MSR release notes¶

What’s new¶

• MSR now tags all analytics reports with the user license ID when telemetry is enabled. It does not, though, collect any further identifying information. In line with this change, the MSR settings API no longer contains anonymizeAnalytics, and the MSR web UI no longer includes the Make data anonymous toggle (ENGDTR-2607).
• Updated Django to version 3.1.10, resolving the following CVEs: CVE-2021-31542 and CVE-2021-32052 (ENGDTR-2651).

Bug fixes¶

• Fixed an issue with the MSR web UI wherein the System > Storage page failed to display (ENGDTR-2632).
• Fixed an issue in the MSR web UI wherein the Scanning enabled setting failed to display correctly after changing it, navigating away from, and back to the Security tab (FIELD-3541).
• Fixed an issue in the MSR web UI wherein after clicking Sync Database Now, the In Progress icon failed to disappear at the correct time and the scanning information (including the database version) failed to update without a browser refresh (FIELD-3541).
• Fixed an issue in the MSR web UI wherein the value of Scanning timeout limit failed to display correctly after changing it, navigating away from, and back to the Security tab (FIELD-3541).

What’s new¶

• MSR now applies a 56-character limit on “namespace/repository” length at creation, and thus eliminates a situation wherein attempts to push tags to repos with too-long names return a 500 Internal Server Error (ENGDTR-2525).
• The MSR UI now includes a horizontal scrollbar (in addition to the existing vertical scrollbar), thus allowing users to better adjust the window dimensions (FIELD-2082).
• The enableManifestLists setting is no longer needed and has been removed due to breaking Docker Content Trust (FIELD-2642, FIELD-2644).
• Updated the MSR web UI Last updated at trigger for the promotion and mirror policies to include the option to specify before a particular time (after already exists) (FIELD-2180).
• The mirantis/dtr --help documentation no longer recommends using the --rm option when invoking commands. Leaving it out preserves containers after they have finished running, thus allowing users to retrieve logs at a later time (FIELD-2204).

Bug fixes¶

• Pulling images from a repository using crictl no longer returns a 500 error (FIELD-3331, ENGDTR-2569).
• Fixed broken links to MSR documentation in the MSR web UI (FIELD-3822).
• Fixed an issue wherein pushing images with previously-pushed layer data that has been deleted from storage caused unknown blob errors. Pushing such images now replaces missing layer data. Sweeping image layers with image layer data missing from storage no longer causes garbage collection to error out (FIELD-1836).

Security¶

• Vulnerability scans no longer report CVE-2016-4074 as a result of the 2021.03 scanner update.
• A self-scan can report a false positive for CVE-2021-29482 (ENGDTR-2608).

What’s new¶

• Intermittent failures no longer occur during metadata garbage collection when using Google Cloud Storage as the back end (ENGDTR-2376).
• All analytics reports for instances of MSR with a Mirantis-issued license key now include the license ID (even when the anonymize analytics setting is enabled). The license subject reads License ID in the web UI (ENGDTR-2327).

Bug fixes¶

• Fixed an issue wherein the S3 back end storage settings did not display in the web UI after upgrading from MSR 2.7.3 to 2.7.8 (FIELD-3395).
• Fixed an issue with the MSR web UI wherein lengthy tag names overlapped with adjacent text in the repository tag list (FIELD-1631).

Security¶

• MSR is not vulnerable to CVE-2019-15562, despite its detection in dtr-notary-signer and dtr-notary-server vulnerability scans, as the SQL backend is not used in Notary deployment (ENGDTR-2319).
• Vulnerability scans of the dtr-jobrunner can give false positives for CVE-2020-29363, CVE-2020-29361, and CVE-2020-29362 in the p11-kit component. The container’s version of p11-kit is not vulnerable to these CVEs. (ENGDTR-2319).
• Resolved CVE-2019-20907 (ENGDTR-2259).

Security¶

• Resolved CVE-2019-17495 in Swagger UI bundle and standalone preset libraries (ENGDTR-1780, ENGDTR-1781).
• Updated various UI dependencies, thus resolving the following CVEs: CVE-2020-7707, CVE-2018-1000620, CVE-2019-15562, CVE-2017-14623, CVE-2016-8867, CVE-2020-9283, CVE-2020-7919, CVE-2019-0205, CVE-2019-11254, CVE-2020-8911, and CVE-2020-8912 (ENGDTR-2271, ENGDTR-2272, ENGDTR-2179).

Bug fixes¶

• Fixed issue wherein intermittent scanner failures occurred whenever multiple scanning jobs were running concurrently. Also fixed scanner failures that occurred when scanning certain Go binaries (ENGDTR-2116, ENGDTR-2053).
• Fixed an issue in which the update_vuln_db (vulnerability database update) job returned success even when a replica failed to update its database (ENGDTR-2039).
• Fixed an issue wherein the read-only registry banner would remain following a backup/restore, even once the registry was returned to read-write mode. In addition, also fixed an issue in which following a backup/restore the registry could not be set back into read-only mode after it had been unset (ENGDTR-2015, FIELD-2775).
• Fixed an issue wherein whenever a webhook for repository events was registered, garant would crash when a push created a repository (ENGDTR-2123).

