What’s New?

• mvn clean is no longer run as part of S2I build process (and so it won’t fail)
• S2I builds force use of IPv4 by default

• DNS_PING protocol used for clustering is now replaced with KUBE_PING

  Warning

  For clustering to work, you must add the view role to the service account.

• Can now be used as a standalone builder image, e.g. oc new-app image~source
• JBoss EAP was updated to 6.4.3.GA
• Image version information is now printed on boot
• JAVA_OPTS_APPEND environment variable is supported and appended to the JAVA_OPTS variable upon container start-up
• Clean shutdown is now possible by sending the TERM signal
• S2I scripts have moved to /usr/local/s2i from /usr/local/sti

• A Maven mirror/repository manager can be configured via environment variables.
• A maven HTTP mirror can be configured, including optional authentication and host exclusions

• Image version information is now printed on boot

• Added support for using Kubernetes REST API to resolve service endpoints for mesh

  Warning

  For clustering to work, you must add the view role to the service account.

• S2I scripts have moved to /usr/local/s2i from /usr/local/sti

API

• The pods/exec endpoint is being moved to POST instead of GET. For backwards compatibility, GET continues to be supported. Clients will try to use POST, and if that fails, will try to use GET. If you have an existing deployment, the default policy will need to be updated prior to 1.1.0. See Issue #3717 for more information.
• The hostDir volume type has been renamed hostPath in all Pod and PodTemplate objects.
• Pod: The serviceAccount field changed to serviceAccountName. OpenShift will continue to accept and output both fields; serviceAccountName takes precedence.
• Pod: The host field changed to nodeName. OpenShift will continue to accept and output both fields; nodeName takes precedence.
• Service: The portalIP field changed to clusterIP. OpenShift will continue to accept and output both fields; clusterIP takes precedence.
• Service: The protocol for a port under a Service, Endpoint, or Container must be uppercased: TCP instead of tcp, and UDP instead of udp. OpenShift will continue to accept all case variations.

Stored Objects

• Build pods previously inherited the labels of the build. This resulted in pods from builds being accidentally being included in deployments that had similar labels. It was never intended that build pods should share labels with existing components, so this behavior has been removed. Queries that attempt to retrieve build pods by label will no longer work.

For Administrators

• Kubernetes was updated to v1.0.0.
• To make it easier to upgrade your cluster, the oadm reconcile-cluster-roles command has been added to update your cluster roles to match the internal default. Use this command to verify the cluster infrastructure users have the appropriate permissions.
• A new LDAP authentication identity provider has been added, allowing administrators to configure OpenShift to verify passwords and users against an LDAP server directly.
• The master’s CA certificate can be made available as a secret inside pods, making it easier to manage secure TLS inside the cluster. To enable this in an existing configuration, set the masterCA field in the master configuration file.
• The current version of the master is now shown on startup, and startup logging has been cleaned up.
• The ability to use host ports and the hostNetwork option is now properly secured by security context constraints (SCCs), and only restricted or higher users can use them.
• The RunAsNonRoot option for pod SCCs has been added. It is now possible to restrict users to running pods that are non-root (i.e., pods that have an explicit USER numeric value set in their Docker image or have specified the user ID on their pod SCC).

For Developers

• Output for oc status has been improved to make it easier to see the types of objects being presented.

• You can now search for images, templates, and other inputs for the oc new-app command using the --search and --list flags. For example, to find all of the images or templates that include PHP:

  $ oc new-app --search php

• The oc new-app command now always add an app=<name> label on the created objects when you do not specify labels with --labels. The name is inferred from --name or the name of the first component passed to the command. For example:

  $ oc new-app php

  adds a label app=php to all of objects it creates. You can then easily delete all of those components using:

  $ oc delete all -l app=php

• The oc rsh <pod> command has been added, which is a shortcut for:

  $ oc exec -itp POD -- bash

  The new command makes it easier to get a remote shell into your pods.

• Rolling updates can now be done by percentage: you can specify the percentage of pods to update by a negative or positive amount that adjusts the amount of replicas in chunks. If negative, old deployments are scaled down first. If positive, extra pods are created first. The rolling update works to keep the desired amount of pods running (100% of the old deployment size when a positive percentage or 100%-UpdatePercent when negative) as it goes.

