Origin Versions Save

Conformance test suite for OpenShift

v3.7.0-alpha.1

6 years ago

v3.6.0

6 years ago

This is the public release of OpenShift Origin v3.6.0.

Changes

Roadmap for the v3.6 release

v3.6.0 (2017-07-30) Full Changelog

See the earlier release notes for other features implemented in this release:

Component updates

Updates to Kubernetes
- 42038: Add backup-volfile-servers to mount option #15396
- 44756: Don't call spew unless we're logging #15520
- 48613: proxy/userspace: honor listen IP address as host IP if given #15174
- 48709: glusterfs: retry without auto_unmount only when it's not supported #15396
- 48813: maxinflight handle should let panicrecovery handler call NewLogged #15306
- 48884: Do not mutate pods on update #15190
- 48940: support fc volume attach and detach #15407
- 48960: No warning event for DNSSearchForming #15350
- 49111: Fix findmnt parsing in containerized kubelet #15372
- 49120: Modify podpreset lister to use correct namespace #15318
- 49127: Make definite mount timeout for glusterfs volume mount #15396
- 49230: use informers for quota calculation #15357
- 49353: Use specified ServerName in aggregator TLS validation #15388
- 49444: Do not spin forever if kubectl drain races with other removal #15436
- 49475: Fixed glusterfs mount options #15396
- 49688: Don't block watch cache Get/List on unready #15515
- Also expose gRPC metrics in kube storage #15517
- Carry a patch for reporting 429 metrics #15485
- Double the global timeout if performing a global list #15505

Features

Record the last snippet of build logs into the build API result

In many cases, the last few lines of the build log contain an accurate reason for a failing build. This adds a new field logSnippet to the build status and populates it with the last few lines of build logs when the build is marked as failed. This field is purely informational and may not be a complete representation of the final logs.

Grab a snippet of build logs for failing builds #15181

Bugs

build: Retry build push failures on a larger set of errors #15406
build: Only set the build timestamps the first time to avoid duplicate writes #15487
cli: Remove use of policy API from CLI #15196
cluster: Remove oc cluster up dependency on oc binary #15471
images: Fix panic when POSTing an image to the server #15541
rbac: Handle cleanup of individual authz objects in sync #15223
rbac: Update bootstrappolicy/dead addDeadClusterRole to include systemOnly annotation #15320
rbac: Reconcile controller roles at startup #15354
rbac: Update quota controller's role for Kube authorizer #15348
route: Fix panic when user sets edge TLS termination on a route #15550
router: Unconditionally remove proxy headers to prevent httpoxy #15146
router: Add an ENV to control ipv6 behavior in the router #15351
server: Set mutation limit proportional to read limit by default #15206
server: Make the master endpoint lease ttl configurable #15214
server: Run separate informers for api and controllers #15217
server: Register aggregator resources into scheme prior to starting any components #15226
server: Unable to authenticate to the controller process using the remote authorizer #15458
server: Add gRPC metrics for the API server's connection to etcd #15517
server: Make controller client rate limits proportional to the overall limit #15479

Release SHA256 Checksums

ecb0f52560ac766331052a0052b1de646011247f637c15063f4d74432e1ce389  ./openshift-origin-client-tools-v3.6.0-c4dd4cf-linux-64bit.tar.gz
c9565850257fd758585118c4b5e1be42ddcf133026c02adee2695191690f022e  ./openshift-origin-server-v3.6.0-c4dd4cf-linux-64bit.tar.gz
320dd318b4b094fea9aadee9473173054d1f11b97895b94315fe2f095f08b652  ./CHECKSUM
6ade4ce9b300b1a9ed4ccfa49f3476a0721c71b78e7dd43ca58f4752b29ab5f1  ./openshift-origin-client-tools-v3.6.0-c4dd4cf-mac.zip
6a45e7fe115dd4c8675ba06e8d958da6819b84a876ea6eb1c085a92b741e43f7  ./openshift-origin-client-tools-v3.6.0-c4dd4cf-windows.zip

v3.6.0-rc.0

6 years ago

This is the first release candidate for OpenShift 3.6.

Backwards Compatibility

Security Context Constraints migrated from older versions of OpenShift that have a null allowed volumes array will now default to ["none"]
- This will prevent future migration to PodSecurityPolicy from being ambiguous
- #14625
Deployment Configs no longer allow leading or trailing spaces on images
- Kubernetes 1.7 will tighten this validation and this will prevent future migrations from being necessary
- #14744
Users may now create routes with empty spec.tls.destinationCACertificate fields
- To preserve backwards compatibility, when the route is retrieved from the /oapi/v1/routes/* endpoint it will have a synthetic certificate injected. Retrieving the route from the new /apis/route.openshift.io/v1 endpoint will show the new empty value.
- #14818
When creating builds via the new /apis/build.openshift.io/v1 endpoint pruning will be automatically defaulted
- Builds created via the old API are unaffected. Callers may set the limit high to avoid pruning
- #14845

Changes

Roadmap for the v3.6 release

v3.6.0-rc.0 (2017-07-13) Full Changelog

API

The autoscaling v2alpha1 API - new in Kubernetes 1.6 - is disabled by default #15058
Image stream tags will now return labels from the parent image stream
- Sending an update to the tag with empty labels will not cause an error #15098

Component updates

Updated to Kubernetes v1.6.1-1-g5115d708d7 + patches
- Add the API aggregation code as a backport to 3.6 from Kubernetes 1.7
  - 43003: Separate discovery from the apiserver #14513
  - 44399: Add deregistration for aggregator paths #14513
  - 44408: Aggregator controller changes only #14513
  - 44466: Use our own serve mux that directs how we want #14513
  - 45247: Promote apiregistration from v1alpha1 to v1beta1 #14676
  - 45247: generated: Promote apiregistration from v1alpha1 to v1beta1 #14676
  - 45370: refactor names for the apiserver handling chain #14513
  - 45432: Use apiservice.status to break apart controller and handling concerns #14513
  - 46112: apimachinery: move unversioned registration to metav1 #14593
  - 46440: Fix api server handler routing (move CRD behind TPR) #14513
  - 46440: Fix api server handler routing (move CRD behind TPR) #14847
  - 46800: Separate group and version priority #14676
  - 47060: Fix etcd storage location for CRs #14499
  - 47347: Actually check for a live discovery endpoint before aggregating (part 2) #14881
  - 47347: Actually check for a live discovery endpoint before aggregating #14595
  - 47347: Actually check for a live discovery endpoint before aggregating #15022
- Add secret at rest encryption backport from Kubernetes 1.7
  - 46460: Add configuration for encryption providers #14798
  - 46916: Add AES-CBC and Secretbox encryption #14517
  - 47537: Fix typo in secretbox transformer prefix #14748
- Fixes:
  - 41758: Updated key.pm and cert.pm to remove error in setting up localhostCert pool #14847
  - 42835: Remove legacy insecure port options from genericapiserver #14513
  - 43878: Delete EmptyDir volume directly instead of renaming the directory #14549
  - 43982: Fix deletion of Gluster, Ceph and Quobyte volumes #14667
  - 44058: Make background garbage collection cascading #14907
  - 44115: Scheduler should not log an error when no fit #14714
  - 44746: Support for PodPreset in get command #15148
  - 44784: Handle vendored names in OpenAPI gen #14993
  - 44898: While calculating pod's cpu limits, need to count in init-container #14605
  - 44962: Remove misleading error from CronJob controller when it can't find parent #14899
  - 45049: Log an EBS vol's instance when attaching fails because VolumeInUse #14844
  - 45085: kube-apiserver: check upgrade header to detect upgrade connections #14676
  - 45349: Fix daemonsets to have correct tolerations for TaintNodeNotReady and TaintNodeUnreachable. #14653
  - 45637: --api-version on explain is not deprecated #14872
  - 45661: orphan when kubectl delete --cascade=false #14189
  - 45864: Fix unit tests for autoregister_controller.go reliable #14519
  - 46034: Event aggregation: include latest event message in aggregate event #14793
  - 46036: Retry clientCA post start hook on transient failures #14474
  - 46121: Fix kuberuntime GetPods #14290
  - 46771: Allow persistent-volume-binder to List Nodes/Zones Available in the Cluster #14899
  - 46796: Bump namespace controller to 10 workers #14806
  - 46852: Lookup no --no-headers flag safely in PrinterForCommand function #14472
  - 46968: bkpPortal should be initialized beforehand #14478
  - 46974: Avoid * in filenames #14477
  - 47003: Fix sorting of aggregate errors for golang 1.7. #14495
  - 47003: Remove duplicate errors from an aggregate error input. Helps Helps with some scheduler errors that fill the log enormously. #14495
  - 47078: HPA: only send updates when the status has changed #14529
  - 47270: kubectl drain errors if pod is already deleted #14663
  - 47274: Don't provision for PVCs with AccessModes unsupported by plugin #14705
  - 47281: Update devicepath with filepath.Glob result \into
  - 47367: Add client side event spam filtering #14747
  - 47450: Ignore 404s on evict #14690
  - 47462: Strip container id from events #14693
  - 47491: Image name must not have leading trailing whitespace #14691
  - 47516: Fix getInstancesByNodeNames for AWS #14669
  - 47605: Change Container permissions to Private for provisioned Azure Volumes #14733
  - 47701: Force protobuf to be stable in output #14723
  - 47740: Add websocket protocol authentication method #14716
  - 47740: Use websocket protocol authenticator in apiserver #14716
  - 47792: Fix rawextension decoding in update #14764
  - 47822: Separate serviceaccount and secret storage config #14838
  - 47823: Don't pass CRI error through to waiting state reason #14887
  - 47904: Prioritize messages for long steps in storage trace output #14911
  - 47919: Use %q formatter for error messages from the AWS SDK #14948
  - 47973: Include object fieldpath in event key #14869
  - 47975: Make protobuf time precision match json #14867
  - 48017: Plumb preferred version to nested object encoder #14865
  - 48085: Move iptables logging in kubeproxy #15096
  - 48261: Fix removing finalizer for gc #14956
  - 48343: Don't accept delete tokens that are waiting to be reaped #14978
  - 48354: Allow a deletestrategy to opt-out of GC #14988
  - 48394: Verify no-op updates against etcd always #15001
  - 48481: Protect against nil panic in apply #15066
  - 48578: Run should output message on container error #15090
  - 48582: Fixes oc delete ignoring --grace-period. #15091
  - 48624: kube-proxy logs abridged #15096
  - 48635: proxy/userspace: suppress "LoadBalancerRR: Removing endpoints" message #15166
  - 48733: Never prevent deletion of resources as part of namespace lifecycle #15123
- Carried fixes:
  - Disambiguate operation names for legacy discovery #14513
  - Lengthen too short timeouts on startup #15129
  - Support SCC FSType none #14625
  - Increase job re-list time in cronjob controller #14953
  - Update client namer rules for ambiguous output #14843
  - Increase SAControllerClientBuilder timeout #15085
  - Use internal service/endpoints informers in aggregator #14694
  - Deprecate --api-version in oc config set-cluster #14919
Updates to Docker distribution
- docker/distribution: 2299: Fix signaling Wait in regulator.enter #14581

Features

Support API aggregation in OpenShift

API aggregation is a key Kubernetes feature that will make it easier to extend Kubernetes clusters. The 3.6 release enables aggregation as tech preview and includes the Kubernetes 1.7 APIs. Its primary purpose in 3.6 is to support the service catalog.

#14513

Add `httpd` images and quickstart

The httpd image makes it easy to serve content to users, proxy, or extend with custom support for Apache modules. This image is added to the default image streams along with a quickstart template.

#14660

Enable schema2 by default for the integrated registry

Now that a significant fraction of all users have access to Docker 1.10, enable schema2 support in the registry by default. This will allow Docker 1.10+ engines to push images using the new schema and sets the stage for future improvements in images.

#13428

Deploy service catalog via `oc cluster up`

The --service-catalog flag on oc cluster up will deploy the new service catalog and configure the instance with support for the template broker and the new service catalog UI. This feature is tech preview in OpenShift 3.6.

#14630

Kubernetes objects can request image resolution

Kubernetes objects like Deployments and StatefulSets can now add an alpha annotation to request image stream resolution from any image field in their pod specs. If an image stream tag with matching name and tag exist, the value of the image will be replaced with the latest tag in that stream. Use oc set image-lookup to configure the flag.

