Docker Engine release notes¶

Client¶

• Bumped to go1.13.15 to address CVE-2020-16845

Engine¶

• Bumped to go1.13.15 to address CVE-2020-16845

Client¶

• Bumped to go1.13.13 to address CVE-2020-14039

Engine¶

• Bumped to go1.13.13 to address CVE-2020-14039
• Disable IPv6 router advertisements to address CVE-2020-13401
• Fixed license warning regression on Windows
• Bump vendor x/text to address CVE-2019-19794
• Bump vendor miekg/dns to address CVE-2018-17419
• Bump vendor x/crypto to address CVE-2020-7919

Networking¶

• Fix for ‘failed to get network during CreateEndpoint’
• Fix panic in the DNS resolver moby/moby#40715
• libnetwork: cleanup VFP during overlay network removal

Runtime¶

• Bump Golang to 1.13.10
• Cease listening on the same address multiple times

Builder¶

• Fix builder-next: filter type in BuildKit GC config. docker/engine#409

Runtime¶

• Bump Golang to 1.12.12.

Swarm¶

• Fix update out of sequence and increase max recv gRPC message size for nodes and secrets. docker/swarmkit#2900
• Fix for specifying --default-addr-pool for docker swarm init not picked up by ingress network. docker/swarmkit#2892

Client¶

• Fix client version not being pinned when set. docker/engine#118
• Improve error message shown on Windows when daemon is not running or client does not have elevated permissions. docker/engine#343
• Mitigate against YAML files that have excessive aliasing. docker/cli#2119

Runtime¶

• Send exec exit event even if the exec fails to find the binary. docker/engine#357
• Devicemapper: use correct API to get the free loop device index. docker/engine#348
• Fix overlay2 busy error on mount using kernels >=5.2. docker/engine#333
• Sleep before attemping to restart event processing. docker/engine#362
• Seccomp: add sigprocmask (used by x86 glibc) to default profile. docker/engine#341
• Fix panic on 32-bit ARMv7 caused by misaligned struct member. docker/engine#364
• Fix docker rmi stuck in case of misconfigured system (such as dead NFS share). docker/engine#336
• Fix jsonfile logger: follow logs stuck when max-size is set and max-file=1. docker/engine#377

Client¶

• Fix Windows absolute path detection on non-Windows. docker/cli#1990
• Fix Docker refusing to load key from delegation.key on Windows. docker/cli#1968
• Completion scripts updates for bash and zsh.

Logging¶

• Fix for reading journald logs. moby/moby#37819 moby/moby#38859

Networking¶

• Prevent panic on network attached to a container with disabled networking. moby/moby#39589
• Fix service port for an application becomes unavailable randomly. docker/libnetwork#2069
• Fix cleaning up --config-only networks --config-from networkshave ungracefully exited. docker/libnetwork#2373

Runtime¶

• Update to Go 1.11.13.
• Fix a potential engine panic when using XFS disk quota for containers. moby/moby#39644

Swarm¶

• Fix

grpc: received message larger than max

errors.

moby/moby#39306

• Fix an issue where nodes several tasks could not be removed. docker/swarmkit#2867

Runtime¶

• Masked the secrets updated to the log files when running Docker Engine in debug mode. CVE-2019-13509: If a Docker engine is running in debug mode, and docker stack deploy is used to redeploy a stack which includes non-external secrets, the logs will contain the secret.

Client¶

• Fixed rollback config type interpolation for parallelism and max_failure_ratio fields.

Known Issue¶

• There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.

Builder¶

• Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487
• Added a workaround for GCR authentication issue. moby/moby#38246
• Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183

Networking¶

• Fixed an error where --network-rm would fail to remove a network. moby/moby#39174

Runtime¶

• Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135
• Updated containerd to version 1.2.6. moby/moby#39016
• Fixed CVE-2018-15664 symlink-exchange attack with directory traversal. moby/moby#39357
• Windows: fixed support for docker service create --limit-cpu. moby/moby#39190
• daemon: fixed a mirrors validation issue. moby/moby#38991
• Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288

Logging¶

• Added a fix that now allows large log lines for logger plugins. moby/moby#39038

Known Issue¶

• There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.

Builder¶

• Fixed COPY and ADD with multiple <src> to not invalidate cache if DOCKER_BUILDKIT=1.moby/moby#38964

Networking¶

• Cleaned up the cluster provider when the agent is closed. docker/libnetwork#2354
• Windows: Now selects a random host port if the user does not specify a host port. docker/libnetwork#2369

Known Issues¶

• There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.

