Red Hat OpenShift Application Runtimes Release Notes

Red Hat OpenShift Application Runtimes 1

For use with Red Hat OpenShift Application Runtimes

Red Hat Customer Content Services

Abstract

This Release Note contains important information related to Red Hat OpenShift Application Runtimes

Chapter 1. Supported Runtime Component Configurations and Integrations

The following resources define the support scope for RHOAR runtime components:

Chapter 2. Technology Preview

Red Hat does not provide support for Technology Preview components provided with this release of Red Hat OpenShift Application Runtimes. Items designated as Technology Preview in the sections below have limited supportability, as defined by the Technology Preview Features Support Scope.

Technology preview features and components provided with this release include:

Chapter 3. RHOAR Deployment Platforms

Container Development Kit

RHOAR runtimes have been tested on Red Hat Container Development Kit (CDK). CDK configures a pre-built Single-node OpenShift Cluster cluster on a local machine. CDK includes Minishift and the oc CLI tool. CDK provides users with a means of deploying Booster applications locally. CDK is available for download from the Red Hat Developer Portal. A free Red Hat developer account is required to access the download.

OpenShift Online Pro

RHOAR runtimes have been tested on OpenShift Online Pro.

OpenShift Online Starter

It is possible to use RHOAR on the zero-cost OpenShift Online Starter cluster, although issues may arise due to resource quotas for some boosters and for executing advanced commands (scale up, rolling upgrade, etc).

OpenShift Container Platform

RHOAR runtimes are fully supported on the OpenShift Container Platform.

Chapter 4. Required Infrastructure Component Versions

The following versions of infrastructure components are required for all runtimes distributed as part of a RHOAR release. Red Hat does not provide support for components listed below, with the exception of components explicitly designated as supported.

Component nameVersion

Fabric8 Maven Plugin

3.5.38

Maven

3.3.1 or later

Node.js v8[a]

8.11.2 LTS

Node.js v10[b]

10.1.0 LTS

Nodeshift

1.7.1

npm[c]

5.6.0

OpenShift Container Platform (OCP)[d]

3.9 or later

Minishift

1.16.1 or later

CDK[e]

3.4.0

JDK[f][g]

Java 8 JDK[h]

git

2.0 or later

oc command line tool

3.9 or later[i]

[a] The RHOAR Node.js v8 release is supported by Red Hat
[b] The RHOAR Node.js v10 release is supported by Red Hat
[c] Distributed with RHOAR as a supported RPM
[d] OCP is supported by Red Hat
[e] CDK is supported by Red Hat
[f] A full JDK installation is required, as JRE does not provide tools for compiling Java applications from source.
[g] Red Hat OpenJDK is supported by Red Hat
[h] All versions of Java 8 are supported. Runtimes provided with this release do not support Java 9.
[i] The version of the oc CLI tool should correspond to the version of OCP that you are using.

Chapter 5. Common RHOAR Components

5.1. Fabric8 Maven Plugin

5.1.1. Known Fabric8 Maven Plugin Issues

5.1.1.1. Error pulling image when redeploying an application on OpenShift 3.7

Description

When deploying an application on OpenShift, the initial deployment succeeds, but re-deploying application using the Fabric8 Maven plugin results in the pod becoming stuck in the ImgPullErr state for extended periods of time. After several retries, the re-deployment completes successfully. The issue occurs on OpenShift 3.7.

Workaround

Before applying this workaround, ensure that you are using Fabric8 Maven Plugin version 3.5.35 and above. After deploying your application using mvn fabric8:deploy, re-deploy it manually using:

mvn -Dfabric8.openshift.trimImageInContainerSpec=true fabric8:deploy

Chapter 6. Eclipse Vert.x

The Eclipse Vert.x runtime artifacts provided with this release of RHOAR are all based on community version 3.5.1.

6.1. Supported Maven Artifacts Provided with Eclipse Vert.x

GroupIDArtifactIDVersion

io.vertx

vertx-auth

3.5.1.redhat-004

io.vertx

vertx-auth-htdigest

3.5.1.redhat-004

io.vertx

vertx-jwt

3.5.1.redhat-004

io.vertx

vertx-auth-oauth2

3.5.1.redhat-004

io.vertx

vertx-circuit-breaker

3.5.1.redhat-004

io.vertx

vertx-config

3.5.1.redhat-004

io.vertx

vertx-config-kubernetes-configmap

3.5.1.redhat-004

io.vertx

vertx-config-yaml

3.5.1.redhat-004

io.vertx

vertx-core

3.5.1.redhat-004

io.vertx

vertx-grpc

3.5.1.redhat-004

io.vertx

vertx-health-check

3.5.1.redhat-004

io.vertx

vertx-infinispan

3.5.1.redhat-004

io.vertx

vertx-mongo-client

3.5.1.redhat-004

io.vertx

vertx-mqtt

3.5.1.redhat-004

io.vertx

vertx-jdbc-client

3.5.1.redhat-004

io.vertx

vertx-proton

3.5.1.redhat-004

io.vertx

vertx-rx

3.5.1.redhat-004

io.vertx

vertx-service-discovery

3.5.1.redhat-004

io.vertx

vertx-service-discovery-bridge-kubernetes

3.5.1.redhat-004

io.vertx

vertx-sockjs-service-proxy

3.5.1.redhat-004

io.vertx

vertx-web

3.5.1.redhat-004

io.vertx

vertx-web-client

3.5.1.redhat-004

io.vertx

vertx-web-templ-freemarker

3.5.1.redhat-004

io.vertx

vertx-web-templ-handlebars

3.5.1.redhat-004

6.2. Technology Preview Maven Artifacts Provided with Eclipse Vert.x

Red Hat provides limited support for Eclipse Vert.x artifacts designated as Technology Preview:

