RHBA-2017:2900 - Bug Fix Advisory

Topic

Updated atomic-openshift-utils and openshift-ansible packages that fix several bugs and add enhancements are now available for OpenShift Container Platform 3.6, 3.5, 3.4, and 3.3.

Description

Red Hat OpenShift Container Platform (OCP) is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

The atomic-openshift-utils and openshift-ansible packages contain the installation utility and Ansible requirements for installing and upgrading OpenShift Container Platform 3.

This update fixes the following bugs:

• The `nodeSelector` and `supplementalGroups` parameters from existing deployments were ignored because they should be defined in the inventory file. There was no way to define values for each deployment configuration (DC), which hinders the use case where a deployment is using host mount volumes. As a result, the `nodeSelector` and `supplementalGroups` parameters were replaced with those defined in the inventory file. Use `nodeSelector` and `supplementalGroups` from logging facts if they exist for a given DC. The `nodeSelector` and `supplementalGroups` parameters are now retained when applied changes. (BZ#1478771, BZ#1482661)
• With Ansible 2.3, warnings are issued when using Jinja delimiters in 'when' conditions. The delimiters have been removed from the code base to avoid these warnings. (BZ#1480129, BZ#1488359, BZ#1488360, BZ#1488361, BZ#1488363)
• The docker_image_availability Ansible health check did not apply any intelligence for when registries are not reachable, and also did not search for images in the local index with all fully qualified names. This check takes a long time to run in disconnected installs if not all of the required images are imported and tagged a certain way. This causes it to consult the default registry, which is not reachable and takes a long time to timeout for each image. This bug fix updates docker_image_availability check to:

1. Check correctly for the image in the docker index (using all registry names).
2. Inspect registries in the order configured, to enable finding required images in a local registry before consulting a public one.
3. Probe for connectivity to registries and do not continue to inspect ones that cannot be reached.
4. Retry failed registry inspections to add robustness, in case of transient network problems.
With this bug fix, the check is more robust and performance in disconnected scenarios is improved. (BZ#1480195)

• The installer does not default a value for PVC size. Therefore, the storage provisioner is unable to bind a PV to the PVC for glusterfs because no requested size is provided. This bug fix defaults a value so that the PVC is created using a default value when requesting a dynamic PVC. (BZ#1480878)
• The service account was not being added for the `admin` role. Therefore, the service account did not have correct permissions. With this bug fix, the service account was added for the `admin` role and the service account now has correct permissions. (BZ#1487648)
• The flannel network was previously defined using the same subnet as the kubernetes services subnet. This caused a conflict between services and SDN networks. The flannel network is now correctly defined by the `osm_cluster_network_cidr` variable. (BZ#1491412, BZ#1491413)

The update includes the following enhancements:

• The installer now allows you to specify the variables `oreg_auth_user` and `oreg_auth_password` to specify the credentials used to pull infrastructure images from an authenticated registry that is defined by setting `oreg_url`. Your environment may require credentials to pull infrastructure images from your private registry defined via `oreg_url`.

OCP may now pull images from a private registry requiring user name and password credentials. (BZ#1316341, BZ#1484063, BZ#1484068)

• .NET Core 2.0 image streams have been added to the install and upgrade playbooks for OCP 3.5 and 3.6. (BZ#1492618)

All OpenShift Container Platform users are advised to upgrade to these updated packages.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To apply this update, run the following on all hosts where you intend to initiate Ansible-based installation or upgrade procedures:

# yum update atomic-openshift-utils

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 3.6 x86_64
• Red Hat OpenShift Container Platform 3.5 x86_64
• Red Hat OpenShift Container Platform 3.4 x86_64
• Red Hat OpenShift Container Platform 3.3 x86_64

Fixes

• BZ - 1316341 - [3.6] installer need provide a way to add docker auth to kubelet for auto pulling infra image from an authenticated registry
• BZ - 1471322 - Default image tags for logging components allow new images to deploy without required configmap or deploymentconfig changes
• BZ - 1478771 - We do not preserve the security context and node selector for the elasticsearch dc after running ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/openshift-logging.yml after upgade to OCP 3.5
• BZ - 1480129 - [3.2] "when statements should not include jinja2 templating delimiters" warning is shown when running installer with ansible-2.3.1.0-3.el7.noarch
• BZ - 1480195 - docker_image_availability check fails in disconnected environment
• BZ - 1480878 - Logging does not deploy dynamic PVC when volume size is not specified
• BZ - 1482661 - We do not preserve the security context and node selector for the elasticsearch dc after running ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/openshift-logging.yml after upgade
• BZ - 1484063 - [3.5] installer need provide a way to add docker auth to kubelet for auto pulling infra image from an authenticated registry
• BZ - 1484068 - [3.4] installer need provide a way to add docker auth to kubelet for auto pulling infra image from an authenticated registry
• BZ - 1487648 - Installer does not add management-admin service account to management-infra project admin role
• BZ - 1488359 - [3.3] "when statements should not include jinja2 templating delimiters" warning is shown when running installer with ansible-2.3.1.0-3.el7.noarch
• BZ - 1488360 - [3.4] "when statements should not include jinja2 templating delimiters" warning is shown when running installer with ansible-2.3.1.0-3.el7.noarch
• BZ - 1488361 - [3.5] "when statements should not include jinja2 templating delimiters" warning is shown when running installer with ansible-2.3.1.0-3.el7.noarch
• BZ - 1488363 - [3.6] "when statements should not include jinja2 templating delimiters" warning is shown when running installer with ansible-2.3.1.0-3.el7.noarch
• BZ - 1491412 - [3.6] Installer does not configure flannel correctly for openstack installs.
• BZ - 1491413 - [3.5] Installer does not configure flannel correctly for openstack installs.
• BZ - 1492618 - [3.5] New .NET Core 2.0 imagestreams/templates for OpenShift Container Platform

CVEs

(none)

References

(none)