#14795

Builds now support the `valueFrom` field to inject dynamic values into environment or labels

Builds, like pods, can use the valueFrom field on each label or environment variable to leverage data from the parent build. This allows some limited dynamic properties to be set into each build result.

#14749

Bugs

Add prometheus examples #14637
admin: Reverse the order of migrate output to match desired visual outcome #15002
admin: Tolerate deletion of resources during storage migration #15124
admin: Update oadm manage-node to support multiple output formats #14655
admin: oadm migrate storage was double counting when filtering #14724
admin: oadm migrate was double printing early exit error #15000
apiserver: Report better panic errors #15026
apiserver: Use Kubernetes apiserver extended arguments for enabling and disabling alpha versions #14941
audit: Add audit logging to apiserver startup #15027
auth: Allow websocket authentication via protocol header #14716
build: Better description on the webhook secret field #14879
build: Build containers are now automatically parented to the pod cgroup #14688
build: Report multiple build causes for image change triggers #14777
catalog: Enable pod preset admission, but default to off #14461
catalog: Enable podpresets with service catalog #14814
catalog: Put catalog and logging templates in a system namespace #14846
cli: Add the --api-version field back to oc explain for cross version output #14872
cli: Deprecate more uses of --api-version #14919
cli: Errors must be always shown in oc status #14849
cli: Recognize persistent volume claim in status #15013
cli: The --ports flag does not modify dc env variables #13816
cli: oc set triggers is displaying listed resources twice #14987
cluster: Check status of router, registry, metrics, logging, imagestreams in oc cluster status #14436
cluster: Fix check for available ports when docker is running in user namespace mode. #14169
cluster: Fix host volume share creation #15088
cluster: Fix the regular expression used to parse openshift version #15055
cluster: Replace fsouza go-docker client with engine-api client in cluster up #14729
cluster: Use admin commands on origin container to install router and registry #15087
controller: Disable ThirdPartyController #14969
controller: Fix leader election logging #14662
controller: Make service controller failure non-fatal again #14951
controller: Refactor openshift start to separate controllers and apiserver #14775
deploy: Add extended tests for DC ControllerRef #14880
deploy: Emit events when failing to create the deployment pod #14970
deploy: Ensure MinReadySeconds is correctly set in all cases on replication controllers #14936
deploy: Fix crash when deployer pod is unable to observe started pod from API #15056
deploy: Image change triggers were not firing on the second deployment #14773
deploy: Retry instantiate on conflicts #14902
deploy: Set ownerRef from RC to grouped API version #14582
deploy: Update lastTriggeredImage if not set when instantiating DCs #15145
diagnostic: Create network test projects with empty nodeselector #14686
diagnostic: Handle optional components like logging better #14991
diagnostics: Report the volume of etcd writes via a diagnostic #14604
dns: Node DNS should answer PTR records for stateful sets #14400
dns: ResolverConfig should be enabled so that host search path is inherited for node DNS #15030
doc: Add security definitions to Swagger and OpenAPI doc #14745
doc: Fix the OpenAPI docs to include new extension fields for Kube 1.6 #14993
egress: Add an HTTP proxy mode to egress router #13586
f5: Delete reencrypt routes correctly #14921
failover: Added IPv6 support for the ipfailover keepalived #14527
failover: Control preemption strategy #14947
gc: Allow templateinstance updates for GC #14918
gc: Ensure build configs create builds with the proper owners #14591
gc: Make GC mutation check ignore selfLink #15112
gc: Make sure that GC can delete privileged pods #14867
gc: Resources without GC on should not have GC finalizers #14988
hack: Correctly place script output at _output/scripts #14507
hack: Permit OS_GIT_VERSION to have a git hash longer than 7 characters - this occurs when 7 characters are not enough to uniquely describe a given commit #14438
hack: Script for building local images #14339
image: Add more default allowed registries #14850
image: Deleted image streams are never removed from controller queue #15099
imagepolicy: Do not resolve images on job/build/statefulset updates #15118
newapp: Retry git ls-remote in new-app when checking remote registry #14758
newapp: Throw error using --context-dir with a template #15019
newapp: oc new-app --build-env doesn't work on templates #14922
newapp: oc new-app displays correct error on missing context directory #14715
node: Add DefaultIOAccounting to all openshift services #14644
node: When CRI runtime is not docker, don't init docker socket #15063
node: add bind mount for /var/lib/dockershim #14828
oauth: Log errors that occur when verifying OAuth flow state #14692
performance: Bump default namespace controller workers to 10 #14806
performance: Increase default maxInFlightRequests to 1200 #15129
performance: Move deployments to use versioned Kubernetes informers #14728
performance: Prevent duplicate deployment informers #14568
performance: Reduce number of build caches #14679
performance: Refactor Build Controller to use Informers #14289
performance: Refactor BuildConfig controller to use Informers #14596
performance: Remove ImageStreamReferenceIndex from BuildInformer #14635
performance: Remove deployment legacy informers in favor of generated #14562
performance: Reuse the authorization and template shared informers for GC #14391
performance: Use generated informer with cluster resource quota #14567
performance: Use the generated informers for authorization #14564
proxy: honor BindAddress for the iptables proxy #14815
rbac: Add oadm migrate authorization to allow manual migration #14429
rbac: Normalize OpenShift roles when syncing to Kubernetes RBAC #14475
rbac: Relax restriction on binding to namespace roles #14547
rbac: Update the bootstrap/policy convertClusterRoles function to annotate systemOnly roles #14510
registry: Improve logs during image pruning #14405
registry: allow to override the DOCKER_REGISTRY_URL and default to in-cluster address #14882
reliability: Make the default quorum reads #14572
router: Add a diagnostic that runs extended validation on routes #14819
router: Allow router to bind to IPv6 by default #13663
router: Allow specifying haproxy SSL Cipher list #14505
router: Allow whilelisting valid route IPs #14536
router: Clean up the patternMatch template function #14552
router: Do not serve certificate content for Non-SSL routes #14621
router: Prevent POODLE vulnerability in HAProxy router #7638
router: Router metrics tests should use the configured port instead of a new port #14889
router: Support routes with mixedcase/uppercase hostnames #14157
rpm: Add bind mount for /etc/pki #14741
rpm: Build and ship ginkgo binary with extended tests #14839
rpm: Bump OVS version requirement to 2.6.1 #13370
rpm: Client package should require bash-completion #14753
scc: Print the original cause when logging a failed SCC check #14639
scc: Show SCC provider in error message. #13842
scc: When sorting SCCs by restrictions don't add a score if SCC allows volumes of projected type. #14548
sdn: Add better logging of ofport request failure #15023
sdn: Add the nodes local IP address to OVS rules #14924
sdn: Allow project admins to create/edit/delete NetworkPolicies #14830
sdn: Be a normal CNI plugin #14447
sdn: Change the MAC addresses to be generated based on IP #14685
sdn: Clean up writing cluster network CIDR to config.env #13726
sdn: Don't require netns on Update action #14446
sdn: During pod update, some SDN flow updates were missing #14892
sdn: Ensure CNI dir exists before writing openshift CNI configuration under CNI dir #15064
sdn: Kill containers that fail to update on node restart #14665
sdn: Require proxy-mode=iptables for NetworkPolicy plugin #14466
sdn: Segregate OpenShift's iptables rules #13465
sdn: Update NetworkPolicy support to be compatible with its GA semantics #14498
sdn: Use GC rather than refcounting for VNID policy rules #14560
security: Give the service catalog controller event CRUD #14750
security: Project admin and editor should be able to build images #14611
security: swagger.json should be accessible to anonymous users #15157
server: Do not force any selinux context on volumeDir #12942
storage: Add oadm migrate etcd-ttl which encodes upstream TTL migration #14559
storage: Add oadm migrate volumesource to detect deprecated fields #14810
storage: ClusterNetwork was using the wrong filter options #14853
storage: Don't prevent updates that only touch ownerrefs #14816
storage: Ensure OpenShift resources have a stable protobuf serialization #14723
storage: Get encryption configuration from a config and apply resource transformers. #14836
storage: Perform live client check only if scopes were added #15149
storage: Separate serviceaccount and secret storage config. #14838
storage: Tolerate not found when delete policybindings, remove roles on policybinding deletion #15142
template: Add template.openshift.io/expose annotation for use with service broker bind #14486
template: Allow templateinstance controller to instantiate non-v1 objects #14799
template: Don't start template informer unless templateservicebroker is configured #14579
template: Eliminate nil/empty distinction for new TemplateBinding field #14532
template: Give template instance controller admin permissions #14634
template: Improve error message when processing non-template resources #14757
template: Make templateinstance immutability message more understandable #14494
template: Make templateinstance secret optional #14848
template: Only list as required those template parameters which are marked required and which cannot be generated automatically #14488
template: Take template service broker forbidden error message friendlier #14538
template: remove template.openshift.io/namespace parameter from template service broker and use context object instead #14586
trigger: Deployments were not firing on triggers because of internal code mismatch #15025
trigger: Image change trigger must be able to create all build types #14792
web: Adding meta tag so the login screen renders correctly when IE is in intranet mode #15083
web: Show toast notifications for more things #1662, #1663, #1659, #1657, #1677, #1680, #1681, #1691, #1688, #1693, #1382, #1704
web: Enable sorting by keys in YAML editor #1642
web: Clarify GitHub webhook configuration #1660
web: Don't mark YAML editor as immediately changed #1666
web: Check services for bindability before creating bindings #1599
web: Set up pod presets during binding to applications #1672
web: Show Git commit on browse build page #1670
web: Bug 1459848 - Fix template confirm-on-exit prompt #1671
web: Bug 1460142 - Only use confirm-on-exit on some forms #1674
web: Bug 1459834 - Don't stop navigation when a user has blocked confirm dialogs #1675
web: Show process template errors as toasts #1678
web: Remove calls to AlertMessageService.getAlerts() / clearAlerts() #1679
web: Bug Fix 14660167 - View Quota does not work on Overview page #1683
web: Consistently display error details on failed requests #1690
web: Overide registryAnnotations directive to match the annotations directive #1136
web: Fix dist for build hook doc url #1694
web: Support for Gitlab and Bitbucket webhooks in the BC editor #1539
web: Removing popup directive as it's now in common #1676
web: Show application bindings on overview #1696
web: Increase specificity of css overflow: hidden rule so it doesn't clip kebab dropdown menu Fixes Bug https://bugzilla.redhat.com/show_bug.cgi?id=1460153 #1698
web: Init Containers Added to Pod Template #1560
web: Bumping registry-image-widgets to v0.0.10 to fix nav-tabs-pf bug #1700
web: Fix incorrect projectName references #1702
web: Hide error notifications on $scope destroy, not just cancel #1706
web: Update origin-web-catalog to v0.0.22 #1708
web: Add unbind action to provisioned services #1705
web: Adjust dropdown positioning when > 480, 480 - 768, < 769 #1718
web: Combine secrets page tables into one and group by type. Fixes https://github.com/openshift/origin-web-console/issues/1686 #1717
web: Don't show both toast and in-page alert for missing resources #1721
web: Enter key on forms for deploy image and process template #1722
web: Bug 1460990 - show underlying username in several places where user may look #1724
web: Don't show new builds in collapsed overview rows #1723
web: Change output of failed verify-dist to use git diff #1720
web: Bug 1462067 - Give options to delete pod without grace period #1727
web: Bug 1461771 - Switch empty project Add to Project to Browse Catalog #1729
web: Update to the logo icon font set to include mediawiki #1730
web: Show optional parameters in template dialog #1733
web: Bug 1462667 - Fix broken show generated parameters link on next steps page #1734
web: Deprovision to Delete Update #1735
web: Fix delete binding modal to show secret names #1728
web: Add link to controller on pod and replica set pages #1732
web: Only auto-start the landing page tour at appropriate window sizes #1741
web: Fix awkward overview message for new deployments #1745
web: Send propagationPolicy null so that instances and bindings can be deleted cleanly #1739
web: Bug fix where pod quota warning was misaligned on browse pages #1747
web: Extension point fix for navbar #1746
web: Bug 1462205 - Delete binding shouldn't show up when all bindings are pending deletion #1738
web: Watch for changes to the tab query parameter #1749
web: Show a "View Events" link when a deployment is running #1661
web: Sort bindingsByInstanceRef by first associated application (from sorted applications) #1742
web: Add username requester on bind for template broker #1744
web: Bug 1462781 - should show the image stream from reference when it exists instead of pushed image #1752
web: Bump origin-web-catalog to v0.0.25 #1754
web: Bug 1464397 and Bug 1461702 - problems with webhook trigger urls and display #1763
web: Adding global tech preview indicator for service catalog #1712
web: Show average pod metrics for all containers on overview #1756
web: Fixes visual defects around "Container:" labels #1757
web: Change create project redirect for new experience #1759
web: Make it easier to discover enabling TLS for routes #1761
web: Fix delete binding result message #1762
web: Utilizing openshift-logos-icon dependency #1743
web: Should only see actions for service cat resources in overview that the user can do #1768
web: Don't request instances and bindings if the user doesn't have watch rights #1769
web: Changing default icon for templates to fa-clone #1765
web: Removes border and margin from Labels section #1772
web: Updating kubernetes-container-terminal to fix terminal cursor bug #1775
web: Fixes several bugs in service instance row #1776
web: Upgrade versions of catalog (0.0.27) and common (0.0.39) #1777
web: Fixes bug where "Check events" link wrapped to two lines on deployments page #1778
web: Fix service instance object dump in bind app to service dialog #1779
web: Fixes issue where long empty-state-message titles are clipped at mobile #1783
web: Fixes bug where heading was unnecessarily truncated #1786
web: Bump origin-web-catalog and origin-web-common #1787
web: Bug 1467232 - Fix overview cluster quota warning #1789
web: Don't set propagationPolicy when deleting pod immediately #1792
web: Use config.local.js if present for grunt serve:dist #1796
web: Don't include Failed pods in count beside mini donut #1808
web: Revert kubernetes-container-terminal to 1.0.3 #1811
web: Update README to reference firefox instead of chrome for e2e tests #1816
web: Bug 1470010 - Use owner references to find deployment on replica set page #1832
web: Update mini donut total in $evalAsync block #1830
web: Don't fade "0 pods" text in mini donut #1835
web: Add additional API groups to security check whitelist #1837
web: Edit the YAML of deployments in the apps group #1839

