- Issued:
- 2018-06-06
- Updated:
- 2018-06-06
RHBA-2018:1796 - Bug Fix Advisory
Synopsis
OpenShift Container Platform 3.9 bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Red Hat OpenShift Container Platform release 3.9.30 is now available with updates to packages and images that fix several bugs and add enhancements.
Description
Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.9.30. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHBA-2018:1797
This update fixes the following bugs:
- Jenkins no_proxy processing could not handle suffixes like ".svc". As a result, communication between a Jenkins k8s agent pod and the Jenkins master would attempt to go through a configured http_proxy and fail.
With this bug fix, the OpenShift Container Platform jenkins agent images are updated to automatically include the jenkins master and jnlp hosts in the no_proxy list. The Jenkins limitation for no_proxy processing is now circumvented.(BZ#1578989) - When creating the Elasticsearch server certificate, the external Elasticsearch host names were unconditionally added to the subjectAltName. Installation would fail because only host name components beginning with a letter are allowed in the subjectAltName, so hostnames like es.0xdeadbeef.com were disallowed and would cause an error. A warning is now issued if the Elasticsearch host name contains a component which does not begin with a letter, and it is not added to the subjectAltName. Logging installation now completes successfully. (BZ#1567767)
- The plug-in only caught the KubeException, but not more general exceptions. Therefore, consumers were stuck cycling until the API server could be contacted. Metadata fetch is now more relaxed and gracefully catches the exception, returning no metadata, and subsequently the record is orphaned. (BZ#1560170)
- logging-elasticsearch-ops was missing in the delete configmaps list in the openshift-ansible delete_logging role. The logging-elasticsearch-ops configmap still exists after running uninstall ansible playbook for logging. logging-elasticsearch-ops is added to the delete configmaps list. All of the logging configmaps including logging-elasticsearch-ops are now uninstalled by running the uninstall ansible playbook for logging. (BZ#1549220)
- The Create Project button was incorrectly displayed to users when they had no projects and self-provisioning had been disabled on the projects list page of the web console. The action would always fail, so the button should have been hidden. The bug is now fixed, and Create Project is now correctly hidden in the console when self-provisioning is disabled. (BZ#1577359)
- This bug fix addresses an issue pulling images from a private docker hub registry. (BZ#1578088)
- This bug fix addresseswhere cfs_quota might still be set on a pod even when cpu-cfs-quota is set to false on the node. (BZ#1581860)
This update includes the following enhancement:
- Users are now allowed to disable JSON payload parsing. Parsing each log message into JSON and attaching it to the final payload is an expensive operation. Fluentd can now be configured to disable parsing of message payloads. This is the initial configuration change to deprecating the feature from the fluent-plugin-kubernetes_metadata_filter. (BZ#1569825)
All OpenShift Container Platform 3.9 users are advised to upgrade to these updated packages and images.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For OpenShift Container Platform 3.9 see the following documentation, which will be updated shortly for release 3.9.30, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.
Affected Products
- Red Hat OpenShift Container Platform 3.9 x86_64
Fixes
- BZ - 1549220 - configmap still exist after running uninstall playbook for logging
- BZ - 1550847 - s3 deployment via ansible fails as pvc doesn't get created
- BZ - 1554407 - [CRI-O] logging-fluentd throughput lower with CRI-O runtime vs Docker runtime
- BZ - 1557290 - Cannot allocate memory when redeploy logging
- BZ - 1559443 - Hawkular Metrics crashes with OutOfMemoryError under moderate load
- BZ - 1560170 - Fluentd unable to send logs to Elasticsearch with socket errors talking to Kube
- BZ - 1564847 - The image tag of cri-o should be v3.9 instead of 3.9 while openshift_release is specified
- BZ - 1565372 - The ES fluentd plugin appears to direct the elasticsearch-api to retry a failed request 5 times before bubbling up an error causing ES bulk queue overflows
- BZ - 1567250 - Metrics Casandra PV running out of space due to snapshots
- BZ - 1567767 - [3.9] openshift_logging : Run JKS generation script failed
- BZ - 1568361 - Rotate Elasticsearch log files on persistent volume, keeping a configured maximum
- BZ - 1569825 - JSON payload processing of the log message payload if abused can cause logging to slow to a crawl
- BZ - 1570540 - Vmware persistent volumes do not work because of missing clusterrolebinding with vsphere-cloud-provider service account.
- BZ - 1570982 - Large number of data_temp tables cause request timeouts and other performance problems
- BZ - 1572192 - [CRI-O] Containers created with cri-o allow non-privileged user to modify filesystem.
