From 16a8bb6d87e31a14c759003df5b16b3fa7418bfa Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Thu, 6 Jun 2019 10:48:38 -0400 Subject: [PATCH 01/19] Raw content addition --- engine/release-notes.md | 198 ++++++++++++++++++++++++++++++++++------ 1 file changed, 171 insertions(+), 27 deletions(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index a494943744..cfc37e1cab 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md 
@@ -16,6 +16,163 @@ Docker EE is a superset of all the features in Docker CE. It incorporates defect that you can use in environments where new features cannot be adopted as quickly for consistency and compatibility reasons. +----DELETE BEFORE MERGING +From Andrew: +Per https://github.com/docker/docker-ce/blob/v19.03.0-rc2/CHANGELOG.md as of 6/6: +New stuff since 18.09 codeline +List is 97% complete, the features and bug fixes are 100% complete) +For questions - ask #engine-team +EE will be a superset with < 10 items added. +END OF DELETE BEFORE MERGING-------- + +## 19.03.0 +(2019-06-17) + +### Builder +* Fixed `COPY --from` to preserve ownership. [moby/moby#38599](https://github.com/moby/moby/pull/38599) +* builder-next: + - Updated buildkit to v0.5.0. [docker/engine#215](https://github.com/docker/engine/pull/215) + * This brings in inline cache support. `--cache-from` can now point to an existing image + if it was built with `--build-arg BUILDKIT_INLINE_CACHE=true` and contains the cache + metadata in the image config. + - Outputs configuration allowed. [moby/moby#38898](https://github.com/moby/moby/pull/38898) + - Fixed gcr workaround token cache. [docker/engine#212](https://github.com/docker/engine/pull/212) + - `stopprogress` called on download error. [docker/engine#215](https://github.com/docker/engine/pull/215) + - Buildkit now also uses systemd's `resolv.conf`. [docker/engine#260(https://github.com/docker/engine/pull/260). +* TODO: changes needed from BuildKit + +### Client +* Updated buildkit. [docker/cli#1804](https://github.com/docker/cli/pull/1804) +* Bumped google.golang.org/grpc to v1.20.1. [docker/cli#1884](https://github.com/docker/cli/pull/1884) +* CLI changed to pass driver specific options to `docker run`. [docker/cli#1767](https://github.com/docker/cli/pull/1767) +* Build: setting buildkit outputs now allowed. [docker/cli#1766](https://github.com/docker/cli/pull/1766) +* Added `--pids-limit` flag to `docker update`. 
[docker/cli#1765](https://github.com/docker/cli/pull/1765) +* Added systctl support for services. [docker/cli#1754](https://github.com/docker/cli/pull/1754) +* Added support for `template_driver` in composefiles. [docker/cli#1746](https://github.com/docker/cli/pull/1746) +* Bumped Golang 1.12.5. [docker/cli#1875](https://github.com/docker/cli/pull/1875) +* Fixed problem with labels copying value from environment variables. +[docker/cli#1671](https://github.com/docker/cli/pull/1671) +* `docker system info` output now segregates information relevant to the client and daemon. +[docker/cli#1638](https://github.com/docker/cli/pull/1638) +* (Experimental) When targeting Kubernetes, added support for `x-pull-secret: some-pull-secret` in +compose-files service configs. [docker/cli#1617](https://github.com/docker/cli/pull/1617) +* (Experimental) When targeting Kubernetes, added support for `x-pull-policy: ` +in compose-files service configs. [docker/cli#1617](https://github.com/docker/cli/pull/1617) +* Added support for maximum replicas per node without stack. [docker/cli#1612](https://github.com/docker/cli/pull/1612) +* Added `--device` support for Windows. [docker/cli#1606](https://github.com/docker/cli/pull/1606) +* Added basic framework for writing and running CLI plugins. [docker/cli#1564](https://github.com/docker/cli/pull/1564) +* Fixed tty initial size error. [docker/cli#1529](https://github.com/docker/cli/pull/1529) +* cp, save, export: Now preventing overwriting irregular files. [docker/cli#1515](https://github.com/docker/cli/pull/1515) +* Data Path Port configuration supported. [docker/cli#1509](https://github.com/docker/cli/pull/1509) +* Added fast context switch: commands. [docker/cli#1501](https://github.com/docker/cli/pull/1501) +* Support added for `--mount type=bind,bind-nonrecursive,...` [docker/cli#1430](https://github.com/docker/cli/pull/1430) +* Deprecated legacy overlay storage driver. 
[docker/cli#1425](https://github.com/docker/cli/pull/1425) +* Deprecated "devicemapper" storage driver. [docker/cli#1424](https://github.com/docker/cli/pull/1424) +* Build: add SSH agent socket forwarder (`docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK`) +[docker/cli#1419](https://github.com/docker/cli/pull/1419) +* Added maximum replicas per node support to stack version 3.8. [docker/cli#1410](https://github.com/docker/cli/pull/1410) +* npipe volume type on stack file now allowed. [docker/cli#1195](https://github.com/docker/cli/pull/1195) +* Added option to pull images quietly. [docker/cli#882](https://github.com/docker/cli/pull/882) +* Added a separate `--domainname` flag. [docker/cli#1130](https://github.com/docker/cli/pull/1130) +* Added `--from` flag to `context create`. [docker/cli#1773](https://github.com/docker/cli/pull/1773) +* Added support for secret drivers in `docker stack deploy`. [docker/cli#1783](https://github.com/docker/cli/pull/1783) +* Added ability to use swarm `Configs` as `CredentialSpecs` on services. [docker/cli#1781](https://github.com/docker/cli/pull/1781) +* Added `--security-opt systempaths=unconfined` support. [docker/cli#1808](https://github.com/docker/cli/pull/1808) +* Cli-plugins: add concept of experimental plugin, only enabled in experimental mode. +[docker/cli#1898](https://github.com/docker/cli/pull/1898) +* Bumped Docker App to v0.8.0-beta1. [docker/docker-ce-packaging#324](https://github.com/docker/docker-ce-packaging/pull/324) + +### API +* Updated API version to v1.40. [moby/moby#38089](https://github.com/moby/moby/pull/38089) +* Added warnings to `/info` endpoint, and moved detection to the daemon. +[moby/moby#37502](https://github.com/moby/moby/pull/37502) +* Added HEAD support for `/_ping` endpoint. [moby/moby#38570](https://github.com/moby/moby/pull/38570) +* Added `Cache-Control` headers to disable caching `/_ping` endpoint. 
+[moby/moby#38569](https://github.com/moby/moby/pull/38569) +* Added `containerd`, `runc`, and `docker-init` versions to `/version`. +[moby/moby#37974](https://github.com/moby/moby/pull/37974) +* Added undocumented `/grpc` endpoint and registered BuildKit's controller. +[moby/moby#38990](https://github.com/moby/moby/pull/38990) + +### Experimental +* Enabled checkpoint/restore of containers with TTY. [moby/moby#38405](https://github.com/moby/moby/pull/38405) +* LCOW: Added support for memory and CPU limits. [moby/moby#37296](https://github.com/moby/moby/pull/37296) +* Windows: Experimental: Added ContainerD runtime. [moby/moby#38541](https://github.com/moby/moby/pull/38541) +* Windows: Experimental: LCOW now requires Windows RS5+. [moby/moby#39108](https://github.com/moby/moby/pull/39108) + +### Security +* mount: added BindOptions.NonRecursive (API v1.40). [moby/moby#38003](https://github.com/moby/moby/pull/38003) +* seccomp: whitelisted `io_pgetevents()`. [moby/moby#38895](https://github.com/moby/moby/pull/38895) +* seccomp: `ptrace(2)` for 4.8+ kernels now allowed. [moby/moby#38137](https://github.com/moby/moby/pull/38137) + +### Networking +* Added support for 'dangling' filter. [moby/moby#31551](https://github.com/moby/moby/pull/31551) +* Moved IPVLAN driver out of experimental. +[moby/moby#38983](https://github.com/moby/moby/pull/38983) / +[docker/libnetwork#2230](https://github.com/docker/libnetwork/pull/2230) +* Load balancer sandbox is now deleted when a service is updated with `--network-rm`. +[docker/engine#213](https://github.com/docker/engine/pull/213) +* Windows: Now forcing a nil IP specified in `PortBindings` to IPv4zero (0.0.0.0). +[docker/libnetwork#2376](https://github.com/docker/libnetwork/pull/2376) + +### Runtime +* Running `dockerd` as a non-root user (Rootless mode) is now allowed. +[moby/moby#380050](https://github.com/moby/moby/pull/38050) +* Rootless: optional support provided for `lxc-user-nic` SUID binary. 
+[docker/engine#208](https://github.com/docker/engine/pull/208) +* Added DeviceRequests to HostConfig to support NVIDIA GPUs. [moby/moby#38828](https://github.com/moby/moby/pull/38828) +* Windows credential specs can now be passed directly to the engine. +[moby/moby#38777](https://github.com/moby/moby/pull/38777) +* Added pids-limit support in docker update. [moby/moby#32519](https://github.com/moby/moby/pull/32519) +* Added support for exact list of capabilities. [moby/moby#38380](https://github.com/moby/moby/pull/38380) +* daemon: Now use 'private' ipc mode by default. [moby/moby#35621](https://github.com/moby/moby/pull/35621) +* daemon: switched to semaphore-gated WaitGroup for startup tasks. moby/moby#38301](https://github.com/moby/moby/pull/38301) +* Added --device support for Windows. [moby/moby#37638](https://github.com/moby/moby/pull/37638) +* Added `memory.kernelTCP` support for linux. [moby/moby#37043](https://github.com/moby/moby/pull/37043) +* Now use `idtools.LookupGroup` instead of parsing `/etc/group` file for docker.sock ownership to +fix: `api.go doesn't respect nsswitch.conf`. [moby/moby#38126](https://github.com/moby/moby/pull/38126) +* Fixed `docker --init` with /dev bind mount. [moby/moby#37665](https://github.com/moby/moby/pull/37665) +* cli: fixed images filter when using multi reference filter. [moby/moby#38171](https://github.com/moby/moby/pull/38171) +* Bumped Golang to 1.12.5. [docker/engine#209](https://github.com/docker/engine/pull/209) +* Bumped `containerd` to 1.2.6. [moby/moby#39016](https://github.com/moby/moby/pull/39016) +* Bumped `runc` to 1.0.0-rc8, opencontainers/selinux v1.2.2. [docker/engine#210](https://github.com/docker/engine/pull/210) +* Bumped `google.golang.org/grpc` to v1.20.1. [docker/engine#215](https://github.com/docker/engine/pull/215) +* The right device number is now fetched when greater than 255 and using the `--device-read-bps` option. 
+[moby/moby#39212](https://github.com/moby/moby/pull/39212) +* Fixed `Path does not exist` error when path definitely exists. [moby/moby#39251](https://github.com/moby/moby/pull/39251) +* Performance optimized in aufs and layer store for massively parallel container creation/removal. [moby/moby#39135](https://github.com/moby/moby/pull/39135) [moby/moby#39209](https://github.com/moby/moby/pull/39209) +* Root is now passed to chroot for chroot Tar/Untar (CVE-2018-15664) +[moby/moby#39292](https://github.com/moby/moby/pull/39292) + +### Swarm +* Added support for maximum replicas per node. [moby/moby#37940](https://github.com/moby/moby/pull/37940) +* Added support for GMSA CredentialSpecs from Swarmkit configs. [moby/moby#38632](https://github.com/moby/moby/pull/38632) +* Added support for sysctl options in services. [moby/moby#37701](https://github.com/moby/moby/pull/37701) +* Added support for filtering on node labels. [moby/moby#37650](https://github.com/moby/moby/pull/37650) +* Windows: Support added for named pipe mounts in docker service create + stack yml. +[moby/moby#37400](https://github.com/moby/moby/pull/37400) +* VXLAN UDP Port configuration now supported. [moby/moby#38102](https://github.com/moby/moby/pull/38102) +* Now using Service Placement Constraints in Enforcer. [docker/swarmkit#2857](https://github.com/docker/swarmkit/pull/2857) +* Increased max recv gRPC message size for nodes and secrets. +[docker/engine#256](https://github.com/docker/engine/pull/256) + +### Logging +* Enabled gcplogs driver on Windows. [moby/moby#37717](https://github.com/moby/moby/pull/37717) +* Added zero padding for RFC5424 syslog format. [moby/moby#38335](https://github.com/moby/moby/pull/38335) +* Added `IMAGE_NAME` attribute to `journald` log events. [moby/moby#38032](https://github.com/moby/moby/pull/38032) + +### Deprecation +* Removed v1 manifest support, and removed `--disable-legacy-registry`. 
+[moby/moby#37874](https://github.com/moby/moby/pull/37874) +* Removed v1.10 migrator. [moby/moby#38265](https://github.com/moby/moby/pull/38265) +* Now skipping deprecated storage-drivers in auto-selection. [moby/moby#38019](https://github.com/moby/moby/pull/38019) +* Deprecated AuFS storage driver, and added warning. [moby/moby#38090](https://github.com/moby/moby/pull/38090) + +### Known issues + +## 18.09.6 +2019-05-06 + > **Note**: > New in 18.09 is an aligned release model for Docker Engine - Community and Docker > Engine - Enterprise. The new versioning scheme is YY.MM.x where x is an incrementing @@ -29,10 +186,6 @@ consistency and compatibility reasons. > `sudo apt install docker-ce docker-ce-cli containerd.io`. See the install instructions > for the corresponding linux distro for details. -## 18.09.6 - -2019-05-06 - ### Builder * Fixed `COPY` and `ADD` with multiple `` to not invalidate cache if `DOCKER_BUILDKIT=1`.[moby/moby#38964](https://github.com/moby/moby/issues/38964) 
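Review bot: three link targets in the 19.03.0 hunk are malformed and will render as literal text rather than links: `[docker/engine#260(https://github.com/docker/engine/pull/260)` is missing the closing `]`, `moby/moby#38301](https://github.com/moby/moby/pull/38301)` is missing the opening `[`, and `[moby/moby#380050](https://github.com/moby/moby/pull/38050)` has a label that does not match the PR number in its URL. In the Client list, `systctl` in "Added systctl support for services" should read `sysctl`. The `----DELETE BEFORE MERGING` block, the `* TODO: changes needed from BuildKit` item and the empty `### Known issues` heading are unfinished editorial state and must be completed or removed before this lands. The CVE-2018-15664 fix (`Root is now passed to chroot for chroot Tar/Untar`) is listed under Runtime even though the same hunk introduces a Security section; a reader scanning for security fixes will miss it, so list it or cross-reference it under Security, and give the `seccomp: ptrace(2) for 4.8+ kernels now allowed` entry a phrase on why it is gated on the kernel version so the relaxation is not read as unconditional. Finally, the parenthesised date `(2019-06-17)` differs from the bare `2019-05-06` form used for 18.09.6 immediately below; pick one convention.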
@@ -387,48 +540,40 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d * Mask proxy credentials from URL when displayed in system info (docker/escalation#879) ## 18.03.1-ee-4 - - 2018-10-25 +2018-10-25 > **Note**: If you're deploying UCP or DTR, use Docker EE Engine 18.09 or higher. 18.03 is an engine only release. - #### Client +### Client +* Fixed help message flags on docker stack commands and child commands. [docker/cli#1251](https://github.com/docker/cli/pull/1251) +* Fixed typo breaking zsh docker update autocomplete. [docker/cli#1232](https://github.com/docker/cli/pull/1232) - * Fixed help message flags on docker stack commands and child commands. [docker/cli#1251](https://github.com/docker/cli/pull/1251) - * Fixed typo breaking zsh docker update autocomplete. [docker/cli#1232](https://github.com/docker/cli/pull/1232) +### Networking +* Added optimizations to reduce the messages in the NetworkDB queue. [docker/libnetwork#2225](https://github.com/docker/libnetwork/pull/2225) +* Fixed a very rare condition where managers are not correctly triggering the reconnection logic. [docker/libnetwork#2226](https://github.com/docker/libnetwork/pull/2226) +* Changed loglevel from error to warning for missing disable_ipv6 file. [docker/libnetwork#2224](https://github.com/docker/libnetwork/pull/2224) - ### Networking +### Runtime +* Fixed denial of service with large numbers in cpuset-cpus and cpuset-mems. [moby/moby#37967](https://github.com/moby/moby/pull/37967) +* Added stability improvements for devicemapper shutdown. [moby/moby#36307](https://github.com/moby/moby/pull/36307) [moby/moby#36438](https://github.com/moby/moby/pull/36438) - * Added optimizations to reduce the messages in the NetworkDB queue. [docker/libnetwork#2225](https://github.com/docker/libnetwork/pull/2225) - * Fixed a very rare condition where managers are not correctly triggering the reconnection logic. 
[docker/libnetwork#2226](https://github.com/docker/libnetwork/pull/2226) - * Changed loglevel from error to warning for missing disable_ipv6 file. [docker/libnetwork#2224](https://github.com/docker/libnetwork/pull/2224) - - #### Runtime - - * Fixed denial of service with large numbers in cpuset-cpus and cpuset-mems. [moby/moby#37967](https://github.com/moby/moby/pull/37967) - * Added stability improvements for devicemapper shutdown. [moby/moby#36307](https://github.com/moby/moby/pull/36307) [moby/moby#36438](https://github.com/moby/moby/pull/36438) - - #### Swarm Mode - - * Fixed the logic used for skipping over running tasks. [docker/swarmkit#2724](https://github.com/docker/swarmkit/pull/2724) - * Addressed unassigned task leak when a service is removed. [docker/swarmkit#2709](https://github.com/docker/swarmkit/pull/2709) +### Swarm Mode +* Fixed the logic used for skipping over running tasks. [docker/swarmkit#2724](https://github.com/docker/swarmkit/pull/2724) +* Addressed unassigned task leak when a service is removed. [docker/swarmkit#2709](https://github.com/docker/swarmkit/pull/2709) ## 18.03.1-ee-3 2018-08-30 #### Builder - * Fix: no error if build args are missing during docker build. [docker/engine#25](https://github.com/docker/engine/pull/25) * Ensure RUN instruction to run without healthcheck. [moby/moby#37413](https://github.com/moby/moby/pull/37413) #### Client - * Fix manifest list to always use correct size. [docker/cli#1156](https://github.com/docker/cli/pull/1156) * Various shell completion script updates. [docker/cli#1159](https://github.com/docker/cli/pull/1159) [docker/cli#1227](https://github.com/docker/cli/pull/1227) * Improve version output alignment. [docker/cli#1204](https://github.com/docker/cli/pull/1204) #### Runtime - * Disable CRI plugin listening on port 10010 by default. [docker/engine#29](https://github.com/docker/engine/pull/29) * Update containerd to v1.1.2. 
[docker/engine#33](https://github.com/docker/engine/pull/33) * Windows: Pass back system errors on container exit. [moby/moby#35967](https://github.com/moby/moby/pull/35967) @@ -436,7 +581,6 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d * Register OCI media types. [docker/engine#4](https://github.com/docker/engine/pull/4) #### Swarm Mode - * Clean up tasks in dirty list for which the service has been deleted. [docker/swarmkit#2694](https://github.com/docker/swarmkit/pull/2694) * Propagate the provided external CA certificate to the external CA object in swarm. [docker/cli#1178](https://github.com/docker/cli/pull/1178) From bdbad4044147641b054b1e0ccdc1badc4e394bc5 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Sat, 8 Jun 2019 07:04:33 -0400 Subject: [PATCH 02/19] Deprecation notice for 17.09 --- engine/release-notes.md | 1 + 1 file changed, 1 insertion(+) diff --git a/engine/release-notes.md b/engine/release-notes.md index cfc37e1cab..f0912d92e6 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md @@ -167,6 +167,7 @@ fix: `api.go doesn't respect nsswitch.conf`. [moby/moby#38126](https://github.co * Removed v1.10 migrator. [moby/moby#38265](https://github.com/moby/moby/pull/38265) * Now skipping deprecated storage-drivers in auto-selection. [moby/moby#38019](https://github.com/moby/moby/pull/38019) * Deprecated AuFS storage driver, and added warning. [moby/moby#38090](https://github.com/moby/moby/pull/38090) +* Removed support for 17.09. ### Known issues From c5ab8e75f98db51a67ef56f0ffafbb219c6d182d Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Tue, 11 Jun 2019 15:05:45 -0400 Subject: [PATCH 03/19] Added known issue info --- engine/release-notes.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/engine/release-notes.md b/engine/release-notes.md index f0912d92e6..43692f76ea 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md 
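Review bot: the heading-level change for 18.03.1-ee-4 (`#### Client`, `#### Runtime` and `#### Swarm Mode` become `###`) is applied to that release only; the 18.03.1-ee-3 section visible in the trailing context still uses `#### Builder`, `#### Client`, `#### Runtime` and `#### Swarm Mode`, so two adjacent releases now render at different heading depths. Either apply the same level to every release in the file or leave this one as it was. For PATCH 02/19, `* Removed support for 17.09.` is the only Deprecation entry with no PR reference, and it does not say what "support" means (upgrading from Engine 17.09, the 17.09 API version, or something else); phrase it the way the neighbouring entries are phrased and cite the change that removed it.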
@@ -23,6 +23,12 @@ New stuff since 18.09 codeline List is 97% complete, the features and bug fixes are 100% complete) For questions - ask #engine-team EE will be a superset with < 10 items added. + +https://docker.atlassian.net/browse/ENGCORE-834 - should this be in known issues? +https://docker.atlassian.net/browse/ENGORC-1243 - should this be in known issues? +https://docker.atlassian.net/browse/ENGCORE-686 - should this be in known issues? +https://docker.atlassian.net/browse/ENGCORE-810 - added to UCP known issues +https://docker.atlassian.net/browse/ENGPGM-115 - Swarm info added to known issues END OF DELETE BEFORE MERGING-------- ## 19.03.0 
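Review bot: the three `should this be in known issues?` questions added to the delete-before-merging block leave the 19.03.0 known-issues set undecided, and nothing later in this series answers them; resolve them before the block is stripped, because once `END OF DELETE BEFORE MERGING--------` and everything above it are removed the open questions disappear with them and the decision is lost.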
@@ -170,6 +176,25 @@ fix: `api.go doesn't respect nsswitch.conf`. [moby/moby#38126](https://github.co * Removed support for 17.09. ### Known issues +* In some circumstances, in large clusters, docker information might, as part of the Swarm section, +include the error `code = ResourceExhausted desc = grpc: received message larger than +max (5351376 vs. 4194304)`. This does not indicate any failure or misconfiguration by the user, +and requires no response. +* Attempts to deploy local PV fail with regular UCP configuration unless PV binder SA is binded to cluster admin role. +* Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager +requests in a short amount of time, some services are not able to receive traffic and are causing a `404` +error after being deployed. +Workaround: restart all tasks via `docker service update --force`. + +* Traffic cannot egress the HOST because of missing Iptables rules in the FORWARD chain +The missing rules are : +``` +sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +/sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +``` +Workaround: Add these rules back using a script and cron definitions. The script must contain '-C' commands to check for the presence of a rule and '-A' commands to add rules back. Run the script on a cron in regular intervals, for example, every minutes. (Is there a recommendation for 'x'?) +(If Arko's workaround becomes available, the docs will be updated to direct customers to use that until we get it out in a patch.) +Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0 ## 18.09.6 2019-05-06 From 17fe71e6ca120790ac8c265ef17e51c6c5c5f96d Mon Sep 17 00:00:00 2001 
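Review bot: the first command in the fenced block reads `sbin/iptables --wait -C FORWARD -o docker_gwbridge ...` with no leading `/`, while the second is `/sbin/iptables ...`; copied into a cron script, the first line only works if the working directory happens to be `/`, so it should be `/sbin/iptables`. The block also shows only the `-C` check form although the text tells readers the script needs matching `-A` commands, so a reader who copies the block gets a script that tests and never repairs. The fence has no language tag. The workaround text is unfinished: `every minutes` lacks the interval, and `(Is there a recommendation for 'x'?)` and `(If Arko's workaround becomes available, ...)` are internal notes that must not ship. `binded` should be `bound`, `Iptables` should be `iptables`, and the line `Traffic cannot egress the HOST because of missing Iptables rules in the FORWARD chain` needs a full stop. The `Workaround:` and `Affected versions:` lines are not indented under their bullets, so they will render as separate paragraphs that break the list.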
From: paigehargrave Date: Tue, 11 Jun 2019 16:19:36 -0400 Subject: [PATCH 04/19] Known issues updates --- engine/release-notes.md | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index 43692f76ea..b0d16f79dd 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md @@ -180,11 +180,29 @@ fix: `api.go doesn't respect nsswitch.conf`. [moby/moby#38126](https://github.co include the error `code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304)`. This does not indicate any failure or misconfiguration by the user, and requires no response. -* Attempts to deploy local PV fail with regular UCP configuration unless PV binder SA is binded to cluster admin role. +* Attempts to deploy local PV fail with regular UCP configuration unless PV binder SA is bound to cluster admin role. + - Workaround: Create a `ClusterRoleBinding` that binds the `persistent-volume-binder` serviceaccount + to a `cluster-admin` `ClusterRole`, as shown in the following example: + ``` + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + subjectName: kube-system-persistent-volume-binder + name: kube-system-persistent-volume-binder:cluster-admin + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin + subjects: + - kind: ServiceAccount + name: persistent-volume-binder + namespace: kube-system + ``` * Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a `404` error after being deployed. -Workaround: restart all tasks via `docker service update --force`. + - Workaround: restart all tasks via `docker service update --force`. * Traffic cannot egress the HOST because of missing Iptables rules in the FORWARD chain The missing rules are : 
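Review bot: the `ClusterRoleBinding` workaround binds the `persistent-volume-binder` ServiceAccount in `kube-system` to the `cluster-admin` ClusterRole, which grants that account unrestricted access to every API object in the cluster, far more than a volume binder needs. If this ships, the entry should state that consequence plainly and tell readers to delete the binding once a fixed release is installed; better still, scope the role to the resources PV binding actually requires if they are known. The YAML fence has no language tag, and `serviceaccount` in the prose should be `ServiceAccount` to match the `kind` in the manifest. The `binded` to `bound` fix and the move of the Workaround lines into indented sub-bullets are good.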
@@ -192,9 +210,10 @@ The missing rules are : sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT /sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ``` -Workaround: Add these rules back using a script and cron definitions. The script must contain '-C' commands to check for the presence of a rule and '-A' commands to add rules back. Run the script on a cron in regular intervals, for example, every minutes. (Is there a recommendation for 'x'?) -(If Arko's workaround becomes available, the docs will be updated to direct customers to use that until we get it out in a patch.) -Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0 + - Workaround: Add these rules back using a script and cron definitions. The script must contain '-C' commands +to check for the presence of a rule and '-A' commands to add rules back. Run the script on a cron in regular +intervals, for example, every minutes. + - Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0 ## 18.09.6 2019-05-06 From 6fcdb1ad21862ba85274766fc117be08264f2593 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Wed, 12 Jun 2019 07:20:01 -0400 Subject: [PATCH 05/19] Moving issue to UCP relnotes --- engine/release-notes.md | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index b0d16f79dd..33375f7449 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md 
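Review bot: `every minutes` survives this rewrite even though the `(Is there a recommendation for 'x'?)` question that asked for the value is deleted; the interval still needs a number before this ships. The `sbin/iptables` command without its leading `/` in the context lines above is also still wrong. For `- Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0`, consider making it explicit that 19.03.0 is the release these notes describe, so readers do not assume the issue was fixed in the version they are reading about.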
@@ -180,25 +180,6 @@ fix: `api.go doesn't respect nsswitch.conf`. [moby/moby#38126](https://github.co include the error `code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304)`. This does not indicate any failure or misconfiguration by the user, and requires no response. -* Attempts to deploy local PV fail with regular UCP configuration unless PV binder SA is bound to cluster admin role. - - Workaround: Create a `ClusterRoleBinding` that binds the `persistent-volume-binder` serviceaccount - to a `cluster-admin` `ClusterRole`, as shown in the following example: - ``` - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - subjectName: kube-system-persistent-volume-binder - name: kube-system-persistent-volume-binder:cluster-admin - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin - subjects: - - kind: ServiceAccount - name: persistent-volume-binder - namespace: kube-system - ``` * Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a `404` error after being deployed. From 266e47c9ab696ac87bb819cfcb199a2d5eb08f7e Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Wed, 12 Jun 2019 07:23:57 -0400 Subject: [PATCH 06/19] Added internal note for 686 --- engine/release-notes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index 33375f7449..cca62877e7 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md 
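Review bot: the commit message `Moving issue to UCP relnotes` has no matching addition anywhere in this series (the diffstat touches only `engine/release-notes.md`, with 19 deletions and no insertions), so a reader of the series cannot confirm the PV-binder workaround still exists in any document; add the UCP-side change to the series or reference the change that carries it.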
@@ -26,7 +26,7 @@ EE will be a superset with < 10 items added. https://docker.atlassian.net/browse/ENGCORE-834 - should this be in known issues? https://docker.atlassian.net/browse/ENGORC-1243 - should this be in known issues? -https://docker.atlassian.net/browse/ENGCORE-686 - should this be in known issues? +https://docker.atlassian.net/browse/ENGCORE-686 - should this be in known issues - MIGHT BE INTERNAL ONLY https://docker.atlassian.net/browse/ENGCORE-810 - added to UCP known issues https://docker.atlassian.net/browse/ENGPGM-115 - Swarm info added to known issues END OF DELETE BEFORE MERGING-------- From 1e86e2d902356e4172b6844b5f18d42c995f0ef5 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Wed, 12 Jun 2019 08:58:31 -0400 Subject: [PATCH 07/19] Updated with latest changelog info --- engine/release-notes.md | 170 +++++++++++++++++++++++----------------- 1 file changed, 97 insertions(+), 73 deletions(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index cca62877e7..dd4d0edefb 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md 
@@ -9,55 +9,83 @@ redirect_from: - /release-notes/docker-ce/ --- -This document describes the latest changes, additions, known issues, and fixes -for Docker Engine Enterprise Edition (Docker EE) and Community Edition (CE). - -Docker EE is a superset of all the features in Docker CE. It incorporates defect fixes -that you can use in environments where new features cannot be adopted as quickly for -consistency and compatibility reasons. - ----DELETE BEFORE MERGING -From Andrew: -Per https://github.com/docker/docker-ce/blob/v19.03.0-rc2/CHANGELOG.md as of 6/6: -New stuff since 18.09 codeline -List is 97% complete, the features and bug fixes are 100% complete) -For questions - ask #engine-team -EE will be a superset with < 10 items added. - +Per https://github.com/docker/docker-ce/blob/v19.03.0-rc2/CHANGELOG.md as of 6/12: https://docker.atlassian.net/browse/ENGCORE-834 - should this be in known issues? https://docker.atlassian.net/browse/ENGORC-1243 - should this be in known issues? https://docker.atlassian.net/browse/ENGCORE-686 - should this be in known issues - MIGHT BE INTERNAL ONLY https://docker.atlassian.net/browse/ENGCORE-810 - added to UCP known issues https://docker.atlassian.net/browse/ENGPGM-115 - Swarm info added to known issues + +Are these no longer valid? + ### Client +* Deprecated legacy overlay storage driver. [docker/cli#1425](https://github.com/docker/cli/pull/1425) +* Deprecated "devicemapper" storage driver. [docker/cli#1424](https://github.com/docker/cli/pull/1424) +* Build: add SSH agent socket forwarder (`docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK`) +[docker/cli#1419](https://github.com/docker/cli/pull/1419) END OF DELETE BEFORE MERGING-------- -## 19.03.0 -(2019-06-17) +This document describes the latest changes, additions, known issues, and fixes +for Docker Engine Enterprise (Docker EE). + +Docker EE builds upon the corresponding Docker CE that it +references. 
Docker EE includes enterprise features as well as back-ported fixes (security-related +and priority defects) from the open source. It also incorporates defect fixes for environments +in which new features cannot be adopted as quickly for consistency and compatibility reasons. + +## 19.03.0 (2019-06-17) ### Builder + * Fixed `COPY --from` to preserve ownership. [moby/moby#38599](https://github.com/moby/moby/pull/38599) * builder-next: - - Updated buildkit to v0.5.0. [docker/engine#215](https://github.com/docker/engine/pull/215) - * This brings in inline cache support. `--cache-from` can now point to an existing image - if it was built with `--build-arg BUILDKIT_INLINE_CACHE=true` and contains the cache - metadata in the image config. - - Outputs configuration allowed. [moby/moby#38898](https://github.com/moby/moby/pull/38898) - - Fixed gcr workaround token cache. [docker/engine#212](https://github.com/docker/engine/pull/212) - - `stopprogress` called on download error. [docker/engine#215](https://github.com/docker/engine/pull/215) - - Buildkit now also uses systemd's `resolv.conf`. [docker/engine#260(https://github.com/docker/engine/pull/260). -* TODO: changes needed from BuildKit + + - Added inline cache support `--cache-from`. [docker/engine#215](https://github.com/docker/engine/pull/215) + - Outputs configuration allowed. [moby/moby#38898](https://github.com/moby/moby/pull/38898) + - Fixed gcr workaround token cache. [docker/engine#212](https://github.com/docker/engine/pull/212) + - `stopprogress` called on download error. [docker/engine#215](https://github.com/docker/engine/pull/215) + - Buildkit now uses systemd's `resolv.conf`. [docker/engine#260](https://github.com/docker/engine/pull/260). + - Setting buildkit outputs now allowed. [docker/cli#1766](https://github.com/docker/cli/pull/1766) + - Look for Dockerfile specific dockerignore file (for example, Dockerfile.dockerignore) for + ignored paths. 
[docker/engine#215](https://github.com/docker/engine/pull/215) + - Automatically detect if process execution is possible for x86, arm, and arm64 binaries. + [docker/engine#215](https://github.com/docker/engine/pull/215) + - Updated buildkit to 1f89ec1. [docker/engine#260](https://github.com/docker/engine/pull/260) + - Use Dockerfile frontend version `docker/dockerfile:1.1` by default. + [docker/engine#215](https://github.com/docker/engine/pull/215) + - No longer rely on an external image for COPY/ADD operations. + [docker/engine#215](https://github.com/docker/engine/pull/215) ### Client + +* Added `--pids-limit` flag to `docker update`. [docker/cli#1765](https://github.com/docker/cli/pull/1765) +* Added systctl support for services. [docker/cli#1754](https://github.com/docker/cli/pull/1754) +* Added support for `template_driver` in compose files. [docker/cli#1746](https://github.com/docker/cli/pull/1746) +* Added `--device` support for Windows. [docker/cli#1606](https://github.com/docker/cli/pull/1606) +* Added support for Data Path Port configuration. [docker/cli#1509](https://github.com/docker/cli/pull/1509) +* Added fast context switch: commands. [docker/cli#1501](https://github.com/docker/cli/pull/1501) +* Support added for `--mount type=bind,bind-nonrecursive,...` [docker/cli#1430](https://github.com/docker/cli/pull/1430) +* Added maximum replicas per node support to stack version 3.8. [docker/cli#1410](https://github.com/docker/cli/pull/1410) +* Added option to pull images quietly. [docker/cli#882](https://github.com/docker/cli/pull/882) +* Added a separate `--domainname` flag. [docker/cli#1130](https://github.com/docker/cli/pull/1130) +* Added `--from` flag to `context create`. [docker/cli#1773](https://github.com/docker/cli/pull/1773) +* Added support for secret drivers in `docker stack deploy`. [docker/cli#1783](https://github.com/docker/cli/pull/1783) +* Added ability to use swarm `Configs` as `CredentialSpecs` on services. 
+[docker/cli#1781](https://github.com/docker/cli/pull/1781) +* Added `--security-opt systempaths=unconfined` support. [docker/cli#1808](https://github.com/docker/cli/pull/1808) +* Added basic framework for writing and running CLI plugins. [docker/cli#1564](https://github.com/docker/cli/pull/1564) +* Cli-plugins: added concept of experimental plugin, only enabled in experimental mode. +[docker/cli#1898](https://github.com/docker/cli/pull/1898) +* Bumped Docker App to v0.8.0. [docker/docker-ce-packaging#341](https://github.com/docker/docker-ce-packaging/pull/341) +* Added support for Docker buildx. [docker/docker-ce-packaging#336](https://github.com/docker/docker-ce-packaging/pull/336) +* Added support for Docker Assemble v0.36.0. +* Added support for Docker Cluster v1.0.0-rc2. +* Added support for Docker Template v0.1.4. +* Added support for Docker Registry v0.1.0-rc1. * Updated buildkit. [docker/cli#1804](https://github.com/docker/cli/pull/1804) * Bumped google.golang.org/grpc to v1.20.1. [docker/cli#1884](https://github.com/docker/cli/pull/1884) * CLI changed to pass driver specific options to `docker run`. [docker/cli#1767](https://github.com/docker/cli/pull/1767) -* Build: setting buildkit outputs now allowed. [docker/cli#1766](https://github.com/docker/cli/pull/1766) -* Added `--pids-limit` flag to `docker update`. [docker/cli#1765](https://github.com/docker/cli/pull/1765) -* Added systctl support for services. [docker/cli#1754](https://github.com/docker/cli/pull/1754) -* Added support for `template_driver` in composefiles. [docker/cli#1746](https://github.com/docker/cli/pull/1746) * Bumped Golang 1.12.5. [docker/cli#1875](https://github.com/docker/cli/pull/1875) -* Fixed problem with labels copying value from environment variables. -[docker/cli#1671](https://github.com/docker/cli/pull/1671) * `docker system info` output now segregates information relevant to the client and daemon. 
[docker/cli#1638](https://github.com/docker/cli/pull/1638) * (Experimental) When targeting Kubernetes, added support for `x-pull-secret: some-pull-secret` in 
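Review bot: `Added systctl support for services.` in the new Client entries misspells the option; it should read `sysctl`, matching the Swarm entry in the same file (`Added support for sysctl options in services`). Four of the added Client lines (Docker Assemble v0.36.0, Docker Cluster v1.0.0-rc2, Docker Template v0.1.4, Docker Registry v0.1.0-rc1) carry no PR reference while every neighbouring entry does; add the docker-ce-packaging links or say why none apply. `Added fast context switch: commands.` does not say what was added; name the commands (the `docker context` subcommands that `context create` above belongs to) or rephrase. The builder-next line `Updated buildkit to 1f89ec1` pins a bare commit hash where the removed line had `v0.5.0`; if no tagged release exists, say so, because readers cannot map a hash to a version.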
@@ -65,30 +93,14 @@ compose-files service configs. [docker/cli#1617](https://github.com/docker/cli/p * (Experimental) When targeting Kubernetes, added support for `x-pull-policy: ` in compose-files service configs. [docker/cli#1617](https://github.com/docker/cli/pull/1617) * Added support for maximum replicas per node without stack. [docker/cli#1612](https://github.com/docker/cli/pull/1612) -* Added `--device` support for Windows. [docker/cli#1606](https://github.com/docker/cli/pull/1606) -* Added basic framework for writing and running CLI plugins. [docker/cli#1564](https://github.com/docker/cli/pull/1564) -* Fixed tty initial size error. [docker/cli#1529](https://github.com/docker/cli/pull/1529) * cp, save, export: Now preventing overwriting irregular files. [docker/cli#1515](https://github.com/docker/cli/pull/1515) -* Data Path Port configuration supported. [docker/cli#1509](https://github.com/docker/cli/pull/1509) -* Added fast context switch: commands. [docker/cli#1501](https://github.com/docker/cli/pull/1501) -* Support added for `--mount type=bind,bind-nonrecursive,...` [docker/cli#1430](https://github.com/docker/cli/pull/1430) -* Deprecated legacy overlay storage driver. [docker/cli#1425](https://github.com/docker/cli/pull/1425) -* Deprecated "devicemapper" storage driver. [docker/cli#1424](https://github.com/docker/cli/pull/1424) -* Build: add SSH agent socket forwarder (`docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK`) -[docker/cli#1419](https://github.com/docker/cli/pull/1419) -* Added maximum replicas per node support to stack version 3.8. [docker/cli#1410](https://github.com/docker/cli/pull/1410) * npipe volume type on stack file now allowed. [docker/cli#1195](https://github.com/docker/cli/pull/1195) -* Added option to pull images quietly. [docker/cli#882](https://github.com/docker/cli/pull/882) -* Added a separate `--domainname` flag. [docker/cli#1130](https://github.com/docker/cli/pull/1130) -* Added `--from` flag to `context create`. 
[docker/cli#1773](https://github.com/docker/cli/pull/1773) -* Added support for secret drivers in `docker stack deploy`. [docker/cli#1783](https://github.com/docker/cli/pull/1783) -* Added ability to use swarm `Configs` as `CredentialSpecs` on services. [docker/cli#1781](https://github.com/docker/cli/pull/1781) -* Added `--security-opt systempaths=unconfined` support. [docker/cli#1808](https://github.com/docker/cli/pull/1808) -* Cli-plugins: add concept of experimental plugin, only enabled in experimental mode. -[docker/cli#1898](https://github.com/docker/cli/pull/1898) -* Bumped Docker App to v0.8.0-beta1. [docker/docker-ce-packaging#324](https://github.com/docker/docker-ce-packaging/pull/324) +* Fixed tty initial size error. [docker/cli#1529](https://github.com/docker/cli/pull/1529) +* Fixed problem with labels copying value from environment variables. +[docker/cli#1671](https://github.com/docker/cli/pull/1671) ### API + * Updated API version to v1.40. [moby/moby#38089](https://github.com/moby/moby/pull/38089) * Added warnings to `/info` endpoint, and moved detection to the daemon. [moby/moby#37502](https://github.com/moby/moby/pull/37502) 
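Review bot: three entries are deleted from the Client section in this hunk but nothing in the visible additions re-adds them: `Deprecated legacy overlay storage driver.` (docker/cli#1425), `Deprecated "devicemapper" storage driver.` (docker/cli#1424) and the SSH agent forwarder `docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK` (docker/cli#1419). Every other removed line reappears in the reordered Client list above, so these three look like an accidental drop; either restore them (the two storage-driver deprecations belong under `### Deprecation`, which currently names only AuFS as a deprecated driver) or state in the commit message that they were removed on purpose.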
@@ -103,54 +115,58 @@ in compose-files service configs. [docker/cli#1617](https://github.com/docker/cl ### Experimental * Enabled checkpoint/restore of containers with TTY. [moby/moby#38405](https://github.com/moby/moby/pull/38405) * LCOW: Added support for memory and CPU limits. [moby/moby#37296](https://github.com/moby/moby/pull/37296) -* Windows: Experimental: Added ContainerD runtime. [moby/moby#38541](https://github.com/moby/moby/pull/38541) -* Windows: Experimental: LCOW now requires Windows RS5+. [moby/moby#39108](https://github.com/moby/moby/pull/39108) +* Windows: Added ContainerD runtime. [moby/moby#38541](https://github.com/moby/moby/pull/38541) +* Windows: LCOW now requires Windows RS5+. [moby/moby#39108](https://github.com/moby/moby/pull/39108) ### Security + * mount: added BindOptions.NonRecursive (API v1.40). [moby/moby#38003](https://github.com/moby/moby/pull/38003) * seccomp: whitelisted `io_pgetevents()`. [moby/moby#38895](https://github.com/moby/moby/pull/38895) * seccomp: `ptrace(2)` for 4.8+ kernels now allowed. [moby/moby#38137](https://github.com/moby/moby/pull/38137) -### Networking -* Added support for 'dangling' filter. [moby/moby#31551](https://github.com/moby/moby/pull/31551) -* Moved IPVLAN driver out of experimental. -[moby/moby#38983](https://github.com/moby/moby/pull/38983) / -[docker/libnetwork#2230](https://github.com/docker/libnetwork/pull/2230) -* Load balancer sandbox is now deleted when a service is updated with `--network-rm`. -[docker/engine#213](https://github.com/docker/engine/pull/213) -* Windows: Now forcing a nil IP specified in `PortBindings` to IPv4zero (0.0.0.0). -[docker/libnetwork#2376](https://github.com/docker/libnetwork/pull/2376) - ### Runtime + * Running `dockerd` as a non-root user (Rootless mode) is now allowed. [moby/moby#380050](https://github.com/moby/moby/pull/38050) * Rootless: optional support provided for `lxc-user-nic` SUID binary. 
[docker/engine#208](https://github.com/docker/engine/pull/208) * Added DeviceRequests to HostConfig to support NVIDIA GPUs. [moby/moby#38828](https://github.com/moby/moby/pull/38828) +* Added `--device` support for Windows. [moby/moby#37638](https://github.com/moby/moby/pull/37638) +* Added `memory.kernelTCP` support for linux. [moby/moby#37043](https://github.com/moby/moby/pull/37043) * Windows credential specs can now be passed directly to the engine. [moby/moby#38777](https://github.com/moby/moby/pull/38777) * Added pids-limit support in docker update. [moby/moby#32519](https://github.com/moby/moby/pull/32519) * Added support for exact list of capabilities. [moby/moby#38380](https://github.com/moby/moby/pull/38380) * daemon: Now use 'private' ipc mode by default. [moby/moby#35621](https://github.com/moby/moby/pull/35621) * daemon: switched to semaphore-gated WaitGroup for startup tasks. moby/moby#38301](https://github.com/moby/moby/pull/38301) -* Added --device support for Windows. [moby/moby#37638](https://github.com/moby/moby/pull/37638) -* Added `memory.kernelTCP` support for linux. [moby/moby#37043](https://github.com/moby/moby/pull/37043) * Now use `idtools.LookupGroup` instead of parsing `/etc/group` file for docker.sock ownership to fix: `api.go doesn't respect nsswitch.conf`. [moby/moby#38126](https://github.com/moby/moby/pull/38126) -* Fixed `docker --init` with /dev bind mount. [moby/moby#37665](https://github.com/moby/moby/pull/37665) * cli: fixed images filter when using multi reference filter. [moby/moby#38171](https://github.com/moby/moby/pull/38171) * Bumped Golang to 1.12.5. [docker/engine#209](https://github.com/docker/engine/pull/209) * Bumped `containerd` to 1.2.6. [moby/moby#39016](https://github.com/moby/moby/pull/39016) * Bumped `runc` to 1.0.0-rc8, opencontainers/selinux v1.2.2. [docker/engine#210](https://github.com/docker/engine/pull/210) * Bumped `google.golang.org/grpc` to v1.20.1. 
[docker/engine#215](https://github.com/docker/engine/pull/215) -* The right device number is now fetched when greater than 255 and using the `--device-read-bps` option. -[moby/moby#39212](https://github.com/moby/moby/pull/39212) -* Fixed `Path does not exist` error when path definitely exists. [moby/moby#39251](https://github.com/moby/moby/pull/39251) * Performance optimized in aufs and layer store for massively parallel container creation/removal. [moby/moby#39135](https://github.com/moby/moby/pull/39135) [moby/moby#39209](https://github.com/moby/moby/pull/39209) * Root is now passed to chroot for chroot Tar/Untar (CVE-2018-15664) [moby/moby#39292](https://github.com/moby/moby/pull/39292) +* Fixed `docker --init` with /dev bind mount. [moby/moby#37665](https://github.com/moby/moby/pull/37665) +* The right device number is now fetched when greater than 255 and using the `--device-read-bps` option. +[moby/moby#39212](https://github.com/moby/moby/pull/39212) +* Fixed `Path does not exist` error when path definitely exists. [moby/moby#39251](https://github.com/moby/moby/pull/39251) + +### Networking + +* Moved IPVLAN driver out of experimental. +[moby/moby#38983](https://github.com/moby/moby/pull/38983) +* Added support for 'dangling' filter. [moby/moby#31551](https://github.com/moby/moby/pull/31551) +[docker/libnetwork#2230](https://github.com/docker/libnetwork/pull/2230) +* Load balancer sandbox is now deleted when a service is updated with `--network-rm`. +[docker/engine#213](https://github.com/docker/engine/pull/213) +* Windows: Now forcing a nil IP specified in `PortBindings` to IPv4zero (0.0.0.0). +[docker/libnetwork#2376](https://github.com/docker/libnetwork/pull/2376) ### Swarm + * Added support for maximum replicas per node. [moby/moby#37940](https://github.com/moby/moby/pull/37940) * Added support for GMSA CredentialSpecs from Swarmkit configs. [moby/moby#38632](https://github.com/moby/moby/pull/38632) * Added support for sysctl options in services. 
[moby/moby#37701](https://github.com/moby/moby/pull/37701) @@ -163,19 +179,26 @@ fix: `api.go doesn't respect nsswitch.conf`. [moby/moby#38126](https://github.co [docker/engine#256](https://github.com/docker/engine/pull/256) ### Logging + * Enabled gcplogs driver on Windows. [moby/moby#37717](https://github.com/moby/moby/pull/37717) * Added zero padding for RFC5424 syslog format. [moby/moby#38335](https://github.com/moby/moby/pull/38335) * Added `IMAGE_NAME` attribute to `journald` log events. [moby/moby#38032](https://github.com/moby/moby/pull/38032) ### Deprecation -* Removed v1 manifest support, and removed `--disable-legacy-registry`. -[moby/moby#37874](https://github.com/moby/moby/pull/37874) + +* Removed v1 manifest support, and removed `--disable-legacy-registry`. Pushing v1 manifests to registries +is no longer possible, pushing schema v2 (or OCI) manifests is now the only possible option. However, +pulling v1 manifests is still possible. [moby/moby#37874](https://github.com/moby/moby/pull/37874) * Removed v1.10 migrator. [moby/moby#38265](https://github.com/moby/moby/pull/38265) * Now skipping deprecated storage-drivers in auto-selection. [moby/moby#38019](https://github.com/moby/moby/pull/38019) * Deprecated AuFS storage driver, and added warning. [moby/moby#38090](https://github.com/moby/moby/pull/38090) -* Removed support for 17.09. +* Removed support for 17.09. + +For more information on deprecated flags and APIs, refer to +https://docs.docker.com/engine/deprecated/ for target removal dates. ### Known issues + * In some circumstances, in large clusters, docker information might, as part of the Swarm section, include the error `code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304)`. This does not indicate any failure or misconfiguration by the user, 
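Review bot: in the re-added `### Networking` block the `[docker/libnetwork#2230]` reference has moved from the IPVLAN entry to the `'dangling'` filter entry: the removed lines read `Moved IPVLAN driver out of experimental. [moby/moby#38983] / [docker/libnetwork#2230]`, but the added lines place `[docker/libnetwork#2230]` on the line after `Added support for 'dangling' filter. [moby/moby#31551]`. Move it back under IPVLAN. Two unchanged Runtime lines in the same hunk carry broken references worth fixing in this pass: `[moby/moby#380050]` has an extra digit (its URL says 38050), and `moby/moby#38301](...)` is missing the opening bracket.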
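Review bot: the expanded v1 manifest entry in the Deprecation hunk has a comma splice: `... is no longer possible, pushing schema v2 (or OCI) manifests is now the only possible option.` Split it into two sentences or join them with a semicolon. `Removed support for 17.09.` does not say what 17.09 is (an engine release? an API version?) or what support was removed; one clause would fix that. The closing pointer `refer to https://docs.docker.com/engine/deprecated/ for target removal dates` is a bare URL while every other reference in the file is a markdown link.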
@@ -195,7 +218,8 @@ sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATE to check for the presence of a rule and '-A' commands to add rules back. Run the script on a cron in regular intervals, for example, every minutes. - Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0 - +* [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: `docker pause` container before doing file operations. [moby/moby#39252](https://github.com/moby/moby/pull/39252) + ## 18.09.6 2019-05-06 From ed460cdf8ea8266f17550f8ba922631704ce017e Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Wed, 12 Jun 2019 13:21:01 -0400 Subject: [PATCH 08/19] Info for 839 --- engine/release-notes.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/engine/release-notes.md b/engine/release-notes.md index dd4d0edefb..c136f06bba 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md @@ -11,6 +11,7 @@ redirect_from: ----DELETE BEFORE MERGING Per https://github.com/docker/docker-ce/blob/v19.03.0-rc2/CHANGELOG.md as of 6/12: +https://docker.atlassian.net/browse/ENGCORE-839 https://docker.atlassian.net/browse/ENGCORE-834 - should this be in known issues? https://docker.atlassian.net/browse/ENGORC-1243 - should this be in known issues? https://docker.atlassian.net/browse/ENGCORE-686 - should this be in known issues - MIGHT BE INTERNAL ONLY 
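Review bot: the new CVE-2018-15664 known-issue entry needs an `Affected versions:` line like the iptables entry directly above it, and it should be reconciled with the 19.03.0 Runtime section, which already lists `Root is now passed to chroot for chroot Tar/Untar (CVE-2018-15664) [moby/moby#39292]`. As written, a reader cannot tell whether #39292 is a partial mitigation with #39252 still pending or whether 19.03.0 is unfixed; say which, and keep the `docker pause` workaround only if the gap is real for 19.03.0.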
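Review bot: this hunk grows the block headed `----DELETE BEFORE MERGING` with another internal Jira link (ENGCORE-839), and none of the hunks shown in this series removes that block; since it sits at the top of a published page, add a final commit that deletes it and keep the Jira tracking in the PR description rather than in the file.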
@@ -219,6 +220,7 @@ to check for the presence of a rule and '-A' commands to add rules back. Run the intervals, for example, every minutes. - Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0 * [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: `docker pause` container before doing file operations. [moby/moby#39252](https://github.com/moby/moby/pull/39252) +* `docker cp` regression due to CVE mitigation. An error is produced when the source of `docker cp` is set to `/`. ## 18.09.6 2019-05-06 From b1a01302fc61e3c60e74fb294b96b1ea4f5eab69 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Thu, 13 Jun 2019 16:33:42 -0400 Subject: [PATCH 09/19] Info for 850 --- engine/release-notes.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/engine/release-notes.md b/engine/release-notes.md index c136f06bba..43790f3e1a 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md @@ -17,6 +17,7 @@ https://docker.atlassian.net/browse/ENGORC-1243 - should this be in known issues https://docker.atlassian.net/browse/ENGCORE-686 - should this be in known issues - MIGHT BE INTERNAL ONLY https://docker.atlassian.net/browse/ENGCORE-810 - added to UCP known issues https://docker.atlassian.net/browse/ENGPGM-115 - Swarm info added to known issues +https://docker.atlassian.net/browse/TAR-850 - added Are these no longer valid? ### Client 
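Review bot: `docker cp regression due to CVE mitigation` should name the CVE (the entry above it is CVE-2018-15664) and carry an issue or PR reference plus an `Affected versions:` line like its siblings. It should also say whether the error occurs only when the source is literally `/` or for any path that resolves to the container root, since that decides what users have to change in their scripts.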
@@ -221,6 +222,11 @@ intervals, for example, every minutes. - Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0 * [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: `docker pause` container before doing file operations. [moby/moby#39252](https://github.com/moby/moby/pull/39252) * `docker cp` regression due to CVE mitigation. An error is produced when the source of `docker cp` is set to `/`. +* Install Docker Engine - Enterprise fails to install on RHEL 7.5 on Azure. + +- Workaround options: + - Use an older image and don't get updates. + - Import your own RHEL images into Azure and do not rely on the Extended Update Support (EUS) RHEL images. ## 18.09.6 2019-05-06 From 660e1a07dd658f243b1b5c3c45dbbede3c3117c0 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Thu, 13 Jun 2019 17:21:53 -0400 Subject: [PATCH 10/19] Updates for Jira 850 --- engine/release-notes.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index 43790f3e1a..f9f91dc018 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md 
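Review bot: `Install Docker Engine - Enterprise fails to install on RHEL 7.5 on Azure.` repeats "install"; `Docker Engine - Enterprise fails to install on RHEL 7.5 on Azure` reads cleanly. The `- Workaround options:` sub-list is separated from its bullet by a blank line and is not indented under the `*` item, unlike the `- Workaround:` and `- Affected versions:` lines of the iptables entry above, so it will render as a separate top-level list; indent it and drop the blank line. The entry also lacks a reference and an `Affected versions:` line.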
@@ -222,11 +222,12 @@ intervals, for example, every minutes. - Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0 * [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: `docker pause` container before doing file operations. [moby/moby#39252](https://github.com/moby/moby/pull/39252) * `docker cp` regression due to CVE mitigation. An error is produced when the source of `docker cp` is set to `/`. -* Install Docker Engine - Enterprise fails to install on RHEL 7.5 on Azure. +* Install Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6. - Workaround options: - - Use an older image and don't get updates. + - Use an older image and don't get updates. Examples of EUS images are here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#rhel-images-with-eus. - Import your own RHEL images into Azure and do not rely on the Extended Update Support (EUS) RHEL images. + - Use a RHEL image that does not contain a minor version in the SKU. These are not attached to EUS repositories. Some examples of those are the first three images (SKUs: 7-RAW, 7-LVM, 7-RAW-CI) listed here : https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#list-of-rhel-images-available. ## 18.09.6 2019-05-06 From b2e23baafa23bede9db0334ae2996d6972822d84 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Sat, 15 Jun 2019 15:57:25 -0400 Subject: [PATCH 11/19] Known issues updates --- engine/release-notes.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index f9f91dc018..bd384ad662 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md 
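Review bot: the first workaround now reads `Use an older image and don't get updates. Examples of EUS images are here: ...#rhel-images-with-eus`, which points readers at the very EUS images the entry says are affected; if the intent is "pin an older non-EUS image", say so, otherwise remove the EUS link from this option. The third option has a stray space before the colon (`listed here :`), and the three new URLs are bare while the rest of the file uses markdown links.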
@@ -10,11 +10,11 @@ redirect_from: --- ----DELETE BEFORE MERGING -Per https://github.com/docker/docker-ce/blob/v19.03.0-rc2/CHANGELOG.md as of 6/12: +Contents include https://github.com/docker/docker-ce/blob/v19.03.0-rc2/CHANGELOG.md as of 6/12: https://docker.atlassian.net/browse/ENGCORE-839 -https://docker.atlassian.net/browse/ENGCORE-834 - should this be in known issues? -https://docker.atlassian.net/browse/ENGORC-1243 - should this be in known issues? -https://docker.atlassian.net/browse/ENGCORE-686 - should this be in known issues - MIGHT BE INTERNAL ONLY +https://docker.atlassian.net/browse/ENGCORE-834 +https://docker.atlassian.net/browse/ENGORC-1243 +https://docker.atlassian.net/browse/ENGCORE-686 MIGHT BE INTERNAL ONLY https://docker.atlassian.net/browse/ENGCORE-810 - added to UCP known issues https://docker.atlassian.net/browse/ENGPGM-115 - Swarm info added to known issues https://docker.atlassian.net/browse/TAR-850 - added From 3717af90ed050add2c061246a1bcc158a945b897 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Thu, 20 Jun 2019 06:58:06 -0400 Subject: [PATCH 12/19] Updated from 6/19 changelog updates --- engine/release-notes.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index bd384ad662..9b23f7db35 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md @@ -155,6 +155,9 @@ fix: `api.go doesn't respect nsswitch.conf`. [moby/moby#38126](https://github.co * The right device number is now fetched when greater than 255 and using the `--device-read-bps` option. [moby/moby#39212](https://github.com/moby/moby/pull/39212) * Fixed `Path does not exist` error when path definitely exists. [moby/moby#39251](https://github.com/moby/moby/pull/39251) +* Fixed [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack with directory +traversal. [moby/moby#39357](https://github.com/moby/moby/pull/39357) + ### Networking 
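Review bot: adding `Fixed [CVE-2018-15664] ... [moby/moby#39357]` to the 19.03.0 Runtime list contradicts the 19.03.0 Known issues entry, which still says the fix is `available in upcoming patch release` and gives the `docker pause` workaround. If #39357 is in 19.03.0, drop or reword that known issue (and revisit the `docker cp` regression entry tied to it), and fold this line together with `Root is now passed to chroot for chroot Tar/Untar (CVE-2018-15664) [moby/moby#39292]` so the CVE appears once with both PRs.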
@@ -190,7 +193,7 @@ fix: `api.go doesn't respect nsswitch.conf`. [moby/moby#38126](https://github.co * Removed v1 manifest support, and removed `--disable-legacy-registry`. Pushing v1 manifests to registries is no longer possible, pushing schema v2 (or OCI) manifests is now the only possible option. However, -pulling v1 manifests is still possible. [moby/moby#37874](https://github.com/moby/moby/pull/37874) +pulling v1 manifests is still possible. [moby/moby#39365](https://github.com/moby/moby/pull/39365) * Removed v1.10 migrator. [moby/moby#38265](https://github.com/moby/moby/pull/38265) * Now skipping deprecated storage-drivers in auto-selection. [moby/moby#38019](https://github.com/moby/moby/pull/38019) * Deprecated AuFS storage driver, and added warning. [moby/moby#38090](https://github.com/moby/moby/pull/38090) From daa68477bf15136b99d3e0d96ab80d207aa1ae5f Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Thu, 20 Jun 2019 13:59:27 -0400 Subject: [PATCH 13/19] Updates for latest changelog --- engine/release-notes.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index 9b23f7db35..2cca3d4ee0 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md @@ -35,7 +35,7 @@ references. Docker EE includes enterprise features as well as back-ported fixes and priority defects) from the open source. It also incorporates defect fixes for environments in which new features cannot be adopted as quickly for consistency and compatibility reasons. -## 19.03.0 (2019-06-17) +## 19.03.0 (2019-07-10) ### Builder 
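Review bot: this hunk swaps the reference on the v1 manifest removal entry from `moby/moby#37874` to `moby/moby#39365` without changing the text, and PATCH 14 below swaps it back; confirm which PR the entry actually describes and squash the back-and-forth so the history does not carry a wrong reference.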
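Review bot: the heading becomes `## 19.03.0 (2019-07-10)`, with the date in parentheses on the heading line, whereas the other release headings in this file put the date on its own line (`## 18.09.6` then `2019-05-06`, and the new `## 18.09.7` / `2019-06-25` added later in the series); use one form so the page's release list stays consistent.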
@@ -148,16 +148,18 @@ fix: `api.go doesn't respect nsswitch.conf`. [moby/moby#38126](https://github.co * Bumped `containerd` to 1.2.6. [moby/moby#39016](https://github.com/moby/moby/pull/39016) * Bumped `runc` to 1.0.0-rc8, opencontainers/selinux v1.2.2. [docker/engine#210](https://github.com/docker/engine/pull/210) * Bumped `google.golang.org/grpc` to v1.20.1. [docker/engine#215](https://github.com/docker/engine/pull/215) -* Performance optimized in aufs and layer store for massively parallel container creation/removal. [moby/moby#39135](https://github.com/moby/moby/pull/39135) [moby/moby#39209](https://github.com/moby/moby/pull/39209) +* Performance optimized in aufs and layer store for massively parallel container creation/removal. +[moby/moby#39107](https://github.com/moby/moby/pull/39107) +* Fixed [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack with +directory traversal. [moby/moby#39357](https://github.com/moby/moby/pull/39357) +* Windows: Support provided for `docker service create --limit-cpu`. +[moby/moby#39190](https://github.com/moby/moby/pull/39190) * Root is now passed to chroot for chroot Tar/Untar (CVE-2018-15664) [moby/moby#39292](https://github.com/moby/moby/pull/39292) * Fixed `docker --init` with /dev bind mount. [moby/moby#37665](https://github.com/moby/moby/pull/37665) * The right device number is now fetched when greater than 255 and using the `--device-read-bps` option. [moby/moby#39212](https://github.com/moby/moby/pull/39212) * Fixed `Path does not exist` error when path definitely exists. [moby/moby#39251](https://github.com/moby/moby/pull/39251) -* Fixed [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack with directory -traversal. [moby/moby#39357](https://github.com/moby/moby/pull/39357) - ### Networking 
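Review bot: after this hunk the 19.03.0 Runtime list names CVE-2018-15664 in two adjacent entries, `Fixed [CVE-2018-15664] ... [moby/moby#39357]` and `Root is now passed to chroot for chroot Tar/Untar (CVE-2018-15664) [moby/moby#39292]`; merge them into one entry citing both PRs, or make explicit that #39292 was the hardening and #39357 the fix. `Windows: Support provided for docker service create --limit-cpu` concerns a Swarm service flag and sits better under `### Swarm`; the same item is worded `fixed support for` in the 18.03.1-ee-9 and 18.09.7 sections added later in the series, so pick one wording.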
@@ -169,6 +171,9 @@ traversal. [moby/moby#39357](https://github.com/moby/moby/pull/39357) [docker/engine#213](https://github.com/docker/engine/pull/213) * Windows: Now forcing a nil IP specified in `PortBindings` to IPv4zero (0.0.0.0). [docker/libnetwork#2376](https://github.com/docker/libnetwork/pull/2376) +* Fixed changing host target port. If a service has the same number of host-mode published ports +with PublishedPort 0, changes to the spec now reflect in the service object. +[docker/swarmkit#2376](https://github.com/docker/swarmkit/pull/2376) ### Swarm From dd74c0e290747653ea0dee217de2a9cb17169e6f Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Thu, 20 Jun 2019 15:53:19 -0400 Subject: [PATCH 14/19] Updates for older releases --- engine/release-notes.md | 46 +++++++++++++++++++++++++++++++++-------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index 2cca3d4ee0..ae914ecf5b 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md 
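Review bot: `Fixed changing host target port. If a service has the same number of host-mode published ports with PublishedPort 0, changes to the spec now reflect in the service object.` is hard to parse; the 17.06.2-ee-22 wording added later in this series (`Fixes a bug where if a service has ... changes to the spec would not reflect in the service object`) is clearer, so use it here too. It is a swarmkit service-spec fix, so `### Swarm` fits better than `### Networking`, and the reference `docker/swarmkit#2376` has the same number as the `docker/libnetwork#2376` link directly above it; double-check that the swarmkit number is not a copy of the libnetwork one.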
@@ -149,11 +149,7 @@ fix: `api.go doesn't respect nsswitch.conf`. [moby/moby#38126](https://github.co * Bumped `runc` to 1.0.0-rc8, opencontainers/selinux v1.2.2. [docker/engine#210](https://github.com/docker/engine/pull/210) * Bumped `google.golang.org/grpc` to v1.20.1. [docker/engine#215](https://github.com/docker/engine/pull/215) * Performance optimized in aufs and layer store for massively parallel container creation/removal. -[moby/moby#39107](https://github.com/moby/moby/pull/39107) -* Fixed [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack with -directory traversal. [moby/moby#39357](https://github.com/moby/moby/pull/39357) -* Windows: Support provided for `docker service create --limit-cpu`. -[moby/moby#39190](https://github.com/moby/moby/pull/39190) +[moby/moby#39135](https://github.com/moby/moby/pull/39135) [moby/moby#39209](https://github.com/moby/moby/pull/39209) * Root is now passed to chroot for chroot Tar/Untar (CVE-2018-15664) [moby/moby#39292](https://github.com/moby/moby/pull/39292) * Fixed `docker --init` with /dev bind mount. [moby/moby#37665](https://github.com/moby/moby/pull/37665) @@ -171,9 +167,6 @@ directory traversal. [moby/moby#39357](https://github.com/moby/moby/pull/39357) [docker/engine#213](https://github.com/docker/engine/pull/213) * Windows: Now forcing a nil IP specified in `PortBindings` to IPv4zero (0.0.0.0). [docker/libnetwork#2376](https://github.com/docker/libnetwork/pull/2376) -* Fixed changing host target port. If a service has the same number of host-mode published ports -with PublishedPort 0, changes to the spec now reflect in the service object. -[docker/swarmkit#2376](https://github.com/docker/swarmkit/pull/2376) ### Swarm 
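Review bot: this hunk removes the CVE-2018-15664 fix (#39357) and the `--limit-cpu` entry from 19.03.0 and reverts the aufs performance reference to `#39135 #39209`, while the 18.03.1-ee-9, 17.06.2-ee-22 and 18.09.7 sections added in the same series all list #39357 and #39107. If 19.03.0 (dated 2019-07-10, after those 2019-06-25 releases) really ships without them, say so in the 19.03.0 known-issues entry; if the removal is only a branch-mapping correction, note that in the commit message so the next editor does not re-add them.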
@@ -198,7 +191,7 @@ with PublishedPort 0, changes to the spec now reflect in the service object. * Removed v1 manifest support, and removed `--disable-legacy-registry`. Pushing v1 manifests to registries is no longer possible, pushing schema v2 (or OCI) manifests is now the only possible option. However, -pulling v1 manifests is still possible. [moby/moby#39365](https://github.com/moby/moby/pull/39365) +pulling v1 manifests is still possible. [moby/moby#37874](https://github.com/moby/moby/pull/37874) * Removed v1.10 migrator. [moby/moby#38265](https://github.com/moby/moby/pull/38265) * Now skipping deprecated storage-drivers in auto-selection. [moby/moby#38019](https://github.com/moby/moby/pull/38019) * Deprecated AuFS storage driver, and added warning. [moby/moby#38090](https://github.com/moby/moby/pull/38090) @@ -551,6 +544,25 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d ## Older Docker Engine EE Release notes +## 18.03.1-ee-9 + +2019-06-25 + +### Client + +* Fixed annnotation on `docker config create --template-driver`. [docker/cli#1769](https://github.com/docker/cli/pull/1769) +* Fixed annnotation on `docker secret create --template-driver`. [docker/cli#1785](https://github.com/docker/cli/pull/1785) + +### Runtime + +* Performance optimized in aufs and layer store for massively parallel container creation/removal. +[moby/moby#39107](https://github.com/moby/moby/pull/39107) +* Windows: fixed support for `docker service create --limit-cpu`. +[moby/moby#39190](https://github.com/moby/moby/pull/39190) +* Now using original process spec for execs. [moby/moby#38871](https://github.com/moby/moby/pull/38871) +* Fixed [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack +with directory traversal. [moby/moby#39357](https://github.com/moby/moby/pull/39357) + ## 18.03.1-ee-8 2019-03-28 
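Review bot: `Fixed annnotation on docker config create --template-driver` and the matching `docker secret create` line both misspell `annotation` (three n's). `## 18.03.1-ee-9` uses the same `##` level as the `## Older Docker Engine EE Release notes` heading it is meant to sit under, so it renders as a sibling of that heading rather than a child; either demote the release headings below it or drop the container heading. `Windows: fixed support for docker service create --limit-cpu` is worded `Support provided for` / `provided support for` in the 19.03.0 and 17.06.2-ee-22 copies of the same item; keep one wording.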
@@ -687,6 +699,22 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d + Support for `--chown` with `COPY` and `ADD` in `Dockerfile`. + Added functionality for the `docker logs` command to include the output of multiple logging drivers. +## 17.06.2-ee-22 +2019-06-25 + +### Networking + +* Fixed changing host target port. Fixes a bug where if a service has the same number of host-mode published ports with PublishedPort 0, changes to the spec would not reflect in the service object. [docker/swarmkit#2376](https://github.com/docker/swarmkit/pull/2376) + +### Runtime + +* Performance optimized in aufs and layer store for massively parallel container creation/removal. +[moby/moby#39107](https://github.com/moby/moby/pull/39107) +* Fixed [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack with +directory traversal. [moby/moby#39357](https://github.com/moby/moby/pull/39357) +* Windows: provided support for `docker service create --limit-cpu`. +[moby/moby#39190](https://github.com/moby/moby/pull/39190) + ## 17.06.2-ee-21 2019-04-11 From ceef32af036a4326fb76311036d8418b28b525a0 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Sat, 22 Jun 2019 07:31:58 -0400 Subject: [PATCH 15/19] Added 18.09.7 updates --- engine/release-notes.md | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index ae914ecf5b..63fdcf0c6a 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md 
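Review bot: `## 17.06.2-ee-22` is followed directly by `2019-06-25` with no blank line, unlike `## 18.03.1-ee-9` in the previous hunk, which has one; match the layout. The Networking entry opens with two "Fix" sentences in a row (`Fixed changing host target port. Fixes a bug where ...`); drop the first and keep `Fixed a bug where ...`.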
@@ -229,7 +229,33 @@ intervals, for example, every minutes. - Use an older image and don't get updates. Examples of EUS images are here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#rhel-images-with-eus. - Import your own RHEL images into Azure and do not rely on the Extended Update Support (EUS) RHEL images. - Use a RHEL image that does not contain a minor version in the SKU. These are not attached to EUS repositories. Some examples of those are the first three images (SKUs: 7-RAW, 7-LVM, 7-RAW-CI) listed here : https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#list-of-rhel-images-available. - + +## 18.09.7 +2019-06-25 + +### Builder + +* Fixed panic when building dockerfiles containing only comments. +[moby/moby#38487](https://github.com/moby/moby/pull/38487) +* Builder: added workaround for gcr auth issue. [moby/moby#38246](https://github.com/moby/moby/pull/38246) +* Builder-next: fixed gcr workaround token cache. [moby/moby#39183](https://github.com/moby/moby/pull/39183) + +### Runtime + +* Performance optimized in aufs and layer store for massively parallel container creation/removal. +[moby/moby#39107](https://github.com/moby/moby/pull/39107) +* Updated to containerd 1.2.6. [moby/moby#39016](https://github.com/moby/moby/pull/39016) +* Fixed [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack with +directory traversal. [moby/moby#39357](https://github.com/moby/moby/pull/39357) +* Windows: fixed support for `docker service create --limit-cpu`. +[moby/moby#39190](https://github.com/moby/moby/pull/39190) +* Daemon: fixed mirrors validation. [moby/moby#38991](https://github.com/moby/moby/pull/38991) +* Stopped sorting uid and gid ranges in id maps. [moby/moby#39288](https://github.com/moby/moby/pull/39288) + +### Logging + +* Large log lines now allowed for logger plugins. [moby/moby#39038](https://github.com/moby/moby/pull/39038) + ## 18.09.6 2019-05-06 
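Review bot: the 18.09.7 Runtime list includes `Fixed [CVE-2018-15664] ... [moby/moby#39357]` but the section has no `### Known issues`, while the 19.03.0 known issues above attribute a `docker cp` regression (error when the source is `/`) to the CVE mitigation; if that regression ships with #39357, 18.09.7 needs the same known-issue line. `Builder: added workaround for gcr auth issue. [moby/moby#38246]` and `Builder-next: fixed gcr workaround token cache. [moby/moby#39183]` read as the same fix twice; if they are distinct, say what each one changes.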
From bcd23de596b6b0630fa84a02be2c7080d04a0636 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Sat, 22 Jun 2019 07:39:52 -0400 Subject: [PATCH 16/19] Added deprecation info --- engine/release-notes.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/engine/release-notes.md b/engine/release-notes.md index 63fdcf0c6a..947a0a833d 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md @@ -196,6 +196,11 @@ pulling v1 manifests is still possible. [moby/moby#37874](https://github.com/mob * Now skipping deprecated storage-drivers in auto-selection. [moby/moby#38019](https://github.com/moby/moby/pull/38019) * Deprecated AuFS storage driver, and added warning. [moby/moby#38090](https://github.com/moby/moby/pull/38090) * Removed support for 17.09. +* SLES12 is deprecated from Docker Enterprise 3.0, and EOL of SLES12 as an operating system will occur +in Docker Enterprise 3.1. Upgrade to SLES15 for continued support on Docker Enterprise. +* Windows 2016 is formally deprecated from Docker Enterprise 3.0. Only non-overlay networks are supported +on Windows 2016 in Docker Enterprise 3.0. EOL of Windows Server 2016 support will occur in Docker +Enterprise 3.1. Upgrade to Windows Server 2019 for continued support on Docker Enterprise. For more information on deprecated flags and APIs, refer to https://docs.docker.com/engine/deprecated/ for target removal dates. From 9154fc76289b0cdb3dfd4583e2f50deb9127098a Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Tue, 25 Jun 2019 08:15:15 -0400 Subject: [PATCH 17/19] Minor syntax fix --- engine/release-notes.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index 947a0a833d..c42b5f6d52 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md 
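Review bot: in the PATCH 16/19 Deprecation hunk, "EOL of SLES12 as an operating system will occur in Docker Enterprise 3.1" reads as if SLES12 itself reaches end of life; the point is that Docker Enterprise 3.1 ends support for it, so reword to something like "Support for SLES12 will be removed in Docker Enterprise 3.1." The Windows bullet switches between "Windows 2016" and "Windows Server 2016" within two sentences; use "Windows Server 2016" throughout.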
@@ -222,9 +222,9 @@ The missing rules are : sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT /sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ``` - - Workaround: Add these rules back using a script and cron definitions. The script must contain '-C' commands -to check for the presence of a rule and '-A' commands to add rules back. Run the script on a cron in regular -intervals, for example, every minutes. + - Workaround: Add these rules back using a script and cron definitions. The script must contain '-C' + commands to check for the presence of a rule and '-A' commands to add rules back. Run the script on a + cron in regular intervals, for example, every minutes. - Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0 * [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: `docker pause` container before doing file operations. [moby/moby#39252](https://github.com/moby/moby/pull/39252) * `docker cp` regression due to CVE mitigation. An error is produced when the source of `docker cp` is set to `/`. From 5d1c57932ed2d243795b64c5bfd8913e0562433f Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Tue, 25 Jun 2019 08:19:21 -0400 Subject: [PATCH 18/19] Minor syntax fixes --- engine/release-notes.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index c42b5f6d52..74d7bf49de 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md 
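Review bot: in the PATCH 17/19 hunk, the rewrapped Workaround lines are indented by two spaces while the fenced block just above them (the closing "```" in column 0) stays at the outer level, which ends the bullet list in Markdown, so the "- Workaround" and "- Affected versions" sub-items still render detached from the "Traffic cannot egress" item. The commit is a syntax fix, yet the one wording error in the moved text, "every minutes", is carried over unchanged; make it "every minute" or name the intended interval.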
@@ -218,22 +218,22 @@ error after being deployed. * Traffic cannot egress the HOST because of missing Iptables rules in the FORWARD chain The missing rules are : -``` -sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -/sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -``` - - Workaround: Add these rules back using a script and cron definitions. The script must contain '-C' - commands to check for the presence of a rule and '-A' commands to add rules back. Run the script on a - cron in regular intervals, for example, every minutes. + ``` + sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + /sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + ``` + - Workaround: Add these rules back using a script and cron definitions. The script + must contain '-C' commands to check for the presence of a rule and '-A' commands to add + rules back. Run the script on a cron in regular intervals, for example, every minutes. - Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0 * [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: `docker pause` container before doing file operations. [moby/moby#39252](https://github.com/moby/moby/pull/39252) * `docker cp` regression due to CVE mitigation. An error is produced when the source of `docker cp` is set to `/`. * Install Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6. -- Workaround options: - - Use an older image and don't get updates. 
Examples of EUS images are here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#rhel-images-with-eus. - - Import your own RHEL images into Azure and do not rely on the Extended Update Support (EUS) RHEL images. - - Use a RHEL image that does not contain a minor version in the SKU. These are not attached to EUS repositories. Some examples of those are the first three images (SKUs: 7-RAW, 7-LVM, 7-RAW-CI) listed here : https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#list-of-rhel-images-available. + - Workaround options: + - Use an older image and don't get updates. Examples of EUS images are here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#rhel-images-with-eus. + - Import your own RHEL images into Azure and do not rely on the Extended Update Support (EUS) RHEL images. + - Use a RHEL image that does not contain a minor version in the SKU. These are not attached to EUS repositories. Some examples of those are the first three images (SKUs: 7-RAW, 7-LVM, 7-RAW-CI) listed here : https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#list-of-rhel-images-available. ## 18.09.7 2019-06-25 From 227793a1cbd87b19f21fe4c317a0a168a65f82c6 Mon Sep 17 00:00:00 2001 From: Adrian Plata <51415348+adrian-plata@users.noreply.github.com> Date: Tue, 2 Jul 2019 17:01:06 -0700 Subject: [PATCH 19/19] Updated release notes --- engine/release-notes.md | 33 +++++---------------------------- 1 file changed, 5 insertions(+), 28 deletions(-) diff --git a/engine/release-notes.md b/engine/release-notes.md index cb1ffc80f4..44e9575e78 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md 
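Review bot: in the PATCH 18/19 known-issues hunk, the re-added first iptables line still reads "sbin/iptables --wait -C FORWARD -o docker_gwbridge ..." without the leading "/", unlike the second line ("/sbin/iptables ..."); since this hunk rewrites both lines anyway, fix the path here. Both commands also use `-C`, which only checks whether a rule is present, yet the text introduces them as "The missing rules are"; either show the `-A FORWARD ...` form that the workaround script is meant to add, or reword to say these are the checks that fail when the rules are absent. "every minutes" is carried over unchanged for a second time.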
@@ -9,24 +9,6 @@ redirect_from: - /release-notes/docker-ce/ --- -----DELETE BEFORE MERGING -Contents include https://github.com/docker/docker-ce/blob/v19.03.0-rc2/CHANGELOG.md as of 6/12: -https://docker.atlassian.net/browse/ENGCORE-839 -https://docker.atlassian.net/browse/ENGCORE-834 -https://docker.atlassian.net/browse/ENGORC-1243 -https://docker.atlassian.net/browse/ENGCORE-686 MIGHT BE INTERNAL ONLY -https://docker.atlassian.net/browse/ENGCORE-810 - added to UCP known issues -https://docker.atlassian.net/browse/ENGPGM-115 - Swarm info added to known issues -https://docker.atlassian.net/browse/TAR-850 - added - -Are these no longer valid? - ### Client -* Deprecated legacy overlay storage driver. [docker/cli#1425](https://github.com/docker/cli/pull/1425) -* Deprecated "devicemapper" storage driver. [docker/cli#1424](https://github.com/docker/cli/pull/1424) -* Build: add SSH agent socket forwarder (`docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK`) -[docker/cli#1419](https://github.com/docker/cli/pull/1419) -END OF DELETE BEFORE MERGING-------- - This document describes the latest changes, additions, known issues, and fixes for Docker Engine Enterprise (Docker EE). 
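Review bot: the scratch block removed in this PATCH 19/19 hunk still carries an open question ("Are these no longer valid?") about three Client items: the legacy overlay and devicemapper storage-driver deprecations (docker/cli#1425, docker/cli#1424) and the `docker build --ssh` agent socket forwarder (docker/cli#1419). None of them appears in the added lines of this patch, so confirm they were deliberately dropped or recorded elsewhere rather than lost with the scratch block, and check that no other "DELETE BEFORE MERGING" marker remains in the file.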
@@ -67,24 +49,21 @@ in which new features cannot be adopted as quickly for consistency and compatibi * Added support for Data Path Port configuration. [docker/cli#1509](https://github.com/docker/cli/pull/1509) * Added fast context switch: commands. [docker/cli#1501](https://github.com/docker/cli/pull/1501) * Support added for `--mount type=bind,bind-nonrecursive,...` [docker/cli#1430](https://github.com/docker/cli/pull/1430) -* Added maximum replicas per node support to stack version 3.8. [docker/cli#1410](https://github.com/docker/cli/pull/1410) +* Added maximum replicas per node. [docker/cli#1612](https://github.com/docker/cli/pull/1612) * Added option to pull images quietly. [docker/cli#882](https://github.com/docker/cli/pull/882) * Added a separate `--domainname` flag. [docker/cli#1130](https://github.com/docker/cli/pull/1130) -* Added `--from` flag to `context create`. [docker/cli#1773](https://github.com/docker/cli/pull/1773) * Added support for secret drivers in `docker stack deploy`. [docker/cli#1783](https://github.com/docker/cli/pull/1783) * Added ability to use swarm `Configs` as `CredentialSpecs` on services. [docker/cli#1781](https://github.com/docker/cli/pull/1781) * Added `--security-opt systempaths=unconfined` support. [docker/cli#1808](https://github.com/docker/cli/pull/1808) * Added basic framework for writing and running CLI plugins. [docker/cli#1564](https://github.com/docker/cli/pull/1564) -* Cli-plugins: added concept of experimental plugin, only enabled in experimental mode. -[docker/cli#1898](https://github.com/docker/cli/pull/1898) + [docker/cli#1898](https://github.com/docker/cli/pull/1898) * Bumped Docker App to v0.8.0. [docker/docker-ce-packaging#341](https://github.com/docker/docker-ce-packaging/pull/341) * Added support for Docker buildx. [docker/docker-ce-packaging#336](https://github.com/docker/docker-ce-packaging/pull/336) * Added support for Docker Assemble v0.36.0. * Added support for Docker Cluster v1.0.0-rc2. 
* Added support for Docker Template v0.1.4. * Added support for Docker Registry v0.1.0-rc1. -* Updated buildkit. [docker/cli#1804](https://github.com/docker/cli/pull/1804) * Bumped google.golang.org/grpc to v1.20.1. [docker/cli#1884](https://github.com/docker/cli/pull/1884) * CLI changed to pass driver specific options to `docker run`. [docker/cli#1767](https://github.com/docker/cli/pull/1767) * Bumped Golang 1.12.5. [docker/cli#1875](https://github.com/docker/cli/pull/1875) @@ -94,7 +73,6 @@ in which new features cannot be adopted as quickly for consistency and compatibi compose-files service configs. [docker/cli#1617](https://github.com/docker/cli/pull/1617) * (Experimental) When targeting Kubernetes, added support for `x-pull-policy: ` in compose-files service configs. [docker/cli#1617](https://github.com/docker/cli/pull/1617) -* Added support for maximum replicas per node without stack. [docker/cli#1612](https://github.com/docker/cli/pull/1612) * cp, save, export: Now preventing overwriting irregular files. [docker/cli#1515](https://github.com/docker/cli/pull/1515) * npipe volume type on stack file now allowed. [docker/cli#1195](https://github.com/docker/cli/pull/1195) * Fixed tty initial size error. [docker/cli#1529](https://github.com/docker/cli/pull/1529) 
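Review bot: in the @@ -67,24 +49,21 @@ hunk, removing the "Cli-plugins: added concept of experimental plugin, only enabled in experimental mode." bullet while keeping its link line leaves "  [docker/cli#1898](https://github.com/docker/cli/pull/1898)" dangling as an indented continuation of the previous bullet, so the "Added basic framework for writing and running CLI plugins" item now ends with two unrelated PR links; either drop the #1898 line too or restore the bullet text it belongs to. The same hunk also deletes the "`--from` flag to `context create`" (docker/cli#1773) and "Updated buildkit" (docker/cli#1804) entries with no replacement; if those did not land in 19.03.0 that is fine, but the commit message ("Updated release notes") gives no reason, so say why in the PR.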
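Review bot: in the @@ -94,7 +73,6 @@ hunk, deleting "Added support for maximum replicas per node without stack." (docker/cli#1612) is only a de-duplication because the earlier hunk rewrote the stack-file bullet to cite #1612; that rewrite dropped the docker/cli#1410 reference (maximum replicas per node in stack version 3.8), which was a separate change. Keep both links on the surviving bullet, e.g. "* Added maximum replicas per node. [docker/cli#1410](https://github.com/docker/cli/pull/1410) [docker/cli#1612](https://github.com/docker/cli/pull/1612)", so neither PR disappears from the notes.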
@@ -189,12 +167,11 @@ fix: `api.go doesn't respect nsswitch.conf`. [moby/moby#38126](https://github.co ### Deprecation -* Removed v1 manifest support, and removed `--disable-legacy-registry`. Pushing v1 manifests to registries -is no longer possible, pushing schema v2 (or OCI) manifests is now the only possible option. However, -pulling v1 manifests is still possible. [moby/moby#37874](https://github.com/moby/moby/pull/37874) +* Deprecate image manifest v2 schema1 in favor of v2 schema2. Future version of Docker will remove +support for v2 schema1 althogether. [moby/moby#39365](https://github.com/moby/moby/pull/39365) * Removed v1.10 migrator. [moby/moby#38265](https://github.com/moby/moby/pull/38265) * Now skipping deprecated storage-drivers in auto-selection. [moby/moby#38019](https://github.com/moby/moby/pull/38019) -* Deprecated AuFS storage driver, and added warning. [moby/moby#38090](https://github.com/moby/moby/pull/38090) +* Deprecated `aufs` storage driver and added warning. [moby/moby#38090](https://github.com/moby/moby/pull/38090) * Removed support for 17.09. * SLES12 is deprecated from Docker Enterprise 3.0, and EOL of SLES12 as an operating system will occur in Docker Enterprise 3.1. Upgrade to SLES15 for continued support on Docker Enterprise.
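Review bot: the added Deprecation bullet has a typo ("althogether" should be "altogether") and is in the present tense ("Deprecate image manifest v2 schema1 ...") while every other bullet in the section is past tense ("Deprecated ...", "Removed ..."); "Future version of Docker will remove" should also read "Future versions of Docker will remove". The replaced text additionally recorded that `--disable-legacy-registry` was removed and that pushing v1 manifests is no longer possible (moby/moby#37874); if that is still accurate for 19.03, keep it as its own bullet rather than folding it into the schema1 deprecation.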