RHBA-2018:2549 - Bug Fix Advisory

Topic

Red Hat OpenShift Container Platform release 3.9.41 is now available with updates to packages and images that fix several bugs.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud ddeployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.9.41. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2018:2548

This update fixes the following bugs:

• This bug fix adds tasks to the upgrade playbooks to correctly upgrade the CRI-O RPMS. (BZ#1553213)
• Previously, groups associated with a user were not checked when performing access checks to look up the readiness of objects created by the templates. This resulted in a readiness failure at the template instance level. This bug fix passes the user's groups when performing the readiness check operation, not just when performing the object creation. (BZ#1562527)
• If CRI-O was enabled and /var/lib/docker was a mount point rather than a directory, the installation would fail with the error `Device or resource busy: '/var/lib/docker'`. The installation playbooks have been fixed to account for /var/lib/docker as a mount point. (BZ#1574887)
• If the Prometheus service account did not have the required permissions to access the metrics endpoint of the router, then Prometheus failed to scrape the router's metrics. This bug fix grants an additional role with permissions to access the metrics endpoint to the Prometheus service account. (BZ#1588010)
• Previously, the Ansible template did not quote the value in the selector. This created an invalid JSON file. This bug fix quotes the selector value, which allows the PVC with the selector to be created. (BZ#1601605)
• The 9100 port was previously blocked on all nodes by default. Prometheus could not scrape the node_exporter service running on the other nodes, which listen on port 9100. This bug fix modifies the firewall configurations to allow incoming TCP traffic for the 9000 - 1000 port range. (BZ#1603144)
• Previously, the underlying library that Fluentd used for reading in journal files did not correctly handle rolled over files. When a journal file was rolled over, Fluentd would hold these files even after it was done reading from them. This bug fix updated the code in the underlying fluent-plugin-systemd plugin and updated the version in the Fluentd Dockerfile. (BZ#1610678)
• This bug fix removed the `openshift_crio_use_rpm` variable and updated the installer tasks to only install CRI-O using RPMS. (BZ1614916)
• Previously, older versions of dnsmasq used privileged, lower-numbered source ports for outbound DNS queries. This caused outbound DNS queries to potentially be dropped. This bug fix configures dnsmasq using its `min-port` setting to set the minimum port number for outbound queries to 1024. (BZ#1614983)

All OpenShift Container Platform 3.9 users are advised to upgrade to these updated packages.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

See the following documentation, which will be updated shortly for release 3.9.41, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Affected Products

• Red Hat OpenShift Container Platform 3.9 x86_64

Fixes

• BZ - 1553213 - Add CRI-O RPM upgrade to node upgrade playbooks in 3.9.z
• BZ - 1556773 - Deprecated env option DROP_SYN_DURING_RESTART for router
• BZ - 1562527 - [3.9] Provision call failed: deploymentconfigs is forbidden: User cannot get deploymentconfigs in project
• BZ - 1574887 - ansible instalation prerequisite.yml fails with FAILED! => {"changed": false, "msg": "rmtree failed: [Errno 16] Device or resource busy: '/var/lib/docker'"}
• BZ - 1588010 - Prometheus can't access router metrics
• BZ - 1599241 - Add securty content for hawkular-cassandra before openshift was updated to v3.10
• BZ - 1600041 - Process EventRouter template failed with default value
• BZ - 1601605 - openshift logging Ansible playbook installation while defining PVC manifest a match label selector should use value 'true' in quotes to avoid it to understandable as a Boolean value.
• BZ - 1602054 - Number of NVMe disks attachable is lower than max predefined count for EBS
• BZ - 1603144 - Installing prometheus should update iptable rules for node-exporter
• BZ - 1605152 - [3.9]failed to create fsnotify watcher: too many open files
• BZ - 1607538 - [3.9] IP failover doesn't react on router's pod being scaled down
• BZ - 1608092 - [3.9] Nodes losing IP address information in aws
• BZ - 1610678 - [3.9] Looks like fluentd is keeping open deleted journal files that have been rotated
• BZ - 1614916 - [3.9] Need to make crio installs rpm installs by default
• BZ - 1614983 - Intermittent dnsmasq outages
• BZ - 1617937 - [APB] mariadb-apb can not sync data to pv when using prod plan
• BZ - 1618525 - [3.9] Router pod image upgrade fails when disconnected registry url doesn't match openshift3/ose-

CVEs

(none)

References

(none)