Releases: openshift/origin

v1.2.0-rc1

25 Apr 18:21

This is the first release candidate for OpenShift Origin 1.2

v1.2.0-rc1 (2016-04-20)

Changes requiring administrative action

  • Separate build strategy permissions into distinct roles #8528. Admins who have denied access to docker, source, or custom builds will now need to assign users or groups to those roles by default.

Component Updates

  • Updated openshift-sdn to 9f1f602 to address a panic and reuse of pod IPs #8468

Features

  • Improve the output of oc describe build #8293

Fixed Bugs

  • Performance: Enable the etcd watch cache for Kube resources, reducing memory use and duplicate watches #8395
  • Change RunOnce pod duration restrictor to act as a limit instead of override #8304
  • Guarantee partially completed builds are cleaned up when cancelled #8306
  • Check claimRef UID when processing a recycled PV to prevent races #8100
  • Build config edit form should be marked dirty when deleting environment variables #8380
  • ProjectRequestLimit plugin: ignore projects in terminating state #8400
  • Make ConfigMap volume readable as non-root #8411
  • Memory leak: Wrap oauth/login requests to clear in-memory session #8435
  • Add system:image-auditor role for managing image registry #8455
  • UPSTREAM: 23894: OOM errors when processes exit rapidly #8412
  • Allow dynamic volume provisioning to be disabled #8426
  • Deployment pods should be cancelled when deployments are cancelled in all cases new cancelled deployments #8418
  • Deployer controller should ensure deployments that are cancelled can't become completed #8417
  • Prevent concurrent deployer pod creation #8478
  • A pod would never terminate if the registry it pulls images from was unavailable #8378
  • Fix precision of cpu to millicore and memory to Mi in the UI #8409
  • HAProxy router should obfuscate the pod IP when using cookies for session affinity #8334

Release SHA256 Checksums


v1.1.6

05 Apr 15:50

This is a bug fix release on top of Origin 1.1.x and is the first release candidate (rc1) for 1.2.0

Component updates

  • Updated to Kubernetes 1.2.1

Features

  • Support multiple web login providers
  • Distinguish pods being pulled or terminating in the pod status output, and show the size of images with other pod info
  • Improve the layout and display of logs in the web console
  • Show a prettier router error page when an app doesn't exist yet

Fixed Bugs

  • PVC should not be blocked by the default SCC policy for users
  • Continue to support host ports on oadm router, user can disable them with --host-ports=false when --host-network=false is also set.
  • Emit events when cancellation of a deployment fails
  • When invoking a binary build, retry if the input image stream tag does not exist yet (since it may be in the process of being imported)
  • Fix a race condition in Kubernetes where endpoints might be partially updated (only have some pods) when the controller is restarted
  • Docker containers do not allow CPU quota less than 10m, so set the minimum value
  • Don't sync daemonsets that match all pods.
  • oc new-build should not fail when creating a binary build on a Git repo that doesn't have an upstream remote set
  • Fix a race condition between scaled up routers where some changes might be ignored

Release SHA256 Checksums


v1.1.5

29 Mar 21:10

IMPORTANT: Issue #8297 prevents regular users from accessing PVCs if you reconcile-cluster-roles. Upgrade to v1.1.6


This is a bug fix release on top of Origin 1.1.x.

Backwards Compatibility

  • Origin v1.1.5 is now compiled on Go 1.6, which may result in changes to runtime GC behavior that may require tuning at high densities and load.
  • Origin v1.1.5 requires Docker 1.8.3 or 1.9.1-23 or higher due to bugs with cGroup limits and systemd.
  • The name of the generator for oc run that creates DeploymentConfigs changed from run/v1 to deploymentconfig/v1 for compatibility with kubectl

Component updates

  • Updated to Kubernetes 1.2.0

Features

  • The new Kubernetes 1.2 ConfigMap resource is now usable. You must run oadm policy reconcile-cluster-roles to grant access to use it for end users.
  • Limits, quotas, and quota scopes are now displayed in the web console

Security and Admin

  • Add quota support to emptydirs - when the quota is enabled on an XFS system, nodes will limit the amount of space any given namespace can use on a node to a fixed upper bound. The quota is tied to the FSGroup of the namespace - administrators can control this value by editing the namespace directly or allowing users to set FSGroup via security context constraints.
  • DaemonSet is now limited to cluster admins because pods running under a daemonset are considered to have higher priority than regular pods, and for regular users on the cluster this could be a security issue.
  • Administrators can prevent clients from accessing the API based on their User-Agent header with the new userAgentMatching config setting
  • Access to set externalIP on services is now disabled by default, to prevent malicious users from creating services that impersonate other IP addresses in the cluster. Administrators can selectively enable the field for specific IP ranges.
  • The NO_PROXY environment variable will now accept a CIDR in a number of places in the code for controlling which IP ranges bypass the default HTTP proxy settings.
  • Administrators can now enforce the readOnlyRootFilesystem flag via security contexts to require that users run without being able to modify the container image
  • Administrators can now limit what volume types users can use directly from within a Pod - by default, regular users are now forbidden from directly mounting any of the remote volume types (they must use a PVC)

Bugs

  • Fixed a performance regression in cAdvisor that resulted in long pauses on Kubelet startup
  • oc edit was not properly displaying all errors when saving an edited resource failed
  • Show more information about persistent volume claims and persistent volumes in a number of places in the CLI and web console
  • Some commands that used the API PATCH command could fail intermittently when they were executed on the server and another user edited at the same time.
  • Warn when trying to import a non-existent tag in oc import-image
  • Show singular pods in the oc status output
  • Router
    • Show more information from the router reload command in the router logs
    • Routes that changed at the same time could compete for being exposed if they were in different namespaces. Made the check for which route gets exposed predictable.
    • Use the health check when restarting the router to ensure the new process is correctly running before continuing
  • Better error in the web console when JavaScript is disabled.
  • Failed deployments should update the status of the deployment config more rapidly, reducing the time before the old deployment is scaled back up

Release SHA256 Checksums


v1.1.4

14 Mar 18:43

This is a feature and bug fix release on top of OpenShift Origin v1.1.x.

API Changes

  • oc rsh now launches /bin/sh, not /bin/bash. To have the old behavior, run oc rsh NAME -- /bin/bash

Features

Upstream components

  • Updated Kubernetes to v1.2.0 pre-beta.0 62e5743
  • Updated etcd to v2.2.5

Command-line usability

  • Add oc create service account to make it easier to create a new service account
  • Add a new "oc debug" command that makes it easy to get a shell in a misbehaving pod - clones the exact environment of the running deployment config, replication controller, or pod, but replaces the run command with a shell.
  • Add a command for updating deployment and build config triggers - oc set trigger
  • Add a command for updating liveness and readiness probes on deployment config - oc set probe
  • Display more information about liveness and readiness probes in the oc status and oc describe commands
  • Improve oc describe deploymentconfig/NAME to show more useful info
  • Allow build configuration environment variables to be set with oc set env bc/NAME, like deployment configs
  • oc status will now warn when a build config is missing one or more of the image streams it depends on

Web Console

  • More detailed pod status on all pages
  • Better status and alert messages
  • Show events on more objects and allow the events table to be filtered and sorted
  • Improve Dockerfile build keyword highlighting when editing builds
  • Display more accurate information about routes based on which addresses the router exposed them under

Administration

  • Support service accounts on router and registry
    • The router can now be created without specifying --credentials and it will use the router service account in the current namespace
    • The registry will also use a service account if --credentials is not provided. Otherwise, it will set the values from the --credentials file as environment on the generated deployment config.
  • Add support for security context constraints in oc describe
  • Increase the default HostSubnetLength value for OpenShift SDN to 9 (allowing 512 nodes by default) and broaden the default ClusterNetworkCIDR to 10.128.0.0/14 to allow 512 pods each for those 512 nodes.
  • Increase the default MaxPodsPerNode setting to 110 to reflect updated capacity.
  • Allow extended user attributes to be set by an authenticating proxy
  • The diagnostics command has graduated from experimental and now appears as oadm diagnostics
  • The HAProxy router allows the public HTTP and HTTPS ports it serves on to be overridden
  • The FSGroup for the namespace is now enforced and defaulted on all pods created, and the user in the container should be a member of that group.

Bug fixes

  • Fixes to dynamic provisioners to prevent creating multiple volumes for one claim
  • Host value should be written to rejected route status by the routers
  • Use the correct HOME directory on Windows in the CLI
  • Rolling deployments with no surge and a maxUnavailable less than 100% will now preserve at least one pod during a rolling update (if scale is > 1)
  • If a node is started and Docker is not available or would likely fail to connect, print more information to help a user debug why.
  • Remove invalid flags from oc, oadm, and openshift binary bash tab-completion scripts
  • oc new-app could fail when Docker environment variables were set but Docker was not available
  • Increase binary build timeout from 1 minute to 5 minutes to allow pods to schedule more effectively
  • On some Linux kernel versions, HAProxy could lose track of some connections that were pending on its socket while a graceful reload was happening. Setting the DROP_SYN_DURING_RESTART environment variable on the HAProxy router to 1 will drop SYN packets while HAProxy is in the process of reloading, ensuring the client retries the connection. Future kernel versions will remove the need for this workaround.
  • Rapid router reloads could cause temporary unavailability of some routes - now wait for reload until the new HAProxy process is completely started
  • If an image import failed, oc import-image would sometimes be unable to reimport another image.
  • oc apply was broken when passed a List of objects, so commands like oadm registry -o yaml | oc apply -f - would fail.

Release SHA256 checksums


v1.1.3

17 Feb 20:34

This is a feature and bug fix release on the Origin 1.1.x stream.

API Changes

  • ImageStreamTags now return the spec tag (tag), the current status conditions, and the latest status generation (generation), so clients can get an accurate view of the current tag.
  • ImageStreamTags can be updated via PUT to set their spec tag in a single call.
  • DeploymentConfig hooks now default the container name if there is only a single container in the deployment config.

Included projects

Features

  • The administrative commands are now exposed via oc adm so you have access to them in a client context - oadm will still work but will be a symlink to the oc binary.

  • IPFailover supports a router id offset, supporting multiple ipfailover setups per cluster

  • Allow the master to support recursive DNS resolution via a new master config flag allowRecursiveQueries, defaults to false

  • The userspace node proxy can be enabled on nodes for users who want to continue using it over the iptables proxy via

    proxyArguments:
      proxy-mode:
      - userspace
    
  • oc explain now works for Origin types - try oc explain dc.spec.test

  • The web console will now display more error and warning information about routes, their configuration, and their use in the system

  • Routers now report back status to the master about whether routes are accepted, rejected, or conflict with other users. The CLI will now display that error information, allowing users to know that the route isn't being served.

  • The SETUID and SETGID capabilities have been added back to the anyuid SCC, which ensures that programs that start as root and then drop to a lower permission level will work by default.

  • Deployment hooks can now tag the most recent container image into another image stream on success - use a "test" deployment to validate the deployment succeeds, and then tag the resulting image into an image stream tag for others to use

  • Trigger a user provided command after a build succeeds but before the push - users can set shell (to run a shell script), command, or args to run a command in the working directory of the built image. All s2i builders set the user's source repo as the working directory, so commands like bundle exec rake test should work.

  • Administrators can enforce a ratio on pod requests and limits for CPU and memory via the new ClusterResourceOverride for users on the platform.

Bugs

  • Improve the web console's performance when displaying many deployments or builds
  • Router unique host check should not reprocess routes that did not change
  • Add the AlwaysPull admission controller to prevent users from being able to run images that others have already pulled to the node
  • Fix oc edit when editing multiple items in a list form
  • The recycler for persistent volumes now uses a service account and has proper access to restricted content
  • Support the block profiler in pprof
  • Handle additional cGroup locations when constraining builds
  • Handle scratch images from new-app
  • Add support for paged LDAP queries

v1.1.2

07 Feb 01:42

This is a feature release on the OpenShift Origin 1.1.x stream.

Compatibility with previous releases

API Changes

  • Due to a change in the upstream JSON serialization path used in Kubernetes, some fields that were previously accepted case-insensitively are no longer accepted. Please validate that your API objects have the correct case for all attributes
  • When creating a deployment config, omitting the spec.selector will default that value to the pod template labels

Features

Updated to Kubernetes 1.2.0-dev from late January

This release includes an update to be based on Kubernetes 1.2.0 dev openshift/kubernetes@9caf0a7 (thanks @deads2k, @liggitt, and @soltysh)

Highlighted features:

  • Addition of kubectl create namespace and kubectl create secrets, making it easier to create those resources directly. oc secrets will be replaced over time with additions to oc create secrets.
  • Secrets can now be injected as environment variables using the secretKeyRef field making consumption of secrets in applications easier.
  • DaemonSets are enabled in Origin now that the API has been stabilized.

We anticipate one more rebase prior to 1.2.0 Origin onto 1.2.0 Kube rc0.

Updated etcd to v2.2.2

Carries performance improvements.

Build secrets and image sources

  • Edit build configurations directly from the web console
  • Builds can now be supplied with input files from unrelated images. Previously all input to a build had to come from the builder image itself, or a git repository. It is now possible to specify additional images and paths within those images to use as an input to a build for things like external dependencies.

Use the --source-image=IMAGE and --source-image-path=SRC:DST flags to oc new-build to specify images.

The example shown below will inject the /usr/lib/jenkins/jenkins.war file out of the image currently tagged with jenkins:latest into the installed-apps directory of the build input.

apiVersion: v1
kind: BuildConfig
metadata:
  name: imagedockerbuild
spec:
  source:
    images:
    - from:
        kind: ImageStreamTag
        name: jenkins:latest
      paths:
      - destinationDir: installed-apps/
        sourcePath: /usr/lib/jenkins/jenkins.war

Be sure to set an image change trigger for jenkins:latest if you want to rebuild every time that image is updated.

  • Builds can now be supplied with secrets for use during the build process. Previously secrets could be used for git cloning but now secrets can also be made available to the build process itself so that build operations such as maven packaging can use a secret for credentials.
  • Builds now properly use Git submodules when checking out the source repository - thanks to @paralin
  • When a build configuration is deleted (via oc delete), all associated Builds are now deleted as well. To prevent this behavior, specify --cascade=false.
  • Custom build configurations can now specify the API version to use. This API version will determine the schema version used for the serialized build configuration supplied to the custom build pod in the BUILD environment variable.
  • Resource limits are now enforced on the container launched by S2I builds, and also on the operations performed within containers as part of a docker build of a Dockerfile. (Previously the resource limit only applied to the build pod itself and not the containers spawned by the build process)

Import images with authentication, schedule image import, and image pullthrough

  • You can now import images from Docker v2 registries that are authenticated via Basic or Token credentials. To import, create a secret in your project based on a .docker/config.json or .dockercfg file:

$ oc secrets new hub .dockerconfigjson=$HOME/.docker/config.json
Created secret/hub
$ oc import-image auth-protected/image-from-dockerhub
The import completed successfully.

Name:       image-from-dockerhub
Created:    Less than a second ago

Tag     Spec                                 Created
latest  default/image-from-dockerhub:latest  Less than a second ago ...

When importing, all secrets in your project of those types will be checked. To exclude a secret from being a candidate for importing, use the openshift.io/image.excludeSecret annotation set to true:

$ oc annotate secret/hub openshift.io/image.excludeSecret=true

  • Image stream tags can be set to be automatically imported from remote repositories when they change (public or private). OpenShift will periodically query the remote registry and check for updates depending on the configuration the administrator sets. By default, images will be checked every 15 minutes.

To set an image to be imported automatically, use the --scheduled flag with the oc tag command:

$ oc tag --source=docker redis:latest myredis:latest --scheduled
Tag myredis:latest set to import redis:latest periodically.

You can see which images are being scheduled using oc describe is myredis.

Administrators can control whether scheduling is enabled, the polling interval, and the rate at which images can be imported via the imagePolicyConfig section in the master configuration.

  • The integrated Docker registry now supports "image pullthrough", allowing you to tag a remote image into OpenShift and directly pull it from the integrated registry as if it were already pushed to the OpenShift registry. If the remote registry is configured to use content-offload (sending back a temporary redirect URL to the actual binary contents), that value will be passed through the OpenShift registry and down to the Docker daemon, avoiding the need to proxy the binary contents.

To try pullthrough, tag an image from the DockerHub and then pull it from the integrated registry:

$ oc tag --source=docker redis:latest redis:local
$ oc get is redis
NAME      DOCKER REPO                     TAGS     UPDATED
redis     172.30.1.5:5000/default/redis   local    Less than a second ago

# log into your local docker registry
$ docker pull 172.30.1.5:5000/default/redis:local
Using default tag: local
Trying to pull repository 172.30.1.5:5000/default/redis ...
latest: Pulling from 172.30.1.5:5000/default/redis
47d44cb6f252: Pull complete
838c1c5c4f83: Pull complete
5764f0a31317: Pull complete
60e65a8e4030: Pull complete
449f8db3c25a: Pull complete
a6b6487c42f6: Pull complete
Digest: sha256:c541c66a86b0715bfbb89c5515929268196b642551beccf8fbd452bb00170cde
Status: Downloaded newer image for 172.30.1.5:5000/default/redis:local

You can use pullthrough with private images - the integrated registry will use the same secret you imported the image with to fetch content from the remote registry.

  • Imported images now contain the size of the image as well as the individual layers and size of each layer and report that in describe
  • When importing an entire remote repository, only the first 5 tags will be imported by default. OpenShift will preferentially import the latest tag and the highest semantically versioned tag (tags in the form v5, 5.0, or 5.0.1). You can import the remaining tags directly. Lists of tags will be sorted with the latest tag on top, followed by the highest major semantic tag, in descending order.
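The tag ordering and five-tag cutoff described above, as an added sketch that is not OpenShift's own code. The function names are hypothetical and the sample tags are constructed; treating a missing minor or patch number as zero and sorting non-version tags alphabetically at the end are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// version holds the numeric parts of a tag such as v5, 5.0 or 5.0.1.
type version struct{ major, minor, patch int }

// parseVersion accepts the tag forms named in the release note (v5, 5.0,
// 5.0.1), with an optional leading "v". Missing parts count as zero
// (assumption). Anything else is not a semantic version.
func parseVersion(tag string) (version, bool) {
	parts := strings.Split(strings.TrimPrefix(tag, "v"), ".")
	if len(parts) > 3 {
		return version{}, false
	}
	var n [3]int
	for i, p := range parts {
		// Reject empty parts and anything that is not purely digits.
		if p == "" || strings.Trim(p, "0123456789") != "" {
			return version{}, false
		}
		v, err := strconv.Atoi(p)
		if err != nil {
			return version{}, false
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2]}, true
}

func (a version) less(b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// rank groups tags: "latest" first, semantic versions next, the rest last.
func rank(tag string) int {
	if tag == "latest" {
		return 0
	}
	if _, ok := parseVersion(tag); ok {
		return 1
	}
	return 2
}

// PrioritizeTags returns a sorted copy: latest on top, then semantic
// versions from highest to lowest, then other tags alphabetically.
func PrioritizeTags(tags []string) []string {
	out := append([]string(nil), tags...)
	sort.SliceStable(out, func(i, j int) bool {
		ri, rj := rank(out[i]), rank(out[j])
		if ri != rj {
			return ri < rj
		}
		if ri == 1 {
			vi, _ := parseVersion(out[i])
			vj, _ := parseVersion(out[j])
			if vi != vj {
				return vj.less(vi) // descending by version
			}
		}
		return out[i] < out[j]
	})
	return out
}

// TagsToImport splits the prioritized list at limit: the first part is what
// a repository-wide import would pick up, the rest must be imported directly.
func TagsToImport(tags []string, limit int) (selected, skipped []string) {
	ordered := PrioritizeTags(tags)
	if limit > len(ordered) {
		limit = len(ordered)
	}
	return ordered[:limit], ordered[limit:]
}

func main() {
	// Constructed tag list for a hypothetical remote repository.
	tags := []string{"3.0.7", "edge", "latest", "v2", "3.2", "3.0",
		"nightly-20160201", "2.8.23", "3.2.1"}
	selected, skipped := TagsToImport(tags, 5)
	fmt.Println("imported by default:", selected)
	fmt.Println("import directly:    ", skipped)
}
```

Tags that fall past the cutoff are the ones to review when an image stream is expected to track a specific older release.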

Integrated Docker registry

  • The integrated registry now supports Azure Blob Storage, OpenStack Swift, and Amazon CloudFront as storage backends
  • A readiness and health check have been added to the integrated registry to ensure new instances do not serve traffic until they are fully initialized.

Test deployments and improvements to the Recreate strategy

  • It is now possible to create a "test" deployment that will scale itself down to zero when a deployment is complete. This deployment can be used to verify that an image will be correctly rolled out without requiring the pods to be running all the time. To create a test deployment, use the --as-test flag on oc new-app or set the spec.test field of a deployment config to true via oc edit.

The deployment will trigger like any other deployment config, scaling up to the current spec.replicas value when triggered, and then once the deployment has completed (success or failure) it will be scaled down to zero. You can use deployment hooks to test or verify the deployment - since hooks run as part of the deployment process, a test suite running in your hook can ensure your application is correct and pass or fail the deployment. You can add a local database or other test container to the deployment pod template, and have your application code verify itself before passing to the next step.

Scaling a test deployment will only affect the next deployment.

  • The Recreate strategy now supports mid hooks which run while all old pods have been scaled down and before any new pods are scaled up - use it to run migrations or config changes that can only happen while the application is completely shut down.
  • The Recreate strategy now has the same behavior as the Rolling strategy - requiring the pod to be "ready" before continuing with the deployment. A new field timeoutSeconds was added to the strategy that is the maximum allowed interval between pods becoming ready - it defaults to 120s.

Web console


v1.1.1.1 - Hotfix for OpenShift SDN

27 Jan 03:31

This release contains a single fix:

  • #6684 - Ensure that the OpenShift SDN component does not report an error on startup if the master has not yet started. Manifested as flaky or broken network on some machines.

v1.1.1

18 Jan 18:39

This is a bug fix and feature release on top of v1.1 Origin.

API Changes

  • Allow deleting a tag via DELETE /oapi/v1/namespaces/NAMESPACE/imagestreamtags/STREAM:TAG
  • It is no longer valid to set route TLS configuration without also specifying a termination type. A default has been set for type to be terminate if the user provided TLS certificates
  • Docker builds can now be configured with custom Dockerfile paths

Dynamic provisioning of persistent volumes

Dynamic provisioning of persistent volumes was implemented for AWS, GCE, and OpenStack, with 1 provisioner per cloud provider. PersistentVolumes of those types can be made on-the-fly in response to a PersistentVolumeClaim with a specific annotation ("volume.alpha.kubernetes.io/storage-class"). This feature is experimental and may change in future releases. Having multiple provisioners at once is not currently supported.

Web Console

  • Allow build config environment variables to be edited from the web console
  • Show build trends on the build config overview page
  • Individual build configs and deployments can be deleted
  • Allow any object in the web console to be edited like oc edit with a direct YAML editor, for when you need to tweak rarely used fields
  • Improve the experience around web console scaling with more information
  • Show empty replication controllers in the overview when they are not part of a service
  • Users can dismiss web console alerts

Command line

  • oc status now shows suggestions and warnings about conditions it detects in the current project
  • oc start-build now allows environment and log-level to be passed as arguments
  • oc secret allows custom secret types to be created
    • Accept the new dockercfg format in the oc secrets commands
  • oc new-build now supports the --to flag, which allows you to specify which image stream tag you want to push a build to. You can pass --to-docker to push to an external image registry. If you only want to test the build, pass --no-output which will just ensure the build passes.
  • Support some of the global rsync flags on oc rsync for displaying progress information - not supported on all rsync backends (like tar)

Security

  • The user name of the person requesting a project be created is now available to parameterize the initial project template as the parameter PROJECT_REQUESTING_USER
  • When creating a new application from a Docker image, warn if the image does not specify a user, since administrators may have disabled running as root inside of containers.
  • Add a new role system:image-pusher that allows pushing images to the integrated registry.
  • Deleting a cluster role from the command line will now delete all role bindings associated to that role unless you pass --cascade=false
  • Deleting users and groups cascades to delete their role bindings across the cluster.
  • Run the Docker registry as a non-root user

Misc features

  • Update to the 2.2.1 version of the Docker registry
  • Use the new iptables kube-proxier instead of the userspace proxier for a big improvement in speed and reduction in CPU
  • Promote the LDAP group prune and sync commands out of experimental into oadm groups
  • More tests and config warnings in openshift ex diagnostics
  • Builds are updated with the Git commit used in a build after the build completes.
  • Routers now support overriding the host value in a route at startup - you can start multiple routers and serve the same route over different wildcards (with different configurations). See the help for openshift-router

Bug fixes

  • Remove deployer pods when pruning failed deployments
  • Various improvements to tab-autocompletion scripts on the command line
    • Fix autocompletion of build config names
    • Fix autocompletion of flags used by all commands
  • When firewalld is restarted, reload proxy rules
  • Give router instances a readiness check and update their liveness check to always use /healthz (which is now exposed)
  • Do not export service account secrets that can't be used in other environments (service account tokens are namespace specific)
  • Allow the streaming connection timeout in the kubelet to be configured via kubelet extended parameters, instead of being hardcoded
  • Validate the remote repository to be cloned in builds using git ls-remote which is more accurate when using certain Git clone specs
  • When using source code authentication in builds, if the password exceeds 255 characters (which is not supported by Git correctly) we now use a local proxy
  • oc start-build --from-webhook could fail when not passing Git info
  • On Windows, oc now uses the correct home directory for its operations
  • The Jenkins template no longer identifies Jenkins as a DB
  • When generating applications using new-app or builds with new-build, prevent accidental circular references (don't push the build output to the same tag that is used as the input to the build)
  • Make oc env more tolerant of the background status updates the node generates (fewer conflict failures from the CLI)
  • Improve deployment scaling behavior by making oc scale dc/foo more reliable and predictable.
  • When running oc new-app, allow the local Docker daemon to be contacted over TLS if the user has specified the normal Docker client environment variables.
  • Websocket watches were not being closed cleanly, resulting in hangs on some browsers
  • DNS in the cluster is now served via the kube-proxy on the Kubernetes master port 53, which ensures that in an HA setup DNS continues to respond.
  • systemd start notifications were not properly being delivered in some cases, resulting in services being restarted
  • oc expose is updated to work with services that use port names (instead of numbers) when creating routes
  • Importing of Docker images into image streams now correctly works when using a proxy via HTTPS_PROXY
  • In a clustered etcd deployment, wait for access tokens to propagate to all cluster members before returning the token to the user
  • Setting a node IP in the Kubelet config no longer overrides the node hostname.

v1.1.0.1 - Security Update to v1.1

12 Dec 04:47

This release contains a security fix for OpenShift and Kubernetes. We recommend all users upgrade to v1.1.0.1.

NOTE: The binaries delivered as part of the release have been updated into client-tools (containing the oc binary) and a server package for linux-64bit. Please report any issues encountered.

v1.1

16 Nov 20:53

This is the official release of OpenShift Origin v1.1. Please see 1.0.7 rc1 and 1.0.8 rc2 for a list of features added in 1.1

Fixes

  • Fix volume recycler image to run as a service account and properly handle different permission sets
  • Add openshift/origin-node image, which can be used for containerized installs
  • Deployer pod runs as a non-root user, making it easier to run under alternate security policies
  • Show deployment status (failed or cancelled) in the web console next to the deployment
  • Docker registry service is now set to use session affinity - reduces the likelihood of NFS caching problems when using NFS as the backing registry store
  • Add deployment logs to the web console
  • Allow templates to generate a wider range of output values