Introduction¶

This documentation provides information on how to deploy Mirantis Container Runtime (MCR). The documentation is intended to help operators to understand the core concepts of the product.

The information provided in this documentation set is being constantly improved and amended based on the feedback and kind requests from the consumers of MCR.

Product Overview¶

Mirantis Container Runtime (MCR) enables you to power your business-critical applications with the industry-leading enterprise container engine. You can run containers on any platform with a fully supported and highly secure container runtime. MCR provides the core functionality and security compliance needed to enable your container orchestration solution of choice with certified proven support for both Kubernetes and Swarm. The most common use cases include:

Container orchestration solution: Organisations often have unique container orchestration requirements and may choose to utilise alternative systems to manage their containers. MCR provides freedom to select the best orchestration solution for your needs whilst still ensuring you have a secure, trusted, and supported container runtime to run your mission-critical workloads.
Secure and validated containers: The challenges in ensuring that the software supply chain is secure does not stop at the container orchestration solution. The key part of securing your container solution is ensuring that only validated and trusted containers can be deployed and run. MCR combined with Mirantis Secure Registry (MSR) gives you the ability to validate and sign your container images to ensure that only approved images can be run in your environment.
Secure validated encryption: Regulated industries need to meet federal regulations to ensure that appropriate levels of encryption are enabled. MCR provides FIPS 140-2 Validated cryptography ensuring that you meet the highest standards necessary to comply with the federal requirements.
Multiple operating systems and infrastructures: With the drive towards multi-cloud and hybrid cloud, computing organisations need to support multiple operating systems on multiple platforms. MCR is certified to run on multiple operating systems, including CentOS, RHEL, Ubuntu, and Windows, for consistent runtime regardless of the platform.

Reference Architecture¶

The Mirantis Container Runtime (MCR) Reference Architecture is a work in progress, the intent of which is to keep MCR users apprised of the technical details that pertain to the differences between MCR and Docker Engine.

Storage driver compatibility¶

overlay2 is the only storage driver MCR builds and supports, with the exception of the btrfs storage driver, which Mirantis will continue to build and support exclusively for the SLES platform (for which overlay2 is also viable).

MCR storage driver compatibility¶
Graphdriver	MCR 20.10	MCR 23.0
overlay2	Supported	Supported
btrfs	Supported only on SLES. Unsupported on all other Linux platforms.	Supported only on SLES. Unavailable on all other Linux platforms.
zfs	Unsupported	Unavailable
fuseoverlayfs	Unsupported	Unavailable
aufs	Unsupported	Unavailable
overlay	Unsupported	Unavailable
devicemapper	Unsupported	Unavailable
vfs	Unsupported	Unsupported

Deployment Guide¶

Mirantis Container Runtime (MCR) is a client-server application with these major components:

A server which is a type of long-running program called a daemon process (the dockerd command).
A REST API which specifies interfaces that programs can use to talk to the daemon and instruct it what to do.
A command line interface (CLI) client (the docker command).

MCR can be installed on several Linux distros as well as on Windows.

Note

MCR is derived from the Moby project, an open framework created by Docker Inc. As such, most of the product commands and setup instruction are identical to those for Docker Engine.

Install the license¶

Warning

Users are not authorized to run MCR without a valid license. For more information, refer to Mirantis Agreements and Terms.

For MCR to recognize your license, you must apply your customer license file at runtime.

To make MCR aware of your license and entitlement, perform the following for each node that will host MCR:

Download the license file.

If you purchased a license from the Mirantis Store, the license file is available through a link in your confirmation email. Otherwise, contact Mirantis Sales and Support to gain access to the file.

Apply the license file.

Platform	Applying the license
Linux distributions	Determine the location of the data root directory. This information is available in the `daemon.json` file associated with MCR. Alternatively, you can specify the data root directory using the --data-root flag at MCR start up. Note that the default data-root directory is `/var/lib/docker`. Copy the license file to the data root directory and name it `docker.lic`. It is imperative that the license be readable by the account/user that runs the docker daemon.
Windows servers	Currently, you do not need to apply a license for Windows server systems, as Mirantis Container Runtime can be run using the installation script.

Platform

Applying the license

Linux distributions

Determine the location of the data root directory. This information is available in the daemon.json file associated with MCR. Alternatively, you can specify the data root directory using the --data-root flag at MCR start up. Note that the default data-root directory is /var/lib/docker.
Copy the license file to the data root directory and name it docker.lic. It is imperative that the license be readable by the account/user that runs the docker daemon.

Windows servers

Currently, you do not need to apply a license for Windows server systems, as Mirantis Container Runtime can be run using the installation script.

Start MCR. If MCR is already running, restart it.

Note

MKE, MSR, and Mirantis Container Cloud have implied MCR licenses.

Install MCR on Windows Servers¶

Mirantis Container Runtime (MCR) enables native Docker containers on Windows Server. The Mirantis Container Runtime installation package includes everything you need to run Docker on Windows Server. This topic describes pre-install considerations, and how to download and install Mirantis Container Runtime.

Note

Refer to the MCR 20.10 Compatibility Matrix for information on which Windows Server versions are supported.

System requirements¶

Windows OS CPU and RAM requirements that must be met are specified in the Windows Server Requirements.

Install MCR with an Internet connection¶

Mirantis provides an installation script to ease MCR installation on a Windows Server machine. The script uses default values, thus allowing it to be run without configuration. You can, however, override the default values with script parameters and env variables. Parameter values take precedence over env variables. Both take precedence over inbuilt default values.

The installation script must be executed from an elevated command prompt. If you want to change the default daemon values, ensure that you have the alternative cofigurations and the related collateral in place prior to executing the script. For example, if you want to enable TLS, store the certificates and write the daemon configuration file before invoking the script.

Obtain the installation script for MCR for Windows Server at https://get.mirantis.com/install.ps1.

(Optional): Allow downloaded script files to run in the current session

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process;

Run the installation script.

The installer will issue a prompt, should it require a reboot.

Note

The installation script installs a numerically higher version by default. The latest tag, however, explicitly denotes the binary that was last pushed, which may not be a numerically higher version.

Test your MCR installation by running the hello-world container.

docker run hello-world:nanoserver

The container starts, prints the Hello from Docker! message, and then exits.

Unable to find image 'hello-world:nanoserver' locally
nanoserver: Pulling from library/hello-world
bce2fbc256ea: Pull complete
3ac17e2e6106: Pull complete
8cac44e17f16: Pull complete
5e160e4d8db3: Pull complete
Digest: sha256:25eac12ba40f7591969085ab3fb9772e8a4307553c14ea72d0e6f98b2c8ced9d
Status: Downloaded newer image for hello-world:nanoserver

Hello from Docker!
This message shows that your installation appears to be working correctly.

FIPS 140-2 cryptographic module support¶

Federal Information Processing Standards (FIPS) Publication 140-2 is a United States Federal security requirement for cryptographic modules.

MCR provides FIPS 140-2 support in Windows Server, which includes a FIPS supported cryptographic module. If the Windows implementation already has FIPS support enabled, FIPS is automatically enabled in MCR.

Note

FIPS 140-2 is only supported in MCR. MKE and MSR currently do not support FIPS 140-2.

To enable FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode, run the following command in PowerShell:

[System.Environment]::SetEnvironmentVariable("DOCKER_FIPS", "1", "Machine")

You can also enable FIPS 140-2 mode using the Windows Registry. To update the pertinent registry key, execute the following PowerShell command as an Administrator:

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\" -Name "Enabled" -Value "1"

Restart the Docker service.

Stop-Service docker
Start-Service docker

To confirm Docker is running with FIPS-140-2 enabled, run the docker info.

Labels:
 com.docker.security.fips=enabled

Note

FIPS-140-2 compliance can be disabled if the FIPS-140-2 cryptographic module is installed on the operating system. To disable FIPS-140-2 in Docker but not the operating system, set the value "DOCKER_FIPS","0" in [System.Environment].\

Install MCR offline¶

If your hardware is air-gapped you can still install MCR. To do so, download the installer and copy the files to the air-gapped machine (the default installation assumes that the zipped files and script are in the same location).

On any Internet connected system, go to https://get.mirantis.com/install.ps1 to obtain the MCR for Windows Server installation script.

(Optional): Allow the downloaded script files to run in the current session.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process;

Run the installation script with the -DownloadOnly parameter. As per the parameter name, this action only downloads the zip file (no installation is performed).
```
.\<installation-script> -DownloadOnly
```
Copy the installation script and the installation zip file over to the air-gapped machine and run the install with the -Offline parameter.
```
.\<installation-script> -Offline
```
If prompted, reboot the installer.

Install a specific version¶

Use the following three parameters separately or in tandem to install a specific version of MCR for Windows Server.

Caution

MCR does not support using earlier versions of containerd than the version with which it is released. For supported containerd versions, refer to the Components section of the required MCR version in Release Notes.

.\install.ps1 -Channel
.\install.ps1 -ContainerdVersion
.\install.ps1 -DockerVersion

For example, the installation script will always use the latest GA.

For parameter descriptions, refer to Install script usage.

Update MCR¶

To update MCR to the most recent release, download the latest copy of the installation script and rerun the installation steps.

Go to the Mirantis Container Runtime for Windows Server web page to obtain the installation script for MCR for Windows Server.

(Optional): Allow downloaded script files to run in the current session.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process

Run the installation script.

Install script usage¶

The installation script uses the parameters detailed below.

Parameter	Description
.PARAMETER DownloadUrl	[Alternately specified by $Env:DOWNLOAD_URL] Specifies an alternative repository in which to download container runtime packages.
.PARAMETER Channel	[Alternately specified by $Env:CHANNEL] Specifies which channel to use for picking the binaries (examples include `stable` and `test`). Default: `stable`.
.PARAMETER DockerVersion	[Alternately specified by $Env:DOCKER_VERSION] Specifies the version number for the DockerEE binaries to install. The latest version is the default.
.PARAMETER ContainerdVersion	[Alternately specified by $Env:CONTAINERD_VERSION] Specifies the version number for the containerd binaries to install The latest version is the default.
.PARAMETER DryRun	If specified, list different steps to use without actually invoking those steps.
.PARAMETER Uninstall	If specified, uninstalls all packages. This includes unregistering the corresponding services and removing paths for the package from the registry. All other script parameters (except `DryRun` and `DestPath`) are ignored if this switch is specified. Common parameters such as -Verbose are still honored.
.PARAMETER Ver	Print version info for the script and exit.
.PARAMETER NoServiceStarts	If specified, services are not started on successful install. By default, all services installed by the script are left in a running state before exit.
.PARAMETER DestPath	Path to the directory under which binaries will be installed. Default: %PROGRAMDATA%
.PARAMETER OfflinePackagesPath	The folder for airgap/offline scenarios. For use when the offline or `DownloadOnly` parameters are specified. Used to either save the downloaded packages for later offline use or for pointing to previously downloaded packages for offline install.
.PARAMETER Offline	Install packages in offline/airgap mode. By default the current directory is used to locate previously downloaded packages, a setting that can be overridden by using the `OfflinePackagesPath` parameter.
.PARAMETER DownloadOnly	Download and save packages for later offline/airgap install.
.PARAMETER EngineOnly	Skip all steps except those related to MCR.

Install script notes¶

In scenarios where you have existing software installed that has its own copies of OpenSSL libraries, you may encounter the following error:
```
OpenSSL error: error:0F06D065:common libcrypto
routines:FIPS_mode_set:fips mode not supported
```
This is often arises if you have ming/mingw64 as a part of your PATH env variable. As a workaround, ensure that the offending software is not on the PATH and run the script again.
The script supports airgap functionality by providing access to download packages while online, as well as to install those selfsame packages while offline.

For downloads, please ensure that the script has access to the internet. Use the -DownloadOnly parameter. By default the script will use the current directory to store the packages after download, a setting that can be changed by specifying the path explicitly with the -OfflinePackagesPath parameter.

