OpenShift Container Platform 3.4 Release Notes

Kubernetes has been updated to v1.4.

OpenShift Container Platform 3.4 requires Docker 1.12.

etcd has been updated to 3.1.0-rc.0.

Elasticsearch 2.4

Kibana 4.5

Fluentd 0.12

The deploymentConfig.spec.strategy.rollingParams.updatePercent field is removed in favor of deploymentConfig.spec.strategy.rollingParams.maxUnavailable and deploymentConfig.spec.strategy.rollingParams.maxSurge.

The pre-OpenShift Origin 1.0 compatibility fields for service spec.portalIP and pod spec.host have been removed from the API. Use spec.clusterIP for services and spec.nodeName for services. Clients that send these fields to the server will have those values ignored.

The oc whoami --token command is deprecated in favor of oc whoami -t, and oc whoami --context is deprecated in favor of oc whoami -c. The --token and --context options will be removed in a future release.

Support for OpenShift Container Platform 3.1 clients for deployment configurations is dropped. More specifically, the oc scale command will not work as expected.

It is no longer possible to set multiple environment variables or template parameters by passing a comma-separated list to single a --env, --param, or --value option. For example:

$ oc new-app mysql --param MYSQL_USER=user,MYSQL_PASSWORD=password

$ oc new-app mysql --param MYSQL_USER=user --param MYSQL_PASSWORD=password

Project visibility calculation failed if it encountered a role binding that referenced a missing role. Projects containing a role binding that referenced a missing role would not appear when listing projects via the API. This bug fix skips role bindings with invalid role references when evaluating project visibility. As a result, projects with invalid role bindings still appear in the projects list if another valid role binding exists that grants access. (BZ#1382393)

Pipeline strategies now support run policies: serial and parallel. Previously, pipeline builds were executed independently of the requested run policy associated with the build configuration, which resulted in confusion. With this enhancement, pipeline jobs running in Jenkins now respect the run policy that was specified by the OpenShift build configuration. (BZ#1356037)

Parameter references are now supported in non-string template fields. Previously, parameter references could not be used in non-string API fields such as replica count or port. With this enhancement, this is now supported by using the ${{PARAMETER}} syntax to reference a parameter within the template. (BZ#1383812)

When creating a build object through the REST API, the type of the from image was not checked and was assumed to be DockerImage. Build objects created with a Custom strategy referencing an ImageStreamTag as its from image resulted in failure or, potentially, a build using the wrong image. This bug fix checks the type of builder image when creating build objects, and if it is not DockerImage, the request is rejected as invalid. As a result, Custom builds with builder images specified as ImageStreamTag are rejected. (BZ#1384973)

The code that launches the build container in Source-to-Image was waiting indefinitely when an error occurred that was not a timeout error. This caused failed builds to hang indefinitely in Running state. This bug fix updates Source-to-Image to no longer wait for containers once an error is received. As a result, builds now fail as expected and no longer hang in Running state. (BZ#1390749)

Multiple Jenkins builds were being triggered for a single OpenShift build. This caused build details to appear to sync inconsistently. This bug fix ensures only a single Jenkins build is triggered for each OpenShift build. As a result, build details sync properly and the web console displays the pipeline properly. (BZ#1390865)

The oc start-build --follow command could return a timeout error if there were delays in scheduling the build. With this bug fix, oc start-build --follow now blocks until the build completes. (BZ#1368581)

NO_PROXY values can now be set for git clone operations in builds. Previously, cluster administrators could set HTTP_PROXY and HTTPS_PROXY values that would be used for all builds. Certain builds needed to access domains that could not be reached when going through those default proxies. Adding a NO_PROXY field allows the cluster administrators to set domains for which the default proxy value will not be used. With this enhancement, default proxies can now be bypassed when performing git clone operations against specific domains. (BZ#1384750)

The generic webhook build trigger would cause builds to run even when invalid content was POSTed in the request body. This behavior has been maintained for backwards compatibility reasons, but this bug fix adds a warning to make the situation clearer to whoever is calling the trigger. (BZ#1373330)

