SUSE-CU-2022:53-1: Security update of ses/7/cephcsi/csi-node-driver-registrar
sle-security-updates at lists.suse.com
Tue Jan 25 07:52:20 UTC 2022
SUSE Container Update Advisory: ses/7/cephcsi/csi-node-driver-registrar
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:53-1
Container Tags : ses/7/cephcsi/csi-node-driver-registrar:v2.3.0 , ses/7/cephcsi/csi-node-driver-registrar:v2.3.0-rev1 , ses/7/cephcsi/csi-node-driver-registrar:v2.3.0-rev1-build3.426
Container Release : 3.426
Severity : critical
Type : security
References : 1027496 1029961 1113013 1122417 1125886 1134353 1161276 1162581
1169614 1171962 1172973 1172974 1174504 1174504 1177127 1178236
1179416 1180064 1180125 1183085 1183543 1183545 1183632 1183659
1184614 1184994 1184994 1185016 1185299 1185524 1186489 1186503
1186602 1186910 1187153 1187224 1187270 1187273 1187425 1187466
1187512 1187654 1187670 1187738 1187760 1187911 1187993 1188018
1188063 1188063 1188156 1188217 1188218 1188219 1188220 1188291
1188344 1188435 1188548 1188571 1188623 1188713 1188921 1189031
1189206 1189465 1189465 1189480 1189520 1189521 1189521 1189534
1189554 1189683 1189803 1189929 1189996 1190052 1190059 1190199
1190234 1190325 1190356 1190373 1190374 1190440 1190465 1190645
1190712 1190739 1190793 1190815 1190915 1190933 1190984 1191252
1191286 1191324 1191370 1191563 1191609 1191736 1191987 1192161
1192248 1192337 1192436 1192489 1192688 1192717 1193480 1193481
1193521 1193711 CVE-2016-10228 CVE-2019-20838 CVE-2020-14155
CVE-2020-29361 CVE-2021-20266 CVE-2021-20271 CVE-2021-22922 CVE-2021-22923
CVE-2021-22924 CVE-2021-22925 CVE-2021-22946 CVE-2021-22947 CVE-2021-33574
CVE-2021-33910 CVE-2021-33910 CVE-2021-3421 CVE-2021-35942 CVE-2021-36222
CVE-2021-3711 CVE-2021-3712 CVE-2021-3712 CVE-2021-37600 CVE-2021-37750
CVE-2021-38185 CVE-2021-38185 CVE-2021-39537 CVE-2021-43618
-----------------------------------------------------------------
The container ses/7/cephcsi/csi-node-driver-registrar was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:3026-1
Released: Fri Oct 23 15:35:49 2020
Summary: Optional update for the Public Cloud Module
Type: optional
Severity: moderate
References:
This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).
The following packages were included:
- python3-grpcio
- python3-protobuf
- python3-google-api-core
- python3-google-cloud-core
- python3-google-cloud-storage
- python3-google-resumable-media
- python3-googleapis-common-protos
- python3-grpcio-gcp
- python3-mock (updated to version 3.0.5)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:294-1
Released: Wed Feb 3 12:54:28 2021
Summary: Recommended update for libprotobuf
Type: recommended
Severity: moderate
References:
libprotobuf was updated to fix:
- ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:656-1
Released: Mon Mar 1 09:34:21 2021
Summary: Recommended update for protobuf
Type: recommended
Severity: moderate
References: 1177127
This update for protobuf fixes the following issues:
- Add missing dependency of python subpackages on python-six. (bsc#1177127)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2404-1
Released: Tue Jul 20 14:21:30 2021
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1184994,1188063,CVE-2021-33910
This update for systemd fixes the following issues:
- CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063)
- Skip udev rules if 'elevator=' is used (bsc#1184994)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2439-1
Released: Wed Jul 21 13:46:48 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
This update for curl fixes the following issues:
- CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
- CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
- CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
- CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2689-1
Released: Mon Aug 16 10:54:52 2021
Summary: Security update for cpio
Type: security
Severity: important
References: 1189206,CVE-2021-38185
This update for cpio fixes the following issues:
It was possible to trigger remote code execution due to an integer overflow (CVE-2021-38185, bsc#1189206)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2763-1
Released: Tue Aug 17 17:16:22 2021
Summary: Recommended update for cpio
Type: recommended
Severity: critical
References: 1189465
This update for cpio fixes the following issues:
- A regression in the last update would cause builds to hang on various architectures (bsc#1189465)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2780-1
Released: Thu Aug 19 16:09:15 2021
Summary: Recommended update for cpio
Type: recommended
Severity: critical
References: 1189465,CVE-2021-38185
This update for cpio fixes the following issues:
- A regression in the previous update could lead to crashes (bsc#1189465)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2800-1
Released: Fri Aug 20 10:43:04 2021
Summary: Security update for krb5
Type: security
Severity: important
References: 1188571,CVE-2021-36222
This update for krb5 fixes the following issues:
- CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2830-1
Released: Tue Aug 24 16:20:18 2021
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1189520,1189521,CVE-2021-3711,CVE-2021-3712
This update for openssl-1_1 fixes the following security issues:
- CVE-2021-3711: A bug in the implementation of the SM2 decryption code
could lead to buffer overflows. [bsc#1189520]
- CVE-2021-3712: a bug in the code for printing certificate details could
lead to a buffer overrun that a malicious actor could exploit to crash
the application, causing a denial-of-service attack. [bsc#1189521]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2938-1
Released: Fri Sep 3 09:19:36 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1184614
This update for openldap2 fixes the following issue:
- openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2966-1
Released: Tue Sep 7 09:49:14 2021
Summary: Security update for openssl-1_1
Type: security
Severity: low
References: 1189521,CVE-2021-3712
This update for openssl-1_1 fixes the following issues:
- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712.
Read buffer overruns processing ASN.1 strings (bsc#1189521).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3001-1
Released: Thu Sep 9 15:08:13 2021
Summary: Recommended update for netcfg
Type: recommended
Severity: moderate
References: 1189683
This update for netcfg fixes the following issues:
- add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3030-1
Released: Tue Sep 14 09:27:45 2021
Summary: Recommended update for patterns-base
Type: recommended
Severity: moderate
References: 1189534,1189554
This update of patterns-base fixes the following issue:
- The fips pattern should also install 'openssh-fips' if 'openssh' is installed (bsc#1189554 bsc#1189534)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3182-1
Released: Tue Sep 21 17:04:26 2021
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1189996
This update for file fixes the following issues:
- Fixes exception thrown by memory allocation problem (bsc#1189996)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3298-1
Released: Wed Oct 6 16:54:52 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947
This update for curl fixes the following issues:
- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3348-1
Released: Tue Oct 12 13:08:06 2021
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910
This update for systemd fixes the following issues:
- CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).
- logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
- Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
- Rules weren't applied to dm devices (multipath) (bsc#1188713).
- Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
- Allow the systemd sysusers config files to be overridden during system installation (bsc#1171962).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3385-1
Released: Tue Oct 12 15:54:31 2021
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942
This update for glibc fixes the following issues:
- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3444-1
Released: Fri Oct 15 09:03:07 2021
Summary: Security update for rpm
Type: security
Severity: important
References: 1179416,1183543,1183545,1183632,1183659,1185299,1187670,1188548,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421
This update for rpm fixes the following issues:
Security issues fixed:
- CVE-2021-3421, CVE-2021-20271, CVE-2021-20266: Multiple header check improvements (bsc#1183543, bsc#1183545, bsc#1183632)
- PGP hardening changes (bsc#1185299)
- Fixed potential access of freed mem in ndb's glue code (bsc#1179416)
Maintenance issues fixed:
- Fixed zstd detection (bsc#1187670)
- Added ndb rofs support (bsc#1188548)
- Fixed deadlock when multiple rpm processes try to acquire the database lock (bsc#1183659)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3454-1
Released: Mon Oct 18 09:29:26 2021
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1189929,CVE-2021-37750
This update for krb5 fixes the following issues:
- CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3480-1
Released: Wed Oct 20 11:24:10 2021
Summary: Recommended update for yast2-network
Type: recommended
Severity: moderate
References: 1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933
This update for yast2-network fixes the following issues:
- Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
- Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
- Consider aliases sections as case insensitive (bsc#1190739).
- Display user defined device name in the devices overview (bnc#1190645).
- Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
- Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
- Fix desktop file so the control center tooltip is translated (bsc#1187270).
- Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
- Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3490-1
Released: Wed Oct 20 16:31:55 2021
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1190793,CVE-2021-39537
This update for ncurses fixes the following issues:
- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released: Wed Oct 20 16:48:46 2021
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1190052
This update for pam fixes the following issues:
- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3501-1
Released: Fri Oct 22 10:42:46 2021
Summary: Recommended update for libzypp, zypper, libsolv, protobuf
Type: recommended
Severity: moderate
References: 1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815
This update for libzypp, zypper, libsolv and protobuf fixes the following issues:
- Choice rules: treat orphaned packages as newest (bsc#1190465)
- Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602)
- Do not check signatures and keys two times (redundant) (bsc#1190059)
- Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760)
- Show key fpr from signature when signature check fails (bsc#1187224)
- Fix solver jobs for PTFs (bsc#1186503)
- Fix purge-kernels fails (bsc#1187738)
- Fix obs:// platform guessing for Leap (bsc#1187425)
- Make sure to keep states alive while transitioning. (bsc#1190199)
- Manpage: Improve description about patch updates (bsc#1187466)
- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
- Fix crashes in logging code when shutting down (bsc#1189031)
- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
- Add need reboot/restart hint to XML install summary (bsc#1188435)
- Prompt: choose exact match if prompt options are not prefix free (bsc#1188156)
- Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3510-1
Released: Tue Oct 26 11:22:15 2021
Summary: Recommended update for pam
Type: recommended
Severity: important
References: 1191987
This update for pam fixes the following issues:
- Fixed a bad directive file which resulted in
the 'securetty' file to be installed as 'macros.pam'.
(bsc#1191987)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3523-1
Released: Tue Oct 26 15:40:13 2021
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1122417,1125886,1178236,1188921,CVE-2021-37600
This update for util-linux fixes the following issues:
Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2:
- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921).
- agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
- mount: Fix 'mount' output for net file systems (bsc#1122417).
- ipcs: Avoid overflows (bsc#1178236)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3529-1
Released: Wed Oct 27 09:23:32 2021
Summary: Security update for pcre
Type: security
Severity: moderate
References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155
This update for pcre fixes the following issues:
Update pcre to version 8.45:
- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3799-1
Released: Wed Nov 24 18:07:54 2021
Summary: Recommended update for gcc11
Type: recommended
Severity: moderate
References: 1187153,1187273,1188623
This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:
- gcc11
- gcc-c++11
- and others with 11 prefix.
to select them for building:
- CC='gcc-11'
- CXX='g++-11'
The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3809-1
Released: Fri Nov 26 00:31:59 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1189803,1190325,1190440,1190984,1191252,1192161
This update for systemd fixes the following issues:
- Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103)
- Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)
- shutdown: Reduce log level of unmounts (bsc#1191252)
- pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803)
- core: rework how we connect to the bus (bsc#1190325)
- mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
- virt: detect Amazon EC2 Nitro instance (bsc#1190440)
- Several fixes for umount
- busctl: use usec granularity for the timestamp printed by the busctl monitor command
- fix uninitialized fields in MountPoint in dm_list_get()
- shutdown: explicitly set a log target
- mount-util: add mount_option_mangle()
- dissect: automatically mark partitions read-only that have a read-only file system
- build-sys: require proper libmount version
- systemd-shutdown: use log_set_prohibit_ipc(true)
- rationalize interface for opening/closing logging
- pid1: when we can't log to journal, remember our fallback log target
- log: remove LOG_TARGET_SAFE pseudo log target
- log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console()
- log: add new 'prohibit_ipc' flag to logging system
- log: make log_set_upgrade_syslog_to_journal() take effect immediately
- dbus: split up bus_done() into separate functions
- machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
- virt: if we detect Xen by DMI, trust that over CPUID
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3830-1
Released: Wed Dec 1 13:45:46 2021
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1027496,1183085,CVE-2016-10228
This update for glibc fixes the following issues:
- libio: do not attempt to free wide buffers of legacy streams (bsc#1183085)
- CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3870-1
Released: Thu Dec 2 07:11:50 2021
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1190356,1191286,1191324,1191370,1191609,1192337,1192436
This update for libzypp, zypper fixes the following issues:
libzypp:
- Check log writer before accessing it (bsc#1192337)
- Zypper should keep cached files if transaction is aborted (bsc#1190356)
- Require a minimum number of mirrors for multicurl (bsc#1191609)
- Fixed slowdowns when rlimit is too high by using procfs to detect number of
open file descriptors (bsc#1191324)
- Fixed zypper incomplete messages when using non English localization (bsc#1191370)
- RepoManager: Don't probe for plaindir repository if the URL schema is a plugin (bsc#1191286)
- Disable logger in the child process after fork (bsc#1192436)
zypper:
- Fixed Zypper removing a kernel explicitly pinned that uses uname -r output format as name (openSUSE/zypper#418)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3872-1
Released: Thu Dec 2 07:25:55 2021
Summary: Recommended update for cracklib
Type: recommended
Severity: moderate
References: 1191736
This update for cracklib fixes the following issues:
- Enable build time tests (bsc#1191736)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3891-1
Released: Fri Dec 3 10:21:49 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate
References: 1029961,1113013,1187654
This update for keyutils fixes the following issues:
- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)
keyutils was updated to 1.6.3 (jsc#SLE-20016):
* Revert the change notifications that were using /dev/watch_queue.
* Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
* Allow 'keyctl supports' to retrieve raw capability data.
* Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
* Allow 'keyctl new_session' to name the keyring.
* Allow 'keyctl add/padd/etc.' to take hex-encoded data.
* Add 'keyctl watch*' to expose kernel change notifications on keys.
* Add caps for namespacing and notifications.
* Set a default TTL on keys that upcall for name resolution.
* Explicitly clear memory after it's held sensitive information.
* Various manual page fixes.
* Fix C++-related errors.
* Add support for keyctl_move().
* Add support for keyctl_capabilities().
* Make key=val list optional for various public-key ops.
* Fix system call signature for KEYCTL_PKEY_QUERY.
* Fix 'keyctl pkey_query' argument passing.
* Use keyctl_read_alloc() in dump_key_tree_aux().
* Various manual page fixes.
Updated to 1.6:
* Apply various specfile cleanups from Fedora.
* request-key: Provide a command line option to suppress helper execution.
* request-key: Find least-wildcard match rather than first match.
* Remove the dependency on MIT Kerberos.
* Fix some error messages
* keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
* Fix doc and comment typos.
* Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
* Add pkg-config support for finding libkeyutils.
* upstream isn't offering PGP signatures for the source tarballs anymore
Updated to 1.5.11 (bsc#1113013)
* Add keyring restriction support.
* Add KDF support to the Diffie-Hellman function.
* DNS: Add support for AFS config files and SRV records
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3899-1
Released: Fri Dec 3 11:27:41 2021
Summary: Security update for aaa_base
Type: security
Severity: moderate
References: 1162581,1174504,1191563,1192248
This update for aaa_base fixes the following issues:
- Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
- Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
- Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
- Support xz compressed kernel (bsc#1162581)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3946-1
Released: Mon Dec 6 14:57:42 2021
Summary: Security update for gmp
Type: security
Severity: moderate
References: 1192717,CVE-2021-43618
This update for gmp fixes the following issues:
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4139-1
Released: Tue Dec 21 17:02:44 2021
Summary: Recommended update for systemd
Type: recommended
Severity: critical
References: 1193481,1193521
This update for systemd fixes the following issues:
- Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481)
sleep-config: partitions can't be deleted, only files can
shared/sleep-config: exclude zram devices from hibernation candidates
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4145-1
Released: Wed Dec 22 05:27:48 2021
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1161276
This update for openssl-1_1 fixes the following issues:
- Remove previously applied patch because it interferes with FIPS validation (bsc#1161276)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4154-1
Released: Wed Dec 22 11:02:38 2021
Summary: Security update for p11-kit
Type: security
Severity: important
References: 1180064,1187993,CVE-2020-29361
This update for p11-kit fixes the following issues:
- CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4182-1
Released: Thu Dec 23 11:51:51 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1192688
This update for zlib fixes the following issues:
- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4192-1
Released: Tue Dec 28 10:39:50 2021
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1174504
This update for permissions fixes the following issues:
- Update to version 20181225:
* drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4-1
Released: Mon Jan 3 08:28:54 2022
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1193480
This update for libgcrypt fixes the following issues:
- Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:93-1
Released: Tue Jan 18 05:11:58 2022
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: important
References: 1192489
This update for openssl-1_1 fixes the following issues:
- Add RSA_get0_pss_params() accessor that is used by nodejs16 and provide openssl-has-RSA_get0_pss_params (bsc#1192489)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:94-1
Released: Tue Jan 18 05:13:24 2022
Summary: Recommended update for rpm
Type: recommended
Severity: important
References: 1180125,1193711
This update for rpm fixes the following issues:
- Add explicit requirement on python-rpm-macros (bsc#1180125, bsc#1193711)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:141-1
Released: Thu Jan 20 13:47:16 2022
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1169614
This update for permissions fixes the following issues:
- Update to version 20181225: setuid bit for cockpit session binary (bsc#1169614).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:154-1
Released: Mon Jan 24 07:02:02 2022
Summary: Recommended update for ceph-csi, csi-external-attacher, csi-external-provisioner, csi-external-resizer, csi-external-snapshotter, csi-node-driver-registrar, rook
Type: recommended
Severity: moderate
References:
This update for ceph-csi, csi-external-attacher, csi-external-provisioner, csi-external-resizer, csi-external-snapshotter, csi-node-driver-registrar, rook fixes the following issues:
- Update to 3.4.0
Features:
Beta:
Below features have been lifted from its Alpha support to Beta
* Snapshot creation and deletion
* Volume restore from snapshot
* Volume clone support
* Volume/PV Metrics of File Mode Volume
* Volume/PV Metrics of Block Mode Volume
Alpha:
* rbd-nbd volume mounter
Enhancement:
* Restore RBD snapshot to a different Pool
* Snapshot schedule support for RBD mirrored PVC
* Mirroring support for thick PVC
* Multi-Tenant support for vault encryption
* AmazonMetadata KMS provider support
* rbd-nbd volume healer support
* Locking enhancement for improving POD deletion performance
* Improvements in lock handling for snap and clone operations
* Better thick provisioning support
* Create CephFS subvolume with VolumeNamePrefix
* CephFS Subvolume path addition in PV object
* Consumption of go-ceph APIs for various CephFS controller and node operations.
