- Issued:
- 2020-05-18
- Updated:
- 2020-05-18
RHBA-2020:2133 - Bug Fix Advisory
Synopsis
OpenShift Container Platform 4.4.4 bug fix update
Type/Severity
Bug Fix Advisory
Topic
Red Hat OpenShift Container Platform release 4.4.4 is now available with
updates to packages and images that fix several bugs.
Description
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container
Platform 4.4.4. See the following advisory for the RPM packages for this
release:
https://access.redhat.com/errata/RHBA-2020:2132
Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html
You may download the oc tool and use it to inspect release image metadata
as follows:
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.4.4
The image digest is sha256:baa687f29b0ac155d8f4c6914056d36d68f343feb9c1e82b46eef95819d00be5
This update fixes the following bugs:
- Some Red Hat OpenStack environments could enforce a policy where VMs were unable to boot with ephemeral disks and need to boot from a Cinder volume. As a result, it was impossible to install OpenShift Container Platform with IPI because the bootstrap node would be unavailable. Now, the bootstrap node follows the rootVolume setting from the controlPlane machine pool. OpenShift Container Platform with IPI will now install successfully. (BZ#1828238)
- Cluster-network-operator on Kuryr bootstrapping had no logic to remove deprecated security group rules when they were replaced by new ones. The security group rules were left in place, causing incorrect security settings on environments updated from OpenShift Container Platform 4.3 to 4.4. Now, cluster-network-operator removes the old security group rules and pods are updated correctly. (BZ#1832899)
- On high incoming log rates Fluentd could flood the node's filesystem because the buffer queues were not limited. A node under disk pressure could crash the nodes and applications would be rescheduled as a result. Now, The Fluentd buffer queue per output is limited to fixed amount of chunks (default 32), reducing node disk pressure. (BZ#1826861)
- A code change removed variables set by the `ENV` statement in a Dockerfile from the internal list of variables to use when later resolving arguments in the Dockerfile. Now, the code has been updated to add variables defined by the `ENV` statement into the internal list of variables. (BZ#1817175)
- SVG errors were logged in the browser console due to incorrect attributes. Now, the patternfly and react-charts packages have been updated from upstream and SVG errors are no longer present. (BZ1765074)
All OpenShift Container Platform 4.4 users are advised to upgrade to these
updated packages and images.
Solution
For OpenShift Container Platform 4.4 see the following documentation, which
will be updated shortly for release 4.4.4, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.4/updating/updating-cluster-cli.html.
Affected Products
- Red Hat OpenShift Container Platform 4.4 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform 4.4 for RHEL 7 x86_64
Fixes
- BZ - 1765074 - Lots of svg errors in the browser console
- BZ - 1779208 - Capacity breakdown card should show absolute values and not hourly averaged values
- BZ - 1809738 - [ovn-kubernetes] When a node gets deleted, the Chassis record for that node is not deleted from the sbdb.
- BZ - 1811140 - Clusters of several matrix/versions hit ovs pod log "unix#... connection dropped (Connection reset by peer)"
- BZ - 1817175 - [4.4.z] buildah is not expanding env vars in file paths
- BZ - 1821753 - Cloud init custom script data seem not to get applied on the imported VM
- BZ - 1822667 - [4.4][OSP] [BUG] Controllers don't seem to respect 'ignore-volume-az = true'
- BZ - 1823807 - Cannot add CD-ROM on VM details page
- BZ - 1824006 - ES pod stuck in CrashLoopBackOff status after upgraded from 4.3 to 4.4 -- Could not resolve placeholder 'POD_IP'
- BZ - 1825215 - [4.4] 504 error for Prometheus API in administrator console with kuryr network
- BZ - 1825281 - oc logs does not forward errors from server correctly
- BZ - 1825987 - KCM doesn't get new client certs on recovery flow
- BZ - 1826820 - OCP/OSP install (v16.1/v4.3.10) using kuryr to deploy octavia results in listeners starting in disabled state
- BZ - 1826861 - DiskPressure due to 80 GB /var/lib/fluentd
- BZ - 1827821 - Operator update is failing due to missing replace field in Operator CSV
- BZ - 1828238 - [OCP4.2 on OSP][IPI] does not deploy bootstrap node using volume boot
- BZ - 1828388 - NPs on svc not enforced when exposed port and target are different
- BZ - 1829035 - OLM installation with with a stage build failed due to invalid url (space in url name)
- BZ - 1829833 - Metering has significant performance issues when using Ansible 2.9.6 and above.
- BZ - 1830102 - 4.4 MachineSet with 4.2 or earlier bootimages fails to scale up because old CRI-O chokes on new CRI-O config
- BZ - 1830361 - Remove gosec from image registry operator tests
- BZ - 1830510 - cluster-etcd-operator: peer cert DNS SAN is populated incorrectly
- BZ - 1831245 - Image triggers do not work on v1 StatefulSets
- BZ - 1832899 - Old SG rules created by CNO on Kuryr bootstrap not removed on upgrade
- BZ - 1832919 - etcd-operator spuriously reconciles in response to global configmap watch events
CVEs
- CVE-2017-18595
- CVE-2018-9251
- CVE-2018-14404
- CVE-2018-18074
- CVE-2018-20060
- CVE-2018-20337
- CVE-2018-20852
- CVE-2019-1547
- CVE-2019-1549
- CVE-2019-1563
- CVE-2019-3825
- CVE-2019-5094
- CVE-2019-5436
- CVE-2019-5481
- CVE-2019-5482
- CVE-2019-8457
- CVE-2019-11236
- CVE-2019-11324
- CVE-2019-12447
- CVE-2019-12448
- CVE-2019-12449
- CVE-2019-13752
- CVE-2019-13753
- CVE-2019-14822
- CVE-2019-14834
- CVE-2019-14973
- CVE-2019-15847
- CVE-2019-16056
- CVE-2019-18934
- CVE-2019-19126
- CVE-2019-19768
- CVE-2019-19923
- CVE-2019-19924
- CVE-2019-19925
- CVE-2019-19959
- CVE-2019-1010180
- CVE-2020-10711
- CVE-2020-11008
- CVE-2020-11501
References
(none)
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.