Docker Engine release notes

This document describes the latest changes, additions, known issues, and fixes for Docker Engine - Community.

Note: The client and container runtime are now in separate packages from the daemon in Docker Engine 18.09. Users should install and update all three packages at the same time to get the latest patch releases. For example, on Ubuntu: sudo apt install docker-ce docker-ce-cli containerd.io. See the install instructions for the corresponding linux distro for details.

Version 19.03

19.03.8

2020-03-10

Runtime

19.03.7

2020-03-03

Builder

Runtime

Client

19.03.6

2020-02-12

Builder

Networking

Runtime

19.03.5

2019-11-14

Builder

  • builder-next: Added entitlements in builder config. docker/engine#412
  • Fix builder-next: permission errors on using build secrets or ssh forwarding with userns-remap. docker/engine#420
  • Fix builder-next: copying a symlink inside an already copied directory. docker/engine#420

Packaging

  • Support RHEL 8 packages

Runtime

19.03.4

2019-10-17

Networking

  • Rollback libnetwork changes to fix DOCKER-USER iptables chain issue. docker/engine#404

Known Issues

Existing

  • In some circumstances with large clusters, Docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many Swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.
    • Workaround: restart all tasks via docker service update --force.
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252
  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.

19.03.3

2019-10-08

Security

Builder

  • Fix builder-next: resolve digest for third party registries. docker/engine#339

  • Fix builder-next: user namespace builds when daemon started with socket activation. docker/engine#373

  • Fix builder-next; session: release forwarded ssh socket connection per connection. docker/engine#373

  • Fix build-next: llbsolver: error on multiple cache importers. docker/engine#373

Client

  • Added support for Docker Template 0.1.6.

  • Mitigate against YAML files that have excessive aliasing. docker/cli#2119

Runtime

Known Issues

New

  • DOCKER-USER iptables chain is missing: docker/for-linux#810. Users cannot perform additional container network traffic filtering on top of this iptables chain. You are not affected by this issue if you are not customizing iptable chains on top of DOCKER-USER.
    • Workaround: Insert the iptables chain after the docker daemon starts. For example:
      iptables -N DOCKER-USER
      iptables -I FORWARD -j DOCKER-USER
      iptables -A DOCKER-USER -j RETURN
      

Existing

  • In some circumstances with large clusters, docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.
    • Workaround: restart all tasks via docker service update --force.
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252
  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.

19.03.2

2019-09-03

Builder

Client

  • Fix Windows absolute path detection on non-Windows docker/cli#1990

  • Fix to zsh completion script for docker login --username.

  • Fix context: produce consistent output on context create. docker/cli#1985

  • Fix support for HTTP proxy env variable. docker/cli#2059

Logging

Networking

  • Prevent panic on network attached to a container with disabled networking. moby/moby#39589

Runtime

  • Bump Golang to 1.12.8.

  • Fix a potential engine panic when using XFS disk quota for containers. moby/moby#39644

Swarm

Known issues

  • In some circumstances with large clusters, docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.
    • Workaround: restart all tasks via docker service update --force.
  • Traffic cannot egress the HOST because of missing Iptables rules in the FORWARD chain The missing rules are :
       /sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
       /sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    
    • Workaround: Add these rules back using a script and cron definitions. The script must contain ‘-C’ commands to check for the presence of a rule and ‘-A’ commands to add rules back. Run the script on a cron in regular intervals, for example, every minutes.
    • Affected versions: 18.09.1, 19.03.0
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252
  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.

19.03.1

2019-07-25

Security

  • Fixed loading of nsswitch based config inside chroot under Glibc. CVE-2019-14271

Known issues

  • In some circumstances, in large clusters, docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.
    • Workaround: restart all tasks via docker service update --force.
  • Traffic cannot egress the HOST because of missing Iptables rules in the FORWARD chain The missing rules are :
      /sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      /sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    
    • Workaround: Add these rules back using a script and cron definitions. The script must contain ‘-C’ commands to check for the presence of a rule and ‘-A’ commands to add rules back. Run the script on a cron in regular intervals, for example, every minutes.
    • Affected versions: 18.09.1, 19.03.0
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252
  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.

19.03.0

2019-07-22

Builder

Client

API

Experimental

Security

Runtime

Networking

Swarm

Logging

Deprecation

  • Deprecate image manifest v2 schema1 in favor of v2 schema2. Future version of Docker will remove support for v2 schema1 althogether. moby/moby#39365
  • Removed v1.10 migrator. moby/moby#38265
  • Now skipping deprecated storage-drivers in auto-selection. moby/moby#38019
  • Deprecated aufs storage driver and added warning. moby/moby#38090
  • Removed support for 17.09.

For more information on deprecated flags and APIs, refer to https://docs.docker.com/engine/deprecated/ for target removal dates.

Known issues

  • In some circumstances with large clusters, docker information might, as part of the Swarm section, include the error code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304). This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services are not able to receive traffic and are causing a 404 error after being deployed.
    • Workaround: restart all tasks via docker service update --force.
  • Traffic cannot egress the HOST because of missing Iptables rules in the FORWARD chain The missing rules are :
      /sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      /sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    
    • Workaround: Add these rules back using a script and cron definitions. The script must contain ‘-C’ commands to check for the presence of a rule and ‘-A’ commands to add rules back. Run the script on a cron in regular intervals, for example, every minutes.
    • Affected versions: 18.09.1, 19.03.0
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until proper fix is available in upcoming patch release: docker pause container before doing file operations. moby/moby#39252
  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.
docker, docker engine, ce, whats new, release notes