- Issued:
- 2019-07-05
- Updated:
- 2019-07-05
RHBA-2019:1642 - Bug Fix Advisory
Synopsis
OpenShift Container Platform 3.9 bug fix update
Type/Severity
Bug Fix Advisory
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
Red Hat OpenShift Container Platform release 3.9.85 is now available with
updates to packages and images that fix several bugs.
Description
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 3.9.85. See the following advisory for the container images for
this release:
https://access.redhat.com/errata/RHBA-2019:1643
This update fixes the following bugs:
- During an upgrade from Red Hat OpenShift Enterprise 3.7 to 3.9, the `tuned-profiles-atomic-openshift-node` rpm was removed, as well as all tuned profiles. The `tuned` role was not being applied during an upgrade, but only during a fresh install. The `tuned` role is now applied during upgrades to ensure `tuned` profiles are applied appropriately. (BZ#1626558)
- When using CRI-O, Docker-based pods were stopped during the re-certification process. A check has been added to only restart Docker when `openshift_use_crio_only` is marked as `false`. As a result, Docker is not restarted if CRI-O is in use.
- Long running Jenkins agents and slave pods would experience defunct process errors, causing a high number of processes to appear in process listings until the pod is terminated. Now, dumb-init is deployed to clean up these defunct processes. (BZ#1700314)
- The environment variable `JOURNAL_READ_FROM_HEAD` was set to an empty string. This caused the default value of `read_from_head` for the journald input to be true. When Fluentd starts up for the first time on a node, it reads in the entire journal. This could result in hours of delays for system messages to show up in ElasticSearch and Kibana. Now, Fluentd will check if the value is set and is not empty, or will use the default value of false. Fluentd will read from the tail of the journal when it starts on a new node. (BZ#1707557)
- There was a missing `@` for an instance variable in the Fluentd remote syslog plugin code. In some cases, systemd-journald logged errant values. This resulted in rsyslog forwarding failures. Now, the variable has been corrected and remote logging completes successfully. (BZ#1707901)
- The script `99-origin-dns.sh` had a debug flag set to enabled, which would log debug level messages by default. This has been resolved and debug is now set to false. (BZ#178394)
- Playbooks were incorrectly checking `all-in-one` variables when labeling nodes, causing newly scaled up masters to be labelled as compute nodes. The node role playbook has been fixed to check for scaled up masters when adding compute labels. (BZ#1709004)
- IPtables rules were applied with an incorrect key name for conditional firewall configurations. As a result, firewall rules were not applied correctly. The key name was changed from `condition` to `cond` and firewall rules are now applied correctly based on conditions. (BZ#1715048)
- Updating metrics to include a node drain used incorrect variables and playbooks would fail with `l_kubelet_node_name` errors. Now, the `l_init_fact_hosts` variable has been replaced with the `oo_nodes_to_config` option. As a result, `l_kubelet_node_name` exists for all nodes. (BZ#1725002)
All OpenShift Container Platform 3.9 users are advised to upgrade to these
updated packages and images.
Solution
Before applying this update, ensure all previously released errata
relevant to your system have been applied.
For OpenShift Container Platform 3.9 see the following documentation, which
will be updated shortly for release 3.9.85, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.