During builds, comparison of the master host and port with that specified by the user failed when the user-specified URL did not contain the default port (when using 443). This caused builds to fail to trigger. This bug fix updates the comparison of the host and port to account for the default port. As a result, starting builds works when the master port is 443 and is using a self-signed certificate. (BZ#1373788)

The oc new-app --search command expected that the cluster could always reach registry-1.docker.io. When registry-1.docker.io was unreachable, as is the case when running a disconnected cluster, the command would always fail. With this bug fix, the command now prints a warning when registry-1.docker.io is unreachable and no longer fails with an error. As a result, the command is now usable in disconnected environments or in other circumstances when registry-1.docker.io is unreachable. (BZ#1378647)

An extra line of information caused invalid JSON or YAML output when using the oc set command. With this bug fix, the extra line of information is now output through stderr. As a result, valid JSON or YAML is now printed via the oc set command. (BZ#1390140)

The oc convert command failed to produce a YAML file with valid syntax when converting from multiple files in a directory. When converting from multiple files in a directory and piping the output to oc create, it would only create the first file converted. This bug fix updates the YAML syntax in the output of oc convert when converting multiple files. As a result, the output of oc convert can feed oc create properly. (BZ#1393230)

The oc adm prune images|builds|deployments commands ignored the --namespace parameter. This made cluster administrators unable to limit the scope of prune commands to particular namespaces. This bug fix makes the oc adm prune command aware of the --namespace parameter and limits the scope of pruning to the given namespace. As a result, cluster administrators are now able to limit the scope of the command to single namespace. When applied to images, none of the images will be removed, because images are non-namespaced. (BZ#1371511)

Docker versions earlier than 1.12 required IPv6, which made it impossible to run the docker daemon on a kernel with IPv6 disabled. This bug fix modifies the docker daemon to no longer require IPv6. (BZ#1354491)

The oc deploy --latest command previously updated latestVersion directly from the API, which made it impossible to separate between manual and automatic updates. This enhancement adds an instantiate endpoint for deployment configurations, allowing for distinction between these types of updates. As a result, the API call for a manual deployment is now distinguishable. (BZ#1371403)

A deployment configuration with multiple containers using the same ImageChangeTrigger would not be updated by the image change controller. This bug was fixed as part of redesigning the triggering mechanism, which removed the image change controller. (BZ#1381833)

The pause and resume operations are now handled using the PATCH method, which ensures the operation always succeeds for the user. (BZ#1388832)

When Autodeploy when: New image is available was unchecked in the web console’s Add to project page, the web console would not create an image change trigger on the new deployment configuration. This meant that users had to manually set an image using the oc set image command before deployments. Otherwise, all deployments would fail with image pull back-off errors.

This bug fix updates the web console to add an image change trigger with automatic: false. This prevents deployments from happening automatically when the image stream tag is updated, but allows users to run oc rollout commands, or use the Deploy action in the web console, without any additional configuration. (BZ#1383804)

It was impossible to specify when to start a deployment with the latest image. Triggers would cause each build to deploy. So triggers had to be disabled, then enabled once a deploy is desired. With this bug fix, a new endpoint and oc rollout latest that uses the endpoint and supersedes oc deploy --latest were added in OpenShift Container Platform 3.4 to enable manual deployments without the need to enable triggers. (BZ#1303938)

Various OpenShift sample templates included an expired, self-signed X.509 certificate and key for www.example.com. These unnecessary certificates and keys have been removed from the templates. (BZ#1312278)

The Jenkins Sync plug-in failed to consistently sync build changes from the OpenShift cluster. Builds created in OpenShift were therefore not observed and executed by the Jenkins server. This bug fix makes sync logic more robust to ensure changes are not missed. As a result, builds are now properly processed by the sync plug-in and executed in Jenkins. (BZ#1364948)

