Hi all,

I don't think RPMs have a critical security vulnerability. The module in 
question should be origin-control-plane [1], which is a container running within 
OKD 3.11. I have two OKD 3.11 clusters; on each master node, I ran 
docker pull docker.io/openshift/origin-control-plane:v3.11
/usr/local/bin/master-restart api
/usr/local/bin/master-restart controllers

to pull the newer image, and the gravitational/cve-2018-1002105:latest image shows no 
vulnerabilities.


[1] https://github.com/openshift/origin/issues/21606#issuecomment-446974567



On Sun, Jan 6, 2019 at 11:29 AM Joel Pearson <japearson agiledigital com au> 
wrote:
I think it's worth mentioning here that the RPMs at 
http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a 
critical security vulnerability; I think it's unsafe to use the RPMs if you're 
planning on having your cluster available on the internet.

https://access.redhat.com/security/cve/cve-2018-1002105

Unless you're going to be using the Red Hat supported version of OpenShift, i.e. 
OCP, then I think the only safe option is to install OKD with CentOS Atomic 
Host and the containerised version of OpenShift, i.e. not use the RPMs at all.

The problem with the RPMs is that you get no patches, only the version of 
OpenShift 3.11.0 as it was when it was released; however, the containerized 
version of OKD (only supported on Atomic Host) has a rolling tag (see 
https://lists.openshift.redhat.com/openshift-archives/users/2018-October/msg00049.html) 
and you'll notice that the containers were just rebuilt a few minutes ago: 
https://hub.docker.com/r/openshift/origin-node/tags

It looks like the OKD images are rebuilt from the release-3.11 branch: 
https://github.com/openshift/origin/commits/release-3.11

You can see the critical CVE vulnerability was fixed in commits on December 4; 
however, the RPMs were built on the 5th of November, so they certainly do not 
contain the critical vulnerability fixes.

I am running OKD 3.11 on CentOS Atomic Host on an OpenStack cluster and it 
works fine, and I can confirm from the OKD About page that I'm running a 
version of OpenShift that is patched: OpenShift Master: v3.11.0+d0a16e1-79 
(which lines up with commits on December 31).

However, the bad news for you is that an upgrade from RPMs to containerised 
would not be simple, and you couldn't reuse your nodes because you'd need to 
switch from regular CentOS to CentOS Atomic Host. It would probably be 
technically possible but not simple. I guess you'd upgrade your 3.10 cluster 
to the vulnerable version of 3.11 via RPMs, and then migrate your cluster to 
another cluster running on Atomic Host; I'm guessing there is probably some way 
to replicate the etcd data from one cluster to another. But it sounds like it'd 
be a lot of work, and you'd need some pretty deep skills in etcd and OpenShift.

On Sun, 6 Jan 2019 at 07:03, mabi <mabi protonmail ch> wrote:
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, January 5, 2019 3:57 PM, Daniel Comnea <comnea dani gmail com> 
wrote:

[DC]: I think you are a bit confused: there are 2 ways to get the rpms from the 
CentOS yum repo: using the generic repo [1], which will always have the latest 
origin release, OR [2], where I've mentioned that you can install the 
centos-release-openshift-origin3* rpm, which will give you the [3] yum repo.

Thank you for your precisions, and yes, I am confused because, first of all, the 
upgrading documentation on the okd.io website does not mention anything about 
having to manually change the yum repo.repos.d file to match a new directory 
for a new version of OpenShift.

Then second, this mail 
(https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg00007.html) 
has the following sentence, I quote:

"Please note that due to ongoing work on releasing CentOS 7.6, the 
mirror.centos.org repo is in freeze mode - see [4] and as such we have not 
published the rpms to [5]. Once the freeze mode will end, we'll publish the 
rpms."

So when is the freeze mode over for this repo? I read this should have happened 
after the CentOS 7.6 release, but that was already one month ago and there are still no 
version 3.11 RPMs in the 
http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...

Finally, all I want to do is to upgrade my current okd version 3.10 to version 
3.11 but I can't find any complete instructions documented correctly. The best 
I can find is https://docs.okd.io/3.11/upgrading/automated_upgrades.html which 
simply mentions running the following upgrade playbook:

ansible-playbook \
    -i </path/to/inventory/file> \
    playbooks/byo/openshift-cluster/upgrades/<version>/upgrade.yml

Again here there is no mention of having to modify a yum.repos.d file 
beforehand or having to install the centos-release-openshift-origin package...

I would be glad if someone could clarify the full upgrade process and/or have the 
official documentation enhanced.
_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users



Rgds,
Gripen Kwok
------

Information Technology Services,
The University of Hong Kong


