v1.3.1

UPDATED: Mac client tools have been rebuilt on top of Go 1.7 to fix various issues related to the OS X Sierra update.

This is a patch release to Origin v1.3.x containing a security related fix. All users are recommended to upgrade to v1.3.1 who are on v1.3.0.

Bugs

v1.3.1 (2016-08-14)
Full Changelog

• Intermediate CA certificates were being improperly checked for authorization (CVE-2016-7075) #11308
• Tolerate caching delays when checking permissions for newly created namespaces #10932
• Properly default client rate limiting in controllers - very low values were being defaulted #10930
• Some non-resource URLs were being denied for the cluster infrastructure roles #10933
• Annotations used in cluster resource quota were not being properly validated #10929
• oc login should ignore some SSL related errors when using --insecure #11179
• Some roles should have access to the node's /spec endpoint #11047
• Fixed oc segfault seen in macOS Sierra (10.12) #11085

Release SHA256 Checksums

72ab655a7e5068bba654b774ef614715a7baba011e7305f6796bda829d59192e  openshift-origin-client-tools-v1.3.1-dad658de7465ba8a234a4fb40b5b446a45a4cee1-linux-32bit.tar.gz
2e25d7da6748562f10138a7616a7c027c3025086e08b42355978aebfed4da718  openshift-origin-client-tools-v1.3.1-dad658de7465ba8a234a4fb40b5b446a45a4cee1-linux-64bit.tar.gz
252ee8a1ff8a455a9b55aff82f6980dbf28bd75b601414765b4f06f6c1ec370e  openshift-origin-client-tools-v1.3.1-2748423-mac.zip
b90bc1249e7407717b0a0d7f92248ed6926ae0cd27d8fd038e054b866fa84baf  openshift-origin-client-tools-v1.3.1-dad658de7465ba8a234a4fb40b5b446a45a4cee1-windows.zip
ba5b9b1af3af19b7e4a01179e4a8af61486deeac6870c4cadfaf733322bc7181  openshift-origin-server-v1.3.1-dad658de7465ba8a234a4fb40b5b446a45a4cee1-linux-64bit.tar.gz

v1.4.0-alpha.0

This is Origin v1.3.0 rebased onto Kube v1.4.0-beta.3

Components

Kubernetes

• Commit openshift/kubernetes@d19513fe
• Upstream openshift/kubernetes@a0a9a282
• Carried patches

v1.3.0

This is OpenShift Origin 1.3.0!

Backwards Compatibility

Please see alpha.0 -> rc1 release notes for a full description of backwards compatibility changes.

• v1beta3 in storage is no longer supported - please see the release notes for a migration guide
• This is the last release that will support v1.0.0 API backwards compatibility, specifically:
  • The Service field spec.portalIP will no longer be returned in 1.4.0
  • The Pod field status.hostIP will no longer be returned in 1.4.0

Features

Release roadmap
v1.3.0 (2016-09-15)
Full Changelog
RC Changelog

Blog post coming soon - please see alpha.1, alpha.2, alpha.3, rc1 for more!

Bugs

• router: Properly clean up deleted routes in the router #10855
• cli: oc process was not properly handling parameter values with = in them #10880
• storage: Ensure the master side attach-detach function works successfully #10892
• quota: Ensure that the cluster resource quota annotation selector works for long annotation values #10896

Release SHA256 Checksums

05c83a3337ab995bad24b7359b876a3d2d3bdbdf09cc40949835c52d2fc0c659  openshift-origin-client-tools-v1.3.0-3ab7af3d097b57f933eccef684a714f2368804e7-linux-32bit.tar.gz
0d3b632fae9bc2747caee2dae7970865097a4bc1d83b84afb31de1c05b356054  openshift-origin-client-tools-v1.3.0-3ab7af3d097b57f933eccef684a714f2368804e7-linux-64bit.tar.gz
d47e36b6337af1622649311c965ddd6f0bf0d14d600ccf67376e2f0c4d4484b5  openshift-origin-client-tools-v1.3.0-3ab7af3d097b57f933eccef684a714f2368804e7-mac.zip
f678e16339adcf5967a8bac7c540572cc3fab7c0b2596f927dc8ff6ec269a6c6  openshift-origin-client-tools-v1.3.0-3ab7af3d097b57f933eccef684a714f2368804e7-windows.zip
fcdeeb5bed5faa606ec024b7b1e7c9d3e3303f8cb21df70c5a4da1b20340609c  openshift-origin-image-v1.3.0-3ab7af3d097b57f933eccef684a714f2368804e7-linux-64bit.tar.gz
cadb7408c45be8c19dde30c82e59f21cec1ba4f23f07131f9a6c8c20b22c3f73  openshift-origin-server-v1.3.0-3ab7af3d097b57f933eccef684a714f2368804e7-linux-64bit.tar.gz

v1.3.0-rc1

This is release candidate 1 of OpenShift Origin 1.3.0.

