From 740b1b5a2d89ef8d2c4c606636e5b42234298734 Mon Sep 17 00:00:00 2001 From: Sven Dowideit Date: Fri, 22 May 2015 09:14:06 +1000 Subject: [PATCH] Publish release notes for latest cs Docker engine Signed-off-by: Sven Dowideit --- .../docker-hub-enterprise/release-notes.md | 125 +++++++++++++----- 1 file changed, 93 insertions(+), 32 deletions(-) diff --git a/docs/sources/docker-hub-enterprise/release-notes.md b/docs/sources/docker-hub-enterprise/release-notes.md index f7bd85d849..f445e2ded2 100644 --- a/docs/sources/docker-hub-enterprise/release-notes.md +++ b/docs/sources/docker-hub-enterprise/release-notes.md 
@@ -16,79 +16,140 @@ page_keywords: docker, documentation, about, technology, understanding, enterpri - First release -## Commercialy Supported Docker Engine +## Commercially Supported Docker Engine ### CS Docker Engine 1.6.2-cs5 +(21 May 2015) For customers running Docker Engine on [supported versions of RedHat Enterprise Linux](https://www.docker.com/enterprise/support/) with [SELinux enabled](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/ 6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux -Enabling_and_Disabling_SELinux.html), the `docker build` and `docker run` -commands will fail because bind mounted volumes or files are not accessible. As -a result, customers with SELinux enabled cannot use these commands in their -environment. By installing Docker Engine 1.6.2-cs5, customers can run with -SELinux enabled and run these commands on their supported operating system. +commands will not have DNS host name resolution and bind-mounted volumes may +not be accessible. +As a result, customers with SELinux will be unable to use hostname-based network +access in either `docker build` or `docker run`, nor will they be able to +`docker run` containers +that use `--volume` or `-v` bind-mounts (with an incorrect SELinux label) in +their environment. By installing Docker +Engine 1.6.2-cs5, customers can use Docker as intended on RHEL with SELinux enabled. -**Affected Versions**: Docker Engine: 1.6.x-cs1 through 1.6.x-cs4 +For example, you see will failures like: -It is **highly recommended** that all customers running Docker Engine 1.6.x-cs1 -through 1.6.x-cs4 update to this release. +``` +[root@dhe ~]# docker -v +Docker version 1.6.0-cs2, build b8dd430 +[root@dhe ~]# ping dhe.home.org.au +PING dhe.home.org.au (10.10.10.104) 56(84) bytes of data. 
+64 bytes from dhe.home.gateway (10.10.10.104): icmp_seq=1 ttl=64 time=0.663 ms +^C +--- dhe.home.org.au ping statistics --- +2 packets transmitted, 2 received, 0% packet loss, time 1001ms +rtt min/avg/max/mdev = 0.078/0.370/0.663/0.293 ms +[root@dhe ~]# docker run --rm -it debian ping dhe.home.org.au +ping: unknown host +[root@dhe ~]# docker run --rm -it debian cat /etc/resolv.conf +cat: /etc/resolv.conf: Permission denied +[root@dhe ~]# docker run --rm -it debian apt-get update +Err http://httpredir.debian.org jessie InRelease -#### How to workaround this issue +Err http://security.debian.org jessie/updates InRelease -Customers who do not install this update have two options. The -first option, is to disable SELinux. This is *not recommended* for production -systems where SELinux is required. +Err http://httpredir.debian.org jessie-updates InRelease + +Err http://security.debian.org jessie/updates Release.gpg + Could not resolve 'security.debian.org' +Err http://httpredir.debian.org jessie Release.gpg + Could not resolve 'httpredir.debian.org' +Err http://httpredir.debian.org jessie-updates Release.gpg + Could not resolve 'httpredir.debian.org' +[output truncated] + +``` + +or when running a `docker build`: + +``` +[root@dhe ~]# docker build . +Sending build context to Docker daemon 11.26 kB +Sending build context to Docker daemon +Step 0 : FROM fedora + ---> e26efd418c48 +Step 1 : RUN yum install httpd + ---> Running in cf274900ea35 + +One of the configured repositories failed (Fedora 21 - x86_64), +and yum doesn't have enough cached data to continue. At this point the only +safe thing yum can do is fail. There are a few ways to work "fix" this: + +[output truncated] +``` + + +**Affected Versions**: All previous versions of Docker Engine when SELinux +is enabled. + +Docker **highly recommends** that all customers running previous versions of +Docker Engine update to this release. 
+ +#### **How to workaround this issue** + +Customers who choose not to install this update have two options. The +first option is to disable SELinux. This is *not recommended* for production +systems where SELinux is typically required. + +The second option is to pass the following parameter in to `docker run`. -The second option is to pass the following parameter in to `docker run`. - --security-opt=label:type:docker_t This parameter cannot be passed to the `docker build` command. -#### Upgrade notes +#### **Upgrade notes** + +When upgrading, make sure you stop DHE first, perform the Engine upgrade, and +then restart DHE. If you are running with SELinux enabled, previous Docker Engine releases allowed -you to bind mount additional volumes or files inside the container as follows: +you to bind-mount additional volumes or files inside the container as follows: - $ docker run -it -v /home/user/foo.txt:/foobar.txt:ro + $ docker run -it -v /home/user/foo.txt:/foobar.txt:ro -In the 1.6.2-cs5 release, you must ensure additional bind mounts have the correct -SELinux context. As an example, if you want to mount `foobar.txt` as read only -into the container, do the following to create and test your bind mount: +In the 1.6.2-cs5 release, you must ensure additional bind-mounts have the correct +SELinux context. For example, if you want to mount `foobar.txt` as read-only +into the container, do the following to create and test your bind-mount: 1. Add the `z` option to the bind mount when you specify `docker run`. - $ docker run -it -v /home/user/foo.txt:/foobar.txt:ro,z + $ docker run -it -v /home/user/foo.txt:/foobar.txt:ro,z -2. Exec into your new container. +2. Exec into your new container. - For example, if your container is `bashful_curie` open a shell on the + For example, if your container is `bashful_curie`, open a shell on the container: - + $ docker exec -it bashful_curie bash -3. Use the `cat` command to check the permissions on the mounted file. +3. 
Use `cat` to check the permissions on the mounted file. $ cat /foobar.txt the contents of foobar appear If you see the file's contents, your mount succeeded. If you receive a - `Permission denied` message and/or the `/var/log/audit/audit.log` file on your - Docker host contains an AVC Denial message, the mount did not succeed. + `Permission denied` message and/or the `/var/log/audit/audit.log` file on + your Docker host contains an AVC Denial message, the mount did not succeed. type=AVC msg=audit(1432145409.197:7570): avc: denied { read } for pid=21167 comm="cat" name="foobar.txt" dev="xvda2" ino=17704136 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file - + Recheck your command line to make sure you passed in the `z` option. -### CS Docker Engine 1.6.2 + +### CS Docker Engine 1.6.2-cs4 (13 May 2015) Fix mount regression for `/sys`. - -### CS Docker Engine 1.6.1 +### CS Docker Engine 1.6.1-cs3 (11 May 2015) Docker Engine version 1.6.1 has been released to address several vulnerabilities @@ -172,7 +233,7 @@ proactively tighten the policy further by outright denying the use of the Because this addition is preventative, no CVE-ID is requested. -### CS Docker Engine 1.6.0 +### CS Docker Engine 1.6.0-cs2 (23 Apr 2015) - First release, please see the [Docker Engine 1.6.0 Release notes](/release-notes/)
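Review bot: in the first hunk (`@@ -16,79 +16,140 @@`) the added lead-in to the sample output reads `+For example, you see will failures like:`; it should be `For example, you will see failures like:`. Two further points in the same hunk. First, `**Affected Versions**` is changed from the explicit range `1.6.x-cs1 through 1.6.x-cs4` to `All previous versions of Docker Engine when SELinux is enabled`, which is vaguer than the release list this hunk itself adds to the headings (`1.6.0-cs2`, `1.6.1-cs3`, `1.6.2-cs4`); keep an explicit range of CS releases there so a reader can match it against `docker -v` output such as the `Docker version 1.6.0-cs2, build b8dd430` line shown in the example. Second, the new cs5 heading puts its date on a separate line (`+(21 May 2015)`) while the renamed headings carry it inline, e.g. `### CS Docker Engine 1.6.2-cs4 (13 May 2015)`; align the cs5 heading to the inline form. Minor: `customers with SELinux will be unable to use hostname-based network access` should read `customers with SELinux enabled will be unable ...`, matching the wording earlier in the paragraph.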