Affected Products
- Red Hat OpenShift Container Platform 3.9 x86_64
Fixes
- BZ - 1508378 - Can't deploy Node.js + MongoDB app
- BZ - 1626558 - Tuned profiles are not applied to OpenShift clusters that get upgraded from 3.6
- BZ - 1637389 - Connectivity problems from pod to pod : Network is unreachable
- BZ - 1666198 - [CRIO] crioctl inconsistent number of pods
- BZ - 1678372 - redeploy_certificates does not drain nodes and restart automatically docker
- BZ - 1700314 - jenkins-slave produce process defunct [ Jenkins "SLAVE" ]
- BZ - 1707557 - JOURNAL_READ_FROM_HEAD defaults to true
- BZ - 1707901 - [release-3.9] Fix typo of random_string that prevents forwarding to SYSLOG via UDP to fail
- BZ - 1708394 - the script 99-origin-dns.sh has the debug flag '-x' set to on
- BZ - 1709004 - Labeled "compute" role badly to new master added after scaleup.yml
- BZ - 1715048 - Contrail iptables rules are applied even though openshift_node_use_contrail is not set
- BZ - 1725002 - [3.9] Install metrics failed at TASK [Mark node unschedulable] when cri-o enabled
CVEs
(none)
References
(none)
Red Hat OpenShift Container Platform 3.9
SRPM | |
---|---|
atomic-openshift-3.9.85-1.git.0.e6c1395.el7.src.rpm | SHA-256: 335dd06e78ec89735466d3eb9400ab1df82fa0ea524b8e929d2936965c918cd6 |
atomic-openshift-web-console-3.9.85-1.git.1.688d6b7.el7.src.rpm | SHA-256: e822544de83acb30bf526897d89b84e80ed655610c8ae54fe9d84f59a511c938 |
cri-o-1.9.16-2.git858756d.el7.src.rpm | SHA-256: 135c1e57420079e47d5956cb3d1a5855b43711611e4b405a4b1d19401a7ffe67 |
golang-github-prometheus-node_exporter-3.9.85-1.git.1.de1fe97.el7.src.rpm | SHA-256: f2daef8a0ab9a0a7557f4cd126d7a31139b7d55ad3d33854dbbde7b4ef206ab4 |
openshift-ansible-3.9.86-1.git.0.84cc606.el7.src.rpm | SHA-256: 3d4ac63167f38c5bb15500e322384089e7bfc7e21e2cca1235d46c67b45a8790 |
python-docker-2.4.2-2.el7.src.rpm | SHA-256: 0d3459e4e5a1334376609e3d70043375362cab82d3bce0e49bb80ec140edfa0c |
x86_64 | |
atomic-openshift-3.9.85-1.git.0.e6c1395.el7.x86_64.rpm | SHA-256: efc37b2da3fda1bf533576088bd55bf0ac74cac15514282dc3a5f578a49472fa |
atomic-openshift-clients-3.9.85-1.git.0.e6c1395.el7.x86_64.rpm | SHA-256: e1772e115f8731417a3e28ec7fd3a87620538e22afe6dc7cff5f0c94f5c543f7 |
atomic-openshift-clients-redistributable-3.9.85-1.git.0.e6c1395.el7.x86_64.rpm | SHA-256: 63161e5cdaed7108e0363b1e2915d812f4de32ae9673de4aacfcff8b6c35b7ca |
atomic-openshift-cluster-capacity-3.9.85-1.git.0.e6c1395.el7.x86_64.rpm | SHA-256: 9b8f57041bc87abdfdc963881adfc1abdc71c328c38e863c02b5f2d105579733 |
atomic-openshift-docker-excluder-3.9.85-1.git.0.e6c1395.el7.noarch.rpm | SHA-256: 4981831f7b8b15a6341d90c7675a44dfb42f37ced34da775b5a16db28fd1710a |
atomic-openshift-dockerregistry-3.9.85-1.git.1.cd90a52.el7.x86_64.rpm | SHA-256: 45f35a5b2542553b09063298ff6f41906a0268133111c0a0c978a05b7bb3506c |
