Mirantis Secure Registry release notes

DTR is now MSR

The product formerly known as Docker Trusted Registry (DTR) is now Mirantis Secure Registry (MSR).

This document describes the latest changes, additions, known issues, and fixes for Mirantis Secure Registry.

Important

When malware is present in customer images, malware scanners operating on MSR’s nodes at runtime can wrongly report MSR as a bad actor. If your malware scanner detects any issue in a running instance of MSR, refer to Vulnerability scanning.

Version 2.8

2.8.4

(2020-11-12)

Bug fixes

  • Fixed issue wherein intermittent scanner failures occurred whenever multiple scanning jobs were running concurrently. Also fixed scanner failures that occurred when scanning certain Go binaries (ENGDTR-2116, ENGDTR-2053).

  • Fixed an issue wherein whenever a webhook for repository events was registered, garant would crash when a push created a repository (ENGDTR-2123).

  • Fixed an issue wherein the DTR API did not return a resource count (FIELD-2628).

Security

  • CVE-2020-1404 has been resolved (ENGDTR-2146).

2.8.3

(2020-09-15)

What’s new

  • In the bootstrapper, all visible name references to Universal Control Plane have been changed to Mirantis Kubernetes Engine, and all name references to UCP have been changed to MKE (ENGDTR-2246).

  • Messaging information has been edited to refer to Mirantis.

  • The default TLS server certificate generated when MSR is installed can now be used for server authentication. Chrome running in its default configuration will now permit users to bypass the certificate error and access MSR.

  • MSR is now fully functional without a license, with the exception of image scanning, which continues to require an Advanced license (ENGDTR-1812).

  • MSR now creates events for changes to repository descriptions.

  • MSR now creates events for a change to a repository’s ImmutableTags field.

  • Documented API endpoints now display in the Swagger Live API documentation:

    • /_ping

    • /health

    • /nginx_status

    • /admin/settings

    (ENGDTR-1701)

Bug fixes

  • Fixed an issue that caused tags to appear as if they were pushed 2019 years ago by a nameless entity.

  • Fixed an issue wherein repository team access was not cleaned up following team deletion (ENGDTR-989).

  • Fixed the following API handlers so that they correctly return an HTTP 401 Unauthorized response when unauthenticated:

    • /repositories

    • /index/dockersearch

    • /index/autocomplete

    (ENGDTR-1824)

  • Fixed an issue wherein a blank page would display when viewing scanned image components while looking at multi-arch image constituents.

  • Fixed an issue wherein the read-only registry banner would remain following a backup/restore, even once the registry was returned to read-write mode. In addition, also fixed an issue in which following a backup/restore the registry could not be set back into read-only mode after it had been unset (ENGDTR-2015, FIELD-2775).

  • Fixed an issue wherein the UI was not properly handling a fresh MSR setup without a garbage collection cron set, which resulted in seemingly infinite loading (ENGDTR-2029).

  • Fixed an issue wherein garbage collection cron job could not be disabled from the UI (ENGDTR-2030).

  • Fixed an issue wherein users were not able to configure MSR to check for upgrades after having previously disabled the feature (ENGDTR-2036).

  • Fixed an issue wherein non-admin users were seeing admin options on the settings page (ENGDTR-2032).

  • Fixed an issue in which the update_vuln_db (vulnerability database update) job returned success even when a replica failed to update its database (ENGDTR-2039).

  • Fixed an issue in which usage analytics were sometimes sent even when the Analytics: Send data setting was turned off.

  • Fixed an issue whereby scanning data was not cleaned up following image garbage collection (ENGDTR-1692).

Security

  • Updated component signature files used for image scanning.

  • Bumped Alpine base image to 3.12.

  • Fixed an issue wherein requests to remote /v2/ endpoints for mirroring would leak information about the remote registry (ENGDTR-1821).

  • Updated the RethinkDB client to v6 and bumped many other component libraries.

  • Updated images to be built from Go 1.14 (ENGDTR-1989).

Known issues

  • If an image’s vulnerability information is not available, rescan the image. If this does not resolve the situation, contact customer support. (Intermittent failures will be addressed in an upcoming release.) (ENGDTR-2053)

  • Several of the highest severity CVEs have been resolved in MSR, and this work will continue going forward (ENGDTR-1874).

