This documentation provides information on how to deploy Mirantis Container
Runtime (MCR). The documentation is intended to help operators to understand
the core concepts of the product.
The information provided in this documentation set is being constantly
improved and amended based on the feedback and kind requests from the
consumers of MCR.
Mirantis Container Runtime (MCR) enables you to power your business-critical
applications with the industry-leading enterprise container engine. You can
run containers on any platform with a fully supported and highly secure
container runtime. MCR provides the core functionality and security compliance
needed to enable your container orchestration solution of choice with
certified proven support for both Kubernetes and Swarm. The most common
use cases include:
Container orchestration solution
Organisations often have unique container orchestration requirements and may
choose to utilise alternative systems to manage their containers. MCR provides
freedom to select the best orchestration solution for your needs whilst still
ensuring you have a secure, trusted, and supported container runtime to run
your mission-critical workloads.
Secure and validated containers
The challenges in ensuring that the software supply chain is secure does not
stop at the container orchestration solution. The key part of securing your
container solution is ensuring that only validated and trusted containers
can be deployed and run. MCR combined with Mirantis Secure Registry (MSR)
gives you the ability to validate and sign your container images to ensure
that only approved images can be run in your environment.
Secure validated encryption
Regulated industries need to meet federal regulations to ensure that
appropriate levels of encryption are enabled. MCR provides FIPS 140-2
Validated cryptography ensuring that you meet the highest standards
necessary to comply with the federal requirements.
Multiple operating systems and infrastructures
With the drive towards multi-cloud and hybrid cloud, computing organisations
need to support multiple operating systems on multiple platforms. MCR is
certified to run on multiple operating systems, including CentOS, RHEL,
Ubuntu, and Windows, for consistent runtime regardless of the platform.
The MCR Reference Architecture is a work in progress, the intent of which is to
keep MCR users apprised of the technical details that pertain to the
differences between Mirantis Container Runtime and Docker Engine.
overlay2 is the only storage driver supported by MCR
23.0, with the exception of btrfs, which MCR
supports on SLES.
Note
A number of unsupported storage driver options that are available in
MCR 20.10 are unavailable in MCR 23.0, as Mirantis
is moving users away from unsupported configurations.
The vfs storage driver is available in MCR
23.0 for debugging purposes only.
Mirantis Container Runtime (MCR) is a client-server application with these
major components:
A server which is a type of long-running program called a daemon process
(the dockerd command).
A REST API which specifies interfaces that programs can use to talk to the
daemon and instruct it what to do.
A command line interface (CLI) client (the docker command).
MCR can be installed on several Linux distros as well as on Windows.
Note
MCR is derived from the Moby project, an open
framework created by Docker Inc. As such, most of the product commands and
setup instruction are identical to those for Docker Engine.
Users are not authorized to run MCR without a valid license. For more
information, refer to Mirantis Agreements and Terms.
For MCR to recognize your license, you must apply your customer license file
at runtime.
To make MCR aware of your license and entitlement, perform the following for
each node that will host MCR:
Download the license file.
If you purchased a license from the Mirantis Store, the license file is
available through a link in your confirmation email. Otherwise, contact
Mirantis Sales and Support to gain access to the file.
Apply the license file.
Platform
Applying the license
Linux distributions
Determine the location of the data root directory. This
information is available in the daemon.json file associated
with MCR. Alternatively, you can specify the data root directory
using the --data-root flag at MCR start up. Note that
the default data-root directory is /var/lib/docker.
Copy the license file to the data root directory and name it
docker.lic. It is imperative that the license be readable by
the account/user that runs the docker daemon.
Windows servers
Currently, you do not need to apply a license for Windows server
systems, as Mirantis Container Runtime can be run using the
installation script.
Start MCR. If MCR is already running, restart it.
Note
MKE, MSR, and Mirantis Container Cloud have implied MCR licenses.
There are two ways to install and upgrade Mirantis Container Runtime (MCR):
YUM repository: Set up a Docker repository and install Mirantis Container
Runtime from it. This is the recommended approach because installation
and upgrades are managed with YUM and easier to do.
RPM package: Download the RPM package, install it manually, and manage
upgrades manually. This is useful when installing Mirantis Container Runtime
on air-gapped systems with no access to the internet.
The Mirantis Container Runtime package is called docker-ee. Older
versions were called docker or docker-engine. Uninstall all
older versions and associated dependencies. The contents of
/var/lib/docker/ are preserved, including images, containers,
volumes, and networks.
The advantage of using a repository from which to install Mirantis Container
Runtime (or any software) is that it provides a certain level of automation.
RPM-based distributions such as CentOS, use a tool called YUM that work with
your repositories to manage dependencies and provide automatic updates.
The list returned depends on which repositories you enabled, and is
specific to your version of CentOS (indicated by .el7 in this
example).
Install a specific version by its fully qualified package name,
which is the package name (docker-ee) plus the version string
(2nd column) starting at the first colon (:), up to the first
hyphen, separated by a hyphen (-). For example,
docker-ee-23.0.1.
Docker is installed but not started. The docker group is created,
but no users are added to the group.
Start Docker:
sudosystemctlstartdocker
Verify that Mirantis Container Runtime is installed correctly by
running the hello-world image. This command downloads a test
image, runs it in a container, prints an informational message, and
exits:
sudodockerrunhello-world
Mirantis Container Runtime is installed and running. Use sudo to
run Docker commands.
Docker is installed but not started. The docker group is created,
but no users are added to the group.
Start Docker
sudosystemctlstartdocker
Verify that Mirantis Container Runtime is installed correctly by
running the hello-world image. This command downloads a test
image, runs it in a container, prints an informational message, and
exits:
sudodockerrunhello-world
Mirantis Container Runtime is installed and running. Use sudo to
run Docker commands.
By default, MCR automatically records and transmits data to Mirantis for
monitoring and analysis purposes. The data collected provides the Mirantis
Customer Success Organization with information that helps us to better
understand the operational use of MCR by our customers. It also provides key
feedback in the form of product usage statistics, which enable our product
teams to enhance Mirantis products and services.
To disable the telemetry function, set
features.telemetry to false in your /etc/docker/daemon.json file.
Change the setting to true to re-enable telemetry.
{"features":{"telemetry":false}}
Caution
To send the telemetry, verify that dockerd can resolve api.segment.io
and create a TCP (HTTPS) connection on port 443.
Delete all images, containers, and volumes (because these are not
automatically removed from your host):
sudorm-rf/var/lib/docker
Delete other Docker related resources:
sudorm-rf/run/docker
sudorm-rf/etc/docker
Delete any edited configuration files manually.
Install Mirantis Container Runtime for Oracle Linux¶
There are two ways to install and upgrade Mirantis Container Runtime (MCR).
YUM repository: Set up a Docker repository and install Mirantis Container
Runtime from it. This is the recommended approach because installation
and upgrades are managed with YUM and easier to do.
RPM package: Download the RPM package, install it manually, and manage
upgrades manually. This is useful when installing Mirantis Container Runtime
on air-gapped systems with no access to the internet.
With Mirantis Container Runtime license for versions 23.0.x, Mirantis provides
FIPS 140-2 support in Oracle Linux 7.x and 8.x (as per the
MCR 23.0 Compatibility Matrix). This includes a FIPS supported
cryptographic module. If the Oracle Linux implementation already has FIPS
support enabled, FIPS is also automatically enabled in MCR. If FIPS support is
not already enabled in your Oracle Linux implementation, refer to the Oracle
Linux product documentation for enablement instructions.
To verify the FIPS 140-2 module is enabled in the Linux kernel, confirm
the file /proc/sys/crypto/fips_enabled contains 1.
cat/proc/sys/crypto/fips_enabled1
Note
FIPS is only supported in Mirantis Container Runtime.
MKE and MSR currently do not have support for FIPS 140-2.
You can override FIPS 140-2 compliance on a system that is not in FIPS
140-2 mode. Note, this does not change FIPS 140-2 mode on the
system. To override the FIPS 140-2 mode, follow ths steps below.
Create a file called
/etc/systemd/system/docker.service.d/fips-module.conf. Add the
following:
[Service]Environment="DOCKER_FIPS=1"
Reload the Docker configuration to systemd.
sudosystemctldaemon-reload
Restart the Docker service as root.
sudosystemctlrestartdocker
To confirm Docker is running with FIPS 140-2 enabled, run the
dockerinfo command.
If the system has the FIPS 140-2 cryptographic module installed on the
operating system, it is possible to disable FIPS 140-2 compliance.
To disable FIPS 140-2 in Docker but not the operating system, set the
value DOCKER_FIPS=0 in the
/etc/systemd/system/docker.service.d/fips-module.conf.
The Mirantis Container Runtime package is called docker-ee. Older
versions were called docker or docker-engine. Uninstall all
older versions and associated dependencies. The contents of
/var/lib/docker/ are preserved, including images, containers,
volumes, and networks.
The advantage of using a repository from which to install Mirantis Container
Runtime (or any software) is that it provides a certain level of automation.
RPM-based distributions such as Oracle Linux, use a tool called YUM that work
with your repositories to manage dependencies and provide automatic updates.
The list returned depends on which repositories you enabled, and is
specific to your version of Oracle Linux (indicated by .el7 in this example).
Install a specific version by its fully qualified package name,
which is the package name (docker-ee) plus the version string
(2nd column) starting at the first colon (:), up to the first
hyphen, separated by a hyphen (-). For example,
docker-ee-18.09.1.
Docker is installed but not started. The docker group is created,
but no users are added to the group.
Start Docker:
sudosystemctlstartdocker
Verify that Mirantis Container Runtime is installed correctly by
running the hello-world image. This command downloads a test
image, runs it in a container, prints an informational message, and
exits:
sudodockerrunhello-world
Mirantis Container Runtime is installed and running. Use sudo to
run Docker commands.
Navigate to oraclelinux/7/x86_64/. Choose your
Oracle Linux version, architecture, and MCR version. Download the
.rpm file from the Packages directory.
Docker is installed but not started. The docker group is created,
but no users are added to the group.
Start Docker:
sudosystemctlstartdocker
Verify that Mirantis Container Runtime is installed correctly by
running the hello-world image. This command downloads a test
image, runs it in a container, prints an informational message, and
exits:
sudodockerrunhello-world
Mirantis Container Runtime is installed and running. Use sudo to
run Docker commands.
Oracle Linux 8
Go to repos.mirantis.com in your browser. Navigate to oraclelinux/.
Choose your Oracle Linux version, architecture, and MCR
version. Download the .rpm file from the Packages directory.
If you have trouble with selinux using the packages under the 8
directory, try choosing the version-specific directory instead.
Install Mirantis Container Runtime, changing the path below to the path
where you downloaded the Docker package.
Docker is installed but not started. The docker group is created, but no
users are added to the group.
Start Docker:
sudosystemctlstartdocker
Verify that Mirantis Container Runtime is installed correctly by running
the hello-world image. This command downloads a test image, runs it in a
container, prints an informational message, and exits:
sudodockerrunhello-world
Mirantis Container Runtime is now installed and running. Make sure to use
sudo to run Docker commands (refer to the Docker documentation for Linux
postinstall for information on how to allow non-privileged users to run
Docker commands.
By default, MCR automatically records and transmits data to Mirantis for
monitoring and analysis purposes. The data collected provides the Mirantis
Customer Success Organization with information that helps us to better
understand the operational use of MCR by our customers. It also provides key
feedback in the form of product usage statistics, which enable our product
teams to enhance Mirantis products and services.
To disable the telemetry function, set
features.telemetry to false in your /etc/docker/daemon.json file.
Change the setting to true to re-enable telemetry.
{"features":{"telemetry":false}}
Caution
To send the telemetry, verify that dockerd can resolve api.segment.io
and create a TCP (HTTPS) connection on port 443.
You must delete any edited configuration files manually.
Install Mirantis Container Runtime for Red Hat Enterprise Linux¶
There are two ways to install and upgrade Mirantis Container Runtime (MCR).
