From 9814ecd066f0c8e42d1f9f93582e8f0af59feacd Mon Sep 17 00:00:00 2001 From: libander Date: Thu, 16 Jun 2022 12:14:24 -0500 Subject: [PATCH] RHDEVDOCS-4109 - w kalexander-rh feedback v3 --- logging/cluster-logging-release-notes.adoc | 692 ++++++++++++++++++++- 1 file changed, 674 insertions(+), 18 deletions(-) diff --git a/logging/cluster-logging-release-notes.adoc b/logging/cluster-logging-release-notes.adoc index fffd7d2f3123..89df604d909a 100644 --- a/logging/cluster-logging-release-notes.adoc +++ b/logging/cluster-logging-release-notes.adoc @@ -11,29 +11,362 @@ toc::[] .Logging Compatibility The {logging-title} is provided as an installable component, with a distinct release cycle from the core {product-title}. The link:https://access.redhat.com/support/policy/updates/openshift#logging[Red Hat OpenShift Container Platform Life Cycle Policy] outlines release compatibility. -include::modules/cluster-logging-release-notes-5.4.z.adoc[leveloffset=+0] +[id="cluster-logging-release-notes-5-4-1"] +== Logging 5.4.1 +This release includes https://access.redhat.com/errata/RHSA-2022:2216[RHSA-2022:2216-OpenShift Logging Bug Fix Release 5.4.1]. -include::modules/cluster-logging-release-notes-5.4.0.adoc[leveloffset=+0] +[id="openshift-logging-5-4-1-bug-fixes"] +=== Bug fixes +* Before this update, the log file metric exporter only reported logs created while the exporter was running, which resulted in inaccurate log growth data. This update resolves this issue by monitoring `/var/log/pods`. (https://issues.redhat.com/browse/LOG-2442[LOG-2442]) + +* Before this update, the collector would be blocked because it continually tried to use a stale connection when forwarding logs to fluentd forward receivers. With this release, the `keepalive_timeout` value has been set to 30 seconds (`30s`) so that the collector recycles the connection and re-attempts to send failed messages within a reasonable amount of time. (https://issues.redhat.com/browse/LOG-2534[LOG-2534]) + +* Before this update, an error in the gateway component enforcing tenancy for reading logs limited access to logs with a Kubernetes namespace causing "audit" and some "infrastructure" logs to be unreadable. With this update, the proxy correctly detects users with admin access and allows access to logs without a namespace. (https://issues.redhat.com/browse/LOG-2448[LOG-2448]) + +* Before this update, the `system:serviceaccount:openshift-monitoring:prometheus-k8s` service account had cluster level privileges as a `clusterrole` and `clusterrolebinding`. This update restricts the service account` to the `openshift-logging` namespace with a role and rolebinding. (https://issues.redhat.com/browse/LOG-2437[LOG-2437]) + +* Before this update, Linux audit log time parsing relied on an ordinal position of a key/value pair. This update changes the parsing to use a regular expression to find the time entry. (https://issues.redhat.com/browse/LOG-2321[LOG-2321]) + + +[id="openshift-logging-5-4-1-CVEs"] +=== CVEs +.Click to expand CVEs +[%collapsible] +==== +* https://access.redhat.com/security/cve/CVE-2018-25032[CVE-2018-25032] +* https://access.redhat.com/security/cve/CVE-2021-4028[CVE-2021-4028] +* https://access.redhat.com/security/cve/CVE-2021-37136[CVE-2021-37136] +* https://access.redhat.com/security/cve/CVE-2021-37137[CVE-2021-37137] +* https://access.redhat.com/security/cve/CVE-2021-43797[CVE-2021-43797] +* https://access.redhat.com/security/cve/CVE-2022-0778[CVE-2022-0778] +* https://access.redhat.com/security/cve/CVE-2022-1154[CVE-2022-1154] +* https://access.redhat.com/security/cve/CVE-2022-1271[CVE-2022-1271] +* https://access.redhat.com/security/cve/CVE-2022-21426[CVE-2022-21426] +* https://access.redhat.com/security/cve/CVE-2022-21434[CVE-2022-21434] +* https://access.redhat.com/security/cve/CVE-2022-21443[CVE-2022-21443] +* https://access.redhat.com/security/cve/CVE-2022-21476[CVE-2022-21476] +* https://access.redhat.com/security/cve/CVE-2022-21496[CVE-2022-21496] +* https://access.redhat.com/security/cve/CVE-2022-21698[CVE-2022-21698] +* https://access.redhat.com/security/cve/CVE-2022-25636[CVE-2022-25636] +==== + + +[id="cluster-logging-release-notes-5-4-0"] +== Logging 5.4 +The following advisories are available for logging 5.4: +link:https://access.redhat.com/errata/RHSA-2022:1461[{logging-title-uc} Release 5.4] + +[id="openshift-logging-5-4-0-tech-prev"] +=== Technology Previews + +include::modules/cluster-logging-vector-tech-preview.adoc[leveloffset=+2] +include::modules/cluster-logging-loki-tech-preview.adoc[leveloffset=+2] + +[id="openshift-logging-5-4-0-bug-fixes"] +=== Bug fixes + +* Before this update, the `cluster-logging-operator` used cluster scoped roles and bindings to establish permissions for the Prometheus service account to scrape metrics. These permissions were created when deploying the Operator using the console interface but were missing when deploying from the command line. This update fixes the issue by making the roles and bindings namespace-scoped. (link:https://issues.redhat.com/browse/LOG-2286[LOG-2286]) + +* Before this update, a prior change to fix dashboard reconciliation introduced a `ownerReferences` field to the resource across namespaces. As a result, both the config map and dashboard were not created in the namespace. With this update, the removal of the `ownerReferences` field resolves the issue, and the OpenShift Logging dashboard is available in the console. (link:https://issues.redhat.com/browse/LOG-2163[LOG-2163]) + +* Before this update, changes to the metrics dashboards did not deploy because the `cluster-logging-operator` did not correctly compare existing and modified config maps that contain the dashboard. With this update, the addition of a unique hash value to object labels resolves the issue. (link:https://issues.redhat.com/browse/LOG-2071[LOG-2071]) + +* Before this update, the OpenShift Logging dashboard did not correctly display the pods and namespaces in the table, which displays the top producing containers collected over the last 24 hours. With this update, the pods and namespaces are displayed correctly. (link:https://issues.redhat.com/browse/LOG-2069[LOG-2069]) + +* Before this update, when the `ClusterLogForwarder` was set up with `Elasticsearch OutputDefault` and Elasticsearch outputs did not have structured keys, the generated configuration contained the incorrect values for authentication. This update corrects the secret and certificates used. (link:https://issues.redhat.com/browse/LOG-2056[LOG-2056]) + +* Before this update, the OpenShift Logging dashboard displayed an empty CPU graph because of a reference to an invalid metric. With this update, the correct data point has been selected, resolving the issue. (link:https://issues.redhat.com/browse/LOG-2026[LOG-2026]) + +* Before this update, the Fluentd container image included builder tools that were unnecessary at run time. This update removes those tools from the image.(link:https://issues.redhat.com/browse/LOG-1927[LOG-1927]) + +* Before this update, a name change of the deployed collector in the 5.3 release caused the logging collector to generate the `FluentdNodeDown` alert. This update resolves the issue by fixing the job name for the Prometheus alert. (link:https://issues.redhat.com/browse/LOG-1918[LOG-1918]) + +* Before this update, the log collector was collecting its own logs due to a refactoring of the component name change. This lead to a potential feedback loop of the collector processing its own log that might result in memory and log message size issues. This update resolves the issue by excluding the collector logs from the collection. (link:https://issues.redhat.com/browse/LOG-1774[LOG-1774]) + +* Before this update, Elasticsearch generated the error `Unable to create PersistentVolumeClaim due to forbidden: exceeded quota: infra-storage-quota.