Joel & all,

On the CVE subject you are correct; however, if you read [1] you will better
understand a) the PaaS SIG process for how the Origin rpm is getting built
(based on the Origin release tag) and b) what is holding up getting a new
Origin v3.11 rpm out.

Hope that helps a bit
Dani

[1]
http://lists.openshift.redhat.com/openshift-archives/dev/2018-December/msg00015.html


On Sun, Jan 6, 2019 at 11:29 AM Joel Pearson <japear...@agiledigital.com.au>
wrote:

> I think it's worth mentioning here that the RPMs at
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a
> critical security vulnerability; I think it's unsafe to use the RPMs if
> you're planning on having your cluster available on the internet.
>
> https://access.redhat.com/security/cve/cve-2018-1002105
>
> Unless you're going to be using the Red Hat supported version of OpenShift,
> i.e. OCP, then I think the only safe option is to install OKD with CentOS
> Atomic Host and the containerised version of OpenShift, i.e. not use the RPMs
> at all.
>
> The problem with the RPMs is that you get no patches, only the version of
> OpenShift 3.11.0 as it was when it was released; however, the containerized
> version of OKD (only supported on Atomic Host) has a rolling tag (see
> https://lists.openshift.redhat.com/openshift-archives/users/2018-October/msg00049.html)
> and you'll notice that the containers were just rebuilt a few minutes ago:
> https://hub.docker.com/r/openshift/origin-node/tags
>
> It looks like the OKD images are rebuilt from the release-3.11 branch:
> https://github.com/openshift/origin/commits/release-3.11
>
> You can see the CVE critical vulnerability was fixed in commits on
> December 4, however, the RPMs were built on the 5th of November so they
> certainly do not contain the critical vulnerability fixes.
>
> I am running OKD 3.11 on CentOS Atomic Host on an OpenStack cluster and it
> works fine, and I can confirm from the OKD About page that I'm running a
> version of OpenShift that is patched: OpenShift Master: v3.11.0+d0a16e1-79
> (which lines up with commits on December 31)
>
> However, the bad news for you is that an upgrade from RPMs to
> containerised would not be simple, and you couldn't reuse your nodes
> because you'd need to switch from CentOS regular to CentOS Atomic Host. It
> would probably be technically possible but not simple.  I guess you'd
> upgrade your 3.10 cluster to the vulnerable version of 3.11 via RPMs, and
> then migrate your cluster to another cluster running on Atomic Host, I'm
> guessing there is probably some way to replicate the etcd data from one
> cluster to another. But it sounds like it'd be a lot of work, and you'd
> need some pretty deep skills in etcd and OpenShift.
>
> On Sun, 6 Jan 2019 at 07:03, mabi <m...@protonmail.ch> wrote:
>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea <
>> comnea.d...@gmail.com> wrote:
>>
>> [DC]: I think you are a bit confused: there are 2 ways to get the rpms
>> from CentOS yum repo: using the generic repo [1] which will always have the
>> latest origin release OR [2] where I've mentioned that you can install
>> *centos-release-openshift-origin3** rpm which will give you [3] yum repo
>>
>>
>> Thank you for your clarifications, and yes, I am confused because first of all
>> the upgrading documentation on the okd.io website does not mention
>> anything about having to manually change the yum.repos.d file to match
>> a new directory for a new version of OpenShift.
>>
>> Then second, this mail (
>> https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg00007.html)
>> has the following sentence, I quote:
>>
>> "Please note that due to ongoing work on releasing CentOS 7.6, the
>> mirror.centos.org repo is in freeze mode - see [4] and as such we have
>> not published the rpms to [5]. Once the freeze mode will end, we'll publish
>> the rpms."
>>
>> So when is the freeze mode over for this repo? I read this should have
>> happened after the CentOS 7.6 release but that was already one month ago
>> and still no version 3.11 RPMs in the
>> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>>
>> Finally, all I want to do is to upgrade my current OKD version 3.10 to
>> version 3.11 but I can't find any complete instructions documented
>> correctly. The best I can find is
>> https://docs.okd.io/3.11/upgrading/automated_upgrades.html which simply
>> mentions running the following upgrade playbook:
>>
>> ansible-playbook \
>>     -i </path/to/inventory/file> \
>>     playbooks/byo/openshift-cluster/upgrades/<version>/upgrade.yml
>>
>> Again here there is no mention of having to modify a yum.repos.d file
>> beforehand or having to install the centos-release-openshift-origin
>> package...
>>
>> I would be glad if someone can clarify the full upgrade process and/or
>> have the official documentation enhanced.
>> _______________________________________________
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users