Issued:

2017-09-08

Updated:

2017-09-08

RHBA-2017:2642 - OpenShift Container Platform 3.6.1 bug fix and enhancement update

Synopsis

OpenShift Container Platform 3.6.1 bug fix and enhancement update

Type/Severity

Bug Fix Advisory None

Topic

Red Hat OpenShift Container Platform releases 3.6.1 are now available with updates to packages and images that fix several bugs and add various enhancements.

Description

Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.6.1. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHEA-2017:2644

This update fixes the following bugs:

• When the atomic-openshift-node service got restarted, all processes in its control group are terminated, including the glusterfs-mounted points. Each glusterfs volume in OpenShift corresponds to one mounted point. If all mounting points are lost, so are all of the volumes. Set the control group mode to terminate only the main process and leave the remaining glusterfs mounting points untouched. When the atomic-openshift-node service is restarted, no glusterfs mounting point is terminated. (BZ#1423640)

• A route can front up to four services that handle the requests. The load balancing strategy governs which endpoint gets each request. When round-robin is chosen, the portion of the requests that each service handles is governed by the weight assigned to the service. Each endpoint in the service gets a fraction of the service's requests. (BZ#1473736)

• When fluentd was reading from the journald and the output buffer queue wass full, the fluentd log was filled up with KubeClient messages. This is a bug in the fluentd filter_kubernetes_metadata plug-in. Ignore fluentd log messages from Kubeclient::Common::WatchNotice. (BZ#1476731)

• Previously, the Copy Service Labels link in the Create Route form did not correctly copy the labels from the service to the new route. It has been fixed to copy the selected service's labels. (BZ#1477933)

• Permissions on directories injected as a build input via the image source input mechanism have user-only access permissions. Therefore, the resulting application image cannot access the content when run as a random user ID. With this bug fix, the directories will be injected with group permissions, which will allow the user access to the container. (BZ#1479130)

• Kibana nodejs runtime was not the same as the version distributed by Elastic. With this bug fix, the versioning is updated. (BZ#1479928)

• Previously, the ScaleIO volume plug-in was missing in OpenShift Container Platform. With this bug fix, it is now fully enabled. (BZ#1482273)

• Namespaces that use reserved names and were not created by infrastructure components should be blocked, as they will cause the upgrade to fail. (BZ#1484958)

This update includes the following enhancement:

• There is now the ability to set reference policy with oc import-image. Set reference policy using the --reference-policy flag when invoking oc import-image. When importing all tags (using the --all flag), all tags will get passed to reference policy, including overwriting the already present one. (BZ#1420976)

All OpenShift Container Platform 3.6 users are advised to upgrade to these updated packages and images.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For OpenShift Container Platform 3.5, see the following documentation, which will be updated shortly for release 3.5.5.31, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

This page is not included, but the link has been rewritten to point to the nearest parent document.https://docs.openshift.com/container-platform/3.5/release_notes/ocp_3_5_release_notes.html

For OpenShift Container Platform 3.4, see the following documentation, which will be updated shortly for release 3.4.1.44, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

This page is not included, but the link has been rewritten to point to the nearest parent document.https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_release_notes.html