* Resize of the RBD encrypted volume
* Better error handling for GRPC
* Golang profiling support for debugging
* Updated Kubernetes sidecar versions to the latest release
* Kubernetes dependency update to v1.21.2
* Create storageclass and secrets using helm charts
CI/E2E
* Expansion of RBD encrypted volumes
* Update and addition of new static golang tools
* Kubernetes v1.21 support
* Unit tests for SecretsKMS
* Test for Vault with ServiceAccount per Tenant
* E2E for user secret based metadata encryption
* Update rook.sh and Ceph cluster version in E2E
* Added RBD test for testing sc, secret via helm
* Update feature gates setting from minikube.sh
* Add CephFS test for sc, secret via helm
* Add e2e for static PVC without imageFeature parameter
* Make use of snapshot v1 API and client sets in e2e tests
* Validate thick-provisioned PVC-PVC cloning
* Adding retry support for various e2e failure scenarios
* Refactor KMS configuration and usage
- Removed patch ceph-csi-locking.patch (got merged upstream)
- Update to v3.3.0
* Feature
* Add command line arguments to configure leader election options (#313, @RaunakShah)
* Adds mappings for PV access modes to new CSI access modes: SINGLE_NODE_SINGLE_WRITER and SINGLE_NODE_MULTI_WRITER. (#308, @chrishenzie)
* Updates Kubernetes dependencies to v1.22.0 (#321, @chrishenzie) [SIG Storage]
* Bug or Regression
* Fix a bug where the controller can panic and crash when it receives a DeletedFinalStateUnknown deletion event. (#304, @Jiawei0227)
* Other (Cleanup or Flake)
* Updates container-storage-interface dependency to v1.5.0 (#312, @chrishenzie)
* Reuse the same gRPC CSI client for all CSI driver calls (#318, @yeya24)
- Update to v3.2.1
- Get rid of vendoring
- Update version of go to 1.16
- Update to v3.0.2
- Update version to 3.0.0
* Feature
* Add command line arguments to configure leader election options (#643, @RaunakShah)
* Adds mappings for PV access modes to new CSI access modes: SINGLE_NODE_SINGLE_WRITER and SINGLE_NODE_MULTI_WRITER. (#630, @chrishenzie)
* The provisioner sidecar now has an argument called controller-publish-readonly which sets the value of CSI PV spec readonly field value based on the PVC access mode. If this flag is set to true and the PVC access mode only contains the ROX access mode, the controller automatically sets PersistentVolume.spec.CSIPersistentVolumeSource.readOnly field to true. (#469, @humblec)
* Updates Kubernetes dependencies to v1.22.0 (#660, @chrishenzie) [SIG Storage]
* Updates container-storage-interface dependency to v1.5.0 (#644, @chrishenzie)
* Bug or Regression
* Fix a bug where block device mode could not be used when storage capacity tracking mode is enabled. (#635, @bells17)
* Fix a data race in cloning protection controller (#651, @tksm)
* Fix capacity information updates when topology changes. Only affected central deployment and network attached storage, not deployment on each node. This broke in v2.2.0 as part of a bug fix for capacity informer handling. (#617, @bai3shuo4)
* Fix env name from POD_NAMESPACE to NAMESPACE for capacity-ownerref-level option. (#636, @bells17)
* Fixed reporting of metrics when a migratable CSI driver is used. (#620, @jsafrane)
* Newly provisioned CSI Migration enabled PV will have 'provisioned-by' annotation set to in-tree provisioner name instead of the CSI provisioner (#646, @wongma7)
- Update version to 2.2.2
- Get rid of vendoring
- Use go 1.16 for building
- Update version to 2.0.4
- Update to version 1.3.0
* Other (Cleanup or Flake)
* Updates Kubernetes dependencies to v1.22.0 (#165, @chrishenzie) [SIG Storage]
* Updates container-storage-interface dependency to v1.5.0 (#156, @chrishenzie)
* Feature
* Adds mappings for PV access modes to new CSI access modes: SINGLE_NODE_SINGLE_WRITER and SINGLE_NODE_MULTI_WRITER. (#151, @chrishenzie)
* leader-election-lease-duration, leader-election-renew-deadline and leader-election-retry-period were added to command line arguments to configure leader election options (#158, @RaunakShah)
- Update to version 1.2.0
- Get rid of vendoring
- Push go version to 1.16
- Update to version 1.0.1
- Update to version 4.2.0
* Feature
* Snapshot APIs
* The namespace of the referenced VolumeSnapshot is printed when printing a VolumeSnapshotContent. (#535, @tsmetana)
* Snapshot Controller
* retry-interval-start and retry-interval-max arguments are added to common-controller which controls retry interval of failed volume snapshot creation and deletion. These values set the ratelimiter for snapshot and content queues. (#530, @humblec)
* Add command line arguments leader-election-lease-duration, leader-election-renew-deadline, and leader-election-retry-period to configure leader election options for the snapshot controller. (#575, @bertinatto)
* Adds an operations_in_flight metric for determining the number of snapshot operations in progress. (#519, @ggriffiths)
* Introduced 'SnapshotCreated' and 'SnapshotReady' events. (#540, @rexagod)
* CSI Snapshotter Sidecar
* retry-interval-start and retry-interval-max arguments are added to csi-snapshotter sidecar which controls retry interval of failed volume snapshot creation and deletion. These values set the ratelimiter for volumesnapshotcontent queue. (#308, @humblec)
* Add command line arguments leader-election-lease-duration, leader-election-renew-deadline, and leader-election-retry-period to configure leader election options for CSI snapshotter sidecar. (#538, @RaunakShah)
* Bug or Regression
* Snapshot Controller
* Add process_start_time_seconds metric (#569, @saikat-royc)
* Adds the leader election health check for the snapshot controller at /healthz/leader-election (#573, @ggriffiths)
* Remove kube-system namespace verification during startup and instead list volumes across all namespaces (#515, @mauriciopoppe)
* Other (Cleanup or Flake)
* Updates Kubernetes dependencies to v1.22.0 (#570, @chrishenzie) [SIG Storage]
* Updates csi-lib-utils dependency to v0.10.0 (#574, @chrishenzie)
* Updates container-storage-interface dependency to v1.5.0 (#532, @chrishenzie)
* Snapshot Validation Webhook
* Changed the webhook image from distroless/base to distroless/static. (#550, @WanzenBug)
- Update to version 4.1.1
- Get rid of vendoring
- Update go-version to 1.16
- Update to version 3.0.2
- Update to version 2.3.0
* Dockerfile.Windows args changed to ADDON_IMAGE and BASE_IMAGE (#146, @mauriciopoppe)
* Updates Kubernetes dependencies to v1.22.0 (#159, @chrishenzie) [SIG Storage]
* Updates csi-lib-utils dependency to v0.10.0 (#160, @chrishenzie)
* New running modes, the kubelet-registration-probe mode checks if node-driver-registrar kubelet plugin registration succeeded. (#152, @mauriciopoppe)
* Updates container-storage-interface dependency to v1.5.0 (#151, @chrishenzie)
- Update to version 2.2.0
* Updated runtime (Go 1.16) and dependencies (#136, @pohly)
* Update image and tag names for Windows to have separate parameters for nanoserver and servercore (#111, @jingxu97)
- Update to v1.7.7
Rook v1.7.7 is a patch release limited in scope and focusing on small feature additions and bug fixes to the Ceph operator.