API server restarts caused the Jenkins sync plug-in to lose its connection to OpenShift. This caused pipeline builds to not be properly executed in the Jenkins server. This bug fix updates the sync plug-in to handle connection loss when the API server is restarted. As a result, builds are now properly processed by the sync plug-in and executed in Jenkins if the API server is restarted. (BZ#1364949)

New build configuration events were missed, causing associated Jenkins jobs to not be created. This bug fix ensures the order of resource watches is correct and periodically resyncs to prevent missing events. As a result, associated Jenkins jobs are now always created. (BZ#1392353)

The pipeline plug-in did not use an optimal endpoint for scaling. This made scaling beyond one replica problematic. This bug fix updates the pipeline plug-in to use an optimal endpoint, and uses can now scale a deployment configuration’s replication controller beyond one replica. (BZ#1392780)

Failure to use overrides methods in one area of the Jenkins plug-in caused job failures when namespace parameter was not set. This bug fix updates the plug-in, and namespace is now an optional parameter. (BZ#1396022)

This enhancement updates OpenShift Container Platform to allow multiple slashes in Docker image names and allows using external registries that support them. (BZ#1373281)

When importing a Docker image from a remote registry that is insecure, the pull-through capability did not work, causing pull failures. This bug fix ensures that these pulls now succeed for insecure registries. (BZ#1385855)

Previous versions of docker only checked for the existence of one layer digest in remote repositories before falling back to the full blob upload. However, each layer can have multiple digests associated depending on the docker version used to push images to a source registry. During an image push, the docker daemon could have picked up the wrong layer digest associated to a particular image layer, which did not existed in remote repository. It would then fall back to the full blob upload, even though the daemon knew another digest existing in the remote repository. With this bug fix, the docker daemon now sorts candidate layer digests by their similarity with the remote repository and iterates over a few of them before falling back to full blob re-upload. As a result, docker pushes are now faster when layers already exist in the remote registry. (BZ#1372065)

The installer generated a flannel configuration that was not compatible with the latest version of flannel available in Red Hat Enterprise Linux 7. The installer has been updated to produce configuration files compatible with both the new and old versions of flannel. (BZ#1391515)

Previously, openshift-ansible did not configure environments using Google Compute Engine (GCE) as multizone clusters. This prevented nodes from different zones registering against masters. With this bug fix, GCE-based clusters are multizone enabled, allowing nodes from other zones to register themselves. (BZ#1390160)

This enhancement moves the node scale-up workflow in the quick installer out of the install subcommand and into a separate scaleup subcommand. Users reported that having the scaleup workflow inside install was confusing, and a result scale-up now lives in its own space and users can access it directly. (BZ#1339621)

This feature provides the ability to add persistent node-labels to hosts. Rebooting hosts (such as in cloud environments) would not have the same labels applied after reboot. As a result, node-labels persist across reboot. (BZ#1359848)

The openshift-ansible NetworkManager configuration script was unconditionally restarting the dnsmasq service every time it ran. As a result, host name resolution would fail temporarily while the dnsmasq service restarted. The openshift-ansible NetworkManager configuration script now only restarts the dnsmasq service if a change was detected in the upstream DNS resolvers. As a result, host name resolution will continue to function as expected. (BZ#1374170)

Previously, the installer would re-run the metrics deployment steps if the configuration playbook was re-run. The playbooks are now updated to only run the metrics deployment tasks once. If a previous installation of metrics has failed, the administrator must manually resolve the issue or remove the metrics deployment and re-run the configuration playbook. See the cleanup instructions. (BZ#1383901)

The Ansible quiet output configuration was not set for non-install runs of atomic-openshift-installer. As a result, users would see full Ansible output rather than abbreviated step-by-step output. The Ansible quiet output configuration is now set as the default for all atomic-openshift-installer runs. With this fix, users see abbreviated output and can toggle back to verbose output with -v `or `--verbose. (BZ#1384294)

Previously, the quick installer would unnecessarily prompt for the name of a load balancer for non-HA installations. This question has been removed for single master environments. (BZ#1388754)