For offline/airgap install, please use the -Offline parameter. By default the script searches for pacakages in the current directory, a setting that can be changed by specifying the -OfflinePackagesPath parameter.

While downloading using -DownloadOnly parameter, confirm that the download path is accessible to the script, especially if you run the script without administrative rights.

The following is required so that the script can be invoked with named parameters (for example, -ContainerdVersion 1.3.4...). If a parameter is used, its type is checked by powershell - we give a higher precedence to the parameters specified in this manner versus the same value specified by env vars.

Parameters received at invocation time. Some of these values are merged with values specified by env vars - see reconcileParams. Others are used as-is.

Disable MCR Telemetry¶

By default, MCR automatically records and transmits data to Mirantis for monitoring and analysis purposes. The data collected provides the Mirantis Customer Success Organization with information that helps Mirantis to better understand the operational use of MCR by our customers. It also provides key feedback in the form of product usage statistics, which enables our product teams to enhance Mirantis products and services.

To disable the telemetry function, set features.telemetry to false in the daemon.json file, which is located in C:\ProgramData\docker\config\.

{"features":{"telemetry": false}}

You can change the setting back to true to re-enable telemetry

Caution

To send the telemetry, verify that dockerd can resolve api.segment.io and create a TCP (HTTPS) connection on port 443.

Uninstall MCR¶

Use the following commands to remove MCR from a Windows Server.

Leave any active Docker Swarms.
```
docker swarm leave --force
```
Prune container data.
```
docker system prune -all
```
Run the installation script using the uninstall flag to remove MCR from the system.

Use MCR with Kubernetes¶

Customers who use MCR with Kubernetes directly (without MKE) must use a plugin maintained by Kubernetes called dockershim for Kubernetes 1.23 and below or a plugin maintained by Mirantis called cri-docker (included in MCR) for Kubernetes 1.24 and above.

To configure cri-docker:

systemctl enable cri-docker.service

Use MCR with Docker Swarm¶

Mirantis Container Runtime (MCR) supports the use of Docker Swarm.

The following Docker documentation topics offer detailed information that can help you to run MCR in swarm mode:

Security¶

Several Docker resources are available which cover the basics of Mirantis Container Runtime security, including:

Docker Security Documentation describes the fundamentals, such as namespaces and control groups, the attack surface of the Docker daemon, and other kernel security features.
CIS Docker Community Edition Benchmark details the various security-related options in MCR.
Docker Bench Security is a script that audits your configuration of MCR against the CIS Benchmark.

Antivirus and antimalware¶

When antivirus and antimalware software products scan files in use by MCR, these files can lock in a way that causes Docker commands to hang or causes orphaned snapshots to leak disk space. To circumvent these problems, you can add the Docker data directory to the software’s exclusion list, which is by default /var/lib/docker on Linux systems and %ProgramData%\docker on Windows Server systems. As a result of this action, though, viruses or malware in local Docker images, writable layers of containers, or volumes will go undetected.

Note

If you choose to exclude the Docker data directory from background virus scanning, Mirantis recommends that you schedule recurring tasks for stopping MCR, for scanning the data directory, and for restarting MCR. Make sure to stagger these recurring tasks, though, as running them in sync can cause a system outage.

Open Source Components and Licenses¶

Click any product component license below to download a text file of that license to your local system.

Get Support¶

Mirantis Container Runtime (MCR) subscriptions provide access to prioritized support for designated contacts from your company, agency, team, or organization. MCR service levels are based on your subscription level and the cloud or cluster that you designate in your technical support case. Our support offerings are described on the Enterprise-Grade Cloud Native and Kubernetes Support page. You may inquire about Mirantis support subscriptions by using the contact us form.

The CloudCare Portal is the primary way that Mirantis interacts with customers who are experiencing technical issues. Access to the CloudCare Portal requires prior authorization by your company, agency, team, or organization, and a brief email verification step. After Mirantis sets up its back-end systems at the start of the support subscription, a designated administrator at your company, agency, team, or organization, can designate additional contacts. If you have not already received and verified an invitation to our CloudCare Portal, contact your local designated administrator, who can add you to the list of designated contacts. Most companies, agencies, teams, and organizations have multiple designated administrators for the CloudCare Portal, and these are often the persons most closely involved with the software. If you do not know who your local designated administrator is, or you are having problems accessing the CloudCare Portal, you may also send an email to Mirantis support at support@mirantis.com.

Once you have verified your contact details and changed your password, you and all of your colleagues will have access to all of the cases and resources purchased. Mirantis recommends that you retain your Welcome to Mirantis email, because it contains information on how to access the CloudCare Portal, guidance on submitting new cases, managing your resources, and other related issues.

We encourage all customers with technical problems to use the knowledge base, which you can access on the Knowledge tab of the CloudCare Portal. We also encourage you to review the MKE product documentation and release notes prior to filing a technical case, as the problem may already be fixed in a later release or a workaround solution provided to a problem experienced by other customers.

One of the features of the CloudCare Portal is the ability to associate cases with a specific MKE cluster. These are referred to in the Portal as “Clouds”. Mirantis pre-populates your customer account with one or more Clouds based on your subscription(s). You may also create and manage your Clouds to better match how you use your subscription.

Mirantis also recommends and encourages customers to file new cases based on a specific Cloud in your account. This is because most Clouds also have associated support entitlements, licenses, contacts, and cluster configurations. These greatly enhance the ability of Mirantis to support you in a timely manner.

You can locate the existing Clouds associated with your account by using the Clouds tab at the top of the portal home page. Navigate to the appropriate Cloud and click on the Cloud name. Once you have verified that the Cloud represents the correct MKE cluster and support entitlement, you can create a new case via the New Case button near the top of the Cloud page.

One of the key items required for technical support of most MKE cases is the support bundle. This is a compressed archive in ZIP format of configuration data and log files from the cluster. There are several ways to gather a support bundle, each described in the paragraphs below. After you obtain a support bundle, you can upload the bundle to your new technical support case by following the instructions in the Mirantis knowledge base, using the Detail view of your case.

Obtain a full-cluster support bundle using the MKE web UI¶

Log in to the MKE web UI as an administrator.
In the left-side nagivation panel, navigate to <user name> and click Support Bundle.

It may take several minutes for the download to complete.

Note

The default name for the generated support bundle file is docker-support-<cluster-id>-YYYYmmdd-hh_mm_ss.zip. Mirantis suggests that you not alter the file name before submittal to the customer portal. However, if necessary, you can add a custom string between docker-support and <cluster-id>, as in: docker-support-MyProductionCluster-<cluster-id>-YYYYmmdd-hh_mm_ss.zip.
Submit the support bundle to Mirantis by clicking Share support bundle on the success prompt that displays when the support bundle finishes downloading.

Note

Mirantis uses the support bundles you submit for product improvement purposes. Be aware, though that these submissions are not sent directly to the Mirantis Customer Support team that is assigned to the particular issue.
Fill in the Jira feedback dialog, and click Submit.

Obtain a single-node support bundle using the CLI¶

Use SSH to log into a node and run:

MKE_VERSION=$((docker container inspect ucp-proxy \
--format '{{index .Config.Labels "com.docker.ucp.version"}}' \
2>/dev/null || echo -n 3.7.1)|tr -d [[:space:]])

docker container run --rm \
  --name ucp \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --log-driver none \
  mirantis/ucp:${MKE_VERSION} \
  support > \
  docker-support-${HOSTNAME}-$(date +%Y%m%d-%H_%M_%S).tgz

Important

If SELinux is enabled, include the following additional flag: --security-opt label=disable.

Note

The CLI-derived support bundle only contains logs for the node on which you are running the command. If your MKE cluster is highly available, collect support bundles from all manager nodes.

Add the --submit option to the support command to submit the support bundle to Mirantis Customer Support. The support bundle will be sent, along with the following information:
- Cluster ID
- MKE version
- MCR version
- OS/architecture
- Cluster size
Note

Mirantis uses the support bundles you submit for product improvement purposes. Be aware, though that these submissions are not sent directly to the Mirantis Customer Support team that is assigned to the particular issue.

For more information on the support command, refer to mke-cli-support.

Use PowerShell to obtain a support bundle¶

Run the following command on Windows worker nodes to collect the support information and automatically place it in a zip file:

$MKE_SUPPORT_DIR = Join-Path -Path (Get-Location) -ChildPath 'dsinfo'
$MKE_SUPPORT_ARCHIVE = Join-Path -Path (Get-Location) -ChildPath $('docker-support-' + (hostname) + '-' + (Get-Date -UFormat "%Y%m%d-%H_%M_%S") + '.zip')
$MKE_PROXY_CONTAINER = & docker container ls --filter "name=ucp-proxy" --format "{{.Image}}"
$MKE_REPO = if ($MKE_PROXY_CONTAINER) { ($MKE_PROXY_CONTAINER -split '/')[0] } else { 'mirantis' }
$MKE_VERSION = if ($MKE_PROXY_CONTAINER) { ($MKE_PROXY_CONTAINER -split ':')[1] } else { '3.6.0' }
docker container run --name windowssupport `
-e UTILITY_CONTAINER="$MKE_REPO/ucp-containerd-shim-process-win:$MKE_VERSION" `
-v \\.\pipe\docker_engine:\\.\pipe\docker_engine `
-v \\.\pipe\containerd-containerd:\\.\pipe\containerd-containerd `
-v 'C:\Windows\system32\winevt\logs:C:\eventlogs:ro' `
-v 'C:\Windows\Temp:C:\wintemp:ro' $MKE_REPO/ucp-dsinfo-win:$MKE_VERSION
docker cp windowssupport:'C:\dsinfo' .
docker rm -f windowssupport
Compress-Archive -Path $MKE_SUPPORT_DIR -DestinationPath $MKE_SUPPORT_ARCHIVE

Release Notes¶

Important

The version numbering scheme for Mirantis Container Runtime 20.10 is independent and dissimilar from that in use by the upstream Moby and Docker CLI projects. As such, Mirantis recommends that users consult the MCR 20.10 patch release notes to determine Mirantis-specific changes and improvements.

Considerations

In developing MCR 20.10.x, Mirantis has been transitioning from legacy Docker Hub-issued licenses to JWT licenses, as detailed below:
- Versions 20.10.0 to 20.10.6: Docker Hub licenses and JWT licenses
- Versions 20.10.7 and later: JWT licenses only
Using a JWT license with an MKE instance that manages MCR causes the engine to log error messages in the daemon log file, though MCR does not fail. This applies to MKE 3.4.x versions prior to 3.4.6 and MKE 3.3.x versions prior to 3.3.13.
CentOS 8 entered EOL status as of 31-December-2021. For this reason, Mirantis no longer supports CentOS 8 for all versions of MCR. We encourage customers who are using CentOS 8 to migrate onto any one of the supported operating systems, as further bug fixes will not be forthcoming. Refer to the MCR 20.10 Compatibility Matrix for more information.

MCR 20.10.21 current

Patch release for MCR 20.10 introducing the following updates:

Updated containerd to version 1.6.25-rc.1.
Updated Golang to version 1.20.10m1.

Learn more

MCR 20.10.20

Patch release for MCR 20.10 introducing the following updates:

Updated containerd to version 1.6.22.
Updated Golang to version 1.19.12.

Learn more

MCR 20.10.19

Patch release for MCR 20.10 introducing the following updates:

Updated containerd to version 1.6.22.
CVE fixes.

Learn more

MCR 20.10.18

Patch release for MCR 20.10 introducing the following updates:

Updated Fipster (Go runtime) to version go1.19.10m1.
Updated Docker Buildx to version 0.10.5.
Updated containerd to version 1.6.21.
Updated cri-dockerd to version 0.3.4.
CVE fixes.

Learn more

MCR 20.10.17

Patch release for MCR 20.10 introducing the following key features:

Updated Fipster (Go runtime) to version go1.19.8m1.
Updated containerd to version 1.6.20.
CVE fixes.