For Cluster Administrators

• The openshift start --print-ip command was added, which reports the IP that the master will use if no --master address is provided, then exits.
• OpenShift performance when idling has been improved by removing an inefficient timer loop.
• The router and internal registry now default to using the RollingUpdate strategy deployment. Red Hat recommends updating any existing router or registry installations if you plan on scaling them up to multiple pods.
• The oadm policy who-can command now shows additional information.
• Master startup no longer has a chance to generate certificates with duplicate serial numbers, which previously rendered them unusable.

For Developers

• For the oc new-app command:

  • Scala Git repositories are now detected.
  • A bug was fixed where explicit tags were being set on new image streams, which confused builds.
  • Ports are now exposed that were defined in the source Dockerfile when creating an application from a Git repository.
  • The FROM instruction in a Dockerfile can now point to an image stream or invalid image.
  • For any image that has volumes, emptyDir volumes are now created and the user is informed.
  • All ports defined on the image can now be exposed on the generated service.
  • The --name argument now also changes the name of the image stream.
  • Labels passed with --labels are now properly set onto the pod template and selector for the deployment.
• The oc status command now shows standalone replication controllers and a number of other warnings about issues.
• The timeout for log sessions and the oc exec and oc portforward commands has been increased from 5 minutes to 1 hour.
• Cleanup and improvements were made to the Browse pages in the web console, including a better layout at smaller resolutions.
• OpenShift now avoids writing excessive log errors on initial deployments when the image is not yet available.
• Quay.io registries are now supported by using cookies when importing images.
• Docker images of the form <registry>/<name> are now properly handled by the oc new-app command and the image import functionality.
• Secret volumes are now unique for push and pull secrets during builds.
• The oc secret commands now provide better usage errors.
• Builds are now filtered by completion time in the Overview page of the web console.
• A race condition was fixed when service accounts with .dockercfg files (for pull secrets) were deleted.
• When generating and adding secrets to a service account, the oc secrets add command now allows the user to specify which type of secret is being added: mount or pull.
• The custom builder build type now allows image output to be disabled instead of requiring it on input.
• WebSocket errors in the web console are now handled more effectively.
• The http_proxy and HTTP_PROXY environment variables can now be passed to builds.
• Routes now default to using the route name when creating a virtual host, not the service name.
• The oc expose command no longer defaults to creating routes, except when a service is exposed.
• More detail is now shown on the image streams page in the web console.
• Source code revision information is now shown in the oc describe build output.
• TLS termination output is now shown in oc describe route output.
• Image importing now works with registries that do not implement the whole Docker Registry API (e.g., Pulp read-only registries).
• Deployment configurations now trigger deployment when the metadata field of the pod template is changed, not just when the spec is changed.
• The project request template now allows Kubernetes objects as well as OpenShift objects.
• The oc volume command can now change the volume type when the --mount-path is unambiguous.
• Builds now properly cancel when the user requests them, rather than running to completion.
• The oc export command no longer fails when exporting image streams that do not have tags under their spec.
• Attempting to use the default PostgreSQL database service templates after using a default MySQL template failed with errors reporting "mysql" already exists. This was due to an incorrect value in the PostgreSQL templates, which has now been fixed. (BZ#1245559)
• Previously when creating from templates in the web console, the creation would fail if the template contained certain API object types, including persistent volume claims, secrets, and service accounts. This was due to the web console missing these types from its API type map. The type map has now been updated to include these missing types, and the web console also now gracefully handles unrecognized object types, reporting a relevant error message. (BZ#1244254)
• The web console previously produced errors when users attempted to create from templates that had a Custom build strategy. The errors obscured the template parameters from being shown or managed. The web console has now been updated to properly handle Custom and Docker build strategies in templates. As a result, the errors no longer occur, and template parameters can be viewed and managed. (BZ#1242312)
• If the nfs-utils package was not installed on a node host, when a user tried to add an NFS volume to an application, the mount operation would fail for the pod. This bug fix adds the nfs-utils package as a dependency for the openshift-node package so it is installed on all node hosts by default. (BZ#1238565)
• Previously, pruning images associated with an image stream that had been removed would fail. This bug fix updates layer pruning to always delete blobs from the registry, even if the image stream(s) that referenced the layer no longer exists. In the event that there are no longer any image streams referencing the layer, the blob can still be deleted, but not the registry image repository layer link files. (BZ#1237271)
• The Documentation link in the header of the web console previously linked to the latest OpenShift Origin documentation. It has been updated to now point to the OpenShift Enterprise documentation for the current version. (BZ#1233772)
• The Create page in the web console has been updated to make it more obvious that there are two options rather than one. The headings have been modified to "Create Using Your Code" and "Create Using a Template", and a separator has been added between the two options. (BZ#1233488)
• Previously using the CLI, labels could be set to empty values, and setting labels to invalid values produced an unfriendly error. This bug fix updates the CLI to no longer allow setting labels to empty values, and setting labels to invalid values produces a better error message. (BZ#1230581)

