20.10.4

20.10.4

(2021-04-12)

Components

Component

Version

Mirantis Container Runtime

20.10.4

containerd

1.4.4

runc

1.0.0-rc92

Security

  • Resolved CVE-2021-21285, thereby preventing invalid images from crashing the Docker daemon (ENGINE-438).

  • Resolved CVE-2021-21284, thereby preventing a remapped root from accessing the Docker state by locking down file permissions (ENGINE-438).

  • MCR now confirms that AppArmor and SELinux profiles are applied when building with BuildKit (ENGINE-438).

  • Resolved CVE-2021-21334, and in the process updated containerd to version 1.4.4 (ENGINE-438).

  • Updated syscall list to Linux 5.11 in the seccomp profile (moby/moby#41971).

Builder

  • Fixed the incorrect cache match for inline cache import with empty layers (moby/moby#42061).

  • Updated BuildKit to version 0.8.2 (moby/moby#42061).

    • Avoids error caching on token fetch in resolver.

    • Fixed checksum to contain indexes of inputs in fileop, thus preventing certain cache misses.

    • Fixed reference count issues on typed errors with mount references, addressing invalid mutable ref errors.

    • Set token only for main remote access, thereby allowing submodule cloning with different credentials.

  • Ensures blobs are deleted after pull in /var/lib/docker/buildkit/content/blobs/sha256. Run builder prune to clean up old state (moby/moby#42065).

  • Fixed parallel pull synchronization regression (moby/moby#42049).

  • Ensures libnetwork state files do not leak (moby/moby#41972).

Client

  • Customers who use MCR with Kubernetes directly (without using MKE) need to enable the cri-docker plugin in MCR beginning with Kubernetes version 1.23 (planned for late 2021), at which point Kubernetes will no longer maintain dockershim (MKE-8126).

    Learn more

    cri-docker

  • Fixed an issue wherein docker login resulted in a panic if no config file was present (docker/cli#2959).

  • Fixed an issue wherein MCR erroneously displayed the warning: WARNING: Error loading config file: .dockercfg: $HOME is not defined (docker/cli#2958).

Runtime

  • Silenced docker info warnings that cannot be addressed (moby/moby#41958).

  • Avoids creating parent directories for XGlobalHeader (moby/moby#42017)>

  • Uses 0755 permissions when creating missing directories (moby/moby#42017).

  • Falls back to manifest list when no platform matches in the image config (moby/moby#42045 and moby/moby#41873).

  • Fixed an issue wherein the daemon panicked when an admin specified a custom default runtime (moby/moby#41974).

  • Fixed an issue wherein an empty daemon configuration caused a panic (moby/moby#41976).

  • Fixed an issue wherein the daemon panicked when starting a container with an invalid device cgroup rule (moby/moby#42001).

  • Fixed an issue wherein the userns-remap option did not work when the username and UID matched (moby/moby#42013).

Logger

  • Honors label-regex config even if labels is not set (moby/moby#42046).

  • Handles long log messages correctly, preventing awslogs in non-blocking mode to split events larger than 16 KB (mobymoby#41975).

Swarm

  • Fixed an issue wherein custom Docker heartbeat periods reverted back to the default setting on restart. Thus, previously stalled tasks will no longer be stuck in a pending state (FIELD-3563, moby/moby#42060).

  • Fixed an issue wherein MCR ignored --update-order and --rollback-order flags (docker/cli#2963).

  • Fixed an issue wherein docker service rollback sometimes returned a non-zero exit code (docker/cli#2964).

  • Fixed an issue wherein the direction of the progress bar rendered inconsistently on docker service rollback (docker/cli#2964).