` if the PVC already existed. With this update, Elasticsearch checks for existing PVCs, resolving the issue. (link:https://issues.redhat.com/browse/LOG-2131[LOG-2131]) + +* Before this update, Elasticsearch was unable to return to the ready state when the `elasticsearch-signing` secret was removed. With this update, Elasticsearch is able to go back to the ready state after that secret is removed. (link:https://issues.redhat.com/browse/LOG-2171[LOG-2171]) + +* Before this update, the change of the path from which the collector reads container logs caused the collector to forward some records to the wrong indices. With this update, the collector now uses the correct configuration to resolve the issue. (link:https://issues.redhat.com/browse/LOG-2160[LOG-2160]) + +* Before this update, clusters with a large number of namespaces caused Elasticsearch to stop serving requests because the list of namespaces reached the maximum header size limit. With this update, headers only include a list of namespace names, resolving the issue. (link:https://issues.redhat.com/browse/LOG-1899[LOG-1899]) + +* Before this update, the *{product-title} Logging* dashboard showed the number of shards 'x' times larger than the actual value when Elasticsearch had 'x' nodes. This issue occurred because it was printing all primary shards for each Elasticsearch pod and calculating a sum on it, although the output was always for the whole Elasticsearch cluster. With this update, the number of shards is now correctly calculated. (link:https://issues.redhat.com/browse/LOG-2156[LOG-2156]) + +* Before this update, the secrets `kibana` and `kibana-proxy` were not recreated if they were deleted manually. With this update, the `elasticsearch-operator` will watch the resources and automatically recreate them if deleted. (link:https://issues.redhat.com/browse/LOG-2250[LOG-2250]) + +* Before this update, tuning the buffer chunk size could cause the collector to generate a warning about the chunk size exceeding the byte limit for the event stream. With this update, you can also tune the read line limit, resolving the issue. (link:https://issues.redhat.com/browse/LOG-2379[LOG-2379]) + +* Before this update, the logging console link in OpenShift web console was not removed with the ClusterLogging CR. With this update, deleting the CR or uninstalling the Cluster Logging Operator removes the link. (link:https://issues.redhat.com/browse/LOG-2373[LOG-2373]) + +* Before this update, a change to the container logs path caused the collection metric to always be zero with older releases configured with the original path. With this update, the plug-in which exposes metrics about collected logs supports reading from either path to resolve the issue. (link:https://issues.redhat.com/browse/LOG-2462[LOG-2462]) + +=== CVEs +[id="openshift-logging-5-4-0-CVEs"] +* link:https://access.redhat.com/security/cve/CVE-2022-0759[CVE-2022-0759] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=2058404[BZ-2058404] +* link:https://access.redhat.com/security/cve/CVE-2022-21698[CVE-2022-21698] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=2045880[BZ-2045880] + +//Z-stream Release Notes by Version +[id="cluster-logging-release-notes-5-3-7"] +== OpenShift Logging 5.3.7 +This release includes link:https://access.redhat.com/errata/RHSA-2022:2217[RHSA-2022:2217 OpenShift Logging Bug Fix Release 5.3.7] + +[id="openshift-logging-5-3-7-bug-fixes"] +=== Bug fixes +* Before this update, Linux audit log time parsing relied on an ordinal position of key/value pair. This update changes the parsing to utilize a regex to find the time entry. (https://issues.redhat.com/browse/LOG-2322[LOG-2322]) + +* Before this update, some log forwarder outputs could re-order logs with the same time-stamp. With this update, a sequence number has been added to the log record to order entries that have matching timestamps. (https://issues.redhat.com/browse/LOG-2334[LOG-2334]) + +* Before this update, clusters with a large number of namespaces caused Elasticsearch to stop serving requests because the list of namespaces reached the maximum header size limit. With this update, headers only include a list of namespace names, resolving the issue. (https://issues.redhat.com/browse/LOG-2450[LOG-2450]) + +* Before this update, `system:serviceaccount:openshift-monitoring:prometheus-k8s` had cluster level privileges as a `clusterrole` and `clusterrolebinding`. This update restricts the `serviceaccount` to the `openshift-logging` namespace with a role and rolebinding. (https://issues.redhat.com/browse/LOG-2481[LOG-2481)]) + +=== CVEs +[id="openshift-logging-5-3-7-CVEs"] +.Click to expand CVEs +[%collapsible] +==== +* https://access.redhat.com/security/cve/CVE-2018-25032[CVE-2018-25032] +* https://access.redhat.com/security/cve/CVE-2021-4028[CVE-2021-4028] +* https://access.redhat.com/security/cve/CVE-2021-37136[CVE-2021-37136] +* https://access.redhat.com/security/cve/CVE-2021-37137[CVE-2021-37137] +* https://access.redhat.com/security/cve/CVE-2021-43797[CVE-2021-43797] +* https://access.redhat.com/security/cve/CVE-2022-0759[CVE-2022-0759] +* https://access.redhat.com/security/cve/CVE-2022-0778[CVE-2022-0778] +* https://access.redhat.com/security/cve/CVE-2022-1154[CVE-2022-1154] +* https://access.redhat.com/security/cve/CVE-2022-1271[CVE-2022-1271] +* https://access.redhat.com/security/cve/CVE-2022-21426[CVE-2022-21426] +* https://access.redhat.com/security/cve/CVE-2022-21434[CVE-2022-21434] +* https://access.redhat.com/security/cve/CVE-2022-21443[CVE-2022-21443] +* https://access.redhat.com/security/cve/CVE-2022-21476[CVE-2022-21476] +* https://access.redhat.com/security/cve/CVE-2022-21496[CVE-2022-21496] +* https://access.redhat.com/security/cve/CVE-2022-21698[CVE-2022-21698] +* https://access.redhat.com/security/cve/CVE-2022-25636[CVE-2022-25636] +==== + +[id="cluster-logging-release-notes-5-3-6"] +== OpenShift Logging 5.3.6 +This release includes link:https://access.redhat.com/errata/RHBA-2022:1377[RHBA-2022:1377 OpenShift Logging Bug Fix Release 5.3.6] + +[id="openshift-logging-5-3-6-bug-fixes"] +=== Bug fixes +* Before this update, defining a toleration with no key and the existing Operator caused the Operator to be unable to complete an upgrade. With this update, this toleration no longer blocks the upgrade from completing. (link:https://issues.redhat.com/browse/LOG-2126[LOG-2126]) + +* Before this change, it was possible for the collector to generate a warning where the chunk byte limit was exceeding an emitted event. With this change, you can tune the readline limit to resolve the issue as advised by the upstream documentation. (link:https://issues.redhat.com/browse/LOG-2380[LOG-2380]) + +[id="cluster-logging-release-notes-5-3-5"] +== OpenShift Logging 5.3.5 +[role="_abstract"] +This release includes link:https://access.redhat.com/errata/RHSA-2022:0721[RHSA-2022:0721 OpenShift Logging Bug Fix Release 5.3.5] + +[id="openshift-logging-5-3-5-bug-fixes"] +=== Bug fixes +* Before this update, if you removed OpenShift Logging from {product-title}, the web console continued displaying a link to the *Logging* page. With this update, removing or uninstalling OpenShift Logging also removes that link. (link:https://issues.redhat.com/browse/LOG-2182[LOG-2182]) + +=== CVEs +[id="openshift-logging-5-3-5-CVEs"] +.Click to