v3.6.0-rc.0

Pre-release
@smarterclayton smarterclayton released this 14 Jul 02:40

This is the first release candidate for OpenShift 3.6.

Backwards Compatibility

  • Security Context Constraints migrated from older versions of OpenShift that have a null allowed volumes array will now default to ["none"]
    • This will prevent future migration to PodSecurityPolicy from being ambiguous
    • #14625
  • Deployment Configs no longer allow leading or trailing spaces on images
    • Kubernetes 1.7 will tighten this validation and this will prevent future migrations from being necessary
    • #14744
  • Users may now create routes with empty spec.tls.destinationCACertificate fields
    • To preserve backwards compatibility, when the route is retrieved from the /oapi/v1/routes/* endpoint it will have a synthetic certificate injected. Retrieving the route from the new /apis/route.openshift.io/v1 endpoint will show the new empty value.
    • #14818
  • When creating builds via the new /apis/build.openshift.io/v1 endpoint, pruning will be automatically defaulted
    • Builds created via the old API are unaffected. Callers may set the limit high to avoid pruning
    • #14845

Changes

Roadmap for the v3.6 release

v3.6.0-rc.0 (2017-07-13) Full Changelog

API

  • The autoscaling v2alpha1 API - new in Kubernetes 1.6 - is disabled by default #15058
  • Image stream tags will now return labels from the parent image stream
    • Sending an update to the tag with empty labels will not cause an error #15098

