docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
docs/engine/release-notes/index.md

126 KiB
Raw Blame History

title description keywords toc_min toc_max skip_read_time redirect_from
Docker Engine release notes Learn about the new features, bug fixes, and breaking changes for Docker Engine - Community docker, docker engine, ce, whats new, release notes 1 2 true
/release-notes/docker-ce/

This document describes the latest changes, additions, known issues, and fixes for Docker Engine - Community.

Note: The client and container runtime are now in separate packages from the daemon in Docker Engine 18.09. Users should install and update all three packages at the same time to get the latest patch releases. For example, on Ubuntu: sudo apt install docker-ce docker-ce-cli containerd.io. See the install instructions for the corresponding linux distro for details.

Version 19.03

19.03.8

2020-03-10

Runtime

19.03.7

2020-03-03

Builder

Runtime

Client

19.03.6

2020-02-12

Builder

Networking

Runtime

19.03.5

2019-11-14

Builder

  • builder-next: Added entitlements in builder config. docker/engine#412
  • Fix builder-next: permission errors on using build secrets or ssh forwarding with userns-remap. docker/engine#420
  • Fix builder-next: copying a symlink inside an already copied directory. docker/engine#420

Packaging

  • Support RHEL 8 packages

Runtime

19.03.4

2019-10-17

Networking

  • Rollback libnetwork changes to fix DOCKER-USER iptables chain issue. docker/engine#404

Known Issues

Existing

  • In some circumstances with large clusters, Docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.

  • Orchestrator port conflict can occur when redeploying all services as new. Due to many Swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.

    • Workaround: restart all tasks via docker service update --force.

  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252

  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.

  • Install Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6.

19.03.3

2019-10-08

Security

Builder

  • Fix builder-next: resolve digest for third party registries. docker/engine#339

  • Fix builder-next: user namespace builds when daemon started with socket activation. docker/engine#373

  • Fix builder-next; session: release forwarded ssh socket connection per connection. docker/engine#373

  • Fix build-next: llbsolver: error on multiple cache importers. docker/engine#373

Client

  • Added support for Docker Template 0.1.6.

  • Mitigate against YAML files that have excessive aliasing. docker/cli#2119

Runtime

Known Issues

New

  • DOCKER-USER iptables chain is missing: docker/for-linux#810. Users cannot perform additional container network traffic filtering on top of this iptables chain. You are not affected by this issue if you are not customizing iptable chains on top of DOCKER-USER.
    • Workaround: Insert the iptables chain after the docker daemon starts. For example: 
      iptables -N DOCKER-USER
iptables -I FORWARD -j DOCKER-USER
iptables -A DOCKER-USER -j RETURN

Existing

  • In some circumstances with large clusters, docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.

  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.

    • Workaround: restart all tasks via docker service update --force.

  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252

  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.

  • Install Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6.

19.03.2

2019-09-03

Builder

Client

  • Fix Windows absolute path detection on non-Windows docker/cli#1990

  • Fix to zsh completion script for docker login --username.

  • Fix context: produce consistent output on context create. docker/cli#1985

  • Fix support for HTTP proxy env variable. docker/cli#2059

Logging

Networking

  • Prevent panic on network attached to a container with disabled networking. moby/moby#39589

Runtime

  • Bump Golang to 1.12.8.

  • Fix a potential engine panic when using XFS disk quota for containers. moby/moby#39644

Swarm

Known issues

  • In some circumstances with large clusters, docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.

  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.

    • Workaround: restart all tasks via docker service update --force.

  • Traffic cannot egress the HOST because of missing Iptables rules in the FORWARD chain The missing rules are :

    /sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    • Workaround: Add these rules back using a script and cron definitions. The script must contain '-C' commands to check for the presence of a rule and '-A' commands to add rules back. Run the script on a cron in regular intervals, for example, every minutes.
    • Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0

  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252

  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.

  • Install Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6.

19.03.1

2019-07-25

Security

  • Fixed loading of nsswitch based config inside chroot under Glibc. CVE-2019-14271

Known issues

  • In some circumstances, in large clusters, docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.

  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.

    • Workaround: restart all tasks via docker service update --force.

