Chapter 1. OpenShift sandboxed containers 1.0 release notes
1.1. About this release
These release notes track the development of OpenShift sandboxed containers in Red Hat OpenShift Container Platform.
This product is currently in Technology Preview. OpenShift sandboxed containers is not intended for production use. For more information, see the Red Hat Customer Portal support scope for features in Technology Preview.
1.2. New features and enhancements
1.2.1. OpenShift sandboxed containers support on OpenShift Container Platform (Technology Preview)
The OpenShift sandboxed containers 1.0.0 Technology Preview release introduces built-in support for running Kata Containers as an additional runtime. OpenShift sandboxed containers enables users to choose Kata Containers as an additional runtime to provide additional isolation for their workloads. The OpenShift sandboxed containers Operator automates the tasks of installing, removing, and updating Kata Containers. It allows for tracking the state of those tasks by describing the KataConfig custom resource.
OpenShift sandboxed containers are only supported on bare metal. Red Hat Enterprise Linux CoreOS (RHCOS) is the only supported operating system for OpenShift sandboxed containers 1.0.0. Disconnected environments are not supported in OpenShift Container Platform 4.8.
For more information, see Understanding OpenShift sandboxed containers.
1.3. Known issues
- If you are using OpenShift sandboxed containers, you cannot use the hostPath volume in an OpenShift Container Platform cluster to mount a file or directory from the host node's file system into your pod. As an alternative, you can use local persistent volumes. See Persistent storage using local volumes for more information. (BZ#1904609)
- If you are running Fedora on OpenShift sandboxed containers, you need a workaround to install some packages. Some packages, like iputils, require file access permission changes that OpenShift Container Platform does not grant to containers by default. To run containers that require such special permissions, it is necessary to add an annotation to the YAML file describing the workload, which tells virtiofsd to accept such file permissions for that workload. The required annotation is:

    io.katacontainers.config.hypervisor.virtio_fs_extra_args: |
      [ "-o", "modcaps=+sys_admin", "-o", "xattr" ]

- In the 4.8 release, adding a value to kataConfigPoolSelector by using the OpenShift Container Platform web console causes scheduling.nodeSelector to be populated with an empty value. Pods that use the RuntimeClass with the value of kata might be scheduled to nodes that do not have the Kata Containers runtime installed. To work around this issue, specify the nodeSelector value manually in the RuntimeClass kata by running the following command:

    $ oc edit runtimeclass kata

  The following is an example of a RuntimeClass with the correct nodeSelector statement:

    apiVersion: node.k8s.io/v1
    handler: kata
    kind: RuntimeClass
    metadata:
      creationTimestamp: "2021-06-14T12:54:19Z"
      name: kata
    overhead:
      podFixed:
        cpu: 250m
        memory: 350Mi
    scheduling:
      nodeSelector:
        custom-kata-pool: "true"
- The OpenShift sandboxed containers Operator details page on Operator Hub contains a few missing fields. The missing fields do not prevent you from installing the OpenShift sandboxed containers Operator in 4.8. (BZ#2019383)
- Creating multiple KataConfig custom resources results in a silent failure. The OpenShift Container Platform web console does not provide a prompt to notify the user that creating more than one custom resource has failed. (BZ#2019381)
- Sometimes the Operator Hub in the OpenShift Container Platform web console does not display icons for an Operator. (BZ#2019380)
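The empty scheduling.nodeSelector issue above is easy to miss because an unpinned RuntimeClass produces no error: pods that request the kata handler simply land on ordinary worker nodes and run without the extra isolation. The following audit is an added example and not part of the Red Hat documentation or the Operator. It works on the JSON shape returned by `oc get runtimeclass kata -o json`, `oc get nodes -o json` and `oc get pods -A -o json`, but every input below is constructed inline so the check runs offline; the node names, namespaces and the pool label `custom-kata-pool: "true"` (taken from the RuntimeClass example above and assumed to be the KataConfig kataConfigPoolSelector match label) are assumptions.

```python
"""Audit a kata RuntimeClass for the empty-nodeSelector scheduling gap.

Added example (not Red Hat's code). Inputs mirror `oc get ... -o json` output
but are constructed here so the script runs without a cluster.
"""
import json

# Constructed: a RuntimeClass as the 4.8 web console may leave it, with an
# empty scheduling.nodeSelector. Any node is then eligible for kata pods.
BROKEN_RUNTIMECLASS = json.loads("""
{
  "apiVersion": "node.k8s.io/v1",
  "kind": "RuntimeClass",
  "metadata": {"name": "kata"},
  "handler": "kata",
  "overhead": {"podFixed": {"cpu": "250m", "memory": "350Mi"}},
  "scheduling": {"nodeSelector": {}}
}
""")

# Constructed: the same RuntimeClass after `oc edit runtimeclass kata`,
# pinned to the kata pool label used in the release note example.
FIXED_RUNTIMECLASS = json.loads("""
{
  "apiVersion": "node.k8s.io/v1",
  "kind": "RuntimeClass",
  "metadata": {"name": "kata"},
  "handler": "kata",
  "overhead": {"podFixed": {"cpu": "250m", "memory": "350Mi"}},
  "scheduling": {"nodeSelector": {"custom-kata-pool": "true"}}
}
""")

# Constructed (assumed): matchLabels of the KataConfig spec.kataConfigPoolSelector,
# i.e. the nodes on which the Operator actually installed the Kata runtime.
KATA_POOL_LABELS = {"custom-kata-pool": "true"}

# Constructed node list: worker-0 is in the kata pool, worker-1 is not.
NODES = [
    {"metadata": {"name": "worker-0",
                  "labels": {"custom-kata-pool": "true",
                             "node-role.kubernetes.io/worker": ""}}},
    {"metadata": {"name": "worker-1",
                  "labels": {"node-role.kubernetes.io/worker": ""}}},
]

# Constructed pod list: two pods request runtimeClassName kata; app-b was
# scheduled onto worker-1, a node without the runtime. "pending" has no node yet.
PODS = [
    {"metadata": {"name": "app-a", "namespace": "sandboxed"},
     "spec": {"runtimeClassName": "kata", "nodeName": "worker-0"}},
    {"metadata": {"name": "app-b", "namespace": "sandboxed"},
     "spec": {"runtimeClassName": "kata", "nodeName": "worker-1"}},
    {"metadata": {"name": "pending", "namespace": "sandboxed"},
     "spec": {"runtimeClassName": "kata"}},
    {"metadata": {"name": "plain", "namespace": "default"},
     "spec": {"nodeName": "worker-1"}},
]


def node_selector(runtimeclass):
    """Return scheduling.nodeSelector, or {} when it is absent or empty."""
    return (runtimeclass.get("scheduling") or {}).get("nodeSelector") or {}


def eligible_nodes(selector, nodes):
    """Names of nodes whose labels satisfy every key/value pair in selector.

    An empty selector matches every node, which is exactly the scheduling gap.
    """
    return sorted(
        n["metadata"]["name"]
        for n in nodes
        if all((n["metadata"].get("labels") or {}).get(k) == v
               for k, v in selector.items())
    )


def audit(runtimeclass, nodes, pods, pool_labels):
    """Return a list of findings; empty means the RuntimeClass is safely pinned
    and every scheduled kata pod sits on a node in the kata pool."""
    findings = []
    name = runtimeclass["metadata"]["name"]
    selector = node_selector(runtimeclass)
    if not selector:
        findings.append(f"RuntimeClass {name}: scheduling.nodeSelector is empty, "
                        "pods may be scheduled to nodes without the Kata runtime")
    elif selector != pool_labels:
        findings.append(f"RuntimeClass {name}: nodeSelector {selector} differs "
                        f"from kataConfigPoolSelector {pool_labels}")
    kata_nodes = set(eligible_nodes(pool_labels, nodes))
    for pod in pods:
        spec = pod["spec"]
        node = spec.get("nodeName")
        if spec.get("runtimeClassName") != name or node is None:
            continue  # not a kata pod, or not scheduled yet
        if node not in kata_nodes:
            meta = pod["metadata"]
            findings.append(f'pod {meta["namespace"]}/{meta["name"]} requests '
                            f"{name} but runs on {node}, which is outside the kata pool")
    return findings


if __name__ == "__main__":
    for finding in audit(BROKEN_RUNTIMECLASS, NODES, PODS, KATA_POOL_LABELS):
        print(finding)
```

Run against live data by replacing the constructed objects with the parsed `-o json` output (the `items` list for nodes and pods). An empty selector is reported even when no pod has been misplaced yet, because the gap is in the RuntimeClass itself; a pod already sitting on a non-kata node is reported even after the RuntimeClass has been fixed, since fixing the selector does not move running pods.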
1.4. Asynchronous errata updates
Security, bug fix, and enhancement updates for OpenShift sandboxed containers 1.0 are released as asynchronous errata through the Red Hat Network. All OpenShift Container Platform 4.8 errata are available on the Red Hat Customer Portal. See the OpenShift Container Platform Life Cycle for more information about asynchronous errata.
Red Hat Customer Portal users can enable errata notifications in the account settings for Red Hat Subscription Management (RHSM). When errata notifications are enabled, users are notified via email whenever new errata relevant to their registered systems are released.
Red Hat Customer Portal user accounts must have systems registered and consuming OpenShift Container Platform entitlements for OpenShift Container Platform errata notification emails to be generated.
This section will continue to be updated over time to provide notes on enhancements and bug fixes for future asynchronous errata releases of OpenShift sandboxed containers 1.0.0.
1.4.1. RHBA-2021:3751 - OpenShift sandboxed containers 1.0.2 bug fix advisory
Issued: 2021-10-07
OpenShift sandboxed containers release 1.0.2 is now available. This advisory contains an update for OpenShift sandboxed containers with bug fixes.
The list of bug fixes that are included in the update is documented in the RHBA-2021:3751 advisory.
1.4.2. RHBA-2021:3552 - OpenShift sandboxed containers 1.0.1 bug fix advisory
Issued: 2021-09-16
OpenShift sandboxed containers release 1.0.1 is now available. This advisory contains an update for OpenShift sandboxed containers with bug fixes.
The list of bug fixes that are included in the update is documented in the RHBA-2021:3552 advisory.
1.4.3. RHEA-2021:2546 - OpenShift sandboxed containers 1.0.0 image release, bug fix, and enhancement advisory
Issued: 2021-07-29
The components for OpenShift sandboxed containers release 1.0.0, which supports OpenShift Container Platform 4.8, are now available as a Technology Preview.
The list of bug fixes included in the update is documented in the RHEA-2021:3941 advisory.