Component updates

  • Updated to Kubernetes v1.6.1-1-g5115d708d7 + patches
    • Add the API aggregation code as a backport to 3.6 from Kubernetes 1.7
      • 43003: Separate discovery from the apiserver #14513
      • 44399: Add deregistration for aggregator paths #14513
      • 44408: Aggregator controller changes only #14513
      • 44466: Use our own serve mux that directs how we want #14513
      • 45247: Promote apiregistration from v1alpha1 to v1beta1 #14676
      • 45247: generated: Promote apiregistration from v1alpha1 to v1beta1 #14676
      • 45370: refactor names for the apiserver handling chain #14513
      • 45432: Use apiservice.status to break apart controller and handling concerns #14513
      • 46112: apimachinery: move unversioned registration to metav1 #14593
      • 46440: Fix api server handler routing (move CRD behind TPR) #14513
      • 46440: Fix api server handler routing (move CRD behind TPR) #14847
      • 46800: Separate group and version priority #14676
      • 47060: Fix etcd storage location for CRs #14499
      • 47347: Actually check for a live discovery endpoint before aggregating (part 2) #14881
      • 47347: Actually check for a live discovery endpoint before aggregating #14595
      • 47347: Actually check for a live discovery endpoint before aggregating #15022
    • Add secret at rest encryption backport from Kubernetes 1.7
      • 46460: Add configuration for encryption providers #14798
      • 46916: Add AES-CBC and Secretbox encryption #14517
      • 47537: Fix typo in secretbox transformer prefix #14748
    • Fixes:
      • 41758: Updated key.pm and cert.pm to remove error in setting up localhostCert pool #14847
      • 42835: Remove legacy insecure port options from genericapiserver #14513
      • 43878: Delete EmptyDir volume directly instead of renaming the directory #14549
      • 43982: Fix deletion of Gluster, Ceph and Quobyte volumes #14667
      • 44058: Make background garbage collection cascading #14907
      • 44115: Scheduler should not log an error when no fit #14714
      • 44746: Support for PodPreset in get command #15148
      • 44784: Handle vendored names in OpenAPI gen #14993
      • 44898: While calculating pod's cpu limits, need to count in init-container #14605
      • 44962: Remove misleading error from CronJob controller when it can't find parent #14899
      • 45049: Log an EBS vol's instance when attaching fails because VolumeInUse #14844
      • 45085: kube-apiserver: check upgrade header to detect upgrade connections #14676
      • 45349: Fix daemonsets to have correct tolerations for TaintNodeNotReady and TaintNodeUnreachable. #14653
      • 45637: --api-version on explain is not deprecated #14872
      • 45661: orphan when kubectl delete --cascade=false #14189
      • 45864: Fix unit tests for autoregister_controller.go reliable #14519
      • 46034: Event aggregation: include latest event message in aggregate event #14793
      • 46036: Retry clientCA post start hook on transient failures #14474
      • 46121: Fix kuberuntime GetPods #14290
      • 46771: Allow persistent-volume-binder to List Nodes/Zones Available in the Cluster #14899
      • 46796: Bump namespace controller to 10 workers #14806
      • 46852: Lookup no --no-headers flag safely in PrinterForCommand function #14472
      • 46968: bkpPortal should be initialized beforehand #14478
      • 46974: Avoid * in filenames #14477
      • 47003: Fix sorting of aggregate errors for golang 1.7. #14495
      • 47003: Remove duplicate errors from an aggregate error input. Helps with some scheduler errors that fill the log enormously. #14495
      • 47078: HPA: only send updates when the status has changed #14529
      • 47270: kubectl drain errors if pod is already deleted #14663
      • 47274: Don't provision for PVCs with AccessModes unsupported by plugin #14705
      • 47281: Update devicepath with filepath.Glob result \into
      • 47367: Add client side event spam filtering #14747
      • 47450: Ignore 404s on evict #14690
      • 47462: Strip container id from events #14693
      • 47491: Image name must not have leading or trailing whitespace #14691
      • 47516: Fix getInstancesByNodeNames for AWS #14669
      • 47605: Change Container permissions to Private for provisioned Azure Volumes #14733
      • 47701: Force protobuf to be stable in output #14723
      • 47740: Add websocket protocol authentication method #14716
      • 47740: Use websocket protocol authenticator in apiserver #14716
      • 47792: Fix rawextension decoding in update #14764
      • 47822: Separate serviceaccount and secret storage config #14838
      • 47823: Don't pass CRI error through to waiting state reason #14887
      • 47904: Prioritize messages for long steps in storage trace output #14911
      • 47919: Use %q formatter for error messages from the AWS SDK #14948
      • 47973: Include object fieldpath in event key #14869
      • 47975: Make protobuf time precision match json #14867
      • 48017: Plumb preferred version to nested object encoder #14865
      • 48085: Move iptables logging in kubeproxy #15096
      • 48261: Fix removing finalizer for gc #14956
      • 48343: Don't accept delete tokens that are waiting to be reaped #14978
      • 48354: Allow a deletestrategy to opt-out of GC #14988
      • 48394: Verify no-op updates against etcd always #15001
      • 48481: Protect against nil panic in apply #15066
      • 48578: Run should output message on container error #15090
      • 48582: Fixes oc delete ignoring --grace-period. #15091
      • 48624: kube-proxy logs abridged #15096
      • 48635: proxy/userspace: suppress "LoadBalancerRR: Removing endpoints" message #15166
      • 48733: Never prevent deletion of resources as part of namespace lifecycle #15123
    • Carried fixes:
      • Disambiguate operation names for legacy discovery #14513
      • Lengthen too short timeouts on startup #15129
      • Support SCC FSType none #14625
      • Increase job re-list time in cronjob controller #14953
      • Update client namer rules for ambiguous output #14843
      • Increase SAControllerClientBuilder timeout #15085
      • Use internal service/endpoints informers in aggregator #14694
      • Deprecate --api-version in oc config set-cluster #14919
  • Updates to Docker distribution
    • docker/distribution: 2299: Fix signaling Wait in regulator.enter #14581

Features

Support API aggregation in OpenShift

API aggregation is a key Kubernetes feature that will make it easier to extend Kubernetes clusters. The 3.6 release enables aggregation as tech preview and includes the Kubernetes 1.7 APIs. Its primary purpose in 3.6 is to support the service catalog.

#14513

Add httpd images and quickstart

The httpd image makes it easy to serve content to users, proxy, or extend with custom support for Apache modules. This image is added to the default image streams along with a quickstart template.

#14660

Enable schema2 by default for the integrated registry

Now that a significant fraction of all users have access to Docker 1.10, enable schema2 support in the registry by default. This will allow Docker 1.10+ engines to push images using the new schema and sets the stage for future improvements in images.

#13428

Deploy service catalog via oc cluster up

The --service-catalog flag on oc cluster up will deploy the new service catalog and configure the instance with support for the template broker and the new service catalog UI. This feature is tech preview in OpenShift 3.6.

