Issued:
2018-06-06
Updated:
2018-06-06

RHBA-2018:1796 - Bug Fix Advisory

Synopsis

OpenShift Container Platform 3.9 bug fix and enhancement update

Type/Severity

Bug Fix Advisory

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat OpenShift Container Platform release 3.9.30 is now available with updates to packages and images that fix several bugs and add enhancements.

Description

Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.9.30. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2018:1797

This update fixes the following bugs:

  • Jenkins no_proxy processing could not handle suffixes like ".svc". As a result, communication between a Jenkins k8s agent pod and the Jenkins master would attempt to go through a configured http_proxy and fail.

With this bug fix, the OpenShift Container Platform jenkins agent images are updated to automatically include the jenkins master and jnlp hosts in the no_proxy list. The Jenkins limitation for no_proxy processing is now circumvented.(BZ#1578989)

  • When creating the Elasticsearch server certificate, the external Elasticsearch host names were unconditionally added to the subjectAltName. Installation would fail because only host name components beginning with a letter are allowed in the subjectAltName, so hostnames like es.0xdeadbeef.com were disallowed and would cause an error. A warning is now issued if the Elasticsearch host name contains a component which does not begin with a letter, and it is not added to the subjectAltName. Logging installation now completes successfully. (BZ#1567767)
  • The plug-in only caught the KubeException, but not more general exceptions. Therefore, consumers were stuck cycling until the API server could be contacted. Metadata fetch is now more relaxed and gracefully catches the exception, returning no metadata, and subsequently the record is orphaned. (BZ#1560170)
  • logging-elasticsearch-ops was missing in the delete configmaps list in the openshift-ansible delete_logging role. The logging-elasticsearch-ops configmap still exists after running uninstall ansible playbook for logging. logging-elasticsearch-ops is added to the delete configmaps list. All of the logging configmaps including logging-elasticsearch-ops are now uninstalled by running the uninstall ansible playbook for logging. (BZ#1549220)
  • The Create Project button was incorrectly displayed to users when they had no projects and self-provisioning had been disabled on the projects list page of the web console. The action would always fail, so the button should have been hidden. The bug is now fixed, and Create Project is now correctly hidden in the console when self-provisioning is disabled. (BZ#1577359)
  • This bug fix addresses an issue pulling images from a private docker hub registry. (BZ#1578088)
  • This bug fix addresseswhere cfs_quota might still be set on a pod even when cpu-cfs-quota is set to false on the node. (BZ#1581860)

This update includes the following enhancement:

  • Users are now allowed to disable JSON payload parsing. Parsing each log message into JSON and attaching it to the final payload is an expensive operation. Fluentd can now be configured to disable parsing of message payloads. This is the initial configuration change to deprecating the feature from the fluent-plugin-kubernetes_metadata_filter. (BZ#1569825)

All OpenShift Container Platform 3.9 users are advised to upgrade to these updated packages and images.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For OpenShift Container Platform 3.9 see the following documentation, which will be updated shortly for release 3.9.30, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Affected Products

  • Red Hat OpenShift Container Platform 3.9 x86_64

Fixes

  • BZ - 1549220 - configmap still exist after running uninstall playbook for logging
  • BZ - 1550847 - s3 deployment via ansible fails as pvc doesn't get created
  • BZ - 1554407 - [CRI-O] logging-fluentd throughput lower with CRI-O runtime vs Docker runtime
  • BZ - 1557290 - Cannot allocate memory when redeploy logging
  • BZ - 1559443 - Hawkular Metrics crashes with OutOfMemoryError under moderate load
  • BZ - 1560170 - Fluentd unable to send logs to Elasticsearch with socket errors talking to Kube
  • BZ - 1564847 - The image tag of cri-o should be v3.9 instead of 3.9 while openshift_release is specified
  • BZ - 1565372 - The ES fluentd plugin appears to direct the elasticsearch-api to retry a failed request 5 times before bubbling up an error causing ES bulk queue overflows
  • BZ - 1567250 - Metrics Casandra PV running out of space due to snapshots
  • BZ - 1567767 - [3.9] openshift_logging : Run JKS generation script failed
  • BZ - 1568361 - Rotate Elasticsearch log files on persistent volume, keeping a configured maximum
  • BZ - 1569825 - JSON payload processing of the log message payload if abused can cause logging to slow to a crawl
  • BZ - 1570540 - Vmware persistent volumes do not work because of missing clusterrolebinding with vsphere-cloud-provider service account.
  • BZ - 1570982 - Large number of data_temp tables cause request timeouts and other performance problems
  • BZ - 1572192 - [CRI-O] Containers created with cri-o allow non-privileged user to modify filesystem.
  • BZ - 1577357 - [3.9] oadm prune images fails on invalid image reference
  • BZ - 1577359 - Create Project button shows up on project listing even if you do not have permissions to create a project
  • BZ - 1577877 - [3.9] .all alias not being updated with new indices after a certain date
  • BZ - 1578088 - Secret created by `oc create secret docker-registry` cannot pull image from external private registry
  • BZ - 1578989 - jenkins slave does not respect no_proxy 3.9
  • BZ - 1579898 - changes introduced by bz 1416639 not working for registry on NFS
  • BZ - 1581860 - [3.9] Limit ranges are being applied with cpu-cfs-quota set to false
  • BZ - 1582190 - master scaleup failed due to 'openshift_is_atomic' is undefined"

