Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-07 Thread Joel Pearson
It just detects. It checks the operating system type. You don’t even need
to change the inventory at all. As rpms are only supported on CentOS and
containerised only on Atomic.

On Mon, 7 Jan 2019 at 7:47 pm, mabi  wrote:

> ‐‐‐ Original Message ‐‐‐
> On Sunday, January 6, 2019 11:13 PM, Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
> It looks like the RPMs will eventually get the security fix according to
> the other reply from Daniel Comnea. But with containers you could have a
> fix within a day as opposed to waiting for new tag which still hasn’t
> happened yet and it’s been more than 1 month.
>
>
> That's good to know that it will eventually get fixed but with security
> vulnerabilities 1 month is already too long.
>
> The upgrade procedure is the same as RPMs, however you wouldn’t need to
> change the rpm repo.
>
>
> That's great! So this means that the OpenShift Ansible upgrade.yml
> playbook detects if the node is using CentOS+RPMs or Atomic Host+Docker and
> then upgrades using the correct way? or is there any special parameter I
> need for example in my Ansible inventory file to let the playbook know that
> I would be using Atomic Host?
>
>
> On Sun, 6 Jan 2019 at 07:03, mabi  wrote:
>>
>>> ‐‐‐ Original Message ‐‐‐
>>> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea <
>>> comnea.d...@gmail.com> wrote:
>>>
>>> [DC]: i think you are a bit confused: there are 2 ways to get the rpms
>>> from CentOS yum repo: using the generic repo [1] which will always have the
>>> latest origin release OR [2] where i've mentioned that you can install
>>> *centos-release-openshift-origin3** rpm which will give you [3] yum repo
>>>
>>>
>>> Thank you for your precisions and yes I am confused because first of all
>>> the upgrading documentation on the okd.io website does not mention
>>> anything about having to manually change the yum repo.repos.d file to match
>>> a new directory for a new version of openshift.
>>>
>>> Then second, this mail (
>>> https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg7.html)
>>> has the following sentence, I quote:
>>>
>>> "Please note that due to ongoing work on releasing CentOS 7.6, the
>>> mirror.centos.org repo is in freeze mode - see [4] and as such we have
>>> not published the rpms to [5]. Once the freeze mode will end, we'll publish
>>> the rpms."
>>>
>>> So when is the freeze mode over for this repo? I read this should have
>>> happened after the CentOS 7.6 release but that was already one month ago
>>> and still no version 3.11 RPMs in the
>>> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>>>
>>> Finally, all I want to do is to upgrade my current okd version 3.10 to
>>> version 3.11 but I can't find any complete instructions documented
>>> correctly. The best I can find is
>>> https://docs.okd.io/3.11/upgrading/automated_upgrades.html which simply
>>> mentions running the following upgrade playbook:
>>>
>>> ansible-playbook \
>>> -i  \
>>> playbooks/byo/openshift-cluster/upgrades//upgrade.yml
>>>
>>> Again here there is no mention of having to modify a yum.repos.d file
>>> beforehand or having to install the centos-release-openshift-origin
>>> package...
>>>
>>> I would be glad if someone can clarify the full upgrade process and/or
>>> have the official documentation enhanced.
>>> ___
>>> users mailing list
>>> users@lists.openshift.redhat.com
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 | m: 0405 417 843 <0405417843> | w: agiledigital.com.au


Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-07 Thread mabi
‐‐‐ Original Message ‐‐‐
On Sunday, January 6, 2019 11:13 PM, Joel Pearson wrote:

> It looks like the RPMs will eventually get the security fix according to the 
> other reply from Daniel Comnea. But with containers you could have a fix 
> within a day as opposed to waiting for new tag which still hasn’t happened 
> yet and it’s been more than 1 month.

That's good to know that it will eventually get fixed but with security 
vulnerabilities 1 month is already too long.

> The upgrade procedure is the same as RPMs, however you wouldn’t need to 
> change the rpm repo.

That's great! So this means that the OpenShift Ansible upgrade.yml playbook 
detects if the node is using CentOS+RPMs or Atomic Host+Docker and then 
upgrades using the correct way? or is there any special parameter I need for 
example in my Ansible inventory file to let the playbook know that I would be 
using Atomic Host?

> On Sun, 6 Jan 2019 at 07:03, mabi wrote:
>
>> ‐‐‐ Original Message ‐‐‐
>> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea wrote:
>>
>>> [DC]: i think you are a bit confused: there are 2 ways to get the rpms
>>> from CentOS yum repo: using the generic repo [1] which will always have
>>> the latest origin release OR [2] where i've mentioned that you can
>>> install centos-release-openshift-origin3* rpm which will give you [3] yum
>>> repo
>>
>> Thank you for your precisions and yes I am confused because first of all
>> the upgrading documentation on the okd.io website does not mention
>> anything about having to manually change the yum repo.repos.d file to
>> match a new directory for a new version of openshift.
>>
>> Then second, this mail
>> (https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg7.html)
>> has the following sentence, I quote:
>>
>> "Please note that due to ongoing work on releasing CentOS 7.6, the
>> mirror.centos.org repo is in freeze mode - see [4] and as such we have not
>> published the rpms to [5]. Once the freeze mode will end, we'll publish
>> the rpms."
>>
>> So when is the freeze mode over for this repo? I read this should have
>> happened after the CentOS 7.6 release but that was already one month ago
>> and still no version 3.11 RPMs in the
>> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>>
>> Finally, all I want to do is to upgrade my current okd version 3.10 to
>> version 3.11 but I can't find any complete instructions documented
>> correctly. The best I can find is
>> https://docs.okd.io/3.11/upgrading/automated_upgrades.html which simply
>> mentions running the following upgrade playbook:
>>
>> ansible-playbook \
>> -i  \
>> playbooks/byo/openshift-cluster/upgrades//upgrade.yml
>>
>> Again here there is no mention of having to modify a yum.repos.d file
>> beforehand or having to install the centos-release-openshift-origin
>> package...
>>
>> I would be glad if someone can clarify the full upgrade process and/or
>> have the official documentation enhanced.


Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-06 Thread Gripen Kwok
Hi all,

I don't think RPMs have a critical security vulnerability. The module in
question should be origin-control-plane [1], which is a container running within
OKD 3.11. I have two OKD 3.11 clusters; on each master node, I ran

    docker pull docker.io/openshift/origin-control-plane:v3.11
    /usr/local/bin/master-restart api
    /usr/local/bin/master-restart controllers

to pull the newer image, and the gravitational/cve-2018-1002105:latest image
shows no vulnerabilities.


[1] https://github.com/openshift/origin/issues/21606#issuecomment-446974567



On Sun, Jan 6, 2019 at 11:29 AM Joel Pearson wrote:

> I think it's worth mentioning here that the RPMs at
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a
> critical security vulnerability, I think it's unsafe to use the RPMs if you're
> planning on having your cluster available on the internet.
>
> https://access.redhat.com/security/cve/cve-2018-1002105
>
> Unless you're going to be using the RedHat supported version of OpenShift, ie
> OCP, then I think the only safe option is to install OKD with Centos Atomic
> Host and the containerised version of OpenShift, ie not use the RPMs at all.
>
> The problem with the RPMs, is that you get no patches, only the version of
> OpenShift 3.11.0 as it was when it was released, however, the containerized
> version of OKD (only supported on Atomic Host) has a rolling tag (see
> https://lists.openshift.redhat.com/openshift-archives/users/2018-October/msg00049.html)
> and you'll notice that the containers were just rebuilt a few minutes ago:
> https://hub.docker.com/r/openshift/origin-node/tags
>
> It looks like the OKD images are rebuilt from the release-3.11 branch:
> https://github.com/openshift/origin/commits/release-3.11
>
> You can see the CVE critical vulnerability was fixed in commits on December 4,
> however, the RPMs were built on the 5th of November so they certainly do not
> contain the critical vulnerability fixes.
>
> I am running OKD 3.11 on Centos Atomic Host on an OpenStack cluster and it
> works fine, and I can confirm from the OKD About page that I'm running a
> version of OpenShift that is patched: OpenShift Master: v3.11.0+d0a16e1-79
> (which lines up with commits on December 31)
>
> However, the bad news for you is that an upgrade from RPMs to containerised
> would not be simple, and you couldn't reuse your nodes because you'd need to
> switch from Centos regular to Centos Atomic Host.  It would probably be
> technically possible but not simple.  I guess you'd upgrade your 3.10 cluster
> to the vulnerable version of 3.11 via RPMs, and then migrate your cluster to
> another cluster running on Atomic Host, I'm guessing there is probably some way
> to replicate the etcd data from one cluster to another. But it sounds like it'd
> be a lot of work, and you'd need some pretty deep skills in etcd and openshift.
>
> On Sun, 6 Jan 2019 at 07:03, mabi wrote:
>
>> ‐‐‐ Original Message ‐‐‐
>> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea wrote:
>>
>>> [DC]: i think you are a bit confused: there are 2 ways to get the rpms from
>>> CentOS yum repo: using the generic repo [1] which will always have the latest
>>> origin release OR [2] where i've mentioned that you can install
>>> centos-release-openshift-origin3* rpm which will give you [3] yum repo
>>
>> Thank you for your precisions and yes I am confused because first of all the
>> upgrading documentation on the okd.io website does not mention anything about
>> having to manually change the yum repo.repos.d file to match a new directory
>> for a new version of openshift.
>>
>> Then second, this mail
>> (https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg7.html)
>> has the following sentence, I quote:
>>
>> "Please note that due to ongoing work on releasing CentOS 7.6, the
>> mirror.centos.org repo is in freeze mode - see [4] and as such we have not
>> published the rpms to [5]. Once the freeze mode will end, we'll publish the
>> rpms."
>>
>> So when is the freeze mode over for this repo? I read this should have happened
>> after the CentOS 7.6 release but that was already one month ago and still no
>> version 3.11 RPMs in the
>> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>>
>> Finally, all I want to do is to upgrade my current okd version 3.10 to version
>> 3.11 but I can't find any complete instructions documented correctly. The best
>> I can find is https://docs.okd.io/3.11/upgrading/automated_upgrades.html which
>> simply mentions running the following upgrade playbook:
>>
>> ansible-playbook \
>> -i  \
>> playbooks/byo/openshift-cluster/upgrades//upgrade.yml
>>
>> Again here there is no mention of having to modify a yum.repos.d file
>> beforehand or having to install the centos-release-openshift-origin package...
>>
>> I would be glad if someone can clarify the full upgrade process and/or have the
>> official documentation enhanced.


Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-06 Thread Joel Pearson
On Mon, 7 Jan 2019 at 8:01 am, mabi  wrote:

> ‐‐‐ Original Message ‐‐‐
> On Sunday, January 6, 2019 12:28 PM, Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
> I think it's worth mentioning here that the RPMs at
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a
> critical security vulnerability, I think it's unsafe to use the RPMs if
> you're planning on having your cluster available on the internet.
>
> https://access.redhat.com/security/cve/cve-2018-1002105
>
>
> Thank you Joel for pointing this important security issue out. I was not
> aware that the OpenShift RPMs on this official CentOS repository are not
> being updated for security vulnerabilities. This is a total nogo for me as
> my cluster is facing the internet.
>

It looks like the RPMs will eventually get the security fix according to
the other reply from Daniel Comnea. But with containers you could have a
fix within a day as opposed to waiting for new tag which still hasn’t
happened yet and it’s been more than 1 month.


> Unless you're going to be using the RedHat supported version of OpenShift,
> ie OCP, then I think the only safe option is to install OKD with Centos
> Atomic Host and the containerised version of OpenShift, ie not use the RPMs
> at all.
>
>
> I will stick with OKD and try out CentOS Atomic Host instead of plain
> CentOS.
>
> However, the bad news for you is that an upgrade from RPMs to
> containerised would not be simple, and you couldn't reuse your nodes
> because you'd need to switch from Centos regular to Centos Atomic Host.  It
> would probably be technically possible but not simple.  I guess you'd
> upgrade your 3.10 cluster to the vulnerable version of 3.11 via RPMs, and
> then migrate your cluster to another cluster running on Atomic Host, I'm
> guessing there is probably some way to replicate the etcd data from one
> cluster to another. But it sounds like it'd be a lot of work, and you'd
> need some pretty deep skills in etcd and openshift.
>
>
> As I am still trying out OKD I will simply trash my existing CentOS nodes
> and re-install them all with CentOS Atomic Host. That shouldn't be a
> problem. I just hope that installing OKD on Atomic Host is better
> documented than the installation on plain CentOS, especially in regard of
> the upgrading procedure. But If I understand correctly the upgrade
> procedure here should be simplified as everything runs inside Docker
> containers.
>

The upgrade procedure is the same as RPMs, however you wouldn’t need to
change the rpm repo.

https://docs.okd.io/3.11/upgrading/automated_upgrades.html

A word of warning about the next major version upgrade, v4.0, Atomic Host
support is deprecated in favour of CoreOS (which RedHat recently acquired)
however CoreOS is not supported for 3.11 so it looks like you’ll need to do
a cluster rebuild for v4.0.  But at least you’ll be able to get 3.11
patches in the meantime.

>
>
> Now I first have to figure out how to install my CentOS Atomic
> Host virtual machines automatically with PXE and kickstart. It looks like I
> just need to adapt my kickstart file for Atomic Host (rpm ostree) and I get
> Atomic Host instead of plain CentOS...
>
>
> On Sun, 6 Jan 2019 at 07:03, mabi  wrote:
>
>> ‐‐‐ Original Message ‐‐‐
>> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea <
>> comnea.d...@gmail.com> wrote:
>>
>> [DC]: i think you are a bit confused: there are 2 ways to get the rpms
>> from CentOS yum repo: using the generic repo [1] which will always have the
>> latest origin release OR [2] where i've mentioned that you can install
>> *centos-release-openshift-origin3** rpm which will give you [3] yum repo
>>
>>
>> Thank you for your precisions and yes I am confused because first of all
>> the upgrading documentation on the okd.io website does not mention
>> anything about having to manually change the yum repo.repos.d file to match
>> a new directory for a new version of openshift.
>>
>> Then second, this mail (
>> https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg7.html)
>> has the following sentence, I quote:
>>
>> "Please note that due to ongoing work on releasing CentOS 7.6, the
>> mirror.centos.org repo is in freeze mode - see [4] and as such we have
>> not published the rpms to [5]. Once the freeze mode will end, we'll publish
>> the rpms."
>>
>> So when is the freeze mode over for this repo? I read this should have
>> happened after the CentOS 7.6 release but that was already one month ago
>> and still no version 3.11 RPMs in the
>> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>>
>> Finally, all I want to do is to upgrade my current okd version 3.10 to
>> version 3.11 but I can't find any complete instructions documented
>> correctly. The best I can find is
>> https://docs.okd.io/3.11/upgrading/automated_upgrades.html which simply
>> mentions running the following upgrade playbook:
>>
>> ansible-playbook \
>> -i  \
>> 

Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-06 Thread mabi
‐‐‐ Original Message ‐‐‐
On Sunday, January 6, 2019 12:28 PM, Joel Pearson wrote:

> I think it's worth mentioning here that the RPMs at 
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a 
> critical security vulnerability, I think it's unsafe to use the RPMs if 
> you're planning on having your cluster available on the internet.
>
> https://access.redhat.com/security/cve/cve-2018-1002105

Thank you Joel for pointing this important security issue out. I was not aware 
that the OpenShift RPMs on this official CentOS repository are not being 
updated for security vulnerabilities. This is a total nogo for me as my cluster 
is facing the internet.

> Unless you're going to be using the RedHat supported version of OpenShift, ie 
> OCP, then I think the only safe option is to install OKD with Centos Atomic 
> Host and the containerised version of OpenShift, ie not use the RPMs at all.

I will stick with OKD and try out CentOS Atomic Host instead of plain CentOS.

> However, the bad news for you is that an upgrade from RPMs to containerised 
> would not be simple, and you couldn't reuse your nodes because you'd need to 
> switch from Centos regular to Centos Atomic Host.  It would probably be 
> technically possible but not simple.  I guess you'd upgrade your 3.10 cluster 
> to the vulnerable version of 3.11 via RPMs, and then migrate your cluster to 
> another cluster running on Atomic Host, I'm guessing there is probably some 
> way to replicate the etcd data from one cluster to another. But it sounds 
> like it'd be a lot of work, and you'd need some pretty deep skills in etcd 
> and openshift.

As I am still trying out OKD I will simply trash my existing CentOS nodes and 
re-install them all with CentOS Atomic Host. That shouldn't be a problem. I 
just hope that installing OKD on Atomic Host is better documented than the 
installation on plain CentOS, especially in regard of the upgrading procedure. 
But If I understand correctly the upgrade procedure here should be simplified 
as everything runs inside Docker containers.

Now I first have to figure out how to install my CentOS Atomic Host virtual 
machines automatically with PXE and kickstart. It looks like I just need to 
adapt my kickstart file for Atomic Host (rpm ostree) and I get Atomic Host 
instead of plain CentOS...

> On Sun, 6 Jan 2019 at 07:03, mabi  wrote:
>
>> ‐‐‐ Original Message ‐‐‐
>> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea  
>> wrote:
>>
>>> [DC]: i think you are a bit confused: there are 2 ways to get the rpms from 
>>> CentOS yum repo: using the generic repo [1] which will always have the 
>>> latest origin release OR [2] where i've mentioned that you can install 
>>> centos-release-openshift-origin3* rpm which will give you [3] yum repo
>>
>> Thank you for your precisions and yes I am confused because first of all the 
>> upgrading documentation on the okd.io website does not mention anything 
>> about having to manually change the yum repo.repos.d file to match a new 
>> directory for a new version of openshift.
>>
>> Then second, this mail 
>> (https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg7.html)
>>  has the following sentence, I quote:
>>
>> "Please note that due to ongoing work on releasing CentOS 7.6, the 
>> mirror.centos.org repo is in freeze mode - see [4] and as such we have not 
>> published the rpms to [5]. Once the freeze mode will end, we'll publish the 
>> rpms."
>>
>> So when is the freeze mode over for this repo? I read this should have 
>> happened after the CentOS 7.6 release but that was already one month ago and 
>> still no version 3.11 RPMs in the 
>> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>>
>> Finally, all I want to do is to upgrade my current okd version 3.10 to 
>> version 3.11 but I can't find any complete instructions documented 
>> correctly. The best I can find is 
>> https://docs.okd.io/3.11/upgrading/automated_upgrades.html which simply 
>> mentions running the following upgrade playbook:
>>
>> ansible-playbook \
>> -i  \
>> playbooks/byo/openshift-cluster/upgrades//upgrade.yml
>>
>> Again here there is no mention of having to modify a yum.repos.d file 
>> beforehand or having to install the centos-release-openshift-origin 
>> package...
>>
>> I would be glad if someone can clarify the full upgrade process and/or have 
>> the official documentation enhanced.


Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-06 Thread Daniel Comnea
Joel & all,

On the CVE subject you are correct; however, if you read [1] you will better
understand a) the PaaS SIG process on how the Origin rpm is getting built
(based on the Origin release tag) and b) what is holding up getting a new
Origin v3.11 rpm out.

Hope that helps a bit
Dani

[1]
http://lists.openshift.redhat.com/openshift-archives/dev/2018-December/msg00015.html


On Sun, Jan 6, 2019 at 11:29 AM Joel Pearson wrote:

> I think it's worth mentioning here that the RPMs at
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a
> critical security vulnerability, I think it's unsafe to use the RPMs if
> you're planning on having your cluster available on the internet.
>
> https://access.redhat.com/security/cve/cve-2018-1002105
>
> Unless you're going to be using the RedHat supported version of OpenShift,
> ie OCP, then I think the only safe option is to install OKD with Centos
> Atomic Host and the containerised version of OpenShift, ie not use the RPMs
> at all.
>
> The problem with the RPMs, is that you get no patches, only the version of
> OpenShift 3.11.0 as it was when it was released, however, the containerized
> version of OKD (only supported on Atomic Host) has a rolling tag (see
> https://lists.openshift.redhat.com/openshift-archives/users/2018-October/msg00049.html)
> and you'll notice that the containers were just rebuilt a few minutes ago:
> https://hub.docker.com/r/openshift/origin-node/tags
>
> It looks like the OKD images are rebuilt from the release-3.11 branch:
> https://github.com/openshift/origin/commits/release-3.11
>
> You can see the CVE critical vulnerability was fixed in commits on
> December 4, however, the RPMs were built on the 5th of November so they
> certainly do not contain the critical vulnerability fixes.
>
> I am running OKD 3.11 on Centos Atomic Host on an OpenStack cluster and it
> works fine, and I can confirm from the OKD About page that I'm running a
> version of OpenShift that is patched: OpenShift Master: v3.11.0+d0a16e1-79
> (which lines up with commits on December 31)
>
> However, the bad news for you is that an upgrade from RPMs to
> containerised would not be simple, and you couldn't reuse your nodes
> because you'd need to switch from Centos regular to Centos Atomic Host.  It
> would probably be technically possible but not simple.  I guess you'd
> upgrade your 3.10 cluster to the vulnerable version of 3.11 via RPMs, and
> then migrate your cluster to another cluster running on Atomic Host, I'm
> guessing there is probably some way to replicate the etcd data from one
> cluster to another. But it sounds like it'd be a lot of work, and you'd
> need some pretty deep skills in etcd and openshift.
>
> On Sun, 6 Jan 2019 at 07:03, mabi  wrote:
>
>> ‐‐‐ Original Message ‐‐‐
>> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea <
>> comnea.d...@gmail.com> wrote:
>>
>> [DC]: i think you are a bit confused: there are 2 ways to get the rpms
>> from CentOS yum repo: using the generic repo [1] which will always have the
>> latest origin release OR [2] where i've mentioned that you can install
>> *centos-release-openshift-origin3** rpm which will give you [3] yum repo
>>
>>
>> Thank you for your precisions and yes I am confused because first of all
>> the upgrading documentation on the okd.io website does not mention
>> anything about having to manually change the yum repo.repos.d file to match
>> a new directory for a new version of openshift.
>>
>> Then second, this mail (
>> https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg7.html)
>> has the following sentence, I quote:
>>
>> "Please note that due to ongoing work on releasing CentOS 7.6, the
>> mirror.centos.org repo is in freeze mode - see [4] and as such we have
>> not published the rpms to [5]. Once the freeze mode will end, we'll publish
>> the rpms."
>>
>> So when is the freeze mode over for this repo? I read this should have
>> happened after the CentOS 7.6 release but that was already one month ago
>> and still no version 3.11 RPMs in the
>> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>>
>> Finally, all I want to do is to upgrade my current okd version 3.10 to
>> version 3.11 but I can't find any complete instructions documented
>> correctly. The best I can find is
>> https://docs.okd.io/3.11/upgrading/automated_upgrades.html which simply
>> mentions running the following upgrade playbook:
>>
>> ansible-playbook \
>> -i  \
>> playbooks/byo/openshift-cluster/upgrades//upgrade.yml
>>
>> Again here there is no mention of having to modify a yum.repos.d file
>> beforehand or having to install the centos-release-openshift-origin
>> package...
>>
>> I would be glad if someone can clarify the full upgrade process and/or
>> have the official documentation enhanced.

Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-06 Thread Joel Pearson
I think it's worth mentioning here that the RPMs at
http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a
critical security vulnerability, I think it's unsafe to use the RPMs if
you're planning on having your cluster available on the internet.

https://access.redhat.com/security/cve/cve-2018-1002105

Unless you're going to be using the RedHat supported version of OpenShift,
ie OCP, then I think the only safe option is to install OKD with Centos
Atomic Host and the containerised version of OpenShift, ie not use the RPMs
at all.

The problem with the RPMs, is that you get no patches, only the version of
OpenShift 3.11.0 as it was when it was released, however, the containerized
version of OKD (only supported on Atomic Host) has a rolling tag (see
https://lists.openshift.redhat.com/openshift-archives/users/2018-October/msg00049.html)
and you'll notice that the containers were just rebuilt a few minutes ago:
https://hub.docker.com/r/openshift/origin-node/tags

It looks like the OKD images are rebuilt from the release-3.11 branch:
https://github.com/openshift/origin/commits/release-3.11

You can see the CVE critical vulnerability was fixed in commits on December
4, however, the RPMs were built on the 5th of November so they certainly do
not contain the critical vulnerability fixes.

I am running OKD 3.11 on Centos Atomic Host on an OpenStack cluster and it
works fine, and I can confirm from the OKD About page that I'm running a
version of OpenShift that is patched: OpenShift Master: v3.11.0+d0a16e1-79
(which lines up with commits on December 31)

However, the bad news for you is that an upgrade from RPMs to containerised
would not be simple, and you couldn't reuse your nodes because you'd need
to switch from Centos regular to Centos Atomic Host.  It would probably be
technically possible but not simple.  I guess you'd upgrade your 3.10
cluster to the vulnerable version of 3.11 via RPMs, and then migrate your
cluster to another cluster running on Atomic Host, I'm guessing there is
probably some way to replicate the etcd data from one cluster to another.
But it sounds like it'd be a lot of work, and you'd need some pretty deep
skills in etcd and openshift.

On Sun, 6 Jan 2019 at 07:03, mabi  wrote:

> ‐‐‐ Original Message ‐‐‐
> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea 
> wrote:
>
> [DC]: i think you are a bit confused: there are 2 ways to get the rpms
> from CentOS yum repo: using the generic repo [1] which will always have the
> latest origin release OR [2] where i've mentioned that you can install
> *centos-release-openshift-origin3** rpm which will give you [3] yum repo
>
>
> Thank you for your precisions and yes I am confused because first of all
> the upgrading documentation on the okd.io website does not mention
> anything about having to manually change the yum repo.repos.d file to match
> a new directory for a new version of openshift.
>
> Then second, this mail (
> https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg7.html)
> has the following sentence, I quote:
>
> "Please note that due to ongoing work on releasing CentOS 7.6, the
> mirror.centos.org repo is in freeze mode - see [4] and as such we have
> not published the rpms to [5]. Once the freeze mode will end, we'll publish
> the rpms."
>
> So when is the freeze mode over for this repo? I read this should have
> happened after the CentOS 7.6 release but that was already one month ago
> and still no version 3.11 RPMs in the
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>
> Finally, all I want to do is to upgrade my current okd version 3.10 to
> version 3.11 but I can't find any complete instructions documented
> correctly. The best I can find is
> https://docs.okd.io/3.11/upgrading/automated_upgrades.html which simply
> mentions running the following upgrade playbook:
>
> ansible-playbook \
> -i  \
> playbooks/byo/openshift-cluster/upgrades//upgrade.yml
>
> Again here there is no mention of having to modify a yum.repos.d file
> beforehand or having to install the centos-release-openshift-origin
> package...
>
> I would be glad if someone can clarify the full upgrade process and/or
> have the official documentation enhanced.
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-05 Thread mabi
‐‐‐ Original Message ‐‐‐
On Saturday, January 5, 2019 3:57 PM, Daniel Comnea  
wrote:

> [DC]: I think you are a bit confused: there are 2 ways to get the rpms from 
> CentOS yum repo: using the generic repo [1] which will always have the latest 
> origin release OR [2] where I've mentioned that you can install 
> centos-release-openshift-origin3* rpm which will give you [3] yum repo

Thank you for your precisions and yes I am confused because first of all the 
upgrading documentation on the okd.io website does not mention anything about 
having to manually change the yum repo.repos.d file to match a new directory 
for a new version of openshift.

Then second, this mail 
(https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg7.html)
 has the following sentence, I quote:

"Please note that due to ongoing work on releasing CentOS 7.6, the 
mirror.centos.org repo is in freeze mode - see [4] and as such we have not 
published the rpms to [5]. Once the freeze mode will end, we'll publish the 
rpms."

So when is the freeze mode over for this repo? I read this should have happened 
after the CentOS 7.6 release but that was already one month ago and still no 
version 3.11 RPMs in the 
http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...

Finally, all I want to do is to upgrade my current okd version 3.10 to version 
3.11 but I can't find any complete instructions documented correctly. The best 
I can find is https://docs.okd.io/3.11/upgrading/automated_upgrades.html which 
simply mentions running the following upgrade playbook:

ansible-playbook \
-i  \
playbooks/byo/openshift-cluster/upgrades//upgrade.yml

Again here there is no mention of having to modify a yum.repos.d file 
beforehand or having to install the centos-release-openshift-origin package...

I would be glad if someone can clarify the full upgrade process and/or have the 
official documentation enhanced.


Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-05 Thread Daniel Comnea
On Sat, Jan 5, 2019 at 10:03 AM mabi  wrote:

> ‐‐‐ Original Message ‐‐‐
> On Saturday, January 5, 2019 10:57 AM, Daniel Comnea <
> comnea.d...@gmail.com> wrote:
>
> The specific openshift release directory has been present for a long time.
> Saying that I'll work next week on pushing v3.11 rpms to
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ too
>
>
> Aha, so it is indeed still missing from this specific repo which is in use
> by the openshift-ansible playbook...
>
> That would be great if you can push the missing RPMs to that directory too
> because the openshift-ansible playbooks do rely on this specific directory
> having the right version available as far as I know.
>
[DC]: I think you are a bit confused: there are 2 ways to get the rpms from
CentOS yum repo: using the generic repo [1] which will always have the
latest origin release OR [2] where I've mentioned that you can install
centos-release-openshift-origin3* rpm which will give you [3] yum repo

[1] http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/
[2]
http://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg7.html
[3] http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/


Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-05 Thread mabi
‐‐‐ Original Message ‐‐‐
On Saturday, January 5, 2019 10:57 AM, Daniel Comnea  
wrote:

> The specific openshift release directory has been present for a long time.
> Saying that I'll work next week on pushing v3.11 rpms to 
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ too

Aha, so it is indeed still missing from this specific repo which is in use by 
the openshift-ansible playbook...

That would be great if you can push the missing RPMs to that directory too 
because the openshift-ansible playbooks do rely on this specific directory 
having the right version available as far as I know.


Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-05 Thread Daniel Comnea
The specific openshift release directory has been present for a long time.
Saying that I'll work next week on pushing v3.11 rpms to
http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ too


Dani

On Fri, Jan 4, 2019 at 10:41 PM mabi  wrote:

> ‐‐‐ Original Message ‐‐‐
> On Friday, January 4, 2019 11:15 PM, Erik McCormick <
> emccorm...@cirrusseven.com> wrote:
>
> Change it to use:
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/
>
>
> I see, so now there is one directory per version released and not all
> versions in the same openshift-origin directory like in the past...
>
> As I will be using the upgrade openshift-ansible playbook do I need to
> manually change my yum repo.d file for the new 311 repo directory or does
> the upgrade ansible playbook take care of that?


Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-04 Thread mabi
‐‐‐ Original Message ‐‐‐
On Friday, January 4, 2019 11:15 PM, Erik McCormick 
 wrote:

> Change it to use:
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/

I see, so now there is one directory per version released and not all versions 
in the same openshift-origin directory like in the past...

As I will be using the upgrade openshift-ansible playbook do I need to manually 
change my yum repo.d file for the new 311 repo directory or does the upgrade 
ansible playbook take care of that?


Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-04 Thread Erik McCormick
On Fri, Jan 4, 2019, 4:30 PM mabi wrote:

> Hello,
>
> I am currently running an OKD 3.10 cluster on a few CentOS 7.6 nodes and
> would like to upgrade to 3.11. Unfortunately I noticed that the official
> CentOS 7 paas repo (
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/) still
> does not contain the RPMs for version 3.11. I read that the 3.11 RPMs
> should have been released to the repos after CentOS 7.6 has been out but
> that was already beginning of December and still nothing happened... Am I
> missing something?
>

Change it to use:
http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/


> Here is the relevant repo of my yum repo file
> (/etc/yum.repos.d/CentOS-OpenShift-Origin.repo):
>
> [centos-openshift-origin]
> name=CentOS OpenShift Origin
> baseurl=http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/
> enabled=1
> 
> gpgcheck=1
> gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS
>
> Regards,
> Mabi
>


-Erik
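
Added example (not part of the original thread and not openshift-ansible code): a Python check over the repo stanza quoted above that flags a baseurl still pointing at the unversioned openshift-origin directory and confirms package signature checking stays on when the directory is switched to openshift-origin311. The function names and the embedded sample are constructed for illustration.

```python
import configparser
import re

# Constructed sample: the stanza quoted in the thread.
SAMPLE_REPO = """\
[centos-openshift-origin]
name=CentOS OpenShift Origin
baseurl=http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS
"""

# Last path component: "openshift-origin" plus optional release digits.
_DIR = re.compile(r"/openshift-origin(\d*)/?$")


def audit_repo(text, want_release="311"):
    """Return (section, finding) tuples for enabled OpenShift Origin repos."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        repo = cp[section]
        if repo.get("enabled", "1").strip() != "1":
            continue
        url = repo.get("baseurl", "").strip()
        m = _DIR.search(url)
        if not m:
            continue  # not an OpenShift Origin repo
        if m.group(1) != want_release:
            findings.append((section, "baseurl is not the %s directory: %s"
                             % (want_release, url)))
        # The mirror URL is plain http, so the signature check carries integrity.
        if repo.get("gpgcheck", "").strip() != "1":
            findings.append((section, "gpgcheck is not 1 in this stanza"))
        elif not repo.get("gpgkey", "").strip():
            findings.append((section, "gpgcheck=1 but no gpgkey set"))
    return findings


def pin_release(text, release="311"):
    """Rewrite only the baseurl directory; GPG settings are left untouched."""
    pattern = r"(?m)^(baseurl\s*=\s*\S*?/openshift-origin)\d*(/?)[ \t]*$"
    return re.sub(pattern, r"\g<1>" + release + r"\2", text)
```
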
