# UCP Release Notes Here you can learn about new features, bug fixes, breaking changes and known issues for each UCP version. You can then use [the upgrade instructions](installation/upgrade.md), to upgrade your installation to the latest release. ## Version 1.1.3 Note: UCP 1.1.3 supports Docker Engine 1.12 but does not use the built-in orchestration capabilities provided by the Docker Engine on swarm mode. When installing this UCP version on a Docker Engine 1.12 host, UCP creates a cluster using Docker Swarm 1.2.5. **Security Update** Fixes a security issue by which a malicious user with limited privileges can perform unauthorized actions on the cluster via the API. **Features** * Core * Upgraded Docker Swarm to 1.2.5 * Non-admin users no longer have the ability to edit or delete UCP/DTR volumes and networks. * The Pull Image, Delete Image, Create Volume, Delete Volume, Create Network and Delete Network operations are now inaccessible to users with View Only default permissions or lower. **Bug Fixes** * Improved system performance when large numbers of overlay networks are deployed on the cluster. * Fixed an issue which affected container rescheduling on clusters with overlay networks. * Fixed an issue which affected synchronizing organization owners (admins) in LDAP when migrating from DTR 1.4.3 to 2.0.x * Fixed an issue where UCP/DTR integration config was not loaded when UCP controller was restarted. * Fixed an issue in the GUI where the sidebar does not display when first logging into UCP. * Fixed an issue where volumes created through the UCP GUI did not correctly populate the labels field. **Known Issues** * This version of UCP cannot be installed on Engine 1.12 host with swarm mode enabled, and is not compatible with swarm-mode based APIs, e.g. `docker service`. ## Version 1.1.2 Note: UCP 1.1.2 supports Docker Engine 1.12 but doesn't use the new clustering capabilities provided by the Docker swarm mode. When installing this UCP version on a Docker Engine 1.12, UCP creates a "classic" Docker Swarm 1.2.3 cluster. **Features** * Core * Upgraded etcd to version 2.3.6. * Upgraded rethinkDB to version 2.3.4. * The support dump generated by `dsinfo` now provides more information about the UCP deployment, that can be used by Docker support. * docker/ucp image * It's now possible to generate a support dump directly from the CLI using the `support` command. * It's now possible to tune how often UCP's key-value store takes snapshots using the `docker/ucp install --kv-snapshot-count` option. This can be used with the `--kv-timeout` flag to tune the performance of the key-value store. [Learn more about tuning the key-value store](https://github.com/coreos/etcd/blob/master/Documentation/v2/tuning.md#snapshots) * UI * The dashboard now notifies admin users when an update for UCP is available. * It's now possible to see which specific controllers need to have root CAs inserted in order to achieve high-availability. * It's now possible to filter images on the `Images` tab. **Bug Fixes** * Fixed an issue in which UCP failed to install in machines where the hostname has more than 41 characters. * Fixed an issue in which `ping` requests caused a memory leak in the `ucp-controller` and `ucp-kv` containers. * When installing in the CLI, UCP now displays the specified `ADMIN_USERNAME` variable rather than just "admin". * Fixed an issue where container owner label permissions took priority over access label permissions when displaying a list of containers. * Fixed an issue in which upgrading to UCP caused a user to still see an older version in the UI. **Known Issues** * This version of UCP can't be installed on Engine 1.12 swarm-mode based clusters, and is not compatible with swarm-mode based APIs, e.g. `docker service`. ## Version 1.1.1 **Features** * Core * Upgraded Docker Swarm to version 1.2.3. * An administrator can now reset their password. Use the `docker/ucp-auth passwd` command for this. * docker/ucp image * It's now possible to configure the election timeout of the UCP key-value store with the `docker/ucp install --kv-timeout` option. This is useful when running UCP across multiple regions. Note that the heartbeat interval will be 1/10th of the specified election timeout value. [Learn more](https://coreos.com/etcd/docs/latest/tuning.html) * It's now possible to skip TLS verification when joining new nodes to the cluster, using the `docker/ucp join --insecure-fingerprint` option. However, to ensure your cluster is secure, don't use this option for normal UCP deployments. * The restore operation now supports `--interactive, -i` flags, which require a backup file to be mounted in `/backup.tar` instead of streamed through `stdin`. * UI * When pulling images on the UCP UI, you can now provide login credentials for a private registry. * It's now possible to disable a user account, to make it easier to switch from managed authentication to LDAP and vice-versa. * Added a setting to submit usage reports without anonymizing data. * When failing to pull an image on the UCP UI, a feedback message is now displayed. * The Containers page