Learn more

MCR 20.10.16

Patch release for MCR 20.10 introducing the following key features:

Updated Fipster (Go runtime) to version go1.19.7m3.
Updated Docker Buildx to version 0.10.4.
Updated containerd to version 1.6.19.
Updated cri-dockerd to version 0.3.1.
CVE fixes.

Learn more

MCR 20.10.15

Patch release for MCR 20.10 introducing the following key features:

Updated Golang to version 1.18.10.
Updated docker buildx to version 0.10.0.
Added support for Oracle Linux 8.

Learn more

MCR 20.10.14

Patch release for MCR 20.10 introducing the following key features:

Updated Golang to version 1.18.7.

Learn more

MCR 20.10.13

Patch release for MCR 20.10 introducing the following key features:

Updated Golang to version 1.17.13.
Added support for Windows Server 2022.

Learn more

MCR 20.10.12

Patch release for MCR 20.10 introducing the following key features:

Updated containerd to 1.6.6.
Added rootless mode for many Linux distributions.
Updated docker buildx to version 0.8.2.

Learn more

MCR 20.10.11

Patch release for MCR 20.10 introducing the following key features:

Updated the etcd dependency to prevent the daemon from incorrectly holding file locks.
Support added for Rocky Linux 8.
Updated the Golang runtime to Go version 1.16.15.

Learn more

MCR 20.10.10

Patch release for MCR 20.10 introducing the following key features:

Updated docker buildx to version 0.7.1.
Updated the Golang runtime to Go version 1.16.13.

Learn more

MCR 20.10.9

Patch release for MCR 20.10 introducing the following key features:

Created parent directories inside a chroot during docker cp to prevent a specially-crafted container from changing permissions of existing files in the host filesystem.
Locked down file permissions to prevent unprivileged users from discovering and executing programs in /var/lib/docker.
Added support for clone3 syscall in the default seccomp policy, to support running containers based on recent versions of Ubuntu.

Learn more

MCR 20.10.8

Patch release for MCR 20.10 introducing the following key feature:

MCR now prints a warning when using the --platform option to pull a single-arch image that does not match the specified architecture.

Learn more

MCR 20.10.7

Patch release for MCR 20.10 introducing the following key feature:

MCR now accepts only JWT licenses. To upgrade MCR, customers using a Docker Hub-issued license must first replace it with the new license version.

Learn more

MCR 20.10.6

Patch release for MCR 20.10 introducing the following key features:

Suppressed warnings for deprecated cgroups.
The docker CLI now ignores SIGURG signals, and thus no longer sends them to containers on Linux.
Updated BuildKit to version 0.8.3-3-g244e8cde.

Learn more

MCR 20.10.5

Patch release for MCR 20.10 introducing the following key feature:

Added a technical preview for cri-docker (previously known as dockershim).

Learn more

MCR 20.10.4

Patch release for MCR 20.10 introducing the following key feature:

MCR confirms that AppArmor and SELinux profiles are applied when building with BuildKit.

Learn more

MCR 20.10.0

Patch release for MCR 20.10 introducing the following key features:

Support for cgroups v2 which limits process resource usage (such as CPU, memory, and disk). MCR uses cgroups in conjunction with Linux namespaces to isolate processes inside containers.
Support for using docker logs to read container logs, regardless of the configured logging driver or plugin.
Support for Ubuntu 20.04.
CLI improvements.

Learn more

20.10.21¶

(2023-11-20)

Components¶

Component	Version
Mirantis Container Runtime	20.10.21
Moby	20.10.27
containerd	1.6.25-rc.1
runc	1.1.9
cri-dockerd	0.3.7
buildx	0.12.0-rc1
Golang runtime	go1.20.10m1
buildkit	0.8.4-0.20221020190723-eeb7b65ab7d6
rootlesskit	0.14.4

Daemon¶

moby/moby#46704 Atomically
fixed an issue wherein images failed to pull when interrupted by a power cut.
Fixed an issue that pertained to the enablement of FIPS for swarm.

Security¶

Resolved CVE-2023-39325
Resolved CVE-2023-44487
Deny containers access to /sys/devices/virtual/powercap by default, a change that hardens against CVE-2020-8694, CVE-2020-8695, CVE-2020-12912, and an attack known as the PLATYPUS attack.

For more detail, refer to https://github.com/moby/moby/commit/81ebe71275768629689a23bc3bca34b3b374a6a6.

Networking¶

moby/moby#46693 Fixed the deadlock between getSvcRecords and processEndpointDelete.

Packaging¶

Updated Golang to version 1.20.10m1

20.10.20¶

(2023-09-26)

Components¶

Component	Version
Mirantis Container Runtime	20.10.20
Moby	20.10.26
containerd	1.6.22
runc	1.1.8
cri-dockerd	0.3.4
buildx	0.10.5
Golang runtime	1.19.12m1
buildkit	0.8.4-0.20221020190723-eeb7b65ab7d6
rootlesskit	0.1.0

Packaging¶

Updated Golang to version 1.19.12:
- Resolved CVE-2023-29409
- Security fix: `net/http: insufficient sanitization of Host header <https://github.com/golang/go/issues/60374>’__

20.10.19¶

(2023-08-16)

Components¶

Component	Version
Mirantis Container Runtime	20.10.19
Moby	20.10.25
containerd	1.6.22
runc	1.1.8
cri-dockerd	0.3.4
buildx	0.10.5
Golang runtime	1.19.10m1
buildkit	0.8.4-0.20221020190723-eeb7b65ab7d6
rootlesskit	0.14.4

Packaging¶

Updated containerd to version 1.6.22 to resolve the following vulnerabilities:
- CVE-2022-32149
- CVE-2022-41721

20.10.18¶

(2023-07-13)

Components¶

Component	Version
Mirantis Container Runtime	20.10.18
containerd	1.6.21
runc	1.1.7
cri-dockerd	0.3.4
buildx	0.10.5
Golang runtime	1.19.10m1
buildkit	0.8.4-0.20221020190723-eeb7b65ab7d6
rootlesskit	0.14.4

Daemon¶

Fixed the AppArmor profile docker-default /proc/sys rule (moby/moby#45716).
Fixed an issue wherein the use of buildkit typed errors support, as well as support for other gRPC services, was not assured (moby/moby#42329).

Packaging¶

Updated containerd to version 1.6.21.
Updated Fipster (Go runtime) to version 1.19.10m1.
- Security fixes for the following CVEs: CVE-2023-29402, CVE-2023-29403, CVE-2023-29404, and CVE-2023-29405.
- Fixed an issue wherein Windows containerd.exe and ctr.exe were not Mirantis code signed.

20.10.17¶

(2023-05-16)

Components¶

Component	Version
Mirantis Container Runtime	20.10.17
containerd	1.6.20
runc	1.1.4
cri-dockerd	0.3.1
buildx	0.10.4
Golang runtime	1.19.8m1
buildkit	0.8.3-31.gc0149372
rootlesskit	0.14.4

Daemon¶

Fixed a log loss with the AWSLogs log driver (moby/moby#45349).
Fixed a panic in libnetwork that occurred during daemon startup (moby/libnetwork/#2677).

Packaging¶

Updated containerd to version 1.6.20.
Updated Fipster (Go runtime) to version 1.19.8m1.
- Security fixes for the following CVEs: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538.
- Early backport of Go CL 478660 to solve a regression related to RLIMIT_NOFILE.

20.10.16¶

(2023-04-04)

Components¶

Component	Version
Mirantis Container Runtime	20.10.16
containerd	1.6.19
runc	1.1.4
cri-dockerd	0.3.1
buildx	0.10.4
Golang runtime	1.19.7m3
buildkit	0.8.3-31.gc0149372
rootlesskit	0.14.4

Security¶

Fixed a number of issues that can cause Swarm encrypted overlay networks to fail to uphold their guarantees, addressing CVE-2023-28841, CVE-2023-28840, and CVE-2023-28842.
- A lack of kernel support for encrypted overlay networks now reports as an error.
- Encrypted overlay networks are eagerly set up, rather than waiting for multiple nodes to attach.
- Encrypted overlay networks are now usable on Red Hat Enterprise Linux 9 through the use of the xt_bpf kernel module.
Users of Swarm overlay networks should review GHSA-vwm3-crmr-xfxw to ensure that unintentional exposure has not occurred. In addition, you can consult Mirantis KB000009856 for temporary mitigation instructions.

Packaging¶

Updated Fipster (Go runtime) to version go1.19.7m3.
- Fixes for Go CVEs: CVE-2022-41724, CVE-2022-41723, CVE-2022-41725, CVE-2022-41722, and CVE-2023-24532.
- Fixes for FIPS module CVEs: CVE-2023-0286, CVE-2023-0215, and CVE-2022-4304.
- Early backport of Go CL 478660 to solve a regression related to RLIMIT_NOFILE.
Updated containerd to version 1.6.19.
Updated Docker Buildx to v0.10.4.
Updated cri-dockerd to 0.3.1.

20.10.15¶

(2023-02-16)

Components¶

Component	Version
Mirantis Container Runtime	20.10.15
containerd	1.6.15
runc	1.1.4
cri-dockerd	0.3.0
buildx	0.10.0
Golang runtime	1.18.10
buildkit	0.8.3-31.gc0149372
rootlesskit	0.14.4

Removal¶

Removal of registry-cli plugin.
Removal of docker app plugin.

Daemon¶

Improved the error message that results from attempting to pull an unsupported image format or OCI artifact (moby/moby#44413), (moby/moby#44569).
Fixed an invalid standard handle identifier panic that occurs when registering MCR as a service from a legacy CLI on Windows (moby/moby#44326).
Fixed an issue wherein Windows builds would hang whenever MCR invoked Git for Windows with a remote Git build context. (moby/moby#44332).

Networking¶

Fixed an issue wherein the ephemeral port range for the host was ignored when selecting random ports for containers (moby/moby#44476).

Builder¶

Fixed an issue wherein a docker build would fail when using --add-host=host.docker.internal:host-gateway with BuildKit enabled (moby/moby#44650).
Fixed ssh: parse error in message type 27 errors that would occur during docker build commands run on hosts using OpenSSH 8.9 or later (moby/moby#3862).

Client¶

Removed experimental gate for the --platform option in bash completion (docker/cli#3824).

Packaging¶

Added support for Oracle Linux 8.
Updated Golang runtime to version 1.18.10.
Updated Docker Buildx to v0.10.0.
Updated cri-dockerd to 0.3.0.

20.10.14¶

(2022-11-17)

Components¶

Component	Version
Mirantis Container Runtime	20.10.14
containerd	1.6.9
runc	1.1.4
cri-dockerd	0.2.3
buildx	0.9.1
Golang runtime	1.18.7
registry-cli plugin	0.1.0-rc2 (deprecated)
buildkit	0.8.3-31.gc0149372
rootlesskit	0.14.4
docker app plugin	0.9.1-beta3 (deprecated)

Deprecation¶

Deprecated support for the registry-cli plugin.
Deprecated support for the docker app plugin.

Important

Mirantis will remove deprecated components in a future MCR release.

Daemon¶

Fixed a bug wherein the use of docker volume prune removed volumes that were still in use if the daemon was running with “live restore” and was restarted (moby/moby#44238).
Updated handling of image:tag@digest references. When pulling an image using image:tag@digest (“pull by digest”), image resolution occurs through the content-addressable digest and the image and tag are not used. While expected, this can lead to confusing behavior, and can also potentially be exploited through social engineering to run an image that is already present in the local image store. MCR now checks whether the digest matches the repository name that is used to pull the image.
Fixed a security vulnerability related to supplementary group permissions that can allow a container process to bypass primary group restrictions within the container CVE-2022-36109, GHSA-rc4r-wh2q-q6c4.
Added support to seccomp for Landlock syscalls in the default policy (moby/moby#43991).
Updated the default seccomp policy to support new syscalls that were introduced in kernel 5.12 - 5.16 (moby/moby#43991).
Fixed an issue wherein cache lookup for image manifests failed, which resulted in a redundant roundtrip to the image registry (moby/moby#44109).
Fixed an issue wherein exec processes and healthchecks were not terminated once they timed out (moby/moby#44018).