YUM repository: Set up a Docker repository and install Mirantis Container
Runtime from it. This is the recommended approach because installation and
upgrades are managed with YUM and easier to do.
RPM package: Download the RPM package, install it manually, and manage
upgrades manually. This is useful when installing Mirantis Container Runtime
on air-gapped systems with no access to the internet.
Mirantis Container Runtime supports Red Hat Enterprise Linux 64-bit, versions
7.4 and higher running on x86_64. Refer to the
MCR 23.0 Compatibility Matrix for specific details.
On Red Hat Enterprise Linux, Mirantis Container Runtime supports the
overlay2 storage driver. The following limitations apply:
OverlayFS: If selinux is enabled, the
overlay2 storage driver is supported on RHEL 7.4 or higher.
If selinux is disabled, overlay2 is supported on RHEL 7.2 or higher
with kernel version 3.10.0-693 and higher.
With Mirantis Container Runtime license for versions 23.0.x, Mirantis provides
FIPS 140-2 support in RHEL 7.x, 8.x, and 9.x (as per the
MCR 23.0 Compatibility Matrix). This includes a FIPS supported
cryptographic module. If the RHEL implementation already has FIPS support
enabled, FIPS is also automatically enabled in MCR. If FIPS support is not
already enabled in your RHEL implementation, see the Red Hat Product
Documentation for instructions on how to enable it.
To verify the FIPS 140-2 module is enabled in the Linux kernel, confirm
the file /proc/sys/crypto/fips_enabled contains 1.
cat/proc/sys/crypto/fips_enabled1
Note
FIPS is only supported in Mirantis Container Runtime.
MKE and MSR currently do not have support for FIPS 140-2.
You can override FIPS 140-2 compliance on a system that is not in FIPS
140-2 mode. Note, this does not change FIPS 140-2 mode on the
system. To override the FIPS 140-2 mode, follow ths steps below.
Create a file called
/etc/systemd/system/docker.service.d/fips-module.conf. Add the
following:
[Service]Environment="DOCKER_FIPS=1"
Reload the Docker configuration to systemd.
sudosystemctldaemon-reload
Restart the Docker service as root.
sudosystemctlrestartdocker
To confirm Docker is running with FIPS 140-2 enabled, run the
dockerinfo command.
If the system has the FIPS 140-2 cryptographic module installed on the
operating system, it is possible to disable FIPS 140-2 compliance.
To disable FIPS 140-2 in Docker but not the operating system, set the
value DOCKER_FIPS=0 in the
/etc/systemd/system/docker.service.d/fips-module.conf.
The Mirantis Container Runtime package is called docker-ee. Older
versions were called docker or docker-engine. Uninstall all
older versions and associated dependencies. The contents of
/var/lib/docker/ are preserved, including images, containers,
volumes, and networks.
The advantage of using a repository from which to install Mirantis Container
Runtime (or any software) is that it provides a certain level of automation.
RPM-based distributions such as Red Hat Enterprise Linux, use a tool called YUM
that work with your repositories to manage dependencies and provide automatic
updates.
Also, store your OS version string in /etc/yum/vars/dockerosversion.
Most users should use 7, 8, or 9 but you can also use the
more specific minor version, starting from 7.2.
The list returned depends on which repositories you enabled, and is
specific to your version of Red Hat Enterprise Linux (indicated by
.el7 in this example).
Install a specific version by its fully qualified package name,
which is the package name (docker-ee) plus the version string
(2nd column) starting at the first colon (:), up to the first
hyphen, separated by a hyphen (-). For example,
docker-ee-23.0.1.
Docker is installed but not started. The docker group is created,
but no users are added to the group.
Start Docker:
sudosystemctlstartdocker
Verify that Mirantis Container Runtime is installed correctly by
running the hello-world image. This command downloads a test
image, runs it in a container, prints an informational message, and
exits:
sudodockerrunhello-world
Mirantis Container Runtime is installed and running. Use sudo to run Docker
commands.
To manually install Mirantis Container Runtime, download the .rpm file for
your release. You need to download a new file each time you want to upgrade.
Alternately, obtain that package manually from Red Hat. There is no way
to publicly browse this repository.
Go to repos.mirantis.com in your browser. Navigate to rhel/. Choose
your Red Hat Enterprise Linux version, architecture, and Docker version.
Download the .rpm file from the Packages directory.
If you have trouble with selinux using the packages under the 7
directory, try choosing the version-specific directory instead, such as
7.3.
Install MCR, changing the path below to the path where you downloaded the
Docker package.
Docker is installed but not started. The docker group is created, but no
users are added to the group.
Start Docker:
sudosystemctlstartdocker
Verify that Mirantis Container Runtime is installed correctly by running
the hello-world image. This command downloads a test image, runs it in a
container, prints an informational message, and exits:
sudodockerrunhello-world
Mirantis Container Runtime is now installed and running. Make sure to use
sudo to run Docker commands (refer to the Docker documentation for
Linux postinstall for
information on how to allow non-privileged users to run Docker commands.
RHEL 8
Go to repos.mirantis.com in your browser. Navigate to rhel/. Choose
your Red Hat Enterprise Linux version, architecture, and Docker version.
Download the .rpm file from the Packages directory.
If you have trouble with selinux using the packages under the 8
directory, try choosing the version-specific directory instead.
Install Mirantis Container Runtime, changing the path below to the path
where you downloaded the Docker package.
Docker is installed but not started. The docker group is created, but no
users are added to the group.
Start Docker:
sudosystemctlstartdocker
Verify that Mirantis Container Runtime is installed correctly by running
the hello-world image. This command downloads a test image, runs it in a
container, prints an informational message, and exits:
sudodockerrunhello-world
Mirantis Container Runtime is now installed and running. Make sure to use
sudo to run Docker commands (refer to the Docker documentation for Linux
postinstall for information on how to allow non-privileged users to run
Docker commands.
RHEL 9
Go to repos.mirantis.com in your browser. Navigate to rhel/. Choose
your Red Hat Enterprise Linux version, architecture, and Docker version.
Download the .rpm file from the Packages directory.
If you have trouble with selinux using the packages under the 9
directory, try choosing the version-specific directory instead.
Install Mirantis Container Runtime, changing the path below to the path
where you downloaded the Docker package.
Docker is installed but not started. The docker group is created, but no
users are added to the group.
Start Docker:
sudosystemctlstartdocker
Verify that Mirantis Container Runtime is installed correctly by running
the hello-world image. This command downloads a test image, runs it in a
container, prints an informational message, and exits:
sudodockerrunhello-world
Mirantis Container Runtime is now installed and running. Make sure to use
sudo to run Docker commands (refer to the Docker documentation for Linux
postinstall for information on how to allow non-privileged users to run
Docker commands.
By default, MCR automatically records and transmits data to Mirantis for
monitoring and analysis purposes. The data collected provides the Mirantis
Customer Success Organization with information that helps us to better
understand the operational use of MCR by our customers. It also provides key
feedback in the form of product usage statistics, which enable our product
teams to enhance Mirantis products and services.
To disable the telemetry function, set
features.telemetry to false in your /etc/docker/daemon.json file.
Change the setting to true to re-enable telemetry.
{"features":{"telemetry":false}}
Caution
To send the telemetry, verify that dockerd can resolve api.segment.io
and create a TCP (HTTPS) connection on port 443.
To install Mirantis Container Runtime, you need the 64-bit version of SLES 12.x
or later, running on the x86_64 architecture. Mirantis Container Runtime is
not supported on OpenSUSE.
The only supported storage driver for Mirantis Container Runtime on SLES
is Btrfs, which is used by default if the underlying filesystem
hosting /var/lib/docker/ is a BTRFS filesystem.
Note
IBM Z (s390x) is supported for Mirantis Container Runtime 17.06.xx only.
Docker creates a DOCKER iptables chain when it starts. The SUSE
firewall may block access to this chain, which can prevent you from
running containers with published ports. You may see errors such as the
following:
WARNING: IPv4 forwarding is disabled. Networking will not work.
docker: Error response from daemon: driver failed programming external
connectivity on endpoint adoring_ptolemy
(0bb5fa80bc476f8a0d343973929bb3b7c039fc6d7cd30817e837bc2a511fce97):
(iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 80 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0: iptables: No chain/target/match by that name.
(exit status 1)).
If you see errors like this, adjust the start-up script order so that the
firewall is started before Docker, and Docker stops before the firewall stops.
Refer to the SLES systemd daemon documentation.
Older versions of Docker were called docker or docker-engine. If
you use OS images from a cloud provider, you may need to remove the
runc package, which conflicts with Docker. If these are installed,
uninstall them, along with associated dependencies.
sudozypperrmdockerdocker-enginerunc
If removal of the docker-engine package fails, use the following
command instead:
sudorpm-edocker-engine
It’s OK if zypper reports that none of these packages are installed.
The contents of /var/lib/docker/, including images, containers,
volumes, and networks, are preserved. The Mirantis Container Runtime
package is now called docker-ee.
By default, SLES formats the / filesystem using Btrfs, so most
people do not not need to do the steps in this section. If you use OS
images from a cloud provider, you may need to do this step. If the
filesystem that hosts /var/lib/docker/ is not a BTRFS
filesystem, you must configure a BTRFS filesystem and mount it on
/var/lib/docker/.
Check whether / (or /var/ or /var/lib/ or
/var/lib/docker/ if they are separate mount points) are formatted
using Btrfs. If you do not have separate mount points for any of
these, a duplicate result for / is returned.
df-T//var/var/lib/var/lib/docker
You need to complete the rest of these steps only if one of thefollowing is true:
You have a separate /var/ filesystem that is not formatted
with Btrfs
You do not have a separate /var/ or /var/lib/ or
/var/lib/docker/ filesystem and / is not formatted with
Btrfs
If /var/lib/docker is already a separate mount point and is not
formatted with Btrfs, back up its contents so that you can restore
them after step 3.
Format your dedicated block device or devices as a Btrfs filesystem.
This example assumes that you are using two block devices called
/dev/xvdf and /dev/xvdg. Make sure you are using the right
device names.
Important
Double-check the block device names because this is a destructive
operation.
sudomkfs.btrfs-f/dev/xvdf/dev/xvdg
There are many more options for Btrfs, including striping and RAID. See the
Btrfs documentation.
Mount the new Btrfs filesystem on the /var/lib/docker/ mount
point. You can specify any of the block devices used to create the
Btrfs filesystem.
sudomount-tbtrfs/dev/xvdf/var/lib/docker
Don’t forget to make the change permanent across reboots by adding an
entry to /etc/fstab.
If /var/lib/docker previously existed and you backed up its
contents during step 1, restore them onto /var/lib/docker.
You can install Mirantis Container Runtime in different ways, depending
on your needs.
Most users set up Docker’s repositories and install from
them, for ease of installation and upgrade tasks. This is the
recommended approach.
Some users download the RPM package and install it manually and
manage upgrades completely manually. This is useful in situations
such as installing Docker on air-gapped systems with no access to the
internet.
Before you install Mirantis Container Runtime for the first time on a
new host machine, you need to set up the Docker repository. Afterward,
you can install and update Docker from the repository.
If this is the first time you have refreshed the package index since
adding the Docker repositories, you are prompted to accept the GPG
key, and the key’s fingerprint is shown. Verify that the fingerprint
matches 77FEDA131A831D29A418D3E899E5FF2E76682BC9 and if so, accept the key.
Install the latest patch release, or proceed to the next step to install a
specific version.
MCR nodes in rootless mode cannot currently be a member of an MKE
cluster.
Start Docker.
SLES 15:
sudosystemctlstartdocker
SLES 12:
sudoservicedockerstart
On production systems, you should install a specific version of
Mirantis Container Runtime instead of always using the latest. List
the available versions. The following example only lists binary
packages and is truncated. To also list source packages, omit the
-tpackage flag from the command.
zyppersearch-s--match-exact-tpackagedocker-ee
The contents of the list depend upon which repositories you have
enabled. Choose a specific version to install. The fourth column is
the version string. The last column is the repository name, which
indicates which repository the package is from and by extension its
stability level. To install a specific version, append the version
string to the package name and separate them by a hyphen (-):
On SLES15
Requires the addition of the docker-ee-rootless-extras package.