Release SHA256 Checksums

553ce3edcfe4e0a5ec787fa7697713ff7c8cb49aa08d680e446eb8c02d786a1e  ./CHECKSUM
5808b3d29c72d04643c98ee1f51611222fa4c14fe420632d60812dc9b59755fd  ./openshift-origin-client-tools-v3.6.0-rc.0-98b3d56-linux-64bit.tar.gz
94b7c89ed9e177a31713392fcaf815c029c2bf8b7689d3a2b316a678cb990a34  ./openshift-origin-server-v3.6.0-rc.0-98b3d56-linux-64bit.tar.gz
454970d47bc4fef39e0835bd1a8806f6966f41515a5da269c15b871f98368263  ./openshift-origin-client-tools-v3.6.0-rc.0-98b3d56-mac.zip
11a8a94f96be56a66c73cb1ee6ed9365307c40136c5ea80beb4deeefb2ee1b23  ./openshift-origin-client-tools-v3.6.0-rc.0-98b3d56-windows.zip

v3.6.0-alpha.2

6 years ago

This is a feature release of OpenShift Origin.

Backwards Compatibility

The experimental command oc import docker-compose has been removed #13795
- Work has moved to the kompose project
The status.unavailableReplicas field on deployment configs no longer accepts negative numbers #14046
The extended certificate validation feature in the router is now much stricter #13897
- In order to ensure that buggy, malicious, or invalid certificates cannot crash a router the extended certificate feature now decodes and then re-encodes certificates from routes. Only a known set of allowed PEM blocks and certificate types will be accepted, including the common RSA and ECSDA variants of both public and private keys.
- If you are upgrading your cluster and have not disabled extended certification (on by default) you should start a test router instance and verify that all routes successfully load before completing your rollout.
- Routes that fail extended validation are taken out of rotation and have a status field message set indicating they are not accepted.

Changes

Roadmap for the v3.6 release

v3.6.0-alpha.2 (2017-06-07) Full Changelog

API

Add fields to builds that display the status of build results #13307
- A series of stages and steps are part of build status and populated by the builder.
Two fields are added to build config spec to control how many successful and failed builds are preserved on the cluster #13788
The spec.tls.destinationCACertificate field on a route is now optional - routers that don't allow defaulting will reject this route

Component updates

Updated to Kubernetes v1.6.1-1-g5115d708d7 + patches
- 39732: Fix issue #34242: Attach/detach should recover from a crash #14119
- 40423: Support for v1/v2/autoprobe openstack cinder blockstorage #14005
- 41498: cinder: Add support for the KVM virtio-scsi driver #14005
- 41634: Handle error event type #13939
- 41939: Add an AEAD encrypting transformer for storing secrets encrypted at rest. #14243
- 42033: fix TODO: find and add active pods for dswp #14119
- 42672: use separate scheme to serve the kube-aggregator #13974
- 42801: add local option to APIService #13974
- 42886: allow fallthrough handling from go-restful routes #13974
- 42900: rewire aggregation handling chain to be normal #13974
- 42911: combine kube-apiserver and kube-aggregator #13974
- 43076: allow combining API servers #13974
- 43141: Create controller to auto register TPRs with the aggregator #13974
- 43144: start informers as a post-start-hook #13974
- 43149: break kube-apiserver start into stages #13974
- 43170: Add ability to customize fed namespace for e2e #14106
- 43226: don't start controllers against unhealthy master #13974
- 43289: Attach/detach controller: fix potential race in constructor #14119
- 43301: add APIService conditions #14285
- 43375: Set permission for volume subPaths #13895
- 43377: only log stacks on server errors #14173
- 43383: proxy to IP instead of name, but still use host verification #13974
- 43396: iSCSI CHAP support #14112
- 43575: util/iptables: check for and use new iptables-restore 'wait' argument #14186
- 43922: prevent corrupted spdy stream after hijacking connection #13669
- 43945: Remove 'beta' from default storage class annotation #14427
- 44066: Improve federation e2e test setup #14106
- 44068: Use Docker API Version instead of docker version (fixup) #14335
- 44068: Use Docker API Version instead of docker version #14158
- 44072: Cleanup e2e framework for federation #14106
- 44073: Optionally retrieve fed e2e cluster config from secrets #14106
- 44082: use AvailabilityZone instead of Availability #14005
- 44221: validateClusterInfo: use clientcmdapi.NewCluster() #13653
- 44295: Azure disk: dealing with missing disk probe #14072
- 44406: CRI: Stop following container log when container exited. #14380
- 44439: controller: fix saturation check in Deployments #13890
- 44452: Implement LRU for AWS device allocator #14119
- 44462: 44489: fix selfLink for cluster-scoped resources #14001
- 44566: WaitForCacheSync before running attachdetach controller #14119
- 44570: Explicit namespace from kubeconfig should override in-cluster config #13653
- 44625: Retry secret reference addition on conflict #14033
- 44639: Set fed apiserver to bind to 8443 instead of 443 #14107
- 44730: Check for terminating Pod prior to launching successor in StatefulSet #13653
- 44760: Fix issue #44757: Flaky Test_AttachDetachControllerRecovery #14119
- 44781: Ensure desired state of world populator runs before volume reconstructor #14144
- 44798: Cinder: Automatically Generate Zone if Availability in Storage Class is not Configured #14159
- 44837: Fix Content-Type error of apis #14285
- 44859: e2e: handle nil ReplicaSet in checkDeploymentRevision #13653
- 44861: NotRegisteredErr for known kinds not registered in target GV #13653
- 44895: util/iptables: grab iptables locks if iptables-restore doesn't support --wait #14186
- 44939: don't HandleError on container start failure #14077
- 44970: CRI: Fix StopContainer timeout #13938
- 45100: node-controller: deflake TestUpdateNodeWithMultiplePods #13940
- 45105: taint-controller-tests: double 'a bit of time' to avoid flakes #13953
- 45171: Use groupName comment for listers/informers #13982
- 45235: remove bearer token from headers after we consume it #14007
- 45238: expose kubelet authentication and authorization builders #14011
- 45286: When pods are terminated we should detach the volume #14191
- 45304: increase the QPS for namespace controller #14274
- 45403: apiserver: injectable default watch cache size #14052
- 45413: Extend timeouts in timed_workers_test #14225
- 45427: 45897: GC controller improvements #14358
- 45496: fix pleg relist time #14282
- 45505: expose the controller initializers #14033
- 45515: Ignore openrc group #13964
- 45601: util/iptables: fix cross-build failures due to syscall.Flock() #14186
- 45623: Don't attempt to make and chmod subPath if it already exists #14193
- 45685: fix quota resync #14151
- 45741: Fix discovery version for autoscaling to be v1 #14255
- 45747: OwnerReferencesPermissionEnforcement ignores pods/status #14204
- 45826: prevent pods/status from touching ownerreferences #14204
- 45835: client-gen: honor groupName overrides in customArgs #14203
- 45894: Export BaseControllerRefManager #14322
- 45933: Use informers in scheduler / token controller (part 2, fixing tests) #14412
- 45933: Use informers in scheduler / token controller #14321
- 45940: apiserver: no Status in body for http 204 #14237
- 45977: kuberuntime: report StartedAt regardless of container states #14312
- 46020: Enable customization of federation image #14239
- 46037: NS controller: don't stop deleting GVRs on error #14275
- 46042: ResourceQuota admission control injects registry (federation) #14234
- 46042: ResourceQuota admission control injects registry #14234
- 46127: Return MethodNotSupported when accessing unwatcheable resource with ?watch=true #14260
- 46239: Log out from multiple target portals when using iscsi storage plugin #14457
- 46246: Fix kubelet event recording #14299
- 46247: Enable customization of federation etcd image #14239
- 46299: Fix in-cluster kubectl --namespace override #14307
- 46305: clear init container status annotations when cleared in status #14331
- 46315: Fix provisioned GCE PD not being reused if already exists #14329
- 46323: Use beta annotation for fed etcd pvc storage class #14239
- 46371: reset resultRun on pod restart #14332
- 46373: don't queue namespaces for deletion if the namespace isn't deleted #14347
- 46390: Require DeleteStrategy for all registry.Store #14337
- 46437: Up namespace controller workers to 5 #14352
- 46463: AWS: consider instances of all states in DisksAreAttached, not just "running" #14425
- 46500: Fix standardFinalizers - add missing metav1.FinalizerDeleteDependents (Note: it is in different files from upstream because they moved helpers.go into helper/helpers.go) #14322
- 46516: kubelet was sending negative allocatable values #14379
- 46608: fixes kubectl cached discovery on Windows #14399
- 46614: Add auto_unmount mount option for glusterfs fuse mount. #14443
- 46628: cleanup kubelet new node status test #14379
- 46640: Improve validation of active deadline seconds #14424
- 46751: Pre-generate SNI test certs #14412
- Fix to avoid REST API calls at log level 2. #13844
- add OpenShift resources to garbage collector ignore list #13653
- openapi test, patch in updated package name #13653
- Set the log level for iptables rule dump to 5 #14359
- disable apiserver loopback loop in generic context #13653
- kube-apiserver must not start aggregator #13974
- Integrate the kube-aggregator to support the service catalog #13974
- Consume the upstream authorizer #14006
- Continue to support extensions/v1beta1 version of HorizontalPodAutoscaler #14021
Updates to Docker distribution
- docker/distribution: 1757: Export storage.CreateOptions in top-level package #13653
- docker/distribution: 1857: Provide stat descriptor for Create method during cross-repo mount #13653
- docker/distribution: 2008: Honor X-Forwarded-Port and Forwarded headers #13653
- docker/distribution: 2140: Add 'ca-central-1' region for registry S3 storage driver #13653

Features

Tech preview of cluster federation

Cluster workload federation is nearing beta status in Kubernetes and is now part of the OpenShift distribution. The kubefed binary is built as part of Origin and will help stand up a tech preview cluster.

Enable preliminary support for origin federation #14239

Simulate cluster capacity

The cluster capacity command emulates the Kubernetes scheduler for a set of pod workloads and estimates how many pods can be scheduled on a cluster.

