SUSE-RU-2016:0248-1: moderate: Recommended update for Docker
sle-updates at lists.suse.com
Tue Jan 26 07:11:21 MST 2016
SUSE Recommended Update: Recommended update for Docker
______________________________________________________________________________
Announcement ID: SUSE-RU-2016:0248-1
Rating: moderate
References: #954737 #954812 #956434 #958255 #959405
Affected Products:
SUSE Linux Enterprise Module for Containers 12
______________________________________________________________________________
An update that has 5 recommended fixes can now be installed.
Description:
Docker has been updated to version 1.9.1, bringing several fixes,
enhancements and new features.
Runtime:
- Do not prevent daemon from booting if images could not be restored.
- Force IPC mount to unmount on daemon shutdown/init.
- Turn IPC unmount errors into warnings.
- Fix 'docker stats' performance regression.
- Clarify cryptic error message upon 'docker logs' if '--log-driver=none'.
- Fix opq whiteout problems for files with dot prefix.
- Do not make network calls when normalizing names.
- Output block IO metrics on 'docker stats'.
- Detail network stats per interface on 'docker stats'.
- Add 'ancestor=<image>' filter to 'docker ps --filter' flag to filter
containers based on their ancestor images.
- Add 'label=<somelabel>' filter to 'docker ps --filter' to filter
containers based on label.
- Add '--kernel-memory' flag to 'docker run'.
- Add '--message' flag to 'docker import' to specify an optional
message.
- Add '--privileged' flag to 'docker exec'.
- Add '--stop-signal' flag to 'docker run' to replace the container
process stopping signal.
- Add a new 'unless-stopped' restart policy.
- Inspecting an image now returns tags.
- Add container size information to 'docker inspect'.
- Add 'RepoTags' and 'RepoDigests' field to '/images/{name:.*}/json'.
- Remove the deprecated '/container/ps' endpoint from the API.
- Send and document correct HTTP codes for '/exec/<name>/start'.
- Share shm and mqueue between containers sharing IPC namespace.
- Event stream now shows OOM status when '--oom-kill-disable' is set.
- Ensure special network files (e.g. /etc/hosts) are read-only if
bind-mounted with 'ro' option.
- Improve 'rmi' performance.
- Do not update /etc/hosts for the default bridge network, except for
links.
- Fix conflict with duplicate container names.
- Fix an issue with incorrect template execution in 'docker inspect'.
- Deprecate '-c' short flag variant for '--cpu-shares' in 'docker run'.
- Change systemd unit file to no longer use the deprecated "-d" option.
(bsc#954737)
- Use file system cgroups by default.
Client:
- Fix bug with 'docker inspect' output when not connected to daemon.
- Fix 'docker inspect -f {{.HostConfig.Dns}} somecontainer'.
- Allow 'docker import' to import from local files.
Builder:
- Fix regression with symlink behavior in ADD/COPY.
- Add a 'STOPSIGNAL' Dockerfile instruction to set a different
stop-signal for the container process.
- Add an 'ARG' Dockerfile instruction and a '--build-arg' flag to 'docker
build' that allow adding build-time environment variables.
- Improve cache miss performance.
Storage:
- Try defaulting to xfs instead of ext4 for performance reasons.
- Fix displayed file system in docker info.
- Implement deferred deletion capability in devicemapper.
Networking:
- Promote 'docker network' from experimental to part of the standard
release.
- New network top-level concept, with associated subcommands and API.
WARNING: the API is different from the experimental API.
- Support for multiple isolated/micro-segmented networks.
- Built-in multihost networking using VXLAN based overlay driver.
- Support for third-party network plugins.
- Ability to dynamically connect containers to multiple networks.
- Support for user-defined IP address management via pluggable IPAM
drivers.
- Allow passing a network ID as an argument for '--net'.
- Fix connect to host and prevent disconnect from host for 'host' network.
- Fix '--fixed-cidr' issue when gateway ip falls in ip-range and ip-range
is not the first block in the network.
- Restore deterministic 'IPv6' generation from 'MAC' address on default
'bridge' network.
- Allow port-mapping only for endpoints created on docker run.
- Fixed an endpoint delete issue with a possible stale sbox.
- Add daemon flags '--cluster-store' and '--cluster-advertise' for
built-in nodes discovery.
- Add '--cluster-store-opt' for setting up TLS settings.
- Add '--dns-opt' to the daemon.
- Deprecate the following container 'NetworkSettings' fields in API v1.21:
'EndpointID', 'Gateway', 'GlobalIPv6Address', 'GlobalIPv6PrefixLen',
'IPAddress', 'IPPrefixLen', 'IPv6Gateway' and 'MacAddress'. Those are
now specific to the 'bridge' network. Use 'NetworkSettings.Networks' to
inspect the networking settings of a container per network.
Distribution:
- Correct parent chain in v2 push when v1Compatibility files on the disk
are inconsistent.
- Make 'docker search' work with partial names.
- Push optimization by avoiding buffering to file.
- The daemon will display progress for images that were already being
pulled by another client.
- Only permissions required for the current action being performed are
requested.
- Renaming trust keys (and respective environment variables) from
'offline' to 'root' and 'tagging' to 'repository'.
- Deprecate trust key environment variables
'DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE' and
'DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE'.
Volumes:
- New top-level 'volume' sub-command and API.
- Move API volume driver settings to host-specific config.
- Print an error message if volume name is not unique.
- Ensure volumes created from Dockerfiles always use the local volume
driver.
- Deprecate auto-creating missing host paths for bind mounts.
Logging:
- Add 'awslogs' logging driver for Amazon CloudWatch.
- Add generic 'tag' log option to allow customizing container/image
information passed to driver (e.g. show container names).
- Implement the 'docker logs' endpoint for the journald driver.
- Deprecate driver-specific log tags (e.g. 'syslog-tag', etc.).
Security:
- Only relabel if user requested so with the 'z' option. (SELinux)
- Add SELinux profiles to the rpm package.
- Add AppArmor policy that prevents writing to /proc.
- Fix creation of AppArmor profiles. (bsc#958255)
- Add rules for auditd. (bsc#959405)
Patch Instructions:
To install this SUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for Containers 12:
zypper in -t patch SUSE-SLE-Module-Containers-12-2016-156=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Module for Containers 12 (ppc64le s390x x86_64):
docker-1.9.1-58.1
docker-debuginfo-1.9.1-58.1
docker-debugsource-1.9.1-58.1
References:
https://bugzilla.suse.com/954737
https://bugzilla.suse.com/954812
https://bugzilla.suse.com/956434
https://bugzilla.suse.com/958255
https://bugzilla.suse.com/959405