Docker is installed but not started. The docker group is created,
but no users are added to the group.
Configure Docker to use the Btrfs filesystem. This is only required
ifthe ``/`` filesystem is not using BTRFS. However, explicitly
specifying the storage-driver has no harmful side effects.
Edit the file /etc/docker/daemon.json (create it if it does not
exist) and add the following contents:
{"storage-driver":"btrfs"}
Save and close the file.
Start Docker.
sudoservicedockerstart
Verify that Docker is installed correctly by running the
hello-world image.
sudodockerrunhello-world
This command downloads a test image and runs it in a container. When
the container runs, it prints an informational message and exits.
Mirantis Container Runtime is installed and running. You need to use
sudo to run Docker commands.
If you cannot use the official Docker repository to install Mirantis Container
Runtime, you can download the .rpm file for your release and install it
manually. You need to download a new file each time you want to upgrade Docker.
Go to sles/15/x86_64/stable-23.0/ and choose the directory
corresponding to the desired Mirantis Container Runtime version. Download
the .rpm file from the Packages directory.
Docker is installed but not started. The docker group is created,
but no users are added to the group.
Configure Docker to use the Btrfs filesystem. This is only required
ifthe ``/`` filesystem is not using Btrfs. However, explicitly
specifying the storage-driver has no harmful side effects.
Edit the file /etc/docker/daemon.json (create it if it does not
exist) and add the following contents:
{"storage-driver":"btrfs"}
Save and close the file.
Start Docker.
sudoservicedockerstart
Verify that Docker is installed correctly by running the
hello-world image.
sudodockerrunhello-world
This command downloads a test image and runs it in a container. When
the container runs, it prints an informational message and exits.
Mirantis Container Runtime is installed and running. You need to use
sudo to run Docker commands.
To upgrade Mirantis Container Runtime, download the newer package file
and repeat the installation procedure,
using zypperupdate instead of zypperinstall, and pointing to
the new file.
By default, MCR automatically records and transmits data to Mirantis for
monitoring and analysis purposes. The data collected provides the Mirantis
Customer Success Organization with information that helps us to better
understand the operational use of MCR by our customers. It also provides key
feedback in the form of product usage statistics, which enable our product
teams to enhance Mirantis products and services.
To disable the telemetry function, set
features.telemetry to false in your /etc/docker/daemon.json file.
Change the setting to true to re-enable telemetry.
{"features":{"telemetry":false}}
Caution
To send the telemetry, verify that dockerd can resolve api.segment.io
and create a TCP (HTTPS) connection on port 443.
Uninstall the Mirantis Container Runtime package using the command
below.
sudozypperrmdocker-eedocker-ee-clicontainerd.io
Images, containers, volumes, or customized configuration files on
your host are not automatically removed. To delete all images,
containers, and volumes.
sudorm-rf/var/lib/docker/*
If you used a separate BTRFS filesystem to host the contents of
/var/lib/docker/, you can unmount and format the Btrfs
filesystem.
You must delete any edited configuration files manually.
For Ubuntu 16.04 and higher, the Linux kernel includes support for overlay2,
and Mirantis Container Runtime uses it as the default storage driver. If you
need to use aufs instead, it must be manually configured.
Mirantis Container Runtime can be installed either by using Mirantis
repositories, or by downloading and installing the DEB package and thereafter
manually managing all upgrades. The Mirantis repository method is recommended,
for the ease it lends in terms of both installation and upgrade tasks. The more
manual DEB package approach, however, is useful in certain situations, such as
installing MCR on air-gapped system that have no access to the Internet.
Continue from this point if you are using Mirantis repositories on Ubuntu, or
to install from a Debian package go to
Install from a Debian package.
Verify that you now have the key with the fingerprint
DD911E995A64A202E85907D6BC14F10B6D085F96, by searching
for the last eight characters of the fingerprint. Use the command
as-is. It works because of the variable you set earlier.
Install the latest version of Mirantis Container Runtime and
containerd, or go to the next step to install a specific version. Any
existing installation of MCR is replaced.
If you have multiple Mirantis repositories enabled, installing or
updating without specifying a version in the apt-getinstall
or apt-get update command always installs the highest possible
version, which may not be appropriate for your stability needs.
On production systems, you should install a specific version of
Mirantis Container Runtime instead of always using the latest. The
following output is truncated.
The contents of the list depend upon which repositories are enabled,
and are specific to your version of Ubuntu (indicated by the
focal suffix on the version, in this example). Choose a specific
version to install. The second column is the version string. The
third column is the repository name, which indicates which repository
the package is from and by extension its stability level. To install
a specific version, append the version string to the package name and
separate them by an equals sign (=).
MCR nodes in rootless mode cannot currently be a member of an MKE
cluster.
The MCR daemon starts automatically.
Verify that MCR is installed correctly by running the hello-world
image.
sudodockerrunhello-world
This command downloads a test image and runs it in a container. When
the container runs, it prints an informational message and exits.
Mirantis Container Runtime is installed and running. The docker
group is created but no users are added to it. You need to use sudo
to run MCR commands.
If you cannot use the Mirantis repository to install Mirantis Container
Runtime, you can download the .deb files for your release and install them
manually. You need to download a new file or set of files each time you want to
upgrade Mirantis Container Runtime.
Go to /ubuntu/dists/bionic/pool/stable-<VERSION>/amd64/ and download
the .deb file for the Ubuntu release and architecture you want to
install.
Note
Starting with 19.03, you have to download three .deb files.
They are docker-ee-cli_<version>.deb,
containerd.io_<version>.deb, and docker-ee_<version>.deb.
Install MCR, changing the path below to the path where you
downloaded the Mirantis Container Runtime package.
Verify that MCR is installed correctly by running the hello-world image.
sudodockerrunhello-world
This command downloads a test image and runs it in a container. When
the container runs, it prints an informational message and exits.
Mirantis Container Runtime is installed and running. The docker group is
created but no users are added to it. You need to use sudo to run MCR
commands.
By default, MCR automatically records and transmits data to Mirantis for
monitoring and analysis purposes. The data collected provides the Mirantis
Customer Success Organization with information that helps us to better
understand the operational use of MCR by our customers. It also provides key
feedback in the form of product usage statistics, which enable our product
teams to enhance Mirantis products and services.
To disable the telemetry function, set
features.telemetry to false in your /etc/docker/daemon.json file.
Change the setting to true to re-enable telemetry.
{"features":{"telemetry":false}}
Caution
To send the telemetry, verify that dockerd can resolve api.segment.io
and create a TCP (HTTPS) connection on port 443.
Images, containers, volumes, or customized configuration files on
your host are not automatically removed. Run the following command to
delete all images, containers, and volumes.
sudorm-rf/var/lib/docker
You must delete any edited configuration files manually.
Mirantis Container Runtime (MCR) enables native Docker containers on Windows
Server. Windows Server 2019 and later versions are supported. The Mirantis
Container Runtime installation package includes everything you need to run
Docker on Windows Server. This topic describes pre-install considerations, and
how to download and install Mirantis Container Runtime.
Mirantis provides an installation script to ease MCR installation on a Windows
Server machine. The script uses default values, thus allowing it to be run
without configuration. You can, however, override the default values with
script parameters and env variables. Parameter values take precedence over env
variables. Both take precedence over inbuilt default values.
The installation script must be executed from an elevated command prompt.
If you want to change the default daemon values, ensure that you have the
alternative cofigurations and the related collateral in place prior to
executing the script. For example, if you want to enable TLS, store the
certificates and write the daemon configuration file before invoking the
script.
The installer will issue a prompt, should it require a reboot.
Note
The installation script installs a numerically higher version by
default. The latest tag, however, explicitly denotes the binary that was
last pushed, which may not be a numerically higher version.
Test your MCR installation by running the hello-world container.
dockerrunhello-world:nanoserver
The container starts, prints the HellofromDocker! message, and then exits.
MCR provides FIPS 140-2 support in Windows Server, which includes a FIPS
supported cryptographic module. If the Windows implementation already has FIPS
support enabled, FIPS is automatically enabled in MCR.
Note
FIPS 140-2 is only supported in MCR. MKE and MSR currently do not support FIPS 140-2.
To enable FIPS 140-2 compliance on a system that is not in FIPS 140-2
mode, run the following command in PowerShell:
You can also enable FIPS 140-2 mode using the Windows Registry. To update
the pertinent registry key, execute the following PowerShell command as
an Administrator:
To confirm Docker is running with FIPS-140-2 enabled, run the
docker info.
Labels:com.docker.security.fips=enabled
Note
FIPS-140-2 compliance can be disabled if the FIPS-140-2 cryptographic
module is installed on the operating system. To disable FIPS-140-2 in
Docker but not the operating system, set the value "DOCKER_FIPS","0" in
[System.Environment].\
If your hardware is air-gapped you can still install MCR. To do so, download
the installer and copy the files to the air-gapped machine (the default
installation assumes that the zipped files and script are in the same
location).
Run the installation script with the -DownloadOnly parameter. As per the
parameter name, this action only downloads the zip file (no installation is
performed).
.\<installation-script>-DownloadOnly
Copy the installation script and the installation zip file over to the
air-gapped machine and run the install with the -Offline parameter.
Use the following three parameters separately or in tandem to install a
specific version of MCR for Windows Server.
Caution
MCR does not support using earlier versions of containerd than the version
with which it is released. For supported containerd versions, refer to the
Major component versions section of the required MCR version in
Release Notes.
The installation script uses the parameters detailed below.
Parameter
Description
.PARAMETER DownloadUrl
[Alternately specified by $Env:DOWNLOAD_URL]
Specifies an alternative repository in which to download container
runtime packages.
.PARAMETER Channel
[Alternately specified by $Env:CHANNEL]
Specifies which channel to use for picking the binaries (examples
include stable and test). Default: stable.
.PARAMETER DockerVersion
[Alternately specified by $Env:DOCKER_VERSION]
Specifies the version number for the DockerEE binaries to install.
The latest version is the default.
.PARAMETER ContainerdVersion
[Alternately specified by $Env:CONTAINERD_VERSION]
Specifies the version number for the containerd binaries to install
The latest version is the default.
.PARAMETER DryRun
If specified, list different steps to use without actually invoking
those steps.
.PARAMETER Uninstall
If specified, uninstalls all packages. This includes
unregistering the corresponding services and removing paths
for the package from the registry.
All other script parameters (except DryRun and DestPath) are
ignored if this switch is specified. Common parameters such
as -Verbose are still honored.
.PARAMETER Ver
Print version info for the script and exit.
.PARAMETER NoServiceStarts
If specified, services are not started on successful install.
By default, all services installed by the script are
left in a running state before exit.
.PARAMETER DestPath
Path to the directory under which binaries will be installed.
Default: %PROGRAMDATA%
.PARAMETER OfflinePackagesPath
The folder for airgap/offline scenarios. For use when the
offline or DownloadOnly parameters are specified. Used to
either save the downloaded packages for later offline use
or for pointing to previously downloaded packages for
offline install.
.PARAMETER Offline
Install packages in offline/airgap mode. By default the
current directory is used to locate previously
downloaded packages, a setting that can be overridden by using
the OfflinePackagesPath parameter.
.PARAMETER DownloadOnly
Download and save packages for later offline/airgap install.
This is often arises if you have ming/mingw64 as a part of your PATH env
variable. As a workaround, ensure that the offending software is
not on the PATH and run the script again.
The script supports airgap functionality by providing access to
download packages while online, as well as to install those selfsame
packages while offline.
For downloads, please ensure that the script has access to the internet. Use
the -DownloadOnly parameter. By default the script will use the current
directory to store the packages after download, a setting that can be
changed by specifying the path explicitly with the -OfflinePackagesPath
parameter.