* docs: Support ephemeral volumes with Ceph CSI RBD and CephFS driver (#9055, @humblec)
* core: Allow downgrade of all daemons consistently (#9098, @travisn)
* core: Reconcile once instead of multiple times after the cluster CR is edited (#9091, @leseb)
* nfs: Add pool setting CR option (#9040, @leseb)
* ceph: Trigger 'CephMonQuorumLost' alert when mon quorum is down (#9068, @aruniiird)
* rgw: Updated livenessProbe and readinessProbe (#9080, @satoru-takeuchi)
* mgr: Do not set the balancer mode on pacific (#9063, @leseb)
* helm: Add appVersion property to the charts (#9051, @travisn)
* rgw: Read tls secret hint for insecure tls (#9020, @leseb)
* ceph: Ability to set labels on the crash collector (#9044, @leseb)
* core: Treat cluster as not existing if the cleanup policy is set (#9041, @travisn)
* docs: Document failover and failback scenarios for applications (#8411, @Yuggupta27)
* ceph: Update endpoint with IP for external RGW server (#9010, @thotz)
- Combined gomod.patch and gosum.patch to vendor.patch
* Patching module-files to match the SUSE build env
- Update to v1.7.6
Rook v1.7.6 is a patch release limited in scope and focusing on small feature additions and bug fixes to the Ceph operator.
* core: only merge stderr on error (#8995, @leseb)
* nfs: remove RADOS options from CephNFS and use .nfs pool (#8501, @josephsawaya)
* csi: fix comment for the provisioner and clusterID (#8990, @Madhu-1)
* mon: Enable mon failover for the arbiter in stretch mode (#8984, @travisn)
* monitoring: fixing the queries for alerts 'CephMgrIsAbsent' and 'CephMgrIsMissingReplicas' (#8985, @aruniiird)
* osd: fix kms auto-detection when full TLS (#8867, @leseb)
* csi: add affinity to csi version check job (#8965, @Rakshith-R)
* pool: remove default value for pool compression (#8966, @leseb)
* monitoring: handle empty ceph_version in ceph_mon_metadata to avoid raising misleading alert (#8947, @GowthamShanmugam)
* osd: print the c-v output when inventory command fails (#8971, @leseb)
* helm: remove chart content not in common.yaml (#8884, @BlaineEXE)
* rgw: replace period update --commit with function (#8911, @BlaineEXE)
* rgw: fixing ClientID of log-collector for RGW instance (#8889, @parth-gr)
* mon: run ceph commands to mon with timeout (#8939, @leseb)
* osd: do not hide errors (#8933, @leseb)
* rgw: use trace logs for RGW admin HTTP info (#8937, @BlaineEXE)
- Update to v1.7.5
Rook v1.7.5 is a patch release limited in scope and focusing on small feature additions and bug fixes to the Ceph operator.
* Update csi sidecar references to the latest versions (#8820, @humblec)
* No longer install the VolumeReplication CRDs from Rook (#8845, @travisn)
* Initialize rbd block pool after creation (#8923, @Rakshith-R)
* Close stdoutPipe for the discovery daemon (#8917, @subhamkrai)
* Add documentation to recover a pod from a lost node (#8742, @subhamkrai)
* Increasing the auto-resolvable alerts delay to 15m (#8896, @aruniiird)
* Change CephAbsentMgr to use 'up' query (#8882, @aruniiird)
* Adding 'namespace' field to the needed ceph queries (#8901, @aruniiird)
* Update period if period does not exist (#8828, @BlaineEXE)
* Do not fail on KMS keys deletion (#8868, @leseb)
* Do not build all the multus args to remote exec cmd (#8860, @leseb)
* Fix external script when passing monitoring list (#8807, @leseb)
* Use insecure TLS for bucket health check (#8712, @leseb)
* Add PVC privileges to the rook-ceph-purge-osd service account (#8833, @ashangit)
* Fix the example of local PVC-based cluster (#8846, @satoru-takeuchi)
* Add signal handling for log collector (#8806, @leseb)
* Prometheus rules format changes (#8774, @aruniiird)
* Add namespace to ceph node down query (#8793, @aruniiird)
- Added gomod.patch and gosum.patch
* Patching module-files to match the SUSE build env
- Update to v1.7.4
Rook v1.7.4 is a patch release limited in scope and focusing on small feature additions and bug fixes to the Ceph operator.