  • Traffic cannot egress the HOST because of missing Iptables rules in the FORWARD chain The missing rules are :

    /sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    • Workaround: Add these rules back using a script and cron definitions. The script must contain '-C' commands to check for the presence of a rule and '-A' commands to add rules back. Run the script on a cron in regular intervals, for example, every minutes.
    • Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0

  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252

  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.

  • Install Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6.

19.03.0

2019-07-22

Builder

Client

API

Experimental

Security

Runtime

Networking

Swarm

Logging

Deprecation

  • Deprecate image manifest v2 schema1 in favor of v2 schema2. Future version of Docker will remove support for v2 schema1 althogether. moby/moby#39365
  • Removed v1.10 migrator. moby/moby#38265
  • Now skipping deprecated storage-drivers in auto-selection. moby/moby#38019
  • Deprecated aufs storage driver and added warning. moby/moby#38090
  • Removed support for 17.09.
  • SLES12 is deprecated from Docker Enterprise 3.0, and EOL of SLES12 as an operating system will occur in Docker Enterprise 3.1. Upgrade to SLES15 for continued support on Docker Enterprise.
  • Windows 2016 is formally deprecated from Docker Enterprise 3.0. Only non-overlay networks are supported on Windows 2016 in Docker Enterprise 3.0. EOL of Windows Server 2016 support will occur in Docker Enterprise 3.1. Upgrade to Windows Server 2019 for continued support on Docker Enterprise.

For more information on deprecated flags and APIs, refer to https://docs.docker.com/engine/deprecated/ for target removal dates.

Known issues

  • In some circumstances with large clusters, docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.

  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.

    • Workaround: restart all tasks via docker service update --force.

  • Traffic cannot egress the HOST because of missing Iptables rules in the FORWARD chain The missing rules are :

    /sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    • Workaround: Add these rules back using a script and cron definitions. The script must contain '-C' commands to check for the presence of a rule and '-A' commands to add rules back. Run the script on a cron in regular intervals, for example, every minutes.
    • Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0

  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252

  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.

  • Install Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6.

Older Docker Engine EE Release notes

18.03.1-ee-12

2019-11-14

Client

  • Fix potential out of memory in CLI when running docker image prune. docker/cli#1423

Logging

  • Fix jsonfile logger: follow logs stuck when max-size is set and max-file=1. moby/moby#39969

Runtime

  • Update to Go 1.12.12.
  • Seccomp: add sigprocmask (used by x86 glibc) to default seccomp profile. moby/moby#39824

18.03.1-ee-11

2019-09-03

Runtime

  • Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc.

  • Fix a potential engine panic when using XFS disk quota for containers. moby/moby#39644

  • Fix overlay2 storage driver getting "device or resource busy" on mount. moby/moby#37993

  • Update to Go 1.11.13.

Logging

Networking

Swarm

18.03.1-ee-10

2019-07-17

Runtime

  • Masked the secrets updated to the log files when running Docker Engine in debug mode. CVE-2019-13509: If a Docker engine is running in debug mode, and docker stack deploy is used to redeploy a stack which includes non-external secrets, the logs will contain the secret.

18.03.1-ee-9

2019-06-25

Client

  • Fixed annnotation on docker config create --template-driver. docker/cli#1769
  • Fixed annnotation on docker secret create --template-driver. docker/cli#1785

Runtime

18.03.1-ee-8

2019-03-28

Builder

  • Added validation for git ref to avoid misinterpreation as a flag. moby/moby#38944

Runtime

  • Fixed docker cp error for filenames greater than 100 characters. [moby/moby#38634]
  • Fixed layer/layer_store to ensure NewInputTarStream resources are released. [moby/moby#38413]

Swarm Mode

  • Fixed issue for swarm nodes not being able to join as masters if http proxy is set. [moby/moby#36951]

18.03.1-ee-7

2019-02-28

Runtime

  • Updated to Go version 1.10.8.
  • Updated to containerd version 1.1.6.
  • When copying existing folder, xattr set errors when the target filesystem doesn't support xattr are now ignored. moby/moby#38316
  • Fixed FIFO, sockets, and device files in userns, and fixed device mode not being detected. moby/moby#38758
  • Deleted stale containerd object on start failure. moby/moby#38364