References

(none)

Red Hat OpenShift Container Platform 3.9

SRPM
atomic-openshift-3.9.30-1.git.0.dec1ba7.el7.src.rpm SHA-256: 6496fc78df2f29e0bce0ad392d9b6b5a4d80df3f88ee41ae807a4e1240710e30
atomic-openshift-web-console-3.9.30-1.git.245.4a3aade.el7.src.rpm SHA-256: 80da2943dfd790cc6d1a81d4d52c78ce82a898b4a18f4430070549946a175e4b
cri-o-1.9.12-1.gitfa11beb.el7.src.rpm SHA-256: dff402caa7dc2a74e3dc6431cd16b7ec36115181fd001543f4f6941685f79fa7
cri-tools-1.0.0-5.rhaos3.9.git8e6013a.el7.src.rpm SHA-256: b39e2a611b43e49644f09cbf4fb9052cd30ca3816ca53c38edc5adb818ef2d38
golang-github-prometheus-node_exporter-3.9.30-1.git.890.7ea5173.el7.src.rpm SHA-256: 4c66798db85c868318865ce75b33a2141573122b396cb360b46f298169262835
openshift-ansible-3.9.30-1.git.7.46f8678.el7.src.rpm SHA-256: 736c4bc5d760fb9c38d9b557ec84d32b699ea39b058ab547476e9919f69b5192
rubygem-fluent-plugin-elasticsearch-1.16.1-1.el7.src.rpm SHA-256: 82edbf42e08cf540d07af46ef721755365cfe1f479edb854ac09a03dc72063ce
rubygem-fluent-plugin-kubernetes_metadata_filter-1.0.3-1.el7.src.rpm SHA-256: d409bd5c1b27b8fc51535dadf7655a57d0c536d89cfed662b73b5063d0e010b4
x86_64
atomic-openshift-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm SHA-256: 4b7402f8e9be5ca5167c3506bf1d13985a31aa6865999379b6d2b4a573143700
atomic-openshift-clients-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm SHA-256: 5f3426c13936d62885e1a4bd40e781c78403041519b91a987065ea417f932fd4
atomic-openshift-clients-redistributable-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm SHA-256: 6a431c2ccc2f32cfde1588481800e2f3d752f9c3a8734484a0324d5da45cb26c
atomic-openshift-cluster-capacity-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm SHA-256: b838f0f0220abed024316333332f150abcb3aed72c21e7fce9a493e4faa6d418
atomic-openshift-docker-excluder-3.9.30-1.git.0.dec1ba7.el7.noarch.rpm SHA-256: 2e12e4a2665c2b82ae459752c4cd6271764d74983db85ace213492d7c7ffbfd4
atomic-openshift-dockerregistry-3.9.30-1.git.349.8b7912c.el7.x86_64.rpm SHA-256: 95e71b3167a425352e9cfa7b918920e69f7518191d07646f04625e10dadab27f
atomic-openshift-excluder-3.9.30-1.git.0.dec1ba7.el7.noarch.rpm SHA-256: 17924f4aa8eca58b6b4e75101e6f78f1905177c80bdf0f8ed417c2e91e998723
atomic-openshift-federation-services-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm SHA-256: 83c161e410f9317f73e1dabd29b83aabb5df22e30d60f00356c7d9b4133c43e0
atomic-openshift-master-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm SHA-256: 39d0a10b47b101d63a91d6cce0aeee91d82af0fbd91f31d767ea02f7a94c70ac
atomic-openshift-node-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm SHA-256: a01bdd39b7ba7158a29919f7abdf8109adc31e86a78aec4a31edee7537ab54d2
atomic-openshift-pod-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm SHA-256: b78ee4dce695d35514806b43b95734f1832486e6ea32eb44c089be223f81812f