* Add missing error type check to exec (#8751, @BlaineEXE)
* Raise minimum supported version of Ceph-CSI to v3.3.0 (#8803, @humblec)
* Set the Ceph v16.2.6 release as the default version (#8743, @leseb)
* Pass region to newS3agent() (#8766, @thotz)
* Remove unnecessary CephFS provisioner permission (#8739, @Madhu-1)
* Configurable csi provisioner replica count (#8801, @Madhu-1)
* Allow setting the default storageclass for a filesystem in the helm chart (#8771, @kubealex)
* Retry object health check if creation fails (#8708, @BlaineEXE)
* Use the admin socket for the mgr liveness probe (#8721, @jmolmo)
* Correct the CephFS mirroring documentation (#8732, @leseb)
* Reconcile OSD PDBs if allowed disruption is 0 (#8698, @sp98)
* Add peer spec migration to upgrade doc (#8435, @BlaineEXE)
* Fix lvm osd db device check (#8267, @lyind)
* Refactor documentation to simplify for the Ceph provider (#8693, @travisn)
* Emphasize unit tests in the development guide (#8685, @BlaineEXE)
- Update to v1.7.3
Rook Ceph v1.7.3 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Cassandra and NFS have moved to their own repos. All improvements in this repo starting from this release will only be for the Ceph storage provider. (#8619, @BlaineEXE)
* Image list for offline installation can be found in images.txt (#8596, @subhamkrai)
* Add networking.k8s.io/v1 Ingress chart compatibility (#8666, @hall)
* Modify the log info when ok to continue fails (#8675, @subhamkrai)
* Print the output on errors from ceph-volume (#8670, @leseb)
* Add quota and capabilities configuration for CephObjectStore users (#8211, @thotz)
* Fix pool deletion when uninstalling a multus cluster configuration (#8659, @leseb)
* Use node externalIP if no internalIP defined (#8653, @JrCs)
* Fix CephOSDCriticallyFull and CephOSDNearFull monitoring alert queries (#8668, @Muyan0828)
* Fix CephMonQuorumAtRisk monitoring alert query (#8652, @anmolsachan)
* Allow an even number of mons (#8636, @travisn)
* Create a pod disruption budget for the Ceph mgr deployment when two mgrs are requested (#8593, @parth-gr)
* Fix error message in UpdateNodeStatus (#8629, @hiroyaonoe)
* Avoid multiple reconciles of ceph cluster due to the ipv4 default setting (#8638, @leseb)
* Avoid duplicate ownerReferences (#8615, @YZ775)
* Auto grow OSDs size on PVCs based on prometheus metrics (#8078, @parth-gr)
* External cluster configuration script fixed for backward compatibility with python2 (#8623, @aruniiird)
* Fix vault kv secret engine auto-detection (#8618, @leseb)
* Add ClusterID and PoolID mappings between local and peer cluster (#8626, @sp98)
* Set the filesystem status when mirroring is not enabled (#8609, @travisn)
- Update to v1.7.2
Rook v1.7.2 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph
* Merge toleration for osd/prepareOSD pod if specified both places (#8566, @subhamkrai)
* Fix panic when recreating the csidriver object (#8582, @Madhu-1)
* Build with latest golang v1.16.7 (#8540, @BlaineEXE)
* Do not check ok-to-stop when OSDs are in CLBO (#8583, @leseb)
* Convert util.NewSet() to sets.NewString() (#8584, @parth-gr)
* Add support for update() from lib-bucket-provisioner (#8514, @thotz)
* Signal handling with context (#8441, @leseb)
* Make storage device config nullable (#8552, @BlaineEXE)
* Allow K8s version check on prerelease versions (#8561, @subhamkrai)
* Add permissions to rook-ceph-mgr role for osd removal in rook orchestrator (#8568, @josephsawaya)
* Use serviceAccountName as the key in ceph csi templates (#8546, @humblec)
* Consolidate the calls to set mon config (#8590, @travisn)
* NFS
* Upgrade nfs-ganesha to 3.5 version (#8534, @kam1kaze)
- Update to v1.7.1
Rook v1.7.1 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph
* Update Ceph CSI version to v3.4.0 (#8425, @Madhu-1)
* Add ability to specify the CA bundle for RGW (#8492, @degorenko)
* Remove unused mon timeout cli flags (#8489, @leseb)
* Add an option to enable/disable merge all placement (#8381, @subhamkrai)
* Refuse to failover the arbiter mon on stretch clusters (#8520, @travisn)
* Improve topology example of cluster on local pvc (#8491, @satoru-takeuchi)
- Update to v1.7.0
v1.7.0 is a minor release with features primarily for the Ceph operator.
K8s Version Support
Kubernetes supported versions: 1.11 and newer.
Upgrade Guides
If you are running a previous Rook version, please see the corresponding storage provider upgrade guide:
* Ceph
Breaking Changes
Ceph
Clusters with multiple filesystems will need to update their Ceph version to Pacific. The Operator configuration option ROOK_ALLOW_MULTIPLE_FILESYSTEMS has been removed in favor of simply verifying the Ceph version is at least Pacific where multiple filesystems are fully supported.
Features
Ceph
* Official Ceph images are now being published to quay.io. To pick up the latest version of Ceph, the
CephCluster spec field image must be updated to point to quay. See the example cluster.
* Add support for creating Hybrid Storage Pools.
* A hybrid storage pool creates a CRUSH rule for choosing the primary OSD for high performance
devices (ssd, nvme, etc) and the remaining OSD for low performance devices (hdd).
* See the design and Ceph docs for more details.
* Add support for CephFS mirroring peer configuration. See the configuration for more details.
* Add support for Kubernetes TLS secrets for referring TLS certs needed for the Ceph RGW server.
* Stretch clusters are considered stable
* Ceph v16.2.5 or greater is required for stretch clusters
* The use of peer secret names in CephRBDMirror is deprecated. Please use CephBlockPool CR to configure peer secret names and import peers. See the mirroring section in the CephBlockPool spec for more details.
* Add user data protection when deleting Rook-Ceph Custom Resources. See the design for detailed information.
* A CephCluster will not be deleted if there are any other Rook-Ceph Custom resources referencing
it with the assumption that they are using the underlying Ceph cluster.
* A CephObjectStore will not be deleted if there is a bucket present. In addition to protection
from deletion when users have data in the store, this implicitly protects these resources from
being deleted when there is a referencing ObjectBucketClaim present.
Cassandra
* CRDs converted from v1beta1 to v1
* Schema is generated from the internal types for more complete validation
* Minimum K8s version for the v1 CRDs is K8s 1.16
NFS
* CRDs converted from v1beta1 to v1
* Schema is generated from the internal types for more complete validation
* Minimum K8s version for the v1 CRDs is K8s 1.16
- Update to v1.6.10
Rook v1.6.10 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph
* Reconcile OSD PDB if allowed disruptions are 0 (#8698)
* Merge tolerations for the OSDs if specified in both all and osd placement (#8630)
* External cluster script compatibility with python2 (#8623)
* Do not check ok-to-stop when OSDs are in CLBO (#8583)
* Fix panic when recreating the csidriver object (#8582)
- Update to v1.6.9
Rook v1.6.9 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph
* Make storage device config nullable (#8552)
* Build with latest golang v1.16.7 (#8540)
* Refuse to failover the arbiter mon on stretch clusters (#8520)
* Add an option to enable/disable merge all placement (#8381)
* Update ancillary monitoring resources (#8406)
* Updated mon health check goroutine for reconfiguring patch values (#8370)
* Releases for v1.6 are now based on Github actions instead of Jenkins (#8525 #8564)
- Update to v1.6.8
Rook v1.6.8 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph
* Re-enable lvm mode for OSDs on disks. See details to know if your OSDs are affected by unexpected partitions (#8319)
* Update test to watch for v1 cronjob instead of v1beta1 (#8356)
* Update PodDisruptionBudget from v1beta1 to v1 (#7977)
* Add support for tls certs via k8s tls secrets for rgw (#8243)
* Create correct ClusterRoleBinding for helm chart in namespace other than rook-ceph (#8344)
* If two mgrs, ensure services are reconciled with the cluster (#8330)
* Proxy rbd commands when multus is enabled (#8339)
* Proxy ceph command when multus is configured (#8272)
* Ensure OSD keyring exists at OSD pod start (#8155)
* Add an example of a pvc-based ceph cluster on bare metal (#7969)
* Mount /dev for the OSD daemon on lv-backed pvc (#8304)
* Add ceph cluster context for lib bucket provisioning reconcile (#8310)
* Create PDBs for all rgw and cephfs (#8301)
* Always rehydrate the access and secret keys (#8286)
* Fix PDB of RGW instances (#8274)
* Ability to disable pool mirroring (#8215)
* Fetch rgw port from the CephObjectStore the OBC (#8244)
* Enable debug logging for adminops client log level is debug (#8208)
* Update blockPoolChannel before starting the mirror monitoring (#8222)
* Scaling down nfs deployment was failing (#8250)
- removed update-tarball.sh (_service file will be used instead)
- Update to v1.6.7
Rook v1.6.7 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph
* Ignore atari partitions for OSDs when scanning disks.