Bug fixes

  • Fixed an issue to address the IPAM state from networkdb if manager is not attached to the overlay network. (docker/escalation#1049)

18.03.1-ee-6

2019-02-11

Security fixes for Docker Engine - Enterprise

  • Update runc to address a critical vulnerability that allows specially-crafted containers to gain administrative privileges on the host. CVE-2019-5736
  • Ubuntu 14.04 customers using a 3.13 kernel will need to upgrade to a supported Ubuntu 4.x kernel

18.03.1-ee-5

2019-01-09

Security fixes

  • Upgraded Go language to 1.10.6 to resolve CVE-2018-16873, CVE-2018-16874, and CVE-2018-16875.
  • Added /proc/asound to masked paths
  • Fixed authz plugin for 0-length content and path validation.

Fixes for Docker Engine - Enterprise

  • Disable kmem accounting in runc on RHEL/CentOS (docker/escalation#614, docker/escalation#692)
  • Fix resource leak on docker logs --follow moby/moby#37576
  • Mask proxy credentials from URL when displayed in system info (docker/escalation#879)

18.03.1-ee-4

2018-10-25

Note: If you're deploying UCP or DTR, use Docker EE Engine 18.09 or higher. 18.03 is an engine only release.

Client

  • Fixed help message flags on docker stack commands and child commands. docker/cli#1251
  • Fixed typo breaking zsh docker update autocomplete. docker/cli#1232

Networking

Runtime

Swarm Mode

18.03.1-ee-3

2018-08-30

Builder

Client

Runtime

Swarm Mode

  • Clean up tasks in dirty list for which the service has been deleted. docker/swarmkit#2694
  • Propagate the provided external CA certificate to the external CA object in swarm. docker/cli#1178

18.03.1-ee-2

2018-07-10

Important notes about this release

If you're deploying UCP or DTR, use Docker Engine EE 17.06 or 18.09. See Docker Compatibility Matrix for more information. {: .important}

Runtime

18.03.1-ee-1

2018-06-27

Important notes about this release

If you're deploying UCP or DTR, use Docker Engine EE 17.06 or 18.09. See Docker Compatibility Matrix for more information. {: .important}

Client

  • Update to docker-ce 18.03.1 client.
  • Add docker trust command for image signing and enabling the secure supply chain from development to deployment.
  • Add docker compose on Kubernetes.

Runtime

  • Update to docker-ce 18.03.1 engine.
  • Add support for FIPS 140-2 on x86_64.
  • Add support for Microsoft Windows Server 1709 and 1803 with support for swarm ingress routing mesh, VIP service discovery, and named pipe mounting.
  • Add support for Ubuntu 18.04.
  • Windows opt-out telemetry stream.
  • Support for --chown with COPY and ADD in Dockerfile.
  • Added functionality for the docker logs command to include the output of multiple logging drivers.

17.06.2-ee-25

2019-11-19

Builder

Client

  • Fix potential out of memory in CLI when running docker image prune. docker/cli#1423
  • Fix compose file schema to prevent invalid properties in deploy.resources. docker/cli#455

Logging

  • Fix jsonfile logger: follow logs stuck when max-size is set and max-file=1. moby/moby#39969

Runtime

  • Update to Go 1.12.12.
  • Seccomp: add sigprocmask (used by x86 glibc) to default seccomp profile. moby/moby#39824
  • Fix "device or resource busy" error on container removal with devicemapper. moby/moby#34573
  • Fix daemon.json configuration default-ulimits not working. moby/moby#32547
  • Fix denial of service with large numbers in --cpuset-cpus and --cpuset-mems. moby/moby#37967
  • Fix for docker start creates host-directory for bind mount, but shouldn't. moby/moby#35833
  • Fix OCI image media types. moby/moby#37359

Windows

17.06.2-ee-24

2019-09-03

Runtime

  • Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc.
  • Fix Fix a potential engine panic when using XFS disk quota for containers. moby/moby#39644
  • Update to Go 1.11.13.

Logging

Networking

17.06.2-ee-23

2019-07-17

Runtime

  • Masked the secrets updated to the log files when running Docker Engine in debug mode. CVE-2019-13509: If a Docker engine is running in debug mode, and docker stack deploy is used to redeploy a stack which includes non-external secrets, the logs will contain the secret.

