Merge pull request #9647 from fredlf/release-notes-edits

Fixed errors in release notes
2014-12-13 17:34:23 -08:00 · 2014-12-13 17:34:23 -08:00 · 86c2cdf782
parent 8ca28a35c7 afc262cc3a
commit 86c2cdf782
1 changed files with 8 additions and 359 deletions
--- a/docs/sources/release-notes.md
+++ b/docs/sources/release-notes.md
@ -13,7 +13,7 @@ desired version from the drop-down list at the top right of this page.
 This release provides a number of new features, but is mainly focused on bug
 fixes and improvements to platform stability and security.
-For a complete list of patches, fixes, and other improvements, see <todo: link>
+For a complete list of patches, fixes, and other improvements, see the [merge PR on GitHub](https://github.com/docker/docker/pull/9345).
 *New Features*
@ -57,371 +57,20 @@ were not sufficiently validated. This created a vulnerability to path traversal
 attacks wherein malicious images or repository spoofing could lead to graph
 corruption and manipulation.
-Note that the above CVE's are also in Docker 1.3.3, which was released
+> **Note:** the above CVEs are also patched in Docker 1.3.3, which was released
-concurrently with 1.4.0.
+> concurrently with 1.4.0.
- 
+
 *Runtime fixes*
- 
+
 * Fixed an issue that caused image archives to be read slowly.
- 
+
 *Client fixes*
 * Fixed a regression related to STDIN redirection.
 * Fixed a regression involving `docker cp` when the current directory is the
 destination.
-> **Note**
+> **Note:**
 > Development history prior to version 1.0 can be found by
-> searching in [GitHub](https://github.com/docker/docker).
+> searching in the [Docker GitHub repo](https://github.com/docker/docker).
 ##Version 1.3.3
 (2014-12-11)
 This release fixes several security issues. In order to encourage immediate
 upgrading, this release also patches some critical bugs. All users are highly
 encouraged to upgrade as soon as possible.
 *Security fixes*
 Patches and changes were made to address the following vulnerabilities:
 * CVE-2014-9356: Path traversal during processing of absolute symlinks. 
 Absolute symlinks were not adequately checked for  traversal which created a
 vulnerability via image extraction and/or volume mounts.
 * CVE-2014-9357: Escalation of privileges during decompression of LZMA (.xz)
 archives. Docker 1.3.2 added `chroot` for archive extraction. This created a
 vulnerability that could allow malicious images or builds to write files to the
 host system and escape containerization, leading to privilege escalation.
 * CVE-2014-9358: Path traversal and spoofing opportunities via image
 identifiers. Image IDs passed either via `docker load` or registry communications
 were not sufficiently validated. This created a vulnerability to path traversal
 attacks wherein malicious images or repository spoofing could lead to graph
 corruption and manipulation.
 *Runtime fixes*
 * Fixed an issue that cause image archives to be read slowly.
 *Client fixes*
 * Fixed a regression related to STDIN redirection.
 * Fixed a regression involving `docker cp` when the current directory is the
 destination.
 ##Version 1.3.2
 (2014-11-24)
 This release fixes some bugs and addresses some security issues. We have also
 made improvements to aspects of `docker run`.
 *Security fixes*
 Patches and changes were made to address CVE-2014-6407 and CVE-2014-6408.
 Specifically, changes were made in order to:
 * Prevent host privilege escalation from an image extraction vulnerability (CVE-2014-6407).
 * Prevent container escalation from malicious security options applied to images (CVE-2014-6408).
 *Daemon fixes*
 The `--insecure-registry` flag of the `docker run` command has undergone
 several refinements and additions. For details, please see the
 [command-line reference](http://docs.docker.com/reference/commandline/cli/#run).
 * You can now specify a sub-net in order to set a range of registries which the Docker daemon will consider insecure.
 * By default, Docker now defines `localhost` as an insecure registry.
 * Registries can now be referenced using the Classless Inter-Domain Routing (CIDR) format.
 * When mirroring is enabled, the experimental registry v2 API is skipped.
 ##Version 1.3.1
 (2014-10-28)
 This release fixes some bugs and addresses some security issues.
 *Security fixes*
 Patches and changes were made to address [CVE-2014-5277 and CVE-2014-3566](https://groups.google.com/forum/#!topic/docker-user/oYm0i3xShJU).
 Specifically, changes were made to:
 * Prevent fallback to SSL protocols < TLS 1.0 for client, daemon and registry
 * Secure HTTPS connection to registries with certificate verification and without HTTP fallback unless [`--insecure-registry`](/reference/commandline/cli/#run) is specified.
 *Runtime fixes*
 * Fixed issue where volumes would not be shared.
 *Client fixes*
 * Fixed issue with `--iptables=false` not automatically setting
 `--ip-masq=false`.
 * Fixed docker run output to non-TTY stdout.
 *Builder fixes*
 * Fixed escaping `$` for environment variables.
 * Fixed issue with lowercase `onbuild` instruction in a `Dockerfile`.
