edited and finalized docs for cs-engine

Signed-off-by: Carol Fager-Higgins <carol.fager-higgins@docker.com>
Carol Fager-Higgins 2016-01-05 18:11:30 -08:00
parent b87361fc1a
commit 532d3a6911
4 changed files with 188 additions and 310 deletions


@ -1,7 +1,7 @@
+++
title = "Manually Install the CS Docker Engine"
description = "Install instructions for the commercially supported Docker Engine"
keywords = ["docker, documentation, about, technology, enterprise, hub, commercially supported Docker Engine, CS engine, registry"]
keywords = ["docker, documentation, about, technology, enterprise, hub, commercially supported Docker Engine, CS engine, registry, pin, patch, migrate"]
[menu.main]
parent="smn_dhe_install"
+++
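
Review bot: The `keywords` value is still a one-element array holding a single comma-joined string, so "pin, patch, migrate" are appended inside that string rather than added as separate keywords. If the site generator expects one keyword per element, split the list while this line is being touched.
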
@ -9,23 +9,20 @@ parent="smn_dhe_install"
# Manually Install the CS Docker Engine
This document describes the process of installing the Commercially Supported
Docker Engine (CS Engine). Installing the CS Engine is a prerequisite for
installing the Docker Trusted Registry. Use these instructions if you
are installing the CS Engine on physical or cloud infrastructures.
This document describes the process of installing the commercially supported
Docker engine (CS engine). Installing the CS engine is a prerequisite for
installing Docker Trusted Registry. Use these instructions if you
are installing the CS engine on physical or cloud infrastructures.
Note that you first install the CS Engine before you install Docker Trusted
Registry. If you are upgrading, you reverse that order and upgrade the Trusted
Registry first. To upgrade, see the [upgrade documentation](upgrade.md). You will need to install the latest version of the CS Engine to run with the latest
version of the Trusted Registry. You will also want to install the CS Engine on
You first install the CS engine before you install Docker Trusted Registry.
However, if you are upgrading, you reverse that order and upgrade the Trusted
Registry first. To upgrade, see the [upgrade documentation](upgrade.md). You will need to install the latest version of the CS engine to run with the latest
version of the Trusted Registry. You will also want to install the CS engine on
any clients, especially in your production environment.
If your cloud provider is AWS, you have the option of installing the CS Engine
If your cloud provider is AWS, you have the option of installing the CS engine
using an Amazon Machine Image (AMI). For more information, read the [installation overview](index.md) to understand your options.
## Prerequisites
You need a login to Docker Hub. If you have not already done so, go to Docker Hub and [sign up for an account](https://hub.docker.com). You do not need a license for the CS Engine, only for the Docker Trusted Registry.
## CentOS 7.1 & RHEL 7.0/7.1 (YUM-based systems)
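
Review bot: The rewritten paragraphs switch to "CS engine", but the unchanged Prerequisites line in this hunk still says "CS Engine" and the page title keeps "CS Docker Engine", so the page now mixes both spellings; pick one and apply it to the whole file. In the new second paragraph, "You first install the CS engine before you install" says the ordering twice; "Install the CS engine before you install Docker Trusted Registry" is enough.
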
@ -38,13 +35,13 @@ kernel.
2. Add Docker's public key for CS packages:
`$ sudo rpm --import "https://pgp.mit.edu/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e"`
`$ sudo rpm --import "https://sks-keyservers.net/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e"`
3. Install yum-utils if necessary:
`$ sudo yum install -y yum-utils`
4. Add the repository:
4. Add the repository. Notice in the following code that it gets the latest version of the CS engine. Each time you either install or upgrade, ensure that the you are requesting the version that you want.
```
$ sudo yum-config-manager --add-repo https://packages.docker.com/1.9/yum/repo/main/centos/7
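
Review bot: Step 2's new `rpm --import` line imports whatever key material the keyserver returns for that search, and no later step checks the imported key against the fingerprint given in the URL; add a step that lists the imported key and compares its fingerprint before the repository is added. In the new step 4 text, "ensure that the you are requesting" has a stray "the", and the sentence says the command gets the latest version while the URL is fixed to the `1.9` repository path, so say which part of the URL the reader should change.
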
@ -97,7 +94,7 @@ kernel.
2. Add Docker's public key for CS packages:
`$ curl -s 'https://pgp.mit.edu/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e' | sudo apt-key add --import`
`$ curl -s 'https://sks-keyservers.net/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e' | sudo apt-key add --import`
3. Install the HTTPS helper for apt (your system may already have it):
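
Review bot: In step 2, the new line keeps `sudo apt-key add --import`, which is not the documented form of the command: `apt-key add` takes a file name, or `-` to read the key from standard input. Since the line is being rewritten anyway, end the pipe with `sudo apt-key add -`.
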
@ -113,7 +110,8 @@ kernel.
`$ echo "deb https://packages.docker.com/1.9/apt/repo ubuntu-trusty main" | sudo tee /etc/apt/sources.list.d/docker.list`
**Note**: modify the "ubuntu-trusty" string for your flavor of ubuntu or debian.
You must modify the "ubuntu-trusty" string for your flavor of ubuntu or debian as seen in the following options.
* debian-jessie (Debian 8)
* debian-stretch (future release)
* debian-wheezy (Debian 7)
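
Review bot: The replacement sentence says "You must modify the "ubuntu-trusty" string", but the sample command above it already uses `ubuntu-trusty`, so readers on that release must not change anything; "Replace `ubuntu-trusty` with the string for your distribution, if it differs" avoids that. "ubuntu" and "debian" should also be capitalized as Ubuntu and Debian in the prose.
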
@ -127,7 +125,7 @@ kernel.
`$ sudo apt-get update && sudo apt-get install docker-engine`
7. Confirm the Docker daemon is running with `sudo service docker start`.
7. Confirm the Docker daemon is running:
$ sudo service docker start
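
Review bot: Step 7 now reads "Confirm the Docker daemon is running:" but the command under it is `sudo service docker start`, which starts the daemon rather than confirming anything. Either retitle the step "Start the Docker daemon" or follow it with `sudo service docker status` so the reader has something to check.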


@ -1,7 +1,7 @@
+++
title = "Upgrade Trusted Registry and the CS Engine"
description = "Upgrade Trusted Registry and the CS Engine"
keywords = ["docker, documentation, about, technology, hub, upgrade, enterprise"]
keywords = ["docker, documentation, about, technology, hub, upgrade, enterprise, pin, patch, migrate"]
[menu.main]
parent="smn_dhe_install"
+++
@ -12,25 +12,18 @@ parent="smn_dhe_install"
This document describes the process and steps necessary to upgrade Docker
Trusted Registry and the commercially supported engine (CS engine). When you
first install, the general order is to install the CS engine, then install the
Trusted Registry. However, when you upgrade, you reverse that order.
**Note**: Ensure when upgrading the Trusted Registry, that you also upgrade to the latest CS Engine.
Trusted Registry. However, when you upgrade, you reverse that order. Ensure when upgrading the Trusted Registry, that you also upgrade to the latest CS Engine.
The CS engine has two procedures for upgrading, from versions 1.6.x to 1.9.0
and from version 1.9.0 to 1.9.x which are described in this document.
The following are overall steps, which are explained in detail in this document:
* Upgrade to latest version of Docker Trusted Registry.
* Get the latest version of the CS engine.
* Turn off the Trusted Registry and restart it again with the latest CS engine.
* Make any changes in your configuration.
* Verify you have completed the upgrade process with no errors.
## Upgrade Docker Trusted Registry
Periodic upgrades to the Trusted Registry triggers a notification to appear in your Admin dashboard if you have enabled Upgrade checking in the
General > Settings section of the user interface (UI).
Periodic upgrades to the Trusted Registry trigger a notification to appear in
your Admin dashboard if you have enabled Upgrade checking. This is located in
the General > Settings section of the Trusted Registry Admin dashboard. To
perform this upgrade, you should schedule it during your downtime and allow
about 15 minutes.
To upgrade, perform the following steps:
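
Review bot: The note folded into the first paragraph still says "the latest CS Engine" while the sentences around it use "CS engine", and "Ensure when upgrading the Trusted Registry, that you also upgrade" reads awkwardly; suggest "When you upgrade the Trusted Registry, also upgrade to the latest CS engine." In the new Upgrade paragraph, "This is located in the General > Settings section" has no clear antecedent; name the Upgrade checking setting explicitly.
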
@ -48,16 +41,12 @@ Available and an enabled button displays Update to version X.X.X.
The Dashboard displays a message that the upgrade successfully completed and that you need to upgrade to the latest CS Engine.
### What is updated?
### What is updated in the Trusted Registry?
* The Trusted Registry pulls new container images from Docker Hub.
* It then deploys those containers.
* It stops and removes the old containers.
The upgrade process requires a small amount of downtime to complete.
The Trusted Registry pulls new container images from Docker Hub. Then it deploys those containers. Finally, it stops and removes the old containers.
> **Note**: If the CS engine is upgraded first, then
> the Trusted Registry can still be upgraded from the command line by running the following command. Ensure to put the correct version that you want.
> the Trusted Registry can still be upgraded from a command line by running the following command. Ensure to put the correct version that you want.
>
> `$ sudo bash -c "$(sudo docker run docker/trusted-registry:1.3.3 upgrade 1.4.0)"`
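
Review bot: The note's command hard-codes two versions, `docker/trusted-registry:1.3.3` and `upgrade 1.4.0`, and "Ensure to put the correct version that you want" does not say which of the two the reader should change or what each one means. State that the image tag is the currently installed version and the argument is the target version, if that is the intent, and reword to "Make sure you specify the versions that apply to you."
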
@ -66,7 +55,7 @@ The upgrade process requires a small amount of downtime to complete.
The following steps describe how to upgrade from prior versions to 1.9.0.
>**Note**: The installation mechanism for versions prior to 1.9.0 are incompatible with 1.9.0. You must uninstall your earlier version before upgrading to a current version.
The installation mechanism for versions prior to 1.9.0 are incompatible with 1.9.0. Therefore, you must uninstall your earlier version before upgrading to a current version.
First, stop the Trusted Registry prior to upgrading the CS engine.
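
Review bot: In the rewritten sentence, "The installation mechanism for versions prior to 1.9.0 are incompatible" has a singular subject with a plural verb; change "are" to "is". Dropping the note markup also removes the visual emphasis from the one step that requires an uninstall, so consider keeping it as a note.
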
@ -79,8 +68,7 @@ Next, following the instructions that are based on your operating system.
### CentOS 7.1 & RHEL 7.0/7.1 (YUM-based systems)
Perform the following commands in your terminal to remove your current CS
engine, and install the new version. When complete, restart the Trusted Registry
again.
engine, and install the new version.
1. Remove the current engine:
@ -88,7 +76,9 @@ again.
2. Add Docker's public key for CS packages:
`$ sudo rpm --import "https://pgp.mit.edu/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e"`
```
$ sudo rpm --import "https://sks-keyservers.net/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e"
```
3. Install yum-utils if necessary:
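
Review bot: Step 2's command moves from inline backticks to a fenced block here, while the same `rpm --import` command in the install page changed by this commit stays inline; use one presentation for both pages. Check also that the fence is indented under the list item so the numbering continues at step 3.
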
@ -111,7 +101,7 @@ again.
$ sudo systemctl start docker.service
```
7. Restart the Trusted Registry:
7. Restart the Trusted Registry.
```
$ sudo bash -c "$(sudo docker run docker/trusted-registry restart)"
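
Review bot: Step 7 now ends in a period ("Restart the Trusted Registry.") directly before its code block, while the other numbered steps in this procedure ("Remove the current engine:", "Add Docker's public key for CS packages:") introduce their commands with a colon; keep the colon for consistency.
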
@ -120,8 +110,7 @@ again.
### Ubuntu 14.04 LTS (APT-based systems)
Perform the following commands in your terminal to remove your current CS
engine, and install the new version. When complete, restart the Trusted Registry
again.
engine, and install the new version.
1. Remove the current engine:
@ -129,7 +118,9 @@ again.
2. Add Docker's public key for CS packages:
`$ curl -s 'https://pgp.mit.edu/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e' | sudo apt-key add --import`
```
$ curl -s 'https://sks-keyservers.net/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e' | sudo apt-key add --import
```
3. Install the HTTPS helper for apt (your system may already have it):
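
Review bot: In step 2, `curl -s` suppresses error output, so a failed or empty response from the keyserver is piped into `apt-key` with no message and the later install fails for a reason the reader cannot see. Use `curl -fsSL` so the download fails visibly, and add a step that compares the imported key's fingerprint with the one in the URL.
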
@ -145,7 +136,8 @@ again.
`$ echo "deb https://packages.docker.com/1.9/apt/repo ubuntu-trusty main" | sudo tee /etc/apt/sources.list.d/docker.list`
**Note**: modify the "ubuntu-trusty" string for your flavor of ubuntu or debian.
Modify the "ubuntu-trusty" string for your flavor of ubuntu or debian as seen in the following options.
* debian-jessie (Debian 8)
* debian-stretch (future release)
* debian-wheezy (Debian 7)
@ -167,7 +159,7 @@ again.
Upgrading minor versions of the CS engine, can solve potential issues or may
contain a needed feature. Docker has streamlined the upgrade path for upgrading
the CS engine. The steps are as follows:
the CS engine. Perform the following steps depending on your type of system.
### CentOS 7.1 & RHEL 7.0/7.1 (YUM-based systems)
1. Update your `docker-engine` package:


@ -106,22 +106,36 @@ Customers who are currently using DHE 1.0 **must** follow the [upgrading instruc
## Commercially Supported Docker Engine
This section of the archived release notes pertains to issues, fixes, and new features regarding the commercially supported Docker engine.
### CS Docker Engine 1.6.2-cs7
(12 October 2015)
As part of our ongoing security efforts, <a href="http://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7" target="_blank">a vulnerability was discovered</a> that affects the way content
is stored and retrieved within the Docker Engine and CS Docker Engine. Today we
are releasing a security update that fixes this issue in both Docker Engine 1.8.3 and CS Docker Engine 1.6.2-cs7. The <a href="https://github.com/docker/docker/blob/master/CHANGELOG.md#161-2015-10-12" target="_blank">change log for Docker Engine 1.8.3</a> has a complete list of all the changes incorporated into both the open source and commercially
supported releases.
We recommend that users upgrade to CS Docker Engine 1.6.2-cs7. If you are unable
to upgrade to CS Docker Engine 1.6.2-cs7 right away, remember to only pull
content from trusted sources.
To keep up to date on all the latest Docker Security news, make sure you check
out our [Security page](http://www.docker.com/docker-security), subscribe to our mailing list, or find us in #docker-security.
### CS Docker Engine 1.6.2-cs6
(23 July 2015)
* Certifies support for CentOS 7.1.
### CS Docker Engine 1.6.2-cs5
(21 May 2015)
For customers running Docker Engine on [supported versions of RedHat Enterprise
Linux](https://www.docker.com/enterprise/support/) with SELinux
enabled, the `docker build` and `docker run`
commands will not have DNS host name resolution and bind-mounted volumes may
not be accessible.
As a result, customers with SELinux will be unable to use hostname-based network
access in either `docker build` or `docker run`, nor will they be able to
`docker run` containers
that use `--volume` or `-v` bind-mounts (with an incorrect SELinux label) in
their environment. By installing Docker
Engine 1.6.2-cs5, customers can use Docker as intended on RHEL with SELinux enabled.
For customers running Docker Engine on [supported versions of RedHat Enterprise Linux](https://www.docker.com/enterprise/support/) with SELinux enabled, the `docker build` and `docker run` commands will not have DNS host name resolution and bind-mounted volumes may not be accessible. As a result, customers with
SELinux will be unable to use hostname-based network access in either `docker build` or `docker run`, nor will they be able to `docker run` containers that use `--volume` or `-v` bind-mounts (with an incorrect SELinux label) in their environment. By installing Docker Engine 1.6.2-cs5, customers can use Docker as intended on RHEL with SELinux enabled.
For example, you see will failures like:
For example, you see will failures such as:
```
[root@dtr ~]# docker -v
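
Review bot: In the new 1.6.2-cs7 entry, the link labelled "change log for Docker Engine 1.8.3" points at `CHANGELOG.md#161-2015-10-12`, an anchor that reads as a different version from the one named in the link text; confirm the anchor resolves to the 1.8.3 entry. The two links are raw `<a href ... target="_blank">` tags while the rest of the page uses Markdown links, and the re-flowed example lead-in still has the words transposed in "you see will failures such as:".
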
@ -172,18 +186,16 @@ safe thing yum can do is fail. There are a few ways to work "fix" this:
[output truncated]
```
**Affected Versions**: All previous versions of Docker Engine when SELinux is
enabled.
**Affected Versions**: All previous versions of Docker Engine when SELinux
is enabled.
Docker **highly recommends** that all customers running previous versions of
Docker Engine update to this release.
Docker **highly recommends** that all customers running previous versions of Docker Engine update to this release.
#### **How to workaround this issue**
Customers who choose not to install this update have two options. The
first option is to disable SELinux. This is *not recommended* for production
systems where SELinux is typically required.
Customers who choose not to install this update have two options. The first
option is to disable SELinux. This is *not recommended* for production systems
where SELinux is typically required.
The second option is to pass the following parameter in to `docker run`.
@ -193,17 +205,17 @@ This parameter cannot be passed to the `docker build` command.
#### **Upgrade notes**
When upgrading, make sure you stop Docker Trusted Registry first, perform the Engine upgrade, and
then restart Docker Trusted Registry.
When upgrading, make sure you stop Docker Trusted Registry first, perform the Engine upgrade, and then restart Docker Trusted Registry.
If you are running with SELinux enabled, previous Docker Engine releases allowed
you to bind-mount additional volumes or files inside the container as follows:
$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro <imagename>
`$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro <imagename>`
In the 1.6.2-cs5 release, you must ensure additional bind-mounts have the correct
SELinux context. For example, if you want to mount `foobar.txt` as read-only
into the container, do the following to create and test your bind-mount:
In the 1.6.2-cs5 release, you must ensure additional bind-mounts have the
correct SELinux context. For example, if you want to mount `foobar.txt` as
read-only into the container, do the following to create and test your
bind-mount:
1. Add the `z` option to the bind mount when you specify `docker run`.
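
Review bot: The `docker run -it -v /home/user/foo.txt:/foobar.txt:ro <imagename>` example is changed from a block to inline backticks here, which is the opposite direction from the upgrade page in this same commit, where commands move from inline backticks to fenced blocks. Settle on one convention for standalone commands; a block is easier to copy.
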
@ -222,8 +234,8 @@ into the container, do the following to create and test your bind-mount:
the contents of foobar appear
If you see the file's contents, your mount succeeded. If you receive a
`Permission denied` message and/or the `/var/log/audit/audit.log` file on
your Docker host contains an AVC Denial message, the mount did not succeed.
`Permission denied` message and/or the `/var/log/audit/audit.log` file on your
Docker host contains an AVC Denial message, the mount did not succeed.
type=AVC msg=audit(1432145409.197:7570): avc: denied { read } for pid=21167 comm="cat" name="foobar.txt" dev="xvda2" ino=17704136 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
@ -247,7 +259,7 @@ may only be exploited by a malicious Dockerfile or image. Users are advised to
run their own images and/or images built by trusted parties, such as those in
the official images library.
Please send any questions to security@docker.com.
Send any questions to security@docker.com.
#### **[CVE-2015-3629](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3629) Symlink traversal on container respawn allows local privilege escalation**
@ -322,5 +334,5 @@ Because this addition is preventative, no CVE-ID is requested.
### CS Docker Engine 1.6.0-cs2
(23 Apr 2015)
- First release, please see the [Docker Engine 1.6.0 Release notes](http://docs.docker.com/v1.6/release-notes/)
First release, see the [Docker Engine 1.6.0 Release notes](http://docs.docker.com/v1.6/release-notes/)
for more details.


@ -16,20 +16,20 @@ This document describes the latest changes, additions, known issues, and fixes f
These notes refer to the current and immediately prior releases of Docker
Trusted Registry and the commercially supported Docker Engine. For notes on
older versions of these, see the [prior release notes archive](prior-release-notes.md).
older versions, see the [prior release notes archive](prior-release-notes.md).
# Docker Trusted Registry 1.4.2
(21 December 2015)
Release notes for the Trusted Registry contain the following sections:
* New feature
* Additional storage backend
* Fixed or updated with this release
### New feature
## Additional storage backend
This release introduces using Openstack Swift as a storage backend. Refer to the [configuration documentation](configuration.md) for details on the Swift driver.
### Fixed or updated with this release
## Fixed or updated with this release
This release addresses the following issues in Docker Trusted Registry 1.4.1.
* Updated the registry from version 2.2.0 to 2.2.1 to ensure that the backend storage Swift driver works correctly.
@ -57,7 +57,7 @@ interface.
# Docker Trusted Registry 1.4.1
(24 November 2015)
### Fixed with this release
## Fixed with this release
This release addresses the following issues in Docker Trusted Registry 1.4.0.
* Trusted Registry administrators previously could not pull unlisted repositories in any authorization mode.
@ -75,7 +75,7 @@ Settings > Auth to perform the sync.
```
## Docker Trusted Registry 1.4
# Docker Trusted Registry 1.4
(12 November 2015)
Release notes for the Trusted Registry contain the following sections:
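
Review bot: Promoting "Docker Trusted Registry 1.4" to a level-one heading leaves "## Commercially Supported Docker Engine", further down in this file, at level two, so it now renders as a subsection of the Trusted Registry 1.4 notes. Promote that heading to `#` as well so the two products sit at the same level.
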
@ -110,7 +110,7 @@ documentation.
* There are new APIs for accessing repositories, account management, indexing, searching, and reindexing.
* You can also view an API and using the Swagger UI, click the "Try it out button to perform the action. This might be useful, for example, if you need to reindex.
* You can also view an API and using the Swagger UI, click the Try it out button to perform the action. This might be useful, for example, if you need to reindex.
* Different repository behavior. A repository must first exist before you can push an image to it. This means you must explicitly create (or have it performed for you if you don't have the correct permissions) a repository. This behavior is different than how you would perform this in a free and open-source software registry.
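
Review bot: In the Swagger bullet, removing the stray quotation mark leaves the button label unmarked, and "You can also view an API and using the Swagger UI, click" still does not parse. Suggest "You can also view an API in the Swagger UI and click **Try it out** to perform the action."
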
@ -127,7 +127,7 @@ This release corrects the following issues in Docker Trusted Registry 1.3.3.
Registry to allow for more fine grained access control. Team member lists can be
synced with a group in LDAP.
* An "Admin Password" is required. Use this password to log in as the
* The system requires an "Admin Password". Use this password to log in as the
user admin in case the Trusted Registry is unable to authenticate you using
your LDAP server. This account can be used to log in to the Trusted Registry and manage identity and authentication settings.
@ -180,7 +180,6 @@ the following steps:
for tag in `sudo docker images | grep my.dtr.host/devops_nginx | awk '{print $2}'`
do sudo docker tag my.dtr.host/devops_nginx:$tag my.dtr.host/devops/nginx:$tag
done
```
5. Push the newly tagged version back to the Trusted Registry as seen in the following example:
@ -188,15 +187,39 @@ the following steps:
## Commercially Supported Docker Engine
Commercially Supported (CS) Docker Engine is a packaged release that identifies
a release of Docker Engine for which you can receive support from Docker or one
of its partners. This release is functionally equivalent to the corresponding
Docker Engine release that it references. However, a commercially supported
release also includes back-ported fixes (security-related and priority defects)
from the open source. It incorporates defect fixes that you can use in
The commercially Supported (CS) Docker Engine is a packaged release that
identifies a release of Docker Engine for which you can receive support from
Docker or one of its partners. This release is functionally equivalent to the
corresponding Docker Engine release that it references. However, a commercially
supported release also includes back-ported fixes (security-related and priority
defects) from the open source. It incorporates defect fixes that you can use in
environments where new features cannot be adopted as quickly for consistency and
compatibility reasons.
### Commercially Supported Docker Engine 1.9.1-cs3
(6 January 2016)
This release addresses the following issues:
* The commercially supported engine 1.9.1-cs3 now supports multi-host networking
for all the kernels that the base CS engine is supported on.
>**Note**: Centos 7 has its firewall enabled by default and it prevents the VXLAN tunnel from communicating. If this applies to you, then after installing the CS engine, execute the following command in the Linux host:
`sudo firewall-cmd --zone=public --permanent --add-port=4789/udp`
* Corrected an issue where Docker didn't remove the Masquerade NAT rule from `iptables` when the network was removed. This caused the gateway address to be
incorrectly propagated as the source address of a connection.
* Fixed an issue where if the daemon started multiple containers concurrently, then the `/etc/hosts` files were incompletely populated. This issue occurred randomly.
* Corrected an issue where the same IP address for different Docker containers resulted in network connection inconsistencies. Now each container has a separate IP address.
* Corrected an issue where the IPv6 gateway was not created when using custom networks although the network had a configured gateway.
* Fixed an issue where users might have experienced a panic error if the daemon was started with the `—cluster-store` option, but without the `—cluster-advertise` option.
### Commercially Supported Docker Engine 1.9.1-cs2
(4 December 2015)
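
Review bot: In the last bullet of the new 1.9.1-cs3 entry, the `cluster-store` and `cluster-advertise` options are written with a single long dash instead of two hyphens, so anyone copying them gets an invalid flag; type them as `--cluster-store` and `--cluster-advertise`. In the firewall note, `--permanent` only writes the saved configuration, so add `sudo firewall-cmd --reload` for the rule to take effect on the running firewall, and put the command in a block so it is not read as part of the note text. "Centos" should be "CentOS", and the new opening sentence has "The commercially Supported (CS) Docker Engine" with mixed capitalization.
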
@ -234,151 +257,4 @@ source with three releases under support at one time. This means youll be abl
to take advantage of the latest and greatest features and you wont have to wait
for a supported release to take advantage of a specific feature.
Refer to the detailed list of all changes since the release of CS Engine 1.6.
https://github.com/docker/docker/releases.
### CS Docker Engine 1.6.2-cs7
(12 October 2015)
As part of our ongoing security efforts, <a href="http://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7" target="_blank">a vulnerability was discovered</a> that
affects the way content is stored and retrieved within the Docker Engine and CS
Docker Engine. Today we are releasing a security update that fixes this
issue in both Docker Engine 1.8.3 and CS Docker Engine 1.6.2-cs7. The <a
href="https://github.com/docker/docker/blob/master/CHANGELOG.md#161-2015-10-12"
target="_blank">change log for Docker Engine 1.8.3</a> has a complete list of
all the changes incorporated into both the open source and commercially
supported releases.
We recommend that users upgrade to CS Docker Engine 1.6.2-cs7.
If you are unable to upgrade to CS Docker Engine 1.6.2-cs7 right away, remember to only pull content from trusted sources.
To keep up to date on all the latest Docker Security news, make sure you check
out our [Security page](http://www.docker.com/docker-security), subscribe to our
mailing list, or find us in #docker-security.
### CS Docker Engine 1.6.2-cs6
(23 July 2015)
* Certifies support for CentOS 7.1.
### CS Docker Engine 1.6.2-cs5
(21 May 2015)
For customers running Docker Engine on [supported versions of RedHat Enterprise
Linux](https://www.docker.com/enterprise/support/) with SELinux
enabled, the `docker build` and `docker run`
commands will not have DNS host name resolution and bind-mounted volumes may
not be accessible.
As a result, customers with SELinux will be unable to use hostname-based network
access in either `docker build` or `docker run`, nor will they be able to
`docker run` containers
that use `--volume` or `-v` bind-mounts (with an incorrect SELinux label) in
their environment. By installing Docker Engine 1.6.2-cs5, customers can use
Docker as intended on RHEL with SELinux enabled.
For example, you see will failures such as:
```
[root@dtr ~]# docker -v
Docker version 1.6.0-cs2, build b8dd430
[root@dtr ~]# ping dtr.home.org.au
PING dtr.home.org.au (10.10.10.104) 56(84) bytes of data.
64 bytes from dtr.home.gateway (10.10.10.104): icmp_seq=1 ttl=64 time=0.663 ms
^C
--- dtr.home.org.au ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.078/0.370/0.663/0.293 ms
[root@dtr ~]# docker run --rm -it debian ping dtr.home.org.au
ping: unknown host
[root@dtr ~]# docker run --rm -it debian cat /etc/resolv.conf
cat: /etc/resolv.conf: Permission denied
[root@dtr ~]# docker run --rm -it debian apt-get update
Err http://httpredir.debian.org jessie InRelease
Err http://security.debian.org jessie/updates InRelease
Err http://httpredir.debian.org jessie-updates InRelease
Err http://security.debian.org jessie/updates Release.gpg
Could not resolve 'security.debian.org'
Err http://httpredir.debian.org jessie Release.gpg
Could not resolve 'httpredir.debian.org'
Err http://httpredir.debian.org jessie-updates Release.gpg
Could not resolve 'httpredir.debian.org'
[output truncated]
```
or when running a `docker build`:
```
[root@dtr ~]# docker build .
Sending build context to Docker daemon 11.26 kB
Sending build context to Docker daemon
Step 0 : FROM fedora
---> e26efd418c48
Step 1 : RUN yum install httpd
---> Running in cf274900ea35
One of the configured repositories failed (Fedora 21 - x86_64),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:
[output truncated]
```
**Affected Versions**: All previous versions of Docker Engine when SELinux
is enabled.
Docker **highly recommends** that all customers running previous versions of
Docker Engine update to this release.
#### **How to workaround this issue**
Customers who choose not to install this update have two options. The
first option is to disable SELinux. This is *not recommended* for production
systems where SELinux is typically required.
The second option is to pass the following parameter in to `docker run`.
--security-opt=label:type:docker_t
This parameter cannot be passed to the `docker build` command.
#### **Upgrade notes**
When upgrading, make sure you stop Docker Trusted Registry first, perform the Engine upgrade, and
then restart Docker Trusted Registry.
If you are running with SELinux enabled, previous Docker Engine releases allowed
you to bind-mount additional volumes or files inside the container as follows:
$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro <imagename>
In the 1.6.2-cs5 release, you must ensure additional bind-mounts have the correct
SELinux context. For example, if you want to mount `foobar.txt` as read-only
into the container, do the following to create and test your bind-mount:
1. Add the `z` option to the bind mount when you specify `docker run`.
$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro,z <imagename>
2. Exec into your new container.
For example, if your container is `bashful_curie`, open a shell on the
container:
$ docker exec -it bashful_curie bash
3. Use `cat` to check the permissions on the mounted file.
$ cat /foobar.txt
the contents of foobar appear
If you see the file's contents, your mount succeeded. If you receive a
`Permission denied` message and/or the `/var/log/audit/audit.log` file on
your Docker host contains an AVC Denial message, the mount did not succeed.
type=AVC msg=audit(1432145409.197:7570): avc: denied { read } for pid=21167 comm="cat" name="foobar.txt" dev="xvda2" ino=17704136 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
Recheck your command line to make sure you passed in the `z` option.
Refer to the [detailed list](https://github.com/docker/docker/releases) of all changes since the release of CS Engine 1.6.
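
Review bot: The context kept at the top of this hunk still reads "you wont have to wait" without the apostrophe, and the hunk header shows "youll" from the same paragraph; since this commit is an editing pass over the page, fix both. The removed 1.6.2 entries carry the security notice and the SELinux workaround, so confirm that the "prior release notes archive" link at the top of this page is enough for readers still on 1.6.x to find them.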