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-22

2019-06-27

Networking

  • Fixed a bug where if a service has the same number of host-mode published ports with PublishedPort 0, changes to the spec is not reflected in the service object. docker/swarmkit#2376

Runtime

  • Added performance optimizations in aufs and layer store that helps in the creation and removal of massively parallel containers. moby/moby#39107
  • Fixed CVE-2018-15664 symlink-exchange attack with directory traversal. moby/moby#39357
  • Windows: fixed support for docker service create --limit-cpu. moby/moby#39190

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-21

2019-04-11

Builder

  • Added validation for git ref so it can't be misinterpreted as a flag. moby/moby#38944

Runtime

  • Fixed docker cp error with filenames greater than 100 characters. moby/moby#38634
  • Removed temporary hot-fix and applied latest upstream patches for CVE-2019-5736. docker/runc#9
  • Fixed rootfs: umount all procfs and sysfs with --no-pivot. docker/runc#10

17.06.2-ee-20

2019-02-28

Bug fixes

  • Fixed an issue to address the IPAM state from networkdb if manager is not attached to the overlay network. (docker/escalation#1049)

Runtime

  • Updated to Go version 1.10.8.

Windows

  • Fixed failed to register layer bug on docker pull of windows images.

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-19

2019-02-11

Security fixes for Docker Engine - Enterprise

  • Update runc to address a critical vulnerability that allows specially-crafted containers to gain administrative privileges on the host. CVE-2019-5736
  • Ubuntu 14.04 customers using a 3.13 kernel will need to upgrade to a supported Ubuntu 4.x kernel

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-18

2019-01-09

Security fixes

  • Upgraded Go language to 1.10.6 to resolve CVE-2018-16873, CVE-2018-16874, and CVE-2018-16875.
  • Added /proc/asound to masked paths
  • Fixed authz plugin for 0-length content and path validation.

Fixes for Docker Engine Engine - Enterprise

  • Disable kmem accounting in runc on RHEL/CentOS (docker/escalation#614, docker/escalation#692)
  • Fix resource leak on docker logs --follow moby/moby#37576
  • Mask proxy credentials from URL when displayed in system info (docker/escalation#879)

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-17

2018-10-25

Networking

Plugins

Swarm mode

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-16

2018-07-26

Client

Networking

Packaging

  • Update packaging description and license to Docker EUSA.

Runtime

Swarm mode

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-15

2018-07-10

Runtime

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-14

2018-06-21

Client

  • Set a 30s timeout for HTTP client communication with plugin backend. docker/cli#883

Runtime

  • Fix Windows docker daemon crash when docker stats is used. moby/moby#35968

Swarm mode

  • Fix docker stack deploy --prune with empty name removes all swarm services. moby/moby#36776

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-13

2018-06-04

Networking

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-12

2018-05-29

Networking

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-11

2018-05-17

Client

Networking

Runtime

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-10

2018-04-27

Runtime

  • Fix version output to not have -dev.

Known issues

  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-9

2018-04-26

Runtime

  • Make Swarm manager Raft quorum parameters configurable in daemon config. moby/moby#36726
  • Windows: Ignore missing tombstone files when closing an image.
  • Windows: Fix directory deletes when a container sharing a base image is running.

Swarm mode

Known issues

  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-8

2018-04-17

Runtime

Networking

Packaging

  • Ensure the graphdriver dir is a shared mount within docker systemd service.

Known issues

  • Under certain conditions, swarm leader re-election may timeout prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-7

2018-03-19

Important notes about this release

  • The overlay2 detection has been improved in this release. On Linux distributions where devicemapper was the default storage driver, overlay2 is now used by default, if the kernel supports it.

Logging

Networking

Packaging

Runtime

  • Golang bumped to 1.8.7
  • Fix issue where network inspect does not show created time in swarm scope moby/moby#36095

Swarm mode

Known issues

  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-6

2017-11-27

Runtime

Swarm mode

Known issues

  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-5

2017-11-02

Important notes about this release

  • Starting with Docker EE 17.06.2-ee-5, Ubuntu, SLES, RHEL packages are also available for IBM Power using the ppc64le architecture.