#14630

Kubernetes objects can request image resolution

Kubernetes objects like Deployments and StatefulSets can now add an alpha annotation to request image stream resolution from any image field in their pod specs. If an image stream tag with a matching name and tag exists, the value of the image will be replaced with the latest tag in that stream. Use oc set image-lookup to configure the flag.

#14795

Builds now support the valueFrom field to inject dynamic values into environment or labels

Builds, like pods, can use the valueFrom field on each label or environment variable to leverage data from the parent build. This allows some limited dynamic properties to be set into each build result.

#14749

Bugs

  • Add prometheus examples #14637
  • admin: Reverse the order of migrate output to match desired visual outcome #15002
  • admin: Tolerate deletion of resources during storage migration #15124
  • admin: Update oadm manage-node to support multiple output formats #14655
  • admin: oadm migrate storage was double counting when filtering #14724
  • admin: oadm migrate was double printing early exit error #15000
  • apiserver: Report better panic errors #15026
  • apiserver: Use Kubernetes apiserver extended arguments for enabling and disabling alpha versions #14941
  • audit: Add audit logging to apiserver startup #15027
  • auth: Allow websocket authentication via protocol header #14716
  • build: Better description on the webhook secret field #14879
  • build: Build containers are now automatically parented to the pod cgroup #14688
  • build: Report multiple build causes for image change triggers #14777
  • catalog: Enable pod preset admission, but default to off #14461
  • catalog: Enable podpresets with service catalog #14814
  • catalog: Put catalog and logging templates in a system namespace #14846
  • cli: Add the --api-version field back to oc explain for cross version output #14872
  • cli: Deprecate more uses of --api-version #14919
  • cli: Errors must be always shown in oc status #14849
  • cli: Recognize persistent volume claim in status #15013
  • cli: The --ports flag does not modify dc env variables #13816
  • cli: oc set triggers is displaying listed resources twice #14987
  • cluster: Check status of router, registry, metrics, logging, imagestreams in oc cluster status #14436
  • cluster: Fix check for available ports when docker is running in user namespace mode. #14169
  • cluster: Fix host volume share creation #15088
  • cluster: Fix the regular expression used to parse openshift version #15055
  • cluster: Replace fsouza go-docker client with engine-api client in cluster up #14729
  • cluster: Use admin commands on origin container to install router and registry #15087
  • controller: Disable ThirdPartyController #14969
  • controller: Fix leader election logging #14662
  • controller: Make service controller failure non-fatal again #14951
  • controller: Refactor openshift start to separate controllers and apiserver #14775
  • deploy: Add extended tests for DC ControllerRef #14880
  • deploy: Emit events when failing to create the deployment pod #14970
  • deploy: Ensure MinReadySeconds is correctly set in all cases on replication controllers #14936
  • deploy: Fix crash when deployer pod is unable to observe started pod from API #15056
  • deploy: Image change triggers were not firing on the second deployment #14773
  • deploy: Retry instantiate on conflicts #14902
  • deploy: Set ownerRef from RC to grouped API version #14582
  • deploy: Update lastTriggeredImage if not set when instantiating DCs #15145
  • diagnostic: Create network test projects with empty nodeselector #14686
  • diagnostic: Handle optional components like logging better #14991
  • diagnostics: Report the volume of etcd writes via a diagnostic #14604
  • dns: Node DNS should answer PTR records for stateful sets #14400
  • dns: ResolverConfig should be enabled so that host search path is inherited for node DNS #15030
  • doc: Add security definitions to Swagger and OpenAPI doc #14745
  • doc: Fix the OpenAPI docs to include new extension fields for Kube 1.6 #14993
  • egress: Add an HTTP proxy mode to egress router #13586
  • f5: Delete reencrypt routes correctly #14921
  • failover: Added IPv6 support for the ipfailover keepalived #14527
  • failover: Control preemption strategy #14947
  • gc: Allow templateinstance updates for GC #14918
  • gc: Ensure build configs create builds with the proper owners #14591
  • gc: Make GC mutation check ignore selfLink #15112