Builder¶

• Fixed DOCKER_BUILDKIT=1 docker build --squash .. docker/engine#176

Client¶

• Fixed tty initial size error. docker/cli#1775
• Fixed dial-stdio goroutine leakage. docker/cli#1795
• Fixed the stack informer’s selector used to track deployment. docker/cli#1794

Networking¶

• Fixed network=host using wrong resolv.conf with systemd-resolved. docker/engine#180
• Fixed Windows ARP entries getting corrupted randomly under load. docker/engine#192

Runtime¶

• Now showing stopped containers with restart policy as Restarting. docker/engine#181
• Now using original process spec for execs. docker/engine#178

Swarm Mode¶

• Fixed leaking task resources when nodes are deleted. docker/engine#185

Known Issues¶

• There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.

Builder¶

• Fixed CVE-2019-13139 by adding validation for git ref to avoid misinterpretation as a flag. moby/moby#38944

Runtime¶

• Fixed docker cp error for filenames greater than 100 characters. moby/moby#38634
• Fixed layer/layer_store to ensure NewInputTarStream resources are released. moby/moby#38413
• Increased GRPC limit for GetConfigs. moby/moby#38800
• Updated containerd 1.2.5. docker/engine#173

Swarm Mode¶

• Fixed nil pointer exception when joining node to swarm. moby/moby#38618
• Fixed issue for swarm nodes not being able to join as masters if http proxy is set. [moby/moby#36951]

Known Issues¶

• There are important changes to the upgrade process that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.

Networking fixes¶

• Windows: now avoids regeneration of network IDs to prevent broken references to networks. docker/engine#149
• Windows: Fixed an issue to address `- restart always` flag on standalone containers not working when specifying a network. (docker/escalation#1037)
• Fixed an issue to address the IPAM state from networkdb if the manager is not attached to the overlay network. (docker/escalation#1049)

Runtime fixes and updates¶

• Updated to Go version 1.10.8.
• Modified names in the container name generator. docker/engine#159
• When copying an existing folder, xattr set errors when the target filesystem doesn’t support xattr are now ignored. docker/engine#135
• Graphdriver: fixed “device” mode not being detected if “character-device” bit is set. docker/engine#160
• Fixed nil pointer derefence on failure to connect to containerd. docker/engine#162
• Deleted stale containerd object on start failure. docker/engine#154

Known Issues¶

• There are important changes to the upgrade process that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.

Security fixes for Docker Engine - Enterprise¶

• Update runc to address a critical vulnerability that allows specially-crafted containers to gain administrative privileges on the host. CVE-2019-5736
• Ubuntu 14.04 customers using a 3.13 kernel will need to upgrade to a supported Ubuntu 4.x kernel

For additional information, refer to the Docker blog post.

Known Issues¶

• There are important changes to the upgrade process that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.

Security fixes¶

• Upgraded Go language to 1.10.6 to resolve CVE-2018-16873, CVE-2018-16874, and CVE-2018-16875.
• Fixed authz plugin for 0-length content and path validation.
• Added /proc/asound to masked paths docker/engine#126

Improvements¶

• Updated to BuildKit 0.3.3 docker/engine#122
• Updated to containerd 1.2.2 docker/engine#144
• Provided additional warnings for use of deprecated legacy overlay and devicemapper storage drivers docker/engine#85
• prune: perform image pruning before build cache pruning docker/cli#1532
• Added bash completion for experimental CLI commands (manifest) docker/cli#1542
• Windows: allow process isolation on Windows 10 docker/engine#81

Fixes¶

• Disable kmem accounting in runc on RHEL/CentOS (docker/escalation#614, docker/escalation#692) docker/engine#121
• Fixed inefficient networking configuration docker/engine#123
• Fixed docker system prune doesn’t accept until filter docker/engine#122
• Avoid unset credentials in containerd docker/engine#122
• Fixed iptables compatibility on Debian docker/engine#107
• Fixed setting default schema to tcp for docker host docker/cli#1454
• Fixed bash completion for service update --force docker/cli#1526
• Windows: DetachVhd attempt in cleanup docker/engine#113
• API: properly handle invalid JSON to return a 400 status docker/engine#110
• API: ignore default address-pools on API < 1.39 docker/engine#118
• API: add missing default address pool fields to swagger docker/engine#119
• awslogs: account for UTF-8 normalization in limits docker/engine#112
• Prohibit reading more than 1MB in HTTP error responses docker/engine#114
• apparmor: allow receiving of signals from docker kill docker/engine#116
• overlay2: use index=off if possible (fix EBUSY on mount) docker/engine#84

Packaging¶

• Add docker.socket requirement for docker.service. docker/docker-ce-packaging#276
• Add socket activation for RHEL-based distributions. docker/docker-ce-packaging#274
• Add libseccomp requirement for RPM packages. docker/docker-ce-packaging#266

Known Issues¶

• When upgrading from 18.09.0 to 18.09.1, containerd is not upgraded to the correct version on Ubuntu. Learn more.
• There are important changes to the upgrade process that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.

