diff --git a/ee/ucp/release-notes.md b/ee/ucp/release-notes.md index 1dfc3b523d..c330c0cd04 100644 --- a/ee/ucp/release-notes.md +++ b/ee/ucp/release-notes.md @@ -20,15 +20,43 @@ upgrade your installation to the latest release. * [Version 3.0](#version-30) * [Version 2.2](#version-22) -**Note**: For archived versions of UCP documentation, refer to [View the docs archives](https://docs.docker.com/docsarchive/). +**Note:** For archived versions of UCP documentation, [view the docs archives](https://docs.docker.com/docsarchive/). # Version 3.2 +## 3.2.2 +2019-10-08 + +### UI +* Fixes a UI issue that caused incorrect line breaks at pre-logon banner notification (ENGORC-2678) +* Users have an option to store sessionToken per window tab session. (ENGORC-2597) + +### Kubernetes +* Kubernetes has been upgraded to version 1.14.7. +* Enabled Kubernetes Node Authorizer Plugin. (ENGORC-2652) + +### Networking +* Interlock has been upgraded to version 3.0.0. (ENGCORE-792) + +### Bug fixes +* Upgraded RethinkDB Go Client to v5. (ENGORC-2704) +* Fixes an issue that caused slow response with increasing number of collections. (ENGORC-2638) + +### Components + +| Component | Version | +| --------------------- | ------- | +| UCP | 3.2.2 | +| Kubernetes | 1.14.7 | +| Calico | 3.8.2 | +| Interlock | 3.0.0 | +| Interlock NGINX proxy | 1.14.2 | + ## 3.2.1 2019-09-03 ### Bug fixes -* Fixed an issue where UCP did not install on GCP due to missing metadata.google.internal in /etc/hosts +* Fixes an issue where UCP did not install on GCP due to missing metadata.google.internal in /etc/hosts ### Kubernetes * Kubernetes has been upgraded to version 1.14.6. 
@@ -36,22 +64,24 @@ upgrade your installation to the latest release. than 1 replica by default. ### Networking -* Calico has been upgraded to version 3.8.2. For more information see the [Calico Release +* Calico has been upgraded to version 3.8.2. For more information, see the [Calico Release Notes](https://docs.projectcalico.org/v3.8/release-notes/). * Interlock has been upgraded to version 2.6.1. * The `azure-ip-count` variable is now exposed at install time, allowing a User to customize the number of IP addresses UCP provisions for each node. Additional information can be found - [here](/ee/ucp/admin/install/cloudproviders/install-on-azure/#adjust-the-ip-count-value) + [here](/ee/ucp/admin/install/cloudproviders/install-on-azure/#adjust-the-ip-count-value). ### Security * Upgraded Golang to 1.12.9. * Added CSP header to prevent cross-site scripting attacks (XSS) ### Bootstrap -* Fixed various issues in install, uninstall, backup and restore when UCP +* Fixes various issues in install, uninstall, backup, and restore when UCP Telemetry data had been disabled. (ENGORC-2593) +### Components + | Component | Version | | --------------------- | ------- | | UCP | 3.2.1 | 
@@ -112,21 +142,15 @@ more information see ### Deprecations The following features are deprecated in UCP 3.2: -- Collections - - The ability to create a nested collection of more than 2 layers deep within the root /Swarm/collection is - now deprecated and will not be included in future versions of the product. However, current nested collections - with more than 2 layers are still retained. - - Docker recommends a maximum of two layers when creating collections within UCP under the shared cluster - collection designated as /Swarm/. For example, if a production collection called /Swarm/production is created - under the shared cluster collection /Swarm/, only one level of nesting should be created, for - example, /Swarm/production/app/. See Nested collections for more details. -- UCP `stop` and `restart` - - Additional upgrade functionality has been included which eliminates the need for these commands. -- `ucp-agent-pause` - - `ucp-agent-pause` is no longer supported. To pause UCP reconciliation on a specific node, for example, when repairing unhealthy `etcd` or `rethinkdb` replicas, you can use swarm node labels as shown in the following example: - ``` - docker node update --label-add com.docker.ucp.agent-pause=true - ``` +#### Collections + +- The ability to create a nested collection of more than 2 layers deep within the root /Swarm/collection is now deprecated and will not be included in future versions of the product. However, current nested collections with more than 2 layers are still retained. +- Docker recommends a maximum of two layers when creating collections within UCP under the shared cluster collection designated as /Swarm/. For example, if a production collection called /Swarm/production is created under the shared cluster collection /Swarm/, only one level of nesting should be created, for example, /Swarm/production/app/. See Nested collections for more details. +- UCP `stop` and `restart`. 
Additional upgrade functionality has been included which eliminates the need for these commands. +- `ucp-agent-pause` is no longer supported. To pause UCP reconciliation on a specific node, for example, when repairing unhealthy `etcd` or `rethinkdb` replicas, you can use swarm node labels as shown in the following example: +``` +docker node update --label-add com.docker.ucp.agent-pause=true +``` - Windows 2016 is formally deprecated from Docker Enterprise 3.0. EOL of Windows Server 2016 support will occur in Docker Enterprise 3.1. Upgrade to Windows Server 2019 for continued support on Docker Enterprise. - Support for updating the UCP config with `docker service update ucp-manager-agent --config-add ...` 
@@ -138,87 +162,54 @@ Refer to [UCP backup information](/ee/admin/backup/back-up-ucp/) for detailed UC If your cluster has lost quorum and you cannot recover it on your own, please contact Docker Support. -- Browser support +#### Browser support + In order to optimize user experience and security, support for Internet Explorer (IE) version 11 is not provided for Windows 7 with UCP version 3.2. Docker recommends updating to a newer browser version if you plan to use UCP 3.2, or remaining on UCP 3.1.x or older until EOL of IE11 in January 2020. -- Kubernetes +### Kubernetes - - Integrated Kubernetes Ingress - - You can now dynamiclly deploy L7 routes for applications, scale out multi-tenant ingress for shared clusters, - and give applications TLS termination, path-based routing, and high-performance L7 load-balancing in a - centralized and controlled manner. +- Integrated Kubernetes Ingress +- You can now dynamically deploy L7 routes for applications, scale out multi-tenant ingress for shared clusters, and give applications TLS termination, path-based routing, and high-performance L7 load-balancing in a centralized and controlled manner. +- Updated Kubernetes to version 1.14. - - Updated Kubernetes to version 1.14. - - - Enhancements: - - PodShareProcessNamespace - - - The PodShareProcessNamespace feature, available by default, configures PID namespace sharing within a pod. See [Share Process Namespace between Containers in a Pod](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) for more information. - - https://github.com/kubernetes/kubernetes/pull/66507 - - Volume Dynamic Provisioning - - Combined `VolumeScheduling` and `DynamicProvisioningScheduling`. - - Added allowedTopologies description in kubectl. - - ACTION REQUIRED: The DynamicProvisioningScheduling alpha feature gate has been removed. The VolumeScheduling beta feature gate is still required for this feature. 
- https://github.com/kubernetes/kubernetes/pull/67432 - - TokenRequest and TokenRequestProjection - - Enable these features by starting the API server with the following flags: - * --service-account-issuer - * --service-account-signing-key-file - * --service-account-api-audiences - - https://github.com/kubernetes/kubernetes/pull/67349 - - Removed `--cadvisor-port flag` from kubelet - - - ACTION REQUIRED: The cAdvisor web UI that the kubelet started using `--cadvisor-port` was removed - in 1.12. If cAdvisor is needed, run it via a DaemonSet. - - https://github.com/kubernetes/kubernetes/pull/65707 - - Support for Out-of-tree CSI Volume Plugins (stable) with API - - - Allows volume plugins to be developed out-of-tree. - - Not require building volume plugins (or their dependencies) into Kubernetes binaries. - - Not requiring direct machine access to deploy new volume plugins (drivers). - - https://github.com/kubernetes/enhancements/issues/178 - - Server-side Apply leveraged by the UCP GUI for the yaml create page - - - Moved "apply" and declarative object management from kubectl to the apiserver. Added "field ownership". - - https://github.com/kubernetes/enhancements/issues/555 - - The PodPriority admission plugin - - - For `kube-apiserver`, the `Priority` admission plugin is now enabled by default when using `--enable-admission-plugins`. If using `--admission-control` to fully specify the set of admission plugins, the `Priority` admission plugin should be added if using the `PodPriority` feature, which is enabled by default in 1.11. 
- - The priority admission plugin: - - Allows pod creation to include an explicit priority field if it matches the computed - priority (allows export/import cases to continue to work on the same cluster, between - clusters that match priorityClass values, and between clusters where priority is unused - and all pods get priority:0) - - Preserves existing priority if a pod update does not include a priority value and the old - pod did (allows POST, PUT, PUT, PUT workflows to continue to work, with the admission-set value - on create being preserved by the admission plugin on update) - - https://github.com/kubernetes/kubernetes/pull/65739 - - Volume Topology - - - Made the scheduler aware of a Pod's volume's topology constraints, such as zone or node. - - https://github.com/kubernetes/enhancements/issues/490 - - Docs pr here: kubernetes/website#10736 - - Admin RBAC role and edit RBAC roles - - The admin RBAC role is aggregated from edit and view. The edit RBAC role is aggregated from a - separate edit and view. - - https://github.com/kubernetes/kubernetes/pull/66684 - - API - - `autoscaling/v2beta2` and `custom_metrics/v1beta2` implement metric selectors for Object and Pods - metrics, as well as allow AverageValue targets on Objects, similar to External metrics. - - https://github.com/kubernetes/kubernetes/pull/64097 - - Version updates - - Client-go libraries bump - - ACTION REQUIRED: the API server and client-go libraries support additional non-alpha-numeric - characters in UserInfo "extra" data keys. Both support extra data containing "/" characters or - other characters disallowed in HTTP headers. - - Old clients sending keys that were %-escaped by the user have their values unescaped by new API servers. - New clients sending keys containing illegal characters (or "%") to old API servers do not have their values unescaped. - - https://github.com/kubernetes/kubernetes/pull/65799 - - audit.k8s.io API group bump - - The audit.k8s.io API group has been bumped to v1. 
- - Deprecated element metav1.ObjectMeta and Timestamp are removed from audit Events in v1 version. - - Default value of option --audit-webhook-version and --audit-log-version are changed from `audit.k8s.io/v1beta1` to `audit.k8s.io/v1`. - - https://github.com/kubernetes/kubernetes/pull/65891 +#### Enhancements +- PodShareProcessNamespace + - The PodShareProcessNamespace feature, available by default, configures PID namespace sharing within a pod. See [Share Process Namespace between Containers in a Pod](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) for more information. [kubernetes #66507](https://github.com/kubernetes/kubernetes/pull/66507) +- Volume Dynamic Provisioning + - Combined `VolumeScheduling` and `DynamicProvisioningScheduling`. + - Added allowedTopologies description in kubectl. + - ACTION REQUIRED: The DynamicProvisioningScheduling alpha feature gate has been removed. The VolumeScheduling beta feature gate is still required for this feature. [kubernetes #67432](https://github.com/kubernetes/kubernetes/pull/67432) +- TokenRequest and TokenRequestProjection [kubernetes #67349](https://github.com/kubernetes/kubernetes/pull/67349) + - Enable these features by starting the API server with the following flags: + - `--service-account-issuer` + - `--service-account-signing-key-file` + - `--service-account-api-audiences` +- Removed `--cadvisor-port flag` from kubelet + - ACTION REQUIRED: The cAdvisor web UI that the kubelet started using `--cadvisor-port` was removed in 1.12. If cAdvisor is needed, run it via a DaemonSet. [kubernetes #65707](https://github.com/kubernetes/kubernetes/pull/65707) +- Support for Out-of-tree CSI Volume Plugins (stable) with API + - Allows volume plugins to be developed out-of-tree. + - Not requiring building volume plugins (or their dependencies) into Kubernetes binaries. + - Not requiring direct machine access to deploy new volume plugins (drivers). 
[kubernetes #178](https://github.com/kubernetes/enhancements/issues/178) +- Server-side Apply leveraged by the UCP GUI for the yaml create page + - Moved "apply" and declarative object management from kubectl to the apiserver. Added "field ownership". [kubernetes #555](https://github.com/kubernetes/enhancements/issues/555) +- The PodPriority admission plugin + - For `kube-apiserver`, the `Priority` admission plugin is now enabled by default when using `--enable-admission-plugins`. If using `--admission-control` to fully specify the set of admission plugins, the `Priority` admission plugin should be added if using the `PodPriority` feature, which is enabled by default in 1.11. + - Allows pod creation to include an explicit priority field if it matches the computed priority (allows export/import cases to continue to work on the same cluster, between clusters that match priorityClass values, and between clusters where priority is unused and all pods get priority:0) + - Preserves existing priority if a pod update does not include a priority value and the old pod did (allows POST, PUT, PUT, PUT workflows to continue to work, with the admission-set value on create being preserved by the admission plugin on update). [kubernetes #65739](https://github.com/kubernetes/kubernetes/pull/65739) +- Volume Topology + - Made the scheduler aware of a Pod's volume's topology constraints, such as zone or node. [kubernetes #490](https://github.com/kubernetes/enhancements/issues/490) + - Admin RBAC role and edit RBAC roles + - The admin RBAC role is aggregated from edit and view. The edit RBAC role is aggregated from a separate edit and view. [kubernetes #66684](https://github.com/kubernetes/kubernetes/pull/66684) +- API + - `autoscaling/v2beta2` and `custom_metrics/v1beta2` implement metric selectors for Object and Pods metrics, as well as allow AverageValue targets on Objects, similar to External metrics. 
[kubernetes #64097](https://github.com/kubernetes/kubernetes/pull/64097) +- Version updates + - Client-go libraries bump + - ACTION REQUIRED: the API server and client-go libraries support additional non-alpha-numeric characters in UserInfo "extra" data keys. Both support extra data containing "/" characters or other characters disallowed in HTTP headers. + - Old clients sending keys that were %-escaped by the user have their values unescaped by new API servers. New clients sending keys containing illegal characters (or "%") to old API servers do not have their values unescaped. [kubernetes #65799](https://github.com/kubernetes/kubernetes/pull/65799) + - audit.k8s.io API group bump. The audit.k8s.io API group has been bumped to v1. + - Deprecated element metav1.ObjectMeta and Timestamp are removed from audit Events in v1 version. + - Default value of option `--audit-webhook-version` and `--audit-log-version` are changed from `audit.k8s.io/v1beta1` to `audit.k8s.io/v1`. [kubernetes #65891](https://github.com/kubernetes/kubernetes/pull/65891) ### Known issues @@ -361,7 +352,7 @@ In order to optimize user experience and security, support for Internet Explorer -testkit-4DA6F6-sles-2 Shutdown Complete 7 minutes ago ``` - 4. Switch cluster to run kubernetes workloads. Your cluster is now set to run iSCSI workloads. + 4. Switch cluster to run Kubernetes workloads. Your cluster is now set to run iSCSI workloads. ### Components 
@@ -375,6 +366,29 @@ In order to optimize user experience and security, support for Internet Explorer # Version 3.1 +## 3.1.11 +2019-10-08 + +### Bug fixes +* Upgraded RethinkDB Go Client to v5. (ENGORC-2704) +* Fixes an issue that caused slow response with increasing number of collections. (ENGORC-2638) + +### Kubernetes +* Enabled Kubernetes Node Authorizer Plugin. (ENGORC-2652) + +### Networking +* Interlock has been upgraded to version 3.0.0. (ENGCORE-792) + +### Components + +| Component | Version | +| --------------------- | ------- | +| UCP | 3.1.11 | +| Kubernetes | 1.11.10 | +| Calico | 3.8.2 | +| Interlock | 3.0.0 | +| Interlock NGINX proxy | 1.14.2 | + ## 3.1.10 2019-09-03 @@ -412,7 +426,7 @@ In order to optimize user experience and security, support for Internet Explorer ### Bug fixes * Added toleration to calico-node DaemonSet so it can run on all nodes in the cluster -* Fixed an issue where sensitive command line arguments provided to the UCP installer command were also printed in the debug logs. +* Fixes an issue where sensitive command line arguments provided to the UCP installer command were also printed in the debug logs. * Added a restrictive `robots.txt` to the root of the UCP API server. ### Known issues @@ -436,7 +450,7 @@ In order to optimize user experience and security, support for Internet Explorer | UCP | 3.1.9 | | Kubernetes | 1.11.10 | | Calico | 3.5.3 | -| Interlock (nginx) | 1.14.0 | +| Interlock (NGINX) | 1.14.0 | ## 3.1.8 2019-06-27 @@ -470,7 +484,7 @@ In order to optimize user experience and security, support for Internet Explorer ### Bug fixes * Added a migration logic to remove all actions on `pods/exec` and `pods/attach` Kubernetes subresource from the migrated UCP View-Only role. (ENGORC-2434) -* Fixed an issue that allows unauthenticated user to list directories. (ENGORC-2175) +* Fixes an issue that allows unauthenticated user to list directories. (ENGORC-2175) ### Deprecated platforms 
@@ -499,7 +513,7 @@ In order to optimize user experience and security, support for Internet Explorer | UCP | 3.1.8 | | Kubernetes | 1.11.10 | | Calico | 3.5.3 | -| Interlock (nginx) | 1.14.0 | +| Interlock (NGINX) | 1.14.0 | ## 3.1.7 2019-05-06 @@ -532,7 +546,7 @@ In order to optimize user experience and security, support for Internet Explorer | UCP | 3.1.7 | | Kubernetes | 1.11.9 | | Calico | 3.5.3 | -| Interlock (nginx) | 1.14.0 | +| Interlock (NGINX) | 1.14.0 | ## 3.1.6 2019-04-11 
@@ -549,7 +563,7 @@ In order to optimize user experience and security, support for Internet Explorer ### Known issues * Upgrading from UCP `3.1.4` to `3.1.5` causes missing Swarm placement constraints banner for some Swarm services (ENGORC-2191). This can cause Swarm services to run unexpectedly on Kubernetes nodes. See https://www.docker.com/ddc-41 for more information. - Workaround: Delete any `ucp-*-s390x` Swarm services. For example, `ucp-auth-api-s390x`. -* There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during uprades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about about upgrading Docker Enterprise to version 2.1, see [Upgrade Docker](../upgrade). +* There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about about upgrading Docker Enterprise to version 2.1, see [Upgrade Docker](../upgrade). * To deploy Pods with containers using Restricted Parameters, the user must be an admin and a service account must explicitly have a **ClusterRoleBinding** with `cluster-admin` as the **ClusterRole**. Restricted Parameters on Containers include: * Host Bind Mounts * Privileged Mode @@ -568,7 +582,7 @@ In order to optimize user experience and security, support for Internet Explorer | UCP | 3.1.6 | | Kubernetes | 1.11.9 | | Calico | 3.5.3 | -| Interlock (nginx) | 1.14.0 | +| Interlock (NGINX) | 1.14.0 | ## 3.1.5 2019-03-28 
@@ -588,13 +602,13 @@ In order to optimize user experience and security, support for Internet Explorer ### Bug fixes * Changed Interlock proxy service default `update-action-failure` to rollback. (ENGCORE-117) * Added validation for service configuration label values. (ENGCORE-114) -* Fixed an issue with continuous interlock reconciliation if `ucp-interlock` service image does not match expected version. (ENGORC-2081) +* Fixes an issue with continuous interlock reconciliation if `ucp-interlock` service image does not match expected version. (ENGORC-2081) ### Known issues * Upgrading from UCP 3.1.4 to 3.1.5 causes missing Swarm placement constraints banner for some Swarm services (ENGORC-2191). This can cause Swarm services to run unexpectedly on Kubernetes nodes. See https://www.docker.com/ddc-41 for more information. - Workaround: Delete any `ucp-*-s390x` Swarm services. For example, `ucp-auth-api-s390x`. -* There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during uprades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about about upgrading Docker Enterprise to version 2.1, see [Upgrade Docker](../upgrade) +* There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about about upgrading Docker Enterprise to version 2.1, see [Upgrade Docker](../upgrade). * To deploy Pods with containers using Restricted Parameters, the user must be an admin and a service account must explicitly have a **ClusterRoleBinding** with `cluster-admin` as the **ClusterRole**. Restricted Parameters on Containers include: * Host Bind Mounts * Privileged Mode 
@@ -613,7 +627,7 @@ In order to optimize user experience and security, support for Internet Explorer | UCP | 3.1.5 | | Kubernetes | 1.11.8 | | Calico | 3.5.2 | -| Interlock (nginx) | 1.14.0 | +| Interlock (NGINX) | 1.14.0 | ## 3.1.4 @@ -628,11 +642,11 @@ In order to optimize user experience and security, support for Internet Explorer ### Bug fixes * Bump the Golang version that is used to build UCP to version 1.10.8. (docker/orca#16068) -* Fixed an issue that caused UCP upgrade failure to upgrade with Interlock deployment. (docker/orca#16009) -* Fixed an issue that caused ucp-agent(s) on worker nodes to constantly reboot when audit logging is enabled. (docker/orca#16122) -* Fixed an issue to ensure that non-admin user actions (with the RestrictedControl role) against RBAC resources are read-only. (docker/orca#16121) -* Fixed an issue to prevent UCP users from updating services with a port that conflicts with the UCP controller port. (escalation#855) -* Fixed an issue to validate Calico certs expiration dates and update accordingly. (escalation#981) +* Fixes an issue that caused UCP upgrade failure to upgrade with Interlock deployment. (docker/orca#16009) +* Fixes an issue that caused ucp-agent(s) on worker nodes to constantly reboot when audit logging is enabled. (docker/orca#16122) +* Fixes an issue to ensure that non-admin user actions (with the RestrictedControl role) against RBAC resources are read-only. (docker/orca#16121) +* Fixes an issue to prevent UCP users from updating services with a port that conflicts with the UCP controller port. (escalation#855) +* Fixes an issue to validate Calico certs expiration dates and update accordingly. (escalation#981) * Kubelet no longer deletes images, starting with the oldest unused images, after exceeding 85% disk space utilization. This was an issue in air-gapped environments. (docker/orca#16082) ### Enhancements 
@@ -641,7 +655,7 @@ In order to optimize user experience and security, support for Internet Explorer ### Known issues * Newly added Windows node reports "Awaiting healthy status in classic node inventory". [Learn more](https://success.docker.com/article/newly-added-windows-node-reports-awaiting-healthy-status-in-classic-node-inventory). -* There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during uprades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about about upgrading Docker Enterprise to version 2.1, see [Upgrade Docker](../upgrade) +* There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about about upgrading Docker Enterprise to version 2.1, see [Upgrade Docker](../upgrade). * In the UCP web interface, LDAP settings disappear after submitting them. However, the settings are properly saved. (docker/orca#15503) * To deploy Pods with containers using Restricted Parameters, the user must be an admin and a service account must explicitly have a **ClusterRoleBinding** with `cluster-admin` as the **ClusterRole**. Restricted Parameters on Containers include: * Host Bind Mounts @@ -661,7 +675,7 @@ In order to optimize user experience and security, support for Internet Explorer | UCP | 3.1.4 | | Kubernetes | 1.11.7 | | Calico | 3.5.0 | -| Interlock (nginx) | 1.14.0 | +| Interlock (NGINX) | 1.14.0 | ## 3.1.3 
@@ -676,14 +690,14 @@ In order to optimize user experience and security, support for Internet Explorer * Upgraded Calico to version 3.5. (#15884) ### Bug fixes - * Fixed system hang following UCP backup and docker daemon shutdown. (docker/escalation#841) + * Fixes system hang following UCP backup and docker daemon shutdown. (docker/escalation#841) * Non-admin users can no longer create `PersistentVolumes` using the `Local` Storage Class, as this allowed non-admins to by pass security controls and mount host directories. (docker/orca#15936) * Added support for the limit arg in `docker ps`. (docker/orca#15812) - * Fixed an issue with ucp-proxy health check. (docker/orca#15814, docker/orca#15813, docker/orca#16021, docker/orca#15811) - * Fixed an issue with manual creation of a **ClusterRoleBinding** or **RoleBinding** for `User` or `Group` subjects requiring the ID of the user, organization, or team. (docker/orca#14935) - * Fixed an issue in which Kube Rolebindings only worked on UCP User ID and not UCP username. (docker/orca#14935) + * Fixes an issue with ucp-proxy health check. (docker/orca#15814, docker/orca#15813, docker/orca#16021, docker/orca#15811) + * Fixes an issue with manual creation of a **ClusterRoleBinding** or **RoleBinding** for `User` or `Group` subjects requiring the ID of the user, organization, or team. (docker/orca#14935) + * Fixes an issue in which Kube Rolebindings only worked on UCP User ID and not UCP username. (docker/orca#14935) ### Known issue * By default, Kubelet begins deleting images, starting with the oldest unused images, after exceeding 85% disk space utilization. This causes an issue in an air-gapped environment. (docker/orca#16082) @@ -695,7 +709,7 @@ In order to optimize user experience and security, support for Internet Explorer | UCP | 3.1.3 | | Kubernetes | 1.11.5 | | Calico | 3.5.0 | -| Interlock (nginx) | 1.14.0 | +| Interlock (NGINX) | 1.14.0 | ## 3.1.2 
@@ -732,7 +746,7 @@ now configurable within the UCP web interface. (#15466) | UCP | 3.1.2 | | Kubernetes | 1.11.5 | | Calico | 3.2.3 | -| Interlock (nginx) | 1.14.0 | +| Interlock (NGINX) | 1.14.0 | ## 3.1.1 @@ -747,7 +761,7 @@ now configurable within the UCP web interface. (#15466) | UCP | 3.1.1 | | Kubernetes | 1.11.5 | | Calico | 3.2.3 | -| Interlock (nginx) | 1.13.12 | +| Interlock (NGINX) | 1.13.12 | ## 3.1.0 
@@ -764,35 +778,35 @@ now configurable within the UCP web interface. (#15466) ### New features -### Kubernetes +#### Kubernetes * Kubernetes is updated to version 1.11.2. * Kubernetes native RBAC feature manages access control for Kubernetes resources. Users can now create roles for Kubernetes APIs using Kubernetes `Role` and `ClusterRole` objects in the Kubernetes API. They can also grant permissions to users and service accounts with the `RoleBinding` and `ClusterRoleBinding` objects. The web interface for Kubernetes RBAC reflects these changes. Your old Kubernetes grants and roles will be automatically migrated during the UCP upgrade. -### Logging +#### Logging Admins can now enable audit logging in the UCP config. This logs all incoming user-initiated requests in the `ucp-controller` logs. Admins can choose whether to log only metadata for incoming requests or the full request body as well. For more information, see [Create UCP audit logs](https://docs.docker.com/ee/ucp/admin/configure/create-audit-logs/). -### Authentication +#### Authentication Admins can configure UCP to use a SAML-enabled identity provider for user authentication. If enabled, users who log into the UCP web interface are redirected to the identity provider's website to log in. Upon login, users are redirected back to the UCP web interface, authenticated as the user chosen. For more information, see [Enable SAML authentication](https://docs.docker.com/ee/ucp/admin/configure/enable-saml-authentication/). -### Metrics +#### Metrics * The `ucp-metrics` Prometheus server (used to render charts in the UCP interface) was engineered from a container on manager nodes to a Kubernetes daemonset. This lets admins change the daemonset's scheduling rules so that it runs on a set of worker nodes instead of manager nodes. Admins can designate certain UCP nodes to be metrics server nodes, freeing up resources on manager nodes. 
For more information, see [Collect UCP cluster metrics with Prometheus](https://docs.docker.com/ee/ucp/admin/configure/collect-cluster-metrics/). * The UCP controller has a `/metricsdiscovery` endpoint so users can connect their own Prometheus instances to scrape UCP metrics data. -### UCP web interface +#### UCP web interface * If you enable single sign-on for a DTR instance with UCP, the UCP web interface shows image vulnerability data for images in that DTR instance. Containers and services that use images from that DTR instance show any vulnerabilities DTR detects. * The UCP web interface is redesigned to offer larger views for viewing individual resources, with more information for Kubernetes resources. -### Configs +#### Configs * UCP now stores its configurations in its internal key-value store instead of in a Swarm configuration so changes can propagate across the cluster more quickly. * You can now use the `custom_api_server_headers` field in the UCP configuration to set arbitrary headers that are included with every UCP response. -### API updates +#### API updates There are several backward-incompatible changes in the Kubernetes API that may affect user workloads. They are: 
@@ -801,11 +815,11 @@ There are several backward-incompatible changes in the Kubernetes API that may a * Change `node.alpha.kubernetes.io/notReady` to `node.kubernetes.io/not-ready` * Change `node.alpha.kubernetes.io/unreachable` to `node.kubernetes.io/unreachable` For more information about taints and tolerations, see [Taints and Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). -* JSON configuration used with `kubectl create -f pod.json` containing fields with incorrect casing are no longer valid. You must correct these files before upgrading. When specifying keys in JSON resource definitions during direct API server communication, the keys are case-sensitive. A bug introduced in Kubernetes 1.8 caused the API server to accept a request with incorrect case and coerce it to correct case, but this behaviour has been fixed in 1.11 so the API server will again enforce correct casing. During this time, the `kubectl` tool continued to enforce case-sensitive keys, so users that strictly manage resources with `kubectl` will be unaffected by this change. +* JSON configuration used with `kubectl create -f pod.json` containing fields with incorrect casing are no longer valid. You must correct these files before upgrading. When specifying keys in JSON resource definitions during direct API server communication, the keys are case-sensitive. A bug introduced in Kubernetes 1.8 caused the API server to accept a request with incorrect case and coerce it to correct case, but this behavior has been fixed in 1.11 so the API server will again enforce correct casing. During this time, the `kubectl` tool continued to enforce case-sensitive keys, so users that strictly manage resources with `kubectl` will be unaffected by this change. * If you have a pod with a subpath volume PVC, there’s a chance that after the upgrade, it will conflict with some other pod; see [this pull request](https://github.com/kubernetes/kubernetes/pull/61373). 
It’s not clear if this issue will just prevent those pods from starting or if the whole cluster will fail. ### Known issues -* There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during uprades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about about upgrading Docker Enterprise to version 2.1, see [Upgrade Docker](../upgrade) +* There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about about upgrading Docker Enterprise to version 2.1, see [Upgrade Docker](../upgrade). * In the UCP web interface, LDAP settings disappear after submitting them. However, the settings are properly saved. (#15503) * You must use the ID of the user, organization, or team if you manually create a **ClusterRoleBinding** or **RoleBinding** for `User` or `Group` subjects. (#14935) * For the `User` subject Kind, the `Name` field contains the ID of the user. 
@@ -843,10 +857,31 @@ The following features are deprecated in UCP 3.1. | UCP | 3.1.0 | | Kubernetes | 1.11.2 | | Calico | 3.2.3 | -| Interlock (nginx) | 1.13.12 | +| Interlock (NGINX) | 1.13.12 | # Version 3.0 +## 3.0.15 +2019-10-08 + +### Bug fixes +* Upgraded RethinkDB Go Client to v5. (ENGORC-2704) +* Fixes an issue that caused slow response with increasing number of collections. (ENGORC-2638) + +### Kubernetes +* Enabled Kubernetes Node Authorizer Plugin. (ENGORC-2652) +* Kube-dns is now deployed with 2 replicas. (ENGORC-1816) + +### Components + +| Component | Version | +| --------------------- | ------- | +| UCP | 3.0.15 | +| Kubernetes | 1.8.15 | +| Calico | 3.8.2 | +| Interlock | 2.6.1 | +| Interlock NGINX proxy | 1.14.2 | + ## 3.0.14 2019-09-03 @@ -882,7 +917,7 @@ The following features are deprecated in UCP 3.1. ### Bug fixes -* Fixed an issue that caused sensitive command line arguments provided to the UCP installer command to also print in debug logs. +* Fixes an issue that caused sensitive command line arguments provided to the UCP installer command to also print in debug logs. * Added a restrictive robots.txt to the root of the UCP API server. ### Components @@ -892,7 +927,7 @@ The following features are deprecated in UCP 3.1. | UCP | 3.0.13 | | Kubernetes | 1.8.15 | | Calico | 3.0.8 | -| Interlock (nginx) | 1.13.12 | +| Interlock (NGINX) | 1.13.12 | ## 3.0.12 @@ -901,7 +936,7 @@ The following features are deprecated in UCP 3.1. ### Bug fixes * Added migration logic to remove all actions on `pods/exec` and `pods/attach` Kubernetes subresource from the migrated UCP View-Only role. (ENGORC-2434) -* Fixed an issue that allows unauthenticated user to list directories. (ENGORC-2175) +* Fixes an issue that allows unauthenticated user to list directories. (ENGORC-2175) ### Deprecated platforms 
@@ -915,7 +950,7 @@ The following features are deprecated in UCP 3.1. | UCP | 3.0.12 | | Kubernetes | 1.8.15 | | Calico | 3.0.8 | -| Interlock (nginx) | 1.13.12 | +| Interlock (NGINX) | 1.13.12 | ## 3.0.11 2019-05-06 @@ -930,7 +965,7 @@ The following features are deprecated in UCP 3.1. | UCP | 3.0.11 | | Kubernetes | 1.8.15 | | Calico | 3.0.8 | -| Interlock (nginx) | 1.13.12 | +| Interlock (NGINX) | 1.13.12 | ## 3.0.10 @@ -939,7 +974,7 @@ The following features are deprecated in UCP 3.1. ### Bug fixes * Bump the Golang version that is used to build UCP to version 1.10.8. * Prevent UCP users from updating services with a port that conflicts with the UCP controller port. (escalation#855) -* Fixed an issue that causes UCP fail to upgrade with Interlock deployment. (docker/orca/#16009) +* Fixes an issue that caused UCP fail to upgrade with Interlock deployment. (docker/orca/#16009) * Validate Calico certs expiration date and update accordingly. (escalation#981) ### Components @@ -949,7 +984,7 @@ The following features are deprecated in UCP 3.1. | UCP | 3.0.10 | | Kubernetes | 1.8.15 | | Calico | 3.0.8 | -| Interlock (nginx) | 1.13.12 | +| Interlock (NGINX) | 1.13.12 | ## 3.0.9 @@ -975,7 +1010,7 @@ The following features are deprecated in UCP 3.1. | UCP | 3.0.9 | | Kubernetes | 1.8.15 | | Calico | 3.0.8 | -| Interlock (nginx) | 1.13.12 | +| Interlock (NGINX) | 1.13.12 | ## 3.0.8 
@@ -990,7 +1025,7 @@ The following features are deprecated in UCP 3.1. * UCP backend will now complain when a service is created/updated if the `com.docker.lb.network` label is not correctly specified. (docker/orca#15015) * LDAP group member attribute is now case insensitive. (docker/escalation#917) - * Fixed an issue that caused a system hang after UCP backup and the attempted shutdown of the Docker daemon to perform a swarm backup. /dev/shm is now unmounted when starting the kubelet container. (docker/orca#15672, docker/escalation#841) + * Fixes an issue that caused a system hang after UCP backup and the attempted shutdown of the Docker daemon to perform a swarm backup. /dev/shm is now unmounted when starting the kubelet container. (docker/orca#15672, docker/escalation#841) * Interlock * Interlock headers can now be hidden. (docker/escalation#833) @@ -1007,7 +1042,7 @@ The following features are deprecated in UCP 3.1. | UCP | 3.0.8 | | Kubernetes | 1.8.15 | | Calico | 3.0.8 | -| Interlock (nginx) | 1.13.12 | +| Interlock (NGINX) | 1.13.12 | ## 3.0.7 @@ -1022,7 +1057,7 @@ The following features are deprecated in UCP 3.1. | UCP | 3.0.7 | | Kubernetes | 1.8.15 | | Calico | 3.0.8 | -| Interlock (nginx) | 1.13.12 | +| Interlock (NGINX) | 1.13.12 | ## 3.0.6 
@@ -1033,18 +1068,18 @@ The following features are deprecated in UCP 3.1. * Core * Updated Kubernetes to version 1.8.15. * Resolved an issue where LDAP sync jobs terminated when processing an org admin search result that did not correspond to an existing user. (docker/escalation#784 #docker/escalation#888) - * Fixed an issue that caused RethinkDB client lock contention. (docker/escalation#902 and docker/escalation#906) - * Fixed an issue that caused Azure IPAM to not release addresses. (docker/escalation#815) - * Fixed an issue that caused unsuccessful installation of UCP on Azure. (docker/escalation#863) - * Fixed an issue that caused the Interlock proxy service to keep restarting. (docker/escalation#814) - * Fixed an issue that caused Kubernetes DNS to not work. (#14064, #11981) - * Fixed an issue that caused "Missing swarm placement constraints" warning banner to appear unnecessarily. (docker/orca#14539) + * Fixes an issue that caused RethinkDB client lock contention. (docker/escalation#902 and docker/escalation#906) + * Fixes an issue that caused Azure IPAM to not release addresses. (docker/escalation#815) + * Fixes an issue that caused unsuccessful installation of UCP on Azure. (docker/escalation#863) + * Fixes an issue that caused the Interlock proxy service to keep restarting. (docker/escalation#814) + * Fixes an issue that caused Kubernetes DNS to not work. (#14064, #11981) + * Fixes an issue that caused "Missing swarm placement constraints" warning banner to appear unnecessarily. (docker/orca#14539) * Security - * Fixed `libcurl` vulnerability in RethinkDB image. (docker/orca#15169) + * Fixes `libcurl` vulnerability in RethinkDB image. (docker/orca#15169) * UI - * Fixed an issue that prevented "Per User Limit" on Admin Settings from working. (docker/escalation#639) + * Fixes an issue that prevented "Per User Limit" on Admin Settings from working. (docker/escalation#639) ### Components 
@@ -1053,7 +1088,7 @@ The following features are deprecated in UCP 3.1. | UCP | 3.0.6 | | Kubernetes | 1.8.15 | | Calico | 3.0.8 | -| Interlock (nginx) | 1.13.12 | +| Interlock (NGINX) | 1.13.12 | ## 3.0.5 @@ -1062,7 +1097,7 @@ The following features are deprecated in UCP 3.1. ### Bug fixes * Security - * Fixed a critical security issue to prevent UCP from accepting certificates from + * Fixes a critical security issue to prevent UCP from accepting certificates from the system pool when adding client CAs to the server that requires mutual authentication. ### Known Issue @@ -1081,7 +1116,7 @@ The following features are deprecated in UCP 3.1. | UCP | 3.0.5 | | Kubernetes | 1.8.11 | | Calico | 3.0.8 | -| Interlock (nginx) | 1.13.12 | +| Interlock (NGINX) | 1.13.12 | ## 3.0.4 @@ -1090,7 +1125,7 @@ The following features are deprecated in UCP 3.1. ### Bug fixes * Security - * Fixed a critical security issue where the LDAP bind username and password were stored in cleartext on UCP hosts. Please refer to [this KB article](https://success.docker.com/article/upgrading-to-ucp-2-2-12-ucp-3-0-4/) for proper implementation of this fix. + * Fixes a critical security issue where the LDAP bind user name and password were stored in clear text on UCP hosts. Please refer to [this KB article](https://success.docker.com/article/upgrading-to-ucp-2-2-12-ucp-3-0-4/) for proper implementation of this fix. ### Known Issue @@ -1103,7 +1138,7 @@ The following features are deprecated in UCP 3.1. | UCP | 3.0.4 | | Kubernetes | 1.8.11 | | Calico | 3.0.8 | -| Interlock (nginx) | 1.13.12 | +| Interlock (NGINX) | 1.13.12 | ## 3.0.3 
@@ -1119,14 +1154,14 @@ The following features are deprecated in UCP 3.1. ### Bug fixes * Core - * Optimize swarm service read api calls through UCP + * Optimize swarm service read API calls through UCP * Fixes an issue where some UCP Controller API calls may hang indefinitely. * Default Calico MTU set to 1480 * Calico is upgraded to 3.0.8 * Compose for Kubernetes logging improvements * Fixes an issue where backups would fail if UCP was not licensed. * Fixes an issue where DTR admins are missing the Full Control Grant against /Shared Collection even though they have logged in at least once to the web interface. - * Add support for bind mount volumes to kubernetes stacks and fixes sporadic errors in kubernetes stack validator that would incorrectly reject stacks. + * Add support for bind mount volumes to Kubernetes stacks and fixes sporadic errors in Kubernetes stack validator that would incorrectly reject stacks. ### Components @@ -1135,7 +1170,7 @@ The following features are deprecated in UCP 3.1. | UCP | 3.0.3 | | Kubernetes | 1.8.11 | | Calico | 3.0.8 | -| Interlock (nginx) | 1.13.12 | +| Interlock (NGINX) | 1.13.12 | ## 3.0.2 @@ -1154,10 +1189,10 @@ Azure Disk when installing UCP with the `--cloud-provider` option. ### Bug fixes * Core - * Fixed an issue for anonymous volumes in Compose for Kubernetes. - * Fixed an issue where a fresh install would have an initial per-user session + * Fixes an issue for anonymous volumes in Compose for Kubernetes. + * Fixes an issue where a fresh install would have an initial per-user session limit of unlimited rather than the expected limit of 10 minutes. - * Added separate resource types for Kubernetes subresources (e.g. pod/log) + * Added separate resource types for Kubernetes subresources (for example, pod/log) so that users can get separate permissions for those resources, as with the built-in Kubernetes RBAC authorizer. If you had a custom role with (for instance) Pod Get permissions, you may need to create a new custom 
@@ -1170,7 +1205,7 @@ Azure Disk when installing UCP with the `--cloud-provider` option. behavior) instead of a 404. * UI/UX - * Fixed an issue that causes LDAP configuration UI to not work properly. + * Fixes an issue that caused LDAP configuration UI to not work properly. ### Components @@ -1179,7 +1214,7 @@ Azure Disk when installing UCP with the `--cloud-provider` option. | UCP | 3.0.2 | | Kubernetes | 1.8.11 | | Calico | 3.0.1 | -| Interlock (nginx) | 1.13.8 | +| Interlock (NGINX) | 1.13.8 | ## 3.0.1 
@@ -1192,19 +1227,19 @@ Azure Disk when installing UCP with the `--cloud-provider` option. This port must be in the `NodePort` range. * Kubernetes API server port is now configurable via `--kube-apiserver-port` flag at install or `cluster_config.kube_apiserver_port` in UCP config. - * Fixed an issue where upgrade fails due to missing `ucp-kv` snapshots. - * Fixed an issue where upgrade fails due to layer 7 routing issues. + * Fixes an issue where upgrade fails due to missing `ucp-kv` snapshots. + * Fixes an issue where upgrade fails due to layer 7 routing issues. * `ucp-interlock-proxy` no longer tries to schedule components on Windows nodes. - * Fixed an issue where a Kubernetes networking failure would not stop UCP from + * Fixes an issue where a Kubernetes networking failure would not stop UCP from installing successfully. - * Fixed an issue where encrypted overlay networks could not communicate on + * Fixes an issue where encrypted overlay networks could not communicate on firewalled hosts. - * Fixed an issue where Pod CIDR and Node IP values could conflict at install + * Fixes an issue where Pod CIDR and Node IP values could conflict at install Installation no longer fails if an empty `PodCIDR` value is set in the UCP config at install time. Instead, it falls back to default CIDR. * UI/UX - * Fixed an issue where UCP banners redirected to older UCP 2.2 documentation. + * Fixes an issue where UCP banners redirected to older UCP 2.2 documentation. ### Known issues 
@@ -1221,7 +1256,7 @@ Azure Disk when installing UCP with the `--cloud-provider` option. networking disruption for pods on each node during the upgrade process, depending on how quickly `calico-node` gets upgraded on those nodes. * `ucp-interlock-proxy` may fail to start when two or more services are - configured with two or more backend hosts. [You can use this workaround](https://success.docker.com/article/how-do-i-ensure-the-ucp-routing-mesh-ucp-interlock-proxy-continues-running-in-the-event-of-a-failed-update). + configured with two or more back-end hosts. [You can use this workaround](https://success.docker.com/article/how-do-i-ensure-the-ucp-routing-mesh-ucp-interlock-proxy-continues-running-in-the-event-of-a-failed-update). ### Components @@ -1230,7 +1265,7 @@ Azure Disk when installing UCP with the `--cloud-provider` option. | UCP | 3.0.1 | | Kubernetes | 1.8.11 | | Calico | 3.0.1 | -| Interlock (nginx) | 1.13.8 | +| Interlock (NGINX) | 1.13.8 | ## 3.0.0 2018-04-17 @@ -1293,7 +1328,7 @@ will be available in future releases. * You can now create custom roles with Kubernetes API permissions. Default roles include Kubernetes API permissions based on their access type. As an example, View-Only contains Swarm and Kubernetes read-only API permissions. - * In addition to collections, grants can now use Kubernetes Namespaces as + * In addition to collections, grants can now use Kubernetes namespaces as a resource set type. * Admins can now link a Kubernetes namespace to a collection of nodes in order to isolate users and workloads between different nodes. 
@@ -1387,10 +1422,18 @@ deprecated. Deploy your applications as Swarm services or Kubernetes workloads. | UCP | 3.0.1 | | Kubernetes | 1.8.11 | | Calico | 3.0.1 | -| Interlock (nginx) | 1.13.8 | +| Interlock (NGINX) | 1.13.8 | # Version 2.2 +## Version 2.2.22 +2019-10-08 + +### Bug fixes +* Upgraded RethinkDB Go Client to v5. (ENGORC-2704) +* Now UI timeout is obeyed with browser tab open or closed. (ENGORC-2576) +* Fixes an issue that caused slow response with increasing number of collections. (ENGORC-2638) + ## Version 2.2.21 2019-09-03 @@ -1402,8 +1445,7 @@ deprecated. Deploy your applications as Swarm services or Kubernetes workloads. 2019-07-17 ### Bug fixes - -* Fixed an issue that caused sensitive command line arguments provided to the UCP installer command to also print in debug logs. +* Fixes an issue that caused sensitive command line arguments provided to the UCP installer command to also print in debug logs. * Added a restrictive robots.txt to the root of the UCP API server. ### Known issues @@ -1428,7 +1470,7 @@ instead of the correct image for the worker architecture. ### Bug fixes -* Fixed an issue that allows unauthenticated user to list directories. (ENGORC-2175) +* Fixes an issue that allows unauthenticated user to list directories. (ENGORC-2175) ### Known issues @@ -1528,7 +1570,7 @@ instead of the correct image for the worker architecture. * Significantly reduced database load in environments with a lot of concurrent and repeated API requests by the same user. * Added the ability to set custom HTTP response headers to be returned by the UCP Controller API Server. * Web interface - * Fixed stack creation for non admin user when UCP uses a custom controller port. + * Fixes stack creation for non-admin user when UCP uses a custom controller port. ### Known issues 
@@ -1555,10 +1597,10 @@ instead of the correct image for the worker architecture. * Core * Resolved an issue where LDAP sync jobs terminated when processing an org admin search result that did not correspond to an existing user. (docker/escalation#784 #docker/escalation#888) - * Fixed an issue that caused RethinkDB client lock contention. (docker/escalation#902 and docker/escalation#906) + * Fixes an issue that caused RethinkDB client lock contention. (docker/escalation#902 and docker/escalation#906) * Web Interface - * Fixed an issue that prevented "Per User Limit" on Admin Settings from working. (docker/escalation#639) + * Fixes an issue that prevented "Per User Limit" on Admin Settings from working. (docker/escalation#639) ### Known issues @@ -1584,7 +1626,7 @@ instead of the correct image for the worker architecture. ### Bug fixes * Security - * Fixed a critical security issue to prevent UCP from accepting certificates from + * Fixes a critical security issue to prevent UCP from accepting certificates from the system pool when adding client CAs to the server that requires mutual authentication. ### Known issues @@ -1611,7 +1653,7 @@ instead of the correct image for the worker architecture. ### Bug fixes * Security - * Fixed a critical security issue where the LDAP bind username and password + * Fixes a critical security issue where the LDAP bind user name and password were stored in cleartext on UCP hosts. Please refer to the following KB article https://success.docker.com/article/upgrading-to-ucp-2-2-12-ucp-3-0-4/ for proper implementation of this fix. 
@@ -1643,19 +1685,19 @@ instead of the correct image for the worker architecture. ### Bug fixes * Security - * Fixed an issue that causes some security headers to not be added to all API responses. + * Fixes an issue that caused some security headers to not be added to all API responses. * Core * Optimized swarm service read API calls through UCP. * Upgraded `RethinkDB` image to address potential security vulnerabilities. - * Fixee an issue where removing a worker node from the cluster would cause an etcd member to be removed on a manager node. + * Fixes an issue where removing a worker node from the cluster would cause an etcd member to be removed on a manager node. * Upgraded `etcd` version to 2.3.8. - * Fixed an issue that causes classic Swarm to provide outdated data. - * Fixed an issue that raises `ucp-kv` collection error with unnamed volumes. + * Fixes an issue that caused classic Swarm to provide outdated data. + * Fixes an issue that raises `ucp-kv` collection error with unnamed volumes. * UI - * Fixed an issue that causes the web interface to not parse volume options correctly. - * Fixed an issue that prevents the user from deploying stacks through the web interface. + * Fixes an issue that caused the web interface to not parse volume options correctly. + * Fixes an issue that prevents the user from deploying stacks through the web interface. ### Known issues 
@@ -1686,9 +1728,9 @@ instead of the correct image for the worker architecture. * UI * Users can now set log driver name and options on both create and update service screens. - * Fixed an issue that causes legacy collections on services to break the web interface. Now + * Fixes an issue that caused legacy collections on services to break the web interface. Now legacy collections are properly prepended with "/Shared/Legacy/". - * Fixed an issue that causes service counts in status summary to be shown + * Fixes an issue that caused service counts in status summary to be shown incorrectly. * Authentication/Authorization @@ -1696,14 +1738,14 @@ instead of the correct image for the worker architecture. previously logged in. * The logic which reconciles collection labels is now skipped if the node already has an access label. - * Fixed an issue where LDAP syncs would always search against the last server + * Fixes an issue where LDAP syncs would always search against the last server in the list of additional domains if the search base DN matched any of those domains. * Core * UCP can now be displayed in an iframe for pages hosted on the same domain. - * Fixed an issue that prevents non-admin users to do `docker build` on UCP. - * Fixed an issue where a node's status may be reported incorrectly in node + * Fixes an issue that prevents non-admin users to do `docker build` on UCP. + * Fixes an issue where a node's status may be reported incorrectly in node listings. * UCP can now be installed on a system with more than 127 logical CPU cores. * Improved the performance of UCP's local and global health checks. 
@@ -1734,12 +1776,12 @@ instead of the correct image for the worker architecture. ### Bug fixes * Security - * Fixed an issue that allows users to incorrectly interact with local volumes. - * Fixed an issue where setting minimum TLS version causes `ucp-agent` to + * Fixes an issue that allows users to incorrectly interact with local volumes. + * Fixes an issue where setting minimum TLS version caused `ucp-agent` to keep restarting on worker nodes. * Core - * Fixed an issue that causes container fail to start with `container ID not found` + * Fixes an issue that caused container fail to start with `container ID not found` during high concurrent API calls to create and start containers. ### Known issues @@ -1769,7 +1811,7 @@ is always used, regardless of which one is actually the best match. ### Bug fixes -* Fixed an issue where the minimum TLS version setting is not correctly handled, +* Fixes an issue where the minimum TLS version setting is not correctly handled, leading to non-default values causing `ucp-controller` and `ucp-agent` to keep restarting. 
@@ -1814,14 +1856,14 @@ is always used, regardless of which one is actually the best match. * Core * The HRM service is no longer deployed with constraints that might prevent the service from ever getting scheduled. - * Fixed a problem causing the HRM service to be restarted multiple times. + * Fixes an issue that caused the HRM service to restart multiple times. * The `ucp-agent` service is now deployed without adding extra collection labels. This doesn't change the behavior of the service. - * Fixed problem causing a healthy `ucp-auth-store` component to be reported as + * Fixes an issue that caused a healthy `ucp-auth-store` component to be reported as unhealthy. - * Fixed a race condition causing the labels for the UCP controller container + * Fixes a race condition causing the labels for the UCP controller container to be reset. - * Fixed an issue causing the `ucp-agent` service to be deployed with the wrong + * Fixes an issue causing the `ucp-agent` service to be deployed with the wrong architecture on Windows nodes. * RBAC * Role-based access control can now be enforced for third-party volume plugins, 
@@ -1831,16 +1873,16 @@ is always used, regardless of which one is actually the best match. to go onto each node and clean up those resources directly. * When upgrading from UCP 2.1, inactive user accounts are no longer migrated to the new RBAC model. - * Fixed an issue preventing users from seeing a collection when they have + * Fixes an issue preventing users from seeing a collection when they have permissions to deploy services on a child collection. * Grants are now deleted when deleting an organization whose teams have grants. * UI - * Fixed a problem in the Settings page that would cause Docker to stop when + * Fixes a issue in the Settings page that caused Docker to stop when you made changes to UCP settings and a new manager node is promoted to leader. - * Fixed bug causing the Grants list page not to render after deleting an + * Fixes a bug causing the Grants list page not to render after deleting an organization mentioned used on a grant. - * Fixed a problem that would intermittently cause settings not to be persisted. - * Fixed an issue that prevented users from being able to change LDAP settings. + * Fixes an issue that intermittently caused settings not to be persisted. + * Fixes an issue that prevented users from being able to change LDAP settings. ### Known issues 
@@ -1924,7 +1966,7 @@ for volumes. * Additional translations added for internationalization. * UI for adding users to teams simplified. * The grant list can now sorted and pagination in the grants view has been improved. The grants view previously had glitches on systems with many grants. - * Fixed problem where the web interface would hang when pulling images. + * Fixes an issue where the web interface would hang when pulling images. * "Max failure ratio" and "Failure action" re-introduced in service definitions. These settings were not available in UCP 2.2, but were available in previous UCP versions. * Collection labels are no longer applied to UCP system services. UCP previously auto-applied labels, which was confusing. @@ -1966,7 +2008,7 @@ for volumes. * Windows nodes are no longer displayed in the DTR install UI. * DTR settings state in UCP is now preserved when switching tabs. Previously, un-saved state was lost when switching tabs. - * Fixed problem where first manager node may have IP address `0.0.0.0`, + * Fixes an issue where the first manager node may have IP address `0.0.0.0`, causing dashboard to not update. * UI for adding Windows nodes improved to include full join instructions. * Node Task UI fixed. Displaying tasks for a node previously did not work. 
@@ -2005,24 +2047,24 @@ for volumes. ### Bug fixes * Core - * Fixed an issue that caused timeouts during install, preventing UCP 2.2.1 from + * Fixes an issue that caused timeouts during install, preventing UCP 2.2.1 from being released. - * Fixed a number of issues in which access control labels and roles could not + * Fixes a number of issues in which access control labels and roles could not be upgraded to their new format, when upgrading UCP. [Learn more](https://success.docker.com/KBase/Auth_system_migration_errors). - * Fixed an issue that caused an upgrade with multiple manager nodes to fail + * Fixes an issue that caused an upgrade with multiple manager nodes to fail with RethinkDB startup errors. - * Fixed an issue that caused upgrades to fail due to UCP being unable to + * Fixes an issue that caused upgrades to fail due to UCP being unable to remove and replace older UCP containers. - * Fixed an issue in which upgrade timed out due to lack of available disk space. - * Fixed an issue in which rescheduling of containers not belonging in services + * Fixes an issue in which upgrade timed out due to lack of available disk space. + * Fixes an issue in which rescheduling of containers not belonging in services could fail due to a request for a duplicate IP address. * DTR containers are no longer omitted from `docker ps` commands. * UI/UX - * Fixed known issue from 2.2.0 where config changes (including LDAP/AD) take + * Fixes known issue from 2.2.0 where config changes (including LDAP/AD) take an extended period to update after making changes in the UI settings. - * Fixed an issue where the `/apidocs` url redirected to the login page. - * Fixed an issue in which the UI does not redirect to a bad URL immediately + * Fixes an issue where the `/apidocs` url redirected to the login page. + * Fixes an issue in which the UI does not redirect to a bad URL immediately after an upgrade. * Config and API docs now show the correct LDAP sync cron schedule format. 
* docker/ucp image @@ -2103,7 +2145,7 @@ and the API is fully interactive within the UCP web interface. * Redesigned dashboard with time-series historical graphs for usage metrics. * Compact layout to more easily view resource information at a glance. * Detail panels for resources no longer slide out and cover the main panel. - * Filtering mechanism to display related items (e.g. resources in a collection or stack). + * Filtering mechanism to display related items (for example, resources in a collection or stack). ### Known issues
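Review bot: The rewritten known-issues bullet in the `@@ -801,11 +815,11 @@` hunk still reads "For more information about about upgrading Docker Enterprise to version 2.1"; the duplicated "about" survived the pass that fixed "uprades" and added the closing period. Drop one "about" on the same line. The JSON bullet touched in this hunk also keeps "JSON configuration ... containing fields with incorrect casing are no longer valid", where the singular subject calls for "is no longer valid".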
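Review bot: The new 3.0.15 Components table in the `@@ -843,10 +857,31 @@` hunk lists Calico 3.8.2, Interlock 2.6.1 and Interlock NGINX proxy 1.14.2, but the 3.0.15 notes above it mention no Calico or Interlock change, and the 3.0.13 and earlier tables visible in this patch show Calico 3.0.8 and "Interlock (NGINX)" 1.13.12. Please confirm these versions against the shipped 3.0.15 images; the 3.0.14 table is not part of this diff, so it cannot be checked from here. If the row split into "Interlock" and "Interlock NGINX proxy" is intentional, the older 3.0.x tables that this patch only recapitalizes will no longer line up with it.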
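Review bot: In the `@@ -901,7 +936,7 @@` hunk, "Fixes an issue that allows unauthenticated user to list directories. (ENGORC-2175)" keeps "allows" in the present tense, which reads as though unauthenticated directory listing is still possible after the fix. Other bullets in this patch were moved to "caused", so suggest "Fixes an issue that allowed an unauthenticated user to list directories." The identical line is added for the 2.2 series in the `@@ -1428,7 +1470,7 @@` hunk and needs the same change.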
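Review bot: The changed bullet in the `@@ -939,7 +974,7 @@` hunk drops a word: "Fixes an issue that caused UCP fail to upgrade with Interlock deployment" should read "caused UCP to fail to upgrade". The tense was updated from "causes" to "caused" but the missing "to" carried over. The same construction appears in the `@@ -1734,12 +1776,12 @@` hunk as "caused container fail to start", which wants "caused containers to fail to start".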
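Review bot: In the `@@ -1192,19 +1227,19 @@` hunk, the bullet "Fixes an issue where Pod CIDR and Node IP values could conflict at install" has no closing period and, as shown here, runs straight into the unchanged "Installation no longer fails if an empty `PodCIDR` value is set". Since the line is already being edited, end it with "at install time." so the two statements separate cleanly. The neighbouring "Fixes an issue where upgrade fails due to ..." bullets also mix tenses; "failed" would match the "caused" wording used elsewhere in this patch.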
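Review bot: The 2.2.x LDAP bullet in the `@@ -1611,7 +1653,7 @@` hunk is only half updated: the added line says "LDAP bind user name and password", but the unchanged continuation still says "were stored in cleartext on UCP hosts" and carries a bare URL, while the matching 3.0.4 bullet in `@@ -1090,7 +1125,7 @@` was changed to "clear text" with a "[this KB article](...)" link. Extend the edit to the next two lines so both security notices use the same wording and link style.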
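Review bot: The UI bullets in the `@@ -1831,16 +1873,16 @@` hunk introduce a grammar error: "Fixes a issue in the Settings page that caused Docker to stop" should be "Fixes an issue". The Grants bullet is edited in the same hunk but its unchanged tail still reads "organization mentioned used on a grant"; pick one of "mentioned" or "used" while the sentence is open. "Fixes a bug causing" also departs from the "Fixes an issue that caused" pattern the rest of the patch standardizes on.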
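Review bot: In the `@@ -2005,24 +2047,24 @@` hunk, "Fixes an issue where the `/apidocs` url redirected to the login page" leaves "url" lowercase, although the next added bullet writes "bad URL" and this patch capitalizes API, NGINX and Kubernetes elsewhere. Change it to "URL". In that next bullet, "the UI does not redirect to a bad URL immediately after an upgrade" describes the fixed state rather than the defect; rewording to "redirected to a bad URL" would say what was actually wrong.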