Synopsis

OpenShift Container Platform 3.5, 3.4, 3.3, and 3.2 bug fix update

Type/Severity

Bug Fix Advisory

Topic

Red Hat OpenShift Container Platform releases 3.5.5.8, 3.4.1.18, 3.3.1.20, and 3.2.1.31 are now available with updates to packages and images that fix several bugs.

Description

Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.5.5.8, 3.4.1.18, 3.3.1.20, and 3.2.1.31. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2017:1130

This update fixes the following bugs:

• Manifest verification did not pay attention to non-local layers. Therefore, verification failed if pull-through was enabled. This bug fix uses pull-through to verify remote layers. Manifest verification is now successful. (BZ#1411161)
• The master API investigated the wrong object to determine the Docker image reference of a new image stream mapping when the referenced image already existed. Therefore, the created image stream tag contained misleading information about the image's location. It pointed to the original image stream. With this bug fix, the master API now properly determines the Docker image reference for new image stream mappings. (BZ#1427441)
• When quickly and repeatedly adding and deleting a route with same name in a namespace, the router pod panics with an error of "invalid state transition: Deleted -> ADDED". Now, adding the objects UID to the event queue key generation function addresses the issue. (BZ#1429823)
• When searching images eligible for pruning, a logic error was identified in how weak and strong references are. Some images having both strong and weak references in the pruning graph could be removed during pruning. This bug fix corrected the logic responsible for finding which images have strong references. Pruning now correctly recognizes and prunes images. (BZ#1433721)
• Builds that quickly progress from running to complete did not trigger the logic that sets the build start time. Builds would miss the build start time. Now, if a build completes without having the start time set, the start time is set equal to the completion time. (BZ#1436395)
• When the RestrictUsersAdmission admission control plug-in is enforcing role binding restrictions and examines a role binding with a service account subject, the plug-in requires that the subject have an explicit namespace that matches some role binding restriction in order to be admitted. When an application template contains a role binding with a service account subject, typically the subject's namespace is left blank in the template so that the namespace will be defaulted to the namespace in which the role binding is created. This happens only after admission control is performed. Role binding restrictions cannot match against role bindings, so the plug-in rejects these role bindings. The plug-in now treats a blank namespace in a service account subject as implicitly matching the namespace of the role binding restriction and admits the role bindings. (BZ#1439859)
• With the serial policy, the failure of a build was not triggering the logic to check for the next build to run. After a failed build, a delay of up to two minutes could occur before the next build would start, when using a serial build policy. This bug fix ensures the next build is triggered immediately after a build fails. Now, the next build starts immediately after a build fails (or otherwise completes). (BZ#1440147)
• OpenShift Container Platform (OCP) logic for persistent volume attach/detach logic on AWS queried status of each attach/detach operation using separate API calls for each persistent volume. OCP could run out of AWS API call quota and be throttled by AWS. As a result, attach/detach operations could slow when multiple volumes were attached/detached at the same time. With this bug fix, OCP uses bulk query to determine status of all attach/detach operations at once. Attaching and detaching volumes is now faster. (BZ#1441748)

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For OpenShift Container Platform 3.5, see the following documentation, which will be updated shortly for release 3.5.5.8, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_5_release_notes.html

For OpenShift Container Platform 3.4, see the following documentation, which will be updated shortly for release 3.4.1.18, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_release_notes.html

For OpenShift Container Platform 3.3, see the following documentation, which will be updated shortly for release 3.3.1.20, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.3/release_notes/ocp_3_3_release_notes.html

For OpenShift Container Platform 3.2, see the following documentation, which will be updated shortly for release 3.2.1.31, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/enterprise/3.2/release_notes/ose_3_2_release_notes.html

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Affected Products

• Red Hat OpenShift Container Platform 3.5 x86_64
• Red Hat OpenShift Container Platform 3.4 x86_64
• Red Hat OpenShift Container Platform 3.3 x86_64

Fixes

• BZ - 1371375 - Race condition during aws ebs/cinder volume detach and delete
• BZ - 1397293 - It takes too long to show log entries on Kibana with journald log driver after scale up ES
• BZ - 1411161 - [3.3] Fail to push built image to registry due to "manifest blob unknown: blob unknown to registry" without define output image via oc new-build
• BZ - 1415112 - [3.5] [networking_public_407] the router configuration not reloaded after the namespace label changed
• BZ - 1426511 - Failed to fit node if nodeselector sepecified when upgrade logging stacks via ansible
• BZ - 1427441 - [3.4][Backport] ImageStream references same image in another project
• BZ - 1429823 - [3.5.x] Observed a panic: "Invalid state transition: DELETED -> ADDED" (Invalid state transition: DELETED -> ADDED) - default router
• BZ - 1433721 - Missing images, streams and tags for running PODs and DCs
• BZ - 1436395 - Some build failures do not show STARTED value
• BZ - 1439859 - cannot create jenkins pipeline buildConfig when no jenkins server preinstall
• BZ - 1440147 - Failed builds delay start of next build + don't have a completion time
• BZ - 1440977 - [3.4] Router hangs on deadlock
• BZ - 1441748 - AWS quota problems in Openshift 3.5
• BZ - 1442859 - [3.3] Router hangs on deadlock
• BZ - 1442860 - [3.5] Router hangs on deadlock
• BZ - 1443665 - [3.4] HAProxy router's request buffer is too small

CVEs

(none)

References

(none)