Chapter 3. Bug Fixes

OpenShift Enterprise 2.2 fixes the following bugs:
The /etc/openshift-enterprise-release file was not consistently updated when a host updated to a newer asynchronous release (for example, release 2.1.7). This was due to the openshift-enterprise-release RPM package, which provides the file, only being consistently updated for use during minor release upgrades (for example, upgrading from release 2.0 to 2.1). This issue led to confusion when trying to later determine the installed asynchronous release of an OpenShift Enterprise deployment. This bug fix updates the file to "OpenShift Enterprise 2.2.0" and future asynchronous releases will ensure that this file is updated accordingly.
OpenShift Enterprise (OSE) 2.1 was originally released on Red Hat Enterprise Linux (RHEL) 6.5.  In order for the mmopenshift plugin to work, the rsyslog7 package from RHEL 7 was shipped in the OSE 2.1 channel. Later, RHEL 6.6 shipped its own rsyslog7 package that was incompatible with the one from OSE. This created many edge cases for RPM conflicts and confusing configurations. This bug fix updates the rsyslog7-mmopenshift package for compatibility with RHEL 6.6. The installation script and the ose-upgrade tool used for upgrading from 2.1 to 2.2 have been updated to handle the configuration changes as well. The rsyslog7 package from RHEL 6.6 conflicts with the base rsyslog package. A manual upgrade can be done with the following steps:

# cp -f /etc/rsyslog7.d/* /etc/rsyslog.d/

# yum shell --disableplugin=priorities -y <<YUM
# erase rsyslog rsyslog7-7.4.7 rsyslog7-mmopenshift-7.4.7
# install rsyslog7 rsyslog7-mmopenshift
# transaction run

