Docker EE 17.06 release notes

This document describes the latest changes, additions, known issues, and fixes for Docker Enterprise Edition (Docker EE).

Docker EE is functionally equivalent to the corresponding Docker CE that it references. However, Docker EE also includes back-ported fixes (security-related and priority defects) from the open source. It incorporates defect fixes that you can use in environments where new features cannot be adopted as quickly for consistency and compatibility reasons.

17.06.2-ee-5 (2017-11-02)

Important notes about this release

• Starting with Docker EE 17.06.2-ee-5, Ubuntu, SLES, RHEL packages are also available for IBM Power using the ppc64le architecture.

• Docker EE 17.06.2-ee-5 now enables the telemetry plugin by default on all supported Linux distributions. For more details, including how to opt out, see the documentation.

Client

• Set APIVersion on the client, even when Ping fails docker/cli#546

Logging

• Fix “raw” mode with the Splunk logging driver moby/moby#34520

Networking

• Disable hostname lookup to speed up check if chain chain exists docker/libnetwork#1974
• Handle cleanup DNS for attachable container to prevent leak in name resolution docker/libnetwork#1989

Packaging

• Add telemetry plugin for all linux distributions
• Fix install of docker-ee on RHEL7 s390x by removing dependency on container-selinux

Runtime

• Automatically set may_detach_mounts=1 on startup moby/moby#34886
• Fallback to use naive diff driver if enable CONFIG_OVERLAY_FS_REDIRECT_DIR moby/moby#34342
• Set selinux label on local volumes from mounts API moby/moby#34684
• Close pipe in overlay2 graphdriver moby/moby#34863
• Relabel config files moby/moby#34732
• Add support for Windows version filtering on pull of docker image moby/moby#35090

Swarm mode

• Increase gRPC request timeout to 20 seconds for sending snapshots to prevent context deadline exceeded errors docker/swarmkit#2391
• When a node is removed, delete all of its attachment tasks so networks used by those tasks can be removed docker/swarmkit#2414

Known issues

• It’s recommended that users create overlay networks with /24 blocks (the default) of 256 IP addresses when networks are used by services created using VIP-based endpoint-mode (the default). This is because of limitations with Docker Swarm moby/moby#30820. Users should not work around this by increasing the IP block size. To work around this limitation, either use dnsrr endpoint-mode or use multiple smaller overlay networks.
• Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for failed to allocate network IP for task messages in the Docker logs.
• SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.

17.06.2-ee-4 (2017-10-12)

Client

• Fix idempotence of docker stack deploy when secrets or configs are used docker/cli#509

Logging

• Avoid using a map for log attributes to prevent panic moby/moby#34174

Networking

• Fix for garbage collection logic in NetworkDB. Entries were not properly garbage collected and deleted within the expected time docker/libnetwork#1944 docker/libnetwork#1960
• Allow configuration of max packet size in network DB to use the full available MTU. Note this will require a configuration in the docker daemon and need a dockerd restart docker/libnetwork#1839
• Overlay fix for transient IP reuse docker/libnetwork#1935 docker/libnetwork#1968
• Serialize IP allocation docker/libnetwork#1788

17.06.2-ee-3 (2017-09-22)

Swarm mode

• Increase max message size to allow larger snapshots docker/swarmkit#131

17.06.1-ee-2 (2017-08-24)

Client

• Enable TCP Keep-Alive in Docker client #415

Networking

• Lock goroutine to OS thread while changing NS #1911

Runtime

• devmapper: ensure that UdevWait is called after calls to setCookie #33732
• aufs: ensure diff layers are correctly removed to prevent leftover files from using up storage #34587

Swarm mode

• Ignore PullOptions for running tasks #2351

17.06.1-ee (2017-08-16)

Important notes about this release

• Starting with Docker EE 17.06.1, Ubuntu, SLES, RHEL packages are also available for IBM Z using the s390x architecture.

• Docker EE 17.06.1 includes a new telemetry plugin which is enabled by default on Ubuntu hosts. For more details, including how to opt out, see [the documentation(/enterprise/telemetry/).

• Docker 17.06 by default disables communication with legacy (v1) registries. If you require interaction with registries that have not yet migrated to the v2 protocol, set the --disable-legacy-registry=false daemon option. Interaction with v1 registries will be removed in Docker 17.12.

