Rancher Release - v2.2.9

Release v2.2.9

Important notes

  • This release comes with the latest Kubernetes versions (v1.13.12, v1.14.8 and v1.15.5) for Rancher launched Kubernetes clusters, to address CVE-2019-11253 and CVE-2019-16276. Rancher recommends upgrading all Kubernetes clusters to these Kubernetes versions.
  • If you launch a single node Rancher install with the LetsEncrypt option, you must upgrade to this Rancher version to be able to get and renew certificates from LetsEncrypt. LetsEncrypt is rolling out the deprecation of their v1 API endpoints and the deprecation will be permanent starting Nov 1.
  • Recent changes to cert-manager require an upgrade if you have an HA install of Rancher using self-signed certificates. If you are using a cert-manager version older than v0.9.1, please see the documentation on how to upgrade cert-manager.

As a result, the following versions are now latest and stable:

Type    Rancher Version  Docker Tag              Helm Repo             Helm Chart Version
Latest  v2.3.1           rancher/rancher:latest  server-charts/latest  v2.3.1
Stable  v2.2.9           rancher/rancher:stable  server-charts/stable  v2.2.9

Please review our version documentation for more details on versioning and tagging conventions.

Features and Enhancements

  • Added official support for Kubernetes 1.15 #23041
  • Upgraded the nginx ingress controller used by Rancher provisioned clusters to version 0.25.1, addressing several security vulnerabilities #22940
  • Added better protection against websocket buffering #22560
  • Added ap-east-1 and me-south-1 regions support for EKS clusters #23150

Major Bugs Fixed Since v2.2.8

  • Fixed an issue where standalone Rancher install with LetsEncrypt option was failing due to backend API deprecation #23391
  • Fixed an issue where Rancher agents could hang when something went wrong in the middle of the WebSocket session handshake #21555
  • Fixed an issue where provisioning Azure Disk with Azure node driver was failing #19749
  • Fixed an issue where worker nodes in Rancher provisioned cluster could get stuck in Unavailable state for a long time #23081
  • Fixed an issue where Pipeline execution was failing due to outdated Jenkins library use #22459
  • Fixed a UI issue where Azure and VMWare node templates were tagged to incorrect cloud credentials #18737
  • Fixed a UI issue where you couldn’t edit the cluster when using a private registry #21711
  • Fixed a UI issue where Multicluster app did not show correct template version on Edit app #23209
  • Fixed a UI issue where a catalog app was reusing an older image during the upgrade #23115
  • Upgraded the yaml library used by Rancher and RKE to v2.2.4, which contains the fix for CVE-2019-11253

Other notes

Certificate expiry on Rancher provisioned clusters

In Rancher 2.0 and 2.1, the auto-generated certificates for Rancher provisioned clusters expire after 1 year. This means that if you created a Rancher provisioned cluster about 1 year ago, you need to rotate the certificates; otherwise the cluster will go into a bad state when the certificates expire. In Rancher 2.2.x, the rotation can be performed from the Rancher UI; more details are here.

Additional Steps Required for Air Gap Installations and Upgrades

In v2.2.0, we’ve introduced a “system catalog” for managing micro-services that Rancher deploys for certain features such as Global DNS, Alerts, and Monitoring. These additional steps are documented as part of air gap installation instructions.

Known Major Issues

  • Cluster alerting and logging can get stuck in Updating state after upgrading Rancher. Workaround steps are provided in the issue [21480]
  • Certificate rotation for Rancher provisioned clusters will not work for clusters whose certificates expired on Rancher versions v2.0.13 and earlier on the 2.0.x release line, and 2.1.8 or earlier on the 2.1.x release line. The issue won’t exist if the certificates expired on later versions of Rancher. Workaround steps can be found in the comments to [20381]
  • Catalog app revisions are not visible to regular users; as a result, a regular user is not able to roll back the app [20204]
  • Global DNS entries are not properly updated when a node that was hosting an associated ingress becomes unavailable. A records to the unavailable hosts will remain on the ingress and in the DNS entry [#18932]
  • If you have a Rancher cluster using the OpenStack cloud provider with LoadBalancer set, and the cluster was provisioned on version 2.2.3 or less, the upgrade to Rancher version v2.2.4 and up will fail. Steps to mitigate can be found in the comment to [20699]



  • rancher/rancher:v2.2.9
  • rancher/rancher-agent:v2.2.9


System Charts Branch - For air gap installs

  • system charts branch - release-v2.2 - This is the branch used to populate the catalog items required for tools such as monitoring, logging, alerting and global DNS. To be able to use these features in an air gap install, you will need to mirror the system-charts repository to a location in your network that Rancher can reach and configure Rancher to use that repository.


Upgrades and Rollbacks

Rancher supports both upgrade and rollback starting with v2.0.2. Please note the version you would like to upgrade or roll back to in order to change the Rancher version.

Note: When rolling back, we expect you to roll back to the state at the time of your upgrade. Any changes made after the upgrade will not be reflected.