Group IDArtifact IDVersion

io.vertx

vertx-kafka-client

3.5.1.redhat-004

io.vertx

vertx-rx-java2

3.5.1.redhat-004

io.vertx

vertx-config-vault

3.5.1.redhat-004

io.vertx

vertx-micrometer-metrics

3.5.1.redhat-004

6.3. Eclipse Vert.x Maven Artifacts provided with Developer Support

The following artifacts are available with RHOAR Eclipse Vert.x within the Development Support scope for Red Hat products. Red Hat provides no support for use of the listed artifacts in production-level environments. Red Hat may provide a limited level of support for the use of these artifacts in application development. Such support is typically limited to providing knowledge about the component to the developer for the purposes of development only, and without any commitment to guarantee the functionality of the component in question outside of a development environment.

Group IDArtifact IDVersion

io.vertx

vertx-junit5

3.5.1.redhat-004

io.vertx

vertx-unit

3.5.1.redhat-004

6.4. Deprecated Eclipse Vert.x Maven Artifacts

Group IDArtifact IDVersion

io.vertx

vertx-rx-java

3.5.1.redhat-004

io.vertx

vertx-hawkular-metrics

3.5.1.redhat-004

6.5. New Eclipse Vert.x features introduced in this release

This release of RHOAR Eclipse Vert.x introduces the following new features and feature updates:

JBoss Data Grid Infinispan 8.5.0
The vertx-infinispan component provided with this release of RHOAR Eclipse Vert.x uses artifacts provided by the JBoss Data Grid 7.2. These components replace the community Infinispan that vertx-infinispan depended on in the previous releases of RHOAR Eclipse Vert.x.

6.6. Resolved Eclipse Vert.x Issues

The RHOAR Eclipse Vert.x 3.5.1 release serves as a replacement for RHOAR Eclipse Vert.x 3.4.2, and includes bug fixes and enhancements. For a detailed list of issues resolved in the community Eclipse Vert.x 3.5.1 release, see the community release notes.

6.6.1. CVE-2018-7489

Affected component
jackson-databind
Issue summary
Incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries.
Red Hat CVE database entry
CVE-2018-7489
Bugzilla Bug ID
1549276

6.7. Known Eclipse Vert.x Issues

6.7.1. False Connection reset by peer error messages when calling application endpoint

Description:

Making an HTTP request on an endpoint of a Vert.x application using either curl or a Java HTTP client, produces the following error in the logs after each request:

io.vertx.core.net.impl.ConnectionBase
SEVERE: java.io.IOException: Connection reset by peer

This behavior is caused by the interaction of the Netty application framework and the HAProxy load-balancer used by OpenShift. The error occurs due to existing HTTP connections being re-used by HAProxy without closing. Even though the error message is logged, no error condition occurs. HTTP requests are handled correctly and the application responds as expected.

6.7.2. Application build fails due to missing class definition for vertx-jdbc-client

Description

Build fails when deploying an application that uses vertx-jdbc-client to OpenShift.

Cause

Eclipse Vert.x 3.5.1.redhat-003 uses Agroal as the default JDBC connection pool, instead of c3p0 used in previous releases.

This change leads the following issues:

  1. Maven dependencies for Agroal are not defined in the Eclipse Vert.x BOM file. You must specify these dependencies manually in the pom.xml file of your project.
  2. The Agroal connection pool uses different property names than c3p0. You must update the JDBC client configuration to use the correct property names.
  3. After you resolve the issues listed above, the application builds and deploys correctly to OpenShift, but the pod logs show an HTTP error code 500. This is likely caused by a data source bug.

Workaround

Avoid using the Agroal connection pool in your application. Manually switch to using the c3p0 connection pool by setting the provider_class property to io.vertx.ext.jdbc.spi.impl.C3P0DataSourceProvider when configuring your JDBC client:

JsonObject config = new JsonObject()
.put("url", JDBC_URL)
.put("driver_class", "org.postgresql.Driver")
.put("user", JDBC_USER)
.put("password", JDBC_PASSWORD)
.put("castUUID", true)
.put("provider_class", "io.vertx.ext.jdbc.spi.impl.C3P0DataSourceProvider");

Chapter 7. WildFly Swarm

The WildFly Swarm runtime artifacts provided with this release of RHOAR are all based on upstream version 2018.3.3.