Builder

• Add --iidfile option to docker build. It allows specifying a location where to save the resulting image ID
• Allow specifying any remote ref in git checkout URLs #32502
• Add multi-stage build support #31257 #32063
• Allow using build-time args (ARG) in FROM #31352
• Add an option for specifying build target #32496
• Accept -f - to read Dockerfile from stdin, but use local context for building #31236
• The values of default build time arguments (e.g HTTP_PROXY) are no longer displayed in docker image history unless a corresponding ARG instruction is written in the Dockerfile. #31584
• Fix setting command if a custom shell is used in a parent image #32236
• Fix docker build --label when the label includes single quotes and a space #31750
• Disable container logging for build containers #29552
• Fix use of **/ in .dockerignore #29043
• Fix a regression, where ADD from remote URL’s extracted archives #89
• Fix handling of remote “git@” notation #100
• Fix copy --from conflict with force pull #86

Client

• Add --format option to docker stack ls #31557
• Add support for labels in compose initiated builds #32632 #32972
• Add --format option to docker history #30962
• Add --format option to docker system df #31482
• Allow specifying Nameservers and Search Domains in stack files #32059
• Add support for read_only service to docker stack deploy #docker/cli/73
• Display Swarm cluster and node TLS information #docker/cli/44
• Add support for placement preference to docker stack deploy #docker/cli/35
• Add new ca subcommand to docker swarm to allow managing a swarm CA #docker/cli/48
• Add credential-spec to compose #docker/cli/71
• Add support for csv format options to --network and --network-add #docker/cli/62 #33130
• Fix stack compose bind-mount volumes on Windows #docker/cli/136
• Correctly handle a Docker daemon without registry info #docker/cli/126
• Allow --detach and --quiet flags when using –rollback #docker/cli/144
• Remove deprecated --email flag from docker login #docker/cli/143
• Adjusted docker stats memory output #docker/cli/80
• Add --mount flag to docker run and docker create #32251
• Add --type=secret to docker inspect #32124
• Add --format option to docker secret ls #31552
• Add --filter option to docker secret ls #30810
• Add --filter scope=<swarm|local> to docker network ls #31529
• Add --cpus support to docker update #31148
• Add label filter to docker system prune and other prune commands #30740
• docker stack rm now accepts multiple stacks as input #32110
• Improve docker version --format option when the client has downgraded the API version #31022
• Prompt when using an encrypted client certificate to connect to a docker daemon #31364
• Display created tags on successful docker build #32077
• Cleanup compose convert error messages #32087
• Sort docker stack ls by name #31085
• Flags for specifying bind mount consistency #31047
• Output of docker CLI –help is now wrapped to the terminal width #28751
• Suppress image digest in docker ps #30848
• Hide command options that are related to Windows #30788
• Fix docker plugin install prompt to accept “enter” for the “N” default #30769
• Add truncate function for Go templates #30484
• Support expanded syntax of ports in stack deploy #30476
• Support expanded syntax of mounts in stack deploy #30597 #31795
• Add --add-host for docker build #30383
• Add .CreatedAt placeholder for docker network ls --format #29900
• Update order of --secret-rm and --secret-add #29802
• Add --filter enabled=true for docker plugin ls #28627
• Add --format to docker service ls #28199
• Add publish and expose filter for docker ps --filter #27557
• Support multiple service IDs on docker service ps #25234
• Allow swarm join with --availability=drain #24993
• Docker inspect now shows “docker-default” when AppArmor is enabled and no other profile was defined #27083
• Make pruning volumes optional when running docker system prune, and add a --volumes flag #109
• Show progress of replicated tasks before they are assigned #97
• Fix docker wait hanging if the container does not exist #106
• If docker swarm ca is called without the --rotate flag, warn if other flags are passed #110
• Fix API version negotiation not working if the daemon returns an error #115
• Print an error if “until” filter is combined with “–volumes” on system prune #154

Contrib

• Add support for building docker debs for Ubuntu 17.04 Zesty on amd64 #32435

Daemon

• Fix --api-cors-header being ignored if --api-enable-cors is not set #32174
• Cleanup docker tmp dir on start #31741
• Deprecate --graph flag in favor or --data-root #28696

