
Docker official website security update (2018-11-08)

Source: Docker official website  Published: 2018-11-08

Basic information

Release date: 2018-11-08 (official local time)

Update type: Security update

Updated version: 18.09.0

Detected at: 2019-12-05 19:41:37

Risk level: Unknown

Intelligence contributor: TSRC

Update title

Docker official website security update: version 18.09.0 released

Update details



Important notes about this release

In Docker versions prior to 18.09, containerd was managed by the Docker engine daemon. In Docker Engine 18.09, containerd is managed by systemd. Since containerd is managed by systemd, any custom configuration of the docker.service systemd unit that changes mount settings (for example, MountFlags=slave) breaks interactions between the Docker Engine daemon and containerd, and you will not be able to start containers.

Run the following command to get the current value of the MountFlags property for the docker.service:

sudo systemctl show --property=MountFlags docker.service
MountFlags=


If this command prints a non-empty value for MountFlags, remove that setting from your docker.service configuration (unit file or drop-in), run systemctl daemon-reload, and restart the docker service.
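The check above, as an added example that is not part of the Docker release notes: a small POSIX sh script that reads the effective MountFlags value for docker.service, decides whether it is safe for the 18.09 upgrade, and points at the unit file or drop-in that sets it. It assumes systemd's Key=Value output from systemctl show and drop-ins under /etc/systemd/system/docker.service.d/ (the default location); those paths are assumptions, not discovered.

```shell
#!/bin/sh
# check-mountflags.sh: added example, not part of the Docker release notes.
# Finds out whether docker.service carries a MountFlags override that would
# break the dockerd <-> containerd link after upgrading to 18.09, and which
# unit file or drop-in sets it. Assumptions: systemd's Key=Value output from
# `systemctl show`, and drop-ins under /etc/systemd/system/docker.service.d/
# (the default location); the paths below are the usual ones, not discovered.

# mountflags_value: read `systemctl show --property=MountFlags` output on stdin
# and print the bare value ("" when unset, otherwise shared/slave/private).
mountflags_value() {
    sed -n 's/^MountFlags=//p' | head -n 1
}

# mountflags_ok VALUE: succeed when VALUE is empty, i.e. no override is set.
mountflags_ok() {
    [ -z "$1" ]
}

# mountflags_sources DIR: list files under DIR that set MountFlags, so the
# operator knows what to edit. Quiet (and successful) when nothing matches.
mountflags_sources() {
    grep -l '^[[:space:]]*MountFlags[[:space:]]*=' "$1"/*.conf "$1"/*.service 2>/dev/null || true
}

# check_docker_mountflags: the live check against the running systemd.
check_docker_mountflags() {
    value=$(systemctl show --property=MountFlags docker.service 2>/dev/null | mountflags_value)
    if mountflags_ok "$value"; then
        echo "docker.service: MountFlags unset, safe for 18.09"
        return 0
    fi
    echo "docker.service: MountFlags=$value will keep dockerd from reaching containerd"
    echo "remove it from:"
    mountflags_sources /etc/systemd/system/docker.service.d
    mountflags_sources /etc/systemd/system
    echo "then: systemctl daemon-reload && systemctl restart docker"
    return 1
}

# Run the live check only when invoked as a script, not when sourced for tests.
case "$0" in
    */check-mountflags.sh|check-mountflags.sh) check_docker_mountflags ;;
esac
```

Run it as sudo sh check-mountflags.sh before the package upgrade; a non-zero exit means the unit still carries a mount-propagation override that must go before containerd is split out into its own service.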

New features for Docker Engine EE


FIPS compliance added for Windows Server 2016 and later
Docker Content Trust enforcement for the Enterprise Engine. This lets Docker Engine - Enterprise be configured to run only containers whose images are signed by a specific organization; images without a trusted signature are refused.
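As an added example (not the page's or Docker's own code) of what the enforcement feature above is configured with, the script below writes a daemon.json fragment that pins trust to a set of root keys and turns enforcement on, then reads the mode back. The "content-trust" / "trust-pinning" / "root-keys" / "mode" schema is an assumption taken from the Docker Engine - Enterprise content-trust documentation as I recall it, and the repository pattern and key ID are placeholders, so verify the keys against the documentation for your release before deploying.

```shell
#!/bin/sh
# Added example, not part of the Docker release notes. Assumption: the
# "content-trust" daemon.json schema below (mode, trust-pinning, root-keys,
# official-library-images) follows the Engine - Enterprise documentation as
# I recall it; the registry pattern and the all-zero key ID are placeholders.

# write_content_trust_config DIR: write DIR/daemon.json.
# "enforced" refuses to run any image not signed by a pinned root key;
# "permissive" only logs, which is where to start while hunting down unsigned
# images still in use; "disabled" is the pre-18.09 behaviour.
write_content_trust_config() {
    cat > "$1/daemon.json" <<'EOF'
{
  "content-trust": {
    "mode": "enforced",
    "trust-pinning": {
      "official-library-images": true,
      "root-keys": {
        "registry.example.internal/platform/*": [
          "0000000000000000000000000000000000000000000000000000000000000000"
        ]
      }
    }
  }
}
EOF
}

# content_trust_mode FILE: print the configured mode without depending on jq,
# so the setting can be asserted from a config-management check.
content_trust_mode() {
    sed -n 's/^[[:space:]]*"mode":[[:space:]]*"\([a-z]*\)".*/\1/p' "$1" | head -n 1
}

# Usage: write_content_trust_config /etc/docker && systemctl restart docker
```

Roll this out as permissive first and watch the daemon log for images that would have been rejected; switching to enforced before every base image in use is signed by a pinned key turns a supply-chain control into an outage.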


New features for Docker Engine EE and CE


Updated API version to 1.39 moby/moby#37640
Added support for remote connections using SSH docker/cli#1014
Builder: added prune options to the API moby/moby#37651
Added “Warnings” to /info endpoint, and move detection to the daemon moby/moby#37502
Allows BuildKit builds to run without experimental mode enabled. BuildKit can now be configured with an option in daemon.json moby/moby#37593 moby/moby#37686 moby/moby#37692 docker/cli#1303 docker/cli#1275
Added support for build-time secrets using a --secret flag when using BuildKit docker/cli#1288
Added SSH agent socket forwarder (docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK) when using BuildKit docker/cli#1438 / docker/cli#1419
Added --chown flag support for ADD and COPY commands on Windows moby/moby#35521
Added builder prune subcommand to prune BuildKit build cache docker/cli#1295 docker/cli#1334
BuildKit: Adds configurable garbage collection policy for the BuildKit build cache docker/engine#59 / moby/moby#37846
BuildKit: Adds support for docker build --pull ... when using BuildKit moby/moby#37613
BuildKit: Adds support for “registry-mirrors” and “insecure-registries” when using BuildKit docker/engine#59 / moby/moby#37852
BuildKit: Enables network modes, including bridge. moby/moby#37620
Added docker engine subcommand to manage the lifecycle of a Docker Engine running as a privileged container on top of containerd, and to allow upgrades to Docker Engine Enterprise docker/cli#1260
Exposed product license in docker info output docker/cli#1313
Showed warnings produced by daemon in docker info output docker/cli#1225
Added “local” log driver moby/moby#37092
Amazon CloudWatch: adds awslogs-endpoint logging option moby/moby#37374
Added support for global default address pools moby/moby#37558 docker/cli#1233
Configured containerd log-level to be the same as dockerd moby/moby#37419
Added configuration option for cri-containerd moby/moby#37519
Updates containerd client to v1.2.0-rc.1 moby/moby#37664, docker/engine#75 / moby/moby#37710
Moved the POST /session endpoint out of experimental. moby/moby#40028
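The build-time secret (--secret) and SSH-agent forwarding (--ssh) items above are the security-relevant ones in this list, because they replace the habit of passing credentials through ARG, which records them in the image config. The script below is an added example, not code from the page or from Docker: it emits the old, leaky Dockerfile next to the 18.09 BuildKit version, the matching build command, and a small lint that flags the old pattern. It assumes the docker/dockerfile:1.0-experimental frontend (required for RUN --mount in 18.09); the registry and git host names, the secret id "npmrc" and the image tag are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Docker release notes. Assumptions: the
# docker/dockerfile:1.0-experimental frontend (needed for RUN --mount in 18.09);
# registry.example.internal, git.example.internal, secret id "npmrc" and the
# image tag are placeholders.

# leaky_dockerfile: the pre-18.09 pattern. Build args are written into the
# image config, so the token shows up in `docker history --no-trunc` even
# though the RUN step deletes the file; the layer that held .npmrc is kept too.
leaky_dockerfile() {
    cat <<'EOF'
FROM node:10-alpine
ARG NPM_TOKEN
COPY package.json .
RUN echo "//registry.example.internal/:_authToken=${NPM_TOKEN}" > /root/.npmrc \
 && npm install --production \
 && rm /root/.npmrc
EOF
}

# secret_dockerfile: the 18.09 pattern. The secret file and the agent socket
# exist only inside that RUN step; neither lands in a layer or in the history.
# ssh-keyscan is needed because the mount provides the agent, not known_hosts.
secret_dockerfile() {
    cat <<'EOF'
# syntax = docker/dockerfile:1.0-experimental
FROM node:10-alpine
RUN apk add --no-cache git openssh-client \
 && mkdir -p -m 0700 /root/.ssh \
 && ssh-keyscan git.example.internal >> /root/.ssh/known_hosts
COPY package.json .
RUN --mount=type=secret,id=npmrc,dst=/root/.npmrc npm install --production
RUN --mount=type=ssh git clone git@git.example.internal:platform/private-lib.git /opt/private-lib
EOF
}

# build_command TAG SECRET_FILE: the matching build invocation. DOCKER_BUILDKIT=1
# selects BuildKit without experimental mode; --ssh default forwards the agent
# in $SSH_AUTH_SOCK into the RUN --mount=type=ssh steps.
build_command() {
    printf 'DOCKER_BUILDKIT=1 docker build --secret id=npmrc,src=%s --ssh default -t %s .\n' "$2" "$1"
}

# lint_build_secrets: read a Dockerfile on stdin and fail when a credential-looking
# name is passed through ARG or ENV, which is what ends up in the image config.
lint_build_secrets() {
    if grep -Eiq '^[[:space:]]*(ARG|ENV)[[:space:]]+[A-Za-z0-9_]*(TOKEN|SECRET|PASSWORD|PASSWD|KEY)'; then
        echo "credential passed via ARG/ENV: use RUN --mount=type=secret instead" >&2
        return 1
    fi
}

# Usage: secret_dockerfile > Dockerfile && eval "$(build_command myapp:1.0 "$HOME/.npmrc")"
```

The lint is deliberately name-based: it cannot prove a value is a credential, but a TOKEN or PASSWORD build arg is almost never something you want in docker history, and the fix is mechanical.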


Improvements for Docker Engine EE and CE


Does not return “<unknown>” in /info response moby/moby#37472
BuildKit: Changes --console=[auto,false,true] to --progress=[auto,plain,tty] docker/cli#1276
BuildKit: Sets BuildKit’s ExportedProduct variable to show useful errors in the future. moby/moby#37439
Hides --data-path-addr flags when connected to a daemon that doesn’t support this option docker/cli#1240
Only shows BuildKit-specific flags if BuildKit is enabled docker/cli#1438 / docker/cli#1427
Improves version output alignment docker/cli#1204
Sorts plugin names and networks in a natural order docker/cli#1166, docker/cli#1266
Updates bash and zsh completion scripts
Passes log-level to containerd. moby/moby#37419
Uses direct server return (DSR) in east-west overlay load balancing docker/engine#93 / docker/libnetwork#2270
Builder: temporarily disables bridge networking when using BuildKit. moby/moby#37691
Blocks task starting until node attachments are ready moby/moby#37604
Propagates the provided external CA certificate to the external CA object in swarm. docker/cli#1178
Removes Ubuntu 14.04 “Trusty Tahr” as a supported platform docker-ce-packaging#255 / docker-ce-packaging#254
Removes Debian 8 “Jessie” as a supported platform docker-ce-packaging#255 / docker-ce-packaging#254
Removes ‘docker-‘ prefix for containerd and runc binaries docker/engine#61 / moby/moby#37907, docker-ce-packaging#241
Splits “engine”, “cli”, and “containerd” to separate packages, and run containerd as a separate systemd service docker-ce-packaging#131, docker-ce-packaging#158
Builds binaries with Go 1.10.4 docker-ce-packaging#181
Removes -ce / -ee suffix from version string docker-ce-packaging#206


Fixes for Docker Engine EE and CE


BuildKit: Does not cancel the BuildKit status request. moby/moby#37597
Fixes missing error output when build args are absent during docker build moby/moby#37396
Fixes error “unexpected EOF” when adding an 8GB file moby/moby#37771
LCOW: Ensures platform is populated on COPY/ADD. moby/moby#37563
Fixes mapping a range of host ports to a single container port docker/cli#1102
Fixes trust inspect typo: “AdminstrativeKeys” docker/cli#1300
Fixes environment file parsing for imports of absent variables and those with no name. docker/cli#1019
Fixes a potential “out of memory exception” when running docker image prune with a large list of dangling images docker/cli#1432 / docker/cli#1423
Fixes pipe handling in ConEmu and ConsoleZ on Windows moby/moby#37600
Fixes long startup on Windows with non-HNS-governed Hyper-V networks docker/engine#67 / moby/moby#37774
Fixes the daemon failing to start when the “runtimes” option is defined both in the config file and on the CLI docker/engine#57 / moby/moby#37871
Loosens permissions on /etc/docker directory to prevent “permission denied” errors when using docker manifest inspect docker/engine#56 / moby/moby#37847
Fixes denial of service with large numbers in cpuset-cpus and cpuset-mems docker/engine#70 / moby/moby#37967
LCOW: Adds --platform to docker import docker/cli#1375 / docker/cli#1371
LCOW: Adds LinuxMetadata support by default on Windows moby/moby#37514
LCOW: Mounts to short container paths to avoid the command-line length limit moby/moby#37659
LCOW: Fixes builder using the wrong cache layer moby/moby#37356
Fixes json-log file descriptors leaking when using --follow docker/engine#48 moby/moby#37576 moby/moby#37734
Fixes a possible deadlock on closing the watcher on kqueue moby/moby#37392
Uses poller based watcher to work around the file caching issue in Windows moby/moby#37412
Handles systemd-resolved case by providing appropriate resolv.conf to networking layer moby/moby#37485
Removes support for TLS < 1.2 moby/moby#37660
Seccomp: Whitelists syscalls linked to CAP_SYS_NICE in the default seccomp profile moby/moby#37242
Seccomp: Moves the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG docker/engine#64 / moby/moby#37929
SELinux: Fix relabeling of local volumes specified via Mounts API on selinux-enabled systems moby/moby#37739
Adds warning if REST API is accessible through an insecure connection moby/moby#37684
Masks proxy credentials from URL when displayed in system info docker/engine#72 / moby/moby#37934
Fixes mount propagation for btrfs docker/engine#86 / moby/moby#38026
Fixes nil pointer dereference in node allocation docker/engine#94 / docker/swarmkit#2764
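The proxy-credential masking fix above matters beyond docker info: the same HTTP_PROXY=http://user:pass@proxy URLs sit in systemd drop-ins that get pasted into tickets. The helper below is an added example, not the page's or Docker's own code; it reproduces that masking as a shell function and applies it to the Environment= lines of docker.service drop-ins. It assumes the usual setup of proxy variables in /etc/systemd/system/docker.service.d/*.conf, and the "xxxxx:xxxxx" placeholder is chosen to mirror dockerd's output, not quoted from it.

```shell
#!/bin/sh
# Added example, not part of the Docker release notes. Assumptions: proxy
# settings live in Environment= lines of docker.service drop-ins (the usual
# setup); the "xxxxx:xxxxx" placeholder mirrors dockerd's masked output.

# mask_proxy_url URL: replace "user:password@" in the authority with
# "xxxxx:xxxxx@". URLs without userinfo are returned unchanged, and an '@'
# in the path is not touched because the match cannot cross a '/'.
mask_proxy_url() {
    printf '%s\n' "$1" | sed -E 's#^([A-Za-z][A-Za-z0-9+.-]*://)[^@/]*@#\1xxxxx:xxxxx@#'
}

# masked_proxy_settings FILE...: print every HTTP_PROXY/HTTPS_PROXY assignment
# from the given systemd drop-ins with credentials masked, one per line.
masked_proxy_settings() {
    sed -n -E 's/^[[:space:]]*Environment="?((HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy)=[^"]*)"?.*/\1/p' "$@" 2>/dev/null |
    while IFS='=' read -r name value; do
        printf '%s=%s\n' "$name" "$(mask_proxy_url "$value")"
    done
}

# Usage: masked_proxy_settings /etc/systemd/system/docker.service.d/*.conf
```

Note that masking only helps the humans reading the output: the credential is still in the unit file and in the daemon's environment, so if the proxy account has any rights beyond egress, treat the drop-in like any other secret file.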


Known Issues


There are important changes to the upgrade process that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.

With https://github.com/boot2docker/boot2docker/releases/download/v18.09.0/boot2docker.iso, connections are refused from a node on the virtual machine. Any publishing of swarm ports in VirtualBox-created docker-machine VMs will not respond. This occurs on macOS and Windows 10, using docker-machine versions 0.15 and 0.16.

The following docker run command works, allowing access from host browser:

docker run -d -p 4000:80 nginx

However, the following docker service command fails, resulting in curl/chrome unable to connect (connection refused):

docker service create -p 5000:80 nginx

This issue is not apparent when provisioning 18.09.0 cloud VMs using docker-machine.

Workarounds:

Use cloud VMs that don’t rely on boot2docker.
docker run is unaffected.
For Swarm, set VIRTUALBOX_BOOT2DOCKER_URL=https://github.com/boot2docker/boot2docker/releases/download/v18.06.1-ce/boot2docker.iso.


This issue is resolved in 18.09.1.



Deprecation Notices



As of EE 2.1, Docker has deprecated support for Device Mapper as a storage driver. It will continue to be supported at this time, but support will be removed in a future release. Docker will continue to support Device Mapper for existing EE 2.0 and 2.1 customers. Please contact Sales for more information.

Docker recommends that existing customers migrate to using Overlay2 for the storage driver. The Overlay2 storage driver is now the default for Docker engine implementations.


As of EE 2.1, Docker has deprecated support for IBM Z (s390x). Refer to the Docker Compatibility Matrix for detailed compatibility information.



For more information on the list of deprecated flags and APIs, have a look at the deprecation information where you can find the target removal dates.

End of Life Notification

In this release, Docker has also removed support for TLS < 1.2 moby/moby#37660, Ubuntu 14.04 “Trusty Tahr” docker-ce-packaging#255 / docker-ce-packaging#254, and Debian 8 “Jessie” docker-ce-packaging#255 / docker-ce-packaging#254.


Software description

Docker is an open-source application container engine that lets developers package an application together with its dependencies into a portable image and then publish it to any popular Linux or Windows machine; it can also serve as a lightweight form of virtualization. Containers are isolated from one another by the kernel's sandboxing mechanisms.

CVE IDs

TSRC analysis

None yet

Industry news

None yet