atomic-openshift-excluder-3.9.85-1.git.0.e6c1395.el7.noarch.rpm | SHA-256: 0258bfecc6f0516154bca7eb8bf3736a9413bc2d26eedca4413d808c1387aabd |
atomic-openshift-federation-services-3.9.85-1.git.0.e6c1395.el7.x86_64.rpm | SHA-256: 4c4dc7a5a596500013caaad3a8a64cac2c861022f7dfa02e305e4781ba33c1fc |
atomic-openshift-master-3.9.85-1.git.0.e6c1395.el7.x86_64.rpm | SHA-256: 9e754adb05e40b8e5f7c718d7e2fdb962e78df647fa6788ed9dc174741bf700c |
atomic-openshift-node-3.9.85-1.git.0.e6c1395.el7.x86_64.rpm | SHA-256: 021233ca982904ee092a70ae319e4eec1a65e9ab9a9c6a578b8783be61041a88 |
atomic-openshift-pod-3.9.85-1.git.0.e6c1395.el7.x86_64.rpm | SHA-256: 1a31fa3a37b24e454fbda92de13b3064af0a4318134326cacc6327ef40af6dea |
atomic-openshift-sdn-ovs-3.9.85-1.git.0.e6c1395.el7.x86_64.rpm | SHA-256: e881534c61e414a926425b6e07faded6d96d2f858fd53fbe3a550a4ad04fae41 |
atomic-openshift-service-catalog-3.9.85-1.git.0.e6c1395.el7.x86_64.rpm | SHA-256: 6da0258ca07dd4000389994718af6b808728264c2bba974bd3b12312288c384b |
atomic-openshift-template-service-broker-3.9.85-1.git.0.e6c1395.el7.x86_64.rpm | SHA-256: 28a71a97cbc7a2efb96176f8874235b20bbb7e6077747724c61ffb49aa9cbc9f |
atomic-openshift-tests-3.9.85-1.git.0.e6c1395.el7.x86_64.rpm | SHA-256: d6e2264cc0a3cbfc60a6dd4e3b95d0cf57c7f1536e703a0476f1b2bf7d410fcb |
atomic-openshift-utils-3.9.86-1.git.0.84cc606.el7.noarch.rpm | SHA-256: 41cbe95d366b95b1d6eed1e7433197f88bbad449c66322c299af00fec5b28a67 |
atomic-openshift-web-console-3.9.85-1.git.1.688d6b7.el7.x86_64.rpm | SHA-256: d69cc2864a3d785d4a207a896d398c154ef5e286795fdfd49154e92187a55ff5 |
cri-o-1.9.16-2.git858756d.el7.x86_64.rpm | SHA-256: 18f9dd068b741b0d52edbd670f7355c198cd194e66ff2097d44350895fbfc47f |
cri-o-debuginfo-1.9.16-2.git858756d.el7.x86_64.rpm | SHA-256: 5b5af472de28f61d1dbfb1e855a02b527e0a92ebd51cc41db024a0bc5b5767dd |
openshift-ansible-3.9.86-1.git.0.84cc606.el7.noarch.rpm | SHA-256: 275be1dca9b8d33fbf1d10fed418ab27d23cc29c7ab8bda60b93f1f0c71767cb |
openshift-ansible-docs-3.9.86-1.git.0.84cc606.el7.noarch.rpm | SHA-256: 24a969199d11843057981a1767a1c6d42b345a5e16847b87b2bb31c830f759a6 |
openshift-ansible-playbooks-3.9.86-1.git.0.84cc606.el7.noarch.rpm | SHA-256: e75c1e8c77eedcb06e25f534a3ddf8e9c3b06d002ab92f6745528c90a18d0d30 |
openshift-ansible-roles-3.9.86-1.git.0.84cc606.el7.noarch.rpm | SHA-256: d71926ee32eac998095c5839aaa979a4c29579e16d3fd6bae09b275ff29d0539 |
prometheus-node-exporter-3.9.85-1.git.1.de1fe97.el7.x86_64.rpm | SHA-256: 378df204de4908b379966827d53856c2b2358a571d632ce257fc92f57cf0f118 |
python-docker-2.4.2-2.el7.noarch.rpm | SHA-256: 3dbd87166c14ab6183a4ffafe47d7e4d6e94adb6b5930b1a0e3478436d5f6049 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.