Security¶

• Updated images to be built from Go 1.14 (ENGDTR-1989).

• The following CVEs have been resolved: CVE-2020-11656, CVE-2019-19646, CVE-2018-1000878, CVE-2018-1000877, CVE-2018-11243, CVE-2019-14296, CVE-2020-1967, CVE-2015-4646, CVE-2019-15601, CVE-2020-13630, CVE-2019-19921, CVE-2019-1000019, CVE-2019-20509, CVE-2018-1000879, CVE-2019-1000020, CVE-2018-1000880, CVE-2020-1720, CVE-2020-13631, CVE-2019-20051, CVE-2019-20021, CVE-2015-4645, CVE-2020-13632, CVE-2020-13435, CVE-2019-19645, CVE-2019-20053, CVE-2019-14295, CVE-2019-17595, CVE-2019-1551, CVE-2019-17594, CVE-2020-14155, CVE-2019-15562, CVE-2017-14623, CVE-2016-8867, CVE-2020-9283, CVE-2020-7919, CVE-2019-0205, CVE-2020-14040, CVE-2020-14040, CVE-2020-14040, CVE-2019-11254, CVE-2020-8911, CVE-2020-8912

  (ENGDOCS-2179)

What’s new¶

• Starting with this release, we moved the location of our offline bundles for MSR from https://packages.docker.com/caas/ to https://packages.mirantis.com/caas/ for the following versions.

  • MSR 2.8.2
  • MSR 2.7.8
  • MSR 2.6.15

  Offline bundles for other previous versions of MSR will remain on the docker domain.

• Due to infrastructure changes, licenses will no longer auto-update and the relaged screens in MSR have been removed.

Bug fixes¶

• We fixed an issue that caused the system to become unresponsive when using /api/v1/repositories/{namespace}/{reponame}/tags/{reference}/scan
• We updated help links in the MSR user interface so that the user can see the correct help topics.
• Previously a MSR license may not have been successfully retrieved during installation, even when the license was available. It is now fetched properly (ENGDTR-1870).

Security¶

• We upgraded our Synopsis vulnerability scanner to version 2020.03. This will result in improvedvulnerability scanning both by finding more vulnerabilities andsignificantly reducing false positives that may have been previouslyreported (ENGDTR-1868).

What’s New¶

• MSR now uses Mirantis’s JWT-based licensing flow, in addition to the legacy Docker Hub licensing method). (ENGDTR-1604)

Bug fixes¶

• Removal of auto refresh license toggle from the UI license screen. (ENGDTR-1846)
• Information leak tied to the remote registry endpoint. (ENGDTR-1821)
• The text/csv response file gained from using the scan summary API endpoint to obtain the latest security scanning results contains “column headers” but no true response data. (ENGDTR-1646)

Security¶

• Changes to the whitelist URLs for outgoing connections: URLs to de-whitelist if there are no pre-Patch 2020-06 versions of Mirantis Container Runtime running the following. (ENGDTR-1847)
  • http://license.enterprise.docker.com
  • http://dss-cve-updates.enterprise.docker.com
  • URLs to whitelist for Patch 2020-06 and later:
    • http://license.mirantis.com
    • http://dss-cve-updates.mirantis.com

Bug Fixes¶

• UX improvement with regard to replica removal. By default, MSR now checks whether the replica being moved actually exists (the --force argument can be used to skip the check). (docker/dhe-deploy #10886)
• Fixed pagination issues encountered when non-admin users list the repositories in a namespace. (docker/dhe-deploy #10873)
• Fixed UI for OpenStack Swift storage backend settings. (docker/dhe-deploy #10866)
• Fixed issue that prevented non-admin users from being able to create promotion policies. (docker/dhe-deploy #10862)
• Fixed discrepencies in promotion policy creation UX. (docker/dhe-deploy #10865)

Security¶

• Update tooling to Golang 1.13.8. (docker/dhe-deploy #10901)

Bug fixes¶

• Fixed the bug that caused the jobrunner logs to flood with unable to cancel request: nil. (docker/dhe-deploy #10807)
• Fixed the bug that resulted in added licenses not presenting in the UI prior to a page refresh. (docker/dhe-deploy #10815)
• Update offline license instructions, to direct users to hub.docker.com (and not store.docker.com). (docker/dhe-deploy #10835)
• Addition of more descriptive error messaging for a situation in which an advanced license for tag pruning and poll mirroring is missing. (docker/dhe-deploy #10827)

Security¶

• Includes a new version of the security scanner which re-enables daily CVE database updates. Following the patch release upgrade, security scans will fail until a new version of the database is provided (if MSR is configured for online updates, this will occur automatically within 24 hours). To trigger an immediate update, (1) access the MSR UI, (2) go to the Security under System settings, and (3) click the Sync database now button.