The a-o-i package was considering extra hosts when determining if the target HA environment is a mix of installed and uninstalled hosts. As a result, the comparison failed and incorrectly reported that a fully installed environment was actually a mix of installed and uninstalled. With this fix, non-masters and non-nodes were removed from the comparison and installed HA environments are correctly detected. (BZ#1390064)

Previously, the dnsmasq configuration included strict-order, meaning that dnsmasq would iterate through the host’s nameservers in order. This meant that if the first nameserver had failed, a lengthy timeout would be observed while dnsmasq waited before moving on to the next nameserver. By removing the strict-order option, dnsmasq prefers nameservers that it knows to be up over those that are unresponsive, ensuring faster name resolution. If you wish to add this or any other option, use the advanced installer option openshift_node_dnsmasq_additional_config_file, which allows you to provide the path to a dnsmasq configuration file that will be deployed on all nodes. (BZ#1399577)

Previously, the NetworkManager dispatcher script did not correctly update /etc/resolv.conf after a host was rebooted. The script has been updated to ensure that /etc/resolv.conf is updated on reboot, ensuring proper use of dnsmasq. (BZ#1401425)

The openshift-ansible advanced install method now alters the Registry Console’s IMAGE_PREFIX value to match the oreg_url prefix when openshift_examples_modify_imagestreams=true, allowing users to install from a registry other than registry.access.redhat.com. (BZ#1384772)

openshift_facts `was parsing full package versions from `openshift version. The parsed versions do not match actual yum package versions. With this fix, openshift_facts is updated to remove`commit offset` strings from parsed versions. Parsed versions now match actual yum package versions. (BZ#1389137)

Previously, if hosts defined in the advanced installation inventory had multiple inventory names defined for the same hosts, the installer would fail with an error when creating /etc/ansible/facts.d. This race condition has been resolved, preventing this problem from happening. (BZ#1385449)

This feature adds the ability to define eviction thresholds for imagefs. Pods are evicted when the node is running low on disk. As a result, the disk is reclaimed and the node remains stable. (BZ#1337470)

This bug fixes an issue with the OpenShift master when the OpenStack cloud provider is used. If the master service controller is unable to connect with the LBaaS API, it prevents the master from starting. With this fix, the failure is treated as non-fatal. Services with type LoadBalancer will not work, as the master is able to create the load balancer in the cloud provider, but the master functions normally. (BZ#1389205)

This feature adds the ability to detect local disk pressure and reclaim resources. To maintain stability of the node, the operator is able to set eviction thresholds that, when crossed, will cause the node to reclaim disk resource by pruning images, or evicting pods. As a result, the node is able to recover from disk pressure. (BZ#1352390)

Previously, it was possible to configure resource (CPU, memory) eviction thresholds (hard and soft) to a negative value and the kubelet started successfully. As eviction thresholds can not be negative, this erroneous behavior is now fixed. The kubelet now fails to start if a negative eviction threshold is configured. (BZ#1357825)

The pod container status field ImageID was previously populated with a string of the form docker://SOME_ID. This displayed an image ID, which was not usable to correlate the image running in the pod with an image stored on a registry. Now, the ImageID field is populated with a string of the form docker-pullable://sha256@SOME_ID. This image ID may be used to identify and pull the running image from the registry unambiguously. (BZ#1389183)

The oc logs command was using a wrapped word writer that could, in some cases, modify input such that the length of output was not equal to the length of input. This could cause a ErrShortWrite (short write) error. This change restores oc logs to use Golang’s standard output writer. (BZ#1389464)

The default directory for the location of Seccomp profile JSON files on the node was not set properly. As a result, there was an issue when using the Seccomp profile annotation in a pod definition. With this fix, the default Seccomp profile directory is appropriately set to /var/lib/kubelet/seccomp. (BZ#1392749)