  • gc: Make sure that GC can delete privileged pods #14867
  • gc: Resources without GC on should not have GC finalizers #14988
  • hack: Correctly place script output at _output/scripts #14507
  • hack: Permit OS_GIT_VERSION to have a git hash longer than 7 characters - this occurs when 7 characters are not enough to uniquely describe a given commit #14438
  • hack: Script for building local images #14339
  • image: Add more default allowed registries #14850
  • image: Deleted image streams are never removed from controller queue #15099
  • imagepolicy: Do not resolve images on job/build/statefulset updates #15118
  • newapp: Retry git ls-remote in new-app when checking remote registry #14758
  • newapp: Throw error using --context-dir with a template #15019
  • newapp: oc new-app --build-env doesn't work on templates #14922
  • newapp: oc new-app displays correct error on missing context directory #14715
  • node: Add DefaultIOAccounting to all openshift services #14644
  • node: When CRI runtime is not docker, don't init docker socket #15063
  • node: add bind mount for /var/lib/dockershim #14828
  • oauth: Log errors that occur when verifying OAuth flow state #14692
  • performance: Bump default namespace controller workers to 10 #14806
  • performance: Increase default maxInFlightRequests to 1200 #15129
  • performance: Move deployments to use versioned Kubernetes informers #14728
  • performance: Prevent duplicate deployment informers #14568
  • performance: Reduce number of build caches #14679
  • performance: Refactor Build Controller to use Informers #14289
  • performance: Refactor BuildConfig controller to use Informers #14596
  • performance: Remove ImageStreamReferenceIndex from BuildInformer #14635
  • performance: Remove deployment legacy informers in favor of generated #14562
  • performance: Reuse the authorization and template shared informers for GC #14391
  • performance: Use generated informer with cluster resource quota #14567
  • performance: Use the generated informers for authorization #14564
  • proxy: honor BindAddress for the iptables proxy #14815
  • rbac: Add oadm migrate authorization to allow manual migration #14429
  • rbac: Normalize OpenShift roles when syncing to Kubernetes RBAC #14475
  • rbac: Relax restriction on binding to namespace roles #14547
  • rbac: Update the bootstrap/policy convertClusterRoles function to annotate systemOnly roles #14510
  • registry: Improve logs during image pruning #14405
  • registry: allow to override the DOCKER_REGISTRY_URL and default to in-cluster address #14882
  • reliability: Make the default quorum reads #14572
  • router: Add a diagnostic that runs extended validation on routes #14819
  • router: Allow router to bind to IPv6 by default #13663
  • router: Allow specifying haproxy SSL Cipher list #14505
  • router: Allow whitelisting valid route IPs #14536
  • router: Clean up the patternMatch template function #14552
  • router: Do not serve certificate content for Non-SSL routes #14621
  • router: Prevent POODLE vulnerability in HAProxy router #7638
  • router: Router metrics tests should use the configured port instead of a new port #14889
  • router: Support routes with mixedcase/uppercase hostnames #14157
  • rpm: Add bind mount for /etc/pki #14741
  • rpm: Build and ship ginkgo binary with extended tests #14839
  • rpm: Bump OVS version requirement to 2.6.1 #13370
  • rpm: Client package should require bash-completion #14753
  • scc: Print the original cause when logging a failed SCC check #14639
  • scc: Show SCC provider in error message. #13842
  • scc: When sorting SCCs by restrictions don't add a score if SCC allows volumes of projected type. #14548
  • sdn: Add better logging of ofport request failure #15023
  • sdn: Add the nodes local IP address to OVS rules #14924
  • sdn: Allow project admins to create/edit/delete NetworkPolicies #14830
  • sdn: Be a normal CNI plugin #14447
  • sdn: Change the MAC addresses to be generated based on IP #14685
  • sdn: Clean up writing cluster network CIDR to config.env #13726
  • sdn: Don't require netns on Update action #14446
  • sdn: During pod update, some SDN flow updates were missing #14892
  • sdn: Ensure CNI dir exists before writing openshift CNI configuration under CNI dir #15064
  • sdn: Kill containers that fail to update on node restart #14665
  • sdn: Require proxy-mode=iptables for NetworkPolicy plugin #14466
  • sdn: Segregate OpenShift's iptables rules #13465
  • sdn: Update NetworkPolicy support to be compatible with its GA semantics #14498
