v1.0.7 (1.1.0-rc1)
OpenShift 1.0.7 (release candidate 1 for 1.1)
NOTE: Users should install release candidate 2 (1.0.8) instead of this release
This is the first release candidate for Origin 1.1 and OSE 3.1. Please see the migration notes and API changes when updating a live cluster.
Migrating from 1.0.x
- Cluster roles have changed - please run:

      $ oadm policy reconcile-cluster-roles
      $ oadm policy reconcile-cluster-role-bindings

  to review the changes, and pass --confirm to accept those changes.
- v1beta3 is no longer supported as a storage version or API version
  - If you are using v1beta3 as your Kubernetes or OpenShift storage version, you will receive an error when you try to restart the OpenShift masters because v1beta3 is no longer a valid storage version. You must update the values of etcdStorageConfig.kubernetesStorageVersion and etcdStorageConfig.openShiftStorageVersion to be v1 in your master-config.yaml file.
  - You may also need to change the apiLevels field to remove references to v1beta3.
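A pre-upgrade check for the settings named in the migration notes above, as an added example that is not part of the release notes or of OpenShift. The function names are hypothetical, the sample file is constructed and holds only the relevant keys, and the check assumes each key sits on its own line.

```shell
#!/bin/sh
# Added example: pre-upgrade check for the v1beta3 settings named in the
# migration notes. Not part of OpenShift; function names are hypothetical.

# Print one line per blocking setting in master-config.yaml ($1);
# return 1 if any were found, 0 if the file is ready for the upgrade.
check_master_config() {
    awk '
        # Block-style list: "apiLevels:" followed by "- value" items.
        /^[ \t]*apiLevels:[ \t]*$/ { in_levels = 1; next }
        in_levels && /^[ \t]*-[ \t]+/ {
            if ($2 == "v1beta3") { printf "line %d: apiLevels lists v1beta3\n", NR; bad++ }
            next
        }
        { in_levels = 0 }
        # Flow-style list on one line: apiLevels: [v1beta3, v1]
        /^[ \t]*apiLevels:.*v1beta3/ { printf "line %d: apiLevels lists v1beta3\n", NR; bad++ }
        # Both storage versions must be exactly v1.
        $1 == "kubernetesStorageVersion:" || $1 == "openShiftStorageVersion:" {
            val = $2; gsub(/"/, "", val)
            if (val != "v1") { printf "line %d: %s %s, must be v1\n", NR, $1, val; bad++ }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample of the relevant keys only, not a complete master-config.yaml.
write_sample_config() {
    cat > "$1" <<'EOF'
apiLevels:
- v1beta3
- v1
etcdStorageConfig:
  kubernetesStorageVersion: v1beta3
  openShiftStorageVersion: v1
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
check_master_config "$sample" || echo "update these settings before restarting the masters"
rm -f "$sample"
```

Run it against each master's configuration file before restarting; a zero exit status means none of the checked keys still reference v1beta3.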
API Changes
- v1beta3 is no longer supported as an API endpoint (/api/v1beta3 and /osapi/v1beta3 are now disabled).
  - The CLI and golang client libraries can still convert v1beta3 objects to v1 via

        $ oc export --raw --api-version=v1 -f FILENAME -o yaml

- The value of the status.dockerImageRepository for an ImageStream now returns either the fully qualified pull spec for the stream on the integrated registry (if configured), or the value of spec.dockerImageRepository if no integrated registry has been set. The previous behavior was to use spec.dockerImageRepository if it was set, overriding the internal location, but that made it difficult for clients to generate a URL that allowed them to push to the image stream.
- Builds marked only with the build label will no longer be considered part of their parent build config. You can see a list of affected builds by running oc get builds --all-namespaces and looking for builds that only have the build label, not openshift.io/build. See #3502.
- The spec.rollingParams.updatePercent field on deployment configs will no longer be recognized. Use maxUnavailable and maxSurge instead.
- Images can be edited to set fields like labels or annotations
- Routes can now specify which port they wish to route to - by default, all callers that might point to multi-port services should set spec.port.targetPort to the port on the Pod (or external service) to target.
- Builds now contain status.outputDockerImageReference which is the Docker location that the image will be pushed to.
- Image streams now return the integrated registry's Docker spec in status.dockerImageRepository instead of showing the value of spec.dockerImageRepository. If no integrated registry is included, the value from spec will be used if set.
- Logging and remote execution can now be performed over WebSockets for use from a browser client or languages without a SPDY library
Features
- Updated to Kubernetes v1.2.0-1107-g4c8e6f4
  - Job resources are now available in the extensions API group for managing tasks that must run to completion
  - HorizontalPodAutoscalers allow deployment configs and replication controllers to be autoscaled based on their load
- LDAP group synchronization added under oadm group-sync for enforcing group membership from external LDAP directories
- Nodes
  - Switch CPU quota to CFS by default, which enforces maximum CPU usage per container
  - Out of memory conditions on the node are now controlled by the node agent, with OOMScoreAdjust and Restart policy set to ensure the node remains stable in overcommitted scenarios
- Deployment hooks may now leverage volumes from the original pod
- Add oc rsync, which can copy local directories into a remote pod. If rsync is not available in the pod or on the client, the command will fall back to a direct copy:

      oc rsync ~/myfolder :/home/user/test

- Pods may join the host PID or host IPC namespaces if they are granted appropriate access
Multi-tenant pod networks
The multi-tenant SDN plugin can be used to isolate projects from each other. Each project is isolated, and administrators can bind projects together with oadm pod-network join-project or expose the pods within a project to all other projects.
To enable the multi-tenant SDN plugin, in node-config.yaml change networkConfig.networkPluginName to redhat/openshift-ovs-multitenant.
Logs
- Additional filtering options are available on oc log - controlling the amount of logs displayed, show timestamps, view contents from a historical time (relative or by date)
- The web console will show logs for pods and builds, allowing you to view the current or previous container's state
Metrics
- The Kubelet now exposes statistics from cAdvisor securely via cluster permissions to view metrics
- The web console will now display metrics from pods when metrics integration has been enabled
Web Console
- Totally revamped and extended resource information available in the web console
- Connect to a container via a remote shell in the web console
- Scale deployments up and down from the web console
- Added the topology view to the web console - see a graph of all your resources
- Improve the layout and organization of the application create page
- After creating a new application, display more information about next steps
- Routes are displayed on the services list page with more info about security and paths available on their own pages
- Pod resource limits and requested amounts are displayed on their respective objects
Command-line
- Big improvements to oc new-app and oc new-build to display more information about what is happening when we generate apps:

      $ oc new-app php
      --> Found image dbaa6b2 (33 hours old) in image stream "php" under tag :latest for "php"
          * We will deploy this image in deployment config "php"
          * Port 8080/tcp will be load balanced by service "php"
      --> Creating resources with label app=php ...
          DeploymentConfig "php" created
          Service "php" created
      --> Success
          Run 'oc status' to view your app.

- Improve Bash completions to better guide user input that is file based
- Revamp the output that is displayed for deployments in oc get and oc describe
- Add commands to validate node and master configuration - openshift ex validate master-config and openshift ex validate node-config
- Delete tags from an image stream with oc tag TAG -d
- When tagging one image stream tag into another, use the resolved image in the destination, and allow a reference to be created with --alias
- On Windows, oc edit should no longer report file edit errors, and the edit output is now generated with Windows CR/LF line endings for proper display.
- Support for installation of images via oc new-app - images that have the Docker label io.openshift.generate.job=true will prompt the user to install themselves.
Builds
- The contents of a Dockerfile can be directly provided to a Docker build
  - Specify Dockerfile contents on oc new-build via the -D flag, for example

        oc new-build -D $'FROM centos:7\nRUN yum install -y httpd'

  - In a Build API object, set spec.source.dockerfile to the desired string value.
  - The value of the Dockerfile will override a Dockerfile in the source Git repository if one is provided
- A binary build can be triggered by passing a file, directory, or local Git repository path to the oc start-build command with --from-file, --from-dir, or --from-repo. The contents will be streamed to the builder and used as the input to the build instead of the current Git repository source. Note that a binary build cannot be rebuilt, since the server does not have access to the previous binary sent. Newly triggered builds will use the Git source if available.
- Support SSH keys and basic authentication when pulling Git repositories during builds.
- Environment variables defined in a Docker build are now added to the Dockerfile prior to building
- When a build fails, information about that failure is recorded with the build and displayed in the CLI and UI
- Build logs can now be displayed via oc logs build/<buildname> and oc logs bc/<buildconfig name>
Router
- Send X-Forwarded-* headers as per RFC7239 on proxied HTTP and HTTPS requests to backends
- Fixed a bug where router stats were not properly enabled when the router was installed
- Display the HAProxy statistics page by default
- Support partition paths in the F5 router
- Display a 503 error page on missing backends in the HAProxy router, which can be customized by layering over the image.
- Disable known insecure TLS cipher suites by default, using the Mozilla intermediate security suite by default, and provide examples for modern and legacy browser support.
Volumes
- Supplemental groups for use with volumes are now allocated to each project, matching the range of UIDs. Volumes in a pod will be set to be owned by the first group in the range.
- Ensure that volumes are assigned the pod SELinux context on startup
Security
- If no certificate CA is set on the server, use the system root CAs
- Support multiple server certificates on the master via SNI
- Allow different identity mapper strategies for assigning user names to logged in users, giving more control to administrators
- Add Keystone as an identity provider
- Disable known insecure TLS cipher suites in the master and other HTTPS servers. An environment variable may be specified to enable older cipher suites.
Fixes
- Cluster role checks are now available in openshift ex diagnostics
- Retry deployment actions from the CLI when the deployment process simultaneously updates the deployment config
- Improve output of deploy --cancel to be clearer about what has been canceled
- Fix potential race conditions in node SDN setup
- The PATCH operation was not allowed by policy - allow policy roles to allow it
- The version of a server is exposed in the Prometheus /metrics endpoint, making it easier to know what versions are in a deployment
- When using kubectl compatibility mode (via openshift kube or symlinking kubectl to oc), accept --kubeconfig for compatibility with upstream
- Improve cluster stability and performance by increasing overly aggressive resync intervals for the node proxy.