I think it's worth mentioning here that the RPMs at
http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a
critical security vulnerability. I think it's unsafe to use the RPMs if
you're planning on having your cluster available on the internet.

https://access.redhat.com/security/cve/cve-2018-1002105

Unless you're going to be using the Red Hat supported version of OpenShift,
i.e. OCP, then I think the only safe option is to install OKD with CentOS
Atomic Host and the containerised version of OpenShift, i.e. not use the RPMs
at all.

The problem with the RPMs is that you get no patches, only the version of
OpenShift 3.11.0 as it was when it was released. However, the containerized
version of OKD (only supported on Atomic Host) has a rolling tag (see
https://lists.openshift.redhat.com/openshift-archives/users/2018-October/msg00049.html)
and you'll notice that the containers were just rebuilt a few minutes ago:
https://hub.docker.com/r/openshift/origin-node/tags

It looks like the OKD images are rebuilt from the release-3.11 branch:
https://github.com/openshift/origin/commits/release-3.11

You can see the CVE critical vulnerability was fixed in commits on December
4; however, the RPMs were built on the 5th of November so they certainly do
not contain the critical vulnerability fixes.

I am running OKD 3.11 on CentOS Atomic Host on an OpenStack cluster and it
works fine, and I can confirm from the OKD About page that I'm running a
version of OpenShift that is patched: OpenShift Master: v3.11.0+d0a16e1-79
(which lines up with commits on December 31).

However, the bad news for you is that an upgrade from RPMs to containerised
would not be simple, and you couldn't reuse your nodes because you'd need
to switch from CentOS regular to CentOS Atomic Host. It would probably be
technically possible but not simple. I guess you'd upgrade your 3.10
cluster to the vulnerable version of 3.11 via RPMs, and then migrate your
cluster to another cluster running on Atomic Host. I'm guessing there is
probably some way to replicate the etcd data from one cluster to another.
But it sounds like it'd be a lot of work, and you'd need some pretty deep
skills in etcd and OpenShift.

On Sun, 6 Jan 2019 at 07:03, mabi <m...@protonmail.ch> wrote:

> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea <comnea.d...@gmail.com>
> wrote:
>
> [DC]: I think you are a bit confused: there are 2 ways to get the rpms
> from CentOS yum repo: using the generic repo [1] which will always have the
> latest origin release OR [2] where I've mentioned that you can install
> *centos-release-openshift-origin3** rpm which will give you [3] yum repo
>
>
> Thank you for your precisions and yes I am confused because first of all
> the upgrading documentation on the okd.io website does not mention
> anything about having to manually change the yum repo.repos.d file to match
> a new directory for a new version of openshift.
>
> Then second, this mail (
> https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg00007.html)
> has the following sentence, I quote:
>
> "Please note that due to ongoing work on releasing CentOS 7.6, the
> mirror.centos.org repo is in freeze mode - see [4] and as such we have
> not published the rpms to [5]. Once the freeze mode will end, we'll publish
> the rpms."
>
> So when is the freeze mode over for this repo? I read this should have
> happened after the CentOS 7.6 release but that was already one month ago
> and still no version 3.11 RPMs in the
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>
> Finally, all I want to do is to upgrade my current okd version 3.10 to
> version 3.11 but I can't find any complete instructions documented
> correctly. The best I can find is
> https://docs.okd.io/3.11/upgrading/automated_upgrades.html which simply
> mentions running the following upgrade playbook:
>
> ansible-playbook \
>     -i </path/to/inventory/file> \
>     playbooks/byo/openshift-cluster/upgrades/<version>/upgrade.yml
>
> Again here there is no mention of having to modify a yum.repos.d file
> beforehand or having to install the centos-release-openshift-origin
> package...
>
> I would be glad if someone can clarify the full upgrade process and/or
> have the official documentation enhanced.
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>