From 7554949da654fb55dd1bccc3308ef12c013a16d5 Mon Sep 17 00:00:00 2001 From: Mary Anthony Date: Wed, 20 May 2015 14:39:00 -0700 Subject: [PATCH] Updating with 1.6.2-cs5 notes Signed-off-by: Mary Anthony --- .../docker-hub-enterprise/release-notes.md | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/docs/sources/docker-hub-enterprise/release-notes.md b/docs/sources/docker-hub-enterprise/release-notes.md index d6f19caca1..f7bd85d849 100644 --- a/docs/sources/docker-hub-enterprise/release-notes.md +++ b/docs/sources/docker-hub-enterprise/release-notes.md 
@@ -18,6 +18,70 @@ page_keywords: docker, documentation, about, technology, understanding, enterpri ## Commercialy Supported Docker Engine +### CS Docker Engine 1.6.2-cs5 + +For customers running Docker Engine on [supported versions of RedHat Enterprise +Linux](https://www.docker.com/enterprise/support/) with [SELinux +enabled](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/ +6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux +-Enabling_and_Disabling_SELinux.html), the `docker build` and `docker run` +commands will fail because bind mounted volumes or files are not accessible. As +a result, customers with SELinux enabled cannot use these commands in their +environment. By installing Docker Engine 1.6.2-cs5, customers can run with +SELinux enabled and run these commands on their supported operating system. + +**Affected Versions**: Docker Engine: 1.6.x-cs1 through 1.6.x-cs4 + +It is **highly recommended** that all customers running Docker Engine 1.6.x-cs1 +through 1.6.x-cs4 update to this release. + +#### How to workaround this issue + +Customers who do not install this update have two options. The +first option, is to disable SELinux. This is *not recommended* for production +systems where SELinux is required. + +The second option is to pass the following parameter in to `docker run`. + + --security-opt=label:type:docker_t + +This parameter cannot be passed to the `docker build` command. + +#### Upgrade notes + +If you are running with SELinux enabled, previous Docker Engine releases allowed +you to bind mount additional volumes or files inside the container as follows: + + $ docker run -it -v /home/user/foo.txt:/foobar.txt:ro + +In the 1.6.2-cs5 release, you must ensure additional bind mounts have the correct +SELinux context. As an example, if you want to mount `foobar.txt` as read only +into the container, do the following to create and test your bind mount: + +1. 
Add the `z` option to the bind mount when you specify `docker run`. + + $ docker run -it -v /home/user/foo.txt:/foobar.txt:ro,z + +2. Exec into your new container. + + For example, if your container is `bashful_curie` open a shell on the + container: + + $ docker exec -it bashful_curie bash + +3. Use the `cat` command to check the permissions on the mounted file. + + $ cat /foobar.txt + the contents of foobar appear + + If you see the file's contents, your mount succeeded. If you receive a + `Permission denied` message and/or the `/var/log/audit/audit.log` file on your + Docker host contains an AVC Denial message, the mount did not succeed. + + type=AVC msg=audit(1432145409.197:7570): avc: denied { read } for pid=21167 comm="cat" name="foobar.txt" dev="xvda2" ino=17704136 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file + + Recheck your command line to make sure you passed in the `z` option. + ### CS Docker Engine 1.6.2 (13 May 2015)
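Review bot: The two `docker run` examples under "Upgrade notes" (`$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro` and the `ro,z` variant in step 1) end after the `-v` argument with no image name, so neither can be run as written. Add a placeholder image, and a command if one is intended, after the volume option in both.

The workaround section flags disabling SELinux as not recommended but offers `--security-opt=label:type:docker_t` with no statement of what that label type does to the container's confinement. The AVC sample in step 3 shows the container running as `svirt_lxc_net_t`, so the option changes the type the container runs under. Say in one sentence what a customer gives up by using it. Likewise, step 1 should say what the `z` option does to the label on the host file, since the sample denial shows `tcontext=...user_home_t` on a file under `/home/user` and readers will want to know whether the host file is modified.

Smaller points: step 3 says `cat` checks "the permissions", but it only tests whether the file is readable. The heading "How to workaround this issue" should read "How to work around this issue". "RedHat" should be "Red Hat".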