Add cluster capacity image to OpenShift #14258

Enable Garbage Collection on OpenShift resources

The garbage collection feature in Kubernetes is now stable and enabled in OpenShift. OpenShift controllers like deployment configs, build configs, and templates set owner references on the objects they create, which means deleting a deployment config will now automatically clean up the replication controllers and pods created by the deployment. The web console uses owner information to better organize resources and can now delete resources when they have changed. See the documentation for more on how to leverage garbage collection to manage cleanup.

Add DC controllerRef to RC #14322
web: Bug 1449908 - Group replica sets by owner reference #1553
web: Bug 1449949 - Group pods by owner reference #1538
orphan resources by default for SOME resourced under /oapi #14134
mark build->buildconfig ownerref as a controller #14250
shared GC #14358

Improvements to network egress policy

This release improves egress network policy (handled by an egress router) to make managing traffic leaving namespaces easier via DNS name support on destinations and also targeting multiple destinations.

sdn: Support DNS names for egress network policy #13002
egress: Allow multiple destinations in egress-router #13837

Use git references like tags and GitHub/GitLab pull request links in builds

Git branches and tags are both represented as "references" inside of a repository. GitHub adds references in Git for each pull request, but to use that reference in an OpenShift build we must first fetch the information from the remote server. The ref field on a build's Git source specification can now point to any valid Git reference and OpenShift will attempt to retrieve that ref, allowing pull requests to be spawned for a specific build.

builds: Allow the ref field on builds to point to any Git reference #13893
builds: Enable fetch from oc new-app, start-build, source lookup #14025
builds: Fix overlap between branch and ref names #14103

Reference OpenShift image streams from Kubernetes resources

OpenShift image streams make it easy to decouple image management from deployment. Image streams can now be used directly from Kubernetes resources like StatefulSets, Jobs, CronJobs, Deployments, or DaemonSets via the new lookupPolicy that has been added to image streams. The oc set image-lookup command allows you to mark an image stream within your project as being a local reference:

$ oc import-image mysql:latest
$ oc set image-lookup mysql

Now you can reference the image mysql:latest from within a Kubernetes controller and the corresponding image stream tag will be used:

$ oc run --image=mysql:latest --restart=OnFailure myjob
$ oc get pods

The pod created by the job will use the image tagged as latest in the image stream mysql. Builds, pods, jobs, replicasets, and replication controllers will all respect these settings, and administrators can configure their image policy to add new resources.

Extended test for local name resolution #13210

Trigger updates to Kubernetes deployments and daemon sets on image change

The image trigger controller has been upgraded and now supports updating deployments, stateful sets, daemon sets, and cron jobs whenever an image stream tag is updated. A new alpha annotation can be set on the resource to describe which image stream tag should cause an update.

To update a DaemonSet whenever the image stream tag 'image:latest' in namespace 'namespace1' changes, run:

$ oc set triggers daemonset/monitoring --from-image=namespace1/image:latest -c main

You can remove a trigger by adding the --remove flag. This allows you to run an OpenShift build or run a scheduled import to keep your applications up to date..

Trigger updates are alpha in 3.6.0.

Update Kubernetes resources on image change #13242

Build cleanup policy

Build configs now support two parameters to control how many successful and failed builds are retained. By default, no limit is set and all builds are retained. The fields are spec.failedBuildsHistoryLimit and spec.successfulBuildsHistoryLimit.

Cleanup policy for builds #13788

Unification with Kubernetes authorization and core code

The v3.6.0 release integrates a large number of changes the OpenShift team has contributed to Kubernetes around security, authorization, RBAC, and core code refactoring. While this will continue for several releases, the OpenShift and Kubernetes RBAC resources are being aligned and the primary API going forward for RBAC will be the Kubernetes version. The existing APIs will remain, especially those that expose features not yet supported in Kubernetes like scoped tokens.

Starting in this release, all OpenShift RBAC resources are automatically migrated to Kubernetes RBAC resources. Users should not see any change in behavior while these migrations occur.

Future releases will include migrating from SecurityContextConstraints to PodSecurityPolicy as well naming and policy updates to system managed policies.

Use upstream system:masters authorizer #14006
- Switch to policy watch #14194
Use upstream namespace cleanup controller #13587
Use bootstrap cluster roles from kube #14026
Use upstream x509 request header authenticator #14007
Use upstream initialization for most controllers #14126
Use upstream remote authentication and authorization #14011
Use upstream initialization for the replication controller #14033
Synchronize OpenShift RBAC to Kubernetes RBAC #14064
- Split resource and non-resource rules during conversion #14454

End to end TLS - never generate a certificate again!

The service serving certificate feature makes it easy to generate a valid TLS server certificate for your applications for securely serving HTTPS within a cluster. The router is now enabled to automatically reencrypt traffic to services that use these certificates for routes that specify a blank spec.tls.destinationCACertificate field. When a cluster is configured with a default wildcard certificate, this means that you can deploy applications to OpenShift that are secured end to end without having to generate or manage your own certificates.

See the Prometheus example for this in action. The service requests generation of a secret prometheus-tls containing a TLS serving certificate for prometheus.NAMESPACE.svc, and the route points to the service with the TLS type Reencrypt, but without a destinationCACertificate. The router will automatically fill in the service-ca.crt file, which is available in every pod.

Sign and verify image signatures

OpenShift has natively supported detached signing certificates on images for several releases, and this release adds a new CLI command to make it easy for an administrator to verify the signatures on images manually or as part of an automated image publish flow. This allows the web UI and CLI to show information to the end user about the state of the signature.

See oc adm verify-image-signature for more.

Verify signatures #13585
cli: do not require --expected-identity when removing all signatures #14125

Other Features

build: Display jenkins url for pipeline build #13979
registry: Add prometheus metrics for dockerregistry #12711
- Force to specify not empty secret for metrics endpoint #13884
route: Sanitize certificates from routes in the router #13897
storage: iSCSI CHAP support #14112
route: Allow controlling spec.host via a new permission #13905
prometheus: Make the Prometheus example a fully automated secure deployment #13782
ha: Enable leader election on endpoints for controllers #14094
router: Add defaults and env control of the fin timeouts in the router #14220
router: Make HAProxy's log format configurable #13029
sdn: Add an OPENSHIFT-ADMIN-OUTPUT-RULES chain for admins to use #14221
server: Prepare for API aggregation by supporting the new Kube aggregation endpoint #14285
router: Shuffle endpoints for routes #14008
web: Update overview to use toast notifications #1654
web: Add landing page tour #1508
web: Support filtering provisioned services on overview #1444
web: Only show service catalog resources when available #1573
web: disambiguate kinds on other resources by showing group #1478
web: Bug 1447997 - Show warning for unsupported resource versions #1512
web: Update the Other Resources Page to only show resources supporting the 'List' verb #1572

Bugs

admission: Support legacy admission configurations without kind fields set #14272
authn: Allow service account tokens to be used with WebSocket connections #13978
builds: Allow GIT_SSL_NO_VERIFY to be set on build pods via build defaulter #13797
builds: Apply build resource defaults to the build pod #13825
builds: Better API documentation for image source build behavior #13781
builds: Ensure build start time is always set #14131
builds: Fix potential hangs if the Docker daemon is overloaded #13817
builds: Retry build instantiation on conflict #13910
builds: Use credential provider to load image pull secrets #10608
cli: Add request-timeout val to oc login restclient #12062
cli: Don't show policy rules with attribute restrictions #14034
cli: Ensure more oc set commands support --dry-run and --local #14123
cli: Fix template objects describer #14207
cli: Improve output of oc adm manage-node --list-pods #12528
cli: oc status should display services of type ExternalName correctly #14448
clients: Fix deployclient imports #14203
clients: Generated clients for the images API group #14042
cluster: Set docker cgroup driver on kubelet config #13964
controllers: Refactor serviceaccount and rest of build controllers to new controller initialization #14293
controllers: Rename controller files to be easily distinguishable in logs #13699
deploy: Better deployment cancellation message #13813
deploy: Clean up log messages from deployment controllers #13762
deploy: Don't block triggering deployment when ICT is updated #13886
deploy: Suggest cancelling DC instead of RC in oc deploy #14019
deploy: rewire deployment controllers initialization to use a controller init func #13996
diagnostics: Perform network diagnostic checks if we are able to launch at least 50% of test pods. #13851
dns: Add node config option for a resolv.conf to read #14297
egress: Add backward compatibility for the old EgressNetworkPolicy "0.0.0.0/32" bug #13822
egress: Bug 1445694 Fix locking in syncEgressDNSPolicyRules() #13965
examples: Remove references to personal repositories #14178
image: Fix prioritizing of semver equal tags #14248
image: Set layer size whether it found in cache or not #14166
image: Add support for Node.js 6 (official) #13967
image: Use docker image reference from ImageStream #13639
namespace: Increase concurrency for namespace cleanup #14352
newapp: Triggers should not be set when creating new builds from docker images #13807
node: Error on connecting to Docker daemon was being silently dropped #14162
openid: Use correct base64 scheme to decode id_token #14420
project: Bug 1454535 - Use created project name over namespace name in project template #14344
proxy: Add locking around userspace map #13847
prune: Prefer secure registry connections when pruning from a registry #14114
prune: Prune external images by default #13900
quota: Controller was not checking for compensation at expected interval, quota was double counted #14151
quota: Separate image quota evaluation for admission versus reconciliation #14345
router: Add proxy protocol status to reload script output #14256
router: Fix panics from routes being out of order #14232
router: Increase max request size for HAProxy to be comparable to cloud LBs #13792
router: Match subpaths correctly when path contains trailing slash #13867
router: Prevent the router from deadlocking itself when calling Commit() #13717
router: Reduce log spam from default certificate check #13514
router: Simplify router template sections for edge and reencrypt routes #14242
router: Support reencrypt routes in F5 #13898
router: Syntax error in irule #14223
router: adding X-Forwarded-For header to reencrypt route #14142
scheduler: Include DefaultTolerationSeconds admission plugin in OpenShift #14118
sdn: Ensure multicast rules are cleaned up when net namespace is deleted #14231
sdn: Fix NATting of external traffic with ovs-networkpolicy #13877
sdn: Fix initialization order to prevent crash on node startup #13766
sdn: Fix service IP validation to handle "ClusterIP: None" #13765
sdn: Network policy pod watch should ignore pods with HostNetwork set to true #14030
sdn: Refactor ClusterNetwork creating/updating/validating #13951
sdn: Traffic leaking out of the cluster #13680
security: Add projected volume plugin into correct SCCs #14147
security: Give docker builders access to optimized image builds #14323
security: Prevent new project creation with openshift/kubernetes/kube prefixes #13673
security: Remove obsolete pod permissions from the deployment config controller #14288
security: Strip proxy credentials when logging proxy env variables #13751
security: Use a common function to populate user in subject access review correctly #14304
security: Allow most users to view StorageClasses #14209
server: Hold startup until etcd has stabilized cluster version #14095
server: Start using generated informers #13982
server: only log stacks on server errors #14173
template: Handle legacy groups better in template processing #13791
template: Ignore namespace when processing templates #13725
template: Make template service broker namespace(s) configurable #13872
template: Template broker checks permissions for users instead of impersonating #14216
tests: Add w.close for watch #14271
web: Fix error editing build config to push to new tag #1424
web: Fix runtime error on browse builds page for non-Git builds #1426
web: Hide "Start Build" actions for binary builds #1427
web: Always show latest deployment on overview #1429
web: Fix overview notifications #1430
web: Incorporation of UI animation effects for deployment transitions on overview. #1402
web: Set donut alignment based on whether metrics are shown and prevent deployment animation from overlaying alerts within expanded row #1441
web: Hide failed and cancelled deployments #1433
web: Switch to creating a DeploymentRequest to rollout a new deployment of a DC #1434
web: Improve layout of provisioned services on overview #1436
web: When maxSurge and maxUnavailable are numbers or not set, put right format into JSON before submitting #1442
web: Don't repeat overview "Other Resources" with multiple pipelines #1446
web: Improving copy-to-clipboard display #1451
web: Switch to code authorization flow #1342
web: Support creating templates in a dialog #1492
web: Remove some (now incorrect) warnings when deleting resources #1530
web: Improve delete dialog message #1544
web: Check existing storage quotas and adjust UI appropriately #1217
web: Sort deployments on the overview #1556
web: Add DC paused message to overview #1545
web: Fix details message for paused deployments #1577
web: Adding instructions on how to view the API token #1575
web: Bug 1451013 - Show Events on PVC detail page #1587
web: Don't switch selected pod log container on watch updates #1592
web: Remove now incorrect warning when deleting DCs #1619
web: Bug 1455105 - Correct quota / HPA donut warnings #1612
web: Handle project name being changed by project template when ordering template #1639
web: Fix single, unnamed port warning when editing routes #1623
web: Hide error notifications when form is resubmitted #1567
web: Prompt users when navigating away with unsaved changes #1104
web: Prevent cancel from submitting edit dc form #1656

Release SHA256 Checksums

9cc44e7890b39953303ad18f2187a6aac82cd3a6fe570b9432c47df982589075  openshift-origin-client-tools-v3.6.0-alpha.2-3c221d5-linux-64bit.tar.gz
a99e5f070d926ac996acf2db11f518463b661703b4712e5fca6a1f8d9504d2af  openshift-origin-client-tools-v3.6.0-alpha.2-3c221d5-mac.zip
b88c724fb6c54b12ffde296c736c2190a0459c52b6f6067552efccbe648f6694  openshift-origin-client-tools-v3.6.0-alpha.2-3c221d5-windows.zip
42a56ee6f66e39815874c8e03c1cee373e20ff3f1fd83c5829df043c8988ba0d  openshift-origin-server-v3.6.0-alpha.2-3c221d5-linux-64bit.tar.gz

v1.5.1

6 years ago

This is a patch release of OpenShift Origin.