# sed -i 's/rsyslog7.d/rsyslog.d/' /etc/rsyslog.conf
# service rsyslog start
When the EXTERNAL_ETH_DEV parameter in the /etc/openshift/node.conf file was set to a device that did not have a globally scoped IPv4 address, such as "lo", the oo-iptables-port-proxy command failed with unhelpful output. As a result, after an application creation failed because of this issue, it was difficult to determine the root cause when investigating logs on a node host. This bug fix adds logic to the oo-iptables-port-proxy command to produce better logs when a device does not have a globally scoped IPv4 address, and the logs when investigating this type of issue are now more clear.
Previously, attempting to use the client tools with OpenShift Enterprise (OSE) environments that had SSLv3 disabled resulted in connection errors. This was due to an issue with the rubygem-httpclient and ruby193-rubygem-httpclient packages prior to version 2.4, which were what shipped in OSE channels. This bug fix updates the rubygem-httpclient package in the OSE Client Tools channel and the ruby193-rubygem-httpclient package in the OSE Broker Infrastructure channel both to version 2.4. As a result, the client tools now connect successfully with OSE environments that have SSLv3 disabled.
The oo-diagnostics tool did not verify the source of the package dependencies for the python-3.3 cartridge as it did for the python-2.7 cartridge. As a result, it was possible for these packages to be missed during the tool's RPM test if they were installed from an unsupported source. This bug fix adds the relevant packages to the tool's RPM test and the python-3.3 cartridge dependencies are now properly verified.
For applications using a PostgreSQL cartridge, any configuration changes made to the ~/postgresl/data/postgresql.conf file were overwritten when the cartridge was restarted. However, some applications require certain values for the datestyle and locale settings in this file in order to run correctly. This bug fix adds the OPENSHIFT_POSTGRESQL_DATESTYLE and OPENSHIFT_POSTGRESQL_LOCALE environment variables for the PostgreSQL cartridges, and users can now set these values persistently.
Previously, when attempting to quit while using the oo-install installation utility, the installation process instead continued. This bug fix updates the utility to ensure quitting while configuring the deployment successfully returns to the main menu and quitting from the main menu exits the utility completely. Configuration values are still saved in the ~/.openshift/oo-install-cfg.yml file.
When stopping an application that used a JBoss EWS cartridge, cartridge log files did not show any information related to the stop action. This issue was due to the cartridge sending a SIGKILL to the processes instead of a SIGTERM. This bug fix updates the JBoss EWS cartridge control logic, and cartridge logs for these applications now show information relates to the stop action.
When adding an invalid SSL certificate to an existing application alias, the Management Console did not show any information regarding the validity of the certificate file or key or the success of the operation. The client tools, however, did show this information for the same operation. This bug fix updates the Management Console to show the same error messages as the client tools when adding invalid SSL certificates to existing aliases.
The HAProxy cartridge did not consider a "401 unauthenticated" status code valid for health checks. As a result, when a scaled application required HTTP Basic Authentication, the HAProxy health checks failed and marked the server as down, resulting in a 503 internal server error response from the application. This bug fix updates the HAProxy cartridge to add 401 to the default expected status codes for health checks, and applications requiring HTTP Basic Authentication can now work in scaled mode. This bug fix also provides the ability for administrators and users to change the expected status code list and the health check URI values using the OPENSHIFT_HAPROXY_HTTPCHK_EXPECT_RSTATUS and OPENSHIFT_HAPROXY_HTTPCHK_URI environment variables.
On a node host, placing any files in the /var/lib/openshift/.cartridge_repository directory that were not cartridge directories and restarting the MCollective service caused MCollective to fail. A warning message was reported in logs, and the process continued without error, however no messages were serviced or sent. This bug fix updates this logic to allow for any files in the .cartridge_repository directory, and MCollective now operates correctly in this scenario.
Previously, the PostgreSQL cartridges were missing dates and time stamps in their logs. This bug fix updates these cartridges, and their logs now include dates and timestamps.
After using the Management Console to add a SSL certificate with a separate certificate chain file to an application alias, some browsers reported the site as untrusted. This was due to a bug in the Management Console's logic to strip certificate content when appending a chain file. This bug fix updates this logic, and SSL certificates added using this method now validate correctly.
OpenShift Enterprise node web proxies previously had SSLv3 enabled, making them susceptible to POODLE-style attacks. This bug fix updates the node web proxies to remove SSLv3 support, and as a result they are no longer susceptible to these issues.
The oo-iptables-port-proxy command had a typo in its usage output. This bug fix updates the usage "showproxies" to instead show the correct usage "showproxy".
Previously, incomplete deployments that had never been activated caused the broker to no longer update the deployments list for the application. This created a situation where the user would be unable to rollback a failed deployment if the last successful deployment was after an incomplete one. This bug fix updates node logic to skip incomplete deployments when reporting to the broker, and as a result users can successfully rollback deployments in this scenario.
Previously, background requests made to the broker from the Management Console were performed under a hard-coded timeout of 10 seconds. As a result, it was possible to hit this timeout under certain conditions, for example due to users having a high number of domains and gears or network latency. This bug fix adds the BACKGROUND_REQUEST_TIMEOUT parameter to the /etc/openshift/broker.conf file on broker hosts, and this timeout is now a configurable value (in seconds).
If a gear size is already in use, for example by being an allowed size for a user domain, an administrator later removing that size from the VALID_GEAR_SIZES list in the /etc/openshift/broker.conf file can cause validation problems during subsequent operations. For example, an error would occur while attempting to add a new gear size to an existing user domain where the removed size was still allowed. This bug fix updates the oo-admin-chk tool to check for inconsistencies in allowed gear sizes between domains in MongoDB records and the valid gear sizes in the broker configuration. This bug fix also adds the --gear-size option to the oo-admin-repair tool which fixes such inconsistencies by removing all invalid gear sizes from the allowed sizes list of all domains.
The Management Console did not display vendor names when multiple cartridges had the same name, while the client tools did make this distinction. This bug fix updates the Management Console to show the vendor of a cartridge when more than one cartridge has the same name. As a result, it now easier to distinguish between cartridges in the Management Console in these scenarios.
This release updates the version of HAProxy provided by the haproxy15side package to 1.5.4.
Previously, there was a race condition when using the apache-vhost front-end server plug-in. If the "oo-httpd-singular graceful" command was run to incorporate one gear vhost update while another gear was creating its vhost configuration, the configuration was left in a bad state and the httpd service would not restart. As a result, the vhost configuration would cease being updated and newly-added gears would be unreachable via the vhost front-end server. If the httpd service was stopped, it would fail to start until the configuration was fixed. This bug fix extends a lock around the call to the oo-httpd-singular command, and as a result the race condition no longer occurs.
The oo-admin-ctl-iptables-port-proxy command uses the "iptables -L" command in several places, which by default attempts to reverse-resolve the IPs listed to host names. Since most of the IPs on a node are internal and have no host name associated, all configured name servers may be consulted once for each rule in the tables. If all nameservers are appropriately configured, "service openshift-iptables-port-proxy restart" tends to take a few seconds. If any name servers are unreachable or slow in responding, resolving several thousand internal IPs was reported to take over an hour. This bug fix adds the -n flag to the iptables command used by oo-admin-ctl-iptables-port-proxy command so that it does not attempt to reverse-resolve IPs, which was unnecessary to begin with. As a result, the "service openshift-iptables-port-proxy restart" command completes in sub-second timing under either condition.