  • Docker EE 17.06.2-ee-5 now enables the telemetry plugin by default on all supported Linux distributions. For more details, including how to opt out, see the documentation.

Client

Logging

Networking

Packaging

  • Add telemetry plugin for all linux distributions
  • Fix install of docker-ee on RHEL7 s390x by removing dependency on container-selinux

Runtime

  • Add support for Windows version filtering on pull of docker image moby/moby#35090

Swarm mode

  • Increase gRPC request timeout to 20 seconds for sending snapshots to prevent context deadline exceeded errors docker/swarmkit#2391
  • When a node is removed, delete all of its attachment tasks so networks used by those tasks can be removed docker/swarmkit#2414

Known issues

  • It's recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-4

2017-10-12

Client

  • Fix idempotence of docker stack deploy when secrets or configs are used docker/cli#509

Logging

Networking

Known issues

If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:

  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.2-ee-3

2017-09-22

Swarm mode

Known issues

If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:

  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.1-ee-2

2017-08-24

Client

  • Enable TCP Keep-Alive in Docker client #415

Networking

  • Lock goroutine to OS thread while changing NS #1911

Runtime

  • devmapper: ensure that UdevWait is called after calls to setCookie #33732
  • aufs: ensure diff layers are correctly removed to prevent leftover files from using up storage #34587

Swarm mode

  • Ignore PullOptions for running tasks #2351

Known issues

If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:

  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

17.06.1-ee-1

2017-08-16

Important notes about this release

  • Starting with Docker EE 17.06.1, Ubuntu, SLES, RHEL packages are also available for IBM Z using the s390x architecture.

  • Docker EE 17.06.1 includes a new telemetry plugin which is enabled by default on Ubuntu hosts. For more details, including how to opt out, see [the documentation(/enterprise/telemetry/).

  • Docker 17.06 by default disables communication with legacy (v1) registries. If you require interaction with registries that have not yet migrated to the v2 protocol, set the --disable-legacy-registry=false daemon option.

Builder

  • Add --iidfile option to docker build. It allows specifying a location where to save the resulting image ID
  • Allow specifying any remote ref in git checkout URLs #32502
  • Add multi-stage build support #31257 #32063
  • Allow using build-time args (ARG) in FROM #31352
  • Add an option for specifying build target #32496
  • Accept -f - to read Dockerfile from stdin, but use local context for building #31236
  • The values of default build time arguments (e.g HTTP_PROXY) are no longer displayed in docker image history unless a corresponding ARG instruction is written in the Dockerfile. #31584
  • Fix setting command if a custom shell is used in a parent image #32236
  • Fix docker build --label when the label includes single quotes and a space #31750
  • Disable container logging for build containers #29552
  • Fix use of **/ in .dockerignore #29043
  • Fix a regression, where ADD from remote URL's extracted archives #89
  • Fix handling of remote "git@" notation #100
  • Fix copy --from conflict with force pull #86

Client

  • Add --format option to docker stack ls #31557
  • Add support for labels in compose initiated builds #32632 #32972
  • Add --format option to docker history #30962
  • Add --format option to docker system df #31482
  • Allow specifying Nameservers and Search Domains in stack files #32059
  • Add support for read_only service to docker stack deploy #docker/cli/73
  • Adjusted docker stats memory output #docker/cli/80
  • Add --mount flag to docker run and docker create #32251
  • Add --type=secret to docker inspect #32124
  • Add --format option to docker secret ls #31552
  • Add --filter option to docker secret ls #30810
  • Add --filter scope=<swarm|local> to docker network ls #31529
  • Add --cpus support to docker update #31148
  • Add label filter to docker system prune and other prune commands #30740
  • docker stack rm now accepts multiple stacks as input #32110
  • Improve docker version --format option when the client has downgraded the API version #31022
  • Prompt when using an encrypted client certificate to connect to a docker daemon #31364
  • Display created tags on successful docker build #32077
  • Cleanup compose convert error messages #32087
  • Sort docker stack ls by name #31085
  • Flags for specifying bind mount consistency #31047
  • Output of docker CLI --help is now wrapped to the terminal width #28751
  • Suppress image digest in docker ps #30848
  • Hide command options that are related to Windows #30788
  • Fix docker plugin install prompt to accept "enter" for the "N" default #30769
  • Add truncate function for Go templates #30484
  • Support expanded syntax of ports in stack deploy #30476
  • Support expanded syntax of mounts in stack deploy #30597 #31795
  • Add --add-host for docker build #30383
  • Add .CreatedAt placeholder for docker network ls --format #29900
  • Update order of --secret-rm and --secret-add #29802
  • Add --filter enabled=true for docker plugin ls #28627
  • Add --format to docker service ls #28199
  • Add publish and expose filter for docker ps --filter #27557
  • Support multiple service IDs on docker service ps #25234
  • Allow swarm join with --availability=drain #24993
  • Docker inspect now shows "docker-default" when AppArmor is enabled and no other profile was defined #27083
  • Make pruning volumes optional when running docker system prune, and add a --volumes flag #109
  • Show progress of replicated tasks before they are assigned #97
  • Fix docker wait hanging if the container does not exist #106
  • If docker swarm ca is called without the --rotate flag, warn if other flags are passed #110
  • Fix API version negotiation not working if the daemon returns an error #115
  • Print an error if "until" filter is combined with "--volumes" on system prune #154

