Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 10. RHSA-2014:1906 - OpenShift Enterprise 2.1.9 Bug Fix and Enhancement Update

OpenShift Enterprise 2.1.9 is now available with updates to packages that fix two security issues, several bugs, and introduce a feature enhancement. See the errata advisory at https://rhn.redhat.com/errata/RHSA-2014-1906.html for more information.

Important

See the following section of the OpenShift Enterprise 2.1 Release Notes for instructions on how to apply this asynchronous errata update:
https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates
This update addresses the following bug fixes and enhancement:

Broker

BZ#1092045
By default, when an application or cartridge creation fails, the gear creation is rolled back and the failed gear is destroyed. This default behavior makes it difficult to troubleshoot the root cause of gear failures if the available platform logs do not provide enough information. This enhancement backports an OpenShift Enterprise 2.2 feature to add the ARCHIVE_DESTROYED_GEARS and ARCHIVE_DESTROYED_GEARS_DIR broker configuration parameters, which enable the archiving of destroyed gears by specifying a storage directory. When enabled, this provides additional troubleshooting options to administrators investigating failed gear creations.
BZ#1149837
With the introduction of xPaaS cartridges in OpenShift Enterprise 2.1.7, it is now legitimate to have different sets of cartridges available per gear profile. This bug fix backports an OpenShift Enterprise 2.2 fix to update the oo-accept-systems command. Cartridge integrity checks by the command are now improved, including checking that all nodes in a profile supply a consistent set of cartridges.

Cartridge

BZ#1143991
Cartridge environment variables were created in new applications for TLS private ports but not for TLS public SNI proxy ports. This issue made it difficult to obtain application endpoint details that could be required by external services. This bug fix backports an OpenShift Enterprise 2.2 fix to expose the SNI proxy mapped ports as environment variables, and TLS public port information is now more readily available in new applications.

Installer

BZ#1163502
When Red Hat Enterprise Linux (RHEL) Server 6.6 was released, the ose-upgrade tool required an update for compatibility with the latest subscription-manager RPM package. Because the ose-upgrade tool ships with the openshift-enterprise-release package, adding the dependency in that package causes problems for administrators that maintain their own stream of RHEL 6. This bug fix updates the openshift-enterprise-release package to remove the explicit dependency on the subscription-manager package. As a result, the ose-upgrade tool now works with all RHEL 6 versions of the subscription-manager package.

Node

BZ#1159997
The oo-admin-ctl-iptables-port-proxy command uses the "iptables -L" command in several places, which by default attempts to reverse-resolve the IPs listed to host names. Because most of the IPs on an OpenShift Enterprise node are internal and have no host name associated, all configured name servers could be consulted once for each rule in the tables. If all name servers are appropriately configured, the "service openshift-iptables-port-proxy restart" command tends to take a few seconds. If any name servers are unreachable or slow in responding, resolving several thousand internal IPs was reported to take over an hour. This bug fix backports an OpenShift Enterprise 2.2 fix to add the -n flag to the iptables commands used by the oo-admin-ctl-iptables-port-proxy command. As a result, it no longer attempts to reverse-resolve IPs, which was unnecessary to begin with, and the "service openshift-iptables-port-proxy restart" command completes in sub-second timing under either condition.
BZ#1155794
Previously, there was a race condition when using the apache-vhost front-end server plug-in. If the "oo-httpd-singular graceful" command was run to incorporate one gear vhost update while another gear was creating its vhost configuration, the configuration was left in a bad state and the httpd service would not restart. As a result, the vhost configuration would cease being updated and newly-added gears would be unreachable via the vhost front-end server. If the httpd service was stopped, it would fail to start until the configuration was fixed. This bug fix backports an OpenShift Enterprise 2.2 fix to extend a lock around the call to the oo-httpd-singular command, and as a result the race condition no longer occurs.

Security

BZ#1153319
OpenShift Enterprise brokers as well as nodes using the apache-mod-rewrite or apache-vhost front end plug-ins previously had SSLv3 enabled, making them susceptible to POODLE-style attacks. This bug fix backports an OpenShift Enterprise 2.2 fix to update these components to remove SSLv3 support, and as a result new installations are no longer susceptible to these issues.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.