Technical Notes

OpenShift Enterprise 2

Errata for OpenShift Enterprise

Edition 1.0

Red Hat OpenShift Documentation Team

Abstract

This book contains the summary text for bug fixes and enhancements in OpenShift Enterprise 2 errata updates when space precludes inclusion in the advisory.

Chapter 1. RHSA-2016:1773 - OpenShift Enterprise 2.2.10 Security, Bug Fix, and Enhancement Update

OpenShift Enterprise 2.2.10 is now available with updates to packages that fix one security issue, fix several bugs, and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/RHSA-2016-1773.html for more information.

Important

See the OpenShift Enterprise 2.2 Release Notes for instructions on how to apply this asynchronous errata update.
This update addresses the following bug fixes and enhancements:

Node

BZ#1361305
When unidling, upgrading, or moving a gear, a small amount of free space must be available on the gear for the operation. Gears that are currently at or exceeding their file system usage quota are unable to be unidled, upgraded, or moved. This bug fix adds a small amount of additional file system space to the gear's quota during these operations. As a result, gears at or exceeding their quota can successfully be unidled, upgraded, and moved.
BZ#1196783
When updating memory_limit_in_bytes in the /etc/openshift/resource_limits.conf file, the new memory limit did not update the OPENSHIFT_GEAR_MEMORY_MB environment variable for current gears. Even when the memory limit was updated, current gears would have the same memory limit. This bug fix adds comments to the resource_limits.conf file to provide instructions to anyone updating the memory_limit_in_bytes variable.  As a result, users changing the file should now have instructions on how to properly apply the change to current gears.

You can also work around this issue by running:

# for i in /var/lib/openshift/*/.env/OPENSHIFT_GEAR_MEMORY_MB; do echo 512 > "$i"; done

Replace `512` above with the new memory limit in megabytes; note that the two variables have different units.
BZ#1266239
The maximum number of environment variables users are able to add is now configurable on a per node basis. Some organizations may want to allow their users to create more than the default 50 allowed user variables. Administrators may want to set this maximum allowance to different values on each node or node profile. To configure this, set the USER_VARIABLE_MAX_COUNT field in the /etc/openshift/node.conf file on the node host to the desired value, and restart the ruby193-mcollective service.
BZ#1362666
Previously, a gear move did not take into consideration the amount of free space available on the node a gear is moved to. Gears could be moved to a node whose free space was less than what the gear required, resulting in gears on that node failing. This bug fix ensures that the gear move process considers the amount of free space on each node when determining to which node it should move the gear. As a result, gears are no longer moved to a node whose storage space is not adequate for the gear.

Cartridge

BZ#1361307
After the MySQL cartridge was successfully started, the log file mysql.log was automatically removed as a part of control script, with no way to recover it. If errors occurred before the cartridge was started, the error log was lost. This made the debugging process difficult. This bug fix removes the code that is responsible for log file removal. As a result, the log file persists after the cartridge is started.
BZ#1311722
The cartridge removal command `oo-admin-cartridge -a erase` removed all software versions for a given cartridge version from the cartridge repository. However, the command's `--help` output was not clear. This made it possible for users to accidentally delete all software versions for a given cartridge version. This bug fix adds more instructive `--help` output to ensure users are aware of the behavior. As a result, confusion over the command's behavior should be avoided.
BZ#1217403
Previously when using the Cron cartridge, Cron's system-level messages could get lost among the gear-level Cron logs, which could result in important messages being missed by system administrators. This enhancement ensures that Cron's system-level messages are now tagged as they are sent to syslog, allowing administrators to set up syslog rules that separate system-level Cron log messages from gear-level messages.
BZ#1282852
Previously when using the JBoss EWS cartridge, the Tomcat code did not correctly parse the spaces to be included in environment variables and did not sanitize the variables before using them. The parser split the information in variables incorrectly and caused the JVM command to fail due to incomplete or missing parameters. This bug fix adds the new method sh_split to the Tomcat code to sanitize the information in environment variables before parsing them.

Installer

BZ#1358938
The libcgroup dependencies provided in the OpenShift Enterprise 2.2 channels were out of date. This made updating to the latest libcgroup impossible due to a multilib dependency issue. This bug fix updates the libcgroup dependencies provided in these channels to match the libcgroup version shipped with the Red Hat Enterprise Linux base channel. As a result, new installations and updates to existing hosts are able to complete without issue.

Broker

BZ#1274852
In a highly available (HA) environment with an Nginx or F5 load balancer, when an HA gear was moved to another node, an update was not received by the load balancer and the gear's routing information was not modified by the routing daemon. This bug fix adds calls during the `oo-admin-move` command to publish and unpublish routing information. As a result, the routing daemon logs now contain information regarding the changes to an HA gear's routing information upon gear moves.

Routing

BZ#1361306
In the WebSocket handshake, several headers were not being passed through the node's proxy. Applications that depended on the information in the user-agent, X-Forwarded-For, and X-Client-IP headers did not receive the values of those headers. This bug fix configures the node proxy to properly send these headers in WebSocket connections. As a result, the user-agent, X-Forwarded-For, and X-Client-IP headers have proper values set that are available to the application.

Chapter 2. RHSA-2016:0489 - OpenShift Enterprise 2.2.9 Security, Bug Fix, and Enhancement Update

OpenShift Enterprise 2.2.9 is now available with updates to packages that fix one security issue, fix several bugs, and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/RHSA-2016-0489.html for more information.

Important

See the OpenShift Enterprise 2.2 Release Notes for instructions on how to apply this asynchronous errata update.
This update addresses the following bug fixes and enhancements:

Command Line Interface

BZ#1299095
When running the `oo-diagnostics` tool, several lines of code which are intended
to run on the node were added to a section of code that was only run on the
broker. This caused the node-related code to fail when it was run on the broker.
This bug fix separates the node-related code into a different test that is run
on the node instead of the broker. As a result, the test case that is intended
for the broker runs correctly and the `oo-diagnostics` tool no longer fails for
this reason.
BZ#1111456
The `rhc` code previously did not respect the gear size option during Jenkins
application deployment. When a user created an application using the `rhc`
command with `--enable-jenkins` and medium `--gear-size` options, the Jenkins
application was deployed into the default small gear size. This bug fix updates
`rhc` to now respect the gear size option during the Jenkins application deployment
process to create a gear with the selected size.
BZ#1308722
There was a duplication of the start process call during Git deployment using
the `rhc --from-code` command. This caused the second start process call to fail
as the httpd port was already in use by the previous start process call,
resulting in a failure message. This bug fix adds a conditional check to the
code to verify the state of the application to identify whether the application
is already started. If it is already started, a restart process is called
instead of a start process. As a result, the failure message is no longer logged
in this scenario.
BZ#1308716
The `rhc snapshot` command did not check if a snapshot file already existed or
warn users before overwriting the file during the process of creating it. This
caused the previous snapshot file with the same name to be overwritten without
any warnings from the `rhc snapshot` command. This bug fix adds a new check to
`rhc snapshot` to verify whether a file with the same name already exists in the
directory. If it does, it prompts the user to ask if they want to overwrite the
file or not. As a result, `rhc snapshot` will no longer overwrite the existing
file unless the user allows it to do so.
BZ#1307174
The `rhc ssh <app>` command did not work in Windows unless ssh.exe was
copied from the C:\Program Files\Git\usr\bin folder to the C:\Program
Files\Git\bin folder. Also, the link to Git for Windows msysgit install was
broken. This bug fix adds C:\Program Files\Git\usr\bin to the search path for
ssh.exe. Users can also move ssh.exe to a custom location; as long as it is in
the Git path, `rhc` will find it. In addition, http://msysgit.github.io/ was
replaced with the updated URL https://git-for-windows.github.io/. As a result,
the `rhc ssh` command works as expected for Windows users.
BZ#1310841
Users using the `rhc` command with Zsh would previously get errors when
attempting to use autocompletion.  This bug fix updates the rhc_bash file to
properly work with Zsh and allow autocompletion without errors.
BZ#1279584
There were certain situations when a user could have a plan_id that did not
have a defined plan in the get_plan function. This caused the `oo-admin-repair`
and `oo-admin-chk` commands to error out. This bug fix adds a check to see if
the plan is defined, and if it fails a default plan is used. As a result, these
commands no longer error out in this situation, and provide a warning (but not a
failure) that there is a plan_id with a plan that has not been defined.
BZ#1310810
Output from the `rhc app show <app> --gear quota` command was misleading
because the `du` command was used instead of the `quota` command. For example,
`quota` includes usage from files that have been deleted but their data blocks
are still being held by some process in the gear, and is therefore a more
accurate view of usage. Users expected `rhc app show <app> --gear quota`
to show the same values as running `rhc ssh <app>` then running `quota` on
the gear, but they were not due to `du` and `quota` differences. This bug fix
replaced `du` with `quota` in the `rhc app show` command, and as a result the
same values are now shown for `rhc app show <app> --gear quota` and for
`quota` while using SSH to connect to the gear.
BZ#1314535
Missing man pages have been added for the `oo-admin-ctl-iptables-port-proxy`,
`oo-admin-ctl-tc`, `oo-admin-repair-node`, and
`oo-admin-regenerate-gear-metadata` commands.
BZ#1140816
The `oo-admin-ctl-district` command did not have an option to list all districts, and
the only way to display this information was to execute a command without any
arguments. The option `list-available` was poorly named, as it did not list
information about districts, but rather listed nodes that were not in districts.
The `oo-admin-ctl-region` command similarly displayed a list of regions only
when no options were selected. This bug fix adds a `list` option to the
`oo-admin-ctl-district` and `oo-admin-ctl-region` commands to list all available
districts or regions, respectively. The `list-available` option has also been
renamed `nodes-available` to avoid confusion. Also, if no arguments are given,
the command now displays a usage message. As a result, both commands now provide
all necessary options to display the appropriate information instead of the
ambiguous non-argument option.

Node

BZ#1294513
Checks for proper RPM packages, with el6op in the name, incorrectly expected the
nodejs-debug package to contain this tag. This caused a false error to be
reported from the `oo-diagnostics` command on up-to-date systems. This bug fix
updates `oo-diagnostics` to no longer expect nodejs-debug to contain the el6op
tag.
BZ#1160934
The `oo-admin-ctl-gears` command did not update the current state of the gear
after it successfully stopped an idled gear. The gear's status remained "idled"
even though it was stopped successfully. This bug fix updates the command to
change the status of the gear from "idled" to "stopped" if the gear is stopped
successfully. As a result, the correct status of the gear is now displayed in
this scenario.
BZ#1307175
Previously, the `oo-accept-node` script incorrectly verified that processes were
in cgroups procs.  Output from this script may have been misleading as the
script should have been checking that threads are in cgroup tasks. This bug fix
updates `oo-accept-node` to now correctly compare threads with cgroup tasks.
BZ#1265811
In order to check that file system quotas were enabled, the `oo-accept-node`
script used the output of the `df` command to determine the device and mount
point of the gear base directory. The script then specified this mount point to
the `repquota` command and expected to see the device in `repquota` output.
However, if the gear base directory was a loop mount, `df` printed the loop
image file name, whereas `repquota` prints the loop device. Thus,
`oo-accept-node` was looking for the wrong string in the `repquota` output. This
bug fix updates `oo-accept-node` to now use the `mount` command to determine
whether the file system is a loop mount, and, if it is, `oo-accept-node` now
parses the file system options to determine the loop device for the file system.
In addition, because using a loop mount degrades performance, `oo-accept-node`
now prints a warning if the gear base directory is a loop mount. As a result,
`oo-accept-node` will now print an error only if quotas really are disabled on
the file system, and `oo-accept-node` will print a warning if the file system is
a loop mount.
BZ#1265423
System administrators can now configure .gitconfig files for gears through the
use of skeleton files. This is needed to allow for an existing Git repository
with a large amount of data to be more easily used in OpenShift. Without this
change, some Git repositories could not be imported into OpenShift using
`--from-code`, due to their size or memory consumption during the clone process.
This enhancement allows for an administrator to use concepts from the
configuration in https://access.redhat.com/solutions/535653 as defined by
https://access.redhat.com/solutions/693593. It should be noted that when setting
up a custom .gitconfig that:

1) the .gitconfig file can now be overwritten by a .gitconfig file provided in
the user's Git repository.
2) the user-provided .gitconfig should contain the following options to ensure
the Git repository can be cloned when the gear is close to its memory limits:

[gc]
auto=100
[pack]
windowMemory = 10m
packSizeLimit = 20m
BZ#1310266
The Management Console previously had an intermediate "Certificate Chain" field.
The certificate files were then internally concatenated. SSL certificate
providers often issue a fullchain.pem file (or similar) that was confusing to
users who did not know whether to use this file or the non-concatenated files.
The `rhc` command to upload SSL certs, however, did not include a certificate
chain option. When using `rhc`, users have always been required to supply a
concatenated certificate file. Users were getting a "B rating" (per ssllabs.com)
and/or "chain incomplete" warning unless they used the fullchain.pem file. This
bug fix removes the SSL "Certificate Chain" field from the Management Console,
and as a result the Management Console now matches the `rhc` usage.
BZ#1308718
In scaled applications, the HAProxy cartridge in the head gear contained an SSH
wrapper that was set to quiet mode (the `-q` flag). If the user executed SSH
commands with invalid parameters, no errors were shown as they were suppressed
by the `-q` flag. This bug fix removes the SSH wrapper from the HAProxy
cartridge as it is no longer needed. The `oo-ssh` command now exists and the
node runtime either uses it or specifies the required flags wherever it invokes
SSH commands. SSH in head gears now uses standard SSH from /usr/bin/ssh without a
`-q` flag. As a result, if an invalid SSH command is executed, a meaningful
error message will be reported to the user.
BZ#1283372
The man page for the `oo-admin-gear` command was incorrectly showing the short
flag for `--with-container-uuid` as `-u`. This bug fix updates the man page to
correctly show that the short flag is `-c`.

Cartridge

BZ#1314546
In the Python cartridge, the build process in the `control` script did not catch
all failed operations during the process of installing the required packages in
requirements.txt. If a required package installation failed, the deployment
process still continued. This bug fix updates the `control` script to catch all
failures that may occur during the build process. As a result, if a required
package fails to be installed, the deployment process is terminated.
BZ#1308720
The Drush component of Drupal applications cannot be installed using PEAR
anymore, causing the Drupal application to fail during installation. This bug
fix removes the PEAR package and Drush is now installed using composer instead.
As a result, Drupal applications now install successfully after Drush is
installed using composer.
BZ#1310247
Nodes may have multiple interfaces. Some administrators may need to specifically
control the traffic on all interfaces on a node, rather than just a single
interface. This enhancement enables the use of traffic control on multiple
network interfaces.

Broker

BZ#1168480
The `oo-admin-ctl-user --addgearsize <invalid_name>` command produced a
confusing error message with backtrace information. This bug fix clarifies and
removes the backtrace information from the error message.
BZ#1305688
Previously, the `oo-accept-broker` command did not filter single or double quote
characters from the MONGO_HOST_PORT variable before parsing it. This caused the
individual host and port parsed from MONGO_HOST_PORT to contain unwanted quote
characters. When `oo-accept-broker` attempted to access the broker using the
parsed value, it failed, generating a false failure result. This bug fix updates
the `oo-accept-broker` command to ensure unwanted quote characters from
MONGO_HOST_PORT are removed before parsing, and as a result the command now has
correct information about the broker's host and port to determine if the broker
is accessible.

Management Console

BZ#1169690
When adding a cartridge to a gear, if gear quota is over 90% used, warning
information was shown twice with two different quota values. This was confusing
to users as one warning reflected quota before cartridge addition and the other
reflected quota after cartridge addition. This bug fix removes the double
warning, and as a result users now only see one correct warning message when
trying to add a cartridge to a nearly full gear, for example "Warning: Gear
<app_name> is using 95.9% of disk quota."

REST API

BZ#1308739
Applications have a deploy mode that can be either binary or git. When
attempting to deploy using the REST API, the deploy mode was not checked,
allowing users to deploy using the incorrect method. This bug fix updates the
REST API to now check the git deploy mode and return an error if the deployment
attempt is not using the correct mode.

Security

BZ#1299014
Certain ciphers may need to be disabled or enabled depending on an
organization's security policies. This enhancement allows the cipher suite used
for the node web proxy to be configured. As a result, the cipher suite can now
be configured in the /etc/openshift/node-web-proxy.json file.

Upgrade

BZ#1302787
Previously, the /etc/openshift/web-proxy-config.json configuration file for the
node web proxy was not marked as a configuration file upon installation. New
versions of the openshift-origin-node-proxy package would overwrite any changes
to the /etc/openshift/web-proxy-config.json file with the original version of
the file. This bug fix marks the /etc/openshift/web-proxy-config.json file as a
configuration file in the RPM spec, and as a result the file will no longer be
overwritten when openshift-origin-node-proxy is updated.

Chapter 3. RHSA-2015:2666 - OpenShift Enterprise 2.2.8 Security, Bug Fix, and Enhancement Update

OpenShift Enterprise 2.2.8 is now available with updates to packages that fix one security issue, fix several bugs, and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/RHSA-2015-2666.html for more information.

Important

See the OpenShift Enterprise 2.2 Release Notes for instructions on how to apply this asynchronous errata update.
This update addresses the following bug fixes and enhancements:

Command Line Interface

BZ#1155003
The `rhc server add` command was previously missing the `[--ssl-client-key-file FILE]` option in its summary and `--help` responses. The command also requires all three arguments (`[--ssl-ca-file FILE]`, `[--ssl-client-cert-file FILE]`, and `[--ssl-client-key-file FILE]`) in order to properly allow `rhc server add` to use the certificate information. However, there was no error message to inform the user when only one or two of the options were present. This was causing confusion on the proper way to use SSL certificate information with this command. This bug fix updates the usage statements for the `rhc server add` command to now include `[--ssl-client-key-file FILE]` in their argument list. There is also a check for when users include only one or two files, which will properly inform the user that all three options are required. This should reduce confusion and provide much better feedback on the usage of the `rhc server add` command.
BZ#1139608
Due to lack of file name checking, the `rhc snapshot` command would previously overwrite the snapshot file of an application without warning the user. If the snapshot file already existed, it was overwritten if `rhc snapshot` was executed on the same application. This bug fix adds proper file name checking to notify users if the same file name already exists. It then lets users choose whether to overwrite the file.
BZ#1177753
Security policies within an organization may dictate how SSH must be used, requiring a custom SSH executable to be created and used exclusively. This enhancement enables all `rhc` subcommands that must use an SSH implementation to use an SSH executable specified by the user. Otherwise, these subcommands continue as they did previously, usually using Ruby's Net::SSH implementation. The option `--ssh` is now added as a global option to all commands and is also available for use in the rhc `express.conf` configuration file.
BZ#1140766
The usage information for the `-i` flag to the `oo-admin-ctl-district` command did not explain the phrase "node identity". This bug fix updates the usage information to tell the reader that a node's server identity is its host name. In addition, the usage information was changed to mention that a comma-separated list or a regex enclosed in slashes may be specified with the `-i` flag.

Cartridge

BZ#1270660
Previously, the EWS cartridge started an application's gear and marked the application as "up" in HAProxy. If the application took some time to deploy, it caused an outage window as traffic was routed to the application. This was corrected either when HAProxy executed its next health check and disabled the application or when the deployment finished. As a result, it was possible for EWS cartridge deployments to be marked "up" and routable when in fact they were not yet ready to service requests. This bug fix introduces the OPENSHIFT_JBOSSEWS_START_DELAY EWS environment variable to allow application owners to delay the registration of their deployment with HAProxy. Set this variable to include a delay (in seconds) which causes deployments to halt after a gear start in a similar manner to the EAP cartridge. The difference between the EWS and EAP cartridges is that Tomcat implements a sleep (or hang) because it does not have a management interface (https://access.redhat.com/solutions/901043) to interact with like EAP to check that deployments have finished. Using the OPENSHIFT_JBOSSEWS_START_DELAY variable can cause application deployments to take longer but it can be used to avoid outages with new deployments.
BZ#1265609
When using the Python cartridge, the pandas package had several dependencies that were not installed successfully using the setup.py method. This bug fix updates the cartridge to use the `pip install` method, which resolves the dependency issue and allows the pandas package to be installed properly. However, to avoid a regression issue, a marker `pip_install` is required to use `pip install`. Otherwise, the standard setup.py installation method is used instead.
BZ#1211526
In some cases, it was possible for a restart of a gear with an HAProxy cartridge to result in more than one HAProxy process running. This resulted in the HAProxy cartridge's process not being killed after a restart, and an HAProxy would be running without a proper pid file. Instead of determining the existence of an HAProxy process from the pid file, this bug fix updates the stop function to now check the process list. As a result, the HAProxy process is now properly killed if it still exists after the stop during a restart.
BZ#1277695
Particular locales trigger different definitions for regular expression character classes [a-z] and [A-Z] in Bash. This caused regex-based host name validation to fail when, for example, the Estonian locale "et_EE" was set in $LC_ALL, because the Estonian letter "u" falls outside of the [a-z] character class, and "rhcloud.com" has a "u" in it. This bug fix updates the `update-cluster` script to enforce use of the POSIX locale just for the locale-sensitive regex, and to restore the user's locale setting immediately afterwards. As a result, host name validation for the `update-cluster` script now works regardless of what locale may be specified by the user.
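The approach described above, forcing the POSIX locale only for the locale-sensitive match and then restoring the caller's setting, as an added example that is not code from the `update-cluster` script. The function name `is_valid_hostname` and its validation rules are assumptions, and it uses a `case` pattern instead of a Bash regex so that it runs in any POSIX shell.

```shell
#!/bin/sh
# Added example: host name validation that gives the same answer under any
# user locale. is_valid_hostname is a hypothetical name, not update-cluster's.

is_valid_hostname() {
    host=$1

    # Remember whether LC_ALL was set at all, and its value, so the caller's
    # locale can be put back exactly as it was.
    lc_was_set=${LC_ALL+yes}
    lc_saved=${LC_ALL-}

    # In the POSIX (C) locale, [a-z], [A-Z] and [0-9] are the ASCII ranges.
    LC_ALL=C
    rc=0
    case $host in
        '')                rc=1 ;;   # empty string
        *[!a-zA-Z0-9.-]*)  rc=1 ;;   # any character outside letters, digits, '.', '-'
        .*|*.|*..*)        rc=1 ;;   # empty label
        -*|*-|*.-*|*-.*)   rc=1 ;;   # label starting or ending with '-'
    esac

    # Restore the user's locale immediately after the match.
    if [ -n "$lc_was_set" ]; then
        LC_ALL=$lc_saved
    else
        unset LC_ALL
    fi
    return "$rc"
}

# Constructed sample input.
for h in myapp-demo.rhcloud.com bad_host.rhcloud.com a..example.com; do
    if is_valid_hostname "$h"; then
        echo "$h: valid"
    else
        echo "$h: rejected"
    fi
done
```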
BZ#1280438
When a gear was almost at its quota limit, a warning message was returned from commands used by haproxy_ctld. This caused the haproxy_ctld log to incorrectly fill up with the quota warning message, which was not intended to be logged by haproxy_ctld. This bug fix filters the warning messages when logging for haproxy_ctld, and as a result quota limit warning messages are no longer logged to the haproxy_ctld log file.

Broker

BZ#1268080
Previously, pending operations failed to run and were added back to the job queue if the parent operation did not exist. When a parent operation was missing, child operations would never complete. This bug fix ensures that if a parent operation does not exist, the discrepancy is logged and the child operation moves on. As a result, if a parent operation is deleted or is otherwise missing, the remaining child operations are still able to be completed.
BZ#1218872
If the MINIMUM_SSH_KEY_SIZE parameter was not set in the /etc/openshift/broker.conf file, a nil value was passed into a condition statement which failed due to lack of nil checking. This caused the `rhc` command to fail to upload the SSH key while creating a new domain. This bug fix updates the condition statement to handle a nil value and return the correct DEFAULT_MINIMUM_SSH_KEY_SIZE value. As a result, the `rhc` command can now successfully upload the SSH key in this scenario.
BZ#1111598
When an error was discovered from running the `oo-admin-check` command, the error output told the user to run the `oo-admin-repair` tool to fix it. However, a number of errors were possible that could not be resolved with the `oo-admin-repair` tool, which caused misdirection on how to correctly address these errors. This bug fix updates individual error messages with relevant solutions or links to a Red Hat solutions page if available. The generic error message now directs the user to the `oo-admin-repair` man page to see if their problem is something that it may be able to resolve.
BZ#1110415
Prior to OpenShift Enterprise 2.1, the command to clear both the broker's and the console's cache was `oo-admin-broker-cache --clear --console`. As of OSE 2.1, `oo-admin-broker-cache` only clears the broker's cache, and it is necessary to use `oo-admin-console-cache` to clear the console's cache. However, running `oo-admin-broker-cache --clear --console` did not warn that the `--console` flag did nothing; instead, `oo-admin-broker-cache` would silently ignore the `--console` flag. This bug fix updates the `oo-admin-broker-cache` command to no longer ignore the `--console` flag; instead, specifying the flag now causes the command to print an error with usage information.
BZ#1101973
The `test_for_nonrpm_rubygems` test in the `oo-diagnostics` tool previously used shell globbing to search for gemspec files in several paths. However, shell globbing returns back the glob pattern (rather than an empty list) if the pattern does not match anything. The test failed to take this shell feature into account, instead interpreting a returned glob pattern as a file name. If one of the directories that the test searched was empty, the test would output spurious error messages such as "ls: cannot access /opt/rh/ruby193/root/usr/local/share/gems/specifications/*.gemspec: No such file or directory". This bug fix updates the `oo-diagnostics` tool to handle empty gemdirs. Specifically, the glob search in the `test_for_nonrpm_rubygems` was rewritten to perform the search using Ruby code rather than shell. Globbing in Ruby returns an empty list if the glob pattern does not match anything. As a result, the `oo-diagnostics` tool no longer prints spurious error messages for empty directories.
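The unmatched-glob behaviour described above, as an added example that is not code from `oo-diagnostics`: the naive function treats the returned pattern as a file name, and the guarded one keeps only results that exist. The function names, directory layout and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not oo-diagnostics code): searching several directories for
# *.gemspec files with a shell glob. Function names are hypothetical.

# Flawed: trusts whatever the glob expands to. When a directory has no match,
# the shell leaves the pattern in place, so the literal string
# "<dir>/*.gemspec" is emitted as if it were a file name.
list_gemspecs_naive() {
    for dir in "$@"; do
        for spec in "$dir"/*.gemspec; do
            printf '%s\n' "$spec"
        done
    done
}

# Guarded: skip missing directories and keep only results that exist.
# -L also keeps dangling symlinks, which a glob matches but -e rejects.
list_gemspecs_safe() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for spec in "$dir"/*.gemspec; do
            if [ -e "$spec" ] || [ -L "$spec" ]; then
                printf '%s\n' "$spec"
            fi
        done
    done
}

# Constructed demo: one empty gem directory and one holding a single spec.
demo_gemspec_search() {
    base=$(mktemp -d) || return 1
    mkdir "$base/empty" "$base/specs"
    : > "$base/specs/rack-1.0.gemspec"
    echo "naive:"; list_gemspecs_naive "$base/empty" "$base/specs"
    echo "safe:";  list_gemspecs_safe  "$base/empty" "$base/specs"
    rm -rf "$base"
}

demo_gemspec_search
```

Passing the naive output to `ls` reproduces the "cannot access ...*.gemspec" message quoted above.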
BZ#1264722
Previously, there was a conflict in the `oo-register-dns` command between the two `-h` options which were associated with both the `--help` and `--with-node-hostname` options. This caused the command to fail with getoptlong object errors. This bug fix updates the command, and the `--help` and `-?` options now show usage information while the `-h` option is only associated with the `--with-node-hostname` option. As a result, these errors no longer occur.
BZ#1272195
Previously, the `oo-admin-ctl-app` command did not check the min_limit on the group_overrides while it was removing a gear from an application. This made it possible for a gear to be removed from a scalable application beyond the min_limit. This bug fix updates the `oo-admin-ctl-app` command to check the min_limit before removing a gear from a scalable application. As a result, the `remove-gear` command now fails if the number of gears has already reached the min_limit.
BZ#1064039
The `oo-diagnostics` tool did not warn users if there were "Broker key authentication failed" errors in log files, which indicated potential key/salt inconsistencies. This is problematic because if gears are created with a mismatched key/salt, future gears become inaccessible due to "401 Unauthorized" errors. This bug fix adds a proper check to the `oo-diagnostics` tool to issue warnings if these errors are listed in log files. Also, a suggested fix is included in the warning message to help users rectify the issue.

Node

BZ#1271338
When restoring SELinux labels, the action was performed on a directory, which does not include hidden files. This caused SELinux labels to not be properly restored on hidden files within a gear directory if they were incorrect. This bug fix ensures that the SELinux label change is performed on all files within a directory, rather than the directory. As a result, hidden files in a gear now have the proper SELinux labels set when they are incorrect.
BZ#1045226
The `oo-auto-idler` man page incorrectly stated that the command replaced the `oo-last-access` command instead of the `oo-list-stale` command. This bug fix updates the man page to correctly state that the `oo-auto-idler` command replaces the `oo-list-stale` command.
BZ#1111501
By default, the REPORT_BUILD_ANALYTICS parameter in the /etc/openshift/node.conf file was set to `true`. With this default configuration, the OpenShift node attempted to notify the broker about application builds via a special REST API on the broker. However, the broker did not have this REST API in its default configuration which caused the node's attempt to result in the following spurious log message and a backtrace in the /var/log/openshift/broker/httpd/error_log file every time a user performed a `git push` to an application: 'Exception ActionController::RoutingError in Rack application object (No route matches [POST] "/broker/analytics")'. This bug fix changes the default value of the REPORT_BUILD_ANALYTICS parameter to `false`. As a result, the spurious log messages should no longer appear by default.
BZ#1054441
When the BROKER_HOST parameter in the /etc/openshift/node.conf file and OPENSHIFT_BROKER_HOST environment variables are inconsistent, some cartridges, such as Jenkins, fail to work as they use those variables. The same is true for CLOUD_DOMAIN variables. This bug fix adds a warning to the `oo-accept-node` command to notify administrators to fix such inconsistencies. As a result, a warning is now issued if these variables do not match.

REST API

BZ#1255426
Previously, setting a minimum scale of at least 2 on an application and then making the application highly-available (HA) caused configuration issues for the application. This caused the application to be unable to unset HA and set the minimum scale back down to 1. With this bug fix, when an application has HA disabled, the configuration now allows the application to be scaled back down to a single gear.

RFE

BZ#1238305
The author of a gear-placement plug-in may want to use the domain_id to determine where gears are placed. For example, applications in a particular domain may need to be isolated on a separate set of nodes in order to comply with requirements specified in external security policies. This enhancement expands the input parameters to gear-placement plug-ins to include the domain ID of the application, and as a result gear-placement plug-ins can now make placement decisions using applications' respective domain IDs.
BZ#1241675
Normally, when the routing daemon is configured with F5 BIG-IP®, the routing daemon checks for the `openshift_application_aliases` local traffic policy on startup and creates the policy if it does not exist. However, the routing daemon previously did not validate that any existing policy was configured properly. As a result, if the F5 administrator set up the policy manually and configured it incorrectly, or changed the policy's configuration later, the policy may no longer function properly. This enhancement changes the routing daemon's startup check to include validation of the policy. In particular, the routing daemon now checks that the policy is configured with the `forwarding` control and the `http` aspect, and it updates the policy's configuration if required.

Routing

BZ#1248439
The Nginx load balancer previously passed on the host name configured when balancing requests. This configured host name is the name of the pool in the configuration, which does not resolve to anything in DNS. Anything that uses the host header on the request may fail to resolve the proper host. This bug fix ensures that Nginx passes the gear's correct host name in the host header, and as a result any application that utilizes the value of the host header in a request can now resolve the application host name properly.
BZ#1282520
When the routing daemon is configured with F5 BIG-IP®, the routing daemon is supposed to check for the `openshift_application_aliases` local traffic policy on startup and create the policy if it does not exist. However, a logic error introduced with the release of routing-daemon-0.23.2.0-1 in OpenShift Enterprise 2.2.5 prevented this check from functioning properly. If the `openshift_application_aliases` policy did not already exist, this caused the routing daemon to fail to configure policy rules. This bug fix addresses the logic error in the routing daemon's initialization, and as a result the routing daemon now creates the `openshift_application_aliases` local traffic policy on startup if required.

Vulnerability

BZ#1239072
An implementation error related to the memory management of requests and responses was found within HAProxy's buffer_slow_realign() function. An unauthenticated remote attacker could possibly use this flaw to leak certain memory buffer contents from a past request or session.

Chapter 4. RHSA-2015:1844 - OpenShift Enterprise 2.2.7 Security, Bug Fix, and Enhancement Update

OpenShift Enterprise 2.2.7 is now available with updates to packages that fix security issues, fix several bugs, and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/RHSA-2015-1844.html for more information.

Important

See the OpenShift Enterprise 2.2 Release Notes for instructions on how to apply this asynchronous errata update.
This update addresses the following bug fixes and enhancements:

Command Line Interface

BZ#1216206
When running `rhc setup` for the first time, rhc must contact the OpenShift server. If the `always_auth` option must be set to something other than the default to connect to the OpenShift server, a ~/.openshift/express.conf file had to be manually created with the `always_auth` option set. This enhancement allows users to now pass the `--always_auth` global option to `rhc setup` so that a configuration file does not have to be manually created beforehand. Users can also use this option on any rhc command to overwrite the value in rhc's configuration.
BZ#1130028
In the output of `rhc app-show <app> --gears`, cartridges for a scalable gear were previously listed by the endpoints they exposed. If a cartridge exposed multiple endpoints, it was listed multiple times in the output of `rhc app-show <app> --gears`. This bug fix updates rhc so that only unique values in the list of cartridges with exposed endpoints are considered, and as a result cartridges with multiple exposed endpoints are only listed once per gear.
BZ#1160699
When creating an application from an existing application, details regarding the HA configuration of the original application were not available. As a result, applications created from an existing HA application would not themselves be HA as one would expect. This bug fix extends the REST API to provide HA application configuration details. The `rhc app-create --from-app` command now clones HA status from the original application.
BZ#1229300
Previously, when moving a non-scaled application across node profiles, the proper quota for the new profile was not applied to the gear. The gear still used the quota from its previous gear size. Additionally, any additional gear storage was not added to the quota of the new gear. This bug fix ensures the new node profile's quota limits are used, taking into account additional storage the gear may have. As a result, gears moved across node profiles have the proper quota applied, and additional gear storage still exists after the move.
BZ#1128567
Previously, only cartridges that exposed endpoints were listed in the output of `rhc app show <app> --gears` for scalable applications. However, the jenkins-client cartridge does not expose any endpoints, and as a result for scalable applications with a jenkins-client cartridge, `rhc app show <app> --gears` would not show the jenkins-client cartridge on any gear. This bug fix updates rhc so that all cartridges are listed and those with endpoints are highlighted in green. The jenkins-client cartridge is now listed for a scaled application alongside other cartridges that do expose endpoints.
BZ#1232921
If environment variables are specified with rhc, but no environment variables were able to be parsed, the environment variables were previously ignored and errors were not reported when syntactically incorrect environment variables were provided. This led users to believe their environment variables were added when the application was created. This bug fix updates rhc so that when the environment variable flag is specified, but no environment variables can be parsed, an error is reported.

Cartridge

BZ#1138522
The values for `MaxClients` and `ServerLimit` were hard-coded into the httpd_nolog.conf file for the PHP cartridge. The load order specified to load httpd_nolog.conf last, so specifying a custom `MaxClients` or `ServerLimit` variable was not possible as these configurations would always be overwritten by httpd_nolog.conf. This bug fix updates the PHP cartridge to change how configuration files are passed to httpd from using `-C` (load before reading configuration files) to `-c` (load after reading configuration files). As a result, custom `MaxClients` and `ServerLimit` variables can now be defined in PHP cartridges.
BZ#1264210
Previously, a Node.js cartridge with hot_deploy disabled would not wait until the application is actually available when starting the application. On scaled Node.js applications where 20 to 30 seconds is required for the application to start, an outage was seen during the push while the Node.js applications started. For other cartridges (such as JBoss EAP), each start is blocked until the application is available so that gear rotation ensures no downtime is experienced. This bug fix updates the Node.js cartridge to now block until the HTTP port is available, with a maximum wait time of 60 seconds. As a result, scaled Node.js cartridges with hot_deploy disabled will properly update and start gears in rotation when pushing a new version of the application. This ensures no downtime is seen while pushing a new version.
BZ#1197576
Certain Jenkins plug-ins insist on a specific minimum version of Jenkins. As time passes, more and more Jenkins plug-ins will be unable to be upgraded or installed because the minimum version of Jenkins required is later than that provided by OpenShift. This enhancement upgrades the Jenkins cartridge to jenkins-1.609.1.

Logging

BZ#1264039
When reading configuration files, logshifter previously read each line using a newline as the separator. When no newline character or EOL character existed at the end of a configuration file whose last line was not empty, the last line of the configuration would be ignored. This bug fix updates logshifter to catch an EOF and ensure that if the EOF is on a non-empty line, the line is read into the configuration. As a result, all lines in the logshifter configuration file are read, whether they end with a newline or EOL character or not.

Broker

BZ#1171815
It is possible that when a Jenkins application fails to create and is rolled back, its domain environment variables still exist. These map to a non-existing gear component, and any new Jenkins applications cannot be created since the environment variables already exist. This bug fix updates the `oo-admin-repair` command to add the ability to clean up domains that have Jenkins environment variables with missing components. An administrator can use the `--orphaned-envs` switch with `oo-admin-repair` to clean environment variables from domains that do not have a related component. An administrator can also use `--domain <domain>` to specify a specific domain to repair.
BZ#1191283
When a cartridge was imported into the broker's database from two separate nodes within the same second, the second cartridge failed activation because the time stamp of the first cartridge was seen as the same as the current time. Instead of comparing the time stamps through the moped database query, which only compares seconds, this bug fix updates the logic to compare the Time objects with Ruby. As a result, the priority time stamps are compared to the milliseconds, allowing multiple cartridges from different nodes to be imported and activated within the same second.
BZ#1197123
When the base gear file storage limits (quota_blocks) were less than 1048576, converting this value to gigabytes previously returned 0. Calculating the total file limit from every gear in the application included dividing by the base gear file storage limits in GB, which when 0 caused a "divide by 0" error to be returned. This bug fix updates the behavior to round up all base gear file storage (quota_blocks) values to 1GB if they are less than 1GB. As a result, the base total file storage limit for an application can now be reported without error when storage limits are less than 1048576. Note that because we round up when the quota_blocks value is less than 1048576, storage values may be inaccurate for some applications.
BZ#1241750
The pin-php-to-host gear placement plug-in example configuration contained a typo where a configuration directive was named incorrectly, which caused the `slow_hosts` configuration directive to not be used. This bug fix renames the `SLOW_HOST` directive to `SLOW_HOSTS`, and as a result the `slow_hosts` configuration directive is parsed properly and used in the pin-php-to-host gear placement plug-in example.
BZ#1221931
When the `oo-admin-move` command failed to move a scalable application across districts, previously the exit code returned was 0, as if there was no failure. This bug fix updates the command to properly exit with a non-zero exit code upon failure.
BZ#1226061
The routing daemon previously did not check the exit status of `ssh` and `scp` commands for copying certificates and keys to and deleting the same from the F5 BIG-IP host. This caused some errors in copying keys to F5 BIG-IP to be ignored. This bug fix updates the routing daemon, and the F5 iControl REST API model now checks the exit status of `ssh` and `scp` commands and raises an exception if the exit status is not 0. As a result, the routing daemon now logs errors from the `ssh` and `scp` commands.
BZ#1228373
When determining which servers are available for gear placement, the least_preferred_servers variable could include all available servers. Additionally, the nodes only update their facts at a one minute interval. If all available nodes for a gear were passed in least_preferred_servers, the last server in the list would be chosen every time. Additionally, gears created for the same application within the same minute (such as through scaling a cartridge up numerous gears at a time) did not consider the placement of gears created within the same minute. These issues combined resulted in very uneven gear spreading for scaled applications. This bug fix updates OpenShift Enterprise so that if all available gears are passed into least_preferred_servers, least_preferred_servers is essentially ignored because all servers are least preferred. Gears now also will take into consideration the placement of the other gears in the application. As a result, spreading across nodes in districts and zones for scaled applications is now even. Scaling an application up multiple gears will result in the gears being spread evenly.
BZ#1152524
Previously, the `oo-accept-broker` command would hang indefinitely or time out with unhelpful errors if it was unable to load the broker's Rails environment due to database connectivity issues. This enhancement updates the `oo-accept-broker` command to now check for connectivity with the MongoDB database before attempting other functions that rely on the database. As a result, `oo-accept-broker` now catches DNS issues as well as MongoDB database connectivity issues and provides a useful error message when the database is unavailable.

Node

BZ#1232827
This enhancement updates the JBoss EAP cartridge to allow the usage of Java 8, which can be used by adding the "java8" marker.
BZ#1257757
When a scaled application is unidled, HAProxy is started first. Previously, HAProxy then made a blocking `curl` request to every gear in its configuration to unidle it. After HAProxy was finished, the rest of the gears received a 'start' from the broker. This caused a loop to be seen when unidling a scaled application that could cause delays and timeouts to be hit: HAProxy attempted to unidle all gears while the broker was already handling the unidling process, starting another unidling process for each gear. This bug fix removes HAProxy's logic where it attempts to unidle all gears in the application, as the broker already handles this operation. As a result, HAProxy no longer attempts to unidle all gears in an application, instead deferring this process to the broker, and unidling a scaled application takes much less time.
BZ#1264216
Previously, every gear on a node received an "unidle" call during a node start, which triggered an Apache reload for each gear, incurring significant overhead. This caused node start time to take longer than was necessary, and gears that started first were deprived of resources until the node settled. This bug fix ensures gears are only unidled on user start. As a result, unnecessary unidles no longer occur at node start, and node start time is reduced.
BZ#1225943
The `grep` method in which entries are pulled from the /etc/fstab file in the `oo-init-quota` command previously did not ignore commented lines. This could result in an error where the quota failed to initialize due to duplicate entries when a commented entry included the same file system mount as an un-commented entry. This bug fix updates the `grep` commands used in `oo-init-quota` to now ignore lines beginning with a '#' symbol. As a result, `oo-init-quota` now successfully initializes quotas on systems where a commented entry for the same file system where OpenShift gears will be stored exists.
BZ#1062253
Previously, the java-1.6.0-openjdk package was not listed as a requirement for the JBoss EAP and JBoss EWS cartridges. This caused the 'java6' marker to not work appropriately if java-1.6.0-openjdk was not already installed on the system by other packages. This bug fix adds java-1.6.0-openjdk as a requirement to these cartridges to correct this issue.

Routing

BZ#1217572
After performing updates to F5 BIG-IP, the routing daemon should call the F5 iControl REST API to synchronize F5 BIG-IP's configuration within a preconfigured device-group. This enables a system administrator to set up an F5 BIG-IP cluster (or "device group" in F5 terminology) for high availability and have configuration automatically synchronized within the cluster. This enhancement adds a new setting BIGIP_DEVICE_GROUP, and the F5 iControl REST API model was changed to read the value for this setting and, if a value is set, update the specified device group. The routing daemon can now be configured to initiate a configuration synchronization for a configured F5 BIG-IP device group. The routing daemon will initiate this synchronization at an interval specified with the existing UPDATE_INTERVAL setting (default value 5).
BZ#1227501
Although the routing daemon's F5 iControl REST API model used the value set for BIGIP_USERNAME in the routing daemon's configuration file for the `scp` command to upload temporary key and certificate files to the F5 BIG-IP host, it used the hard-coded user name "admin" for the `ssh` command to delete these temporary files. If a user name other than "admin" was configured for the F5 BIG-IP host, this caused the routing daemon to leave temporary files on the F5 BIG-IP host. This bug fix updates the F5 iControl REST API model to now consistently use the value of the BIGIP_USERNAME setting for all `ssh` and `scp` commands. As a result, the routing daemon now deletes the temporary files that it creates on the F5 BIG-IP host.
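An added sketch of the two routing-daemon fixes described in this chapter (BZ#1226061 and BZ#1227501), not the routing daemon's own code: every `scp` or `ssh` invocation goes through one helper that raises on a non-zero exit status, and both commands take their login from the same `BIGIP_USERNAME` value. The `host` key, the helper names, and the sample paths and host name are assumptions made for the illustration.

```ruby
require 'open3'
require 'shellwords'

# Raised when a remote copy or cleanup command does not exit with status 0.
class RemoteCommandError < StandardError; end

# Run argv directly (no local shell) and fail closed: a non-zero exit status
# or a command that cannot be started becomes an exception the caller can log.
def run_checked(argv)
  output, status = Open3.capture2e(*argv)
  return output if status.success?
  raise RemoteCommandError,
        "#{argv.first} exited with status #{status.exitstatus}: #{output.strip}"
rescue Errno::ENOENT => e
  raise RemoteCommandError, "#{argv.first} could not be started: #{e.message}"
end

# Single source for the login, so upload and cleanup cannot drift apart.
# 'host' is a hypothetical key; BIGIP_USERNAME is the setting named above.
def remote_target(conf)
  "#{conf.fetch('BIGIP_USERNAME')}@#{conf.fetch('host')}"
end

def upload_argv(conf, local_path, remote_path)
  ['scp', '-q', local_path, "#{remote_target(conf)}:#{remote_path}"]
end

def cleanup_argv(conf, remote_path)
  # ssh hands the remote command to the remote shell as one string,
  # so the path is escaped for that shell.
  ['ssh', remote_target(conf), "rm -f -- #{Shellwords.escape(remote_path)}"]
end

# Upload a temporary key or certificate, run the caller's block, and always
# attempt the cleanup afterwards. A failed upload raises before the block runs.
def with_staged_file(conf, local_path, remote_path, runner: method(:run_checked))
  runner.call(upload_argv(conf, local_path, remote_path))
  begin
    yield
  ensure
    runner.call(cleanup_argv(conf, remote_path))
  end
end

# Constructed demo: record the commands instead of contacting a real host.
demo_conf = { 'BIGIP_USERNAME' => 'svc-openshift', 'host' => 'bigip.example.test' }
recorded = []
with_staged_file(demo_conf, '/tmp/app.key', '/var/tmp/app.key',
                 runner: ->(argv) { recorded << argv }) { recorded << ['(install key)'] }
recorded.each { |argv| puts argv.join(' ') }

# Constructed stand-in for a failing scp: the failure surfaces as an exception.
begin
  run_checked(['sh', '-c', 'echo "Permission denied" >&2; exit 1'])
rescue RemoteCommandError => e
  puts "logged: #{e.message}"
end
```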

Security

BZ#1205616
A flaw was found in the Jenkins API token-issuing service. The service was not properly protected against anonymous users, potentially allowing remote attackers to escalate privileges.
BZ#1205620
It was found that the combination filter Groovy script could allow a remote attacker to potentially execute arbitrary code on a Jenkins master.
BZ#1205622
It was found that when building artifacts, the Jenkins server would follow symbolic links, potentially resulting in disclosure of information on the server.
BZ#1205623
A denial of service flaw was found in the way Jenkins handled certain update center data. An authenticated user could provide specially crafted update center data to Jenkins, causing plug-in and tool installation to not work properly.
BZ#1205615
Two cross-site scripting (XSS) flaws were found in Jenkins. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Jenkins.
BZ#1205625
It was found that Jenkins' XPath handling allowed XML External Entity (XXE) expansion. A remote attacker with read access could use this flaw to read arbitrary XML files on the Jenkins server.
BZ#1205627
It was discovered that the internal Jenkins user database did not restrict access to reserved names, allowing users to escalate privileges.
BZ#1205632
It was found that Jenkins' XML handling allowed XML External Entity (XXE) expansion. A remote attacker with the ability to pass XML data to Jenkins could use this flaw to read arbitrary XML files on the Jenkins server.

Chapter 5. RHBA-2015:1463 - OpenShift Enterprise 2.2.6 Bug Fix and Enhancement Update

OpenShift Enterprise 2.2.6 is now available with updates to packages that fix several bugs and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/RHBA-2015-1463.html for more information.

Important

See the OpenShift Enterprise 2.2 Release Notes for instructions on how to apply this asynchronous errata update.
This update addresses the following bug fixes and enhancements:

Cartridge

BZ#1212583
The Passenger rubygem previously prespawned on the local 127.0.0.1 IP address. As a result, an error was reported at startup in the Ruby log. This bug fix updates Passenger to connect in prespawn to the proper gear IP address, and as a result prespawn functions properly and no error is reported in the logs at startup.

Logging

BZ#1222953
If a blank line was inserted between options in the logshifter configuration file, any options after the first blank line were not parsed. This bug fix updates logshifter to allow for blank lines when reading configuration, and as a result configuration is parsed when blank lines are present.

Broker

BZ#1218049
Previously, when a node containing a head gear for a scaled application was lost and the gear could not be recovered, running the oo-admin-repair tool still attempted to recover the gear. The tool then reported an error and the gear was not recovered, but changes were made to the broker's database. As a result, running the tool again reported all gears had been recovered, even though the head gear still did not exist. This bug fix updates oo-admin-repair to distinguish applications with lost head gears from regular lost gears from scaled applications. The tool now offers to delete any applications with lost head gears, informing the administrator to first re-create such applications from source or recent backups and move any existing alias before proceeding.
BZ#1217588
When moving multiple gears with the oo-admin-move command, the command would previously fail if a single gear could not be found by the provided UUID. Additionally, failures and source server identities were not reported properly in JSON when the --json option was specified. This bug fix updates the command to report an error individually for each gear unable to be found. The rest of the valid gears are still moved properly. JSON output also now includes source server identities, and failures while the --json option is specified are reported in JSON.
BZ#1221786
When implementing a custom billing provider, the usage_account_id field must be set for tracked users. Previously, there was no tool to set the usage_account_id field, and the database had to be modified manually to set this field. With this enhancement, administrators can now use the oo-admin-ctl-user command with the --setusageaccountid option to set the usage_account_id field for users without direct modifications to the database.
BZ#1217587
Previously, all oo-admin-ctl-district commands required that the district name or UUID was specified. This made performing actions on multiple node hosts using oo-admin-ctl-district impossible if they were not in the same district. Additionally, finding the district a node host belonged to was difficult, requiring the administrator to sift through all district node hosts. This bug fix updates oo-admin-ctl-district to allow the district not to be specified for numerous actions; the district can still be specified manually with --uuid or --name options. As a result, the oo-admin-ctl-district command now searches for the correct district if no district is specified, and administrators can additionally perform actions on numerous node hosts across multiple districts.
BZ#1207300
In some cases, it is necessary to use cartridge IDs when activating or deactivating cartridges. As there was no easy way to obtain the cartridge IDs without directly accessing the broker's database, this enhancement updates the 'oo-admin-ctl-cartridge -c list' command to enable cartridge IDs to be displayed by using the --all option.
BZ#1191238
The oo-admin-ctl-app command did not allow specifying a namespace when performing actions on applications. If two applications owned by the same user under two different domains had the same name, it was impossible to perform actions on one of the applications using oo-admin-ctl-app. This bug fix updates oo-admin-ctl-app to allow the namespace of an application to be specified for actions. As a result, any application can be manipulated using oo-admin-ctl-app, even if another application exists under a different domain for the same user.
BZ#1212020
In the /etc/openshift/routing-daemon.conf file, if the MONITOR_TYPE parameter for the F5 routing daemon listener is set to 'https', an 'https-ecv' type monitor was created. When the monitor was to be deleted, a type of 'https' was expected when the type was actually 'https-ecv', returning a 400 error. This bug fix updates the routing daemon such that when 'https' is specified as the MONITOR_TYPE, it expects the monitor to be deleted to have a type of 'https-ecv'. As a result, monitors created with a configured MONITOR_TYPE of 'https' or any other type can be successfully deleted.
BZ#1145344
Previously, administrators could not manage domain membership and could only instruct users to perform domain membership actions themselves using the OpenShift client tools. This enhancement updates the oo-admin-ctl-domain command so that administrators can now use the add_member, remove_member, update_member, and list_members subcommands to manage domain membership for users directly.
BZ#1094454
When attempting to use an alternative cache store for the broker or console, the Gemfile must be modified. The Gemfile is not marked as a configuration file in the respective RPMs, and any changes can be overwritten on updates. This enhancement enables additional gems to be loaded into the broker or console Rails environments by utilizing the ADDITIONAL_GEMS parameter in the /etc/openshift/broker.conf or /etc/openshift/console.conf file, respectively. The broker or console service must be restarted for the change to take effect. As a result, additional gems can be loaded into the broker or console environments without the need to modify Gemfiles and without losing this configuration change upon update or upgrade.
BZ#1210489
A feature was previously added, but never fully implemented, to allow an application to be made highly-available (HA) at creation. When an application is made HA and MANAGE_HA_DNS=true in the /etc/openshift/broker.conf file, the HA routing DNS is created twice. Then, it is created again whenever another HAProxy instance is added. This works without issue when the nsupdate DNS plug-in is used because nsupdate has no problem updating an existing record to the same existing record. However, when other DNS plug-ins, such as a plug-in that makes HTTP requests to manage DNS, attempted to add the same entry twice, an error could be returned. Since the feature to allow an application to be made HA on creation was never fully implemented, the addition of a routing DNS during gear creation has been removed and disabled. As a result, the routing DNS is only registered once, when the application is made HA through the appropriate API call workflow.

Node

BZ#1216223
Administrators who wish to maintain a particular version of JBoss EAP can subscribe to version-specific channels (e.g., 6.4) using RHN Classic or Red Hat Subscription Management (RHSM). OpenShift Enterprise must support this configuration, and part of that includes validating that the correct channel subscription and priorities are set. This is automated by running the oo-admin-yum-validator tool, thus oo-admin-yum-validator must be updated to handle all available JBoss EAP channels typical for OpenShift Enterprise installations. This enhancement updates oo-admin-yum-validator, which can now automatically detect appropriate roles for systems that have particular JBoss EAP channel subscriptions enabled, and can automatically configure JBoss EAP 6.4 channel subscriptions when the --role=node-eap-6.4 argument is specified on the command line.
BZ#1216220
The oo-snapshot command, which is a wrapper for '/usr/bin/gear snapshot', reports an unhelpful error when used outside of a gear environment. This bug fix updates /usr/bin/gear to report an error stating it should only be run inside of a gear when necessary environment variables are not defined. As a result, oo-snapshot reports the same error when run outside of a gear.
BZ#1202705
When a message came through rsyslog from a gear with a new UID, the mmopenshift plug-in set the metadata keys and values in cache for each environment variable specified in the template. If an environment variable was not present at this time, the key would not be created and stored in the metadata cache. This bug fix updates the mmopenshift plug-in so that on every message, if a key expected to be present in the metadata cache is not present, the plug-in checks for the environment variable. If the environment variable exists, the plug-in sets the metadata key to the value of the environment variable. Otherwise, it checks again on the next message. As a result, new gears from a scaled application may report a NULL namespace a few times until the OPENSHIFT_NAMESPACE environment variable is defined. Additionally, any other environment variables in the template will have the same checks. Note that all environment variables specified in the template are expected to be present for all applications. If an environment variable is specified that does not exist for an application, a slight performance degradation may be seen as the environment variable will be checked for on every message.
BZ#1136425
An organization's standardized deployments may enforce password aging for users by default. This made it possible for users to be unable to SSH to their gears after the password expired for the gear users. This bug fix updates nodes to allow administrators to set the DISABLE_PASSWORD_AGING parameter in the /etc/openshift/node.conf file on each node to disable password aging when creating gear users.
BZ#1214832
Previously when a bonded NIC was configured as the external interface for a node host, the network service was not started when the openshift-tc service was started. This was due to bonded NICs depending on the network service to be started, which would not start until after the openshift-tc service. This bug fix modifies the priority of the openshift-tc service on nodes to start after the network service by default. As a result, the openshift-tc service is able to start successfully on boot when a bonded interface is configured as the external interface; the network service is started first, initializing the bonded interface.

Upgrade

BZ#1172055
The openshift-origin-cartridge-php upgrade script previously did not properly upgrade existing cartridges with a version greater than 0.0.17; the Composer directory was not created, which broke Composer functionality. This bug fix updates the upgrade script to perform Composer migration steps on any cartridge with a version less than that used in OpenShift Enterprise release 2.2.6 (i.e., version 0.0.26.1). As a result, PHP cartridges existing before Composer features were added are able to use Composer after an upgrade.

Chapter 6. RHBA-2015:0779 - OpenShift Enterprise 2.2.5 Bug Fix and Enhancement Update

OpenShift Enterprise 2.2.5 is now available with updates to packages that fix several bugs and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/RHBA-2015-0779.html for more information.

Important

See the OpenShift Enterprise 2.2 Release Notes for instructions on how to apply this asynchronous errata update.
This update addresses the following bug fixes and enhancements:

Broker

BZ#1201485
The default gear placement algorithm did not properly distribute gear load in some district configurations. Some nodes would be ignored until other nodes filled up. This bug fix updates this logic, and gear load is now better distributed.
BZ#1206013
After starting the routing daemon service, operations using the oo-admin-ctl-routing tool would fail if the ruby193-rubygem-rest-client package was not installed. This was due to the rubygem-openshift-origin-routing-daemon package missing a dependency on the ruby193-rubygem-rest-client package. This bug fix updates the rubygem-openshift-origin-routing-daemon package to include this dependency, and the issue no longer occurs as a result.
BZ#1144894
Previously, application URLs were presented to developers as HTTP URLs only, for example when listing their applications using the client tools. This enhancement adds the ability for administrators to require that all applications advertise HTTPS URLs instead. This requires setting the APP_ADVERTISE_HTTPS parameter to "true" in the /etc/openshift/broker.conf file on brokers, then restarting the openshift-broker service.
BZ#1194035
This enhancement adds optional SSH key size validation for when developers add a new public key to their account. Administrators can configure this by setting the MINIMUM_SSH_KEY_SIZE parameter to the desired value in the /etc/openshift/broker.conf file on brokers, then restarting the openshift-broker service.
BZ#1182982
When using the oo-admin-move tool, attempting to move a gear failed and the operation was rolled back if the network interface eth0 on the node did not have an IP address. This bug fix updates Facter on nodes to ensure the interface specified in the EXTERNAL_ETH_DEV parameter in the /etc/openshift/node.conf file is identified as the active interface. As a result, gears are able to move successfully.
BZ#1202511
When checking for stale SSH keys and environment variables to repair, previously the oo-admin-repair tool on brokers did not check in user domains where there were no existing applications. This bug fix updates this logic so that domains without existing applications are now also checked, and as a result all stale SSH keys and environment variables are repaired as expected.
BZ#1199901
Previously if the routing daemon was configured for use with F5 BIG-IP LTM® and was configured to create monitors, errors occurred while creating scalable applications when the process attempted to create monitors. This was due to a bug in the routing daemon. This bug fix updates the routing daemon to address these issues, and as a result these errors no longer occur. Additionally, the routing daemon now reports error messages from F5 in more situations rather than generic failure messages.
BZ#1199904
Previously if the routing daemon was configured for use with F5 BIG-IP LTM®, attempting to delete pools using the oo-admin-ctl-routing tool failed. This was due to a bug in the routing daemon. This bug fix updates the routing daemon and oo-admin-ctl-routing tool to address these issues, and as a result these errors no longer occur. Additionally, new commands have been added for listing the monitors associated with a given pool, associating an existing monitor with a pool, or disassociating a monitor from a pool (without deleting either the pool or the monitor). The tool's usage and built-in help text have also been made clearer, and the daemon has been made more resilient when the administrator makes changes to monitors in F5's configuration while the daemon is running.
BZ#1199903
Previously if the routing daemon was configured for use with F5 BIG-IP LTM® and was configured to create monitors or assign an existing monitor to new pools, errors occurred while deleting a scalable application when the process attempted to delete the associated monitor. This was due to a bug in the routing daemon. This bug fix updates the routing daemon to address these issues, and as a result these errors no longer occur. Additionally, the routing daemon now reports error messages from F5 in more situations rather than generic failure messages.
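For BZ#1194035 above, the following added example (not the broker's own code) shows what a key size check has to do: decode the OpenSSH public key blob and measure the RSA modulus or DSA prime rather than trusting the label in front of it. It assumes the minimum is expressed in bits; the function names and the sample keys (synthetic integers, not real key material) are constructed for illustration.

```ruby
# Added example (not OpenShift code): measure the size of an OpenSSH public key
# and compare it with a minimum, as a MINIMUM_SSH_KEY_SIZE-style check might.

class KeyFormatError < StandardError; end

# Read one RFC 4251 "string": a 4-byte big-endian length, then that many bytes.
def read_ssh_string(blob, offset)
  raise KeyFormatError, 'truncated length field' if offset + 4 > blob.bytesize
  len = blob.byteslice(offset, 4).unpack('N').first
  start = offset + 4
  raise KeyFormatError, 'truncated field body' if start + len > blob.bytesize
  [blob.byteslice(start, len), start + len]
end

# Bit length of an RFC 4251 mpint (big-endian two's complement).
def mpint_bits(bytes)
  raise KeyFormatError, 'negative mpint' if !bytes.empty? && bytes.getbyte(0) >= 0x80
  bytes.unpack('H*').first.to_i(16).bit_length
end

# Returns the key size in bits for RSA and DSA keys, nil for other key types.
def ssh_key_bits(line)
  type, b64 = line.to_s.strip.split(/\s+/, 3)
  raise KeyFormatError, 'missing key data' if b64.nil?
  begin
    blob = b64.unpack('m0').first # strict base64: raises on stray characters
  rescue ArgumentError
    raise KeyFormatError, 'key data is not valid base64'
  end
  inner_type, pos = read_ssh_string(blob, 0)
  # The type stored inside the blob must agree with the label in front of it.
  raise KeyFormatError, 'key type mismatch' unless inner_type == type
  case type
  when 'ssh-rsa' # fields: e, n; the size is that of the modulus n
    _e, pos = read_ssh_string(blob, pos)
    n, = read_ssh_string(blob, pos)
    mpint_bits(n)
  when 'ssh-dss' # fields: p, q, g, y; the size is that of the prime p
    p_field, = read_ssh_string(blob, pos)
    mpint_bits(p_field)
  end
end

# minimum_bits stands in for the configured minimum (assumed to be in bits).
# Returns :accepted, :too_small, :unsupported (type not measured here) or :malformed.
def check_key_size(line, minimum_bits)
  bits = ssh_key_bits(line)
  return :unsupported if bits.nil?
  bits >= minimum_bits ? :accepted : :too_small
rescue KeyFormatError
  :malformed
end

# --- Helpers that build constructed sample keys (synthetic numbers only) ---

def ssh_string(bytes)
  [bytes.bytesize].pack('N') + bytes.b
end

def mpint(int)
  hex = int.to_s(16)
  hex = "0#{hex}" if hex.length.odd?
  bytes = [hex].pack('H*')
  bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80 # keep the value positive
  ssh_string(bytes)
end

def sample_key_line(type, *ints)
  blob = ssh_string(type) + ints.map { |i| mpint(i) }.join
  "#{type} #{[blob].pack('m0')} constructed@example"
end

if __FILE__ == $PROGRAM_NAME
  [1024, 2048].each do |bits|
    line = sample_key_line('ssh-rsa', 65_537, (1 << (bits - 1)) | 1)
    puts "#{bits}-bit RSA sample vs minimum 2048: #{check_key_size(line, 2048)}"
  end
end
```

Key types other than RSA and DSA are reported as :unsupported here because their sizes are not comparable with an RSA-oriented minimum.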

Cartridge

BZ#1202509
This enhancement adds the OPENSHIFT_POSTGRESQL_CONFIG environment variable for the PostgreSQL cartridge, which allows developers to specify additional configuration lines for inclusion in the postgresql.conf file. For example, developers can now use this environment variable to enable execution statistics:

# rhc set-env OPENSHIFT_POSTGRESQL_CONFIG="shared_preload_libraries = 'pg_stat_statements';pg_stat_statements.track = all"

Note the required ";" separating each setting when listing multiple configuration lines. After applying this update, a cartridge upgrade is required. If enabling execution statistics, developers must also restart their application after setting OPENSHIFT_POSTGRESQL_CONFIG.
BZ#1197873
For applications using the Cron cartridge, cron jobs have a default timeout of 20 minutes. This enhancement adds the ability for administrators to configure this global timeout value. Administrators can configure this by creating a /etc/openshift/cron/limits file on each node, and setting a MAX_RUN_TIME parameter in that file to the desired value, such as "10m" for ten minutes. The value must be in a format acceptable to the timeout command: use "s" for seconds, "m" for minutes, "h" for hours, or "d" for days. After applying this update, a cartridge upgrade is required.
BZ#1202507
Previously in applications with a PostgreSQL cartridge, the PostgreSQL server would fail to start if the OPENSHIFT_POSTGRESQL_SSL_ENABLED environment variable was set to "true" and the server.key and server.crt files were not located in the $PGDATA/data directory. This bug fix updates the PostgreSQL cartridge to check these file locations during start up if OPENSHIFT_POSTGRESQL_SSL_ENABLED is set to "true". If they exist, SSL is enabled. Otherwise, the PostgreSQL server starts up normally but SSL is not enabled. After applying this update, a cartridge upgrade is required.
BZ#1176649
When running the "git push" command for applications with a Jenkins Client cartridge, it was possible for developers to experience "502 Proxy Error" and "Deployment Halted" messages during the build process, even when the deployment actually succeeded. These messages were potentially confusing to developers trying to investigate the issue. This bug fix updates the Jenkins Client cartridge to use the Ruby Net::HTTP library to easily retry requests and correctly interpret responses. As a result, the Jenkins Client cartridge now gracefully handles errors and provides more informative messages. After applying this update, a cartridge upgrade is required.
BZ#1202510
When using the Ruby cartridge, environment variables and their values were displayed on error pages to users when Phusion Passenger failed, containing potentially sensitive information. These pages are known as "friendly error pages", and by default in Passenger are not supposed to be revealed when the Rails environment is set to "staging" or "production". However, even though the cartridge default was set to "production", these pages still appeared. This bug fix updates the Ruby cartridge to include additional logic to ensure that the friendly error pages are disabled by default, unless the Rails environment has been set specifically to "development". After applying this update, a cartridge upgrade is required.
BZ#1202499
This enhancement adds the OPENSHIFT_MYSQL_MAX_ALLOWED_PACKET environment variable for the MySQL cartridge, which allows developers to optionally set the max_allowed_packet MySQL variable. After applying this update, a cartridge upgrade is required. Developers must also restart their application for any changes made using OPENSHIFT_MYSQL_MAX_ALLOWED_PACKET to take effect.
BZ#1202514
Previously, when using the "--from-code=empty" option to create an application with an empty Git repository, the application would fail to create if a database cartridge was also specified in the request. This bug fix updates the creation logic, and as a result applications can be successfully created in this scenario.
BZ#1202500
For applications using the PHP cartridge, previously the apc.shm_size value was calculated incorrectly. Memory was being divided by 16 instead of by 8. This bug fix updates the PHP cartridge, and as a result the apc.shm_size value is now calculated correctly. After applying this update, a cartridge upgrade is required.

Command Line Interface

BZ#1187806
When using a client certificate configuration on brokers, such as mutual SSL or x509 authentication, REST API requests to the broker from the client tools would fail. This was due to the requests not including authentication credentials, as the client tool had the "no_auth" request variable hard-coded to "true". This bug fix updates the client tools to add the "always_auth" option to the client tools configuration file (the ~/.openshift/express.conf or ~/.openshift/servers.yml file). This option defaults to "false", yielding the original behavior; when set to "true", the client tools use an authenticated connection for all requests. As a result, this allows the client tools to now fully communicate with the broker as expected when using a client certificate configuration on brokers.
BZ#1203435
Previously when running the "rhc setup" command with the "--ssl-client-key-file" option, the configuration for the SSL client key file was not written to the ~/.openshift/servers.yml file. Additionally, while using the "rhc server add" command with the "--ssl-client-key-file" option successfully wrote the key file to the servers.yml file, the output for the "rhc server list" command did not list the key file information. This bug fix updates the client tools to ensure the key file configuration is written and listed in these scenarios, and as a result adding key files with the client tools now works as expected.

Installer

BZ#1198409
Previously, the package dependency version specifier for the NodeJS mkdirp package was too specific. This caused the nodejs010-nodejs-express package to not install on systems where the NodeJS mkdirp package would satisfy the dependency, but which had a more recent version than what was specified in the package dependencies. This prevented the NodeJS cartridge dependencies from being satisfied, thus preventing the NodeJS cartridge from installing. This bug fix changes the NodeJS mkdirp dependency version specifier to correctly include versions greater than or equal to 0.3.4. As a result, the nodejs010-nodejs-express package no longer fails to install, and the NodeJS cartridge now installs properly.

Node

BZ#1202515
In certain situations, such as pre- and post-receive hooks, the presence of gems in a gear's $GEM_HOME environment variable previously could break /usr/bin/gear subcommands. This was due to the user-supplied gems in $GEM_HOME overriding the OpenShift-provided ones, potentially causing exceptions. This bug fix updates the node logic to explicitly set GEM_HOME to '' for the /usr/bin/gear command and Ruby SDK to protect them from running with user-supplied gems. As a result, exceptions are no longer raised during a "git push" in this scenario.
BZ#1134206
Previously, Jenkins slave (or builder) gears were incorrectly restarted by Watchman after 15 minutes, or after the interval set in the STATE_CHANGE_DELAY parameter in the /etc/sysconfig/watchman file on nodes. This was due to Watchman not including the builder processes in its gear process list. This bug fix adds a condition to prevent Watchman from excluding the builder processes, and as a result Jenkins slave gears are no longer incorrectly restarted in this way.
BZ#1202512
Previously, gears stopped by administrators using the "oo-admin-ctl-gears stopgear" command would always be restarted by a subsequent "oo-admin-ctl-gears startall" command or the next time the node was rebooted. In certain situations, this could be undesirable depending on the node capacity. This enhancement adds an additional command, "oo-admin-ctl-gears stoplockgear", which allows administrators to stop a gear and add a .stop_lock file. The presence of a .stop_lock file ensures that the gear does not start during operations that take .stop_lock files into account, such as "oo-admin-ctl-gears startall", or after a node reboot. A message explaining why the gear should not be started in the future can also be written to the .stop_lock file using the "--message" option with the command.
BZ#1202513
Watchman's JBoss plug-in would previously fail with an "invalid byte sequence in UTF-8" error if a JBoss log contained ISO-8859-1 bytes which were not valid UTF-8, such as the string "\xe9". This was due to the plug-in opening files in a way that only worked as long as the byte sequences were valid UTF-8. This bug fix updates the plug-in to instead open files in binary mode, which supports regex matching on all encodings. As a result, the plug-in no longer produces these errors.
BZ#1179006
Previously, it was possible for the MCO cartridge_list RPC call to fail with an "Invalid Request Data" error when custom cartridges were installed. This was due to erroneous cartridge index entries being created. This bug fix updates the node logic, and as a result the RPC call now returns as expected.
BZ#1200096
When gear archiving was enabled on nodes using the ARCHIVE_DESTROYED_GEARS parameter, previously archives could be erroneously deleted during the archiving process if it encountered a "recoverable" error. For example, this could happen if a file changed while it was being archived. Additionally, gear archiving could fail if the default compression algorithm, bz2, exceeded the MCollective agent timeout value. This bug fix updates the archiving logic to not delete broken archives, and adds the ARCHIVE_DESTROYED_GEARS_COMPRESSION parameter to the /etc/openshift/node.conf file on nodes. This new parameter allows administrators to set their preferred compression algorithm; valid options are "bzip2", "gzip", or "none". As a result, broken archives are still available for debugging purposes, and timeouts while archiving are less likely to occur.
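For BZ#1202513 above, the following added example (not Watchman's code) reproduces the failure mode and the fix in Ruby: a log line containing the ISO-8859-1 byte 0xE9 makes a regex match raise when the file is read as UTF-8, while the same match succeeds when the file is opened in binary mode. The log lines and the pattern are constructed; the page does not list the expressions the plug-in uses.

```ruby
require 'tempfile'

# Hypothetical pattern standing in for whatever the plug-in searches for.
# It is ASCII-only, so it can be matched against binary (ASCII-8BIT) strings.
PATTERN = /OutOfMemoryError/

# Constructed JBoss-style log. The second line contains the single byte 0xE9
# ("e" with acute accent in ISO-8859-1), which is not valid UTF-8 on its own.
SAMPLE_LOG = [
  "12:00:01,100 INFO  [org.jboss.as] JBoss started\n",
  "12:00:02,200 ERROR [stderr] caf\xE9: java.lang.OutOfMemoryError: Java heap space\n",
  "12:00:03,300 INFO  [org.jboss.as] JBoss stopped\n"
].map(&:b).join.freeze

# Write the constructed log to a temporary file, yield its path, then remove it.
def with_sample_log
  Tempfile.create('jboss-sample') do |f|
    f.binmode
    f.write(SAMPLE_LOG)
    f.flush
    yield f.path
  end
end

# Count the lines that match PATTERN, opening the file with the given mode.
def count_matches(path, mode)
  File.open(path, mode) do |f|
    f.each_line.count { |line| line =~ PATTERN }
  end
end

# Text mode with UTF-8 as the external encoding: the match on the second line
# raises ArgumentError, so the scan never reaches a result. The error message
# is returned instead of a count to make the failure visible.
def scan_as_utf8(path)
  count_matches(path, 'r:UTF-8')
rescue ArgumentError => e
  e.message
end

# Binary mode: lines are ASCII-8BIT byte strings, every byte sequence is valid,
# and the ASCII-only pattern matches regardless of the log's real encoding.
def scan_as_binary(path)
  count_matches(path, 'rb')
end

if __FILE__ == $PROGRAM_NAME
  with_sample_log do |path|
    puts "UTF-8 text mode: #{scan_as_utf8(path).inspect}"
    puts "binary mode:     #{scan_as_binary(path).inspect}"
  end
end
```

A pattern that itself contains non-ASCII characters would not be compatible with binary strings, so this approach relies on the search expressions staying ASCII-only.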

Chapter 7. RHBA-2015:0220 - OpenShift Enterprise 2.2.4 Bug Fix and Enhancement Update

OpenShift Enterprise 2.2.4 is now available with updates to packages that fix several bugs and introduce a feature enhancement. See the errata advisory at https://rhn.redhat.com/errata/RHBA-2015-0220.html for more information.

Important

See the OpenShift Enterprise 2.2 Release Notes for instructions on how to apply this asynchronous errata update.
This update addresses the following bug fixes and enhancements:

Broker

BZ#1185456
Gear UUID validation rules did not account for predictable UUIDs, so upgrades of gears using predictable UUIDs failed with validation errors. This bug fix updates UUID validation rules to account for predictable UUIDs. As a result, gears using predictable UUIDs are now upgraded properly.
BZ#1172495
The oo-accept-broker command did not test DNS using absolute domain names, for example those ending in ".". Under certain DNS configurations, this issue could produce incorrect test results. This bug fix updates the oo-accept-broker command to now test for absolute domain names, avoiding problems associated with relative DNS search results. As a result, the oo-accept-broker command's DNS tests are now more accurate.
BZ#1134578
RPM packaging did not ghost log files properly. Removing the broker, node, or console packages would remove log files. This bug fix updates RPM packaging to ensure that log files are not removed when the packages are removed. As a result, log files are preserved when removing broker, node, or console packages.
BZ#1168994
The required routing notifications were not sent when an application deployment was rolled back. This issue meant HA routing tier nginx configurations could be left in a broken state. This bug fix ensures that the required routing notifications are now sent when an application deployment is rolled back. As a result, application deployment roll backs now safely remove nginx configuration items.
BZ#1186171
A bug in the HA routing daemon prevented certificates from being copied to F5 BIG-IP LTM hosts. This bug fix updates the routing daemon to properly copy certificates to BIG-IP LTM hosts.
BZ#1163917
RPM packaging did not properly mark the /var/www/openshift/broker/httpd/broker.conf and /var/www/openshift/broker/httpd/httpd.conf files as configuration files. As a result, these files were overwritten on broker upgrades, losing local changes. This bug fix updates RPM packaging to now mark these files as configuration files. If an administrator has modified the contents of these files, those changes are preserved in files suffixed with ".rpmsave". However, Red Hat advises against modifying these files.
BZ#1187047
The "oo-admin-ctl-routing delete-alias" command did not delete SSL certificates, and alias certificates were not removed when deleting an alias as a result. This bug fix updates the command to now remove alias certificates, and this issue no longer occurs as a result.

Cartridge

BZ#1170136
Zend OPcache is now enabled by the PHP 5.4 cartridge by default. This enhancement significantly improves PHP execution time by storing compiled PHP bytecode in memory. As a result, PHP applications now execute more quickly and the PHP OPcache can consume up to 1/8th of the gear memory. This can be adjusted using the OPENSHIFT_PHP_OPCACHE_MEMORY_CONSUMPTION setting.
BZ#1185453
A bug in environment variable parsing led to JBoss EAP and JBoss EWS server.xml files being removed when environment variables contained white space. This issue caused Tomcat to fail to start up. This bug fix updates environment variable handling to handle white space properly. As a result, environment variables with white space no longer break JBoss EAP and JBoss EWS applications.
BZ#1157767
The Perl cartridge would not deploy when a module was included in an application that was neither pre-installed nor in CPAN. This issue caused Perl applications with local modules to not deploy properly. This bug fix updates the Perl cartridge to warn when a requested module is not pre-installed or available from CPAN. As a result, applications with local modules deploy properly if the module is provided in the application repository.
BZ#1181916
Configuration templates did not account for the max_prepared_transactions PostgreSQL setting, which caused the setting to not be set when using the OPENSHIFT_POSTGRESQL_MAX_PREPARED_TRANSACTIONS environment variable. This bug fix updates configuration templates to ensure the PostgreSQL configuration matches the environment variable. As a result, if the environment variable is set, the PostgreSQL configuration honors that value at restart. If the environment variable is not set, the value is zero.
BZ#1176507
Previously, the JBoss EAP cartridge incorrectly removed the Maven settings.xml file during a "force clean build". This bug fix updates the JBoss EAP cartridge to no longer remove this file during a "force clean build", and the Maven configuration is no longer lost as a result.
BZ#1176491
The PHP cartridge attempts to update PHP Pear channels on application deployment. This issue caused nodes that could not reach PHP Pear channels to fail to deploy PHP applications. This bug fix ensures that PHP Pear channel updates are no longer treated as critical errors blocking deployment, and nodes that cannot reach PHP Pear channels now deploy PHP applications as expected.

Installer

BZ#1181705
The yum-plugin-priorities package available in the OpenShift Enterprise Node and Infrastructure channels was out of date compared to other yum-utils packages. This bug fix updates the yum-plugin-priorities package, and the package is now in sync with other yum-utils packages.

Administration Console

BZ#1153287
The Administration Console was not capable of displaying multiple applications with the same alias. This bug fix updates the Administration Console to display all applications with the same alias. As a result, applications with the same alias are now displayed properly.

Node

BZ#1172548
The oo-last-access command created a table of known gears to assess by looking for entries that looked like gear UUIDs in the /var/lib/openshift directory. However, gears with UUIDs created with the USE_PREDICTABLE_GEAR_UUIDS="true" setting were not added to the table, and their log entries were therefore not counted. This issue caused the idler to count these gears as idle, despite recent activity, and stop them. This bug fix updates the logic for populating the table of gears to now include all gears. As a result, web access prevents gears from idling as intended.
BZ#1122141
HA applications erroneously created front end entries for the application FQDN. This issue caused the oo-accept-node command to fail and entries to not be cleaned up on application deletion. This bug fix ensures that, rather than creating a front end entry, an alias is now created to the second HA front end. As a result, the oo-accept-node command no longer fails and there is no need to clean up additional front end entries on application deletion.
BZ#1165719
If a downloaded cartridge used the same name as a cartridge in the node repository, the oo-accept-node command did not properly validate downloaded cartridges. Because of this issue, downloaded cartridges could not be added to Jenkins servers if the name matched a cartridge in the repository. This bug fix updates the oo-accept-node command to inspect the installed cartridge rather than the cartridge from the repository. As a result, downloaded cartridges are now configured properly for Jenkins installation.
BZ#1168418
The disable_auto_scaling marker does not take effect until the HAProxy has been restarted, meaning auto-scaling is not actually disabled until the HAProxy gear has been restarted. To avoid confusion for users, this bug fix adds a notice which is provided to users when pushing the disable_auto_scaling marker. As a result, users are now advised that they must restart their HAProxy gear to properly disable auto-scaling using a marker.
BZ#1171002
A bug in UUID validation prevented gears using predictable UUIDs from being relocated from non-districted nodes to districted nodes. This issue meant that gears using predictable UUIDs did not properly relocate. This bug fix updates UUID validation to account for predictable UUID logic, and as a result gears using predictable UUIDs can now be relocated from non-districted nodes to districted nodes.
BZ#889539
Because node hosts require several tuning changes in order to achieve best performance, a tuned profile called "openshift-node" is now available. This enhancement allows administrators to apply baseline tuning requirements by installing the tuned-profiles-openshift-node package on node hosts.

Chapter 8. RHBA-2015:0019 - OpenShift Enterprise 2.2.3 Bug Fix and Enhancement Update

OpenShift Enterprise 2.2.3 is now available with updates to packages that fix several bugs and introduce a feature enhancement. See the errata advisory at https://rhn.redhat.com/errata/RHBA-2015-0019.html for more information.

Important

See the OpenShift Enterprise 2.2 Release Notes for instructions on how to apply this asynchronous errata update.
This update addresses the following bug fixes and enhancement:

Broker

BZ#1165775
Previously, the oo-admin-ctl-team command did not parse uniqueMember LDAP attributes correctly. As a result, the command failed when administrators provided a full DN when specifying uniqueMember attributes. This bug fix updates the oo-admin-ctl-team command to split uniqueMember attributes at the first ',' character, and uniqueMember attributes can now contain a full DN.
BZ#1163473
Previously, binary deployments using an artifact_url with special characters in the URL would fail due to the artifact_url not being properly decoded. This bug fix updates the deployment process so that the artifact_url is properly URI encoded, and as a result this deployment scenario now works as expected.

Cartridge

BZ#1089967
The Ruby Bundler for ruby18 applications was out of date and had compatibility issues with rubygems.org. This issue caused ruby18 applications that used 'bundle install' to take prohibitively long to deploy. This bug fix updates Ruby Bundler, and as a result 'bundle install' now completes in a timely manner.
BZ#1170789
The Node.js cartridge was not configured properly on all possible cartridge upgrade paths. This issue made it possible for environments skipping intermediate updates to not have a properly configured Node.js deployment. This bug fix updates the Node.js cartridge so that all upgrade paths configure Node.js properly, and as a result this issue no longer occurs.
BZ#1170784
Due to a bug in the MySQL cartridge, the OPENSHIFT_MYSQL_VERSION environment variable was previously not set during MySQL cartridge updates in all cases. As a result, gears trying to use the variable may not have the expected value. This bug fix updates the MySQL cartridge to ensure that the variable is set in all cases, and as a result the variable now contains the expected value.

Command Line Interface

BZ#1154344
A node host's root user must have SSH keys in place in order to clone an application from a Git repository over SSH. However, it is not common for developers who are deploying applications to have the ability to deploy SSH keys to the root user. As a result, cloning applications over SSH is not supported. This bug fix updates the node logic to provide a more appropriate error message in this scenario indicating the developer should clone over a non-SSH protocol.

Installer

BZ#1166277
The subscription-manager package version 1.10.7 and higher now incorporates the "content override" feature, which typically requires network communication with a back-end server. As a result, certain oo-admin-yum-validator functions related to subscription-manager, which had previously only operated on the local file system in older subscription-manager versions, could now raise unhandled exceptions due to network failures. This bug fix wraps routines depending on subscription-manager in exception-handling blocks, and scripts which depend on the oo-admin-yum-validator command can now detect that it failed due to network errors. Administrators are now presented with a relevant error message instead of a confusing stack trace.
BZ#1167247
In a previous release, changes were made so that certain messages, in particular "exclude" suggestions made by the oo-admin-yum-validator command, contained improperly quoted portions. This issue could lead administrators to break their RHN configurations. This bug fix updates the logic for quoting parameters so that it can be enabled only when appropriate. As a result, these suggestions generated by the oo-admin-yum-validator command are now accurate.
BZ#1174486
Previously, attempting to upgrade puppet to version 3.x on node hosts would fail with dependency errors related to the version of facter shipped in the OpenShift Enterprise Node channel. This bug fix updates the oo-admin-yum-validator command's yum configuration suggestions to exclude the facter package, which is no longer used by OpenShift Enterprise. As a result, puppet can now be upgraded to version 3.x on node hosts.

Node

BZ#1171254
Watchman logs were previously named cgroups.log and cgroups-trace.log. This feature renames these files to watchman.log and watchman-trace.log, respectively, for increased clarity.
BZ#1169303
Previously, Watchman did not clean up empty front end configuration directories for scalable database gears. As a result, empty directories remained in place after applications had been deleted. This bug fix updates Watchman to now properly remove these directories in this case.
BZ#1173246
Previously, the Watchman OOM plug-in waited unnecessarily for pkill to exit, which could take a long time and block other tasks. This bug fix updates Watchman to now run pkill tasks in the background. As a result, Watchman now continues processing other tasks while pkill operations are processed in the background.
BZ#1173026
Previously, Watchman deleted front end configuration directories for secondary gears before the gears were removed. As a result, Watchman could yield a broken front end configuration. This bug fix updates Watchman to now only remove configuration directories which have no references in other configuration files, and Watchman no longer prematurely removes front end configurations for secondary gears.
BZ#1171257
The oo-admin-cartridge command did not return a proper exit status after cartridge installation failures. Scripted cartridge installation may have failed silently as a result. This bug fix updates the oo-admin-cartridge command to now only return 0 if at least one cartridge installed properly. As a result, scripts installing a single cartridge can now handle installation failures properly.

Chapter 9. RHBA-2014:1979 - OpenShift Enterprise 2.2.2 Bug Fix and Enhancement Update

OpenShift Enterprise 2.2.2 is now available with updates to packages that fix several bugs and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/RHBA-2014-1979.html for more information.

Important

See the OpenShift Enterprise 2.2 Release Notes for instructions on how to apply this asynchronous errata update.
This update addresses the following bug fixes and enhancements:

Broker

BZ#1168036
When using the routing daemon with an nginx router, requests made to the router at '/' were forwarded to the first configured high-availability application. This was due to a bug in the routing daemon. This bug fix updates the routing daemon to ensure such requests instead return a 404 status, and the requests are no longer incorrectly forwarded.
BZ#1168034
When using the routing daemon with an nginx router, duplicate entries pointing to the same endpoint could be created in the nginx routing configuration. This issue occurred when multiple applications with the same name were created under different domains, and was due to a bug in the routing daemon. As a result, "duplicate location" errors were reported when restarting the nginx service. This bug fix updates the routing daemon to no longer create /<app_name> endpoints in the nginx routing configuration. As a result, the nginx service no longer reports these errors when restarting.
BZ#1167707
When using the routing daemon, if the ActiveMQ service was restarted, the routing daemon did not reconnect to ActiveMQ automatically. The openshift-routing-daemon service had to be restarted as a result. This bug fix updates the routing daemon to now attempt to reconnect automatically after losing its ActiveMQ connection, and as a result this scenario no longer requires manual intervention.
BZ#1167625
When multiple hosts were specified with the ACTIVEMQ_HOST parameter in the /etc/openshift/routing-daemon.conf file, the routing daemon failed to start if ports were not specified along with the hosts. This was due to a bug in the routing daemon. This bug fix updates the routing daemon to define the ports for multiple ActiveMQ hosts whether specified with the ACTIVEMQ_HOST parameter or the ACTIVE_MQ_PORT parameter. As a result, the routing daemon now restarts successfully in this scenario.
BZ#1166729
When upgrading from OpenShift Enterprise 2.1 to 2.2, the Management Console was configured for the OpenShift Origin product branding instead of for OpenShift Enterprise. This bug fix updates the upgrade tool to set product branding configuration values properly, and as a result the OpenShift Enterprise branding is now used when upgrading to 2.2.
BZ#1166600
When using the routing daemon, duplicate entries were created in the nginx routing configuration when creating more than one scalable application. This was due to a bug in the routing daemon, and as a result, "duplicate location" errors were reported when restarting the nginx service. This bug fix updates the routing daemon to ensure these duplicate entries are no longer created, and the nginx service no longer reports these errors when restarting.
BZ#1166593
When using the routing daemon with an nginx router, duplicate nginx configuration files were created if a user uploaded an SSL certificate for an existing application alias. This was due to a bug in the routing daemon, and as a result, the application's SSL certificate was marked not trusted and nginx reported "conflicting server name" warnings. This bug fix updates the routing daemon to ensure these duplicate files are no longer created, and the issues no longer occur.
BZ#1166518
The openshift-routing-daemon service requires functions from the ruby-openshift-origin-common package; however, the rubygem-openshift-origin-routing-daemon package previously did not have its dependencies set accordingly. As a result, the openshift-routing-daemon service failed to start when the ruby-openshift-origin-common package was not installed. This bug fix updates the rubygem-openshift-origin-routing-daemon package to require the ruby-openshift-origin-common package, and as a result the service starts successfully.
BZ#1165606
The routing plug-in and routing daemon now support SSL connections to ActiveMQ. This allows administrators to encrypt ActiveMQ traffic to provide a higher level of security by enabling SSL connectivity between ActiveMQ and both the routing daemon and the routing plug-in. See the OpenShift Enterprise Deployment Guide for configuration details.
BZ#1158704
Due to a bug in the broker's controller library, DNS entries for high-availability applications were not created properly at creation time when using the broker REST API. This was inconsistent with the behavior when creating an application then performing the enable-ha or make-ha action on the existing application. This bug fix updates the controller, and as a result the DNS entries are created properly. After applying this update, the openshift-broker service must be restarted.
BZ#1158773
Previously, starting the openshift-routing-daemon service always returned successfully, which could be confusing to administrators under certain conditions. For example, if the routing daemon was configured to use nginx but nginx was not yet installed, the openshift-routing-daemon service would still start successfully, then report "no instances running" when checking the service's status. This was due to a bug in the routing daemon in which the exit code was not reported correctly. This bug fix updates the routing daemon to handle several edge cases, and the service now reports exit codes correctly. After applying this update, the openshift-routing-daemon service must be restarted.
BZ#1159277
Previously, administrators could set the SSL certificate capability for user accounts using the oo-admin-ctl-user tool with the --allowprivatesslcertificates option, but there was no default configuration setting for this capability. This enhancement adds the DEFAULT_ALLOW_PRIVATE_SSL_CERTIFICATES parameter to the /etc/openshift/broker.conf file on broker hosts. This parameter defaults to "false", but when "true" adds the SSL certificate capability to newly created user accounts. After applying this update, the openshift-broker service must be restarted for any changes to the DEFAULT_ALLOW_PRIVATE_SSL_CERTIFICATES parameter to take effect.
BZ#1159182
When using the routing daemon with an nginx router, nginx configuration files were created for non-scalable applications. However, these files were not necessary as the routing daemon only routes for scalable applications. In addition, a hard-coded prefix of "ha-" was added to configuration files for scalable applications when they did not have an alias configured, which could cause confusion. This bug fix updates the routing daemon to no longer create nginx configuration files for non-scalable applications. In addition, the /etc/openshift/routing-daemon.conf file now includes the HA_DNS_PREFIX parameter, which allows administrators to define a prefix for scalable applications, if desired. This prefix must match the prefix that is set in the HA_DNS_PREFIX parameter in the /etc/openshift/broker.conf file, as well.
BZ#1160860
Because nginx in Red Hat Software Collections 1.2 has been updated to version 1.6, this enhancement updates the routing daemon configuration defaults for nginx 1.6.
BZ#1155290
Due to a bug in broker gear placement during gear moves, the oo-admin-move command could fail at random by selecting a destination node in a different region than the gear started in. This bug fix updates the oo-admin-move command to filter potential destination nodes correctly by region.

Cartridge

BZ#1136706
The Jenkins cartridge requires that the unzip package be installed on the node host when creating a Jenkins Server application. Attempting to create the application with the unzip package not installed caused the creation to fail. This bug fix updates the Jenkins cartridge package to add the unzip package to its dependencies so that both packages are installed. As a result, creating Jenkins Server applications no longer fails in this way.
BZ#1155766
If a gear hosting the git repository for an application moved to another node, subsequent Jenkins clones would fail. This was due to the Jenkins git SSH wrapper checking Known Hosts. This bug fix updates the related call to remove Known Host checking. Other security methods built in to git provide sufficient protection against tampering. As a result, gears can now be moved freely and Jenkins builds are able to be triggered successfully. After applying this update, a cartridge upgrade is required.
BZ#1153666
An update to Python 2.7 dependencies caused some dependencies using C extensions to not run properly when using the Python 2.7 cartridge, and applications using the cartridge could return an Internal Server Error. This bug fix updates the Python cartridge to set the WSGIApplicationGroup directive to %{GLOBAL}, which forces a WSGI application to run within the first interpreter. As a result, applications using the cartridge are once again accessible. After applying this update, a cartridge upgrade is required.
BZ#1158851
Due to a bug in the cron cartridge, environment variables were not properly quoted. This could result in variables being set incorrectly when loaded by gear cron jobs. This bug fix updates the cron cartridge script that handles running the jobs, and as a result, variables are now set correctly. After applying this update, a cartridge upgrade is required.

Management Console

BZ#1156605
Previously, after adding a team as a "view" member to a domain, "admin" members for the same domain could not view the team in the Management Console. This bug fix updates the Management Console to address this issue, and as a result "admin" members of a domain can now view teams that are a member of the same domain in the Management Console.

Node

BZ#1161244
Previously, when determining the last access time for a gear, the oo-last-access command did not count access via application aliases. This caused the command to return inaccurate last access information. This bug fix updates the oo-last-access command to also check for access via application aliases, and as a result the command output is now more accurate.
BZ#1161623
Apache vhost configuration creation was not always handled in an atomic manner. In environments with a high number of concurrent front end modifications, invalid configuration files could be created. This bug fix makes Apache vhost configurations atomic by ensuring that concurrent modifications do not result in broken configuration files. As a result, concurrent application creation, updates, and deletion no longer result in broken Apache vhost configuration files. Additionally, a Watchman plug-in has been added to check for this type of error.
BZ#1163406
Apache vhost definitions for high-availability applications were not created on the second node front end. Requests to the second node host would not be routed to the application, resulting in 404 errors. This bug fix updates the Apache vhost plug-in to ensure definitions are now created for high-availability applications on the second node front end. As a result, requests to the second node host are now routed properly to the application.
BZ#1154763
Previously, the polyinstantiated /tmp directory could be removed by running the "rhc app tidy" command, causing the /tmp directory to no longer function properly. This bug fix updates the pam_openshift module to prevent this command from removing gear /tmp directories. The module also now ensures that permissions are correctly set on gear /tmp directories. After applying this update, the ruby193-mcollective service must be restarted.
BZ#1154063
Previously, attempting to restart a gear from within an SSH session failed with a permission error. This issue was due to the gear restart process using the oo-exec-ruby command, which used the rpm command to check the Ruby version. This bug fix updates the oo-exec-ruby command to use the "/usr/bin/ruby --version" command instead of the rpm command, and as a result gears can now be restarted successfully from within an SSH session.
BZ#1154649
While restoring a snapshot for a JBoss EWS or JBoss EAP application, it was possible for the restoration to time out due to unnecessary content being stored in the snapshot. This bug fix updates the JBoss EWS and JBoss EAP cartridges to ensure that temporary artifacts are no longer snapshotted to save space and time. As a result, the time outs no longer occur. After applying this update, a cartridge upgrade is required.
BZ#1154157
Due to a bug in the broker MCollective plug-in, confusing output was displayed to administrators when running the oo-admin-move command during a gear move. Specifically, the application name was used in output where the gear UUID should have been displayed. This bug fix updates the plug-in to properly display the gear UUID, and the confusing output is no longer displayed. After applying this update, the openshift-broker service must be restarted.
BZ#1162192
A bug in the oo-admin-ctl-gears tool prevented the forcestopgear command from killing all gear processes. As a result, the forcestopgear command could leave processes running. This bug fix updates the oo-admin-ctl-gears tool to ensure all processes are killed successfully.
BZ#1160562
Restarting the openshift-sni-proxy service did not call the oo-rebuild-haproxy-sni-proxy function, which is required to rebuild the HAProxy configuration. As a result, if SNI proxy plug-in configuration changes had been made, they were not reflected on a service restart. This bug fix updates the SNI proxy plug-in and now a rebuild of the configuration is initiated prior to startup when either starting or restarting the openshift-sni-proxy service.
BZ#1108254
Due to a bug in the node runtime, if a user hit the maximum number of environment variables set, they would no longer be able to update the variables. This bug fix improves error handling, and users can now update environment variables in this scenario. After applying this update, the ruby193-mcollective service must be restarted.

Chapter 10. RHSA-2014:1906 - OpenShift Enterprise 2.1.9 Bug Fix and Enhancement Update

OpenShift Enterprise 2.1.9 is now available with updates to packages that fix two security issues, several bugs, and introduce a feature enhancement. See the errata advisory at https://rhn.redhat.com/errata/RHSA-2014-1906.html for more information.

Important

See the following section of the OpenShift Enterprise 2.1 Release Notes for instructions on how to apply this asynchronous errata update:
This update addresses the following bug fixes and enhancement:

Broker

BZ#1092045
By default, when an application or cartridge creation fails, the gear creation is rolled back and the failed gear is destroyed. This default behavior makes it difficult to troubleshoot the root cause of gear failures if the available platform logs do not provide enough information. This enhancement backports an OpenShift Enterprise 2.2 feature to add the ARCHIVE_DESTROYED_GEARS and ARCHIVE_DESTROYED_GEARS_DIR broker configuration parameters, which enable the archiving of destroyed gears by specifying a storage directory. When enabled, this provides additional troubleshooting options to administrators investigating failed gear creations.
BZ#1149837
With the introduction of xPaaS cartridges in OpenShift Enterprise 2.1.7, it is now legitimate to have different sets of cartridges available per gear profile. This bug fix backports an OpenShift Enterprise 2.2 fix to update the oo-accept-systems command. Cartridge integrity checks by the command are now improved, including checking that all nodes in a profile supply a consistent set of cartridges.

Cartridge

BZ#1143991
Cartridge environment variables were created in new applications for TLS private ports but not for TLS public SNI proxy ports. This issue made it difficult to obtain application endpoint details that could be required by external services. This bug fix backports an OpenShift Enterprise 2.2 fix to expose the SNI proxy mapped ports as environment variables, and TLS public port information is now more readily available in new applications.

Installer

BZ#1163502
When Red Hat Enterprise Linux (RHEL) Server 6.6 was released, the ose-upgrade tool required an update for compatibility with the latest subscription-manager RPM package. Because the ose-upgrade tool ships with the openshift-enterprise-release package, adding the dependency in that package causes problems for administrators that maintain their own stream of RHEL 6. This bug fix updates the openshift-enterprise-release package to remove the explicit dependency on the subscription-manager package. As a result, the ose-upgrade tool now works with all RHEL 6 versions of the subscription-manager package.

Node

BZ#1159997
The oo-admin-ctl-iptables-port-proxy command uses the "iptables -L" command in several places, which by default attempts to reverse-resolve the IPs listed to host names. Because most of the IPs on an OpenShift Enterprise node are internal and have no host name associated, all configured name servers could be consulted once for each rule in the tables. If all name servers are appropriately configured, the "service openshift-iptables-port-proxy restart" command tends to take a few seconds. If any name servers are unreachable or slow in responding, resolving several thousand internal IPs was reported to take over an hour. This bug fix backports an OpenShift Enterprise 2.2 fix to add the -n flag to the iptables commands used by the oo-admin-ctl-iptables-port-proxy command. As a result, it no longer attempts to reverse-resolve IPs, which was unnecessary to begin with, and the "service openshift-iptables-port-proxy restart" command completes in sub-second timing under either condition.
BZ#1155794
Previously, there was a race condition when using the apache-vhost front-end server plug-in. If the "oo-httpd-singular graceful" command was run to incorporate one gear vhost update while another gear was creating its vhost configuration, the configuration was left in a bad state and the httpd service would not restart. As a result, the vhost configuration would cease being updated and newly-added gears would be unreachable via the vhost front-end server. If the httpd service was stopped, it would fail to start until the configuration was fixed. This bug fix backports an OpenShift Enterprise 2.2 fix to extend a lock around the call to the oo-httpd-singular command, and as a result the race condition no longer occurs.
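
An added Ruby example, not OpenShift's own code, of the two patterns behind BZ#1155794 above and BZ#1161623 in the 2.2.2 chapter: replacing a vhost file by temporary file plus rename so a reload never reads a partial file, and holding an exclusive lock around the change. The file names, lock path, and completeness check are assumptions, and the vhost text is constructed sample data.

```ruby
require 'tmpdir'
require 'securerandom'

# Hypothetical stand-in for "httpd can parse this file":
# every <VirtualHost ...> that is opened must also be closed.
def complete_vhost?(text)
  opens  = text.scan(/<VirtualHost\b/).size
  closes = text.scan(%r{</VirtualHost>}).size
  opens > 0 && opens == closes
end

# Unsafe pattern: truncate the live file and write it piece by piece.
# `observe` runs after the first chunk, modelling a reload that happens
# while the write is still in progress.
def naive_write(path, chunks, observe = nil)
  File.open(path, 'w') do |f|
    chunks.each_with_index do |chunk, i|
      f.write(chunk)
      f.flush
      observe.call if observe && i.zero?
    end
  end
end

# Safe pattern: build the file under a temporary name in the same directory,
# then rename it into place. A rename within one filesystem replaces the
# target atomically, so a reader sees the old file or the complete new one.
# The temporary name does not end in .conf, so a "*.conf" include skips it.
def atomic_write(path, chunks, observe = nil)
  tmp = File.join(File.dirname(path),
                  ".#{File.basename(path)}.#{SecureRandom.hex(4)}.tmp")
  begin
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o644) do |f|
      chunks.each_with_index do |chunk, i|
        f.write(chunk)
        f.flush
        observe.call if observe && i.zero?
      end
      f.fsync # data reaches disk before the final name points at it
    end
    File.rename(tmp, path)
  ensure
    File.unlink(tmp) if File.exist?(tmp) # clean up after a failed write
  end
end

# Serialise "change configuration, then reload" with an exclusive flock on a
# lock file, so a reload cannot run between another writer's steps.
def with_frontend_lock(lock_path)
  File.open(lock_path, File::RDWR | File::CREAT, 0o600) do |lock|
    lock.flock(File::LOCK_EX) # blocks until the current holder is done
    yield
  end # closing the file releases the lock
end

# Non-blocking probe: true while some other holder has the lock.
def frontend_locked?(lock_path)
  File.open(lock_path, File::RDWR | File::CREAT, 0o600) do |probe|
    got = probe.flock(File::LOCK_EX | File::LOCK_NB) # false if it would block
    probe.flock(File::LOCK_UN) if got
    !got
  end
end

# Run both writers in a scratch directory and record what a reload would
# have read in the middle of each write. All data here is constructed.
def demo
  old_conf = "<VirtualHost *:80>\n  ServerName old.example.test\n</VirtualHost>\n"
  chunks   = ["<VirtualHost *:80>\n  ServerName new.example.test\n",
              "</VirtualHost>\n"]
  Dir.mktmpdir('vhost-demo') do |dir|
    result = {}
    %i[naive atomic].each do |mode|
      path = File.join(dir, "#{mode}.conf")
      File.write(path, old_conf)
      seen = nil
      observe = -> { seen = File.read(path) }
      if mode == :naive
        naive_write(path, chunks, observe)
      else
        atomic_write(path, chunks, observe)
      end
      result[mode] = { mid_write_ok: complete_vhost?(seen),
                       final_ok: complete_vhost?(File.read(path)) }
    end
    lock = File.join(dir, '.frontend.lock')
    result[:locked_inside] = with_frontend_lock(lock) { frontend_locked?(lock) }
    result[:locked_after]  = frontend_locked?(lock)
    result[:leftovers]     = Dir.entries(dir).grep(/\.tmp\z/)
    result
  end
end
```

In a real deployment the reload command would be invoked inside the `with_frontend_lock` block, after the rename.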

Security

BZ#1153319
OpenShift Enterprise brokers as well as nodes using the apache-mod-rewrite or apache-vhost front end plug-ins previously had SSLv3 enabled, making them susceptible to POODLE-style attacks. This bug fix backports an OpenShift Enterprise 2.2 fix to update these components to remove SSLv3 support, and as a result new installations are no longer susceptible to these issues.
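
An added Ruby example (not part of the errata or the product) for checking Apache configuration text for the setting behind BZ#1153319: it evaluates each SSLProtocol directive and reports those that leave SSLv3 enabled. It is a simplified model that assumes each directive starts from an empty set, a bare protocol name replaces the set, +/- add or remove, and "all" includes SSLv3 as on httpd 2.2-era builds; the configuration snippets are constructed.

```ruby
# Protocol names the model knows about. Assumption: "all" expands to this
# whole list, SSLv3 included, as on httpd 2.2-era mod_ssl builds.
ALL_PROTOCOLS = %w[SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2].freeze

# Work out which protocols one SSLProtocol directive leaves enabled.
# `args` is the list of words after the directive name.
def effective_protocols(args)
  enabled = [] # assumption: each directive starts from an empty set
  args.each do |tok|
    action = tok[0] if %w[+ -].include?(tok[0])
    name   = action ? tok[1..-1] : tok
    set = if name.casecmp('all').zero?
            ALL_PROTOCOLS.dup
          else
            ALL_PROTOCOLS.select { |p| p.casecmp(name).zero? }
          end
    raise ArgumentError, "unknown protocol: #{name}" if set.empty?
    case action
    when '-' then enabled -= set
    when '+' then enabled |= set
    else          enabled = set # a bare name replaces what came before
    end
  end
  enabled
end

# Evaluate every SSLProtocol directive in a block of configuration text.
# Returns one record per directive with its line number and result.
def audit_ssl_protocol(conf_text, source = '(inline)')
  findings = []
  conf_text.each_line.with_index(1) do |line, number|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    words = stripped.split
    next unless words.first.casecmp('SSLProtocol').zero?
    enabled = effective_protocols(words.drop(1))
    findings << { source: source, line: number, directive: stripped,
                  enabled: enabled, sslv3: enabled.include?('SSLv3'),
                  nothing_enabled: enabled.empty? }
  end
  findings
end

# Only the directives that still allow SSLv3.
def sslv3_findings(conf_text, source = '(inline)')
  audit_ssl_protocol(conf_text, source).select { |f| f[:sslv3] }
end

# Constructed sample: SSLv2 is removed but SSLv3 is still negotiable.
WEAK_CONF = <<~CONF
  # constructed sample, weak setting
  SSLEngine on
  SSLProtocol all -SSLv2
CONF

# Constructed sample: the corrected setting, SSLv3 removed as well.
FIXED_CONF = <<~CONF
  # constructed sample, corrected setting
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
CONF

if __FILE__ == $PROGRAM_NAME
  { 'weak.conf' => WEAK_CONF, 'fixed.conf' => FIXED_CONF }.each do |name, text|
    audit_ssl_protocol(text, name).each do |f|
      status = f[:sslv3] ? 'SSLv3 ENABLED' : 'ok'
      puts "#{f[:source]}:#{f[:line]}: #{f[:directive]} -> " \
           "#{f[:enabled].join(' ')} [#{status}]"
    end
  end
end
```

A file with no SSLProtocol directive yields no findings here; in that case the effective value is inherited from the enclosing configuration or the server default and has to be checked there.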

Chapter 11. RHBA-2014:1353 - OpenShift Enterprise 2.1.7 Bug Fix and Enhancement Update

OpenShift Enterprise 2.1.7 is now available with updates to packages that fix several bugs and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/RHBA-2014-1353.html for more information.

Important

See the following section of the OpenShift Enterprise 2.1 Release Notes for instructions on how to apply this asynchronous errata update:
This update addresses the following bug fixes and enhancements:

Broker

BZ#1140378
Previously, domain environment variables were not removed after an application failed during creation or if the operation was canceled by the user. As a result, attempting to later create an application with the same name would fail because MongoDB records still existed for the failed application. This bug fix updates the pending operations logic to remove domain environment variables and SSH keys for an application if the creation fails or is canceled.
BZ#1108762
The broker requires V8, which is provided by Red Hat Software Collections (SCL). While the Management Console and Administration Console plug-ins packaged this requirement, the openshift-origin-broker packages did not. As a result, if an administrator followed the manual installation instructions for a broker host, the broker service would fail to start unless either of the console plug-ins were also installed. This bug fix updates the openshift-origin-broker packages to require V8, and manual installations now work as intended.
BZ#1121243
It was previously possible for the oo-admin-chk and oo-admin-repair tools to incorrectly notify administrators of stale domain SSH keys for users that had multiple domains. This was due to a logic error in how the list of keys was gathered for validation. This bug fix updates this logic, and the tools no longer report these false positives.

Cartridge

BZ#1106450
The control script "start" routine for the MySQL cartridge was configured to check the mysqld service 10 times, wait 1 second between each check, and time out if the service did not become available within that time. During periods of high I/O load, and under certain other conditions, the mysqld service might fail to start before all 10 checks have been performed. This caused the deployment or scale-up operation to fail. This bug fix increases the number of checks to 45 for a minimum timeout duration of 45 seconds. It also introduces the OPENSHIFT_MYSQL_START_TIMEOUT and OPENSHIFT_MYSQL_STOP_TIMEOUT environment variables which users can set using the client tools to specify the number of retries for the control "start" and "stop" routines, respectively. The MySQL cartridge is now more tolerant to high latency system conditions by default, and can be manipulated by the user to successfully deploy under a variety of system load and latency scenarios. After applying this fix, a cartridge upgrade is required.
BZ#1116819
Previously, the Jenkins client cartridge did not define a character encoding for builds. As a result, builds reported "InvalidByteSequenceError" failures in some cases, although the build was actually successful. This bug fix updates the Jenkins client cartridge to define a default character set of UTF-8, and the error message no longer appears during builds.
BZ#1112139
Due to an incompatibility between Red Hat Software Collections (SCL) packages, the mysql gem, and the Ruby cartridge, gem installations would fail in applications with Ruby and mysql-5.5 cartridges. This bug fix introduces a workaround to the Ruby cartridge that points bundler to the correct version of libmysqlclient until the MySQL 5.5 SCL is updated. After applying this fix, a cartridge upgrade is required.
BZ#1125430
Because JBoss EAP 6.1 no longer requires modules index files, the jboss-eap6-index package became obsolete. This bug fix removes the jboss-eap6-index package dependency from the JBoss EAP cartridge. Administrators can decide whether or not to remove this package from all node hosts. It is likely that the upgrade process to OpenShift Enterprise 2.2 will perform this step automatically.

Node

BZ#1131139
The oo-mco script is installed on node hosts during initial deployment due to an RPM configuration; however, the SCL mco client executable is not installed. This caused attempts to run the oo-mco command on node hosts to fail with an unhelpful error message. This bug fix adds a more helpful error message to the oo-mco script for this scenario, and administrators attempting to run the oo-mco command on a node host are now informed that "/opt/rh/ruby193/root/usr/sbin/mco does not exist. mco client is likely not installed from scl."
BZ#1134034
Because node host administrators may want to have logging consolidated via Syslog while gear users may wish to have logs written to the application root directory, nodes now support log delivery to both Syslog and file output types at the same time. Administrators can set the 'outputType' in the /etc/openshift/logshifter.conf file on node hosts to 'multi', which results in logs being written to both 'file' and 'syslog'.
BZ#1135617
When using the apache-vhost front-end server plug-in, the systemu Ruby library attempted to create temporary files that were blocked by SELinux. This resulted in an AVC denial in the /var/log/audit/audit.log file, though no functionality was actually affected. Because the systemu library is redundant, this bug fix updates nodes to use the OpenShift library that provides the same utility in the rest of the node runtime. As a result, the AVC denials no longer occur.
BZ#1139359
Node platform log entries are built with attributes from the arguments of the MCollective call that caused them. In the case of the execute_parallel action, the arguments are structured differently. With application and gear context enabled for node platform logs, attributes were previously not logged for the execute_parallel actions, which include adding SSH keys and cartridges. This bug fix ensures that the arguments are now gathered from either argument structure, if present. As a result, all known actions with the relevant MCollective call arguments are logged with the appropriate context attributes.

Upgrade

BZ#1102138
The ose-upgrade tool coordinates running a number of scripts to perform an OpenShift Enterprise version upgrade. When running the scripts, the tool previously displayed script output only after completion, even though several steps of the upgrade can take a long time, for example while updating RPMs or waiting on another host to complete its steps. This meant that administrators had no method for verifying what the tool was doing or whether something had gone wrong while the scripts were running. This enhancement updates the tool to display ongoing output from the scripts while they are running, and administrators are now able to better check the status of the scripts being run.

Chapter 12. RHBA-2014:1183 - OpenShift Enterprise 2.1.6 Bug Fix and Enhancement Update

OpenShift Enterprise 2.1.6 is now available with updates to packages that fix several bugs and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/RHBA-2014-1183.html for more information.

Important

See the following section of the OpenShift Enterprise 2.1 Release Notes for instructions on how to apply this asynchronous errata update:
This update addresses the following bug fixes and enhancements:

Broker

BZ#1138334
As administrators become increasingly likely to install different sets of cartridges using different gear profiles, for example to set aside profiles for JBoss EAP and future xPaaS cartridges, the process to import cartridge manifests becomes more complex. To accommodate this scenario, this enhancement adds the import-profile subcommand to the oo-admin-ctl-cartridge command on the broker host, which finds a representative node from one, several, or all profiles and imports the latest cartridge manifests from all representative nodes.
BZ#1122271
Previously, sparse files were not preserved when gears moved between nodes, which caused unnecessary disk usage. This bug fix adds the proper flags to related rsync operations which help prevent the issue going forward. After applying this fix, a cartridge migration is required and the MCollective service must be restarted. See https://access.redhat.com/solutions/1179673 for steps to fix existing gears previously using sparse files that have exceeded their quota as a result of this issue.
BZ#1132295
The oo-admin-upgrade, oo-admin-usage, and oo-admin-ctl-domain tools did not normalize user name parameters that were passed in, and the tools could fail to find the intended user name that was normalized in MongoDB. This bug fix updates the tools to now correctly normalize user names before searching for them.
BZ#1131317
Previously, it was possible to define a login normalization that was not idempotent, meaning that when run twice on a given login, the second normalization returned a different value than the first. In certain situations, a normalized login might be re-normalized to no longer match the original normalization, causing the intended user not to be found. Creating an authorization token during the 'rhc setup' process is one such case. To ensure that this does not happen, this bug fix updates the normalization process to repeat until it no longer changes the login, effectively forcing it to be idempotent. As a result, there should no longer be edge cases with a non-idempotent normalization, and the 'rhc setup' process runs successfully even under these conditions.
BZ#1065048
The MCollective client configuration settings used a default timeout value which caused the broker to wait for a prolonged period of time when attempting to connect to ActiveMQ. When ActiveMQ was unreachable, the broker waited and eventually failed as if the requests had timed out without displaying helpful error messages. This bug fix updates the client configuration to set a reasonable default timeout value, and broker requests now time out faster and helpful error messages are displayed when ActiveMQ is unreachable. This configuration change is made only in the installation utility and scripts; see the OpenShift Enterprise 2.1 Release Notes for instructions on applying this fix to existing installations.
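
The repeat-until-stable normalization described in BZ#1131317 above, as an added Ruby example that is not the broker's code. The two normalization rules, the round limit, and the error class are hypothetical, and the logins are constructed.

```ruby
# Hypothetical rule that is NOT idempotent: each call drops one trailing
# "@example.com" realm and lower-cases the result, so a login carrying the
# realm twice changes again on a second pass.
STRIP_ONE_REALM = lambda do |login|
  login.strip.sub(/@example\.com\z/i, '').downcase
end

# Hypothetical rule that never settles: it toggles a suffix on every call.
OSCILLATING = lambda do |login|
  login.end_with?('.x') ? login.chomp('.x') : "#{login}.x"
end

class NormalizationError < StandardError; end

# Apply `rule` until its output stops changing, so that normalizing an
# already normalized login is a no-op. Raises unless a fixed point is
# confirmed within `max_rounds` applications, which keeps a rule that
# oscillates from hanging the caller.
def normalize_login(login, rule, max_rounds: 10)
  current = login
  max_rounds.times do
    candidate = rule.call(current)
    return current if candidate == current
    current = candidate
  end
  raise NormalizationError,
        "normalization did not converge for #{login.inspect}"
end

# The failure mode from the errata text: the account is stored under the
# result of one pass, and a later code path normalizes that stored value
# again before looking it up. Returns both keys so they can be compared.
def single_pass_keys(login, rule)
  stored = rule.call(login)   # key written when the account was created
  lookup = rule.call(stored)  # key computed when re-normalizing later
  { stored: stored, lookup: lookup, mismatch: stored != lookup }
end

# The same two steps with the fixed-point version: both keys always agree.
def fixed_point_keys(login, rule)
  stored = normalize_login(login, rule)
  lookup = normalize_login(stored, rule)
  { stored: stored, lookup: lookup, mismatch: stored != lookup }
end

if __FILE__ == $PROGRAM_NAME
  login = ' JDoe@example.com@example.com ' # constructed sample login
  p single_pass_keys(login, STRIP_ONE_REALM)
  p fixed_point_keys(login, STRIP_ONE_REALM)
  begin
    normalize_login('jdoe', OSCILLATING)
  rescue NormalizationError => e
    puts "rejected: #{e.message}"
  end
end
```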

Cartridge

BZ#1130362
A race condition in the Python cartridge's start method caused the pid file to be written incorrectly in certain situations. This could lead to problems when stopping applications. This bug fix updates the Python cartridge to address the race condition, and the issue no longer occurs as a result. After applying this fix, a cartridge migration is required.

Command Line Interface

BZ#1124094
The oo-admin-upgrade tool previously only upgraded existing gears that included cartridges provided by Red Hat; specifically, only cartridges that defined "redhat" as the vendor in their manifest were affected. This bug fix updates the tool to also support upgrading gears that include any cartridge that exists in a node's cartridge repository, including custom cartridges and those provided by other vendors.

Node

BZ#1112446
Previously, the oo-accept-node tool incorrectly performed mod_rewrite configuration checks on nodes which were configured to use the apache-vhost front-end plug-in. These checks were unnecessary because the apache-mod-rewrite and apache-vhost plug-ins are mutually exclusive. This bug fix updates the tool to only perform the mod_rewrite checks when the apache-mod-rewrite plug-in is in use.
BZ#1127714
Due to a bug in the Watchman code, the Watchman Throttler plug-in had a memory leak which caused the Watchman service to consume too much memory and time out when attempting a restart. This bug fix updates the plug-in to resolve the memory leak, and these issues no longer occur as a result. After applying this fix, the openshift-watchman service must be restarted.
BZ#1135062
The MongoDB cartridge did not properly include the PATH and LD_LIBRARY_PATH entries provided by Red Hat Software Collections (SCL) in the cartridge environment, and did not publish the appropriate PATH elements for scaled cartridges. As a result, the appropriate PATH and LD_LIBRARY_PATH entries for the mongo support binaries provided by SCL, such as mongoimport, were not set, and the binaries were therefore not available to gear action hooks. This bug fix updates the MongoDB cartridge to include the appropriate PATH and LD_LIBRARY_PATH entries for non-scaled cartridges. It also provides a new connection hook that publishes OPENSHIFT_MONGODB_LD_LIBRARY_PATH_ELEMENT and OPENSHIFT_MONGODB_PATH_ELEMENT, which scaled cartridges include in the primary cartridge's PATH and LD_LIBRARY_PATH environment variables. As a result, the correct mongo binaries are now available from the command line and gear action hooks for scaled and non-scaled applications. See https://access.redhat.com/articles/1179613 for instructions on applying this fix to existing gears.
BZ#1133936
Previous releases of OpenShift Enterprise shipped a single example /etc/openshift/resource_limits.conf configuration file on nodes for a gear profile called "small". This enhancement adds additional configuration files based on other example gear profiles and host types. For example, files for "medium" and "large" example profiles are included, as well as an "xpaas" profile for use on nodes hosting xPaaS cartridges in future OpenShift Enterprise releases. The contents in the example configuration files have also been rearranged to make it easier for administrators to find commonly customized settings.

Specifying a profile of "small", "medium", "large", or "xpaas" when installing a node using the installation scripts now causes the corresponding example configuration file to be deployed. Custom profiles can be used in this way as well, as long as a corresponding configuration file is present during installation.
BZ#1131031
If a node failed and all that was left was the gear storage, metadata such as /etc/passwd entries, gear cgroup configurations, and limits.d files previously had to be recreated manually. This enhancement adds the new oo-admin-regenerate-metadata tool which can now perform these actions automatically.
BZ#1136983
The default /etc/openshift/node.conf file on node hosts contained gear UID and port settings that are no longer used as described and did not contain the actual settings for those purposes. This made it confusing when trying to change the port range, starting gear UID, or ports per gear. This bug fix updates this default file for new installations to remove the unused options. It also adds notes for options that must remain for historical purposes but should not be changed, and introduces accurate settings (PORTS_PER_USER and PORT_BEGIN) with helpful comments regarding restrictions on changing them. This file on existing installations is unaffected.
BZ#1104072
The shell function wrapper for the mongo binary improperly quoted command line arguments. The command name and the first argument were passed to the scl environment wrapper as a single token with the remaining arguments unquoted, causing the scl wrapper to look for a non-existent path prefix file, for example '/etc/scl/prefixes/mongo -u'. This bug fix updates the mongo function in the rhcsh environment script, and the entire command passed to the scl environment wrapper is now properly quoted.

Chapter 13. RHBA-2014:1095 - OpenShift Enterprise 2.1.5 Bug Fix and Enhancement Update

OpenShift Enterprise 2.1.5 is now available with updates to packages that fix several bugs and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/RHBA-2014-1095.html for more information.

Important

See the following section of the OpenShift Enterprise 2.1 Release Notes for instructions on how to apply this asynchronous errata update:
This update addresses the following bug fixes and enhancements:

Broker

BZ#1123743
If regions did not exist in an OpenShift Enterprise environment, a confusing error message was displayed to users after creating an application. This was due to a bug in the broker's controller library. This bug fix updates the controller logic and now the broker checks to see if regions exist before displaying the error.
BZ#1083380
The broker previously handled logins with different letter cases as distinct user accounts. For example, the broker would store separate accounts for the logins "JDoe" and "jdoe". This issue caused confusion for users when applications were created under different accounts, among other problems. This enhancement allows administrators to enable a selection of default or custom methods on the broker to enforce user login normalization. When normalization methods are set, the broker now handles logins based on these settings. See the OpenShift Enterprise Administration Guide for more information.
BZ#1123944
When the oo-app-info command was used to search for an application by its fully-qualified domain name (FQDN), the domain for the FQDN was assumed to be "rhcloud.com". As a result, the search did not work outside of the OpenShift Online environment. This bug fix updates the search to be generalized for any cloud domain, and searching for an application by its FQDN now works as expected.
BZ#1123353
When the 'oo-admin-ctl-app -c set-multiplier' command was run for the web framework cartridge of a scalable application with only one gear, the MongoDB record for the application was broken, making the application unscalable. This bug fix updates the application model code in the controller, and MongoDB records for applications are no longer susceptible to this issue as a result.
BZ#1109549
The oo-admin-ctl-app command now has the --alias option which allows administrators to add or remove an alias from an application.
BZ#1120825
Previously, domain environment variables were not set when running cartridge install and setup scripts. This was due to a bug in the broker's Application model object. This bug fix updates the Application model, and environment variables are now correctly set before running the install and setup scripts.
BZ#1122496
When creating an application, it was possible in certain situations for a user without the additional storage capability to add storage within a domain. This occurred because the additional storage capability was checked for the wrong user account, which was due to a bug in the broker's controller library. This bug fix updates the controller library and now the domain owner's capabilities are correctly checked.
BZ#1108575
Previously, when users removed additional storage from an application while specifying the HAProxy cartridge, the action completed successfully but the storage removal was not accurately reported. This bug fix updates the broker's controller logic and now storage is accurately reported in this scenario.
BZ#1122935
Previously, if a scalable application was made highly available, gears were removed during scale down events in reverse order of creation without consideration for whether the HAProxy cartridge minimum or HAProxy multiplier were maintained. This issue made it possible for a highly-available application to remove more HAProxy gears than it should when scaling down, potentially rendering the application no longer highly available. This bug fix updates the controller logic, and the gear selected for removal is now chosen to maintain the proper constraints.

Cartridge

BZ#1106414
The rhcsh command that is used for interactive gear logins had a bug in the psql function. This function wraps the actual command-line tool to automatically provide database access credentials, but it always returned exit code 0, even when the command had actually failed. This issue could confuse scripts using the function. This bug fix updates the rhcsh command to preserve the exit code correctly, and the psql function exits as expected as a result. Users must reconnect to their gear using SSH to pick up the new function after applying this fix.
BZ#1105107
A bug in the MySQL and PostgreSQL cartridges prevented the PATH from being set correctly. As a result, the wrong versions of executables could be loaded. This bug fix updates the publish-ld-library-path-info hook to correctly set the PATH. A cartridge upgrade is required after applying this fix.
BZ#1123077
The HAProxy cartridge was missing locking in its reload logic, and a race condition could lead to multiple HAProxy processes inside a gear. This bug fix updates the HAProxy cartridge to add proper locking, and this issue no longer occurs as a result. A cartridge upgrade is required after applying this fix.
BZ#1118275
A bug in the JBoss EWS cartridge caused broken symlinks to be created if configuration files did not exist in a JBoss EWS binary deployment, which caused the application to be unable to deploy. This bug fix updates the control script for the JBoss EWS cartridge to handle scenarios where a deployment archive does not contain configuration files. A cartridge upgrade is required after applying this fix.
BZ#1112152
Default ruby-1.8 applications contained an unnecessary library inclusion, which could result in 503 errors when the library was not available in some environments. This bug fix updates the Ruby cartridge to remove the library reference, and these errors no longer occur on new gears that are created after applying this fix. A workaround for existing gears is to manually remove the library.
BZ#1084950
The PostgreSQL cartridge was not configured properly. Administrators could be confused by an incorrect IPv6 IP range, and the configuration for limiting PostgreSQL connections to only the local socket was incorrect. This bug fix updates the PostgreSQL cartridge, and both of these issues are resolved for the purpose of hardening security. Other security measures prevent these problems from posing actual risk. A cartridge upgrade is required after applying this fix.
BZ#1116823
Due to a default Jenkins setting, an error message appeared in Jenkins logs in environments where UDP was disabled. This bug fix adds a new marker file to disable UDP for Jenkins by default, because it is not required for OpenShift Enterprise, and the errors no longer appear as a result. A cartridge upgrade is required after applying this fix.
BZ#1117949
After adding a customized haproxy_ctld.rb file to a scalable application, the application continued to use the customized file for automatic scaling even after the file had been removed from the application's Git repository. This was due to a bug in the HAProxy cartridge. This bug fix updates the HAProxy cartridge control script to handle the removal of customized haproxy_ctld.rb files, and applications now return to using the default file for automatic scaling after a customized file has been removed. A cartridge upgrade is required after applying this fix.
BZ#1125295
Due to a race condition in the JBoss EWS cartridge control script, the parent EWS process was killed before the child processes in certain situations, causing the control script to report an error. This bug fix improves the fallback process clean-up logic to handle this error, and the issue no longer occurs as a result. A cartridge upgrade is required after applying this fix.

Client Tools

BZ#1006068
Previous versions of the client tools were configured for use with a single OpenShift server at a time. The configuration settings in the ~/.openshift/express.conf file would be overwritten each time the client tools were configured for use with a new server. This enhancement enables the client tools shipped with OpenShift Enterprise to be configured for use with multiple servers, which is useful when using a single workstation to manage different applications hosted across multiple servers. See the OpenShift Enterprise User Guide for more information.
BZ#1109382
Previously, the 'rhc app-show <app_name> --gears' command reported HAProxy cartridges on every gear if the application was scalable. This reporting was not accurate, as each gear in the list should report only the cartridges actually on the gear. This bug fix updates the client tools, and HAProxy cartridges on gears are now accurately reported.
BZ#1128986
The --ssl-client-key-file option was missing in the --help output for the 'rhc server add' and 'rhc server configure' commands. This bug fix updates the --help output for these rhc commands, and the option is now shown as expected.

Node

BZ#1108653
Attempting to scale a custom, non-web-framework cartridge previously resulted in an exception trying to create a web endpoint registry. This bug fix avoids this unnecessary step, and the exceptions no longer occur as a result.
BZ#1108910
Due to a bug in the OpenShift Enterprise runtime, quota settings were not removed when gears were deleted. This bug fix updates the gear deletion logic to include quota configuration removal, and quota settings are now correctly removed when gears are deleted.
BZ#1097748
Previously, it was difficult to distinguish between debug and trace log output on nodes because both log types were written using the local0 facility. This bug fix adds new settings to allow for better distinction between log types. Logs are now written using the facility defined by the PLATFORM_SYSLOG_FACILITY setting (default: LOG_LOCAL0), and, if trace logging is enabled, trace logs are now written using the facility defined by the PLATFORM_SYSLOG_TRACE_FACILITY setting (default: LOG_LOCAL1). Administrators can change these settings from their defaults by adding and defining them in the /etc/openshift/node.conf file.
BZ#1112445
Due to a bug in the Watchman Gear State plug-in, idled applications could not be properly stopped. This bug fix updates the Gear State plug-in to unidle an application's front end before stopping to ensure the proper final state. As a result, idled applications can now be properly stopped.

Management Console

BZ#1111419
The Management Console contained a typo when referring to the client tools option for creating a scalable application. This bug fix updates the Management Console, and the correct client tools option, --scaling, is now shown.

Chapter 14. RHBA-2014:0999 - OpenShift Enterprise 2.1.4 Bug Fix and Enhancement Update

OpenShift Enterprise 2.1.4 is now available with updates to packages that fix several bugs and introduce a feature enhancement. See the errata advisory at https://rhn.redhat.com/errata/RHBA-2014-0999.html for more information.

Important

See the following section of the OpenShift Enterprise 2.1 Release Notes for instructions on how to apply this asynchronous errata update:
This update addresses the following bug fixes and enhancement:

Broker

BZ#1118396
Previously, the output was not logged when the nsupdate command was executed by the DNS plug-in, which complicated diagnosing errors when application DNS records failed to be created or deleted. This bug fix updates the plug-in to log the standard output and errors of the nsupdate command to the broker application log (the /var/log/openshift/broker/production.log file, by default), and errors from the command are now easier to diagnose.
BZ#1103145
If a developer was part of a global team but did not have the view_global_teams capability enabled on their account, they could add the global team as a member of their domain using the ID but not using the name. This issue was caused by the view_global_teams capability, which is only intended to control the ability to search and view global teams, unintentionally blocking the functionality. This bug fix updates this capability to allow the addition of global teams as domain members using either the ID or name as intended.
BZ#1111163
When the oo-accept-systems script attempted to get the list of cartridges, the test terminated silently because it was using a deprecated fact. This bug fix updates the logic to use the correct method of getting the list of cartridges, and the test now completes as intended.
BZ#1116124
Using the broker REST API directly, developers can now specify the region to which their application is deployed. This allows developers to reduce latency to target users or implement a highly-available application scheme. Developers can also now use the REST API directly to determine the region and zone(s) to which an existing application's gears were deployed. In addition, administrators can now use the DEFAULT_REGION_NAME parameter in the /etc/openshift/broker.conf file to set the default region for new applications. If the parameter is not set, then a region is chosen randomly.

Cartridge

BZ#1106559
When the node command was run in Node.js cartridges, users experienced "error while loading shared libraries" messages. This was because the LD_LIBRARY_PATH was missing the V8 path, which was necessary as V8 has become part of Red Hat Software Collections. This bug fix updates the path and, as a result, the errors no longer occur.
BZ#1120887
When an application is scaled, the OPENSHIFT_HAPROXY_GEAR_RATIO environment variable determines when the HAProxy load balancer gears remove collocated framework gears from rotation. However, this variable was not consulted during an application start or restart and the default value "3" was used instead, resulting in unintended gear rotations. This bug fix updates the control script to consult the variable at application start up, and scaled applications now have the expected load balancer configuration when restarted.
BZ#1103740
After stopping a scaled application and saving a snapshot, the head gear for the application remained stopped after restoring the snapshot, which was expected. However, secondary gears were started after the restore, which was not the expected behavior. This issue was caused by certain post restore logic not being applied to all gears in the application. This bug fix updates the post-restore logic, and secondary gears are now stopped along with the head gear after restoring a stopped application.
BZ#1116817
Under certain race conditions or user actions, it was possible for multiple Node.js supervisor processes to be running for a Node.js cartridge. Because only one process could bind to the port, others would die, resulting in the supervisor continuously retrying to start them and consuming all of the gear's CPU. In addition to now checking whether a pidfile exists for another Node.js instance in the gear, this bug fix updates the start up logic to also check whether another supervisor or child is running before starting another. As a result, accidental second invocations of the supervisor starting now correctly exit.

The oo-admin-upgrade command is required to upgrade existing gears after applying this fix. See the Solution section in the errata advisory for full details.

Management Console

BZ#1114111
When the Management Console sent a session cookie to the client, the Management Console did not specify that the session cookie should be sent only over encrypted connections. If the client logged in and subsequently connected to the Management Console using an unencrypted connection, the client would have sent the session cookie in plain text before the Management Console redirected the client to a secure connection. If the cookie were intercepted, this could facilitate session hijacking or CSRF attacks. This bug fix ensures that the Management Console now specifies that the session cookie it sets must be sent only over encrypted connections. As a result, the difficulty of performing session hijacking or CSRF attacks is increased.
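A check for the condition BZ#1114111 describes, as an added example that is not Management Console code: it reads raw response headers and names every cookie whose Set-Cookie line lacks the Secure attribute. The cookie names and header values are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Management Console code): flag cookies set without Secure.

# Read raw HTTP response headers on stdin. Print the name of every cookie whose
# Set-Cookie line has no Secure attribute; return 1 if any were found.
cookies_missing_secure() {
    awk '
        BEGIN { bad = 0 }
        {
            sub(/\r$/, "")                       # tolerate CRLF line endings
            if (tolower(substr($0, 1, 11)) != "set-cookie:") next
            n = split(substr($0, 12), part, ";")
            name = part[1]                       # first field is name=value
            sub(/^[ \t]+/, "", name)
            sub(/=.*/, "", name)
            secure = 0
            for (i = 2; i <= n; i++) {           # attributes follow the value
                attr = part[i]
                gsub(/^[ \t]+|[ \t]+$/, "", attr)
                if (tolower(attr) == "secure") secure = 1
            }
            if (!secure) { print name; bad = 1 }
        }
        END { exit bad }
    '
}

# Constructed headers: session cookie sent without Secure (pre-fix shape).
# "theme=secure" has the word only in its value, so a plain grep for "secure"
# would wrongly pass it; "lang" carries the attribute in lower case.
sample_response_before() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Set-Cookie: _example_session=abc123; path=/; HttpOnly\r\n'
    printf 'Set-Cookie: theme=secure; Path=/\r\n'
    printf 'Set-Cookie: lang=en; Path=/; secure\r\n\r\n'
}

# Constructed headers: the same session cookie with Secure set (post-fix shape).
sample_response_after() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Set-Cookie: _example_session=abc123; path=/; HttpOnly; Secure\r\n\r\n'
}
```

Attribute matching is done per `;`-separated field and case-insensitively, so a cookie value that merely contains the word is still reported.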

Node

BZ#1100351
The following administrative commands on node hosts did not display helpful usage information when run without options: oo-admin-ctl-gears, oo-admin-gear, oo-admin-repair-node, oo-auto-idler, oo-devel-node. The gear command on gears also had the same issue. This bug fix updates these commands to display their help page when run without options.
BZ#1121222
If /sbin/ip did not exist, the oo-accept-node script first printed a proper error message in the find_ext_net_dev test, but subsequently failed with an exception and backtrace in the check_node_public_resolution test. This bug fix updates the oo-accept-node script to gracefully handle the exceptions, and the script now prints clearer output when /sbin/ip does not exist.
BZ#1121203
The oo-accept-node script did not check that the external network device (as specified by the EXTERNAL_ETH_DEV parameter in the /etc/openshift/node.conf file, or the default, eth0) had a globally scoped IPv4 address. If a node host's external network device were not properly configured, such misconfiguration might not have been detected until the platform tried to perform certain operations. For example, creating a scalable application fails in the port-proxy code if the node cannot find a globally scoped IPv4 address on its external network device. This bug fix adds a new test, check_ext_net_dev_addr, to the oo-accept-node script, and the script now fails if the external network device does not have a globally scoped IPv4 address.
BZ#1100766
In certain scenarios, gears were not properly throttled due to an issue in Watchman's ThrottlerPlugin. This bug fix addresses the issue in the plug-in, and CPU usage is now more accurately reflected as a result. A restart of the openshift-watchman service is required after applying this fix.
BZ#1121266
The oo-diagnostics script did not check whether a node host's clock was in sync with the associated broker host's clock. MCollective ignores a message if the sender's timestamp on it is more than 60 seconds behind the recipient's clock at the time the message is received, so communications between the broker and node hosts could be lost. This bug fix updates the oo-diagnostics script to add the test_node_clock_in_synch_with_broker check, which sends an HTTP request to the broker (as specified by the BROKER_HOST parameter in the /etc/openshift/node.conf file) and compares the time in the "Date:" header in the response with the node host's clock. As a result, the oo-diagnostics script now warns if the clocks are out of sync by five or more seconds, and it fails if the clocks are out of sync by 55 or more seconds.
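The comparison BZ#1121266 describes can be reproduced offline, as an added example that is not the oo-diagnostics implementation: it pulls the Date header from a response, converts it to epoch seconds, and applies the 5-second and 55-second thresholds. It assumes GNU date; the function names and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example (not oo-diagnostics code): clock skew from an HTTP Date header.

# Extract the first Date header value from raw response headers on stdin.
date_header() {
    awk '
        { sub(/\r$/, "") }
        tolower(substr($0, 1, 5)) == "date:" {
            v = substr($0, 6); sub(/^[ \t]+/, "", v); print v; exit
        }
    '
}

# Convert an HTTP date to epoch seconds. Assumes GNU date (-d).
http_date_to_epoch() {
    date -u -d "$1" +%s 2>/dev/null
}

# classify_skew HEADER_VALUE LOCAL_EPOCH
# Prints "ok N", "warn N" or "fail N" (N = absolute skew in seconds) using the
# thresholds stated above: warn at 5 s or more, fail at 55 s or more.
# Returns 0 for ok/warn, 1 for fail, 2 if the header is missing or unparsable.
classify_skew() {
    # GNU date treats an empty string as "today", so reject it explicitly.
    [ -n "$1" ] || { echo "error no-date-header"; return 2; }
    remote=$(http_date_to_epoch "$1") || { echo "error bad-date"; return 2; }
    skew=$(( $2 - remote ))
    if [ "$skew" -lt 0 ]; then skew=$(( -skew )); fi
    if [ "$skew" -ge 55 ]; then
        echo "fail $skew"; return 1
    elif [ "$skew" -ge 5 ]; then
        echo "warn $skew"
    else
        echo "ok $skew"
    fi
}

# Constructed broker response used as sample input.
sample_broker_response() {
    printf 'HTTP/1.1 200 OK\r\nDate: Tue, 15 Jul 2014 12:00:00 GMT\r\nContent-Length: 0\r\n\r\n'
}
```

On a live node the second argument would be `$(date -u +%s)` taken at the moment the response arrives.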
BZ#1096863
Previously, Watchman's frequency for checking gear state was hard-coded in the tool, and it could consume too much CPU as a result. This bug fix adds many additional configuration parameters along with documentation to the /etc/sysconfig/watchman file, and administrators now have access to more tuning options when using Watchman.
BZ#1096789
When unidling scaled applications using the `oo-admin-ctl-gears idle` command or an HTTP request, the head gear was unidled, but secondary gears were left idle. This was because the unidle logic used a local gear start only affecting the head gear. This bug fix updates the logic to instead use a broker REST call to start the entire application when unidling, which affects all gears. As a result, head gears and secondary gears are all unidled as expected.
BZ#1105225
In certain scenarios when using the Watchman OOM plug-in, gears would fail to be restarted after running out of memory. This bug fix addresses several Watchman issues, and Watchman now restarts gears that have run out of memory, as expected.
BZ#1119489
The /etc/sysconfig/watchman file could be created and used as a configuration file for Watchman; however, a default file did not exist. The OpenShift Enterprise Administration Guide mentioned this file, which caused confusion when it was missing. This bug fix creates a default /etc/sysconfig/watchman file, and the file now exists as expected.
BZ#1117004
Often when a cartridge starts a runtime in a gear, the cartridge stores the pid of the runtime's process in a pidfile. Later, the cartridge may use the process_running function to determine whether that process is still running in the gear by checking whether any running process has a pid matching the pid saved in the pidfile. However, if the runtime's process had terminated and the operating system had subsequently assigned the same pid to a new process, the process_running function could return a false positive, interfering with cartridge control actions. This bug fix updates the process_running function to use the pgrep command with the -u option to restrict its search to processes belonging to the gear. As a result, the process_running function now has a much lower probability of returning a false positive.
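The pid-reuse problem in BZ#1117004, as an added example that is not the cartridge SDK's process_running function: a check that accepts any process with the saved pid, next to one that also requires the process to belong to an expected uid. The fix itself used pgrep -u; this sketch applies the same ownership restriction by reading the owner of /proc/<pid> so that it runs without procps, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the cartridge SDK's process_running): pidfile checks.

# Print the pid stored in a pidfile, or fail if the file is unreadable or its
# first field is not a plain decimal number.
read_pidfile() {
    [ -r "$1" ] || return 1
    pid=
    read -r pid rest < "$1" || [ -n "$pid" ] || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Pre-fix style check: true if ANY process currently has the saved pid.
# A recycled pid now held by an unrelated process makes this a false positive.
pid_in_use() {
    pid=$(read_pidfile "$1") || return 1
    [ -d "/proc/$pid" ]
}

# Ownership-restricted check: true only if the pid exists AND the process
# belongs to the expected uid (the gear's uid in the scenario above).
pid_in_use_by_uid() {
    pid=$(read_pidfile "$1") || return 1
    owner=$(stat -c %u "/proc/$pid" 2>/dev/null) || return 1
    [ "$owner" = "$2" ]
}
```

The ownership test narrows the false-positive window rather than closing it: a recycled pid that lands on another process of the same uid still matches, which is consistent with the "much lower probability" wording above.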
BZ#1112448
The oo-accept-node script compared the list of cgroup subsystems in use against a hard-coded, default list. However, a custom list could be set using the OPENSHIFT_CGROUP_SUBSYSTEMS parameter in the /etc/openshift/node.conf file. When a custom list was in use, the script failed when the custom list differed from the hard-coded, default list. This bug fix updates the oo-accept-node script to make these comparisons using the custom list in the OPENSHIFT_CGROUP_SUBSYSTEMS parameter, if set, and the script no longer fails in this way.
BZ#1084606
The oo-diagnostics script read the SELinux context of the mcollectived process using the ps command, but the output of ps varies depending on whether the mcstransd daemon from the mcstrans package ("SELinux Translation Daemon") is running. Therefore, the script reported a test failure in the test_mcollective_context check if mcstransd were running, even if the SELinux context of the mcollectived process were correct. This bug fix updates the script to read the SELinux context of mcollectived using the /proc filesystem, which is unaffected by mcstransd. As a result, the script no longer reports a test failure in situations where the SELinux context of the mcollectived process is correct but the mcstransd daemon is running.

Chapter 15. RHBA-2014:0781 - OpenShift Enterprise 2.1.2 Bug Fix Update

OpenShift Enterprise 2.1.2 is now available with updates to packages that fix several bugs. See the errata advisory at https://rhn.redhat.com/errata/RHBA-2014-0781.html for more information.

Important

See the following section of the OpenShift Enterprise 2.1 Release Notes for instructions on how to apply this asynchronous errata update:
This update fixes the following bugs:

Broker

BZ#1102430
When the sample routing plug-in was configured with an array of ActiveMQ brokers, the broker service would not start properly. This bug fix adds support to interpret the ACTIVEMQ_HOST parameter in the /etc/openshift/plugins.d/openshift-origin-routing-activemq.conf file as a comma-separated list of host:port pairs, and use this list of hosts when connecting to ActiveMQ for redundancy. The broker service now starts properly, and the sample routing plug-in can now be configured with more than one ActiveMQ broker.
BZ#1084292
If a customized gear placement plug-in was incorrectly configured and returned an invalid node host name, creating a new application reported a communication error when it could not find the node on which to place gears. However, a record for the failed application was created in the MongoDB datastore, even though related gears did not exist on any nodes. This bug fix adds logic to validate the node host name returned by the gear placement plug-in. If the validation fails, the application creation is rolled back completely and datastore records for failed applications are no longer created.
BZ#1100169
After a custom SSL certificate for an alias was added to an application, the oo-diagnostics tool reported warning messages that the permissions on configuration files were not correct. This was due to the oo-diagnostics tool running a test that checked for more than was actually required. This bug fix updates the oo-diagnostics tool to only check files that Apache actually reads at runtime, and the warnings no longer occur for alias certificates.
BZ#1102303
If an authorization token was created containing scopes for multiple domains, it was possible for the domain scopes to interfere with each other and cause queries using the token to not return the full list of authorized applications. This bug fix adds logic to ensure that queries are accurately returned when using authorization tokens with multiple domain scopes.

Cartridge

BZ#1044980
A change to Passenger caused applications using Ruby 1.8 or 1.9 cartridges to report pre-starting errors, and applications would only start after a first request was made. The issue was fixed for Ruby 1.9 cartridges in an earlier release of OpenShift Enterprise; this bug fix updates Passenger to correct the issue for Ruby 1.8 cartridges as well. Pre-starting now functions properly for both Ruby cartridges, and the previous errors no longer occur.

Command Line Interface

BZ#1102736
The client tools RPM package that shipped with OpenShift Enterprise release 2.1 did not include full support for managing teams. Team management was previously only available using the upstream client tools gem or using the REST API. This bug fix adds full team management support to the RPM package starting in rhc-1.24.3.1-1.el6op; see the following section of the OpenShift Enterprise User Guide for more usage information:

https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/User_Guide/index.html#sect-Team_Management
BZ#1007454
Previously, using the oo-admin-ctl-app command with the `-c status` option only returned the state of the application and any of its add-on cartridges, for example whether they were running or stopped. This bug fix updates the oo-admin-ctl-app command and now the `-c status` option also returns the application UUID and each of its gear UUIDs.

Installer

BZ#1097844
The oo-admin-yum-validator tool that shipped with OpenShift Enterprise release 2.1 did not automatically detect the installed product version, which is the default behavior when run without any arguments. Because the oo-diagnostics tool runs the oo-admin-yum-validator tool without any arguments, running the oo-diagnostics tool on release 2.1 reported a warning that it could not detect the product version. This bug fix adds this detection back into the oo-admin-yum-validator tool for release 2.1, and the oo-diagnostics tool no longer reports the warning.

Management Console

BZ#1100507
When choosing an application type to create on the /console/application_types page of the Management Console, the JBoss Enterprise Application Platform 6 cartridge was placed in the "Other types" group instead of in the "Java" group. This was due to how tags were parsed for cartridges with multiple tags. This bug fix improves application type grouping and the JBoss EAP 6 cartridge now appears in the "Java" group.

Node

BZ#1070629
If quotas were not set for a gear, the oo-accept-node command reported the issue without any suggested solutions. This bug fix updates the oo-accept-node command to provide in these cases a suggested oo-devel-node command, either based on quota settings in the /etc/openshift/resource_limits.conf file or default values, that can be run to address the issue.
BZ#1103138
Starting the openshift-node-web-proxy service under certain conditions, in particular when using the oo-install installation utility, caused the service to be immediately killed when the user ended their session. This bug fix corrects this issue and the service now starts normally, including when using the installation utility.
BZ#1102325
When using the apache-vhost front-end proxy plug-in on nodes, the application was unreachable for a short period of time when changes were pushed using Git, caused by the Apache back end being temporarily disabled. This bug fix updates the plug-in to ensure that the back end is not disabled in these cases, and applications are now immediately reachable after changes are pushed.

While this bug fix applies to any newly created gears, for the updated package to take effect for existing gears, the following commands must be run on affected node hosts. These steps are recommended only for systems where the rubygem-openshift-origin-frontend-apache-vhost package is installed. Please note that this will cause a node outage, and should be performed during a planned broker maintenance outage. See the OpenShift Enterprise Administration Guide for full documentation on modifying the front-end proxy server plug-in configuration.

# oo-frontend-plugin-modify --save > filename
# oo-frontend-plugin-modify --delete
# oo-frontend-plugin-modify --restore < filename
BZ#1101524
Deploying a downloadable cartridge that had a malformed manifest to an application reported an error; however, the cartridge was still added to the application. As a result, the application could no longer be deleted using the client tools. This bug fix updates manifest validation when adding cartridges; adding a downloadable cartridge with a malformed manifest now provides better information on problematic entries and the cartridge is no longer added to the application.
BZ#1103294
If the /var/log/openshift/node/ruby193-mcollective.log file on a node host was missing, the oo-diagnostics tool hung during the test_node_mco_log check. This bug fix updates the oo-diagnostics tool to fail gracefully when the file is missing and report the error, and the tool no longer hangs as a result.
BZ#1107840
The rsyslog7 RPM package did not have an explicit version set for its libestr dependency, which caused problems if the build time version was not available at runtime. This bug fix adds an explicit version dependency of "libestr >= 0.1.9" for the rsyslog7 RPM package and these issues no longer occur.

Chapter 16. RHBA-2014:0209 - OpenShift Enterprise 2.0.3 Bug Fix and Enhancement Update

OpenShift Enterprise 2.0.3 is now available with updates to packages that fix several bugs and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/rhel6-rhose2-errata.html for more information.

Important

See the OpenShift Enterprise 2.0 Release Notes at https://access.redhat.com/site/documentation for instructions on how to apply this specific update.
This update addresses the following bug fixes and enhancements:

Broker

BZ#1040257
By default, users were restricted from creating custom domain name aliases in the cloud domain of their applications to prevent confusion or possible name collisions. This enhancement adds a new ALLOW_ALIAS_IN_DOMAIN setting in the /etc/openshift/broker.conf file on the broker host that allows users to create aliases within the cloud domain. However, the alias must not be in the form <name>-<name>.<cloud-domain>. Aliases taking this standard form of application names are rejected to prevent conflicts. See the OpenShift Enterprise Administration Guide for more information.
BZ#1057153
The broker host now allows configurable default templates for new applications without requiring custom cartridges, enabling administrators to customize the initial application experience for users. For example, initial JBoss EWS configuration files can be customized with organization defaults, and all default applications can have the organization name and logo. Set the new DEFAULT_APP_TEMPLATES setting in the /etc/openshift/broker.conf file on the broker host to specify default Git URLs for any web cartridge using a space-separated list of elements in the form <cartridge-name>|<git-url>. These URLs are used rather than any Git template included in the cartridge. Configure all broker hosts with the same values and restart the broker service.
BZ#1027122
The lokkit tool removed critical iptables rules required by OpenShift Enterprise, resulting in node outages. This bug fix updates the oo-diagnostics tool to detect if the lokkit or system-config-firewall tools are used, and advises the user not to use lokkit. If lokkit is required by the user, oo-diagnostics also provides a snippet that users can add to their lokkit configuration to allow interoperation with OpenShift Enterprise. Outages due to conflicting iptables configurations are now reduced.
BZ#1056899
Authorization tokens were not properly distributed between HAProxy gears in the same application. As a result, attempting to scale up an application from a secondary HAProxy gear failed. This bug fix adds logic to replicate broker authorization tokens between HAProxy gears in the same application. The following commands must be run on the broker host after applying this fix:

# rm -rf /tmp/oo-upgrade
# oo-admin-upgrade upgrade-node --version=2.0.3

See the Solution section in the errata advisory for full details.
BZ#1062844
Attempting to create an application using an invalid manifest produced an unhelpful error message. This bug fix improves the exception handling so that a more helpful error message is displayed when an invalid manifest is used.
BZ#1048139
The VALID_SSH_KEY_TYPES setting was not documented in the /etc/openshift/broker.conf file on the broker host. The file now documents the setting and its defaults for greater visibility.
BZ#1061941
OpenShift Enterprise DNS commands assumed DNS keys were created using the HMAC-MD5 algorithm, causing calls to the nsupdate utility to fail when the DNS key did not use HMAC-MD5. This bug fix adds support to the nsupdate plugin and the oo-accept-broker tool to include the key algorithm when nsupdate is called. DNS key algorithms other than HMAC-MD5 are now supported by OpenShift Enterprise tools.
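
The alias rule described in BZ#1040257 above can be sketched as follows. This is an added example, not the broker's own code; the cloud domain value, the function and constant names, and the treatment of <name> as alphanumeric are assumptions made for illustration.

```ruby
# Added illustration, not the broker's implementation.
# CLOUD_DOMAIN is a constructed sample value; treating <name> as
# alphanumeric is an assumption of this sketch.
CLOUD_DOMAIN = 'apps.example.com'

LABEL    = /[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/
HOSTNAME = /\A#{LABEL}(?:\.#{LABEL})*\z/
# Standard application host prefix, <name>-<name>, as a single label.
APP_FORM = /\A[a-z0-9]+-[a-z0-9]+\z/

# Classifies a requested alias and returns a symbol describing the decision.
def check_alias(fqdn, allow_alias_in_domain, cloud_domain = CLOUD_DOMAIN)
  # Normalise case and a trailing root dot before comparing, so
  # "App-Dom.Apps.Example.com." cannot slip past the pattern check.
  host   = fqdn.to_s.downcase.chomp('.')
  domain = cloud_domain.downcase
  return :rejected_invalid_hostname unless host =~ HOSTNAME

  # Compare on a label boundary: "evilapps.example.com" is not inside
  # "apps.example.com" even though it ends with the same characters.
  suffix = ".#{domain}"
  return :allowed_outside_cloud_domain unless host == domain || host.end_with?(suffix)

  return :rejected_in_domain_disabled unless allow_alias_in_domain
  # Assumption: the bare cloud domain itself is never a valid alias.
  return :rejected_invalid_hostname if host == domain

  prefix = host[0...-suffix.length]
  return :rejected_app_name_form if prefix =~ APP_FORM

  :allowed_in_cloud_domain
end
```

The second argument stands in for the ALLOW_ALIAS_IN_DOMAIN setting; with it disabled, every alias inside the cloud domain is refused regardless of its form.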

Node

BZ#1061422
Previously, the validation for metadata.json files caused confusing error messages when empty metadata.json files were loaded during certain operations. This bug fix improves file validation to account for zero-length metadata.json files, and these errors no longer occur. The MCollective service must be restarted on each node host after applying this fix.
BZ#1040824
The openshift-iptables-port-proxy service compared the count of existing NAT rules against the number asserted by OpenShift Enterprise. As a result, adding any custom NAT rules to a node host caused the openshift-iptables-port-proxy service to incorrectly report a problem with the NAT table. This bug fix updates the NAT table comparison to verify that the count of rules in the NAT table is equal to or greater than the expected number. Additional NAT rules can now be specified without any error messages from the openshift-iptables-port-proxy service.
BZ#1055675
The environment variable handling in the MCollective service has been optimized for efficiency.
BZ#1059322
Existing vhost templates referenced a variable that is only available when using the mod-rewrite front-end proxy plug-in. Therefore, gear server names were not logged in the /var/log/httpd/openshift_log file, causing disruptions in gear idling functions. This bug fix improves the custom access log format to ensure the server name is included, and gear idling functions are no longer impacted. These steps are recommended only for systems where the rubygem-openshift-origin-frontend-apache-vhost package is installed. For the updated package to take effect, the following commands must be run on affected node hosts. Please note that this will cause a node outage, and must be done with care. See the OpenShift Enterprise Administration Guide for full documentation on modifying the front-end proxy server plug-in configuration.

# oo-frontend-plugin-modify --save > filename
# oo-frontend-plugin-modify --delete
# oo-frontend-plugin-modify --restore < filename
BZ#1045972
The MOTD_FILE setting in the /etc/openshift/node.conf file on the node host contained an extraneous white space at the beginning of the quoted string. If this setting was used as provided, the MOTD file was not read correctly. This bug fix removes the leading white space in the quoted string, and the supplied example MOTD_CONF setting now works correctly.
BZ#1054944
When an application deployment is performed using the git push command, a REST API call registers the new deployment with the broker. If this call fails for any reason, the HAProxy cartridge in a scalable application is not correctly restarted, and the application is unavailable until the HAProxy cartridge is restarted. This bug fix adds logic to allow the HAProxy cartridge to restart during the deployment even if the registration failed. Therefore, in the event that the registration fails, the application is correctly deployed and remains available. Because all known deployments are reported each time, the broker receives a fully updated list after the next successful deployment registration.
BZ#1032798
Previously, when a node host attempted to insert an iptables rule without first verifying that the target table existed, a scalable application could not be created where iptables rules were not defined. This bug fix adds logic to the oo-diagnostics tool to check for missing iptables rules. The oo-admin-ctl-iptables-port-proxy tool has been updated to confirm that the expected tables exist before modifying them, and to provide useful warning messages when the table is missing in the active configuration.
BZ#988756
Previously, cartridge scripts that depend on the bc package for calculating various JVM parameters failed due to a missing requirement in the JBoss EAP and JBoss EWS packages. This bug fix adds the bc package requirement to the cartridges, and these failures no longer occur.

Cartridge

BZ#1061424
The --hot-deploy option was ignored when deploying an application using the binary deployment method. This bug fix adds the missing handling for the --hot-deploy option to the binary deployment logic and the option is now recognized. The MCollective service must be restarted on each node host after applying this fix.
BZ#1057956
While successfully creating or scaling an application, the scale_events.log file on HAProxy cartridges displayed this error message: "Failed to get information from haproxy". This occurred due to common HAProxy operations and was potentially confusing because there was no actual problem. This bug fix suppresses the messages during such operations and now the logs do not show extraneous error messages. The following commands must be run on the broker host after applying this fix:

# rm -rf /tmp/oo-upgrade
# oo-admin-upgrade upgrade-node --version=2.0.3

See the Solution section in the errata advisory for full details.
BZ#1054916
Administrators can now provide additional, custom httpd configurations to cartridges that are based on httpd without requiring custom cartridges. The custom configurations are read after the rest of the configurations for each gear, effectively overriding or expanding most gear httpd configurations. See https://access.redhat.com/site/articles/726143 for more details.
BZ#1057183
Previously, the way the HAProxy cartridge determined when to scale an application was not optimal because it checked the number of connections against a fixed threshold, which could impact stability or performance. This enhancement improves the HAProxy cartridge so that it uses a moving average of the number of current connections and provides a configurable threshold. The following commands must be run on the broker host after applying this fix:

# rm -rf /tmp/oo-upgrade
# oo-admin-upgrade upgrade-node --version=2.0.3

See the Solution section in the errata advisory for full details.
BZ#1061423
After restoring an application snapshot, gears with the hot_deploy marker did not restart. This bug fix updates the marker logic and gears with the hot_deploy marker now restart correctly. The MCollective service must be restarted on each node host after applying this fix.
BZ#1056394
Attempts to restore an application snapshot would fail when restoring from a snapshot that was created after a cartridge was moved, due to empty deployments that were created during the move. This bug fix corrects the cartridge move logic and the empty deployments are no longer created. Note that this only applies to gears created after applying this fix. For existing applications experiencing this issue, the ~/app-deployments/ directory must be searched for any empty directories, which then must be removed with the rmdir command.
BZ#1057447
During a restart, the Ruby cartridge attempted to modify a file in the ${OPENSHIFT_REPO_DIR}/tmp directory, which in some cases did not exist. Therefore, the Ruby cartridge would fail to restart on gears that were missing this directory. This bug fix adds a test to ensure ${OPENSHIFT_REPO_DIR}/tmp exists before creating or modifying any files in that directory. The following commands must be run on the broker host after applying this fix:

# rm -rf /tmp/oo-upgrade
# oo-admin-upgrade upgrade-node --version=2.0.3

See the Solution section in the errata advisory for full details.
BZ#1051190
Users can now create a new action hook that makes automatic scaling decisions for a specific application using a customized haproxy_ctld.rb script. See the OpenShift Enterprise User Guide for more information.

Client Tools

BZ#1063769
Rollbacks initiated by the OpenShift Enterprise client tools only occurred on the head gear due to an incompatibility between the client tools and the deployment API. This bug fix updates the client tools so that the correct deployment API is called, and rollbacks now work correctly.
BZ#1059900
The OpenShift Enterprise client tools depended on the Ruby method Array#sort_by!, which is not implemented in Ruby 1.8.7, causing an error when attempts were made to generate the domain members list. This bug fix updates the client tools to use the Ruby method Array#sort_by, which is defined in Ruby 1.8.7, and errors no longer occur when generating the domain members list.

Management Console

BZ#1056905
The Management Console has been updated to include improved error message highlighting when adding a non-existent member to a domain. The openshift-console service must be restarted after applying this fix.

Chapter 17. RHBA-2014:0102 - OpenShift Enterprise 2.0.2 Bug Fix and Enhancement Update

OpenShift Enterprise 2.0.2 is now available with updates to packages that fix several bugs and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/rhel6-rhose2-errata.html for more information.

Important

See the OpenShift Enterprise 2.0 Release Notes at https://access.redhat.com/site/documentation for instructions on how to apply this specific update.
This update addresses the following bug fixes and enhancements:

Broker

BZ#1049566
Routing SPI messages are now updated to include gear UUIDs, which allows administrators to address specific gears within an application. This is useful, for example, for adding dynamic DNS entries or adding gears to a load balancing pool. These updates, along with other changes pertaining to the sample ActiveMQ routing plug-in, are now documented in the OpenShift Enterprise Deployment Guide.
BZ#1048943
The oo-admin-ctl-user tool would only allow administrators to edit user information for one user at a time. This has been fixed and administrators can now update user information for multiple users at a time. See the OpenShift Enterprise Administration Guide for more information on how to use the oo-admin-ctl-user tool.
BZ#1017656
Users experienced failures when attempting to create multiple domains in the Management Console because a required method was missing from the code base. This issue has been fixed and users are now able to create multiple domains with the Management Console.
BZ#1049741
When users clicked “Share this link” while creating a new application with a custom cartridge manifest in the Management Console, a name in the “Public URL” field was generated that incorrectly included the suffix from the URL or path of the manifest. This issue has been fixed so that suggested names are generated without these suffixes.
BZ#1050179
The page title for the OpenShift Enterprise Administration Console was incorrectly labeled OpenShift Origin. This has been fixed and the correct product name is now displayed.
BZ#1038558
When creating domains in the Management Console, the invalid input field was highlighted when an invalid domain name was specified. However, the corresponding error message was not highlighted, causing confusion for users because the error was not immediately recognized. This has been fixed and the corresponding error message is now highlighted when an invalid domain name is specified.
BZ#1034647
Invalid UTF-8 characters were accepted as values for environment variables, causing errors during operations that utilized those variables. The input validation for environment variables that are configured by users now includes UTF-8 encoding, and as a result invalid UTF-8 characters are now rejected.
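
The kind of check described in BZ#1034647 above, as an added example that is not the broker's own validation code: it rejects environment variable values that are not well-formed UTF-8 and reports where the first bad byte sits. The function names and the sample values are constructed for illustration.

```ruby
# Added illustration, not the broker's validation code.

# Returns the byte offset of the first invalid UTF-8 sequence in raw,
# or nil when the whole value is well-formed UTF-8.
def first_invalid_utf8_offset(raw)
  # Values read from a socket or file are often tagged ASCII-8BIT; re-tag a
  # copy as UTF-8 so the check looks at the bytes, not the label.
  value = raw.dup.force_encoding(Encoding::UTF_8)
  return nil if value.valid_encoding?

  offset = 0
  value.each_char do |char|
    return offset unless char.valid_encoding?
    offset += char.bytesize
  end
  nil
end

# Splits user-supplied variables into accepted names and rejected offsets.
def validate_env_vars(vars)
  rejected = {}
  vars.each do |name, raw|
    offset = first_invalid_utf8_offset(raw)
    rejected[name] = offset unless offset.nil?
  end
  { accepted: vars.keys - rejected.keys, rejected: rejected }
end

# Constructed sample input (not taken from the bug report).
SAMPLE_VARS = {
  'GREETING'  => "h\xC3\xA9llo".b, # valid two-byte sequence
  'TRUNCATED' => "caf\xC3".b,      # lead byte with no continuation
  'OVERLONG'  => "\xC0\xAF".b,     # overlong encoding of "/"
  'SURROGATE' => "\xED\xA0\x80".b, # UTF-16 surrogate U+D800
  'LATIN1'    => "ol\xE9".b        # ISO-8859-1 byte, not UTF-8
}
```

Overlong and surrogate sequences are worth rejecting explicitly because lenient decoders downstream may interpret them differently from the component that validated them.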

Node

BZ#1033146
The MAVEN_ARGS environment variable could not be set with JBoss EWS cartridges because it would reset to the default value of the cartridge when application changes were pushed. This fix updates the build script for the JBoss EWS cartridge so that the default value of the cartridge is only used if MAVEN_ARGS is not defined. If it is defined, the user configuration is used.
BZ#1047440
Jenkins builds could not access the ./perl/perl5lib/lib/perl5/ directory due to missing symlinks in the managed_files.yml file of the Perl cartridge. This fix adds the required symlinks to the managed_files.yml file so that new applications that are deployed with the updated Perl cartridge are correctly built in Jenkins. Note that the ruby193-mcollective service must be restarted on node hosts after applying this fix.
BZ#1032920
The Python cartridge included files and directories from the upstream community cartridge that were not applicable to OpenShift Enterprise. The unnecessary community files and directories have been removed from the current version of the Python cartridge.
BZ#998995
When a cartridge was installed with the oo-admin-cartridge tool, the SELinux contexts were preserved on files installed with the cartridge instead of being set to the appropriate context for the install destination. This caused a mismatch between broker and node hosts because the cartridge list was not updated correctly on node hosts. This issue has been fixed and the SELinux contexts are now set correctly, allowing the cartridge list to be correctly updated, and the mismatch between broker and node hosts no longer occurs.
BZ#1048952
While logged into a gear, if a file was edited with vim, vim would attempt to write to the ~/.viminfo file. However, users would receive an error message because they did not have write permissions to that file. This fix points the .vimrc file to ~/data/.viminfo, and this error message no longer occurs because users are able to write to that file.

Appendix A. Revision History

Revision History
Revision 1.0-17, Wed Aug 24 2016, Alex Dellapenta
Added section for RHSA-2016:1773.
Revision 1.0-16, Tue Mar 22 2016, Alex Dellapenta
Added section for RHSA-2016:0489.
Revision 1.0-15, Thu Dec 17 2015, Alex Dellapenta
Added section for RHSA-2015:2666.
Revision 1.0-14, Wed Sep 30 2015, Alex Dellapenta
Added section for RHSA-2015:1844.
Revision 1.0-13, Wed Jul 22 2015, Alex Dellapenta
Added section for RHBA-2015:1463.
Revision 1.0-12, Mon Apr 6 2015, Alex Dellapenta
Added section for RHBA-2015:0779.
Revision 1.0-11, Thu Feb 12 2015, Alex Dellapenta
Added section for RHBA-2015:0220.
Revision 1.0-10, Thu Jan 8 2015, Alex Dellapenta
Added section for RHBA-2015:0019.
Revision 1.0-9, Wed Dec 10 2014, Alex Dellapenta
Added section for RHBA-2014:1979.
Revision 1.0-8, Tue Nov 25 2014, Alex Dellapenta
Added section for RHSA-2014:1906.
Revision 1.0-7, Thu Oct 2 2014, Alex Dellapenta
Added section for RHBA-2014:1353.
Revision 1.0-6, Tue Sep 16 2014, Alex Dellapenta
Updated text for BZ#1065048 and BZ#1135062.
Revision 1.0-5, Thu Sep 11 2014, Alex Dellapenta
Added section for RHBA-2014:1183.
Revision 1.0-4, Tue Aug 26 2014, Alex Dellapenta
Added section for RHBA-2014:1095.
Revision 1.0-3, Mon Aug 4 2014, Alex Dellapenta
Added section for RHBA-2014:0999.
Revision 1.0-2, Mon Jun 23 2014, Alex Dellapenta
Added section for RHBA-2014:0781.
Revision 1.0-1, Tue Feb 25 2014, Alex Dellapenta
Added section for RHBA-2014:0209.
Revision 1.0-0, Tue Jan 28 2014, Alex Dellapenta
Initial creation for RHBA-2014:0102.

Legal Notice

Copyright © 2014 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.