Backwards Compatibility

• HAProxy router template format has changed
  • As part of the expanded features added to the HAProxy router in 1.3, a configuration file format change was necessary to the internal structure used by the router config template (the haproxy.config.template) file. Instructions for adapting to the new format are located here
• Jenkins auto-deployment has been disabled - see #10260 for more

API Changes

• Networking
  • Many of the network API objects have much stricter validation. #10466
• Routes
  • All backends in a route may be set to have zero weight, which means no traffic should be sent to that backend. #10428

Component updates

• Updated to Kubernetes 1.3.5 + patches
  • 32000: Update node status instead of node in kubelet #10790
  • 31730: Fixes for attach-detach controller enablement on existing nodes #10748
  • 30690: Don't bind pre-bound pvc & pv if size request not satisfied #10522
  • 31627: make deep copy of quota objects before mutations #10704
  • 31396: Fixed integer overflow bug in rate limiter #10646
  • 31047: Close websocket stream when client closes #10550
  • 25308: fix rollout nil panic issue #10543
  • 29093: Fix panic race in scheduler cache from 28886 #10518
  • 30839: queueActionLocked requires write lock #10504
  • 30624: Node controller deletePod return true if there are pods pending deletion #10503
  • 30731: Always return command output for exec probes and kubelet RunInContainer #10494
  • 30796: Quota usage checking ignores unrelated resources #10493
  • 28234: Make sure --record=false is acknowledged when passed to commands #10486
  • 30736: Close websocket watch when client closes #10475
  • 29639:: Fix default resource limits (node allocatable) for downward api volumes and env vars #10467
  • 27541: Attach init container #10427
  • 30510: Endpoint controller logs errors during behavior #10415
  • 30626: prevent RC hotloop on denied pods #10414
  • 30533: Validate involvedObject.Namespace matches event.Namespace #10392
  • 30313: remove duplicate errors from aggregate error outputs #10317
  • 29212: hpa: ignore scale targets whose replica count is 0 #10305
  • 29982: Fix PVC.Status.Capacity and AccessModes after binding #10268
  • 30162: return err on oc run --image with invalid value #10250
  • 31446: fix delay establishing log streaming connection #10617
  • 31353: fix duplicate validation/field/errors #10613
  • Additional bulk picks #10247, #10385, #10541
• Updated Docker distribution
  • Fix pushing to GCS storage #10640

Features

v1.3.0-rc1 (2016-08-07)
Full Changelog

Add setting and viewing route weights from the CLI

The A/B route balancing feature now has a CLI command to manage it oc set route-backends and route weights show up in the oc get and oc describe commands for the route.
Routes may have one or more optional backend services with weights controlling how much traffic flows to each service. Traffic is assigned proportional to the combined weights
of each backend. A weight of zero means that the backend will receive no traffic. If all weights are zero the route will not send traffic to any backends.

You can bulk set route backends by specifying their name and weight:

$ oc set route-backends myroute prod=99 canary=1

Which will send 99% of traffic to the prod service and 1% to the canary service. If the service does not exist no traffic will be sent. You can keep the service listed as
a backend but not send traffic to it by specifying weight 0:

$ oc set route-backends myroute prod=1 canary=0

See the help for more advanced incremental adjustments (--adjust canary=+10%).

• Add CLI support for routes with multiple backends #10551.

Support bare-metal, highly available IPs for services

For users deploying onto bare metal without a cloud provider, access to highly available TCP load balancing can be difficult. OpenShift 1.3 extends the supported ip-failover
router HA solution to also enable HA Kube services with failover. Administrators would configure HA router nodes and then ensure that a block of IPs is routed to those nodes
in the IP failover configuration. That block would then be configured in the OpenShift master-config.yaml:

networkConfig:
  ingressIPNetworkCIDR: 172.46.0.0/16

This is the default behavior, and can be disabled by setting the value equal to 0.0.0.0/32. When a service of type=LoadBalancer is created, a new IP would be assigned to the
service and traffic would flow to that service. Note that running with a cloud provider disables this feature since the providers native service load balancer is used.

• Support network ingress on arbitrary IPs #9454
• Add a default ingress ip range #10500

Image Policy API

Image policy allows you to manage which images are allowed to run on the cluster and perform resolution of image tags to image digests on demand (to lock the executed version).
Policy allows:

• Block images outside of the integrated registry from being used in pods
• Require the presence of an annotation on the underlying image (not settable by end users) to run the image
• Allow integrators to perform security scans of images and then block the image from being executed on the platform.