OpenShift uses fsGroup in the pod specification to set volume permissions in unprivileged pods. The S_ISGID bit is set on all directories in the volume so that new files inherit the group ID. However, the bit is also set for files, for which it has a different meaning of mandatory file locking, see stat(2). This fix ensures that the S_ISGID bit is now only set on directories. (BZ#1387306)

This bug fix corrects an issue on the OpenShift master when using the Openstack cloud provider. The LBaaS version check was done improperly, causing failures when using v2 of the LBaaS plug-in. This fix corrects the check so that v2 is detected properly. (BZ#1391837)

While autoscaling, the reason for the failed` --max` flag validation was unclear. This fix divides reasons into * value not provided or too low* or value of max is lower than value of min. (BZ#1336632)

Piping to oc volume from oc process would not create the deployment configuration (DC) as it did before. As a result, the deployer would provide output stating that the DC that would be generated did not exist, and would fail. With this fix, the output of oc volume to oc create is properly piped. As a result, you can create the missing DC with the PVC mount when you have the deployer attaching PVC to ES upon creation. The deployer no longer fails. (BZ#1396366)

A JavaScript bug caused the HTML page to not refresh after deleting the route in Camel. This fix addresses the JavaScript bug and the HTML page is refreshed after deleting the route. (BZ#1392416)

Tables with label filters will persist the current filter into the URL. Clicking directly into a pre-filtered pod list, clicking somewhere else, and then hitting Back took you back to the entire pod list instead of the filtered one. This behavior was not expected. Now, the latest filtering state a page is on will be persisted into the URL and work with browser history. (BZ#1365304)

Previously, the deployment configuration on the Overview page was not shown when it had not yet run a deployment. With this update, a tile is shown for the deployment configuration. If the deployment configuration has an image change trigger, a link to the image stream of the tag it will trigger on is shown. (BZ#1367379)

The web console would not show any errors on the Overview page when metrics were configured, but not working. It would quietly fall back to the behavior when metrics were not set up. The web console now shows an error message with a link to the metrics status URL to help diagnose problems such as invalid certificates. The alert can be permanently dismissed for users who do not want to see it. (BZ#1382728)

In some cases, the Y-axis values would not adjust to fit the data when looking at metrics for a pod. The Y-axis now scales appropriately to fit the data as usage increases. (BZ#1386708)

If you deleted a pod and created a new pod with the same name, you would see metrics for the previous pod when viewing metrics. Only metrics for the new pod are now shown. (BZ#1386838*)

When a pod had more than one container, the web console was incorrectly showing total memory and CPU usage for all containers in the pod on the metrics page rather than only the selected container. This could make it appear that memory usage exceeded the limit set for the container. The web console now correctly shows the memory and CPU usage only for the selected container. (BZ#1387274)

The logo and documentation links must be changed for each release. This was not yet completed, so the logo and documentation links represented OpenShift Origin instead of OpenShift Container Platform. The appropriate logo and links for the release were added and are now correct. (BZ#1388798)

Previously, you could select Push Secret and Pull Secret on the DC editor page and on the Create From Image page. These options are not helpful on these pages because they are using integrated registry. Therefore, the Push Secret and Pull Secret select boxes are now removed from the DC editor and Create From Image pages and users can no longer select these options. (BZ#1388884)

Routes popover warning messages were being truncated at the end of the string. Before the relevant portion of the warning message could be displayed, the certificate content results in the warning message were being truncated. After the bug fix, the truncation of the warning message was changed from truncating at the end of the string to truncating in the middle of the string. As a result, the relevant portion of the warning message is now visible. (BZ#1389658)

Camel route diagrams had a typo that, on hover, route component showed Totoal. As a result of this bug fix, on hover the route component shows Total. (BZ#1392330)

The password field was set as type text, and therefore the password was visible. In this bug fix, the password field type was set to password. As a result, the password is not visible. (BZ#1393290)

Previously, the BuildConfig editor displayed a blank section. The BuildConfig editor now shows a message when there are no editable source types for a BuildConfig. (BZ#1393803)

