On Mon, 7 Jan 2019 at 8:01 am, mabi <m...@protonmail.ch> wrote:

> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Sunday, January 6, 2019 12:28 PM, Joel Pearson <japear...@agiledigital.com.au> wrote:
>
> I think it's worth mentioning here that the RPMs at
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a
> critical security vulnerability. I think it's unsafe to use the RPMs if
> you're planning on having your cluster available on the internet.
>
> https://access.redhat.com/security/cve/cve-2018-1002105
>
>
> Thank you Joel for pointing this important security issue out. I was not
> aware that the OpenShift RPMs on this official CentOS repository are not
> being updated for security vulnerabilities. This is a total no-go for me as
> my cluster is facing the internet.
>

It looks like the RPMs will eventually get the security fix according to
the other reply from Daniel Comnea. But with containers you could have a
fix within a day, as opposed to waiting for a new tag, which still hasn't
happened yet and it's been more than 1 month.


> Unless you're going to be using the Red Hat supported version of OpenShift,
> i.e. OCP, then I think the only safe option is to install OKD with CentOS
> Atomic Host and the containerised version of OpenShift, i.e. not use the RPMs
> at all.
>
>
> I will stick with OKD and try out CentOS Atomic Host instead of plain
> CentOS.
>
> However, the bad news for you is that an upgrade from RPMs to
> containerised would not be simple, and you couldn't reuse your nodes
> because you'd need to switch from regular CentOS to CentOS Atomic Host. It
> would probably be technically possible but not simple. I guess you'd
> upgrade your 3.10 cluster to the vulnerable version of 3.11 via RPMs, and
> then migrate your cluster to another cluster running on Atomic Host. I'm
> guessing there is probably some way to replicate the etcd data from one
> cluster to another. But it sounds like it'd be a lot of work, and you'd
> need some pretty deep skills in etcd and OpenShift.
>
>
> As I am still trying out OKD I will simply trash my existing CentOS nodes
> and re-install them all with CentOS Atomic Host. That shouldn't be a
> problem. I just hope that installing OKD on Atomic Host is better
> documented than the installation on plain CentOS, especially in regard to
> the upgrading procedure. But if I understand correctly the upgrade
> procedure here should be simplified as everything runs inside Docker
> containers.
>

The upgrade procedure is the same as with RPMs; however, you wouldn't need to
change the RPM repo.

https://docs.okd.io/3.11/upgrading/automated_upgrades.html

A word of warning about the next major version upgrade, v4.0: Atomic Host
support is deprecated in favour of CoreOS (which Red Hat recently acquired);
however, CoreOS is not supported for 3.11, so it looks like you'll need to do
a cluster rebuild for v4.0. But at least you'll be able to get 3.11
patches in the meantime.

>
>
> Now I first have to figure out how to install my CentOS Atomic
> Host virtual machines automatically with PXE and kickstart. It looks like I
> just need to adapt my kickstart file for Atomic Host (rpm ostree) and I get
> Atomic Host instead of plain CentOS...
>
>
> On Sun, 6 Jan 2019 at 07:03, mabi <m...@protonmail.ch> wrote:
>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea <comnea.d...@gmail.com> wrote:
>>
>> [DC]: I think you are a bit confused: there are 2 ways to get the rpms
>> from the CentOS yum repo: using the generic repo [1], which will always have the
>> latest origin release, OR [2], where I've mentioned that you can install the
>> *centos-release-openshift-origin3** rpm, which will give you the [3] yum repo
>>
>>
>> Thank you for your clarifications, and yes, I am confused because first of all
>> the upgrading documentation on the okd.io website does not mention
>> anything about having to manually change the yum.repos.d file to match
>> a new directory for a new version of OpenShift.
>>
>> Second, this mail (
>> https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg00007.html)
>> has the following sentence, I quote:
>>
>> "Please note that due to ongoing work on releasing CentOS 7.6, the
>> mirror.centos.org repo is in freeze mode - see [4] and as such we have
>> not published the rpms to [5]. Once the freeze mode will end, we'll publish
>> the rpms."
>>
>> So when is the freeze mode over for this repo? I read this should have
>> happened after the CentOS 7.6 release but that was already one month ago
>> and still no version 3.11 RPMs in the
>> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>>
>> Finally, all I want to do is to upgrade my current okd version 3.10 to
>> version 3.11 but I can't find any complete instructions documented
>> correctly. The best I can find is
>> https://docs.okd.io/3.11/upgrading/automated_upgrades.html which simply
>> mentions running the following upgrade playbook:
>>
>> ansible-playbook \
>>     -i </path/to/inventory/file> \
>>     playbooks/byo/openshift-cluster/upgrades/<version>/upgrade.yml
>>
>> Again here there is no mention of having to modify a yum.repos.d file
>> beforehand or having to install the centos-release-openshift-origin
>> package...
>>
>> I would be glad if someone can clarify the full upgrade process and/or
>> have the official documentation enhanced.
>> _______________________________________________
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>
>
> --
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au
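The two checks this thread keeps circling back to (is the node's yum repo still on the 3.10 "openshift-origin" directory, and is the installed origin RPM older than the build that fixes CVE-2018-1002105) as an added shell example; it is not code from any message above, FIXED_VERSION is a placeholder because the thread never states the fixed build number, and the .repo file used by the demo is constructed sample data:

```shell
#!/bin/sh
# Added example, not from the thread: audit an OKD 3.11 RPM node for two problems
# raised above: a yum repo still pointing at the 3.10 "openshift-origin" directory,
# and an installed origin package older than the build that fixes CVE-2018-1002105.
# FIXED_VERSION is a placeholder (the thread gives no build number); set it from the
# Red Hat CVE page before relying on the result.
FIXED_VERSION="${FIXED_VERSION:-3.11.0-0.PLACEHOLDER}"
EXPECTED_REPO="http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/"

# repo_baseurl FILE: print the first baseurl= value of a yum .repo file.
repo_baseurl() {
    sed -n 's/^[[:space:]]*baseurl[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# repo_ok FILE: succeed only if the repo points at the 3.11 directory.
repo_ok() {
    [ "$(repo_baseurl "$1")" = "$EXPECTED_REPO" ]
}

# version_at_least HAVE MIN: succeed if HAVE >= MIN (rpm-style VERSION-RELEASE strings).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# origin_version: VERSION-RELEASE of the installed origin RPM, or "none".
origin_version() {
    v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' origin 2>/dev/null) && printf '%s\n' "$v" || echo none
}

# audit FILE HAVE: print one line per check; succeed only if both checks pass.
audit() {
    rc=0
    if repo_ok "$1"; then echo "repo: ok ($1)"; else echo "repo: still on the 3.10 path"; rc=1; fi
    if [ "$2" != none ] && version_at_least "$2" "$FIXED_VERSION"; then echo "origin: $2 >= $FIXED_VERSION"
    else echo "origin: $2 predates fixed build $FIXED_VERSION"; rc=1; fi
    return $rc
}

# Demo on a constructed .repo file (sample data, not taken from a real node).
demo() {
    f=$(mktemp)
    printf '[centos-openshift-origin]\nname=CentOS OpenShift Origin\nbaseurl=http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/\n' > "$f"
    audit "$f" "$(origin_version)"; rc=$?
    rm -f "$f"
    return $rc
}
```

Run `demo` on a node after the repo switch to see both findings at once; `sort -V` needs GNU coreutils, which CentOS ships.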