Merge remote-tracking branch 'private/master' into engine-rel-notes

_config.yml

@@ -20,8 +20,8 @@ exclude: ["_scripts", "apidocs/layouts", "Gemfile", "hooks", "index.html", "404.
 # You can't have - characters in these for non-YAML reasons
 
 latest_engine_api_version: "1.40"
-docker_ce_version: "19.03"
-docker_ee_version: "19.03"
+docker_ce_version: "19.03.1"
+docker_ee_version: "19.03.1"
 compose_version: "1.24.1"
 compose_file_v3: "3.7"
 compose_file_v2: "2.4"

engine/release-notes.md

@@ -30,6 +30,43 @@ in which new features cannot be adopted as quickly for consistency and compatibi
 > `sudo apt install docker-ce docker-ce-cli containerd.io`. See the install instructions
 > for the corresponding linux distro for details.
 
+## 19.03.1
+2019-07-25
+
+### Security
+
+ * Fixed loading of nsswitch based config inside chroot under Glibc. [CVE-2019-14271](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14271)
+
+### Known issues
+
+ * In some circumstances, in large clusters, docker information might, as part of the Swarm section,
+ include the error `code = ResourceExhausted desc = grpc: received message larger than
+ max (5351376 vs. 4194304)`. This does not indicate any failure or misconfiguration by the user,
+ and requires no response.
+ * Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager
+ requests in a short amount of time, some services are not able to receive traffic and are causing a `404`
+ error after being deployed.
+    - Workaround: restart all tasks via `docker service update --force`.
+
+ * Traffic cannot egress the HOST because of missing Iptables rules in the FORWARD chain
+ The missing rules are :
+     ```
+     sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+     /sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+     ```
+     - Workaround: Add these rules back using a script and cron definitions. The script
+     must contain '-C' commands to check for the presence of a rule and '-A' commands to add
+     rules back. Run the script on a cron in regular intervals, for example, every <x> minutes.
+     - Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0
+ * [CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664) symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: `docker pause` container before doing file operations. [moby/moby#39252](https://github.com/moby/moby/pull/39252)
+ * `docker cp` regression due to CVE mitigation. An error is produced when the source of `docker cp` is set to `/`.
+ * Install Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6.
+
+     - Workaround options:
+         - Use an older image and don't get updates. Examples of EUS images are here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#rhel-images-with-eus.
+         - Import your own RHEL images into Azure and do not rely on the Extended Update Support (EUS) RHEL images.
+         - Use a RHEL image that does not contain a minor version in the SKU. These are not attached to EUS repositories. Some examples of those are the first three images (SKUs: 7-RAW, 7-LVM, 7-RAW-CI) listed here : https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#list-of-rhel-images-available.
+
 ## 19.03.0
 2019-07-22
 
@@ -829,7 +866,6 @@ not reachable until one of these 2 conditions happens:
 
 As a workaround, send at least a packet out from each container like
 (ping, GARP, etc).
->>>>>>> master
 
 ## 17.06.2-ee-21
 2019-04-11