Contrib

  • Add support for building docker debs for Ubuntu 17.04 Zesty on amd64 #32435

Daemon

  • Fix --api-cors-header being ignored if --api-enable-cors is not set #32174
  • Cleanup docker tmp dir on start #31741
  • Deprecate --graph flag in favor or --data-root #28696

Distribution

  • Select digest over tag when both are provided during a pull #33214

Logging

  • Add monitored resource type metadata for GCP logging driver #32930
  • Add multiline processing to the AWS CloudWatch logs driver #30891
  • Add support for logging driver plugins #28403
  • Add support for showing logs of individual tasks to docker service logs, and add /task/{id}/logs REST endpoint #32015
  • Add --log-opt env-regex option to match environment variables using a regular expression #27565
  • Implement optional ring buffer for container logs #28762
  • Add --log-opt awslogs-create-group=<true|false> for awslogs (CloudWatch) to support creation of log groups as needed #29504
  • Fix segfault when using the gcplogs logging driver with a "static" binary #29478
  • Fix stderr logging for journald and syslog #95
  • Fix log readers can block writes indefinitely #98
  • Fix awslogs driver repeating last event #151

Networking

  • Add Support swarm-mode services with node-local networks such as macvlan, ipvlan, bridge, host #32981
  • Pass driver-options to network drivers on service creation #32981
  • Isolate Swarm Control-plane traffic from Application data traffic using --data-path-addr #32717
  • Allow user to replace, and customize the ingress network #31714
  • Fix UDP traffic in containers not working after the container is restarted #32505
  • Fix files being written to /var/lib/docker if a different data-root is set #32505
  • Check parameter --ip, --ip6 and --link-local-ip in docker network connect #30807
  • Added support for dns-search #30117
  • Added --verbose option for docker network inspect to show task details from all swarm nodes #31710
  • Add anonymous container alias to service record on attachable network docker/libnetwork#1651
  • Support for com.docker.network.container_interface_prefix driver label docker/libnetwork#1667
  • Improve network list performance by omitting network details that are not used #30673
  • Fix issue with driver options not received by network drivers #127

