Bug 1266150 - Backwards compatibility policy issue in 3.0.2
Product: OpenShift Container Platform
Classification: Red Hat
Component: Security
Assigned To: Scott Dodson
weiwei jiang
Reported: 2015-09-24 11:33 EDT by Scott Dodson
Modified: 2015-10-01 13:14 EDT
Fixed In Version: openshift-
Doc Type: Bug Fix
Last Closed: 2015-10-01 13:14:16 EDT
Type: Bug

Description Scott Dodson 2015-09-24 11:33:12 EDT
From https://github.com/openshift/origin/pull/4767

Backwards compatibility without policy updates is broken without this fix. Without this fix, old registry images against new OpenShift servers running with old policy (before oadm policy reconcile-cluster-roles) will suddenly start failing.

This is mitigated by running `oadm policy reconcile-cluster-roles` and reconciling differences.

Comment 3 Anping Li 2015-09-25 06:39:35 EDT
I am not sure about these steps. Please correct me if I am wrong.

1. yum update openshift-master
2. systemctl restart openshift-master
3. After that, oc start-build failed with 'docker push'; 'oc deploy' failed with binding.

1) oc start-build failed as follows:
F0924 23:00:32.936764       1 builder.go:54] Build error: Failed to push image: Error pushing to registry: Authentication is required.

2) oc deploy failed as follows:
  FirstSeen	LastSeen	Count	From		SubobjectPath	Reason			Message
  19s		19s		1	{scheduler }			failedScheduling	Binding rejected: binding "cakephp-mysql-example-3-deploy" cannot be updated: pod cakephp-mysql-example-3-deploy 

3) replicationcontrollers start pod failed as follows:
  FirstSeen	LastSeen	Count	From		SubobjectPath	Reason			Message
  19s		19s		1	{scheduler }			failedScheduling	Binding rejected: binding "cakephp-mysql-example-3-deploy" cannot be updated: pod cakephp-mysql-example-3-deploy

Comment 4 Scott Dodson 2015-09-25 13:39:55 EDT
Sorry, I failed to merge in the fix. Updated the build.

Comment 5 Anping Li 2015-09-28 01:40:59 EDT
Can't create deploymentconfig before applying new policy.

[anli@openshift-111 ~]$ oc new-app --template=cakephp-example
[anli@openshift-111 ~]$ oc get events
FIRSTSEEN   LASTSEEN   COUNT     NAME                      KIND               SUBOBJECT   REASON         SOURCE         MESSAGE
4m          4m         1         cakephp-example-1-build   Pod                            scheduled      {scheduler }   Successfully assigned cakephp-example-1-build to openshift-112.lab.sjc.redhat.com
6m          39s        4         cakephp-example           DeploymentConfig               failedCreate   {deployer }    Couldn't create initial deployment: DeploymentConfig "cakephp-example" is invalid: triggers[0].imageChange.tag: invalid value 'latest', Details: no image recorded for u4p2/cakephp-example:latest

Comment 6 Anping Li 2015-09-28 08:25:29 EDT
Please ignore comment 5. It is an environment error, and it can't be reproduced.

I did more tests again, both from v3.0.0.1 to v3.0.2.0 and from v3.0.1.0 to v3.0.2.0. All the following tasks work well.

With old policy:
 The app can be accessed via router
 The app can be accessed via service
 The deleted pod can be started by rc
 The app can be redeployed.
 The app can be rebuilt
 New app can be created/built and deployed.
After deploying the policy and finishing the upgrade, the above tasks also work well.

So move bug to verified.

Comment 8 errata-xmlrpc 2015-10-01 13:14:16 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