  If MSR is configured for offline updates, download the database for version 2.7.5 or higher. (docker/dhe-deploy #10845)

Bug fixes¶

• Fixed a bug where MKE pulling image vulnerability summaries from MSR caused excessive CPU load in MKE. (docker/dhe-deploy #10784)

Security¶

• Bumped the Golang version for MSR to 1.12.12. (docker/dhe-deploy #10769)

Bug Fixes¶

• Fixed a bug where attempting to pull mirror manifest lists would not trigger an evaluation of their existing push mirroring policies, and they would not get push mirrored to a remote MSR. (docker/dhe-deploy #10676)
• Fixed a bug where the S3 storage driver did not honor HTTP proxy settings. (docker/dhe-deploy #10639)
• Content Security Policy (CSSP) headers are now on one line to comply with RFC 7230. (docker/dhe-deploy #10594)

Security¶

• Bumped the version of the Alpine base images from 3.9 to 3.10. (docker/dhe-deploy #10716)

Known issues¶

Bug fixes¶

• Fixed a bug which prevented non-admin users from creating or editing promotion policies. (docker/dhe-deploy #10551)
• Fixed an issue where promotion policy details could not be displayed. (docker/dhe-deploy #10510)
• Fixed a bug which can cause scanning jobs to deadlock. (docker/dhe-deploy #10632)

Security¶

• Updated the Go programming language version for MSR to 1.12.9. (docker/dhe-deploy #10570)

Known issues¶

Bug fixes¶

• In 2.7.0, users may see vuln_db_update jobs fail with the message Unable to get update url: Could not get signed urls with errors – 2.7.1 addresses this issue. With it your vulnerability database update jobs should succeed.

Known issues¶

• Application mirroring to and from Docker Hub does not work as experimental applications are not yet fully supported on Docker Hub.
• The time that an application is pushed is incorrect.
• If an incorrect password is entered when changing your password, the UI will not give the appropriate error message, and the save button will stay in a loading state.
  • Workaround: Refresh the page.
• After a promotion policy is created, it cannot be edited through the UI.
  • Workaround: Either delete the promotion policy and re-create it, or use the API to view and edit the promotion policy.
• Non-admin users cannot create promotion policies through the UI.

Security¶

Refer to MSR image vulnerabilities for details regarding actions to be taken and any status updates, issues, and recommendations.

New Features¶

• Web Interface
  • Users can now filter events by object type. (docker/dhe-deploy #10231)
  • Docker artifacts such as apps, plugins, images, and multi-arch images are shown as distinct types with granular views into app details including metadata and scan results for an application’s constituent images. Learn more.
  • Users can now import a client certificate and key to the browser in order to access the web interface without using their credentials.
  • The Logout menu item is hidden from the left navigation pane if client certificates are used for MSR authentication instead of user credentials. (docker/dhe-deploy#10147)
• App Distribution
  • It is now possible to distribute docker apps via MSR. This includes application pushes, pulls, and general management features like promotions, mirroring, and pruning.
• Registry CLI
  • The Docker CLI now includes a docker registry management command which lets you interact with Docker Hub and trusted registries.
    • Features supported on both MSR and Hub include listing remote tags and inspecting image manifests.
    • Features supported on MSR alone include removing tags, listing repository events (such as image pushes and pulls), listing asynchronous jobs (such as mirroring pushes and pulls), and reviewing job logs. Learn more.
• Client Cert-based Authentication
  • Users can now use MKE client bundles for MSR authentication.
  • Users can now add their client certificate and key to their local Engine for performing pushes and pulls without logging in.
  • Users can now use client certificates to make API requests to MSR instead of providing their credentials.

Enhancements¶

• Users can now edit mirroring policies. (docker/dhe-deploy #10157)
• docker run -it --rm docker/dtr:2.7.0-beta4 now includes a global option, --version, which prints the MSR version and associated commit hash. (docker/dhe-deploy #10144)
• Users can now set up push and pull mirroring policies through the API using an authentication token instead of their credentials. (docker/dhe-deploy#10002)
• MSR is now on Golang 1.12.4. (docker/dhe-deploy#10274)
• For new mirroring policies, the Mirror direction now defaults to the Pull tab instead of Push. (docker/dhe-deploy#10004)

Bug Fixes¶

• Fixed an issue where a webhook notification was triggered twice on non-scanning image promotion events on a repository with scan on push enabled. (docker/dhe-deploy#9909)

Known issues¶

• Application mirroring to and from Docker Hub does not work as experimental applications are not yet fully supported on Docker Hub.
• The time that an application is pushed is incorrect.
• The Application Configuration in the UI says it is an invocation image.
• When changing your password if an incorrect password is entered the UI will not give the appropriate error message, and the save button will stay in a loading state.
  • Workaround: Refresh the page.
• After a promotion policy is created, it cannot be edited through the UI.
  • Workaround: Either delete the promotion policy and re-create it, or use the API to view and edit the promotion policy.
• Non-admin users cannot create promotion policies through the UI.

Deprecations¶

• Upgrade
  • The --no-image-check flag has been removed from the upgrade command as image check is no longer a part of the upgrade process.