RHBA-2019:0786 - Bug Fix Advisory

Topic

Red Hat OpenShift Container Platform release 3.10.139 is now available with
updates to packages and images that fix several bugs.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 3.10.139. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHBA-2019:0787

This update fixes the following bugs:

• The `node-config.yaml` file was not being back up and was overwritten when upgrading from OpenShift Container Platform 3.9 to 3.10, and downgrading was not possible. Now, the `node-config.yaml` file and `atomic-openshift` systemd files are backed up correctly and downgrading from OpenShift Container Platform 3.10 to 3.9 is now possible. (BZ#1609191)
• During the upgrade process, sanity checks were using inefficient code to validate variables. Sanity check time took several minutes on a large set of hosts. Now, `hostvars` are stored in the class, so they are not being copied on every check. As a result, the sanity checks take less time to complete and upgrades complete faster. (BZ#1685583)
• When a node was tainted, the `sync` daemonset would not run a pod on it. This lead to installation failures. Now, the `sync` DS pods tolerate all taints and tainted nodes are able to be upgraded. (BZ#1685952)
• The node system container did not properly mount `/var/lib/iscsi` as

read/write. Now, the `iscsi` mounts correctly with read/write permissions. (BZ#1686336)

• Upgrading from OpenShift Container Platform 3.9 to 3.10 would fail if variables were not used correctly or if custom API ports were used. Now, `api_port` and other API server-related variables are read during the upgrade process and complete successfully. (BZ#1689243)
• `oc cp` commands were not checking links from tar files used to copy

files between pods and user's workstations. The `oc cp` command could cause
a directory traversal and replace or delete files on a user's workstation.
Now, escaping links are not permitted. As a result, the `oc cp` command
verifies files copied between pods and workstations without allowing escape
from directories. (BZ#1693318)

• During previous upgrades, the `tuned` package and profiles could have been removed. The `tuned` role was not being applied during an upgrade, but only during a fresh install. Now, the `tuned` role is applied during upgrades to ensure `tuned` profiles are applied appropriately. (BZ#1694130)
• Director-deployed pods would stop in the `CrashLoopBackOff` state after a rolling reboot of a node. This was because the `READY` sequence would display a node before it had started. Now, the `READY` indicator allows components to come online before displaying as a ready state. (BZ#1698626)

All OpenShift Container Platform 3.10 users are advised to upgrade to these
updated packages and images.

Solution

Before applying this update, ensure all previously released errata relevant to your system are applied.

See the following documentation, which will be updated shortly for release 3.10.139, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.10/release_notes/ocp_3_10_release_notes.html

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

Affected Products

• Red Hat OpenShift Container Platform 3.10 x86_64
• Red Hat OpenShift Container Platform for Power 3.10 ppc64le

Fixes

• BZ - 1422393 - oc got hard-to-read message when the server is not available
• BZ - 1609191 - Need to backup node-config file during upgrade which is a must for downgrade
• BZ - 1620556 - [3.10.14] ovs Pods OOMKilled on baremetal nodes
• BZ - 1624475 - Calico requires a role be added that runs stand-alone kube-proxy and DNS
• BZ - 1685583 - [3.10] Slow Initialization During Upgrades
• BZ - 1685952 - sync daemonset should tolerate taints (3.10)
• BZ - 1686336 - [3.10] Failed to mount iscsi on atomic host
• BZ - 1689243 - Upgrade from 3.9 to 3.10 fails on openshift_control_plane: verify API server. Using wrong API port.
• BZ - 1690184 - [3.10] Pre-allocated PV not utilized on OSP
• BZ - 1690603 - Aggregated Logging installation does not add secret to serviceaccount [3.10.z]
• BZ - 1692418 - openshift-ansible fails with AnsibleUndefinedVariable: 'dict object' has no attribute 'annotations'"
• BZ - 1693043 - Fluentd doesn't output it's logs to STDOUT when LOGGING_FILE_PATH=console
• BZ - 1694130 - Tuned profiles are not applied to OpenShift clusters that get upgraded from 3.6
• BZ - 1695272 - [3.10] Wildcard routes get 503 intermittently
• BZ - 1696413 - Task failure restart docker while running redeploy-certificates
• BZ - 1697679 - [3.10][crio-tool] Installing or upgrading OCP 3.10 when using crio, keeps changing the crictl.yaml file with the incorrect pathvim
• BZ - 1698626 - OCP 3.10: pods end up in CrashLoopBackOff state after a rolling reboot of the node
• BZ - 1698820 - [3.10] HostAlreadyClaimed route issue on path based route
• BZ - 1699467 - Running redeploy CA and openshift redeploy certificates , causes all nodes to become notready.

CVEs

(none)

References

(none)