API

• If a deployment configuration is created without specifying the triggers field, the deployment now defaults to having a configuration change trigger.
• The new subjects field (a list of object references) is now available when creating role bindings. You can pass object references to User, SystemUser, Group, SystemGroup, or ServiceAccount when defining the binding. Passing a reference to a service account resolves the correct name, making it easier to grant access to service accounts in the current namespace. If users or groups are also specified, they take priority over values set in subjects.
• Template parameters now support displayName, which is an optional field to use from user interfaces when your template is shown.
• Secrets can now be added to custom builds and mounted at user-specified locations.

• Validation of the container.ports.name field was changed:

  • If specified, the value must be no more than 15 characters, have at least one letter [a-z] and contain only [a-z0-9-]. Hyphens cannot be leading or trailing characters, or adjacent to each other.
  • Resources generated by the web console, command line tooling, or templates were all updated to conform to the updated syntax.
  • Existing data may require manual modification to either remove the container.ports.name or update its value to conform to the new validation rules. Failure to do so may result in an inability to create pod resources that specify the invalid syntax.
  • A symptom of an invalid configuration would be the production of a large number of Event resources whose Event.Reason is failedCreate and whose Event.Message includes the string must be an IANA_SVC_NAME. Operators must edit the Event.InvolvedObject to address the invalid configuration by doing an oc edit command.

• Pending removal:

  • Support for v1beta3 from the API and from client commands will be removed in OpenShift Enterprise 3.1.

  • Builds marked only with the build label will no longer be considered part of their parent build configuration in OpenShift Enterprise 3.1. You can see a list of affected builds by running:

    $ oc get builds --all-namespaces

    Then look for builds that only have the build label and not openshift.io/build. See Issue #3502 for more information.

  • The spec.rollingParams.updatePercent field on deployment configurations will no longer be recognized in OpenShift Enterprise 3.1. Use maxUnavailable and maxSurge instead.

Security

• Secrets were previously limited to only being available in pods when the service account referenced them. To make it easier to use secrets in templates, this is now disabled by default. Cluster administrators can override this by setting the serviceAccountConfig.limitSecretReferences variable to true in the master configuration file to force this for the whole platform. Project administrators can also set the "kubernetes.io/enforce-mountable-secrets" annotation to "true" on a particular service account to require that check.

Platform

• Groups of users are now supported. Cluster administrators can use the oadm groups command to manage them.
• Service accounts are now more easily bound to roles through the new subjects field, as described in Backwards Compatibility above.

Web Console

• You can now deploy, rollback, retry, and cancel deployments from the web console.
• You can now cancel running builds from the web console.
• Improvements have been made to layout and readability at mobile resolutions.
• You can now customize the web console and login page.

Networking/Routing

• The --host-network flag has been added to the openshift router command to allow the router to run with the container network stack when set to false.
• The default host name for a route has been changed to the form <route-name>-<namespace>.<suffix>. This allows TLS wildcards on <suffix> to work properly.
• A new F5 BIG-IP® router plug-in has been added, allowing F5 routers to be dynamically configured.

• The router can now be configured to serve a subset of the routes in your deployment:

  • Pass --namespace to the router command to select routes in a single namespace.
  • Pass --labels=<selector> or --fields=<selector> to select only routes with the provided labels or fields.

  • Pass --project-labels=* to show routes in all labels that the router’s service account is granted access to, --project-labels=<selector> to filter that list by label, or --namespace-labels=<selector> to filter all labels when the router service account has that permission.

    Note

    The label list is updated every 10 minutes or when the router restarts, so new projects may not instantly get served.

