RHBA-2019:0328 - Bug Fix Advisory

Topic

Red Hat OpenShift Container Platform release 3.10.111 is now available with updates to packages and images that fix several bugs.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.10.111. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2019:0329

This update includes the following bugs:

• The default firewall settings blocked the router stats/metrics port. This prevented `Prometheus` from collecting the metrics from the OpenShift router. Now, the firewall will allow connections to the router stats port and `Prometheus` can collect metrics from the router. (BZ#1552235)
• All Docker related packages were not removed during the uninstallation process. Therefore, `docker` would not be reinstalled properly during the installation process, causing the `docker` CLI tasks to fail. Now, all related `docker` packages are removed successfully during the uninstallation, and a reinstall succeeds with the `Ansible` uninstall playbook. (BZ#1655684)
• The 'oa' code used the wrong data when checking SAN certificates using the `pyOpenSSL` library. As a result, `oa` would not find the SAN certificates. This would cause updates from 3.9 to 3.10 to fail. Now, the correct data type, `oa` finds the certificates for the SAN devices. 3.9 to 3.10 upgrades complete successfully. (BZ#1656526)
• The tasks that verify relevant API services have returned to service used the default `kubeconfig`, which may have been updated by the admin to use a user which does not have requisite permissions to verify those APIs. The tasks have been updated to use the admin `kubeconfig` in all situations, avoiding this issue. (BZ#1656645)
• The OpenShift SDN/OVS DaemonSets were upgraded during control plane upgrades with an `updateStrategy` of `RollingUpdate`; an upgrade of the pods in the entire cluster was performed. This caused unexpected network and application outages on nodes. This bug changed the `updateStrategy` for SDN/OVS pods to `OnDelete` in the template, affecting only new installations. Control plane upgrade tasks were added to modify SDN/OVS daemonsets to use `OnDelete` `updateStrategy`. Node upgrade tasks were added to delete all SDN/OVS pods while nodes are drained. Network outages for nodes should only occur during the node upgrade when nodes are drained. (BZ#1660880)
• Previously, `etcd` certificates were owned by root, as `etcd` was expected to run as root in a static pod co-located on master nodes. Environments running standalone `etcd` clusters that had upgraded from previous minor releases were experiencing permission denials when `etcd` tried to access, upgrade, or redeploy certificates. Now, upgrading standalone `etcd` clusters is possible by changing the owner of `etcd` if existing certificates have `etcd` as the owner. If `etcd` is running in a standalone cluster, certificates have owner and group owner listed as `etcd` and `etcd`, these certificates can be accessed, allowing upgrade or redeployment. (BZ#1664889)
• The `sysconfig` files located in `/etc/sysconfig` contained a broken link

to documentation. Those links are now updated. (BZ#1668221)

• The cluster role `system:image-pruner` was required for all DELETE

requests to the registry. As a result, the regular client could not cancel
its uploads, and the `S3 multipart` uploads were accumulating. Now, the
cluster role `system:image-pruner` will accept DELETE requests for uploads
from clients who are allowed to write into them. (BZ#1668411)

https://docs.openshift.com/container-platform/3.10/release_notes/ocp_3_10_release_notes.html

All OpenShift Container Platform 3.10 users are advised to upgrade to these updated packages and images.

Solution

Before applying this update, ensure all previously released errata relevant to your system have been applied.

See the following documentation, which will be updated shortly for release 3.10.111, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.10/release_notes/ocp_3_10_release_notes.html

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Affected Products

• Red Hat OpenShift Container Platform 3.10 x86_64
• Red Hat OpenShift Container Platform for Power 3.10 ppc64le

Fixes

• BZ - 1552235 - Prometheus is unable to scrape hosted router components due to iptables rules from openshift-ansible
• BZ - 1593209 - The openshift exclude packages need update
• BZ - 1608279 - uninstall playbook fails after unfinished provision
• BZ - 1655684 - [3.10] uninstall will remove the all the docker related files and reinstall on the same cluster fails
• BZ - 1656526 - 3.9 to 3.10 upgrade results in /etc/etcd/peer.crt: permission denied when certs get redeployed.
• BZ - 1656645 - Upgrade fails on Check for apiservices/v1beta1.metrics.k8s.io registration
• BZ - 1659204 - Conntrack rule for UDP traffic is not removed when using NodePort
• BZ - 1660880 - 3.10.14 to v3.10.72 upgrade - control plane upgrade upgrades the ovs and sdn pods on all node network causing downtime on the nodes
• BZ - 1661841 - Redeployment of metrics fail for OCP v3.10
• BZ - 1664799 - Service Catalog readiness probe should be split from liveness probe
• BZ - 1664889 - Redeploy certificates playbook fails due to etcd related permissions issues
• BZ - 1667803 - Block PVC not getting Bound on OCP 3.10.101 and OCS 3.11.1
• BZ - 1668221 - Link to "Proxy configuration" in file /etc/origin/master/master.env show 404.
• BZ - 1668411 - [3.10] When using the oc new-app to create a new build, the builds are creating incomplete multipart uploads to S3 and incomplete uploads are not cleaned automatically
• BZ - 1669919 - [3.10] HostAlreadyClaimed route issue on path based route
• BZ - 1670390 - Openshift node problem detector ignores internal registries
• BZ - 1672454 - [3.10] oc_adm_router doesn't create router-metrics-tls secret

CVEs

(none)

References

(none)