Client¶

Added mitigation for CVE-2022-39253 when using the classic Builder with a Git URL as the build context.

Builder¶

Updated handling of image:tag@digest references. Refer to the Daemon section of these release notes for details.
Added mitigation to the classic Builder and updated BuildKit to v0.8. 3-31-gc0149372, for CVE-2022-39253.
Fixed an issue that can result in a panic during docker builder prune or docker system prune (moby/moby#44122).
Fixed an issue where file capabilities were not preserved during build (moby/moby#43876).
Fixed an issue that can result in a panic caused by a concurrent map read and map write (moby/moby#44067).

Packaging¶

Updated Golang to version 1.18.7, which resolves CVE-2022-2879, CVE-2022-2280, and CVE-2022-41715.
Updated containerd to version 1.6.9.
Added support for RHEL 9, and Rocky 9.
Updated Docker Buildx to v0.9.1.

20.10.13¶

(2022-08-11)

Components¶

Component	Version
Mirantis Container Runtime	20.10.13
containerd	1.6.6
runc	1.1.2
cri-docker	0.2.3
buildx	0.8.2
Golang runtime	1.17.13
registry-cli	0.1.0-rc2
buildkit	0.8.3-4
rootlesskit	0.14.4
docker app	0.9.1-beta3

Builder¶

Fixed an issue wherein Dockerfiles with a VOLUME statement broke named pipes (FIELD-4917) (moby/moby#43584).

Networking¶

Fixed a Windows port conflict by installing MSFT KB5015880 (FIELD-4218) (moby/moby#43644).

Packaging¶

Updated Golang to version 1.17.13, which resolves CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-30633, CVE-2022-28131, CVE-2022-30635, CVE-2022-30632, CVE-2022-30630, CVE-2022-1962, and CVE-2022-32189.
Added support for Windows Server 2022.

20.10.12¶

(2022-06-21)

Components¶

Component	Version
Mirantis Container Runtime	20.10.12
containerd	1.6.6
runc	1.1.2

Client¶

Updated the sys module - golang.org/x/sys - pkg.go.dev dependency, which serves to fix CVE-2022-29526.

Daemon¶

Deployed an RWMutex for stateCounter, to prevent potential locking congestion (moby/moby#43426).
Fixed an issue wherein the daemon was unable to locate an available IP range under certain conditions (moby/moby#43360).
Fixed an issue where docker stats was showing empty stats when running with containerd 1.5.0 or later (moby/moby#43567).
Updated the golang.org/x/sys build-time dependency, which serves to fix CVE-2022-29526.
Added support to reload the content-trust setting in /etc/docker/daemon.json through the use of the systemctl reload docker command (FIELD-4665).

Swarm¶

Fixed an issue wherein the Interlock proxy config size was reaching and attempting to exceed the swarm-config-size limitation (FIELD-4709) (moby/moby#43356).

Networking¶

Fixed an application performance issue with VIP endpoint (FIELD-3942) (FIELD-4867) (moby/moby#43683).
Fixed an issue wherein UDP ports were not available for five minutes following a container stoppage or crash in swarm service VIP endpoint mode (FIELD-4882).

Packaging¶

Updated containerd to 1.6.6, to address CVE-2022-31030.
Updated buildx to 0.8.2
Updated Golang runtime to 1.17.11, which fixes CVE-2022-30634, CVE-2022-30629, CVE-2022-30580, and CVE-2022-29804.
Removed support for SLES15 SP1 and SLES15 SP2.
Added rootless mode for the following Linux distributions:
- RHEL 7.9
- RHEL 8.4
- CentOS 7.9
- Rocky 8.5
- SLES15 SP3
- Ubuntu 18.04.x
- Ubuntu 20.04.x LTS
MCR does not support rootless mode for Oracle Linux 7 and SLES 12 (ENGINE-538).

Known issues¶

A Windows port conflict on the daemon side requires a pending upstream fix on the Windows side (hostnetsvc.dll) (FIELD-4218) (moby/moby#43644).

20.10.11¶

(2022-04-05)

Components¶

Component	Version
Mirantis Container Runtime	20.10.11
containerd	1.5.11
runc	1.0.3

Runtime¶

Fixed a race condition that occurs when you update the container state (moby/moby#43166).
Updated the etcd dependency to prevent the daemon from incorrectly holding file locks (moby/moby#43259).
Fixed detection of user namespaces that occurs when configuring the default net.ipv4. ping_group_range sysctl (moby/moby#43084).

Distribution¶

MCR now retries downloading image-manifests if a connection failure occurs during image pull (moby/moby#43333).

Logging¶

MCR now prevents an OOM from occuring when using the local logging driver with containers that produce a large amount of log messages (moby/moby#43165).
MCR now updates the fluentd log driver, to prevent a potential daemon crash and to prevent containers from hanging when using the fluentd-async-connect=true while the remote server is unreachable (moby/moby#43147).

Packaging¶

Fixed an install.p1 issue pertaining to errors that occurred when using offline mode (FIELD-4602).
Updated containerd to version 1.5.11 to address CVE-2022-23648 and CVE-2022-24769).
Support added for Rocky Linux 8.
Removed the docker cluster plugin.
Updated the Golang runtime to Go version 1.16.15.

20.10.10¶

(2022-02-10)

Components¶

Component	Version
Mirantis Container Runtime	20.10.10
containerd	1.5.9
runc	1.0.3

Packaging¶

Updated docker buildx to version 0.7.1.
Updated containerd to version 1.5.9 to address CVE-2021-43816.
Addressed an issue wherein the default run of install.ps1 did not install the numerical lower version of docker and containerd (FIELD-4533).
Updated the Golang runtime to Go version 1.16.13.

Known issues¶

The removal of the ipa SELinux module from the base system configuration of Red Hat Enterprise Linux 8.4 stripped container_exec_t processes inside containers of their ability to read pidfile-labeled files, including conttainer_var_run_t.

Workaround:

Workflows that rely on bind mounting the Docker socket in a container running on RHEL 8.4 or later should mount the socket with --security-opt=disable or an SELinux mount option, such as Z.

20.10.9¶

(2021-12-21)

Components¶

Component	Version
Mirantis Container Runtime	20.10.9
containerd	1.5.8
runc	1.0.2

Swarm¶

Fixed an issue wherein updating a service did not roll back on failure (moby/moby#42875).

Runtime¶

Created parent directories inside a chroot during docker cp to prevent a specially-crafted container from changing permissions of existing files in the host filesystem. This fix resolves CVE-2021-41089.
Locked down file permissions to prevent unprivileged users from discovering and executing programs in /var/lib/docker, to resolve CVE-2021-41091.
Added support for clone3 syscall in the default seccomp policy, to support running containers based on recent versions of Ubuntu (moby/moby/#42836.
Windows: Updated hcsshim library to fix a bug in sparse file handling of container layers, which was exposed by recent changes in Windows (moby/moby#42944.
Fixed a number of situations wherein docker stop could hang and never resolve (moby/moby#42956).
Fixed a FIPS mode memory leak issue that arose in MCR 20.10.8 (FIELD-4523, ENGINE-539, ENGINE-543).

Client¶

Ensured default auth config has address field set, to prevent credentials from being sent to the default registry, to resolve CVE-2021-41092.

Builder¶

Fixed platform-matching logic to repair docker build not finding images in the local image cache on Arm machines when using BuildKit (moby/moby#42954).

Windows¶

Fixed an issue wherein the panic.log file only had the read-only attribute set (moby/moby#42987).

Packaging¶

Updated containerd to version 1.5.8 to resolve CVE-2021-41190.
Updated the Golang runtime to Go version 1.16.10.

20.10.8¶

(2021-10-28)

Components¶

Component	Version
Mirantis Container Runtime	20.10.8
containerd	1.5.8 (from 2021-11-23) 1.5.7 (prior to 2021-11-23)
runc	1.0.2

Component

Version

Mirantis Container Runtime

20.10.8

containerd

1.5.8 (from 2021-11-23)

1.5.7 (prior to 2021-11-23)

runc

1.0.2

Deprecation¶

Deprecated support for encrypted TLS private keys. Legacy PEM encryption (as specified in RFC 1423) is insecure by design. Because legacy PEM encryption does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can allow an attacker to recover the plaintext (docker/cli#3219).
Deprecated Kubernetes stack support (docker/cli#3174).

Runtime¶

MCR now prints a warning when using the --platform option to pull a single-arch image that does not match the specified architecture (moby/moby#42633).
Fixed an issue wherein the following incorrect warning displayed when running cgroups v2:
```
Your kernel does not support swap memory limit.
```
moby/moby#42479
Fixed an issue with MCR on Windows wherein containers were not stopped if HcsShutdownComputeSystem returned an ERROR_PROC_NOT_FOUND error (moby/moby#42613).
Fixed an issue wherein using a JWT license with an MKE instance that manages MCR caused MCR to log error messages (FIELD-4201).
Fixed an issue wherein the docker info and docker version commands did not properly display the MCR license information on nodes that do not belong to a swarm (FIELD-4180).

Client¶

Fixed an issue with MCR on Windows wherein the following incorrect error displayed when trying to call term.StdStreams():
```
Invalid standard handle identifier
```
docker/cli#3132

Packaging¶

Updated containerd to version 1.5.7 to resolve CVE-2021-41103.
Updated the Golang runtime to Go version 1.16.7.
Updated the FIPS library with certificate number 3993.
Updated the bundled buildx version to 0.6.1 for RPM and DEB packages.

20.10.7¶

(2021-08-19)

Components¶

Component	Version
Mirantis Container Runtime	20.10.7
containerd	1.4.8 (prior to 2021-09-13) 1.5.5 (from 2021-09-13)
runc	1.0.0 (prior to 2021-09-13) 1.0.1 (from 2021-09-13)

Component

Version

Mirantis Container Runtime

20.10.7

containerd

1.4.8 (prior to 2021-09-13)

1.5.5 (from 2021-09-13)

runc

1.0.0 (prior to 2021-09-13)

1.0.1 (from 2021-09-13)

Swarm¶

Fixed a SwarmKit bug in the log broker that caused the cluster to stop functioning at times (FIELD-3764).

Runtime¶

MCR now accepts only JWT licenses. To upgrade MCR, customers using a Docker Hub-issued license must first replace it with the new license version (ENGINE-486).

To request a JWT license, contact support@mirantis.com.

Packaging¶

Resolved CVE-2021-32760 by updating containerd to version 1.4.8.

Deprecation notes¶

In correlation with the End of Life date for MKE 3.2.x and MSR 2.7.x, Mirantis stopped maintaining the associated documentation set on 2021-07-21.

20.10.6¶

(2021-06-29)

Components¶

Component	Version
Mirantis Container Runtime	20.10.6
containerd	1.4.6
runc	1.0.0-rc95

Client¶

Suppressed warnings for deprecated cgroups (docker/cli#3099).
The docker CLI now ignores SIGURG signals, and thus no longer sends them to containers on Linux. Starting with version 1.14, the Go runtime uses SIGURG signals internally as an interrupt to support preemptable syscalls. docker CLI previously forwarded these signals to the containers it was attached to (docker/cli#3107, moby/moby#42421).

Builder¶

Updated BuildKit to version 0.8.3-3-g244e8cde (moby/moby#42448).
- Transformed relative mountpoints for exec mounts in the executor to work around a breaking change in runc version 1.0.0-rc94 and higher (moby/buildkit#2137).
- Added retry on push 5xx errors (moby/buildkit#2043).
- Fixed an issue wherein renaming a file copied using a COPY command with a wildcard did not invalidate the build-cache. This change invalidates existing build caches for copy commands that use a wildcard (moby/buildkit#2018).
- Fixed an issue wherein the use of mounts did not invalidate the build-cache (moby/buildkit#2076).
Fixed an issue wherein MCR did not cache the FROM image when using legacy schema 1 images, resulting in build failures (moby/moby#42382).