Important

The WildFly Swarm 7.1.0.redhat-77 productized rutime artifact BOM no longer imports the Red Hat JBoss Enterprise Application Platform runtime artifacts BOM (org.jboss.bom:eap-runtime-artifacts). To use the dependencies provided by the Red Hat JBoss Enterprise Application Platform runtime artifacts BOM in your application, import the BOM in the pom.xml file of your Maven project.

7.1. Supported Maven Artifacts Provided with WildFly Swarm

Group IDArtifact IDVersion

org.wildfly.swarm

spi

7.1.0.redhat-77

org.wildfly.swarm

web

7.1.0.redhat-77

org.wildfly.swarm

undertow

7.1.0.redhat-77

org.wildfly.swarm

jaxrs-cdi

7.1.0.redhat-77

org.wildfly.swarm

cdi

7.1.0.redhat-77

org.wildfly.swarm

microprofile

7.1.0.redhat-77

org.wildfly.swarm

connector

7.1.0.redhat-77

org.wildfly.swarm

ejb

7.1.0.redhat-77

org.wildfly.swarm

transactions

7.1.0.redhat-77

org.wildfly.swarm

jaxrs-jsonp

7.1.0.redhat-77

org.wildfly.swarm

management

7.1.0.redhat-77

org.wildfly.swarm

cdi-config

7.1.0.redhat-77

org.wildfly.swarm

datasources

7.1.0.redhat-77

org.wildfly.swarm

jpa

7.1.0.redhat-77

org.wildfly.swarm

jsf

7.1.0.redhat-77

org.wildfly.swarm

jaxrs

7.1.0.redhat-77

org.wildfly.swarm

jmx

7.1.0.redhat-77

org.wildfly.swarm

topology-webapp

7.1.0.redhat-77

org.wildfly.swarm

jca

7.1.0.redhat-77

org.wildfly.swarm

keycloak

7.1.0.redhat-77

org.wildfly.swarm

bean-validation

7.1.0.redhat-77

org.wildfly.swarm

topology-openshift

7.1.0.redhat-77

org.wildfly.swarm

jaxrs-jaxb

7.1.0.redhat-77

org.wildfly.swarm

remoting

7.1.0.redhat-77

org.wildfly.swarm

hibernate-validator

7.1.0.redhat-77

org.wildfly.swarm

container

7.1.0.redhat-77

org.wildfly.swarm

logging

7.1.0.redhat-77

org.wildfly.swarm

request-controller

7.1.0.redhat-77

org.wildfly.swarm

jsonp

7.1.0.redhat-77

org.wildfly.swarm

naming

7.1.0.redhat-77

org.wildfly.swarm

security

7.1.0.redhat-77

org.wildfly.swarm

ee

7.1.0.redhat-77

org.wildfly.swarm

jaxrs-multipart

7.1.0.redhat-77

org.wildfly.swarm

topology

7.1.0.redhat-77

org.wildfly.swarm

msc

7.1.0.redhat-77

org.wildfly.swarm

jaxrs-validator

7.1.0.redhat-77

org.wildfly.swarm

io

7.1.0.redhat-77

org.wildfly.swarm

opentracing

7.1.0.redhat-77

org.wildfly.swarm

jaeger

7.1.0.redhat-77

7.2. Tested Maven Artifacts Provided with WildFly Swarm

Maven artifacts designated as Tested that are provided with a RHOAR WildFly Swarm release are not supported.

Group IDArtifact IDVersion

org.wildfly.swarm

hystrix

2018.3.3

org.wildfly.swarm

ribbon

2018.3.3

org.wildfly.swarm

ribbon-secured

2018.3.3

org.wildfly.swarm

ribbon-secured-client

2018.3.3

org.wildfly.swarm

archaius

2018.3.3

org.wildfly.swarm

arquillian

2018.3.3

7.3. Technology Preview Maven Artifacts Provided with WildFly Swarm

Red Hat provides limited support for WildFly Swarm artifacts designated as Technology Preview:

Group IDArtifact IDVersion

io.jaegertracing

jaeger-core

0.27.0.redhat-4

io.jaegertracing

jaeger-micrometer

0.27.0.redhat-4

io.jaegertracing

jaeger-parent

0.27.0.redhat-4

io.jaegertracing

jaeger-thrift

0.27.0.redhat-4

io.jaegertracing

jaeger-tracerresolver

0.27.0.redhat-4

io.opentracing

opentracing-api

0.31.0.redhat-7

io.opentracing

opentracing-mock

0.31.0.redhat-7

io.opentracing

opentracing-noop

0.31.0.redhat-7

io.opentracing

opentracing-util

0.31.0.redhat-7

io.opentracing

parent

0.31.0.redhat-7

io.opentracing.contrib

opentracing-tracerresolver

0.1.4.redhat-7

io.opentracing.contrib

opentracing-tracerresolver-parent

0.1.4.redhat-7

io.opentracing.contrib

opentracing-web-servlet-filter

0.1.0.redhat-26

io.opentracing.contrib

opentracing-web-servlet-filter-parent

0.1.0.redhat-26

org.keycloak

keycloak-authz-client

3.4.8.Final-redhat-6

7.4. Deprecated WildFly Swarm Maven Artifacts

Group IDArtifact IDVersion

org.wildfly.swarm

monitor

7.1.0.redhat-77

7.5. New WildFly Swarm features introduced in this release

This release of RHOAR WildFly Swarm introduces the following new features and feature updates:

