Issued:

2018-07-18

Updated:

2018-07-18

RHBA-2018:2213 - OpenShift Container Platform 3.9 bug fix update

Synopsis

OpenShift Container Platform 3.9 bug fix update

Type/Severity

Bug Fix Advisory None

Topic

Red Hat OpenShift Container Platform release 3.9.33 is now available with updates to packages and images that fix several bugs.

Description

Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.9.33. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2018:2212

This update fixes the following bugs:

• The latest versions of container-selinux prevent pods from running systemd unless container_manage_cgroup is set to true. The installer now sets this boolean to true at install time ensuring that pods with systemd run as expected. (BZ#1589929)

• Port 10256 is now opened on hosts, which resolves an issue where service load balancer health checks failed because the port was not opened. (BZ#1594306)

• The defaults for the Searchguard index are set to autoexpand to the number of nodes minus 1. This causes the number of replicas for .searchguard indices to expand to the number of nodes in the cluster, but if any one node goes down, the cluster will never return to a green state without all nodes coming back. This bug fix uses the sgadmin tool to disable replica expansion, updates replicas to 0, and modifies the index setting to allocate to a named node. As a result, the Searchguard index has auto replica expansion disabled, replicas set to 0, and is allocated to a specific node. (BZ#1582232)

• The fluent-plugin-elasticsearch improperly handled bookkeeping of the records being submitted. This caused Fluentd to be stuck processing even though there was a valid request and response. This bug fix properly accounts for the records submitted to Elasticsearch. As a result, the pipeline no longer gets stuck. (BZ#1593310)

• The installer was creating an incorrect spec attribute for CPU and memory for logging. Additionally, it did not allow modifying the cpu_limit setting. This caused the values to be ignored. This bug fix conditionally patches in the cpu_limit setting if it is defined and corrects the attribute name used to specify CPU and memory requests. As a result, the values are now honored as expected. (BZ#1592551)

• Previously, enabling autoscaling from the Add to project -> advanced options page in the web console would not work correctly. The horizontal pod autoscaler would not correctly target the deployment configuration created for your application. This only was a problem when enabling autoscaling while creating the application; enabling autoscaling later worked correctly. This bug fixes updates the web console, and autoscaling is now correctly enabled from the application creation form. (BZ#1590936)

• Previously, the resource Replication Controller Dummy could appear in the types in the Other Resources page of the web console. This type would cause an error when it was selected. This bug fix removes this type from the list because it is not a real resource that users would create. (BZ#1589838)

• This bug fix ensures spec validations of service bindings do not include status, such that storage migrations during upgrade properly succeed. (BZ#1586135)

All OpenShift Container Platform 3.9 users are advised to upgrade to these updated packages and images.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For OpenShift Container Platform 3.9 see the following documentation, which will be updated shortly for release 3.9.33, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

This page is not included, but the link has been rewritten to point to the nearest parent document.https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Affected Products

Updated Packages

• atomic-openshift-web-console-3.9.33-1.git.248.9592e57.el7.x86_64.rpm
• cri-o-debuginfo-1.9.13-1.git52a8e70.el7.x86_64.rpm
• atomic-openshift-dockerregistry-3.9.33-1.git.351.9526827.el7.x86_64.rpm
• atomic-openshift-utils-3.9.33-1.git.56.19ba16e.el7.noarch.rpm
• atomic-openshift-cluster-capacity-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm
• atomic-openshift-pod-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm
• atomic-openshift-tests-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm
• atomic-openshift-sdn-ovs-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm
• rubygem-fluent-plugin-elasticsearch-doc-1.17.0-1.el7.noarch.rpm
• atomic-openshift-3.9.33-1.git.0.c35d02e.el7.src.rpm
• prometheus-node-exporter-3.9.33-1.git.892.9737971.el7.x86_64.rpm
• atomic-openshift-federation-services-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm
• openshift-ansible-3.9.33-1.git.56.19ba16e.el7.noarch.rpm
• atomic-openshift-node-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm
• atomic-openshift-docker-excluder-3.9.33-1.git.0.c35d02e.el7.noarch.rpm
• golang-github-prometheus-node_exporter-3.9.33-1.git.892.9737971.el7.src.rpm
• atomic-openshift-clients-redistributable-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm
• atomic-openshift-master-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm
• cri-o-1.9.13-1.git52a8e70.el7.src.rpm
• rubygem-fluent-plugin-elasticsearch-1.17.0-1.el7.noarch.rpm
• atomic-openshift-clients-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm
• openshift-ansible-3.9.33-1.git.56.19ba16e.el7.src.rpm
• cri-o-1.9.13-1.git52a8e70.el7.x86_64.rpm
• openshift-ansible-playbooks-3.9.33-1.git.56.19ba16e.el7.noarch.rpm
• openshift-ansible-roles-3.9.33-1.git.56.19ba16e.el7.noarch.rpm
• atomic-openshift-web-console-3.9.33-1.git.248.9592e57.el7.src.rpm
• atomic-openshift-template-service-broker-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm
• jenkins-2.89.4.1528997057-1.el7.src.rpm
• jenkins-2.89.4.1528997057-1.el7.noarch.rpm
• atomic-openshift-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm
• atomic-openshift-excluder-3.9.33-1.git.0.c35d02e.el7.noarch.rpm
• rubygem-fluent-plugin-elasticsearch-1.17.0-1.el7.src.rpm
• openshift-ansible-docs-3.9.33-1.git.56.19ba16e.el7.noarch.rpm
• atomic-openshift-service-catalog-3.9.33-1.git.0.c35d02e.el7.x86_64.rpm

Fixes

• This content is not included.BZ - 1557345
• This content is not included.BZ - 1582232
• This content is not included.BZ - 1582875
• This content is not included.BZ - 1583148
• This content is not included.BZ - 1583718
• This content is not included.BZ - 1586135
• This content is not included.BZ - 1587996
• This content is not included.BZ - 1589838
• This content is not included.BZ - 1589929
• This content is not included.BZ - 1590059
• This content is not included.BZ - 1590936
• This content is not included.BZ - 1591632
• This content is not included.BZ - 1592551
• This content is not included.BZ - 1593310
• This content is not included.BZ - 1594306

CVEs

(none)

References

(none)

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.