The default configuration will block images that are annotated in the internal registry - if the annotation images.openshift.io/deny-execution is set on an image referenced
by a pod to true, OpenShift will prevent that image from being run. This can be used by an external scanner to block certain images from being used.

See the image policy documentation for more on configuring policy.

• Add image policy enforcement #8995

Build integrations with the cluster more easily

The new oc observe command is an experimental tool for reacting to changes in your Kubernetes cluster and building scripted interactions. It allows you to easily
get notified of changes to a particular resource type (like services, deployments, namespaces, persistent volumes) and invoke a command.

For example, if you want to send an email to your admin every time a node stops being reachable, create a script that takes

$ cat mail.sh
#!/bin/sh
if [[ $2 != 'False' ]]; then
  touch "/tmp/ready/$1"
  exit 0
fi
if [[ -f "/tmp/ready/$1" ]]; then
  echo mail -s "$1 went DOWN!" [email protected] "We're down at $(datetime)"
fi
rm "/tmp/ready/$1"

$ oc observe node -a '{{ range .status.conditions }}{{ if eq .type "Ready" }}{{ .status }}{{ end }}{{ end }}' --output gotemplate -- ./mail.sh

Whenever a node transitions from having condition Ready with status True to status False, an email will be sent to your admin. See the oc observe help for
more suggestions and explanation of how observe can help you build simple integrations.

You can get observe as a Docker image via docker pull openshift/observe:latest - the oc observe command is the entrypoint and you can bind mount a kubeconfig file
to /root/.kube/config.

• Observe command #4196

Improve the OAuth Grant page

OpenShift embeds a full featured OAuth server for managing access to cluster resources. The OAuth authorization grant page has been improved to describe the scopes being
requested, the impact those scopes might have, and to warn users of any potential security risks. In addition, the grant page now allows the user to select which scopes
to grant.

• Improve OAuth Grant page and allow partial scope approval #10321

Other Features

• project: Respect scope rules in li...

v1.3.0-alpha.3

This is an alpha feature release towards OpenShift Origin 1.3.0

Backwards Compatibility

• Image Streams
  • In order to tag an image from one image stream into another via oc tag or the API, you must have permission to pull the image, not just permission to view the source image stream. Running oadm policy reconcile cluster-roles will alter default roles so that tagging continues to work as normal.

API Changes

• DNS:
  • SRV record responses have changed significantly to conform to new features enabled in Kubernetes 1.3. More details in the 1.3 release notes issue. Callers must now explicitly request the port by name and protocol to get the port info (e.g. dig @server _http._tcp.kubernetes.default.svc.cluster.local)
• Builds:
  • Build Request API should return NotFound if the parent build config does not exist #9763
  • Reject ImageStreamTag references on builds and build configs that are not well formed as validation errors #9945
  • Support YAML payloads for generic webhooks #10031
  • Properly mark secrets field as not required in swagger #10038
  • Disallow build config LastVersion from getting smaller - clients will receive a validation error if status.latestVersion is a smaller integer than the stored value #9568
• Secrets:
  • Secret data may now be specified in string form (rather than base64 encoded) via the new stringData map, which is write-only and takes precedence over keys with the same name specified in data #9663
• PodSecurityPolicy Review API (alpha)
  • The review APIs have been updated to take a PodTemplateSpec struct instead of a PodSpec struct, so that annotations on the pod template can be validated. #10007

Component updates

• Updated to Kubernetes 1.3.0 with patch set Origin stable-20160804
  • Backported a number of 1.3.x fixes, including a serious regression in parallel pod start performance with #10111
• Updated to Docker distribution 2.4.0 with patch set 5594335

Features

v1.3.0-alpha.3 (2016-08-07)
Full Changelog

PetSets and Init Containers

Kubernetes 1.3 includes two new features in alpha designed for running clustered software: PetSets and init containers. PetSets make it easy to run a consistent set of pods that have individual network identities and are able to have unique persistent volumes. Init containers are run sequentially before the other containers in a pod are started and allow pod authors to read and write volume data, download binaries, wait for other components to start, and other initialization style tasks.

The examples/pets directory contains a number of examples of how to use PetSets. As alpha features, no backwards compatibility in future Kubernetes or OpenShift versions is guaranteed and may change significantly. Please provide feedback on these features.

• Enable petsets in origin #9972
• Enable security limits around init containers #9973

Improvements to Jenkins

- clean up jenkins master/slave example [#9956](https://github.com//pull/9956) - jenkins: Generate a password for Jenkins [#10163](https://github.com//pull/10163) - jenkins: Use official maven image for slave pods in sample pipeline [#9807](https://github.com//pull/9807) - console: addition of a dedicated Pipelines page  - console: improvements to the pipeline visualization on the Overview 

Upgrading to Docker Registry 2.4, cross-repository linking, and better usage tooling

This release contains an upgrade to Docker distribution 2.4 which contains many performance and usability improvements, including cross repo mounting when pushing images that already exist in the OpenShift registry. Support for the new schema2 storage format for images is now available, although it must be manually enabled in order to accept images pushed in the schema2 format (to preserve compatibility with older Docker versions).

