Synopsis

OpenShift Container Platform 3.9 bug fix update

Type/Severity

Bug Fix Advisory

Topic

Red Hat OpenShift Container Platform release 3.9.33 is now available with updates to packages and images that fix several bugs.

Description

Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.9.33. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2018:2212

This update fixes the following bugs:

• The latest versions of *container-selinux* prevent pods from running systemd unless `container_manage_cgroup` is set to true. The installer now sets this boolean to `true` at install time ensuring that pods with systemd run as expected. (BZ#1589929)
  
• Port 10256 is now opened on hosts, which resolves an issue where service load balancer health checks failed because the port was not opened. (BZ#1594306)
  
• The defaults for the Searchguard index are set to autoexpand to the number of nodes minus 1. This causes the number of replicas for *_.searchguard_* indices to expand to the number of nodes in the cluster, but if any one node goes down, the cluster will never return to a green state without all nodes coming back. This bug fix uses the `sgadmin` tool to disable replica expansion, updates replicas to `0`, and modifies the index setting to allocate to a named node. As a result, the Searchguard index has auto replica expansion disabled, replicas set to `0`, and is allocated to a specific node. (BZ#1582232)
  
• The *fluent-plugin-elasticsearch* improperly handled bookkeeping of the records being submitted. This caused Fluentd to be stuck processing even though there was a valid request and response. This bug fix properly accounts for the records submitted to Elasticsearch. As a result, the pipeline no longer gets stuck. (BZ#1593310)
  
• The installer was creating an incorrect `spec` attribute for CPU and memory for logging. Additionally, it did not allow modifying the `cpu_limit` setting. This caused the values to be ignored. This bug fix conditionally patches in the `cpu_limit` setting if it is defined and corrects the attribute name used to specify CPU and memory requests. As a result, the values are now honored as expected. (BZ#1592551)
  
• Previously, enabling autoscaling from the *Add to project* -> *advanced options* page in the web console would not work correctly. The horizontal pod autoscaler would not correctly target the deployment configuration created for your application. This only was a problem when enabling autoscaling while creating the application; enabling autoscaling later worked correctly. This bug fixes updates the web console, and autoscaling is now correctly enabled from the application creation form. (BZ#1590936)
  
• Previously, the resource *Replication Controller Dummy* could appear in the types in the *Other Resources* page of the web console. This type would cause an error when it was selected. This bug fix removes this type from the list because it is not a real resource that users would create. (BZ#1589838)
  
• This bug fix ensures `spec` validations of service bindings do not include status, such that storage migrations during upgrade properly succeed. (BZ#1586135)
  

All OpenShift Container Platform 3.9 users are advised to upgrade to these updated packages and images.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For OpenShift Container Platform 3.9 see the following documentation, which will be updated shortly for release 3.9.33, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Affected Products

• Red Hat OpenShift Container Platform 3.9 x86_64

Fixes

• BZ - 1557345 - some pods are scheduled to masters when openshift.io/node-selector="" in namespace
• BZ - 1582232 - The .searchguard indices end up with 2 replicas by default
• BZ - 1582875 - Secured Wildcard route takes over all unsecured routes in same subdomain
• BZ - 1583148 - [CNS][3.9] Installation failed due to GlusterFS pods try to pull image from docker.io
• BZ - 1583718 - [3.9] Service uses type ClusterIP and cloudprovider tries to create loadbalancer
• BZ - 1586135 - Upgrade from 3.7 to 3.9 fail at the Task [Upgrade all storage] for servicebinding (fix for 3.9.z)
• BZ - 1587996 - [3.9] OpenShift container registry is not able to use eu-west-3 for s3 storage.
• BZ - 1589838 - "Unknown resource: replicationcontrollerdummies/extensions/v1beta1"
• BZ - 1589929 - CFME httpd pod fail to get started after deployed on ocp-3.9
• BZ - 1590059 - Trigger a deploy of DC manually caused too much time to finish because of evicted pods.
• BZ - 1590936 - Hpa has incorrect ref apiversion if it is created with app creation
• BZ - 1591632 - master controllers edits the secret after upgrade to 3.9
• BZ - 1592551 - [3.9]openshift_logging_eventrouter_cpu_limit and openshift_logging_eventrouter_cpu_request don't take effect
• BZ - 1593310 - Fluent pipeline stuck because records in request do not equal response
• BZ - 1594306 - Service load balancers don't work on GCP (and others) that depend on health port being exposed

CVEs

(none)

References

(none)