A bug in the communication between the Web console and Jolokia endpoint caused an error on the server when activating tracing. This bug fix changed the default value of Apache Camel configuration. As a result, the error is resolved. (BZ#1401509)

A bug in the processing of Apache Camel routes defined in XML caused an error in the Apache Camel application. This bug fix corrected the XML by adding expected namespaces, resolving the error in the Apache Camel application. (BZ#1401511)

On the Web Console’s BuildConfig edit screen, the Learn more link next to Triggers gave a 404 Not Found error. The help link in the console contained the .org suffix instead of .com, therefore the build triggers help link would return a 404 because the requested page did not exist under the https://docs.openshift.org website. In the bug fix, the help link was updated to the correct URL. The help link now loads the correct help documentation for OpenShift Container Platform. (BZ#1390890)

A bug in the JavaScript code prevented the profile page from showing expected content. The bug was fixed and the profile page displays the expected content. (BZ#1392341)

A bug in the JavaScript code prevented message from changing after the Camel route source update. The bug was fixed and the message changes after the Camel route source update. (BZ#1392376)

A bug in the JavaScript code prevented the delete header button from functioning. The bug fix enabled the delete header button. (BZ#1392931)

A bug in the JavaScript code prevented content from being displayed in the OSGi Configuration tab. As a result of the bug fix, content is displayed appropriately on the OSGi Configuration tab. (BZ#1393693)

A bug in the JavaScript code prevented content from being displayed in the OSGi Server tab. As a result of the bug fix, content is displayed appropriately on the OSGi Server tab. (BZ#1393696)

The OSGi Bundles tab showed “TypeError: t.bundles.sortBy is not a function”. The error was a result of the function sortBy of Sugar JavaScript library not being included in the application. This bug fix changed the reference to Sugar JavaScript library to an equivalent function in Lodash library. As a result, content is displayed appropriately on the OSGi Bundles tab. (BZ#1393711)

The scripts used to check if a deployment was successful did not properly handle the situation with dynamically provisioned storage and would cause an error message to be displayed after the metric components were deployed. The deployer would exit in an error status and display an error message in the logs. The metrics components would still deploy and function properly, it did not affect any functionality. In this bug fix, the scripts used to check if the deployment was successfully deployed were updated to support dynamically provisioned volumes when used on GCE. As a result, new deployments to GCE with DYNAMICALLY_PROVISIONED_STORAGE set to true will no longer result in an error message. (BZ#1371464)

Previously, nodes in an OpenShift cluster using openshift-sdn would occasionally report readiness and start assigned pods before networking was fully configured. Nodes now only report readiness after networking is fully configured. (BZ#1384696)

When trying to merge the network between different projects, the wrong field was passed to UpdatePod. The network namespace was not correctly merged because the string passed was invalid. With this bug fix, the field to be passed was corrected. The network namespaces are now correctly merged. (BZ#1389213)

The Docker service adds rules to the iptables configuration to support proper network functionality for running containers. If the service is started before the iptables, these rules are not properly created. Ensure iptables are started prior to starting Docker. (BZ#1390835)

Sometimes with the presence of a pod, OpenShift would perform unnecessary cleanup steps. However the default networking plugin assumed it would only be called to do cleanup when there was cleanup to be done. This would occasionally cause Nodes to log the error "Failed to teardown network for pod" when there was no actual error. Typically, this error would only be noticed in the logs by users who were trying to find the cause of a pod failure. With this bug fix, the default networking plugin now recognizes when it has been called after the pod networking state has already been cleaned up successfully. And as a result, no spurious error message is logged. (BZ#1359240)

The Python image was overly restrictive about allowing host connections by default, causing readiness probes to fail because they could not connect from localhost. With this bug fix, the defaults were changed to allow connections from any host, including localhost. As a result, the readiness probe is able to connect from localhost and the readiness probe will succeed. (BZ#1391145)

