From afc262cc3ab68129104e3d799f8a2694f61aa68f Mon Sep 17 00:00:00 2001 From: Fred Lifton Date: Fri, 12 Dec 2014 17:18:21 -0800 Subject: [PATCH] Fixed errors in release notes Fixed a missing link and a few small formatting issues. Also deleted 1.3 notes as originally intended. Docker-DCO-1.1-Signed-off-by: Fred Lifton (github: fredlf) --- docs/sources/release-notes.md | 367 +--------------------------------- 1 file changed, 8 insertions(+), 359 deletions(-) diff --git a/docs/sources/release-notes.md b/docs/sources/release-notes.md index c6e4dff6e1..3950961506 100644 --- a/docs/sources/release-notes.md +++ b/docs/sources/release-notes.md @@ -13,7 +13,7 @@ desired version from the drop-down list at the top right of this page. This release provides a number of new features, but is mainly focused on bug fixes and improvements to platform stability and security. -For a complete list of patches, fixes, and other improvements, see +For a complete list of patches, fixes, and other improvements, see the [merge PR on GitHub](https://github.com/docker/docker/pull/9345). *New Features* @@ -57,371 +57,20 @@ were not sufficiently validated. This created a vulnerability to path traversal attacks wherein malicious images or repository spoofing could lead to graph corruption and manipulation. -Note that the above CVE's are also in Docker 1.3.3, which was released -concurrently with 1.4.0. - +> **Note:** the above CVEs are also patched in Docker 1.3.3, which was released +> concurrently with 1.4.0. + *Runtime fixes* - + * Fixed an issue that caused image archives to be read slowly. - + *Client fixes* * Fixed a regression related to STDIN redirection. * Fixed a regression involving `docker cp` when the current directory is the destination. -> **Note** +> **Note:** > Development history prior to version 1.0 can be found by -> searching in [GitHub](https://github.com/docker/docker). +> searching in the [Docker GitHub repo](https://github.com/docker/docker). -##Version 1.3.3 -(2014-12-11) - -This release fixes several security issues. In order to encourage immediate -upgrading, this release also patches some critical bugs. All users are highly -encouraged to upgrade as soon as possible. - -*Security fixes* - -Patches and changes were made to address the following vulnerabilities: - -* CVE-2014-9356: Path traversal during processing of absolute symlinks. -Absolute symlinks were not adequately checked for traversal which created a -vulnerability via image extraction and/or volume mounts. -* CVE-2014-9357: Escalation of privileges during decompression of LZMA (.xz) -archives. Docker 1.3.2 added `chroot` for archive extraction. This created a -vulnerability that could allow malicious images or builds to write files to the -host system and escape containerization, leading to privilege escalation. -* CVE-2014-9358: Path traversal and spoofing opportunities via image -identifiers. Image IDs passed either via `docker load` or registry communications -were not sufficiently validated. This created a vulnerability to path traversal -attacks wherein malicious images or repository spoofing could lead to graph -corruption and manipulation. - -*Runtime fixes* - -* Fixed an issue that cause image archives to be read slowly. - -*Client fixes* - -* Fixed a regression related to STDIN redirection. -* Fixed a regression involving `docker cp` when the current directory is the -destination. - -##Version 1.3.2 -(2014-11-24) - -This release fixes some bugs and addresses some security issues. We have also -made improvements to aspects of `docker run`. - -*Security fixes* - -Patches and changes were made to address CVE-2014-6407 and CVE-2014-6408. -Specifically, changes were made in order to: - -* Prevent host privilege escalation from an image extraction vulnerability (CVE-2014-6407). - -* Prevent container escalation from malicious security options applied to images (CVE-2014-6408). - -*Daemon fixes* - -The `--insecure-registry` flag of the `docker run` command has undergone -several refinements and additions. For details, please see the -[command-line reference](http://docs.docker.com/reference/commandline/cli/#run). - -* You can now specify a sub-net in order to set a range of registries which the Docker daemon will consider insecure. - -* By default, Docker now defines `localhost` as an insecure registry. - -* Registries can now be referenced using the Classless Inter-Domain Routing (CIDR) format. - -* When mirroring is enabled, the experimental registry v2 API is skipped. - -##Version 1.3.1 -(2014-10-28) - -This release fixes some bugs and addresses some security issues. - -*Security fixes* - -Patches and changes were made to address [CVE-2014-5277 and CVE-2014-3566](https://groups.google.com/forum/#!topic/docker-user/oYm0i3xShJU). -Specifically, changes were made to: - -* Prevent fallback to SSL protocols < TLS 1.0 for client, daemon and registry -* Secure HTTPS connection to registries with certificate verification and without HTTP fallback unless [`--insecure-registry`](/reference/commandline/cli/#run) is specified. - -*Runtime fixes* - -* Fixed issue where volumes would not be shared. - -*Client fixes* - -* Fixed issue with `--iptables=false` not automatically setting -`--ip-masq=false`. -* Fixed docker run output to non-TTY stdout. - -*Builder fixes* - -* Fixed escaping `$` for environment variables. -* Fixed issue with lowercase `onbuild` instruction in a `Dockerfile`. -* Restricted environment variable expansion to `ENV`, `ADD`, `COPY`, `WORKDIR`, -`EXPOSE`, `VOLUME`, and `USER` - -##Version 1.3.0 - -This version fixes a number of bugs and issues and adds new functions and other -improvements. The [GitHub 1.3milestone](https://github.com/docker/docker/issues?q=milestone%3A1.3.0+) has -more detailed information. Major additions and changes include: - -###New Features - -*New command: `docker exec`* - -The new `docker exec` command lets you run a process in an existing, active -container. The command has APIs for both the daemon and the client. With `docker -exec`, you'll be able to do things like add or remove devices from running -containers, debug running containers, and run commands that are not part of the -container's static specification. Details in the [command line reference](/reference/commandline/cli/#exec). - -*New command: `docker create`* - -Traditionally, the `docker run` command has been used to both create a container -and spawn a process to run it. The new `docker create` command breaks this -apart, letting you set up a container without actually starting it. This -provides more control over management of the container lifecycle, giving you the -ability to configure things like volumes or port mappings before the container -is started. For example, in a rapid-response scaling situation, you could use -`create` to prepare and stage ten containers in anticipation of heavy loads. -Details in the [command line reference](/reference/commandline/cli/#create). - -*Tech preview of new provenance features* - -This release offers a sneak peek at new image signing capabilities that are -currently under development. Soon, these capabilities will allow any image -author to sign their images to certify they have not been tampered with. For -this release, Official images are now signed by Docker, Inc. Not only does this -demonstrate the new functionality, we hope it will improve your confidence in -the security of Official images. Look for the blue ribbons denoting signed -images on the [Docker Hub](https://hub.docker.com/). The Docker Engine has been -updated to automatically verify that a given Official Repo has a current, valid -signature. When pulling a signed image, you'll see a message stating `the image -you are pulling has been verified`. If no valid signature is detected, Docker -Engine will fall back to pulling a regular, unsigned image. - -###Other improvements & changes* - -* We've added a new security options flag to the `docker run` command, -`--security-opt`, that lets you set SELinux and AppArmor labels and profiles. -This means you'll no longer have to use `docker run --privileged` on kernels -that support SE Linux or AppArmor. For more information, see the [command line -reference](/reference/commandline/cli/#run). - -* A new flag, `--add-host`, has been added to `docker run` that lets you add -lines to `/etc/hosts`. This allows you to specify different name resolution for -the container than it would get via DNS. For more information, see the [command -line reference](/reference/commandline/cli/#run). - -* You can now set a `DOCKER_TLS_VERIFY` environment variable to secure -connections by default (rather than having to pass the `--tlsverify` flag on -every call). For more information, see the [https guide](/articles/https). - -* Three security issues have been addressed in this release: [CVE-2014-5280, -CVE-2014-5270, and -CVE-2014-5282](https://groups.google.com/forum/#!msg/docker-announce/aQoVmQlcE0A/smPuBNYf8VwJ). - -##Version 1.2.0 - -This version fixes a number of bugs and issues and adds new functions and other -improvements. These include: - -###New Features - -*New restart policies* - -We added a `--restart flag` to `docker run` to specify a restart policy for your -container. Currently, there are three policies available: - -* `no` – Do not restart the container if it dies. (default) * `on-failure` – -Restart the container if it exits with a non-zero exit code. This can also -accept an optional maximum restart count (e.g. `on-failure:5`). * `always` – -Always restart the container no matter what exit code is returned. This -deprecates the `--restart` flag on the Docker daemon. - -*New flags for `docker run`: `--cap-add` and `--cap-drop`* - -In previous releases, Docker containers could either be given complete -capabilities or they could all follow a whitelist of allowed capabilities while -dropping all others. Further, using `--privileged` would grant all capabilities -inside a container, rather than applying a whitelist. This was not recommended -for production use because it’s really unsafe; it’s as if you were directly in -the host. - -This release introduces two new flags for `docker run`, `--cap-add` and -`--cap-drop`, that give you fine-grain control over the specific capabilities -you want grant to a particular container. - -*New `--device` flag for `docker run`* - -Previously, you could only use devices inside your containers by bind mounting -them (with `-v`) in a `--privileged` container. With this release, we introduce -the `--device flag` to `docker run` which lets you use a device without -requiring a privileged container. - -*Writable `/etc/hosts`, `/etc/hostname` and `/etc/resolv.conf`* - -You can now edit `/etc/hosts`, `/etc/hostname` and `/etc/resolve.conf` in a -running container. This is useful if you need to install BIND or other services -that might override one of those files. - -Note, however, that changes to these files are not saved when running `docker -build` and so will not be preserved in the resulting image. The changes will -only “stick” in a running container. - -*Docker proxy in a separate process* - -The Docker userland proxy that routes outbound traffic to your containers now -has its own separate process (one process per connection). This greatly reduces -the load on the daemon, which increases stability and efficiency. - -###Other improvements & changes - -* When using `docker rm -f`, Docker now kills the