20.10.4

(2021-04-12)

Components

Component                   Version
Mirantis Container Runtime  20.10.4
containerd                  1.4.4
runc                        1.0.0-rc92

Security

  • Resolved CVE-2021-21285, thereby preventing invalid images from crashing the Docker daemon (ENGINE-438).

  • Resolved CVE-2021-21284, thereby preventing a remapped root from accessing the Docker state by locking down file permissions (ENGINE-438).

  • MCR now confirms that AppArmor and SELinux profiles are applied when building with BuildKit (ENGINE-438).

  • Resolved CVE-2021-21334, and in the process updated containerd to version 1.4.4 (ENGINE-438).

  • Updated syscall list to Linux 5.11 in the seccomp profile (moby/moby#41971).

Builder

  • Fixed the incorrect cache match for inline cache import with empty layers (moby/moby#42061).

  • Updated BuildKit to version 0.8.2 (moby/moby#42061).

    • Avoids error caching on token fetch in resolver.

    • Fixed checksum to contain indexes of inputs in fileop, thus preventing certain cache misses.

    • Fixed reference count issues on typed errors with mount references, addressing invalid mutable ref errors.

    • Set token only for main remote access, thereby allowing submodule cloning with different credentials.

  • Ensures blobs are deleted after pull in /var/lib/docker/buildkit/content/blobs/sha256. Run builder prune to clean up old state (moby/moby#42065).

  • Fixed parallel pull synchronization regression (moby/moby#42049).

  • Ensures libnetwork state files do not leak (moby/moby#41972).

Client

  • Customers who use MCR with Kubernetes directly (without using MKE) need to enable the cri-docker plugin in MCR beginning with Kubernetes version 1.23 (planned for late 2021), at which point Kubernetes will no longer maintain dockershim (MKE-8126).

    Learn more

    cri-docker

  • Fixed an issue wherein docker login resulted in a panic if no config file was present (docker/cli#2959).

  • Fixed an issue wherein MCR erroneously displayed the warning: WARNING: Error loading config file: .dockercfg: $HOME is not defined (docker/cli#2958).

Runtime

  • Silenced docker info warnings that cannot be addressed (moby/moby#41958).

  • Avoids creating parent directories for XGlobalHeader (moby/moby#42017).

  • Uses 0755 permissions when creating missing directories (moby/moby#42017).

  • Falls back to manifest list when no platform matches in the image config (moby/moby#42045 and moby/moby#41873).

  • Fixed an issue wherein the daemon panicked when an admin specified a custom default runtime (moby/moby#41974).

  • Fixed an issue wherein an empty daemon configuration caused a panic (moby/moby#41976).

  • Fixed an issue wherein the daemon panicked when starting a container with an invalid device cgroup rule (moby/moby#42001).

  • Fixed an issue wherein the userns-remap option did not work when the username and UID matched (moby/moby#42013).

Logger

  • Honors label-regex config even if labels is not set (moby/moby#42046).

  • Handles long log messages correctly, preventing awslogs in non-blocking mode from splitting events larger than 16 KB (moby/moby#41975).

Swarm

  • Fixed an issue wherein custom Docker heartbeat periods reverted back to the default setting on restart. Thus, previously stalled tasks will no longer be stuck in a pending state (FIELD-3563, moby/moby#42060).

  • Fixed an issue wherein MCR ignored --update-order and --rollback-order flags (docker/cli#2963).

  • Fixed an issue wherein docker service rollback sometimes returned a non-zero exit code (docker/cli#2964).

  • Fixed an issue wherein the direction of the progress bar rendered inconsistently on docker service rollback (docker/cli#2964).