红帽全球峰会此内容没有您所选择的语言版本。
Chapter 10. RHSA-2014:1906 - OpenShift Enterprise 2.1.9 Bug Fix and Enhancement Update
OpenShift Enterprise 2.1.9 is now available with updates to packages that fix two security issues, several bugs, and introduce a feature enhancement. See the errata advisory at https://rhn.redhat.com/errata/RHSA-2014-1906.html for more information.
Important
See the following section of the OpenShift Enterprise 2.1 Release Notes for instructions on how to apply this asynchronous errata update:
This update addresses the following bug fixes and enhancement:
Broker
- BZ#1092045
By default, when an application or cartridge creation fails, the gear creation is rolled back and the failed gear is destroyed. This default behavior makes it difficult to troubleshoot the root cause of gear failures if the available platform logs do not provide enough information. This enhancement backports an OpenShift Enterprise 2.2 feature to add the ARCHIVE_DESTROYED_GEARS and ARCHIVE_DESTROYED_GEARS_DIR broker configuration parameters, which enable the archiving of destroyed gears by specifying a storage directory. When enabled, this provides additional troubleshooting options to administrators investigating failed gear creations.- BZ#1149837
With the introduction of xPaaS cartridges in OpenShift Enterprise 2.1.7, it is now legitimate to have different sets of cartridges available per gear profile. This bug fix backports an OpenShift Enterprise 2.2 fix to update the oo-accept-systems command. Cartridge integrity checks by the command are now improved, including checking that all nodes in a profile supply a consistent set of cartridges.
Cartridge
- BZ#1143991
Cartridge environment variables were created in new applications for TLS private ports but not for TLS public SNI proxy ports. This issue made it difficult to obtain application endpoint details that could be required by external services. This bug fix backports an OpenShift Enterprise 2.2 fix to expose the SNI proxy mapped ports as environment variables, and TLS public port information is now more readily available in new applications.
Installer
- BZ#1163502
When Red Hat Enterprise Linux (RHEL) Server 6.6 was released, the ose-upgrade tool required an update for compatibility with the latest subscription-manager RPM package. Because the ose-upgrade tool ships with the openshift-enterprise-release package, adding the dependency in that package causes problems for administrators that maintain their own stream of RHEL 6. This bug fix updates the openshift-enterprise-release package to remove the explicit dependency on the subscription-manager package. As a result, the ose-upgrade tool now works with all RHEL 6 versions of the subscription-manager package.
Node
- BZ#1159997
The oo-admin-ctl-iptables-port-proxy command uses the "iptables -L" command in several places, which by default attempts to reverse-resolve the IPs listed to host names. Because most of the IPs on an OpenShift Enterprise node are internal and have no host name associated, all configured name servers could be consulted once for each rule in the tables. If all name servers are appropriately configured, the "service openshift-iptables-port-proxy restart" command tends to take a few seconds. If any name servers are unreachable or slow in responding, resolving several thousand internal IPs was reported to take over an hour. This bug fix backports an OpenShift Enterprise 2.2 fix to add the -n flag to the iptables commands used by the oo-admin-ctl-iptables-port-proxy command. As a result, it no longer attempts to reverse-resolve IPs, which was unnecessary to begin with, and the "service openshift-iptables-port-proxy restart" command completes in sub-second timing under either condition.- BZ#1155794
Previously, there was a race condition when using the apache-vhost front-end server plug-in. If the "oo-httpd-singular graceful" command was run to incorporate one gear vhost update while another gear was creating its vhost configuration, the configuration was left in a bad state and the httpd service would not restart. As a result, the vhost configuration would cease being updated and newly-added gears would be unreachable via the vhost front-end server. If the httpd service was stopped, it would fail to start until the configuration was fixed. This bug fix backports an OpenShift Enterprise 2.2 fix to extend a lock around the call to the oo-httpd-singular command, and as a result the race condition no longer occurs.
Security
- BZ#1153319
OpenShift Enterprise brokers as well as nodes using the apache-mod-rewrite or apache-vhost front end plug-ins previously had SSLv3 enabled, making them susceptible to POODLE-style attacks. This bug fix backports an OpenShift Enterprise 2.2 fix to update these components to remove SSLv3 support, and as a result new installations are no longer susceptible to these issues.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}