Changes

v1.5.1 (2017-05-16) Full Changelog

Bugs

sdn: fix initialization order to prevent crash on node startup #13767
router: Match subpaths correctly when path contains trailing slash #13923

Release SHA256 Checksums

7d683132a1ea27806d7b2dfbeec4dd1b9d5b0b7db6b97ed05506365135453f55  openshift-origin-client-tools-v1.5.1-7b451fc-linux-32bit.tar.gz
1e5f73098c3e3bf6f887c8678c078f650e62c477eca255c0f131d6b6be805c6c  openshift-origin-client-tools-v1.5.1-7b451fc-linux-64bit.tar.gz
0cc3646f2cb2aafcde4bc5bc6890f1c78dabcda4b90ac0b891edef7d7b86bdfe  openshift-origin-client-tools-v1.5.1-7b451fc-mac.zip
06f320daef3539f0d7e4a526ec2cbdfdfbfa3a61022ca6fdc0ebcb1ed09ad3f7  openshift-origin-client-tools-v1.5.1-7b451fc-windows.zip
abe50d51aa2485cac9374026a46c30901335f86171d79b7a5747f289e26f9cd0  openshift-origin-server-v1.5.1-7b451fc-linux-64bit.tar.gz

v1.5.0

7 years ago

This is the release of OpenShift Origin 1.5.

Changes

Roadmap for the v1.5 release

v1.5.0 (2017-04-21) Full Changelog

Component updates

Additional patches to Kubernetes 1.5.2
- 37845: Azure disk volume fixes #13218
- 38925: Fix nil pointer issue when making mounts for container #13270
- 39751: Changed default scsi controller type #13314
- 39752: Fix panic in vSphere cloud provider #13314
- 39754: Fix fsGroup to vSphere #13314
- 39757: Fix space in volumePath in vSphere #13314
- 40066: Set custom PollingDelay of 5 seconds for Azure VirtualMachinesClient #13218
- 40417: Always detach volumes in operator executor #13251
- 40693: fix for vSphere DeleteVolume #13314
- 41217: Fix wrong VM name is retrieved by the vSphere Cloud Provider #13314
- 41226: Fix for detach volume when node is not present/ powered off #13314
- 41436: Fix bug in status manager TerminatePod #13377
- 42275: discovery restmapping should always prefer /v1 #13727
- 42622: Preserve custom etcd prefix compatibility for etcd3 #13299
- 42973: Fix selinux support in vsphere #13373
- 43460: Remove unused DockerManager daemon version #13513

Bugs

hack: Remove need for docker in build-images, use multi-tag #13394
images: Fix image pruning with both strong & weak refs #13677
images: Insecure istag allows for insecure transport #13274
install: Restrict packages from CentOS to OVS only #13684
install: Remove the excluders origin-excluder #13402
network: Fix service IP validation to handle "ClusterIP: None" #13787
network: Fix single-node-cluster local multicast delivery #13768
network: Fix race between ovsdb-server.service and node service #13418
router: Prevent the router from deadlocking itself when calling Commit() #13744
security: Update namespace finalizer to delete RoleBindingRestrictions #13588
Revert "Fix of BUG 1405440" #13348

Release SHA256 Checksums

7100e3c9324ddb31cd0bee1c0bc74d11f79aa580f7c8776eba321094029503ab  openshift-origin-client-tools-v1.5.0-031cbe4-linux-32bit.tar.gz
e928067175be0e8a5947c21ebbbf1359687846749e83411b7cd0b99759968605  openshift-origin-client-tools-v1.5.0-031cbe4-linux-64bit.tar.gz
8ea85801afbd464a1bb90346e31c3f3a3325ae93fc188c0d34bd49fc68fc7e16  openshift-origin-client-tools-v1.5.0-031cbe4-mac.zip
e4650d9a53678141c17147a98670fc842fc78049762877def4cb66e385aadee7  openshift-origin-client-tools-v1.5.0-031cbe4-windows.zip
e9bd3c92842acb17ab920b663dfb80f094707fbac8a92dde341631dbfdb13628  openshift-origin-server-v1.5.0-031cbe4-linux-64bit.tar.gz

v3.6.0-alpha.1

7 years ago

This is a feature release of OpenShift Origin.

Backwards Compatibility

The Jenkins v1 image is now deprecated - use the new v2 image which has access to the new Jenkins BlueOcean UI #13605
By default, new clusters will limit which image registries can be imported from by default #13313
Builds of i386 OpenShift have been temporarily removed due to bugs in Go 1.7 #13686

Changes

Roadmap for the v3.6 release

v3.6.0-alpha.1 (2017-04-12) Full Changelog

API

Deployments
- The securityContext field is now copied over to lifecycle hook pods, which means they will share user, group, fsGroup, and SELinux settings #12733
Authorization
- The attributeRestrictions field in subject access reviews is deprecated and will be removed in a future release, to be consistent with the new approach of having multiple resource types for access reviews. #13466
Networking:
- CIDRs that are provided to ClusterNetwork, HostSubnet, and EgressNetworkPolicy must now be valid and in canonical form to prevent accidental leaks of network info. #13508

Component updates

Updates to Kubernetes
- 37380: Improve error reporting in Ceph RBD provisioner #13017
- 42959: Delete host exec pods faster #13337
- 43762: refactor getPidsForProcess and change error handling #13597
- : add SeccompProfiles to SecurityContextConstraintsDescriber. #13509
- : update clientset generator for openshift groups #12953
Updates to Docker distribution

Features

Add a Service Broker for Templates

Templates allow users in OpenShift to easily define, share, and deploy precanned applications. The new service broker will allow any template to be exposed in the service catalog and then consumed by end users. The broker will initially support deploying the template inside of the user's project, but eventually allow templates to be used to deployed on other clusters and linked back to the end user.

To support the service broker, a new resource has been added to projects - the TemplateInstance. This lets you declaratively instantiate a template and then in the future update that template.

Template service broker is tech preview for OpenShift 3.6

Template service broker #12953

Add metrics to routers

The router has been upgraded to return Prometheus metrics for routes and the pods under those routes. New clusters will have the ROUTER_METRICS_TYPE environment variable set to haproxy and ROUTER_LISTEN_ADDR set to 0.0.0.0:1935, which turns on metrics on port 1935 (protected by the ROUTER_STATS_PASSWORD and user).

The exposed metrics describe per route, service, and pod information about the traffic flowing over the routers, and can be gathered by an Prometheus capable collector to report information about edge traffic.

Expose metrics in the router #13337

Support F5 partitions in the router

F5 BigIP servers allow for multiple active "partitions" to be managed for security and failure separation at the API level. This change adds support for targeting a partition from the F5 router management code and makes it possible for OpenShift to manage only a subset of a given F5 router.

Support F5 partition paths #13391

Add webhook support to builds for GitLab and BitBucket

Like the GitHub and generic web hooks, this allows users to create a webhook trigger with oc set triggers and then use that webhook from a GitLab or BitBucket repository. The hook supports extracting the commit message and author and adding it to the trigger cause.

Support gitlab and bitbucket webhooks #13389

Control which registries can be imported from

A new configuration flag has been added to the OpenShift config that limits which registries users can import images from by default. Administrators who can create images directly via the API can import any image, but regular users will receive an error if they import from an unsupported registry.

By default, the list of registries is set to the important publicly hosted registries.

Allow administrators to control which registries can be imported #13313

Send events when builds are started or complete

A new event is sent when a build starts running, and when it succeeds, fails, or is cancelled another event will be reported. This makes it easier to see the timeline of events in the CLI and web console.

Send events on builds #13660

Create and deploy applications with the service catalog in the web console

The service catalog is an important new component of OpenShift and Kubernetes and will be tech preview in 3.6. The web console will expose binding services provisioned in the catalog to existing applications, as well as deploying new components into a project from the console (via the template broker). More coming soon!

web: First prototype of creating service bindings from the console #1395
web: Add catalog to web console #1389

Bugs

admin: Use correct PEM header when generating key pairs #13498
auth: SelfSubjectAccessReview does not authorize with api groups #13715
build: Add a label to built images containing the name of the build #13703
build: Adding generic build failed reason when no specific error shows up #13590
build: Ensure next build is kicked off when a build completes #13670
cli: oc tag should not allow setting an alias tag across different image streams #13632
client: mark Image type +nonNamespaced=true #13525
cluster: Set DNS bind and IP address correctly for newer server versions #13539
cluster: Simplify the output of oc cluster up #13636
cluster: Use router suffix for router certificate hostnames #13647
deploy: Add owner reference to rc from the deployer #13582
deploy: Carry over the securityContext from the deployment config to lifecycle hook #12733
deploy: Retry pending deployments longer before failing them #13550
deploy: Retry scaling when the server's caches are not warmed up (prevent a race with namespace creation) #13279
deploy: Use patch API for pausing and resuming deployment config #13613
image: Ensure both strong and weak image refs prevent pruning #13671
image: Image imports should be considered long-running requests and allowed to take more than 30s to complete #13458
network: Port openshift-sdn-ovs script to go #12145
network: SDN egress policy should not firewall endpoints from global namespaces #13071
network: The IP reported for node by openshift-sdn can change on restart - make it stable #13645
network: Wait for namespaces to be loaded before setting VNID, which prevents temporary network unavailability in pods #13666
newapp: Address redundant line if new-app error output #13541
newapp: Fix extra lines in new-app output #13540
node: Fix mount propagation on rootfs for containerized node #13327
node: system container mounts /rootfs rslave #13499
perf: Used shared informer in build controllers #13510
registry: Add --fs-group and --supplementary-groups to oc adm registry #12951
router: Ensure that route creation and deletion does not panic by tracking routes by UID #13494
security: Correctly delete RoleBindingRestrictions when namespaces are deleted #13563
security: Refactor impersonation code to be easier to read and more specific #13630
security: The RestrictUsersAdmission admission controller should allow service account namespaces to be implicit #13649
template: Better error when an unrecognized type is found #13624
web: Allow more space on the nav bar for extensions that use a context switcher #1376
web: Fix wrapping issues with very long usernames #1377
web: Support a query param for expanding advanced builder options #1398
web: Fix "View Membership" from catalog project summary #1407
web: Split off next-steps into component #1400
web: Create a binding from a svc to an app #1414

Release SHA256 Checksums

38378daa2945bbba332c1af2d857ff09fded70420ee742d72a704fdd4d242043  openshift-origin-client-tools-v3.6.0-alpha.1-46942ad-linux-64bit.tar.gz
ea35585dcdd3719555396f2e58141cd68ba1a94c033b1bc89d72c4347b543267  openshift-origin-client-tools-v3.6.0-alpha.1-46942ad-mac.zip
a336cc57f1aad5c88cd5c453e9068831e00d6d052c9ace59770bdabd39413ba4  openshift-origin-client-tools-v3.6.0-alpha.1-46942ad-windows.zip
ac72399befd3a7f147d09d556853f6871a9a78bec0eb63f9a5e56fb01a094eb3  openshift-origin-server-v3.6.0-alpha.1-46942ad-linux-64bit.tar.gz

v3.6.0-alpha.0

7 years ago

This is a feature release towards OpenShift 3.6.