 * Restricted environment variable expansion to `ENV`, `ADD`, `COPY`, `WORKDIR`,
 `EXPOSE`, `VOLUME`, and `USER`
 ##Version 1.3.0
 This version fixes a number of bugs and issues and adds new functions and other
 improvements. The [GitHub 1.3milestone](https://github.com/docker/docker/issues?q=milestone%3A1.3.0+) has
 more detailed information. Major additions and changes include:
 ###New Features
 *New command: `docker exec`*
 The new `docker exec` command lets you run a process in an existing, active
 container. The command has APIs for both the daemon and the client. With `docker
 exec`, you'll be able to do things like add or remove devices from running
 containers, debug running containers, and run commands that are not part of the
 container's static specification. Details in the [command line reference](/reference/commandline/cli/#exec).
 *New command: `docker create`*
 Traditionally, the `docker run` command has been used to both create a container
 and spawn a process to run it. The new `docker create` command breaks this
 apart, letting you set up a container without actually starting it. This
 provides more control over management of the container lifecycle, giving you the
 ability to configure things like volumes or port mappings before the container
 is started. For example, in a rapid-response scaling situation, you could use
 `create` to prepare and stage ten containers in anticipation of heavy loads.
 Details in the [command line reference](/reference/commandline/cli/#create).
 *Tech preview of new provenance features*
 This release offers a sneak peek at new image signing capabilities that are
 currently under development. Soon, these capabilities will allow any image
 author to sign their images to certify they have not been tampered with. For
 this release, Official images are now signed by Docker, Inc. Not only does this
 demonstrate the new functionality, we hope it will improve your confidence in
 the security of Official images. Look for the blue ribbons denoting signed
 images on the [Docker Hub](https://hub.docker.com/). The Docker Engine has been
 updated to automatically verify that a given Official Repo has a current, valid
 signature. When pulling a signed image, you'll see a message stating `the image
 you are pulling has been verified`. If no valid signature is detected, Docker
 Engine will fall back to pulling a regular, unsigned image.
 ###Other improvements & changes*
 * We've added a new security options flag to the `docker run` command,
 `--security-opt`, that lets you set SELinux and AppArmor labels and profiles.
 This means you'll  no longer have to use `docker run --privileged` on kernels
 that support SE Linux or AppArmor. For more information, see the [command line
 reference](/reference/commandline/cli/#run).
 * A new flag, `--add-host`, has been added to `docker run` that lets you add
 lines to `/etc/hosts`. This allows you to specify different name resolution for
 the container than it would get via DNS. For more information, see the [command
 line reference](/reference/commandline/cli/#run).
 * You can now set a `DOCKER_TLS_VERIFY` environment variable to secure
 connections by default (rather than having to pass the `--tlsverify` flag on
 every call). For more information, see the [https guide](/articles/https).
 * Three security issues have been addressed in this release: [CVE-2014-5280,
 CVE-2014-5270, and
 CVE-2014-5282](https://groups.google.com/forum/#!msg/docker-announce/aQoVmQlcE0A/smPuBNYf8VwJ).
 ##Version 1.2.0
 This version fixes a number of bugs and issues and adds new functions and other
 improvements. These include:
 ###New Features
 *New restart policies*
 We added a `--restart flag` to `docker run` to specify a restart policy for your
 container. Currently, there are three policies available:
 * `no` – Do not restart the container if it dies. (default) * `on-failure` –
 Restart the container if it exits with a non-zero exit code. This can also
 accept an optional maximum restart count (e.g. `on-failure:5`). * `always` –
 Always restart the container no matter what exit code is returned. This
 deprecates the `--restart` flag on the Docker daemon.
 *New flags for `docker run`: `--cap-add` and `--cap-drop`*
 In previous releases, Docker containers could either be given complete
 capabilities or they could all follow a whitelist of allowed capabilities while
 dropping all others. Further, using `--privileged` would grant all capabilities
 inside a container, rather than applying a whitelist. This was not recommended
 for production use because it’s really unsafe; it’s as if you were directly in
 the host.
 This release introduces two new flags for `docker run`, `--cap-add` and
 `--cap-drop`, that give you fine-grain control over the specific capabilities
 you want grant to a particular container.
 *New `--device` flag for `docker run`*
 Previously, you could only use devices inside your containers by bind mounting
 them (with `-v`) in a `--privileged` container. With this release, we introduce
 the `--device flag` to `docker run` which lets you use a device without
 requiring a privileged container.
 *Writable `/etc/hosts`, `/etc/hostname` and `/etc/resolv.conf`*
 You can now edit `/etc/hosts`, `/etc/hostname` and `/etc/resolve.conf` in a
 running container. This is useful if you need to install BIND or other services
 that might override one of those files.
 Note, however, that changes to these files are not saved when running `docker
 build` and so will not be preserved in the resulting image. The changes will
 only “stick” in a running container.
 *Docker proxy in a separate process*
 The Docker userland proxy that routes outbound traffic to your containers now
 has its own separate process (one process per connection). This greatly reduces
 the load on the daemon, which increases stability and efficiency.
 ###Other improvements & changes
 * When using `docker rm -f`, Docker now kills the container (instead of stopping
 it) before removing it . If you intend to stop the container cleanly, you can
 use `docker stop`.
 * Added support for IPv6 addresses in `--dns`
 * Added search capability in private registries
 ##Version 1.1.0
 ###New Features
 *`.dockerignore` support*
 You can now add a `.dockerignore` file next to your `Dockerfile` and Docker will
 ignore files and directories specified in that file when sending the build
 context to the daemon. Example:
 https://github.com/docker/docker/blob/master/.dockerignore
 *Pause containers during commit*
 Doing a commit on a running container was not recommended because you could end
 up with files in an inconsistent state (for example, if they were being written
 during the commit). Containers are now paused when a commit is made to them. You
 can disable this feature by doing a `docker commit --pause=false <container_id>`
 *Tailing logs*
 You can now tail the logs of a container. For example, you can get the last ten
 lines of a log by using `docker logs --tail 10 <container_id>`. You can also
 follow the logs of a container without having to read the whole log file with
 `docker logs --tail 0 -f <container_id>`.
 *Allow a tar file as context for docker build*
 You can now pass a tar archive to `docker build` as context. This can be used to
 automate docker builds, for example: `cat context.tar | docker build -` or
 `docker run builder_image | docker build -`
 *Bind mounting your whole filesystem in a container*
 `/` is now allowed as source of `--volumes`. This means you can bind-mount your
 whole system in a container if you need to. For example: `docker run -v
 /:/my_host ubuntu:ro ls /my_host`. However, it is now forbidden to mount to /.
 ###Other Improvements & Changes
 * Port allocation has been improved. In the previous release, Docker could
 prevent you from starting a container with previously allocated ports which
 seemed to be in use when in fact they were not. This has been fixed.
 * A bug in `docker save` was introduced in the last release. The `docker save`
 command could produce images with invalid metadata. The command now produces
 images with correct metadata.
 * Running `docker inspect` in a container now returns which containers it is
 linked to.
 * Parsing of the `docker commit` flag has improved validation, to better prevent
 you from committing an image with a name such as  `-m`. Image names with dashes
 in them potentially conflict with command line flags.
 * The API now has Improved status codes for  `start` and `stop`. Trying to start
 a running container will now return a 304 error.
 * Performance has been improved overall. Starting the daemon is faster than in
 previous releases. The daemon’s performance has also been improved when it is
 working with large numbers of images and containers.
 * Fixed an issue with white-spaces and multi-lines in Dockerfiles.
 ##Version 1.1.0
 ###New Features
 *`.dockerignore` support*
 You can now add a `.dockerignore` file next to your `Dockerfile` and Docker will
 ignore files and directories specified in that file when sending the build
 context to the daemon. Example:
 https://github.com/dotcloud/docker/blob/master/.dockerignore
 *Pause containers during commit*
 Doing a commit on a running container was not recommended because you could end
 up with files in an inconsistent state (for example, if they were being written
 during the commit). Containers are now paused when a commit is made to them. You
 can disable this feature by doing a `docker commit --pause=false <container_id>`
 *Tailing logs*
 You can now tail the logs of a container. For example, you can get the last ten
 lines of a log by using `docker logs --tail 10 <container_id>`. You can also
 follow the logs of a container without having to read the whole log file with
 `docker logs --tail 0 -f <container_id>`.
 *Allow a tar file as context for docker build*
 You can now pass a tar archive to `docker build` as context. This can be used to
 automate docker builds, for example: `cat context.tar | docker build -` or
 `docker run builder_image | docker build -`
 *Bind mounting your whole filesystem in a container*
 `/` is now allowed as source of `--volumes`. This means you can bind-mount your
 whole system in a container if you need to. For example: `docker run -v
 /:/my_host ubuntu:ro ls /my_host`. However, it is now forbidden to mount to /.
 ###Other Improvements & Changes
 * Port allocation has been improved. In the previous release, Docker could
 prevent you from starting a container with previously allocated ports which
 seemed to be in use when in fact they were not. This has been fixed.
 * A bug in `docker save` was introduced in the last release. The `docker save`
 command could produce images with invalid metadata. The command now produces
 images with correct metadata.
 * Running `docker inspect` in a container now returns which containers it is
 linked to.
 * Parsing of the `docker commit` flag has improved validation, to better prevent
 you from committing an image with a name such as  `-m`. Image names with dashes
 in them potentially conflict with command line flags.
 * The API now has Improved status codes for  `start` and `stop`. Trying to start
 a running container will now return a 304 error.
 * Performance has been improved overall. Starting the daemon is faster than in
 previous releases. The daemon’s performance has also been improved when it is
 working with large numbers of images and containers.
 * Fixed an issue with white-spaces and multi-lines in Dockerfiles.
 ##Version 1.0.0
 First production-ready release. Prior development history can be found by
 searching in [GitHub](https://github.com/docker/docker).