diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index 1fc19dc963..a8b8c19965 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -88,6 +88,7 @@ pages: - ['docker-hub-enterprise/install.md', 'Docker Hub Enterprise', '  Installation' ] - ['docker-hub-enterprise/configuration.md', 'Docker Hub Enterprise', '  Configuration options' ] - ['docker-hub-enterprise/support.md', 'Docker Hub Enterprise', 'Support' ] +- ['docker-hub-enterprise/release-notes.md', 'Docker Hub Enterprise', 'Release notes' ] # Examples: - ['examples/index.md', '**HIDDEN**'] diff --git a/docs/sources/docker-hub-enterprise/install.md b/docs/sources/docker-hub-enterprise/install.md index 470fe48bc3..0873ab52ed 100644 --- a/docs/sources/docker-hub-enterprise/install.md +++ b/docs/sources/docker-hub-enterprise/install.md @@ -33,9 +33,9 @@ copy of DHE. ## Prerequisites -DHE requires the following: +DHE 1.0.1 requires the following: -* Commercially supported Docker Engine 1.6.0 or later running on an +* Commercially supported Docker Engine 1.6.1 or later running on an Ubuntu 14.04 LTS, RHEL 7.1 or RHEL 7.0 host. (See below for instructions on how to install the commercially supported Docker Engine.) @@ -125,6 +125,35 @@ $ exit > **Note**: you may need to reboot your server to update its LTS kernel. +## Upgrading the Commercially Supported Docker Engine + +CS Docker Engine 1.6.1 contains fixes to security vulnerabilities, + and customers should upgrade to it immediately. + +> **Note**: If you have CS Docker Engine 1.6.0 installed, it must be upgraded; + however, due to compatibility issues, [DHE must be upgraded](#upgrading-docker-hub-enterprise) + first. + +The CS Docker Engine installation script set up the RHEL/Ubuntu package repositories, +so upgrading the Engine only requires you to run the update commands on your server. + +### RHEL 7.0/7.1 upgrade + +To upgrade CS Docker Engine, run the following command: + +``` + $ sudo yum update + $ sudo systemctl daemon-reload && sudo systemctl restart docker +``` + +### Ubuntu 14.04 LTS upgrade + +To upgrade CS Docker Engine, run the following command: + +``` + $ sudo apt-get update && apt-get dist-upgrade docker-engine-cs +``` + ## Installing Docker Hub Enterprise Once the commercially supported Docker Engine is installed, you can install DHE @@ -133,7 +162,6 @@ and the [Docker Hub](https://registry.hub.docker.com/). It is able to restart and reconfigure itself using the Docker socket that is bind-mounted to its container. - Start installing DHE by running the "dockerhubenterprise/manager" container: ``` @@ -280,7 +308,7 @@ based authentication. See [DHE Authentication settings](./configuration.md#authentication) for more details. -# Upgrading +## Upgrading Docker Hub Enterprise DHE has been designed to allow on-the-fly software upgrades. Start by clicking on the "System Health" tab. In the upper, right-hand side of the @@ -306,6 +334,13 @@ DHE. Assuming you have a decent internet connection, the entire upgrade process should complete within a few minutes. +You should now [upgrade CS Docker Engine](#upgrading-the-commercially-supported-docker-engine). + +> **Note**: If Docker engine is upgraded first (DHE 1.0.0 on CS Docker Engine 1.6.1), +> DHE can still be upgraded from the command line by running: +> +> `sudo bash -c "$(sudo docker run dockerhubenterprise/manager:1.0.0 upgrade 1.0.1)"` + ## Next Steps For information on configuring DHE for your environment, take a look at the diff --git a/docs/sources/docker-hub-enterprise/release-notes.md b/docs/sources/docker-hub-enterprise/release-notes.md new file mode 100644 index 0000000000..635432af96 --- /dev/null +++ b/docs/sources/docker-hub-enterprise/release-notes.md @@ -0,0 +1,109 @@ +page_title: Docker Hub Enterprise: Release notes +page_description: Release notes for Docker Hub Enterprise +page_keywords: docker, documentation, about, technology, understanding, enterprise, hub, registry, release + +# Release Notes + +## Docker Hub Enterprise + +### DHE 1.0.1 +(11 May 2015) + +- Addresses compatibility issue with 1.6.1 CS Docker Engine + +### DHE 1.0.0 +(23 Apr 2015) + +- First release + +## Commercialy Supported Docker Engine + +### CS Docker Engine 1.6.1 +(11 May 2015) + +Docker Engine version 1.6.1 has been released to address several vulnerabilities +and is immediately available for all supported platforms. Users are advised to +upgrade existing installations of the Docker Engine and use 1.6.1 for new installations. + +It should be noted that each of the vulnerabilities