MicroProfile 1.2
MicroProfile version 1.2 is included with this release of RHOAR WildFly Swarm.
Enterprise Application Platform 7.1.1.GA
EAP dependencies used by RHOAR WildFly Swarm have been updated and aligned with the 7.1.1.GA release of Red Hat JBoss Enterprise Application Platform.
Red Hat SSO 7.2.2.GA
This RHOAR WildFly Swarm release uses dependencies provided by Red Hat Single Sign-On release version 7.2.2.GA.
web hollow JAR file
WildFly Swarm now provides web application dependencies packaged as a standalone hollow JAR file.
microprofile hollow JAR file
WildFly Swarm provides MicroProfile dependencies packaged as a standalone hollow JAR file.

7.6. Known WildFly Swarm Issues

7.6.1. Swarm Arquillian adapter ignores mvn -s settings.xml

Issue Key:

SWARM-1546

NOTE: You do not have to log into JIRA to view this issue.

7.6.2. MicroProfile Fault Tolerance: CDI contexts not available in @Timeout methods

Description

If your application contains a @Timeout method that uses a contextual service , such as the @RequestScoped MyService shown in the example below, the contexts are not activated for that service.

@Inject
private MyService service;

@Timeout
public String doSomething() throws InterruptedException {
    return "Hello " + service.call();
}

The method is not @Asynchronous and should, therefore, be executed on the caller thread, which would make the CDI (Context and Dependency Injection) contexts available. However, the following debug message indicates that the contexts are not available:

2018-04-03 21:16:35,976 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /: org.jboss.weld.context.ContextNotActiveException: WELD-001303: No active contexts for scope type javax.enterprise.context.RequestScoped

Cause

This issue is caused by @Timeout methods always being invoked on a separate thread, even if they are not @Asynchronous.

Workaround

At the time of this release, there is no workaround available for this issue.

7.6.3. MicroProfile JWT: cannot use different roles for different methods with parameterized @Paths that share a common prefix

Description

Our implementation of MicroProfile JWT is unable to honor the @RolesAllowed annotations properly. This leads to a situation where separation of access roles to different endpoints does not work for methods with parameterized @Paths that share a common prefix.

Cause

The WildFly Swarm MicroProfile JWT implementation works by scanning for JAX-RS classes and converting the security annotations to <security-constraint> elements in the web.xml configuration file. If your endpoint contains a parameterized @Path, such as @Path("/my/{parameterized}/path"), a <security-constraint> element is created only for the prefix of the path, up to the first parameter. This, however, is insufficient to describe all JAX-RS possibilities.

Consider the following JAX-RS resource example:

@Path("/parameterized-paths")
public class ParameterizedPaths {
    @GET
    @Path("/my/{path}/admin")
    @RolesAllowed("admin")
    public String admin(@PathParam("path") String path) {
        return "Admin accessed " + path;
    }

    @GET
    @Path("/my/{path}/view")
    @RolesAllowed("view")
    public String view(@PathParam("path") String path) {
        return "View accessed " + path;
    }
}

The example above contains a valid JAX-RS endpoint definition with a parameterized path. The method to be called is selected by the full URL, not just by the prefix.

Workaround

At the time of this release, there is no workaround available for this issue.

7.6.4. MicroProfile JWT: cannot use different roles for different methods with the same @Path but different @Produces and/or @Consumes annnotations

Description

Our implementation of MicroProfile JWT is unable to honor the @RolesAllowed annotations properly. This leads to a situation where separation of access roles to different methods does not work for methods that share a common @Path, but have different @Produces and/or @Consumes annnotations.

Cause

The WildFly Swarm MicroProfile JWT implementation works by scanning for JAX-RS classes and converting the security annotations to <security-constraint> elements in the web.xml configuration file. This only allows distinguishing between requests based on the URL and HTTP method they use. This, however, is insufficient to describe all JAX-RS possibilities.

Consider the following JAX-RS resource example using the plain and web access roles:

@Path("/content-types")
public class ContentTypesResource {
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("plain")
    public String plain() {
        return "Hello, world!";
    }

    @GET
    @Produces(MediaType.TEXT_HTML)
    @RolesAllowed("web")
    public String web() {
        return "<html>Hello, world!</html>";
    }
}

The example above is a 100% valid JAX-RS. The method to be called is selected by URL and by the Accept header. This pattern is often used by people building more complex REST APIs, that allow them to serve the same resource in multiple representations.

Workaround

At the time of this release, there is no workaround available for this issue.

7.6.5. MicroProfile Metrics: Application metric behavior does not conform to metrics specification

Description

When you build and package your application and then run the resulting -swarm.jar uberjar, the application metric is not registered immediately upon deployment. The application metric is registered only after the monitored method is called.