Packaging

  • Rely on container-selinux on Centos/Fedora/RHEL when available #32437

Plugins

  • Make plugin removes more resilient to failure #91

Runtime

  • Add build & engine info prometheus metrics #32792
  • Update containerd to d24f39e203aa6be4944f06dd0fe38a618a36c764 #33007
  • Update runc to 992a5be178a62e026f4069f443c6164912adbf09 #33007
  • Add option to auto-configure blkdev for devmapper #31104
  • Add log driver list to docker info #32540
  • Add API endpoint to allow retrieving an image manifest #32061
  • Do not remove container from memory on error with forceremove #31012
  • Add support for metric plugins #32874
  • Return an error when an invalid filter is given to prune commands #33023
  • Add daemon option to allow pushing foreign layers #33151
  • Fix an issue preventing containerd to be restarted after it died #32986
  • Add cluster events to Docker event stream. #32421
  • Add support for DNS search on windows #33311
  • Prevent a containerd crash when journald is restarted #33007
  • Fix healthcheck failures due to invalid environment variables #33249
  • Prevent a directory to be created in lieu of the daemon socket when a container mounting it is to be restarted during a shutdown #30348
  • Prevent a container to be restarted upon stop if its stop signal is set to SIGKILL #33335
  • Ensure log drivers get passed the same filename to both StartLogging and StopLogging endpoints #33583
  • Remove daemon data structure dump on SIGUSR1 to avoid a panic #33598
  • Ensure health probe is stopped when a container exits #32274
  • Handle paused container when restoring without live-restore set #31704
  • Do not allow sub second in healthcheck options in Dockerfile #31177
  • Support name and id prefix in secret update #30856
  • Use binary frame for websocket attach endpoint #30460
  • Fix linux mount calls not applying propagation type changes #30416
  • Fix ExecIds leak on failed exec -i #30340
  • Prune named but untagged images if danglingOnly=true #30330
  • Add daemon flag to set no_new_priv as default for unprivileged containers #29984
  • Add daemon option --default-shm-size #29692
  • Support registry mirror config reload #29650
  • Ignore the daemon log config when building images #29552
  • Move secret name or ID prefix resolving from client to daemon #29218
  • Add the ability to specify extra rules for a container device cgroup devices.allow mechanism #22563
  • Fix cpu.cfs_quota_us being reset when running systemd daemon-reload #31736
  • Prevent a goroutine leak when healthcheck gets stopped #90
  • Do not error on relabel when relabel not supported #92
  • Limit max backoff delay to 2 seconds for GRPC connection #94
  • Fix issue preventing containers to run when memory cgroup was specified due to bug in certain kernels #102
  • Fix container not responding to SIGKILL when paused #102
  • Improve error message if an image for an incompatible OS is loaded #108
  • Fix a handle leak in go-winio #112
  • Fix issue upon upgrade, preventing docker from showing running containers when --live-restore is enabled #117
  • Fix bug where services using secrets would fail to start on daemons using the userns-remap feature #121
  • Fix error handling with not-exist errors on remove #142
  • Fix REST API Swagger representation cannot be loaded with SwaggerUI #156

Security

  • Allow personality with UNAME26 bit set in default seccomp profile #32965
  • Allow setting SELinux type or MCS labels when using --ipc=container: or --ipc=host #30652
  • Redact secret data on secret creation #99

Swarm mode

  • Add an option to allow specifying a different interface for the data traffic (as opposed to control traffic) #32717
  • Allow specifying a secret location within the container #32571
  • Add support for secrets on Windows #32208
  • Add TLS Info to swarm info and node info endpoint #32875
  • Add support for services to carry arbitrary config objects #32336, #docker/cli/45,#33169
  • Add API to rotate swarm CA certificate #32993
  • Service digest pining is now handled client side #32388, #33239
  • Placement now also take platform in account #33144
  • Fix possible hang when joining fails #docker-ce/19
  • Fix an issue preventing external CA to be accepted #33341
  • Fix possible orchestration panic in mixed version clusters #swarmkit/2233
  • Avoid assigning duplicate IPs during initialization #swarmkit/2237
  • Add update/rollback order for services (--update-order / --rollback-order) #30261
  • Add support for synchronous service create and service update #31144
  • Add support for "grace periods" on healthchecks through the HEALTHCHECK --start-period and --health-start-period flag to docker service create, docker service update, docker create, and docker run to support containers with an initial startup time #28938
  • docker service create now omits fields that are not specified by the user, when possible. This allows defaults to be applied inside the manager #32284
  • docker service inspect now shows default values for fields that are not specified by the user #32284
  • Move docker service logs out of experimental #32462
  • Add support for Credential Spec and SELinux to services to the API #32339
  • Add --entrypoint flag to docker service create and docker service update #29228
  • Add --network-add and --network-rm to docker service update #32062
  • Add --credential-spec flag to docker service create and docker service update #32339
  • Add --filter mode=<global|replicated> to docker service ls #31538
  • Resolve network IDs on the client side, instead of in the daemon when creating services #32062
  • Add --format option to docker node ls #30424
  • Add --prune option to docker stack deploy to remove services that are no longer defined in the docker-compose file #31302
  • Add PORTS column for docker service ls when using ingress mode #30813
  • Fix unnescessary re-deploying of tasks when environment-variables are used #32364
  • Fix docker stack deploy not supporting endpoint_mode when deploying from a docker compose file #32333
  • Proceed with startup if cluster component cannot be created to allow recovering from a broken swarm setup #31631
  • Add Service logs formatting #31672
  • Fix service logs API to be able to specify stream #31313
  • Add --stop-signal for service create and service update #30754
  • Add --read-only for service create and service update #30162
  • Renew the context after communicating with the registry #31586
  • (experimental) Add --tail and --since options to docker service logs #31500
  • (experimental) Add --no-task-ids and --no-trunc options to docker service logs #31672
  • Do not add duplicate platform information to service spec #107
  • Cluster update and memory issue fixes #114
  • Changing get network request to return predefined network in swarm #150