Important notes about this release¶

In Docker versions prior to 18.09, containerd was managed by the Docker engine daemon. In Docker Engine 18.09, containerd is managed by systemd. Since containerd is managed by systemd, any custom configuration to the docker.service systemd configuration which changes mount settings (for example, MountFlags=slave) breaks interactions between the Docker Engine daemon and containerd, and you will not be able to start containers.

Run the following command to get the current value of the MountFlags property for the docker.service:

sudo systemctl show --property=MountFlags docker.service
MountFlags=

Update your configuration if this command prints a non-empty value for MountFlags, and restart the docker service.

New features for Docker Engine EE¶

• FIPS Compliance added for Windows Server 2016 and later
• Docker Content Trust Enforcement for the Enterprise Engine. This allows the Docker Engine - Enterprise to run containers not signed by a specific organization.

New features¶

• Updated API version to 1.39 moby/moby#37640
• Added support for remote connections using SSH docker/cli#1014
• Builder: added prune options to the API moby/moby#37651
• Added “Warnings” to /info endpoint, and move detection to the daemon moby/moby#37502
• Allows BuildKit builds to run without experimental mode enabled. Buildkit can now be configured with an option in daemon.json moby/moby#37593 moby/moby#37686 moby/moby#37692 docker/cli#1303 docker/cli#1275
• Added support for build-time secrets using a --secret flag when using BuildKit docker/cli#1288
• Added SSH agent socket forwarder (docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK) when using BuildKit docker/cli#1438 / docker/cli#1419
• Added --chown flag support for ADD and COPY commands on Windows moby/moby#35521
• Added builder prune subcommand to prune BuildKit build cache docker/cli#1295 docker/cli#1334
• BuildKit: Adds configurable garbage collection policy for the BuildKit build cache docker/engine#59 / moby/moby#37846
• BuildKit: Adds support for docker build --pull ... when using BuildKit moby/moby#37613
• BuildKit: Adds support or “registry-mirrors” and “insecure-registries” when using BuildKit docker/engine#59 / moby/moby#37852
• BuildKit: Enables net modes and bridge. moby/moby#37620
• Added docker engine subcommand to manage the lifecycle of a Docker Engine running as a privileged container on top of containerd, and to allow upgrades to Docker Engine Enterprise docker/cli#1260
• Exposed product license in docker info output docker/cli#1313
• Showed warnings produced by daemon in docker info output docker/cli#1225
• Added “local” log driver moby/moby#37092
• Amazon CloudWatch: adds awslogs-endpoint logging option moby/moby#37374
• Added support for global default address pools moby/moby#37558 docker/cli#1233
• Configured containerd log-level to be the same as dockerd moby/moby#37419
• Added configuration option for cri-containerd moby/moby#37519
• Updates containerd client to v1.2.0-rc.1 moby/moby#37664, docker/engine#75 / moby/moby#37710
• Added support for global default address pools moby/moby#37558 docker/cli#1233
• Moved the POST /session endpoint out of experimental. moby/moby#40028

Improvements¶

• Does not return “<unknown>” in /info response moby/moby#37472
• BuildKit: Changes --console=[auto,false,true] to --progress=[auto,plain,tty] docker/cli#1276
• BuildKit: Sets BuildKit’s ExportedProduct variable to show useful errors in the future. moby/moby#37439
• Hides --data-path-addr flags when connected to a daemon that doesn’t support this option docker/docker/cli#1240
• Only shows buildkit-specific flags if BuildKit is enabled docker/cli#1438 / docker/cli#1427
• Improves version output alignment docker/cli#1204
• Sorts plugin names and networks in a natural order docker/cli#1166, docker/cli#1266
• Updates bash and zsh completion scripts
• Passes log-level to containerd. moby/moby#37419
• Uses direct server return (DSR) in east-west overlay load balancing docker/engine#93 / docker/libnetwork#2270
• Builder: temporarily disables bridge networking when using buildkit. moby/moby#37691
• Blocks task starting until node attachments are ready moby/moby#37604
• Propagates the provided external CA certificate to the external CA object in swarm. docker/cli#1178
• Removes Ubuntu 14.04 “Trusty Tahr” as a supported platform docker-ce-packaging#255 / docker-ce-packaging#254
• Removes Debian 8 “Jessie” as a supported platform docker-ce-packaging#255 / docker-ce-packaging#254
• Removes ‘docker-’ prefix for containerd and runc binaries docker/engine#61 / moby/moby#37907, docker-ce-packaging#241
• Splits “engine”, “cli”, and “containerd” to separate packages, and run containerd as a separate systemd service docker-ce-packaging#131, docker-ce-packaging#158
• Builds binaries with Go 1.10.4 docker-ce-packaging#181
• Removes -ce / -ee suffix from version string docker-ce-packaging#206

