Docker Engine 18.09 release notes
18.09.9
2019-09-03
Client
- Fix Windows absolute path detection on non-Windows. docker/cli#1990
- Fix Docker refusing to load key from delegation.key on Windows. docker/cli#1968
- Completion scripts updates for bash and zsh.
Logging
- Fix for reading journald logs. moby/moby#37819 moby/moby#38859
Networking
- Prevent panic on network attached to a container with disabled networking. moby/moby#39589
- Fix a service port for an application becoming unavailable randomly. docker/libnetwork#2069
- Fix cleaning up `--config-only` networks when `--config-from` networks have ungracefully exited. docker/libnetwork#2373
Runtime
- Update to Go 1.11.13.
- Fix a potential engine panic when using XFS disk quota for containers. moby/moby#39644
Swarm
- Fix “grpc: received message larger than max” errors. moby/moby#39306
- Fix an issue where nodes with several tasks could not be removed. docker/swarmkit#2867
18.09.8
2019-07-17
Runtime
- Masked the secrets updated to the log files when running Docker Engine in debug mode. CVE-2019-13509: If a Docker engine is running in debug mode, and `docker stack deploy` is used to redeploy a stack which includes non-external secrets, the logs will contain the secret.
Client
- Fixed rollback config type interpolation for `parallelism` and `max_failure_ratio` fields.
Known Issue
- There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.
18.09.7
2019-06-27
Builder
- Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487
- Added a workaround for GCR authentication issue. moby/moby#38246
- Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183
Networking
- Fixed an error where `--network-rm` would fail to remove a network. moby/moby#39174
Runtime
- Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135
- Updated containerd to version 1.2.6. moby/moby#39016
- Fixed CVE-2018-15664 symlink-exchange attack with directory traversal. moby/moby#39357
- Windows: fixed support for `docker service create --limit-cpu`. moby/moby#39190
- daemon: fixed a mirrors validation issue. moby/moby#38991
- Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288
Logging
- Added a fix that now allows large log lines for logger plugins. moby/moby#39038
Known Issue
- There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.
18.09.6
2019-05-06
Builder
- Fixed `COPY` and `ADD` with multiple `<src>` to not invalidate cache if `DOCKER_BUILDKIT=1`. moby/moby#38964
Networking
- Cleaned up the cluster provider when the agent is closed. docker/libnetwork#2354
- Windows: Now selects a random host port if the user does not specify a host port. docker/libnetwork#2369
Known Issues
- There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.
18.09.5
2019-04-11
Builder
- Fixed `DOCKER_BUILDKIT=1 docker build --squash ..` docker/engine#176
Client
- Fixed tty initial size error. docker/cli#1775
- Fixed dial-stdio goroutine leakage. docker/cli#1795
- Fixed the stack informer’s selector used to track deployment. docker/cli#1794
Networking
- Fixed `network=host` using wrong `resolv.conf` with `systemd-resolved`. docker/engine#180
- Fixed Windows ARP entries getting corrupted randomly under load. docker/engine#192
Runtime
- Now showing stopped containers with restart policy as `Restarting`. docker/engine#181
- Now using original process spec for execs. docker/engine#178
Swarm Mode
- Fixed leaking task resources when nodes are deleted. docker/engine#185
Known Issues
- There are important changes to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.
18.09.4
2019-03-28
Builder
- Fixed CVE-2019-13139 by adding validation for `git ref` to avoid misinterpretation as a flag. moby/moby#38944
Runtime
- Fixed `docker cp` error for filenames greater than 100 characters. moby/moby#38634
- Fixed `layer/layer_store` to ensure `NewInputTarStream` resources are released. moby/moby#38413
- Increased GRPC limit for `GetConfigs`. moby/moby#38800
- Updated `containerd` to 1.2.5. docker/engine#173
Swarm Mode
- Fixed nil pointer exception when joining node to swarm. moby/moby#38618
- Fixed issue for swarm nodes not being able to join as masters if http proxy is set. [moby/moby#36951]
Known Issues
- There are important changes to the upgrade process that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.
18.09.3
2019-02-28
Networking fixes
- Windows: now avoids regeneration of network IDs to prevent broken references to networks. docker/engine#149
- Windows: Fixed an issue to address the `--restart always` flag on standalone containers not working when specifying a network. (docker/escalation#1037)
- Fixed an issue to address the IPAM state from networkdb if the manager is not attached to the overlay network. (docker/escalation#1049)
Runtime fixes and updates
- Updated to Go version 1.10.8.
- Modified names in the container name generator. docker/engine#159
- When copying an existing folder, xattr set errors when the target filesystem doesn’t support xattr are now ignored. docker/engine#135
- Graphdriver: fixed “device” mode not being detected if “character-device” bit is set. docker/engine#160
- Fixed nil pointer dereference on failure to connect to containerd. docker/engine#162
- Deleted stale containerd object on start failure. docker/engine#154
Known Issues
- There are important changes to the upgrade process that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.
18.09.2
2019-02-11
Security fixes
- Update `runc` to address a critical vulnerability that allows specially-crafted containers to gain administrative privileges on the host. CVE-2019-5736
- Ubuntu 14.04 customers using a 3.13 kernel will need to upgrade to a supported Ubuntu 4.x kernel
For additional information, refer to the Docker blog post.
Known Issues
- There are important changes to the upgrade process that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.
18.09.1
2019-01-09
Important notes about this release
In Docker versions prior to 18.09, containerd was managed by the Docker engine daemon. In Docker Engine 18.09, containerd is managed by systemd. Since containerd is managed by systemd, any custom configuration to the docker.service systemd configuration which changes mount settings (for example, `MountFlags=slave`) breaks interactions between the Docker Engine daemon and containerd, and you will not be able to start containers.
Run the following command to get the current value of the `MountFlags` property for the docker.service:
sudo systemctl show --property=MountFlags docker.service
MountFlags=
Update your configuration if this command prints a non-empty value for `MountFlags`, and restart the docker service.
Security fixes
- Upgraded Go language to 1.10.6 to resolve CVE-2018-16873, CVE-2018-16874, and CVE-2018-16875.
- Fixed authz plugin for 0-length content and path validation.
- Added `/proc/asound` to masked paths docker/engine#126
Improvements
- Updated to BuildKit 0.3.3 docker/engine#122
- Updated to containerd 1.2.2 docker/engine#144
- Provided additional warnings for use of deprecated legacy overlay and devicemapper storage drivers docker/engine#85
- prune: perform image pruning before build cache pruning docker/cli#1532
- Added bash completion for experimental CLI commands (manifest) docker/cli#1542
- Windows: allow process isolation on Windows 10 docker/engine#81
Fixes
- Disable kmem accounting in runc on RHEL/CentOS (docker/escalation#614, docker/escalation#692) docker/engine#121
- Fixed inefficient networking configuration docker/engine#123
- Fixed docker system prune doesn’t accept until filter docker/engine#122
- Avoid unset credentials in `containerd` docker/engine#122
- Fixed iptables compatibility on Debian docker/engine#107
- Fixed setting default schema to tcp for docker host docker/cli#1454
- Fixed bash completion for `service update --force` docker/cli#1526
- Windows: DetachVhd attempt in cleanup docker/engine#113
- API: properly handle invalid JSON to return a 400 status docker/engine#110
- API: ignore default address-pools on API < 1.39 docker/engine#118
- API: add missing default address pool fields to swagger docker/engine#119
- awslogs: account for UTF-8 normalization in limits docker/engine#112
- Prohibit reading more than 1MB in HTTP error responses docker/engine#114
- apparmor: allow receiving of signals from `docker kill` docker/engine#116
- overlay2: use index=off if possible (fix EBUSY on mount) docker/engine#84
Packaging
- Add docker.socket requirement for docker.service. docker/docker-ce-packaging#276
- Add socket activation for RHEL-based distributions. docker/docker-ce-packaging#274
- Add libseccomp requirement for RPM packages. docker/docker-ce-packaging#266
Known Issues
- When upgrading from 18.09.0 to 18.09.1, `containerd` is not upgraded to the correct version on Ubuntu.
- There are important changes to the upgrade process that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.
18.09.0
2018-11-08
Important notes about this release
In Docker versions prior to 18.09, containerd was managed by the Docker engine daemon. In Docker Engine 18.09, containerd is managed by systemd. Since containerd is managed by systemd, any custom configuration to the docker.service systemd configuration which changes mount settings (for example, `MountFlags=slave`) breaks interactions between the Docker Engine daemon and containerd, and you will not be able to start containers.
Run the following command to get the current value of the `MountFlags` property for the docker.service:
sudo systemctl show --property=MountFlags docker.service
MountFlags=
Update your configuration if this command prints a non-empty value for `MountFlags`, and restart the docker service.
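The MountFlags check described in the 18.09.0 and 18.09.1 notes above, as an added shell example that is not part of these release notes or of the Docker project: it parses the output of `systemctl show --property=MountFlags docker.service` (the same command the note gives) and reports whether a non-empty value is set, which is the condition under which the daemon and containerd stop cooperating. The function names and the `--check` argument are this example's own; the sample outputs in the comments are constructed.

```shell
#!/bin/sh
# Added example (not part of the Docker release notes): detect a custom
# MountFlags setting on docker.service, which on Engine 18.09 breaks the
# interaction between dockerd and the systemd-managed containerd.

# Read `systemctl show` output on stdin and print the MountFlags value
# (empty if the property is unset). Only the first MountFlags line counts.
mountflags_value() {
    sed -n 's/^MountFlags=//p' | head -n 1
}

# Return 0 (true) when the given `systemctl show` output, passed as the
# first argument, sets a non-empty MountFlags (e.g. "MountFlags=slave").
mountflags_is_set() {
    value=$(printf '%s\n' "$1" | mountflags_value)
    [ -n "$value" ]
}

# Query the live unit. Exit status: 0 = no custom MountFlags, 1 = custom
# MountFlags present (fix and restart docker), 2 = could not query systemd.
check_docker_service() {
    out=$(systemctl show --property=MountFlags docker.service 2>/dev/null) || {
        echo "unable to query docker.service via systemctl" >&2
        return 2
    }
    if mountflags_is_set "$out"; then
        flags=$(printf '%s\n' "$out" | mountflags_value)
        echo "docker.service sets MountFlags=$flags; remove the setting and restart docker"
        return 1
    fi
    echo "docker.service has no custom MountFlags"
    return 0
}

# Run the live check only when invoked as: sh check_mountflags.sh --check
if [ "${1:-}" = "--check" ]; then
    check_docker_service
fi
```

Sourcing the file without `--check` only defines the functions, so `mountflags_is_set` can be reused against saved `systemctl show` output from other hosts in a fleet audit.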
New features
- Updated API version to 1.39 moby/moby#37640
- Added support for remote connections using SSH docker/cli#1014
- Builder: added prune options to the API moby/moby#37651
- Added “Warnings” to `/info` endpoint, and move detection to the daemon moby/moby#37502
- Allows BuildKit builds to run without experimental mode enabled. Buildkit can now be configured with an option in daemon.json moby/moby#37593 moby/moby#37686 moby/moby#37692 docker/cli#1303 docker/cli#1275
- Added support for build-time secrets using a `--secret` flag when using BuildKit docker/cli#1288
- Added SSH agent socket forwarder (`docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK`) when using BuildKit docker/cli#1438 / docker/cli#1419
- Added `--chown` flag support for `ADD` and `COPY` commands on Windows moby/moby#35521
- Added `builder prune` subcommand to prune BuildKit build cache docker/cli#1295 docker/cli#1334
- BuildKit: Adds configurable garbage collection policy for the BuildKit build cache docker/engine#59 / moby/moby#37846
- BuildKit: Adds support for `docker build --pull ...` when using BuildKit moby/moby#37613
- BuildKit: Adds support for “registry-mirrors” and “insecure-registries” when using BuildKit docker/engine#59 / moby/moby#37852
- BuildKit: Enables net modes and bridge. moby/moby#37620
- Added `docker engine` subcommand to manage the lifecycle of a Docker Engine running as a privileged container on top of containerd, and to allow upgrades to Docker Engine Enterprise docker/cli#1260
- Exposed product license in `docker info` output docker/cli#1313
- Showed warnings produced by daemon in `docker info` output docker/cli#1225
- Added “local” log driver moby/moby#37092
- Amazon CloudWatch: adds `awslogs-endpoint` logging option moby/moby#37374
- Added support for global default address pools moby/moby#37558 docker/cli#1233
- Configured containerd log-level to be the same as dockerd moby/moby#37419
- Added configuration option for cri-containerd moby/moby#37519
- Updates containerd client to v1.2.0-rc.1 moby/moby#37664, docker/engine#75 / moby/moby#37710
- Moved the `POST /session` endpoint out of experimental. moby/moby#40028
Improvements
- Does not return “`<unknown>`” in /info response moby/moby#37472
- BuildKit: Changes `--console=[auto,false,true]` to `--progress=[auto,plain,tty]` docker/cli#1276
- BuildKit: Sets BuildKit’s ExportedProduct variable to show useful errors in the future. moby/moby#37439
- Hides `--data-path-addr` flags when connected to a daemon that doesn’t support this option docker/cli#1240
- Only shows buildkit-specific flags if BuildKit is enabled docker/cli#1438 / docker/cli#1427
- Improves version output alignment docker/cli#1204
- Sorts plugin names and networks in a natural order docker/cli#1166, docker/cli#1266
- Updates bash and zsh completion scripts
- Passes log-level to containerd. moby/moby#37419
- Uses direct server return (DSR) in east-west overlay load balancing docker/engine#93 / docker/libnetwork#2270
- Builder: temporarily disables bridge networking when using buildkit. moby/moby#37691
- Blocks task starting until node attachments are ready moby/moby#37604
- Propagates the provided external CA certificate to the external CA object in swarm. docker/cli#1178
- Removes Ubuntu 14.04 “Trusty Tahr” as a supported platform docker-ce-packaging#255 / docker-ce-packaging#254
- Removes Debian 8 “Jessie” as a supported platform docker-ce-packaging#255 / docker-ce-packaging#254
- Removes ‘docker-‘ prefix for containerd and runc binaries docker/engine#61 / moby/moby#37907, docker-ce-packaging#241
- Splits “engine”, “cli”, and “containerd” to separate packages, and run containerd as a separate systemd service docker-ce-packaging#131, docker-ce-packaging#158
- Builds binaries with Go 1.10.4 docker-ce-packaging#181
- Removes `-ce` suffix from version string docker-ce-packaging#206
Fixes
- BuildKit: Do not cancel buildkit status request. moby/moby#37597
- Fixes no error is shown if build args are missing during docker build moby/moby#37396
- Fixes error “unexpected EOF” when adding an 8GB file moby/moby#37771
- LCOW: Ensures platform is populated on `COPY`/`ADD`. moby/moby#37563
- Fixes mapping a range of host ports to a single container port docker/cli#1102
- Fixes `trust inspect` typo: “AdminstrativeKeys” docker/cli#1300
- Fixes environment file parsing for imports of absent variables and those with no name. docker/cli#1019
- Fixes a potential “out of memory exception” when running `docker image prune` with a large list of dangling images docker/cli#1432 / docker/cli#1423
- Fixes pipe handling in ConEmu and ConsoleZ on Windows moby/moby#37600
- Fixes long startup on windows, with non-hns governed Hyper-V networks docker/engine#67 / moby/moby#37774
- Fixes daemon won’t start when “runtimes” option is defined both in config file and cli docker/engine#57 / moby/moby#37871
- Loosens permissions on `/etc/docker` directory to prevent “permission denied” errors when using `docker manifest inspect` docker/engine#56 / moby/moby#37847
- Fixes denial of service with large numbers in `cpuset-cpus` and `cpuset-mems` docker/engine#70 / moby/moby#37967
- LCOW: Add `--platform` to `docker import` docker/cli#1375 / docker/cli#1371
- LCOW: Add LinuxMetadata support by default on Windows moby/moby#37514
- LCOW: Mount to short container paths to avoid command-line length limit moby/moby#37659
- LCOW: Fix builder using wrong cache layer moby/moby#37356
- Fixes json-log file descriptors leaking when using `--follow` docker/engine#48 moby/moby#37576 moby/moby#37734
- Fixes a possible deadlock on closing the watcher on kqueue moby/moby#37392
- Uses poller based watcher to work around the file caching issue in Windows moby/moby#37412
- Handles systemd-resolved case by providing appropriate resolv.conf to networking layer moby/moby#37485
- Removes support for TLS < 1.2 moby/moby#37660
- Seccomp: Whitelist syscalls linked to `CAP_SYS_NICE` in default seccomp profile moby/moby#37242
- Seccomp: move the syslog syscall to be gated by `CAP_SYS_ADMIN` or `CAP_SYSLOG` docker/engine#64 / moby/moby#37929
- SELinux: Fix relabeling of local volumes specified via Mounts API on selinux-enabled systems moby/moby#37739
- Adds warning if REST API is accessible through an insecure connection moby/moby#37684
- Masks proxy credentials from URL when displayed in system info docker/engine#72 / moby/moby#37934
- Fixes mount propagation for btrfs docker/engine#86 / moby/moby#38026
- Fixes nil pointer dereference in node allocation docker/engine#94 / docker/swarmkit#2764
Known Issues
- There are important changes to the upgrade process that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.
- With https://github.com/boot2docker/boot2docker/releases/download/v18.09.0/boot2docker.iso, connection is being refused from a node on the virtual machine. Any publishing of swarm ports in virtualbox-created docker-machine VM’s will not respond. This is occurring on macOS and Windows 10, using docker-machine version 0.15 and 0.16.
  The following `docker run` command works, allowing access from host browser: `docker run -d -p 4000:80 nginx`
  However, the following `docker service` command fails, resulting in curl/chrome unable to connect (connection refused): `docker service create -p 5000:80 nginx`
  This issue is not apparent when provisioning 18.09.0 cloud VM’s using docker-machine.
  Workarounds:
  - Use cloud VM’s that don’t rely on boot2docker. `docker run` is unaffected.
  - For Swarm, set VIRTUALBOX_BOOT2DOCKER_URL=https://github.com/boot2docker/boot2docker/releases/download/v18.06.1-ce/boot2docker.iso.
  This issue is resolved in 18.09.1.
Deprecation Notices
- Docker has deprecated support for Device Mapper as a storage driver. It will continue to be supported at this time, but support will be removed in a future release.
  The Overlay2 storage driver is now the default for Docker engine implementations.
  For more information on the list of deprecated flags and APIs, have a look at the deprecation information where you can find the target removal dates.
End of Life Notification
In this release, Docker has also removed support for TLS < 1.2 moby/moby#37660, Ubuntu 14.04 “Trusty Tahr” docker-ce-packaging#255 / docker-ce-packaging#254, and Debian 8 “Jessie” docker-ce-packaging#255 / docker-ce-packaging#254.