RHBA-2016:0293 - Bug Fix Advisory

Topic

Updated atomic-openshift packages that fix several bugs are now available for Red Hat OpenShift Enterprise 3.1.

Description

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This update fixes the following bugs:

• Previously, secrets were updated for the internal OAuth clients on every startup. This caused problems when retrieving tokens in highly-available (HA) environments, yielding the error "Invalid status code (400): 400 Bad Request". This bug fix preserves existing client secrets and now OpenShift Enterprise updates only the challenge and redirect URI settings on startup. (BZ#1302946)
• Pods using the host network interface, such as the default HAProxy router, were getting the default IP from the node entry for their liveness probe. In some common misconfigurations, this IP would not actually be physically present on the node running the probes, and therefore would not be short-circuited to use the loopback interface. In those cases, the probes would fail unless a cluster administrator manually opened up port 1936 to allow the probe to pass. This bug fix updates the router to use localhost for liveness and readiness probes, and the OpenShift Enterprise installer now ensures that `openshift_hostname` variables in inventory files resolve to an IP address on the host in question. If it detects that the host name does not, it pauses the installation waiting for the user to abort or continue. This behavior can be overridden by setting `openshift_override_hostname_check=true`, which will simply pause the installation for 10 seconds then move on. (BZ#1293578)
• When restarting all masters in large clusters at the same time, one or all could fail with an "Unable to perform initial IP allocation check" error. This was due to a race condition between the service IP allocator and updates to services. This bug fix adds a retry loop on such conflicts, and as a result the master services can be started successfully. BZ#1294864)
• The default mode for the kubelet proxy on nodes was recently changed from userspace to iptables, causing the node to start in iptables mode by default. This bug fix adds the ability to configure this proxy mode by setting the `proxyArguments.proxy-mode` parameter in the node configuration file (/etc/origin/node/node-config.yaml) to either `iptables` or `userspace`. Restart the atomic-openshift-node service for any changes to take effect. (BZ#1308701)
• Previously, when an AWS EBS volume was detached from a pod, it could not be attached to different pod on the same node. This bug fix updates the AWS provider to ensure that when detaching an AWS volume it is removed from the internal cache of attached volumes. As a result, subsequent requests can attach it again. (BZ#1304752)

All OpenShift Enterprise 3 users are advised to upgrade to these updated packages.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

After ensuring all packages on each host have been updated, restart the atomic-openshift-master service on each master to complete this update.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Affected Products

• Red Hat OpenShift Container Platform 3.1 x86_64

Fixes

• BZ - 1293578 - Ansible should open port '1936' in iptables
• BZ - 1294864 - atomic-openshift-master-api fails when all are restarted together
• BZ - 1302946 - Sometime can't get token when access token/request api in v3 stage env
• BZ - 1308701 - Kubelet proxy must be able to run in userspace and iptables mode

CVEs

(none)

References

• http://www.redhat.com/security/updates/classification/#normal