Windows

  • Block pulling Windows images on non-Windows daemons #29001

Deprecation

  • Disable legacy registry (v1) by default #33629
  • Deprecate --api-enable-cors daemon flag. This flag was marked deprecated in Docker 1.6.0 but not listed in deprecated features #32352
  • Remove Ubuntu 12.04 (Precise Pangolin) as supported platform. Ubuntu 12.04 is EOL, and no longer receives updates #32520

Known issues

If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A is not reachable until one of these 2 conditions happens:

  1. Container on A sends a packet out,
  2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).

Docker EE 17.03.2-ee-8

2017-12-13

  • Handle cleanup DNS for attachable container to prevent leak in name resolution docker/libnetwork#1999
  • When a node is removed, delete all of its attachment tasks so networks used by those tasks can be removed docker/swarmkit#2417
  • Increase gRPC request timeout to 20 seconds for sending snapshots to prevent context deadline exceeded errors docker/swarmkit#2406
  • Avoid using a map for log attributes to prevent panic moby/moby#34174
  • Fix "raw" mode with the Splunk logging driver moby/moby#34520
  • Don't unmount entire plugin manager tree on remove moby/moby#33422
  • Redact secret data on secret creation moby/moby#33884
  • Sort secrets and configs to ensure idempotence and prevent docker stack deploy from useless restart of services docker/cli#509
  • Automatically set may_detach_mounts=1 on startup to prevent device or resource busy errors moby/moby#34886
  • Don't abort when setting may_detach_mounts moby/moby#35172
  • Protect health monitor channel to prevent engine panic moby/moby#35482

Docker EE 17.03.2-ee-7

2017-10-04

Docker EE 17.03.2-ee-6

2017-08-24

Docker EE 17.03.2-ee-5

20 Jul 2017

  • Add more locking to storage drivers #31136
  • Prevent data race on docker network connect/disconnect #33456
  • Improve service discovery reliability #1796 #18078
  • Fix resource leak in swarm mode #2215
  • Optimize docker system df for volumes on NFS #33620
  • Fix validation bug with host-mode ports in swarm mode #2177
  • Fix potential crash in swarm mode #2268
  • Improve network control-plane reliability #1704
  • Do not error out when selinux relabeling is not supported on volume filesystem #33831
  • Remove debugging code for aufs ebusy errors #31665
  • Prevent resource leak on healthchecks #33781
  • Fix issue where containerd supervisor may exit prematurely #32590
  • Fix potential containerd crash #2
  • Ensure server details are set in client even when an error is returned #33827
  • Fix issue where slow/dead docker logs clients can block the container #33897
  • Fix potential panic on Windows when running as a service #32244

Docker EE 17.03.2-ee-4

2017-06-01

Refer to the detailed list of all changes since the release of Docker EE 17.03.1-ee-3

Note: This release includes a fix for potential data loss under certain circumstances with the local (built-in) volume driver.

Docker EE 17.03.1-ee-3

2017-03-30

  • Fix an issue with the SELinux policy for Oracle Linux #31501

Docker EE 17.03.1-ee-2

2017-03-28

Refer to the detailed list of all changes since the release of Docker EE 17.03.0-ee-1

Docker EE 17.03.0-ee-1 (2 Mar 2017)

Initial Docker EE release, based on Docker CE 17.03.0

  • Optimize size calculation for docker system df container size #31159