For example, your WildFly Swarm application contains a simple application metric, such as:

@ApplicationScoped
public class HelloService {
    @Counted(monotonic = true, name = "hello", absolute = true, displayName = "HELLO", description = "Number of hello invocations")
    public String hello() {
        return "Hello from counted method";
    }
}
Note

You can test whether application metrics are registered by issuing an OPTIONS HTTP request to the /metrics REST endpoint. For example, localhost:8080/metrics, when running your application locally.

Cause

The implementation does not conform to the current version of the MicroProfile Metrics specification. The specification will likely change in the future to allow this behavior.

Workaround

At the time of this release, there is no workaround available for this issue.

7.6.6. Harmless error message in application log: Missing org.glassfish:javax.el-api:3.0.1.b08-redhat-1

Description

If your application, or any of its dependencies, depends on the Java Expression Language, it will display the following warning message during startup.

Failed downloading org/glassfish/javax.el-api/3.0.1.b08-redhat-1/javax.el-api-3.0.1.b08-redhat-1.pom from https://repository.jboss.org/nexus/content/groups/public/. Reason:
org.eclipse.aether.transfer.ArtifactNotFoundException: Could not find artifact org.glassfish:javax.el-api:pom:3.0.1.b08-redhat-1 in jboss-public-repository-group (https://repository.jboss.org/nexus/content/groups/public/)
Failed downloading org/glassfish/javax.el-api/3.0.1.b08-redhat-1/javax.el-api-3.0.1.b08-redhat-1.pom from http://repo.gradle.org/gradle/libs-releases-local/. Reason:
org.eclipse.aether.transfer.ArtifactNotFoundException: Could not find artifact org.glassfish:javax.el-api:pom:3.0.1.b08-redhat-1 in gradle (http://repo.gradle.org/gradle/libs-releases-local)
Failed downloading org/glassfish/javax.el-api/3.0.1.b08-redhat-1/javax.el-api-3.0.1.b08-redhat-1.pom from https://repo.maven.apache.org/maven2/. Reason:
org.eclipse.aether.transfer.ArtifactNotFoundException: Could not find artifact org.glassfish:javax.el-api:pom:3.0.1.b08-redhat-1 in central (https://repo.maven.apache.org/maven2)
Failed downloading org/glassfish/javax.el-api/3.0.1.b08-redhat-1/javax.el-api-3.0.1.b08-redhat-1.pom from http://repo1.maven.org/maven2/. Reason:
org.eclipse.aether.transfer.ArtifactNotFoundException: Could not find artifact org.glassfish:javax.el-api:pom:3.0.1.b08-redhat-1 in central (http://repo1.maven.org/maven2)

The message is harmless and does not impact the functionality of the application.

Cause

The likely cause of this issue is related to the way dependency resolution works in WildFly Swarm. During the dependency resolution phase, WildFly Swarm ignores dependency exclusions, and thus pulls in javax.el-api, despite javax.el-api being excluded in the EAP BOM. Since it is interpreted as a valid dependency, it is indicated as missing due to being absent form the repository, which causes the error messages displayed in the build log.

Workaround

At the time of this release, there is no workaround available for this issue.

7.6.7. Maven build fails on downloading the org.wildfly.swarm:config-api-runtime artifact

Description

When building your application, Maven fails to download the org.wildfly.swarm:config-api-runtime artifact, causing the build to fail. This issue occurs when you manage the dependency versions in the pom.xml file of your application manually, that is, without importing the BOM:

<dependency>
  <groupId>org.wildfly.swarm</groupId>
‎  <artifactId>microprofile-config</artifactId>
‎‎  <version>${version.org.wildfly.swarm}</version>
‎</dependency>
‎<dependency>
‎‎  <groupId>org.wildfly.swarm</groupId>
‎  ‎<artifactId>undertow</artifactId>
‎‎  <version>${version.org.wildfly.swarm}</version>
‎</dependency>

Cause

The microprofile-config fraction depends on org.wildfly.swarm:microprofile-config-api, which depends on an old version of org.wildfly.swarm:config-api-runtime.

The BOM contains the correct version of org.wildfly.swarm:config-api-runtime. If dependency versions are specified manually and the BOM is not imported, like in the example above, Maven tries to download an unreleased version of org.wildfly.swarm:config-api-runtime, which obviously fails.

Workaround

Using the BOM is a preferred method of consuming dependencies in WildFly Swarm application projects. To ensure that the correct version of org.wildfly.swarm:config-api-runtime is used in your build, ensure that you import the BOM in the pom.xml file of your application.

Chapter 8. Spring Boot

8.1. Removal of OpenTracing Artifacts

Warning

OpenTracing Maven artifacts have not been tested with the 1.5.13.RELEASE release of RHOAR Spring Boot. These artifacts are therefore not included with this release of RHOAR Spring Boot. If your application is based on an earlier RHOAR Spring Boot release and depends on any of the OpenTracing artifacts provided by that release, upgrading to Spring Boot version 1.5.13.RELEASE might impact the functionality of your application.

8.2. Name Change in Selected Spring Boot Runtime Components

Important

The following RHOAR Spring Boot components have been renamed to follow the Spring Cloud naming convention. The original component names have been removed from the RHOAR Spring Boot BOM file and are therefore no longer usable. If you are using these components as dependencies in your project, ensure that you update the component names in the pom.xml file of your project to match the name change. RHOAR dependencies referenced using an outdated component names will not resolve correctly.