For offline/airgap install, please use the -Offline parameter. By
default the script searches for pacakages in the current directory, a
setting that can be changed by specifying the -OfflinePackagesPath
parameter.
While downloading using -DownloadOnly parameter, confirm that the
download path is accessible to the script, especially if you run the
script without administrative rights.
The following is required so that the script can be invoked with named
parameters (for example, -ContainerdVersion1.3.4...). If a parameter is
used, its type is checked by powershell - we give a higher precedence to the
parameters specified in this manner versus the same value specified by env
vars.
Parameters received at invocation time. Some of these values are merged
with values specified by env vars - see reconcileParams. Others are used as-is.
By default, MCR automatically records and transmits data to Mirantis for
monitoring and analysis purposes. The data collected provides the Mirantis
Customer Success Organization with information that helps Mirantis to better
understand the operational use of MCR by our customers. It also provides key
feedback in the form of product usage statistics, which enables our product
teams to enhance Mirantis products and services.
To disable the telemetry function, set features.telemetry to false in
the daemon.json file, which is located in
C:\ProgramData\docker\config\.
{"features":{"telemetry":false}}
You can change the setting back to true to re-enable telemetry
Caution
To send the telemetry, verify that dockerd can resolve api.segment.io
and create a TCP (HTTPS) connection on port 443.
Customers who use MCR with Kubernetes directly (without MKE) must use a
plugin maintained by Kubernetes called dockershim for Kubernetes 1.23 and
below or a plugin maintained by Mirantis called cri-docker (included in
MCR) for Kubernetes 1.24 and above.
Several Docker resources are available which cover the basics of Mirantis
Container Runtime security, including:
Docker Security Documentation describes the
fundamentals, such as namespaces and control groups, the attack surface of
the Docker daemon, and other kernel security features.
When antivirus and antimalware software products scan files in use by MCR,
these files can lock in a way that causes Docker commands to hang or causes
orphaned snapshots to leak disk space. To circumvent these problems, you can
add the Docker data directory to the software’s exclusion list, which is by
default /var/lib/docker on Linux systems and %ProgramData%\docker on
Windows Server systems. As a result of this action, though, viruses or malware
in local Docker images, writable layers of containers, or volumes will go
undetected.
Note
If you choose to exclude the Docker data directory from background virus
scanning, Mirantis recommends that you schedule recurring tasks for stopping
MCR, for scanning the data directory, and for restarting MCR. Make sure to
stagger these recurring tasks, though, as running them in sync can cause a
system outage.
When transferring data among networked systems, trust is a central concern. In
particular, when communicating over an untrusted medium such as the internet,
it is critical to ensure the integrity and the publisher of all the data a
system operates on. You use Docker Engine to push and pull images to a public
or private registry. Docker Content Trust (DCT) gives you the ability to verify
both the integrity and the publisher of all the data received from a registry
over any channel.
Docker Content Trust provides the ability to use digital signatures for data
sent to and received from remote Docker registries. These signatures allow
client-side or runtime verification of the integrity and publisher of specific
image tags.
Through DCT, image publishers can sign their images and image consumers can
verify the signatures of the images they pull. Publishers could be individuals
or organizations manually signing their content or automated software supply
chains signing content as part of their release process.
An individual image record has the following identifier:
[REGISTRY_HOST[:REGISTRY_PORT]/]REPOSITORY[:TAG]
A particular image REPOSITORY can have multiple tags. For example,
latest and 3.1.2 are both tags on the mongo image. An image
publisher can build an image and tag combination many times changing the image
with each build.
DCT is associated with the TAG portion of an image. Each image repository
has a set of keys that image publishers use to sign an image tag. Image
publishers have discretion on which tags they sign.
An image repository can contain an image with one tag that is signed and
another tag that is not. For example, consider the Mongo image repository. The latest tag could be unsigned
while the 3.1.6 tag could be signed. It is the responsibility of the image
publisher to decide if an image tag is signed or not. In this representation,
some image tags are signed, others are not:
Publishers can choose to sign a specific tag or not. As a result, the content
of an unsigned tag and that of a signed tag with the same name may not match.
For example, a publisher can push a tagged image someimage:latest and sign
it. Later, the same publisher can push an unsigned someimage:latest image.
This second push replaces the last unsigned tag latest but does not affect
the signed latest version. The ability to choose which tags they can sign
allows publishers to iterate over the unsigned version of an image before
officially signing it.
Image consumers can enable DCT to ensure that images they use are signed. If a
consumer enables DCT, they can only pull, run, or build with trusted images.
Enabling DCT is a bit like applying a “filter” to your registry. Consumers
“see” only signed image tags while the less desirable, unsigned image tags are
“invisible” to them.
To the consumer who has not enabled DCT, nothing changes with regard to how
they work with Docker images. Every image is visible regardless of whether it
is signed or not.
Trust for an image tag is managed through the use of signing keys. A key set is
created when an operation using DCT is first invoked. A key set consists of the
following classes of keys:
an offline key that is the root of DCT for an image tag
repository or tagging keys that sign tags
server-managed keys such as the timestamp key, which provides freshness
security guarantees for your repository
The following image depicts the various signing keys and their relationships:
Warning
Once lost, the root key is not recoverable.
You should back up the root key somewhere safe. Given that it is only required
to create new repositories, you should store it offline in hardware. For
details on securing, and backing up your keys, make sure you read Manage keys
for content trust.
Within the Docker CLI, you can sign and push a container image with the
$ docker trust command syntax. This is built on top of the Notary
feature set, more information for which can be found in the Notary Github
Repository.
A prerequisite for signing an image is a container image Registry with a Notary
server attached, such as a Mirantis Secure Registry or Docker Hub.
Instructions for standing up a self-hosted environment can be found in the
Docker official documentation, Deploy Notary Server with Compose.
A delegation key pair is required to sign a container image. These keys can be
generated locally using $ docker trust key generate or generated by
a certificate authority. If you are using Mirantis Kubernetes Engine, the
Client Bundle provides adequate keys for a delegation.
To sign images with Docker Content Trust:
Add the delegation private key to the local Docker trust repository, which
by default is stored in ~/.docker/trust/.
If you are generating delegation keys with $ docker trust key
generate, the private key is automatically added to the local trust store.
If you are importing a separate key, such as one from a MKE Client Bundle,
you must use the $ docker trust key load command:
$ dockertrustkeygeneratejeff
Generating key for jeff...Enter passphrase for new jeff key with ID 9deed25:Repeat passphrase for new jeff key with ID 9deed25:Successfully generated and loaded private key. Corresponding public keyavailable: /home/ubuntu/Documents/mytrustdir/jeff.pub
If you have an existing key, run the following command:
$ dockertrustkeyloadkey.pem--namejeff
Loading key from "key.pem"...Enter passphrase for new jeff key with ID 8ae710e:Repeat passphrase for new jeff key with ID 8ae710e:Successfully imported key from key.pem
Add the delegation public key to the Notary server. Each delegation key in
Notary is specific to a particular image repository. If this is the first
time you are adding a delegation to that repository, this command will also
initiate the repository, using a local Notary canonical root key. To
understand more about initiating a repository, and the role of delegations,
refer to the official Docker documentation, Delegations for content trust.
$ dockertrustsigneradd--keycert.pemjeffmsr.example.com/admin/demo
Adding signer "jeff" to msr.example.com/admin/demo...Enter passphrase for new repository key with ID 10b5e94:
Use the delegation private key to sign a particular tag and push the
signature up to the registry.
$ dockertrustsignmsr.example.com/admin/demo:1
Signing and pushing trust data for local image msr.example.com/admin/demo:1, may overwrite remote trust dataThe push refers to repository [msr.example.com/admin/demo]7bff100f35cb: Pushed1: digest: sha256:3d2e482b82608d153a374df3357c0291589a61cc194ec4a9ca2381073a17f58e size: 528Signing and pushing trust metadataEnter passphrase for signer key with ID 8ae710e:Successfully signed msr.example.com/admin/demo:1
Alternatively, once the keys have been imported an image can be pushed with
the $ docker push command:
$ exportDOCKER_CONTENT_TRUST=1$ dockerpushmsr.example.com/admin/demo:1
The push refers to repository [msr.example.com/admin/demo:1]7bff100f35cb: Pushed1: digest: sha256:3d2e482b82608d153a374df3357c0291589a61cc194ec4a9ca2381073a17f58e size: 528Signing and pushing trust metadataEnter passphrase for signer key with ID 8ae710e:Successfully signed msr.example.com/admin/demo:1
To view remote trust data for a tag or repository:
Run the $ docker trust inspect command to view remote trust data for
a tag or a repository:
$ dockertrustinspect--prettymsr.example.com/admin/demo:1
Signatures for msr.example.com/admin/demo:1SIGNED TAG DIGEST SIGNERS1 3d2e482b82608d153a374df3357c0291589a61cc194ec4a9ca2381073a17f58e jeffList of signers and their keys for msr.example.com/admin/demo:1SIGNER KEYSjeff 8ae710e3ba82Administrative keys for msr.example.com/admin/demo:1 Repository Key: 10b5e94c916a0977471cc08fa56c1a5679819b2005ba6a257aa78ce76d3a1e27 Root Key: 84ca6e4416416d78c4597e754f38517bea95ab427e5f95871f90d460573071fc
To remove remote trust data for a tag:
Run the $ docker trust revoke command to remove remote trust data
for a tag:
$ dockertrustrevokemsr.example.com/admin/demo:1
Enter passphrase for signer key with ID 8ae710e:Successfully deleted signature for msr.example.com/admin/demo:1
Runtime enforcement is a feature that is exclusive to MCR. It is not
available in Moby or Docker CE.
The implementation is separate from the onlyrunsignedimages
feature of Mirantis Kubernetes Engine.
Docker Content Trust within the Mirantis Container Runtime prevents a user from
using a container image from an untrusted source. It will also prevent a user
from building a container image from a base layer from an untrusted source.
Trusted sources can include Official Docker Images, found on the Docker Hub or User
trusted sources, with repositories and tags signed with the commands detailed
in Signing Images with Docker Content Trust.
Engine Signature Verification prevents the following:
$ docker container run of an unsigned or altered image.
$ docker pull of an unsigned or altered image.
$ docker build where the FROM image is not signed or is not
scratch.
Note
The implicit pulls and runs performed by worker nodes for a Swarm service on
$ docker service create and $ docker service update
are also verified. Tag resolution of services requires that all nodes in the
Swarm including managers have content trust enabled and similarly
configured.
DCT does not verify that the filesystem of a running container has not been
altered from what was in the image. For example, it does not prevent a
container from writing to the filesystem, once the container is running.
Moreover, it does not prevent the image filesystem from being altered on the
disk of a Docker host. DCT will also not prevent unsigned images from being
imported, loaded, or created.
Enabling DCT within the Mirantis Container Runtime¶
DCT is controlled by the Docker Engine configuration file, which by default is
located at /etc/docker/daemon.json. For more information on the
configuration file, refer to the official docker documentation, Daemon
configuration file.
Note
The configuration can be set only on Linux machines.
The content-trust section is based around a mode option that
instructs the engine on whether to enforce signed images, and a
trust-pinning section that instructs the engine on which sources to trust.
Mode can take one of three values: disabled, permissive, or
enforced.
disabled
Verification is not active and the remainder of the content-trust related
configuration is ignored. This is the default value if mode is not
specified.
permissive
Verification will be performed, while failures are only logged. Images that
cannot be verified successfully can still be pulled and run. This
configuration is intended for testing of changes related to
content-trust. The results of the signature verification are displayed in
the MCR daemon logs.
enforced
Content trust is enforced, thus an image that cannot be verified
successfully is not pulled or run.
