Source: Oracle Bug 34224821
Symptom & Impact
On Oracle Linux 9 systems, Oracle Bug 34224821 documents the behaviour described in the title: KVM Virtual Machines Panic When Started on Oracle Linux 9 Hosts. The condition surfaces during install, boot, or normal operation depending on the affected subsystem. Operators see failed units in systemctl --failed output, abnormal entries in journalctl -xe, and, where the package is part of the serving path, degraded availability. On Oracle Linux 9 the impact ranges from a single service-restart loop to wider production incidents, depending on host role and the criticality of KVM.
Environment & Reproduction
Reproduction targets Oracle Linux 9 running either the Red Hat Compatible Kernel (RHCK) or the Unbreakable Enterprise Kernel (UEK). Confirm release, kernel, and installed package:
cat /etc/oracle-release
uname -r
rpm -q KVM
dnf list installed KVM
dnf history list --reverse | head -20
Trigger the workflow that exposes KVM Virtual Machines Panic When Started on Oracle Linux 9 Hosts while collecting:
journalctl -u KVM -b --no-pager | tail -200
journalctl -xe --no-pager | tail -200
tail -200 /var/log/dnf.log
tail -200 /var/log/audit/audit.log
Root Cause Analysis
Root cause is tracked in the Oracle Linux release notes (Oracle Bug 34224821). The defect lives in a specific kernel, firmware, or userspace component shipped with the GA channel; Oracle has either shipped a fix in a later errata or documented a supported workaround. Correlate transaction history with system logs and SELinux audit entries to isolate the originating change:
dnf history list --reverse | head -30
dnf history info $(dnf history list | awk '/KVM/ {print $1; exit}')
ausearch -m AVC,USER_AVC -ts today | tail -100
cat /proc/sys/kernel/tainted # non-zero = kernel is tainted (e.g. out-of-tree or unsigned module, earlier oops or warning)
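The taint value read above is a bitmask, so a non-zero number has to be decoded before it says anything about a panic. The following added example (not from the Oracle bug note) decodes it using the bit letters from the upstream kernel documentation; the function names decode_taint and taint_has and the sample value 12800 are constructed here.

```shell
#!/bin/sh
# Added example: decode the /proc/sys/kernel/tainted bitmask (bits 0-17).

# Print "bit N LETTER meaning" for every taint bit set in the value $1.
decode_taint() {
    val=$1
    [ "$val" -eq 0 ] && { echo "not tainted"; return 0; }
    bit=0
    while IFS='|' read -r letter meaning; do
        if [ $(( (val >> bit) & 1 )) -eq 1 ]; then
            printf 'bit %d %s %s\n' "$bit" "$letter" "$meaning"
        fi
        bit=$((bit + 1))
    done <<'EOF'
P|proprietary module loaded
F|module was force-loaded
S|kernel running on an out-of-specification system
R|module was force-unloaded
M|machine check exception reported
B|bad page referenced or unexpected page flags
U|taint requested by userspace
D|kernel died recently (OOPS or BUG)
A|ACPI table overridden by user
W|kernel issued a warning
C|staging driver loaded
I|workaround for platform firmware bug applied
O|externally built (out-of-tree) module loaded
E|unsigned module loaded
L|soft lockup occurred
K|kernel has been live patched
X|auxiliary taint, defined for and used by distros
T|kernel built with the struct randomization plugin
EOF
}

# Succeed if taint letter $2 is set in value $1, e.g. taint_has 128 D.
taint_has() {
    decode_taint "$1" | grep -q "^bit [0-9]* $2 "
}

# Constructed sample: 12800 = 512 (W) + 4096 (O) + 8192 (E).
decode_taint 12800
# On a live host: decode_taint "$(cat /proc/sys/kernel/tainted)"
```

A set D or W bit means the host kernel already logged an oops or warning before the value was read, which is worth correlating with the journal timestamps collected earlier.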
Quick Triage
Run these checks on Oracle Linux 9 to confirm the failure mode and current state of KVM:
rpm -q KVM # installed version
rpm -V KVM # verify file integrity
dnf updateinfo info --security KVM # any security advisories outstanding
systemctl --failed --no-pager
firewall-cmd --list-all 2>/dev/null || echo 'firewalld not running'
getenforce # SELinux mode
# If KVM ships a systemd unit (unit name may differ from the pkg name,
# e.g. httpd pkg/unit match, but bind→named, postgresql-server→postgresql):
systemctl list-unit-files | grep -i KVM | head -5
Step-by-Step Diagnosis
- List failed units.
  systemctl --failed --no-pager
- Follow the journal for KVM and the system bus.
  journalctl -u KVM -f --no-pager
  journalctl -xe -f --no-pager
- Check firewall posture (skip if firewalld is masked).
  firewall-cmd --list-all-zones --permanent
  nft list ruleset 2>/dev/null | head -50
- Surface SELinux denials and translate them to a policy module if needed.
  ausearch -m AVC,USER_AVC -ts today
  # audit2allow reads the piped denials; -a would ignore the pipe and pull in the whole audit log.
  # -M takes a module name (not a path) and writes local-fix.te/.pp to the current directory.
  ausearch -m AVC -ts today | audit2allow -M local-fix
  # Inspect local-fix.te before applying:
  sudo semodule -i local-fix.pp
- Verify KVM integrity and dependency closure.
  dnf check
  rpm -V KVM
  rpm -q --requires KVM | xargs -r rpm -q --whatprovides | head
- Correlate findings with /var/log/dnf.log, dnf history and Oracle Bug 34224821 to pin the change that introduced KVM Virtual Machines Panic When Started on Oracle Linux 9 Hosts.
Solution – Primary Fix
Apply the corrective dnf transaction referenced by Oracle Bug 34224821, reload affected systemd units, and reconcile firewalld / SELinux state:
sudo dnf clean expire-cache
sudo dnf -y update KVM
sudo systemctl daemon-reload
# If KVM ships a systemd unit (unit name may differ from pkg name):
sudo systemctl restart KVM
rpm -q KVM # confirm new NVR
systemctl is-active KVM # confirm running (if a unit exists)
If the advisory says a reboot is required (kernel, glibc, systemd, openssl):
sudo needs-restarting -r # reports kernel/init/glibc need
sudo systemctl reboot # or: sudo shutdown -r now
Solution – Alternative Approaches
If the primary fix is not viable, choose from these alternatives:
- Roll back the offending dnf transaction:
  sudo dnf history list --reverse
  sudo dnf history undo <id>
- Pin KVM with the versionlock plugin:
  sudo dnf install -y python3-dnf-plugin-versionlock
  sudo dnf versionlock add KVM
  sudo dnf versionlock list | grep KVM
- Downgrade to a known-good NVR from the repo cache or vault:
  sudo dnf --showduplicates list KVM
  sudo dnf -y downgrade KVM-<older-NVR>
- Switch firewalld backend (nftables ↔ iptables) for compatibility:
  sudo sed -i 's/^FirewallBackend=.*/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf
  sudo systemctl restart firewalld
- If SELinux is suspected, switch to permissive briefly, capture denials, and author a custom module before re-enforcing:
  sudo setenforce 0 # do NOT leave permissive
  # reproduce the failure
  # audit2allow reads the piped denials; -a would ignore the pipe and pull in the whole audit log
  sudo ausearch -m AVC -ts recent | audit2allow -M mylocal
  sudo semodule -i mylocal.pp
  sudo setenforce 1
- Where the advisory has Ksplice coverage, live-patch without reboot (Oracle Linux Premier Support):
  sudo uptrack-show # current live patches
  sudo uptrack-upgrade -y # apply all available
  uptrack-uname -r # effective kernel after live patching
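Before a module generated by audit2allow is loaded with semodule -i, the generated .te file is the thing to read. The following added example (not part of the original page) prints allow rules that touch a short review list of capabilities, process permissions and types; the RISKY list, the function name review_te and the sample policy are assumptions constructed here, not an Oracle-provided check.

```shell
#!/bin/sh
# Added example: flag allow rules in an audit2allow-generated .te file
# that deserve a second look before the module is loaded.

# Review list (an assumption of this example, extend it for your site):
# broad capabilities, executable-memory permissions, ptrace, and two
# types that a confined virtualization domain should rarely need.
RISKY='sys_admin|sys_module|sys_ptrace|dac_override|dac_read_search|execmem|execstack|execheap|ptrace|shadow_t|unconfined_t'

# Print the matching allow rules from the .te file $1.
# Returns 1 if any rule matched the review list, 0 if none did.
review_te() {
    matches=$(grep -E '^[[:space:]]*allow[[:space:]]' "$1" | grep -Ew "$RISKY" || true)
    [ -z "$matches" ] && return 0
    printf '%s\n' "$matches"
    return 1
}

# Constructed sample policy; it is not output captured from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
module mylocal 1.0;
require { type svirt_t; type virt_image_t; type shadow_t; class file { read open }; class capability sys_admin; }
allow svirt_t virt_image_t:file { read open };
allow svirt_t shadow_t:file { read open };
allow svirt_t self:capability sys_admin;
EOF

review_te "$sample" || echo "review the rules above before running semodule -i"
rm -f "$sample"
```

A flagged rule is a prompt to find out why the denial occurred (wrong file label, wrong boolean, genuine bug) rather than to allow it.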
Verification & Acceptance Criteria
All of these should pass after the fix:
rpm -q KVM # shows the expected fixed NVR
dnf updateinfo list --security | head # lists pending security advisories; should be empty
systemctl is-active KVM 2>/dev/null # active (if a unit exists)
journalctl -u KVM --since "5 minutes ago" --no-pager # no new errors
firewall-cmd --list-services # required services present
getenforce # intended mode (Enforcing/Permissive)
The original reproduction for KVM Virtual Machines Panic When Started on Oracle Linux 9 Hosts must not trigger across two consecutive runs.
Rollback Plan
Capture state before any change:
rpm -qa > /root/rpm-pre.txt
dnf history list --reverse > /root/dnf-history-pre.txt
# LVM snapshot of the root LV (size to ~10% of root):
# lvs prints the LV path (/dev/<vg>/<lv>); pass that path to lvcreate as the snapshot origin
sudo lvcreate -L 4G -s -n root_pre_patch "$(sudo lvs --noheadings -o lv_path | grep -m1 root | xargs)"
To revert if the patch is bad:
sudo dnf history undo <id>
# Or downgrade just KVM to the previous NVR:
sudo dnf -y downgrade KVM
sudo systemctl daemon-reload
# For SELinux module additions:
sudo semodule -r mylocal
# Reboot only if kernel/initramfs/glibc were rolled back:
sudo systemctl reboot
For kernel rollbacks, select the previous entry from the GRUB menu or set it as default with grubby --set-default /boot/vmlinuz-<older>.
Prevention & Hardening
Prevent recurrence on Oracle Linux 9 hosts running KVM:
- Enable scheduled security updates via dnf-automatic:
  sudo dnf install -y dnf-automatic
  # Edit /etc/dnf/automatic.conf:
  #   upgrade_type = security
  #   apply_updates = yes
  sudo systemctl enable --now dnf-automatic.timer
- Subscribe to the Oracle Linux Errata RSS / mailing list at linux.oracle.com/security.
- Mirror through a local yum/dnf repository:
  sudo dnf install -y dnf-utils createrepo_c
  # reposync places packages in a subdirectory named after the repo id
  sudo reposync --download-metadata --downloadcomps -p /srv/repos --repo=ol9_baseos_latest
  sudo createrepo_c /srv/repos/ol9_baseos_latest
- Pin sensitive packages so they cannot be auto-upgraded:
  sudo dnf install -y python3-dnf-plugin-versionlock
  sudo dnf versionlock add KVM
- Snapshot the root LV before every upgrade window:
  sudo lvcreate -L 4G -s -n root_pre_$(date +%Y%m%d) /dev/<vg>/<root-lv>
- Monitor file integrity with AIDE:
  sudo dnf install -y aide
  sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  sudo aide --check
- Add audit (auditd) watch rules in /etc/audit/rules.d/:
  # /etc/audit/rules.d/90-cp.rules
  -w /etc/passwd -p wa -k identity
  -w /etc/shadow -p wa -k identity
  -w /etc/sudoers -p wa -k privilege
  -a always,exit -F arch=b64 -S execve -k exec
- Where licensed, enable Oracle Ksplice for live kernel and userspace patching:
  sudo dnf install -y uptrack ksplice-tools
  sudo uptrack-upgrade -y
  sudo systemctl enable --now uptrack
Related Errors & Cross-Refs
Issues that commonly surface alongside KVM Virtual Machines Panic When Started on Oracle Linux 9 Hosts: dnf transaction lock contention, systemd unit ordering cycles, SELinux AVC bursts, firewalld zone drift, and kernel taint flags. Triage with:
cat /proc/sys/kernel/tainted
systemd-analyze critical-chain
ausearch -m AVC -ts today | tail
firewall-cmd --get-active-zones
dnf history list --reverse | head
References & Further Reading
Primary reference: Oracle Bug 34224821. Useful manual pages on Oracle Linux 9:
man dnf
man dnf.conf
man systemctl
man journalctl
man firewall-cmd
man semanage
man audit2allow
man grubby
Other resources: Oracle Linux 9 Administrator’s Guide at docs.oracle.com, the upstream Red Hat CVE database at access.redhat.com/security/cve, the Oracle Ksplice known-fixes feed, and /usr/share/doc/KVM/ for component-specific notes relevant to KVM Virtual Machines Panic When Started on Oracle Linux 9 Hosts.