Note

You can still access the components using their original names by specifying them as Spring Cloud dependencies. If you do so, you receive a deprecation notice about the name change. Note that dependencies referenced this way are part of Spring Cloud, not part of RHOAR, and are not included in the Supported Spring Boot configurations and integrations.

Original component nameNew component name

spring-cloud-starter-feign

spring-cloud-starter-openfeign

spring-cloud-starter-hystrix

spring-cloud-starter-netflix-hystrix

spring-cloud-starter-ribbon

spring-cloud-starter-netflix-ribbon

spring-cloud-starter-zuul

spring-cloud-starter-netflix-zuul

8.3. Tested and Verified Maven Artifacts Provided with Spring Boot

Group IDArtifact IDVersion

org.projectlombok

lombok

1.16.20

org.springframework.boot

spring-boot

1.5.13.RELEASE

org.springframework.boot

spring-boot-test

1.5.13.RELEASE

org.springframework.boot

spring-boot-test-autoconfigure

1.5.13.RELEASE

org.springframework.boot

spring-boot-actuator

1.5.13.RELEASE

org.springframework.boot

spring-boot-actuator-docs

1.5.13.RELEASE

org.springframework.boot

spring-boot-autoconfigure

1.5.13.RELEASE

org.springframework.boot

spring-boot-configuration-metadata

1.5.13.RELEASE

org.springframework.boot

spring-boot-configuration-processor

1.5.13.RELEASE

org.springframework.boot

spring-boot-devtools

1.5.13.RELEASE

org.springframework.boot

spring-boot-loader

1.5.13.RELEASE

org.springframework.boot

spring-boot-loader-tools

1.5.13.RELEASE

org.springframework.boot

spring-boot-starter

1.5.13.RELEASE

org.springframework.boot

spring-boot-starter-actuator

1.5.13.RELEASE

org.springframework.boot

spring-boot-starter-data-jpa

1.5.13.RELEASE

org.springframework.boot

spring-boot-starter-data-mongodb

1.5.13.RELEASE

org.springframework.boot

spring-boot-starter-data-rest

1.5.13.RELEASE

org.springframework.boot

spring-boot-starter-jdbc

1.5.13.RELEASE

org.springframework.boot

spring-boot-starter-test

1.5.13.RELEASE

org.springframework.boot

spring-boot-starter-logging

1.5.13.RELEASE

org.springframework.boot

spring-boot-starter-web

1.5.13.RELEASE

org.springframework.boot

spring-boot-starter-tomcat

1.5.13.RELEASE

org.springframework.boot

spring-boot-starter-websocket

1.5.13.RELEASE

org.aspectj

aspectjrt

1.8.13

org.aspectj

aspectjtools

1.8.13

org.aspectj

aspectjweaver

1.8.13

org.springframework

spring-aspects

4.3.17.RELEASE

org.springframework

spring-beans

4.3.17.RELEASE

org.springframework

spring-context

4.3.17.RELEASE

org.springframework

spring-core

4.3.17.RELEASE

org.springframework

spring-jdbc

4.3.17.RELEASE

org.springframework

spring-orm

4.3.17.RELEASE

org.springframework

spring-tx

4.3.17.RELEASE

org.springframework

spring-web

4.3.17.RELEASE

org.springframework

spring-webmvc

4.3.17.RELEASE

org.springframework.security

spring-security-crypto

4.2.6.RELEASE

org.springframework.