Please note that we have updated the version numbering scheme for OpenShift to be consistent with the OpenShift version history to minimize impact to the installer and other related documentation and web links. OpenShift 3.6 replaces version number 1.6, and will be based on Kubernetes 1.6.

Changes

Roadmap for the 3.6 release

v3.6.0-alpha.0 (2017-03-21) Full Changelog

API

Move OpenShift API resources to their own API groups

API groups in Kubernetes allow extension of core APIs and better separation of unrelated API types. In this release we are introducing API groups for all OpenShift API resources so that in the future they can be used as extensions to a base Kubernetes distribution. These resources continue to be available at /oapi/v1, but clients should begin using the new paths.

New API groups are available from the OpenShift API server at:

/apis/apps.openshift.io/v1: DeploymentConfigs
/apis/authorization.openshift.io/v1: OpenShift role based access control
/apis/build.openshift.io/v1: Build configs and builds
/apis/image.openshift.io/v1: Images, ImageStreams, and other supporting resources
/apis/oauth.openshift.io/v1: OpenShift OAuth resources like ClientAuthorization and Tokens
/apis/network.openshift.io/v1: Network policy for openshift-sdn and NetworkEgressPolicy
/apis/project.openshift.io/v1: Projects and project requests for role based access to namespaces
/apis/quota.openshift.io/v1: ClusterQuota and supporting namespaced resources
/apis/route.openshift.io/v1: Routes
/apis/security.openshift.io/v1: PodSecurityPolicyReview resources
/apis/template.openshift.io/v1: Templates
/apis/user.openshift.io/v1: User and group resources

Stored templates, configuration, and client code intended for use with 3.6 and above can substitute the apiVersion field for an object with GROUP/v1. CLI code will continue to generate objects with the legacy apiVersion v1 to enable working with older versions. On many commands you can use --output-version to indicate the new version

API groups #12986
- image: mutate group admission attributes to ensure grouped resources are captured #13421
- cli: Fix bulk generator to prefer legacy group #13457
Builds
- All fields related to extended builds have been marked as deprecated and will be removed in a future release #13063
- Build webhooks return structured data including the created build name #12573

Component updates

Kubernetes:
- vSphere driver fixes:
- 39752: Fix panic in vSphere cloud provider #13159
- 39754: Fix fsGroup for vSphere #13159
- 39757: Fix space in volumePath in vSphere #13159
- 40693: Fix for vSphere DeleteVolume #13159
- 41217: Fix wrong VM name retrieval from the vSphere Cloud Provider #13159
- 42973: Fix selinux support in vSphere #13374
- Other fixes
  - 36774: Allow auth proxy to set groups and extra info #12803
  - 38818: Add sequential allocator for device names in AWS #13130
  - 38925: Fix nil pointer issue when making mounts for container #13269
  - 39751: Changed default SCSI controller type #13159
  - 40080: Fix unit tests for Update action when AllowUnconditionalUpdate is false #12541
  - 40301: Serve request header certificate CA #13163
  - 40935: Include subresource in subjectaccessreview #13085
  - 41226: Fix for detach volume when node is not present / powered off #13159
  - 41436: Fix bug in status manager TerminatePod #13378
  - 41455: Fix AWS device allocator to only use valid device names #13130
  - 41814: Add client-ca to configmap in kube-public #13217
  - 42275: API Discovery should always prefer /v1 #13152
  - 42337: Plumb cipher/tls version serving options #13167
  - 42491: Make the system:authenticated group addition smarter #13247
  - 42622: Ensure etcd custom prefixes are not lost when upgrading to etcd3 #13298
  - : Allow use of '*' as a capability in Security Context Constraints. #12875
  - : Add appliedclusterresourcequotas to ignoredGroupVersionResources in namespace controller #12986
  - : Admission namespace isAccessReview, remove post 1.7 rebase #13128
  - : Wait for loopback permissions, remove after updating loopback authenticator #13217
  - revert: add ExtraClientCACerts to SecureServingInfo" #13163

Features

Redesigned OpenShift Web Console Overview #1335

The web console has been heavily revised with a focus on showing the relationships between services and deployments, with significant enhancements to layout and information presentation.

Other changes:

web: Add fullscreen terminal support #1167
web: Additional checks for security concerns during Import YAML and Template process #1321

Support environment variables as input to Jenkins Pipeline builds and build args to Docker builds

This makes it easier to parameterize these two classes of builds

builds: Add env var support to the pipeline strategy #12323
- Allow build request override of pipeline strategy envs #13160
builds: Support build args on Docker builds #12439, #13257

Other Features

admin: Add a new network diagnostic pod image #12982
- admin: Use DefaultImagePrefix instead of hardcoded 'openshift/origin' for network diagnostic image. #13107
documentation: Describe networking requirements for vendors replacing openshift-sdn #12981
image: Support reference-policy on oc import-image #13339
jenkins: Support automatic use of 32 vs. 64 bit JVMs with the integrated Jenkins for more efficient memory use #13032
registry: Allow control over TLS version and ciphers for docker-registry #13258
security: The privileged SCC should be able to use all capabilities, even those not yet defined #12875
security: Add a client for SCC review #12478
- security: Fix issue in SCC review defaulting #13044
security: Make ciphers/tls version configurable #13167
tests: Bundle test files with the extended.test binary in the RPM so tests can be run anywhere #13361

Bugs

builds: Add parent BuildConfig to Build OwnerReferences #12961
builds: Prevent build updates from reverting the build phase #13048
builds: No failure reason displayed when build failed using invalid contextDir #13203
builds: Work around docker race condition when running build post commit hooks #13100
builds: Retry pulling an image if the build fails #13380
cli: Don't print odd command names when the binary is symlinked #12781
clusterup: Switch to nip.io from xip.io for default cluster up wildcard DNS #13023
clusterup: Warn on error parsing Docker version #13201
clusterup: Use loopback interface for nodename and default server IP #13112
deploy: Prevent rolling back to the same dc version #13104
etcd: Wait on startup for etcd to stabilize in v3 mode #13261
ha: Sync etcd endpoints during lease acquisition in case of failover #13082
image: ImageStreamImage references are not being resolved #13089
image: Pruning could fail if some security configuration is not provided #13072
image: Ensure all remote layers are checked when someone pulls an image #13001
image: Support insecure flag on image import #13114
image: Allow import rate to be set to unlimited #13315
install: Change logging deployer image name from 'logging-deployment' to 'logging-deployer' #13151
install: Changes required to support Docker versions beyond 1.12, including oc cluster up #13016
install: Install ceph-common pkg to support RBD provisioning #12896
login: Suggest a different port on login #12654
network: Increase default ARP cache size on nodes for the router #13034
network: Add validation to SDN objects with invalid name funcs #13124
network: Output VXLAN multicast flow in sorted order #13061
network: Improve SDN validation messages and error messages #13154
network: make /var/lib/cni persistent to ensure IPAM allocations stick around across node restart #13231
network: Attempt to handle fragmented packets when processing service traffic #13162
network: Fix race between ovsdb-server.service and node service #13417
newapp: Enhance new-app circular test to handle ImageStreamImage refs #13233
newapp: Make new-app report better errors #12978
node: Node should default to controller attach/detach #12726
- controllers: Provide event recorder to attach/detach controller #13175
registry: Tolerate upstreams for pullthrough that don't support all content headers #13283
release: Enable release repository by default #13473
router: Fix cookies for reencrypt routes with InsecureEdgeTerminationPolicy "Allow" #13221
router: Use a TCP socket check for the router liveness probe to avoid connection starvation #13121
router: Set timeout http-keep-alive when timeout http-request is used to prevent short sessions #13051
router: Improve whitespace in the generated router config #13358
security: Add stateful sets permissions to disruption controller #13187
security: Switch personal SAR to upstream selfsubjectaccessreviews.authorization.k8s.io #13256
security: Use more of the upstream authorizer #13259, #13287, #13296, #13415
security: Add a cluster role for external PV provisioners #13333
- Add list events permission to pv-provisioner cluster role #13420
security: Improve descriptions of SCCs #13404
security: Add conversions from RBAC resources to origin resources #13334
upgrade: Add an image migration script for keys affected by v1.4.0 #13059, #13117
web: Fix orderBy calls that were passed hashes so we dont get errors with ang 1.5 #1250
web: Eliminate kve bookkeeping in controllers #1090
web: Enable truncation of long labels within table cell. Fixes https://github.com/openshift/origin-web-console/issues/1230 #1231
web: Fix bug searching builders with tags that reference other tags #1243
web: Removing an inappropriate class used to wrap inline radio form controls. And switch inline margin from left to right side to allow for alignment left. Fixes https://github.com/openshift/origin-web-console/issues/1240 Fixes https://github.com/openshift/origin-web-console/issues/1234 #1239
web: Removing orphaned Settings templates and controller #1255
web: Removing orphaned environments directive #1257
web: Relax SHA prefix regular expression for PodsService.getImageIDs #1265
web: Fix extra space before comma in build status message #1268
web: Only show admitted routes as links #1271
web: Make route services pie chart responsive #1275
web: Fix missing "Create Source Secret" link #1280
web: Remove emptyMessage var if its not changing #1203
web: Updating PatternFly and Angular-PatternFly to v3.21.0 #1284
web: Bug 1425728 - Fix cancel from add config files page #1286
web: Bug 1425686 - Make "Add Item" and "Remove Item" headline case #1285
web: Aligning kebab styles with PatternFly #1263
web: Resolve bug where list-view-item top border disappeared #1288
web: Fix problem with add to project from Git repository #1290
web: Bump openshift-jvm to 1.1.6 #1292
web: Making rule less specific so it applies even if another node (ng) #1293
web: Fix bug where margin is inconsistent on .table inside .table-responsive #1254
web: Don't resize log viewer before visible #1294
web: Fix bug 1426118, ignore namespace except for service account #1295
web: Include vendor prefixes required for consistent styling of placeholder text Fixes https://github.com/openshift/origin-web-console/issues/1259 #1260
web: Set larger label-filter default input click targets based on statdard media query widths #1216
web: Switch Secrets 404 message from Alert header to Blank Slate body #1298
web: Change needed to allow multiple labels to display inline, but also truncate if parent width dictates Fixes https://github.com/openshift/origin-web-console/issues/1297 #1299
web: Removing top margin causing unnecessary above the .log-header on the monitoring page. Adding class to adjust spacing when ui-select is shown Fixes https://github.com/openshift/origin-web-console/issues/1233 #1238
web: Addition of truncate class to tile headers and when no deployments have started. And add word-break to empty-dc and empty-rc Fixes https://github.com/openshift/origin-web-console/issues/1175 #1188
web: Lock bootstrap-switch to version 3.3.3 #1302
web: Bug 1421097 - Fix problems with secret links on build config page #1304
web: Make Project Creation promise-compliant #1300
web: Bug 1427084 - Fix problem showing project usage for cluster quota #1307
web: Bug 1427289 - Fix log updates when switching containers #1310
web: Bug 1427360 - Correctly handle 0 values in MetricsService #1312
web: Include conditional style to set spacing for ui-select Fixes https://github.com/openshift/origin-web-console/issues/1309 #1314
web: Replace common services with imports from origin-web-common #1308
web: Bug 1421097: Fix create secret link for build secrets #1317
web: es6 updates #1289
web: Toggle link positioning for truncation directive Fixes https://github.com/openshift/origin-web-console/issues/1277 #1316
web: Minor style updates for consistency #1323
web: Update addTemplateModal fn to class, extract to separate file #1327
web: Reduce the mac protractor config by using a clone of base config #1333
web: Automatically use Protractor conf for mac if running grunt on mac #1332
web: Update DataService.list in deployment controller #1330
web: Update createRoute ctrl to use new DataService.list #1329
web: Update attachPVC controller to use new DataService.list #1328
web: Addition of grid width class to the status column so that message doesn't overlap adjacent column Fixes https://github.com/openshift/origin-web-console/issues/1324 #1338
web: Update edit/buildConfig DataService.list #1348
web: Removing pficon variables (overrides) #1349
web: Metrics can be defined with IDs which are different than the metric name. We need to use the ID and not name for the dataset ID. #1344
web: Make browseCategory Promise Compliant #1354
web: Make Autoscaler Promise Compliant #1355
web: Make Deployment Config Promise Compliant #1356
web: Make edit/Route controller promise compliant #1357
web: Make Other Resources controller promise compliant #1358
web: Make quota controller promise compliant #1359
web: Make Secrets promise compliant #1360
web: Make replicaSets promise compliant #1362
web: Make Set Limits Promise Compliant #1361
web: Make create/createFromImage promise compliant #1363
web: Correctly hide overview metrics when unavailable #1366
web: Hide service weight slider when all weights are 0 #1367
web: Improve pods table performance #1369

