Chapter 6. RHBA-2015:0779 - OpenShift Enterprise 2.2.5 Bug Fix and Enhancement Update

OpenShift Enterprise 2.2.5 is now available with updates to packages that fix several bugs and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/RHBA-2015-0779.html for more information.

Important

See the OpenShift Enterprise 2.2 Release Notes for instructions on how to apply this asynchronous errata update.

This update addresses the following bug fixes and enhancements:

Broker

BZ#1201485
The default gear placement algorithm did not properly distribute gear load in some district configurations. Some nodes would be ignored until other nodes filled up. This bug fix updates this logic, and gear load is now better distributed.
BZ#1206013
After starting the routing daemon service, operations using the oo-admin-ctl-routing tool would fail if the ruby193-rubygem-rest-client package was not installed. This was due to the rubygem-openshift-origin-routing-daemon package missing a dependency on the ruby193-rubygem-rest-client package. This bug fix updates the rubygem-openshift-origin-routing-daemon package to include this dependency, and the issue no longer occurs as a result.
BZ#1144894
Previously, application URLs were presented to developers as HTTP URLs only, for example when listing their applications using the client tools. This enhancement adds the ability for administrators to require that all applications advertise HTTPS URLs instead. This requires setting the APP_ADVERTISE_HTTPS parameter to "true" in the /etc/openshift/broker.conf file on brokers, then restarting the openshift-broker service.
BZ#1194035
This enhancement adds optional SSH key size validation for when developers add a new public key to their account. Administrators can configure this by setting the MINIMUM_SSH_KEY_SIZE parameter to the desired value in the /etc/openshift/broker.conf file on brokers, then restarting the openshift-broker service.
BZ#1182982
When using the oo-admin-move tool, attempting to move a gear failed and the operation was rolled back if the network interface eth0 on the node did not have an IP address. This bug fix updates Facter on nodes to ensure the interface specified in the EXTERNAL_ETH_DEV parameter in the /etc/openshift/node.conf file is identified as the active interface. As a result, gears are able to move successfully.
BZ#1202511
When checking for stale SSH keys and environment variables to repair, previously the oo-admin-repair tool on brokers did not check in user domains where there were no existing applications. This bug fix updates this logic so that domains without existing applications are now also checked, and as a result all stale SSH keys and environment variables are repaired as expected.
BZ#1199901
Previously if the routing daemon was configured for use with F5 BIG-IP LTM® and was configured to create monitors, errors occurred while creating scalable applications when the process attempted to create monitors. This was due to a bug in the routing daemon. This bug fix updates the routing daemon to address these issues, and as a result these errors no longer occur. Additionally, the routing daemon now reports error messages from F5 in more situations rather than generic failure messages.
BZ#1199904
Previously if the routing daemon was configured for use with F5 BIG-IP LTM®, attempting to delete pools using the oo-admin-ctl-routing tool failed. This was due to a bug in the routing daemon. This bug fix updates the routing daemon and oo-admin-ctl-routing tool to address these issues, and as a result these errors no longer occur. Additionally, new commands have been added for listing the monitors associated with a given pool, associating an existing monitor with a pool, or disassociating a monitor from a pool (without deleting either the pool or the monitor). The tool's usage and built-in help text have also been made clearer, and the daemon has been made more resilient when the administrator makes changes to monitors in F5's configuration while the daemon is running.
BZ#1199903
Previously if the routing daemon was configured for use with F5 BIG-IP LTM® and was configured to create monitors or assign an existing monitor to new pools, errors occurred while deleting a scalable application when the process attempted to delete the associated monitor. This was due to a bug in the routing daemon. This bug fix updates the routing daemon to address these issues, and as a result these errors no longer occur. Additionally, the routing daemon now reports error messages from F5 in more situations rather than generic failure messages.
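
The key size validation in BZ#1194035 applies when a developer adds a key; keys already on file can be compared against the same threshold with a check like the following. This is an added example, not OpenShift's own code: the threshold value, the function names and the sample keys are assumptions, and only ssh-rsa keys are measured (other key types are reported as not evaluated).

```ruby
MINIMUM_SSH_KEY_SIZE = 2048 # assumed policy value; the page names the parameter, not a value

# Read one length-prefixed field (uint32 big-endian length, then bytes) from a key blob.
def read_field(blob, offset)
  raise ArgumentError, "truncated key blob" if offset + 4 > blob.bytesize
  len = blob.byteslice(offset, 4).unpack1("N")
  raise ArgumentError, "truncated key blob" if offset + 4 + len > blob.bytesize
  [blob.byteslice(offset + 4, len), offset + 4 + len]
end

# Return the RSA modulus size in bits for an "ssh-rsa <base64> [comment]" line.
def rsa_key_bits(line)
  type, b64 = line.split(" ", 3)
  raise ArgumentError, "not an ssh-rsa key" unless type == "ssh-rsa" && b64
  blob = b64.unpack1("m0") # strict base64; raises ArgumentError on bad input
  inner_type, off = read_field(blob, 0)
  raise ArgumentError, "type mismatch inside blob" unless inner_type == type
  _exponent, off = read_field(blob, off)
  modulus, = read_field(blob, off)
  modulus.unpack1("H*").to_i(16).bit_length
end

# Audit a list of public key lines; :ok is nil when a key could not be evaluated.
def audit_keys(lines, minimum = MINIMUM_SSH_KEY_SIZE)
  lines.map do |line|
    bits = rsa_key_bits(line)
    { comment: line.split(" ", 3)[2], bits: bits, ok: bits >= minimum }
  rescue ArgumentError => e
    { comment: line.split(" ", 3)[2], error: e.message, ok: nil }
  end
end

# Constructed sample input: a blob around an integer of known bit length, not a real RSA key.
def constructed_key(bits, comment)
  field = ->(s) { [s.bytesize].pack("N") + s }
  hex = ((1 << (bits - 1)) | 1).to_s(16)
  hex = "0" + hex if hex.length.odd?
  modulus = "\x00".b + [hex].pack("H*") # leading zero byte keeps the mpint positive
  blob = field.("ssh-rsa".b) + field.("\x01\x00\x01".b) + field.(modulus)
  "ssh-rsa #{[blob].pack('m0')} #{comment}"
end

if __FILE__ == $PROGRAM_NAME
  keys = [constructed_key(1024, "old-laptop"), constructed_key(4096, "workstation")]
  audit_keys(keys).each { |result| puts result }
end
```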

Cartridge

BZ#1202509
This enhancement adds the OPENSHIFT_POSTGRESQL_CONFIG environment variable for the PostgreSQL cartridge, which allows developers to specify additional configuration lines for inclusion in the postgresql.conf file. For example, developers can now use this environment variable to enable execution statistics:

# rhc set-env OPENSHIFT_POSTGRESQL_CONFIG="shared_preload_libraries = 'pg_stat_statements';pg_stat_statements.track = all"

Note the required ";" separating each setting when listing multiple configuration lines. After applying this update, a cartridge upgrade is required. If enabling execution statistics, developers must also restart their application after setting OPENSHIFT_POSTGRESQL_CONFIG.
BZ#1197873
For applications using the Cron cartridge, cron jobs have a default timeout of 20 minutes. This enhancement adds the ability for administrators to configure this global timeout value. Administrators can configure this by creating a /etc/openshift/cron/limits file on each node, and setting a MAX_RUN_TIME parameter in that file to the desired value, such as "10m" for ten minutes. The value must be in a format accepted by the timeout command: use "s" for seconds, "m" for minutes, "h" for hours, or "d" for days. After applying this update, a cartridge upgrade is required.
BZ#1202507
Previously in applications with a PostgreSQL cartridge, the PostgreSQL server would fail to start if the OPENSHIFT_POSTGRESQL_SSL_ENABLED environment variable was set to "true" and the server.key and server.crt files were not located in the $PGDATA/data directory. This bug fix updates the PostgreSQL cartridge to check these file locations during start up if OPENSHIFT_POSTGRESQL_SSL_ENABLED is set to "true". If they exist, SSL is enabled. Otherwise, the PostgreSQL server starts up normally but SSL is not enabled. After applying this update, a cartridge upgrade is required.
BZ#1176649
When running the "git push" command for applications with a Jenkins Client cartridge, it was possible for developers to experience "502 Proxy Error" and "Deployment Halted" messages during the build process, even when the deployment actually succeeded. These messages were potentially confusing to developers trying to investigate the issue. This bug fix updates the Jenkins Client cartridge to use the Ruby Net::HTTP library to easily retry requests and correctly interpret responses. As a result, the Jenkins Client cartridge now gracefully handles errors and provides more informative messages. After applying this update, a cartridge upgrade is required.
BZ#1202510
When using the Ruby cartridge, environment variables and their values were displayed on error pages to users when Phusion Passenger failed, containing potentially sensitive information. These pages are known as "friendly error pages", and by default in Passenger are not supposed to be revealed when the Rails environment is set to "staging" or "production". However, even though the cartridge default was set to "production", these pages still appeared. This bug fix updates the Ruby cartridge to include additional logic to ensure that the friendly error pages are disabled by default, unless the Rails environment has been set specifically to "development". After applying this update, a cartridge upgrade is required.
BZ#1202499
This enhancement adds the OPENSHIFT_MYSQL_MAX_ALLOWED_PACKET environment variable for the MySQL cartridge, which allows developers to optionally set the max_allowed_packet MySQL variable. After applying this update, a cartridge upgrade is required. Developers must also restart their application for any changes made using OPENSHIFT_MYSQL_MAX_ALLOWED_PACKET to take effect.
BZ#1202514
Previously, when using the "--from-code=empty" option to create an application with an empty Git repository, the application would fail to create if a database cartridge was also specified in the request. This bug fix updates the creation logic, and as a result applications can be successfully created in this scenario.
BZ#1202500
For applications using the PHP cartridge, previously the apc.shm_size value was calculated incorrectly. Memory was being divided by 16 instead of by 8. This bug fix updates the PHP cartridge, and as a result the apc.shm_size value is now calculated correctly. After applying this update, a cartridge upgrade is required.

Command Line Interface

BZ#1187806
When using a client certificate configuration on brokers, such as mutual SSL or x509 authentication, REST API requests to the broker from the client tools would fail. This was due to the requests not including authentication credentials, as the client tool had the "no_auth" request variable hard-coded to "true". This bug fix updates the client tools to add the "always_auth" option to the client tools configuration file (the ~/.openshift/express.conf or ~/.openshift/servers.yml file). This option defaults to "false", yielding the original behavior; when set to "true", the client tools use an authenticated connection for all requests. As a result, this allows the client tools to now fully communicate with the broker as expected when using a client certificate configuration on brokers.
BZ#1203435
Previously when running the "rhc setup" command with the "--ssl-client-key-file" option, the configuration for the SSL client key file was not written to the ~/.openshift/servers.yml file. Additionally, while using the "rhc server add" command with the "--ssl-client-key-file" option successfully wrote the key file to the servers.yml file, the output for the "rhc server list" command did not list the key file information. This bug fix updates the client tools to ensure the key file configuration is written and listed in these scenarios, and as a result adding key files with the client tools now works as expected.

Installer

BZ#1198409
Previously, the package dependency version specifier for the NodeJS mkdirp package was too specific. This caused the nodejs010-nodejs-express package to not install on systems where the NodeJS mkdirp package would satisfy the dependency, but which had a more recent version than what was specified in the package dependencies. This prevented the NodeJS cartridge dependencies from being satisfied, thus preventing the NodeJS cartridge from installing. This bug fix changes the NodeJS mkdirp dependency version specifier to correctly include versions greater than or equal to 0.3.4. As a result, the nodejs010-nodejs-express package no longer fails to install, and the NodeJS cartridge now installs properly.

Node

BZ#1202515
In certain situations, such as pre- and post-receive hooks, the presence of gems in a gear's $GEM_HOME environment variable previously could break /usr/bin/gear subcommands. This was due to the user-supplied gems in $GEM_HOME overriding the OpenShift-provided ones, potentially causing exceptions. This bug fix updates the node logic to explicitly set GEM_HOME to '' for the /usr/bin/gear command and Ruby SDK to protect them from running with user-supplied gems. As a result, exceptions are no longer raised during a "git push" in this scenario.
BZ#1134206
Previously, Jenkins slave (or builder) gears were incorrectly restarted by Watchman after 15 minutes, or after the interval set in the STATE_CHANGE_DELAY parameter in the /etc/sysconfig/watchman file on nodes. This was due to Watchman not including the builder processes in its gear process list. This bug fix adds a condition to prevent Watchman from excluding the builder processes, and as a result Jenkins slave gears are no longer incorrectly restarted in this way.
BZ#1202512
Previously, gears stopped by administrators using the "oo-admin-ctl-gears stopgear" command would always be restarted by a subsequent "oo-admin-ctl-gears startall" command or the next time the node was rebooted. In certain situations, this could be undesirable depending on the node capacity. This enhancement adds an additional command, "oo-admin-ctl-gears stoplockgear", which allows administrators to stop a gear and add a .stop_lock file. The presence of a .stop_lock file ensures that the gear does not start during operations that take .stop_lock files into account, such as "oo-admin-ctl-gears startall", or after a node reboot. A message explaining the reason why the gear should not be started in the future can be written to the .stop_lock file using the "--message" option with the command as well.
BZ#1202513
Watchman's JBoss plug-in would previously fail with an "invalid byte sequence in UTF-8" error if a JBoss log contained ISO-8859-1 bytes which were not valid UTF-8, such as the string "\xe9". This was due to the plug-in opening files in a way that only worked as long as the byte sequences were valid UTF-8. This bug fix updates the plug-in to instead open files in binary mode, which supports regex matching on all encodings. As a result, the plug-in no longer produces these errors.
BZ#1179006
Previously, it was possible for the MCO cartridge_list RPC call to fail with an "Invalid Request Data" error when custom cartridges were installed. This was due to erroneous cartridge index entries being created. This bug fix updates the node logic, and as a result the RPC call now returns as expected.
BZ#1200096
When gear archiving was enabled on nodes using the ARCHIVE_DESTROYED_GEARS parameter, previously archives could be erroneously deleted during the archiving process if it encountered a "recoverable" error. For example, this could happen if a file changed while it was being archived. Additionally, gear archiving could fail if the default compression algorithm, bz2, exceeded the MCollective agent timeout value. This bug fix updates the archiving logic to not delete broken archives, and adds the ARCHIVE_DESTROYED_GEARS_COMPRESSION parameter to the /etc/openshift/node.conf file on nodes. This new parameter allows administrators to set their preferred compression algorithm; valid options are "bzip2", "gzip", or "none". As a result, broken archives are still available for debugging purposes, and timeouts while archiving are less likely to occur.
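
The failure and fix described in BZ#1202513 can be reproduced in a few lines of Ruby. This is an added example, not the Watchman plug-in's code: the pattern, function names and log lines are constructed for illustration.

```ruby
require "tempfile"

# Hypothetical pattern. It is ASCII-only on purpose: a regex containing non-ASCII
# literals is fixed to UTF-8 and cannot be matched against binary strings.
ERROR_PATTERN = /OutOfMemoryError/

# Text-mode scan: lines are tagged UTF-8, so matching a line that holds a byte
# sequence invalid in UTF-8 raises ArgumentError. The message is returned here.
def scan_text_mode(path)
  File.open(path, "r:UTF-8") { |f| f.each_line.count { |l| l =~ ERROR_PATTERN } }
rescue ArgumentError => e
  e.message
end

# Binary-mode scan: lines are plain byte strings, so the match works whatever
# encoding the log was written in.
def scan_binary_mode(path)
  File.open(path, "rb") { |f| f.each_line.count { |l| l =~ ERROR_PATTERN } }
end

# Constructed sample log containing the ISO-8859-1 byte 0xE9, as in the bug report.
def demo
  Tempfile.create("server.log") do |f|
    f.binmode
    f.write("INFO d\xE9marrage du service\n".b)
    f.write("ERROR java.lang.OutOfMemoryError: Java heap space (caf\xE9)\n".b)
    f.flush
    { text: scan_text_mode(f.path), binary: scan_binary_mode(f.path) }
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```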