v1.3.0-alpha.3 Pre-release
@smarterclayton smarterclayton released this
· 21380 commits to master since this release

This is an alpha feature release towards OpenShift Origin 1.3.0

Backwards Compatibility

  • Image Streams
    • In order to tag an image from one image stream into another via oc tag or the API, you must have permission to pull the image, not just permission to view the source image stream. Running oadm policy reconcile cluster-roles will alter default roles so that tagging continues to work as normal.

API Changes

  • DNS:
    • SRV record responses have changed significantly to conform to new features enabled in Kubernetes 1.3. More details in the 1.3 release notes issue. Callers must now explicitly request the port by name and protocol to get the port info (e.g. dig @server _http._tcp.kubernetes.default.svc.cluster.local)
  • Builds:
    • Build Request API should return NotFound if the parent build config does not exist #9763
    • Reject ImageStreamTag references on builds and build configs that are not well formed as validation errors #9945
    • Support YAML payloads for generic webhooks #10031
    • Properly mark secrets field as not required in swagger #10038
    • Disallow build config LastVersion from getting smaller - clients will receive a validation error if status.latestVersion is a smaller integer than the stored value #9568
  • Secrets:
    • Secret data may now be specified in string form (rather than base64 encoded) via the new stringData map, which is write-only and takes precedence over keys with the same name specified in data #9663
  • PodSecurityPolicy Review API (alpha)
    • The review APIs have been updated to take a PodTemplateSpec struct instead of a PodSpec struct, so that annotations on the pod template can be validated. #10007

Component updates

  • Updated to Kubernetes 1.3.0 with patch set Origin stable-20160804
    • Backported a number of 1.3.x fixes, including a serious regression in parallel pod start performance with #10111
  • Updated to Docker distribution 2.4.0 with patch set 5594335


v1.3.0-alpha.3 (2016-08-07)
Full Changelog

PetSets and Init Containers

Kubernetes 1.3 includes two new features in alpha designed for running clustered software: PetSets and init containers. PetSets make it easy to run a consistent set of pods that have individual network identities and are able to have unique persistent volumes. Init containers are run sequentially before the other containers in a pod are started and allow pod authors to read and write volume data, download binaries, wait for other components to start, and other initialization style tasks.

The examples/pets directory contains a number of examples of how to use PetSets. Because these are alpha features, backwards compatibility in future Kubernetes or OpenShift versions is not guaranteed, and the features may change significantly. Please provide feedback on these features.

  • Enable petsets in origin #9972
  • Enable security limits around init containers #9973

Improvements to Jenkins

  • clean up jenkins master/slave example #9956
  • jenkins: Generate a password for Jenkins #10163
  • jenkins: Use official maven image for slave pods in sample pipeline #9807
  • console: addition of a dedicated Pipelines page
  • console: improvements to the pipeline visualization on the Overview

Upgrading to Docker Registry 2.4, cross-repository linking, and better usage tooling

This release contains an upgrade to Docker distribution 2.4 which contains many performance and usability improvements, including cross repo mounting when pushing images that already exist in the OpenShift registry. Support for the new schema2 storage format for images is now available, although it must be manually enabled in order to accept images pushed in the schema2 format (to preserve compatibility with older Docker versions).

  • registry: Check pull access when tagging imagestreams #10109
  • registry: Consider schema v2 layers when pruning #9713
  • registry: User can get only blobs he's able to see #9819
  • registry: Ensure that download access to registry blobs is controlled by access to the image stream #9593

Bearer token and anonymous access

The registry now supports the Docker Token Authentication Specification, which enables bearer token authentication and anonymous access. Grant the system:image-puller role to the system:unauthenticated group to allow unauthenticated image pulls from a namespace:

oc policy add-role-to-group system:image-puller system:unauthenticated -n mynamespace
  • registry: Allow anonymous registry access #9887
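
Because the grant above opens a namespace's images to unauthenticated pulls, it is worth auditing where it exists. The following is an added example, not part of the release notes or the Origin code base: it scans role bindings for system:image-puller bound to system:unauthenticated. It assumes the JSON shape of `oc get rolebindings --all-namespaces -o json` with `roleRef.name`, `groupNames` and `subjects` fields; the sample data and the `expected` allowlist parameter are constructed for illustration.

```python
import json

PULL_ROLE = "system:image-puller"
ANON_GROUP = "system:unauthenticated"

# Constructed sample in the shape assumed for
# `oc get rolebindings --all-namespaces -o json`; not real cluster data.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "anon-pull", "namespace": "mynamespace"},
   "roleRef": {"name": "system:image-puller"},
   "groupNames": ["system:unauthenticated"], "subjects": null},
  {"metadata": {"name": "public-images", "namespace": "shared"},
   "roleRef": {"name": "system:image-puller"},
   "subjects": [{"kind": "SystemGroup", "name": "system:unauthenticated"}]},
  {"metadata": {"name": "ci-pull", "namespace": "build"},
   "roleRef": {"name": "system:image-puller"},
   "subjects": [{"kind": "ServiceAccount", "name": "builder"}]},
  {"metadata": {"name": "dev-pull", "namespace": "mynamespace"},
   "roleRef": {"name": "system:image-puller"},
   "groupNames": ["developers"]}
]}
""")


def bound_groups(binding):
    """Return the group names a role binding applies to.

    Reads both the flat groupNames list and group-kind entries in
    subjects (assumed field names); either may be missing or null.
    """
    groups = set(binding.get("groupNames") or [])
    for subject in binding.get("subjects") or []:
        if subject.get("kind") in ("Group", "SystemGroup"):
            groups.add(subject.get("name", ""))
    return groups


def anonymous_pull_namespaces(rolebindings, expected=()):
    """List (namespace, binding, status) where anonymous pulls are granted.

    `expected` is a hypothetical allowlist of namespaces that are meant
    to be public; anything else is reported as "unexpected".
    Only bindings to PULL_ROLE are checked. Other roles that also carry
    the pull permission are outside the scope of this check.
    """
    findings = []
    for item in rolebindings.get("items") or []:
        if (item.get("roleRef") or {}).get("name") != PULL_ROLE:
            continue
        if ANON_GROUP not in bound_groups(item):
            continue
        meta = item.get("metadata") or {}
        namespace = meta.get("namespace", "")
        status = "expected" if namespace in expected else "unexpected"
        findings.append((namespace, meta.get("name", ""), status))
    return sorted(findings)


if __name__ == "__main__":
    for ns, name, status in anonymous_pull_namespaces(SAMPLE, expected={"shared"}):
        print(f"{ns}/{name}: anonymous image pull ({status})")
```
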

Image usage reporting

A new top level administrative command oadm top has been added to support administrative insight into the images used by the platform. Using oadm top images will show you information about the top images in use and how much space is in use in your registry. oadm top imagestreams will show you more detail about the total referenced size of each image stream and the number of layers allocated.

  • images: Provide an administrative image usage report tool #9587
$ oadm top imagestreams
openshift/mongodb   0MiB        0   0
openshift/nodejs    329.84MiB   2   53
openshift/mysql     310.39MiB   2   38
openshift/jenkins   0MiB        0   0
openshift/mariadb   195.33MiB   1   5
openshift/wildfly   1.67GiB     3   87
openshift/python    704.99MiB   4   104
openshift/php       426.87MiB   2   52
openshift/postgresql    0MiB        0   0
openshift/ruby      359.71MiB   3   78
openshift/perl      370.21MiB   2   53

$ oadm top images
NAME                                    IMAGESTREAMTAG              PARENTS                     USAGE           METADATA    STORAGE
sha256:56f808f1bd2b820df6bef53d959f84bebd77ddd86fa86cef4e402d42a517d861 openshift/perl (latest,5.20)        sha256:5a428b5b36d4cd98dce8603d5accb30ff014b7d4fb73c2bb895edda89cabbb3d,sha256:7b5846517492e69b6705c6f6a14f3eb0944bd564369439c539aa57882ea11c00,sha256:851ec2ace8a73a9cc3868edcbff1ac50d5f382d5079b7bfa4e7ff2bb531c171f,sha256:68a27d407fd1ead3b8a9e33aa2054c948ad3a54556d28bb4caaf704a0f651f96,sha256:091120a2f697d36898e3dde6fb5be64d694672111d78a77a340c827626f52f89,sha256:ae121ac0828f1a1ddf3c1c84c67eb663933d60ee73617b8dfa0da5b095f1f9bb,sha256:440bfdfabdd46b5cd18672e7354bf915384047bb074cd429c92db004095f3708,sha256:453d96efdaa1bab5f7d115037235df965a292070a1c6a2af30cb049f5674848e,sha256:e0ccc37251074051bb5d20a86756357bc261b87a6838a552e6304191dffdeed2,sha256:e757c402d95f047f2876e368271e9570b1904366ced49b6333f8a897b368e69d,sha256:a54e1612052715b0d3022c8146ff758bd566455750f1391946648de767a74c5b,sha256:212d8e093d50b44cf8dd3101d22e7efce6293d741a6dc30fced9cd27b70c7c22,sha256:cc561897aa2c64d61fcda5b5149fbd1fca133ceb8cc8ac448859d571a2bdbbd8,sha256:a08759ded47520de300096fea140e9020dc7ae9b7a163ec604baba38c15cd192,sha256:2375b645b83bff8ccf7e61346859cd9a23ac57af6d443b32b6392c1998d14c74,sha256:41da716a93a61a8958d360ac3f70387ece99af3ac4c3ce30dbb735dea41903dc,sha256:e87d875660454595a08287afe8bc121c924d87f93ea1db0f5ac12809d7473bb3,sha256:8c6c4ff3ae64a90ab1535a7ff33e685c63b3d51f7915722292c12e5ccb8f0a7f,sha256:c605bcbb3b290d02a380cf0488effcdbb96fad1fcdd5a1d237fe44237f6d71cd,sha256:e7d7d97f75d94f0b79e68057b1c276c5b8c64d4a1d9a447dd59001521d8720bd,sha256:b58b9ac6edd661668bafab79f10e24e20b4b1df3de77e010bea95cbfa59890cf,sha256:71ea884c14ff11865cec03c443ed9b887d35673e07122e7aea967b75e40b0f42,sha256:8b0055a02328f8d3d9e52112886e6f9272b880eee20ead761e631c3be2d37618,sha256:83c2fd8cc3258f1ec22f26b6f6c573460f43be28f7ab3073b912f7bc8b56d930                             yes     276.50MiB
sha256:97caf48a52438d60b567f25d5882c331c7c8d4679618b17b33ee8ec86c7ba5ec test/ruby (latest)          sha256:8c6c4ff3ae64a90ab1535a7ff33e685c63b3d51f7915722292c12e5ccb8f0a7f,sha256:212d8e093d50b44cf8dd3101d22e7efce6293d741a6dc30fced9cd27b70c7c22,sha256:e0ccc37251074051bb5d20a86756357bc261b87a6838a552e6304191dffdeed2,sha256:7b5846517492e69b6705c6f6a14f3eb0944bd564369439c539aa57882ea11c00,sha256:c605bcbb3b290d02a380cf0488effcdbb96fad1fcdd5a1d237fe44237f6d71cd,sha256:8b0055a02328f8d3d9e52112886e6f9272b880eee20ead761e631c3be2d37618,sha256:cc561897aa2c64d61fcda5b5149fbd1fca133ceb8cc8ac448859d571a2bdbbd8,sha256:b58b9ac6edd661668bafab79f10e24e20b4b1df3de77e010bea95cbfa59890cf,sha256:56f808f1bd2b820df6bef53d959f84bebd77ddd86fa86cef4e402d42a517d861,sha256:41da716a93a61a8958d360ac3f70387ece99af3ac4c3ce30dbb735dea41903dc,sha256:e7d7d97f75d94f0b79e68057b1c276c5b8c64d4a1d9a447dd59001521d8720bd,sha256:68a27d407fd1ead3b8a9e33aa2054c948ad3a54556d28bb4caaf704a0f651f96,sha256:ae121ac0828f1a1ddf3c1c84c67eb663933d60ee73617b8dfa0da5b095f1f9bb,sha256:453d96efdaa1bab5f7d115037235df965a292070a1c6a2af30cb049f5674848e,sha256:a08759ded47520de300096fea140e9020dc7ae9b7a163ec604baba38c15cd192,sha256:e757c402d95f047f2876e368271e9570b1904366ced49b6333f8a897b368e69d,sha256:091120a2f697d36898e3dde6fb5be64d694672111d78a77a340c827626f52f89,sha256:e87d875660454595a08287afe8bc121c924d87f93ea1db0f5ac12809d7473bb3,sha256:2375b645b83bff8ccf7e61346859cd9a23ac57af6d443b32b6392c1998d14c74,sha256:440bfdfabdd46b5cd18672e7354bf915384047bb074cd429c92db004095f3708,sha256:851ec2ace8a73a9cc3868edcbff1ac50d5f382d5079b7bfa4e7ff2bb531c171f,sha256:83c2fd8cc3258f1ec22f26b6f6c573460f43be28f7ab3073b912f7bc8b56d930,sha256:5a428b5b36d4cd98dce8603d5accb30ff014b7d4fb73c2bb895edda89cabbb3d,sha256:71ea884c14ff11865cec03c443ed9b887d35673e07122e7aea967b75e40b0f42,sha256:a54e1612052715b0d3022c8146ff758bd566455750f1391946648de767a74c5b Deployment: test/ruby-1 yes     156.09MiB

Support all Deployment features on DeploymentConfigs and add the oc rollout command

Alpha 3 adds a ton of new capabilities onto deployments. As of alpha 3, all options from Kubernetes Deployments are supported on deployment config objects, such as pausing, setting a "wait" period for readiness to stabilize after a deployment, and more information returned in the status of the deployment. In addition, oc rollout (history|pause|resume|undo) now supports both Kubernetes deployments and OpenShift deployment configs. Over time, oc deploy will be replaced by subcommands under oc rollout as Kubernetes deployments gain parity with OpenShift deployments.

Upstream deployments are now enabled for use (in beta) and future releases will add tools for easily converting between them (for when you want deployments that trigger on image changes or deployment hooks).

  • deployments: Return API errors on not found imagestreams/deploymentconfigs #9727
  • Enabled deployments from Kubernetes as a beta resource - future releases will contain tools for migrating between resources.
  • Add paused field in deployment config describer #10159
  • deploy: pin retries to a const and forget correctly in the dc loop #9756
  • deploy: set gracePeriodSeconds on deployer deletion #9802
  • deploy: move cli-related packages in cmd #9692
  • deployments: Ensure the test deployment invariant is maintained #9839
  • deploy: set gracePeriod on deployer creation rather than when deleting #9854
  • Add MinReadySeconds in deployment configs #9852
  • deployments: Handle forbidden errors (due to older permissions) in oc rollback #9889
  • Remove deployment trigger warning #9894
  • Pause the deployment config before deleting #9893
  • oc rollout
  • deploy: enqueue configs on pod events #9953
  • performance
  • Enable replicasets and deployments #10136
  • deployments: Collapse deployer into deployments controller #9691
  • deployments: Specifying an empty initial image will hold the first deployment until an image is tagged #9539

Support resizing remote terminals in the CLI (oc exec|rsh|debug) and the web console

The exec and attach commands (or more often used with oc rsh) are now resizable and correctly handle terminal information, which should improve working inside of containers. The web console also allows the terminal to be resized.

  • cli: Support terminal resizing for exec/attach/run #9878

seccomp profiles for all containers and allow admin policy on their use

seccomp is a Linux kernel feature that restricts the types of system calls that applications can make. Kubernetes and Docker have added profiles that prohibit access for containers by default and significantly reduce the possibility of new vulnerabilities in the kernel being exploited by malicious containers. OpenShift enables this restrictive policy by default, and administrators can allow less restrictive profiles for highly privileged applications via the SecurityContextConstraint API.

  • security: Enable seccomp in SecurityContextConstraints #9715

Extended builds (alpha)

Support for internal communication using Protobuf and general performance improvements

The Kubernetes and OpenShift APIs now support an alternate serialization format to JSON: Protobuf. Protobuf is a binary format that requires less CPU and memory to encode and decode and offers significant benefits when internal components of the cluster are interacting. Clients may request Protobuf responses by specifying an Accept HTTP header with the value application/vnd.kubernetes.protobuf.

$ curl -H "Accept: application/vnd.kubernetes.protobuf" https://localhost:8443/api/v1/pods | hexdump -C

By default, all cluster internal communication will use Protobuf, but it must be enabled via configuration. Instructions for upgrading are described here: openshift/openshift-ansible#2214.

The Protobuf format is considered internal-only at this point and is not recommended for widespread client use.

  • Add protobuf to OpenShift types #9793
  • Enable protobuf in Origin for server-to-server #9814

Other significant performance improvements occurred in this release, including a number of memory usage reductions in the API server and controllers.

Enhancements to the imagebuilder library

The imagebuilder library for building squashed Dockerfiles has added a secret mount facility that allows builds to mount in secrets for the duration of the build that are not committed into the final Docker image. The --mount SRC:DST flag is now supported on oc ex dockerbuild and has the same behavior as docker run -v. Mount secrets are only supported on Docker 1.10 or newer.

  • Allow a mounted repository to be injected into yum #9947

In addition, the library has now been moved to its own GitHub repository at

  • Switch to using #10216

Service Serving Cert Signer (alpha)

If your service needs to serve TLS, OpenShift can automatically generate and sign a serving certificate that is valid for your service's DNS name. The signing CA certificate is injected into pods, so any pod in the cluster can communicate with your service and confirm that it is properly secured. See openshift/openshift-docs#2324 for details.

Scoped tokens for service accounts that act as OAuth clients

If your service needs to confirm the identity of a user on the OpenShift platform and/or perform actions on their behalf, you can now leverage our OAuth server to request scoped tokens for a user. See for details.

Support for quota that spans multiple projects and performance improvements (alpha)

If you need to constrain the number of resources that a particular user can create, but don't want to restrict individual projects, you can create a new ClusterResourceQuota resource that can select multiple projects based on labels or annotations. See openshift/openshift-docs#2596 for details.

A number of other performance improvements have been made to quota for clusters with thousands of individual quotas.

  • add oc create clusterquota #9588
  • project clusterresourcequota into applicable namespaces #9609
  • add a clusterquota reconciliation controller #9658
  • add project annotation selectors to cluster quota #9757
  • make clusterquota/status endpoint #9898
  • UPSTREAM: 29133: use a separate queue for initial quota calculation #9915
  • perf improvements
  • UPSTREAM: 29134: Improve quota controller performance #9937
  • cluster quota to namespace mapping controller #9558
  • UPSTREAM: 28351: Add support for kubectl create quota command #10054

Allow template authors to provide a post-creation message to end users

Templates now have a message field that will be displayed to users in the CLI or web console after creating an object from a template. The field will have the same parameterization rules applied as the objects in the template, so you can inject generated fields into a human readable message.

  • Adding a field to templates to allow them to deliver a user message w… #9708
  • Adding template instructional message to new-app output #9806

Split traffic between multiple backend services from a route

The HAProxy router now supports splitting the traffic coming to a route across multiple back end services via weighting. The web console has been updated to allow users to set the weighting and show balance between them.

The API field for balancing is spec.alternateBackends on the route and can be an array of 0..3 services to spread traffic across. The weight of the normal backend (the field) defaults to 100, and the combined value of all the weights sets the relative proportions of traffic.

  • routes: Add A/B definitions to routes #9119
  • router: Allow round-robin algorithm as a choice in passthrough/reencrypt #9710
  • console: visualization of alternate backends and ability to add and edit multiple backends for a route.


Router enhancements to defend against DDOS attacks

The router has been hardened to provide more protection against DDOS attacks. Administrators can set configuration flags on the router to apply blanket policy on connections across all routes, as well as configure a few routes specifically.

  • router: Implement basic DDOS protections in the HAProxy template router #9810
  • router: Allow for configurable server side timeouts on routes #9671
  • router: Allow rate-limits on the router to be defaulted #10125

Egress Firewalls for namespaces

A new resource EgressNetworkPolicy has been added which controls how traffic exits a namespace. Administrators can use these as outbound firewalls when using the multi-tenant SDN network. Each rule can be an allow or deny rule, and targets a CIDR. Since policy can only be changed by administrators, you can update your out of the box project template to include a firewall policy that applies to individual namespaces, and then later change to be more permissive.
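
An added example, not taken from the release notes or the Origin code base, showing how a list of allow/deny CIDR rules like the one described above can be checked before it goes into a project template. It assumes rules shaped as `{"type": "Allow"|"Deny", "to": {"cidrSelector": ...}}`, evaluated in order with the first match winning and unmatched traffic allowed; the sample rules are constructed.

```python
import ipaddress

# Constructed rule list in the assumed shape of an EgressNetworkPolicy
# spec.egress array; addresses are illustrative only.
SAMPLE_RULES = [
    {"type": "Allow", "to": {"cidrSelector": "10.1.2.0/24"}},
    {"type": "Deny", "to": {"cidrSelector": "10.1.0.0/16"}},
    {"type": "Deny", "to": {"cidrSelector": "10.1.2.128/25"}},
    {"type": "Allow", "to": {"cidrSelector": "0.0.0.0/0"}},
]


def parse_rules(rules):
    """Validate rules and return a list of (action, network) tuples.

    strict=True rejects CIDRs with host bits set (e.g. 10.1.2.5/24),
    which usually indicates a typo in the policy.
    """
    parsed = []
    for index, rule in enumerate(rules):
        action = rule.get("type")
        if action not in ("Allow", "Deny"):
            raise ValueError(f"rule {index}: unknown type {action!r}")
        cidr = ipaddress.ip_network(rule["to"]["cidrSelector"], strict=True)
        parsed.append((action, cidr))
    return parsed


def decide(rules, destination, default="Allow"):
    """Return the action of the first rule whose CIDR contains destination.

    First-match ordering and the permissive default are assumptions
    stated in the lead-in, not something the release notes specify.
    """
    addr = ipaddress.ip_address(destination)
    for action, cidr in parse_rules(rules):
        if addr.version == cidr.version and addr in cidr:
            return action
    return default


def contradicted_rules(rules):
    """Find rules that can never take effect as written.

    Returns (rule_index, covering_index) pairs where the first earlier
    rule that fully covers the rule's CIDR has the opposite action,
    e.g. a narrow Deny placed after a broader Allow.
    """
    parsed = parse_rules(rules)
    findings = []
    for i, (action, cidr) in enumerate(parsed):
        for j in range(i):
            earlier_action, earlier = parsed[j]
            if cidr.version == earlier.version and cidr.subnet_of(earlier):
                if earlier_action != action:
                    findings.append((i, j))
                break  # only the first covering rule decides
    return findings


if __name__ == "__main__":
    for dest in ("10.1.2.7", "10.1.9.9", "10.1.2.200", "8.8.8.8"):
        print(dest, decide(SAMPLE_RULES, dest))
    print("contradicted:", contradicted_rules(SAMPLE_RULES))
```
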

Enable Kerberos authentication in the CLI

oc login now allows Kerberos authentication against a KDC as a supported authentication mode on Linux.

  • Add krb5-devel to build release image #9716
  • Load versioned gssapi libs #9820

Web console improvements

  • New primary and secondary navigation within a project
  • Dedicated monitoring page to follow logs and metrics for your builds/deployments/pods all at once. Includes a collapsible Events sidebar. Includes improved metrics charts for deployments with individual lines per pod (up to 5 pods).
  • New page that shows the details for an ImageStreamTag
  • Added environment variable editing to the existing Environment tabs.

New supported versions for popular languages

PostgreSQL 9.5, Ruby 2.3, Python 3.5, NodeJS 4, MariaDB 10.1, MongoDB 3.2

  • add new SCL version imagestreams #9610
  • add nodejs 4 imagestream and bump templates to use latest imagestreams #9823

Generate man pages for all CLI commands

Man pages that include the command help have been created for all CLI commands and added to the RPM packaging.

  • Fix manpage directory structure #9612
  • Fix manpage formatting for list items #9659
  • Remove deprecated man pages #9694

CentOS PaaS Special Interest Group

OpenShift is involved in the CentOS PaaS SIG and work is ongoing to enable a fast moving build stream in their CI infrastructure. See the QuickStart guide for some initial steps.

  • Add Dockerfiles.centos7 and job-id files for CentOS image building #9864

Other Features

  • bootstrap: oc cluster up now starts the release corresponding to your binary #10022
  • builds: Reduce the amount of output displayed by default in builds #9905
  • builds: allow git_ssl_no_verify env variable in build pods #9875
  • cli: Allow multiple include and exclude patterns in oc rsync #10146
  • cli: oc new-project --skip-config-write will not alter the user's config when creating a new project #10057
  • cli: Include information about container volume mounts in oc describe for all pod based objects #9891
  • cli: Display oc and kube server versions as part of oc version #9785
  • cli: Display more information about environment variables using the downward API in 'oc env --list' #9718
  • cli: Sort oc projects alphabetically #9675
  • cli: Improve oc projects output #9590
  • cli: Improve oc status output for all build types #9559
  • dockercompose: Support the env_file option when importing Docker compose files #9950
  • frameworks: Add mirror env var option support for many of the framework images #9754
  • images: Sort tags for image streams more consistently in the CLI #9606
  • network: Allow CNI network plugins to be used as the node network plugin #9747
  • newapp: Allow a template to be passed from STDIN via oc new-app --template=- #10149
  • newapp: Support namespaced lookups for templates with oc new-app --template=myns/mytemplate #10026
  • newapp: Allow multiline parameters to be defined on the CLI for templates #9942
  • oauth: Control how OAuth grants are performed at a per-client granularity #9616
  • server: Allow custom configuration to be passed to the scheduler for setting the default scheduler and failure domains #10064


  • authn: The node should use the new remote authentication endpoint #9808
  • authn: Add debug logging to ldap search bind errors #9706
  • authn: Don't fallback to cert when given invalid token #9617
  • bootstrap: Support shared volumes for oc cluster up on Mac and Windows #10199
  • bootstrap: Handle filesystem permissions correctly in oc cluster up #10137
  • bootstrap: Fix oc cluster up for new Docker for Mac beta by using port forwarding #9809
  • builds: Run all parallel builds when a serial build finishes #9969
  • builds: Handle new "already pushed" messages returned by Docker registries #9966
  • builds: When build configs are deleted, exit out earlier in controllers #9828
  • builds: Retry failed attempts to create builds on the server more cleanly #9770
  • builds: Better s2i and docker push image error messages #9705
  • cli: Allow oc get -w to correctly watch resources that have not been changed in a long time #10213
  • cli: oc debug should not return an error if one of the containers in a pod exits (while the others continue) #10175
  • cli: Ensure errors that occur during cleanup of oc debug are shown #10140
  • cli: Fix oc to not try to fetch OpenShift API objects when connecting to a Kubernetes server #10062
  • cli: On older servers tolerate missing API discovery information #10058
  • cli: Better errors on oc login when existing kubeconfig file is not writable #9968
  • cli: oc start-build should allow -F and -w for --follow and --wait #9963
  • cli: Start oc rsync daemon in the foreground to prevent zombie processes #9939
  • cli: oc annotate should allow use of --resource-version flag with single resource #9917
  • cli: Add --insecure-policy for oc create route edge #9890
  • cli: oc debug should not have 15s timeout #9867
  • cli: Enforce --tty=false flag for "oc debug" #9637
  • cli: Update generic oc get error messages to be more explicit when no input #9735
  • cli: Don't attempt to rewrite kubeconfig files the user doesn't have access to #9700
  • cli: Fix oc convert examples #9695
  • cli: Fix usage for oc set probe and oc debug #9693
  • cli: Reject build requests for binary builds if not providing binary inputs #9679
  • cli: Better warning for users when the buildconfig is of type binary #9678
  • cli: Ensure client can delete a buildconfig with no associated builds, eve… #9657
  • cli: Limit the number of events and deployments displayed in deployment config describer #9633
  • cli: Allow --show-events=false for build configs and deployment configs #9631
  • cli: Note that oc new-app --env flag doesn't apply to templates #9583
  • cli: Fix oc set env --overwrite=false with multiple resources #9552
  • dockercompose: Be more careful about relative paths in docker-compose import #9816
  • images: Use the new dockerImageLayers field of images to speed up pruning images #10012
  • ipfailover: Prevent panics if an invalid IP range is passed to the failover image #10204
  • metrics: Remove redundant labels in Prometheus metrics #10036
  • newapp: Prevent invalid arguments for build type in oc new-app #9805
  • newapp: Display a warning if Git not installed when creating applications or builds #10226
  • newapp: Give applications created from templates an app label based on their template name #10192
  • newapp: When Git is not available, oc new-app should treat directories as inputs for binary builds #10135
  • node: Network plugins could report the wrong podIP to clients #10141
  • node: Report an error if older versions of devicemapper are in use which could lead to data corruption #10227
  • quota: Quota was not counting services with multiple nodeports properly #10089
  • registry: Set reasonable default resource requests on the registry #9934
  • server: Tolerate failures when initializing default cluster roles and policies #10099
  • volumes: Ensure that persistent volumes with region and zone labels result in pods being properly scheduled for AWS / GCE #9822

Release SHA256 Checksums

497b48735ff0dfaa247ba9226c37624ca4d6fa48213a16eef9ce230ab10fc7c5  openshift-origin-client-tools-v1.3.0-alpha.3-7998ae4-linux-32bit.tar.gz
fd13badb78951dab9d468c81e16698ef7ac34218324d70e086110ead820e4be9  openshift-origin-client-tools-v1.3.0-alpha.3-7998ae4-linux-64bit.tar.gz
a0d23a48194f420265f0a426e438828baca2c657a2bdf55036ce74db5ce98e26  openshift-origin-server-v1.3.0-alpha.3-7998ae4-linux-64bit.tar.gz