1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

DHE 1.0.1 release

Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
This commit is contained in:
Sven Dowideit 2015-05-11 21:23:56 +00:00
parent a47fb5edca
commit 38af208da1
4 changed files with 152 additions and 4 deletions

View file

@ -88,6 +88,7 @@ pages:
- ['docker-hub-enterprise/install.md', 'Docker Hub Enterprise', '&nbsp;&nbsp;Installation' ]
- ['docker-hub-enterprise/configuration.md', 'Docker Hub Enterprise', '&nbsp;&nbsp;Configuration options' ]
- ['docker-hub-enterprise/support.md', 'Docker Hub Enterprise', 'Support' ]
- ['docker-hub-enterprise/release-notes.md', 'Docker Hub Enterprise', 'Release notes' ]
# Examples:
- ['examples/index.md', '**HIDDEN**']

View file

@ -33,9 +33,9 @@ copy of DHE.
## Prerequisites
DHE requires the following:
DHE 1.0.1 requires the following:
* Commercially supported Docker Engine 1.6.0 or later running on an
* Commercially supported Docker Engine 1.6.1 or later running on an
Ubuntu 14.04 LTS, RHEL 7.1 or RHEL 7.0 host. (See below for instructions on how
to install the commercially supported Docker Engine.)
@ -125,6 +125,35 @@ $ exit
> **Note**: you may need to reboot your server to update its LTS kernel.
## Upgrading the Commercially Supported Docker Engine
CS Docker Engine 1.6.1 contains fixes to security vulnerabilities,
and customers should upgrade to it immediately.
> **Note**: If you have CS Docker Engine 1.6.0 installed, it must be upgraded;
however, due to compatibility issues, [DHE must be upgraded](#upgrading-docker-hub-enterprise)
first.
The CS Docker Engine installation script set up the RHEL/Ubuntu package repositories,
so upgrading the Engine only requires you to run the update commands on your server.
### RHEL 7.0/7.1 upgrade
To upgrade CS Docker Engine, run the following command:
```
$ sudo yum update
$ sudo systemctl daemon-reload && sudo systemctl restart docker
```
### Ubuntu 14.04 LTS upgrade
To upgrade CS Docker Engine, run the following command:
```
$ sudo apt-get update && apt-get dist-upgrade docker-engine-cs
```
## Installing Docker Hub Enterprise
Once the commercially supported Docker Engine is installed, you can install DHE
@ -133,7 +162,6 @@ and the [Docker Hub](https://registry.hub.docker.com/). It is able to restart
and reconfigure itself using the Docker socket that is bind-mounted to its
container.
Start installing DHE by running the "dockerhubenterprise/manager" container:
```
@ -280,7 +308,7 @@ based authentication.
See [DHE Authentication settings](./configuration.md#authentication) for more
details.
# Upgrading
## Upgrading Docker Hub Enterprise
DHE has been designed to allow on-the-fly software upgrades. Start by
clicking on the "System Health" tab. In the upper, right-hand side of the
@ -306,6 +334,13 @@ DHE.
Assuming you have a decent internet connection, the entire upgrade process
should complete within a few minutes.
You should now [upgrade CS Docker Engine](#upgrading-the-commercially-supported-docker-engine).
> **Note**: If Docker engine is upgraded first (DHE 1.0.0 on CS Docker Engine 1.6.1),
> DHE can still be upgraded from the command line by running:
>
> `sudo bash -c "$(sudo docker run dockerhubenterprise/manager:1.0.0 upgrade 1.0.1)"`
## Next Steps
For information on configuring DHE for your environment, take a look at the

View file

@ -0,0 +1,109 @@
page_title: Docker Hub Enterprise: Release notes
page_description: Release notes for Docker Hub Enterprise
page_keywords: docker, documentation, about, technology, understanding, enterprise, hub, registry, release
# Release Notes
## Docker Hub Enterprise
### DHE 1.0.1
(11 May 2015)
- Addresses compatibility issue with 1.6.1 CS Docker Engine
### DHE 1.0.0
(23 Apr 2015)
- First release
## Commercialy Supported Docker Engine
### CS Docker Engine 1.6.1
(11 May 2015)
Docker Engine version 1.6.1 has been released to address several vulnerabilities
and is immediately available for all supported platforms. Users are advised to
upgrade existing installations of the Docker Engine and use 1.6.1 for new installations.
It should be noted that each of the vulnerabilities allowing privilege escalation