Release SHA256 Checksums

7a353841eb0edd28f0a4ab86279e79992804456a95f53125bdffae4daf8a5090  openshift-origin-client-tools-v3.6.0-alpha.0-0343989-linux-32bit.tar.gz
60e2cc967086acbba0fee1e6c98ed5792bde5af80d64ddaaa6727e835848d421  openshift-origin-client-tools-v3.6.0-alpha.0-0343989-linux-64bit.tar.gz
4583a8dfebd04d7d193f635629dd03113c0ba199f1b14c945928274982540bfb  openshift-origin-client-tools-v3.6.0-alpha.0-0343989-mac.zip
f38b393e7bdcf8f11077ce04c931b274a4c83ccb53513fd7cb14e1f0b575436f  openshift-origin-client-tools-v3.6.0-alpha.0-0343989-windows.zip
6607b727d3db21fa211240a41bd399573018bc76e54f265ba9d5632add9ba87a  openshift-origin-server-v3.6.0-alpha.0-0343989-linux-64bit.tar.gz

v1.5.0-rc.0

7 years ago

This is the first release candidate for OpenShift Origin v1.5.

Changes

Roadmap for the v1.5.0 release

v1.5.0-rc.0 (2017-03-09) Full Changelog

API

Routes
- Change "." to "-" in generated hostnames for routes #12976

Component updates

37093: Endpoints with TolerateUnready annotation should list Pods in state terminating #13134
38746: recognize eu-west-2 region #13056
38818: Add sequential allocator for device names in AWS #13131
38855: Fix variable shadowing in exponential backoff when deleting volumes #13084
38909: Add path exist check in getPodVolumePathListFromDisk #13058
39825: Make PDBs represent percentage in StatefulSet #13143
40301: present request header cert CA #13145
40497: Make HandleError prevent hot-loops #13088
40553: Adjust global log limit to 1ms #13088
40625: controller: old pods should block deployment completeness #13133
40903: Set docker opt separator correctly for SELinux options #13141
40935: Plumb subresource through subjectaccessreview #13086
41196: Fix for Premature iSCSI logout #12990
41366: Change default reconciler sync period to 1 minute #13132
41455: Fix AWS device allocator to only use valid device names #13131
41864: Allow 'kubectl drain --force' to remove orphaned pods #13123
42097: Enqueue controllers after minreadyseconds when all pods are ready #13140
42178: stop spamming logs on restart of server #13126
42294: fix rsListerSynced and podListerSynced for DeploymentController #13173
42337: Plumb cipher/tls version serving options #13198
40301: present request header cert CA #13145
40903: Set docker opt separator correctly for SELinux options #13141

Bugs

Ensure RPMs are only build from clean git trees #13000
Add missing newlines in oc tag #12948
Origin image was creating a file at /usr/local/bin with imagebuilder #13009
Generated changes #13015
Backported redistributable logic to Origin specfile #12969
Removed line breaks in glog messages #12962
Only report no running pods once #13022
Install ceph-common pkg on origin to support rbd provisioning #13060
Add PodSecurityPolicyReview client #13045
Bug 1425706 - protect from nil tlsConfig. #13073
Prevent build updates from reverting the build phase #13075
Bug 1422376: Fix resolving ImageStreamImage latest tag #13090
tito: generate man pages #13078
Don't overwrite /usr/local/bin with a file #13092
update guest profile with new arp tuning missed in https://github.com/openshift/origin/pull/13034 #13103
Verify manifest with remote layers #13099
Use DefaultImagePrefix instead of hardcoded 'openshift/origin' for network diagnostic image. #13062
backup and remove keys during migration #13118
Update the reconciler sync period in master_config_test #13132
Necessary origin updates #13145
provider recorder to attach detach controller #13150
Use posttrans for docker-excluder (#1404193) #13148
Change logging deployer image name from 'logging-deployment' to 'logging-deployer' #13165
Add stateful sets permissions to disruption controller #13199
Output VXLAN multicast flow in sorted order #13200
cluster up: warn on error parsing Docker version #13204
No failure reason displayed when build failed using invalid contextDir #13206
Work around docker race condition when running build post commit hooks. #13196
make ciphers/tls version configurable #13198
sdn: make /var/lib/cni persistent to ensure IPAM allocations stick around across node restart #13236
Fix cookies for reencrypt routes with InsecureEdgeTerminationPolicy "Allow" #13250
Allow control over TLS version and ciphers for docker-registry #13260
Fix of BUG 1405440 #13273
CGO_ENABLED prevents build cache reuse #13325
Add addExtension helper #1195
Fix duplicates in a repeater error for missing child services #1269

Release SHA256 Checksums

f8e1b6da0fe766a203f9cc454608eaa17eadf64da623466f1d8e1c39e2639997  openshift-origin-client-tools-v1.5.0-rc.0-49a4a7a-linux-32bit.tar.gz
1796f5131d253591c4649ee316b0f6d7a0b48b70010c56b0c0017e081475d284  openshift-origin-client-tools-v1.5.0-rc.0-49a4a7a-linux-64bit.tar.gz
60c8c174a6078382cd347dd75f8a4d362c19d5b2c9cc0e21baf6f86a6a56b6f3  openshift-origin-client-tools-v1.5.0-rc.0-49a4a7a-mac.zip
5d257629dc09ebd6e674ac7cb719ef423ec2d6ae6c237e251c8fa68160102ec5  openshift-origin-client-tools-v1.5.0-rc.0-49a4a7a-windows.zip
5c3475fa31d278efbb6a3f350eefd15d0ce2cb938043d11ac3c673250d9b39ab  openshift-origin-server-v1.5.0-rc.0-49a4a7a-linux-64bit.tar.gz

v1.5.0-alpha.3

7 years ago

This is a development release of OpenShift Origin towards v1.5.0.

Backwards Compatibility

The --credentials flag is now removed from oadm router and oadm registry #10830
- service accounts are the preferred way to set secrets
The groups field on the User object has been deprecated #12870
- Instead, create a Group object and reference the user by name.

Changes

v1.5.0-alpha.3 (2017-02-19) Full Changelog

API

templates: Allow namespace specification via parameter in templates #12918
- If you specify a parameter replacement in the namespace field of a template object, it will be preserved:
```
kind: Template
apiVersion: v1
parameters:
- name: NAMESPACE
objects:
- kind: Service
  metadata:
    namespace: foo # ignored
- kind: PersistentVolumeClaim
  metadata:
    namespace: "${NAMESPACE}" # will be set to the value of NAMESPACE
```
- Static values for namespace will continue to be ignored to prevent breaking old templates that included those fields

Component updates

Patches on top of Kubernetes v1.5.2
- 35436: Add a package for handling version numbers (including non-semvers) #12448
- 37228: kubelet: storage: teardown terminated pod volumes #12669
- 37846: error in setNodeStatus func should not abort node status update #12570
- 37986: Add clusterid, an optional parameter to storageclass. #12556
- 38378: glusterfs: properly check gidMin and gidMax values from SC individually #12556
- 38527: Fail kubelet if runtime is unresponsive for 30 seconds #12776
- 38579: Let admin configure the volume type and parameters for gluster DP volumes #12556
- 39831: Check if error is Status in result.Stream() #12610
- 39842: Remove duplicate calls to DescribeInstance during volume operations #12740
- 39844: fix bug not using volumetype config in create volume #12556
- 39998: Cinder volume attacher: use instanceID instead of NodeID when verifying attachment #12955
- 40023: Allow setting copyright header file for generated completions #12613
- 40763: reduce log noise when aws cannot find public-ip4 metadata #12760
- 40859: PV binding: send an event when there are no PVs to bind #12796
- 41043: allow setting replace patchStrategy for structs #12731
- 41147: Add debug logging to eviction manager #12876
- 41329: stop senseless negotiation #12938
- 41658: Fix cronjob controller panic on status update failure #13005
- :41034: use instance's Name to attach gce disk #12835
- : Change docker security opt separator to be compatible with 1.11+ #12831
- : kubelet: change image-gc-high-threshold below docker dm.min_free_space #12762
- : Workaround etcd310 / gprc version conflict with CRI #12600
- : request logs when attaching to a container #12648

Features

The OpenShift 1.5 release added a few new features for templates, including the ability to have integer, boolean, array, or map inputs (using the ${{PARAMETER}} syntax). This alpha also allows templates to span namespaces if you parameterize the namespace field of your objects. Previously, all namespace fields were stripped, but a template object with a namespace that references a parameter will now be filled in, allowing you to instantiate cluster scoped resources that refer to a named resource in the template. oc process --local has been added to allow you to locally transform a template for use with a regular Kubernetes server - the transformation is performed on the client instead of requesting the server do the transformation.

templates: Allow namespace specification via parameter in templates #12918
templates: Allow templates to be processed locally with --local #12996

Ingress objects in the HAProxy router (tech preview)

The HAProxy router can be configured to expose Kubernetes Ingress objects. This feature is still under development and may change as more security protections are put into place. Not all features supported by Routes are available, including some advanced annotations.

router: Support Ingress resources with the HAProxy router (tech preview) #12416
router: Allow restricting Ingress objects from changing their hostname values #12653
router: Fix Ingress compatibility with f5 #12843

Multicast and NetworkPolicy support for OpenShift SDN (tech preview)

Multicast and NetworkPolicy support are now available in OpenShift SDN for testing. Please see the documentation for more info on how to enable them.

sdn: Implement NetworkPolicies with PodSelectors #12448
sdn: Support multicast #12494
sdn: Filter disallowed outbound multicast #12650
sdn: Allow multicast for VNID 0 #12839
sdn: Fixed the multicast CIDR (was 224.0.0.0/3 not /4) #12852

Node bootstrap (tech preview)

For the last several releases Kubernetes and OpenShift have been preparing to allow nodes to "self-register" in cloud environments where nodes can be spun up or down dynamically. In the v1.5.0 release the new experimental --bootstrap flag is available on nodes and will have the node request a client certificate from the master, then request a serving certificate, then download its node configuration from a config map. Cloud VM images can be "baked" with an account capable of self registration and the new oc adm certificate approve command can be used to approve the client and serving certificate requests.

This feature is still experimental and may change in future releases.

cluster: Support a simple bootstrap mode for nodes in preparation for self-join #9547

Basic monitoring

oc cluster up now installs a Prometheus and Heapster template to the kube-system namespace - as an administrator you can switch to that namespace and easily install them for monitoring your cluster.

Prometheus can monitor your nodes, apiserver, and services labelled with the appropriate annotations and record metrics or fire alerts. Launch and expose Prometheus with:

$ oc project kube-system
$ oc new-app prometheus
$ oc expose svc/prometheus

See the Prometheus website for more info.

To use a standalone Heapster instance with no historical metrics, run:

$ oc project kube-system
$ oc new-app heapster-standalone

Autoscaling should now be enabled for your cluster. This is useful for smaller clusters where you don't need historical data as provided by Hawkular.

clusterup: Install Prometheus and Heapster templates to the kube-system namespace on cluster up #12844
examples: Add a standalone Heapster example #12812
examples: Add a Prometheus example #12793

Debugging the masters

In order to make it easier to capture profiles and other debug information about a running cluster, the /debug/pprof endpoints are exposed on apiservers, controllers, and nodes, but protected via a new cluster-debugger role. Since the debug endpoint can extract sensitive information from the cluster, you should only give that role to trusted actors.