expand CVEs +[%collapsible] +==== +* link:https://access.redhat.com/security/cve/CVE-2020-28491[CVE-2020-28491] +* link:https://access.redhat.com/security/cve/CVE-2021-3521[CVE-2021-3521] +* link:https://access.redhat.com/security/cve/CVE-2021-3872[CVE-2021-3872] +* link:https://access.redhat.com/security/cve/CVE-2021-3984[CVE-2021-3984] +* link:https://access.redhat.com/security/cve/CVE-2021-4019[CVE-2021-4019] +* link:https://access.redhat.com/security/cve/CVE-2021-4122[CVE-2021-4122] +* link:https://access.redhat.com/security/cve/CVE-2021-4192[CVE-2021-4192] +* link:https://access.redhat.com/security/cve/CVE-2021-4193[CVE-2021-4193] +* link:https://access.redhat.com/security/cve/CVE-2022-0552[CVE-2022-0552] +==== + +[id="cluster-logging-release-notes-5-3-4"] +== OpenShift Logging 5.3.4 +[role="_abstract"] +This release includes link:https://access.redhat.com/errata/RHBA-2022:0411[RHBA-2022:0411 OpenShift Logging Bug Fix Release 5.3.4] + +[id="openshift-logging-5-3-4-bug-fixes"] +=== Bug fixes +* Before this update, changes to the metrics dashboards had not yet been deployed because the `cluster-logging-operator` did not correctly compare existing and desired config maps that contained the dashboard. This update fixes the logic by adding a unique hash value to the object labels. (link:https://issues.redhat.com/browse/LOG-2066[LOG-2066]) + +* Before this update, Elasticsearch pods failed to start after updating with FIPS enabled. With this update, Elasticsearch pods start successfully. (link:https://issues.redhat.com/browse/LOG-1974[LOG-1974]) + +* Before this update, elasticsearch generated the error "Unable to create PersistentVolumeClaim due to forbidden: exceeded quota: infra-storage-quota." if the PVC already existed. With this update, elasticsearch checks for existing PVCs, resolving the issue. (link:https://issues.redhat.com/browse/LOG-2127[LOG-2127]) + +=== CVEs +[id="openshift-logging-5-3-4-CVEs"] +.Click to expand CVEs +[%collapsible] +==== +* link:https://access.redhat.com/security/cve/CVE-2021-3521[CVE-2021-3521] +* link:https://access.redhat.com/security/cve/CVE-2021-3872[CVE-2021-3872] +* link:https://access.redhat.com/security/cve/CVE-2021-3984[CVE-2021-3984] +* link:https://access.redhat.com/security/cve/CVE-2021-4019[CVE-2021-4019] +* link:https://access.redhat.com/security/cve/CVE-2021-4122[CVE-2021-4122] +* link:https://access.redhat.com/security/cve/CVE-2021-4155[CVE-2021-4155] +* link:https://access.redhat.com/security/cve/CVE-2021-4192[CVE-2021-4192] +* link:https://access.redhat.com/security/cve/CVE-2021-4193[CVE-2021-4193] +* link:https://access.redhat.com/security/cve/CVE-2022-0185[CVE-2022-0185] +* link:https://access.redhat.com/security/cve/CVE-2022-21248[CVE-2022-21248] +* link:https://access.redhat.com/security/cve/CVE-2022-21277[CVE-2022-21277] +* link:https://access.redhat.com/security/cve/CVE-2022-21282[CVE-2022-21282] +* link:https://access.redhat.com/security/cve/CVE-2022-21283[CVE-2022-21283] +* link:https://access.redhat.com/security/cve/CVE-2022-21291[CVE-2022-21291] +* link:https://access.redhat.com/security/cve/CVE-2022-21293[CVE-2022-21293] +* link:https://access.redhat.com/security/cve/CVE-2022-21294[CVE-2022-21294] +* link:https://access.redhat.com/security/cve/CVE-2022-21296[CVE-2022-21296] +* link:https://access.redhat.com/security/cve/CVE-2022-21299[CVE-2022-21299] +* link:https://access.redhat.com/security/cve/CVE-2022-21305[CVE-2022-21305] +* link:https://access.redhat.com/security/cve/CVE-2022-21340[CVE-2022-21340] +* link:https://access.redhat.com/security/cve/CVE-2022-21341[CVE-2022-21341] +* link:https://access.redhat.com/security/cve/CVE-2022-21360[CVE-2022-21360] +* link:https://access.redhat.com/security/cve/CVE-2022-21365[CVE-2022-21365] +* link:https://access.redhat.com/security/cve/CVE-2022-21366[CVE-2022-21366] +==== + +[id="cluster-logging-release-notes-5-3-3"] +== OpenShift Logging 5.3.3 +This release includes link:https://access.redhat.com/errata/RHSA-2022:0227[RHSA-2022:0227 OpenShift Logging Bug Fix Release 5.3.3] + +[id="openshift-logging-5-3-3-bug-fixes"] +=== Bug fixes +* Before this update, changes to the metrics dashboards had not yet been deployed because the cluster-logging-operator did not correctly compare existing and desired configmaps containing the dashboard. This update fixes the logic by adding a dashboard unique hash value to the object labels.(link:https://issues.redhat.com/browse/LOG-2066[LOG-2066]) + +* This update changes the log4j dependency to 2.17.1 to resolve link:https://access.redhat.com/security/cve/CVE-2021-44832[CVE-2021-44832].(link:https://issues.redhat.com/browse/LOG-2102[LOG-2102]) + +=== CVEs +[id="openshift-logging-5-3-3-CVEs"] +.Click to expand CVEs +[%collapsible] +==== +* link:https://access.redhat.com/security/cve/CVE-2021-27292[CVE-2021-27292] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=1940613[BZ-1940613] +* link:https://access.redhat.com/security/cve/CVE-2021-44832[CVE-2021-44832] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=2035951[BZ-2035951] +==== + +[id="cluster-logging-release-notes-5-3-2"] +== OpenShift Logging 5.3.2 +This release includes link:https://access.redhat.com/errata/RHSA-2022:0044[RHSA-2022:0044 OpenShift Logging Bug Fix Release 5.3.2] + +[id="openshift-logging-5-3-2-bug-fixes"] +=== Bug fixes +* Before this update, Elasticsearch rejected logs from the Event Router due to a parsing error. This update changes the data model to resolve the parsing error. However, as a result, previous indices might cause warnings or errors within Kibana. The `kubernetes.event.metadata.resourceVersion` field causes errors until existing indices are removed or reindexed. If this field is not used in Kibana, you can ignore the error messages. If you have a retention policy that deletes old indices, the policy eventually removes the old indices and stops the error messages. Otherwise, manually reindex to stop the error messages. (link:https://issues.redhat.com/browse/LOG-2087[LOG-2087]) + +* Before this update, the OpenShift Logging Dashboard displayed the wrong pod namespace in the table that displays top producing and collected containers over the last 24 hours. With this update, the OpenShift Logging Dashboard displays the correct pod namespace. (link:https://issues.redhat.com/browse/LOG-2051[LOG-2051]) + +* Before this update, if `outputDefaults.elasticsearch.structuredTypeKey` in the `ClusterLogForwarder` custom resource (CR) instance did not have a structured key, the CR replaced the output secret with the default secret used to communicate to the default log store. With this update, the defined output secret is correctly used. (link:https://issues.redhat.com/browse/LOG-2046[LOG-2046]) + +[id="openshift-logging-5-3-2-CVEs"] +=== CVEs +.Click to expand CVEs +[%collapsible] +==== +* https://access.redhat.com/security/cve/CVE-2020-36327[CVE-2020-36327] +** https://bugzilla.redhat.com/show_bug.cgi?id=1958999[BZ-1958999] +* https://access.redhat.com/security/cve/CVE-2021-45105[CVE-2021-45105] +** https://bugzilla.redhat.com/show_bug.cgi?id=2034067[BZ-2034067] +* https://access.redhat.com/security/cve/CVE-2021-3712[CVE-2021-3712] +* https://access.redhat.com/security/cve/CVE-2021-20321[CVE-2021-20321] +* https://access.redhat.com/security/cve/CVE-2021-42574[CVE-2021-42574] +==== + +[id="cluster-logging-release-notes-5-3-1"] +== OpenShift Logging 5.3.1 +This release includes link:https://access.redhat.com/errata/RHSA-2021:5129[RHSA-2021:5129 OpenShift Logging Bug Fix Release 5.3.1] + +[id="openshift-logging-5-3-1-bug-fixes"] +=== Bug fixes +* Before