Docker official site security update (2017-08-16)

Source: Docker official site    Published: 2017-08-16    Views: 1502    Comments: 0

Basic information

Release date: 2017-08-16 (vendor local time)

Update type: security update

Updated version: 17.06.1-ee-1

Detected at: 2019-12-05 19:41:37

Risk level: unknown

Intelligence contributor: TSRC

Update title

Docker official site security update: version 17.06.1-ee-1 released

Update details



Important notes about this release

Starting with Docker EE 17.06.1, Ubuntu, SLES and RHEL packages are also available
for IBM Z using the s390x architecture.


Docker EE 17.06.1 includes a new telemetry plugin
which is enabled by default on Ubuntu hosts. For more details, including how to
opt out, see the documentation at /enterprise/telemetry/.


Docker 17.06 by default disables communication with legacy (v1)
registries. If you require interaction with registries that have not yet
migrated to the v2 protocol, set the --disable-legacy-registry=false daemon
option.



Builder


Add --iidfile option to docker build. It allows specifying a location where to save the resulting image ID
Allow specifying any remote ref in git checkout URLs #32502
Add multi-stage build support #31257 #32063
Allow using build-time args (ARG) in FROM #31352
Add an option for specifying build target #32496
Accept -f - to read Dockerfile from stdin, but use local context for building #31236
The values of default build-time arguments (e.g. HTTP_PROXY) are no longer displayed in docker image history unless a corresponding ARG instruction is written in the Dockerfile. #31584
Fix setting command if a custom shell is used in a parent image #32236
Fix docker build --label when the label includes single quotes and a space #31750
Disable container logging for build containers #29552
Fix use of **/ in .dockerignore #29043
Fix a regression, where ADD from remote URL’s extracted archives #89
Fix handling of remote “git@” notation #100
Fix copy --from conflict with force pull #86


Client


Add --format option to docker stack ls #31557
Add support for labels in compose initiated builds #32632 #32972
Add --format option to docker history #30962
Add --format option to docker system df #31482
Allow specifying Nameservers and Search Domains in stack files #32059
Add support for read_only service to docker stack deploy #docker/cli/73
Display Swarm cluster and node TLS information #docker/cli/44
Add support for placement preference to docker stack deploy #docker/cli/35
Add new ca subcommand to docker swarm to allow managing a swarm CA #docker/cli/48
Add credential-spec to compose #docker/cli/71
Add support for csv format options to --network and --network-add #docker/cli/62 #33130
Fix stack compose bind-mount volumes on Windows #docker/cli/136
Correctly handle a Docker daemon without registry info #docker/cli/126
Allow --detach and --quiet flags when using --rollback #docker/cli/144
Remove deprecated --email flag from docker login #docker/cli/143
Adjusted docker stats memory output #docker/cli/80
Add --mount flag to docker run and docker create #32251
Add --type=secret to docker inspect #32124
Add --format option to docker secret ls #31552
Add --filter option to docker secret ls #30810
Add --filter scope=<swarm|local> to docker network ls #31529
Add --cpus support to docker update #31148
Add label filter to docker system prune and other prune commands #30740
docker stack rm now accepts multiple stacks as input #32110
Improve docker version --format option when the client has downgraded the API version #31022
Prompt when using an encrypted client certificate to connect to a docker daemon #31364
Display created tags on successful docker build #32077
Cleanup compose convert error messages #32087
Sort docker stack ls by name #31085
Flags for specifying bind mount consistency #31047
Output of docker CLI --help is now wrapped to the terminal width #28751
Suppress image digest in docker ps #30848
Hide command options that are related to Windows #30788
Fix docker plugin install prompt to accept “enter” for the “N” default #30769
Add truncate function for Go templates #30484
Support expanded syntax of ports in stack deploy #30476
Support expanded syntax of mounts in stack deploy #30597 #31795
Add --add-host for docker build #30383
Add .CreatedAt placeholder for docker network ls --format #29900
Update order of --secret-rm and --secret-add #29802
Add --filter enabled=true for docker plugin ls #28627
Add --format to docker service ls #28199
Add publish and expose filter for docker ps --filter #27557
Support multiple service IDs on docker service ps #25234
Allow swarm join with --availability=drain #24993
Docker inspect now shows “docker-default” when AppArmor is enabled and no other profile was defined #27083
Make pruning volumes optional when running docker system prune, and add a --volumes flag #109
Show progress of replicated tasks before they are assigned #97
Fix docker wait hanging if the container does not exist #106
If docker swarm ca is called without the --rotate flag, warn if other flags are passed #110
Fix API version negotiation not working if the daemon returns an error #115
Print an error if “until” filter is combined with “--volumes” on system prune #154


Contrib


Add support for building docker debs for Ubuntu 17.04 Zesty on amd64 #32435


Daemon


Fix --api-cors-header being ignored if --api-enable-cors is not set #32174
Cleanup docker tmp dir on start #31741
Deprecate --graph flag in favor of --data-root #28696


Distribution


Select digest over tag when both are provided during a pull #33214


Logging


Add monitored resource type metadata for GCP logging driver #32930
Add multiline processing to the AWS CloudWatch logs driver #30891
Add support for logging driver plugins #28403
Add support for showing logs of individual tasks to docker service logs, and add /task/{id}/logs REST endpoint #32015
Add --log-opt env-regex option to match environment variables using a regular expression #27565
Implement optional ring buffer for container logs #28762
Add --log-opt awslogs-create-group=<true|false> for awslogs (CloudWatch) to support creation of log groups as needed #29504
Fix segfault when using the gcplogs logging driver with a “static” binary #29478
Fix stderr logging for journald and syslog #95
Fix log readers can block writes indefinitely #98
Fix awslogs driver repeating last event #151


Networking


Add support for swarm-mode services with node-local networks such as macvlan, ipvlan, bridge and host #32981
Pass driver-options to network drivers on service creation #32981
Isolate Swarm Control-plane traffic from Application data traffic using --data-path-addr #32717
Several improvements to Service Discovery #docker/libnetwork/1796
Allow user to replace, and customize the ingress network #31714
Fix UDP traffic in containers not working after the container is restarted #32505
Fix files being written to /var/lib/docker if a different data-root is set #32505
Check parameter --ip, --ip6 and --link-local-ip in docker network connect #30807
Added support for dns-search #30117
Added --verbose option for docker network inspect to show task details from all swarm nodes #31710
Clear stale datapath encryption states when joining the cluster docker/libnetwork#1354
Ensure iptables initialization only happens once docker/libnetwork#1676
Fix bad order of iptables filter rules docker/libnetwork#961
Add anonymous container alias to service record on attachable network docker/libnetwork#1651
Support for com.docker.network.container_interface_prefix driver label docker/libnetwork#1667
Improve network list performance by omitting network details that are not used #30673
Fix issue with driver options not received by network drivers #127


Packaging


Rely on container-selinux on Centos/Fedora/RHEL when available #32437


Plugins


Make plugin removes more resilient to failure #91


Runtime


Add build & engine info prometheus metrics #32792
Update containerd to d24f39e203aa6be4944f06dd0fe38a618a36c764 #33007
Update runc to 992a5be178a62e026f4069f443c6164912adbf09 #33007
Add option to auto-configure blkdev for devmapper #31104
Add log driver list to docker info #32540
Add API endpoint to allow retrieving an image manifest #32061
Do not remove container from memory on error with forceremove #31012
Add support for metric plugins #32874
Return an error when an invalid filter is given to prune commands #33023
Add daemon option to allow pushing foreign layers #33151
Fix an issue preventing containerd from being restarted after it died #32986
Add cluster events to Docker event stream. #32421
Add support for DNS search on windows #33311
Upgrade to Go 1.8.3 #33387
Prevent a containerd crash when journald is restarted #33007
Fix healthcheck failures due to invalid environment variables #33249
Prevent a directory from being created in lieu of the daemon socket when a container mounting it is to be restarted during a shutdown #30348
Prevent a container from being restarted upon stop if its stop signal is set to SIGKILL #33335
Ensure log drivers get passed the same filename to both StartLogging and StopLogging endpoints #33583
Remove daemon data structure dump on SIGUSR1 to avoid a panic #33598
Ensure health probe is stopped when a container exits #32274
Handle paused container when restoring without live-restore set #31704
Do not allow sub second in healthcheck options in Dockerfile #31177
Support name and id prefix in secret update #30856
Use binary frame for websocket attach endpoint #30460
Fix linux mount calls not applying propagation type changes #30416
Fix ExecIds leak on failed exec -i #30340
Prune named but untagged images if danglingOnly=true #30330
Add daemon flag to set no_new_priv as default for unprivileged containers #29984
Add daemon option --default-shm-size #29692
Support registry mirror config reload #29650
Ignore the daemon log config when building images #29552
Move secret name or ID prefix resolving from client to daemon #29218
Add the ability to specify extra rules for a container device cgroup devices.allow mechanism #22563
Fix cpu.cfs_quota_us being reset when running systemd daemon-reload #31736
Prevent a goroutine leak when healthcheck gets stopped #90
Do not error on relabel when relabel not supported #92
Limit max backoff delay to 2 seconds for GRPC connection #94
Fix issue preventing containers from running when a memory cgroup was specified, due to a bug in certain kernels #102
Fix container not responding to SIGKILL when paused #102
Improve error message if an image for an incompatible OS is loaded #108
Fix a handle leak in go-winio #112
Fix issue upon upgrade, preventing docker from showing running containers when --live-restore is enabled #117
Fix bug where services using secrets would fail to start on daemons using the userns-remap feature #121
Fix error handling with not-exist errors on remove #142
Fix REST API Swagger representation cannot be loaded with SwaggerUI #156


Security


Allow personality with UNAME26 bit set in default seccomp profile #32965
Allow setting SELinux type or MCS labels when using --ipc=container: or --ipc=host #30652
Redact secret data on secret creation #99


Swarm mode


Add an option to allow specifying a different interface for the data traffic (as opposed to control traffic) #32717
Allow specifying a secret location within the container #32571
Add support for secrets on Windows #32208
Add TLS Info to swarm info and node info endpoint #32875
Add support for services to carry arbitrary config objects #32336, #docker/cli/45,#33169
Add API to rotate swarm CA certificate #32993
Service digest pinning is now handled client side #32388, #33239
Placement now also takes platform into account #33144
Fix possible hang when joining fails #docker-ce/19
Fix an issue preventing an external CA from being accepted #33341
Fix possible orchestration panic in mixed version clusters #swarmkit/2233
Avoid assigning duplicate IPs during initialization #swarmkit/2237
Add update/rollback order for services (--update-order / --rollback-order) #30261
Add support for synchronous service create and service update #31144
Add support for “grace periods” on healthchecks through the HEALTHCHECK --start-period and --health-start-period flag to
docker service create, docker service update, docker create, and docker run to support containers with an initial startup
time #28938
docker service create now omits fields that are not specified by the user, when possible. This allows defaults to be applied inside the manager #32284
docker service inspect now shows default values for fields that are not specified by the user #32284
Move docker service logs out of experimental #32462
Add support for Credential Spec and SELinux to services to the API #32339
Add --entrypoint flag to docker service create and docker service update #29228
Add --network-add and --network-rm to docker service update #32062
Add --credential-spec flag to docker service create and docker service update #32339
Add --filter mode=<global|replicated> to docker service ls #31538
Resolve network IDs on the client side, instead of in the daemon when creating services #32062
Add --format option to docker node ls #30424
Add --prune option to docker stack deploy to remove services that are no longer defined in the docker-compose file #31302
Add PORTS column for docker service ls when using ingress mode #30813
Fix unnecessary re-deploying of tasks when environment variables are used #32364
Fix docker stack deploy not supporting endpoint_mode when deploying from a docker compose file #32333
Proceed with startup if cluster component cannot be created to allow recovering from a broken swarm setup #31631
Topology-aware scheduling #30725
Automatic service rollback on failure #31108
Worker and manager on the same node are now connected through a UNIX socket docker/swarmkit#1828, docker/swarmkit#1850, docker/swarmkit#1851
Improve raft transport package docker/swarmkit#1748
No automatic manager shutdown on demotion/removal docker/swarmkit#1829
Use TransferLeadership to make leader demotion safer docker/swarmkit#1939
Decrease default monitoring period docker/swarmkit#1967
Add Service logs formatting #31672
Fix service logs API to be able to specify stream #31313
Add --stop-signal for service create and service update #30754
Add --read-only for service create and service update #30162
Renew the context after communicating with the registry #31586
(experimental) Add --tail and --since options to docker service logs #31500
(experimental) Add --no-task-ids and --no-trunc options to docker service logs #31672
Do not add duplicate platform information to service spec #107
Cluster update and memory issue fixes #114
Changing get network request to return predefined network in swarm #150


Windows


Block pulling Windows images on non-Windows daemons #29001


Deprecation


Disable legacy registry (v1) by default #33629
Deprecate --api-enable-cors daemon flag. This flag was marked deprecated in Docker 1.6.0 but not listed in deprecated features #32352
Remove Ubuntu 12.04 (Precise Pangolin) as supported platform. Ubuntu 12.04 is EOL, and no longer receives updates #32520


Known issues

If a container is spawned on node A using the same IP as a container destroyed
on node B within 5 minutes of the time that it exited, the container on node A is
not reachable until one of these two conditions happens:

The container on A sends a packet out, or
the timer that cleans the ARP entry in the overlay namespace fires (around 5 minutes).

As a workaround, send at least one packet out from each container
(for example a ping or a gratuitous ARP).
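The workaround above, as an added example that is not part of the Docker release notes or of Docker's own tooling: a POSIX shell script that makes every endpoint attached to a given network emit one packet. It assumes the docker CLI is on PATH and that the containers carry a ping binary, and it uses the network's IPAM gateway address (read with docker network inspect) as the target; the target does not need to answer, because the aim is only to put a frame on the overlay so that the stale ARP entry is refreshed. nudge_network prints the number of endpoints it attempted.

```shell
#!/bin/sh
# Added example, not part of the Docker release notes: make every container
# attached to an overlay network send one packet so the stale ARP entry
# described in the known issue is refreshed before the ~5 minute timer fires.
# Assumptions: the docker CLI is on PATH and the containers carry `ping`.

# List the endpoint IDs that docker reports for network $1 on this node.
containers_on_network() {
    docker network inspect -f '{{range $id, $ep := .Containers}}{{$id}}{{"\n"}}{{end}}' "$1"
}

# Send a single ICMP echo from each endpoint on network $1 toward the
# network's IPAM gateway. The reply does not matter (the overlay gateway
# address may not answer); only the outgoing frame does, so ping errors
# are deliberately ignored. Prints the number of endpoints attempted.
nudge_network() {
    net="$1"
    gw=$(docker network inspect -f '{{(index .IPAM.Config 0).Gateway}}' "$net")
    count=0
    for ep in $(containers_on_network "$net"); do
        docker exec "$ep" ping -c 1 -W 1 "$gw" >/dev/null 2>&1 || true
        count=$((count + 1))
    done
    echo "$count"
}

# Usage: nudge_network <overlay-network-name>
```

Run it on every node that hosts containers on the affected network; each node only sees its own endpoints in docker network inspect, so one invocation per node is needed. Endpoints that cannot be exec'ed into are skipped by the `|| true` and do not abort the loop.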

Software description

Docker is an open-source application container engine that lets developers package their applications and dependencies into a portable image and then publish it to any popular Linux or Windows machine; it can also be used for virtualization. Containers rely entirely on a sandbox mechanism and expose no interfaces to one another. [1]

CVE ID

TSRC analysis

None yet

Industry news

None yet