# Retrieve and process a heap dump from the master as a cluster-debugger
$ oc get --raw /debug/pprof/heap > /tmp/heap
$ go tool pprof PATH_TO_OPENSHIFT_BINARY /tmp/heap

# Capture a 30s CPU profile from the master as a cluster-debugger
$ oc get --raw /debug/pprof/profile > /tmp/cpuprofile
$ go tool pprof PATH_TO_OPENSHIFT_BINARY /tmp/cpuprofile

admin: Add a new cluster-debugger role and enable debugging on masters #12895
admin: Allow controller to be debugged using OpenShift credentials #12907

Other Features

builds: Cancel binary builds if they hang #12484
builds: Record built image digest in the build status #12407
cli: Adding wildcardpolicy flag to oc create route and a column for the wildcardpolicy to `oc get route' #12713
cli: Improve namespace and resource completions #12630
deploy: Add support for dc --dry-run to rollout undo #12729
dns: Allow nodes to be configured to start local DNS and bind to alternate addresses and ports #12805
ipfailover: Allow multiple ipfailover configs on same node #12472
registry: Add audit log #12586
router: Allow routes to claim non-overlapping hosts (+ paths) and wildcards across namespace boundaries #12441
security: Add descriptions to roles to better explain their purpose. #11328
security: Add headers that provide extra security protection in browsers #12521
server: By default, use protobuf to store server resources #11971
storage: Enable Azure dynamic provisioner #12756
web: Let users pause rollouts when editing deployment configs #1129
web: Support volume mount subpaths and read-only flag #1108
web: Improve searches for projects on create from URL page #1145
web: Add Stateful Sets to monitoring page #1163
web: Add namespace picker to service account tab on membership page #1213

Bugs

admin: Normalize server url before writing to new kubeconfig file #12591
admin: Stop generating router/registry client certs #10830
admin: Support -z on oadm policy add-cluster-role-to-user #12902
build: Take referencePolicy into account when resolving istag #12767
builds: Adjust the build duration recorded to be more accurate #12569
builds: Don't create two copies of the context dir contents accidentally #12891
builds: Ensure controllers stop retrying certain known errors #12842
builds: Ensure the build reason is not removed if it races with controllers #12873
builds: Ensure we don't miss any build creation events in the controller #12702
builds: Improve performance by only running handleBuildCompletion on completed builds #12856
builds: Reduce the number of times the build controller attempts to load builds #12623
builds: Replace utilruntime.HandleError with glog #12658
builds: Start the next serial build immediately after a build is canceled #12699
builds: Treat binary buildconfig instantiate requests as long running #12679
builds: Use correct context dir during s2i build #12628
cli: Add option '--insecure-policy' when creating passthrough and reencrypt route #12725
cli: Check image metadata for command line when using oc debug #12585
cli: Improve output of oc idle #12718
cli: Improve scale, process, and get help output #12724
cli: Inform user that port is required as part of set-probe error when port missing #12759
cli: Prevent project change from failing on server err #12571
cli: Remove special handling of --token and --context for whoami #12872
cli: Update "no projects" warning in oc status #12328
clusterup: Add instructions for accessing the registry from Docker #12826
clusterup: Fix port checking and Mac startup #12745
clusterup: Mount host /dev into origin container #12565
clusterup: Remove hard-coded docker root mount #12744
clusterup: add brew install instructions #12827
deploy: Restart controller watch if the resource was out of date #12910
diagnostics: Print master config error on each failed test #12832
drain: Prevent Normalize from running twice on oadm drain #12651
examples: Add examples to quickstarts that use persistent volumes #12682
examples: Change MEMORY_LIMIT parameter to be required for databases #12742
examples: Fix connection URL in postgresql examples #12664
examples: Use secrets in sample templates #12757
idle: Increased the time the proxy will hold connections when unidling #12754
image: Add replace patch strategy for DockerImageMetadata to better support oc edit istag/NAME #12731
images: Add oc tag --reference-policy to control whether pullthrough images are resolved to local tags #12862
images: Bug 1415440: Check image history for zero size #12609
images: Prune images correctly with the schema2 manifest #12566
jobs: Store Jobs in version batch/v1 instead of deprecated extensions/v1beta1 #12517
newapp: Report a useful error when wide mode is used with new-app/new-build #12836
newapp: Return partial matches when default latest tag is unavailable #12878
node: Set the default image garbage collection policy to 85% of disk, not 90% #12762
observe: Fix a deadlock when skipping certain resources #12980
projects: Sort Projects when requested via the API #12881
registry: Ensure images that already exist are given the correct reference on push #12525
registry: Return the correct HTTP status for error and remove dead code #12675
router: Allow HAProxy logging to be configured via environment variable #12795
router: Ensure that route backend weighting works without having to specify an annotation for load balancing #12752
router: Fix Ingress handling of nil rule value #12941
router: Fix reported invalid certificate errors to not contain special characters #12670
router: Increase maxconn default and make the value easily configurable #12716
router: Make some verbose logging even higher level #12785
router: Only set the load balancer cookie to insecure when insecureEdgeTerminationPolicy is Allow #12802
router: Perform both http and https checks for monitoring f5 pools #12764
router: Prevent F5 router from failing to publish routes with empty paths #12944
router: Small code fixes #12575
sdn: Fix NetworkPolicies allowing from all to some (not all) #12972
sdn: Fix OVS connection tracking in networkpolicy plugin #12837
server: Disable the admission plugin LimitPodHardAntiAffinityTopology by default. #12782
server: Ensure file and directory validation errors are output on startup #12761
server: Ensure the master binds to the configured address in some cases #12779
servingcert: Recreate generated service cert secret when deleted #12853
storage: Use the correct etcd paths for user identities and egress network policies in storage #12607
web: Switch empty extension files to return 200 with Content-Length zero #12644
web: Show storage class type and zone, even if no description #1141
web: Use block syntax for stages in examples #1142
web: Fix dangling "none" on statefulset template #1143
web: Don't show full editor for one-line post-commit scripts #1146
web: Look for kubernetes.io/description on storage classes #1147
web: Exclude stateful sets from other resources #1149
web: Fix always-visible build config warning #1150
web: Test if metrics are available on StatefulSet page #1148
web: Bug 1414709 - stateful sets page has no label filter #1152
web: Fix StatefulSets breadcrumbs & label display #1153
web: Hide storage classes select when there are none #1156
web: Bug 1415083 - Make build hook fields required for selected type #1157
web: Bug 1415087 - Fix persistent "Scaling to..." message for stateful sets #1159
web: Bug 1415058 - Fix events on stateful sets #1158
web: Avoid race condition on pod metrics page load #1160
web: Bug 1414691 - Fix name validation for several resources #1155
web: Fix Stateful sets replicas count #1165
web: Switch to a specific class .icon-wrap instead of :first-child selector for icon-row Fixes https://github.com/openshift/origin-web-console/pull/1144#issuecomment-273819621 #1164
web: Correcting word-break-all comment #1170
web: Bug 1415602: Fix next steps for deploy image #1169
web: Update membership role filter to use new annotation #1172
web: Better conflict handling for env var edits #1171
web: Add EnvironmentService unit tests #1173
web: Retry initial terminal sizing until we have a bounding box #1176
web: Add golang category #1168
web: Correct the right alignment of the log viewer go to end button by adjusting it to match middle container edge. Fixes https://github.com/openshift/origin-web-console/issues/1162 #1177
web: Fixing issue where long, unbroken strings in URLs breaks layout #1166
web: Improve placeholder and description for build hook commands #1181
web: Make empty msg for stateful sets consistant with other ones #1179
web: Fix error changing route termination to passthrough #1183
web: Let users specify insecureEdgeTerminationPolicy for other termination types #1184
web: Show builders and templates that match no subcategory #1193
web: Show router canonical hostname on route page #1194
web: Don't link to image stream tags that haven't synced yet #1202
web: Correct alignment/spacing of 'loading log' message when waiting for logs. Fixes https://github.com/openshift/origin-web-console/issues/1190 #1196
web: Correct controller names in ngdocs #1204
web: Turn off capitalization and autocorrect for some inputs #1208
web: Don't zoom on iOS when focusing a textarea #1210
web: Add tech preview header to StatefulSets list & detail page #1198
web: Don't add input-group class when hiding copy to clipboard button #1211
web: Add note for storage class used on PVC grid #1200
web: Make verify-dist print what files are failing #1214
web: Dont show advanced option link for Custom deployment strategy #1215
web: Warn when editing YAML did not change the object #1222
web: Don't show failed pods in pod donut #1223
web: Remove old routes watcher in the Services controller #1226
web: Bug 1419887 - Validate advanced form inputs that are hidden #1228
web: Fix membership addRoleToUser() fn, check namespace w/subject before asserting subject already has role #1229
web: History for an image stream tag can't be shown #1246
web: Fix sample pipeline button #1248
web: Bug 1413516: Correctly handle suffix k in usageValue filter #1249

Release SHA256 Checksums

ba77489cfaba0b699aae4145a934bd974f3370de33698452f9b167bfadd0d798  openshift-origin-client-tools-v1.5.0-alpha.3-cf7e336-linux-32bit.tar.gz
cd126aee3a2ed9734724b483adb4256035c8de840ae409f11adbafa0ec3d2042  openshift-origin-client-tools-v1.5.0-alpha.3-cf7e336-linux-64bit.tar.gz
36e03331b2d434ebc26a4004080fb07d14308f7f2af619ff9eb366120dfbc58e  openshift-origin-client-tools-v1.5.0-alpha.3-cf7e336-mac.zip
0bf59816e8a1c235bc76f443961fb4d6ef387432005ecea139684ed9b69b90c3  openshift-origin-client-tools-v1.5.0-alpha.3-cf7e336-windows.zip
4c67e4bb982ab3fa80f85fb26f2b0f6a1e4c728cc62ee12dd25f4065a81131fc  openshift-origin-server-v1.5.0-alpha.3-cf7e336-linux-64bit.tar.gz

Origin Versions Save

v3.7.0-alpha.1

v3.6.0

Changes

Component updates

Features

Record the last snippet of build logs into the build API result

Bugs

Release SHA256 Checksums

v3.6.0-rc.0

Backwards Compatibility

Changes

API

Component updates

Features

Support API aggregation in OpenShift

Add httpd images and quickstart

Enable schema2 by default for the integrated registry

Deploy service catalog via oc cluster up

Kubernetes objects can request image resolution

Builds now support the valueFrom field to inject dynamic values into environment or labels

Bugs

Release SHA256 Checksums

v3.6.0-alpha.2

Backwards Compatibility

Changes

API

Component updates

Features

Tech preview of cluster federation

Simulate cluster capacity

Enable Garbage Collection on OpenShift resources

Improvements to network egress policy

Use git references like tags and GitHub/GitLab pull request links in builds

Reference OpenShift image streams from Kubernetes resources

Trigger updates to Kubernetes deployments and daemon sets on image change

Build cleanup policy

Unification with Kubernetes authorization and core code

End to end TLS - never generate a certificate again!

Sign and verify image signatures

Other Features

Bugs

Release SHA256 Checksums

v1.5.1

Changes

Bugs

Release SHA256 Checksums

v1.5.0

Changes

Component updates

Bugs

Release SHA256 Checksums

v3.6.0-alpha.1

Backwards Compatibility

Changes

API

Component updates

Features

Add a Service Broker for Templates

Add metrics to routers

Support F5 partitions in the router

Add webhook support to builds for GitLab and BitBucket

Control which registries can be imported from

Send events when builds are started or complete

Create and deploy applications with the service catalog in the web console

Bugs

Release SHA256 Checksums

v3.6.0-alpha.0

Changes

API

Move OpenShift API resources to their own API groups

Component updates

Features

Redesigned OpenShift Web Console Overview #1335

Support environment variables as input to Jenkins Pipeline builds and build args to Docker builds

Other Features

Bugs

Release SHA256 Checksums

v1.5.0-rc.0

Changes

Add `httpd` images and quickstart

Deploy service catalog via `oc cluster up`

Builds now support the `valueFrom` field to inject dynamic values into environment or labels