Chapter 14. RHBA-2014:0999 - OpenShift Enterprise 2.1.4 Bug Fix and Enhancement Update
OpenShift Enterprise 2.1.4 is now available with updates to packages that fix several bugs and introduce a feature enhancement. See the errata advisory at https://rhn.redhat.com/errata/RHBA-2014-0999.html for more information.
Important
See the following section of the OpenShift Enterprise 2.1 Release Notes for instructions on how to apply this asynchronous errata update:
This update addresses the following bug fixes and enhancement:
Broker
- BZ#1118396
Previously, the output was not logged when the nsupdate command was executed by the DNS plug-in, which complicated diagnosing errors when application DNS records failed to be created or deleted. This bug fix updates the plug-in to log the standard output and errors of the nsupdate command to the broker application log (the /var/log/openshift/broker/production.log file, by default), and errors from the command are now easier to diagnose.
- BZ#1103145
If a developer was part of a global team but did not have the view_global_teams capability enabled on their account, they could add the global team as a member of their domain using the ID but not using the name. This issue was caused by the view_global_teams capability, which is only intended to control the ability to search and view global teams, unintentionally blocking the functionality. This bug fix updates this capability to allow the addition of global teams as domain members using either the ID or name as intended.
- BZ#1111163
When the oo-accept-systems script attempted to get the list of cartridges, the test terminated silently because it was using a deprecated fact. This bug fix updates the logic to use the correct method of getting the list of cartridges, and the test now completes as intended.
- BZ#1116124
Using the broker REST API directly, developers can now specify the region to which their application is deployed. This allows developers to reduce latency to target users or implement a highly-available application scheme. Developers can also now use the REST API directly to determine the region and zone(s) to which an existing application's gears were deployed. In addition, administrators can now use the DEFAULT_REGION_NAME parameter in the /etc/openshift/broker.conf file to set the default region for new applications. If the parameter is not set, then a region is chosen randomly.
Cartridge
- BZ#1106559
When the node command was run in Node.js cartridges, users experienced "error while loading shared libraries" messages. This was because the LD_LIBRARY_PATH was missing the V8 path, which was necessary as V8 has become part of Red Hat Software Collections. This bug fix updates the path and, as a result, the errors no longer occur.
- BZ#1120887
When an application is scaled, the OPENSHIFT_HAPROXY_GEAR_RATIO environment variable determines when the HAProxy load balancer gears remove collocated framework gears from rotation. However, this variable was not consulted during an application start or restart and the default value "3" was used instead, resulting in unintended gear rotations. This bug fix updates the control script to consult the variable at application startup, and scaled applications now have the expected load balancer configuration when restarted.
- BZ#1103740
After stopping a scaled application and saving a snapshot, the head gear for the application remained stopped after restoring the snapshot, which was expected. However, secondary gears were started after the restore, which was not the expected behavior. This issue was caused by certain post-restore logic not being applied to all gears in the application. This bug fix updates the post-restore logic, and secondary gears are now stopped along with the head gear after restoring a stopped application.
- BZ#1116817
Under certain race conditions or user actions, it was possible for multiple Node.js supervisor processes to be running for a Node.js cartridge. Because only one process could bind to the port, others would die, resulting in the supervisor continuously retrying to start them and consuming all of the gear's CPU. In addition to now checking whether a pidfile exists for another Node.js instance in the gear, this bug fix updates the startup logic to also check whether another supervisor or child is running before starting another. As a result, an accidental second invocation of the supervisor now exits correctly. The oo-admin-upgrade command is required to upgrade existing gears after applying this fix. See the Solution section in the errata advisory for full details.
Management Console
- BZ#1114111
When the Management Console sent a session cookie to the client, the Management Console did not specify that the session cookie should be sent only over encrypted connections. If the client logged in and subsequently connected to the Management Console using an unencrypted connection, the client would have sent the session cookie in plain text before the Management Console redirected the client to a secure connection. If the cookie were intercepted, this could facilitate session hijacking or CSRF attacks. This bug fix ensures that the Management Console now specifies that the session cookie it sets must be sent only over encrypted connections. As a result, the difficulty of performing session hijacking or CSRF attacks is increased.
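A check for the condition this fix addresses, as an added example (not code from the Management Console or the erratum): it parses `Set-Cookie` headers and lists the cookies that lack the `Secure` attribute. The cookie names, response text and function names are constructed for illustration.

```ruby
# Added example: list cookies whose Set-Cookie header lacks the Secure attribute.
# All cookie names and response text here are constructed for illustration.

# Parse one Set-Cookie value into a name and a hash of lower-cased attributes.
def parse_set_cookie(header_value)
  parts = header_value.split(';').map(&:strip).reject(&:empty?)
  return nil if parts.empty?

  name, _value = parts.shift.split('=', 2)
  return nil if name.nil? || name.empty?

  attrs = {}
  parts.each do |part|
    key, val = part.split('=', 2)
    # Flag attributes such as Secure and HttpOnly carry no "=value" part.
    attrs[key.strip.downcase] = val.nil? ? true : val.strip
  end
  { name: name, attrs: attrs }
end

# Return the names of cookies set in a raw HTTP response head without Secure.
def cookies_missing_secure(response_head)
  response_head.each_line.each_with_object([]) do |line, missing|
    field, value = line.chomp.split(':', 2)
    next unless value && field.strip.casecmp('set-cookie').zero?

    cookie = parse_set_cookie(value)
    # Match on the attribute name, not on the substring "secure": a cookie
    # named secure_prefs or scoped to Path=/secure is still sent in clear text.
    missing << cookie[:name] if cookie && !cookie[:attrs].key?('secure')
  end
end

# Constructed response before the fix: the session cookie has no Secure flag.
RESPONSE_BEFORE = [
  'HTTP/1.1 200 OK',
  'Set-Cookie: _example_console_session=abc123; path=/console; HttpOnly',
  'Set-Cookie: secure_prefs=1; Path=/secure',
  'Set-Cookie: locale=en; Path=/; secure',
  ''
].join("\r\n")

# Constructed response after the fix.
RESPONSE_AFTER = [
  'HTTP/1.1 200 OK',
  'set-cookie: _example_console_session=abc123; path=/console; Secure; HttpOnly',
  ''
].join("\r\n")

if __FILE__ == $PROGRAM_NAME
  puts "before: #{cookies_missing_secure(RESPONSE_BEFORE).inspect}"
  puts "after:  #{cookies_missing_secure(RESPONSE_AFTER).inspect}"
end
```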
Node
- BZ#1100351
The following administrative commands on node hosts did not display helpful usage information when run without options: oo-admin-ctl-gears, oo-admin-gear, oo-admin-repair-node, oo-auto-idler, oo-devel-node. The gear command on gears also had the same issue. This bug fix updates these commands to display their help page when run without options.
- BZ#1121222
If /sbin/ip did not exist, the oo-accept-node script first printed a proper error message in the find_ext_net_dev test, but subsequently failed with an exception and backtrace in the check_node_public_resolution test. This bug fix updates the oo-accept-node script to gracefully handle the exceptions, and the script now prints clearer output when /sbin/ip does not exist.
- BZ#1121203
The oo-accept-node script did not check that the external network device (as specified by the EXTERNAL_ETH_DEV parameter in the /etc/openshift/node.conf file, or the default, eth0) had a globally scoped IPv4 address. If a node host's external network device were not properly configured, such misconfiguration might not have been detected until the platform tried to perform certain operations. For example, creating a scalable application fails in the port-proxy code if the node cannot find a globally scoped IPv4 address on its external network device. This bug fix adds a new test, check_ext_net_dev_addr, to the oo-accept-node script, and the script now fails if the external network device does not have a globally scoped IPv4 address.
- BZ#1100766
In certain scenarios, gears were not properly throttled due to an issue in Watchman's ThrottlerPlugin. This bug fix addresses the issue in the plug-in, and CPU usage is now more accurately reflected as a result. A restart of the openshift-watchman service is required after applying this fix.
- BZ#1121266
The oo-diagnostics script did not check whether a node host's clock was in sync with the associated broker host's clock. MCollective ignores messages where the sender's timestamps on its messages are more than 60 seconds behind the recipient's clock at the time it receives the message, and communications between the broker and node hosts could be lost. This bug fix updates the oo-diagnostics script to add the test_node_clock_in_synch_with_broker check, which sends an HTTP request to the broker (as specified by the BROKER_HOST parameter in the /etc/openshift/node.conf file) and compares the time in the "Date:" header in the response with the node host's clock. As a result, the oo-diagnostics script now warns if the clocks are out of sync by five or more seconds, and it fails if the clocks are out of sync by 55 or more seconds.
- BZ#1096863
Previously, Watchman's frequency for checking gear state was hard-coded in the tool, and it could consume too much CPU as a result. This bug fix adds many additional configuration parameters along with documentation to the /etc/sysconfig/watchman file, and administrators now have access to more tuning options when using Watchman.
- BZ#1096789
When unidling scaled applications using the `oo-admin-ctl-gears idle` command or an HTTP request, the head gear was unidled, but secondary gears were left idle. This was because the unidle logic used a local gear start only affecting the head gear. This bug fix updates the logic to instead use a broker REST call to start the entire application when unidling, which affects all gears. As a result, head gears and secondary gears are all unidled as expected.
- BZ#1105225
In certain scenarios when using the Watchman OOM plug-in, gears would fail to be restarted after running out of memory. This bug fix addresses several Watchman issues, and Watchman now restarts gears that have run out of memory, as expected.
- BZ#1119489
The /etc/sysconfig/watchman file could be created and used as a configuration file for Watchman; however, a default file did not exist. The OpenShift Enterprise Administration Guide mentioned this file, which caused confusion when it was missing. This bug fix creates a default /etc/sysconfig/watchman file, and the file now exists as expected.
- BZ#1117004
Often when a cartridge starts a runtime in a gear, the cartridge stores the pid of the runtime's process in a pidfile. Later, the cartridge may use the process_running function to determine whether that process is still running in the gear by checking whether any running process has a pid matching the pid saved in the pidfile. However, if the runtime's process had terminated and the operating system had subsequently assigned the same pid to a new process, the process_running function could return a false positive, interfering with cartridge control actions. This bug fix updates the process_running function to use the pgrep command with the -u option to restrict its search to processes belonging to the gear. As a result, the process_running function now has a much lower probability of returning a false positive.
- BZ#1112448
The oo-accept-node script compared the list of cgroup subsystems in use against a hard-coded, default list. However, a custom list could be set using the OPENSHIFT_CGROUP_SUBSYSTEMS parameter in the /etc/openshift/node.conf file. When a custom list was in use, the script failed when the custom list differed from the hard-coded, default list. This bug fix updates the oo-accept-node script to make these comparisons using the custom list in the OPENSHIFT_CGROUP_SUBSYSTEMS parameter, if set, and the script no longer fails in this way.
- BZ#1084606
The oo-diagnostics script read the SELinux context of the mcollectived process using the ps command, but the output of ps varies depending on whether the mcstransd daemon from the mcstrans package ("SELinux Translation Daemon") is running. Therefore, the script reported a test failure in the test_mcollective_context check if mcstransd were running, even if the SELinux context of the mcollectived process were correct. This bug fix updates the script to read the SELinux context of mcollectived using the /proc filesystem, which is unaffected by mcstransd. As a result, the script no longer reports a test failure in situations where the SELinux context of the mcollectived process is correct but the mcstransd daemon is running.
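The clock comparison described under BZ#1121266 above, as an added example (not the oo-diagnostics code): it takes the `Date:` header from a broker response and classifies the skew against the node's clock using the five-second and 55-second thresholds from the release note. The sample response, timestamps and function names are constructed, and treating the skew as an absolute difference is an assumption.

```ruby
require 'time'

WARN_SKEW_SECONDS = 5   # release note: warn at five or more seconds
FAIL_SKEW_SECONDS = 55  # release note: fail at 55 or more seconds

# Extract the Date header value from a raw HTTP response head, or nil.
def date_header(response_head)
  response_head.each_line do |line|
    field, value = line.chomp.split(':', 2)
    return value.strip if value && field.strip.casecmp('date').zero?
  end
  nil
end

# Compare the broker's Date header with the node's clock.
# Returns [status, skew_seconds]; status is :ok, :warn, :fail or :unknown.
def clock_skew_status(response_head, node_time)
  raw = date_header(response_head)
  return [:unknown, nil] if raw.nil?

  begin
    broker_time = Time.httpdate(raw)
  rescue ArgumentError
    # A missing or malformed header must not be reported as "in sync".
    return [:unknown, nil]
  end

  # Assumption: skew is measured as an absolute difference, so a node that is
  # ahead of the broker is flagged the same way as one that is behind.
  skew = (node_time - broker_time).abs.round
  status = if skew >= FAIL_SKEW_SECONDS
             :fail
           elsif skew >= WARN_SKEW_SECONDS
             :warn
           else
             :ok
           end
  [status, skew]
end

# Constructed broker response head.
BROKER_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Date: Tue, 22 Jul 2014 12:00:00 GMT',
  'Content-Type: application/json',
  ''
].join("\r\n")

if __FILE__ == $PROGRAM_NAME
  [4, 5, 54, 55, -60].each do |offset|
    node_time = Time.utc(2014, 7, 22, 12, 0, 0) + offset
    status, skew = clock_skew_status(BROKER_RESPONSE, node_time)
    puts "node offset #{offset}s -> #{status} (skew #{skew}s)"
  end
end
```

The `Date:` header has one-second resolution and the request itself takes time, so a result close to a threshold is worth re-checking before acting on it.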