Because the finalization mechanism only read the preferred resources available in cluster, ScheduledJobs were not removed during project deletion. This bug fix enforces read all resources for finalization and garbage collection, not just the preferred. ScheduledJobs are now removed during project deletion. (BZ#1391827)

Active jobs were mistakenly counted during synchronization. This caused the active calculation to be wrong, which led to new jobs not being scheduled when concurrencyPolicy was set to Replace. This bug fix corrected how active jobs for a ScheduledJob are calculated. As a result, concurrencyPolicy should work as expected when set to Replace. (BZ#1386463)

Generated hostnames with more than 63 characters caused DNS to fail. This bug fix added more stringent validation of the generated names. As a result, the error is caught for the user when the route is processed by the router, and provide a clear explanation why the route will not work. (BZ#1337322)

By default extended certificate validation was not enabled, so bad certificates in routes could crash the router. In this bug fix, the default in oc adm router was changed to turn on extended validation when a router is created. Now bad certificates are caught and the route they are associated with is not used, and an appropriate status is set. (BZ#1379701)

The clusterrole has always been able to list the services in a cluster. With this bug fix the role was enabled cluster-wide. The tests that were using this role in limited scope have been fixed to use it across the cluster. (BZ#1380669)

The extended certificate validation code would not allow some certificates that should be considered valid. Self-signed, expired, or not yet current certificates that were otherwise well-formed would be rejected. The extended validation was changed to allow those cases. Those types of certificates are now allowed. (BZ#1389165)

When a volume fails to detach for any reason, the delete operation is retried forever, whereas the detach operation does not seem to try to detach more than once. This causes the delete to fail each time with a “VolumeInUse” error. OpenShift makes requests to delete volumes without any sort of exponential back off. Making too many requests to the cloud provider can exhaust the API quota. This bug fix implemented exponential backoff when trying to delete a volume. OpenShift now uses exponential backoff when it tries to delete a volume, and it does not overshoot the API quota easily. (BZ#1399800)

Using hostPath for storage could lead to running out of disk space, causing OpenShift root disk could become full and unusable. This bug fix added support for pod eviction based on disk space. As a result, a pod using hostPath consumes too much space it may be evicted from the node. (BZ#1349311)

The cloud provider was not initializing properly, causing features that require cloud provider API access, such as PersistentVolumeClaim creation, to fail. With this bug fix, the cloud provider is initialized in node. Features that require cloud provider API access no longer fail. (BZ#1390758) (BZ#1379600)

Previously the upgrade playbook would inadvertently upgrade etcd when it should not have. If this upgrade triggered an upgrade to etcd3 then the upgrade would fail as etcd would become unavailable. With this bug fix, etcd no longer updates when it is not necessary ensuring upgrades proceed successfully. (BZ#1393187)

An error in the etcd backup routine run during upgrade could incorrectly interpret a separate etcd host as embedded. The etcd backup would fail and the upgrade would exit prematurely, before making any changes on the cluster. This bug fix changed the variable to correctly detect embedded versus separate etcd. The etcd backup will now complete successfully allowing the upgrade to proceed. (BZ#1398549)

The metrics deployer image shipped in OpenShift Container Platform 3.3.0 had an outdated version of the client included in the image. As a result the the deployer failed with an error when run in the refresh mode. That image has been rebuilt and the deployer no longer fails. (BZ#1372350)

Kubernetes Deployments Support

Pod Disruption Budgets

OpenShift Pipelines

Extended Builds

Service Serving Certificate Secrets

Dynamic Storage Provisioning

Init containers

Cron Jobs

Previously, upgrading from OpenShift Container Platform 3.3 to 3.4 caused all user identities to disappear, though they were still present in etcd, and OAuth-based users could no longer log in. New 3.4 installations were also affected. This was caused by an unintentional change in the etcd prefix for user identities; egressnetworkpolicies were similarly affected.

An etcd performance issue has been discovered on new and upgraded OpenShift Container Platform 3.4 clusters. See the following Knowledgebase Solution for further details: