
Docker official site security update (2019-07-22)

Source: Docker official site    Published: 2019-07-22

Basic information

Release date: 2019-07-22 (vendor local time)

Update type: security update

Updated version: 19.03.0

Observed at: 2019-12-05 19:41:37

Risk level: unknown

Intelligence contributed by: TSRC

Update title

Docker official site security update: version 19.03.0 released

Update details



Builder


Fixed COPY --from to preserve ownership. moby/moby#38599

builder-next:


Added inline cache support --cache-from. docker/engine#215
Outputs configuration allowed. moby/moby#38898
Fixed gcr workaround token cache. docker/engine#212
stopprogress is now called on download error. docker/engine#215
BuildKit now uses systemd’s resolv.conf. docker/engine#260
Setting buildkit outputs now allowed. docker/cli#1766
Look for a Dockerfile-specific dockerignore file (for example, Dockerfile.dockerignore) for ignored paths. docker/engine#215
Automatically detect if process execution is possible for x86, arm, and arm64 binaries. docker/engine#215
Updated buildkit to 1f89ec1. docker/engine#260
Use Dockerfile frontend version docker/dockerfile:1.1 by default. docker/engine#215
No longer rely on an external image for COPY/ADD operations. docker/engine#215




Client


Added --pids-limit flag to docker update. docker/cli#1765
Added sysctl support for services. docker/cli#1754
Added support for template_driver in compose files. docker/cli#1746
Added --device support for Windows. docker/cli#1606
Added support for Data Path Port configuration. docker/cli#1509
Added fast context switching via the docker context commands. docker/cli#1501
Support added for --mount type=bind,bind-nonrecursive,... docker/cli#1430
Added maximum replicas per node. docker/cli#1612
Added option to pull images quietly. docker/cli#882
Added a separate --domainname flag. docker/cli#1130
Added support for secret drivers in docker stack deploy. docker/cli#1783
Added ability to use swarm Configs as CredentialSpecs on services. docker/cli#1781
Added --security-opt systempaths=unconfined support. docker/cli#1808
Added basic framework for writing and running CLI plugins. docker/cli#1564 docker/cli#1898
Bumped Docker App to v0.8.0. docker/docker-ce-packaging#341
Added support for Docker buildx. docker/docker-ce-packaging#336
Added support for Docker Assemble v0.36.0.
Added support for Docker Cluster v1.0.0-rc2.
Added support for Docker Template v0.1.4.
Added support for Docker Registry v0.1.0-rc1.
Bumped google.golang.org/grpc to v1.20.1. docker/cli#1884
CLI changed to pass driver-specific options to docker run. docker/cli#1767
Bumped Golang to 1.12.5. docker/cli#1875
docker system info output now segregates information relevant to the client and daemon. docker/cli#1638
(Experimental) When targeting Kubernetes, added support for x-pull-secret: some-pull-secret in compose-file service configs. docker/cli#1617
(Experimental) When targeting Kubernetes, added support for x-pull-policy: <Never|Always|IfNotPresent> in compose-file service configs. docker/cli#1617
cp, save, export: Now preventing overwriting irregular files. docker/cli#1515
npipe volume type on stack file now allowed. docker/cli#1195
Fixed tty initial size error. docker/cli#1529
Fixed problem with labels copying value from environment variables. docker/cli#1671


API


Updated API version to v1.40. moby/moby#38089
Added warnings to /info endpoint, and moved detection to the daemon. moby/moby#37502
Added HEAD support for /_ping endpoint. moby/moby#38570
Added Cache-Control headers to disable caching /_ping endpoint. moby/moby#38569
Added containerd, runc, and docker-init versions to /version. moby/moby#37974
Added undocumented /grpc endpoint and registered BuildKit’s controller. moby/moby#38990


Experimental

Enabled checkpoint/restore of containers with TTY. moby/moby#38405
LCOW: Added support for memory and CPU limits. moby/moby#37296
Windows: Added ContainerD runtime. moby/moby#38541
Windows: LCOW now requires Windows RS5+. moby/moby#39108


Security


mount: added BindOptions.NonRecursive (API v1.40). moby/moby#38003
seccomp: whitelisted io_pgetevents(). moby/moby#38895
seccomp: ptrace(2) for 4.8+ kernels now allowed. moby/moby#38137


Runtime


Running dockerd as a non-root user (Rootless mode) is now allowed. moby/moby#380050
Rootless: optional support provided for lxc-user-nic SUID binary. docker/engine#208
Added DeviceRequests to HostConfig to support NVIDIA GPUs. moby/moby#38828
Added --device support for Windows. moby/moby#37638
Added memory.kernelTCP support for linux. moby/moby#37043
Windows credential specs can now be passed directly to the engine. moby/moby#38777
Added pids-limit support in docker update. moby/moby#32519
Added support for exact list of capabilities. moby/moby#38380
daemon: Now use ‘private’ ipc mode by default. moby/moby#35621
daemon: switched to semaphore-gated WaitGroup for startup tasks. moby/moby#38301
Now uses idtools.LookupGroup instead of parsing the /etc/group file for docker.sock ownership, fixing "api.go doesn't respect nsswitch.conf". moby/moby#38126
cli: fixed images filter when using multi reference filter. moby/moby#38171
Bumped Golang to 1.12.5. docker/engine#209
Bumped containerd to 1.2.6. moby/moby#39016
Bumped runc to 1.0.0-rc8, opencontainers/selinux v1.2.2. docker/engine#210
Bumped google.golang.org/grpc to v1.20.1. docker/engine#215
Performance optimized in aufs and layer store for massively parallel container creation/removal. moby/moby#39135 moby/moby#39209
Root is now passed to chroot for chroot Tar/Untar (CVE-2018-15664). moby/moby#39292
Fixed docker --init with /dev bind mount. moby/moby#37665
The right device number is now fetched when greater than 255 and using the --device-read-bps option. moby/moby#39212
Fixed "Path does not exist" error when the path definitely exists. moby/moby#39251


Networking


Moved IPVLAN driver out of experimental. moby/moby#38983
Added support for ‘dangling’ filter. moby/moby#31551 docker/libnetwork#2230
Load balancer sandbox is now deleted when a service is updated with --network-rm. docker/engine#213
Windows: Now forcing a nil IP specified in PortBindings to IPv4zero (0.0.0.0). docker/libnetwork#2376


Swarm


Added support for maximum replicas per node. moby/moby#37940
Added support for GMSA CredentialSpecs from Swarmkit configs. moby/moby#38632
Added support for sysctl options in services. moby/moby#37701
Added support for filtering on node labels. moby/moby#37650
Windows: Support added for named pipe mounts in docker service create + stack yml. moby/moby#37400
VXLAN UDP Port configuration now supported. moby/moby#38102
Now using Service Placement Constraints in Enforcer. docker/swarmkit#2857
Increased max recv gRPC message size for nodes and secrets. docker/engine#256


Logging


Enabled gcplogs driver on Windows. moby/moby#37717
Added zero padding for RFC5424 syslog format. moby/moby#38335
Added IMAGE_NAME attribute to journald log events. moby/moby#38032


Deprecation


Deprecate image manifest v2 schema1 in favor of v2 schema2. A future version of Docker will remove support for v2 schema1 altogether. moby/moby#39365
Removed v1.10 migrator. moby/moby#38265
Now skipping deprecated storage-drivers in auto-selection. moby/moby#38019
Deprecated aufs storage driver and added warning. moby/moby#38090
Removed support for 17.09.
SLES12 is deprecated from Docker Enterprise 3.0, and EOL of SLES12 as an operating system will occur in Docker Enterprise 3.1. Upgrade to SLES15 for continued support on Docker Enterprise.
Windows 2016 is formally deprecated from Docker Enterprise 3.0. Only non-overlay networks are supported on Windows 2016 in Docker Enterprise 3.0. EOL of Windows Server 2016 support will occur in Docker Enterprise 3.1. Upgrade to Windows Server 2019 for continued support on Docker Enterprise.


For more information on deprecated flags and APIs, refer to
https://docs.docker.com/engine/deprecated/ for target removal dates.

Known issues


In some circumstances with large clusters, the Swarm section of the docker info output might include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and return a 404 error after being deployed.

Workaround: restart all tasks via docker service update --force.


Traffic cannot egress the host because of missing iptables rules in the FORWARD chain.
The missing rules are:
/sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Workaround: Add these rules back using a script and cron definitions. The script must contain -C commands to check for the presence of a rule and -A commands to add rules back. Run the script from cron at regular intervals, for example, every minute.

Affected versions: 17.06.2-ee-16, 18.09.1, 19.03.0
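The check-then-add script that the workaround describes, written out as an added example; it is not part of the Docker release notes or of this page. It uses the two rules and the /sbin/iptables path quoted above. The file name docker-forward-rules.sh, the function names and the IPTABLES override variable (which lets the script be dry-run against a stub instead of the real binary) are assumptions of this example.

```shell
#!/bin/sh
# docker-forward-rules.sh: re-add the two FORWARD rules that Docker 19.03.0
# can lose (see the known issue above). Meant to be run from cron every minute.
#
# IPTABLES may be overridden, e.g. with a stub for a dry run; the default is
# the path used in the release notes. (The override variable is an assumption
# of this example, not something Docker provides.)
IPTABLES="${IPTABLES:-/sbin/iptables}"

# ensure_forward_rule BRIDGE
# Checks (-C) for the RELATED,ESTABLISHED accept rule on the given bridge and
# appends (-A) it only when the check fails, so repeated runs never duplicate it.
# Exit status: 0 rule already present, 1 rule was (re-)added, 2 iptables failed.
ensure_forward_rule() {
    bridge="$1"
    if "$IPTABLES" --wait -C FORWARD -o "$bridge" -m conntrack \
        --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null; then
        return 0
    fi
    if "$IPTABLES" --wait -A FORWARD -o "$bridge" -m conntrack \
        --ctstate RELATED,ESTABLISHED -j ACCEPT; then
        echo "docker-forward-rules: re-added FORWARD rule for $bridge" >&2
        return 1
    fi
    echo "docker-forward-rules: failed to add FORWARD rule for $bridge" >&2
    return 2
}

# ensure_docker_forward_rules
# Applies the check-then-add step to both bridges named in the release notes.
# Exit status: 0 if both rules are now present, 1 if any add failed.
ensure_docker_forward_rules() {
    failed=0
    for bridge in docker_gwbridge docker0; do
        ensure_forward_rule "$bridge" && continue   # 0: already present
        [ $? -eq 2 ] && failed=1                    # 2: add failed (1 = added)
    done
    return $failed
}

# Apply the rules when executed under the script's own name (e.g. from cron);
# when sourced under another name only the functions are defined.
case "${0##*/}" in
    docker-forward-rules.sh) ensure_docker_forward_rules ;;
esac
```

Install it as /usr/local/sbin/docker-forward-rules.sh, make it executable, and add `* * * * * /usr/local/sbin/docker-forward-rules.sh` to root's crontab. Because -C runs first, the minutely run is a no-op while the rules are present, and --wait makes the script block for the xtables lock instead of failing when dockerd is updating the tables at the same moment.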


CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until a proper fix is available in an upcoming patch release: docker pause the container before doing file operations on it. moby/moby#39252
docker cp regression due to the CVE mitigation: an error is produced when the source of docker cp is set to /.
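A wrapper that applies the pause-before-copy workaround and unpauses the container again even when the copy fails, as an added example that is not from the release notes or the Docker project. The function name docker_cp_paused and the DOCKER override variable are assumptions of this example; it also refuses a source of / because of the regression noted above.

```shell
#!/bin/sh
# docker_cp_paused: CVE-2018-15664 workaround as a reusable function. The
# container is paused for the whole docker cp, so no process inside it can
# swap a symlink between dockerd resolving the path and using it.
#
# DOCKER may be overridden, e.g. with a stub for a dry run; this override is an
# assumption of the example, not a Docker feature.
DOCKER="${DOCKER:-docker}"

# docker_cp_paused CONTAINER SRC DST
# SRC and DST use the usual docker cp spelling (CONTAINER:PATH or a host path).
# Exit status is that of docker cp, or 1 if pause/unpause itself failed or the
# source is /, which 19.03.0 rejects (regression noted in the release notes).
# The container is unpaused even when the copy fails.
docker_cp_paused() {
    container="$1"; src="$2"; dst="$3"
    case "$src" in
        /|"$container:/")
            echo "docker_cp_paused: copying / is rejected by 19.03.0; copy a subdirectory" >&2
            return 1 ;;
    esac
    "$DOCKER" pause "$container" || return 1
    if "$DOCKER" cp "$src" "$dst"; then
        rc=0
    else
        rc=$?
    fi
    # Always unpause; a container left paused is worse than a failed copy.
    "$DOCKER" unpause "$container" || return 1
    return "$rc"
}
```

Usage is `docker_cp_paused web web:/etc/nginx/nginx.conf ./nginx.conf`; the container must be running, since docker pause fails otherwise, and the function then returns without copying.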

Install Docker Engine - Enterprise fails to install on RHEL on Azure. This affects any RHEL version that uses an Extended Update Support (EUS) image. At the time of this writing, known versions affected are RHEL 7.4, 7.5, and 7.6.


Workaround options:

Use an older image and don’t get updates. Examples of EUS images are here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#rhel-images-with-eus.
Import your own RHEL images into Azure and do not rely on the Extended Update Support (EUS) RHEL images.
Use a RHEL image that does not contain a minor version in the SKU. These are not attached to EUS repositories. Some examples of those are the first three images (SKUs: 7-RAW, 7-LVM, 7-RAW-CI) listed here : https://docs.microsoft.com/en-us/azure/virtual-machines/linux/rhel-images#list-of-rhel-images-available.







Software description

Docker is an open-source application container engine. It lets developers package an application together with its dependencies into a portable image that can then be run on any popular Linux or Windows machine, and it is also used as a lightweight alternative to virtualization. Containers are isolated from one another by the host kernel's sandboxing mechanisms (namespaces and cgroups) rather than by a hypervisor, so they share the host kernel.

CVE IDs

TSRC analysis

None yet

Industry news

None yet