this update, the Fluentd container image included builder tools that were unnecessary at run time. This update removes those tools from the image. (link:https://issues.redhat.com/browse/LOG-1998[LOG-1998]) + +* Before this update, the Logging dashboard displayed an empty CPU graph because of a reference to an invalid metric. With this update, the Logging dashboard displays CPU graphs correctly. (link:https://issues.redhat.com/browse/LOG-1925[LOG-1925]) -[id="cluster-logging-technology-previews-5.4"] -== Logging 5.4 Technology Previews +* Before this update, the Elasticsearch Prometheus exporter plug-in compiled index-level metrics using a high-cost query that impacted the Elasticsearch node performance. This update implements a lower-cost query that improves performance. (link:https://issues.redhat.com/browse/LOG-1897[LOG-1897]) -include::modules/cluster-logging-vector-tech-preview.adoc[leveloffset=+3] -include::modules/cluster-logging-loki-tech-preview.adoc[leveloffset=+3] +[id="openshift-logging-5-3-1-CVEs"] +=== CVEs +.Click to expand CVEs +[%collapsible] +==== +* link:https://www.redhat.com/security/data/cve/CVE-2021-21409.html[CVE-2021-21409] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=1944888[BZ-1944888] +* link:https://www.redhat.com/security/data/cve/CVE-2021-37136.html[CVE-2021-37136] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=2004133[BZ-2004133] +* link:https://www.redhat.com/security/data/cve/CVE-2021-37137.html[CVE-2021-37137] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=2004135[BZ-2004135] +* link:https://www.redhat.com/security/data/cve/CVE-2021-44228.html[CVE-2021-44228] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=2030932[BZ-2030932] +* link:https://www.redhat.com/security/data/cve/CVE-2018-25009.html[CVE-2018-25009] +* link:https://www.redhat.com/security/data/cve/CVE-2018-25010.html[CVE-2018-25010] +* link:https://www.redhat.com/security/data/cve/CVE-2018-25012.html[CVE-2018-25012] +* link:https://www.redhat.com/security/data/cve/CVE-2018-25013.html[CVE-2018-25013] +* link:https://www.redhat.com/security/data/cve/CVE-2018-25014.html[CVE-2018-25014] +* link:https://www.redhat.com/security/data/cve/CVE-2019-5827.html[CVE-2019-5827] +* link:https://www.redhat.com/security/data/cve/CVE-2019-13750.html[CVE-2019-13750] +* link:https://www.redhat.com/security/data/cve/CVE-2019-13751.html[CVE-2019-13751] +* link:https://www.redhat.com/security/data/cve/CVE-2019-17594.html[CVE-2019-17594] +* link:https://www.redhat.com/security/data/cve/CVE-2019-17595.html[CVE-2019-17595] +* link:https://www.redhat.com/security/data/cve/CVE-2019-18218.html[CVE-2019-18218] +* link:https://www.redhat.com/security/data/cve/CVE-2019-19603.html[CVE-2019-19603] +* link:https://www.redhat.com/security/data/cve/CVE-2019-20838.html[CVE-2019-20838] +* link:https://www.redhat.com/security/data/cve/CVE-2020-12762.html[CVE-2020-12762] +* link:https://www.redhat.com/security/data/cve/CVE-2020-13435.html[CVE-2020-13435] +* link:https://www.redhat.com/security/data/cve/CVE-2020-14145.html[CVE-2020-14145] +* link:https://www.redhat.com/security/data/cve/CVE-2020-14155.html[CVE-2020-14155] +* link:https://www.redhat.com/security/data/cve/CVE-2020-16135.html[CVE-2020-16135] +* link:https://www.redhat.com/security/data/cve/CVE-2020-17541.html[CVE-2020-17541] +* link:https://www.redhat.com/security/data/cve/CVE-2020-24370.html[CVE-2020-24370] +* link:https://www.redhat.com/security/data/cve/CVE-2020-35521.html[CVE-2020-35521] +* link:https://www.redhat.com/security/data/cve/CVE-2020-35522.html[CVE-2020-35522] +* link:https://www.redhat.com/security/data/cve/CVE-2020-35523.html[CVE-2020-35523] +* link:https://www.redhat.com/security/data/cve/CVE-2020-35524.html[CVE-2020-35524] +* link:https://www.redhat.com/security/data/cve/CVE-2020-36330.html[CVE-2020-36330] +* link:https://www.redhat.com/security/data/cve/CVE-2020-36331.html[CVE-2020-36331] +* link:https://www.redhat.com/security/data/cve/CVE-2020-36332.html[CVE-2020-36332] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3200.html[CVE-2021-3200] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3426.html[CVE-2021-3426] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3445.html[CVE-2021-3445] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3481.html[CVE-2021-3481] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3572.html[CVE-2021-3572] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3580.html[CVE-2021-3580] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3712.html[CVE-2021-3712] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3800.html[CVE-2021-3800] +* link:https://www.redhat.com/security/data/cve/CVE-2021-20231.html[CVE-2021-20231] +* link:https://www.redhat.com/security/data/cve/CVE-2021-20232.html[CVE-2021-20232] +* link:https://www.redhat.com/security/data/cve/CVE-2021-20266.html[CVE-2021-20266] +* link:https://www.redhat.com/security/data/cve/CVE-2021-20317.html[CVE-2021-20317] +* link:https://www.redhat.com/security/data/cve/CVE-2021-22876.html[CVE-2021-22876] +* link:https://www.redhat.com/security/data/cve/CVE-2021-22898.html[CVE-2021-22898] +* link:https://www.redhat.com/security/data/cve/CVE-2021-22925.html[CVE-2021-22925] +* link:https://www.redhat.com/security/data/cve/CVE-2021-27645.html[CVE-2021-27645] +* link:https://www.redhat.com/security/data/cve/CVE-2021-28153.html[CVE-2021-28153] +* link:https://www.redhat.com/security/data/cve/CVE-2021-31535.html[CVE-2021-31535] +* link:https://www.redhat.com/security/data/cve/CVE-2021-33560.html[CVE-2021-33560] +* link:https://www.redhat.com/security/data/cve/CVE-2021-33574.html[CVE-2021-33574] +* link:https://www.redhat.com/security/data/cve/CVE-2021-35942.html[CVE-2021-35942] +* link:https://www.redhat.com/security/data/cve/CVE-2021-36084.html[CVE-2021-36084] +* link:https://www.redhat.com/security/data/cve/CVE-2021-36085.html[CVE-2021-36085] +* link:https://www.redhat.com/security/data/cve/CVE-2021-36086.html[CVE-2021-36086] +* link:https://www.redhat.com/security/data/cve/CVE-2021-36087.html[CVE-2021-36087] +* link:https://www.redhat.com/security/data/cve/CVE-2021-42574.html[CVE-2021-42574] +* link:https://www.redhat.com/security/data/cve/CVE-2021-43267.html[CVE-2021-43267] +* link:https://www.redhat.com/security/data/cve/CVE-2021-43527.html[CVE-2021-43527] +* link:https://www.redhat.com/security/data/cve/CVE-2021-45046.html[CVE-2021-45046] +==== -include::modules/cluster-logging-release-notes-5.3.z.adoc[leveloffset=-1] [id="cluster-logging-release-notes-5-3-0"] == OpenShift Logging 5.3.0 This release includes link:https://access.redhat.com/errata/RHSA-2021:4627[RHSA-2021:4627 OpenShift Logging Bug Fix Release 5.3.0] [id="openshift-logging-5-3-0-new-features-and-enhancements"] -==== New features and enhancements +=== New features and enhancements * With this update, authorization options for Log Forwarding have been expanded. Outputs may now be configured with SASL, username/password, or TLS. [id="openshift-logging-5-3-0-bug-fixes"] -==== Bug fixes +=== Bug fixes * Before this update, if you forwarded logs using the syslog protocol, serializing a ruby hash encoded key/value pairs to contain a '=>' character and replaced tabs with "#11". This update fixes the issue so that log messages are correctly serialized as valid JSON. (link:https://issues.redhat.com/browse/LOG-1494[LOG-1494]) * Before this update, application logs were not correctly configured to forward to the proper Cloudwatch stream with multi-line error detection enabled. (link:https://issues.redhat.com/browse/LOG-1939[LOG-1939]) @@ -47,7 +380,7 @@ This