now allows showing and hiding columns. * The Containers page now allows filtering for running, stopped, and system containers. **Bug Fixes** * Fixed an issue that prevented new nodes to be joined to a cluster, after upgrading UCP from an older version to 1.1.0. * Fixed an issue that prevented UCP from integrating with DTR for single-sign-on when pushing/pulling images. * When upgrading, configurations for user, teams, and organizations are now preserved. * When upgrading, version labels are correctly added to the containers. * Improved error logs generated by the UP key-value store. * The restore command now ensures the backup is not corrupt, that the UCP cluster is healthy and is running the same or later version of UCP before restoring. * The restore command now works correctly on a freshly installed instance of UCP, assuming the same host IP and a correct backup file. * LDAP domain names are now case-insensitive for easier syncing. * Fixed an issue that caused LDAP syncs to run every minute, after upgrading UCP from an older version to 1.1.0. * Fixed error by which user could get an "access denied" message when deploying a container from the UI due to cached permission labels. * Fixed issue where environment variables were not being passed to new containers when "Allow users to deploy containers on UCP controllers" setting was disabled. **Misc** * Since container rescheduling has reached GA on Docker Swarm, you can use it without having to install UCP with the `--swarm-experimental-flag`. * UCP now requires a minimum of 2 GB of RAM per node, instead of 1.5 GB. * During installation, UCP now warns you to only restart the Docker Engine after joining all controller nodes to the cluster. **Known Issues** * When using UCP with a Docker Engine prior to 1.11.1-cs2, containers with a restart policy set to `restart=always` and using an overlay network, may not resume properly when the Docker daemon is restarted. Upgrade the Docker Engine on your nodes to version 1.11.1-cs2 to fix this. This is especially important when running UCP and DTR on the same nodes, and with high-availability. * When attempting to restore a v1.1.0 backup on a new cluster installed with the `fresh-install` flag, the restore operation may fail due to engine-discovery configuration issues. You should create new backups after upgrading to v1.1.1. * UCP fails to install in machines where the hostname has more than 41 characters. This will be fixed in a future release. (Fixed in UCP 1.1.2) ## Version 1.1.0 **Features** * Core * UCP and DTR are now using a unified authentication service. * Users and teams created in UCP are displayed in DTR under the 'Datacenter' organization. * All controllers joined to the cluster now have replicated CAs. For this, you need to copy the root key material to controllers joined to the cluster, * All UCP components were compiled with Go 1.5.4 and 1.6 to address a security vulnerability in Go. * When joining nodes to the cluster, UCP automatically runs 'engine-discovery' to configure the Docker Engine for multi-host networking. * If you're using Docker Engine 1.11 with default configurations, when joining new nodes to the cluster multi-host networking is automatically configured without needing to restart the Docker daemon. * docker/ucp image * Added the 'backup' command to create backups of controller nodes. * Added the 'restore' command, to restore a controller node from a backup. * Added the 'regen-certs' command, to regenerate keys and certificates used on a controller node. You can use this for changing the SANS on the certificates or in case a CA is compromised. * Added the 'stop' and 'restart' commands, to stop and start UCP containers. ​ * UI * Now you can deploy apps from the UI using a docker-compse.yml file. * There's a new setting to prevent users from deploying containers to the UCP controller nodes. * Improved usability of LDAP configuration settings. * Images page no longer shows the sha256 id of each image ID. * User profiles now display default permissions. * Improved feedback when creating users and teams with invalid characters. * Added horizontal scrollbar to wide pages. **Bug Fixes** * Improved messages when installing UCP on a host with firewall rules. * Images page no longer shows images generated from intermediate builds. * Images page no longer hangs when pulling an image. * Scaling a container from the UI now preserves parameters like 'net' and 'privileged'. * Fixed `docker ps --filter` to filter containers correctly. **Misc** * All UCP containers now have the 'com.docker.ucp.version' label with their upstream version or UCP version. * When running docker/ucp in interactive mode, the parameters and environment variables passed to the command are displayed. * Renamed 'external-ucp-ca' flag to 'external-server-cert' for clarity. The former name is deprecated but still available. * UCP is automatically configured to use overlay networking. Make sure ports 4789 and 7946 are open for this to work. * The new authentication service requires ports 12383-12386 to be open. **Known Issues** * After upgrading to