spring-amqp

1.7.6.RELEASE

org.spockframework

spock-core

1.0-groovy-2.4

org.spockframework

spock-spring

1.0-groovy-2.4

com.fasterxml

classmate

1.3.4

com.fasterxml.jackson.core

jackson-annotations

2.8.10

com.fasterxml.jackson.core

jackson-core

2.8.10

com.fasterxml.jackson.core

jackson-databind

2.8.10

com.fasterxml.jackson.dataformat

jackson-dataformat-yaml

2.8.10

com.fasterxml.jackson.jaxrs

jackson-jaxrs-json-provider

2.8.10

com.fasterxml.jackson.module

jackson-module-jaxb-annotations

2.8.10

commons-codec

commons-codec

1.10.0.redhat-5

com.h2database

h2

1.4.196

javax.servlet

jstl

1.2

org.apache.cxf

cxf-spring-boot-starter-jaxrs

3.1.12.redhat-1

ch.qos.logback

logback-core

1.1.11

ch.qos.logback

logback-classic

1.1.11

ch.qos.logback

logback-access

1.1.11

org.apache.httpcomponents

httpclient

4.5.5

org.apache.httpcomponents

httpcore

4.4.9

org.apache.httpcomponents

httpmime

4.5.5

org.codehaus.groovy

groovy

2.4.13

org.assertj

assertj-core

2.6.0

org.codehaus.groovy

groovy-json

2.4.13

org.codehaus.groovy

groovy-xml

2.4.13

org.hibernate

hibernate-validator

5.3.5.Final-redhat-2

org.hibernate

hibernate-core

5.1.10.Final-redhat-1

org.hibernate

hibernate-entitymanager

5.1.10.Final-redhat-1

net.bytebuddy

byte-buddy

1.6.14

org.hibernate.javax.persistence

hibernate-jpa-2.1-api

1.0.0.Final-redhat-2

antlr

antlr

2.7.7.redhat-7

org.jboss

jandex

2.0.0.Final

dom4j

dom4j

1.6.1.redhat-7

org.hibernate.common

hibernate-commons-annotations

5.0.1.Final-redhat-2

javax.enterprise

cdi-api

1.1

javax.el

el-api

2.2

javax.transaction

javax.transaction-api

1.2

javax.annotation

jsr250-api

1.0

javax.inject

javax.inject

1.0.0.redhat-6

org.javassist

javassist

3.21.0-GA

org.jboss.logging

jboss-logging

3.3.1.Final-redhat-1

org.json

json

20140107

org.slf4j

jul-to-slf4j

1.7.25

org.slf4j

slf4j-api

1.7.25

org.yaml

snakeyaml

1.17.0.redhat-1

xml-apis

xml-apis

1.4.01

io.dropwizard.metrics

metrics-core

3.1.5

io.dropwizard.metrics

metrics-ganglia

3.1.5

io.dropwizard.metrics

metrics-graphite

3.1.5

io.dropwizard.metrics

metrics-servlets

3.1.5

org.hsqldb

hsqldb

2.3.5

com.google.guava

guava

23.0

org.springframework.cloud

spring-cloud-sleuth-zipkin

1.3.2.RELEASE

org.springframework.cloud

spring-cloud-sleuth-zipkin-stream

1.3.2.RELEASE

org.springframework.cloud

spring-cloud-sleuth-stream

1.3.2.RELEASE

org.springframework.cloud

spring-cloud-kubernetes-core

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-kubernetes-config

1.4.2.RELEASE

org.springframework.cloud

spring-cloud-kubernetes-discovery

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-kubernetes-ribbon

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-kubernetes-hystrix

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-kubernetes-zipkin

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-starter-config

1.4.2.RELEASE

org.springframework.cloud

spring-cloud-starter-hystrix

1.4.3.RELEASE

org.springframework.cloud

spring-cloud-starter-sleuth

1.3.2.RELEASE

org.springframework.cloud

spring-cloud-starter-stream-rabbit

1.2.1.RELEASE

org.springframework.cloud

spring-cloud-starter-netflix-archaius

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-starter-netflix-atlas

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-starter-netflix-eureka-client

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-starter-netflix-eureka-server

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-starter-openfeign

1.3.4.RELEASE

org.springframework.cloud

spring-cloud-starter-netflix-hystrix

1.4.3.RELEASE

org.springframework.cloud

spring-cloud-starter-netflix-hystrix-dashboard

1.4.3.RELEASE

org.springframework.cloud

spring-cloud-starter-netflix-ribbon

1.4.3.RELEASE

org.springframework.cloud

spring-cloud-starter-netflix-spectator

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-starter-netflix-turbine

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-starter-netflix-turbine-stream

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-starter-netflix-zuul

1.3.4.RELEASE

org.springframework.cloud

spring-cloud-starter-kubernetes-all

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-starter-kubernetes

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-starter-kubernetes-config

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-starter-kubernetes-netflix

0.2.0.RELEASE

org.springframework.cloud

spring-cloud-starter-kubernetes-zipkin

0.2.0.RELEASE

org.apache.tomcat.embed

tomcat-embed-core

8.5.20.redhat-6

org.apache.tomcat.embed

tomcat-embed-el

8.5.20.redhat-6

org.apache.tomcat.embed

tomcat-embed-jasper

8.5.20.redhat-6

org.apache.tomcat.embed

tomcat-embed-websocket

8.5.20.redhat-6

org.apache.tomcat

tomcat-jdbc

8.5.20.redhat-6

org.keycloak

keycloak-adapter-spi

2.5.14.Final-redhat-1

org.keycloak

keycloak-tomcat8-adapter

2.5.5.Final

org.keycloak

keycloak-spring-boot-adapter

2.5.5.Final

8.4. Technology Preview Maven Artifacts Provided with Spring Boot

Red Hat provides limited support for Spring Boot artifacts designated as Technology Preview:

Group IDArtifact IDVersion

org.keycloak

keycloak-authz-client

2.5.14.Final-redhat-1

8.5. Deploying Spring Boot applications on Red Hat JBoss Fuse

As a Technology Preview feature, RHOAR allows you to build and deploy Spring Boot applications packaged as JAR files on Red Hat JBoss Fuse, both in standalone mode and on OpenShift. For additional information, see Red Hat JBoss Fuse documentation.

8.6. Deploying Spring Boot Applications From WAR Files

RHOAR allows you to repackage your Spring Boot application as an executable WAR file. This feature is currently provided with the RHOAR release of Spring Boot as a Technology Preview and is not supported by Red Hat.