The Notary Canonical Root Key ID, or DCT Root Key, describes only the root key
used to sign a repository, or rather its respective keys. This is the root key
on the host that originally signed the repository, such as your workstation. It
can be retrieved from the workstation that signed the repository through
$ grep -r "root" ~/.docker/trust/private/ (assuming your trust data
is at ~/.docker/trust/*). It is expected that this canonical ID has
initiated multiple image repositories (mymsr/user1/image1andmymsr/user1/image2).
Use a canonical ID. In the example that follows, the canonical ID has signed
two repos, mymsr/user1/repo1 and mymsr/user1/repo2. Note that
wildcards are allowed.
The Notary Root key ID, or DCT Certificate ID, describes the same as the Notary
Canonical Root Key ID; the ID is unique per repository. For example,
mymsr/user1/image1 and mymsr/usr1/image2 will each have a unique
certificate ID. A certificate ID can be retrieved through a $ docker
trust inspect command, labeled as a root-key, referring back to the
Notary key name. This is designed for when different users are signing their
own repositories, such as when there is no central signing server. As a
cert-id is more granular, it would take priority if a conflict occurs over
a root ID.
If your engine is unable to communicate to the registry, DCT can be enabled to
trust cached signature data. This is configured through the
allow-expired-cached-trust-data option.
Content trust is disabled by default in the Docker Client. To enable it, set
the DOCKER_CONTENT_TRUST environment variable to 1. This prevents users
from working with tagged images unless they contain a signature.
When DCT is enabled in the Docker client, docker CLI commands that operate
on tagged images must either have content signatures or explicit content
hashes. The commands that operate with DCT are:
push
build
create
pull
run
For example, with DCT enabled a docker pull someimage:latest command
only succeeds if someimage:latest is signed. However, an operation with an
explicit content hash always succeeds as long as the hash exists:
$ dockerpullmsr.example.com/user/image:1
Error: remote trust data does not exist for msr.example.com/user/image: msr.example.com does not have trust data for msr.example.com/user/image$ dockerpullmsr.example.com/user/image@sha256:d149ab53f8718e987c3a3024bb8aa0e2caadf6c0328f1d9d850b2a2a67f2819a
sha256:ee7491c9c31db1ffb7673d91e9fac5d6354a89d0e97408567e09df069a1687c1: Pulling from user/imageff3a5c916c92: Pull completea59a168caba3: Pull completeDigest: sha256:ee7491c9c31db1ffb7673d91e9fac5d6354a89d0e97408567e09df069a1687c1Status: Downloaded newer image for msr.example.com/user/image@sha256:ee7491c9c31db1ffb7673d91e9fac5d6354a89d0e97408567e09df069a1687c1
Mirantis Container Runtime (MCR) subscriptions provide access to prioritized
support for designated contacts from your company, agency, team, or
organization. MCR service levels are based on your subscription level and the
cloud or cluster that you designate in your technical support case. Our support
offerings are described on the
Enterprise-Grade Cloud Native and Kubernetes Support page.
You may inquire about Mirantis support subscriptions by using the
contact us form.
The CloudCare Portal is the primary way
that Mirantis interacts with customers who are experiencing technical issues.
Access to the CloudCare Portal requires prior authorization by your company,
agency, team, or organization, and a brief email verification step. After
Mirantis sets up its backend systems at the start of the support subscription,
a designated administrator at your company, agency, team, or organization, can
designate additional contacts. If you have not already received and verified an
invitation to our CloudCare Portal, contact your local designated
administrator, who can add you to the list of designated contacts. Most
companies, agencies, teams, and organizations have multiple designated
administrators for the CloudCare Portal, and these are often the persons most
closely involved with the software. If you do not know who your local
designated administrator is, or you are having problems accessing the CloudCare
Portal, you may also send an email to Mirantis support at
support@mirantis.com.
Once you have verified your contact details and changed your password, you and
all of your colleagues will have access to all of the cases and resources
purchased. Mirantis recommends that you retain your Welcome to Mirantis
email, because it contains information on how to access the CloudCare Portal,
guidance on submitting new cases, managing your resources, and other related
issues.
We encourage all customers with technical problems to use the
knowledge base, which you can access on the Knowledge tab
of the CloudCare Portal. We also encourage you to review the
MKE product documentation and release notes prior to
filing a technical case, as the problem may already be fixed in a later
release or a workaround solution provided to a problem experienced by other
customers.
One of the features of the CloudCare Portal is the ability to associate
cases with a specific MKE cluster. These are referred to in the Portal as
“Clouds”. Mirantis pre-populates your customer account with one or more
Clouds based on your subscription(s). You may also create and manage
your Clouds to better match how you use your subscription.
Mirantis also recommends and encourages customers to file new cases based on a
specific Cloud in your account. This is because most Clouds also have
associated support entitlements, licenses, contacts, and cluster
configurations. These greatly enhance the ability of Mirantis to support you in
a timely manner.
You can locate the existing Clouds associated with your account by using the
Clouds tab at the top of the portal home page. Navigate to the
appropriate Cloud and click on the Cloud name. Once you have verified that the
Cloud represents the correct MKE cluster and support entitlement, you
can create a new case via the New Case button near the top of the
Cloud page.
One of the key items required for technical support of most MKE cases is the
support bundle. This is a compressed archive in ZIP format of configuration
data and log files from the cluster. There are several ways to gather a support
bundle, each described in the paragraphs below. After you obtain a support
bundle, you can upload the bundle to your new technical support case by
following the instructions in the Mirantis knowledge base,
using the Detail view of your case.
Obtain a full-cluster support bundle using the MKE web UI¶
Log in to the MKE web UI as an administrator.
In the left-side nagivation panel, navigate to
<user name> and click Support Bundle.
It may take several minutes for the download to complete.
Note
The default name for the generated support bundle file is
docker-support-<cluster-id>-YYYYmmdd-hh_mm_ss.zip. Mirantis suggests
that you not alter the file name before submittal to the customer portal.
However, if necessary, you can add a custom string between
docker-support and <cluster-id>, as in:
docker-support-MyProductionCluster-<cluster-id>-YYYYmmdd-hh_mm_ss.zip.
Submit the support bundle to Mirantis by clicking Share support
bundle on the success prompt that displays when the support bundle finishes
downloading.
Note
Mirantis uses the support bundles you submit for product improvement
purposes. Be aware, though that these submissions are not sent directly
to the Mirantis Customer Support team that is assigned to the particular
issue.
Fill in the Jira feedback dialog, and click Submit.
Obtain a single-node support bundle using the CLI¶
If SELinux is enabled, include the following additional flag:
--security-optlabel=disable.
Note
The CLI-derived support bundle only contains logs for the node on which
you are running the command. If your MKE cluster is highly available,
collect support bundles from all manager nodes.
Add the --submit option to the support command to submit
the support bundle to Mirantis Customer Support. The support
bundle will be sent, along with the following information:
Cluster ID
MKE version
MCR version
OS/architecture
Cluster size
Note
Mirantis uses the support bundles you submit for product improvement
purposes. Be aware, though that these submissions are not sent directly
to the Mirantis Customer Support team that is assigned to the particular
issue.
For more information on the support command, refer to
mke-cli-support.
Mirantis Container Runtime 23.0 follows the version numbering scheme of the
upstream Moby and Docker CLI projects. Mirantis may skip upstream versions
released in short succession, though, and opt instead to release a patch
that contains the content of all upstream versions released in the
intervening period since the previous MCR 23.0 patch release.
MCR 23.0.15 current
The MCR 23.0.15 patch release focuses on the delivery of bug fixes and the
upgrade to Go 1.22.
Updated containerd 1.6.36
MCR 23.0.14
Patch release for MCR 23.0, which focuses on the delivery of CVE and bug
fixes.
Updated containerd 1.6.33
Updated runc 1.1.13-m1
Updated cri-dockerd 0.3.15
Updated Fipster (Go runtime) go1.21.12m
MCR 23.0.13
Patch release for MCR 23.0, which focuses on the delivery of CVE and bug
fixes.
Updated containerd to version 1.6.32
MCR 23.0.12
Patch release for MCR 23.0, which focuses on the delivery of CVE and bug
fixes.
Updated cri-dockerd to version 0.3.14
Updated Fipster (Go runtime) to version go1.21.10m
MCR 23.0.11
Patch release for MCR 23.0, which focuses on the delivery of CVE and bug
fixes.
Updated containerd to version 1.6.31-rc.1
Updated runc to 1.1.12-m3
Updated cri-dockerd to version 0.3.13
Updated Fipster (Go runtime) to version go1.21.9m3
MCR 23.0.10
Patch release for MCR 23.0, which focuses on the delivery of CVE and bug
fixes.
Updated containerd to version 1.6.30-rc.2
Updated runc to 1.1.12-rc1.m1
Updated cri-dockerd to version 0.3.11
Updated Fipster (Go runtime) to version go1.21.8m1
MCR 23.0.9-1
Patch release for MCR 23.0 that delivers a runc update that fixes CVE-2024-21626.
MCR 23.0.9
Patch release for MCR 23.0, which focuses on the delivery of CVE and bug fixes.
Fixed an issue that pertains to the enabling of FIPS for Swarm.
Fixed an issue that prevented docker exec from working in FIPS mode.
Updated Fipster (Go runtime) to version 1.20.12m1
Updated containerd to version 1.6.28-rc.1
Update cri-dockerd to version 0.3.9
Updated buildx version 0.12.0m(4932eecc)
MCR 23.0.8
Patch release for MCR 23.0, which introduces the following key product
improvements:
Updated Fipster (Go runtime) to version go1.20.10m1
Updated containerd to version 1.6.25-rc.1
Update cri-dockerd to version 0.3.7
Updated buildx version 0.12.0-rc1
Resolved CVEs in the Go runtime
MCR 23.0.7
Patch release for MCR 23.0, which introduces the following key product
improvements:
Updated Fipster (Go runtime) to version go1.19.12m1
Updated containerd to version 1.6.22
Resolved CVEs in the Go runtime
MCR 23.0.6
Patch release for MCR 23.0, which introduces the following key product
improvements:
Updated Fipster (Go runtime) to version go1.19.10m1
Updated containerd to version 1.6.21
Updated docker buildx to version 0.10.5
Updated cri-dockerd to version 0.3.4
Resolved CVEs in the Go runtime
MCR 23.0.5
Patch release for MCR 23.0, which introduces the following key product
improvements:
Updated Fipster (Go runtime) to version go1.19.8m1
Bug fixes in the daemon and CLI
Resolved CVEs in the Go runtime
MCR 23.0.3
Patch release for MCR 23.0, which introduces the following key product
improvements:
Updated Fipster (Go runtime) to version go1.19.7m3
Updated containerd to version 1.6.19
Updated docker buildx to version 0.10.4
Updated cri-dockerd to version 0.3.1
Resolved CVEs in Moby
Resolved CVEs in the Go runtime and FIPS module
MCR 23.0.1
Initial release for MCR 23.0, which introduces the following features and
improvements:
The upstream pull requests detailed in the sections that follow are those that
pertain to the MCR product. For the complete list of changes and pull requests
upstream, refer to the github-milestones-23.0.15.
What is new
The MCR 23.0.15 patch release focuses on the delivery of bug fixes and the
upgrade to Go 1.22.
Known issues that apply to Moby 23.0.15 and thus also to MCR 23.0.15 include:
moby/moby#47728 The DNS
records for containers on a node that has restarted may not be resolvable by
containers on other nodes on the same overlay network. This may also occur
without a daemon restart, if the underlay network is experiencing packet loss
at the time the container is started. Only recently uncovered, this has been
an issue since the advent of the NetworkDB moby component.
The upstream pull requests detailed in the sections that follow are those that
pertain to the MCR product. For the complete list of changes and pull requests
upstream, refer to the github-milestones-23.0.14.
What is new
The MCR 23.0.14 patch release focuses on the delivery of CVE and
bug fixes.
Bug fixes
Moby
moby/moby#47891
Do not depend on containerd platform. Parse to return a typed error.
opencontainers/runc#4257 libcontainer: allow containers to make apps think fips is enabled/disabled for testing.