allowing privilege escalation +may only be exploited by a malicious Dockerfile or image. Users are advised to +run their own images and/or images built by trusted parties, such as those in +the official images library. + +Please send any questions to security@docker.com. + + +#### **[CVE-2015-3629](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3629) Symlink traversal on container respawn allows local privilege escalation** + +Libcontainer version 1.6.0 introduced changes which facilitated a mount namespace +breakout upon respawn of a container. This allowed malicious images to write +files to the host system and escape containerization. + +Libcontainer and Docker Engine 1.6.1 have been released to address this +vulnerability. Users running untrusted images are encouraged to upgrade Docker Engine. + +Discovered by Tõnis Tiigi. + + +#### **[CVE-2015-3627](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3627) Insecure opening of file-descriptor 1 leading to privilege escalation** + +The file-descriptor passed by libcontainer to the pid-1 process of a container +has been found to be opened prior to performing the chroot, allowing insecure +open and symlink traversal. This allows malicious container images to trigger +a local privilege escalation. + +Libcontainer and Docker Engine 1.6.1 have been released to address this +vulnerability. Users running untrusted images are encouraged to upgrade +Docker Engine. + +Discovered by Tõnis Tiigi. + +#### **[CVE-2015-3630](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3630) Read/write proc paths allow host modification & information disclosure** + +Several paths underneath /proc were writable from containers, allowing global +system manipulation and configuration. These paths included `/proc/asound`, +`/proc/timer_stats`, `/proc/latency_stats`, and `/proc/fs`. + +By allowing writes to `/proc/fs`, it has been noted that CIFS volumes could be +forced into a protocol downgrade attack by a root user operating inside of a +container. Machines having loaded the timer_stats module were vulnerable to +having this mechanism enabled and consumed by a container. + +We are releasing Docker Engine 1.6.1 to address this vulnerability. All +versions up to 1.6.1 are believed vulnerable. Users running untrusted +images are encouraged to upgrade. + +Discovered by Eric Windisch of the Docker Security Team. + +#### **[CVE-2015-3631](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3631) Volume mounts allow LSM profile escalation** + +By allowing volumes to override files of `/proc` within a mount namespace, a user +could specify arbitrary policies for Linux Security Modules, including setting +an unconfined policy underneath AppArmor, or a `docker_t` policy for processes +managed by SELinux. In all versions of Docker up until 1.6.1, it is possible for +malicious images to configure volume mounts such that files of proc may be overridden. + +We are releasing Docker Engine 1.6.1 to address this vulnerability. All versions +up to 1.6.1 are believed vulnerable. Users running untrusted images are encouraged +to upgrade. + +Discovered by Eric Windisch of the Docker Security Team. + +#### **AppArmor policy improvements** + +The 1.6.1 release also marks preventative additions to the AppArmor policy. +Recently, several CVEs against the kernel have been reported whereby mount +namespaces could be circumvented through the use of the sys_mount syscall from +inside of an unprivileged Docker container. In all reported cases, the +AppArmor policy included in libcontainer and shipped with Docker has been +sufficient to deflect these attacks. However, we have deemed it prudent to +proactively tighten the policy further by outright denying the use of the +`sys_mount` syscall. + +Because this addition is preventative, no CVE-ID is requested. + +### CS Docker Engine 1.6.0 +(23 Apr 2015) + +- First release, please see the [Docker Engine 1.6.0 Release notes](/release-notes/) + for more details. diff --git a/docs/sources/release-notes.md b/docs/sources/release-notes.md index 1a32cbb980..0ab6206d96 100644 --- a/docs/sources/release-notes.md +++ b/docs/sources/release-notes.md @@ -131,3 +131,6 @@ handled centrally by Machine instead of letting each driver individually do it. host’s TLS certificates for good security practice and for if a host’s IP address changes. +## Docker Hub Enterprise & Commercialy Supported Docker Engine + +See the [DHE and CS Docker Engine release notes](docker-hub-enterprise/release-notes.md).