20.10.4
(2021-04-12)
Components
Component | Version |
---|---|
Mirantis Container Runtime | 20.10.4 |
containerd | 1.4.4 |
runc | 1.0.0-rc92 |
Security
Resolved CVE-2021-21285, thereby preventing invalid images from crashing the Docker daemon (ENGINE-438).
Resolved CVE-2021-21284, thereby preventing a remapped root from accessing the Docker state by locking down file permissions (ENGINE-438).
MCR now confirms that AppArmor and SELinux profiles are applied when building with BuildKit (ENGINE-438).
Resolved CVE-2021-21334, and in the process updated containerd to version 1.4.4 (ENGINE-438).
Updated syscall list to Linux 5.11 in the seccomp profile (moby/moby#41971).
Builder
Fixed the incorrect cache match for inline cache import with empty layers (moby/moby#42061).
Updated BuildKit to version 0.8.2 (moby/moby#42061).
Avoids error caching on token fetch in resolver.
Fixed checksum to contain indexes of inputs in fileop, thus preventing certain cache misses.
Fixed reference count issues on typed errors with mount references, addressing invalid mutable ref errors.
Set token only for main remote access, thereby allowing submodule cloning with different credentials.
Ensures blobs are deleted after pull in /var/lib/docker/buildkit/content/blobs/sha256. Run builder prune to clean up old state (moby/moby#42065).
Fixed parallel pull synchronization regression (moby/moby#42049).
Ensures libnetwork state files do not leak (moby/moby#41972).
Client
Customers who use MCR with Kubernetes directly (without using MKE) need to enable the cri-docker plugin in MCR beginning with Kubernetes version 1.23 (planned for late 2021), at which point Kubernetes will no longer maintain dockershim (MKE-8126).
Learn more: cri-docker
Fixed an issue wherein docker login resulted in a panic if no config file was present (docker/cli#2959).
Fixed an issue wherein MCR erroneously displayed the warning: WARNING: Error loading config file: .dockercfg: $HOME is not defined (docker/cli#2958).
Runtime
Silenced docker info warnings that cannot be addressed (moby/moby#41958).
Avoids creating parent directories for XGlobalHeader (moby/moby#42017).
Uses 0755 permissions when creating missing directories (moby/moby#42017).
Falls back to manifest list when no platform matches in the image config (moby/moby#42045 and moby/moby#41873).
Fixed an issue wherein the daemon panicked when an admin specified a custom default runtime (moby/moby#41974).
Fixed an issue wherein an empty daemon configuration caused a panic (moby/moby#41976).
Fixed an issue wherein the daemon panicked when starting a container with an invalid device cgroup rule (moby/moby#42001).
Fixed an issue wherein the userns-remap option did not work when the username and UID matched (moby/moby#42013).
Logger
Honors label-regex config even if labels is not set (moby/moby#42046).
Handles long log messages correctly, preventing awslogs in non-blocking mode from splitting events larger than 16 KB (moby/moby#41975).
Swarm
Fixed an issue wherein custom Docker heartbeat periods reverted back to the default setting on restart. Thus, previously stalled tasks will no longer be stuck in a pending state (FIELD-3563, moby/moby#42060).
Fixed an issue wherein MCR ignored --update-order and --rollback-order flags (docker/cli#2963).
Fixed an issue wherein docker service rollback sometimes returned a non-zero exit code (docker/cli#2964).
Fixed an issue wherein the direction of the progress bar rendered inconsistently on docker service rollback (docker/cli#2964).