Networking¶

Updated libnetwork to fix publishing ports on environments with the kernel boot parameter ipv6.disable=1 and a deadlock that caused internal DNS lookups to fail (moby/moby#42413).
Fixed an issue wherein overlapping IP addresses could occur due to nodes failing to clean up their old load balancer IP addresses (FIELD-3915).

Logging¶

Updated the hcsshim SDK to make daemon logs on Windows less verbose (moby/moby#42292).

Packaging¶

Updated containerd to version 1.4.6 and runc to version 1.0.0-rc95 to address CVE-2021-30465 (ENGINE-482).

20.10.5¶

(2021-05-17)

Components¶

Component	Version
Mirantis Container Runtime	20.10.5
containerd	1.4.4
runc	1.0.0-rc92

Packaging¶

Added a technical preview for cri-docker (previously known as dockershim).
Fixed an issue wherein killing containerd caused systemd to stop docker.

Client¶

Reverted docker/cli#2960 to stop hanging in docker start --attach and removed spurious Unsupported signal: <nil>. Discarding messages (docker/cli#2987).

Builder¶

Fixed an issue wherein the classic builder was silently ignoring unsupported Dockerfile options. It now prompts the user to enable BuildKit instead (moby/moby#42197).

Logging¶

Fixed sporadic and unexpected EOF errors in json-file handling (moby/moby#42174).

Networking¶

Fixed a regression that caused IPv6 addresses not to be bound by default when mapping ports (moby/moby#42205).
Fixed implicit IPv6 port-mappings not included in the API response. Prior to version 20.10.0, while published ports were accessible through both IPv4 and IPv6 by default, the API only included information about the IPv4 (0.0.0.0) mapping (moby/moby#42205).
Fixed a regression wherein the docker-proxy did not terminate in all cases (moby/moby#42205).
Fixed an issue wherein iptables forwarding rules were not cleaned up when containers were removed (moby/moby#42205).
Fixed an issue wherein swarm service VIPs timed out from Windows containers, resulting in the following error in dockerd event logs:
```
Failed to add ILB policy for service service […] failed during
hnsCallRawResponse: hnsCall failed in Win32: The specified port already
exists.
```
The Windows Operating System update KB4577668 introduced the issue on October 13, 2020, affecting all versions of MCR (FIELD-3310).

Known issues¶

Centos and RHEL 7.x kernels may experience memory exhaustion due to slab cache usage. Because this is a kernel feature, the issue cannot be resolved with MCR code.

Workarounds:
- (Recommended) Update to a kernel that supports setting cgroups.memory=nokmem and apply the change (for customers using Centos or RHEL 7.7 and above).
- Increase the memory available to the machine for slab usage.
(FIELD-3466)

20.10.4¶

(2021-04-12)

Components¶

Component	Version
Mirantis Container Runtime	20.10.4
containerd	1.4.4
runc	1.0.0-rc92

Security¶

Resolved CVE-2021-21285, thereby preventing invalid images from crashing the Docker daemon (ENGINE-438).
Resolved CVE-2021-21284, thereby preventing a remapped root from accessing the Docker state by locking down file permissions (ENGINE-438).
MCR now confirms that AppArmor and SELinux profiles are applied when building with BuildKit (ENGINE-438).
Resolved CVE-2021-21334, and in the process updated containerd to version 1.4.4 (ENGINE-438).
Updated syscall list to Linux 5.11 in the seccomp profile (moby/moby#41971).

Builder¶

Fixed the incorrect cache match for inline cache import with empty layers (moby/moby#42061).
Updated BuildKit to version 0.8.2 (moby/moby#42061).
- Avoids error caching on token fetch in resolver.
- Fixed checksum to contain indexes of inputs in fileop, thus preventing certain cache misses.
- Fixed reference count issues on typed errors with mount references, addressing invalid mutable ref errors.
- Set token only for main remote access, thereby allowing submodule cloning with different credentials.
Ensures blobs are deleted after pull in /var/lib/docker/buildkit/content/blobs/sha256. Run builder prune to clean up old state (moby/moby#42065).
Fixed parallel pull synchronization regression (moby/moby#42049).
Ensures libnetwork state files do not leak (moby/moby#41972).

Client¶

Customers who use MCR with Kubernetes directly (without using MKE) need to enable the cri-docker plugin in MCR beginning with Kubernetes version 1.23 (planned for late 2021), at which point Kubernetes will no longer maintain dockershim (MKE-8126).

Learn more

cri-docker
Fixed an issue wherein docker login resulted in a panic if no config file was present (docker/cli#2959).
Fixed an issue wherein MCR erroneously displayed the warning: WARNING: Error loading config file: .dockercfg: $HOME is not defined (docker/cli#2958).

Runtime¶

Silenced docker info warnings that cannot be addressed (moby/moby#41958).
Avoids creating parent directories for XGlobalHeader (moby/moby#42017)>
Uses 0755 permissions when creating missing directories (moby/moby#42017).
Falls back to manifest list when no platform matches in the image config (moby/moby#42045 and moby/moby#41873).
Fixed an issue wherein the daemon panicked when an admin specified a custom default runtime (moby/moby#41974).
Fixed an issue wherein an empty daemon configuration caused a panic (moby/moby#41976).
Fixed an issue wherein the daemon panicked when starting a container with an invalid device cgroup rule (moby/moby#42001).
Fixed an issue wherein the userns-remap option did not work when the username and UID matched (moby/moby#42013).

Logger¶

Honors label-regex config even if labels is not set (moby/moby#42046).
Handles long log messages correctly, preventing awslogs in non-blocking mode to split events larger than 16 KB (mobymoby#41975).

Swarm¶

Fixed an issue wherein custom Docker heartbeat periods reverted back to the default setting on restart. Thus, previously stalled tasks will no longer be stuck in a pending state (FIELD-3563, moby/moby#42060).
Fixed an issue wherein MCR ignored --update-order and --rollback-order flags (docker/cli#2963).
Fixed an issue wherein docker service rollback sometimes returned a non-zero exit code (docker/cli#2964).
Fixed an issue wherein the direction of the progress bar rendered inconsistently on docker service rollback (docker/cli#2964).

20.10.0¶

(2021-03-11)

Components¶

Component	Version
Mirantis Container Runtime	20.10.0
containerd	1.4.3
runc	1.0.0-rc92

What’s new¶

Added support for cgroups v2 which limits process resource usage (such as CPU, memory, and disk). MCR uses cgroups in conjunction with Linux namespaces to isolate processes inside containers. As a result, rootless is now a fully supported feature.
Added support for using docker logs to read container logs, regardless of the configured logging driver or plugin. Previously, docker logs did not support the use of many third party logging drivers, and this led to log data gathering issues.

Learn more

Refer to the Docker documentation, Configure logging drivers.
Added support for Ubuntu 20.04.
Added several CLI improvements. Along with the removal of some older and mostly unused commands, various new commands and flags have been added that make it easier to get started and to script using MCR:
- docker push has been modified to align the default behavior with docker pull. Pushing an image name without a tag now pushes only the :latest rather than all tags, and -a/all-tags can now be used to push all the tags of an image.
- The --pull flag has been added to the docker run and docker create commands, affording greater control over when users pull images. The option is tristate, offering missing (default), always, and late settings.
- The -env-file flag has been added to docker exec, allowing use with a file that contains environment variables and subsequent printing or use of any of the variables inside the file.
Learn more

For a complete list of the CLI improvements, refer to the Docker release notes.

Deprecated features¶

Making docker pull requests against non-compliant registries that do not support pull-by-digest now results in a warning and deprecation notice (docker/cli#2872).
Unauthenticated TCP access now results in a more severe warning and deprecation notice (moby/moby#41285).
KernelMemory (docker run --kernel-memory) is deprecated (moby/moby#41254 and docker/cli#2652).
The aufs storage driver is deprecated (docker/cli#1484).
The --cluster-advertise, --cluster-store, and --cluster-store-opt flags are deprecated from the dockerd CLI (moby/moby#40614 and moby/moby#40510).
The legacy Dockerfile ENV name value syntax is deprecated. Use ENV name=value instead (docker/cli#2743).
The previously deprecated filter parameter has been removed for API v1.41 and up (moby/moby#40491).
The distribution manifest v2 schema 1 is now disabled on push (moby/moby#41295).
The MalformedHostHeaderOverride hack has been removed, causing CLI v1.12 and earlier to break. Affected users should upgrade to a more recent client version or set the DOCKER_API_VERSION environment variable to the needed API version (moby/moby#39076).
The docker engine subcommands have been removed (docker/cli#2207).
The top-level docker deploy command and .dab (“Docker Application Bundle”) file format have both been removed in favor of using docker stack deploy with compose files (docker/cli#2216).
The docker search --automated and docker search --stars flags have been removed in favor of using their docker search --filter equivalents (docker/cli#2338).
Use of reserved namespaces in engine labels is deprecated (docker/cli#2326).

Deprecation notes¶

Taking into account continuous reorganization and enhancement of Mirantis Container Runtime (MCR), certain components are deprecated and eventually removed from the product. Such deprecations for MCR 20.10.x include:

Deprecated support for the registry-cli plugin.
Deprecated support for the docker app plugin.
Deprecated support for encrypted TLS private keys.
Kubernetes stack support is deprecated.
In correlation with the End of Life date for MKE 3.2.x and MSR 2.7.x, Mirantis stopped maintaining the associated documentation set on 2021-07-21.
Initiating docker pull requests against non-compliant registries that do not support pull-by-digest is deprecated.
KernelMemory (docker run --kernel-memory) is deprecated.
The aufs storage driver is deprecated.
The --cluster-advertisea, --cluster-store, and --cluster-store-opt flags are deprecated from the dockerd CLI.
The legacy Dockerfile ENV name value syntax is deprecated. Use ENV name=value instead.
The distribution manifest v2 schema 1 is now disabled on push.
The MalformedHostHeaderOverride hack has been removed, causing CLI v1.12 and earlier to break.
The docker engine subcommands have been removed.
The top-level docker deploy command and .dab (“Docker Application Bundle”) file format have both been removed in favor of using docker stack deploy with compose files.
The docker search --automated and docker search --stars flags have been removed in favor of using their docker search --filter equivalents.
Use of reserved namespaces in engine labels is deprecated.

Release Compatibility Matrix¶

MCR 20.10 Compatibility Matrix¶

Mirantis Container Runtime (MCR) enables containers to run efficiently on any substrate, powering business critical applications at leading companies worldwide.

Mirantis validates MCR for the operating system environments specified here, adhering to the MKE, MSR, and MCR Maintenance Lifecycle. Support for MCR is defined in the Mirantis Cloud Native Platform Subscription Services agreement.

Note

MCR 20.10.17 is the final 20.10.x version to support Ubuntu 18.04.x, as standard LTS support for the distribution ended on 2023-May-31.
MKE 3.5.x and 3.4.x do not support Windows Server 2022.
OS distributed versions not listed in the following matrix are not supported under Standard Support Subscriptions. For such versions, contact your Mirantis rep to discuss support options.

Caution

CentOS 8 entered EOL status as of 31-December-2021. For this reason, Mirantis no longer supports CentOS 8 for all versions of MCR. We encourage customers who are using CentOS 8 to migrate onto any one of the supported operating systems, as further bug fixes will not be forthcoming.