• registry: Check pull access when tagging imagestreams #10109
• registry: Consider schema v2 layers when pruning #9713
• registry: User can get only blobs he's able to see #9819
• registry: Ensure that download access to registry blobs is controlled by access to the image stream #9593

Bearer token and anonymous access

The registry now supports the the Docker Token Authentication Specification, which enables bearer token authentication and anonymous access. Grant the system:image-puller role to the system:unauthenticated group to allow unauthenticated image pulls from a namespace:

oc policy add-role-to-group system:image-puller system:unauthenticated -n mynamespace

• registry: Allow anonymous registry access #9887

Image usage reporting

A new top level administrative command oadm top has been added to support administrative insight into the images used by the platform. Using oadm top images will show you information about the top images in use and how much space is in use in your registry. oadm top imagestreams will show you more detail about the total referenced size of each image stream and the number of layers allocated.

• images: Provide an administrative image usage report tool #9587

$ oadm top imagestreams
NAME            STORAGE     IMAGES  LAYERS
openshift/mongodb   0MiB        0   0
openshift/nodejs    329.84MiB   2   53
openshift/mysql     310.39MiB   2   38
openshift/jenkins   0MiB        0   0
openshift/mariadb   195.33MiB   1   5
openshift/wildfly   1.67GiB     3   87
openshift/python    704.99MiB   4   104
openshift/php       426.87MiB   2   52
openshift/postgresql    0MiB        0   0
openshift/ruby      359.71MiB   3   78
openshift/perl      370.21MiB   2   53

$ oadm top images
NAME                                    IMAGESTREAMTAG              PARENTS                     USAGE           METADATA    STORAGE
sha256:56f808f1bd2b820df6bef53d959f84bebd77ddd86fa86cef4e402d42a517d861 openshift/perl (latest,5.20)        sha256:5a428b5b36d4cd98dce8603d5accb30ff014b7d4fb73c2bb895edda89cabbb3d,sha256:7b5846517492e69b6705c6f6a14f3eb0944bd564369439c539aa57882ea11c00,sha256:851ec2ace8a73a9cc3868edcbff1ac50d5f382d5079b7bfa4e7ff2bb531c171f,sha256:68a27d407fd1ead3b8a9e33aa2054c948ad3a54556d28bb4caaf704a0f651f96,sha256:091120a2f697d36898e3dde6fb5be64d694672111d78a77a340c827626f52f89,sha256:ae121ac0828f1a1ddf3c1c84c67eb663933d60ee73617b8dfa0da5b095f1f9bb,sha256:440bfdfabdd46b5cd18672e7354bf915384047bb074cd429c92db004095f3708,sha256:453d96efdaa1bab5f7d115037235df965a292070a1c6a2af30cb049f5674848e,sha256:e0ccc37251074051bb5d20a86756357bc261b87a6838a552e6304191dffdeed2,sha256:e757c402d95f047f2876e368271e9570b1904366ced49b6333f8a897b368e69d,sha256:a54e1612052715b0d3022c8146ff758bd566455750f1391946648de767a74c5b,sha256:212d8e093d50b44cf8dd3101d22e7efce6293d741a6dc30fced9cd27b70c7c22,sha256:cc561897aa2c64d61fcda5b5149fbd1fca133ceb8cc8ac448859d571a2bdbbd8,sha256:a08759ded47520de300096fea140e9020dc7ae9b7a163ec604baba38c15cd192,sha256:2375b645b83bff8ccf7e61346859cd9a23ac57af6d443b32b6392c1998d14c74,sha256:41da716a93a61a8958d360ac3f70387ece99af3ac4c3ce30dbb735dea41903dc,sha256:e87d875660454595a08287afe8bc121c924d87f93ea1db0f5ac12809d7473bb3,sha256:8c6c4ff3ae64a90ab1535a7ff33e685c63b3d51f7915722292c12e5ccb8f0a7f,sha256:c605bcbb3b290d02a380cf0488effcdbb96fad1fcdd5a1d237fe44237f6d71cd,sha256:e7d7d97f75d94f0b79e68057b1c276c5b8c64d4a1d9a447dd59001521d8720bd,sha256:b58b9ac6edd661668bafab79f10e24e20b4b1df3de77e010bea95cbfa59890cf,sha256:71ea884c14ff11865cec03c443ed9b887d35673e07122e7aea967b75e40b0f42,sha256:8b0055a02328f8d3d9e52112886e6f9272b880eee20ead761e631c3be2d37618,sha256:83c2fd8cc3258f1ec22f26b6f6c573460f43be28f7ab3073b912f7bc8b56d930                             yes     276.50MiB
sha256:97caf48a52438d60b567f25d5882c331c7c8d4679618b17b33ee8ec86c7ba5ec test/ruby (latest)          sha256:8c6c4ff3ae64a90ab1535a7ff33e685c63b3d51f7915722292c12e5ccb8f0a7f,sha256:212d8e093d50b44cf8dd3101d22e7efce6293d741a6dc30fced9cd27b70c7c22,sha256:e0ccc37251074051bb5d20a86756357bc261b87a6838a552e6304191dffdeed2,sha256:7b5846517492e69b6705c6f6a14f3eb0944bd564369439c539aa57882ea11c00,sha256:c605bcbb3b290d02a380cf0488effcdbb96fad1fcdd5a1...

