docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'public-repo/master'

This commit is contained in:
Dawn W Docker 2020-01-28 13:41:36 -08:00
parent 8c86b50d30 e9cea27661
commit 8ec4cb3d06
4 changed files with 99 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_data/toc.yaml
View File

@ -1688,6 +1688,8 @@ manuals:
title: Set the user's session timeout
- path: /ee/ucp/admin/configure/ucp-configuration-file/
title: UCP configuration file
- path: /ee/ucp/admin/configure/kms-plugin/
title: KMS plugin support for UCP
- path: /ee/ucp/admin/configure/use-node-local-network-in-swarm/
title: Use a local node network in a swarm
- path: /ee/ucp/admin/configure/use-your-own-tls-certificates/

40
ee/dtr/release-notes.md
View File

@ -24,6 +24,21 @@ to upgrade your installation to the latest release.
# Version 2.7
## 2.7.5
(2020-01-28)
### Bug fixes
* Fixed the bug that caused the jobrunner logs to flood with `unable to cancel request: nil`. (docker/dhe-deploy #10807)
* Fixed the bug that resulted in added licenses not presenting in the UI prior to a page refresh. (docker/dhe-deploy #10815)
* Update offline license instructions, to direct users to hub.docker.com (and not store.docker.com). (docker/dhe-deploy #10835)
* Addition of more descriptive error messaging for a situation in which an advanced license for tag pruning and poll mirroring is missing. (docker/dhe-deploy #10827)
### Security
* Includes a new version of the security scanner which re-enables daily CVE database updates. Following the patch release upgrade, security scans will fail until a new version of the database is provided (if DTR is configured for online updates, this will occur automatically within 24 hours). To trigger an immediate update, (1) access the DTR UI, (2) go to the **Security** under **System** settings, and (3) click the **Sync database now** button.
If DTR is configured for offline updates, download the database for version 2.7.5 or higher. (docker/dhe-deploy #10845)
## 2.7.4
(2019-11-13)
@ -168,6 +183,19 @@ Refer to [DTR image vulnerabilities](https://success.docker.com/article/dtr-imag
# Version 2.6
## 2.6.12
(2020-01-28)
### Bug fixes
* Fixed the bug that caused the jobrunner logs to flood with `unable to cancel request: nil`. (docker/dhe-deploy #10805)
* Update offline license instructions, to direct users to hub.docker.com (and not store.docker.com). (docker/dhe-deploy #10836)
### Security
* Includes a new version of the security scanner which re-enables daily CVE database updates. Following the patch release upgrade, security scans will fail until a new version of the database is provided (if DTR is configured for online updates, this will occur automatically within 24 hours). To trigger an immediate update, (1) access the DTR UI, (2) go to the **Security** under **System** settings, and (3) click the **Sync database now** button. (docker/dhe-deploy #10847)
If DTR is configured for offline updates, download CVE Vulnerability Database for DTR version 2.6.12 or higher.
## 2.6.11
(2019-11-13)
@ -507,6 +535,18 @@ Refer to [DTR image vulnerabilities](https://success.docker.com/article/dtr-imag
>
> Upgrade path from 2.5.x to 2.6: Upgrade directly to 2.6.4.
## 2.5.16
(2020-01-28)
### Bug fixes
* When a repository is deleted the corresponding webhook metadata is also deleted. (docker/dhe-deploy #10830)
### Security
* Includes a new version of the security scanner which re-enables daily CVE database updates. Following the patch release upgrade, security scans will fail until a new version of the database is provided (if DTR is configured for online updates, this will occur automatically within 24 hours). To trigger an immediate update, (1) access the DTR UI, (2) go to the **Security** under **System** settings, and (3) click the **Sync database now** button.
If DTR is configured for offline updates, download CVE Vulnerability Database for DTR version 2.5.16 or higher. (docker/dhe-deploy #10849)
## 2.5.15
(2019-11-13)

33
ee/ucp/admin/configure/kms-plugin.md Normal file
View File

@ -0,0 +1,33 @@
---
title: KMS plugin support for UCP
description: Learn about the KMS plugin for UCP.
keywords: ucp, kms, kubernetes, plugin, configuration
---
>{% include enterprise_label_shortform.md %}
Docker Universal Control Plane (UCP) 3.2.5 adds support for a Key Management Service (KMS) plugin to allow access to third-party secrets management solutions, such as Vault. This plugin is used by UCP for access from Kubernetes clusters.
## Deployment
KMS must be deployed before a machine becomes a UCP manager or it may be considered unhealthy. UCP will not health check, clean up, or otherwise manage the KMS plugin.
## Configuration
KMS plugin configuration should be done through UCP. UCP will maintain ownership of the Kubernetes EncryptionConfig file, where the KMS plugin is configured for Kubernetes. UCP does not currently check this files contents after deployment.
UCP adds new configuration options to the cluster configuration table. These options are not exposed through the web UI, but can be configured via the [API](https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/).
The following table shows the configuration options for the KMS plugin. These options are not required.
| Parameter | Type | Description |
|------------------|------|------------------------------------------|
| `kms_enabled` | bool | Determines if UCP should configure a KMS plugin. |
| `kms_name` | string | Name of the KMS plugin resource (for example, “vault”). |
| `kms_endpoint` | string | Path of the KMS plugin socket. This path must refer to a UNIX socket on the host (for example, “/tmp/socketfile.sock”). UCP will bind mount this file to make it accessible to the API server. |
| `kms_cachesize` | int | Number of data encryption keys (DEKs) to be cached in the clear. |
## Where to go next
* [Using a KMS provider for data encryption](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/)
* [Encrypting Secret Data at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/)
* [UCP API Documentation](https://docs.docker.com/reference/ucp/3.2/api/)

24
ee/ucp/release-notes.md
View File

@ -26,6 +26,30 @@ upgrade your installation to the latest release.
# Version 3.2
## 3.2.5
2020-01-28
### Known issues
* UCP currently turns on vulnerability information for images deployed within UCP by default for upgrades. This may cause clusters to fail due to performance issues. (ENGORC-2746)
* For Red Hat Enterprise Linux (RHEL) 8, if firewalld is running and `FirewallBackend=nftables` is set in `/etc/firewalld/firewalld.conf`, change this to `FirewallBackend=iptables`, or you can explicitly run the following commands to allow traffic to enter the default bridge (docker0) network:
```
firewall-cmd --permanent --zone=trusted --add-interface=docker0
firewall-cmd --reload
```
### Kubernetes
* Enabled support for a user-managed Kubernetes KMS plugin. See [KMS plugin support for UCP](/ee/ucp/admin/configure/kms-plugin.md) for more information.
### Components
| Component | Version |
| --------------------- | ------- |
| UCP | 3.2.5 |
| Kubernetes | 1.14.8 |
| Calico | 3.8.2 |
| Interlock | 3.0.0 |
| Interlock NGINX proxy | 1.14.2 |
## 3.2.4
2019-11-14