RHBA-2019:1589 - Bug Fix Advisory

Topic

Red Hat OpenShift Container Platform release 4.1.3 is now available with
updates to packages and images that fix several bugs.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.1.3. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2019:1590

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html

You may download the oc tool and use it to inspect release image metadata
as follows:

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.1.3

The image digest is sha256: f852f9d8c2e81a633e874e57a7d9bdd52588002a9b32fc037dba12b67cf1f8b0

This update fixes the following bugs:

• In OpenShift Docker builds, `.dockerignore` files were not processed before content was sent to the Docker daemon. As a result, images included content that should have been excluded. Now, the engine for building container images was switched to `buildah` and `.dockerignore` files in source repositories are respected during Docker strategy builds. (BZ#1487356)
• A white screen with no error message would appear in the web console if trying to create an operator resource immediately after installing an operator through Operator Hub. Now, an error message is presented in the web console if trying to create a resource before it is available. (BZ#1709964)
• Environment variables were not properly escaped in the source-to-image generated Dockerfile. As a result, source strategy builds, which included shell variables, would fail. Now, environment variables are properly escaped when the Dockerfile is consumed by buildah. Builds can now use shell variables as an environment variable value. (BZ#1713681)
• Previously, the web console `NetworkPolicy` YAML template `api-allow-http-and-https` was incorrect and couldn't be created without modifications. This has been fixed, and the template now works as intended. (BZ#1717996)
• The web console `NetworkPolicy` YAML template `web-allow-production` had incorrect indentation, preventing it from being created successfully. The indentation has been fixed, and the YAML template now works as intended. (BZ#1717997)
• A race condition existed between the MCO and the growpart service. As a result, bootstrapping would fail. Now, the growpart service has been updated to start before `kubelet.service` and the race condition is averted. (BZ#1720872)

All OpenShift Container Platform 4.1 users are advised to upgrade to these
updated packages and images.

Solution

Before applying this update, ensure all previously released errata
relevant to your system have been applied.

For OpenShift Container Platform 4.1 see the following documentation, which
will be updated shortly for release 4.1.3, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html

This update is available via Red Hat Subscription Management (RHSM)
service. Details on how to access this content are available at
https://access.redhat.com/articles/11258.

Affected Products

• Red Hat OpenShift Container Platform 4.1 for RHEL 7 x86_64

Fixes

• BZ - 1487356 - docker strategy builds handle .dockerignore inconsistently
• BZ - 1685399 - [REF] Should prompt error when do build using incorrect Config build.config.openshift.io/cluster
• BZ - 1707631 - On smaller mobile screens, the Monitoring UI graph controls don't fit in the graph container.
• BZ - 1709907 - MCD logs are spammed with "controller syncing started"
• BZ - 1709964 - Missing button to create Cluster Logging CR after initial install of Cluster Logging operator
• BZ - 1712986 - cluster-network-operator overwrites status field with third-party operators (4.1 backport)
• BZ - 1713039 - etcd quorum guard test does not correctly make nodes unschedulable
• BZ - 1713157 - Cannot scale default machineset us-west-2d provisioned by installer
• BZ - 1713681 - [4.1.z] Unable to use shell variable in build config environment variable section when variable name includes a '.'
• BZ - 1717627 - OLM installed operators are not getting new version numbers in the release pipeline
• BZ - 1717738 - clusteroperator/machine-config does not define enough related resources
• BZ - 1717996 - api-allow-http-and-https network policy example incorrect
• BZ - 1717997 - Bad indendation in web-allow-production network policy example YAML
• BZ - 1718163 - Docs about Exposing the Openshift internal registry are not correct for 4.1.0
• BZ - 1718379 - jenkins-slave produce process defunct [ Jenkins "SLAVE" ]
• BZ - 1718731 - Can't create csv elasticsearch-operator.v4.1.1 because of "spec.customresourcedefinitions.owned.specDescriptors.description in body is required"
• BZ - 1720872 - Openshift 4.1.1/4.1.2 Bare Metal Install Fails due to MCO not starting
• BZ - 1721566 - [4.1.z] Kube-scheduler-operator entering a permanent degraded state

CVEs

• CVE-2019-11477
• CVE-2019-11478
• CVE-2019-11479

References

(none)