v1.2.1

This is a security hotfix to Origin v1.2.x. All users are recommended to upgrade to v1.2.1 who are on v1.2.0

Bugs

v1.2.1 (2016-07-14)
Full Changelog

• Fix a security issue where some users can escalate privileges via the watch API. Workaround: disable namespaced watch access to end users or limit the ability for untrusted users to access the API
• Correct an issue with how nodes are started up.

Release SHA256 Checksums

1c914f59916402e63ed1a87fa6c6eed03b557bdb56b27af5640c7056ea638e80  openshift-origin-client-tools-v1.2.1-5e723f6-linux-32bit.tar.gz
50af8fc25295cebaf7a77d4cfe41ef19adc9d3bbecf57719ff4bdd9bb173b5d9  openshift-origin-client-tools-v1.2.1-5e723f6-linux-64bit.tar.gz
486b7478d17a83dd18256ffcb55e56d10d2811d83f101f68e0ca973edd3ecf5f  openshift-origin-client-tools-v1.2.1-5e723f6-mac.zip
5c5e5d86ddcc940773da44f020355c380c669e58936f25a41afa800faf71b58c  openshift-origin-client-tools-v1.2.1-5e723f6-windows.zip
3215682df346fff7715557e99351f6c2a2c2d75944ac85a213426006dc373d0d  openshift-origin-image-v1.2.1-5e723f6-linux-64bit.tar.gz
0d61a749d742929d65d7557865de9f1a00daa400d9b748dfce7a91ad761db707  openshift-origin-server-v1.2.1-5e723f6-linux-64bit.tar.gz

v1.3.0-alpha.2

This is an alpha feature release towards OpenShift Origin 1.3.0.

Backwards Compatibility

No changes.

API Changes

• Updating the route spec.host field is now prohibited. You must create a new route with a new host - #9325, #8677, #9425
• Allow deployments with an image change trigger to specify an empty string for their container image to force deployment to wait until the image become available #9167
• Make project watch work for namespace deletion #9204
• Add an API for checking whether pod templates would be allowed via the user's SecurityContextConstraints #8941

Component updates

None.

Features

v1.3.0-alpha.2 (2016-06-20)
Full Changelog

Jenkins Pipeline Improvements

The web console overhaul continues - this release more deeply embeds Jenkins pipeline, while also exposing more information about the state of your applications in summary form. (to try it out yourself read the example guide)

The build details page now shows a detailed breakdown of the stages in each build using the information provided by Jenkins.

Since the overview page looks best with metrics, you can now install cluster metrics with oc cluster up --metrics (you'll want an extra ~1GB of memory available for the full component set) #9310

Other improvements

• authentication: Allow impersonation of groups as well as users #9062
• authentication: Mount a ca.crt into all pods that verifies auto-generated service secrets #9044
• builds: Simplify the amount of log output during a build #8924
• builds: Simplify image progress reporting #9212
• builds: The builder service account is now allowed to push to non-existent image streams (which auto-creates the stream) #9066
• cli: Add a new command to list all projects, oc projects #9199
• cli: Add a new command to set build hooks on build configs, oc set build-hooks #9194
• cli: Add a new command to set deployment hooks on deployment configs, oc set deployment-hooks #9187
• cli: Add an experimental openshift ex config patch command to make modifying master-config.yaml easier #9165
• cli: In oc cluster up, if --public-hostname is an IP use it for server IP #9103
• cli: Add describe output for OAuth tokens #9032
• deployments: Allow deployment configs to be paused by setting the paused boolean to true #9086
• gitserver: allow specifying build strategy #9031
• import: Import app.json to OpenShift applications #8819
• ipfailover: Add liveness and readiness probes for the ipfailover dc. #9215
• network: Allow the node to be configured to auto-detect the networking plugin in use via the API #9147
• performance: Enable the etcd watch cache for all OpenShift types #9057
• registry: Enable GCS storage for the registry #9211
• registry: atomic-registry via systemd #9200
• router: Add the both ROUTER_SERVICE*SNI_PORT #9175
• router: Make route name and namespace available to templates #9159

