Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo
Hi all,

I don't think the RPMs have a critical security vulnerability. The module in question should be origin-control-plane [1], which is a container running within OKD 3.11. I have two OKD 3.11 clusters; on each master node I ran

    docker pull docker.io/openshift/origin-control-plane:v3.11
    /usr/local/bin/master-restart api
    /usr/local/bin/master-restart controllers

to pull the newer image, and the gravitational/cve-2018-1002105:latest image shows no vulnerabilities.

[1] https://github.com/openshift/origin/issues/21606#issuecomment-446974567

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
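As an added example (not code from any message in this thread), the following script carries out the image refresh and api/controllers restart described above across several masters, but only restarts when the rolling v3.11 tag actually delivered a new image, and records the digest each master ends up running. Master host names, root ssh access and the log file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Refreshes the OKD 3.11 control-plane
# image on each master (the steps from the message above) and restarts
# api/controllers only when the rolling v3.11 tag actually delivered a new image.
# Assumptions: master host names in MASTERS, root ssh access to them, and the
# image name/tag used in the thread. The log file name is also made up here.
set -eu

IMAGE="${IMAGE:-docker.io/openshift/origin-control-plane:v3.11}"
MASTERS="${MASTERS:-master1.example.test master2.example.test}"  # hypothetical hosts
DIGEST_LOG="${DIGEST_LOG:-control-plane-digests.log}"

# Pull the content digest (sha256:<64 hex>) out of a RepoDigests entry such as
# "docker.io/openshift/origin-control-plane@sha256:...". Prints nothing if absent.
repo_digest() {
    printf '%s\n' "$1" | sed -n 's/.*@\(sha256:[0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# True (exit 0) when a pull produced a different image than was stored before.
# An empty "after" means the pull did not leave a usable digest: do not restart.
digest_changed() {
    local before="$1" after="$2"
    [ -n "$after" ] && [ "$before" != "$after" ]
}

# Digest of IMAGE as currently stored on a host, or empty if not present.
remote_digest() {
    local host="$1"
    ssh "root@$host" \
        "docker inspect --format '{{index .RepoDigests 0}}' '$IMAGE' 2>/dev/null || true"
}

# Refresh one master: record the digest before and after the pull, restart only on change.
refresh_master() {
    local host="$1" before after
    before="$(repo_digest "$(remote_digest "$host")")"
    ssh "root@$host" "docker pull '$IMAGE' >/dev/null"
    after="$(repo_digest "$(remote_digest "$host")")"
    if digest_changed "$before" "$after"; then
        echo "$host: new image $after, restarting api and controllers"
        ssh "root@$host" \
            "/usr/local/bin/master-restart api && /usr/local/bin/master-restart controllers"
    else
        echo "$host: image unchanged (${after:-no digest}), nothing restarted"
    fi
    # Keep a record of what each master runs so the fleet can be audited later.
    printf '%s %s %s\n' "$host" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${after:-none}" >> "$DIGEST_LOG"
}

refresh_all() {
    local h
    for h in $MASTERS; do
        refresh_master "$h"
    done
}

# Run with RUN_REFRESH=1 to act on the masters; otherwise only the functions are defined.
if [ "${RUN_REFRESH:-0}" = 1 ]; then
    refresh_all
fi
```

Run it as `RUN_REFRESH=1 MASTERS="m1 m2 m3" ./refresh-control-plane.sh`; the digest log lets you confirm afterwards that every master runs the same image.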
Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo
On Mon, 7 Jan 2019 at 8:01 am, mabi wrote:

> ‐‐‐ Original Message ‐‐‐
> On Sunday, January 6, 2019 12:28 PM, Joel Pearson <japear...@agiledigital.com.au> wrote:
>
>> I think it's worth mentioning here that the RPMs at http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a critical security vulnerability, I think it's unsafe to use the RPMs if you're planning on having your cluster available on the internet.
>>
>> https://access.redhat.com/security/cve/cve-2018-1002105
>
> Thank you Joel for pointing this important security issue out. I was not aware that the OpenShift RPMs on this official CentOS repository are not being updated for security vulnerabilities. This is a total no-go for me as my cluster is facing the internet.

It looks like the RPMs will eventually get the security fix, according to the other reply from Daniel Comnea. But with containers you could have a fix within a day, as opposed to waiting for a new tag, which still hasn't happened yet and it's been more than 1 month.

>> Unless you're going to be using the RedHat supported version of OpenShift, ie OCP, then I think the only safe option is to install OKD with Centos Atomic Host and the containerised version of OpenShift, ie not use the RPMs at all.
>
> I will stick with OKD and try out CentOS Atomic Host instead of plain CentOS.
>
>> However, the bad news for you is that an upgrade from RPMs to containerised would not be simple, and you couldn't reuse your nodes because you'd need to switch from Centos regular to Centos Atomic Host. It would probably be technically possible but not simple. I guess you'd upgrade your 3.10 cluster to the vulnerable version of 3.11 via RPMs, and then migrate your cluster to another cluster running on Atomic Host, I'm guessing there is probably some way to replicate the etcd data from one cluster to another. But it sounds like it'd be a lot of work, and you'd need some pretty deep skills in etcd and openshift.
>
> As I am still trying out OKD I will simply trash my existing CentOS nodes and re-install them all with CentOS Atomic Host. That shouldn't be a problem. I just hope that installing OKD on Atomic Host is better documented than the installation on plain CentOS, especially in regard to the upgrading procedure. But if I understand correctly the upgrade procedure here should be simplified as everything runs inside Docker containers.

The upgrade procedure is the same as with RPMs, however you wouldn't need to change the rpm repo. https://docs.okd.io/3.11/upgrading/automated_upgrades.html

A word of warning about the next major version upgrade, v4.0: Atomic Host support is deprecated in favour of CoreOS (which RedHat recently acquired); however CoreOS is not supported for 3.11, so it looks like you'll need to do a cluster rebuild for v4.0. But at least you'll be able to get 3.11 patches in the meantime.

> Now I first have to figure out how to install my CentOS Atomic Host virtual machines automatically with PXE and kickstart. It looks like I just need to adapt my kickstart file for Atomic Host (rpm ostree) and I get Atomic Host instead of plain CentOS...
Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo
‐‐‐ Original Message ‐‐‐
On Sunday, January 6, 2019 12:28 PM, Joel Pearson wrote:

> I think it's worth mentioning here that the RPMs at http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a critical security vulnerability, I think it's unsafe to use the RPMs if you're planning on having your cluster available on the internet.
>
> https://access.redhat.com/security/cve/cve-2018-1002105

Thank you Joel for pointing this important security issue out. I was not aware that the OpenShift RPMs on this official CentOS repository are not being updated for security vulnerabilities. This is a total no-go for me as my cluster is facing the internet.

> Unless you're going to be using the RedHat supported version of OpenShift, ie OCP, then I think the only safe option is to install OKD with Centos Atomic Host and the containerised version of OpenShift, ie not use the RPMs at all.

I will stick with OKD and try out CentOS Atomic Host instead of plain CentOS.

> However, the bad news for you is that an upgrade from RPMs to containerised would not be simple, and you couldn't reuse your nodes because you'd need to switch from Centos regular to Centos Atomic Host. It would probably be technically possible but not simple. I guess you'd upgrade your 3.10 cluster to the vulnerable version of 3.11 via RPMs, and then migrate your cluster to another cluster running on Atomic Host, I'm guessing there is probably some way to replicate the etcd data from one cluster to another. But it sounds like it'd be a lot of work, and you'd need some pretty deep skills in etcd and openshift.

As I am still trying out OKD I will simply trash my existing CentOS nodes and re-install them all with CentOS Atomic Host. That shouldn't be a problem. I just hope that installing OKD on Atomic Host is better documented than the installation on plain CentOS, especially in regard to the upgrading procedure. But if I understand correctly the upgrade procedure here should be simplified as everything runs inside Docker containers.

Now I first have to figure out how to install my CentOS Atomic Host virtual machines automatically with PXE and kickstart. It looks like I just need to adapt my kickstart file for Atomic Host (rpm ostree) and I get Atomic Host instead of plain CentOS...
Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo
Joel & all,

On the CVE subject you are correct. However, if you read [1] you will better understand a) the PaaS SIG process on how the Origin rpm is getting built (based on the Origin release tag) and b) what is holding up getting a new Origin v3.11 rpm out.

Hope that helps a bit,
Dani

[1] http://lists.openshift.redhat.com/openshift-archives/dev/2018-December/msg00015.html
Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo
I think it's worth mentioning here that the RPMs at http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a critical security vulnerability. I think it's unsafe to use the RPMs if you're planning on having your cluster available on the internet.

https://access.redhat.com/security/cve/cve-2018-1002105

Unless you're going to be using the RedHat supported version of OpenShift, ie OCP, then I think the only safe option is to install OKD with Centos Atomic Host and the containerised version of OpenShift, ie not use the RPMs at all.

The problem with the RPMs is that you get no patches, only the version of OpenShift 3.11.0 as it was when it was released. However, the containerized version of OKD (only supported on Atomic Host) has a rolling tag (see https://lists.openshift.redhat.com/openshift-archives/users/2018-October/msg00049.html) and you'll notice that the containers were just rebuilt a few minutes ago: https://hub.docker.com/r/openshift/origin-node/tags

It looks like the OKD images are rebuilt from the release-3.11 branch: https://github.com/openshift/origin/commits/release-3.11

You can see the CVE critical vulnerability was fixed in commits on December 4; however, the RPMs were built on the 5th of November so they certainly do not contain the critical vulnerability fixes.

I am running OKD 3.11 on Centos Atomic Host on an OpenStack cluster and it works fine, and I can confirm from the OKD About page that I'm running a version of OpenShift that is patched: OpenShift Master: v3.11.0+d0a16e1-79 (which lines up with commits on December 31).

However, the bad news for you is that an upgrade from RPMs to containerised would not be simple, and you couldn't reuse your nodes because you'd need to switch from Centos regular to Centos Atomic Host. It would probably be technically possible but not simple. I guess you'd upgrade your 3.10 cluster to the vulnerable version of 3.11 via RPMs, and then migrate your cluster to another cluster running on Atomic Host; I'm guessing there is probably some way to replicate the etcd data from one cluster to another. But it sounds like it'd be a lot of work, and you'd need some pretty deep skills in etcd and openshift.

On Sun, 6 Jan 2019 at 07:03, mabi wrote:

> ‐‐‐ Original Message ‐‐‐
> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea wrote:
>
>> [DC]: i think you are a bit confused: there are 2 ways to get the rpms from CentOS yum repo: using the generic repo [1] which will always have the latest origin release OR [2] where i've mentioned that you can install centos-release-openshift-origin3* rpm which will give you [3] yum repo
>
> Thank you for your precisions and yes I am confused because first of all the upgrading documentation on the okd.io website does not mention anything about having to manually change the yum repo.repos.d file to match a new directory for a new version of openshift.
>
> Then second, this mail (https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg7.html) has the following sentence, I quote:
>
> "Please note that due to ongoing work on releasing CentOS 7.6, the mirror.centos.org repo is in freeze mode - see [4] and as such we have not published the rpms to [5]. Once the freeze mode will end, we'll publish the rpms."
>
> So when is the freeze mode over for this repo? I read this should have happened after the CentOS 7.6 release but that was already one month ago and still no version 3.11 RPMs in the http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>
> Finally, all I want to do is to upgrade my current okd version 3.10 to version 3.11 but I can't find any complete instructions documented correctly. The best I can find is https://docs.okd.io/3.11/upgrading/automated_upgrades.html which simply mentions running the following upgrade playbook:
>
>     ansible-playbook \
>         -i \
>         playbooks/byo/openshift-cluster/upgrades//upgrade.yml
>
> Again here there is no mention of having to modify a yum.repos.d file beforehand or having to install the centos-release-openshift-origin package...
>
> I would be glad if someone can clarify the full upgrade process and/or have the official documentation enhanced.