RHBA-2023:0827 - Bug Fix Advisory

Topic

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.10.10 on Red Hat Enterprise Linux 8 from Red Hat Container Registry.

Description

Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API.

• Previously, the listing operations would fail depending on the number of objects in the bucket due to incorrect mapping of indexes in the Multicloud Object Gateway database (MCG DB). This incorrect mapping caused certain queries to take longer time than needed and fails the specific actions as a result. With this fix, the indexes are updated to fix the listing queries. (BZ#2150005)
• Previously, in some environments, the `ceph-osd` did not run as `PID 1` which resulted in a non-random nonce value used for starting the OSD. When an OSD was restarted after a node restart, the OSD stays "down" in Ceph instead of coming back online as it looks like the stale OSD. With this update, the nonce number is ensured to be randomized now by setting the environment variable CEPH_USE_RANDOM_NONCE on the OSD pods, to ensure Ceph always knows ODF is running in a containerized environment and to randomize the nonce values. This allows the OSDs to start properly after node restart. (BZ#2150411)
• Previously, services running without the TLS were problematic if security was the main concern for the customers. This was due to a Liveness sidecar container deployed with the CSI pods to check if the CSI driver is responding appropriately or not without TLS. With this fix, the Liveness container in all Ceph CSI pods is disabled and as a result, no service runs in the Ceph CSI pods without TLS, and one less container in Ceph CSI pods. (BZ#2142902)
• Previously, the `rook-ceph-osd-prepare` job sometimes would be stuck in `CrashLoopBackOff` (CLBO) state and would never come up. This was due to the deletion of OSD deployment in an encrypted cluster backed by CSI provisioned PVC which caused the `rook-ceph-osd-prepare` job for that OSD

to be stuck in `CrashLoopBackOff` state. With this fix, the `rook-ceph-osd-prepare` job removes the stale encrypted device and opens it again avoiding the CLBO state. As a result, the `rook-ceph-osd-prepare` job runs as expected and the OSD comes up. (BZ#2153695)

All Red Hat OpenShift Data Foundation users are advised to upgrade to these
updated images that provide these bug fixes.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Data Foundation 4 for RHEL 8 x86_64
• Red Hat OpenShift Data Foundation for IBM Power, little endian 4 for RHEL 8 ppc64le
• Red Hat OpenShift Data Foundation for IBM Z and LinuxONE 4 for RHEL 8 s390x

Fixes

• BZ - 2135632 - Do not use rook master tag in job template [4.10.z]
• BZ - 2142902 - Disable Liveness container in csi pods
• BZ - 2150005 - [Backport to 4.10.z] [GSS] Bucket list operations are failing with 504 Gateway time out
• BZ - 2153695 - [KMS] rook-ceph-osd-prepare pod in CLBO state after deleting rook OSD deployment
• BZ - 2168565 - Include at ODF 4.10 container images the RHEL8 CVE fix on "sudo"

CVEs

• CVE-2021-46848
• CVE-2022-35737
• CVE-2022-40303
• CVE-2022-40304
• CVE-2022-42010
• CVE-2022-42011
• CVE-2022-42012
• CVE-2022-43680
• CVE-2023-22809

References

(none)