container (instead of stopping -it) before removing it . If you intend to stop the container cleanly, you can -use `docker stop`. - -* Added support for IPv6 addresses in `--dns` - -* Added search capability in private registries - -##Version 1.1.0 - -###New Features - -*`.dockerignore` support* - -You can now add a `.dockerignore` file next to your `Dockerfile` and Docker will -ignore files and directories specified in that file when sending the build -context to the daemon. Example: -https://github.com/docker/docker/blob/master/.dockerignore - -*Pause containers during commit* - -Doing a commit on a running container was not recommended because you could end -up with files in an inconsistent state (for example, if they were being written -during the commit). Containers are now paused when a commit is made to them. You -can disable this feature by doing a `docker commit --pause=false ` - -*Tailing logs* - -You can now tail the logs of a container. For example, you can get the last ten -lines of a log by using `docker logs --tail 10 `. You can also -follow the logs of a container without having to read the whole log file with -`docker logs --tail 0 -f `. - -*Allow a tar file as context for docker build* - -You can now pass a tar archive to `docker build` as context. This can be used to -automate docker builds, for example: `cat context.tar | docker build -` or -`docker run builder_image | docker build -` - -*Bind mounting your whole filesystem in a container* - -`/` is now allowed as source of `--volumes`. This means you can bind-mount your -whole system in a container if you need to. For example: `docker run -v -/:/my_host ubuntu:ro ls /my_host`. However, it is now forbidden to mount to /. - - -###Other Improvements & Changes - -* Port allocation has been improved. In the previous release, Docker could -prevent you from starting a container with previously allocated ports which -seemed to be in use when in fact they were not. This has been fixed. - -* A bug in `docker save` was introduced in the last release. The `docker save` -command could produce images with invalid metadata. The command now produces -images with correct metadata. - -* Running `docker inspect` in a container now returns which containers it is -linked to. - -* Parsing of the `docker commit` flag has improved validation, to better prevent -you from committing an image with a name such as `-m`. Image names with dashes -in them potentially conflict with command line flags. - -* The API now has Improved status codes for `start` and `stop`. Trying to start -a running container will now return a 304 error. - -* Performance has been improved overall. Starting the daemon is faster than in -previous releases. The daemon’s performance has also been improved when it is -working with large numbers of images and containers. - -* Fixed an issue with white-spaces and multi-lines in Dockerfiles. - -##Version 1.1.0 - -###New Features - -*`.dockerignore` support* - -You can now add a `.dockerignore` file next to your `Dockerfile` and Docker will -ignore files and directories specified in that file when sending the build -context to the daemon. Example: -https://github.com/dotcloud/docker/blob/master/.dockerignore - -*Pause containers during commit* - -Doing a commit on a running container was not recommended because you could end -up with files in an inconsistent state (for example, if they were being written -during the commit). Containers are now paused when a commit is made to them. You -can disable this feature by doing a `docker commit --pause=false ` - -*Tailing logs* - -You can now tail the logs of a container. For example, you can get the last ten -lines of a log by using `docker logs --tail 10 `. You can also -follow the logs of a container without having to read the whole log file with -`docker logs --tail 0 -f `. - -*Allow a tar file as context for docker build* - -You can now pass a tar archive to `docker build` as context. This can be used to -automate docker builds, for example: `cat context.tar | docker build -` or -`docker run builder_image | docker build -` - -*Bind mounting your whole filesystem in a container* - -`/` is now allowed as source of `--volumes`. This means you can bind-mount your -whole system in a container if you need to. For example: `docker run -v -/:/my_host ubuntu:ro ls /my_host`. However, it is now forbidden to mount to /. - - -###Other Improvements & Changes - -* Port allocation has been improved. In the previous release, Docker could -prevent you from starting a container with previously allocated ports which -seemed to be in use when in fact they were not. This has been fixed. - -* A bug in `docker save` was introduced in the last release. The `docker save` -command could produce images with invalid metadata. The command now produces -images with correct metadata. - -* Running `docker inspect` in a container now returns which containers it is -linked to. - -* Parsing of the `docker commit` flag has improved validation, to better prevent -you from committing an image with a name such as `-m`. Image names with dashes -in them potentially conflict with command line flags. - -* The API now has Improved status codes for `start` and `stop`. Trying to start -a running container will now return a 304 error. - -* Performance has been improved overall. Starting the daemon is faster than in -previous releases. The daemon’s performance has also been improved when it is -working with large numbers of images and containers. - -* Fixed an issue with white-spaces and multi-lines in Dockerfiles. - -##Version 1.0.0 - -First production-ready release. Prior development history can be found by -searching in [GitHub](https://github.com/docker/docker).