mirror of https://github.com/moby/moby.git, synced 2022-11-09 12:21:53 -05:00

DHE 1.0.1 release

Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>

parent a47fb5edca
commit 38af208da1

4 changed files with 152 additions and 4 deletions
@ -88,6 +88,7 @@ pages:
- ['docker-hub-enterprise/install.md', 'Docker Hub Enterprise', ' Installation' ]
- ['docker-hub-enterprise/configuration.md', 'Docker Hub Enterprise', ' Configuration options' ]
- ['docker-hub-enterprise/support.md', 'Docker Hub Enterprise', 'Support' ]
- ['docker-hub-enterprise/release-notes.md', 'Docker Hub Enterprise', 'Release notes' ]

# Examples:
- ['examples/index.md', '**HIDDEN**']
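Review bot: the nav titles in this list are inconsistent in the lines shown: the two entries above the new one carry a leading space (`' Installation'`, `' Configuration options'`) while `'Support'` and the added `'Release notes'` do not. Since this hunk is already touching the DHE block, normalise all four entries to the same form so the rendered sidebar labels line up.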
@ -33,9 +33,9 @@ copy of DHE.

## Prerequisites

DHE requires the following:
DHE 1.0.1 requires the following:

* Commercially supported Docker Engine 1.6.0 or later running on an
* Commercially supported Docker Engine 1.6.1 or later running on an
Ubuntu 14.04 LTS, RHEL 7.1 or RHEL 7.0 host. (See below for instructions on how
to install the commercially supported Docker Engine.)

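Review bot: the prerequisite bump from CS Docker Engine 1.6.0 to 1.6.1 is the substance here and is right given the 1.6.1 security fixes, but changing "DHE requires the following" to "DHE 1.0.1 requires the following" ties this prerequisites section to a single DHE version. Either keep the generic wording or commit to updating this line with every release, otherwise the install page will advertise a stale DHE version while the engine requirement moves on.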
@ -125,6 +125,35 @@ $ exit

> **Note**: you may need to reboot your server to update its LTS kernel.

## Upgrading the Commercially Supported Docker Engine

CS Docker Engine 1.6.1 contains fixes to security vulnerabilities,
and customers should upgrade to it immediately.

> **Note**: If you have CS Docker Engine 1.6.0 installed, it must be upgraded;
however, due to compatibility issues, [DHE must be upgraded](#upgrading-docker-hub-enterprise)
first.

The CS Docker Engine installation script set up the RHEL/Ubuntu package repositories,
so upgrading the Engine only requires you to run the update commands on your server.

### RHEL 7.0/7.1 upgrade

To upgrade CS Docker Engine, run the following command:

```
$ sudo yum update
$ sudo systemctl daemon-reload && sudo systemctl restart docker
```

### Ubuntu 14.04 LTS upgrade

To upgrade CS Docker Engine, run the following command:

```
$ sudo apt-get update && apt-get dist-upgrade docker-engine-cs
```

## Installing Docker Hub Enterprise

Once the commercially supported Docker Engine is installed, you can install DHE
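Review bot: the Ubuntu upgrade command `$ sudo apt-get update && apt-get dist-upgrade docker-engine-cs` drops `sudo` from the second command, so once the update succeeds the dist-upgrade runs unprivileged and fails; it should read `sudo apt-get update && sudo apt-get dist-upgrade docker-engine-cs`. Giving `dist-upgrade` a package name is also unusual; if the intent is to upgrade only the engine package, `sudo apt-get install docker-engine-cs` does that predictably. The same scoping question applies to the RHEL step: `sudo yum update` with no package argument upgrades every package on the host, not just the engine, so either say that is intended or name the package. Finally, the RHEL step restarts the daemon explicitly while the Ubuntu step does not; if the Ubuntu package restarts docker itself, a sentence saying so would keep the two sections parallel.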
@ -133,7 +162,6 @@ and the [Docker Hub](https://registry.hub.docker.com/). It is able to restart
and reconfigure itself using the Docker socket that is bind-mounted to its
container.


Start installing DHE by running the "dockerhubenterprise/manager" container:

```
@ -280,7 +308,7 @@ based authentication.
See [DHE Authentication settings](./configuration.md#authentication) for more
details.

# Upgrading
## Upgrading Docker Hub Enterprise

DHE has been designed to allow on-the-fly software upgrades. Start by
clicking on the "System Health" tab. In the upper, right-hand side of the
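Review bot: renaming the heading from `# Upgrading` to `## Upgrading Docker Hub Enterprise` changes its anchor, which the new `[DHE must be upgraded](#upgrading-docker-hub-enterprise)` link elsewhere in this patch depends on; check that nothing still links to the old `#upgrading` anchor and that the two upgrade sections cross-reference each other correctly in both directions. The level change to H2 is welcome, as it makes this section consistent with the sibling `## Upgrading the Commercially Supported Docker Engine` section added in the same patch.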
@ -306,6 +334,13 @@ DHE.
Assuming you have a decent internet connection, the entire upgrade process
should complete within a few minutes.

You should now [upgrade CS Docker Engine](#upgrading-the-commercially-supported-docker-engine).

> **Note**: If Docker engine is upgraded first (DHE 1.0.0 on CS Docker Engine 1.6.1),
> DHE can still be upgraded from the command line by running:
>
> `sudo bash -c "$(sudo docker run dockerhubenterprise/manager:1.0.0 upgrade 1.0.1)"`

## Next Steps

For information on configuring DHE for your environment, take a look at the
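Review bot: the fallback command `sudo bash -c "$(sudo docker run dockerhubenterprise/manager:1.0.0 upgrade 1.0.1)"` hard-codes the `1.0.0` tag and the `1.0.1` target without saying that `1.0.0` is the currently installed manager version; readers on a later release will copy it verbatim, so the note should state that the tag must match the installed version. Because the command executes whatever the container prints under `sudo bash`, the note should also say what that output is (the upgrade script) so the reader understands what is being run as root before they run it. Minor: "Docker engine" in the note should be "Docker Engine" to match the rest of the page.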
docs/sources/docker-hub-enterprise/release-notes.md (Normal file, 109 lines)
@ -0,0 +1,109 @@
page_title: Docker Hub Enterprise: Release notes
page_description: Release notes for Docker Hub Enterprise
page_keywords: docker, documentation, about, technology, understanding, enterprise, hub, registry, release

# Release Notes

## Docker Hub Enterprise

### DHE 1.0.1
(11 May 2015)

- Addresses compatibility issue with 1.6.1 CS Docker Engine

### DHE 1.0.0
(23 Apr 2015)

- First release

## Commercialy Supported Docker Engine

### CS Docker Engine 1.6.1
(11 May 2015)

Docker Engine version 1.6.1 has been released to address several vulnerabilities
and is immediately available for all supported platforms. Users are advised to
upgrade existing installations of the Docker Engine and use 1.6.1 for new installations.

It should be noted that each of the vulnerabilities allowing privilege escalation
may only be exploited by a malicious Dockerfile or image. Users are advised to
run their own images and/or images built by trusted parties, such as those in
the official images library.

Please send any questions to security@docker.com.


#### **[CVE-2015-3629](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3629) Symlink traversal on container respawn allows local privilege escalation**

Libcontainer version 1.6.0 introduced changes which facilitated a mount namespace
breakout upon respawn of a container. This allowed malicious images to write
files to the host system and escape containerization.

Libcontainer and Docker Engine 1.6.1 have been released to address this
vulnerability. Users running untrusted images are encouraged to upgrade Docker Engine.

Discovered by Tõnis Tiigi.


#### **[CVE-2015-3627](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3627) Insecure opening of file-descriptor 1 leading to privilege escalation**

The file-descriptor passed by libcontainer to the pid-1 process of a container
has been found to be opened prior to performing the chroot, allowing insecure
open and symlink traversal. This allows malicious container images to trigger
a local privilege escalation.

Libcontainer and Docker Engine 1.6.1 have been released to address this
vulnerability. Users running untrusted images are encouraged to upgrade
Docker Engine.

Discovered by Tõnis Tiigi.

#### **[CVE-2015-3630](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3630) Read/write proc paths allow host modification & information disclosure**

Several paths underneath /proc were writable from containers, allowing global
system manipulation and configuration. These paths included `/proc/asound`,
`/proc/timer_stats`, `/proc/latency_stats`, and `/proc/fs`.

By allowing writes to `/proc/fs`, it has been noted that CIFS volumes could be
forced into a protocol downgrade attack by a root user operating inside of a
container. Machines having loaded the timer_stats module were vulnerable to
having this mechanism enabled and consumed by a container.

We are releasing Docker Engine 1.6.1 to address this vulnerability. All
versions up to 1.6.1 are believed vulnerable. Users running untrusted
images are encouraged to upgrade.

Discovered by Eric Windisch of the Docker Security Team.

#### **[CVE-2015-3631](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3631) Volume mounts allow LSM profile escalation**

By allowing volumes to override files of `/proc` within a mount namespace, a user
could specify arbitrary policies for Linux Security Modules, including setting
an unconfined policy underneath AppArmor, or a `docker_t` policy for processes
managed by SELinux. In all versions of Docker up until 1.6.1, it is possible for
malicious images to configure volume mounts such that files of proc may be overridden.

We are releasing Docker Engine 1.6.1 to address this vulnerability. All versions
up to 1.6.1 are believed vulnerable. Users running untrusted images are encouraged
to upgrade.

Discovered by Eric Windisch of the Docker Security Team.

#### **AppArmor policy improvements**

The 1.6.1 release also marks preventative additions to the AppArmor policy.
Recently, several CVEs against the kernel have been reported whereby mount
namespaces could be circumvented through the use of the sys_mount syscall from
inside of an unprivileged Docker container. In all reported cases, the
AppArmor policy included in libcontainer and shipped with Docker has been
sufficient to deflect these attacks. However, we have deemed it prudent to
proactively tighten the policy further by outright denying the use of the
`sys_mount` syscall.

Because this addition is preventative, no CVE-ID is requested.

### CS Docker Engine 1.6.0
(23 Apr 2015)

- First release, please see the [Docker Engine 1.6.0 Release notes](/release-notes/)
for more details.
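Review bot: in the CVE-2015-3630 and CVE-2015-3631 entries, "All versions up to 1.6.1 are believed vulnerable" reads as including 1.6.1, which is the fixed release; "prior to 1.6.1" states the affected range unambiguously, and the same applies to "In all versions of Docker up until 1.6.1" in the 3631 text. Typo in the section heading: `## Commercialy Supported Docker Engine` should be `Commercially` (the same misspelling is in the release-notes index hunk of this patch, so fix both). Also, the 1.6.0 entry links to `/release-notes/`, a site-absolute path, while every other link in this patch is a relative `.md` path; worth confirming the mkdocs build resolves it rather than emitting a dead link.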
@ -131,3 +131,6 @@ handled centrally by Machine instead of letting each driver individually do it.
host’s TLS certificates for good security practice and for if a host’s IP
address changes.

## Docker Hub Enterprise & Commercialy Supported Docker Engine

See the [DHE and CS Docker Engine release notes](docker-hub-enterprise/release-notes.md).
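Review bot: typo in the new heading, `Commercialy` should be `Commercially`; the same misspelling appears in the release-notes.md file added by this patch, so correct both in one go. Since this index is where users look for engine advisories, consider also naming the CS Docker Engine 1.6.1 security release in the line here rather than only linking to the DHE page.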