Publish release notes for latest cs Docker engine

Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
2015-05-22 09:14:06 +10:00 · 2015-05-22 09:14:06 +10:00 · 740b1b5a2d
parent b639f00280
commit 740b1b5a2d
1 changed files with 93 additions and 32 deletions
--- a/docs/sources/docker-hub-enterprise/release-notes.md
+++ b/docs/sources/docker-hub-enterprise/release-notes.md
@ -16,79 +16,140 @@ page_keywords: docker, documentation, about, technology, understanding, enterpri

 - First release

-## Commercialy Supported Docker Engine
+## Commercially Supported Docker Engine

 ### CS Docker Engine 1.6.2-cs5
+(21 May 2015)

 For customers running Docker Engine on [supported versions of RedHat Enterprise
 Linux](https://www.docker.com/enterprise/support/) with [SELinux
 enabled](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/
 6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux
 -Enabling_and_Disabling_SELinux.html), the `docker build` and `docker run`
-commands will fail because bind mounted volumes or files are not accessible. As
-a result, customers with SELinux enabled cannot use these commands in their
-environment. By installing Docker Engine 1.6.2-cs5, customers can run with
-SELinux enabled and run these commands on their supported operating system.
+commands will not have DNS host name resolution and bind-mounted volumes may
+not be accessible.
+As a result, customers with SELinux will be unable to use hostname-based network
+access in either `docker build` or `docker run`, nor will they be able to
+`docker run` containers
+that use `--volume` or `-v` bind-mounts (with an incorrect SELinux label) in
+their environment. By installing Docker
+Engine 1.6.2-cs5, customers can use Docker as intended on RHEL with SELinux enabled.

-**Affected Versions**: Docker Engine: 1.6.x-cs1 through 1.6.x-cs4
+For example, you see will failures like:

-It is **highly recommended** that all customers running Docker Engine 1.6.x-cs1
-through 1.6.x-cs4 update to this release. 
+```
+[root@dhe ~]# docker -v
+Docker version 1.6.0-cs2, build b8dd430
+[root@dhe ~]# ping dhe.home.org.au
+PING dhe.home.org.au (10.10.10.104) 56(84) bytes of data.
+64 bytes from dhe.home.gateway (10.10.10.104): icmp_seq=1 ttl=64 time=0.663 ms
+^C
+--- dhe.home.org.au ping statistics ---
+2 packets transmitted, 2 received, 0% packet loss, time 1001ms
+rtt min/avg/max/mdev = 0.078/0.370/0.663/0.293 ms
+[root@dhe ~]# docker run --rm -it debian ping dhe.home.org.au
+ping: unknown host
+[root@dhe ~]# docker run --rm -it debian cat /etc/resolv.conf
+cat: /etc/resolv.conf: Permission denied
+[root@dhe ~]# docker run --rm -it debian apt-get update
+Err http://httpredir.debian.org jessie InRelease

-#### How to workaround this issue
+Err http://security.debian.org jessie/updates InRelease

-Customers who do not install this update have two options. The
-first option, is to disable SELinux. This is *not recommended* for production
-systems where SELinux is required.
+Err http://httpredir.debian.org jessie-updates InRelease
+
+Err http://security.debian.org jessie/updates Release.gpg
+  Could not resolve 'security.debian.org'
+Err http://httpredir.debian.org jessie Release.gpg
+  Could not resolve 'httpredir.debian.org'
+Err http://httpredir.debian.org jessie-updates Release.gpg
+  Could not resolve 'httpredir.debian.org'
+[output truncated]
+
+```
+
+or when running a `docker build`:
+
+```
+[root@dhe ~]# docker build .
+Sending build context to Docker daemon 11.26 kB
+Sending build context to Docker daemon
+Step 0 : FROM fedora
+ ---> e26efd418c48
+Step 1 : RUN yum install httpd
+ ---> Running in cf274900ea35
+
+One of the configured repositories failed (Fedora 21 - x86_64),
+and yum doesn't have enough cached data to continue. At this point the only
+safe thing yum can do is fail. There are a few ways to work "fix" this:
+
+[output truncated]
+```
+
+
+**Affected Versions**: All previous versions of Docker Engine when SELinux
+is enabled.
+
+Docker **highly recommends** that all customers running previous versions of
+Docker Engine update to this release.
+
+#### **How to workaround this issue**
+
+Customers who choose not to install this update have two options. The
+first option is to disable SELinux. This is *not recommended* for production
+systems where SELinux is typically required.
+
+The second option is to pass the following parameter in to `docker run`.

-The second option is to pass the following parameter in to `docker run`. 
-  
  	     --security-opt=label:type:docker_t

 This parameter cannot be passed to the `docker build` command.

-#### Upgrade notes 
+#### **Upgrade notes**
+
+When upgrading, make sure you stop DHE first, perform the Engine upgrade, and
+then restart DHE.

 If you are running with SELinux enabled, previous Docker Engine releases allowed
-you to bind mount additional volumes or files inside the container as follows:
+you to bind-mount additional volumes or files inside the container as follows:

-		$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro
+		$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro <imagename>

-In the 1.6.2-cs5 release, you must ensure additional bind mounts have the correct
-SELinux context. As an example, if you want to mount `foobar.txt` as read only
-into the container, do the following to create and test your bind mount:
+In the 1.6.2-cs5 release, you must ensure additional bind-mounts have the correct
+SELinux context. For example, if you want to mount `foobar.txt` as read-only
+into the container, do the following to create and test your bind-mount:

 1. Add the `z` option to the bind mount when you specify `docker run`.

-		$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro,z
+		$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro,z <imagename>

-2. Exec into your new container.  
+2. Exec into your new container.

-	For example, if your container is `bashful_curie` open a shell on the
+	For example, if your container is `bashful_curie`, open a shell on the
 	container:
-		
+
 		$ docker exec -it bashful_curie bash

-3. Use the `cat` command to check the permissions on the mounted file.
+3. Use `cat` to check the permissions on the mounted file.

 		$ cat /foobar.txt
 		the contents of foobar appear

 	If you see the file's contents, your mount succeeded. If you receive a
-	`Permission denied` message and/or the `/var/log/audit/audit.log` file on your
-	Docker host contains an AVC Denial message, the mount did not succeed.
+	`Permission denied` message and/or the `/var/log/audit/audit.log` file on
+	your Docker host contains an AVC Denial message, the mount did not succeed.

 		type=AVC msg=audit(1432145409.197:7570): avc:  denied  { read } for  pid=21167 comm="cat" name="foobar.txt" dev="xvda2" ino=17704136 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
-	
+
 	Recheck your command line to make sure you passed in the `z` option.

-### CS Docker Engine 1.6.2
+
+### CS Docker Engine 1.6.2-cs4
 (13 May 2015)

 Fix mount regression for `/sys`.

-
-### CS Docker Engine 1.6.1
+### CS Docker Engine 1.6.1-cs3
 (11 May 2015)

 Docker Engine version 1.6.1 has been released to address several vulnerabilities
@ -172,7 +233,7 @@ proactively tighten the policy further by outright denying the use of the

 Because this addition is preventative, no CVE-ID is requested.

-### CS Docker Engine 1.6.0
+### CS Docker Engine 1.6.0-cs2
 (23 Apr 2015)

 - First release, please see the [Docker Engine 1.6.0 Release notes](/release-notes/)