MCR	Max. supported Client API	Platform	Versions
20.10.21	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	8.6, 7.9, 7.8
		RHEL	8.8, 8.7, 8.6, 8.5, 7.9, 7.8
		Rocky Linux	8.8, 8.7, 8.6, 8.5
		SLES	15 SP5, 15 SP4 12 SP5
		Ubuntu	20.04.6, 20.04.5, 20.04.4 2, 20.04.3, 20.04.2, 20.04.1, 20.04,
		Microsoft Windows Enterprise Server	2022, 2019, 2016 3 4
20.10.20	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	8.6, 7.9, 7.8
		RHEL	8.8, 8.7, 8.6, 8.5, 7.9, 7.8
		Rocky Linux	8.8, 8.7, 8.6, 8.5
		SLES	15 SP4, 12 SP5
		Ubuntu	20.04.6, 20.04.5, 20.04.4 2, 20.04.3, 20.04.2, 20.04.1, 20.04,
		Microsoft Windows Enterprise Server	2022, 2019, 2016 3 4
20.10.19	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	8.6, 7.9, 7.8
		RHEL	8.8, 8.7, 8.6, 8.5, 7.9, 7.8
		Rocky Linux	8.8, 8.7, 8.6, 8.5
		SLES	15 SP4, 12 SP5
		Ubuntu	20.04.6, 20.04.5, 20.04.4 2, 20.04.3, 20.04.2, 20.04.1, 20.04,
		Microsoft Windows Enterprise Server	2022, 2019, 2016 3 4
20.10.18	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	8.6, 7.9, 7.8
		RHEL	8.8, 8.7, 8.6, 8.5, 7.9, 7.8
		Rocky Linux	8.8, 8.7, 8.6, 8.5
		SLES	15 SP4, 12 SP5
		Ubuntu	20.04.6, 20.04.5, 20.04.4 2, 20.04.3, 20.04.2, 20.04.1, 20.04,
		Microsoft Windows Enterprise Server	2022, 2019, 2016 3 4
20.10.17	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	8.6, 7.9, 7.8
		RHEL	8.8, 8.7, 8.6, 8.4 7.9, 7.8
		Rocky Linux	8.7 8.6, 8.5
		SLES	15 SP4, 12 SP5
		Ubuntu	20.04.6, 20.04.5, 20.04.4 2, 20.04.3, 20.04.2, 20.04.1, 20.04, 18.04.6, 18.04.5, 18.04.4, 18.04.3, 18.04.2, 18.04.1, 18.04
		Microsoft Windows Enterprise Server	2022, 2019, 2016 3 4
20.10.16	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	8.6, 7.9, 7.8
		RHEL	8.8, 8.7, 8.6, 8.4 7.9, 7.8
		Rocky Linux	8.7, 8.6, 8.5
		SLES	15 SP4, 12 SP5
		Ubuntu	20.04.6, 20.04.5, 20.04.4 2, 20.04.3, 20.04.2, 20.04.1, 20.04, 18.04.6, 18.04.5, 18.04.4, 18.04.3, 18.04.2, 18.04.1, 18.04
		Microsoft Windows Enterprise Server	2022, 2019, 2016 3 4
20.10.15	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	8.6, 7.9, 7.8
		RHEL	8.8, 8.7, 8.6, 8.4 7.9, 7.8
		Rocky Linux	8.7, 8.6, 8.5
		SLES	15 SP4, 12 SP5
		Ubuntu	20.04.5, 20.04.4 2, 20.04.3, 20.04.2, 20.04.1, 20.04, 18.04.6, 18.04.5, 18.04.4, 18.04.3, 18.04.2, 18.04.1, 18.04
		Microsoft Windows Enterprise Server	2022, 2019, 2016 3 4
20.10.14	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	7.9, 7.8
		RHEL	8.8, 8.7, 8.6, 7.9, 7.8
		Rocky Linux	8.6, 8.5
		SLES	15 SP4, 15 SP3 12 SP5
		Ubuntu	20.04.5, 20.04.4 2, 20.04.3, 20.04.2, 20.04.1, 20.04, 18.04.6, 18.04.5, 18.04.4, 18.04.3, 18.04.2, 18.04.1, 18.04
		Microsoft Windows Enterprise Server	2022, 2019, 2016 3 4
20.10.13	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	7.9, 7.8
		RHEL	8.6, 8.5, 8.4, 7.9, 7.8
		Rocky Linux	8.6, 8.5
		SLES	15 SP3, 12 SP5
		Ubuntu	20.04.4 2, 20.04.3, 20.04.2, 20.04.1, 20.04, 18.04.6, 18.04.5, 18.04.4, 18.04.3, 18.04.2, 18.04.1, 18.04
		Microsoft Windows Enterprise Server	2022, 2019, 2016 3 4
20.10.12	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	7.9, 7.8
		RHEL	8.6, 8.5, 8.4, 7.9, 7.8
		Rocky Linux	8.6, 8.5
		SLES	15 SP3, 12 SP5
		Ubuntu	20.04.4 2, 20.04.3, 20.04.2, 20.04.1, 20.04, 18.04.6, 18.04.5, 18.04.4, 18.04.3, 18.04.2, 18.04.1, 18.04
		Microsoft Windows Enterprise Server	2019
20.10.11	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	7.9, 7.8
		RHEL	8.4, 8.2, 7.9, 7.8
		Rocky Linux	8.5
		SLES	15 SP3, 12 SP5
		Ubuntu	20.04.4 2, 20.04.3, 20.04.2, 20.04.1, 20.04, 18.04.6, 18.04.5, 18.04.4, 18.04.3, 18.04.2, 18.04.1, 18.04
		Microsoft Windows Enterprise Server	2019
20.10.10	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	7.9, 7.8
		RHEL	8.4, 8.2, 7.9, 7.8
		SLES	15 SP3, 12 SP5
		Ubuntu	20.04.3, 18.04.6
		Microsoft Windows Enterprise Server	2019
20.10.9	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	7.9, 7.8
		RHEL	8.4, 8.2, 8.1, 7.9, 7.8
		SLES	15 SP3, 15 SP2, 12 SP5
		Ubuntu	20.04.3, 18.04.6
		Microsoft Windows Enterprise Server	2019
20.10.8	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	7.9, 7.8
		RHEL	8.4, 8.2, 8.1, 7.9, 7.8
		SLES	15 SP3, 15 SP2, 12 SP5
		Ubuntu	20.04.3, 18.04.6
		Microsoft Windows Enterprise Server	2019
20.10.7	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	7.9, 7.8
		RHEL	8.4, 8.2, 8.1, 7.9, 7.8
		SLES	15 SP3, 15 SP2, 12 SP5
		Ubuntu	20.04.3, 18.04.6
		Microsoft Windows Enterprise Server	2019
20.10.6	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	7.9, 7.8
		RHEL	8.4, 8.2, 8.1, 7.9, 7.8
		SLES	15 SP3, 15 SP2, 12 SP5
		Ubuntu	20.04.3, 18.04.6
		Microsoft Windows Enterprise Server	2019
20.10.5	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	7.9, 7.8
		RHEL	8.3, 8.2, 8.1, 7.9, 7.8
		SLES	15 SP3, 15 SP2, 12 SP5
		Ubuntu	20.04.2, 18.04.4
		Microsoft Windows Enterprise Server	2019
20.10.4	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	7.9, 7.8
		RHEL	8.3, 8.2, 8.1, 7.9, 7.8
		SLES	15 SP3, 15 SP2, 12 SP5
		Ubuntu	20.04.2, 18.04.4
		Microsoft Windows Enterprise Server	2019
20.10.0	1.41	CentOS	7.9.2009, 7.8.2003
		Oracle Linux 1	7.9, 7.8
		RHEL	8.3, 8.2, 8.1, 7.9, 7.8
		SLES	15 SP3, 15 SP2, 12 SP5
		Ubuntu	20.04.2, 18.04.4
		Microsoft Windows Enterprise Server	2019

1(1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19): Regarding the Oracle Linux kernel, only Red Hat Compatibile Kernel (RHCK) 3.10.x is supported. Unbreakable Enterprise Kernel (UEK) is not supported.
2(1,2,3,4,5,6,7,8,9,10,11): A known critical issue is present in the 5.13.0-1028-aws and 5.13.0-1029-aws kernels of the Ubuntu AMIs on AWS. The issue was resolved in the 5.13.0-1030-aws kernel. If you are an AWS user, refer to Docker container creation causes kernel oops on linux-aws 5.13.0.1028.31~20.04.22 and Docker container ports cannot be allocated, otherwise check with your cloud provider.
3(1,2,3,4,5,6,7,8,9): Windows Server 2016 does not support routing mesh, the support for which began with Windows Server version 1709. For details, refer to the Microsoft blog post, Docker’s routing mesh available with Windows Server version 1709.
4(1,2,3,4,5,6,7,8,9): MKE is not supported on Windows Server 2016.

MKE, MSR, and MCR Maintenance Lifecycle¶

The MKE, MSR, and MCR platform subscription provides software, support, and certification to enterprise development and IT teams that build and manage critical apps in production at scale. It provides a trusted platform for all apps which supply integrated management and security across the app lifecycle, comprised primarily of Mirantis Kubernetes Engine, Mirantis Secure Registry (MSR), and Mirantis Container Runtime (MCR).

Mirantis validates the MKE, MSR, and MCR platform for the operating system environments specified in the mcr-23.0-compatibility-matrix, adhering to the Maintenance Lifecycle detailed here. Support for the MKE, MSR, and MCR platform is defined in the Mirantis Cloud Native Platform Subscription Services agreement.

Detailed here are all currently supported product versions, as well as the product versions most recently deprecated. It can be assumed that all earlier product versions are at End of Life (EOL).

Important Definitions

“Major Releases” (X.y.z): Vehicles for delivering major and minor feature development and enhancements to existing features. They incorporate all applicable Error corrections made in prior Major Releases, Minor Releases, and Maintenance Releases.
“Minor Releases” (x.Y.z): Vehicles for delivering minor feature developments, enhancements to existing features, and defect corrections. They incorporate all applicable Error corrections made in prior Minor Releases, and Maintenance Releases.
“Maintenance Releases” (x.y.Z): Vehicles for delivering Error corrections that are severely affecting a number of customers and cannot wait for the next major or minor release. They incorporate all applicable defect corrections made in prior Maintenance Releases.
“End of Life” (EOL): Versions are no longer supported by Mirantis, updating to a later version is recommended.

Support lifecycle¶
GA to 12 months	12 to 18 months	18 to 24 months
Full support	Full support ¹	Limited Support for existing installations ²

¹ Software patches for critical bugs and security issues only; no feature enablement.

² Software patches for critical security issues only.

Mirantis Kubernetes Engine (MKE)¶

	3.6.z	3.7.z
General Availability (GA)	2022-OCT-13 (3.6.0)	2023-AUG-30 (3.7.0)
End of Life (EOL)	2024-OCT-13	2025-AUG-29
Release frequency	x.y.Z every 6 weeks	x.y.Z every 6 weeks
Patch release content	As needed: Maintenance releases Security patches Custom hotfixes	As needed: Maintenance releases Security patches Custom hotfixes
Supported lifespan	2 years ¹	2 years ¹

¹ Refer to the Support lifecycle table for details.

EOL MKE Versions¶

MKE Version	EOL date
2.0.z	2017-AUG-16
2.1.z	2018-FEB-07
2.2.z	2019-NOV-01
3.0.z	2020-APR-16
3.1.z	2020-NOV-06
3.2.z	2021-JUL-21
3.3.z	2022-MAY-27
3.4.z	2023-APR-11
3.5.z	2023-NOV-22

Mirantis Secure Registry (MSR)¶

	2.9.z	3.0.z	3.1.z
General Availability (GA)	2021-APR-12 (2.9.0)	2021-DEC-21 (3.0.0)	2023-SEP-28 (3.1.0)
End of Life (EOL)	2024-OCT-13	2024-APR-20	2025-SEP-27
Release frequency	x.y.Z every 6 weeks	x.y.Z every 6 weeks	x.y.Z every 6 weeks
Patch release content	As needed: Maintenance releases Security patches Custom hotfixes	As needed: Maintenance releases Security patches Custom hotfixes	As needed: Maintenance releases Security patches Custom hotfixes
Supported lifespan	2 years ¹	2 years ¹	2 years ¹

¹ Refer to the Support lifecycle table for details.