8.7. Resolved Spring Boot Issues

Community Bug Fixes

The RHOAR Spring Boot 1.5.13 release serves as a replacement for RHOAR Spring Boot 1.5.12, and includes bug fixes and enhancements. The following issues have been resolved in the Pivotal™ release and are incorporated by productized RHOAR Spring Boot components. See the links to the public Spring by Pivotal™ Spring Boot JIRA project and upstream Spring Boot Git Hub projects below for detailed issue descriptions:

Spring Framework 4.3.16

Spring Framework 4.3.17

Spring Boot 1.5.13

Spring Security 4.2.6

8.7.1. CVE-2018-1257

Security Fixes

Issue summary
ReDoS Attack with spring-messaging
Pivotal CVE database entry
CVE-2018-1257

8.7.2. CVE-2018-1259

Issue summary
XXE with Spring Data’s XMLBeam integration
Pivotal CVE database entry
CVE-2018-1259

8.7.3. CVE-2018-1260

Issue summary
Remote Code Execution with spring-security-oauth2
Pivotal CVE database entry
CVE-2018-1260

8.7.4. CVE-2018-1261

Issue summary
Unsafe Unzip with spring-integration-zip
Pivotal CVE database entry
CVE-2018-1261

8.7.5. CVE-2018-8014

Affected component
tomcat
Issue summary
Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
Red Hat CVE database entry
CVE-2018-8014
Bugzilla Bug ID
1579611

8.8. Known Spring Boot Issues

8.8.1. Missing APR/native library in the openshift-openjdk image

Issue Key:

SB-379

NOTE: You do not have to log into JIRA to view this issue.

Chapter 9. Node.js

9.1. Supported Node.js Base Images

Table 9.1. Node.js 8 LTS

Node.js base imageVersion

registry.access.redhat.com/rhoar-nodejs/nodejs-8

8.11.2 or later LTS

Table 9.2. Node.js 10 LTS

Node.js base imageVersion

registry.access.redhat.com/rhoar-nodejs/nodejs-10

10.1.0 or later LTS

9.2. Supported Node.js RPM Packages

Table 9.3. Node.js 8 LTS

Package nameArchitecture/TypeVersionDescription

rhoar-nodejs-8.11.2-1.el7.src.rpm

SRPMS

8.11.2

RHOAR Node.js 8 (LTS) sources

rhoar-nodejs-docs-8.11.2-1.el7.noarch.rpm

noarch

8.11.2

RHOAR Node.js 8 API documentation

npm-5.6.0-1.8.11.2.1.el7.x86_64.rpm

x86_64

5.6.0

npm package manager

rhoar-nodejs-8.11.2-1.el7.x86_64.rpm

x86_64

8.11.2

RHOAR Node.js (LTS) 8 binaries

rhoar-nodejs-debuginfo-8.11.2-1.el7.x86_64.rpm

x86_64

8.11.2

debug information for the RHOAR Node.js 8 package

Table 9.4. Node.js 10 LTS

Package nameArchitecture/TypeVersionDescription

rhoar-nodejs-10.1.0-1.el7.src.rpm

SRPMS

10.1.0

RHOAR Node.js 10 (LTS) sources

rhoar-nodejs-docs-10.1.0-1.el7.noarch.rpm

noarch

10.1.0

RHOAR Node.js 10 API documentation

npm-5.6.0-1.10.1.0.1.el7.x86_64.rpm

x86_64

5.6.0

npm package manager

rhoar-nodejs-10.1.0-1.el7.x86_64.rpm

x86_64

10.1.0

RHOAR Node.js 10 (LTS) binaries

rhoar-nodejs-debuginfo-10.1.0-1.el7.x86_64.rpm

x86_64

10.1.0

debug information for the RHOAR Node.js 10 package

9.3. Community Node.js npm modules

The RHOAR Node.js base image allows you to develop a Node.js application for OpenShift using any of the community Node.js modules available through npm. Community npm modules are not supported by Red Hat.

9.4. Resolved Node.js Issues

Node.js 8.11.2

The RHOAR Node.js release is a Red Hat product release aligned with the community Node.js LTS release version 8.11.2. The current productized release contains aggregated bug fixes and enhancements introduced in community versions 8.9.4 through 8.11.2. For a list of issues resolved in this release, see the Node.js 8.11.2 changelog.

Node.js 10.1.0

The RHOAR Node.js release is a Red Hat product release aligned with the community Node.js LTS release version 10.1.0. For a list of issues resolved in this release, see the Node.js 10.1.0 changelog.

Security Bug Fixes

The following bug fixes apply to both Node.js versions: 8.11.2 and 10.1.0.

9.4.1. CVE-2018-3639

Affected component
kernel
Issue summary
speculative store bypass
Red Hat CVE database entry
CVE-2018-3639
Bugzilla Bug ID
1566890

9.5. Known Node.js Issues

9.5.1. Deployment fails when an npm dependency specifies a git repository.

Description:

If a package.json file contains dependencies that specify a git repository, a deployment error occurs when packaging and deploying the application to OpenShift.

Workaround:

Install the rh-git29-git package available from Red Hat Software Collections.

Legal Notice

Copyright © 2018 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.