release includes link:https://access.redhat.com/errata/RHSA-2021:4627[RHSA- * Before this update, the `ClusterLogging` custom resource (CR) applied the value of the `totalLimitSize` field to the Fluentd `total_limit_size` field, even if the required buffer space was not available. With this update, the CR applies the lesser of the two `totalLimitSize` or 'default' values to the Fluentd `total_limit_size` field, resolving the issue. (link:https://issues.redhat.com/browse/LOG-1776[LOG-1776]) [id="openshift-logging-5-3-0-known-issues"] -==== Known issues +=== Known issues * If you forward logs to an external Elasticsearch server and then change a configured value in the pipeline secret, such as the username and password, the Fluentd forwarder loads the new secret but uses the old value to connect to an external Elasticsearch server. This issue happens because the Red Hat OpenShift Logging Operator does not currently monitor secrets for content changes. (link:https://issues.redhat.com/browse/LOG-1652[LOG-1652]) + As a workaround, if you change the secret, you can force the Fluentd pods to redeploy by entering: @@ -58,7 +391,7 @@ $ oc delete pod -l component=collector ---- [id="openshift-logging-5-3-0-deprecated-removed-features"] -==== Deprecated and removed features +=== Deprecated and removed features Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in OpenShift Logging and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. @@ -79,7 +412,7 @@ Instead, use the following non-legacy methods: In OpenShift Logging 5.3, the legacy configuration mechanism for log forwarding is removed: You cannot forward logs using the legacy Fluentd method and legacy Syslog method. Use the standard log forwarding methods instead. [id="openshift-logging-5-3-0-CVEs"] -==== CVEs +=== CVEs .Click to expand CVEs [%collapsible] ==== @@ -192,7 +525,330 @@ In OpenShift Logging 5.3, the legacy configuration mechanism for log forwarding * link:https://www.redhat.com/security/data/cve/CVE-2021-42574.html[CVE-2021-42574] ==== -include::modules/cluster-logging-release-notes-5.2.z.adoc[leveloffset=0] +[id="cluster-logging-release-notes-5-2-10"] +== OpenShift Logging 5.2.10 +[role="_abstract"] +This release includes link:https://access.redhat.com/errata/[ OpenShift Logging Bug Fix Release 5.2.10]] + +[id="openshift-logging-5-2-10-bug-fixes"] +=== Bug fixes +* Before this update some log forwarder outputs could re-order logs with the same time-stamp. With this update, a sequence number has been added to the log record to order entries that have matching timestamps.(https://issues.redhat.com/browse/LOG-2335[LOG-2335]) + +* Before this update, clusters with a large number of namespaces caused Elasticsearch to stop serving requests because the list of namespaces reached the maximum header size limit. With this update, headers only include a list of namespace names, resolving the issue. (https://issues.redhat.com/browse/LOG-2475[LOG-2475]) + +* Before this update, `system:serviceaccount:openshift-monitoring:prometheus-k8s` had cluster level privileges as a `clusterrole` and `clusterrolebinding`. This update restricts the `serviceaccount` to the `openshift-logging` namespace with a role and rolebinding. (https://issues.redhat.com/browse/LOG-2480[LOG-2480]) + +* Before this update, the `cluster-logging-operator` utilized cluster scoped roles and bindings to establish permissions for the Prometheus service account to scrape metrics. These permissions were only created when deploying the Operator using the console interface and were missing when the Operator was deployed from the command line. This fixes the issue by making this role and binding namespace scoped. (https://issues.redhat.com/browse/LOG-1972[LOG-1972]) + +[id="openshift-logging-5-2-10-CVEs"] +=== CVEs +.Click to expand CVEs +[%collapsible] +==== +* link:https://access.redhat.com/security/cve/CVE-2018-25032[CVE-2018-25032] +* link:https://access.redhat.com/security/cve/CVE-2021-4028[CVE-2021-4028] +* link:https://access.redhat.com/security/cve/CVE-2021-37136[CVE-2021-37136] +* link:https://access.redhat.com/security/cve/CVE-2021-37137[CVE-2021-37137] +* link:https://access.redhat.com/security/cve/CVE-2021-43797[CVE-2021-43797] +* link:https://access.redhat.com/security/cve/CVE-2022-0778[CVE-2022-0778] +* link:https://access.redhat.com/security/cve/CVE-2022-1154[CVE-2022-1154] +* link:https://access.redhat.com/security/cve/CVE-2022-1271[CVE-2022-1271] +* link:https://access.redhat.com/security/cve/CVE-2022-21426[CVE-2022-21426] +* link:https://access.redhat.com/security/cve/CVE-2022-21434[CVE-2022-21434] +* link:https://access.redhat.com/security/cve/CVE-2022-21443[CVE-2022-21443] +* link:https://access.redhat.com/security/cve/CVE-2022-21476[CVE-2022-21476] +* link:https://access.redhat.com/security/cve/CVE-2022-21496[CVE-2022-21496] +* link:https://access.redhat.com/security/cve/CVE-2022-21698[CVE-2022-21698] +* link:https://access.redhat.com/security/cve/CVE-2022-25636[CVE-2022-25636] +==== + +[id="cluster-logging-release-notes-5-2-9"] +== OpenShift Logging 5.2.9 +[role="_abstract"] +This release includes link:https://access.redhat.com/errata/RHBA-2022:1375[RHBA-2022:1375 OpenShift Logging Bug Fix Release 5.2.9]] + +[id="openshift-logging-5-2-9-bug-fixes"] +=== Bug fixes +* Before this update, defining a toleration with no key and the existing Operator caused the Operator to be unable to complete an upgrade. With this update, this toleration no longer blocks the upgrade from completing. (link:https://issues.redhat.com/browse/LOG-2304[LOG-2304]) + +[id="cluster-logging-release-notes-5-2-8"] +== OpenShift Logging 5.2.8 + +This release includes link:https://access.redhat.com/errata/RHSA-2022:0728[RHSA-2022:0728 OpenShift Logging Bug Fix Release 5.2.8] + +[id="openshift-logging-5-2-8-bug-fixes"] +=== Bug fixes +* Before this update, if you removed OpenShift Logging from {product-title}, the web console continued displaying a link to the *Logging* page. With this update, removing or uninstalling OpenShift Logging also removes that link. (link:https://issues.redhat.com/browse/LOG-2180[LOG-2180]) + +[id="openshift-logging-5-2-8-CVEs"] +=== CVEs +.Click to expand CVEs +[%collapsible] +==== +* link:https://access.redhat.com/security/cve/CVE-2020-28491[CVE-2020-28491] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=1930423[BZ-1930423] +* link:https://access.redhat.com/security/cve/CVE-2022-0552[CVE-2022-0552] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=2052539[BG-2052539] +==== + +[id="cluster-logging-release-notes-5-2-7"] +== OpenShift Logging 5.2.7 + +This release includes link:https://access.redhat.com/errata/RHBA-2022:0478[RHBA-2022:0478 OpenShift Logging Bug Fix Release 5.2.7] + +[id="openshift-logging-5-2-7-bug-fixes"] +=== Bug fixes +* Before this update, Elasticsearch pods with FIPS enabled failed to start after updating. With this update, Elasticsearch pods start successfully. (link:https://issues.redhat.com/browse/LOG-2000[LOG-2000]) + +* Before this update, if a persistent volume claim (PVC) already existed, Elasticsearch generated an error, "Unable to create PersistentVolumeClaim due to forbidden: exceeded quota: infra-storage-quota." With this update, Elasticsearch checks for existing PVCs, resolving the issue. (link:https://issues.redhat.com/browse/LOG-2118[LOG-2118]) + +[id="openshift-logging-5-2-7-CVEs"] +=== CVEs +.Click to expand CVEs +[%collapsible] +==== +* link:https://access.redhat.com/security/cve/CVE-2021-3521[CVE-2021-3521] +* link:https://access.redhat.com/security/cve/CVE-2021-3872[CVE-2021-3872] +* link:https://access.redhat.com/security/cve/CVE-2021-3984[CVE-2021-3984] +* link:https://access.redhat.com/security/cve/CVE-2021-4019[CVE-2021-4019] +* link:https://access.redhat.com/security/cve/CVE-2021-4122[CVE-2021-4122] +* link:https://access.redhat.com/security/cve/CVE-2021-4155[CVE-2021-4155] +* link:https://access.redhat.com/security/cve/CVE-2021-4192[CVE-2021-4192] +* link:https://access.redhat.com/security/cve/CVE-2021-4193[CVE-2021-4193] +* link:https://access.redhat.com/security/cve/CVE-2022-0185[CVE-2022-0185] +==== + +[id="cluster-logging-release-notes-5-2-6"] +== OpenShift Logging 5.2.6 + +This release includes link:https://access.redhat.com/errata/RHSA-2022:0230[RHSA-2022:0230 OpenShift Logging Bug Fix Release 5.2.6] + +[id="openshift-logging-5-2-6-bug-fixes"] +=== Bug fixes +* Before this update, the release did not include a filter change which caused Fluentd to crash. With this update, the missing filter has been corrected. (link:https://issues.redhat.com/browse/LOG-2104[LOG-2104]) + +* This update changes the log4j dependency to 2.17.1 to resolve link:https://access.redhat.com/security/cve/CVE-2021-44832[CVE-2021-44832].(link:https://issues.redhat.com/browse/LOG-2101[LOG-2101]) + +[id="openshift-logging-5-2-6-CVEs"] +=== CVEs +.Click to expand CVEs +[%collapsible] +==== +* link:https://access.redhat.com/security/cve/CVE-2021-27292[CVE-2021-27292] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=1940613[BZ-1940613] +* link:https://access.redhat.com/security/cve/CVE-2021-44832[CVE-2021-44832] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=2035951[BZ-2035951] +==== + +[id="cluster-logging-release-notes-5-2-5"] +== OpenShift Logging 5.2.5 + +This release includes link:https://access.redhat.com/errata/RHSA-2022:0043[RHSA-2022:0043 OpenShift Logging Bug Fix Release 5.2.5] + +[id="openshift-logging-5-2-5-bug-fixes"] +=== Bug fixes +* Before this update, Elasticsearch rejected logs from the Event Router due to a parsing error. This update changes the data model to resolve the parsing error. However, as a result, previous indices might cause warnings or errors within Kibana. The `kubernetes.event.metadata.resourceVersion` field causes errors until existing indices are removed or reindexed. If this field is not used in Kibana, you can ignore the error messages. If you have a retention policy that deletes old indices, the policy eventually removes the old indices and stops the error messages. Otherwise, manually reindex to stop the error messages. link:https://issues.redhat.com/browse/LOG-2087[LOG-2087]) + + +[id="openshift-logging-5-2-5-CVEs"] +=== CVEs +.Click to expand CVEs +[%collapsible] +==== +* link:https://access.redhat.com/security/cve/CVE-2021-3712[CVE-2021-3712] +* link:https://access.redhat.com/security/cve/CVE-2021-20321[CVE-2021-20321] +* link:https://access.redhat.com/security/cve/CVE-2021-42574[CVE-2021-42574] +* link:https://access.redhat.com/security/cve/CVE-2021-45105[CVE-2021-45105] +==== + +[id="cluster-logging-release-notes-5-2-4"] +== OpenShift Logging 5.2.4 + +This release includes link:https://access.redhat.com/errata/RHSA-2021:5127[RHSA-2021:5127 OpenShift Logging Bug Fix Release 5.2.4] + +[id="openshift-logging-5-2-4-bug-fixes"] +=== Bug fixes + +* Before this update, records shipped via syslog would serialize a ruby hash encoding key/value pairs to contain a '=>' character, as well as replace tabs with "#11". This update serializes the message correctly as proper JSON. (link:https://issues.redhat.com/browse/LOG-1775[LOG-1775]) + +* Before this update, the Elasticsearch Prometheus exporter plug-in compiled index-level metrics using a high-cost query that impacted the Elasticsearch node performance. This update implements a lower-cost query that improves performance. (link:https://issues.redhat.com/browse/LOG-1970[LOG-1970]) + +* Before this update, Elasticsearch sometimes rejected messages when Log Forwarding was configured with multiple outputs. This happened because configuring one of the outputs modified message content to be a single message. With this update, Log Forwarding duplicates the messages for each output so that output-specific processing does not affect the other outputs. (link:https://issues.redhat.com/browse/LOG-1824[LOG-1824]) + + +[id="openshift-logging-5-2-4-CVEs"] +=== CVEs +.Click to expand CVEs +[%collapsible] +==== +* link:https://www.redhat.com/security/data/cve/CVE-2018-25009.html[CVE-2018-25009] +* link:https://www.redhat.com/security/data/cve/CVE-2018-25010.html[CVE-2018-25010] +* link:https://www.redhat.com/security/data/cve/CVE-2018-25012.html[CVE-2018-25012] +* link:https://www.redhat.com/security/data/cve/CVE-2018-25013.html[CVE-2018-25013] +* link:https://www.redhat.com/security/data/cve/CVE-2018-25014.html[CVE-2018-25014] +* link:https://www.redhat.com/security/data/cve/CVE-2019-5827.html[CVE-2019-5827] +* link:https://www.redhat.com/security/data/cve/CVE-2019-13750.html[CVE-2019-13750] +* link:https://www.redhat.com/security/data/cve/CVE-2019-13751.html[CVE-2019-13751] +* link:https://www.redhat.com/security/data/cve/CVE-2019-17594.html[CVE-2019-17594] +* link:https://www.redhat.com/security/data/cve/CVE-2019-17595.html[CVE-2019-17595] +* link:https://www.redhat.com/security/data/cve/CVE-2019-18218.html[CVE-2019-18218] +* link:https://www.redhat.com/security/data/cve/CVE-2019-19603.html[CVE-2019-19603] +* link:https://www.redhat.com/security/data/cve/CVE-2019-20838.html[CVE-2019-20838] +* link:https://www.redhat.com/security/data/cve/CVE-2020-12762.html[CVE-2020-12762] +* link:https://www.redhat.com/security/data/cve/CVE-2020-13435.html[CVE-2020-13435] +* link:https://www.redhat.com/security/data/cve/CVE-2020-14145.html[CVE-2020-14145] +* link:https://www.redhat.com/security/data/cve/CVE-2020-14155.html[CVE-2020-14155] +* link:https://www.redhat.com/security/data/cve/CVE-2020-16135.html[CVE-2020-16135] +* link:https://www.redhat.com/security/data/cve/CVE-2020-17541.html[CVE-2020-17541] +* link:https://www.redhat.com/security/data/cve/CVE-2020-24370.html[CVE-2020-24370] +* link:https://www.redhat.com/security/data/cve/CVE-2020-35521.html[CVE-2020-35521] +* link:https://www.redhat.com/security/data/cve/CVE-2020-35522.html[CVE-2020-35522] +* link:https://www.redhat.com/security/data/cve/CVE-2020-35523.html[CVE-2020-35523] +* link:https://www.redhat.com/security/data/cve/CVE-2020-35524.html[CVE-2020-35524] +* link:https://www.redhat.com/security/data/cve/CVE-2020-36330.html[CVE-2020-36330] +* link:https://www.redhat.com/security/data/cve/CVE-2020-36331.html[CVE-2020-36331] +* link:https://www.redhat.com/security/data/cve/CVE-2020-36332.html[CVE-2020-36332] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3200.html[CVE-2021-3200] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3426.html[CVE-2021-3426] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3445.html[CVE-2021-3445] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3481.html[CVE-2021-3481] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3572.html[CVE-2021-3572] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3580.html[CVE-2021-3580] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3712.html[CVE-2021-3712] +* link:https://www.redhat.com/security/data/cve/CVE-2021-3800.html[CVE-2021-3800] +* link:https://www.redhat.com/security/data/cve/CVE-2021-20231.html[CVE-2021-20231] +* link:https://www.redhat.com/security/data/cve/CVE-2021-20232.html[CVE-2021-20232] +* link:https://www.redhat.com/security/data/cve/CVE-2021-20266.html[CVE-2021-20266] +* link:https://www.redhat.com/security/data/cve/CVE-2021-20317.html[CVE-2021-20317] +* link:https://www.redhat.com/security/data/cve/CVE-2021-21409.html[CVE-2021-21409] +* link:https://www.redhat.com/security/data/cve/CVE-2021-22876.html[CVE-2021-22876] +* link:https://www.redhat.com/security/data/cve/CVE-2021-22898.html[CVE-2021-22898] +* link:https://www.redhat.com/security/data/cve/CVE-2021-22925.html[CVE-2021-22925] +* link:https://www.redhat.com/security/data/cve/CVE-2021-27645.html[CVE-2021-27645] +* link:https://www.redhat.com/security/data/cve/CVE-2021-28153.html[CVE-2021-28153] +* link:https://www.redhat.com/security/data/cve/CVE-2021-31535.html[CVE-2021-31535] +* link:https://www.redhat.com/security/data/cve/CVE-2021-33560.html[CVE-2021-33560] +* link:https://www.redhat.com/security/data/cve/CVE-2021-33574.html[CVE-2021-33574] +* link:https://www.redhat.com/security/data/cve/CVE-2021-35942.html[CVE-2021-35942] +* link:https://www.redhat.com/security/data/cve/CVE-2021-36084.html[CVE-2021-36084] +* link:https://www.redhat.com/security/data/cve/CVE-2021-36085.html[CVE-2021-36085] +* link:https://www.redhat.com/security/data/cve/CVE-2021-36086.html[CVE-2021-36086] +* link:https://www.redhat.com/security/data/cve/CVE-2021-36087.html[CVE-2021-36087] +* link:https://www.redhat.com/security/data/cve/CVE-2021-37136.html[CVE-2021-37136] +* link:https://www.redhat.com/security/data/cve/CVE-2021-37137.html[CVE-2021-37137] +* link:https://www.redhat.com/security/data/cve/CVE-2021-42574.html[CVE-2021-42574] +* link:https://www.redhat.com/security/data/cve/CVE-2021-43267.html[CVE-2021-43267] +* link:https://www.redhat.com/security/data/cve/CVE-2021-43527.html[CVE-2021-43527] +* link:https://www.redhat.com/security/data/cve/CVE-2021-44228.html[CVE-2021-44228] +* link:https://www.redhat.com/security/data/cve/CVE-2021-45046.html[CVE-2021-45046] +==== + +[id="cluster-logging-release-notes-5-2-3"] +== OpenShift Logging 5.2.3 + +This release includes link:https://access.redhat.com/errata/RHSA-2021:4032[RHSA-2021:4032 OpenShift Logging Bug Fix Release 5.2.3] + +[id="openshift-logging-5-2-3-bug-fixes"] +=== Bug fixes + +* Before this update, some alerts did not include a namespace label. This omission does not comply with the OpenShift Monitoring Team's guidelines for writing alerting rules in {product-title}. With this update, all the alerts in Elasticsearch Operator include a namespace label and follow all the guidelines for writing alerting rules in {product-title}. (link:https://issues.redhat.com/browse/LOG-1857[LOG-1857]) + +* Before this update, a regression introduced in a prior release intentionally disabled JSON message parsing. This update re-enables JSON parsing. It also sets the log entry `level` based on the `level` field in parsed JSON message or by using regex to extract a match from a message field. (link:https://issues.redhat.com/browse/LOG-1759[LOG-1759]) + +[id="openshift-logging-5-2-3-CVEs"] +=== CVEs +.Click to expand CVEs +[%collapsible] +==== +* link:https://access.redhat.com/security/cve/CVE-2021-23369[CVE-2021-23369] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=1948761[BZ-1948761] +* link:https://access.redhat.com/security/cve/CVE-2021-23383[CVE-2021-23383] +** link:https://bugzilla.redhat.com/show_bug.cgi?id=1956688[BZ-1956688] +* link:https://access.redhat.com/security/cve/CVE-2018-20673[CVE-2018-20673] +* link:https://access.redhat.com/security/cve/CVE-2019-5827[CVE-2019-5827] +* link:https://access.redhat.com/security/cve/CVE-2019-13750[CVE-2019-13750] +* link:https://access.redhat.com/security/cve/CVE-2019-13751[CVE-2019-13751] +* link:https://access.redhat.com/security/cve/CVE-2019-17594[CVE-2019-17594] +* link:https://access.redhat.com/security/cve/CVE-2019-17595[CVE-2019-17595] +* link:https://access.redhat.com/security/cve/CVE-2019-18218[CVE-2019-18218] +* link:https://access.redhat.com/security/cve/CVE-2019-19603[CVE-2019-19603] +* link:https://access.redhat.com/security/cve/CVE-2019-20838[CVE-2019-20838] +* link:https://access.redhat.com/security/cve/CVE-2020-12762[CVE-2020-12762] +* link:https://access.redhat.com/security/cve/CVE-2020-13435[CVE-2020-13435] +* link:https://access.redhat.com/security/cve/CVE-2020-14155[CVE-2020-14155] +* link:https://access.redhat.com/security/cve/CVE-2020-16135[CVE-2020-16135] +* link:https://access.redhat.com/security/cve/CVE-2020-24370[CVE-2020-24370] +* link:https://access.redhat.com/security/cve/CVE-2021-3200[CVE-2021-3200] +* link:https://access.redhat.com/security/cve/CVE-2021-3426[CVE-2021-3426] +* link:https://access.redhat.com/security/cve/CVE-2021-3445[CVE-2021-3445] +* link:https://access.redhat.com/security/cve/CVE-2021-3572[CVE-2021-3572] +* link:https://access.redhat.com/security/cve/CVE-2021-3580[CVE-2021-3580] +* link:https://access.redhat.com/security/cve/CVE-2021-3778[CVE-2021-3778] +* link:https://access.redhat.com/security/cve/CVE-2021-3796[CVE-2021-3796] +* link:https://access.redhat.com/security/cve/CVE-2021-3800[CVE-2021-3800] +* link:https://access.redhat.com/security/cve/CVE-2021-20231[CVE-2021-20231] +* link:https://access.redhat.com/security/cve/CVE-2021-20232[CVE-2021-20232] +* link:https://access.redhat.com/security/cve/CVE-2021-20266[CVE-2021-20266] +* link:https://access.redhat.com/security/cve/CVE-2021-22876[CVE-2021-22876] +* link:https://access.redhat.com/security/cve/CVE-2021-22898[CVE-2021-22898] +* link:https://access.redhat.com/security/cve/CVE-2021-22925[CVE-2021-22925] +* link:https://access.redhat.com/security/cve/CVE-2021-23840[CVE-2021-23840] +* link:https://access.redhat.com/security/cve/CVE-2021-23841[CVE-2021-23841] +* link:https://access.redhat.com/security/cve/CVE-2021-27645[CVE-2021-27645] +* link:https://access.redhat.com/security/cve/CVE-2021-28153[CVE-2021-28153] +* link:https://access.redhat.com/security/cve/CVE-2021-33560[CVE-2021-33560] +* link:https://access.redhat.com/security/cve/CVE-2021-33574[CVE-2021-33574] +* link:https://access.redhat.com/security/cve/CVE-2021-35942[CVE-2021-35942] +* link:https://access.redhat.com/security/cve/CVE-2021-36084[CVE-2021-36084] +* link:https://access.redhat.com/security/cve/CVE-2021-36085[CVE-2021-36085] +* link:https://access.redhat.com/security/cve/CVE-2021-36086[CVE-2021-36086] +* link:https://access.redhat.com/security/cve/CVE-2021-36087[CVE-2021-36087] +==== + +[id="cluster-logging-release-notes-5-2-2"] +== OpenShift Logging 5.2.2 + +This release includes link:https://access.redhat.com/errata/RHBA-2021:3747[RHBA-2021:3747 OpenShift Logging Bug Fix Release 5.2.2] + +[id="openshift-logging-5-2-2-bug-fixes"] +=== Bug fixes + +* Before this update, the `ClusterLogging` custom resource (CR) applied the value of the `totalLimitSize` field to the Fluentd `total_limit_size` field, even if the required buffer space was not available. With this update, the CR applies the lesser of the two `totalLimitSize` or 'default' values to the Fluentd `total_limit_size` field, resolving the issue.(link:https://issues.redhat.com/browse/LOG-1738[LOG-1738]) + +* Before this update, a regression introduced in a prior release configuration caused the collector to flush its buffered messages before shutdown, creating a delay to the termination and restart of collector pods. With this update, Fluentd no longer flushes buffers at shutdown, resolving the issue. (link:https://issues.redhat.com/browse/LOG-1739[LOG-1739]) + +* Before this update, an issue in the bundle manifests prevented installation of the Elasticsearch Operator through OLM on {product-title} 4.9. With this update, a correction to bundle manifests re-enables installation and upgrade in 4.9.