Bugs

• builds: When multiple build configs target the image stream tag, display better output in oc status #9308
• builds: Make git cloning more tolerant to failures and retry at increasing intervals in the event the repository cannot eb cloned #9124
• builds: The new dockerbuild command should only pull the :latest image if no tag specified #9104
• builds: Validation message when updating builds was vague #9164
• cli: Scale command was improperly ignoring non-conflict errors, hiding real failures #9228
• cli: In oc cluster up print last 10 error lines on container failures #9256
• cli: --container-port actually work for expose #9178
• cli: oc get --show-labels was not correct for OpenShift resources #9152
• cli: Fix panic when describing some resources #9097
• cli: Warn during import docker-compose if a docker compose service has no ports #9009
• controllers: Retry service account update on conflict #9250
• deployments: Remove deployer pods when they are canceled - avoids leaving unscheduled pods around #9291
• deployments: Update deployment config image at most once when trigger automatic=false #9096
• deployments: Deployments in oc deploy were not listed correctly #9196
• deployments: If lastTriggeredImage was set when creating a deployment config, it could prevent the initial deployment #9177
• gitserver: allow anonymous access when using uid/pwd auth #9125
• images: Image stream tags that follow another tag were not being updated properly #9258
• images: Update DockerImageReferences when tagging across image streams #9238
• images: Fix import-image --all #9163
• ipfailover: IPFailover was broken for alpha.1 #9102
• ldap: Add validation to prevent filters on dn lookups #9134
• quota: Ensure that updates to pods correctly apply / revert quota charges #9141
• registry: Don't enforce quota in registry by default #9400
• router: Defend against slowloris attacks via a tunable ROUTER_SLOWLORIS_TIMEOUT environment variable #9003

Release SHA256 Checksums

e2eda88bdc734d0d4acd651e8b997fabea2d7ff0bce8bc2b48e728ea9b78e9ea  openshift-origin-client-tools-v1.3.0-alpha.2-983578e-linux-32bit.tar.gz
afff3f46c609758de1638d3979bdf2e2de80b61a877476dc46af5fb2e9403102  openshift-origin-client-tools-v1.3.0-alpha.2-983578e-linux-64bit.tar.gz
b1bbd0a96833300291ed35c1a120ad1d873b2845c09f2de3cc51b52d6a4525ae  openshift-origin-client-tools-v1.3.0-alpha.2-983578e-mac.zip
653673900e4c6bba2cd9571deab53be2d420956fd0042f63440f502c0a137120  openshift-origin-client-tools-v1.3.0-alpha.2-983578e-windows.zip
28bc86b5fc4658e8247e9ac6e4185d45c190d959c7b62cb3c0ffb0db202557d7  openshift-origin-server-v1.3.0-alpha.2-983578e-linux-64bit.tar.gz

v1.3.0-alpha.1

This is an alpha feature release towards OpenShift Origin 1.3.0

Backwards Compatibility

• Origin now must be compiled on Go 1.6 or newer. Support for building and testing against Go 1.4 has been removed.
• The v1beta3 API is now no longer supported. Any cluster that is using v1beta3 resources should immediately upgrade them, as all support will be dropped for 1.3.0

API Changes

• Support watch on projects #8755

Component updates

• Updated to Kubernetes 1.3.0-alpha.1-331 with patch set Origin stable-20160411
• Updated to etcd v2.3.0

Features

v1.3.0-alpha.1 (2016-05-24)
Full Changelog

Spin up local clusters easily with oc cluster up

This new command makes it easy to launch a new cluster inside of a Docker container. The command will use your existing Docker connection by default to launch the container, ensuring all the preconditions for a simple all-in-one server are in place before starting the server. It will then install the router, registry, default image streams, and standard templates before creating a user account for you.

$ oc cluster up
-- Checking Docker client ... OK
-- Checking for existing OpenShift container ... OK
-- Checking for openshift/origin:3c2e3b2 image ... OK
-- Checking Docker daemon configuration ... OK
-- Checking for available ports ... OK
-- Checking type of volume mount ... 
   Using nsenter mounter for OpenShift volumes
-- Checking Docker version ... OK
-- Creating volume share ... OK
-- Finding server IP ... 
   Using 172.18.0.96 as the server IP
-- Starting OpenShift container ... 
   Creating initial OpenShift configuration
   Starting OpenShift using container 'origin'
   Waiting for API server to start listening
   OpenShift server started
-- Installing registry ... OK
-- Installing router ... OK
-- Importing image streams ... OK
-- Importing templates ... OK
-- Login to server ... OK
-- Creating initial project "myproject" ... OK
-- Server Information ... 
   OpenShift server started.
   The server is accessible via web console at:
       https://172.18.0.96:8443

   You are logged in as:
       User:     developer
       Password: developer

   To login as administrator:
       oc login -u system:admin

$ oc status

You can use the --version=v1.2.0 flag to select an alternate image to use.

