This document describes the latest changes, additions, known issues, and fixes for Mirantis Container Runtime.
Mirantis Container Runtime builds upon the corresponding Docker Engine - Community that it references. Mirantis Container Runtime includes enterprise features as well as back-ported fixes (security-related and priority defects) from the open source. It also incorporates defect fixes for environments in which new features cannot be adopted as quickly for consistency and compatibility reasons.
Note
The client and container runtime are in separate packages from the daemon. Users should install and update all three packages at the same time to get the latest patch releases. For example, on Ubuntu:
sudo apt-get install docker-ee docker-ee-cli containerd.io
See the install instructions for the corresponding linux distro for details.
(2021-06-29)
Component | Version |
---|---|
Mirantis Container Runtime | 19.03.17 |
containerd | 1.4.6 |
runc | 1.0.0-rc95 |
(2021-05-17)
Component | Version |
---|---|
Mirantis Container Runtime | 19.03.16 |
containerd | 1.3.10 |
runc | 1.0.0-rc10 |
Fixed an issue wherein swarm service VIPs timed out from Windows containers, resulting in the following error in dockerd event logs:
Failed to add ILB policy for service service […] failed during
hnsCallRawResponse: hnsCall failed in Win32: The specified port already
exists.
The Windows Operating System update KB4577668 introduced the issue on October 13, 2020, affecting all versions of MCR (FIELD-3310).
CentOS and RHEL 7.x kernels can experience memory exhaustion due to slab cache usage. Because this is a kernel feature, the issue cannot be resolved with MCR code.
Workarounds:
cgroups.memory=nokmem and apply the change (for customers using CentOS or RHEL 7.7 and above). (FIELD-3466)
(2021-04-12)
Component | Version |
---|---|
Mirantis Container Runtime | 19.03.15 |
containerd | 1.3.10 |
runc | 1.0.0-rc10 |
(2021-03-01)
No changes were made to MCR for the March 1, 2021 software patch (only MKE is affected). As such, the product retains the 19.03.14 version number and there are no new release notes to report.
(2021-02-02)
No changes were made to MCR for the February 2, 2021 software patch (only MKE is affected). As such, the product retains the 19.03.14 version number and there are no new release notes to report.
(2020-12-17)
Component | Version |
---|---|
Docker Engine - Enterprise | 19.03.14 |
containerd | 1.3.9 |
runc | 1.0.0-rc10 |
(2020-11-12)
Component | Version |
---|---|
Mirantis Container Runtime | 19.03.13 |
containerd | 1.3.7 |
runc | 1.0.0-rc10 |
(2020-08-10)
(2020-06-24)
(2020-05-28)
2019-11-14
entitlements in builder config. docker/engine#412
2019-10-17
DOCKER-USER iptables chain issue. docker/engine#404
code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
404 error after being deployed.
docker service update --force.
docker pause container before doing file operations. moby/moby#39252
docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.
2019-10-08
runc in containerd. CVE-2017-18367
POST /images/create returning a 500 status code when providing an incorrect platform option. docker/engine#365
POST /build returning a 500 status code when providing an incorrect platform option. docker/engine#365
docker rmi stuck in certain misconfigured systems, e.g. dead NFS share. docker/engine#335
max-size is set and max-file=1. docker/engine#378
DOCKER-USER iptables chain is missing: docker/for-linux#810. Users cannot perform additional container network traffic filtering on top of this iptables chain. You are not affected by this issue if you are not customizing iptables chains on top of DOCKER-USER.
Workaround: Insert the iptables chain after the docker daemon starts. For example:
iptables -N DOCKER-USER
iptables -I FORWARD -j DOCKER-USER
iptables -A DOCKER-USER -j RETURN
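Run a second time, the three commands above fail on -N (the chain already exists) and add a duplicate FORWARD jump and RETURN rule. An idempotent form of the same workaround follows, as an added example that is not part of the Mirantis release notes; the function name ensure_docker_user_chain, the IPTABLES override variable and the "apply" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent version of the DOCKER-USER workaround.
# IPTABLES is a hypothetical override (not a Docker or iptables setting);
# it defaults to the real binary and allows a stub for dry runs.
IPTABLES="${IPTABLES:-iptables}"

ensure_docker_user_chain() {
    # Create the chain only when it is missing; -N errors if it exists.
    if ! $IPTABLES --wait -n -L DOCKER-USER >/dev/null 2>&1; then
        $IPTABLES --wait -N DOCKER-USER || return 1
    fi
    # -C tests for an exact rule, so the jump is never inserted twice.
    if ! $IPTABLES --wait -C FORWARD -j DOCKER-USER 2>/dev/null; then
        $IPTABLES --wait -I FORWARD -j DOCKER-USER || return 1
    fi
    # Keep a closing RETURN so unmatched traffic continues through FORWARD.
    if ! $IPTABLES --wait -C DOCKER-USER -j RETURN 2>/dev/null; then
        $IPTABLES --wait -A DOCKER-USER -j RETURN || return 1
    fi
}

# Apply only when asked to: run as root, after the Docker daemon has started.
if [ "${1:-}" = "apply" ]; then
    ensure_docker_user_chain
fi
```

Custom filtering rules belong in DOCKER-USER ahead of the final RETURN, so insert them with -I rather than -A once the chain exists.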
code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
404 error after being deployed.
docker service update --force.
docker pause container before doing file operations. moby/moby#39252
docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.
2019-09-03
COPY --from to non-existing directory on Windows. moby/moby#39695
docker login --username.
context create. docker/cli#1985
code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
404 error after being deployed.
docker service update --force.
/sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
docker pause container before doing file operations. moby/moby#39252
docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.
2019-07-25
code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
404 error after being deployed.
docker service update --force.
/sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
docker pause container before doing file operations. moby/moby#39252
docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.
2019-07-22
COPY --from to preserve ownership. moby/moby#38599
--cache-from. docker/engine#215
stopprogress called on download error. docker/engine#215
resolv.conf. docker/engine#260.
docker/dockerfile:1.1 by default. docker/engine#215
--pids-limit flag to docker update. docker/cli#1765
template_driver in compose files. docker/cli#1746
--device support for Windows. docker/cli#1606
--mount type=bind,bind-nonrecursive,... docker/cli#1430
--domainname flag. docker/cli#1130
docker stack deploy. docker/cli#1783
Configs as CredentialSpecs on services. docker/cli#1781
--security-opt systempaths=unconfined support. docker/cli#1808
docker run. docker/cli#1767
docker system info output now segregates information relevant to the client and daemon. docker/cli#1638
x-pull-secret: some-pull-secret in compose-files service configs. docker/cli#1617
x-pull-policy: <Never|Always|IfNotPresent> in compose-files service configs. docker/cli#1617
/info endpoint, and moved detection to the daemon. moby/moby#37502
/_ping endpoint. moby/moby#38570
Cache-Control headers to disable caching /_ping endpoint. moby/moby#38569
containerd, runc, and docker-init versions to /version. moby/moby#37974
/grpc endpoint and registered BuildKit’s controller. moby/moby#38990
io_pgetevents(). moby/moby#38895
ptrace(2) for 4.8+ kernels now allowed. moby/moby#38137
dockerd as a non-root user (Rootless mode) is now allowed. moby/moby#380050
lxc-user-nic SUID binary. docker/engine#208
--device support for Windows. moby/moby#37638
memory.kernelTCP support for linux. moby/moby#37043
idtools.LookupGroup instead of parsing /etc/group file for docker.sock ownership to fix: api.go doesn't respect nsswitch.conf. moby/moby#38126
containerd to 1.2.6. moby/moby#39016
runc to 1.0.0-rc8, opencontainers/selinux v1.2.2. docker/engine#210
google.golang.org/grpc to v1.20.1. docker/engine#215
docker --init with /dev bind mount. moby/moby#37665
--device-read-bps option. moby/moby#39212
Path does not exist error when path definitely exists. moby/moby#39251
--network-rm. docker/engine#213
PortBindings to IPv4zero (0.0.0.0). docker/libnetwork#2376
IMAGE_NAME attribute to journald log events. moby/moby#38032
aufs storage driver and added warning. moby/moby#38090
code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
404 error after being deployed.
docker service update --force.
/sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
docker pause container before doing file operations. moby/moby#39252
docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.