Security
The runc binaries provided here were built with go1.21.11, which includes a
security fix
for os.RemoveAll to fix a bug that would allow an attacker to trick runc
into deleting a directory on the host. We encourage users to update, and if
they build runc themselves, make sure they build their binaries using
go1.21.11 or later, or go1.22.4 or later.
Known issues that apply to Moby 23.0.14 and thus also to MCR 23.0.14 include:
moby/moby#47728 The DNS
records for containers on a node that has restarted may not be resolvable by
containers on other nodes on the same overlay network. This may also occur
without a daemon restart, if the underlay network is experiencing packet loss
at the time the container is started. Only recently uncovered, this has been
an issue since the advent of the NetworkDB moby component.
The upstream pull requests detailed in the sections that follow are those that
pertain to the MCR product. For the complete list of changes and pull requests
upstream, refer to the GitHub milestones.
What is new
The MCR 23.0.13 patch release focuses on the delivery of CVE and
bug fixes.
Known issues that apply to Moby 23.0.13 and thus also to MCR 23.0.13 include:
moby/moby#47728 The DNS
records for containers on a node that has restarted may not be resolvable by
containers on other nodes on the same overlay network. This may also occur
without a daemon restart, if the underlay network is experiencing packet loss
at the time the container is started. Only recently uncovered, this has been
an issue since the advent of the NetworkDB moby component.
The upstream pull requests detailed in the sections that follow are those that
pertain to the MCR product. For the complete list of changes and pull requests
upstream, refer to the GitHub milestones.
Enhancements
moby/moby#47831
apparmor: Allow confined runc to kill containers.
moby/moby#47780
Don’t check source exists with CreateMountpoint.
Known issues that apply to Moby 23.0.12 and thus also to MCR 23.0.12 include:
moby/moby#47728 The DNS
records for containers on a node that has restarted may not be resolvable by
containers on other nodes on the same overlay network. This may also occur
without a daemon restart, if the underlay network is experiencing packet loss
at the time the container is started. Only recently uncovered, this has been
an issue since the advent of the NetworkDB moby component.
ENGINE-855 Promoting a
worker node to the manager role shortly after demoting a different manager
node down to a worker role can cause the newly promoted node to fail. The
node fails before it becomes a manager and is never joined to the Raft
quorum.
Workaround:
Wait 30 seconds between demoting a manager node to a worker role and
promoting a different worker node to a manager role. If a node promotion
fails:
Run the docker node rm command from a different manager node to
remove the failed worker node from the cluster.
Run the docker swarm leave command from the failed worker node
to have that node exit the cluster. The worker node can now rejoin the
cluster as a fresh manager.
The upstream pull requests detailed in the sections that follow are those that
pertain to the MCR product. For the complete list of changes and pull requests
upstream, refer to the GitHub milestones.
Known issues that apply to Moby 23.0.11 and thus also to MCR 23.0.11 include:
moby/moby#47728 The DNS
records for containers on a node that has restarted may not be resolvable by
containers on other nodes on the same overlay network. This may also occur
without a daemon restart, if the underlay network is experiencing packet loss
at the time the container is started. Only recently uncovered, this has been
an issue since the advent of the NetworkDB moby component.
ENGINE-855 Promoting a
worker node to the manager role shortly after demoting a different manager
node down to a worker role can cause the newly promoted node to fail. The
node fails before it becomes a manager and is never joined to the Raft
quorum.
Workaround:
Wait 30 seconds between demoting a manager node to a worker role and
promoting a different worker node to a manager role. If a node promotion
fails:
Run the docker node rm command from a different manager node to
remove the failed worker node from the cluster.
Run the docker swarm leave command from the failed worker node
to have that node exit the cluster. The worker node can now rejoin the
cluster as a fresh manager.
Following the initial MCR 23.0.10 patch release, as testing and internal
usage continued, it was discovered that Mirantis customers on Linux could be
impacted by an upstream race condition issue in the 1.6.30-rc.1 version of
containerd. To remedy the matter, Mirantis quickly replaced that version of
containerd with a new version, containerd 1.6.30-rc.2.
The upstream pull requests detailed in the sections that follow are those that
pertain to the MCR product. For the complete list of changes and pull requests
upstream, refer to the GitHub milestones.
Fixed an issue that pertains to the enabling of FIPS for Swarm. Users need to
be aware that with this fix in place, FIPS-disabled nodes can no longer join a
FIPS-enabled cluster.
Fixed an issue that prevented docker exec from working in FIPS mode.
The upstream pull requests detailed in the sections that follow are those that
pertain to the MCR product. For the complete list of changes and pull requests
upstream, refer to the GitHub milestones.
What is new
The MCR 23.0.9 patch release focuses on the delivery of CVE and bug fixes.
Security
The upgrade to cri-dockerd 0.3.9 resolves the following CVEs:
containerd/containerd#9111 Check whether
content actually needed to be pushed to remote registry, and also whether
the cross-repo was mounted or already existed.
The upstream pull requests detailed in the sections that follow are those that
pertain to the MCR product. For the complete list of changes and pull requests
upstream, refer to the GitHub milestones.
What is new
The MCR 23.0.8 patch release focuses on the delivery of CVE and bug fixes.
The upstream pull requests detailed in the sections that follow are those that
pertain to the MCR product. For the complete list of changes and pull requests
upstream, refer to the GitHub milestones.
What is new
The MCR 23.0.7 patch release focuses on the delivery of CVE and bug fixes.
Bug fixes
moby/moby#45635 Fixed an
issue wherein encrypted overlay networks did not work on ports other than
4789.
The upstream pull requests detailed in the sections that follow are those that
pertain to the MCR product. For the complete list of changes and pull requests
upstream, refer to the GitHub milestones.
What is new
The MCR 23.0.6 patch release focuses on the delivery of CVE and bug fixes.
Bug fixes
moby/moby#45465 Fixed an
issue wherein the vfs storage driver was not working on NFS.
The upstream pull requests detailed in the sections that follow are those that
pertain to the MCR product. For the complete list of changes and pull requests
upstream, refer to the GitHub milestones.
What is new
docker/cli#4229 Added the
--all / -a option to the dockervolumeprune command.
docker/cli#4320 Added the
--format=json option to the dockerinfo command.
Bug fixes
docker/cli#4141 Fixed a
performance regression introduced in Docker CLI 23.0.0.
docker/cli#4157 Fixed an
issue wherein the progress indicator on docker cp was not
functioning as intended.
docker/cli#4177 Fixed an
issue with shell completion for docker compose --file.
moby/moby#45246 Fixed an
error that was caused by the incorrect handling of “default-address-pools”
in daemon.json.
moby/moby#45350 Fixed a log
loss with the AWSLogs log driver.
moby/moby#45403 Fixed a
regression introduced in v23.0.4 wherein dockerd would refuse to start
if the fixed-cidr config parameter was provided but not bip.
moby/moby#45376 Fixed a
panic in libnetwork that occurred during daemon startup.
moby/moby#45410 Fixed an
issue wherein the tag event was not sent when an image was built with
buildx.
The upstream pull requests detailed in the sections that follow are those that
pertain to the MCR product. For the complete list of changes and pull requests
upstream, refer to the GitHub milestones.
What is new
The MCR 23.0.3 patch release focuses on the delivery of CVE and bug fixes.
Security
moby/moby#45110 Credentials
are now redacted from Git URLs when generating BuildKit buildinfo. Fixes
CVE-2023-26054.
Fixed a number of issues that can cause Swarm encrypted overlay networks
to fail to uphold their guarantees, addressing CVE-2023-28841,
CVE-2023-28840, and
CVE-2023-28842.
A lack of kernel support for encrypted overlay networks now reports
as an error.
Encrypted overlay networks are eagerly set up, rather than waiting for
multiple nodes to attach.
Encrypted overlay networks are now usable on Red Hat Enterprise Linux 9
through the use of the xt_bpf kernel module.
Users of Swarm overlay networks should review GHSA-vwm3-crmr-xfxw
to ensure that unintentional exposure has not occurred. In addition, you
can consult Mirantis KB000009856 for temporary mitigation
instructions.
Bug fixes
containerd/containerd#8087,
moby/moby#45043 Resolved a
failure to start containers on detection of an AppArmor-enabled kernel,
due to missing checks for apparmor_parser.
moby/moby#45159 Fixed an
issued wherein anonymous volumes created by a VOLUME line in a
Dockerfile were being excluded from volume prune.
moby/moby#45155 Fixed an
issue wherein errors were not properly propagated during removal of
volumes on a Swarm node.
moby/moby#45112 Initiated a
temporary fix in BuildKit COPY--link by disabling mergeop/diffop
optimization.
moby/swarmkit#3112,
moby/moby#45107 Fixed an
issue wherein child tasks were not properly cleaned up following the
removal of a parent Swarm job.
moby/swarmkit#3082,
moby/moby#45107 Fixed an
issue with Swarm service creation logic that prevented a GenericResource
and a non-default network from being used together.
moby/swarmkit#3116,
moby/moby#45107 Fixed an
issue wherein Swarm CSI support required that the CSI plugin offer staging
endpoints in order to publish a volume.
containerd/fifo#47,
moby/moby#45051 Fixed an
issue wherein a panic occurred due to log buffering in a small number of
configurations.
moby/moby#45016 Errors that
originate in the REST-to-Swarm-gRPC-API translation layer are now logged
at the debug level, to reduce redundancy and noise.
moby/moby#45000 Fixed an
issue wherein a DNS resolution problem affected containers created with
--dns-opt or --dns-search when
systemd-resolved was used outside the container.
moby/moby#44980 Fixed a
panic that occurred whenever an attempt was made to log a
malformed/incorrect DNS query that originated from a container.
docker/cli#4107 Improved the
speed of docker ps by allowing users to opt out of size
calculations using --size=false.
docker/cli#4092 Extended
support for Bash completion to all plugins.
docker/cli#4083 Fixed an
issue wherein docker stack deploy failed on Windows when
special environment variables set by cmd.exe are present.
docker/cli#4065 Added
forward compatibility for future API versions by considering empty image
tags to be the same as <none>.
docker/cli#4063 Context
files are now written atomically to reduce the probability of corruption,
with improvements made to the correlating error message.
Beginning with the release of MCR 23.0, Mirantis no longer delivers
unsupported storage drivers to customers. While this creates an upgrade
barrier for customers using MCR 20.10 with an unsupported storage
driver, it is certain to prevent the late discovery of an unsupportable MCR deployment.
overlay2 is the only storage driver MCR builds and supports, with the
exception of the btrfs storage driver, which Mirantis will continue
to build and support exclusively for the SLES platform (for which
overlay2 is also viable).
In addition, Mirantis continues to make the vfs storage driver
available, but only for the purpose of helping to debug the storage back
end. The vfs driver remains unsupported and is entirely unfit for
use in production environments.
In removing the unsupported storage drivers, Mirantis aims to align
customers with a longer-term migration to new storage backends that are
currently under development in the Moby project.
Other points of interest:
overlay2 is now preferred to btrfs and zfs, which affects
new MCR deployments running on SLES systems.
overlay2 can no longer be used on a file system without
d_type,which may prevent in-place upgrades.
Semantic Versioning (SemVer) format
Beginning with the MCR 23.0 release, in alignment with Moby, Semantic
Versioning (SemVer) replaces Calendar Versioning (CalVer). Upstream Moby
is moving to SemVer as part of the migration to a Go module, however
Moby 23.0 is not yet Go module compatible.
CSI drivers
MCR 23.0 introduces experimental support for Container Storage Interface
(CSI) drivers in Swarm. CSI drivers are the same storage drivers that
Kubernetes uses, and as Swarm matures as a CSI-compliant implementation
it is expected that an entire ecosystem of persistent storage backends
will become available.
For use with Swarm, a CSI driver must not have a direct coupling to the
Kubernetes control plane. The driver must also be packaged natively for
Swarm as an Engine plugin.