Jenkins Pipeline integration

A core goal of any application platform must be to help developers manage change in their applications (after all, if it's not changing there probably aren't any developers). As part of OpenShift Origin 1.3 we are deeply integrating Jenkins as a Service to bring developers an out of the box, easy to consume CI and CD pipeline.

The first pieces of this integration have been delivered via integration with OpenShift builds. When you start a Jenkinsfile build type (which is new) a Jenkins instance will be spun up in your project that will execute the build using the Jenkins 2.0 pipeline and Jenkinsfile checked into your Git repo.

$ oc cluster up
$ oc new-project pipelineproject
$ oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/jenkinstemplate.json

You should see your Jenkins instance spun up in the web console, and then be able to jump into the web console via the router. At this point you'll need to perform some manual steps to enable things in Jenkins - see https://github.com/openshift/origin/blob/master/examples/jenkins/pipeline/README.md for more.

There is a ton of exciting work with CI/CD in the works - stay tuned!

Automatically sync local changes to the server with oc rsync --watch #8268

oc rsync now supports a --watch flag which will cause it to continuously monitor the local filesystem and sync changes to the pod as they occur. This makes it easy to work from an editor or IDE and have those changes show up live in your pods.

Build run policy - serial, parallel, or latest-only #8453

The build run policy describes the order in which the builds created from a build configuration should run. There are several out of the box policies:

• Serial - runs each build in the order they were created (the new default)
• Parallel - start builds as soon as they are created (was the previous default)
• SerialLatestOnly - if multiple builds have been created when the last build completes, only build the latest and mark the older ones as skipped

You can change the build policy via the spec.runPolicy field on build configurations.

Improving custom deployments #8787

Custom deployments can now reuse the existing build logic but install custom hooks in any image you want. See this mailing list post for more details.

In addition, the output of deployments has been greatly streamlined:

$ oc logs dc/custom
--> pre: Running hook pod ...
my hook pod ran
--> pre: Success
--> Scaling deployment-2 from 0 to 5
    Scaling deployment-2 up to 3
    Scaling deployment-1 down to 2
--> Scaling deployment-2 from 3 to 5
    Scaling deployment-2 up to 5
    Scaling deployment-1 down to 0
--> Success

Importing docker-compose.yaml files (Experimental)

This release includes an experimental command oc import docker-compose that can convert a docker-compose.yaml file into the Kubernetes and OpenShift equivalent, setting up your build pipelines on the cluster as well as all of the deployment artifacts. It can even identify when containers should be colocated into pods so you can leverage local disk and local network.

$ git clone https://github.com/docker-library/docs.git
$ oc import docker-compose -f wordpress/docker-compose.yml

OpenShift will warn you if any machine specific or Docker specific concepts that don't translate well to a containerized cluster are being used.

Note that many compose files may assume they can run as root - if you are trying out a new compose application on OpenShift you may want to grant access to run as root to get things working:

$ oadm policy add-scc-to-user anyuid -z default 

Please experiment with this feature and open issues if things don't work quite right - we want to make it as easy as possible to bring your containerized applications to OpenShift!

Squashed docker builds (Experimental)

Dockerfiles create an image layer for each instruction. However, these extra layers take time to commit and are often not useful when deploying applications in production. This release of OpenShift adds a new oc ex dockerbuild command that processes a Dockerfile like the docker build command, but skips committing layers in between each instruction in the Dockerfile. This can lead to significant speed ups in build times and smaller image sizes.

$ oc ex dockerbuild . myimage:latest

This feature is experimental while we ensure it has compatibility with dockerbuild. In future releases it will be possible to launch Docker builds on OpenShift that use this feature to squash the built output by default.

To see it in action, check out the OpenShift Origin images on the hub:

$ docker history openshift/origin:v1.3.0-alpha.1
IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
de3ae06bc719        47 minutes ago      sleep 86400                                     138.1 MB            
8cf7dbcd9db7        7 hours ago         /bin/sh -c #(nop) LABEL io.k8s.display-name=O   0 B                 
39788598877c        7 hours ago         /bin/sh -c INSTALL_PKGS="which git tar wget h   78.58 MB            
ec3ffe3554ef        7 hours ago         /bin/sh -c yum update -y nss openssl-libs &&    1.671 MB            
60d7ec21aa96        8 days ago          /bin/sh -c #(nop) CMD ["/bin/bash"]             0 B                 
f0e1cf3be051        8 days ago          /bin/sh -c #(nop) LABEL name=CentOS Base Imag   0 B                 
ebe253abc97d        8 days ago          /bin/sh -c #(nop) ADD file:deb8ef25b4d805246a   196.7 MB            
1544084fad81        8 months ago        /bin/sh -c #(nop) MAINTAINER The CentOS Proje   0 B  

Security

Scoped Access Tokens #8393

Allows the creation of a token that identifies as the user, but only allows a subset of the user's permissions. Scopes are restrictive, so a viewer who makes a scoped token with edit rules still only has view rights. A common use for scoped tokens is to give to a third party the ability to act on your behalf (like a build systems) via the API, but to limit what they can actually do.