Distribution

• Select digest over tag when both are provided during a pull #33214

Logging

• Add monitored resource type metadata for GCP logging driver #32930
• Add multiline processing to the AWS CloudWatch logs driver #30891
• Add support for logging driver plugins #28403
• Add support for showing logs of individual tasks to docker service logs, and add /task/{id}/logs REST endpoint #32015
• Add --log-opt env-regex option to match environment variables using a regular expression #27565
• Implement optional ring buffer for container logs #28762
• Add --log-opt awslogs-create-group=<true|false> for awslogs (CloudWatch) to support creation of log groups as needed #29504
• Fix segfault when using the gcplogs logging driver with a “static” binary #29478
• Fix stderr logging for journald and syslog #95
• Fix log readers can block writes indefinitely #98
• Fix awslogs driver repeating last event #151

Networking

• Add Support swarm-mode services with node-local networks such as macvlan, ipvlan, bridge, host #32981
• Pass driver-options to network drivers on service creation #32981
• Isolate Swarm Control-plane traffic from Application data traffic using –data-path-addr #32717
• Several improvments to Service Discovery #docker/libnetwork/1796
• Allow user to replace, and customize the ingress network #31714
• Fix UDP traffic in containers not working after the container is restarted #32505
• Fix files being written to /var/lib/docker if a different data-root is set #32505
• Check parameter --ip, --ip6 and --link-local-ip in docker network connect #30807
• Added support for dns-search #30117
• Added –verbose option for docker network inspect to show task details from all swarm nodes #31710
• Clear stale datapath encryption states when joining the cluster docker/libnetwork#1354
• Ensure iptables initialization only happens once docker/libnetwork#1676
• Fix bad order of iptables filter rules docker/libnetwork#961
• Add anonymous container alias to service record on attachable network docker/libnetwork#1651
• Support for com.docker.network.container_interface_prefix driver label docker/libnetwork#1667
• Improve network list performance by omitting network details that are not used #30673
• Fix issue with driver options not received by network drivers #127

Packaging

• Rely on container-selinux on Centos/Fedora/RHEL when available #32437

Plugins

• Make plugin removes more resilient to failure #91

Runtime

• Add build & engine info prometheus metrics #32792
• Update containerd to d24f39e203aa6be4944f06dd0fe38a618a36c764 #33007
• Update runc to 992a5be178a62e026f4069f443c6164912adbf09 #33007
• Add option to auto-configure blkdev for devmapper #31104
• Add log driver list to docker info #32540
• Add API endpoint to allow retrieving an image manifest #32061
• Do not remove container from memory on error with forceremove #31012
• Add support for metric plugins #32874
• Return an error when an invalid filter is given to prune commands #33023
• Add daemon option to allow pushing foreign layers #33151
• Fix an issue preventing containerd to be restarted after it died #32986
• Add cluster events to Docker event stream. #32421
• Add support for DNS search on windows #33311
• Upgrade to Go 1.8.3 #33387
• Prevent a containerd crash when journald is restarted #33007
• Fix healthcheck failures due to invalid environment variables #33249
• Prevent a directory to be created in lieu of the daemon socket when a container mounting it is to be restarted during a shutdown #30348
• Prevent a container to be restarted upon stop if its stop signal is set to SIGKILL #33335
• Ensure log drivers get passed the same filename to both StartLogging and StopLogging endpoints #33583
• Remove daemon data structure dump on SIGUSR1 to avoid a panic #33598
• Ensure health probe is stopped when a container exits #32274
• Handle paused container when restoring without live-restore set #31704
• Do not allow sub second in healthcheck options in Dockerfile #31177
• Support name and id prefix in secret update #30856
• Use binary frame for websocket attach endpoint #30460
• Fix linux mount calls not applying propagation type changes #30416
• Fix ExecIds leak on failed exec -i #30340
• Prune named but untagged images if danglingOnly=true #30330
• Add daemon flag to set no_new_priv as default for unprivileged containers #29984
• Add daemon option --default-shm-size #29692
• Support registry mirror config reload #29650
• Ignore the daemon log config when building images #29552
• Move secret name or ID prefix resolving from client to daemon #29218
• Add the ability to specify extra rules for a container device cgroup devices.allow mechanism #22563
• Fix cpu.cfs_quota_us being reset when running systemd daemon-reload #31736
• Prevent a goroutine leak when healthcheck gets stopped #90
• Do not error on relabel when relabel not supported #92
• Limit max backoff delay to 2 seconds for GRPC connection #94
• Fix issue preventing containers to run when memory cgroup was specified due to bug in certain kernels #102
• Fix container not responding to SIGKILL when paused #102
• Improve error message if an image for an incompatible OS is loaded #108
• Fix a handle leak in go-winio #112
• Fix issue upon upgrade, preventing docker from showing running containers when --live-restore is enabled #117
• Fix bug where services using secrets would fail to start on daemons using the userns-remap feature #121
• Fix error handling with not-exist errors on remove #142
• Fix REST API Swagger representation cannot be loaded with SwaggerUI #156