atomic-openshift-sdn-ovs-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm SHA-256: 66883043f5fee3bc9682bc3f29f9ef998d844fb0dc63921287623c3ca2e9ab56
atomic-openshift-service-catalog-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm SHA-256: ed590ed3d641945ab732c4e662700f4780d56623a30d973826b4f27cb6c57564
atomic-openshift-template-service-broker-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm SHA-256: 417425faa02095b4822f7e9f414e16130e7ee3155a6730f9b439e383559a5577
atomic-openshift-tests-3.9.30-1.git.0.dec1ba7.el7.x86_64.rpm SHA-256: 37b6c73511bb55d324e7e95b6436634c1487a1e020ba4ef287da85b55532f04f
atomic-openshift-utils-3.9.30-1.git.7.46f8678.el7.noarch.rpm SHA-256: 3dbf347ec51e3620c1da4933b776ad1e40f08fe3f8af326f02432a5c118df1b8
atomic-openshift-web-console-3.9.30-1.git.245.4a3aade.el7.x86_64.rpm SHA-256: 30503b628d6a67b6e67c4557588a09e6c8a104045273c1bb5b5139e172ba2f3d
cri-o-1.9.12-1.gitfa11beb.el7.x86_64.rpm SHA-256: dab14c053bd3914066dcf5dfa528931dc298a74f2d7f78a2a9b0261a9171884b
cri-o-debuginfo-1.9.12-1.gitfa11beb.el7.x86_64.rpm SHA-256: 378b5a5f114b698a9e76d785b172ad7e7e4c74b8e9666ad0cb20e859e9b4450d
cri-tools-1.0.0-5.rhaos3.9.git8e6013a.el7.x86_64.rpm SHA-256: e041350770afb36ba57782398f8273de93b4d007b6a8eb2c33aa0a21b7462863
cri-tools-debuginfo-1.0.0-5.rhaos3.9.git8e6013a.el7.x86_64.rpm SHA-256: 6d703669a4360e373a1b04309a2e55686e0179162d883aa2867467f1276f7a3c
openshift-ansible-3.9.30-1.git.7.46f8678.el7.noarch.rpm SHA-256: 4fa2ff526a917648cc1261a5748f77d682aa611ad4bf6917ece9a71f7dfa6121
openshift-ansible-docs-3.9.30-1.git.7.46f8678.el7.noarch.rpm SHA-256: eed5e7f7f342c4b30bcdfdc01e9f5764f4581296ec3906f1e6b4b88dacfc434c
openshift-ansible-playbooks-3.9.30-1.git.7.46f8678.el7.noarch.rpm SHA-256: 87269bb693cca409b5af731f5a6d7200e7074e0e806e9ba1c33cde7740e48b90
openshift-ansible-roles-3.9.30-1.git.7.46f8678.el7.noarch.rpm SHA-256: a06ac1bea5c048e7166550796cb16b485b9934780b1e3cbd4c62fd140fee351c
prometheus-node-exporter-3.9.30-1.git.890.7ea5173.el7.x86_64.rpm SHA-256: d0089e22656775fcb2702a2fdb82be8a4f413fe2f73abaf975f3138d722712de
rubygem-fluent-plugin-elasticsearch-1.16.1-1.el7.noarch.rpm SHA-256: 77ce049372e468a4dcc7dddc661de4f64ca379edf9dc981cf15262fec0b9e91b
rubygem-fluent-plugin-elasticsearch-doc-1.16.1-1.el7.noarch.rpm SHA-256: 9185242acc85c7f58dedafdedbe9486c5862fc7284cfe95328d7cd2e064873b1
rubygem-fluent-plugin-kubernetes_metadata_filter-1.0.3-1.el7.noarch.rpm SHA-256: 01dc04ee6b9cdfb1811ab9519c9003901986c3149e095d46204d2d69eedd27c9
rubygem-fluent-plugin-kubernetes_metadata_filter-doc-1.0.3-1.el7.noarch.rpm SHA-256: b85b21a71eb567ccf0e73a35b5e9299ab3edf1abc6282a15cea771b8a63b8c58

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.