Scopes include (but are not limited to)

• user:info - gives information about who I am
• user:check-access - see what I can do
• role:edit:my-ns (token has the edit role in the my-ns namespace)

Impersonation #8672, #8824

Allows a user with the "impersonate" permission on a particular user or serviceaccount, the ability to make a request "as" that other person. A sudoer role was added to allow a user to impersonate "system:admin" so they don't have to have cluster-admin rights all the time.

Delete a project as the cluster admin

$ oc delete project/foo --as system:admin

Retrieve pods for the current project as the default service account

$ oc get pods --as system:serviceaccount:my-ns:default

Allowing Se...

v1.2.0

This is the the official release of OpenShift Origin 1.2.

v1.2.0 (2016-05-24)
Full Changelog

Docker 1.9 / 1.10 and Origin

OpenShift Origin 1.2 depends on Docker 1.9. As a consequence of the recent change to the DockerHub to stop supporting pull-by-digest for images pushed by newer Docker clients, users of OpenShift running Docker 1.10 may experience problems pulling images from the Hub. We are working on addressing this issue in an upcoming patch release.

Fixed Bugs

• Ensure that the router locks access to the internal map before generating config, to prevent race conditions #8993
• Prevent users from mutating the status of PVCs and PVs - Kubernetes #24924
• Enabling the etcd watch cache resulted in watch timeout errors being reported differently, causing issues for the web console - Kubernetes #25369
• Importing images that had previously failed to import could result in occasional panics - #8599
• Remove the possibility of console CSRF issues via the API proxy - #8958

Release SHA256 Checksums

8e903e6a81e9a8415532c6d7fbc86ab4c84818a4dad8fcf118776fa90424e95c  openshift-origin-client-tools-v1.2.0-2e62fab-linux-32bit.tar.gz
62d309592b27e42a84102a950d92a8c1b6b61ea488f7c2f3433bf38f64cea68b  openshift-origin-client-tools-v1.2.0-2e62fab-linux-64bit.tar.gz
a911c918426fd474330d60c5ec651308385b54fd0f0866e888328f38d8ee7671  openshift-origin-client-tools-v1.2.0-2e62fab-mac.zip
3df3d7f31d5f50fa49f94312883107ebee1a0877b598eada32dce1b029f6c3f2  openshift-origin-client-tools-v1.2.0-2e62fab-windows.zip
f6e46dec27f166a7f05554bd6b9364cead8c36a39836f75e16e16ee29b9e1a2f  openshift-origin-server-v1.2.0-2e62fab-linux-64bit.tar.gz

v1.2.0-rc2

This is the second release candidate for OpenShift Origin 1.2

v1.2.0-rc2 (2016-04-25)
Full Changelog

Component Updates

• Updated openshift-sdn to ba3087a to address a race condition assigning pod IPs in the multi tenant plugin #8614

Fixed Bugs

• Retry import of images from the DockerHub when receiving a 401 Unauthorized in the first attempt to download the image, due to a race condition in the DockerHub #8574 and #8612
• Prevent incorrect quota allocation of pods when deployments conflict and the user is close to their quota limit by fetching the latest state first #8588

Release SHA256 Checksums

75ab7bb0c1201796f168a82fdb2f17ab1912e5a748cbb68064989aa12a56b754  openshift-origin-client-tools-v1.2.0-rc2-642f0af-linux-32bit.tar.gz
bc6e6c8131df30bbf649cd1bf15103bc14dbc6a86331432694d5c35666328147  openshift-origin-client-tools-v1.2.0-rc2-642f0af-linux-64bit.tar.gz
6ac1189c5b3cf23203f0cd7b01fd3a5217b127b5af795aab7dff105dc753f454  openshift-origin-client-tools-v1.2.0-rc2-642f0af-mac.zip
321d4e03a06fa142cf22ea1a50eb96a01b382aa34fba817b7413cf50ee121724  openshift-origin-client-tools-v1.2.0-rc2-642f0af-windows.zip
7df32ac018f1bb9e012ce2e1c0c609656dedbae59772e9547a1c8052c7116c97  openshift-origin-server-v1.2.0-rc2-642f0af-linux-64bit.tar.gz