RHBA-2021:1015 - Bug Fix Advisory

Topic

Red Hat OpenShift Container Platform release 4.5.37 is now available with
updates to packages and images that fix several bugs.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.5.37. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHSA-2021:1016

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html

This update fixes the following bug among others:

• Previously, when an OpenShift router created an invalid HAProxy config that caused router reloads to fail, the `HAProxyReloadFail` Prometheus alert only lasted for approximately 5 minutes, regardless of the actual duration of the reload outage. With this release, the router `template_router_reload_fails` counter metric is replaced with the new `template_router_reload_failure` gauge metric. The `HAProxyReloadFail` alert now fires based on the boolean status of the `template_router_reload_failure` metric, and the `HAProxyReloadFail` metric lasts the entire time that HAProxy reloads are failing. (BZ#1896186)

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.5.37-x86_64

The image digest is sha256:037ed15c79bbd6bee6f0d524d91790d2b368cba945e7ae6d64c984dc0f162b82

(For s390x architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.5.37-s390x

The image digest is sha256:95fae93c3388529c5e454f09711445d0c0c096f2b9041b8940b9376ff645189b

(For ppc64le architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.5.37-ppc64le

The image digest is sha256:77b4582724e27a9339b17252401b9ef81cb660d373c385383de503247edbb529

All OpenShift Container Platform 4.5 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.5/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

Solution

For OpenShift Container Platform 4.5 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html

Affected Products

• Red Hat OpenShift Container Platform 4.5 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.5 for RHEL 7 x86_64
• Red Hat OpenShift Container Platform for Power 4.5 for RHEL 8 ppc64le
• Red Hat OpenShift Container Platform for Power 4.5 for RHEL 7 ppc64le
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.5 for RHEL 8 s390x
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.5 for RHEL 7 s390x

Fixes

• BZ - 1857478 - cluster-version-operator does not fail over to store-openshift-official-release-mirror if store-openshift-official-release is unreachable
• BZ - 1896168 - HAProxyReloadFail alert only briefly fires in the event of a broken HAProxy config
• BZ - 1939318 - cluster-etcd-operator is leaking transports
• BZ - 1940651 - New CSV using ServiceAccount named "default" stuck in Pending during upgrade
• BZ - 1941604 - Cluster unstable replacing an unhealthy etcd member

CVEs

• CVE-2019-19532
• CVE-2020-0427
• CVE-2020-7053
• CVE-2020-14351
• CVE-2020-25211
• CVE-2020-25645
• CVE-2020-25656
• CVE-2020-25705
• CVE-2020-27827
• CVE-2020-28374
• CVE-2020-29661
• CVE-2020-35498
• CVE-2021-20265

References

(none)