Security

• Allow personality with UNAME26 bit set in default seccomp profile #32965
• Allow setting SELinux type or MCS labels when using --ipc=container: or --ipc=host #30652
• Redact secret data on secret creation #99

Swarm mode

• Add an option to allow specifying a different interface for the data traffic (as opposed to control traffic) #32717
• Allow specifying a secret location within the container #32571
• Add support for secrets on Windows #32208
• Add TLS Info to swarm info and node info endpoint #32875
• Add support for services to carry arbitrary config objects #32336, #docker/cli/45,#33169
• Add API to rotate swarm CA certificate #32993
• Service digest pining is now handled client side #32388, #33239
• Placement now also take platform in account #33144
• Fix possible hang when joining fails #docker-ce/19
• Fix an issue preventing external CA to be accepted #33341
• Fix possible orchestration panic in mixed version clusters #swarmkit/2233
• Avoid assigning duplicate IPs during initialization #swarmkit/2237
• Add update/rollback order for services (--update-order / --rollback-order) #30261
• Add support for synchronous service create and service update #31144
• Add support for “grace periods” on healthchecks through the HEALTHCHECK --start-period and --health-start-period flag to docker service create, docker service update, docker create, and docker run to support containers with an initial startup time #28938
• docker service create now omits fields that are not specified by the user, when possible. This will allow defaults to be applied inside the manager #32284
• docker service inspect now shows default values for fields that are not specified by the user #32284
• Move docker service logs out of experimental #32462
• Add support for Credential Spec and SELinux to services to the API #32339
• Add --entrypoint flag to docker service create and docker service update #29228
• Add --network-add and --network-rm to docker service update #32062
• Add --credential-spec flag to docker service create and docker service update #32339
• Add --filter mode=<global|replicated> to docker service ls #31538
• Resolve network IDs on the client side, instead of in the daemon when creating services #32062
• Add --format option to docker node ls #30424
• Add --prune option to docker stack deploy to remove services that are no longer defined in the docker-compose file #31302
• Add PORTS column for docker service ls when using ingress mode #30813
• Fix unnescessary re-deploying of tasks when environment-variables are used #32364
• Fix docker stack deploy not supporting endpoint_mode when deploying from a docker compose file #32333
• Proceed with startup if cluster component cannot be created to allow recovering from a broken swarm setup #31631
• Topology-aware scheduling #30725
• Automatic service rollback on failure #31108
• Worker and manager on the same node are now connected through a UNIX socket docker/swarmkit#1828, docker/swarmkit#1850, docker/swarmkit#1851
• Improve raft transport package docker/swarmkit#1748
• No automatic manager shutdown on demotion/removal docker/swarmkit#1829
• Use TransferLeadership to make leader demotion safer docker/swarmkit#1939
• Decrease default monitoring period docker/swarmkit#1967
• Add Service logs formatting #31672
• Fix service logs API to be able to specify stream #31313
• Add --stop-signal for service create and service update #30754
• Add --read-only for service create and service update #30162
• Renew the context after communicating with the registry #31586
• (experimental) Add --tail and --since options to docker service logs #31500
• (experimental) Add --no-task-ids and --no-trunc options to docker service logs #31672
• Do not add duplicate platform information to service spec #107
• Cluster update and memory issue fixes #114
• Changing get network request to return predefined network in swarm #150

Windows

• Block pulling Windows images on non-Windows daemons #29001

Deprecation

• Disable legacy registry (v1) by default #33629
• Deprecate --api-enable-cors daemon flag. This flag was marked deprecated in Docker 1.6.0 but not listed in deprecated features #32352
• Remove Ubuntu 12.04 (Precise Pangolin) as supported platform. Ubuntu 12.04 is EOL, and no longer receives updates #32520

Known issues

If a container is spawned on node A, using the same IP of a container destroyed on nodeB within 5 min from the time that it exit, the container on node A will not be reachable until one of these 2 conditions happens:

1. Container on A sends a packet out,
2. The timer that cleans the arp entry in the overlay namespace is triggered (around 5 minutes).

As a workaround, send at least a packet out from each container like (ping, GARP, etc).