This is a partial fix for multiple OSDs being created unexpectedly per disk,
causing OSD corruption. See details to know if your OSDs are affected (#8195)
* Update CSIDriver object from betav1 to v1 (#8029)
* Retry cluster reconcile immediately after cancellation (#8237)
* Avoid operator resource over-usage when configuring RGW pools and memory limits are applied (#8238)
* Remove k8s.io/kubernetes as a code dependency (#7913)
* Silence harmless errors if the operator is still initializing (#8227)
* If MDS resource limits are not set, assign mds_cache_memory_limit = resource requests * 0.8 (#8180)
* Do not require rgw instances spec for external clusters (#8219)
* Add tls support to external rgw endpoint (#8092)
* Stop overwriting shared livenessProbe when overridden (#8206)
* Update cluster-on-pvc example for proper OSD scheduling (#8199)
- Update to v1.6.6
Rook v1.6.6 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph
* Update csi sidecar images to latest release (#8125)
* Update csi node-driver-registrar to latest release (#8190)
* Evict a mon if colocated with another mon (#8181)
* Enable logging in legacy LVM OSD daemons (#8175)
* Do not leak key encryption key to the log (#8173)
* Read and validate CSI params in a goroutine (#8140)
* Only require rgw-admin-ops user when an RGW endpoint is provided (#8164)
* Avoid unnecessary OSD restarts when multus is configured (#8142)
* Use cacert if no client cert/key are present for OSD encryption with Vault (#8157)
* Mons in stretch cluster should be assigned to a node when using dataDirHostPath (#8147)
* Support cronjob v1 for newer versions of K8s to avoid deprecated v1beta1 (#8114)
* Initialise httpclient for bucketchecker and objectstoreuse (#8139)
* Activate osd container should use correct host path for config (#8137)
* Set device class for already present osd deployments (#8134)
* No need for --force when creating filesystem (#8130)
* Expose enableCSIHostNetwork correctly in the helm chart (#8074)
* Add RBAC for mgr to create service monitor (#8118)
* Update operator internal controller runtime and k8s reference version (#8087)
- Update to v1.6.5
Rook v1.6.5 is a patch release limited in scope and focusing on small feature additions and bug fixes.
We are happy to announce the availability of a Helm chart to configure the CephCluster CR.
Please try it out and share feedback! We would like to declare it stable in v1.7.
* Ceph
* Experimental Helm chart for CephClusters (#7778)
* Disable insecure global id if no insecure clients are detected. If insecure clients are still required, see these instructions. (#7746)
* Enable host networking by default in the CSI driver due to issues with client IO hangs when the driver restarts (#8102)
* Add a disaster recovery guide for an accidentally deleted CephCluster CR (#8040)
* Do not fail prepareOSD job if devices are not passed (#8098)
* Ensure MDS and RGW are upgraded anytime the ceph image changes (#8060)
* External cluster config enables v1 address type when enabling v2 (#8083)
* Create object pools in parallel for faster object store reconcile (#8082)
* Fix detection of delete event reconciliation (#8086)
* Use RGW admin API for s3 user management (#7998)
- Update to v1.6.4
Rook v1.6.4 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph
* Support for separate tolerations and affinities for rbd and cephfs CSI drivers (#8006)
* Update ceph version to 15.2.13 (#8004)
* External cluster upgrades fix for CRD schema (#8042)
* Build with golang 1.16 instead of 1.15 (#7945)
* Retry starting CSI drivers on initial failure (#8020)
* During uninstall stop monitoring rbd mirroring before cleanup (#8031)
* Update the backend path for RGW transit engine (#8008)
* If reducing mon count only remove one extra mon per health check (#8011)
* Parse radosgw-admin json properly for internal commands (#8000)
* Expand OSD PVCs only if the underlying storage class allow expansion (#8001)
* Allow the operator log level to be changed dynamically (#7976)
* Pin experimental volume replication to release-v0.1 branch (#7985)
* Remove '--site-name' arg when creating bootstrap peer token (#7986)
* Do not configure external metric endpoint if not present (#7974)
* Helm chart to allow multiple filesystems (#7930)
* Rehydrate the bootstrap peer token secret on monitor changes (#7935)
- Update to v1.6.3
Rook v1.6.3 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph
* Ensure correct devices are started for OSDs after node restart (#7951)
* Write reconcile results to events on the CephCluster CR (#7222)
* Updated dashboard ingress example for networking v1 (#7933)
* Remove obsolete gateway type setting in object store CRD (#7919)
* Support specifying only public network or only cluster network or both (#7546)
* Generate same operator deployment for OKD as OCP (#7898)
* Ensure correct hostpath lock for OSD integrity (#7886)
* Improve resilience of mon failover if operator is restarted during failover (#7884)
* Disallow overriding the liveness probe handler function (#7889)
* Actively update the service endpoint for external mgr (#7875)
* Remove obsolete CSI statefulset template path vars from K8s 1.13 (#7877)
* Create crash collector pods after mon secret created (#7867)
* OSD controller only updates PDBs during node drains instead of any OSD down event (#7726)
* Allow heap dump generation when logCollector sidecar is not running (#7847)
* Add nullable to object gateway settings (#7857)
- Update to v1.6.2
Rook v1.6.2 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph
* Set base Ceph operator image and example deployments to v16.2.2 (#7829)
* Update snapshot APIs from v1beta1 to v1 (#7711)
* Documentation for creating static PVs (#7782)
* Allow setting primary-affinity for the OSD (#7807)
* Remove unneeded debug log statements (#7526)
* Preserve volume claim template annotations during upgrade (#7835)
* Allow re-creating erasure coded pool with different settings (#7820)
* Double mon failover timeout during a node drain (#7801)
* Remove unused volumesource schema from CephCluster CRD (#7813)
* Set the device class on raw mode osds (#7815)
* External cluster schema fix to allow not setting mons (#7789)
* Add phase to the CephFilesystem CRD (#7752)
* Generate full schema for volumeClaimTemplates in the CephCluster CRD (#7631)
* Automate upgrades for the MDS daemon to properly scale down and scale up (#7445)
* Add Vault KMS support for object stores (#7385)
* Ensure object store endpoint is initialized when creating an object user (#7633)
* Support for OBC operations when RGW is configured with TLS (#7764)
* Preserve the OSD topology affinity during upgrade for clusters on PVCs (#7759)
* Unify timeouts for various Ceph commands (#7719)
* Allow setting annotations on RGW service (#7598)
* Expand PVC size of mon daemons if requested (#7715)
- Update to v1.6.1
Rook v1.6.1 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph
* Disable host networking by default in the CSI plugin with option to enable (#7356)
* Fix the schema for erasure-coded pools so replication size is not required (#7662)
* Improve node watcher for adding new OSDs (#7568)
* Operator base image updated to v16.2.1 (#7713)
* Deployment examples updated to Ceph v15.2.11 (#7733)
* Update Ceph-CSI to v3.3.1 (#7724)
* Allow any device class for the OSDs in a pool instead of restricting the schema (#7718)
* Fix metadata OSDs for Ceph Pacific (#7703)
* Allow setting the initial CRUSH weight for an OSD (#7472)
* Fix object store health check in case SSL is enabled (#7331)
* Upgrades now ensure latest config flags are set for MDS and RGW (#7681)
* Suppress noisy RGW log entry for radosgw-admin commands (#7663)
- Update to v1.6.0
* Major Themes
v1.6.0 is a minor release with features primarily for the Ceph operator.