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Affected Products

Updated Packages

• atomic-openshift-tests-3.6.173.0.21-1.git.0.f95b0e7.el7.x86_64.rpm
• kibana-4.6.4-3.el7.x86_64.rpm
• rubygem-fluent-plugin-viaq_data_model-0.0.5-1.el7.noarch.rpm
• rubygem-systemd-journal-1.3.0-1.el7.noarch.rpm
• rubygem-cool.io-debuginfo-1.5.1-1.el7.x86_64.rpm
• atomic-openshift-master-3.6.173.0.21-1.git.0.f95b0e7.el7.x86_64.rpm
• atomic-openshift-service-catalog-3.6.173.0.21-1.git.0.f95b0e7.el7.x86_64.rpm
• tuned-profiles-atomic-openshift-node-3.6.173.0.21-1.git.0.f95b0e7.el7.x86_64.rpm
• rubygem-systemd-journal-1.3.0-1.el7.src.rpm
• atomic-openshift-federation-services-3.6.173.0.21-1.git.0.f95b0e7.el7.x86_64.rpm
• fluentd-doc-0.12.39-2.el7.noarch.rpm
• kibana-debuginfo-4.6.4-3.el7.x86_64.rpm
• rubygem-excon-0.58.0-1.el7.src.rpm
• rubygem-fluent-plugin-kubernetes_metadata_filter-0.29.0-1.el7.src.rpm
• rubygem-fluent-plugin-viaq_data_model-0.0.5-1.el7.src.rpm
• rubygem-i18n-0.8.6-1.el7.noarch.rpm
• atomic-openshift-clients-3.6.173.0.21-1.git.0.f95b0e7.el7.x86_64.rpm
• atomic-openshift-docker-excluder-3.6.173.0.21-1.git.0.f95b0e7.el7.noarch.rpm
• atomic-openshift-node-3.6.173.0.21-1.git.0.f95b0e7.el7.x86_64.rpm
• atomic-openshift-cluster-capacity-3.6.173.0.21-1.git.0.f95b0e7.el7.x86_64.rpm
• atomic-openshift-sdn-ovs-3.6.173.0.21-1.git.0.f95b0e7.el7.x86_64.rpm
• rubygem-excon-doc-0.58.0-1.el7.noarch.rpm
• rubygem-cool.io-1.5.1-1.el7.src.rpm
• atomic-openshift-clients-redistributable-3.6.173.0.21-1.git.0.f95b0e7.el7.x86_64.rpm
• rubygem-faraday-0.13.0-1.el7.src.rpm
• rubygem-cool.io-doc-1.5.1-1.el7.noarch.rpm
• rubygem-faraday-doc-0.13.0-1.el7.noarch.rpm
• atomic-openshift-excluder-3.6.173.0.21-1.git.0.f95b0e7.el7.noarch.rpm
• fluentd-0.12.39-2.el7.noarch.rpm
• rubygem-cool.io-1.5.1-1.el7.x86_64.rpm
• atomic-openshift-pod-3.6.173.0.21-1.git.0.f95b0e7.el7.x86_64.rpm
• jenkins-2-plugins-3.7.1502412812-1.el7.src.rpm
• fluentd-0.12.39-2.el7.src.rpm
• rubygem-faraday-0.13.0-1.el7.noarch.rpm
• rubygem-fluent-plugin-kubernetes_metadata_filter-0.29.0-1.el7.noarch.rpm
• rubygem-fluent-plugin-viaq_data_model-doc-0.0.5-1.el7.noarch.rpm
• rubygem-i18n-doc-0.8.6-1.el7.noarch.rpm
• atomic-openshift-dockerregistry-3.6.173.0.21-1.git.0.f95b0e7.el7.x86_64.rpm
• atomic-openshift-3.6.173.0.21-1.git.0.f95b0e7.el7.src.rpm
• kibana-4.6.4-3.el7.src.rpm
• rubygem-systemd-journal-doc-1.3.0-1.el7.noarch.rpm
• atomic-openshift-3.6.173.0.21-1.git.0.f95b0e7.el7.x86_64.rpm
• rubygem-excon-0.58.0-1.el7.noarch.rpm
• jenkins-2-plugins-3.7.1502412812-1.el7.noarch.rpm
• rubygem-i18n-0.8.6-1.el7.src.rpm
• rubygem-fluent-plugin-kubernetes_metadata_filter-doc-0.29.0-1.el7.noarch.rpm

Fixes

• This content is not included.BZ - 1420976
• This content is not included.BZ - 1423640
• This content is not included.BZ - 1473736
• This content is not included.BZ - 1476731
• This content is not included.BZ - 1477223
• This content is not included.BZ - 1477933
• This content is not included.BZ - 1479130
• This content is not included.BZ - 1479928
• This content is not included.BZ - 1481251
• This content is not included.BZ - 1482273
• This content is not included.BZ - 1484958

CVEs

• CVE-2017-1000085
• CVE-2017-1000089
• CVE-2017-1000092
• CVE-2017-1000096

References

(none)

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.