EOL MSR Versions¶

MSR Version	EOL date
2.1.z	2017-AUG-16
2.2.z	2018-FEB-07
2.3.z	2019-FEB-15
2.4.z	2019-NOV-01
2.5.z	2020-APR-16
2.6.z	2020-NOV-06
2.7.z	2021-JUL-21
2.8.z	2022-MAY-27

Mirantis Container Runtime (MCR)¶

	Enterprise 23.0
General Availability (GA)	2023-FEB-23 (23.0.1)
End of Life (EOL)	2025-JUNE-04
Release frequency	x.y.Z every 6 weeks
Patch release content	As needed: Maintenance releases Security patches Custom hotfixes
Supported lifespan	2 years ¹

¹ Refer to the Support lifecycle table for details.

EOL MCR Versions¶

MCR Version	EOL date
CSE 1.11.z	2017-MAR-02
CSE 1.12.z	2017-NOV-14
CSE 1.13.z	2018-FEB-07
EE 17.03.z	2018-MAR-01
Docker Engine - Enterprise v17.06	2020-APR-16
Docker Engine - Enterprise 18.03	2020-JUN-16
Docker Engine - Enterprise 18.09	2020-NOV-06
Docker Engine - Enterprise 19.03	2021-JUL-21
MCR 19.03.8+	2022-MAY-27
MCR 20.10.0+	2023-DEC-10

Release Cadence and Support Lifecycle¶

With the intent of improving the customer experience, Mirantis strives to offer maintenance releases for the Mirantis Container Runtime (MCR) software every six to eight weeks. Primarily, these maintenance releases will aim to resolve known issues and issues reported by customers, quash CVEs, and reduce technical debt. The version of each MCR maintenance release is reflected in the third digit position of the version number (as an example, for MCR 20.10 the most current maintenance release is MCR 20.10.20).

Regarding major releases, MCR is dependent on Docker Engine major releases upstream. Following such a release, the Mirantis support lifespan of the resulting major version of MCR will adhere to our legacy two year standard

End of Life Date

The End of Life (EOL) date for MCR 20.10 is 2023-DEC-10.

For more information on MCR version lifecycles, refer to the MKE, MSR, and MCR Maintenance Lifecycle.

The MCR team will make every effort to hold to the release cadence stated here. Customers should be aware, though, that development and release cycles can change, and without advance notice.

Technology Preview features¶

A Technology Preview feature provides early access to upcoming product innovations, allowing customers to experiment with the functionality and provide feedback.

Technology Preview features may be privately or publicly available and neither are intended for production use. While Mirantis will provide assistance with such features through official channels, normal Service Level Agreements do not apply.

As Mirantis considers making future iterations of Technology Preview features generally available, we will do our best to resolve any issues that customers experience when using these features.

During the development of a Technology Preview feature, additional components may become available to the public for evaluation. Mirantis cannot guarantee the stability of such features. As a result, if you are using Technology Preview features, you may not be able to seamlessly upgrade to subsequent product releases.

Mirantis makes no guarantees that Technology Preview features will graduate to generally available features.

QuickStart: MCR on Ubuntu¶

Use this QuickStart guide to quickly deploy Mirantis Container Runtime (MCR) to Ubuntu systems from the repository.

Introduction¶

MCR installations includes the following components:

MCR engine
MCR CLI
containerd
runc

After installing MCR, you will be able to:

Use Dockerfiles to build and run images as containers.
Share images using Docker Hub.
Run applications using Docker Compose.

The following diagram illustrates the workflow for installing MCR on Ubuntu:

Set up the repository¶

To install MCR using the Mirantis repository you must first set up the repository on the host machine.

Note

MCR only supports x86_64/amd64.

Update the apt package index:
```
sudo apt-get update
```

Install packages that allow apt to use a repository over HTTPS:

sudo apt-get install \
  apt-transport-https \
  ca-certificates \
  curl \
  software-properties-common

Store https://repos.mirantis.com in an environment variable:
```
DOCKER_EE_URL="https://repos.mirantis.com"
```
Add a $DOCKER_EE_VERSION variable into your environment.
```
DOCKER_EE_VERSION=<mcr-version>
```

Add Docker’s official GPG key:

curl -fsSL "${DOCKER_EE_URL}/ubuntu/gpg" | sudo apt-key add -

Verify that you now have the key with the fingerprint DD91 1E99 5A64 A202 E859 07D6 BC14 F10B 6D08 5F96 by searching for the last eight characters of the fingerprint:

sudo apt-key fingerprint 6D085F96

pub   4096R/0EBFCD88 2017-02-22
      Key fingerprint = DD91 1E99 5A64 A202 E859  07D6 BC14 F10B 6D08 5F96
uid                  Docker Release (EE deb) <docker@docker.com>
sub   4096R/6D085F96 2017-02-22

Use the following command to set up the stable repository:

sudo add-apt-repository \
  "deb [arch=$(dpkg --print-architecture)] $DOCKER_EE_URL/ubuntu \
  $(lsb_release -cs) \
  stable-$DOCKER_EE_VERSION"

Install MCR¶

Install the latest version of MCR and containerd:

sudo apt-get install docker-ee docker-ee-cli containerd.io

Note

To install a specific version of MCR:

sudo apt-get install docker-ee=<VERSION_STRING> docker-ee-cli=<VERSION_STRING> containerd.io

Start Docker:
```
sudo systemctl start docker
```

Verify that you installed MCR correctly:

sudo docker run hello-world

This command downloads a test image and runs it in a container. If successful, the command prints the following informational message and exits:

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Install the license¶

An MCR license gives the user access to Mirantis Support. You can complete this guide and start using MCR right away, and install the license later.

To install the MCR license:

Purchase an MCR subscription or contact Mirantis for more information.
Follow the link to download your MCR license file found in the confirmation email you received after purchasing MCR from the Mirantis web store. If you cannot access your confirmation email, contact Mirantis.
Copy the file to the data root directory and name it docker.lic. The default data root directory is /var/lib/docker.
Restart MCR:
```
sudo systemctl restart docker
```
Verify the installation:
```
sudo docker info | grep -i license
```

What’s next¶

Refer to Install Mirantis Container Runtime for Ubuntu to learn about these additional installation topics:
- Install from a Debian package
- Upgrade Mirantis Container Runtime
- Uninstall Mirantis Container Runtime (including old versions)
Begin using Docker Hub to find and share images.
Install Mirantis Kubernetes Engine (MKE) and Mirantis Secure Registry (MSR).
Learn about all the components of Mirantis Cloud Native Platform.

QuickStart: MCR on CentOS¶

Use this QuickStart guide to quickly deploy Mirantis Container Runtime (MCR) to CentOS systems from the repository.

Introduction¶

MCR installations includes the following components:

MCR engine
MCR CLI
containerd
runc

After installing MCR, you will be able to:

Use Dockerfiles to build and run images as containers.
Share images using Docker Hub.
Run applications using Docker Compose.

The following diagram illustrates the workflow for installing MCR on CentoOS:

Set up the repository¶

You only need to set up the repository once, after which you can install MCR from the repository and upgrade as needed. MCR supports the latest version of CentOS 64-bit running on x86_64.

Note

MCR supports the overlay2 storage drivers on CentOS. The following limitations apply:

If you enable selinux, MCR supports overlay2 on CentoOS 7.4 and higher.
If you disable selinux, MCR supports overlay2 on CentOS 7.2 and higher, with kernel version 3.10.0-693 and higher.

Remove any existing Docker repositories from /etc/yum.repos.d/:
```
sudo rm /etc/yum.repos.d/docker*.repo
```
Store https://repos.mirantis.com in an environment variable:
```
export DOCKERURL="https://repos.mirantis.com"
```

Store the value of DOCKERURL using a yum variable in /etc/yum/vars/:

sudo -E sh -c \
'echo "$DOCKERURL/centos" > /etc/yum/vars/dockerurl'

Store your operating system version string in /etc/yum/vars/dockerosversion:
```
sudo sh -c 'echo "<version>" > /etc/yum/vars/dockerosversion'
```
Install the yum-utils that provides the yum-config-manager utility:
```
sudo yum install -y yum-utils
```

Enable the extras RHEL repository to ensure access to the container-selinux package that docker-ee requires:

All architectures except IBM Power

sudo yum-config-manager --enable rhel-7-server-extras-rpms

IBM Power only (little-endian)

sudo yum-config-manager --enable extras
sudo subscription-manager repos \
--enable=rhel-7-for-power-le-extras-rpms
sudo yum makecache fast
sudo yum -y install container-selinux

AWS and Azure require that you enable another repository:

AWS

sudo yum install -y rh-amazon-rhui-client
sudo yum-config-manager --enable rhui-REGION-rhel-server-extras

Note that REGION is a literal. It does not represent the region your machine is running in.

Azure

sudo yum-config-manager --enable rhui-rhel-7-server-rhui-extras-rpms

Add the stable MCR repository:

sudo -E yum-config-manager \
--add-repo "$DOCKERURL/centos/docker-ee.repo"

Install MCR¶

Install the latest version of MCR and containerd:
```
sudo yum -y install docker-ee docker-ee-cli containerd.io
```
If prompted to accept the GPG key, verify that the fingerprint matches 77FE DA13 1A83 1D29 A418 D3E8 99E5 FF2E 7668 2BC9 and accept it.
Note

To install a specific version of MCR:
1. Download the three packages required for the desired MCR version from https://repos.mirantis.com/rhel/8/x86_64/stable-20.10/Packages/.
2. Run the following command to complete the MCR installation.
  sudo yum -y install docker-ee-<version-string> \ docker-ee-cli-<version-string> containerd.io
Start Docker:
```
sudo systemctl start docker
```

Verify that you installed MCR correctly:

sudo docker run hello-world

This command downloads a test image and runs it in a container. If successful, it prints the following informational message and exits:

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Install the license¶

An MCR license gives the user access to Mirantis Support. You can complete this guide and start using MCR right away, and install the license later.

To install the MCR license:

Purchase an MCR subscription or contact Mirantis for more information.
Follow the link to download your MCR license file found in the confirmation email you received after purchasing MCR from the Mirantis web store. If you cannot access your confirmation email, contact Mirantis.
Copy the file to the data root directory and name it docker.lic. The default data root directory is /var/lib/docker.
Restart MCR:
```
sudo systemctl restart docker
```
Verify the installation:
```
sudo docker info | grep -i license
```

What’s next¶

Refer to Install Mirantis Container Runtime for CentOS to learn about these additional installation topics:
- Install with a package
- Upgrade with a package
- Uninstall Mirantis Container Runtime (including old versions)
Begin using Docker Hub to find and share images.
Install Mirantis Kubernetes Engine (MKE) and Mirantis Secure Registry (MSR).
Learn about all the components of Mirantis Cloud Native Platform.

QuickStart: MCR on Oracle Linux¶

Use this QuickStart guide to quickly deploy Mirantis Container Runtime (MCR) to Oracle Linux systems from the repository.

Note

The documentation herein applies only to Oracle Linux 7. Mirantis does not support Oracle 8.

Introduction¶

MCR installations includes the following components:

MCR engine
MCR CLI
containerd
runc

After installing MCR, you will be able to:

Use Dockerfiles to build and run images as containers.
Share images using Docker Hub.
Run applications using Docker Compose.

The following diagram illustrates the workflow for installing MCR on Oracle Linux:

Set up the repository¶

Note

The documentation herein applies only to Oracle Linux 7. Mirantis does not support Oracle 8.

You only need to set up the repository once, after which you can install MCR from the repository and upgrade as needed.

MCR supports Oracle Linux 64-bit version 7.8 or later and Red Hat Compatible Kernel (RHCK) version 3.10.0-1127 or later.

Note

Mirantis recommends using fast storage, such as solid-state media.

