Recommended update for Docker

SUSE Recommended Update: Recommended update for Docker
Announcement ID: SUSE-RU-2016:0248-1
Rating: moderate
References: #954737 #954812 #956434 #958255 #959405
Affected Products:
  • SUSE Linux Enterprise Module for Containers 12

An update that has 5 recommended fixes can now be installed.

    Description:


    Docker has been updated to version 1.9.1, bringing several fixes,
    enhancements and new features.

    Runtime:

    - Do not prevent daemon from booting if images could not be restored.
    - Force IPC mount to unmount on daemon shutdown/init.
    - Turn IPC unmount errors into warnings.
    - Fix 'docker stats' performance regression.
    - Clarify cryptic error message upon 'docker logs' if '--log-driver=none'.
    - Fix opq whiteout problems for files with a dot prefix.
    - Do not make network calls when normalizing names.
    - Output block IO metrics on 'docker stats'.
    - Detail network stats per interface on 'docker stats'.
    - Add 'ancestor=' filter to 'docker ps --filter' flag to filter
    containers based on their ancestor images.
    - Add 'label=' filter to 'docker ps --filter' to filter
    containers based on label.
    - Add '--kernel-memory' flag to 'docker run'.
    - Add '--message' flag to 'docker import' to specify an optional
    message.
    - Add '--privileged' flag to 'docker exec'.
    - Add '--stop-signal' flag to 'docker run' to replace the container
    process stopping signal.
    - Add a new 'unless-stopped' restart policy.
    - Inspecting an image now returns tags.
    - Add container size information to 'docker inspect'.
    - Add 'RepoTags' and 'RepoDigests' field to '/images/{name:.*}/json'.
    - Remove the deprecated '/container/ps' endpoint from the API.
    - Send and document correct HTTP codes for '/exec//start'.
    - Share shm and mqueue between containers sharing IPC namespace.
    - Event stream now shows OOM status when '--oom-kill-disable' is set.
    - Ensure special network files (e.g. /etc/hosts) are read-only if
    bind-mounted with 'ro' option.
    - Improve 'rmi' performance.
    - Do not update /etc/hosts for the default bridge network, except for
    links.
    - Fix conflict with duplicate container names.
    - Fix an issue with incorrect template execution in 'docker inspect'.
    - Deprecate '-c' short flag variant for '--cpu-shares' in 'docker run'.
    - Change systemd unit file to no longer use the deprecated "-d" option.
    (bsc#954737)
    - Use file system cgroups by default.

    Client:

    - Fix bug with 'docker inspect' output when not connected to daemon.
    - Fix 'docker inspect -f {{.HostConfig.Dns}} somecontainer'.
    - Allow 'docker import' to import from local files.

    Builder:

    - Fix regression with symlink behavior in ADD/COPY.
    - Add a 'STOPSIGNAL' Dockerfile instruction that sets a different
    stop-signal for the container process.
    - Add an 'ARG' Dockerfile instruction and a '--build-arg' flag to 'docker
    build' that allow adding build-time environment variables.
    - Improve cache miss performance.

    Storage:

    - Try defaulting to xfs instead of ext4 for performance reasons.
    - Fix displayed file system in docker info.
    - Implement deferred deletion capability in devicemapper.

    Networking:

    - Promote 'docker network' from experimental to part of the standard
    release.
    - New network top-level concept, with associated subcommands and API.
    WARNING: the API is different from the experimental API.
    - Support for multiple isolated/micro-segmented networks.
    - Built-in multihost networking using VXLAN based overlay driver.
    - Support for third-party network plugins.
    - Ability to dynamically connect containers to multiple networks.
    - Support for user-defined IP address management via pluggable IPAM
    drivers.
    - Allow passing a network ID as an argument for '--net'.
    - Fix connect to host and prevent disconnect from host for 'host' network.
    - Fix '--fixed-cidr' issue when gateway ip falls in ip-range and ip-range
    is not the first block in the network.
    - Restore deterministic 'IPv6' generation from 'MAC' address on default
    'bridge' network.
    - Allow port-mapping only for endpoints created on docker run.
    - Fixed an endpoint delete issue with a possible stale sbox.
    - Add daemon flags '--cluster-store' and '--cluster-advertise' for
    built-in node discovery.
    - Add '--cluster-store-opt' for setting up TLS settings.
    - Add '--dns-opt' to the daemon.
    - Deprecate the following container 'NetworkSettings' fields in API v1.21:
    'EndpointID', 'Gateway', 'GlobalIPv6Address', 'GlobalIPv6PrefixLen',
    'IPAddress', 'IPPrefixLen', 'IPv6Gateway' and 'MacAddress'. Those are
    now specific to the 'bridge' network. Use 'NetworkSettings.Networks' to
    inspect the networking settings of a container per network.

    Distribution:

    - Correct parent chain in v2 push when v1Compatibility files on the disk
    are inconsistent.
    - Make 'docker search' work with partial names.
    - Push optimization by avoiding buffering to file.
    - The daemon will display progress for images that were already being
    pulled by another client.
    - Only permissions required for the current action being performed are
    requested.
    - Rename trust keys (and respective environment variables) from
    'offline' to 'root' and 'tagging' to 'repository'.
    - Deprecate trust key environment variables
    'DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE' and
    'DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE'.

    Volumes:

    - New top-level 'volume' sub-command and API.
    - Move API volume driver settings to host-specific config.
    - Print an error message if volume name is not unique.
    - Ensure volumes created from Dockerfiles always use the local volume
    driver.
    - Deprecate auto-creating missing host paths for bind mounts.

    Logging:

    - Add 'awslogs' logging driver for Amazon CloudWatch.
    - Add generic 'tag' log option to allow customizing container/image
    information passed to driver (e.g. show container names).
    - Implement the 'docker logs' endpoint for the journald driver.
    - Deprecate driver-specific log tags (e.g. 'syslog-tag', etc.).

    Security:

    - Only relabel if user requested so with the 'z' option. (SELinux)
    - Add SELinux profiles to the rpm package.
    - Add AppArmor policy that prevents writing to /proc.
    - Fix creation of AppArmor profiles. (bsc#958255)
    - Add rules for auditd. (bsc#959405)

    Patch Instructions:

    To install this SUSE Recommended Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Module for Containers 12:
      zypper in -t patch SUSE-SLE-Module-Containers-12-2016-156=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Module for Containers 12 (ppc64le s390x x86_64):
      • docker-1.9.1-58.1
      • docker-debuginfo-1.9.1-58.1
      • docker-debugsource-1.9.1-58.1