2.8.2

(2020-08-10)

What’s new

  • Starting with this release, we moved the location of our offline bundles for MSR from https://packages.docker.com/caas/ to https://packages.mirantis.com/caas/ for the following versions.

    • MSR 2.8.2

    • MSR 2.7.8

    • DTR 2.6.15

    Offline bundles for other previous versions of MSR will remain on the docker domain.

  • Due to infrastructure changes, licenses will no longer auto-update and the related screens in MSR have been removed (ENGORC-1848).

Bug fixes

  • We fixed an issue that caused the system to become unresponsive when using /api/v1/repositories/{namespace}/{reponame}/tags/{reference}/scan

  • We updated help links in the MSR user interface so that the user can see the correct help topics.

  • Previously, an MSR license may not have been successfully retrieved during installation, even when the license was available. It is now fetched properly (ENGDTR-1870).

Security

  • We upgraded our Synopsys vulnerability scanner to version 2020.03. This will result in improved vulnerability scanning both by finding more vulnerabilities and significantly reducing false positives that may have been previously reported (ENGDTR-1868).

2.8.1

(2020-06-24)

Enhancements

  • MSR now uses Mirantis’s JWT-based licensing flow, in addition to the legacy Docker Hub licensing method (ENGDTR-1604).

Bug fixes

  • Removal of auto refresh license toggle from the UI license screen (ENGDTR-1846).

  • Information leak tied to the remote registry endpoint (ENGDTR-1821).

  • The text/csv response file gained from using the scan summary API endpoint to obtain the latest security scanning results contains “column headers” but no true response data (ENGDTR-1646).

  • Due to scanner improvements, libidn2 no longer displays false positives (ENGDTR-1816).

Security

2.8.0

(2020-05-28)

New features

Support for CVSS Version 3 scanning.

Enhancements

  • Users can now filter through repository tags with a type of either app, image, or plugin.

  • All cron jobs are now included in backups.

  • An alert now displays in the bottom right side of the MSR web interface when a user scans a tag.

  • Improvement to performance on Scan Summary API (POST api/v0/imagescan/scansummary/tags).

  • Addition of pagination for promotion policies in the MSR web interface.

  • An option is now available for reducing backup size by not backing up the events table for online backups (offline backups do not have this option). This adds a new flag to MSR CLI for the backup command: --ignore-events-table.

  • Addition of an Event parameter validation to include parameters for event or object type.

  • Create events for repository permission changes.

  • Addition of a check prior to running MSR remove that determines whether a replica ID exists in the cluster. Can be overridden with --force.

  • Improvement to the error messaging for default crons when there is no Advanced license.

Bug fixes

  • Pull mirroring policies now do a full pull mirror for a repository when the tag limit is increased, a pruning policy is deleted, or when a policy pulls a tag that has just been deleted.

  • Addition of a repository event that will distinguish policy promotions from manual promotions that are done on a single image using the Promote button in the MSR web interface.

  • Fix of an issue that prevented license information from updating after the license is changed in the MSR web interface.

  • Improvements to the MSR web interface for organizations, including the organization list, the organization viewer, the organization repo, and the new organization screen.

  • Fixed an issue where the constituent image platforms were not populated for the /api/v1/repositories/{namespace}/{reponame}/tags and /api/v1/repositories/{namespace}/{reponame}/tags/{reference} API endpoints.

  • Fixed an issue wherein invoking the /api/v0/workers/{id}/capacity API with an invalid {id} returned 200 (OK) instead of a 404 error.

  • Fixed misleading error messaging on immutable repos.

  • Fixed issue where scan summaries were not exporting correctly.

  • Fixed an issue where the repository readme wouldn’t update.

  • Fixed an issue where the repository readme submission wouldn’t show.

  • Fixed pull / push mirroring validation logic.

  • Fixed broken webhook skipTLS button.

  • Fixed issue where scanning information wasn’t being copied over with promotion policies.

  • Fixed issue where notification banners were making part of the UI inaccessible.

  • Fixed a bug where webhook events weren’t being tracked correctly.

  • Fixed a bug where pagination for namespace repositories for a non admin user was not working.

  • Scanning data that corresponds to images and layers marked for deletion is deleted during garbage collection.

Security

  • Fixed problem where storage backend credentials were being returned in API calls to admin/settings.

Known issues

MSR does not yet offer a method for deleting scanned data that has been orphaned following the garbage collection of associated metadata.