Bug 1266150 - Backwards compatibility policy issue in 3.0.2
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Security
Version: 3.0.0
Assignee: Scott Dodson
QA Contact: weiwei jiang
Reported: 2015-09-24 15:33 UTC by Scott Dodson
Modified: 2015-10-01 17:14 UTC

Fixed In Version: openshift-3.0.2.0-0.git.12.b997e91.el7ose
Doc Type: Bug Fix
Last Closed: 2015-10-01 17:14:16 UTC
Links
  System: Red Hat Product Errata
  ID: RHBA-2015:1854
  Private: 0
  Priority: normal
  Status: SHIPPED_LIVE
  Summary: Red Hat OpenShift Enterprise bug fix update
  Last Updated: 2015-10-01 21:13:57 UTC

Description Scott Dodson 2015-09-24 15:33:12 UTC
From https://github.com/openshift/origin/pull/4767

Backwards compatibility without policy updates is broken without this fix. Without this fix, old registry images against new OpenShift servers running with old policy (before `oadm policy reconcile-cluster-roles`) will suddenly start failing.

This is mitigated by running `oadm policy reconcile-cluster-roles` and reconciling differences.

Comment 3 Anping Li 2015-09-25 10:39:35 UTC
I am not sure about these steps. Please correct me if I am wrong.

1. yum update openshift-master
2. systemctl restart openshift-master
3. After that, oc start-build failed with 'docker push'; 'oc deploy' failed with binding.

1) oc start-build failed as follows:
F0924 23:00:32.936764       1 builder.go:54] Build error: Failed to push image: Error pushing to registry: Authentication is required.

2) oc deploy failed as follows:
Events:
  FirstSeen	LastSeen	Count	From		SubobjectPath	Reason			Message
  19s		19s		1	{scheduler }			failedScheduling	Binding rejected: binding "cakephp-mysql-example-3-deploy" cannot be updated: pod cakephp-mysql-example-3-deploy 

3) replicationcontrollers start pod failed as follows:
Events:
  FirstSeen	LastSeen	Count	From		SubobjectPath	Reason			Message
  19s		19s		1	{scheduler }			failedScheduling	Binding rejected: binding "cakephp-mysql-example-3-deploy" cannot be updated: pod cakephp-mysql-example-3-deploy

Comment 4 Scott Dodson 2015-09-25 17:39:55 UTC
Sorry, I failed to merge in the fix. Updated the build.

Comment 5 Anping Li 2015-09-28 05:40:59 UTC
Can't create deploymentconfig before applying new policy.

[anli@openshift-111 ~]$ oc new-app --template=cakephp-example
[anli@openshift-111 ~]$ oc get events
FIRSTSEEN   LASTSEEN   COUNT     NAME                      KIND               SUBOBJECT   REASON         SOURCE         MESSAGE
4m          4m         1         cakephp-example-1-build   Pod                            scheduled      {scheduler }   Successfully assigned cakephp-example-1-build to openshift-112.lab.sjc.redhat.com
6m          39s        4         cakephp-example           DeploymentConfig               failedCreate   {deployer }    Couldn't create initial deployment: DeploymentConfig "cakephp-example" is invalid: triggers[0].imageChange.tag: invalid value 'latest', Details: no image recorded for u4p2/cakephp-example:latest

Comment 6 Anping Li 2015-09-28 12:25:29 UTC
Please ignore comment 5. It is an environment error, and it can't be reproduced.

I did more tests again, both from v3.0.0.1 to v3.0.2.0 and from v3.0.1.0 to v3.0.2.0. All the following tasks work well.

With old policy:
 The app can be accessed via router
 The app can be accessed via service
 The deleted pod can be started by rc
 The app can be redeployed.
 The app can be rebuilt
 New app can be created/built and deployed.
After deploying the policy and finishing the upgrade, the above tasks also work well.

So moving the bug to verified.

Comment 8 errata-xmlrpc 2015-10-01 17:14:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:1854

