UCP release notes

Here you can learn about new features, bug fixes, breaking changes, and known issues for the latest UCP version. You can then use the upgrade instructions to upgrade your installation to the latest release.

Version 3.1

3.1.16

(2020-11-12)

Components

Component Version
UCP 3.1.16
Kubernetes 1.11.10
Calico 3.8.9
Interlock (nginx) 1.14.2

Bug fixes

  • Fixed a UI issue that resulted in the display of a blank Admin Settings page whenever Docker content trust is not enabled (ENGORC-2914).

Security

  • Upgraded Golang to 1.15.2 (ENGORC-7900).

3.1.15

(2020-08-10)

Components

Component Version
UCP 3.1.15
Kubernetes 1.11.10
Calico 3.8.9
Interlock (nginx) 1.14.2

What’s new

  • Starting with this release, we moved the location of our offline bundles for DTR from https://packages.docker.com/caas/ to https://packages.mirantis.com/caas/ for the following versions.

    • UCP 3.3.2
    • UCP 3.2.8
    • UCP 3.1.15

    Offline bundles for other previous versions of DTR will remain on the docker domain.

  • Due to infrastructure changes, licenses will no longer auto-update and the related screens in DTR have been removed.

  • Added tracing to Interlock (ENGORC-7565).

Bug fixes

  • We fixed an issue in which Docker Content Trust was randomly failing to verify valid signatures (FIELD-2302).
  • We fixed an issue that prevented users from logging into UCP using Security Assertion Markup Language (SAML) after the root certificate for Active Directory Federation Services (ADFS) has been renewed (ENGORC-7754).
  • We fixed an issue that caused the system to become unresponsive when using /api/v1/repositories/{namespace}/{reponame}/tags/{reference}/scan.
  • We updated help links in the DTR user interface so that the user can see the correct help topics.
  • When HitlessServiceUpdate is enabled, the config service no longer waits for the proxy service to complete an update, thus reducing the delay between a configuration change being made and taking effect (FIELD-2152).
  • Added interlock configuration validation (ENGORC-7643).
  • We fixed an issue that caused API path traversal (ENGORC-7744).
  • We fixed an issue in which UCP support dumps check for the obsolete dtr-br network and subsequently report an error in dsinfo.txt (FIELD-2670).

Security

  • We updated our Go engine to address CVE-2020-14040 (ENGORC-7772).
  • We upgraded our Synopsys vulnerability scanner to version 2020.03. This will result in improved vulnerability scanning both by finding more vulnerabilities and significantly reducing false positives that may have been previously reported.
  • We fixed an issue that caused the “docker ps” command to provide the incorrect status (starting) for running containers after sourcing a client bundle. This command now shows the correct (healthy) status value (ENGORC-7721).

3.1.14

2020-06-24

Bug fixes

  • Any LDAP search that returns 0 members (a normal result) results in the aborting of the entire LDAP sync. (ENGORC-3237)
  • ucp-metrics does not restart to pick up new certificates following certificate rotation, and as a result ucp-metrics ceases getting metrics. (By default, the lifecycle of a certificate is three months, though this setting can be reconfigured by users.) (ENGORC-2943)

Components

Component Version
UCP 3.1.14
Kubernetes 1.11.10
Calico 3.8.9
Interlock 3.1.3
Interlock NGINX proxy 1.14.2
Golang 1.13.8

3.1.13

2020-03-10

Security

  • Upgraded Golang to 1.13.8.
  • Updated several Golang vendors to address security issues.

Platform

  • Windows Server 1803 is EOL and is no longer supported by UCP, starting with this release.

Bug Fixes

  • Updated swarm-rafttool. (FIELD-2081)
  • Improved the speed to generate a Windows support dump. (FIELD-2304)
  • Fixed an issue during authz migration for upgrading UCP 3.0 to UCP 3.1. (FIELD-2253)

Components

Component Version
UCP 3.1.13
Kubernetes 1.11.10
Calico 3.8.2
Interlock 3.0.0
Interlock NGINX proxy 1.14.2
Golang 1.13.8

3.1.12

2019-11-14

Security

  • Upgraded Golang to 1.12.12.

Kubernetes

  • Kubernetes has been upgraded to fix CVE-2019-11253.

Bug fixes

  • Any LDAP search that returns 0 members (a normal result) results in the aborting of the entire LDAP sync. (ENGORC-3237)
  • ucp-metrics does not restart to pick up new certificates following certificate rotation, and as a result ucp-metrics ceases getting metrics. (By default, the lifecycle of a certificate is three months, though this setting can be reconfigured by users.) (ENGORC-2943)
  • Adds authorization checks for the volumes referenced by the VolumesFrom Containers option. Previously, this field was ignored by the container create request parser, leading to a gap in permissions checks. (ENGORC-2781)

Components

Component Version
UCP 3.1.12
Kubernetes 1.11.10
Calico 3.8.2
Interlock 3.0.0
Interlock NGINX proxy 1.14.2

3.1.11

2019-10-08

Bug fixes

  • Upgraded RethinkDB Go Client to v5. (ENGORC-2704)
  • Fixes an issue that caused slow response with increasing number of collections. (ENGORC-2638)

Kubernetes

  • Enabled Kubernetes Node Authorizer Plugin. (ENGORC-2652)

Networking

  • Interlock has been upgraded to version 3.0.0. This upgrade includes the following updates:
    • New Interlock configuration options:
      • HitlessServiceUpdate: When set to true, the proxy service no longer needs to restart when services are updated, reducing service interruptions. The proxy also does not have to restart when services are added or removed, as long as the set of service networks attached to the proxy is unchanged. If secrets or service networks need to be added or removed, the proxy service will restart as in previous releases. (ENGCORE-792)
      • Networks: Defines a list of networks to which the proxy service will connect at startup. The proxy service will only connect to these networks and will no longer automatically connect to back-end service networks. This allows administrators to control which networks are used to connect to the proxy service and to avoid unnecessary proxy restarts caused by network changes. (ENGCORE-912)
    • Log an error if the com.docker.lb.network label does not match any of the networks to which the service is attached. (ENGCORE-837)
    • Do not generate an invalid NGINX configuration file if HTTPVersion is invalid. (FIELD-2046)

Components

Component Version
UCP 3.1.11
Kubernetes 1.11.10
Calico 3.8.2
Interlock 3.0.0
Interlock NGINX proxy 1.14.2

3.1.10

2019-09-03

Kubernetes

  • Kubernetes has been upgraded to version 1.11.10-docker-1. This version was built with Golang 1.12.9.
  • Kubernetes DNS has been upgraded to 1.14.13 and is now deployed with more than one replica by default.

Networking

  • Calico has been upgraded to version 3.8.2.
  • Interlock has been upgraded to version 2.6.1.

Security

  • Upgraded Golang to 1.12.9.

UI

  • A warning message will be shown when one attempts to upgrade from 3.1.x to 3.2.x via the UCP UI. This upgrade can only be performed by the CLI.

Components

Component Version
UCP 3.1.10
Kubernetes 1.11.10
Calico 3.8.2
Interlock 2.6.1
Interlock NGINX proxy 1.14.2

3.1.9

2019-07-17

Bug fixes

  • Added a toleration to the calico-node DaemonSet so it can run on all nodes in the cluster.
  • Fixes an issue where sensitive command line arguments provided to the UCP installer command were also printed in the debug logs.
  • Added a restrictive robots.txt to the root of the UCP API server.

Known issues

  • There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater.
  • To deploy Pods with containers using Restricted Parameters, the user must be an admin and a service account must explicitly have a ClusterRoleBinding with cluster-admin as the ClusterRole. Restricted Parameters on Containers include:
    • Host Bind Mounts
    • Privileged Mode
    • Extra Capabilities
    • Host Networking
    • Host IPC
    • Host PID
  • If you delete the built-in ClusterRole or ClusterRoleBinding for cluster-admin, restart the ucp-kube-apiserver container on any manager node to recreate them. (#14483)
  • Pod Security Policies are not supported in this release. (#15105)
  • The default Kubelet configuration for UCP Manager nodes is expecting 4GB of free disk space in the /var partition.
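
A pre-deployment check for the Restricted Parameters listed above, added here as an example (not UCP code): it flags manifests that will need an admin user and a service account bound to cluster-admin. The mapping from each parameter to a pod-spec field and the sample manifests are assumptions constructed for illustration.

```python
import json

# Constructed sample manifests (not from the UCP documentation).
SAMPLE_MANIFESTS = json.loads("""
[
  {"apiVersion": "apps/v1", "kind": "Deployment",
   "metadata": {"name": "node-agent"},
   "spec": {"template": {"spec": {
     "hostNetwork": true,
     "volumes": [{"name": "host-logs", "hostPath": {"path": "/var/log"}}],
     "containers": [{"name": "agent", "image": "example/agent:1.0",
                     "securityContext": {
                       "privileged": true,
                       "capabilities": {"add": ["NET_ADMIN"]}}}]}}}},
  {"apiVersion": "v1", "kind": "Pod",
   "metadata": {"name": "web"},
   "spec": {"containers": [{"name": "web", "image": "example/web:1.0",
                            "securityContext": {"privileged": false}}]}}
]
""")


def _pod_spec(manifest):
    """Return the pod spec of a Pod, or of a workload's pod template."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    if manifest.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}


def restricted_parameters(manifest):
    """List (parameter, location) pairs found in one manifest dict.

    Assumed mapping of the release-note terms to Kubernetes fields:
    Host Networking/IPC/PID -> spec.hostNetwork/hostIPC/hostPID,
    Host Bind Mounts -> hostPath volumes, Privileged Mode and
    Extra Capabilities -> each container's securityContext.
    """
    spec = _pod_spec(manifest)
    findings = []
    for field, label in (("hostNetwork", "Host Networking"),
                         ("hostIPC", "Host IPC"),
                         ("hostPID", "Host PID")):
        if spec.get(field) is True:
            findings.append((label, "spec." + field))
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(("Host Bind Mounts",
                             "volume " + vol.get("name", "?")))
    # Init containers run with the same host access, so check them too.
    for group in ("initContainers", "containers"):
        for c in spec.get(group) or []:
            sc = c.get("securityContext") or {}
            where = "%s[%s]" % (group, c.get("name", "?"))
            if sc.get("privileged") is True:
                findings.append(("Privileged Mode", where))
            added = (sc.get("capabilities") or {}).get("add") or []
            if added:
                findings.append(("Extra Capabilities",
                                 where + " add=" + ",".join(added)))
    return findings


def review(manifests):
    """Map each manifest name to its findings; an empty list means none."""
    return {m["metadata"]["name"]: restricted_parameters(m)
            for m in manifests}


if __name__ == "__main__":
    for name, findings in review(SAMPLE_MANIFESTS).items():
        if not findings:
            print("%s: no Restricted Parameters" % name)
        for label, where in findings:
            print("%s: %s (%s)" % (name, label, where))
```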

Components

Component Version
UCP 3.1.9
Kubernetes 1.11.10
Calico 3.5.3
Interlock (NGINX) 1.14.0

3.1.8

(2019-06-27)

Important

UCP 3.1.8 introduces new features such as setting the kubeletMaxPods option for all nodes in the cluster, and an updated UCP configuration file that allows admins to set default values for Swarm services. These features are not available in UCP 3.2.0. Customers using either of those features in UCP 3.1.8 or future versions of 3.1.x must upgrade to UCP 3.2.1 or later to avoid any upgrade issues.

Kubernetes

  • Kubernetes has been upgraded to version 1.11.10.

Enhancements

  • A user_workload_defaults section has been added to the UCP configuration file that allows admins to set default field values that will be applied to Swarm services if those fields are not explicitly set when the service is created. Only a subset of Swarm service fields may be set.
  • Users can now set the kubeletMaxPods option for all nodes in the cluster. (ENGORC-2334)
  • Users can now adjust the internal Kubernetes Service IP Range from the default 10.96.0.0/16 at install time. (ENGCORE-683)

Bug fixes

  • Added migration logic to remove all actions on the pods/exec and pods/attach Kubernetes subresources from the migrated UCP View-Only role. (ENGORC-2434)
  • Fixed an issue that allowed unauthenticated users to list directories. (ENGORC-2175)

Deprecated platforms

  • Removed support for Windows Server 1709 as it is now end of life.

Known issues

  • Upgrading from UCP 3.1.4 to 3.1.5 causes missing Swarm placement constraints banner for some Swarm services (ENGORC-2191). This can cause Swarm services to run unexpectedly on Kubernetes nodes. See https://www.docker.com/ddc-41 for more information.
    • Workaround: Delete any ucp-*-s390x Swarm services. For example, ucp-auth-api-s390x.
  • There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about upgrading Docker Enterprise to version 2.1.
  • To deploy Pods with containers using Restricted Parameters, the user must be an admin and a service account must explicitly have a ClusterRoleBinding with cluster-admin as the ClusterRole. Restricted Parameters on Containers include:
    • Host Bind Mounts
    • Privileged Mode
    • Extra Capabilities
    • Host Networking
    • Host IPC
    • Host PID
  • If you delete the built-in ClusterRole or ClusterRoleBinding for cluster-admin, restart the ucp-kube-apiserver container on any manager node to recreate them. (#14483)
  • Pod Security Policies are not supported in this release. (#15105)
  • The default Kubelet configuration for UCP Manager nodes is expecting 4GB of free disk space in the /var partition.

Components

Component Version
UCP 3.1.8
Kubernetes 1.11.10
Calico 3.5.3
Interlock (nginx) 1.14.0

3.1.7

2019-05-06

Security

  • Refer to UCP image vulnerabilities for details regarding actions to be taken, timeline, and any status updates/issues/recommendations.

Bug fixes

  • Updated the UCP base image layers to fix a number of old libraries and components that had security vulnerabilities.

Known issues

  • Upgrading from UCP 3.1.4 to 3.1.5 causes missing Swarm placement constraints banner for some Swarm services (ENGORC-2191). This can cause Swarm services to run unexpectedly on Kubernetes nodes.
    • Workaround: Delete any ucp-*-s390x Swarm services. For example, ucp-auth-api-s390x.
  • There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about upgrading Docker Enterprise to version 2.1.
  • To deploy Pods with containers using Restricted Parameters, the user must be an admin and a service account must explicitly have a ClusterRoleBinding with cluster-admin as the ClusterRole. Restricted Parameters on Containers include:
    • Host Bind Mounts
    • Privileged Mode
    • Extra Capabilities
    • Host Networking
    • Host IPC
    • Host PID
  • If you delete the built-in ClusterRole or ClusterRoleBinding for cluster-admin, restart the ucp-kube-apiserver container on any manager node to recreate them. (#14483)
  • Pod Security Policies are not supported in this release. (#15105)
  • The default Kubelet configuration for UCP Manager nodes is expecting 4GB of free disk space in the /var partition.

Components

Component Version
UCP 3.1.7
Kubernetes 1.11.9
Calico 3.5.3
Interlock (nginx) 1.14.0

3.1.6

2019-04-11

Kubernetes

  • Kubernetes has been upgraded to version 1.11.9.

Networking

  • Updated Calico to version 3.5.3.

Authentication and Authorization

  • Accessing the ListAccount API endpoint now requires an admin user. Accessing the GetAccount API endpoint now requires an admin user, the actual user, or a member of the organization being inspected. (ENGORC-100)

Known issues

  • Upgrading from UCP 3.1.4 to 3.1.5 causes missing Swarm placement constraints banner for some Swarm services (ENGORC-2191). This can cause Swarm services to run unexpectedly on Kubernetes nodes. See https://www.docker.com/ddc-41 for more information.
    • Workaround: Delete any ucp-*-s390x Swarm services. For example, ucp-auth-api-s390x.
  • There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about upgrading Docker Enterprise to version 2.1.
  • To deploy Pods with containers using Restricted Parameters, the user must be an admin and a service account must explicitly have a ClusterRoleBinding with cluster-admin as the ClusterRole. Restricted Parameters on Containers include:
    • Host Bind Mounts
    • Privileged Mode
    • Extra Capabilities
    • Host Networking
    • Host IPC
    • Host PID
  • If you delete the built-in ClusterRole or ClusterRoleBinding for cluster-admin, restart the ucp-kube-apiserver container on any manager node to recreate them. (#14483)
  • Pod Security Policies are not supported in this release. (#15105)
  • The default Kubelet configuration for UCP Manager nodes is expecting 4GB of free disk space in the /var partition.

Components

Component Version
UCP 3.1.6
Kubernetes 1.11.9
Calico 3.5.3
Interlock (nginx) 1.14.0

3.1.5

2019-03-28

Kubernetes

  • Kubernetes has been upgraded to version 1.11.8 (ENGORC-2024).

Networking

  • Calico has been upgraded to version 3.5.2 (ENGORC-2045). For more information, see the Calico Release Notes.

Authentication and Authorization

  • Added LDAP Settings API to the list of publicly documented API endpoints. (ENGORC-98)
  • Added a new exclude_server_identity_headers field to the UCP config. If set to true, the headers are not included in UCP API responses. (docker/orca#16039)
  • Hid most of the UCP banners for non-admin users. (docker/orca#14631)
  • When LDAP or SAML is enabled, provided admin users an option to disable managed password authentication, which includes login and creation of new users. (ENGORC-1999)

Bug fixes

  • Changed Interlock proxy service default update-action-failure to rollback. (ENGCORE-117)
  • Added validation for service configuration label values. (ENGCORE-114)
  • Fixed an issue with continuous interlock reconciliation if ucp-interlock service image does not match expected version. (ENGORC-2081)

Known issues

  • Upgrading from UCP 3.1.4 to 3.1.5 causes missing Swarm placement constraints banner for some Swarm services (ENGORC-2191). This can cause Swarm services to run unexpectedly on Kubernetes nodes. See https://www.docker.com/ddc-41 for more information.
    • Workaround: Delete any ucp-*-s390x Swarm services. For example, ucp-auth-api-s390x.
  • There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about upgrading Docker Enterprise to version 2.1.
  • To deploy Pods with containers using Restricted Parameters, the user must be an admin and a service account must explicitly have a ClusterRoleBinding with cluster-admin as the ClusterRole. Restricted Parameters on Containers include:
    • Host Bind Mounts
    • Privileged Mode
    • Extra Capabilities
    • Host Networking
    • Host IPC
    • Host PID
  • If you delete the built-in ClusterRole or ClusterRoleBinding for cluster-admin, restart the ucp-kube-apiserver container on any manager node to recreate them. (#14483)
  • Pod Security Policies are not supported in this release. (#15105)
  • The default Kubelet configuration for UCP Manager nodes is expecting 4GB of free disk space in the /var partition.

Components

Component Version
UCP 3.1.5
Kubernetes 1.11.8
Calico 3.5.2
Interlock (nginx) 1.14.0

3.1.4

2019-02-28

New platforms

  • Added support for SLES 15.
  • Added support for Oracle 7.6.

Kubernetes

  • Kubernetes has been upgraded to version 1.11.7. (docker/orca#16157)

Bug fixes

  • Bump the Golang version that is used to build UCP to version 1.10.8. (docker/orca#16068)
  • Fixed an issue that caused UCP upgrades to fail with an Interlock deployment. (docker/orca#16009)
  • Fixed an issue that caused ucp-agent(s) on worker nodes to constantly reboot when audit logging is enabled. (docker/orca#16122)
  • Fixed an issue to ensure that non-admin user actions (with the RestrictedControl role) against RBAC resources are read-only. (docker/orca#16121)
  • Fixed an issue to prevent UCP users from updating services with a port that conflicts with the UCP controller port. (escalation#855)
  • Fixed an issue to validate Calico certs expiration dates and update accordingly. (escalation#981)
  • Kubelet no longer deletes images, starting with the oldest unused images, after exceeding 85% disk space utilization. This was an issue in air-gapped environments. (docker/orca#16082)

Enhancements

  • Changed packaging and builds for UCP to build bootstrapper last. This avoids the “upgrade available” banner on all UCPs until the entirety of UCP is available.

Known issues

  • Newly added Windows node reports “Awaiting healthy status in classic node inventory”.
  • There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about upgrading Docker Enterprise to version 2.1.
  • In the UCP web interface, LDAP settings disappear after submitting them. However, the settings are properly saved. (docker/orca#15503)
  • To deploy Pods with containers using Restricted Parameters, the user must be an admin and a service account must explicitly have a ClusterRoleBinding with cluster-admin as the ClusterRole. Restricted Parameters on Containers include:
    • Host Bind Mounts
    • Privileged Mode
    • Extra Capabilities
    • Host Networking
    • Host IPC
    • Host PID
  • If you delete the built-in ClusterRole or ClusterRoleBinding for cluster-admin, restart the ucp-kube-apiserver container on any manager node to recreate them. (docker/orca#14483)
  • Pod Security Policies are not supported in this release. (docker/orca#15105)
  • The default Kubelet configuration for UCP Manager nodes is expecting 4GB of free disk space in the /var partition.

Components

Component Version
UCP 3.1.4
Kubernetes 1.11.7
Calico 3.5.0
Interlock (nginx) 1.14.0

3.1.3

2019-01-29

New platforms

  • Added support for Windows Server 2019 and Windows Server 1809. (docker/orca#15810)
  • Added support for RHEL 7.6 with Devicemapper and Overlay2 storage drivers. (docker/orca#15535)
  • Added support for Oracle Enterprise Linux 7.6 with Overlay2 storage driver. (docker/orca#15791)

Networking

  • Calico has been upgraded to version 3.5.0 (#15884). For more information, see the Calico Release Notes.

Bug fixes

  • Fixes system hang following UCP backup and docker daemon shutdown. (docker/escalation#841)
  • Non-admin users can no longer create PersistentVolumes using the Local Storage Class, as this allowed non-admins to bypass security controls and mount host directories. (docker/orca#15936)
  • Added support for the limit arg in docker ps. (docker/orca#15812)
  • Fixed an issue with ucp-proxy health check. (docker/orca#15814, docker/orca#15813, docker/orca#16021, docker/orca#15811)
  • Fixed an issue with manual creation of a ClusterRoleBinding or RoleBinding for User or Group subjects requiring the ID of the user, organization, or team. (docker/orca#14935)
  • Fixed an issue in which Kube Rolebindings only worked on UCP User ID and not UCP username. (docker/orca#14935)

Known issue

  • By default, Kubelet begins deleting images, starting with the oldest unused images, after exceeding 85% disk space utilization. This causes an issue in an air-gapped environment. (docker/orca#16082)

Components

Component Version
UCP 3.1.3
Kubernetes 1.11.5
Calico 3.5.0
Interlock (nginx) 1.14.0

3.1.2

2019-01-09

Authentication and Authorization

  • SAML Single Logout is now supported in UCP.
  • Identity Provider initiated SAML Single Sign-on is now supported in UCP. The admin can enable this feature in Admin Settings -> SAML Settings.

Audit Logging

  • UCP Audit logging is now controlled through the UCP Configuration file; it is also now configurable within the UCP web interface. (#15466)

Bug fixes

  • Core
    • Significantly reduced database load in environments with a lot of concurrent and repeated API requests by the same user. (docker/escalation#911)
    • UCP backend will now complain when a service is created/updated if the com.docker.lb.network label is not correctly specified. (docker/orca#15015)
    • LDAP group member attribute is now case insensitive. (docker/escalation#917)
  • Interlock
    • Interlock headers can now be hidden. (escalation#833)
    • Upgrading Interlock now also upgrades the Interlock proxy and the Interlock extension. (escalation/871)
    • Added support for ‘VIP’ backend mode, in which the Interlock proxy connects to the backend service’s Virtual IP instead of load-balancing directly to each task IP. (docker/interlock#206) (escalation/920)

Known issues

  • In the UCP web interface, LDAP settings disappear after submitting them. However, the settings are properly saved. (docker/orca#15503)
  • By default, Kubelet begins deleting images, starting with the oldest unused images, after exceeding 85% disk space utilization. This causes an issue in an air-gapped environment. (docker/orca#16082)

Components

Component Version
UCP 3.1.2
Kubernetes 1.11.5
Calico 3.2.3
Interlock (nginx) 1.14.0

3.1.1

2018-12-04

  • To address CVE-2018-1002105, a critical security issue in the Kubernetes API Server, Docker is using Kubernetes 1.11.5 for UCP 3.1.1.

Components

Component Version
UCP 3.1.1
Kubernetes 1.11.5
Calico 3.2.3
Interlock (nginx) 1.13.12

3.1.0

2018-11-08

Bug fixes

  • Swarm placement constraint warning banner no longer shows up for ucp-auth services (#14539)
  • “update out of sequence” error messages no longer appear when changing admin settings (#7093)
  • Kubernetes namespace status appears in the web interface (#14526)
  • UCP Kubernetes compose components always run on managers (#14208)
  • docker network ls --filter id=<id> now works with a UCP client bundle (#14840)
  • Collection deletes are correctly blocked if there is a node in the collection (#13704)

New features

Kubernetes

  • Kubernetes has been upgraded to version 1.11.2.
  • Kubernetes native RBAC feature manages access control for Kubernetes resources. Users can now create roles for Kubernetes APIs using Kubernetes Role and ClusterRole objects in the Kubernetes API. They can also grant permissions to users and service accounts with the RoleBinding and ClusterRoleBinding objects. The web interface for Kubernetes RBAC reflects these changes. Your old Kubernetes grants and roles will be automatically migrated during the UCP upgrade.

Networking

  • Calico has been upgraded to version 3.2.3.

Logging

Admins can now enable audit logging in the UCP config. This logs all incoming user-initiated requests in the ucp-controller logs. Admins can choose whether to log only metadata for incoming requests or the full request body as well.

Authentication

Admins can configure UCP to use a SAML-enabled identity provider for user authentication. If enabled, users who log into the UCP web interface are redirected to the identity provider’s website to log in. Upon login, users are redirected back to the UCP web interface, authenticated as the user chosen.

Metrics

  • The ucp-metrics Prometheus server (used to render charts in the UCP interface) was re-engineered from a container on manager nodes to a Kubernetes daemonset. This lets admins change the daemonset’s scheduling rules so that it runs on a set of worker nodes instead of manager nodes. Admins can designate certain UCP nodes to be metrics server nodes, freeing up resources on manager nodes.
  • The UCP controller has a /metricsdiscovery endpoint so users can connect their own Prometheus instances to scrape UCP metrics data.

UCP web interface

  • If you enable single sign-on for a DTR instance with UCP, the UCP web interface shows image vulnerability data for images in that DTR instance. Containers and services that use images from that DTR instance show any vulnerabilities DTR detects.
  • The UCP web interface is redesigned to offer larger views for viewing individual resources, with more information for Kubernetes resources.

Configs

  • UCP now stores its configurations in its internal key-value store instead of in a Swarm configuration so changes can propagate across the cluster more quickly.
  • You can now use the custom_api_server_headers field in the UCP configuration to set arbitrary headers that are included with every UCP response.

API updates

There are several backward-incompatible changes in the Kubernetes API that may affect user workloads. They are:

  • A compatibility issue with the allowPrivilegeEscalation field that caused policies to start denying pods they previously allowed was fixed. If you defined PodSecurityPolicy objects using a 1.8.0 client or server and set allowPrivilegeEscalation to false, these objects must be reapplied after you upgrade.
  • These changes are automatically updated for taints. Tolerations for these taints must be updated manually. Specifically, you must:
    • Change node.alpha.kubernetes.io/notReady to node.kubernetes.io/not-ready
    • Change node.alpha.kubernetes.io/unreachable to node.kubernetes.io/unreachable

    For more information about taints and tolerations, see Taints and Tolerations.

  • JSON configuration files used with kubectl create -f pod.json that contain fields with incorrect casing are no longer valid. You must correct these files before upgrading. When specifying keys in JSON resource definitions during direct API server communication, the keys are case-sensitive. A bug introduced in Kubernetes 1.8 caused the API server to accept a request with incorrect case and coerce it to correct case, but this behavior has been fixed in 1.11 so the API server will again enforce correct casing. During this time, the kubectl tool continued to enforce case-sensitive keys, so users that strictly manage resources with kubectl will be unaffected by this change.
  • If you have a pod with a subpath volume PVC, there’s a chance that after the upgrade, it will conflict with some other pod; see this pull request. It’s not clear if this issue will just prevent those pods from starting or if the whole cluster will fail.
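
The manual toleration update described above can be scripted. The following is an added example (not part of UCP or Kubernetes tooling) that rewrites the two renamed taint keys wherever a tolerations list appears in a manifest and reports each change; the sample DaemonSet is constructed for illustration.

```python
import copy

# The two key renames listed in the release notes above.
RENAMED_TAINT_KEYS = {
    "node.alpha.kubernetes.io/notReady": "node.kubernetes.io/not-ready",
    "node.alpha.kubernetes.io/unreachable": "node.kubernetes.io/unreachable",
}

# Constructed sample manifest (not from the UCP documentation).
SAMPLE_DAEMONSET = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "log-agent"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "agent", "image": "example/agent:1.0"}],
        "tolerations": [
            {"key": "node.alpha.kubernetes.io/notReady",
             "operator": "Exists", "effect": "NoExecute",
             "tolerationSeconds": 300},
            {"key": "node.alpha.kubernetes.io/unreachable",
             "operator": "Exists", "effect": "NoExecute"},
            # Already migrated by hand; identical to the entry above
            # once that entry is renamed.
            {"key": "node.kubernetes.io/unreachable",
             "operator": "Exists", "effect": "NoExecute"},
            {"key": "dedicated", "operator": "Equal",
             "value": "logging", "effect": "NoSchedule"},
        ],
    }}},
}


def _rewrite(tolerations, path, changes):
    """Rename old keys, then drop exact duplicates the rename created."""
    renamed = []
    for i, tol in enumerate(tolerations):
        if isinstance(tol, dict) and tol.get("key") in RENAMED_TAINT_KEYS:
            new_key = RENAMED_TAINT_KEYS[tol["key"]]
            changes.append("%s[%d]: %s -> %s"
                           % (path, i, tol["key"], new_key))
            tol = dict(tol, key=new_key)  # copy; keeps other fields
        renamed.append(tol)
    unique = []
    for tol in renamed:
        if tol not in unique:
            unique.append(tol)
    return unique


def migrate_tolerations(manifest):
    """Return (updated_copy, changes); the input is left untouched.

    Walks the whole document so that Pods, Deployments, DaemonSets and
    other templates are all covered without listing every kind.
    """
    updated = copy.deepcopy(manifest)
    changes = []

    def walk(node, path):
        if isinstance(node, dict):
            for key in list(node):
                child = path + "." + key if path else key
                if key == "tolerations" and isinstance(node[key], list):
                    node[key] = _rewrite(node[key], child, changes)
                else:
                    walk(node[key], child)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, "%s[%d]" % (path, i))

    walk(updated, "")
    return updated, changes


if __name__ == "__main__":
    _, log = migrate_tolerations(SAMPLE_DAEMONSET)
    for line in log:
        print(line)
```

An empty change list on a second run confirms that a manifest has already been migrated.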

Known issues

  • There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about upgrading Docker Enterprise to version 2.1.
  • In the UCP web interface, LDAP settings disappear after submitting them. However, the settings are properly saved. (#15503)
  • You must use the ID of the user, organization, or team if you manually create a ClusterRoleBinding or RoleBinding for User or Group subjects. (#14935)
    • For the User subject Kind, the Name field contains the ID of the user.
    • For the Group subject Kind, the format depends on whether you are creating a Binding for a team or an organization:
      • For an organization, the format is org:{org-id}
      • For a team, the format is team:{org-id}:{team-id}
  • To deploy Pods with containers using Restricted Parameters, the user must be an admin and a service account must explicitly have a ClusterRoleBinding with cluster-admin as the ClusterRole. Restricted Parameters on Containers include:
    • Host Bind Mounts
    • Privileged Mode
    • Extra Capabilities
    • Host Networking
    • Host IPC
    • Host PID
  • If you delete the built-in ClusterRole or ClusterRoleBinding for cluster-admin, restart the ucp-kube-apiserver container on any manager node to recreate them. (#14483)
  • Pod Security Policies are not supported in this release. (#15105)
  • The default Kubelet configuration for UCP Manager nodes is expecting 4GB of free disk space in the /var partition.

Deprecated features

The following features are deprecated in UCP 3.1.

  • Collections
    • The ability to create a nested collection of more than 2 layers deep within the root /Swarm/ collection is now deprecated and will not be included in future versions of the product. However, current nested collections with more than 2 layers are still retained.
    • Docker recommends a maximum of two layers when creating collections within UCP under the shared cluster collection designated as /Swarm/. For example, if a production collection called /Swarm/production is created under the shared cluster collection, /Swarm/, then only one level of nesting should be created: /Swarm/production/app/.
  • Kubernetes

Components

Component Version
UCP 3.1.0
Kubernetes 1.11.2
Calico 3.2.3
Interlock (nginx) 1.13.12