  • sdn: Use GC rather than refcounting for VNID policy rules #14560
  • security: Give the service catalog controller event CRUD #14750
  • security: Project admin and editor should be able to build images #14611
  • security: swagger.json should be accessible to anonymous users #15157
  • server: Do not force any selinux context on volumeDir #12942
  • storage: Add oadm migrate etcd-ttl which encodes upstream TTL migration #14559
  • storage: Add oadm migrate volumesource to detect deprecated fields #14810
  • storage: ClusterNetwork was using the wrong filter options #14853
  • storage: Don't prevent updates that only touch ownerrefs #14816
  • storage: Ensure OpenShift resources have a stable protobuf serialization #14723
  • storage: Get encryption configuration from a config and apply resource transformers. #14836
  • storage: Perform live client check only if scopes were added #15149
  • storage: Separate serviceaccount and secret storage config. #14838
  • storage: Tolerate not found when delete policybindings, remove roles on policybinding deletion #15142
  • template: Add template.openshift.io/expose annotation for use with service broker bind #14486
  • template: Allow templateinstance controller to instantiate non-v1 objects #14799
  • template: Don't start template informer unless templateservicebroker is configured #14579
  • template: Eliminate nil/empty distinction for new TemplateBinding field #14532
  • template: Give template instance controller admin permissions #14634
  • template: Improve error message when processing non-template resources #14757
  • template: Make templateinstance immutability message more understandable #14494
  • template: Make templateinstance secret optional #14848
  • template: Only list as required those template parameters which are marked required and which cannot be generated automatically #14488
  • template: Make template service broker forbidden error message friendlier #14538
  • template: remove template.openshift.io/namespace parameter from template service broker and use context object instead #14586
  • trigger: Deployments were not firing on triggers because of internal code mismatch #15025
  • trigger: Image change trigger must be able to create all build types #14792
  • web: Adding meta tag so the login screen renders correctly when IE is in intranet mode #15083
  • web: Show toast notifications for more things #1662, #1663, #1659, #1657, #1677, #1680, #1681, #1691, #1688, #1693, #1382, #1704
  • web: Enable sorting by keys in YAML editor #1642
  • web: Clarify GitHub webhook configuration #1660
  • web: Don't mark YAML editor as immediately changed #1666
  • web: Check services for bindability before creating bindings #1599
  • web: Set up pod presets during binding to applications #1672
  • web: Show Git commit on browse build page #1670
  • web: Bug 1459848 - Fix template confirm-on-exit prompt #1671
  • web: Bug 1460142 - Only use confirm-on-exit on some forms #1674
  • web: Bug 1459834 - Don't stop navigation when a user has blocked confirm dialogs #1675
  • web: Show process template errors as toasts #1678
  • web: Remove calls to AlertMessageService.getAlerts() / clearAlerts() #1679
  • web: Bug Fix 14660167 - View Quota does not work on Overview page #1683
  • web: Consistently display error details on failed requests #1690
  • web: Override registryAnnotations directive to match the annotations directive #1136
  • web: Fix dist for build hook doc url #1694
  • web: Support for Gitlab and Bitbucket webhooks in the BC editor #1539
  • web: Removing popup directive as it's now in common #1676
  • web: Show application bindings on overview #1696
  • web: Increase specificity of css overflow: hidden rule so it doesn't clip kebab dropdown menu Fixes Bug https://bugzilla.redhat.com/show_bug.cgi?id=1460153 #1698
  • web: Init Containers Added to Pod Template #1560
  • web: Bumping registry-image-widgets to v0.0.10 to fix nav-tabs-pf bug #1700
  • web: Fix incorrect projectName references #1702
  • web: Hide error notifications on $scope destroy, not just cancel #1706
  • web: Update origin-web-catalog to v0.0.22 #1708
  • web: Add unbind action to provisioned services #1705
  • web: Adjust dropdown positioning when > 480, 480 - 768, < 769 #1718
  • web: Combine secrets page tables into one and group by type. Fixes openshift/origin-web-console#1686 #1717
  • web: Don't show both toast and in-page alert for missing resources #1721
  • web: Enter key on forms for deploy image and process template #1722
