v1.3.0-alpha.1
Pre-release
This is an alpha feature release towards OpenShift Origin 1.3.0.
Backwards Compatibility
- Origin now must be compiled on Go 1.6 or newer. Support for building and testing against Go 1.4 has been removed.
- The v1beta3 API is no longer supported. Any cluster that is using v1beta3 resources should immediately upgrade them, as all support will be dropped for 1.3.0.
API Changes
- Support watch on projects #8755
Component updates
- Updated to Kubernetes 1.3.0-alpha.1-331 with patch set Origin stable-20160411
- Updated to etcd v2.3.0
Features
v1.3.0-alpha.1 (2016-05-24)
Spin up local clusters easily with oc cluster up
This new command makes it easy to launch a new cluster inside of a Docker container. The command will use your existing Docker connection by default to launch the container, ensuring all the preconditions for a simple all-in-one server are in place before starting the server. It will then install the router, registry, default image streams, and standard templates before creating a user account for you.
$ oc cluster up
-- Checking Docker client ... OK
-- Checking for existing OpenShift container ... OK
-- Checking for openshift/origin:3c2e3b2 image ... OK
-- Checking Docker daemon configuration ... OK
-- Checking for available ports ... OK
-- Checking type of volume mount ...
Using nsenter mounter for OpenShift volumes
-- Checking Docker version ... OK
-- Creating volume share ... OK
-- Finding server IP ...
Using 172.18.0.96 as the server IP
-- Starting OpenShift container ...
Creating initial OpenShift configuration
Starting OpenShift using container 'origin'
Waiting for API server to start listening
OpenShift server started
-- Installing registry ... OK
-- Installing router ... OK
-- Importing image streams ... OK
-- Importing templates ... OK
-- Login to server ... OK
-- Creating initial project "myproject" ... OK
-- Server Information ...
OpenShift server started.
The server is accessible via web console at:
https://172.18.0.96:8443
You are logged in as:
User: developer
Password: developer
To login as administrator:
oc login -u system:admin
$ oc status
You can use the --version=v1.2.0 flag to select an alternate image to use.
Jenkins Pipeline integration
A core goal of any application platform must be to help developers manage change in their applications (after all, if it's not changing there probably aren't any developers). As part of OpenShift Origin 1.3 we are deeply integrating Jenkins as a Service to bring developers an out of the box, easy to consume CI and CD pipeline.
The first pieces of this integration have been delivered via integration with OpenShift builds. When you start a Jenkinsfile build type (which is new), a Jenkins instance will be spun up in your project that will execute the build using the Jenkins 2.0 pipeline and Jenkinsfile checked into your Git repo.
$ oc cluster up
$ oc new-project pipelineproject
$ oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/jenkinstemplate.json
You should see your Jenkins instance spun up in the web console, and then be able to jump into the web console via the router. At this point you'll need to perform some manual steps to enable things in Jenkins - see https://github.com/openshift/origin/blob/master/examples/jenkins/pipeline/README.md for more.
There is a ton of exciting work with CI/CD in the works - stay tuned!
Automatically sync local changes to the server with oc rsync --watch #8268
oc rsync now supports a --watch flag which will cause it to continuously monitor the local filesystem and sync changes to the pod as they occur. This makes it easy to work from an editor or IDE and have those changes show up live in your pods.
Build run policy - serial, parallel, or latest-only #8453
The build run policy describes the order in which the builds created from a build configuration should run. There are several out of the box policies:
- Serial - runs each build in the order they were created (the new default)
- Parallel - start builds as soon as they are created (was the previous default)
- SerialLatestOnly - if multiple builds have been created when the last build completes, only build the latest and mark the older ones as skipped
You can change the build policy via the spec.runPolicy field on build configurations.
Improving custom deployments #8787
Custom deployments can now reuse the existing build logic but install custom hooks in any image you want. See this mailing list post for more details.
In addition, the output of deployments has been greatly streamlined:
$ oc logs dc/custom
--> pre: Running hook pod ...
my hook pod ran
--> pre: Success
--> Scaling deployment-2 from 0 to 5
Scaling deployment-2 up to 3
Scaling deployment-1 down to 2
--> Scaling deployment-2 from 3 to 5
Scaling deployment-2 up to 5
Scaling deployment-1 down to 0
--> Success
Importing docker-compose.yaml files (Experimental)
This release includes an experimental command oc import docker-compose that can convert a docker-compose.yaml file into the Kubernetes and OpenShift equivalent, setting up your build pipelines on the cluster as well as all of the deployment artifacts. It can even identify when containers should be colocated into pods so you can leverage local disk and local network.
$ git clone https://github.com/docker-library/docs.git
$ oc import docker-compose -f wordpress/docker-compose.yml
OpenShift will warn you if any machine specific or Docker specific concepts that don't translate well to a containerized cluster are being used.
Note that many compose files may assume they can run as root - if you are trying out a new compose application on OpenShift you may want to grant access to run as root to get things working:
$ oadm policy add-scc-to-user anyuid -z default
Please experiment with this feature and open issues if things don't work quite right - we want to make it as easy as possible to bring your containerized applications to OpenShift!
Squashed docker builds (Experimental)
Dockerfiles create an image layer for each instruction. However, these extra layers take time to commit and are often not useful when deploying applications in production. This release of OpenShift adds a new oc ex dockerbuild command that processes a Dockerfile like the docker build command, but skips committing layers in between each instruction in the Dockerfile. This can lead to significant speed ups in build times and smaller image sizes.
$ oc ex dockerbuild . myimage:latest
This feature is experimental while we ensure it has compatibility with dockerbuild. In future releases it will be possible to launch Docker builds on OpenShift that use this feature to squash the built output by default.
To see it in action, check out the OpenShift Origin images on the hub:
$ docker history openshift/origin:v1.3.0-alpha.1
IMAGE CREATED CREATED BY SIZE COMMENT
de3ae06bc719 47 minutes ago sleep 86400 138.1 MB
8cf7dbcd9db7 7 hours ago /bin/sh -c #(nop) LABEL io.k8s.display-name=O 0 B
39788598877c 7 hours ago /bin/sh -c INSTALL_PKGS="which git tar wget h 78.58 MB
ec3ffe3554ef 7 hours ago /bin/sh -c yum update -y nss openssl-libs && 1.671 MB
60d7ec21aa96 8 days ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0 B
f0e1cf3be051 8 days ago /bin/sh -c #(nop) LABEL name=CentOS Base Imag 0 B
ebe253abc97d 8 days ago /bin/sh -c #(nop) ADD file:deb8ef25b4d805246a 196.7 MB
1544084fad81 8 months ago /bin/sh -c #(nop) MAINTAINER The CentOS Proje 0 B
Security
Scoped Access Tokens #8393
Allows the creation of a token that identifies as the user, but only allows a subset of the user's permissions. Scopes are restrictive, so a viewer who makes a scoped token with edit rules still only has view rights. A common use for scoped tokens is to give a third party (like a build system) the ability to act on your behalf via the API, but to limit what they can actually do.
Scopes include (but are not limited to):
- user:info - gives information about who I am
- user:check-access - see what I can do
- role:edit:my-ns (token has the edit role in the my-ns namespace)
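A minimal model of the restriction described above, as an added example rather than OpenShift's own code: a request passes only if both the user's role and one of the token's scopes permit it. The role tables, the Allowed function and the handling of only role:<role>:<namespace> scopes are simplifying assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for role rules (assumption: real roles are policy
// rules over resources, not flat verb lists).
var roleVerbs = map[string][]string{
	"view": {"get", "list", "watch"},
	"edit": {"get", "list", "watch", "create", "update", "delete"},
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// scopeAllows handles only role:<role>:<namespace> scopes; user:info and
// user:check-access grant nothing on namespaced resources in this model.
func scopeAllows(scope, verb, ns string) bool {
	p := strings.Split(scope, ":")
	return len(p) == 3 && p[0] == "role" && p[2] == ns && contains(roleVerbs[p[1]], verb)
}

// Allowed requires BOTH the user's own role in ns and, for a scoped token,
// at least one scope to permit the verb. Scopes can only narrow access.
func Allowed(userRoles map[string]string, scopes []string, verb, ns string) bool {
	if !contains(roleVerbs[userRoles[ns]], verb) {
		return false
	}
	if len(scopes) == 0 {
		return true // unscoped token carries the user's full permissions
	}
	for _, s := range scopes {
		if scopeAllows(s, verb, ns) {
			return true
		}
	}
	return false
}

func main() {
	viewer := map[string]string{"my-ns": "view"} // constructed sample user
	fmt.Println(Allowed(viewer, []string{"role:edit:my-ns"}, "create", "my-ns")) // false
}
```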
Impersonation #8672, #8824
Allows a user with the "impersonate" permission on a particular user or serviceaccount to make a request "as" that other person. A sudoer role was added to allow a user to impersonate "system:admin" so they don't have to have cluster-admin rights all the time.
Delete a project as the cluster admin
$ oc delete project/foo --as system:admin
Retrieve pods for the current project as the default service account
$ oc get pods --as system:serviceaccount:my-ns:default
Allowing Service Accounts to act as OAuth clients #8878
Some containers in a cluster may want to provide services for end users or other containers. Our standard solution for that is OAuth, but it's often difficult to make an OAuth client as a regular user. This feature enables all service accounts to act as OAuth clients, where the secret of the client is the same as the service account token. When a service account tries to request tokens, those tokens will be scoped to the service account namespace.
Add a simple audit record #8815
OpenShift will now log audit information about requests made to the API server to the default logger when the config flag auditConfig.enabled is set to true. This includes the user, their action, and whether it succeeded or not.
Other security changes
- Improve provider selection page #8286
- add system:image-auditor #8455
- add oc create policybinding #8428
- add what-can-i-do endpoint #8675
- Add create helpers for users, identities, and mappings from the CLI #8715
- Add grant_type=password support to GitLab/OpenID identity providers #8732
- do not force drop KILL cap on anyuid SCC #8621
- Default role reconciliation to additive-only #8603
- Add reconcile protection for roles #8774
- allow project request limits on system users and service accounts #8766
- Separate build strategy permissions into distinct roles #8528
Other improvements
- Allow a user to pass --as-user or --as-root=false to oc debug to control who to run as #8929
- Specify an istag to oc debug to create a new pod from an image #8742
- Add oc set volume support for configmaps #8720
- Add oc create deploymentconfig #8712
- Add the service load balancer controller so that cloud providers can create services of type LoadBalancer #8633
- Enable webhooks with multiple sources #8580
- Allow oc new-app params to contain template replacements to make creating templates easier #8535
- Improve oc cancel-build command #8509
- Add option to reverse buildchains #8460
- Allow parameters on generic webhook build trigger call #8477
- Add labels and annotations from buildrequest to resulting build #8405
- oc describe build output improvements #8293
- oc rsh now supports specifying deploymentconfig or replicationcontroller to make it easier to get into a pod #8279
Bugs
Lots of improvements to how deployments are processed, cutting latency and reducing spurious warnings and messages:
- Fix timing issue scaling deployments #8763
- Make the trigger controllers cooperate instead of race #8746
- Prevent deployer pod creation conflicts #8588
- deployment controller: cancel deployers on new cancelled deployments #8418
- deployer controller: ensure phase direction #8417
- Bug 1338679: emit events on failure to create a deployer pod #8978
- Ensure that deployments trigger from the latest image change trigger value when the first deployment runs #8892
- Bug 1329138: stop emitting events on update conflicts #8652
- Prevent concurrent deployer pod creation #8478
Other fixes:
- Prevent a panic when proxying the Kubernetes API (when running on top of Kubernetes) #8896
- Prevent concurrent modification to router config that may not include all routes #8893
- Remove gaps from build chart for deleted builds #8804
- Remove the old deployments resource from roles #8783
- PLEG: reinspect pods that failed prior inspections #8778
- Show newlines and links in template descriptions in the web console #8769
- Disable UI scaling for in progress deployment #8761
- Clarify 'oc delete' help info, add 'oc delete all -l app=appName' example #8757
- Increase default web console log line limit to 5000 #8697
- Block s2i from doing ONBUILD operations #8679
- Handle null items array from bad api responses #8662
- Add openshift.io/deployer-pod.type label #8632
- HAProxy Cookie ID should not provide info about the underlying software #8615
- Improve parsing of semantic version for git tag #8608
- Remove deprecated --nodes flag #8598
- All image references should be using full semantic version #8592
- Add default resource requests to router creation #8495
- Support path routes with port number in Host header #8490
- Enforce overview scaling rules for deployments without a service #8476
- Enable recursive resolution of DNS to be consistent with upstream Kubernetes and support MUSL based images #8474
- Read insecure annotation on an image stream when import-image is invoked #8456
- Remove prompts from commented examples #8454
- Improve wording in sample-app README #8445
- Add ability to specify allowed CNs for RequestHeader proxy client cert #8443
- Add flag to disable dynamic provisioning #8426
- UPSTREAM: 23894: OOM errors when processes exit rapidly #8412
- UPSTREAM: 23793: Make ConfigMap volume readable as non-root #8411
- git server: add documentation and enable build start on push #8394
- UPSTREAM: 23746: A pod never terminated if a container image registry was unavailable #8378
- Display a relevant error message when hostname is missing #8369
- Add basic validation for route TLS configuration - checks that input is "syntactically" valid. #8366
- Set service account correctly in oadm registry, deprecate --credentials #8296
- builds: use proxy specified in source strategy environment for s2i script download #8265
- networking: Add a mutex to registry.podsByIP
- networking: Handle race conditions in the host IP allocator
- networking: Ignore malformed IP in Node object
- networking: Simplify ID management and prevent leaks
Release SHA256 Checksums