Red Hat OpenShift Container Platform 3.9

SRPM
atomic-openshift-3.9.33-1.git.0.c35d02e.el7.src.rpm	SHA-256: b12aaa3612e868787a5549d0231b250ad886a5c374722d21fbd6f88b8415cdfb
atomic-openshift-web-console-3.9.33-1.git.248.9592e57.el7.src.rpm	SHA-256: 8c082562b1fa4085b800ffc335e5849e2c3e065ea7bf69c5cd71422e732748d2
cri-o-1.9.13-1.git52a8e70.el7.src.rpm	SHA-256: 2ece8fddfacdc7a92bed957f819cab90f928283155d71216d3b5dab721419149
golang-github-prometheus-node_exporter-3.9.33-1.git.892.9737971.el7.src.rpm	SHA-256: 792feaae3669bc448df078658e50fa7617e275cab8f1da347c0b95be40e89726
jenkins-2.89.4.1528997057-1.el7.src.rpm	SHA-256: 0334d70779dd8f4911bf1277b150e13045bee353bc5124baba976aea0e3df82b
openshift-ansible-3.9.33-1.git.56.19ba16e.el7.src.rpm	SHA-256: 1faa020f7fa1a6ccf355cefb1b80a362d33182bda6484c6e921749366380d260
rubygem-fluent-plugin-elasticsearch-1.17.0-1.el7.src.rpm	SHA-256: 81c8adee63445c2c6b39eeb243588631f3dae94560bccc75da92e93cb4afe610
x86_64
atomic-openshift-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm	SHA-256: 2efb617c2f22e1e14adac14dc11b205b13962266bfd1263e58b3dc7f972cc2c1
atomic-openshift-clients-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm	SHA-256: 65b0e86b2fb3da514a1f4d0ae11ed21d60fbf2a870ab7a28ca36c6515bbadbcf
atomic-openshift-clients-redistributable-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm	SHA-256: 58d99a00e1c88d8d120cfae9b1463943343747b04225bab55f7fffbef81a2da5
atomic-openshift-cluster-capacity-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm	SHA-256: f85840486575324d99b82943b3fb8b5887384b1b17a9ee5a638374fd0a601755
atomic-openshift-docker-excluder-3.9.33-1.git.0.c35d02e.el7.noarch.rpm	SHA-256: c24d94b883b706db420333cd00bb4092467b91a097cb70adea542706ca12f19e
atomic-openshift-dockerregistry-3.9.33-1.git.351.9526827.el7.x86_64.rpm	SHA-256: 8560914c266956b9d32de1a14fcd1cdc4d831a6ee2b7cee08ae6bf5d2d958f18
atomic-openshift-excluder-3.9.33-1.git.0.c35d02e.el7.noarch.rpm	SHA-256: 7f083681c6206027ef4356a646dd5192420e56a682e90e1f2b7a032e14227bf3
atomic-openshift-federation-services-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm	SHA-256: 863693ae48f215bd1da67e28522a2892cd40f336220647d1174bcc12db1145fb
atomic-openshift-master-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm	SHA-256: e42ea17399dcfb7c038c67f702b80eb4babbb55b72643be9ca76312d8e0b81d9
atomic-openshift-node-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm	SHA-256: 90c626757ffe95fba7ad3892653f6aae5edf3ae9a3e430a6bcae4922db4f7265
atomic-openshift-pod-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm	SHA-256: 6a4eeb5254960d9ae24cbe8e90c7e2c4573fd077d5f459865cdd1622c416217f
atomic-openshift-sdn-ovs-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm	SHA-256: ae0fb5fabba4068390e7f38cf485dae40be76e872c970e0a46faa787b4fe08cd
atomic-openshift-service-catalog-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm	SHA-256: 9ce898a5b4cecdb890cd6c6a329abfbcbf41e24d2b14bf7966e9bc9435576046
atomic-openshift-template-service-broker-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm	SHA-256: 6a1fe74c8cd9219990010f8d68bde0bd417c138d811489f302347cff6cb367fa
atomic-openshift-tests-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm	SHA-256: 9a512c32025b88dee85315a3adb8815dc3aff5225c75c51a473c899d3d38c979
atomic-openshift-utils-3.9.33-1.git.56.19ba16e.el7.noarch.rpm	SHA-256: 973ac8bcbc910c19f2facbc907dd415d63b0984f863423bb064e4921635f83a4
atomic-openshift-web-console-3.9.33-1.git.248.9592e57.el7.x86_64.rpm	SHA-256: d7498da22ec592b7c161f4bb8f02a47f3f2c95a59fdd3316ea9fdd72717980ca
cri-o-1.9.13-1.git52a8e70.el7.x86_64.rpm	SHA-256: afcadec52a6ea831ed535f1e2032b0e3b70fa44f7c9bb99d3d706d3359f7c8c3
cri-o-debuginfo-1.9.13-1.git52a8e70.el7.x86_64.rpm	SHA-256: 27d123fa109dc7554da08a544c9fbd2f9e29b7fc51660a7632c71e47be0239e0
jenkins-2.89.4.1528997057-1.el7.noarch.rpm	SHA-256: 814ded8cd39af30aa0e2ec37555bdce48034bbc79d7983bde6811a5f9f09e1f2
openshift-ansible-3.9.33-1.git.56.19ba16e.el7.noarch.rpm	SHA-256: 24102746a66a55306646f0bf939ae5bff4b27aff68e5313687c1ef4239db6424
openshift-ansible-docs-3.9.33-1.git.56.19ba16e.el7.noarch.rpm	SHA-256: eea2f9fd61c25090723341e4bdb6f38e99e39467ac9ad6b6241782afacd743d0
openshift-ansible-playbooks-3.9.33-1.git.56.19ba16e.el7.noarch.rpm	SHA-256: 65992b56d1b1eda336ba7f70f539960ad5a674ccf44d1874404e59d37516c399
openshift-ansible-roles-3.9.33-1.git.56.19ba16e.el7.noarch.rpm	SHA-256: 181369a51591370e5e8ca07393d1d46b5568efa2d6173ce1c4e1a63bc29c1f1c
prometheus-node-exporter-3.9.33-1.git.892.9737971.el7.x86_64.rpm	SHA-256: 24f17b209a7335bdafa024c8eefd6c10610488ff88d5a8d4f9fa55b6141b6d95
rubygem-fluent-plugin-elasticsearch-1.17.0-1.el7.noarch.rpm	SHA-256: c6ede63d2c3eab0b1302e06afe94a358372e38f3666b96186863b532bc86a0e9
rubygem-fluent-plugin-elasticsearch-doc-1.17.0-1.el7.noarch.rpm	SHA-256: e087d2c9f5cdb771e4088666842237283026728dfbeb4d16aa71737a4108bd03