(link:https://issues.redhat.com/browse/LOG-1780[LOG-1780]) + +[id="openshift-logging-5-2-2-CVEs"] +=== CVEs +.Click to expand CVEs +[%collapsible] +==== +* link:https://www.redhat.com/security/data/cve/CVE-2020-25648.html[CVE-2020-25648] +* link:https://www.redhat.com/security/data/cve/CVE-2021-22922.html[CVE-2021-22922] +* link:https://www.redhat.com/security/data/cve/CVE-2021-22923.html[CVE-2021-22923] +* link:https://www.redhat.com/security/data/cve/CVE-2021-22924.html[CVE-2021-22924] +* link:https://www.redhat.com/security/data/cve/CVE-2021-36222.html[CVE-2021-36222] +* link:https://www.redhat.com/security/data/cve/CVE-2021-37576.html[CVE-2021-37576] +* link:https://www.redhat.com/security/data/cve/CVE-2021-37750.html[CVE-2021-37750] +* link:https://www.redhat.com/security/data/cve/CVE-2021-38201.html[CVE-2021-38201] +==== + +[id="cluster-logging-release-notes-5-2-1"] +== OpenShift Logging 5.2.1 + +This release includes link:https://access.redhat.com/errata/RHBA-2021:3550[RHBA-2021:3550 OpenShift Logging Bug Fix Release 5.2.1] + +[id="openshift-logging-5-2-1-bug-fixes"] +=== Bug fixes + +* Before this update, due to an issue in the release pipeline scripts, the value of the `olm.skipRange` field remained unchanged at `5.2.0` instead of reflecting the current release number. This update fixes the pipeline scripts to update the value of this field when the release numbers change. (link:https://issues.redhat.com/browse/LOG-1743[LOG-1743]) + +[id="openshift-logging-5-2-1-CVEs"] +=== CVEs + +(None) + [id="cluster-logging-release-notes-5-2-0"] == OpenShift Logging 5.2.0 @@ -233,23 +889,23 @@ To see these metrics, open the *Administrator* perspective in the {product-title * The `priorityclasses.v1beta1.scheduling.k8s.io` was removed in 1.22 and replaced by `priorityclasses.v1.scheduling.k8s.io` (`v1beta1` was replaced by `v1`). Before this update, `APIRemovedInNextReleaseInUse` alerts were generated for `priorityclasses` because `v1beta1` was still present . This update resolves the issue by replacing `v1beta1` with `v1`. The alert is no longer generated. (link:https://issues.redhat.com/browse/LOG-1385[LOG-1385]) -* Previously, the OpenShift Elasticsearch Operator and Red Hat OpenShift Logging Operator did not have the annotation that was required for them to appear in the {product-title} web console list of operators that can run in a disconnected environment. This update adds the `operators.openshift.io/infrastructure-features: '["Disconnected"]'` annotation to these two operators so that they appear in the list of operators that run in disconnected environments. (link:https://issues.redhat.com/browse/LOG-1420[LOG-1420]) +* Previously, the OpenShift Elasticsearch Operator and Red Hat OpenShift Logging Operator did not have the annotation that was required for them to appear in the {product-title} web console list of Operators that can run in a disconnected environment. This update adds the `operators.openshift.io/infrastructure-features: '["Disconnected"]'` annotation to these two Operators so that they appear in the list of Operators that run in disconnected environments. (link:https://issues.redhat.com/browse/LOG-1420[LOG-1420]) -* Before this update, Red Hat OpenShift Logging Operator pods were scheduled on CPU cores that were reserved for customer workloads on performance-optimized single-node clusters. With this update, cluster logging operator pods are scheduled on the correct CPU cores. (link:https://issues.redhat.com/browse/LOG-1440[LOG-1440]) +* Before this update, Red Hat OpenShift Logging Operator pods were scheduled on CPU cores that were reserved for customer workloads on performance-optimized single-node clusters. With this update, cluster logging Operator pods are scheduled on the correct CPU cores. (link:https://issues.redhat.com/browse/LOG-1440[LOG-1440]) * Before this update, some log entries had unrecognized UTF-8 bytes, which caused Elasticsearch to reject the messages and block the entire buffered payload. With this update, rejected payloads drop the invalid log entries and resubmit the remaining entries to resolve the issue. (link:https://issues.redhat.com/browse/LOG-1499[LOG-1499]) * Before this update, the `kibana-proxy` pod sometimes entered the `CrashLoopBackoff` state and logged the following message `Invalid configuration: cookie_secret must be 16, 24, or 32 bytes to create an AES cipher when pass_access_token == true or cookie_refresh != 0, but is 29 bytes.` The exact actual number of bytes could vary. With this update, the generation of the Kibana session secret has been corrected, and the kibana-proxy pod no longer enters a `CrashLoopBackoff` state due to this error. (link:https://issues.redhat.com/browse/LOG-1446[LOG-1446]) -* Before this update, the AWS CloudWatch Fluentd plugin logged its AWS API calls to the Fluentd log at all log levels, consuming additional {product-title} node resources. With this update, the AWS CloudWatch Fluentd plugin logs AWS API calls only at the "debug" and "trace" log levels. This way, at the default "warn" log level, Fluentd does not consume extra node resources. (link:https://issues.redhat.com/browse/LOG-1071[LOG-1071]) +* Before this update, the AWS CloudWatch Fluentd plug-in logged its AWS API calls to the Fluentd log at all log levels, consuming additional {product-title} node resources. With this update, the AWS CloudWatch Fluentd plug-in logs AWS API calls only at the "debug" and "trace" log levels. This way, at the default "warn" log level, Fluentd does not consume extra node resources. (link:https://issues.redhat.com/browse/LOG-1071[LOG-1071]) -* Before this update, the Elasticsearch OpenDistro security plugin caused user index migrations to fail. This update resolves the issue by providing a newer version of the plugin. Now, index migrations proceed without errors. (link:https://issues.redhat.com/browse/LOG-1276[LOG-1276]) +* Before this update, the Elasticsearch OpenDistro security plug-in caused user index migrations to fail. This update resolves the issue by providing a newer version of the plug-in. Now, index migrations proceed without errors. (link:https://issues.redhat.com/browse/LOG-1276[LOG-1276]) * Before this update, in the *Logging* dashboard in the {product-title} console, the list of top 10 log-producing containers lacked data points. This update resolves the issue, and the dashboard displays all data points. (link:https://issues.redhat.com/browse/LOG-1353[LOG-1353]) * Before this update, if you were tuning the performance of the Fluentd log forwarder by adjusting the `chunkLimitSize` and `totalLimitSize` values, the `Setting queued_chunks_limit_size for each buffer to` message reported values that were too low. The current update fixes this issue so that this message reports the correct values. (link:https://issues.redhat.com/browse/LOG-1411[LOG-1411]) -* Before this update, the Kibana OpenDistro security plugin caused user index migrations to fail. This update resolves the issue by providing a newer version of the plugin. Now, index migrations proceed without errors. (link:https://issues.redhat.com/browse/LOG-1558[LOG-1558]) +* Before this update, the Kibana OpenDistro security plug-in caused user index migrations to fail. This update resolves the issue by providing a newer version of the plug-in. Now, index migrations proceed without errors. (link:https://issues.redhat.com/browse/LOG-1558[LOG-1558]) * Before this update, using a namespace input filter prevented logs in that namespace from appearing in other inputs. With this update, logs are sent to all inputs that can accept them. (link:https://issues.redhat.com/browse/LOG-1570[LOG-1570])