  • web: Bug 1460990 - show underlying username in several places where user may look #1724
  • web: Don't show new builds in collapsed overview rows #1723
  • web: Change output of failed verify-dist to use git diff #1720
  • web: Bug 1462067 - Give options to delete pod without grace period #1727
  • web: Bug 1461771 - Switch empty project Add to Project to Browse Catalog #1729
  • web: Update to the logo icon font set to include mediawiki #1730
  • web: Show optional parameters in template dialog #1733
  • web: Bug 1462667 - Fix broken show generated parameters link on next steps page #1734
  • web: Deprovision to Delete Update #1735
  • web: Fix delete binding modal to show secret names #1728
  • web: Add link to controller on pod and replica set pages #1732
  • web: Only auto-start the landing page tour at appropriate window sizes #1741
  • web: Fix awkward overview message for new deployments #1745
  • web: Send propagationPolicy null so that instances and bindings can be deleted cleanly #1739
  • web: Bug fix where pod quota warning was misaligned on browse pages #1747
  • web: Extension point fix for navbar #1746
  • web: Bug 1462205 - Delete binding shouldn't show up when all bindings are pending deletion #1738
  • web: Watch for changes to the tab query parameter #1749
  • web: Show a "View Events" link when a deployment is running #1661
  • web: Sort bindingsByInstanceRef by first associated application (from sorted applications) #1742
  • web: Add username requester on bind for template broker #1744
  • web: Bug 1462781 - should show the image stream from reference when it exists instead of pushed image #1752
  • web: Bump origin-web-catalog to v0.0.25 #1754
  • web: Bug 1464397 and Bug 1461702 - problems with webhook trigger urls and display #1763
  • web: Adding global tech preview indicator for service catalog #1712
  • web: Show average pod metrics for all containers on overview #1756
  • web: Fixes visual defects around "Container:" labels #1757
  • web: Change create project redirect for new experience #1759
  • web: Make it easier to discover enabling TLS for routes #1761
  • web: Fix delete binding result message #1762
  • web: Utilizing openshift-logos-icon dependency #1743
  • web: Should only see actions for service cat resources in overview that the user can do #1768
  • web: Don't request instances and bindings if the user doesn't have watch rights #1769
  • web: Changing default icon for templates to fa-clone #1765
  • web: Removes border and margin from Labels section #1772
  • web: Updating kubernetes-container-terminal to fix terminal cursor bug #1775
  • web: Fixes several bugs in service instance row #1776
  • web: Upgrade versions of catalog (0.0.27) and common (0.0.39) #1777
  • web: Fixes bug where "Check events" link wrapped to two lines on deployments page #1778
  • web: Fix service instance object dump in bind app to service dialog #1779
  • web: Fixes issue where long empty-state-message titles are clipped at mobile #1783
  • web: Fixes bug where heading was unnecessarily truncated #1786
  • web: Bump origin-web-catalog and origin-web-common #1787
  • web: Bug 1467232 - Fix overview cluster quota warning #1789
  • web: Don't set propagationPolicy when deleting pod immediately #1792
  • web: Use config.local.js if present for grunt serve:dist #1796
  • web: Don't include Failed pods in count beside mini donut #1808
  • web: Revert kubernetes-container-terminal to 1.0.3 #1811
  • web: Update README to reference firefox instead of chrome for e2e tests #1816
  • web: Bug 1470010 - Use owner references to find deployment on replica set page #1832
  • web: Update mini donut total in $evalAsync block #1830
  • web: Don't fade "0 pods" text in mini donut #1835
  • web: Add additional API groups to security check whitelist #1837
  • web: Edit the YAML of deployments in the apps group #1839

Release SHA256 Checksums

553ce3edcfe4e0a5ec787fa7697713ff7c8cb49aa08d680e446eb8c02d786a1e  ./CHECKSUM
5808b3d29c72d04643c98ee1f51611222fa4c14fe420632d60812dc9b59755fd  ./openshift-origin-client-tools-v3.6.0-rc.0-98b3d56-linux-64bit.tar.gz
94b7c89ed9e177a31713392fcaf815c029c2bf8b7689d3a2b316a678cb990a34  ./openshift-origin-server-v3.6.0-rc.0-98b3d56-linux-64bit.tar.gz
454970d47bc4fef39e0835bd1a8806f6966f41515a5da269c15b871f98368263  ./openshift-origin-client-tools-v3.6.0-rc.0-98b3d56-mac.zip
11a8a94f96be56a66c73cb1ee6ed9365307c40136c5ea80beb4deeefb2ee1b23  ./openshift-origin-client-tools-v3.6.0-rc.0-98b3d56-windows.zip