Fixes¶

• BuildKit: Do not cancel buildkit status request. moby/moby#37597
• Fixes no error is shown if build args are missing during docker build moby/moby#37396
• Fixes error “unexpected EOF” when adding an 8GB file moby/moby#37771
• LCOW: Ensures platform is populated on COPY/ADD. moby/moby#37563
• Fixes mapping a range of host ports to a single container port docker/cli#1102
• Fixes trust inspect typo: “AdminstrativeKeys” docker/cli#1300
• Fixes environment file parsing for imports of absent variables and those with no name. docker/cli#1019
• Fixes a potential “out of memory exception” when running docker image prune with a large list of dangling images docker/cli#1432 / docker/cli#1423
• Fixes pipe handling in ConEmu and ConsoleZ on Windows moby/moby#37600
• Fixes long startup on windows, with non-hns governed Hyper-V networks docker/engine#67 / moby/moby#37774
• Fixes daemon won’t start when “runtimes” option is defined both in config file and cli docker/engine#57 / moby/moby#37871
• Loosens permissions on /etc/docker directory to prevent “permission denied” errors when using docker manifest inspect docker/engine#56 / moby/moby#37847
• Fixes denial of service with large numbers in cpuset-cpus and cpuset-mems docker/engine#70 / moby/moby#37967
• LCOW: Add --platform to docker import docker/cli#1375 / docker/cli#1371
• LCOW: Add LinuxMetadata support by default on Windows moby/moby#37514
• LCOW: Mount to short container paths to avoid command-line length limit moby/moby#37659
• LCOW: Fix builder using wrong cache layer moby/moby#37356
• Fixes json-log file descriptors leaking when using --follow docker/engine#48 moby/moby#37576 moby/moby#37734
• Fixes a possible deadlock on closing the watcher on kqueue moby/moby#37392
• Uses poller based watcher to work around the file caching issue in Windows moby/moby#37412
• Handles systemd-resolved case by providing appropriate resolv.conf to networking layer moby/moby#37485
• Removes support for TLS < 1.2 moby/moby#37660
• Seccomp: Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile moby/moby#37242
• Seccomp: move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG docker/engine#64 / moby/moby#37929
• SELinux: Fix relabeling of local volumes specified via Mounts API on selinux-enabled systems moby/moby#37739
• Adds warning if REST API is accessible through an insecure connection moby/moby#37684
• Masks proxy credentials from URL when displayed in system info docker/engine#72 / moby/moby#37934
• Fixes mount propagation for btrfs docker/engine#86 / moby/moby#38026
• Fixes nil pointer dereference in node allocation docker/engine#94 / docker/swarmkit#2764

Known Issues¶

• There are important changes to the upgrade process that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.

• With https://github.com/boot2docker/boot2docker/releases/download/v18.09.0/boot2docker.iso, connection is being refused from a node on the virtual machine. Any publishing of swarm ports in virtualbox-created docker-machine VM’s will not respond. This is occurring on macOS and Windows 10, using docker-machine version 0.15 and 0.16.

  The following docker run command works, allowing access from host browser:

  docker run -d -p 4000:80 nginx

  However, the following docker service command fails, resulting in curl/chrome unable to connect (connection refused):

  docker service create -p 5000:80 nginx

  This issue is not apparent when provisioning 18.09.0 cloud VM’s using docker-machine.

  Workarounds:

  • Use cloud VM’s that don’t rely on boot2docker.
  • docker run is unaffected.
  • For Swarm, set VIRTUALBOX_BOOT2DOCKER_URL=https://github.com/boot2docker/boot2docker/releases/download/v18.06.1-ce/boot2docker.iso.

  This issue is resolved in 18.09.1.

Deprecation Notices¶

• As of EE 2.1, Docker has deprecated support for Device Mapper as a storage driver. It will continue to be supported at this time, but support will be removed in a future release. Docker will continue to support Device Mapper for existing EE 2.0 and 2.1 customers. Please contact Sales for more information.

  Docker recommends that existing customers migrate to using Overlay2 for the storage driver. The Overlay2 storage driver is now the default for Docker engine implementations.

• As of EE 2.1, Docker has deprecated support for IBM Z (s390x). Refer to the Docker Compatibility Matrix for detailed compatibility information.

For more information on the list of deprecated flags and APIs, have a look at the deprecation information where you can find the target removal dates.

End of Life Notification¶

In this release, Docker has also removed support for TLS < 1.2 moby/moby#37660, Ubuntu 14.04 “Trusty Tahr” docker-ce-packaging#255 / docker-ce-packaging#254, and Debian 8 “Jessie” docker-ce-packaging#255 / docker-ce-packaging#254.