RHBA-2021:1153 - Bug Fix Advisory

Topic

Red Hat OpenShift Container Platform release 4.6.25 is now available with
updates to packages and images that fix several bugs.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.6.25. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHBA-2021:1154

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.25-x86_64

The image digest is sha256:7f26b56dc31547a26ce1f67eeb59ecee92dc07f3622e203c51e39fd6d7bcc930

(For s390x architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.25-s390x

The image digest is sha256:27bd878e25381a01107ec4182cb70159fcfde06bec74ea606ebd0e3b897cf420

(For ppc64le architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.25-ppc64le

The image digest is sha256:54f2d655def3d276aac9a00b3644d4503cfe6dfe89720146ffd66653db1265a0

All OpenShift Container Platform 4.6 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

Solution

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html

Affected Products

• Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform for Power 4.6 for RHEL 8 ppc64le
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.6 for RHEL 8 s390x

Fixes

• BZ - 1883916 - [4.6z] additional network + OVN network installation failed
• BZ - 1902008 - [sig-auth][Feature:LDAP][Serial] ldap group sync can sync groups from ldap
• BZ - 1904825 - Set vSphere hostname from guestinfo before NM starts
• BZ - 1908534 - Panic in machine-config-operator
• BZ - 1919272 - NM prepender script doesn't support systemd-resolved
• BZ - 1921193 - inconsistent ingresscontroller between fresh installed cluster and upgraded cluster
• BZ - 1926267 - registry.redhat.io/openshift4/ose-pod image dose not work
• BZ - 1927854 - Cluster upgrade fails because of vpa webhook
• BZ - 1929121 - Update plugins and Jenkins version to prepare openshift-sync-plugin 1.0.46 release
• BZ - 1930537 - [sig-arch] Managed cluster should have no crashlooping pods in core namespaces over four minutes
• BZ - 1931617 - [4.6z] Fresh UPI install on BM with bonding using OVN Kubernetes fails
• BZ - 1931857 - ServiceAccount Registry Authfiles Do Not Contain Entries for Public Hostnames
• BZ - 1931864 - LoadBalancer service check test fails during vsphere upgrade
• BZ - 1934652 - Improve the sb-db and nb-db readiness check to ensure it fails when cluster is not stable.
• BZ - 1935362 - API server is throwing 5xx error code for 42.11% of requests for LIST events
• BZ - 1935775 - [release-4.6] Gather info about unhealthy SAP pods
• BZ - 1936589 - Cluster DNS service caps TTLs too low and thus evicts from its cache too aggressively
• BZ - 1936984 - Image Registry pod enters CrashLoopBackoff State for extended periods of time after node reboot
• BZ - 1938922 - Router HAProxy config file template is slow to render due to repetitive regex compilations
• BZ - 1939059 - [release-4.6] sap license management logs gatherer
• BZ - 1939259 - [sig-instrumentation][Late] Alerts shouldn't report any alerts in firing state apart from Watchdog and AlertmanagerReceiversNotConfigured: Prometheus query error
• BZ - 1939640 - The server has asked for the client to provide credentials
• BZ - 1940141 - Permissive Egress NetworkPolicy (0.0.0.0/0) is blocking all traffic
• BZ - 1940453 - catalog operator causing CPU spikes and bad etcd performance
• BZ - 1940585 - Upgrading Vsphere UPI cluster from 4.6.20 to 4.7 fails with Failed to enable unit: Unit file nodeip-configuration.service does not exist.
• BZ - 1940649 - New CSV using ServiceAccount named "default" stuck in Pending during upgrade
• BZ - 1940681 - [VPA] Updater failed to trigger evictions due to "vpa-admission-controller" not found
• BZ - 1941563 - High RAM usage on machine api termination node system oom
• BZ - 1942457 - [Backport 4.6] Add memory and uptime metadata to IO archive
• BZ - 1942862 - kuryr-cni binds to wrong interface on machine with two interfaces
• BZ - 1944245 - CoreDNS caches NXDOMAIN responses for up to 900 seconds
• BZ - 1945725 - ovn-controller not ready due to error "ovs_list_is_empty(&f->list_node) failed in flood_remove_flows_for_sb_uuid"
• BZ - 1946694 - Backport tests from 4.7 to 4.6
• BZ - 1949040 - image-registry operator is Degraded when upgrade from 4.6.24 to 4.6.0-0.nightly-2021-04-09-145812

CVEs

• CVE-2021-3449

References

(none)