Docker Engine - Enterprise release notes

This topic applies to Docker Enterprise.

The Docker Enterprise platform business, including products, customers, and employees, has been acquired by Mirantis, Inc., effective 13-November-2019. For more information on the acquisition and how it may affect you and your business, refer to the Docker Enterprise Customer FAQ.

This document describes the latest changes, additions, known issues, and fixes for Docker Engine - Enterprise.

Docker Engine - Enterprise builds upon the corresponding Docker Engine - Community that it references. Docker Engine - Enterprise includes enterprise features as well as back-ported fixes (security-related and priority defects) from the open source. It also incorporates defect fixes for environments in which new features cannot be adopted as quickly for consistency and compatibility reasons.

Note

Since Docker Engine 18.09, the client and container runtime are in separate packages from the daemon. Users should install and update all three packages at the same time to get the latest patch releases. For example, on Ubuntu: sudo apt-get install docker-ee docker-ee-cli containerd.io. See the install instructions for the corresponding Linux distribution for details.

Version 19.03

19.03.5

2019-11-14

Builder

  • builder-next: Added entitlements in builder config. docker/engine#412
  • Fix builder-next: permission errors on using build secrets or ssh forwarding with userns-remap. docker/engine#420
  • Fix builder-next: copying a symlink inside an already copied directory. docker/engine#420

Packaging

  • Support RHEL 8 packages

Runtime

19.03.4

2019-10-17

Networking

  • Rollback libnetwork changes to fix DOCKER-USER iptables chain issue. docker/engine#404

Known Issues

Existing

  • In some circumstances with large clusters, Docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many Swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.
    • Workaround: restart all tasks via docker service update --force.
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252
  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.
  • Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6.

    • Workaround options:
      • Use an older image and don’t get updates. Examples of EUS images are here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#rhel-images-with-eus.
      • Import your own RHEL images into Azure and do not rely on the Extended Update Support (EUS) RHEL images.
      • Use a RHEL image that does not contain a minor version in the SKU. These are not attached to EUS repositories. Some examples of those are the first three images (SKUs: 7-RAW, 7-LVM, 7-RAW-CI) listed here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#list-of-rhel-images-available.

19.03.3

2019-10-08

Security

Builder

  • Fix builder-next: resolve digest for third party registries. docker/engine#339

  • Fix builder-next: user namespace builds when daemon started with socket activation. docker/engine#373

  • Fix builder-next: session: release forwarded ssh socket connection per connection. docker/engine#373

  • Fix builder-next: llbsolver: error on multiple cache importers. docker/engine#373

Client

  • Added support for Docker Template 0.1.6.

  • Mitigate against YAML files that have excessive aliasing. docker/cli#2119

Runtime

Known Issues

New

  • DOCKER-USER iptables chain is missing: docker/for-linux#810. Users cannot perform additional container network traffic filtering on top of this iptables chain. You are not affected by this issue if you are not customizing iptables chains on top of DOCKER-USER.
    • Workaround: Insert the iptables chain after the docker daemon starts. For example:
      iptables -N DOCKER-USER
      iptables -I FORWARD -j DOCKER-USER
      iptables -A DOCKER-USER -j RETURN
      

Existing

  • In some circumstances with large clusters, docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.
    • Workaround: restart all tasks via docker service update --force.
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252
  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.
  • Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6.

    • Workaround options:
      • Use an older image and don’t get updates. Examples of EUS images are here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#rhel-images-with-eus.
      • Import your own RHEL images into Azure and do not rely on the Extended Update Support (EUS) RHEL images.
      • Use a RHEL image that does not contain a minor version in the SKU. These are not attached to EUS repositories. Some examples of those are the first three images (SKUs: 7-RAW, 7-LVM, 7-RAW-CI) listed here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#list-of-rhel-images-available.

19.03.2

2019-09-03

Builder

Client

  • Fix Windows absolute path detection on non-Windows. docker/cli#1990

  • Fix to zsh completion script for docker login --username.

  • Fix context: produce consistent output on context create. docker/cli#1985

  • Fix support for HTTP proxy env variable. docker/cli#2059

Logging

Networking

  • Prevent panic on network attached to a container with disabled networking. moby/moby#39589

Runtime

  • Bump Golang to 1.12.8.

  • Fix a potential engine panic when using XFS disk quota for containers. moby/moby#39644

Swarm

Known issues

  • In some circumstances with large clusters, docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.
    • Workaround: restart all tasks via docker service update --force.
  • Traffic cannot egress the host because of missing iptables rules in the FORWARD chain. The missing rules are:
       /sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
       /sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    
    • Workaround: Add these rules back using a script and cron definitions. The script must contain ‘-C’ commands to check for the presence of a rule and ‘-A’ commands to add rules back. Run the script on a cron in regular intervals, for example, every minutes.
    • Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252
  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.
  • Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6.

    • Workaround options:
      • Use an older image and don’t get updates. Examples of EUS images are here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#rhel-images-with-eus.
      • Import your own RHEL images into Azure and do not rely on the Extended Update Support (EUS) RHEL images.
      • Use a RHEL image that does not contain a minor version in the SKU. These are not attached to EUS repositories. Some examples of those are the first three images (SKUs: 7-RAW, 7-LVM, 7-RAW-CI) listed here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#list-of-rhel-images-available.

19.03.1

2019-07-25

Security

  • Fixed loading of nsswitch based config inside chroot under Glibc. CVE-2019-14271

Known issues

  • In some circumstances, in large clusters, docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.
    • Workaround: restart all tasks via docker service update --force.
  • Traffic cannot egress the host because of missing iptables rules in the FORWARD chain. The missing rules are:
      /sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      /sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    
    • Workaround: Add these rules back using a script and cron definitions. The script must contain ‘-C’ commands to check for the presence of a rule and ‘-A’ commands to add rules back. Run the script on a cron in regular intervals, for example, every minutes.
    • Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252
  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.
  • Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6.

    • Workaround options:
      • Use an older image and don’t get updates. Examples of EUS images are here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#rhel-images-with-eus.
      • Import your own RHEL images into Azure and do not rely on the Extended Update Support (EUS) RHEL images.
      • Use a RHEL image that does not contain a minor version in the SKU. These are not attached to EUS repositories. Some examples of those are the first three images (SKUs: 7-RAW, 7-LVM, 7-RAW-CI) listed here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#list-of-rhel-images-available.

19.03.0

2019-07-22

Builder

Client

API

Experimental

Security

Runtime

Networking

Swarm

Logging

Deprecation

  • Deprecate image manifest v2 schema1 in favor of v2 schema2. A future version of Docker will remove support for v2 schema1 altogether. moby/moby#39365
  • Removed v1.10 migrator. moby/moby#38265
  • Now skipping deprecated storage-drivers in auto-selection. moby/moby#38019
  • Deprecated aufs storage driver and added warning. moby/moby#38090
  • Removed support for 17.09.
  • SLES12 is deprecated from Docker Enterprise 3.0, and EOL of SLES12 as an operating system will occur in Docker Enterprise 3.1. Upgrade to SLES15 for continued support on Docker Enterprise.
  • Windows 2016 is formally deprecated from Docker Enterprise 3.0. Only non-overlay networks are supported on Windows 2016 in Docker Enterprise 3.0. EOL of Windows Server 2016 support will occur in Docker Enterprise 3.1. Upgrade to Windows Server 2019 for continued support on Docker Enterprise.

For more information on deprecated flags and APIs, refer to https://docs.docker.com/engine/deprecated/ for target removal dates.

Known issues

  • In some circumstances with large clusters, docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.
    • Workaround: restart all tasks via docker service update --force.
  • Traffic cannot egress the host because of missing iptables rules in the FORWARD chain. The missing rules are:
      /sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      /sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    
    • Workaround: Add these rules back using a script and cron definitions. The script must contain ‘-C’ commands to check for the presence of a rule and ‘-A’ commands to add rules back. Run the script on a cron in regular intervals, for example, every minutes.
    • Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252
  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.
  • Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6.

    • Workaround options:
      • Use an older image and don’t get updates. Examples of EUS images are here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#rhel-images-with-eus.
      • Import your own RHEL images into Azure and do not rely on the Extended Update Support (EUS) RHEL images.
      • Use a RHEL image that does not contain a minor version in the SKU. These are not attached to EUS repositories. Some examples of those are the first three images (SKUs: 7-RAW, 7-LVM, 7-RAW-CI) listed here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#list-of-rhel-images-available.
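
The cron workaround for the missing FORWARD rules (listed in the known issues for 19.03.2, 19.03.1 and 19.03.0 above), written out as an added example; it is not part of the original release notes or Docker's own tooling. The IPTABLES override variable, the --apply argument, the function names and the cron path and interval are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the release notes: re-add the two FORWARD rules the
# known issue lists, but only when a -C check shows they are missing.
#
# Assumed cron.d entry (path and interval are placeholders):
#   */5 * * * * root /usr/local/sbin/docker-forward-rules.sh --apply

# IPTABLES can be overridden for testing (assumption of this example).
IPTABLES="${IPTABLES:-/sbin/iptables}"

# ensure_rule CHAIN RULE-SPEC...
# Sets ENSURE_RESULT to "present", "added" or "failed"; returns 1 on failure.
ensure_rule() {
    chain=$1
    shift
    if "$IPTABLES" --wait -C "$chain" "$@" 2>/dev/null; then
        ENSURE_RESULT=present
    elif "$IPTABLES" --wait -A "$chain" "$@"; then
        # -A appends at the end of the chain, as the workaround specifies.
        ENSURE_RESULT=added
    else
        ENSURE_RESULT=failed
        return 1
    fi
}

# Checks both bridge rules and prints how many had to be re-added.
restore_forward_rules() {
    added=0
    for bridge in docker_gwbridge docker0; do
        ensure_rule FORWARD -o "$bridge" -m conntrack \
            --ctstate RELATED,ESTABLISHED -j ACCEPT || return 1
        if [ "$ENSURE_RESULT" = added ]; then
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Only touch the firewall when explicitly asked to (for example from cron).
if [ "${1:-}" = "--apply" ]; then
    n=$(restore_forward_rules) || {
        echo "could not restore FORWARD rules" >&2
        exit 1
    }
    # Log only when a rule was missing, so cron output shows how often
    # the rules disappear.
    [ "$n" -eq 0 ] || echo "re-added $n missing FORWARD rule(s)"
fi
```

Because the -C check runs first, repeated cron runs do not stack duplicate ACCEPT rules in the FORWARD chain.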

Version 18.09

Note

New in 18.09 is an aligned release model for Docker Engine - Community and Docker Engine - Enterprise. The new versioning scheme is YY.MM.x where x is an incrementing patch version. The enterprise engine is a superset of the community engine. They will ship concurrently with the same x patch version based on the same code base.

18.09.11

2019-11-14

Builder

Runtime

  • Bump Golang to 1.12.12.

Swarm

  • Fix update out of sequence and increase max recv gRPC message size for nodes and secrets. docker/swarmkit#2900
  • Fix for specifying --default-addr-pool for docker swarm init not picked up by ingress network. docker/swarmkit#2892

18.09.10

2019-10-08

Client

  • Fix client version not being pinned when set. docker/engine#118
  • Improve error message shown on Windows when daemon is not running or client does not have elevated permissions. docker/engine#343
  • Mitigate against YAML files that have excessive aliasing. docker/cli#2119

Runtime

18.09.9

2019-09-03

Client

  • Fix Windows absolute path detection on non-Windows. docker/cli#1990
  • Fix Docker refusing to load key from delegation.key on Windows. docker/cli#1968
  • Completion scripts updates for bash and zsh.

Logging

Networking

Runtime

  • Update to Go 1.11.13.
  • Fix a potential engine panic when using XFS disk quota for containers. moby/moby#39644

Swarm

18.09.8

2019-07-17

Runtime

  • Masked the secrets updated to the log files when running Docker Engine in debug mode. CVE-2019-13509: If a Docker engine is running in debug mode, and docker stack deploy is used to redeploy a stack which includes non-external secrets, the logs will contain the secret.

Client

  • Fixed rollback config type interpolation for parallelism and max_failure_ratio fields.

Known Issue

  • There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.

18.09.7

2019-06-27

Builder

  • Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487
  • Added a workaround for GCR authentication issue. moby/moby#38246
  • Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183

Networking

  • Fixed an error where --network-rm would fail to remove a network. moby/moby#39174

Runtime

Logging

  • Added a fix that now allows large log lines for logger plugins. moby/moby#39038

Known Issue

  • There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.

18.09.6

2019-05-06

Builder

  • Fixed COPY and ADD with multiple <src> to not invalidate cache if DOCKER_BUILDKIT=1. moby/moby#38964

Networking

Known Issues

  • There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.

18.09.5

2019-04-11

Builder

Client

Networking

Runtime

Swarm Mode

Known Issues

  • There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.

18.09.4

2019-03-28

Builder

Runtime

Swarm Mode

  • Fixed nil pointer exception when joining node to swarm. moby/moby#38618
  • Fixed issue for swarm nodes not being able to join as masters if http proxy is set. moby/moby#36951

Known Issues

  • There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.

18.09.3

2019-02-28

Networking fixes

  • Windows: now avoids regeneration of network IDs to prevent broken references to networks. docker/engine#149
  • Windows: Fixed an issue where the --restart always flag on standalone containers did not work when specifying a network. (docker/escalation#1037)
  • Fixed an issue to address the IPAM state from networkdb if the manager is not attached to the overlay network. (docker/escalation#1049)

Runtime fixes and updates

  • Updated to Go version 1.10.8.
  • Modified names in the container name generator. docker/engine#159
  • When copying an existing folder, xattr set errors when the target filesystem doesn’t support xattr are now ignored. docker/engine#135
  • Graphdriver: fixed “device” mode not being detected if “character-device” bit is set. docker/engine#160
  • Fixed nil pointer dereference on failure to connect to containerd. docker/engine#162
  • Deleted stale containerd object on start failure. docker/engine#154

Known Issues

  • There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.

18.09.2

2019-02-11

Security fixes for Docker Engine - Enterprise

  • Update runc to address a critical vulnerability that allows specially-crafted containers to gain administrative privileges on the host. CVE-2019-5736
  • Ubuntu 14.04 customers using a 3.13 kernel will need to upgrade to a supported Ubuntu 4.x kernel

For additional information, refer to the Docker blog post.

Known Issues

  • There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.

18.09.1

2019-01-09

Important notes about this release

In Docker versions prior to 18.09, containerd was managed by the Docker engine daemon. In Docker Engine 18.09, containerd is managed by systemd. Since containerd is managed by systemd, any custom configuration to the docker.service systemd configuration which changes mount settings (for example, MountFlags=slave) breaks interactions between the Docker Engine daemon and containerd, and you will not be able to start containers.

Run the following command to get the current value of the MountFlags property for the docker.service:

sudo systemctl show --property=MountFlags docker.service
MountFlags=

Update your configuration if this command prints a non-empty value for MountFlags, and restart the docker service.

Security fixes

Improvements

Fixes

Packaging

Known Issues

  • When upgrading from 18.09.0 to 18.09.1, containerd is not upgraded to the correct version on Ubuntu. Learn more.
  • There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.

18.09.0

2018-11-08

Important notes about this release

In Docker versions prior to 18.09, containerd was managed by the Docker engine daemon. In Docker Engine 18.09, containerd is managed by systemd. Since containerd is managed by systemd, any custom configuration to the docker.service systemd configuration which changes mount settings (for example, MountFlags=slave) breaks interactions between the Docker Engine daemon and containerd, and you will not be able to start containers.

Run the following command to get the current value of the MountFlags property for the docker.service:

sudo systemctl show --property=MountFlags docker.service
MountFlags=

Update your configuration if this command prints a non-empty value for MountFlags, and restart the docker service.

New features for Docker Engine EE

New features

Improvements

Fixes

Known Issues

  • There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.
  • With https://github.com/boot2docker/boot2docker/releases/download/v18.09.0/boot2docker.iso, connection is being refused from a node on the virtual machine. Any publishing of swarm ports in virtualbox-created docker-machine VMs will not respond. This is occurring on macOS and Windows 10, using docker-machine version 0.15 and 0.16.

    The following docker run command works, allowing access from host browser:

    docker run -d -p 4000:80 nginx

    However, the following docker service command fails, resulting in curl/chrome unable to connect (connection refused):

    docker service create -p 5000:80 nginx

    This issue is not apparent when provisioning 18.09.0 cloud VMs using docker-machine.

    Workarounds:

    • Use cloud VMs that don’t rely on boot2docker.
    • docker run is unaffected.
    • For Swarm, set VIRTUALBOX_BOOT2DOCKER_URL=https://github.com/boot2docker/boot2docker/releases/download/v18.06.1-ce/boot2docker.iso.

    This issue is resolved in 18.09.1.

Deprecation Notices

  • As of EE 2.1, Docker has deprecated support for Device Mapper as a storage driver. It will continue to be supported at this time, but support will be removed in a future release. Docker will continue to support Device Mapper for existing EE 2.0 and 2.1 customers. Please contact Sales for more information.

    Docker recommends that existing customers migrate to using Overlay2 for the storage driver. The Overlay2 storage driver is now the default for Docker engine implementations.

  • As of EE 2.1, Docker has deprecated support for IBM Z (s390x). Refer to the Docker Compatibility Matrix for detailed compatibility information.

For more information on the list of deprecated flags and APIs, have a look at the deprecation information where you can find the target removal dates.

End of Life Notification

In this release, Docker has also removed support for TLS < 1.2 moby/moby#37660, Ubuntu 14.04 “Trusty Tahr” docker-ce-packaging#255 / docker-ce-packaging#254, and Debian 8 “Jessie” docker-ce-packaging#255 / docker-ce-packaging#254.

Older Docker Engine EE Release notes

18.03.1-ee-12

2019-11-14

Client

  • Fix potential out of memory in CLI when running docker image prune. docker/cli#1423

Logging

  • Fix jsonfile logger: follow logs stuck when max-size is set and max-file=1. moby/moby#39969

Runtime

  • Update to Go 1.12.12.
  • Seccomp: add sigprocmask (used by x86 glibc) to default seccomp profile. moby/moby#39824

18.03.1-ee-11

2019-09-03

Runtime

  • Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc.

  • Fix a potential engine panic when using XFS disk quota for containers. moby/moby#39644

  • Fix overlay2 storage driver getting “device or resource busy” on mount. moby/moby#37993

  • Update to Go 1.11.13.

Logging

Networking

Swarm

18.03.1-ee-10

2019-07-17

Runtime

  • Masked the secrets updated to the log files when running Docker Engine in debug mode. CVE-2019-13509: If a Docker engine is running in debug mode, and docker stack deploy is used to redeploy a stack which includes non-external secrets, the logs will contain the secret.

18.03.1-ee-9

2019-06-25

Client

  • Fixed annotation on docker config create --template-driver. docker/cli#1769
  • Fixed annotation on docker secret create --template-driver. docker/cli#1785

Runtime

18.03.1-ee-8

2019-03-28

Builder

  • Added validation for git ref to avoid misinterpretation as a flag. moby/moby#38944

Runtime

  • Fixed docker cp error for filenames greater than 100 characters. moby/moby#38634
  • Fixed layer/layer_store to ensure NewInputTarStream resources are released. moby/moby#38413

Swarm Mode

  • Fixed issue for swarm nodes not being able to join as masters if http proxy is set. moby/moby#36951

18.03.1-ee-7

2019-02-28

Runtime

  • Updated to Go version 1.10.8.
  • Updated to containerd version 1.1.6.
  • When copying existing folder, xattr set errors when the target filesystem doesn’t support xattr are now ignored. moby/moby#38316
  • Fixed FIFO, sockets, and device files in userns, and fixed device mode not being detected. moby/moby#38758
  • Deleted stale containerd object on start failure. moby/moby#38364

Bug fixes

  • Fixed an issue to address the IPAM state from networkdb if manager is not attached to the overlay network. (docker/escalation#1049)

18.03.1-ee-6

2019-02-11

Security fixes for Docker Engine - Enterprise

  • Update runc to address a critical vulnerability that allows specially-crafted containers to gain administrative privileges on the host. CVE-2019-5736
  • Ubuntu 14.04 customers using a 3.13 kernel will need to upgrade to a supported Ubuntu 4.x kernel

18.03.1-ee-5

2019-01-09

Security fixes

  • Upgraded Go language to 1.10.6 to resolve CVE-2018-16873, CVE-2018-16874, and CVE-2018-16875.
  • Added /proc/asound to masked paths
  • Fixed authz plugin for 0-length content and path validation.

Fixes for Docker Engine - Enterprise

  • Disable kmem accounting in runc on RHEL/CentOS (docker/escalation#614, docker/escalation#692)
  • Fix resource leak on docker logs --follow moby/moby#37576
  • Mask proxy credentials from URL when displayed in system info (docker/escalation#879)

18.03.1-ee-4

2018-10-25

Note: If you’re deploying UCP or DTR, use Docker EE Engine 18.09 or higher. 18.03 is an engine only release.

Client

  • Fixed help message flags on docker stack commands and child commands. docker/cli#1251
  • Fixed typo breaking zsh docker update autocomplete. docker/cli#1232

Networking

Runtime

Swarm Mode

18.03.1-ee-3

2018-08-30

Builder

Client

Runtime

Swarm Mode

  • Clean up tasks in dirty list for which the service has been deleted. docker/swarmkit#2694
  • Propagate the provided external CA certificate to the external CA object in swarm. docker/cli#1178

18.03.1-ee-2

2018-07-10

Important notes about this release

If you’re deploying UCP or DTR, use Docker Engine EE 17.06 or 18.09. See Docker Compatibility Matrix for more information.

Runtime

18.03.1-ee-1

2018-06-27

Important notes about this release

If you’re deploying UCP or DTR, use Docker Engine EE 17.06 or 18.09. See Docker Compatibility Matrix for more information.

Client

  • Update to docker-ce 18.03.1 client.
  • Add docker trust command for image signing and enabling the secure supply chain from development to deployment.
  • Add docker compose on Kubernetes.
  • Fix error with merge compose file with networks docker/cli#983
  • Fix docker stack deploy re-deploying services after the service was updated with --force docker/cli#963
  • Fix docker version output alignment docker/cli#965
  • Simplify the marshaling of compose types.Config docker/cli#895
  • Add support for multiple composefile when deploying docker/cli#569
  • Fix broken Kubernetes stack flags docker/cli#831
  • Fix stack marshaling for Kubernetes docker/cli#890
  • Fix and simplify bash completion for service env, mounts and labels docker/cli#682
  • Fix before and since filter for docker ps moby/moby#35938
  • Fix --label-file weird behavior docker/cli#838
  • Fix compilation of defaultCredentialStore() on unsupported platforms docker/cli#872
  • Improve and fix bash completion for images docker/cli#717
  • Added check for empty source in bind mount docker/cli#824
  • Fix TLS from environment variables in client moby/moby#36270
  • docker build now runs faster when registry-specific credential helper(s) are configured docker/cli#840
  • Update event filter zsh completion with disable, enable, install and remove docker/cli#372
  • Produce errors when empty ids are passed into inspect calls moby/moby#36144
  • Marshall version for the k8s controller docker/cli#891
  • Set a non-zero timeout for HTTP client communication with plugin backend docker/cli#883
  • Add DOCKER_TLS environment variable for --tls option docker/cli#863
  • Add --template-driver option for secrets/configs docker/cli#896
  • Move docker trust commands out of experimental docker/cli#934 docker/cli#935 docker/cli#944

Builder

Runtime

Logging

Networking

Swarm Mode

17.06.2-ee-25

2019-11-19

Builder

Client

  • Fix potential out of memory in CLI when running docker image prune. docker/cli#1423
  • Fix compose file schema to prevent invalid properties in deploy.resources. docker/cli#455

Logging

  • Fix jsonfile logger: follow logs stuck when max-size is set and max-file=1. moby/moby#39969

Runtime

  • Update to Go 1.12.12.
  • Seccomp: add sigprocmask (used by x86 glibc) to default seccomp profile. moby/moby#39824
  • Fix “device or resource busy” error on container removal with devicemapper. moby/moby#34573
  • Fix daemon.json configuration default-ulimits not working. moby/moby#32547
  • Fix denial of service with large numbers in --cpuset-cpus and --cpuset-mems. moby/moby#37967
  • Fix for docker start creates host-directory for bind mount, but shouldn’t. moby/moby#35833
  • Fix OCI image media types. moby/moby#37359

Windows

17.06.2-ee-24

2019-09-03

Runtime

  • Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc.
  • Fix a potential engine panic when using XFS disk quota for containers. moby/moby#39644
  • Update to Go 1.11.13.

Logging

Networking

17.06.2-ee-23

2019-07-17

Runtime

  • Masked the secrets written to the log files when running Docker Engine in debug mode. CVE-2019-13509: If a Docker engine is running in debug mode and docker stack deploy is used to redeploy a stack that includes non-external secrets, the logs will contain the secret.

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-22

2019-06-27

Networking

  • Fixed a bug where, if a service has the same number of host-mode published ports with PublishedPort 0, changes to the spec are not reflected in the service object. docker/swarmkit#2376

Runtime

  • Added performance optimizations in aufs and layer store that help in the creation and removal of massively parallel containers. moby/moby#39107
  • Fixed CVE-2018-15664 symlink-exchange attack with directory traversal. moby/moby#39357
  • Windows: fixed support for docker service create --limit-cpu. moby/moby#39190

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-21

2019-04-11

Builder

  • Added validation for git ref so it can’t be misinterpreted as a flag. moby/moby#38944

Runtime

  • Fixed docker cp error with filenames greater than 100 characters. moby/moby#38634
  • Removed temporary hot-fix and applied latest upstream patches for CVE-2019-5736. docker/runc#9
  • Fixed rootfs: umount all procfs and sysfs with --no-pivot. docker/runc#10

17.06.2-ee-20

2019-02-28

Bug fixes

  • Fixed an issue to address the IPAM state from networkdb if manager is not attached to the overlay network. (docker/escalation#1049)

Runtime

  • Updated to Go version 1.10.8.
  • Added cgroup namespace support. docker/runc#7

Windows

  • Fixed failed to register layer bug on docker pull of windows images.

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-19

2019-02-11

Security fixes for Docker Engine - Enterprise

  • Update runc to address a critical vulnerability that allows specially-crafted containers to gain administrative privileges on the host. CVE-2019-5736
  • Ubuntu 14.04 customers using a 3.13 kernel will need to upgrade to a supported Ubuntu 4.x kernel.

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-18

2019-01-09

Security fixes

  • Upgraded Go language to 1.10.6 to resolve CVE-2018-16873, CVE-2018-16874, and CVE-2018-16875.
  • Added /proc/asound to masked paths
  • Fixed authz plugin for 0-length content and path validation.

Fixes for Docker Engine - Enterprise

  • Disable kmem accounting in runc on RHEL/CentOS (docker/escalation#614, docker/escalation#692)
  • Fix resource leak on docker logs --follow moby/moby#37576
  • Mask proxy credentials from URL when displayed in system info (docker/escalation#879)

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-17

2018-10-25

Networking

Plugins

Swarm mode

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-16

2018-07-26

Client

Networking

Packaging

  • Update packaging description and license to Docker EUSA.

Runtime

Swarm mode

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-15

2018-07-10

Runtime

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-14

2018-06-21

Client

Runtime

Swarm mode

  • Fix docker stack deploy --prune with empty name removes all swarm services. moby/moby#36776

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-13

2018-06-04

Networking

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-12

2018-05-29

Networking

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-11

2018-05-17

Client

  • Fix presentation of published “random” host ports. docker/cli#404

Networking

Runtime

Known issues

  • When all Swarm managers are stopped at the same time, the swarm might end up in a split-brain scenario. Learn more.
  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-10

2018-04-27

Runtime

  • Fix version output to not have -dev.

Known issues

  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-9

2018-04-26

Runtime

  • Make Swarm manager Raft quorum parameters configurable in daemon config. moby/moby#36726
  • Windows: Ignore missing tombstone files when closing an image.
  • Windows: Fix directory deletes when a container sharing a base image is running.

Swarm mode

Known issues

  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A using the same IP as a container destroyed on node B within 5 minutes of the time it exited, the container on node A is not reachable until one of these two conditions occurs:
  1. The container on node A sends a packet out.
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-8

2018-04-17

Runtime

Networking

Packaging

  • Ensure the graphdriver dir is a shared mount within docker systemd service.

Known issues

  • Under certain conditions, swarm leader re-election may time out prematurely. During this period, docker commands may fail. Also during this time, creation of globally-scoped networks may be unstable. As a workaround, wait for leader election to complete before issuing commands to the cluster.
  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on node B within 5 minutes of the time that it exited, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-7

2018-03-19

Important notes about this release

  • The overlay2 detection has been improved in this release. On Linux distributions where devicemapper was the default storage driver, overlay2 is now used by default, if the kernel supports it.

Logging

Networking

Packaging

Runtime

Swarm mode

Known issues

  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on node B within 5 minutes of the time that it exited, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-6

2017-11-27

Runtime

Swarm mode

Known issues

  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on node B within 5 minutes of the time that it exited, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-5

2017-11-02

Important notes about this release

  • Starting with Docker EE 17.06.2-ee-5, Ubuntu, SLES, RHEL packages are also available for IBM Power using the ppc64le architecture.

  • Docker EE 17.06.2-ee-5 now enables the telemetry plugin by default on all supported Linux distributions. For more details, including how to opt out, see the documentation.

Client

Logging

Networking

Packaging

  • Add telemetry plugin for all linux distributions
  • Fix install of docker-ee on RHEL7 s390x by removing dependency on container-selinux

Runtime

Swarm mode

  • Increase gRPC request timeout to 20 seconds for sending snapshots to prevent context deadline exceeded errors docker/swarmkit#2391
  • When a node is removed, delete all of its attachment tasks so networks used by those tasks can be removed docker/swarmkit#2414

Known issues

  • It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
  • Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
  • SELinux enablement is not supported for containers on IBM Z on RHEL because of a missing Red Hat package.
  • If a container is spawned on node A, using the same IP of a container destroyed on node B within 5 minutes of the time that it exited, the container on node A is not reachable until one of these 2 conditions happens:
  1. Container on A sends a packet out,
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-4

2017-10-12

Client

  • Fix idempotence of docker stack deploy when secrets or configs are used docker/cli#509

Logging

Networking

Known issues

If a container is spawned on node A, using the same IP of a container destroyed on node B within 5 minutes of the time that it exited, the container on node A is not reachable until one of these 2 conditions happens:

  1. Container on A sends a packet out,
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.2-ee-3

2017-09-22

Swarm mode

Known issues

If a container is spawned on node A, using the same IP of a container destroyed on node B within 5 minutes of the time that it exited, the container on node A is not reachable until one of these 2 conditions happens:

  1. Container on A sends a packet out,
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.1-ee-2

2017-08-24

Client

  • Enable TCP Keep-Alive in Docker client #415

Networking

  • Lock goroutine to OS thread while changing NS #1911

Runtime

  • devmapper: ensure that UdevWait is called after calls to setCookie #33732
  • aufs: ensure diff layers are correctly removed to prevent leftover files from using up storage #34587

Swarm mode

  • Ignore PullOptions for running tasks #2351

Known issues

If a container is spawned on node A, using the same IP of a container destroyed on node B within 5 minutes of the time that it exited, the container on node A is not reachable until one of these 2 conditions happens:

  1. Container on A sends a packet out,
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.06.1-ee-1

2017-08-16

Important notes about this release

  • Starting with Docker EE 17.06.1, Ubuntu, SLES, RHEL packages are also available for IBM Z using the s390x architecture.

  • Docker EE 17.06.1 includes a new telemetry plugin which is enabled by default on Ubuntu hosts. For more details, including how to opt out, see the documentation (/enterprise/telemetry/).

  • Docker 17.06 by default disables communication with legacy (v1) registries. If you require interaction with registries that have not yet migrated to the v2 protocol, set the --disable-legacy-registry=false daemon option.

Builder

  • Add --iidfile option to docker build. It allows specifying a location where to save the resulting image ID
  • Allow specifying any remote ref in git checkout URLs #32502
  • Add multi-stage build support #31257 #32063
  • Allow using build-time args (ARG) in FROM #31352
  • Add an option for specifying build target #32496
  • Accept -f - to read Dockerfile from stdin, but use local context for building #31236
  • The values of default build-time arguments (e.g. HTTP_PROXY) are no longer displayed in docker image history unless a corresponding ARG instruction is written in the Dockerfile. #31584
  • Fix setting command if a custom shell is used in a parent image #32236
  • Fix docker build --label when the label includes single quotes and a space #31750
  • Disable container logging for build containers #29552
  • Fix use of **/ in .dockerignore #29043
  • Fix a regression where ADD from remote URLs extracted archives #89
  • Fix handling of remote “git@” notation #100
  • Fix copy --from conflict with force pull #86

Client

  • Add --format option to docker stack ls #31557
  • Add support for labels in compose initiated builds #32632 #32972
  • Add --format option to docker history #30962
  • Add --format option to docker system df #31482
  • Allow specifying Nameservers and Search Domains in stack files #32059
  • Add support for read_only service to docker stack deploy #docker/cli/73
  • Display Swarm cluster and node TLS information #docker/cli/44
  • Add support for placement preference to docker stack deploy #docker/cli/35
  • Add new ca subcommand to docker swarm to allow managing a swarm CA #docker/cli/48
  • Add credential-spec to compose #docker/cli/71
  • Add support for csv format options to --network and --network-add #docker/cli/62 #33130
  • Fix stack compose bind-mount volumes on Windows #docker/cli/136
  • Correctly handle a Docker daemon without registry info #docker/cli/126
  • Allow --detach and --quiet flags when using --rollback #docker/cli/144
  • Remove deprecated --email flag from docker login #docker/cli/143
  • Adjusted docker stats memory output #docker/cli/80
  • Add --mount flag to docker run and docker create #32251
  • Add --type=secret to docker inspect #32124
  • Add --format option to docker secret ls #31552
  • Add --filter option to docker secret ls #30810
  • Add --filter scope=<swarm|local> to docker network ls #31529
  • Add --cpus support to docker update #31148
  • Add label filter to docker system prune and other prune commands #30740
  • docker stack rm now accepts multiple stacks as input #32110
  • Improve docker version --format option when the client has downgraded the API version #31022
  • Prompt when using an encrypted client certificate to connect to a docker daemon #31364
  • Display created tags on successful docker build #32077
  • Cleanup compose convert error messages #32087
  • Sort docker stack ls by name #31085
  • Flags for specifying bind mount consistency #31047
  • Output of docker CLI --help is now wrapped to the terminal width #28751
  • Suppress image digest in docker ps #30848
  • Hide command options that are related to Windows #30788
  • Fix docker plugin install prompt to accept “enter” for the “N” default #30769
  • Add truncate function for Go templates #30484
  • Support expanded syntax of ports in stack deploy #30476
  • Support expanded syntax of mounts in stack deploy #30597 #31795
  • Add --add-host for docker build #30383
  • Add .CreatedAt placeholder for docker network ls --format #29900
  • Update order of --secret-rm and --secret-add #29802
  • Add --filter enabled=true for docker plugin ls #28627
  • Add --format to docker service ls #28199
  • Add publish and expose filter for docker ps --filter #27557
  • Support multiple service IDs on docker service ps #25234
  • Allow swarm join with --availability=drain #24993
  • Docker inspect now shows “docker-default” when AppArmor is enabled and no other profile was defined #27083
  • Make pruning volumes optional when running docker system prune, and add a --volumes flag #109
  • Show progress of replicated tasks before they are assigned #97
  • Fix docker wait hanging if the container does not exist #106
  • If docker swarm ca is called without the --rotate flag, warn if other flags are passed #110
  • Fix API version negotiation not working if the daemon returns an error #115
  • Print an error if “until” filter is combined with “--volumes” on system prune #154

Contrib

  • Add support for building docker debs for Ubuntu 17.04 Zesty on amd64 #32435

Daemon

  • Fix --api-cors-header being ignored if --api-enable-cors is not set #32174
  • Cleanup docker tmp dir on start #31741
  • Deprecate --graph flag in favor of --data-root #28696

Distribution

  • Select digest over tag when both are provided during a pull #33214

Logging

  • Add monitored resource type metadata for GCP logging driver #32930
  • Add multiline processing to the AWS CloudWatch logs driver #30891
  • Add support for logging driver plugins #28403
  • Add support for showing logs of individual tasks to docker service logs, and add /task/{id}/logs REST endpoint #32015
  • Add --log-opt env-regex option to match environment variables using a regular expression #27565
  • Implement optional ring buffer for container logs #28762
  • Add --log-opt awslogs-create-group=<true|false> for awslogs (CloudWatch) to support creation of log groups as needed #29504
  • Fix segfault when using the gcplogs logging driver with a “static” binary #29478
  • Fix stderr logging for journald and syslog #95
  • Fix log readers can block writes indefinitely #98
  • Fix awslogs driver repeating last event #151

Networking

  • Add support for swarm-mode services with node-local networks such as macvlan, ipvlan, bridge, host #32981
  • Pass driver-options to network drivers on service creation #32981
  • Isolate Swarm Control-plane traffic from Application data traffic using --data-path-addr #32717
  • Several improvements to Service Discovery #docker/libnetwork/1796
  • Allow user to replace, and customize the ingress network #31714
  • Fix UDP traffic in containers not working after the container is restarted #32505
  • Fix files being written to /var/lib/docker if a different data-root is set #32505
  • Check parameter --ip, --ip6 and --link-local-ip in docker network connect #30807
  • Added support for dns-search #30117
  • Added --verbose option for docker network inspect to show task details from all swarm nodes #31710
  • Clear stale datapath encryption states when joining the cluster docker/libnetwork#1354
  • Ensure iptables initialization only happens once docker/libnetwork#1676
  • Fix bad order of iptables filter rules docker/libnetwork#961
  • Add anonymous container alias to service record on attachable network docker/libnetwork#1651
  • Support for com.docker.network.container_interface_prefix driver label docker/libnetwork#1667
  • Improve network list performance by omitting network details that are not used #30673
  • Fix issue with driver options not received by network drivers #127

Packaging

  • Rely on container-selinux on Centos/Fedora/RHEL when available #32437

Plugins

  • Make plugin removes more resilient to failure #91

Runtime

  • Add build & engine info prometheus metrics #32792
  • Update containerd to d24f39e203aa6be4944f06dd0fe38a618a36c764 #33007
  • Update runc to 992a5be178a62e026f4069f443c6164912adbf09 #33007
  • Add option to auto-configure blkdev for devmapper #31104
  • Add log driver list to docker info #32540
  • Add API endpoint to allow retrieving an image manifest #32061
  • Do not remove container from memory on error with forceremove #31012
  • Add support for metric plugins #32874
  • Return an error when an invalid filter is given to prune commands #33023
  • Add daemon option to allow pushing foreign layers #33151
  • Fix an issue preventing containerd to be restarted after it died #32986
  • Add cluster events to Docker event stream. #32421
  • Add support for DNS search on windows #33311
  • Upgrade to Go 1.8.3 #33387
  • Prevent a containerd crash when journald is restarted #33007
  • Fix healthcheck failures due to invalid environment variables #33249
  • Prevent a directory to be created in lieu of the daemon socket when a container mounting it is to be restarted during a shutdown #30348
  • Prevent a container to be restarted upon stop if its stop signal is set to SIGKILL #33335
  • Ensure log drivers get passed the same filename to both StartLogging and StopLogging endpoints #33583
  • Remove daemon data structure dump on SIGUSR1 to avoid a panic #33598
  • Ensure health probe is stopped when a container exits #32274
  • Handle paused container when restoring without live-restore set #31704
  • Do not allow sub second in healthcheck options in Dockerfile #31177
  • Support name and id prefix in secret update #30856
  • Use binary frame for websocket attach endpoint #30460
  • Fix linux mount calls not applying propagation type changes #30416
  • Fix ExecIds leak on failed exec -i #30340
  • Prune named but untagged images if danglingOnly=true #30330
  • Add daemon flag to set no_new_priv as default for unprivileged containers #29984
  • Add daemon option --default-shm-size #29692
  • Support registry mirror config reload #29650
  • Ignore the daemon log config when building images #29552
  • Move secret name or ID prefix resolving from client to daemon #29218
  • Add the ability to specify extra rules for a container device cgroup devices.allow mechanism #22563
  • Fix cpu.cfs_quota_us being reset when running systemd daemon-reload #31736
  • Prevent a goroutine leak when healthcheck gets stopped #90
  • Do not error on relabel when relabel not supported #92
  • Limit max backoff delay to 2 seconds for GRPC connection #94
  • Fix issue preventing containers to run when memory cgroup was specified due to bug in certain kernels #102
  • Fix container not responding to SIGKILL when paused #102
  • Improve error message if an image for an incompatible OS is loaded #108
  • Fix a handle leak in go-winio #112
  • Fix issue upon upgrade, preventing docker from showing running containers when --live-restore is enabled #117
  • Fix bug where services using secrets would fail to start on daemons using the userns-remap feature #121
  • Fix error handling with not-exist errors on remove #142
  • Fix REST API Swagger representation cannot be loaded with SwaggerUI #156

Security

  • Allow personality with UNAME26 bit set in default seccomp profile #32965
  • Allow setting SELinux type or MCS labels when using --ipc=container: or --ipc=host #30652
  • Redact secret data on secret creation #99

Swarm mode

  • Add an option to allow specifying a different interface for the data traffic (as opposed to control traffic) #32717
  • Allow specifying a secret location within the container #32571
  • Add support for secrets on Windows #32208
  • Add TLS Info to swarm info and node info endpoint #32875
  • Add support for services to carry arbitrary config objects #32336, #docker/cli/45, #33169
  • Add API to rotate swarm CA certificate #32993
  • Service digest pinning is now handled client side #32388, #33239
  • Placement now also takes platform into account #33144
  • Fix possible hang when joining fails #docker-ce/19
  • Fix an issue preventing external CA to be accepted #33341
  • Fix possible orchestration panic in mixed version clusters #swarmkit/2233
  • Avoid assigning duplicate IPs during initialization #swarmkit/2237
  • Add update/rollback order for services (--update-order / --rollback-order) #30261
  • Add support for synchronous service create and service update #31144
  • Add support for “grace periods” on healthchecks through the HEALTHCHECK --start-period and --health-start-period flag to docker service create, docker service update, docker create, and docker run to support containers with an initial startup time #28938
  • docker service create now omits fields that are not specified by the user, when possible. This allows defaults to be applied inside the manager #32284
  • docker service inspect now shows default values for fields that are not specified by the user #32284
  • Move docker service logs out of experimental #32462
  • Add support for Credential Spec and SELinux to services to the API #32339
  • Add --entrypoint flag to docker service create and docker service update #29228
  • Add --network-add and --network-rm to docker service update #32062
  • Add --credential-spec flag to docker service create and docker service update #32339
  • Add --filter mode=<global|replicated> to docker service ls #31538
  • Resolve network IDs on the client side, instead of in the daemon when creating services #32062
  • Add --format option to docker node ls #30424
  • Add --prune option to docker stack deploy to remove services that are no longer defined in the docker-compose file #31302
  • Add PORTS column for docker service ls when using ingress mode #30813
  • Fix unnecessary re-deploying of tasks when environment-variables are used #32364
  • Fix docker stack deploy not supporting endpoint_mode when deploying from a docker compose file #32333
  • Proceed with startup if cluster component cannot be created to allow recovering from a broken swarm setup #31631
  • Topology-aware scheduling #30725
  • Automatic service rollback on failure #31108
  • Worker and manager on the same node are now connected through a UNIX socket docker/swarmkit#1828, docker/swarmkit#1850, docker/swarmkit#1851
  • Improve raft transport package docker/swarmkit#1748
  • No automatic manager shutdown on demotion/removal docker/swarmkit#1829
  • Use TransferLeadership to make leader demotion safer docker/swarmkit#1939
  • Decrease default monitoring period docker/swarmkit#1967
  • Add Service logs formatting #31672
  • Fix service logs API to be able to specify stream #31313
  • Add --stop-signal for service create and service update #30754
  • Add --read-only for service create and service update #30162
  • Renew the context after communicating with the registry #31586
  • (experimental) Add --tail and --since options to docker service logs #31500
  • (experimental) Add --no-task-ids and --no-trunc options to docker service logs #31672
  • Do not add duplicate platform information to service spec #107
  • Cluster update and memory issue fixes #114
  • Changing get network request to return predefined network in swarm #150

Windows

  • Block pulling Windows images on non-Windows daemons #29001

Deprecation

  • Disable legacy registry (v1) by default #33629
  • Deprecate --api-enable-cors daemon flag. This flag was marked deprecated in Docker 1.6.0 but not listed in deprecated features #32352
  • Remove Ubuntu 12.04 (Precise Pangolin) as supported platform. Ubuntu 12.04 is EOL, and no longer receives updates #32520

Known issues

If a container is spawned on node A, using the same IP of a container destroyed on node B within 5 minutes of the time that it exited, the container on node A is not reachable until one of these 2 conditions happens:

  1. Container on A sends a packet out,
  2. The timer that cleans the ARP entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least one packet out from each container (ping, GARP, etc.).

17.03.2-ee-8

2017-12-13

  • Handle cleanup DNS for attachable container to prevent leak in name resolution docker/libnetwork#1999
  • When a node is removed, delete all of its attachment tasks so networks used by those tasks can be removed docker/swarmkit#2417
  • Increase gRPC request timeout to 20 seconds for sending snapshots to prevent context deadline exceeded errors docker/swarmkit#2406
  • Avoid using a map for log attributes to prevent panic moby/moby#34174
  • Fix “raw” mode with the Splunk logging driver moby/moby#34520
  • Don’t unmount entire plugin manager tree on remove moby/moby#33422
  • Redact secret data on secret creation moby/moby#33884
  • Sort secrets and configs to ensure idempotence and prevent docker stack deploy from useless restart of services docker/cli#509
  • Automatically set may_detach_mounts=1 on startup to prevent device or resource busy errors moby/moby#34886
  • Don’t abort when setting may_detach_mounts moby/moby#35172
  • Protect health monitor channel to prevent engine panic moby/moby#35482

17.03.2-ee-7

2017-10-04

17.03.2-ee-6

2017-08-24

17.03.2-ee-5

20 Jul 2017

  • Add more locking to storage drivers #31136
  • Prevent data race on docker network connect/disconnect #33456
  • Improve service discovery reliability #1796 #18078
  • Fix resource leak in swarm mode #2215
  • Optimize docker system df for volumes on NFS #33620
  • Fix validation bug with host-mode ports in swarm mode #2177
  • Fix potential crash in swarm mode #2268
  • Improve network control-plane reliability #1704
  • Do not error out when selinux relabeling is not supported on volume filesystem #33831
  • Remove debugging code for aufs ebusy errors #31665
  • Prevent resource leak on healthchecks #33781
  • Fix issue where containerd supervisor may exit prematurely #32590
  • Fix potential containerd crash #2
  • Ensure server details are set in client even when an error is returned #33827
  • Fix issue where slow/dead docker logs clients can block the container #33897
  • Fix potential panic on Windows when running as a service #32244

17.03.2-ee-4

2017-06-01

Note

This release includes a fix for potential data loss under certain circumstances with the local (built-in) volume driver.

Networking

  • Fix a concurrency issue preventing network creation #33273

Runtime

  • Relabel secrets path to avoid a Permission Denied on selinux enabled systems #33236 (ref #32529)
  • Fix cases where local volumes were not properly relabeled if needed #33236 (ref #29428)
  • Fix an issue while upgrading if a plugin rootfs was still mounted #33236 (ref #32525)
  • Fix an issue where volume wouldn’t default to the rprivate propagation mode #33236 (ref #32851)
  • Fix a panic that could occur when a volume driver could not be retrieved #33236 (ref #32347)
  • Add a warning in docker info when the overlay or overlay2 graphdriver is used on a filesystem without d_type support #33236 (ref #31290)
  • Fix an issue with backporting mount spec to older volumes #33207
  • Fix issue where a failed unmount can lead to data loss on local volume remove #33120

Swarm Mode

  • Fix a case where tasks could get killed unexpectedly #33118
  • Fix an issue preventing to deploy services if the registry cannot be reached despite the needed images being locally present #33117

17.03.1-ee-3

2017-03-30

  • Fix an issue with the SELinux policy for Oracle Linux #31501

17.03.1-ee-2

2017-03-28

Remote API (v1.27) & Client

  • Fix autoremove on older api #31692
  • Fix default network customization for a stack #31258
  • Correct CPU usage calculation in presence of offline CPUs and newer Linux #31802
  • Fix issue where service healthcheck is {} in remote API #30197

Runtime

  • Update runc to 54296cf40ad8143b62dbcaa1d90e520a2136ddfe #31666
  • Ignore cgroup2 mountpoints opencontainers/runc#1266
  • Update containerd to 4ab9917febca54791c5f071a9d1f404867857fcc #31662 #31852
  • Register healthcheck service before calling restore() docker/containerd#609
  • Fix docker exec not working after unattended upgrades that reload apparmor profiles #31773
  • Fix unmounting layer without merge dir with Overlay2 #31069
  • Do not ignore “volume in use” errors when force-delete #31450

Swarm Mode

Windows

  • Cleanup HCS on restore #31503

17.03.0-ee-1

2017-03-02

Initial Docker EE release, based on Docker CE 17.03.0

IMPORTANT

Starting with this release, Docker is on a monthly release cycle and uses a new YY.MM versioning scheme to reflect this. Two channels are available: monthly and quarterly. Any given monthly release will only receive security and bugfixes until the next monthly release is available. Quarterly releases receive security and bugfixes for 4 months after initial release. This release includes bugfixes for 1.13.1 but there are no major feature additions and the API version stays the same. Upgrading from Docker 1.13.1 to 17.03.0 is expected to be simple and low-risk.

Client

  • Fix panic in docker stats --format #30776

Contrib

  • Update various bash and zsh completion scripts #30823, #30945 and more...
  • Block obsolete socket families in default seccomp profile - mitigates unpatched kernels’ CVE-2017-6074 #29076

Networking

  • Fix bug on overlay encryption keys rotation in cross-datacenter swarm #30727
  • Fix side effect panic in overlay encryption and network control plane communication failure (“No installed keys could decrypt the message”) on frequent swarm leader re-election #25608
  • Several fixes around system responsiveness and datapath programming when using overlay network with external kv-store docker/libnetwork#1639, docker/libnetwork#1632 and more...
  • Discard incoming plain vxlan packets for encrypted overlay network #31170
  • Release the network attachment on allocation failure #31073
  • Fix port allocation when multiple published ports map to the same target port docker/swarmkit#1835

Runtime

  • Optimize size calculation for docker system df container size #31159
  • Fix a deadlock in docker logs #30223
  • Fix CPU spin waiting for log write events #31070
  • Fix a possible crash when using journald #31231 #31263
  • Fix a panic on close of nil channel #31274
  • Fix duplicate mount point for --volumes-from in docker run #29563
  • Fix --cache-from does not cache last step #31189

Swarm Mode

  • Shutdown leaks an error when the container was never started #31279
  • Fix possibility of tasks getting stuck in the “NEW” state during a leader failover docker/swarmkit#1938
  • Fix extraneous task creations for global services that led to confusing replica counts in docker service ls docker/swarmkit#1957
  • Fix problem that made rolling updates slow when task-history-limit was set to 1 docker/swarmkit#1948
  • Restart tasks elsewhere, if appropriate, when they are shut down as a result of nodes no longer satisfying constraints docker/swarmkit#1958
  • (experimental)