version `1.1.0`, if you join new nodes to the cluster, a success message is displayed, but that node will not be part of the cluster. As a workaround, join new controller nodes before upgrading, or perform a fresh installation of UCP 1.1.0. * If you have an active login session in UCP and do an upgrade, you should force refresh the browser or you may run into UI errors. * When joining replicas to the cluster, you may be prompted to restart the Docker daemon on that node. For a faster installation, only restart the Docker daemon after joining all replicas. * When deploying applications from the UI, using the `host` network option might cause errors. If this happens, deploy the application from the CLI. * UCP 1.1.0 may not integrate correctly with DTR for purposes of single-sign-on for pushing/pulling images. It is recommended to upgrade to UCP 1.1.1 for this. **Component Versions** UCP 1.1.0 uses: * cfssl 1.2.0 * Docker Compose 1.7.0 * Docker Swarm: 1.1.3 * etcd 2.2.5 * RethinkDB 2.3.0 ## Version 1.0.4 **Security update** Fixes a security issue by which a user can can obtain unauthorized access to UCP via LDAP authentication. ## Version 1.0.3 Fixes a bug introduced by version 1.0.2 that was causing problems when a user navigated to their profile page. ## Version 1.0.2 **Security update** Fixes a security issue by which a non-admin user account can gain admin-level privileges via the UCP API. **Known Issues** Non-admin users might have an error when navigating to their profile page. This happens when the user is part of a team that has a label applied to it. ## Version 1.0.1 **Features** * Core * Upgraded Swarm to 1.1.3 * Improved support for `docker cp` * System CA pool fallback for secure DTR connections * Added `--swarm-experimental` option during UCP install * UI * Can provide one-time credentials to deploy a container from a private registry in UI * Added checkbox to select all containers in Containers screen * Removed click handlers from UI elements containing checkboxes * Usernames and team names now need to be url-compatible * Several usability improvements to Team screen * Messages now display team name, instead of Id * Added support for Growl style notifications * Improved usability of Applications page, when there are no applications deployed * Several improvements to form validations * Improved error messages displayed when users try to pull an image with no name * Don't allow creating teams with the same name * Non-admin users can no longer see cluster overview in Dashboard screen * Page size control is no longer displayed when the list has few elements * Renamed 'Roles' to 'Permissions' **Bug fixes** * Users that are on a team and have permission set to 'None', can no longer see containers * Volume driver options are now being correctly sent to Docker Engine * Fix bug with visibility to User containers with the owner the same as a label ## Version 1.0.0 **Features** * Core * License is now required to add nodes * Improved access control system * /\_ping endpoint now checks the state of datastore and Swarm * Use mutual TLS in CFSSL * Improved access control for Docker Engine proxy * Added support for custom server certificates and user bundles * Users can now launch "private" containers if default permission is Restricted Control or greater * UI * Pages for Containers, Images, and Applications are now consistent * Improved usability of LDAP configuration page * Logs are displayed during LDAP configuration * Users can now see their permissions and teams on their profile page * Improved license configuration * Improved error messages for restricted operations * Support for enabling and disabling DTR integration **Bug fixes** * Users only see volumes, images, and networks if they have permissions * User default role now setup properly with LDAP authentication * Fixed container privilege escalation in access control * Fixed UI issue that caused errors in Safari **Misc** * UCP now uses a vendored UCP Swarm image * Removed timestamps from controller logs * Switched from 'Full Control' to 'Restricted Control' for managing non-container resources **Known issues** In version 1.0.0 it's not possible to create containers on user-defined bridge networks, using the UCP web app. This happens because the UCP web app is using the \/\ syntax, which is not supported. As a workaround, create the containers using the CLI and: * Use only \, and let Swarm find the node with that network, or * Use the network ID instead. **Upgrade notes** It's not possible to upgrade from previous versions to v1.0. If you've participated in the Docker UCP beta program, you need to uninstall the beta version, before installing v1.0. To ensure a smooth transition process, start by uninstalling UCP from the regular nodes, followed by the controller nodes. Also, make sure you use `ucp uninstall` command from version 1.0: docker run --rm -it --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:1.0.0 uninstall -i After uninstalling, you can [Install UCP on a sandbox](install-sandbox.md), or [Install UCP for production](installation/install-production.md).