Synopsis

OpenShift Container Platform 3.9 bug fix update

Type/Severity

Bug Fix Advisory

Topic

Red Hat OpenShift Container Platform release 3.9.33 is now available with updates to packages and images that fix several bugs.

Description

Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.9.33. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2018:2212

This update fixes the following bugs:

• The latest versions of *container-selinux* prevent pods from running systemd unless `container_manage_cgroup` is set to true. The installer now sets this boolean to `true` at install time ensuring that pods with systemd run as expected. (BZ#1589929)
• Port 10256 is now opened on hosts, which resolves an issue where service load balancer health checks failed because the port was not opened. (BZ#1594306)
• The defaults for the Searchguard index are set to autoexpand to the number of nodes minus 1. This causes the number of replicas for *_.searchguard_* indices to expand to the number of nodes in the cluster, but if any one node goes down, the cluster will never return to a green state without all nodes coming back. This bug fix uses the `sgadmin` tool to disable replica expansion, updates replicas to `0`, and modifies the index setting to allocate to a named node. As a result, the Searchguard index has auto replica expansion disabled, replicas set to `0`, and is allocated to a specific node. (BZ#1582232)
• The *fluent-plugin-elasticsearch* improperly handled bookkeeping of the records being submitted. This caused Fluentd to be stuck processing even though there was a valid request and response. This bug fix properly accounts for the records submitted to Elasticsearch. As a result, the pipeline no longer gets stuck. (BZ#1593310)
• The installer was creating an incorrect `spec` attribute for CPU and memory for logging. Additionally, it did not allow modifying the `cpu_limit` setting. This caused the values to be ignored. This bug fix conditionally patches in the `cpu_limit` setting if it is defined and corrects the attribute name used to specify CPU and memory requests. As a result, the values are now honored as expected. (BZ#1592551)
• Previously, enabling autoscaling from the *Add to project* -> *advanced options* page in the web console would not work correctly. The horizontal pod autoscaler would not correctly target the deployment configuration created for your application. This only was a problem when enabling autoscaling while creating the application; enabling autoscaling later worked correctly. This bug fixes updates the web console, and autoscaling is now correctly enabled from the application creation form. (BZ#1590936)
• Previously, the resource *Replication Controller Dummy* could appear in the types in the *Other Resources* page of the web console. This type would cause an error when it was selected. This bug fix removes this type from the list because it is not a real resource that users would create. (BZ#1589838)
• This bug fix ensures `spec` validations of service bindings do not include status, such that storage migrations during upgrade properly succeed. (BZ#1586135)

All OpenShift Container Platform 3.9 users are advised to upgrade to these updated packages and images.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For OpenShift Container Platform 3.9 see the following documentation, which will be updated shortly for release 3.9.33, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Affected Products

• Red Hat OpenShift Container Platform 3.9 x86_64

Fixes

• BZ - 1557345 - some pods are scheduled to masters when openshift.io/node-selector="" in namespace
• BZ - 1582232 - The .searchguard indices end up with 2 replicas by default
• BZ - 1582875 - Secured Wildcard route takes over all unsecured routes in same subdomain
• BZ - 1583148 - [CNS][3.9] Installation failed due to GlusterFS pods try to pull image from docker.io
• BZ - 1583718 - [3.9] Service uses type ClusterIP and cloudprovider tries to create loadbalancer
• BZ - 1586135 - Upgrade from 3.7 to 3.9 fail at the Task [Upgrade all storage] for servicebinding (fix for 3.9.z)
• BZ - 1587996 - [3.9] OpenShift container registry is not able to use eu-west-3 for s3 storage.
• BZ - 1589838 - "Unknown resource: replicationcontrollerdummies/extensions/v1beta1"
• BZ - 1589929 - CFME httpd pod fail to get started after deployed on ocp-3.9
• BZ - 1590059 - Trigger a deploy of DC manually caused too much time to finish because of evicted pods.
• BZ - 1590936 - Hpa has incorrect ref apiversion if it is created with app creation
• BZ - 1591632 - master controllers edits the secret after upgrade to 3.9
• BZ - 1592551 - [3.9]openshift_logging_eventrouter_cpu_limit and openshift_logging_eventrouter_cpu_request don't take effect
• BZ - 1593310 - Fluent pipeline stuck because records in request do not equal response
• BZ - 1594306 - Service load balancers don't work on GCP (and others) that depend on health port being exposed

CVEs

(none)

References

(none)