- BZ - 1577357 - [3.9] oadm prune images fails on invalid image reference
- BZ - 1577359 - Create Project button shows up on project listing even if you do not have permissions to create a project
- BZ - 1577877 - [3.9] .all alias not being updated with new indices after a certain date
- BZ - 1578088 - Secret created by `oc create secret docker-registry` cannot pull image from external private registry
- BZ - 1578989 - jenkins slave does not respect no_proxy 3.9
- BZ - 1579898 - changes introduced by bz 1416639 not working for registry on NFS
- BZ - 1581860 - [3.9] Limit ranges are being applied with cpu-cfs-quota set to false
- BZ - 1582190 - master scaleup failed due to 'openshift_is_atomic' is undefined"
CVEs
References
(none)
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat OpenShift Container Platform 3.9
| SRPM | |
|---|---|
| atomic-openshift-3.9.30-1.git.0.dec1ba7.el7.src.rpm | SHA-256: 6496fc78df2f29e0bce0ad392d9b6b5a4d80df3f88ee41ae807a4e1240710e30 |
| atomic-openshift-web-console-3.9.30-1.git.245.4a3aade.el7.src.rpm | SHA-256: 80da2943dfd790cc6d1a81d4d52c78ce82a898b4a18f4430070549946a175e4b |
| cri-o-1.9.12-1.gitfa11beb.el7.src.rpm | SHA-256: dff402caa7dc2a74e3dc6431cd16b7ec36115181fd001543f4f6941685f79fa7 |
| cri-tools-1.0.0-5.rhaos3.9.git8e6013a.el7.src.rpm | SHA-256: b39e2a611b43e49644f09cbf4fb9052cd30ca3816ca53c38edc5adb818ef2d38 |
| golang-github-prometheus-node_exporter-3.9.30-1.git.890.7ea5173.el7.src.rpm | SHA-256: 4c66798db85c868318865ce75b33a2141573122b396cb360b46f298169262835 |
| openshift-ansible-3.9.30-1.git.7.46f8678.el7.src.rpm | SHA-256: 736c4bc5d760fb9c38d9b557ec84d32b699ea39b058ab547476e9919f69b5192 |
| rubygem-fluent-plugin-elasticsearch-1.16.1-1.el7.src.rpm | SHA-256: 82edbf42e08cf540d07af46ef721755365cfe1f479edb854ac09a03dc72063ce |
| rubygem-fluent-plugin-kubernetes_metadata_filter-1.0.3-1.el7.src.rpm | SHA-256: d409bd5c1b27b8fc51535dadf7655a57d0c536d89cfed662b73b5063d0e010b4 |
| x86_64 | |
| atomic-openshift-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm | SHA-256: 4b7402f8e9be5ca5167c3506bf1d13985a31aa6865999379b6d2b4a573143700 |
| atomic-openshift-clients-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm | SHA-256: 5f3426c13936d62885e1a4bd40e781c78403041519b91a987065ea417f932fd4 |
| atomic-openshift-clients-redistributable-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm | SHA-256: 6a431c2ccc2f32cfde1588481800e2f3d752f9c3a8734484a0324d5da45cb26c |
| atomic-openshift-cluster-capacity-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm | SHA-256: b838f0f0220abed024316333332f150abcb3aed72c21e7fce9a493e4faa6d418 |
| atomic-openshift-docker-excluder-3.9.30-1.git.0.dec1ba7.el7.noarch.rpm | SHA-256: 2e12e4a2665c2b82ae459752c4cd6271764d74983db85ace213492d7c7ffbfd4 |
| atomic-openshift-dockerregistry-3.9.30-1.git.349.8b7912c.el7.x86_64.rpm | SHA-256: 95e71b3167a425352e9cfa7b918920e69f7518191d07646f04625e10dadab27f |
| atomic-openshift-excluder-3.9.30-1.git.0.dec1ba7.el7.noarch.rpm | SHA-256: 17924f4aa8eca58b6b4e75101e6f78f1905177c80bdf0f8ed417c2e91e998723 |
| atomic-openshift-federation-services-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm | SHA-256: 83c161e410f9317f73e1dabd29b83aabb5df22e30d60f00356c7d9b4133c43e0 |