• Both the F5 and HAProxy routers now allow only the first route (by creation timestamp) with a given host or generated host (when you omit the Host field) to claim that route name. If multiple routes with the same host but different paths are defined, all routes in the same namespace as the oldest route with that host will be included. If the oldest route is deleted, and the next oldest route is in a different namespace, only routes in that other namespace will be served.

Images

• Importing or creating a new app with an image from Docker v2 registries is now supported.
• The oc import-image command can now create image streams with the --from flag, specifying the image repository you want to import.
• When you tag an image with oc tag into an image stream that does not exist, an image stream can now be automatically created.

Storage

• The oc volume command now lists by default and shows you additional information about each volume type.
• Persistent volume claims now show whether they are provisioned or not, their size, and details about their bound persistent volume. The oc volume command can also now create a new persistent volume claim for you if you specify the --claim-size flag.

CLI

• The --list flag has been added to the oc new-app command to display list of available images and templates.
• The --short and -q flags have been added to the oc project command to only display the project name.

Builds

• Custom builds now allow a forcePull flag to indicate that the custom builder image must be pulled.
• Multiple image change triggers are now allowed in build configurations.
• The --commit=<commit> flag has been added to oc start-build, which triggers a build of the exact Git commit specified.
• The --env flag has been added to oc new-build, allowing you to set environment variables on your S2I builds.
• The --wait flag has been added to oc start-build, allowing you to wait for the build completion without viewing the logs.

Templates

• The required attribute has been added to template parameters. Templates now cannot be instantiated without supplying a value for all required parameters.

Remote Execution

• The oc rsh command now accepts commands and arguments after the pod is specified:

  oc rsh <pod> <command> [<arguments>]

  This behavior more closely mimics the ssh command. A TTY is automatically allocated if your current shell passes one, otherwise you can specify -t to force a TTY or -T to disable it.

• A number of stability and hanging issues have been resolved with oc exec and oc rsh. However, Docker 1.6.2 has a known issue with hangs to remote shells via docker exec, so Red Hat recommends upgrading Docker to a 1.7 or 1.8 build.

For Developers

• The web console now allows users to specify the Git reference (branch or tag) from which their build will be created. (BZ#1250153)
• Users may now specify the replica count by adjusting the scale of a deployment configuration. This is useful for setting the replica count before a replication controller has been created so that the value will be used for replication controllers created in the future. (BZ#1250652)
• Docker client libraries were updated, and OpenShift can now import images from authenticated Docker v2 registries.(BZ#1255502)
• Git URI parsing has been updated to account for git:// style URIs, and as a result builds using these URIs no longer fail. (BZ#1261449)
• Project administrators can now change a project’s display name and description by updating the project using oc edit.
• Updated the set of labels generated when creating a new application from source in the web console, just as in the CLI with oc new-app.
• Improved the display of builds in the web console.
• Builds in which a pod is not created are no longer marked as successful in the web console.
• S2I builds that may run as root are now prevented from starting, based on security context constraints on the builder service account.
• Remote shell access to builder containers is now prevented.
• Builds are now listed in the CLI according to creation timestamp.
• Builds from oc new-app are now started immediately with the configuration change trigger.
• The help text for oc get projects has been fixed.
• Hangs when using oc exec without a TTY no longer occur.
• The oc import-image command no longer panics when an error occurs.
• The --search and --list options are now suggested when calling oc new-app with no arguments.
• When running oc scale against a deployment configuration with no deployments, the replicas are now set directly.

For Cluster Administrators

• Administrators can now configure the IP address used for SDN traffic. Passing node IPs as a configuration option on the node allows it to be set distinct from the node host name for listening on other interfaces. (BZ#1253596)
• SDN node events are now triggered when a node IP changes.
• The Rolling deployment strategy is now used for router deployments.
• The mode http configuration has been added to the HAProxy front end SNI definition.
• Upgraded the integrated etcd to v2.1.2.
• Upgraded the internal Docker registry to v2.0.1.
• The Kubernetes master service address (the first address in the service CIDR range) has been added to the generated certificates to allow pods to verify TLS connections to the API.
• Permissions are now preserved during image builds.
• Panics in the API server are now recovered instead of allowing the server to crash.
• The OpenShift SDN MTU is now configurable.