may only be exploited by a malicious Dockerfile or image. Users are advised to
run their own images and/or images built by trusted parties, such as those in
the official images library.
Please send any questions to security@docker.com.
#### **[CVE-2015-3629](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3629) Symlink traversal on container respawn allows local privilege escalation**
Libcontainer version 1.6.0 introduced changes which facilitated a mount namespace
breakout upon respawn of a container. This allowed malicious images to write
files to the host system and escape containerization.
Libcontainer and Docker Engine 1.6.1 have been released to address this
vulnerability. Users running untrusted images are encouraged to upgrade Docker Engine.
Discovered by Tõnis Tiigi.
#### **[CVE-2015-3627](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3627) Insecure opening of file-descriptor 1 leading to privilege escalation**
The file-descriptor passed by libcontainer to the pid-1 process of a container
has been found to be opened prior to performing the chroot, allowing insecure
open and symlink traversal. This allows malicious container images to trigger
a local privilege escalation.
Libcontainer and Docker Engine 1.6.1 have been released to address this
vulnerability. Users running untrusted images are encouraged to upgrade
Docker Engine.
Discovered by Tõnis Tiigi.
#### **[CVE-2015-3630](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3630) Read/write proc paths allow host modification & information disclosure**
Several paths underneath /proc were writable from containers, allowing global
system manipulation and configuration. These paths included `/proc/asound`,
`/proc/timer_stats`, `/proc/latency_stats`, and `/proc/fs`.
By allowing writes to `/proc/fs`, it has been noted that CIFS volumes could be
forced into a protocol downgrade attack by a root user operating inside of a
container. Machines having loaded the timer_stats module were vulnerable to
having this mechanism enabled and consumed by a container.
We are releasing Docker Engine 1.6.1 to address this vulnerability. All
versions up to 1.6.1 are believed vulnerable. Users running untrusted
images are encouraged to upgrade.
Discovered by Eric Windisch of the Docker Security Team.
#### **[CVE-2015-3631](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3631) Volume mounts allow LSM profile escalation**
By allowing volumes to override files of `/proc` within a mount namespace, a user
could specify arbitrary policies for Linux Security Modules, including setting
an unconfined policy underneath AppArmor, or a `docker_t` policy for processes
managed by SELinux. In all versions of Docker up until 1.6.1, it is possible for
malicious images to configure volume mounts such that files of proc may be overridden.
We are releasing Docker Engine 1.6.1 to address this vulnerability. All versions
up to 1.6.1 are believed vulnerable. Users running untrusted images are encouraged
to upgrade.
Discovered by Eric Windisch of the Docker Security Team.
#### **AppArmor policy improvements**
The 1.6.1 release also marks preventative additions to the AppArmor policy.
Recently, several CVEs against the kernel have been reported whereby mount
namespaces could be circumvented through the use of the sys_mount syscall from
inside of an unprivileged Docker container. In all reported cases, the
AppArmor policy included in libcontainer and shipped with Docker has been
sufficient to deflect these attacks. However, we have deemed it prudent to
proactively tighten the policy further by outright denying the use of the
`sys_mount` syscall.
Because this addition is preventative, no CVE-ID is requested.
### CS Docker Engine 1.6.0
(23 Apr 2015)
- First release, please see the [Docker Engine 1.6.0 Release notes](/release-notes/)
for more details.

View file

@ -131,3 +131,6 @@ handled centrally by Machine instead of letting each driver individually do it.
hosts TLS certificates for good security practice and for if a hosts IP
address changes.
## Docker Hub Enterprise & Commercialy Supported Docker Engine
See the [DHE and CS Docker Engine release notes](docker-hub-enterprise/release-notes.md).