At this time, CSI on Swarm is only fit for development and experimental
use. Mirantis is working actively with the Moby development community to
evangelize Swarm CSI and further develop its implementation, quickly
addressing any bugs and missing features as these become apparent.
BuildKit and buildx by default
MCR 23.0 defaults to the BuildKit builder (DOCKER_BUILDKIT=1) on
Linux. In addition, the 23.0 CLI makes dockerbuild an alias for
dockerbuildxbuild. This reflects the growing maturity of BuildKit,
and it will help customers to take advantage of the significant
improvements that BuidlKit brings in caching, performance, and
flexibility. Though this is a large change in behavior, it is also a
mostly transparent one, and users should be aware that they can still
request the previous behavior through DOCKER_BUILDKIT=0.
The MCR 23.0 release increments the supported Docker Engine API version
to 1.42. With this version of the API, the volume prune action only
considers anonymous volumes, ignoring those that were given a name at
creation. This change in behavior only occurs when both the CLI and
daemon support API version 1.42. Only MCR 23.0 supports API 1.42 at this
time, and thus an updated API client such as the MCR 23.0 CLI is
required to encounter this new behavior. Users should be aware that
older versions of the Docker Engine API continue to consider both
anonymous and named volumes when performing a volume prune.
A new all=1 filter is available for use with Docker Engine API 1.42,
to widen the filtering so that it once again considers named volumes.
Specifically, using an MCR 23.0 CLI, dockervolumeprune--filterall=1 produces the same result as dockervolumeprune with an
older CLI. dockersystemprune-a is not able to specify this
filter, and as such will always reflect the default behavior of the
negotiated API version.
Support for Windows Server 2016 is dropped in MCR 23.0. Windows Server
RS5 / LTSC 2019 (build 17763) is the new baseline version.
Health checks
In MCR 23.0, the overhead that is required to perform a health check is
no longer counted as part of the time threshold. Health checks now
properly resume when the daemon is restarted with running containers.
Also, rather than being left to hang indefinitely, timed-out health
checks are now more reliably killed.
Rootless and seccomp
MCR 23.0 further develops rootless mode by improving support for
privileged features, and by making significant enhancements to the
capabilities of the seccomp filtering implementation.
Advanced MCR users should consider the following changes when diagnosing
issues with privilege and permissions:
Engine plugins are discoverable at well known user-specific paths in
rootless mode.
--privileged rootless containers can use host devices.
--ipc=host now works in rootless mode.
seccomp profiles can now pass additional flags to the seccomp userspace
binary.
ErrnoRet can now be set in seccomp profiles.
clone3 is correctly blocked so that glibc will instead use
clone.
AF_VSOCK is blocked in the default profile as it cannot be
containerized.
Other enhancements to the built-in seccomp profile for new system
calls, such as BPF and clock_settime64.
The upstream pull requests detailed in the sections that follow are those that
pertain to the MCR product. For the complete list of changes and pull requests
upstream, refer to the GitHub milestones.
What is new
moby/moby#43992 Set Buildx
and BuildKit as the default builder on Linux.
moby/moby#43887,
moby/moby#43993 Added support
for alternate OCI runtimes that are compatible with the containerd runtime
v2 API on Linux.
moby/moby#42089 Added support
for the containerd runhcs shim on Windows (off by default).
moby/moby#42393 Added the
dockerd--validate option, to check the daemon JSON configuration and
exit.
moby/moby#42835 Added the
ability to configure the daemon HTTP proxy through flags or JSON
configuration.
moby/moby#42626 Added support
for RFC 3021 point-to-point networks (IPv4 /31s) and single hosts (IPv4
/32s). For networks with two or fewer addresses, IPAM does not reserve a
network and broadcast address.
moby/moby#42542 Added support
for setting ipvlan_flag and using the l3sipvlan_mode in the
ipvlan network driver.
moby/moby#43557 Added support
for displaying the value of the metacopy option for the overlay2
storage driver.
moby/moby#43368 Added support
for describing Windows devices using the syntax IDType://ID.
moby/moby#42330 Added
RootlessKit, slirp4netns, and VPNKit version reporting.
moby/moby#41982 Added
experimental support for SwarmKit cluster volumes (CSI).
docker/cli#3606 CLI: Add
cluster volume (CSI) options to dockervolume.
docker/cli#3662 CLI: Add
cluster volume (CSI) support to dockerstack.
docker/cli#2907 Added support
for SwarmKit jobs in dockerstackdeploy.
docker/cli#3544 Added the
dockerstackconfig command, which outputs the merged and interpolated
configuration files as used by stackdeploy.
docker/cli#3567 Added the
dockercontextshow command, which prints the name of the current
context.
docker/cli#2936 Added the
--format=json shorthand variant of --format="{{json.}}" to all
commands supporting the --format flag.
docker/cli#3377 Added a
--quiet option to both the dockercreate and dockerrun
commands, to suppress output when pulling an image.
docker/cli#3547 Added a
--force option to the dockernetworkrm subcommand, which causes
the CLI to return a 0 exit code even if the network does not exist.
This option has no effect on the server-side procedure for removing a
network.
docker/cli#3614 Added a
--signal option to the dockerstop and dockerrestart commands.
moby/moby#44703 Added a
--version (-v) flag to docker-proxy.
moby/moby#44778 Plugins are
now discoverable in well-known user-level paths when the daemon is running
in rootless mode.
moby/moby#44777,
moby/moby#44832 Improved the
daemon handling of common alternate JSON encodings in the JSON
configuration file, which includes the reporting of useful errors.
UTF-8 with a byte order mark is accepted.
UTF-16 with a byte order mark is accepted.
Invalid UTF-8 is reported early, with a comprehensible error message.
moby/moby#43369 Now allows
the use of STOPSIGNAL through the dockercommit command.
moby/moby#42132 Added a new
option to the awslogs log driver, to allow for skipping log stream
creation in CloudWatch.
moby/moby#42838 Added a new
option to the awslogs log driver, to specify the log format that is
sent to CloudWatch.
moby/moby#43100 Added a new
option to the fluentd log driver, to set the reconnection interval.
moby/moby#42224 Added new
options-setters to the Go API client: WithTLSClientConfigFromEnv(),
WithHostFromEnv(), and WithVersionFromEnv().
docker/cli#3429 Added
generation of shell command completion through a dockercompletion
subcommand.
Added to the API:
moby/moby#42064Swarm
header to GET/_ping and HEAD/_ping, which allows single-request
detection of Swarm support.
moby/moby#43206signal
parameter to POST/containers/{id}/stop and POST/containers/{id}/restart, to set the signal used.
moby/moby#43484CreateMountPoint parameter to POST/containers/create.
moby/moby#42531shared-size parameter to GET/images/json, to enable shared-size
computation of images.
moby/moby#42559type
parameter to GET/system/df, to control which object types are
considered in computing disk usage.
Removed
docker/cli#2504 Removed
support for reading configuration from ~/.dockercfg.
docker/cli#3739 Removed the
-g and --graph daemon options in favor of --data-root.
docker/cli#3470 Removed
client-side sorting of results, in favor of the order in which the search
API returns results.
docker/cli#3542 Removed
warnings related to deprecated storage drivers from the CLI. Such warnings
are now handled by the daemon instead.
docker/cli#3543 Removed
Experimental client field from dockerversion.
moby/moby#43378 Explicit
opt-in is required to use deprecated storage drivers, which are not
automatically selected when upgrading.
moby/moby#43472 Removed
deprecated support for overlay and overlay2 storage drivers on
backing filesystems without d_type support.
moby/moby#44279 Removed the
deprecated overrideKernelCheck option from the overlay2 storage
driver.
moby/moby#43695 Removed
support for the deprecated io.containerd.runtime.v1.linux OCI runtime.
moby/moby#42247 Removed
host-discovery and overlay networks with external k/v stores.
moby/moby#44414 Removed a
deprecated arm platform fallback. --platformlinux/arm/vY now
returns an error when arm/vY is not available rather than pulling the
wrong image.
moby/moby#42694 Removed the
deprecated SetCustomHTTPHeaders(), CustomHTTPHeaders()
options-setters from the Go client API.
moby/moby#44022 Removed the
deprecated WithDialer() option-setter from the Go client API. Instead,
use WithDialContext().
moby/moby#43250 Removed the
daemon implementation of opts.QuotedString, which has moved to the
CLI.
moby/moby#43555 Removed the
separate daemon ID from the trust-key in the daemon, and disabled the
generation of the trust-key.
moby/moby#43214 Removed from
the API the deprecated KernelMemory option from POST/containers/create on API version >= 1.42.
moby/moby#43254 Removed
daemon support for Windows versions older than Windows Server RS5 / LTSC
2019 (build 17763).
Deprecated
moby/moby#42608 Deprecated
BuilderSize on API version >= 1.42.
moby/moby#43908 Deprecated
BuildCache.Parent in favor of the newly introduced
BuildCache.Parents on API version >= 1.42.
moby/moby#43477 Deprecated
pkg/urlutil, moving the implementation to
builder/remotecontext/urlutil.
moby/moby#42648 Added
support for setting flags passed to seccomp(2) in seccomp profiles.
moby/moby#42005 Refactored
seccomp types to reuse runtime-spec, and added support for ErrnoRet.
moby/moby#42604 Added
support for DefaultErrnoRet in seccomp profiles.
moby/moby#42649 Added an
explicit DefaultErrnoRet field to the default seccomp profile, with no
resulting behavior change.
moby/moby#44563 Blocked
socket with AF_VSOCK in the default seccomp profile.
moby/moby#42083 Reenabled
process_vm_readv and process_vm_writev in the default seccomp
profile.
moby/moby#43812 Added
syscalls related to PKU to the default seccomp profile.
moby/moby#43775 Now allow
clock_settime64 with CAP_SYS_TIME.
moby/moby#43988 Now allow
bpf with CAP_BPF and perf_event_open with CAP_PERFMON.
moby/moby#42681 Explicitly
set the clone3 syscall to return ENOSYS in the default seccomp
profile, in order to ensure glibc correctly falls back to using
clone.
Bug fixes
moby/moby#44944 Fixed an
issue wherein BuildKit-enabled builds with inline caching enabled were
causing the daemon to crash.
moby/moby#44959 Fixed an
issue wherein BuildKit improperly loaded cached layers created by previous
versions.
moby/moby#44937 Fixed an
issue wherein ipvlan networks created prior to upgrading would prevent
the daemon from starting.
moby/moby#44922 Fixed an
issue wherein the overlay2 storage driver failed early in metacopy
testing when it was initialized on an unsupported backing filesystem.
moby/moby#44892 Fixed an
issue wherein exec exit events were misinterpreted as container exits
under some runtimes, such as Kata Containers.
docker/cli#4004 Improved the
error message that the CLI returned upon receipt of a truncated JSON
response caused by the API hanging up during a request.
docker/cli#4004 Fixed an
incorrect CLI exit code that occurred when attempting to execute a
directory with a runc compiled using Go 1.20.
docker/cli#4004 Fixed an
issue wherein --device-write-bps interpreted the size argument not
as a size but as a path.
moby/moby#42661 Promoted
overlay2 to default storage driver. btrfs and zfs are now
opt-in.
docker/cli#2708 Added a
loading spinner to the dockercp command.
docker/cli#2819 Deprecated
the ElectAuthServer function and forced it to return the default
registry without calling the GET/info API endpoint.
docker/cli#2940 Progress bars
no longer reverse when Swarm services are rolled back.
docker/cli#2972net.JoinHostPort() is now used to fix formatting with IPv6 addresses.
docker/cli#3044 CLI error
messages are now printed to stderr.
docker/cli#3179 Improved the
performance of dockerinfo for instances in which a custom --format
is used that only requires local information. Now, the CLI only uses the
daemon API if it detects that information from the daemon is required.
docker/cli#3245 Removed the
default value from the --stop-signal flag, as at times it may not
reflect the actual default in use by the daemon.
docker/cli#3257 Added Compose
schema 3.10 to dockerstack to thus allow ommission of the
version field (resulting in latest).