| atomic-openshift-master-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm | SHA-256: 39d0a10b47b101d63a91d6cce0aeee91d82af0fbd91f31d767ea02f7a94c70ac |
| atomic-openshift-node-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm | SHA-256: a01bdd39b7ba7158a29919f7abdf8109adc31e86a78aec4a31edee7537ab54d2 |
| atomic-openshift-pod-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm | SHA-256: b78ee4dce695d35514806b43b95734f1832486e6ea32eb44c089be223f81812f |
| atomic-openshift-sdn-ovs-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm | SHA-256: 66883043f5fee3bc9682bc3f29f9ef998d844fb0dc63921287623c3ca2e9ab56 |
| atomic-openshift-service-catalog-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm | SHA-256: ed590ed3d641945ab732c4e662700f4780d56623a30d973826b4f27cb6c57564 |
| atomic-openshift-template-service-broker-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm | SHA-256: 417425faa02095b4822f7e9f414e16130e7ee3155a6730f9b439e383559a5577 |
| atomic-openshift-tests-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm | SHA-256: 37b6c73511bb55d324e7e95b6436634c1487a1e020ba4ef287da85b55532f04f |
| atomic-openshift-utils-3.9.30-1.git.7.46f8678.el7.noarch.rpm | SHA-256: 3dbf347ec51e3620c1da4933b776ad1e40f08fe3f8af326f02432a5c118df1b8 |
| atomic-openshift-web-console-3.9.30-1.git.245.4a3aade.el7.x86_64.rpm | SHA-256: 30503b628d6a67b6e67c4557588a09e6c8a104045273c1bb5b5139e172ba2f3d |
| cri-o-1.9.12-1.gitfa11beb.el7.x86_64.rpm | SHA-256: dab14c053bd3914066dcf5dfa528931dc298a74f2d7f78a2a9b0261a9171884b |
| cri-o-debuginfo-1.9.12-1.gitfa11beb.el7.x86_64.rpm | SHA-256: 378b5a5f114b698a9e76d785b172ad7e7e4c74b8e9666ad0cb20e859e9b4450d |
| cri-tools-1.0.0-5.rhaos3.9.git8e6013a.el7.x86_64.rpm | SHA-256: e041350770afb36ba57782398f8273de93b4d007b6a8eb2c33aa0a21b7462863 |
| cri-tools-debuginfo-1.0.0-5.rhaos3.9.git8e6013a.el7.x86_64.rpm | SHA-256: 6d703669a4360e373a1b04309a2e55686e0179162d883aa2867467f1276f7a3c |
| openshift-ansible-3.9.30-1.git.7.46f8678.el7.noarch.rpm | SHA-256: 4fa2ff526a917648cc1261a5748f77d682aa611ad4bf6917ece9a71f7dfa6121 |
| openshift-ansible-docs-3.9.30-1.git.7.46f8678.el7.noarch.rpm | SHA-256: eed5e7f7f342c4b30bcdfdc01e9f5764f4581296ec3906f1e6b4b88dacfc434c |
| openshift-ansible-playbooks-3.9.30-1.git.7.46f8678.el7.noarch.rpm | SHA-256: 87269bb693cca409b5af731f5a6d7200e7074e0e806e9ba1c33cde7740e48b90 |
| openshift-ansible-roles-3.9.30-1.git.7.46f8678.el7.noarch.rpm | SHA-256: a06ac1bea5c048e7166550796cb16b485b9934780b1e3cbd4c62fd140fee351c |
| prometheus-node-exporter-3.9.30-1.git.890.7ea5173.el7.x86_64.rpm | SHA-256: d0089e22656775fcb2702a2fdb82be8a4f413fe2f73abaf975f3138d722712de |
| rubygem-fluent-plugin-elasticsearch-1.16.1-1.el7.noarch.rpm | SHA-256: 77ce049372e468a4dcc7dddc661de4f64ca379edf9dc981cf15262fec0b9e91b |
| rubygem-fluent-plugin-elasticsearch-doc-1.16.1-1.el7.noarch.rpm | SHA-256: 9185242acc85c7f58dedafdedbe9486c5862fc7284cfe95328d7cd2e064873b1 |
| rubygem-fluent-plugin-kubernetes_metadata_filter-1.0.3-1.el7.noarch.rpm | SHA-256: 01dc04ee6b9cdfb1811ab9519c9003901986c3149e095d46204d2d69eedd27c9 |
| rubygem-fluent-plugin-kubernetes_metadata_filter-doc-1.0.3-1.el7.noarch.rpm | SHA-256: b85b21a71eb567ccf0e73a35b5e9299ab3edf1abc6282a15cea771b8a63b8c58 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.