Releases: openshift/origin

v1.0.8

08 Nov 00:55

OpenShift 1.0.8 (release candidate 2 for 1.1)

We recommend users running 1.0.7 upgrade to 1.0.8 due to several significant performance issues.

Major fixes

  • #5774 Preserve very large integers when serializing and deserializing JSON - resulted in hangs on the server
  • #5778 When running a containerized node, the ca.crt passed into the container is wrong
  • #5720 Deleting projects could encounter significant slowdowns due to repeated invocations
  • #5722 The oc command should automatically use the service account when used inside a container
  • #5706 Deployment config can indefinitely accumulate error messages, leading to failures in deployment config updates and significant CPU use
  • #5737 Significant CPU slowdown when creating new projects
  • #5537 Better support viewing very large logs in the UI
  • #5581 Update cAdvisor version, fixing a memory leak and Docker connection leak on the node
  • #5585 Use of rsh and exec could occasionally time out due to unfair frame handling in SPDY
  • #5613 DNS name resolution of services was triggering multiple false timeouts due to recursion - names should now resolve in a few milliseconds.

Features

  • It is now possible to order security context constraints via the priority field, which applies pod security defaults from the highest priority group first. This allows cluster administrators to run pods as root by default. To restore the prior security behavior, set a higher priority on the SCC you wish to apply defaults.
  • Supplemental groups for filesystem access are allocated per project, and access to shared filesystems can be controlled via the supplemental group on Docker 1.8 or later
  • Build logs and deployment logs now supported via oc log dc/NAME and oc log build/NAME, with all log options on those types also supported
  • When running hooks from a deployment, display the hook logs as part of the deployment pod logs

Fixes

  • Kubelet reacts much faster to status changes in pods and communicates important status changes to the master more effectively
  • Disable TCP keep-alive on liveness probes, which was causing false negatives on liveness because of Go's connection pooling
  • Attaching to a pod with only stdin should terminate the attach when stdin is closed, not when the pod exits (fixed in go-dockerclient)
  • Better error output when Gluster and iSCSI volumes cannot be mounted
  • horizontalpodautoscaler and job resources are now available in the extensions/v1beta1 API, with policy that allows end users to access them
  • Deleting pods that have the phase failed or succeeded should complete immediately, rather than waiting for the Kubelet to acknowledge the delete
  • oc import-image should not require the image stream to have dockerImageRepository set, now that individual spec tags can reference different Docker image repositories
  • Update documentation to properly identify all_squash as NOT being necessary when using NFS persistent volumes
  • It should be possible to specify the number of lines of a pod log to tail while also following the log
  • Username taken from a build secret should override a username in the source URL
  • Ensure service node ports are properly released when deleted
  • When upgrading the master before nodes are upgraded, ensure the master handles graceful deletion for those old nodes
  • Some timeouts in the kube proxy were too short, and have been lengthened to better handle failures when failing over backends
  • /etc/hosts is now managed by the Kubelet instead of Docker, to ensure that all search domains and name servers are properly resolved
  • Mirror pods can now be logged
  • It is possible to serialize image pulls on the node by setting a config value - this bypasses issues encountered in Docker 1.8 with simultaneous pulls
  • Memory allocation in the apiserver is much reduced during normal operation
  • Set context directory properly in the new-app and new-build commands when specifying source code using the ~ operator

v1.0.7 (1.1.0-rc1)

29 Oct 18:21

OpenShift 1.0.7 (release candidate 1 for 1.1)

NOTE: Users should install release candidate 2 (1.0.8) instead of this release

This is the first release candidate for Origin 1.1 and OSE 3.1. Please see the migration notes and API changes when updating a live cluster.

Migrating from 1.0.x

  • Cluster roles have changed - please run:

    $ oadm policy reconcile-cluster-roles
    $ oadm policy reconcile-cluster-role-bindings
    

    to review the changes, and pass --confirm to accept those changes.

  • v1beta3 is no longer supported as a storage version or API version

    • If you are using v1beta3 as your Kubernetes or OpenShift storage version, you will receive an error when you try to restart the OpenShift masters because v1beta3 is no longer a valid storage version. You must update the values of etcdStorageConfig.kubernetesStorageVersion and etcdStorageConfig.openShiftStorageVersion to be v1 in your master-config.yaml file.
    • You may also need to change the apiLevels field to remove references to v1beta3.

API Changes

  • v1beta3 is no longer supported as an API endpoint (/api/v1beta3 and /osapi/v1beta3 are now disabled).
    • The CLI and golang client libraries can still convert v1beta3 objects to v1 via

      $ oc export --raw --api-version=v1 -f FILENAME -o yaml
      
  • The value of the status.dockerImageRepository for an ImageStream now returns either the fully qualified pull spec for the stream on the integrated registry (if configured), or the value of spec.dockerImageRepository if no integrated registry has been set. The previous behavior was to use spec.dockerImageRepository if it was set, overriding the internal location, but that made it difficult for clients to generate a URL that allowed them to push to the image stream.
  • Builds marked only with the build label will no longer be considered part of their parent build config. You can see a list of affected builds by running oc get builds --all-namespaces and looking for builds that only have the build label, not openshift.io/build. See #3502.
  • The spec.rollingParams.updatePercent field on deployment configs will no longer be recognized. Use maxUnavailable and maxSurge instead.
  • Images can be edited to set fields like labels or annotations
  • Routes can now specify which port they wish to route to - by default, all callers that might point to multi-port services should set spec.port.targetPort to the port on the Pod (or external service) to target.
  • Builds now contain status.outputDockerImageReference which is the Docker location that the image will be pushed to.
  • Image streams now return the integrated registry's Docker spec in status.dockerImageRepository instead of showing the value of spec.dockerImageRepository. If no integrated registry is included, the value from spec will be used if set.
  • Logging and remote execution can now be performed over WebSockets for use from a browser client or languages without a SPDY library

Features

  • Updated to Kubernetes v1.2.0-1107-g4c8e6f4

    • Job resources are now available in the extensions API group for managing tasks that must run to completion
    • HorizontalPodAutoscalers allow deployment configs and replication controllers to be autoscaled based on their load
  • LDAP group synchronization added under oadm group-sync for enforcing group membership from external LDAP directories

  • Nodes

    • Switch CPU quota to CFS by default, which enforces maximum CPU usage per container
    • Out of memory conditions on the node are now controlled by the node agent, with OOMScoreAdjust and Restart policy set to ensure the node remains stable in overcommitted scenarios
  • Deployment hooks may now leverage volumes from the original pod

  • Add oc rsync, which can copy local directories into a remote pod. If rsync is not available in the pod or on the client, the command will fall back to a direct copy:

    oc rsync ~/myfolder :/home/user/test

  • Pods may join the host PID or host IPC namespaces if they are granted appropriate access

Multi-tenant pod networks

The multi-tenant SDN plugin can be used to isolate projects from each other. Each project is isolated, and administrators can bind projects together with oadm pod-network join-project or expose the pods within a project to all other projects.

To enable the multi-tenant SDN plugin, in node-config.yaml change networkConfig.networkPluginName to redhat/openshift-ovs-multitenant.

Logs

  • Additional filtering options are available on oc log - control the amount of logs displayed, show timestamps, and view contents from a historical time (relative or by date)
  • The web console will show logs for pods and builds, allowing you to view the current or previous container's state

Metrics

  • The Kubelet now exposes statistics from cAdvisor securely via cluster permissions to view metrics
  • The web console will now display metrics from pods when metrics integration has been enabled

Web Console

  • Totally revamped and extended resource information available in the web console
  • Connect to a container via a remote shell in the web console
  • Scale deployments up and down from the web console
  • Added the topology view to the web console - see a graph of all your resources
  • Improve the layout and organization of the application create page
  • After creating a new application, display more information about next steps
  • Routes are displayed on the services list page with more info about security and paths available on their own pages
  • Pod resource limits and requested amounts are displayed on their respective objects

Command-line

  • Big improvements to oc new-app and oc new-build to display more information about what is happening when we generate apps:

    $ oc new-app php
    --> Found image dbaa6b2 (33 hours old) in image stream "php" under tag :latest for "php"
        * We will deploy this image in deployment config "php"
        * Port 8080/tcp will be load balanced by service "php"
    --> Creating resources with label app=php ...
        DeploymentConfig "php" created
        Service "php" created
    --> Success
        Run 'oc status' to view your app.
    
  • Improve Bash completions to better guide user input that is file based

  • Revamp the output that is displayed for deployments in oc get and oc describe

  • Add commands to validate node and master configuration - openshift ex validate master-config and openshift ex validate node-config

  • Delete tags from an image stream with oc tag TAG -d

  • When tagging one image stream tag into another, use the resolved image in the destination, and allow a reference to be created with --alias

  • On Windows, oc edit should no longer report file edit errors, and the edit output is now generated with Windows CR/LF line endings for proper display.

  • Support for installation of images via oc new-app - images that have the Docker label io.openshift.generate.job=true will prompt the user to install themselves.

Builds

  • The contents of a Dockerfile can be directly provided to a Docker build
    • Specify Dockerfile contents on oc new-build via the -D flag, for example oc new-build -D $'FROM centos:7\nRUN yum install -y httpd'
    • In a Build API object, set spec.source.dockerfile to the desired string value.
    • The value of the Dockerfile will override a Dockerfile in the source Git repository if one is provided
  • A binary build can be triggered by passing a file, directory, or local Git repository path to the oc start-build command with --from-file, --from-dir, or --from-repo. The contents will be streamed to the builder and used as the input to the build instead of the current Git repository source. Note that a binary build cannot be rebuilt, since the server does not have access to the previous binary sent. Newly triggered builds will use the Git source if available.
  • Support SSH keys and basic authentication when pulling Git repositories during builds.
  • Environment variables defined in a Docker build are now added to the Dockerfile prior to building
  • When a build fails, information about that failure is recorded with the build and displayed in the CLI and UI
  • Build logs can now be displayed via oc logs build/<buildname> and oc logs bc/<buildconfig name>

Router

  • Send X-Forwarded-* headers as per RFC7239 on proxied HTTP and HTTPS requests to backends
  • Fixed a bug where router stats were not properly enabled when the router was installed
  • Display the HAProxy statistics page by default
  • Support partition paths in the F5 router
  • Display a 503 error page on missing backends in the HAProxy router, which can be customized by layering over the image.
  • Disable known insecure TLS cipher suites by default, using the Mozilla intermediate security suite by default, and provide examples for modern and...

v1.0.6

13 Sep 21:34

UPDATE: Added a v1.0.6 binary for linux/386. Has not been tested, please report any issues.

Migrating from 1.0.x

  • Origin v1.0.6 recommends the use of Docker v1.7.2+ due to bugs in docker exec that can result in hangs.
  • Cluster roles have changed - please run oadm policy reconcile-cluster-roles --confirm after you upgrade if you see an error like OpenShift client error: User "system:serviceaccount:test:builder" cannot create localsubjectaccessreviews in project "test"

API Changes

  • The Template parameters now support displayName which is an optional field to use from user interfaces when your template is shown
  • Secrets can now be added to custom builds and mounted at user-specified locations

Pending removal

  • Support for v1beta3 from the API and from client commands will be removed in 1.0.7 (1.1 rc0)
  • Builds marked only with the build label will no longer be considered part of their parent build config in 1.0.7. You can see a list of affected builds by running oc get builds --all-namespaces and looking for builds that only have the build label, not openshift.io/build. See #3502.
  • The spec.rollingParams.updatePercent field on deployment configs will no longer be recognized in 1.0.7. Use maxUnavailable and maxSurge instead.

Routing

  • The default hostname for a route has been changed to be <route-name>-<namespace>.<suffix> - this allows TLS wildcards on <suffix> to properly work
  • A new F5 BigIP router plugin has been added, allowing F5 routers to be dynamically configured. Documentation coming soon!
  • The router can be configured to serve a subset of the routes in your deployment
    • Pass --namespace to the router command to select routes in a single namespace
    • Pass --labels=<selector> or --fields=<selector> to select only routes with the provided labels or fields
    • Pass --project-labels=* to show routes in all labels the router's service account is granted access to, --project-labels=<selector> to filter that list by label, or --namespace-labels=<selector> to filter all labels (when the router service account has that permission)
      • Note: the label list is updated every 10 minutes or when the router restarts, so new projects may not instantly get served
  • Both the F5 and template routers now allow only the first route (by creation timestamp) with a given host or generated host (when you omit the Host field) to claim that route name. If multiple routes with the same host but different paths are defined, all routes in the same namespace as the oldest route with that host will be included. If the oldest route is deleted, and the next oldest route is in a different namespace, only routes in that other namespace will be served.
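The host-claim rule in the last item above, modelled as an added example (not code from the OpenShift routers) so an administrator can see which routes are served and which are rejected when namespaces collide on a host. The `Route` type, the function names, the sample routes and the tie-break on equal timestamps are assumptions made for this example; the generated host follows the `<route-name>-<namespace>.<suffix>` form described earlier in this section.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Route is a simplified, hypothetical stand-in for a route object.
type Route struct {
	Namespace string
	Name      string
	Host      string // empty means "generate a host"
	Path      string
	Created   time.Time
}

// effectiveHost returns the explicit host, or the generated
// <route-name>-<namespace>.<suffix> host when Host is omitted.
func effectiveHost(r Route, suffix string) string {
	if r.Host != "" {
		return r.Host
	}
	return r.Name + "-" + r.Namespace + "." + suffix
}

// older reports whether a was created before b. The namespace/name
// tie-break on equal timestamps is an assumption of this example.
func older(a, b Route) bool {
	if !a.Created.Equal(b.Created) {
		return a.Created.Before(b.Created)
	}
	return a.Namespace+"/"+a.Name < b.Namespace+"/"+b.Name
}

// admit applies the rule: for each host, the oldest route decides which
// namespace owns the host. Every route in that namespace using the host is
// served (different paths included); routes from other namespaces are rejected.
func admit(routes []Route, suffix string) (served, rejected []string) {
	oldest := map[string]Route{}
	for _, r := range routes {
		h := effectiveHost(r, suffix)
		if cur, ok := oldest[h]; !ok || older(r, cur) {
			oldest[h] = r
		}
	}
	for _, r := range routes {
		key := r.Namespace + "/" + r.Name
		if oldest[effectiveHost(r, suffix)].Namespace == r.Namespace {
			served = append(served, key)
		} else {
			rejected = append(rejected, key)
		}
	}
	sort.Strings(served)
	sort.Strings(rejected)
	return served, rejected
}

// without returns the routes with one route removed, modelling a deletion.
func without(routes []Route, namespace, name string) []Route {
	var out []Route
	for _, r := range routes {
		if r.Namespace == namespace && r.Name == name {
			continue
		}
		out = append(out, r)
	}
	return out
}

// sampleRoutes returns constructed data: two namespaces using the same host.
func sampleRoutes() []Route {
	t0 := time.Date(2015, 9, 1, 12, 0, 0, 0, time.UTC)
	return []Route{
		{"team-a", "web", "www.example.test", "/", t0},
		{"team-b", "squat", "www.example.test", "/login", t0.Add(1 * time.Hour)},
		{"team-a", "api", "www.example.test", "/api", t0.Add(2 * time.Hour)},
		{"team-b", "shop", "", "/", t0.Add(3 * time.Hour)},
	}
}

func main() {
	routes := sampleRoutes()
	served, rejected := admit(routes, "apps.example.test")
	fmt.Println("served:", served, "rejected:", rejected)

	// Deleting the oldest route hands the host to the next-oldest namespace.
	served, rejected = admit(without(routes, "team-a", "web"), "apps.example.test")
	fmt.Println("after deleting team-a/web, served:", served, "rejected:", rejected)
}
```

The second call shows the consequence worth auditing for: once the oldest route is deleted, ownership of the host moves to the other namespace and the original namespace's remaining routes stop being served.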

Builds

  • oc start-build --commit=<commit> will trigger a build of the exact Git commit specified.
  • Add --env var support to oc new-build, allowing you to set environment variables on your S2I builds.
  • Add --wait to oc start-build, allowing you to wait for the build completion without viewing the logs.

Remote execution

  • oc rsh now accepts commands and arguments after the pod is specified, like

    oc rsh <pod> <command> [<arguments>]

    The behavior more closely mimics the ssh command. A TTY is automatically allocated if your current shell passes one, otherwise you can specify -t to force a TTY or -T to disable it.

  • A number of stability issues and hangs have been resolved with oc exec and oc rsh. However, Docker 1.6.2 has a known issue with hangs to remote shells via docker exec, so we recommend upgrading your Docker to a 1.7 or 1.8 build.

Web Console

  • Deploy, rollback, retry, and cancel deployments from the web console
  • Cancel running builds from the web console
  • Improvements to layout and readability at mobile resolutions
  • Allow the login page to be customized

Fixes

  • Upgraded the integrated etcd to v2.1.2
  • Upgraded the internal Docker registry to v2.0.1
  • Fixed hangs when using oc exec without a TTY
  • Node IP can be passed as a config option on the node, allowing it to be set distinct from the node hostname for listening on other interfaces
  • Add the Kubernetes master service address (the first address in the service CIDR range) to the generated certificates to allow pods to verify TLS connections to the API
  • Preserve permissions during image builds
  • Recover panics in the API server instead of allowing the server to crash
  • Make the OpenShift SDN MTU configurable
  • Fix a panic in oc import-image when an error occurs
  • Suggest --search and --list when calling oc new-app with no arguments
  • When running oc scale against a deployment config with no deployments, set the replicas directly

v1.0.5

25 Aug 19:14

API Changes

  • If a deployment config is created without specifying the triggers field, the deployment will default to having a ConfigChange trigger.
  • A new field subjects (a list of object references) is available when creating role bindings. You may pass object references to User, SystemUser, Group, SystemGroup, or ServiceAccount when defining the binding. Passing a reference to a service account will resolve the correct name, making it easier to grant access to service accounts in the current namespace. If users or groups are also specified, they will take priority over values set in subjects

Features

Security

  • Secrets were previously limited to only being available in pods when the service account referenced them. To make it easier to use secrets in templates, this is now disabled by default. Administrators can set a config variable to force this for the whole platform, and in a project you can set the "kubernetes.io/enforce-mountable-secrets" annotation to "true" on a particular service account to require that check.

High Availability

  • Master processes can now be started separately as API server and controllers via openshift start master api and openshift start master controllers. Added support for controller leader election - set controllerLeaseTTL to a value between 10 and 300 seconds to control the expiration of a lease (a good default is 30 or 60s). When controllers lose their lease they will exit and expect to be restarted by a process manager.

Platform

  • Added support for groups of users. Introduced oc groups command to manage them.
  • Service accounts are more easily bound to roles through the new subjects field (described in API Changes above)

Networking/Routing

  • Added multitenant SDN support to isolate pods based on which project they belong to.
  • Added --host-network flag to openshift router command to allow router to run with container network stack (when set to false)

Images

  • Importing and pulling from V2 registries is now supported.
  • The import-image command can now create image streams with the --from flag specifying the repo you want to import.
  • When you tag an image with 'oc tag' into an image stream that does not exist, an image stream can now be automatically created.

Storage

  • The volume command now lists by default, and shows you additional information about each volume type.
    • Persistent volume claims show whether they are provisioned or not, their size, and details about their bound persistent volume. The volume command can also create a new persistent volume claim for you if you specify --claim-size=
  • Added support for CephFS volumes

CLI

  • Added a --list flag to oc new-app to display list of available images and templates
  • Added --short or -q flag to oc project command to only display project name

Builds

  • Custom builds now allow a forcePull flag to indicate that the custom builder image must be pulled.
  • Multiple image change triggers are now allowed in BuildConfigs

Templates

  • Added required attribute to template parameters. Templates now cannot be instantiated without supplying a value for all required parameters.

Fixes

Platform

  • Projects can now be updated using oc edit - project admins can change display name and description.

Web Console

  • Updated the set of labels generated when creating a new app from source just as in the CLI.
  • Improved display of builds in web console.

Builds

  • Builds in which a pod is not created are no longer marked as successful.
  • Prevent starting S2I builds that may run as root based on security context constraints on the builder service account.
  • Prevent remote shell access to builder containers.

CLI

  • Builds are now listed according to creation timestamp
  • Builds from new-app are started immediately with ConfigChange trigger
  • Fixed help text for oc get projects

Networking/Routing

  • Trigger SDN node event when node ip changes
  • Rolling update strategy is used for router deploy
  • Added mode http to HAProxy frontend SNI definition

v1.0.4

29 Jul 18:03

Upgrading:

  • To make it easier to upgrade, the oadm reconcile-cluster-roles command has been added to update your cluster roles to match the internal default. Use this command to verify the cluster infrastructure users have the appropriate permissions.

Features:

  • Split the oc binary from the OpenShift binary - now much smaller (40m!)

  • Display the current version on startup of the master, cleanup some startup logging

  • Rolling updates can now be done by percentage - you can specify the percentage of pods to update by a negative or positive amount that adjusts the amount of replicas in chunks. If negative, old deployments will be scaled down first - if positive, extra pods are created first. The rolling update will work to keep the desired amount of pods running (100% of the old deployment size when a positive percentage, or 100%-UpdatePercent when negative) as it goes

  • Even more information available in oc status - make it easier to see the types of resources that are being represented by the output

  • Search for images, templates, and other inputs for oc new-app with the --search and --list flags. To find out what is available, run:

    $ oc new-app --search php
    

    which will show you all of the images or templates that include PHP

  • oc new-app will now always add an app=<name> label on the created resources when you don't specify labels with --labels. The name is inferred from --name, or the name of the first component passed to the command (for instance, oc new-app php will add a label app=php to all of the resources it creates). You can then easily delete all of those components using oc delete all -l app=php.

  • The ability to use host ports and the hostNetwork option is now properly secured by security context constraints, and only restricted or higher users can use them.

  • The RunAsNonRoot option for pod security constraints has been added - it is now possible to restrict users to running pods that are non-root (have an explicit USER numeric value set in their Docker image, or have specified the user id on their pod security context)

  • Add an oc rsh POD command that is a shortcut for oc exec -itp POD -- bash to make it easier to get a remote shell into your pods.

Fixes:

  • Routes should default to using the route name when creating a virtual host, not the service name
  • The oc expose command should not default to creating routes except when a service is exposed
  • More detail shown on image streams page in the web console
  • Display source code revision info in the build describe output
  • Display TLS termination output in route describe output
  • Allow image import to work with registries that don't implement the whole Docker Registry API (Pulp read only registries)
  • Deployment configs should trigger deployment when the metadata field of the pod template is changed, not just when the spec is changed.
  • When using oc new-app --name=foo, the --name argument should also change the name of the image stream
  • The project request template should allow Kubernetes resources as well as OpenShift resources
  • Allow oc volume to change the volume type when the mount-path is unambiguous
  • Builds now properly cancel when the user requests them, rather than running to completion.
  • Master startup no longer has a chance to generate certs with duplicate serial numbers (rendering them unusable)
  • oc new-app will now properly set the labels passed with --labels onto the pod template and selector for the deployment
  • oc export should no longer fail when exporting image streams that have no tags under their spec

v1.0.3

20 Jul 20:38

Backwards compatibility:

  • Stored objects
    • Build pods previously inherited the labels of the build. This resulted in pods from builds accidentally being included in deployments that had similar labels. It was never intended that build pods should share labels with existing components, so this behavior has been removed. Queries that attempt to retrieve build pods by label will no longer work.
  • API
    • The pods/exec endpoint is being moved to POST instead of GET. For backwards compatibility, GET continues to be supported. Clients will try to use POST, and if that fails, will try to use GET. If you have an existing deployment, the default policy will need to be updated prior to 1.1.0. See #3717 for more.
    • The hostDir volume type has been renamed hostPath in all Pods and PodTemplates.

Fixes:

  • Updated to Kubernetes v1.0.0
  • oc status now displays standalone replication controllers and a number of other warnings about issues
  • openshift start --print-ip which reports the IP that the master will use if no --master address is provided
  • Fixed a race condition when certificates were created on startup (duplicate serial)
  • The timeout for exec, portforward and log sessions has been increased from 5 minutes to 1 hour.
  • Improved performance of OpenShift when idling by removing an inefficient timer loop

v1.0.2

14 Jul 22:38

Backwards compatibility:

  • API - Kube v1
    • Pod
      • The serviceAccount field changed to serviceAccountName. OpenShift will continue to accept and output both fields - serviceAccountName takes precedence
      • The host field changed to nodeName. OpenShift will continue to accept and output both fields - nodeName takes precedence
    • Service
      • The portalIP field changed to clusterIP. OpenShift will continue to accept and output both fields - clusterIP takes precedence
    • The protocol for a port under a Service, Endpoint, or Container must be uppercased - TCP instead of tcp, and UDP instead of udp. OpenShift will continue to accept all case variations

Features

  • A new LDAP identity provider has been added, allowing you to configure OpenShift to verify passwords and users against an LDAP server directly
  • The master's CA cert can be made available as a secret inside pods, making it easier to manage secure TLS inside the cluster. To enable this in an existing configuration, set the masterCA field in the master configuration file.

Fixes

  • Upgrade to Kubernetes v0.22
  • Cleanup and improvements to the browse pages in the web console, better layout at smaller resolutions, and lots of little cleanup
  • Avoid writing excessive log errors on initial deployments when the image is not yet available
  • Router and registry should default to using the RollingUpdate strategy deployment
    • We recommend you update any existing router or registry installations if you plan on scaling them up to multiple pods
  • Support quay.io registries by using cookies when importing images
  • Lots of improvements to oc status to display warnings when problems are detected
  • Docker images of the form [registry]/[name] are now properly handled by oc new-app and the image import functionality
  • Detect Scala git repositories from oc new-app

v1.0.1

01 Jul 15:27

Incompatible changes from v1.0.0:

  • Setting a lower case port protocol type for services did not work properly - now, lower case port protocols ("tcp" or "udp") are rejected by validation - #3258

Bug fixes:

  • Make secret volumes unique for push/pull secrets during builds
  • Give better usage errors from the oc secret commands
  • In oc new-app:
    • fix a bug where explicit tags were being set on new image streams (which confused builds)
    • expose ports that were defined in the source Dockerfile when creating an app from a Git repo
    • allow Dockerfile FROM to point to an image stream or invalid image
    • create emptyDir volumes for any image that has volumes, and inform the user the volumes are created
    • allow all ports defined on the image to be exposed on the generated service
  • Filter builds by completion time in the overview page of the web console
  • When SELinux was disabled, emptyDir volumes were not properly created
  • Show additional information in oadm policy who-can
  • Fix a race condition when service accounts with .dockercfg files (for pull secrets) were deleted
  • When generating and adding secrets to a service account, oc secrets add now allows the user to specify which type of secret is being added (mountable, image pull, etc)
  • The custom builder build type now allows image output to be disabled instead of requiring it on input
  • Handle websocket errors in the console more effectively
  • Ensure http_proxy and HTTP_PROXY env vars can be passed to builds

v1.0.0

19 Jun 15:33

OpenShift Origin 1.0 provides powerful tools for development teams to build and manage cloud native applications on top of Docker and Kubernetes. OpenShift offers:

Deploy

  • A simple and easy ramp up experience - run OpenShift as a container and try it out before deploying multiple nodes, then use the Ansible installer to spin up a full cluster.
  • Run and deploy any application built out of Docker images; set up automated or manual rolling deployments with integrated canary testing; or run your own custom deployment workflows inside your own containers
  • A set of reusable building block images for all the major development platforms that leverage best practices for running in a cloud environment
  • Integrate with the Kubernetes runtime environment and use health checks, persistent network attached volumes, service discovery, integrated DNS, and a resilient host infrastructure to keep your containers running.
  • Benefit from easy container networking by leveraging our integrated software defined networking setup, or use your existing network infrastructure

Develop

  • Easily build and rebuild images using Docker or Source-to-Image builds; chain builds together to automatically occur, manage the flow of images from dev to test to production, and integrate external CI systems into your deployment workflows.
  • Painless web serving with our integrated router plugins for HAProxy and F5 - one click and your application has a publicly visible DNS name.
  • Create reusable application building blocks out of templates that can be deployed to many environments and publish those templates for others to use, or integrate with a config management system

Manage

  • Use the oc command line or our integrated Web console to create and manage your applications on Windows, Mac, and Linux
  • Secure your environment from end to end with private source builds and image security, fully encrypted server to server communication, easy user integration with external systems, and a customizable policy engine and service accounts for controlling how applications talk to each other.
  • As an administrator, create projects and assign flexible security policies and resource usage controls to the teams in your organization. Ensure containers run in secure sandboxes on your cluster or relax those restrictions for specific teams to run high privilege containers.

For a full list of features, see the public documentation.

Get involved with the ongoing development of OpenShift - help us make it the best way to run applications anywhere. The "Lucky" release is just the first step!