docker/cli#3445 Compose
version 3 is now equivalent to 3.x, the latest version, in dockerstack.
docker/cli#3302 Fixed an
issue wherein <Ctrl-C> did not send SIGTERM when invoking dockerrun without --interactive (-i) on Windows.
docker/cli#3469 Added
relative source paths to the run command in the -v / --volume
and -m / --mount flags.
docker/cli#3627dockerexec-t now sets the console size for the executed process immediately upon
creation.
docker/cli#3645 Updated the
pretty-print format of dockerinfo, to provide more details on
installed plugins.
docker/cli#3668 Added
printing of warning messages for the dockercontextlist and dockercontextuse commands, to display whenever the context is overridden by
the environment.
docker/cli#3694 Added a
custom aliases annotation, to print all available aliases for a
command.
docker/cli#3721 The CLI no
longer creates or updates the context file when running dockercontextuse with the already active context.
docker/cli#3791 Non-existing
contexts are now ignored when dockercontextrm--force is run.
docker/cli#3812 Integers can
now be overridden to 0 in Compose files.
docker/cli#3849SIGINT
(<Ctrl-c>) now passes through to running containers rather than causing
the CLI to exit.
docker/cli#3892 Improved the
dockerportCONTAINER UX by sorting ports prior to printing.
moby/moby#39812 Improvement
to the API wherein GET/containers/{id}/logs and POST/containers/{id}/attach now report which raw-stream format is in use by
way of the Content-type response header on API version >= 1.42.
moby/moby#41636 Set default
sandbox size for Windows layers to 127GB, and ensured that the
--storage-opts flag applies to all storage on Windows.
moby/moby#41675 Removed the
plugin section from the containerd configuration file
(/var/run/docker/containerd/containerd.toml).
moby/moby#41842null
manifests are now rejected during tar import.
moby/moby#41854 Added shim
configuration for custom runtimes for plugins.
moby/moby#41935 Fixed an
issue wherein container health checks did not resume when the daemon was
restarted.
moby/moby#42273 Fixed an
issue wherein quota was disabled on cleanup of the btrfs driver.
moby/moby#42638 Accessible
host devices can now be mounted in --privileged rootless containers.
moby/moby#42676 Fixed the
incorrect handling of **/foo recursive wildcard directory patterns in
.dockerignore.
moby/moby#43103dockerimport--platform can now mark an imported image as a foreign
architecture.
moby/moby#43131 The
validation of CPU real-time options is now performed when the daemon
starts, rather than being done separately for each individual container,
which allows startup to fail earlier in the process.
moby/moby#43210 Close the
namesgenerator package off from new additions.
moby/moby#43322 The
containers/{id}/attach/ws API endpoint only attaches to the requested
streams, as specified by the stdin, stdout, and stderr
parameters on API version >= 1.42.
moby/moby#43409 Fixed an
issue wherein UDP traffic in containers did not work following container
restart under sustained traffic.
moby/moby#43434 Added support
for pulling images with custom amd64 micro-architecture feature levels, as
supported by the latest versions of Go, GCC, LLVM, and other compilers.
moby/moby#43463 Improved
validation of invalid JSON requests in the API.
moby/moby#43480 Mitigated the
impact of slow exec starts on health checks. Now, check timeout only
applies to the duration that the health check command is running, and the
time needed to start the command no longer counts against the timeout.
moby/moby#43659 Fixed an
issue wherein overlay2 mounts were not cleaned up following failed
container starts, or daemon shutdowns.
moby/moby#43675 Matched
manifest list resolution with containerd.
moby/moby#43813firewalld-enabled networking is now skipped when the daemon is running
in rootless mode.
moby/moby#43858 Fixed an
issue wherein custom NAT networks were not re-created following daemon
restart if they were missing on Windows.
moby/moby#43994 Fixed an
issue wherein the container health-check process would not terminate at
time out.
moby/moby#44237 Fixed an
issue wherein restart policies and volume refs were not correctly restored
when the live-restore feature is enabled.
moby/moby#44259 Only
anonymous volumes are now pruned by default on API version >= v1.42. To
restore the previous setting, wherein named volumes were also included in
pruning, pass the filter all=true.
moby/moby#42715 The API now
supports concurrent calls to the GET/system/df endpoint.
moby/moby#44831 Improved the
reliability of the daemon dumping the stack when sent a SIGQUIT, and
exit with status code 2 on SIGQUIT.
moby/moby#43294 Improved the
reliability of dockerlogs-f on Windows, and prevent newlines from
being dropped in the local log driver.
moby/moby#44856 Fixed an
issue wherein a rare deadlock in the daemon occurred due to the buffering
of container logs.
moby/moby#44834 Improved
error handling in misc filesystem operations so that the daemon can start
on a overlayfs backing filesystem.
moby/moby#44863 Fixed an
issue wherein --ipc=host was incorrectly handled whenever the daemon
was run in rootless mode.
moby/moby#44752 Fixed a
long-standing set of issues wherein stale conntrack entries caused
incorrect routing of UDP traffic for containers.
moby/moby#44633 Fixed an
issue wherein half-registered containers were listed in the API, as well
as a nil pointer de-reference and panic that were caused by the use of a
partially registered container in API calls.
moby/moby#44845 Fixed an
issue wherein the DOCKER-USERip6tables chain was not created.
moby/moby#44727 Fixed a
failure to clean up iptables rules when the ip6tables command is not
available.
moby/moby#44811 Fixed an
issue wherein a number of iptables NAT rules were not cleaned up when
reenabling the userland proxy.
moby/moby#44400 Fixed a
process leak that can occur when a container start fails on Linux.
moby/moby#44725 Fixed an
issue wherein the CreatedAt time of a volume was reflecting
initialization and not creation.
docker/cli#3901,
docker/cli#3904 Fixed an
issue in a number of commands wherein the CLI incorrectly reported an
incompatible server rather than an unreachable server.
Mirantis Container Runtime (MCR) enables containers to run efficiently on any
substrate, powering business critical applications at leading companies
worldwide.
MKE 3.5.x and 3.4.x do not support Windows Server 2022.
OS distributed versions not listed in the following matrix are not
supported under Standard Support Subscriptions. For such versions, contact
your Mirantis rep to discuss support options.
Caution
CentOS 8 entered EOL status as of 31-December-2021. For this reason,
Mirantis no longer supports CentOS 8 for all versions of MCR. We encourage
customers who are using CentOS 8 to migrate onto any one of the supported
operating systems, as further bug fixes will not be forthcoming.
The MKE, MSR, and MCR platform subscription provides software, support, and
certification to enterprise development and IT teams that build and manage
critical apps in production at scale. It provides a trusted platform for all
apps which supply integrated management and security across the app lifecycle,
comprised primarily of Mirantis Kubernetes Engine, Mirantis Secure Registry
(MSR), and Mirantis Container Runtime (MCR).
Detailed here are all currently supported product versions, as well as the
product versions most recently deprecated. It can be assumed that all earlier
product versions are at End of Life (EOL).
Important Definitions
“Major Releases” (X.y.z): Vehicles for delivering major and minor feature
development and enhancements to existing features. They incorporate all
applicable Error corrections made in prior Major Releases, Minor Releases,
and Maintenance Releases.
“Minor Releases” (x.Y.z): Vehicles for delivering minor feature
developments, enhancements to existing features, and defect corrections. They
incorporate all applicable Error corrections made in prior Minor Releases,
and Maintenance Releases.
“Maintenance Releases” (x.y.Z): Vehicles for delivering Error corrections
that are severely affecting a number of customers and cannot wait for the
next major or minor release. They incorporate all applicable defect
corrections made in prior Maintenance Releases.
“End of Life” (EOL): Versions are no longer supported by Mirantis,
updating to a later version is recommended.
With the intent of improving the customer experience, Mirantis strives to offer
maintenance releases for the Mirantis Container Runtime (MCR) software every
six to eight weeks. Primarily, these maintenance releases will aim to resolve
known issues and issues reported by customers, quash CVEs, and reduce technical
debt. The version of each MCR maintenance release is reflected in the third
digit position of the version number (as an example, for MCR 23.0 the most
current maintenance release is MCR 23.0.12).
Regarding major releases, MCR is dependent on Docker Engine major releases
upstream. Following such a release, the Mirantis support lifespan of the
resulting major version of MCR will adhere to our legacy two year standard.
As necessary, Mirantis may produce an MCR release between upstream releases.
These so-called dash releases can contain hotfixes, packaging changes or
depenency changes. In such cases, these dash releases replace the previous
release of the same version (as an example, MCR 23.0.9-1 replaces MCR 23.0.9).
Note
In general, MCR dash releases for a particular patch version share the same OS and kernel compatibility.
The MCR team will make every effort to hold to the release cadence stated here.
Customers should be aware, though, that development and release cycles can
change, and without advance notice.
A Technology Preview feature provides early access to upcoming product
innovations, allowing customers to experiment with the functionality and
provide feedback.
Technology Preview features may be privately or publicly available and neither
are intended for production use. While Mirantis will provide assistance with
such features through official channels, normal Service Level Agreements do not
apply.
As Mirantis considers making future iterations of Technology Preview features
generally available, we will do our best to resolve any issues that customers
experience when using these features.
During the development of a Technology Preview feature, additional components
may become available to the public for evaluation. Mirantis cannot guarantee
the stability of such features. As a result, if you are using Technology
Preview features, you may not be able to seamlessly upgrade to subsequent
product releases.
Mirantis makes no guarantees that Technology Preview features will graduate to
generally available features.
Verify that you now have the key with the fingerprint
DD911E995A64A202E85907D6BC14F10B6D085F96 by searching
for the last eight characters of the fingerprint:
Follow the link to download your MCR license file found in the confirmation
email you received after purchasing MCR from the Mirantis web store. If you
cannot access your confirmation email, contact Mirantis.
Copy the file to the data root directory and name it docker.lic. The
default data root directory is /var/lib/docker.
You only need to set up the repository once, after which you can install MCR
from the repository and upgrade as needed. MCR supports the latest version of
CentOS 64-bit running on x86_64.
Note
MCR supports the overlay2 storage drivers on CentOS. The following
limitations apply:
If you enable selinux, MCR supports overlay2 on CentoOS 7.4 and
higher.
If you disable selinux, MCR supports overlay2 on CentOS 7.2 and
higher, with kernel version 3.10.0-693 and higher.
Remove any existing Docker repositories from /etc/yum.repos.d/:
sudorm/etc/yum.repos.d/docker*.repo
Store https://repos.mirantis.com in an environment variable:
exportDOCKERURL="https://repos.mirantis.com"
Store the value of DOCKERURL using a yum variable in
/etc/yum/vars/:
Follow the link to download your MCR license file found in the confirmation
email you received after purchasing MCR from the Mirantis web store. If you
cannot access your confirmation email, contact Mirantis.
Copy the file to the data root directory and name it docker.lic. The
default data root directory is /var/lib/docker.
Follow the link to download your MCR license file found in the confirmation
email you received after purchasing MCR from the Mirantis web store. If you
cannot access your confirmation email, contact Mirantis.
Copy the file to the data root directory and name it docker.lic. The
default data root directory is /var/lib/docker.
You only need to set up the repository once, after which you can install MCR
from the repository and upgrade as needed. MCR supports RHEL 64-bit version 7.4
and higher running on x86_64.
Note
MCR supports the overlay2 storage drivers on RHEL. The following
limitations apply:
If you enable selinux, MCR supports overlay2 on RHEL 7.4 and
higher (OverlayFS).
If you disable selinux, MCR supports overlay2 on RHEL 7.2 and
higher, with kernel version 3.10.0-693 and higher.
Follow the link to download your MCR license file found in the confirmation
email you received after purchasing MCR from the Mirantis web store. If you
cannot access your confirmation email, contact Mirantis.
Copy the file to the data root directory and name it docker.lic. The
default data root directory is /var/lib/docker.