption (JOSE) web standards in Python. It is installed as a dependency of Custodia. (BZ#1206288) New package: python-gssapi This update adds the python-gssapi package to Red Hat Enterprise Linux 7. It provides a generic security services API (GSSAPI) that is compatible with Python 2 and 3. Identity Management (IdM) uses the package as a replacement for python-krbV and python-pykerberos , which only support Python 2 (BZ#1292139) New package: python-netifaces This update adds the python-netifaces package to Red Hat Enterprise Linux 7. This Python module makes it possible to read information about the system network interfaces from the operating system. It has been added as a dependency for Red Hat Identity Management (IdM). (BZ#1303046) New package: mod_auth_openidc This update adds the mod_auth_openidc package to Red Hat Enterprise Linux 7. It enables the Apache HTTP server to act as an OpenID Connect Relying Party for single sign-on (SSO) or as an OAuth 2.0 Resource Server. Web applications can use the module to interact with a variety of OpenID Connect server implementations including the Keycloak open source project and Red Hat Single Sign-On (SSO) products. (BZ#1292561) IdM now supports DNS locations This update adds support for DNS location management to the Identity Management (IdM) integrated DNS server to improve cross-site implementations. 
Previously, clients using DNS records to locate IdM servers could not distinguish local servers from servers located in remote geographical locations. This update enables clients using DNS discovery to find the nearest servers, and to use the network in an optimized way. As a result, administrators can manage DNS locations and assign servers to them in the IdM web user interface and from the command line. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#dns-locations (BZ# 747612 IdM now supports establishing an external trust to an AD domain Red Hat Enterprise Linux Identity Management (IdM) now supports establishing an external trust to an Active Directory (AD) domain in a forest. An external trust is non-transitive and can be established to any domain in an AD forest. This allows to limit a trusted relationship to a specific domain rather than trusting the whole AD forest. (BZ# 1314786 IdM now supports logging in with alternative UPNs In an Active Directory (AD) forest, it is possible to associate a different user principal name (UPN) suffix with the user name instead of the default domain name. Identity Management (IdM) now allows users from a trusted AD forest to log on with an alternative UPN. Additionally, the System Security Services Daemon (SSSD) now detects whether the IdM server supports alternative UPNs. If they are supported, SSSD activates this feature automatically on the client. When you add or remove UPN suffixes in a trusted AD forest, run ipa trust-fetch-domains on an IdM master to refresh the information for the trusted forest in the IdM database. 
For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#UPN-in-a-trust (BZ# 1287194 , BZ#1211631) IdM now supports sub-CAs Previously, Identity Management (IdM) only supported one certificate authority (CA) that was used to sign all certificates issued within the IdM domain. Now, you can use lightweight sub-CAs for better control over the purpose for which a certificate can be used. For example, a Virtual Private Network (VPN) server can be configured to only accept certificates issued by a sub-CA created for that purpose, rejecting certificates issued by other sub-CAs, such as a smart card CA. To support this functionality, you can now specify an IdM lightweight sub-CA when requesting a certificate with certmonger. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#lightweight-sub-cas (BZ# 1200731 , BZ# 1345755 SSSD now supports automatic Kerberos host keytab renewal Previously, the System Security Services Daemon (SSSD) did not support the automatic renewal of Kerberos host keytab files in an Active Directory (AD). In environments that, for security reasons, do not allow using passwords that never expire, the files had to be manually renewed. With this update, SSSD is able to automatically renew Kerberos host keytab files. SSSD checks once per day if the machine account password is older than the configured number of days in the ad_maximum_machine_account_password_age parameter of the /etc/sssd/sssd.conf file. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/System-Level_Authentication_Guide/index.html#sssd-auto-keytab-renewal (BZ# 1310877 IdM supports user principal aliases Previously, Identity Management (IdM) supported only the authentication using the user name. 
However, in some environments it is a requirement to authenticate with an email address or alias name. IdM has been enhanced and now supports principal aliases. The System Security Services Daemon (SSSD) has also been updated to support this functionality. To add the aliases ualias and user@example.com to the account user , run the following command: # ipa user-add-principal user ualias user\\@example.com Use the -C option to the kinit command when with an alias, and the -E option when using an enterprise principal name: # kinit -C ualias # kinit -E user@example.com (BZ# 1328552 , BZ# 1309745 SSSD cache update performance improvement /var/lib/sss/db/timestamps_$domain.ldb . This enhancement improves the performance for entries that rarely change on the server side, such as groups. (BZ# Previously, the System Security Services Daemon (SSSD) always updated all cached entries after the cache validity timeout passed. This consumed unnecessarily resources on the client and the server, for entries that have not been changed. SSSD has been enhanced and now checks if the cached entry requires an update. The time stamp values are increased for unchanged entries and stored in the new SSSD database. This enhancement improves the performance for entries that rarely change on the server side, such as groups. (BZ# 1290380 SSSD now supports sudo rules stored in the IdM schema Previously, the System Security Services Daemon (SSSD) used the ou=sudoers container, generated by the compatibility plug-in, to fetch sudo rules. SSSD has been enhanced to support sudo rules in the cn=sudo container that are stored in the Identity Management (IdM) directory schema. ldap_sudo_search_base parameter in the /etc/sssd/sssd.conf file. (BZ# To enable this feature, unset theparameter in thefile. 
(BZ#789477)

SSSD now automatically adjusts the ID ranges for AD clients in environments with high RID numbers
The automatic ID mapping mechanism included in the System Security Services Daemon (SSSD) service is now able to merge ID range domains. The SSSD default size of ID ranges is 200,000. In large Active Directory (AD) installations, the administrator had to manually adjust the ID range assigned by SSSD if the Active Directory relative ID (RID) exceeded 200,000, so that the range corresponded with the RID. With this enhancement, for AD clients that have ID mapping enabled, SSSD automatically adjusts the ID ranges in the described situation. As a result, the administrator does not have to adjust the ID range manually, and the default ID mapping mechanism works in large AD installations. (BZ#1059972)

New sssctl option remove-cache
This update adds the remove-cache option to the sssctl utility. The option removes the local System Security Services Daemon (SSSD) database contents and restarts the sssd service. This enables the administrator to start from a clean state with SSSD and avoids the need to manually remove cache files. (BZ#1007969)

Password changes on legacy IdM clients
Previously, Red Hat Enterprise Linux contained a version of slapi-nis that did not enable users to change their passwords on legacy Identity Management (IdM) clients.
As a consequence, users logged in to clients via the slapi-nis compatibility tree could only update their password using the IdM web UI or directly in Active Directory (AD). A patch has been applied to slapi-nis, and as a result, users are now able to change their password on legacy IdM clients. (BZ#1084018)

The ldapsearch command can now return all operational attributes
LDAP searches can now return all operational attributes as described in IETF RFC 3673. Using the + character in a search yields all operational attributes to which the bound Distinguished Name (DN) has access. The returned results may be limited depending on applicable Access Control Instructions (ACIs). An example search might look similar to the following:

ldapsearch -LLLx -h localhost -p 10002 -b ou=people,dc=example,dc=com -s base '+'
dn: ou=People,dc=example,dc=com

See https://tools.ietf.org/html/rfc3673 for additional information about this feature. (BZ#1290111)

Increased accuracy of log time stamps
This update increases the accuracy of time stamps in Directory Server logs from one-second precision to nanosecond precision by default. This enhancement allows for a more detailed analysis of events in Directory Server, and enables external log systems to correctly rebuild and interweave logs from Directory Server. Previously, log entries contained time stamps as shown in the following example:

[21/Mar/2016:12:00:59 +1000] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3

With this update, the same log entry contains a more accurate time stamp:

[21/Mar/2016:12:00:59.061886080 +1000] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3

To revert to the old time stamp format, set the nsslapd-logging-hr-timestamps-enabled attribute to false in cn=config. (BZ#1273549)

Changing a user password now always updates the shadowLastChange attribute
Previously, some ways of changing a user's password could update the passwordExpirationTime attribute but not the shadowLastChange attribute.
Some systems which can interface with Directory Server, such as Active Directory, expect both attributes to be updated, and therefore this behavior could lead to synchronization errors. With this update, any change to a user password updates both attributes, and synchronization problems no longer occur. (BZ#1018944)

ns-slapd now logs failed operations in the audit log
Previously, ns-slapd only logged successful changes to the directory. This update adds support for also logging failed changes, their contents, and the reason for the failure. This allows for easier debugging of applications that fail to alter directory content, as well as detecting possible attacks. (BZ#1209094)

New utility for displaying status of Directory Server instances
Directory Server now provides the status-dirsrv command line utility, which outputs the status of one or all instances. Use the following command to obtain a list of all existing instances:

status-dirsrv

To display the status of a specific instance, append the instance name to the command. See the status-dirsrv(8) man page for additional details and a list of return codes. (BZ#1209128)

IdM now supports up to 60 replicas
Previously, Identity Management (IdM) supported up to 20 replicas per IdM domain. This update increases the support limit to 60 replicas per IdM domain.
For detailed replica topology recommendations, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/replica-considerations.html#replica-topology-recommendations (BZ#1274524)

SSSD now reads optional *.conf files from /etc/sssd/conf.d/
The System Security Services Daemon (SSSD) has been enhanced to read *.conf files from the /etc/sssd/conf.d/ directory. This enables you to use a general /etc/sssd/sssd.conf file on all clients and to add additional settings in further configuration files to suit individual clients. SSSD first reads the common /etc/sssd/sssd.conf file, and then, in alphabetical order, the other files in /etc/sssd/conf.d/. The daemon uses the last read configuration parameter if the same one appears multiple times in different files. (BZ#790113)

New option to enable use of quotes in schema
This update introduces the LDAP_SCHEMA_ALLOW_QUOTED environment variable, which adds support for older-style schema using quotes in the schema directory. To enable this functionality, set the following variable in the /etc/sysconfig/dirsrv-INSTANCE configuration file:

LDAP_SCHEMA_ALLOW_QUOTED=on

(BZ#1368484)

OpenLDAP now supports SHA2 password hashes
The OpenLDAP server in Red Hat Enterprise Linux 7.3 now provides a module for SHA2 support. To load the pw-sha2 module, add the following line to your /etc/openldap/slapd.conf file:

moduleload pw-sha2

As a result, you can store passwords in OpenLDAP using the following hashes:

SSHA-512

SSHA-384

SSHA-256

SHA-512

SHA-384

SHA-256

(BZ#1292568)

The pki cert-request-find command now displays the serial number for completed revocation requests
With this update, the pki subcommand cert-request-find now displays the certificate ID of revoked certificates for completed revocation requests. (BZ#1224642)

The IdM password policy now enables never-expiring passwords
Previously, all user passwords in Identity Management (IdM) were required to have an expiration date defined. With this update, the administrator can configure user passwords to be valid indefinitely by setting the password policy Max lifetime value to 0. Note that new password policy settings apply to new passwords only. For the change to take effect, existing users must update their passwords. (BZ#826790)

ipa-getkeytab can now automatically detect the IdM server
When running the ipa-getkeytab utility on an Identity Management (IdM) server, you are no longer required to specify the server name using the -s option. The ipa-getkeytab utility detects the IdM server automatically in this situation. (BZ#768316)

Enhanced sub-commands in the ipa-replica-manage utility
The ipa-replica-manage utility has been enhanced and now additionally supports the o=ipaca back end in the following sub-commands:

list-ruv

clean-ruv

abort-clean-ruv

Additionally, the clean-dangling-ruv sub-command has been added to the ipa-replica-manage utility. This enables the administrator to automatically remove dangling replica update vectors (RUV). (BZ#1212713)

samba rebased to version 4.4.4
The samba packages have been upgraded to upstream version 4.4.4, which provides a number of bug fixes and enhancements over the previous version:

The WINS nsswitch module now uses the libwbclient library for WINS queries. Note that the winbind daemon must be running to resolve WINS names that use the module.

The default value of the winbind expand groups option has been changed from 1 to 0.

The -u and -g options of the smbget command have been replaced with the -U option to match the parameters of other Samba commands. The -U option accepts a username[%password] value. Additionally, the username and password parameters in the smbgetrc configuration file have been replaced with the user parameter.

The -P parameter of the smbget command has been removed.

Printing using the CUPS back end with Kerberos credentials now requires installing the samba-krb5-printing package and configuring CUPS appropriately.

It is now possible to configure Samba as a print server by using the CUPS back end with Kerberos credentials. To do so, install the samba-krb5-printing package and configure CUPS appropriately.

Samba and CTDB header files are no longer installed automatically when you install samba.

Samba automatically updates its tdb database files when the smbd, nmbd, or winbind daemon starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.

Note that using the Linux kernel CIFS module with SMB protocol 3.1.1 is currently experimental and the functionality is unavailable in kernels provided by Red Hat.

For further information about notable changes, read the upstream release notes before updating:

https://www.samba.org/samba/history/samba-4.3.0.html

https://www.samba.org/samba/history/samba-4.4.0.html

(BZ#1303076)

New net ads join option to prevent AD DNS update
The net ads join command now provides the --no-dns-updates option, which prevents updating the DNS server with the machine name when joining a client to Active Directory (AD). This option enables the administrator to bypass the DNS registration if the DNS server does not allow client updates and the DNS update would therefore fail with an error message. (BZ#1263322)

New realm join option to set NetBIOS name
The realm join command now provides the --computer-name option to set an individual NetBIOS name. This enables the administrator to join a machine to a domain using a name different from the host name. (BZ#1293390)

DRMTool renamed to KRATool
The Data Recovery Manager (DRM) component of Certificate System (CS) is now called Key Recovery Authority (KRA). For consistency with this change, this update renames the DRMTool utility to KRATool. Note that to ease the transition, compatibility symbolic links are provided. The links help ensure that, for example, scripts referencing DRMTool continue working. (BZ#1305622)

Explicit dependency on OpenJDK 1.8.0
The current PKI code has only been verified to work with OpenJDK 1.8.0. Previously, PKI depended on a generic java link provided by alternatives and assumed that the link would point to OpenJDK 1.8.0. Since the alternatives settings could change for various reasons, this could cause problems for PKI. To ensure that PKI always works properly, PKI has been changed to depend more specifically on the jre_1.8.0_openjdk link, which always points to the latest update of OpenJDK 1.8.0 regardless of other Java installations.
(BZ#1347466)

The ipa *-find commands no longer display member entries
By default, the Identity Management (IdM) ipa *-find commands no longer display member entries, such as for host groups. Resolving a large number of member entries is resource intensive, and the output of the commands can become long and unreadable. As a result, the default was changed. To display member entries, use the --all option with the ipa *-find command. For example:

# ipa hostgroup-find --all

(BZ#1354626)

Certificate System now supports setting a start ID for CRL
Red Hat Certificate System now supports setting a start ID for certificate revocation lists (CRL) using the pki_ca_starting_crl_number option in the /etc/pki/default.cfg file. This enables administrators to migrate certificate authorities (CA) which have already issued CRLs to the Certificate System. (BZ#1358439)

New pki-server subcommand to add the issuer DN to a certificate
An enhancement in the Certificate Server now stores the issuer DN in new certificate records, and the REST API certificate search now supports filtering certificates by the issuer DN. To add the issuer DN to existing certificate records, run:

# pki-server db-upgrade

(BZ#1305992)

Certificate System now removes old CRLs
Previously, if the file-based certificate revocation list (CRL) publishing feature was enabled in the Certificate System, the service regularly created new CRL files without removing old ones. As a consequence, the system running Certificate System could eventually run out of space. To address the problem, two new configuration options were added to the /etc/pki/pki-tomcat/ca/CS.cfg file:

maxAge - Sets the number of days after which files expire and are purged. Default is 0 (never).

maxFullCRLs - Sets the maximum number of CRLs to keep. When new files are published, the oldest file is purged. Default is 0 (no limit).

As a result, you can now configure how the Certificate System handles old CRL files. (BZ#1327683)

Specifying certificate nick names in pkispawn configuration for cloning
During clone installation, the clone imports the system certificates from the PKCS #12 file specified in the pki_clone_pkcs12_path parameter in the pkispawn configuration file. Previously, it was not necessary to specify the nick names of the certificates in the PKCS #12 file. Due to new IPA requirements, the certificate import mechanism had to be changed. With this update, to ensure that the certificates are imported with the proper trust attributes, the nick names of the CA signing certificate and the audit signing certificate in the PKCS #12 file have to be specified in the following parameters:

pki_ca_signing_nickname

pki_audit_signing_nickname

(BZ#1321491)

Deploying the Certificate System using an existing CA certificate and key
Previously, the Certificate System generated the key for the certificate authority (CA) certificate internally. With this update, the key generation is optional, and the Certificate System now supports reusing an existing CA certificate and key, which can be provided in a PKCS #12 file or on a hardware security module (HSM). This mechanism enables the administrator to migrate from an existing CA to the Certificate System. (BZ#1289323)

Separate cipher lists for instances acting as a client
Prior to this feature, the cipher list specified in the server.xml file was used when a Certificate System instance was acting as a server as well as a client. In some cases, certain ciphers were not desired or did not work. This update gives administrators tighter control, as it allows the administrator to specify an allowed list of SSL ciphers when the server is acting as a client for communication between two Certificate System subsystems. This cipher list is separate from the one stored on the server. (BZ#1302136)

Support for PKCS #7 certificate chains with the BEGIN/END PKCS7 label
To comply with RFC 7468, PKI tools now accept and generate PKCS #7 certificate chains with the BEGIN/END PKCS7 label instead of the BEGIN/END CERTIFICATE CHAIN label. (BZ#1353005)

krb5 rebased to version 1.14.1
The krb5 packages have been updated to upstream version 1.14.1, which provides a number of enhancements, new features, and bug fixes.
Notably, it implements authentication indicator support to increase security. For further details, see http://web.mit.edu/kerberos/krb5-latest/doc/admin/auth_indicator.html (BZ#1292153)

The Kerberos client now supports configuration snippets
The /etc/krb5.conf file now loads configuration snippets from the /etc/krb5.conf.d/ directory. This enables compliance with existing distribution configuration standards and crypto policies management. As a result, users can now split configuration files and store the snippets in the /etc/krb5.conf.d/ directory. (BZ#1146945)

IdM rebased to version 4.4.0
The ipa* packages have been upgraded to upstream version 4.4.0, which provides a number of bug fixes and enhancements over the previous version:

Improved Identity Management (IdM) server performance, such as faster provisioning, Kerberos authentication, and user and group operations with many members.

DNS locations to enable clients in a branch office to contact only local servers with the possibility to fall back to remote servers.

Central replication topology management.

The number of supported replication partners has been increased from 20 to 60 replicas.

Authentication indicator support for one-time passwords (OTP) and RADIUS. Authentication indicators can be enabled for hosts and services individually.

Sub-CA support enables the administrator to create individual certificate authorities to issue certificates for specific services.

Enhanced smart card support for Active Directory (AD) users enables the administrator to store smart card certificates in AD or IdM overrides.

IdM server API versioning.

Support for establishing external trusts with AD.

Alternative AD user principal name (UPN) suffixes.

(BZ#1292141)

SSSD now enables fetching autofs maps from an AD server
You can now use the autofs_provider=ad setting in the [domain] section of the /etc/sssd/sssd.conf file. With this setting, the System Security Services Daemon (SSSD) fetches autofs maps from an Active Directory (AD) server. Previously, when it was required to store autofs maps in AD, the AD server administrator had to use the autofs_provider=ldap setting and manually configure the LDAP provider, including the bind method, search base, and other parameters. With this update, it is only required to set autofs_provider=ad in sssd.conf. Note that SSSD expects the autofs maps stored in AD to follow the format defined in RFC 2307: https://tools.ietf.org/html/rfc2307 (BZ#874985)

The dyndns_server option enables specifying the DNS server to receive dynamic DNS updates
The System Security Services Daemon (SSSD) now supports the dyndns_server option in the /etc/sssd/sssd.conf file. The option specifies the DNS server that is automatically updated with DNS records when the dyndns_update option is enabled. The option is useful, for example, in environments where the DNS server is different from the identity server. In such cases, you can use dyndns_server to enable SSSD to update the DNS records on the specified DNS server. (BZ#1140022)

SSSD now supports using full_name_format=%1$s to set the output name of AD trusted users to a shortname
Previously, in trust setups, certain System Security Services Daemon (SSSD) features required using the default value for the full_name_format option in the /etc/sssd/sssd.conf file. Using full_name_format=%1$s to set the output format of trusted Active Directory (AD) users to a shortname broke other functionality. This update decouples the internal representation of a user name from the output format.
You can now use full_name_format=%1$s without breaking other SSSD functionality. Note that the input name must still be qualified, except when the default_domain_suffix option is used in sssd.conf. (BZ#1287209)

Documentation now describes configuration and limitations of IdM clients using an AD DNS host name
The Identity Management (IdM) documentation has been enhanced and now describes the configuration of IdM clients located in the DNS name space of a trusted Active Directory (AD) domain. Note that this is not a recommended configuration and has some limitations. For example, only password authentication is available to access these clients instead of single sign-on. Red Hat recommends always deploying IdM clients in a DNS zone different from the ones owned by AD and accessing IdM clients through their IdM host names. For detailed information, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ipa-in-ad-dns.html (BZ#1320838)

Certificate System now supports setting SSL ciphers for individual installation
Previously, if an existing Certificate Server had a customized cipher set that did not overlap with the default ciphers used during the installation, a new instance could not be installed to work with existing instances. With this update, Certificate System enables you to customize the SSL ciphers using a two-step installation, which avoids this problem. To set the ciphers during a Certificate System instance installation:

1. Prepare a deployment configuration file that includes the pki_skip_configuration=True option.

2. Pass the deployment configuration file to the pkispawn command to start the initial part of the installation.

3. Set the ciphers in the sslRangeCiphers option in the /var/lib/pki/<instance>/conf/server.xml file.

4. Replace the pki_skip_configuration=True option with pki_skip_installation=True in the deployment configuration file.
5. Run the same pkispawn command to complete the installation.

(BZ#1303175)

New attribute for configuring replica release timeout
In a multi-master replication environment where multiple masters receive updates at the same time, it was previously possible for a single master to obtain exclusive access to a replica and hold it for a very long time due to problems such as a slow network connection. During this time, other masters were blocked from accessing the same replica, which considerably slowed down the replication process. This update adds a new configuration attribute, nsds5ReplicaReleaseTimeout, which can be used to specify a timeout in seconds. After the specified timeout period passes, the master releases the replica, allowing other masters to access it and send their updates. (BZ#1349571)
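The /etc/sssd/conf.d/ item earlier in this chapter defines a read order (sssd.conf first, then the conf.d/*.conf files alphabetically, last value wins). The following Python models that merge so an administrator can see which file set each effective value; it is an added example, not SSSD's own code, and the sssd.conf and snippet contents in it are constructed.

```python
"""Model of how SSSD on RHEL 7.3 assembles its effective configuration:
/etc/sssd/sssd.conf is read first, then every *.conf file in
/etc/sssd/conf.d/ in alphabetical order, and the last value read for a
parameter wins.  Added example, not SSSD's own code; the file contents
below are constructed for illustration."""
import configparser
import os


def _parse(name, text):
    # interpolation=None: sssd.conf values such as full_name_format=%1$s
    # contain '%', which configparser would otherwise try to expand.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep option names exactly as written
    cp.read_string(text, source=name)
    return cp


def sssd_read_order(snippet_names):
    """Return the conf.d file names SSSD would read, in reading order.

    Only names ending in .conf count; they are sorted alphabetically.
    """
    return sorted(n for n in snippet_names if n.endswith(".conf"))


def effective_sssd_config(base_text, snippets):
    """Merge sssd.conf with the conf.d snippets.

    base_text: contents of /etc/sssd/sssd.conf
    snippets:  {file name: contents} for /etc/sssd/conf.d/
    Returns {section: {option: (value, source file)}}; the source records
    which file supplied the winning value.
    """
    merged = {}
    ordered = [("sssd.conf", base_text)]
    ordered += [("conf.d/" + n, snippets[n]) for n in sssd_read_order(snippets)]
    for source, text in ordered:
        cp = _parse(source, text)
        for section in cp.sections():
            dest = merged.setdefault(section, {})
            for option, value in cp.items(section):
                dest[option] = (value, source)   # a later file overrides
    return merged


def load_conf_d(directory):
    """Read a real conf.d directory into the {name: text} shape used above."""
    return {n: open(os.path.join(directory, n)).read()
            for n in os.listdir(directory) if n.endswith(".conf")}


# Constructed sample files: a common sssd.conf plus two per-client snippets.
SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam, autofs

[domain/example.com]
id_provider = ad
autofs_provider = ldap
ad_maximum_machine_account_password_age = 30
full_name_format = %1$s
"""

CONF_D = {
    "10-branch.conf": """\
[domain/example.com]
autofs_provider = ad
dyndns_update = True
""",
    "20-dns.conf": """\
[domain/example.com]
dyndns_server = dns1.example.com
dyndns_update = False
""",
    "README.txt": "not read by SSSD: no .conf suffix\n",
}

if __name__ == "__main__":
    for section, options in effective_sssd_config(SSSD_CONF, CONF_D).items():
        print("[%s]" % section)
        for option, (value, source) in options.items():
            print("  %s = %s    # from %s" % (option, value, source))
```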

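The Directory Server log time stamp change described earlier in this chapter matters to anything that ingests those logs: a consumer must accept both the one-second and the nanosecond form. The following Python parser, an added example rather than Directory Server code, handles both and interleaves lines from several logs in time order; the sample lines are constructed after the ones quoted in the note.

```python
"""Parse Directory Server access-log time stamps in both the old
one-second format and the RHEL 7.3 nanosecond format, and interleave
records from several logs in time order.  Added example, not Directory
Server code; the sample lines are constructed after the ones quoted in
the release note."""
import re
from datetime import datetime, timedelta, timezone

# [DD/Mon/YYYY:HH:MM:SS(.nanoseconds)? +HHMM] rest-of-line
_TS_RE = re.compile(
    r"^\[(?P<day>\d{2})/(?P<mon>[A-Z][a-z]{2})/(?P<year>\d{4}):"
    r"(?P<hour>\d{2}):(?P<min>\d{2}):(?P<sec>\d{2})"
    r"(?:\.(?P<frac>\d{1,9}))?"   # absent with nsslapd-logging-hr-timestamps-enabled: off
    r" (?P<tz>[+-]\d{4})\] (?P<rest>.*)$"
)
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_access_line(line):
    """Return (epoch_ns, has_subsecond, rest) for one access-log line.

    epoch_ns is the time stamp as integer nanoseconds since the Unix epoch
    (kept as an int because datetime only carries microseconds).
    has_subsecond is False for lines written in the old format, so a
    consumer knows which records are accurate only to the second.
    """
    m = _TS_RE.match(line)
    if m is None:
        raise ValueError("not a Directory Server access-log line: %r" % line)
    tz = m.group("tz")
    delta = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    offset = timezone(delta if tz[0] == "+" else -delta)
    dt = datetime(int(m.group("year")), _MONTHS[m.group("mon")],
                  int(m.group("day")), int(m.group("hour")),
                  int(m.group("min")), int(m.group("sec")), tzinfo=offset)
    frac = m.group("frac")
    nanos = int(frac.ljust(9, "0")) if frac else 0   # ".06" == ".060000000"
    epoch_ns = int(dt.timestamp()) * 10**9 + nanos
    return epoch_ns, frac is not None, m.group("rest")


def merge_logs(*logs):
    """Interleave several lists of access-log lines into one time-ordered list.

    The sort is stable: lines with identical time stamps keep their order
    within a log, and logs are kept in argument order.  With the old
    format, events within the same second cannot be ordered across logs,
    which is exactly what the nanosecond time stamps fix.
    """
    records = [(parse_access_line(line)[0], line) for log in logs for line in log]
    records.sort(key=lambda r: r[0])
    return [line for _, line in records]


# Constructed sample lines, modelled on the release note's examples.
OLD_FORMAT = ('[21/Mar/2016:12:00:59 +1000] conn=1 op=0 BIND '
              'dn="cn=Directory Manager" method=128 version=3')
NEW_FORMAT = ('[21/Mar/2016:12:00:59.061886080 +1000] conn=1 op=0 BIND '
              'dn="cn=Directory Manager" method=128 version=3')
REPLICA_LINE = ('[21/Mar/2016:12:00:59.020000000 +1000] conn=7 op=0 BIND '
                'dn="cn=replication manager,cn=config" method=128 version=3')

if __name__ == "__main__":
    for line in merge_logs([NEW_FORMAT], [REPLICA_LINE]):
        epoch_ns, precise, rest = parse_access_line(line)
        print(epoch_ns, "ns" if precise else "s ", rest)
```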
Chapter 6. Clustering

Pacemaker now supports alert agents
You can now create Pacemaker alert agents to take some external action when a cluster event occurs. The cluster passes information about the event to the agent by means of environment variables. Agents can do anything desired with this information, such as send an email message, log to a file, or update a monitoring system. For information on configuring alert agents, see the Red Hat Enterprise Linux 7 High Availability Add-On Reference: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/High_Availability_Add-On_Reference/index.html (BZ#1315371)

Pacemaker now supports SBD fencing configuration
The SBD daemon integrates with Pacemaker and a watchdog device to arrange for nodes to reliably self-terminate when fencing is required. This update adds the pcs stonith sbd command to configure SBD in Pacemaker, and it is now also possible to configure SBD from the web UI. SBD fencing can be particularly useful in environments where traditional fencing mechanisms are not possible.
For information on using SBD with Pacemaker, see the following Red Hat Knowledgebase article: https://access.redhat.com/articles/2212861 (BZ#1164402)

Graceful migration of resources when the pacemaker_remote service is stopped on an active Pacemaker Remote node
If the pacemaker_remote service is stopped on an active Pacemaker Remote node, the cluster now gracefully migrates resources off the node before stopping the node. Previously, Pacemaker Remote nodes were fenced when the service was stopped (including by commands such as yum update), unless the node was first explicitly taken out of the cluster. Software upgrades and other routine maintenance procedures are now much easier to perform on Pacemaker Remote nodes. Note: All nodes in the cluster must be upgraded to a version supporting this feature before it can be used on any node. (BZ#1288929)

A Pacemaker cluster resource that is used to create a guest node may now be a member of a resource group
Previous Pacemaker versions did not support including a guest node in a group. As of Red Hat Enterprise Linux 7.3, a Pacemaker cluster resource such as VirtualDomain that is used to create a guest node may now be a member of a resource group. This can be useful, for example, to associate a virtual machine with its storage. (BZ#1303765)

pcsd now supports setting SSL options and ciphers
Previously, the pcsd service did not enable the user to easily disable a cipher or a particular version of the SSL or TLS protocol if a vulnerability was found or if the protocol version or the cipher was considered weak for some reason.
With this update, the user can easily configure SSL options and ciphers in pcsd, and RC4 ciphers as well as TLS protocol version 1.1 and earlier are disabled by default. (BZ#1315652)

pcs now supports setting expected votes on a live cluster
When nodes fail in a cluster, the user sometimes needs to manually lower the expected votes in order to recover the cluster. You can now use the pcs quorum expected-votes command to set expected votes on a live cluster. (BZ#1327739)

Support added for configuring Pacemaker utilization attributes
You can now configure Pacemaker utilization attributes with the pcs command and the pcsd Web UI. This allows you to configure the capacity a particular node provides, the capacity a particular resource requires, and an overall strategy for placement of resources. For information on utilization and placement strategy, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/High_Availability_Add-On_Reference/index.html (BZ#1158500)

Chapter 8. Desktop

New packages: pidgin and pidgin-sipe
This update adds:

The pidgin instant messaging client, which supports off-the-record (OTR) messaging and the Microsoft Lync instant messaging application.

The pidgin-sipe plug-in, which contains the back-end code that implements support for Lync.

Users need both the application and the plug-in to use Microsoft Lync. (BZ#1066457, BZ#1297461)

Scroll wheel increment configurable in GNOME terminal
With this update, the gnome-terminal packages have been upgraded so that the scroll wheel setting is now configurable in the GNOME terminal. The scrolling preferences include a check button and a spin button, which allow choosing between a dynamic or a fixed scrolling increment. The default option is the dynamic scrolling increment, which is based on the number of visible rows. (BZ#1103380)

Vinagre user experience improvements
The Vinagre remote desktop viewer introduces the following user experience enhancements:

A minimize button is available in the fullscreen toolbar, which makes access to custom options easier.

It is now possible to scale Remote Desktop Protocol (RDP) sessions. You can set the session size in the Connect dialog.

You can now use the secrets service to safely store and retrieve remote credentials.

(BZ#1291275)

Custom titles for the terminal tabs or windows
This update allows users to set custom titles for terminal windows or tabs in gnome-terminal. The titles can be changed directly in the gnome-terminal user interface. (BZ#1296110)

Separate menu items for opening tabs and windows restored
This update restores separate menu items for opening tabs and windows in gnome-terminal. It is now easier to open a mix of tabs and windows without being familiar with keyboard shortcuts. (BZ#1300826)

Native GNOME/GTK+ look for Qt applications
Previously, the default Qt style did not provide consistency for Qt applications, causing them not to fit into the GNOME desktop. A new adwaita-qt style has been provided for those applications, and the visual differences between the Qt and GTK+ applications are now minimal. (BZ#1306307)

rhythmbox rebased to version 3.3.1
Rhythmbox is the GNOME default music player. It is easy to use and includes features such as playlists, podcast playback, and audio streaming. The rhythmbox packages have been upgraded to upstream version 3.3.1. The most notable changes include:

Better support for Android devices

New task progress display below the track list

Support for the composer, disc, and track total tags

New style for playback controls and the source list

A number of bug fixes for various warnings and unexpected termination errors (BZ#1298233)

libreoffice rebased to version 5.0.6.2

The libreoffice packages have been upgraded to upstream version 5.0.6.2, which provides a number of bug fixes and enhancements over the previous version, notably:

The status bar and various sidebar decks have been improved.

Various toolbars and context menus have been cleaned up or rearranged for better usability.

The color selector has been reworked.

New templates have been created.

Templates now appear directly in the Start Center and can be picked from there.

libreoffice now displays an information bar to indicate visibly when a document is being opened in read-only mode.

The possibility to embed libreoffice in certain web browsers by using the deprecated NPAPI has been removed.

It is possible to connect to SharePoint 2010 and 2013 and OneDrive directly from libreoffice.

Support has been added for converting formulas into direct values, for Master Document templates, for reading Adobe Swatch Exchange color palettes in the .ase format, for importing Adobe PageMaker documents, and for exporting digitally signed PDF files.

It is now possible to specify references to entire columns or rows using the A:A or 1:1 notation.

Interoperability with Microsoft Office document formats has been improved.

For a complete list of bug fixes and enhancements provided by this upgrade, see https://wiki.documentfoundation.org/ReleaseNotes/4.4 and https://wiki.documentfoundation.org/ReleaseNotes/5.0 . (BZ#1290148)

GNOME Boxes support for Windows Server 2012 R2, Windows 10, and Windows 8.1

GNOME Boxes now supports creating virtual machines with Windows Server 2012 R2, Windows 10, and Windows 8.1. (BZ#1257865, BZ#1257867, BZ#1267869)

The vmware graphics driver now supports 3D acceleration in VMware Workstation 12

Previously, the vmware graphics driver in Red Hat Enterprise Linux did not support 3D acceleration in VMware Workstation 12 virtual machines (VMs). As a consequence, the GNOME desktop was rendered on the host's CPU instead of the GPU. The driver has been updated to support the VMware Workstation 12 virtual graphics adapter. As a result, the GNOME desktop is now rendered using 3D acceleration. (BZ#1263120)

libdvdnav rebased to version 5.0.3

The libdvdnav library allows you to navigate DVD menus on any operating system. The libdvdnav packages have been upgraded to version 5.0.3. The most notable changes include:

Fixed a bug on menu-less DVDs

Fixed playback issues on multi-angle DVDs

Fixed unexpected termination when playing a DVD from a different region than the one currently set in the DVD drive

Fixed memory bugs when reading certain DVDs (BZ#1068814)

GIMP rebased to version 2.8.16

The GNU Image Manipulation Program (GIMP) has been upgraded to version 2.8.16, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:

Core:

More robust loading of XCF files

Improved performance and behavior when writing XCF files

GUI:

The widget direction automatically matches the direction of the language set for the GUI

Larger scroll area for tags

Fixed switching of dock tabs by drag and drop (DND) hovering

DND works between images in one dockable

No unexpected termination problem in the save dialog

Plug-ins:

Improved security of the script-fu server

Fixed reading and writing of files in the BMP format

Fixed exporting of fonts in the PDF plug-in

Support of layer groups in OpenRaster files

Fixed loading of PSD files with layer groups (BZ#1298226)

gimp-help rebased to version 2.8.2

The gimp-help package has been upgraded to upstream version 2.8.2, which provides a number of bug fixes and enhancements over the previous version. Notably, it also implements a complete translation to Brazilian Portuguese. (BZ#1370595)

Qt5 added to Red Hat Enterprise Linux 7

A new version of the Qt library (Qt5) has been added to Red Hat Enterprise Linux 7. This version of Qt brings a number of features for developers as well as support for mobile devices, which was missing in the previous version. (BZ#1272603)

Improved UI message when setting a new language in system-config-language

Previously, if you selected a new language to install in the Language graphical tool (the system-config-language package), and the selected language group was not available, the error message that was displayed was not clear enough. For example, if you selected Italian (Switzerland), the message displayed was:

Due to comps cleanup italian-support group got removed and no longer exists. Therefore only setting the default system language

With this update, the message is updated and will look similar to the following example:

Due to comps cleanup, italian-support group no longer exists and its language packages will not be installed. Therefore only setting Italian as the default system language.

The new message means that the new language has been enabled without having to install any new packages. After the next reboot, the system will boot in the selected language. (BZ#1328068)

New packages: pavucontrol

This update adds the pavucontrol packages, which contain PulseAudio Volume Control, a GTK-based volume control application for the PulseAudio sound server. This application enables you to send the output of different audio streams to different output devices, such as headsets or speakers. Individual routing is impossible with the default audio control panel, which sends all audio streams to the same output device. (BZ#1210846)

libdvdread rebased to version 5.0.3

The libdvdread packages have been rebased to version 5.0.3. The most notable changes include:

Fixes for numerous crashes, assertions, and corruptions

Fixed compilation in C++ applications

Removed the unused feature to remap .MAP files

Removed the dvdnavmini library

Added the DVDOpenStream API

Because of the API change, the .so version has also changed. Third-party software that depends on libdvdread needs to be recompiled against this new version. (BZ#1326238)

New weather service for gnome-weather

Previously, the gnome-weather application used the METAR services provided by the National Oceanic and Atmospheric Administration (NOAA). However, NOAA stopped providing the METAR service. This update introduces a new METAR service provided by the Aviation Weather Center (AWC), and gnome-weather now works as expected. (BZ#1371550)

libosinfo rebased to version 0.3.0

The libosinfo packages have been updated to version 0.3.0. Notable changes over the previous version include improved operating system data for several recent versions of Red Hat Enterprise Linux and Ubuntu, and fixes for several memory leaks. (BZ#1282919)

Chapter 9. File Systems

XFS runtime statistics are available per file system in the /sys/fs/ directory

The existing XFS global statistics directory has been moved from the /proc/fs/xfs/ directory to the /sys/fs/xfs/ directory while maintaining compatibility with earlier versions through a symbolic link in /proc/fs/xfs/stat . New subdirectories will be created and maintained for statistics per file system in /sys/fs/xfs/ , for example /sys/fs/xfs/sdb7/stats and /sys/fs/xfs/sdb8/stats . Previously, XFS runtime statistics were available only per server. Now, XFS runtime statistics are available per device. (BZ#1269281)

A progress indicator has been added to mkfs.gfs2

The mkfs.gfs2 tool now reports its progress when building journals and resource groups. As mkfs.gfs2 can take some time to complete with large or slow devices, it was not previously clear whether mkfs.gfs2 was working correctly until a report was printed. A progress bar has been added to mkfs.gfs2 to indicate progress. (BZ#1196321)

fsck.gfs2 has been enhanced to require considerably less memory on large file systems

Prior to this update, the Global File System 2 (GFS2) file system checker, fsck.gfs2, required a large amount of memory to run on large file systems, and running fsck.gfs2 on file systems larger than 100 TB was therefore impractical. With this update, fsck.gfs2 has been enhanced to run in considerably less memory, which allows for better scalability and makes running fsck.gfs2 practical on much larger file systems. (BZ#1268045)

GFS2 has been enhanced to allow better scalability of its glocks

In the Global File System 2 (GFS2), opening or creating a large number of files, even if they are closed again, leaves a lot of GFS2 cluster locks (glocks) in slab memory. When the number of glocks was in the millions, GFS2 previously started to slow down, especially with file creates: GFS2 became gradually slower to create files. With this update, GFS2 has been enhanced to allow better scalability of its glocks, and GFS2 can now therefore maintain good performance across millions of file creates. (BZ#1172819)

xfsprogs rebased to version 4.5.0

The xfsprogs packages have been upgraded to upstream version 4.5.0, which provides a number of bug fixes and enhancements over the previous version. The Red Hat Enterprise Linux 7.3 kernel RPM requires the upgraded version of xfsprogs because the new default on-disk format requires special handling of log cycle numbers when running the xfs_repair utility. Notable changes include:

Metadata cyclic redundancy checks (CRCs) and directory entry file types are now enabled by default. To replicate the older mkfs on-disk format used in earlier versions of Red Hat Enterprise Linux 7, use the -m crc=0 -n ftype=0 options on the mkfs.xfs command line.

The GETNEXTQUOTA interface is now implemented in xfs_quota, which allows fast iteration over all on-disk quotas even when the number of entries in the user database is extremely large.

Also, note the following differences between upstream and Red Hat Enterprise Linux 7.3:

The experimental sparse inode feature is not available.

The free inode btree (finobt) feature is disabled by default to ensure compatibility with earlier Red Hat Enterprise Linux 7 kernel versions. (BZ#1309498)

The CIFS kernel module rebased to version 6.4

The Common Internet File System (CIFS) kernel module has been upgraded to upstream version 6.4, which provides a number of bug fixes and enhancements over the previous version. Notably:

Support for Kerberos authentication has been added.

Support for MFSymlink has been added.

The mknod and mkfifo named pipes are now allowed.

Also, several memory leaks have been identified and fixed. (BZ#1337587)

quota now supports suppressing warnings about NFS mount points with an unavailable quota RPC service

If a user listed disk quotas with the quota tool, and the local system mounted a network file system from an NFS server that did not provide the quota RPC service, the quota tool returned the "error while getting quota from server" error message. Now, the quota tools can distinguish between an unreachable NFS server and a reachable NFS server without the quota RPC service, and no error is reported in the second case. (BZ#1155584)

The /proc/ directory now uses the red-black tree implementation to improve performance

Previously, the /proc/ directory entries implementation used a singly linked list, which slowed down the manipulation of directories with a large number of entries. With this update, the singly linked list implementation has been replaced by a red-black tree implementation, which improves the performance of directory entry manipulation. (BZ#1210350)

Chapter 10. Hardware Enablement

Support added for the CAPI flash block adapter

The Coherent Accelerator Processor Interface (CAPI) is a technology that enables I/O adapters to coherently access host memory, and thus ensures improved performance. This update adds the cxlflash driver, which provides support for IBM's CAPI flash block adapter. (BZ#1182021)

MMC kernel rebased to version 4.5

With this update, the Multimedia Card (MMC) kernel subsystem has been upgraded to upstream version 4.5, which fixes multiple bugs and also enables the Red Hat Enterprise Linux 7 kernel to use the embedded MMC (eMMC) interface version 5.0. In addition, the update improves the suspend and resume functionality of MMC devices, as well as their general stability. (BZ#1297039)

iWARP mapper service added

This update adds support for the internet Wide Area RDMA Protocol (iWARP) mapper to Red Hat Enterprise Linux 7. The iWARP mapper is a user-space service that enables the following iWARP drivers to claim TCP ports using the standard socket interface:

Intel i40iw

NES

Chelsio cxgb4

Note that both the iw_cm and ib_core kernel modules need to be loaded for the iWARP mapper service (iwpmd) to start successfully. (BZ#1331651)

New package: memkind

This update adds the memkind package, which provides a user-extensible heap manager library, built as an extension of the jemalloc memory allocator. This library enables partitioning of the memory heap between memory types that are defined when the operating system policies are applied to virtual address ranges. In addition, memkind enables the user to control memory partition features and to allocate memory with a specified set of memory features selected. (BZ#1210910)

Per-port MSI-X support for the AHCI driver

The driver for the Advanced Host Controller Interface (AHCI) has been updated to support per-port message-signaled interrupt (MSI-X) vectors. Note that this applies only to controllers that support the feature. (BZ#1286946)

Runtime Instrumentation for IBM z Systems is now fully supported

The Runtime Instrumentation feature, previously available as a Technology Preview, is now fully supported in Red Hat Enterprise Linux 7 on IBM z Systems. Runtime Instrumentation enables advanced analysis and execution for a number of user-space applications available with the IBM zEnterprise EC12 system. (BZ#1115947)

Chapter 11. Installation and Booting

Improved logging when network traffic is blocked during installation

This update adds improved logging when attempting to connect to a network repository during installation. Now, when there is a connection problem with a network repository during installation, the logs include more detailed information about what caused the problem. (BZ#1240379)

Support for Memory Address Range Mirroring

With this update, it is possible to configure Memory Address Range Mirroring on EFI-based systems with compatible hardware, using the efibootmgr utility with the new --mirror-below-4G and --mirror-above-4G options. (BZ#1271412)

Default logging levels increased in Yum and NetworkManager

With this update, the default logging levels were increased in the Yum and NetworkManager utilities. (BZ#1254368)

Driver Update Disks can now replace loaded modules

It is now possible to use a Driver Update Disk to replace a module that is already loaded, provided that the original module is not in use. (BZ#1101653)

Chapter 12. Kernel

The protobuf-c packages are now available for the little-endian variant of IBM Power Systems architecture

This update adds the protobuf-c packages for the little-endian variant of the IBM Power Systems architecture. The protobuf-c packages provide C bindings for Google's Protocol Buffers and are a prerequisite for the criu packages on the above-mentioned architecture. The criu packages provide the Checkpoint/Restore in User space (CRIU) function, which makes it possible to checkpoint and restore processes or groups of processes. (BZ#1289666)

The CAN protocol has been enabled in the kernel

The Controller Area Network (CAN) protocol kernel modules have been enabled, providing the device interface for CAN device drivers. CAN is a vehicle bus specification originally intended to connect the various micro-controllers in automobiles and has since extended to other areas. CAN is also used in industrial and machine controls where a high-performance interface is required and other interfaces such as RS-485 are not sufficient. The functions exported from the CAN protocol modules are used by CAN device drivers to make the kernel aware of the devices and to allow applications to connect and transfer data. Enabling CAN in the kernel allows the use of third-party CAN drivers and applications to implement CAN-based systems. (BZ#1311631)

Persistent memory support added to kexec-tools

The Linux kernel now supports the E820_PRAM and E820_PMEM types for Non-Volatile Dual In-line Memory Module (NVDIMM) memory devices. A patch has been backported from upstream, which ensures that kexec-tools supports these memory devices as well. (BZ#1282554)

libndctl - userspace nvdimm management library

The libndctl userspace library has been added. It is a collection of C interfaces to the ioctl and sysfs entry points provided by the kernel libnvdimm subsystem. The library enables higher-level management software for NVDIMM-enabled platforms and also provides a command-line interface for managing NVDIMMs. (BZ#1271425)

New symbols for the kABI whitelist to support the hpvsa and hpdsa drivers

This update adds a set of symbols to the kernel Application Binary Interface (kABI) whitelist, which ensures support for the hpvsa and hpdsa drivers. The newly added symbols are:

scsi_add_device

scsi_adjust_queue_depth

scsi_cmd_get_serial

scsi_dma_map

scsi_dma_unmap

scsi_scan_host

(BZ#1274471)

crash rebased to version 7.1.5

The crash packages have been upgraded to upstream version 7.1.5, which provides several bug fixes and a number of enhancements over the previous version. Notably, this rebase adds new options such as dis -s, dis -f, sys -i, and list -l, new support for Quick Emulator (QEMU) generated Executable and Linkable Format (ELF) vmcores on the 64-bit ARM architecture, and several updates required for the support of recent upstream kernels. It is safer and more efficient to rebase the crash packages than to selectively backport the individual patches. (BZ#1292566)

New package: crash-ptdump-command

crash-ptdump-command is a new RPM package that provides a crash extension module adding the ptdump subcommand to the crash utility. The ptdump subcommand retrieves and decodes the log buffer generated by the Intel Processor Trace facility from the vmcore file and writes the output to files. This new package is designed for the EM64T and AMD64 architectures. (BZ#1298172)

Ambient capabilities are now supported

Capabilities are per-thread attributes used by the Linux kernel to divide the privileges traditionally associated with the superuser into multiple distinct units. This update adds support for ambient capabilities to the kernel. Ambient capabilities are a set of capabilities that are preserved when a program is executed using the execve() system call. Only capabilities that are permitted and inheritable can be ambient.
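The prctl() mechanism described above, as an added example that is not from the release notes or from any Red Hat code: it reads the permitted and inheritable sets from /proc/self/status, tries to raise CAP_NET_RAW into the ambient set, and shows the refusal (EPERM) the kernel returns when the capability is not in both sets; the helper names are my own.

```c
/*
 * Added example, not part of the Red Hat Enterprise Linux 7.3 release notes:
 * raising a capability into the ambient set with prctl(2) and checking the
 * rule stated above, that only a capability present in both the permitted
 * and the inheritable set can become ambient. Helper names are my own.
 * Build: gcc -Wall -o ambient ambient.c
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>   /* CAP_* numbers, e.g. CAP_NET_RAW */

/* Kernel 4.3+ constants; older userspace headers may not define them. */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT           47
#define PR_CAP_AMBIENT_IS_SET     1
#define PR_CAP_AMBIENT_RAISE      2
#define PR_CAP_AMBIENT_LOWER      3
#endif

/*
 * Parse one "CapXxx:\t<hex digits>" line out of /proc/<pid>/status text.
 * Returns 0 and stores the bitmask in *mask, or -1 if the key is absent.
 */
int parse_cap_field(const char *status_text, const char *key,
                    unsigned long long *mask)
{
    const char *line = status_text;
    size_t klen = strlen(key);
    while (line && *line) {
        if (strncmp(line, key, klen) == 0 && line[klen] == ':') {
            *mask = strtoull(line + klen + 1, NULL, 16); /* skips the tab */
            return 0;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Read the calling process's own status file into buf (NUL-terminated). */
static int read_self_status(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

/* 1 if cap is in both CapPrm and CapInh, 0 if not, -1 if unreadable. */
int cap_permitted_and_inheritable(int cap)
{
    char buf[8192];
    unsigned long long prm, inh;
    if (read_self_status(buf, sizeof buf) < 0 ||
        parse_cap_field(buf, "CapPrm", &prm) < 0 ||
        parse_cap_field(buf, "CapInh", &inh) < 0)
        return -1;
    unsigned long long bit = 1ULL << cap;
    return (prm & bit) && (inh & bit);
}

/* Try to raise cap into the ambient set: 0 on success, -errno on refusal.
 * EPERM means the cap is not permitted+inheritable (the rule in the text);
 * EINVAL means the running kernel has no ambient capability support. */
int try_raise_ambient(int cap)
{
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE,
              (unsigned long)cap, 0UL, 0UL) < 0)
        return -errno;
    return 0;
}

/* 1 if cap is currently ambient, 0 if not, -errno on error. */
int ambient_is_set(int cap)
{
    int r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET,
                  (unsigned long)cap, 0UL, 0UL);
    return r < 0 ? -errno : r;
}

int main(void)
{
    int cap = CAP_NET_RAW;
    int eligible = cap_permitted_and_inheritable(cap);
    int r = try_raise_ambient(cap);
    printf("CAP_NET_RAW in CapPrm and CapInh: %d\n", eligible);
    if (r == 0)   /* from here on, an execve() of any binary keeps the cap */
        printf("raised; ambient now set: %d\n", ambient_is_set(cap));
    else
        printf("raise refused: %s\n", strerror(-r));
    return 0;
}
```

Run it as an ordinary user and as root: in both cases CapInh is normally empty, so the raise is refused with EPERM until the capability has first been placed in the inheritable set.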
You can use the prctl() call to modify ambient capabilities. See the capabilities(7) man page for more information about kernel capabilities in general, and the prctl(2) man page for information about the prctl() call. (BZ#1165316)

cpuid is now available

With this update, the cpuid utility is available in Red Hat Enterprise Linux. This utility dumps detailed information about the CPU(s) gathered from the CPUID instruction, and also determines the exact model of the CPU(s). It supports Intel, AMD, and VIA CPUs. (BZ#1307043)

FC-FCoE symbols have been added to KABI white lists

With this update, a list of symbols belonging to the libfc and libfcoe kernel modules has been added to the kernel Application Binary Interface (KABI) white lists. This ensures that the Fibre Channel over Ethernet (FCoE) driver, which depends on libfc and libfcoe, can safely use the newly added symbols. (BZ#1232050)

New package: opal-prd for OpenPower systems

The new opal-prd package contains a daemon that handles hardware-specific recovery processes and should be run as a background system process after boot. It interacts with the OPAL firmware to capture hardware error causes, log events to the management processor, and handle recoverable errors where suitable. (BZ#1224121)

New package: libcxl

The new libcxl package contains the user-space library that allows applications in user space to access CAPI hardware via the kernel cxl functions. It is available on IBM Power Systems and the little-endian variant of the IBM Power Systems architecture. (BZ#1305080)

Kernel support for the newly added iproute commands

This update adds kernel support to ensure the correct functionality of the newly added iproute commands. The provided patch set includes:

Extension of the IPsec interface, which allows prefixed policies to be hashed.

Inclusion of the hash prefixed policies based on preflen thresholds.

Configuration of policy hash table thresholds by netlink. (BZ#1222936)

Backport of the PID cgroup controller

This update adds the new Process Identifier (PID) controller. This controller accounts for the processes per cgroup and allows a cgroup hierarchy to stop any new tasks from being forked or cloned after a certain limit is reached. (BZ#1265339)

mpt2sas and mpt3sas merged

The source code of the mpt2sas and mpt3sas drivers has been merged. Unlike upstream, Red Hat Enterprise Linux 7 continues to maintain two binary drivers for compatibility reasons. (BZ#1262031)

Allow multiple .ko files to be specified in ksc

Previously, it was not possible to add multiple .ko files in a single run of the ksc utility. Consequently, drivers that contain multiple kernel modules could not be passed to ksc in a single run. With this update, the -k option can be specified multiple times in the same run. Thus, a single run of ksc can be used to query the symbols used by several kernel modules. As a result, one file with the symbols used by all modules is generated. (BZ#906659)

dracut update

The dracut initramfs generator has been updated with a number of bug fixes and enhancements over the previous version. Notably:

dracut gained a new kernel command-line option, rd.emergency=[reboot|poweroff|halt], which specifies what action to execute in case of a critical failure. When using rd.emergency=[reboot|poweroff|halt], the rd.shell=0 option should also be specified.

The reboot, poweroff, and halt commands now work in the emergency shell of dracut.

dracut now supports multiple bond, bridge, and VLAN configurations on the kernel command line.

The device timeout can now be specified on the kernel command line using the rd.device.timeout=<seconds> option.

DNS name servers specified on the kernel command line are now used in DHCP.

dracut now supports 20-byte MAC addresses.

Maximum Transmission Unit (MTU) and MAC addresses are now set correctly for DHCP and IPv6 Stateless Address AutoConfiguration (SLAAC).

The ip= kernel command line option now supports MAC addresses in brackets.

dracut now supports the NFS over RDMA (NFSoRDMA) module.

Support for kdump has been added to Fibre Channel over Ethernet (FCoE) devices. The configuration of FCoE devices is compiled into the kdump initramfs. Kernel crash dumps can now be saved to FCoE devices.

dracut now supports the --install-optional <file list> option and the install_optional_items+= <file>[ <file> ...] configuration file directive. If you use the new option or directive, the files are installed if they exist, and no error is returned if they do not exist.

dracut DHCP now recognizes the rfc3442-classless-static-routes option, which enables using classless network addresses.

(BZ#1359144, BZ#1178497, BZ#1324454, BZ#1194604, BZ#1282679, BZ#1282680, BZ#1332412, BZ#1319270, BZ#1271656, BZ#1367374, BZ#1169672, BZ#1222529, BZ#1260955)

Support for Wacom Cintiq 27 QHD

The Wacom Cintiq 27 QHD tablets are now supported in Red Hat Enterprise Linux 7. (BZ#1342989)

Full support for Intel® Omni-Path Architecture (OPA) kernel driver

The Intel® Omni-Path Architecture (OPA) kernel driver, previously available as a Technology Preview, is now fully supported. Intel® OPA provides Host Fabric Interconnect (HFI) hardware with initialization and setup for high-performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment. For instructions on how to obtain Intel® Omni-Path Architecture documentation, see https://access.redhat.com/articles/2039623 . (BZ#1374826)

cyclictest --smi option available for non-root users

With this update, it is possible to use the cyclictest program with the --smi option as a non-root user, provided that the user also belongs to the realtime group. On processors that support system management interrupts (SMIs), --smi displays a report on the system's SMIs, which was previously only available for root users. (BZ#1346771)

Support added for the new Smart Array storage adapters

In Red Hat Enterprise Linux 7.2 and older versions, the new Smart Array storage adapters were not officially supported. However, these adapters were detected by the aacraid driver and the system appeared to work correctly.
With this update, the new Smart Array storage adapters are properly supported by the new smartpqi driver. Note that when you update, the driver name for these adapters will change. (BZ#1273115)

The Linux kernel now supports the trusted virtual function (VF) concept

The upstream code has been backported into the Linux kernel to provide support for the trusted virtual function (VF) concept. As a result, trusted VFs are now permitted to enable multicast promiscuous mode, which allows them to have more than 30 IPv6 addresses assigned. Trusted VFs are also permitted to overwrite media access control (MAC) addresses. (BZ#1302101)

Seccomp mode 2 is now supported on IBM Power Systems

This update adds support for seccomp mode 2 on IBM Power Systems. Seccomp mode 2 involves the parsing of Berkeley Packet Filter (BPF) configuration files to define system call filtering. This mode provides notable security enhancements, which are essential for the adoption of containers in Linux on IBM Power Systems. (BZ#1186835)

Memory Bandwidth Monitoring has been added

This update adds Memory Bandwidth Monitoring (MBM) to the Linux kernel. MBM is a CPU feature included in the family of platform quality of service (QoS) features that is used to track memory bandwidth usage for a specific task, or group of tasks, associated with a Resource Monitoring ID (RMID). (BZ#1084618)

brcmfmac now supports Broadcom wireless cards

The brcmfmac kernel driver has been updated to support the Broadcom BCM4350 and BCM43602 wireless cards. (BZ#1298446)

The autojoin option has been added to the ip addr command to allow multicast group join or leave

Previously, there was no method to indicate Internet Group Management Protocol (IGMP) membership to Ethernet switches that do multicast pruning. Consequently, those switches did not replicate packets to the host's port. With this update, the ip addr command has been extended with the autojoin option, which enables a host to join or leave a multicast group.
(BZ#1267398)

Open vSwitch now supports NAT

This update adds Network Address Translation (NAT) support to the Open vSwitch kernel module. (BZ#1297465)

The page tables are now initialized in parallel

Previously, the page tables were initialized serially on Non-Uniform Memory Access (NUMA) systems based on the Intel EM64T, Intel 64, and AMD64 architectures. Consequently, large servers could perform slowly at boot time. With this update, a set of patches has been backported to ensure that memory initialization is mostly done in parallel by node-local CPUs as part of node activation. As a result, systems with 16 TB to 32 TB of memory now boot about two times faster compared to the previous version. (BZ#727269)

The Linux kernel now supports Intel MPX

This update adds support for Intel Memory Protection Extensions (MPX) to the Linux kernel. Intel MPX is a set of extensions to the Intel 64 architecture. Intel MPX, together with compiler, runtime library, and operating system support, increases the robustness and security of software by checking pointer references whose compile-time normal intentions can be maliciously exploited due to buffer overflows. (BZ#1138650)

ftrace now prints command names as expected

When the trylock() function did not successfully acquire a lock, saving a command name in the ftrace kernel tracer failed. As a consequence, ftrace did not properly print command names in the /sys/kernel/debug/tracing file. With this update, recording of the command names has been fixed, and ftrace now prints command names as expected. Users are also now able to set the number of stored commands by setting the saved_cmdlines_size kernel configuration parameter. (BZ#1117093)

The shared memory that was swapped out is now visible in /proc/<pid>/smaps

Prior to this update, swapped-out shared memory appeared neither in the /proc/<pid>/status file, nor in the /proc/<pid>/smaps file.
This update adds per-process accounting of swapped-out shared memory, including SysV shm, shared anonymous mappings, and mappings of tmpfs files. Swapped-out shared memory now appears in /proc/<pid>/smaps. However, swapped-out shared memory is not reflected in /proc/<pid>/status, and swapped-out shmem pages therefore remain invisible in certain tools such as procps. (BZ#838926)

Kernel UEFI support update

The Unified Extensible Firmware Interface (UEFI) support in the kernel has been updated with a set of selected patches from the upstream kernel. This set provides a number of bug fixes and enhancements over the previous version. (BZ#1310154)

Mouse controller now works on guests with Secure Boot

Red Hat Enterprise Linux now supports a mouse controller on guest virtual machines that have the Secure Boot feature enabled. This ensures mouse functionality on Red Hat Enterprise Linux guests running on hypervisors that enable Secure Boot by default. (BZ#1331578)

The RealTek RTS520 card reader is now supported

This update adds support for the RealTek RTS520 card reader. (BZ#1280133)

Tunnel devices now support lockless xmit

Previously, tunnel devices, which used the pfifo_fast queue discipline by default, required the serialization lock for the tx path. With this update, per-CPU variables are used for statistics accounting, and a serialization lock on the tx path is not required. As a result, user space is now allowed to configure a noqueue queue discipline with no lock required on the xmit path, which significantly improves tunnel device xmit performance. (BZ#1328874)

Update of Chelsio drivers

The Chelsio NIC, iWARP, vNIC, and iSCSI drivers have been updated to their most recent versions, which add several bug fixes and enhancements over the previous versions. The most notable enhancements include:

ethtool support to get adapter statistics
- ethtool support to get adapter statistics
- ethtool support to dump channel statistics
- ethtool support to dump loopback port statistics
- debugfs entry to dump CIM MA logic analyzer logs
- debugfs entry to dump CIM PIF logic analyzer contents
- debugfs entry to dump channel rate
- debugfs entry to enable backdoor access
- debugfs support to dump meminfo
- MPS tracing support
- hardware time stamp support for RX
- device IDs for T6 adapters

(BZ#1275829)

Support for 25G, 50G and 100G speed modes for Chelsio drivers

With this update, a set of patches has been backported into the Linux kernel that adds definitions for the 25G, 50G and 100G speed modes for Chelsio drivers. This patch set also adds the link mode mask API to the cxgb4 and cxgb4vf drivers. (BZ#1365689)

mlx5 now supports NFSoRDMA

With this update, the mlx5 driver supports exporting Network File System over Remote Direct Memory Access (NFSoRDMA). As a result, customers can now mount NFS shares over RDMA and perform the following actions from the client computer:

- list files on the NFS share using the ls command
- use the touch command on new files

This feature allows some jobs to run from shared storage, which is useful when you have large, InfiniBand-connected grids that keep growing in size. (BZ#1262728)

I2C has been enabled on 6th Generation Intel Core Processors

Starting from this update, the I2C devices that are controlled by a kernel driver are supported on 6th Generation Intel Core Processors. (BZ#1331018)

mlx4 and mlx5 now support RoCE

This update adds support for the Remote Direct Memory Access over Converged Ethernet (RoCE) network protocol to the mlx4 and mlx5 drivers. RoCE is a mechanism that provides efficient server-to-server data transfer through Remote Direct Memory Access (RDMA) with very low latencies on lossless Ethernet networks. RoCE encapsulates InfiniBand (IB) transport in one of two Ethernet packet formats:

- RoCEv1: a dedicated Ethernet type (0x8915)
- RoCEv2: User Datagram Protocol (UDP) with a dedicated UDP destination port (4791)

Both RoCE versions are now supported for mlx4 and mlx5. Starting from this update, mlx4 also supports the RoCE virtual function link aggregation protocol, which provides failover and link aggregation capabilities across the physical ports of an mlx4 device. Only a single IB port, representing the two physical ports, is exposed to the application layer. (BZ#1275423, BZ#1275187, BZ#1275209)

Support of cross-channel synchronization

Starting from this update, the Linux kernel supports cross-channel synchronization on AMD64 and Intel 64, IBM P
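The smaps change described above (BZ#838926) has a practical consequence for anyone sizing swap or hunting memory pressure: swapped-out SysV shm, shared anonymous and tmpfs pages are now counted per mapping in /proc/<pid>/smaps, but VmSwap in /proc/<pid>/status still omits them, so procps-style tools under-report. The following added example, which is not part of the release notes or of procps, sums the Swap: field of every mapping, splits it by the shared/private flag in the mapping's permission field, and reports how much swap the status file hides. The smaps and status excerpts are constructed for the demonstration and carry only the fields the parser needs; a real smaps file has more per-mapping fields, which the parser ignores.

```python
"""Per-mapping swap accounting from /proc/<pid>/smaps (added example)."""
import re
from dataclasses import dataclass

# Constructed sample for a hypothetical process: one private file mapping,
# a SysV shm segment, a tmpfs-backed file under /dev/shm, and the stack.
SAMPLE_SMAPS = """\
00400000-00452000 r-xp 00000000 fd:01 1050 /usr/bin/sleep
Size:                328 kB
Rss:                 200 kB
Swap:                  0 kB
VmFlags: rd ex mr mw me dw
7f0c3a000000-7f0c3a800000 rw-s 00000000 00:05 1234567 /SYSV00000001 (deleted)
Size:               8192 kB
Rss:                   0 kB
Swap:               8192 kB
VmFlags: rd wr sh mr mw me ms
7f0c3b000000-7f0c3b100000 rw-s 00000000 00:13 98765 /dev/shm/cache
Size:               1024 kB
Rss:                 512 kB
Swap:                512 kB
VmFlags: rd wr sh mr mw me ms
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]
Size:                132 kB
Rss:                  40 kB
Swap:                 16 kB
VmFlags: rd wr mr mw me gd ac
"""

# Constructed /proc/<pid>/status excerpt: VmSwap covers only the private pages.
SAMPLE_STATUS = """\
Name:\tsleep
VmSwap:\t      16 kB
"""

# Mapping header: start-end perms offset dev inode [path]
HEADER_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([rwxsp-]{4}) \S+ \S+ \S+\s*(.*)$")
# Per-mapping counter lines such as "Swap:   8192 kB"
FIELD_RE = re.compile(r"^(\w+):\s+(\d+) kB$")


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str
    swap_kb: int = 0

    @property
    def shared(self) -> bool:
        # Fourth permission character is 's' for shared, 'p' for private (copy-on-write).
        return self.perms[3] == "s"


def parse_smaps(text: str) -> list:
    """Return one Mapping per region, with its Swap: value attached."""
    mappings = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            mappings.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                                    m.group(3), m.group(4).strip()))
            continue
        f = FIELD_RE.match(line)
        if f and mappings and f.group(1) == "Swap":
            mappings[-1].swap_kb = int(f.group(2))
    return mappings


def vmswap_kb(status_text: str) -> int:
    """Extract VmSwap (kB) from /proc/<pid>/status text; 0 if absent."""
    for line in status_text.splitlines():
        if line.startswith("VmSwap:"):
            return int(line.split()[1])
    return 0


def swap_summary(smaps_text: str, status_text: str) -> dict:
    """Compare per-mapping swap from smaps with the VmSwap figure in status."""
    maps = parse_smaps(smaps_text)
    shared = sum(m.swap_kb for m in maps if m.shared)
    private = sum(m.swap_kb for m in maps if not m.shared)
    reported = vmswap_kb(status_text)
    return {
        "shared_swap_kb": shared,
        "private_swap_kb": private,
        "smaps_total_kb": shared + private,
        "vmswap_kb": reported,
        # Swap that tools reading only /proc/<pid>/status never see.
        "hidden_from_status_kb": shared + private - reported,
    }


def swap_summary_for_pid(pid: int) -> dict:
    """Same check against a live process (needs permission to read its /proc files)."""
    with open(f"/proc/{pid}/smaps") as f, open(f"/proc/{pid}/status") as g:
        return swap_summary(f.read(), g.read())


if __name__ == "__main__":
    for key, value in swap_summary(SAMPLE_SMAPS, SAMPLE_STATUS).items():
        print(f"{key:>22}: {value} kB")
```

On the constructed sample the shared mappings account for 8704 kB of swap that VmSwap does not show; run swap_summary_for_pid() against a real process on a 7.3 kernel to see the same gap for its shmem regions.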
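The two RoCE encapsulations listed above sit at different layers, which matters for anyone filtering or monitoring RDMA traffic: RoCEv1 is identified purely by Ethernet type 0x8915, never crosses an IP router and is invisible to IP-layer firewall rules, while RoCEv2 is ordinary UDP to destination port 4791 and must be explicitly permitted there. The following added example, which is not code from the release notes or from the mlx4/mlx5 drivers, classifies raw Ethernet frames by those two criteria and decodes the 12-byte InfiniBand Base Transport Header (BTH) that both versions carry, exposing the opcode and destination queue pair. The sample frames, their MAC and IP addresses, ports and queue pair numbers are constructed for the demonstration; IPv6 extension headers are not walked.

```python
"""Classify RoCEv1 / RoCEv2 frames and decode the IB Base Transport Header (added example)."""
import struct

ROCE_V1_ETHERTYPE = 0x8915   # RoCEv1: IB transport directly over Ethernet
ROCE_V2_UDP_PORT = 4791      # RoCEv2: IB transport over UDP/IP
ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
IPPROTO_UDP = 17
GRH_LEN = 40                 # RoCEv1 carries an IPv6-like Global Route Header before the BTH


def parse_bth(buf: bytes) -> dict:
    """Decode the BTH: opcode, flags, P_Key, reserved/DestQP (24 bit), AckReq/PSN (24 bit)."""
    if len(buf) < 12:
        raise ValueError("truncated BTH")
    opcode, _flags, pkey, dqp_raw, psn_raw = struct.unpack("!BBHII", buf[:12])
    return {"opcode": opcode, "pkey": pkey,
            "dest_qp": dqp_raw & 0xFFFFFF, "psn": psn_raw & 0xFFFFFF}


def classify_frame(frame: bytes):
    """Return a dict describing the RoCE packet, or None if the frame is not RoCE."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ROCE_V1_ETHERTYPE:
        return {"version": "RoCEv1", **parse_bth(frame[14 + GRH_LEN:])}
    if ethertype == ETH_IPV4:
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length incl. options
        proto, l4 = frame[14 + 9], 14 + ihl
    elif ethertype == ETH_IPV6:
        proto, l4 = frame[14 + 6], 14 + 40    # Next Header; extension headers not handled
    else:
        return None
    if proto != IPPROTO_UDP or len(frame) < l4 + 8:
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    if dport != ROCE_V2_UDP_PORT:
        return None
    return {"version": "RoCEv2", "src_port": sport, **parse_bth(frame[l4 + 8:])}


# ---- constructed sample frames (addresses, ports and QP numbers are made up) ----
def _eth(ethertype: int, payload: bytes) -> bytes:
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ethertype) + payload


def _bth(opcode: int, dest_qp: int, psn: int) -> bytes:
    return struct.pack("!BBHII", opcode, 0, 0xFFFF, dest_qp & 0xFFFFFF, psn & 0xFFFFFF)


# RoCEv1: Ethernet + GRH (40 bytes, version nibble 6) + BTH; opcode 0x04 = RC SEND Only
SAMPLE_ROCEV1 = _eth(ROCE_V1_ETHERTYPE, bytes([0x60]) + bytes(39) + _bth(0x04, 0x1234, 1))

# RoCEv2: Ethernet + IPv4 + UDP/4791 + BTH; opcode 0x0A = RC RDMA WRITE Only
_bth_v2 = _bth(0x0A, 0x0ABC, 7)
_udp = struct.pack("!HHHH", 49152, ROCE_V2_UDP_PORT, 8 + len(_bth_v2), 0)
_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(_udp), 0, 0, 64, IPPROTO_UDP, 0,
                  bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
SAMPLE_ROCEV2 = _eth(ETH_IPV4, _ip + _udp + _bth_v2)

# Ordinary DNS query over UDP/53: same shape as RoCEv2 but must not be classified as RoCE
_udp_dns = struct.pack("!HHHH", 40000, 53, 8 + 12, 0)
_ip_dns = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(_udp_dns), 0, 0, 64, IPPROTO_UDP, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
SAMPLE_DNS = _eth(ETH_IPV4, _ip_dns + _udp_dns + bytes(12))


if __name__ == "__main__":
    for name, frame in (("v1", SAMPLE_ROCEV1), ("v2", SAMPLE_ROCEV2), ("dns", SAMPLE_DNS)):
        print(name, classify_frame(frame))
```

The same classifier can be fed frames from a packet capture; a RoCEv1 result on a host means the traffic is being switched at layer 2 and will not show up in any IP-based access control, whereas RoCEv2 results tell you which UDP/4791 source ports and destination queue pairs are in use.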