Remove any existing Docker repositories from /etc/yum.repos.d/:
```
sudo rm /etc/yum.repos.d/docker*.repo
```
Store https://repos.mirantis.com in an environment variable:
```
export DOCKERURL="https://repos.mirantis.com"
```

Store the value of DOCKERURL using a yum variable in /etc/yum/vars/:

sudo -E sh -c \
'echo "$DOCKERURL/oraclelinux" > /etc/yum/vars/dockerurl'

Install yum-utils to get the yum-config-manager utility:
```
sudo yum install -y yum-utils
```
Enable the Oracle ol7_addons repository to ensure that you have access to the container-selinux package that docker-ee requires:
```
sudo yum-config-manager --enable ol7_addons
```

Add the stable MCR repository:

sudo -E yum-config-manager \
--add-repo \
"$DOCKERURL/oraclelinux/docker-ee.repo"

Install MCR¶

Note

The documentation herein applies only to Oracle Linux 7. Mirantis does not support Oracle 8.

Install the latest version of MCR and containerd:
```
sudo yum -y install docker-ee docker-ee-cli containerd.io
```
If prompted to accept the GPG key, verify that the fingerprint matches 77FE DA13 1A83 1D29 A418 D3E8 99E5 FF2E 7668 2BC9 and accept it.
Note

To install a specific version of MCR:
1. Download the three packages required for the desired MCR version from https://repos.mirantis.com/oraclelinux/7/x86_64/stable-20.10/Packages/.
2. Run the following command to complete the MCR installation.
  sudo yum -y install docker-ee-<version-string> \ docker-ee-cli-<version-string> containerd.io
Start Docker:
```
sudo systemctl start docker
```

Verify that you installed MCR correctly:

sudo docker run hello-world

This command downloads a test image and runs it in a container. If successful, it prints the following informational message and exits:

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Install the license¶

An MCR license gives the user access to Mirantis Support. You can complete this guide and start using MCR right away, and install the license later.

To install the MCR license:

Purchase an MCR subscription or contact Mirantis for more information.
Follow the link to download your MCR license file found in the confirmation email you received after purchasing MCR from the Mirantis web store. If you cannot access your confirmation email, contact Mirantis.
Copy the file to the data root directory and name it docker.lic. The default data root directory is /var/lib/docker.
Restart MCR:
```
sudo systemctl restart docker
```
Verify the installation:
```
sudo docker info | grep -i license
```

What’s next¶

Refer to Install Mirantis Container Runtime for Oracle Linux to learn about these additional installation topics:
Begin using Docker Hub to find and share images
Install Mirantis Kubernetes Engine (MKE) and Mirantis Secure Registry (MSR)
Learn about other components of Mirantis Cloud Native Platform

QuickStart: MCR on RHEL¶

Use this QuickStart guide to quickly deploy Mirantis Container Runtime (MCR) to Red Hat Enterprise Linux (RHEL) systems from the repository.

Introduction¶

MCR installations includes the following components:

MCR engine
MCR CLI
containerd
runc

After installing MCR, you will be able to:

Use Dockerfiles to build and run images as containers.
Share images using Docker Hub.
Run applications using Docker Compose.

The following diagram illustrates the workflow for installing MCR on RHEL:

Set up the repository¶

You only need to set up the repository once, after which you can install MCR from the repository and upgrade as needed. MCR supports RHEL 64-bit version 7.4 and higher running on x86_64.

Note

MCR supports the overlay2 storage drivers on RHEL. The following limitations apply:

If you enable selinux, MCR supports overlay2 on RHEL 7.4 and higher (OverlayFS).
If you disable selinux, MCR supports overlay2 on RHEL 7.2 and higher, with kernel version 3.10.0-693 and higher.

Set up the repository for RHEL 7
Set up the repository for RHEL 8

Set up the repository for RHEL 7¶

Remove existing Docker repositories from /etc/yum.repos.d/:
```
sudo rm /etc/yum.repos.d/docker*.repo
```
Store https://repos.mirantis.com in an environment variable:
```
export DOCKERURL="https://repos.mirantis.com"
```

Store the value of DOCKERURL using a yum variable in /etc/yum/vars/:

sudo -E sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'

Store your OS version string in /etc/yum/vars/dockerosversion. Use 7 or include the minor version starting with 7.2:
```
sudo sh -c 'echo "<version>" > /etc/yum/vars/dockerosversion'
```
Install the yum-utils that provides the yum-config-manager utility:
```
sudo yum install -y yum-utils
```

Enable the extras RHEL repository to ensure access to the container-selinux package that docker-ee requires:

All architectures except IBM Power

sudo yum-config-manager --enable rhel-7-server-extras-rpms

IBM Power only (little-endian)

sudo yum-config-manager --enable extras
sudo subscription-manager repos \
--enable=rhel-7-for-power-le-extras-rpms
sudo yum makecache fast
sudo yum -y install container-selinux

Enable another repository for AWS and Azure:

AWS

sudo yum-config-manager --enable rhel-7-server-rhui-extras-rpms

Azure

sudo yum-config-manager --enable rhui-rhel-7-server-rhui-extras-rpms

Add the stable MCR repository:

sudo -E yum-config-manager \
--add-repo \
"$DOCKERURL/rhel/docker-ee.repo"

Set up the repository for RHEL 8¶

Remove existing Docker repositories from /etc/yum.repos.d/:
```
sudo rm /etc/yum.repos.d/docker*.repo
```
Store https://repos.mirantis.com in an environment variable.
```
export DOCKERURL="https://repos.mirantis.com"
```

Store the value of DOCKERURL using a yum variable in /etc/yum/vars/:

sudo -E sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'

Store your OS version string in /etc/yum/vars/dockerosversion. Use 8:
```
sudo sh -c 'echo "<version>" > /etc/yum/vars/dockerosversion'
```
Install the yum-utils that provides the yum-config-manager utility:
```
sudo yum install -y yum-utils
```

Add the stable MCR repository:

sudo -E yum-config-manager \
--add-repo \
"$DOCKERURL/rhel/docker-ee.repo"

Install MCR¶

Install the latest version of MCR and containerd:
```
sudo yum -y install docker-ee docker-ee-cli containerd.io
```
If prompted to accept the GPG key, verify that the fingerprint matches 77FE DA13 1A83 1D29 A418 D3E8 99E5 FF2E 7668 2BC9 and accept it.
Note

To install a specific version of MCR:
1. Download the three packages required for the desired MCR version from https://repos.mirantis.com/rhel/8/x86_64/stable-20.10/Packages/.
2. Run the following command to complete the MCR installation.
  sudo yum -y install docker-ee-<version-string> \ docker-ee-cli-<version-string> containerd.io
Start Docker:
```
sudo systemctl start docker
```

Verify that you installed MCR correctly:

sudo docker run hello-world

This command downloads a test image and runs it in a container. If successful, it prints the following informational message and exits:

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Install the license¶

An MCR license gives the user access to Mirantis Support. You can complete this guide and start using MCR right away, and install the license later.

To install the MCR license:

Purchase an MCR subscription or contact Mirantis for more information.
Follow the link to download your MCR license file found in the confirmation email you received after purchasing MCR from the Mirantis web store. If you cannot access your confirmation email, contact Mirantis.
Copy the file to the data root directory and name it docker.lic. The default data root directory is /var/lib/docker.
Restart MCR:
```
sudo systemctl restart docker
```
Verify the installation:
```
sudo docker info | grep -i license
```

What’s next¶

Refer to Install Mirantis Container Runtime for Red Hat Enterprise Linux to learn about these additional installation topics:
- FIPS 140-2-support
- Install with a package
- Upgrade from the repository
- Upgrade with a package
- Uninstall Mirantis Container Runtime
Begin using Docker Hub to find and share images
Install Mirantis Kubernetes Engine (MKE) and Mirantis Secure Registry (MSR).
Learn about other components of Mirantis Cloud Native Platform.

AWS (where `REGION` is a literal and does not represent the region your machine is running in)	Product Documentation for Red Hat Update Infrastructure 4.
Azure	Red Hat Update Infrastructure for on-demand Red Hat Enterprise Linux VMs in Azure

MCR 20.10.12 and later	Requires the addition of the `docker-ee-rootless-extras` package. sudo yum -y install docker-ee docker-ee-cli \ docker-ee-rootless-extras containerd.io Note MCR nodes in rootless mode cannot currently be a member of an MKE cluster.
MCR 20.10.11 and before	sudo yum -y install docker-ee docker-ee-cli containerd.io

MCR 20.10.12 and later	Requires the addition of the `docker-ee-rootless-extras` package. sudo yum -y install docker-ee docker-ee-cli \ docker-ee-rootless-extras containerd.io Note MCR nodes in rootless mode cannot currently be a member of an MKE cluster.
MCR 20.10.11 and before	sudo yum -y install docker-ee docker-ee-cli containerd.io

MCR 20.10.12 and later, on SLES15	Requires the addition of the `docker-ee-rootless-extras` package. sudo yum -y install docker-ee docker-ee-cli \ docker-ee-rootless-extras containerd.io Note MCR nodes in rootless mode cannot currently be a member of an MKE cluster.
MCR 20.10.11 and prior on SLES15, and for all MCR versions on SLES12	sudo yum -y install docker-ee docker-ee-cli containerd.io

MCR 20.10.12 and later, on SLES15	Requires the addition of the `docker-ee-rootless-extras` package. sudo zypper install docker-ee-<VERSION_STRING> \ docker-ee-cli-<VERSION_STRING> \ docker-ee-rootless-extras-<VERSION_STRING> containerd.io Note MCR nodes in rootless mode cannot currently be a member of an MKE cluster.
MCR 20.10.11 and prior on SLES15, and for all MCR versions on SLES12	sudo zypper install docker-ee-<VERSION_STRING> \ docker-ee-cli-<VERSION_STRING> containerd.io

Introduction¶

Product Overview¶

Reference Architecture¶

Storage driver compatibility¶

Deployment Guide¶

Install the license¶

Install MCR on Linux distros¶

Install Mirantis Container Runtime for CentOS¶

Prerequisites¶

Architectures and storage drivers¶

Uninstall old Docker versions¶

Repo install and upgrade¶

Set up the repository¶

Install from the repository¶

Package install and upgrade¶

Install with a package¶

Upgrade with a package¶

Enable MCR Telemetry¶

Run MCR as a non-root user (Rootless mode)¶

Uninstall Mirantis Container Runtime¶

Install Mirantis Container Runtime for Oracle Linux¶

Prerequisites¶

Architectures and storage drivers¶

FIPS 140-2 cryptographic module support¶

Disabling FIPS 140-2¶

Uninstall old Docker versions¶

Repo install and upgrade¶

Set up the repository¶

Install from the repository¶

Upgrade from the repository¶

Package install and upgrade¶

Install with a package¶

Upgrade with a package¶

Enable MCR Telemetry¶

Run MCR as a non-root user (Rootless mode)¶

Uninstall Mirantis Container Runtime¶

Install Mirantis Container Runtime for Red Hat Enterprise Linux¶

Prerequisites¶

Architectures and storage drivers¶

FIPS 140-2 cryptographic module support¶

Disabling FIPS 140-2¶

Uninstall old Docker versions¶

Repo install and upgrade¶

Set up the repository¶

Install from the repository¶

Upgrade from the repository¶

Package install and upgrade¶

Install with a package¶

Upgrade with a package¶

Enable MCR Telemetry¶

Run MCR as a non-root user (Rootless mode)¶

Uninstall Mirantis Container Runtime¶

Install Mirantis Container Runtime for SLES¶

Prerequisites¶

OS requirements¶

Uninstall old versions¶

Configure the Btrfs filesystem¶

Install Mirantis Container Runtime¶

Install using the repository¶

Install from a package¶

Enable MCR Telemetry¶

Run MCR as a non-root user (Rootless mode)¶

Uninstall Mirantis Container Runtime¶

Install Mirantis Container Runtime for Ubuntu¶

Prerequisites¶

Uninstall old versions¶

Install Mirantis Container Runtime¶

Install using the repository¶

Install from a Debian package¶

Enable MCR Telemetry¶

Run MCR as a non-root user (Rootless mode)¶

Uninstall Mirantis Container Runtime¶

Install MCR on Windows Servers¶

System requirements¶

Install MCR with an Internet connection¶

FIPS 140-2 cryptographic module support¶

Install MCR offline¶

Install a specific version¶

Update MCR¶

Install script usage¶