* K8s Version Support
Kubernetes supported versions: 1.11 and newer
* Upgrade Guides
If you are running a previous Rook version, please see the corresponding storage provider upgrade guide:
* Ceph
* Breaking Changes
* Removed Storage Providers
Each storage provider is unique and requires time and attention to properly develop and support.
After much discussion with the community, we have decided to remove three storage providers from
Rook in order to focus our efforts on storage providers that have active community support.
See the project status for more information. These storage providers have been removed:
* CockroachDB
* EdgeFS
* YugabyteDB
* Ceph
Support for creating OSDs via Drive Groups was removed. Please refer to the Ceph upgrade guide for migration instructions.
* Features
* Ceph
Ceph Pacific (v16) support, including features such as:
Multiple Ceph Filesystems
Networking dual stack
CephFilesystemMirror CRD to support mirroring of CephFS volumes with Pacific
Ceph CSI Driver
CSI v3.3.0 driver enabled by default
Volume Replication Controller for improved RBD replication support
Multus support
GRPC metrics disabled by default
Ceph RGW
Extended the support of vault KMS configuration
Scale with multiple daemons with a single deployment instead of a separate deployment for each rgw daemon
OSDs:
LVM is no longer used to provision OSDs as of Nautilus 14.2.14, Octopus 15.2.9, and Pacific 16.2.0, simplifying the OSDs on raw devices, except for encrypted OSDs and multiple OSDs per device.
More efficient updates for multiple OSDs at the same time (in the same failure domain) to speed up upgrades for larger Ceph clusters
Multiple Ceph mgr daemons are supported for stretch clusters and other clusters where HA of the mgr is critical (set count: 2 under mgr in the CephCluster CR)
Pod Disruption Budgets (PDBs) are enabled by default for Mon, RGW, MDS, and OSD daemons. See the disruption management settings.
Monitor failover can be disabled, for scenarios where maintenance is planned and automatic mon failover is not desired
CephClient CRD has been converted to use the controller-runtime library
The following package changes have been done:
- aaa_base-84.87+git20180409.04c9dae-3.52.1 updated
- cpio-2.12-3.9.1 updated
- cracklib-dict-small-2.9.7-11.6.1 updated
- cracklib-2.9.7-11.6.1 updated
- csi-node-driver-registrar-2.3.0-3.9.2 updated
- file-magic-5.32-7.14.1 updated
- glibc-2.26-13.62.1 updated
- krb5-1.16.3-3.24.1 updated
- libaugeas0-1.10.1-3.3.1 updated
- libblkid1-2.33.2-4.16.1 updated
- libcrack2-2.9.7-11.6.1 updated
- libcurl4-7.66.0-4.27.1 updated
- libfdisk1-2.33.2-4.16.1 updated
- libgcc_s1-11.2.1+git610-1.3.9 updated
- libgcrypt20-hmac-1.8.2-8.42.1 added
- libgcrypt20-1.8.2-8.42.1 updated
- libgmp10-6.1.2-4.9.1 updated
- libgnutls30-hmac-3.6.7-14.13.5 added
- libkeyutils1-1.6.3-5.6.1 updated
- libldap-2_4-2-2.4.46-9.58.1 updated
- libldap-data-2.4.46-9.58.1 updated
- libmagic1-5.32-7.14.1 updated
- libmount1-2.33.2-4.16.1 updated
- libncurses6-6.1-5.9.1 updated
- libopenssl1_1-hmac-1.1.1d-11.38.1 added
- libopenssl1_1-1.1.1d-11.38.1 updated
- libp11-kit0-0.23.2-4.13.1 updated
- libpcre1-8.45-20.10.1 updated
- libprotobuf-lite20-3.9.2-4.9.1 added
- libsmartcols1-2.33.2-4.16.1 updated
- libsolv-tools-0.7.20-9.2 updated
- libstdc++6-11.2.1+git610-1.3.9 updated
- libsystemd0-234-24.102.1 updated
- libudev1-234-24.102.1 updated
- libuuid1-2.33.2-4.16.1 updated
- libz1-1.2.11-3.24.1 updated
- libzypp-17.28.8-20.1 updated
- ncurses-utils-6.1-5.9.1 updated
- netcfg-11.6-3.3.1 updated
- pam-1.3.0-6.50.1 updated
- patterns-base-fips-20200124-4.12.1 added
- permissions-20181225-23.12.1 updated
- rpm-4.14.1-22.7.1 updated
- terminfo-base-6.1-5.9.1 updated
- util-linux-2.33.2-4.16.1 updated
- zypper-1.14.50-21.1 updated
- container:sles15-image-15.0.0-9.5.77 updated