RHBA-2017:0017 - Bug Fix Advisory

Topic

Red Hat OpenShift Enterprise release 2.2.11 is now available with updated
packages that fix several bugs and add various enhancements.

Description

OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or
private cloud deployments.

This update fixes the following bugs:

• The routing daemon (RD) can now be configured with multiple F5 BIG-IP hosts. During F5 configurations, the RD tries to connect to the first configured host. If it fails, it retries each successive host until it connects to a host or exhausts its host list. The RD now correctly sends a NACK response to ActiveMQ when operations fail. ActiveMQ redelivers the message, causing the RD to retry. The RD's communication with ActiveMQ, logging of errors, and handling of error responses from F5 BIG-IP improved. This enables the RD to continue operation with the F5 BIG-IP cluster even if the RD loses contact with the cluster, improving the RD's behavior when multiple instances are run in a clustered configuration. The RD is more resilient against losing contact with individual F5 BIG-IP hosts in a cluster of F5 BIG-IP hosts and functions better when run in a clustered configuration. The RD elicits fewer error responses from F5 BIG-IP and provides better logs, making error diagnosis easier. (BZ#1227472)
• Users can now allow the provided database connection helper functions mysql(), psql(), and mongo() to be overwritten. This allows users to overwrite the helper functions to easily connect to external databases. Users can now define mysql(), psql(), and mongo() functions in their $OPENSHIFT_DATA_DIR/.bash_profile, which can be used within an SSH connection to a gear. (BZ#1258033)
• HAProxy cookies were inconsistently named. Requests to an HA application were not always being routed to the correct gear. This fix changes the cookie naming logic so that the cookie name reflects which back-end gear is handling the request. As a result, all back-end HAProxy gears should now return the same cookie name and the requests should be properly routed to the correct back-end gear. (BZ#1377433)
• EWS Tomcat 7 can now be configured on nodes to use either EWS 2 or EWS 3 channels, allowing an administrator an option of what EWS version the EWS 2 cartridge deploys. This option was enabled to allow administrators to take advantage of the EWS 3 lifecycle and security or bug updates that it receives compared to the maintenance lifecycle that EWS 2 is currently receiving. Administrators have options or can mix and match EWS versions (with node profiles) on what Tomcat version is installed when an EWS 2 cartridge is created. (BZ#1394328)
• The new version of PIP (7.1.0) no longer accepted insecure (HTTP) mirrors. Also, PIP attempted to create and then write files into the .cache directory, which users do not have permission to create post-installation. As a result, Python dependencies failed to be installed.

The default PyPi mirror URL is now updated to use a secure connection (HTTPS). The directory .cache is created during installation in advance so it can be used later by PIP. With this fix, Python dependencies can be fetched from the PyPi mirror and installed properly. (BZ#1401120)

• When using a gear's UUID in the logical volume name, a grep in the oo-accept node caused oo-accept-node to fail. The grep was fixed with this update. Using the gear UUID in the logical volume name no longer causes oo-accept-node to fail. (BZ#1401124)
• Previously, moving a gear with many aliases reloaded Apache for each alias. The excess aliases caused the gear move to timeout and fail. With this fix, a gear move will now update Apache once with an array of of aliases instead of updating after each alias. (BZ#1401132)
• Previously, node-proxy did not specify to use cipher order, so the order did not matter when using a custom cipher order. This fix makes the node-proxy honor the cipher order. Custom cipher orders will now take the cipher order in account when choosing a cipher. (BZ#1401133)

All OpenShift Enterprise 2 users are advised to upgrade to these updated
packages.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

See the OpenShift Enterprise 2.2 Release Notes, which will be updated
shortly for release 2.2.11, for important instructions on how to fully
apply this asynchronous errata update:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

Affected Products

• Red Hat OpenShift Enterprise Infrastructure 2.2 x86_64
• Red Hat OpenShift Enterprise Application Node 2.2 x86_64

Fixes

• BZ - 1258033 - Allow the override of pre-defined function for database connections
• BZ - 1377433 - haproxy configuration in HA gears sets inconsistent cookie values, breaking session affinity
• BZ - 1394328 - [RFE] EWS 2 cartridge should be able to use EWS 3 binaries.
• BZ - 1401120 - pip permission error prevents installing on python-2.7 cartridge
• BZ - 1401124 - oo-accept-node reports missing quota if filesystem name contains gear uuid
• BZ - 1401132 - Moving gears with many aliases causes excessive number of apache reloads

CVEs

(none)

References

(none)