RHBA-2017:0224 - Bug Fix Advisory

Topic

Updated atomic-openshift-utils and openshift-ansible packages that fix several bugs are now available for OpenShift Container Platform 3.4, 3.3, and 3.2.

Description

Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

The atomic-openshift-utils and openshift-ansible packages contain the installation utility and Ansible requirements for installing and upgrading OpenShift Container Platform 3.

This update fixes the following bugs:

• Previously, an OpenShift Ansible failure on one node would cause installation to fail entirely when verifying node registration with the master. OpenShift Ansible will now continue running on nodes that have not failed and will only ensure that passing hosts have been registered. (BZ#1377619)
• The common/openshift-master/config.yml playbook was configured to add several IPtables rules by default. Therefore, several ports were opened in the firewall, which were not necessary for default deployments. The common/openshift-master/config.yml playbook was updated to remove the unneeded rules and logic was added to only open ports required for etcd when ectd was an embedded install. This reduced the number of open ports for default installs. (BZ#1386329)
• The expiry role was not checking for emebdded etcd environments. Therefore, the health of embedded etcd certificates were not evaluated.

This fix ensures that the openshift_cert_expiry module correctly identifies embedded etcd environments. The health of embedded etcd certificates are now evaluated. (BZ#1389264)

• The installation summary was only printing etcd hosts if they were also masters. As a result, dedicated etcd hosts were not appearing in the installation summary. This fix removed the check for masters prior to the check for etcd hosts. The installation summary is now correct. (BZ#1389649)
• Node certificates created by openshift-ansible had duplicate serial numbers. This was a concern for IPsec encryption, which requires that the certificate serials are unique. This fix corrects the duplication. (BZ#1414537, BZ#1414542, BZ#1414570)
• When attempting to upgrade OpenShift Container Platform from 3.3.1 to 3.4.1, the upgrade failed when trying evacuate the node with command `oc adm manage-node <node_ID> --drain --force`. An error message indicated that an unsupported command was used. This fix addresses the issue. (BZ#1414707)

All OpenShift Container Platform 3.4, 3.3, and 3.2 users are advised to upgrade to these updated packages.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To apply this update, run the following on all hosts where you intend to initiate Ansible-based installation or upgrade procedures:

# yum update atomic-openshift-utils

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Affected Products

• Red Hat OpenShift Container Platform 3.4 x86_64
• Red Hat OpenShift Container Platform 3.3 x86_64

Fixes

• BZ - 1377619 - [3.3] ansible playbooks continue running after get error
• BZ - 1386329 - [3.4] Installer creating rules/opening up ports in iptables that are not needed.
• BZ - 1389264 - [3.4] openshift_certificate_expiry missed embeded-etcd's cert check
• BZ - 1389649 - [3.4] [quick install]Installation summary is not correct when specifying a dedicated etcd in installer.cfg.yml
• BZ - 1414537 - [3.4] Node certificate serials are not unique
• BZ - 1414542 - [3.3] Node certificate serials are not unique
• BZ - 1414570 - [3.2] Node certificate serials are not unique
• BZ - 1414707 - [3.4] failed to evacuate node due to unknown flag drain used in upgrade_nodes.yml

CVEs

(none)

References

(none)