‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, January 6, 2019 12:28 PM, Joel Pearson
<[email protected]> wrote:
> I think it's worth mentioning here that the RPMs at
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a
> critical security vulnerability, I think it's unsafe to use the RPMs if
> you're planning on having your cluster available on the internet.
>
> https://access.redhat.com/security/cve/cve-2018-1002105
Thank you Joel for pointing this important security issue out. I was not aware
that the OpenShift RPMs on this official CentOS repository are not being
updated for security vulnerabilities. This is a total no-go for me as my cluster
is facing the internet.
> Unless you're going to be using the Red Hat supported version of OpenShift, i.e.
> OCP, then I think the only safe option is to install OKD with CentOS Atomic
> Host and the containerised version of OpenShift, i.e. not use the RPMs at all.
I will stick with OKD and try out CentOS Atomic Host instead of plain CentOS.
> However, the bad news for you is that an upgrade from RPMs to containerised
> would not be simple, and you couldn't reuse your nodes because you'd need to
> switch from CentOS regular to CentOS Atomic Host. It would probably be
> technically possible but not simple. I guess you'd upgrade your 3.10 cluster
> to the vulnerable version of 3.11 via RPMs, and then migrate your cluster to
> another cluster running on Atomic Host, I'm guessing there is probably some
> way to replicate the etcd data from one cluster to another. But it sounds
> like it'd be a lot of work, and you'd need some pretty deep skills in etcd
> and OpenShift.
As I am still trying out OKD I will simply trash my existing CentOS nodes and
re-install them all with CentOS Atomic Host. That shouldn't be a problem. I
just hope that installing OKD on Atomic Host is better documented than the
installation on plain CentOS, especially with regard to the upgrading procedure.
But if I understand correctly the upgrade procedure here should be simplified
as everything runs inside Docker containers.
Now I first have to figure out how to install my CentOS Atomic Host virtual
machines automatically with PXE and kickstart. It looks like I just need to
adapt my kickstart file for Atomic Host (rpm-ostree) and I get Atomic Host
instead of plain CentOS...
> On Sun, 6 Jan 2019 at 07:03, mabi <[email protected]> wrote:
>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea <[email protected]>
>> wrote:
>>
>>> [DC]: I think you are a bit confused: there are 2 ways to get the rpms from
>>> CentOS yum repo: using the generic repo [1] which will always have the
>>> latest origin release OR [2] where I've mentioned that you can install
>>> centos-release-openshift-origin3* rpm which will give you [3] yum repo
>>
>> Thank you for your precisions and yes I am confused because first of all the
>> upgrading documentation on the okd.io website does not mention anything
>> about having to manually change the yum repo.repos.d file to match a new
>> directory for a new version of openshift.
>>
>> Then second, this mail
>> (https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg00007.html)
>> has the following sentence, I quote:
>>
>> "Please note that due to ongoing work on releasing CentOS 7.6, the
>> mirror.centos.org repo is in freeze mode - see [4] and as such we have not
>> published the rpms to [5]. Once the freeze mode will end, we'll publish the
>> rpms."
>>
>> So when is the freeze mode over for this repo? I read this should have
>> happened after the CentOS 7.6 release but that was already one month ago and
>> still no version 3.11 RPMs in the
>> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>>
>> Finally, all I want to do is to upgrade my current okd version 3.10 to
>> version 3.11 but I can't find any complete instructions documented
>> correctly. The best I can find is
>> https://docs.okd.io/3.11/upgrading/automated_upgrades.html which simply
>> mentions running the following upgrade playbook:
>>
>> ansible-playbook \
>> -i </path/to/inventory/file> \
>> playbooks/byo/openshift-cluster/upgrades/<version>/upgrade.yml
>>
>> Again here there is no mention of having to modify a yum.repos.d file
>> beforehand or having to install the centos-release-openshift-origin
>> package...
>>
>> I would be glad if someone can clarify the full upgrade process and/or have
>> the official documentation enhanced.
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users